Computer Science (计算机科学) ›› 2020, Vol. 47 ›› Issue (5): 306-312. doi: 10.11896/jsjkx.190500038

• Information Security •

Genetic-algorithm-based Framework for the Automatic Generation of Network Security Configurations

白玮1, 潘志松1, 夏士明1, 成昂轩2   

  1 College of Command and Control Engineering, Army Engineering University of PLA, Nanjing 210014, China
  2 Unit 93117, PLA, Nanjing 210018, China
  • Received: 2019-05-07 Online: 2020-05-15 Published: 2020-05-19
  • Corresponding author: PAN Zhi-song (hotpzs@hotmail.com)
  • About author: baiwei_lgdx@126.com
  • Supported by:
    National Key Research and Development Program of China (2017YFB0802800)

Network Security Configuration Generation Framework Based on Genetic Algorithm Optimization

BAI Wei1, PAN Zhi-song1, XIA Shi-ming1, CHENG Ang-xuan2   

  1 Command and Control Engineering College, Army Engineering University of PLA, Nanjing 210014, China
  2 Unit 93117, PLA, Nanjing 210018, China
  • Received: 2019-05-07 Online: 2020-05-15 Published: 2020-05-19
  • About author: BAI Wei, born in 1983, Ph.D, lecturer. His main research interests include network security, security policy and security management.
    PAN Zhi-song, born in 1973, Ph.D, professor, Ph.D supervisor. His main research interests include artificial intelligence and network security.
  • Supported by:
    This work was supported by the National Key Research and Development Program of China (2017YFB0802800).

Abstract: Properly configuring network security devices so as to impose the necessary access control on information systems is an important task in network security management. As networks keep growing, complex dependency relationships form among the various user privileges. Traditional manual configuration of network access control policies allocates privileges mainly according to the actual requirements of the business systems and the principle of least privilege; this allocation ignores the dependencies among privileges, easily leads to over-authorization, and thereby introduces security risks into the network. To solve this problem, a genetic-algorithm-based framework for the automatic generation of security configurations is proposed. First, on the basis of the network planning information and configuration information, the possible privileges of users are determined, the basic network semantics are extracted, and a corresponding network security risk assessment model is built so that different security configurations can be assessed. Then, all possible security configurations of the network are encoded appropriately, the genetic operators and algorithm parameters are determined, and the initial population is generated. Finally, the genetic algorithm automatically selects better individuals to produce the offspring. By automatically comparing the network security risk under different security configurations and automatically searching the space of possible configurations for the optimal security configuration, the framework realizes the automatic generation of access control policies for network security devices. A simulated network environment with 20 devices and 30 services is constructed to validate the framework; in this environment, with a population size of 150, the framework finds a better security configuration within no more than 10 iterations. The experimental results fully show that the framework can automatically generate reasonable network security configurations according to the security requirements of the network.

Keywords: Security policy, Multi-domain configuration, Network security, Genetic algorithm, User privilege

Abstract: It is an important task in network security management to configure network security equipment reasonably and enforce access controls upon the information systems. With the increase of network size, there will be complex inter-dependent relationships among user privileges. Traditionally, access control lists are generated manually according to the business requirements under the principle of least privilege, where the inter-dependent relationships are neglected. Network users may therefore be granted more privileges than they need, which may introduce vulnerabilities into the network. In this paper, a security configuration generation framework based on genetic algorithm optimization is proposed. Firstly, the framework extracts the user privilege information and network semantic information from the network planning information and configuration information, and a network security risk assessment model is used to assess the network risk under different security configurations. Then, all possible access control configurations are encoded as genes, and an initial population is generated based on the pre-determined genetic operators and hyperparameters. Finally, a better individual is generated by the genetic algorithm. The framework can not only compare the network security risks under different security configurations, but also search for the optimal security configuration within the possible configuration space, thus realizing the automatic generation of access control strategies for network security devices. The framework is validated by constructing a simulated network environment with 20 devices and 30 services. In this simulation environment, the framework can find a better security configuration within no more than 10 generations of iteration with a population of 150 samples. Experimental data show that the framework can automatically generate reasonable network security configurations according to network security requirements.
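As an added illustration of the approach the abstract describes (not the paper's own code, risk model or network), the following Python encodes per-role allow rules as a bit-string genome, scores each configuration with an assumed risk function that penalizes unmet requirements, privileges reachable through dependencies beyond the requirement (over-authorization), and rule count, and searches the configuration space with a plain genetic algorithm. The two-role, six-service network, its dependency graph and the weights are constructed for the example.

```python
import random

# Constructed toy instance (not from the paper): 2 user roles, 6 services; REQUIRED[u] is
# what role u needs, DEPENDS[s] the services reachable once s is (privilege dependencies).
REQUIRED = [{0, 1}, {2, 3, 5}]
DEPENDS = {0: {1}, 1: set(), 2: {3}, 3: set(), 4: {5}, 5: {1}}
N_SERVICES, N_USERS = len(DEPENDS), len(REQUIRED)
GENOME_LEN = N_SERVICES * N_USERS  # one bit per (role, service) allow entry

def effective_privileges(direct):
    """Transitive closure of directly granted services over DEPENDS."""
    reach, stack = set(direct), list(direct)
    while stack:
        new = DEPENDS[stack.pop()] - reach
        reach |= new
        stack.extend(new)
    return reach

def risk(genome):
    """Assumed risk model to minimise: unmet requirement costs 10, each reachable
    service beyond the requirement (over-authorization) costs 2, each allow entry 1."""
    total = 0
    for u in range(N_USERS):
        direct = {s for s in range(N_SERVICES) if genome[u * N_SERVICES + s]}
        eff = effective_privileges(direct)
        total += 10 * len(REQUIRED[u] - eff) + 2 * len(eff - REQUIRED[u]) + len(direct)
    return total

def evolve(pop_size=80, generations=80, seed=1):
    """Plain GA: tournament selection, one-point crossover, bit-flip mutation, elitism."""
    rng = random.Random(seed)
    pop = [[rng.randint(0, 1) for _ in range(GENOME_LEN)] for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=risk)
        nxt = pop[:2]  # elitism: the two lowest-risk configurations survive unchanged
        while len(nxt) < pop_size:
            a, b = (min(rng.sample(pop, 3), key=risk) for _ in range(2))
            cut = rng.randrange(1, GENOME_LEN)
            child = a[:cut] + b[cut:]
            # flip each bit with probability 1/GENOME_LEN (int ^ bool stays 0/1)
            nxt.append([g ^ (rng.random() < 1 / GENOME_LEN) for g in child])
        pop = nxt
    return min(pop, key=risk)

def decode(genome):
    """Explicit allow rules per role, i.e. the generated ACL."""
    return {u: sorted(s for s in range(N_SERVICES) if genome[u * N_SERVICES + s]) for u in range(N_USERS)}

if __name__ == "__main__":
    print("generated ACL:", decode(evolve()))  # {0: [0], 1: [2, 5]} at risk 5
```

Role 0 is granted only service 0 because service 1 is already reachable through it, and role 1 gets services 2 and 5 rather than the cheaper-looking 2 and 4, since granting 4 would expose an extra service; the lone unavoidable over-authorization (service 1 via 5) is what the dependency-aware score makes visible.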

Key words: Genetic algorithm, Multi-domain configuration, Network security, Security strategy, User privilege

CLC number:

  • TP309