CN108366040B - Programmable firewall logic code detection method and device and electronic equipment - Google Patents


Info

Publication number
CN108366040B
Authority
CN
China
Prior art keywords
network application
logic code
flow sample
application flow
sample
Prior art date
Legal status
Active
Application number
CN201710061779.1A
Other languages
Chinese (zh)
Other versions
CN108366040A (en)
Inventor
杨振华
曹忻军
于洪
Current Assignee
Beijing Philisense Electronics Co ltd
Original Assignee
Beijing Philisense Electronics Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention relates to a method, a device and electronic equipment for detecting the logic code of a programmable firewall. The method comprises the following steps: importing the network application traffic sample corresponding to the logic code into a simulator as input data, where the simulator reads each IP packet of the traffic sample in sequence and analyses and processes the sample; writing and loading a logic code for the network application according to the result of the sample analysis and processing; performing a syntax check on the loaded logic code and deciding from the check result whether the logic code must be modified; executing the logic code that passed the syntax check on the network application traffic sample to obtain the simulated run result of the logic code on the sample; and comparing the run result with the effect expected by the user: if the two are consistent, the logic code is stored in the code library of the simulator; if not, the logic code is returned for modification.

Description

Programmable firewall logic code detection method and device and electronic equipment
Technical Field
The present invention relates to the field of network security application technology, and in particular to a method and an apparatus for detecting the logic code of a programmable firewall, and to an electronic device.
Background
Programmable firewalls require different logic code to be written for each application; different users are interested in different applications, and the applications are implemented very differently. A programmable firewall provides private or customized applications to the user as a security service, so that the firewall gains the ability to extend its application processing and analysis without upgrading the system or replacing hardware.
A firewall is essentially an embedded system that, through a combination of software and hardware, prevents in advance actions such as viruses, unauthorized user access and hacker activity that may threaten the security of internet resources and information.
Common application-layer firewalls cannot adapt well to deep parsing of every application, whereas a programmable firewall can meet all user requirements and supports adjustment to later requirements. Before the programmable firewall executes the logic code, the code is verified by a simulator and only then stored in the code base of the programmable engine. Emulators that simulate code execution results exist in the prior art, but there is no emulator for verifying and modifying the logic code of a programmable firewall. This problem urgently needs to be solved.
Disclosure of Invention
To solve the problems in the prior art, the invention provides a method, a device and electronic equipment for detecting the logic code of a programmable firewall, which ensure that logic code stored in the code base of the programmable engine both conforms to the writing specification and achieves the expected execution effect in practical application.
In order to achieve the above object, the present invention provides a method for detecting a logic code of a programmable firewall, comprising:
importing the network application traffic sample corresponding to the logic code into a simulator as input data, where the simulator reads each IP packet of the traffic sample in sequence and analyses and processes the sample;
writing and loading a logic code for the network application according to the result of the sample analysis and processing;
performing a syntax check on the loaded logic code and deciding from the check result whether the logic code must be modified;
executing the logic code that passed the syntax check on the network application traffic sample to obtain the simulated run result of the logic code on the sample;
and comparing the run result with the effect expected by the user: if the two are consistent, the logic code is stored in the code library of the simulator; if not, the logic code is returned for modification.
Preferably, the logic code for the network application is written by online coding or offline coding.
Preferably, the logic code is loaded by offline import or by online coding.
Preferably, the step of processing each IP packet includes:
when the network application traffic sample is TCP traffic, performing traffic reassembly on the sample;
judging whether the reassembled sample is encrypted under the SSL protocol; if not, identifying the reassembled sample to obtain the bearer protocol type; otherwise, performing SSL proxy processing on the reassembled sample to restore the encrypted traffic to plaintext, and identifying the plaintext sample to obtain the bearer protocol type;
and performing session restoration on the sample to obtain the network application type.
Preferably, the session restoring step includes:
analysing the network application traffic sample to obtain the request-response pairing between client and server, and filtering out traffic unrelated to that pairing.
Correspondingly, to achieve the above object, the present invention further provides a device for detecting a logic code of a programmable firewall, including:
a traffic import unit for importing the network application traffic sample corresponding to the logic code into a simulator as input data, the simulator reading each IP packet of the traffic sample in sequence and analysing and processing the sample;
a loading unit for writing a logic code for the network application according to the result of the sample analysis and processing, and loading the logic code;
a syntax detection unit for performing a syntax check on the loaded logic code and deciding from the check result whether the logic code must be modified;
a simulation running unit that executes the logic code that passed the syntax check on the network application traffic sample to obtain the simulated run result of the logic code on the sample;
and a result comparison unit that compares the run result with the effect expected by the user, stores the logic code in the code library of the simulator if the two are consistent, and returns the logic code for modification if they are not.
Preferably, the logic code for the network application is written by online coding or offline coding.
Preferably, the loading unit loads the logic code by offline import or by online coding.
Preferably, the traffic import unit includes:
a traffic reassembly module for performing traffic reassembly on the network application traffic sample when the sample is TCP traffic;
a bearer protocol type identification module for judging whether the reassembled sample is encrypted under the SSL protocol; if not, identifying the reassembled sample to obtain the bearer protocol type; otherwise, performing SSL proxy processing on the reassembled sample to restore the encrypted traffic to plaintext, and identifying the plaintext sample to obtain the bearer protocol type;
and a session restoration module for performing session restoration on the sample to obtain the network application type.
Preferably, the session restoration module is specifically configured to analyse the network application traffic sample, obtain the request-response pairing between client and server, and filter out traffic unrelated to that pairing.
In order to achieve the above object, the present invention further provides an electronic device, where the electronic device includes the above logic code detection apparatus for a programmable firewall.
The technical scheme has the following beneficial effects:
The scheme verifies both the writing specification and the execution effect of the logic code, so that logic code stored in the code base of the programmable engine conforms to the writing specification and also meets expectations when executed; the stored logic code therefore does not fail when run, which lays the foundation for users to extend the applications of the programmable firewall on their own.
Drawings
To illustrate the embodiments of the present invention or the prior-art technical solutions more clearly, the drawings used in the description of the embodiments or of the prior art are briefly described below. Obviously, the drawings described below are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic view of the working principle of the present technical solution;
FIG. 2 is a schematic diagram of a UI interface according to the present embodiment;
FIG. 3 is a second schematic diagram of a UI interface according to the present embodiment;
FIG. 4 is a schematic diagram of the simulation operation principle of the present technical solution;
FIG. 5 is a functional block diagram of a logic code detection apparatus of a programmable firewall according to an embodiment of the present invention;
FIG. 6 is a functional block diagram of a traffic import unit in the logic code detection apparatus of the programmable firewall according to the embodiment;
FIG. 7 is a flowchart of a method for detecting the logic code of a programmable firewall according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to the embodiment of the invention, a method and a device for detecting logic codes of a programmable firewall and electronic equipment are provided.
Moreover, any number of elements in the drawings are by way of example and not by way of limitation, and any nomenclature is used solely for differentiation and not by way of limitation.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments of the invention.
Summary of the Invention
Conventionally, to extend a firewall's analysis and processing capability for network applications, the hardware of the existing firewall is usually extended, and users cannot add new applications themselves. Programmable firewalls require different logic code to be written for each application; different users are interested in different applications, and the applications are implemented very differently.
After logic code is written in the programmable firewall system, two conditions must be ensured before it is actually imported into the programming engine:
1) the newly written logic code conforms to the writing specification, for example the syntax rules;
2) executing the logic code produces the desired effect.
Both require the logic code to be verified and modified before it is actually imported into the programming engine of the programmable firewall.
Taking the network application traffic sample as input data, each IP packet of the sample is read in sequence using libpcap and processed in run-to-completion mode. The processing flow is the same as in the engine of the programmable firewall; its result is the bearer protocol type and the network application type, and the corresponding logic code is written according to these. After the logic code is written, it is first loaded and syntax-checked; syntax errors in the code are fed back, and the user corrects them according to the error prompts. Then the logic code is executed in simulation and the result is output. The scheme fully simulates the actual processing of the programmable firewall to ensure the accuracy of the logic code.
Analysing and processing the network application traffic sample comprises the following: to develop logic code for a given network application as required by the simulator, a sample of that application's traffic must first be obtained, and the characteristic information of the traffic is then extracted from the sample. In this scheme the characteristic information is the bearer protocol type and the network application type. The traffic sample is obtained in one of two ways: for public internet applications, a security developer (logic code developer) captures a traffic sample and obtains the application's traffic characteristics by analysing it; for a private application on the user's side, the user must provide a traffic sample of the application and technical documentation about it, and the security developer (logic code developer) obtains the characteristic information from the documentation or by analysing the sample directly.
Having described the general principles of the invention, various non-limiting embodiments of the invention are described in detail below.
Principle of operation
Fig. 1 is a schematic diagram of the working principle of the technical scheme. A network traffic sample is prepared and stored as a packet file in tcpdump format. The sample is imported into the simulator with the "import traffic" function key of the UI, and then processed and analysed as shown in fig. 4, the schematic diagram of the traffic sample analysis principle. The simulator contains most functions of the engine of the programmable firewall and uses libpcap to read each IP packet of the sample in sequence. When the traffic input to the coder is TCP traffic, the sample is reassembled to eliminate transmission problems such as out-of-order delivery, overlap and retransmission.
Next, it is judged whether the reassembled sample is SSL-encrypted. If so, the SSL proxy function is started: one SSL-encrypted connection is split into two SSL connections, the encrypted traffic is restored to plaintext for subsequent processing, and bearer protocol identification follows; otherwise bearer protocol identification is performed directly to determine the bearer protocol type.
The sample then undergoes session restoration. Network applications generally work in a request-plus-response manner; for example, when sending mail, the interaction between client and server is similar to the following:
Client: about to send the subject, is that allowed?
Server: go ahead and send.
Client: the subject is xxxx.
Server: receiving complete.
Here the two requests and two responses correspond one to one, which is the ideal situation. In practice, other application traffic is mixed in between the requests and responses and must be filtered out. In addition, to improve communication efficiency, the client may send several requests in succession and the server then return several responses in succession; in that case the requests and responses must be paired before further analysis. Pairing requests with responses and filtering out unrelated traffic is session restoration; after it, the network application type can be determined accurately.
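The session restoration just described, as an added example that is not the patent's own code: it pairs requests with responses first-in first-out (which also covers the pipelined case), drops traffic of other flows, and ignores a server message with no outstanding request. The record format, the constructed flow labels and the sample exchange are assumptions made for this example.

```python
"""Session restoration: pair each client request with the server response that
answers it and drop traffic belonging to other flows. Constructed example.

Each record is (flow, direction, payload). `flow` is a constructed label for
the connection (in a real simulator it would come from the reassembled TCP
stream), `direction` is "c2s" (client to server) or "s2c" (server to client).
"""
from collections import deque


def restore_session(records, flow):
    """Return the ordered list of (request, response) pairs for one flow.

    Requests are matched to responses first-in first-out. That covers the
    simple one-request-one-response case and the pipelined case where the
    client sends several requests before the server answers any of them.
    Records of other flows are filtered out; a server message with no
    outstanding request (a greeting banner) is dropped; a request that never
    received a response is reported with None.
    """
    pending = deque()   # requests still waiting for their response
    pairs = []
    for rec_flow, direction, payload in records:
        if rec_flow != flow:
            continue                     # unrelated application traffic
        if direction == "c2s":
            pending.append(payload)
        elif direction == "s2c" and pending:
            pairs.append((pending.popleft(), payload))
    while pending:                       # unanswered requests at end of capture
        pairs.append((pending.popleft(), None))
    return pairs


# Constructed capture: a mail-style exchange with web traffic of another flow
# mixed in, and two pipelined requests answered by two consecutive responses.
MAIL_FLOW = "10.0.0.5:52000->192.0.2.10:25"
WEB_FLOW = "10.0.0.5:52001->192.0.2.20:80"
SAMPLE_RECORDS = [
    (MAIL_FLOW, "s2c", "220 ready"),                   # banner, no request yet
    (MAIL_FLOW, "c2s", "MAIL FROM:<a@example.test>"),
    (WEB_FLOW,  "c2s", "GET / HTTP/1.1"),              # unrelated, filtered out
    (MAIL_FLOW, "s2c", "250 OK"),
    (MAIL_FLOW, "c2s", "RCPT TO:<b@example.test>"),    # pipelined request 1
    (MAIL_FLOW, "c2s", "DATA"),                        # pipelined request 2
    (WEB_FLOW,  "s2c", "HTTP/1.1 200 OK"),             # unrelated, filtered out
    (MAIL_FLOW, "s2c", "250 OK"),                      # answers request 1
    (MAIL_FLOW, "s2c", "354 go ahead"),                # answers request 2
]

if __name__ == "__main__":
    for request, response in restore_session(SAMPLE_RECORDS, MAIL_FLOW):
        print(f"{request!r} -> {response!r}")
```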
The corresponding logic code is written according to the analysis result; it can be coded online or offline. The code can be written online through the UI provided by the firewall, or with any third-party text editing tool. After writing, the logic code is loaded, either by offline import or by online coding.
Fig. 2 is a schematic diagram of the UI according to this embodiment. In this scheme the code is written with any third-party text editor, saved as a UTF-8 text file, and loaded by clicking the import function key of the simulator's UI; this is offline import. Alternatively the code is written directly in the text edit box of the UI and the submit function key is clicked; this is online coding.
Fig. 3 is a second schematic diagram of the UI according to this embodiment. After the code is loaded, the 'submit' function key in the UI is clicked and the newly loaded logic code is checked for basic syntax errors. The engine of the programmable firewall is based on the Lua language, so the syntax must conform to the Lua specification, and the syntax compliance check is performed by a Lua interpreter built into the simulator. Any syntax error is fed back to the user through the UI, and the user corrects the logic code according to the feedback until the syntax check passes.
In the subsequent simulated run, the logic code whose syntax errors have been eliminated is called and run in simulation, in order to detect errors during execution and to verify whether the output of the written logic code meets expectations. The developer can correct the code according to the simulation result until it achieves the expected effect, and the corrected logic code is then imported into the code library.
The simulation result is presented at the corresponding position of the UI. The engine of the programmable firewall provides a debugging interface API for simulation output, used to output the simulator's execution result and error information; developers call these interfaces in the logic code they write to output the execution process information they want to see. These API interfaces judge the current running environment before executing: if they run in the simulator, they output the result; if they run in the real programming engine, they do nothing. The purpose of this design is that calling these APIs lets developers collect more runtime information in the emulator environment without affecting processing performance in the real programming engine.
When editing the logic code program, a debugging API call is placed in advance in each program statement; when the program is executed in simulation mode, it runs with these debugging calls, and if a program statement does not run normally, a debugging result indicating the abnormal execution is output.
In this scheme the written logic code is stored in the code base of the programmable firewall only after it has been verified to be correct, so that when the programmable firewall actually runs, logic code in the code base can be matched and selected according to the characteristics of the network application traffic.
Exemplary devices
The device according to an exemplary embodiment of the present invention will now be described with reference to fig. 5, in conjunction with the schematic operating principle of fig. 1.
It should be noted that the above application scenarios are merely illustrated for the convenience of understanding the spirit and principles of the present invention, and the embodiments of the present invention are not limited in this respect. Rather, embodiments of the present invention may be applied to any scenario where applicable.
Referring to fig. 5, a functional block diagram of a device for detecting logic codes of a programmable firewall according to an embodiment of the present invention is shown. As shown, it includes:
a traffic import unit 501 for importing the network application traffic sample corresponding to the logic code into a simulator as input data, where the simulator reads each IP packet of the traffic sample in sequence and analyses and processes the sample;
a loading unit 502 for writing a logic code for the network application according to the result of the sample analysis and processing, and loading the logic code;
a syntax detection unit 503 for performing a syntax check on the loaded logic code and deciding from the check result whether the logic code must be modified;
a simulation running unit 504 configured to execute the logic code that passed the syntax check on the network application traffic sample and obtain the simulated run result of the logic code on the sample;
and a result comparison unit 505 for comparing the run result with the effect expected by the user, storing the logic code in the code library of the simulator if the two are consistent, and returning the logic code for modification if they are not.
In this embodiment, the logic code for the network application is written by online coding or offline coding.
Fig. 6 is a functional block diagram of the traffic import unit in the logic code detection apparatus of the programmable firewall according to this embodiment. It comprises:
a traffic reassembly module 5041 configured to perform traffic reassembly on the network application traffic sample when the sample is TCP traffic;
a bearer protocol type identification module 5042 configured to judge whether the reassembled sample is encrypted under the SSL protocol; if not, identifying the reassembled sample to obtain the bearer protocol type; otherwise, performing SSL proxy processing on the reassembled sample to restore the encrypted traffic to plaintext, and identifying the plaintext sample to obtain the bearer protocol type;
a session restoration module 5043 configured to perform session restoration on the sample to obtain the network application type; specifically, it analyses the network application traffic sample to obtain the request-response pairing between client and server, and filters out traffic unrelated to that pairing.
In this scheme the device is arranged in the engine of the programmable firewall and can check the writing specification and the execution effect of the logic code, so that when the programmable firewall is in use, the stored logic code that is called executes normally and no errors occur in operation.
Furthermore, although several units of the apparatus are mentioned in the above detailed description, such a division is not mandatory. Indeed, according to embodiments of the invention, the features and functions of two or more of the units described above may be embodied in one unit, and the features and functions of one unit described above may be further divided among a plurality of units.
Exemplary method
Having described the apparatus of an exemplary embodiment of the present invention, the method of an exemplary embodiment of the present invention is next described with reference to fig. 7.
Fig. 7 is a flowchart of a method for detecting a logic code of a programmable firewall according to an embodiment of the present invention. The method comprises the following steps:
step 701): introducing the network application flow sample corresponding to the logic code into a simulator as input data, wherein the simulator reads each IP data packet of the network application flow sample in sequence and analyzes and processes the network application flow sample;
specifically, the step of processing each IP packet includes:
when the network application flow sample is TCP flow, carrying out flow recombination on the network application flow sample;
judging whether the network application flow sample after the flow recombination is subjected to SSL protocol encryption authentication or not; if not, identifying the reconstructed network application flow sample to obtain a bearer protocol type; otherwise, performing SSL proxy processing on the reconstructed network application flow sample, restoring the encrypted network application flow sample into a clear network application flow sample, and identifying the network application flow sample restored into the clear text to obtain a bearer protocol type;
performing session restoration on the network application flow sample to obtain a network application type; the session restoration specifically comprises the following steps: analyzing the network application flow sample to obtain a response pairing between the client and the server, and filtering out the flow irrelevant to the response pairing.
Step 702): writing logic code for the network application according to the result of the sample analysis and processing, and loading it;
in this step, the logic code is loaded either by offline import or by online coding.
Step 703): performing a syntax check on the loaded logic code, and deciding whether to modify the logic code according to the check result;
Step 704): executing the logic code that passed the syntax check on the network application flow sample to obtain the simulated-operation result of the logic code on the flow sample;
Step 705): comparing the operation result with the effect expected by the user; if the operation result of the logic code is consistent with the result expected by the user, storing the logic code in the code library of the simulator, and if it is not consistent, returning the logic code for modification.
The logic code is written for the network application either online or offline. Before the logic code is stored in the code base in the engine of the programmable firewall, its syntax must be checked and it must be verified whether the written logic code achieves the expected execution effect. The logic code is corrected according to the check and verification results, which ensures that the logic code stored in the code base of the programmable engine conforms to the writing specification and achieves the expected execution effect in practical application.
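As an added illustration of steps 701 to 705 (example code, not the patent's or the assignee's own implementation), the following Python stand-in for the simulator reassembles a constructed TCP sample, flags TLS streams as needing SSL proxy processing, identifies the bearer protocol, restores client/server sessions by filtering out unpaired traffic, syntax-checks user-written logic code, runs it on every session and compares the verdicts with the expected ones before storing the code in a code library. The segment tuple format, all function names, the detect(session) contract and the verdict strings are assumptions.

```python
from collections import defaultdict

# Constructed sample: TCP segments as (src, dst, seq, payload). The HTTP request is
# delivered out of order; the :443 flow is a TLS handshake; :25 never gets a reply.
SAMPLE = [
    ("10.0.0.2:51000", "10.0.0.9:80", 24, b"Host: gis.internal\r\n\r\n"),
    ("10.0.0.2:51000", "10.0.0.9:80", 0, b"GET /tile.map HTTP/1.1\r\n"),
    ("10.0.0.9:80", "10.0.0.2:51000", 0,
     b"HTTP/1.1 200 OK\r\nContent-Type: application/x-map\r\n\r\nMAP precision=1:500"),
    ("10.0.0.2:51001", "10.0.0.9:443", 0, b"\x16\x03\x01\x00\x05hello"),
    ("10.0.0.9:443", "10.0.0.2:51001", 0, b"\x16\x03\x03\x00\x02\x02\x00"),
    ("10.0.0.2:51002", "10.0.0.7:25", 0, b"EHLO relay\r\n"),
]
# Hypothetical user logic code; the assumed simulator contract is detect(session) -> verdict.
LOGIC_CODE = r'''
def detect(session):
    if session["bearer"] != "http":
        return "needs-ssl-proxy"  # clear text must come from the SSL proxy first
    body = session["response"].partition(b"\r\n\r\n")[2]
    return "block" if body.startswith(b"MAP") else "allow"
'''

def reassemble(segments):
    """Step 701: rebuild each direction's byte stream in sequence-number order."""
    streams = defaultdict(list)
    for src, dst, seq, payload in segments:
        streams[(src, dst)].append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in streams.items()}

def bearer_protocol(stream):
    """Step 701: a TLS record header means SSL proxy processing is required first."""
    if stream[:2] == b"\x16\x03":
        return "tls"
    if stream.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "http"
    return "unknown"

def restore_sessions(streams):
    """Step 701: pair each request stream with its reply; unpaired flows are filtered out."""
    sessions, seen = [], set()
    for (src, dst), data in streams.items():
        peer = streams.get((dst, src))
        if peer is None or (dst, src) in seen:
            continue
        seen.add((src, dst))
        req, resp = (peer, data) if data.startswith(b"HTTP/") else (data, peer)
        sessions.append({"bearer": bearer_protocol(req), "request": req, "response": resp})
    return sessions

def verify_and_store(source, sessions, expected, code_library):
    """Steps 703-705: syntax-check, simulate on every session, compare, then store or reject."""
    try:
        code = compile(source, "<logic_code>", "exec")  # step 703: syntax check
    except SyntaxError as exc:
        return ("syntax-error", f"line {exc.lineno}: {exc.msg}")
    ns = {"__builtins__": {}}  # stand-in for the engine's interpreter, not a sandbox
    exec(code, ns)  # step 704: load the logic code
    results = [ns["detect"](s) for s in sessions]
    mismatches = [i for i, (r, e) in enumerate(zip(results, expected)) if r != e]
    if mismatches:
        return ("modify", mismatches)  # step 705: returned to the author for correction
    code_library["map-detect"] = source
    return ("stored", results)
```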
It should be noted that while the operations of the method of the present invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
Exemplary device
Based on the above exemplary apparatus and method, this embodiment also provides an electronic device, as shown in fig. 8. The electronic device detects the logic code according to various network application request instructions, and comprises:
a memory 801 for storing network application request instructions;
a processor 802 coupled to the memory, the processor configured to execute network application request instructions stored in the memory, wherein the processor is configured with an application program to:
import the network application flow sample corresponding to the logic code into a simulator as input data, where the simulator reads each IP data packet of the flow sample in sequence and analyzes and processes the flow sample;
write logic code for the network application according to the result of the sample analysis and processing, and load it;
perform a syntax check on the loaded logic code, and decide whether to modify the logic code according to the check result;
execute the logic code that passed the syntax check on the network application flow sample to obtain the simulated-operation result of the logic code on the flow sample;
and compare the operation result with the effect expected by the user; if the operation result of the logic code is consistent with the result expected by the user, store the logic code in the code library of the simulator, and if it is not consistent, return the logic code for modification.
An embodiment of the present invention further provides a computer-readable program, where when the program is executed in an electronic device, the program causes a computer to execute the method for detecting a logic code of a programmable firewall in the electronic device according to fig. 7.
An embodiment of the present invention further provides a storage medium storing a computer-readable program, where the computer-readable program enables a computer to execute the method for detecting a logic code of a programmable firewall in an electronic device as shown in fig. 7.
Examples
After years of digitization at a national surveying and mapping unit, its survey maps have been fully digitalized. Digital map data is the core asset of the unit, and maps of different accuracies carry different confidentiality levels. The unit strictly prohibits digital maps within the secure range from flowing out of the mapping unit to the internet. Digital map data is highly specialized: ordinary security equipment cannot recognize it at all, let alone distinguish it at fine granularity by attributes such as accuracy. In this scenario, the unit provides relevant information about the electronic map data, such as map file samples and a description of the map file format; then a security professional or a developer in the unit's information department writes code for the programmable firewall so that it recognizes the electronic map data contained in network traffic. After recognition, fine-grained analysis is performed according to the specific requirements of the surveying and mapping unit, such as the map accuracy, the area covered by the map, and whether it carries the geographic identification of a state department, from which it can be judged whether the electronic map is classified and whether it may be transmitted over the internet. Once development is complete, the programmable firewall can be deployed at the internet egress of the mapping unit to detect illegal map data propagation in inbound and outbound network traffic. In practical testing, the programmable firewall solved a problem that products such as application-level filtering firewalls could do nothing about.
The programmable firewall gives the firewall platform dynamically extensible application detection. Because the code executes at the logic level of the network application, all details of the network application can be mined through customized code. A coder writes logic code for a given network application; the firewall recognizes and detects the corresponding network application and executes that logic code on it. The application-layer deep detection capability of the firewall can therefore be expanded rapidly, solving the problems that the number of network applications supported by a firewall is limited and that deep analysis of private applications inside an enterprise is difficult. Before the written logic code is stored in the code base in the engine of the programmable firewall, its syntax is checked and it is run in simulation, so that the logic code stored in the code base of the programmable firewall conforms to the writing specification and achieves the expected execution effect when executed in actual application.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (11)

1. A method for detecting a logic code of a programmable firewall, comprising:
importing the network application flow sample corresponding to the logic code into a simulator as input data, the simulator reading each IP data packet of the network application flow sample in sequence, and analyzing and processing the network application flow sample to obtain a bearer protocol type and a network application type;
writing logic code for the network application according to the bearer protocol type and the network application type, and loading it;
performing a syntax check on the loaded logic code, and deciding whether to modify the logic code according to the check result;
executing the logic code that passed the syntax check on the network application flow sample to obtain a simulated-operation result of the logic code on the network application flow sample;
and comparing the operation result with the effect expected by the user; if the operation result is consistent with the effect expected by the user, saving the logic code to a code library of the simulator, and if the operation result is not consistent with the effect expected by the user, returning the logic code for modification.
2. The method of claim 1, wherein the logic code is written for the network application by online coding or offline coding.
3. The method of claim 1 or 2, wherein the logic code is loaded by offline import or by online coding.
4. The method of claim 1 or 2, wherein analyzing the network application flow sample comprises:
when the network application flow sample is TCP traffic, reassembling the TCP stream of the network application flow sample;
judging whether the reassembled network application flow sample has been encrypted with the SSL protocol; if not, identifying the reassembled flow sample to obtain a bearer protocol type; otherwise, passing the reassembled flow sample through SSL proxy processing, restoring the encrypted flow sample to a clear-text flow sample, and identifying the restored clear-text flow sample to obtain a bearer protocol type;
and performing session restoration on the network application flow sample to obtain the network application type.
5. The method of claim 4, wherein the session restoration comprises:
analyzing the network application flow sample to obtain the response pairing between the client and the server, and filtering out the traffic that is unrelated to that pairing.
6. An apparatus for detecting logic code of a programmable firewall, comprising:
a flow import unit, configured to import the network application flow sample corresponding to the logic code into a simulator as input data, the simulator reading each IP data packet of the network application flow sample in sequence and analyzing and processing the network application flow sample to obtain a bearer protocol type and a network application type;
a loading unit, configured to write logic code for the network application according to the bearer protocol type and the network application type and to load the logic code;
a syntax detection unit, configured to perform a syntax check on the loaded logic code and to decide whether to modify the logic code according to the check result;
a simulation operation unit, configured to execute the logic code that passed the syntax check on the network application flow sample to obtain the simulated-operation result of the logic code on the network application flow sample;
and a result comparison unit, configured to compare the operation result with the effect expected by the user, to store the logic code in a code library of the simulator if the operation result is consistent with the effect expected by the user, and to return the logic code for modification if the operation result is inconsistent with the effect expected by the user.
7. The apparatus of claim 6, wherein the logic code is written for the network application by online coding or offline coding.
8. The apparatus of claim 6 or 7, wherein the loading unit loads the logic code by offline import or by online coding.
9. The apparatus of claim 6 or 7, wherein the flow import unit comprises:
a flow reassembly module, configured to reassemble the TCP stream of the network application flow sample when the network application flow sample is TCP traffic;
a bearer protocol type identification module, configured to judge whether the reassembled network application flow sample has been encrypted with the SSL protocol; if not, to identify the reassembled flow sample to obtain a bearer protocol type; otherwise, to pass the reassembled flow sample through SSL proxy processing, restore the encrypted flow sample to a clear-text flow sample, and identify the restored clear-text flow sample to obtain a bearer protocol type;
and a session restoration module, configured to perform session restoration on the network application flow sample to obtain the network application type.
10. The apparatus of claim 9, wherein the session restoration module is specifically configured to analyze the network application flow sample, obtain the response pairing between a client and a server, and filter out traffic that is unrelated to that pairing.
11. An electronic device comprising the programmable firewall logic code detection apparatus of any of claims 6 to 10.
CN201710061779.1A 2017-01-26 2017-01-26 Programmable firewall logic code detection method and device and electronic equipment Active CN108366040B (en)

Publications (2)

Publication Number Publication Date
CN108366040A (en) 2018-08-03
CN108366040B (en) 2021-03-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant