CN105743871A - Decision tree-based firewall policy conflict detection method - Google Patents

Decision tree-based firewall policy conflict detection method

Info

Publication number
CN105743871A
Authority
CN
China
Prior art keywords
firewall policy
node
tree
insert
detection method
Legal status
Granted
Application number
CN201410773170.3A
Other languages
Chinese (zh)
Other versions
CN105743871B (en)
Inventor
张涛
马媛媛
时坚
李伟
李星
邵志鹏
陈亚东
Current Assignee
BEIJING SAFE-CODE TECHNOLOGY Co Ltd
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
State Grid Jiangsu Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd
Smart Grid Research Institute of SGCC
Application filed by BEIJING SAFE-CODE TECHNOLOGY Co Ltd, State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI, State Grid Jiangsu Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Jiangsu Electric Power Co Ltd, Smart Grid Research Institute of SGCC

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a decision tree-based firewall policy conflict detection method. The method comprises the following steps: each rule in the firewall rule set is transformed into decision tree form; the rules are stored in a tree data structure; and each policy corresponds to a unique path in the tree. With the technical solution of the invention, the defects of the existing decision tree-based firewall policy conflict detection method are eliminated, the time complexity of the method is reduced, and conflict detection efficiency is greatly improved.

Description

A decision tree-based firewall policy conflict detection method
Technical field
The present invention relates to the technical field of network security, and in particular to a decision tree-based firewall policy conflict detection method.
Background technology
In the era of the knowledge economy and shared information resources, the Internet is flourishing and is tied ever more closely to every aspect of social life. Threats inevitably follow, and the techniques behind them grow ever more sophisticated. Maintaining network security is therefore particularly important, and configuring a firewall is an effective measure for maintaining computer network security.
A firewall is a component of a network system. By means of an explicit security policy it controls the dangerous packets from the outside that try to enter the internal protected network; it can selectively block undesirable content and set access rights for external websites. When an access request arrives, the system authenticates it automatically, identifies objectionable websites and viruses, and restricts hacker intrusions into the network as far as possible, thereby limiting certain network activity and ultimately protecting system security. A firewall policy is in fact an ordered linked list of filtering rules. Each filtering rule is made up of several network fields; in theory these fields can be any field that appears in the IP, TCP or UDP header, but practical experience shows that matching generally involves six fields: communication protocol type (protocol), source IP address (source IP address), source port (source port), destination IP address (destination IP address), destination port (destination port) and action (action).
A firewall policy generally consists of tens to thousands of rules. The rules in a firewall are written by administrators according to requirements and their own experience. When there are few rules, writing a reasonable policy is not difficult and maintaining the rules is relatively easy; but as the rules keep growing, manually written security policies inevitably contain oversights, the firewall can no longer be guaranteed to operate effectively, and security problems may even arise. In other words, experience alone is not enough to cope with a huge number of rules. That is, the complexity of maintaining firewall rules may reduce the effectiveness of firewall security, and for precisely this reason research on firewall policy conflict detection algorithms is indispensable.
A decision tree is a flowchart-like tree structure in which each internal node represents a test on an attribute, each branch represents an outcome of the test, each leaf node represents a class or class distribution, and the topmost node of the tree is the root node. Assume the existing firewall policy has n rules, denoted r1, r2, ..., rn, and that the filtering fields <TCP/UDP etc., srcip, srcport, destip, destport, action> are denoted F1, F2, ..., Fd. Consider rules ri and rj: the root node of the decision tree represents the comparison of their filtering field F1, and the four branches of the root node represent respectively:
(1) ri[F1] is a proper subset of rj[F1];
(2) ri[F1] is a superset of rj[F1];
(3) ri[F1] and rj[F1] are identical;
(4) ri[F1] and rj[F1] are unrelated.
For branches (1), (2) and (3), the node then compares ri[F2] with rj[F2] and again creates branches according to the result; this process continues until a comparison result can be produced. For branch (4), rules ri and rj obviously cannot conflict, so the comparison of ri and rj is complete, as shown in Figure 1.
The advantage of the existing decision tree detection method is that it is simple and clear, but because the algorithm contains a large number of conditional statements it is likely to perform many comparisons, so it runs slowly, the program runtime is long and work efficiency suffers.
Summary of the invention
In view of the deficiencies of the prior art, the object of the present invention is to provide a decision tree-based firewall policy conflict detection method that solves the slow-detection problem of existing methods, which is caused by too many conditional statements.
The object of the invention is achieved by the following technical solution:
The present invention provides a decision tree-based firewall policy conflict detection method, the improvement of which is that the method comprises the following steps:
Step 201: initialize the storage tree;
Step 202: classify by protocol field;
Step 203: classify by source/destination port pair;
Step 204: compare source IP addresses;
Step 205: compare destination IP addresses;
Step 206: compare action fields.
Further, in step 201, initializing the storage tree means creating the tree: a tree data structure is used to store all firewall policies. During creation of the tree, firewall policies are inserted into the tree in the order of the policy's protocol field, source/destination port pair field, source IP address field, destination IP address field and action field, and the id of the corresponding firewall policy is stored after the action field.
Further, creating the tree comprises the following steps:
(1) while inserting a firewall policy, the next field to be judged is made the leftmost child node of the current field;
(2) in the created tree, for all nodes corresponding to every field other than the action field, each node other than the leftmost child is a proper subset of its parent node and holds the content of the current field of a different firewall policy; the other fields are the protocol field, the source/destination port pair field, the source IP address field and the destination IP address field;
(3) during creation, when the tree is not empty, the corresponding field of the policy being inserted is compared with each node of the tree. If it is identical, judgement of the next field continues from the leftmost child node. If it is a superset of the current node, a node holding the current field of the policy being inserted is inserted before the current node, the node that was compared becomes a child of the inserted node, and the next field of the inserted policy becomes the leftmost child node of the inserted node.
If it is a subset of the current node, the current field of the policy being inserted is compared with the children of this node other than the leftmost one; if identical, judgement of the next field continues from the leftmost child node; if it is a superset of the current node, a node holding the current field of the policy being inserted is inserted before the current node, the compared node becomes a child of the inserted node, and the next field of the inserted policy becomes the leftmost child node of the inserted node.
If the current node has only one child node, or no node with identical content is matched, the value of this field is inserted as a child node of the current node.
Further, if an item to be inserted conflicts completely with an existing firewall policy, no suitable position can be found in the tree;
the action field of the later-inserted firewall policy is then made a child node of the existing firewall policy, so that all firewall policies are stored in the tree.
Further, the tree is expanded until all firewall policies have been inserted; the final number of leaf nodes of the tree equals the number of firewall policy entries.
Further, after the firewall policies have been stored according to the tree, the comparison with the firewall policies corresponding to sibling nodes other than the leftmost one is omitted when detecting firewall policy conflicts, which reduces the time complexity of the firewall policy comparison.
Further, in step 202, judgement is made according to the protocol field of the firewall policy; the protocol of the firewall policy's protocol field falls into three classes: TCP, UDP and unrestricted.
Further, in step 203, judgement is made according to the source/destination port pair field; the destination port of the firewall policy falls into three classes: port 21, port 80 and unrestricted.
Further, in step 204, source IP address judgement is performed and storage is classified by whether the IP is repeated; if an IP is repeated, a conflict or redundancy exists;
in step 205, destination IP address judgement is performed and storage is classified by whether the IP is repeated; if an IP is repeated, a conflict or redundancy exists;
in step 206, action field judgement is performed, covering the two cases accept and deny.
Compared with the closest prior art, the technical solution provided by the invention has the following beneficial effects:
1. The decision tree-based firewall policy conflict detection method provided by the invention first judges by the protocol field of the policy and stores policies with the same protocol field in the same branch of the tree, which avoids the time spent comparing policies whose protocol fields differ and improves the speed of policy conflict detection.
2. Considering the value ranges of source and destination ports in practice, where ports 21 and 80 occur most often in firewall filtering rules, the method builds source/destination port pairs to further subdivide the policies whose protocol field is identical. This reduces the time complexity of the tree search and the number of policies that must be traversed. Because the tree storage method classifies the policies, the number of judgements is reduced directly, traversal-based comparison of policies is avoided, duplicate paths can even be detected directly in the tree, the comparison of obviously conflicting redundant policies is eliminated, and the time complexity of the detection method is correspondingly improved.
Brief description of the drawings
Fig. 1 is a schematic flow diagram of the existing decision tree-based firewall policy conflict detection method;
Fig. 2 is a flow diagram of the principle of the firewall policy conflict detection method described in the embodiment of the present invention;
Fig. 3 is a schematic diagram of the process of creating the tree-shaped storage structure described in the embodiment of the present invention;
Fig. 4 is a schematic diagram of an example of creating the tree-shaped storage structure in the embodiment of the present invention.
Detailed description of the embodiments
The specific embodiment of the present invention is described in further detail below with reference to the drawings.
To address the slow detection of existing methods caused by too many conditional statements, the embodiment of the present invention builds on the existing method and adopts a tree storage method to classify the policies, so as to reduce the number of judgements, avoid traversal-based comparison of policies, detect duplicate paths directly in the tree, and eliminate the comparison of obviously conflicting redundant policies, so that conflict detection is achieved more quickly.
Figure 2 shows the principle of the firewall policy conflict detection method described in the embodiment of the present invention. It mainly comprises the following steps:
Step 201, initialize the storage tree. When inserting into the tree, the policy number must be recorded. Initializing the storage tree means creating the tree: a tree data structure stores all firewall policies; during creation, policies are inserted into the tree in the order of the policy's protocol field, source/destination port pair field, source IP address field, destination IP address field and action field, and the id of the corresponding policy is stored after the action field.
Creating the tree comprises the following steps:
(1) during insertion of a firewall policy, the next field to be judged is always made the leftmost child node of the current field;
(2) in the created tree, for all nodes corresponding to every field other than the action field, each node other than the leftmost child should be a proper subset of its parent node and holds the content of the current field of a different firewall policy; the other fields are the protocol field, the source/destination port pair field, the source IP address field and the destination IP address field;
(3) during creation, when the tree is not empty, the corresponding field of the policy being inserted is compared with each node of the tree. If it is identical, judgement of the next field continues from the leftmost child node. If it is a superset of the current node, a node holding the current field of the policy being inserted is inserted before the current node, the node that was compared becomes a child of the inserted node, and the next field of the inserted policy becomes the leftmost child node of the inserted node.
If it is a subset of the current node, the current field of the policy being inserted is compared with the children of this node other than the leftmost one; if identical, judgement of the next field continues from the leftmost child node; if it is a superset of the current node, a node holding the current field of the policy being inserted is inserted before the current node, the compared node becomes a child of the inserted node, and the next field of the inserted policy becomes the leftmost child node of the inserted node.
If the current node has only one child node, or no node with identical content is matched, the value of this field is inserted as a child node of the current node.
If an item to be inserted conflicts completely with an existing firewall policy, no suitable position can be found in the tree;
the action field of the later-inserted firewall policy is then made a child node of the existing firewall policy, so that all firewall policies are stored in the tree.
The tree is expanded until all firewall policies have been inserted; the final number of leaf nodes of the tree equals the number of firewall policy entries.
After the firewall policies have been stored according to the tree, the comparison with the firewall policies corresponding to sibling nodes other than the leftmost one is omitted when detecting firewall policy conflicts, which reduces the time complexity of the firewall policy comparison.
Step 202, judge by the protocol field of the policy: policies are divided into three classes according to whether the protocol field is TCP, UDP or unrestricted.
Step 203, judge by the source/destination port pair field: policies are divided into three classes according to whether the destination port is 21, 80 or unrestricted.
Step 204, judge the source address and store it classified by IP according to the actual situation. Storage is classified by whether the IP is repeated; if an IP is repeated, a conflict or redundancy exists.
Step 205, judge the destination address and store it classified by IP according to the actual situation. Storage is classified by whether the IP is repeated; if an IP is repeated, a conflict or redundancy exists.
Step 206, judge the action field, which has the two cases accept and deny.
Figure 3 shows the process of building the tree-shaped storage structure in the embodiment of the present invention. Let RuleNode be the rule to be inserted into the decision tree, PTRoot the root node of the tree being created and PTNode the current node of the tree; creating the tree then mainly comprises the following steps:
301. If PTRoot is NULL, insert each field of RuleNode in turn, in the order protocol field, source/destination port pair field, source IP address field, destination IP address field, action field, as the leftmost child nodes of the tree; otherwise perform step 302.
302. Starting from the PTRoot node, compare each field of rule RuleNode (protocol field, port pair field, source IP address field, destination IP address field, action field) with the nodes of the tree. Denote the PTRoot node as PTNode and continue with step 303.
303. If the value of the corresponding field of RuleNode equals the value of the PTNode node, perform step 304; otherwise, if the value of the corresponding field of RuleNode is a superset of the PTNode value, perform step 305; if it is a subset of the PTNode value, perform step 306; if the two values are unrelated, perform step 307.
304. If the next field of RuleNode is NULL, perform step 310; otherwise make PTNode point to its leftmost child node and go to step 303.
305. Insert a node between PTNode and its parent node to hold the current field value of RuleNode, then continue with step 309.
306. Clearly, the child nodes of PTNode are not NULL in this case. If PTNode has only one child node, make PTNode point to that child node and go to step 303; otherwise continue with step 308.
307. Insert the current field value of RuleNode as a sibling node of PTNode, then continue with step 309.
308. Compare the current field value of RuleNode with all child nodes of PTNode except the leftmost child. If it is identical to one of them, continue with step 304; if it is a subset of one of them, make PTNode point to that child node and continue with step 306; if neither, create a child node of PTNode to hold the current field of RuleNode, then continue with step 309.
309. Insert the remaining field values of RuleNode in turn, each as the leftmost child node of the previous field, until the next field of RuleNode is empty, then continue with step 310.
310. Record the number of rule RuleNode; this rule has been inserted. Proceed to the next rule and perform step 302. Repeat these steps until no rule remains to be inserted into the tree; the tree-shaped storage structure of the firewall policy is then complete.
Figure 4 shows an example of creating the tree in the embodiment of the present invention. Assume the firewall rule set configured by the user is as shown in Table 1 below, where the sequence number of a rule is also its priority:
Table 1: the user-configured firewall rule set
No.  Protocol  Source address  Source port  Destination address  Destination port  Action
1    any       *.*.*.*         *            *.*.*.*              *                 accept
2    tcp       *.*.*.*         *            *.*.*.*              *                 accept
3    tcp       *.*.*.*         *            *.*.*.*              80                accept
4    tcp       *.*.*.*         *            11.128.3.*           80                accept
5    tcp       *.*.*.*         *            11.128.3.2           80                deny
6    tcp       12.109.36.*     *            11.128.3.*           80                accept
7    tcp       12.109.36.*     *            11.128.3.23          80                accept
8    tcp       12.109.36.5     *            *.*.*.*              80                accept
9    tcp       12.109.36.5     *            11.128.3.*           80                deny
10   tcp       12.109.35.*     *            11.128.3.23          80                accept
11   tcp       12.109.35.35    *            11.128.5.33          21                accept
12   udp       12.109.36.5     *            11.128.4.53          21                accept
13   udp       12.109.36.5     *            11.128.4.53          21                deny
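The insertion procedure of steps 301 to 310 and the Table 1 rule set above, as an added worked example in Python that is not part of the patent: it builds the tree in the field order protocol, port pair, source IP, destination IP, action, classifying every field comparison as equal, superset, subset or unrelated, then inserts the 13 rules of Table 1 in priority order and, before each insert, lists the earlier rules whose path already covers the new one (same action: redundant; different action: conflict), walking only the related branches instead of comparing against every stored rule. The rule tuple layout, the PolicyTree/covering names, the restriction to trailing `*` wildcards in addresses and treating partial overlap as "unrelated" are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
# Path order of the tree (step 201); a rule is (proto, (src port, dst port), src IP, dst IP, action).
PROTO, PORTS, SRC, DST, ACTION = range(5)
EQUAL, SUPERSET, SUBSET, UNRELATED = "equal", "superset", "subset", "unrelated"

def _net(pattern):  # '11.128.3.*' -> 11.128.3.0/24, '*.*.*.*' -> 0.0.0.0/0 (trailing '*' only, assumed)
    fixed = [o for o in pattern.split(".") if o != "*"]
    return ipaddress.ip_network(".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{8 * len(fixed)}")
# _COVERS[level](a, b): does value a of that field match every packet that value b matches?
_COVERS = {PROTO: lambda a, b: a == "any" or a == b,
           PORTS: lambda a, b: all(x == "*" or x == y for x, y in zip(a, b)),
           SRC: lambda a, b: _net(b).subnet_of(_net(a)),
           ACTION: lambda a, b: a == b}
_COVERS[DST] = _COVERS[SRC]

def relation(level, rule_value, node_value):  # the page's four outcomes; partial overlap counts as unrelated
    ab, ba = _COVERS[level](rule_value, node_value), _COVERS[level](node_value, rule_value)
    return EQUAL if ab and ba else SUPERSET if ab else SUBSET if ba else UNRELATED

@dataclass
class Node:
    level: int
    value: object
    children: list = field(default_factory=list)  # [0] = next field; the rest = same-field subsets
    rule_ids: list = field(default_factory=list)  # only action nodes carry rule ids

def _chain(rule, level, rid):  # remaining fields as a chain of leftmost children, id under the action (step 309)
    top = node = Node(level, rule[level])
    for lv in range(level + 1, len(rule)):
        node.children.append(Node(lv, rule[lv]))
        node = node.children[-1]
    node.rule_ids.append(rid)
    return top

class PolicyTree:
    def __init__(self):
        self.root = Node(-1, None)  # virtual root above the protocol nodes

    def insert(self, rid, rule):  # steps 302-310: walk field by field, attach at the first fitting place
        parent, level = self.root, PROTO
        while True:
            for cand in parent.children:
                if cand.level != level:
                    continue
                rel = relation(level, rule[level], cand.value)
                if rel == EQUAL and level == ACTION:  # fully identical rule: hang it under the existing action
                    cand.rule_ids.append(rid)
                    return
                if rel == EQUAL:  # same value: judge the next field from the leftmost child (step 304)
                    parent, level = cand, level + 1
                    break
                if rel == SUBSET:  # compare with this node's same-field subset children (steps 306/308)
                    parent = cand
                    break
                if rel == SUPERSET:  # new value goes between cand and its parent (step 305)
                    new = _chain(rule, level, rid)
                    parent.children[parent.children.index(cand)] = new
                    new.children.append(cand)
                    return
            else:  # nothing related at this level: new sibling here (steps 307/308)
                parent.children.append(_chain(rule, level, rid))
                return

    def covering(self, rule):  # (id, action) of stored rules whose proto/ports/src/dst each contain the rule's
        stack, found = [(self.root, PROTO)], []
        while stack:  # only related branches are walked; unrelated siblings are never compared further
            parent, level = stack.pop()
            for cand in parent.children:
                if cand.level != level:
                    continue
                rel = relation(level, rule[level], cand.value)
                if rel == SUBSET:  # subsets of cand may still contain the rule
                    stack.append((cand, level))
                if rel in (EQUAL, SUBSET) and level == DST:
                    found += [(rid, a.value) for a in cand.children if a.level == ACTION for rid in a.rule_ids]
                elif rel in (EQUAL, SUBSET):
                    stack.append((cand, level + 1))
        return sorted(found)

def rule(spec):  # 'tcp 12.109.36.5 * 11.128.3.* 80 deny', in Table 1 column order
    proto, src, sport, dst, dport, action = spec.split()
    return (proto, (sport, dport), src, dst, action)

def analyse(rules):  # insert in priority order; an earlier covering rule with the same action = redundant, else conflict
    tree, report = PolicyTree(), {}
    for rid, r in rules:
        report[rid] = [(o, "redundant" if a == r[ACTION] else "conflict") for o, a in tree.covering(r)]
        tree.insert(rid, r)
    return tree, report

TABLE_1 = [(i + 1, rule(s)) for i, s in enumerate([  # Table 1 of the page, rule number = priority
    "any *.*.*.* * *.*.*.* * accept", "tcp *.*.*.* * *.*.*.* * accept",
    "tcp *.*.*.* * *.*.*.* 80 accept", "tcp *.*.*.* * 11.128.3.* 80 accept",
    "tcp *.*.*.* * 11.128.3.2 80 deny", "tcp 12.109.36.* * 11.128.3.* 80 accept",
    "tcp 12.109.36.* * 11.128.3.23 80 accept", "tcp 12.109.36.5 * *.*.*.* 80 accept",
    "tcp 12.109.36.5 * 11.128.3.* 80 deny", "tcp 12.109.35.* * 11.128.3.23 80 accept",
    "tcp 12.109.35.35 * 11.128.5.33 21 accept", "udp 12.109.36.5 * 11.128.4.53 21 accept",
    "udp 12.109.36.5 * 11.128.4.53 21 deny"])]
```

On Table 1, `analyse(TABLE_1)` reports, for instance, that the deny rule 5 is shadowed by the accept rules 1 to 4 and that rule 13 conflicts with rules 1 and 12, while rule 2 is simply redundant with rule 1.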
It can be seen from the above that the embodiment of the present invention uses a tree to improve the decision tree-based firewall policy conflict detection method; the performance of conflict detection is greatly improved, various types of conflict can be detected, and the method is a comparatively effective conflict detection method for large firewall policies.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention and not to limit it. Although the invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art may still modify or equivalently replace the specific embodiments of the invention, and any such modification or equivalent replacement that does not depart from the spirit and scope of the invention falls within the scope of the claims of the invention.

Claims (9)

1. A decision tree-based firewall policy conflict detection method, characterized in that the method comprises the following steps:
Step 201: initialize the storage tree;
Step 202: classify by protocol field;
Step 203: classify by source/destination port pair;
Step 204: compare source IP addresses;
Step 205: compare destination IP addresses;
Step 206: compare action fields.
2. The firewall policy conflict detection method as claimed in claim 1, characterized in that in step 201, initializing the storage tree means creating the tree, a tree data structure being used to store all firewall policies, including: during creation of the tree, firewall policies are inserted into the tree in the order of the policy's protocol field, source/destination port pair field, source IP address field, destination IP address field and action field, and the id of the corresponding firewall policy is stored after the action field.
3. The firewall policy conflict detection method as claimed in claim 2, characterized in that creating the tree comprises the following steps:
(1) while inserting a firewall policy, the next field to be judged is made the leftmost child node of the current field;
(2) in the created tree, for all nodes corresponding to every field other than the action field, each node other than the leftmost child is a proper subset of its parent node and holds the content of the current field of a different firewall policy; the other fields are the protocol field, the source/destination port pair field, the source IP address field and the destination IP address field;
(3) during creation, when the tree is not empty, the corresponding field of the policy being inserted is compared with each node of the tree. If it is identical, judgement of the next field continues from the leftmost child node. If it is a superset of the current node, a node holding the current field of the policy being inserted is inserted before the current node, the node that was compared becomes a child of the inserted node, and the next field of the inserted policy becomes the leftmost child node of the inserted node.
If it is a subset of the current node, the current field of the policy being inserted is compared with the children of this node other than the leftmost one; if identical, judgement of the next field continues from the leftmost child node; if it is a superset of the current node, a node holding the current field of the policy being inserted is inserted before the current node, the compared node becomes a child of the inserted node, and the next field of the inserted policy becomes the leftmost child node of the inserted node.
If the current node has only one child node, or no node with identical content is matched, the value of this field is inserted as a child node of the current node.
4. The firewall policy conflict detection method as claimed in claim 2 or claim 3, characterized in that if an item to be inserted conflicts completely with an existing firewall policy, no suitable position can be found in the tree;
the action field of the later-inserted firewall policy is then made a child node of the existing firewall policy, so that all firewall policies are stored in the tree.
5. The firewall policy conflict detection method as claimed in any one of claims 2 to 4, characterized in that the tree is expanded until all firewall policies have been inserted, and the final number of leaf nodes of the tree equals the number of firewall policy entries.
6. The firewall policy conflict detection method as claimed in claim 2, characterized in that after the firewall policies have been stored according to the tree, the comparison with the firewall policies corresponding to sibling nodes other than the leftmost one is omitted when detecting firewall policy conflicts, which reduces the time complexity of the firewall policy comparison.
7. The firewall policy conflict detection method as claimed in claim 1, characterized in that in step 202, judgement is made according to the protocol field of the firewall policy, and the protocol of the firewall policy's protocol field falls into three classes: TCP, UDP and unrestricted.
8. The firewall policy conflict detection method as claimed in claim 1, characterized in that in step 203, judgement is made according to the source/destination port pair field, and the destination port of the firewall policy falls into three classes: port 21, port 80 and unrestricted.
9. The firewall policy conflict detection method as claimed in claim 1, characterized in that in step 204, source IP address judgement is performed and storage is classified by whether the IP is repeated; if an IP is repeated, a conflict or redundancy exists;
in step 205, destination IP address judgement is performed and storage is classified by whether the IP is repeated; if an IP is repeated, a conflict or redundancy exists;
in step 206, action field judgement is performed, covering the two cases accept and deny.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410773170.3A (CN105743871B) 2014-12-12 2014-12-12 A decision tree-based firewall policy conflict detection method


Publications (2)

Publication Number Publication Date
CN105743871A (en) 2016-07-06
CN105743871B (en) 2019-03-12

Family

ID=56241629

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410773170.3A Active CN105743871B (en) 2014-12-12 2014-12-12 A kind of firewall policy collision detection method based on decision tree

Country Status (1)

Country Link
CN (1) CN105743871B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453387A (en) * 2016-07-28 2017-02-22 电子科技大学 Security strategy conflict detecting and eliminating method based on Hicuts algorithm
CN107196871A (en) * 2017-04-14 2017-09-22 同济大学 A kind of stream rule conflict detection method and system based on alias stipulations tree
CN110290152A (en) * 2019-07-18 2019-09-27 成都安恒信息技术有限公司 Firewall rule engine time complexity appraisal procedure based on probability weight path
CN110336841A (en) * 2019-08-09 2019-10-15 深圳证券交易所 Detection method, detection device and the readable storage medium storing program for executing of firewall rule
CN111708733A (en) * 2020-05-28 2020-09-25 浪潮电子信息产业股份有限公司 Policy detection method, system, equipment and computer readable storage medium
CN112887316A (en) * 2021-01-29 2021-06-01 深圳市风云实业有限公司 Access control list conflict detection system and method based on classification
CN113691488A (en) * 2020-05-19 2021-11-23 奇安信科技集团股份有限公司 Access control method, apparatus, device and medium executed by firewall device
CN114168800A (en) * 2021-11-26 2022-03-11 哈尔滨工程大学 Conflict detection method based on B + tree and bitmap index fusion tree
CN114172681A (en) * 2021-10-25 2022-03-11 中国农业银行股份有限公司福建省分行 Firewall policy management method and system
CN115065613A (en) * 2022-06-08 2022-09-16 北京启明星辰信息安全技术有限公司 Network connectivity analysis system and analysis method based on firewall configuration

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050138413A1 (en) * 2003-12-11 2005-06-23 Richard Lippmann Network security planning architecture
US20070038775A1 (en) * 2002-10-04 2007-02-15 Ipolicy Networks, Inc. Rule engine
CN101958903A (en) * 2010-10-09 2011-01-26 南京博同科技有限公司 Method for realizing high-performance firewall based on SOC and parallel virtual firewall
CN103905464A (en) * 2014-04-21 2014-07-02 西安电子科技大学 Network security strategy verification system and method on basis of formalizing method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070038775A1 (en) * 2002-10-04 2007-02-15 Ipolicy Networks, Inc. Rule engine
US20050138413A1 (en) * 2003-12-11 2005-06-23 Richard Lippmann Network security planning architecture
CN101958903A (en) * 2010-10-09 2011-01-26 南京博同科技有限公司 Method for realizing high-performance firewall based on SOC and parallel virtual firewall
CN103905464A (en) * 2014-04-21 2014-07-02 西安电子科技大学 Network security strategy verification system and method on basis of formalizing method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
P. Gupta et al.: "Algorithms for Packet Classification", IEEE Network *
李林: "Research on key technologies of firewall rule sets", China Doctoral Dissertations Full-text Database, Information Science and Technology *
赵启斌 et al.: "Research on anomalies in firewall filtering rules", Computer Engineering *
陈文惠: "Research on firewall system policy configuration", China Doctoral Dissertations Full-text Database, Information Science and Technology *

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453387B (en) * 2016-07-28 2019-08-13 电子科技大学 Security strategy collision detection and removing method based on Hicuts algorithm
CN106453387A (en) * 2016-07-28 2017-02-22 电子科技大学 Security strategy conflict detecting and eliminating method based on Hicuts algorithm
CN107196871A (en) * 2017-04-14 2017-09-22 同济大学 A kind of stream rule conflict detection method and system based on alias stipulations tree
CN110290152A (en) * 2019-07-18 2019-09-27 成都安恒信息技术有限公司 Firewall rule engine time complexity appraisal procedure based on probability weight path
CN110290152B (en) * 2019-07-18 2021-10-15 成都安恒信息技术有限公司 Firewall rule engine time complexity evaluation method based on probability weighted path
CN110336841A (en) * 2019-08-09 2019-10-15 深圳证券交易所 Firewall rule detection method, detection device and readable storage medium
CN113691488A (en) * 2020-05-19 2021-11-23 奇安信科技集团股份有限公司 Access control method, apparatus, device and medium executed by firewall device
CN111708733A (en) * 2020-05-28 2020-09-25 浪潮电子信息产业股份有限公司 Policy detection method, system, equipment and computer readable storage medium
CN112887316A (en) * 2021-01-29 2021-06-01 深圳市风云实业有限公司 Access control list conflict detection system and method based on classification
CN114172681A (en) * 2021-10-25 2022-03-11 中国农业银行股份有限公司福建省分行 Firewall policy management method and system
CN114172681B (en) * 2021-10-25 2024-05-24 中国农业银行股份有限公司福建省分行 Firewall policy management method and system
CN114168800A (en) * 2021-11-26 2022-03-11 哈尔滨工程大学 Conflict detection method based on B + tree and bitmap index fusion tree
CN114168800B (en) * 2021-11-26 2024-09-13 哈尔滨工程大学 Conflict detection method based on B+ tree and bitmap index fusion tree
CN115065613A (en) * 2022-06-08 2022-09-16 北京启明星辰信息安全技术有限公司 Network connectivity analysis system and analysis method based on firewall configuration
CN115065613B (en) * 2022-06-08 2024-01-12 北京启明星辰信息安全技术有限公司 Network connectivity analysis system and analysis method based on firewall configuration

Also Published As

Publication number Publication date
CN105743871B (en) 2019-03-12

Similar Documents

Publication Publication Date Title
CN105743871A (en) Decision tree-based firewall policy conflict detection method
CN104580027B (en) A kind of OpenFlow message forwarding methods and equipment
CN105282169A (en) DDoS attack warning method and system based on SDN controller threshold
CN103281333A (en) Forwarding method and device of data flow
CN104883347A (en) Network security regulation conflict analysis and simplification method
Zhang et al. A firewall rules optimized model based on service-grouping
Zhang et al. Symbolic router execution
CN107733867A (en) It is a kind of to find Botnet and the method and system of protection
Gogoi et al. A rough set–based effective rule generation method for classification with an application in intrusion detection
CN1232922C (en) Method for improving fire wall performance
CN105991639A (en) Network attack path analysis method
Chomsiri et al. Firewall rules analysis.
Komisarek et al. Network Intrusion Detection in the Wild-the Orange use case in the SIMARGL project
Hubballi et al. Towards reducing false alarms in network intrusion detection systems with data summarization technique
Jégou et al. Combining restarts, nogoods and decompositions for solving csps
Castiglione et al. An enhanced firewall scheme for dynamic and adaptive containment of emerging security threats
Hamdi et al. A cloud-based architecture for network attack signature learning
Davy et al. On harnessing information models and ontologies for policy conflict analysis
Thakar et al. An approach to improve performance of a packet-filtering firewall
CN112887316A (en) Access control list conflict detection system and method based on classification
Hanamsagar et al. Firewall anomaly management: A survey
Rezvani et al. Analyzing and resolving anomalies in firewall security policies based on propositional logic
Zhang et al. Detecting and Resolving Flow Entries Collisions in Software Defined Networks
CN102801634A (en) Method for intelligently identifying three-in-one network traffic
Saad et al. Context-aware intrusion alerts verification approach

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
CB02 Change of applicant information

Address after: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant after: State Grid Corporation of China

Applicant after: China Electric Power Research Institute

Applicant after: GLOBAL ENERGY INTERCONNECTION Research Institute

Applicant after: JIANGSU ELECTRIC POWER Co.

Applicant after: INFORMATION & TELECOMMUNICATION BRANCH OF STATE GRID JIANGSU ELECTRIC POWER Co.

Applicant after: BEIJING SAFE-CODE TECHNOLOGY Co.,Ltd.

Address before: 100031 Xicheng District West Chang'an Avenue, No. 86, Beijing

Applicant before: State Grid Corporation of China

Applicant before: China Electric Power Research Institute

Applicant before: STATE GRID SMART GRID Research Institute

Applicant before: JIANGSU ELECTRIC POWER Co.

Applicant before: INFORMATION & TELECOMMUNICATION BRANCH OF STATE GRID JIANGSU ELECTRIC POWER Co.

Applicant before: BEIJING SAFE-CODE TECHNOLOGY Co.,Ltd.

COR Change of bibliographic data
SE01 Entry into force of request for substantive examination
GR01 Patent grant