摘要
定义了一种计算机网络防御策略描述语言CNDPSL(computer network defense policy specificationlanguage).该语言面向CNDPM模型,能够统一描述保护、检测和响应策略.在CNDPM模型中,给出了抽象策略细化为具体规则的推导原理,并以形式化的方法分析并验证了策略的完备性、一致性和有效性.CNDPSL是一种声明式语言,抽象了网络防御控制的行为,对网络防御需求具有较好的灵活性、可扩展性和适应性.最后给出了策略引擎的原型及其实现.在GTNetS仿真平台中的实验表明,该语言能够自动地转化为具体的技术规则并实现其表达的防御效能.
Policy is an essential part of computer network defense, which has important directive to the deployment, implementation, configuration and effects of defense systems. Presently, models and specifications on access control policy work well. However, they can not be directly applied to the whole defense policy area. In this paper, a new computer network defense policy specification language called CNDPSL is proposed to provide a common method of specifying protection, detection and response policies according to a new defined model called CNDPM, which is put forward by extending Or-BAC (organization based access control model). In CNDPM, automatic assignment mechanism is introduced to improve efficiency, and derivative principles are presented to refine abstract policies to concrete rules. Moreover, completeness, validity and consistency of policy are also formally analyzed and demonstrated. CNDPSL is declarative and able to abstract defense control behaviors of network, which makes this language flexible, extensible and adaptable to network defense requirements. Finally, a policy engine is implemented. Detailed experiments in GTNetS platform indicate that CNDSPL can be refined to concrete technical rules automatically, such as ACL (access control list) in firewall, IDS detection rules, response rules,etc, and obtain defense effects it expresses. The above information proves its effectiveness and efficiency.
出处
《计算机研究与发展》
EI
CSCD
北大核心
2009年第1期89-99,共11页
Journal of Computer Research and Development
基金
北京市教育委员会共建项目建设计划基金项目(JD100060630)
国家"八六三"高技术研究发展计划基金项目(2007AA01Z407)~~
