CN111726265A - Application layer firewall performance evaluation method and device - Google Patents


Info

Publication number
CN111726265A
Authority
CN
China
Prior art keywords
application layer
layer
firewall
data transmission
performance
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010563938.XA
Other languages
Chinese (zh)
Inventor
董慧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Environmental Features
Original Assignee
Beijing Institute of Environmental Features
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Institute of Environmental Features
Priority to CN202010563938.XA
Publication of CN111726265A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0823 Errors, e.g. transmission errors
    • H04L43/0829 Packet loss
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3447 Performance evaluation by modeling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0852 Delays
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876 Network utilisation, e.g. volume of load or congestion level
    • H04L43/0888 Throughput
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/50 Testing arrangements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Environmental & Geological Engineering (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for evaluating the performance of an application layer firewall, and relates to the technical field of computers. The method comprises: constructing an application layer firewall performance evaluation model based on queuing theory; sequentially evaluating the performance parameters of the network layer, transport layer and application layer data transmission stages according to the evaluation model; and then determining the performance parameters of the application layer firewall from the performance parameters of those three stages. Through these steps, the performance of the application layer firewall is evaluated by mathematical modeling, which improves the efficiency and accuracy of the evaluation.

Description

Application layer firewall performance evaluation method and device
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for evaluating the performance of an application layer firewall.
Background
As malicious attack methods on today's networks evolve rapidly, the traditional firewall can no longer provide a reliable guarantee of network communication security; for example, it cannot block virus intrusion from the target network. Network security tools must likewise be continuously updated to provide more effective protection. The emergence of application layer firewalls was a major breakthrough in preventing the rapid spread of computer worms and Trojan horse programs, and in modern network environments their strength in defending against attacks is increasingly evident.
The application layer firewall can comprehensively intercept all packets entering and leaving an application program. However, it must perform not only the processing of a traditional firewall but also higher-level processing of application layer HTTP (Hypertext Transfer Protocol) data, which affects information processing speed and network communication efficiency.
In order to reduce the influence of the performance of the application-layer firewall on the network communication quality, the performance of the application-layer firewall needs to be improved, and it is necessary to research a performance evaluation method in the firewall design process. In the prior art, a network measurement tool is usually used to directly measure the performance of the firewall, and the method is complicated and consumes additional manpower and material resources.
Therefore, in order to overcome the above disadvantages, a new solution is needed to solve the problems of complex flow, high consumption, and the like of the conventional firewall performance measurement method.
Disclosure of Invention
(I) Technical problem to be solved
The invention aims to solve the technical problems of complicated flow, high consumption and the like of the traditional firewall performance measurement method.
(II) Technical solution
In order to solve the above technical problem, in one aspect, the present invention provides a method for evaluating performance of an application layer firewall.
The method for evaluating the performance of the application layer firewall comprises the following steps: constructing an application layer firewall performance evaluation model based on a queuing theory; sequentially evaluating the performance parameters of the data transmission stages of the network layer, the transmission layer and the application layer according to the evaluation model; and then, determining the performance parameters of the firewall of the application layer according to the performance parameters of the network layer, the transmission layer and the data transmission stage of the application layer.
Optionally, constructing the application layer firewall performance evaluation model based on queuing theory includes: modeling a network system that uses an application layer firewall to obtain the application layer firewall performance evaluation model. When the network using the application layer firewall is modeled, the input of data packets is made to conform to a Poisson distribution, the queuing process of data packets is made to conform to a hybrid system, and the service time of a service window is made to conform to an Erlang distribution.
Optionally, the performance parameter of the application layer firewall includes at least one of: throughput, packet loss rate, average queuing time of data packets.
Optionally, sequentially evaluating the performance parameters of the network layer, transport layer and application layer data transmission stages according to the evaluation model includes: calculating the packet loss rate and throughput of the network layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the network layer data transmission stage in the evaluation model.
Optionally, sequentially evaluating the performance parameters of the network layer, transport layer and application layer data transmission stages according to the evaluation model further includes: calculating the packet loss rate and throughput of the transport layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the transport layer data transmission stage in the evaluation model.
Optionally, sequentially evaluating the performance parameters of the network layer, transport layer and application layer data transmission stages according to the evaluation model further includes: calculating the packet loss rate and throughput of the application layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the application layer data transmission stage in the evaluation model.
In order to solve the above technical problem, in another aspect, the present invention provides an apparatus for evaluating performance of an application-layer firewall.
The invention relates to an application layer firewall performance evaluation device, which comprises: the construction module is used for constructing an application layer firewall performance evaluation model based on a queuing theory; the evaluation module is used for sequentially evaluating the performance parameters of the data transmission stages of the network layer, the transmission layer and the application layer according to the evaluation model; and then, determining the performance parameters of the firewall of the application layer according to the performance parameters of the network layer, the transmission layer and the data transmission stage of the application layer.
Optionally, the construction module constructing the application layer firewall performance evaluation model based on queuing theory includes: the construction module models a network system that uses the application layer firewall to obtain the application layer firewall performance evaluation model. When the network using the application layer firewall is modeled, the input of data packets is made to conform to a Poisson distribution, the queuing process of data packets is made to conform to a hybrid system, and the service time of a service window is made to conform to an Erlang distribution.
Optionally, the performance parameter of the application layer firewall includes at least one of: throughput, packet loss rate, average queuing time of data packets.
Optionally, the sequentially evaluating, by the evaluation module, the performance parameters of the network layer, the transport layer, and the application layer in the data transmission stage according to the evaluation model includes: the evaluation module calculates the packet loss rate and the throughput of the network layer data transmission stage and the average queuing time of the data packet of the stage according to the evaluation function of the network layer data transmission stage in the evaluation model; the evaluation module calculates the packet loss rate and the throughput of the transmission layer data transmission stage and the average queuing time of the data packet of the transmission layer data transmission stage according to the evaluation function of the transmission layer data transmission stage in the evaluation model; and the evaluation module calculates the packet loss rate and the throughput of the application layer data transmission stage and the average queuing time of the data packet of the stage according to the evaluation function of the application layer data transmission stage in the evaluation model.
(III) Advantageous effects
The technical scheme of the invention has the following advantages: constructing an application layer firewall performance evaluation model based on a queuing theory; sequentially evaluating the performance parameters of the data transmission stages of the network layer, the transmission layer and the application layer according to the evaluation model; and then, determining the performance parameters of the firewall of the application layer according to the performance parameters of the network layer, the transmission layer and the data transmission stage of the application layer. Through the steps, the performance of the application layer firewall is evaluated in a mathematical modeling mode, and the efficiency and the accuracy of the performance evaluation of the application layer firewall are improved.
Drawings
Fig. 1 is a schematic main flow chart of a method for evaluating performance of an application-layer firewall according to a first embodiment of the present invention;
Fig. 2 is a schematic main flow chart of a method for evaluating the performance of an application-layer firewall according to a second embodiment of the present invention;
Fig. 3 is a schematic block diagram of a device for evaluating performance of an application-layer firewall according to a third embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
Example one
Fig. 1 is a schematic main flow chart of a method for evaluating performance of an application-layer firewall according to a first embodiment of the present invention. As shown in fig. 1, a method for evaluating performance of an application-layer firewall according to a first embodiment of the present invention includes:
Step S101: Construct an application layer firewall performance evaluation model based on queuing theory.
Illustratively, in this step, a network system using an application layer firewall may be modeled to derive the application layer firewall performance evaluation model. Preferably, when modeling a network using an application layer firewall, the input of packets is made to conform to a Poisson distribution, the packet queuing process is made to conform to a hybrid system, and the service time of the service window is made to conform to an Erlang distribution.
Step S102: Sequentially evaluate the performance parameters of the network layer, transport layer and application layer data transmission stages according to the evaluation model.
In this step, the performance parameters of the network layer data transmission stage, such as its throughput, packet loss rate and/or average queuing time, may first be evaluated according to the application layer firewall performance evaluation model; then the performance parameters of the transport layer data transmission stage, such as its throughput, packet loss rate and/or average queuing time, are evaluated according to the model; and then the performance parameters of the application layer data transmission stage, such as its throughput, packet loss rate and/or average queuing time, are evaluated according to the model.
Step S103: Determine the performance parameters of the application layer firewall according to the performance parameters of the network layer, transport layer and application layer data transmission stages.
Illustratively, the performance parameters of the application-layer firewall system may include at least one of: the throughput of the application layer firewall system, the packet loss rate of the application layer firewall system and the average queuing time of the application layer firewall system.
In the embodiment of the invention, an application layer firewall performance evaluation model is constructed based on a queuing theory; sequentially evaluating the performance parameters of the data transmission stages of the network layer, the transmission layer and the application layer according to the evaluation model; and then, determining the performance parameters of the application layer firewall according to the performance parameters of the network layer, the transmission layer and the application layer data transmission stage, so that the performance of the application layer firewall is evaluated in a mathematical modeling manner, and the efficiency and the accuracy of evaluating the performance of the application layer firewall are improved.
Example two
Fig. 2 is a schematic main flow chart of an application-layer firewall performance evaluation method according to a second embodiment of the present invention. As shown in fig. 2, the method for evaluating the performance of an application-layer firewall according to the embodiment of the present invention includes:
Step S201: Construct an application layer firewall performance evaluation model based on queuing theory.
Illustratively, in this step, a network system using the application-layer firewall is modeled based on the queuing theory, and a three-layer application-layer firewall performance evaluation model supporting multiple service stations is established. The three layers of the application layer firewall performance evaluation model correspond to three processing stages of the application layer firewall when the data packet is filtered, and the firewall system sets a certain number of service stations in each of the three stages to perform data processing on the arrived data packet according to the network layer rule, the transmission layer rule and the application layer rule in sequence. The application layer firewall system can set different application layer rules for data packets belonging to various application programs.
Preferably, when modeling a network using an application layer firewall, the input of packets is made to conform to a Poisson distribution, the packet queuing process is made to conform to a hybrid system, and the service time of the service window is made to conform to an Erlang distribution.
Step S202: Calculate the packet loss rate and throughput of the network layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the network layer data transmission stage in the evaluation model.
Exemplarily, the step may specifically include:
A1: Based on formula (1), calculate the probability $\alpha_{k,a}$ that k data packets arrive at the system during the whole service time in which the firewall processes one data packet in the network layer data transmission stage:
Figure BDA0002547119020000061
Wherein $\lambda$ is the rate at which data packets arrive at the system, $N_a$ is the number of service windows, $r_a$ is the number of rules, $\mu_a$ is the service rate, and $k \ge 0$.
A2: Based on formula (2), calculate the ratio of the steady-state probabilities $\pi_{k+1,a}$ and $\pi_{0,a}$ of the network layer queuing system at the moment a data packet leaves the network layer data transmission stage:
Figure BDA0002547119020000062
Figure BDA0002547119020000063
Wherein $0 \le k \le K_a + N_a - 2$, and $K_a$ is the capacity of the buffer area.
A3: Based on formula (3), calculate the value of the steady-state probability $\pi_{0,a}$ of the network layer data transmission stage:
Figure BDA0002547119020000064
A4: Based on formula (4), calculate the packet loss rate $P_{loss,a}$ in the network layer data transmission stage:
Figure BDA0002547119020000071
Wherein,
Figure BDA0002547119020000072
A5: Based on formula (5), calculate the throughput $\gamma_a$ of the network layer data transmission stage:
$\gamma_a = \lambda(1 - P_{loss,a})$ (5)
A6: Based on formula (6), calculate the average queuing time $W_a$ of data packets in the network layer data transmission stage:
Figure BDA0002547119020000073
Step S203: Calculate the packet loss rate and throughput of the transport layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the transport layer data transmission stage in the evaluation model.
Exemplarily, the step may specifically include:
B1: Based on formula (7), calculate the probability $\alpha_{k,b}$ that k data packets arrive at the system during the whole service time in which the firewall system processes one data packet in the transport layer data transmission stage:
Figure BDA0002547119020000074
Wherein $N_b$ is the number of service windows, $r_b$ is the number of rules, $\mu_b$ is the service rate, and $k \ge 0$.
B2: Based on formula (8), calculate the ratio of the steady-state probabilities $\pi_{k+1,b}$ and $\pi_{0,b}$ of the transport layer queuing system at the moment a data packet leaves the transport layer data transmission stage:
Figure BDA0002547119020000075
Figure BDA0002547119020000076
Wherein $0 \le k \le K_b + N_b - 2$, and $K_b$ is the buffer area capacity of the transport layer.
B3: Based on formula (9), calculate the value of the steady-state probability $\pi_{0,b}$ of the transport layer data transmission stage:
Figure BDA0002547119020000077
B4: Based on formula (10), calculate the packet loss rate $P_{loss,b}$ in the transport layer data transmission stage:
Figure BDA0002547119020000081
Wherein,
Figure BDA0002547119020000082
B5: Based on formula (11), calculate the throughput $\gamma_b$ of the transport layer data transmission stage:
$\gamma_b = \gamma_a(1 - P_{loss,b})$ (11)
B6: Based on formula (12), calculate the average queuing time $W_b$ of data packets in the transport layer data transmission stage:
Figure BDA0002547119020000083
Step S204: Calculate the packet loss rate and throughput of the application layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the application layer data transmission stage in the evaluation model.
Exemplarily, the step may specifically include:
C1: Based on formula (13), calculate the probability $\alpha_{k,i}$ that k data packets arrive at the system during the whole service time in which application i processes one data packet in the application layer data transmission stage:
Figure BDA0002547119020000084
Wherein $q_i$ is the probability that an arriving data packet belongs to application i, $N_i$ is the number of service windows for processing application i, $r_i$ is the number of rules for processing application i, $\mu_b$ is the service rate for processing application i, $1 \le i \le n$, and $k \ge 0$.
C2: Based on formula (14), calculate the ratio of the steady-state probabilities $\pi_{k+1,i}$ and $\pi_{0,i}$ of the queuing system of application i at the moment a data packet leaves application i in the application layer data transmission stage:
Figure BDA0002547119020000085
Figure BDA0002547119020000086
Wherein $0 \le k \le K_i + N_i - 2$, and $K_i$ is the buffer area capacity of application i in the application layer.
C3: Based on formula (15), calculate the value of the steady-state probability $\pi_0$ of application i in the application layer data transmission stage:
Figure BDA0002547119020000087
C4: Based on formula (16), calculate the packet loss rate $P_{loss,i}$ of the data packets of application i in the application layer data transmission stage:
Figure BDA0002547119020000091
Wherein,
Figure BDA0002547119020000092
C5: Based on formula (17), calculate the throughput $\gamma_i$ of the data packets of application i in the application layer data transmission stage:
$\gamma_i = q_i \cdot \gamma_b(1 - P_{loss,i})$ (17)
C6: Based on formula (18), calculate the average queuing time $W_i$ of the data packets of application i in the application layer data transmission stage:
Figure BDA0002547119020000093
Step S205: determining the performance parameters of the firewall of the application layer according to the performance parameters of the network layer, the transmission layer and the application layer in the data transmission stage
Illustratively, the performance parameters of the application-layer firewall system may include at least one of: the throughput of the application layer firewall system, the packet loss rate of the application layer firewall system and the average queuing time of the application layer firewall system.
Further, the step may specifically include:
d1, calculating the total throughput γ of the application-layer firewall based on equation (19):
Figure BDA0002547119020000094
d2, calculating the total packet loss rate P of the application layer firewall based on the formula (20)loss
Ploss=Ploss,a+(1-Ploss,a)Ploss,b+[1-Ploss,a-(1-Ploss,a)Ploss,b]Ploss,c(20)
Wherein,
Figure BDA0002547119020000095
represents the average packet loss rate of the application layer.
D3, calculating the average queuing time W of the data packet passing through the firewall of the application layer based on the formula (21):
W=Wa+Wb+Wc(21)
wherein,
Figure BDA0002547119020000096
which represents the average queuing time of the data packets during the transmission phase of the application layer.
In the embodiment of the invention, aiming at the problem of firewall performance evaluation, the theoretical calculation of multiple performance indexes of the application layer firewall is realized, and the application layer firewall performance evaluation method based on the queuing theory is provided. The method can realize the performance evaluation of the application layer firewall under various CPU resource allocation scenes by analyzing the queuing rule of the application layer firewall for data processing, helps a firewall designer to realize the maximization of the performance under the condition of certain resource allocation, and has important significance in saving the development cost.
Compared with the prior art, the invention has the following remarkable advantages: (1) the randomness of the probability event is considered, and the performance evaluation result is more accurate by a probability distribution calculation method; (2) according to the current situation that a plurality of multi-core processors are supported by hardware of the current system, a multi-service-desk queuing model is established, so that the performance evaluation method can be reasonably applied to performance evaluation of the existing firewall system; (3) the evaluation process introduces a rule engine that can perform efficient performance evaluation for multiple application scenarios used for application layer data processing.
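The three-stage model of steps S201 to S205 can be cross-checked numerically. The following is an added example, not code from the patent: because formulas (1) to (4) and their transport and application layer counterparts survive on this page only as image placeholders, it estimates each stage's loss rate and queuing time by simulating a Poisson-input, finite-buffer, multi-window queue with Erlang service, and then applies formulas (5), (11), (17), (20) and (21) as printed. Assumptions: the Erlang shape equals the number of rules, the application layer averages $P_{loss,c}$ and $W_c$ are packet-weighted, and all function names and sample numbers are constructed.

```python
import heapq
import random

# Constructed sample configuration (not from the patent): service windows,
# buffer slots, rule count and per-rule phase rate (1/s) for each stage.
NET = {"servers": 4, "buffer_cap": 16, "rules": 2, "phase_rate": 400.0}
TRANS = {"servers": 4, "buffer_cap": 16, "rules": 2, "phase_rate": 400.0}
APPS = [
    {"q": 0.7, "servers": 1, "buffer_cap": 2, "rules": 5, "phase_rate": 100.0},
    {"q": 0.3, "servers": 2, "buffer_cap": 8, "rules": 2, "phase_rate": 400.0},
]


def simulate_stage(arrivals, servers, buffer_cap, rules, phase_rate, rng):
    """Simulate one filtering stage over sorted arrival times.

    Assumption: each rule check is an exponential phase with rate phase_rate,
    so a packet's service time is Erlang-distributed with shape `rules`.
    Returns (sorted departure times, loss rate, mean queuing time).
    """
    free = [0.0] * servers   # min-heap: time at which each service window frees up
    in_system = []           # min-heap: departure times of packets still present
    departures, wait_sum, lost = [], 0.0, 0
    for t in arrivals:
        while in_system and in_system[0] <= t:
            heapq.heappop(in_system)
        if len(in_system) >= servers + buffer_cap:
            lost += 1        # hybrid system: windows and buffer full, packet dropped
            continue
        start = max(t, heapq.heappop(free))   # FIFO: earliest free window
        done = start + sum(rng.expovariate(phase_rate) for _ in range(rules))
        heapq.heappush(free, done)
        heapq.heappush(in_system, done)
        departures.append(done)
        wait_sum += start - t
    loss = lost / len(arrivals) if arrivals else 0.0
    wait = wait_sum / len(departures) if departures else 0.0
    return sorted(departures), loss, wait


def total_loss(p_a, p_b, p_c):
    """Formula (20) as printed in step D2."""
    return p_a + (1 - p_a) * p_b + (1 - p_a - (1 - p_a) * p_b) * p_c


def evaluate_firewall(lam, packets, net, trans, apps, seed=1):
    """Run the three stages in order and combine the per-stage results."""
    rng = random.Random(seed)
    t, arrivals = 0.0, []
    for _ in range(packets):                  # Poisson input: exponential gaps
        t += rng.expovariate(lam)
        arrivals.append(t)
    out_a, p_a, w_a = simulate_stage(arrivals, rng=rng, **net)
    out_b, p_b, w_b = simulate_stage(out_a, rng=rng, **trans)
    # Each packet leaving the transport stage belongs to application i with
    # probability q_i and joins that application's own queue.
    per_app = [[] for _ in apps]
    weights = [app["q"] for app in apps]
    for ts in out_b:
        per_app[rng.choices(range(len(apps)), weights)[0]].append(ts)
    gamma_a = lam * (1 - p_a)                 # formula (5)
    gamma_b = gamma_a * (1 - p_b)             # formula (11)
    gamma_i, delivered, wait_c = [], 0, 0.0
    for app, arr in zip(apps, per_app):
        cfg = {k: v for k, v in app.items() if k != "q"}
        out_i, p_i, w_i = simulate_stage(arr, rng=rng, **cfg)
        gamma_i.append(app["q"] * gamma_b * (1 - p_i))   # formula (17)
        delivered += len(out_i)
        wait_c += w_i * len(out_i)
    # Assumption: application layer averages are weighted by packet counts.
    p_c = (len(out_b) - delivered) / len(out_b) if out_b else 0.0
    w_c = wait_c / delivered if delivered else 0.0
    return {
        "p_loss": {"a": p_a, "b": p_b, "c": p_c,
                   "total": total_loss(p_a, p_b, p_c)},
        "gamma": {"a": gamma_a, "b": gamma_b, "apps": gamma_i},
        "wait_total": w_a + w_b + w_c,        # formula (21)
        "delivered_fraction": delivered / packets,
    }


if __name__ == "__main__":
    print(evaluate_firewall(200.0, 5000, NET, TRANS, APPS))
```

Formula (20) expands to $1 - (1 - P_{loss,a})(1 - P_{loss,b})(1 - P_{loss,c})$, so the combined loss rate must equal one minus the fraction of offered packets that leave the application layer; the simulation makes that identity checkable for any resource allocation.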
Example three
Fig. 3 is a schematic block diagram of a device for evaluating performance of an application-layer firewall according to a third embodiment of the present invention. As shown in fig. 3, the apparatus 300 for evaluating the performance of an application-layer firewall in the embodiment of the present invention includes: a building module 301 and an evaluation module 302.
The building module 301 is configured to build an application layer firewall performance evaluation model based on a queuing theory.
For example, the building module 301 may model a network system using an application layer firewall to obtain an application layer firewall performance evaluation model. Preferably, when modeling a network using an application layer firewall, the input of packets is made to conform to a Poisson distribution, the packet queuing process is made to conform to a hybrid system, and the service time of the service window is made to conform to an Erlang distribution.
The evaluation module 302 is configured to evaluate the performance parameters of the network layer, transport layer and application layer data transmission stages in sequence according to the evaluation model.
Specifically, the evaluation module 302 may first evaluate performance parameters of the network layer data transmission stage, such as performance parameters of throughput, packet loss rate, and/or average queuing time of the network layer data transmission stage, according to the application layer firewall performance evaluation model; then, according to the application layer firewall performance evaluation model, evaluating performance parameters of the transmission layer data transmission stage, such as the performance parameters of the transmission layer data transmission stage, such as throughput, packet loss rate and/or average queuing time; and then, evaluating performance parameters of the application layer data transmission stage, such as the throughput, the packet loss rate and/or the average queuing time of the application layer data transmission stage according to the application layer firewall performance evaluation model.
The evaluation module 302 is further configured to determine performance parameters of the firewall at the application layer according to the performance parameters at the network layer, the transport layer, and the application layer data transmission stage.
Illustratively, the performance parameters of the application-layer firewall system may include at least one of: the throughput of the application layer firewall system, the packet loss rate of the application layer firewall system and the average queuing time of the application layer firewall system.
In the embodiment of the invention, a construction module is used for constructing an application layer firewall performance evaluation model based on a queuing theory; the evaluation module evaluates the performance parameters of the network layer, the transmission layer and the application layer data transmission stage in sequence according to the evaluation model, and then determines the performance parameters of the application layer firewall according to the performance parameters of the network layer, the transmission layer and the application layer data transmission stage, so that the performance of the application layer firewall is evaluated in a mathematical modeling manner, and the efficiency and the accuracy of the performance evaluation of the application layer firewall are improved.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. An application layer firewall performance evaluation method, the method comprising:
constructing an application layer firewall performance evaluation model based on a queuing theory;
sequentially evaluating the performance parameters of the data transmission stages of the network layer, the transport layer and the application layer according to the evaluation model; and then determining the performance parameters of the application layer firewall according to the performance parameters of the network layer, transport layer and application layer data transmission stages.
2. The method of claim 1, wherein the constructing the application layer firewall performance evaluation model based on the queuing theory comprises:
modeling a network system using an application layer firewall to obtain an application layer firewall performance evaluation model; when a network using an application layer firewall is modeled, the input of data packets is made to conform to a Poisson distribution, the queuing process of the data packets is made to conform to a hybrid system, and the service time of a service window is made to conform to an Erlang distribution.
3. The method of claim 1, wherein the performance parameters of the application layer firewall comprise at least one of: throughput, packet loss rate, average queuing time of data packets.
4. The method according to claim 3, wherein the sequentially evaluating the performance parameters of the network layer, the transport layer and the application layer data transmission stage according to the evaluation model comprises:
calculating the packet loss rate and the throughput of the network layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the network layer data transmission stage in the evaluation model.
5. The method of claim 4, wherein the sequentially evaluating the performance parameters of the network layer, the transport layer, and the application layer data transmission stages according to the evaluation model further comprises:
calculating the packet loss rate and the throughput of the transport layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the transport layer data transmission stage in the evaluation model.
6. The method of claim 5, wherein the sequentially evaluating the performance parameters of the network layer, the transport layer, and the application layer data transmission stage according to the evaluation model further comprises:
calculating the packet loss rate and the throughput of the application layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the application layer data transmission stage in the evaluation model.
7. An apparatus for application layer firewall performance evaluation, the apparatus comprising:
the construction module is used for constructing an application layer firewall performance evaluation model based on a queuing theory;
the evaluation module is used for sequentially evaluating the performance parameters of the data transmission stages of the network layer, the transport layer and the application layer according to the evaluation model; and then determining the performance parameters of the application layer firewall according to the performance parameters of the network layer, transport layer and application layer data transmission stages.
8. The apparatus of claim 7, wherein the construction module constructing the application layer firewall performance evaluation model based on queuing theory comprises:
the construction module is used for modeling a network system using the application layer firewall to obtain an application layer firewall performance evaluation model; when a network using an application layer firewall is modeled, the input of data packets is made to conform to a Poisson distribution, the queuing process of the data packets is made to conform to a hybrid system, and the service time of a service window is made to conform to an Erlang distribution.
9. The apparatus of claim 7, wherein the performance parameters of the application layer firewall comprise at least one of: throughput, packet loss rate, average queuing time of data packets.
10. The apparatus of claim 9, wherein the evaluation module sequentially evaluating the performance parameters of the network layer, the transport layer, and the application layer data transmission stages according to the evaluation model comprises:
the evaluation module calculates the packet loss rate and the throughput of the network layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the network layer data transmission stage in the evaluation model;
the evaluation module calculates the packet loss rate and the throughput of the transport layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the transport layer data transmission stage in the evaluation model;
and the evaluation module calculates the packet loss rate and the throughput of the application layer data transmission stage, and the average queuing time of data packets in that stage, according to the evaluation function of the application layer data transmission stage in the evaluation model.
CN202010563938.XA 2020-06-19 2020-06-19 Application layer firewall performance evaluation method and device Pending CN111726265A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010563938.XA CN111726265A (en) 2020-06-19 2020-06-19 Application layer firewall performance evaluation method and device

Publications (1)

Publication Number Publication Date
CN111726265A true CN111726265A (en) 2020-09-29

Family

ID=72567671

Country Status (1)

Country Link
CN (1) CN111726265A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200929