name, ID of nodes, users and resources; linking relations among nodes, constructed as an adjacency matrix; roles information that describes the name, ID and domain of roles; targets information that describes the name, ID and domain of targets; defense entities information that describes the name, ID and defense action of defense entities; defense means that describes the name and ID of defense means; means relations among means; and context type that describes the vulnerabilities and events.
Refinement rules describe the refinement relations between the elements of the goal level and the operational level. Refinement rules include the role-user rules, which specify the refinement relations between role and user; the domain-node rules, between domain and node; the activity-action rules, between activity and action; the context rules, between context type and context; and the means-defense entity rules, between means and defense entity.
2. The process of CND policy refinement algorithm.
We have designed a description language, CNDIDL [15], for the CND policy goal. A scanning method based on its lexical and syntax rules decomposes the defense policy goal described in CNDIDL and stores it in an in-memory data structure. After the decomposition, a CND policy goal can be transformed into one or more operational-level defense policies through the policy refinement repository.
The transformation algorithm proceeds as follows:
(1) First, we use each defense means in the defense list to determine which type of defense policy goal it belongs to. Based on the goals of protection (access control, user authentication, encrypted communication, backup, patching), detection (intrusion detection and vulnerability detection), response (rebooting, shutdown and the addition of access control rules) and recovery (rebuild), we complete the CND policy refinement with the corresponding refinement algorithm. Here we take the policy goal refinement of access control as an example.
(2) According to the defense means, we derive a type of defense entity, a firewall, by looking it up in the means-defense entity table. In addition, to obtain the defense entity instances that will execute the operational-level access control policy, we first find the set of simple paths from the source node to the destination node. A simple path is a node sequence in which no node appears twice. For a permission policy, we choose all firewalls on these paths. For a denial policy, we choose the firewall nearest the source node on each path. The pseudocode of the algorithm for obtaining the simple path set between the source node and the target node is shown as follows:
Algorithm GetSimplePathSet
INPUT: InitialNode u, TargetNode v, d = -1
OUTPUT: The set of simple paths between nodes u and v: PathSet
Procedure GetSimplePathSet(u, v, d)
    d ← d + 1;
    visited[u] = true;
    path[d] = u;
    IF (u == v) THEN
        FOR (i = 0) TO (d + 1) DO
            PATH ← PATH ∪ path[i];        // put all nodes between u and v into set PATH
        REPEAT
        PathSet ← PathSet ∪ PATH;         // get the set of all simple paths
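The following Python code is added here as an illustration and is not taken from the paper. It implements the simple-path enumeration above as a depth-first search with backtracking and the firewall selection rule of step (2): all firewalls on the paths for a permission policy, the firewall nearest the source on each path for a denial policy. The topology, node names and firewall set are constructed sample data; the selection also reports paths that contain no firewall at all, on which a denial policy cannot be enforced.

```python
# Constructed sample topology (undirected, as an adjacency dict) and the set
# of nodes that are firewall instances. Not taken from the paper.
TOPOLOGY = {
    "h1": ["fw1", "r1"],
    "fw1": ["h1", "r2"],
    "r1": ["h1", "fw2"],
    "r2": ["fw1", "srv"],
    "fw2": ["r1", "fw3"],
    "fw3": ["fw2", "srv"],
    "srv": ["r2", "fw3"],
}
FIREWALLS = {"fw1", "fw2", "fw3"}


def get_simple_path_set(graph, u, v):
    """Return every simple path (no repeated node) from u to v as a list of tuples.
    Depth-first search mirroring GetSimplePathSet: mark the node visited, append
    it to the current path, emit the path when the target is reached, otherwise
    recurse into unvisited neighbours, then backtrack."""
    path_set, visited, path = [], set(), []

    def dfs(node):
        visited.add(node)
        path.append(node)
        if node == v:
            path_set.append(tuple(path))
        else:
            for nxt in graph.get(node, []):
                if nxt not in visited:
                    dfs(nxt)
        path.pop()            # backtrack so other branches can reuse the node
        visited.discard(node)

    dfs(u)
    return path_set


def select_firewalls(paths, firewalls, policy):
    """Pick the firewall instances that must enforce an access-control policy.
    permit: every firewall on every path must allow the flow.
    deny:   only the firewall nearest the source on each path needs the rule.
    Returns (chosen firewalls, paths with no firewall, i.e. unenforceable)."""
    chosen, uncovered = set(), []
    for p in paths:
        on_path = [n for n in p if n in firewalls]
        if not on_path:
            uncovered.append(p)
        elif policy == "permit":
            chosen.update(on_path)
        elif policy == "deny":
            chosen.add(on_path[0])
        else:
            raise ValueError(f"unknown policy type: {policy}")
    return chosen, uncovered
```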