基于软件定义网络的非集中式信息流控制系统——S-DIFC

doi:10.11772/j.issn.1001-9081.2015.01.0062

计算机应用 ›› 2015, Vol. 35 ›› Issue (1): 62-67.DOI: 10.11772/j.issn.1001-9081.2015.01.0062

基于软件定义网络的非集中式信息流控制系统——S-DIFC

王涛¹, 严飞^1,2, 王庆飞¹, 张乐艺¹

1. 武汉大学计算机学院, 武汉430072;
2. 武汉大学空天信息安全与可信计算教育部重点实验室, 武汉430072

收稿日期:2014-07-18 修回日期:2014-09-02 出版日期:2015-01-01 发布日期:2015-01-26
通讯作者: 严飞
作者简介:王涛(1987-),男,河南郑州人,硕士研究生,主要研究方向:可信软件、信息流控制;严飞(1980-),男,湖北武汉人,副教授,博士,主要研究方向:信息安全、可信计算;王庆飞(1989-),男,安徽宿州人,硕士研究生,主要研究方向:可信软件、可信虚拟机;张乐艺(1990-),男,湖北黄冈人,硕士研究生,主要研究方向:可信软件.
基金资助:
国家自然科学基金资助项目(61272452, 61003268, 91118003, 61303024);国家973计划项目(2014CB340600).

S-DIFC: software defined network-based decentralized information flow control system

WANG Tao¹, YAN Fei^1,2, WANG Qingfei¹, ZHANG Leyi¹

1. School of Computer, Wuhan University, Wuhan Hubei 430072, China;
2. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education (Wuhan University), Wuhan Hubei 430072, China

Received:2014-07-18 Revised:2014-09-02 Online:2015-01-01 Published:2015-01-26

摘要/Abstract

摘要：

针对当前非集中式信息流控制(DIFC)系统无法对主机与网络敏感数据进行一体化有效监控的问题,提出一种基于软件定义网络(SDN)的DIFC系统设计框架——S-DIFC.首先,在主机平面利用DIFC模块对主机中文件及进程进行细粒度的监控;然后,利用标签信息转换模块拦截网络通信,将敏感数据标签添加到网络流中;其次,在网络平面的SDN控制器中,对带有机密信息的流进行多级别的访问控制;最后,在目标主机DIFC系统上,恢复敏感数据所携带的敏感信息标记.实验结果表明,该系统对主机CPU负载影响在10%以内,对内存影响在0.3%以内,与依赖加解密处理的Dstar系统大于15 s的额外时延相比,有效地减轻了分布式网络控制系统对通信的负担.该框架能够适应下一代网络对敏感数据安全的需求,同时分布式的方法能够有效增强监控系统的灵活性.

关键词: 非集中式信息流控制, 软件定义网络, 数据防泄漏, 标签映射, 细粒度

Abstract:

To solve the problem that current Decentralized Information Flow Control (DIFC) systems are unable to monitor the integration of host and network sensitive data effectively, a new design framework of DIFC system based on Software Defined Network (SDN), called S-DIFC, was proposed. Firstly, this framework used DIFC modules to monitor files and processes in host plane with fine granularity. Moreover, label mapping modules were used to block network communication and insert sensitive data labels into network flow. Meanwhile the multi-level access control of the flow with security label was implemented with SDN's controller in network plane. Finally, S-DIFC recovered security labels carried by sensitive data in DIFC system on target host. The experimental results show S-DIFC influences host with CPU performance decrease within 10% and memory performance decrease within 1.3%. Compared to Dstar system with extra time-delay more than 15 seconds, S-DIFC mitigates communication overhead of distributed network control system effectively. This framework can meet the sensitive data security requirements of next generation network. In addition, the distributed method can enhance the flexibility of monitor system.

Key words: Decentralized Information Flow Control (DIFC), Software Defined Network (SDN), Data Leakage Prevention (DLP), label mapping, fine granularity

中图分类号:

TP309.2

王涛, 严飞, 王庆飞, 张乐艺. 基于软件定义网络的非集中式信息流控制系统——S-DIFC[J]. 计算机应用, 2015, 35(1): 62-67.

WANG Tao, YAN Fei, WANG Qingfei, ZHANG Leyi. S-DIFC: software defined network-based decentralized information flow control system[J]. Journal of Computer Applications, 2015, 35(1): 62-67.

参考文献

[1] MYERS A C, LISKOV B. A decentralized model for information flow control [J]. ACM SIGOPS Operating Systems Review, 1997, 31(5): 129-142.
[2] La PADULA L J, BELL D E. Secure computer system: a mathematical model, ESD-TR-73-278 [R]. Bedford: MITRE Corporation, 1973.
[3] FRIDRICH J, PEVNY T, KODOVSKY J, et al. Statistically undetectable JPEG steg-anography: dead ends, challenges and opportunities [C]// Proceedings of the 9th ACM Workshop on Multimedia and Security. New York, ACM Press, 2007: 3-14.
[4] JAIN S, KUMAR A, MANDAL S, et al. B4: experience with a globally-deployed software defined WAN [C]// SIGCOMM'13: Proceedings of the ACM SIGCOMM 2013 Conference on SIGCOMM. New York, ACM Press, 2013: 3-14.
[5] ZELDOVICH N, BOYD-WICKIZER S, KOHLER E, et al. Making information flow explicit in HiStar [J]. Communications of the ACM, 2011, 54(11): 93-101.
[6] BRODSKY M, EFSTATHOPOULOS P, KAASHOEK F, et al. Toward secure services from untrusted developers, TR-2007-041 [R]. Cambridge: Massachusetts Institute of Technology, 2007.
[7] ZHANG Q, McCULLOUGH J, MA J, et al. Neon: system support for derived data management [J]. ACM SIGPLAN Notices, 2010, 45(7): 63-74.
[8] CORBATO F J, VYSSOTSKY V A. Introduction and overview of the multics system [C]// AFIPS'65: Proceedings of the 1965 Fall Joint Computer Conference. New York, ACM Press, 1965: 185-196.
[9] KROHN M, YIP A, BRODSKY M, et al. Information flow control for standard OS abstractions [J]. ACM SIGOPS Operating Systems Review, 2007, 41(6): 321-334.
[10] SHIN S, PORRAS P, YEGNESWARAN V, et al. FRESCO: modular composable security services for software-defined networks [EB/OL]. [2014-06-20]. http://www.csl.sri.com/users/vinod/papers/fresco.pdf.
[11] PORRAS P, SHIN S, YEGNESWARAN V, et al. A security enforcement kernel for OpenFlow networks [C]// HotSDN'12: Proceedings of the First Workshop on Hot Topics in Software Defined Networks. New York: ACM Press, 2012: 121-126.
[12] FAYAZBAKHSH S K, SEKAR V, YU M, et al. FlowTags: enforcing network-wide policies in the presence of dynamic middlebox actions [C]// HotSDN'13: Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. New York: ACM Press, 2013: 19-24.
[13] MUNDADA Y, RAMACHANDRAN A, TARIQ M B, et al. Practical data-leak prevention for legacy applications in enterprise networks, GT-CS-11-01 [R]. Atlanta: Georgia Institute of Technology, 2011.
[14] MUNDADA Y, RAMACHANDRAN A, FEAMSTER N. Silver-Line: data and network isolation for cloud services [EB/OL]. [2014-06-10]. https://www.usenix.org/legacy/event/hotcloud11/tech/final_files/Mundada6-1-11.pdf.

[1]	陆鑫伟, 余鹏飞, 李海燕, 李红松, 丁文谦. 基于注意力自身线性融合的弱监督细粒度图像分类算法[J]. 计算机应用, 2021, 41(5): 1319-1325.
[2]	覃俊, 罗一凡, 帖军, 郑禄, 吕伟龙. 基于超列注意力机制的京剧人物识别[J]. 计算机应用, 2021, 41(4): 1027-1034.
[3]	许红亮, 杨桂芹, 蒋占军. 基于软件定义网络的数据中心自适应多路径负载均衡算法[J]. 计算机应用, 2021, 41(4): 1160-1164.
[4]	陈港, 孟相如, 康巧燕, 阳勇. 基于拓扑分割与聚类分析的虚拟软件定义网络映射算法[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3309-3318.
[5]	朱梦迪, 束永安. 软件定义网络中控制数据平面一致性的验证[J]. 计算机应用, 2020, 40(6): 1751-1754.
[6]	边小勇, 江沛龄, 赵敏, 丁胜, 张晓龙. 基于多分支神经网络模型的弱监督细粒度图像分类方法[J]. 计算机应用, 2020, 40(5): 1295-1300.
[7]	向雄, 田检. 基于软件定义网络的对等网传输调度优化[J]. 计算机应用, 2020, 40(3): 777-782.
[8]	赵季红, 吴豆豆, 曲桦, 殷振宇. 基于软件定义网络的可靠性虚拟网络映射保障机制[J]. 计算机应用, 2020, 40(3): 770-776.
[9]	傅泰铭, 陈燕, 李陶深. 基于线性分配的难负样本挖掘度量学习[J]. 计算机应用, 2020, 40(2): 352-357.
[10]	池亚平, 莫崇维, 杨垠坦, 陈纯霞. 面向软件定义网络架构的入侵检测模型设计与实现[J]. 计算机应用, 2020, 40(1): 116-122.
[11]	贾梦瑶, 王兴伟, 张爽, 易波, 黄敏. 基于软件定义网络的卫星网络容错路由机制[J]. 计算机应用, 2019, 39(6): 1772-1779.
[12]	李兆斌, 刘泽一, 魏占祯, 韩禹. 基于哈希链的软件定义网络路径安全[J]. 计算机应用, 2019, 39(5): 1368-1373.
[13]	邹承明, 刘攀文, 唐星. 动态主机配置协议泛洪攻击在软件定义网络中的实时防御[J]. 计算机应用, 2019, 39(4): 1066-1072.
[14]	曹震寰, 蔡小孩, 顾梦鹤, 顾小卓, 李晓伟. 基于访问控制列表机制的Android权限管控方案[J]. 计算机应用, 2019, 39(11): 3316-3322.
[15]	朱繁, 王洪元, 张继. 基于改进的Mask R-CNN的行人细粒度检测算法[J]. 计算机应用, 2019, 39(11): 3210-3215.

基于软件定义网络的非集中式信息流控制系统——S-DIFC

S-DIFC: software defined network-based decentralized information flow control system

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics