Research on an Anomalies Detection Method for Firewall Rules

doi:10.3969/j.issn.1671-1122.2018.10.011

Abstract

Abstract:

Firewall is one of the core elements in network security. However, the firewall in the cloud environment, the processing for network traffic usually reaches 10 Gb. And the generation of 10 Gb firewall, the increasing of firewall rules and the anomalies of rules impair the firewall performance seriously. This paper presented a valid-rule-set based anomalies detection method for firewall rules, which improve the state-transition based anomalies discovery algorithm. According to producing valid-rule-set and altering the detection object from original-rule-set to valid-rule-set, optimize the process of detection and locate the range of the anomaly. The experiment results show that, in the presence of a certain degree of redundancy in original-rule-set, the method can enhance the effect of detection.

Key words: firewall rules, anomalies detection, state transition, performance optimiztion

CLC Number:

TP309

Sisi CHEN, Jin YANG, Tao LI. Research on an Anomalies Detection Method for Firewall Rules[J]. Netinfo Security, 2018, 18(10): 78-84.

Figures/Tables 7

References 15

[1]	EHAB S.HAZEM H H.Firewall Policy Advisor for Anomaly Discovery and Rule Editing[M].Berlin:Integrated Network Management VIII. Springer US, 2003:17-30.
[2]	CHEN Mingqi, HONG Xuehai, WANG Wei, et al.The Development Trends of the Network Security and Information Technology[J]. Netinfo Security, 2015,15(4):1-4.
	陈明奇,洪学海,王伟,等. 关于网络安全和信息技术发展态势的思考[J]. 信息网络安全, 2015,15(4):1-4.
[3]	EHAB S.HAZEM H H.Modeling and Management of Firewall Policies[J]. IEEE Transactions on Network and System Management, 2004, 20(1):2-10
[4]	CHENG Yong, QIN Zufu, FU Jianming.Application of OBDD to Design Rule Database of Firewall[J]. Journal of Wuhan University(Natural Science Edition), 2006(1):77-80.
	程勇, 秦祖福, 傅建明. 有序二叉决策图在防火墙规则库设计中的应用[J]. 武汉大学学报(理学版), 2006(1):77-80.
[5]	LI Lin, LU Xianliang.A Filter Conflicts Resolving Algorithm Based on Cutting Mapping[J]. Acta Electronica Sinica, 2008(2):408-412.
	李林, 卢显良. 一种基于切割映射的规则冲突消除算法[J]. 电子学报, 2008(2):408-412.
[6]	SUN Yun, LUO Junyong, LIU Yan.Analysis Method of Firewall Rule Configuration Anomalies[J]. Computer Engineering, 2009,35(02):164-166.
	孙云, 罗军勇, 刘炎. 一种防火墙规则配置异常分析方法[J]. 计算机工程, 2009,35(02):164-166.
[7]	LI Hongjun, LANG Weimin, DENG Gang.Research on An Effective Integrity Check Scheme for Big Data Center[J]. Netinfo Security, 2016,16(5):1-8.
	李宏军, 郎为民, 邓刚. 一种高效的大数据中心完整性检查方案研究[J]. 信息网络安全, 2016,16(5):1-8.
[8]	SHI Ronghua, MO Rui, ZHAO Wentao.An Irrelative Rule Set M atch Algorithm Based on Collision Detection[J]. Computer Engineering & Science, 2010,32(10):1-4,19.
	施荣华, 莫锐, 赵文涛. 一种基于冲突检测的无关联规则集匹配算法[J]. 计算机工程与科学, 2010,32(10):1-4,19.
[9]	LIAO Xiaoju.Rule Anomalies Detection in Firewalls[C]// Intelligent Information Technology Application Association.Proceedings of 2011 International Conference on Advanced Materials and Computer Science(ICAMCS 2011 Part2), May 1, 2011, Chengdu, China.Beijing: China Academic Journal Electronic, 2011:822-827
[10]	SUN Liqin, PAN Li.Firewall Policy Conflict Detection and Conflict Rules Visualization[J]. Information Security and Communications Privacy, 2012,12(5):75-77,83.
	孙立琴, 潘理. 防火墙策略冲突检测及冲突策略可视化[J]. 信息安全与通信保密, 2012,12(5):75-77,83.
[11]	XU Yan, DONG Tao.A Fast Algorithm for Detecting Firewall Rule Conflict[J]. Computer Technology and Development, 2013,23(9):128-130,134.
	徐艳, 董涛. 一种防火墙规则冲突快速检测算法[J]. 计算机技术与发展, 2013,23(9):128-130,134.
[12]	LI Zhong, LI Xiao.Modified Firewall Rules Matching Algorithm[J]. Application Research of Computers, 2013,30(4):1205-1207.
	李中, 李晓. 一种性能优化的防火墙规则匹配算法[J]. 计算机应用研究, 2013,30(4):1205-1207.
[13]	WANG Haitao.Research and Design of the Next Generation of Operation Security Audit System[J]. Netinfo Security, 2016,16(6):81-85.
	王海涛. 下一代运维安全审计系统研究与设计[J]. 信息网络安全, 2016,16(6):81-85.
[14]	YIN Yi, WANG Yun.Analysis Method of Inclusion Relations between Firewall Rules[J]. Journal of Computer Applications, 2015,35(11):3083-3086,3101.
	殷奕, 汪芸. 防火墙规则间包含关系的解析方法[J]. 计算机应用, 2015,35(11):3083-3086,3101.
[15]	GAO Fei, CAO Bo, ZHUANG Yan.Firewall Rules Optimization Algorithm Based on Default Rules and Conflict Detection[J]. Journal of Anhui University of Science and Technology( Natural Science), 2015,35(4):70-76.
	高飞, 曹波, 庄严. 基于默认规则及冲突检测的防火墙规则优化算法[J]. 安徽理工大学学报(自然科学版), 2015,35(4):70-76.

order	F₁	F₂	action
1	[30,50]	[20,40]	accept
2	[20,40]	[ 0,25]	deny
3	[25,40]	[10,20]	accept

order	V(r)		action
order	F₁	F₂	action
1	[30,50]	[20,40]	accept
2	[20,29]	[0,25]	deny
2	[30,40]	[0,19]	deny

order	pro	s_ip	s_port	d_ip	d_port	action
1	TCP	192.168.11.20-50	ANY	192.168.1.20-40	ANY	accept
2	TCP	192.168.11.10-40	ANY	192.168.1.2-30	ANY	accept
3	TCP	192.168.11.20-40	ANY	192.168.1.10-40	ANY	accept
4	TCP	192.168.11.2-20	ANY	192.168.1.2-50	ANY	deny
5	TCP	192.168.11.10-50	ANY	192.168.1.2-50	ANY	deny

冲突规则	冲突范围
序号	pro	s_ip	s_port	d_ip	d_port
1、4	TCP	192.168.11.20	ANY	192.168.1.20-40	ANY
2、4	TCP	192.168.11.10-19	ANY	192.168.1.2-30	ANY
2、4	TCP	192.168.11.20	ANY	192.168.1.2-19	ANY
1、5	TCP	192.168.11.20-50	ANY	192.168.1.20-40	ANY
2、5	TCP	192.168.11.10-19	ANY	192.168.1.2-30	ANY
2、5	TCP	192.168.11.20-40	ANY	192.168.1.2-19	ANY