  • Sun Ruina, Xia Haojun, You Ruibang, Tu Bibo. Intent-based dynamic generating security policy for software-defined perimeter [J]. Journal of Cyber Security, accepted.
Intent-based dynamic generating security policy for software-defined perimeter
Sun Ruina, Xia Haojun, You Ruibang, Tu Bibo
(Institute of Information Engineering, Chinese Academy of Sciences)
Since its inception, cloud computing has become the most mainstream computing platform; its flexible, dynamic and scalable service model is favored by industry. However, with the constant growth of network scale and the rapid development of cloud computing, network management has become extremely complex, and features such as shared underlying infrastructure and the virtualization of the network perimeter have made the cloud environment increasingly vulnerable to attack. Cloud security issues have become increasingly prominent. Traditional methods rely on a fixed perimeter and a static configuration of security policies, and therefore struggle to meet cloud security protection requirements. To alleviate this problem, an intent-based method for dynamically generating software-defined perimeter security policies is proposed. Under a software-defined network architecture, software-defined perimeter technology is used to build a cloud security management framework that separates security policy management from the perimeter control points. The security policy is then decoupled from the underlying network through "intent", so that security policies can be adjusted dynamically and respond promptly as the network changes. First, a knowledge graph of cloud security policy elements is constructed. Second, a domain-specific descriptive language for security policy is provided to express intent while ignoring low-level implementation details, and the network entities in intent expressions are identified through intent parsing. Then, a decision diagram is used to translate the intent into a mid-level policy. Finally, the mid-level policy is combined with the knowledge graph of security elements to guide the dynamic generation of the underlying network configuration policy. Experimental results show that the proposed scheme is valid and accurate.
The method can serve as a reference for realizing dynamic and adaptive protection services for security policies in the cloud.
Key words:  cloud platform, software-defined perimeter, security policy, intent translation, knowledge graph
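The pipeline the abstract describes (intent expression, entity resolution against a knowledge graph, decision step to a mid-level policy, expansion into concrete network rules) is sketched below as an added illustration; it is not code from the paper, and the intent grammar (`allow|deny <group> to <group> via <service>`), the knowledge-graph schema, the priority rules in the decision step and the sample groups and hosts are all constructed assumptions. The point it shows is the decoupling the abstract claims: when the graph changes (a host joins a group), the rules are regenerated without touching the intent.

```python
"""Illustrative intent -> mid-level policy -> network rule pipeline.
Assumed design for demonstration only; not the paper's implementation."""
import re
from dataclasses import dataclass

# Constructed sample knowledge graph (assumed schema): entity name -> node attributes.
# Groups carry member addresses; services carry protocol and port.
KNOWLEDGE_GRAPH = {
    "web-tier": {"type": "group", "members": ["10.0.1.10", "10.0.1.11"]},
    "db-tier":  {"type": "group", "members": ["10.0.2.20"]},
    "internet": {"type": "group", "members": ["0.0.0.0/0"]},
    "mysql":    {"type": "service", "proto": "tcp", "port": 3306},
    "https":    {"type": "service", "proto": "tcp", "port": 443},
}

# Assumed intent grammar: "<allow|deny> <src-group> to <dst-group> via <service>"
INTENT_RE = re.compile(r"^(allow|deny)\s+(\S+)\s+to\s+(\S+)\s+via\s+(\S+)$")


@dataclass
class Intent:
    action: str
    src: str
    dst: str
    service: str


@dataclass
class MidLevelPolicy:
    action: str
    src: str
    dst: str
    proto: str
    port: int
    priority: int


def parse_intent(text: str) -> Intent:
    """Intent parsing: turn a DSL sentence into its named entities."""
    m = INTENT_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised intent: {text!r}")
    return Intent(*m.groups())


def resolve_entities(intent: Intent, kg: dict) -> None:
    """Entity identification: every name must exist in the graph with the expected type."""
    checks = ((intent.src, "group"), (intent.dst, "group"), (intent.service, "service"))
    for name, expected in checks:
        node = kg.get(name)
        if node is None or node["type"] != expected:
            raise KeyError(f"{name!r} is not a known {expected}")


def decide(intent: Intent, kg: dict) -> MidLevelPolicy:
    """Decision step (a stand-in for the paper's decision diagram): ordered checks
    assign a priority so denies win over allows and edge-facing rules rank next."""
    resolve_entities(intent, kg)
    svc = kg[intent.service]
    if intent.action == "deny":
        priority = 100
    elif "internet" in (intent.src, intent.dst):
        priority = 200
    else:
        priority = 300
    return MidLevelPolicy(intent.action, intent.src, intent.dst,
                          svc["proto"], svc["port"], priority)


def render_rules(policies, kg):
    """Expand mid-level policies into concrete (action, src, dst, proto, port) rules
    using the group membership recorded in the knowledge graph."""
    rules = []
    for p in sorted(policies, key=lambda p: p.priority):
        for s in kg[p.src]["members"]:
            for d in kg[p.dst]["members"]:
                rules.append((p.action, s, d, p.proto, p.port))
    return rules


def generate(intent_texts, kg):
    """Full pipeline: intents -> mid-level policies -> ordered network rules."""
    return render_rules([decide(parse_intent(t), kg) for t in intent_texts], kg)


if __name__ == "__main__":
    intents = ["allow web-tier to db-tier via mysql",
               "deny internet to db-tier via mysql"]
    for rule in generate(intents, KNOWLEDGE_GRAPH):
        print(rule)
    # Network change: a new web host joins the group. The intents are untouched;
    # regenerating from the updated graph yields the extra rule automatically.
    KNOWLEDGE_GRAPH["web-tier"]["members"].append("10.0.1.12")
    print(len(generate(intents, KNOWLEDGE_GRAPH)), "rules after the change")
```

Because `resolve_entities` rejects an intent whose names are absent from the graph or have the wrong type, a typo in an intent fails closed at translation time rather than silently producing an empty or over-broad rule set.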