Multilevel Security Network Communication Model Based on Multidimensional Control



Introduction
Although the rapid development of cloud computing [1], 5G [2], Internet of Things (IoT) [3], and other emerging technologies has brought great convenience to people, these technologies also pose a threat to the security of network and information owing to their openness, data sharing, and other characteristics [4][5][6]. At present, research on data security, such as on preserving privacy [7,8], information security transmission and sharing [9,10], and information encryption [11], plays a prominent role in information security. However, most of these studies are aimed at single-level data security and do not consider multilevel data security. Note that due to the complexity and diversity of information, different sensitivity levels of information exist in the network. Therefore, to ensure the security of information at different sensitivity levels in the network, multilevel security networks [12] have emerged.
Owing to the various security levels in multilevel security networks, information systems face several problems such as those related to establishing intersystem communication relations, controlling interdomain subject-object access security, and transmission of information at different levels after interconnection [13]; these problems directly affect the availability of multilevel security networks. Establishing secure communication is the key to realizing secure interconnection and interoperability of information systems. Therefore, in order to realize multilevel security interconnection of network information systems, attention must be paid to establishing a multilevel security-oriented network security communication model and implementing multilevel security control and security transmission.
In recent years, many scholars have carried out research on the problems and requirements of multilevel security models. In previous studies, the usability and adaptability of a multilevel security model were improved [14,15], but since the model was highly dependent on the access control characteristics of the Bell-LaPadula (BLP) model [16], the access flexibility between various subject-object levels was limited. In other studies, a unified representation of multilevel security strategies was provided [17], and an application isolation model was proposed for secure computing environments, ensuring dynamic security of applications in the domain during operation [18]. In addition, a multilevel security model based on the BLP model was proposed to realize dynamic adjustment of the security level of subject-access-object in the model, and the flexibility of the multilevel security model was improved to a certain extent [19]. However, the model was mainly applicable to private cloud environments, and it controls the operations of users through a mandatory access model, which compromises the flexibility and compatibility of the model to a certain extent. A new multilevel secure access control model (V-MLR) was proposed [20], which not only provides a secure communication mechanism for virtual machine monitors (VMMs) and virtual machines (VMs) but also updates the communication mechanism synchronously with varying information in a VMM. However, this model relies on the overall performance of the VMM system. Lan et al. [21] proposed a safe and practical integrated network security strategy model. The architecture of the model comprises three parts: security system, secure connection of the network, and security transmission of data and key management.
This model realizes secure communication and management of data, but it does not solve the problem of multilevel interconnection and aggregation inference control. Information flow control [22] is another typical technology in multilevel security research; it focuses on access control research, which is usually used in security level control of information systems. However, information flow control is difficult to implement in a network because it cannot be well combined with security communication. In the above research, although the multilevel security model has been improved in terms of flexibility, adaptability, compatibility, and other aspects, it is still unable to integrate with the network security communication and provide a more comprehensive consideration to many aspects.
In a previous study [23], a security policy model SBLP for multilevel security networks was presented, and its state machine model definition and state change rules were provided, which formally confirmed the security of the model. However, its rules were relatively simple, without considering the problem of easy deduction and leakage of sensitive information by data aggregation. Another study [24] presented a method to build a unified directed acyclic graph model (including both subjects and objects) by using partially ordered sets. This method was easy to realize and has greater utility in designing an access control model; however, such a model does not provide control rules for secure access between hosts and objects at different levels. Furthermore, multilevel security communication was realized by using a quantum key and IPSec [25]. In this method, a field was added to implement the control strategy based on the security of data packets, a key effective time was used to meet the different security requirements, the "one-time-pad" algorithm was used to provide unconditional security, and the process of transmitting data packets was described. However, in this method, the generation and use rules of the quantum key were complex. In another study, a multilevel security access control strategy was proposed for distributed systems [26]. Based on the multilevel security model, the management platform and middleware modules were added to ensure data confidentiality and access process security and control. However, the system did not consider information transmission security and the integrity and security of the system during its formulation. Although the aforementioned studies provided effective guidance for secure interconnection of multilevel security networks, data flow control in communication, and secure access between hosts and objects at different levels, they could not adequately solve the security problems faced by multilevel security in network applications.
Problems such as object aggregation inferring highly sensitive information and poor flexibility of communication between hosts and objects at different levels still exist. In a previous study, the noninterference theory was applied to a behavior-based access control model to control the access of the subject to structured documents without describing the access to unstructured documents regularly [27]. Furthermore, some studies [27][28][29] provided an effective guidance for using the noninterference theory to prove the security of a multilevel security model. For the security of sensitive information, a new framework to secure information in fog cloud IoT was proposed in [30], which can realize the security sharing of data in different locations. In addition, a novel quantum steganography protocol based on the hash function and quantum entangled states was presented. The hash function is used to authenticate embedded secret messages, avoiding the attacks of message, man-in-the-middle, and no-message. The protocol provides guidance for secure sharing and access of information with various sensitivity levels. The existing network security communication models have improved greatly in flexibility, adaptability, and other aspects [31][32][33][34], but most of them do not support the multilevel security attributes effectively; hence, they cannot fully meet the security communication requirements of multilevel security network information systems. Hence, it can be seen that current research on multilevel security models does not sufficiently meet the actual requirements of multilevel security network communication, and many problems remain, such as the following:
(1) The static nature of security labels makes multilevel security networks less flexible.
Multilevel security requires that a subject's access to an object strictly follows the simple security characteristics and "*" characteristic (state consistency characteristic) [35]. This restriction of multilevel security prevents access of legitimate network subjects, makes the implementation of the network more difficult, and renders the network less flexible and usable [36]. These issues are mainly caused by the static nature of security labels, which once allocated, will not change [37].
As Figure 1 shows, in a network environment, situations where high-level subjects write low-level objects and low-level subjects read high-level objects exist [38]. Resolving the problem of a subject's illegal access to objects under special circumstances is the key to improving the flexibility and adaptability of a BLP model network.
(2) The existence of object-sensitive levels results in the deduction and leakage of information by object information aggregation in a multilevel security network. Although the BLP model prevents information from leaking with the "read-down and write-up" rule, sensitive information can easily be leaked owing to the similarity and attribute dependency of objects. In Figure 2, secret level subject $s_1$ reads "objects $o_1$ and $o_2$." Higher level (greater than the secret level) information is deduced from objects $o_1$ and $o_2$. Secret level subject $s_2$ can read "objects $o_3$, $o_5$, and $o_6$" and deduce higher level (more than the secret level) information from objects $o_3$, $o_5$, and $o_6$. Thus, the multilevel security network access control no longer follows only the security characteristics of "read-down, write-up" but also considers the relationship between objects.
(3) Multilevel security lacks a security channel mechanism because of which problems of information leakage and interference occur. Existing multilevel security models do not support secure transmission adequately. Achieving efficient multilevel security network transmission based on an access control strategy is also an important consideration for realizing secure interconnection of multilevel security network information systems. The adaptability of the existing secure transmission mechanism in a multilevel security network will be poor because it is not combined with security features such as network security hierarchy and multilevel security information. Moreover, the established security channel is single-level. The information in the domain protected by interconnected entities is transmitted confidentially by the same channel. Isolation of information of different security levels is difficult, while interference can be easily caused between information. In addition, prevention of information deduction and leakage caused by information aggregation is even more difficult. As shown in Figure 3, $O_1$ and $O_3$ have different security levels, but they are transmitted in the same channel (a single-level security channel shown in Figure 3). Low-level information easily interferes with high-level information, resulting in leakage. Therefore, in a multilevel security network, it is necessary to establish a multilevel security channel (dotted line in Figure 3) and build an independent, virtual, and logical multilevel security network to ensure isolation of information transmission at different levels.
Given the aforementioned problems, in order to improve the flexibility and adaptability of multilevel security in a network, it is essential to prevent information leakage risk and support the network security communication mechanism with multilevel security attributes, thus achieving secure interconnection among multilevel security network information systems. In meeting the abovementioned requirements, this study contributes in the following aspects:
(1) In this study, we use the concept of "domain" to abstract the complex information system, and on the basis of the domain, we analyze the problems existing in the security communication between multilevel security network information systems, establish a multilevel security-oriented network security communication model based on multidimensional control (MLS_NSCM), construct the network communication environment suitable for multilevel security, and realize object sharing and interoperability between different levels of information systems.

[Figure: aggregation inference. Labels: confidential level; security level > secret level information; security level > confidential level information.]
(2) In the model, we design multilevel security control constraint rules and security channel control constraint rules, including 21 basic constraints of the model, and then we build a multilevel security virtual network. The model not only overcomes the problems of poor flexibility and adaptability of the BLP model and enhances the availability of the multilevel security model in the actual network but also reduces the risk of leakage caused by the aggregation of object information. Through multilevel security channel control, it realizes the mutual isolation of information of different levels and information with aggregation problems, thus reducing the possibility of information leakage and effectively improving the security of information systems.
(3) To verify the security and credibility of the model, we confirm the security of the model based on the noninterference theory, perform a comparative analysis of the security provided by the proposed model and existing models, and provide the typical application of the model in actual networks.

Model Building Concept
A network information system can be divided into domains [39,40]. Therefore, in this study, the interdomain relationship of the system is considered as the basis to maintain the access control of security labels and integrate the interdomain relationship constraint, subject credibility constraint, object information aggregation inference, multilevel security channel establishment, and other controls in order to realize secure exchange of information between information systems. The schematic diagram of the building of the MLS_NSCM model is presented in Figure 4.
(1) The system is divided into a set of protected domains, and interdomain relations (i.e., hierarchical relations and peer-to-peer relations) are used to restrict interconnection relations, effectively implementing secure interconnection control and preventing arbitrary communication between domains.
(2) In the application layer, the credibility of the subject's security attributes is evaluated through a credibility evaluation mechanism, and the credibility threshold required by the subject and the object is taken as the basis of the multilevel security control of the network. This will solve the operation problem of the subject violating the multilevel security rules and accessing the object under special circumstances, for example, the access of $s_1$ to $o_4$ and the access of $s_2$ to $o_5$ in Figure 4. Every time the subject visits an object by violating rules, the credibility of the subject is evaluated and the method of dealing with the subject and object after the subject violates rules is considered such that the risk of system leakage is reduced and the reference relationship of the object is maintained. This process improves the flexibility and availability of the BLP model in network application.
(3) In the application layer, the relationship between objects is analyzed, control constraints are deduced based on aggregation, the access of subjects to relational objects is restricted, multilevel security is extended from security label access control to object relationship so as to reduce the risk of information leakage caused by object information aggregation, and the restriction of the BLP model on confidentiality security attributes is enhanced.
(4) According to secure channel rules, a multilevel security channel is established, and a logical, independent, autonomous, and dedicated multilevel security virtual subnet is constructed to ensure safe transmission and isolation of information at different sensitive levels in different flow directions, to realize noninterference of the channel, and to prevent objects with aggregation problems from using the same channel for transmission, thereby reducing the possibility of network information leakage.
Based on the above concepts, from the aspects of multilevel security control and secure channel control, under the assistance of technologies such as security labels and information objects, data stream binding, aggregation inference control, subject trust evaluation, and secure channel establishment, this study implements subject-object access control and security transmission at application and network layers in order to achieve secure communication between network information systems.

Basic Constraints of Multilevel Security Control
The MLS_NSCM model obeys the multilevel security control rules of the BLP model, that is, simple security features and "*" characteristics. After extension, the access operation set of the model includes the operations of inflow ($f_a$), outflow ($f_r$), in-out flow ($f_w$), and execution ($f_e$).

Constraint 1
s is the subject, or the communication initiator, which can be a user, a host, a subnet, an address range, a user group, a subnet group, or an address group; o is the object, or the communication receiving end, which can be a file, a database, a web service, an FTP service, a subnet, a host, an address range, or an address group; and L is a security label function. Constraint 1 shows that if o's security label dominates s, s inflows to access o.

Protection Domain Control Constraints
Definition 1. Protection domain (PD): PD is a set of subjects and objects protected by interconnected entities to achieve interdomain data flow control. Interconnection members and entities are detailed in Definitions 5 and 6. From the definition of PD, it can be as small as a single terminal or as large as one or a group of subnets. The relationship and interconnection control between PDs are maintained in an interconnection table of PDs (PDT), and effective interconnection control between domains and within domains is implemented according to the PDT.

Constraint 4
if $pd_i$ and $pd_j$ have n-level relationship, i.e., $pd_i \rhd_n pd_j$ then /* It implies that $pd_j$ n-fold contains $pd_i$ */
    $pd_i$ and $pd_j$ have an interactive relationship.
    if $n = 0$ then $pd_i$ and $pd_j$ are the same PD. endif
if $pd_i$ and $pd_j$ do not have a hierarchical relationship then
    The interaction between $pd_i$ and $pd_j$ is determined by the PDT.
if $pd_i$ and $pd_j$ have an interactive relationship then
    It is recorded as $pd_i \leftrightarrow pd_j$.
endif
Constraint 4 illustrates the interconnection control relationship between PDs in order to achieve mutual isolation between domains. The following are its main points: (1) $pd_i$ and $pd_j$ have n-level relationship, which indicates that $pd_j$ n-fold contains $pd_i$, i.e., $pd_i$ is the subdomain of $pd_j$, and there is an interaction between the parent domain and the subdomain. (2) There is no hierarchical relationship between $pd_i$ and $pd_j$, which indicates that they are independent and reciprocal. Even if they have the same parent domain, there is no direct interaction between them, but the interaction is determined by the PDT.

Constraint 5
if ($pd_i \leftrightarrow pd_j$) && ($pd_j \leftrightarrow pd_k$) then
    $pd_i$ and $pd_k$ do not necessarily obey $pd_i \leftrightarrow pd_k$.
endif
The main manifestation is as follows:
This relation indicates that $pd_j$ $l$-fold contains $pd_i$, $pd_k$ $m$-fold contains $pd_j$, and $pd_k$ $(l + m)$-fold contains $pd_i$. The inclusion relationship defined here is transitive.
This relation indicates that $pd_k$ $l$-fold contains $pd_i$, $pd_k$ $m$-fold contains $pd_j$, and then $pd_j$ $(l - m)$-fold contains $pd_i$.
This shows that the inclusion has implication relation.
(3) if $pd_i$ and $pd_j$ are peer domains, $pd_j$ and $pd_k$ are peer domains, and there are interactions among peer domains as well as $pd_i$, $pd_j$, and $pd_k$ are not equal then
    $pd_i$ and $pd_k$ are also peer domains, and the interactions are controlled by the PDT.
endif
This relationship indicates that $pd_i$ and $pd_j$ have an interaction relationship. $pd_k$ n-fold contains $pd_j$; hence, there should be an interaction relationship between $pd_i$ and $pd_k$, which indicates that subdomain interaction is based on parent-domain interaction.
An interaction between $pd_i$ and $pd_k$ is not necessary.
endif
This relationship indicates that the parent domain $pd_j$ of $pd_k$ and $pd_i$ has an interactive relationship, but $pd_i$ and $pd_k$ do not necessarily have an interactive relationship; instead, the relationship is controlled by the PDT.

Subject Credibility Constraints
Definition 2. Reliability in security attributes: this refers to the degree of trust that the subject will not destroy the information security attributes of the object.
Confidentiality credibility refers to the credibility that the subject will not leak information after visiting the object, which is expressed as $\mu_i(C)$, $i \in S$. $\lambda_i(C)$ denotes the confidence threshold ($i \in S \cup O$) of a subject or an object on the confidentiality security attributes such that the lowest reliability required by the system is determined.
When a high-level subject inflows to access a low-level object, it must control the scope of the subject to inflow to access the object. It requires that the credibility $\mu_s(C)$ of subject $s$ in confidentiality should be no less than the minimum confidentiality credibility threshold $\lambda_s(C)$, which implies that subject $s$ inflows to access object $o$ with the current credibility is not enough for information leakage.
When a low-level subject outflows to access a high-level object, the credibility $\mu_s(C)$ of subject $s$ should not be less than the minimum confidentiality credibility threshold $\lambda_s(C)$ of subject $s$ so that it will not leak information. At the same time, the reliability of $s$ in confidentiality should be no less than the reliability threshold of object $o$.

Aggregation Inference Control Constraints.
Aggregation inference control of an object aims to reduce the risk of leakage caused by information object aggregation. By analyzing the relationship between objects and deducing the possibility of deriving higher-level information from relational objects, corresponding security strategies are formulated to control a subject's restricted access to relational objects. This study holds that relational objects mainly include similar objects and related objects. Similar objects refer to objects with similar contents and attributes, whereas related objects refer to those with some implicit deductive relationship, and they are also known as incompatible objects.
. . . , $cl(o_{valve})$ after aggregation; that is, the information security level is higher than that of any object in $o_1, o_2, \ldots, o_{valve}$. There are two types of threshold selection for the similar object clustering problem: one is the quantitative aspect, wherein high-level information can be deduced from any "valve" objects; the other is the qualitative aspect, wherein there are $k$ objects in $o_1, o_2, \ldots, o_n$. As long as any one or more of these $k$ objects are included, high-level information can be deduced, "valve" will be any one value from $k + 1$ to $n$, and the $k$ objects are also called the special objects. Subjects with a security level less than $cl$ can only access "valve-1" similar objects. If special objects exist, they are absolutely not allowed to be accessed.
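The valve rule for similar objects can be enforced by a monitor that remembers which members of a cluster each subject has already obtained. The following is an added example, not code from the paper; the level names, the `SimilarCluster` and `AggregationMonitor` classes, and the sample objects are constructed for illustration, and the ordinary BLP label check is assumed to have been passed before `request` is called.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed linear ordering of sensitivity levels (assumption: categories
# that a full security label may carry are not modelled here).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class SimilarCluster:
    """Similar objects o_1..o_n whose aggregation yields level-`cl` information."""
    members: frozenset
    valve: int                        # any `valve` members reveal the higher level
    cl: str                           # level of the information after aggregation
    special: frozenset = frozenset()  # special objects: one alone is enough


class AggregationMonitor:
    """Hypothetical reference-monitor hook for the aggregation inference rule."""

    def __init__(self, clusters):
        self.clusters = list(clusters)
        # (subject, cluster index) -> distinct cluster members already read
        self.history = defaultdict(set)

    def request(self, subject, subject_level, obj):
        # Only subjects below the aggregated level `cl` are restricted.
        hits = [(i, c) for i, c in enumerate(self.clusters)
                if obj in c.members and LEVELS[subject_level] < LEVELS[c.cl]]
        for i, c in hits:
            if obj in c.special:
                return "DENY_SPECIAL"
            seen = self.history[(subject, i)]
            # A restricted subject may hold at most valve-1 distinct members;
            # re-reading an object it already holds adds nothing new.
            if obj not in seen and len(seen) + 1 >= c.valve:
                return "DENY_VALVE"
        # Record the access only once every affected cluster has allowed it.
        for i, _ in hits:
            self.history[(subject, i)].add(obj)
        return "ALLOW"


def demo():
    """Constructed scenario: four similar objects, valve = 3, o4 is special."""
    cluster = SimilarCluster(
        members=frozenset({"o1", "o2", "o3", "o4"}),
        valve=3,
        cl="top_secret",
        special=frozenset({"o4"}),
    )
    monitor = AggregationMonitor([cluster])
    trace = [monitor.request("s1", "secret", o)
             for o in ("o1", "o2", "o3", "o1", "o4")]
    # A subject already cleared for the aggregated level is not restricted.
    trace.append(monitor.request("s9", "top_secret", "o4"))
    return trace


if __name__ == "__main__":
    print(demo())
```

The decision depends on per-subject history, so the same request can be allowed for one subject and denied for another at the same level.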

Subject-Object Level Adjustment Constraints
"addtxt" denotes the data content added by subject s and inflow to access object o; "filt_buff" is a filter buffer area for filtering the content added by subject s to ensure the integrity of object o; "tmp_buff" is a temporary buffer for temporary storage of filtered content; "vs" is a virtual subject for checking data in buffer and adding checked content to object o; and "chk_buf" is a check function. Constraint 10 shows that when a low-level subject s inflows to access a high-level object o, s must be checked by vs in "filt_buff" to ensure the integrity of object o. The security level of vs must be consistent with the level of object o. vs adds the checked data to object o.
Keep the original object o unchanged
endif
Constraint 11 shows that the security level of fused data is higher than that of object o after fusing the data of subject s into object o with the original data of o. To ensure the reference relationship of other subjects to object o, we create new objects (data are fusion data) and keep the object o unchanged.

Constraint 12
Constraint 12 indicates that the security level of low-level subjects must be upgraded when a low-level subject s inflows to access a high-level object o. This is because if the security level of s remains unchanged, it is easy for s to divulge the information of high security level known to the subject or object of the same level. Moreover, the security level of s is raised temporarily. When o passes the period of confidentiality, the security level of s will return to its original level.

Security Label Mapping Constraints
Constraint 13. Security label transfer mapping. The security labels in $pd_i$ and $pd_j$ are heterogeneous. If the security label transfer of subject s in $pd_i$ is mapped to that in $pd_j$, the permissions obtained by subject s in $pd_j$ include the following: (1) s can write the object dominated by security label $sl_{pd_j}$; (2) s can read the object dominated by security label $sl_{pd_j}$.

Model Secure Channel Control Constraint Rules
The MLS_NSCM model is designed to ensure confidentiality, integrity, and credibility of data sources in secure channels.

Security Channel Classification Constraints.
A multilevel security channel has a certain level of security, and the purpose is to protect the security of different sensitive data streams. The higher the level of security, the stronger the protection provided by the security channel.
Definition 5. Interconnected members: this refers to all subjects and objects involved in the security interconnection of multilevel security network information systems. If "CM" represents the set of interconnected members, $\exists cm_i \in CM$, and then $cm_i \in S \cup O$.
Definition 6. Interconnected entities: this refers to devices or components that are securely interconnected in a network information system to protect interconnected members. If "CE" denotes the set of interconnected entities, $ce \in CE$.
Definition 7. Multilevel security channel: this refers to the special security channel based on the multilevel security network and multilevel data transmission achieved through encapsulation, encryption, authentication, and other technologies. If "$lst_k$" is multilevel channel $k$, then the multilevel secure channel is defined as $lst_k = \langle ce_i, ce_j, \langle cl_{ce_i}, cl_{ce_j} \rangle, lSA_k \rangle \mid ce_i, ce_j \in CE$. Here, $lSA_k$ provides multilevel security association (SA: a set of policies and keys used to protect information) for $lst_k$, including the encapsulation protocol, encryption and authentication algorithms, session key, and data stream direction.

Constraint 16.
The security level of multilevel secure channel $lst_k$ is determined by the level of data transmitted by the channel, and its constraints are described as follows:
Constraint 16 shows that the secure channel level is related to the direction of the channel data flow because the data transmitted in the channel are related to the source end of the data flow. $DL_1$ and $DL_2$ reflect that, in the operation of inflow and outflow, the level of security of the channel is consistent with the level of security at the source end of channel data flow, whether it is a low-level subject inflow to access a high-level object, a high-level subject outflow to access a low-level object, or a high-level subject inflow to access a low-level object and a low-level subject outflow to access a high-level object. $DL_3$ reflects that the data flow is bidirectional in the inflow and outflow operations. Because the security level between the communication peers is the same, the security channel level should be the same as the security level of the communication peers. $DL_4$ reflects that the security level of the security channel is consistent with that of the subject in the execution operation because the security level of the subject is higher than that of the object in the operation.

Security Channel Protection Constraints.
Despite the unidirectionality of the secure channel, in the actual network environment, owing to the bidirectionality of the communication protocol, there is actually a bidirectional data flow in the secure channel. Therefore, effective control of data flow in the multilevel secure channel is particularly important. Hence, this study formulates the protection rules of a secure channel to ensure legitimacy of data flow in a channel.
Constraint 17. $lSA_k$ includes $\overrightarrow{lSA_k}$ and $\overleftarrow{lSA_k}$, representing the SA in two directions. If the flow direction of data stream in $lst_k$ is $ce_i \leftarrow ce_j$, the protection rules are described as follows:
if $lst_k.lt_k.cl_{ce_i} > lst_k.lt_k.cl_{ce_j}$ then
Constraint 17 states the following: (1) there exists unidirectionality in secure channel security association; that is, $ce_i \rightarrow ce_j$ and $ce_i \leftarrow ce_j$ each have a SA to protect the security of data flow in this direction. (2) Irrespective of forward or backward data flow, the strength of SA is related to the source endpoint of the data flow. If $ce_i \leftarrow ce_j$ is a reverse flow and if $cl_{ce_i} > cl_{ce_j}$, the strength of the forward flow SA is higher than that of the reverse flow SA. Conversely, the strength of the reverse flow SA is higher than that of the forward flow SA. It can be seen that the strength of SA is mainly related to the security level of the source side of the data stream, but not to the size of the data in the data stream, where $I()$ denotes the strength of the SA.
Constraint 18. $lSA_k$ includes $\overrightarrow{lSA_k}$ and $\overleftarrow{lSA_k}$, representing the SA in two directions. If the flow direction of data stream in $lst_k$ is $ce_i \leftrightarrow ce_j$, then its protection rules are as follows:
Constraint 18 shows that, in the case of bidirectional data flow, the protection measures should be the same; that is, SA is bidirectional at this time.

Security Channel Noninterference Control Constraints.
To strictly control the information leakage problem caused by information object aggregation, this study introduces the rule of no interference in secure channels, which restricts the object with an aggregation problem from using the same secure channel for protection transmission and prevents the deduction of information in the same secure channel.

Constraint 19.
If the information objects protected by $ce_i$ and $ce_j$ have the problem of aggregation inference, then when transmitting these objects in secure channels, no interference between channels should be achieved. The rules are as follows:
Constraint 19 states that if a problem of aggregation inference exists between objects, the objects are prohibited from transmitting through the same secure channel to prevent information deduction. (1) Objects with the aggregation inference problem can belong to the same or different ce, but there is an interconnection between their ce.
(2) In case of objects with aggregate deduction relationship, although their security levels may be the same and the security levels of the negotiation channels are the same, these objects must choose different security channels for secure transmission according to the requirements of Constraint 8 and Constraint 9.
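The channel-level rule described under Constraint 16 and the noninterference rule of Constraint 19 can be combined in a channel allocator, shown here as an added example that is not code from the paper. The function and class names are hypothetical, the reading that the source end is the subject for inflow and the object for outflow is an assumption drawn from the prose, and the inference groups reuse the object names from the Figure 2 discussion as constructed input.

```python
def channel_level(op, subject_level, object_level):
    """Level of lst_k as described in the prose under Constraint 16.

    Assumption: for inflow, data moves subject -> object, so the source end
    is the subject; for outflow, the source end is the object.
    """
    if op == "inflow":
        return subject_level
    if op == "outflow":
        return object_level
    if op == "inout":
        # Bidirectional flow: the peers are at the same level.
        if subject_level != object_level:
            raise ValueError("in-out flow requires peers at the same level")
        return subject_level
    if op == "execute":
        return subject_level
    raise ValueError(f"unknown operation: {op}")


class ChannelAllocator:
    """Places objects on channels so that no two objects from the same
    aggregation inference group ever share a channel (Constraint 19)."""

    def __init__(self, inference_groups):
        self.groups = [frozenset(g) for g in inference_groups]
        self.channels = []  # each: {"id", "src", "dst", "level", "objects"}

    def conflicts(self, a, b):
        """True if a and b together allow higher-level information to be deduced."""
        return a != b and any(a in g and b in g for g in self.groups)

    def assign(self, src, dst, level, obj):
        """Reuse a channel with the same direction and level if it carries no
        conflicting object; otherwise establish a new channel."""
        for ch in self.channels:
            same_path = (ch["src"], ch["dst"], ch["level"]) == (src, dst, level)
            if same_path and not any(self.conflicts(obj, o) for o in ch["objects"]):
                ch["objects"].add(obj)
                return ch["id"]
        ch = {"id": f"lst_{len(self.channels) + 1}", "src": src, "dst": dst,
              "level": level, "objects": {obj}}
        self.channels.append(ch)
        return ch["id"]


def demo():
    """Constructed scenario: {o1, o2} and {o3, o5, o6} are inference groups,
    all objects are secret and are read (outflow) across ce_j -> ce_i."""
    alloc = ChannelAllocator([{"o1", "o2"}, {"o3", "o5", "o6"}])
    level = channel_level("outflow", "secret", "secret")
    return [alloc.assign("ce_j", "ce_i", level, o)
            for o in ("o1", "o2", "o3", "o5", "o6", "o4")]


if __name__ == "__main__":
    print(demo())
```

Objects at the same level still end up on different channels whenever they belong to the same inference group, which is the case item (2) above calls out.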

Secure Channel Switching and Forwarding Control Constraints
Because a multilevel security network is composed of multiple domains, each domain is securely interconnected by ce, and the relationship is intricate. It is necessary to formulate corresponding rules for forwarding and exchange of the security channels in order to build a secure and usable multilevel security network.

Constraint 20.
The interconnected entities of secure channel lst m are ce i and ce k and those of secure channel lst n are ce k and ce j ; thus, ce k is the common interconnected entity of lst m and lst n . Then, the secure channel is exchanged as follows:
endif
Constraint 20 reflects the situation of secure channel switching, where "visible ()" is a visual function, and "visible ( * )" is visible to " * "; "encap" is secure channel encapsulation, and "decap" is secure channel deencapsulation. Figure 5 illustrates secure channel switching.
The key points of secure channel switching include the following: (1) there is a common interconnected entity between secure channels; the prerequisite for secure channel exchange is that data information needs to be forwarded across the interconnected entity. For example, the common interconnected entity of lst m and lst n is ce k . (2) Secure channel switching implies that lst m and lst n have the data flow directions of ce i ⟶ ce k and ce k ⟶ ce j . Only when they have such direction of data flow can they be allowed to exchange information. (3) Data m protected by the secure channel are visible to the interconnected entity ce k ; that is, there will be no leakage problems, such as aggregation inference. (4) The essence of secure channel exchange is that data m are protected by two secure channels and are unpackaged and reencapsulated at ce k . Data m are the original text at ce k .

Constraint 21.
The interconnected entities at both ends of the secure channel lst m are ce i and ce k , while those at both ends of lst n are ce k and ce j , respectively. The interconnected entities at both ends of lst p are ce i and ce j . ce k is the common interconnected entity end of lst m and lst n ; hence, the secure channel is forwarded as follows:
ce k
lst p (m) = decap(lst m (lst p (m)))
lst n (lst p (m)) = encap(lst p (m)) ⟶ lst n (lst p (m)) ⟶ ce j
lst p (m) = decap(lst n (lst p (m)))
m = decap(lst p (m))
endif
Constraint 21 reflects the situation of secure channel forwarding, in which "invisible ()" is an invisible function and "invisible ( * )" means invisible to " * ." It differs from Constraint 20 in two aspects: (1) in this rule, data m are not visible to the interconnected entity ce k . At this time, ce k can only encapsulate the encapsulated data again but cannot decompose the existing encapsulated data. (2) The essence of secure channel forwarding is that one channel is nested and encapsulated by another channel, and then data are forwarded along the new channel.
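The difference between Constraint 20 (switching) and Constraint 21 (forwarding) is what ce k holds after decap. The following is an added example, not code from the paper: the class and function names are hypothetical, and a SHA-256 keystream with an HMAC tag stands in for whatever algorithms the SA actually negotiates.

```python
import hashlib
import hmac
import os


def _stream(key, nonce, n):
    """SHA-256 counter keystream: an assumed stand-in for the SA's real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


class SecureChannel:
    """A channel lst between two interconnected entities.

    Only the two endpoints hold the SA keys; _check() models that key
    possession inside this single-process simulation.
    """

    def __init__(self, name, end_a, end_b):
        self.name, self.ends = name, frozenset((end_a, end_b))
        secret = os.urandom(32)
        self._enc = hashlib.sha256(secret + b"enc").digest()
        self._mac = hashlib.sha256(secret + b"mac").digest()

    def _check(self, entity):
        if entity not in self.ends:
            raise PermissionError(f"{entity} is not an endpoint of {self.name}")

    def encap(self, entity, data):
        self._check(entity)
        nonce = os.urandom(12)
        ct = bytes(x ^ y for x, y in zip(data, _stream(self._enc, nonce, len(data))))
        tag = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decap(self, entity, blob):
        self._check(entity)
        nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
        expected = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError(f"integrity check failed on {self.name}")
        return bytes(x ^ y for x, y in zip(ct, _stream(self._enc, nonce, len(ct))))


# Topology of Constraints 20 and 21: ce_k is the common entity of lst_m and lst_n.
LST_M = SecureChannel("lst_m", "ce_i", "ce_k")
LST_N = SecureChannel("lst_n", "ce_k", "ce_j")
LST_P = SecureChannel("lst_p", "ce_i", "ce_j")


def transfer(m, visible_to_ce_k):
    """Send m from ce_i to ce_j via ce_k; return (delivered, data held at ce_k)."""
    if visible_to_ce_k:
        # Switching: decap at ce_k yields the original text, then re-encap.
        at_ce_k = LST_M.decap("ce_k", LST_M.encap("ce_i", m))
        return LST_N.decap("ce_j", LST_N.encap("ce_k", at_ce_k)), at_ce_k
    # Forwarding: lst_p(m) is nested inside lst_m, then inside lst_n.
    inner = LST_P.encap("ce_i", m)
    at_ce_k = LST_M.decap("ce_k", LST_M.encap("ce_i", inner))  # still lst_p(m)
    inner = LST_N.decap("ce_j", LST_N.encap("ce_k", at_ce_k))
    return LST_P.decap("ce_j", inner), at_ce_k


def ce_k_can_open(blob):
    """True only if ce_k could strip the end-to-end channel lst_p."""
    try:
        LST_P.decap("ce_k", blob)
        return True
    except PermissionError:
        return False
```
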

Multilevel Security Virtual Network
In the MLS_NSCM model, the establishment of multilevel secure channels will allow the members of the decentralized and independent multilevel security network to construct a virtual and exclusive secure communication environment. Under the rules of multilevel security control constraints and security channel control constraints, the restricted subject-object access in the multilevel security virtual network can be effectively controlled.
Multilevel security virtual network (MLS_VN): this network is composed of multiple labeled virtual networks (LVSNs), composed of interconnected members, interconnected entities, multilevel security channels, and security policies. It can be represented by the following eight tuples:
$LVSN_{id_{lvsn}} = \langle id_{lvsn}, id_{mlnsd}, CM, CE, LST, MLSP, VFT, App \rangle$. (1)
① id lvsn is the identification of LVSN. ② id mlnsd denotes the security domain identity of the network. ③ CM is a set of interconnected members protected by the LVSN and CE is a set of interconnected entities constructed by the LVSN, and they belong to the same security domain. ④ LST is a multilevel secure channel set, while VFT is the channel exchange and forwarding relationship in LST. ⑤ MLSP is a multilevel security communication policy set, and App is an application of the information system. The multilevel security communication strategy, MLSP, includes the multilevel secure control strategy and secure transmission strategy. The former mainly relies on the comparison between the subject and object security labels and needs multilevel security control constraint rules to restrict subject-object access. The latter is mainly used to protect data in the transmission process and to control the establishment and use of secure channels through the rules of secure channel control constraints.

Model Security Analysis
To analyze the security of the MLS_NSCM model, the model's security is verified through the nontransitive, noninterference theory, proposed by Rushby [41], and its related conclusions. This theory is used to analyze the rationality, effectiveness, and security of data flow control, and it serves as a good method to study the channel control strategy in a multilevel security network environment [42][43][44].

Nontransitive, Noninterference Theory.
The basic idea of the nontransitive, noninterference theory is as follows [45]: two domains (security domains) u and v in the system are observed from the perspective of domain v. If the operation in domain u does not affect the subsequent output state of domain v, that is, the system state observed by domain v before and after the operation of domain u is the same, domain u is said to be noninterference to domain v.
Definition 8 (see [46]). Let system M be a finite automaton that consists of the following components:
① The system state set S; s 0 ∈ S is the initial state.
② "A" is the system operation set, such as input, command, and instruction.
③ "OU" is the output set of the system.
④ step: S × A ⟶ S is a one-step state execution transition function.
⑤ output: S × A ⟶ OU is the output function of the system.
⑥ run: S × A * ⟶ S is a multistep state execution transition function. run(s, Λ) = s, and Λ is an empty sequence. run(s, a ∘ α) = run(step(s, a), α), and "∘" is a connector.
⑦ "D" denotes the domain, and dom: A ⟶ D denotes the system action execution domain.
⑧ The interdomain interference relation "∼>" is a binary reflexive relation in the domain, and its complementary relation "≁> = (D × D) \ ∼>" is a noninterference relation. Information flow security policy refers to information flow rules between different domains, which can be represented by "∼>" to illustrate the information flow relationship between security domains.
In the nontransitive, noninterference theory, a purge function of action sequence is defined as follows.
This subsequence is the remaining sequence after clearing the sequence of actions related to domain u in α; then, u ≁> v, that is, (2)
The main function of the purge function is to delete all operations that do not interfere with domain v from the execution sequence α. If the outputs of the system before and after deletion are consistent, the system conforms to noninterference [47]. Thus, the nontransitive, noninterference model provides the system security requirements as
output(run(s 0 , α), a) = output(run(s 0 , purge(α, dom(a))), a). (3)
To facilitate system security verification, the system security expansion theorem covering only one-step state has been given and proved in [41].

Theorem 1 (Unwinding Theorem). "∼>" is the information flow security policy of system M. If the following conditions are satisfied, system M is considered to be safe relative to "∼>". The proof is given in [41].
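The security requirement in equation (3) can be checked by brute force on a small automaton. The following is an added example, not code from the paper: it takes Rushby's intransitive purge (ipurge with its sources function) from [41] as the purge function, and the three-domain relay system ce_i ∼> ce_k ∼> ce_j, with its states, actions and outputs, is constructed for illustration.

```python
from itertools import product

# Constructed system: ce_i ~> ce_k ~> ce_j, and NOT ce_i ~> ce_j (intransitive).
DOMAINS = ("ce_i", "ce_k", "ce_j")
POLICY = {(d, d) for d in DOMAINS} | {("ce_i", "ce_k"), ("ce_k", "ce_j")}

# An action is (executing domain, name); dom(a) is its first component.
SEND, RELAY, READ = ("ce_i", "send"), ("ce_k", "relay"), ("ce_j", "read")
ACTIONS = (SEND, RELAY, READ)
S0 = (0, 0)  # state s = (value held by ce_i, value ce_k has relayed to ce_j)


def dom(a):
    return a[0]


def sources(alpha, u):
    """Domains whose actions in alpha can reach u through a chain of ~> steps."""
    if not alpha:
        return {u}
    src = sources(alpha[1:], u)
    if any((dom(alpha[0]), v) in POLICY for v in src):
        return src | {dom(alpha[0])}
    return src


def ipurge(alpha, u):
    """Intransitive purge: drop every action that cannot influence domain u."""
    if not alpha:
        return ()
    rest = ipurge(alpha[1:], u)
    return (alpha[0],) + rest if dom(alpha[0]) in sources(alpha, u) else rest


def step(s, a):
    sent, relayed = s
    if a == SEND:
        return (sent + 1, relayed)   # ce_i produces new data
    if a == RELAY:
        return (sent, sent)          # ce_k copies ce_i's data towards ce_j
    return s                         # a read does not change the state


def run(s, alpha):
    """run(s, a . alpha) = run(step(s, a), alpha), written as a loop."""
    for a in alpha:
        s = step(s, a)
    return s


def output_mediated(s, a):
    """ce_j only ever observes what ce_k has relayed."""
    sent, relayed = s
    return relayed if a == READ else sent


def output_leaky(s, a):
    """Faulty variant: ce_j's read returns ce_i's value directly."""
    return s[0]


def first_violation(output, max_len):
    """Return the first (alpha, a) that breaks equation (3), or None."""
    for n in range(max_len + 1):
        for alpha in product(ACTIONS, repeat=n):
            for a in ACTIONS:
                full = output(run(S0, alpha), a)
                purged = output(run(S0, ipurge(alpha, dom(a))), a)
                if full != purged:
                    return alpha, a
    return None
```

The leaky variant fails on the shortest possible trace, a single send followed by a read, because ce_j's output then depends on an action that the policy says cannot reach it without a relay.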

MLS_NSCM Model Security Proof.
To verify the access control model conveniently, the abstract concept of access control is given in the nontransitive, noninterference model, which involves the following main elements: ① N is a set of object names; all the names of object o in information systems are taken from the set of object names N; o (n) denotes the object whose name is n. ② V is a set of object values; the value of object o in information system is derived from set V. ③ contents: S × N ⟶ V is a value function, indicating that the object named n ∈ N takes v ∈ V when the information system state is s ∈ S. To verify the security of the MLS_NSCM model, the following functions are given according to the access control and transmission rules. Based on the model control rules, the hypothesis conditions for the secure communication monitor of the MLS_NSCM model system are given as follows:

Theorem 2. The MLS_NSCM model system M is secure for information flow strategy in access control if it satisfies the security communication monitoring hypotheses and model access control rules.
Proof. To prove Theorem 2, it must be proved that the MLS_NSCM model system satisfies the reference monitor hypotheses under the assumption of secure communication monitor, and Theorem 1 is valid. It can be seen that if ∼ u is the state equivalence relation on the model system M, then M meets the requirements of s ∼ u t ⟶ ∀n ∈ observe(u) : contents(s, n) = contents(t, n); hence, s ∼ dom(a) t ⟶ output(s, a) = output(t, a) holds. In addition, HY 4 is usually used for the management operation of the system; hence, the output of the system is the same when the same operation is performed under state s or t.
Therefore, system M conforms to output consistency.
(2) One-step consistency
To prove the one-step consistency, it is necessary to prove that s ∼ u t ⟶ step(s, a) ∼ u step(t, a), and as defined by the noninterference model system, it can be equivalent to s ∼ u t ⟶ contents(step(s, a), n) = contents(step(t, a), n); that is, the object named n takes the same value after operation a in states s and t. Let us discuss n ∈ observe(u) in three cases.

① contents(step(s, a), n) ≠ contents(s, n)
If operation a is executed under state s and the value of object resource o(n) changes, then o(n) must execute operation n ∈ alter (dom(a)) ∨ write(dom(a)) by execution domain dom(a).
Because of n ∈ observe(u), dom(a) ∼> u can be obtained, and then observe(dom(a)) ⊆ observe(u) can be known. Therefore, s ∼ u t implies s ∼ dom(a) t. From the model control constraints, it can be seen that, after object o(n) is written, its integrity and citation relationship remain unchanged; hence, contents(step(s, a), n) = contents(step(t, a), n) holds. ② contents(step(t, a), n) ≠ contents(t, n). The same is true for this situation as well.
① When low-level subjects inflow to access high-level objects and high-level subjects outflow to access low-level objects:
② When low-level subjects inflow to access high-level objects and low-level subjects outflow to access high-level objects: n ∈ alter(dom(a)) ∧ n ∈ observe(u) ⟶ cl(dom(a)) ≤ cl(o(n)) ∧ filt(n) ∧ upgrade(u, s)
③ When high-level subjects inflow to access low-level objects and high-level subjects outflow to access low-level objects: ) ∧ impatile(u, n) ∧ sim(u, n)
④ When high-level subjects inflow to access low-level objects and low-level subjects outflow to access high-level objects:
Of course, if domain A flows in and out of the object, the situation is similar to that of (1)(2)(3)(4). In summary, situation ①: cl(dom(a)) ≤ cl(u); furthermore, content filtering and the constraints of aggregation inference control are applied to object o(n), and the operation of dom(a) to object o(n) does not change the reference relationship of o(n). This implies that domain dom(a) can inflow domain u; that is, dom(a) ∼> u. Situation ②: cl(dom(a)) ≤ cl(u); the content filtering of object o(n) ensures its integrity, and the reference relationship of object o(n) does not change after operation a. At the same time, the credibility of a subject in domain u on the confidentiality security attribute is required to be higher than the threshold of confidentiality credibility of its own and that of o(n). Moreover, the security level upgrade of subject s u that outflows to access o(n) in domain u is carried out, which follows Constraint 12. Similarly, the reference relationship of s u with other objects is not changed. Situation ③: in domain dom(a), the credibility of subject s a in confidentiality security attributes is higher than its own credibility threshold such that the possibility of s a leakage is reduced. According to Constraint 11, the operation of s a to o(n) does not change its reference relationship and cl(u) ≥ cl(o(n)). Moreover, the aggregation inference control is applied to o(n); hence, domain dom(a) can flow into domain u. Situation ④: similarly, the credibility of subject s a in the confidentiality security attribute in domain dom(a) is higher than its own credibility threshold, and the operation to o(n) does not change the reference relationship of o(n). At the same time, the current confidentiality credibility of subject s u in domain u is higher than the credibility threshold of its own and that of o(n). The aggregation inference control of o(n) and the upgrading of subject s u are executed, and the reference relationship of subject s u to other objects is not changed.
In summary, we can see that the security policy of domain dom(a) inflowing to domain u is valid, that is, dom(a) ∼> u. Thus, n ∈ (alter(dom(a)) ∨ write(dom(a))) ∧ n ∈ observe(u) ⟶ dom(a) ∼> u is proved. Therefore, according to the equivalence relation, ∃n ∈ observe(u): contents(s, n) ≠ contents(step(s, a), n) ⟶ dom(a) ∼> u is valid. According to its contrapositive, dom(a) ≁> u ⟶ s ∼ u step(s, a) is valid. Note that Theorem 2 meets the three requirements of Theorem 1. Therefore, the security of Theorem 2 is proved.
Proof. The security of system M transmission is not only related to the secure channel protocol and multilevel SA (e.g., channel key and cryptographic algorithm) but also to the forwarding and exchange of secure channels. The premise of this proof is that the channel protocol is secure. Because the strength of the channel key and cryptographic algorithm can be tested by special tools, this study only needs to explain the security of forwarding and switching transmission. Figure 5 is used as an example to prove that system M is secure for information flow strategy in transmission.
① Hypotheses HY 1 -HY 4 show that any operation in the system needs to be protected by a secure channel. The strength of channel protection is related to the security level of interconnected members, and the rules are constrained by Constraints 15 and 16. ② The secure channel between ce i and ce k is lst m , that between ce j and ce k is lst n , that between ce i and ce j is lst p , and ce k is the transit node of secure channels lst m and lst n . According to Constraints 20 and 21, the direction of information flow is the same when forwarding and exchanging information flow between ce i -ce k -ce j . That is, if ce i has an inflow to access ce j , ce i ∼> ce k ∼> ce j is valid, and if ce j has an outflow to access ce i , ce i <∼ ce k <∼ ce j is valid. For the switching operations of secure channels, Constraint 20 shows that the transmission information between ce i and ce j is protected by lst m and lst n , which is visible to ce k and does not cause aggregation inference problems. Access control follows multilevel security control constraint rules and is proved in Theorem 2. For the forwarding operations of secure channels, Constraint 21 shows that the transmission information between ce i and ce j is protected by lst p , and the encapsulated data are protected by lst m and lst n ; hence, the transmission information is invisible to ce k . Following the ce i ∼> ce j information flow strategy, the security of policy is proved in Theorem 2. We see that the ce i ∼> ce k ∼> ce j and ce i <∼ ce k <∼ ce j information flow strategies ∼> are secure; that is, system M is secure for information flow strategy ∼> in transmission.

Network Architecture and Case Analysis Based on MLS_NSCM

Fundamental Multilevel Security Virtual Network.
According to the MLS_NSCM model, a multilevel security virtual network MLS_VN can be constructed, as shown in Figure 6. Different security interconnected entities can construct labeled virtual subnets according to their interconnection relationships. Each subnet is constructed on the basis of multiple security channels, and the level of each security channel is determined by the security level of the interconnected members. In each labeled virtual subnet, the subject-object access follows multilevel security control rules, and the security of information transmission is guaranteed by multilevel security channels. In an MLS_VN, when the nodes with communication relationship cannot communicate directly, they need to follow Constraint 20 and Constraint 21 to forward or exchange secure channels. The communication between different labeled virtual subnets needs to be routed and forwarded through virtual routing devices, and only the labeled virtual subnets with communication relationship have virtual routing relationship. According to the virtual routing relationship, the security channel of the system information flow is encapsulated and unpackaged until the destination of the communication. Figure 7 shows the schematic of secure communication between labeled virtual subnets.
As the figure shows, when subject s in LVSN 1 accesses an object in LVSN 2 , the virtual routing device first determines whether LVSN 1 and LVSN 2 have a communication relationship. The communication relationship can be either direct or indirect. If so, it can be transmitted through a multilevel secure channel. The data stream from LVSN 1 is decrypted and decomposed, and the data stream is encrypted and encapsulated to another secure channel for forwarding, until it reaches the destination labeled virtual subnet LVSN 2 , thus completing the secure communication between different virtual subnets.

Typical Application Case and Comparative Analysis of MLS_NSCM Model.
To describe the application of the MLS_NSCM model in a real network, this paper presents a typical application case of multilevel network. The MLS_NSCM model was applied in the case, and the characteristics of MLS_NSCM model and the common models are analyzed according to the case. The case is shown in Figure 8. The application scenario consists of a service platform and protection domains pd 1 and pd 2 . The service platform includes a unified security label management subsystem, a subject credibility evaluation subsystem, and an aggregated information level deduction subsystem. The unified security label management subsystem is responsible for the generation, distribution, and maintenance of security labels in the unified security domain; the subject credibility evaluation is responsible for evaluating the credibility of a subject's illegal access and restricting the subject's illegal operation on an object; aggregated information level deduction is responsible for mining object information in the unified security domain, calculating the possibility of aggregated information deducing higher level information, and forming object relationship tables ORTI and ORTA according to the threshold set by the system.
Assume that A, B, M, and N are similar objects, with their levels being secret and the access threshold being 3; C and P are related objects, with their levels being secret and confidential, respectively, and the relationship being incompatible. Subject s 1 is classified as secret, and subject s 2 is classified as confidential. It is assumed that there is an interconnection relationship between protection domains.
When the control device receives a request by subject s 1 to access object N, subject and object security labels are compared. Because cl(s 1 ) > cl(N), s 1 can perform f w on N, but because N has similar objects, it also checks the access history library of subject s 1 . If s 1 has visited objects A, B, and M, it is forbidden to visit object N. Otherwise, access is allowed and transmitted through the secure channel between the interconnected devices i and j. The transmission process follows the secure channel control rules.
When s 1 requests access to object P, because cl(s 1 ) > cl(P), s 1 is not allowed to access object P. Because of the special application of the network, subject s 1 must visit object P; then, subject s 1 needs to evaluate its credibility. If the credibility of s 1 is greater than the minimum threshold of object P, subject s 1 is allowed to access object P. However, because object C and object P are incompatible, it is checked whether s 1 has visited object C. If s 1 has visited object C, the access of s 1 to object P is prohibited; otherwise, it is allowed. Finally, the secure channel is chosen to encapsulate, encrypt, and authenticate the data according to the channel security parameters to ensure secure data transmission. If the level of object P outflow information is higher than that of subject s 1 , the security level of s 1 must be adjusted to that of object P outflow information.
When s 2 requests inflow to access object C, subject and object security labels are compared. Because cl(s 2 ) > cl(C), s 2 is not allowed to access object C. However, owing to the special application of the network, subject s 2 must access object C; hence, the credibility of subject s 2 is evaluated. If the credibility of s 2 is greater than the threshold of the credibility that subject s 2 will not deliberately leak information, its access to object C is allowed. However, because object P and object C are incompatible, it is checked whether s 2 has visited object P. If s 2 has visited object P, the access of s 2 to object C is prohibited; otherwise, it is allowed. It also uses secure channels for transmission. If the level of information flowing from subject s 2 to object C is higher than that of object C, a new object C′ is created.
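The history checks in the three requests above can be expressed as a small reference monitor. This is an added example, not the paper's implementation: the class name, the credibility scores and the 0.7 threshold are constructed, and the outcome of the label comparison is passed in as the case text states it rather than recomputed.

```python
from collections import defaultdict


class AggregationMonitor:
    """History-based checks for similar and incompatible objects.

    similar_groups: iterable of (set of object names, access threshold)
    incompatible_pairs: iterable of 2-tuples of object names
    Level upgrades of subjects and creation of C' are not modelled here.
    """

    def __init__(self, similar_groups, incompatible_pairs):
        self.similar_groups = [(frozenset(g), t) for g, t in similar_groups]
        self.incompatible = [frozenset(p) for p in incompatible_pairs]
        self.history = defaultdict(set)  # subject -> objects already accessed

    def _aggregation_block(self, subject, obj):
        seen = self.history[subject]
        for pair in self.incompatible:
            clash = (pair - {obj}) & seen
            if obj in pair and clash:
                return f"incompatible with previously accessed {min(clash)}"
        for group, threshold in self.similar_groups:
            # Count the *other* members already accessed, so repeating an
            # earlier access does not add to the aggregate (a design choice).
            if obj in group and len((group - {obj}) & seen) >= threshold:
                return f"similar-object threshold {threshold} reached"
        return None

    def request(self, subject, obj, label_ok, credibility=0.0, cred_threshold=None):
        """Return (allowed, reason) and record the access when it is granted."""
        if not label_ok:
            # Special-circumstance path: credibility must exceed the threshold.
            if cred_threshold is None or credibility <= cred_threshold:
                return False, "label check failed and credibility is insufficient"
        reason = self._aggregation_block(subject, obj)
        if reason:
            return False, reason
        self.history[subject].add(obj)
        if label_ok:
            return True, "granted"
        return True, "granted on credibility"


def case_monitor():
    """Relationship tables of the case: A, B, M, N similar with threshold 3;
    C and P incompatible."""
    return AggregationMonitor([({"A", "B", "M", "N"}, 3)], [("C", "P")])


def replay_s1_then_n():
    """s1 accesses A, B and M, then requests N."""
    mon = case_monitor()
    for obj in ("A", "B", "M"):
        mon.request("s1", obj, label_ok=True)
    return mon.request("s1", "N", label_ok=True)
```
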
By applying the MLS_NSCM model to the above cases, we prove that the model has good compatibility in actual multilevel networks.
Through the analysis of the model security described in Section 6, the information flow in the application case of multilevel security networks protected by the model can realize secure transmission and access. In addition, the model provides control methods under special circumstances, such as security control when a subject illegally operates an object and security constraints for aggregation inference problems.
This embodies flexibility, expansibility, universality, and other characteristics of the model in its application in multilevel networks.
To better reflect the effectiveness of the MLS_NSCM model, a comparative analysis is performed between the MLS_NSCM model and the common multilevel security models on the basis of the above case.
This method achieves the integration of IPSec and multilevel security features by adding security tags to the SA. Although this method can realize a secure interconnection between different protection domains and ensure the security of data transmission, IPSec only solves the problem of secure communication between peers. However, a multilevel security network mostly contains nonpeer members. For example, when the security levels of subjects s 1 and s 2 are different, it is impossible to negotiate the secure channel for communication. Moreover, some problems exist, such as cooperation between label access control and IPSec, security communication between heterogeneous information systems, and the aggregation inference of sensitive information, which affect the flexibility of multilevel network communication. In addition, this method only aims to solve the problem of secure interconnection and communication among network members but does not solve the problem of security control of different levels of subject access objects, such as the security access of s 1 to object A in the domain and to object P outside the domain.
(2) Network transmission security control model (NTSCM) [32]. This model provides the method of data transmission between networks of different security levels, thus realizing secure transmission of data between the networks and solving the communication problem between nonpeer members. However, the following problems exist in the model: ① Aggregation inference control problem: when objects A and B are transferred from domain pd 11 to domain pd 21 , A, B, M, and N are aggregated. Because they are similar objects and the threshold value is 3, when more than three data are aggregated, it is easy to infer the high-level information, which leads to the risk of leakage. When object C is transferred from domain pd 12 to domain pd 22 , if it is aggregated with its associated object P, it is easy to infer high-level sensitive information through analysis, leading to leakage. When the data are transmitted in two directions, there is also the problem of leakage caused by aggregation inference. ② This model does not address the security operation between subjects and objects at different levels in the network, and there are security risks in data access. For example, if low-level subject s 1 illegally accesses high-level object P, if it is not protected, sensitive information in P will be leaked.
(3) Multilevel security model based on noninterference theory in cloud (DIFC-B) [33]. This model uses the idea of distributed information flow control and combines the Biba model and BLP model to ensure the integrity and confidentiality of multilevel information systems. The model ensures the normal operation between the subjects and the objects in the system. However, the following problems still exist: ① This model needs to strictly follow the Biba model and BLP model. For example, subject s 1 at the secret level can access objects A and B at the secret level, so when there is an operation violating the rules of the two models, the model cannot operate. For example, subject s 1 requests access to object P, but the security level of s 1 is less than that of object P. According to the DIFC-B model, access is not allowed, but due to the special needs of the subject, s 1 must access P, which cannot be realized in the DIFC-B model; therefore, the model lacks flexibility of access. ② This model only refers to the safe operation of information and does not provide a method to establish the safe channel. Thus, it cannot guarantee the security of information transmission in the network channel. That is, when domain pd 1 transmits information to domain pd 2 , the security of information in channels 1, 2, and 3 cannot be guaranteed. ③ This model does not solve the problem that sensitive information is inferred from aggregation among objects, the same as the analysis of point (2)-①. ④ This model is based on the multilevel security model of the cloud platform, which is mainly aimed at the distributed cloud computing environment, with certain limitations and poor generality.
In this model, the subject and the object are tagged with security level labels. Based on the concept of centralized and decentralized information flow control, the double-layer security control of information can be realized, thus solving the security access of the subject to the object in the case and realizing the dynamic adjustment of the security labels. Therefore, better flexibility is achieved. This model does not realize the security protection of data in the process of cross-domain communication, the same as the analysis of point (3)-②. In addition, the model does not have the safety control ability of aggregation inference, the same as the analysis of point (2)-①.
According to the above analysis, the comparative analysis of each model is shown in Table 1.
To sum up, the four common models have certain shortcomings in the aspects such as security, flexibility, network compatibility, generality, and scalability. By contrast, the MLS_NSCM model can realize the security operation and communication of multilevel networks more efficiently.

Conclusions
In this study, by analyzing the characteristics of multilevel security networks and the problems associated with existing models, a network security communication model was proposed. The model integrates multilevel security control, protection domain control, security attribute reliability constraint, aggregation inference control, and multilevel security channel establishment. In the model, by introducing the credibility of subjects in confidentiality security attributes, the problem of operation of a subject's illegal access to objects under special circumstances in multilevel security networks is resolved to a certain extent. Furthermore, the method of dealing with subjects and objects after a subject's illegal operation is fully considered to enhance the network availability of the BLP model. By aggregation inference control constraints, the access of the subject to the associated objects is limited, which reduces the risk of information leakage caused by the aggregation of objects and enhances the restriction of the BLP model on the confidentiality security attributes. At the same time, by establishing multilevel security channels, a logical, independent, and multilevel virtual subnet is constructed, which realizes secure interconnection between nonpeer members and ensures the security and noninterference of information transmission. Compared with other models, the proposed MLS_NSCM model exhibits better flexibility, adaptability, and security.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.