Research on Key Technologies of Security Label Binding in Multi-Level Secure Networks
Published: 2018-02-11 13:18
Keywords: multi-level secure network; security label; binding; Extensible Markup Language (XML); fine granularity; average inter-packet delay; implicit flow labelling. Source: PLA Information Engineering University (解放軍信息工程大學), 2014 master's thesis. Thesis type: degree thesis
【Abstract】: Multi-level security (MLS) is the theoretical basis of classified protection, and the core element of security construction for level-3 information systems is mandatory access control (MAC) based on security labels. As the key basis for enforcing MLS, a security label must be bound to the object it protects securely and reliably, and must be protected against forgery and tampering. In existing label-binding techniques, however, binding at the application level (to data objects) is hampered by the diversity of data structures, while binding at the network level (to data flows) must satisfy the requirements of implicit binding and real-time flow control; both pose new challenges for label-binding research. This thesis studies security label binding for application-level data objects and network-level data flows in multi-level secure networks. The main contributions are:

1. To meet the labelling needs of application-level data objects and network-level data flows, an integrated security label framework for multi-level secure networks is constructed, which addresses label generation, verification, binding and inheritance. The framework formally describes the basic elements, constraint rules and label functions involved in label enforcement; defines a label format that supports mandatory access control policies and label exception policies; passes labels effectively from the application level to the network level through label inheritance from data objects to data flows; and organizes the framework into a basic domain, a label domain and a function domain that work together, which improves the applicability and flexibility of labels.

2. To address the diverse structures of application-level data objects and the lack of a uniform way to bind labels to them, an XML-based technique for binding security labels uniformly to multiple types of data objects is proposed. An XML conversion method based on logical multi-level segmentation of the object converts it into a well-formed, tree-structured XML document composed of data units at different levels, so that documents, images and other kinds of data objects are converted consistently. By defining the label syntax and constraint rules, a traversal-based label binding algorithm and a pruning-based object view generation algorithm are designed, which yield uniform, fine-grained binding of labels to data objects.

3. To address security problems such as targeted attacks on existing explicit label-binding methods for network-level data flows, an implicit binding method based on the average of inter-packet delay (AIPD) is proposed. First, a Hamming-code error-control mechanism encodes the label with error correction, which raises the accuracy of the binding scheme. Then, a random grouping scheme for the inter-packet delays (IPD) of a flow is designed; the AIPD of each group serves as the label carrier, and label bits are embedded in the flow by controlling the difference between AIPDs. Finally, the delay of each packet in a group is modulated according to the binding rule so that the group reaches its intended AIPD, which binds the label to the flow. Analysis and experiments confirm the effectiveness of the binding method.

4. A prototype mandatory access control system for multi-level secure networks based on security labels is designed and implemented. It realizes the label-binding techniques proposed in this thesis and, combined with label-based MAC policies, achieves fine-grained access control of application-level data objects and real-time control of network-level data flows, supporting the construction of level-3 secure applications.
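As an added illustration of point 2 (this is example code written for this page, not code from the thesis), the following Python sketch shows what a traversal-based label binding and a pruning-based object view look like on a small XML object that has already been split into multi-level data units. The level names, the `level` attribute, the inheritance rule for unlabelled units and the no-read-up pruning rule are assumptions made for the example; the value `bind_labels` returns is the least upper bound of all unit labels, which is the label a data flow would inherit when the whole object is transmitted (the object-to-flow inheritance of point 1).

```python
# Added example (not the thesis's own code): label binding to a multi-level
# XML object and view generation by pruning. Level names, the "level"
# attribute and the rules below are assumptions made for this example.
import xml.etree.ElementTree as ET

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}
LABEL_ATTR = "level"

# Constructed sample: a report already converted into multi-level data units.
SAMPLE_XML = """<object name="report" level="public">
  <unit id="1">Overview text</unit>
  <unit id="2" level="confidential">Budget figures
    <unit id="2.1" level="secret">Supplier names</unit>
  </unit>
  <unit id="3" level="internal">Schedule</unit>
</object>"""


class LabelError(ValueError):
    """Raised when a unit carries a label outside the defined lattice."""


def bind_labels(elem, inherited=None):
    """Traversal-based binding (pre-order). Rules assumed here:
    - a unit without a label inherits its parent's label;
    - an unknown label name is a binding error;
    - the least upper bound of all unit labels is returned, which is the
      label a data flow inherits when the whole object is transmitted."""
    label = elem.get(LABEL_ATTR, inherited)
    if label not in LEVELS:
        raise LabelError(f"unit {elem.get('id', elem.tag)!r}: bad label {label!r}")
    elem.set(LABEL_ATTR, label)
    highest = LEVELS[label]
    for child in elem:
        highest = max(highest, LEVELS[bind_labels(child, label)])
    return LEVEL_NAMES[highest]


def load_object(xml_text):
    """Parse a converted object and bind its labels; returns (root, flow label)."""
    root = ET.fromstring(xml_text)
    return root, bind_labels(root)


def object_view(root, clearance):
    """Pruning-based view generation: copy the tree, dropping every subtree
    whose label is not dominated by the subject's clearance (no read up)."""
    def prune(elem):
        if LEVELS[elem.get(LABEL_ATTR)] > LEVELS[clearance]:
            return None
        copy = ET.Element(elem.tag, elem.attrib)
        copy.text = elem.text
        for child in elem:
            kept = prune(child)
            if kept is not None:
                copy.append(kept)
        return copy
    return prune(root)


def visible_units(root, clearance):
    """Ids of the data units a subject with the given clearance may read."""
    view = object_view(root, clearance)
    return [] if view is None else [u.get("id") for u in view.iter("unit")]


if __name__ == "__main__":
    root, flow_label = load_object(SAMPLE_XML)
    print("flow label inherited by the whole object:", flow_label)
    for clearance in LEVELS:
        print(f"{clearance:>12}: {visible_units(root, clearance)}")
```

A confidential subject sees units 1, 2 and 3 but not 2.1, while the flow that carries the whole report must be labelled secret, because that is the highest label bound inside it; the two results together are what a fine-grained application-level policy and a network-level flow policy need from the same binding.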
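Point 3 describes the network-level side: the label is protected with a Hamming code, packets are grouped randomly, and each label bit is carried by the difference between two groups' AIPDs. The simulation below is an added example written for this page, not the thesis's implementation or its experiments. Its assumptions are a 4-bit label protected by Hamming(7,4); groups formed by shuffling IPD positions with a key shared by the labelling point and the verifier; bit i carried by the sign of AIPD(group 2i) minus AIPD(group 2i+1) with a fixed margin `delta`; delay only ever added to a packet; and each IPD treated as independently adjustable, which simplifies real packet timing where delaying one packet also shortens the following gap.

```python
# Added example (not the thesis's own code): a Hamming(7,4)-protected label
# carried in the average inter-packet delay (AIPD) of randomly formed packet
# groups. Grouping key, pairing rule, margin and the sample flow are
# constructed assumptions for this example.
import random
from statistics import mean

KEY = "constructed-shared-grouping-key"   # assumed shared secret for grouping


def hamming74_encode(d):
    """Data bits d1..d4 -> 7-bit codeword with parity at positions 1, 2, 4."""
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]


def hamming74_decode(c):
    """Return (data bits, corrected 1-based position); 0 means no error.
    A single flipped bit, e.g. caused by network jitter, is corrected."""
    c = list(c)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    pos = s1 + 2 * s2 + 4 * s3
    if pos:
        c[pos - 1] ^= 1
    return [c[2], c[4], c[5], c[6]], pos


def label_to_bits(label, width=4):
    return [(label >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_label(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def make_groups(n_packets, group_size, key):
    """Random grouping of IPD positions, reproducible from the shared key."""
    idx = list(range(n_packets))
    random.Random(key).shuffle(idx)
    return [idx[i:i + group_size]
            for i in range(0, len(idx) - group_size + 1, group_size)]


def embed_codeword(ipds, codeword, group_size, key, delta):
    """Bit i uses groups 2i (A) and 2i+1 (B). Delay is added to the group that
    must be slower until AIPD(hi) - AIPD(lo) >= delta; 1 means A slower."""
    out = list(ipds)
    groups = make_groups(len(ipds), group_size, key)
    if len(groups) < 2 * len(codeword):
        raise ValueError("flow too short to carry the label")
    for i, bit in enumerate(codeword):
        a, b = groups[2 * i], groups[2 * i + 1]
        hi, lo = (a, b) if bit else (b, a)
        diff = mean(out[j] for j in hi) - mean(out[j] for j in lo)
        if diff < delta:
            extra = delta - diff          # raises AIPD(hi) by exactly this
            for j in hi:
                out[j] += extra
    return out


def extract_codeword(ipds, n_bits, group_size, key):
    """Verifier side: read each bit from the sign of the AIPD difference."""
    groups = make_groups(len(ipds), group_size, key)
    return [1 if mean(ipds[j] for j in groups[2 * i]) >
            mean(ipds[j] for j in groups[2 * i + 1]) else 0
            for i in range(n_bits)]


def bind_label(ipds, label, key, group_size=4, delta=0.002):
    return embed_codeword(ipds, hamming74_encode(label_to_bits(label)),
                          group_size, key, delta)


def verify_label(ipds, key, group_size=4):
    """Return (label, corrected position) recovered from a labelled flow."""
    data, corrected = hamming74_decode(extract_codeword(ipds, 7, group_size, key))
    return bits_to_label(data), corrected


def sample_flow(n=64, seed=1):
    """Constructed IPDs in seconds, 10-14 ms, standing in for a captured flow."""
    rng = random.Random(seed)
    return [0.010 + 0.004 * rng.random() for _ in range(n)]


def disturb_bit(ipds, bit_index, key, group_size=4, amount=0.02):
    """Constructed fault: delay the faster group of one bit enough to invert
    that bit, as heavy jitter on the path would."""
    out = list(ipds)
    groups = make_groups(len(ipds), group_size, key)
    a, b = groups[2 * bit_index], groups[2 * bit_index + 1]
    lower = a if mean(out[j] for j in a) <= mean(out[j] for j in b) else b
    for j in lower:
        out[j] += amount
    return out


if __name__ == "__main__":
    bound = bind_label(sample_flow(), 5, KEY)
    print("clean flow:", verify_label(bound, KEY))
    print("one bit inverted:", verify_label(disturb_bit(bound, 2, KEY), KEY))
```

The verifier recovers label 5 from the clean flow and still recovers it after one group pair is disturbed, reporting which codeword position was corrected; a second inverted bit would exceed what Hamming(7,4) can correct, which is the accuracy limit the error-control step is there to push back.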
【Degree-granting institution】: PLA Information Engineering University (解放軍信息工程大學)
【Degree level】: Master's
【Year granted】: 2014
【Classification number】: TP393.08