CN103973675A - Method for detecting segmented redundancy in cross-domain collaboration firewalls - Google Patents


Info

Publication number
CN103973675A
Authority
CN
China
Prior art keywords
rule
redundancy
fire compartment
compartment wall
net
Prior art date
Legal status
Granted
Application number
CN201410150528.7A
Other languages
Chinese (zh)
Other versions
CN103973675B (en)
Inventor
彭思思
秦拯
黄星辰
欧露
李文杰
刘向杨
Current Assignee
Hunan University
Original Assignee
Hunan University
Priority date
Filing date
Publication date
Application filed by Hunan University
Priority to CN201410150528.7A
Publication of CN103973675A
Application granted
Publication of CN103973675B
Legal status: Expired - Fee Related (current)
Anticipated expiration

Landscapes

  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for detecting sectioned redundancy in cross-domain cooperative firewalls. The cross-domain cooperative firewalls comprise a first firewall FW1 and a second firewall FW2, deployed in two different network management domains Net1 and Net2 and cooperating to enforce a security policy, with communication flowing from FW1 to FW2. For a rule r of FW2, if all packets that match r but match no rule of FW2 preceding r are discarded by FW1, then r is an inter-firewall redundant rule with respect to FW1. Building on an existing redundancy detection scheme for cross-domain cooperative firewalls, and while preserving privacy, the method improves the processing performed when a firewall rule set is updated, greatly improves redundancy detection efficiency, and saves the communication cost of transmitting data between the two management domains during redundancy analysis.

Description

Sectioned redundancy detection method in cross-domain cooperative firewalls
(1) Technical field
The present invention relates to the field of computer network security, and specifically to a sectioned redundancy detection method for cross-domain cooperative firewalls.
(2) Background art
Firewalls, as a key network security technology, are widely used on the Internet. In a firewall policy, the number of rules directly affects the throughput of the firewall, and throughput drops significantly as the rule count grows. Yet real firewalls commonly carry hundreds or thousands of rules, and with the explosive growth of Internet services the size of firewall policies is also growing rapidly. To improve the execution speed of firewall policies and raise network performance, policies therefore need to be optimized by techniques such as redundancy detection.
With the widespread deployment of Virtual Private Networks (VPN), cooperative firewall technology spanning different management domains has emerged, which poses the following challenges to firewall policy optimization:
First, a Cross-Domain Cooperative Firewall (CDCF) refers to two firewalls deployed in different management domains that cooperate to enforce a security policy. Inter-firewall redundancy is defined as follows: given two adjacent firewalls FW1 and FW2 belonging to different management domains Net1 and Net2, with communication flowing from FW1 to FW2, a rule r of FW2 is an inter-firewall redundant rule with respect to FW1 if all packets that match r in FW2 but match no rule preceding r are discarded by FW1. Obviously, the redundancy between the two firewalls can only be removed if each knows the other's rules. But a firewall policy often contains confidential information, or even potential security vulnerabilities, all of which could be exploited by an attacker. Privacy protection is therefore a prerequisite of CDCF policy optimization: without disclosing either party's firewall policy, the two firewalls must compute and compare, and finally identify the inter-firewall redundant rules.
Second, a firewall's rule set may be updated frequently to meet the network administrator's needs, for example by adding, deleting or changing rules, and after each update inter-firewall redundancy must be detected again. Like a router in the network, a firewall cannot be taken offline, so all updates are applied in real time; the redundancy detection following an update must likewise run in real time and finish as early as possible so that the updated security policy can take effect.
Therefore, for a CDCF, the policy optimization problem must be considered from the angle of privacy protection, and it must also be considered whether the optimization scheme can meet the CDCF's real-time update requirement.
In 2011, scholars first proposed a "privacy-preserving CDCF redundancy detection scheme" (for ease of description, hereafter abbreviated CDPP), which can detect the redundant policy between two adjacent firewalls in a cooperative network under the premise of privacy protection. However, a single run of this scheme has high computation and communication costs, and if the firewalls are updated frequently, running it repeatedly incurs significant computation and communication costs. The scheme may therefore be unsuitable for frequently updated firewalls.
CDCF is a relatively new technology, and apart from the above scheme there are few reports on policy optimization for this class of firewall. Addressing the unsuitability of that scheme for frequently updated CDCFs, the present invention improves CDPP and proposes on its basis an efficient Sectioned Process for Redundancy Removal (SPRR), which detects inter-firewall redundant rules in a CDCF based on the idea of sectioned processing.
(3) Summary of the invention
The problem to be solved by the present invention is that existing inter-firewall redundancy detection schemes have excessive computation and communication costs and are unsuitable for frequently updated CDCFs; SPRR, an efficient sectioned redundancy removal method for CDCFs, is proposed. In an Access Control List (ACL), a firewall policy is generally specified as a sequence of rules, each comprising five fields (source IP, destination IP, source port, destination port, protocol) and a decision (accept or discard). Generally, for a specific field of an ACL, rules whose value sets on that field have a non-empty intersection are called related rules. The present invention takes the first field of the ACL (the source IP) as the specific field and proposes a "related-rule search algorithm" to identify these related rules. The basic idea of the invention is: after an ACL update, find all rules related to the updated rules with the related-rule search algorithm; then, following the idea of sectioned processing, run the privacy-preserving inter-firewall redundancy detection scheme only on these related rules, reducing the volume of data to be processed and thereby reducing the processing time, comparison time and communication cost of redundancy detection.
The main solution of the present invention comprises the following five steps.
Step 1: For firewalls FW1 and FW2 in different management domains Net1 and Net2: if FW1 and FW2 have never performed inter-firewall redundancy detection since forming a CDCF, perform the initial inter-firewall redundancy detection scheme, executing step 2 and step 3 respectively. If FW1 and FW2 have already completed the initial inter-firewall redundancy detection, analyze the update status of FW1 and FW2 and classify it into the following three update scenarios: [Scenario 1] FW1 is updated and FW2 is unchanged; [Scenario 2] FW2 is updated and FW1 is unchanged; [Scenario 3] FW1 and FW2 are updated simultaneously. For [Scenario 1], execute step 2; for [Scenario 2], execute step 3; for [Scenario 3], treat FW1 and FW2 as two new firewalls and execute step 2 and step 3 respectively according to the initial inter-firewall redundancy detection scheme.
Step 2: The purpose of this step is to transform FW1. The transformation of FW1 comprises the following 9 sub-steps:
(1) Run the "related-rule search algorithm" to find the subset S1 of FW1's rules that are related to the updated rules. Note: for the initial inter-firewall redundancy detection, S1 is the whole rule set of FW1.
(2) Construct the subgraph of the firewall decision diagram (SFDD) from S1, and further reduce the size of the SFDD by merging isomorphic subgraphs. For the initial inter-firewall redundancy detection, record the union of the range values on all outgoing edges of the first node F1 of the SFDD; for [Scenario 1] among the update scenarios, record the range values of all outgoing edges of the first node F1 of the SFDD and union them with the range subset that was not updated, obtaining the union of the range values on all outgoing edges of the new node F1.
Note: a firewall decision diagram (FDD) is an acyclic directed graph used to analyze a firewall FW over the fields F1, ..., Fd with the rule sequence <r1, ..., rn>. An FDD has the following 5 properties: a) there is exactly one node with no incoming edge, called the root node, and nodes with no outgoing edge are called terminal nodes; b) each node v has a label F(v); if v is a non-terminal node then F(v) ∈ {F1, ..., Fd}, and if v is a terminal node then F(v) denotes a decision; c) each edge e from a node u to a node v is a non-empty integer range, denoted I(e), which is a subset of the domain D(F(u)) of u, where D(F(u)) is a predefined interval of non-negative integers; d) the set of all outgoing edges of a node v, denoted E(v), satisfies two conditions: consistency, meaning that the ranges of any two distinct edges e and e' in E(v) are disjoint, and completeness, meaning that the ranges of all edges in E(v) together cover D(F(v)); e) a directed path from the root node to a terminal node is called a decision path, and every path in an FDD corresponds to a non-overlapping rule. The SFDD is an acyclic directed graph proposed by the present invention on the basis of the FDD for describing the related rules of a firewall; the only difference between an SFDD and an FDD is that the SFDD describes the related rules in the ACL, whereas the FDD describes all rules in the ACL.
(3) Net1 extracts all non-overlapping discard rules from the SFDD.
(4) For each field Fk of every extracted non-overlapping discard rule, Net1 converts its range [a', b'] into an equivalent minimum prefix set, denoted T([a', b']). For example, T([5,15]) = {0101, 011*, 1***}.
(5) Net1 computes the union of the minimum prefix sets obtained from all non-overlapping discard rules. Note: identical prefixes are not listed repeatedly in the result.
(6) Net1 numericalizes each prefix and encrypts it with K1, then sends the K1-encrypted prefixes to Net2. The numericalization method adopted here is: given a w-bit prefix b1b2...bk*...*, we first insert a bit 1 after bk; this 1 acts as the separator between b1b2...bk and *...*. Then we replace each * with 0. For example, 11** becomes 11100. If the prefix contains no *, we place a 1 in the last position; for example, 1000 becomes 10001.
(7) Net2 further encrypts these prefixes with K2, then sends the prefixes doubly encrypted with K1 and K2 back to Net1.
(8) Since Net1 knows the correspondence between the prefixes and the fields of the non-overlapping rules, Net1 rebuilds the non-overlapping rules from these doubly encrypted prefixes.
(9) Net1 assigns a unique random index to each rebuilt non-overlapping rule; this index is used in the later redundancy detection process.
After the transformation of FW1 is complete, Net1 has obtained from FW1 a series of "doubly encrypted non-overlapping rules", denoted (F1 ∈ T1) ∧ ... ∧ (Fd ∈ Td) → discard, where Fi (1 ≤ i ≤ d) denotes a field and Ti denotes a set of doubly encrypted values. Then proceed to step 4.
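The following is an added example, not code from the patent, showing Net1's transformation of one field range of a discard rule as described in sub-steps (4) to (7) above: range to minimum prefix set T([a, b]), numericalization, encryption with K1, and Net2's second encryption with K2. The patent does not name the cipher; the exponentiation cipher x^K mod p used here (a Pohlig-Hellman-style commutative scheme with toy parameters, not a production cipher) is an assumption chosen because it lets the two domains apply their keys in either order and still obtain equal ciphertexts, which is what step 4's comparison of K1,K2- and K2,K1-encrypted values needs.

```python
# Added example (not from the patent): Net1's transformation of one field range
# of a discard rule, following sub-steps (4) to (7) of step 2: convert the range
# to its minimum prefix set T([a, b]), numericalize each prefix, encrypt with K1,
# and have Net2 apply K2. The patent does not name the cipher; the exponentiation
# cipher x^K mod p used here (a Pohlig-Hellman-style commutative scheme) is an
# illustrative stand-in with toy parameters, chosen because it lets the two domains
# apply their keys in either order and still compare equal ciphertexts.

from typing import List

W = 4      # field width in bits; the patent's examples use 4-bit fields [0, 15]
P = 1019   # toy prime modulus; keys must be coprime to P - 1 = 2 * 509


def range_to_prefixes(a: int, b: int, w: int = W) -> List[str]:
    """Minimum prefix set covering [a, b] (the patent's T([a, b])).

    Greedily takes the largest aligned block starting at `lo` that fits in [lo, b].
    """
    prefixes = []
    lo = a
    while lo <= b:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= b:
            size *= 2
        stars = size.bit_length() - 1            # trailing bits that become '*'
        fixed = format(lo >> stars, f"0{w - stars}b") if stars < w else ""
        prefixes.append(fixed + "*" * stars)
        lo += size
    return prefixes


def numericalize(prefix: str) -> int:
    """Step 2(6): insert a separator bit 1 after the fixed bits, replace '*' by 0.

    11** -> 11100, 1000 -> 10001 (the patent's own examples).
    """
    fixed = prefix.rstrip("*")
    stars = len(prefix) - len(fixed)
    return int(fixed + "1" + "0" * stars, 2)


def commutative_encrypt(value: int, key: int, p: int = P) -> int:
    """E_K(x) = x^K mod p; E_K2(E_K1(x)) == E_K1(E_K2(x)) for any K1, K2."""
    return pow(value, key, p)


def transform_discard_range(a: int, b: int, k1: int, k2: int) -> List[int]:
    """Net1 side of step 2 for one field: returns the doubly encrypted prefix values.

    Net1 sends the K1-encrypted values to Net2, which applies K2 and returns them.
    """
    prefixes = range_to_prefixes(a, b)
    sent_to_net2 = [commutative_encrypt(numericalize(p), k1) for p in prefixes]
    returned_to_net1 = [commutative_encrypt(c, k2) for c in sent_to_net2]
    return returned_to_net1


if __name__ == "__main__":
    print(range_to_prefixes(5, 15))               # ['0101', '011*', '1***']
    print(transform_discard_range(5, 15, 7, 11))  # three doubly encrypted values
```

With the patent's own example range [5,15] the function reproduces {0101, 011*, 1***}; because the keys 7 and 11 are coprime to P - 1, distinct prefixes stay distinct after both encryptions, which is what allows Net1 to match values in step 4 without learning Net2's plaintext prefixes.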
Step 3: The purpose of this step is to transform FW2. The transformation of FW2 comprises the following 7 sub-steps:
(1) For [Scenario 2] among the update scenarios, record, according to the result of the last inter-firewall redundancy detection, the sequence numbers of those rules in the updated rule set that were judged redundant last time, denoted Ur_m, where r_m (1 ≤ m ≤ n) are rules of FW2: <r1, ..., rn>. Note: for the initial inter-firewall redundancy detection, skip this sub-step and go directly to sub-step (2) of the FW2 transformation.
(2) Run the "related-rule search algorithm" to find the subset S2 of FW2's rules that are related to the updated rules. Note: for the initial inter-firewall redundancy detection, S2 is the whole rule set of FW2.
(3) Construct the all-match subgraph of the firewall decision diagram (all-match SFDD) from S2. For the initial inter-firewall redundancy detection, record the union of the range values on all outgoing edges of the first node F1 of the all-match SFDD; for [Scenario 2] among the update scenarios, record the range values of all outgoing edges of the first node F1 of the all-match SFDD and union them with the range subset that was not updated, obtaining the union of the range values on all outgoing edges of the new node F1. Note: the all-match SFDD differs from the SFDD in its terminal nodes. In an SFDD each terminal node is labeled with a decision, whereas in an all-match SFDD each terminal node is labeled with a non-empty sequence of rule sequence numbers; for a rule ri (1 ≤ i ≤ n), i is called the sequence number of ri. The sequence numbers labeled on a terminal node comprise the sequence numbers of all rules that overlap the decision path ending at that terminal node.
(4) Net2 extracts all non-overlapping rules from the all-match SFDD and expresses the range [a, b] of each field Fk of each non-overlapping rule in the form of the prefix families F(a) and F(b).
(5) Net2 computes, for each field Fk, the union of the prefix families obtained from all non-overlapping rules. Note: identical prefix families are not listed repeatedly in the result. These prefix families are then represented by their prefixes as follows: with a written as a k-bit binary number, the prefix family F(a) consists of k+1 prefixes, and the i-th prefix is obtained by replacing the last i-1 bits of a with *. For example, 10 in binary is 1010, so F(10) = {1010, 101*, 10**, 1***, ****}.
(6) Net2 numericalizes each prefix and encrypts it with K2, then sends the K2-encrypted prefixes to Net1. Note: the numericalization method adopted here is the same as the one described above for FW1.
(7) Net1 further encrypts these prefixes with K1.
After the transformation of FW2 is complete, Net1 has obtained from FW2 d groups of doubly encrypted values; denote the d groups of doubly encrypted values of FW2 by T1, ..., Td. Then proceed to step 4.
Step 4: Covering redundancy detection. For each field Fi (1 ≤ i ≤ d) of FW1 and each value a in FW2's doubly encrypted value set Ti, Net1 checks whether there exists a doubly encrypted rule (F1 ∈ T1) ∧ ... ∧ (Fd ∈ Td) → discard satisfying a ∈ Ti. If rule ri satisfies the condition, Net1 associates a with the rule index i. Since several rules may satisfy the condition, Net1 may finally associate a with a set of rule indexes; if no rule satisfies the condition, Net1 associates a with the empty set. Finally, Net1 replaces each value in T1, ..., Td with its corresponding rule index set and sends the result to Net2. From what it receives, Net2 finds the rule indexes overlapping with each prefix family. For a non-overlapping rule nr extracted from FW2's all-match SFDD, if all of its prefix families overlap the same discard rule nr' extracted from FW1's SFDD, then nr is covered by nr' and nr is redundant. Then proceed to step 5.
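The following is an added example, not code from the patent, showing Net2's prefix families from sub-step (5) of step 3 and the covering check of step 4. Because a commutative double encryption preserves equality of prefixes, the matching logic is shown on plaintext prefixes; FW1's first-field set is the patent's own T([5,15]) = {0101, 011*, 1***}, while the other FW1 field sets, the rule indexes 13 and 27 and the FW2 ranges are constructed for this example.

```python
# Added example (not from the patent): Net2's prefix families of step 3(5) and the
# covering check of step 4. Commutative double encryption preserves equality of
# prefixes, so the matching logic is shown here on plaintext prefixes. FW1's prefix
# set for the first field is the patent's own T([5,15]) = {0101, 011*, 1***}; the
# remaining FW1 field sets, the rule indexes and the FW2 ranges are constructed.

from typing import Dict, List, Set, Tuple

W = 4  # field width in bits, as in the patent's 4-bit examples

# Constructed FW1 side: random index -> per-field minimum prefix sets of a
# doubly encrypted non-overlapping discard rule (F1 in T1) and (F2 in T2) -> discard.
FW1_DISCARD_RULES: Dict[int, List[Set[str]]] = {
    13: [{"0101", "011*", "1***"}, {"****"}],   # field 1: T([5,15]), field 2: T([0,15])
    27: [{"00**"}, {"1***"}],                   # field 1: T([0,3]),  field 2: T([8,15])
}


def prefix_family(a: int, w: int = W) -> List[str]:
    """F(a): the w+1 prefixes that contain a; F(10) = {1010, 101*, 10**, 1***, ****}."""
    bits = format(a, f"0{w}b")
    return [bits[: w - i] + "*" * i for i in range(w + 1)]


def net1_lookup(fw1_rules: Dict[int, List[Set[str]]], field: int, prefix: str) -> Set[int]:
    """Net1's part of step 4: indexes of FW1 discard rules whose set for `field`
    contains `prefix` (empty set when none does)."""
    return {idx for idx, fields in fw1_rules.items() if prefix in fields[field]}


def covering_rules(fw1_rules: Dict[int, List[Set[str]]],
                   nr_ranges: List[Tuple[int, int]]) -> Set[int]:
    """Net2's part of step 4 for one FW2 non-overlapping rule nr.

    nr is covered (hence redundant) by a discard rule nr' of FW1 if, for every
    field, both prefix families F(a) and F(b) of nr's range [a, b] overlap nr'.
    Returns the indexes of all such nr'.
    """
    candidates = None
    for field, (a, b) in enumerate(nr_ranges):
        for endpoint in (a, b):
            hits: Set[int] = set()
            for prefix in prefix_family(endpoint):
                hits |= net1_lookup(fw1_rules, field, prefix)
            candidates = hits if candidates is None else candidates & hits
    return candidates or set()


def is_redundant(nr_ranges: List[Tuple[int, int]]) -> bool:
    """True when some FW1 discard rule covers the FW2 non-overlapping rule."""
    return bool(covering_rules(FW1_DISCARD_RULES, nr_ranges))


if __name__ == "__main__":
    print(covering_rules(FW1_DISCARD_RULES, [(6, 7), (0, 15)]))   # {13}
    print(covering_rules(FW1_DISCARD_RULES, [(0, 3), (0, 7)]))    # set()
```

The constructed rule [6,7] x [0,15] is covered by discard rule 13 in both fields and is therefore redundant, while [0,3] x [0,7] overlaps rule 27 in the first field only and rule 13 in the second, so no single nr' covers it and it is kept.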
Step 5: Given the preceding steps, Net2 can identify the redundant non-overlapping rules in FW2. Next, Net2 must identify which original rules are inter-firewall redundant rules. Since every path in FW2's all-match SFDD corresponds to a non-overlapping rule, we call the paths corresponding to redundant non-overlapping rules redundant paths and the remaining paths active paths. We identify inter-firewall redundant rules according to the following definition: given a firewall FW2: <r1, ..., rn> without intra-firewall redundancy and its all-match SFDD, rule ri of FW2 is an inter-firewall redundant rule with respect to FW1 if and only if the following two conditions hold: (1) there exists a redundant path whose terminal node contains the sequence number i; (2) there exists no active path whose terminal node contains i as its smallest element. At this point Net2 can identify the set Rnew of inter-firewall redundant rules in FW2 with respect to FW1. Note that for [Scenario 2] among the update scenarios, Rnew, the Ur_m obtained in step 3 and S2 must additionally be processed with the "compare and merge redundant rules algorithm" to obtain the final, complete set of inter-firewall redundant rules in FW2 with respect to FW1.
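The following is an added example, not code from the patent, turning the two conditions of step 5 into a function over the terminal-node labels of the all-match SFDD. The redundant paths 2, 4 and 6 and their labels are taken from the patent's embodiment (Step 4 of the initial detection below); the labels of the active paths 1, 3 and 5 are constructed to agree with the text's statement that they contain sequence number 4 but neither 1 nor 2.

```python
# Added example (not from the patent): the step 5 rule of the description turned
# into code. Terminal-node labels of the all-match SFDD are sets of rule sequence
# numbers. The redundant paths 2, 4, 6 and their labels are the ones given in the
# patent's embodiment (Step 4 of the initial detection); the labels of the active
# paths 1, 3, 5 are constructed to match the text's statement that they contain
# sequence number 4 but neither 1 nor 2.

from typing import Dict, Set


def redundant_rules(terminal_labels: Dict[int, Set[int]],
                    redundant_paths: Set[int]) -> Set[int]:
    """Rule i is inter-firewall redundant iff
    (1) some redundant path's terminal node contains i, and
    (2) no active path's terminal node has i as its smallest element."""
    candidates: Set[int] = set()
    for path in redundant_paths:
        candidates |= terminal_labels[path]          # condition (1)
    protected = {min(labels) for path, labels in terminal_labels.items()
                 if path not in redundant_paths and labels}   # violators of (2)
    return candidates - protected


# Path number -> rule sequence numbers labelled on its terminal node.
EXAMPLE_LABELS: Dict[int, Set[int]] = {
    1: {3, 4},      # active    (constructed)
    2: {1, 2, 4},   # redundant (from the patent)
    3: {4},         # active    (constructed)
    4: {2, 4},      # redundant (from the patent)
    5: {3, 4},      # active    (constructed)
    6: {4},         # redundant (from the patent)
}
EXAMPLE_REDUNDANT_PATHS = {2, 4, 6}

if __name__ == "__main__":
    print(redundant_rules(EXAMPLE_LABELS, EXAMPLE_REDUNDANT_PATHS))  # {1, 2}
```

Rule 4 appears in every redundant path but is the smallest label of active path 3, so condition (2) keeps it; rules 1 and 2 appear only in redundant paths, giving Rnew = {r1, r2} as in the embodiment.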
The detailed procedure of the "related-rule search algorithm" used in step 2 and step 3 is as follows:
Obtain the value of the first field of the updated rule r, denoted UR (this value is an integer interval); traverse all the values recorded in step 2 or step 3 (each value is also an integer interval) and extract those that intersect UR to form a temporary set St. Traverse the original rule set of FW1 or FW2, extracting the value of the first field of every rule, denoted OR(i) (where i is the rule sequence number); if any value in St intersects OR(i), add rule i to the set S. When the traversal of the original rule set is complete, the resulting set S contains all the related rules sought.
The detailed procedure of the "compare and merge redundant rules algorithm" used in step 5 is as follows:
Traverse Ur_m obtained in step 3; if a rule r in Ur_m also lies in the related rule set S2 obtained in step 3, remove r from Ur_m. After the traversal, union the reduced set U'r_m with the new redundant rule set Rnew obtained in step 5; the resulting set is the complete redundant rule set required after the update.
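The following is an added example, not code from the patent, implementing the two helper algorithms just described with first-field values as closed integer intervals. The recorded edge ranges {[0,3],[4,7],[8,15]} and the expected result S1 = {r1'', r2'', r5'', r6''} come from the patent's Scenario 1 example below; the updated FW1 rule set itself, the first-field values of the updated rules, and the inputs to the merge step are constructed, since Fig. 6 is not reproduced on the page. The search is generalized to accept several updated rules at once.

```python
# Added example (not from the patent): the "related-rule search algorithm" and the
# "compare and merge redundant rules algorithm", with rule first-field values as
# closed integer intervals. The recorded edge ranges {[0,3],[4,7],[8,15]} and the
# expected result S1 = {r1'', r2'', r5'', r6''} come from the patent's Scenario 1
# example; the updated FW1 rule set, the updated rules' first-field values and the
# inputs to the merge step are constructed (Fig. 6 is not reproduced on the page).

from typing import Dict, List, Set, Tuple

Interval = Tuple[int, int]   # closed integer range [a, b] on the first field


def intersects(x: Interval, y: Interval) -> bool:
    """True when the closed intervals x and y share at least one value."""
    return x[0] <= y[1] and y[0] <= x[1]


def related_rules(updated: List[Interval], recorded: List[Interval],
                  original: Dict[int, Interval]) -> Set[int]:
    """Related-rule search algorithm.

    updated:  first-field values UR of the updated rules (generalized to several)
    recorded: first-node edge ranges recorded in step 2 or step 3
    original: rule sequence number -> first-field value OR(i) of the rule set
    """
    # Temporary set St: recorded ranges that intersect any updated rule's UR
    s_t = [v for v in recorded if any(intersects(v, ur) for ur in updated)]
    # Every rule whose first field intersects a range in St is related
    return {i for i, or_i in original.items() if any(intersects(v, or_i) for v in s_t)}


def merge_redundant(ur_m: Set[int], s2: Set[int], r_new: Set[int]) -> Set[int]:
    """Compare and merge redundant rules algorithm (Scenario 2).

    Previously redundant rules that were re-examined this round (they lie in S2)
    are dropped from Ur_m; the remainder U'r_m is unioned with the new result Rnew.
    """
    return (ur_m - s2) | r_new


RECORDED_FW1: List[Interval] = [(0, 3), (4, 7), (8, 15)]   # from the patent's example
# Constructed first-field values of the updated rules r1'', r2'' (decision changed)
# and the added r5''; together they fall on the subset {[0,3],[8,15]} as in the patent.
UPDATED_RULES_UR: List[Interval] = [(0, 3), (2, 2), (8, 11)]
# Constructed updated FW1 rule set r1'' .. r6'' (first field only)
UPDATED_FW1: Dict[int, Interval] = {
    1: (0, 3), 2: (2, 2), 3: (4, 7), 4: (5, 6), 5: (8, 11), 6: (12, 15),
}

if __name__ == "__main__":
    print(related_rules(UPDATED_RULES_UR, RECORDED_FW1, UPDATED_FW1))  # {1, 2, 5, 6}
    print(merge_redundant({1, 2, 5}, {2, 3}, {3, 6}))                  # {1, 3, 5, 6}
```

Rules r3'' and r4'' lie entirely inside the untouched edge range [4,7] and are therefore excluded from S1, which is the data reduction the sectioned processing relies on.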
The sectioned redundancy removal method provided by the present invention can respond quickly to all kinds of CDCF update situations and, under the premise of privacy protection, efficiently identify and remove inter-firewall redundant rules.
(4) Description of the drawings
Fig. 1 is the system model of the cross-domain cooperative firewall of the present invention
Fig. 2 is a schematic of the rules of firewalls FW1 and FW2 in the example
Fig. 3 is the transformation of FW1 during the initial inter-firewall redundancy detection
Fig. 4 is the transformation of FW2 during the initial inter-firewall redundancy detection
Fig. 5 shows the active paths and redundant paths of the all-match SFDD during the initial inter-firewall redundancy detection
Fig. 6 is a schematic of the policy update of firewall FW1 in the example
Fig. 7 is the transformation of FW1 in the example when FW1 is updated and FW2 is unchanged
Fig. 8 is a schematic of the policy update of firewall FW2 in the example
Fig. 9 is the transformation of FW2 in the example when FW2 is updated and FW1 is unchanged
Fig. 10 shows the active paths and redundant paths of the all-match SFDD in the example when FW2 is updated and FW1 is unchanged
Fig. 11 is a statistical chart of the encryption time of the CDPP scheme and the SPRR scheme in the example scenario where FW1 is updated and FW2 is unchanged
Fig. 12 is a statistical chart of the redundancy detection comparison time of the CDPP scheme and the SPRR scheme in the example scenario where FW1 is updated and FW2 is unchanged
Fig. 13 is a statistical chart of the encryption time of the CDPP scheme and the SPRR scheme in the example scenario where FW2 is updated and FW1 is unchanged
Fig. 14 is a statistical chart of the redundancy detection comparison time of the CDPP scheme and the SPRR scheme in the example scenario where FW2 is updated and FW1 is unchanged
Fig. 15 is a statistical chart of the communication cost of the CDPP scheme and the SPRR scheme in the example scenario where FW1 is updated and FW2 is unchanged
Fig. 16 is a statistical chart of the communication cost of the CDPP scheme and the SPRR scheme in the example scenario where FW2 is updated and FW1 is unchanged
Fig. 17 shows the 5 possible update situations of FW1 and FW2 in a CDCF
Fig. 18 is a table of the firewall rule set configurations used under different configuration conditions in the comparison experiments of the CDPP scheme and the SPRR scheme
Fig. 19 shows the redundancy ratios computed under different update scenarios in the comparison experiments of the CDPP scheme and the SPRR scheme
(5) Specific embodiments
Consider a model of two firewalls in different domains, firewall 1 and firewall 2, belonging respectively to two different management domains Net1 and Net2, with data traffic flowing from firewall 1 to firewall 2, as shown in Fig. 1. FW1 denotes firewall 1 and is called the ingress firewall policy; FW2 denotes firewall 2 and is called the egress firewall policy. For a rule r in FW2, if all packets that match r in FW2 but match no rule preceding r are discarded by FW1, rule r can be removed, because packets matching r never reach FW2; rule r is then an inter-firewall redundant rule of FW2 with respect to FW1. Obviously, in Fig. 1, all packets matching r2 and r3 in FW2 (r1 being rule 1) are discarded by r2' in FW1. So r2 and r3 in FW2 are inter-firewall redundant with respect to r2' in FW1.
Next, the present invention illustrates the specific implementation of SPRR with an example. For ease of presentation, the rules of the firewalls in the example are described with only two fields and a decision. As shown in Fig. 2, FW1 is the ingress firewall and belongs to the network management domain Net1; FW2 is the egress firewall and belongs to the network management domain Net2. First, we perform the initial inter-firewall redundancy detection on them.
The specific implementation of the initial inter-firewall redundancy detection is as follows:
Step 1: Transform FW1.
(1) Run the "related-rule search algorithm"; for the initial inter-firewall redundancy detection, its output S1 is the whole rule set of FW1, as shown in Fig. 3(a): S1 = {r1', r2', r3', r4', r5'}.
(2) Construct the SFDD from S1, record the union of the range values on all outgoing edges of the first node F1 of the SFDD, FW1: ∪_{e∈E(v1)} I(e) = {[0,3], [4,7], [8,15]}, and further reduce the size of the SFDD by merging isomorphic subgraphs, as shown in Fig. 3(b).
(3) Net1 extracts all non-overlapping discard rules from the SFDD, as shown in Fig. 3(c).
(4) Net1 converts the range [a', b'] of each field Fk of every extracted non-overlapping discard rule into an equivalent minimum prefix set, as shown in Fig. 3(d).
(5) Net1 computes the union of the minimum prefix sets obtained from all non-overlapping discard rules, as shown in Fig. 3(e).
(6) Net1 numericalizes each prefix and encrypts it with K1, then sends the encrypted prefixes to Net2, as shown in Fig. 3(f).
(7) Net2 further encrypts these prefixes with K2 and sends the result back to Net1, as shown in Fig. 3(g).
(8) Net1 rebuilds the non-overlapping rules from the doubly encrypted prefixes and assigns each rebuilt non-overlapping rule a unique random index, namely 13, 27, 17 and 45, as shown in Fig. 3(h).
Step 2: Transform FW2.
(1) Run the "related-rule search algorithm"; for the initial inter-firewall redundancy detection, its output S2 is the whole rule set of FW2, as shown in Fig. 4(a): S2 = {r1, r2, r3, r4}.
(2) Construct the all-match SFDD from S2 and record the union of the range values on all outgoing edges of the first node F1 of the all-match SFDD, FW2: ∪_{e∈E(v1)} I(e) = {[0,2], [3,5], [6,15]}, as shown in Fig. 4(b).
(3) Net2 extracts all non-overlapping rules from the all-match SFDD and expresses the range [a, b] of each field Fk of each non-overlapping rule in the form of the prefix families F(a) and F(b), as shown in Fig. 4(c).
(4) Net2 computes, for each field Fk, the union of the prefix families obtained from all non-overlapping rules, as shown in Fig. 4(d).
(5) Net2 numericalizes each prefix and encrypts it with K2, then sends the K2-encrypted prefixes to Net1, as shown in Fig. 4(e).
(6) Net1 further encrypts these prefixes with K1, as shown in Fig. 4(f).
Step 3: Covering redundancy detection. Net1 compares the doubly encrypted values of each field Fi (i = 1, 2) of the "doubly encrypted non-overlapping rules" with each doubly encrypted value a in FW2's doubly encrypted value set Ti, so that every value in T1 and T2 corresponds either to the index of a doubly encrypted non-overlapping rule or to the empty set; Net1 then sends this result to Net2, and Net2 finds from it the rule indexes overlapping with each prefix family. In this example, Net2 finally detects that nr2, nr4 and nr6 among the non-overlapping rules extracted from the all-match SFDD are redundant.
Step 4: According to the detection result of Step 3, since nr2, nr4 and nr6 are redundant non-overlapping rules, paths 2, 4 and 6 of the all-match SFDD are redundant paths and the remaining paths 1, 3 and 5 are active paths. As shown in Fig. 5, the terminal node of redundant path 2 contains rule sequence numbers 1, 2 and 4; the terminal node of redundant path 4 contains rule sequence numbers 2 and 4; the terminal node of redundant path 6 contains rule sequence number 4. Because the terminal nodes of active paths 1, 3 and 5 contain rule sequence number 4 but not rule sequence numbers 1 or 2, the set of inter-firewall redundant rules in FW2 with respect to FW1 is Rnew = {r1, r2}.
At this point, SPRR has completed the initial inter-firewall redundancy detection.
Below, we analyze the update status of CDCF.As shown in figure 17, FW in CDCF 1and FW 2may there is the renewal of following 5 kinds of situations: 1.FW 2in some regular decision-making there is change; 2.FW 1in some regular decision-making by abandoning, changed acceptance into; 3.FW 1in some regular decision-making by accepting to have changed into, abandon; 4.FW 1middle interpolation or delete some rule; 5.FW 2some rule of middle interpolation or deletion.For completing the CDCF of redundancy detection between fire compartment wall first, we are divided into more new scene of 3 classes by 5 kinds of above-mentioned update status: [scene 1] FW 1upgrade FW 2remain unchanged; [scene 2] FW 2upgrade FW 1remain unchanged; [scene 3] FW 1and FW 2upgrade simultaneously.
Next, we analyze respectively the more specific implementation process of SPRR under new scene of this 3 class.
[scene 1] FW 1upgrade FW 2remain unchanged.
Based on FW in Figure 17 1and FW 2contingent 5 kinds of update status, under this scene, contingent renewal is: the renewal that a) only a situation arises in 2; B) renewal that only a situation arises in 3; C) renewal that only a situation arises in 4; D) there is the renewal of any two kinds of situations in situation 2, situation 3 or situation 4; E) simultaneously a situation arises 2, the renewal in situation 3 and situation 4.
Below, based on FW during redundancy detection between fire compartment wall first 1and FW 2example, to FW 1in rule make renewal as shown in Figure 6 and (change meta-rule r 1' and r 2' decision-making, at meta-rule r 4' and r 5' between add new regulation, i.e. a r 5' '), then carry out the redundancy detection between fire compartment wall.
The specific implementation process of SPRR under [scene 1] is as follows:
Step 1: transform FW 1.[scene 1] lower FW 1conversion process as shown in Figure 7.
(1) because record in the upper once de-redundancy process before fire compartment wall this time upgrades FW 1 : U e &Element; E ( v 1 ) I ( e ) = { [ 0 , 3 ] , [ 4 , 7 ] , [ 8 , 15 ] } , And FW 1after renewal, first field F of its update rule 1drop on scope subset { [0,3], [8,15] } upper, so operation " correlation rule is searched algorithm " can obtain FW 1in the regular subset S that is associated with update rule 1={ r 1' ', r 2' ', r 5' ', r 6' ' }, as shown in Fig. 7 (a).(2) according to S 1structure SFDD (notes the F of SFDD 1be defined in scope subset { [0,3], [8,15] }), and by merging isomorphism subgraph, further simplify the scale of SFDD, record first node F of SFDD 1the boundary value of all output boundaries SFDD : U e &Element; E ( v 1 ) I ( e ) = { [ 0,3 ] , [ 8,11 ] , [ 12,15 ] } , And by its with in the scope subset { [4,7] } do not upgraded do and set operation, obtain new node F 1the union of all output boundary upper boundary values FW 1 &prime; : U e &Element; E ( v 1 ) I ( e ) = { [ 0,3 ] , [ 4,7 ] , [ 8,11 ] , [ 12,15 ] } . As shown in Fig. 7 (b).(3) Net 1from SFDD, extract all non-overlapped rules that abandons, as shown in Fig. 7 (c).(4) Net 1abandon each field F in rule by every of being drawn into is non-overlapped kspan [a ', b '] be converted into a minimum prefix set of equal value, as shown in Fig. 7 (d).(5) Net 1calculate all non-overlapped unions that abandon the minimum prefix set obtaining in rule, as shown in Fig. 7 (e).(6) Net 1each prefix that quantizes is also used K 1encrypt, then by K 1prefix after encryption sends to Net 2, as shown in Fig. 7 (f).(7) Net 2use K 2further encrypt these prefixes and then result is sent it back to Net 1, as shown in Fig. 7 (g).(8) Net 1according to double-encryption prefix, rebuild non-overlapped rule, and give unique random index 12,19 and 21 of non-overlapped regular allocation of each reconstruction, as shown in Fig. 7 (h).
Step 2: covering redundancy detection. The covering redundancy detection under [scene 1] is similar to "step 3 of the specific implementation of first-time inter-firewall redundancy detection": each doubly encrypted value under field Fi (i=1,2) of the "doubly encrypted non-overlapping rules" obtained in step 1 is compared with each doubly encrypted value a in FW2's doubly encrypted value set Ti recorded in the last de-redundancy run before the update. In this example, Net2 detects no redundant rule among the non-overlapping rules of FW2.
Step 3: under [scene 1], identifying the inter-firewall redundant rules among the original rules of FW2 is similar to "step 4 of the specific implementation of first-time inter-firewall redundancy detection". In this example, however, since no redundant non-overlapping rule was detected in step 2, it can be concluded directly that, relative to the updated FW1, the original FW2 contains no redundant rule, so r1 and r2, which were detected as redundant in the last de-redundancy run, must be added back into FW2.
At this point, SPRR has completed the inter-firewall redundancy detection under [scene 1].
[scene 2] FW2 is updated and FW1 remains unchanged.
Based on the five possible update situations of FW1 and FW2 in Figure 17, the updates that can occur under this scene are: a) only the update of situation 1; b) only the update of situation 5; c) the updates of situation 1 and situation 5 occurring together.
For a), the firewalls need no processing, because inter-firewall redundancy detection does not need to consider the decisions of the rules in FW2.
For b) and c), the SPRR scheme is executed.
Below, starting from the FW1 and FW2 example used in the first-time inter-firewall redundancy detection, the rules of FW2 are updated as shown in Figure 8 (a new rule r2' is added between the original rules r1 and r2), and inter-firewall redundancy detection is then performed.
The specific implementation of SPRR under [scene 2] is as follows:
Step 1: transform FW2. The transformation of FW2 under [scene 2] is shown in Figure 9.
(1) According to the result of the last inter-firewall redundancy detection, record the sequence numbers, in the updated rule set, of the rules judged redundant last time: Ur_m = {r1', r3'}. (2) Because the union of the intervals on the first node's outgoing edges was recorded in the previous de-redundancy run, before this update of the firewall, FW2: ∪_{e∈E(v1)} I(e) = {[0,2],[3,5],[6,15]}, and after the update the first field F1 of the updated rule falls on the range subset {[3,5]}, running the "associated rule lookup algorithm" yields the subset S2 = {r2', r3', r5'} of FW2 rules associated with the updated rule, as shown in Fig. 9(a). (3) Build the all-match SFDD from S2 (note that F1 of the all-match SFDD is defined on the range subset {[3,5]}) and record the union of the intervals on all outgoing edges of its first node F1, all-match SFDD: ∪_{e∈E(v1)} I(e) = {[3,3],[4,5]}; take the union of this with the un-updated range subset {[0,2],[6,15]} to obtain the new union of outgoing-edge intervals of node F1 = {[0,2],[3,3],[4,5],[6,15]}, as shown in Fig. 9(b). (4) Net2 extracts all non-overlapping rules from the all-match SFDD and expresses the span [a,b] of each field Fk of each non-overlapping rule in the form of the prefix families F(a) and F(b), as shown in Fig. 9(c). (5) Net2 computes, for each field Fk, the union of the prefix families obtained over all non-overlapping rules, as shown in Fig. 9(d). (6) Net2 numericalizes each prefix and encrypts it with K2, then sends the K2-encrypted prefixes to Net1, as shown in Fig. 9(e). (7) Net1 further encrypts these prefixes with K1, as shown in Fig. 9(f).
Step 2: covering redundancy detection. The covering redundancy detection under [scene 2] is similar to "step 3 of the specific implementation of first-time inter-firewall redundancy detection": each doubly encrypted value a in FW2's doubly encrypted value set Ti obtained in step 1 is compared with the doubly encrypted values under each field Fi (i=1,2) of the "doubly encrypted non-overlapping rules" recorded in the last de-redundancy run before the update. In this example, Net2 finally detects that nr2 and nr4 among the non-overlapping rules extracted from the all-match SFDD are redundant.
Step 3: According to the result of step 2, since nr2 and nr4 are redundant non-overlapping rules, the 2nd and 4th paths of the all-match SFDD are redundant paths and the remaining 1st and 3rd paths are active paths. As shown in Figure 10, the terminal node of redundant path 2 contains the rule sequence numbers 3 and 5, and the terminal node of redundant path 4 contains the rule sequence numbers 2, 3 and 5; the terminal nodes of active paths 1 and 3 contain rule sequence number 5 but not 2 or 3. Therefore the set of rules in FW2 that are inter-firewall redundant relative to FW1 is R_new = {r2', r3'}. Using R_new, the Ur_m obtained in step 1 and S2 as inputs to the "compare-and-merge redundant rule algorithm" finally gives {r1', r2', r3'} as the inter-firewall redundant rule set of FW2 relative to FW1.
At this point, SPRR has completed the inter-firewall redundancy detection under [scene 2].
[scene 3] FW1 and FW2 are updated simultaneously.
When the rules in both FW1 and FW2 have changed, in order to remove the inter-firewall redundant rules completely, FW1 and FW2 are treated as two new firewalls, and the inter-firewall redundant rules of FW2 relative to FW1 are detected according to the specific implementation of first-time inter-firewall redundancy detection.
The present invention compares SPRR with CDPP using the rule sets of real firewalls; the firewall rule sets use the Cisco standard Access Control List (ACL) format. Each rule contains five fields (source IP, destination IP, source port, destination port, protocol) and a decision (accept or discard). The real firewall rule sets were processed on a PC running Ubuntu 11.10 with an Intel Xeon CPU and 32 GB of memory.
Figure 18 shows the five groups of firewalls used in the experiments, with 100, 200, 400, 800 and 1600 rules respectively.
(1) Comparison of processing time
The processing time comprises the encryption transformation time and the redundancy detection comparison time.
Because the associated rules processed by SPRR are only a small fraction of the rule set, the amount of data to be processed is greatly reduced, which in turn reduces both the encryption transformation time and the redundancy detection comparison time.
Figure 11 shows the encryption transformation time of the firewalls recorded in the experiment under the scene where FW1 is updated and FW2 remains unchanged; the five groups of results show that on encryption transformation time the SPRR scheme is at least 10 times and up to 250 times faster than the CDPP scheme.
Figure 12 shows the inter-firewall redundancy detection comparison time recorded in the experiment under the scene where FW1 is updated and FW2 remains unchanged; the five groups of results show that on redundancy detection time the SPRR scheme improves on the CDPP scheme by at least an order of magnitude.
Figure 13 shows the encryption transformation time of the firewalls recorded in the experiment under the scene where FW2 is updated and FW1 remains unchanged; the five groups of results show that on encryption transformation time the SPRR scheme is at least 12 times and up to 36 times faster than the CDPP scheme.
Figure 14 shows the inter-firewall redundancy detection comparison time recorded in the experiment under the scene where FW2 is updated and FW1 remains unchanged; the five groups of results show that on redundancy detection time the SPRR scheme again improves on the CDPP scheme by at least an order of magnitude.
(2) Comparison of communication cost
Likewise, because SPRR reduces the number of rules to be processed, the intermediate results that must be transmitted over the network after encryption (that is, the communication cost) are also greatly reduced.
Figure 15 shows the actual communication cost recorded in the experiment under the scene where FW1 is updated and FW2 remains unchanged; the five groups of results show that on communication cost the SPRR scheme is at least an order of magnitude lower than the CDPP scheme.
Figure 16 shows the actual communication cost recorded in the experiment under the scene where FW2 is updated and FW1 remains unchanged; the five groups of results show that on communication cost the SPRR scheme is again at least an order of magnitude lower than the CDPP scheme.
(3) Redundancy ratio calculation results
According to the redundancy calculation results in Figure 19, the redundancy rate computed by the SPRR scheme after the update is consistent with that of the CDPP scheme. CDPP has been proved to detect the inter-firewall redundant rules completely, and in this experiment SPRR obtains exactly the same redundant rules as CDPP, so this result shows that SPRR also detects the inter-firewall redundant rules completely.
The above results show that when the firewall rule sets are updated, the segmented redundancy detection scheme outperforms the CDPP redundancy detection scheme, which processes all rules in full, in both processing time and communication cost.

Claims (6)

1. A segmented redundancy detection method applied to cross-domain cooperative firewalls (Cross-Domain Cooperative Firewall, CDCF for short), where the CDCF refers to firewalls FW1 and FW2 deployed in different management domains Net1 and Net2, with the communication flow going from FW1 to FW2, and where the redundancy refers to the following: for a rule r in FW2, if all packets that match rule r in FW2 but match none of the rules before r are discarded by FW1, then r is an inter-firewall redundant rule relative to FW1; characterized in that the segmented redundancy detection method is based on an existing inter-firewall redundancy detection scheme and, by reducing the amount of data to be processed in the redundancy detection process, reduces the processing time, comparison time and communication cost of redundancy detection, so as to solve the problem of slow redundancy detection and large overhead caused by a dynamically updated CDCF; the method comprises the following steps:
Step 1: if FW1 and FW2 have never performed inter-firewall redundancy detection since forming the CDCF, perform the first-time inter-firewall redundancy detection scheme by executing step 2 and step 3 respectively; if FW1 and FW2 have already completed a first-time inter-firewall redundancy detection, analyze the update status of FW1 and FW2: [scene 1] FW1 is updated and FW2 remains unchanged: perform step 2; [scene 2] FW2 is updated and FW1 remains unchanged: perform step 3; [scene 3] FW1 and FW2 are updated simultaneously: treat FW1 and FW2 as two new firewalls and, according to the first-time inter-firewall redundancy detection scheme, perform step 2 and step 3 respectively;
Step 2: the purpose of this step is to transform FW1; the transformation of FW1 comprises the following 9 sub-steps: (1) run the "associated rule lookup algorithm" to find the subset S1 of rules in FW1 associated with the updated rules; (2) build the firewall decision diagram subgraph (subgraph of firewall decision diagram, SFDD for short) from S1 and merge isomorphic subgraphs to further reduce the size of the SFDD; for the first-time inter-firewall redundancy detection, record the union of the intervals on all outgoing edges of the first node F1 of the SFDD; for [scene 1] of the update scenes, record the interval boundaries on all outgoing edges of the first node F1 of the SFDD and take their union with the un-updated range subset to obtain the new union of outgoing-edge intervals of node F1; (3) Net1 extracts all non-overlapping discard rules from the SFDD; (4) Net1 converts the span [a',b'] of each field Fk of every extracted non-overlapping discard rule into an equivalent minimal prefix set, denoted T([a',b']); (5) Net1 computes the union of the minimal prefix sets obtained over all non-overlapping discard rules; (6) Net1 numericalizes each prefix and encrypts it with K1, then sends the K1-encrypted prefixes to Net2; the numericalization method used here is: given a w-bit prefix b1b2…bk*…*, first insert the bit 1 after bk, this 1 being the separator between b1b2…bk and *…*, then replace each * with 0; if the prefix contains no *, place a 1 at the last position; (7) Net2 further encrypts these prefixes with K2, then sends the prefixes doubly encrypted with K1 and K2 back to Net1; (8) Net1 rebuilds the non-overlapping rules from these doubly encrypted prefixes; (9) Net1 assigns each reconstructed non-overlapping rule a unique random index (this index is used in the later redundancy detection process);
After the transformation of FW1 is complete, Net1 obtains from FW1 a series of "doubly encrypted non-overlapping rules"; a doubly encrypted rule is denoted (F1∈T1) ∧ … ∧ (Fd∈Td) → discard, where Fi (1≤i≤d) denotes a field and Ti denotes a set of doubly encrypted values; then step 4 is performed;
Step 3: the purpose of this step is to transform FW2; the transformation of FW2 comprises the following 7 sub-steps: (1) for [scene 2] of the update scenes, according to the result of the last inter-firewall redundancy detection, record the sequence numbers, in the updated rule set, of the rules judged redundant last time, denoted Ur_m, where r_m (1≤m≤n) and FW2: <r1, …, rn>; note that the first-time inter-firewall redundancy detection skips this sub-step and enters sub-step (2) of the FW2 transformation directly; (2) run the "associated rule lookup algorithm" to find the subset S2 of rules in FW2 associated with the updated rules; (3) build the all-match firewall decision diagram subgraph (all-match subgraph of firewall decision diagram, all-match SFDD for short) from S2; for the first-time inter-firewall redundancy detection, record the union of the intervals on all outgoing edges of the first node F1 of the all-match SFDD; for [scene 2] of the update scenes, record the interval boundaries on all outgoing edges of node F1 of the all-match SFDD and take their union with the un-updated range subset to obtain the new union of outgoing-edge intervals of node F1; (4) Net2 extracts all non-overlapping rules from the all-match SFDD and expresses the span [a,b] of each field Fk of each non-overlapping rule in the form of the prefix families F(a) and F(b); (5) Net2 computes, for each field Fk, the union of the prefix families obtained over all non-overlapping rules, and then denotes these prefix families by their prefixes; the representation is: with a written as a k-bit binary number, the prefix family F(a) consists of k+1 prefixes, and the i-th prefix is obtained by replacing the last i-1 bits of a with *; (6) Net2 numericalizes each prefix and encrypts it with K2, and sends the K2-encrypted prefixes to Net1; (7) Net1 further encrypts these prefixes with K1;
After the transformation of FW2 is complete, Net1 obtains from FW2 d groups of doubly encrypted values; T1 … Td denote the d groups of doubly encrypted value sets of FW2; then step 4 is performed;
Step 4: covering redundancy detection: for each field Fi (1≤i≤d) of FW1 and each value a in FW2's doubly encrypted value set Ti, Net1 checks whether there exists a doubly encrypted rule (F1∈T1) ∧ … ∧ (Fd∈Td) → discard satisfying a ∈ Ti; if rule ri satisfies the condition, Net1 associates a with the rule index i, and if the condition is not met, Net1 associates a with the empty set; finally Net1 replaces each value in T1 … Td with its corresponding set of rule indices and sends the result to Net2; from the received result, Net2 finds the rule indices overlapping with each prefix family; for a non-overlapping rule nr in FW2, if all of its prefix families overlap with the same discard rule nr' in FW1, nr is covered by nr' and nr is therefore redundant;
Step 5: in view of the above steps, Net2 can identify the redundant non-overlapping rules in FW2; next Net2 needs to identify which original rules are inter-firewall redundant rules; since every path in the all-match SFDD of FW2 corresponds to a non-overlapping rule, the paths corresponding to the redundant non-overlapping rules are called redundant paths and the remaining paths are called active paths; Net2 identifies, according to the "inter-firewall redundant rule criterion", the set R_new of rules in FW2 that are inter-firewall redundant relative to FW1; the criterion is as follows: given a firewall FW2: <r1, …, rn> without intra-firewall redundancy and its all-match SFDD, rule ri in FW2 is an inter-firewall redundant rule relative to FW1 if and only if the following two conditions hold: (1) there exists a redundant path whose terminal node contains the sequence number i, and (2) there exists no active path whose terminal node contains i as its smallest member; for [scene 2] of the update scenes, the R_new obtained here, the Ur_m obtained in step 3 and S2 are further processed with the "compare-and-merge redundant rule algorithm" to obtain the final complete set of rules in FW2 that are inter-firewall redundant relative to FW1.
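The following is an added example, not code from the patent, that implements the exchange of steps 2 to 4 in Python for the 4-bit field domain [0,15] of the worked scenes above: minimal prefix sets T([a',b']), prefix families F(a), the numericalization of sub-step (6), a commutative double encryption and the covering check of step 4. The firewall rules, the random indices 12 and 19, the keys and the modular-exponentiation cipher are all assumptions made here; the patent does not name its cipher in this section.

```python
"""Added example, not the patent's own code: prefix conversion, numericalization
and commutative double encryption of claim 1, steps 2-4, on the 4-bit field
domain [0,15] of the worked scenes.  Rules, keys and indices are constructed;
a textbook commutative cipher (modular exponentiation) stands in for whatever
cipher is deployed."""
from math import gcd

W = 4                     # bits per field; domain [0, 15] as in Figures 7 and 9
P = 2147483647            # prime modulus of the illustrative commutative cipher
K1, K2 = 65537, 18523     # Net1's and Net2's keys, chosen coprime to P - 1
assert gcd(K1, P - 1) == 1 and gcd(K2, P - 1) == 1

def range_to_prefixes(lo, hi, w=W):
    """T([lo,hi]): the minimal prefix set whose disjoint union is exactly lo..hi."""
    out = []
    while lo <= hi:
        size = 1                          # grow the largest aligned block at lo
        while lo % (2 * size) == 0 and lo + 2 * size - 1 <= hi and 2 * size <= 1 << w:
            size *= 2
        free = size.bit_length() - 1      # number of trailing wildcard bits
        head = format(lo >> free, f"0{w - free}b") if free < w else ""
        out.append(head + "*" * free)
        lo += size
    return out

def prefix_family(a, w=W):
    """F(a): w+1 prefixes; the i-th has the last i-1 bits of a replaced by *."""
    bits = format(a, f"0{w}b")
    return [bits[:w - i] + "*" * i for i in range(w + 1)]

def numericalize(prefix):
    """Step 2(6): insert a 1 after the fixed bits, then turn every * into 0."""
    fixed = prefix.rstrip("*")
    return int(fixed + "1" + "0" * (len(prefix) - len(fixed)), 2)

def enc(x, key):
    """Commutative encryption: enc(enc(x, K1), K2) == enc(enc(x, K2), K1)."""
    return pow(x, key, P)

def net1_transform(discard_rules, indices):
    """Steps 2(3)-(9) at Net1: each non-overlapping discard rule of FW1 becomes,
    per field, a set of prefixes doubly encrypted with K1 then K2, keyed by the
    random index Net1 assigns to it (the K2 layer is applied by Net2 in practice)."""
    table = {}
    for ranges, idx in zip(discard_rules, indices):
        table[idx] = [{enc(enc(numericalize(p), K1), K2)
                       for p in range_to_prefixes(lo, hi)} for lo, hi in ranges]
    return table

def net2_prepare(rules, d):
    """Steps 3(4)-(6) at Net2: prefix families of both endpoints of every field of
    every non-overlapping rule, unioned per field, numericalized, K2-encrypted."""
    fam = [set() for _ in range(d)]
    for ranges in rules:
        for k, (lo, hi) in enumerate(ranges):
            fam[k].update(prefix_family(lo), prefix_family(hi))
    prefixes = [sorted(s) for s in fam]            # Net2 remembers this order
    return prefixes, [[enc(numericalize(p), K2) for p in ps] for ps in prefixes]

def net1_cover_check(table, received):
    """Step 4 at Net1: apply K1 (giving T_k), then replace every value by the set
    of rule indices whose field-k set contains it, keeping Net2's order."""
    result = []
    for k, values in enumerate(received):
        doubly = [enc(v, K1) for v in values]      # K2 then K1: same as K1 then K2
        result.append([{idx for idx, fields in table.items() if vv in fields[k]}
                       for vv in doubly])
    return result

def net2_redundant(rules, prefixes, index_sets):
    """Step 4 at Net2: nr is covered (redundant) when one FW1 discard rule overlaps
    every prefix family of nr, i.e. contains both endpoints of every field."""
    lookup = [dict(zip(ps, row)) for ps, row in zip(prefixes, index_sets)]
    redundant = []
    for n, ranges in enumerate(rules, 1):
        covering = None
        for k, (lo, hi) in enumerate(ranges):
            for endpoint in (lo, hi):
                hit = set().union(*(lookup[k][p] for p in prefix_family(endpoint)))
                covering = hit if covering is None else covering & hit
        if covering:
            redundant.append(n)
    return redundant

def detect(fw1_discard, fw1_index, fw2_rules):
    """Run the exchange end to end; returns the redundant rule numbers of FW2."""
    table = net1_transform(fw1_discard, fw1_index)
    prefixes, sent = net2_prepare(fw2_rules, len(fw2_rules[0]))
    return net2_redundant(fw2_rules, prefixes, net1_cover_check(table, sent))

# Constructed sample: two non-overlapping discard rules of FW1 over fields (F1, F2)
# with random indices 12 and 19, and four non-overlapping rules of FW2.
FW1_DISCARD = [[(0, 3), (0, 15)], [(8, 11), (4, 7)]]
FW1_INDEX = [12, 19]
FW2_RULES = [[(0, 2), (6, 15)], [(3, 5), (0, 3)], [(8, 11), (4, 5)], [(12, 15), (0, 15)]]

if __name__ == "__main__":
    print("redundant non-overlapping rules of FW2:", detect(FW1_DISCARD, FW1_INDEX, FW2_RULES))
```

Net1 learns only which encrypted positions map to which of its own indices, and Net2 learns only which of its rules are covered, which is the privacy property the exchange is built to keep.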
2. The segmented redundancy detection method applied to cross-domain cooperative firewalls according to claim 1, characterized in that the SFDD in step 2 is defined as follows:
The SFDD is an acyclic directed graph, proposed by the present invention on the basis of the firewall decision diagram (FDD), for describing the associated rules of a firewall. An FDD is an acyclic directed graph used to analyze a sequence of rules <r1, …, rn> of firewall FW over the fields F1, …, Fd; it has the following 5 properties: a) there is exactly one node with no incoming edge, called the root node, and the nodes with no outgoing edge are called terminal nodes; b) each node v has a label, denoted F(v); if v is a non-terminal node then F(v) ∈ {F1, …, Fd}, and if v is a terminal node then F(v) denotes a decision; c) every edge e from node u to node v is a non-empty integer interval, denoted I(e), and I(e) is a subset of the domain D(F(u)) of u, where D(F(u)) is a predefined non-negative integer interval; d) the set E(v) of all outgoing edges of node v satisfies two conditions, 1. consistency, for any two different edges e and e' in E(v), and 2. completeness; e) a directed path from the root node to a terminal node is called a decision path, and each path in the FDD corresponds to a non-overlapping rule. The only difference between the SFDD and the FDD is that the SFDD describes the associated rules in the ACL, whereas the FDD describes all the rules in the ACL.
3. The segmented redundancy detection method applied to cross-domain cooperative firewalls according to claim 1, characterized in that the all-match SFDD in step 2 is defined as follows:
The all-match SFDD differs from the SFDD only in its terminal nodes: in an SFDD each terminal node is labelled with a decision, whereas in an all-match SFDD each terminal node is labelled with a non-empty sequence of rule sequence numbers, and the sequence of rule numbers labelled on a terminal node contains the sequence numbers of all rules that overlap with that decision path.
4. The segmented redundancy detection method applied to cross-domain cooperative firewalls according to claim 1, characterized in that the detailed procedure of the associated rule lookup algorithm used in step 2 and step 3 is as follows:
Obtain the value of the first field domain of the updated rule r, denoted UR (this value is a numerical interval); traverse all the values recorded in step 2 or step 3 (each value is also a numerical interval) and extract those intersecting UR into a temporary set S_t; traverse the original rule set of firewall FW1 or FW2, extracting the value of the first field domain of each rule, denoted OR(i) (where i is the rule sequence number), and if any value in S_t intersects OR(i), add rule i to the set S; once the original rule set has been traversed, the resulting set S contains all the associated rules to be found.
5. The segmented redundancy detection method applied to cross-domain cooperative firewalls according to claim 1, characterized in that the detailed procedure of the compare-and-merge redundant rule algorithm in step 5 is as follows:
Traverse the Ur_m obtained in step 3; if a rule r in Ur_m is also in the associated rule set S2 obtained in step 3, remove rule r from Ur_m; after the traversal, take the union of the reduced set U'r_m and the new redundant rule set R_new obtained in step 5; the resulting set is the complete redundant rule set after the update.
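The associated rule lookup of claim 4 and the compare-and-merge algorithm of claim 5, written as an added Python example (not the patent's code) and chained the way step 3(1)-(2) and step 5 of claim 1 chain them. The FW2 rule set, its first-field intervals and the inserted rule r2' are constructed here to reproduce the [scene 2] numbers (boundary union {[0,2],[3,5],[6,15]}, Ur_m = {r1', r3'}, R_new = {r2', r3'}); the lookup also accepts several updated rules at once, a generalization of the single rule r in the claim.

```python
"""Added example, not from the patent: the associated rule lookup of claim 4 and
the compare-and-merge algorithm of claim 5 on constructed data that mirrors the
page's [scene 2].  Rules are keyed by sequence number; only the first field
(source IP, here a small integer interval) is needed by either algorithm."""

def overlaps(x, y):
    """True if the integer intervals x=(lo,hi) and y=(lo,hi) intersect."""
    return x[0] <= y[1] and y[0] <= x[1]

def associated_rules(boundary_union, update_rules, original_rules):
    """Claim 4. boundary_union: intervals recorded from the first node's outgoing
    edges in the previous run; update_rules / original_rules: {seq no: (lo, hi)},
    the first-field interval of each rule.  Several updated rules are accepted
    (the claim describes one); each contributes its UR to the temporary set S_t."""
    s_t = {iv for iv in boundary_union
           if any(overlaps(iv, ur) for ur in update_rules.values())}
    return sorted(i for i, orig in original_rules.items()
                  if any(overlaps(iv, orig) for iv in s_t))

def compare_and_merge(ur_m, s2, r_new):
    """Claim 5: drop from Ur_m the rules re-examined through S2, then add R_new."""
    return sorted((set(ur_m) - set(s2)) | set(r_new))

# Constructed FW2 after the update of Figure 8: rule 2 is the inserted r2'.
BOUNDARY_UNION = [(0, 2), (3, 5), (6, 15)]       # recorded before the update
FW2_UPDATED = {1: (0, 2), 2: (3, 4), 3: (4, 5), 4: (6, 15), 5: (0, 15)}
UPDATED = {2: FW2_UPDATED[2]}                     # the newly inserted r2'
UR_M = {1, 3}                                     # redundant last time, renumbered
R_NEW = {2, 3}                                    # result of the step 5 criterion

def scene2_redundant_set():
    """S2 from the lookup, then the final redundant set after the merge."""
    s2 = associated_rules(BOUNDARY_UNION, UPDATED, FW2_UPDATED)
    return s2, compare_and_merge(UR_M, s2, R_NEW)

if __name__ == "__main__":
    s2, final = scene2_redundant_set()
    print("S2 =", s2, "final redundant set =", final)
```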
6. The associated rules in the ACL according to claim 2, characterized in that:
In an ACL, a firewall policy is generally specified as a sequence of rules; generally, for a specific field in the ACL (the present invention takes the first field in the ACL, "source IP", as the specific field), rules whose values in this field have a non-empty intersection are called associated rules.
CN201410150528.7A 2014-04-15 2014-04-15 Method for detecting segmented redundancy in cross-domain collaboration firewalls Expired - Fee Related CN103973675B (en)

Publications (2)

Publication Number Publication Date
CN103973675A true CN103973675A (en) 2014-08-06
CN103973675B CN103973675B (en) 2017-05-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Ou Lu; Qin Zheng; Peng Sisi; Huang Xingchen; Li Wenjie; Liu Xiangyang
Inventor before: Peng Sisi; Qin Zheng; Huang Xingchen; Ou Lu; Li Wenjie; Liu Xiangyang
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20170524
Termination date: 20180415