A Computer Network Defense Policy Refinement Method
The existing methods of policy refinement in computer network defense (CND) can only support the refinement of access control policy, but not the policies of protection, detection, response, and recovery. To solve this problem, we constructed a computer network defense policy refinement model and defined the refinement relations between high-level policy goal elements and low-level operational policy elements. We also provided formalism specifications of CND policies, including protection (i.e., access control, user authentication, encrypted communication, backup), detection (i.e., intrusion detection, vulnerability detection), response (i.e., system rebooting, shutdown) and recovery (i.e., rebuild, patch making). The semantic consistency of policy refinement was analyzed and verified, which guarantees the correctness of low-level policies refined from high-level policy goals. An algorithm for CND policy refinement was designed. Finally, the effectiveness of our methods was verified through three experimental cases: the refinement of an access control policy; composite policies combining intrusion detection, vulnerability detection, and access control; and other composite policies combining patch making and system rebooting.
Keywords: computer network defense; formalism specifications; policy refinement; semantic consistency
Zhao Wei Yanli Lv Chunhe Xia Yang Luo Qing Wei
State Key Laboratory of Virtual Reality Technology and System, Key Laboratory of Beijing Network Tec Information Center of Ministry of Science and Technology, The Ministry of Science and Technology of
Domestic conference
Zhangjiajie
English
105-118
2013-07-01 (date first posted online on the Wanfang platform; not the paper's publication date)