CN107196871A - A kind of stream rule conflict detection method and system based on alias stipulations tree - Google Patents


Info

Publication number: CN107196871A
Authority: CN (China)
Prior art keywords: rule, module, stream, tree, stipulations
Legal status: Granted
Application number: CN201710247143.6A
Other languages: Chinese (zh)
Other versions: CN107196871B (en)
Inventors: 蒋昌俊, 闫春钢, 王成, 丁志军, 张亚英, 李宁宁
Current assignee: Tongji University
Original assignee: Tongji University

Events
Application filed by Tongji University
Priority to CN201710247143.6A
Publication of CN107196871A
Application granted
Publication of CN107196871B
Legal status: Active

Classifications

    • H04L 47/2441: Traffic characterised by specific attributes, e.g. priority or QoS, relying on flow classification, e.g. using integrated services [IntServ]
      (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 47/00 Traffic control in data switching networks > H04L 47/10 Flow control; Congestion control > H04L 47/24 Traffic characterised by specific attributes, e.g. priority or QoS)
    • H04L 47/2483: Traffic characterised by specific attributes, e.g. priority or QoS, involving identification of individual flows
      (same hierarchy as H04L 47/2441 above)
    • H04L 45/745: Address table lookup; Address filtering
      (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 45/00 Routing or path finding of packets in data switching networks > H04L 45/74 Address processing for routing)
    • H04L 63/0263: Rule management
      (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies)

Abstract

A flow rule conflict detection method and system based on an alias stipulations tree. The method comprises: checking the flow table entry to be inserted and the data flow sent by the packets that the entry matches; constructing an alias stipulations tree and identifying, from the alias stipulations tree, the conflicts that inserting the flow table entry would trigger; matching the data flow match information in the flow table entry with preset logic according to the alias stipulations tree; analysing the flow rules of the flow table entry and judging whether the flow rules are suitable for combination; if so, resolving the conflict of the combination and completing the combination of the flow rules; if not, updating the network state read by the application.

Description

A kind of stream rule conflict detection method and system based on alias stipulations tree
Technical field
The present invention relates to a flow rule conflict detection method, and in particular to a flow rule conflict detection method and system based on an alias stipulations tree. (The machine-translated title and metadata render the OpenFlow terms "flow rule" and "flow table entry" as "stream rule" and "flow table item"; the body below uses the standard terms.)
Background technology
With the explosive growth of Internet scale and traffic, the traditional IP-centred network architecture has become a bottleneck for the innovation and deployment of new network protocols and for the evolution of network technology. Software-defined networking (SDN) decouples the traditionally closed network system into a data plane, a control plane and an application plane, achieving logically centralised control and management of the network. The outstanding features of SDN are openness and programmability, which accelerate the deployment and implementation of new network protocols; SDN is currently applied in fields such as network virtualisation, data centre networks, wireless LANs and cloud computing.
Flow rules specified by the control program are installed in the flow tables of OpenFlow switches; a flow rule consists of a match domain used to match packets and a corresponding set of actions. However, one packet may be matched by several flow table entries, because the match domain of an entry may contain wildcards (matching any value) or bitmasks. Natarajan et al. propose two conflict detection methods: representing the flow table with a hybrid hash tree structure and determining conflicting flows with a divide-and-conquer strategy, and representing and inferring conflicting flow table entries with an ontology-based logical inference system. Unlike both of these, Bruno et al. propose representing flow conflict rules in first-order logic and placing these rules in a logical proxy running a Prolog engine; this allows flow rule conflict detection to run in real time in the controller, saves switch resources and reduces configuration errors in OpenFlow networks. Son et al. propose FortNox, a controller extension that can monitor and coordinate potential flow rule conflicts, provides role-based authentication and security constraint enforcement, and lets the Nox controller adopt a stable conflict analysis that monitors flow rule conflicts in real time, preventing a malicious application that inserts malicious flow rules from "framing" the secure flow rules of normally operating applications. The conflict detection methods of the prior art represent the flow table with a hybrid hash tree structure and determine conflicting flows with a divide-and-conquer strategy, represent and infer conflicting flow table entries with an ontology-based logical inference system, or represent flow conflict rules in first-order logic. In these conventional methods one packet may be matched by several flow table entries, and rules that do not conflict may be falsely reported.
In the conflict detection methods of the prior art, the flow table is represented with a hybrid hash tree structure and conflicting flows are determined with a divide-and-conquer strategy, conflicting flow table entries are represented and inferred with an ontology-based logical inference system, or flow conflict rules are represented in first-order logic. During matching in these conventional methods, one packet may be matched by several flow table entries, and rules that do not conflict may be falsely reported, so they suffer from the technical problems of matching errors and false reports of flow rule action conflicts.
Summary of the invention
In view of the technical problems of matching errors and false reports of flow rule action conflicts in the above prior art, the object of the present invention is to provide a flow rule conflict detection method based on an alias stipulations tree, comprising:
checking the flow table entry to be inserted and the data flow sent by the packets that the entry matches;
constructing an alias stipulations tree and identifying, from the alias stipulations tree, the conflicts that inserting the flow table entry would trigger;
matching the data flow match information in the flow table entry with preset logic according to the alias stipulations tree;
analysing the flow rules of the flow table entry and judging whether the flow rules are suitable for combination;
if so, resolving the conflict of the combination and completing the combination of the flow rules;
if not, updating the network state read by the application.
In one embodiment of the present invention, checking the flow table entry to be inserted and the data flow sent by its packets comprises: filtering invalid flow table entries; and presetting the installation permission of flow rules on switch ports.
In one embodiment of the present invention, constructing the alias stipulations tree and identifying from it whether the flow rules of the inserted flow table entry conflict comprises:
taking the source IP address in the data flow match information of the original flow rule as the root node of the alias stipulations tree;
constructing the alias stipulations tree according to the preset logic for constructing a stipulations tree;
deriving flow rules from the alias stipulations tree;
comparing the derived flow rules with the original flow rules to obtain a rule comparison result;
judging, according to the rule comparison result, whether the action kind of the flow rule to be added conflicts with the action kinds in the current node of the alias stipulations tree.
In one embodiment of the present invention, matching the data flow match information in the flow table entry with preset logic according to the alias stipulations tree comprises:
traversing all flow rules;
taking the flow rules whose action kind is "modify source IP address" to generate a source address modification set;
traversing all source address modification flow rules in the source address modification set;
matching, for each source address modification flow rule, the rules whose action kind is "modify destination IP address".
In one embodiment of the present invention, if so, resolving the conflict of the combination and completing the combination of the new flow rules with the original flow rules comprises:
combining a source address modification flow rule with a rule whose action kind is "modify destination IP address" to obtain a combined flow rule;
for each item of data flow match information in the combined flow rule, taking according to the preset logic the value with the smallest matching range as the value of the current data flow match information, obtaining the current minimum-range data flow match information;
modifying the minimum-range data flow match information to generate a network update rule;
matching with the network update rule to obtain the updated flow rule;
modifying the source IP address contained in the updated flow rule to the IP address in the parent node of the stipulations tree.
In one embodiment of the present invention, a flow rule conflict detection system based on an alias stipulations tree comprises: a flow table entry check module, a conflict identification module, a data flow information matching module, a combination judgement module, a conflict resolution and combination module, and a network state update module. The flow table entry check module checks the flow table entry to be inserted and the data flow sent by its packets. The conflict identification module constructs the alias stipulations tree and identifies from it the conflicts that inserting the flow table entry would trigger; it is connected to the flow table entry check module. The data flow information matching module matches the data flow match information in the flow table entry with preset logic according to the alias stipulations tree; it is connected to the conflict identification module. The combination judgement module analyses the flow rules of the flow table entry and judges whether they are suitable for combination; it is connected to the conflict identification module. The conflict resolution and combination module, when the flow rules are suitable for combination, resolves the conflict of the combination and completes the combination of the flow rules; it is connected to the conflict identification module and to the combination judgement module. The network state update module, when the flow rules are not suitable for combination, updates the network state read by the application; it is connected to the combination judgement module.
In one embodiment of the present invention, the flow table entry check module comprises a flow table filtering module and a port permission module. The flow table filtering module filters invalid flow table entries. The port permission module presets the installation permission of flow rules on switch ports and is connected to the flow table filtering module.
In one embodiment of the present invention, the conflict identification module comprises a stipulations tree initialisation module, a stipulations tree construction module, a derived rule acquisition module, a rule comparison module and a conflict judgement module. The stipulations tree initialisation module takes the source IP address in the data flow match information of the original flow rule as the root node of the alias stipulations tree. The stipulations tree construction module constructs the alias stipulations tree according to the preset logic for constructing a stipulations tree and is connected to the stipulations tree initialisation module. The derived rule acquisition module derives flow rules from the alias stipulations tree and is connected to the stipulations tree construction module. The rule comparison module compares the derived flow rules with the original flow rules to obtain the rule comparison result and is connected to the derived rule acquisition module. The conflict judgement module judges, according to the rule comparison result, whether the action kind of the flow rule to be added conflicts with the action kinds in the current node of the alias stipulations tree, and is connected to the rule comparison module.
In one embodiment of the present invention, the data flow information matching module comprises a flow rule traversal module, a source address modification set module, a set traversal module and a rule matching module. The flow rule traversal module traverses all flow rules. The source address modification set module obtains the flow rules whose action kind is "modify source IP address" and generates the source address modification set; it is connected to the flow rule traversal module. The set traversal module traverses all source address modification flow rules in the source address modification set and is connected to the source address modification set module. The rule matching module matches, for each source address modification flow rule, the rules whose action kind is "modify destination IP address", and is connected to the set traversal module.
In one embodiment of the present invention, the conflict resolution and combination module comprises a rule combination module, a minimum range matching module, an update rule generation module, an update matching module and a source address modification module. The rule combination module combines a source address modification flow rule with a rule whose action kind is "modify destination IP address" to obtain a combined flow rule. The minimum range matching module takes, for each item of data flow match information in the combined flow rule, the value with the smallest matching range according to the preset logic as the value of the current data flow match information, obtaining the current minimum-range data flow match information; it is connected to the rule combination module. The update rule generation module modifies the minimum-range data flow match information to generate the network update rule and is connected to the minimum range matching module. The update matching module matches with the network update rule to obtain the updated flow rule and is connected to the update rule generation module. The source address modification module modifies the source IP address contained in the updated flow rule to the IP address in the parent node of the stipulations tree and is connected to the update matching module.
As described above, the flow rule conflict detection method and system based on an alias stipulations tree provided by the present invention have the following beneficial effects:
In summary, the present invention provides a flow rule conflict detection method and system based on an alias stipulations tree. First, the flow table entries to be inserted are checked as necessary: useless flow table entries are filtered out, and it is ensured that the application has sufficient permission to install flow rules on the corresponding port of the physical switch. Then all match domains in the flow table entries are matched quickly with a divide-and-conquer algorithm based on the stipulations tree and a dictionary tree (trie). Finally, the actions of the conflicting flow rules are analysed to confirm whether they can be combined; if they can, the conflict is resolved with the existing combination operator; otherwise the network state read by the application is updated. This solves the technical problems of matching errors and false reports of flow rule action conflicts in the prior art.
Brief description of the drawings
Fig. 1 is a schematic diagram of the steps of the flow rule conflict detection method based on an alias stipulations tree of the present invention.
Fig. 2 is a schematic diagram of the flow table entry filtering steps of the present invention.
Fig. 3 is a schematic diagram of the stipulations tree construction and conflict judgement of the present invention.
Fig. 4 is a schematic diagram of the flow rule matching of the present invention.
Fig. 5 is a schematic diagram of the flow rule combination steps of the present invention.
Fig. 6 is a schematic diagram of the modules of the flow rule conflict detection system based on an alias stipulations tree of the present invention.
Fig. 7 is a schematic diagram of the flow table entry check module of the present invention.
Fig. 8 is a schematic diagram of the conflict identification module of the present invention.
Fig. 9 is a schematic diagram of the data flow information matching module of the present invention.
Fig. 10 is a schematic diagram of the conflict resolution and combination module of the present invention.
Reference numerals
1 flow rule conflict detection system based on an alias stipulations tree
11 flow table entry check module
12 conflict identification module
13 data flow information matching module
14 combination judgement module
15 conflict resolution and combination module
16 network state update module
111 flow table filtering module
112 port permission module
121 stipulations tree initialisation module
122 stipulations tree construction module
123 derived rule acquisition module
124 rule comparison module
125 conflict judgement module
131 flow rule traversal module
132 source address modification set module
133 set traversal module
134 rule matching module
151 rule combination module
152 minimum range matching module
153 update rule generation module
154 update matching module
155 source address modification module
Step numbering
Fig. 1 S1~S6
Fig. 2 S11~S12
Fig. 3 S21~S25
Fig. 4 S31~S34
Fig. 5 S51~S55
Embodiments
The embodiments of the present invention are illustrated below by specific examples; those skilled in the art can easily understand other advantages and effects of the present invention from the content disclosed in this specification.
Referring to Figs. 1 to 10, it should be noted that the structures depicted in the accompanying drawings of this specification only serve to explain the disclosed content so that those skilled in the art can understand and read it; they are not intended to limit the conditions under which the invention can be implemented and therefore have no essential technical meaning. Any modification of structure, change of proportional relationship or adjustment of size, provided that it does not affect the effect the utility model can produce and the purpose it can achieve, still falls within the scope covered by the technical content disclosed by the utility model. At the same time, terms such as "upper", "lower", "left", "right", "middle" and "one" cited in this specification are merely for convenience of description and are not intended to limit the scope in which the invention can be implemented; changes or adjustments of their relative relationships, without substantive change of the technical content, are also regarded as within the scope in which the invention can be implemented.
Referring to Fig. 1, which is a schematic diagram of the steps of the flow rule conflict detection method based on an alias stipulations tree of the present invention, the method comprises:
S1, checking the flow table entry to be inserted and the data flow sent by the packets it matches. In SDN (Software Defined Networking), the flow table is OpenFlow's abstraction of the data forwarding function of a network device. Data forwarding in an OpenFlow switch relies on the layer-2 MAC address forwarding table or the layer-3 IP address routing table kept in the device, and the entries of an OpenFlow switch incorporate the network configuration information of every layer of the network;
S2, constructing the alias stipulations tree and identifying from it the conflicts that inserting the flow table entry would trigger; the alias stipulations tree is constructed according to the match domains and the action kinds of the flow rules;
S3, matching the data flow match information in the flow table entry with preset logic according to the alias stipulations tree; all match domains in the flow table entry are matched quickly by a divide-and-conquer algorithm based on the stipulations tree;
S4, analysing the flow rules of the flow table entry and judging whether they are suitable for combination, according to the match domains in the flow table entry and modification actions in the flow rules such as replacing the source IP address or replacing the destination IP address;
S5, if so, resolving the conflict of the combination and completing the combination of the flow rules; the flow rules derived from the constructed alias stipulations tree are compared with the original flow rules to identify and analyse action conflicts between flow rules;
S6, if not, updating the network state read by the application: when the flow rules are not suitable for combination, the state information of network devices such as SDN switches is updated.
Referring to Fig. 2, which is a schematic diagram of the flow table entry filtering steps of the present invention, S1, checking the flow table entry to be inserted and the data flow sent by its packets, comprises:
S11, filtering invalid flow table entries. In the flow rule conflict detection method based on an alias stipulations tree, the flow table entries to be inserted must first be checked; the presence of invalid flow table entries among them reduces the installation permission of flow rules on switch ports, so they must be filtered out;
S12, presetting the installation permission of flow rules on switch ports. After the invalid flow table entries are filtered out, the permission to install flow table entries on switch ports is specified, which ensures that the application has sufficient permission to install flow rules on the corresponding port of the physical switch.
Referring to Fig. 3, which is a schematic diagram of the stipulations tree construction and conflict judgement of the present invention, S2, constructing the alias stipulations tree and identifying from it whether the flow rules of the inserted flow table entry conflict, comprises:
S21, taking the source IP address in the data flow match information of the original flow rule as the root node of the alias stipulations tree. In the initial state, when the alias stipulations tree is created, the source IP address in the match domain of the first flow rule is used as the root node of the alias stipulations tree; a node holds the current rule ID, the destination IP address set and the corresponding actions. Assume the rule a->c drop (drop packets whose source address is a and destination address is c); its corresponding alias stipulations tree is then built from that rule, with a as the root node;
S22, constructing the alias stipulations tree according to the preset logic for constructing a stipulations tree. If the action of a flow rule contains a set-field operation that replaces the source IP address, the alias stipulations tree is updated with the replaced source IP address as the parent node and the replacing source IP address as a child node. If the action of a flow rule contains a set-field operation that replaces the destination IP address, the alias stipulations tree is updated by adding the replacing destination IP address to the destination IP address set in the node of the current flow rule and in its ancestor nodes. If the action of a flow rule contains a forward or drop operation, the alias stipulations tree is updated by adding this action to the corresponding node and to its ancestor nodes. For example, the rule set to be inserted is: 1. a->d set(a=>b); 2. b->d set(d=>c); 3. b->c forward;
S23, deriving flow rules from the alias stipulations tree. The alias binary tree is constructed according to the above logic and the derived flow rules are obtained from it. The construction process of the corresponding alias stipulations tree is: insert rule 1, insert rule 2, insert rule 3; the derived rule is a->c forward (forward packets whose source address is a and destination address is c), which conflicts with the existing rule;
S24, comparing the derived flow rules with the original flow rules to obtain the rule comparison result;
S25, judging, according to the rule comparison result, whether the action kind of the flow rule to be added conflicts with the action kinds in the current node of the alias stipulations tree. During construction of the alias stipulations tree, if the action of the flow rule to be added is found to conflict with an action in the current node of the alias stipulations tree, the rule currently being inserted is considered to conflict with an existing rule in the flow table.
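The construction of S21 to S25, worked through in Python as an added example; this is not code from the patent or from Tongji University. It applies the construction rules stated above: one node per source address, a set-field on the source address creates a child node under the replaced address, a set-field on the destination address and forward/drop actions are recorded in the node and in all of its ancestors, and a rule conflicts when its forward/drop action differs from an action already recorded in a node it touches. The names `AliasTree`, `Node`, `Rule` and `find_conflicts`, the choice to let a source address that does not yet occur in the tree start its own root (the page only fixes the root of the first rule), and the rule list are my own constructions; the rule list reproduces the page's example (a->c drop followed by rules 1 to 3).

```python
"""Alias tree for OpenFlow flow-rule conflict detection (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TERMINAL = ("forward", "drop")   # action kinds that can conflict with each other


@dataclass(frozen=True)
class Rule:
    rid: int
    src: str                          # source IP in the match domain
    dst: str                          # destination IP in the match domain
    action: str                       # "forward", "drop", "set_src" or "set_dst"
    new_value: Optional[str] = None   # replacement address for set_* actions


@dataclass
class Node:
    ip: str
    parent: Optional["Node"] = None
    rule_ids: List[int] = field(default_factory=list)   # rules with this source
    dst_set: Set[str] = field(default_factory=set)      # destination IP set (S21/S22)
    actions: Set[str] = field(default_factory=set)      # forward/drop actions seen

    def ancestry(self):
        """Yield this node and then each ancestor up to the root."""
        node = self
        while node is not None:
            yield node
            node = node.parent


class AliasTree:
    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}

    def _node(self, ip: str, parent: Optional[Node] = None) -> Node:
        # Assumption: an address not yet in the tree becomes a new root
        # (or a child of `parent` when it is created by a set_src action).
        node = self.nodes.get(ip)
        if node is None:
            node = Node(ip, parent)
            self.nodes[ip] = node
        return node

    def insert(self, rule: Rule) -> List[Tuple[int, str, str]]:
        """Insert one rule (S22) and return (rule id, node ip, clashing action)
        for every node whose recorded action differs from this rule's (S25)."""
        node = self._node(rule.src)
        node.rule_ids.append(rule.rid)
        node.dst_set.add(rule.dst)
        conflicts: List[Tuple[int, str, str]] = []
        if rule.action == "set_src":
            # Replaced address is the parent, replacing address the child.
            self._node(rule.new_value, parent=node)
        elif rule.action == "set_dst":
            for n in node.ancestry():
                n.dst_set.add(rule.new_value)
        elif rule.action in TERMINAL:
            for n in node.ancestry():
                conflicts += [(rule.rid, n.ip, other) for other in n.actions
                              if other != rule.action]
                n.actions.add(rule.action)
        else:
            raise ValueError(f"unknown action {rule.action}")
        return conflicts

    def derived_rules(self) -> Set[Tuple[str, str, str]]:
        """Every (src, dst, action) triple the tree implies (S23)."""
        return {(n.ip, dst, act) for n in self.nodes.values()
                for dst in n.dst_set for act in n.actions}


def find_conflicts(rules: List[Rule], tree: AliasTree):
    """S24: original forward/drop rules contradicted by a derived rule."""
    derived = tree.derived_rules()
    return [(r.rid, r.src, r.dst, r.action, act)
            for r in rules if r.action in TERMINAL
            for act in TERMINAL
            if act != r.action and (r.src, r.dst, act) in derived]


def run_example():
    # Constructed from the page's example: an existing "a -> c drop" rule,
    # then the three rules whose alias chain derives "a -> c forward".
    rules = [
        Rule(0, "a", "c", "drop"),
        Rule(1, "a", "d", "set_src", "b"),
        Rule(2, "b", "d", "set_dst", "c"),
        Rule(3, "b", "c", "forward"),
    ]
    tree = AliasTree()
    insert_conflicts: List[Tuple[int, str, str]] = []
    for r in rules:
        insert_conflicts += tree.insert(r)
    return insert_conflicts, find_conflicts(rules, tree)


if __name__ == "__main__":
    print(run_example())
```

Inserting rule 3 is what surfaces the conflict: its forward action is propagated from node b up to the root a, where the drop of the original rule is already recorded, and the derived triple (a, c, forward) contradicts the original a->c drop. Because a node merges the destination sets of every rule with that source, the tree over-approximates: two rules with the same source and different destinations but different actions are also flagged, which is the trade-off the patent accepts for fast detection.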
Referring to Fig. 4, which is a schematic diagram of the flow rule matching of the present invention, S3, matching the data flow match information in the flow table entry with preset logic according to the alias stipulations tree, comprises:
S31, traversing all flow rules. The inputs of the algorithm are the set rs of existing rules in the flow table, the set srcIpRs of rules whose action sets the source IP address, the set dstIpRs of rules whose action sets the destination IP address, and the set otherRs of rules whose action is forward or drop; the output is the set addRules of newly added flow rules;
S32, taking the flow rules whose action kind is "modify source IP address" to generate the source address modification set, i.e. traversing the set srcIpRs of rules whose action sets the source IP address;
S33, traversing all source address modification flow rules in the source address modification set, i.e. iterating over the set srcIpRs;
S34, matching, for each source address modification flow rule, the rules whose action kind is "modify destination IP address": the set dstIpRs is matched against the flow rule rs[srcid], and the set otherRs of rules whose action is forward or drop is matched against rs[srcid] to obtain the set otherSetDstIps, which holds the flow rules that match.
Referring to Fig. 5, which is a schematic diagram of the flow rule combination steps of the present invention, S5, if so, resolving the conflict of the combination and completing the combination of the flow rules, comprises:
S51, combining a source address modification flow rule with a rule whose action kind is "modify destination IP address" to obtain a combined flow rule: the source address modification flow rule rs[id] is combined with the rule rs[DstIps] whose action kind is "modify destination IP address";
S52, for each item of data flow match information in the combined flow rule, taking according to the preset logic the value with the smallest matching range as the value of the current data flow match information, obtaining the current minimum-range data flow match information;
S53, modifying the minimum-range data flow match information to generate the network update rule: the match domains of both rules are combined, and for each match field of the rule the value with the smallest matching range is taken as the value of the current match field;
S54, matching with the network update rule to obtain the updated flow rule: the destination IP of the match domain is replaced with the destination IP of the second rule's match domain, generating a new rule;
S55, modifying the source IP address contained in the updated flow rule to the IP address in the parent node of the stipulations tree: the other rules are matched, and the source IP address of each matched rule is replaced with the IP address in the parent node of the stipulations tree; these rules form the set of newly added rules.
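The matching of S31 to S34 and the combination of S51 to S55, as an added Python example (not code from the patent or from Tongji University). It partitions a constructed flow table into srcIpRs, dstIpRs and otherRs, asks for each source-rewriting rule which destination-rewriting and forward/drop rules a rewritten packet can still reach, and builds the network update rule with the smallest matching range per field. The field names `nw_src`, `nw_dst` and `tp_dst` follow OpenFlow 1.0 match naming; "smallest matching range" is interpreted as the more specific of two IP prefixes (and exact equality for other fields), the combined rule is assumed to carry both rules' actions in order, and the parent-node address of S55 is taken as the source address that the rewriting rule replaced, which is what the S22 construction makes the parent. The `FlowRule`, `narrowest`, `partition`, `matches_after`, `combine` and `generate_update_rules` names and the sample rules are my own.

```python
"""Flow-rule matching and combination after address rewriting (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

WILD = "*"                         # wildcard match field
NET_FIELDS = ("nw_src", "nw_dst")  # fields compared as IP prefixes


@dataclass
class FlowRule:
    rid: int
    match: Dict[str, str]           # field -> CIDR, port string, or "*"
    actions: List[Tuple[str, str]]  # ("set_src", ip) | ("set_dst", ip) | ("output", port) | ("drop", "")


def narrowest(name: str, a: str, b: str) -> Optional[str]:
    """Value with the smallest matching range (S52/S53); None if a and b are disjoint."""
    if a == WILD:
        return b
    if b == WILD:
        return a
    if name in NET_FIELDS:
        na, nb = ip_network(a, strict=False), ip_network(b, strict=False)
        if na.subnet_of(nb):
            return str(na)
        if nb.subnet_of(na):
            return str(nb)
        return None
    return a if a == b else None     # exact-value fields such as ports


def partition(rs: List[FlowRule]):
    """S31: split the flow table into srcIpRs, dstIpRs and otherRs by action kind."""
    src_rs = [r for r in rs if any(k == "set_src" for k, _ in r.actions)]
    dst_rs = [r for r in rs if any(k == "set_dst" for k, _ in r.actions)]
    taken = {r.rid for r in src_rs} | {r.rid for r in dst_rs}
    other_rs = [r for r in rs if r.rid not in taken]
    return src_rs, dst_rs, other_rs


def rewritten_match(rule: FlowRule) -> Dict[str, str]:
    """The match domain as a packet looks after the rule's set-field actions ran."""
    m = dict(rule.match)
    for kind, value in rule.actions:
        if kind == "set_src":
            m["nw_src"] = value + "/32"
        elif kind == "set_dst":
            m["nw_dst"] = value + "/32"
    return m


def matches_after(rule: FlowRule, cand: FlowRule) -> bool:
    """S34: can a packet rewritten by `rule` still match `cand`?"""
    m = rewritten_match(rule)
    return all(narrowest(n, m.get(n, WILD), cand.match.get(n, WILD)) is not None
               for n in set(m) | set(cand.match))


def combine(src_rule: FlowRule, dst_rule: FlowRule, new_id: int) -> Optional[FlowRule]:
    """S51-S55: build the network update rule for one (src-rewrite, dst-rewrite) pair."""
    match: Dict[str, str] = {}
    for name in set(src_rule.match) | set(dst_rule.match):
        if name == "nw_src":
            continue                  # fixed by S55 below
        value = narrowest(name, src_rule.match.get(name, WILD), dst_rule.match.get(name, WILD))
        if value is None:
            return None               # the two match domains exclude each other
        match[name] = value
    # S55: the parent node of the rewritten source in the alias stipulations tree
    # is the address the src rule replaced (S22), i.e. that rule's own nw_src.
    match["nw_src"] = src_rule.match.get("nw_src", WILD)
    # Assumption: the combined rule carries both rules' actions in order.
    return FlowRule(new_id, match, src_rule.actions + dst_rule.actions)


def generate_update_rules(rs: List[FlowRule]):
    """Return (addRules, otherSetDstIps): the new combined rules and, per
    source-rewriting rule, the ids of forward/drop rules reachable after its rewrite."""
    src_rs, dst_rs, other_rs = partition(rs)
    next_id = max(r.rid for r in rs) + 1
    add_rules: List[FlowRule] = []
    reachable: Dict[int, List[int]] = {}
    for s in src_rs:
        reachable[s.rid] = [o.rid for o in other_rs if matches_after(s, o)]
        for d in dst_rs:
            if matches_after(s, d):
                combined = combine(s, d, next_id)
                if combined is not None:
                    add_rules.append(combined)
                    next_id += 1
    return add_rules, reachable


# Constructed sample flow table (not from the patent): rule 1 rewrites the source,
# rule 2 rewrites the destination of the rewritten packet, rule 3 forwards it,
# rule 4 rewrites destinations but never sees the rewritten packet.
SAMPLE_RULES = [
    FlowRule(1, {"nw_src": "10.0.0.1/32", "nw_dst": "10.0.0.4/32", "tp_dst": WILD}, [("set_src", "10.0.0.2")]),
    FlowRule(2, {"nw_src": "10.0.0.2/32", "nw_dst": "10.0.0.0/24", "tp_dst": "80"}, [("set_dst", "10.0.0.3")]),
    FlowRule(3, {"nw_src": "10.0.0.2/32", "nw_dst": "10.0.0.0/24", "tp_dst": WILD}, [("output", "2")]),
    FlowRule(4, {"nw_src": "10.0.0.9/32", "nw_dst": "10.0.0.0/24", "tp_dst": WILD}, [("set_dst", "10.0.0.7")]),
]

if __name__ == "__main__":
    for new_rule in generate_update_rules(SAMPLE_RULES)[0]:
        print(new_rule)
```

On the sample table the only combination is rule 1 with rule 2: the update rule keeps rule 1's original source 10.0.0.1/32 (the parent node), the more specific destination 10.0.0.4/32, and rule 2's port 80, so the controller sees in one entry what the two-step rewrite does to the packet. Rule 4 is skipped because its source field 10.0.0.9/32 can never match the rewritten source, which is the case where a naive per-field combination would fabricate a rule that no packet can hit.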
Referring to Fig. 6, which is a schematic diagram of the modules of the stream rule conflict detection system based on an alias stipulations tree according to the present invention. As shown in Fig. 6, the system includes: a flow table entry checking module 11, a conflict identification module 12, a data flow information matching module 13, a combination judgment module 14, a conflict resolution and combination module 15 and a network state update module 16.

The flow table entry checking module 11 checks the flow table entry to be inserted and the data flow to which the packets of that entry belong. In an SDN (Software Defined Network), the flow table is OpenFlow's abstraction of the data forwarding function of a network device. Data forwarding in an OpenFlow switch relies on the layer-2 MAC address forwarding table or the layer-3 IP address routing table kept in the device, and the entries of an OpenFlow switch integrate the configuration information of every layer of the network.

The conflict identification module 12 constructs the alias stipulations tree and identifies, according to that tree, the conflicts triggered by the inserted flow table entry. Module 12 is connected to the flow table entry checking module 11 and builds the alias stipulations tree from the match fields and the action types of the flow rules.

The data flow information matching module 13 matches the data flow match information of the flow table entry according to the alias stipulations tree and preset logic. Module 13 is connected to the conflict identification module 12 and uses a divide-and-conquer algorithm based on the stipulations tree to match all match fields of the flow table entry quickly.

The combination judgment module 14 analyses the flow rule of the flow table entry and judges whether the flow rule is suitable for combination. Module 14 is connected to the conflict identification module 12; it judges suitability from the match fields of the flow table entry and from modification actions in the flow rule such as replacing the source IP address or replacing the destination IP address.

The conflict resolution and combination module 15, when the flow rule is suitable for combination, resolves the conflict of the combination and completes the combination of the flow rules. Module 15 is connected to the conflict identification module 12 and to the combination judgment module 14; it compares the flow rules derived from the constructed alias stipulations tree with the original flow rules, identifying and analysing the action conflicts between flow rules.

The network state update module 16, when the flow rule is not suitable for combination, updates the network state read by the application. Module 16 is connected to the combination judgment module 14.
Referring to Fig. 7, which is a schematic diagram of the flow table entry checking module of the present invention. As shown in Fig. 7, the flow table entry checking module 11 includes: a flow table filtering module 111 and a port permission module 112. The flow table filtering module 111 filters invalid flow table entries: the flow table entries to be combined should be checked first, because the presence of invalid entries in the flow table lowers the installation permission of flow rules on the switch ports, so the necessary filtering has to be performed. The port permission module 112 presets the installation permission of flow rules on the switch ports; after the invalid flow table entries have been filtered out, the installation permission of flow table entries on the switch ports is specified, which ensures that the application has enough permission to install flow rules on the corresponding ports of the physical switch. The port permission module 112 is connected to the flow table filtering module 111.
Referring to Fig. 8, which is a schematic diagram of the conflict identification module of the present invention. As shown in Fig. 8, the conflict identification module 12 includes: a stipulations tree initialization module 121, a stipulations tree construction module 122, a derivative rule acquisition module 123, a rule comparison module 124 and a conflict judgment module 125.

The stipulations tree initialization module 121 takes the source IP address in the data flow match information of the original flow rule as the root node of the alias stipulations tree: in the initial state, when the alias stipulations tree is created, the source IP address in the match field of the first flow rule becomes the root node.

The stipulations tree construction module 122 constructs the alias stipulations tree according to the preset logic for constructing a stipulations tree and is connected to the stipulations tree initialization module 121. If the action of a flow rule contains a set-field operation that replaces the source IP address, the alias stipulations tree is updated so that the replaced source IP address becomes the parent node and the replacement source IP address becomes its child node. If the action of a flow rule contains a set-field operation that replaces the destination IP address, the alias stipulations tree is updated by adding the replacement destination IP address to the destination IP address set of the node of the current flow rule and of its ancestor nodes. If the action of a flow rule contains a forward or drop operation, the alias stipulations tree is updated by adding this action to the corresponding node and its ancestor nodes.

The derivative rule acquisition module 123 derives derivative flow rules from the alias stipulations tree and is connected to the stipulations tree construction module 122. The rule comparison module 124 compares the derivative flow rules with the original flow rules to obtain a rule comparison result and is connected to the derivative rule acquisition module 123. The conflict judgment module 125 judges, according to the rule comparison result, whether the action type of the flow rule to be added conflicts with the action types in the current node of the alias stipulations tree: while the alias stipulations tree is being constructed, if the action of the flow rule to be added is found to conflict with an action in the current node of the tree, the rule currently being inserted is considered to conflict with an existing rule in the flow table. The conflict judgment module 125 is connected to the rule comparison module 124.
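As an added illustration (not code from the patent or its authors), the following Python sketch builds an alias stipulations tree from constructed flow rules using the three update cases described for module 122 and applies the check of module 125 to a rule about to be inserted. The rule format, the action tuples, the choice of forward-versus-drop as the only conflicting action pair, and the treatment of source IPs never produced by a rewrite as roots of their own subtrees are assumptions of this example.

```python
"""Added example, not the patent's code: an alias stipulations tree with the
conflict check of module 125. Assumed rule format (constructed): a dict with
a 'src' match field and an 'actions' list of ('set_src', ip), ('set_dst', ip),
('forward', port) or ('drop',) tuples; only forward-versus-drop is treated as
a conflicting pair; a source IP never produced by a rewrite roots its own
subtree (these are assumptions of this example)."""
from dataclasses import dataclass, field


@dataclass
class Node:
    ip: str
    parent: "Node | None" = None
    dst_ips: set = field(default_factory=set)  # destination IPs reachable via this alias
    actions: set = field(default_factory=set)  # forward/drop actions at or below this node


def _conflicting(a, b):
    """A forward and a drop recorded for the same alias cannot both hold."""
    return {a[0], b[0]} == {'forward', 'drop'}


class AliasTree:
    def __init__(self, root_ip):
        # Seeded with the source IP of the first flow rule, as in module 121.
        self.nodes = {root_ip: Node(root_ip)}

    def _node(self, ip):
        return self.nodes.setdefault(ip, Node(ip))

    @staticmethod
    def _lineage(node):
        """Yield node, parent, grandparent, ...; stops if a rewrite loop recurs."""
        seen = set()
        while node is not None and node.ip not in seen:
            seen.add(node.ip)
            yield node
            node = node.parent

    def conflicts(self, rule):
        """Actions already recorded at the rule's source node that clash with it."""
        node = self._node(rule['src'])
        return sorted(existing for act in rule['actions']
                      for existing in node.actions if _conflicting(act, existing))

    def insert(self, rule):
        node = self._node(rule['src'])
        for act in rule['actions']:
            if act[0] == 'set_src':
                # Replaced source IP becomes the parent of the replacement IP.
                child = self._node(act[1])
                child.parent = node
                # Anything the alias already accumulated (drop-first ordering)
                # now applies to the original source and its ancestors too.
                for anc in self._lineage(node):
                    anc.actions |= child.actions
                    anc.dst_ips |= child.dst_ips
            elif act[0] == 'set_dst':
                for anc in self._lineage(node):
                    anc.dst_ips.add(act[1])
            elif act[0] in ('forward', 'drop'):
                for anc in self._lineage(node):
                    anc.actions.add(act)


def check_firewall_bypass(order):
    """Constructed scenario: a firewall rule forwards 10.0.0.1, a rewriting app
    maps 10.0.0.1 to the alias 10.0.0.2, and a third rule drops 10.0.0.2. In
    either installation order the tree exposes the indirect drop."""
    rewrite = {'src': '10.0.0.1', 'actions': [('set_src', '10.0.0.2')]}
    drop_alias = {'src': '10.0.0.2', 'actions': [('drop',)]}
    allow = {'src': '10.0.0.1', 'actions': [('forward', 1)]}
    tree = AliasTree('10.0.0.1')
    for rule in ((rewrite, drop_alias) if order == 'rewrite-first' else (drop_alias, rewrite)):
        tree.insert(rule)
    return tree.conflicts(allow)  # [('drop',)] for both orders
```

The scenario function shows the indirect violation the summary refers to: an allow rule on a source whose traffic is rewritten to an alias that another rule drops is flagged whichever of the two rules was installed first.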
Referring to Fig. 9, which is a schematic diagram of the data flow information matching module of the present invention. As shown in Fig. 9, the data flow information matching module 13 includes: a flow rule traversal module 131, a source address modification set module 132, a set traversal module 133 and a rule matching module 134. The flow rule traversal module 131 traverses all flow rules. The source address modification set module 132 obtains the flow rules whose action type is modification of the source IP address and generates the source address modification set; it is connected to the flow rule traversal module 131 and traverses the rules whose action sets the source IP address, forming the rule set srcIpRs. The set traversal module 133 traverses all source-address-modifying flow rules in the source address modification set, that is, it loops over the set srcIpRs; it is connected to the source address modification set module 132. The rule matching module 134 matches, for each source-address-modifying flow rule, the rules whose action type is modification of the destination IP address: the flow rules in the set dstIpRs are matched against rs [srcid], and the flow rule set otherRs whose actions are forward or drop is matched against rs [srcid] to obtain the set otherSetDstIps, which holds the flow rules that matched. The rule matching module 134 is connected to the set traversal module 133.
Referring to Fig. 10, which is a schematic diagram of the conflict resolution and combination module of the present invention. As shown in Fig. 10, the conflict resolution and combination module 15 includes: a rule combination module 151, a minimum range matching module 152, an update rule generation module 153, an update matching module 154 and a source address modification module 155. The rule combination module 151 combines the source-address-modifying flow rules with the rules whose action type is modification of the destination IP address to obtain combined flow rules: the source address modification flow rule set rs [id] is combined with the destination-address-modifying rule set rs [DstIps]. The minimum range matching module 152, according to preset logic, takes for each item of data flow match information of the combined flow rule the minimum of the match ranges as the value of the current data flow match information, obtaining the current minimum-range data flow match information; it is connected to the rule combination module 151. The update rule generation module 153 modifies the minimum-range data flow match information to generate the network update rule: the match fields of the two rules are combined, and for each match field of the rule the minimum of the match range is taken as the value of the current match field; it is connected to the minimum range matching module 152. The update matching module 154 matches the network update rule to obtain the updated flow rule; the destination IP of the match field is then changed to the destination IP of the match field of the second rule, generating a new rule; it is connected to the update rule generation module 153. The source address modification module 155 changes the source IP address contained in the updated flow rule to the IP address held in the parent node of the stipulations tree and then matches the other rules; the source IP addresses of the rules that match are likewise changed to the IP address in the parent node of the stipulations tree, and these rules form the newly added rule set. The source address modification module 155 is connected to the update matching module 154.
In summary, the present invention provides a stream rule conflict detection method and system based on an alias stipulations tree, with the following beneficial effects. The present invention overcomes the shortcomings of the prior art and proposes a divide-and-conquer algorithm for rule conflict detection that can accurately detect whether the policies issued by applications such as firewalls are directly or indirectly violated by other programs. Useless flow table entries are filtered out, ensuring that the application has enough permission to install flow rules on the corresponding ports of the physical switch; then all match fields of the flow table entry are matched quickly with a divide-and-conquer algorithm based on the stipulations tree and a dictionary tree (trie); finally, the actions of the conflicting flow rules are analysed to confirm whether they can be combined. If they can, the conflict is resolved with the existing combination operators; otherwise, the network state read by the application is updated. This solves the technical problem of missed and false reports of flow rule action conflicts in conventional techniques, and has very high commercial value and practicality.

Claims (10)

1. A stream rule conflict detection method based on an alias stipulations tree, characterised in that it includes:
checking the flow table entry to be inserted and the data flow to which the packets of the flow table entry belong;
constructing an alias stipulations tree and identifying, according to the alias stipulations tree, the conflict triggered by the inserted flow table entry;
matching, according to the alias stipulations tree and preset logic, the data flow match information in the flow table entry;
analysing the flow rule of the flow table entry and judging whether the flow rule is suitable for combination;
if so, resolving the conflict of the combination and completing the combination of the flow rule;
if not, updating the network state read by the application.
2. The method according to claim 1, characterised in that checking the flow table entry to be inserted and the data flow to which the packets of the flow table entry belong includes:
filtering invalid flow table entries;
presetting the installation permission of flow rules on the switch ports.
3. The method according to claim 1, characterised in that constructing the alias stipulations tree and identifying, according to the alias stipulations tree, whether the flow rule of the inserted flow table entry has a conflict includes:
taking the source IP address in the data flow match information of the original flow rule as the root node of the alias stipulations tree;
constructing the alias stipulations tree according to the preset logic for constructing a stipulations tree;
deriving derivative flow rules from the alias stipulations tree;
comparing the derivative flow rules with the original flow rules to obtain a rule comparison result;
judging, according to the rule comparison result, whether the action type of the flow rule to be added conflicts with the action types in the current node of the alias stipulations tree.
4. The method according to claim 1, characterised in that matching, according to the alias stipulations tree and preset logic, the data flow match information in the flow table entry includes:
traversing all flow rules;
obtaining the flow rules whose action type is modification of the source IP address and generating a source address modification set;
traversing all source-address-modifying flow rules in the source address modification set;
matching, for each source-address-modifying flow rule, the rules whose action type is modification of the destination IP address.
5. The method according to claim 1 or 4, characterised in that, if so, resolving the conflict of the combination and completing the combination of the new flow rule with the original flow rule includes:
combining the source-address-modifying flow rule with the rule whose action type is modification of the destination IP address to obtain a combined flow rule;
taking, according to preset logic, for each item of data flow match information of the combined flow rule the minimum of the match range as the value of the current data flow match information, to obtain the current minimum-range data flow match information;
modifying the minimum-range data flow match information to generate a network update rule;
matching the network update rule to obtain an updated flow rule;
changing the source IP address contained in the updated flow rule to the IP address in the parent node of the stipulations tree.
6. A stream rule conflict detection system based on an alias stipulations tree, characterised in that it includes: a flow table entry checking module, a conflict identification module, a data flow information matching module, a combination judgment module and a conflict resolution and combination module;
the flow table entry checking module is used for checking the flow table entry to be inserted and the data flow to which the packets of the flow table entry belong;
the conflict identification module is used for constructing an alias stipulations tree and identifying, according to the alias stipulations tree, the conflict triggered by the inserted flow table entry;
the data flow information matching module is used for matching, according to the alias stipulations tree and preset logic, the data flow match information in the flow table entry;
the combination judgment module is used for analysing the flow rule of the flow table entry and judging whether the flow rule is suitable for combination;
the conflict resolution and combination module is used for resolving the conflict of the combination and completing the combination of the flow rule when the flow rule is suitable for combination;
the network state update module is used for updating the network state read by the application when the flow rule is not suitable for combination.
7. The system according to claim 6, characterised in that the flow table entry checking module includes: a flow table filtering module and a port permission module;
the flow table filtering module is used for filtering invalid flow table entries;
the port permission module is used for presetting the installation permission of flow rules on the switch ports.
8. The system according to claim 6, characterised in that the conflict identification module includes: a stipulations tree initialization module, a stipulations tree construction module, a derivative rule acquisition module, a rule comparison module and a conflict judgment module;
the stipulations tree initialization module is used for taking the source IP address in the data flow match information of the original flow rule as the root node of the alias stipulations tree;
the stipulations tree construction module is used for constructing the alias stipulations tree according to the preset logic for constructing a stipulations tree;
the derivative rule acquisition module is used for deriving derivative flow rules from the alias stipulations tree;
the rule comparison module is used for comparing the derivative flow rules with the original flow rules to obtain a rule comparison result;
the conflict judgment module is used for judging, according to the rule comparison result, whether the action type of the flow rule to be added conflicts with the action types in the current node of the alias stipulations tree.
9. The system according to claim 6, characterised in that the data flow information matching module includes: a flow rule traversal module, a source address modification set module, a set traversal module and a rule matching module;
the flow rule traversal module traverses all flow rules;
the source address modification set module is used for obtaining the flow rules whose action type is modification of the source IP address and generating a source address modification set;
the set traversal module is used for traversing all source-address-modifying flow rules in the source address modification set;
the rule matching module is used for matching, for each source-address-modifying flow rule, the rules whose action type is modification of the destination IP address.
10. The system according to claim 6 or 9, characterised in that the conflict resolution and combination module includes: a rule combination module, a minimum range matching module, an update rule generation module, an update matching module and a source address modification module;
the rule combination module is used for combining the source-address-modifying flow rule with the rule whose action type is modification of the destination IP address to obtain a combined flow rule;
the minimum range matching module is used for taking, according to preset logic, for each item of data flow match information of the combined flow rule the minimum of the match range as the value of the current data flow match information, to obtain the current minimum-range data flow match information;
the update rule generation module is used for modifying the minimum-range data flow match information to generate a network update rule;
the update matching module is used for matching the network update rule to obtain an updated flow rule;
the source address modification module is used for changing the source IP address contained in the updated flow rule to the IP address in the parent node of the stipulations tree.
CN201710247143.6A 2017-04-14 2017-04-14 Stream rule conflict detection method and system based on alias protocol tree Active CN107196871B (en)

Publications (2)

Publication Number Publication Date
CN107196871A true CN107196871A (en) 2017-09-22
CN107196871B CN107196871B (en) 2020-04-28
