基于默认规则的防火墙优化方法

提出一种基于默认规则的防火墙优化方法,根据规则的匹配概率及防火墙日志,从默认规则中分离出简单规则,分析这些规则与原规则的关系,并合并成新的规则。评价规则对防火墙性能的影响,并选择性地加入防火墙规则库,实现防火墙线性匹配优化。实验结果表明,该方法在一般情况下能有效降低规则的平均匹配次数,提高防火墙性能。     

基于统计分析与规则冲突检测的防火墙优化

提出一种基于统计分析和规则冲突检测的防火墙优化方法,从防火墙规则的匹配概率入手,结合规则间的冲突检测,实现防火墙规则的精简和线型匹配优化。实验表明,该方法在一般情况下能对防火墙已有的规则进行精简,使其平均规则匹配次数减少40%,性能得到较大的提高。     

基于统计分析与规则冲突检测的防火墙优化

提出一种基于统计分析和规则冲突检测的防火墙优化方法,从防火墙规则的匹配概率入手,结合规则间的冲突检测,实现防火墙规则的精简和线型匹配优化.实验表明,该方法在一般情况下能对防火墙已有的规则进行精简,使其平均规则匹配次数减少40%,性能得到较大的提高.     

基于权重与匹配效率的防火墙规则集优化算法

研究并分析防火墙规则集的优化方法,给出规则与网络数据包的的匹配频率、匹配热度和规则权重的关系公式;设计并编写基于权重与基于匹配效率的规则集优化算法程序;最后通过对相应的实验数据的分析比较,得出两种算法均可较大幅度的降低防火墙规则集与网络数据包的匹配次数,从而优化防火墙性能的结论。     

一种基于统计分析的防火墙规则匹配优化方法

文章提出了一种基于统计分析的防火墙规则匹配优化方法。该方法对通过防火墙的数据包进行统计分析,并根据统计数据动态调整过滤规则的相对次序,使其和当前网络流量特性相一致,从而达到减少规则匹配时间、提高防火墙性能之目的。仿真结果表明,该方法在一定程度上提高了防火墙的性能。     

基于哈夫曼树的防火墙规则动态优化的研究

随着网络功能的不断增加,防火墙过滤规则集合日益庞大,已严重影响了网络整体性能。本文基于网络流量的特征,提出一种根据网络流量变化动态调整防火墙规则的防火墙规则优化方法,使得匹配网络数据包越多的规则越先与数据包相匹配,从而尽量减少数据包过滤时间。     

基于规则的防火墙匹配算法研究

传统防火墙包过滤过程是通过数据包与过滤规则顺序匹配,直到有一条规则匹配后即可停止。当过滤规则日益增多时,防火墙的吞吐量也不断下降,严重影响了网络的性能。该文提出并设计了快速的规则匹配算法,改变了以往的顺序匹配,极大地提高了防火墙的吞吐量和性能。     

一种基于冲突检测的无关联规则集匹配算法

防火墙已经成为网络安全体系中一个关键的角色,对防火墙的管理越来越受到重视。本文针对在防火墙管理中容易出现的过滤规则冲突问题和规则匹配效率问题,提出了一种基于冲突检测的无关联规则集匹配算法。本文通过对规则进行分析,确定了规则库中的规则应该符合的五个关系;通过对冲突规则的分类,得到了按照各种冲突的特性进行冲突检测产生的状态图,有助于对防火墙的现有规则库进行重写优化。本文在分析传统的线性顺序规则匹配算法和树形规则匹配算法的基础上,提出一种基于冲突检测的无关联规则集匹配算法,其平均比较次数为O(lg(n)),性能上大大优于现有的算法。     

Netfilter/iptables防火墙性能优化方案与实现

随着网络带宽的增加,匹配规则集的增大,对netfilter/iptables防火墙的性能要求也越来越高。文章在对netfilter/iptables工作机制进行分析的基础上,提出了基于防火墙规则分组的方法提高规则匹配效率的优化方案,并在Linux下进行了具体实现。测试结果表明这种方法能够有效提高防火墙的性能。     

一种性能优化的防火墙规则匹配算法

设计了一种防火墙规则匹配算法,该算法基于分治思想将规则集按照协议类型分割为多个子集,并根据规则之间的关系,将各子集分为无序组和有序组,通过设计哈希函数和索引算法对两组规则进行分别匹配。分析表明,该算法的效率远优于同类算法,大大提高了防火墙的工作性能。     

一种IPV6环境下的高性能规则匹配算法研究

防火墙是确保网络安全的关键设施,而规则匹配又是防火墙的核心技术。随着网络技术的发展,互联网体系结构正逐渐从IPV4向IPV6结构发展,原有的IPV4防火墙规则匹配算法很难直接应用于IPV6网络环境,因为IPV6协议所能表示的地址范围远远超过IPV4协议对应的地址范围。因此提出了一种适用于IPV6环境的高性能规则匹配算法HiPRM(High Performance Rule Matching)。HiPRM算法的核心思想是依据规则的协议和目的端口分布特征,先把整个规则集划分成多个子规则集,再利用位选取算法对规则的源和目的IPV6地址组合的特定位进行选取,然后据此构建二叉查找规则树,最后利用规则树把多个规则子集划分成若干个更小的规则集合。而当报文匹配到某个更小的规则集合时,在小规则集中利用线性匹配法确定具体匹配的对应规则。分析和测试表明,HiPRM算法可以在时间复杂度和空间复杂度较低的情况下实现报文的高速匹配,且具有较好的规则集适应性。     

Application of evolutionary algorithm in performance optimization of embedded network firewall

With the development of the network, the problem of network security is becoming increasingly serious. The importance of a firewall as the "first portal" to network security is obvious. In order to cope with a complex network environment, the firewall must formulate a large number of targeted rules to help it implement network security policies. Based on the characteristics of the cloud environment, this paper makes in-depth research on network security protection technology, and studies the network firewall system. The system implements unified configuration of firewall policy rules on the cloud management end and delivers them to the physical server where the virtual machine is located. Aiming at the characteristics of virtual machines sharing network resources through kernel bridges, a network threat model for virtual machines in a cloud environment is proposed. Through analysis of network security threats, a packet filtering firewall scheme based on kernel bridges is determined. Various conflict relationships between rules are defined, and a conflict detection algorithm is designed. Based on this, a rule order adjustment algorithm that does not destroy the original semantics of the rule table is proposed. Starting from the matching probability of the rules, simple rules are separated from the default rules according to the firewall logs, the relationships between these rules and the original rules are analyzed, and the rules are merged into new rules to evaluate the impact of these rules on the performance of the firewall. New rules are added to the firewall rule base to achieve linear firewall optimization. It can be seen from the experimental results that the optimization strategy proposed in this paper can effectively reduce the average number of matching rules and improve the performance of the firewall.     

一种基于统计分析的自适应性动态过滤规则优化方法

防火墙过滤规则是否合理直接影响到防火墙系统的性能,但是如何检查过滤规则之间的先后顺序对防火墙安全性的影响是至关重要的,为此提出了具有自适应特性的基于统计分析的动态过滤规则优化的方法。该方法根据统计数据动态调整过滤规则的相对次序,使其和当前网络流量特性相一致,并且具有自适应性,提高了防火墙系统智能,而且还可以检查出系统的有效过滤规则,以及检查防火墙过滤规则是否存在安全漏洞。     

Ant Colony Optimization based approach for efficient packet filtering in firewall

A firewall is a security guard placed at the point of entry between a private network and the outside network. The function of a firewall is to accept or discard the incoming packets passing through it based on the rules in a ruleset. Approaches employing Neural networks for packet filtering in firewall and packet classification using 2D filters have been proposed in the literature. These approaches suffer from the drawbacks of acceptance of packets from the IP address or ports not specified in the firewall rule set and a restricted search in the face of multiple occurrences of the same IP address or ports respectively. In this paper we propose an Ant Colony Optimization (ACO) based approach for packet filtering in the firewall rule set. Termed Ant Colony Optimization Packet Filtering algorithm (ACO-PF), the scheme unlike its predecessors, considers all multiple occurrences of the same IP address or ports in the firewall rule set during its search process. The other parameters of the rule matching with the compared IP address or ports in the firewall ruleset are retrieved and the firewall decides whether the packet has to be accepted or rejected. Also this scheme has a search space lesser than that of binary search in a worst case scenario. It also strictly filters the packets according to the filter rules in the firewall rule set. It is shown that ACO-PF performs well when compared to other existing packet filtering methods. Experimental results comparing the performance of the ACO-PF scheme with the binary search scheme, sequential search scheme and neural network based approaches are presented.     

Improving cloud network security using the Tree-Rule firewall

This study proposes a new model of firewall called the ‘Tree-Rule Firewall’, which offers various benefits and is applicable for large networks such as ‘cloud’ networks. The recently available firewalls (i.e., Listed-Rule firewalls) have their limitations in performing the tasks and are inapplicable for working on some networks with huge firewall rule sizes. The Listed-Rule firewall is mathematically tested in this paper to prove that the firewall potentially causes conflict rules and redundant rules and hence leads to problematic network security systems and slow functional speed. To overcome these problems, we show the design and development of Tree-Rule firewall that does not create conflict rules and redundant rules. In a Tree-Rule firewall, the rule positioning is based on a tree structure instead of traditional rule listing. To manage firewall rules, we implement a Tree-Rule firewall on the Linux platform and test it on a regular network and under a cloud environment respectively to show its performance. It is demonstrated that the Tree-Rule firewall offers better network security and functional speed than the Listed-Rule firewall. Compared to the Listed-Rule firewall, rules of the Tree-Rule firewall are easier to be created, especially on a large network such as a cloud network.     

基于Windows2000的防火墙设计

1.引言随着网络技术的迅速发展和网络应用的急剧膨胀,网络安全日益成为人们关注的问题。防火墙是置于内部可信网络和外部不可信网络之间、作为一个阻塞点来监视和抛弃应用层的流量以及传输层和网络层的数据包的系统或系统组,用以达到对网络连接的安全性管理。在本文中,我们将讨论一种基于Windows 2000新结构的防火墙设计,首先我们将介绍一般的防火墙结构和原理,针对这种结构的不足,引出我们设计的结构,并给出具体的设计实现原型和性能分析,最后给出结论。     

一种防火墙规则快速匹配方法

包过滤是防火墙的一项基本技术,一种快速的规则匹配方法,能极大地提高防火墙的吞吐量和性能。RFC算法是具有代表性的包分类算法,分类速度快。文章着眼于应用RFC算法提高防火墙访问控制列表（ACL）的搜索速度,对RFC算法的建立过程、算法的性能等作了简单介绍,对适合防火墙实际应用的RFC算法进行了阐述,并在防火墙上进行了测试验证。     

支持防火墙规则扩展的匹配算法HERAM

防火墙是一种重要的网络安全技术,但随着网络规模的发展,遇到了许多急需解决的问题,其中就有防火墙网络瓶颈的问题。提出一种新的规则匹配算法来解决这个问题,把多维的问题进行降维处理,根据规则之间有无关联性把规则进行分类处理,另外把新添加的规则运用散列表进行组织,从而做到在增加扩展性的同时,使时间效率不受大的影响。     

组合出入口访问控制的防火墙系统研究

针对军事网络特殊安全需求,提出了一种组合出人口访问控制的网络边界安全防护手段,在抗网络攻击方面,采用包过滤防火墙与基于神经网络和基于协议分析和规则匹配的入侵检测技术相结合的方法,提高入侵检测的准确性;在防信息泄密方面,在出口访问控制中引入身份认证机制及内容审查和过滤机制,可建立更灵活的安全审计和访问控制策略,有效阻截敏感或涉密信息外泄,实现对泄密源的有效跟踪。