Research and Application of Linkage Policies for Network Security Equipment
[Abstract]: Policy-based linkage management of network security equipment ensures that the security devices in a system work cooperatively, integrates system resources effectively, and improves the detection accuracy and handling efficiency of security incidents, so that increasingly complex network security threats can be dealt with. It has become the core of the dynamic security equipment management model. Based on the policy management framework established by the IETF and a security equipment linkage system model, this paper studies in depth the description, verification, search and execution of linkage policies.

First, for the definition and description of linkage policies: because security devices cooperate within a subnet, security domains are divided by subnet, and a linkage policy is defined as a triple of security domain, trigger condition and execution rule set. The trigger condition represents the security event threat captured by the system, and the rule set represents the set of configuration actions the system must take to execute the policy.

Second, for linkage policy verification: handling a security event amounts to starting the various related processes in the security domain. A directed-graph state transition model is constructed for a specific subnet, with the open or closed state of the linkage device processes as the state nodes and the security events that cause transitions between state nodes as the edges, so that each execution action in a rule set corresponds to a state transition in the directed graph. Using depth-first traversal of the directed graph, the transition paths of each state node are examined to verify the correctness, integrity, consistency, redundancy and executability of the linkage policy.

Third, for linkage policy query: the query problem is likewise transformed into a directed-graph traversal problem. To ensure that high-frequency security events are retrieved first, event frequency is taken into account when constructing the adjacency list of the directed graph. The directed graph is divided into several subgraphs according to the number of terminating nodes, the frequency of security events is converted into the cost of a path, and the heuristic function is defined using the latest occurrence time of events in AOE networks. The A* search algorithm is used to order the state nodes in the Closed list, and the adjacency list is built by combining the reordered nodes of each subgraph.

Finally, for linkage policy execution: remote configuration of security devices is implemented over the SSH protocol, which secures policy execution and accommodates the different SSH versions of different devices.

The experimental results show that the proposed policy verification algorithm outperforms some existing methods in complexity and has good execution efficiency, and that the policy query method can respond effectively to high-frequency events. Combined with remote configuration of security equipment over SSH, the methods described in this paper can be used to build a policy-based network security device linkage system that deals effectively with all kinds of security threats.
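The verification step described above, as an added sketch that is not code from the thesis: policies are (security domain, trigger event, rule set) triples, each rule is treated as one state transition, and a depth-first traversal from the initial state flags problems. The state and event names, the sample policies, and the exact meaning given here to "inconsistent", "redundant" and "unexecutable" are assumptions, since the abstract does not define them.

```python
from collections import defaultdict

# Constructed sample policies: (security_domain, trigger_event, rule_set).
# Assumption: each rule is one transition (from_state, to_state), where a
# state names which linkage-device processes are switched on.
POLICIES = [
    ("subnet-A", "port_scan", [("idle", "ids_on")]),
    ("subnet-A", "intrusion", [("ids_on", "ids_fw_on")]),
    ("subnet-A", "intrusion", [("ids_on", "ids_on")]),     # clashes with the rule above
    ("subnet-A", "port_scan", [("idle", "ids_on")]),       # exact duplicate
    ("subnet-A", "virus",     [("av_on", "ids_fw_on")]),   # "av_on" is never entered
    ("subnet-B", "port_scan", [("idle", "fw_on")]),        # other domain, no clash
]

def verify(policies, domain, start):
    """Build one domain's state-transition graph and check it by DFS."""
    graph = defaultdict(dict)            # state -> {event: next_state}
    findings = []
    for dom, event, rules in policies:
        if dom != domain:                # policies only interact inside a domain
            continue
        for src, dst in rules:
            known = graph[src].get(event)
            if known is None:
                graph[src][event] = dst
            elif known == dst:           # same edge defined twice
                findings.append(("redundant", src, event, dst))
            else:                        # same state and event, different target
                findings.append(("inconsistent", src, event, dst))
    # Iterative depth-first traversal from the domain's initial state.
    seen, stack = set(), [start]
    while stack:
        state = stack.pop()
        if state in seen:
            continue
        seen.add(state)
        stack.extend(graph.get(state, {}).values())
    # A rule whose source state is never reached can never fire.
    for src, edges in graph.items():
        if src not in seen:
            for event, dst in edges.items():
                findings.append(("unexecutable", src, event, dst))
    return findings

if __name__ == "__main__":
    for finding in verify(POLICIES, "subnet-A", "idle"):
        print(finding)
```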
[Degree-granting institution]: North China Electric Power University
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.08