CN102594770A - Adaptive optimizing method based on cloud storage firewall - Google Patents
Adaptive optimizing method based on cloud storage firewall Download PDFInfo
- Publication number
- CN102594770A CN102594770A CN2011100024214A CN201110002421A CN102594770A CN 102594770 A CN102594770 A CN 102594770A CN 2011100024214 A CN2011100024214 A CN 2011100024214A CN 201110002421 A CN201110002421 A CN 201110002421A CN 102594770 A CN102594770 A CN 102594770A
- Authority
- CN
- China
- Prior art keywords
- rule
- weight
- adaptive
- cloud storage
- firewall
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The invention intends to disclose an adaptive optimizing method based on cloud storage firewall, which employs global information collection and statistics weight computation based on time, and relates to adaptive optimization which considers compositing of recent network flow with historically accumulated data, etc.; in comparison with other optimization models and strategies, the method pays attention to dynamic flow information based on time, so that adaptive capability and availability of the firewall are improved in general conditions, and the scope of application of the firewall is wider. Meanwhile, on a basis of packet filtering technology, the cloud storage firewall can be applied to stateless or state detection firewalls without too much change, so that the purpose of the adaptive optimizing method is achieved.
Description
Technical field
The present invention relates to a kind of adaptive optimization method, particularly a kind of adaptive optimization method based on cloud storage fire compartment wall.
Background technology
Along with the wide-scale distribution with information that develops rapidly of network, the importance of fire compartment wall is more and more significant also.Fire compartment wall is divided into software firewall and hardware firewall two big classes.The fail safe of software firewall mainly realizes through control law.In the realization of firewall security property, filtering rule connects through management, keeps watch on and filter the reliability and the security of system of network package (traffic flow) service data in turnover trusted area and untrusted zone.In order to improve security performance as far as possible, this security protection implementation pattern usually need be introduced a large amount of strictnesses rule targetedly, thereby has reduced the availability and the adaptive ability of fire compartment wall to a certain extent.
For availability and the adaptive ability of improving fire compartment wall, existing optimisation strategy and algorithm are considered function parallelization, the solution of raising such as the reconstruct of rale store structure adaptive capacity not influencing on the safe basis as far as possible.
But existing scheme does not much have to consider the filtering information collection based on the time period, the behavioral characteristics of network traffics, and perhaps strategy only guarantees the upper bound of probability analysis under the worst case.These defectives make that optimization is powerless for random case, thereby can not put in the practical application and go.
Software firewall has based on two types of filtering packets and proxy gateways.The technological scope of application based on filtering packets has relatively extensively also successively formed two generation filtering packets fire compartment walls (stateless firewall and stateful firewall).In the filtering packets fire compartment wall, filtering rule is the core part of fire compartment wall, is responsible for the realization of function of safety protection, also is the key factor that influences fire compartment wall availability and adaptive ability simultaneously.
Therefore, research improves fire compartment wall adaptive ability and availability under the prerequisite that does not influence fail safe, and to the user of fire compartment wall, particularly cloud storage fire compartment wall user is significant.
Comprise filtration based on the technological software firewall rule of filtering packets and comprise the required network field attribute of filtration usually.Traditional filtering rule generally comprises rule numbers (Rule ID); Application protocol type (Protocol Type); Long-range/local ip address (Remote/Local IP); Long-range/local port attribute filtered fields and package processing modes (Action) such as (Remote/Local Port), as shown in Figure 1.
In the rule match based on filtering packets, each turnover package of fire compartment wall interception makes its attribute and the respective field of rule circulate matching ratio.Not matching of any one field all will cause the end of current coupling, and jump to next bar rule automatically and mate again; Otherwise, if all attribute field (except the Rule ID, Filtering Action) matees successfully, then carry out the processing mode that defines among the Filtering Action, promptly transmit or abandon this package.We are not difficult to find in this course, and conventional regular texture can be introduced a large amount of redundancies.For example shown in Figure 1 regular 1,2 at protocol type, in full accord on the direction of the traffic.If rule 1 places before the rule 2 in the regular collection of reality, the package of matched rule 2 rule 1 that do not match so fully, and pass in and out on two fields with flow at protocol type at least and done extra invalid coupling.And general procotol all has fixing serve port, http (80) for example, ftp (21), pop3 (110) etc.In the rule similarly the attribute binding relationship also can aggravate redundancy ratio and the waste of memory space.
For tree-like storage, gather memory module based on the linear programming of array or chained list and be applicable to that regular quantity size is less, and the situation of its property value irregular distribution.When rule was linear storage, its relative position in regular collection also just was equivalent to its weight.In the rule match process; If the rule of the i bar in complete matching rule set of network package characteristic attribute; For this package matching process, preceding i-1 coupling all is extra coupling or invalid coupling so, thereby aggravated the end-to-end delay (end-to-enddelay) of this package.So, if the frequency of utilization of reasonable prediction rule is its suitable position of arrangement in regular collection, so from the overall situation with the service performance that improves fire compartment wall.At present,, exist, can only provide the possibility upper bound and do not pay close attention to average behavior, rely on problems such as a large amount of manual adjustment of user such as not considering the dynamic network traffic characteristic although some achievements are arranged on this direction.
In sum, to the defective of prior art, need a kind of adaptive optimization method especially, with the problem of mentioning more than solving based on cloud storage fire compartment wall.
Summary of the invention
The object of the present invention is to provide a kind of adaptive optimization method, solve the defective of above-mentioned prior art, on the basis of analyzing filtering packets technology and existing adaptive strategy and algorithm, improve the adaptive ability of fire compartment wall based on cloud storage fire compartment wall.
The technical problem that the present invention solved can adopt following technical scheme to realize:
A kind of adaptive optimization method based on cloud storage fire compartment wall is characterized in that it comprises the steps:
1) carries out the firewall rule structure optimization; Property value in the rule is changed greatly; Field and property value that the attribute dependence is less are more stable; The degree of association is big between the attribute field is separated, and when being divided into rule two son parts, sets up between two parts the major key in the global scope with reference to association;
2) carry out the firewall rule set and optimize, obtain formula:
Wherein, Fi is illustrated in this attribute collection of some special time periods and obtains this rule match number of times; Fi representes the weight of rule match number of times; Bi representes ad hoc rules data matching flow; Bi representes the overall percentage of ad hoc rules data matching flow.
In one embodiment of the invention; In above-mentioned steps 2, ratio difference shared in the definition rule weight can directly influence adaptive regular weight, uses an access weight factor p to regulate; Can specify two ratios that part is shared according to user's needs, obtain formula:
Access_Weighti=p*fi+(1-p)*bi
Wherein, 0<p<1, p is more near 0, and data volume is occupied big more weight so, on the contrary package quantity occupies big more weight.
In one embodiment of the invention; In above-mentioned steps 2, the order after the quicksort on the weight properties is optimized, right to use repeated factor q is optimized back order and historical accumulation order proportioning; Obtain position weight New_weight on the new global sense, obtain formula:
New_weighti=q*Old_Orderi+(1-q)*Optimized_Orderi。
Wherein, 0<q<1, Optimized_Order representes to optimize the back order, and Old_Order representes historical accumulation order.
Adaptive optimization method based on cloud storage fire compartment wall of the present invention; Use time-based global information to collect and statistical weight calculating; Considered that recent network traffics and historical accumulation data etc. carry out compound adaptive optimization, compared with strategy that this method is paid close attention to time-based dynamic flow information with other Optimization Model; Improved the adaptive ability and the availability of fire compartment wall generally speaking, range of application is more extensive; Simultaneously, be the basis, do not need too much change just to can be applicable on stateless or the state-inspection firewall, realize the object of the invention with the filtering packets technology.
Conclusion
The cloud storage fire compartment wall adaptive optimization strategy that this paper introduces is can flexible Application suitable in the regular collection scale, and filtering rule has the fire compartment wall scene of weight.Optimization Model has been considered filtering rule and regular collection structural remodeling, uses time-based global information to collect and statistical weight calculating, has considered that recent network traffics and historical accumulation data etc. carry out compound adaptive optimization.Compare with strategy with other Optimization Model, this strategy is paid close attention to time-based dynamic flow information, improved the adaptive ability and the availability of fire compartment wall generally speaking, so range of application is more extensive.On the other hand, because optimisation strategy is the basis with the filtering packets technology, so do not need too much change just to can be applicable on stateless or the state-inspection firewall.
Characteristics of the present invention can consult this case graphic and below better execution mode detailed description and obtain to be well understood to.
Description of drawings
Fig. 1 is the sketch map of existing linear firewall rule model;
Fig. 2 is the sketch map of regular reference model of the present invention;
Fig. 3 is the sketch map of the accessible best-case of NHOR for scene;
Fig. 4 is the sketch map of the performance results of two kinds of optimizations under twice visit that sequential structure differs greatly;
Fig. 5 is the HOR extra optimization result's of reference sketch map for expression with NHOR.
Embodiment
For technological means, creation characteristic that the present invention is realized, reach purpose and effect and be easy to understand and understand, below in conjunction with concrete diagram, further set forth the present invention.
Adaptive optimization method based on cloud storage fire compartment wall of the present invention is characterized in that it comprises the steps:
1) carries out the firewall rule structure optimization; Property value in the rule is changed greatly; Field and property value that the attribute dependence is less are more stable; The degree of association is big between the attribute field is separated, and when being divided into rule two son parts, sets up between two parts the major key in the global scope with reference to association;
2) carry out the firewall rule set and optimize, obtain formula:
Wherein, Fi is illustrated in this attribute collection of some special time periods and obtains this rule match number of times; Fi representes the weight of rule match number of times; Bi representes ad hoc rules data matching flow; Bi representes the overall percentage of ad hoc rules data matching flow.
The central factor that influences filtering packets fire compartment wall adaptive ability is a rule, and the adaptive optimization of rule is mainly concentrated on 2 points.The one, the relation between the reasonable processing rule, the 2nd, rationally arrange relative order regular in the regular collection.
The firewall rule structure optimization
Remove and use some rules specific to merge, it is redundant with beyond the dependence that the fractionation strategy reduces rule field, uses a regular reference model also can address the above problem.Soon property value changes greatly in the rule, and field and property value that the attribute dependence is less are more stable, and the field that the degree of association is big between the attribute is separated.When being divided into rule two son parts, set up between two parts the major key in the global scope with reference to association.As shown in Figure 2, this structure can be separated traditional regular texture, reduces the memory space and the number of comparisons of redundant field, and its performance along with the increase of regular number significantly.
The firewall rule set is optimized
At first, need consider the frequency of occurrences of successful match rule.With having certain a series of network package attribute occurrence number, perhaps the matching times of a rule is weighed.This attribute of some special time periods is collected, just can obtain this rule match number of times, Fi representes with variable.In order to make this attribute have global sense, use global registration percentage variable fi to weigh the weight of rule match number of times.Secondly, need consider that network traffics have deflection property.Common 20% network flow has 10 above network package, and the valid data total amount that this part flow contains 70%.That is to say,, but influence the key component of complete service quality though the weight of a part of package attribute on the rule match frequency is low.So when considering matching times, must consider data volume and weight ratio that flow carries, represent the overall percentage of ad hoc rules data matching flow and this flow respectively with variable Bi and bi, obtain as follows (1), (2) formula:
More than two formula consider the network attribute frequency of occurrences and the data traffic weight of dynamic flow.Consider that both can directly influence adaptive regular weight at ratio difference shared in the definition rule weight; Use an access weight factor p (0<p<1) to regulate; Can specify two ratios that part is shared according to user's needs, shown in (3) formula.Variable p is more near 0, and data volume is occupied big more weight so, otherwise package quantity occupies big more weight.The user can be according to the characteristic that conducts interviews, and Application Type is regulated this weight, makes the closing to reality situation more of optimizing.
Access_Weighti=p*fi+(1-p)*bi (3)
In one section special time; Can use formula (3) to calculate the weight (enliven rule and refer to the rule that in this time period, matches) of the active rule of each bar in the regular collection; Thereby regular collection is carried out the automatic reconfiguration adjustment, obtain adaptive optimization sequence of rules later on.Yet possibly there is contingency in the package contact sequence in the special time period, and the frequency of its generation, the data traffic of carrying can not whole data access of actual response or transmission courses, are not enough so only adopt such certainty optimization.In addition, though above-mentioned optimization is based on the accurate collection of access sequence information, but based on the Optimization result of outdated data.The Unpredictability of access sequence complexity and following package sequence can cause the follow-up package sequence of Optimization result incompatibility.So, can not be fully with the whole and unique conditional of the accumulation achievement in any a period of time as adaptive optimization.Therefore, we consider on the basis of carrying out first adaptive optimization, to proceed the adaptation optimization based on the history accumulation, shown in formula (4)
New_weighti=q*Old_Orderi+(1-q)*Optimized_Orderi (4)
Through the data collection of each time period, after calculating statistics rule weight and using other optimization processes, we use the order after the quicksort on the weight properties is optimized.Right to use repeated factor q (0<q<1) is optimized back order (Optimized_Order) and historical accumulation order (Old_Order) proportioning; Obtain position weight New_weight on the new global sense, the reconfiguration rule of on this weighted value, resequencing set.The adaptive optimization regular collection that we obtain just has adaptive ability more.The accumulation of regular weight before new weight has not only been considered and optimized, and considered that this new Optimization result is to original regular collection effect on structure.
Policy evaluation
In this part, we will prove the adaptive performance and the availability of our optimisation strategy through a series of tests.In test, the factor that influences rule match sum has following, and the rule sum enlivens regular number, package situation (comprising package number and data traffic).In order to make test effect more obvious, we arrange the filtering rule sum to reflect the usable range of adaptive optimization from 10-100.Whole filtering rules all is active rule, gets rid of non-ly to enliven rule optimization raising impacts to adaptive ability.We reduce quantity with coupling, and coupling reduces percentage and enlivens the influence of the raising of the relationship description adaptive ability between the regular quantity to fire wall performance.As shown in Figure 3, to use identical simulation package sequence that initial rules is gathered and carry out double matching test, with the Optimization result (promptly not using formula (4) to handle) of historical accumulation, HOR represents the Optimization result of using historical accumulation in the NHOR representative.Notice that this visit sequence is the best-case that NHOR optimizes, can obtain maximum 18% performance raising in this case.And use HOR to optimize, though improve in the performance that obtains about 13% under this special scenes at most, and be no more than 5% with NHOR difference under the average case.
Fig. 3 scene is the accessible best-case of NHOR.Proved also simultaneously that the optimization effect that has historical accumulation also has reasonable self adaptation effect under the metastable situation of access sequence structure.Below, use discrepant double access sequence to check the adaptivity of two kinds of optimizations.As shown in Figure 4, be the performance results of two kinds of optimizations under twice visit that sequential structure differs greatly.Fig. 5 representes with NHOR to be the HOR extra optimization result of reference, therefrom can find both difference more clearly.Enlivening regular quantity from the 10-100 change procedure, to compare with NHOR, it is maximum 18% that the HOR adaptive optimization can bring, minimum 5%, and average about 10% extra performance improves.If consider the long time integration of historical data, it is huge especially perhaps to pass in and out the package sequence difference, and both performance differences can further improve.
More than show and described basic principle of the present invention and principal character and advantage of the present invention.The technical staff of the industry should understand; The present invention is not restricted to the described embodiments; That describes in the foregoing description and the specification just explains principle of the present invention, and under the prerequisite that does not break away from spirit and scope of the invention, the present invention also has various changes and modifications; These variations and improvement all fall in the scope of the invention that requires protection, and the present invention requires protection range to be defined by appending claims and equivalent thereof.
Claims (3)
1. the adaptive optimization method based on cloud storage fire compartment wall is characterized in that it comprises the steps:
1) carries out the firewall rule structure optimization; Property value in the rule is changed greatly; Field and property value that the attribute dependence is less are more stable; The degree of association is big between the attribute field is separated, and when being divided into rule two son parts, sets up between two parts the major key in the global scope with reference to association;
2) carry out the firewall rule set and optimize, obtain formula:
Wherein, Fi is illustrated in this attribute collection of some special time periods and obtains this rule match number of times; Fi representes the weight of rule match number of times; Bi representes ad hoc rules data matching flow; Bi representes the overall percentage of ad hoc rules data matching flow.
2. the adaptive optimization method based on cloud storage fire compartment wall as claimed in claim 1; It is characterized in that; In above-mentioned steps 2, ratio difference shared in the definition rule weight can directly influence adaptive regular weight, uses an access weight factor p to regulate; Can specify two ratios that part is shared according to user's needs, obtain formula:
Access_Weighti=p*fi+(1-p)*bi
Wherein, 0<p<1, p is more near 0, and data volume is occupied big more weight so, on the contrary package quantity occupies big more weight.
3. the adaptive optimization method based on cloud storage fire compartment wall as claimed in claim 1; It is characterized in that; In above-mentioned steps 2, the order after the quicksort on the weight properties is optimized, right to use repeated factor q is optimized back order and historical accumulation order proportioning; Obtain position weight New_weight on the new global sense, obtain formula:
New_weighti=q*Old_Orderi+(1-q)*Optimized_Orderi。
Wherein, 0<q<1, Optimized_Order representes to optimize the back order, and Old_Order representes historical accumulation order.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011100024214A CN102594770A (en) | 2011-01-07 | 2011-01-07 | Adaptive optimizing method based on cloud storage firewall |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2011100024214A CN102594770A (en) | 2011-01-07 | 2011-01-07 | Adaptive optimizing method based on cloud storage firewall |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102594770A true CN102594770A (en) | 2012-07-18 |
Family
ID=46482978
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2011100024214A Pending CN102594770A (en) | 2011-01-07 | 2011-01-07 | Adaptive optimizing method based on cloud storage firewall |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102594770A (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104135461A (en) * | 2013-05-02 | 2014-11-05 | 中国移动通信集团河北有限公司 | Firewall policy processing method and device |
| CN104468161A (en) * | 2013-09-17 | 2015-03-25 | 中国移动通信集团设计院有限公司 | Configuration method and apparatus of firewall rule set, and firewall |
| CN105791213A (en) * | 2014-12-18 | 2016-07-20 | 华为技术有限公司 | Strategy optimization device and method |
| CN108462717A (en) * | 2018-03-21 | 2018-08-28 | 北京理工大学 | The firewall rule sets under discrimination optimization method of rule-based match hit rate and distribution variance |
| CN109729082A (en) * | 2018-12-25 | 2019-05-07 | 国云科技股份有限公司 | A kind of firewall rule matching algorithm generated based on characteristic value with retrieval |
-
2011
- 2011-01-07 CN CN2011100024214A patent/CN102594770A/en active Pending
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104135461A (en) * | 2013-05-02 | 2014-11-05 | 中国移动通信集团河北有限公司 | Firewall policy processing method and device |
| CN104468161A (en) * | 2013-09-17 | 2015-03-25 | 中国移动通信集团设计院有限公司 | Configuration method and apparatus of firewall rule set, and firewall |
| CN104468161B (en) * | 2013-09-17 | 2018-05-22 | 中国移动通信集团设计院有限公司 | A kind of collocation method of firewall rule sets under discrimination, device and fire wall |
| CN105791213A (en) * | 2014-12-18 | 2016-07-20 | 华为技术有限公司 | Strategy optimization device and method |
| CN105791213B (en) * | 2014-12-18 | 2020-01-10 | 华为技术有限公司 | Policy optimization device and method |
| CN108462717A (en) * | 2018-03-21 | 2018-08-28 | 北京理工大学 | The firewall rule sets under discrimination optimization method of rule-based match hit rate and distribution variance |
| CN108462717B (en) * | 2018-03-21 | 2020-07-28 | 北京理工大学 | Firewall rule set optimization method based on rule matching hit rate and distribution variance |
| CN109729082A (en) * | 2018-12-25 | 2019-05-07 | 国云科技股份有限公司 | A kind of firewall rule matching algorithm generated based on characteristic value with retrieval |
| CN109729082B (en) * | 2018-12-25 | 2021-11-19 | 国云科技股份有限公司 | Firewall rule matching method based on characteristic value generation and retrieval |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Ren et al. | A trust-based minimum cost and quality aware data collection scheme in P2P network | |
| CN102594770A (en) | Adaptive optimizing method based on cloud storage firewall | |
| Chin et al. | Q-learning based traffic optimization in management of signal timing plan | |
| CN109120627A (en) | A kind of 6LoWPAN network inbreak detection method based on improvement KNN | |
| Molina et al. | Optimal sensor network layout using multi-objective metaheuristics. | |
| CN101355504A (en) | Method and apparatus for confirming user behavior | |
| CN109120463B (en) | Flow prediction method and device | |
| CN104049575A (en) | Collecting And Delivering Data To A Big Data Machine In A Process Control System | |
| Ayoubi et al. | An autonomous IoT service placement methodology in fog computing | |
| CN108537542B (en) | Data processing method for social network | |
| CN104869155A (en) | Data auditing method and device | |
| Seredynski et al. | Analysing the development of cooperation in MANETs using evolutionary game theory | |
| CN101132375A (en) | Network flux statistical method and device | |
| CN108628769A (en) | A kind of cache allocation method and equipment | |
| CN103916478B (en) | The method and apparatus that streaming based on distributed system builds data side | |
| CN110719194A (en) | Network data analysis method and device | |
| CN107292388A (en) | A kind of Forecasting Methodology and system of the hot spot data based on neutral net | |
| Acevedo et al. | WRF-RPL: Weighted random forward RPL for high traffic and energy demanding scenarios | |
| Wang et al. | Permissioned blockchain for efficient and secure resource sharing in vehicular edge computing | |
| Cripps et al. | Strategic experimentation in queues | |
| CN115016923A (en) | Intelligent processing method for Internet of things data based on edge gateway | |
| CN108037998B (en) | A kind of data receiving channel dynamic allocation method towards Spark Streaming platform | |
| US11652703B2 (en) | Dynamic processing distribution for utility communication networks | |
| CN108924203A (en) | Data copy self-adapting distribution method, distributed computing system and relevant device | |
| Kim et al. | Implementation of hybrid P2P networking distributed web crawler using AWS for smart work news big data |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20120718 |