Information Technology Reference
In-Depth Information
refinement methods, our method not only supports the refinement of access control
policy, but also the defense policy.
3
Computer Network Defense Policy Refinement Model
Computer network defense policy refinement is a process transforming goal-level
(high-level) defense policy goals to operational-level (low-level) defense policies.
Defense policy refinement model has two levels: Goals level and Operational level.
The elements of operational level are refined by goal level. So it forms a hierarchical
structure form high-level to low-level. The policies of goal level express the high-level
security requirements and defense goals. The policies of operational level express the
operational actions related to concrete network environment.
Definition Defense Policy Refinement Model: The defense policy refinement
model consists of elements at both goal level and operation level as well as defense
policy goals, operational-level defense policies and refinement relations among
elements at these two levels. We can conclude that the elements of operational-level
are refined by goal-level. So it forms a hierarchical structure form high-level to low-
level. The formalism of this model is shown as follows:
M
::
=
(
GOR
,
,
),
{
}
G
=
Domain Role T
,
,
arg,
et Activity Means ContextType MeansConstra
,
,
,
int
s
SNode User TNode
,
,
,
e
sour
ce Action DefenseAction
,
,
,
O
=
DefenseEntity Context Policy
,
,
Re
lation
RGOHPRGGLPROO
G
⊆×
;
⊆×
;
×
;
HPGOAL
::
=
(
,
HPR
);
LPOPERATION
::
=
(
O LPR
,
);
Wherein, G denotes the set of elements of the goal level, O the set of the operational
level, R the set of the refinement relations between the elements of goal level and
operational level. HPGOAL the set of the policy goals which consists of goal-level
elements and theirs relations, LPOPERATION the set of the operational-level policy
which consists of operational-level elements and theirs relations
The meaning of the elements of the goal level are explained as follow:
Domain: It denotes a scope or area. Domain can be divided depending on the
environment of network such as organization structure, geographical boundary,
security level, and management responsibility. It is shown as a hierarchical structure.
Role: It is a set of users who share common characteristics.
Target: It is a set of resources with common characteristics. Target is divided into
four classes such as data, operation system, application programs, and services.
Activity: It is a set of actions with common characteristics. It is divided two classes
including activities of local process with configuring, acquiring and operating and
activities of interact process with accessing and transferring.
Means: Means is a set of defense activities. According to the model of PDRR,
means are divided into four classes such as protection ( including the permission access
control and the denying access control, user authentication, encryption communication,
backup), detection (including intrusion detection, vulnerabilities detection), response
(including access control, system rebooting and system shutdown), and recovery
(including rebuild and making patch).
Search WWH ::




Custom Search