Abstract:
Policy is an essential part of computer network defense, which has important directive to the deployment, implementation, configuration and effects of defense systems. Presently, models and specifications on access control policy work well. However, they can not be directly applied to the whole defense policy area. In this paper, a new computer network defense policy specification language called CNDPSL is proposed to provide a common method of specifying protection, detection and response policies according to a new defined model called CNDPM, which is put forward by extending Or-BAC (organization based access control model). In CNDPM, automatic assignment mechanism is introduced to improve efficiency, and derivative principles are presented to refine abstract policies to concrete rules. Moreover, completeness, validity and consistency of policy are also formally analyzed and demonstrated. CNDPSL is declarative and able to abstract defense control behaviors of network, which makes this language flexible, extensible and adaptable to network defense requirements. Finally, a policy engine is implemented. Detailed experiments in GTNetS platform indicate that CNDSPL can be refined to concrete technical rules automatically, such as ACL (access control list) in firewall, IDS detection rules, response rules, etc, and obtain defense effects it expresses. The above information proves its effectiveness and efficiency.