Computer network defense policy model
Abstract: Current research on computer network defense lacks a policy modelling method that is both high-level and easy to refine. Building on an analysis of the Or-BAC model (Organization Based Access Control model), network defense control behaviour is abstracted and a Computer Network Defense Policy Model (CNDPM) is established. The model describes protection, detection and response policies in one unified way, introduces automatic assignment of roles, views and activities to improve assignment efficiency, and gives derivation rules from policies to rules so that policies can be refined into concrete defense rules. Formal descriptions and analysis of the completeness, validity and consistency of policies are also given. A case study shows that computer network defense policies expressed in this model can be effectively transformed into defense rules and that the model has good practicability and extensibility.
Keywords:
- computer network defense (CND)
- policy
- PPDR model
- refinement
Abstract: Recent research on computer network defense lacks a method that can model policy at a high level and refine it conveniently; hence the computer network defense policy model (CNDPM) is presented, which abstracts network defense control behaviour on the basis of the organization based access control model (Or-BAC). The CNDPM provides a common way to model protection, detection and response policy, introduces an automatic assignment mechanism for roles, views and activities to improve efficiency, and provides derivation principles to refine policy into concrete defense rules. Moreover, the completeness, validity and consistency of policy are studied through formal analysis. The example shows that computer network defense policies modelled with CNDPM can be refined into defense rules conveniently and efficiently. The CNDPM is characterized by good extensibility and practicability.
Key words:
- computer network defense (CND)
- policy
- PPDR model
- refinement
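As an added illustration (not code from the paper or its authors) of the modelling approach the abstracts describe: an Or-BAC-style abstract policy over roles, views, activities and contexts, with attribute-driven automatic assignment, refinement into concrete (subject, action, object) rules, and checks for consistency (a triple derived as both permitted and prohibited) and completeness (a triple no rule covers). The relations follow standard Or-BAC (Empower, Use, Consider, Permission, Prohibition), with the Hold predicate represented as one Python predicate per context name; the CNDPM's own notation and derivation rules are not on this page, so the rule set, the entity names and the `alert` context are constructed sample data.

```python
"""Or-BAC-style policy refined into concrete network-defense rules.

Added example, not the paper's code. Entity names, the rule set and the
'alert' context are constructed sample data; Or-BAC's Hold predicate is
represented as one Python predicate per context name.
"""
from dataclasses import dataclass, field
from itertools import product

PERMIT, DENY = "permit", "deny"


@dataclass
class OrBACPolicy:
    """Abstract policy of one organization, stored as Or-BAC relations."""
    org: str
    empower: set = field(default_factory=set)      # (subject, role)
    use: set = field(default_factory=set)          # (object, view)
    consider: set = field(default_factory=set)     # (action, activity)
    contexts: dict = field(default_factory=dict)   # name -> predicate(subject, action, object)
    permission: set = field(default_factory=set)   # (role, activity, view, context)
    prohibition: set = field(default_factory=set)  # (role, activity, view, context)

    def assign(self, subjects, objects, actions, role_rules, view_rules, activity_rules):
        """Automatic assignment: entities carry attribute dicts, each rule is
        (abstract name, predicate over attributes); a match creates the relation."""
        for s, attrs in subjects.items():
            self.empower |= {(s, role) for role, pred in role_rules if pred(attrs)}
        for o, attrs in objects.items():
            self.use |= {(o, view) for view, pred in view_rules if pred(attrs)}
        for a, attrs in actions.items():
            self.consider |= {(a, act) for act, pred in activity_rules if pred(attrs)}

    def derive(self):
        """Refine abstract permissions/prohibitions into concrete decisions:
        {(subject, action, object): {"permit" | "deny", ...}}."""
        abstract = [(p, PERMIT) for p in self.permission] + [(p, DENY) for p in self.prohibition]
        concrete = {}
        for (role, activity, view, ctx), decision in abstract:
            holds = self.contexts[ctx]
            for (s, r), (a, act), (o, v) in product(self.empower, self.consider, self.use):
                if r == role and act == activity and v == view and holds(s, a, o):
                    concrete.setdefault((s, a, o), set()).add(decision)
        return concrete


def conflicts(concrete):
    """Consistency check: concrete triples derived as both permit and deny."""
    return sorted(t for t, d in concrete.items() if d == {PERMIT, DENY})


def uncovered(concrete, subjects, actions, objects):
    """Completeness check: triples of interest for which no rule was derived."""
    return sorted(t for t in product(subjects, actions, objects) if t not in concrete)


def build_sample(alerted=frozenset()):
    """Constructed sample: protection, detection and response policy in one model.
    `alerted` is the set of objects on which a detector has raised an alert."""
    p = OrBACPolicy("corp_net")
    subjects = {"admin_ws": {"kind": "host", "zone": "lan"},
                "guest_ws": {"kind": "host", "zone": "guest"},
                "ids_sensor": {"kind": "sensor"}}
    objects = {"db_srv": {"tier": "internal"}, "web_srv": {"tier": "dmz"}}
    actions = {"tcp_connect": {"class": "access"},
               "send_alert": {"class": "detect"},
               "block_src": {"class": "respond"}}
    p.assign(subjects, objects, actions,
             role_rules=[("trusted_host", lambda x: x.get("zone") == "lan"),
                         ("guest_host", lambda x: x.get("zone") == "guest"),
                         ("detector", lambda x: x["kind"] == "sensor")],
             view_rules=[("internal_service", lambda x: x["tier"] == "internal"),
                         ("public_service", lambda x: x["tier"] == "dmz")],
             activity_rules=[(cls, lambda x, c=cls: x["class"] == c)
                             for cls in ("access", "detect", "respond")])
    p.contexts["nominal"] = lambda s, a, o: True
    p.contexts["alert"] = lambda s, a, o: o in alerted
    p.permission |= {("trusted_host", "access", "internal_service", "nominal"),  # protection
                     ("trusted_host", "access", "public_service", "nominal"),
                     ("guest_host", "access", "public_service", "nominal"),
                     ("detector", "detect", "public_service", "nominal"),        # detection
                     ("detector", "respond", "public_service", "alert")}         # response
    # The second prohibition only applies once an alert holds on the object, and then
    # collides with the nominal permission above: the consistency check surfaces it.
    p.prohibition |= {("guest_host", "access", "internal_service", "nominal"),
                      ("trusted_host", "access", "public_service", "alert")}
    return p, subjects, actions, objects


if __name__ == "__main__":
    policy, subjects, actions, objects = build_sample(alerted={"web_srv"})
    rules = policy.derive()
    for triple in sorted(rules):
        print(triple, sorted(rules[triple]))
    print("conflicts:", conflicts(rules))
    print("uncovered:", uncovered(rules, subjects, actions, objects))
```

With no alert the sample refines to five concrete rules and no conflicts; once `web_srv` is alerted the response permission for the sensor appears and the protection permission and the alert-time prohibition both derive for `admin_ws` connecting to `web_srv`, which is exactly the kind of inconsistency a priority or precedence rule has to resolve before the rules are deployed. The completeness check reports triples such as the sensor blocking a source outside an alert, for which the sample policy deliberately says nothing.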