CN103516550B - Rule conflict detection method and system for large-scale packet classification rule sets - Google Patents

Rule conflict detection method and system for large-scale packet classification rule sets

Info

Publication number: CN103516550B
Application number: CN201310455753.7A
Authority: CN (China)
Prior art keywords: rule, dip, prefix, sip, conflict
Legal status: Active (granted)
Other languages: Chinese (zh)
Other versions: CN103516550A (en)
Inventors: 云晓春, 陈训逊, 王东安, 张晓明, 张永铮, 王曦, 杜飞, 王勇, 臧天宁
Current assignee: Institute of Information Engineering of CAS; National Computer Network and Information Security Management Center
Original assignee: Institute of Information Engineering of CAS; National Computer Network and Information Security Management Center
Application filed by Institute of Information Engineering of CAS and National Computer Network and Information Security Management Center
Priority to CN201310455753.7A; publication of CN103516550A; application granted; publication of CN103516550B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a rule conflict detection method and system for large-scale packet classification rule sets. The method comprises: step 1, receiving and parsing rules; step 2, partitioning the parsed rules into full-prefix rules, non-full-prefix rules and no-prefix rules; step 3, organizing the full-prefix rule set in a two-layer source IP-destination IP hash table H_SIP-DIP or a destination IP hash table H_*-DIP, and performing rule insertion, deletion or query in the corresponding H_SIP-DIP or H_*-DIP; step 4, organizing the non-full-prefix rule set in a two-dimensional source IP-destination IP Trie tree T_SIP-TDIP, and performing rule insertion, deletion or query in T_SIP-TDIP; step 5, organizing the no-prefix rule set in a linked list L_*-*, and performing rule insertion, deletion or query in L_*-*; step 6, traversing each rule in H_SIP-DIP, H_*-DIP, T_SIP-TDIP and L_*-* as the tested rule, and detecting all rules that conflict with the tested rule. The invention remedies the shortcomings of existing rule conflict detection algorithms.

Description

Rule conflict detection method and system for large-scale packet classification rule sets
Technical field
The present invention relates to the field of network packet classification, and in particular to a rule conflict detection method and system for large-scale packet classification rule sets.
Background art
With the evolution of the Internet architecture and the development of Internet applications, traditional routing based on the single destination IP address field can no longer meet the demands of network services and network security. Packet classification, which classifies network traffic at fine granularity according to multiple packet header fields (normally source IP address, destination IP address, source port, destination port and protocol number), is widely used in network security devices such as routers, firewalls and security gateways.
Packet classification is realized in a packet classification engine on the basis of a configured rule set. As classification demands keep growing, rules have developed from one-dimensional to multidimensional, the number of rules in a rule set keeps increasing, and the relationships between rules become ever more complex, which inevitably gives rise to rule conflicts. During packet classification, if a packet matches two (or more) rules at the same time and the processing actions specified by those rules differ, the two (or more) rules conflict. Because of rule conflicts, a network security device will process network traffic in an unexpected way that runs counter to the network administrator's intent, causing management confusion. Rule conflict detection on packet classification rule sets is therefore highly significant.
Rule conflict detection means finding all conflicting rule pairs in a rule set, or finding all rules in the rule set that conflict with a given rule. Rule conflict detection algorithms have been studied both domestically and abroad. Existing rule conflict detection algorithms include: the sequential detection algorithm, the ASBV (AggregatedSBitVectors) algorithm and the DBBV (DoubleBinaryBitVectors) algorithm.
1. Sequential detection algorithm
The tested rule is compared with every rule in the rule set to decide whether they conflict. Obviously the sequential detection algorithm has O(n^2) time complexity, which is slow when the number of rules is large.
2. ASBV algorithm
The ASBV algorithm adopts a divide-and-conquer idea together with bit vector techniques: it first finds the conflicting rule set in each dimension, then takes the intersection to obtain the final conflicting rule set. ASBV builds one Trie tree per rule dimension; each Trie node is associated with two bit vectors whose length equals the number of rules, and each bit of these two vectors corresponds to one rule. In the first bit vector, the bit of a rule is set to 1 if the rule's prefix in that dimension equals the prefix corresponding to the node. The second bit vector equals the union of the second bit vectors of the left and right child nodes; for a leaf node the two bit vectors are equal. During conflict detection, ASBV first finds, in every dimension in parallel, the set of rules conflicting with the tested rule, and then intersects these sets. For each dimension the search walks the Trie according to the tested rule's component prefix in that dimension; at every visited node the first bit vector is OR-ed in, and when the node matching the rule's component prefix is reached, its second bit vector is OR-ed in as well. ASBV has the following shortcomings: (1) only rules specified as prefixes are supported; (2) too many bit vector operations are needed; (3) the space complexity is too large.
3. DBBV algorithm
The DBBV algorithm likewise adopts the divide-and-conquer idea and bit vector techniques, but converts the component of each dimension into a range representation and uses a balanced binary tree data structure, which reduces the bit vector operations. However, during incremental updates DBBV must modify not only the binary tree but also a large number of bit vectors, so it is unsuitable for applications with frequent rule updates.
From the ideas behind the ASBV and DBBV algorithms it can be seen that they focus mainly on raising conflict detection speed and support real-time incremental updates poorly. When a rule is added or deleted, the length of the bit vectors, their correspondence with rules and their values all have to change, so the bit vectors must be rebuilt. For DBBV the balanced binary tree also needs adjustment when a rule is added or deleted, so the efficiency of incremental rule updates is low. Yet for some applications, such as UTM systems, rules are continuously added and deleted because the system supports coordinated linkage between its security modules; and as network scale keeps growing and classification granularity becomes ever finer, the number of rules rises from the thousands to the millions, and the space complexity of these algorithms cannot meet the requirements.
Summary of the invention
The technical problem to be solved by the invention is to provide a rule conflict detection method and system for large-scale packet classification rule sets, so as to remedy the shortcomings of existing rule conflict algorithms.
The technical scheme by which the invention solves the above technical problem is as follows: a rule conflict detection method for large-scale packet classification rule sets, comprising:
Step 1, creating a remote configuration reception service, and receiving and parsing rules;
Step 2, partitioning the parsed rules into full-prefix rules, non-full-prefix rules and no-prefix rules according to the prefix situation of the source IP and destination IP;
Step 3, organizing the full-prefix rule set in a two-layer source IP-destination IP hash table H_SIP-DIP or a destination IP hash table H_*-DIP, and performing rule insertion, deletion or query in the corresponding H_SIP-DIP or H_*-DIP;
Step 4, organizing the non-full-prefix rule set in a two-dimensional source IP-destination IP Trie tree T_SIP-TDIP, and performing rule insertion, deletion or query in T_SIP-TDIP;
Step 5, organizing the no-prefix rule set in a linked list L_*-*, and performing rule insertion, deletion or query in L_*-*;
Step 6, traversing each rule in the full-prefix rule set, the non-full-prefix rule set and the no-prefix rule set as the tested rule, and detecting all rules that conflict with the tested rule.
On the basis of the above technical scheme, the invention can further be improved as follows.
Further, step 2 specifically comprises: when the prefix lengths of both the source IP and the destination IP of a parsed rule are 32, or the prefix length of one of the source IP and destination IP is 0 and the other is 32, the rule is classified as a full-prefix rule; when the prefix length of the source IP or the destination IP of a parsed rule lies between 1 and 31, the rule is classified as a non-full-prefix rule; when the prefix lengths of both the source IP and the destination IP of a parsed rule are 0, the rule is classified as a no-prefix rule.
Further, step 3 specifically comprises: if the prefix lengths of both the source IP and the destination IP of a full-prefix rule are 32, or the source IP prefix length is 32 and the destination IP prefix length is 0, the two-layer source IP-destination IP hash table H_SIP-DIP is used to organize the full-prefix rule set, and rule insertion, deletion or query is performed in H_SIP-DIP; if the source IP prefix length of a full-prefix rule is 0 and the destination IP prefix length is 32, the destination IP hash table H_*-DIP is used to organize the full-prefix rule set, and rule insertion, deletion or query is performed in H_*-DIP.
Further, H_SIP-DIP is divided into one source IP hash table H_SIP located on the upper layer and multiple destination IP hash tables H_DIP located under the source IP hash table H_SIP, and rule insertion in H_SIP-DIP specifically comprises:
Step 3A1, searching H_SIP by the source IP of the rule to be inserted for a node corresponding to that source IP; if it does not exist, adding the corresponding node to H_SIP, creating the destination IP hash table H_DIP under that node, and then performing step 3A2; if it exists, directly obtaining the destination IP hash table H_DIP under that node and performing step 3A2;
Step 3A2, searching H_DIP by the destination IP of the rule to be inserted for a node corresponding to that destination IP; if it does not exist, adding the corresponding node to H_DIP, creating the rule set S_SIP-DIP under that node, and then performing step 3A3; if it exists, directly obtaining the rule set S_SIP-DIP under that node and performing step 3A3;
Step 3A3, searching S_SIP-DIP for the rule to be inserted; if it is not present, adding the rule to S_SIP-DIP, otherwise ending the whole flow.
Further, rule insertion in H_*-DIP specifically comprises:
Step 3B1, searching H_*-DIP by the destination IP of the rule to be inserted for a node corresponding to that destination IP; if it does not exist, adding the corresponding node to H_*-DIP, creating the rule set S_*-DIP under that node, and then performing step 3B2; otherwise directly obtaining the rule set S_*-DIP under that node and performing step 3B2;
Step 3B2, searching S_*-DIP for the rule to be inserted; if it is not present, adding the rule to S_*-DIP, otherwise ending the whole flow.
Further, T_SIP-TDIP is divided into a source IP tree T_SIP and a destination IP tree T_DIP, and rule insertion in T_SIP-TDIP specifically comprises:
Step 4A1, searching T_SIP by the source IP of the rule to be inserted for a node corresponding to that source IP; if it does not exist, adding the corresponding node to T_SIP, creating the rule set S_SIP under that node, and then performing step 4A2; otherwise directly obtaining the rule set S_SIP under that node and performing step 4A2;
Step 4A2, searching S_SIP for the rule to be inserted; if it is not present, adding the rule to S_SIP, otherwise ending the whole flow.
Further, T_SIP-TDIP is divided into a source IP tree T_SIP and a destination IP tree T_DIP, and rule insertion in T_SIP-TDIP specifically comprises:
Step 4B1, searching T_DIP by the destination IP of the rule to be inserted for a node corresponding to that destination IP; if it does not exist, adding the corresponding node to T_DIP, creating the rule set S_DIP under that node, and then performing step 4B2; otherwise directly obtaining the rule set S_DIP under that node and performing step 4B2;
Step 4B2, searching S_DIP for the rule to be inserted; if it is not present, adding the rule to S_DIP, otherwise ending the whole flow.
Further, in step 5, rule insertion in L_*-* specifically comprises: traversing all rules in L_*-* to check whether the rule to be inserted is already present; if it is, the rule insertion fails; if not, the rule to be inserted is added to L_*-*.
Further, when each rule of the full-prefix rule set is traversed as the tested rule in step 6, this comprises traversing the rules in H_SIP-DIP as tested rules and traversing the rules in H_*-DIP as tested rules.
Further, when a rule in H_SIP-DIP is traversed as the tested rule, step 6 specifically comprises:
Step 6A1, traversing all rules in the rule set S_SIP-DIP of the node where the tested rule is located, and finding the conflicting rules;
Step 6A2, looking up in the hash table H_*-DIP the node corresponding to the destination IP of the tested rule; if it exists, traversing the rule set of that node and finding the conflicting rules; otherwise performing step 6A3;
Step 6A3, finding the conflicting rules of the tested rule in the non-full-prefix rule set and the no-prefix rule set.
Further, in step 6A3, finding the conflicting rules of the tested rule in the non-full-prefix rule set specifically comprises:
Step A, performing longest prefix matching on the T_SIP tree with the source IP of the tested rule to find the node corresponding to that source IP, then taking the union of the rule sets on that node and all of its ancestor nodes;
Step B, performing longest prefix matching on the T_DIP tree with the destination IP of the tested rule to find the node corresponding to that destination IP, then taking the union of the rule sets on that node and all of its ancestor nodes;
Step C, taking the intersection of the two unions obtained in steps A and B, traversing the rules in that intersection and finding the conflicting rules.
Further, when a rule in H_*-DIP is traversed as the tested rule, step 6 specifically comprises:
Step 6B1, traversing all rules in the rule set S_*-DIP of the node where the tested rule is located, and finding the conflicting rules;
Step 6B2, finding the conflicting rules of the tested rule in the non-full-prefix rule set and the no-prefix rule set.
Further, in step 6B2, finding the conflicting rules of the tested rule in the non-full-prefix rule set specifically comprises: performing longest prefix matching on the T_DIP tree with the destination IP of the tested rule to find the node corresponding to that destination IP, taking the union of the rule sets on that node and all of its ancestor nodes, traversing the rules in that union and finding the conflicting rules.
Further, when a rule in T_SIP-TDIP is traversed as the tested rule, step 6 specifically comprises:
Step 6C1, taking the union of the rule sets on the node where the tested rule R is located in the T_SIP tree, all of its ancestor nodes and its subtree;
Step 6C2, performing longest prefix matching on the T_DIP tree with the destination IP of the tested rule to find the node corresponding to that destination IP, and taking the union of the rule sets on that node, all of its ancestor nodes and its subtree;
Step 6C3, taking the intersection of the two unions of steps 6C1 and 6C2;
Step 6C4, traversing the rules in the intersection obtained in step 6C3 and finding the conflicting rules;
Step 6C5, traversing all rules in L_*-* and finding all conflicting rules.
Further, when a rule in L_*-* is traversed as the tested rule, step 6 specifically comprises: using the sequential detection algorithm to traverse all rules in the no-prefix rule set and find all conflicting rules.
The technical scheme of the invention also comprises a rule conflict detection system for large-scale packet classification rule sets, comprising:
a rule reception service interface, used to create a remote configuration reception service and to receive and parse rules;
a rule preprocessing module, connected to the rule reception service interface, used to partition the parsed rules into full-prefix rules, non-full-prefix rules and no-prefix rules according to the prefix situation of the source IP and destination IP;
a full-prefix rule set processing module, connected to the rule preprocessing module, used to organize the full-prefix rule set in the two-layer source IP-destination IP hash table H_SIP-DIP or the destination IP hash table H_*-DIP, and to perform rule insertion, deletion or query in the corresponding H_SIP-DIP or H_*-DIP;
a non-full-prefix rule set processing module, connected to the rule preprocessing module, used to organize the non-full-prefix rule set in the two-dimensional source IP-destination IP Trie tree T_SIP-TDIP, and to perform rule insertion, deletion or query in T_SIP-TDIP;
a no-prefix rule set processing module, connected to the rule preprocessing module, used to organize the no-prefix rule set in the linked list L_*-*, and to perform rule insertion, deletion or query in L_*-*;
a conflict detection module, connected to the full-prefix rule set processing module, the non-full-prefix rule set processing module and the no-prefix rule set processing module, used to traverse each rule in H_SIP-DIP, H_*-DIP, T_SIP-TDIP and L_*-* as the tested rule and to detect all rules that conflict with the tested rule.
The beneficial effects of the invention are as follows. The invention discloses a rule conflict detection method and system for large-scale packet classification rule sets, whose positive effects are embodied in the following aspects: 1) conflict detection is fast. For full-prefix rules no complex data structure is needed; hash tables are used instead, turning complex conflict detection into one or two exact-match lookups and reducing time complexity. For non-full-prefix rules, Trie trees organize the rules so that conflicting rules lie on the same path and subtree, reducing the number of traversals and the time complexity. 2) Million-scale rule sets are supported. By partitioning rules according to their prefix situation, the full-prefix rules, which make up a large proportion of the rule set, no longer inflate the space of the Trie trees. 3) Real-time incremental updates are supported; all three data structures have incremental updates of linear time complexity. 4) Rules can be added while conflict detection is in progress.
Brief description of the drawings
Fig. 1 is a flow diagram of the rule conflict detection method of the invention;
Fig. 2 is a flow diagram of adding a rule to H_SIP-DIP in the embodiment of the invention;
Fig. 3 is a flow diagram of adding a rule to H_*-DIP in the embodiment of the invention;
Fig. 4 is a flow diagram of adding a rule to T_SIP-TDIP in the embodiment of the invention;
Fig. 5 is a flow chart of processing a rule in H_SIP-DIP as the tested rule in the embodiment of the invention;
Fig. 6 is a flow chart of processing a rule in H_*-DIP as the tested rule in the embodiment of the invention;
Fig. 7 is a flow chart of processing a rule in T_SIP as the tested rule in the embodiment of the invention;
Fig. 8 is a structural diagram of the rule conflict detection system of the invention.
Detailed description of the invention
The principles and features of the invention are described below with reference to the accompanying drawings; the examples serve only to explain the invention and are not intended to limit its scope.
Rules are partitioned into three kinds according to the prefix situation of their source IP component and destination IP component: full-prefix rules, non-full-prefix rules and no-prefix rules. When the prefix lengths of both the source IP and the destination IP of a parsed rule are 32, or one of the source IP and destination IP has prefix length 0 and the other has prefix length 32, the rule is classified as a full-prefix rule; when the prefix length of the source IP or the destination IP of a parsed rule lies between 1 and 31, the rule is classified as a non-full-prefix rule; when the prefix lengths of both the source IP and the destination IP of a parsed rule are 0, the rule is classified as a no-prefix rule. In this embodiment, full-prefix rules are stored in the two-layer source IP-destination IP hash table H_SIP-DIP and in the hash table H_*-DIP: if the prefix lengths of both the source IP and the destination IP of a full-prefix rule are 32, or the source IP prefix length is 32 and the destination IP prefix length is 0, the two-layer source IP-destination IP hash table H_SIP-DIP is used; if the source IP prefix length of a full-prefix rule is 0 and the destination IP prefix length is 32, the destination IP hash table H_*-DIP is used. Non-full-prefix rules are stored in the two-dimensional Trie tree T_SIP-TDIP, and no-prefix rules in the linked list L_*-*.
The data structures of the above four tables are described as follows:
(1) H_SIP-DIP is the two-layer source IP-destination IP hash table, divided into one source IP hash table H_SIP on the upper layer and multiple destination IP hash tables H_DIP located under the source IP hash table H_SIP. The source IP hash table H_SIP is keyed by source IP, and each of its nodes maintains one destination IP hash table H_DIP keyed by destination IP. Each node N_dip (of an H_DIP table) maintains a rule set S_SIP-DIP, in which a rule R has the form <sip, dip, SPORT, DPORT, PROTO>. According to prior research, the number of rules in a rule set with identical sip and dip is no greater than 20, so the set S_SIP-DIP is stored as a linked list.
(2) H_*-DIP is a hash table keyed by destination IP; each node N_dip in H_*-DIP maintains a rule set S_*-dip, stored as a linked list, in which a rule R has the form <*, dip, SPORT, DPORT, PROTO>. * is a wildcard meaning the source IP may take any value; the wildcards referred to below are all analogous.
(3) T_SIP-TDIP consists of two Trie trees: T_SIP is the Trie tree built from the rules' source IP addresses, and T_DIP is the Trie tree built from the rules' destination addresses. A node N_sip on the T_SIP tree maintains the set of rules whose source IP component equals sip; a node N_dip on the T_DIP tree maintains the set of rules whose destination IP component equals dip.
(4) L_*-* is a linked list in which a rule R has the form <*, *, SPORT, DPORT, PROTO>.
As shown in Fig. 1, this embodiment relates to a rule conflict detection method for large-scale packet classification rule sets, comprising:
Step 1, creating a remote configuration reception service, and receiving and parsing rules;
Step 2, partitioning the parsed rules into full-prefix rules, non-full-prefix rules and no-prefix rules according to the prefix situation of the source IP and destination IP;
Step 3, organizing the full-prefix rule set in the two-layer source IP-destination IP hash table H_SIP-DIP or the destination IP hash table H_*-DIP, and performing rule insertion, deletion or query in the corresponding H_SIP-DIP or H_*-DIP;
Step 4, organizing the non-full-prefix rule set in the two-dimensional source IP-destination IP Trie tree T_SIP-TDIP, and performing rule insertion, deletion or query in T_SIP-TDIP;
Step 5, organizing the no-prefix rule set in the linked list L_*-*, and performing rule insertion, deletion or query in L_*-*;
Step 6, traversing each rule in the full-prefix rule set, the non-full-prefix rule set and the no-prefix rule set as the tested rule, and detecting all rules that conflict with the tested rule.
It can be seen that the method mainly comprises two parts: inserting rules and detecting conflicting rules.
1. Inserting rules
How a rule is inserted is explained below taking a rule to be inserted R=<sip, dip, sport, dport, proto, op> as the example.
(1) As shown in Fig. 2, rule insertion in H_SIP-DIP specifically comprises:
Step 3A1, searching H_SIP by the source IP of the rule to be inserted for the node N_sip corresponding to that source IP; if N_sip does not exist, adding the corresponding node N_sip to H_SIP, creating the destination IP hash table H_DIP under node N_sip, and then performing step 3A2; if it exists, directly obtaining the destination IP hash table H_DIP under N_sip and performing step 3A2;
Step 3A2, searching H_DIP by the destination IP of the rule to be inserted for the node N_dip corresponding to that destination IP; if N_dip does not exist, adding the corresponding node N_dip to H_DIP, creating the rule set S_SIP-DIP under the node N_dip corresponding to the destination IP, and then performing step 3A3; if it exists, directly obtaining the rule set S_SIP-DIP under N_dip and performing step 3A3;
Step 3A3, traversing S_SIP-DIP and comparing the values of the remaining four-tuple <sport, dport, proto, op> to check whether rule R already exists; if it does not, adding the rule R to be inserted to S_SIP-DIP, otherwise ending the whole flow.
(2) As shown in Fig. 3, rule insertion in H_*-DIP specifically comprises:
Step 3B1, searching H_*-DIP by the destination IP of the rule to be inserted for the node N_dip corresponding to that destination IP; if N_dip does not exist, adding the corresponding node N_dip to H_*-DIP, creating the rule set S_*-DIP under node N_dip, and then performing step 3B2; otherwise directly obtaining the rule set S_*-DIP under node N_dip and performing step 3B2;
Step 3B2, traversing S_*-DIP and comparing the values of the remaining four-tuple <sport, dport, proto, op> to check whether rule R already exists; if it does not, adding the rule R to be inserted to S_*-DIP, otherwise ending the whole flow.
(3) As shown in Fig. 4, rule insertion in T_SIP-TDIP has two ways that are executed in parallel. The first way, as shown in steps 4A1 to 4A2, comprises:
Step 4A1, searching T_SIP by the source IP of the rule to be inserted for the node N_sip corresponding to that source IP; if N_sip does not exist, adding the corresponding node N_sip to T_SIP, creating the rule set S_SIP under this node N_sip, and then performing step 4A2; otherwise directly obtaining the rule set S_SIP under this node N_sip and performing step 4A2;
Step 4A2, searching S_SIP for the rule to be inserted; if it is not present, adding the rule to S_SIP, otherwise ending the whole flow.
The second way, as shown in steps 4B1 to 4B2, specifically comprises:
Step 4B1, searching T_DIP by the destination IP of the rule to be inserted for the node N_dip corresponding to that destination IP; if N_dip does not exist, adding the corresponding node N_dip to T_DIP, creating the rule set S_DIP under this node N_dip, and then performing step 4B2; otherwise directly obtaining the rule set S_DIP under this node N_dip and performing step 4B2;
Step 4B2, searching S_DIP for the rule to be inserted; if it is not present, adding the rule to S_DIP, otherwise ending the whole flow.
(4) Rule insertion in L_*-* specifically comprises: traversing all rules in L_*-* to check whether the rule to be inserted is already present; if it is, the rule insertion fails; if not, the rule to be inserted is added to L_*-*.
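The following added example (not code from the patent or its applicants) shows steps 2, 3 and 5 in Python: rules are parsed from a constructed text form, partitioned by the prefix lengths of sip and dip, and inserted into H_SIP-DIP, H_*-DIP or L_*-*, with the duplicate check of steps 3A3/3B2 performed on the remaining four-tuple <sport, dport, proto, op>. Non-full-prefix rules are only collected for the Trie trees of step 4, which are not modelled here. The text rule format, the RuleStore class and its lookup method (an exact-match query of the kind step 3 refers to) are assumptions of the example.

```python
"""Steps 2, 3 and 5: partition rules by prefix situation and insert full-prefix
and no-prefix rules into H_SIP-DIP, H_*-DIP and L_*-*.  Added example; the
rule text format, RuleStore and its lookup() are assumptions, and the sample
rule lines at the bottom are constructed."""
from ipaddress import ip_network

FULL, NON_FULL, NO_PREFIX = "full-prefix", "non-full-prefix", "no-prefix"


def parse_rule(line):
    """'sip/len dip/len sport dport proto op' -> rule dict.
    'any' stands for the wildcard * (prefix length 0)."""
    sip, dip, sport, dport, proto, op = line.split()

    def prefix(token):
        if token == "any":
            return ("*", 0)
        net = ip_network(token)          # raises on bad syntax or host bits set
        return (str(net.network_address), net.prefixlen)

    return {"sip": prefix(sip), "dip": prefix(dip),
            "rest": (sport, dport, proto, op)}   # the remaining four-tuple


def classify(rule):
    """Step 2: full prefix (32/32, 32/0, 0/32), no prefix (0/0), else non-full."""
    lens = (rule["sip"][1], rule["dip"][1])
    if lens in {(32, 32), (32, 0), (0, 32)}:
        return FULL
    if lens == (0, 0):
        return NO_PREFIX
    return NON_FULL                      # at least one length in 1..31


class RuleStore:
    def __init__(self):
        self.h_sip_dip = {}   # H_SIP-DIP: sip -> (H_DIP: dip -> S_SIP-DIP list)
        self.h_any_dip = {}   # H_*-DIP:   dip -> S_*-DIP list
        self.l_any_any = []   # L_*-*
        self.non_full = []    # handed to T_SIP-TDIP (step 4), not modelled here

    def add(self, rule):
        """Insert a rule; returns (structure name, inserted?).  A rule whose
        sip, dip and remaining four-tuple already exist is rejected."""
        kind = classify(rule)
        if kind == FULL and rule["sip"][1] == 32:           # steps 3A1-3A2
            bucket = (self.h_sip_dip.setdefault(rule["sip"], {})
                      .setdefault(rule["dip"], []))
            name = "H_SIP-DIP"
        elif kind == FULL:                                   # sip *, dip /32: 3B1
            bucket = self.h_any_dip.setdefault(rule["dip"], [])
            name = "H_*-DIP"
        elif kind == NO_PREFIX:                              # step 5
            bucket, name = self.l_any_any, "L_*-*"
        else:
            bucket, name = self.non_full, "T_SIP-TDIP"
        if any(r["rest"] == rule["rest"] and r["sip"] == rule["sip"]
               and r["dip"] == rule["dip"] for r in bucket):  # steps 3A3 / 3B2
            return (name, False)
        bucket.append(rule)
        return (name, True)

    def lookup(self, sip, dip):
        """Exact-match query: the full-prefix rules sharing sip and dip
        (S_SIP-DIP) plus those held in H_*-DIP for the same dip."""
        same = self.h_sip_dip.get(sip, {}).get(dip, [])
        return list(same) + list(self.h_any_dip.get(dip, []))


# Constructed sample rules; the second line duplicates the first.
SAMPLE_LINES = [
    "10.0.0.1/32 192.168.1.1/32 any 80 tcp permit",
    "10.0.0.1/32 192.168.1.1/32 any 80 tcp permit",
    "10.0.0.1/32 any any 443 tcp deny",
    "any 192.168.1.1/32 any 22 tcp permit",
    "10.0.0.0/8 192.168.1.0/24 any 80 tcp permit",
    "any any any 80 tcp deny",
]


def load(lines=SAMPLE_LINES):
    """Parse and insert every line; returns the store and per-line results."""
    store = RuleStore()
    results = [store.add(parse_rule(line)) for line in lines]
    return store, results


if __name__ == "__main__":
    store, results = load()
    for line, (name, inserted) in zip(SAMPLE_LINES, results):
        print(f"{name:>10} inserted={inserted!s:5} {line}")
    print(len(store.lookup(("10.0.0.1", 32), ("192.168.1.1", 32))),
          "exact-match rules for 10.0.0.1/32 -> 192.168.1.1/32")
```

The two hash layers are plain dictionaries keyed by the (address, length) tuples, so a rule with sip /32 and dip * lands in H_SIP-DIP under the key ("*", 0), exactly as the 32/0 case of step 3 requires, while the 0/32 case goes to H_*-DIP.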
2. Conflicting rule detection
The general principle of conflict detection is: for each tested rule R, a conflicting rule set Sc(R) is maintained; whenever a conflicting rule Rc is found, Rc is added to Sc(R) and R is added to Sc(Rc).
(1) As shown in Fig. 5, a rule in H_SIP-DIP is traversed as the tested rule R=<sip, dip, sport, dport, proto, op>.
1) Traverse all rules in the rule set S_SIP-DIP of the node where R is located, find the conflicting rules and add them to Sc(R).
2) With the dip of the tested rule, find the corresponding node N_dip in the H_*-DIP table; if N_dip exists, traverse the rule set of that node, find the conflicting rules and add them to Sc(R).
3) Find the conflicting rules of the tested rule in the non-full-prefix rule set: perform longest prefix matching on the T_SIP tree with sip to find the corresponding node N_sip', then take the union of the rule sets on N_sip' and all of its ancestor nodes to obtain Sc(Rsip); perform longest prefix matching on the T_DIP tree with dip to find the corresponding node N_dip', and take the union of the rule sets on N_dip' and all of its ancestor nodes to obtain Sc(Rdip); then take the intersection of Sc(Rsip) and Sc(Rdip) to obtain Sc(Rsip-dip), traverse the rules in Sc(Rsip-dip), find the conflicting rules and add them to Sc(R).
4) Traverse all rules in L_*-*, find all conflicting rules and add them to Sc(R).
(2) As shown in Fig. 6, a rule in H_*-DIP is traversed as the tested rule R=<*, dip, sport, dport, proto, op>.
1) Traverse all rules in the rule set S_*-DIP of the node where R is located, find the conflicting rules and add them to Sc(R).
2) Find the conflicting rules of the tested rule in the non-full-prefix rule set: perform longest prefix matching on the T_DIP tree with dip to find the corresponding node N_dip', take the union of the rule sets on N_dip' and all of its ancestor nodes to obtain Sc(Rdip), traverse the rules in Sc(Rdip), find the conflicting rules and add them to Sc(R).
3) Traverse all rules in L_*-*, find all conflicting rules and add them to Sc(R).
(3) As shown in Fig. 7, a rule in the T_SIP tree is traversed as the tested rule R=<sip, dip, sport, dport, proto, op>.
1) Let N_sip be the node where R is located on the T_SIP tree; take the union of the rule sets on N_sip, all of its ancestor nodes and its subtree to obtain Sc(Rsip). If sip is *, Sc(Rsip) is the complete set.
2) Perform longest prefix matching on the T_DIP tree with dip to find the corresponding node N_dip; take the union of the rule sets on N_dip, all of its ancestor nodes and its subtree to obtain Sc(Rdip). If dip is *, Sc(Rdip) is the complete set.
3) Take the intersection of Sc(Rsip) and Sc(Rdip) to obtain Sc(Rsip-dip).
4) Traverse the rules in Sc(Rsip-dip), find the conflicting rules and add them to Sc(R).
5) Traverse all rules in L_*-*, find all conflicting rules and add them to Sc(R).
(4) A rule in L_*-* is traversed as the tested rule R=<*, *, sport, dport, proto, op>: use the sequential detection algorithm to traverse all rules in the no-prefix rule set, find all conflicting rules and add them to Sc(R).
(5) For every rule R whose Sc(R) is not empty, write Sc(R) to the report file.
As shown in Figure 8, the present embodiment also provides a rule conflict detection system for large-scale packet classification rule sets, comprising:
a rule receiving service interface, for creating a remote configuration receiving service and for receiving and parsing rules;
a rule preprocessing module, connected to the rule receiving service interface, for dividing the parsed rules into full-prefix rules, non-full-prefix rules and no-prefix rules according to the prefix situation of the source IP and the destination IP;
a full-prefix rule set processing module, connected to the rule preprocessing module, for organizing the full-prefix rule set with the two-layer source IP-destination IP hash table H_SIP-DIP or the destination IP hash table H_*-DIP, and for performing rule insertion, deletion or query in H_SIP-DIP or H_*-DIP accordingly;
a non-full-prefix rule set processing module, connected to the rule preprocessing module, for organizing the non-full-prefix rule set with the two-dimensional source IP-destination IP trie T_SIP-T_DIP, and for performing rule insertion, deletion or query in T_SIP-T_DIP;
a no-prefix rule set processing module, connected to the rule preprocessing module, for organizing the no-prefix rule set with the linked list L_*-*, and for performing rule insertion, deletion or query in L_*-*;
a conflict detection module, connected to the full-prefix rule set processing module, the non-full-prefix rule set processing module and the no-prefix rule set processing module, for traversing each rule in H_SIP-DIP, H_*-DIP, T_SIP-T_DIP and L_*-* as the tested rule and detecting all rules that conflict with the tested rule.
The implementation and details of each module are the same as in the rule conflict detection method described above. The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included within its scope of protection.

Claims (10)

1. A rule conflict detection method for large-scale packet classification rule sets, characterized in that it comprises:
Step 1, creating a remote configuration receiving service, and receiving and parsing rules;
Step 2, dividing the parsed rules into full-prefix rules, non-full-prefix rules and no-prefix rules according to the prefix situation of the source IP and the destination IP;
Step 3, organizing the full-prefix rule set with the two-layer source IP-destination IP hash table H_SIP-DIP or the destination IP hash table H_*-DIP, and performing rule insertion, deletion or query in H_SIP-DIP or H_*-DIP accordingly;
Step 4, organizing the non-full-prefix rule set with the two-dimensional source IP-destination IP trie T_SIP-T_DIP, and performing rule insertion, deletion or query in T_SIP-T_DIP;
Step 5, organizing the no-prefix rule set with the linked list L_*-*, and performing rule insertion, deletion or query in L_*-*;
Step 6, traversing each rule in H_SIP-DIP, H_*-DIP, T_SIP-T_DIP and L_*-* as the tested rule, and detecting all rules that conflict with the tested rule.
2. The rule conflict detection method according to claim 1, characterized in that step 2 specifically comprises: when the prefix lengths of both the source IP and the destination IP of the parsed rule are 32, or when one of the source IP and the destination IP has prefix length 0 and the other has prefix length 32, classifying the rule as a full-prefix rule; when the prefix length of the source IP or the destination IP of the parsed rule is between 1 and 31, classifying the rule as a non-full-prefix rule; when the prefix lengths of both the source IP and the destination IP of the parsed rule are 0, classifying the rule as a no-prefix rule.
3. The rule conflict detection method according to claim 2, characterized in that step 3 specifically comprises: if the prefix lengths of both the source IP and the destination IP of the full-prefix rule are 32, or the source IP prefix length is 32 and the destination IP prefix length is 0, organizing the full-prefix rule set with the two-layer source IP-destination IP hash table H_SIP-DIP and performing rule insertion, deletion or query in H_SIP-DIP; if the source IP prefix length of the full-prefix rule is 0 and the destination IP prefix length is 32, organizing the full-prefix rule set with the destination IP hash table H_*-DIP and performing rule insertion, deletion or query in H_*-DIP.
4. The rule conflict detection method according to claim 1, characterized in that, when a rule in H_SIP-DIP is traversed as the tested rule, step 6 specifically comprises:
Step 6A1, traversing all rules in the rule set S_SIP-DIP of the node the tested rule belongs to, and finding the conflicting rules;
Step 6A2, looking up, with the destination IP of the tested rule, the node corresponding to that destination IP in the H_*-DIP hash table; if it exists, traversing the rule set of that node and finding the conflicting rules, otherwise executing step 6A3;
Step 6A3, finding the conflicting rules of the tested rule in the non-full-prefix rule set and in the no-prefix rule set.
5. The rule conflict detection method according to claim 4, characterized in that finding the conflicting rules of the tested rule in the non-full-prefix rule set in step 6A3 specifically comprises:
Step A, doing a longest-prefix match with the source IP of the tested rule on the T_SIP tree, finding the node corresponding to the source IP, and taking the union of the rule sets on this node and all of its ancestor nodes;
Step B, doing a longest-prefix match with the destination IP of the tested rule on the T_DIP tree, finding the node corresponding to the destination IP, and taking the union of the rule sets on this node and all of its ancestor nodes;
Step C, taking the intersection of the two unions obtained in step A and step B, traversing the rules in this intersection, and finding the conflicting rules.
6. The rule conflict detection method according to claim 1, characterized in that, when a rule in H_*-DIP is traversed as the tested rule, step 6 specifically comprises:
Step 6B1, traversing all rules in the rule set S_*-DIP of the node the tested rule belongs to, and finding the conflicting rules;
Step 6B2, finding the conflicting rules of the tested rule in the non-full-prefix rule set and in the no-prefix rule set.
7. The rule conflict detection method according to claim 6, characterized in that, in step 6B2, finding the conflicting rules of the tested rule in the non-full-prefix rule set specifically comprises: doing a longest-prefix match with the destination IP of the tested rule on the T_DIP tree, finding the node corresponding to the destination IP, taking the union of the rule sets on this node and all of its ancestor nodes, traversing the rules in this union, and finding the conflicting rules.
8. The rule conflict detection method according to claim 1, characterized in that, when a rule in T_SIP-T_DIP is traversed as the tested rule, step 6 specifically comprises:
Step 6C1, taking the union of the rule sets on the node of the tested rule R on the T_SIP tree, all of its ancestor nodes and its subtree;
Step 6C2, doing a longest-prefix match with the destination IP of the tested rule on the T_DIP tree, finding the node corresponding to the destination IP, and taking the union of the rule sets on this node, all of its ancestor nodes and its subtree;
Step 6C3, intersecting the two unions of step 6C1 and step 6C2;
Step 6C4, traversing the rules in the intersection obtained in step 6C3, and finding the conflicting rules;
Step 6C5, traversing all rules in L_*-*, and finding all conflicting rules.
9. The rule conflict detection method according to claim 1, characterized in that, when a rule in L_*-* is traversed as the tested rule, step 6 specifically comprises: using the sequential test algorithm to traverse all rules in the no-prefix rule set, and finding all conflicting rules.
10. A rule conflict detection system for large-scale packet classification rule sets, characterized in that it comprises:
a rule receiving service interface, for creating a remote configuration receiving service and for receiving and parsing rules;
a rule preprocessing module, connected to the rule receiving service interface, for dividing the parsed rules into full-prefix rules, non-full-prefix rules and no-prefix rules according to the prefix situation of the source IP and the destination IP;
a full-prefix rule set processing module, connected to the rule preprocessing module, for organizing the full-prefix rule set with the two-layer source IP-destination IP hash table H_SIP-DIP or the destination IP hash table H_*-DIP, and for performing rule insertion, deletion or query in H_SIP-DIP or H_*-DIP accordingly;
a non-full-prefix rule set processing module, connected to the rule preprocessing module, for organizing the non-full-prefix rule set with the two-dimensional source IP-destination IP trie T_SIP-T_DIP, and for performing rule insertion, deletion or query in T_SIP-T_DIP;
a no-prefix rule set processing module, connected to the rule preprocessing module, for organizing the no-prefix rule set with the linked list L_*-*, and for performing rule insertion, deletion or query in L_*-*;
a conflict detection module, connected to the full-prefix rule set processing module, the non-full-prefix rule set processing module and the no-prefix rule set processing module, for traversing each rule in H_SIP-DIP, H_*-DIP, T_SIP-T_DIP and L_*-* as the tested rule and detecting all rules that conflict with the tested rule.
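The detection procedure of the embodiment above (steps (1) through (5)) and of claims 1 through 9, carried through end to end as an added example; this is not the patent's own code. It assumes a rule is the 5-tuple plus an action field `op`, that two rules conflict when their match spaces intersect but their actions differ (the page does not spell out its conflict test, so this definition is an assumption), that port fields are inclusive ranges and `proto=None` means any protocol, and that a `*` (/0) address on either dimension yields the complete trie set, generalising what step (3) states for `sip` to the `dip` of full-prefix rules as well. The `H_SIP-DIP` table is modelled with its two layers (one keyed by `(sip, dip)`, one by `sip` alone) so that a `<sip,*>` rule can be found by `<sip,dip>` rules and vice versa. Rule ids and the sample rule set are constructed.

```python
"""Rule conflict detection for a packet-classification rule set split by source and
destination prefix length, following the embodiment and claims 1-9 above. Added
example, not the patent's code. Assumed: rules carry an action 'op'; two rules conflict
when their match spaces intersect but actions differ; '*' (/0) matches a whole structure."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")                     # the '*' address

class Rule:
    def __init__(self, rid, sip, dip, sport, dport, proto, op):   # proto None = any protocol
        self.id, self.proto, self.op, self.sport, self.dport = rid, proto, op, sport, dport
        self.sip, self.dip = ipaddress.ip_network(sip), ipaddress.ip_network(dip)

def category(r):
    # Claim 2: both /32, or one /32 and the other /0 -> full; both /0 -> none; else non-full
    lens = {r.sip.prefixlen, r.dip.prefixlen}
    return "full" if lens in ({32}, {0, 32}) else "none" if lens == {0} else "nonfull"

def conflicts(a, b):
    """Pairwise test on the whole tuple (assumed conflict definition); ports are (lo, hi)."""
    ports = lambda x, y: max(x[0], y[0]) <= min(x[1], y[1])
    return (a.op != b.op and a.sip.overlaps(b.sip) and a.dip.overlaps(b.dip)
            and (None in (a.proto, b.proto) or a.proto == b.proto)
            and ports(a.sport, b.sport) and ports(a.dport, b.dport))

def bits(net):                                               # prefix as a string of 0/1
    return format(int(net.network_address), "032b")[: net.prefixlen]

class PrefixTrie:
    """Binary trie; a node is (children, ids of rules whose prefix ends there)."""
    def __init__(self):
        self.root = ({}, set())
    def insert(self, net, rid):
        node = self.root
        for b in bits(net):
            node = node[0].setdefault(b, ({}, set()))
        node[1].add(rid)
    def collect(self, net, subtree):
        """LPM node + ancestors; with subtree=True also everything below it (6C1/6C2)."""
        node, found = self.root, set(self.root[1])
        for b in bits(net):
            node = node[0].get(b)
            if node is None:
                return found                                 # longest prefix match stops here
            found |= node[1]
        stack = [node] if subtree else []
        while stack:
            n = stack.pop()
            found |= n[1]
            stack.extend(n[0].values())
        return found

class ConflictDetector:
    def __init__(self, rules):
        self.rules = {r.id: r for r in rules}
        self.h_sip_dip, self.h_by_sip, self.h_dip = {}, {}, {}   # H_SIP-DIP (both layers), H_*-DIP
        self.t_sip, self.t_dip, self.t_ids, self.l_none = PrefixTrie(), PrefixTrie(), set(), set()  # T_SIP-T_DIP, L_*-*
        for r in rules:
            cat = category(r)
            if cat == "full" and r.sip.prefixlen == 32:
                self.h_sip_dip.setdefault((r.sip, r.dip), set()).add(r.id)
                self.h_by_sip.setdefault(r.sip, set()).add(r.id)
            elif cat == "full":
                self.h_dip.setdefault(r.dip, set()).add(r.id)
            elif cat == "nonfull":
                self.t_sip.insert(r.sip, r.id); self.t_dip.insert(r.dip, r.id); self.t_ids.add(r.id)
            else:
                self.l_none.add(r.id)
    def candidates(self, r):
        """Sc(R) before the pairwise test: every structure a conflicting rule can live in."""
        cat = category(r)
        if cat == "none":                                        # sequential test over everything
            return set(self.rules) - {r.id}
        cand = set(self.l_none)                                  # L_*-* is always scanned
        if cat == "full" and r.dip.prefixlen == 32:              # <sip,dip> or <*,dip>: own node,
            cand |= self.h_sip_dip.get((r.sip, r.dip), set()) | self.h_sip_dip.get((r.sip, ANY), set())
            cand |= self.h_dip.get(r.dip, set())                 # <sip,*> rules, H_*-DIP node for dip
        elif cat == "full":                                      # <sip,*>: all dips under sip, all H_*-DIP
            cand |= self.h_by_sip.get(r.sip, set())
            cand.update(*self.h_dip.values())
        # trie rules use node + ancestors + subtree (exact); others use the LPM path;
        # '*' on a dimension yields the complete trie set, as step (3) states for sip
        s = set(self.t_ids) if r.sip == ANY else self.t_sip.collect(r.sip, cat == "nonfull")
        d = set(self.t_ids) if r.dip == ANY else self.t_dip.collect(r.dip, cat == "nonfull")
        return (cand | (s & d)) - {r.id}
    def report(self):
        """Rule id -> sorted ids of conflicting rules, symmetrised over all tested rules."""
        out = {rid: set() for rid in self.rules}
        for r in self.rules.values():
            for cid in self.candidates(r):
                if conflicts(r, self.rules[cid]):
                    out[r.id].add(cid); out[cid].add(r.id)
        return {rid: sorted(ids) for rid, ids in out.items() if ids}

RULES = [  # constructed sample rule set: (id, sip, dip, sport, dport, proto, op)
    Rule("r1", "10.0.0.5/32", "192.168.1.7/32", (0, 65535), (80, 80), 6, "deny"),      # H_SIP-DIP
    Rule("r2", "0.0.0.0/0", "192.168.1.7/32", (0, 65535), (0, 65535), None, "allow"),  # H_*-DIP
    Rule("r3", "10.0.0.0/24", "192.168.0.0/16", (0, 65535), (80, 443), 6, "allow"),    # T_SIP-T_DIP
    Rule("r4", "10.0.0.0/16", "192.168.1.0/24", (1024, 65535), (22, 22), 6, "deny"),   # T_SIP-T_DIP
    Rule("r5", "0.0.0.0/0", "0.0.0.0/0", (0, 65535), (53, 53), 17, "allow"),           # L_*-*
    Rule("r6", "10.0.0.5/32", "0.0.0.0/0", (0, 65535), (0, 65535), None, "deny"),      # H_SIP-DIP, dip=*
]

def detect(rules=RULES):
    return ConflictDetector(rules).report()
```

`candidates()` is the part worth studying: for the full-prefix rule r1 it returns only the rules reachable through the `H_SIP-DIP` node, the `H_*-DIP` node for its `dip`, the longest-prefix paths of both tries and `L_*-*`, so the pairwise `conflicts()` test never runs against unrelated prefixes; `report()` then records each conflicting pair from both sides, which is why a `<*,dip>` rule does not need to scan `H_SIP-DIP` itself.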
CN201310455753.7A 2013-09-29 2013-09-29 A kind of rule conflict detection method and system towards extensive bag classifying rules collection Active CN103516550B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310455753.7A CN103516550B (en) 2013-09-29 2013-09-29 A kind of rule conflict detection method and system towards extensive bag classifying rules collection

Publications (2)

Publication Number Publication Date
CN103516550A CN103516550A (en) 2014-01-15
CN103516550B true CN103516550B (en) 2016-05-11

Family

ID=49898627

Country Status (1)

Country Link
CN (1) CN103516550B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104104615B (en) * 2014-07-21 2017-07-07 华为技术有限公司 policy conflict resolution method and device
CN107196871B (en) * 2017-04-14 2020-04-28 同济大学 Stream rule conflict detection method and system based on alias protocol tree
CN107888494B (en) * 2017-11-29 2020-06-26 湖南大学 Community discovery-based packet classification method and system
CN110505187B (en) * 2018-05-18 2022-06-21 深信服科技股份有限公司 Security rule management method, system, server and storage medium in hybrid cloud
CN111641729B (en) * 2019-05-23 2021-03-30 北京航空航天大学 Inter-domain path identification prefix conflict detection and decomposition method based on prefix tree
CN110474929B (en) * 2019-09-27 2021-06-22 新华三信息安全技术有限公司 Redundancy rule detection method and device
CN111131015B (en) * 2019-12-27 2021-09-03 芯启源(南京)半导体科技有限公司 Method for dynamically updating route based on PC-Trie
CN111181974A (en) * 2019-12-31 2020-05-19 国家计算机网络与信息安全管理中心 Device and method for realizing flow preprocessing based on network processor
CN113127861A (en) * 2019-12-31 2021-07-16 深信服科技股份有限公司 Rule hit detection method and device, electronic equipment and readable storage medium
CN111291058B (en) * 2020-03-17 2023-06-16 芯启源(南京)半导体科技有限公司 LPM rule storage method based on layered pc-trie structure

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2415340A (en) * 2004-06-15 2005-12-21 Sun Microsystems Inc Resolving conflicts between rule sets for which priority is expressed by ordered precedence and longest prefix
CN101232444A (en) * 2008-01-22 2008-07-30 杭州华三通信技术有限公司 Apparatus and method for solving hash collision and exchange equipment with the same
CN102945249A (en) * 2012-10-10 2013-02-27 北京邮电大学 Policy rule matching query tree generating method, matching method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant