Sectioned redundancy detection method for cross-domain cooperative firewalls
(1) technical field
The present invention relates to the field of computer network security, and specifically to a sectioned redundancy detection method for cross-domain cooperative firewalls.
(2) background technology
Firewalls, as a key network security technology, are widely deployed on the Internet. In a firewall policy, the number of firewall rules directly affects firewall throughput: as the number of rules grows, throughput drops significantly. In practice, however, a firewall commonly carries hundreds or thousands of rules, and with the explosive growth of Internet services the scale of firewall policies is also increasing rapidly. Therefore, to improve the execution speed of firewall policies and thereby network performance, firewall policies need to be optimized by techniques such as redundancy detection.
With the widespread deployment of virtual private networks (Virtual Private Network, abbreviated VPN), cooperative firewall technology across different management domains has emerged, which brings the following challenges to firewall policy optimization:
First, a cross-domain cooperative firewall (Cross-Domain Cooperative Firewall, abbreviated CDCF) refers to two firewalls deployed in different management domains that cooperate in enforcing a security policy. An inter-firewall redundant rule is defined as follows: given two adjacent firewalls FW1 and FW2 belonging to different management domains Net1 and Net2 respectively, where traffic flows from FW1 to FW2, a rule r in FW2 is an inter-firewall redundant rule with respect to FW1 if every packet that matches r in FW2, but matches none of the rules preceding r, is discarded by FW1. Clearly, the redundancy between two firewalls can only be removed if each knows the other's rules. Firewall policies, however, often contain confidential information and even potential security weaknesses, all of which could be exploited by an attacker. The prerequisite of CDCF policy optimization is therefore privacy protection: the optimization must let the two firewalls compute and compare without either party disclosing its firewall policy, and finally identify the inter-firewall redundant rules.
Second, a firewall's rule set may be updated frequently according to the network security administrator's needs, for example by adding, deleting or changing some rules; whenever the rule set is updated, inter-firewall redundancy must be detected again. Like a router in the network, a firewall cannot be shut down, so every update is applied in real time, and the redundancy detection after an update must also run in real time and complete as early as possible so that the updated security policy can take effect.
Therefore, for CDCF, policy optimization should be considered from the angle of privacy protection, and the optimization scheme must also meet the real-time update requirement of CDCF.
In 2011, a "privacy-preserving CDCF redundancy detection scheme" was first proposed (for ease of description, this scheme is hereinafter referred to as CDPP). Under the premise of privacy protection, it can detect the redundant rules between two adjacent firewalls in a cooperative network. However, a single run of this scheme incurs a considerable computation cost and communication cost, and if the firewalls are updated frequently, running it repeatedly brings a significant computation and communication cost. This scheme may therefore be unsuitable for frequently updated firewalls.
CDCF is a relatively new technology, and apart from the above scheme there are few reports on policy optimization for this class of firewall. The present invention mainly addresses the problem that the above scheme is unsuitable for frequently updated CDCF, improves CDPP, and on that basis proposes an efficient sectioned redundancy detection method (Sectioned Process for Redundancy Removal, abbreviated SPRR), which detects inter-firewall redundant rules in CDCF based on the idea of sectioned processing.
(3) summary of the invention
The problem to be solved by the present invention is that existing inter-firewall redundancy detection schemes for cooperative firewalls have too high a computation cost and communication cost and are unsuitable for frequently updated CDCF; to solve it, SPRR, an efficient sectioned redundancy removal method for CDCF, is proposed. In an access control list (access control list, abbreviated ACL), a firewall policy is generally specified as a sequence of rules, each of which comprises five fields (source IP, destination IP, source port, destination port, protocol) and one decision (accept or discard). In general, if the intersection of the values of a given field across some rules in an ACL is not empty, those rules are called correlated rules. The present invention takes the first field of the ACL (the source IP) as the specific field and proposes a "correlated rule search algorithm" to identify these correlated rules. The basic idea of the present invention is: after the ACL is updated, all rules correlated with the updated rules are found by the correlated rule search algorithm; then, following the idea of sectioned processing, the privacy-preserving inter-firewall redundancy detection scheme is run only on these correlated rules. By reducing the scale of the data processed in redundancy detection, the processing time, comparison time and communication cost of redundancy detection are reduced.
The main solution of the present invention specifically comprises the following five steps.
Step 1: For firewalls FW1 and FW2 in different management domains Net1 and Net2, if FW1 and FW2 have never performed inter-firewall redundancy detection since forming a CDCF, perform the first inter-firewall redundancy detection, i.e. carry out step 2 and step 3 respectively. If FW1 and FW2 have already completed the first inter-firewall redundancy detection since forming a CDCF, analyze the update status of FW1 and FW2 and classify it into one of the following three update scenarios: [Scenario 1] FW1 is updated and FW2 remains unchanged; [Scenario 2] FW2 is updated and FW1 remains unchanged; [Scenario 3] FW1 and FW2 are updated simultaneously. For [Scenario 1], carry out step 2; for [Scenario 2], carry out step 3; for [Scenario 3], treat FW1 and FW2 as two new firewalls and, as in the first inter-firewall redundancy detection, carry out step 2 and step 3 respectively.
Step 2: The object of this step is to transform FW1. The transformation of FW1 comprises the following 9 sub-steps:
(1) Run the "correlated rule search algorithm" to find the subset S1 of rules in FW1 that are correlated with the updated rules. Note that for the first inter-firewall redundancy detection, S1 is the whole rule set of FW1.
(2) Construct the subgraph of the firewall decision diagram (subgraph of firewall decision diagram, abbreviated SFDD) from S1, and further reduce the size of the SFDD by merging isomorphic subgraphs. For the first inter-firewall redundancy detection, record the union of the boundary values of all outgoing edges of the first node F1 of the SFDD; for [Scenario 1], record the boundary values of all outgoing edges of the first node F1 of the SFDD and take the union of them with the range subset of the previously recorded union that was not updated, obtaining the new union of the boundary values of all outgoing edges of node F1. Note that a firewall decision diagram (firewall decision diagram, abbreviated FDD) is an acyclic directed graph for analyzing a firewall FW whose sequence of rules <r1, …, rn> is defined over the fields F1, …, Fd. An FDD has the following 5 properties: a) exactly one node has no incoming edge, called the root node, and the nodes without outgoing edges are called terminal nodes; b) each node v has a label F(v); if v is a non-terminal node then F(v) ∈ {F1, …, Fd}, and if v is a terminal node then F(v) denotes a decision; c) each edge e from a node u to a node v is labeled with a non-empty integer range I(e), which is a subset of the domain D(F(u)) of u, where D(F(u)) is a predefined non-negative integer interval; d) the set of all outgoing edges of node v, denoted E(v), satisfies two conditions: 1. consistency: for any two distinct edges e and e' in E(v), the ranges I(e) and I(e') are disjoint; 2. completeness: the union of I(e) over all edges e in E(v) equals D(F(v)); e) a directed path from the root node to a terminal node is called a decision path, and each path in the FDD corresponds to a non-overlapping rule. The SFDD proposed in the present invention is an acyclic directed graph, based on the FDD, for describing the correlated rules of a firewall; the only difference between the SFDD and the FDD is that the SFDD describes the correlated rules in the ACL, whereas the FDD describes all rules in the ACL.
(3) Net1 extracts all non-overlapping discard rules from the SFDD.
(4) Net1 converts the range [a', b'] of each field Fk in every extracted non-overlapping discard rule into an equivalent minimum prefix set, denoted T([a', b']). For example, T([5,15]) = {0101, 011*, 1***}.
(5) Net1 computes the union of the minimum prefix sets obtained from all non-overlapping discard rules. Note that identical prefixes are not listed repeatedly in the result.
(6) Net1 numericalizes each prefix and encrypts it with K1, then sends the prefixes encrypted with K1 to Net2. The numericalization method used here is: given a w-bit prefix b1b2…bk*…*, first insert a bit 1 after bk; this bit 1 serves as the separator between b1b2…bk and *…*. Then replace each * with 0. For example, 11** is converted into 11100. If the prefix contains no *, a 1 is appended in the last position; for example, 1000 is converted into 10001.
(7) Net2 further encrypts these prefixes with K2, then sends the prefixes double-encrypted with K1 and K2 back to Net1.
(8) Since Net1 knows the correspondence between the prefixes and the fields of the non-overlapping rules, Net1 reconstructs the non-overlapping rules from these double-encrypted prefixes.
(9) Net1 assigns a unique random index to each reconstructed non-overlapping rule; this index is used in the later redundancy detection process.
After the transformation of FW1 is complete, Net1 obtains from FW1 a series of "double-encrypted non-overlapping rules", each denoted (F1 ∈ T1) ∧ … ∧ (Fd ∈ Td) → discard, where Fi (1 ≤ i ≤ d) denotes a field and Ti denotes a set of double-encrypted values. Then, proceed to step 4.
Step 3: The object of this step is to transform FW2. The transformation of FW2 comprises the following 7 sub-steps:
(1) For [Scenario 2], according to the result of the previous inter-firewall redundancy detection, record the sequence numbers, within the updated rule set, of the rules that were judged redundant last time, denoted Ur_m, where rm (1 ≤ m ≤ n) is a rule of FW2: <r1, …, rn>. Note that for the first inter-firewall redundancy detection this sub-step is skipped and the transformation of FW2 starts directly at sub-step (2).
(2) Run the "correlated rule search algorithm" to find the subset S2 of rules in FW2 that are correlated with the updated rules. Note that for the first inter-firewall redundancy detection, S2 is the whole rule set of FW2.
(3) Construct the all-match subgraph of the firewall decision diagram (all-match subgraph of firewall decision diagram, abbreviated all-match SFDD) from S2. For the first inter-firewall redundancy detection, record the union of the boundary values of all outgoing edges of the first node F1 of the all-match SFDD; for [Scenario 2], record the boundary values of all outgoing edges of the first node F1 of the all-match SFDD and take the union of them with the range subset of the previously recorded union that was not updated, obtaining the new union of the boundary values of all outgoing edges of node F1. Note that the difference between an all-match SFDD and an SFDD lies in the terminal nodes. In an SFDD each terminal node is labeled with a decision, whereas in an all-match SFDD each terminal node is labeled with a non-empty sequence of rule sequence numbers; for rule ri (1 ≤ i ≤ n), i is called the sequence number of ri. The sequence of rule numbers labeling a terminal node contains the sequence numbers of all rules that overlap the decision path ending at that terminal node.
(4) Net2 extracts all non-overlapping rules from the all-match SFDD and represents the range [a, b] of each field Fk in each non-overlapping rule in the form of the prefix families F(a) and F(b).
(5) Net2 computes, for each field Fk, the union of the prefix families obtained from all non-overlapping rules. Note that identical prefix families are not listed repeatedly in the result. Then the prefix families are expressed as multiple prefixes, as follows: if the binary representation of a is k bits long, the prefix family F(a) consists of k+1 prefixes, and the i-th prefix is obtained by replacing the last i−1 bits of a with *. For example, 10 in binary is 1010, so F(10) = {1010, 101*, 10**, 1***, ****}.
(6) Net2 numericalizes each prefix and encrypts it with K2, then sends the prefixes encrypted with K2 to Net1. Note that the numericalization method used here is the one described above.
(7) Net1 further encrypts these prefixes with K1.
After the transformation of FW2 is complete, Net1 obtains from FW2 d groups of double-encrypted values, denoted Τ1 … Τd, the d groups of double-encrypted value sets of FW2. Then, proceed to step 4.
Step 4: Covering redundancy detection. For each field Fi (1 ≤ i ≤ d) of FW1 and each value a in the double-encrypted value set Τi of FW2, Net1 checks whether there exists a double-encrypted rule (F1 ∈ T1) ∧ … ∧ (Fd ∈ Td) → discard such that a ∈ Ti. If rule ri satisfies the condition, Net1 associates a with the rule index i. Since several rules may satisfy the condition, Net1 may ultimately associate a with a set of rule indices. If the condition is not satisfied, Net1 associates a with the empty set. Finally, Net1 replaces each value in Τ1 … Τd with its corresponding set of rule indices and sends the result to Net2. From the result it receives, Net2 finds the rule indices that overlap each prefix family. For a non-overlapping rule nr extracted from the all-match SFDD of FW2, if all of its prefix families overlap the same discard rule nr' extracted from the SFDD of FW1, then nr is covered by nr' and nr is redundant. Next, proceed to step 5.
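The encodings of steps 2 and 3 (minimum prefix set T, prefix family F, numericalization) and the covering redundancy detection of step 4, worked as an added example that is not code from the patent. Field width (4 bits, as in T([5,15]) and F(10)), the two-field discard rules, the non-overlapping rules of FW2 and the cipher are all assumptions: the patent only says "encrypt with K1 / K2", and because Net1 and Net2 compare values encrypted in opposite orders, a commutative cipher (modular exponentiation, Pohlig-Hellman style, with toy parameters) is used here.

```python
# Added example, not code from the patent: T, F, numericalization and the
# two-party covering redundancy detection on constructed 4-bit, two-field rules.
# Cipher: x -> x^K mod P, which commutes (enc(K1, enc(K2, x)) == enc(K2, enc(K1, x))).
# P, K1 and K2 are toy assumptions, not values from the patent.

W = 4                      # field width in bits, as in T([5,15]) and F(10)
P = (1 << 61) - 1          # prime modulus (assumption)
K1, K2 = 65537, 1000003    # toy keys, both coprime to P-1 so enc is a permutation


def range_to_prefixes(lo, hi, w=W):
    """Minimum prefix set T([lo, hi]) of step 2 (4): T([5,15]) = {0101, 011*, 1***}."""
    out = []

    def split(p_lo, p_hi, bits):        # [p_lo, p_hi] is the aligned block named by `bits`
        if p_hi < lo or p_lo > hi:      # block disjoint from the range: nothing to emit
            return
        if lo <= p_lo and p_hi <= hi:   # block fully inside the range: one prefix
            out.append(bits + "*" * (w - len(bits)))
            return
        mid = (p_lo + p_hi) // 2        # otherwise split the block in two halves
        split(p_lo, mid, bits + "0")
        split(mid + 1, p_hi, bits + "1")

    split(0, (1 << w) - 1, "")
    return out


def prefix_family(a, w=W):
    """F(a) of step 3 (5): replace the last i bits of a with *, for i = 0..w."""
    bits = format(a, f"0{w}b")
    return [bits[: w - i] + "*" * i for i in range(w + 1)]


def numericalize(prefix):
    """Step 2 (6): insert a 1 after the last fixed bit, replace * by 0 (11** -> 11100)."""
    k = len(prefix.rstrip("*"))
    return int(prefix[:k] + "1" + "0" * (len(prefix) - k), 2)


def enc(key, x):
    """Commutative toy encryption used for both K1 and K2."""
    return pow(x, key, P)


def covered_by(fw1_discard_rules, nr):
    """Step 4 as the exchange between Net1 and Net2.
    fw1_discard_rules: {index: [(lo, hi) per field]} from FW1's SFDD.
    nr: [(a, b) per field], one non-overlapping rule from FW2's all-match SFDD.
    Returns the indices of FW1 discard rules covering nr (non-empty => nr redundant)."""
    # Net1: range -> T -> numericalize -> K1; Net2 adds K2 and returns; Net1 rebuilds
    # the double-encrypted rules (F1 in T1) ^ (F2 in T2) -> discard under its indices.
    dbl_rules = {
        idx: [{enc(K2, enc(K1, numericalize(p))) for p in range_to_prefixes(lo, hi)}
              for lo, hi in fields]
        for idx, fields in fw1_discard_rules.items()
    }
    # Net2: endpoint -> F -> numericalize -> K2; Net1 adds K1. The cipher commutes,
    # so a double-encrypted family value equals a double-encrypted T value exactly
    # when the underlying prefixes are equal, i.e. when the endpoint lies in the range.
    families = [[{enc(K1, enc(K2, numericalize(p))) for p in prefix_family(v)} for v in (a, b)]
                for a, b in nr]
    # Net1: replace each value by the set of rule indices whose field-i set contains
    # it (empty set if none) and return the maps to Net2.
    index_maps = [
        [{v: {idx for idx, f in dbl_rules.items() if v in f[i]} for v in fam} for fam in pair]
        for i, pair in enumerate(families)
    ]
    # Net2: nr is covered when one and the same discard rule overlaps every
    # prefix family of nr, i.e. both endpoints of every field.
    covering = None
    for pair in index_maps:
        for fam_map in pair:
            hit = set().union(*fam_map.values())
            covering = hit if covering is None else covering & hit
    return covering or set()
```

Net2 never sees FW1's ranges and Net1 never sees FW2's endpoints; each side only learns which double-encrypted values coincide, which is what the prefix-membership test needs.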
Step 5: From the preceding steps, Net2 can identify the redundant non-overlapping rules in FW2. Next, Net2 needs to identify which original rules are inter-firewall redundant rules. Since every path in the all-match SFDD of FW2 corresponds to a non-overlapping rule, the paths corresponding to redundant non-overlapping rules are called redundant paths and the remaining paths are called effective paths. Inter-firewall redundant rules are identified according to the following definition: given a firewall FW2: <r1, …, rn> without intra-firewall redundancy and its all-match SFDD, rule ri in FW2 is an inter-firewall redundant rule with respect to FW1 if and only if the following two conditions hold: (1) there exists a redundant path whose terminal node contains sequence number i; (2) there exists no effective path whose terminal node contains i as its smallest element. At this point, Net2 can identify the set R_new of inter-firewall redundant rules in FW2 with respect to FW1. Note that for [Scenario 2] it is also necessary to use the R_new just obtained, the Ur_m obtained in step 3 and S2 in the "compare and merge redundant rules algorithm" to obtain the final complete set of inter-firewall redundant rules in FW2 with respect to FW1.
The detailed procedure of the "correlated rule search algorithm" in step 2 and step 3 is as follows:
Take the value of the first field of the updated rule r, denoted UR (this value is a numerical interval); traverse all values of the union recorded in step 2 or step 3 (each value is also a numerical interval), extract those that intersect UR and form a temporary set S_t; traverse the original rule set of firewall FW1 or FW2, extract the value of the first field of every rule, denoted OR(i) (where i denotes the rule sequence number), and if any value in the temporary set S_t intersects OR(i), add rule i to the set S. After the original rule set has been traversed, the resulting set S contains all the correlated rules sought.
The detailed procedure of the "compare and merge redundant rules algorithm" in step 5 is as follows:
Traverse the Ur_m obtained in step 3; if a rule r in Ur_m also lies in the correlated rule set S2 obtained in step 3, remove r from Ur_m. After the traversal, take the union of the reduced set U'r_m and the new redundant rule set R_new obtained in step 5; the resulting set is the complete redundant rule set after the update.
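The two algorithms above, implemented as an added example that is not code from the patent. The rule set, the recorded intervals of F1 and the previous redundancy result are constructed for illustration (they are not the patent's figures); intervals are closed integer pairs on the first field, as the correlation criterion requires.

```python
# Added example, not code from the patent: the "correlated rule search
# algorithm" and the "compare and merge redundant rules algorithm".
# All data below is constructed for illustration.

def intersects(x, y):
    """Closed integer intervals (lo, hi) share at least one value."""
    return x[0] <= y[1] and y[0] <= x[1]


def correlated_rules(update_range, recorded_ranges, original_rules):
    """update_range: UR, the first-field interval of the updated rule.
    recorded_ranges: the intervals recorded for the first node F1 (step 2 / step 3).
    original_rules: {sequence number i: OR(i)}, first-field intervals of the firewall.
    Returns S, the sequence numbers of all rules correlated with the update."""
    # Temporary set S_t: recorded intervals that intersect UR. This is what makes
    # the method "sectioned": only the section of F1 touched by the update matters.
    s_t = [v for v in recorded_ranges if intersects(v, update_range)]
    return {i for i, r in original_rules.items()
            if any(intersects(v, r) for v in s_t)}


def merge_redundant(ur_m, s2, r_new):
    """Drop from Ur_m every rule that was re-examined in S2 (its verdict is
    superseded by R_new), then take the union with R_new."""
    return (set(ur_m) - set(s2)) | set(r_new)


# Constructed sample: intervals recorded for F1 in the previous detection, and the
# first-field intervals of the updated FW2 keyed by sequence number.
RECORDED_F1 = [(0, 2), (3, 5), (6, 15)]
FW2_FIRST_FIELD = {1: (0, 2), 2: (3, 5), 3: (4, 9), 4: (12, 15), 5: (5, 5), 6: (6, 9)}


def scenario2_demo():
    """FW2 updated inside [3,5]; rules 1 and 3 were redundant last time (Ur_m),
    and the new detection over S2 finds rule 2 redundant (R_new)."""
    s2 = correlated_rules((4, 4), RECORDED_F1, FW2_FIRST_FIELD)
    return s2, merge_redundant({1, 3}, s2, {2})
```

Rule 6 spans [6,9] and touches rule 3's interval, but it is not correlated, because correlation is decided through the recorded F1 intervals hit by the update, not transitively through other rules.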
The sectioned redundancy removal method provided by the present invention can respond quickly to all kinds of CDCF update situations and, under the premise of privacy protection, efficiently identify and remove inter-firewall redundant rules.
(4) description of the drawings
Fig. 1 is the system model of the cross-domain cooperative firewall of the present invention.
Fig. 2 is a schematic diagram of the rules of firewalls FW1 and FW2 in the example.
Fig. 3 is the transformation process of FW1 during the first inter-firewall redundancy detection.
Fig. 4 is the transformation process of FW2 during the first inter-firewall redundancy detection.
Fig. 5 shows the effective paths and redundant paths of the all-match SFDD during the first inter-firewall redundancy detection.
Fig. 6 is a schematic diagram of the policy update of firewall FW1 in the example.
Fig. 7 is the transformation process of FW1 when FW1 is updated and FW2 remains unchanged in the example.
Fig. 8 is a schematic diagram of the policy update of firewall FW2 in the example.
Fig. 9 is the transformation process of FW2 when FW2 is updated and FW1 remains unchanged in the example.
Fig. 10 shows the effective paths and redundant paths of the all-match SFDD of FW2 when FW2 is updated and FW1 remains unchanged in the example.
Fig. 11 is a chart of the encryption time of the CDPP scheme and the SPRR scheme in the scenario where FW1 is updated and FW2 remains unchanged.
Fig. 12 is a chart of the redundancy detection time of the CDPP scheme and the SPRR scheme in the scenario where FW1 is updated and FW2 remains unchanged.
Fig. 13 is a chart of the encryption time of the CDPP scheme and the SPRR scheme in the scenario where FW2 is updated and FW1 remains unchanged.
Fig. 14 is a chart of the redundancy detection time of the CDPP scheme and the SPRR scheme in the scenario where FW2 is updated and FW1 remains unchanged.
Fig. 15 is a chart of the communication cost of the CDPP scheme and the SPRR scheme in the scenario where FW1 is updated and FW2 remains unchanged.
Fig. 16 is a chart of the communication cost of the CDPP scheme and the SPRR scheme in the scenario where FW2 is updated and FW1 remains unchanged.
Fig. 17 shows the 5 possible update situations of firewalls FW1 and FW2 in a CDCF.
Fig. 18 is a table of the firewall rule set configurations used in the comparison experiments between the CDPP scheme and the SPRR scheme.
Fig. 19 shows the redundancy ratios computed under the different update scenarios in the comparison experiments between the CDPP scheme and the SPRR scheme.
(5) specific embodiments
Consider a model of two firewalls in different domains, firewall 1 and firewall 2, which belong to two different management domains Net1 and Net2 respectively, with traffic flowing from firewall 1 to firewall 2, as shown in Fig. 1. FW1 denotes firewall 1, called the ingress firewall policy; FW2 denotes firewall 2, called the egress firewall policy. For a rule r in FW2, if every packet that matches r in FW2 but matches none of the rules preceding r is discarded by FW1, then rule r can be removed, because a packet matching rule r never reaches FW2; rule r is thus an inter-firewall redundant rule of FW2 with respect to FW1. Clearly, in Fig. 1, all packets matching r2 and r3 in FW2 (r1 being rule 1) are discarded by r2' in FW1. Hence r2 and r3 in FW2 are inter-firewall redundant with respect to r2' in FW1.
Next, the present invention illustrates the specific implementation of SPRR with an example. For ease of presentation, the rules of the example firewalls have only two fields and one decision. As shown in Fig. 2, FW1 is the ingress firewall and belongs to management domain Net1; FW2 is the egress firewall and belongs to management domain Net2. First, the first inter-firewall redundancy detection is performed on them.
The specific implementation of the first inter-firewall redundancy detection is as follows:
Step 1: Transform FW1.
(1) Run the "correlated rule search algorithm"; for the first inter-firewall redundancy detection its output S1 is the whole rule set of FW1, as shown in Fig. 3(a): S1 = {r1', r2', r3', r4', r5'}. (2) Construct the SFDD from S1, record the union of the boundary values of all outgoing edges of the first node F1 of the SFDD, and further reduce the size of the SFDD by merging isomorphic subgraphs, as shown in Fig. 3(b). (3) Net1 extracts all non-overlapping discard rules from the SFDD, as shown in Fig. 3(c). (4) Net1 converts the range [a', b'] of each field Fk in every extracted non-overlapping discard rule into an equivalent minimum prefix set, as shown in Fig. 3(d). (5) Net1 computes the union of the minimum prefix sets obtained from all non-overlapping discard rules, as shown in Fig. 3(e). (6) Net1 numericalizes each prefix and encrypts it with K1, then sends the encrypted prefixes to Net2, as shown in Fig. 3(f). (7) Net2 further encrypts these prefixes with K2 and sends the result back to Net1, as shown in Fig. 3(g). (8) Net1 reconstructs the non-overlapping rules from the double-encrypted prefixes and assigns the unique random indices 13, 27, 17 and 45 to the reconstructed non-overlapping rules, as shown in Fig. 3(h).
Step 2: Transform FW2.
(1) Run the "correlated rule search algorithm"; for the first inter-firewall redundancy detection its output S2 is the whole rule set of FW2, as shown in Fig. 4(a): S2 = {r1, r2, r3, r4}. (2) Construct the all-match SFDD from S2 and record the union of the boundary values of all outgoing edges of the first node F1 of the all-match SFDD, as shown in Fig. 4(b). (3) Net2 extracts all non-overlapping rules from the all-match SFDD and represents the range [a, b] of each field Fk in each non-overlapping rule in the form of the prefix families F(a) and F(b), as shown in Fig. 4(c). (4) Net2 computes, for each field Fk, the union of the prefix families obtained from all non-overlapping rules, as shown in Fig. 4(d). (5) Net2 numericalizes each prefix and encrypts it with K2, then sends the prefixes encrypted with K2 to Net1, as shown in Fig. 4(e). (6) Net1 further encrypts these prefixes with K1, as shown in Fig. 4(f).
Step 3: Covering redundancy detection. Net1 compares the double-encrypted values of each field Fi (i = 1, 2) of the "double-encrypted non-overlapping rules" with each double-encrypted value a in the double-encrypted value set Τi of FW2, so that each value in Τ1, Τ2 corresponds either to the indices of the double-encrypted non-overlapping rules or to the empty set; Net1 then sends this result to Net2, and from the result it receives Net2 finds the rule indices that overlap each prefix family. In this example, Net2 finally detects that nr2, nr4 and nr6 among the non-overlapping rules extracted from the all-match SFDD are redundant.
Step 4: According to the detection result of step 3, since nr2, nr4 and nr6 are redundant non-overlapping rules, the 2nd, 4th and 6th paths in the all-match SFDD are redundant paths, and the remaining paths 1, 3 and 5 are effective paths. As shown in Fig. 5, the terminal node of redundant path 2 contains rule sequence numbers 1, 2 and 4; the terminal node of redundant path 4 contains rule sequence numbers 2 and 4; the terminal node of redundant path 6 contains rule sequence number 4. Because the terminal nodes of effective paths 1, 3 and 5 contain rule sequence number 4 but do not contain rule sequence numbers 1 and 2, the set of inter-firewall redundant rules in FW2 with respect to FW1 is R_new = {r1, r2}.
At this point, SPRR has completed the first inter-firewall redundancy detection.
Below, the update situations of CDCF are analyzed. As shown in Fig. 17, FW1 and FW2 in a CDCF may undergo the following 5 kinds of update: 1. the decision of some rule in FW2 changes; 2. the decision of some rule in FW1 changes from discard to accept; 3. the decision of some rule in FW1 changes from accept to discard; 4. some rules are added to or deleted from FW1; 5. some rules are added to or deleted from FW2. For a CDCF that has completed the first inter-firewall redundancy detection, the above 5 update situations are classified into 3 update scenarios: [Scenario 1] FW1 is updated and FW2 remains unchanged; [Scenario 2] FW2 is updated and FW1 remains unchanged; [Scenario 3] FW1 and FW2 are updated simultaneously.
Next, the specific implementation of SPRR under each of these 3 update scenarios is analyzed.
[Scenario 1] FW1 is updated and FW2 remains unchanged.
Based on the 5 possible update situations of FW1 and FW2 in Fig. 17, the updates that may occur under this scenario are: a) only an update of situation 2; b) only an update of situation 3; c) only an update of situation 4; d) updates of any two of situations 2, 3 and 4; e) updates of situations 2, 3 and 4 simultaneously.
Below, based on the FW1 and FW2 of the first inter-firewall redundancy detection example, the rules of FW1 are updated as shown in Fig. 6 (the decisions of the original rules r1' and r2' are changed, and a new rule r5'' is added between the original rules r4' and r5'), and then inter-firewall redundancy detection is performed.
The specific implementation of SPRR under [Scenario 1] is as follows:
Step 1: Transform FW1. The transformation of FW1 under [Scenario 1] is shown in Fig. 7.
(1) Since the union of boundary values was recorded in the previous redundancy removal before this firewall update, and the first field F1 of the updated rules of FW1 falls within the range subset {[0,3], [8,15]} of that union, running the "correlated rule search algorithm" yields the subset S1 = {r1'', r2'', r5'', r6''} of rules in FW1 correlated with the updated rules, as shown in Fig. 7(a). (2) Construct the SFDD from S1 (note that F1 of the SFDD is defined on the range subset {[0,3], [8,15]}), further reduce the size of the SFDD by merging isomorphic subgraphs, record the boundary values of all outgoing edges of the first node F1 of the SFDD, and take their union with the un-updated range subset {[4,7]} of the previously recorded union to obtain the new union of the boundary values of all outgoing edges of node F1, as shown in Fig. 7(b). (3) Net1 extracts all non-overlapping discard rules from the SFDD, as shown in Fig. 7(c). (4) Net1 converts the range [a', b'] of each field Fk in every extracted non-overlapping discard rule into an equivalent minimum prefix set, as shown in Fig. 7(d). (5) Net1 computes the union of the minimum prefix sets obtained from all non-overlapping discard rules, as shown in Fig. 7(e). (6) Net1 numericalizes each prefix and encrypts it with K1, then sends the prefixes encrypted with K1 to Net2, as shown in Fig. 7(f). (7) Net2 further encrypts these prefixes with K2 and sends the result back to Net1, as shown in Fig. 7(g). (8) Net1 reconstructs the non-overlapping rules from the double-encrypted prefixes and assigns the unique random indices 12, 19 and 21 to the reconstructed non-overlapping rules, as shown in Fig. 7(h).
Step 2: Covering redundancy detection. The covering redundancy detection under [Scenario 1] is similar to "step 3 of the specific implementation of the first inter-firewall redundancy detection": the double-encrypted values of each field Fi (i = 1, 2) of the "double-encrypted non-overlapping rules" obtained in step 1 are compared with each double-encrypted value a in the double-encrypted value set Τi of FW2 recorded in the previous redundancy removal before the update. In this example, Net2 detects no redundant rule among the non-overlapping rules of FW2.
Step 3: The process of identifying the inter-firewall redundant rules among the original rules of FW2 under [Scenario 1] is similar to "step 4 of the specific implementation of the first inter-firewall redundancy detection". In this example, however, since no redundant non-overlapping rule was detected in step 2, it can be concluded directly that, with respect to the updated FW1, the original FW2 has no redundant rule; therefore the rules r1 and r2 detected as redundant in the previous redundancy removal need to be added back into FW2.
At this point, SPRR has completed inter-firewall redundancy detection under [Scenario 1].
[Scenario 2] FW2 is updated and FW1 remains unchanged.
Based on the 5 possible update situations of FW1 and FW2 in Fig. 17, the updates that may occur under this scenario are: a) only an update of situation 1; b) only an update of situation 5; c) updates of situations 1 and 5 simultaneously.
For a), no processing of the firewalls is needed, because inter-firewall redundancy detection does not need to consider the decisions of the rules in FW2.
For b) and c), run the SPRR scheme.
Below, based on the FW1 and FW2 of the first inter-firewall redundancy detection example, the rules of FW2 are updated as shown in Fig. 8 (a new rule r2' is added between the original rules r1 and r2), and then inter-firewall redundancy detection is performed.
The specific implementation of SPRR under [Scenario 2] is as follows:
Step 1: transform FW
2.[scene 2] lower FW
2conversion process as shown in Figure 9.
(1) according to the result of the redundancy detection between last fire compartment wall, last those regular sequence number Ur that are judged as redundancy in the rule set after record upgrades
m={ r
1 ', r
3 '.(2) because record in the upper once de-redundancy process before fire compartment wall this time upgrades
And FW
2after renewal, first field F of its update rule
1drop on
scope subset { [3,5] } upper, so operation " correlation rule is searched algorithm " can obtain FW
2in the regular subset S that is associated with update rule
2={ r
2 ', r
3 ', r
5 ', as shown in Fig. 9 (a).(3) according to S
2structure all-match SFDD (notes the F of all-match SFDD
1be defined in scope subset { [3,5] }), record first node F of all-match SFDD
1all output boundary upper boundary values
And by its with
in the scope subset { [0,2], [6,15] } do not upgraded do and set operation, obtain new node F
1the union of all output boundary upper boundary values
={ [0,2], [3,3], [4,5], [6,15] }, as shown in Fig. 9 (b).(4) Net
2from all-match SFDD, extract all non-overlapped rules, and by each field F in each non-overlapped rule
kthe form F of prefix family (a) and F (b) expression for span [a, b], as shown in Fig. 9 (c).(5) Net
2calculate each field F
kunder the union of the prefix family that obtains in all non-overlapped rules, as shown in Fig. 9 (d).(6) quantize each prefix use K of Net2
2encrypt, then by K
2prefix after encryption sends to Net
2, as shown in Fig. 9 (e).(7) Net
1use K
1further encrypt these prefixes, as shown in Fig. 9 (f).
Step 2: coverage redundancy detection. The coverage redundancy detection process under [scene 2] is similar to step 3 of the specific implementation process of the first inter-firewall redundancy detection: each double-encrypted value a in the FW_2 double-encrypted value set T_i obtained in step 1 is compared with the double-encrypted values under each field F_i (i = 1, 2) of the "double-encrypted non-overlapping rules" recorded in the last de-redundancy process before the update. In this example, Net_2 finally detects that nr_2 and nr_4, among the non-overlapping rules extracted from the all-match SFDD, are redundant.
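The prefix-family and double-encryption mechanics used by step 1 (4)-(7) and by the coverage redundancy detection of step 2 (under both [scene 1] and [scene 2]) are shown below as an added, runnable example; it is not code from the patent. Assumptions of this example: a Pohlig-Hellman style commutative cipher (exponentiation modulo a fixed Mersenne prime) stands in for the unspecified commutative encryption, numericalized prefixes are hashed with SHA-256 into the group, the field width is 4 bits, and the ranges and boundary values in demo() are constructed to mirror the range subsets quoted above. The membership rule implemented is the standard one: a number x lies in [a,b] exactly when the prefix family F(x) shares a prefix with the prefix set covering [a,b].

```python
"""Prefix-family membership under two-party commutative ("double") encryption.

Added example, not code from the patent.  It realises the operations the scene
descriptions name: a range [a, b] becomes a set of prefixes, a number x becomes
its prefix family F(x), every prefix is numericalised and encrypted by one
domain, re-encrypted by the other, and membership is decided by comparing the
double-encrypted values.  Assumptions: Pohlig-Hellman style exponentiation
modulo a fixed prime as the commutative cipher, SHA-256 to map numericalised
prefixes into the group, a 4-bit field width, constructed inputs in demo().
"""
import hashlib
import random
import secrets
from math import gcd
from typing import List, Set, Tuple

Prefix = Tuple[int, int]          # (prefix bits, prefix length)

P = (1 << 127) - 1                # Mersenne prime; plaintexts live in Z_P^*
_rng = random.SystemRandom()


def keygen() -> int:
    """Exponent coprime to P-1, so that m -> m^k mod P is a bijection."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if gcd(k, P - 1) == 1:
            return k


def enc(m: int, k: int) -> int:
    """Commutative: enc(enc(m, k1), k2) == enc(enc(m, k2), k1) == m^(k1*k2)."""
    return pow(m, k, P)


def range_to_prefixes(lo: int, hi: int, width: int) -> List[Prefix]:
    """Minimal prefix set covering [lo, hi] (recursive binary split)."""
    out: List[Prefix] = []

    def rec(bits: int, length: int) -> None:
        shift = width - length
        start = bits << shift                    # first value the prefix matches
        end = start | ((1 << shift) - 1)         # last value the prefix matches
        if end < lo or start > hi:
            return
        if lo <= start and end <= hi:
            out.append((bits, length))
            return
        rec(bits << 1, length + 1)
        rec((bits << 1) | 1, length + 1)

    rec(0, 0)
    return out


def prefix_family(x: int, width: int) -> List[Prefix]:
    """F(x): x itself and every shorter prefix of x, down to the empty prefix."""
    return [(x >> (width - length), length) for length in range(width, -1, -1)]


def numericalize(prefix: Prefix, width: int) -> int:
    """Unique integer for a prefix: append a 1 bit after the prefix, pad with 0s."""
    bits, length = prefix
    return ((bits << 1) | 1) << (width - length)


def to_group(prefix: Prefix, width: int) -> int:
    """Hash the numericalised prefix into [2, P-1] (never 0 or 1)."""
    n = numericalize(prefix, width)
    h = int.from_bytes(hashlib.sha256(f"{width}:{n}".encode()).digest(), "big")
    return h % (P - 2) + 2


def in_range_plain(x: int, lo: int, hi: int, width: int) -> bool:
    """Plaintext form of the test: x in [lo, hi]  <=>  F(x) meets the prefix set."""
    return bool(set(prefix_family(x, width)) & set(range_to_prefixes(lo, hi, width)))


def run_protocol(net1_ranges: List[Tuple[int, int]], net2_values: List[int],
                 width: int) -> List[List[bool]]:
    """Net_1 holds ranges, Net_2 holds numbers; neither sees the other's plaintext.
    Returns matrix[i][j] = whether net2_values[i] lies in net1_ranges[j]."""
    k1, k2 = keygen(), keygen()
    # Net_1 -> Net_2: prefix sets of its ranges, encrypted under K_1, shuffled so
    # that the position of a ciphertext does not reveal the prefix length.
    msg1: List[List[int]] = []
    for lo, hi in net1_ranges:
        cs = [enc(to_group(p, width), k1) for p in range_to_prefixes(lo, hi, width)]
        _rng.shuffle(cs)
        msg1.append(cs)
    # Net_2 re-encrypts under K_2 and keeps the double-encrypted range sets.
    dbl_ranges: List[Set[int]] = [{enc(c, k2) for c in cs} for cs in msg1]
    # Net_2 -> Net_1: prefix families of its numbers, encrypted under K_2.
    msg2 = [[enc(to_group(p, width), k2) for p in prefix_family(x, width)]
            for x in net2_values]
    # Net_1 re-encrypts under K_1 and returns the double-encrypted families.
    dbl_values: List[Set[int]] = [{enc(c, k1) for c in cs} for cs in msg2]
    # Net_2 decides membership by set intersection on the double-encrypted values.
    return [[bool(fam & rng) for rng in dbl_ranges] for fam in dbl_values]


def demo() -> List[List[bool]]:
    """Constructed inputs: Net_1's F_1 range subsets {[3,5],[0,2],[6,15]} and
    four Net_2 boundary values, over a 4-bit field."""
    return run_protocol([(3, 5), (0, 2), (6, 15)], [3, 5, 7, 0], width=4)


if __name__ == "__main__":
    for x, row in zip([3, 5, 7, 0], demo()):
        print(x, row)
```

The equality test on double-encrypted values works only because the cipher is deterministic and commutative; that same property is why each party should shuffle what it sends, since otherwise the order of ciphertexts leaks the prefix lengths and therefore part of the plaintext structure.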
Step 3: According to the detection result of step 2, since nr_2 and nr_4 are redundant non-overlapping rules, the 2nd and 4th paths of the all-match SFDD are redundant paths and the remaining 1st and 3rd paths are active paths. As shown in Figure 10, the terminal node of redundant path 2 contains rule sequence numbers 3 and 5, and the terminal node of redundant path 4 contains rule sequence numbers 2, 3 and 5; because the terminal nodes of active paths 1 and 3 contain rule sequence number 5 but contain neither 2 nor 3, the set of inter-firewall redundant rules in FW_2 with respect to FW_1 is R_new = {r_2', r_3'}. Taking R_new, the Ur_m obtained in step 1 and S_2 as the input of the "compare and merge redundant rules algorithm" finally yields the set of inter-firewall redundant rules in FW_2 with respect to FW_1: {r_1', r_2', r_3'}.
So far, SPRR has completed the inter-firewall redundancy detection under [scene 2].
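The bookkeeping of [scene 2], that is, the associated-rule lookup of step 1 (2), the redundant-path analysis of step 3 and the merge with the previous round's result, is given below as an added example; it is not the patent's code. The F_1 ranges of r_1'..r_5' and the terminal-node contents of the four paths are constructed so that they reproduce the sets quoted from Figures 9 and 10 (S_2, R_new, Ur_m), and the merge rule in merge_redundant() is an assumption, because the page names the "compare and merge redundant rules algorithm" but does not define it: rules in S_2 were re-evaluated this round and take the verdict R_new, rules outside S_2 keep last round's verdict from Ur_m.

```python
"""Scene-2 bookkeeping around the all-match SFDD: associated-rule lookup,
redundant-path analysis and merge with the previous round's result.

Added example, not the patent's code.  RULE_F1 and PATHS are constructed to
reproduce the sets quoted from Figures 9 and 10; merge_redundant() encodes an
assumed merge rule (the page does not define the merge algorithm).
"""
from typing import Dict, Set, Tuple

Range = Tuple[int, int]

# Constructed: first-field (F_1) range of each rule of the updated FW_2, 4-bit field.
RULE_F1: Dict[str, Range] = {
    "r1'": (0, 2), "r2'": (3, 3), "r3'": (4, 5), "r4'": (6, 9), "r5'": (0, 15),
}
# Constructed: terminal node (rule sequence numbers) of each all-match SFDD path.
PATHS: Dict[int, Set[str]] = {
    1: {"r5'"}, 2: {"r3'", "r5'"}, 3: {"r5'"}, 4: {"r2'", "r3'", "r5'"},
}
UR_M: Set[str] = {"r1'", "r3'"}          # judged redundant in the previous round
REDUNDANT_PATHS: Set[int] = {2, 4}        # step 2 found nr_2 and nr_4 redundant


def associated_rules(rule_f1: Dict[str, Range], updated_subset: Range) -> Set[str]:
    """S_2: rules whose F_1 range intersects the updated range subset."""
    lo, hi = updated_subset
    return {r for r, (a, b) in rule_f1.items() if a <= hi and b >= lo}


def redundant_from_paths(paths: Dict[int, Set[str]], redundant: Set[int]) -> Set[str]:
    """R_new: rules present in some redundant path's terminal node but in no
    active path's terminal node (a rule on an active path still matches packets
    that FW_1 lets through, so it cannot be removed)."""
    in_redundant: Set[str] = set()
    in_active: Set[str] = set()
    for idx, node in paths.items():
        (in_redundant if idx in redundant else in_active).update(node)
    return in_redundant - in_active


def merge_redundant(r_new: Set[str], ur_m: Set[str], s_2: Set[str]) -> Set[str]:
    """Assumed merge: rules in S_2 were re-evaluated this round and take the
    verdict R_new; rules outside S_2 keep last round's verdict from Ur_m."""
    return (ur_m - s_2) | r_new


def scene2_example() -> Set[str]:
    """Run the three steps on the constructed data."""
    s_2 = associated_rules(RULE_F1, (3, 5))               # {r2', r3', r5'}
    r_new = redundant_from_paths(PATHS, REDUNDANT_PATHS)  # {r2', r3'}
    return merge_redundant(r_new, UR_M, s_2)              # {r1', r2', r3'}


if __name__ == "__main__":
    print(sorted(scene2_example()))
```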
[Scene 3] FW_1 and FW_2 are updated at the same time.
When the rules of both FW_1 and FW_2 have changed, in order to remove the inter-firewall redundant rules completely, FW_1 and FW_2 are treated as two new firewalls, and the inter-firewall redundant rules in FW_2 with respect to FW_1 are detected according to the specific implementation process of the first inter-firewall redundancy detection.
The present invention uses the rule sets of real firewalls to run a comparative experiment between SPRR and CDPP; the firewall rule sets are in the format of Cisco standard access control lists (ACLs). Each rule contains five fields (source IP, destination IP, source port, destination port, protocol) and one decision (accept or discard). The real firewall rule sets were processed on a PC running the Ubuntu 11.10 operating system with an Intel Xeon CPU and 32 GB of memory.
Figure 18 shows the five groups of firewalls used in the experiment; their rule counts are 100, 200, 400, 800 and 1600 respectively.
(1) Comparison of processing time
The processing time consists of the encryption transformation time and the redundancy detection comparison time.
Because the associated rules processed by SPRR account for only a small fraction of the rule set, the amount of data to be processed is greatly reduced, which in turn reduces both the encryption transformation time and the redundancy identification comparison time.
Figure 11 shows the firewall encryption transformation time recorded in the experiment under the scene where FW_1 is updated and FW_2 is unchanged; the five groups of results show that the SPRR scheme is at least 10 times faster, and up to 250 times faster, than the CDPP scheme in encryption transformation time.
Figure 12 shows the inter-firewall redundancy detection comparison time recorded in the experiment under the scene where FW_1 is updated and FW_2 is unchanged; the five groups of results show that the SPRR scheme reduces the redundancy detection time by at least an order of magnitude compared with the CDPP scheme.
Figure 13 shows the firewall encryption transformation time recorded in the experiment under the scene where FW_2 is updated and FW_1 is unchanged; the five groups of results show that the SPRR scheme is at least 12 times faster, and up to 36 times faster, than the CDPP scheme in encryption transformation time.
Figure 14 shows the inter-firewall redundancy detection comparison time recorded in the experiment under the scene where FW_2 is updated and FW_1 is unchanged; the five groups of results show that the SPRR scheme again reduces the redundancy detection time by at least an order of magnitude compared with the CDPP scheme.
(2) Comparison of communication cost
Similarly, because SPRR reduces the number of rules to be processed, the intermediate results that have to be transmitted over the network after encryption (that is, the communication cost) are also greatly reduced.
Figure 15 shows the actual communication cost recorded in the experiment under the scene where FW_1 is updated and FW_2 is unchanged; the five groups of results show that the communication cost of the SPRR scheme is at least an order of magnitude lower than that of the CDPP scheme.
Figure 16 shows the actual communication cost recorded in the experiment under the scene where FW_2 is updated and FW_1 is unchanged; the five groups of results show that the communication cost of the SPRR scheme is again at least an order of magnitude lower than that of the CDPP scheme.
(3) Redundancy rate calculation results
According to the redundancy calculation results in Figure 19, the redundancy rate calculated by the SPRR scheme after the update is consistent with that of the CDPP scheme. CDPP has been proven to detect all inter-firewall redundant rules, and in this experiment SPRR obtained exactly the same redundant rules as CDPP, so this result shows that SPRR also detects the inter-firewall redundant rules completely.
The above experimental results show that, when the firewall rule sets are updated, the segmented redundancy detection scheme outperforms the CDPP redundancy detection scheme, which processes all rules in full, in both processing time and communication cost.