引用本文: |
-
孙瑞娜,夏豪骏,游瑞邦,涂碧波.基于意图的软件定义边界安全策略动态生成方法[J].信息安全学报,已采用 [点击复制]
- sunruina,xiahaojun,youruibang,tubibo.Intent-based dynamic generating security policy for software-defined perimeter[J].Journal of Cyber Security,Accept [点击复制]
|
|
摘要: |
云计算自提出以来已成为最主流的计算平台,其灵活可变、动态可扩展的新型服务模式备受业界青睐。然而,随着网络规模的不断扩大以及云计算技术的迅速发展,网络管理变得及其复杂,云中共享底层基础设施以及网络边界虚拟化等特性,又使得云环境更易成为攻击目标,云安全问题日益凸显。针对传统基于固定边界、静态部署安全策略的机制,难以有效应对云安全防护的问题,提出了一种基于意图的软件定义边界安全策略动态生成方法。在软件定义网络架构下,结合软件定义边界技术搭建云安全管理框架,将安全策略管理与边界控制点相分离,并通过“意图”将安全策略与底层网络解耦,实现安全策略随网络变化的动态调整和及时响应。首先,构建了云安全策略要素知识图谱;其次,通过自定义的安全策略专用描述性语言表达意图以屏蔽底层实施细节,通过意图解析识别意图表达中的网络实体;然后,采用设计的决策图进一步将意图转译为中级策略;最后,结合云安全要素知识图谱指导中级策略到底层网络配置策略的动态生成。实验分析结果表明:所提出的安全策略动态生成方法具备有效性和准确性。该方法为实现云中安全策略动态自适应的防护服务具有借鉴意义。 |
关键词: 云平台 软件定义边界 安全策略 意图转译 知识图谱 |
DOI:10.19363/J.cnki.cn10-1380/tn.2024.04.10 |
投稿时间:2022-03-24修订日期:2022-06-18 |
基金项目:广东省重点研发项目 |
|
Intent-based dynamic generating security policy for software-defined perimeter |
sunruina, xiahaojun, youruibang, tubibo
|
(Institute of Information Engineering, Chinese Academy of Sciences) |
Abstract: |
Since the inception of cloud computing, it had become the most mainstream computing platform, for its flexible, dynamic and scalable new service model was favored by the industry. However, with the constant enlargement in network scale and the rapid development of cloud computing, the network management was becoming extremely complex, the shared underlying infrastructure in the cloud,as well as the virtualization of the network perimeter and other features made the cloud environment more and more vulnerable to be attacked. The security issues of cloud had become increasingly prominent. The traditional method was based on fixed perimeter and static configuration of security policies,thus it was difficult to respond to cloud security protection requirements. In order to alleviate this problem, an intent-based method of dynamic generation of software-defined perimeter security policies was proposed. Under the software-defined network architecture, made use of software-defined perimeter technology to build a cloud security management framework, which separate security policy management from perimeter control points. Then decoupled the security policy from the underlying network through “intent” to achieve dynamic adjustment and timely response of security policies with network changes. First of all, the knowledge graph of cloud security policy elements was constructed. To the second, a professional descriptive language of security policy was provided to express the intention with ignoring the bottom implementation details, and the network entities in the intent expressions were identified through intent parsing. Then, a decision diagram was used to translate the intent into a mid-level policy. Finally, the mid-level policy was combined with a knowledge graph of security elements to guide the dynamic generation of the underlying network configuration policy. The experimental results showed that the proposed schemes were valid and accurate. The methods could be used for reference to realize dynamic and adaptive protection services for security policies in the cloud. |
Key words: cloud platform, software-defined perimeter, security policy, intent translation, knowledge graph |