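Research on Key Technologies for Optimizing Firewall Configuration Rule Sets
Published: 2018-04-14 02:38
Topics of this paper: firewall rule set + decision tree model; Source: Harbin Engineering University, master's thesis, 2014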
[Abstract]: The twenty-first century is an era of rapid development in information technology. With the rapid rise of the mobile Internet, exchanging information anytime and anywhere has become an indispensable part of daily life. The network information security problems that accompany this development are receiving growing attention, and firewall technology, an important part of network information security research, is receiving growing attention as well. This thesis studies firewall configuration rule sets along two directions: a decomposition algorithm that produces an effective firewall rule set, and a dynamic optimization algorithm for firewall rule sets. For the decomposition algorithm, the thesis first proposes optimization principles for firewall rule sets, addressing five kinds of problems in firewall rules. It then proposes a rule classification algorithm based on a decision tree: a decision tree model is constructed to classify the rules in the original firewall rule set, and using the decision tree model during classification does not change the priority among the original redundant rules. Next it proposes a rule decomposition algorithm based on mask splitting: based on the characteristics of IP addresses, a mask splitting algorithm decomposes the original IP addresses, and invalid rules are eliminated according to the optimization principles for firewall rule sets, yielding an effective rule set. Finally, it analyzes in detail the important role of the decision tree in this algorithm and uses comparative experiments to show that the decision tree model can improve the time complexity of the mask splitting algorithm. For the dynamic optimization algorithm, the priority of firewall rules is the focus of the research. The thesis first analyzes the statistical analysis algorithm used in existing dynamic optimization and then proposes an improved statistical analysis algorithm; analysis reveals some shortcomings inherent in the statistical analysis algorithm, and the thesis ultimately proposes a dynamic optimization algorithm for firewall rule sets based on a heap structure. In the heap-based algorithm, an improved heap model is constructed to store the firewall rule set, and a dynamic adjustment algorithm built on the improved heap model enables the algorithm to adjust the firewall rule set dynamically. The experimental part analyzes the rule matching efficiency of the original statistical analysis algorithm, the improved statistical analysis algorithm and the heap-based dynamic optimization algorithm, and concludes that the heap-based dynamic optimization algorithm outperforms the other two algorithms in rule matching efficiency.
[Degree-granting institution]: Harbin Engineering University
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.08
Article ID: 1747379
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1747379.html