CN103049700B - Conflict detection system and method for computer network defense (CND) policy - Google Patents

Conflict detection system and method for computer network defense (CND) policy

Info

Publication number: CN103049700B
Application number: CN201310032527.8A
Authority: CN (China)
Prior art keywords: policy, strategy, cnd, tuple, relation
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN103049700A
Inventors: 夏春和, 罗杨, 魏昭, 李亚卓, 梁晓艳
Current assignee: Beihang University
Original assignee: Beihang University
Timeline: application filed by Beihang University with priority to CN201310032527.8A; published as CN103049700A; application granted and published as CN103049700B; current legal status Expired - Fee Related.

Landscapes: Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to a conflict detection system and method for a computer network defense (CND) policy. According to the method, a CND policy description file is read and parsed with a lexical parser and a syntax parser; an initial policy ontology is constructed manually with an ontology modeling tool and contains only the concepts of the policy tuples in a CND policy and the relationships among those concepts, not policy instances or the relationships among instances; a local policy ontology including the policy instances is generated from the initial policy ontology and the loaded and parsed policy ordered set, the semantic inclusion relationships among the tuples are then obtained from the semantic mapping of the policy tuples in a defense policy information base, and a CND policy semantic model is built on those inclusion relationships; a relation graph of all policy tuples is built and traversed, and the relationships among the policy tuples are obtained by analysis; and by comparing measures, the policy conflict analysis is completed, with the objects, types and causes of each conflict finally reported by the algorithm in the form of a conflict report. With the system and method, conflicts are detected more effectively, security problems such as unauthorized access are less likely to occur, and the security of a computer network system is greatly improved.

Description

Conflict detection system and detection method for computer network defense policy
Technical field
The present invention relates to a conflict detection system and detection method for computer network defense policy. It belongs to the field of computer network security technology, concerns the problem of policy configuration in computer network defense, and extends the idea of rule conflict detection from the low-level descriptions used by network security devices such as firewalls to the high-level description of CND policy.
Background technology
In recent years, with the development of computer science and technology, networks have become large-scale and distributed, and the number of policies that must be configured in a system, and of the personnel who configure them, keeps growing. As a consequence, network defense policies become progressively harder to maintain, conflicts arise easily during policy configuration, and the security of the whole system suffers. Policies are converted into rules on the defensive devices either by an administrator or by automatic configuration software. Current automatic configuration software performs the conversion from policy to defense rules mechanically: if the policy set contains a conflict but is syntactically correct, the software still executes it, because it cannot discover policy conflicts at the semantic level. The result is that the network contains implicit access paths, or implicitly denied paths, leading to serious consequences such as leakage of private information or the blocking of legitimate communication. When an administrator converts policies into defense rules by hand, the same problem occurs, owing to the scale of the policy set and the complexity of the interactions among policy semantics.
Therefore, both to improve the security of the system and to keep the defense system operating efficiently, conflict detection before a policy is enforced is particularly important.
First, many researchers have analysed the problem of policy rule conflicts and carried out a large amount of research with many results. It must be noted, however, that most of this work solves a specific policy management problem, or focuses on a series of access control policy conflict detection problems such as conflicts among policy rules; the conflict detection of detection and response policies in CND policy (Computer Network Defence, CND) has rarely been addressed. A CND policy is a rule by which a computer network and information system selects defensive measures under given conditions in order to achieve a specific security objective. Given the importance of computer network defense to network security, and of CND policy conflict detection to computer network defense, research on conflict detection for CND policy is highly significant.
Secondly, this technology lets the system detect conflicts that may arise at the policy level, and so avoids the situation in which a contradictory policy set is nevertheless converted into executable low-level rules, producing unsafe execution results and affecting the security of the whole system. On the other hand, conflict detection at the policy level is more efficient than conflict detection at the level of low-level rules, and has better flexibility and extensibility. Therefore, from the standpoint of both system security and the operational efficiency of the defense system, research on conflict detection technology for CND policy is highly significant.
Summary of the invention
The problem solved by the technology of the present invention: to overcome the deficiencies of the prior art by providing a conflict detection system and detection method for computer network defense policy that detects conflicts more effectively, makes security problems such as unauthorized access less likely to occur, and greatly improves the security of computer network systems.
Technical solution of the present invention: the conflict detection system for computer network defense policy comprises a file reading and result display module, a policy preprocessing module, a policy semantic modeling module and a policy conflict detection module, wherein:
File reading and result display module: responsible for reading the input files and outputting the results; the inputs are a CND policy description file and a CND initial policy ontology file, and the output is a conflict detection report. In addition, the system maintains a defense policy information base, which stores the semantic mapping information of policy tuples and the direct containment information of policy tuples, so that the containment relations among policy tuples can be analysed. In the concrete design the defense policy information base is implemented with the SQL Server database management language, with policy tuple semantic mapping information and policy tuple direct containment information stored in separate data tables;
Policy preprocessing module: responsible for parsing the input CND policy description file and producing the CND policy ordered set as output. The policy parsing procedure parses each policy in the CND policy description file according to the syntax format of the CND policy description language; a policy, or policy tuple, consists of six elements: organization, role, activity, view, context and measure;
Policy semantic modeling module: completes the semantic modeling of CND policy and consists of three submodules: the initial policy ontology import submodule, which imports and parses the CND initial policy ontology file described in the OWL language; the policy instance loading submodule, which loads the CND policy ordered set produced by the policy preprocessing module and, after conversion, forms the local policy ontology; and the policy tuple semantic mapping submodule, which then determines the relations among policy tuples and finally builds the CND policy semantic model;
Policy conflict detection module: performs conflict detection for the CND policy ordered set. First, on the basis of the CND policy semantic model that has been built, it generates the directed graph of each tuple relation of the policies and judges the relations among tuples; secondly, according to the relations between corresponding tuples of the policies, it traverses the generated policy tuple relation digraphs to analyse the relations among policies; finally, from the relations among policies and a comparison of whether their measures contradict, it determines the policy conflicts and their types.
The conflict detection method for computer network defense policy comprises the following steps:
(1) Parse the input CND policy description file with a lexical analyser and a syntax parser built with Lex and Yacc, extracting the organization, role, activity, view, context and measure elements of each policy, and generate the CND policy ordered set;
(2) Import into the detection system and parse the CND initial policy ontology, constructed manually with the ontology modeling tool Protégé and described in the OWL language. The CND initial policy ontology file is written in the ontology language OWL; describing it as an ontology makes the relations between concepts, between concepts and objects, and between objects explicit in policy conflict detection, greatly reducing the misunderstanding that concepts and logical relations in the problem domain may otherwise cause. The CND initial policy ontology file contains the definition of CND policy concepts and their relations, and the declaration of policy instances and their relations. The policy ordered set obtained in step (1), together with the CND initial policy ontology, forms the local policy ontology; by policy tuple semantic mapping, the relations among policy tuples are determined and the CND policy semantic model is finally built;
(3) Maintain a defense policy information base in the system, which stores the semantic mapping information of policy tuples and the direct containment information of policy tuples, so that the containment relations among policy tuples can be analysed. In the concrete design the defense policy information base is implemented with the SQL Server database management language, with policy tuple semantic mapping information and policy tuple direct containment information stored in separate data tables;
(4) Perform conflict detection for the CND policy ordered set: first, on the basis of the CND policy semantic model built in step (2), use the policy mapping relations in the defense policy information base of step (3) to generate the directed graph of each tuple relation of the policies and judge the relations among tuples. Here the directed graph, in the sense of graph theory, describes the inheritance relations among policy tuples such as roles, views and activities: when two nodes are connected, the policy tuples corresponding to those two nodes are in a containment relation. The data structure used for the directed graph is the adjacency list: one singly linked list is created for each node in the graph. A list node consists of three fields: the adjacent node field, which denotes a node directly contained by the current node; the link field, which points to the other nodes contained by the current node; and the data field, which stores the information associated with the node, here the policy tuple content. A head node consists of a node field, which denotes the node in the graph, and a data field, which stores the information of the current node;
(5) According to the relations between the corresponding tuples of each policy from step (4), traverse the generated policy tuple relation digraphs with the proposed conflict detection algorithm to analyse the relations among policies, and finally determine the policy conflicts and their types from the relations among policies and a comparison of whether their measures contradict. The conflict detection algorithm comprises the following parts: initializing the contextual policy representation; checking whether contexts overlap; initializing the organizations, roles, activities, views, contexts and measures that exist in the system; checking whether roles overlap; checking whether views overlap; checking whether activities overlap; checking whether measures contradict; and displaying the conflicting policies and the conflict type. The concrete steps are as follows: (a) the algorithm first builds the relation graph of each policy tuple according to the CND policy semantic model; (b) by traversing the relation graph, it analyses the relations among policy tuples; (c) on this basis it derives the relation between two defense policies, and then completes the policy conflict analysis by comparing the measure tuples; (d) finally, the algorithm outputs the objects, types and causes of the conflicts in the form of a conflict report, completing the conflict detection of the CND policy.
Compared with existing technical methods, the beneficial effects of the present invention are:
(1) A semantic modeling method for CND policy is proposed. For CND policy, a Computer Network Defence Policy Specification Language (CNDPSL) is adopted; this language can uniformly describe protection, detection and response policies in computer network defense, so that conflict detection need not be carried out on the low-level rules of particular devices, which greatly improves the generality of the method.
(2) A classification method for CND policy conflicts and a formal representation of each conflict class are given. Building on existing classification methods for policy conflicts, a classification method for CND policy conflicts is studied and a formal representation of each conflict type is provided. The concrete conflict types are imported by reading conflict rules, so the conflict types to be detected can be added or deleted dynamically, which gives good extensibility.
(3) A conflict detection method for CND policy is given. On the basis of the CND policy semantic model and the conflict classification, and in combination with existing policy conflict detection algorithms, a conflict detection algorithm suitable for CND policy is studied; it reports the location, type and cause of each conflict, which helps the policy administrator resolve conflicts promptly. Existing policy conflict detection technology lacks detection of information such as the cause of a conflict, its type and the position of the policies in which it occurs.
Description of the drawings
Fig. 1 is the functional structure diagram of the CND policy conflict detection system of the present invention;
Fig. 2 is the structure diagram of the CND policy model of the present invention;
Fig. 3 is the flow chart of the CND policy semantic modeling algorithm of the present invention;
Fig. 4 is the UML diagram of the initial policy ontology of the present invention;
Fig. 5 is the flow chart of the interpretation of the CND policy description file of the present invention;
Fig. 6 is the flow chart of the CND policy conflict detection algorithm of the present invention;
Fig. 7 shows the directed graph model of the present invention and its corresponding adjacency list representation.
Detailed description of the invention
As shown in Figure 1, the conflict detection system for computer network defense policy of the present invention is composed of the file reading and result display module, the policy preprocessing module, the policy semantic modeling module and the policy conflict detection module.
The implementation procedure of the whole system is as follows:
(1) The CNDPSL language model is given first
The CNDPSL language is oriented to the Computer Network Defence Policy Model (CNDPM), whose structure is shown in Fig. 2, and can uniformly describe protection, detection and response policies. CNDPSL is a declarative language that abstracts the behaviour controlled by network defense; it has good flexibility, extensibility and adaptability to network defense requirements.
A defense policy described in CNDPSL is a black box related to organization, role, view and activity. According to the definitions of the parts of the model, a policy is formally defined as a 6-tuple:
POLICY ::= <org, r, a, v, c, m>
where org ∈ ORG, r ∈ ROLE, a ∈ ACTIVITY, v ∈ VIEW, c ∈ CONTEXT, m ∈ MEASURE.
Among the entities of a policy there is a partial function relation:
F: ORG × R × A × V × C → M
In all policies, the organization is a network security domain, and the value of each policy tuple is a defined set.
(2) The classification of CND policy conflicts is given
According to whether policy semantics must be introduced in the CND policy conflict detection process, policy conflicts are divided into syntactic conflicts and semantic conflicts, where detecting a syntactic conflict does not require the semantics of the policies; secondly, according to the relations between the CND policies, semantic conflicts are further divided into containment conflicts and correlation conflicts.
Definition 1 (syntactic conflict): the state in which two policies within the same organization have identical context, role, view and activity tuple names, and their measures cannot be satisfied simultaneously. Detecting this kind of conflict does not require understanding the semantics of the policies; whether the policies conflict can be determined at the syntactic level alone. It is expressed as follows:
CNDPCONFLICT = ({CNDP_i, CNDP_j}, ξ_conflict), CNDP_i, CNDP_j ⊆ CNDPOLICY, ξ_conflict = (Role_i = Role_j, View_i = View_j, Activity_i = Activity_j, Context_i = Context_j, Measure_i ≠ Measure_j)
Definition 2 (semantic conflict): the state in which two policies within the same organization have a common scope of action in role, view, activity and context, and their measures cannot be satisfied simultaneously. Detecting this kind of conflict requires understanding the semantics of each tuple of the policies. It is expressed as follows:
Definition 3 (containment conflict): a kind of semantic conflict in which two policies within the same organization have a common scope of action in context, role, view and activity, and a containment matching relation holds between the two policies in every tuple, so that their measures cannot be satisfied simultaneously. It is expressed as follows:
Definition 4 (correlation conflict): a kind of semantic conflict in which two policies within the same organization have a common scope of action in context, role, view and activity, and a correlation relation holds between the two policies, so that their measures cannot be satisfied simultaneously. It is expressed as follows:
For any pair of CND policies, policy1 and policy2: by the definitions, when the measure tuples of the policies are inconsistent, if there is a pair of corresponding policy tuples that do not overlap, i.e. whose intersection is the empty set, then the conflict status of this policy pair is no conflict; otherwise, when all intersections are non-empty, if there is a pair of policy tuples in an overlap relation then the conflict status of the pair is a correlation conflict, and otherwise it is a containment conflict. The initial state assumes the two policies are unrelated; the corresponding policy tuples are then compared step by step. Comparing roles: if the intersection of the roles is the empty set, the two policies do not conflict, and the procedure jumps directly to the no-conflict state. Otherwise, if the roles intersect and their relation is containment, the conflict status between the policies may be a containment conflict, a correlation conflict or no conflict; if the roles intersect and their relation is overlap, the conflict status may be a correlation conflict or no conflict. The relations of the other corresponding policy tuples are then judged in turn by a similar process. Through these comparison steps the conflict status between the two policies, namely whether a conflict exists and its type, is finally determined.
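The pairwise comparison procedure described above, written out as an added Python example (it is not the patent's code; the patent's system is built with Lex/Yacc, OWL and SQL Server). It assumes each policy is given as the 6-tuple <org, r, a, v, c, m> with role, view, activity and context as sets of objects, that two measures contradict exactly when they differ, and that the organization must match; the policy values, names and the helper functions are constructed for the illustration.

```python
from itertools import combinations

# Constructed example, not the patent's code: each policy is a dict holding
# the six CNDPSL tuple elements. The set-valued tuples are assumed to hold
# the objects (domain members) a policy applies to.
SET_TUPLES = ("role", "view", "activity", "context")


def tuple_relation(a, b):
    """Relation between two tuple value sets, from the set standpoint:
    'disjoint' (empty intersection), 'equal', 'contains' (one is a subset
    of the other) or 'overlap' (they intersect without containment)."""
    if not (a & b):
        return "disjoint"
    if a == b:
        return "equal"
    if a <= b or b <= a:
        return "contains"
    return "overlap"


def measures_contradict(m1, m2):
    """Assumption: two measures cannot be satisfied simultaneously exactly
    when they differ (e.g. permit vs deny). A real system would take this
    from the defense policy information base."""
    return m1 != m2


def conflict_type(p, q):
    """Classify a policy pair per Definitions 1-4 of the patent.
    Returns 'none', 'syntactic', 'containment' or 'correlation'."""
    # All definitions require the same organization (network security domain)
    # and contradicting measures.
    if p["org"] != q["org"] or not measures_contradict(p["measure"], q["measure"]):
        return "none"
    rels = {k: tuple_relation(p[k], q[k]) for k in SET_TUPLES}
    # A pair of corresponding tuples with empty intersection -> no common scope.
    if "disjoint" in rels.values():
        return "none"
    # All tuple names identical -> detectable at the syntactic level alone.
    if all(r == "equal" for r in rels.values()):
        return "syntactic"
    # All intersections non-empty: an overlap anywhere -> correlation conflict;
    # otherwise every tuple pair is equal or contained -> containment conflict.
    if "overlap" in rels.values():
        return "correlation"
    return "containment"


def conflict_report(policies):
    """Conflict report over an ordered policy set: for every conflicting pair
    give the positions of the source policies, the conflict type and, as the
    cause, the relation of each tuple pair plus the contradicting measures."""
    report = []
    for (i, p), (j, q) in combinations(enumerate(policies), 2):
        kind = conflict_type(p, q)
        if kind == "none":
            continue
        report.append({
            "policies": (i, j),
            "type": kind,
            "reason": {k: tuple_relation(p[k], q[k]) for k in SET_TUPLES},
            "measures": (p["measure"], q["measure"]),
        })
    return report


def make_policy(org, role, view, activity, context, measure):
    return {"org": org, "role": set(role), "view": set(view),
            "activity": set(activity), "context": set(context),
            "measure": measure}


# Constructed ordered policy set for the demonstration.
POLICIES = [
    make_policy("dmz", {"admin", "operator"}, {"web_server"}, {"login"}, {"work_hours"}, "permit"),
    make_policy("dmz", {"operator"}, {"web_server"}, {"login"}, {"work_hours"}, "deny"),
    make_policy("dmz", {"operator", "auditor"}, {"web_server"}, {"login"}, {"work_hours"}, "deny"),
    make_policy("dmz", {"guest"}, {"web_server"}, {"login"}, {"work_hours"}, "deny"),
    make_policy("dmz", {"admin", "operator"}, {"web_server"}, {"login"}, {"work_hours"}, "deny"),
    make_policy("lan", {"admin", "operator"}, {"web_server"}, {"login"}, {"work_hours"}, "deny"),
]

if __name__ == "__main__":
    for entry in conflict_report(POLICIES):
        print(entry)
```

Against the constructed set, policy 0 conflicts with policy 1 (role containment, every other tuple equal), with policy 2 (roles overlap) and with policy 4 (all tuple names identical, so a syntactic conflict); policy 3 is disjoint in role and policy 5 is in another organization, so neither conflicts with it, and pairs whose measures agree are skipped before any tuple is compared.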
(3) The CND policy semantic modeling algorithm is given
For the semantic modeling activity introduced in the CND policy conflict detection model, this section gives an algorithm whose flow chart is shown in Fig. 3. The principle of the algorithm is described first, followed by its pseudocode and analysis; the content of the algorithm is introduced in detail below.
Combining ontology modeling theory with the concepts of CND policy of the present invention and the relations among them, the initial policy ontology is built with the Protégé tool of Stanford University. The initial policy ontology contains only the concepts of the policy tuples in CND policy and the relations among those concepts, without policy instances or their relations. Fig. 4 is the UML diagram of the initial policy ontology; it describes the policy tuple concepts contained in a CND policy, such as context, role, view, activity and measure, together with policy class information such as protection, detection and response, laying the foundation for the semantic modeling module.
The CND policy description file is read; every policy in the file is a defense policy conforming to the CNDPSL syntax format. After the policies in the CND policy description file are received, the policies in the file are interpreted line by line, the CNDPSL policies are recognized, and the CND policy ordered set is generated. The logic of the interpretation is shown in Fig. 5. In syntactic analysis, each CND policy is recognized according to the BNF description of CNDPSL; for each CND policy the corresponding API interface of the policy engine is called and the parameters are passed to the relevant module of the policy engine, which completes the final semantic analysis, and the result is stored in the defense policy information base.
From the initial policy ontology and the loaded and parsed CND policy ordered set, the local policy ontology containing the policy instances is generated; then, from the semantic mapping of policy tuples in the defense policy information base, the semantic containment relations among tuples are derived, and on this basis the CND policy semantic model is built, laying the foundation for the subsequent generation of policy tuple relation graphs and for conflict detection. The semantic relations of policy tuples are stored in a map data structure: each key stores a tuple of a policy, and the corresponding value stores the information of the other tuples this tuple contains, both directly and indirectly; using this data structure improves the efficiency of judging tuple relations and hence of conflict detection.
(4) The CND policy conflict detection algorithm based on the directed graph model is given
This algorithm performs the conflict detection for CND policy. The algorithm first builds the relation graph of each policy tuple according to the CND policy semantic model; secondly, by traversing the relation graph, it analyses the relations among policy tuples and on this basis derives the relation between two CND policies; then it completes the policy conflict analysis by comparing the measure tuples; finally it outputs the objects, types and causes of the conflicts in the form of a conflict report, completing the conflict detection of the input CND policy ordered set. Fig. 6 gives the flow chart of the algorithm. The principle of the algorithm comprises the following parts:
1. Policy tuple description
In a computer network defense environment, each tuple in an organization can be regarded as a domain structure, which is the concept of a set; in set theory it is described as a domain:
The relation between domains is similar to the relation between sets: containment, intersection and unrelatedness.
Containment: A ⊆ B
Intersection:
Unrelated:
The relation between a domain and an object is essentially the relation between a set and an element: membership and non-membership.
Member: e ∈ U
Not a member: e ∉ U
2. Directed graph model
Let G = (V, E) be a directed graph, where the node set is V = {x | x ∈ object ∨ x ∈ domain}, i.e. a node in the graph may be an object or a set of objects; the directed edge set is E = {(x, y) | p(x, y) ∨ (x, y ∈ V)}, where p(x, y) is an arc from x to y; a path is a node sequence (v_i, v_{i+1}, v_{i+2}, ..., v_j) with (v_k, v_{k+1}) ∈ E, i ≤ k < j and v_i ≠ v_j. If a path exists from node v_i to node v_j, then v_i and v_j are connected and v_i is said to contain v_j.
When there is a path between nodes v_i and v_j, node v_i is said to contain v_j, written contain(v_i, v_j); formally, contain(v_i, v_j) ⟺ v_j ⊆ v_i. If j − i = 1, then i directly contains j; if contain(v_i, v_j) holds and j − i > 1, then i indirectly contains j.
When conflict detection is performed, the tuples in the policies must be compared to judge whether their relation is containment, intersection or unrelatedness, and the connectivity relation among the nodes of the directed graph is used to state clearly the containment hierarchy among the nodes in the graph.
3. Building the directed graph
The representation of each tuple of a CND policy, such as context, role, view and activity, is based on a directed graph. Therefore, before the relations between the corresponding tuples of policies are determined, a storage structure for the directed graph is needed first: the adjacency list. A singly linked list is created for each node in the graph; the list nodes of the i-th singly linked list represent all the nodes directly contained by that node. A list node consists of three fields: the adjacent node field denotes a node directly contained by the current node; the link field points to the other nodes contained by the current node; and the data field stores the information associated with the node, here the policy tuple content. A head node consists of a node field, denoting the node in the graph, and a data field storing the information of the current node. The directed graph and its adjacency list representation are shown in Fig. 7.
According to the cause of policy conflict, CND policy conflicts currently fall into two broad classes, syntactic conflicts and semantic conflicts, and semantic conflicts are further divided into two classes, containment conflicts and correlation conflicts. A flexible and extensible policy conflict detection method is therefore needed, able to detect not only the defense policy conflict types known at present but also conflict types added in the future; at the same time the detection result should be concrete and detailed, reporting not only whether a conflict exists but also information such as the cause of the conflict and the position of the policies in which it occurs, so that the responsible staff can take corresponding measures to resolve the conflict and ensure system security.
The defense policy conflict detection algorithm based on the directed graph model uses a directed graph to represent policy tuple relation information. The benefit of the directed graph representation is that the inheritance hierarchy of each domain in an organization is clear: the relations among policy objects are represented explicitly by the directed edges of the graph, complicated path representations are omitted, and the relations among nodes are shown by the levels and connectivity of the graph. To detect whether two policies conflict, the relation between the policies must be determined first; the algorithm, from the standpoint of set overlap, reduces the containment relation among policy tuples to the reachability problem among nodes of the graph, which greatly reduces the complexity of the computation.
4. Complexity analysis of the algorithm
Let P_1(Context_1, Role_1, View_1, Activity_1, Measure_1) and P_2(Context_2, Role_2, View_2, Activity_2, Measure_2) be CND policies whose measures Measure_1 and Measure_2 contradict. Suppose DAG_r(V, E) is the directed graph model of CND policy roles, and that the directed graph models of the other tuples are consistent with that of roles. Then only the complexity of deciding node relations in the policy role digraph DAG_r(V, E) needs to be examined.
The structure of the directed graph falls into two cases: (1) a sparse graph, with |V| = n nodes and |E| = n − 1 directed edges, corresponding to the simplest tuple relations, in which the nodes of the tuple relation graph are all connected in one direction; (2) a dense graph, with |V| = n nodes and |E| = n(n − 1)/2 directed edges, corresponding to the most complex tuple relations.
According to the algorithm, determining the relation of two policy tuples takes one or two traversal operations: when the containment list of one node contains the other node, one traversal suffices; otherwise the containment list of the other node is searched in a second traversal, and if the first node is found there, the two are in a containment relation. If neither case yields a relation between the nodes, it is checked whether any node in the containment list of one node appears in the containment list of the other; if so, the two are in an overlap relation, and otherwise they are unrelated. For a sparse graph, the time complexity of judging a tuple relation is O(|V| + |E|); since |E| = |V| − 1 for a sparse graph, the complexity is O(|V|). For a dense graph, |E| = |V|(|V| − 1)/2, so the complexity is O((|V|² + |V|)/2). In general, therefore, the complexity of the algorithm lies between O(|V|) and O(|V|²).
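The directed graph model, its adjacency list storage, the contain(v_i, v_j) reachability test, the map of directly and indirectly contained tuples from the semantic modeling step, and the one-or-two-traversal relation judgement of the complexity analysis, as an added Python example (this is not the patent's implementation, which stores the graph as a linked-list adjacency table). The DomainGraph class, the role hierarchy and all node names are constructed assumptions for the illustration.

```python
from collections import deque

# Constructed example, not the patent's code: a directed graph over role
# domains, stored as an adjacency list (dict of node -> list of nodes it
# directly contains). An arc parent -> child means "parent contains child".


class DomainGraph:
    def __init__(self, edges):
        self.adj = {}
        for parent, child in edges:
            self.adj.setdefault(parent, []).append(child)
            self.adj.setdefault(child, [])

    def directly_contains(self, vi, vj):
        """True when (vi, vj) is an arc of the graph (j - i = 1 on the path)."""
        return vj in self.adj[vi]

    def contained_by(self, v):
        """All nodes reachable from v: every node v contains directly or
        indirectly. One breadth-first traversal, O(|V| + |E|)."""
        seen = set()
        queue = deque(self.adj[v])
        while queue:
            x = queue.popleft()
            if x in seen or x == v:   # the visited set also guards against cycles
                continue
            seen.add(x)
            queue.extend(self.adj[x])
        return seen

    def contain(self, vi, vj):
        """contain(v_i, v_j) <=> a path exists from v_i to v_j (v_j ⊆ v_i)."""
        return vj in self.contained_by(vi)

    def semantic_map(self):
        """The map structure of the semantic model: each tuple node -> the
        set of tuple nodes it contains, direct and indirect together."""
        return {v: frozenset(self.contained_by(v)) for v in self.adj}

    def tuple_relation(self, x, y):
        """Relation of two tuple nodes as the complexity analysis describes
        it; returns the relation and the number of traversals it needed."""
        if x == y:
            return "equal", 0
        cx = self.contained_by(x)
        if y in cx:                       # first traversal decides
            return "contains", 1
        cy = self.contained_by(y)
        if x in cy:                       # second traversal decides
            return "contains", 2
        if cx & cy:                       # containment lists intersect
            return "overlap", 2
        return "unrelated", 2


# Constructed role hierarchy for the demonstration.
ROLE_EDGES = [
    ("staff", "operator"),
    ("staff", "admin"),
    ("operator", "junior_operator"),
    ("admin", "security_admin"),
    ("admin", "junior_operator"),
]
ROLES = DomainGraph(ROLE_EDGES)
ROLES.adj.setdefault("guest", [])   # an isolated domain, unrelated to the rest

if __name__ == "__main__":
    for node, contained in sorted(ROLES.semantic_map().items()):
        print(node, "contains", sorted(contained))
    print("operator vs admin:", ROLES.tuple_relation("operator", "admin"))
```

In the constructed hierarchy staff contains junior_operator only indirectly (via operator or admin), operator and admin are in an overlap relation because both contain junior_operator, and guest is unrelated to every other role. Each traversal is linear in the size of the graph, so a single relation judgement costs O(|V| + |E|) as in the analysis above; a production implementation would cache the semantic map rather than re-traverse per query.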
(5) The conflict analysis report is generated
From whether a conflict exists, the conflict type, the conflict cause and the position of the source policies involved, as derived in step (4), the conflict analysis report is generated and shown to the user in the form of a report.
Parts of the specification of the present invention that are not set forth in detail belong to the known technology of those skilled in the art.

Claims (2)

1. A conflict detection system for computer network defense policies, characterized by comprising: a file reading and result display module, a policy preprocessing module, a policy semantic modeling module and a policy conflict detection module, wherein:
File reading and result display module: responsible for reading the input files and outputting the results; the inputs are a CND policy description file and a CND initial policy ontology file, and the output is a conflict detection report; in addition, a defense policy information base is maintained in the system, which stores policy tuple semantic mapping information and policy tuple direct inclusion information so that the inclusion relations between policy tuples can be analyzed; in the concrete design the defense policy information base is implemented with the SQL Server database management system, with the policy tuple semantic mapping information and the policy tuple direct inclusion information each stored in a separate data table;
Policy preprocessing module: responsible for parsing the input CND policy description file and generating a CND policy ordered set as output; the policy parsing procedure parses each policy in the CND policy description file according to the syntax of the CND policy description language; a policy, i.e. a policy tuple, consists of six elements: organization, role, activity, view, context and measure;
Policy semantic modeling module: completes the semantic modeling of CND policies and consists of three submodules: the initial policy ontology import submodule imports and parses the CND initial policy ontology file written in the OWL language; the policy instance loading submodule loads the CND policy ordered set generated by the policy preprocessing module and, after conversion, forms the local policy ontology; the policy tuple semantic mapping submodule then determines the relations between policy tuples and finally builds the CND policy semantic model;
Policy conflict detection module: performs conflict detection over the CND policy ordered set; first, on the basis of the constructed CND policy semantic model, it generates a digraph for each tuple relation of the policies and decides the relations between tuples; second, according to the relations between the corresponding tuples of the policies, it traverses the generated policy tuple relation digraphs and thereby analyzes the relations between policies; finally, from the relations between policies and a comparison of whether the policies' measures contradict each other, it identifies the policy conflicts and their types.
2. A conflict detection method for computer network defense policies, characterized in that the steps are as follows:
(1) parse the input CND policy description file, extract the organization, role, activity, view, context and measure elements of each policy, and generate a CND policy ordered set;
(2) import the CND initial policy ontology file written in the OWL language and parse the initial policy ontology; the CND initial policy ontology file is described in the ontology language OWL, and describing it with an ontology makes the relations between concept and concept, concept and object, and object and object in policy conflict detection explicit, greatly reducing the misunderstanding that concepts and logical relations in the problem domain might otherwise cause; the CND initial policy ontology file specifically contains the definitions of the CND policy concepts and their relations, and the declarations of policy instances and their relations; the policy ordered set obtained in step (1) together with the CND initial policy ontology forms the local policy ontology, the relations between policy tuples are determined through policy tuple semantic mapping, and finally the CND policy semantic model is built;
(3) maintain a defense policy information base in the system, which stores policy tuple semantic mapping information and policy tuple direct inclusion information so that the inclusion relations between policy tuples can be analyzed; in the concrete design the defense policy information base is implemented with the SQL Server database management system, with the policy tuple semantic mapping information and the policy tuple direct inclusion information each stored in a separate data table;
(4) perform conflict detection over the CND policy ordered set: first, on the basis of the CND policy semantic model built in step (2) and using the policy mapping relations in the defense policy information base of step (3), generate a digraph for each tuple relation of the policies and decide the relations between tuples; here the digraph uses the directed graph of graph theory to describe the inheritance relations between the role, view and activity policy tuples, and connectivity between two nodes means that the policy tuples corresponding to those two nodes are in an inclusion relation; the data structure of the digraph is an adjacency list, with one singly linked list set up for each node of the digraph; a list node consists of three fields, an include field, a chain field and a data field, where the include field denotes a node directly included by the current node, the chain field points to the other nodes included by the current node, and the data field stores the information of that node, here the policy tuple content; a head node consists of a node field and a data field, where the node field denotes the node in the graph and the data field stores the current node's information;
(5) according to the relations between the corresponding tuples of the policies from step (4), traverse the generated policy tuple relation digraphs with the proposed conflict detection algorithm, thereby analyzing the relations between policies, and finally identify the policy conflicts and their types from the relations between policies and a comparison of whether the policies' measures contradict each other; the conflict detection algorithm comprises the following parts: initializing the context policy representation, checking whether contexts overlap, initializing the existing organization, role, activity, view, context and measure contents in the system, checking whether roles overlap, checking whether views overlap, checking whether activities overlap, checking whether measures conflict, and displaying the conflicting policies and the conflict type; the concrete steps are as follows: (a) the algorithm first builds the relation graph of each policy tuple according to the CND policy semantic model; (b) by traversing the relation graphs it analyzes the relations between policy tuples; (c) on that basis it derives the relation between two defense policies and then completes the policy conflict analysis by comparing the measure tuples; (d) finally the algorithm outputs the objects, type and reason of the conflict in the form of a conflict report, completing conflict detection for the CND policies.
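The tuple-relation decision described in the complexity analysis above and steps (4) and (5) of claim 2, as an added worked example in Python; this is not the patent's own code. The role, view, activity and context inclusion hierarchies, the policy names, the measure pairs treated as contradictory and the conflict-type labels (exact, inclusion, overlap) are constructed assumptions for illustration, since the patent names no concrete values; organization is compared by name only because the page gives it no hierarchy.

```python
"""Added example, not the patent's own code: tuple-relation decision over
directed inclusion graphs and pairwise policy conflict detection, following
the procedure in the description and claim 2. All sample data is constructed."""
from collections import deque
from itertools import combinations

# Constructed "direct include" lists (the include field of each adjacency
# list node): an edge a -> b means tuple value a directly includes value b.
DIRECT_INCLUDES = {
    "context":  {"anytime": ["workhours"], "workhours": []},
    "role":     {"admin": ["operator", "auditor"], "operator": ["guest"],
                 "auditor": [], "guest": [], "vendor": ["guest"]},
    "view":     {"dmz": ["web", "mail"], "web": [], "mail": [], "lan": []},
    "activity": {"manage": ["read", "write"], "read": [], "write": []},
}
# Assumed contradictory measure pairs; the patent only says measures are
# compared for contradiction and does not list them.
CONTRADICTORY_MEASURES = [frozenset({"permit", "deny"}),
                          frozenset({"alert", "suppress"})]


def include_list(graph, node):
    """Transitive include list of node: every node reachable from it.
    One breadth-first traversal over the adjacency lists, O(|V| + |E|)."""
    seen, queue = set(), deque(graph.get(node, []))
    while queue:
        n = queue.popleft()
        if n not in seen:
            seen.add(n)
            queue.extend(graph.get(n, []))
    return seen


def tuple_relation(graph, a, b):
    """Decide the relation between two tuple values as the description does:
    one traversal if b is in a's include list, a second if a is in b's,
    then an intersection test for overlap, otherwise unrelated."""
    if a == b:
        return "equal"
    inc_a = include_list(graph, a)
    if b in inc_a:
        return "inclusion"      # a includes b
    inc_b = include_list(graph, b)
    if a in inc_b:
        return "inclusion"      # b includes a
    if inc_a & inc_b:
        return "overlap"        # both include a common node
    return "unrelated"


def measures_contradict(m1, m2):
    return frozenset({m1, m2}) in CONTRADICTORY_MEASURES


def conflict_type(relations):
    """Assumed labels: exact when every tuple is equal, inclusion when every
    tuple is equal or included, overlap otherwise."""
    kinds = set(relations.values())
    if kinds == {"equal"}:
        return "exact"
    if kinds <= {"equal", "inclusion"}:
        return "inclusion"
    return "overlap"


def detect_conflict(p1, p2):
    """Compare two policies tuple by tuple; return a report dict or None."""
    if p1["organization"] != p2["organization"]:
        return None             # assumption: organization compared by name only
    relations = {}
    for t in ("context", "role", "view", "activity"):
        r = tuple_relation(DIRECT_INCLUDES[t], p1[t], p2[t])
        if r == "unrelated":
            return None         # scopes never meet, so no conflict is possible
        relations[t] = r
    if not measures_contradict(p1["measure"], p2["measure"]):
        return None
    return {"policies": (p1["name"], p2["name"]),
            "type": conflict_type(relations), "relations": relations,
            "reason": f"{p1['measure']} vs {p2['measure']} on related scopes"}


def analyze(policies):
    """Pairwise conflict analysis of a policy ordered set: the conflict report."""
    return [r for a, b in combinations(policies, 2)
            if (r := detect_conflict(a, b)) is not None]


# Constructed sample policy ordered set (organization is the same for all).
FIELDS = ("name", "role", "view", "activity", "context", "measure")
SAMPLE_POLICIES = [dict(zip(FIELDS, row), organization="org-a") for row in [
    ("P1", "admin",    "dmz",  "manage", "anytime",   "permit"),
    ("P2", "operator", "web",  "write",  "workhours", "deny"),
    ("P3", "vendor",   "lan",  "read",   "workhours", "permit"),
    ("P4", "guest",    "mail", "read",   "workhours", "deny"),
    ("P5", "vendor",   "dmz",  "read",   "workhours", "deny"),
]]

if __name__ == "__main__":
    for report in analyze(SAMPLE_POLICIES):
        print(report)
```

Running the block reports three conflicts: P1 against P2 and P4 (every tuple of the narrower policy is included in P1's, an inclusion conflict) and P1 against P5 (the roles admin and vendor only share the included role guest, an overlap conflict). P3 never conflicts because its view lan is unrelated to dmz, web and mail, which is the early exit the description's relation check provides before measures are compared.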
CN201310032527.8A 2013-01-28 2013-01-28 Conflict detection system and method for computer network defense (CND) policy Expired - Fee Related CN103049700B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310032527.8A CN103049700B (en) 2013-01-28 2013-01-28 Conflict detection system and method for computer network defense (CND) policy


Publications (2)

Publication Number Publication Date
CN103049700A CN103049700A (en) 2013-04-17
CN103049700B true CN103049700B (en) 2015-03-25

Family

ID=48062333

Country Status (1)

Country Link
CN (1) CN103049700B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015006904A1 (en) * 2013-07-15 2015-01-22 中国科学院自动化研究所 Image set registration method based on dynamic directed graph
US10439875B2 (en) * 2017-05-31 2019-10-08 Cisco Technology, Inc. Identification of conflict rules in a network intent formal equivalence failure
CN109902825B (en) * 2019-03-07 2023-07-07 大国创新智能科技(东莞)有限公司 Consciousness generation method, consciousness generation device, consciousness generation system, robot and calculation model
CN112214865B (en) * 2020-08-10 2022-07-08 天津大学 Automatic pre-inspection method for heating ventilation air conditioner control strategy
CN112925506A (en) * 2020-11-27 2021-06-08 北京航空航天大学 Method for detecting conflict between software requirements and computer readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6857018B2 (en) * 2000-07-31 2005-02-15 Dongyi Jiang System, method and computer software products for network firewall fast policy look-up
CN102387145A (en) * 2011-10-21 2012-03-21 北京航空航天大学 System and method for detecting access control strategy collision in collaborative environment
CN102546639A (en) * 2012-01-12 2012-07-04 北京航空航天大学 Network-oriented penetration testing scheme automatic-generation method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Modeling and Verification of IPSec and VPN Security Policies; Hazem Hamed et al.; Proceedings of the 13th IEEE International Conference on Network Protocols; 2005-11-09; pp. 1-10 *
Network Topologic Discovery Based On SNMP; Kuangyu Qin et al.; Proceedings of the 5th International Conference on Ubiquitous Information Technologies and Applications; 2010-12-18; pp. 1-3 *

Also Published As

Publication number Publication date
CN103049700A (en) 2013-04-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150325

Termination date: 20180128