Nowadays,Source Address Validation(SAV)is increasingly important for defending Distributed Denial of Service(DDoS)attacks and other malicious activities.Existing ingress/edge filtering-based solutions,such as SAVI,fil...Nowadays,Source Address Validation(SAV)is increasingly important for defending Distributed Denial of Service(DDoS)attacks and other malicious activities.Existing ingress/edge filtering-based solutions,such as SAVI,filter spoofed source addresses using Access Control Lists(ACL)or unicast Reverse Path Forwarding(uRPF),but they only provide coarse-grained filtering.Source Address Validation in intra-domain and inter-domain NETworks(SAVNET)has recently attracted much attention in both industry and the Internet Engineering Task Force(IETF),deploying SAV inside Internet Service Provider(ISP)networks and generating SAV tables by binding source address prefixes with incoming interfaces.However,SAVNET requires upgrading almost all routers across networks,which is impractical—especially in inter-domain scenarios.Moreover,due to policy routing and load balancing,determining the exact incoming interface for each source prefix is challenging.In this paper,we propose SAVNFV,a Network Functions Virtualization(NFV)based platform that provides SAV capabilities by building a“clean”virtual overlay network.SAVNFV randomly generates paths for each flow through a centralized controller,making the SAV table easy to obtain.The paths are periodically refreshed,and packets are transmitted through multiple routes,making it nearly impossible for attackers to identify the correct incoming interface.We formulate the multi-path transmission as an optimization problem and prove it to be NP-Complete,then design approximation algorithms with theoretical guarantees.Comprehensive simulations show that SAVNFV blocks 94.6%more malicious traffic than traditional solutions while maintaining acceptable path stretch.We also implement the system using open-source routing software and build a real-world experimental platform to further validate our design.展开更多
IP source address spoofing is regarded as one of the most prevalent components when launching an anonymous invasion, especially a Distributed Denial-of-Service (DDoS) attack. Although Source Address Validations (S...IP source address spoofing is regarded as one of the most prevalent components when launching an anonymous invasion, especially a Distributed Denial-of-Service (DDoS) attack. Although Source Address Validations (SAVs) at the access network level are standardized by the Internet Engineering Task Force (iETF), SAV at the inter-Autonomous System (AS) level still remains an important issue. To prevent routing hijacking, the IETF is constructing a Resource Public Key Infrastructure (RPKI) as a united trust anchor to secure interdomain routing, in this study, we creatively use the RPKI to support inter-AS SAV and propose an RPKI-based Inter-AS Source Protection (RISP) mechanism. According to the trust basis provided by the RPKI, RISP offers ASes a more credible source-oriented protection for the IP addresses they own and remains independent of the RPKI. Based on the experiments with real Internet topology, RISP not only provides better incentives, but also improves efficacy and economizes bandwidth with a modest resource consumption.展开更多
The IP packet forwarding of current Internet is mainly destination based.In the forwarding process,the source IP address is not checked in most cases.This causes serious security,management and accounting problems.Bas...The IP packet forwarding of current Internet is mainly destination based.In the forwarding process,the source IP address is not checked in most cases.This causes serious security,management and accounting problems.Based on the drastically increased IPv6 address space,a"source address validation architecture"(SAVA)is proposed in this paper,which can guarantee that every packet received and forwarded holds an authenticated source IP address.The design goals of the architecture are lightweight,loose coupling,"multi-fence support"and incremental deployment.This paper discusses the design and implementation for the architecture,including inter-AS,intra-AS and local subnet.The performance and scalability of SAVA are described.This architecture is deployed into the CNGI-CERNET2 infrastructure a large-scale native IPv6 backbone network of the China Next Generation Internet project.We believe that the SAVA will help the transition to a new,more secure and dependable Internet.展开更多
Near-field head-related transfer functions (HRTFs) are essential to scientific re- searches of binaural hearing and practical applications of virtual auditory display. High ef- ficiency, accuracy and repeatability a...Near-field head-related transfer functions (HRTFs) are essential to scientific re- searches of binaural hearing and practical applications of virtual auditory display. High ef- ficiency, accuracy and repeatability are required in a near-field HRTF measurement. Hence, there is no reference which intents on solving the measuring difficulties of near-field HRTF for human subjects. In present work, an efficient near-field HRTF measurement system based on computer control is designed and implemented, and a fast calibration method for the system is proposed to first solve the measurement of near-field HRTF for human subjects. The efficiency of measurement is enhanced by a comprehensive design on the acoustic, electronic and mechanical parts of the system. And the accuracy and repeatability of the measurement are greatly im- proved by carefully calibrating the positions of sound source, subject and binaural microphones. This system is suitable for near-field HRTF measurement at various source distances within 1.0 m, for both human subject and artificial head. The time costs of HRTF measurement at a single sound source distance and full directions has been reduced to less than 20 minutes. The measurement results indicate that the accuracy of the system satisfies the actual requirements. The system is applicable to scientific research and can be used to establish an individualized near-field HRTF database for human subjects.展开更多
基金supported by the National Key Research and Development Program of China(No.2022YFB3102302)the National Natural Science Foundation of China(Nos.U23B2026 and 62372305)+2 种基金the Guangdong Key Field Research and Development Program(No.2024A0101010001)the Shenzhen Science and Technology Program(Nos.KJZD20230923114809020 and 20220811110737003)the Research Team Cultivation Program of Shenzhen University(No.20230NT015).
文摘Nowadays,Source Address Validation(SAV)is increasingly important for defending Distributed Denial of Service(DDoS)attacks and other malicious activities.Existing ingress/edge filtering-based solutions,such as SAVI,filter spoofed source addresses using Access Control Lists(ACL)or unicast Reverse Path Forwarding(uRPF),but they only provide coarse-grained filtering.Source Address Validation in intra-domain and inter-domain NETworks(SAVNET)has recently attracted much attention in both industry and the Internet Engineering Task Force(IETF),deploying SAV inside Internet Service Provider(ISP)networks and generating SAV tables by binding source address prefixes with incoming interfaces.However,SAVNET requires upgrading almost all routers across networks,which is impractical—especially in inter-domain scenarios.Moreover,due to policy routing and load balancing,determining the exact incoming interface for each source prefix is challenging.In this paper,we propose SAVNFV,a Network Functions Virtualization(NFV)based platform that provides SAV capabilities by building a“clean”virtual overlay network.SAVNFV randomly generates paths for each flow through a centralized controller,making the SAV table easy to obtain.The paths are periodically refreshed,and packets are transmitted through multiple routes,making it nearly impossible for attackers to identify the correct incoming interface.We formulate the multi-path transmission as an optimization problem and prove it to be NP-Complete,then design approximation algorithms with theoretical guarantees.Comprehensive simulations show that SAVNFV blocks 94.6%more malicious traffic than traditional solutions while maintaining acceptable path stretch.We also implement the system using open-source routing software and build a real-world experimental platform to further validate our design.
基金supported by the National Natural Science Foundation of China Nos.61772307 and 61402257the National Key Basic Research and Development(973) Program of China Nos.2009CB320500 and 2009CB320501Tsinghua University Self-determined Project under grant No.2014z21051
文摘IP source address spoofing is regarded as one of the most prevalent components when launching an anonymous invasion, especially a Distributed Denial-of-Service (DDoS) attack. Although Source Address Validations (SAVs) at the access network level are standardized by the Internet Engineering Task Force (iETF), SAV at the inter-Autonomous System (AS) level still remains an important issue. To prevent routing hijacking, the IETF is constructing a Resource Public Key Infrastructure (RPKI) as a united trust anchor to secure interdomain routing, in this study, we creatively use the RPKI to support inter-AS SAV and propose an RPKI-based Inter-AS Source Protection (RISP) mechanism. According to the trust basis provided by the RPKI, RISP offers ASes a more credible source-oriented protection for the IP addresses they own and remains independent of the RPKI. Based on the experiments with real Internet topology, RISP not only provides better incentives, but also improves efficacy and economizes bandwidth with a modest resource consumption.
基金the National Natural Science Foundation of China(Grant No.90704001)the National Basic Research Program of China(973 Program)(Grant No.2003CB314800)
文摘The IP packet forwarding of current Internet is mainly destination based.In the forwarding process,the source IP address is not checked in most cases.This causes serious security,management and accounting problems.Based on the drastically increased IPv6 address space,a"source address validation architecture"(SAVA)is proposed in this paper,which can guarantee that every packet received and forwarded holds an authenticated source IP address.The design goals of the architecture are lightweight,loose coupling,"multi-fence support"and incremental deployment.This paper discusses the design and implementation for the architecture,including inter-AS,intra-AS and local subnet.The performance and scalability of SAVA are described.This architecture is deployed into the CNGI-CERNET2 infrastructure a large-scale native IPv6 backbone network of the China Next Generation Internet project.We believe that the SAVA will help the transition to a new,more secure and dependable Internet.
基金supported by the National Natural Science Foundation of China(11104082,11574090)Fundamental Research Funds for the Central Universities of South China University of Technology(2015ZZ135)
文摘Near-field head-related transfer functions (HRTFs) are essential to scientific re- searches of binaural hearing and practical applications of virtual auditory display. High ef- ficiency, accuracy and repeatability are required in a near-field HRTF measurement. Hence, there is no reference which intents on solving the measuring difficulties of near-field HRTF for human subjects. In present work, an efficient near-field HRTF measurement system based on computer control is designed and implemented, and a fast calibration method for the system is proposed to first solve the measurement of near-field HRTF for human subjects. The efficiency of measurement is enhanced by a comprehensive design on the acoustic, electronic and mechanical parts of the system. And the accuracy and repeatability of the measurement are greatly im- proved by carefully calibrating the positions of sound source, subject and binaural microphones. This system is suitable for near-field HRTF measurement at various source distances within 1.0 m, for both human subject and artificial head. The time costs of HRTF measurement at a single sound source distance and full directions has been reduced to less than 20 minutes. The measurement results indicate that the accuracy of the system satisfies the actual requirements. The system is applicable to scientific research and can be used to establish an individualized near-field HRTF database for human subjects.
