基于复杂适用系统的动态网络安全模型的研究
|
摘要
随着网络的深入发展,使得网络安全问题显得越来越突出,人们对网络安全的问题也越来越关注。面对日益增多的网络攻击,如何真正做到“网络既开放又安全”已经成为摆在世界科技人员面前的一个重要课题。
安全模型是针对网络安全问题提出的解决方案,传统的安全模型是静态安全模型,对动态的安全威胁、系统的脆弱性没有应对措施。面对日益流行的分布式、协同式攻击,任何单个的安全组件防御能力是有限的,只有各安全组件实现有效的互动,构成整体安全解决方案,才能进行有效解决网络安全问题。
另外研究表明:Internet网络是一个由简单规则形成的复杂网络,随着时间的推延和人们对网络安全问题的关注的增加,如何提供好的网络安全模型使其适应这样的动态变化的复杂网络环境已成为一个亟待解决的问题。
本文在介绍现有的几种网络安全模型的基础上,详细分析了现有安全模型存在的问题,在复杂适用系统的基础上提出一个基于闭环控制的,以安全管理和安全策略为中心的SAP~2MDR~2C动态网络安全模型,并设计一种基于复杂适用系统的入侵检测系统应用于SAP~2MDR~2C模型中,一定程度上解决了入侵检测中的误测和漏测的问题,增加了模型的安全性能和安全等级。并利用Swarm提供的仿真环境,实现入侵检测系统聚集模块的动态仿真,对推动复杂适用系统和动态网络安全模型的进一步发展有一定的指导和借鉴意义。
With the development of Internet, network security becomes more and more prominently. The people also pay more attention to the network security.Facing network attacking which increases day by day, how truly achieved "the network both open and safely" already becomes suspends in front of a world technical personnel's important topic.
The security model is aims at the solution which the network security proposed.The traditional security model is the static security model. It is not measure to the dynamic safe threat and the system vulnerability .Facing day by day popular distributional, coordination type attack, any single security module defense capability is limited,.Only when each security module realize effective interaction and constitute whole safe solution, the model can solve the network security question effectively.
Moreover, the research indicated that, network is a complex network which forms by some simple rules.Along with time extending and the people to the network security question attention increase, how provides the good network security model which can adapt to such dynamic change complex network circumstances is become a question which urgently awaits to be solved.
This article introduced some network security models and analyzed their liminitation. Then the author brings forward a new dynamic network security model SAP~2MDR~2C of the complex adaptive system which based on the closed-loop control.Its nucleus is security management and security policy.And it designs a new algorithm of intrusion detection based on complex adaptive system utilizes in this model.It can solved in some degree the problem of measure by mistake and missed detection; increased the model safety performance and the security rating. With using the simulation environment of Swarm, it realizes dynamic simulation of intrusion detection system. It to impels complex adaptive system and the dynamic network security model further development has certain instruction and the model significance.
安全模型是针对网络安全问题提出的解决方案,传统的安全模型是静态安全模型,对动态的安全威胁、系统的脆弱性没有应对措施。面对日益流行的分布式、协同式攻击,任何单个的安全组件防御能力是有限的,只有各安全组件实现有效的互动,构成整体安全解决方案,才能进行有效解决网络安全问题。
另外研究表明:Internet网络是一个由简单规则形成的复杂网络,随着时间的推延和人们对网络安全问题的关注的增加,如何提供好的网络安全模型使其适应这样的动态变化的复杂网络环境已成为一个亟待解决的问题。
本文在介绍现有的几种网络安全模型的基础上,详细分析了现有安全模型存在的问题,在复杂适用系统的基础上提出一个基于闭环控制的,以安全管理和安全策略为中心的SAP~2MDR~2C动态网络安全模型,并设计一种基于复杂适用系统的入侵检测系统应用于SAP~2MDR~2C模型中,一定程度上解决了入侵检测中的误测和漏测的问题,增加了模型的安全性能和安全等级。并利用Swarm提供的仿真环境,实现入侵检测系统聚集模块的动态仿真,对推动复杂适用系统和动态网络安全模型的进一步发展有一定的指导和借鉴意义。
With the development of Internet, network security becomes more and more prominently. The people also pay more attention to the network security.Facing network attacking which increases day by day, how truly achieved "the network both open and safely" already becomes suspends in front of a world technical personnel's important topic.
The security model is aims at the solution which the network security proposed.The traditional security model is the static security model. It is not measure to the dynamic safe threat and the system vulnerability .Facing day by day popular distributional, coordination type attack, any single security module defense capability is limited,.Only when each security module realize effective interaction and constitute whole safe solution, the model can solve the network security question effectively.
Moreover, the research indicated that, network is a complex network which forms by some simple rules.Along with time extending and the people to the network security question attention increase, how provides the good network security model which can adapt to such dynamic change complex network circumstances is become a question which urgently awaits to be solved.
This article introduced some network security models and analyzed their liminitation. Then the author brings forward a new dynamic network security model SAP~2MDR~2C of the complex adaptive system which based on the closed-loop control.Its nucleus is security management and security policy.And it designs a new algorithm of intrusion detection based on complex adaptive system utilizes in this model.It can solved in some degree the problem of measure by mistake and missed detection; increased the model safety performance and the security rating. With using the simulation environment of Swarm, it realizes dynamic simulation of intrusion detection system. It to impels complex adaptive system and the dynamic network security model further development has certain instruction and the model significance.
引文
[1] 方锦清、汪小帆、刘曾荣,2004年:《略论复杂性问题和非线性复杂网络系统的研究》,《科技导报》第2期
[2] 陈森发编.复杂系统建模理论与方法[M].南京:东南大学出版社,2005:228-240
[3] Cohen F. Computer Virus-Theory and Experiments. Computer and Security, 1987, 6(1): 2 235
[4] 钱学森.再谈开放的复杂巨系统[J].模式识别与人工智能,1991,4(1):3-9
[5] J. Leskovec, J. Kleinberg, C. Faloutsos. Graphs over Time: Densification Laws, Shrinking Diameters and Possible Explanations. Proc. 11th ACM SIGKDD Intl. Conf. on Knowledge Discovery and Data Mining, 2005
[6] C. R. Myers. "Software systems as complex networks: structure, function, and evolvability of software collaboration graphs", Phys. Rev.E 68, 046116 (2003)
[7] J. Kleinberg, Complex Networks and Decentralized Search Algorithms. Proceedings of the International Congress of Mathematicians (ICM), 2006
[8] Pastor-Satorras R, Vespignani A. Evolution and Structure of the Internet: A Statistical Physics Approach. Cambridge University Press, 2004
[9] Newman M E J. The structure and function of complex networks. SIAM Review, 2003, 45:167-256
[10] 李涛.网络安全概论.北京:电子工业出版社[M],2004
[11] J. Kleinberg, M. Sandler, A. Slivkins. Network Failure Detection and Graph Connectivity. Proc. 15th ACM-SIAMSymposium on Discrete Algorithms, 2004
[12] 胡铮.网络与信息安全.北京:清华大学出版社[M],2006
[13] 候小梅,毛宗源,张波.基于P~2DR模型的Internet安全技术[J].计算机工程与应用,2000,36(12):1~2
[14] 孟学军,石岗.基于UDR网络安全体系结构[J].计算机工程,2004,30(4):99-101.
[15] 陈运明.动态网络安全模型的系统研究[J].网络安全与技术应用,2005(5):47-49
[16] Don Thompson. Designing a Microsoft Windows 2000 Networking Serviceslnfrastructure. MS PRESS. 2000
[17] 吴世忠,陈晓桦,李鹤田,李斌等.信息安全测评认证理论与实践.合肥:中国科学技术出版社,2006:43—47
[18] http://www.scichina.com/article?code=jos170885e&jccode=52
[19] 王绍斌,朱贤,洪帆.SAPPDRRC动态网络安全模型[J].微型机与应用,2004(1): 29-38
[20] http://space. mstc. com. cn/?4320/action_viewspace_itemid_79.html
[21] Mark Johnson. Implementing and Administering Microsoft Windows 2000 Directory Services. MS PRESS, 2000
[22] 曾海.P~2MDR~2网络安全防御模型的研究[J].湘潭大学学报(自然科学版),2005,27(3):32-35.
[23] http://ieeexplore.ieee.org/ie12/3866/11283/00515640.pdf?arnumber=515640
[25] Petitcolas F A P ,Anderson R J ,Kuhn M G. In formation Hiding-a Survey. In:Proceeding of IEEE, 1999,87(7):1062-1078
[26] Swanson M D, Kobayashi M, Tewfik A H. Multimedia Data Embedding and Watermarking Technologies. In:Proceeding of IEE, 1998,86(6):1064-1087
[27] 胡昌振.网络入侵检测原理与技术[M].北京:北京理工大学出版社,2006:
[28] Peter Lichodzijewski, Malcolm 1.Heywood Host-Based Intrusion Detection Using Self-Organizing Maps IEEE 2002,02
[29] Design of Secure System Architecture Model for Active Network. http://www.Jos.org.cn/1000—9825/13/1352.pdf. 2003-05-26
[30] Spitzner L. Honey pot: Definitions and Value of Honey pots. http://www.enteract.com/lspitz. 2003-05-26
[31] 郑成兴编.网络入侵防范理论与实践[M].北京:机械工业出版社,2006:
[32] Martin Botha,Rossouw Von Solms The Utilization of,artificial Intelligence in a Hybrid Intrusion Detection System Proceeding of SAICSIT 2002,pages 149-155
[33] David Wanger Drew Death. Intrusion Detection via Static Analysis.http://citeseer.nj.nec.com 2005
[34] Thomas H. Ptacek, Timothy N. newsham. Insertion, Evasion, and Oenialof Servic e:E luding Network intrusion Detection. Secure Networks, lnc2004
[35] The Intrusion Detection Exchange Protocol. http://www.ietf.org/internetdrafts/drafi-ietf-idwg-beep-idxp-07
[36] The Common Intrusion Detection Framework Architecture.http://www.isi.edu/gost/cidf/drafts/architecture.txt
[37] Communication in the Common Intrusion Detection Framework. http://www.isi.edu/gost/cidf/drafts/communication.txt
[38] Junling Hu,Michael P.ellman,Leaming about other agents in adynamic Multiagent system[J],Journal of Cognitive System Research2 (2001)67-79.
[39] ThmasY.Choi,Kevin J.Dooley etc,Supply network and complex adaptive system: control versus emergence [J], Journal of Operation Management 19 (2001) 351-366
[40] Puketa N F, Zhang K, Chung M, et al. A Methodology for Testing Intrusion De tection System.I EEE Transactionson Software Engineering, 1994,22(10): 719-722
[41] Cohen F.Models of Practical Defenses Against Computer Viruses. Computer and ecurit y, 1989,8(2):1 49160
[42] 许国志.系统科学[M].上海:上海科技教育出版社,2000
[43] 汪小帆,李翔,陈关荣.复杂网络理论及其应用[M].北京:清华大学出版社,2006
[44] 杨雅琴,杨进才,曹继伟.基于仿真平台的复杂网络建模研究[J].计算机与数字工程,2006,34(3):13~24
[45] http://www.swarmagents.com/complex
[46] http://philosophy.cass.cn/chuban/zxyj/yjgqml/04/0408/040809.htm
[47] http://61.183.121.131/whucn/resource/T-CAS%20Pinning.pdf
[48] http://www.univs.cn/univs/zzlm/collegejiangtan/info_display.php?id=101000
[49] 张守一,SWARM及其在经济研究中的应用[J],数量经济技术经济研究,2001第1期
[50] 李士勇编.非线性科学与复杂性科学[M].哈尔滨:哈尔滨工业大学出版社,2006:
[2] 陈森发编.复杂系统建模理论与方法[M].南京:东南大学出版社,2005:228-240
[3] Cohen F. Computer Virus-Theory and Experiments. Computer and Security, 1987, 6(1): 2 235
[4] 钱学森.再谈开放的复杂巨系统[J].模式识别与人工智能,1991,4(1):3-9
[5] J. Leskovec, J. Kleinberg, C. Faloutsos. Graphs over Time: Densification Laws, Shrinking Diameters and Possible Explanations. Proc. 11th ACM SIGKDD Intl. Conf. on Knowledge Discovery and Data Mining, 2005
[6] C. R. Myers. "Software systems as complex networks: structure, function, and evolvability of software collaboration graphs", Phys. Rev.E 68, 046116 (2003)
[7] J. Kleinberg, Complex Networks and Decentralized Search Algorithms. Proceedings of the International Congress of Mathematicians (ICM), 2006
[8] Pastor-Satorras R, Vespignani A. Evolution and Structure of the Internet: A Statistical Physics Approach. Cambridge University Press, 2004
[9] Newman M E J. The structure and function of complex networks. SIAM Review, 2003, 45:167-256
[10] 李涛.网络安全概论.北京:电子工业出版社[M],2004
[11] J. Kleinberg, M. Sandler, A. Slivkins. Network Failure Detection and Graph Connectivity. Proc. 15th ACM-SIAMSymposium on Discrete Algorithms, 2004
[12] 胡铮.网络与信息安全.北京:清华大学出版社[M],2006
[13] 候小梅,毛宗源,张波.基于P~2DR模型的Internet安全技术[J].计算机工程与应用,2000,36(12):1~2
[14] 孟学军,石岗.基于UDR网络安全体系结构[J].计算机工程,2004,30(4):99-101.
[15] 陈运明.动态网络安全模型的系统研究[J].网络安全与技术应用,2005(5):47-49
[16] Don Thompson. Designing a Microsoft Windows 2000 Networking Serviceslnfrastructure. MS PRESS. 2000
[17] 吴世忠,陈晓桦,李鹤田,李斌等.信息安全测评认证理论与实践.合肥:中国科学技术出版社,2006:43—47
[18] http://www.scichina.com/article?code=jos170885e&jccode=52
[19] 王绍斌,朱贤,洪帆.SAPPDRRC动态网络安全模型[J].微型机与应用,2004(1): 29-38
[20] http://space. mstc. com. cn/?4320/action_viewspace_itemid_79.html
[21] Mark Johnson. Implementing and Administering Microsoft Windows 2000 Directory Services. MS PRESS, 2000
[22] 曾海.P~2MDR~2网络安全防御模型的研究[J].湘潭大学学报(自然科学版),2005,27(3):32-35.
[23] http://ieeexplore.ieee.org/ie12/3866/11283/00515640.pdf?arnumber=515640
[25] Petitcolas F A P ,Anderson R J ,Kuhn M G. In formation Hiding-a Survey. In:Proceeding of IEEE, 1999,87(7):1062-1078
[26] Swanson M D, Kobayashi M, Tewfik A H. Multimedia Data Embedding and Watermarking Technologies. In:Proceeding of IEE, 1998,86(6):1064-1087
[27] 胡昌振.网络入侵检测原理与技术[M].北京:北京理工大学出版社,2006:
[28] Peter Lichodzijewski, Malcolm 1.Heywood Host-Based Intrusion Detection Using Self-Organizing Maps IEEE 2002,02
[29] Design of Secure System Architecture Model for Active Network. http://www.Jos.org.cn/1000—9825/13/1352.pdf. 2003-05-26
[30] Spitzner L. Honey pot: Definitions and Value of Honey pots. http://www.enteract.com/lspitz. 2003-05-26
[31] 郑成兴编.网络入侵防范理论与实践[M].北京:机械工业出版社,2006:
[32] Martin Botha,Rossouw Von Solms The Utilization of,artificial Intelligence in a Hybrid Intrusion Detection System Proceeding of SAICSIT 2002,pages 149-155
[33] David Wanger Drew Death. Intrusion Detection via Static Analysis.http://citeseer.nj.nec.com 2005
[34] Thomas H. Ptacek, Timothy N. newsham. Insertion, Evasion, and Oenialof Servic e:E luding Network intrusion Detection. Secure Networks, lnc2004
[35] The Intrusion Detection Exchange Protocol. http://www.ietf.org/internetdrafts/drafi-ietf-idwg-beep-idxp-07
[36] The Common Intrusion Detection Framework Architecture.http://www.isi.edu/gost/cidf/drafts/architecture.txt
[37] Communication in the Common Intrusion Detection Framework. http://www.isi.edu/gost/cidf/drafts/communication.txt
[38] Junling Hu,Michael P.ellman,Leaming about other agents in adynamic Multiagent system[J],Journal of Cognitive System Research2 (2001)67-79.
[39] ThmasY.Choi,Kevin J.Dooley etc,Supply network and complex adaptive system: control versus emergence [J], Journal of Operation Management 19 (2001) 351-366
[40] Puketa N F, Zhang K, Chung M, et al. A Methodology for Testing Intrusion De tection System.I EEE Transactionson Software Engineering, 1994,22(10): 719-722
[41] Cohen F.Models of Practical Defenses Against Computer Viruses. Computer and ecurit y, 1989,8(2):1 49160
[42] 许国志.系统科学[M].上海:上海科技教育出版社,2000
[43] 汪小帆,李翔,陈关荣.复杂网络理论及其应用[M].北京:清华大学出版社,2006
[44] 杨雅琴,杨进才,曹继伟.基于仿真平台的复杂网络建模研究[J].计算机与数字工程,2006,34(3):13~24
[45] http://www.swarmagents.com/complex
[46] http://philosophy.cass.cn/chuban/zxyj/yjgqml/04/0408/040809.htm
[47] http://61.183.121.131/whucn/resource/T-CAS%20Pinning.pdf
[48] http://www.univs.cn/univs/zzlm/collegejiangtan/info_display.php?id=101000
[49] 张守一,SWARM及其在经济研究中的应用[J],数量经济技术经济研究,2001第1期
[50] 李士勇编.非线性科学与复杂性科学[M].哈尔滨:哈尔滨工业大学出版社,2006: