Research on Future Network Security Services Based on Web Resources
Posted: 2018-05-05 11:12
Topics: future network + security; Source: Beijing University of Posts and Telecommunications, 2014 PhD dissertation
[Abstract]: To address the many challenges facing today's networks, academia and industry have in recent years taken up research on future network technologies. This dissertation examines the following questions: how a future network can support service innovation at the architectural level, in particular service innovation with user participation; how to design a security service architecture for the future network so that security services themselves gain a continuous capacity for innovation and can quickly provide users with on-demand security services that meet dynamic business security requirements; and what the basic security services of the corresponding future network architecture are and how they are built.

The main contributions of the dissertation are as follows:

1. By surveying research on future network topics, the dissertation abstracts the architectural characteristics of the future network. Guided by those characteristics, it uses Web technology, the core technology that gives the Internet its strong capacity for service innovation, to design a future network architecture based on Web resources, in which both low-level and high-level network capabilities are abstracted and exposed as Web resources, and service innovation is improved through service recomposition and user-provided service components. Taking the Internet of Things as the application scenario, it demonstrates the advantages of the Web-resource-based future network architecture for data access and device management.

2. It analyses the challenges facing existing security services and current lines of research on future network security architecture, and proposes the concept of security service recomposition within the Web-resource-based future network architecture. With the evolution of the future network in mind, two security service architectures supporting security resource abstraction at different granularities are designed: the Virtualized Security Appliance (VSA) and Software Defined Security (SDS). The former abstracts and recomposes the resources of conventional security appliances; the latter decomposes the basic functions currently packaged inside individual security appliances, exposes them as atomic security services, and delivers on-demand security services through Web service composition. SDS helps lower the cost and raise the performance of security services by merging functions and computation and removing redundancy, and it couples security services more tightly to business services, giving more effective protection.

3. Taking the IoT application scenario as the example and a software-defined network as the network infrastructure, it proposes and designs a security and management controller together with the controller-centred mechanism for subscribing to, publishing and scheduling security resources, designs the static orchestration process for the main security services, and verifies the feasibility of the proposed architecture experimentally. The results have been handed to an industry partner, used in joint improvement of security products, and trialled in a cloud computing centre.

4. For orchestrating services with high security requirements in the future network, it proposes security services applied at the architecture design stage: by adjusting the logical topology of the composite service and selecting the component provider at each node, the composite service is made to satisfy the defence policy against supply-chain integrity attacks, thereby protecting critical assets. This sidesteps two earlier problems, that all security threats cannot be enumerated in theory and that components at every layer cannot be traversed in practice, lowers implementation cost, and gives a workable engineering method for the more general problem of building the most secure composite service possible when the components at each layer cannot be assured trustworthy. A supply-chain model supports the hierarchy of the service recomposition security model; an attack-graph-based integrity evaluation model and a provider trustworthiness algorithm supporting both subjective and objective parameters are built; and a method for computing a provider's objective trustworthiness from public vulnerability database information is designed. Both the integrity evaluation of a composite service architecture and the provider trustworthiness evaluation can be exposed as security services, in the form of resources, within the Web-resource-based future network architecture.

5. In the open business environment of the future network the accessing subject is often unknown, and attribute-based access control (ABAC) lacks a usable attribute service; to address this, an access control service that incorporates user information managed by a social network system (SNS) is proposed. Since service innovation with user participation means resources can be supplied by users, an ABAC model that uses the SNS for user attribute management is proposed; it supports user-defined fine-grained access control policies, detects policy conflicts, and is easy to implement. An implementation structure built on a role-based access control (RBAC) framework is proposed, implemented and applied on a campus student innovation platform, and an improved inference engine is proposed and tested by simulation. On the basis of a security analysis of the proposed model, and for business scenarios with higher security requirements, a feasible scheme is proposed for a service that evaluates the authenticity of SNS user attributes using a Web trust model.

The dissertation closes with a summary and with ideas and directions for further research.
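Contribution 4 above describes choosing a provider for each node of a composite service so that the composition satisfies a supply-chain integrity defence policy, scoring providers from public vulnerability data plus subjective parameters and evaluating integrity on an attack-graph basis. The following Python is an added illustration of that kind of selection step, not the dissertation's own model or code: the topology, candidate providers, vulnerability records, reputation values, trust formula, path-risk estimate and defence policy are all assumed for the example.

```python
from itertools import product
from math import prod

# Constructed sample data, not from the dissertation: per-provider vulnerability
# records as (CVSS base score, patched) pairs, standing in for a public
# vulnerability database, plus an assumed subjective reputation in [0, 1].
VULN_DB = {
    "alpha": [(9.8, True), (5.3, False)],
    "beta":  [(7.5, False), (8.1, False)],
    "gamma": [(4.3, True)],
}
REPUTATION = {"alpha": 0.8, "beta": 0.6, "gamma": 0.7}

# Assumed logical topology of the composite service: edges follow the data flow
# toward the critical asset ("store"); each node lists its candidate providers.
TOPOLOGY = {"ingest": ["parse"], "parse": ["policy"], "policy": ["store"], "store": []}
CANDIDATES = {
    "ingest": ["alpha", "beta"],
    "parse":  ["beta", "gamma"],
    "policy": ["alpha", "gamma"],
    "store":  ["alpha", "gamma"],
}


def objective_trust(vulns):
    """Assumed scoring: the CVSS mass of unpatched vulnerabilities pushes trust toward 0."""
    unpatched = sum(score / 10 for score, patched in vulns if not patched)
    return 1 / (1 + unpatched)


def provider_trust(name, weight=0.6):
    """Blend of the objective (vulnerability DB) and subjective (reputation) terms."""
    return weight * objective_trust(VULN_DB[name]) + (1 - weight) * REPUTATION[name]


def paths_to(asset, topology):
    """Every path from an entry node (no predecessors) to the critical asset."""
    has_pred = {dst for dsts in topology.values() for dst in dsts}
    paths = []

    def walk(node, path):
        if node == asset:
            paths.append(path)
            return
        for nxt in topology[node]:
            walk(nxt, path + [nxt])

    for entry in (n for n in topology if n not in has_pred):
        walk(entry, [entry])
    return paths


def path_risk(path, assignment):
    """Attack-graph style estimate: reaching the asset along this path means
    compromising every distinct provider on it, so one provider supplying
    several nodes hands the attacker all of them for a single compromise."""
    providers = {assignment[node] for node in path}
    return prod(1 - provider_trust(p) for p in sorted(providers))


def meets_policy(path, assignment, max_risk):
    """Assumed defence policy: at least two distinct providers on every path to
    the asset, and the path's compromise estimate stays within max_risk."""
    distinct = {assignment[node] for node in path}
    return len(distinct) > 1 and path_risk(path, assignment) <= max_risk


def select_providers(asset, max_risk=0.02):
    """Enumerate one provider per node and keep the policy-satisfying assignment
    with the lowest worst-path risk; None when no assignment meets the policy."""
    nodes = list(CANDIDATES)
    paths = paths_to(asset, TOPOLOGY)
    best = None
    for choice in product(*(CANDIDATES[n] for n in nodes)):
        assignment = dict(zip(nodes, choice))
        if not all(meets_policy(p, assignment, max_risk) for p in paths):
            continue
        worst = max(path_risk(p, assignment) for p in paths)
        if best is None or worst < best[0]:
            best = (worst, assignment)
    return best


if __name__ == "__main__":
    print(select_providers("store"))
    print(select_providers("store", max_risk=0.01))
```

With the sample data the lowest-risk assignment spreads the single path over all three providers, and tightening `max_risk` below what any assignment can reach returns `None`, which is the signal to change the topology or the candidate set rather than ship a composition that violates the policy.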
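Contribution 5 above describes an ABAC model whose subject attributes come from a social network system and whose user-defined policies are checked for conflicts. The following Python is an added illustration of that combination, not the dissertation's implementation (which the abstract says is built on an RBAC framework): the attribute set, the resource, the policy rules and the deny-overrides resolution are assumed for the example.

```python
from dataclasses import dataclass

# Constructed sample data, not from the dissertation: the attributes an SNS
# profile service would return for each subject. Anyone absent here is an
# unknown subject with no attributes.
SNS_ATTRIBUTES = {
    "alice": {"school": "BUPT", "group": "iot-lab", "verified": True},
    "bob":   {"school": "BUPT", "group": "guests",  "verified": False},
    "carol": {"school": "PKU",  "group": "iot-lab", "verified": True},
    "dave":  {"school": "BUPT", "group": "iot-lab", "verified": False},
}


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str             # "permit" or "deny"
    resource: str
    actions: frozenset      # actions the rule covers
    subject_match: dict     # attribute -> value the subject must carry


# Hypothetical rules written by the owner of the "sensor-feed" resource.
OWNER_POLICIES = [
    Policy("lab-read", "permit", "sensor-feed", frozenset({"read"}), {"group": "iot-lab"}),
    Policy("unverified-deny", "deny", "sensor-feed", frozenset({"read", "write"}), {"verified": False}),
    Policy("bupt-write", "permit", "sensor-feed", frozenset({"write"}), {"school": "BUPT", "verified": True}),
    Policy("other-school-deny", "deny", "sensor-feed", frozenset({"write"}), {"school": "PKU"}),
]


def matches(policy, subject_attrs, resource, action):
    """A rule applies when resource and action match and every attribute it names
    has the required value in the SNS-supplied attribute set."""
    return (policy.resource == resource
            and action in policy.actions
            and all(subject_attrs.get(k) == v for k, v in policy.subject_match.items()))


def find_conflicts(policies):
    """Static conflict check: two rules on the same resource with overlapping
    actions and opposite effects conflict when one subject can satisfy both
    attribute constraints (no attribute demanded with two different values)."""
    conflicts = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if a.effect == b.effect or a.resource != b.resource or not (a.actions & b.actions):
                continue
            shared = set(a.subject_match) & set(b.subject_match)
            if all(a.subject_match[k] == b.subject_match[k] for k in shared):
                conflicts.append((a.name, b.name))
    return conflicts


def decide(policies, subject, resource, action, attribute_source=SNS_ATTRIBUTES):
    """Request evaluation: attributes are fetched from the SNS source; unknown
    subjects and requests matching no rule are denied; when a conflicting
    permit/deny pair both fire, the deny wins (deny-overrides)."""
    subject_attrs = attribute_source.get(subject)
    if subject_attrs is None:
        return "deny"
    applicable = [p for p in policies if matches(p, subject_attrs, resource, action)]
    if not applicable or any(p.effect == "deny" for p in applicable):
        return "deny"
    return "permit"


if __name__ == "__main__":
    print(find_conflicts(OWNER_POLICIES))
    for who, act in [("alice", "write"), ("carol", "write"), ("dave", "read"), ("mallory", "read")]:
        print(who, act, decide(OWNER_POLICIES, who, "sensor-feed", act))
```

The static check flags `lab-read` against `unverified-deny`, because nothing stops a subject from being both in `iot-lab` and unverified; `dave` is exactly that subject, and the deny-overrides rule is what keeps the runtime decision deterministic until the owner rewrites the policies.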
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree]: PhD
[Year awarded]: 2014
[Classification number]: TP393.08
Page link: https://www.wllwen.com/guanlilunwen/gongyinglianguanli/1847473.html