Research on Future Network Security Services Based on Web Resources
Topic: Future Networks + Security; Source: Beijing University of Posts and Telecommunications, 2014 doctoral dissertation
[Abstract]: To address the many challenges facing today's networks, academia and industry have in recent years taken up research on future network technologies. This dissertation explores the following questions: how a future network can support service innovation at the architectural level, in particular user-participatory service innovation; how to design a security service architecture for future networks so that security services themselves gain a sustained capacity for innovation and can rapidly deliver on-demand security services that meet dynamic business security requirements; and what the basic security services of such a future network architecture are and how they are built.
The main contributions of the dissertation are as follows:
1. By surveying research on future-network topics, the dissertation abstracts the architectural characteristics of future networks and, guided by those characteristics, designs a future network architecture based on Web resources, using Web technology, the core technology that gives the Internet its strong capacity for service innovation. Low-level and high-level network capabilities are abstracted and exposed as Web resources, and service innovation is strengthened through service recomposition and user-contributed service components. Using the Internet of Things (IoT) as the application scenario, the advantages of the Web-resource-based architecture for data access and device management are demonstrated.
2. After analysing the challenges of existing security services and current lines of research on future-network security architectures, the dissertation proposes the concept of security service recomposition within the Web-resource-based architecture. Two security service architectures, supporting security resource abstraction at different granularities along the evolution path of future networks, are designed: the Virtualized Security Appliance (VSA) and Software Defined Security (SDS). The former abstracts and recomposes resources at the level of traditional security appliances; the latter decomposes the basic functions currently bundled inside each security appliance, exposes them as atomic security services, and delivers on-demand security services through Web service composition. SDS lowers the cost and raises the performance of security services by merging functions and computation and removing redundancy, and couples security services more tightly to the business they protect, giving more effective protection.
3. Taking the IoT scenario as the example and software-defined networking as the network infrastructure, the dissertation proposes and designs a security and management controller together with the controller-centred mechanisms for subscribing to, publishing and scheduling security resources, designs the static orchestration process for the main security services, and validates the feasibility of the proposed architecture experimentally. The results have been delivered to an enterprise partner, used to jointly improve security products, and trialled in a cloud computing centre.
4. For the orchestration of services with high security requirements in future networks, the dissertation proposes security services applied at the architecture design stage: by adjusting the logical topology of the composite service and selecting the component provider at each node, the composite service is made to satisfy the defensive policy against supply-chain integrity attacks, thereby protecting critical assets. This sidesteps the earlier problems that all security threats cannot be enumerated in theory and all components at every layer cannot be traversed in practice, lowers implementation cost, and offers a workable engineering method for the more general problem of building a composite service that is as secure as possible when the components at each layer cannot be guaranteed secure and trustworthy. The supply-chain model supports the hierarchical structure of the service-recomposition security model; an attack-graph-based integrity evaluation model, a provider trustworthiness algorithm supporting both subjective and objective parameters, and an objective provider trustworthiness calculation based on information from public vulnerability databases are developed. Both the integrity evaluation of the composite service architecture and the provider trustworthiness evaluation can themselves be exposed as security services, in the form of resources, in the Web-resource-based architecture.
5. Because access subjects in the open business environment of future networks are unknown, and Attribute-Based Access Control (ABAC) lacks usable attribute services, the dissertation proposes an access control service that incorporates the user information managed by Social Network Systems (SNS). To meet the requirement, arising from user-participatory service innovation, that resources can be provided by users themselves, an ABAC model that uses the SNS for user attribute management is proposed; it supports user-defined fine-grained access control policies, detects policy conflicts, and is easy to implement. An implementation structure built on a Role-Based Access Control (RBAC) framework is proposed, implemented, and applied in a campus student innovation platform, and an improved inference engine implementation is proposed and evaluated by simulation. Building on a security analysis of the proposed model, a feasible scheme for an attribute authenticity evaluation service for SNS user information, based on a Web trust model, is proposed for business scenarios with higher security requirements.
The dissertation closes with a summary and offers some ideas and directions for further research.
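Contribution 5 describes an ABAC model whose subject attributes come from an SNS profile, whose policies are written by the resource owner, and which detects policy conflicts. The following is an added illustration of that idea, not code from the dissertation. It assumes (my assumptions, not the page's) that the SNS attribute service is represented by a constructed profile dict, that a rule consists of an effect, an action glob, a resource glob and attribute conditions, that decisions use default-deny with deny-overrides, and that two rules are reported as a potential conflict when they have opposite effects and can both match one request. The operator set, the `Rule` type and the sample policy are hypothetical.

```python
"""Illustrative ABAC evaluator: SNS-sourced attributes, owner-defined rules, conflict detection.

Added example, not code from the dissertation. Assumptions (mine, not the page's):
- subject attributes come from a social-network (SNS) profile; here a constructed
  dict stands in for the SNS attribute service;
- each rule has an effect, an action glob, a resource glob and attribute conditions;
- decisions use default-deny plus deny-overrides;
- two rules "potentially conflict" when they have opposite effects, their action and
  resource globs can overlap, and their conditions can hold at the same time.
"""
import fnmatch
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]
Condition = Tuple[str, str, Any]          # (attribute name, operator, value)


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                          # "permit" or "deny"
    action: str                          # glob over actions, e.g. "read" or "*"
    resource: str                        # glob over resource ids, e.g. "/u7/photos/*"
    conditions: Tuple[Condition, ...]    # all must hold for the rule to match


# Operators a policy author may use in conditions (hypothetical operator set).
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda attr, val: attr == val,
    "!=": lambda attr, val: attr != val,
    ">=": lambda attr, val: attr >= val,
    "contains": lambda attr, val: val in attr,   # list-valued attribute holds val
}


def condition_holds(subject: Attrs, cond: Condition) -> bool:
    name, op, value = cond
    if name not in subject:
        return False                     # missing attribute: fail closed
    return OPS[op](subject[name], value)


def rule_matches(rule: Rule, subject: Attrs, action: str, resource: str) -> bool:
    return (fnmatch.fnmatchcase(action, rule.action)
            and fnmatch.fnmatchcase(resource, rule.resource)
            and all(condition_holds(subject, c) for c in rule.conditions))


def decide(policy: List[Rule], subject: Attrs, action: str, resource: str) -> str:
    """Default deny; any matching deny rule overrides matching permit rules."""
    matched = [r for r in policy if rule_matches(r, subject, action, resource)]
    if not matched or any(r.effect == "deny" for r in matched):
        return "deny"
    return "permit"


def globs_overlap(a: str, b: str) -> bool:
    # Cheap over-approximation: one glob's text is matched by the other. Adequate for
    # the prefix-style globs used here; full glob intersection is out of scope.
    return fnmatch.fnmatchcase(a, b) or fnmatch.fnmatchcase(b, a)


def conditions_compatible(c1: Tuple[Condition, ...], c2: Tuple[Condition, ...]) -> bool:
    # Conservative: only equality conditions on the same attribute with different
    # values are treated as mutually exclusive; everything else is assumed satisfiable.
    eq1 = {n: v for n, op, v in c1 if op == "=="}
    eq2 = {n: v for n, op, v in c2 if op == "=="}
    return all(eq2.get(n, v) == v for n, v in eq1.items())


def find_conflicts(policy: List[Rule]) -> List[Tuple[str, str]]:
    """Static check run when a user saves a policy: pairs of opposite-effect rules
    that can both match one request. Deny-overrides resolves them at decision time,
    but the author should confirm each pair is intended."""
    conflicts = []
    for i, a in enumerate(policy):
        for b in policy[i + 1:]:
            if (a.effect != b.effect
                    and globs_overlap(a.action, b.action)
                    and globs_overlap(a.resource, b.resource)
                    and conditions_compatible(a.conditions, b.conditions)):
                conflicts.append((a.rule_id, b.rule_id))
    return conflicts


# Constructed SNS profile for subject "u42" (stands in for the attribute service).
SNS_PROFILE: Attrs = {
    "user_id": "u42",
    "groups": ["cs_lab", "alumni"],
    "friends": ["u7", "u13"],
    "age": 24,
    "verified": True,
}

# Constructed policy written by resource owner "u7" over resources under /u7/.
OWNER_POLICY: List[Rule] = [
    Rule("r1", "permit", "read", "/u7/photos/*", (("friends", "contains", "u7"),)),
    Rule("r2", "deny", "*", "/u7/photos/private/*", (("user_id", "!=", "u7"),)),
    Rule("r3", "permit", "write", "/u7/notes/*",
         (("groups", "contains", "cs_lab"), ("verified", "==", True))),
    Rule("r4", "deny", "write", "/u7/notes/*", (("age", ">=", 18),)),
]

if __name__ == "__main__":
    for act, res in [("read", "/u7/photos/2014/1.jpg"),
                     ("read", "/u7/photos/private/x.jpg"),
                     ("write", "/u7/notes/todo.txt")]:
        print(act, res, "->", decide(OWNER_POLICY, SNS_PROFILE, act, res))
    print("potential conflicts:", find_conflicts(OWNER_POLICY))
```

Running it, the friend u42 may read public photos but not the private album (r2 overrides r1), and is denied writes to notes because r4 contradicts r3 for any adult lab member. The conflict check reports both pairs: r1/r2 is an intentional exception that deny-overrides handles, whereas r3/r4 is a genuine contradiction the policy author needs to fix, which is exactly the kind of feedback a conflict detector should give before a user-defined policy goes live.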
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Doctoral
[Year awarded]: 2014
[Classification number]: TP393.08
【參考文獻(xiàn)】
相關(guān)期刊論文 前10條
1 劉正濤;毛宇光;王建東;葉傳標(biāo);;基于角色的層次受限委托模型[J];電子科技大學(xué)學(xué)報;2010年01期
2 王浩學(xué);汪斌強(qiáng);蘭巨龍;鄔鈞霆;;基于開放可重構(gòu)路由交換平臺的新型網(wǎng)絡(luò)體系[J];電信科學(xué);2008年07期
3 王小明;付紅;張立臣;;基于屬性的訪問控制研究進(jìn)展[J];電子學(xué)報;2010年07期
4 李玉峰;邱菡;蘭巨龍;;可重構(gòu)路由器研究的現(xiàn)狀與展望[J];中國工程科學(xué);2008年07期
5 畢軍;;SDN體系結(jié)構(gòu)與未來網(wǎng)絡(luò)體系結(jié)構(gòu)創(chuàng)新環(huán)境[J];電信科學(xué);2013年08期
6 何永忠;李曉峰;馮登國;;RBAC實(shí)施中國墻策略及其變種的研究[J];計算機(jī)研究與發(fā)展;2007年04期
7 翟征德;;基于量化角色的可控委托模型[J];計算機(jī)學(xué)報;2006年08期
8 林闖;賈子驍;孟坤;;自適應(yīng)的未來網(wǎng)絡(luò)體系架構(gòu)[J];計算機(jī)學(xué)報;2012年06期
9 謝高崗;張玉軍;李振宇;孫毅;謝應(yīng)科;李忠誠;劉韻潔;;未來互聯(lián)網(wǎng)體系結(jié)構(gòu)研究綜述[J];計算機(jī)學(xué)報;2012年06期
10 梁軍學(xué);林昭文;馬嚴(yán);;未來互聯(lián)網(wǎng)試驗平臺[J];計算機(jī)學(xué)報;2013年07期
Document number: 1847473
Link: http://sikaile.net/guanlilunwen/gongyinglianguanli/1847473.html