计算机科学 (Computer Science) ›› 2020, Vol. 47 ›› Issue (5): 306-312. doi: 10.11896/jsjkx.190500038
BAI Wei (白玮)¹, PAN Zhi-song (潘志松)¹, XIA Shi-ming (夏士明)¹, CHENG Ang-xuan (成昂轩)²
Abstract: Properly configuring network security devices to enforce the necessary access control over information systems is an important task in network security management. As networks keep growing, complex dependency relations form among the permissions of different users. The traditional manual approach to configuring network access control policies assigns permissions according to the actual needs of the business systems, following the principle of least privilege; this way of assigning permissions ignores the dependencies between them and easily produces over-authorization, which introduces security risks into the network. To address this problem, this paper proposes a framework for automatically generating security configurations based on a genetic algorithm. First, using network planning information and configuration information, the users' possible permissions are determined, the basic network semantics are extracted, and a corresponding network security risk assessment model is built, so that different security configurations can be evaluated for security. Then, all possible security configurations in the network are encoded appropriately, the genetic operators and algorithm parameters are determined, and an initial population is generated. Finally, the genetic algorithm automatically selects better individuals to produce offspring. By automatically comparing the network security risk under different security configurations and automatically searching the space of possible configurations for the optimal security configuration, the framework achieves automatic generation of access control policies for network security devices. The framework is validated on a simulated network environment with 20 devices and 30 services; in this environment, with a population size of 150, the framework finds a good security configuration in no more than 10 iterations. The experimental results show that the framework can automatically generate reasonable network security configurations according to the security requirements of the network.
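As an added illustration (not the paper's own code or model), the search loop the abstract describes, run on a constructed toy network: each candidate rule exposes a set of services, a dependency relation turns exposed services into further effective permissions, and the fitness function ranks configurations by unmet business requirements first and dependency-induced over-authorization risk second. The rule names, services, risk weights and dependency relation are assumptions for the demo.

```python
import random
from itertools import product

# Constructed toy network. The paper derives candidate permissions from planning
# and configuration data; these rules, services and weights are assumptions.
RULES = {                               # candidate rule -> services it exposes
    "lan->web:80": {"web"},
    "lan->dmz:any": {"web", "ssh-bastion", "report-api"},
    "lan->report:443": {"report-api"},
    "lan->db:3306": {"db"},
    "lan->admin:22": {"ssh-bastion"},
    "lan->mgmt:any": {"ssh-bastion", "snmp"},
}
DEPENDS = {"ssh-bastion": {"db", "snmp"}, "report-api": {"db"}}  # reaching A implies B
RISK = {"web": 1, "report-api": 1, "ssh-bastion": 8, "db": 5, "snmp": 3}
REQUIRED = {"web", "report-api"}        # what the business actually needs
RULE_NAMES = list(RULES)

def effective(genome):
    """Services reachable under a bitstring of enabled rules, closed under DEPENDS."""
    reach = set()
    for bit, name in zip(genome, RULE_NAMES):
        if bit:
            reach |= RULES[name]
    frontier = list(reach)
    while frontier:                      # transitive closure over dependencies
        for dep in DEPENDS.get(frontier.pop(), ()):
            if dep not in reach:
                reach.add(dep)
                frontier.append(dep)
    return reach

def fitness(genome):
    """Higher is better: unmet requirements dominate, then over-authorization risk."""
    eff = effective(genome)
    missing = len(REQUIRED - eff)
    over = sum(RISK[s] for s in eff - REQUIRED)
    return -100 * missing - over - 0.1 * sum(genome)   # small tie-break: fewer rules

def evolve(pop_size=30, generations=40, seed=1):
    """Generational GA: elitism, tournament selection, one-point crossover, bit-flip mutation."""
    rng, n = random.Random(seed), len(RULE_NAMES)
    pop = [[rng.randint(0, 1) for _ in range(n)] for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        nxt = pop[:2]
        while len(nxt) < pop_size:
            a, b = (max(rng.sample(pop, 3), key=fitness) for _ in range(2))
            cut = rng.randrange(1, n)
            nxt.append([g ^ (rng.random() < 1 / n) for g in a[:cut] + b[cut:]])
        pop = nxt
    return max(pop, key=fitness)

def brute_force_best():
    """Exhaustive optimum, used to check the GA on this small search space."""
    return max((list(g) for g in product((0, 1), repeat=len(RULE_NAMES))), key=fitness)
```

On this toy network the best configuration still exposes `db` through the `report-api` dependency, which is exactly the dependency-induced exposure the abstract says a naive least-privilege assignment does not account for.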