内禀安全：网络安全能力体系化构建方法

doi:10.11959/j.issn.2096-109x.2023010

Abstract

Abstract:

At present, the mainstream cyber security systems are laid out in an alienated style, where security functions are separated from business processes, and security products are isolated from each other.It is difficult to effectively cope with increasingly complicated cyber threats in this architecture.Therefore, it is imperative to move security inward for more resilient and secure network infrastructures.Business scenarios of the cybersecurity sector can be categorized into four perspectives: organization, vendor, regulatory and threat, each of which has different business objectives.Starting from the commonness and individuality of the four perspectives, the needs of this sector was systematically summarized and then the goal of building an extensible cybersecurity capability ecosystem was recognized.As the key to this goal, the intrinsic assurance methodology was proposed.Intrinsic assurance capabilities referred to the abilities of ICT components to natively support security functions such as monitoring, protection and traceability.But intrinsic assurance is not the ultimate security implementation itself, which is a key difference from the existing “endogenous security” or “designed-in security” methodologies.Intrinsic assurance emphasizes the inherent security enabling endowment of network components, whether by activating an innate gift or by encapsulating a given one, both of which logically exhibit autoimmunity from an external viewpoint.One advantage of such a component is the cohesion of business and security, which leads to transparent security posture awareness, customized security policies, and close-fitting security protection.It also simplifies the overall engineering architecture and reduces management complexity through encapsulation of multiple functions into a singleton.Additionally, the Intrinsic Assurance Support Capability Framework was put forward, which summarized and enumerated the security capabilities that conformed to the intrinsic assurance concept.This framework classified the security capabilities into five categories, namely collection, cognition, execution, syndication and resilience respectively, together with their sub-types and underlying ICT technologies.Based on this framework, the enhanced implementations of typical security business scenarios was further introduced in light of intrinsic assurance.

Key words: intrinsic assurance, cybersecurity framework, endogenous security, security capabilities

CLC Number:

TP309.1

Xunxun CHEN, Mingzhe LI, Ning LYU, Liang HUANG. Intrinsic assurance: a systematic approach towards extensible cybersecurity[J]. Chinese Journal of Network and Information Security, 2023, 9(1): 92-102.

Figures/Tables 4

References 26

[1]	2020年我国互联网网络安全态势综述[R]. 国家互联网应急中心, 2021.
	2020 CNCERT cybersecurity analysis[R]. CNCERT, 2021.
[2]	BECK E A . How zero-trust network security can enable recovery from cyberattacks[J]. ISACA Journal, 2014,6: 14-18.
[3]	张焕国, 罗捷, 金刚 ,等. 可信计算研究进展[J]. 武汉大学学报:理学版, 2006,52(5): 513-518.
	ZHANG H G , LUO J , JIN G ,et al. Development of trusted computing research[J]. Journal of Wuhan University:Science Edition, 2006,52(5): 513-518.
[4]	沈昌祥, 张焕国, 王怀民 ,等. 可信计算的研究与发展[J]. 中国科学:信息科学, 2010,40(2): 139-166.
	SHEN C X , ZHANG H G , WANG H M ,et al. Research and development of trusted computing[J]. Chinese Science:Information Science, 2010,40(2): 139-166.
[5]	CHIANG C , GOTTLIEB Y M , SUGRIM S J ,et al. ACyDS:An adaptive cyber deception system[C]// Military Communications Conference. IEEE, 2016: 800-805.
[6]	邬江兴 . 网络空间拟态防御研究[J]. 信息安全学报, 2016,1(4): 1-10.
	WU J X . Research on cyber mimic defense[J]. Journal of Cyber Security, 2016,1(4): 1-10.
[7]	邬江兴 . 网络空间拟态安全防御[J]. 保密科学技术, 2014,(10): 4-9.
	WU J X . Cyberspace mimic security defense[J]. Confidential Science and Technology, 2014,(10): 4-9.
[8]	齐向东 . 面向新基建,用内生安全框架支撑网络安全体系建设[J]. 中国科技产业, 2020(8): 4.
	QI X D . For new infrastructure construction,support the con-struction of network security system with endogenous security framework[J]. China Science and Technology Industry, 2020(8): 4.
[9]	DOUGHERTY C , SAYRE K , SEACORD R C ,et al. Secure design patterns[R]. Togashi,Kazuya:JPCERT/CC, 2009.
[10]	Lipner S , . The trustworthy computing security development lifecycle[C]// 20th Annual Computer Security Applications Conference. IEEE, 2004: 2-13.
[11]	SIMOIU C . Secure by default:a behavioral approach to cyber security[D]. Stanford University, 2020.
[12]	HAIDER A , MATTEO C . On intrinsic safety of soft robots[J]. Frontiers in Robotics and AI, 2017,4.
[13]	KALOROUMAKIS P E , SMITH M J . Toward a knowledge graph of cybersecurity countermeasures[R]. 2021.
[14]	Mitre. ENGAGE[EB].
[15]	BARRETT M P . Framework for improving critical infrastructure cybersecurity[R]. Gaithersburg,MD,USA:National Institute of Standards and Technology, 2018.
[16]	Joint Task Force Transformation Initiative Interagency Working Group. NIST special publication 800-53 revision 4-security and privacy controls for federal information systems and organizations[R]. Gaithersburg,MD,USA:National Institute of Standards and Technology, 2013.
[17]	李兴国, 费玲玲 . 基于 Netflow 的流量分析技术研究[J]. 微计算机信息, 2008,24(15): 198-200.
	LI X G , FEI L L . The research of netflow-based flow analyzing technology[J]. Microcomputer Information, 2008,24(15): 198-200.
[18]	施巍松, 张星洲, 王一帆 ,等. 边缘计算:现状与展望[J]. 计算机研究与发展, 2019,56(1): 69-89.
	SHI W S , ZHANG X Z , WANG Y F ,et al. Edge computing:state-of-the-art and future directions[J]. Journal of Computer Research and Development, 2019,56(1): 69-89.
[19]	KAIBJIAN J , . Enhancing security in telemetry post-processing environments with continuous diagnostics and mitigation (CDM)[C]// France:EDP Sciences, 2014.
[20]	KIRKPATRICK K . Software-defined networking[J]. Communications of the ACM, 2013,56(9): 16-19.
[21]	CISAR P , CISAR S M . The framework of runtime application self-protection technology[C]. 2016 IEEE 17th International Symposium on Computational Intelligence and Informatics (CINTI). IEEE, 2016: 81-86.
[22]	EVANS I , FINGERET S , GONZALEZ J ,et al. Missing the point(er):on the effectiveness of code pointer integrity[C]// IEEE Symposium on Security and Privacy. IEEE, 2015.
[23]	GAO Y , ZHOU A , LIU L . Data-execution prevention technology in windows system[J]. Information Security ＆ Communications Privacy, 2013.
[24]	GRAS B , RAZAVI K , BOSMAN E ,et al. ASLR on the line:practical cache attacks on the MMU[C]. NDSS. 2017,17:26.
[25]	SINHA K , KEMERLIS V P , SETHUMADHAVAN S . Reviving instruction set randomization[C]. 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST). IEEE, 2017: 21-28.
[26]	赵帆, 罗向阳, 刘粉林 . 网络空间测绘技术研究[J]. 网络与信息安全学报, 2016,2(9): 1-11.
	SHEN C X , ZHANG H G , WANG H M ,et al. Research on cyberspace surveying and mapping technology[J]. Chinese Journal of Network and Information Security, 2016,2(9): 1-11.

Metrics

Recommended 0

No Suggested Reading articles found!

Intrinsic assurance: a systematic approach towards extensible cybersecurity

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 4

References 26

Related Articles 1

Metrics

Recommended 0