Research on a Network Security Policy Monitoring Model and Its Key Technologies
Abstract
In recent years, with the development of security management, security policy management has become a research hotspot. Current research on security policy management concentrates mostly on unified policy description, policy translation, and policy conflict detection and resolution. However, as the research deepens, policy monitoring technology also needs to be studied, so that we know how a policy is configured in the system and how it is enforced after being issued to devices, and can thereby further guarantee the reliable operation of the policy management system. Therefore, as an important component of a security policy management system, policy monitoring technology has become another frontier technology in the development of policy management, both now and for some time to come.
     This thesis analyses and studies the content involved in policy monitoring technology in depth. The main work is as follows:
     1. The whole life cycle of a policy is analysed and summarised; the two concepts of policy configuration state and policy execution state are proposed; finite state automaton theory is introduced and applied to the policy state transition process; a policy monitoring model is established; and the purpose and tasks of policy monitoring are further clarified. This lays the theoretical foundation for monitoring the state of a policy throughout its whole life cycle.
     2. For the policy monitoring model, a policy monitoring mechanism based on a message channel is proposed. Its dual-queue organisation effectively prevents message disorder; a unified monitoring message format and message channel are used to encapsulate and queue messages, masking the data differences between different systems and devices, so that monitoring event data can be acquired and monitoring efficiency improved.
     3. Through a study of the two-phase execution process of security policies, a policy execution monitoring data collection method based on dual-point detection is proposed, which captures policy execution state data. To meet the remote requirements of policy monitoring, the BEEP protocol framework is extended and the Policy Monitoring Data Transport Protocol (PMDTP) is designed, solving the two key technical problems in the policy monitoring mechanism.
     4. Based on the policy monitoring mechanism and related technical methods proposed in this thesis, a prototype policy monitoring system is designed and implemented.
     In summary, this thesis designs a policy monitoring model based on a Mealy automaton and a policy monitoring mechanism based on a message channel, and solves the key technical problems involved. On the one hand, this lays a theoretical foundation for research on the frontier technology of policy monitoring; on the other, it provides useful technical support for building an integrated security policy management system.
With the development of security management, security policy management has become a hotspot in information security research. However, few people have been concerned with the research of policy monitoring technology, which is one of the most important components of policy management and guarantees the overall security of the system.
     Monitoring technology has been widely used in network management and resource management. Therefore, policy monitoring technology will be a hotspot of policy research in the future.
     In this paper, we study policies and the related content of network security devices to solve the policy monitoring problem. The main work of this paper is as follows:
     1. Propose a state transition theory for the whole life cycle of a policy, and build a policy monitoring model based on a finite state automaton (FSA). According to the policy life cycle and FSA theory, we build the policy state transition model, which provides the academic guidance for the study.
     2. Design a common monitoring message channel for the policy monitoring phase, which can be used to capture monitoring events. Policy states can then be changed, or illegal events reported to the manager as alarms.
     3. Propose a dual-point detection mechanism for monitoring policy working states and acquiring policy enforcement data, and design a transport protocol for the monitoring data based on BEEP, which settles the transport of remote data to the policy monitoring platform.
     4. Based on the research above, we design and implement the policy monitoring prototype system PMS.
     Policy monitoring technology is a new field in policy theory. According to the needs of the project, we study policy monitoring in the policy management system, which provides theoretical and technical support for constructing a secure environment.
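The abstract's first two contributions, a finite-state (Mealy) model of policy lifecycle states driven by monitoring events, and a dual-queue message channel that keeps those events from arriving out of order, can be shown together in one small program. The following is an added example written for this page; it is not code from the thesis or its prototype system. The state names (configuration states DEFINED and DISTRIBUTED, execution states ENFORCING, VIOLATED and WITHDRAWN), the event names, the message fields including the `seq` sequence number, and the sample messages are all assumptions constructed here for illustration; the thesis does not publish them.

```python
# Added example, not code from the thesis: a Mealy-automaton policy lifecycle
# monitor fed through a sequence-ordered dual-queue message channel.
# State names, event names, message fields and the sample messages are all
# constructed assumptions for illustration.
from collections import deque

# Assumed policy states.  Configuration states: DEFINED, DISTRIBUTED.
# Execution states: ENFORCING, VIOLATED, WITHDRAWN.
# Mealy table: (current state, input event) -> (next state, output).
TRANSITIONS = {
    ("DEFINED", "deploy"):     ("DISTRIBUTED", "policy pushed to device"),
    ("DISTRIBUTED", "ack"):    ("ENFORCING",   "device confirmed configuration"),
    ("DISTRIBUTED", "nack"):   ("DEFINED",     "ALERT: device rejected policy"),
    ("ENFORCING", "hit"):      ("ENFORCING",   "rule matched traffic"),
    ("ENFORCING", "bypass"):   ("VIOLATED",    "ALERT: traffic bypassed the rule"),
    ("ENFORCING", "withdraw"): ("WITHDRAWN",   "policy removed from device"),
    ("VIOLATED", "redeploy"):  ("DISTRIBUTED", "policy re-pushed after violation"),
}


class PolicyMonitor:
    """Tracks one policy's lifecycle state; every transition emits an output."""

    def __init__(self, policy_id):
        self.policy_id = policy_id
        self.state = "DEFINED"
        self.outputs = []

    def feed(self, event):
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            # Undefined transition: the automaton stays put and raises an alarm.
            self.outputs.append(f"ALERT: illegal event {event!r} in state {self.state}")
            return self.state
        self.state, output = nxt
        self.outputs.append(output)
        return self.state


class OrderedChannel:
    """Dual-queue channel: out-of-order messages wait in `pending` (keyed by
    sequence number); `ready` is a FIFO that only ever holds the next
    contiguous run, so consumers see events in emission order."""

    def __init__(self):
        self.expected = 1
        self.pending = {}
        self.ready = deque()

    def push(self, msg):
        seq = msg["seq"]
        if seq < self.expected or seq in self.pending:
            return  # stale or duplicate delivery: drop it
        self.pending[seq] = msg
        while self.expected in self.pending:
            self.ready.append(self.pending.pop(self.expected))
            self.expected += 1

    def drain(self):
        while self.ready:
            yield self.ready.popleft()


# Constructed sample: unified monitoring messages arriving out of order,
# with one duplicate delivery of seq 3.
SAMPLE_MESSAGES = [
    {"seq": 1, "device": "fw-edge-1", "policy": "rule-17", "event": "deploy"},
    {"seq": 3, "device": "fw-edge-1", "policy": "rule-17", "event": "hit"},
    {"seq": 2, "device": "fw-edge-1", "policy": "rule-17", "event": "ack"},
    {"seq": 4, "device": "fw-edge-1", "policy": "rule-17", "event": "bypass"},
    {"seq": 3, "device": "fw-edge-1", "policy": "rule-17", "event": "hit"},
]


def run(messages, ordered=True):
    """Feed messages to per-policy monitors, with or without the ordering
    channel.  Returns {policy_id: (final_state, outputs)}."""
    monitors = {}
    if ordered:
        chan = OrderedChannel()
        for m in messages:
            chan.push(m)
        stream = list(chan.drain())
    else:
        stream = messages  # raw arrival order, disorder and duplicates included
    for m in stream:
        mon = monitors.setdefault(m["policy"], PolicyMonitor(m["policy"]))
        mon.feed(m["event"])
    return {pid: (mon.state, mon.outputs) for pid, mon in monitors.items()}


if __name__ == "__main__":
    for pid, (state, outs) in run(SAMPLE_MESSAGES).items():
        print(pid, state, *outs, sep="\n  ")
```

Run with `ordered=True` the monitor sees deploy, ack, hit, bypass and ends in VIOLATED with a single genuine alert; run with `ordered=False` the same messages produce two spurious "illegal event" alarms, because the `hit` reports reach the automaton before the `ack` and again after the policy is already violated. That is the failure the dual-queue organisation is meant to remove.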