基于动态模板的策略翻译及配置方法

doi:10.11959/j.issn.1000-436x.2019236

通信学报 ›› 2019, Vol. 40 ›› Issue (12): 138-148.doi: 10.11959/j.issn.1000-436x.2019236

基于动态模板的策略翻译及配置方法

郭云川¹,李凌^1,²,李勇俊^1,²,成林³,杜君⁴,张玲翠¹()

¹ 中国科学院信息工程研究所，北京100093
² 中国科学院大学网络空间安全学院，北京 100049
³ 中国信息安全测评中心，北京 100085
⁴ 北京网御星云信息技术有限公司，北京 100085

修回日期:2019-10-23 出版日期:2019-12-25 发布日期:2020-01-16
作者简介:郭云川（1977- ），男，四川营山人，博士，中国科学院副研究员、博士生导师，主要研究方向为访问控制、形式化方法|李凌（1993- ），女，湖南浏阳人，中国科学院硕士生，主要研究方向为安全策略管理|李勇俊（1992- ），男，浙江丽水人，中国科学院博士生，主要研究方向为入侵响应、安全评估、访问控制|成林（1983- ），男，河北邢台人，博士，中国信息安全测评中心助理研究员，主要研究方向为云计算安全、大数据安全|杜君（1982- ），男，陕西宁强人，北京网御星云信息技术有限公司助理总裁，主要研究方向为网络安全、云计算、工控安全|张玲翠（1986- ），女，河北故城人，中国科学院博士生，主要研究方向为网络安全、信息保护
基金资助:
国家重点研发计划基金资助项目(2017YFB0801802);国家重点研发计划基金资助项目(2016QY06X1203);国家自然科学基金资助项目(U1836203);中国科学院战略性先导科技专项基金资助项目(XDC02040400)

Policy translation and configuration using dynamic template

Yunchuan GUO¹,Ling LI^1,²,Yongjun LI^1,²,Lin CHENG³,Jun DU⁴,Lingcui ZHANG¹()

¹ Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China
² School of Cyber Security,University of Chinese Academy of Sciences,Beijing 100049,China
³ China Information Technology Security Evaluation Center,Beijing 100085,China
⁴ Beijing Leadsec Technology Co.,Ltd,Beijing 100191,China

Revised:2019-10-23 Online:2019-12-25 Published:2020-01-16
Supported by:
The National Key Research and Development Program of China(2017YFB0801802);The National Key Research and Development Program of China(2016QY06X1203);The National Natural Science Foundation of China(U1836203);The Strategic Priority Research Program of the Chinese Academy of Sciences(XDC02040400)

摘要/Abstract

摘要：

为解决大型系统中大量设备配置方式多样性导致人工安全设备配置复杂烦琐、容易出错、效率低下的问题，设计了一种基于动态模板的策略翻译及配置方法。通过构建基于编码的策略翻译模板，利用编码简单、通用、易计算的特点，指导归一化策略向设备个性化配置命令行转换，同时通过关键词对比法，保证策略配置的准确性。实验分析结果证明，所提策略翻译及配置方法具有强扩展性和高准确度。

关键词: 设备配置, 安全策略, 策略翻译, 动态模板

Abstract:

To solve the problem of complex,cumbersome and error-prone configuration of security devices caused by the heterogeneous configuration modes in complex networks,a dynamic template-based scheme for translating and configuring policy was proposed.In detail,considering the code’s features,the code-based template for translating policies was constructed to configure the command line conversion,and the keyword comparison method was used to ensure the accuracy of policy configuration.Experiments show that the scalability and the accuracy of the proposed scheme.

Key words: device configuration, security policy, policy translation, dynamic template

中图分类号:

TP311

郭云川,李凌,李勇俊,成林,杜君,张玲翠. 基于动态模板的策略翻译及配置方法[J]. 通信学报, 2019, 40(12): 138-148.

Yunchuan GUO,Ling LI,Yongjun LI,Lin CHENG,Jun DU,Lingcui ZHANG. Policy translation and configuration using dynamic template[J]. Journal on Communications, 2019, 40(12): 138-148.

图/表 9

图1

图2

图3

图4

表1

图5

图6

图7

图8

参考文献 23

[1]	JOHNSON M , BRADSHAW J M , JUNG H ,et al. Policy management across multiple platforms and application domains[C]// IEEE Workshop on Policies for Distributed Systems and Networks. IEEE, 2008: 199-202.
[2]	HOLMES B L , . Heterogeneous systems:can they ever work together?[C]// Symposium Record Policy Issues in Information and Communication Technologies in Medical Applications. IEEE, 1988: 169-174.
[3]	DAMIANOU N , DULAY N , LUPU E,et.al . The ponder policy specification language[J]. Proc of policy, 2001,55(8): 18-38.
[4]	JANICKE H , CAU A , SIEWE F ,et al. Deriving enforcement mechanisms from policies[C]// IEEE International Workshop on Policies for Distributed Systems and Networks. IEEE, 2007: 161-172.
[5]	JANICKE H , CAU A , SIEWE F ,et al. A compositional event ＆time-based policy model[C]// IEEE International Workshop on Policies for Distributed Systems and Networks. IEEE, 2006: 173-182.
[6]	SIEWE F , CAU A , ZEDAN H . A compositional framework for access control policies enforcement[C]// The 2003 ACM workshop on Formal Methods in Security Engineering. ACM, 2003: 32-42.
[7]	JANICKE H , CAU A , SIEWE F ,et al. Dynamic access control policies:specification and verification[J]. The Computer Journal, 2012,56(4): 440-463.
[8]	LOBO J , BHATIA R , NAQVI S . A policy description language[C]// The 16th National Conference on Artificial Intelligence and the 11th Innovative Applications of Artificial Intelligence Conference. 1999: 291-298.
[9]	RIBEIRO C , ZUQUETE A , FERREIRA P ,et al. SPL:an access control language for security policies and complex constraints[C]// The Network and Distributed System Security Symposium. 2001,1.
[10]	DAMIANOU N , DULAY N , LUPU E ,et al. Tools for domain-based policy management of distributed systems[C]// IEEE/IFIP Network Operations and Management Symposium. IEEE, 2002: 203-217.
[11]	ABWNAWAR N , JANICKE H , SMITH R ,et al. Towards data privacy in heterogeneous cloud environments:an extension to the SANTA policy language[C]// 2017 Second International Conference on Fog and Mobile Edge Computing. IEEE, 2017: 14-19.
[12]	代向东 . 安全策略管理系统中策略描述及策略翻译关键技术研究[D]. 郑州:信息工程大学, 2007.
	DAI X D . Research on key technologies of policy description and policy translation in security policy management system[D]. Zhengzhou:Information Engineering University, 2007.
[13]	HALE J , GALIASSO P , PAPA M ,et al. Security policy coordination for heterogeneous information systems[C]// The 15th Annual Computer Security Applications Conference. IEEE, 1999: 219-228.
[14]	BEIGI M S , CALO S , VERMA D . Policy transformation techniques in policy-based systems management[C]// The 15th IEEE International Workshop on Policies for Distributed Systems and Networks. 2004: 13-22.
[15]	HAN W , FANG Z , YANG L T,et.al . Collaborative policy administration[J]. IEEE Transactions on Parallel and Distributed Systems, 2013,25(2): 498-507.
[16]	WANG R , ENCK W , REEVES D ,et al. EASEAndroid:automatic policy analysis and refinement for security enhanced android via large-scale semi-supervised learning[C]// 24th USENIX Security Symposium. 2015: 351-366.
[17]	LEIGHTON G , BARBOSA D . Access control policy translation,verification,and minimization within heterogeneous data federations[J]. ACM Transactions on Information and System Security, 2011,14(3): 1-28.
[18]	RUDOLPH M , FETH D , DOERR J,et.al . Requirements elicitation and derivation of security policy templates—an industrial case study[C]// The 24th International Requirements Engineering Conference. 2016.
[19]	YANG J , JEONG J P . An automata-based security policy translation for network security functions[C]// 2018 International Conference on Information and Communication Technology Convergence. IEEE, 2018: 268-272.
[20]	陈文惠 . 防火墙系统策略配置研究[D]. 合肥:中国科学技术大学, 2007.
	CHEN W H . Research on policy configuration of firewall system[D]. Hefei:University of Science and Technology of China, 2007.
[21]	LOBO J , MARCHI M , PROVETTI A . Firewall configuration policies for the specification and implementation of private zones[C]// 2012 IEEE International Symposium on Policies for Distributed Systems and Networks. IEEE, 2012: 78-85.
[22]	JILLEPALLI A , DE LEON D C , STEINER S ,et al. Hermes:a high-level policy language for high-granularity enterprise-wide secure browser configuration management[C]// 2016 IEEE Symposium Series on Computational Intelligence. IEEE, 2016: 1-9.
[23]	李福亮, 杨家海, 吴建平 ,等. 互联网自动配置研究[J]. 软件学报, 2014,25(1): 118-134.
	LI F L , YANG J H , WU J P ,et al. Research on Internet auto configuration[J]. Journal of Software, 2014,25(1): 118-134.

设备类别	设备类型	操作系统
服务器	物理机	CentOS
安全设备	天融信NGFW防火墙	NGTOS
	华为USG6000V模拟防火墙	eNSP模拟
	IPtables防火墙	Linux
交换机	CiscoSG200	—

基于动态模板的策略翻译及配置方法

Policy translation and configuration using dynamic template

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 23

相关文章 11

Metrics

推荐阅读 0

[1]	宋宇波, 陈琪, 宋睿, 胡爱群. 基于虚拟机字节码注入的Android应用程序隐私保护机制[J]. 通信学报, 2021, 42(6): 171-181.
[2]	贾春福,哈冠雄,李瑞琪. 密文去重系统中的数据访问控制策略[J]. 通信学报, 2020, 41(5): 72-83.
[3]	杨宏宇,王在明. Android共谋攻击检测模型[J]. 通信学报, 2018, 39(6): 27-36.
[4]	王榕,张敏,冯登国,李昊. 数据库形式化安全策略模型建模及分析方法[J]. 通信学报, 2015, 36(9): 193-203.
[5]	付中南,尚群,公绪晓. 校园网络接入层一体化的规划与实践[J]. 通信学报, 2014, 35(Z1): 91-97.
[6]	付中南，尚群，公绪晓. 校园网络接入层一体化的规划与实践[J]. 通信学报, 2014, 35(Z1): 18-97.
[7]	王丽娜,张浩,余荣威,高汉军,甘宁. 基于VPE的可信虚拟域构建机制[J]. 通信学报, 2013, 34(12): 167-177.
[8]	张志勇,叶传奇,范科峰,张丽丽,牛丹梅. DRM安全策略的模糊层次分析法效用评估及选取[J]. 通信学报, 2009, 30(10A): 126-131.
[9]	高天寒,郭楠,朱志良. 基于动态策略的分布式移动IPv6网络安全管理机制[J]. 通信学报, 2009, 30(1): 50-57.
[10]	李丽萍,卿斯汉,周洲仪,何建波,温红子. 安全策略模型规范及其形式分析技术研究[J]. 通信学报, 2006, 27(6): 94-101.
[11]	李丽萍,卿斯汉,贺也平,沈晴霓. 基于访问控制空间的多策略安全体系结构[J]. 通信学报, 2006, 27(2): 107-112.