CN112437058A - Firewall security policy automatic generation method based on session flow log - Google Patents

Publication number: CN112437058A
Authority: CN (China)
Prior art keywords: security policy, data, service, information, firewall
Legal status: Granted
Application number: CN202011253413.2A
Other languages: Chinese (zh)
Other versions: CN112437058B (en)
Inventors: 李雷, 原蓓蓓, 彭凯, 艾磊, 邵伟
Current Assignee: CETC 30 Research Institute
Original Assignee: CETC 30 Research Institute
Application filed by CETC 30 Research Institute
Priority to CN202011253413.2A
Publication of CN112437058A
Application granted
Publication of CN112437058B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the technical field of network information, in particular to a method for automatically generating firewall security policies from session flow logs. The method ranks the flow information and selects the top n records for analysis. n is a variable parameter that can be adjusted to the scale and complexity of the network, which increases adaptability to different network environments; selecting only the top n also removes the errors that trace traffic at the tail of the ranking would introduce into policy generation, which improves the accuracy of the security policy. The method provides security policies of several styles during generation, and in the policy selection stage the user can choose a suitable one according to the network conditions and personal preference, which improves flexibility of use. The method processes the session flow information with standard table operations, so it is easy to implement with database tools, big data tools, Excel and similar tools, and is convenient to operate.

Description

Firewall security policy automatic generation method based on session flow log
Technical Field
The invention relates to the technical field of network information, in particular to a firewall security policy automatic generation method based on a session flow log.
Background
As the state attaches increasing importance to network security, the firewall is used more and more widely as a general-purpose boundary protection device. Configuration and use of the firewall are generally in the hands of professional network operation and maintenance personnel. When a firewall security policy is configured, problems such as omitted, redundant or even incorrect policies easily occur because the network topology is not well understood or because of other human factors.
Existing policy configuration methods often depend on a policy configuration template, a resource template and the like; the quality of the generated policy depends on the quality of the template, and such methods cannot adapt to a complex network topology, for example: patent CN110430206A, patent CN105847236B, and "method and apparatus for configuring firewall security policy based on script templating generation". Still other configuration methods require too much information from the firewall and are complicated to implement, for example: patent "firewall security policy configuration method and management apparatus" CN101582900B.
Therefore, the existing network information security field has no particularly convenient method by which a firewall security policy can be generated automatically, and a more reasonable technical scheme is needed to address these problems in the prior art.
Disclosure of Invention
To overcome the defects of the prior art described above, the invention provides a method for automatically generating firewall security policies from session flow logs, aiming to solve the problems of high template dependence, poor adaptability, complex operation and low accuracy in current firewall policy generation methods.
To achieve this purpose, the invention adopts the following technical scheme:
The firewall security policy automatic generation method based on the session flow log comprises the following steps:
Session flow log collection: acquire the session flow logs within a time t;
Session flow log processing: merge the acquired session flow logs, sort them by number of bytes, and select candidate data from the sorted logs;
Object extraction: group the candidate data by data type and deduplicate the information to obtain object element information;
Security policy generation and processing: build an information table from the candidate data and replace the data values with IDs to obtain an original security policy table; group the data in the original security policy table by a single element and deduplicate it to obtain a security policy table classified by that element; in addition, group by data type to obtain a simplest security policy table; select one of these three kinds of policy table as the selected security policy table;
Security policy creation: construct service objects and a service table according to the security policy, adjust the service column of the service table to match each group of data in the service table, screen and separate the application identification data to obtain a result table, and build an object table from the result table; replace each group of data in the result table with IDs to obtain a final security policy table, and create the firewall security policy from the final security policy table.
The method consolidates the data, removes service data irrelevant to security policy generation, and selects candidate data so that a more accurate security policy is generated.
Furthermore, in the session flow log collection step above, the firewall is deployed at the network boundary and configured with an all-pass policy; flow information is collected by enabling flow log recording and is measured over a single normal service period, so the acquisition time t of each flow log is greater than or equal to one normal service period.
Further, merging the acquired session flow logs means merging logs of the same type, the same application identifier, the same protocol, the same source address, the same destination address, the same source port, the same destination port, the same ingress interface or the same egress interface, and accumulating the number of bytes.
Further, sorting by number of bytes and selecting candidate data from the sorted logs means sorting the merged logs by number of bytes and selecting n groups of candidate data from the front of the ranking backward; the proportion n of candidate data selected is adjusted according to the complexity of the service traffic.
Further, the object element information includes ID information, data type information, and data value information.
Further, the data type (type) includes an application identifier (appid), a protocol (proto), a source address (saddr), a destination address (daddr), a source port (sport), a destination port (dport), an ingress interface (iif), and an egress interface (oif).
Further, grouping the data in the original security policy table by a single element and deduplicating it to obtain a security policy table classified by that element is implemented by the following feasible scheme: grouping is performed on the application identifier, protocol, source address, destination address, source port, destination port, ingress interface or egress interface data to obtain a security policy table grouped by the corresponding data type.
Furthermore, the service object is composed of a protocol, a source port and a destination port.
Further, constructing the service objects and the service table according to the security policy, adjusting the service column of the service table and matching each group of data in the service table means: the services in the service table are added to the selected security policy table according to their correspondence, the protocol, source port and destination port columns are removed, and a service column is added.
Further, screening and separating the application identification data to obtain a result table is implemented by the following feasible scheme: an appid of 2 stands for application identifier 0, which means the application is not identified and cannot be configured in a security policy, so the security policies with an appid of 2 are separated and screened out to obtain the result table.
Compared with the prior art, the invention has the following beneficial effects:
The invention makes full use of the flow log information generated by a session-based firewall, analyzes and computes over it, and builds an automatic firewall security policy generation method on that basis. The method computes and ranks the flow information and finally selects the top n records as the material for policy generation. n is a variable parameter that can be adjusted to the scale and complexity of the network, which increases adaptability to different network environments; selecting only the top n also removes the errors that trace traffic at the tail of the ranking would introduce into policy generation, which improves the accuracy of the security policy.
The method provides security policies of several styles during generation, and in the policy selection stage the user can choose a suitable one according to the network conditions and personal preference, which improves flexibility of use.
The method processes the session flow information with standard table operations, so it is easy to implement with database tools, big data tools, Excel and similar tools, and is convenient to operate.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only show some embodiments of the present invention, and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1 is a schematic flow diagram of the process.
Detailed Description
The invention is further explained below with reference to the drawings and the specific embodiments.
It should be noted that the description of the embodiments is provided to help understanding of the present invention, but the present invention is not limited thereto. Specific structural and functional details disclosed herein are merely illustrative of example embodiments of the invention. This invention may, however, be embodied in many alternate forms and should not be construed as limited to the embodiments set forth herein.
Examples
The embodiment provides a new method aiming at the problems of high template dependence, poor adaptability, complex operation and low accuracy of the current firewall policy generation method, and can solve the problems in the prior art.
Specifically, as shown in fig. 1, the technical solution adopted in the present embodiment is as follows.
The firewall security policy automatic generation method based on the session flow log comprises the following steps:
Session flow log collection: acquire the session flow logs within a time t;
Session flow log processing: merge the acquired session flow logs, sort them by number of bytes, and select candidate data from the sorted logs;
Object extraction: group the candidate data by data type and deduplicate the information to obtain object element information;
Security policy generation and processing: build an information table from the candidate data and replace the data values with IDs to obtain an original security policy table; group the data in the original security policy table by a single element and deduplicate it to obtain a security policy table classified by that element; in addition, group by data type to obtain a simplest security policy table; select one of these three kinds of policy table as the selected security policy table;
Security policy creation: construct service objects and a service table according to the security policy, adjust the service column of the service table to match each group of data in the service table, screen and separate the application identification data to obtain a result table, and build an object table from the result table; replace each group of data in the result table with IDs to obtain a final security policy table, and create the firewall security policy from the final security policy table.
The method consolidates the data, removes service data irrelevant to security policy generation, and selects candidate data so that a more accurate security policy is generated.
In the session flow log collection step above, the firewall is deployed at the network boundary and configured with an all-pass policy; flow information is collected by enabling flow log recording and is measured over a single normal service period, so the acquisition time t of each flow log is greater than or equal to one normal service period.
Merging the acquired session flow logs means merging logs of the same type, the same application identifier, the same protocol, the same source address, the same destination address, the same source port, the same destination port, the same ingress interface or the same egress interface, and accumulating the number of bytes.
Sorting by number of bytes and selecting candidate data from the sorted logs means sorting the merged logs by number of bytes and selecting n groups of candidate data from the front of the ranking backward; the proportion n of candidate data selected is adjusted according to the complexity of the service traffic.
Preferably, in this embodiment, the policy generation process is described by using the information of top10, that is, n is 10, and the candidate data selected in this embodiment is shown in table 1 below:
Table 1 Candidate data table
[Table 1 is an image in the original publication; its contents are not reproduced in this text.]
In the process of extracting the object, data processing is continued according to table 1, and related information is subjected to deduplication processing to obtain object element information, as shown in table 2:
Table 2 Object element information table
[Table 2 is an image in the original publication; its contents are not reproduced in this text.]
In this embodiment, the object element information includes ID information (the ID is an increasing integer and is unique), data type information (type), and data value information (value). An object element detail table is then built on the basis of the object element information table, as shown in table 3 below:
Table 3 Object element details table
[Table 3 is an image in the original publication; its contents are not reproduced in this text.]
Combining tables 1-3, replacing the content in table 1 with ID results in the original security policy table, as shown in table 4 below:
TABLE 4 original Security policy Table
type appid proto saddr daddr sport dport iif oif
1 1 5 7 11 18 27 32 34
1 2 5 8 12 19 28 32 34
1 2 5 8 11 20 27 32 34
1 3 5 9 13 21 29 32 35
1 3 5 7 14 22 29 32 35
1 4 5 9 15 23 29 32 35
1 2 6 7 16 24 30 32 35
1 2 6 9 16 25 30 32 35
1 2 6 10 17 26 31 33 36
1 2 5 10 17 26 31 33 36
In this embodiment, the data type (type) includes an application identifier (appid), a protocol (proto), a source address (saddr), a destination address (daddr), a source port (sport), a destination port (dport), an ingress interface (iif), and an egress interface (oif).
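The steps from raw logs to an ID-coded table like Table 4, as an added example (not code from the patent). The log records are constructed, `rec` is a hypothetical helper, and merging on all nine fields being equal is an assumption about the merge rule; the flows cut by the top-n selection are returned so they can be reviewed rather than silently lost.

```python
"""Added example: session flow logs -> candidate data -> object IDs -> ID-coded table."""
from collections import defaultdict

# Column order used by the page's tables; the byte count is carried separately.
FIELDS = ("type", "appid", "proto", "saddr", "daddr", "sport", "dport", "iif", "oif")


def rec(appid, proto, saddr, daddr, sport, dport, iif, oif, byte, type_=1):
    """Build one session flow log record (hypothetical helper, not a firewall API)."""
    return dict(type=type_, appid=appid, proto=proto, saddr=saddr, daddr=daddr,
                sport=sport, dport=dport, iif=iif, oif=oif, byte=byte)


# Constructed sample logs: two sessions repeat (to be merged) and one is trace traffic.
SAMPLE_LOGS = [
    rec(1027, 6, "192.168.1.54", "192.168.6.109", 25686, 80, "proxy1", "proxy2", 20000),
    rec(0, 6, "192.168.1.48", "192.168.6.6", 35586, 21, "proxy1", "proxy2", 11234),
    rec(1027, 6, "192.168.1.54", "192.168.6.109", 25686, 80, "proxy1", "proxy2", 1234),
    rec(1040, 6, "192.168.1.32", "61.135.169.121", 25686, 443, "proxy1", "proxy3", 7234),
    rec(0, 17, "192.168.1.54", "114.114.114.114", 2686, 53, "proxy1", "proxy3", 4000),
    rec(0, 6, "192.168.1.99", "192.168.6.6", 40000, 22, "proxy1", "proxy2", 60),
    rec(0, 17, "192.168.1.54", "114.114.114.114", 2686, 53, "proxy1", "proxy3", 234),
]


def merge_logs(records):
    """Merge records whose nine fields all match (assumed rule), summing bytes."""
    totals = defaultdict(int)
    for r in records:
        totals[tuple(r[f] for f in FIELDS)] += r["byte"]
    return [dict(zip(FIELDS, key), byte=total) for key, total in totals.items()]


def select_top_n(merged, n):
    """Sort by accumulated bytes, descending; return (top n groups, the rest)."""
    ranked = sorted(merged, key=lambda r: r["byte"], reverse=True)
    return ranked[:n], ranked[n:]


def extract_objects(candidates):
    """Give each distinct (data type, value) pair one increasing, unique ID.

    IDs are allocated column by column (appid first, oif last), in row order.
    """
    ids = {}
    for field in FIELDS[1:]:            # "type" stays a literal, as in Table 4
        for row in candidates:
            ids.setdefault((field, row[field]), len(ids) + 1)
    return ids


def to_policy_table(candidates, ids):
    """Replace every value by its object ID to get the original policy table."""
    return [tuple([row["type"]] + [ids[(f, row[f])] for f in FIELDS[1:]])
            for row in candidates]


def build_original_policy_table(logs, n):
    """Run merge, top-n selection, object extraction and ID replacement."""
    kept, dropped = select_top_n(merge_logs(logs), n)
    ids = extract_objects(kept)
    return to_policy_table(kept, ids), ids, dropped


if __name__ == "__main__":
    table, ids, dropped = build_original_policy_table(SAMPLE_LOGS, n=4)
    for row in table:
        print(*row)
    for r in dropped:                   # flows no generated rule will cover
        print("not covered:", r["saddr"], "->", r["daddr"], r["dport"], r["byte"])
```
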
Grouping the data in the original security policy table by a single element and deduplicating it to obtain a security policy table classified by that element is implemented by the following feasible scheme: grouping is performed on the application identifier, protocol, source address, destination address, source port, destination port, ingress interface or egress interface data to obtain a security policy table grouped by the corresponding data type, as shown in tables 5 to 12 below:
TABLE 5 grouping by application identification to derive security policies categorized by application identification
type appid proto saddr daddr sport dport iif oif byte
1 1027 6 192.168.1.54 192.168.6.109 25686 80 proxy1 proxy2 21234
1 0 6 192.168.1.48 192.168.6.6 35586 21 proxy1 proxy2 11234
1 1027 6 192.168.1.48 192.168.6.109 26686 80 proxy1 proxy2 8234
1 1040 6 192.168.1.32 61.135.169.121 25686 443 proxy1 proxy3 7234
1 1040 6 192.168.1.54 112.90.6.240 23686 443 proxy1 proxy3 6234
1 748 6 192.168.1.32 14.204.139.118 8566 443 proxy1 proxy3 5234
1 0 17 192.168.1.54 114.114.114.114 2686 53 proxy1 proxy3 4234
1 0 17 192.168.1.32 114.114.114.114 22686 53 proxy1 proxy3 3234
1 0 17 172.5.30.30 192.168.1.54 4000 4000 proxy3 proxy1 3134
1 0 6 172.5.30.30 192.168.1.54 4000 4000 proxy3 proxy1 1234
Table 6 Grouping by protocol to derive security policies classified by protocol
[Table 6 is an image in the original publication; its contents are not reproduced in this text.]
Table 7 Grouping by source address to derive security policies classified by source address
[Table 7 is an image in the original publication; its contents are not reproduced in this text.]
Table 8 Grouping by destination address to derive security policies classified by destination address
[Table 8 is an image in the original publication; its contents are not reproduced in this text.]
Table 9 Grouping by source port to derive security policies classified by source port
[Table 9 is an image in the original publication; its contents are not reproduced in this text.]
Table 10 Grouping by destination port to derive security policies classified by destination port
[Table 10 is an image in the original publication; its contents are not reproduced in this text.]
Table 11 Grouping by ingress interface to derive security policies classified by ingress interface
[Table 11 is an image in the original publication; its contents are not reproduced in this text.]
Table 12 Grouping by egress interface to derive security policies classified by egress interface
[Table 12 is an image in the original publication; its contents are not reproduced in this text.]
According to the method, the simplest security policy table is obtained by classifying the data types, which is specifically shown in the following table 13:
Table 13 Grouping by type to get the simplest security policy
[Table 13 is an image in the original publication; its contents are not reproduced in this text.]
The security policy generated from the original security policy table (table 4) is the most accurate, but its configuration is the most complicated; the security policy generated from the simplest security policy table (table 13) is the simplest, but the configured range is expanded; the security policy tables grouped by the corresponding data type (tables 5 to 12) are compromise security policies. The user can select an appropriate security policy from table 4, table 13, or tables 5 to 12 according to the complexity of the generated policy and personal preference. The method selects the security policy with the least number of rules, namely table 11, so that the generated policy is simple, a certain accuracy is still ensured, and the configuration habits of most operation and maintenance personnel are met.
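The grouping and screening steps run on the page's Table 4, as an added example (not code from the patent). It assumes that grouping on one element keeps, for every other column, the set of IDs seen in the group, which is what the address and interface rows of Table 18 show; `widening` is an addition that compares the address and port combinations a grouped rule permits with the ones actually observed in the logs.

```python
"""Added example: group Table 4 by one element, split unidentified apps, measure widening."""
from math import prod

COLS = ("type", "appid", "proto", "saddr", "daddr", "sport", "dport", "iif", "oif")

# Table 4 from the page (original security policy table; values are object IDs).
TABLE4 = [
    (1, 1, 5, 7, 11, 18, 27, 32, 34),
    (1, 2, 5, 8, 12, 19, 28, 32, 34),
    (1, 2, 5, 8, 11, 20, 27, 32, 34),
    (1, 3, 5, 9, 13, 21, 29, 32, 35),
    (1, 3, 5, 7, 14, 22, 29, 32, 35),
    (1, 4, 5, 9, 15, 23, 29, 32, 35),
    (1, 2, 6, 7, 16, 24, 30, 32, 35),
    (1, 2, 6, 9, 16, 25, 30, 32, 35),
    (1, 2, 6, 10, 17, 26, 31, 33, 36),
    (1, 2, 5, 10, 17, 26, 31, 33, 36),
]

# Per the page, object ID 2 stands for application identifier 0 (not identified).
UNIDENTIFIED_APPID = 2


def group_by(rows, element):
    """Group rows on one element; every column becomes the set of IDs seen."""
    idx = COLS.index(element)
    groups = {}
    for row in rows:
        rule = groups.setdefault(row[idx], {c: set() for c in COLS})
        for col, val in zip(COLS, row):
            rule[col].add(val)
    return groups


def rule_counts(rows):
    """Number of rules each single-element grouping would produce."""
    return {c: len(group_by(rows, c)) for c in COLS}


def split_unidentified(groups):
    """Separate the unidentified application out of each grouped rule.

    A rule whose appid is None matches on the other columns only
    (shown as "/" in the page's final security policy table).
    """
    rules = []
    for rule in groups.values():
        known = rule["appid"] - {UNIDENTIFIED_APPID}
        if known:
            rules.append({**rule, "appid": known})
        if UNIDENTIFIED_APPID in rule["appid"]:
            rules.append({**rule, "appid": None})
    return rules


def widening(rows, element, key, cols=("saddr", "daddr", "dport")):
    """Return (observed, permitted) combinations of `cols` for one grouped rule.

    observed  = distinct combinations present in the rows of the group
    permitted = cross product of the per-column sets the rule would allow
    """
    idx = COLS.index(element)
    members = [r for r in rows if r[idx] == key]
    picks = [COLS.index(c) for c in cols]
    observed = {tuple(r[i] for i in picks) for r in members}
    permitted = prod(len({r[i] for r in members}) for i in picks)
    return len(observed), permitted


if __name__ == "__main__":
    print(rule_counts(TABLE4))
    for rule in split_unidentified(group_by(TABLE4, "iif")):
        print({c: sorted(v) if v else v for c, v in rule.items()})
    for key in group_by(TABLE4, "iif"):
        print("iif", key, "observed/permitted:", widening(TABLE4, "iif", key))
```
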
Specifically, the security policies generated after selecting and processing table 12 are shown in table 14 below:
Table 14 Security policies generated by ingress interface classification
[Table 14 is an image in the original publication; its contents are not reproduced in this text.]
In this embodiment, the service object is composed of a protocol, a source port, and a destination port. And the constructed service table is shown in the following table 15:
Table 15 Service table
[Table 15 is an image in the original publication; its contents are not reproduced in this text.]
In a session-based firewall, the source port of a service is generally configured as 1024-; combining table 14 and table 6, where table 14 and table 6 have the same protocol, the ports are intersected to obtain a service and the corresponding security policy id is recorded; service table 15 is constructed in this way.
In this embodiment, constructing the service objects and the service table according to the security policy, adjusting the service column of the service table and matching each group of data in the service table means: the services in the service table are added to the selected security policy table according to their correspondence, the protocol, source port and destination port columns are removed, and a service column is added. Following this procedure, table 16 below is obtained:
Table 16
[Table 16 is an image in the original publication; its contents are not reproduced in this text.]
Screening and separating the application identification data to obtain a result table is implemented by the following feasible scheme: an appid of 2 stands for application identifier 0, which means the application is not identified and cannot be configured in a security policy, so the security policies with an appid of 2 are separated and screened out to obtain the result table, shown in table 17 below.
Table 17 Result table
[Table 17 is an image in the original publication; its contents are not reproduced in this text.]
From the details in table 17, an object table 18 may be created:
table 18 object table
id type secid value
1 1 1 1,3,4
2 2 1 1001,1002
3 2 2 1003,104
4 2 3 1001,1002
5 3 1 7,8,9
6 3 2 10
7 3 3 7,8,9
8 4 1 11,12,13,14,15,16
9 4 2 17
10 4 3 11,12,13,14,15,16
11 5 1 32
12 5 2 33
13 5 3 32
14 6 1 34,35
15 6 2 36
16 6 3 34,35
In table 18, the type values mean: 1. application object; 2. service object; 3. source address object; 4. destination address object; 5. entry area object; 6. exit area object.
At this time, replacing the contents of table 17 with the ID results in the final security policy table 19.
Table 19 final security policy table
id type appid server saddr daddr iif oif
1 1 1 2 5 8 11 14
2 1 / 3 6 9 12 15
3 1 / 4 7 10 13 16
Further, an application object, a service object, a source address object, a destination address object, an entry area object, and an exit area object are created based on the contents of table 18, table 15, and table 3, respectively.
And creating a firewall security policy according to the application object, the service object, the source address object, the destination address object, the entering area object, the exiting area object and the table content in the final security policy table.
The present invention is not limited to the alternative embodiments described above; those skilled in the art can obtain various other embodiments from them in any combination, and any other embodiment, in whatever form, still falls within the spirit of the present invention. The above detailed description should not be taken as limiting the scope of the invention, which is defined in the claims; the description is to be used to interpret the claims.

Claims (10)

1. The firewall security policy automatic generation method based on the session flow log is characterized by comprising the following steps:
collecting conversation flow logs: acquiring a session flow log within time t;
and (3) session flow log processing: merging the obtained session flow logs, sequencing according to the number of bytes, and selecting standby data from the sequenced logs;
object extraction: grouping the standby data according to the data types, and performing information duplication elimination to obtain object element information;
and (3) generating and processing a security policy: building an information table by using standby data, and replacing the data information with ID to obtain an original security policy table; grouping data in the original security policy table according to a single element, and performing data deduplication processing to obtain a security policy table classified by a certain element; meanwhile, classifying data types to obtain a simplest security policy table; selecting one of the three policy tables as a selected security policy table;
creating a security policy: establishing a service object and a service table according to a security policy, adjusting a content service column of the service table, matching each group of data in the service table, screening application identification data, performing separation processing to obtain a result table, and establishing an object table according to the result table; and replacing each group of data in the result table with the ID to obtain a final security policy table, and creating a firewall security policy according to the final security policy table.
2. The method for automatically generating the firewall security policy based on the session flow log according to claim 1, wherein:
deploying the firewall cloth on a network boundary, configuring an all-pass strategy, collecting flow information in a mode of starting flow log records, calculating in a single normal service period, and enabling the acquisition time t of each flow log to be more than or equal to one normal service period.
3. The method for automatically generating the firewall security policy based on the session traffic log according to claim 1, wherein the obtained session traffic logs are merged, and the method is characterized in that:
and respectively merging logs of the same type, the same application identifier, the same protocol, the same source address, the same destination address, the same source port, the same destination port, the same input interface or the same output interface, and accumulating the number of bytes.
4. The method for automatically generating the firewall security policy based on the session flow log according to claim 1 or 2, wherein the logs are sorted according to byte number, and the backup data is selected from the sorted logs, and the method is characterized in that:
and sequencing the combined logs according to the byte number, selecting standby data from front to back according to the sequencing, and adjusting the proportion of the selected standby data according to the complexity of the service flow.
5. The method for automatically generating the firewall security policy based on the session flow log according to claim 1, wherein: the object element information comprises ID information, data type information and data value information.
6. The method for automatically generating the firewall security policy based on the session traffic log according to claim 5, wherein: the data types comprise application identification, protocol, source address, destination address, source port, destination port, incoming interface and outgoing interface.
7. The method according to claim 1, wherein the data in the original security policy table is grouped according to a single element, and data deduplication processing is performed to obtain a security policy table classified by a certain element, and the method further comprises: and performing grouping processing according to the application identifier, the protocol, the source address, the destination address, the source port, the destination port, the incoming interface or the outgoing interface data to obtain a security policy table grouped according to the corresponding data type.
8. The method for automatically generating the firewall security policy based on the session flow log according to claim 1, wherein: the service object is composed of a protocol, a source port and a destination port.
9. The method according to claim 1, wherein the method comprises the steps of constructing a service object and a service table according to the security policy, adjusting a service column in the service table, and matching each group of data in the service table, wherein the method comprises the following steps:
and adding the service in the service table into the selected security policy table according to the corresponding relation, and removing the data of the protocol, the source port and the destination port column and adding the service column.
10. The method for automatically generating the firewall security policy based on the session flow log according to claim 1, wherein screening and separating the application identification data to obtain a result table is characterized in that:
if the representative with the application identification number 0 with the appid of 2 is not identified and cannot be configured in the security policy, the security policy with the appid of 2 is separated and screened out, and a result table is obtained.
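The steps of claims 7 to 10 can be followed on a small table. The sketch below is an added illustration, not code from the patent: the column names, the `svc-N` service naming, the sample rows, and the reading of the result table as the rows left after the appid 2 rows are separated are all assumptions.

```python
from collections import defaultdict
UNIDENTIFIED_APPID = 2  # claim 10: appid 2 marks traffic that was not identified
FIELDS = ("appid", "proto", "src", "dst", "sport", "dport", "in_if", "out_if")
# Constructed sample of an original security policy table (one row per session tuple).
ROWS = [
    (101, "tcp", "10.0.1.5", "10.0.2.9", "any", 443, "ge0", "ge1"),
    (101, "tcp", "10.0.1.5", "10.0.2.9", "any", 443, "ge0", "ge1"),  # duplicate
    (101, "tcp", "10.0.1.6", "10.0.2.9", "any", 443, "ge0", "ge1"),
    (205, "udp", "10.0.1.5", "10.0.3.1", "any", 53, "ge0", "ge2"),
    (2, "tcp", "10.0.1.7", "10.0.9.9", "any", 8081, "ge0", "ge1"),  # unidentified
]

def group_by_element(rows, element):
    """Claim 7: group rows by one element and drop exact duplicates per group."""
    idx = FIELDS.index(element)
    groups = defaultdict(list)
    for row in rows:
        if row not in groups[row[idx]]:
            groups[row[idx]].append(row)
    return dict(groups)

def build_services(rows):
    """Claim 8: a service object is (protocol, source port, destination port)."""
    services = {}
    for row in rows:
        key = (row[1], row[4], row[5])
        services.setdefault(key, f"svc-{len(services) + 1}")  # hypothetical naming
    return services

def apply_services(rows, services):
    """Claim 9: remove the protocol and port columns, add a service column."""
    out = []
    for appid, proto, src, dst, sport, dport, in_if, out_if in rows:
        policy = {"appid": appid, "src": src, "dst": dst, "in_if": in_if,
                  "out_if": out_if, "service": services[(proto, sport, dport)]}
        if policy not in out:
            out.append(policy)
    return out

def split_unidentified(policies):
    """Claim 10: separate policies whose appid is 2 from the result table."""
    result = [p for p in policies if p["appid"] != UNIDENTIFIED_APPID]
    separated = [p for p in policies if p["appid"] == UNIDENTIFIED_APPID]
    return result, separated

def generate(rows):
    deduped = [r for g in group_by_element(rows, "appid").values() for r in g]
    services = build_services(deduped)
    return (*split_unidentified(apply_services(deduped, services)), services)
```

`generate(ROWS)` returns the result table, the separated appid 2 rows and the service table, so the unidentified rows stay visible for manual review instead of being silently dropped.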
CN202011253413.2A 2020-11-11 2020-11-11 Firewall security policy automatic generation method based on session flow log Active CN112437058B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011253413.2A CN112437058B (en) 2020-11-11 2020-11-11 Firewall security policy automatic generation method based on session flow log

Publications (2)

Publication Number Publication Date
CN112437058A true CN112437058A (en) 2021-03-02
CN112437058B CN112437058B (en) 2022-02-08

Family

ID=74700415

Country Status (1)

Country Link
CN (1) CN112437058B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant