
Research On The Key Technologies Of Security Function Conformance Verification For Information Systems

Posted on: 2011-09-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J L Ma
GTID: 1118330335492322
Subject: Information security

Abstract/Summary:
In recent years, government and business information systems have frequently been compromised through security vulnerabilities, the spread of malicious code, and denial-of-service attacks. These intrusions have seriously harmed national security and social stability. To ensure that systems run securely and that the information they process is neither leaked nor tampered with, classified protection has been proposed for information systems. Information security classified protection has become a basic regulation, strategy, and method in our country, and a series of policies, regulations, and standards have been developed over the past decade.

To carry out conformance validation of the security functions of classified information systems, the methods and technologies of information security evaluation and testing are studied. The security requirements for the different classes in the primary classified protection standards are also analyzed. A multi-layered evidence framework is then constructed for security function conformance validation, and a method based on evidence theory is proposed for creating the verification and validation set. In addition, model checking is applied to validate the security functions of information systems. The conformance, validity, and compliance of security policies are validated in this work. The main research contents and results are as follows.

1. Based on research into security evaluation, testing theory, and conformance validation, a general conformance model is proposed for validating the security functions of information systems. A formal representation of the correctness of the validation method, drawing on software testing theory, is given in accordance with the validation objectives. That is, the concept of the ideal test set is proposed, based on the definition and formal description of effectiveness and reliability.

2. By studying the international standards related to information security and the primary standards for information security classified protection, the security function requirements for the different levels are analyzed. A multi-layered framework based on evidence theory is established for the conformance verification of an information system's security functions. In addition, a method for determining the test sets is proposed for security verification.

3. Model checking is applied to the conformance verification of information system security functions. The security policies are verified by checking whether they match the security requirements and by analyzing whether they are valid for the system that applies them. In the verification of security policies against requirements, the policies are transformed into system operations according to the rules and modeled as extended finite state machines, and the security requirements are described as linear temporal logic formulas. Model checking is then used to complete the conformance verification between them. The validity of the security policies is also verified using model checking. The structure and performance of the information system and the security policies are modeled and described respectively.

4. Most research on firewall security analysis focuses on analyzing security rules and detecting conflicts among them. There are few studies on verifying the consistency between firewall security rules and system access policies. This work focuses on consistency checking between the security rules and the access policies, and a model-checking-based method is proposed to complete the verification. The security rules are modeled formally, and the access policies are described in linear temporal logic. The model checker SPIN is used to complete the consistency verification between the firewall security realizations and the system security access policies.

5. A verification prototype system is designed to check information system security functions. The system is composed of a verification management platform and a verification tools component, and it provides tool management, task management, questionnaire management, and knowledge management. The check results produced by the different tools are converted to a uniform format after they are provided to the management platform. The conformance result for the information system's classified protection is then given through comprehensive analysis.
Keywords/Search Tags: security function, model checking, evidence theory, conformance validation, classified protection