Computer Science (计算机科学) ›› 2020, Vol. 47 ›› Issue (5): 306-312. doi: 10.11896/jsjkx.190500038

• Information Security •

  • Corresponding author: PAN Zhi-song (hotpzs@hotmail.com)
  • About author: baiwei_lgdx@126.com

Network Security Configuration Generation Framework Based on Genetic Algorithm Optimization

BAI Wei (1), PAN Zhi-song (1), XIA Shi-ming (1), CHENG Ang-xuan (2)

  1. Command & Control Engineering College, Army Engineering University of PLA, Nanjing 210014, China
  2. Unit 93117, PLA, Nanjing 210018, China
  • Received: 2019-05-07  Online: 2020-05-15  Published: 2020-05-19
  • About author: BAI Wei, born in 1983, Ph.D, lecturer. His main research interests include network security, security policy and security management.
    PAN Zhi-song, born in 1973, Ph.D, professor, Ph.D supervisor. His main research interests include artificial intelligence and network security.
  • Supported by: This work was supported by the National Key Research Development Program of China (2017YFB0802800).



Abstract: Configuring network security equipment reasonably and enforcing access control on information systems is an important task in network security management. As network size grows, complex inter-dependent relationships arise among user privileges. Traditionally, access control lists are generated manually according to business requirements under the principle of least privilege, and these inter-dependent relationships are neglected. Network users may therefore be granted more privileges than they need, which can introduce security vulnerabilities into the network. In this paper, a security configuration generation framework based on genetic algorithm optimization is proposed. Firstly, the framework extracts user privilege information and network semantic information from the network planning information and configuration information, and a network security risk assessment model is used to assess the network risk under different security configurations. Then, all possible access control configurations are encoded as genes, and an initial population is generated based on the pre-determined genetic operators and hyperparameters. Finally, the genetic algorithm selects better individuals and generates offspring from them. The framework can not only compare the network security risks under different security configurations, but also search for the optimal security configuration within the possible configuration space, thus realizing the automatic generation of access control policies for network security devices. The framework is validated by constructing a simulated network environment with 20 devices and 30 services. In this simulation environment, the framework finds a better security configuration in no more than 10 generations of iteration with a population of 150 samples. Experimental data show that the framework can automatically generate reasonable network security configurations according to network security requirements.

Key words: Network security, Security strategy, Multi-domain configuration, Genetic algorithm, User privilege
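As an added illustration (not the paper's code or data), the following Python sketch reproduces the three steps of the abstract on a constructed toy network: access-control configurations are encoded as bit-vector genes, an assumed risk model scores each configuration by unmet business requirements and by the over-authorization reachable through privilege dependencies, and an elitist genetic algorithm searches the configuration space with the abstract's population size of 150 and at most 10 generations. All users, services, dependencies and weights are constructed assumptions; the paper's own risk model is not on this page.

```python
import random

# Constructed toy network (an assumption, not the paper's 20-device data set):
# 3 users, 6 services. REQUIRED holds the (user, service) pairs the business
# needs; DEPENDS says holding service a transitively yields service b, the
# privilege dependency that manual least-privilege assignment overlooks.
USERS, SERVICES = 3, 6
REQUIRED = {(0, 0), (0, 1), (1, 2), (2, 3)}
DEPENDS = {0: {4}, 2: {5}, 4: {5}}
RISK_WEIGHT = {0: 1, 1: 1, 2: 2, 3: 1, 4: 3, 5: 5}  # assumed asset weights

def effective_privileges(genome):
    """Gene u*SERVICES+s is 1 when user u is granted service s; return the
    closure of the granted pairs under DEPENDS (what users can really reach)."""
    eff = set()
    for u in range(USERS):
        stack = [s for s in range(SERVICES) if genome[u * SERVICES + s]]
        while stack:
            s = stack.pop()
            if (u, s) not in eff:
                eff.add((u, s))
                stack.extend(DEPENDS.get(s, ()))
    return eff

def risk(genome):
    """Assumed risk model (lower is better): 100 per unmet requirement plus
    the weight of every effective privilege the business does not require."""
    eff = effective_privileges(genome)
    unmet = len(REQUIRED - eff)
    over = sum(RISK_WEIGHT[s] for (u, s) in eff if (u, s) not in REQUIRED)
    return 100 * unmet + over

def evolve(pop_size=150, generations=10, mutation=0.05, seed=1):
    """Elitist GA: truncation selection, one-point crossover, bit-flip mutation."""
    rng = random.Random(seed)
    n = USERS * SERVICES
    pop = [[rng.randint(0, 1) for _ in range(n)] for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=risk)
        elite = pop[: pop_size // 5]  # best fifth survives unchanged
        children = []
        while len(elite) + len(children) < pop_size:
            a, b = rng.sample(elite, 2)
            cut = rng.randrange(1, n)
            child = a[:cut] + b[cut:]
            children.append([g ^ int(rng.random() < mutation) for g in child])
        pop = elite + children
    return min(pop, key=risk)
```

Because grants propagate through DEPENDS, the least-risk feasible configuration here still carries a risk of 13 (three unavoidable derived privileges), which is the over-authorization the paper's risk assessment is meant to expose.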

CLC number:

  • TP309