CT-ISG: Model-based, Automatic Network Security Management

CT-ISG：基于模型的自动网络安全管理

• 批准号: 0716665
• 负责人: Xinming Ou
• 金额: --
• 依托单位: Kansas State University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2007
• 资助国家: 美国
• 起止时间: 2007-08-01 至 2010-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0716665&HistoricalAwards=false
• 关键词: CT; ISG; Model; based; Automatic

As our society increasingly relies upon networked computers for people's day-to-day life, cyber security has become a major concern. In order to have a meaningful security management strategy, one has to balance the risk of opening an access and the benefit of having the access. This is extremely difficult for a large system. All sizable organizations depend upon networked computers to provide essential services. One service may depend upon another, which may not be on the same computer. A seemingly legitimate configuration setting at one machine could cause unexpected security exposure at another. A seemingly moderate security control at one service could be too draconian for another service to operate smoothly. In determining a "good" configuration setting for an enterprise system, one has to consider all possible interactions among the system's components to ensure that accesses are opened in a way that usability and risk are well balanced. This research will develop a logic-based methodology to automate enterprise security management. The formal model-based approach makes sure that security knowledge can be shared in a machine-readable format, and consumed by automated tools to assist in reaching configuration settings that both satisfy legitimate business needs and protect the information systems adequately. The successful result from the research will enable management workforce to leverage an open management knowledge base, and be liberated from the mundane management jobs by tools that can automatically apply the generic knowledge to specific situations in an organization to reach a secure and usable configuration setting.

随着我们的社会越来越依赖于网络计算机为人们的日常生活，网络安全已成为一个主要问题。为了有一个有意义的安全管理策略，人们必须平衡开放访问的风险和拥有访问的好处。这对于一个大型系统来说是非常困难的。所有大型组织都依赖联网的计算机来提供基本服务。一个服务可能依赖于另一个服务，而另一个服务可能不在同一台计算机上。一台机器上看似合法的配置设置可能会在另一台机器上导致意外的安全暴露。在一个服务中看似温和的安全控制可能过于严厉，使另一个服务无法顺利运行。在确定企业系统的“良好”配置设置时，必须考虑系统组件之间所有可能的交互，以确保以可用性和风险得到良好平衡的方式打开访问。这项研究将开发一种基于逻辑的方法来自动化企业安全管理。正式的基于模型的方法确保安全知识可以以机器可读的格式共享，并由自动化工具使用，以帮助达到既满足合法业务需求又充分保护信息系统的配置设置。研究的成功结果将使管理人员能够利用开放的管理知识库，并通过可以自动将通用知识应用于组织中的特定情况的工具从平凡的管理工作中解放出来，以达到安全和可用的配置设置。