
2009 International Conference on Computer Technology and Development

Security Model Based on Network Business Security

Wu Kehe, Zhang Tong, Li Wei, Ma Gang
Department of Computer Science and Technology, North China Electric Power University, Beijing, China

Abstract—The Enterprise Network Information System is not only the platform for information sharing and information exchange, but also the platform on which the Enterprise Production Automation System and the Enterprise Management System work together.

As a result, the security defense of the Enterprise Network Information System includes not only information system network security and data security, but also the security of the network business running on the information system network, that is, the confidentiality, integrity, continuity and real-time behaviour of network business. Starting from the security defense of the Enterprise Network Information System, this paper proposes the concept of “network business security”.


In this paper, the object of information security is defined in three parts: data security, network system security and network business security, and the network business security model is described. The proposed concept of “network business security” provides a theoretical basis for the security defense of enterprise automatic production systems and enterprise management information systems.

Keywords: Information Security, Network Business Security, Network Business Security Model

I. INTRODUCTION

Computer and network technology provide convenience to people, but at the same time security problems have emerged and become more and more serious. With the increasing popularity of computer applications, and in particular the rapid development of network technology, more and more security threats have appeared, and information security has become a very important and urgent issue to be solved. Network information security has become the fifth security field after sea, land, air and space. In recent years a great deal of theoretical research and technical study on information security has been done.

Currently, information security has developed along two directions [1]: data security and network security. For the defense of information (data) security in a network environment, a security theory based on data security [6] has been established. Data security theory, built on cryptography, studies the confidentiality, integrity and availability of data, data security defense strategies and so on.

978-0-7695-3892-1/09 $26.00 © 2009 IEEE. DOI 10.1109/ICCTD.2009.160

The main information security models include the data confidentiality model (the BLP model [7]), the data integrity model (the Biba model [8]), and the PDR model [9], which can guide the security defense process. Following the Open Systems Internet Security Architecture, the security theory based on network security studies network security at three levels, namely security protocols, security mechanisms and security services [10], in order to provide a theoretical basis for establishing a secure network system. The existing theoretical system of information security can therefore be expressed as in Figure 1.

In current practical application, the network environment can be simply divided into two types. One is the public information network, such as the Internet, the Chinanet network and the Cernet network, which provides information sharing and information exchange services. The other is the enterprise information network [3], such as the electric power dispatching data network (SPDnet) and the electric power integrated data network (SPInet), which serves as the platform [2] for enterprise business operation and collaborative work as well as providing information sharing and information exchange services.

The information system running on the public information network is mainly a platform for information sharing and information exchange, so it focuses on the protection of network security and data security. However, the Enterprise Network Information System is not only the platform for information sharing and information exchange, but also the platform on which the Enterprise Production Automation System and the Enterprise Management System work together. As a result, the security defense of the Enterprise Network Information System includes not only information system network security and data security, but also the security of the network business running on the information system network. On the basis of the above analysis, and starting from the security defense of the Enterprise Network Information System, this paper proposes the concept of “network business security”. In this paper, the object of information security is defined in three parts: data security, network system security and network business security. The proposed concept of “network business security” provides a theoretical basis for the security defense of the Enterprise Network Information System.

Authorized licensed use limited to: NWFP UNIV OF ENGINEERING AND TECHNOLOGY. Downloaded on June 15, 2010 at 09:10:07 UTC from IEEE Xplore. Restrictions apply.

II. CONCEPT OF NETWORK BUSINESS SECURITY

First of all, this paper defines the concept of “network business”. Network business means the enterprise management business, or the controlling process of the Production Automation System, running on the network.

It can be further described as follows:

1) It is composed of function programs running on the network platform, realizing the enterprise management business processes and the production control logic.

2) In the network environment, staff work in accordance with the logic and rhythm of the business management software, or in accordance with the process of the control logic, which constitutes the realization of the network business.

3) At the level of the computer network system, network business is composed of a network process set, data sets and a process operation sequence set.

Based on the analysis of the concept and features of network business, “network business security” is defined as follows: network business security means the reliability, stability and real-time behaviour of the business running on the network, the continuity of business processes, and the confidentiality and non-repudiation of business operations. Network business security can be further described as the integrity of the network process sets and data sets, the running reliability and real-time behaviour of the network process set, and the non-repudiation of processes running and of write operations on the data set.

With the rapid development of enterprise informatization, the enterprise information network has become the platform on which the Enterprise Production Automation System and the enterprise management business run. Network business security has become the main element of Enterprise Information System security. Taking network business security as a security object may constitute a new security concept and a new theoretical system.

III. DESCRIPTION OF THE CONCEPT BASED ON NETWORK BUSINESS SECURITY

The Enterprise Information Network is not only the platform for information sharing and information exchange, but also the platform for running enterprise business and collaborative operation. Therefore, Enterprise Information Network security must protect not only the security of data in the network, but also the security of the business running on the network. The existing theory of information security is based on data security and network security. However, in some special enterprise application environments, the security theory and security model based on data security run contrary to the actual requirements of security defense. For example, in the information security defense of a power electricity enterprise, one important task is to ensure the absolute security of the Dispatching Automation System (which sits at the highest security level). At the same time, according to the requirements of production command and management in the power electricity enterprise, real-time data on the running state of the power grid must be obtained from the dispatching data network.

That is, data is transferred from the high-security-level network to the low-security-level network, which violates the confidentiality principle of the BLP model. The key issue behind this problem is that there are two different defense objects in the dispatching data network: one is the business of the Dispatching Automation System, and the other is the data in the dispatching automation network. The existing theory of network security does not distinguish between network business and network data. Therefore, network business security has become the main element of Enterprise Information System security.

Taking network business as the defense target, this paper proposes the security concept based on network business security and gives its theoretical description. Starting from network business security defense in the Enterprise Information Network, an information security concept based on network business security is set up, which mainly protects network business on the basis of ensuring network security and data security. Its goal is to establish the security defense of network business and the confidentiality and integrity constraints between network businesses at different security levels.

The new information security system is shown in Figure 2. The definition of information security whose defense objects consist of data security, network security and network business security can be described as follows: information security is the theory and technology that studies how to protect the hardware, software and data in computer network information systems, how to avoid accidental or malicious destruction, and how to ensure that the content of network information cannot be disclosed, that network services cannot be interrupted, and that network business can run continuously and reliably.

The new definition emphasizes the three aspects of the information security concept: data security, network security and network business security.

IV. MODEL OF NETWORK BUSINESS SECURITY

Starting from network business security defense in the Enterprise Information Network, the security concept based on network business security is established in order to ensure network business security. Its goal is to establish the security defense of network business and the confidentiality and integrity constraints between network businesses at different security levels.

Therefore, this paper gives a formal description of network business and of the network business security model.

A. Security Model of Network Business

From the definitions of network business and network business security in this paper, we can conclude that a network business is composed of network process sets, data sets and process operation sequence sets.

Network business security is the security of the network process sets and data sets; more precisely, it is the security of network processes running and of their write operations on data sets. Based on the above description of network business and network business security, this paper describes the network business security model as follows:

1) Model Description

a) Process Set: $P = \{p_0, p_1, p_2, \ldots, p_n\}$. Each $p_i \in P$ is a process running on the Enterprise Information Network.

b) Data Set: $D = \{d_0, d_1, d_2, \ldots, d_m\}$. Each $d_j \in D$ is a data item that processes access.

c) Access Set: $F = \{f_0, f_1, f_2, \ldots, f_n\}$. Each $f_i \in F$ has the form $f_i = f(p, d)$, where $f(p, d)$ is the mode in which process $p$ accesses data $d$. The whole access set $F$ forms an access matrix $A$, each element of which is one of the following:
r: process p can read data d;
w: process p can write data d;
r/w: process p can both read and write data d;
-: process p can neither read nor write data d.

d) Process Sequence Set: $S = G(P^+)$. Here, for any set $H$, $H^+$ denotes a subset of $H$. $G(P^+)$ is an ordered sequence of process subsets; for example, $G(P^+) = (P_1^+, P_2^+, \ldots, P_k^+)$. $G(P^+)$ gives the logical sequence of business operation.

e) Business Set: $B = (P^+, D^+, F^+, S)$. A business is composed of all the processes that together complete it, all the data it needs, the access rights of those processes on that data, and the ordered sequence between these processes. All businesses together form the whole network application system that the model defends.

2) Model Constraints

From the above description of network business and network business security, this paper abstracts the following two properties:

Property 1: The defense of data is the defense of write operations on data; the defense of read operations on data is not necessary.

Property 2: The correct ordered sequence between the processes that a network business needs must not be changed.

According to these two properties, the model constraints are described as follows.

For Property 1: This paper defines $pclass(p)$ as the access class of process $p$ and $dclass(d)$ as the access class of data $d$. Property 1 can then be stated as: process $p$ may write data $d$ only if the access class of $p$ is at least as high as the access class of $d$. The security formula is:

$$\forall p \in P,\ d \in D:\ \text{if } w \in f(p, d) \text{ then } pclass(p) \geq dclass(d) \qquad (1)$$

For Property 2: For any business $b$, the ordered sequence between the processes that business $b$ needs must not be changed. The security formula is:

$$\forall b \in B:\ S = G(P^+) = (P_1^+, P_2^+, \ldots, P_k^+) \qquad (2)$$

3) Definition of Security Status

For each business, all of its processes and all of its data must satisfy the $f(p, d)$ and $G(P^+)$ constraints; the business is then considered safe. If every business in the network system is safe, the application system in the network is safe.

B. Security Analysis of Network Business

The above network business security model realizes an important element of the security concept based on network business security, namely establishing the security defense of network business. The premises under which the model can ensure network business security are the following two points. All processes in the Process Set $P$ are safe and credible, which is ensured by “the safe initial state”.

Concretely, in a safe and closed environment, we collect information on safe processes as comprehensively as possible to establish the “Credible Network Process List”. Only processes registered in the list are allowed to run. How to maintain the “Credible Network Process List” and how to intercept illegal processes by means of it have been solved by Mandatory Running Control technology. The network business security model, proposed according to the specificity of the Enterprise Information Network, distinguishes between the defense of read and of write operations on data.
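The following is an added example, not code from the paper or its authors. It turns the model of Section IV.A (the sets P, D, F and S, a business B, formulas (1) and (2), and the security-status rule) into executable checks, adds the “Credible Network Process List” premise from Section IV.B as a third check, and contrasts formula (1) with the BLP no-write-down rule that Section III says the dispatching scenario violates. Every process name, data name, access class and access-matrix entry below is constructed for illustration; the level numbers and the rule that an observed run must equal the required sequence are assumptions made to keep the model decidable.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed example, not the paper's code: Section IV.A model as checks,
# the Section IV.B credible-process premise, and a BLP contrast (Section III).
# All names, classes and access entries are invented for illustration.

Access = str  # one access-matrix entry: "r", "w", "r/w" or "-"


@dataclass
class Business:
    """B = (P+, D+, F+, S): processes, data, access entries f(p, d) and the
    required ordered process sequence S = G(P+)."""
    name: str
    processes: FrozenSet[str]
    data: FrozenSet[str]
    access: Dict[Tuple[str, str], Access]
    sequence: Tuple[str, ...]


def can_write(entry: Access) -> bool:
    return entry in ("w", "r/w")


def property1_violations(b: Business, pclass: Dict[str, int],
                         dclass: Dict[str, int]) -> List[Tuple[str, str]]:
    """Formula (1): if w in f(p, d) then pclass(p) >= dclass(d).
    Reads are deliberately left unconstrained, as Property 1 requires."""
    return sorted((p, d) for (p, d), entry in b.access.items()
                  if can_write(entry) and pclass[p] < dclass[d])


def property2_holds(b: Business, observed: Tuple[str, ...]) -> bool:
    """Formula (2): the ordered sequence S must not change, so (assumption)
    an observed run must match the required sequence exactly."""
    return tuple(observed) == b.sequence


def unregistered_processes(b: Business, credible: FrozenSet[str]) -> List[str]:
    """Section IV.B premise: only processes on the credible list may run."""
    return sorted(b.processes - credible)


def business_is_safe(b: Business, pclass: Dict[str, int], dclass: Dict[str, int],
                     observed: Tuple[str, ...], credible: FrozenSet[str]) -> Tuple[bool, List[str]]:
    """Security status of one business: safe iff all checks pass; else the reasons."""
    reasons = [f"{p} (class {pclass[p]}) writes {d} (class {dclass[d]})"
               for p, d in property1_violations(b, pclass, dclass)]
    if not property2_holds(b, observed):
        reasons.append(f"sequence changed: {observed} != {b.sequence}")
    reasons += [f"{p} is not on the credible process list"
                for p in unregistered_processes(b, credible)]
    return (not reasons, reasons)


def system_is_safe(runs: List[Tuple[Business, Tuple[str, ...]]], pclass: Dict[str, int],
                   dclass: Dict[str, int], credible: FrozenSet[str]) -> bool:
    """Section IV.A 3): the application system is safe iff every business is safe."""
    return all(business_is_safe(b, pclass, dclass, observed, credible)[0]
               for b, observed in runs)


def blp_allows_write(subject_class: int, object_class: int) -> bool:
    """BLP *-property (no write-down): a subject may write only to objects at or
    above its class. Formula (1) points the other way (write only at or below)."""
    return subject_class <= object_class


# Constructed sample: a dispatching area (class 3) must hand grid state down
# to a management area (class 1), the situation Section III describes.
PCLASS = {"scada_collector": 3, "dispatch_gateway": 3, "mis_report": 1}
DCLASS = {"grid_state": 3, "grid_state_copy": 1, "daily_report": 1}
CREDIBLE = frozenset(PCLASS)  # the constructed "Credible Network Process List"

DISPATCH = Business(
    name="dispatch",
    processes=frozenset({"scada_collector", "dispatch_gateway"}),
    data=frozenset({"grid_state", "grid_state_copy"}),
    access={("scada_collector", "grid_state"): "w",
            ("dispatch_gateway", "grid_state"): "r",
            ("dispatch_gateway", "grid_state_copy"): "w"},  # high-to-low transfer
    sequence=("scada_collector", "dispatch_gateway"),
)
MANAGEMENT = Business(
    name="management",
    processes=frozenset({"mis_report"}),
    data=frozenset({"grid_state_copy", "daily_report"}),
    access={("mis_report", "grid_state_copy"): "r",
            ("mis_report", "daily_report"): "r/w"},
    sequence=("mis_report",),
)
RUNS = [(DISPATCH, ("scada_collector", "dispatch_gateway")),
        (MANAGEMENT, ("mis_report",))]

if __name__ == "__main__":
    print("system safe under the business model:",
          system_is_safe(RUNS, PCLASS, DCLASS, CREDIBLE))
    print("same transfer allowed by BLP *-property:",
          blp_allows_write(PCLASS["dispatch_gateway"], DCLASS["grid_state_copy"]))
    print(business_is_safe(DISPATCH, PCLASS, DCLASS,
                           ("dispatch_gateway", "scada_collector"), CREDIBLE))
```

Running the block shows the paper's point in miniature: the gateway's write of grid state from the class-3 area into class-1 data passes formula (1), because writes are only constrained to go to data of equal or lower class, whereas the BLP *-property rejects the same write-down. Swapping the two dispatch processes, or a class-1 process writing class-3 data, makes the corresponding business unsafe and the reasons list says which constraint failed.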

The model makes no special demand for confidentiality protection of data content, but defends the confidentiality property of data in accordance with business requirements. Therefore, the model contains explicit protection constraints only for write operations on data. The security concept based on network business security has another important element, namely the confidentiality and integrity constraints between network businesses at different security levels.

According to the importance and reliability of the business running on the Enterprise Information Network, the Enterprise Information System can be divided into different network business areas at different security levels. In order to meet the requirements of enterprise management and production command, these areas at different levels also have to transfer data, and such transfers have to satisfy certain security protection principles. This problem will be solved in future research work.

V. CONCLUSION

On the basis of research on the actual needs and current application status of Enterprise Information System network security defense, and according to the key points of Enterprise Information System network defense, this paper has proposed the concept of “network business security” through theoretical study and research on information security, dividing the protection object of information security into data security, network security and network business security.

The new information security concept treats network business security as an important protection object in the Enterprise Information Network, and explains well the special problems of Enterprise Information Systems. This paper specifically addresses the meaning of network business security and gives a formal description of the network business security model, providing a theoretical basis for the security development and planning of Enterprise Information Systems.

REFERENCES

[1] YuNing Wang. Current Situation and Defense of Network Information Security [J]. Modern Commerce Industry, 2008.
[2] DongHui Jiang. Security Offense and Defense Testing and Analysis of LAN [J]. Science & Technology Information, 2009.
[3] XingHua Chen. Enterprise Network Information Security and Countermeasure Study [J]. Agriculture Network Information, 2009.
[4] Chi Hu. Strategy Choice of Enterprise Information Construction [J]. China Science & Technology Investment, 2009.
[5] YuanFei Huang, LiYong Ji, LiPing Jin. Investigation of Network Information Security Situation and Hot Issues [J]. Telecommunications Science, 2009.
[6] Chao Li. Simple Exploration of Network Information Security [J]. Scientific & Technological Information Development and Economic, 2009.
[7] D. E. Bell, L. LaPadula. Secure Computer Systems: Mathematical Foundations and Model. Technical Report M74-244, Mitre Corp., Bedford, MA, May 1973.
[8] K. J. Biba. Integrity Consideration for Secure Computer Systems. Technical Report ESD-TR-76-372, Mitre Corp., Bedford, MA, April 1979.
[9] Winn Schwartau. Time-Based Security Explained: Provable Security Models and Formulas for the Practitioner and Vendor [J]. Computers & Security, USA, 1998: 693–714.
[10] HongSheng Yan, XueLi Wang, Jun Yang. Computer Network Security and Defense [M]. Beijing: Electronics Industry Press, 2007.
[11] R. Sandhu, V. Bhamidipati, E. Coyne. The ARBAC97 Model for Role-Based Administration of Roles: Preliminary Description and Outline. In Proceedings of the Second ACM Workshop on Role-Based Access Control, Fairfax, Virginia, 1997: 41–49.
[12] GuangQiong Wang. Comprehensive Study of Access Control Based on GFAC [J]. Journal of AnQing Teachers College, 2004.

Figure 1. Existing Theory of Information Security System
Figure 2. The Information Security System Based on Data, Network and Network Business
