
Research On Network Security Policy Model And Conflict Detection

Posted on: 2018-03-18
Degree: Master
Type: Thesis
Country: China
Candidate: S Z Wu
Full Text: PDF
GTID: 2348330512483257
Subject: Computer system architecture
Abstract/Summary:
Policy-based network management is widely used in the network management field because of its flexibility, ease of use and automation. A policy is a set of constraint rules configured by the network administrator to protect the system. A review of current network security policy models shows that the network topology is often neglected in the model. However, the network topology is an important consideration in policy-based network management: a change in the network topology changes the management policy of the network. As the structure of the network becomes more and more complex, conflicts inevitably exist in the configuration of the policy. Therefore, almost every policy-based network security model needs to detect policy conflicts in order to make sure the rules in the system are consistent; otherwise the system will be vulnerable.

At present, policy conflict detection methods are divided into two kinds, single-point detection and global detection, and both are defective. If policy conflict detection is performed at a single point, only the policy conflicts within one network device can be detected, and conflicts between network devices cannot be detected. If conflict detection is performed on the global policy of the system, with all policies centralized together, the result may be wrong, because in a network a conflict between rules on different paths need not lead to a system error.

To address the problem that the network topology is neglected in current network security policy models, this thesis proposes a network security policy model based on network topology, which models the network topology and the network policy together. In the model, the network topology is abstracted as an undirected graph, and the path of data communication between two network devices is abstracted as the path between the two nodes in the undirected graph. At the same time, ports and rules are formalized to link the policy to the undirected graph.

To address the problem that existing conflict detection works either on single points or on the global policy, this thesis proposes a path-based policy conflict detection method; in other words, conflict detection is performed on the policy set along a network path. With this method, it is possible to accurately detect possible conflicts in the network device configuration. In addition, this thesis proposes a policy conflict detection algorithm based on a decision tree to improve the efficiency of conflict detection. First, the algorithm classifies the rules according to the dimensions of the rules; then the decision tree is constructed; finally, the rules in the leaf nodes of the decision tree are analyzed. By classifying with the decision tree, rules that may conflict are placed in the same leaf node, which reduces the number of comparisons between rules, so the algorithm improves the efficiency of conflict detection.

Finally, based on the model and algorithm above, this thesis designs a prototype system for the network security policy model based on network topology. Validation on test data shows that the prototype system can accurately detect network conflicts, and that the decision-tree classification algorithm also significantly improves the efficiency of conflict detection.
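A toy implementation of the path-based detection and decision-tree classification described above, written as an added example (it is not code from the thesis or its prototype system). The topology, device names, rule format, and the two split dimensions (protocol, then well-known versus high port class) are assumptions chosen for illustration; a rule whose port range straddles both classes is placed in both leaves so overlapping rules are never separated.

```python
from collections import deque
from itertools import combinations

# Constructed sample topology: undirected graph of devices (hypothetical names).
TOPOLOGY = {"host_a": {"fw1"}, "fw1": {"host_a", "fw2"},
            "fw2": {"fw1", "srv"}, "srv": {"fw2"}, "fw3": set()}
# Constructed sample rules: (device, protocol, (port_lo, port_hi), action).
RULES = [("fw1", "tcp", (80, 80), "allow"),
         ("fw1", "tcp", (443, 443), "allow"),
         ("fw2", "tcp", (1, 1023), "deny"),      # overlaps fw1's allows on the path
         ("fw2", "udp", (53, 53), "allow"),
         ("fw3", "tcp", (1000, 2000), "deny")]   # off the path: must not be reported

def find_path(graph, src, dst):
    """Shortest src->dst path in the undirected topology graph (BFS)."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in graph[path[-1]] - seen:
            seen.add(nxt)
            queue.append(path + [nxt])
    return None

def build_tree(rules):
    """Decision tree over rule dimensions: split on protocol, then on port class
    (well-known < 1024 vs. high). A range straddling both classes is placed in
    both leaves, so two overlapping rules always share at least one leaf."""
    leaves = {}
    for rule in rules:
        _, proto, (lo, hi), _ = rule
        classes = (["well_known"] if lo < 1024 else []) + (["high"] if hi >= 1024 else [])
        for cls in classes:
            leaves.setdefault((proto, cls), []).append(rule)
    return leaves

def conflicts_on_path(graph, rules, src, dst):
    """Collect the rules of every device on the path, then compare only rules that
    share a leaf; a conflict is an overlapping match with different actions."""
    path = find_path(graph, src, dst)
    if path is None:
        return []
    on_path = [r for r in rules if r[0] in path]
    found = set()
    for leaf in build_tree(on_path).values():
        for a, b in combinations(leaf, 2):
            if a[2][0] <= b[2][1] and b[2][0] <= a[2][1] and a[3] != b[3]:
                found.add((a, b))
    return sorted(found)
```

Running `conflicts_on_path(TOPOLOGY, RULES, "host_a", "srv")` reports the two fw1 allows against the fw2 deny, while the fw3 rule, which is not on that path, is ignored even though it overlaps them.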
Keywords/Search Tags: Security Policy, Path, Topology, Conflict Detection, Decision Tree