安全数据空间构建方法研究及其应用

信息安全研究 ›› 2016, Vol. 2 ›› Issue (12): 1098-1104.

安全数据空间构建方法研究及其应用

孙伟

中山大学信息科学技术学院

收稿日期:2016-12-26 出版日期:2016-12-15 发布日期:2016-12-26
通讯作者: 孙伟
作者简介:教授，博士生导师，主要研究方向为网络安全和多媒体技术.

Research and Application of Security Data Space Construction Method

Sun Wei

School of Information Science and Technology, Sun Yatsen University

Received:2016-12-26 Online:2016-12-15 Published:2016-12-26
Contact: Sun Wei

摘要/Abstract

摘要： 近年来，我国电子政务的快速发展带来一系列数据安全问题：数据与用户关联不够紧密、数据与业务流程映射关系不清晰、缺乏应对新的数据安全风险等问题.针对上述问题，提出安全数据空间构建方法(包括二维和三维2个层次的空间).其中二维数据空间通过梳理业务流与数据流的关系并确定数据关联用户，构建数据主权和边界明确、数据流向清晰的二维区域；三维安全数据空间在二维基础上，结合数据防护手段，保护数据主权和边界、分析和管控数据流向.安全数据空间方法在现行电子政务系统中进行了实践应用，取得了较好的效果.安全数据空间方法还可以扩展到其他行业信息系统，帮助指导改进其数据安全性.

关键词: 数据安全模型, 数据空间, 数据流分析, 数据防护

Abstract: In recent years, the rapid development of E-government generated a series of data security risks: data cannot be accurately mapped to the user and workflow, E-gov system cannot cope with new data security risks. To confront with these problems, a Security Data Space method(including 2D, 3D Security Data Space method) is presented in this paper. 2D Security Data Space build an area which has clear data ownership and boundary by sorting out the relationship between data, workflow, and user. 3D Security Data Space introducing data protection technology into 2D Security Data Space, can protect data ownership and boundary while accurately control the data flow. The Security Data Space method is applied in E-gov system and work effectively. The Security Data Space method can also be extended to other field to enhance the security of data.

Key words: data security model, data space, data flow analysis, data protection

孙伟. 安全数据空间构建方法研究及其应用[J]. 信息安全研究, 2016, 2(12): 1098-1104.

Sun Wei. Research and Application of Security Data Space Construction Method[J]. Journal of Information Security Research, 2016, 2(12): 1098-1104.

参考文献

［1］Garg A, Singh S. A review on Web application security vulnerabilities［J］. International Journal, 2013, 3(1): 222226［2］Antunes N, Vieira M. Defending against Web application vulnerabilities［J］. Computer, 2012, 45(2): 6672［3］中国信息安全测评中心. 中国国家信息安全漏洞库漏洞统计［DBOL］. ［20160701］. http: www.cnnvd.org.cnvulnerabilitystatistics［4］Williams J, Wichers D. OWASP top 10, the ten most critical Web application security risks［R］. New York: The Open Web Application Security Project, 2013［5］OWASP. OWASP top ten project［EBOL］. (20130623) ［20160914］. https:www.owasp.org index.phpCategory:OWASP_Top_Ten_Project［6］邱永华. XSS跨站脚本攻击剖析与防御［M］. 北京: 人民邮电出版社, 2013［7］Malviya V K, Saurav S, Gupta A. On security issues in Web applications through cross site scripting (XSS)［C］ Proc of the 20th AsiaPacific Software Engineering Conf. Piscataway, NJ: IEEE, 2013: 583588［8］Klein A. DOM based cross site scripting or XSS of the third kind［EBOL］. (20050407) ［20160910］. http:www.webappsec.orgprojectsarticles071105.shtml［9］Pan Jinkun, Mao Xiaoguang, Li Weishi. Taint inference for crosssite scripting in context of URL rewriting and HTML sanitization［J］. ETRI Journal, 2016, 38(2): 376386［10］OWASP. XSS (cross site scripting) prevention cheat sheet［EBOL］. ［20160327］. https:www.owasp.orgindex.phpXSS_(Cross_Site_Scripting)［11］Shar L K, Tan H B K. Predicting SQL injection and cross site scripting vulnerabilities through mining input sanitization patterns［J］. Information and Software Technology, 2013, 55(10): 17671780［12］Kirda E, Jovanovic N, Kruegel C, et al. Clientside crosssite scripting protection［J］. Computers & Security, 2009, 28(7): 592604［13］OWASP. DOM based XSS prevention cheat sheet［EBOL］. ［20160908］. https:www.owasp.orgindex.phpDOM_based_XSS_Prevention_Cheat_Sheet［14］Van Gundy M, Chen H. Noncespaces: Using randomization to defeat crosssite scripting attacks ［J］. Computers & Security, 2012, 31(4): 612628［15］Shar L K, Tan H B K. Automated removal of cross site scripting vulnerabilities in Web applications［J］. Information and Software Technology, 2012, 54(5): 467478［16］曹黎波, 曹天杰. 基于动态测试的XSS漏洞检测方法研究［J］. 计算机应用与软件, 2015, 32(8): 272275［17］李洁, 俞研, 吴家顺. 基于动态污点分析的DOM XSS漏洞检测算法［J］. 计算机应用, 2016, 36(5): 12461249, 1278［18］沈寿忠, 张玉清. 基于爬虫的XSS漏洞检测工具设计与实现［J］. 计算机工程, 2009, 35(21): 151154［19］Vishnu B A, Jevitha K P. Prediction of crosssite scripting attack using machine learning algorithms［C］ Proc of Int Conf on Interdisciplinary Advances in Applied Computing. New York: ACM, 2014: No.55［20］张海燕, 莫勇. 基于决策树分类的跨站脚本攻击检测方法［J］. 微型机与应用, 2015, 34(16): 5557, 61［21］Guo Xiaobing, Jin Shuyuan, Zhang Yaxing. XSS vulnerability detection using optimized attack vector repertory［C］ Proc of Int Conf on Cyber Enabled Distributed Computing and Knowledge Discovery. Piscataway, NJ: IEEE, 2015: 2936孙伟

[1]	周航方勇黄诚刘亮陈兴刚. 针对PHP应用的二阶漏洞检测方法[J]. 信息安全研究, 2018, 4(4): 380-386.
[2]	孙伟陈林. 一种基于抽象语法树的C#源代码SQL注入漏洞检测算法[J]. 信息安全研究, 2015, 1(2): 112-125.