
Research and Implementation of Network-and-Application Compatibility Conflict Detection Technology (网络与应用相融冲突检测技术的研究与实现)

Published: 2019-05-28 02:51
[Abstract]: As network scale keeps growing, security problems in enterprise networks receive increasing attention. This thesis surveys domestic and international research on compatibility conflicts in enterprise networks and, starting from the security requirements that a typical enterprise places on its network and application systems, identifies two sources of conflict: the authorization management of application systems, and the mismatch between what application systems require and what the network permits. Both threaten the secure operation of networked applications. To address them, the thesis uses the RBAC model to describe the access-control requirements of application systems, and JSON to describe the network topology and the rules of the network devices at its nodes. First, it analyzes the relationships among the elements of the RBAC model, defines authorization requirement conflicts in application systems, classifies them by type, and on that basis builds a colored-Petri-net-based method for detecting authorization compatibility conflicts. Second, to handle inconsistencies between the communication requirements of application systems and the network, it models the whole network topology with ordered binary decision diagrams (OBDDs) and detects communication compatibility conflicts between network and application by verifying Boolean functions. Finally, it designs and implements a prototype network-and-application compatibility conflict detection system and validates it experimentally on selected test cases.

The main work of the thesis is as follows:

1. A survey of domestic and international work on network-and-application compatibility conflict detection, which shows problems still open: existing rule-conflict detection methods for network devices consider only rule conflicts inside a single firewall or a simple chain of firewalls, rarely address rule conflicts among multiple routers and firewalls in a complex network topology, and do not take application requirements into account.

2. A solution for network-and-application compatibility conflict detection. A conceptual model and a conflict model for RBAC-based authorization requirements of application systems are defined, and a colored-Petri-net-based authorization compatibility conflict detection method is given; a two-layer architecture model of application system requirements is studied, the communication requirements of application systems are defined, and the translation of high-level application requirements into low-level ones is analyzed.

3. The key algorithms: a colored-Petri-net-based authorization compatibility conflict detection algorithm and an OBDD-based communication compatibility conflict detection algorithm. The thesis describes how the algorithms are implemented and analyzes their properties.

4. The design and implementation of a prototype system with three modules: a file preprocessing module, an RBAC modeling module, and a compatibility conflict detection module.

5. A series of experimental cases for the prototype. The experiments and their analysis show that, using the two-layer architecture model between network and application systems, the system not only detects conflicts within an application system and between network and application system, but also reports the cause, type, and location of each conflict, laying the groundwork for subsequent conflict resolution.
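As an added illustration of the authorization side of the thesis (this is example code written for this page, not the thesis's prototype), the following Python models an RBAC requirement set and searches it for conflicts. The role hierarchy, permission assignments, separation-of-duty pairs and the three conflict types (hierarchy cycle, permit/deny contradiction, separation-of-duty violation) are constructed assumptions chosen for the example, not the thesis's own taxonomy, and a direct graph search over the RBAC relations stands in for the colored-Petri-net encoding.

```python
"""Authorization-conflict detection over an RBAC requirement model (constructed example)."""
from collections import defaultdict

# Constructed RBAC requirements for a hypothetical finance application
# (assumption: not taken from the thesis).
ROLE_HIERARCHY = {          # senior role -> junior roles whose permissions it inherits
    "auditor": ["reader"],
    "accountant": ["reader"],
    "cfo": ["accountant"],
}
PERMISSIONS = [             # (role, action, object, effect)
    ("reader", "read", "ledger", "permit"),
    ("accountant", "write", "ledger", "permit"),
    ("auditor", "write", "ledger", "deny"),
    ("auditor", "read", "ledger", "deny"),  # contradicts the permit inherited from reader
]
EXCLUSIVE_ROLES = [("accountant", "auditor")]  # static separation of duty
USER_ROLES = {"alice": ["cfo", "auditor"], "bob": ["reader"]}


def juniors(role, hierarchy=ROLE_HIERARCHY):
    """All roles reachable downward from `role` in the hierarchy, including itself."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy.get(r, []))
    return seen


def effective_permissions(role, hierarchy=ROLE_HIERARCHY, perms=PERMISSIONS):
    """Map (action, object) -> set of effects, over the role and every role it inherits."""
    inherited = juniors(role, hierarchy)
    eff = defaultdict(set)
    for r, action, obj, effect in perms:
        if r in inherited:
            eff[(action, obj)].add(effect)
    return eff


def detect_conflicts(hierarchy=ROLE_HIERARCHY, perms=PERMISSIONS,
                     exclusive=EXCLUSIVE_ROLES, user_roles=USER_ROLES):
    """Return (conflict type, location, cause) triples, the shape of report the prototype gives."""
    conflicts = []
    # Type 1 (assumed): hierarchy cycle, a role that transitively inherits from itself.
    for role, direct in hierarchy.items():
        for junior in direct:
            if role in juniors(junior, hierarchy):
                conflicts.append(("hierarchy_cycle", role,
                                  f"{role} inherits from {junior}, which reaches {role}"))
    # Type 2 (assumed): contradiction, one (action, object) both permitted and denied for a role.
    roles = set(hierarchy) | {r for r, *_ in perms}
    for role in sorted(roles):
        for (action, obj), effects in effective_permissions(role, hierarchy, perms).items():
            if {"permit", "deny"} <= effects:
                conflicts.append(("contradiction", role,
                                  f"{action} {obj} is both permitted and denied"))
    # Type 3 (assumed): separation of duty, a user holding two exclusive roles,
    # directly or through inheritance.
    for user, assigned in user_roles.items():
        held = set().union(*(juniors(r, hierarchy) for r in assigned))
        for a, b in exclusive:
            if a in held and b in held:
                conflicts.append(("separation_of_duty", user, f"holds both {a} and {b}"))
    return conflicts


if __name__ == "__main__":
    for ctype, where, why in detect_conflicts():
        print(f"{ctype:20} at {where:10}: {why}")
```

Each finding carries a type, a location (the role or user at which it surfaces) and a cause, which is the information the abstract says a detector must provide before conflict resolution can start; note that both findings in the sample data only appear once inherited permissions are expanded through the hierarchy.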
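For the communication side (contributions 2 and 3 above), here is an added example, again written for this page rather than taken from the thesis, that checks low-level application communication requirements against the device rules of a multi-firewall topology. The JSON schema (hosts mapped to zones, devices with ordered first-match rules, the device chain per zone pair), the sample rules and the requirement list are all constructed assumptions. Each device's rule list becomes a Boolean function over (source zone, destination zone, destination port); the functions along a path are conjoined, and each requirement is checked against the result. An explicit truth-table evaluator over this small header space stands in for the thesis's OBDD, which is what makes the same check scale to real rule sets.

```python
"""Communication-conflict detection between device rules and application needs (constructed)."""
import json

# Constructed topology (assumption: not the thesis's JSON schema).
TOPOLOGY_JSON = """
{
  "hosts": {"pc1": "office", "pc2": "office", "web": "dmz", "db": "internal"},
  "devices": {
    "fw_edge": {"rules": [
      {"src": "office", "dst": "dmz",      "dport": 443,  "action": "permit"},
      {"src": "office", "dst": "internal", "dport": 5432, "action": "permit"},
      {"src": "*",      "dst": "*",        "dport": "*",  "action": "deny"}]},
    "fw_core": {"rules": [
      {"src": "dmz",    "dst": "internal", "dport": 5432, "action": "permit"},
      {"src": "office", "dst": "internal", "dport": 5432, "action": "permit"},
      {"src": "*",      "dst": "*",        "dport": "*",  "action": "deny"}]}
  },
  "paths": {
    "office->dmz": ["fw_edge"],
    "dmz->internal": ["fw_core"],
    "office->internal": ["fw_edge", "fw_core"]
  }
}
"""
TOPOLOGY = json.loads(TOPOLOGY_JSON)

# Constructed low-level communication requirements of the application:
# (source host, destination host, destination port, expected decision).
REQUIREMENTS = [
    ("pc1", "web", 443, "permit"),   # users reach the web tier
    ("web", "db", 5432, "permit"),   # web tier reaches the database
    ("pc1", "db", 5432, "deny"),     # users must not bypass the web tier
    ("pc1", "web", 22, "permit"),    # admins manage the web host over SSH
]


def rule_matches(rule, src_zone, dst_zone, dport):
    """A field of "*" is a wildcard; any other value must match exactly."""
    return all(rule[key] in ("*", value) for key, value in
               (("src", src_zone), ("dst", dst_zone), ("dport", dport)))


def device_function(device):
    """Boolean function of one device: first-match rule list with an implicit final deny."""
    def decide(src_zone, dst_zone, dport):
        for index, rule in enumerate(device["rules"]):
            if rule_matches(rule, src_zone, dst_zone, dport):
                return rule["action"] == "permit", index
        return False, None
    return decide


def path_decision(topo, src, dst, dport):
    """Conjunction of the device functions along the zone path. Returns
    (permitted, [(device, matched rule index), ...]) so a report can name the location."""
    src_zone, dst_zone = topo["hosts"][src], topo["hosts"][dst]
    if src_zone == dst_zone:
        return True, []                      # no filtering device inside a zone
    path = topo["paths"].get(f"{src_zone}->{dst_zone}")
    if path is None:
        return False, []                     # no route at all
    trace = []
    for name in path:
        permitted, index = device_function(topo["devices"][name])(src_zone, dst_zone, dport)
        trace.append((name, index))
        if not permitted:
            return False, trace              # the first denying device blocks the flow
    return True, trace


def check_requirements(topo, reqs):
    """Compare each application requirement with the network's decision for that flow."""
    conflicts = []
    for src, dst, dport, expected in reqs:
        permitted, trace = path_decision(topo, src, dst, dport)
        if permitted == (expected == "permit"):
            continue
        conflicts.append({
            "type": "network_too_restrictive" if expected == "permit" else "network_too_permissive",
            "flow": (src, dst, dport),
            "location": trace[-1][0] if trace else None,
            "cause": trace,                  # every (device, rule) that decided the flow
        })
    return conflicts


def reachability_table(topo, ports):
    """Explicit truth table of the whole-network Boolean function over the given ports."""
    return {(s, d, p) for s in topo["hosts"] for d in topo["hosts"] for p in ports
            if s != d and path_decision(topo, s, d, p)[0]}


if __name__ == "__main__":
    for conflict in check_requirements(TOPOLOGY, REQUIREMENTS):
        print(conflict)
```

On the sample data the checker finds one conflict of each kind: the users' direct path to the database is permitted by a rule on each firewall in series (a conflict that an analysis of either firewall alone would not show), and the admin SSH requirement is blocked by the edge firewall's final deny. The trace names the device and rule index responsible, which is the location and cause information the thesis's prototype reports.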
[Degree-granting institution]: 北京航空航天大学 (Beihang University)
[Degree level]: Master's
[Year awarded]: 2014
[Classification number]: TP393.08
