计算机应用 ›› 2015, Vol. 35 ›› Issue (1): 62-67.DOI: 10.11772/j.issn.1001-9081.2015.01.0062

• 信息安全 • 上一篇    下一篇

基于软件定义网络的非集中式信息流控制系统——S-DIFC

王涛1, 严飞1,2, 王庆飞1, 张乐艺1   

  1. 1. 武汉大学 计算机学院, 武汉430072;
    2. 武汉大学 空天信息安全与可信计算教育部重点实验室, 武汉430072
  • 收稿日期:2014-07-18 修回日期:2014-09-02 发布日期:2015-01-26 出版日期:2015-01-01
  • 通讯作者: 严飞
  • 作者简介:王涛(1987-),男,河南郑州人,硕士研究生,主要研究方向:可信软件、信息流控制;严飞(1980-),男,湖北武汉人,副教授,博士,主要研究方向:信息安全、可信计算;王庆飞(1989-),男,安徽宿州人,硕士研究生,主要研究方向:可信软件、可信虚拟机;张乐艺(1990-),男,湖北黄冈人,硕士研究生,主要研究方向:可信软件.
  • 基金资助:

    国家自然科学基金资助项目(61272452, 61003268, 91118003, 61303024);国家973计划项目(2014CB340600).

S-DIFC: software defined network-based decentralized information flow control system

WANG Tao1, YAN Fei1,2, WANG Qingfei1, ZHANG Leyi1   

  1. 1. School of Computer, Wuhan University, Wuhan Hubei 430072, China;
    2. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education (Wuhan University), Wuhan Hubei 430072, China
  • Received:2014-07-18 Revised:2014-09-02 Online:2015-01-26 Published:2015-01-01

PDF

摘要:

针对当前非集中式信息流控制(DIFC)系统无法对主机与网络敏感数据进行一体化有效监控的问题,提出一种基于软件定义网络(SDN)的DIFC系统设计框架——S-DIFC.首先,在主机平面利用DIFC模块对主机中文件及进程进行细粒度的监控;然后,利用标签信息转换模块拦截网络通信,将敏感数据标签添加到网络流中;其次,在网络平面的SDN控制器中,对带有机密信息的流进行多级别的访问控制;最后,在目标主机DIFC系统上,恢复敏感数据所携带的敏感信息标记.实验结果表明,该系统对主机CPU负载影响在10%以内,对内存影响在0.3%以内,与依赖加解密处理的Dstar系统大于15 s的额外时延相比,有效地减轻了分布式网络控制系统对通信的负担.该框架能够适应下一代网络对敏感数据安全的需求,同时分布式的方法能够有效增强监控系统的灵活性.

关键词: 非集中式信息流控制, 软件定义网络, 数据防泄漏, 标签映射, 细粒度

Abstract:

To solve the problem that current Decentralized Information Flow Control (DIFC) systems are unable to monitor the integration of host and network sensitive data effectively, a new design framework of DIFC system based on Software Defined Network (SDN), called S-DIFC, was proposed. Firstly, this framework used DIFC modules to monitor files and processes in host plane with fine granularity. Moreover, label mapping modules were used to block network communication and insert sensitive data labels into network flow. Meanwhile the multi-level access control of the flow with security label was implemented with SDN's controller in network plane. Finally, S-DIFC recovered security labels carried by sensitive data in DIFC system on target host. The experimental results show S-DIFC influences host with CPU performance decrease within 10% and memory performance decrease within 1.3%. Compared to Dstar system with extra time-delay more than 15 seconds, S-DIFC mitigates communication overhead of distributed network control system effectively. This framework can meet the sensitive data security requirements of next generation network. In addition, the distributed method can enhance the flexibility of monitor system.

Key words: Decentralized Information Flow Control (DIFC), Software Defined Network (SDN), Data Leakage Prevention (DLP), label mapping, fine granularity

中图分类号: 

版权所有 © 2021 四川计算机应用杂志社有限公司
蜀ICP备 05010208 号-3 新出网证(川)字026号
技术支持:北京玛格泰克科技发展有限公司
访问总数:
今日访问: