多级安全性政策的历史敏感性

对安全政策灵活性的支持是现代安全操作系统追求的目标之一,DTOS(distributed trusted operating system)项目提出了安全政策格的思想,为安全政策灵活性的研究提供了一种很好的手段.然而,DTOS项目给出的安全政策的格描述把多级安全性(multi-level security,简称MLS)政策认定为静态安全政策.首先,从理论上构造MLS政策的一个实施策略,说明MLS政策具有历史敏感性,从而具有动态特征,不能简单地作为静态安全政策对待.同时,给出所构造的实施策略的实现算法,说明该实施策略与常规实施策略具有相同的复杂度,是一个实用的实施策略.由此证明,可以找到合理、灵活、实用的实施策略,使MLS政策具有历史敏感性,从而证明把MLS政策认定为静态安全政策的不合理性.     

环境适应的通用多安全政策支持框架研究

在当今复杂多变的安全环境中，信息系统需要实施灵活完善的安全政策，在开发RFSOS安全操作系统和研究FLASK，DTOS安全体系结构的基础上，提出能适应环境变化的多安全政策支持框架－－Guards，在RFSOS中实现原型，衣据9个评价准则与FLASK进行了对比。     

基于扩充敏感标记的格理论模型研究

为在实现多级安全系统过程中有效兼顾BLP模型与Biba模型,分析安全模型敏感标记集合在数学上形成的格理论,提出一种能够有效融合这些模型的敏感标记格安全理论模型,以同时标识信息机密性与完整性,通过构建新的敏感标记格理论模型,为信息安全模型研究提供一定的理论依据。     

安全操作系统研究的发展（下）

6 动态政策时期从单一政策支持到多种政策支持,安全操作系统迈出了向实际应用环境接近的可喜一步。然而,R.Spencer等指出,从支持多种安全政策到支持政策灵活性,还有相当一段距离。政策灵活性是动态政策时期的重要特征,1999年,Flask系统的诞生是动态政策时期的帷幕徐徐打开的标志。 6.1 基于Fluke的Flask安全操作系统 Flask是以Fluke操作系统为基础开发的安全操作系统原型。Fluke是一个基于微内核的操作系统,它提供一个基于递归虚拟机思想的、利用权能系统的基本机制实现的体系结构。     

基于概念格的文本挖掘

文本挖掘是从非结构化的文本中发现潜在的概念以及概念间的相互关系。作为从浩瀚的Web信息资源中发现潜在的、有价值知识的有效技术，Web文本挖掘已倍受关注。文中提出了利用概念格来抽取隐含在文本中潜在的概念关系，将文本挖掘中文档与关键词之间的关系通过概念格结构呈现出来。     

基于概念格的产品信息描述及其优化策略

给出了利用概念格结构描述并显示产品信息特征的方法，介绍了如何利用关键格以及属性相似性聚类策略优化显示结专。在此基础上．建立了一种用于Web信息处理和显示的概念格结构模型，通过一个例子说明了具体应用和软件实现，并对其现实意义进行了分析。     

一种基于格的可证明安全数字签名方案

为确保签名算法的安全,现有基于格的数字签名方案在生成签名时存在较高的失败概率(接近2/3),因此需要运行签名算法3次才能生成一个合法签名。为此,提出一种基于格的可证明安全数字签名方案,将消息签名作为Ring-SIS问题,私钥作为Ring-SIS问题的一个解,使攻击者无法根据消息签名得到私钥。基于多项式环下的运算,在签名过程中引入两位随机数,并使用抗碰撞的哈希函数进行随机化,使最终签名分布与私钥分布无关。与现有方案相比,该方案解决了签名生成失败的问题,并且在保证签名算法安全性的同时对现有方案的计算复杂度无较大影响。     

一个安全标记公共框架的设计与实现

标记是实现多级安全系统的基础,实施强制访问控制的前提.如何确定和实现标记功能并使其支持多种安全政策是研究的目的.提出了一个安全标记公共框架,该框架基于静态客体标记和动态主体标记,引入了访问历史的概念,并给出了一个完备的标记函数集合.基于此框架,既可以实施多等级保密性安全政策,又可以实施多等级完整性安全政策.该框架在一个基于Linux的安全操作系统中的实现结果表明,基于该框架的安全系统在保证安全性的同时,还具有相当的灵活性和实用性.     

基于剪枝的概念格渐进式构造

概念格是形式概念分析中的核心数据结构。然而，随着需要分析处理的数据量日益剧增，概念格的构造效率成为一个关键问题。采用剪枝方法，消除了概念格构造过程中产生的冗余信息，提出了一种基于剪枝的概念格渐进式构造算法（Pruning based Concept Lattice，PCL），从而减少了概念格内涵的比较次数，提高了概念格的构造效率。采用恒星天体光谱数据作为形式背景，实验验证了算法PCL的正确性和有效性。     

WCF安全模型的设计与实现

本文为了满足面向服务应用程序的各种安全需求,在研究分析了WCF(Windows Communication Foundation)的原理特性和安全架构之后,提出了一种基于WCF的安全应用模型,相比传统的面向服务安全模型,该模型有着更好的灵活性、可扩展性,最后在一个安全中间件开发项目中对该模型进行了实现。     

A security policy language for wireless sensor networks

Authenticated computer system users are only authorized to access certain data within the system. In the future, wireless sensor networks (WSNs) will need to restrict access to data as well. To date, WSN security has largely been based on encryption and authentication schemes. The WSN Authorization Specification Language (WASL) is a mechanism-independent composable WSN policy language that can specify arbitrary and composable security policies that are able to span and integrate multiple WSN policies. Using WASL, a multi-level security policy for a 1000 node network requires only 60 bytes of memory per node.     

基于策略的网络安全防护系统框架研究

基于策略的安全防护技术是当前网络安全研究的重点,但适于网络环境的安全策略应用机制还很不完善。本文全面分析了实施基于策略的网络安全防护应用系统的要求,提出了一种将安全策略、安全防护行为、网络应用逻辑三者相互独立又有机结合的安全策略防护框架。针对网络应用的行为及其状态特征综合分析了应用系统、安全策略及安全防护护行为的形式化描述,制定了网络应用逻辑的监控机制和基于事件驱动的策略执行算法,实现了用策略动态控制应用系统行为的目的,增强了安全防护的灵活性和扩展性。     

Specification and enforcement of flexible security policy for active cooperation

Interoperation and services sharing among different systems are becoming new paradigms for enterprise collaboration. To keep ahead in strong competition environments, an enterprise should provide flexible and comprehensive services to partners and support active collaborations with partners and customers. Achieving such goals requires enterprises to specify and enforce flexible security policies for their information systems. Although the area of access control has been widely investigated, current approaches still do not support flexible security policies able to account for different weighs that typically characterize the various attributes of the requesting parties and transactions and reflect the access control criteria that are relevant for the enterprise. In this paper we propose a novel approach that addresses such flexibility requirements while at the same time reducing the complexity of security management. To support flexible policy specification, we define the notion of restraint rules for authorization management processes and introduce the concept of impact weight for the conditions in these restraint rules. We also introduce a new data structure for the encoding of the condition tree as well as the corresponding algorithm for efficiently evaluating conditions. Furthermore, we present a system architecture that implements above approach and supports interoperation among heterogeneous platforms.     

网络安全管理综述

随着网络的日益发展,网络管理的安全性也越来越重要。文章从安全的角度全面地阐述了网络管理协议,重点分析了SNMP的安全策略,并对当前常用的网管软件及其安全策略进行了分析,最后论述了安全网络管理中要考虑的一些问题。     

基于形式化与图形化的IPSec安全策略管理

IPSec是一个策略驱动的安全机制，只有当安全策略被正确定义和配置时才能保证IPSec的功能被正确执行，怎样根据特定的条件设置合理有效的策略，是正确实施IPSec的一个重要问题。该文对IPSec安全需求的分析方法进行了改进和形式化表示，给出了一种策略管理的图形化工具。     

A new model of security for metasystems

With the rapid growth of high-speed networking and microprocessing power, metasystems have become increasingly popular. The need for protection and security in such environments has never been greater. However, the conventional approach to security, that of enforcing a single system-wide policy, will not work for the large-scale distributed systems we envision. Our new model shifts the emphasis from ‘system as enforcer’ to user-definable policies, making users responsible for the security of their objects. This security model has been implemented as part of the Legion project. Legion is an object-oriented metacomputing system, with strong support for autonomy. This includes support for per-object, user-defined policies in many areas, including resource management and security. This paper briefly describes the Legion system, presents our security model, and discusses the realization of that model in Legion.     

基于信息格的降密策略

降密策略是信息流安全研究的重要挑战之一.目前的研究主要集中在不同维度的定性分析上,缺乏对机密信息降密数量的精确控制,从而导致降密策略的限制性与程序安全需求之间的关系难以精确控制.为此,提出基于信息格的量化度量方法,通过阈值的控制,从定量的角度对健壮性降密策略的限制性进行放松,实现富有弹性的健壮性降密策略.     

Virtual organization security policies: An ontology-based integration approach

This paper addresses the specification of a security policy ontology framework to mediate security policies between virtual organizations (VO) and real organizations (RO). The goal is to develop a common domain model for security policy via semantic mapping. This mitigates interoperability problems that exist due to heterogeneity in security policy data among various (VO) and (RO) in the semantic web. We propose to carry out integration or mapping for only one aspect of security policy, which is authorization policy. Other aspects such as integrity, repudiation and confidentiality will be addressed in future work. We employ various tools such as Protégé, RacerPro and PROMPT to show proof of concept.

应对计算机病毒的安全策略

计算机病毒的产生以及迅速蔓延已经使计算机系统的安全受到极大的威胁,在认清计算机系统安全的脆弱性和潜在威胁,我们应对计算机进行加强有力的安全策略和防护手段。本文探讨了计算机病毒的特点和计算机网络系统安全策略以及计算机的防护手段。     

Do security and privacy policies in B2B and B2C e-commerce differ? A comparative study using content analysis

Security and privacy policies address consumer concerns related to security and privacy in e-commerce websites. As these policies represent only the vendor’s perspective, often there exists a mismatch between the stated and desired policy. Based on transaction cost theory, we speculate that business-to-business (B2B) and business-to-consumer (B2C) e-commerce customers use their transaction cost savings in order to obtain varying levels of security and privacy. These differences are bound to be reflected in the security and privacy policies of e-commerce companies. Therefore, in this paper, we perform a comparative content analysis of the security and privacy policies in B2C and B2B e-commerce. Results show that B2B vendors are more concerned about security than their B2C counterparts, while B2C vendors are anxious about intimacy and restriction privacy. Our findings have important implications for e-commerce consumers and vendors as individual and corporate consumers have varying concerns while transacting online. Individual consumers are concerned about maintaining security and intimacy privacy, whereas corporate users are anxious about regulatory issues. Therefore, B2C vendors should incorporate stringent measures dedicated to confidentiality and protection of consumer data as well as enhance intimacy privacy in their security policies, while their B2B counterparts should focus on enhancing restriction privacy.