Network Security Configuration Generation Framework Based on Genetic Algorithm Optimization (cited by 3)
Abstract: It is an important task in network security management to configure network security equipment reasonably and enforce the necessary access controls on information systems. As networks grow, complex inter-dependent relationships form among user privileges. Traditionally, access control policies are generated manually according to business requirements under the principle of least privilege, which neglects these inter-dependencies. As a result, users may be granted more privileges than they need, which introduces security risks into the network. To address this problem, a security configuration generation framework based on genetic algorithm optimization is proposed. Firstly, based on the network planning information and configuration information, the framework determines the possible user privileges, extracts the basic network semantics and builds a network security risk assessment model that evaluates the risk of different security configurations. Then, all possible security configurations in the network are encoded as genes, the genetic operators and algorithm parameters are determined, and an initial population is generated. Finally, the genetic algorithm automatically selects better individuals to generate offspring. The framework can not only compare the network security risk under different security configurations, but also search the possible configuration space for the optimal security configuration, thus realizing the automatic generation of access control policies for network security devices. The framework is validated by constructing a simulated network environment with 20 devices and 30 services. In this simulation environment, the framework finds a better security configuration within no more than 10 generations with a population of 150. The experimental results show that the framework can automatically generate reasonable network security configurations according to the security requirements of the network.
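To illustrate the encode-evaluate-evolve loop the abstract describes, here is an added toy Python genetic algorithm; it is not the authors' code or data. Each gene is one user-to-service grant, and the fitness is a constructed risk score that penalizes grants beyond what a user needs once service dependencies are expanded (the over-authorization the abstract warns about) and penalizes missing required access more heavily; the network, dependencies, risk weights and GA settings are all assumptions.

```python
import random

# Constructed toy network (assumption, not the paper's 20-device/30-service data).
USERS = ["web", "app", "db_admin", "auditor"]
SERVICES = ["http", "app_api", "db", "ssh", "log"]
# Business requirement per user (assumption): the services each must reach.
REQUIRED = {"web": {"http"}, "app": {"app_api"}, "db_admin": {"db"}, "auditor": {"log"}}
# Service dependencies (assumption): using a service also needs the listed ones.
DEPENDS = {"http": {"app_api"}, "app_api": {"db"}, "db": set(), "ssh": set(), "log": set()}
# Risk weight of granting a service to a user that does not need it (assumption).
RISK = {"http": 1, "app_api": 2, "db": 4, "ssh": 5, "log": 1}

def closure(services):
    """Expand a set of services with everything they transitively depend on."""
    todo, seen = list(services), set()
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(DEPENDS[s])
    return seen

NEEDED = {u: closure(REQUIRED[u]) for u in USERS}  # minimal grants incl. dependencies

def risk(genome):
    """Fitness (lower is better): over-privilege risk plus penalty for missing needs."""
    score = 0
    for i, u in enumerate(USERS):
        for j, s in enumerate(SERVICES):
            granted = genome[i * len(SERVICES) + j]
            if granted and s not in NEEDED[u]:
                score += RISK[s]  # over-authorized grant
            elif not granted and s in NEEDED[u]:
                score += 10  # required access missing
    return score

def evolve(pop_size=150, generations=10, seed=1):
    # Returns the best genome and the best risk seen at the start of each generation.
    rng = random.Random(seed)
    n = len(USERS) * len(SERVICES)
    pop = [[rng.randint(0, 1) for _ in range(n)] for _ in range(pop_size)]
    history = []
    for _ in range(generations):
        pop.sort(key=risk)
        history.append(risk(pop[0]))
        elite = pop[: pop_size // 5]  # selection: keep the fittest 20% unchanged
        children = []
        while len(elite) + len(children) < pop_size:
            a, b = rng.sample(elite, 2)
            cut = rng.randrange(1, n)
            child = a[:cut] + b[cut:]  # one-point crossover
            if rng.random() < 0.1:
                child[rng.randrange(n)] ^= 1  # mutation
            children.append(child)
        pop = elite + children
    return min(pop, key=risk), history
```

Because the elite is carried over unchanged, the best risk in `history` never increases from one generation to the next; the genome that scores 0 is exactly the dependency-expanded least-privilege configuration.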
Authors: 白玮 潘志松 夏士明 成昂轩 (BAI Wei; PAN Zhi-song; XIA Shi-ming; CHENG Ang-xuan), Command & Control Engineering College, Army Engineering University of PLA, Nanjing 210014, China; Unit 93117, PLA, Nanjing 210018, China
Source: Computer Science (《计算机科学》), CSCD, Peking University core journal, 2020, No. 5, pp. 306-312 (7 pages)
Funding: National Key R&D Program of China (2017YFB0802800).
Keywords: Network security; Security strategy; Multi-domain configuration; Genetic algorithm; User privilege