基于匿名化流表的网络数据分组实时匿名方法

doi:10.11959/j.issn.1000-436x.2016214

通信学报 ›› 2016, Vol. 37 ›› Issue (11): 11-22.doi: 10.11959/j.issn.1000-436x.2016214

基于匿名化流表的网络数据分组实时匿名方法

韩春静^1,^2,³,葛敬国³,谢高岗¹,李亮雄³,李佟³,刘韵洁¹

¹ 中国科学院计算技术研究所，北京 100190
² 中国科学院大学，北京100049
³ 中国科学院信息工程研究所，北京 100093

出版日期:2016-11-25 发布日期:2016-11-30
基金资助:
中国科学院先导专项基金资助项目;国家自然科学青年基金资助项目;国家重点基础研究发展计划（“973”计划）基金资助项目;国家高技术研究发展计划（“863”计划）基金资助项目

Online trace anonymization based on anonymous flow table

Chun-jing HAN^1,^2,³,Jing-guo GE³,Gao-gang XIE¹,Liang-xiong LI³,Tong LI³,Yun-jie LIU¹

¹ Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China
² University of Chinese Academy of Sciences, Beijing 100049, China
³ Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China

Online:2016-11-25 Published:2016-11-30
Supported by:
The Strategic Priority Research Program of the Chinese Academy of Sciences;The National Natural Science Youth Foundation of China;The National Basic Research Program of China (973 Program);The National High Technology Research and Development Program of China (863 Program)

摘要/Abstract

摘要：

提出了基于匿名化流表的网络数据分组实时匿名方法（Fad-Pan,online trace anonymization based on the anonymous flow table），主要研究Fad-Pan算法以及研发基于DPDK的Fad-Pan原型系统。实验结果表明，Fad-Pan算法比已有的方法在匿名化速度上提高了20倍以上，单个普通服务器可以实时处理万兆链路的IPv4和IPv6流量数据。

关键词: 网络流量匿名化, Fad-Pan, AFT, DPDK

Abstract:

A real-time network packet anonymous method named Fad-Pan (online trace anonymization based on the anonymous flow table) was proposed. The Fad-Pan algorithm was studied and an online trace anonymization prototype system based on DPDK library was developed. The experimental results prove that the Fad-Pan algorithm is faster more than 20 times than the existing method, and a single server can handle the real-time IPv4 and IPv6 traffic of the 10 Gbit/s link used by the Fad-Pan.

Key words: network trace anonymization, Fad-Pan, AFT, DPDK

韩春静,葛敬国,谢高岗,李亮雄,李佟,刘韵洁. 基于匿名化流表的网络数据分组实时匿名方法[J]. 通信学报, 2016, 37(11): 11-22.

Chun-jing HAN,Jing-guo GE,Gao-gang XIE,Liang-xiong LI,Tong LI,Yun-jie LIU. Online trace anonymization based on anonymous flow table[J]. Journal on Communications, 2016, 37(11): 11-22.

图/表 13

图1

图2

图3

图4

图5

表1

表2

表3

表4

表5

表6

图6

图7

参考文献 34

[1]	JAIN S , KUMAR A , MANDAL S , et al. B4: experience with a glob-ally-deployed software defined WAN[J]. ACM SIGCOMM Computer Communication Review, 2013,43(4):3-14.
[2]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H , et al. Open-flow: enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2):69-74.
[3]	ZHANG L , ESTRIN D , BURKE J , et al. Named data networking (NDN) project[J]. Relatório Técnico NDN-0001, Xerox Palo Alto Re-search Center-PARC, 2010.
[4]	HAN D , ANAND A , DOGAR F R , et al. XIA: efficient support for evolvable internetworking[C]// Presented as part of the 9th USENIX Symposium on Networked Systems Design and Implementation (NSDI 12). 2012:309-322.
[5]	PANG R , ALLMAN M , PAXSON V , et al. The devil and packet trace anonymization[J]. ACM SIGCOMM Computer Communication Re-view, 2006,36(1):29-38.
[6]	FUENTES F , KAR D C . Ethereal vs tcpdump: a comparative study on packet sniffing tools for educational purpose[J]. Journal of Computing Sciences in Colleges, 2005,20(4):169-176.
[7]	LI Y , SLAGELL A , LUO K , et al. Canine: a combined conversion and anonymization tool for processing netflows for security[C]// International Conference on Telecommunication Systems Modeling and Analysis. 2005:21.
[8]	PANG R , ALLMAN M , PAXSON V , et al. The devil and packet trace anonymization[J]. ACM SIGCOMM Computer Communication Re-view, 2006,36(1):29-38.
[9]	SLAGELL A J , LAKKARAJU K , LUO K . FLAIM: a multi-level anonymization framework for computer and network logs[C]// LISA. 2006,6:3-8.
[10]	FARAH T , TRAJKOVIC L . Anonym: a tool for anonymization of the Internet traffic[C]// IEEE International Conference on Cybernetics (CYBCONF). IEEE, 2013:261-266.
[11]	LIN Y D , LIN P C , WANG S H , et al. Pcaplib: a system of extracting, classifying, and anonymizing real packet traces[J]. IEEE Systems Journal, 2016,10(2):520-531.
[12]	PAUL R R , VALGENTI V C , KIM M S . Real-time net shuffle: graph distortion for on-line anonymization[C]// The 2011 19th IEEE Interna-tional Conference on Network Protocols. IEEE Computer Society, 2011:133-134.
[13]	DINKAR K P , JAIN S A . Security and privacy preserving policy in mobile crowd sensing[J]. International Journal of Engineering Science, 2016,5206.
[14]	BLANTON E . Tcpurify: TCP packet sniffer[EB/OL]. (2002-9)..
[15]	BELLARE M . Practice-oriented provable-security[J]. Lecture Notes in Computer Science, 1998,156(11):221-231.
[16]	FAN J , XU J , AMMAR M H , et al. Prefix-preserving IP address ano-nymization: measurement-based security evaluation and a new cryp-tography-based scheme[J]. Computer Networks, 2004,46(2):253-72.
[17]	DAEMEN J , RIJMEN V . AES proposal: Rijndael[S]. US: NIST, 2003.
[18]	NATARAJAN S , WOLF T . Network-level privacy for hosted cloud services[C]// 2014 International Conference and Workshop on the Network of the Future (NOF), IEEE, 2014:1-8.
[19]	LI S , DOH I , CHAE K . An anonymous IP-based privacy protection routing mechanism for CDN[C]// 2016 International Conference on Information Networking (ICOIN). 2016:75-80.
[20]	RAMASWAMY R , WOLF T . High-speed prefix-preserving IP address anonymization for passive measurement systems[J]. IEEE/ACM Transactions on Networking, 2007,15(1):26-39.
[21]	史冰，吴连国，丁伟 . IP 地址前缀保留匿名化算法的改进[J]. 微电子学与计算机, 2007,24(10):167-170. SHI B , WU L G , DING W . Improvement of prefix-preserving IP address anonymization algorithm[J]. Microelectronics ＆ Computer, 2007,24(10):167-170.
[22]	JENKINS J R J . Isaac[C]// Fast Software Encryption. Springer Berlin Heidelberg, 1996:41-49.
[23]	ZHANG P , HUANG X , LUO M , et al. Fast restorable prefix- preserv-ing IP address anonymization for IPv4/IPv6[J]. The Journal of China Universities of Posts and Telecommunications, 2010,17:93-98.
[24]	CAO K , LI Y , YANG H , et al. Poster: an online prefix-preserving IP address anonymization algorithm for passive measurement sys-tems[C]// International Conference on Security and Privacy in Com-munication Systems. Springer International Publishing, 2015:581-584.
[25]	AHUJA R K , MAGNANTI T L , ORLIN J B . Network flows[R]. School of Management Cambridge, MA, 1988.
[26]	THOMPSON K , MILLER G J , WILDER R . Wide-area Internet traffic patterns and characteristics[J]. Network, 1997,11(6):10-23.
[27]	张广兴，张大方，谢高岗，等． Internet 城域出口链路流量测量与特征分析[J]. 电子学报, 2007,35(11):2092-2097. ZHANG G X , ZHANG D F , XIE G G , et al. Internet traffic measure-ment and characteristic analysis on output link of metro area net-work[J]. Acta Electronica Sinica, 2007,35(11):2092-2097.
[28]	BAKSHI R , CUDRE M P , WYLOT M . A comparison of different data structures to store RDF data[R]. 2013.
[29]	GOGLIN S D , CORNETT L . Flexible and extensible receive side scaling: U.S. Patent 7,584,286[P]. 2009-9-1.
[30]	WOO S , PARK K . Scalable TCP session monitoring with symmetric receive-side scaling[R]. Korea: KAIST, 2012.
[31]	VIEGA J , MESSIER M , CHANDRA P , . Network security with openssl:cryptography for secure communications[M]. O'Reilly Media, Inc, 2002.
[32]	KROYETZ T , ROGAWAY P . The software performance of authenti-cated-encryption modes[C]// Fast Software Encryption. Springer Berlin Heidelberg, 2011:306-327.
[33]	ALMEIDA V , BESTTAYROS A , CROYELLA M , et al. Characterizing reference locality in the WWW[C]// Fourth International Conference on. Parallel and Distributed Information Systems. IEEE, 1996:92-103.
[34]	葛敬国，唐海娜，鄂跃鹏，等．海云创新试验环境管控与服务系统总体设计[J]. 网络新媒体技术, 2012,1(6):45-51. GE J G , TANG H N , E Y P , et al. The overall design of resource con-trol and service system in the sea-cloud innovative and experimental environment[J]. Journal of Network New Media, 2012,1(6):45-51.

加密密钥长度/位	匿名化时间/s		加速比
加密密钥长度/位	分组级别	流级别	加速比
	Crypto-Pan	Fad-Pan
128	91.87	5.31	17.30
256	210.94	7.30	28.90

加密密钥长度/位	匿名化时间/s		加速比
加密密钥长度/位	分组级别	流级别	加速比
	Crypto-Pan	Fad-Pan
128	135.56	7.22	18.78
256	205.85	10.48	19.65

加密密钥长度/位	匿名化时间/s		加速比
加密密钥长度/位	分组级别	流级别	加速比
	Crypto-Pan	Fad-Pan
128	140.01	6.31	22.20
256	205.90	8.77	23.49

加密密钥长度/位	匿名化时间/s		加速比
加密密钥长度/位	分组级别	流级别	加速比
	Crypto-Pan	Fad-Pan
128	142.50	2.53	56.27
256	205.55	3.20	64.23

加密密钥长度/位	匿名化时间/s		加速比
加密密钥长度/位	分组级别	流级别	加速比
	Crypto-Pan	Fad-Pan
128	401.02	7.10	56.50
256	575.97	7.26	79.29

基于匿名化流表的网络数据分组实时匿名方法

Online trace anonymization based on anonymous flow table

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献 34

相关文章 1

Metrics

推荐阅读 0