
Network Security Policy Conflict Research Based On Directed-Graph

Posted on: 2008-06-30
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Hu
GTID: 2178360218453487
Subject: Computer application technology

Abstract/Summary:
Supported by international organizations such as the IETF and DMTF and by manufacturers such as IBM and Cisco, policy-based management is gradually being applied in network management, security management and other fields, and is becoming a characteristic of new distributed system management. Ensuring that security policies work consistently, and remain consistent themselves, is the first problem to be resolved in realizing distributed system management. Thus, the description and classification of security policies and the detection and resolution of security policy conflicts are the chief goals in achieving uniform security management, and are also among the most difficult problems in the field of security management.

The paper introduces two typical existing security policy frameworks and, based on their strengths and flaws, presents an adaptable security policy framework. Within this framework, in view of the shortcomings of existing policy conflict classifications, the paper presents a comprehensive classification of the conflicts in filtering-based network security policy, gives its formal description, and offers a comprehensive conflict analysis framework. In view of the shortcomings of previous security policy conflict detection methods, the paper analyzes these typical methods in depth and gives each method's advantages and limitations. Based on this analysis, the paper presents the directed-graph-based security policy conflict detection model. Combining it with several policy enforcement priorities often used in practice, the paper presents an automatic detection and recovery model for policy conflicts.

Finally, the paper designs and carries out a simulation experiment of directed-graph-based security policy conflict detection to verify the validity of the method and to evaluate the model framework and algorithms. The results show that the framework is adaptable and that the algorithms, which have a high conflict identification ratio and reasonable space and time complexity, are of greater practical value.
Keywords/Search Tags: Network Security, Security Management, Security Policy, Policy Conflict, Conflict Detection