| The networked manufacturing (NM) is a sort of integrated strut environment which uses Internet to stride over the existing space among the different enterprises, realizes the sharing and integration of the manufactured resources belonged to the society and enterprises, and supports the cooperation and management in the enterprise group. Maunfacturing resources'sharing is the basical characteristic of the NM. In order to solve the resources'uneven distribution of the manufacturing equipment, achieve the optimal allocation of equipment resources in the whole society as well as a win-win cooperation between enterprises, the networked sharing model of manufacturing equipment has emerged. However, the diversity of sharing subjects and open environment of networks will enable networked sharing of manufacturing equipment to face security threats, which are inherent shortcomings of Internet. Therefore, this dissertation focuses on researches on the information security in networked sharing of manufacturing equipment, which consists of CNC equipment with remote operation, monitoring and diagnostic capabilities.Firstly, the definition of the networked sharing system of manufacturing equipment and the network architecture for equipment sharing monitoring are given, then system security connotations, the status and existing problems of manufacturing equipment sharing are analysed. On the basis of synthetically balancing the security costs, performance and security needs, a security model based on authentication, access control and network audit has been adopted. In the model, the trustworthiness-based feedback mechanism among the various security components is described, and the representation and exchange of data in sharing system are all in form of the eXtensible Markup Language (XML).With the deep analysis of the new features shown in manufacturing equipment sharing, such as staff diversification, the hierarchy of sharing privileges, dynamic sharing tasks, large-scale distribution, interface diversity and feedback between the security components, the corresponding access control objectives are educed on the basis of access control needs leaded by these features. The common access control models can not fully meet the above requirements, so a Role-Component Configurable Access Control Model (RCCACM) has been proposed. In this model, the monitored variable and the privileges of operating this variable are encapsulated in every monitoring component, and each processing task is instantiated as a series of the monitoring interfaces, each of which corresponds to a role involved in this task. Each monitoring interface is composed of the instances of monitoring components according to the role. On one hand, the monitoring interface is a platform for the state data display and equipment operation; on the other hand, it functions as the carrier to enforce the access control based on task and role. With a cube representation for the relationship among variables, components, and roles and tasks, role-based monitoring interface reconfiguration is described. As conflicts could arise because of role succession, multiple roles, and multiple associations based on tasks and roles, an approach by comparing privilege levels of monitoring components is proposed to resolve the conflicts. In order to provide network auditing subsystem with feedback interface, the mechanism which degrades the privilege levels of monitoring components on the basis of the user's trustworthiness is discussed. In addition, the model implementation based on XML is introduced.Secondly, a deep content auditing subsystem based on protocol analysis is developed, which analyses and audits the contents of the packets in the whole network on the protocol of application layer, to prevent security accidents due to the attack by malicious codes, disclosure of sensitive information and violating the security policy by the users. The system adopts two-level processing mechanism based on TCP/UDP and the protocol of application layer to support update and expansion of application protocols. Furthermore, great deal of optimization is carried out on memory management, multi-threaded concurrent processing and link management in order to improve auditing performance and reduce packet loss rate. To realize efficient collaboration as well as synchronization and mutex of sharing between multiple threads, system introduces memory pre-allocation strategy, the memory pool and the queue of packets'packages. The HASH chained list and two-way chained list for overtime check are used to achieve the correlative analysis of all the packets on the same link.The sharing monitoring protocol (SMON) for manufacturing equipment is designed based on XML. It provides sensitive information with encryption protection based on XML elements using the XML encryption standard, and other elements in form of plaintext are analysed and audited based on SMON protocol by network auditing subsystem, which will block the communications violating the security policy. A string matching algorithm based on HASH is proposed and the blocking approach through sending TCP RESET packets is introduced. Additionally, a trustworthiness assessment model based on auditing results is proposed. The comprehensive trustworthiness of every user is determined by the four indicators: the authentication strength, the user's credibility, the proficiency in using equipment and the activity in sharing system.Finally, based on the aforementioned techniques, network auditing subsystem has been developed on the Linux platform; Web server and monitoring server have been developed on the Windows platform using Java2 and Visual C++. Selecting a ZJK7532A CNC milling machine as the shared object, the running cases of developed prototype system are given, and its associated performance indicators were tested and analysed.
|
PDF Full Text Request