20 similar documents found; search took 46 ms.
1.
Thathan Sureshkumar Mani Lingaraj Bojan Anand Thathan Premkumar 《International Journal of Communication Systems》2018,31(14)
Network operators depend heavily on security services to protect their IT infrastructures. Because security policies are complex, however, earlier pathwise enforcement approaches cannot simply be applied as they are. This paper formulates the problem of enforcing a security policy on middleboxes as a weighted K set covering problem that is supported by a policy space analysis tool. The tool operates on range-represented hyperrectangles, which are indexed by a prioritized R-tree. The work first evaluates the topological features of various types of policies. Heuristic information obtained from a hybrid firefly-bat algorithm exposes the inherent difficulty of security policies and guides the design of the enforcement algorithm. A scopewise policy enforcement procedure is also proposed; it needs only a moderate number of enforcement nodes to place the policy subsets in a greedy manner. The results show that the hybrid firefly-bat algorithm combined with policy space analysis substantially improves rule overhead, network security, packet delivery ratio, packet loss ratio and time efficiency compared with plain set operations on the security policy.
2.
3.
Starting from an analysis of why intranet security management matters, this paper builds on the P2DR model to propose a design for an internal network security management system. It analyses the five parts of such a system: security policy, management support, policy enforcement, monitoring and response, and auditing. It then selects feasible development tools, designs and analyses the flow of the client program and the server program, and finally analyses the structure of the communication messages. The content can serve as a reference for related theoretical analysis.
4.
5.
Language-based information-flow security  Cited by: 27 (self-citations: 0, citations by others: 27)
Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker from the attacker's observations of system output; such a policy regulates information flow. Conventional security mechanisms such as access control and encryption do not directly address the enforcement of information-flow policies. A promising approach has since been developed: the use of programming-language techniques for specifying and enforcing information-flow policies. This paper surveys the past three decades of research on information-flow security, focusing on work that uses static program analysis to enforce information-flow policies, gives a structured view of the area and identifies some important open challenges.
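The static-analysis approach the survey covers can be shown on a toy language. The checker below is an added example written for this page, not code from the paper or its authors: it implements the classic security-typing rule (an assignment to x is accepted only if the join of the expression's label and the program-counter label is at most the label of x) over a hand-built statement list. The statement forms, the variable names and the sample programs are all assumed for the illustration.

```python
"""Static information-flow check for a tiny imperative language (added example).

Every variable carries a fixed label, L (public) or H (secret).  A program is a
list of statements:
  ("assign", x, reads)        x := e, where reads lists the variables e mentions
  ("if", cond, then, else)    cond lists the variables the guard mentions
  ("while", cond, body)
An assignment to x is accepted only if join(label(e), pc) <= label(x), where pc
is the join of the labels of all enclosing guards.  That rejects explicit flows
(out := secret) and implicit flows (if secret: out := 1).  The check is
termination-insensitive: it ignores what an attacker learns from a loop that
never terminates.
"""
LOW, HIGH = "L", "H"

def leq(a, b):
    """Lattice order: the only forbidden direction is H -> L."""
    return a == LOW or b == HIGH

def join(a, b):
    return HIGH if HIGH in (a, b) else LOW

def expr_label(reads, env):
    label = LOW
    for v in reads:
        label = join(label, env[v])
    return label

def check_program(stmts, env, pc=LOW, path="", violations=None):
    """Return a list of (location, message) violations; an empty list means well typed."""
    if violations is None:
        violations = []
    for i, stmt in enumerate(stmts):
        where = f"{path}{i}"
        kind = stmt[0]
        if kind == "assign":
            _, target, reads = stmt
            src = join(expr_label(reads, env), pc)
            if not leq(src, env[target]):
                flow = "implicit" if expr_label(reads, env) == LOW else "explicit"
                violations.append((where, f"{flow} flow of {src} data into {target} ({env[target]})"))
        elif kind == "if":
            _, cond, then_block, else_block = stmt
            inner = join(pc, expr_label(cond, env))      # guard raises the pc label
            check_program(then_block, env, inner, where + ".then.", violations)
            check_program(else_block, env, inner, where + ".else.", violations)
        elif kind == "while":
            _, cond, body = stmt
            inner = join(pc, expr_label(cond, env))
            check_program(body, env, inner, where + ".body.", violations)
        else:
            raise ValueError(f"unknown statement kind {kind!r}")
    return violations

# Constructed programs and labelling (assumed for the example).
ENV = {"secret": HIGH, "scratch": HIGH, "out": LOW}

EXPLICIT = [("assign", "out", ["secret"])]                  # out := secret
IMPLICIT = [("if", ["secret"],                             # if secret: out := 1 else: out := 0
             [("assign", "out", [])],
             [("assign", "out", [])])]
LAUNDERED = [("assign", "scratch", ["secret"]),            # scratch := secret (H to H, fine)
             ("while", ["scratch"],                        # loop guarded by secret data:
              [("assign", "out", ["out"])])]               # any write to `out` inside leaks
SAFE = [("assign", "out", []),                             # out := 0
        ("if", ["secret"], [("assign", "scratch", ["out"])], []),   # low data may flow up
        ("assign", "scratch", ["secret"])]                 # high to high is fine

def demo():
    return {name: check_program(prog, ENV)
            for name, prog in [("explicit", EXPLICIT), ("implicit", IMPLICIT),
                               ("laundered", LAUNDERED), ("safe", SAFE)]}
```

The `LAUNDERED` program is rejected even though `out := out` changes no value: a security type system reasons about labels, not values, so every assignment under a secret guard is treated as a leak. That conservatism is the price of a purely static check.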
6.
The major challenge in wireless body area networks (WBANs) is setting up protected communication between data consumers and a body area network controller while meeting the security and privacy requirements. This paper proposes efficient and secure data communication in WBANs using the Twofish symmetric algorithm together with ciphertext-policy attribute-based encryption with constant-size ciphertext; the scheme also supports policy updating, so access policies can be changed after deployment. To the best of the authors' knowledge, policy updating in WBANs has not been studied in earlier work. The scheme is evaluated in terms of message size, energy consumption and computation cost, and the results are compared with existing schemes. The results show that the proposed method achieves higher efficiency than conventional methods.
7.
Taxonomy of conflicts in network security policies  Cited by: 5 (self-citations: 0, citations by others: 5)
Network security policies are essential elements of the Internet security devices that provide traffic filtering, integrity, confidentiality and authentication. Perimeter devices such as firewalls, IPsec gateways and IDS/IPS devices operate on locally configured policies. Configuring these policies, however, remains complex and error-prone because of rule-dependency semantics and the interaction between policies across the network, and the complexity grows with the size of the network. A successful deployment of a network security system requires global analysis of the policy configurations of all security devices in order to avoid conflicts and inconsistencies. Policy conflicts can cause serious security breaches and expose the network, for example by blocking legitimate traffic, permitting unwanted traffic or transmitting data insecurely. This article presents a comprehensive classification of the security policy conflicts that can exist within a single device (intra-policy conflicts) or between different devices (inter-policy conflicts) in enterprise networks. We also show that such conflicts are highly likely to be created even by expert system administrators and network practitioners.
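Intra-policy conflicts of the kind the article classifies can be found mechanically by comparing the match regions of rules in order. The script below is an added example for this page, not code from the article; it uses three of the standard conflict classes (shadowing, redundancy, correlation), models each rule as an IPv4 5-tuple filter matched first-fit, and reports conflicts in the constructed policy. The rule fields, the `Rule` type and the sample policy are assumptions made for the illustration.

```python
"""Detecting intra-policy conflicts in an ordered firewall rule list (added example).

Packets are matched first-fit.  For rules i < j, the relation between their match
sets decides the conflict class:
  shadowing   match(j) is a subset of match(i) and the actions differ: j never fires,
              so its intended permit or deny is silently lost
  redundancy  match(j) is a subset of match(i) and the actions are equal: j is dead weight
  correlation the match sets overlap without containment and the actions differ:
              rule order decides the outcome for the overlap, which is rarely intended
A later rule that contains an earlier one with a different action (an exception
followed by a general rule) is the normal way to write a policy and is not reported.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # IPv4 CIDR
    dst: str                 # IPv4 CIDR
    dports: Tuple[int, int]  # inclusive destination port interval

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def proto_subset(a, b):      # is protocol set a contained in protocol set b?
    return b == "any" or a == b

def proto_overlap(a, b):
    return a == "any" or b == "any" or a == b

def range_subset(a, b):
    return b[0] <= a[0] and a[1] <= b[1]

def range_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def subset(r: Rule, s: Rule) -> bool:
    """Every packet matched by r is also matched by s."""
    return (proto_subset(r.proto, s.proto)
            and _net(r.src).subnet_of(_net(s.src))
            and _net(r.dst).subnet_of(_net(s.dst))
            and range_subset(r.dports, s.dports))

def overlap(r: Rule, s: Rule) -> bool:
    """Some packet is matched by both r and s."""
    return (proto_overlap(r.proto, s.proto)
            and _net(r.src).overlaps(_net(s.src))
            and _net(r.dst).overlaps(_net(s.dst))
            and range_overlap(r.dports, s.dports))

def find_conflicts(rules: List[Rule]):
    """Return (kind, earlier_rule, later_rule) triples in policy order."""
    out = []
    for j, rj in enumerate(rules):
        for i in range(j):
            ri = rules[i]
            if subset(rj, ri):
                kind = "redundancy" if ri.action == rj.action else "shadowing"
                out.append((kind, ri.name, rj.name))
            elif ri.action != rj.action and overlap(ri, rj) and not subset(ri, rj):
                out.append(("correlation", ri.name, rj.name))
    return out

# Constructed policy (assumed for the example).
POLICY = [
    Rule("r1", "permit", "tcp", "10.0.0.0/8",    "192.168.1.10/32", (80, 80)),
    Rule("r2", "deny",   "tcp", "10.0.1.0/24",   "192.168.1.10/32", (80, 80)),   # shadowed by r1
    Rule("r3", "permit", "tcp", "10.0.2.0/24",   "192.168.1.10/32", (80, 80)),   # redundant with r1
    Rule("r4", "deny",   "tcp", "10.0.0.0/8",    "192.168.1.0/24",  (1, 1023)),  # general rule after exceptions: fine
    Rule("r5", "deny",   "any", "10.0.0.0/16",   "192.168.2.0/24",  (443, 8080)),
    Rule("r6", "permit", "tcp", "10.0.0.0/8",    "192.168.2.0/25",  (443, 443)), # overlaps r5 either way
]

def demo():
    return find_conflicts(POLICY)
```

Rule r2 is the interesting case for the article's point: the administrator meant to deny one subnet but placed the exception after the general permit, so the deny never fires and unwanted traffic is permitted. A quadratic pairwise scan is fine for a few thousand rules; beyond that, the range-indexing structures used in the policy-analysis literature are needed.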
8.
Seyyed Naser Seyyed Hashemi Ali Bohlooli 《International Journal of Communication Systems》2019,32(18)
Information-centric networking (ICN) has emerged as a promising candidate for content-based future Internet designs. ICN increases network utilization through location-independent content naming and in-network content caching. In routers, the cache replacement policy decides which content is evicted when cache space runs short, so it directly affects user experience, in particular content delivery time. At the same time, because content in ICN has a multi-source property, it can be delivered from several locations simultaneously. To the best of our knowledge, no previous work has studied the effect of the cache replacement policy on content delivery time under multi-source delivery in ICN; this paper addresses that gap. We analytically quantify the average content delivery time under two replacement policies, least recently used (LRU) and random replacement (RR), and show that which policy is superior depends on the popularity distribution of the contents. The expected content delivery time in a given network topology is studied both theoretically and experimentally, and the results yield several findings about the performance of the two policies.
9.
10.
F. Schüller Dipl.-Ing. T. Höher Dipl.-Ing. H. Weisgrab 《e & i Elektrotechnik und Informationstechnik》2005,122(1-2):55-61
The basic principle of the Internet is to connect intelligent terminals through a relatively simple network of routers. This principle was broken by the introduction of so-called middleboxes, for example firewalls. These network elements, usually placed between clients and servers for security reasons, cause many problems for Voice-over-IP telephony. The problems can be solved with additional protocols that control the middleboxes; UPnP and MIDCOM are two of the most important approaches. This article compares the two protocols and shows their potential in connection with VoIP.
11.
A security system can meet real-world requirements only if it supports multiple security policies. Role-based access control (RBAC) is a policy-neutral model that has been used to implement many security policies. The domain and type enforcement (DTE) security policy fully embodies the principles of least privilege and separation of duty, but RBAC96 is not well suited to implementing DTE directly. Drawing on the ideas of both RBAC and DTE, this paper proposes the Role-Based Domain and Type Enforcement Access Control (RDTEAC) model. The model inherits the advantages of RBAC96, embodies the security ideas of DTE and makes DTE security policies easy to implement. A prototype of the RDTEAC model has also been implemented on Linux.
12.
Man Li 《IEEE network》2003,17(6):36-43
Security is vital to the success of e-commerce and of many new value-added IP services. IPsec is therefore an especially important security mechanism, since it provides cryptographic protection for IP packets. For IPsec to work properly, however, security policies describing how different IP packets are protected must be provisioned on every network element that offers IPsec protection. Because IPsec policies are quite complex, configuring them manually on individual network elements is inefficient and therefore infeasible for large-scale deployment. Policy-based IPsec management addresses this problem: a policy server manages the network as a whole, translates business goals or policies into network resource configurations and automates those configurations across many different network elements. This significantly simplifies defining, deploying and maintaining security policies across a network, and with it large-scale IPsec deployment. This article describes the motivation, key concepts and recent IETF developments for policy-based IPsec management. It then applies the key concepts to an example of IPsec VPN service provisioning, describes an example IPsec policy server and the experience gained from implementing it, and discusses the challenges facing policy-based IPsec management.
13.
Security analysis of access control policies based on weighted entropy  Cited by: 1 (self-citations: 0, citations by others: 1)
To address the security analysis of access control policies, a quantitative policy analysis theory based on information entropy is proposed. First, a policy security entropy is defined using the weighted entropy of information theory, and a method for computing the maximum uncertainty of unauthorized access behaviour is given. Then the one-dimensional and N-dimensional security entropies of typical access control policies are derived and the results are proved. Finally, the security of typical access control policies is analysed on the basis of their security entropy.
14.
15.
The rapid increase in resource sharing across domains in cloud computing makes managing the integration of inter-domain access control policies difficult for security administrators. Although a number of policy integration and security analysis mechanisms have been developed, few give the average administrator an intuitive sense of the integrated policies, which considerably undermines usability. This paper proposes a visualization framework for inter-domain access control policy integration: it integrates Role-Based Access Control (RBAC) policies on the basis of role mapping and then visualizes the result. The role-mapping algorithm in the framework handles hybrid role hierarchies; it satisfies the security constraints of non-cyclic inheritance and separation of duty and also makes visualization easier. The framework uses role-permission trees and semantic substrates to visualize the integrated policies, and through interactive policy query visualization the average administrator can gain an intuitive understanding of the integration result.
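The two constraints the role-mapping algorithm must satisfy, non-cyclic inheritance and separation of duty, can be checked on the merged hierarchy before a mapping is accepted. The script below is an added example for this page, not the paper's algorithm: it treats each domain's hierarchy as plain inheritance edges (senior inherits junior), adds the proposed cross-domain mapping edges, and reports any inheritance cycle and any role that would inherit both members of a static separation-of-duty pair. The domains, role names, mappings and SoD pairs are constructed for the illustration; the hybrid (activation-only) hierarchy relations the paper handles are not modelled.

```python
"""Checking a cross-domain role mapping for cyclic inheritance and SoD violations (added example).

Each domain's RBAC hierarchy is a list of (senior, junior) edges: the senior role
inherits the junior role's permissions.  A role mapping adds cross-domain edges of
the same kind.  Integration is accepted only if the merged graph stays acyclic
(a cycle silently makes the roles on it equivalent) and no role ends up inheriting
both members of a static separation-of-duty pair.
"""
from collections import defaultdict

def build_graph(*edge_lists):
    g = defaultdict(set)
    for edges in edge_lists:
        for senior, junior in edges:
            g[senior].add(junior)
            g.setdefault(junior, set())
    return g

def find_cycle(g):
    """Return one inheritance cycle as a list of roles (first == last), or [] if acyclic."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {r: WHITE for r in g}
    stack = []

    def visit(r):
        colour[r] = GREY
        stack.append(r)
        for j in sorted(g[r]):                   # sorted for deterministic output
            if colour[j] == GREY:                # back edge: j is on the current path
                return stack[stack.index(j):] + [j]
            if colour[j] == WHITE:
                cyc = visit(j)
                if cyc:
                    return cyc
        stack.pop()
        colour[r] = BLACK
        return []

    for r in sorted(g):
        if colour[r] == WHITE:
            cyc = visit(r)
            if cyc:
                return cyc
    return []

def inherited(g, role):
    """All roles whose permissions `role` acquires, including itself."""
    seen, todo = set(), [role]
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(g[r])
    return seen

def sod_violations(g, sod_pairs):
    """(role, a, b) for every role that inherits both a and b of a conflicting pair."""
    out = []
    for role in g:
        got = inherited(g, role)
        for a, b in sod_pairs:
            if a in got and b in got:
                out.append((role, a, b))
    return out

def check_integration(domain_a, domain_b, mapping, sod_pairs):
    g = build_graph(domain_a, domain_b, mapping)
    return {"cycle": find_cycle(g), "sod": sod_violations(g, sod_pairs)}

# Constructed domains, mappings and SoD pairs (assumed for the example).
DOMAIN_A = [("A.Admin", "A.Doctor"), ("A.Doctor", "A.Staff"), ("A.Auditor", "A.Staff")]
DOMAIN_B = [("B.Manager", "B.Clerk"), ("B.Clerk", "B.Employee"), ("B.Reviewer", "B.Employee")]
SOD = [("A.Doctor", "A.Auditor"), ("B.Clerk", "B.Reviewer")]

MAPPING_OK    = [("A.Doctor", "B.Clerk")]                            # accepted
MAPPING_CYCLE = [("A.Doctor", "B.Clerk"), ("B.Clerk", "A.Admin")]    # A.Admin > A.Doctor > B.Clerk > A.Admin
MAPPING_SOD   = [("A.Doctor", "B.Clerk"), ("A.Doctor", "B.Reviewer")] # A.Doctor gets both halves of a pair
```

The SoD check deliberately looks at every role in the merged graph, not just the mapped ones: in `MAPPING_SOD` the violation also surfaces at `A.Admin`, which never appears in the mapping but inherits it through `A.Doctor`.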
16.
A fully automatic method for checking a security policy of the JVM runtime library  Cited by: 1 (self-citations: 0, citations by others: 1)
The JVM runtime library implements a variety of security policies by calling the security manager class from its own library functions. One of the most important is that a program must pass the corresponding access control permission check before it performs a sensitive operation. Traditionally, whether the JVM runtime library satisfies this policy has been verified by manual analysis, but the Java standard class library contains thousands of classes and tens of thousands of methods and is evolving rapidly, so manual analysis is slow, laborious and error-prone. This paper proposes a fully automatic, efficient model checking method for assessing whether the JVM complies with this policy: it scans the bytecode files of the Java standard class library, builds a control flow graph for each class member method, defines a checking model, combines it with taint analysis to compute method summaries, and automatically detects risky methods.
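The core of the check is a must-analysis over each method's control flow graph ("is the right permission checked on every path before the sensitive operation?") whose result is summarised per method and propagated through call sites. The script below is an added example for this page, not the paper's tool: instead of JVM bytecode it works on hand-built control flow graphs with four kinds of node, and it reports the public methods from which a sensitive operation is reachable without a preceding check. The method names, permission names and graphs are constructed for the illustration and do not describe real JDK classes.

```python
"""Finding sensitive operations reachable without a permission check (added example).

Each method is a small control-flow graph whose nodes carry one of:
  ("check", perm)           SecurityManager.checkPermission(perm); execution continues only if allowed
  ("sensitive", op, perm)   the privileged operation that perm is meant to guard
  ("call", method)          invocation of another library method
  ("nop",)                  anything else
Per node, the analysis computes the set of permissions checked on *all* paths from
the method entry (intersection at joins, so a check on only one branch does not
count).  The method summary is the set of (op, perm) pairs reachable with perm not
in that set; summaries flow through call sites and are iterated to a fixpoint, so
a private helper that performs the operation unchecked is flagged only through the
public callers that actually reach it without a check.
"""
TOP = None   # dataflow value for "node not yet reached"

def analyze_method(lib, name, summaries):
    m = lib[name]
    checked = {n: TOP for n in m["nodes"]}        # perms checked on every path to n
    checked[m["entry"]] = frozenset()
    changed = True
    while changed:                                # values only shrink, so this terminates
        changed = False
        for n, instr in m["nodes"].items():
            before = checked[n]
            if before is TOP:
                continue
            after = (before | {instr[1]}) if instr[0] == "check" else before
            for s in m["edges"].get(n, ()):
                new = after if checked[s] is TOP else (checked[s] & after)
                if new != checked[s]:
                    checked[s] = new
                    changed = True
    unguarded = set()
    for n, instr in m["nodes"].items():
        before = checked[n]
        if before is TOP:                         # unreachable code cannot be exercised
            continue
        if instr[0] == "sensitive" and instr[2] not in before:
            unguarded.add((instr[1], instr[2]))
        elif instr[0] == "call":
            unguarded |= {(op, perm) for op, perm in summaries.get(instr[1], ())
                          if perm not in before}
    return frozenset(unguarded)

def risk_methods(lib):
    """Public methods from which some sensitive operation is reachable unchecked."""
    summaries = {name: frozenset() for name in lib}
    while True:                                   # summaries only grow, so this terminates
        new = {name: analyze_method(lib, name, summaries) for name in lib}
        if new == summaries:
            return {n: ops for n, ops in new.items() if lib[n]["public"] and ops}
        summaries = new

# Constructed library (hypothetical names, assumed for the example).
LIBRARY = {
    "FileOps.delete": {   # check dominates the operation: safe
        "public": True, "entry": 0,
        "nodes": {0: ("check", "FilePermission.delete"),
                  1: ("sensitive", "unlink", "FilePermission.delete")},
        "edges": {0: [1]},
    },
    "Proc.exec": {        # check on one branch only: the other branch is unguarded
        "public": True, "entry": 0,
        "nodes": {0: ("nop",), 1: ("check", "RuntimePermission.exec"),
                  2: ("sensitive", "fork", "RuntimePermission.exec")},
        "edges": {0: [1, 2], 1: [2]},
    },
    "impl.open": {        # private helper that performs the operation without checking
        "public": False, "entry": 0,
        "nodes": {0: ("sensitive", "open", "FilePermission.read")},
        "edges": {},
    },
    "Stream.init": {      # public caller that checks before using the helper: safe
        "public": True, "entry": 0,
        "nodes": {0: ("check", "FilePermission.read"), 1: ("call", "impl.open")},
        "edges": {0: [1]},
    },
    "Probe.read": {       # public caller that reaches the helper unchecked: risk
        "public": True, "entry": 0,
        "nodes": {0: ("nop",), 1: ("call", "impl.open")},
        "edges": {0: [1]},
    },
    "Net.connect": {      # checks a permission, but not the one the operation needs: risk
        "public": True, "entry": 0,
        "nodes": {0: ("check", "SocketPermission.resolve"),
                  1: ("sensitive", "connect", "SocketPermission.connect")},
        "edges": {0: [1]},
    },
    "Log.rotate": {       # loop: the check is re-executed before every iteration's operation
        "public": True, "entry": 0,
        "nodes": {0: ("nop",), 1: ("check", "FilePermission.write"),
                  2: ("sensitive", "rename", "FilePermission.write"), 3: ("nop",)},
        "edges": {0: [1], 1: [2], 2: [1, 3]},
    },
}
```

Two of the flagged cases are the ones manual review most often misses: a check that exists but guards only one branch (`Proc.exec`), and a check for the wrong permission (`Net.connect`), which looks correct to a grep for `checkPermission`.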
17.
Internet firewall security  Cited by: 1 (self-citations: 0, citations by others: 1)
方妹妹 《信息安全与通信保密》(Information Security and Communications Privacy) 1996,(4)
This paper first raises the security problems of connecting to the Internet and then outlines the general framework of a security policy. Firewall technology is the core of the paper: the types, functions and characteristics of firewalls are introduced systematically.
18.
19.
Al-Shaer E. El-Atawy A. Samak T. 《Selected Areas in Communications, IEEE Journal on》2009,27(3):302-314
Network security devices such as firewalls and intrusion detection systems are constantly updated to add features, meet performance standards and exploit new hardware optimizations. Reliable yet practical testing techniques are therefore needed to validate configuration enforcement after every software or firmware update and confirm that the configuration is realized correctly. Generating random traffic to test firewall configuration enforcement is not only inaccurate but impractical, since reasonable coverage would require an infeasible number of test cases; moreover, the policies used during testing are usually written by hand or have limited configuration profiles. We present a framework for automatic testing of firewall configuration enforcement with efficient and flexible policy and traffic generation. In a typical test session, a large set of policies is generated from the access-control list (ACL) grammar according to custom profiles, and test packets are generated to target the critical segments of the tested policies and achieve high coverage of the testing space. We also describe a fully automated implementation that includes ACL grammar modelling, policy generation, test case generation, capture and analysis of firewall output, and detailed test reports. Our evaluation shows that this security configuration testing is not only achievable but offers high coverage with a significant degree of confidence.
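Why targeted packets beat random traffic is easy to see with a reference evaluator and a device that has a range bug. The script below is an added example for this page, not the paper's framework: a first-match evaluator over the intended policy supplies the expected verdict, test packets are generated at the critical segments of each rule (first and last address of each network, first and last port, and the value just outside each edge), and the same evaluator with an exclusive upper port bound stands in for a faulty device under test. The `Rule` type, the policy and the simulated bug are assumptions made for the illustration.

```python
"""Boundary-driven test generation for firewall configuration enforcement (added example).

Random packets almost never land exactly on a rule edge, which is where range and
off-by-one errors live.  Generating packets at the edges of every rule's match
region gives a small test set that still exercises each rule's critical segments,
and the reference evaluator turns each packet into an oracle verdict.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # IPv4 CIDR
    dst: str                 # IPv4 CIDR
    dports: Tuple[int, int]  # inclusive destination port range

Packet = Tuple[str, str, str, int]   # (proto, src_ip, dst_ip, dport)

def matches(rule: Rule, pkt: Packet, inclusive_hi: bool = True) -> bool:
    proto, src, dst, dport = pkt
    hi_ok = dport <= rule.dports[1] if inclusive_hi else dport < rule.dports[1]
    return ((rule.proto == "any" or rule.proto == proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src, strict=False)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst, strict=False)
            and rule.dports[0] <= dport and hi_ok)

def first_match(policy, pkt, default="deny", inclusive_hi=True):
    """Reference semantics: first matching rule wins, otherwise the default action."""
    for rule in policy:
        if matches(rule, pkt, inclusive_hi):
            return rule.action
    return default

def boundary_addresses(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    first, last = int(net.network_address), int(net.broadcast_address)
    cands = [v for v in (first, last, first - 1, last + 1) if 0 <= v < 2 ** 32]
    return list(dict.fromkeys(str(ipaddress.ip_address(v)) for v in cands))

def boundary_ports(lo, hi):
    return list(dict.fromkeys(p for p in (lo, hi, lo - 1, hi + 1) if 0 <= p <= 65535))

def generate_tests(policy):
    """(packet, expected verdict) pairs covering the edges of every rule's match region."""
    tests = []
    for rule in policy:
        protos = ("tcp", "udp") if rule.proto == "any" else (rule.proto,)
        for proto in protos:
            for src in boundary_addresses(rule.src):
                for dst in boundary_addresses(rule.dst):
                    for dport in boundary_ports(*rule.dports):
                        pkt = (proto, src, dst, dport)
                        tests.append((pkt, first_match(policy, pkt)))
    return tests

def run_tests(tests, device: Callable[[Packet], str]):
    """Replay the tests against a device and return (packet, expected, observed) mismatches."""
    mismatches = []
    for pkt, expected in tests:
        observed = device(pkt)
        if observed != expected:
            mismatches.append((pkt, expected, observed))
    return mismatches

# Constructed policy (assumed for the example).
POLICY = [
    Rule("web",  "permit", "tcp", "0.0.0.0/0",   "192.168.1.10/32", (80, 80)),
    Rule("mgmt", "permit", "tcp", "10.0.0.0/24", "192.168.1.0/24",  (22, 22)),
    Rule("dns",  "permit", "udp", "10.0.0.0/8",  "192.168.1.53/32", (53, 53)),
    Rule("all",  "deny",   "any", "0.0.0.0/0",   "0.0.0.0/0",       (0, 65535)),
]

def correct_device(pkt):
    return first_match(POLICY, pkt)

def faulty_device(pkt):
    """Simulated implementation bug: the upper port bound is treated as exclusive."""
    return first_match(POLICY, pkt, inclusive_hi=False)
```

With the exclusive bound, every single-port permit rule silently stops matching and the device fails closed to the final deny; each boundary test on port 80, 22 or 53 exposes it, while a random 5-tuple would hit one of those exact ports with negligible probability.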