Technical field
The present invention relates to the field of communications, and in particular to a policy optimization device and method.
Background
With the growing popularity of the Internet, people can conveniently obtain information and resources, but they are also frequently subjected to attacks by viruses and hackers, so network security has received increasing attention. Firewalls are widely favoured as an effective means of protecting the internal network and isolating it from attacks originating on external networks.
As the number of firewall devices grows, the number of policies configured on firewalls is huge and continues to increase, and among the configured policies there are many that are contained in other policies or that duplicate one another. Policy management includes optimizing the policies configured on a firewall. Faced with so many policies of such complex configuration, policy management becomes extremely difficult.
In the prior art, policy optimization is usually performed by static configuration, that is, on the basis of the experience and historical data of policy administrators. This method has low efficiency and low accuracy, and it easily produces policies whose coverage is too broad. If the usage frequency of a policy is instead derived from the policy hit counter and the policy is optimized on that basis, the hit count recorded by the counter is a cumulative value with no notion of time, so when policies change frequently the usage frequency derived from the hit counter is inaccurate.
In summary, optimizing the policies configured on a firewall with the prior art suffers from low efficiency and low accuracy.
Summary of the invention
The present invention provides a policy optimization device and method for producing an optimization scheme for the policies configured on a firewall, thereby improving the efficiency and accuracy of policy management.
In a first aspect, the present invention provides a policy optimization device, comprising:
an information acquisition unit, configured to acquire the initial policy of a firewall and to acquire the traffic logs collected by a collector within a preset time range;
an intermediate policy generation unit, configured to flatten the initial policy according to one or more of the common objects in the initial policy acquired by the information acquisition unit, to generate an intermediate policy;
a traffic log record determination unit, configured to search the traffic logs acquired by the information acquisition unit according to the matching index of the intermediate policy generated by the intermediate policy generation unit, to determine a plurality of traffic log records, the matching index comprising one or more of a policy identifier, a firewall identifier and the common objects;
a hit policy generation unit, configured to generate a plurality of hit policies according to the plurality of traffic log records determined by the traffic log record determination unit and the intermediate policy generated by the intermediate policy generation unit, each hit policy corresponding to one traffic log record and comprising that traffic log record and the intermediate policy;
an optimization scheme generation unit, configured to generate an optimization scheme for the initial policy according to the plurality of hit policies generated by the hit policy generation unit.
With reference to the first aspect, in a first possible implementation manner, before acquiring the initial policy of the firewall, the information acquisition unit is further configured to:
receive a policy optimization request message, the policy optimization request message comprising the identifier of the firewall and the preset time range.
With reference to the first aspect, in a second possible implementation manner, the common objects comprise at least one of an address set and a service protocol set;
when flattening the initial policy according to one or more of the common objects in the initial policy acquired by the information acquisition unit, the intermediate policy generation unit is specifically configured to perform at least one of the following operations:
splitting the address set in the initial policy into individual addresses; and
splitting the service protocol set in the initial policy into individual service protocols.
With reference to the first aspect, or the first or second possible implementation manner of the first aspect, in a third possible implementation manner, the optimization scheme generation unit is specifically configured to:
generate a condensed scheme for the initial policy according to the plurality of hit policies; or
generate a priority adjustment scheme for the initial policy according to the plurality of hit policies.
With reference to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, when generating the condensed scheme for the initial policy according to the plurality of hit policies, the optimization scheme generation unit is specifically configured to:
set merge parameters, the merge parameters comprising at least one of a source address, a destination address, a service protocol and a network segment range;
determine the merge parameters of each hit policy according to the traffic log record and the intermediate policy comprised in that hit policy;
merge those of the plurality of hit policies that have the same merge parameters, to generate one or more merged hit policies;
generate the condensed scheme for the initial policy according to the one or more merged hit policies.
With reference to the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, when setting the merge parameters, the optimization scheme generation unit is specifically configured to:
set a granularity weight, the granularity weight representing a risk level;
determine a source address weight, a destination address weight and a service protocol weight respectively according to the granularity weight;
determine the source address, the destination address and the service protocol respectively according to preset correspondences between source addresses, destination addresses and service protocols and their weights;
set the determined source address, destination address and service protocol as the merge parameters.
With reference to the third possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, when generating the priority adjustment scheme for the initial policy according to the plurality of hit policies, the optimization scheme generation unit is specifically configured to:
count, according to the plurality of hit policies, the usage frequency of the initial policy within the preset time range;
generate the priority adjustment scheme for the initial policy within the preset time range according to the usage frequency of the initial policy.
With reference to the first aspect or any one of the first to sixth possible implementation manners of the first aspect, in a seventh possible implementation manner of the first aspect, after the hit policy generation unit generates the plurality of hit policies according to the plurality of traffic log records determined by the traffic log record determination unit and the intermediate policy generated by the intermediate policy generation unit, the optimization scheme generation unit is further configured to:
determine, according to the plurality of hit policies generated by the hit policy generation unit, a security policy adjustment scheme within the preset time range based on the applications in the initial policy.
With reference to the seventh possible implementation manner of the first aspect, in an eighth possible implementation manner of the first aspect, when determining the security policy adjustment scheme within the preset time range based on the applications in the initial policy according to the plurality of hit policies generated by the hit policy generation unit, the optimization scheme generation unit is specifically configured to:
determine the application identifiers in the plurality of hit policies;
count the usage frequency of each application identifier across the plurality of hit policies;
determine, according to the usage frequency of each application identifier in the plurality of hit policies and a preset correspondence between applications and security policies, the security policy adjustment scheme within the preset time range for the application corresponding to each application identifier.
In a second aspect, the present invention provides a policy optimization method, comprising:
acquiring the initial policy of a firewall, and acquiring the traffic logs collected by a collector within a preset time range;
flattening the initial policy according to one or more of the common objects in the initial policy, to obtain an intermediate policy;
searching the traffic logs according to the matching index of the intermediate policy, to obtain a plurality of traffic log records, the matching index comprising one or more of a policy identifier, a firewall identifier and the common objects;
generating a plurality of hit policies according to the plurality of traffic log records and the intermediate policy, each hit policy corresponding to one traffic log record and comprising that traffic log record and the intermediate policy;
generating an optimization scheme for the initial policy according to the plurality of hit policies.
With reference to the second aspect, in a first possible implementation manner, before acquiring the initial policy of the firewall, the method further comprises:
receiving a policy optimization request message, the policy optimization request message comprising the identifier of the firewall and the preset time range.
With reference to the second aspect, in a second possible implementation manner, the common objects comprise at least one of an address set and a service protocol set;
flattening the initial policy according to one or more of the common objects in the initial policy comprises at least one of the following operations:
splitting the address set in the initial policy into individual addresses; and
splitting the service protocol set in the initial policy into individual service protocols.
With reference to the second aspect, or the first or second possible implementation manner of the second aspect, in a third possible implementation manner, generating the optimization scheme for the initial policy according to the plurality of hit policies comprises:
generating a condensed scheme for the initial policy according to the plurality of hit policies; or
generating a priority adjustment scheme for the initial policy according to the plurality of hit policies.
With reference to the third possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, generating the condensed scheme for the initial policy according to the plurality of hit policies comprises:
setting merge parameters, the merge parameters comprising at least one of a source address, a destination address, a service protocol and a network segment range;
determining the merge parameters of each hit policy according to the traffic log record and the intermediate policy comprised in that hit policy;
merging those of the plurality of hit policies that have the same merge parameters, to generate one or more merged hit policies;
generating the condensed scheme for the initial policy according to the one or more merged hit policies.
With reference to the fourth possible implementation manner of the second aspect, in a fifth possible implementation manner of the second aspect, setting the merge parameters comprises:
setting a granularity weight, the granularity weight representing a risk level;
determining a source address weight, a destination address weight and a service protocol weight respectively according to the granularity weight;
determining the source address, the destination address and the service protocol respectively according to preset correspondences between source addresses, destination addresses and service protocols and their weights;
setting the determined source address, destination address and service protocol as the merge parameters.
With reference to the third possible implementation manner of the second aspect, in a sixth possible implementation manner of the second aspect, generating the priority adjustment scheme for the initial policy according to the plurality of hit policies comprises:
counting, according to the plurality of hit policies, the usage frequency of the initial policy within the preset time range;
generating the priority adjustment scheme for the initial policy within the preset time range according to the usage frequency of the initial policy.
With reference to the second aspect or any one of the first to sixth possible implementation manners of the second aspect, in a seventh possible implementation manner of the second aspect, after generating the plurality of hit policies according to the plurality of traffic log records and the intermediate policy, the method further comprises:
determining, according to the plurality of hit policies, a security policy adjustment scheme within the preset time range based on the applications in the initial policy.
With reference to the seventh possible implementation manner of the second aspect, in an eighth possible implementation manner of the second aspect, determining the security policy adjustment scheme within the preset time range based on the applications in the initial policy according to the plurality of hit policies comprises:
determining the application identifiers in the plurality of hit policies;
counting the usage frequency of each application identifier across the plurality of hit policies;
determining, according to the usage frequency of each application identifier in the plurality of hit policies and a preset correspondence between applications and security policies, the security policy adjustment scheme within the preset time range for the application corresponding to each application identifier.
In the present invention, the initial policy of a firewall and the traffic logs collected by a collector within a preset time range are acquired; the initial policy is flattened according to one or more of its common objects to obtain an intermediate policy; the traffic logs are searched according to the matching index of the intermediate policy to obtain a plurality of traffic log records; a plurality of hit policies are generated from the traffic log records and the intermediate policy; and an optimization scheme for the initial policy is generated from the hit policies. The initial policy of the firewall can then be optimized according to the generated scheme, which improves the efficiency and accuracy of firewall policy management. Because the optimization scheme is generated on the basis of a preset time range, it is more accurate than existing policy optimization schemes.
Brief description of the drawings
FIG. 1 is a schematic structural diagram of a policy optimization device provided by an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a policy optimization method provided by an embodiment of the present invention;
FIG. 3 is a schematic flowchart of another policy optimization method provided by an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a method for generating a condensed scheme for an initial policy according to a preset granularity, provided by an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of another policy optimization device provided by an embodiment of the present invention.
Detailed description
Embodiments of the present invention provide a policy optimization device and method for producing an optimization scheme for the policies configured on a firewall, thereby improving the efficiency and accuracy of policy management.
As shown in FIG. 1, an embodiment of the present invention provides a policy optimization device, comprising:
an information acquisition unit 11, configured to acquire the initial policy of a firewall and to acquire the traffic logs collected by a collector within a preset time range;
an intermediate policy generation unit 12, configured to flatten the initial policy according to one or more of the common objects in the initial policy acquired by the information acquisition unit 11, to generate an intermediate policy;
a traffic log record determination unit 13, configured to search the traffic logs acquired by the information acquisition unit 11 according to the matching index of the intermediate policy generated by the intermediate policy generation unit 12, to determine a plurality of traffic log records, the matching index comprising one or more of a policy identifier, a firewall identifier and the common objects;
a hit policy generation unit 14, configured to generate a plurality of hit policies according to the plurality of traffic log records determined by the traffic log record determination unit 13 and the intermediate policy generated by the intermediate policy generation unit 12, each hit policy corresponding to one traffic log record and comprising that traffic log record and the intermediate policy;
an optimization scheme generation unit 15, configured to generate an optimization scheme for the initial policy according to the plurality of hit policies generated by the hit policy generation unit 14.
Preferably, before acquiring the initial policy of the firewall, the information acquisition unit 11 is further configured to:
receive a policy optimization request message, the policy optimization request message comprising the identifier of the firewall and the preset time range.
Preferably, the common objects comprise at least one of an address set and a service protocol set;
when flattening the initial policy according to one or more of the common objects in the initial policy acquired by the information acquisition unit 11, the intermediate policy generation unit 12 is specifically configured to perform at least one of the following operations:
splitting the address set in the initial policy into individual addresses; and
splitting the service protocol set in the initial policy into individual service protocols.
Preferably, the optimization scheme generation unit 15 is specifically configured to:
generate a condensed scheme for the initial policy according to the plurality of hit policies; or
generate a priority adjustment scheme for the initial policy according to the plurality of hit policies.
Preferably, when generating the condensed scheme for the initial policy according to the plurality of hit policies, the optimization scheme generation unit 15 is specifically configured to:
set merge parameters, the merge parameters comprising at least one of a source address, a destination address, a service protocol and a network segment range;
determine the merge parameters of each hit policy according to the traffic log record and the intermediate policy comprised in that hit policy;
merge those of the plurality of hit policies that have the same merge parameters, to generate one or more merged hit policies;
generate the condensed scheme for the initial policy according to the one or more merged hit policies.
Preferably, when setting the merge parameters, the optimization scheme generation unit 15 is specifically configured to:
set a granularity weight, the granularity weight representing a risk level;
determine a source address weight, a destination address weight and a service protocol weight respectively according to the granularity weight;
determine the source address, the destination address and the service protocol respectively according to preset correspondences between source addresses, destination addresses and service protocols and their weights;
set the determined source address, destination address and service protocol as the merge parameters.
Preferably, when generating the priority adjustment scheme for the initial policy according to the plurality of hit policies, the optimization scheme generation unit 15 is specifically configured to:
count, according to the plurality of hit policies, the usage frequency of the initial policy within the preset time range;
generate the priority adjustment scheme for the initial policy within the preset time range according to the usage frequency of the initial policy.
Preferably, after the hit policy generation unit 14 generates the plurality of hit policies according to the plurality of traffic log records determined by the traffic log record determination unit 13 and the intermediate policy generated by the intermediate policy generation unit 12, the optimization scheme generation unit 15 is further configured to:
determine, according to the plurality of hit policies generated by the hit policy generation unit 14, a security policy adjustment scheme within the preset time range based on the applications in the initial policy.
Preferably, when determining the security policy adjustment scheme within the preset time range based on the applications in the initial policy according to the plurality of hit policies generated by the hit policy generation unit 14, the optimization scheme generation unit 15 is specifically configured to:
determine the application identifiers in the plurality of hit policies;
count the usage frequency of each application identifier across the plurality of hit policies;
determine, according to the usage frequency of each application identifier in the plurality of hit policies and a preset correspondence between applications and security policies, the security policy adjustment scheme within the preset time range for the application corresponding to each application identifier.
The device in this embodiment may specifically be a server.
In Embodiment 1 of the present invention, the information acquisition unit 11 acquires the initial policy of the firewall and the traffic logs collected by the collector within the preset time range; the intermediate policy generation unit 12 flattens the initial policy according to one or more of the common objects in the initial policy acquired by the information acquisition unit 11, to obtain an intermediate policy; the traffic log record determination unit 13 searches the traffic logs acquired by the information acquisition unit 11 according to the matching index of the intermediate policy generated by the intermediate policy generation unit 12, to obtain a plurality of traffic log records; the hit policy generation unit 14 generates a plurality of hit policies from the traffic log records determined by the traffic log record determination unit 13 and the intermediate policy generated by the intermediate policy generation unit 12; and the optimization scheme generation unit 15 generates an optimization scheme for the initial policy from the hit policies generated by the hit policy generation unit 14. The initial policy of the firewall can then be optimized according to the generated scheme, which improves the efficiency and accuracy of firewall policy management.
The firewall policies and traffic logs of the embodiments of the present invention are briefly described below.
Firewall policy: the policy of a firewall device is used to filter the packets passing through the firewall and to perform content security inspection on them. A policy can be generated from one or more elements of the five-tuple (source address, source port, destination address, destination port, protocol number) together with other information.
Traffic log: the firewall is deployed between the external network and the protected network, and a session is created whenever traffic passes through it. After a session has aged out, the firewall records a traffic log. A traffic log contains the five-tuple, user, application, attack type and related information; by examining traffic logs an administrator learns the traffic characteristics of the network and how the current security policy configuration is taking effect. Take Syslog as an example: Syslog, often called the system log, is a standard for conveying log messages over Internet protocols such as the Transmission Control Protocol (TCP) and the Internet Protocol (IP). An example Syslog record follows:
<187>2012-03-07 16:23:07 Eudemon8000E-X3 %%01SEC/4/POLICYDENY(l):protocol=1,source-ip=21.21.21.1,source-port=1024,destination-ip=21.21.21.1,destination-port=208,time=2000/04/02 06:24:42,interzone-trust(public)-local(public) inbound,policy=0
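The record above already carries everything the matching index needs: the policy identifier (`policy=0`), the firewall identifier (taken here from the host field) and the five-tuple. The following parser is an added example written for this page, not code from the patent; the input is the record shown above with its spaces restored, and the dataclass field names and the `match_index` layout are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the Syslog record quoted in the text, with the spaces that
# the extraction dropped restored (date/time, host, zone pair).
SAMPLE_RECORD = (
    "<187>2012-03-07 16:23:07 Eudemon8000E-X3 %%01SEC/4/POLICYDENY(l):"
    "protocol=1,source-ip=21.21.21.1,source-port=1024,"
    "destination-ip=21.21.21.1,destination-port=208,"
    "time=2000/04/02 06:24:42,interzone-trust(public)-local(public) inbound,policy=0"
)

# Header layout assumed from the sample: <PRI>timestamp host %%01MODULE/LEVEL/MNEMONIC(kind):body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"%%01(?P<module>[A-Z0-9]+)/(?P<level>\d)/(?P<mnemonic>[A-Z_]+)\((?P<kind>[a-z])\):"
    r"(?P<body>.*)$"
)

FIVE_TUPLE_KEYS = ("protocol", "source-ip", "source-port", "destination-ip", "destination-port")


@dataclass
class TrafficLogRecord:
    facility: int            # PRI // 8 (187 -> 23, local7)
    severity: int            # PRI % 8  (187 -> 3, error)
    timestamp: str
    firewall_id: str         # the host field is used as the firewall identifier (assumption)
    module: str
    level: int
    mnemonic: str
    five_tuple: dict
    policy_id: str
    zones: str               # the one positional field without '=' (interzone ... inbound)
    extra: dict = field(default_factory=dict)


def parse_record(line: str) -> TrafficLogRecord:
    """Parse one Syslog traffic log record into the fields used for policy matching."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not a recognised traffic log record")
    pri = int(m["pri"])
    kv, zones = {}, ""
    for part in m["body"].split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            kv[key.strip()] = value.strip()
        else:
            zones = part.strip()
    five_tuple = {k: kv.pop(k) for k in FIVE_TUPLE_KEYS if k in kv}
    if len(five_tuple) != len(FIVE_TUPLE_KEYS):
        raise ValueError("incomplete five-tuple in record")
    return TrafficLogRecord(
        facility=pri // 8, severity=pri % 8, timestamp=m["ts"], firewall_id=m["host"],
        module=m["module"], level=int(m["level"]), mnemonic=m["mnemonic"],
        five_tuple=five_tuple, policy_id=kv.pop("policy", ""), zones=zones, extra=kv,
    )


def match_index(rec: TrafficLogRecord) -> tuple:
    """Matching-index key: policy id, firewall id, then the address and service objects."""
    ft = rec.five_tuple
    return (rec.policy_id, rec.firewall_id, ft["source-ip"], ft["destination-ip"],
            (ft["protocol"], ft["destination-port"]))


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec)
    print(match_index(rec))
```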
As shown in FIG. 2, an embodiment of the present invention provides a policy optimization method, which may be executed by a server, the method comprising:
S21. Acquire the initial policy of a firewall, and acquire the traffic logs collected by a collector within a preset time range;
S22. Flatten the initial policy according to one or more of the common objects in the initial policy, to obtain an intermediate policy;
S23. Search the traffic logs according to the matching index of the intermediate policy, to obtain a plurality of traffic log records, the matching index comprising one or more of a policy identifier, a firewall identifier and the common objects;
S24. Generate a plurality of hit policies according to the plurality of traffic log records and the intermediate policy, each hit policy corresponding to one traffic log record and comprising that traffic log record and the intermediate policy;
S25. Generate an optimization scheme for the initial policy according to the plurality of hit policies.
较佳地,在S21获取防火墙的初始策略之前,所述方法还包括:Preferably, before S21 acquiring the initial policy of the firewall, the method further includes:
接收策略优化请求消息,所述策略优化请求消息包括所述防火墙的标识和预设时间范围。A policy optimization request message is received, where the policy optimization request message includes the identifier of the firewall and a preset time range.
较佳地,所述公共对象包括地址集和服务协议集中的至少一个;Preferably, the public object includes at least one of an address set and a service protocol set;
S22中根据所述初始策略中的公共对象中的一个或多个,对所述初始策略进行扁平化处理,包括以下操作中的至少一个:In S22, flattening the initial policy according to one or more of the public objects in the initial policy includes at least one of the following operations:
将所述初始策略中的地址集拆分成单个地址;和splitting the set of addresses in said initial policy into individual addresses; and
将所述初始策略中的服务协议集拆分成单个服务协议。Splitting the set of service agreements in the initial policy into individual service agreements.
Specifically, if the public object used to flatten the initial policy is an address set: the source or destination address referenced by the initial policy's public objects exists as an address set, whereas a source or destination address in a traffic log is a single address, so the address set in the initial policy must be split into single addresses before it can be matched against the traffic log. Likewise, if the public object used to flatten the initial policy is a service protocol set: the service protocols referenced by the initial policy's public objects exist as a set, whereas a traffic log carries a single service protocol, so the service protocol set in the initial policy must be split into single service protocols before it can be matched against the traffic log.
Preferably, generating the optimization scheme of the initial policy from the multiple hit policies in S25 includes:
generating a simplification scheme for the initial policy according to the multiple hit policies; or
generating a priority adjustment scheme for the initial policy according to the multiple hit policies.
Preferably, generating the simplification scheme of the initial policy according to the multiple hit policies includes:
setting merge parameters, the merge parameters including at least one of source address, destination address, service protocol and network segment range;
determining the merge parameters of each hit policy according to the traffic log record it contains and the intermediate policy;
merging those of the multiple hit policies that have the same merge parameters to produce one or more merged hit policies;
generating the simplification scheme of the initial policy according to the one or more merged hit policies.
Specifically, the method of setting the merge parameters includes:
setting a granularity weight, the granularity weight representing a risk level;
determining a source address weight, a destination address weight and a service protocol weight according to the granularity weight;
determining the source address, the destination address and the service protocol according to the preset correspondence between source addresses, destination addresses, service protocols and weights;
setting the determined source address, destination address and service protocol as the merge parameters.
Preferably, generating the priority adjustment scheme of the initial policy according to the multiple hit policies includes:
counting, according to the multiple hit policies, the usage frequency of the initial policy within the preset time range;
generating, according to that usage frequency, a priority adjustment scheme for the initial policy within the preset time range.
Preferably, after the multiple hit policies are generated in S24 according to the multiple traffic log records and the intermediate policy, the method further includes:
determining, according to the multiple hit policies, a security policy adjustment scheme within the preset time range that is based on the applications in the initial policy.
Preferably, determining the application-based security policy adjustment scheme within the preset time range according to the multiple hit policies includes:
determining the application identifiers in the multiple hit policies;
counting the usage frequency of each application identifier across the multiple hit policies;
determining, according to the usage frequency of each application identifier and a preset correspondence between applications and security policies, a security policy adjustment scheme within the preset time range for the application corresponding to each application identifier.
In this embodiment of the present invention, the server obtains the initial policy of the firewall and the traffic logs collected by the collector within a preset time range; flattens the initial policy according to one or more of its public objects to obtain an intermediate policy; searches the traffic logs by the match index of the intermediate policy to obtain multiple traffic log records; generates multiple hit policies from those records and the intermediate policy; and generates an optimization scheme for the initial policy from the hit policies. The firewall's initial policy can then be optimized according to that scheme, improving the efficiency and accuracy of firewall policy management. Because the optimization scheme is generated over a preset time range, it is more accurate than existing policy optimization schemes.
Building on the policy optimization method of Figure 2, and as shown in Figure 3, an embodiment of the present invention provides another policy optimization method:
S301. Determine a preset time range and a firewall identifier.
The preset time range indicates which traffic logs collected by the collector are to be obtained, for example the traffic logs collected during the past month; the traffic logs include dataflow logs and Syslog logs. The firewall identifier indicates that the initial policy of the firewall with that identifier is to be obtained. The preset time range and the firewall identifier may be determined from a policy optimization request message sent by the administrator, who sets both in advance.
S302. Obtain the initial policy of the firewall corresponding to the firewall identifier, and obtain the traffic logs collected by the collector within the preset time range.
The obtained traffic logs may contain multiple traffic log records, and one or more initial policies may be obtained. This embodiment is described for a single initial policy; when several are obtained, each is processed in the same way. Each traffic log record includes a policy identifier, a firewall identifier (identifying which firewall the record came from) and public objects, among other information; the initial policy includes a policy identifier, a firewall identifier and the public objects it references, among other information. There are one or more public objects, for example address sets, time periods and service sets, where an address set is a set of IP addresses and a service set is a set of protocols and ports; for the common Hypertext Transfer Protocol (HTTP) service, for instance, the protocol is HTTP and the port is 80.
The collector collects traffic logs periodically and groups together the logs whose collection time falls into the same period, so as to shorten the time needed to search them and improve query efficiency. For example, the collector collects traffic logs every 5 minutes and, according to their collection time, groups the logs collected within the same hour together and the logs collected within the same day together; besides units such as one hour or one day, a period may also be, say, three hours or 5 days. Preferably the collector stores the grouped traffic logs in a single table, each entry of which represents one traffic log record.
S303. Flatten the initial policy according to one or more of its public objects to obtain an intermediate policy.
The public objects include at least one of an address set and a service protocol set.
If the public object used to flatten the initial policy is an address set: the source or destination address referenced by the initial policy's public objects exists as an address set, whereas a source or destination address in a traffic log is a single address, so the address set in the initial policy's public objects must be split into single addresses before it can be matched against the traffic log. In that case S303 specifically includes splitting the address set in the initial policy into single addresses to obtain the intermediate policy.
If the public object used to flatten the initial policy is a service protocol set: the service protocols referenced by the initial policy's public objects exist as a set, whereas a traffic log carries a single service protocol, so the service protocol set in the initial policy's public objects must be split into single service protocols before it can be matched against the traffic log. In that case S303 specifically includes splitting the service protocol set in the initial policy into single service protocols to obtain the intermediate policy.
It should be noted that, besides address sets and/or service protocol sets, the public objects also include other sets, such as user groups, application groups and time periods; in the embodiments of the present invention the initial policy may be flattened according to any one or more of its public objects.
S304. Search the traffic logs according to the match index of the intermediate policy to obtain multiple traffic log records.
Specifically, part of the information in the intermediate policy can be used as a match index for looking up traffic logs. The match index includes one or more of a policy identifier, a firewall identifier and the public objects. The policy identifier is the same as that of the initial policy; the firewall identifier identifies which firewall the initial policy came from; and the public objects are one or more of the public objects of the initial policy. Note that the match index is not limited to the policy identifier, firewall identifier and public objects and may contain other information.
S305. Generate multiple hit policies according to the multiple traffic log records and the intermediate policy.
Each hit policy corresponds to one traffic log record and includes that record together with the intermediate policy. Preferably, a hit policy is stored in the following data structure, every field of which is taken from the matched traffic log record or from the intermediate policy:
#include <list>
#include <string>

struct HitPolicyResult
{
    unsigned long time;              // collection time of the traffic log in the hit policy
    unsigned long deviceId;          // firewall identifier
    unsigned long policyId;          // policy identifier
    unsigned long amount;            // number of times the policy was hit
    unsigned long protoclId;         // protocol identifier
    unsigned long useId;             // user identifier
    unsigned long appId;             // application identifier
    std::string action;              // action
    std::string interzone;           // security inter-zone
    std::string direction;           // zone direction
    std::string srcip;               // source IP
    std::string dstip;               // destination IP
    std::string srcport;             // source port
    std::string dstport;             // destination port
    std::string protocol;            // protocol
    std::string user;                // user
    std::list<std::string> secProf;  // security applications to which this hit policy applies
};
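An added illustration in Python of steps S303 to S305, not code from the patent: an address set is split into single addresses, collector records are looked up by the match index (firewall identifier, policy identifier and the flattened public objects), and one hit policy is produced per matching record. The data model, field names and sample records are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


# Constructed data model for this demo; the field names are hypothetical, not the patent's.
@dataclass
class InitialPolicy:
    device_id: int                      # firewall identifier
    policy_id: int                      # policy identifier
    action: str                         # permit / deny
    src_addr_set: List[str]             # address set: single IPs, CIDR blocks or "any"
    dst_addr_set: List[str]
    service_set: List[Tuple[int, int]]  # service set: (protocol number, destination port)


@dataclass
class IntermediatePolicy:
    device_id: int
    policy_id: int
    action: str
    src_addrs: Set[str]                 # flattened: one entry per single address
    dst_addrs: Set[str]
    services: Set[Tuple[int, int]]


@dataclass
class HitPolicyResult:
    """Subset of the page's HitPolicyResult fields that this demo fills."""
    time: int
    device_id: int
    policy_id: int
    amount: int
    protocol_id: int
    app_id: int
    action: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def expand_addresses(addr_set):
    """Split an address set into single addresses (the flattening step).
    A large block expands to many entries (a /8 is 16M addresses), so callers
    should bound the block sizes they accept."""
    out = set()
    for item in addr_set:
        if item == "any":
            out.add("any")
        else:
            out.update(str(ip) for ip in ipaddress.ip_network(item, strict=False))
    return out


def flatten(policy):
    """S303: flatten the address sets and the service set of the initial policy."""
    return IntermediatePolicy(policy.device_id, policy.policy_id, policy.action,
                              expand_addresses(policy.src_addr_set),
                              expand_addresses(policy.dst_addr_set),
                              set(policy.service_set))


def matches(inter, rec):
    """S304 match index: firewall id, policy id and the flattened public objects."""
    if rec["device_id"] != inter.device_id or rec["policy_id"] != inter.policy_id:
        return False
    if "any" not in inter.src_addrs and rec["src_ip"] not in inter.src_addrs:
        return False
    if "any" not in inter.dst_addrs and rec["dst_ip"] not in inter.dst_addrs:
        return False
    return (rec["protocol"], rec["dst_port"]) in inter.services


def generate_hit_policies(inter, log_records):
    """S305: one hit policy per matching record, carrying the record's fields plus
    the intermediate policy's action; amount is 1 because one record is one session."""
    return [HitPolicyResult(r["time"], r["device_id"], r["policy_id"], 1, r["protocol"],
                            r["app_id"], inter.action, r["src_ip"], r["dst_ip"],
                            r["src_port"], r["dst_port"])
            for r in log_records if matches(inter, r)]


# Constructed sample: one policy and five collector records (not taken from the page).
SAMPLE_POLICY = InitialPolicy(1, 7, "permit", ["10.1.2.0/30"], ["192.0.2.10"], [(6, 80), (6, 443)])


def _rec(t, dev, src, dport):
    return {"time": t, "device_id": dev, "policy_id": 7, "protocol": 6, "app_id": 100,
            "src_ip": src, "dst_ip": "192.0.2.10", "src_port": 40000 + t, "dst_port": dport}


SAMPLE_LOGS = [
    _rec(1, 1, "10.1.2.1", 80),    # matches
    _rec(2, 1, "10.1.2.2", 443),   # matches
    _rec(3, 1, "10.1.9.9", 80),    # source outside the address set
    _rec(4, 2, "10.1.2.1", 80),    # other firewall
    _rec(5, 1, "10.1.2.3", 25),    # service not in the service set
]

if __name__ == "__main__":
    for hit in generate_hit_policies(flatten(SAMPLE_POLICY), SAMPLE_LOGS):
        print(hit)
```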
S306. Generate the optimization scheme of the initial policy and an application-based security policy adjustment scheme according to the multiple hit policies.
The optimization scheme of the initial policy has two main parts: the simplification scheme and the priority adjustment scheme. The optimization scheme and the application-based security policy adjustment scheme are described in turn below.
1. Simplification scheme of the initial policy
The simplification scheme merges those of the multiple hit policies that have the same merge parameters, so that the initial policy is reduced to one or more merged hit policies; this simplifies the initial policy and narrows its coverage.
The merge parameters may be at least one of source address, destination address, service protocol and network segment. For example, the hit policies that share the same source address are merged to form several merged hit policies, and the scheme reduces the initial policy to those merged hit policies.
An embodiment of the present invention provides a method of generating the simplification scheme of the initial policy from a preset granularity, shown in Figure 4, whose flow is as follows:
S401. Set a granularity weight.
Granularity is an abstract numerical measure of the scope a policy grants access to. The granularity weight is a value computed mainly from the source address weight, the destination address weight and the service protocol weight, the source address, destination address and service protocol being the merge parameters used to merge hit policies. Once the granularity weight is set, the ranges of the source address weight, destination address weight and service protocol weight can be determined from it, which in turn determine the source address, destination address and service protocol; the hit policies are merged according to those into one or more merged hit policies, from which the simplification scheme of the initial policy is generated.
The larger the granularity weight, the wider the coverage of the hit policies merged with it and the greater the security exposure; the smaller the granularity weight, the narrower the coverage of the merged hit policies and the smaller the exposure. Specifically, the relation between the granularity weight and the source address, destination address and service protocol can be expressed by the formula
Pv = Sa + Da + Sp
where Pv is the granularity weight, with a range of 1 to 100;
Sa is the source address weight, with a range of 1 to 40. The correspondence between the source address weight and the source address is: a weight of 40 corresponds to any address (denoted any); 30 to a class A subnet address; 20 to a class B subnet address; 10 to a class C subnet address; and 1 to a single address.
Here a subnet (communication subnet) is an independent communication system made up of node computers and communication links used for information exchange; it carries the data transmission, switching, processing and exchange of the whole network. The Internet organizations define five classes of Internet Protocol (IP) address, of which there are three basic types, class A, B and C subnet addresses, distinguished by the first group of digits of the network number: 1 to 126 for class A, 128 to 191 for class B and 192 to 223 for class C. For example, the network number 202.206.64--79 has 202 as its first group, so 202.206.64.34 is a class C subnet address, while 159.266.1.1 is a class B subnet address.
Da is the destination address weight, with a range of 1 to 40. The correspondence between the destination address weight and the destination address is: a weight of 40 corresponds to any address (denoted any); 30 to a class A subnet address; 20 to a class B subnet address; 10 to a class C subnet address; and 1 to a single address.
Sp is the service protocol weight, with a range of 1 to 20. A weight of 20 corresponds to any protocol (denoted any), and a weight of 1 to a single protocol.
A granularity weight of 1 to 20 corresponds to a low security risk level, 21 to 30 to a medium level, and 41 to 100 to a high level.
The correspondence between granularity, source address, destination address, service protocol and security risk level is preset and may be as shown in Table 1:
Table 1
It should be noted that the weights are not limited to the values given in this embodiment and may be set according to the actual situation.
S402. Determine the source address weight, the destination address weight and the service protocol weight according to the granularity weight.
S403. Determine the source address, the destination address and the service protocol according to the preset correspondence between source addresses, destination addresses, service protocols and weights.
Specifically, depending on the actual situation, the source address weight, destination address weight and service protocol weight determined from the granularity weight in S402 may differ, and S403 then determines the source address, destination address and service protocol from the preset correspondence. For example, when the granularity weight is 31, the source address weight, destination address weight and service protocol weight may be set to 1, 10 and 20, so that the source address, destination address and service protocol are a single address, a class C subnet address and any protocol respectively; with the same granularity weight of 31 they may instead be set to 10, 1 and 20, so that the source address, destination address and service protocol are a class C subnet address, a single address and any protocol respectively.
S404. Merge those of the multiple hit policies that have the determined source address, destination address and service protocol to obtain one or more merged hit policies, and generate the simplification scheme of the initial policy.
The simplification scheme specifically consists in reducing the initial policy to the one or more merged hit policies.
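The weight tables and the merge step of S401 to S404 as an added Python example, not the patent's own code. It assumes the classful default prefixes (/8, /16, /24) for the class A, B and C address forms, which the text does not state, and it enumerates every (Sa, Da, Sp) split of a given Pv rather than only the two splits the text mentions; the hit policies are constructed.

```python
import ipaddress
from collections import defaultdict

# Weight tables as the text gives them (Table 1 itself is not reproduced on the page).
ADDRESS_WEIGHTS = {40: "any", 30: "class_a", 20: "class_b", 10: "class_c", 1: "single"}
SERVICE_WEIGHTS = {20: "any", 1: "single"}
# Assumption: the class A/B/C forms are taken as the classful default prefixes /8, /16, /24.
CLASS_PREFIX = {"class_a": 8, "class_b": 16, "class_c": 24}


def granularity_weight(sa, da, sp):
    """Pv = Sa + Da + Sp, with each term restricted to the preset tables."""
    if sa not in ADDRESS_WEIGHTS or da not in ADDRESS_WEIGHTS or sp not in SERVICE_WEIGHTS:
        raise ValueError("weight not in the preset tables")
    return sa + da + sp


def risk_level(pv):
    """Risk bands exactly as the text states them; 31..40 is not assigned there."""
    if 1 <= pv <= 20:
        return "low"
    if 21 <= pv <= 30:
        return "medium"
    if 41 <= pv <= 100:
        return "high"
    return "unassigned"


def decompose(pv):
    """S402: every (Sa, Da, Sp) triple from the tables that sums to Pv. The split is
    not unique (the text gives 31 = 1+10+20 and 31 = 10+1+20)."""
    return sorted((sa, da, sp) for sa in ADDRESS_WEIGHTS for da in ADDRESS_WEIGHTS
                  for sp in SERVICE_WEIGHTS if sa + da + sp == pv)


def generalize_address(ip, weight):
    """S403: the address form a weight selects for a single address from a hit policy."""
    kind = ADDRESS_WEIGHTS[weight]
    if kind == "any":
        return "any"
    if kind == "single":
        return ip
    return str(ipaddress.ip_network(f"{ip}/{CLASS_PREFIX[kind]}", strict=False))


def generalize_service(protocol, dst_port, weight):
    return "any" if SERVICE_WEIGHTS[weight] == "any" else f"{protocol}/{dst_port}"


def merge_hit_policies(hits, sa, da, sp):
    """S404: merge hit policies that share the same merge parameters. Each hit is a
    dict with src_ip, dst_ip, protocol, dst_port and action (constructed shape).
    Differing actions inside one merged entry are kept visible rather than collapsed,
    since a merged rule that mixes permit and deny needs a human decision."""
    groups = defaultdict(lambda: {"hits": 0, "actions": set()})
    for h in hits:
        key = (generalize_address(h["src_ip"], sa), generalize_address(h["dst_ip"], da),
               generalize_service(h["protocol"], h["dst_port"], sp))
        groups[key]["hits"] += 1
        groups[key]["actions"].add(h["action"])
    return [{"src": k[0], "dst": k[1], "service": k[2],
             "hits": v["hits"], "actions": sorted(v["actions"])}
            for k, v in sorted(groups.items())]


# Constructed hit policies for the demo.
SAMPLE_HITS = [
    {"src_ip": "10.1.2.1", "dst_ip": "192.0.2.10", "protocol": 6, "dst_port": 80, "action": "permit"},
    {"src_ip": "10.1.2.2", "dst_ip": "192.0.2.10", "protocol": 6, "dst_port": 443, "action": "permit"},
    {"src_ip": "10.1.2.3", "dst_ip": "192.0.2.10", "protocol": 6, "dst_port": 80, "action": "permit"},
    {"src_ip": "10.1.7.4", "dst_ip": "192.0.2.10", "protocol": 6, "dst_port": 80, "action": "permit"},
]

if __name__ == "__main__":
    pv = granularity_weight(10, 1, 20)
    print(pv, risk_level(pv), decompose(pv))
    for entry in merge_hit_policies(SAMPLE_HITS, 10, 1, 20):
        print(entry)
```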
2. Priority adjustment scheme of the initial policy
The priority adjustment scheme counts, from the multiple hit policies, the usage frequency of the initial policy within the preset time range, and generates from that frequency a priority adjustment scheme for the initial policy within the preset time range.
Specifically, when the initial policy is used frequently within the preset time range, a scheme to raise its priority within that range is generated; when it is used infrequently, a scheme to lower its priority within that range is generated; and when it is not used at all within the preset time range, a scheme to lower its priority or to delete it within that range is generated. The correspondence between the usage frequency of the initial policy and the adjustment of its priority may be set from experience or historical data and is not limited in this embodiment.
3. Application-based security policy adjustment scheme
The application-based security policy adjustment scheme counts, over the multiple hit policies, how many times each application identifier occurs within the preset time range and, combined with the correspondence between applications and security policies, proposes a security policy adjustment for each application in the initial policy within that range.
The more often an application identifier occurs in the hit policies within the preset time range, the more frequently the corresponding application was used in that period. For example: if peer-to-peer (P2P) download applications were used frequently within the preset time range, the adjustment scheme recommends that the administrator enable Uniform Resource Locator (URL) filtering and application behaviour filtering; if Simple Mail Transfer Protocol (SMTP) applications were used frequently, it recommends enabling mail filtering and content security filtering.
The correspondence between applications and security policies gives, for any application, the security policy to adopt when that application is enabled. It is set from historical data and the administrator's policy management experience and can be maintained in real time, including adding and deleting entries. It uses the following data structure:
#include <string>

struct appProfile
{
    std::string application;  // application
    std::string secPorfile;   // security policy content
};
An example list of correspondences between applications and security policies is given in Table 2:
Table 2
It should be noted that the data structure of the correspondence between applications and security policies is not limited to the one given in this embodiment, and the list of correspondences is not limited to Table 2.
In this embodiment, the server obtains the firewall's initial policy and the traffic logs collected by the collector within a preset time range; flattens the initial policy according to one or more of the public objects in it to obtain an intermediate policy; looks up the traffic logs by the matching index of the intermediate policy to obtain multiple traffic log records; generates multiple hit policies from those traffic log records and the intermediate policy; and, from the hit policies, generates an optimization scheme for the initial policy and a security policy adjustment scheme based on the applications in the initial policy. The firewall's initial policy can then be optimized according to both the generated optimization scheme and the application-based security policy adjustment scheme, improving the efficiency and accuracy of firewall policy management.
As shown in Figure 5, an embodiment of the present invention provides another policy optimization device, comprising:
a processor 51, configured to obtain the initial policy of a firewall and the traffic logs collected by a collector within a preset time range;
a memory 52, configured to store the initial policy of the firewall obtained by the processor 51 and the traffic logs collected by the collector within the preset time range;
the processor 51 being further configured to flatten the initial policy stored in the memory 52 according to one or more of the public objects in that initial policy, generating an intermediate policy; to look up the traffic logs stored in the memory 52 by the matching index of the intermediate policy and determine multiple traffic log records, the matching index comprising a policy identifier, a firewall identifier and one or more of the public objects; to generate multiple hit policies from the multiple traffic log records and the intermediate policy, each hit policy corresponding to one traffic log record and comprising that traffic log record and the intermediate policy; and to generate an optimization scheme for the initial policy from the multiple hit policies.
The memory 52 is further configured to store the optimization scheme of the initial policy generated by the processor 51.
Preferably, the device further comprises a transceiver 53, configured to receive a policy optimization request message before the processor 51 obtains the initial policy of the firewall, the policy optimization request message including the identifier of the firewall and the preset time range;
the processor 51 being further configured to determine the policy optimization request message received by the transceiver 53.
Preferably, the public objects include at least one of an address set and a service protocol set;
when flattening the initial policy according to one or more of the public objects in it, the processor 51 is specifically configured to perform at least one of the following operations:
splitting the address sets in the initial policy into single addresses; and
splitting the service protocol sets in the initial policy into single service protocols.
Preferably, when generating the optimization scheme of the initial policy from the multiple hit policies, the processor 51 is specifically configured to:
generate a condensed scheme of the initial policy from the multiple hit policies; or
generate a priority adjustment scheme of the initial policy from the multiple hit policies.
Preferably, when generating the condensed scheme of the initial policy from the multiple hit policies, the processor 51 is specifically configured to:
set merge parameters, the merge parameters including at least one of a source address, a destination address, a service protocol and a network segment range;
determine the merge parameters of each hit policy from the traffic log record included in that hit policy and the intermediate policy;
merge those of the multiple hit policies that have identical merge parameters, generating one or more merged hit policies; and
generate the condensed scheme of the initial policy from the one or more merged hit policies.
Preferably, when setting the merge parameters, the processor 51 is specifically configured to:
set a granularity weight, the granularity weight representing a risk level;
determine a source address weight, a destination address weight and a service protocol weight from the granularity weight;
determine the source address, the destination address and the service protocol from the preset correspondences between source addresses, destination addresses, service protocols and weights; and
set the determined source address, destination address and service protocol as the merge parameters.
Preferably, when generating the priority adjustment scheme of the initial policy from the multiple hit policies, the processor 51 is specifically configured to:
count, from the multiple hit policies, the usage frequency of the initial policy within the preset time range; and
generate the priority adjustment scheme of the initial policy within the preset time range from that usage frequency.
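The following is an added example, not code from the patent, showing the processing chain the device performs: the address and service sets of an initial policy are flattened into an intermediate policy, the intermediate policy is joined to traffic-log records inside a preset time range through the matching index (firewall identifier, policy identifier and the flattened objects), hit policies are built, and from them a condensed policy (merged on a chosen granularity) and a priority adjustment are derived. The rule and log field names, the "exact" and "segment" granularities, and all sample data are assumptions made for this example.

```python
"""Added example (not code from the patent): flatten a firewall policy,
look up matching traffic-log records inside a preset time range, build hit
policies, and derive a condensed policy and a priority adjustment from them.
Rule and log field names and all sample data are assumptions for this example."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed initial policy. "src"/"dst" are address sets (host or CIDR
# address objects) and "service" is a service protocol set; those sets are
# the public objects that get flattened. Priorities are deliberately inverse
# to real usage so the priority adjustment has something to reorder.
INITIAL_POLICY = [
    {"policy_id": "P1", "firewall": "FW-A", "priority": 3, "action": "permit",
     "src": ["10.0.0.0/24"], "dst": ["192.168.1.10", "192.168.1.11"],
     "service": ["tcp/80", "tcp/443"]},
    {"policy_id": "P2", "firewall": "FW-A", "priority": 2, "action": "permit",
     "src": ["10.0.1.5"], "dst": ["192.168.1.10"], "service": ["tcp/25"]},
    {"policy_id": "P3", "firewall": "FW-A", "priority": 1, "action": "permit",
     "src": ["10.0.2.0/24"], "dst": ["192.168.2.0/24"], "service": ["udp/53"]},
]

# Constructed traffic log, one key=value record per line; the last record lies
# outside the window used below and must be ignored.
TRAFFIC_LOG = """\
2014-12-01T08:00:01 fw=FW-A policy=P1 src=10.0.0.7 dst=192.168.1.10 service=tcp/443 app=HTTPS
2014-12-01T08:00:05 fw=FW-A policy=P1 src=10.0.0.9 dst=192.168.1.10 service=tcp/80 app=HTTP
2014-12-01T08:01:00 fw=FW-A policy=P1 src=10.0.0.7 dst=192.168.1.11 service=tcp/443 app=HTTPS
2014-12-01T08:02:00 fw=FW-A policy=P2 src=10.0.1.5 dst=192.168.1.10 service=tcp/25 app=SMTP
2014-12-20T09:00:00 fw=FW-A policy=P1 src=10.0.0.7 dst=192.168.1.10 service=tcp/443 app=HTTPS
"""

def flatten(policy):
    """Intermediate policy: one entry per (src object, dst object, service)."""
    out = []
    for rule in policy:
        for src in rule["src"]:
            for dst in rule["dst"]:
                for svc in rule["service"]:
                    out.append({**rule, "src": src, "dst": dst, "service": svc})
    return out

def parse_log(text, start_iso, end_iso):
    """Parse records and keep only those inside the preset time range."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    records = []
    for line in text.splitlines():
        ts, *fields = line.split()
        when = datetime.fromisoformat(ts)
        if start <= when <= end:
            records.append(dict(f.split("=", 1) for f in fields))
    return records

def in_object(addr, obj):
    """Address object match: exact host, or membership in a CIDR object."""
    return ip_address(addr) in ip_network(obj, strict=False)

def hit_policies(intermediate, records):
    """Join each log record to the flattened entry it matches through the
    matching index: firewall id, policy id and the flattened objects."""
    hits = []
    for rule in intermediate:
        for rec in records:
            if (rec["fw"], rec["policy"]) != (rule["firewall"], rule["policy_id"]):
                continue
            if (rec["service"] == rule["service"] and in_object(rec["src"], rule["src"])
                    and in_object(rec["dst"], rule["dst"])):
                hits.append({"rule": rule, "record": rec})
    return hits

def merge_key(hit, granularity):
    """Merge parameters. The "segment" granularity collapses addresses to /24
    networks: fewer merged entries but wider coverage, i.e. higher risk."""
    rule = hit["rule"]
    def seg(a):
        net = ip_network(a, strict=False)
        return str(net if net.prefixlen <= 24 else net.supernet(new_prefix=24))
    if granularity == "segment":
        return (seg(rule["src"]), seg(rule["dst"]), rule["service"])
    return (rule["src"], rule["dst"], rule["service"])

def condense(hits, granularity="exact"):
    """Condensed policy: one merged entry per distinct merge key with its hit
    count, most used first. Entries never hit in the window are absent."""
    merged = Counter(merge_key(h, granularity) for h in hits)
    return sorted(merged.items(), key=lambda kv: -kv[1])

def priority_adjustment(hits, policy):
    """Reorder rules by usage frequency in the window, most used first;
    returns (policy_id, hits, new_priority) triples."""
    freq = Counter(h["rule"]["policy_id"] for h in hits)
    ordered = sorted(policy, key=lambda r: (-freq[r["policy_id"]], r["priority"]))
    return [(r["policy_id"], freq[r["policy_id"]], i + 1) for i, r in enumerate(ordered)]

if __name__ == "__main__":
    inter = flatten(INITIAL_POLICY)
    hits = hit_policies(inter, parse_log(TRAFFIC_LOG, "2014-12-01", "2014-12-07"))
    print(len(inter), "flattened entries,", len(hits), "hits in window")
    for key, n in condense(hits, "segment"):
        print("merged", key, "hits:", n)
    print("priority adjustment:", priority_adjustment(hits, INITIAL_POLICY))
```

Note the risk trade-off the granularity weight is meant to capture: with the "segment" granularity the single-host rule P2 (10.0.1.5) is merged into a 10.0.1.0/24 entry, so the condensed policy is shorter but permits more than the traffic observed, which is exactly the over-broad coverage the background section warns about. Rule P3, never hit in the window, does not appear in the condensed output and drops to the lowest priority in the adjustment.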
Preferably, after generating the multiple hit policies from the multiple traffic log records and the intermediate policy, the processor 51 is further configured to:
determine, from the multiple hit policies, a security policy adjustment scheme within the preset time range based on the applications in the initial policy.
Preferably, when determining the security policy adjustment scheme within the preset time range based on the applications in the initial policy from the multiple hit policies, the processor 51 is specifically configured to:
determine the application identifiers in the multiple hit policies;
count the usage frequency of each distinct application identifier across the multiple hit policies; and
determine, from the usage frequency of each application identifier in the multiple hit policies and the preset correspondence between applications and security policies, the security policy adjustment scheme for the application denoted by each application identifier within the preset time range.
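An added example, not code from the patent, of the application-based adjustment described here and in the P2P/SMTP examples earlier on this page: application identifiers are counted across the hit policies of one time window, and every application whose share of hits reaches a threshold is looked up in the application-to-security-policy correspondence. The two table entries mirror the examples in the text; the threshold (`min_share`), the hit-policy field names and the sample hits are assumptions made for this example.

```python
"""Added example (not code from the patent): application-based security
policy adjustment from hit policies in one time window. The correspondence
entries follow the P2P and SMTP examples in the text; the threshold, field
names and sample hits are assumptions for this example."""
from collections import Counter

# Application identifier -> security policy content to enable (the appProfile
# correspondence). Being a plain dict, entries can be added or removed at run
# time, as the text describes for real-time maintenance of the table.
APP_PROFILES = {
    "P2P":  ["URL filtering", "application behavior filtering"],
    "SMTP": ["mail filtering", "content security filtering"],
}

# Constructed hit policies: each pairs a flattened rule with the traffic-log
# record it matched; only the record's application identifier matters here.
HITS = [
    {"rule": {"policy_id": "P1"}, "record": {"app": "P2P"}},
    {"rule": {"policy_id": "P1"}, "record": {"app": "P2P"}},
    {"rule": {"policy_id": "P1"}, "record": {"app": "HTTP"}},
    {"rule": {"policy_id": "P1"}, "record": {"app": "HTTP"}},
    {"rule": {"policy_id": "P2"}, "record": {"app": "SMTP"}},
    {"rule": {"policy_id": "P2"}, "record": {"app": "SMTP"}},
    {"rule": {"policy_id": "P2"}, "record": {"app": "SMTP"}},
    {"rule": {"policy_id": "P4"}, "record": {"app": "DNS"}},
]

def app_frequency(hits):
    """Usage frequency of each application identifier within the window,
    expressed as its share of all hits."""
    counts = Counter(h["record"]["app"] for h in hits)
    total = sum(counts.values())
    return {app: n / total for app, n in counts.items()}

def adjustment_plan(hits, profiles=APP_PROFILES, min_share=0.25):
    """Recommend enabling the mapped security profile for every application
    whose share of hits reaches min_share, most used first. Frequent
    applications missing from the correspondence are returned separately so
    the administrator can extend the table."""
    plan, unmapped = {}, []
    for app, share in sorted(app_frequency(hits).items(), key=lambda kv: -kv[1]):
        if share < min_share:
            continue
        if app in profiles:
            plan[app] = {"share": round(share, 3), "enable": list(profiles[app])}
        else:
            unmapped.append(app)
    return plan, unmapped

if __name__ == "__main__":
    plan, unmapped = adjustment_plan(HITS)
    for app, rec in plan.items():
        print(f"{app}: {rec['share']:.0%} of hits -> enable {', '.join(rec['enable'])}")
    print("frequent but unmapped:", unmapped)
```

With the constructed hits, SMTP (3 of 8) and P2P (2 of 8) reach the threshold and get their profiles recommended, DNS falls below it, and HTTP is frequent but absent from the correspondence, which is the signal to add an entry rather than silently ignore the application.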
In Embodiment 4 of the present invention, the processor 51, the memory 52 and the transceiver 53 generate an optimization scheme for the initial policy and a security policy adjustment scheme based on the applications in the initial policy, and the firewall's initial policy can then be optimized according to both, improving the efficiency and accuracy of firewall policy management. Because the policy optimization scheme of the present invention is generated over a preset time range, it is more accurate than existing policy optimization schemes.

Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by that processor produce an apparatus for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in that memory produce an article of manufacture comprising instruction means which implement the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make further changes and modifications to these embodiments once they know the basic inventive concept. Therefore, the appended claims are intended to be construed as covering the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the embodiments of the present invention without departing from their scope. Thus, provided that these modifications and variations of the embodiments fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include them as well.
| Application Number | Publication Number | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN201410796184.7A | CN105791213B | 2014-12-18 | 2014-12-18 | Policy optimization device and method |
| Publication Number | Publication Date |
|---|---|
| CN105791213A | 2016-07-20 |
| CN105791213B | 2020-01-10 |
| Code | Title |
|---|---|
| C06 | Publication |
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |