Research on Key Techniques of Security Label Binding in Multi-Level Secure Networks
Keywords: multi-level secure network; security label; binding; Extensible Markup Language (XML); fine-grained; average inter-packet delay (AIPD); implicit flow labeling. Source: 解放軍信息工程大學 (PLA Information Engineering University), master's thesis, 2014. Thesis type: degree thesis.
[Abstract]: Multi-level security (MLS) is the theoretical foundation of classified protection, and the core element of building a level-3 information system is mandatory access control based on security labels. As the key basis for enforcing MLS, a security label must be bound to the object it protects in a secure and reliable way, and the label itself must be protected against forgery and tampering. Existing label-binding techniques face two difficulties: at the application level, the diversity of data-object structures makes labels hard to apply; at the network level, data flows require implicit binding and real-time flow control. This thesis studies security-label binding for application-level data objects and network-level data flows in multi-level secure networks. The main contributions are:
1. To meet the labeling needs of both application-level data objects and network-level data flows, an integrated security-label framework for multi-level secure networks is constructed, covering label generation, verification, binding and inheritance. The framework formally describes the elements involved in applying labels (basic elements, constraint rules and label functions); defines a label format that supports mandatory access control policies and label exception policies; passes labels effectively from the application level to the network level through label inheritance from data objects to data flows; and organizes the framework into linked basic, label and function domains, which improves the applicability and flexibility of labels.
2. To address the diverse structure of application-level data objects and the resulting inconsistency in label binding, a unified XML-based technique for binding security labels to multiple types of data objects is proposed. An XML conversion method based on logical multi-level segmentation of the object converts documents, images and other object types consistently into a well-formed, tree-structured object XML document composed of data units at multiple security levels. By defining the label syntax and constraint rules, a traversal-based label-binding algorithm and a pruning-based object-view generation algorithm are designed, achieving unified, fine-grained binding of security labels to data objects.
3. To address security problems such as targeted attacks on existing explicit label-binding methods for network-level data flows, an implicit binding method based on the average of inter-packet delay (AIPD) is proposed. First, a Hamming-code error-control mechanism encodes the security label with error correction, improving the accuracy of the binding scheme. Next, a random grouping scheme for the flow's inter-packet delays (IPD) is designed; the AIPD of each group serves as the label carrier, and label information is embedded into the flow by controlling the difference between AIPD values. Finally, the delay of each packet within a group is modulated according to the binding rules so that the group reaches the intended AIPD value, which binds the security label to the data flow. Analysis and experiments verify the effectiveness of the binding method.
4. A prototype mandatory access control system for multi-level secure networks based on security labels is designed and implemented. It implements the label-binding techniques proposed in this thesis and, combined with label-based mandatory access control policies, provides fine-grained access control for application-level data objects and real-time control of network-level data flows, supporting the construction of level-3 secure applications.
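The AIPD-based implicit binding of contribution 3, worked through as an added illustration that is not code from the thesis: the label is Hamming(7,4)-encoded, a key-seeded random grouping assigns two disjoint groups of IPDs to each code bit, and the sender adds delay to one group so that the sign of the AIPD difference carries the bit. The key, group size of 4, threshold of 0.02 s, the 8-bit label layout and the treatment of IPDs as independently adjustable are assumptions of this example.

```python
import random

# Hamming(7,4) over code word [d0 d1 d2 d3 p0 p1 p2]; the columns of H are distinct
# and non-zero, so a syndrome directly names the single flipped position.
G = [[1,0,0,0,1,1,0], [0,1,0,0,1,0,1], [0,0,1,0,0,1,1], [0,0,0,1,1,1,1]]
H = [[1,1,0,1,1,0,0], [1,0,1,1,0,1,0], [0,1,1,1,0,0,1]]

def hamming74_encode(nibble):
    return [sum(nibble[i] * G[i][j] for i in range(4)) % 2 for j in range(7)]
def hamming74_decode(code):
    code = list(code)
    s = tuple(sum(h[j] * code[j] for j in range(7)) % 2 for h in H)
    if any(s):  # corrects one corrupted code bit (e.g. one group pair hit by jitter)
        code[[tuple(h[j] for h in H) for j in range(7)].index(s)] ^= 1
    return code[:4]
def group_indices(n_ipd, n_bits, group_size, key):
    """Key-seeded random grouping shared by sender and verifier: two disjoint IPD groups per code bit."""
    if 2 * group_size * n_bits > n_ipd:
        raise ValueError("flow too short to carry the label")
    idx, g = list(range(n_ipd)), group_size
    random.Random(key).shuffle(idx)
    return [(idx[2*k*g:(2*k+1)*g], idx[(2*k+1)*g:(2*k+2)*g]) for k in range(n_bits)]
def aipd(ipds, grp):
    return sum(ipds[i] for i in grp) / len(grp)
def embed(ipds, label_bits, key, group_size=4, delta=0.02):
    """Bit 1: AIPD(A) >= AIPD(B) + delta; bit 0: the reverse. Only delay is ever added."""
    bits = label_bits + [0] * (-len(label_bits) % 4)          # pad to whole nibbles
    code = [b for i in range(0, len(bits), 4) for b in hamming74_encode(bits[i:i+4])]
    out = list(ipds)   # IPDs treated as independently adjustable (simplifying assumption)
    for bit, (a, b) in zip(code, group_indices(len(ipds), len(code), group_size, key)):
        hi, lo = (a, b) if bit else (b, a)
        gap = aipd(out, lo) + delta - aipd(out, hi)
        if gap > 0:                                              # never shorten an IPD
            for i in hi: out[i] += gap
    return out

def extract(ipds, n_label_bits, key, group_size=4):
    n_code = 7 * ((n_label_bits + 3) // 4)
    groups = group_indices(len(ipds), n_code, group_size, key)
    code = [1 if aipd(ipds, a) > aipd(ipds, b) else 0 for a, b in groups]
    return [d for i in range(0, n_code, 7) for d in hamming74_decode(code[i:i+7])][:n_label_bits]

# Constructed sample: an 8-bit label (level + category bits, assumed) on a 120-packet flow.
KEY, LABEL = 2014, [1, 0, 1, 1, 0, 1, 0, 0]
_r = random.Random(1); SAMPLE_IPDS = [0.05 + 0.04 * _r.random() for _ in range(120)]

def verify_after_jitter(jitter=0.003, seed=2):
    """Receiver side: embed, perturb every IPD by bounded jitter, recover the label."""
    j = random.Random(seed)
    observed = [x + j.uniform(-jitter, jitter) for x in embed(SAMPLE_IPDS, LABEL, KEY)]
    return extract(observed, len(LABEL), KEY)
```

Because the grouping depends on the key, a verifier without it cannot locate the label carrier, and jitter smaller than the threshold spread across a group does not flip the AIPD comparison.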
[Degree-granting institution]: 解放軍信息工程大學 (PLA Information Engineering University)
[Degree level]: Master
[Year degree granted]: 2014
[Classification number]: TP393.08
Article ID: 1503152
Article link: http://www.sikaile.net/guanlilunwen/ydhl/1503152.html