Conference: Simulation Interoperability Workshop

Using HLA Object Models for the Analysis of Cross Domain Security Policies

Abstract

Across defence, training equipment, data and scenarios are likely to have different classification levels. Thus it is sometimes necessary for training to be carried out using a federation of participating systems running at different classification levels, but without compromising security rules. This is usually done using guards and filters to limit the data that may be released from the higher security domain to the lower security domain. In some cases, limiting the data may negatively impact the training and make it impossible to meet all the training goals. When following the process from design to security accreditation it is crucial to understand how to meet security requirements while also understanding the impact this will have on the training. This paper suggests an approach based on a description of the data exchange using the object models of the High Level Architecture (HLA). One type of object model is the Federation Object Model (FOM). It specifies the type and format of any data exchanged in the federation. This includes descriptions of objects (such as aircraft, soldiers and weapons) and interactions (such as orders, fire and detonation). Another type of object model is the Simulation Object Model (SOM). This is used to describe which objects and interactions are published (produced) and subscribed (consumed) by any one simulation system. The proposed method uses the SOMs to analyse the data flow within and between the different security domains. It allows the user to suggest different security policies. It then provides an automatic analysis that can be used to analyse the effect from both a training and a security perspective. This analysis can be performed for standard FOMs, like RPR FOM and NATO NETN FOM, as well as extensions of these and project-specific FOMs. The proposed method can be used as a basis for a dialog between accreditors and developers of training federations. This can help to avoid security issues, to understand the impact of training goals and also to detect any technical issues that may be introduced by the presence of a guard.