JP7326930B2 - SEARCH PROGRAM, SEARCH METHOD, AND INFORMATION PROCESSING DEVICE - Google Patents

Description

The present invention relates to a search program, search method, and information processing apparatus.

In recent years, the widespread use of the Internet and SNSs (Social Networking Services) has made it easier to obtain and transmit information, making it easier for people's needs to fluctuate, such as sudden increases in needs for specific products. Therefore, it may be desirable for companies that provide digital services to start services quickly in order to meet fluctuating needs and secure profits. Since starting a service may involve changing network settings, it is desirable to be able to easily change network settings in order to start services quickly. Therefore, techniques such as Software Defined Networking (SDN) and Network Functions Virtualization (NFV) are sometimes used to facilitate setting changes of network services. In a system built using SDN or NFV, settings such as new path settings can be changed by setting packet processing rules. When changing network settings by adding processing rules, etc., verify that no problems have occurred in the network due to the setting changes. However, the verification work is complicated and time consuming because it verifies that there is no contradiction between all the rules already set in the network and the newly added rules.

Therefore, in order to improve the efficiency of verification processing, a network verification technique (Delta-net) has been proposed in which the Boolean combination of processing rules is used as a different transfer operation expression than individual processing rules (Patent Document 1, etc.).

As a related technology, when extracting a series of records that match multiple search conditions, flags are attached to each item value of a specific item, and whether the appearance of the flag specified for the record to be processed complies with the search instruction. A determination method is also known (Patent Document 2, etc.).

JP 2018-46549 A JP 2007-323546 A

By describing the Boolean combination of processing rules as a separate transfer operation expression, among the packets in the scope of application of the processing rule that overlaps with the additionally set processing rule, the additionally set processing rule itself is not applied. can be excluded from verification processing. However, as the number of processing rules set in the network increases, the amount of calculation required to search for the coverage inclusion relationship between each of the set processing rules and the additionally set processing rules becomes enormous. As a result, it takes time to search for inclusion relationships. As a result, network verification processing also takes time. Moreover, even if the technology described as the related technology is used, this problem is not solved.

An object of the present invention, as one aspect, is to improve the efficiency of network verification processing.

A search program according to one aspect is executed by an information processing device. The information processing device selects relational rules applicable to one or more target packets to which additional rules to be added to the network are applied, among a plurality of rules set in the network for defining packet processing. Identify. The information processing device determines, for each of the relationship rules, an inclusion relationship between the relationship rule and the additional rule . The information processing device determines, for each combination of two or more rules among the plurality of rules including at least one of the relational rules, an inclusion relationship between the combination and the additional rule . The information processing device searches for an inclusion relationship between the target packet and each of the plurality of rules using the relationship rule and the inclusion relationship determined for the combination.

The network verification process can be made more efficient.

It is a figure explaining the example of the search method concerning embodiment. It is a figure explaining the example of a structure of an information processing apparatus. It is a figure explaining the example of the hardware constitutions of an information processing apparatus. It is a figure explaining the example of rule information. FIG. 10 is a diagram illustrating an example of a method for managing the scope of application of rules; FIG. 10 is a diagram illustrating examples of Venn diagrams and Hasse diagrams regarding the application range of processing rules; It is an example of a Hasse diagram showing rules of a network that performs search processing. FIG. 10 is a diagram illustrating an example of a derived rule map; 7 is a flowchart illustrating an example of processing for determining whether or not there is a relationship between rules; It is a figure explaining the example of a relationship rule map. 6 is a flowchart illustrating an example of a survey list generation method; FIG. 10 is a diagram illustrating an example of specifying a search target node; FIG. 11 is a flowchart illustrating an example of pattern classification processing; FIG. FIG. 11 is a flowchart illustrating an example of pattern classification processing; FIG. FIG. 10 is a flowchart for explaining an example of processing when a derived rule is generated by adding a rule; FIG. It is an example of a Hasse diagram obtained by the search process. FIG. 10 is a diagram illustrating an example of a method for determining the order of adding rules; This is an example of shortening the time required to search for the applicable area of each rule.

FIG. 1 is a diagram explaining an example of a search method according to an embodiment. The flowchart of FIG. 1 is an example of processing performed by an information processing apparatus that searches for an inclusion relationship of application ranges of a plurality of processing rules set in a network to be verified.

First, the information processing device identifies a processing rule (rule) set in the network to be verified and a processing rule to be added to the network to be verified (rule to be added) (step S1). The information processing device extracts a processing rule related to the processing rule to be added from among the processing rules being set as a related rule (step S2). The information processing device records the relationship rule in the relationship rule map 42 . Here, the relational rule is a processing rule applicable to one or more packets to which the processing rule to be added is applied. That is, if there is no overlap between a packet to which a processing rule is applied and a packet to which a processing rule to be added is applied, the processing rule is not a related rule of the processing rule to be added. Each processing rule defines one or more parameters, such as a range of addresses for packets to which the processing rule applies, a range of port values, a protocol, and the like. Therefore, when the value range of at least one parameter of the processing rule does not overlap with the value range of the parameter of the processing rule to be added, the information processing device determines that the processing rule is not a relational rule.

For example, assume that processing rule A is the processing rule to be added. Assume that the range of destination addresses of packets to which processing rule B is applied and the range of destination addresses of packets to which processing rule A is applied do not overlap. Then, the information processing apparatus determines that the set processing rule B is not a related rule of the processing rule A. FIG. In this way, the information processing apparatus can identify that the processing rule is not a relational rule by using some parameters used for defining the processing rule. On the other hand, processing rule C, which has an overlapping relationship in all parameters with processing rule A to be added, is set as a related rule.

Next, for each rule contained in the relational rule map, the information processing apparatus obtains an inclusion relationship between the rule and the rule derived from the rule (derivative rule) (step S3). . Here, the inclusion relationship between the rule to be added and the relationship rule is defined as follows: when the relationship rule includes the entire rule to be added, when the entire relationship rule is included in the rule to be added, rules may contain parts of each other but not all of them. The information processing device similarly obtains the inclusion relationship between the derived rule and the rule to be added.

The information processing device uses the obtained inclusion relationship to search for an inclusion relationship between the scope of the rule to be added and all the rules already set in the network (step S4). Here, inclusion relations can be explored as partially ordered sets using, for example, Hasse diagrams. In step S4, the scope of application of a plurality of rules already set to the network is defined as a derived rule derived from each rule that is applied in combination, and the scope of application of the rule to be added separately from each rule. Containment relationships are searched.

In this way, in the method shown in FIG. 1, targets for specifying inclusion relationships with rules to be added are limited to relational rules and derived rules derived from relational rules. Furthermore, since the processing at the time of specifying the relationship rule is the processing of excluding rules having one or more non-overlapping parameters from the relationship rule, the amount of calculation can be less than the processing of specifying the inclusion relationship. Therefore, in the search method according to the embodiment, in the case where a combination of processing rules is described as a derived rule separate from each rule that is the basis of the combination, in order to search for the inclusion relationship of the scope of application of each processing rule processing is streamlined. By streamlining the calculation of the inclusion relationship of the scope of application of each processing rule, the time required to identify packets to be verified can be shortened, and as a result, network verification can be made more efficient.

<Device configuration>
FIG. 2 is a diagram illustrating an example of the configuration of the information processing device 10. As shown in FIG. Note that the information processing apparatus 10 does not have to be connected to the network to be verified, or may be connected to the network to be verified, as long as the already set rules and the newly set processing rules can be obtained.

The information processing device 10 includes an input/output processing unit 20 , a control unit 30 and a storage unit 40 . The input/output processing unit 20 has an input unit 21 and an output unit 22 . The input unit 21 is used to input information on rules set in the network and rules to be newly set. Information input via the input unit 21 can be appropriately recorded in the storage unit 40 as the rule information 41 . The output unit 22 is used to output the obtained search results.

The storage unit 40 includes rule information 41 , a relationship rule map 42 , a derived rule map 43 and a research list 44 . The rule information 41 is information on processing rules set in the network and information on processing rules to be added. Note that the rule information 41 may also include information for specifying which combination of processing rules each derived rule is. The relational rule map 42 records identification information of processing rules identified as relational rules. The derived rule map 43 records information identifying derived rules obtained by combining two or more of the processing rules recorded in the rule information 41 . The investigation list 44 records information specifying processing rules and derivation rules for which inclusion relationships are determined.

The control unit 30 includes an identification unit 31, a list generation unit 32, an inclusion relationship determination unit 33, a search unit 34, and may optionally include an order determination unit 35. FIG. The identifying unit 31 identifies a related rule to the rule to be added from among the processing rules set in the network. The identifying unit 31 records the identified relationship rule in the relationship rule map 42 . The list generator 32 generates a survey list 44 using the relationship rule map 42 and the derivation rule map 43 . The inclusion relationship determining unit 33 determines the inclusion relationship between each of the relational rules and derived rules included in the investigation list 44 and the processing rule to be added. Using the inclusion relationship obtained by the inclusion relationship determination unit 33, the search unit 34 determines inclusion for all processing rules in the network, rules to be added, and derived rules derived from the processing rules to be added. Explore relationships. For example, the search unit 34 generates a Hasse diagram including all processing rules in the network, rules to be added, and derived rules derived from the processing rules to be added. The order determination unit 35 determines the order of adding processing rules when adding a plurality of processing rules.

FIG. 3 is a diagram illustrating an example of the hardware configuration of the information processing device 10. As shown in FIG. The information processing device 10 includes a processor 101 , a memory 102 , an input device 103 , an output device 104 and a bus 105 . Furthermore, the information processing apparatus 10 may have one or more of the storage device 106 , the portable storage medium drive device 107 and the network interface 109 . The information processing device 10 can be realized by, for example, a computer, a server device, or the like.

Processor 101 is any processing circuit and may be, for example, a Central Processing Unit (CPU). Processor 101 operates as control unit 30 . The processor 101 can execute programs stored in the memory 102 and the storage device 106, for example. The memory 102 appropriately stores data obtained by the operation of the processor 101 and data used for processing by the processor 101 . The storage device 106 stores programs, data, and the like, and appropriately provides the stored information to the processor 101 and the like. The memory 102 and the storage device 106 operate as the storage unit 40 in the information processing device 10 .

A bus 105 connects the processor 101, the memory 102, the input device 103, the output device 104, the storage device 106, the portable storage medium drive device 107, and the network interface 109 so that they can transmit and receive data to each other. Input device 103 is any device used to enter information, such as a keyboard, mouse, microphone, camera, and the like. The input device 103 can operate as the input unit 21 . Output device 104 is any device used to output data, such as a display, and can implement output unit 22 . The portable storage medium drive device 107 can output data in the memory 102 and the storage device 106 to the portable storage medium 108 and can read programs, data, and the like from the portable storage medium 108 . Here, the portable storage medium 108 can be any portable storage medium including Compact Disc Recordable (CD-R) and Digital Versatile Disk Recordable (DVD-R). The network interface 109 appropriately performs processing for the information processing device 10 to communicate with other devices. When the information processing device 10 is connected to a network to be verified and acquires processing rules and the like from node devices in the network, the input unit 21 can be implemented by the network interface 109 . Furthermore, when information on processing rules set in the network to be verified and rules to be added are notified from the management terminal used by the operator, the network interface 109 can operate as the input unit 21 and the output unit 22. When the network interface 109 operates as the output unit 22, the information processing apparatus 10 can transmit the obtained result to the operator's management terminal.

<First Embodiment>
Examples of processing rules used in a network, examples of network settings, identification of related rules for adding processing rules, generation of a survey list, and search processing will be described below. The information processing apparatus 10 implementing the first embodiment may include the order determination unit 35 or may not include the order determination unit 35 .

(1) Example of Processing Rule and Example of Network Setting FIG. 4 is a diagram illustrating an example of the rule information 41 . The rule information 41 may be an ACL (Access-control list) rule as indicated by R1, or may be a routing rule as indicated by R2. The ACL rule indicated by R1 includes a rule ID, information for specifying a packet to be processed, and a processing rule. In the example of R1, the processing rule is either processing for permitting passage of packets (Allow) or processing for not allowing passage of packets (Deny). In R1, information for specifying a packet to be processed includes a source IP address (IP-SA), a destination IP address (IP-DA), a source port number, a destination port number, and a protocol Contains 5-tuple information. In the rule with rule ID=1 included in R1, source IP address=221.38.7.9/32, destination IP address=203.21.45.10/32, source port number and destination port Packets of protocol A with numbers less than or equal to 65536 are allowed to pass. Similarly, for other rules, the scope of application of the rule is identified from the 5-tuple information.

In the R2 example, each rule includes a rule ID, a node device in the network to which the rule applies, a destination IPprefix, and Nexthop information. For example, according to the rule with rule ID=1, the node device identified by Node0 forwards the packet with the IP prefix 0.0.0.12/30 to the node device identified by Node2.

FIG. 5 is a diagram illustrating an example of a method for managing the scope of application of rules. In the following description, an area in which the same type of processing is applied to packets is referred to as PEC (Packet Equivalence Class). In the example of FIG. 5, rule a and rule b are applied to the network. Rule a permits passage of packets whose source IP address is in the range indicated by Ra (133.28.116.0 to 133.28.116.255). The range to which rule a is applied is denoted by α. According to rule b, packets whose destination IP address is in the range indicated by Rb (202.248.10.0 to 202.248.10.255) are transferred to the node device X. The range to which rule b is applied is denoted by β. The stippled area (#PEC C) in FIG. 5 is a packet whose source IP address is in the range indicated by Ra and whose destination IP address is in the range indicated by Rb. include. Therefore, the node equipment to which rule a and rule b are set permits passage of the packet included in #PEC C and transfers the packet included in #PEC C to node equipment X.

Let #PEC A be the area excluding #PEC C in the area indicated by α. # For PEC A, rule a applies but rule b does not. Therefore, packets included in #PEC A are permitted to pass according to rule a. Let #PEC B be the area excluding #PEC C in the area indicated by β. # In PEC B, rule b applies but rule a does not. Therefore, the packet included in PEC# B is transferred to node equipment X according to rule b.

In #PEC C shown in FIG. 5, rule a and rule b are combined. Therefore, it can be said that the rule applied in #PEC C is a rule derived from rule a and rule b. In this way, a Boolean combination of processing rules, such as a combination of multiple processing rules, can be managed as a new rule (derived rule).

FIG. 6 is a diagram illustrating an example of a Venn diagram and a Hasse diagram of the application range of processing rules. Let rule a, rule b, rule c, and rule e apply to the network. It is assumed that the scope of application of rule a includes the scope of application of each of rule b, rule c, and rule e. It is assumed that rule b and rule c partly overlap in scope, but neither of them includes the scope of the other. In this case, it is considered that derived rule d, which is a combination of rule b and rule c, is applied to a region to which rule b and rule c are applied in duplicate. Further assume that rule e is subsumed by rule d. Then, the scope of application of each rule becomes as shown in Venn diagram B1.

The relationship between rules shown in Venn diagram B1 can be expressed as a partially ordered set shown in Hasse diagram H1. The top layer of Hasse diagram H1 is rule a, and the layers below rule a are rule b and rule c. Rule d, the overlapping part of rule b and rule c, is represented in a layer below rule b and rule c. The scope of rule e is included in the scope of rule d, so rule e is represented in a layer below rule d.

When the area to which each rule is applied is represented by PEC, it becomes as shown in Venn diagram B2. The area where only rule a is applied is #PEC A, and the area where only rule b is applied is #PEC B. The region to which only rule c applies is #PEC C, and the region to which only rule e applies is #PEC E. Furthermore, the region to which only rule d, which is a combination of rule b and rule c, is applied is #PEC D.

Also shown in FIG. 6 are formulas representing the range accommodated in each PEC. In each formula, the range to which the rule applies is indicated by the lowercase letter representing the rule. Therefore, a is the scope of rule a. Therefore, the formula #PEC A=a-(#PEC B+#PEC C+#PEC D+#PEC E) is obtained by subtracting #PEC B, #PEC C, #PEC D, and #PEC E from the scope of rule a. represents a range. Similarly, the formula #PEC B=b−(#PEC D+#PEC E) represents the range of rule b minus #PEC D and #PEC E. The formula #PEC C=c−(#PEC D+#PEC E) represents the scope of rule c minus #PEC D and PEC# E. The formula #PEC D=d−#PEC E represents the scope of rule d minus #PEC E. Furthermore, the expression #PEC E=e represents the full range of applicability of rule e.

FIG. 7 is an example of a Hasse diagram showing rules of a network for performing search processing. Assume that the processing rules of rule 1 to rule 55 and the derived rules derived from rule 1 to rule 55 are set in the network. In the following description, in order to make it easier to distinguish between processing rules and derived rules set in the network, the identification information of the processing rules will be represented by numbers, and the identification information of the derived rules will be represented by alphabets. Rules and derived rules set in the network are represented as nodes in the Hasse diagram shown in FIG.

FIG. 8 is a diagram illustrating an example of the derived rule map 43. As shown in FIG. A derived rule map 43 shown in FIG. 8 is an example of a derived rule map 43 in a network in which rules are set as represented by the Hasse diagram shown in FIG. When a derived rule occurs when additional settings are made for a rule, identification information of the derived rule is generated and registered in the derived rule map 43 . The first entry in the derived rule map 43 shown in FIG. 8 indicates that derived rule a occurs when rule 5 is added. In the Hasse diagram of FIG. 7 as well, the derived rule a is recorded in the layer below the rule 2 and the rule 5. FIG. Similarly, for other rules in the derived rule map 43, each derived rule is recorded in the derived rule map 43 in association with one of the rules that caused the generation of that derived rule.

(2) Identification of related rules In the following description, when a new rule 56 is set in the networks shown in FIGS. 7 and 8, the relationship between the scope of application of the rule 56 and the scope of application of other rules is searched. Take the case as an example. When adding a new rule 56, the information of the inclusive relationship between each rule represented by each node shown in FIG. 7 and the rule 56 is used. However, if the processing for specifying the inclusion relationship with the rule 56 is performed for all the nodes in the Hasse diagram in FIG. 7, the amount of calculation in the information processing apparatus 10 increases.

Therefore, the information processing apparatus 10 first identifies the relationship rule of the rule 56 . The relational rules of the rule 56 are: a rule whose application target of the rule 56 is included in the application target of the rule 56; a rule whose application target is included in the application target of the rule 56; is one of the overlapping rules. For this reason, the specifying unit 31 selects, from among the rules corresponding to each node included in the Hasse diagram of FIG. excluded from the relationship rules of In the subsequent processing, the relational rule is targeted for specifying the inclusion relation with the rule 56 to be added.

FIG. 9 is a flowchart illustrating an example of processing for determining whether there is a relationship between rules. In FIG. 9, a case of adding a 5-tuple ACL rule as shown in rule R1 in FIG. 4 is taken as an example. Note that FIG. 9 is only an example of processing, and the processing procedure may be changed according to implementation. For example, the order of determination processing in steps S12 to S16 can be arbitrarily changed.

First, loop processing between loop ends L1 and L2 is performed for each of the rules set in the network. Hereinafter, a loop sandwiched between loop ends L1 and L2 may be referred to as a "judgment loop". The specifying unit 31 selects a rule that has not been processed in the determination loop from among the rules set in the network (step S11). The specifying unit 31 determines whether or not the selected rule and the rule to be added overlap in source IP address (step S12). If there is no overlap in the source IP address between the selected rule and the rule to be added, the identifying unit 31 determines that there is no overlapping area between the selected rule and the rule to be added (step S12). No, step S18). On the other hand, if there is overlap in source IP addresses between the selected rule and the rule to be added, the identifying unit 31 determines whether there is overlap in destination IP addresses between the selected rule and the rule to be added. (Yes in step S12, step S13).

If there is no overlap in the destination IP addresses between the selected rule and the rule to be added, the specifying unit 31 determines that there is no overlapping application area between the selected rule and the rule to be added (in step S13 No, step S18). On the other hand, if there is overlap in the destination IP address between the selected rule and the rule to be added, the specifying unit 31 determines whether there is overlap in the source port between the selected rule and the rule to be added ( Yes in step S13, step S14).

If there is no overlap in the transmission source port between the selected rule and the rule to be added, the specifying unit 31 determines that there is no overlapping application area between the selected rule and the rule to be added (step No in S14, step S18). On the other hand, if there is overlap in the source port between the selected rule and the rule to be added, the specifying unit 31 determines whether there is overlap in the destination port between the selected rule and the rule to be added (step Yes in S14, step S15).

If the destination port does not overlap between the selected rule and the rule to be added, the identifying unit 31 determines that there is no overlapping application area between the selected rule and the rule to be added (step S15). No, step S18). On the other hand, if there is overlap in the source port between the selected rule and the rule to be added, the specifying unit 31 determines whether there is overlap in protocol between the selected rule and the rule to be added (step S15). Yes, step S16).

When there is no protocol overlap between the selected rule and the rule to be added, the specifying unit 31 determines that there is no overlapping application area between the selected rule and the rule to be added (No in step S16, step S18). On the other hand, if there is overlap in protocol between the selected rule and the rule to be added, the specifying unit 31 determines that there is an overlapping application area between the selected rule and the rule to be added (Yes in step S16). , step S17).

After that, the specifying unit 31 determines whether or not all rules have been selected (loop end L2). If all the rules have not been selected, the processes after step S11 are repeated (No at loop end L2). On the other hand, if all the rules have been selected, the specifying unit 31 generates the relationship rule map 42 (Yes at loop end L2, step S19). In step S<b>19 , the identifying unit 31 records the rule determined in step S<b>17 as having an overlapping application area with the rule to be added as a relational rule in the relational rule map 42 .

FIG. 10 is a diagram illustrating an example of a relationship rule map. Assume that when rule 56 is a rule to be added, the processing described with reference to the flowchart of FIG. 9 is performed for each of rules 1 to 55 shown in FIG. As a result, if rule 1, rule 5, rule 15, rule 27, rule 28, and rule 40 are judged to have overlapping application areas with rule 56, the relationship rule map 42 shown in FIG. generated.

As will be described below, the rules recorded in the relational rule map 42 are subjected to processing (FIGS. 13A and 13B), which will be described later as detailed search processing for identifying inclusion relationships. On the other hand, in FIG. 9, a rule for which it is determined that the area overlapping the rule to be added does not fall within the scope of application is not recorded in the relationship rule map 42, and a detailed search process for specifying the inclusion relationship will be described later. is not subject to For this reason, in the information processing apparatus 10, compared to the case of specifying the inclusion relationship between each node of the Hasse diagram shown in FIG. be done.

(3) Generating Survey List FIG. 11 is a flow chart illustrating an example of a method for generating the survey list 44 . The list generator 32 generates a survey list 44 using the relationship rule map 42 and the derivation rule map 43 . For example, assume that the relationship rule map 42 shown in FIG. 10 has been obtained for the rule 56, and the derived rule map 43 in the network is as shown in FIG.

The list generator 32 copies the relationship rule map 42 to the investigation list 44 (step S31). Therefore, when step S31 is completed in the search process for adding rule 56, rule 1, rule 5, rule 15, rule 27, rule 28, and rule 40 are recorded in the investigation list 44. FIG.

Next, a loop process sandwiched between loop ends L11 and L12 is performed. Hereinafter, a loop sandwiched between loop ends L11 and L12 may be referred to as a "node addition loop". The list generator 32 identifies a rule of interest from the rules in the relational rule map 42 (step S32). The list generator 32 determines whether or not there is a record of the derivation rule map 43 for the rule of interest (step S33). If the rule of interest is recorded in the derived rule map 43, the list generator 32 adds the derived rule recorded in the derived rule map 43 in association with the rule of interest to the investigation list 44 (step S33). No, step S34). For example, when rule 5 in the investigation list 44 is specified as a rule of interest, a derived rule a is recorded in association with rule 5 in the derived rule map 43 . Since the list generation unit 32 adds the derived rule a to the investigation list 44 by the process of step S34, the updated investigation list 44 includes rule 1, rule 5, rule 15, rule 27, rule 28, rule 40, rule a is recorded.

After the process of step S34 or when it is determined in step S33 that there is no record of the derived rule map 43 for the rule of interest, the list generator 32 determines whether all the rules in the relational rule map 42 have been focused. (Loop end L12). If all the rules in the relational rule map 42 are not paid attention to, the processing after step S32 is repeated (No at loop end L12).

For example, assuming that the rule 15 is specified as a node of interest, the list generation unit 32 adds derived rule c and derived rule d to the investigation list 44 in the process of step S34. Therefore, rule 1, rule 5, rule 15, rule 27, rule 28, rule 40, rule a, rule c, and rule d are recorded in the investigation list 44. FIG. Returning to step S31, if the list generator 32 selects the rule 27, the rule associated with the rule 27 is not recorded in the derived rule map 43, so the survey list 44 is not changed, and step S31 is performed again. The following processing is performed. Next, since the list generation unit 32 identifies the rule 28 as the rule of interest, the derived rule m is added to the investigation list 44 in the process of step S34. Therefore, rule 1, rule 5, rule 15, rule 27, rule 28, rule 40, rule a, rule c, rule d, and rule m are recorded in the investigation list 44. FIG. After that, when the rule of interest is changed to the rule 40, the rule associated with the rule 40 is not recorded in the derived rule map 43, so the investigation list 44 is not changed.

When all the rules in the relational rule map 42 are noted, the list generator 32 terminates the process (Yes at loop end L12). Therefore, the survey list 44 generated for the process of adding rule 56 includes rule 1, rule 5, rule 15, rule 27, rule 28, rule 40, rule a, rule c, rule d, rule m. is included.

FIG. 12 is a diagram illustrating an example of specifying a search target node. FIG. 12 shows an example of a study list 44 generated for the process of adding a rule 56 and the position of each rule recorded in the study list 44 in the Hasse diagram. In the Hasse diagram shown in FIG. 12, a node corresponding to each rule recorded in the investigation list 44 is shown as a search node. A search node is a node to be searched for inclusion relationships. As shown in FIG. 12, by the processing described with reference to FIGS. It is limited to rule 40, rule a, rule c, rule d, and rule m.

(4) Search Processing FIGS. 13A and 13B are flowcharts illustrating an example of pattern classification processing. In FIGS. 13A and 13B, the inclusion relationship between the rule to be investigated and the rule to be added is classified into the following four patterns.
Pattern 1: The scope of the rule to be investigated includes the scope of the rule to be added Pattern 2: The scope of the rule to be added includes the scope of the rule to be investigated Pattern 3: The scope of the rule to be investigated The scope of application of the rule to be added partially overlaps, but the scope of application of either rule does not encompass the entirety of the other. Pattern 4: The scope of application of the rule to be investigated and the scope of the rule to be added do not overlap

The inclusion relation determination unit 33 sets the node in the Hasse diagram corresponding to the rule included in the investigation list 44 as the node of interest (step S41). At this time, the inclusive relationship determination unit 33 sets rule 1, which includes all the rules in the Hasse diagram, as the node to be focused on first. Next, the inclusion relation determination unit 33 identifies a node corresponding to the rule in the investigation list 44 among the child nodes in the Hasse diagram of the node of interest (step S42).

Thereafter, a loop process sandwiched between loop ends L21 and L22 is performed. A loop sandwiched between loop ends L21 and L22 may be referred to as a "pattern classification loop". The inclusion relationship determining unit 33 determines a research target among the identified child nodes (step S43). The inclusion relation determining unit 33 identifies, using the derivation rule map 43, a node (derivation node) indicating rule duplication caused by the addition of the child node to be investigated (step S44). For example, in the example shown in FIG. 12, among the child nodes of the node of rule 1, the node associated with rule 5 is specified, so the child node to be investigated is the node of rule 5. FIG. Furthermore, the derived node becomes the node of rule a.

Next, a loop process sandwiched between loop ends L31 and L32 is performed. A loop sandwiched between loop ends L31 and L32 may be referred to as a "classification processing loop". In the classification processing loop, the node in the Hasse diagram corresponding to the rule to be added may be referred to as the node to be added.

The inclusion relation determining unit 33 identifies the node to be processed from among the child node to be investigated and the derived nodes of the child node to be investigated (step S45). The inclusion relation determination unit 33 determines the inclusion relation of the source IP address of the rule associated with each node between the node to be processed and the node to be added (step S46). Next, the inclusion relationship determination unit 33 determines the inclusion relationship of the destination IP addresses of the rules associated with each node between the node to be processed and the node to be added (step S47). The inclusion relation determination unit 33 determines the inclusion relation of the transmission source port of the rule associated with each node between the node to be processed and the node to be added (step S48). The inclusion relationship determination unit 33 determines the inclusion relationship of the destination port of the rule associated with each node between the node to be processed and the node to be added (step S49). The inclusion relationship determination unit 33 determines the inclusion relationship of the protocol of the rule associated with each node between the node to be processed and the node to be added (step S50). The inclusion relationship determination unit 33 classifies the relationship between the node to be processed and the node to be added into one of patterns 1 to 4 based on the inclusion relationships obtained in steps S46 to S50.

For example, assume that the node of rule 5 is the node to be processed and the rule to be added is rule 56 . Here, the source IP address to which rule 5 is applied includes the range of source IP addresses of packets to which rule 56 is applied, and the destination IP address to which rule 5 is applied is the range of the packet to which rule 56 is applied. range of destination IP addresses. Also, the source port to which rule 5 is applied includes the range of the source port of the packet to which rule 56 is applied, and the destination port to which rule 5 is applied is the destination port of the packet to which rule 56 is applied. Suppose it encompasses the range. Furthermore, it is assumed that the protocol to which rule 5 is applied includes the packet protocol to which rule 56 is applied. In this case, the inclusion relationship determination unit 33 determines that rule 5 includes rule 56 . That is, the relationship between rule 5 and rule 56 is pattern 1 .

The inclusive relationship determination unit 33 determines whether all of the child node to be investigated and the derived nodes of the child node to be investigated have been processed (loop end L32). If not all of the child node to be investigated and the derived nodes of the child node to be investigated are to be processed, the inclusion relationship determination unit 33 repeats the processes after step S45 (No at loop end L32). For example, the inclusion relation determining unit 33 can set the node to be processed to the node a in step S45 and perform the subsequent processes. For example, in step S46, the inclusion relationship determination unit 33 determines that the source IP address to which rule a is applied does not overlap the range of source IP addresses of packets to which rule 56 is applied. Then, the inclusion relation determining unit 33 determines that the relation between rule a and rule 56 is pattern 4, regardless of the inclusion relation results in steps S47 to S50.

On the other hand, if all of the child node to be investigated and the derived nodes of the child node to be investigated are to be processed, the inclusion relationship determination unit 33 determines whether all of the child nodes identified in step S42 are to be processed. (Yes at loop end L32, loop end L22). If not all of the specified child nodes are to be processed, the inclusion relationship determining unit 33 repeats the processes from step S43 (No at loop end L22). On the other hand, if all of the specified child nodes are to be processed, the inclusion relationship determination unit 33 ends the process (Yes at loop end L22).

After the processing shown in FIGS. 13A and 13B has been performed for one layer in the Hasse diagram, also for the layer below the processed layer. The processing shown in FIGS. 13A and 13B is performed. For example, after the process of setting rule 1 as the node of interest in step S41, the process shown in FIGS. 13A and 13B is performed next with the node of rule 5 as the node of interest. After that, the processes shown in FIGS. 13A and 13B are performed until the inclusive relationship between the node of the lowest layer in the Hasse diagram and the rule to be added is obtained.

Note that the processing shown in FIGS. 13A and 13B is an example, and the processing may be changed according to implementation. For example, the order of the inclusion relationship determination process performed in steps S46 to S50 can be arbitrarily changed.

13A and 13B, the search unit 34 finds a node corresponding to the rule to be added in a Hasse diagram representing all rules set in the network. Search for a position to add . Further, when a new derived rule is generated by adding a rule to be added, the searching unit 34 also performs processing for registering the new derived rule.

FIG. 14 is a flowchart for explaining an example of processing when a derived rule is generated by adding a rule. Variable n and constant N are used in the process of FIG. A variable n is used to count the number of rules to be processed. The constant N is the total number of search nodes. The search unit 34 sets the variable n to 1 (step S61). The search unit 34 determines whether the rule to be added has a pattern 3 relationship with the n-th rule (step S62). If the rule to be added does not have the pattern 3 relationship with the n-th rule, the rule to be added is one of the other rules and pattern 1, pattern 2, or pattern 4 (No in step S62). . In this case, even if the rule to be added is added, no derived rule is generated due to duplication with the n-th rule.

On the other hand, if the rule to be added has a relationship of pattern 3 with the n-th rule, adding the rule to be added extends the range to which both the rule to be added and the n-th rule are applied. A derived rule to be applied is generated (Yes in step S62). Therefore, the search unit 34 generates identification information for identifying a derived rule that means application of both the rule to be added and the n-th rule (step S63). The search unit 34 records the generated identification information in the derived rule map 43 in association with the rule to be added (step S64). The search unit 34 adds a rule corresponding to the rule identified by the generated identification information to the Hasse diagram (step S65).

If it is determined No in step S62 or if the process of step S65 is finished, the search unit 34 increments the value of n by 1 to finish the process for the n-th rule (step S66). The search unit 34 compares the variable n with the constant N (step S67). When the variable n is equal to or less than the constant N, the search unit 34 repeats the processes after step S62 (No in step S67). On the other hand, when the variable n exceeds the constant N, the search unit 34 terminates the step processing (Yes in step S67).

FIG. 15 is an example of a Hasse diagram obtained by the search process. In the example of FIG. 15, rule 56 has a portion subsumed by derived rule m, which means that both rule 27 and rule 28 apply. Furthermore, there is some overlap in scope between rule 40 and rule 56 included in rule 27 . Therefore, by the processing shown in FIG. 14, the search unit 34 sets the derived rule x as the derived rule that means that both the rule 40 and the rule 56 are applied. Therefore, the node corresponding to the rule 56 shown in FIG. 15 represents the area to which only the rule 56 is applied among the areas to which the rule 56 is applied. On the other hand, the node corresponding to derived rule x represents the area to which both rule 40 and rule 56 apply. Furthermore, the area corresponding to the node of rule 40 in FIG.

As described above, in the search method according to the first embodiment, a rule whose scope does not overlap with a rule to be added is subjected to detailed search processing (FIGS. 13A and 13B) for specifying an inclusion relationship. Not applicable. Also, for each rule already set in the network, the calculation in the process for determining whether it is pattern 4 is a detailed search process for identifying inclusion relationships, as described with reference to FIG. less computational complexity than in For example, when determining whether the applicable ranges of rules overlap as shown in FIG. 9, it is sufficient to simply compare the upper limit and lower limit of each parameter. Assume that the parameter to be compared is the source IP address. In this case, it is determined whether the lower limit of the address space of the rule to be added is smaller than the upper limit of the address space of the rule to be added, and whether it overlaps the lower limit of the address space of the rule to be added. It suffices to determine whether the upper limit of the target rule address is larger. On the other hand, as in the processing in FIGS. 13A and 13B, when judging the inclusive relationship of each parameter, the processing load is several times more than when judging whether each parameter overlaps. Accordingly, the processing load of the information processing apparatus 10 is significantly reduced by limiting the process of specifying the inclusion relationship with the rule to be added to the relational rule and the derivative rule of the relational rule. That is, in the information processing apparatus 10, the calculation processing for specifying the scope of application of the rule is reduced compared to the case of specifying the inclusion relationship between each node of the Hasse diagram shown in FIG. 7 and the rule to be added. be.

<Second embodiment>
In the second embodiment, an embodiment in which a plurality of rules are set at once will be described. The information processing apparatus 10 that implements the second embodiment is assumed to include an order determination unit 35 .

When multiple rules are set in a network, it is expected that the rules corresponding to nodes written in higher layers on the Hasse diagram will contain more rules and the number of rules derived from those rules. Therefore, when a node written in an upper layer on the Hasse diagram is added after another node, even if the first embodiment is applied, comparison with many rules is performed. For example, when adding rule 5 after adding rules 1 to 4 and rules 6 to 56 in the Hasse diagram of FIG. (Relationship rules) are rule 2, rule 7, rule 12 to rule 56. Furthermore, among the derived rules added before rule 5 is added, rules derived from relational rules are also subject to investigation of inclusion relationships with rule 5 .

In this way, the higher the node described in the Hasse diagram, the greater the amount of calculation required for the addition process when added later. Therefore, in the second embodiment, the order determination unit 35 selects the rules to be added so that the Hasse diagram is generated by adding the rules that are likely to be in the upper layers in the Hasse diagram first to the network. Determines the order of additional processing. A rule with a high probability of coming to the upper layer on the Hasse diagram is expected to have a large number of related rules. Therefore, the order determining unit 35 determines the order so that the rule having the larger number of related rules among the rules to be added is added first.

FIG. 16 is a diagram illustrating an example of a method for determining the order of adding rules. In FIG. 16, variable x and constant X are used. The variable x is used to count the number of rules processed. The constant X is the total number of rules to add. The order determination unit 35 sets the variable x to 1 (step S71). The identifying unit 31 obtains a relational rule for the x-th rule to be added, and outputs the obtained result to the order determining unit 35 . The order determining unit 35 obtains the number of related rules (Rnum) for the x-th rule to be added using the information obtained from the specifying unit 31 (step S72). The order determination unit 35 increments the variable x by one and compares the variable x with the constant X (steps S73 and S74). If the variable x is equal to or less than the constant X, the processes after step S72 are repeated (No in step S74). On the other hand, when the variable x exceeds the constant X, the number of related rules has been obtained for all rules to be added (No in step S74). Therefore, the order determination unit 35 determines the order of adding processing for each rule in descending order of Rnum (step S75).

Note that the method of specifying the relational rule and the process of adding each rule after determining the order of adding the rules are the same in the second embodiment as in the first embodiment.

FIG. 17 shows an example of reducing the time required to search for the application area of each rule set in the network. The vertical axis of the graph in FIG. 17 is the time required for PEC segmentation. The horizontal axis of the graph in FIG. 17 is the total number of rules set in the network. Since the number of rules set in a network generally increases as the scale of the network increases, it can be said that the number of rules set in the network is an index representing the scale of the network.

The black circles in the graph of FIG. 17 are examples of the time required to search the application area of each rule when the method according to the embodiment is not applied. On the other hand, the white circles are examples of the time required to search the application area of each rule when the search methods according to the first and second embodiments are applied. As long as the number of rules set in the network is relatively small, there is not much difference between the two, but when the number of rules set in the network exceeds 10000, the white circles have a lower value than the black circles. Also, the difference in the required time between the white circles and the black circles increases as the number of rules set in the network increases. For example, in a large-scale network with 80,000 rules, it takes nearly seven hours to identify the application area of each rule without using the search method according to the embodiment. However, if the first and second embodiments are used together, it takes about 10 minutes to identify the application area of each rule in a large-scale network with 80,000 rules.

In this way, by using the first embodiment and the second embodiment, the target for specifying the inclusion relationship between the rule to be added is limited to the relational rule and the derived rule derived from the relational rule. . In addition, since rules are set in descending order of the number of relational rules, the number of relational rules to be processed is smaller than in the case of randomly determining the addition order of rules. Therefore, in the search methods according to the first and second embodiments, the scope of application of each processing rule when a combination of processing rules is described as a derived rule separate from each rule that is the basis of the combination The processing for searching for the inclusion relationship of is made efficient. The network verification process is made more efficient by streamlining the process of identifying the inclusion relationship of the scope of application of each process rule when a combination of process rules is made into separate derived rules.

<Others>
Note that the embodiment is not limited to the above, and various modifications are possible. Some examples are given below.

For example, in the processing of the classification processing loop described with reference to FIGS. 13A and 13B, as shown in the flowchart of FIG. Pattern 4 may be determined without determining the inclusion relationship of the parameters. If the process is modified in this way, for example, if it is determined in step S46 that there is no duplication of source IP addresses between the node to be processed and the node to be added, the processes of steps S47 to S50 are omitted and pattern 4 is executed. can be classified into Therefore, the processing load in the classification processing loop is further reduced.

The tables and rules described above are examples, and the information elements in the tables and the parameters used to define each rule may be changed according to the implementation. For example, only part of the 5-tuple information may be used to define the ACL rule. Furthermore, the method of specifying parameters such as protocols can be arbitrarily changed according to the implementation. For example, a protocol number may be used to designate a protocol, or a protocol name may be used.

Derived rules are recorded in the derived rule map 43 in association with one rule included in a combination of multiple rules, but the association of the derived rule map 43 can be changed depending on the implementation. For example, derived rules may be recorded in association with individual rules that are combined in derived rules.

10 information processing device 20 input/output processing unit 21 input unit 22 output unit 30 control unit 31 identification unit 32 list generation unit 33 inclusion relationship determination unit 34 search unit 35 order determination unit 40 storage unit 41 rule information 42 relationship rule map 43 derivation rule Map 44 Study List 101 Processor 102 Memory 103 Input Device 104 Output Device 105 Bus 106 Storage Device 107 Portable Storage Media Drive 108 Portable Storage Media 109 Network Interface

Claims (7)

Identifying, from among a plurality of rules set in a network for defining packet processing, applicable rules applicable to one or more target packets to which additional rules to be added to the network are applied;
determining, for each of the relationship rules, an inclusion relationship between the relationship rule and the additional rule ;
determining, for each combination of two or more rules of the plurality of rules , including at least one of the relationship rule, an inclusion relationship between the combination and the additional rule ;
A search program for causing an information processing device to search for an inclusion relationship between each of the target packet and the plurality of rules using the relationship rule and the inclusion relationship determined for the combination. . selecting a determination target rule for determining whether or not it is the relationship rule from the plurality of rules;
For each of one or more parameters used to identify the packet to which the additional rule is applied, the value of the parameter in the additional rule and the value of the parameter used to identify the packet to which the determination target rule is applied Determines if there is overlap between the values of the parameters,
2. The program according to claim 1, causing the information processing device to perform a process of setting the determination target rule to the relation rule when it is determined that all of the one or more parameters overlap. The information processing device, when there may be a packet to which the first rule and the second rule included in the plurality of rules are applied in duplicate, divides the first rule and the second rule. a derived rule map that records the combined third rule as a derived rule derived from the second rule in association with the second rule;
When the determination target rule is set to the relationship rule, the derived rule associated with the determination target rule in the derived rule map is set to the combination specifying an inclusion relationship with the additional rule . 3. The program according to claim 2, causing the information processing apparatus to perform processing. Identification information that identifies the other derived rule if, when the additional rule is added to the network, there may be a packet to which another derived rule combining the additional rule and the related rule is applied. to generate
4. The program according to claim 3, causing the information processing apparatus to perform a process of associating the identification information with the additional rule and recording it in the derived rule map. In the information processing device,
When adding a first additional rule and a second additional rule to the network, a first rule number, which is the number of the relationship rules when adding the first additional rule, and the second additional rule Obtaining a second number of rules, which is the number of said relationship rules when adding
If the second number of rules is greater than the first number of rules, prior to searching for an inclusion relationship between each of the first additional rule and the plurality of rules, the second additional rule and 5. The program according to any one of claims 1 to 4, wherein a process of searching for an inclusion relationship among each of said plurality of rules is performed. Identifying, from among a plurality of rules set in a network for defining packet processing, applicable rules applicable to one or more target packets to which additional rules to be added to the network are applied;
determining, for each of the relationship rules, an inclusion relationship between the relationship rule and the additional rule ;
determining, for each combination of two or more rules of the plurality of rules, including at least one of the relationship rule, an inclusion relationship between the combination and the additional rule ;
A search method, wherein an information processing device searches for an inclusion relationship between each of the target packet and the plurality of rules, using the inclusion relationship determined for the relationship rule and the combination. a specifying unit that specifies, from among a plurality of rules set in a network for defining packet processing, a relevant rule applicable to one or more target packets to which an additional rule to be added to the network is applied; ,
each of a combination of two or more of the plurality of rules, comprising, for each of the relationship rules, determining an inclusion relationship between the relationship rule and the additional rule, and including at least one of the relationship rules; a determination unit that determines an inclusion relationship between the combination and the additional rule for
An information processing apparatus, comprising: a search unit that searches for an inclusion relationship between each of the target packet and the plurality of rules, using the inclusion relationship determined by the determination unit.

Images