摘要
防火墙规则集中存在的配置错误主要来源于规则的添加、删除等更新操作。因此进行规则更新时,需要使用测试算法判断更新操作的正确性。现有的测试算法仅从被添加或被删除规则的顶点选取测试数据包,不能检测出所有因规则冲突而导致的配置错误。基于此,提出了一种针对规则更新操作的测试数据包选取算法PCRU。该算法从两处选取测试数据包,即被添加或者被删除的规则的顶点和规则冲突区域。理论分析和仿真实验表明,与现有测试算法相比,在进行规则更新时,PCRU算法只需使用少量的测试数据包,即可检测出所有因规则冲突而导致的配置错误。
The deployment errors in firewall rule sets mainly come from rules updating. And hence test algorithms should be employed to verify the correctness of updating when rules are added or deleted. Current test algorithms only choose test packets from apexes of added or deleted rules, which cannot detect deployment errors caused by rule conflicts. This paper proposed a test packet-choosing algorithm for rules updating, which was named packet choosing rule updating (PCRU). PCRU chose test packets from the apexes of rules and from conflicting areas. The results of simulations show that PCRU can detect the deployment errors caused by rule conflicts when rule uodating at the cost of a small number of test packets.
出处
《计算机应用研究》
CSCD
北大核心
2009年第5期1919-1921,共3页
Application Research of Computers
基金
国家信息产业部生产发展基金资助项目