Citation: LAI Qing-nan. AT4FP: An Anomaly Detection Tool for Security Policies in Operational Firewalls [J]. Computer Technology and Development, 2025, (06): 77-86. [doi:10.20165/j.cnki.ISSN1673-629X.2025.0030]

AT4FP: An Anomaly Detection Tool for Security Policies in Operational Firewalls

Computer Technology and Development [ISSN: 1006-6977 / CN: 61-1281/TN]

Issue:
2025, No. 06
Pages:
77-86
Column:
Cyberspace Security
Publication date:
2025-06-10

Article Info

Title:
AT4FP: An Anomaly Detection Tool for Security Policies in Operational Firewalls
Article number:
1673-629X(2025)06-0077-10
Author(s):
LAI Qing-nan 1,2
1. Computing Center, Peking University, Beijing 100871, China;
2. PKU-Changsha Institute for Computing and Digital Economy, Changsha 410205, Hunan, China
Keywords:
anomaly detection; security policies; algorithm design; automated operations and maintenance; cyber security
CLC number:
TP393
DOI:
10.20165/j.cnki.ISSN1673-629X.2025.0030
Abstract:
With the expansion of network scale and continuous business growth, the rapid increase in the number of firewall security policy rules poses significant challenges to network operation and maintenance teams. Policy conflicts and anomalies can lead to serious security vulnerabilities, so the development of effective policy analysis tools is crucial. We introduce a security policy analysis tool named AT4FP, which employs a detection algorithm based on interval trees and state diagrams. It is designed to quickly and accurately identify potential conflicts and anomalies between policies, thereby preventing potential security risks. To validate the effectiveness of the tool, we conducted experiments using both generated policy data and actual operational security policy data, and compared it with existing open-source security policy analysis tools. The results show that AT4FP significantly improves detection efficiency and practicality, effectively detecting and analyzing policy anomalies on real operational firewalls and providing valuable insights for maintenance personnel. Based on the AT4FP tool, we propose an Automated Firewall Policy Anomaly Resolution framework (AFPR). The framework interacts with firewalls through API interfaces, uses the AT4FP tool to identify anomalous policies, employs a policy engine for automated anomaly resolution, and monitors and verifies the outcome through policy matching logs, achieving full automation from detection to resolution and greatly improving the efficiency of handling anomalous policies.
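The abstract describes detecting conflicts and anomalies between firewall rules by reasoning over the address and port intervals the rules match. The following is an added illustration, not code from the paper or the AT4FP tool: it models each rule field as a closed integer interval, compares rules pairwise in evaluation order (first match wins), and reports the four classic inter-rule anomaly types (shadowing, redundancy, generalization, correlation). AT4FP indexes rules with an interval tree and a state diagram for speed; this example uses a plain O(n²) pairwise scan for clarity. The rule names, ranges and actions are constructed sample data.

```python
"""Simplified firewall policy anomaly detection by interval comparison.

Added illustration only; it is not the algorithm or code of AT4FP.
Each rule field is a closed integer interval (lo, hi); rule A "covers"
rule B when every field interval of A contains the matching one of B.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple      # (lo, hi) IPv4 address range as integers
    dst: tuple
    dport: tuple    # (lo, hi) destination port range
    proto: str      # 'tcp', 'udp' or 'any'
    action: str     # 'accept' or 'drop'


def cidr_to_range(cidr):
    """'10.0.0.0/24' -> (167772160, 167772415)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (int(net.network_address), int(net.broadcast_address))


def port_range(spec):
    """'any', '443' or '8000-9000' -> (lo, hi)."""
    if spec == "any":
        return (0, 65535)
    if "-" in spec:
        lo, hi = spec.split("-")
        return (int(lo), int(hi))
    return (int(spec), int(spec))


def make_rule(name, src, dst, dport, proto, action):
    return Rule(name, cidr_to_range(src), cidr_to_range(dst),
                port_range(dport), proto, action)


def _contains(a, b):   # interval a fully contains interval b
    return a[0] <= b[0] and b[1] <= a[1]


def _overlaps(a, b):   # intervals share at least one value
    return a[0] <= b[1] and b[0] <= a[1]


def covers(a, b):
    return (_contains(a.src, b.src) and _contains(a.dst, b.dst)
            and _contains(a.dport, b.dport)
            and (a.proto == "any" or a.proto == b.proto))


def intersects(a, b):
    return (_overlaps(a.src, b.src) and _overlaps(a.dst, b.dst)
            and _overlaps(a.dport, b.dport)
            and (a.proto == "any" or b.proto == "any" or a.proto == b.proto))


def find_anomalies(rules):
    """Rules in evaluation order. Returns (kind, earlier, later) tuples."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if not intersects(earlier, later):
                continue
            if covers(earlier, later):
                # 'later' can never match: all its traffic hits 'earlier' first
                kind = "shadowing" if earlier.action != later.action else "redundancy"
                found.append((kind, earlier.name, later.name))
            elif covers(later, earlier):
                if earlier.action != later.action:
                    # 'earlier' is a specific exception to the broader 'later'
                    found.append(("generalization", earlier.name, later.name))
                elif not any(r.action != earlier.action and intersects(r, earlier)
                             for r in rules[i + 1:j]):
                    # same action, nothing in between diverts 'earlier' traffic:
                    # 'earlier' could be removed without changing behaviour
                    found.append(("redundancy", earlier.name, later.name))
            elif earlier.action != later.action:
                # partial overlap with conflicting actions: order decides
                found.append(("correlation", earlier.name, later.name))
    return found


def sample_policy():
    """Constructed sample rule set exhibiting each anomaly type."""
    return [
        make_rule("R1", "10.0.0.0/24", "192.168.1.10/32", "443", "tcp", "accept"),
        make_rule("R2", "10.0.0.0/16", "192.168.1.0/24", "443", "tcp", "drop"),
        make_rule("R3", "10.0.1.0/24", "192.168.1.0/24", "443", "tcp", "accept"),
        make_rule("R4", "10.0.0.0/8", "192.168.1.0/24", "53", "udp", "accept"),
        make_rule("R5", "10.0.5.0/24", "192.168.1.0/24", "53", "udp", "accept"),
        make_rule("R6", "172.16.0.0/12", "192.168.2.0/24", "1024-65535", "any", "drop"),
        make_rule("R7", "172.16.8.0/24", "192.168.0.0/16", "8000-9000", "tcp", "accept"),
    ]


if __name__ == "__main__":
    for kind, a, b in find_anomalies(sample_policy()):
        print(f"{kind:14s} earlier={a} later={b}")
```

On the sample policy the scan reports R1 as a generalization exception under R2, R3 as shadowed by R2 (it can never accept anything), R5 as redundant with R4, and R6/R7 as correlated (their relative order decides which action wins for the overlap). Shadowed and correlated pairs are the ones a maintainer should review first, since they are the cases where a rule silently does not do what its author intended.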


Last Update: 2025-06-10