
Research on Key Techniques for Security Label Binding in Multi-Level Security Networks

Published: 2018-02-11 13:18

Keywords: multi-level security network; security label; binding; Extensible Markup Language (XML); fine-grained; average of inter-packet delay; implicit flow labeling. Source: PLA Information Engineering University, 2014 master's thesis. Thesis type: degree thesis.


[Abstract]: Multi-level security is the theoretical foundation of classified (hierarchical) protection, and the core element of building a level-3 information system is mandatory access control based on security labels. As the key basis on which multi-level security is enforced, a security label must be bound to the object it protects in a secure and reliable way, and the label must be protected against forgery and tampering. In existing label binding techniques, however, binding labels to application-level data objects is hard because of the diversity of data structures, while network-level data flows require implicit binding and real-time flow control; both pose new challenges for research on security label binding. This thesis studies security label binding for application-level data objects and network-level data flows in multi-level security networks. The main contributions are:

1. To meet the label requirements of both application-level data objects and network-level data flows, an integrated security label framework for multi-level security networks is built that addresses label generation, verification, binding and inheritance. The framework formally describes the elements involved in label enforcement, such as basic elements, constraint rules and label functions; defines a label format that supports both mandatory access control policies and label-exception policies; passes security labels from the application level to the network level through label inheritance from data objects to data flows; and organises the framework into basic, label and function domains that work together, which improves the applicability and flexibility of labels.

2. To address the diverse structures of application-level data objects and the resulting lack of a uniform binding, a unified XML-based technique for binding security labels to multiple types of data objects is proposed. An XML conversion method based on logical multi-level partitioning of the object converts an object into a well-formed tree-structured XML document composed of data units at several levels, so that documents, images and other object types are converted consistently. On top of a defined label syntax and constraint rules, a traversal-based label binding algorithm and a pruning-based object-view generation algorithm are designed, giving uniform, fine-grained binding of security labels to data objects.

3. To address the security problems, such as targeted attacks, of existing explicit label binding methods for network-level data flows, an implicit method for binding security labels to data flows based on the average of inter-packet delay (AIPD) is proposed. First, Hamming-code error control is applied to the security label, which improves the accuracy of the binding scheme. Then the inter-packet delays (IPD) of the flow are randomly grouped, the AIPD that carries the label is computed for each group, and the label bits are embedded in the flow by controlling the difference between AIPDs. Finally, the delay of each packet within a group is modulated according to the binding rule so that the group reaches its expected AIPD value, which binds the label to the flow. Analysis and experiments confirm the effectiveness of the method.

4. A prototype multi-level security network mandatory access control system based on security labels is designed and implemented. It realises the label binding techniques proposed in this thesis and, combined with label-based mandatory access control policies, achieves fine-grained access control over application-level data objects and real-time control of network-level data flows, supporting the construction of level-3 secure applications.
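As an added illustration of the XML-based binding described in point 2 of the abstract (this is example code written for this page, not code from the thesis or its prototype system), the following Python simulates the two algorithms the abstract names on a small constructed XML object: a traversal that binds a label to every data unit, and a pruning pass that generates the view a subject with a given clearance may see. The level names, the `object`/`unit`/`level` schema and the no-downgrade constraint rule (a child unit can never carry a lower label than its parent) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Assumed label lattice (hypothetical level names): a higher number dominates a lower one.
LEVELS = {"public": 0, "internal": 1, "secret": 2, "top_secret": 3}

# Constructed sample object: one document already split into multi-level data units.
# The <object>/<unit>/level schema is an assumption made for this example.
SAMPLE_OBJECT_XML = """<object id="doc-001" type="document">
  <unit id="u1" level="public">Project overview</unit>
  <unit id="u2" level="internal">
    <unit id="u2a" level="internal">Budget summary</unit>
    <unit id="u2b" level="secret">Supplier contract terms</unit>
    <unit id="u2c" level="public">Footnote inside an internal section</unit>
  </unit>
  <unit id="u3" level="top_secret">Key-material handling notes</unit>
</object>"""


def bind_labels(root):
    """Traversal-based binding: every unit receives a 'label' attribute.

    Assumed constraint rule: a unit may not carry a lower label than its parent,
    so a declared level below the parent's is raised to the parent's level
    (u2c above becomes 'internal'). The rule itself is an assumption here.
    """
    def visit(node, inherited):
        declared = node.get("level", inherited)
        if LEVELS[declared] < LEVELS[inherited]:
            declared = inherited
        node.set("label", declared)
        for child in node:
            visit(child, declared)

    visit(root, root.get("level", "public"))
    return root


def generate_view(root, clearance):
    """Pruning-based view generation: remove every subtree whose label is not
    dominated by the subject's clearance. Because labels never decrease down
    the tree, pruning a unit safely removes everything beneath it."""
    limit = LEVELS[clearance]

    def prune(node):
        for child in list(node):
            if LEVELS[child.get("label")] > limit:
                node.remove(child)
            else:
                prune(child)
        return node

    return prune(root)


def label_map(xml_text):
    """Return {unit id: bound label} after traversal binding."""
    root = bind_labels(ET.fromstring(xml_text))
    return {u.get("id"): u.get("label") for u in root.iter("unit")}


def visible_units(xml_text, clearance):
    """Bind labels, then return the unit ids a subject with `clearance` may see, in document order."""
    root = bind_labels(ET.fromstring(xml_text))
    view = generate_view(root, clearance)
    return [u.get("id") for u in view.iter("unit")]


if __name__ == "__main__":
    for clearance in LEVELS:
        print(clearance, visible_units(SAMPLE_OBJECT_XML, clearance))
```

The binding pass runs before the pruning pass on purpose: the view generated for a subject must be computed from the labels that were actually bound (including any raised by the constraint rule), never from the levels an untrusted producer declared.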
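As an added example of the AIPD-based implicit binding in point 3 of the abstract (again example code for this page, not the thesis's own implementation), the following Python simulates the scheme end to end: a Hamming(7,4) encoder/decoder protects the label byte, a keyed PRNG produces the random grouping of IPDs that the binder and the verifier share, each bit is embedded by adjusting the difference between the AIPDs of a group's two halves (only ever by adding delay, since a packet can be held back but not sent early), and the verifier recovers and error-corrects the label. The group size, the threshold `delta`, the key string, the jitter model and the sample IPDs are all constructed for this example.

```python
import random

# ---- Hamming(7,4): codeword order [p1, p2, d1, p3, d2, d3, d4], positions 1..7 ----

def hamming_encode(data4):
    """Encode 4 data bits into a 7-bit codeword."""
    d1, d2, d3, d4 = data4
    p1 = d1 ^ d2 ^ d4      # covers positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4      # covers positions 2,3,6,7
    p3 = d2 ^ d3 ^ d4      # covers positions 4,5,6,7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming_decode(code7):
    """Correct up to one flipped bit and return the 4 data bits."""
    c = list(code7)
    p1, p2, d1, p3, d2, d3, d4 = c
    syndrome = (p1 ^ d1 ^ d2 ^ d4) | (p2 ^ d1 ^ d3 ^ d4) << 1 | (p3 ^ d2 ^ d3 ^ d4) << 2
    if syndrome:                      # the syndrome is the 1-indexed error position
        c[syndrome - 1] ^= 1
    return [c[2], c[4], c[5], c[6]]


def label_to_bits(label_byte):
    """8-bit security label -> two Hamming codewords (14 bits), MSB first."""
    bits = [(label_byte >> (7 - i)) & 1 for i in range(8)]
    return hamming_encode(bits[:4]) + hamming_encode(bits[4:])


def bits_to_label(bits14):
    data = hamming_decode(bits14[:7]) + hamming_decode(bits14[7:])
    return sum(b << (7 - i) for i, b in enumerate(data))


# ---- AIPD binding ----

def make_groups(n_ipds, n_bits, sub_size, key):
    """Keyed random grouping of IPD indices: one group of 2*sub_size IPDs per bit,
    split into halves A and B. Binder and verifier derive it from the same key."""
    assert n_ipds >= n_bits * 2 * sub_size, "flow too short for the label"
    rng = random.Random(key)
    idx = list(range(n_ipds))
    rng.shuffle(idx)
    groups = []
    for k in range(n_bits):
        chunk = idx[k * 2 * sub_size:(k + 1) * 2 * sub_size]
        groups.append((chunk[:sub_size], chunk[sub_size:]))
    return groups


def aipd(ipds, indices):
    """Average inter-packet delay over one half of a group."""
    return sum(ipds[i] for i in indices) / len(indices)


def embed(ipds, bits, key, sub_size=4, delta=0.02):
    """Binding rule (assumed): bit 1 means AIPD(A) - AIPD(B) >= +delta, bit 0 means <= -delta.
    Only delay is ever added; on the wire, raising IPD i means holding packet i+1 and
    every later packet by the same amount."""
    out = list(ipds)
    for bit, (a, b) in zip(bits, make_groups(len(ipds), len(bits), sub_size, key)):
        diff = aipd(out, a) - aipd(out, b)
        if bit == 1 and diff < delta:
            for i in a:
                out[i] += delta - diff        # raise AIPD(A) until diff == +delta
        elif bit == 0 and diff > -delta:
            for i in b:
                out[i] += diff + delta        # raise AIPD(B) until diff == -delta
    return out


def extract(ipds, n_bits, key, sub_size=4):
    """Verifier side: recompute the grouping from the key and read the sign of each difference."""
    groups = make_groups(len(ipds), n_bits, sub_size, key)
    return [1 if aipd(ipds, a) - aipd(ipds, b) > 0 else 0 for a, b in groups]


def bind_label_to_flow(ipds, label_byte, key):
    return embed(ipds, label_to_bits(label_byte), key)


def recover_label(ipds, key, flip_bit=None):
    bits = extract(ipds, 14, key)
    if flip_bit is not None:          # simulate one bit decided wrongly at the verifier
        bits[flip_bit] ^= 1
    return bits_to_label(bits)


def add_jitter(ipds, sigma, seed):
    """Constructed network jitter: Gaussian noise on every IPD, clamped at zero."""
    rng = random.Random(seed)
    return [max(0.0, d + rng.gauss(0.0, sigma)) for d in ipds]


def sample_ipds(n=112, mean=0.05, seed=7):
    """Constructed flow: n inter-packet delays drawn from an exponential distribution."""
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / mean) for _ in range(n)]


if __name__ == "__main__":
    flow = sample_ipds()
    marked = bind_label_to_flow(flow, 0xA5, key="shared-secret")
    print(hex(recover_label(add_jitter(marked, 0.002, seed=3), "shared-secret")))
```

Two design points matter for a verifier at a network boundary: the grouping key is what makes the binding implicit, since without it the marked flow looks like an unmarked one and the label cannot be located or rewritten, and `delta` trades robustness against jitter for added latency, so it should be set from measured jitter on the real path rather than a fixed constant.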
[Degree-granting institution]: PLA Information Engineering University
[Degree level]: Master
[Year degree granted]: 2014
[Classification number]: TP393.08


Page link: https://www.wllwen.com/guanlilunwen/ydhl/1503152.html
