高级检索

    计算机网络防御策略描述语言研究

    A Computer Network Defense Policy Specification Language

    • 摘要: 定义了一种计算机网络防御策略描述语言CNDPSL(computer network defense policy specification language).该语言面向CNDPM模型,能够统一描述保护、检测和响应策略.在CNDPM模型中,给出了抽象策略细化为具体规则的推导原理,并以形式化的方法分析并验证了策略的完备性、一致性和有效性.CNDPSL是一种声明式语言,抽象了网络防御控制的行为,对网络防御需求具有较好的灵活性、可扩展性和适应性.最后给出了策略引擎的原型及其实现.在GTNetS仿真平台中的实验表明,该语言能够自动地转化为具体的技术规则并实现其表达的防御效能.

       

      Abstract: Policy is an essential part of computer network defense, which has important directive to the deployment, implementation, configuration and effects of defense systems. Presently, models and specifications on access control policy work well. However, they can not be directly applied to the whole defense policy area. In this paper, a new computer network defense policy specification language called CNDPSL is proposed to provide a common method of specifying protection, detection and response policies according to a new defined model called CNDPM, which is put forward by extending Or-BAC (organization based access control model). In CNDPM, automatic assignment mechanism is introduced to improve efficiency, and derivative principles are presented to refine abstract policies to concrete rules. Moreover, completeness, validity and consistency of policy are also formally analyzed and demonstrated. CNDPSL is declarative and able to abstract defense control behaviors of network, which makes this language flexible, extensible and adaptable to network defense requirements. Finally, a policy engine is implemented. Detailed experiments in GTNetS platform indicate that CNDSPL can be refined to concrete technical rules automatically, such as ACL (access control list) in firewall, IDS detection rules, response rules, etc, and obtain defense effects it expresses. The above information proves its effectiveness and efficiency.

       

    /

    返回文章
    返回