The Optimization Research Of Single Firewall Policy Rules

Posted on: 2017-06-26 | Degree: Master | Type: Thesis
Country: China | Candidate: L Zhang | Full Text: PDF
GTID: 2348330485492590 | Subject: Software engineering
Abstract/Summary:
The firewall is a core element of network security: it applies its security policy rules to decide whether network packets may enter or leave, and so protects the network behind it from attack and unauthorized access. The performance of the firewall's policy-rule processing therefore directly affects the security performance of the network. Filtering rules are stored as a rule list, so the time spent per packet grows linearly with the number of rules. To meet the security requirements of large networks, firewall policies become more complex and the number of rules keeps growing, and that number inevitably becomes a bottleneck for filtering efficiency. How to overcome this bottleneck is a current research topic. At the same time, network bandwidth keeps rising and data traffic keeps increasing, so how to filter packets quickly enough for high-speed networks while still meeting security requirements has become a focus for network organizations at all levels. Growth in the number of rules and in network speed inevitably increases filtering time and the potential security threats to the network. Optimizing firewall rule filtering therefore has both forward-looking and practical significance.

The primary tasks and contributions are as follows:

First, for networks with a large number of firewall rules, a firewall policy rule merging model based on rule-service is presented, which reduces the number of rules and the number of rule filtering operations while keeping the firewall's filtering behaviour unchanged. The model first detects anomalies among the rules quickly using an algorithm based on rule service, then resolves the conflicting segments using an action constraint strategy, and finally runs the service-based rule merging algorithm on the resulting anomaly-free rule set, reducing the number of rules and improving efficiency.

Second, to reduce the average number of matches and the total processing time, and to improve the matching accuracy of firewall rules, a new method driven by offline flow trace data is presented. The method first calculates the matching frequency of each rule over a given period and dynamically reorders the rules' matching labels accordingly. It then treats each rule as a class and builds a decision tree classifier from offline Internet traces and log files. For each incoming packet the classifier predicts which rule is most likely to match; if the prediction is correct, the action of that rule is taken, otherwise the packet is matched against the reordered rules one by one. As the training data is updated, the classifier and the rules' matching order are updated dynamically.
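The reorder-then-predict pipeline of the second contribution, as an added example in Python that is not part of the thesis: it assumes an already anomaly-free rule list with a trailing catch-all (the output of the first contribution), a constructed offline trace, and a vote table keyed on destination port standing in for the decision-tree classifier.

```python
from collections import Counter, defaultdict

# Constructed, anomaly-free rule list: (rule_id, proto, dst_port, action); None is a wildcard.
# Specific rules are pairwise disjoint; the catch-all default is last and must stay last.
RULES = [("r1", "tcp", 22, "deny"), ("r2", "tcp", 80, "accept"), ("r3", "udp", 53, "accept"),
         ("r4", "tcp", 443, "accept"), ("r5", None, None, "deny")]
# Constructed offline trace: (proto, dport) of packets seen during one measurement period.
TRACE = ([("tcp", 443)] * 50 + [("udp", 53)] * 30 + [("tcp", 80)] * 15 + [("udp", 80)] * 5
         + [("tcp", 22)] * 3 + [("tcp", 25)] * 2)

def matches(rule, pkt):
    _, proto, port, _ = rule
    return (proto is None or proto == pkt[0]) and (port is None or port == pkt[1])

def linear_match(rules, pkt):
    """Classic first-match scan. Returns (rule_id, action, comparisons made)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule[0], rule[3], n
    raise ValueError("no rule matched")

def reorder_by_frequency(rules, trace):
    """Step 1: order the specific rules by how often each fired on the trace. This keeps every
    decision unchanged only because the set is anomaly-free (no overlaps); default stays last."""
    freq = Counter(linear_match(rules, pkt)[0] for pkt in trace)
    return sorted(rules[:-1], key=lambda r: -freq[r[0]]) + [rules[-1]]
def feature(pkt):
    return pkt[1]  # assumption: the stand-in classifier keys on destination port only

def train_predictor(rules, trace):
    """Step 2: per feature value, remember the rule that matched most often. A vote table stands
    in for the thesis's decision-tree classifier; it can be wrong, which step 3 must handle."""
    votes = defaultdict(Counter)
    for pkt in trace:
        votes[feature(pkt)][linear_match(rules, pkt)[0]] += 1
    return {f: c.most_common(1)[0][0] for f, c in votes.items()}

def predicted_match(rules, predictor, pkt):
    """Step 3: verify the predicted rule first (one comparison); on a miss or an unseen feature,
    fall back to the reordered linear scan, so the decision is always the firewall's own."""
    by_id = {r[0]: r for r in rules}
    guess = predictor.get(feature(pkt))
    if guess is None:
        return linear_match(rules, pkt)
    if matches(by_id[guess], pkt):
        return guess, by_id[guess][3], 1
    rid, action, n = linear_match(rules, pkt)
    return rid, action, n + 1  # the wasted prediction check is counted too

def total_comparisons(rules, trace, predictor=None):
    return sum((linear_match(rules, p) if predictor is None
                else predicted_match(rules, predictor, p))[2] for p in trace)
```

On the constructed trace the comparison count drops from 358 (original order) to 202 (frequency order) to 130 (prediction with fallback), while every packet still receives the same accept/deny decision.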
Keywords/Search Tags: network security, single firewall, policy anomaly, merging algorithm, data driven, rule classify, performance optimization