Research on Network Security Policy Models and Conflict Detection
Abstract: Policy-based network management is widely used in network security management because it is flexible, easy to use and automated. A policy is a set of constraint rules that a network administrator configures to secure the system. Current network security policy models often neglect the network topology, even though topology is an important consideration in policy-based network management: when the topology changes, the management strategy changes with it. At the same time, as network structures grow more complex, conflicts between configured policies become unavoidable. Almost every policy-based network security model therefore has to check policy consistency and eliminate the conflicts in the policy system; otherwise the remaining conflicts leave security vulnerabilities in the system. Existing policy conflict detection methods fall into two categories, single-point detection and global detection. Single-point detection finds only the conflicts within one network device and cannot find conflicts between devices. Global detection treats the rules of all devices as one rule set, which can produce false positives, because in a large network it is perfectly reasonable for the policies on different paths to be inconsistent. To address the neglect of network topology in current network security policy models, this thesis proposes a network security policy model based on network topology, in which the topology and the policy rules held by the network devices are modeled together. In the model, the network topology is abstracted as an undirected graph, and a data communication path between two network devices is abstracted as a path between two nodes of that graph. Ports and policy rules are formalized so that the policies are tied to the undirected graph.
To address the shortcomings of single-point and global detection, this thesis proposes a path-based policy conflict detection method: the rule set that is checked for conflicts is the set of rules on the devices along a network path. With this method the possible conflicts in network device configurations can be detected accurately. To improve the efficiency of conflict detection, the thesis also proposes a policy conflict detection algorithm based on a decision tree. The algorithm classifies rules by their dimensions, builds a decision tree, and then checks for conflicts only among the rules that fall into the same leaf node. Because only rules in the same leaf are compared with each other, the number of pairwise comparisons, and with it the detection time, is reduced. Finally, a prototype network security policy conflict detection system is designed on the basis of the model and algorithm. Test cases verify that the system detects the policy conflicts in the network accurately and that the decision-tree classification algorithm significantly improves the efficiency of policy conflict detection.
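As an added illustration (not code from the thesis or its prototype system), the following Python sketch combines the two ideas above: the topology is an undirected graph, the rules checked are those on the devices along the path between two nodes, and the path rule set is bucketed by a decision tree over exact-valued dimensions (protocol, port) before any pairwise comparison. The sample topology, the rule fields, the "any" wildcard and the definition of a conflict (overlapping source and destination prefixes with opposite actions) are my assumptions; rule 3 sits on a device off the A-to-B path, so it is reported only when the A-to-C path is checked, which is exactly the pair a global comparison would flag for A-to-B as a false positive.

```python
import ipaddress
from collections import defaultdict, deque
# Constructed sample input (not from the thesis): an undirected topology and per-device rules.
EDGES = [("A", "FW1"), ("FW1", "R1"), ("R1", "FW2"), ("FW2", "B"), ("R1", "FW3"), ("FW3", "C")]
def rule(i, dev, proto, port, src, dst, action):
    return dict(id=i, device=dev, proto=proto, port=port, src=src, dst=dst, action=action)
RULES = [rule(1, "FW1", "tcp", 22, "10.0.0.0/24", "10.1.0.0/24", "permit"),
         rule(2, "FW2", "tcp", "any", "10.0.0.0/25", "10.1.0.0/24", "deny"),
         rule(3, "FW3", "tcp", 22, "10.0.0.0/24", "10.1.0.0/24", "deny"),
         rule(4, "FW2", "udp", 53, "10.0.0.0/24", "10.1.0.0/24", "permit")]

def shortest_path(edges, start, goal):  # BFS; the communication path is the node list start..goal
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b); adj[b].add(a)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in adj[path[-1]]:
            if nxt not in seen:
                seen.add(nxt); queue.append(path + [nxt])
    return []

def split(rules, dim):
    # One tree level: branch on an exact-valued dimension; an "any" rule is copied into every branch
    values = {r[dim] for r in rules if r[dim] != "any"} or {"any"}
    children = defaultdict(list)
    for r in rules:
        for v in (values if r[dim] == "any" else {r[dim]}):
            children[v].append(r)
    return list(children.values())

def overlaps(a, b):  # address dimensions are prefixes: compare by range overlap, not equality
    return (ipaddress.ip_network(a["src"]).overlaps(ipaddress.ip_network(b["src"]))
            and ipaddress.ip_network(a["dst"]).overlaps(ipaddress.ip_network(b["dst"])))

def detect_conflicts(edges, rules, start, goal, dims=("proto", "port")):
    # Path-based: compare only rules on the start->goal path, and only within one tree leaf
    on_path = set(shortest_path(edges, start, goal))
    leaves = [[r for r in rules if r["device"] in on_path]]
    for dim in dims:
        leaves = [leaf for rs in leaves for leaf in split(rs, dim)]
    found = set()
    for leaf in leaves:
        for i, a in enumerate(leaf):
            for b in leaf[i + 1:]:
                if a["action"] != b["action"] and overlaps(a, b):
                    found.add(tuple(sorted((a["id"], b["id"]))))
    return sorted(found)
```

Copying a wildcard rule into every sibling branch keeps the leaf partition from separating rules that can still match the same packet; without it the tree would silently drop the conflict between rules 1 and 2.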
Degree-granting institution: 電子科技大學 (University of Electronic Science and Technology of China)
Degree level: Master's
Year conferred: 2017
Classification number: TP393.08
Article ID: 2187125
Link: http://sikaile.net/guanlilunwen/ydhl/2187125.html