
The Research On Authentication And Intrusion Detection System Of EPON

Posted on: 2009-08-30
Degree: Master
Type: Thesis
Country: China
Candidate: D Zhao
Full Text: PDF
GTID: 2178360275951028
Subject: Computer application technology
Abstract/Summary:
With the rapid spread of the Internet, broadband services have emerged in large numbers and demand for bandwidth has gradually increased. EPON (Ethernet Passive Optical Network) has emerged as the preferred solution to the "first mile" problem. The EPON system has serious security issues because of its particular P2M (Point to Multi-Point) architecture, and studying and solving these issues is significant for its mass commercial deployment. However, there is no standard solution for securing EPON. Encryption and authentication, the measures currently used, are either flawed or ineffective against some problems, so improving the existing schemes and developing new measures is important.

We first analyze several security issues of EPON in detail, based on its architecture. We then study a registration-process-based authentication mechanism aimed at specific attacks and, to address its limitation of authenticating only the OLT (Optical Line Terminal), put forward a both-terminal authentication mechanism, which is then implemented in both the OLT and the ONU (Optical Network Unit). Finally, an intrusion detection system for EPON is designed to address upstream DoS (Denial of Service) attacks on EPON.

The major research results are as follows:

(1) Different attacks on EPON were analyzed based on the characteristics of its architecture and its working principles. We examined the implementation principle, process and harm of these attacks, including simple passive monitoring, denial of service (DoS), masquerading and ToS (theft of service), and discussed corresponding countermeasures such as authentication, so-called secure packaging, encryption and intrusion detection.

(2) A both-termination authentication mechanism based on ECC encryption was introduced. The analysis of ONU authentication shows that only the ONU, and not the OLT, is authenticated in the EPON process, which creates a security hole through the interaction between a legitimate ONU and an OLT faked by a malicious ONU. We therefore introduce a both-termination authentication mechanism based on ECC encryption and implement it on both the OLT side and the ONU side, which also improves security.

(3) The performance of the registration-process-based authentication and of the both-termination authentication mechanism based on ECC encryption was simulated. An EPON model built in NS2 (a network simulation tool) was used to simulate the performance of both mechanisms. The simulation results show that the both-termination authentication mechanism based on ECC encryption provides higher security but costs some bandwidth.

(4) Intrusion detection is applied for the first time as a security mechanism against DoS attacks on EPON. Based on the characteristics of DoS attacks and the properties of EPON, intrusion detection is introduced and a system framework for EPON is devised. The main modules, including packet capture, the rule base, protocol parsing, intrusion detection, alarm and the log database, are studied and designed, with particular attention to the design of the rules and the protocol parsing.
Keywords/Search Tags:ethernet passive optical network (EPON), security, DoS, authentication, intrusion detection, snort