Research on Key Technologies of Data Leakage Prevention Against Insider Threats
Abstract
With the rapid development of information networks, the environments in which data is used have become increasingly complex. Data faces leakage risks at every stage of its life cycle, from creation, storage, use, sharing and archiving to destruction, and leakage caused by insider threats in particular has become increasingly prominent. Traditional data leakage prevention (DLP) technologies can effectively resist external attacks but still lack effective protection against insider threats. Moreover, most of these technologies build a protection mechanism for the requirements of a single stage of the data life cycle without forming a unified whole, so a failure at any one link causes the entire leakage prevention to fail. The wide adoption of distributed and cloud computing poses many new challenges for DLP. How to effectively counter data leakage caused by insider threats, build a unified protection mechanism covering the full data life cycle, and ensure the security of data during storage, use, sharing and transmission is a key problem in information security that urgently needs to be solved.
This thesis analyses the leakage prevention requirements at each stage of the data life cycle and, targeting the characteristics of insider threats and starting from strengthening the data's own protection capability, proposes an active data leakage prevention model against insider threats. Based on this model, it studies the theory and techniques of data leakage prevention from the aspects of information flow constraints, isolation constraints on trusted subjects, and the active protection architecture. By integrating the key techniques, a secure removable storage device with active protection capability is designed and implemented, which verifies the correctness of the model and the effectiveness of the protection techniques.
The main research results of this thesis are as follows:
1. An active data leakage prevention model against insider threats is proposed. By extending the attributes and security mechanisms of the data itself or of its storage environment, the model attaches to the data a Secure Data Container (SDC) with autonomous protection capability; at each stage of the data life cycle the container actively performs trust detection of the usage environment and enforces security control over how the data is used, thereby providing "close protection" for the data. Taking the characteristics of insider threats into account, an implementation framework for the model is also given, which provides the overall ideas and structure guiding the key techniques studied in this thesis.
2. An active Chinese Wall model based on one-way information flow constraints is proposed. Targeting the characteristics and requirements of information flow constraints in DLP, the model extends the conflict-of-interest and alliance relations of the traditional Chinese Wall model and introduces the concepts of active conflict relation and active alliance relation. On this basis, a formal description and security analysis of the model are given, the model is compared with the traditional Chinese Wall model and the BLP model, and implementation structures are given for different application scenarios: access control, leakage prevention for electronic documents on endpoints, and leakage prevention in virtual machine environments.
3. A dynamic isolation mechanism for constraining trusted subjects is proposed. The mechanism partitions isolation domains according to DLP requirements and, for the different access operations of a trusted subject, dynamically extends the scope of the isolation domain through three isolation processes: read isolation, write isolation and communication isolation. This preserves the application integrity of the trusted subject while preventing it from leaking data through "legitimate operations". Enforcement strategies for migrating files and processes during isolation are given, and the security of the dynamic isolation mechanism is described and proved with formal methods. On this basis, by extending the reference associations between different isolation domains, a dynamic-isolation-enhanced lightweight virtual machine, DI-FVM, is implemented. DI-FVM virtualizes at the operating-system level and uses reference associations to realize fine-grained behavioural constraints.
4. An active secure storage architecture based on usage expectations is proposed. From the data's perspective, a unified security-requirement description mechanism is built from the security expectations that data in different states has for its attributes, access operations and usage environment, and an expectation-based usage control model is proposed. On this basis, the problem of continuous protection of data from the storage device to the usage environment is studied, and a Usage-Expectation-based Active Secure Storage architecture (UE-ASS) is proposed. UE-ASS binds the active protection mechanism to the storage device, dynamically builds a virtual isolated usage environment on the endpoint, and uses trusted computing to establish a chain of trust from the storage device to the isolated environment, thereby realizing trusted transfer of the data's usage expectations and continuous control of the usage process.
5. Guided by the active leakage prevention model and integrating the above key results, a secure removable storage device with active protection capability, UTrustDisk, is designed and implemented. The device integrates an embedded security chip into the storage hardware and realizes the device's active protection through a Chip Operating System (COS) running on the security chip. The COS dynamically builds the virtual isolated environment DI-FVM for data use on the endpoint and, using the security mechanisms provided by the security chip, establishes the chain of trust and manages the data's usage expectations, ensuring active leakage prevention as data moves from the storage device to the usage environment.
The above results take into account both the characteristics of insider threats and the leakage prevention requirements over the entire data life cycle. Based on information flow analysis and combined with the ideas of virtual isolation and trusted computing, they achieve continuous leakage prevention over the full data life cycle by strengthening the data's own active protection capability. Formal verification of the information flow constraints and the dynamic isolation mechanism shows that the approach can effectively guarantee the security of leakage prevention, which is of theoretical significance. The implementation and testing of the prototype system also show that these techniques address data leakage caused by insider threats well, providing important technical support for leakage prevention in practical applications and having good practical value.
English abstract (author's version)
With the rapid development of information networks, the application environment of data has become increasingly complex. The data owner encounters various risks of leakage across the whole life cycle of data, and leakage caused by insider threats is becoming increasingly prominent. Traditional Data Leakage Prevention (DLP) technologies can effectively defend against outsider attacks but lack protection against insider threats. Moreover, most of these technologies provide protection mechanisms for particular situations in the data life cycle without unifying principles, so a failure at one point breaks down all the protection mechanisms. What is more, the extensive application of distributed computing and cloud computing has brought many new challenges to DLP. How to effectively prevent data leakage caused by insider threats, and especially assure the security of data in storage, usage and sharing by building unified protection mechanisms for the whole life cycle of data, has become a burning problem for information security.
This paper analyzes the protection requirements in all stages of the data life cycle and proposes an active data leakage prevention model against insider threats. It then presents the theoretical basis and implementation techniques of this model by studying the information flow constraint mechanism, the isolation of trusted subjects' behaviour, and the active protection implementation architecture. Finally, we design and implement a secure removable storage device with active defense capabilities against data leakage.
     The main contributions of this paper are as follows:
1. We propose an active data leakage prevention model against insider threats. By extending the attributes and security mechanisms of data objects and the data storage environment, this model attaches a Secure Data Container (SDC) to the data. The SDC provides trust detection and usage control along with the data. We also give an implementation framework that provides the key ideas for the following research.
2. We propose an Active Chinese Wall Model (ACWM) based on one-way information flow constraints. This model extends the conflict and alliance relations of the traditional Chinese Wall Model (CWM) and introduces the concepts of active conflict and active alliance relations. Based on these, we present the formal description of ACWM and prove its security properties. We then compare ACWM with traditional CWMs and the BLP model; the result shows the flexibility and adaptability of ACWM. Finally, implementation frameworks based on ACWM are presented for DLP in three different scenarios.
3. We propose a dynamic isolation mechanism for the confinement of trusted subjects. This mechanism sets up the isolation domain according to the protection requirements of the data and dynamically extends the domain through isolation of the trusted subject's read, write and communication operations. We present implementation strategies for the migration of files and processes, then give formal descriptions of the mechanism and prove its security for data leakage prevention. Based on this, we implement the Dynamic-Isolation-enhanced Featherweight Virtual Machine (DI-FVM) by creating a virtualization layer at the operating-system level, which provides fine-grained behavioural constraints for trusted subjects.
4. We propose a Usage-Expectation-based Active Secure Storage (UE-ASS) architecture. In order to build a unified description mechanism for the security requirements of data leakage prevention, we present the concept of expectation according to the security constraints on the attributes, access operations and usage contexts of the data object. Based on this, we extend the usage control model from the data perspective to provide continuous control from the storage device to the usage environment. We then give the UE-ASS architecture, which combines the active protection mechanism with the storage device and constructs a virtual isolated usage environment in the terminal system before usage.
5. Based on the above models and technologies, we design and implement a secure removable storage device called UTrustDisk. The hardware integrates an embedded security chip and achieves active defense through the Chip Operating System (COS). The COS builds a dynamic virtual isolation environment, DI-FVM, in the terminal system and manages the usage expectations of the data. Thus UTrustDisk provides continuous protection while the data moves from the storage device to the usage environment.
All of the above results provide effective theories and technologies for data leakage prevention, especially against insider threats. The formal verification of the information flow confinement and the dynamic isolation mechanism demonstrates the theoretical contributions, while the implementation and evaluation results show the effectiveness against data leakage in practice.
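Both abstracts (item 2 of each) build on the traditional Chinese Wall model and its one-way information flow constraint. The thesis's active conflict and alliance relations are not described in enough detail on this page to reproduce, so the following added example (not code from the thesis) implements only the baseline it extends: the Brewer-Nash Chinese Wall, with the simple-security rule for reads and the *-property for writes. Company names, file paths and the access sequence are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the thesis): company -> conflict-of-interest class.
COMPANY_COI = {"BankA": "banks", "BankB": "banks", "OilX": "oil", "OilY": "oil"}

# Constructed objects: path -> owning company; None marks sanitized (public) data
# that belongs to no conflict-of-interest class.
OBJECT_OWNER = {
    "bankA/ledger.xls": "BankA",
    "bankB/ledger.xls": "BankB",
    "oilX/reserves.doc": "OilX",
    "oilY/reserves.doc": "OilY",
    "public/press.txt": None,
}


class ChineseWall:
    """Brewer-Nash Chinese Wall: decisions depend on each subject's access history."""

    def __init__(self, owners, coi):
        self.owners = owners
        self.coi = coi
        # subject -> set of companies whose (unsanitized) data it has already read
        self.history = defaultdict(set)

    def can_read(self, subject, obj):
        company = self.owners[obj]
        if company is None:
            return True  # sanitized data is readable by everyone
        cls = self.coi[company]
        # Simple security rule: the wall forbids a second company in the same class.
        return all(prev == company or self.coi[prev] != cls
                   for prev in self.history[subject])

    def read(self, subject, obj):
        """Perform a read; on success the company joins the subject's history."""
        if not self.can_read(subject, obj):
            return False
        if self.owners[obj] is not None:
            self.history[subject].add(self.owners[obj])
        return True

    def can_write(self, subject, obj):
        """*-property: a write is allowed only if the subject can read obj and every
        unsanitized dataset it has ever read belongs to obj's company. This is the
        one-way constraint: a subject holding BankA data may still read OilX, but it
        can no longer write into OilX (or public) files, so BankA data cannot be
        carried across the wall to a subject that is allowed to read BankB."""
        if not self.can_read(subject, obj):
            return False
        company = self.owners[obj]
        return all(prev == company for prev in self.history[subject])


def demo():
    """Constructed access sequence; returns the decisions for inspection."""
    wall = ChineseWall(OBJECT_OWNER, COMPANY_COI)
    return {
        "alice reads BankA": wall.read("alice", "bankA/ledger.xls"),
        "alice reads BankB": wall.read("alice", "bankB/ledger.xls"),    # same class: denied
        "alice reads OilX": wall.read("alice", "oilX/reserves.doc"),     # other class: ok
        "alice writes OilX": wall.can_write("alice", "oilX/reserves.doc"),
        "alice writes public": wall.can_write("alice", "public/press.txt"),
        "bob reads BankB": wall.read("bob", "bankB/ledger.xls"),
        "bob writes BankB": wall.can_write("bob", "bankB/ledger.xls"),
    }


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step:22s} -> {'allow' if allowed else 'deny'}")
```

The point to notice is that write decisions are stricter than read decisions: once alice has read data from two companies, the *-property leaves her no writable unsanitized object at all, which is exactly the property a DLP policy wants from a subject that has touched sensitive data.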
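Item 3 of both abstracts describes a domain that grows as a trusted subject reads, writes and communicates, so that each individual operation stays "legitimate" while the data cannot leave. The added example below (not code from the thesis, and not the DI-FVM implementation) models that idea with the simplest semantics consistent with the abstract: reading protected data pulls the subject into the domain, a subject in the domain has its written files confined to the domain, and it may only communicate with peers that are pulled in as well. How the real mechanism partitions domains, migrates files and processes, or treats network channels is not stated on this page; the `net:` prefix, process names and the event trace are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class IsolationDomain:
    """Illustrative dynamic isolation domain (assumed semantics, see lead-in)."""
    files: set = field(default_factory=set)     # protected files inside the domain
    procs: set = field(default_factory=set)     # subjects pulled into the domain
    denied: list = field(default_factory=list)  # (proc, op, target) that were blocked

    def on_read(self, proc, path):
        # Read isolation: the trusted subject keeps working normally, but the moment
        # it reads protected data it is migrated into the domain and tracked from then on.
        if path in self.files:
            self.procs.add(proc)
        return True

    def on_write(self, proc, path):
        # Write isolation: output of an in-domain subject is confined, i.e. the new
        # file becomes part of the domain instead of an unprotected copy.
        if proc in self.procs:
            self.files.add(path)
        return True

    def on_send(self, proc, peer):
        # Communication isolation: an in-domain subject may talk to local peers, which
        # are then pulled in too; channels that leave the endpoint are refused.
        if proc not in self.procs:
            return True
        if peer.startswith("net:"):
            self.denied.append((proc, "send", peer))
            return False
        self.procs.add(peer)
        return True


def replay(events, protected):
    """Replay (op, subject, target) events and return the resulting domain."""
    dom = IsolationDomain(files=set(protected))
    handlers = {"read": dom.on_read, "write": dom.on_write, "send": dom.on_send}
    for op, subject, target in events:
        handlers[op](subject, target)
    return dom


# Constructed event trace: every operation is "legitimate" for the application.
EVENTS = [
    ("read", "word.exe", "D:/secret/plan.docx"),       # word.exe joins the domain
    ("write", "word.exe", "C:/tmp/plan-copy.docx"),     # the copy stays protected
    ("send", "word.exe", "mail.exe"),                   # mail.exe joins the domain
    ("send", "mail.exe", "net:smtp.example.org"),       # would leak: denied
    ("read", "notepad.exe", "C:/readme.txt"),           # unrelated subject
    ("send", "notepad.exe", "net:update.example.org"),  # outside the domain: allowed
]

if __name__ == "__main__":
    dom = replay(EVENTS, ["D:/secret/plan.docx"])
    print("domain files :", sorted(dom.files))
    print("domain procs :", sorted(dom.procs))
    print("denied       :", dom.denied)
```

Note that no single event in the trace is itself suspicious; the denial comes only from the history the domain has accumulated, which is why a per-operation access check alone cannot stop this kind of insider leak.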
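Items 4 and 5 of both abstracts describe a storage device that holds a usage expectation for its data and releases the data only after a chain of trust from the device to the endpoint's isolated environment has been verified. The added example below (not code from the thesis or from UTrustDisk) shows the generic trusted-computing pattern this relies on: measurements of the endpoint's components are folded into a single register with a TPM-style extend, the device compares the result with its expected value, and a data key bound to that value is handed out only when the chain matches and the requested operation is inside the expectation. The component names, the HMAC-based key binding, the usage-budget rule and the device secret are constructed assumptions; the real UE-ASS expectation format and COS protocol are not given on this page.

```python
import hashlib
import hmac


def extend(register: bytes, component: bytes) -> bytes:
    """TPM-style extend: register' = SHA-256(register || SHA-256(component))."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def measure_chain(components):
    """Fold measured components into one chain value; order and content both matter."""
    register = bytes(32)
    for c in components:
        register = extend(register, c)
    return register


class SecureStorage:
    """Storage side: holds the expected environment and the usage expectation."""

    def __init__(self, expected_env, allowed_ops, max_uses, device_secret):
        self.expected = measure_chain(expected_env)
        self.allowed_ops = set(allowed_ops)
        self.max_uses = max_uses
        self.uses = 0
        # Data key bound to the expected chain (assumed binding); only handed out on a match.
        self._key = hmac.new(device_secret, self.expected, "sha256").digest()

    def attest(self, reported_env):
        return hmac.compare_digest(measure_chain(reported_env), self.expected)

    def request(self, reported_env, op):
        """Return (key or None, reason) for one usage request from the endpoint."""
        if not self.attest(reported_env):
            return None, "environment does not match the trust chain"
        if op not in self.allowed_ops:
            return None, f"operation '{op}' is outside the usage expectation"
        if self.uses >= self.max_uses:
            return None, "usage budget exhausted"
        self.uses += 1
        return self._key, "ok"


# Constructed measurements of an endpoint (hypothetical component names).
GOOD_ENV = [b"bootloader 1.0", b"kernel 5.10", b"isolation-layer 1.0"]
BAD_ENV = [b"bootloader 1.0", b"kernel 5.10", b"isolation-layer 1.0 (patched)"]
DEVICE_SECRET = b"constructed-device-secret"


def scenario():
    """Constructed request sequence; True means the key was released."""
    store = SecureStorage(GOOD_ENV, allowed_ops={"read"}, max_uses=2,
                          device_secret=DEVICE_SECRET)
    return {
        "tampered env, read": store.request(BAD_ENV, "read")[0] is not None,
        "good env, copy": store.request(GOOD_ENV, "copy")[0] is not None,
        "good env, read #1": store.request(GOOD_ENV, "read")[0] is not None,
        "good env, read #2": store.request(GOOD_ENV, "read")[0] is not None,
        "good env, read #3": store.request(GOOD_ENV, "read")[0] is not None,
    }


if __name__ == "__main__":
    for step, released in scenario().items():
        print(f"{step:20s} -> {'key released' if released else 'refused'}")
```

Two details carry the security argument: the chain value changes if any component is modified or reordered, so a patched isolation layer is rejected before the expectation is even consulted, and the key is derived from the expected value rather than stored in the clear, so an endpoint that cannot reproduce the chain has nothing to read even with physical access to the device.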
    [166]蒋江.异构集群系统中基于进程迁移机制的负载平衡算法的研究[D].长沙:国防科学技术大学, 2002.
    [167] R. A. Baratto, S. Potter, G. Su, et al. Mobidesk: Mobile Virtual Desktop Comput-ing[C]//Proceedings of the 10th annual international conference on Mobile com-puting and networking(MobiCom’04). New York, NY, USA: ACM, 2004:1–15.
    [168]陈俊霞,唐科,汪文勇.基于hip的进程迁移技术[J].通信学报, 2006,27(11A):164–167.
    [169] Y. Yu, H. Kolam, L. chung Lam, et al. Applications of a Feather-weight VirtualMachine[C]//Proceedings of the fourth ACM SIGPLAN/SIGOPS internationalconference on Virtual execution environments(VEE’08). New York, NY, USA,2008:171–180.
    [170]温研.隔离运行环境关键技术研究[D].长沙:国防科学技术大学, 2008.
    [171] X. Zhang, F. Parisi-Presicce, R. Sandhu, et al. Formal Model and Policy Spec-ification of Usage Control[J]. ACM Transactions on Information and SystemsSecurity(TISSEC), 2005, 8(4):351–387.
    [172] X. Zhang, R. Sandhu, F. Parisi-Presicce. Safety Analysis of Usage Control Au-thorization Models[C]//Proceedings of the 2006 ACM Symposium on Informa-tion,computerandcommunicationssecurity(ASIACCS’06).NewYork,NY,USA:ACM, 2006:243–254.
    [173] M. Hilty, A. Pretschner, D. Basin, et al. A Policy Language for Distributed Us-ageControl[M]//ComputerSecurity–ESORICS2007,LectureNotesinComputerScience. Springer Berlin / Heidelberg, 2007:531–546.
    [174]钟勇,秦小麟,郑吉平,林冬梅.一种灵活的使用控制授权语言框架研究[J].计算机学报, 2006, 29(8):1408–1418.
    [175] M. Xu, X. Jiang, R. Sandhu, et al. Towards a Vmm-based Usage Control Frame-work for Os Kernel Integrity Protection[C]//Proceedings of the 12th ACM sympo-sium on Access control models and technologies(SACMAT’07). New York, NY,USA: ACM, 2007:71–80.
    [176] B. Zhao, R. Sandhu, X. Zhang, et al. Towards a Times-based Usage Con-trol Model[C]//Proceedings of the 21st annual IFIP WG 11.3 working confer-ence on Data and applications security. Berlin, Heidelberg: Springer-Verlag,2007:227–242.
    [177] A. Berthold, M. Alam, R. Breu, et al. A Technical Architecture for EnforcingUsageControlRequirementsinService-orientedArchitectures[C]//Proceedingsofthe 2007 ACM workshop on Secure web services(SWS’07). New York, NY, USA:ACM, 2007:18–25.
    [178] T. C. Group. Tcg Architecture Overview, 2007. http://www.trustedcomputinggroup.org/files/resource_files/AC652DE1-1D09-3519-ADA026A0C05CFAC2/TCG_1_4_Architecture_Overview.pdf.
    [179] A. Acharya, M. Uysal, J. Saltz. Active Disks: Programming Model, Algorithmsand Evaluation[J]. ACM SIGOPS Operating Systems Review, 1998, 32(5):81–91.
    [180] A. C. Arpaci-Dusseau, R. H. Arpaci-Dusseau, L. N. Bairavasundaram, et al.Semantically-smart Disk Systems: Past, Present, and Future[J]. ACM SIGMET-RICS Performance Evaluation Review, 2006, 33(4):29–35.
    [181] M. Mesnier, G. R.Ganger, E. Riedel. Object-based Storage[J]. IEEE Communi-cations Magazine, 2003, 41(8):84–90.
    [182]吴世忠,石超英.一种智能卡和u盘复合设备及其与计算机通信的方法,2007.
    [183] Introduction to U3 Smart Drive. http://u3.sandisk.com/.
    [184] Armordisk(安全key盘)加密存储. http://www.nationz.com.cn/Solutions2.aspx?id=18.
    [185] Pkcs#11: Cryptographic Token Interface Standard. http://www.rsa.com/rsalabs/node.asp?id=2133.
    [186] S. Delaune, S. Kremer, G. Steel. Formal Analysis of Pkcs#11[C]//Proceedings of21st IEEE Computer Security Foundations Symposium. 2008:331–344.
    [187] Z32系列安全控制器. http://www.nationz.com.cn/Products2.aspx?id=19.
    [188] J. Ma, J. Ren, Z. Wang, et al. Research of a Secure File System for Protection ofIntellectual Property Right[C]//Proceedings of The 9th International Conferenceon Web-Age Information Management(WAIM’08). Washington, DC, USA: IEEEComputer Society, 2008:661–665.
    [189] Microsoft. File System Filter Drivers. http://www.microsoft.com/whdc/driver/filterdrv/default.mspx.
    [190]谭文,杨潇,邵坚磊.寒江独钓:windows内核安全编程[M].北京:电子工业出版社, 2009.
    [191] M. Russinovich, B. Cogswell. Regmon for Windows V7.04, 2006. http://technet.microsoft.com/zh-cn/bb896652.aspx.
    [192] G. Hunt, D. Brubacher. Detours: Binary Interception of Win32 Func-tions[C]//Proceedings of the 3rd USENIX Windows NT Symposium. 1999.
    [193] U盘扩容检测工具. http://www.mydigit.cn/mydisktest.htm.
    [194]精英型l8267国密安全版. http://www.aigo.com/ProductInformation-678.aspx.
    [195] Udiskmonitor, 2009. http://www.pudn.com/downloads174/sourcecode/others/detail809769.html.
