共查询到20条相似文献,搜索用时 23 毫秒
1.
在分析网络安全策略冲突研究现状的基础上,针对策略冲突分类不完善及现在安全策略冲突检测方法的不足,指出由于网络策略之间的规则依赖语义和规则相互作用,一个成功的网络安全系统配置需要全面分析所有网络安全设备的策略配置以避免策略冲突和矛盾.本文首先描述了过滤规则之间所有可能的关系,然后对基于过滤的网络安全策略中的冲突进行全面分类,接着通过实验指出即使是专家系统管理员,产生这种冲突的可能性也很高,并提出了内部和外部访问列表策略冲突的自动检测与恢复模型来识别和矫正这些冲突,最后讨论了今后研究的方向. 相似文献
2.
3.
Bhatti R. Bertino E. Ghafoor A. 《IEEE transactions on pattern analysis and machine intelligence》2006,32(5):330-346
Policy-based management (PBM) has been considered as a promising approach for design and enforcement of access management policies for distributed systems. The increasing shift toward federated information sharing in the organizational landscape, however, calls for revisiting current PBM approaches to satisfy the unique security requirements of the federated paradigm. This presents a twofold challenge for the design of a PBM approach, where, on the one hand, the policy must incorporate the access management needs of the individual systems, while, on the other hand, the policies across multiple systems must be designed in such a manner that they can be uniformly developed, deployed, and integrated within the federated system. In this paper, we analyze the impact of security management challenges on policy design and formulate a policy engineering methodology based on principles of software engineering to develop a PBM solution for federated systems. We present X-FEDERATE, a policy engineering framework for federated access management using an extension of the well-known role-based access control (RBAC) model. Our framework consists of an XML-based policy specification language, its UML-based meta-model, and an enforcement architecture. We provide a comparison of our framework with related approaches and highlight its significance for federated access management. The paper also presents a federation protocol and discusses a prototype of our framework that implements the protocol in a federated digital library environment. 相似文献
4.
Samiha Ayed Muhammad Sabir Idrees Nora Cuppens Frederic Cuppens 《International Journal of Information Security》2018,17(1):83-103
The dynamic configuration and evolution of large-scale heterogeneous systems has made the enforcement of security requirements one of the most critical phases throughout the system development lifecycle. In this paper, we propose a framework architecture to associate the security policies with the specification and the execution phases of applications defined for these systems. Our proposed framework is based on an aspect-oriented programming approach and on the organization-based access control model to dynamically enforce and manage the access and the usage control. The deployment of the framework modules, proposed in this paper, takes into account the changes that may occur in the security policy during the application execution. We also present the implementation as well as the evaluation of our proposition. 相似文献
5.
6.
1 引言基于多播的安全组通信技术是当今Internet上大规模信息传播应用的基础。安全多播应用情形很多,最典型的分类为单源多播(如付费点播)和多源多播(如多方视频会议),安全需求各不相同,不可能有一个统一的解决方案。 SIMM是为多播应用构造的安全基础设施,应用通过定义策略来配置安全服务,策略是连接动态的用户需求和静态的系统实现之间的桥梁。策略的定义、表示、翻译及实现等是SIMM策略框架的基本内容。 相似文献
7.
Anand R. Tripathi Devdatta Kulkarni Harsha Talkad Muralidhar Koka Sandeep Karanth Tanvir Ahmed Ivan Osipkov 《Software》2007,37(5):493-522
In this paper we present a framework for building policy‐based autonomic distributed agent systems. The autonomic mechanisms of configuration and recovery are supported through a distributed event processing model and a set of policy enforcement mechanisms embedded in an agent framework. Policies are event‐driven rules derived from the system's functional and non‐functional requirements. Agents in the network monitor the system state for policy violation conditions, generate appropriate events, and communicate them to other agents for cooperative filtering, aggregation, and handling. A set of agents perform policy enforcement actions whenever events signifying any policy violation conditions occur. Policies are defined using a specification framework based on XML. The policy enforcement agents interpret the policies given in XML. We illustrate the utility of this framework in the context of an agent‐based distributed network monitoring application. We also present an experimental evaluation of our approach. Copyright © 2006 John Wiley & Sons, Ltd. 相似文献
8.
9.
Web服务环境中,交互实体通常位于不同安全域,具有不可预见性。Web服务应该基于其他与领域无关的信息而非身份来实施访问控制,以实现对跨域未知用户的访问授权。为此,提出了适应于Web服务的基于上下文的访问控制策略模型。模型的核心思想是将各种与访问控制有关的信息统一抽象表示为一个上下文概念,以上下文为中心来制定和执行访问控制策略,上下文担当了类似基于角色的访问控制(RBAC)中角色的概念。基于描述逻辑语言(DL),定义了基于上下文的访问控制策略公理,建立了访问控制策略知识库,提出了访问控制策略的逻辑推理方法。最后基于Racer推理系统,通过实验验证了方法的可行性和有效性。 相似文献
10.
应用区域边界安全系统是一个关防系统,它在使用过程中能否达到保护应用环境安全的目标是由其安全授权规则集的完备性和一致性及对其授权的简便性决定的。应用环境中的主体是通过各种不同的应用协议对客体进行访问的,它们在通过应用区域边界安全系统时,应用区域边界安全系统将根据安全授权规则集对其访问请求进行检验,若满足安全授权规则集要求,则允许通过,反之拒绝。因此,我们根据访问请求所涉及的主体、客体、协议、安全策略等部件,给出了应用区域边界授权的体系结构,同时在给出刻画它们特性的谓词基础上,提出了易于表达安全策略的应用区域边界形式化授权模型。对此形式化模型进行编译不仅可以根据安全策略对授权的合法性进行检验,而且也可以及时发现安全策略中存在的漏洞,从而可以得到一个正确的安全授权规则集。 相似文献
11.
12.
13.
14.
With the development of policy management systems, policy-based management has been introduced in cross-domain organization collaborations and system integrations. Theoretically, cross-domain policy enforcement is possible, but in reality different systems from different organizations or domains have very different high-level policy representations and low-level enforcement mechanisms, such as security policies and privacy configurations. To ensure the compatibility and enforceability of one policy set in another domain, a simulation environment is needed prior to actual policy deployment and enforcement code development. In most cases, we have to manually write enforcement codes for all organizations or domains involved in every collaboration activity, which is a huge task. The goal of this paper is to propose an enforcement architecture and develop a simulation framework for cross-domain policy enforcement. The entire environment is used to simulate the problem of enforcing policies across domain boundaries when permanent or temporary collaborations have to span multiple domains. The middleware derived from this simulation environment can also be used to generate policy enforcement components directly for permanent integration or temporary interaction. This middleware provides various functions to enforce policies automatically or semi-automatically across domains, such as collecting policies of each participant domain in a new collaboration, generating policy models for each domain, and mapping specific policy rules following these models to different enforcement mechanisms of participant domains. 相似文献
15.
Interoperation and services sharing among different systems are becoming new paradigms for enterprise collaboration. To keep ahead in strong competition environments, an enterprise should provide flexible and comprehensive services to partners and support active collaborations with partners and customers. Achieving such goals requires enterprises to specify and enforce flexible security policies for their information systems. Although the area of access control has been widely investigated, current approaches still do not support flexible security policies able to account for different weighs that typically characterize the various attributes of the requesting parties and transactions and reflect the access control criteria that are relevant for the enterprise. In this paper we propose a novel approach that addresses such flexibility requirements while at the same time reducing the complexity of security management. To support flexible policy specification, we define the notion of restraint rules for authorization management processes and introduce the concept of impact weight for the conditions in these restraint rules. We also introduce a new data structure for the encoding of the condition tree as well as the corresponding algorithm for efficiently evaluating conditions. Furthermore, we present a system architecture that implements above approach and supports interoperation among heterogeneous platforms. 相似文献
16.
J. Milhau A. Idani R. Laleau M. A. Labiadh Y. Ledru M. Frappier 《Innovations in Systems and Software Engineering》2011,7(4):303-313
Combination of formal and semi-formal methods is more and more required to produce specifications that can be, on the one
hand, understood and thus validated by both designers and users and, on the other hand, precise enough to be verified by formal
methods. This motivates our aim to use these complementary paradigms in order to deal with security aspects of information
systems. This paper presents a methodology to specify access control policies starting with a set of graphical diagrams: UML
for the functional model, SecureUML for static access control and ASTD for dynamic access control. These diagrams are then
translated into a set of B machines. Finally, we present the formal specification of an access control filter that coordinates
the different kinds of access control rules and the specification of functional operations. The goal of such B specifications
is to rigorously check the access control policy of an information system taking advantage of tools from the B method. 相似文献
17.
18.
分布式防火墙的安全性很大程度上取决于过滤策略正确配置。过滤策略的异常可能导致分布式防火墙系统所保护的网络出现严重的访问漏洞。为了能够自动化地检测分布式防火墙过滤策略存在的异常,对分布式防火墙系统中各过滤节点上的过滤规则之间可能出现的异常进行分类,并建立了一个过滤策略异常检测的模型。该模型能够检测出分布式防火墙过滤规则之间的冗余、冲突、不完整等各种异常,从而保证了分布式防火墙过滤策略的完整性和一致性。 相似文献
19.
