
Research And Application Of Network Security Strategy Optimization Technology In Complex Network Environment

Posted on: 2020-05-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W J Li
GTID: 1368330626456875
Subject: Software engineering

Abstract/Summary:
In recent years, with the rapid development and wide application of the Internet, the Internet of Things and cloud computing, the importance of network security has become increasingly prominent, and it has even risen to the level of national military and economic security. Network security strategy manages network security by forwarding and filtering network data packets, and it is one of the most widely used approaches in network security management. Conflicts, redundancies and errors inevitably exist in manually configured network security strategies. With the development and application of new network technologies such as TCAM and SDN, this situation has become increasingly serious, and the optimization of network security strategy is imminent. The main research work of this paper includes the following three parts:

1) Research on TCAM-oriented network security policy compression technology

TCAM supports efficient concurrent rule matching, which can greatly improve the performance of network security policy matching, and in recent years more and more network security policies have been stored in TCAM. However, the storage capacity of TCAM is limited and its cost is high. Research on TCAM-oriented network security policy compression technology has therefore gradually become a research hotspot. Current studies, however, mainly suffer from not using high-dimensional data, poor compression effect and non-circular compression. In this paper, a TCAM-oriented network security policy compression technology based on a bipartite graph is proposed, through which network security policies can be reduced. After a slight conversion into a bipartite graph, the order relationship of the network security policies can be displayed visually, and the nodes in the bipartite graph can then be output through a topological sorting algorithm. Because the compression of network security policies is an NP-hard problem, our study takes the A*-Star greedy algorithm as the revenue function in the process of topological sorting, and uses the local optimal solution of the revenue calculated by the A*-Star greedy algorithm to replace the global one. The experimental results show that the proposed technique supports cyclic compression and can compress further on the basis of other research methods. Its compression efficiency is better than that of the existing research methods.

2) Research on SDN-oriented network security policy placement technology

Network security policy placement technology for SDN has become a research hotspot in recent years, but current studies do not consider the impact of the location relationship of network devices on network security policy placement. The placement technology proposed in this paper considers, for the first time, the influence of the location relationship of network devices on the placement of network security policies, and puts forward placement strategies for the different location relationships of network devices. To solve the problem of the low efficiency of network policy coverage by existing policies during policy implementation, this paper proposes a new network security policy representation model, OPTree, and designs insertion and query algorithms for it. The algorithm analysis and test results show that OPTree has very efficient query performance, and that considering the location relationship of network security devices in the process of network security policy placement is necessary.

3) Research on a network reachability query engine based on network security policies

Network reachability is one of the key indicators reflecting the function and performance of a network. A quick and intuitive understanding of network accessibility is of great guiding significance for network optimization and network security management. Existing network accessibility query methods and tools depend on the online status of network devices and consume network bandwidth. Their results are instantaneous and inaccurate, and cannot reflect the actual situation of the network. As the most widely used network security management measure, the network security policy can better reflect network accessibility. Therefore, this paper proposes a network accessibility query scheme based on network security policy. It is a new offline network accessibility query scheme that does not depend on device status or consume network bandwidth. First, a network reachability model based on network security policy is constructed. Combining RDF technology and graph database management technology, we construct a network reachability knowledge graph. On this basis, we propose a structured query language for network reachability, called NRQL, design its construction and analysis algorithms, and finally build a prototype network reachability query engine to provide users with a convenient and fast network reachability query service.
Keywords/Search Tags: Network Security Policy, Policy Compression, Rule Placement, Network Reachability