// find the set of means constraints g in a policy goal G and
// assign all elements of g to the set MC
MC = findelement(G, MeansConstraints, g);
…
WHILE … m …
FOR j … TO n DO
// Based on R, get the elements of the operational level corresponding
// to the elements of the goal level
…
REPEAT
O … = ∪ O …   // the corresponding operational level policy for the xth means
x ← x + 1;
REPEAT
// refinement from means constraints "MC" to operational level policy relation "PR"
PR … MC …
O = ∪ (k = 1 … |M|) O …
END PolicyRefine
Here, n denotes the number of means in one policy goal, and m denotes the number of elements in one policy goal.
The time complexity of the algorithm is O(s m).
5 The Experiment
In this section, we provide some examples to illustrate the effectiveness of policy
refinement through our experiments.
5.1 Experimental Environment
Experiment goal: To test the validity of our refinement method, we use
CNDIDL [15] to describe one or more high-level defense policy goals. These
high-level defense policy goals can be transformed into operational-level defense
policies automatically by our policy refinement method, and the generated
operational-level policies are then simulated on the GTNetS simulation platform,
where the defense effect can be observed.
The network topology is shown in Fig. 1. The whole network is divided
into three main parts: the external network, the DMZ, and the internal network. The DMZ
includes a Web server, a DNS server, an FTP server, and an SMTP server (the corresponding
IP addresses are 192.168.1.4/24, 192.168.1.5/24, 192.168.1.3/24, and 192.168.1.2/24).
The internal network is partitioned into two segments by a switch, i.e. Net 1 and Net 2.
There are three hosts and one system management server (IP: 192.168.2.2/24) in Net 1, and
one host and one database server (IP: 192.168.3.2/24) in Net 2. There are vulnerabilities
in the hosts and servers of the DMZ and the internal network (they are shown in Table 2).
By exploiting these vulnerabilities, the attacker gains root access and brings about a DoS
attack.