Xia Chunhe, Wei Yudi, Li Xiaojian, Wang Haiquan, He Wei. A Computer Network Defense Policy Specification Language[J]. Journal of Computer Research and Development, 2009, 46(1): 89-99.

A Computer Network Defense Policy Specification Language

  • Published Date: January 14, 2009
  • Policy is an essential part of computer network defense and gives important direction to the deployment, implementation, configuration and effects of defense systems. At present, models and specifications for access control policy work well; however, they cannot be directly applied to the whole defense policy area. In this paper, a new computer network defense policy specification language called CNDPSL is proposed to provide a common method of specifying protection, detection and response policies according to a newly defined model called CNDPM, which is put forward by extending Or-BAC (organization based access control model). In CNDPM, an automatic assignment mechanism is introduced to improve efficiency, and derivation principles are presented to refine abstract policies into concrete rules. Moreover, the completeness, validity and consistency of policy are formally analyzed and demonstrated. CNDPSL is declarative and able to abstract the defense control behaviors of a network, which makes the language flexible, extensible and adaptable to network defense requirements. Finally, a policy engine is implemented. Detailed experiments on the GTNetS platform indicate that CNDPSL can be refined automatically into concrete technical rules, such as ACLs (access control lists) in firewalls, IDS detection rules and response rules, and obtains the defense effects it expresses. These results prove its effectiveness and efficiency.
