终端安全软件的设计与实现
|
摘要
信息技术发展到今天,计算机和网络已经渗透到人们生产生活的每一个角落。各个组织和机构都依赖信息化系统来改善业务流程、提高工作效率。但是任何技术都是一把双刃剑,信息技术在带给人们便利的同时,也带来了安全隐患。近些年来,各个企业和组织的信息化越来越深入和广泛,但是内网和终端安全问题却没有得到相应的重视,造成数据泄密事故频增。内网安全事故轻则造成企业商业机密丢失,重则造成国家安全机密泄露,其重要程度可见一斑。
从源头上看,内网安全事故可分为主动泄密和被动泄密两种类型,也就是内部泄密和外部泄密。因此,内网安全从这两个方面入手解决问题。解决主动泄密采取事前控制和事后追踪。事前控制即用户行为控制,而用户行为包括从登录到退出系统的所有操作和事件,如登录注销、网络访问、文件操作、软件使用、打印机等外设的使用等。事后跟踪即用户行为的审计。解决被动泄密,要确保数据以密文形式存储于物理介质,计算机、网络等资源必须经过授权才能访问。
针对上述问题,本文研究开发了一套终端安全软件,提出了完整的解决方案。它包括主机安全代理、整盘加解密以及其它安全软件。主机代理中的功能模块实现各种控制功能,日志模块实现审计功能,消除内部威胁;整盘透明加解密和电子钥匙统一身份认证方案分别实现数据存储安全和资源授权访问,消除外部威胁。此外,鉴于终端安全软件的诸多模块使用AES进行数据加解密,为提高加解密速度,提升系统整体性能,本文设计了基于GPU的AES加解密算法。
In this information era, computers and web have been penetrated in every aspect of people's life and production. Each organization relies on information system to improve business process and raise work efficiency. But any technology is a double-edged sword. While information technology contributes to the conveniences, it brings about potential security problems as well. In recent years, the informatization process has been implemented both in depth and in width, but the security problems have not got corresponding attention. The seriousness of intranet security accidents ranges from loss of business confidential to threats of national security, which underlies the importance of security concerns.
Intranet security accidents can be roughly categorized as active leaking and passive leaking, or internal leaking and external leaking, according to the leaking source. Intranet security seeks solution for the two types respectively. For active leaking, before-hand control and after-hand track are brought forward. The former implies user operation control, including login control, web control, file control, peripheral control, etc; the latter means audit of user behavior. For passive leaking, ensuring the safety of resources is needed, which is completed by data encryption and access authorization.
Aiming at these problems, this paper developed a set of terminal security software, proposing a complete solution. It consists of host security monitor, disk encryption and other security software. Various functional modules in host monitor fulfill terminal control tasks. For audit, log module collects and reports all kinds of terminal behaviors. Disk transparent encryption and electronic key authorization ensure data security and access control. Besides, due to the frequent use of encryption operation in security software, this paper designed a GPU-based AES encryption algorithm since system performance is effected by encryption and decryption speed.
从源头上看,内网安全事故可分为主动泄密和被动泄密两种类型,也就是内部泄密和外部泄密。因此,内网安全从这两个方面入手解决问题。解决主动泄密采取事前控制和事后追踪。事前控制即用户行为控制,而用户行为包括从登录到退出系统的所有操作和事件,如登录注销、网络访问、文件操作、软件使用、打印机等外设的使用等。事后跟踪即用户行为的审计。解决被动泄密,要确保数据以密文形式存储于物理介质,计算机、网络等资源必须经过授权才能访问。
针对上述问题,本文研究开发了一套终端安全软件,提出了完整的解决方案。它包括主机安全代理、整盘加解密以及其它安全软件。主机代理中的功能模块实现各种控制功能,日志模块实现审计功能,消除内部威胁;整盘透明加解密和电子钥匙统一身份认证方案分别实现数据存储安全和资源授权访问,消除外部威胁。此外,鉴于终端安全软件的诸多模块使用AES进行数据加解密,为提高加解密速度,提升系统整体性能,本文设计了基于GPU的AES加解密算法。
In this information era, computers and web have been penetrated in every aspect of people's life and production. Each organization relies on information system to improve business process and raise work efficiency. But any technology is a double-edged sword. While information technology contributes to the conveniences, it brings about potential security problems as well. In recent years, the informatization process has been implemented both in depth and in width, but the security problems have not got corresponding attention. The seriousness of intranet security accidents ranges from loss of business confidential to threats of national security, which underlies the importance of security concerns.
Intranet security accidents can be roughly categorized as active leaking and passive leaking, or internal leaking and external leaking, according to the leaking source. Intranet security seeks solution for the two types respectively. For active leaking, before-hand control and after-hand track are brought forward. The former implies user operation control, including login control, web control, file control, peripheral control, etc; the latter means audit of user behavior. For passive leaking, ensuring the safety of resources is needed, which is completed by data encryption and access authorization.
Aiming at these problems, this paper developed a set of terminal security software, proposing a complete solution. It consists of host security monitor, disk encryption and other security software. Various functional modules in host monitor fulfill terminal control tasks. For audit, log module collects and reports all kinds of terminal behaviors. Disk transparent encryption and electronic key authorization ensure data security and access control. Besides, due to the frequent use of encryption operation in security software, this paper designed a GPU-based AES encryption algorithm since system performance is effected by encryption and decryption speed.
引文
[1]胡托任主机安全监控关键技术研究[学位论文]北京邮电大学2009
[2]张正秋著Windows应用程序捆绑核心编程清华大学出版社200654-77
[3]徐晓东,杨榆使用GPU加速RC5密码算法的研究2009高校通信类院系学术研讨会2009
[4]高静智能卡在网络安全管理系统中的研究和应用[学位论文]北京邮电大学2009
[5]宋群生,宋亚琼著硬盘扇区读写技术-修复硬盘与恢复文件机械工业出版社20052-3
[6]Erich Gamma, Richard Helm等著设计模式——可复用面向对象软件的基础机械工业出版社200045-51
[7]Jeffrey Richter, Christophe Nasarre著Windows核心编程(第5版)清华大学出版社2008323-35
[8]Greg Hoglund, james Butler Root著ROOTKITS——Windows内核的安全防护清华大学出版社200770-73
[9]Rajeev Nagar著Windows NT File System Internals——A Developer's Guide O'Reilly 1997 78-86
[10]Solomon,D.A, Russinovich,M.E著深入解析Windows操作系统(第4版)电子工业出版社2007 720-725
[11]卢坚高级加密标准研究及其FPGA设计[学位论文]西南交通大学 2002
[12]张伟ARP防火墙在终端主机安全管理系统中的设计与实现[学位论文]吉林大学2008
[13]邬钧霆 基于Brook的GPU通用计算研究[学位论文]解放军信息工程大学2007
[14]邵晓东网络终端安全管理系统的设计与实现[学位论文]山东大学2006
[15]祖峰计算机终端安全管理策略及应用的研究[学位论文]北京邮电大学2008
[16]何仲昆防火墙日志分析系统的研究与实现[学位论文]浙江大学2009
[17]张双应用代理防火墙中央日志审计子系统的设计与实现[学位论文]中国科学院研究生院 2001
[18]王鑫磊统一安全认证平台的设计与实现[学位论文]北京邮电大学2007
[19]肖新光主机安全检查与风险评估 信息网络安全2008,5:10-12
[20]USB Key身份认证技术在计算机系统信息安全中的使用方法高职论丛2009,3:36-38
[2]张正秋著Windows应用程序捆绑核心编程清华大学出版社200654-77
[3]徐晓东,杨榆使用GPU加速RC5密码算法的研究2009高校通信类院系学术研讨会2009
[4]高静智能卡在网络安全管理系统中的研究和应用[学位论文]北京邮电大学2009
[5]宋群生,宋亚琼著硬盘扇区读写技术-修复硬盘与恢复文件机械工业出版社20052-3
[6]Erich Gamma, Richard Helm等著设计模式——可复用面向对象软件的基础机械工业出版社200045-51
[7]Jeffrey Richter, Christophe Nasarre著Windows核心编程(第5版)清华大学出版社2008323-35
[8]Greg Hoglund, james Butler Root著ROOTKITS——Windows内核的安全防护清华大学出版社200770-73
[9]Rajeev Nagar著Windows NT File System Internals——A Developer's Guide O'Reilly 1997 78-86
[10]Solomon,D.A, Russinovich,M.E著深入解析Windows操作系统(第4版)电子工业出版社2007 720-725
[11]卢坚高级加密标准研究及其FPGA设计[学位论文]西南交通大学 2002
[12]张伟ARP防火墙在终端主机安全管理系统中的设计与实现[学位论文]吉林大学2008
[13]邬钧霆 基于Brook的GPU通用计算研究[学位论文]解放军信息工程大学2007
[14]邵晓东网络终端安全管理系统的设计与实现[学位论文]山东大学2006
[15]祖峰计算机终端安全管理策略及应用的研究[学位论文]北京邮电大学2008
[16]何仲昆防火墙日志分析系统的研究与实现[学位论文]浙江大学2009
[17]张双应用代理防火墙中央日志审计子系统的设计与实现[学位论文]中国科学院研究生院 2001
[18]王鑫磊统一安全认证平台的设计与实现[学位论文]北京邮电大学2007
[19]肖新光主机安全检查与风险评估 信息网络安全2008,5:10-12
[20]USB Key身份认证技术在计算机系统信息安全中的使用方法高职论丛2009,3:36-38