Research and Application of a G-SIS Model Based on the TRILL Protocol with Time and Hierarchy Constraints
Published: 2018-04-26 21:24
Topics: Group Secure Information Sharing + TRILL protocol ; Reference: Nanchang Hangkong University, 2014 master's thesis
【Abstract】: The development of the social economy and culture requires the sharing of resources across many fields, and the rapid growth of information and Internet technology has drawn attention to information-sharing technology. To meet sharing needs better, traditional access control techniques are being replaced by new ones. Group Secure Information Sharing (G-SIS), introduced as a new access control technique, not only overcomes shortcomings of traditional access control, namely that subject authorizations propagate easily (DAC), that subject and object security attributes cannot change (MAC), and that authorization is confined to roles (RBAC), but also inherits the eight elements of Usage Control (UCON) together with attribute mutability and continuity. Using the concept of groups, subjects and objects are managed uniformly as group members, and additional attributes are proposed on top of the core attributes to make authorization more flexible.

Existing data-center network architectures mostly use a Layer-2 aggregation plus Layer-3 access pattern, that is, Layer-2 protocols such as STP combined with Layer-3 routing protocols, a multi-protocol design rather than a unified protocol architecture. Within a Layer-2 segment, subjects and objects are labelled by MAC address, whereas across Layer-3 segments they must be labelled by IP address. The TRILL protocol Nickname, however, can both map Layer-2 MAC address learning within a segment and perform Layer-3-style IP routing computation across segments, so a single set of protocol-level access control policies suffices.

The G-SIS model groups subjects and objects, but subjects within a group carry no unique label. In TRILL, the Nickname plays the role of an IP address, corresponds to each device's MAC address, and is unique across the network; the Egress Nickname of the sending port identifies where a visitor comes from and can therefore serve as the unique label of a G-SIS subject.

In the G-SIS model, users in a group may access that group's resources, but subjects are not ranked. We therefore add a hierarchy constraint, so that subjects of different ranks within a group hold different permissions and can change roles under specified conditions. We also add a time constraint to G-SIS, which addresses the fact that the model's only temporal actions are group operations (subject join and leave, object add and remove). It provides a temporal basis for rank-based role changes and places time constraints on subjects' operations on object resources. These policies are then formalized in linear temporal logic (LTL).

Finally, the PEI framework is applied to G-SIS: in the Policy Mode, Nickname-labelled subject ranks and time-constraint policies are proposed; in the Enforcement Mode, LTL is used to design the G-SIS policies as processes; and in the Implementation Mode, the improved G-SIS model is applied to three common large and medium-sized network information systems: an online banking system, an enterprise training system, and an e-commerce festival event system.
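The abstract describes three constraints stacked on top of G-SIS group membership: the subject is identified by its TRILL egress Nickname, a hierarchy rank gates each operation and can be promoted after a period in the group, and the object may only be operated on inside a time window. The following is an added illustration of such an authorization decision, not code from the thesis; the rank convention (higher number = more privilege), the promotion threshold, and the sample subjects, nicknames and resource are all assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Subject:
    nickname: int                  # TRILL egress nickname (network-unique) used as the subject's identity
    group: str
    rank: int                      # hierarchy level; assumed convention: higher number = more privilege
    joined_at: int                 # time of the "subject join" group operation
    left_at: Optional[int] = None  # time of the "subject leave" group operation, if it has happened

@dataclass
class Resource:
    name: str
    group: str
    added_at: int                  # time of the "object add" group operation
    min_rank: Dict[str, int]       # operation -> minimum rank required (hierarchy constraint)
    window: Tuple[int, int]        # (start, end): time constraint on operating this object
    removed_at: Optional[int] = None

def effective_rank(s: Subject, now: int, promote_after: int = 30) -> int:
    """Time-driven role change: one rank step up once the subject's tenure in the group
    reaches promote_after (assumed threshold; the thesis does not fix a value)."""
    return s.rank + 1 if now - s.joined_at >= promote_after else s.rank

def authorize(s: Subject, r: Resource, op: str, now: int) -> bool:
    """Group, time and hierarchy constraints must all hold; anything unspecified is denied."""
    # group constraint: same group, and both subject and object currently members
    if s.group != r.group:
        return False
    if not (s.joined_at <= now and (s.left_at is None or now < s.left_at)):
        return False
    if not (r.added_at <= now and (r.removed_at is None or now < r.removed_at)):
        return False
    # time constraint on the object operation itself
    start, end = r.window
    if not start <= now <= end:
        return False
    # hierarchy constraint, using the rank after any time-based promotion
    need = r.min_rank.get(op)
    return need is not None and effective_rank(s, now) >= need

# constructed sample data for an online-banking group (values are made up)
TELLER = Subject(nickname=0x1A2B, group="bank", rank=1, joined_at=0)
AUDITOR = Subject(nickname=0x1A2C, group="bank", rank=3, joined_at=0, left_at=50)
STATEMENT = Resource("monthly_statement", "bank", added_at=5,
                     min_rank={"read": 1, "approve": 2}, window=(10, 100))
```

With this data the teller can read the statement at time 20 but only approve it after time 30, when tenure promotes the rank, and the auditor loses all access once the leave operation at time 50 takes effect.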
【Degree-granting institution】: Nanchang Hangkong University
【Degree level】: Master's
【Year awarded】: 2014
【Classification number】: TP393.08
Article number: 1807752
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1807752.html