CN104113516A - Method and terminal for recognizing rule conflicts of firewalls - Google Patents


Info

Publication number: CN104113516A
Authority: CN (China)
Prior art keywords: rule, conflict, current, collection, regular
Legal status: Pending
Application number: CN201310138626.4A
Other languages: Chinese (zh)
Inventors: 王毅, 韩宗祥
Current assignee: China Mobile Group Design Institute Co Ltd
Original assignee: China Mobile Group Design Institute Co Ltd

Abstract

The embodiment of the invention provides a method and terminal for recognizing rule conflicts in firewalls. The method comprises the following steps: a plurality of packet sets is defined for each rule in the firewall, each packet set holding the packets that stand in a particular relation to the rule; the types of rule conflict that can occur between rules are defined; a directed acyclic rule decision tree is built for the current rule, and the type of conflict between the current rule and the other rules is recognized from that tree; and the conflict source is traced back according to the conflict type, so that the conflicting rule that causes the conflict, and the packets defined in that rule that cause it, can be found. Because a plurality of packet sets is defined for each rule, the conflict types are classified, one directed acyclic rule decision tree is built per rule, and conflict types are recognized from the relations among the packet sets of each rule, conflicts among more than two rules can be recognized.

Description

A method and terminal for identifying firewall rule conflicts
Technical field
The present invention relates to firewall technology, and in particular to a method and terminal for identifying rule conflicts in a firewall.
Background
A firewall rule has a structure similar to an access control list (ACL) entry and consists of three parts: a sequence number, a decision space and an action. The decision space can be made up of any fields of the IP, TCP, UDP or ICMP headers; in practice it usually comprises the protocol, source IP address, source port number, destination IP address and destination port number. The action is what the firewall should do with a packet that matches the rule. Firewalls match rules sequentially: when a packet arrives, the firewall compares it with the rules one by one starting from the first rule. If the packet matches, the action defined by the rule is taken (Deny discards the packet, Accept admits it); otherwise the packet is checked against the second rule, and so on until the last rule. The last rule is called the default rule and normally discards all packets.
The mature firewall rule conflict detection algorithm in current use is the state-transition-diagram based algorithm proposed by Ehab S. Al-Shaer and Hazem H. Hamed. It defines an initial state, start; the final states shadowed, redundant, general, correlated and none; and intermediate states such as redundant?, shadow and generalize, fifteen states in all. For any two rules r_x and r_y it compares, in turn, the protocol (protocol), source IP address plus source port number (src), destination IP address plus destination port number (dst) and action (action), walks the transition diagram according to each result, and finally decides whether r_x and r_y conflict.
This algorithm classifies conflicts between any two rules into four types: shadowing, correlation, generalization and redundancy.
Shadowing (Shadowed): the packets defined by the decision space of rule r_y are completely covered by a rule r_x placed before it. Under sequential matching r_y never matches any packet, so r_y is ineffective.
Correlation (Correlated): the packets defined by the decision space of rule r_y are partly covered by a preceding rule r_x, and r_x and r_y define different actions. Swapping the positions of r_x and r_y would make the firewall take a different action on the packets matched by both rules, changing the firewall policy.
Generalization (General): the packets defined by the decision space of rule r_x are completely covered by a later rule r_y, and r_x and r_y define different actions. Swapping the positions of r_x and r_y would leave r_x matching no packets and make the firewall take a different action on the packets r_x defines, changing the firewall policy.
Redundancy (Redundant): the packets defined by the decision space of rule r_x are completely covered by a later rule r_y, and r_x and r_y define the same action. A redundancy conflict does not change the firewall policy, but the extra rule increases the firewall's matching time and lowers its efficiency.
The state-transition-diagram based algorithm is simple and easy to implement, but it has the following problems. First, its conflict classification and detection only apply between any two rules and cannot be extended to classification and detection of conflicts among more than two rules. Second, although the algorithm reports the number of the rule that causes a conflict, it cannot give more detailed information about the conflict source. For example, when it detects that rule r_y is shadowed by rule r_x, it reports that r_x is the conflicting rule, but not which part of the packets defined by r_x causes the shadowing, and this is exactly the information that firewall management most urgently needs.
Summary of the invention
The technical problem solved by the present invention is to provide a method and terminal for identifying firewall rule conflicts, overcoming the defects of existing conflict classification and detection algorithms, which only apply between any two rules and cannot provide more detailed conflict-source information.
To solve this problem, embodiments of the invention provide a method for identifying firewall rule conflicts, comprising: defining, for each rule in the firewall, a plurality of packet sets, each packet set holding the packets that stand in a particular relation to the rule; defining the types of rule conflict that can occur between rules; building a directed acyclic rule decision tree for the current rule and identifying, based on that tree, the type of conflict between the current rule and the remaining rules; and tracing back the conflict source according to the conflict type, so as to find the conflicting rule that causes the conflict and the packet set defined in that rule that causes the rule conflict.
In the method, defining a plurality of packet sets for each rule specifically comprises the following. For a firewall with d decision fields F_1, …, F_d comprising n rules r_1, r_2, …, r_n, four packet sets are defined for a rule r_i: the matching set R_i, the set of packets defined by r_i; the evaluating set E_i, the set of packets that r_i is the first rule to match under sequential matching, which satisfies E_i ⊆ R_i; the masking set M_i, the set of packets matched by rules placed before r_i, which satisfies M_i = M_{i-1} ∪ E_{i-1}; and the same set S_i, the set of packets matched by rules placed after r_i that have the same action as r_i.
In the method, defining the types of rule conflict that occur between rules specifically comprises: full masking, where every packet defined by the current rule matches a rule placed before it, so the current rule is completely masked by the preceding rules and is ineffective; partial masking, where part of the packets defined by the current rule match rules placed before it, so the current rule is partly masked by the preceding rules; full masking and partial masking are together called masking conflicts; and redundancy, where the current rule is not completely masked by the preceding rules, every packet in its evaluating set matches a rule placed after it, and that later rule has the same action as the current rule.
In the method, obtaining the evaluating set and masking set of the current rule from its rule decision tree specifically comprises: when the current rule is r_i and the rule decision tree of the previous rule r_{i-1} is t_{i-1}, taking the first decision field of r_i and the root node of t_{i-1} as input for building the rule decision tree t_i of r_i, and counting the paths corresponding to the newly added edges into the evaluating set E_i of r_i, thereby computing E_i; the root node is the first decision field of the first rule. The masking set of r_i is obtained from M_i = M_{i-1} ∪ E_{i-1}.
In the method, for a firewall with d decision fields F_1, …, F_d, the rule decision tree t satisfies: Feature 1, t has exactly one root node, which has no incoming edge, and nodes with no outgoing edge are called leaf nodes; Feature 2, every node v in t has a label F(v), where F(v) ∈ {F_1, …, F_d} if v is not a leaf, and F(v) is either accept packet or discard packet if v is a leaf; Feature 3, every edge e leaving a node u has a label I(e), which is a non-empty subset of the domain of the label of u; Feature 4, each path in t from the root node to a leaf node forms a rule; Feature 5, the set E(v) of outgoing edges of any node v in t satisfies I(e) ∩ I(e') = ∅ for any two distinct edges e and e' in E(v).
In the method, identifying the type of conflict between the current rule and the remaining rules based on its rule decision tree comprises: step 1, obtaining the evaluating set and masking set of the current rule from its rule decision tree; step 2, if the evaluating set of the current rule is empty, the current rule is fully masked, go to step 5; step 3, if the evaluating set of the current rule equals its matching set, there is no rule conflict between the current rule and the remaining rules, go to step 5; step 4, identifying partial masking conflicts and identifying redundancy conflicts; step 5, exiting conflict identification for the current rule.
In the method, identifying a partial masking conflict means: if the current rule r_i satisfies E_i ≠ ∅ and E_i ≠ R_i, a partial masking conflict between the current rule and the remaining rules is found. Identifying a redundancy conflict means: constructing the same set S_i of the current rule r_i, and if E_i ⊆ S_i, a redundancy conflict between the current rule and the remaining rules is found.
In the method, constructing the same set S_i of the current rule r_i specifically comprises: initializing the same set of the current rule to the empty set; starting from the rule after the current rule and proceeding in turn to the last rule, building the rule decision tree of each subsequent rule and obtaining its evaluating set; and merging the evaluating sets of the subsequent rules whose action is the same as that of the current rule into S_i.
In the method, tracing back the conflict source according to the conflict type, to find the conflicting rule that causes the conflict and the packet set defined in it that causes the rule conflict, specifically comprises: if the current rule r_i has a masking conflict, the conflict source is R_i ∩ M_i; if the current rule r_i has a redundancy conflict, the conflict source is E_i ∩ S_i.
A terminal for identifying firewall rule conflicts comprises: a packet set definition unit, which defines for each rule in the firewall a plurality of packet sets, each holding the packets that stand in a particular relation to the rule; a conflict definition unit, which defines the types of rule conflict that can occur between rules; a rule decision tree unit, which builds a directed acyclic rule decision tree for the current rule and identifies, based on it, the type of conflict between the current rule and the remaining rules; and a conflict source tracing unit, which traces back the conflict source according to the conflict type to find the conflicting rule that causes the conflict and the packet set defined in it that causes the rule conflict.
The beneficial effects of the above technical scheme are as follows. Because a plurality of packet sets is defined for each rule in the firewall, the conflict types are classified, a separate directed acyclic rule decision tree is built for each rule, and conflict types are identified from the relations among the packet sets of each rule, conflicts among more than two rules can be identified. Conflict sources are traced back through the intersections between the different packet sets, which finds the conflicting rule that causes the conflict and the packet set defined in it that causes the conflict, so more detailed conflict-source information is provided.
Brief description of the drawings
Fig. 1 is a flow diagram of a method for identifying firewall rule conflicts;
Fig. 2 is a flow diagram of conflict identification.
Detailed description
To make the technical problem solved by the present invention, its technical scheme and its advantages clearer, a detailed description is given below with reference to the drawings and specific embodiments.
The present invention improves on the formal definition of the firewall, the classification of conflict types, conflict identification and firewall conflict source tracing.
An embodiment of the present invention provides a method for identifying firewall rule conflicts which, as shown in Fig. 1, comprises:
Step 101: define, for each rule in the firewall, a plurality of packet sets, each packet set holding the packets that stand in a particular relation to the rule;
Step 102: define the types of rule conflict that can occur between rules;
Step 103: build a directed acyclic rule decision tree for the current rule and, based on that tree, identify the type of conflict between the current rule and the remaining rules;
Step 104: trace back the conflict source according to the conflict type to find the conflicting rule that causes the conflict and the packet set defined in it that causes the rule conflict.
With this technique, because a plurality of packet sets is defined for each rule in the firewall, the conflict types are classified, a separate directed acyclic rule decision tree is built for each rule, and conflict types are identified from the relations among the packet sets of each rule, conflicts among more than two rules can be identified. Conflict sources are traced back through the intersections between the different packet sets, which finds the conflicting rule that causes the conflict and the packet set defined in it that causes the conflict, so more detailed conflict-source information is provided.
Regarding the formal definition of the firewall: so that the technique applies to firewalls of various kinds, the firewall f is defined with a different formal method.
In a preferred embodiment, a firewall with d decision fields F_1, …, F_d comprises n rules r_1, r_2, …, r_n, and four packet sets are defined for a rule r_i:
the matching set (Matching Set) R_i, the set of packets defined by rule r_i;
the evaluating set (Evaluating Set) E_i, the set of packets that rule r_i is the first to match under sequential matching, which satisfies E_i ⊆ R_i;
the masking set (Masking Set) M_i, the set of packets matched by the rules placed before r_i, which satisfies M_i = M_{i-1} ∪ E_{i-1};
the same set (Same Set) S_i, the set of packets matched by the rules placed after r_i that have the same action as r_i.
In one application scenario, a packet P with d decision fields F_1, …, F_d can be defined as a d-dimensional tuple (p_1, …, p_d) with p_j ∈ D(F_j), where D(F_j) is the domain of the decision field F_j, a non-negative integer interval or a packet set.
A firewall f with d decision fields F_1, …, F_d comprising n rules r_1, r_2, …, r_n is written f = <r_1, r_2, …, r_n>. A rule r_i (1 ≤ i ≤ n) is defined as (F_1 ∈ S_1) ∧ … ∧ (F_d ∈ S_d) → <action>, where each S_j (1 ≤ j ≤ d) is a non-empty subset of D(F_j) and action is the action defined by the rule, such as deny or accept.
For rule r_i the following four packet sets are defined:
the matching set (Matching Set) R_i, the set of packets defined by rule r_i;
the evaluating set (Evaluating Set) E_i, the set of packets that rule r_i matches under sequential matching, with E_i ⊆ R_i;
the masking set (Masking Set) M_i, the set of packets matched by the rules placed before r_i, with M_i = M_{i-1} ∪ E_{i-1};
the same set (Same Set) S_i, the set of packets matched by the rules placed after r_i that have the same action as r_i.
Regarding the classification of conflict types, firewall conflicts are classified and the different conflict types are defined. In a preferred embodiment, defining the types of rule conflict that occur between rules specifically comprises:
full masking, where every packet defined by the current rule matches a rule placed before it, so the current rule is completely masked by the preceding rules and is ineffective;
partial masking, where part of the packets defined by the current rule match rules placed before it, so the current rule is partly masked by the preceding rules;
full masking and partial masking are together called masking conflicts;
redundancy, where the current rule is not completely masked by the preceding rules, every packet in its evaluating set matches a rule placed after it, and that later rule has the same action as the current rule.
The current rule can be any rule; for example, the current rule is specifically the i-th rule r_i.
The conflict classification provided by the embodiment applies not only between any two rules but can also be extended to any number of rules.
In one application scenario, full masking (Fully Masked) means that every packet defined by the current rule matches a rule placed before it, so the current rule is completely masked by the rules before it and is ineffective. That is, the evaluating set of the current rule is the empty set; formally, rule r_i is fully masked if E_i = ∅.
Partial masking (Partially Masked) means that part (not all) of the packets defined by the current rule r_i match rules placed before it, so the current rule is partly masked by the rules before it, and its evaluating set is a non-empty proper subset of its matching set R_i; formally, the current rule r_i is partially masked if E_i ≠ ∅ and E_i ≠ R_i.
Full masking and partial masking are together called masking conflicts.
Redundancy (Redundant) means that the current rule r_i is not completely masked by the rules before it, every packet in its evaluating set matches a subsequent rule placed after the current rule, and those rules have the same action as r_i; formally, every packet of E_i lies in S_i, that is E_i ⊆ S_i, which shows that the current rule r_i is redundant.
Regarding firewall conflict identification, the conflict detection algorithm has two parts: a conflict identification algorithm and a conflict source tracing algorithm.
The conflict identification algorithm is based on a rule decision tree (RDT, Rule Decision Tree) and differs slightly between masking conflict identification and redundancy conflict identification. The rule decision tree is defined as follows.
In a preferred embodiment, obtaining the evaluating set and masking set of the current rule from its rule decision tree specifically comprises:
when the current rule is r_i, the rule decision tree of the previous rule r_{i-1} is t_{i-1};
the first decision field of the current rule r_i and the root node of t_{i-1} are taken as input for building the rule decision tree t_i of r_i, and the paths corresponding to the newly added edges are counted into the evaluating set E_i of r_i, thereby computing E_i; the root node is the first decision field of the first rule;
the masking set of the current rule r_i is obtained from M_i = M_{i-1} ∪ E_{i-1}.
Every rule in the firewall has its own directed acyclic rule decision tree. One tree is built per rule, and the decision tree of the current rule is derived from the rule decision tree of the previous rule.
In a preferred embodiment, for a firewall with d decision fields F_1, …, F_d, the rule decision tree t satisfies:
Feature 1, t has exactly one root node, which has no incoming edge, and nodes with no outgoing edge are called leaf nodes;
Feature 2, every node v in t has a label F(v); if v is not a leaf node, F(v) ∈ {F_1, …, F_d}, and if v is a leaf node, F(v) is either accept packet or discard packet;
Feature 3, every edge e leaving a node u in t has a label I(e), which is a non-empty subset of the domain of the label of u;
Feature 4, each path in t from the root node to a leaf node forms a rule;
Feature 5, the set E(v) of outgoing edges of any node v in t satisfies I(e) ∩ I(e') = ∅ for any two distinct edges e and e' in E(v).
Here, if node v is not a leaf node, F(v) ∈ {F_1, …, F_d}; if node v is a leaf node, F(v) is either accept packet or discard packet.
If the rule decision tree of rule i-1 is t_{i-1}, the rule decision tree t_i of rule i is formed by taking the first decision field of rule i and the root node of t_{i-1} as input; during construction, the paths corresponding to the newly added edges are counted into the evaluating set E_i of rule i, which computes the rule's evaluating set.
The root node is the first decision field of the first rule, and by Feature 4 of the decision tree each path is a rule.
The rule decision tree construction and the evaluating set computation follow the algorithm below.
The decision-tree based conflict identification algorithm can identify the different conflict types. In the conflict identification flow for a current rule,
in a preferred embodiment, the evaluating set and masking set of each rule are obtained from its rule decision tree.
In one application scenario, taking the current rule as an example, the first decision field of the current rule and the root node (the first decision field of the first rule) are taken as input to build the rule decision tree of the current rule and to compute its evaluating set E_i; the evaluating set of the current rule is thus obtained from the rule decision tree, and the masking set of the current rule is obtained from M_i = M_{i-1} ∪ E_{i-1}.
After the evaluating set and masking set of each rule have been established, in a preferred embodiment identifying the type of conflict between the current rule and the remaining rules based on its rule decision tree comprises:
Step 1, obtain the evaluating set and masking set of the current rule from its rule decision tree;
Step 2, if the evaluating set of the current rule is empty, the current rule is fully masked; go to step 5;
Step 3, if the evaluating set of the current rule equals its matching set, there is no rule conflict between the current rule and the remaining rules; go to step 5;
Step 4, identify partial masking conflicts and identify redundancy conflicts;
Step 5, exit conflict identification for the current rule.
In one application scenario, identifying the type of conflict between the current rule and the remaining rules based on its rule decision tree comprises, as shown in Fig. 2:
Step 201, start conflict type identification.
Step 202, obtain the evaluating set and masking set of the current rule from its rule decision tree.
Step 203, check whether the evaluating set of the current rule is empty; if it is, go to step 204, otherwise go to step 205.
Step 204, the evaluating set of the current rule is empty, so the current rule is fully masked; go to step 209.
Step 205, check whether the evaluating set equals the matching set; if it does, go to step 206, otherwise go to step 207.
Step 206, there is no rule conflict between the current rule and the remaining rules; go to step 209.
Step 207, identify partial masking conflicts. There is no fixed order in time between steps 207 and 208, so if step 208 finishes before step 207, go to step 209 after step 207 completes.
Step 208, identify redundancy conflicts.
Step 209, exit conflict identification for the current rule and finish.
The decision-tree based conflict identification algorithm differs slightly between masking conflict identification and redundancy conflict identification.
In a preferred embodiment, identifying a partial masking conflict means: if the current rule r_i satisfies E_i ≠ ∅ and E_i ≠ R_i, a partial masking conflict between the current rule and the remaining rules is found.
Identifying a redundancy conflict means: construct the same set S_i of the current rule r_i, and if E_i ⊆ S_i, a redundancy conflict between the current rule and the remaining rules is found.
In a preferred embodiment, constructing the same set S_i of the current rule r_i specifically comprises:
initializing the same set of the current rule to the empty set;
starting from the rule after the current rule and proceeding in turn to the last rule, building the rule decision tree of each subsequent rule and obtaining its evaluating set;
merging the evaluating sets of the subsequent rules whose action is the same as that of the current rule into the same set S_i of the current rule.
Regarding firewall conflict source tracing, in a preferred embodiment tracing back the conflict source according to the conflict type, to find the conflicting rule that causes the conflict and the packet set defined in it that causes the rule conflict, specifically comprises:
if the current rule r_i has a masking conflict, the conflict source is R_i ∩ M_i;
if the current rule r_i has a redundancy conflict, the conflict source is E_i ∩ S_i.
For each conflict type the conflict source is thus found, giving the number of the rule that causes the conflict and which part of the packet set defined by that rule causes it.
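As an added example (not the patent's own code), the following Python computes the four packet sets and runs the conflict identification flow and source tracing described above over a constructed rule set. It assumes small integer domains for the decision fields and enumerates the packet space in place of the rule decision tree, and it assumes that the same set S_i is built from the evaluating sets of the later rules computed with r_i removed, since otherwise E_i and S_i could never intersect.

```python
"""Firewall rule-conflict classification over an enumerated packet space.

Added example, not the patent's code. Each rule has d decision fields, each an
inclusive integer range; the packet universe is enumerated so the matching set
R_i, evaluating set E_i, masking set M_i and same set S_i are plain frozensets.
The patent obtains E_i from a rule decision tree; enumeration stands in for
that step here, while the set relations and the classification are unchanged.
"""
from itertools import product
from typing import FrozenSet, List, Sequence, Tuple

Range = Tuple[int, int]                   # inclusive (lo, hi)
Rule = Tuple[Tuple[Range, ...], str]      # (one range per decision field, action)
Packet = Tuple[int, ...]

# Constructed domains D(F_j): F_1 = protocol id, F_2 = source id, F_3 = destination id
DOMAINS: Tuple[Range, ...] = ((0, 1), (0, 3), (0, 3))


def matching_set(rule: Rule) -> FrozenSet[Packet]:
    """R_i: every packet whose field values all lie inside the rule's ranges."""
    return frozenset(product(*(range(lo, hi + 1) for lo, hi in rule[0])))


def evaluating_sets(rules: Sequence[Rule]) -> List[FrozenSet[Packet]]:
    """E_i under sequential first-match: R_i minus every packet matched earlier."""
    seen: FrozenSet[Packet] = frozenset()
    result: List[FrozenSet[Packet]] = []
    for rule in rules:
        r = matching_set(rule)
        result.append(r - seen)
        seen = seen | r
    return result


def same_set(rules: Sequence[Rule], i: int) -> FrozenSet[Packet]:
    """S_i: packets that later rules with r_i's action would first-match.

    Assumption: the later rules' evaluating sets are computed with r_i removed
    (otherwise they are disjoint from E_i and E_i ∩ S_i would always be empty).
    """
    without_i = list(rules[:i]) + list(rules[i + 1:])
    later = evaluating_sets(without_i)[i:]        # evaluating sets of r_{i+1} .. r_n
    action = rules[i][1]
    return frozenset().union(*(e for e, r in zip(later, rules[i + 1:]) if r[1] == action))


def classify(rules: Sequence[Rule]) -> List[dict]:
    """Per-rule flow of the page: E_i empty -> fully masked; E_i == R_i -> no
    conflict; otherwise test partial masking (source R_i ∩ M_i) and, because
    the flow only reaches step 4 for such rules, redundancy (source E_i ∩ S_i)."""
    E = evaluating_sets(rules)
    M: FrozenSet[Packet] = frozenset()            # M_1 = ∅, M_i = M_{i-1} ∪ E_{i-1}
    report: List[dict] = []
    for i, rule in enumerate(rules):
        R = matching_set(rule)
        entry = {"rule": i + 1, "conflicts": [], "sources": {}}
        if not E[i]:
            entry["conflicts"].append("fully masked")
            entry["sources"]["masked"] = R & M
        elif E[i] != R:
            entry["conflicts"].append("partially masked")
            entry["sources"]["masked"] = R & M
            S = same_set(rules, i)
            if E[i] <= S:
                entry["conflicts"].append("redundant")
                entry["sources"]["redundant"] = E[i] & S
        report.append(entry)
        M = M | E[i]
    return report


# Constructed rule set over DOMAINS; r5 is the default rule.
RULES: List[Rule] = [
    (((0, 0), (0, 1), (0, 3)), "accept"),   # r1
    (((0, 0), (0, 0), (0, 0)), "deny"),     # r2: lies inside r1, fully masked
    (((0, 0), (0, 3), (0, 1)), "deny"),     # r3: overlaps r1, partly masked
    (((0, 0), (2, 3), (0, 3)), "deny"),     # r4: overlaps r3
    (DOMAINS, "deny"),                      # r5: default, matches everything left
]

if __name__ == "__main__":
    for entry in classify(RULES):
        counts = {k: len(v) for k, v in entry["sources"].items()}
        print(f"r{entry['rule']}: {entry['conflicts'] or ['none']} sources={counts}")
```

For r3 the report lists both a partial masking conflict (the four packets it shares with r1) and a redundancy conflict (its evaluating set is entirely caught by r4 and the default rule once r3 is removed), which is the multi-rule situation the two-rule state diagram cannot express.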
An embodiment of the present invention provides a terminal for identifying firewall rule conflicts, comprising:
a packet set definition unit, which defines for each rule in the firewall a plurality of packet sets, each packet set holding the packets that stand in a particular relation to the rule;
a conflict definition unit, which defines the types of rule conflict that can occur between rules;
a rule decision tree unit, which builds a directed acyclic rule decision tree for the current rule and identifies, based on that tree, the type of conflict between the current rule and the remaining rules;
a conflict source tracing unit, which traces back the conflict source according to the conflict type to find the conflicting rule that causes the conflict and the packet set defined in it that causes the rule conflict.
The advantages of adopting this scheme are: complete identification of the conflicts between firewall rules, not limited to two rules but extensible to many rules; details of the source of each rule conflict, which makes eliminating rule conflicts easier; and a simple, reliable decision process.
The above are the preferred embodiments of the present invention. It should be pointed out that those skilled in the art can make improvements and modifications without departing from the principles of the invention, and such improvements and modifications should also be regarded as within the scope of protection of the invention.

Claims (10)

1. A method of identifying rule conflicts of a firewall, characterized in that it comprises:
for each rule in the firewall, defining a plurality of packet sets, each packet set storing the packets that have a different association relation with the rule;
defining the conflict types of the rule conflicts that occur between rules;
building a directed acyclic rule decision tree for a current rule and identifying, based on the rule decision tree of the current rule, the conflict type of the rule conflict occurring between the current rule and the remaining rules;
tracing back the conflict source according to the conflict type, so as to find the conflicting rule that causes the conflict and the packet set defined in that conflicting rule which caused the rule conflict.
2. The method according to claim 1, characterized in that defining a plurality of packet sets for each rule in the firewall, each packet set storing the packets that have a different association relation with the rule, specifically comprises:
for a firewall having d decision spaces F_1, …, F_d and containing n rules r_1, r_2, …, r_n, defining four packet sets for a rule r_i:
a match set R_i, the set of packets defined by rule r_i;
a judgement set E_i, the set of packets matched by rule r_i under the firewall's first-fit sequential matching principle, satisfying E_i ⊆ R_i;
a cover set M_i, the set of packets matched by the rules located before r_i, satisfying M_i = M_{i-1} ∪ E_{i-1};
a same-action set S_i, the set of packets matched by the rules located after r_i that have the same action as r_i.
3. The method according to claim 1, characterized in that defining the conflict types of the rule conflicts that occur between rules specifically comprises:
a complete cover conflict: every packet defined by the current rule also matches a rule located before the current rule, so the current rule is completely covered by the preceding rules and never takes effect;
a partial cover conflict: some of the packets defined by the current rule match rules located before the current rule, so the current rule is partly covered by the preceding rules;
complete cover conflicts and partial cover conflicts are collectively called cover conflicts;
a redundancy conflict: the current rule is not completely covered by the preceding rules, every packet in its judgement set also matches a rule located after the current rule, and the current rule has the same action as that later rule.
4. The method according to claim 2, characterized in that obtaining the judgement set and the cover set, among the plurality of packet sets of the current rule, from the corresponding rule decision tree specifically comprises:
when the current rule is r_i and the rule decision tree of the preceding rule r_{i-1} is t_{i-1},
taking the first decision space of the current rule r_i and the root node of the rule decision tree t_{i-1} as the input of the rule decision tree t_i of the current rule r_i, counting the paths corresponding to the newly added edges into the judgement set E_i of the current rule r_i, and thereby solving for the judgement set E_i, where the root node is the first decision space of the first rule;
obtaining the cover set of the current rule r_i according to M_i = M_{i-1} ∪ E_{i-1}.
5. The method according to claim 4, characterized in that, for a firewall having d decision spaces F_1, …, F_d, the rule decision tree t satisfies:
feature 1: t has exactly one root node, which has no incoming edge, and the nodes that have no outgoing edge are called leaf nodes;
feature 2: every node v in t has a label F(v); if node v is not a leaf node, F(v) ∈ {F_1, …, F_d}; if node v is a leaf node, F(v) is either accept packet or discard packet;
feature 3: every edge e leaving a node u in t has a label I(e), and I(e) is a non-empty subset of the domain of the label of node u;
feature 4: each path in t from the root node to a leaf node forms a rule;
feature 5: for any node v in t, the set E(v) of its outgoing edges satisfies the condition that, for any two distinct edges e and e' in E(v), I(e) ∩ I(e').
6. The method according to claim 5, characterized in that identifying, based on the rule decision tree of the current rule, the conflict type of the rule conflict occurring between the current rule and the remaining rules comprises:
step 1: obtaining, from the rule decision tree corresponding to each current rule, the judgement set and the cover set among the plurality of packet sets of the current rule;
step 2: if the judgement set of the current rule is empty, the current rule is completely covered; go to step 5;
step 3: if the judgement set and the match set of the current rule are equal, no rule conflict occurs between the current rule and the remaining rules; go to step 5;
step 4: identifying a partial cover conflict; identifying a redundancy conflict;
step 5: exiting conflict identification for the current rule.
7. The method according to claim 6, characterized in that:
identifying a partial cover conflict comprises: if the current rule r_i meets the condition and E_i ≠ R_i, judging that a partial cover conflict has occurred between the current rule and the remaining rules;
identifying a redundancy conflict comprises: constructing the same-action set S_i of the current rule r_i, and if this occurs, judging that a redundancy conflict has occurred between the current rule and the remaining rules.
8. The method according to claim 7, characterized in that constructing the same-action set S_i of the current rule r_i specifically comprises:
initializing the same-action set of the current rule as the empty set;
starting from the rule after the current rule and proceeding in order up to the last rule, constructing the rule decision tree of each subsequent rule and obtaining the judgement set of each subsequent rule;
merging the judgement sets of those subsequent rules whose action is identical to that of the current rule into the same-action set S_i of the current rule.
9. The method according to claim 7, characterized in that tracing back the conflict source according to the conflict type, so as to find the conflicting rule that causes the conflict and the packet set defined in that conflicting rule which caused the rule conflict, specifically comprises:
if the current rule r_i produces a cover conflict, the conflict source is R_i ∩ M_i;
if the current rule r_i produces a redundancy conflict, the conflict source is E_i ∩ S_i.
10. A terminal for identifying rule conflicts of a firewall, characterized in that it comprises:
a packet set definition unit, for defining a plurality of packet sets for each rule in the firewall, each packet set storing the packets that have a different association relation with the rule;
a conflict definition unit, for defining the conflict types of the rule conflicts that occur between rules;
a rule decision tree unit, for building a directed acyclic rule decision tree for a current rule and identifying, based on the rule decision tree of the current rule, the conflict type of the rule conflict occurring between the current rule and the remaining rules;
a conflict source tracing unit, for tracing back the conflict source according to the conflict type, so as to find the conflicting rule that causes the conflict and the packet set defined in that conflicting rule which caused the rule conflict.
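As an added worked example (not code from the patent), the sets R_i, E_i, M_i and S_i of claims 2, 8 and 9 and steps 2 to 5 of claim 6 are computed over a constructed toy firewall whose decision spaces are small enough to enumerate every packet, so explicit set operations stand in for the rule decision tree. The rule list and the reading that S_i is built from the later rules' judgement sets with r_i removed are assumptions made here.

```python
from itertools import product

# Constructed toy firewall: decision spaces F1 = source host 0..3, F2 = port 0..2.
ALL_PACKETS = set(product(range(4), range(3)))

# Constructed rule list (hosts, ports, action); the firewall matches first-fit.
RULES = [
    ({0}, {0, 1}, "deny"),           # r1
    ({0, 1}, {0, 1, 2}, "accept"),   # r2: partly covered by r1
    ({1}, {0, 1}, "accept"),         # r3: completely covered by r2
    ({0, 2}, {2}, "accept"),         # r4: partly covered by r2, made redundant by r5
    ({2, 3}, {0, 1, 2}, "accept"),   # r5: partly covered by r4
]

def match_set(rule):
    """R_i: every packet the rule defines (claim 2)."""
    hosts, ports, _ = rule
    return {p for p in ALL_PACKETS if p[0] in hosts and p[1] in ports}

def judgement_sets(rules):
    """E_i under first-fit and cover sets M_i = M_{i-1} ∪ E_{i-1} (claims 2 and 4);
    explicit set difference stands in for path counting on the decision tree."""
    E, M = [], []
    for i, rule in enumerate(rules):
        M.append(set() if i == 0 else M[i - 1] | E[i - 1])
        E.append(match_set(rule) - M[i])
    return E, M

def same_action_set(rules, i):
    """S_i (claim 8): judgement sets of later rules sharing r_i's action. Assumption:
    they are computed with r_i removed, so packets r_i decides can be re-matched."""
    rest = rules[:i] + rules[i + 1:]
    E, _ = judgement_sets(rest)
    later = (E[j] for j in range(i, len(rest)) if rest[j][2] == rules[i][2])
    return set().union(*later)

def classify(rules, i):
    """Steps 2-5 of claim 6 for rule index i (0-based); returns (type, source) pairs."""
    E, M = judgement_sets(rules)
    R = match_set(rules[i])
    if not E[i]:                    # step 2: judgement set empty -> completely covered
        return [("complete cover", R & M[i])]
    if E[i] == R:                   # step 3: E_i = R_i -> no conflict, exit
        return [("none", set())]
    found = [("partial cover", R & M[i])]   # step 4, claim 9 source R_i ∩ M_i
    S = same_action_set(rules, i)
    if E[i] <= S:                   # every packet r_i decides is decided alike later
        found.append(("redundancy", E[i] & S))   # claim 9 source E_i ∩ S_i
    return found
```

Calling classify(RULES, i) for each index reports, per rule, the conflict type together with the exact packets that form the conflict source.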
CN201310138626.4A 2013-04-19 2013-04-19 Method and terminal for recognizing rule conflicts of firewalls Pending CN104113516A (en)

Publications (1)

Publication Number Publication Date
CN104113516A true CN104113516A (en) 2014-10-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20141022