Information security covers not only the protection of locally stored data but also the confidentiality and integrity of data while it is being communicated. Current network security research is carried out mainly around network perimeter security. With the rapid growth in network vulnerabilities and the development of attack techniques, traditional perimeter-centric passive defense strategies find it harder and harder to tackle security threats. This paper argues that the primary work of network security should shift from perimeter protection to direct protection of information. To protect information throughout its lifecycle, this paper proposes an information-centric security model. In this model, data is in one of two states: storage or transmission. Information in transit can be regarded as a kind of dynamic storage, and the network as a large storage device; hence any data can be treated either as static information in a storage device or as dynamic information in the process of communication.

Based on this view, this paper focuses on protecting dynamic information in transmission. During network communication, a user key is used to encrypt the application-layer payload of packets carrying different resources, which enforces access control on a specific resource wherever it travels. At the application layer, security strategies are deployed and a URI database is introduced to record the resource objects that need to be encrypted and monitored. At the kernel layer, all inbound and outbound network packets are analyzed, and encrypted or otherwise acted on according to the security strategies. In addition, the system identifies file transmission by analyzing the application protocol, to prevent the leakage of confidential and private information. The system uses NDIS-based packet capture to implement these functions efficiently.

The experiments show that the system captures and monitors all network packets effectively and preserves the validity and security of information transmission. The system has stable performance, high efficiency and easy management, and is suitable for small and medium-sized networks and personal hosts, with good extensibility.
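The following is an added example, not code from the paper or its system, that models in user-space Python the decision path the abstract describes: a URI database of resource objects, a kernel-layer style hook that inspects each outbound application-layer payload, file-transfer identification from the application protocol (here HTTP), and per-resource encryption under a user key. The real system does this inside an NDIS driver; everything here (the `URI_POLICY` table, the action names, the `X-Enc-Nonce` header, the HTTP sample packets and the HMAC-SHA256 counter-mode keystream used in place of a real cipher) is constructed for illustration and is not from the paper.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# "URI database": resource objects that must be encrypted or monitored.
# Longest matching prefix wins. Entries are constructed for this example.
URI_POLICY: Dict[str, str] = {
    "/hr/payroll": "encrypt",
    "/finance/": "encrypt",
    "/public/": "allow",
}
DEFAULT_ACTION = "monitor"   # resources not in the database are only logged


@dataclass
class Decision:
    action: str             # allow | monitor | encrypt | block
    uri: Optional[str]      # None when the payload is not HTTP
    is_file_transfer: bool
    payload: bytes          # bytes allowed to leave the host (b"" when blocked)


def parse_http(payload: bytes) -> Optional[Tuple[str, str, Dict[str, str], bytes]]:
    """Minimal HTTP/1.x request parser; returns None for non-HTTP payloads."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body


def lookup_policy(uri: str) -> str:
    """Longest-prefix match of the request URI against the URI database."""
    best_prefix, action = "", DEFAULT_ACTION
    for prefix, act in URI_POLICY.items():
        if uri.startswith(prefix) and len(prefix) > len(best_prefix):
            best_prefix, action = prefix, act
    return action


def is_file_transfer(method: str, headers: Dict[str, str]) -> bool:
    """Application-protocol analysis: flag uploads and attachment transfers."""
    ctype = headers.get("content-type", "").lower()
    cdisp = headers.get("content-disposition", "").lower()
    return method == "PUT" or "multipart/form-data" in ctype or "attachment" in cdisp


def keystream_xor(user_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the user-key encryption: HMAC-SHA256 in counter mode as a
    keystream, so the example needs no third-party library. Symmetric, so the
    same call decrypts. A real deployment would use AES-GCM instead."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(user_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def inspect_outbound(payload: bytes, user_key: bytes, nonce: Optional[bytes] = None) -> Decision:
    """Model of the kernel-layer hook: classify one outbound application-layer
    payload and transform it according to the security strategy."""
    parsed = parse_http(payload)
    if parsed is None:
        return Decision("monitor", None, False, payload)
    method, uri, headers, body = parsed
    action = lookup_policy(uri)
    file_xfer = is_file_transfer(method, headers)
    if action == "encrypt":
        nonce = nonce or os.urandom(12)
        head = payload[: len(payload) - len(body)].rstrip(b"\r\n")
        head += b"\r\nX-Enc-Nonce: " + nonce.hex().encode() + b"\r\n\r\n"
        return Decision("encrypt", uri, file_xfer, head + keystream_xor(user_key, nonce, body))
    if action == "monitor" and file_xfer:
        # A file leaving the host toward a resource not in the database is stopped.
        return Decision("block", uri, True, b"")
    return Decision(action, uri, file_xfer, payload)


# Constructed sample packets (application-layer payloads only).
PAYROLL_UPLOAD = (b"POST /hr/payroll/2024-q1 HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
                  b"--xyz\r\nContent-Disposition: form-data; name=\"f\"; filename=\"pay.xlsx\"\r\n\r\n"
                  b"SECRET\r\n--xyz--\r\n")
PUBLIC_GET = b"GET /public/index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
UNKNOWN_UPLOAD = (b"PUT /drop/notes.txt HTTP/1.1\r\nHost: paste.example\r\n"
                  b"Content-Type: text/plain\r\n\r\nconfidential notes")
OTHER_GET = b"GET /misc/status HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
NOT_HTTP = b"\x16\x03\x01\x00\x05hello"   # TLS-record-like bytes, not HTTP


def demo(user_key: bytes = b"user-key-example") -> Dict[str, str]:
    """Run the sample packets through the hook; returns sample name -> action."""
    samples = {"payroll_upload": PAYROLL_UPLOAD, "public_get": PUBLIC_GET,
               "unknown_upload": UNKNOWN_UPLOAD, "other_get": OTHER_GET, "not_http": NOT_HTTP}
    return {name: inspect_outbound(pkt, user_key).action for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:15} -> {action}")
```

The receiving side reverses the transformation by reading the nonce header and calling `keystream_xor` with the same user key, which is what makes the resource unreadable to any host that lacks that key regardless of where the packet is captured. The block decision for file transfers to resources outside the URI database is one possible strategy; the paper's own policy for that case is not given in the abstract.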