内禀安全：网络安全能力体系化构建方法

doi:10.11959/j.issn.2096-109x.2023010

网络与信息安全学报 ›› 2023, Vol. 9 ›› Issue (1): 92-102.doi: 10.11959/j.issn.2096-109x.2023010

内禀安全：网络安全能力体系化构建方法

陈训逊¹, 李明哲¹^,², 吕宁², 黄亮¹

¹ 国家计算机网络应急技术处理协调中心，北京100094
² 长安通信科技有限责任公司，北京102209

修回日期:2022-12-04 出版日期:2023-02-25 发布日期:2023-02-01
作者简介:陈训逊（1972- ），男，黑龙江哈尔滨人，博士，国家计算机网络应急技术处理协调中心正高级工程师，主要研究方向为网络空间安全、计算机网络与信息安全
李明哲（1988- ），男，山东临沂人，博士，国家计算机网络应急技术处理协调中心工程师，主要研究方向为网络信息安全
吕宁（1988- ），女，山东淄博人，硕士，长安通信科技有限责任公司工程师，主要研究方向为网络安全
黄亮（1982- ），男，湖南邵阳人，博士，国家计算机网络应急技术处理协调中心正高级工程师，主要研究方向为网络信息安全
基金资助:
国家重点研发计划(2022YFB3102905)

Intrinsic assurance: a systematic approach towards extensible cybersecurity

Xunxun CHEN¹, Mingzhe LI¹^,², Ning LYU², Liang HUANG¹

¹ National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100094, China
² Chang'an Communication Technology Co., Ltd., Beijing 102209, China

Revised:2022-12-04 Online:2023-02-25 Published:2023-02-01
Supported by:
The National Key R＆D Program of China(2022YFB3102905)

摘要/Abstract

摘要：

目前主流的网络安全防护体系是外嵌的，安全体系与业务体系分离，安全产品相互孤立，在防护能力上难以高效应对越来越复杂的网络安全挑战。网络安全从外向内进行强基，势在必行。将网络安全的业务场景归纳为组织、厂商、监管和威胁四方视角，各视角具有不同的业务目标。从四方视角的共性和个性出发，系统性归纳网络安全生态的能力需求，提出内禀安全方法论。内禀安全能力是指ICT组件原生支撑监测、防护和溯源等安全功能的能力。内禀安全能力对网络安全具有基础支撑作用，本身不是最终的安全功能实现，与现有的“内生安全”“内设安全”等方法论所针对的问题不同。内禀安全强调网络组件内在的安全赋能禀赋，有两种方式可以发掘这种禀赋，一是通过先天安全能力激活，二是外嵌能力内化，对外在逻辑上表现出自体免疫。此类组件的优势之一在于业务与安全的内聚，能够透明化感知安全态势、定制化配置安全策略、贴身化执行安全保护；优势之二在于将业务功能与安全功能进行合并封装，简化整体工程架构，降低网络管理复杂度。进一步提出了内禀安全支撑能力框架，对符合内禀安全理念的安全能力进行归纳和枚举，将安全支撑能力分为采集、认知、执行、协同和弹复5类，并进一步介绍各类能力的子类型和基础ICT技术。基于该框架，介绍了典型安全业务场景在内禀安全理念下的增强实现。

关键词: 内禀安全, 网络安全框架, 内生安全, 安全能力

Abstract:

At present, the mainstream cyber security systems are laid out in an alienated style, where security functions are separated from business processes, and security products are isolated from each other.It is difficult to effectively cope with increasingly complicated cyber threats in this architecture.Therefore, it is imperative to move security inward for more resilient and secure network infrastructures.Business scenarios of the cybersecurity sector can be categorized into four perspectives: organization, vendor, regulatory and threat, each of which has different business objectives.Starting from the commonness and individuality of the four perspectives, the needs of this sector was systematically summarized and then the goal of building an extensible cybersecurity capability ecosystem was recognized.As the key to this goal, the intrinsic assurance methodology was proposed.Intrinsic assurance capabilities referred to the abilities of ICT components to natively support security functions such as monitoring, protection and traceability.But intrinsic assurance is not the ultimate security implementation itself, which is a key difference from the existing “endogenous security” or “designed-in security” methodologies.Intrinsic assurance emphasizes the inherent security enabling endowment of network components, whether by activating an innate gift or by encapsulating a given one, both of which logically exhibit autoimmunity from an external viewpoint.One advantage of such a component is the cohesion of business and security, which leads to transparent security posture awareness, customized security policies, and close-fitting security protection.It also simplifies the overall engineering architecture and reduces management complexity through encapsulation of multiple functions into a singleton.Additionally, the Intrinsic Assurance Support Capability Framework was put forward, which summarized and enumerated the security capabilities that conformed to the intrinsic assurance concept.This framework classified the security capabilities into five categories, namely collection, cognition, execution, syndication and resilience respectively, together with their sub-types and underlying ICT technologies.Based on this framework, the enhanced implementations of typical security business scenarios was further introduced in light of intrinsic assurance.

Key words: intrinsic assurance, cybersecurity framework, endogenous security, security capabilities

中图分类号:

TP309.1

陈训逊, 李明哲, 吕宁, 黄亮. 内禀安全：网络安全能力体系化构建方法[J]. 网络与信息安全学报, 2023, 9(1): 92-102.

Xunxun CHEN, Mingzhe LI, Ning LYU, Liang HUANG. Intrinsic assurance: a systematic approach towards extensible cybersecurity[J]. Chinese Journal of Network and Information Security, 2023, 9(1): 92-102.

图/表 4

参考文献 26

[1]	2020年我国互联网网络安全态势综述[R]. 国家互联网应急中心, 2021.
	2020 CNCERT cybersecurity analysis[R]. CNCERT, 2021.
[2]	BECK E A . How zero-trust network security can enable recovery from cyberattacks[J]. ISACA Journal, 2014,6: 14-18.
[3]	张焕国, 罗捷, 金刚 ,等. 可信计算研究进展[J]. 武汉大学学报:理学版, 2006,52(5): 513-518.
	ZHANG H G , LUO J , JIN G ,et al. Development of trusted computing research[J]. Journal of Wuhan University:Science Edition, 2006,52(5): 513-518.
[4]	沈昌祥, 张焕国, 王怀民 ,等. 可信计算的研究与发展[J]. 中国科学:信息科学, 2010,40(2): 139-166.
	SHEN C X , ZHANG H G , WANG H M ,et al. Research and development of trusted computing[J]. Chinese Science:Information Science, 2010,40(2): 139-166.
[5]	CHIANG C , GOTTLIEB Y M , SUGRIM S J ,et al. ACyDS:An adaptive cyber deception system[C]// Military Communications Conference. IEEE, 2016: 800-805.
[6]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10.
[7]	邬江兴 . 网络空间拟态安全防御[J]. 保密科学技术, 2014,(10): 4-9.
	WU J X . Cyberspace mimic security defense[J]. Confidential Science and Technology, 2014,(10): 4-9.
[8]	齐向东 . 面向新基建,用内生安全框架支撑网络安全体系建设[J]. 中国科技产业, 2020(8): 4.
	QI X D . For new infrastructure construction,support the con-struction of network security system with endogenous security framework[J]. China Science and Technology Industry, 2020(8): 4.
[9]	DOUGHERTY C , SAYRE K , SEACORD R C ,et al. Secure design patterns[R]. Togashi,Kazuya:JPCERT/CC, 2009.
[10]	Lipner S , . The trustworthy computing security development lifecycle[C]// 20th Annual Computer Security Applications Conference. IEEE, 2004: 2-13.
[11]	SIMOIU C . Secure by default:a behavioral approach to cyber security[D]. Stanford University, 2020.
[12]	HAIDER A , MATTEO C . On intrinsic safety of soft robots[J]. Frontiers in Robotics and AI, 2017,4.
[13]	KALOROUMAKIS P E , SMITH M J . Toward a knowledge graph of cybersecurity countermeasures[R]. 2021.
[14]	Mitre. ENGAGE[EB].
[15]	BARRETT M P . Framework for improving critical infrastructure cybersecurity[R]. Gaithersburg,MD,USA:National Institute of Standards and Technology, 2018.
[16]	Joint Task Force Transformation Initiative Interagency Working Group. NIST special publication 800-53 revision 4-security and privacy controls for federal information systems and organizations[R]. Gaithersburg,MD,USA:National Institute of Standards and Technology, 2013.
[17]	李兴国, 费玲玲 . 基于 Netflow 的流量分析技术研究[J]. 微计算机信息, 2008,24(15): 198-200.
	LI X G , FEI L L . The research of netflow-based flow analyzing technology[J]. Microcomputer Information, 2008,24(15): 198-200.
[18]	施巍松, 张星洲, 王一帆 ,等. 边缘计算:现状与展望[J]. 计算机研究与发展, 2019,56(1): 69-89.
	SHI W S , ZHANG X Z , WANG Y F ,et al. Edge computing:state-of-the-art and future directions[J]. Journal of Computer Research and Development, 2019,56(1): 69-89.
[19]	KAIBJIAN J , . Enhancing security in telemetry post-processing environments with continuous diagnostics and mitigation (CDM)[C]// France:EDP Sciences, 2014.
[20]	KIRKPATRICK K . Software-defined networking[J]. Communications of the ACM, 2013,56(9): 16-19.
[21]	CISAR P , CISAR S M . The framework of runtime application self-protection technology[C]. 2016 IEEE 17th International Symposium on Computational Intelligence and Informatics (CINTI). IEEE, 2016: 81-86.
[22]	EVANS I , FINGERET S , GONZALEZ J ,et al. Missing the point(er):on the effectiveness of code pointer integrity[C]// IEEE Symposium on Security and Privacy. IEEE, 2015.
[23]	GAO Y , ZHOU A , LIU L . Data-execution prevention technology in windows system[J]. Information Security ＆ Communications Privacy, 2013.
[24]	GRAS B , RAZAVI K , BOSMAN E ,et al. ASLR on the line:practical cache attacks on the MMU[C]. NDSS. 2017,17:26.
[25]	SINHA K , KEMERLIS V P , SETHUMADHAVAN S . Reviving instruction set randomization[C]. 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE, 2017: 21-28.
[26]	赵帆, 罗向阳, 刘粉林 . 网络空间测绘技术研究[J]. 网络与信息安全学报, 2016,2(9): 1-11.
	SHEN C X , ZHANG H G , WANG H M ,et al. Research on cyberspace surveying and mapping technology[J]. Chinese Journal of Network and Information Security, 2016,2(9): 1-11.

内禀安全：网络安全能力体系化构建方法

Intrinsic assurance: a systematic approach towards extensible cybersecurity

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 4

参考文献 26

相关文章 2

Metrics

推荐阅读 0

[1]	刘科显, 关建峰, 张婉澂, 何志凯, 闫迪嘉. 基于时隙的多重冗余流指纹模型[J]. 网络与信息安全学报, 2023, 9(1): 115-129.
[2]	胡爱群, 方兰婷, 李涛. 基于仿生机理的内生安全防御体系研究[J]. 网络与信息安全学报, 2021, 7(1): 11-19.