摘要
国家标准GB17859-1999将信息系统分为五个等级,不同等级信息系统的安全策略和安全机制强度从第一级开始依次增强,称为“等级保护制度”,这是我国信息安全的基本制度。访问控制是实现重要信息资源保护的最直接和最基本的手段,也是等级保护的重要内容。然而,由于目前常用的访问控制模型和方法尚无法很好地解决系统内和系统间的间接违规访问问题,使得高等级信息系统和多级互联环境存在着很大的间接信息失泄密风险。为此,本文以多级互联系统为背景,设计了一种支持不同等级和不同互联模式下的访问控制系列模型,并提出了安全熵理论对其安全性进行了证明。具体而言,本文的主要工作包括:
1.为解决访问控制模型的安全性证明问题,提出了一种基于安全熵的量化分析方法。首先,根据信息论中加权熵的知识定义了安全熵,提出了违规访问行为判定的不确定性计算方法。然后,针对直接违规、流向违规和间接违规分别给出了安全熵计算方法,并根据可用性和保密性需求给出权值选取方法。第三,基于安全熵的形式,提出了判定系统是否存在违规访问可能性的方法,通过对典型访问控制模型的量化分析,验证了该方法的有效性,并指出了现有访问控制模型的不足。
2.基于安全熵给出了多级互联系统中不同等级和不同互联模式下的子系统安全性定理。首先分析了等级保护要求,以安全熵的形式提出了二、三、四级子系统在非互联模式下的安全性条件,为单级访问控制模型的安全性证明打下理论基础。然后,对安全熵进行扩展,提出联合安全熵概念,基于联合安全熵给出了适应不同互联模式的多级访问控制系统的安全性定理,为多联合访问控制模型的安全性证明打下理论基础。
3.提出了基于信息流强约束的单级访问控制模型,解决了系统内的间接违规信息流问题。首先,提出了基于信息流图的访问安全性判定方法,在信息流图基础上,对用户的间接违规访问行为进行增强型的约束。第二,对单级子系统状态机进行建模,定义了系统状态、状态转换规则、自动机和系统等要素,并给出了系统状态、状态转换规则、自动机和系统的安全性定理,对其安全性进行了证明。最后给出了二、三、四级子系统状态机的规则实现方法,并对规则集的安全性进行了证明。
4.提出了基于联合控制的多级互联访问控制模型,消除了多级互联系统的跨级间接违规信息流、流向泄密、用户安全标识假冒等风险。首先对多级互联访问控制系统进行建模,加入安全域、系统等级、信任矩阵、互联模式等要素,完备地描述多级互联系统。其次,给出多级互联访问控制模型的安全性定理,在多级信息流图的基础上,通过对用户跨域、跨级访问进行联合控制,保持不同等级子系统控制违规访问的一致性。第三,基于安全熵理论对模型的安全性进行了证明。最后,给出了六类子系统状态机的规则集,可支持不同互联模式的多级互联系统。
综上所述,本文形成了一套适用于多级互联系统的访问控制理论体系,为不同互联模式、不同安全等级的信息系统进行安全信息共享提供了基础理论支撑。
According to the GB17859-1999, the information system can be divided into five classes.The strength of security policy and security mechanism in different classes increases from thefirst one, which is called “level protection”. It is considered as the basic rule of our informationsecurity. Access control is the basic and direct way of realizing the important informationresources protection, as well as the primary aspect of “level protection”. However, the currentaccess control model and method can not effectively solve such problems as the intrasystem andintersystem irregular indirect access, resulting in the serious indirect risk of informationrevelation. Therefore, against the background of Cross-Multi-Class information system, thispaper originates a series of access control models, which works in different classes andinterconnection modes. In addition, security entropy is put forward, based on which, the securityof the model is proved. Specifically, the main contents of this paper are as below:
1. In order to solve the problem of security proof of access control in multi-class interconnection system,a security entropy-based quantitative analysis theory is proposed. Firstly, the policy security entropy is definedaccording to the weighted entropy in the information theory, and uncertainties calculate method is put forwardto determine the irregular access behaviors. Secondly, aiming at the direct violation, flow violation and indirectviolation, calculation method for security entropy are proposed respectively. Besides, weighs option method isgiven based on availability and confidentiality. Thirdly, based on the security entropy, the method ofdetermining the possibility of irregular access is presented. With the quantitative analysis of the typical accesscontrol model, the effectiveness of this method is verified, and the insufficient of the current model isindicated.
2. Based on the security entropy theory, the subsystem security theorem in different classesand different interconnection modes in multi-class interconnection system is proposed. Firstly,class-protection is analyzed, the security conditions of two, three, and four-class subsystemunder non-interconnection mode are proposed in the form of security entropy, laying thefoundation for the security certification of the single subsystem state machine. Then, securityentropy is extended, and the concept of the united security entropy is proposed. Based on theunited security entropy theory, the security theorem of the multi-class access control system usedin different interconnection modes is presented, laying the theoretical foundation for the securitycertification of the multi-class interconnection access control model.
3. The single-class access control model based on信息流强约束is put forward, and theproblem of intrasystem irregular indirect information stream is solved. Firstly, the method ofaccess security based on the information stream graph is raised. Then, based on the information stream graph, users’ indirect irregular accesses are strongly constrained. Secondly, thesingle-class subsystem state machine is modeled, as well as the system state, the state conversionrule, the auto machine and the system are defined. In addition, security theorems of the systemstate, the state conversion rule, the auto machine and the system are given, and their security isproved. Finally, the realization of rules for the two, three and four-class subsystem state machineis proposed, and its security is proved.
4. Based on the united control, the article puts forward the multi-class interconnectionaccess control model, through which, risks such as cross-class irregular indirect informationstream, wrong information flow, counterfeiting of user’s security identifiers in the multi-classinterconnection system is solved. Firstly, the multi-class interconnection access control system ismodeled, and security domain, system class, trust matrix, interconnection mode andadministrator are added. Besides, the multi-class interconnection system is described completely.Secondly, The security theorem of multi-class interconnection access control model is given.Based on multi-class information stream graph, through the united control of users’cross-domain and cross-class access, the consistency of different class subsystem controlirregular access is kept. Thirdly, based on the security entropy theory, the security of the modelis proved. Finally, the rule set of subsystem state machine in six classes is given, which cansupport the multi-class interconnection system in different interconnection model.
In conclusion, an access control theory system suited to multi-class interconnection systemis formed in this paper, which provides the theoretical foundation for the security informationsharing in the information system of different interconnection modes and security classes.
引文
[1]BELL D E,LAPADULA L J.Secure Computer Systems:Mathematical Foundations[R].Technical Report M74—244,The MITRE Corporation,Bedford,Massachussetts.1973.
[2] Bell D E, LaPadula L J. Secure computer system: unified exposition and multics interpretation[R]. Mitre Report,MTR-2997Rev1,1976.
[3] David Elliott Bell, Looking Back at the Bell-La Padula Model[J], Reston VA,20191,December7,2005.
[4] Classified National Security Information, Executive Order12958of April17,1995[EB/OL].:http://www.fas.org/sgp/clinton/eo12958.html.
[5] Amendment To Executive Order12958—Classified National Security Information, Executive Order13142ofNovember19,1999[EB/OL].: http://www.nodis3.gsfc.nasa.gov/displayEO.cfm.
[6] Further Amendment to Executive Order12958, as Amended, Classified National Security Information,Executive Order13292. March25,2003[EB/OL].: http://www.fas.org/sgp/bush/eoamend.html.
[7] Classified National Security Information, Executive Order13526of December29,2009[EB/OL].:http://www.nodis3.fsfc.nasa.gov/displayEO.cfm.
[8]国务院令147号令《中华人民共和国计算机信息系统安全保护条例》,1994.
[9] GB17859-1999.计算机信息系统安全保护等级划分准则[S].北京:中国标准出版社,1999.
[10]中办发[2003]27号.关于加强信息安全保障工作的意见.
[11]公通[2007]66号.关于印发《关于信息安全等级保护工作的实施意见》的通知
[12]国信办[2005]25号.电子政务信息安全等级保护实施指南(试行).
[13]公通字[2007]43号.信息安全等级保护管理办法
[14]公信安[2007]861号.关于开展全国重要信息系统安全等级保护定级工作的通知.
[15] GB/T18336.信息技术安全性评估准则[S],北京:中国标准出版社,2001.
[16] GB/T20273-2006.信息安全技术网络基础安全技术要求[S].北京:中国标准出版社,2006.
[17] GB/T22240-2008.信息安全技术信息系统安全保护等级定级指南[S].北京:中国标准出版社,2008.
[18] GB/T25070-2010.信息安全技术信息系统等级保护安全设计技术要求[S].2010.
[19]沈昌祥,加快推进信息安全等级保护工作[J],信息网络安全,2008(05)
[20] Kshemendra N. Paul. Information Sharing Environment[R]. Annual Report to the Congress Prepared by theProgram Manager, Information Sharing Environment, July2010.
[21] J. M. McConnell. United States Intelligence Community Information Sharing Strategy[R],, OFFICE OF THEDIRECTOR OF NATIONAL INTELLIGENCE, FEBRUARY22,2008.
[22] Thomas E. McNamara. Information Sharing Environment[R]. Annual Report to the Congress Prepared by theProgram Manager, Information Sharing Environment, July2009.
[23] Fred H. Cate. Creation of New Information Sharing Steering Committee for the IntelligenceCommunity[R],OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE PUBLIC AFFAIRS OFFICEWASHINGTON, D.C.20511, MARCH6,2007.
[24] GB/T22239-2008.信息安全技术信息系统安全等级保护基本要求[S].北京:中国标准出版社,2006.
[25] DoD.8500.2Instruction Information Assurance Implementaion.2003, February6.
[26]卿斯汉,刘文清,刘海峰等.操作系统安全[M].北京:清华大学出版社,2004.
[27] B.Lampson,”Protection,”Proceedings of the Fifth Princeton Symposium of Information Science andSystems,pp.437-443(Mar.1971);reprinted in Operation Syestms Review8(1),pp.18-24(Jan.1974).
[28] P.Denning,”Third Generation Computer Systems,”Computer Surveys3(4),pp.175-216(Dec.1971).
[29] G.Graham and P.Denning,”Protection—Pinciples and Practice,”Spring Joint Computer Conference,AFIPSConference Proceedings40,pp.417-429(1972).
[30] D.Miller and R.Baldwin,”Access Control by Boolean Expression Evaluation,” Proceeding of the5th AnnualComputer Security Applications Conference,pp.131-139(Dec.1990).
[31] R.Conway, W.Maxwall, and H.Morgan,”On the Implementation of Security Measures in InformationSystems,”Communications of the ACM15(4), pp.211-220(Apr.1972).
[32] H.Harrison and D.Hsiao,”Full Protection Specifications in the Semantic Model for Database ProtectionLanguages,” Proceedings of the1976ACM Annual Conference, pp.90-95(Oct.1976).
[33] L.Hoffman,“The Formulary Model for Flexible Privacy and Access Control,” Proceedings of the1971FallJoint Computer Conference, pp.587-601(1971).
[34] Sandhu R S, Coyne E J, Feinstein H L. Role-based access control models[J]. IEEE Computer,1996,29(2):38-47
[35] Saddhu R. Rationale for the RBAC96family of access control models[A]. Proceedings of the1st ACMWorkshop on Role-Based Access Control[C]. New York: ACM Press.,1997.
[36] FERRAIOLODF. KUNN R. Role-Based access contro1[A]. Proceedings of the15th Nation Computer SecurityConference[C], Baltimore,1992,554-563.
[37] D Denning. A lattice model of secure information flow. Communications of the ACM[J], l976, l9(5):236-243
[38]卿斯汉,刘文清,刘海峰.操作系统安全导论[M].北京:科学出版社,2003.
[39] REINHOLD V N. Morrie Gasser Building a Secure Computer system[M].1998.
[40] SANDHU R S. Lattice-based access control models[J]. IEEE Computer,1993,26(11):9-19.
[41] CAI Y,ZHENG Z R,SHEN C X. A planar attributes model based on multi level security policy[J]. ChineseJournal of Computer,2004,27(5):619-624.
[42] Ravi S.Sandhu, George,Lattice-Based Access Control Models[J]. IEEE,1993.
[43] McCullough D.Noninterference and the composition of security properties.In:Proc.of the IEEE Symposiumon Research in Security and Privacy.1988.
[44] Johnson D,Thayer F.Security and the composition of machines.In:Proc.of the Computer Security FoundationsWorkshop,IEEE Press,1988.14-23
[45] Goguen J,Meseguer J.Inference control and unwinding.In:Proc.of the IEEE Symposium on Research inSecurity and Privacy,1984.75-86
[46] Sutherland D.A model of information.In.Proc.of the ninth National Computer Security Conf.1986.175-183.
[47] Foley S N. A universal theory of information flow. In Proe.ofthe IEEE Symposium on Research in Securityand Privacy.IEEE Press,1987.116-121.
[48] McLean J.Security models and information flow.In:Proc.of1990IEEE Symposium on Research in Securityand Privacy.IEEE Press.1990.177-186
[49] O’Halloran C.A calculus of information flow.In:Proc.of FirstEuropean Symposium on Research inComputer Security(SORICS1990),1990.147-159.
[50] Zakinthinos A.Lee S.A general theory of security properties. In:Proc. of the1997IEEE Symposium onResearch in Se curity and Privacy.IEEE Computer Society Press.1997.94-102.
[51] Foley S N. A universal theory of information flow. In: Proe. of the IEEE Symposium on Research in Securityand Privacy. IEEE Press,1987.116-121
[52] Roscoe A W. CSP and determinism in security modeling. In:Proc.of the1995IEEE Symposium onSecurity and Privacy,IEEE Computer Society.1995.114-127.
[53] Ryan P Y A.A CSP formulation of non—interference and unwinding. Presented at CSFW199O andpublished in Cipher.Winter1990/1991.19-30.
[54] Ryan P Y A. Mathematical models of computer security. In:Foundations of Security Analysis and Design-Tutorial Lectures(R.Focardi and R.Gorrieri Eds),LNCS,Vol.2171,SpringerVerlag,2001.1-62
[55] Alien P G.A Comparison of non-Interference and non—Deducibility using CSP、In:Proc.of the FourthIEEE Computer Security Foundations Workshop,Franconia.New Hampshire,June1991.43-54.
[56] Rosce A W. CSP and determinism in security modeling. In:Proc.of the1995IEEE Symposium on Securityand Privacy,IEEE Computer Society.1995.114-127.
[57] Roscoe A W.Wood cock J C P.wulf L.Non—interference through Determinism. In:Proc.of EuropeanSymposium on Research in Computer Security1994(ESORICS’94).LNCS,Vo1.875,Springer—Verlag1994.33~53.
[58] Forster R.NoninteHerence Properties for Nondeterministic Ptocesses:[Vh. D Thesis].Trinity College,University of Oxford.1999.
[59] Schneider S A.M ay Testing.Non—interference and Compositionality:[-Technical Report CSD-TR-00-022001].Royal Holloway,University of London.
[60] Focardi R,.Gorrieri R. Classification of security properties(Part I:Information FIow). In:Foundations ofSecurity Analysis andDesign—Tutorial Lectures(R.Focardi and R.Gorrieri Eds). LNCS, Vol.2171,Springer-Verlag,2001,331-396.
[61] M ilner R.Communicating and M obile Systems.the Pi—Calculus.Cambridge University Press,1999.
[62]刘威鹏,张兴.基于非传递无干扰理论的二元多级安全模型研究[J].通信学报.2009,30(2):53-58.
[63] RUSHBY J.Noninterference,Transitivity, and Channel-control Security Policies[R]. Stanford ResearchInstitute, Tech Rep:CSL-92-02,1992.
[64] HAIGH J T, YONG W D. Extending the noninterference model of MLS for SAT[A]. Proceedings of theSymposium on Securiyt and Privacy[C]. Oakland,CA,l986.232-239.
[65] Dorothy E.Denning, A Lattice Model of Secure Information Flow[C]. Fifth ACM Symposium on OperatingSystems Principles, The University of Texas at Austin, November19-21,1975.
[66]石文昌,孙玉芳.多级安全政策的历史敏感性[J].软件学报,2003,14(1):91-96
[67]梁洪亮,孙玉芳,赵庆松.一个安全标记公共框架的设计与实现[J].软件学报,2003,14(3):547-552
[68]谭良,罗讯,周明天.动态多级安全系统安全标记的格模型[J].电子科技大学学报,2004,33(4):442-445
[69]石文昌,孙玉芳,梁洪亮.经典BLP安全公理的一种适应性标记实施方法及其正确性[J].计算机研究与发展,2001,38(11):1366-1372
[70]李瑞轩,赵战西,王治纲,等.一种基于访问历史的BLP模型[J].计算机科学,2006,33(7):286-289.
[71]张晓菲,许访,沈昌祥.基于可信状态的多级安全模型及其应用研究[J].电子学报,2007,35(8):1511-1515.
[72]谭智勇,刘铎,司天歌,戴一奇.一种具有可信度特征的多级安全模型[J].电子学报.2008,36(8):1637-1641.
[73] Bell D E. Secure computer systems: A network interpretation[A]. Proceedings of the3rd Annual ComputerSecurity Application Conference[C]. Vienna,VA,USA,1987.32-39.
[74] Lee T M P. Using mandatory integrity to enforce“commercial”security[A]. Proceedings of the8th NationalComputer SecurityConference[C]. Gaithersburg,MD,USA,1985.108-119.
[75]季庆光,卿斯汉,贺也平.一个改进的可动态调节的机密性策略模型[J].软件学报,2004,15(10):1547-1557.
[76] XIE J,XU F,HUANG H. Trust degree based multilevel security policy and its model of state machine[J].Journal of Software,2004,15(11):1700-1708.
[77] Varadharajan V, Black S, et al. A Multilevel Security Model for a Distributed Object-Oriented System[C].Computer Security Applications Conference,1990, proceedings of the sixth annual:68-78.
[78] Roderick Chapman, Adrian Hilton. Enforcing Security and Safety Models with an Information Flow AnalysisTool[C]. SIGAda’04Proceedings of the2004annual ACM SIGAda international conference on Ada: Theengineering.
[79] Common Criteria. Common Criteria for Information Technology Security Evaluation[S].1999.
[80] McLean J. Security Models and Information Flow[C]. Research in Security and Privacy.1990.
[81]郑志蓉,赫方,岳阳.一种基于良构应用的多级安全策略模型[J].计算机工程.2008,34(3):168-170.
[82]刘益和.一个基于网格环境的安全信息流模型[J].计算机科学.2011,38(6):157-160,199.
[83]葛方斌,杨林,王建新.多域环境下具有动态适应性的多级安全模型[J].计算机工程与应用.2008,44(22):124-128
[84]雷倩睿,孟祥义.应用于多级安全网络的安全策略模型研究[J].现代计算机(专业版),2010,(4):68-71.
[85]刘益和.多密级子网的网络安全信息流模型[J].华东理工大学学报,2007, vol.33增刊:70-73.
[86] ISO/IEC18028-3.信息技术,安全技术, IT网络安全,第3部分:使用安全网关的网络间的安全通信
[S].Switzerland:ISO/IEC,2005.
[87]陈颖,杨寿保,郭磊涛等.网格环境下的一种动态跨域访问控制策略[J].计算机研究与发展.2006,43(11):l863-1869.
[88]孙军红,王新红.一种分布式环境下基于角色的访问控制模型[J].计算机工程与应用.2011,47(23):84-87.
[89]武鹏,梁英,陈皓,王新.一种基于策略的跨自主域访问控制模型研究[J].微电子学与计算机.2008,25(9):7-11.
[90] Kapadia A, Al-Muhtadi J, Campbell R, et al.IRBAC2000: secure interoperability using dynamic roletranslation1, UIUCDCS-R-2000-2162[R].University of Illinois,2000.
[91] Campbell R, Liu Z, Nichnuas D.Seraphism: dynamic interoperable security architecture for active networks[C]//IEEE OPENARCH2000Tel-Aviv, March2000.
[92]洪帆,崔永泉,崔国华等.多域安全互操作的可管理使用控制模型研究[J].计算机科学,2006,33(3):283-286.
[93]邹翔,金波,倪力舜.跨域访问控制与边界防御方法研究[J].计算机应用研究.2010,27(4):1481-1483.
[94] Eric Yong, Jin Tong. Attributed Based Acess Control(ABAC)for Web Seavices. Proe.IEEE InternationalConference on Web Services(ICWS05), Florida, USA, May2005:561—569.
[95] M.Yague,A.Mana,L.Lopez,etc. Applying the Semantic Web layers to Access Control. Proc.DEXA2003Workshop on Web Semantics. Prague, Czech Republic, September2003:622-626.
[96] L.Kagal, T.Bemers-Lee, D.Connolly,etc. Using semantic web technologies for open policy management on theweb.21st National Conference on Artificial Intelligence(AAAI),2006.
[97] A.Uszok,J.M,Bradshaw,etc,Policy and contract management for semantic web services,in:Proceedings ofSemantic Web Se rvices Symposium,Stanford,California,2004.
[98] T.Priebe,W.Dobmeier, N.Kamprath,Supporting Attribute-Based Access Control with Ontologies.Prc.1stInternational Conference on Availability, Reliability and Security. Vienna,Austria.2006:465—472.
[99]胡罗凯,王海军.基于分布式本体的语义访问控制方法[J].湖北第二师范学院学报.2010,27(8):84-87.
[100] Apu Kapadia,Jalal A1-Muhtadi,Campbell R,et a1.IRBAC2000:Secure interoperability using dynamicrole translation[C].1st International Conference on Intemet Computing,2000。
[101]廖俊国,洪帆,朱贤等.多域间动态角色转换的职责分离[J].计算机研究与发展.2006,43(6):1065-1070.
[102]张文超,李亚芬.基于Web服务的联合访问控制系统的研究与实现[J].计算机工程与设计.2011,32(2):477-480.
[103]於光灿,李瑞轩.协作环境中基于场所的访问控制模型[J].计算机科学,2009:81-85.
[104]方萃浩,叶修梓等.协同环境中的访问控制[J].软件学报,2007:2295-2304.
[105]文珠穆.多域环境中的动态信任与访问控制研究[D].武汉:华中科技大学博士学位论文,2008.
[106]唐卓,张宗礼,李肯.立基于风险的工作流系统访问控制优化策略[J].计算机应用研究,2009:4295-4298.
[107] Sandhu R, Park J. Usage Control: A Vision for Next Generation Access Control. MMM-ACNS2003
[108] Park J. Sandhu R. Originator Control in Usage Control. In3rd International Workshop on Policies forDistributed Systems and Networks(Policy02).2002
[109] Jaehong Park and Ravi Sandhu, The UCONABC Usage Control Model, ACM Transactions on Informationand System Security,7(1):128-174,2004.
[110]李开勤.分布式环境中访问控制模型的研究与应用.西南交通大学,2007.
[111]刘瑞祥,梅海涛,殷兆麟.分布式对象访问控制的UML建模[J].微电子学与计算机.2009,26(9):102-106.
[112]翟征德,冯登国.一个通用的分布式访问控制决策中间件[J].计算机工程与应用.2008,44(1):17-22
[113]刘琼波,施军,尤晋元.分布式环境下的访问控制[J].计算机研究与发展,2001,38(6):735-740
[114]多域环境中基于蚁群算法的抗攻击时态信任模型[J].计算机科学.2009:
[115]王铁方,刘晓洁,李涛,龚勋,蒋亚平,杨进,赵奎,胡晓勤.基于家族基因的网格信任模型[J].四川大学学报,2007, Vol.38No.6:123-126.
[116]张仕斌,刘全,曾鸿.基于开放式网络环境的模糊自主信任模型[J].清华大学学报,2006, Vo l.46, No.S1:1109-1114.
[117]马满福,姚军.网格环境的一种跨域信任模型[J].计算机应用.2008,21-0062-03:62-64.
[118]汪进,杨新,刘晓松.一种新型的网格行为信任模型[J].计算机应用.2003,21-0062-03:62-64.
[119]李云亮.基于PKI的分布式交叉认证研究[D].重庆大学硕士学位论文,2004.
[120]朱启胜.基于WPKI的Kerberos身份认证的应用研究[D].西安:西安电子科技大学硕士学位论文,2006.
[121]张景安,郭显娥. P2P网络中基于动态推荐的信任模型[J].计算机工程,2010,(01).
[122]赵灵犀,田园,邓鲁耀. P2P环境下引入激励机制的动态信任模型[J].计算机应用研究,2010,(01)
[123]荆琦,唐礼勇,陈钟.无线传感器网络中的信任管理研究[J].软件学报,2008,19(7):1716-1730.
[124]叶阿勇,马建峰.一种移动自组网中信任评估模型的设计[J].计算机研究与发展,2008,45(5):765-771.
[125]卢震宇,戴英侠,胡艳.分布式认证系统互联的信任径构建分析和实现[J].计算机工程与应用,2002,10:155-158.
[126]樊蕊.跨域身份认证系统的研究与实现.西安电子科技大学硕士论文.
[127] Josang A, Knapskog S J.A metric for trusted systems [J].Global IT Secarity. Wien:Austrian ComputerSociety.1998,541-549.
[128] Reiter M K,Stubblebine S G.Toward acceptable metrics of authentication[C].Proc.1997IEEE Syrup.Security and Privacy.1997,10-20.
[129]张京楣,张景祥. P2P网络安全的信任模型研究[J].1001.3695(2003)03-0I6.0:76-77.
[130]田慧蓉,邹仕洪,王文东,程时端. P2P网络层次化信任模型[J].电子与信息学报.2007, Vol.29No.11:2560-2563.
[131]贾伟,张国瑜.基于代理机制的交叉认证模型研究[J].计算机应用.2007, Vol.27No.12:2925-2927.
[132]司天歌,谭智勇,戴一奇.一种对多级安全模型安全性的分析方法[J].计算机研究与发展.1711-1717
[133]胡俊,沈昌祥,张兴.一种BLP模型的量化分析方法[J].小型微型计算机系统.2009,30(8):1605-1610
[134]傅祖芸.信息论—基础理论与应用[M].北京:电子工业出版社,2007.
[135]王贵宝,黄洪钟,张小玲.风险可能数--一种基于最大信息熵理论的风险度量和风险排序新方法[J].航空学报.2009,30(9):1684-1690.
[136]付钰,吴晓平,叶清等.基于模糊集与熵权理论的信息系统安全风险评估研究[J].电子学报.2010,38(7):1490-1494.
[137]赵冬梅,马建峰,王跃生.信息系统的模糊风险评估模型[J].通信学报.2007,28(4):51-56.