CN101753369A - Method and device for detecting firewall rule conflict - Google Patents

Publication number: CN101753369A (granted version: CN101753369B)
Application number: CN200810227967A
Authority: CN (China)
Original language: Chinese (zh); the text below is an English rendering
Inventor: 陈强
Original and current assignee: Beijing Topsec Network Security Technology Co Ltd
Legal status: granted, active
Prior art keywords: rule, linearisation, attribute information, interpolation (i.e. adding a rule), modification
Landscapes: Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a method and a device for detecting firewall rule conflict. The method comprises: performing a linearisation transform on the attribute information of every rule in the firewall rule set, and storing the linearised intervals that correspond to each rule's attribute information after the transform in the form of a linearised linked list indexed by the priority sequence number of each rule; when a rule is added to or modified in the firewall rule set, traversing the linearised linked list and collecting into a related-rule set every rule whose attribute information intersects that of the rule being added or modified; and judging in turn whether the action of each rule in the related-rule set is consistent with the action of the rule being added or modified, determining rules with a consistent action to be redundant rules and rules with an inconsistent action to be conflicting rules. The method and device can greatly improve the efficiency of detecting firewall rule conflicts.

Description

Method and device for detecting firewall rule conflict
Technical field
The present invention relates to the field of network security technology, and in particular to a method and device for detecting firewall rule conflict.
Background technology
A firewall rule set is the collection of access control rules configured by the firewall administrator that decides whether packets in the network may pass through the firewall.
In recent years firewall rule sets have grown very large; a large enterprise firewall commonly contains hundreds or even thousands of rules. Faced with so many rules, even the most basic administrative tasks, such as fully understanding the meaning of each rule and the relationships between rules, are not easy. A rule conflict is an intersection between two or more rules: when a rule is added, the new rule A may conflict with some existing rule B, so that certain packets match both A and B. This creates an ambiguity: according to which rule's defined action should these packets be processed? Firewalls usually resolve this by assigning each rule a different priority; among conflicting rules, the firewall carries out the action defined by the rule with the higher priority. Most firewalls order rules from high to low priority: a rule placed earlier has the higher priority, and a rule placed later has the lower priority. The administrator must therefore insert a new rule at a suitable position and give it an appropriate priority, so that packets are not matched by rules they should not match. Correctly determining the position at which a new rule is inserted is thus vital.
Prior-art methods for detecting firewall rule conflict mainly aim at reducing the time complexity of comparing rules with each other, and do not consider the time complexity of comparing attributes. Because rule attributes are not processed in any way and the way they are stored is not changed, attribute comparison can only be carried out by polling (scanning each value in turn), so attribute comparison is difficult and very inefficient.
Summary of the invention
The present invention provides a method and device for detecting firewall rule conflict, in order to solve the problem that prior-art detection methods, because of the way rule attributes are stored, make attribute comparison difficult and very inefficient.
The technical scheme of the present invention is as follows:
A method for detecting firewall rule conflict comprises the steps of:
A. performing a linearisation transform on the attribute information of each rule in the firewall rule set, and storing, in the form of a linearised linked list indexed by the priority sequence number of each rule, the linearised intervals corresponding to the attribute information of each rule obtained after the transform;
B. when a rule is added to or modified in the firewall rule set, traversing the linearised linked list and adding to a related-rule set every rule of the firewall rule set whose attribute information intersects that of the rule being added or modified;
C. judging in turn whether the action corresponding to each rule in the related-rule set is consistent with the action corresponding to the rule being added or modified; a rule with a consistent action is determined to be redundant with the added or modified rule, and a rule with an inconsistent action is determined to conflict with it.
Preferably, the attribute information is one or more of source address, destination address, transport protocol, source port and destination port.
Preferably, the method further comprises the step of determining that a rule of the firewall rule set whose attribute information does not intersect that of the added or modified rule is unrelated to the added or modified rule.
Preferably, in the linearised linked list the linearised intervals corresponding to any attribute of a rule are arranged in ascending order, and no two of those linearised intervals intersect.
A device for detecting firewall rule conflict comprises a linearisation transform module, a linked-list storage module, a linked-list traversal module and a judgement module, wherein:
the linearisation transform module is used to perform a linearisation transform on the attribute information of each rule in the firewall rule set;
the linked-list storage module is used to store, in the form of a linearised linked list indexed by the priority sequence number of each rule, the linearised intervals corresponding to the attribute information of each rule obtained after the linearisation transform;
the linked-list traversal module is used, when a rule is added to or modified in the firewall rule set, to traverse the linearised linked list and add to a related-rule set every rule of the firewall rule set whose attribute information intersects that of the added or modified rule;
the judgement module is used to judge in turn whether the action corresponding to each rule in the related-rule set is consistent with the action corresponding to the added or modified rule, to determine a rule with a consistent action to be redundant with the added or modified rule, and to determine a rule with an inconsistent action to conflict with it.
Preferably, the attribute information is one or more of source address, destination address, protocol, source port and destination port.
Preferably, the linked-list traversal module is further used to determine that a rule of the firewall rule set whose attribute information does not intersect that of the added or modified rule is unrelated to the added or modified rule.
Preferably, in the linearised linked list the linearised intervals corresponding to any attribute of a rule are arranged in ascending order, and no two of those linearised intervals intersect.
The beneficial effects of the present invention are as follows:
The technical scheme of the present invention linearises the attributes of the rules in the firewall rule set and stores the linearised intervals corresponding to each rule's attribute information in the form of a linearised linked list, thereby greatly reducing the complexity of comparing rule attributes and improving the efficiency of conflict detection. The efficiency of attribute comparison during conflict detection is greatly improved: the original O(n) comparison can be reduced to O(1) when two rules are identical, and to O(lg n) when they intersect or one covers the other.
Description of drawings
Fig. 1 is a flow chart of the implementation principle of the method for detecting firewall rule conflict according to the present invention;
Fig. 2 is a structural block diagram of the device for detecting firewall rule conflict according to the present invention.
Embodiment
The specific implementation of the present invention is set out below with reference to the drawings.
Refer to Fig. 1, which is a flow chart of the implementation principle of the method for detecting firewall rule conflict according to the present invention. The method mainly comprises the following steps:
Step 10: perform a linearisation transform on the attribute information of each rule in the firewall rule set.
The attribute information is one or more of source address, destination address, protocol, source port and destination port.
Step 11: store, in the form of a linearised linked list indexed by the priority sequence number of each rule, the linearised intervals corresponding to the attribute information of each rule obtained after the transform.
In the linearised linked list, the linearised intervals corresponding to any attribute of a rule are arranged in ascending order, and no two of those linearised intervals intersect.
Step 12: when a rule is added to or modified in the firewall rule set, traverse the linearised linked list; add to a related-rule set every rule of the firewall rule set whose attribute information intersects that of the added or modified rule, and determine every rule whose attribute information does not intersect that of the added or modified rule to be unrelated to it.
Step 13: judge in turn whether the action corresponding to each rule in the related-rule set is consistent with the action corresponding to the added or modified rule; a rule with a consistent action is determined to be redundant with the added or modified rule, and a rule with an inconsistent action is determined to conflict with it.
The core of the present invention is the linearisation transform of the attribute information of each rule in the firewall rule set. Linearisation means storing the attributes contained in a rule in a single unique representation, which makes it convenient to compare the attribute information of rules during conflict detection.
Taking the source address as an example, the linearisation transform of the attribute information in a rule is carried out as follows:
A source address attribute may contain several source address ranges or single source addresses. The source address attribute of a rule is represented as at least one linearised source address interval, each recorded as a pair (ip1, ip2) with ip1 <= ip2; if ip1 = ip2 the interval is a single address. To make the representation unique, the source address intervals and single addresses must be arranged in ascending order, no two of them may intersect, and two adjacent intervals are merged. This completes the linearisation of the source address attribute; the other attributes are linearised in the same way.
When a rule R is added to or modified in the firewall rule set, the detailed process for detecting rule conflict is as follows:
Step 20: compare the linearised source address attribute of rule R in turn with the linearised source address attribute of every other rule Rx in the firewall rule set, and add every rule whose source address intersects that of rule R to a temporary linked list L;
Step 21: compare the linearised destination address attribute of rule R with that of each rule in the temporary linked list L, and delete from L every rule whose destination address does not intersect that of rule R;
Step 22: if the temporary linked list L contains no rule, rule R does not conflict with any rule in the firewall rule set, and detection ends;
Step 23: if rules remain in the temporary linked list L, repeat the linearised attribute comparison of step 21 for the destination port, the transport protocol and the source port, in that order; if rules still remain in L after all attributes have been compared, those rules conflict with, or are redundant with, rule R.
During detection of whether rules conflict, the comparison of linearised attributes proceeds as follows:
If a given attribute of rule R1 and of rule R2 has the same number of linearised intervals, a single comparison pass can confirm whether the start point S and end point E of each interval are respectively equal; if they are, this attribute of R1 and R2 is identical, otherwise it differs. Identical attributes are a special case of intersecting attributes.
If the number of linearised intervals of a given attribute differs between R1 and R2, or the contents differ, it must be confirmed whether any interval of that attribute of R1 intersects an interval of that attribute of R2. For any interval (S1, E1) of rule R1, since the start points of the linearised intervals of rule R2 are ordered, the relative position of S1 is found by binary search, and there are several cases for where S1 falls. First, S1 equals the start point of some interval, in which case the attributes intersect. Second, S1 is greater than the start point of the preceding interval, in which case it must also be confirmed whether S1 is less than the end point of that interval; if so the attributes intersect, otherwise they do not. Third, S1 is less than the start point of the first interval, in which case it must be confirmed whether E1 is greater than that start point; if so the attributes intersect, otherwise they do not. As soon as some attribute of rule R1 is confirmed to intersect the same attribute of rule R2, the attribute information of R1 and R2 intersects.
If the attributes of rule R1 and rule R2 do not intersect, R1 and R2 neither conflict nor are redundant. If they intersect and the actions corresponding to R1 and R2 are consistent, the two rules are redundant; otherwise they conflict.
A concrete example is given below to explain the implementation of the method of the invention in further detail.
Suppose the firewall rule set configured by the user is as in the following table, where the sequence number of a rule is also its priority order:

Seq  Source address                                                   Destination address  Protocol  Port  Action
1    11.22.33.*                                                       11.22.44.*           Tcp       21    accept
2    11.22.1.38-11.22.1.56, 11.22.2.5-11.22.2.128, 11.22.3.0-11.22.3.16  any               Tcp       80    deny
3    11.22.2.*                                                        any                  Tcp       80    accept
4    11.22.1.*, 11.22.2.*, 11.22.3.*                                  any                  Tcp       80    accept

When a rule-adding operation is performed on the above firewall rule set, the detailed process for detecting firewall rule conflict is as follows:
The firewall rule set is first linearised. Linearisation expresses address attributes in the unique form of address intervals (ip1, ip2); protocol and port attributes only need numeric comparison; a field whose value is any needs no processing, because it matches the corresponding field of every rule.
The linearised linked list obtained by linearising the above firewall rule set is as follows:

Seq  Source address                                                          Destination address         Protocol  Port  Action
1    11.22.33.0,11.22.33.255                                                 11.22.44.0,11.22.44.255     tcp       21    accept
2    11.22.1.38,11.22.1.56  11.22.2.5,11.22.2.128  11.22.3.0,11.22.3.16      any                         Tcp       80    deny
3    11.22.2.0,11.22.2.255                                                   any                         Tcp       80    accept
4    11.22.1.0,11.22.2.255                                                   any                         Tcp       80    accept

When the user adds rule 4 to the firewall rule set, rule conflict detection proceeds as follows:
First step: compare the source address attributes of the rules. Rule 4 and rule 1 have the same number of source address intervals; a direct comparison finds that the contents differ, so it must be confirmed whether they intersect. Taking 11.22.1.0 from rule 4, a binary search among the source address intervals of rule 1 finds that 11.22.1.0 lies to the left of the interval 11.22.33.0,11.22.33.255. Then 11.22.2.255 is compared with 11.22.33.0: 11.22.2.255 is less than 11.22.33.0, so the intervals do not intersect, the source address attributes of the two rules are unrelated, and therefore rule 4 and rule 1 are unrelated. Searching the source address intervals of rule 2 in the same way, 11.22.1.0 lies to the left of the interval 11.22.1.38,11.22.1.56; comparing 11.22.2.255 with 11.22.1.38, 11.22.2.255 is greater than 11.22.1.38, so the source address attributes of rule 4 and rule 2 intersect, and rule 2 is put into the temporary linked list L. Comparing in the same way, the source address attributes of rule 4 and rule 3 also intersect, so rule 3 is likewise put into L.
Second step: compare the destination address of rule 4 with those of the rules in L. Because the destination address of rule 4 is any, it intersects the destination address of every rule, so rules 2 and 3 remain in L.
Third step: compare the destination port of rule 4 with those of the rules in L; rules 2 and 3 remain in L.
Fourth step: compare the transport protocol of rule 4 with those of the rules in L; rules 2 and 3 remain in L.
Fifth step: the actions corresponding to rule 4 and rule 2 differ, so they conflict; the actions corresponding to rule 4 and rule 3 are consistent, so they are redundant.
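As an added illustration (not code from the patent or from its assignee), the following Python implements the linearisation of step 10, the binary-search interval intersection of steps 20-23 and the redundant/conflict classification of step 13, generalised so that the intersection test handles an interval of R1 landing in any gap of R2's interval list rather than only the three cases spelled out above. It re-types the four-rule set from the tables as constructed input; the protocol-number map and the attribute comparison order (source port left out because the example has none) are assumptions.

```python
import ipaddress
from bisect import bisect_right
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Interval = Tuple[int, int]        # inclusive (start, end) on the integer line
Attr = Optional[List[Interval]]   # None stands for "any" and matches everything
# Assumed numbering; the patent only says protocols are compared numerically.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

def linearise(ranges: List[Interval]) -> List[Interval]:
    """Sort ascending and merge overlapping or adjacent intervals (unique form)."""
    merged: List[Interval] = []
    for start, end in sorted(ranges):
        if start > end:
            raise ValueError("interval start must not exceed its end")
        if merged and start <= merged[-1][1] + 1:      # overlaps or touches previous
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def addr_interval(spec: str) -> Interval:
    """'a.b.c.*' wildcard, 'lo-hi' range or a single IPv4 address -> (lo, hi)."""
    if "-" in spec:
        lo, hi = (s.strip() for s in spec.split("-", 1))
    elif "*" in spec:
        lo, hi = spec.replace("*", "0"), spec.replace("*", "255")
    else:
        lo = hi = spec.strip()
    return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))

def attr(values, conv=lambda v: (int(v), int(v))) -> Attr:
    """Linearise one attribute; the string 'any' becomes None."""
    if values == "any":
        return None
    if not isinstance(values, (list, tuple)):
        values = [values]
    return linearise([conv(v) for v in values])

def addr(values) -> Attr:
    return attr(values, addr_interval)

def proto(values) -> Attr:
    return attr(values, lambda p: (PROTO_NUMBERS[p.lower()],) * 2)

@dataclass
class Rule:
    seq: int          # priority sequence number: lower value, higher priority
    src: Attr
    dst: Attr
    proto: Attr
    port: Attr
    action: str

def intersects(a: Attr, b: Attr) -> bool:
    """True when two linearised attributes share at least one value."""
    if a is None or b is None:        # "any" intersects everything
        return True
    if a == b:                        # identical attributes: one comparison pass
        return True
    starts = [s for s, _ in b]
    for s1, e1 in a:
        i = bisect_right(starts, s1) - 1            # last b-interval starting <= s1
        if i >= 0 and s1 <= b[i][1]:                # s1 equals a start or lies inside b[i]
            return True
        if i + 1 < len(b) and e1 >= starts[i + 1]:  # (s1, e1) reaches the next b-interval
            return True
    return False

ATTRIBUTE_ORDER = ("src", "dst", "port", "proto")   # order of steps 20-23 (source port omitted)

def detect(ruleset: List[Rule], new: Rule) -> Dict[str, List[int]]:
    """Classify each existing rule as unrelated, redundant or conflicting w.r.t. `new`."""
    candidates = [r for r in ruleset if r.seq != new.seq]   # the temporary list L
    for name in ATTRIBUTE_ORDER:
        candidates = [r for r in candidates if intersects(getattr(new, name), getattr(r, name))]
        if not candidates:                                  # step 22: L empty, no conflict
            break
    related = {r.seq for r in candidates}
    return {
        "redundant": [r.seq for r in candidates if r.action == new.action],
        "conflict": [r.seq for r in candidates if r.action != new.action],
        "unrelated": [r.seq for r in ruleset if r.seq != new.seq and r.seq not in related],
    }

RULESET = [   # the patent's example rule set, re-typed here as constructed input
    Rule(1, addr("11.22.33.*"), addr("11.22.44.*"), proto("tcp"), attr(21), "accept"),
    Rule(2, addr(["11.22.1.38-11.22.1.56", "11.22.2.5-11.22.2.128", "11.22.3.0-11.22.3.16"]),
         addr("any"), proto("tcp"), attr(80), "deny"),
    Rule(3, addr("11.22.2.*"), addr("any"), proto("tcp"), attr(80), "accept"),
]
NEW_RULE = Rule(4, addr(["11.22.1.*", "11.22.2.*", "11.22.3.*"]), addr("any"),
                proto("tcp"), attr(80), "accept")

if __name__ == "__main__":
    print(detect(RULESET, NEW_RULE))   # {'redundant': [3], 'conflict': [2], 'unrelated': [1]}
```

Note that merging the three adjacent wildcards of rule 4 yields the single interval 11.22.1.0 to 11.22.3.255, which is what the adjacency rule of the linearisation definition produces.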
Corresponding to the above method, the present invention further proposes a device for detecting firewall rule conflict. Refer to Fig. 2, which is a structural block diagram of the device for detecting firewall rule conflict according to the present invention. The device mainly comprises a linearisation transform module, a linked-list storage module, a linked-list traversal module and a judgement module, wherein:
the linearisation transform module is used to perform a linearisation transform on the attribute information of each rule in the firewall rule set; the attribute information is one or more of source address, destination address, protocol, source port and destination port;
the linked-list storage module is used to store, in the form of a linearised linked list indexed by the priority sequence number of each rule, the linearised intervals corresponding to the attribute information of each rule obtained after the linearisation transform; in the linearised linked list, the linearised intervals corresponding to any attribute of a rule are arranged in ascending order, and no two of those linearised intervals intersect;
the linked-list traversal module is used, when a rule is added to or modified in the firewall rule set, to traverse the linearised linked list and add to a related-rule set every rule of the firewall rule set whose attribute information intersects that of the added or modified rule; the linked-list traversal module is further used to determine that a rule of the firewall rule set whose attribute information does not intersect that of the added or modified rule is unrelated to the added or modified rule;
the judgement module is used to judge in turn whether the action corresponding to each rule in the related-rule set is consistent with the action corresponding to the added or modified rule, to determine a rule with a consistent action to be redundant with the added or modified rule, and to determine a rule with an inconsistent action to conflict with it.
For other details of the implementation of the device of the present invention, refer to the description of the corresponding content in the method above; they are not repeated here.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.

Claims (8)

1. A method for detecting firewall rule conflict, characterised in that it comprises the steps of:
A. performing a linearisation transform on the attribute information of each rule in a firewall rule set, and storing, in the form of a linearised linked list indexed by the priority sequence number of each rule, the linearised intervals corresponding to the attribute information of each rule obtained after the transform;
B. when a rule is added to or modified in the firewall rule set, traversing the linearised linked list and adding to a related-rule set every rule of the firewall rule set whose attribute information intersects that of the added or modified rule;
C. judging in turn whether the action corresponding to each rule in the related-rule set is consistent with the action corresponding to the added or modified rule, determining a rule with a consistent action to be redundant with the added or modified rule, and determining a rule with an inconsistent action to conflict with the added or modified rule.
2. The method of claim 1, characterised in that the attribute information is one or more of source address, destination address, transport protocol, source port and destination port.
3. The method of claim 1, characterised in that it further comprises the step of determining that a rule of the firewall rule set whose attribute information does not intersect that of the added or modified rule is unrelated to the added or modified rule.
4. The method of claim 1, characterised in that in the linearised linked list the linearised intervals corresponding to any attribute of a rule are arranged in ascending order, and no two of those linearised intervals intersect.
5. A device for detecting firewall rule conflict, characterised in that it comprises a linearisation transform module, a linked-list storage module, a linked-list traversal module and a judgement module, wherein:
the linearisation transform module is used to perform a linearisation transform on the attribute information of each rule in a firewall rule set;
the linked-list storage module is used to store, in the form of a linearised linked list indexed by the priority sequence number of each rule, the linearised intervals corresponding to the attribute information of each rule obtained after the linearisation transform;
the linked-list traversal module is used, when a rule is added to or modified in the firewall rule set, to traverse the linearised linked list and add to a related-rule set every rule of the firewall rule set whose attribute information intersects that of the added or modified rule;
the judgement module is used to judge in turn whether the action corresponding to each rule in the related-rule set is consistent with the action corresponding to the added or modified rule, to determine a rule with a consistent action to be redundant with the added or modified rule, and to determine a rule with an inconsistent action to conflict with the added or modified rule.
6. The device of claim 5, characterised in that the attribute information is one or more of source address, destination address, protocol, source port and destination port.
7. The device of claim 5, characterised in that the linked-list traversal module is further used to determine that a rule of the firewall rule set whose attribute information does not intersect that of the added or modified rule is unrelated to the added or modified rule.
8. The device of claim 5, characterised in that in the linearised linked list the linearised intervals corresponding to any attribute of a rule are arranged in ascending order, and no two of those linearised intervals intersect.

Filing and publication data

Application CN2008102279678A, "Method and device for detecting firewall rule conflict", filed 2008-12-03 (priority date 2008-12-03); status: active.
Publications: CN101753369A (application, published 2010-06-23); CN101753369B (granted patent, published 2012-03-28).
Family ID: 42479808; one family application (CN), country status: CN (1) CN101753369B.

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103714415A (en) * 2013-12-04 2014-04-09 深圳市华傲数据技术有限公司 Method and system for automatic restoration of batch data
CN104113516A (en) * 2013-04-19 2014-10-22 中国移动通信集团设计院有限公司 Method and terminal for recognizing rule conflicts of firewalls
CN104135461A (en) * 2013-05-02 2014-11-05 中国移动通信集团河北有限公司 Firewall policy processing method and device
CN104519030A (en) * 2013-09-30 2015-04-15 西门子公司 Method and device for safety detection
CN104601526A (en) * 2013-10-31 2015-05-06 华为技术有限公司 Method and device for detecting and resolving conflict
CN104735026A (en) * 2013-12-19 2015-06-24 华为技术有限公司 Security policy control method and device
CN104883347A (en) * 2014-09-28 2015-09-02 北京匡恩网络科技有限责任公司 Network security rule conflict analysis and simplification method
CN106470205A (en) * 2015-08-21 2017-03-01 中兴通讯股份有限公司 Security configuration change detection method and apparatus
CN107094143A (en) * 2017-04-28 2017-08-25 杭州迪普科技股份有限公司 Policy redundancy detection method and device
CN108429774A (en) * 2018-06-21 2018-08-21 蔡梦臣 Firewall policy centralized optimization management method and system
CN108471412A (en) * 2018-03-19 2018-08-31 武汉华大国家数字化学习工程技术有限公司 Firewall rule conflict detection method
CN108632203A (en) * 2017-03-16 2018-10-09 哈尔滨英赛克信息技术有限公司 Flow table rule conflict optimization method based on alias set rule reduction
CN108900543A (en) * 2018-08-13 2018-11-27 郑州云海信息技术有限公司 Method and apparatus for managing firewall rules
CN110290152A (en) * 2019-07-18 2019-09-27 成都安恒信息技术有限公司 Firewall rule engine time complexity evaluation method based on probability weighted path
CN110710159A (en) * 2017-05-31 2020-01-17 思科技术公司 Generation of counter examples for network intent formal equivalence failures
CN111416818A (en) * 2020-03-17 2020-07-14 北京金山云网络技术有限公司 Website security protection method and device and server
CN111935100A (en) * 2020-07-16 2020-11-13 锐捷网络股份有限公司 Flowspec rule issuing method, device, equipment and medium
CN114745208A (en) * 2022-06-10 2022-07-12 深圳市永达电子信息股份有限公司 Method for detecting and correcting anomalies in a firewall access control list

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1282332C (en) * 2003-11-13 2006-10-25 中兴通讯股份有限公司 A method of fast data packet filtering
CN100499486C (en) * 2004-08-07 2009-06-10 海信集团有限公司 Object-oriented firewall access control method

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104113516A (en) * 2013-04-19 2014-10-22 中国移动通信集团设计院有限公司 Method and terminal for recognizing rule conflicts of firewalls
CN104135461A (en) * 2013-05-02 2014-11-05 中国移动通信集团河北有限公司 Firewall policy processing method and device
CN104519030B (en) * 2013-09-30 2018-07-17 西门子公司 Method and apparatus for safety detection
CN104519030A (en) * 2013-09-30 2015-04-15 西门子公司 Method and device for safety detection
CN104601526B (en) * 2013-10-31 2018-01-09 华为技术有限公司 Conflict detection and resolution method and apparatus
WO2015062291A1 (en) * 2013-10-31 2015-05-07 华为技术有限公司 Conflict detection and solving method and device
US10917437B2 (en) 2013-10-31 2021-02-09 Huawei Technologies Co., Ltd. Conflict detection and resolution methods and apparatuses
CN104601526A (en) * 2013-10-31 2015-05-06 华为技术有限公司 Method and device for detecting and resolving conflict
US10044759B2 (en) 2013-10-31 2018-08-07 Huawei Technologies Co., Ltd. Conflict detection and resolution methods and apparatuses
CN103714415A (en) * 2013-12-04 2014-04-09 深圳市华傲数据技术有限公司 Method and system for automatic restoration of batch data
CN104735026A (en) * 2013-12-19 2015-06-24 华为技术有限公司 Security policy control method and device
CN104735026B (en) * 2013-12-19 2018-05-18 华为技术有限公司 Security policy control method and device
CN104883347A (en) * 2014-09-28 2015-09-02 北京匡恩网络科技有限责任公司 Network security rule conflict analysis and simplification method
CN106470205A (en) * 2015-08-21 2017-03-01 中兴通讯股份有限公司 Security configuration change detection method and apparatus
CN106470205B (en) * 2015-08-21 2021-03-05 中兴通讯股份有限公司 Security configuration change detection method and device
CN108632203A (en) * 2017-03-16 2018-10-09 哈尔滨英赛克信息技术有限公司 Flow table rule conflict optimization method based on alias set rule reduction
CN107094143A (en) * 2017-04-28 2017-08-25 杭州迪普科技股份有限公司 Policy redundancy detection method and device
CN110710159B (en) * 2017-05-31 2022-08-19 思科技术公司 Methods, systems, devices, and media for network configuration and troubleshooting
US11303531B2 (en) 2017-05-31 2022-04-12 Cisco Technologies, Inc. Generation of counter examples for network intent formal equivalence failures
CN110710159A (en) * 2017-05-31 2020-01-17 思科技术公司 Generation of counter examples for network intent formal equivalence failures
CN108471412A (en) * 2018-03-19 2018-08-31 武汉华大国家数字化学习工程技术有限公司 Firewall rule conflict detection method
CN108429774A (en) * 2018-06-21 2018-08-21 蔡梦臣 Firewall policy centralized optimization management method and system
CN108900543A (en) * 2018-08-13 2018-11-27 郑州云海信息技术有限公司 Method and apparatus for managing firewall rules
CN110290152B (en) * 2019-07-18 2021-10-15 成都安恒信息技术有限公司 Firewall rule engine time complexity evaluation method based on probability weighted path
CN110290152A (en) * 2019-07-18 2019-09-27 成都安恒信息技术有限公司 Firewall rule engine time complexity evaluation method based on probability weighted path
CN111416818A (en) * 2020-03-17 2020-07-14 北京金山云网络技术有限公司 Website security protection method and device and server
CN111935100A (en) * 2020-07-16 2020-11-13 锐捷网络股份有限公司 Flowspec rule issuing method, device, equipment and medium
CN111935100B (en) * 2020-07-16 2022-05-20 锐捷网络股份有限公司 Flowspec rule issuing method, device, equipment and medium
CN114745208A (en) * 2022-06-10 2022-07-12 深圳市永达电子信息股份有限公司 Method for detecting and correcting anomalies in a firewall access control list

Also Published As

Publication number Publication date
CN101753369B (en) 2012-03-28

Similar Documents

Publication Publication Date Title
CN101753369B (en) Method and device for detecting firewall rule conflict
CN102301342B (en) Regular Expression Matching Method And System, And Searching Device
Chikhi et al. Data structures to represent a set of k-long DNA sequences
CN101753542A (en) Method and device for speeding up matching of filter rules of firewalls
CN107729371B (en) Data indexing and querying method, device, equipment and storage medium of block chain
CN105677683A (en) Batch data query method and device
US9892143B2 (en) Association index linking child and parent tables
WO2015021879A1 (en) Method and device for mining data regular expression
CN104572983A (en) Construction method based on hash table of memory, text searching method and corresponding device
WO2009095981A1 (en) Method and device for building tree-structured data from table
US20120078880A1 (en) Accelerating Database Queries Containing Bitmap-Based Conditions
CN103001878A (en) Determination method and device for media access control (MAC) address Hash collision
CN111666468A (en) Method for searching personalized influence community in social network based on cluster attributes
Shen et al. Approximate covering detection among content-based subscriptions using space filling curves
Yao et al. Topology identification of multi-weighted complex networks based on adaptive synchronization: a graph-theoretic approach
CN106599091A (en) Storage and indexing method of RDF graph structures stored based on key values
CN102207979A (en) Sensitive word matching method and system
CN101848248A (en) Rule searching method and device
CN113704252A (en) Rule engine decision tree implementation method and device, computer equipment and computer readable storage medium
CN105447135A (en) Data search method and device
JP7412935B2 Method for converting source code into numeric identifiers and comparing them against a dataset
CN103984760A Data structure oriented to content publish/subscribe systems and mixed event matching method thereof
CN109344239A Business process model query method and query system based on temporal features
CN104486259A (en) Switch configuration file storage method, and switch configuration file storage system
CN114064653A (en) Data insertion method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant