
Research on Security Architecture and Key Technologies for Insider Threat

Research of Security Architecture and Key Technologies for Insider Threat

【Author】 Wang Hui

【Supervisor】 Liu Shufen

【Author information】 Jilin University, Computer System Architecture, 2009, PhD

【Abstract (Chinese original)】 At present, network security has made great progress in intrusion detection, firewalls, information encryption, access control and other areas, which has greatly helped enterprises and organizations resolve externally launched attacks. However, these controls and tools are designed against the outsider threat: they protect the internal information network against attacks launched from outside, but they are essentially powerless against the insider threat, that is, insider attack or misuse. On the topic of insider threat, meaningful published research is still scarce, and the importance of this research has not yet been widely recognized by experts and scholars. Taking the defense against insider threat as its topic and the maximal reduction of insider threat risk as its goal, this dissertation studies in depth how an enterprise organization can build an insider threat defense architecture and its key technologies. The research results of this dissertation include the following. First, in today's information security field there is no standard, comprehensive integrity framework architecture for the internal security domain of enterprise organizations. From the perspective of the enterprise as a whole, attending to technical issues while also attending to people and environmental issues, this dissertation designs a multi-dimensional, multi-disciplinary holistic internal security defense architecture, ITSDA. Second, the insider threat is a security problem that enterprise organizations cannot avoid; documents, the most valuable information asset of an enterprise, are the main target of insider misuse. Previous coarse-grained security policies, such as the principle of least privilege and separation of duties, are insufficient for the insider threat problem of document security. This dissertation proposes a novel multi-level security policy model for document information flow and an information flow directed graph model, gives the related algorithms, dynamically constrains information flow channels, and shields the related hidden information flow channels, so as to secure the document operating environment. Third, today's security solutions concentrate more on providing security defense than on resolving the causes of information system (IS) security problems. To help enterprise organizations construct an adequately secure system suited to themselves and to move away from the previous passive defense approach, a security requirements engineering process, SREP, for eliciting enterprise security requirements is proposed. It is integrated with the system development process, comprehensively analyzes and collects security requirements, and integrates security requirements into the software engineering process through a systematic method. Fourth, through research and analysis of several existing insider threat detection and prevention models and in view of their shortcomings, this dissertation proposes a quantifiable, scalable insider threat detection model, which can intuitively alert administrators through quantified means to make sound decisions and effectively detect insider users' attack behavior.

【Abstract】 Currently, substantial advances in network security, intrusion detection, firewalls, information encryption, access control mechanisms and so on have greatly helped organizations repel externally initiated attacks. However, these controls and tools are designed to fight the outsider threat to organization networks, and little progress has been made in dealing with the insider threat, including insider attack and insider misuse. Survey data shows that the most serious security breaches and the greatest economic damage are basically caused by the insider threat within organizations. Given the absence of significant published research on this topic, the importance of the research is still ignored by most IT scholars; any contribution made in this area will likely one day be considered seminal work. This dissertation not only points out the critical issues of the research but also gives some research clues. By considering all security-related aspects of enterprises, the objective of this dissertation is to provide an integrated and overall security architecture (ITSDA) to address the insider threat, and then to research thoroughly some related key technologies within that security architecture. The goal is to mitigate as far as possible the business damage posed by insider misuse or insider attack, to try to stop the insider threat at its origin, and to reduce internal risk to a minimum.

The research conducted in this dissertation mainly includes: 1) considering the different characteristics and security obligation mechanisms of different industries, research on an information security architecture for the insider threat; 2) in view of the problem of information asset security in organizations, research on a multi-level security policy model for document security; 3) with regard to the elicitation of security requirements, research on security requirements engineering (SREP) based on the software engineering process; 4) for predicting and preventing the insider threat, research on an attack tree prediction model.

The main contributions and accomplishments of this dissertation are as follows:

1. A multi-dimensional, multi-disciplinary security architecture (ITSDA) is submitted. In the network security field, no standardized, comprehensive security architecture for the insider threat currently exists. Many security professionals and managers in organizations generally have a severe misconception about the insider threat: they simply think that it will be resolved well if good techniques are thoroughly adopted in all aspects or departments. This understanding of the insider threat is obviously partial. It is important to note that, because enterprise organizations develop continuously, the insider threat takes on a dynamic nature. From an overall point of view, organizations should not only pay attention to technical details but also attach importance to people and environmental issues; only in this way can an organization design a holistic security defense architecture. The security architecture ITSDA is constituted by seven dimensions, which represent the roles of different functions. In particular, the seven dimensions form a feedback loop: through mutual feedback they can respond quickly to enterprise development and to the dynamic features of the insider threat, and together they establish a dynamic, comprehensive internal security and defense architecture.

2. A novel multi-level security policy model based on document information flow is presented. For enterprises, the security issue that must be overcome is the insider threat. The most valuable information assets, documents, are the main target of insider abuse. Previous coarse-grained security policies, such as the principle of least privilege and separation of duties, are not sufficient to protect the security of documents. Through research on the lattice model, the BLP model and the Chinese Wall model, this dissertation first defines the concept of document information flow and then adopts the concept of security level from the lattice model; in addition, it defines read and write rules similar to those of the BLP model. Based on the above research, this dissertation presents a novel multi-level security policy model and an information flow graph model, and proposes related algorithms. The security policy can be used in combination with other security policies and extended with relevant static obligation rules. Depending on the context of the operating environment, it dynamically constrains the path of information flow, and, for the security of document operations, it shields the related hidden paths of information flow.

3. A security requirements engineering process, SREP, for eliciting security requirements from organizations is provided. Current security solutions concentrate more on methods of security and defense than on resolving the causes of IS security issues. Following the software engineering process and the CC standards, this dissertation asks that security requirements be involved from the beginning stages of research and development. Based on related research results, it presents the security requirements engineering process SREP, which applies the software engineering process to the security requirements process. SREP consists of the following nine steps: 1) agree on definitions; 2) characterize the system; 3) identify critical assets and processes; 4) identify system vulnerabilities; 5) identify threats; 6) identify security objectives and dependencies; 7) generate the threat model; 8) assess risk; 9) elicit security requirements. To defend against the potential insider threat, these nine steps help enterprises design a suitable and complete security system.

4. A scalable predicting model for the insider threat is proposed, and a probability generation algorithm for predicting attacks is provided. To deter cracker activities, this dissertation introduces an improved structure of augmented attack tree and the notion of "minimal attack tree", proposes the concepts of "attack cost" and "attack weight", and presents the generation algorithm for the minimal attack tree. Based on the above research, it presents a novel insider threat model. A user must submit his intended system usage before he logs in to the system; this forms the user's session scope, which is converted into a "SPRINT" (Signature Powered Revised Instruction Table) plan. By virtue of a user's SPRINT plan and a customized minimal attack tree, we can not only monitor the user's activities online to prevent malicious operations, but also monitor inside attacks launched by exploiting system vulnerabilities while the user still abides by the SPRINT plan. In particular, this dissertation introduces an estimator of attack probability, which can help system administrators make sound decisions by a quantitative approach; it provides the system administrator an early warning so that he can counter unwelcome unauthorized activities. The advantage of this approach is that it is a flexible and scalable technique for system security management.

For enterprise organizations, this research topic is related not only to economic value but also to the enterprise's reputation and image. The accomplishments of this dissertation enrich the research results related to the insider threat. Its related research on the insider threat, namely the security defense architecture, the multi-level security policy model, security requirements engineering, and the predicting and detecting model, has high theoretical significance and application value.

  • 【Online publication contributor】 Jilin University
  • 【Online publication year and issue】 2009, Issue 08