An industrial firewall rule base analysis method based on an orthogonal list
Technical field
The invention belongs to the field of industrial firewall network security and specifically relates to an industrial firewall rule base analysis method based on an orthogonal list (cross-linked list).
Background art
An industrial firewall is deployed in an industrial control network to protect the security of that network environment. The protected environment comprises specific assets and the relations between those assets; a relation between assets is usually embodied in the data flows exchanged between them.
The administrator explicitly defines the data-flow relations between assets that are allowed, so that normal exchanges can proceed. For example: in the control network, an oil-refinery temperature measurement system periodically reads the current pressure value of a particular high-pressure valve.
The administrator also explicitly defines data-flow relations between assets that are to be blocked, to cover abnormal situations. For example: the temperature measurement system on an industrial PC sends a reset command to a pressure controller.
All the allow and block definitions the administrator makes for asset data flows together form the rule base of the industrial firewall. The firewall applies the rule base written for a particular control network environment to enforce security in that environment.
Every packet that traverses the industrial firewall in the protected control network is processed by the firewall and either passed or blocked.
Many key services in an industrial control network have strict real-time requirements, with response times measured in seconds or milliseconds.
In a complex industrial control network the number of rules exceeds 8,000, and the industrial protocols carried by packets are numerous, with varied formats and still more varied content to be identified. How to raise the rule matching speed, improving processing performance without weakening the firewall's security capability, is an urgent problem for industrial firewalls.
Packet filtering analyses and selects packets at the network layer. By examining the source IP address, destination IP address, source port, destination port, protocol type and so on of each packet in a data flow, singly or in combination, it decides whether the packet may pass.
Stateful packet filtering is a functional extension of traditional packet filtering. A stateful-inspection firewall has an inspection engine at the network layer that intercepts packets and extracts the information related to application-layer state, and on that basis decides whether a connection is accepted or refused.
Deep packet inspection (DPI) is an application-layer traffic detection and control technique. When an IP packet, or a TCP or UDP stream, passes through a DPI-based bandwidth management system, the system reads the IP payload in depth and reassembles the application-layer message of the seven-layer OSI model, obtaining the content of the whole application exchange, and then shapes the traffic according to the management policy defined for the system.
There are three main prior-art approaches. Each has clear advantages, but also serious shortcomings.
The first, shown in Fig. 1, applies no organisation to the rules: a packet is parsed once for every rule in turn until some rule matches, and processing then ends. Every rule is a complete packet-parsing filter. The program structure is clear and the logic simple, but because each rule requires its own packet parse before its match can be decided, overall processing efficiency is low.
The second, shown in Fig. 2, sorts the rules by protocol type. The rule set is grouped by protocol, and the packet is processed against one group at a time until some rule matches, after which processing ends. A rule group usually uses a linked-list structure, with an array of rule groups indexed by protocol type; when the parse of the packet reaches a given layer, the rule group for the corresponding protocol is processed. This reduces the number of packet parses somewhat, but depth content analysis for the various applications still requires the packet to be parsed repeatedly, so the overall efficiency improvement is modest.
The third likewise arranges the rules by protocol type, generally forming an array of rule groups indexed by protocol and processing the group for a protocol when the parse reaches the corresponding layer of the packet. It too reduces the number of packet parses somewhat, but depth content analysis for the various applications still requires repeated packet parsing, so the overall efficiency improvement is modest.
All existing techniques start from the rules and parse the packet for each. When the rules differ widely, repeated parsing of the packet to extract given content cannot be avoided.
Summary of the invention
To solve the problems described in the background art, the present invention proposes a rule base analysis method applied specifically to industrial control networks. Using the organisational form of an orthogonal list (cross-linked list) to combine protocols, match contents and rules, it achieves the goal of parsing a packet once and traversing all the rules of the industrial firewall. This substantially improves the firewall's packet-processing capacity and the speed of rule base analysis for packets in the industrial control network, meeting the network's requirement for low packet latency.
The technical scheme is as follows:
An industrial firewall rule base analysis method based on an orthogonal list, characterised in that its steps are as follows:
Step 1: In the industrial control network environment, after the system administrator has performed a security analysis of the network environment, a security rule set is determined. The security rule set consists of specific rules 0 to N, where N is a positive integer greater than 1 and every rule is defined; rule N is the default last rule, always added, and is defined as block the packet and report.
Step 2: The system generates the corresponding orthogonal list from the security rule set entered by the system administrator.
Step 3: The system performs a merge operation on the orthogonal list, unifying identical contents; after the merge the data structure is still an orthogonal list.
Step 4: From the field index in the header of the orthogonal list, the system determines the data set that must be extracted from a packet under this security rule set.
Step 5: Each column node of the orthogonal list is examined, and the extracted data set contents are used, according to the protocol, to decide whether each node matches.
Step 6: The intersection of the rule sets matched by the nodes is taken to determine whether there is a matching rule and how many rules match. If exactly one rule matches, the packet is handled as that rule defines; if more than one rule matches, the packet is handled as the first matching rule defines and the administrator is notified; if no rule matches, rule N is executed, that is, the packet is blocked and reported.
In a further refinement, N = 8 and the orthogonal list has 9 rows and 7 columns: the 9 rows correspond to 8 rules plus the header row, and the 7 columns to 6 fields plus the header column. The 6 fields are: protocol, server IP address, client IP address, URL, web page content, and industrial control (ICS) protocol content.
An ICS protocol is a message-passing protocol between devices in an industrial control network; through it an upper computer operates devices such as measuring instruments on the network. ICS protocol content is the specific instruction content carried by the ICS protocol, generally: function code + content + CRC check code. For example, function code: write, content: register 1; or function code: read, content: register 1.
The innovations of the present invention are:
1. The industrial control network rule set is built in an orthogonal list structure.
2. The rules form the horizontal axis and the rule match conditions form the vertical axis.
3. Nodes of the same class are merged, reducing the number of nodes to be processed.
4. The packet depth analysis engine is invoked dynamically according to the protocols present in the rules of the orthogonal list.
5. During analysis of the orthogonal list, nodes that no longer need processing are excluded dynamically according to the results of the nodes already analysed.
The beneficial effects of the present invention are:
The invention combines the rules of the rule base by means of an orthogonal list. While the per-rule (row) form is retained, each rule condition (column) is analysed to obtain the relations between the rules in the rule set, forming the rule-set orthogonal list. With the rule-set orthogonal list, one parse of the packet completes the rule base analysis, eliminating repeated packet parsing. The efficiency gain is most marked when the rule base contains many rules that require depth analysis.
Through the flexible combination of rules in the orthogonal list, both the time and the space utilisation of rule base packet analysis improve.
The rule orthogonal list orders the dependency, mutual-exclusion and inclusion relations among rule conditions. During node analysis, dependent and mutually exclusive nodes can be removed dynamically, inclusion-related nodes judged in simplified form, and nodes with identical relations merged, reducing the number of analysis nodes and improving analysis efficiency.
The technique of the present invention greatly improves the speed of rule base analysis for packets in an industrial control network, meeting the network's requirement for low packet latency.
Brief description of the drawings
Fig. 1 is the flow chart of the prior-art technique that applies no organisation to the rules.
Fig. 2 is the flow chart of the prior-art technique that organises the rules by protocol type.
Fig. 3 is the flow chart of the overall technical architecture of the present invention.
Fig. 4 is the detailed flow chart of step 2 of the present scheme.
Fig. 5 is the detailed flow chart of step 3 of the present scheme.
Fig. 6 is the detailed flow chart of step 4 of the present scheme.
Fig. 7 is the flow chart of step 5 of the present scheme, processing the rule orthogonal list according to the acquired contents.
Detailed description of the embodiment
Fig. 3 describes the overall technical architecture of the present invention.
An industrial firewall rule base analysis method based on an orthogonal list has the following steps:
Step 1: In the industrial control network environment, after the system administrator has performed a security analysis of the network environment, a security rule set is determined. The security rule set consists of specific rules 0 to N, where N is a positive integer greater than 1 and every rule is defined; rule N is the default last rule, always added, and is defined as block the packet and report.
Step 2: The system generates the corresponding orthogonal list from the security rule set entered by the system administrator.
Step 3: The system performs a merge operation on the orthogonal list, unifying identical contents; after the merge the data structure is still an orthogonal list.
Step 4: From the field index in the header of the orthogonal list, the system determines the data set that must be extracted from a packet under this security rule set.
Step 5: Each column node of the orthogonal list is examined, and the extracted data set contents are used, according to the protocol, to decide whether each node matches.
Step 6: The intersection of the rule sets matched by the nodes is taken to determine whether there is a matching rule and how many rules match. If exactly one rule matches, the packet is handled as that rule defines; if more than one rule matches, the packet is handled as the first matching rule defines and the administrator is notified; if no rule matches, rule N is executed, that is, the packet is blocked and reported.
The technical scheme is described in detail with reference to Figs. 4 to 7.
Step 1: In the industrial control network environment, after the system administrator has performed a security analysis of the network environment, the specific security rules are determined:
Rule 0: Analyse the packet
Command parameter: --analyze
Explanation: this rule is added by default, ahead of all other filtering rules.
Rule 1: Allow the statistics department, and only the statistics department, to access the historical data management server (assumed to be 192.168.100.22, accessed over HTTP):
Command parameters:
--filter http --where:server-ip:192.168.100.22;client-ip:@statistics -j ACCEPT_LOG
--filter http --where:server-ip:192.168.100.22 -j DROP_LOG
Explanation: "@statistics" is an IP address group that may contain one or more IP addresses or IP ranges; it is configured with a command such as "--add ip.statistics:192.168.1.0/24,192.168.2.0/24".
Rule 2: Do not allow access to forbidden websites, do not allow banned words to appear in a web page, and let all other HTTP through (web page access, so that employees can consult reference material):
Command parameters:
--filter http --where:url:@forbidden_sites;client-ip:@company -j DROP_LOG
--filter http --where:content:@banned_words;client-ip:@company -j DROP_LOG
--filter http --where:client-ip:@company -j ACCEPT_LOG
Rule 3: Monitor the ICS protocol: only the production department may send operate actions; the management office and the administrative department may check (but not operate); all remaining departments are denied access entirely:
Command parameters:
--filter ics --where:ics-cmd:@operate;client-ip:@production -j ACCEPT_LOG
--filter ics --where:ics-cmd:@check;client-ip:@management,@admin -j ACCEPT_LOG
--filter ics -j DROP_LOG
Rule N: All remaining packets are blocked and reported in the log
Command parameter:
-j DROP_LOG
Explanation: this is the default last rule, always added.
Note: "@operate" and "@check" denote sets of ICS actions.
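As an added example, not code from the patent, the following Python loads a rule base written in the command syntax above and checks it before it is compiled into an orthogonal list. The spelling of the syntax is normalised and partly assumed: one space between tokens, "--where:" followed by field:value pairs separated by ";", a hypothetical "--add set.<name>:..." for the non-IP groups (URLs, banned words, ICS actions) alongside the "--add ip.<name>:..." of the text, and "ics" as the protocol token for the ICS protocol. Every address and ICS command in the groups is a constructed assumption. The validator flags the mistakes an administrator most wants caught: an unknown action, a "@group" that was never defined or is of the wrong kind for its field, and a rule base that does not end with the default block-and-report rule.

```python
import re
from ipaddress import ip_network

# Constructed rule base in a normalised spelling of the command lines above.
# The exact syntax and all group members are assumptions; the rules follow the text.
RULE_TEXT = """
--add ip.statistics:192.168.1.0/24,192.168.2.0/24
--add ip.company:192.168.0.0/16
--add ip.production:192.168.10.0/24
--add ip.management:192.168.20.0/24
--add ip.admin:192.168.30.0/24
--add set.forbidden_sites:gambling.example,malware.example
--add set.banned_words:secret-formula
--add set.operate:write_register,write_coil
--add set.check:read_register,read_coil
--analyze
--filter http --where:server-ip:192.168.100.22;client-ip:@statistics -j ACCEPT_LOG
--filter http --where:server-ip:192.168.100.22 -j DROP_LOG
--filter http --where:url:@forbidden_sites;client-ip:@company -j DROP_LOG
--filter http --where:content:@banned_words;client-ip:@company -j DROP_LOG
--filter http --where:client-ip:@company -j ACCEPT_LOG
--filter ics --where:ics-cmd:@operate;client-ip:@production -j ACCEPT_LOG
--filter ics --where:ics-cmd:@check;client-ip:@management,@admin -j ACCEPT_LOG
--filter ics -j DROP_LOG
-j DROP_LOG
"""

ADD_RE = re.compile(r"^--add (ip|set)\.([\w-]+):(\S+)$")
FILTER_RE = re.compile(r"^--filter (\S+)(?: --where:(\S+))? -j (\S+)$")
DEFAULT_RE = re.compile(r"^-j (\S+)$")
ACTIONS = {"ACCEPT_LOG", "DROP_LOG"}
IP_FIELDS = {"server-ip", "client-ip"}


def parse_rule_base(text):
    """Turn the command lines into (groups, rules).

    groups maps '@name' to ('ip', [ip_network, ...]) or ('set', [str, ...]).
    rules is a list of (number, conditions, action): '--analyze' is rule 0,
    each filter line takes the next number in order (1..8 here, the rows of
    the orthogonal list), and the bare '-j ACTION' line is the default rule 'N'.
    A field absent from a rule's conditions leaves that rule unconstrained there.
    """
    groups, rules = {}, []
    for raw in text.strip().splitlines():
        line = " ".join(raw.split())          # collapse stray whitespace
        if m := ADD_RE.match(line):
            kind, name, members = m.groups()
            items = members.split(",")
            groups["@" + name] = (kind, [ip_network(i) for i in items] if kind == "ip" else items)
        elif line == "--analyze":
            rules.append((0, {}, "ANALYZE"))
        elif m := FILTER_RE.match(line):
            proto, where, action = m.groups()
            conds = {"proto": proto}
            for pair in where.split(";") if where else []:
                field, value = pair.split(":", 1)
                # '@a,@b' means membership in any of the listed groups
                conds[field] = tuple(value.split(",")) if value.startswith("@") else value
            rules.append((len(rules), conds, action))
        elif m := DEFAULT_RE.match(line):
            rules.append(("N", {}, m.group(1)))
        else:
            raise ValueError(f"unrecognised rule line: {line!r}")
    return groups, rules


def validate(groups, rules):
    """Checks to run before compiling: known actions, defined groups of the
    right kind for their field, and a default block-and-report rule at the end."""
    problems = []
    for num, conds, action in rules:
        if num != 0 and action not in ACTIONS:
            problems.append(f"rule {num}: unknown action {action}")
        for field, value in conds.items():
            if not isinstance(value, tuple):
                continue
            for g in value:
                if g not in groups:
                    problems.append(f"rule {num}: undefined group {g}")
                elif (groups[g][0] == "ip") != (field in IP_FIELDS):
                    problems.append(f"rule {num}: group {g} is the wrong kind for {field}")
    if not rules or rules[-1][0] != "N" or rules[-1][2] != "DROP_LOG":
        problems.append("rule base does not end with the default DROP_LOG rule")
    return problems


if __name__ == "__main__":
    g, r = parse_rule_base(RULE_TEXT)
    print(validate(g, r) or "rule base OK", len(r), "rules")
```

The parsed rows are exactly the rows the orthogonal list of step 2 is built from, so the validator is the natural place to refuse a rule base that would silently match nothing (an undefined group) or fall through without a final deny.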
Step 2: As shown in Fig. 4, the system generates the orthogonal list corresponding to the rule set entered by the administrator:
The orthogonal list has 9 rows and 7 columns.
The 9 rows are the header row plus 8 rules: the eight filter lines of rules 1 to 3 above, numbered 1 to 8 in order.
The 7 columns are the header column plus 6 fields: (1) protocol, (2) server IP address, (3) client IP address, (4) URL, (5) web page content, (6) ICS protocol content.
Step 3: As shown in Fig. 5, the system performs the merge operation on the orthogonal list, unifying identical contents. After the merge the data structure is still an orthogonal list.
In the server IP address column the nodes merge into a single node for 192.168.100.22, which records that rules 1 and 2 match it;
in the client IP address column the nodes merge into one, recording the rules corresponding to each different match result;
in the ICS protocol content column the nodes merge into one, recording the rules corresponding to each different match result;
in the protocol column the nodes merge into two (HTTP and the ICS protocol), each recording the rules corresponding to its match result.
Step 4: As shown in Fig. 6, from the field index in the header of the orthogonal list, the data set that must be extracted from a packet under this rule set is determined.
The packet is parsed once and the corresponding contents are obtained. The parse is the standard ISO/OSI de-encapsulation of the packet; the contents of the data set formed by the parse vary with the protocol the packet belongs to.
The packet parsing process is explained for HTTP as follows:
A packet is taken from an administrative department access to a reference website. The packet is HTTP; the server IP address is 192.168.100.56; the client IP address belongs to the @admin group; the URL is not in @forbidden_sites; and the web page content contains none of @banned_words.
Step 5: As shown in Fig. 7, each column of the orthogonal list is examined and the extracted data set contents are used, according to the protocol, to decide whether each node matches.
The first column requires protocol analysis. Only two protocols, HTTP and the ICS protocol, occur here, so only those two protocol analysis modules are enabled for depth inspection; no other protocol analyser is started.
Since the client IP address of the packet does not belong to @production, rule 6 is already rejected at the third column (client-ip); in the ICS protocol content column, therefore, only the @check action needs to be judged and the @operate action need not be. In a conventional analysis engine, by contrast, handling rules 6 and 7 requires the ICS protocol to be parsed in detail every time, the action extracted from it, and that action compared separately against "operate" and against "check". Unnecessary repeated deep packet inspection is thus avoided.
The rule orthogonal list processed according to the acquired contents is shown in Fig. 7.
Traversing the columns and recording the set of rules matched by the nodes of each column gives:
protocol: rules 1, 2, 3, 4, 5
server IP address: rules 3, 4, 5, 6, 7, 8
client IP address: rules 2, 3, 4, 5, 7, 8
URL: rules 1, 2, 4, 5, 6, 7, 8
web page content: rules 1, 2, 3, 5, 6, 7, 8
ICS protocol content: rules 1, 2, 3, 4, 5, 8
Step 6: The intersection of the rule sets matched by the nodes is taken to determine whether there is a matching rule and how many rules match. Rule 5 is the only rule matched in every column, so this HTTP packet is passed according to the allowed data flow defined by rule 5.
In a concrete implementation the orthogonal list nodes need not be merged. Instead, the node information in the orthogonal list is extracted into a linked-list structure that holds the extracted information. The subsequent rule base analysis then works on this information list, with the same processing as in the technical scheme above, and the rule match results are stored back in the orthogonal list. Whether a rule matches is then judged from the column index of the orthogonal list, checking each row for a mismatch.
This method is a variation of the technique of the present invention; the basis of processing is still the orthogonal list. The rule condition information is simply not stored in the orthogonal list itself but in some other data structure, such as an array, a set or a linked list.
The above embodiment merely illustrates the technical solution of the present invention and does not limit it. Those skilled in the art may modify the technical solution described above or substitute equivalents for some of its technical features, and such modifications and substitutions do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solution of the present invention.