
Research on Information-Centric Network Security Mechanisms

Research of Information-Centric Network Security Mechanism

Author: 陈小爱 (Chen Xiaoai)

Supervisors: 李小勇 (Li Xiaoyong); 刘海涛 (Liu Haitao)

Author information: Shanghai Jiao Tong University, Cryptography, 2008, Master's degree

Abstract (translated from the Chinese): Information security must guarantee not only the security of data while it is stored locally but also its confidentiality and integrity while it is transmitted over the network. Current research in network security defense centres on perimeter protection; as network vulnerabilities multiply and attack techniques advance, the traditional perimeter-centric, passive protection strategy struggles to cope with ever-growing security threats. This thesis proposes shifting the focus of network security work from perimeter protection to protection applied directly to the information itself. On this basis it proposes an information-centric security model that protects information throughout its entire life cycle. In the model, all data takes one of two forms, stored or in transit; information in transit can be understood as a dynamic form of data storage, with the network acting as one large storage device. Any piece of data is therefore either static information stored on a computer or dynamic information stored on the network. Building on this idea, the thesis concentrates on mechanisms for protecting information flowing across the network, explores applying the model to the network, designs a system application scheme and implements some of its key modules. During network communication, different keys are used for different resources and application-layer data is encrypted, so that access control for a specific resource is enforced wherever it is stored. At the application layer, system security policies are configured and a URI database is introduced to record the resource objects that must be encrypted and monitored. At the kernel layer, every network packet entering or leaving the host is analysed and, according to the application-layer security policy, is either sent over an encrypted channel or triggers another system response. The system identifies file-transfer behaviour in communications by analysing each application-layer protocol, effectively preventing the leakage of confidential and private information. The kernel-layer functions are implemented with packet interception based on an NDIS intermediate driver, which intercepts completely and is secure and efficient. Experiments show that the system can effectively intercept, monitor and handle all network packets and guarantee the legitimacy and security of information transmission. The system is stable, efficient and simple to manage; it is suited to small and medium-sized networks and personal hosts, meeting the needs of highly security-sensitive organisations and some individuals, and it is extensible.

Abstract: Information security includes not only guaranteeing the security of locally stored data but also the confidentiality and integrity of data in the process of communication. Research on network security is at present carried out mainly around network perimeter security. With the fast increase in network vulnerabilities and the development of attack technology, it has become harder and harder for traditional perimeter-centric passive defense strategies to tackle security threats. This paper argues that the primary work of network security should shift from perimeter protection to direct information protection. To protect information over its entire lifecycle, this paper proposes an information-centric security model. In this model there are two data states, storage and transmission. Transferred information can be considered a kind of dynamic storage, and the network can be considered a large storage device. Hence, any data can be regarded as static information in a storage device or dynamic information in the process of communication. Based on the above thought, this paper emphasizes research on protecting dynamic information in transmission. In the process of network communication, a user key is used to encrypt the application layer of packets carrying different resources, which implements access control of a specific resource anywhere. At the application layer, the system deploys security strategies and introduces a URI database to record the resource objects that need to be encrypted and monitored. At the kernel layer, it analyzes all network packets passing in and out, and encrypts and responds according to the security strategies. Furthermore, the system can identify file transmission through analysis of the application protocol to prevent the leakage of confidential and private information. The system uses packet capture technology based on NDIS to implement the above functions effectively. The experiments prove that the system can capture and monitor all network packets effectively and achieve the validity and security of information transmission. The system has stable performance, high efficiency and easy management, which makes it suitable for small and medium-scale networks and personal hosts, with good expansibility.

  • Classification number (CLC): TP393.08
  • Downloads: 254