防火墙规则间包含关系的解析方法

doi:10.11772/j.issn.1001-9081.2015.11.3083

计算机应用 ›› 2015, Vol. 35 ›› Issue (11): 3083-3086.DOI: 10.11772/j.issn.1001-9081.2015.11.3083

• 2015年全国开放式分布与并行计算学术年会(DPCS 2015)论文 • 上一篇下一篇

防火墙规则间包含关系的解析方法

殷奕^1,2, 汪芸¹

1. 东南大学计算机科学与工程学院, 南京 211189;
2. 南京师范大学计算机科学与技术学院, 南京 210023

收稿日期:2015-06-17 修回日期:2015-07-28 发布日期:2015-11-13
通讯作者: 殷奕(1978-),女,江苏镇江人,讲师,博士,主要研究方向:网络安全、防火墙、入侵检测系统.
作者简介:汪芸(1969-),女,江苏苏州人,教授,博士,CCF会员,主要研究方向:分布式计算、云计算、大数据、传感器网络.
基金资助:
国家自然科学基金资助项目(60973122);国家973计划项目.

Analysis method of inclusion relations between firewall rules

YIN Yi^1,2, WANG Yun¹

1. School of Computer Science and Engineering, Southeast University, Nanjing Jiangsu 211189, China;
2. School of Computer Science and Technology, Nanjing Normal University, Nanjing Jiangsu 210023, China

Received:2015-06-17 Revised:2015-07-28 Published:2015-11-13

摘要/Abstract

摘要： 针对防火墙规则集中规则间的相互关系难以把握,从而导致防火墙无法正确地过滤数据包的问题,提出了一种基于集合理论的规则间包含关系的解析方法.该方法在不考虑规则动作的情况下,基于集合理论的包含关系来解析和分类规则之间的关系,简化了分析规则间相互关系的过程.并且使用高效的函数式编程语言Haskell实现了所提出的方法,整体代码简洁、易于维护和扩展.实验结果表明,对于中小规模的防火墙规则集,能够快速而有效地解析规则间的包含关系,并且能够为后续的规则间的异常检测提供重要的依据.

关键词: 网络安全, 防火墙, 规则集, 函数式编程语言, 集合理论

Abstract: It is difficult to understand all the relations between firewall rules. Poorly-organized rules may cause the problem that firewall could not filter packets correctly. In order to solve this problem, an analysis method of inclusion relations between firewall rules based on set theory was proposed. Based on the inclusion relations in set theory, the proposed method analyzed and classified the relations between firewall rules without considering the actions of rules. The proposed method simplified the process of analysis relations between firewall rules, and it was implemented by using a functional programming language, Haskell. The whole Haskell codes were concise, which also were easy to maintain and expand. The experimental results show that, with regard to medium scale sets of rules, the proposed method can analyze the inclusion relations between firewall rules rapidly and effectively. The proposed method also provides an important basis for the succeeding rules conflict detection.

Key words: network security, firewall, rules set, functional programming language, set theory

中图分类号:

TP393.08

殷奕, 汪芸. 防火墙规则间包含关系的解析方法[J]. 计算机应用, 2015, 35(11): 3083-3086.

YIN Yi, WANG Yun. Analysis method of inclusion relations between firewall rules[J]. Journal of Computer Applications, 2015, 35(11): 3083-3086.

参考文献

[1] CHESWICK W, BELLOVIN S, RUBIN A. Firewalls and Internet security: repelling the Wily hacker [M]. Boston: Addison-Wesley Professional, 2003: 175-176.
[2] WOOL A. A quantitative study of firewall configuration errors[J]. Computer, 2004, 37(6): 62-67.
[3] AL-SHAER E, HAMED H. Firewall policy advisor for anomaly discovery and rule editing[C]// Proceedings of the 8th IFIP/IEEE International Symposium on Integrated Management. Colorado Springs: Kluwer Academic Publishers, 2003: 17-30.
[4] AL-SHAER E, HAMED H. Modeling and management of firewall policies[J]. IEEE Transactions on Network and Service Management, 2004, 1(1): 2-10.
[5] AL-SHAER E, HAMED H. Discovery of policy anomalies in distributed firewalls[C]// Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies. Piscataway: IEEE, 2004: 2605-2626.
[6] AL-SHAER E, HAMED H. Conflict classification and analysis of distributed firewall policies[J]. IEEE Journal on Selected Areas in Communication, 2005, 23(10): 2069-2084.
[7] YUAN L, MAI J, SU Z, CHEN H, et al. FIREMAN: a toolkit for firewall modeling and analysis[C]// Proceedings of the 2013 IEEE Symposium on Security and Privacy. Washington, DC: IEEE Computer Society, 2006: 199-213.
[8] THANASEGARAN S, YIN Y, TATEIWA Y, et al. A topology based conflict detection system for firewall policies using bit-vector-based spatial calculus[J]. International Journal of Communications, Network and System Sciences, 2011, 4(11): 683-695.
[9] HU H, AHN G, KULKARNI K. Detecting and resolving firewall policy anomalies[J]. IEEE Transactions on Dependable and Secure Computing, 2012, 9(3): 318-331.
[10] XIAO Q, QIN Y, YANG W, et al. MapReduce-based parallelization model for firewall policy conflict detecting and resolving [J]. Computer Science, 2013, 40(3): 50-54. (肖淇, 秦云川, 阳王东, 等. 一种基于MapReduce的防火墙策略冲突并行化检测及消解模型[J]. 计算机科学, 2013, 40(3): 50-54.)
[11] BASILE C, CAPPADONIA A, LIOY A. Network-level access control policy analysis and transformation[J]. IEEE/ACM Transactions on Networks, 2012, 20(4): 985-998.
[12] O'SULLIVAN B, GOERZEN J, STEWART D. Real world Haskell[M]. Sebastopol: O'Reilly Media, 2008: 71-76.
[13] The FreeBSD Documentation. FreeBSD handbook[EB/OL].[2015-04-28]. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/.
[14] ANDEREASSON O. Iptables tutorial[EB/OL]. [2015-04-28].https://www.frozentux.net/documents/iptables-tutorial/.
[15] YIN Y, KATAYAMA Y, TAKAHASHI N. Detection of conflicts caused by a combination of filters based on spatial relationships[J].Journal of Information Processing, 2008, 49(9): 3121-3135.
[16] The Snort Project. Snort users manual 2.9.7[EB/OL]. [2015-04-28]. http://manual.snort.org/
[17] OREBAUGH A, BILES S, BABBIN J. Snort cookbook[M]. Sebastopol: O'Reilly Media, 2005: 90-120.

防火墙规则间包含关系的解析方法

Analysis method of inclusion relations between firewall rules

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	王月, 江逸茗, 兰巨龙. 基于改进三元组网络和K近邻算法的入侵检测[J]. 计算机应用, 2021, 41(7): 1996-2002.
[2]	张全龙, 王怀彬. 基于膨胀卷积和门控循环单元组合的入侵检测模型[J]. 计算机应用, 2021, 41(5): 1372-1377.
[3]	唐延强, 李成海, 宋亚飞. 基于改进粒子群优化和极限学习机的网络安全态势预测[J]. 计算机应用, 2021, 41(3): 768-773.
[4]	杭梦鑫, 陈伟, 张仁杰. 基于改进的一维卷积神经网络的异常流量检测[J]. 计算机应用, 2021, 41(2): 433-440.
[5]	池亚平, 莫崇维, 杨垠坦, 陈纯霞. 面向软件定义网络架构的入侵检测模型设计与实现[J]. 计算机应用, 2020, 40(1): 116-122.
[6]	王佳欣, 冯毅, 由睿. 基于依赖关系图和通用漏洞评分系统的网络安全度量[J]. 计算机应用, 2019, 39(6): 1719-1727.
[7]	杜俊雄, 陈伟, 李雪妍. 基于物联网设备指纹的情境认证方法[J]. 计算机应用, 2019, 39(2): 464-469.
[8]	郭方方, 潮洛蒙, 朱建文. 基于相似连接的多源数据并行预处理方法[J]. 计算机应用, 2019, 39(1): 57-60.
[9]	王孝龙, 刘勤让, 林森杰, 黄雅静. 基于独立规则集位提取的包分类压缩方法[J]. 计算机应用, 2018, 38(8): 2375-2380.
[10]	张传浩, 谷学汇, 孟彩霞. 基于软件定义网络的反嗅探攻击方法[J]. 计算机应用, 2018, 38(11): 3258-3262.
[11]	孙文君, 苏旸, 曹镇. 非对称信息条件下APT攻防博弈模型[J]. 计算机应用, 2017, 37(9): 2557-2562.
[12]	谢丽霞, 王志华. 基于布谷鸟搜索优化BP神经网络的网络安全态势评估方法[J]. 计算机应用, 2017, 37(7): 1926-1930.
[13]	李方伟, 李骐, 朱江. 改进的基于隐马尔可夫模型的态势评估方法[J]. 计算机应用, 2017, 37(5): 1331-1334.
[14]	赵冬梅, 李红. 基于并行约简的网络安全态势要素提取方法[J]. 计算机应用, 2017, 37(4): 1008-1013.
[15]	朱江, 明月, 王森. 基于深度自编码网络的安全态势要素获取机制[J]. 计算机应用, 2017, 37(3): 771-776.