【作者】 陈书义；

【导师】 赵宏；

【作者基本信息】 东北大学 ， 计算机应用技术， 2009， 博士

【摘要】 摘要固定移动融合(Fix Mobile Convergence,FMC)体系框架下的移动通信网络提供了更多的对外接口,网络具有了充分的开放性,原有体系的不安全因素完全暴露并成为重要的安全威胁。同时,随着全IP技术的引入,固定网络中的一些安全威胁和漏洞也被引入到移动通信网络中。因此,融合环境下移动通信网络所面临的安全威胁更加复杂多样。现有移动通信网络安全技术不能应对融合带来的挑战,IP网络安全技术也不适用于资源受限的移动通信网络。由于融合环境中移动通信网络安全威胁的特殊性、复杂性,探索适合移动通信网络的安全防护技术和解决方案具有重要的理论意义和应用价值。本文在全面分析移动通信网络安全威胁,深入研究可信计算技术、下一代信令(Next Step in Signaling, NSIS)技术的基础上,重点开展了可信计算技术、下一代信令技术(NSIS)在移动终端、无线接入网以及核心网安全防护中的应用研究,主要工作及结论包括：(1)可信计算模型的形式化分析方法提出了基于模糊集合的感性信任分析方法,基于谓词逻辑和条件谓词逻辑的理性信任分析方法。利用提出的方法对可信计算平台安全引导模型进行了形式化分析,结果表明,利用这些方法能够简洁、准确地评估可信计算系统的可信性,发现可信计算模型的安全漏洞,提出的方法为可信计算形式化分析提供了有效的手段。(2)基于可信计算的融合网络移动终端和可信无线接入方案提出了基于可信计算的融合网络移动终端和可信无线接入方案,并利用提出的形式化分析方法证明了方案的正确性。方案不仅能检验移动终端和网络身份的合法性,而且能够检验终端的可信状态,阻止不安全终端接入UMTS网络,从源头上保障了移动通信网络的安全。基于硬件的可信计算技术为资源受限的移动通信网络提供了简洁、有效的安全问题解决方案。(3)基于NSIS的网络管理、访问控制信令协议的设计、验证和分析提出了基于NSIS的网络管理应用层信令协议和基于NSIS的通用访问控制应用层信令协议,并对协议的逻辑正确性和性能进行了验证分析。将NSIS信令机制引入到融合网络的控制管理中,保障了控制管理信息的安全、可靠传输,为融合环境下移动通信网络控制管理提供了新的手段。(4)基于NSIS的第三代移动通信(3G)核心网动态安全防御系统提出了NSIS框架下的UMTS核心网动态防御系统。系统基于多源安全信息的融合和聚类分析,发现攻击并通过NSIS通用访问控制信令协议动态阻止针对核心网的攻击。NSIS信令技术的引入,解决了目前动态防御系统联动协议存在的通用性问题,保障了控制信息安全、可靠地传输。实验分析结果表明系统能够有效地防御针对核心网的攻击。本文的主要研究工作受到了国家自然科学基金,国家高技术研究发展计划的资金资助,相关工作及结论已经应用到实际的原型系统及产品开发中。更多还原

【Abstract】 More external interfaces are provided by mobile communication network in the framework of fixed mobile convergence (FMC), which has the characteristics of sufficient opening. The insecurity factors of mobile system completely exposed as major security threats. At the same time, a number of security threats and vulnerabilities in fixed network have been inherited into mobile communication network for the introduced of all-IP technology. In general, security threats faced by mobile communication network become more complicated and various.The existing security technologies of mobile network can not cope with the challenges of convergence, security technology of IP network is not quite fit the resource-constrained mobile network. The security threats of mobile network in convergence environment are unique and complex. Therefore, it has important theoretical and practical meaning to research appropriate security technologies and solutions for mobile network.The technologies of trusted computing and next steps in signaling are studied firstly. On analyzing security threats of terminals, radio access network and core network in converged network, trusted computing and NSIS based security protection for converged network is proposed. A number of important conclusions and results are obtained, which including.(1) The formal analysis methods of trusted computing modelsFormal analysis method for the emotional trust based on fuzzy set, formal analysis methods for the rational trust based on predicate logic and condition predicate logic were proposed after comprehensively studying the technologies of trusted computing. Trusted computing models were analyzed with the proposed methods. Analyzing results show that trusted computing system can be precisely, correctively analyzed and the vulnerabilities can be found with the proposed formal analysis methods. The effective way is provided for formalizing trusted computing with the proposed methods.(2)Secure schemes of mobile terminal and radio access network based on trusted computingThe schemes that trusted mobile terminal and trusted access are proposed based on trusted computing. With the proposed schemes, not only the authentication of mobile user and network is concerned about, but the health status of mobile platforms is verified. The insecure terminals were prevented form accessing UMTS network, which can protect network security from the source. New solution to security problems in convergence network is provided with the introduction of trusted computing.(3) Designing, validating the NSIS based application signaling protocol for access control and network managementSignaling protocols for access control and network management are proposed respectively based on the NSIS technology, and logic correctness and performance of the protocols are analyzed. The results show that the introduction of NSIS signaling mechanism in convergence network can ensure the security and reliability of the signaling information transmission, which provides new ideas and methods of network control and management in convergence network. New solution to security problem in convergence network is proposed with the introduction of trusted computing.(4) NSIS based dynamic defensive system in 3G core networkNSIS based dynamic defensive system in UMTS core network are proposed. Technologies of multi-source information integration and cluster analysis are taken in defensive system, and attacks against core network are detected and prevented real time with NSIS control signaling protocol. The problems of existed linkage protocols are resolved based on NSIS signaling mechanism introduced, and signaling information is transported securely and reliably. The attacks to core network are effectively resisted.This research is partly supported by the national science funds of China under Grant Nos. 60602061, and the National High-Tech Research and Development Plan of China under Grant Nos.2006AA01Z413. The work and conclusions have been applied to the actual prototype system and product development.更多还原