Excerpt of the paper's contents

The existing methods of policy refinement in computer network defense (CND) can only support the refinement of access control policy, but not the policies of protection, detection, response, and recovery. To solve this problem, we constructed a computer network defense policy refinement model and defined the refinement relations between high-level policy goal elements and low-level operational policy elements. We also provided formal specifications of CND policies, including protection (i.e., access control, user authentication, encrypted communication, backup), detection (i.e., intrusion detection, vulnerability detection), response (i.e., system rebooting, shutdown) and recovery (i.e., rebuild, patching). The semantic consistency of policy refinement was analyzed and verified; this guarantees the correctness of the low-level policies refined from a high-level policy goal. An algorithm for CND policy refinement was designed. Finally, the effectiveness of our methods was verified through three experimental cases: the refinement of an access control policy, a composite policy combining intrusion detection, vulnerability detection, and access control, and another composite policy combining patching and system rebooting.
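The abstract names the two element kinds (high-level policy goal, low-level operational policy), a refinement relation between them, and a semantic consistency check that is meant to guarantee the refined low-level policies are correct. The following is an added, constructed example, not the paper's model or code: a toy refinement step that expands goals in the four categories the abstract lists into operational policies, followed by a consistency check that verifies every operational policy traces back to a goal, belongs to that goal's category, applies to the same target, and that no goal is left unrefined. The `REFINEMENT_RULES` table, the `target` attribute, and the sample goals are hypothetical assumptions made for illustration.

```python
"""Toy model of CND policy refinement with a semantic consistency check.
Constructed example (hypothetical); it is not the paper's model or code.
"""
from dataclasses import dataclass

# Policy categories and the operational policy kinds the abstract lists under each.
CATEGORIES = {
    "protection": {"access_control", "user_authentication",
                   "encrypted_communication", "backup"},
    "detection": {"intrusion_detection", "vulnerability_detection"},
    "response": {"system_reboot", "shutdown"},
    "recovery": {"rebuild", "patch"},
}


@dataclass(frozen=True)
class Goal:
    """High-level policy goal element (target attribute is a hypothetical addition)."""
    name: str
    category: str
    target: str


@dataclass(frozen=True)
class OpPolicy:
    """Low-level operational policy element; `goal` records which goal it was refined from."""
    kind: str
    target: str
    params: tuple = ()
    goal: str = ""


# Hypothetical refinement relation: goal category -> operational policies it expands to.
REFINEMENT_RULES = {
    "protection": [("access_control", ("deny_by_default",)),
                   ("user_authentication", ("mfa",))],
    "detection": [("intrusion_detection", ("signature",)),
                  ("vulnerability_detection", ("weekly_scan",))],
    "response": [("system_reboot", ())],
    "recovery": [("patch", ("vendor_fix",))],
}


def refine(goals):
    """Expand each high-level goal into operational policies via REFINEMENT_RULES."""
    policies = []
    for g in goals:
        if g.category not in REFINEMENT_RULES:
            raise ValueError(f"unknown category {g.category!r} for goal {g.name!r}")
        for kind, params in REFINEMENT_RULES[g.category]:
            policies.append(OpPolicy(kind, g.target, params, g.name))
    return policies


def check_consistency(goals, policies):
    """Return a list of violations; an empty list means the refinement is consistent."""
    by_name = {g.name: g for g in goals}
    errs = []
    refined = set()
    for p in policies:
        g = by_name.get(p.goal)
        if g is None:  # orphan: operational policy with no originating goal
            errs.append(f"{p.kind} on {p.target}: no originating goal {p.goal!r}")
            continue
        refined.add(g.name)
        if p.kind not in CATEGORIES[g.category]:  # category mismatch
            errs.append(f"{p.kind} is not a {g.category} policy (goal {g.name})")
        if p.target != g.target:  # scope drift between goal and policy
            errs.append(f"{p.kind} targets {p.target}, goal {g.name} targets {g.target}")
    for g in goals:  # every goal must refine to at least one operational policy
        if g.name not in refined:
            errs.append(f"goal {g.name} refines to no operational policy")
    return errs


# Constructed sample goals: protect and monitor a hypothetical DMZ web host.
SAMPLE_GOALS = [
    Goal("G1", "protection", "dmz-web"),
    Goal("G2", "detection", "dmz-web"),
]

if __name__ == "__main__":
    ops = refine(SAMPLE_GOALS)
    for p in ops:
        print(p)
    print("violations:", check_consistency(SAMPLE_GOALS, ops))
    # A response-type policy wrongly attached to a protection goal is caught:
    bad = ops + [OpPolicy("shutdown", "dmz-web", (), "G1")]
    print("violations:", check_consistency(SAMPLE_GOALS, bad))
```

Running the module prints the four operational policies derived from the two sample goals with no violations, then reports the category mismatch when a `shutdown` policy is attributed to the protection goal.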