CN106603524A - Method for combining safety rules and intelligent device - Google Patents
- Publication number
- CN106603524A (CN201611131225.6A)
- Authority
- CN
- China
- Prior art keywords
- security rules
- processed
- security
- network firewall
- pending
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
This application proposes a method for merging security rules. At the start of a preset time period, the pending security rules of a network firewall are obtained and divided into categories according to their countermeasures, so that the pending security rules in each category have the same countermeasure. The pending security rules in each category are then divided into subcategories according to their address information, so that the source addresses or destination addresses of the pending security rules in a subcategory are contiguous. Finally, all pending security rules in a subcategory are merged into one feature security rule. Pending security rules that have the same countermeasure and contiguous addresses are thus merged into a single feature security rule, which greatly reduces the number of security rules in the network firewall, speeds up security rule matching and improves firewall performance.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method for merging security rules; the application also relates to a smart device.
Background
A network firewall is a network security system located between an internal network and an external network. It is an information security protection system that allows or restricts the passage of transmitted data according to specific security rules.
When making packet filtering decisions, a network firewall follows a set of security rules. These rules are stored in dedicated packet filtering tables, which are integrated into the Linux kernel. Within a packet filtering table, security rules are grouped into chains. The packet filtering system is a powerful tool for adding, editing and removing security rules; security rules can control whether other devices may connect to the device's ports, which IP addresses or network segments may access the device, and so on.
A security rule contains attributes and a countermeasure. The attributes comprise address information and rule details. Address information is the source address and destination address of a packet: the source address describes where the packet comes from and may be the address of a single device or a set of addresses; the destination address, similarly, describes where the packet is going. Rule details are the detailed information of the rule and describe the detailed characteristics of a packet. The countermeasure is the action to be taken when the information of a packet (message) matches the source address, destination address and rule details, for example blocking the packet, allowing the packet, or allowing it while sending a warning to the user.
When matching rules, a network firewall goes through the rule list in order from first to last. This is inefficient: when the rule list contains many rules, the matching rule is hard to find in time.
To speed up the matching of security rules by a network firewall, the prior art offers the following two methods:
(1) Method 1: based on analysis and simplification of security rule conflicts, useless rule entries are deleted automatically. When rules stand in a containing, contained, intersecting or conflicting relationship, they are tidied and simplified.
(2) Method 2: a multi-dimensional model and fast search are used to improve the firewall's performance in matching security rules.
In the course of implementing this application, the inventor found that the prior-art methods for speeding up firewall rule matching have at least the following problems:
(1) For Method 1, most security rules do not stand in a containing, contained, intersecting or conflicting relationship. The method can therefore merge and simplify only a small number of security rules, and reduces the number of rules only to a limited extent.
(2) For Method 2, the method is in essence an improvement of the search algorithm that makes lookup faster. It does not reduce the number of security rules, so lookup is still slow when the number of security rules is large.
How to effectively reduce the number of security rules, and thereby speed up rule matching and improve firewall performance, is therefore a technical problem that those skilled in the art urgently need to solve.
Summary of the invention
This application proposes a method for merging security rules, in order to reduce the number of security rules in a firewall system and thereby speed up security rule matching and improve firewall performance. The method is applied in a smart device that contains a network firewall, and comprises at least:
at the start of a preset time period, obtaining the pending security rules of the network firewall, and dividing them into categories according to their countermeasures, so that the pending security rules in each category have the same countermeasure;
dividing the pending security rules in a category into subcategories according to their address information, so that the source addresses or destination addresses of the pending security rules in a subcategory are contiguous;
merging all pending security rules in the subcategory into one feature security rule.
Preferably, after the pending security rules in the subcategory are merged into a feature security rule, the method further comprises:
obtaining, for each feature security rule, information about the traffic it hits;
sorting the feature security rules by the amount of traffic each one hits, from largest to smallest;
matching the feature security rules against the packets received by the network firewall in that sorted order.
Preferably, dividing the pending security rules of the network firewall into categories according to their countermeasures specifically comprises:
obtaining the countermeasure of each pending security rule of the network firewall;
placing the pending security rules of the network firewall that have the same countermeasure in the same category.
Preferably, dividing the pending security rules in a category into subcategories according to their address information specifically comprises:
obtaining the address information of each pending security rule in the category;
placing the pending security rules in the category whose source addresses or destination addresses are contiguous in the same subcategory.
Preferably, before the time period starts, the method further comprises:
receiving period setting information entered by the user;
setting the time period according to the period setting information.
Correspondingly, this application proposes a smart device that contains a network firewall and comprises at least:
a first classification module, which at the start of a preset time period obtains the pending security rules of the network firewall and divides them into categories according to their countermeasures, so that the pending security rules in each category have the same countermeasure;
a second classification module, which divides the pending security rules in a category into subcategories according to their address information, so that the source addresses or destination addresses of the pending security rules in a subcategory are contiguous;
a merging module, which merges all pending security rules in the subcategory into one feature security rule.
Preferably, the smart device further comprises:
an obtaining module, which obtains, for each feature security rule, information about the traffic it hits;
a sorting module, which sorts the feature security rules by the amount of traffic each one hits, from largest to smallest;
a matching module, which matches the feature security rules against the packets received by the network firewall in that sorted order.
Preferably, the first classification module is specifically configured to:
obtain the countermeasure of each pending security rule of the network firewall;
place the pending security rules of the network firewall that have the same countermeasure in the same category.
Preferably, the second classification module is specifically configured to:
obtain the address information of each pending security rule in the category;
place the pending security rules in the category whose source addresses or destination addresses are contiguous in the same subcategory.
Preferably, the smart device further comprises:
a receiving module, which receives period setting information entered by the user;
a setting module, which sets the time period according to the period setting information.
By applying the technical solution of this application, at the start of a preset time period the pending security rules of the network firewall are obtained and divided into categories according to their countermeasures, so that the pending security rules in each category have the same countermeasure; the pending security rules in each category are then divided into subcategories according to their address information, so that the source addresses or destination addresses of the pending security rules in a subcategory are contiguous; finally, all pending security rules in a subcategory are merged into one feature security rule. Pending security rules that have the same countermeasure and contiguous addresses are thus merged into a single feature security rule, which greatly reduces the number of security rules in the network firewall, speeds up security rule matching and improves firewall performance.
Description of the drawings
To explain the technical solution of this application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of this application; those of ordinary skill in the art can derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a method for merging security rules proposed in an embodiment of this application;
FIG. 2 is a schematic flowchart of a method for merging security rules proposed in a specific embodiment of this application;
FIG. 3 is a schematic structural diagram of a smart device proposed in a specific embodiment of this application.
Detailed description
As described in the Background, the prior art offers two methods for speeding up the matching of security rules by a network firewall. The first simplifies security rules based on containing, contained, intersecting and conflicting relationships between them. Because most rules do not stand in such relationships, this method can simplify the security rules only to a certain extent. The second uses a multi-dimensional model and fast search to make the firewall match security rules faster. It is in essence an improvement of the search algorithm and does nothing to reduce the number of security rules. The prior art therefore has no particularly effective way to reduce the number of security rules, so when the number of security rules is large, the network firewall matches them too slowly.
Therefore, to effectively reduce the number of security rules, and thereby speed up security rule matching and improve firewall performance, this application proposes a method for merging security rules. At the start of a preset time period, the pending security rules of the network firewall are obtained and divided into categories according to their countermeasures, so that the pending security rules in each category have the same countermeasure; the pending security rules in each category are then divided into subcategories according to their address information, so that the source addresses or destination addresses of the pending security rules in a subcategory are contiguous; finally, all pending security rules in a subcategory are merged into one feature security rule. Pending security rules that have the same countermeasure and contiguous addresses are thus merged into a single feature security rule, which greatly reduces the number of security rules in the network firewall, speeds up security rule matching and improves firewall performance.
FIG. 1 is a schematic flowchart of the method for merging security rules proposed by this application. The method is applied in a smart device that contains a network firewall, and the network firewall contains multiple pending security rules. A pending security rule is a security rule that has not yet been through the merging process. Specifically, the method comprises at least the following steps:
S101: at the start of a preset time period, obtain the pending security rules of the network firewall, and divide them into categories according to their countermeasures, so that the pending security rules in each category have the same countermeasure.
Pending security rules are the security rules in the network firewall that have not yet been merged. The embodiments of this application aim to reduce the number of security rules in the network firewall by classifying and merging the pending security rules. The classification and merging process is described in detail below.
One precondition for merging security rules is that the rules to be merged have the same countermeasure. The countermeasure of a security rule is the measure the network firewall takes (the action it performs) when the information of a packet matches the rule. Specifically, countermeasures include blocking the packet, allowing the packet, allowing it while sending a warning to the user, and so on.
In the embodiments of this application, the pending security rules of the network firewall are first divided into categories according to their countermeasures, so that pending security rules with the same countermeasure are in the same category. The pending security rules in each category are then processed further in turn.
In a preferred embodiment of this application, the division of the pending security rules of the network firewall into categories by countermeasure can be implemented by the following preferred scheme, which comprises the following steps:
(1) Obtain the countermeasures of the pending security rules of the network firewall;
The pending security rules of the network firewall are parsed in turn, and the countermeasures of all pending security rules of the network firewall are obtained from the parsing results.
(2) Place the pending security rules of the network firewall that have the same countermeasure in the same category.
After the countermeasures of all pending security rules of the network firewall have been obtained, the pending security rules with the same countermeasure are placed in the same category. This preferred scheme ensures that the pending security rules in each category have the same countermeasure, which provides an important basis for the merging of same-category security rules described below.
Note that the method disclosed above for dividing pending security rules into categories by countermeasure is only the preferred implementation proposed by this application. Based on the core idea of this application, those skilled in the art may use other methods of dividing pending security rules into categories by countermeasure, and this does not affect the scope of protection of this application.
In a preferred embodiment of this application, before the preset time period starts, the scheme of this application further comprises the following preferred steps:
(1) Receive period setting information entered by the user;
Because the security rules in a network firewall change dynamically, the pending security rules of the network firewall need to be tidied (classified and merged) periodically.
In a preferred embodiment of this application, before the preset time period starts, the period setting information entered by the user is received and parsed to obtain the period the user has set for tidying the pending security rules.
(2) Set the time period for tidying the pending security rules according to the period setting information entered by the user.
Once the time period for tidying the pending security rules has been obtained, the time period is set, so that the smart device tidies the pending security rules each time that period elapses.
S102: divide the pending security rules in each category into subcategories according to their address information, so that the source addresses or destination addresses of the pending security rules in each subcategory are contiguous.
Step S101 above divides the pending security rules into categories that share the same countermeasure. In the embodiments of this application, the pending security rules in each category are further divided into subcategories; the division process is described in detail below.
For the pending security rules of one category, the rules are further divided into subcategories according to the address information of each pending security rule in the category, so that pending security rules with contiguous source addresses or destination addresses are in the same subcategory. The pending security rules in each subcategory are then processed further in turn.
In a preferred embodiment of this application, the division of the pending security rules in each category by address information can be implemented by the following preferred scheme, which comprises the following steps:
(1) Obtain the address information of each pending security rule in the category.
The pending security rules in a category are parsed in turn, and the countermeasures of all pending security rules in the category are obtained from the parsing results.
(2) Place the pending security rules in the category whose source addresses or destination addresses are contiguous in the same subcategory.
After the countermeasures of all pending security rules in the category have been obtained, the pending security rules whose source addresses or destination addresses are contiguous are placed in the same subcategory. This preferred scheme ensures that the source addresses or destination addresses of the pending security rules in each subcategory are contiguous, which provides an important basis for the merging of same-subcategory security rules described below.
For example, if the pending security rules of a certain category are as shown in Table 1 below,
Table 1: Security rules of the specified category
then the result of dividing the pending security rules into subcategories by their address information, as proposed by this application, is as shown in Table 2 below:
Table 2: Subcategory division of the security rules of the specified category
As Table 2 shows, the source IP addresses of the pending security rules in each subcategory are contiguous.
Note that the method disclosed above for dividing pending security rules into subcategories by address information is only the preferred implementation proposed by this application. Based on the core idea of this application, those skilled in the art may use other methods of dividing pending security rules into subcategories by address information, and this does not affect the scope of protection of this application.
S103: merge all pending security rules in a subcategory into one feature security rule.
Step S102 above divides the pending security rules in each category into subcategories, and the source addresses or destination addresses of the pending security rules in each subcategory are contiguous. In the embodiments of this application, all pending security rules in a subcategory are further merged into one feature security rule, which reduces the number of security rules. The merging process is described in detail below.
Because the source addresses or destination addresses of the pending security rules in each subcategory are contiguous, a single address range can cover the source addresses or destination addresses of all pending security rules in the subcategory. For example, for subcategory 1 in Table 2, whose pending security rules have the source IP addresses 2.2.2.1, 2.2.2.2, 2.2.2.3 and 2.2.2.4, the address range "2.2.2.1~2.2.2.4" can be used as the source address of the subcategory's feature security rule. The countermeasure of the subcategory's feature security rule is the same as the countermeasure of the subcategory's pending security rules. After this merging, pending security rules that have the same countermeasure and contiguous addresses are merged into feature security rules, which greatly reduces the number of security rules in the network firewall, speeds up security rule matching and improves firewall performance.
In a preferred embodiment of the present application, the following preferred steps may also be performed after step S103:
(1) Obtain information about the traffic hit by each feature security rule.
After the pending security rules in each subcategory have been merged into feature security rules, information about the traffic hit by each feature security rule is obtained. The amounts of traffic hit by the feature security rules are then compared.
(2) Sort the feature security rules by the amount of traffic each one hits, from largest to smallest.
(3) Match the feature security rules against the packets received by the network firewall in the sorted order.
In a preferred embodiment of the present application, when the network firewall receives a packet, it matches the feature security rules against that packet one by one in the sorted order. When packets are matched in this order, packets that belong to higher-traffic rules are matched sooner, so the network firewall handles high-traffic packets preferentially. This prevents high-traffic packets from lingering at the firewall and degrading its performance.
As the description of the above embodiments shows, applying the technical solution of the present application works as follows. At the start of a preset time period, the pending security rules of the network firewall are obtained and divided into categories according to their countermeasures, so that the pending security rules in each category share the same countermeasure. The pending security rules in each category are then divided into subcategories according to their address information, so that the source addresses or destination addresses of the pending security rules in a subcategory are contiguous. Finally, all pending security rules in a subcategory are merged into one feature security rule. Pending security rules that share a countermeasure and have contiguous addresses are thus merged into one feature security rule, which greatly reduces the number of security rules in the network firewall, speeds up security rule matching and improves firewall performance.
To further explain the technical idea of the present invention, its technical solution is now described with reference to a specific implementation flow.
FIG. 2 is a schematic flow diagram of a method for merging security rules proposed in a specific embodiment of the present application. As the figure shows, the method includes the following steps:
S201: start a periodic timer.
The timer period can be modified; a configuration item is provided so that users can adjust it to the actual scenario.
S202: scan the system security rules.
Scan the system security rules and load all lists so far into memory.
S203: divide the scanned security rules into categories according to their countermeasures, and store the result in a first-level cache.
S204: divide the security rules in each category into subcategories according to their address information, and store the result in a second-level cache.
S205: merge the security rules in each subcategory into a special security rule, obtain the amount of traffic hit by each special security rule, and store the merged result in a third-level cache.
S206: sort the special security rules by traffic from largest to smallest, and fork (write) the sorted result into the kernel of the firewall system.
Executing the above steps greatly reduces the number of security rules, and packets with larger traffic volumes are matched sooner, which greatly improves the performance of the firewall.
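The flow S202 to S206 as an added Python sketch (not code from the patent). It assumes each rule is just a source IPv4 address plus a countermeasure, takes hit counts from a constructed list of packet sources, and adds `conflicting_overlaps`, a check that goes beyond the patent's text: it flags overlapping ranges with different countermeasures, where traffic-based reordering would change first-match results.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rules: (source IPv4 address, countermeasure). The four
# "deny" addresses 2.2.2.1-2.2.2.4 mirror subcategory 1; the rest are made up.
RULES = [
    ("2.2.2.3", "deny"), ("2.2.2.1", "deny"), ("2.2.2.2", "deny"),
    ("2.2.2.4", "deny"), ("2.2.2.9", "deny"), ("2.2.2.2", "deny"),
    ("2.2.2.5", "permit"), ("2.2.2.6", "permit"),
    ("10.0.0.255", "permit"), ("10.0.1.0", "permit"),
]
# Constructed packet source addresses observed during one timer period.
PACKETS = ["2.2.2.5", "2.2.2.6", "2.2.2.5", "2.2.2.2", "10.0.1.0",
           "2.2.2.6", "192.0.2.7"]


def merge_rules(rules):
    """S203-S205: return merged rules as (first, last, action) integer ranges."""
    by_action = defaultdict(set)            # S203: one category per countermeasure
    for src, action in rules:
        by_action[action].add(int(ipaddress.IPv4Address(src)))
    merged = []
    for action, addrs in by_action.items():
        first = last = None
        for addr in sorted(addrs):          # S204: consecutive run = subcategory
            if last is not None and addr == last + 1:
                last = addr                 # still contiguous, extend the run
                continue
            if first is not None:
                merged.append((first, last, action))   # S205: run -> one rule
            first = last = addr
        if first is not None:
            merged.append((first, last, action))
    return sorted(merged)


def order_by_hits(merged, packet_sources):
    """S206: count packets per merged rule, then sort by hits, largest first."""
    hits = {rule: 0 for rule in merged}
    for src in packet_sources:
        addr = int(ipaddress.IPv4Address(src))
        for rule in merged:
            if rule[0] <= addr <= rule[1]:
                hits[rule] += 1
                break
    return sorted(merged, key=lambda r: hits[r], reverse=True), hits


def conflicting_overlaps(merged):
    """Assumption beyond the patent: ranges with different countermeasures that
    overlap make first-match results depend on order, so reordering is unsafe."""
    return [(a, b) for i, a in enumerate(merged) for b in merged[i + 1:]
            if a[2] != b[2] and a[0] <= b[1] and b[0] <= a[1]]


def fmt(rule):
    """Render a merged rule in the page's "first~last" range notation."""
    first, last, action = rule
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return f"{lo} {action}" if first == last else f"{lo}~{hi} {action}"


if __name__ == "__main__":
    merged = merge_rules(RULES)
    ordered, hits = order_by_hits(merged, PACKETS)
    print(f"{len(RULES)} rules merged into {len(merged)}")
    for rule in ordered:
        print(f"{fmt(rule):32} hits={hits[rule]}")
    print("order-sensitive overlaps:", conflicting_overlaps(merged))
```

Note that 10.0.0.255 and 10.0.1.0 merge into one range because contiguity is checked on the 32-bit address value, not on the dotted-quad text.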
As the description of the above specific embodiment shows, applying the technical solution of the present application works as follows. At the start of a preset time period, the pending security rules of the network firewall are obtained and divided into categories according to their countermeasures, so that the pending security rules in each category share the same countermeasure. The pending security rules in each category are then divided into subcategories according to their address information, so that the source addresses or destination addresses of the pending security rules in a subcategory are contiguous. Finally, all pending security rules in a subcategory are merged into one feature security rule. Pending security rules that share a countermeasure and have contiguous addresses are thus merged into one feature security rule, which greatly reduces the number of security rules in the network firewall, speeds up security rule matching and improves firewall performance.
To achieve the above technical objective, as shown in FIG. 3, the present application proposes a smart device that contains a network firewall. The smart device includes at least:
a first classification module 301, which, at the start of a preset time period, obtains the pending security rules of the network firewall and divides them into categories according to their countermeasures, so that the pending security rules in each category share the same countermeasure;
a second classification module 302, which divides the pending security rules in a category into subcategories according to their address information, so that the source addresses or destination addresses of the pending security rules in a subcategory are contiguous;
a merging module 303, which merges all pending security rules in a subcategory into one feature security rule.
In a specific application scenario, the smart device further includes:
an acquisition module, which obtains information about the traffic hit by each feature security rule;
a sorting module, which sorts the feature security rules by the amount of traffic each one hits, from largest to smallest;
a matching module, which matches the feature security rules against the packets received by the network firewall in the sorted order.
In a specific application scenario, the first classification module is specifically configured to:
obtain the countermeasure of each pending security rule of the network firewall;
place the pending security rules of the network firewall that have the same countermeasure into the same category.
In a specific application scenario, the second classification module is specifically configured to:
obtain the address information of each pending security rule in the category;
place the pending security rules in the category whose source addresses or destination addresses are contiguous into the same subcategory.
In a specific application scenario, the smart device further includes:
a receiving module, which receives period setting information entered by the user;
a setting module, which sets the time period according to the period setting information.
As the description of the above device shows, applying the technical solution of the present application works as follows. At the start of a preset time period, the pending security rules of the network firewall are obtained and divided into categories according to their countermeasures, so that the pending security rules in each category share the same countermeasure. The pending security rules in each category are then divided into subcategories according to their address information, so that the source addresses or destination addresses of the pending security rules in a subcategory are contiguous. Finally, all pending security rules in a subcategory are merged into one feature security rule. Pending security rules that share a countermeasure and have contiguous addresses are thus merged into one feature security rule, which greatly reduces the number of security rules in the network firewall, speeds up security rule matching and improves firewall performance.
Finally, it should be noted that the above embodiments only illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in those embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope defined by the claims of the present invention.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented in hardware, or in software together with a necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention can be embodied as a software product, which can be stored on a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a removable hard disk) and which includes a number of instructions that cause a computer device (such as a personal computer, a server or a network device) to execute the methods described in the implementation scenarios of the present invention.
Those skilled in the art will understand that the accompanying drawings are only schematic diagrams of a preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will understand that the modules of the devices in an implementation scenario may be distributed among the devices as described for that scenario, or may be changed accordingly and located in one or more devices different from those of the scenario. The modules of the above implementation scenarios may be combined into one module or further split into multiple submodules.
The serial numbers used above are for description only and do not indicate the relative merits of the implementation scenarios.
The above discloses only a few specific implementation scenarios of the present invention. The present invention is not limited to them, and any variation that a person skilled in the art can conceive of shall fall within the protection scope of the present invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611131225.6A CN106603524A (en) | 2016-12-09 | 2016-12-09 | Method for combining safety rules and intelligent device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN106603524A true CN106603524A (en) | 2017-04-26 |
Family
ID=58598545
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201611131225.6A Pending CN106603524A (en) | 2016-12-09 | 2016-12-09 | Method for combining safety rules and intelligent device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20170426 |