CN109150816A - A kind of firewall rule sets under discrimination dynamic optimization method based on pile structure - Google Patents
A kind of firewall rule sets under discrimination dynamic optimization method based on pile structure Download PDFInfo
- Publication number
- CN109150816A CN109150816A CN201710750090.XA CN201710750090A CN109150816A CN 109150816 A CN109150816 A CN 109150816A CN 201710750090 A CN201710750090 A CN 201710750090A CN 109150816 A CN109150816 A CN 109150816A
- Authority
- CN
- China
- Prior art keywords
- rule
- pile structure
- rickle
- priority
- algorithm
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000005457 optimization Methods 0.000 title claims abstract description 65
- 238000000034 method Methods 0.000 title claims abstract description 24
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 105
- 230000001105 regulatory effect Effects 0.000 claims description 5
- 230000009467 reduction Effects 0.000 claims description 4
- 239000012141 concentrate Substances 0.000 claims description 3
- 238000010276 construction Methods 0.000 claims description 3
- 101100366707 Arabidopsis thaliana SSL11 gene Proteins 0.000 claims description 2
- 101100366710 Arabidopsis thaliana SSL12 gene Proteins 0.000 claims description 2
- 101100366711 Arabidopsis thaliana SSL13 gene Proteins 0.000 claims description 2
- 101100366561 Panax ginseng SS11 gene Proteins 0.000 claims description 2
- 101100366562 Panax ginseng SS12 gene Proteins 0.000 claims description 2
- 101100366563 Panax ginseng SS13 gene Proteins 0.000 claims description 2
- 230000004075 alteration Effects 0.000 claims description 2
- 238000007619 statistical method Methods 0.000 abstract description 26
- 238000004364 calculation method Methods 0.000 abstract description 6
- 230000008859 change Effects 0.000 abstract description 6
- 230000000694 effects Effects 0.000 abstract description 3
- 238000012913 prioritisation Methods 0.000 abstract description 2
- 238000002474 experimental method Methods 0.000 description 17
- 238000011160 research Methods 0.000 description 8
- 238000004088 simulation Methods 0.000 description 6
- 238000012803 optimization experiment Methods 0.000 description 5
- 238000012360 testing method Methods 0.000 description 3
- 230000007547 defect Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000015572 biosynthetic process Effects 0.000 description 1
- 238000010835 comparative analysis Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011156 evaluation Methods 0.000 description 1
- 206010022000 influenza Diseases 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- 238000003786 synthesis reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
Landscapes
- Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a kind of firewall rule sets under discrimination dynamic optimization method based on pile structure, which is characterized in that specifically include: step SS1: constructing the tectonic model of pile structure, and the tectonic model of the pile structure includes most rickle, single linked list;Step SS2: propose that the dynamic adjustment algorithm of pile structure, the dynamic adjustment algorithm include most rickle adjustment algorithm, pile structure adjustment algorithm.Advantageous effects of the invention: compared with existing statistical analysis technique, the invention proposes a kind of firewall rule sets under discrimination dynamic optimization algorithm based on pile structure, it is analyzed by the correlation properties to network packet, three formula of priority calculating are proposed, for realizing the quick calculating of rule prioritization.Simultaneously according to three calculation formula, a kind of efficient adjustment algorithm is proposed, so that firewall rule sets under discrimination is able to achieve the change of high efficient and reliable, reduces the hit-count of firewall rule sets under discrimination.
Description
Technical field
The present invention relates to a kind of firewall rule sets under discrimination dynamic optimization method based on pile structure, it is excellent to belong to firewall rule sets under discrimination
Change technical field.
Background technique
Firewall rule has determined the sequence of its rule match when it is added in rule set, afterwards
It in rule match, modifies except unartificial, otherwise its matching order is fixed and invariable.This design pattern of firewall is big
It affects greatly, operational efficiency when rule match.
Original firewall rule sets under discrimination matching order is that from top to bottom, in the research of this chapter, we dynamically adjust anti-
Rule ordering in wall with flues rule set, so that the regular upper end for being in rule set in sequence that priority is high.
Statistical analysis algorithms are at present about a kind of method common in firewall rule sets under discrimination dynamic studies.In pertinent literature
In describe in detail statistical analysis firewall rule optimization in application, propose it is a kind of measure firewall rate matched finger
Mark, the index are designated as average rule match number, and algorithmic formula is as follows:
Wherein W indicates the Mean match number of rule, piIndicate the probability that the i-th rule is hit.W is firewall work
The evaluation criterion of performance, the rule low for priority undoubtedly increases matched number in firewall matching, to reduce
The hit efficiency of firewall.It is found simultaneously from above-mentioned formula, if regular number is more, the value of W will be bigger, it is therefore desirable to unite
Parser is counted to realize the dynamic adjustment of firewall rule sets under discrimination, to improve the hit efficiency of firewall.
Summary of the invention
The present invention is directed to the firewall rule sets under discrimination of screen data packet, proposes a kind of rule set dynamic based on pile structure
Optimization method.The present invention is directed to three kinds of features of network packet, proposes three kinds of algorithmic formulas, is that first hit is public respectively
Formula, priority increase formula and priority reduces formula.Three kinds of algorithmic formulas change the priority of firewall rule in real time, make
Obtain priority adjustment algorithm high efficient and reliable.
In the firewall rule sets under discrimination dynamic studies based on statistical analysis, the calculation method of firewall rule priority exists
One defect, when hitting same rule if there is continuous data packet, need to be exceedingly fast adjusts the priority of this rule, this
Caused by defect is derived from the inadequate natural endowment of statistical analysis, statistical analysis is the process that a quantitative change causes qualitative change, but real-time
Firewall research in it is desirable that efficient adjustment algorithm, therefore the research emphasis of this algorithm is how efficiently to adjust fire prevention
Wall rule set.
The characteristics of according to the network packet proposed in pertinent literature:
(1) data flow with 10 or more messages accounts for the 70% of network traffic data;
(2) the 60% of network data flow is accounted for from beginning message to the data flow that the time of end message is 10 seconds or more;
(3) if the free time of a data flow is greater than 60 seconds, this data flow will not have subsequent packet.
Thus it is concluded that
(1) it after firewall rule is hit for the first time, has 70% probability and is hit 10 times or more;
(2) 60% firewall rule hits the hit time primary to the end from first time can be greater than 10 seconds;
(3) it if a rule is not hit within the time greater than 60 seconds, will not will not ordered in a short time
In.
Due to the matching way (being matched since the first rule) of firewall rule sets under discrimination, in order to reduce the hit time of rule
Number, it is therefore desirable to calculating acquire it is N number of most can often be hit rule, while needing ceaselessly to modify to this N number of rule.
Based on above-mentioned thought, simultaneously because firewall, in large enterprise's firewall, the number of firewall rule is into hundred
Thousands of, therefore the quasi- sequence for intending to realize this rule using pile structure of the present invention.
The present invention adopts the following technical scheme: a kind of firewall rule sets under discrimination dynamic optimization method based on pile structure, special
Sign is, specifically includes: step SS1: construct the tectonic model of pile structure, the tectonic model of the pile structure include most rickle,
Single linked list;Step SS2: propose that the dynamic adjustment algorithm of pile structure, the dynamic adjustment algorithm include most rickle adjustment algorithm, heap
Structural adjustment algorithm.
As a kind of preferred embodiment, the construction method of the tectonic model of the pile structure in the step SS1 includes such as
Lower step:
Step SS11: creation root node Root creates minimum heap pointer Heap and chain table pointer Link for root node Root,
It is respectively directed to most rickle heap top and single-stranded meter pointer;
Step SS12: creation most rickle Heap, since the property of heap causes it to be realized using array, creation length
Degree is the one-dimension array a [N] of N, and the arbitrary node in array needs to meet the property of most rickle: a [i]≤a [2i+1] [i]
≤ a [2i+2], wherein 2i+2≤N, concentrates the maximum N number of rule of priority to store firewall rule;
Step SS13: creation single linked list Link, remaining rule is concentrated to store firewall rule, regular storage is suitable
Sequence concentrates the sequence of rule to be stored according to firewall rule, the last one pointer of chained list is directed toward null pointer.
As a kind of preferred embodiment, the most rickle adjustment algorithm in the step SS2 is specifically included: for most rickle
Part since most rickle heap is complete binary tree, while using array representation complete binary tree, then for element in array, rule
Determine the left subtree that a [i+1] is a [i], a [i+2] is the right subtree of a [i], then most rickle adjustment algorithm uses recursive algorithm, is calculated
Method process is as follows:
(1) i=N/2, size=N are enabled;
(2) max=i is enabled, if i < N/2, carries out (2) step, otherwise i--, and jump back to (1) step;
(3) if 2i+1 < size, and a [i+2] < a [max], then max=2i+1, if 2i+2 < size, and a
[i+2] < a [max], then max=2i+2;
(4) if max ≠ i, a [i] and a [max] are exchanged, i=max, and (3) step is repeated, if max=i,
i--;
(5) if i > 0, repeatedly (2) step, otherwise terminates;
When traversing the pile structure using firewall, when being traversed for the rule in most rickle, using priority height
Rule better than the low rule of priority, therefore, it is necessary to construct the one-dimension array b [N] that a length is N, according to priority height is suitable
Sequence stores most rickle a [N], and a [N] is assigned to b [N], and b [N] uses quicksort, obtains the number of a priority from big to small
Group.
As a kind of preferred embodiment, the pile structure adjustment algorithm in the step SS2 specifically comprises the following steps:
Step SS21: heap model initialization algorithm is executed;
Step SS22: it executes pile structure and recycles adjustment algorithm;
Step SS23: data packet matched algorithm is executed.
As a kind of preferred embodiment, the heap model initialization algorithm in the step SS21 is specifically included: setting
The range for determining firewall rule priority is [1,100], then enables N < 100, will wherein N number of rule according to sequence original in rule set
It then takes out, in deposit a [N], by remaining rule by original sequence carry on single linked list Link;It sets regular excellent in a [N]
First grade is all 2, is both the priority array b [N] for constructing most rickle a [N];Set the priority of strictly all rules in single linked list Link
It is 1.
As a kind of preferred embodiment, the pile structure circulation adjustment algorithm in the step SS22 includes following step
It is rapid:
Step SS221: Δ T is set1To be hit nearest time, Δ T for the first time2It is hit for the last time nearest
Time, loop through each regular (including the rule in most rickle and single linked list) in above-mentioned pile structure, count each rules and regulations
Δ T then1With Δ T2;
Step SS222: if Δ T2< 60 and Δ T1-ΔT2> 10, and rule is rule in most rickle, then needs according to excellent
First grade improves algorithm and proposes the priority of rule, and jumps to step SS224;
Step SS223: if Δ T2>=60, and rule is rule in most rickle, then taking priority to reduce algorithm reduces
Its priority, and jump to step SS224;
Step SS224: adjusting minimum pile structure, traverses each rule in the single linked list Link in pile structure, respectively with
Most rickle heap top element is compared, and if it is greater than most rickle heap top element, then exchanges two elements, while according to most rickle tune
Whole algorithm adjusts most rickle, repeats step SS221.
As a kind of preferred embodiment, it includes: to set Δ that the priority, which improves algorithm and priority reduction algorithm,
T1To be hit nearest time, Δ T for the first time2It is hit the nearest time for the last time, if Δ T2>=60, then it advises
Priority then reduces algorithmic formula are as follows:
Wherein Mi'≥1;
If Δ T2< 60 and Δ T1-ΔT2> 10, then regular priority improves algorithmic formula are as follows:
Wherein Mi'≤100;
Wherein β is regulatory factor, sets β=0.6.
As a kind of preferred embodiment, the data packet matched algorithm in the step SS23 specifically includes following step
It is rapid:
Step SS231: using rule match network packet in pile structure, alteration ruler is hit the time recently, if
It is regular to be hit for the first time, and rule is rule on single linked list, then needs to be calculated using first hit formula, first hit is public
Formula is as follows:
Wherein Mi'≤100;
Wherein Mi' for adjustment after the i-th rule priority, MiFor the priority of former i-th rule, MminFor in most rickle
The value of the minimum rule of priority, ρ is regulatory factor, and set ρ is 0.7, and the priority of reduction most rickle heap top element is Mi- 1, together
When by regular RiIt is interchangeable with heap top element, adjusts the sequence in most rickle;
Step SS232: the priority for reducing most rickle heap top element is Mi- 1, at the same by this rule and heap top element into
Row exchanges, and adjusts the sequence in most rickle, repeats step SS231.
Advantageous effects of the invention: the invention proposes one kind to be based on compared with existing statistical analysis technique
The firewall rule sets under discrimination dynamic optimization algorithm of pile structure, is analyzed by the correlation properties to network packet, is proposed excellent
Three formula that first grade calculates, for realizing the quick calculating of rule prioritization.Simultaneously according to three calculation formula, one is proposed
The efficient adjustment algorithm of kind reduces the hit of firewall rule sets under discrimination so that firewall rule sets under discrimination is able to achieve the change of high efficient and reliable
Number.
Detailed description of the invention
Fig. 1 is the tectonic model figure of pile structure of the invention.
Fig. 2 is pile structure dynamic adjustment algorithm flow chart of the present invention.
Fig. 3 is the dynamic adjustment algorithm based on statistical analysis and the dynamic adjustment algorithm optimization percentage column based on pile structure
Shape figure.
Fig. 4 is the runing time folding of the dynamic adjustment algorithm based on statistical analysis and the dynamic adjustment algorithm based on pile structure
Line chart.
Fig. 5 is the opposite optimization hundred of the dynamic adjustment algorithm based on statistical analysis and the dynamic adjustment algorithm based on pile structure
Divide and compares column diagram.
Specific embodiment
The invention will be further described below in conjunction with the accompanying drawings.Following embodiment is only used for clearly illustrating the present invention
Technical solution, and not intended to limit the protection scope of the present invention.
To the firewall rule sets under discrimination dynamic optimization algorithm based on statistical analysis and pile structure is based below by emulation experiment
Firewall rule sets under discrimination dynamic optimization algorithm be described, and carry out related data comparative analysis.
(1) experimental situation
Emulation experiment is carried out under 6.3 operating system of CentOS, and the kernel version of 6.3 operating system of CentOS is
Linux-2.6.32-279.19.1.el6.i686, memory size are 512MB, and the version of compiler gcc is gcc-4.4.4.
Emulation tool is write using C language under linux, and major function is to realize Iptables program
Data packet matched function.Rule set used by rule set used by this chapter is by the rule of ClassBench Software Create
Collection includes 83164 rules, and used data packet is the data packet captured in public network server using tcpdump, original
Pcap data package size is 93M, there is 141997 data packets.
The target of this section experiment mainly has the following:
1) the original dynamic optimization algorithm based on statistical analysis of analogue simulation, Research statistics parser is in the same terms
It is no to reduce matching times;
2) dynamic optimization algorithm of the analogue simulation based on pile structure, research is based on the dynamic optimization algorithm to structure identical
Under the conditions of whether reduce matching times;
3) compare the matching efficiency and rule adjustment time of two kinds of algorithms according to statistical data.
(2) it tests and analyzes
This section experiment flow mainly includes three parts, is experiment, the base of Iptables procedure simulation simulation program respectively
In the dynamic optimization experiment, a kind of improved dynamic optimization experiment based on statistical analysis and moving based on pile structure of statistical analysis
State optimization experiment.
1) experiment of Iptables procedure simulation simulation program
In emulation experiment, it is specified that the fuzzy rules used be 300, data packet number be 10000,30000,50000,
70000 and 100000.This experiment is repeated 3 times, and statistical result is as shown in table 1.
The simulation experiment result of 1 Iptables program of table
The hiting data packet number counted in table 1 is the data packet number being hit in test case, same due to using
The test case of sample, therefore in the experiment algorithm of this section, the data packet number of hit is all that the number obtained is counted in 4.1 tables.
2) the dynamic optimization experiment based on statistical analysis
In this experiment, it is specified that the fuzzy rules used be 300, data packet number be 10000,30000,50000,
70000 and 100000.Its statistical result is as shown in table 2.
Dynamic optimization algorithm experimental result of the table 2 based on statistical analysis
3) the dynamic optimization experiment based on pile structure
In this experiment, it is specified that the fuzzy rules used be 300, data packet number be 10000,30000,50000,
70000 and 100000, the size of pile structure most rickle is set as 10, statistical result is as shown in table 3.
Dynamic optimization algorithm experimental result of the table 3 based on pile structure
4) experimental contrast analysis
(1) matching efficiency
Matching efficiency is described by being effectively matched number.In this experiment, it is known as having by the rule that data packet is hit
Effect rule, the research emphasis of this section experiment are the influences for studying two kinds of algorithms for effective rule match number.Therefore, this experiment
Firstly the need of the hit-count of statistics effectively rule.
The matching times for enabling effectively rule are Nuse, it is N that rule set, which matches total degree,sum, rule set size is n, data packet
Number is Dsum, hiting data packet number is Duse, calculation formula is as follows:
Nuse=Nsum-n(Dsum-Duse);
Effective rule match number of above two algorithm is obtained according to above-mentioned formula, as shown in table 4.
The effective rule match frequency table of table 4
According to the statistical result of upper table, the matching optimization percentage of computational algorithm, the calculation formula of matching optimization percentage
It is as follows:
Wherein PoptFor matching optimization percentage, NoldFor former hit-count, NnewFor innovatory algorithm hit-count.
5 matching optimization percentage statistical form of table
From table 5 and Fig. 3's the study found that dynamic optimization algorithm that this chapter is studied all improves the hit of firewall rule sets under discrimination
Rate, in dynamic optimization algorithm, the matching efficiency of the dynamic optimization algorithm based on pile structure is higher than dynamic based on statistical analysis
State optimization algorithm.
(2) the rule adjustment time
In Iptables algorithm, do not have well-regulated adjustment time, only exists the match time of rule.And this chapter research
In two kinds of dynamic optimization algorithms, both there is the match time of rule, there is also the adjustment times of rule.It is needed in the experiment of this section
The rule adjustment time of two kinds of dynamic optimization algorithms is calculated, and analysis comparison is carried out according to related data.
According to the average operating time of above-mentioned statistics and rule match number, enabling T is that algorithm runs average time, Tiptables
For Iptables Riming time of algorithm, Nsum is matching rule sum, and Niptables is Iptables algorithmic match rule sum,
Tadjust is the rule adjustment time, then the calculation formula of rule adjustment time is as follows:
From in table 6 and Fig. 4 the study found that the rule adjustment time that the dynamic optimization algorithm based on pile structure is tested is higher than
Dynamic optimization algorithm based on statistical analysis.
The rule adjustment timetable of 6 algorithm experimental of table
(3) comprehensive analysis
Learn that the matching efficiency of the dynamic optimization algorithm based on pile structure is better than the dynamic based on statistical analysis according to Fig. 3
The matching efficiency of optimization algorithm learns that the rule adjustment time of the dynamic optimization algorithm based on pile structure is higher than base according to Fig. 4
In the rule adjustment time of the dynamic optimization algorithm of statistical analysis.In order to which two various dynamic optimization algorithms are comprehensively compared, need
Matching efficiency and rule adjustment time synthesis are compared.Since efficiency of algorithm is proportional with matching efficiency, with rule
Adjustment time inversely, therefore using the dynamic optimization algorithm based on statistical analysis as contrast standard, defines opposite optimization hundred
Divide and compares Prelative, to profile matching efficiency, the relationship of rule adjustment time and efficiency of algorithm, algorithmic formula is as follows:
Wherein PrelativeOpposite optimization percentage, ToldFor the dynamic optimization algorithm based on statistical analysis rule adjustment when
Between, PoldFor the matching optimization percentage of the dynamic optimization algorithm based on statistical analysis.TnewFor the dynamic optimization based on pile structure
The rule adjustment time of algorithm, PnewFor the matching optimization percentage of the dynamic optimization algorithm based on pile structure.Its data result is such as
Shown in table 7.
The opposite optimization percentage of table 7
Opposite optimization percentage in table 7 is indicated using column diagram, as shown in Figure 5.
From table 7 and Fig. 5's the study found that based on the dynamic optimization algorithm of pile structure it is whole relatively in better than based on statistics
The dynamic optimization algorithm of analysis.In comprehensive comparison, the opposite optimization percentage of the dynamic optimization algorithm based on pile structure is substantially
All in 10%~15% or so fluctuation.
(3) experiment conclusion
In above-mentioned experiment, analogue simulation Iptables program, and counted its runing time and matching times, as
The correlation data of subsequent experimental, and counted the runing time and matching times of two kinds of algorithms of this chapter research.
In experimental contrast analysis, experimental result is analyzed from the performance of algorithm and functionally respectively, thus
Conclusion out:
1) on matching efficiency, effective rule match number of the dynamic optimization algorithm based on pile structure is minimum, optimization
Percentage highest is higher than the dynamic optimization algorithm based on statistical analysis;
2) on the rule adjustment time, the rule adjustment time loss longest of the dynamic optimization algorithm based on pile structure is wanted
Higher than the dynamic optimization algorithm based on statistical analysis;
3) by comprehensive analysis, dynamic optimization algorithm of the dynamic optimization algorithm based on pile structure better than statistical analysis.
The above is only a preferred embodiment of the present invention, it is noted that for the ordinary skill people of the art
For member, without departing from the technical principles of the invention, several improvement and deformations can also be made, these improvement and deformations
Also it should be regarded as protection scope of the present invention.
Claims (8)
1. a kind of firewall rule sets under discrimination dynamic optimization method based on pile structure, which is characterized in that specifically include: step SS1: structure
The tectonic model of pile structure is built, the tectonic model of the pile structure includes most rickle, single linked list;Step SS2: pile structure is proposed
Dynamic adjustment algorithm, the dynamic adjustment algorithm include most rickle adjustment algorithm, pile structure adjustment algorithm.
2. a kind of firewall rule sets under discrimination dynamic optimization method based on pile structure according to claim 1, which is characterized in that
The construction method of the tectonic model of pile structure in the step SS1 includes the following steps:
Step SS11: creation root node Root, minimum heap pointer Heap and chain table pointer Link is created for root node Root, respectively
It is directed toward most rickle heap top and single-stranded meter pointer;
Step SS12: creation most rickle Heap, since the property of heap causes it to be realized using array, creation length is
The one-dimension array a [N] of N, the arbitrary node in array need to meet the property of most rickle: a [i]≤a [2i+1] [i]≤a
[2i+2], wherein 2i+2≤N, concentrates the maximum N number of rule of priority to store firewall rule;
Step SS13: creation single linked list Link, remaining rule is concentrated to store firewall rule, regular storage order is pressed
The sequence of rule is concentrated to be stored according to firewall rule, the last one pointer of chained list is directed toward null pointer.
3. a kind of firewall rule sets under discrimination dynamic optimization method based on pile structure according to claim 1, which is characterized in that
Most rickle adjustment algorithm in the step SS2 specifically includes: for most rickle part, since most rickle heap is complete y-bend
Tree, while using array representation complete binary tree, then for element in array, it is specified that a [i+1] is the left subtree of a [i], a [i+
2] it is the right subtree of a [i], then most rickle adjustment algorithm uses recursive algorithm, and algorithm flow is as follows:
(1) i=N/2, size=N are enabled;
(2) max=i is enabled, if i < N/2, carries out (2) step, otherwise i--, and jump back to (1) step;
(3) if 2i+1 < size, and a [i+2] < a [max], then max=2i+1, if 2i+2 < size, and a [i+
2] < a [max], then max=2i+2;
(4) if max ≠ i, a [i] and a [max] are exchanged, i=max, and (3) step is repeated, if max=i, i--;
(5) if i > 0, repeatedly (2) step, otherwise terminates;
When traversing the pile structure using firewall, when being traversed for the rule in most rickle, using the high rule of priority
The then rule low better than priority, therefore, it is necessary to construct the one-dimension array b [N] that a length is N, according to priority sequence is deposited
Most rickle a [N] is stored up, a [N] is assigned to b [N], b [N] uses quicksort, obtains the array of a priority from big to small.
4. a kind of firewall rule sets under discrimination dynamic optimization method based on pile structure according to claim 1, which is characterized in that
Pile structure adjustment algorithm in the step SS2 specifically comprises the following steps:
Step SS21: heap model initialization algorithm is executed;
Step SS22: it executes pile structure and recycles adjustment algorithm;
Step SS23: data packet matched algorithm is executed.
5. a kind of firewall rule sets under discrimination dynamic optimization method based on pile structure according to claim 4, which is characterized in that
The heap model initialization algorithm in the step SS21 specifically includes: set the range of firewall rule priority as [1,
100], then N < 100 is enabled, will wherein N number of rule be taken out according to sequence original in rule set, in deposit a [N], by remaining rule
By original sequence carry on single linked list Link;Setting priority regular in a [N] is all 2, is both construction most rickle a [N]
Priority array b [N];The priority of strictly all rules in single linked list Link is set as 1.
6. a kind of firewall rule sets under discrimination dynamic optimization method based on pile structure according to claim 4, which is characterized in that
Pile structure circulation adjustment algorithm in the step SS22 includes the following steps:
Step SS221: Δ T is set1To be hit nearest time, Δ T for the first time2When being hit nearest for the last time
Between, each regular (including the rule in most rickle and single linked list) in above-mentioned pile structure is looped through, each rule is counted
ΔT1With Δ T2;
Step SS222: if Δ T2< 60 and Δ T1-ΔT2> 10, and rule is rule in most rickle, then needs according to priority
It improves algorithm and proposes the priority of rule, and jump to step SS224;
Step SS223: if Δ T2>=60, and rule is rule in most rickle, then taking priority to reduce algorithm reduces it preferentially
Grade, and jump to step SS224;
Step SS224: adjusting minimum pile structure, traverses each rule in the single linked list Link in pile structure, respectively with minimum
Heap heap top element is compared, and if it is greater than most rickle heap top element, then exchanges two elements, while adjusting and calculating according to most rickle
Method adjusts most rickle, repeats step SS221.
7. a kind of firewall rule sets under discrimination dynamic optimization method based on pile structure according to claim 6, which is characterized in that
It includes: to set Δ T that the priority, which improves algorithm and priority reduction algorithm,1To be hit the nearest time for the first time,
ΔT2It is hit the nearest time for the last time, if Δ T2>=60, then regular priority reduces algorithmic formula are as follows:
Wherein Mi'≥1;
If Δ T2< 60 and Δ T1-ΔT2> 10, then regular priority improves algorithmic formula are as follows:
Wherein Mi'≤100;
Wherein β is regulatory factor, sets β=0.6.
8. a kind of firewall rule sets under discrimination dynamic optimization method based on pile structure according to claim 4, which is characterized in that
The data packet matched algorithm in the step SS23 specifically comprises the following steps:
Step SS231: using rule match network packet in pile structure, alteration ruler is hit the time recently, if regular
It is hit for the first time, and rule is rule on single linked list, then needs to be calculated using first hit formula, it is first to hit formula such as
Under:
Wherein Mi'≤100;
Wherein Mi' for adjustment after the i-th rule priority, MiFor the priority of former i-th rule, MminIt is preferential in most rickle
The value of the minimum rule of grade, ρ is regulatory factor, and set ρ is 0.7, and the priority of reduction most rickle heap top element is Mi- 1, simultaneously will
Regular RiIt is interchangeable with heap top element, adjusts the sequence in most rickle;
Step SS232: the priority for reducing most rickle heap top element is Mi- 1, while this rule and heap top element being carried out mutually
It changes, adjusts the sequence in most rickle, repeat step SS231.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710750090.XA CN109150816A (en) | 2017-08-28 | 2017-08-28 | A kind of firewall rule sets under discrimination dynamic optimization method based on pile structure |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710750090.XA CN109150816A (en) | 2017-08-28 | 2017-08-28 | A kind of firewall rule sets under discrimination dynamic optimization method based on pile structure |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN109150816A true CN109150816A (en) | 2019-01-04 |
Family
ID=64803645
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710750090.XA Pending CN109150816A (en) | 2017-08-28 | 2017-08-28 | A kind of firewall rule sets under discrimination dynamic optimization method based on pile structure |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109150816A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113411336A (en) * | 2021-06-21 | 2021-09-17 | 深圳天元云科技有限公司 | Firewall strategy position optimization method, system, terminal and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101060521A (en) * | 2006-04-18 | 2007-10-24 | 华为技术有限公司 | Information packet filtering method and network firewall |
| CN101340424A (en) * | 2007-07-03 | 2009-01-07 | 华为技术有限公司 | Method, system and proxy device for adjusting rules and policies of traversal devices |
| US20150143502A1 (en) * | 2013-09-25 | 2015-05-21 | Veracode, Inc. | System and method for automated configuration of application firewalls |
| US20160226825A1 (en) * | 2015-01-30 | 2016-08-04 | Aruba Networks, Inc. | Dynamic detection and application-based policy enforcement of proxy connections |
-
2017
- 2017-08-28 CN CN201710750090.XA patent/CN109150816A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101060521A (en) * | 2006-04-18 | 2007-10-24 | 华为技术有限公司 | Information packet filtering method and network firewall |
| CN101340424A (en) * | 2007-07-03 | 2009-01-07 | 华为技术有限公司 | Method, system and proxy device for adjusting rules and policies of traversal devices |
| US20150143502A1 (en) * | 2013-09-25 | 2015-05-21 | Veracode, Inc. | System and method for automated configuration of application firewalls |
| US20160226825A1 (en) * | 2015-01-30 | 2016-08-04 | Aruba Networks, Inc. | Dynamic detection and application-based policy enforcement of proxy connections |
Non-Patent Citations (1)
| Title |
|---|
| 单超: "防火墙配置规则集优化关键技术研究", 《万方学位论文集哈尔滨工程大学》 * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113411336A (en) * | 2021-06-21 | 2021-09-17 | 深圳天元云科技有限公司 | Firewall strategy position optimization method, system, terminal and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108462717A (en) | The firewall rule sets under discrimination optimization method of rule-based match hit rate and distribution variance | |
| CN109918548A (en) | A kind of methods and applications of automatic detection document sensitive information | |
| RU2012141478A (en) | SYSTEM AND METHOD FOR INCREASING THE QUALITY OF DETECTIONS OF MALICIOUS OBJECTS USING THE RULES AND PRIORITIES | |
| Zhou et al. | Comparison and evaluation of five methods of estimation of the Johnson system parameters | |
| CN111159243B (en) | User type identification method, device, equipment and storage medium | |
| CN110909773A (en) | Client classification method and system based on adaptive particle swarm | |
| CN106204083A (en) | A kind of targeted customer's sorting technique, Apparatus and system | |
| CN110493262A (en) | It is a kind of to improve the network attack detecting method classified and system | |
| CN110083507A (en) | Key Performance Indicator classification method and device | |
| CN109150816A (en) | A kind of firewall rule sets under discrimination dynamic optimization method based on pile structure | |
| CN109947933A (en) | Method and device for classifying to log | |
| CN109145003A (en) | A kind of method and device constructing knowledge mapping | |
| CN110290152A (en) | Firewall rule engine time complexity appraisal procedure based on probability weight path | |
| CN109656615A (en) | A method of permission early warning is carried out based on code method significance level | |
| CN111221864B (en) | Intelligent index recommendation method based on mysql slow query log word frequency analysis | |
| CN110782879B (en) | Voiceprint clustering method, device, equipment and storage medium based on sample size | |
| CN108776707B (en) | Sampling methods for exploratory queries | |
| Ahmed et al. | Network sampling designs for relational classification | |
| Rosenthal et al. | Impact of population size, selection and multi-parent recombination within a customized NSGA-II and a landscape analysis for biochemical optimization | |
| Zhang et al. | An optimization algorithm applied to the class integration and test order problem | |
| CN109802847A (en) | A kind of analysis method of network transmission service quality, device | |
| Jiang et al. | Time-varying hyperparameter strategies for radial basis function surrogate-based global optimization algorithm | |
| CN111641599B (en) | Identification method of VoIP network flow affiliated platform | |
| Lavesson et al. | A multi-dimensional measure function for classifier performance | |
| Maletzke et al. | Accurately quantifying under score variability |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190104 |