基于时间的多层防火墙访问控制列表策略审计方案

doi:10.11772/j.issn.1001-9081.2017.01.0212

计算机应用 ›› 2017, Vol. 37 ›› Issue (1): 212-216.DOI: 10.11772/j.issn.1001-9081.2017.01.0212

基于时间的多层防火墙访问控制列表策略审计方案

王旭东¹, 陈清萍¹, 李文², 张信明²

1. 国家电网安徽省电力公司, 合肥 230061;
2. 中国科学技术大学计算机科学与技术学院, 合肥 230027

收稿日期:2016-06-22 修回日期:2016-08-06 出版日期:2017-01-10 发布日期:2017-01-09
通讯作者: 张信明
作者简介:王旭东(1966-),男,安徽霍山人,高级工程师,主要研究方向:信息安全、电力信息网络;陈清萍(1974-),女,安徽芜湖人,高级工程师,硕士,主要研究方向:信息安全、电力信息网络;李文(1991-),男,安徽安庆人,硕士研究生,主要研究方向:无线网络、智能电网;张信明(1964-),男,安徽天长人,教授,博士,CCF高级会员,主要研究方向:无线网络、智能电网。
基金资助:
国家自然科学基金资助项目（61672485，61379130）。

Time-based strategy audit scheme of access control list in multi-layer firewall

WANG Xudong¹, CHEN Qingping¹, LI Wen², ZHANG Xinming²

1. Anhui Electric Power Company, State Grid, Hefei Anhui 230061, China;
2. School of Computer Science and Technology, University of Science and Technology of China, Hefei Anhui 230027, China

Received:2016-06-22 Revised:2016-08-06 Online:2017-01-10 Published:2017-01-09
Supported by:
This work is partially supported by the National Natural Science Foundation of China (61672485, 61379130).

摘要/Abstract

摘要： 针对多层防火墙中的访问控制列表（ACL）策略审计问题，基于时间分析了单个防火墙间及多层防火墙间的策略异常，并根据防火墙之间的拓扑结构提出了一种基于树结构的回溯异常检测算法（ADBA）。首先，解析各个防火墙ACL策略，统一数据格式到数据库；然后，根据防火墙间的拓扑建立树状结构并检测单个防火墙内的策略异常；最后，ADBA利用数据库中的数据与树结构进行异常检测并记录异常策略。实验结果表明，ADBA与基于半同构标记防火墙决策图（SMFDD）算法相比，ADBA的检测时间比SMFDD算法减少了28.01%，同时参考时间因素相比SMFDD算法，ADBA能够减少异常检测的误判。故ADBA能有效实施于多层防火墙的ACL策略审计，提高异常检测的精确性并减少异常检测时间。

关键词: 多层防火墙, 防火墙规则, 异常检测, 访问控制列表审计

Abstract: To solve the Access Control List (ACL) strategic audit problem in multi-layer firewalls, the policy anomalies in single firewall and between multi-layer firewalls were analyzed based on time. Then the Anomaly Detection based on Backtracking Algorithm (ADBA) was proposed by constructing the tree structure according to the topology of firewalls. First, the ACL policy of each firewall was analyzed and the data format was unified to the database. Second, the tree structure of firewall was built based on the topology of the firewall and the anomaly would be detected in a single firewall. Finally, the data in the database and the tree structure was used in ADBA to detect and record the abnormal strategy. The experimental results show that compared with the Semi-isomorphic Marked Firewall Decision Diagram (SMFDD) algorithm, the proposed ADBA can reduce the execution time of anomaly detection by 28.01% and reduce the miscalculation of anomaly detection according to the time factor. The ADBA can be implemented effectively at multi-layer firewalls ACL audit to improve detection accuracy and reduce detection time.

Key words: multi-layer firewall, firewall rule, anomaly detection, Access Control List (ACL) audit

中图分类号:

TP393.08

王旭东, 陈清萍, 李文, 张信明. 基于时间的多层防火墙访问控制列表策略审计方案[J]. 计算机应用, 2017, 37(1): 212-216.

WANG Xudong, CHEN Qingping, LI Wen, ZHANG Xinming. Time-based strategy audit scheme of access control list in multi-layer firewall[J]. Journal of Computer Applications, 2017, 37(1): 212-216.

参考文献

[1] RUBIN A D, GEER D, RANUM M J. Web Security Sourcebook[M]. New York:John Wiley & Sons, 1997:14-15.
[2] YOON M K, CHEN S, ZHANG Z. Minimizing the maximum firewall rule set in a network with multiple firewalls[J]. IEEE Transactions on Computers, 2009, 59(2):218-230.
[3] 张昭理,洪帆,肖海军.一种防火墙规则冲突检测算法[J].计算机工程与应用,2007,43(15):111-113.(ZHANG S L, HONG F, XIAO H J. Firewall rule conflict discovery algorithm[J]. Computer Engineering and Applications, 2007, 43(15):111-113.)
[4] 殷奕,汪芸.防火墙规则间包含关系的解析方法[J].计算机应用,2015,35(11):3083-3086,3101.(YIN Y, WANG Y. Analysis method of inclusion relations between firewall rules[J]. Journal of Computer Applications, 2015, 35(11):3083-3086,3101.)
[5] 唐晔.一种基于规则分解映射的防火墙规则匹配算法[J].计算机应用,2009,29(11):2969-2971,2976.(TANG Y. Rule matching mapping algorithm for firewall based on rule decomposion mapping[J]. Journal of Computer Applications, 2009, 29(11):2969-2971,2976.)
[6] 施荣华,莫锐,赵文涛.一种基于冲突检测的无关联规则集匹配算法[J].计算机工程与科学,2010,32(10):1-4.(SHI R H, MO R, ZHAO W T. An irrelative rule set match algorithm based on collision detection[J]. Computer Engineering and Science, 2010, 32(10):1-4.)
[7] 卢云龙,罗守山,郭玉鹏.基于改进策略树的防火墙策略审计方案设计与实现[J].信息网络安全,2014(10):64-69.(LU Y L, LUO S S, GUO Y P. The design and implementation of firewall policy audit plan based on improved strategy tree[J]. Netinfo Security, 2014(10):64-69.)
[8] LIU A X. Formal verification of firewall policies[C]//Proceedings of the 2008 IEEE International Conference on Communications. Piscataway, NJ:IEEE, 2008:1494-1498.
[9] KAROUI K, FTIMA F B, GHEZALA H B. Firewalls anomalies severity evaluation and classification[J]. International Journal of Security & Networks, 2014, 9(3):167-176.
[10] LIAO X J, WANG Y, LU H. Rule anomalies detection in firewalls[J]. Key Engineering Materials, 2011, 474/475/476:822-827.(无期)
[11] ALSHAER E S, HAMED H H. Discovery of policy anomalies in distributed firewalls[C]//Proceedings of the 2004 IEEE International Conference on Computer Communications, Piscataway, NJ:IEEE, 2004:2605-2616.
[12] 张丽.分布式防火墙策略异常检测算法的研究[D].南京:南京理工大学,2007:44-48.(ZHANG L. The research on distributed firewall policy anomaly detection algorithm[D]. Nanjing:Nanjing University of Science and Technology, 2007:44-48.)
[13] 吴军,邓宝龙,邵定宏.基于SMFDD实现分布式防火墙异常规则检测及优化[J].计算机工程与设计,2014,35(11):3741-3746.(WU J, DENG B L, SHAO D H. Anomaly detection and optimization of distributed firewall rules based on SMFDD[J]. Computer Engineering and Design, 2014, 35(11):3741-3746.)
[14] THANASEGARAN S, TATEIWA Y, KATAYAMA Y, et al. Design and implementation of conflict detection system for time-based firewall policies[J]. Journal of Next Generation Information Technology, 2011, 2(4):24-39.
[15] CHEN F, LIU A X, HWANG J, et al. First step towards automatic correction of firewall policy faults[J]. ACM Transactions on Autonomous & Adaptive Systems, 2011, 7(2):439-447.

基于时间的多层防火墙访问控制列表策略审计方案

Time-based strategy audit scheme of access control list in multi-layer firewall

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	孟凡, 陈广, 王勇, 高阳, 高德群, 贾文龙. 基于多粒度时序结构表示的异常检测算法在储层含油性检测中应用[J]. 计算机应用, 2021, 41(8): 2453-2459.
[2]	胡天杰, 胡文军, 王士同. 分布熵惩罚的支持向量数据描述[J]. 计算机应用, 2021, 41(8): 2212-2218.
[3]	谢雨, 蒋瑜, 龙超奇. 基于随机子空间的扩展隔离林算法[J]. 计算机应用, 2021, 41(6): 1679-1685.
[4]	李衍志, 范勇, 高琳. 基于形态流的石油钻井水流异常检测[J]. 计算机应用, 2021, 41(6): 1842-1848.
[5]	姚杰, 程春玲, 韩静, 刘峥. 云工作流中基于多任务时序卷积网络的异常检测方法[J]. 计算机应用, 2021, 41(6): 1701-1708.
[6]	张晨曦, 唐曙, 唐珂. 迁移学习下的火箭发动机参数异常检测策略[J]. 计算机应用, 2020, 40(9): 2774-2780.
[7]	王磊. 改进粗糙集属性约简结合K-means聚类的网络入侵检测方法[J]. 计算机应用, 2020, 40(7): 1996-2002.
[8]	胡珉, 白雪, 徐伟, 吴秉键. 多维时间序列异常检测算法综述[J]. 计算机应用, 2020, 40(6): 1553-1564.
[9]	霍纬纲, 王慧芳. 基于自编码器和隐马尔可夫模型的时间序列异常检测方法[J]. 计算机应用, 2020, 40(5): 1329-1334.
[10]	仇媛, 常相茂, 仇倩, 彭程, 苏善婷. 基于长短期记忆网络和滑动窗口的流数据异常检测方法[J]. 计算机应用, 2020, 40(5): 1335-1339.
[11]	夏彬, 白宇轩, 殷俊杰. 基于生成对抗网络的系统日志级异常检测算法[J]. 计算机应用, 2020, 40(10): 2960-2966.
[12]	陶涛, 周喜, 马博, 赵凡. 基于双向LSTM的Seq2Seq模型在加油站时序数据异常检测中的应用[J]. 计算机应用, 2019, 39(3): 924-929.
[13]	王伟, 谢耀滨, 尹青. 针对不平衡数据的决策树改进方法[J]. 计算机应用, 2019, 39(3): 623-628.
[14]	刘子豪, 李凌, 叶枫. 基于SparkR的水文传感器数据的异常检测方法[J]. 计算机应用, 2019, 39(2): 436-440.
[15]	丁景全, 马博, 李晓. 基于融合时空数据的车辆加油行为多视图深度异常检测框架[J]. 计算机应用, 2019, 39(11): 3370-3375.