
Published: 2023-01-03 Authors: 徐恪, 冯学伟, 李琦, 朱敏


Abstract (Chinese original, translated): Focusing on the key problem of secure and trusted end-to-end transmission in connectionless networks, and starting from the working principles of the Internet, this paper proposes key technologies for Internet end-to-end transmission with security, trustworthiness and active-defense capabilities. These include protocol-stack vulnerability detection and defense based on cross-layer interaction and semantic consistency, packet-forwarding correctness detection based on random labels and hierarchical verification, and transmission-connection trust detection based on frequency-domain analysis and interaction-graph construction. Together they form a closed security loop over the full life cycle of packet data in three stages: reliable generation, secure transmission and trusted application, effectively strengthening the overall security of the Internet. Results from large-scale application and deployment in real network environments show that the proposed methods can effectively resist various attacks against the Internet, including denial of service (DoS), traffic hijacking, identity spoofing and route tampering.
Abstract: The key issues of secure and trusted end-to-end transmission in connectionless networks are addressed. Aiming to ensure consistency between network policies and end-to-end transmission behavior, a new technique based on the working principles of the Internet is presented: identifying and mitigating vulnerabilities in protocol stacks by leveraging cross-layer interactions and semantic consistency analysis, detecting the correctness of packet forwarding paths by leveraging random labels and hierarchical verification, and identifying the reliability of transmission connections by leveraging frequency-domain analysis and interaction graph construction. Our technique ensures the reliable generation, safe transmission and trusted application of IP packets across a three-stage life cycle, thus enhancing the security of the Internet. Through large-scale applications and deployments in the real world, experimental results show that our technique can effectively mitigate the threats of denial of service (DoS), traffic hijacking, identity spoofing, and route tampering.
Keywords: Internet architecture; end-to-end transmission; semantic consistency; path verification; malicious traffic detection