Research on Information-Centric Network Security Mechanisms
Abstract
Information security must guarantee not only the security of data in local storage but also the confidentiality and integrity of data during network transmission. Current research in network security defence centres on perimeter protection; as network vulnerabilities multiply and attack techniques develop, traditional perimeter-centric passive defence strategies struggle to cope with the ever-growing security threats. This thesis proposes shifting the focus of network security work from perimeter protection to the direct protection of information. On that basis, it proposes an information-centric security model that protects information throughout its entire lifecycle. In the model, all data takes one of two forms, stored or in transit: information in transit can be understood as a dynamic form of data storage, and the network as a large storage device. Any data can therefore be regarded either as static information stored on a computer or as dynamic information stored on the network.
Based on this idea, the thesis focuses on mechanisms for protecting information flowing across the network, explores how the model applies on the network, designs a system application scheme, and implements some of its key modules. During network communication a different key is used for each resource, and application-layer data is transmitted encrypted, so that access to a specific resource is controlled wherever it is stored. At the application layer, system security policies are configured and a URI database is introduced to record the resource objects that must be encrypted and monitored. At the kernel layer, every network packet entering or leaving the host is analysed and, according to the application-layer security policy, either transmitted encrypted or handled by another system response. The system identifies file-transfer behaviour during communication by analysing the individual application-layer protocols, effectively preventing the leakage of confidential and private information. These kernel-layer functions are implemented with packet-interception technology based on an NDIS intermediate driver, which intercepts thoroughly and is secure and efficient.
Experiments show that the system can effectively intercept, monitor and process all network packets, guaranteeing the legitimacy and security of information transmission. The system is stable, efficient and simple to manage; it suits small and medium-sized networks and personal hosts, meeting the needs of highly security-sensitive organisations and some individuals, and it is extensible.
Information security includes not only guaranteeing the security of locally stored data but also the confidentiality and integrity of data in the process of communication. Research on network security at present is carried out mainly around network perimeter security. With the fast increase of network vulnerabilities and the development of attack technology, it has become harder and harder for traditional perimeter-centric passive defense strategies to tackle security threats. This paper argues that the primary work of network security should change from perimeter protection to direct information protection. To protect information in its entire lifecycle, this paper proposes an information-centric security model. In this model there are two data statuses, storage and transmission. Transferred information can be considered a kind of dynamic storage, and the network can be considered a large storage device. Hence, any data can be regarded as static information in a storage device or dynamic information in the process of communication.
Based on the above thought, this paper emphasizes research on protecting dynamic information in transmission. In the process of network communication, a user key is used to encrypt the application-layer payload of packets carrying different resources. This implements access control for a specific resource anywhere. At the application layer, security strategies are deployed and a URI database is introduced to record the resource objects that need to be encrypted and monitored. At the kernel layer, all network packets passing in and out are analyzed, then encrypted or otherwise responded to according to the security strategies. What's more, the system can identify file transmission through analysis of the application protocol, preventing the leakage of confidential and private information. The system uses packet capture technology based on NDIS to implement the above functions effectively.
The experiments prove that the system can capture and monitor all network packets effectively, and achieve the validity and security of information transmission. The system has stable performance, high efficiency and easy management, which makes it suitable for middle- and small-scale networks and personal hosts, with good expansibility.
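The abstract describes a three-part mechanism: a URI database holding the security policy, a per-resource key for application-layer encryption, and a kernel-layer interceptor that analyses application protocols to recognise file transfers. The Python below is an added example, not code from the thesis or from its NDIS driver, that simulates that policy engine in user space. Its assumptions: HTTP is the only application protocol parsed; the URI database, master key and request payloads are constructed for the demonstration; and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the authenticated cipher (for instance AES-GCM) that a deployed system would use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    PASS = "pass"        # forward unchanged
    MONITOR = "monitor"  # forward, but record the transfer
    ENCRYPT = "encrypt"  # encrypt the application-layer body under the resource key


# Constructed URI database (the abstract's policy store); longest prefix wins.
URI_DB = {
    "/public/": (Action.PASS, None),
    "/upload/": (Action.MONITOR, None),
    "/confidential/": (Action.ENCRYPT, "k-confidential"),
    "/confidential/hr/": (Action.ENCRYPT, "k-hr"),
}

# Constructed master secret; a deployed system keeps this in protected storage.
MASTER_KEY = b"demo-master-key-not-for-production"


@dataclass
class Decision:
    uri: str
    action: Action
    key_id: Optional[str]
    file_transfer: bool
    payload: bytes  # what actually leaves the host


def lookup_policy(uri: str):
    """Longest-prefix match of the request URI against URI_DB; default PASS."""
    match = max((p for p in URI_DB if uri.startswith(p)), key=len, default=None)
    return URI_DB[match] if match else (Action.PASS, None)


def resource_key(key_id: str, purpose: bytes) -> bytes:
    """Per-resource subkey derived with HMAC as a PRF; enc and mac keys differ."""
    return hmac.new(MASTER_KEY, key_id.encode() + b"|" + purpose, hashlib.sha256).digest()


def parse_http_request(payload: bytes):
    """Split an HTTP request into method, URI, lower-cased headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def is_file_transfer(method: str, headers: dict) -> bool:
    """Protocol-analysis heuristic: uploads whose body is a file."""
    ctype = headers.get("content-type", "")
    return method in ("POST", "PUT") and (
        "multipart/form-data" in ctype or "application/octet-stream" in ctype
    )


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in PRF keystream."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key_id: str, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = nonce or os.urandom(16)
    enc_key, mac_key = resource_key(key_id, b"enc"), resource_key(key_id, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key_id: str, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject altered data."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(resource_key(key_id, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: payload altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(resource_key(key_id, b"enc"), nonce, len(ct))))


def process_outbound(payload: bytes) -> Decision:
    """The interceptor's decision for one outbound request (the NDIS hook point)."""
    method, uri, headers, body = parse_http_request(payload)
    action, key_id = lookup_policy(uri)
    transfer = is_file_transfer(method, headers)
    if action is Action.ENCRYPT:
        head = payload[: len(payload) - len(body)]  # keep request line and headers
        payload = head + seal(key_id, body)
    return Decision(uri, action, key_id, transfer, payload)
```

The separation of enc and mac subkeys, the nonce prefix, and the constant-time tag comparison are the parts worth keeping when a real cipher replaces the HMAC keystream; the header passthrough ignores Content-Length, which a production interceptor would have to rewrite.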