Research And Application On Policy Based Self-Adaptive Network Security Management

With the rapid developing of Information Technology, network becomes preternatural scale and complexity. Additionally, attacking manners emerge in endlessly, which result in that the network environment is worsen. In order to fulfill the dynamic changes of network security, self-adaptive requirement is imposed on the network security management. But the traditional equipment-oriented and manager knowledge and experience-based management mode can not meet the requirement of security management.Policy-based management (PBM) uses policy as a means to driver management procedures, consequently realize automate and dynamic system management. PBM can fulfill self-adaptive network security management requirements. PBM is new management mode in the domain of security management in recent years. This thesis mainly studies the realization and application on policy-based self-adaptive network security management (PB-SANSM), discusses the key technologies of PB-SANSM, provides relevant solutions for them, and applies these solutions to network security management. PB-SANSM can realize self-adaptive, effective security management on network information system; promote security assurance level of system.The main works and creations are as the foliowings:1) A model (named RDP~2DR, stands for Security Requirement, Policy Dynamic Management, Protection, Detection, and Response) is proposed in this paper, which based on P~2DR-a popular network security model. RDP~2DR takes security requirement as jumping-off, takes security policy as its running kernel, deploys and manages security modules in a self-adaptive and policy-based manner, clarifies the goals for security management and points out the ways to realize it, which reduces the risk of network. All of these make RDP~2DR a good guidance for PB-SANSM.2) Aiming at the shortcomings of Ponder in expressiveness, policy dynamic management and rules translation, this paper improves Ponder by extending basic policy syntax elements and policy types. The extended Ponder can fulfill the requirements of application on PB-SANSM, make it a common suitable policy specification language for network security management.3) This paper designs and realizes policy-based self-adaptive network security management platform, which makes use of policy life-cycle management to realize self-adaptive management on security equipments. This platform provides management GUI, realizes automated distribute, implement, dynamic management and management in running for policy, can manage the self-adaptive linkage operations between security equipments, enhance management efficiency, and realize the real-time, active, automatic security response. 4) This paper applies this policy-based self-adaptive network security management platform to the college network. Policy-based self-adaptive network security management platform can realize self-adaptive security management on security equipments, reduce network security management complexity, and ensure college network security running.