Formal validation of automated policy refinement in the management of network security systems |
| |
Authors: | João Porto de Albuquerque, Heiko Krumm, Paulo Lício de Geus |
| |
Affiliation: | (1) David R. Cheriton School of Computer Science, University of Waterloo, Waterloo, Canada |
| |
Abstract: | Policy hierarchies and automated policy refinement are powerful approaches to simplify administration of security services
in complex network environments. A crucial issue for the practical use of these approaches is to ensure the validity of the
policy hierarchy, i.e. since the policy sets for the lower levels are automatically derived from the abstract policies (defined
by the modeller), we must be sure that the derived policies uphold the high-level ones. This paper builds upon previous work
on Model-based Management, particularly on the Diagram of Abstract Subsystems approach, and goes further to propose a formal
validation approach for the policy hierarchies yielded by the automated policy refinement process. We establish general validation
conditions for a multi-layered policy model, i.e. necessary and sufficient conditions that a policy hierarchy must satisfy
so that the lower-level policy sets are valid refinements of the higher-level policies according to the criteria of consistency
and completeness. Relying upon the validation conditions and upon axioms about the model representativeness, two theorems
are proved to ensure compliance between the resulting system behaviour and the abstract policies that are modelled. |
| |
Keywords: | |
This document has been indexed by SpringerLink and other databases. |
|