Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Rule conflict detection method and system aimed at large-scale packet classification rule set

A conflict detection and packet classification technology, applied in transmission systems, digital transmission systems, electrical components, etc., can solve the problems of algorithm space complexity that cannot meet the requirements, only support, and too many bit vector operations.

Active Publication Date: 2014-01-15
NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT +1
View PDF3 Cites 19 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

The ASBV algorithm has two disadvantages: (1) the ASBV algorithm only supports the rules represented by prefixes; (2) there are too many bit vector operations
(3) The space complexity is too large
For the DBBV algorithm, when adding or deleting rules, the balanced binary tree also needs to be adjusted, so the efficiency of incremental update rules is low
For some applications, such as the UTM system, because it supports the coordination and linkage of various security modules, its rules are constantly added and deleted; Thousands of levels have risen to millions of levels, and the space complexity of these algorithms cannot meet the requirements

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Rule conflict detection method and system aimed at large-scale packet classification rule set
  • Rule conflict detection method and system aimed at large-scale packet classification rule set
  • Rule conflict detection method and system aimed at large-scale packet classification rule set

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0073] The principles and features of the present invention are described below in conjunction with the accompanying drawings, and the examples given are only used to explain the present invention, and are not intended to limit the scope of the present invention.

[0074] According to the prefixes of the source IP component and the destination IP component of the rule, the rules are divided into three types: full-prefix rules, non-full-prefix rules and no-prefix rules. When the prefix length of the source IP and the destination IP of the parsed rule are both 32, or when the prefix length of one of the source IP and the destination IP is 0 and the prefix length of the other is 32, the rule is divided into full prefixes rule; when the prefix length of the source IP or destination IP of the parsed rule is between 1-31, the rule is divided into a non-full prefix rule; when the prefix length of the source IP and destination IP of the parsed rule is When 0, the rule is classified as...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention relates to a rule conflict detection method and system aimed at a large-scale packet classification rule set. The method includes the first step of receiving and analyzing a rule, the second step of dividing the analyzed rule into a full-prefix rule, a non-full-prefix rule and a non-prefix rule, the third step of organizing a full-prefix rule set in a source IP and target IP double-layer hash table HSIP-DIP or in a target IP hash table H*-DIP and correspondingly adding or deleting or inquiring the rules in the HSIP-DIP or the H*-DIP, the fourth step of organizing a non-full-prefix rule set in a source IP and target IP double-dimension Tire tree TSIP-TDIP and adding or deleting or inquiring the rules in the TSIP-TDIP, the fifth step of organizing a non-prefix rule set in a link table L*-* and adding or deleting or inquiring the rules in the L*-*, and the sixth step of traversing each rule in the HSIP-DIP, each rule in the H*-DIP, each rule in the TSIP-TDIP and each rule in the L*-* to serve as detected rules and detecting all rules which conflict with the detected rules. The rule conflict detection method and system solve the problem that in the prior art, a rule conflict algorithm has defects.

Description

technical field [0001] The invention relates to the field of network packet classification, in particular to a rule conflict detection method and system for a large-scale packet classification rule set. Background technique [0002] With the evolution of the Internet architecture and the development of Internet applications, the traditional routing technology based on a single IP address domain can no longer meet the needs of network services and network security. Packet classification technology, because it can perform fine-grained classification of network traffic based on multiple fields in the header of network data packets (usually source IP address, destination IP address, source port, destination port, protocol number), has been used in routers, It has been widely used in various network security devices such as firewalls and security gateways. [0003] The packet classification technology is realized based on the configuration rule set in the packet classification e...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L12/24H04L12/26
Inventor 云晓春陈训逊王东安张晓明张永铮王曦杜飞王勇臧天宁
Owner NAT COMP NETWORK & INFORMATION SECURITY MANAGEMENT CENT
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com