Research and Implementation of Conflict Detection Technology for Network and Application Fusion (original title: 網絡與應用相融衝突檢測技術的研究與實現)
[Abstract]: With the continuous expansion of network scale, the security of enterprise networks receives more and more attention. This paper analyzes the research status of fusion conflicts in enterprise networks at home and abroad and, starting from the security requirements of the network and of application systems in a typical enterprise environment, points out conflicts in the authorization management of application systems and conflicts between the network and application systems; these bring challenges to the secure operation of network applications. To address this problem, the RBAC model is used to describe the access control requirements of the application system, and JSON is used to describe the network topology and the rules of the network devices at the nodes of that topology. Firstly, the relationships between the elements of the RBAC model are analyzed, a definition of authorization requirement conflict in application systems is given, and the conflict types are classified; on this basis, an application system authorization fusion conflict detection method based on colored Petri nets is established. Secondly, to address inconsistencies between the communication requirements of the network and of the application system, ordered binary decision diagrams (OBDDs) are used to model the whole network topology, and Boolean function verification is used to detect communication conflicts between the network and the application. Finally, a prototype system for conflict detection between the network and the application is designed and implemented, and test cases are selected to verify it.
This paper studies conflict detection technology between the network and applications and designs and implements a prototype system of that technology. The main work is as follows:
1. The research status of conflict detection technology between the network and applications at home and abroad is analyzed. Some problems in conflict detection research remain unsolved: existing rule conflict detection methods for network devices consider, at network scale, only the rule conflicts within a single firewall or a simple series of firewalls; rule conflicts among multiple routers and firewalls in complex network topologies receive less consideration, and the requirements of application systems are not taken into account in rule conflict detection.
2. A solution for conflict detection between the network and applications is presented. By defining an RBAC-based conceptual model and conflict model for the authorization requirements of application systems, an authorization fusion conflict detection method based on colored Petri nets is proposed. By studying a two-tier architecture model of application system requirements, a concept definition of application system communication requirements is given; finally, the transformation from high-level to low-level requirements of application systems is analyzed.
3. The key algorithms of network and application fusion conflict detection are given: an authorization fusion conflict detection algorithm based on colored Petri nets and a communication fusion conflict detection algorithm based on OBDDs. The implementation principle of each algorithm is introduced in detail, and its characteristics are analyzed.
4. A prototype system for network and application fusion conflict detection is designed and implemented. The prototype system consists mainly of three modules: a file preprocessing module, an RBAC modeling module and a fusion conflict detection module.
5. A series of experimental cases is designed for the prototype system. The experiments and their results show that, following the two-tier architecture model between the network and the application system, the system can not only detect whether a conflict exists within the application system or between the network and the application system, but can also report the cause of the conflict. Information such as the conflict type and the conflict location lays the foundation for further conflict resolution.
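The communication-conflict check described in the abstract can be illustrated in miniature. The following Python example is added here for illustration and is not the thesis's own code or prototype: it assumes a small JSON topology schema (nodes with first-match allow/deny rules, undirected links), stands in for an OBDD by representing each Boolean function over packet headers as an explicit set over a constructed finite header universe, and reports, for a requirement that cannot be satisfied, the device and rule on each path that first blocks the traffic. The topology, hosts, ports and requirements are constructed sample data.

```python
"""Toy network/application communication-conflict detection.

Added example, not the thesis's code. An OBDD would encode header fields as
bit vectors; here a Boolean function over headers is simply a frozenset of
(src, dst, proto, port) tuples drawn from a small constructed universe, so
AND is set intersection, OR is set union and NOT is set difference.
"""
import json

# Constructed topology in an assumed JSON schema (not the thesis's format).
TOPOLOGY_JSON = """
{
  "nodes": {
    "app_server": {"type": "host", "rules": []},
    "fw1": {"type": "firewall", "rules": [
      {"action": "deny",  "src": "*", "dst": "db", "proto": "tcp", "port": 3306},
      {"action": "allow", "src": "*", "dst": "*",  "proto": "*",   "port": "*"}
    ]},
    "r1": {"type": "router", "rules": [
      {"action": "allow", "src": "*", "dst": "*", "proto": "*", "port": "*"}
    ]},
    "web": {"type": "host", "rules": []},
    "db":  {"type": "host", "rules": []}
  },
  "links": [["app_server", "fw1"], ["fw1", "r1"], ["r1", "web"], ["r1", "db"]]
}
"""

# Constructed finite header space (hosts, protocols, ports).
HOSTS = ("app_server", "web", "db")
PROTOS = ("tcp", "udp")
PORTS = (80, 443, 3306)
UNIVERSE = frozenset((s, d, p, port) for s in HOSTS for d in HOSTS
                     for p in PROTOS for port in PORTS if s != d)


def load_topology(text):
    return json.loads(text)


def rule_matches(rule, hdr):
    """A rule (or a requirement) matches a header field-by-field; '*' is a wildcard."""
    src, dst, proto, port = hdr
    fields = (("src", src), ("dst", dst), ("proto", proto), ("port", port))
    return all(rule[k] in ("*", v) for k, v in fields)


def permitted(rules):
    """Boolean function of headers a device forwards (first-match semantics).

    A node without rules (a host) is treated as pass-through; a node with
    rules denies anything no rule matches.
    """
    if not rules:
        return UNIVERSE
    allowed = set()
    for hdr in UNIVERSE:
        for rule in rules:
            if rule_matches(rule, hdr):
                if rule["action"] == "allow":
                    allowed.add(hdr)
                break
    return frozenset(allowed)


def first_deciding_rule(rules, hdr):
    """Index and body of the rule that decides this header, or (None, None)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, hdr):
            return i, rule
    return None, None


def simple_paths(links, src, dst):
    """All loop-free paths from src to dst over the undirected link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    paths = []

    def dfs(node, path):
        if node == dst:
            paths.append(list(path))
            return
        for nxt in sorted(adj.get(node, ())):
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(src, [src])
    return paths


def check_requirement(topology, req):
    """Conflict iff some header the application needs is reachable on no path.

    reachable = OR over paths of (AND over transit devices of permitted);
    unmet     = need AND NOT reachable.
    """
    nodes = topology["nodes"]
    perm = {n: permitted(spec["rules"]) for n, spec in nodes.items()}
    need = frozenset(h for h in UNIVERSE if rule_matches(req, h))
    paths = simple_paths(topology["links"], req["src"], req["dst"])
    reachable = frozenset()
    for path in paths:
        f = need
        for n in path[1:-1]:          # transit devices only, endpoints excluded
            f &= perm[n]
        reachable |= f
    unmet = need - reachable
    causes = []
    for path in paths:                # conflict location: first blocking device per path
        for hdr in sorted(unmet):
            for n in path[1:-1]:
                if hdr not in perm[n]:
                    idx, rule = first_deciding_rule(nodes[n]["rules"], hdr)
                    causes.append({"path": path, "device": n, "header": hdr,
                                   "rule_index": idx, "rule": rule})
                    break
    return {"conflict": bool(unmet), "unmet": sorted(unmet), "causes": causes}


if __name__ == "__main__":
    topo = load_topology(TOPOLOGY_JSON)
    req = {"src": "app_server", "dst": "db", "proto": "tcp", "port": 3306}
    print(json.dumps(check_requirement(topo, req), indent=2, default=str))
```

Running the block reports that the application's need for TCP/3306 from app_server to db conflicts with the network, locating the cause at fw1, rule 0; a requirement toward web on 443 passes, and a wildcard-port requirement toward db yields only the 3306 header as unmet, showing that the check works per header rather than per requirement.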
【Degree-granting institution】: Beihang University (北京航空航天大學)
【Degree level】: Master's
【Year of degree award】: 2014
【Classification number】: TP393.08
【參考文獻(xiàn)】
相關(guān)期刊論文 前9條
1 姚鍵 ,茅兵 ,謝立;一種基于有向圖模型的安全策略沖突檢測(cè)方法[J];計(jì)算機(jī)研究與發(fā)展;2005年07期
2 夏春和;魏玉娣;李肖堅(jiān);王海泉;何巍;;計(jì)算機(jī)網(wǎng)絡(luò)防御策略描述語(yǔ)言研究[J];計(jì)算機(jī)研究與發(fā)展;2009年01期
3 張雷;向宏;胡海波;;基于語(yǔ)義的RBAC模型權(quán)限沖突檢測(cè)方法[J];計(jì)算機(jī)工程與應(yīng)用;2011年26期
4 朱建明;Srinivasan Raghunathan;;基于博弈論的信息安全技術(shù)評(píng)價(jià)模型[J];計(jì)算機(jī)學(xué)報(bào);2009年04期
5 Wilfricd Brauer;袁崇義;;C.A.Petri與計(jì)算機(jī)科學(xué)[J];計(jì)算機(jī)科學(xué);1988年05期
6 林闖,魏丫丫;隨機(jī)進(jìn)程代數(shù)與隨機(jī)Petri網(wǎng)[J];軟件學(xué)報(bào);2002年02期
7 陳曉蘇;林植;馮向東;;基于分層模型的網(wǎng)絡(luò)安全策略逐級(jí)求精算法[J];小型微型計(jì)算機(jī)系統(tǒng);2007年06期
8 李金雙;常桂然;;HARBAC:基于分級(jí)管理思想的RBAC層級(jí)管理模型[J];小型微型計(jì)算機(jī)系統(tǒng);2009年07期
9 崔立真;田君杰;王海洋;;基于兩階段規(guī)劃模型的跨域服務(wù)流程動(dòng)態(tài)構(gòu)造方法[J];小型微型計(jì)算機(jī)系統(tǒng);2011年09期
Article number: 2486673
Article link: http://sikaile.net/guanlilunwen/ydhl/2486673.html