
Design and Application Prospects of Zero-Trust Architecture for Near-Space Networks
Near space occupies a distinctive position, and the near-space network, built around near-space vehicles of various types as its core nodes, is a key component of the integrated air-space-ground network. Because that network transmits, processes and stores large volumes of high-value, highly sensitive data, its security protection is essential. This paper describes the composition of the near-space network, the other nodes it connects to, and the network applications it can support. Starting from an analysis of the network's weak points, it identifies near-space network security requirements in identity authentication, data security, network availability and vehicle control. Zero-trust architecture has become an important trend in network security, and extending it to the protection of near-space networks is scientifically sound. On that basis the paper proposes a zero-trust architecture for near-space networks and discusses in detail the constituent elements and application characteristics of its overall architecture, trust assessment model, access control model and policy definition framework. It then examines the challenges such an architecture faces in application: the heavy initial workload of collecting and processing information, the high complexity of formulating and maintaining policies, and the added deployment difficulty caused by an unclear network architecture. Finally, it offers an outlook on the value of new technologies, the development concepts and the key implementation points for deploying the zero-trust architecture in near-space networks.
near-space network / zero-trust architecture / cyber security / trust assessment / access control
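The abstract names the elements the paper's architecture is built from (identity authentication, a trust assessment model, an access control model and a policy definition framework) without showing, at this level, how they interact on each request. The Python below is an added example written for this page, not the paper's model and not any product's code: a hypothetical policy decision point in which a ground station or near-space vehicle is authenticated with an HMAC tag (a stand-in for certificate or hardware-backed credentials), its trust score is updated from observed behaviour with an asymmetric exponentially weighted average (slow to rise, fast to fall), and every action is checked against per-action thresholds for role, device posture, authentication age and trust. All node names, keys, thresholds and the scenario are constructed assumptions.

```python
"""Hypothetical zero-trust policy decision point (PDP) for near-space network nodes.

Added example for this page, NOT the paper's model: every request from a node
(ground station, near-space vehicle, relay) is judged on identity, device
posture, a continuously updated trust score and the sensitivity of the action,
never on where the node sits in the network.  Names, keys, thresholds and the
scenario below are all constructed assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum

# Assumed per-node secrets.  A real deployment would use certificates or
# hardware-backed keys; HMAC keeps the example self-contained.
NODE_KEYS = {
    "gs-01": b"ground-station-01-key",
    "haps-07": b"haps-vehicle-07-key",
}
AUTH_WINDOW_S = 30  # tolerated clock skew / replay window for an auth tag


class Action(str, Enum):
    TELEMETRY_READ = "telemetry.read"
    PAYLOAD_READ = "payload.read"
    FLIGHT_CONTROL = "flight.control"


# Policy definition framework (assumed values): per action, the minimum trust
# score, the maximum age of the last authentication, and the permitted roles.
POLICY = {
    Action.TELEMETRY_READ: {"min_trust": 0.5, "max_auth_age": 3600, "roles": {"operator", "analyst"}},
    Action.PAYLOAD_READ:   {"min_trust": 0.7, "max_auth_age": 900,  "roles": {"operator", "analyst"}},
    Action.FLIGHT_CONTROL: {"min_trust": 0.9, "max_auth_age": 60,   "roles": {"operator"}},
}


@dataclass
class NodeState:
    """Trust assessment state the PDP keeps for one node."""
    node_id: str
    role: str
    trust: float = 0.5        # prior for a newly enrolled node
    posture_ok: bool = True   # e.g. attested firmware, approved configuration
    last_auth: float = 0.0    # time of the last successful authentication

    def observe(self, positive: bool) -> None:
        """Asymmetric EWMA: good behaviour moves trust toward 1 with weight 0.2,
        an anomaly moves it toward 0 with weight 0.5 (hard to gain, easy to lose)."""
        weight, target = (0.2, 1.0) if positive else (0.5, 0.0)
        self.trust = (1 - weight) * self.trust + weight * target


def sign(node_id: str, timestamp: float, key: bytes) -> str:
    """Auth tag a node attaches to its request (node side)."""
    return hmac.new(key, f"{node_id}|{timestamp}".encode(), hashlib.sha256).hexdigest()


def authenticate(state: NodeState, node_id: str, timestamp: float, tag: str, now: float) -> bool:
    """Verify tag and freshness; a failed attempt counts as a negative observation."""
    key = NODE_KEYS.get(node_id)
    fresh = abs(now - timestamp) <= AUTH_WINDOW_S
    valid = key is not None and hmac.compare_digest(sign(node_id, timestamp, key), tag)
    if not (fresh and valid):
        state.observe(False)
        return False
    state.last_auth = now
    return True


def decide(state: NodeState, action: Action, now: float):
    """Access control decision: (allowed, reasons for denial)."""
    rule = POLICY[action]
    reasons = []
    if state.role not in rule["roles"]:
        reasons.append("role")
    if not state.posture_ok:
        reasons.append("posture")
    if now - state.last_auth > rule["max_auth_age"]:
        reasons.append("stale-auth")
    if state.trust < rule["min_trust"]:
        reasons.append("low-trust")
    return (not reasons, reasons)


def run_scenario() -> dict:
    """Constructed walk-through; returns every decision so it can be checked."""
    now = 1_700_000_000.0
    gs = NodeState("gs-01", role="operator")
    haps = NodeState("haps-07", role="operator")
    out = {}
    # Flight control with no authentication and only prior trust is denied.
    out["unauthenticated_flight_control"] = decide(gs, Action.FLIGHT_CONTROL, now)
    # Valid tag: authenticated, but prior trust only clears the telemetry threshold.
    out["auth_ok"] = authenticate(gs, "gs-01", now, sign("gs-01", now, NODE_KEYS["gs-01"]), now)
    out["telemetry_after_auth"] = decide(gs, Action.TELEMETRY_READ, now)
    out["flight_control_after_auth"] = decide(gs, Action.FLIGHT_CONTROL, now)
    # Twelve clean interactions raise trust above the flight-control threshold.
    for _ in range(12):
        gs.observe(True)
    out["trust_after_good_behaviour"] = gs.trust
    out["flight_control_after_good_behaviour"] = decide(gs, Action.FLIGHT_CONTROL, now + 10)
    # One anomaly halves trust: the flight-control capability is revoked.
    gs.observe(False)
    out["flight_control_after_anomaly"] = decide(gs, Action.FLIGHT_CONTROL, now + 20)
    # A forged tag under the vehicle's identity is rejected and lowers its trust.
    out["forged_tag_accepted"] = authenticate(haps, "haps-07", now, "0" * 64, now)
    out["haps_trust_after_forgery"] = haps.trust
    # Authentication ages out (60 s for flight control) regardless of trust.
    out["flight_control_after_auth_expiry"] = decide(gs, Action.FLIGHT_CONTROL, now + 120)
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Flight-control commands are treated as the most sensitive action, needing an authentication no older than a minute and a trust score above 0.9, which mirrors the vehicle control requirement named in the abstract; a single anomalous observation is enough to withdraw that capability until trust has been rebuilt, while telemetry reads survive at a lower threshold. The per-action table is the place where a policy definition framework would be expressed in practice, and it is deliberately separate from both the trust assessment and the authentication check.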