Node Document

The Environment-Aware Access Control Model for Intrusion Prevention (original title: 面向入侵防范的环境警备访问控制模型)

【Author】 Dong Lijun (董理君)

【Supervisor】 Yu Shengsheng (余胜生)

【Author Information】 Huazhong University of Science and Technology, Computer System Architecture, 2008, PhD

【Abstract (Chinese)】 An intrusion prevention system (IPS) combines the technical advantages of intrusion detection and firewalls, providing active protection by intercepting intrusive activity and attacking network traffic in advance. IPS is widely used in client/server access systems. Current IPSs still have certain limitations: the concept of "intrusion" is not broad enough, being limited to attacking network traffic and data flows carrying intrusion signatures, whereas actual intrusion activity involves more objective factors (such as an inappropriate time or location, or an insecure operating platform); and the "prevention" architecture is not compact enough, being limited to real-time blocking achieved by simply chaining an IDS to a firewall rather than forming an organic whole that implements security defense. Addressing these limitations of ordinary IPS, and building on research into role-based access control (RBAC) combined with the idea of active defense, this thesis proposes the Environment-Aware-Based Access Control (EABAC) model. EABAC brings the potential factors that may lead to intrusion into the prevention framework, improves the ability to predict the security of the environment before an intrusion occurs, is aware of environmental security, and thereby achieves more proactive protection. To establish the EABAC model, new extensions and definitions are made in formal description, access control rules, the formulation of security constraint policies, and the improvement of system robustness. First, the meaning of role is extended by introducing the concept of environment roles, which are defined and standardized in the form of the RBAC standard. All objective factors that affect the security of an access system can be abstracted as environment roles; complete semantic and functional specifications of the various environmental factors are given as mathematical descriptions; and the corresponding core model, hierarchical model and separation-of-duty mechanism are established according to the rules of RBAC, building a bridge through which the model perceives its environment, breaking through the traditional single-role category and extending the scope of intrusion prevention. Second, role and permission assignment policies governed by environmental security are formulated, and their implementation process is proved through a series of algorithms. The multiplicity of roles leads to diversity in the "user-role" and "role-permission" mappings; EABAC introduces the concepts of environment labels and label permissions so that permission assignment is associated with the environment state, and through a role hierarchy enables the model to reflect its sensitivity to environment awareness, refining the granularity of access control. Third, the concepts of cross-dimension constraints and correlation constraints are proposed, related conflict policies are formulated, and these are derived and proved through assertions and case analysis. The content of role constraints is extended; through security constraints, diverse environmental factors are linked into a whole, achieving tight coupling between access control policy and environmental characteristics, reasonably resolving conflicts in the role model and enhancing the controllability of security defense. Fourth, an intrusion tolerance mechanism is introduced into access control and an implementation approach is given. Complete access control must not only prevent intrusions but also keep the system operable under attack. EABAC provides layered redundant protection so that in certain special cases, even while an attack is present, legitimate users can still be provided with all or a degraded set of the services they need, with the confidentiality of access information ensured, thereby improving the robustness of IPS applications. Through this series of research work, the working logic of EABAC is derived and analyzed, and a prototype system is implemented. Analysis of the prototype shows that EABAC, by controlling multiple factors such as time, location, operating platform, access path and data-flow information, implements dynamic access control with role instances containing multiple roles as the carrier, enabling the system to resist more diverse intrusion activity; and through virtual services and secure tunnel multiplexing, it provides a redundant protection mechanism while dispersing the pressure of traditional centralized intrusion prevention and reducing the complexity of executing EABAC.

【Abstract】 An Intrusion Prevention System (IPS) combines the technical advantages of the Intrusion Detection System (IDS) and the firewall. By blocking intrusive activities and aggressive network flows in advance, an IPS provides active protection. IPS is widely used in various kinds of "Client/Server" access systems; however, IPS still has some limitations at present. For example, the concept of intrusion is not broad enough: it covers only suspicious data streams, whereas actual intrusions involve more external factors, such as improper time, site and insecure platform; and prevention is restricted to coupling an IDS with a firewall roughly, rather than forming an organic unity that implements defense. Based on research on role-based access control (RBAC), an Environment-Awareness-Based Access Control (EABAC) model is put forward to improve the efficiency of IPS and provide more active prevention. In EABAC, more of the potential factors that result in intrusions are brought into the prevention system, improving the ability of the security defenses before an intrusion occurs. An access system based on EABAC is able to sense the security of its environment, and proactive protection is thereby implemented. To establish the EABAC model, several new extensions and definitions are explored: the design of the formal description, the access control rules and the security constraint strategy, and also the improvement of the system's robustness. First, EABAC expands the definition of roles and imports the concept of environmental roles. All of the objective factors that influence the system's security can be abstracted into environmental roles. The complete semantic and functional norms for the multiple environment factors are presented in the form of mathematical descriptions. According to the rules of RBAC, the core model, hierarchy model and separation of duty of EABAC are set up, by which the system can capture the context of its environment. The bound of traditional roles is broken and the range of intrusion prevention is extended. Second, assignment policies for roles and permissions based on environmental security are established. The variety of roles results in a variety of "user-role" and "role-permission" mappings. By bringing forward environment labels and label permissions, EABAC builds a relationship between permission assignment and the environmental state. Through the partial order of roles, the model can reflect the sensitivity of environment awareness and provide fine-grained access control. Third, richer security constraints are implemented. The range of role constraints is expanded; different-dimension constraints, environment constraints and correlative constraints are proposed; and the related conflict strategies are built. By realizing these security constraints, multiple environment factors are congregated into a whole, and access control policies and environment security are coupled tightly. By resolving the conflicts in the role model reasonably, security defense can be controlled flexibly. Fourth, an intrusion tolerance mechanism is brought forward for EABAC. A complete access control system must not only prevent intrusions but also resist attacks. Even while attacks persist, the system can still provide full or partial services to users when emergencies happen, and the accessed data are kept secret. In this way, the robustness of the IPS application is improved. Through this series of research work, the working logic of EABAC is deduced and a prototype system is implemented. Analysis of the prototype system indicates that EABAC can resist multifarious intrusions by capturing information about time, space, platform, approach and data stream. It implements dynamic access control using a role instance, which contains multiple roles, as the carrier. Besides, EABAC provides redundant protection, while the stress of traditional centralized intrusion prevention is dispersed and the execution complexity of EABAC is reduced, through the technologies of Virtual Service and Secure Tunnel Division Multiplexing.
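The environment-role, environment-label, correlation-constraint and intrusion-tolerance ideas sketched in the abstract, as an added illustrative example in Python; this is not the thesis's prototype, and every role name, label, threshold and permission set is a constructed assumption:

```python
from dataclasses import dataclass

# Constructed sample policy: role names, labels and thresholds are assumptions.
@dataclass(frozen=True)
class Context:
    user_roles: frozenset       # ordinary RBAC roles held by the requester
    hour: int                   # local hour of the request (0-23)
    location: str               # "office", "vpn" or "public"
    platform: str               # "managed" or "unmanaged" operating platform
    under_attack: bool = False  # intrusion-tolerance signal from the IDS side

def environment_roles(ctx: Context) -> frozenset:
    """Abstract objective factors (time, site, platform) into environment roles."""
    return frozenset({
        "work_hours" if 8 <= ctx.hour < 18 else "off_hours",
        "trusted_site" if ctx.location in ("office", "vpn") else "untrusted_site",
        "secure_platform" if ctx.platform == "managed" else "insecure_platform",
    })

# Environment labels, strictest first: a label applies when all of its required
# environment roles are present (the partial order of environment sensitivity).
ENV_LABELS = [
    ("high", {"work_hours", "trusted_site", "secure_platform"}),
    ("medium", {"trusted_site"}),
    ("low", set()),
]
# Label permissions: what a user role may do under each environment label.
LABEL_PERMS = {
    ("analyst", "high"): {"read", "write", "export"},
    ("analyst", "medium"): {"read", "write"},
    ("analyst", "low"): {"read"},
}
# Correlation constraint: user-role / environment-role pairs that may never co-occur.
CORRELATION_CONFLICTS = {("admin", "insecure_platform")}
# Degraded service kept available to legitimate users while under attack.
DEGRADED = {"read"}

def environment_label(env_roles: frozenset) -> str:
    # "low" requires nothing, so the search always terminates
    return next(name for name, need in ENV_LABELS if need <= env_roles)

def permissions(ctx: Context) -> set:
    """Dynamic permission set for a role instance (user roles + environment roles)."""
    env = environment_roles(ctx)
    if any((ur, er) in CORRELATION_CONFLICTS for ur in ctx.user_roles for er in env):
        return set()                      # constraint violated: deny outright
    label = environment_label(env)
    perms = set().union(*(LABEL_PERMS.get((ur, label), set()) for ur in ctx.user_roles))
    return perms & DEGRADED if ctx.under_attack else perms
```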
