
Research on Key Security Technologies in Wireless Mesh Networks

The Research on Key Technologies in Wireless Mesh Networks Security

【Author】 李宏建

【Supervisor】 徐明

【Author information】 国防科学技术大学 (National University of Defense Technology), Computer Science and Technology, 2011, PhD

【Abstract】 Wireless mesh networks (WMNs) are a new type of wireless network technology that differs fundamentally from traditional wireless networks. Built on multi-hop routing and peer-to-peer networking, WMNs offer large capacity, high data rates, wide coverage, robustness and stability, making them a well-suited wireless area network solution for large open areas. The emergence of WMNs represents another major leap in wireless networking technology, with extremely broad application prospects, and in recent years they have attracted growing attention from academia and industry. Because of their inherently wireless, multi-hop nature, the security problems of WMNs are particularly prominent. These problems strongly affect the widespread adoption of WMNs, so research on key WMN security technologies has important theoretical and practical significance. WMNs branched off from ad hoc networks and inherited part of the wireless LAN technology; the security threats they face are therefore similar to those of these two technologies but also differ considerably, so security mechanisms have to be redesigned specifically for WMNs. Taking the construction of a secure and reliable WMN as its ultimate goal, this thesis analyzes the WMN security architecture and the state of research at home and abroad in depth. On this basis, it studies the key technologies for securing WMN communication and proposes several new ideas and solutions. To ensure the availability of wireless links and of the network, this thesis designs a selfish behavior detection mechanism, a link congestion detection algorithm and a hidden/exposed terminal detection algorithm for WMNs. To raise the security level of WMNs, it proposes an intrusion detection mechanism and an identity authentication mechanism. The main contributions of this thesis are as follows:

(1) Selfish behavior detection. Selfish behavior models are established for single-node and multi-node collaborative selfish behavior at the MAC layer of WMNs, and a detection mechanism and algorithm targeting "smart" selfish nodes is proposed. The attack characteristics of multi-node collaborative selfish behavior in WMNs are analyzed and a corresponding detection algorithm is proposed. These algorithms substantially mitigate the impact of selfish behavior, especially that of "smart" nodes, on network performance (fairness and throughput).

(2) Fault detection in WMNs. To ensure WMN availability, faults that may arise in the network must be diagnosed. Because of network dynamics, the openness of the wireless channel, the network topology and the MAC mechanism, WMNs suffer faults such as link congestion, hidden/exposed terminals and external noise interference, which in turn degrade availability. This thesis analyzes and summarizes the causes of these three classes of faults (congestion, hidden/exposed terminals and noise interference) and proposes a local distributed detection algorithm. The algorithm obtains the current network state by statistical analysis and computation over the network topology, node signal-to-noise ratios and network flows, and detects whether any of these faults is present. A solution algorithm for hidden/exposed terminals is given based on the network topology. The algorithm was validated on the experimental platform and is a lightweight, effective detection algorithm.

(3) Cross-layer intrusion detection. When no other security measure has stopped an attack by a malicious node in a WMN, intrusion detection is needed to discover the malicious behavior. Wireless intrusion detection, however, is constrained by the characteristics of the network and suffers from problems such as a high false positive rate. This thesis proposes a cross-layer intrusion detection framework that uses data from different network layers as audit data. In the system, physical-layer, MAC-layer and network-layer data are used to detect different kinds of intrusion, and the results of network fault detection are also fed into the detection engine to reduce false positives caused by network faults.

(4) Security authentication technology. Using the IEEE 802.11i protocol in a WMN environment suffers from the insecure username/password method and excessive handoff delay. WMNs support handoff of wireless terminals within the network, but the overly long WMN authentication process limits real-time applications. This thesis proposes a digital-certificate-based fast authentication optimization scheme and a secure fast handoff protocol based on pre-authentication/pre-configuration. Certificate-based authentication, being grounded in digital certificates, strengthens the security and reliability of authentication. The fast authentication optimization scheme reduces the number of message exchanges between the client and the authentication server, so that a user switching access points can complete authentication and the access procedure with a small delay. The pre-authentication/pre-configuration mechanism lets the client obtain the corresponding authentication and network configuration information before the handoff, which significantly reduces the handoff time.

(5) System design and implementation. Much existing research on WMN security is tested only by software simulation, which limits the validation of its effectiveness and often fails to reflect a real network environment. This thesis therefore builds a WMN prototype system. The router used in the platform, YH-WMR V1.0, was designed and built by us with independent intellectual property rights; it can serve both as an access point for mobile clients and as a mesh router, and it has security-enhancement functions. The secure wireless mesh router implements firewalling, MAC address filtering, intrusion detection, fault diagnosis, authentication and authorization. Practical tests show that the key secure WMN technologies proposed in this thesis can improve the security and reliability of WMNs and offer important reference and guidance for the further development of WMNs.

【Abstract (English)】 Wireless Mesh Networks (WMNs) have emerged as a key technology for next generation wireless networking. Because of their advantages over other wireless networks, WMNs are undergoing rapid progress and inspiring numerous applications. However, many technical issues still exist in this field. The emergence of Wireless Mesh Networks facilitates another major leap with very broad application prospects, and it has received more and more attention from academia and industry in recent years. WMNs, however, suffer from security problems due to their multi-hop and wireless transmission character. These security issues have a strong impact on the popularization of WMNs, so research on security technologies in Wireless Mesh Networks has important theoretical and practical significance. WMNs originate from the ad hoc network and inherit WLAN technology. Therefore, the security threats they face are similar to those of the above two network technologies, but there are also significant differences, so the security mechanisms of Wireless Mesh Networks need to be re-designed. In this thesis, our objective is to construct a safe, reliable Wireless Mesh Network. Based on in-depth analysis of the Wireless Mesh Network security framework and research status, we propose a number of new ideas and solutions for the security of Wireless Mesh Networks. In order to ensure the availability of the network, we design a selfish behavior detection mechanism, a link congestion detection algorithm and a hidden terminal/exposed terminal detection algorithm for WMNs. In order to improve the security level of Wireless Mesh Networks, this thesis presents intrusion detection mechanisms and authentication mechanisms. The main contributions of this thesis are as follows:

(1) Selfish behavior detection in Wireless Mesh Networks. We establish single-node and multi-node collaborative selfish behavior models in the MAC layer for Wireless Mesh Networks. The detection mechanisms and algorithms can detect "smart" selfish behavior. We analyze the characteristics of multi-node collaborative selfish behavior in the Wireless Mesh Network and propose a cluster-based detection algorithm. The algorithm can greatly alleviate the impact of selfish behavior on network performance (fairness, throughput).

(2) Fault detection in Wireless Mesh Networks. We need to detect network faults to improve the availability of WMNs. These faults include link congestion, hidden terminal/exposed terminal, and external noise interference. Faults can be caused by many reasons, including the open wireless medium, network topology and MAC mechanisms. Therefore, we analyze and summarize the causes of link congestion, hidden terminal/exposed terminal and noise. Local distributed detection algorithms are proposed. The network topology, signal-to-noise ratio and network flow are used for statistical analysis and calculation to detect the network faults.

(3) Cross-layer intrusion detection in Wireless Mesh Networks. When the other security measures cannot prevent malicious attacks in the Wireless Mesh Network, intrusion detection technology is needed to detect the attacks. However, there are issues such as a high false positive rate. In this thesis, the data of different layers are used as audit data for detection in the cross-layer intrusion detection system. In the system, data from the physical layer, MAC layer and network layer are used for different attacks. To reduce the false positive rate caused by network faults, we feed the results of fault detection into the IDS.

(4) Authentication technology in Wireless Mesh Networks. Mobile clients can roam in Wireless Mesh Networks, but the authentication process is too long for real-time applications. There is also a tradeoff problem between insecurity and excessive handoff delay with the IEEE 802.11i protocol using the username/password method in Wireless Mesh Networks. This thesis presents a digital-certificate-based fast authentication optimization solution and a pre-authentication/pre-configuration secure fast handoff protocol. The fast authentication optimization solution allows users to hand off between access points and ensures that clients access the network with a smaller delay. The pre-authentication/pre-configuration mechanism allows clients to obtain the network configuration and authentication information in advance.

(5) System design and implementation. To verify the validity of our work in a real environment, we build a prototype WMN system. The platform uses the router YH-WMR V1.0, which was designed with our own independent intellectual property rights. The intrusion detection system, fault detection, authentication and authorization are implemented in the wireless mesh router. The practical test results demonstrate that the proposed security technologies for Wireless Mesh Networks can improve security and reliability.
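The topology-based hidden/exposed terminal check named in contribution (2) of both abstracts can be illustrated on a connectivity graph. The Python below is an added example written for this page, not the thesis's own algorithm or YH-WMR firmware; node names and link lists are constructed sample input, and the graph is assumed to be an undirected carrier-sense/receive range relation.

```python
from itertools import combinations

# Constructed sample topologies: each pair means the two mesh nodes are
# within radio range of each other (undirected connectivity graph).
CHAIN = [("A", "B"), ("B", "C"), ("C", "D")]      # classic 4-node chain
TRIANGLE = [("A", "B"), ("B", "C"), ("A", "C")]   # fully connected, no hidden nodes


def neighbor_table(links):
    """Build node -> set(neighbours) from undirected links."""
    nbrs = {}
    for a, b in links:
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    return nbrs


def hidden_terminal_pairs(links):
    """Return (u, w, v): u and w both reach receiver v but cannot hear each
    other, so CSMA/CA carrier sensing fails and their frames collide at v."""
    nbrs = neighbor_table(links)
    found = set()
    for v, ns in nbrs.items():
        for u, w in combinations(sorted(ns), 2):
            if w not in nbrs[u]:
                found.add((u, w, v))
    return sorted(found)


def exposed_terminals(links):
    """Return (w, x, u, v): while u transmits to v, node w hears u and defers,
    although its own frame to x would neither interfere at v (v is out of
    w's range) nor be interfered with at x (x is out of u's range)."""
    nbrs = neighbor_table(links)
    found = set()
    for u, us in nbrs.items():
        for v in us:                   # ongoing transmission u -> v
            for w in us - {v}:         # w hears u and stays silent
                for x in nbrs[w] - {u}:
                    if x not in nbrs[u] and v not in nbrs[w]:
                        found.add((w, x, u, v))
    return sorted(found)


def fault_report(links):
    """Topology-only summary a mesh router could raise as a fault event."""
    return {"hidden": hidden_terminal_pairs(links),
            "exposed": exposed_terminals(links)}


if __name__ == "__main__":
    for name, topo in (("chain", CHAIN), ("triangle", TRIANGLE)):
        print(name, fault_report(topo))
```

A fault detector feeding an IDS, as contribution (3) describes, would use such a report to explain collision-related frame loss on the flagged links before the IDS attributes it to an attacker.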
