A method for processing IPv4 network source routing attack behavior based on GENEVE
By constructing a routing space monitoring model using GENEVE technology, the problems of source routing attacks and wormhole attacks in IPv4 networks are solved, thereby improving the security and efficiency of network data transmission.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- GUANGDONG AIRPORT MANAGEMENT GRP CO LTD ENG CONSTR HEADQUARTERS
- Filing Date
- 2024-04-11
- Publication Date
- 2026-06-23
AI Technical Summary
Existing technologies for handling IPv4 networks are susceptible to source routing attacks and network wormhole attacks, resulting in low network data transmission efficiency and threatening the security of the entire network system.
A routing space monitoring model is constructed using GENEVE technology. By acquiring network topology information and link nodes, the maximum receiving distance threshold is calculated, the transmission distance of neighboring nodes is limited, abnormal data is eliminated, and a routing hop space and path state matrix are generated. The defense strategy is then dynamically adjusted to deal with attacks.
It effectively resists wormhole attacks, prevents data loss and tampering, and achieves adaptive and dynamic route hopping defense, thereby improving network data security.
Figure CN118473697B_ABST (abstract figure)
Abstract
Description
Technical Field
[0001] This invention relates to the field of routing attack prevention technology, specifically to a method for handling source routing attacks on IPv4 networks based on GENEVE.
Background Technology
[0002] Segment Routing (SR) employs a source path selection mechanism: the Segment Identifiers (SIDs) assigned to the nodes the path will pass through are pre-encapsulated at the source node. When a packet passes through an SR node, the node forwards the packet according to the SID. Except for the source node, no node needs to maintain path state. SR technology is currently widely used in carrier networks. For example, in computing networks, SRv6 technology can simplify the network structure and achieve seamless connectivity between networks. At the same time, routing capabilities are no longer fragmented and can be exposed together with Software-Defined Networking (SDN) to achieve resource interoperability. This significantly reduces the complexity of service connection and deployment and makes a network service-oriented architecture (SSA), namely opening up network capabilities and data to support real-time, on-demand and dynamic deployment of services, a necessary condition for providing services.
[0003] However, existing methods for dealing with IPv4 source routing attacks in networks still have the following problems:
[0004] (1) Existing technologies mainly rely on tracing techniques to obtain information on the nodes along the shortest forwarding path. By inserting a specified node address into the source routing list, packets are forwarded along the specified path so that further network nodes can be explored and traversed until the entire network topology is obtained. However, source routing is also exposed to attacks from remote networks: an attacker only needs to find one exploitable vulnerability to launch an attack and quickly spread it to nodes with the same vulnerability, thereby threatening the entire network system.
[0005] (2) In existing networks, wormhole attacks and selective forwarding attacks are the most destructive to network routing. When launched, they cause routing deception and seriously affect the efficiency of network data transmission.
Summary of the Invention
[0006] The purpose of this invention is to provide a method for handling source routing attacks on IPv4 networks based on GENEVE, in order to solve the technical problems in the prior art where source routing attacks, wormhole attacks, and selective forwarding attacks in the network cause damage to network routing, resulting in serious impact on network data transmission efficiency and threatening the entire network system.
[0007] To solve the above-mentioned technical problems, the present invention specifically provides the following technical solution:
[0008] This invention provides a method for handling source routing attacks on IPv4 networks based on Geneve, comprising the following steps:
[0009] Real-time network topology information, link nodes, and flow table information are obtained, and the topology information, link nodes, and flow table information are used as network status information. The maximum receiving distance threshold of the link nodes is calculated based on the network status information.
[0010] Based on the maximum receiving distance threshold, the parameters of the neighboring nodes are set to prevent attacking nodes from establishing malicious false neighbors and to obtain abnormal monitoring data by limiting the transmission distance of messages sent by the neighboring nodes.
[0011] A routing space monitoring model is constructed from the anomaly monitoring data, and the hop space for route hopping is generated by a backtracking method. The communication link capacity is constrained together with the communication latency and the non-overlapping constraint of the hop space so that the bandwidth requirements of the communication path are met.
[0012] The path state matrix is obtained based on the communication link capacity. The weight coefficients are adjusted according to the current network security status using the path state matrix to generate a corresponding network security status flow table in order to cope with real-time route change defense strategies.
[0013] As a preferred embodiment of the present invention, calculating the maximum receiving distance threshold of the link node from the network status information includes:
[0014] All path nodes are obtained, and one path node is selected as the source node. The distance between the source node and the destination node is calculated using the distance formula between two points. The loss between path nodes is obtained using the log-normal path loss function, whose expression is:
[0015] RD(d) = RD(d0) + 10·β·log10(d/d0) + S0
[0016] where RD(d) represents the path loss over the distance d between two path nodes, RD(d0) represents the path loss at the reference distance d0, β represents the path loss exponent, and S0 represents a normally distributed Gaussian random variable shared by all path nodes.
[0017] The minimum path loss output by the log-normal path loss function is used as the maximum receiving distance threshold of the link node.
[0018] The neighboring nodes of a link node in the network link are defined based on the maximum receiving distance threshold of the link node.
[0019] As a preferred embodiment of the present invention, neighbor node parameters are set according to the maximum receiving distance threshold, and anomaly monitoring data is obtained, including:
[0020] The reception probability of adjacent nodes in the network layer routing is obtained by the maximum number of retransmissions at the data link layer, and the maximum reception probability of adjacent nodes is set according to the maximum reception distance threshold.
[0021] The maximum reception probability is used to calculate the reception distance of the adjacent nodes of a given node. The transmit power declared by the source node of a received message and the received signal strength are determined, and the transmit power of the source node is compared with the corresponding transmit power level to decide whether the source node is a wormhole node.
[0022] A distance threshold is set based on the receiving distance of the adjacent nodes to limit the transmission distance of the neighboring nodes, preventing the wormhole nodes from establishing malicious false neighbors and obtaining abnormal monitoring data.
[0023] As a preferred embodiment of the present invention, to prevent the wormhole node from establishing malicious false neighbors, it is necessary to establish safe neighbors between adjacent nodes and remove the abnormal monitoring data, including:
[0024] Calculate the distance between the source node and the base station at the network layer and the maximum receiving distance threshold S_max of the node, and load S_max into the corresponding source node;
[0025] At the data link layer, all path nodes are aggregated, and path node i transmits at a specific power P_r. Upon receiving a broadcast message from neighboring node i, a node extracts the transmit power of i, reads the signal strength indication value P_0, and determines whether the transmit power P_r of path node i is greater than the signal strength indication value P_0;
[0026] If path node i satisfies P_r > P_0, the received message is determined to come from a malicious node with high transmit power; the message from path node i is discarded as an abnormal packet, and the node does not establish a neighbor relationship with it;
[0027] If path node i does not satisfy P_r > P_0, path node i is added to the candidate neighbor node set N(k) of the node, the distance L_r between each node in N(k) and the base station is calculated, and it is determined whether L_r is greater than the maximum receiving distance threshold S_max;
[0028] If L_r is greater than S_max, the received message is determined to be an abnormal packet: it is a malicious replay by a wormhole node rather than a valid broadcast message, so it is discarded and the corresponding node is removed from N(k). If L_r is less than S_max, the node responds to the corresponding broadcast message, establishes a neighbor relationship with node i, and becomes a real neighbor of node i;
[0029] The candidate neighbor node set N(k) is looped over until all nodes in N(k) have been traversed, finally obtaining the true neighbor node set N_s(k) of node i.
[0030] As a preferred embodiment of the present invention, constructing a routing space monitoring model from the real neighbor node set N_s(k) and generating the hop space of route hopping by a backtracking method includes:
[0031] In the real neighbor node set N_s(k), whichever of the source node and the destination node has the smaller adjacent node set is selected as the initial expansion node. Before the initial expansion node starts exploring the path, all paths are reset and the initial expansion node is placed in the path.
[0032] A node is randomly selected from the adjacent node set of the initial expansion node as the new node and removed from that adjacent node set to avoid repeated exploration;
[0033] The network layer routing space is modeled as an undirected graph, and the constraint function is applied to the new node v_j. The constraint function is:
[0034] C(v_{i,j}) ≥ C_i and D(v_j) ≤ L_max
[0035] where v_{i,j} denotes the link connecting any node v_i with the new node v_j, C(v_{i,j}) denotes the available forwarding capacity of link v_{i,j}, C_i denotes the required link capacity threshold of the communication link, D(v_j) denotes the exploration depth of the new node v_j, and L_max denotes the maximum number of routing hops allowed in the communication link;
[0036] When the new node v_j satisfies the constraint function, v_j replaces the original initial expansion node, a further new node is selected for exploration, and the hop space satisfying the route hopping requirements is obtained.
[0037] As a preferred embodiment of the present invention, the communication link capacity corresponding to the communication delay and the non-overlapping constraint of the hop space includes:
[0038] A route hopping mechanism is set up for the new node v_j, which reduces the overlap between different paths when generating the hop space by imposing the premise that the same node cannot appear in the route hopping space more than once.
[0039] After the new path is placed into the routing space, the new node v_j continues the exploration as a new expansion node. If the new node does not satisfy the constraint function, exploration reverts to the initial expansion node, a new node is reselected from the adjacent node set of the initial expansion node, and exploration continues to obtain the communication link capacity.
[0040] As a preferred embodiment of the present invention, obtaining the path state matrix based on the communication link capacity includes:
[0041] Through the exploration of the new node v_j, the communication link capacity of the explored path is obtained, the remaining bandwidth of the network layer path and the amount of data forwarded along the path are obtained, and the path state matrix H_cd is constructed. The expression of the path state matrix H_cd is:
[0042]
[0043] where the entries denote the routing hop space of the j-th path between users A and B when they communicate. The weight of the j-th path's routing hop space is obtained from the remaining bandwidth C of the path in the k-th hopping cycle and from the amount of data D forwarded between user A and user B along the path in the k-th hopping cycle. The path influence weight in the k-th hopping cycle combines these two terms with the weighting coefficients p1 and p2.
[0044] In a preferred embodiment of the present invention, the weight of each link path in the path state matrix depends on the weight of the current network state and the remaining bandwidth and data forwarding volume of the corresponding path, and the corresponding network security state flow table is generated by updating the path state matrix.
[0045] As a preferred embodiment of the present invention, updating the network security state flow table in real time to support the real-time route hopping defense strategy includes:
[0046] Within the hop space of route hopping, a safe hopping period T is set, and the path state matrix is updated once every interval T.
[0047] The probability of selecting each path in the hop space and the corresponding hopping period are determined from the path state matrix, and the results are placed into the defense strategy set.
[0048] A random number in the interval [0,1] is generated with a random function. When the random number falls into the region of a certain path, that path and its hopping period are used as the route hopping defense strategy at the current moment.
[0049] Compared with the prior art, the present invention has the following advantages:
[0050] This invention uses GENEVE technology to construct a routing space monitoring model for the abnormal monitoring data, establishes an abnormal data monitoring mechanism, determines the legality of the data, and if abnormal data is found, it uses the proposed distance threshold constraint principle to detect and remove wormhole attack nodes, thereby effectively resisting data loss and tampering caused by wormhole attacks and maintaining network data security.
[0051] A backtracking method is used to generate the route hop space. By formalizing the constraints that need to be satisfied to generate the route hop space into a constraint function of the backtracking method, the time complexity of generating the hop space is optimized. A path state matrix is constructed by combining the path states on which route link attacks and eavesdropping attacks rely. A route hop defense strategy is generated based on the path state matrix, thereby realizing an adaptive and dynamically adjusted route hop defense strategy. It also provides a deceptive response to malicious probe packets, preventing attackers from obtaining real network topology information, thereby achieving a better defense effect.
Attached Figure Description
[0052] To more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are merely exemplary, and those skilled in the art can derive other embodiments based on the provided drawings without creative effort.
[0053] Figure 1 is a flowchart of the method for handling source routing attacks on IPv4 networks based on GENEVE provided in this embodiment of the invention.
Detailed Implementation
[0054] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0055] As shown in Figure 1, this invention provides a method for handling source routing attacks on IPv4 networks based on GENEVE, comprising the following steps:
[0056] Real-time network topology information, link nodes, and flow table information are obtained, and the topology information, link nodes, and flow table information are used as network status information. The maximum receiving distance threshold of the link nodes is calculated based on the network status information.
[0057] In this embodiment, network status information is used to obtain current network topology information and node information, and the influencing factors in the network are comprehensively considered. The maximum receiving distance threshold is obtained by calculating the maximum distance between link nodes under the current network status. The neighboring nodes are set by the maximum receiving distance threshold, which can maximize the utilization of the receiving signal capability of the neighboring nodes.
[0058] Based on the maximum receiving distance threshold, the parameters of the neighboring nodes are set to prevent attacking nodes from establishing malicious false neighbors and to obtain abnormal monitoring data by limiting the transmission distance of messages sent by the neighboring nodes.
[0059] In this embodiment, the maximum receiving distance threshold is used to set parameters for neighboring nodes based on the current network status, which effectively monitors the status of neighboring nodes under the current network status and can eliminate abnormal monitoring data in real time.
[0060] A routing space monitoring model is constructed based on the anomaly monitoring data. A hop space for routing hops is generated by backtracking. The communication link capacity corresponding to the communication latency and the non-overlapping constraints of the hop space is used to meet the bandwidth requirements of the communication path.
[0061] In this embodiment, the GENEVE technology is used to construct a routing space monitoring model from the anomaly monitoring data, which effectively expands the metadata of the data protocol contained in the routing space, making the application of the routing space monitoring model more flexible and able to effectively meet the bandwidth requirements of the communication path.
[0062] The path state matrix is obtained based on the communication link capacity. The weight coefficients are adjusted according to the current network security status using the path state matrix to generate a corresponding network security status flow table in order to cope with real-time route change defense strategies.
[0063] In this embodiment, the weight coefficient of the current network security status is adjusted according to the path state matrix. Since the weights of different paths in the routing transition space will be different, the probability of each path being selected and the corresponding transition period will also be different. Furthermore, the weight of each path will change dynamically as the path state changes. Compared with completely random path selection and fixed transition period, the defense strategy generated based on the path state matrix can adaptively adjust according to the attack behavior, thereby achieving a better defense effect.
[0064] Calculating the maximum receiving distance threshold of the link node from the network status information includes:
[0065] All path nodes are obtained, and one path node is selected as the source node. The distance between the source node and the destination node is calculated using the distance formula between two points. The loss between path nodes is obtained using the log-normal path loss function, whose expression is:
[0066] RD(d) = RD(d0) + 10·β·log10(d/d0) + S0
[0067] where RD(d) represents the path loss over the distance d between two path nodes, RD(d0) represents the path loss at the reference distance d0, β represents the path loss exponent, and S0 represents a normally distributed Gaussian random variable shared by all path nodes.
[0068] The minimum path loss output by the log-normal path loss function is used as the maximum receiving distance threshold of the link node.
[0069] The neighboring nodes of a link node in the network link are defined based on the maximum receiving distance threshold of the link node.
[0070] In this embodiment, the improved RSSI ranging technology sets the log-normal path loss function and measures the distance from each node to the initial base station to reduce energy consumption and time costs.
[0071] In this embodiment, the sequence number cn_i carried by the message group received by source node i is compared with the sequence number cn_i held by a counter that marks the most recently received message packet, to determine whether the received packet is a new message. If it is a new message, the loss between the corresponding path nodes is calculated for the source node, the sequence number is updated, the next new message is extracted, and the maximum receiving distance threshold for the corresponding link node is obtained.
[0072] Based on the maximum receiving distance threshold, neighbor node parameters are set, and anomaly monitoring data is obtained, including:
[0073] The reception probability of adjacent nodes in the network layer routing is obtained by the maximum number of retransmissions at the data link layer, and the maximum reception probability of adjacent nodes is set according to the maximum reception distance threshold.
[0074] The maximum reception probability is used to calculate the reception distance of the adjacent nodes of a given node. The transmit power declared by the source node of a received message and the received signal strength are determined, and the transmit power of the source node is compared with the corresponding transmit power level to decide whether the source node is a wormhole node.
[0075] A distance threshold is set based on the receiving distance of the adjacent nodes to limit the transmission distance of the neighboring nodes, preventing the wormhole nodes from establishing malicious false neighbors and obtaining abnormal monitoring data.
[0076] In this embodiment, GENEVE technology is used to define the source route type of the network layer route as Option Class 0x8888 and Type 0x88, which extends the network layer source route header so that the maximum number of retransmissions can be obtained, making the service more flexible.
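As an added illustration (not code from the patent), the following Python encodes and parses a GENEVE packet carrying a source-route option with the Option Class 0x8888 and Type 0x88 named above. The base-header and option layouts follow RFC 8926; the content of the option body (a maximum retransmission count, a hop count and a list of IPv4 hop addresses) is an assumption made for this example, as are all function names. One caveat the text does not mention: in RFC 8926 the most significant bit of the Type field is the critical bit, and 0x88 has that bit set, so a tunnel endpoint that does not recognise this option must drop the packet rather than skip the option. The parser enforces the length-consistency checks a receiver needs before trusting option contents.

```python
"""GENEVE (RFC 8926) base header plus a custom source-route option.

Added example; not the patent's code. Option body layout is assumed:
max_retx(1) hop_count(1) pad(2) then one 4-byte IPv4 address per hop.
"""
import ipaddress
import struct

SOURCE_ROUTE_CLASS = 0x8888   # option class named in the patent text
SOURCE_ROUTE_TYPE = 0x88      # option type named in the patent text (MSB = critical bit)
ETHERTYPE_IPV4 = 0x0800
MAX_HOPS = 30                 # 5-bit length field: at most 31 words, one used by the fixed fields


def build_source_route_option(max_retransmissions, hops):
    """Return the TLV bytes of one GENEVE option carrying the source route."""
    if not 0 <= max_retransmissions <= 0xFF:
        raise ValueError("max_retransmissions must fit in one byte")
    if not 1 <= len(hops) <= MAX_HOPS:
        raise ValueError("hop list must hold 1..%d addresses" % MAX_HOPS)
    body = struct.pack("!BBxx", max_retransmissions, len(hops))
    body += b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return struct.pack("!HBB", SOURCE_ROUTE_CLASS, SOURCE_ROUTE_TYPE, len(body) // 4) + body


def build_geneve_header(vni, options, critical=True):
    """8-byte base header (Ver=0, O=0) followed by the option area."""
    opt_words = len(options) // 4
    if len(options) % 4 or opt_words > 0x3F:
        raise ValueError("option area must be 4-byte aligned and at most 252 bytes")
    first = opt_words                        # Ver (2 bits) = 0, Opt Len in 4-byte words
    flags = (1 << 6) if critical else 0      # C bit: at least one critical option present
    return struct.pack("!BBHI", first, flags, ETHERTYPE_IPV4, vni << 8) + options


def parse_geneve(packet):
    """Parse the base header and the option list; reject inconsistent lengths."""
    if len(packet) < 8:
        raise ValueError("truncated GENEVE header")
    first, flags, proto, vni_field = struct.unpack("!BBHI", packet[:8])
    if first >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    opt_bytes = (first & 0x3F) * 4
    if len(packet) < 8 + opt_bytes:
        raise ValueError("Opt Len exceeds packet length")
    options, pos = [], 8
    while pos < 8 + opt_bytes:
        cls, typ, lenbyte = struct.unpack("!HBB", packet[pos:pos + 4])
        data_len = (lenbyte & 0x1F) * 4
        if pos + 4 + data_len > 8 + opt_bytes:
            raise ValueError("option length runs past the option area")
        options.append({"class": cls, "type": typ,
                        "critical": bool(typ & 0x80),   # RFC 8926: MSB of Type is the C bit
                        "data": packet[pos + 4:pos + 4 + data_len]})
        pos += 4 + data_len
    return {"vni": vni_field >> 8, "protocol": proto,
            "critical_present": bool(flags & 0x40),
            "options": options, "payload": packet[8 + opt_bytes:]}


def decode_source_route(option):
    """Decode the assumed option body; returns (max_retransmissions, [hops])."""
    data = option["data"]
    if len(data) < 4:
        raise ValueError("source-route option body too short")
    max_retx, hop_count = struct.unpack("!BBxx", data[:4])
    if len(data) != 4 + 4 * hop_count:
        raise ValueError("hop count does not match option length")
    hops = [str(ipaddress.IPv4Address(data[4 + 4 * i:8 + 4 * i])) for i in range(hop_count)]
    return max_retx, hops


def extract_source_route(packet):
    """Return the decoded source route, None if absent; raise on an unknown critical option."""
    for opt in parse_geneve(packet)["options"]:
        if opt["class"] == SOURCE_ROUTE_CLASS and opt["type"] == SOURCE_ROUTE_TYPE:
            return decode_source_route(opt)
        if opt["critical"]:
            raise ValueError("unknown critical option 0x%04x/0x%02x" % (opt["class"], opt["type"]))
    return None


if __name__ == "__main__":
    # Constructed sample: two-hop source route with three retransmissions allowed.
    opt = build_source_route_option(3, ["10.0.0.1", "10.0.0.2"])
    pkt = build_geneve_header(0x1234, opt) + b"inner-ipv4-packet"
    print(extract_source_route(pkt))
```

The receiver-side checks (version, Opt Len against packet length, each option's length against the option area, hop count against the body length) are the part worth keeping: a source-route option whose declared hop count exceeds its body is exactly the malformed input that an unchecked parser would read past.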
[0077] In this embodiment, during the neighbor node discovery phase, a certain node i broadcasts a HELLO message at a specific transmission power. When the surrounding neighbor nodes receive the HELLO message sent by node i, they first determine the transmission power declared by the source node of the message and the received signal strength. They then compare the transmission power of the source node with the corresponding transmission power level to determine whether the source node is a wormhole node. If the received message comes from a wormhole node with high transmission power, the message is an abnormal packet and is discarded. The data collected during the propagation of this message is regarded as abnormal monitoring data.
[0078] To prevent the wormhole node from establishing malicious false neighbors, it is necessary to establish safe neighbors between adjacent nodes and remove the abnormal monitoring data, including:
[0079] Calculate the distance between the source node and the base station at the network layer and the maximum receiving distance threshold S_max of the node, and load S_max into the corresponding source node;
[0080] At the data link layer, all path nodes are aggregated, and path node i transmits at a specific power P_r. Upon receiving a broadcast message from neighboring node i, a node extracts the transmit power of i, reads the signal strength indication value P_0, and determines whether the transmit power P_r of path node i is greater than the signal strength indication value P_0;
[0081] If path node i satisfies P_r > P_0, the received message is determined to come from a malicious node with high transmit power; the message from path node i is discarded as an abnormal packet, and the node does not establish a neighbor relationship with it;
[0082] If path node i does not satisfy P_r > P_0, path node i is added to the candidate neighbor node set N(k) of the node, the distance L_r between each node in N(k) and the base station is calculated, and it is determined whether L_r is greater than the maximum receiving distance threshold S_max;
[0083] If L_r is greater than S_max, the received message is determined to be an abnormal packet: it is a malicious replay by a wormhole node rather than a valid broadcast message, so it is discarded and the corresponding node is removed from N(k). If L_r is less than S_max, the node responds to the corresponding broadcast message, establishes a neighbor relationship with node i, and becomes a real neighbor of node i;
[0084] The candidate neighbor node set N(k) is looped over until all nodes in N(k) have been traversed, finally obtaining the true neighbor node set N_s(k) of node i.
[0085] In this embodiment, using the maximum receiving distance threshold S_max to limit the transmission distance of neighbor discovery messages effectively prevents wormhole nodes from establishing malicious fake neighbors, thereby constraining the neighbor set to safe neighbors.
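The neighbor-filtering procedure of paragraphs [0024] to [0029] and [0079] to [0084], together with the log-normal path loss model of [0014], as an added Python example that is not the patent's own code. The HELLO layout, the reading of P0 as the allowed transmit-power level, the model parameters, the function names and the sample nodes are assumptions for this example. The last check in filter_neighbors (RSSI-implied range against the range implied by the claimed position) goes beyond the patent text: it catches a HELLO replayed through a wormhole tunnel even when the claimed position lies within S_max of the base station.

```python
"""Wormhole-resistant neighbor discovery: added example, not the patent's code."""
import math
from dataclasses import dataclass


def path_loss_db(d, rd_d0, beta, d0=1.0, s0=0.0):
    """Log-normal model of [0014]: RD(d) = RD(d0) + 10*beta*log10(d/d0) + S0."""
    return rd_d0 + 10.0 * beta * math.log10(d / d0) + s0


def distance_from_loss(loss_db, rd_d0, beta, d0=1.0):
    """Invert the model with S0 = 0 to turn a measured loss into a range (RSSI ranging, [0070])."""
    return d0 * 10.0 ** ((loss_db - rd_d0) / (10.0 * beta))


def euclid(a, b):
    """Distance formula between two points ([0014])."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


@dataclass
class Hello:
    sender: str
    tx_power_dbm: float   # P_r declared by the sender inside the HELLO
    position: tuple       # sender coordinates; assumed to be carried in the HELLO
    rssi_dbm: float       # signal strength measured at the receiver


def filter_neighbors(hellos, receiver_pos, base_pos, s_max, p0_dbm, rd_d0, beta, tolerance=0.25):
    """Apply the checks of [0024]-[0029]; return (N_s, {rejected sender: reason})."""
    accepted, rejected = [], {}
    for h in hellos:
        # [0025]/[0026]: declared transmit power above the allowed level P0
        if h.tx_power_dbm > p0_dbm:
            rejected[h.sender] = "high transmit power"
            continue
        # [0027]/[0028]: candidate's distance L_r to the base station against S_max
        if euclid(h.position, base_pos) > s_max:
            rejected[h.sender] = "beyond S_max from base station (replay)"
            continue
        # Added check (not in the patent): the range implied by the RSSI must agree with
        # the range implied by the claimed position. A HELLO replayed through a tunnel
        # arrives far "closer" than its sender really is.
        rssi_range = distance_from_loss(h.tx_power_dbm - h.rssi_dbm, rd_d0, beta)
        geo_range = euclid(h.position, receiver_pos)
        if abs(rssi_range - geo_range) > tolerance * max(geo_range, 1.0):
            rejected[h.sender] = "RSSI range inconsistent with claimed position"
            continue
        accepted.append(h.sender)
    return accepted, rejected


RD_D0, BETA = 40.0, 2.5   # assumed model parameters: 40 dB loss at d0 = 1 m, exponent 2.5


def demo():
    """Constructed HELLO round: receiver at (10, 0), base station at (0, 0), S_max = 60 m, P0 = 0 dBm."""
    receiver, base = (10.0, 0.0), (0.0, 0.0)
    hellos = [
        # honest neighbor 5 m away whose RSSI matches the model prediction
        Hello("A", 0.0, (14.0, 3.0), -path_loss_db(5.0, RD_D0, BETA)),
        # node transmitting at 20 dBm, above the allowed level P0
        Hello("H", 20.0, (12.0, 0.0), -40.0),
        # node whose claimed position is 80 m from the base station (> S_max)
        Hello("W", 0.0, (80.0, 0.0), -50.0),
        # HELLO of a node 5 m away replayed through a tunnel: RSSI implies about 1.6 m
        Hello("R", 0.0, (15.0, 0.0), -45.0),
    ]
    return filter_neighbors(hellos, receiver, base, s_max=60.0, p0_dbm=0.0, rd_d0=RD_D0, beta=BETA)


if __name__ == "__main__":
    print(demo())
```

The tolerance of 25 percent absorbs the shadowing term S0 that the inversion ignores; in a real deployment it should be derived from the measured variance of S0 rather than fixed.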
[0086] Constructing a routing space monitoring model from the real neighbor node set N_s(k) and generating the hop space of route hopping by a backtracking method includes:
[0087] In the real neighbor node set N_s(k), whichever of the source node and the destination node has the smaller adjacent node set is selected as the initial expansion node. Before the initial expansion node starts exploring the path, all paths are reset and the initial expansion node is placed in the path.
[0088] In this embodiment, a backtracking method is used to search forward according to the preferred conditions to achieve the goal. The path is explored starting from the initial extended node. When the exploration reaches a certain step, if the selection meets the preferred conditions, the search continues forward; otherwise, it backtracks to the previous step and selects again. The backtracking method explores the solution space of the problem according to the depth-first strategy. The root node is called the extended node, and the child node being explored is called the new node. When the new node meets the preferred conditions, the new node becomes the new extended node and continues to be explored; otherwise, it backtracks to the extended node and selects a new node.
[0089] Randomly select a node from the set of neighboring nodes of the initial expanded node as a new node, and remove the node from the set of neighboring nodes to avoid repeated exploration;
[0090] The network layer routing space is modeled as an undirected graph, and the constraint function is applied to the new node v_j. The constraint function is:
[0091] C(v_{i,j}) ≥ C_i and D(v_j) ≤ L_max
[0092] where v_{i,j} denotes the link connecting any node v_i with the new node v_j, C(v_{i,j}) denotes the available forwarding capacity of link v_{i,j}, C_i denotes the required link capacity threshold of the communication link, D(v_j) denotes the exploration depth of the new node v_j, and L_max denotes the maximum number of routing hops allowed in the communication link;
[0093] In this embodiment, the phenomenon of data packet loss due to link congestion is avoided by constraining the link forwarding capacity. When generating the route hop space, the available bandwidth of the communication path should be constrained to ensure that the generated path can provide reliable data transmission services.
[0094] When the new node v_j satisfies the constraint function, v_j replaces the original initial expansion node, a further new node is selected for exploration, and the hop space satisfying the route hopping requirements is obtained.
[0095] In this embodiment, the routing hopping mechanism typically generates a hopping space in conjunction with constraints. To ensure that the hopping space generated based on the backtracking method meets the user's communication needs while also satisfying the unpredictability of the routing hopping mechanism, the routing hopping space generated based on the backtracking method is mainly constrained from three aspects: link capacity, transmission delay, and non-overlapping.
[0096] The communication link capacity corresponding to the communication latency and the non-overlapping constraint of the hop space includes:
[0097] A route hopping mechanism is set up for the new node v_j, which reduces the overlap between different paths when generating the hop space by imposing the premise that the same node cannot appear in the route hopping space more than once.
[0098] After the new path is placed into the routing space, the new node v_j continues the exploration as a new expansion node. If the new node does not satisfy the constraint function, exploration reverts to the initial expansion node, a new node is reselected from the adjacent node set of the initial expansion node, and exploration continues to obtain the communication link capacity.
[0099] In this embodiment, the node with the smaller set of adjacent nodes in the source and destination nodes is used as the initial expansion node, and the node with the larger set of adjacent nodes is used as the destination node for exploration. This reduces the complexity of generating the jump space. Similarly, based on the non-overlapping constraint, when exploring from a certain adjacent node of the initial expansion node and obtaining a path that satisfies the constraint function, we can directly backtrack to the initial expansion node and reselect a new node for exploration, avoiding additional invalid exploration and reducing the complexity of generating the jump space using the backtracking method.
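The backtracking generation of the hop space described in paragraphs [0030] to [0039] and [0086] to [0099], as an added Python example that is not the patent's own code. The topology, the link capacities and the names GRAPH and generate_hop_space are constructed for this example. The constraint function is applied as C(v_ij) >= C_i on every link and D(v_j) <= L_max on the depth, and the non-overlap premise is enforced by reserving the intermediate nodes of every accepted path, so that after one path is found the search backtracks straight to the initial expansion node as [0099] describes.

```python
"""Backtracking hop-space generation: added example, not the patent's code."""
import random

# Undirected graph with per-link available forwarding capacity C(v_ij) (e.g. Mbit/s).
# Constructed sample topology: S and T are the communicating endpoints.
GRAPH = {
    "S": {"A": 10, "B": 8, "C": 2},
    "A": {"S": 10, "D": 10},
    "B": {"S": 8, "E": 9},
    "C": {"S": 2, "E": 9},
    "D": {"A": 10, "T": 10},
    "E": {"B": 9, "C": 9, "T": 9},
    "T": {"D": 10, "E": 9},
}


def generate_hop_space(graph, source, dest, c_threshold, l_max, rng=None):
    """Return a list of node-disjoint source-to-dest paths forming the hop space.

    Every link on a returned path satisfies C(v_ij) >= c_threshold (C_i), every
    path has at most l_max hops (L_max), and no intermediate node appears in two paths.
    """
    rng = rng or random.Random(0)
    # [0099]: expand from the endpoint with the smaller adjacent-node set
    start, goal = (dest, source) if len(graph[dest]) < len(graph[source]) else (source, dest)
    used = set()          # intermediate nodes already placed in the hop space
    hop_space = []

    def satisfies(prev, node, depth, path):
        """Constraint function of [0033] plus the non-overlap premise of [0038]."""
        return (graph[prev][node] >= c_threshold
                and depth <= l_max
                and node not in path
                and node not in used)

    def explore(path):
        cur = path[-1]
        if cur == goal:
            return True
        neighbours = list(graph[cur])
        rng.shuffle(neighbours)              # [0032]: random choice of the next node
        for nxt in neighbours:
            if satisfies(cur, nxt, len(path), path):
                path.append(nxt)             # v_j becomes the new expansion node
                if explore(path):
                    return True
                path.pop()                   # backtrack to the previous expansion node
        return False

    first_hops = list(graph[start])
    rng.shuffle(first_hops)
    for first in first_hops:                 # each neighbour of the initial node is tried once
        path = [start]
        if satisfies(start, first, 1, path):
            path.append(first)
            if explore(path):
                used.update(path[1:-1])      # reserve the interior nodes for non-overlap
                hop_space.append(path if start == source else path[::-1])
    return hop_space


if __name__ == "__main__":
    for p in generate_hop_space(GRAPH, "S", "T", c_threshold=5, l_max=4):
        print(" -> ".join(p))
```

With C_i = 5 and L_max = 4 the sample yields the two disjoint paths S-A-D-T and S-B-E-T; the link S-C (capacity 2) is never used, and raising C_i to 9 leaves only S-A-D-T because S-B has capacity 8. Because first-hop order is random, the set of paths is stable but their order is not, which is what the route hopping mechanism wants.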
[0100] Obtaining the path state matrix based on the communication link capacity includes:
[0101] Through the exploration of the new node v_j, the communication link capacity of the explored path is obtained, the remaining bandwidth of the network layer path and the amount of data forwarded along the path are obtained, and the path state matrix H_cd is constructed. The expression of the path state matrix H_cd is:
[0102]
[0103] where the entries denote the routing hop space of the j-th path between users A and B when they communicate. The weight of the j-th path's routing hop space is obtained from the remaining bandwidth C of the path in the k-th hopping cycle and from the amount of data D forwarded between user A and user B along the path in the k-th hopping cycle. The path influence weight in the k-th hopping cycle combines these two terms with the weighting coefficients p1 and p2.
[0104] In this embodiment, when defending against link flooding attacks, the weight coefficients p1 and p2 can be set to p1=1 and p2=0. The path state matrix is then determined only by the remaining bandwidth of the path: paths with more remaining bandwidth receive higher weights, and the defense benefit against link flooding attacks is maximized. When defending against eavesdropping attacks, the weight coefficients can be set to p1=0 and p2=1. The path state matrix is then determined only by the forwarded data volume of the path: paths with a larger forwarded data volume receive lower weights, and the defense benefit against eavesdropping attacks is maximized. Under normal circumstances, the default weight coefficients are p1=0.5 and p2=0.5.
[0105] In the path state matrix, the weight of each link path depends on the weight of the current network state, as well as the remaining bandwidth and data forwarding volume of the corresponding path. The corresponding network security state flow table is generated by updating the path state matrix.
[0106] In this embodiment, the weight of each path in the path state matrix depends on the weight coefficient of the current network state, as well as the remaining bandwidth and data forwarding volume of the path. The remaining bandwidth and data forwarding volume of the path reflect the current state of the path, and the weight coefficient can be used to dynamically adjust the defense strategy to deal with different attacks.
[0107] The network security state flow table is updated in real time to support the real-time route hopping defense strategy, which includes:
[0108] Within the hop space of the route hopping, a secure hopping period T is set, and the path state matrix is updated once every interval T.
[0109] The selection probability of each path in the hop space and the corresponding hopping period are determined from the path state matrix, and the results are placed in the defense strategy set.
[0110] A random number in the interval [0,1] is generated with a random function. When the random number falls within the interval assigned to a certain path, that path and its hopping period are used as the route hopping defense strategy at the current moment.
[0111] In this embodiment, a path state matrix is constructed by combining the current network state with the link state on which the attack behavior relies, and a route hopping defense strategy is generated from the path state matrix. When attack behavior is detected, the secure hopping period can be shortened, making hopping more frequent and the defense more reliable. When no attack behavior is detected, the secure hopping period can be lengthened, making hopping less frequent and reducing system overhead. Since the weight value of each path in the path state matrix is no greater than 1, the hopping period of each path lies within the secure hopping period.
[0112] In this embodiment, the selection probability of each path and its corresponding hopping period differ, and the weight of each path changes dynamically as the path state changes. Compared with completely random path selection and a fixed hopping period, the defense strategy generated from the path state matrix adapts to the attack behavior and thereby achieves a better defense effect.
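The path state weights of paragraphs [0103] and [0104] and the hopping strategy of paragraphs [0107] to [0112], as an added Python example that is not part of the patent. It uses the coefficient settings the text gives (p1=p2=0.5 by default, p1=1/p2=0 against link flooding, p1=0/p2=1 against eavesdropping), assigns each path a sub-interval of [0,1] proportional to its weight, and bounds each hopping period by the secure period T. How the two per-path terms are normalized to at most 1 is an assumption, and the per-path bandwidth and data figures are constructed; a caller that has detected an attack would simply pass a shorter T.

```python
"""Added example (not the patent's own code): path state weights from remaining
bandwidth and forwarded data volume, and the route hopping decision derived from
them. Normalization of the two terms is assumed; the sample figures are constructed."""
import random

# Coefficient settings as given in the text: normal, link flooding, eavesdropping.
MODE_COEFFS = {"normal": (0.5, 0.5), "link_flooding": (1.0, 0.0), "eavesdropping": (0.0, 1.0)}

# Constructed sample for one hopping cycle: path -> (remaining bandwidth Mbit/s, forwarded data MB).
SAMPLE_PATHS = {"P1": (80.0, 10.0), "P2": (40.0, 30.0), "P3": (20.0, 60.0)}


def path_weights(paths, p1, p2):
    """Weight w = p1 * w_C + p2 * w_D for each path.

    Assumed normalization: w_C = C / max(C) (more spare bandwidth, higher weight) and
    w_D = min(D) / D (more forwarded data, lower weight). Both lie in (0, 1], so w <= 1
    whenever p1 + p2 = 1, which keeps every hopping period within T.
    """
    if abs(p1 + p2 - 1.0) > 1e-9:
        raise ValueError("p1 + p2 must equal 1")
    max_c = max(c for c, _ in paths.values())
    min_d = min(d for _, d in paths.values())
    weights = {}
    for name, (c, d) in paths.items():
        w_c = c / max_c if max_c > 0 else 1.0
        w_d = min_d / d if d > 0 else 1.0
        weights[name] = p1 * w_c + p2 * w_d
    return weights


def build_strategy(weights, period_t):
    """Defense strategy set: a sub-interval of [0,1] proportional to each weight and a
    hopping period w * T, which never exceeds the secure period T."""
    total = sum(weights.values())
    strategy, low = [], 0.0
    for name, w in weights.items():
        prob = w / total
        strategy.append({"path": name, "low": low, "high": low + prob, "period": w * period_t})
        low += prob
    strategy[-1]["high"] = 1.0   # absorb floating-point slack at the top of the interval
    return strategy


def choose_path(strategy, r):
    """Map a random number r in [0,1] to the path whose interval contains it."""
    for entry in strategy:
        if entry["low"] <= r < entry["high"]:
            return entry["path"], entry["period"]
    return strategy[-1]["path"], strategy[-1]["period"]   # r == 1.0


def hop(paths, mode, period_t, rng=random):
    """One hopping decision for the current cycle under the given defense mode."""
    p1, p2 = MODE_COEFFS[mode]
    strategy = build_strategy(path_weights(paths, p1, p2), period_t)
    return choose_path(strategy, rng.random())


if __name__ == "__main__":
    for mode in MODE_COEFFS:
        print(mode, hop(SAMPLE_PATHS, mode, period_t=10.0))
```

With the sample figures and the default coefficients, P1 carries weight 1.0, P2 5/12 and P3 5/24, so P1 is selected about 62% of the time and hops at the full period T while P3 hops roughly every T/5.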
[0113] This invention uses GENEVE technology to construct a routing space monitoring model for the abnormal monitoring data, establishes an abnormal data monitoring mechanism, determines the legality of the data, and if abnormal data is found, it uses the proposed distance threshold constraint principle to detect and remove wormhole attack nodes, thereby effectively resisting data loss and tampering caused by wormhole attacks and maintaining network data security.
[0114] A backtracking method is used to generate the route hop space. By formalizing the constraints that need to be satisfied to generate the route hop space into a constraint function of the backtracking method, the time complexity of generating the hop space is optimized. A path state matrix is constructed by combining the path states on which route link attacks and eavesdropping attacks rely. A route hop defense strategy is generated based on the path state matrix, thereby realizing an adaptive and dynamically adjusted route hop defense strategy. It also provides a deceptive response to malicious probe packets, preventing attackers from obtaining real network topology information, thereby achieving a better defense effect.
[0115] The above embodiments are merely exemplary embodiments of this application and are not intended to limit this application. The scope of protection of this application is defined by the claims. Those skilled in the art can make various modifications or equivalent substitutions to this application within its substance and scope of protection, and such modifications or equivalent substitutions should also be considered to fall within the scope of protection of this application.
Claims
1. A method for handling source routing attacks on IPv4 networks based on GENEVE, characterized in that it includes the following steps: real-time network topology information, link nodes and flow table information are obtained, and the topology information, link nodes and flow table information are used as network status information; the maximum receiving distance threshold of the link nodes is calculated from the network status information; based on the maximum receiving distance threshold, the parameters of the neighboring nodes are set to prevent attacking nodes from establishing malicious false neighbors, and abnormal monitoring data is obtained by limiting the transmission distance of messages sent by the neighboring nodes; a routing space monitoring model is constructed from the abnormal monitoring data, and a hop space for route hopping is generated by backtracking; the communication link capacity corresponding to the communication latency and the non-overlapping constraint of the hop space is used to meet the bandwidth requirements of the communication path; the path state matrix is obtained from the communication link capacity; using the path state matrix, the weight coefficients are adjusted according to the current network security status to generate the corresponding network security status flow table, so as to support the real-time route hopping defense strategy. Calculating the maximum receiving distance threshold of the link node from the network status information includes: obtaining all path nodes, selecting one path node as the source node, calculating the distance between the source node and the destination node using the distance formula between two points, and obtaining the loss between the path nodes using the log-normal path loss function, whose expression is: ; where: indicates the path loss of the path between two path nodes; indicates the path loss at the unit distance; represents the path loss coefficient;
and represents a Gaussian random variable with all path nodes in a normally distributed state; the minimum path loss output by the log-normal path loss function is used as the maximum receiving distance threshold of the link node, and the neighboring nodes of a link node in the network link are defined according to the maximum receiving distance threshold of the link node. Obtaining the path state matrix from the communication link capacity includes: through the new node, exploring the communication link capacity of the path and obtaining the remaining bandwidth of the network layer path and the amount of data forwarded along the path to construct the path state matrix, whose expression is: ; where: indicates the routing hop space of the j-th path between user A and user B during their communication; indicates the weight of the routing hop space of the j-th path, obtained from the remaining bandwidth of the path; indicates the remaining bandwidth of the path in the k-th hopping cycle; represents the weight of the path obtained from the amount of forwarded data; indicates the amount of data transmitted over the path between user A and user B in the k-th hopping cycle; indicates the path influence weight in the k-th hopping cycle; and p1 and p2 are the weighting coefficients of the path.
2. The method for handling source routing attacks on IPv4 networks based on GENEVE according to claim 1, characterized in that setting the neighbor node parameters based on the maximum receiving distance threshold and obtaining the anomaly monitoring data includes: the reception probability of adjacent nodes in network-layer routing is obtained from the maximum number of retransmissions at the data link layer, and the maximum reception probability of adjacent nodes is set according to the maximum receiving distance threshold; the maximum reception probability is used to calculate the reception distance of the adjacent nodes of a given node; the transmission power and received signal strength of the source node of the received information are determined, and the transmission power of the source node is compared with the corresponding transmission power level to determine whether the source node is a wormhole node; a distance threshold is set from the receiving distance of the adjacent nodes to limit the transmission distance of the neighboring nodes, preventing wormhole nodes from establishing malicious false neighbors, and the abnormal monitoring data is obtained.
3. The method for handling source routing attacks on IPv4 networks based on GENEVE according to claim 2, characterized in that, to prevent wormhole nodes from establishing malicious false neighbors, safe neighbor relationships must be established between adjacent nodes and the abnormal monitoring data removed, which includes: calculating the distance between the source node and the base station in the network layer and the maximum receiving distance threshold of the node, and loading the maximum receiving distance threshold into the corresponding source node; in the data link layer, aggregating all path nodes, each path node broadcasting a message with a specific transmission power that is received by its neighboring nodes; after the broadcast message is sent, reading the transmission power and the signal strength indicator value; determining whether the transmission power of the path node is greater than the signal strength indicator value; if the path node satisfies this condition, the received message is determined to originate from a malicious node with high transmission power, the path node is discarded as an abnormal group, and the node does not establish a neighbor relationship with it; if the path node does not satisfy this condition, the path node is added to the set of candidate neighbor nodes; in the process, the distance between every node in the candidate neighbor node set and the base station is calculated, and it is determined whether that distance is greater than the maximum receiving distance threshold; if the distance is greater than the maximum receiving distance threshold, the received message is determined to be an abnormal packet, indicating malicious replay by a wormhole node rather than a valid broadcast message, it is discarded, and the corresponding node is removed from the set; if the distance
is less than the maximum receiving distance threshold, the corresponding broadcast message is replied to, and the node establishes a neighbor relationship and becomes a real neighbor of the node; a loop is run over the candidate neighbor node set until all items have been traversed, and the set of real neighbor nodes of the final node is obtained.
4. The method for handling source routing attacks on IPv4 networks based on GENEVE according to claim 3, characterized in that constructing a routing space monitoring model for the set of real neighbor nodes and generating the hop space of route hopping using a backtracking method includes: in the set of real neighbor nodes, selecting, among the source node and the destination node, the node with the smallest distance between adjacent nodes as the initial expansion node; before the initial expansion node starts exploring a path, resetting all paths and placing the initial expansion node in the path; randomly selecting a node from the set of neighboring nodes of the initial expansion node as the new node and removing it from the set of neighboring nodes to avoid repeated exploration; modeling the network-layer routing space as an undirected graph and applying the constraint function to the new node, the constraint function expression being: ; where: indicates the link connecting any node and the new node; indicates the available forwarding capacity of the link; represents the threshold of link capacity required for a communication link; indicates the exploration depth of the new node; and indicates the maximum number of routing hops allowed in the communication link; when the path obtained with the new node satisfies the constraint function, the new node replaces the original initial expansion node and a new node is selected for exploration, so as to obtain the hop space that satisfies the route hopping.
5. A method for handling source routing attacks on IPv4 networks based on GENEVE according to claim 4, characterized in that the communication link capacity corresponding to the communication latency and the non-overlapping constraint of the hop space includes: a route hopping mechanism is set up for the new node, which reduces the overlap between different paths when generating the hop space by imposing the premise that the same node cannot appear in the route hop space multiple times; after the new node is placed into the new path in the routing space, exploration continues with the new node as the new extension node; if the new node does not satisfy the constraint function, the search reverts to the initial extension node and reselects a new node from the set of adjacent nodes of the initial extension node to explore, thereby obtaining the communication link capacity.
6. The method for handling source routing attacks on IPv4 networks based on GENEVE according to claim 5, characterized in that, in the path state matrix, the weight of each link path depends on the weight of the current network state as well as the remaining bandwidth and data forwarding volume of the corresponding path, and the corresponding network security state flow table is generated by updating the path state matrix.
7. A method for handling source routing attacks on IPv4 networks based on GENEVE according to claim 6, characterized in that updating the network security state flow table in real time to support the real-time route hopping defense strategy includes: within the hop space of the route hopping, a secure hopping period T is set, and the path state matrix is updated once every interval T; the selection probability of each path in the hop space and the corresponding hopping period are determined from the path state matrix, and the results are placed in the defense strategy set; a random number in the interval [0,1] is generated with a random function, and when the random number falls within the interval assigned to a certain path, that path and its hopping period are used as the route hopping defense strategy at the current moment.
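The neighbor validation loop of claims 2 and 3, as an added Python example that is not part of the patent. A candidate's declared transmission power is compared with the permitted transmission power level (the comparison named in claim 2), and its distance to the base station, computed with the two-point distance formula of claim 1, is compared with the maximum receiving distance threshold; only candidates passing both checks become real neighbors, the others are recorded as abnormal monitoring data with the reason. The threshold is derived here by inverting the mean log-normal path loss model PL(d) = PL(d0) + 10 n log10(d/d0) + X_sigma for a given receiver sensitivity; that inversion, the permitted power level, the loss parameters and every node figure are assumptions or constructed sample data.

```python
"""Added example (not the patent's own code): validating candidate neighbors by
transmission power level and by distance against the maximum receiving distance
threshold, the threshold coming from the log-normal path loss model. All
parameters and node data below are assumed / constructed."""
import math

# Constructed sample: base station at the origin; candidates with position (m) and declared tx power (dBm).
SAMPLE_BASE = (0.0, 0.0)
SAMPLE_CANDIDATES = {
    "n1": {"pos": (30.0, 40.0), "tx_dbm": 10.0},   # 50 m, permitted power -> real neighbor
    "n2": {"pos": (60.0, 90.0), "tx_dbm": 10.0},   # ~108 m, beyond the threshold -> replay suspect
    "n3": {"pos": (10.0, 10.0), "tx_dbm": 20.0},   # over the permitted power level -> high-power suspect
}
PERMITTED_TX_DBM = 10.0      # assumed transmission power level of a legitimate node
RX_SENSITIVITY_DBM = -70.0   # assumed minimum usable received signal strength
PL_D0_DB, PATH_LOSS_EXP = 40.0, 2.0   # assumed loss at d0 = 1 m and path loss coefficient


def distance(a, b):
    """Distance formula between two points (claim 1)."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def log_normal_path_loss(d, pl_d0=PL_D0_DB, n=PATH_LOSS_EXP, d0=1.0, x_sigma=0.0):
    """Log-normal path loss in dB; x_sigma is the Gaussian shadowing term (0 gives the mean)."""
    return pl_d0 + 10.0 * n * math.log10(d / d0) + x_sigma


def max_receiving_distance(tx_dbm, sensitivity_dbm, pl_d0=PL_D0_DB, n=PATH_LOSS_EXP, d0=1.0):
    """Largest d at which tx_dbm - PL(d) still reaches the sensitivity (mean model, no shadowing)."""
    return d0 * 10.0 ** ((tx_dbm - sensitivity_dbm - pl_d0) / (10.0 * n))


def select_real_neighbors(candidates, base, max_dist, permitted_tx):
    """Return (real neighbors, {rejected node: reason}) following the claim 3 loop."""
    real, rejected = [], {}
    for name, info in candidates.items():
        # Power check: a declared power above the permitted level is treated as a high-power node.
        if info["tx_dbm"] > permitted_tx:
            rejected[name] = "transmit power above permitted level"
            continue
        # Distance check: beyond the threshold the broadcast cannot have been received directly.
        d = distance(info["pos"], base)
        if d > max_dist:
            rejected[name] = "beyond maximum receiving distance (possible wormhole replay)"
            continue
        real.append(name)
    return real, rejected


if __name__ == "__main__":
    threshold = max_receiving_distance(PERMITTED_TX_DBM, RX_SENSITIVITY_DBM)
    print(f"max receiving distance: {threshold:.1f} m")
    print(select_real_neighbors(SAMPLE_CANDIDATES, SAMPLE_BASE, threshold, PERMITTED_TX_DBM))
```

With the assumed parameters the threshold works out to 100 m, so n1 becomes a real neighbor, n2 is rejected for distance and n3 for exceeding the permitted transmission power level.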