Similar literature
1.
Network operators heavily depend on security services to secure their information technology infrastructures. On the other hand, due to the complexity of security policies, it is not appropriate to straightforwardly use previous pathwise enforcement approaches. In this paper, the enforcement problem of the security policy on middleboxes is formulated as a weighted K set covering problem that requires a policy space analysis tool. This tool is intended to be supported on range‐represented hyperrectangles, which are tagged using a prioritized R‐tree. This methodological work initially evaluates the topological features of diverse types of policies. Hybrid firefly bat algorithm–supported heuristic information shows the inherent difficulties of security policies and provides direction for the design of the enforcement algorithm. At the same time, a scopewise policy enforcement procedure is proposed, which requires a moderate number of enforcement network nodes for organizing the various policy subsets in a greedy manner. Our results demonstrate that the proposed hybrid firefly bat algorithm with policy space analysis offers greatly improved outcomes in terms of the rule overhead, network security, packet delivery ratio, packet loss ratio, and time efficiency above the set operations of the security policy.

2.
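Research on information system security policy   Total citations: 1 (self-citations: 0, citations by others: 1)
Li Shoupeng (李守鹏), Sun Hongbo (孙红波). Acta Electronica Sinica (《电子学报》), 2003, 31(7): 977-980
Security policy is the key to information system security. The precondition for information system security is ensuring that the security policy is complete, correct and consistent. The complexity of a security policy is closely related to the complexity of the system itself. A security policy must be effectively enforced. This paper studies the enforcement, requirements and consistency of security policies, and gives a consistency theorem and a consistency-checking method for access control policies.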

3.
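Based on an analysis of the importance of intranet security management, this paper proposes a design for an internal network security management system on the theoretical basis of the P2DR model. It analyzes the five stages involved in such a system: security policy, management support, policy enforcement, monitoring and response, and audit. It then selects feasible development tools, designs and analyzes the workflows of the client and server programs, and finally analyzes the structure of the communication messages. The content of this paper can serve as a reference for related theoretical analysis.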

4.
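With the development of modern network technology and the ever-deepening use of network applications, traditional network firewalls can no longer meet requirements, and a product that can secure every network endpoint is urgently needed. Distributed firewalls bring distributed object technology into firewall technology and can define different security levels for different endpoints, while the security policy is enforced by the network hardware.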

5.
Language-based information-flow security   Total citations: 27 (self-citations: 0, citations by others: 27)
Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker through the attacker's observations of system output; this policy regulates information flow. Conventional security mechanisms such as access control and encryption do not directly address the enforcement of information-flow policies. Previously, a promising new approach has been developed: the use of programming-language techniques for specifying and enforcing information-flow policies. In this paper, we survey the past three decades of research on information-flow security, particularly focusing on work that uses static program analysis to enforce information-flow policies. We give a structured view of work in the area and identify some important open challenges.

6.
The major challenge in wireless body area networks (WBAN) is setting up a protected communication between data consumers and a body area network controller while meeting the security and privacy requirements. This paper proposes efficient and secure data communication in WBANs using a Twofish symmetric algorithm and ciphertext‐policy attribute‐based encryption with constant size ciphertext; in addition, the proposed scheme incorporates policy updating to update access policies. To the best of the author's knowledge, policy updating in WBAN has not been studied in earlier works. The proposed scheme is evaluated in terms of message size, energy consumption, and computation cost, and the results are compared with those of existing schemes. The result shows that the proposed method can achieve higher efficiency than conventional methods.

7.
Taxonomy of conflicts in network security policies   Total citations: 5 (self-citations: 0, citations by others: 5)
Network security policies are essential elements in Internet security devices that provide traffic filtering, integrity, confidentiality, and authentication. Network security perimeter devices such as firewalls, IPSec, and IDS/IPS devices operate based on locally configured policies. However, configuring network security policies remains a complex and error-prone task due to rule dependency semantics and the interaction between policies in the network. This complexity is likely to increase as the network size increases. A successful deployment of a network security system requires global analysis of policy configurations of all network security devices in order to avoid policy conflicts and inconsistency. Policy conflicts may cause serious security breaches and network vulnerability such as blocking legitimate traffic, permitting unwanted traffic, and insecure data transmission. This article presents a comprehensive classification of security policy conflicts that might potentially exist in a single security device (intrapolicy conflicts) or between different network devices (interpolicy conflicts) in enterprise networks. We also show the high probability of creating such conflicts even by expert system administrators and network practitioners.

8.
Information‐centric networking (ICN) has emerged as a promising candidate for designing content‐based future Internet paradigms. ICN increases the utilization of a network through location‐independent content naming and in‐network content caching. In routers, cache replacement policy determines which content is to be replaced in the case of cache free space shortage. Thus, it has a direct influence on user experience, especially content delivery time. Meanwhile, content can be provided from different locations simultaneously because of the multi‐source property of the content in ICN. To the best of our knowledge, no work has yet studied the impact of cache replacement policy on the content delivery time considering multi‐source content delivery in ICN, an issue addressed in this paper. As our contribution, we analytically quantify the average content delivery time when different cache replacement policies, namely, least recently used (LRU) and random replacement (RR) policy, are employed. As an impressive result, we report the superiority of these policies in terms of the popularity distribution of contents. The expected content delivery time in a supposed network topology was studied by both theoretical and experimental methods. On the basis of the obtained results, some interesting findings of the performance of used cache replacement policies are provided.

9.
10.
The basic principle of the Internet is to connect intelligent terminals via a relatively simple network made up of routers. This principle was broken by the introduction of so-called middleboxes, e.g. firewalls. These network elements, mostly interconnected between clients and servers for security reasons, lead to many problems in the Voice over IP-telephony. Using additional protocols that control the middleboxes, these problems can be solved. UPnP and MIDCOM are two of the most important approaches. This article compares the two protocols and shows their potential in connection with VoIP.

11.
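Research and implementation of a role-based domain and type enforcement access control model   Total citations: 2 (self-citations: 1, citations by others: 2)
A secure system can meet practical needs only if it supports multiple security policies. Role-Based Access Control (RBAC) is a new, policy-neutral model with which a variety of security policies have already been implemented. The Domain and Type Enforcement (DTE) security policy fully embodies the security principles of least privilege and separation of duty, but RBAC96 is not well suited to implementing DTE directly. Drawing on the ideas of RBAC and DTE, this paper proposes the Role-Based Domain and Type Enforcement Access Control (RDTEAC) model. The model inherits the advantages of RBAC96, embodies the security ideas of DTE, and makes DTE security policies easy to implement. In addition, we have implemented a prototype of the RDTEAC model on Linux.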

12.
Man Li. IEEE Network, 2003, 17(6): 36-43
Security is vital to the success of e-commerce and many new value-added IP services. As a consequence, IPsec is an especially important security mechanism in that it provides cryptographic-based protection mechanisms for IP packets. Moreover, in order for IPsec to work properly, security policies that describe how different IP packets are protected must be provisioned on all network elements that offer IPsec protection. Since IPsec policies are quite complex, manually configuring them on individual network elements is inefficient and therefore infeasible for large-scale IPsec deployment. Policy-based IPsec management strives to solve this problem: Policy-based management employs a policy server to manage a network as a whole; it translates business goals or policies into network resource configurations and automates these configurations across multiple different network elements. Policy-based IPsec management significantly simplifies the task of defining, deploying, and maintaining security policies across a network, thereby significantly simplifying large-scale IPsec deployment. This article describes the motivations, key concepts, and recent IETF developments for policy-based IPsec management. It then applies the key concepts to an example IPsec VPN service provisioning and further describes an example of an IPsec policy server as well as experience gained from implementing such a server. Challenges facing policy-based IPsec management are also discussed.

13.
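Security analysis of access control policies based on weighted entropy   Total citations: 1 (self-citations: 0, citations by others: 1)
Wang Chao (王超), Chen Xingyuan (陈性元). Acta Electronica Sinica (《电子学报》), 2013, 41(1): 47-51
To address the security analysis of access control policies, a quantitative policy analysis theory based on information entropy is proposed. First, policy security entropy is defined using the notion of weighted entropy from information theory, and a method for computing the maximum uncertainty of unauthorized access behavior is proposed. Then the one-dimensional and N-dimensional security entropy of typical access control policies are given, and the results are proved. Finally, the security of typical access control policies is analyzed on the basis of security entropy.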

14.
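A new method for solving the IPsec/VPN security policy problem is proposed. Security operations on all inbound and outbound traffic are determined by the security policy, so specifying and configuring the policy correctly is very important. At present, IPsec security policies are configured manually on each individual security gateway, which is very inefficient and error-prone. In this method, according to the given requirements, the whole traffic flow is divided into mutually unrelated bundles, the subset of requirements that each bundle must satisfy is found, and a policy carrying out the operations required for each bundle is then generated. This not only greatly reduces the administrator's workload but also ensures that the policies are correct.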

15.
Pan Li (潘理), Liu Ning (柳宁), Zi Xiaochao (訾小超). China Communications (《中国通信》), 2013, 10(3): 67-75
The rapid increase in resource sharing across domains in the cloud computing environment makes the task of managing inter-domain access control policy integration difficult for the security administrators. Although a number of policy integration and security analysis mechanisms have been developed, few focus on enabling the average administrator by providing an intuitive cognitive sense about the integrated policies, which considerably undermines the usability factor. In this paper we propose a visualization framework for inter-domain access control policy integration, which integrates Role Based Access Control (RBAC) policies on the basis of role-mapping and then visualizes the integrated result. The role mapping algorithm in the framework considers the hybrid role hierarchy. It can not only satisfy the security constraints of non-cyclic inheritance and separation of duty but also make visualization easier. The framework uses role-permission trees and semantic substrates to visualize the integrated policies. Through the interactive policy query visualization, the average administrator can gain an intuitive understanding of the policy integration result.

16.
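A fully automatic detection method for JVM runtime library security policies   Total citations: 1 (self-citations: 0, citations by others: 1)
The JVM runtime library can implement a variety of security policies by calling the security manager class among its own library functions. One very important policy is that a program must undergo the corresponding access-control permission check before performing a sensitive operation. Traditionally, manual analysis has been relied on to ensure that the JVM runtime library satisfies this policy; because the Java standard class library covers thousands of classes and tens of thousands of methods and is evolving rapidly, manual analysis is time-consuming, laborious and error-prone. This paper proposes a fully automatic, efficient and fast model-checking method to assess whether a JVM complies with this policy: it scans the bytecode files of the Java standard class library, generates control flow graphs for class member methods, and, by defining a checking model and combining it with taint analysis, computes method summaries and automatically detects risky methods.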

17.
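Internet firewall security   Total citations: 1 (self-citations: 0, citations by others: 1)
This paper first raises the security issues of connecting to the Internet and then briefly outlines the general framework of a security policy. Firewall technology is the core of the paper, which gives a systematic introduction to the types, functions and characteristics of firewalls.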

18.
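Liu Jiang (刘江), Zhang Hongqi (张红旗), Liu Yi (刘艺). Acta Electronica Sinica (《电子学报》), 2018, 46(1): 82-89
For the problem of selecting the optimal moving target defense strategy, this paper analyzes the characteristics of attack-defense confrontation in a moving target defense environment, proposes a method for quantifying the payoff of moving target defense strategies, builds single-stage and multi-stage game models for moving target defense based on dynamic games of incomplete information, gives an algorithm for solving the perfect Bayesian equilibrium and a method for revising prior beliefs, and obtains the optimal moving target defense strategies under different security situations. Finally, an example illustrates and verifies the feasibility and effectiveness of the models and methods, and general rules for network defense using moving target defense strategies are summarized.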

19.
Network security devices such as firewalls and intrusion detection systems are constantly updated in their implementation to accommodate new features, performance standards and to utilize new hardware optimization. Reliable, yet practical, testing techniques for validating the configuration enforcement after every new software and firmware update become necessary to assure correct configuration realization. Generating random traffic to test the firewall configuration enforcement is not only inaccurate but also impractical as it requires an infeasible number of test cases for a reasonable testing coverage. In addition, in most cases the policies used during testing are manually generated or have limited configuration profiles. We present a framework for automatic testing of the firewall configuration enforcement using efficient and flexible policy and traffic generation. In a typical test session, a large set of different policies are generated based on the access-control list (ACL) grammar and according to custom profiles. Test packets are generated to particularly consider critical segments of the tested policies and to achieve high coverage of the testing space. We also describe our implementation of a fully-automated framework, which includes ACL grammar modeling, the policy generation, test cases generation, capturing and analyzing firewall output, and creating detailed test reports. Our evaluation results show that our security configuration testing is not only achievable but it also offers high coverage with a significant degree of confidence.

20.
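In resource control platforms such as 3GPP's PCC (Policy and Charging Control) architecture and TISPAN's RACS (Resource and Admission Control Subsystem), resource control and charging are implemented on the basis of policies. In these systems, accurately detecting and effectively resolving conflicts between policies has become the key problem of policy control. Based on an analysis of the classification and detection of policy conflicts, this paper points out the problems of existing solutions and proposes a new method based on priority setting that resolves inter-policy conflicts completely and effectively.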
