面向防火墙和IDS/IPS协同防御的策略冲突检测算法

系统仿真学报 ›› 2015, Vol. 27 ›› Issue (11): 2770-2777.

• 信息、控制、决策与仿真 • 上一篇下一篇

面向防火墙和IDS/IPS协同防御的策略冲突检测算法

邱松¹, 焦健², 张东阳³

1.襄垣和信发电有限公司工程部,太原 030001;
2.北京信息科技大学计算机学院,北京 100192;
3.华北电力大学计算机学院,保定 071002

收稿日期:2014-04-19 修回日期:2014-07-27 出版日期:2015-11-08 发布日期:2020-08-05
作者简介:邱松(1982-),男,河北大城县,学士,工程师,研究方向为网络及信息管理;焦健(1978-),男,博士,副教授,研究方向为网络安全;张东阳(1981-),男,硕士,研究方向为计算机测控技术。
基金资助:
国家自然科学基金项目(61370065)

Policies Conflict Detection Algorithm Coordinated Defense-oriented of Firewall and IDS/IPS

Qiu Song¹, Jiao Jian², Zhang Dongyang³

1. Department of Engineering, Xiangyuan Hexin Power Co. Ltd. , Taiyuan 030001, China;
2. Department of Computer, Beijing Information Science & Technology University. Beijing 100192, China;
3. Department of Computer, North China Electric Power University, Baoding 071002, China

Received:2014-04-19 Revised:2014-07-27 Online:2015-11-08 Published:2020-08-05

摘要/Abstract

摘要： 为应对分布式、复杂的网络攻击威胁,防火墙和IDS(Intrusion Detection System)/IPS(Intrusion Prevention System)协同防御的需求越来越迫切。由于IDS/IPS对入侵判断不确定等问题的存在,当防火墙策略和IDS/IPS策略中的规则对同样数据包执行的动作矛盾时,会产生冲突。冲突会导致允许非法访问或者阻断合法访问。通过研究面向防火墙和IDS/IPS协同防御的策略冲突检测算法。给出了防火墙策略和IDS/IPS策略的语义模型,实现了策略冲突的分类,设计基于OBDD(ordered binary decision diagram,有序决策二叉图)的策略冲突检测算法,在实际场景下验证了算法的正确性和可扩展性,并分析了冲突的分布比例。

关键词: 防火墙, 协同防御, 冲突检测, 有序决策二叉图

Abstract: Coping with the distributed and complex threaten of networking attack, the requirement of coordinated defense of Firewall and IDS/IPS are becoming more and more urgent. As the existence of uncertainty of the judgment of Intrusion performed by IDS/IPS, Firewall and IDS/IPS often perform contradict action, that the same package matched the both rules of Firewall and IDS/IPS, and conflict arose, which would lead to illegal access control or deny of legal access control. The policies conflict detection algorithm of coordinated defense of Firewall and IDS/IPS were researched. The semantic models of firewall policy and IDS/IPS policy were proposed, the classification of the policies conflicts was proposed, and the conflicts detection algorithm of policies were proposed using OBDD (ordered binary decision diagram). The experiment demonstrates the correctness and scalability of the algorithm, and the proportion of the conflicts in real network scenario.

Key words: firewall, coordinated defense, conflict detection, ordered binary decision diagram

中图分类号:

TP301

邱松, 焦健, 张东阳. 面向防火墙和IDS/IPS协同防御的策略冲突检测算法[J]. 系统仿真学报, 2015, 27(11): 2770-2777.

Qiu Song, Jiao Jian, Zhang Dongyang. Policies Conflict Detection Algorithm Coordinated Defense-oriented of Firewall and IDS/IPS[J]. Journal of System Simulation, 2015, 27(11): 2770-2777.

参考文献

[1] Karen Scarfone, Peter Mell. Guide to Intrusion Detection and Prevention Systems (IDPS) [EB/OL]. (2007-02) [2014-06].http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf.
[2] Andy Cuff Intrusion Detection Terminology [EB/OL]. (2010-02) [2014-06] www.securityfocus.com/infocus/1728
[3] Al-Shae E S, Hamed H H. Firewall Policy Advisor for anomaly discovery and rule editing[C]// IFIP/IEEE Eighth International Symposium on Integrated Network Management. USA: IEEE, 2003 (5): 17-30.
[4] E Al-Shaer, H Hamed.Discovery of policy anomalies in distributed firewalls[C]// IEEE INFOCOM. USA: IEEE, 2004(4): 2605-2616.
[5] Al-Shaer E, Hamed H, Boutaba R, et al. Conflict classification and analysis of distributed firewall policies[J]. IEEE Journal on Selected Areas in Communications (S0733-8716), 2005, 23(10): 2069-2084.
[6] Hu H, Ahn G J, Kulkarni K.FAME: a firewall anomaly management environment[C]// Proceedings of the 3rd ACM workshop on Assurable and usable security configuration. USA: ACM, 2010: 17-26.
[7] Hu H, Ahn G J, Kulkarni K.Detecting and resolving firewall policy anomalies[J]. IEEE Transactions on Dependable and Secure Computing (S1545-5971), 2012, 9(3): 318-331.
[8] Hamed H, Al-Shaer E, Marrero W. Modeling and verification of IPSec and VPN security policies [C]// 13th IEEE International Conference on Network Protocols. USA: IEEE, 2005 (11).
[9] Hamed H, Al-Shaer E.Taxonomy of conflicts in network security policies[J]. Communications Magazine (S0163-6804), 2006, 44(3): 134-141.
[10] S Ferraresi, S Pesic, L Trazza, et al. Automatic Conflict Analysis and Resolution of Traffic Filtering Policy for Firewall and Security Gateway[C]// IEEE International Conference on Communications. USA: IEEE, 2007: 1304-1310.
[11] Gobjuka H, Ahmat K A.Fast and scalable method for resolving anomalies in firewall policies[C]// 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). USA: IEEE. 2011: 828-833.
[12] Stakhanova N, L Yao, A A Ghorbani. Classification and Discovery of Rule Misconfigurations in Intrusion Detection and Response Devices[C]// Privacy, Security, Trust and the Management of e-Business, 2009. USA: IEEE. 2009: 29-37.
[13] J Alfaro, N Boulahia-Cuppens, F Cuppens.Complete analysis of configuration rules to guarantee reliable network security policies[J]. International Journal of Information Security (S1615-5262), 2008, 7(2): 103-122.
[14] A Westerinen, J Schnizlein, J Strassner, et al. Terminology for Policy-Based Management [EB/OL]. (2001-11) [2014-07] http://www.rfc-editor.org/rfc/rfc3198.txt
[15] J Lind-Nielsen. The buddy obdd package [Z/OL]. http://www.bddportal.org/buddy.html.2005.
[16] 古天龙, 徐周波. 有序二叉决策图及应用 [M]. 北京: 科学出版社, 2000: 30-45.

面向防火墙和IDS/IPS协同防御的策略冲突检测算法

Policies Conflict Detection Algorithm Coordinated Defense-oriented of Firewall and IDS/IPS

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	邓向阳, 张立民, 方伟, 汤淼. 基于双向汇聚引导蚁群算法的机器人路径规划[J]. 系统仿真学报, 2022, 34(5): 1101-1108.
[2]	宁涛, 苟涛, 刘向东. 考虑低碳约束的生鲜农产品冷链物流策略仿真研究[J]. 系统仿真学报, 2022, 34(4): 797-805.
[3]	李建锋, 卢迪, 李贺香. 一种改进的原子搜索算法[J]. 系统仿真学报, 2022, 34(3): 490-502.
[4]	董君, 叶春明. 半导体晶圆节能分布式制造与预维护联合优化[J]. 系统仿真学报, 2022, 34(3): 584-602.
[5]	孙小晴, 程昊, 张潞瑶, 季伟东, 王旭. 一种基于空间分割搜索策略的自然计算方法[J]. 系统仿真学报, 2021, 33(11): 2589-2605.
[6]	王付宇, 汤涛. 双种群鱼群算法在分布式投资组合的应用[J]. 系统仿真学报, 2021, 33(9): 2074-2084.
[7]	段红, 邱晓刚. 网络化仿真及其发展趋势[J]. 系统仿真学报, 2021, 33(7): 1526-1533.
[8]	段红, 邱晓刚, 谢旭, 鞠儒生. 仿真学科知识领域构成研究[J]. 系统仿真学报, 2021, 33(4): 763-772.
[9]	刘景森, 袁蒙蒙, 李煜. 基于改进樽海鞘群算法求解工程优化设计问题[J]. 系统仿真学报, 2021, 33(4): 854-866.
[10]	顾菊平, 程天宇, 王建平, 华亮, 赵凤申, 蒋凌. 基于几何特征不变量的快速3D医学图像配准[J]. 系统仿真学报, 2020, 32(11): 2105-2111.
[11]	倪婉璐, 季伟东, 孙小晴. 自适应动态控制种群分组的自然计算方法[J]. 系统仿真学报, 2020, 32(10): 1884-1894.
[12]	陆湛文, 程新功, 张永峰. 基于共识粒子群的全局优化求解方法[J]. 系统仿真学报, 2020, 32(10): 1936-1942.
[13]	张潞瑶, 季伟东, 程昊. 基于LLE降维思想的自然计算方法[J]. 系统仿真学报, 2020, 32(10): 1943-1955.
[14]	何奕涛, 李珺, 郝丽艳. 具有引力机制的细菌觅食算法[J]. 系统仿真学报, 2020, 32(9): 1724-1735.
[15]	刘长良, 王梓齐. 基于严格二叉树编码和GA的模糊树结构学习[J]. 系统仿真学报, 2020, 32(8): 1473-1480.