
Research and Application of Network Security Device Linkage Policies

Published: 2018-09-06 17:52
[Abstract]: Policy-based linkage management of network security devices ensures that the security devices in a system work cooperatively, integrates system resources effectively, and improves the detection accuracy and handling efficiency of security events, so that the system can cope with increasingly complex and changeable network security threats. It has become the core of the dynamic security device management model. Building on the policy management framework defined by the IETF and the security device linkage architecture model, this thesis studies the description, verification, search and execution of linkage policies.

First, for the definition and description of linkage policies: based on the cooperation among the security devices within a subnet, security domains are divided by subnet, and a linkage policy is defined as a triple of security domain, trigger condition and execution rule set. The trigger condition represents the security event threat captured by the system, and the rule set represents the series of configuration actions the system must take to execute the policy.

Second, for the verification of linkage policies: handling a security event amounts to starting the relevant processes of the various linkage devices in the security domain. Taking the on or off state of the linkage device processes as state nodes, and the security events that cause a state node to change as edges, a directed-graph state transition model is constructed for a specific subnet, so that each execution action in a rule set corresponds to one state transition in the directed graph. A depth-first traversal of the directed graph examines the transition paths of each state node and thereby verifies the correctness, completeness, consistency, redundancy and executability of the linkage policies.

Third, for the querying of linkage policies: the policy query problem is likewise transformed into a directed-graph traversal problem. To ensure that high-frequency security events are retrieved first, event frequency is taken into account when the adjacency list of the directed graph is built. The directed graph is divided into several subgraphs according to the number of terminal nodes, security event frequency is converted into path cost, and the heuristic function is defined using the latest event occurrence time from AOE networks. The A* search algorithm orders the state nodes in the Closed list, and the reordered nodes of all subgraphs are combined to rebuild the adjacency list.

Finally, for the execution of linkage policies: security devices are configured remotely over the SSH protocol, which secures policy execution and provides compatibility with the different SSH versions of different devices.

Experimental analysis shows that the proposed policy verification algorithm has lower complexity than some existing methods and executes efficiently, and that the policy query method responds effectively to high-frequency events. Combined with remote configuration of security devices over SSH, the methods described in this thesis can be used to build a policy-based network security device linkage system that deals effectively with all kinds of security threats.
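The verification step described in the abstract can be sketched as follows. This is an added example, not code from the thesis: the `(op, process)` rule encoding, the four finding names and their exact definitions, and all sample device, event and subnet names are assumptions made for illustration.

```python
from collections import namedtuple

# Linkage policy as the abstract's triple: (security domain, trigger, rule set).
# Assumed encoding: a rule is (op, process) with op in {"start", "stop"}.
Policy = namedtuple("Policy", "domain trigger rules")

def step(state, rules):
    """Apply a rule set to a state (frozenset of running processes)."""
    for op, proc in rules:
        state = state | {proc} if op == "start" else state - {proc}
    return state

def verify(policies, domain, processes, events):
    """Depth-first walk of one domain's state graph; returns a set of findings."""
    mine = [p for p in policies if p.domain == domain]
    findings = {("incomplete", e) for e in events if e not in {p.trigger for p in mine}}
    bad = [p for p in mine if any(proc not in processes for _, proc in p.rules)]
    findings |= {("not_executable", p.trigger) for p in bad}
    runnable = [p for p in mine if p not in bad]
    effective, seen, stack = set(), set(), [frozenset()]  # start: all processes off
    while stack:
        state = stack.pop()
        if state in seen:
            continue
        seen.add(state)
        successors = {}
        for i, p in enumerate(runnable):
            nxt = step(state, p.rules)
            if nxt != state:
                effective.add(i)          # policy changes state somewhere
            successors.setdefault(p.trigger, set()).add(nxt)
            stack.append(nxt)
        findings |= {("inconsistent", t) for t, s in successors.items() if len(s) > 1}
    findings |= {("redundant", p.trigger)
                 for i, p in enumerate(runnable) if i not in effective}
    return findings

# Constructed sample domain and policies (not from the thesis).
PROCESSES = {"fw_block", "ids_capture", "av_scan", "mail_filter"}
EVENTS = ["port_scan", "worm", "dos", "spam_end", "scan_end"]
POLICIES = [
    Policy("subnet-A", "port_scan", [("start", "fw_block")]),
    Policy("subnet-A", "worm", [("start", "av_scan")]),
    Policy("subnet-A", "worm", [("start", "ids_capture")]),    # same trigger, other outcome
    Policy("subnet-A", "spam_end", [("stop", "mail_filter")]), # process is never started
    Policy("subnet-A", "scan_end", [("stop", "vpn_gate")]),    # process not in the domain
]
```

Calling `verify(POLICIES, "subnet-A", PROCESSES, EVENTS)` reports one finding of each kind: `dos` has no policy, `scan_end` names an unknown process, the two `worm` policies disagree, and the `spam_end` policy never changes any reachable state.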
[Degree-granting institution]: North China Electric Power University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08



Article ID: 2227083


Article link: http://sikaile.net/guanlilunwen/ydhl/2227083.html

