
Research On Technology Of Security Policy Transformation

Posted on: 2011-08-23
Degree: Doctor
Type: Dissertation
Country: China
Candidate: B Wu
GTID: 1118330338985390
Subject: Cryptography

Abstract/Summary:
Current network environments incorporate an ever-increasing variety of security mechanisms to meet the need for protection against network-based attacks. Security administrators have to deal with a number of complicated and differing configurations. The workload is large and the error rate is high. Automated tools and methodologies that assist security policy configuration tasks are therefore of high interest. Security policy transformation is a basic means of automatic policy configuration, and security policy conflict detection is an essential guarantee of correct policy configuration. This paper focuses mainly on security policy transformation and conflict detection techniques. The main work and contributions are summarized as follows:

1. Summarized the related work on policy transformation and policy conflict detection technologies, pointed out existing problems, and determined the research scope of this paper.
2. Studied the concepts of policy and security policy and the criteria for policy classification. On the basis of an analysis of existing research work, proposed a classification of familiar security policies, then systematically put forward the concepts of security policy, security policy hierarchy and security policy transformation.
3. Put forward a security policy transformation model based on Application Level/Service Level/Device Level, including the definition of some basic elements, operation functions, transformation rules, and the related theorems and proof of policy transformation validation, which provides the theoretical support for realizing security policy transformation.
4. Put forward a security policy conflict model based on an analysis of the relations between security policies, including a new security policy conflict classification, conflict notation and some conflict theorems, which provides the theoretical support for determining the conditions under which security policies conflict and for identifying the class of a conflict.
5. On the basis of the security policy conflict model, used matrices and the idea of standardization/discretization to design and implement security policy conflict detection and resolution algorithms that are loosely coupled with the application, then analysed the capability and correctness of the algorithms.
6. On the basis of the security policy transformation model, designed the security policy transformation algorithms between two adjacent levels, and proposed a policy translation method using macro policies and translation scripts, which resolves the problem of transforming from the abstract specification level facing policy editors to the configuration interfaces facing all kinds of underlying devices.
7. Designed and implemented a security policy transformation system that supports security policy transformation, security policy conflict detection, and security policy conflict resolution.
Keywords/Search Tags: security policy, security policy hierarchy, security policy transformation, security policy conflict detection, security policy transformation model, transformation validation, security policy conflict model