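1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049
3. China Information Technology Security Evaluation Center, Beijing 100085
4. Beijing Leadsec Technology Co., Ltd., Beijing 100085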
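Yunchuan GUO (1977- ), male, born in Yingshan, Sichuan, Ph.D., associate research fellow and doctoral supervisor at the Chinese Academy of Sciences. His main research interests are access control and formal methods.
Ling LI (1993- ), female, born in Liuyang, Hunan, master's student at the Chinese Academy of Sciences. Her main research interest is security policy management.
Yongjun LI (1992- ), male, born in Lishui, Zhejiang, Ph.D. candidate at the Chinese Academy of Sciences. His main research interests are intrusion response, security assessment and access control.
Lin CHENG (1983- ), male, born in Xingtai, Hebei, Ph.D., assistant research fellow at the China Information Technology Security Evaluation Center. His main research interests are cloud computing security and big data security.
Jun DU (1982- ), male, born in Ningqiang, Shaanxi, assistant president of Beijing Leadsec Technology Co., Ltd. His main research interests are network security, cloud computing and industrial control security.
Lingcui ZHANG (1986- ), female, born in Gucheng, Hebei, Ph.D. candidate at the Chinese Academy of Sciences. Her main research interests are network security and information protection.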
Online publication date: 2019-12
Print publication date: 2019-12-25
Yunchuan GUO, Ling LI, Yongjun LI, et al. Policy translation and configuration using dynamic template[J]. Journal on Communications, 2019, 40(12): 138-148. DOI: 10.11959/j.issn.1000-436x.2019236.
In large systems, the diversity of configuration modes across a large number of devices makes manual configuration of security devices complex, cumbersome, error-prone and inefficient. To solve this problem, a dynamic template-based method for translating and configuring policies was designed. An encoding-based policy translation template was constructed which, exploiting the fact that encodings are simple, general and easy to compute, guides the conversion of normalized policies into device-specific configuration command lines, and a keyword comparison method was used to ensure the accuracy of policy configuration. Experimental analysis shows that the proposed policy translation and configuration method has strong scalability and high accuracy.