Firewall policy generation method, server, medium and program product

By automatically generating firewall policies by acquiring network topology information and communication mode instructions, the problem of time-consuming and laborious configuration of traditional firewalls is solved, and fast and accurate firewall policy generation and network security management are achieved.

CN122160079APending Publication Date: 2026-06-05ZTE CORP

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
ZTE CORP
Filing Date
2024-12-05
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Traditional firewall configuration methods are time-consuming, labor-intensive, and error-prone, making it difficult to quickly and accurately build and adjust security policies that meet actual needs, and failing to meet the flexible security requirements in complex network environments.

Method used

By acquiring network topology information, determining the target path, and automatically generating firewall policies based on communication mode instructions, it provides an interactive user interface to simplify the configuration process, monitors data transmission using firewall nodes, and supports multiple communication modes and path checks.

Benefits of technology

It simplifies the firewall policy configuration process, improves configuration efficiency and accuracy, lowers the operational threshold, enhances network security and policy verification efficiency, and reduces the risk of policy omissions.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160079A_ABST
    Figure CN122160079A_ABST
Patent Text Reader

Abstract

The present disclosure provides a firewall policy generation method, comprising: obtaining network topology information; the network topology information comprising nodes in a network and an association relationship between the nodes, the network comprising at least two nodes; in a case where a selection instruction of selecting a first node and a second node from the nodes is received, determining a target path according to the network topology information; the target path being a path with the first node as a starting node and the second node as a terminating node, the target path comprising at least one firewall node; and generating a firewall policy in response to receiving a communication mode instruction for the target path. The present disclosure also provides a server, a computer readable medium and a computer program product.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of network security technology, and in particular to a firewall policy generation method, server, media, and program product. Background Technology

[0002] With the increasing complexity of network architectures and the diversification of business needs, the core network environment contains numerous network elements with intricate communication relationships, making network security requirements more stringent for operators. However, traditional firewall configuration methods not only rely on cumbersome command-line operations or specialized configuration software, but also require manually configuring complex network element communication relationships into the firewall. This process is time-consuming, labor-intensive, and prone to errors, seriously threatening the security and stability of the entire network.

[0003] Therefore, how to quickly and accurately build and adjust firewall architecture, and flexibly formulate security policies that meet actual needs, has become an urgent problem to be solved. Summary of the Invention

[0004] This disclosure provides a firewall policy generation method, server, media, and program product.

[0005] In a first aspect, embodiments of this disclosure provide a firewall policy generation method, which includes:

[0006] Obtain network topology information; the network topology information includes nodes in the network and the relationships between the nodes, and the network includes at least two nodes;

[0007] Upon receiving a selection instruction to select a first node and a second node from the nodes, a target path is determined based on the network topology information; the target path is a path that starts from the first node and ends at the second node, and the target path includes at least one firewall node;

[0008] For the target path, in response to receiving the communication mode instruction, a firewall policy is generated.

[0009] In a second aspect, embodiments of this disclosure provide a server, which includes a memory and a processor; the memory stores a computer program that can be executed by the processor, and when the computer program is executed by the processor, it implements the firewall policy generation method described in the first aspect.

[0010] Thirdly, embodiments of this disclosure provide a computer-readable medium having a computer program stored thereon, which, when executed by a processor, implements the firewall policy generation method described in the first aspect.

[0011] Fourthly, embodiments of this disclosure provide a computer program product, which includes a computer program that, when executed by a processor, implements the firewall policy generation method described in the first aspect.

[0012] In this embodiment of the disclosure, upon receiving a selection instruction to select a first node and a second node in the network, a target path is determined with the first node as the starting node, the second node as the ending node, and including at least one firewall node. Based on the communication mode instruction set for the target path, a firewall policy for the target path is automatically generated. This not only simplifies the configuration process of the firewall policy but also improves the configuration efficiency of the firewall policy. Attached Figure Description

[0013] In the accompanying drawings of the embodiments disclosed herein:

[0014] Figure 1 A flowchart illustrating a firewall policy generation method provided in this embodiment of the disclosure;

[0015] Figure 2 This is a schematic diagram of the process for obtaining network topology information provided in an embodiment of the present disclosure;

[0016] Figure 3 A schematic diagram of an exemplary user interface provided for an embodiment of this disclosure;

[0017] Figure 4 A schematic diagram of yet another exemplary user interface provided for embodiments of this disclosure;

[0018] Figure 5 A schematic diagram of the process for determining a target path provided in an embodiment of this disclosure;

[0019] Figure 6 A schematic diagram illustrating the process of generating firewall policies provided in this embodiment of the disclosure;

[0020] Figure 7 A schematic diagram illustrating yet another exemplary user interface provided for embodiments of this disclosure;

[0021] Figure 8 This is a schematic diagram of an exemplary target recognition result display window provided in an embodiment of the present disclosure;

[0022] Figure 9 A schematic diagram of the structure of an exemplary network model for detecting attack behavior provided in an embodiment of this disclosure;

[0023] Figure 10 This is a schematic diagram of the structure of a server provided in an embodiment of the present disclosure;

[0024] Figure 11A schematic diagram of the structure of an exemplary core network security management system provided in this disclosure embodiment;

[0025] Figure 12 A flowchart illustrating an exemplary firewall policy generation method provided in this disclosure embodiment;

[0026] Figure 13 A schematic flowchart illustrating an exemplary process for generating firewall policies and their communication matrix entries, provided for embodiments of this disclosure;

[0027] Figure 14 A schematic diagram illustrating an exemplary path echoing process provided for embodiments of this disclosure;

[0028] Figure 15 This is a schematic flowchart illustrating an exemplary download of a communication matrix table and a network topology diagram, provided for embodiments of this disclosure. Detailed Implementation

[0029] To enable those skilled in the art to better understand the technical solutions of this disclosure, the embodiments of this disclosure will be described in detail below with reference to the accompanying drawings.

[0030] The present disclosure will be described more fully below with reference to the accompanying drawings; however, the embodiments shown may be embodied in different forms, and the present disclosure should not be construed as limited to the embodiments set forth below. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will enable those skilled in the art to fully understand the scope of the disclosure.

[0031] The accompanying drawings of the embodiments disclosed herein are provided to further illustrate the embodiments of this disclosure and form part of the specification. They are used together with the detailed embodiments to explain this disclosure and do not constitute a limitation thereof. The above and other features and advantages will become more apparent to those skilled in the art from the description of the detailed embodiments with reference to the accompanying drawings.

[0032] This disclosure may be described with reference to plan and / or cross-sectional views using the ideal schematic diagrams of this disclosure. Therefore, the example illustrations may be modified according to manufacturing techniques and / or tolerances.

[0033] Where there is no conflict, the various embodiments of this disclosure and the features thereof in the embodiments may be combined with each other.

[0034] The terminology used in this disclosure is for the purpose of describing particular embodiments only and is not intended to limit the disclosure. The term "and / or" as used in this disclosure includes any and all combinations of one or more of the associated enumerated entries. The singular forms "a" and "the" as used in this disclosure are also intended to include the plural forms, unless the context clearly indicates otherwise. The terms "comprising," "made of," etc., as used in this disclosure specify the presence of the stated feature, integral, step, operation, element, and / or component, but do not exclude the presence or addition of one or more other features, integrals, steps, operations, elements, components, and / or groups thereof.

[0035] Unless otherwise specified, all terms used in this disclosure (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art. It will also be understood that terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the relevant art and this disclosure, and will not be interpreted as having an idealized or overly formal meaning, unless expressly so defined in this disclosure.

[0036] This disclosure is not limited to the embodiments shown in the accompanying drawings, but includes modifications to the configuration based on the manufacturing process. Therefore, the areas illustrated in the drawings are schematic, and the shapes of the areas shown illustrate specific shapes of the areas of an element, but are not intended to be limiting.

[0037] In some related technologies, traditional network security protection systems are facing increasingly severe challenges, especially in the core network domain. Firewalls, as the first line of defense, play a crucial role in ensuring network security. However, with the increasing complexity of network architecture and the diversification of business needs, operators have become more stringent in their network security requirements due to the numerous network elements and intricate communication relationships within the core network environment. Traditional firewall configuration methods not only rely on cumbersome command-line operations or specialized configuration software but also require manually configuring complex network element communication relationships within the firewall. This process is time-consuming, labor-intensive, and prone to errors, seriously threatening the security and stability of the entire core network.

[0038] In other related technologies, more advanced configuration tools and optimized configuration processes have been developed to address the problems faced by traditional firewall configuration methods, but none of them have been able to solve the problem at its root.

[0039] Therefore, there is an urgent need for a solution that can quickly and accurately build and adjust firewall architecture, flexibly formulate security policies that meet actual needs, and simplify the firewall configuration process.

[0040] In a first aspect, embodiments of this disclosure provide a firewall policy generation method, referring to... Figure 1 It includes:

[0041] S1. Obtain network topology information; the network topology information includes nodes in the network and the relationships between the nodes, and the network includes at least two nodes;

[0042] S2. Upon receiving a selection instruction to select a first node and a second node from the nodes, a target path is determined based on the network topology information; the target path is a path that starts from the first node and ends at the second node, and the target path includes at least one firewall node.

[0043] S3. For the target path, in response to receiving the communication mode instruction, generate a firewall policy.

[0044] In this embodiment, the selection instruction specifies the start and end nodes of the target path containing the firewall policy to be generated. Based on this selection instruction, a target path is determined, starting from the first node, ending at the second node, and including at least one firewall node. According to the communication mode instruction set for the target path, the firewall policy for that target path is automatically generated. Compared to some related technologies that involve manually selecting paths and adding firewall policies one by one, this embodiment not only simplifies the firewall policy configuration process but also lowers the operational threshold for policy configuration, significantly reducing workload and improving the efficiency and accuracy of firewall policy configuration.

[0045] Network topology information describes the nodes and their relationships within the network. A node is a device that participates in data interaction within the network; it can be an independent device or a group of multiple independent network elements. In some embodiments, node types include independent network element nodes, node groups (composed of multiple network element nodes), and firewall nodes, but this disclosure is not limited to these. Relationships are based on the existence of at least two nodes in the network, and the connections, data interactions, and other relationships established between these two nodes.

[0046] The selection instruction is used to indicate the starting node (i.e., the first node) and the ending node (i.e., the second node) of the target path corresponding to the firewall policy. Both the first and second nodes are nodes selected from the network, and they are two different nodes. This disclosure embodiment does not impose any special restrictions on the node types of the first and second nodes. Each target path composed of the first and second nodes includes at least one firewall node. The firewall node is used to monitor and control data transmission in the target path, determining the data transmission behavior on the target path based on predefined network security requirements.

[0047] The communication mode instruction is used to indicate the communication mode corresponding to the target path.

[0048] In some embodiments, refer to Figure 2Step S1 includes:

[0049] S11. In response to a candidate node being dragged to the display window, a corresponding display node is generated in the display window;

[0050] S12. In response to receiving a node association instruction, generate the association relationship of the display nodes corresponding to the node association instruction, and generate a connection line in the display window to connect the corresponding display nodes.

[0051] S13. Determine the network topology information based on the displayed nodes and the associated relationships in the display window.

[0052] In the embodiments of this disclosure, an interactive user interface is provided to the user. Candidate nodes are set in a selection area. When constructing network topology information, candidate nodes of the selected node type in the selection area are dragged to the display window, thereby adding display nodes of that node type to the network topology information. Corresponding associations of the display nodes are added to the network topology information according to node association instructions, and the connecting lines between the associated display nodes are displayed in the display window. Based on the display nodes and associations, the network topology information is determined. By providing a user interface, users can quickly build and draw network topology information through simple operations, providing a more intuitive display of the network topology.

[0053] Candidate nodes are initial, unconfigured nodes categorized by node type, which can be dragged and dropped into the display window to construct network topology information. The display window is an interactive interface area for displaying and manipulating network topology information. This display window can implement various interactive functions, such as selecting nodes and their relationships within the network topology information, alignment lines, shortcut key support, graphic transformations, connection modes, node click events, node addition events, node embedding events, automatic node expansion, and mouse click events, etc., but this disclosure is not limited to these. This disclosure does not impose special restrictions on the functions used to implement the interactive functions of the display window; they can be the onMounted() function.

[0054] In some embodiments, the interactive user interface provided to users may be built using Vue3, Element-plus, Axios, Antv X6, JavaScript, etc., and this disclosure is not limited thereto.

[0055] In some embodiments, candidate nodes of each node type are displayed in the selection area and can be dragged to the first position in the display window to generate the corresponding display node at the first position. The display node can be an initial state node that has not yet been configured, or a node whose node parameters have been configured in response to a configuration command.

[0056] The node association command is used to indicate that there is a relationship between the selected display nodes. Specifically, the node association command must select at least two display nodes.

[0057] In some embodiments, in a display window that includes multiple display nodes, at least two display nodes are selected, and it is determined that these at least two display nodes have an association relationship in the network topology information, thereby displaying the connection line between the at least two display nodes in the display window. It is worth noting that the embodiments of this disclosure do not impose any special restrictions on the selection method of the at least two display nodes or the display format of the connection line. The display format of the connection line can be set differently for the connection line according to different association relationships.

[0058] As one embodiment of this disclosure, a connection is established using a shortcut key (e.g., the shift key on a keyboard) or a connection mode button. When the user presses the shortcut key or the connection mode button in the user interface, the changeLineMode() function is called to enable connection mode. With connection mode enabled, candidate nodes cannot be dragged to the display window, the display window cannot be moved, and clicking on a display node will not trigger the configuration of node parameters.

[0059] When the mouse button is clicked, the position of the first associated node and other information such as the node position are obtained according to the first event mousedown. When the mouse button is released, the position of the second associated node and other information such as the node position are obtained according to the second event mouseup. Thus, it is determined that an association relationship can be established between the first associated node and the second associated node.

[0060] Since a node can include multiple connection points, which are the starting points of the connecting lines, when the first event `mousedown` is triggered, the connection point corresponding to the first associated node is also obtained. Before the second event `mouseup` is triggered, the current position of the mouse can be used as the connection point corresponding to the second associated node. That is, when the mouse moves, the third event `mouseMove` is triggered, and the connection point corresponding to the second associated node will change accordingly until the mouse is released. Triggering the second event `mouseup` also includes using the current position of the mouse as the final determined connection point of the second associated node, thereby determining the first associated node (source node) and its connection point (source connection point), and the second associated node (target node) and its connection point (target connection point). Based on the source node, source connection point, target node, and target connection point, the connecting line between the first and second associated nodes can be accurately drawn in the display window.

[0061] Since firewall nodes are displayed in a table format in the display window, with the table header being the name of the firewall node and the remaining rows representing the security zones corresponding to the firewall, if the node type is a firewall node, the system will determine the row corresponding to the event within that firewall node and obtain the security zone involved in the firewall node to be associated with.

[0062] Furthermore, this disclosure does not impose any special restrictions on whether the mouse button is the left or right mouse button. In some embodiments, the button can also be any designated button in the keyboard peripheral.

[0063] In some embodiments, the firewall policy generation method further includes:

[0064] In response to the configuration command, node parameters are configured for the display node; the node parameters include at least one of IP (Internet Protocol) address, port, protocol, style, and node type.

[0065] The configuration instructions are used to specify the selected display node and configure node parameters for that node. This embodiment does not impose special restrictions on the type of node parameters, and may also include firewall zones, etc.

[0066] In this embodiment, an interactive user interface is provided to the user. When the user clicks on a displayed node, the node parameters of that node can be configured, which further improves the configuration efficiency based on network topology visualization.

[0067] In some embodiments, in response to configuration instructions, association attributes can also be configured for the connection line. That is, configuration instructions can also be used to indicate the constructed, selected connection line and configure association attributes for that connection line.

[0068] In some embodiments, a corresponding form (e.g., neForm, graphForm, wallForm) is set for each display node. This form is used to display the node parameters of the display node, and the form can be displayed in a specific interface area of ​​the display window. A corresponding listener event is set for each node parameter in the form. This listener event is triggered when the data corresponding to the node parameter changes. When the user edits or modifies the data of the node parameter in the specific interface area, clicks on the display node, or fills in data for the node parameter, the listener event is triggered in real time to update and display the data of the node parameter in the specific interface area.

[0069] As an example, a node click event is set to `graph.on('node:click',({e,x,y,node,view})=>{})` for each displayed node. When a user clicks a displayed node in a specific interface area, it indicates that the displayed node is selected. The variable `selectedNode` is used to indicate the selected displayed node. The value corresponding to the displayed node is assigned to `selectedNode` to indicate that the displayed node is selected. Then, the node data corresponding to the displayed node is assigned to the form. Because the node parameter data in the form changes, the listener event is triggered, that is, the node parameter data displayed in the specific interface area is updated to the latest data assigned to the form.

[0070] As another example, when a user enters the firewall name in the form for the selected firewall node, a listener event is triggered, and the node name of that firewall node displayed in a specific area of ​​the interface is updated to the newly entered firewall name.

[0071] As another example, when a user modifies the data of a node parameter, a listener event is triggered, and the data of that node parameter displayed in a specific area of ​​the interface is updated to the modified data.

[0072] As one embodiment of this disclosure, reference is made to... Figure 3 The user interface is provided to users. In the first area 301 of the user interface, multiple graphical nodes are provided. Among them, node 3011 is a candidate node of the node type of firewall node, node 3012 is a candidate node of the node type of group, and node 3013 is a candidate node of the node type of network element.

[0073] The second area 302 provides users with a canvas (i.e., a display window) for drawing network topology information, and displays the nodes that are selected and dragged into the second area 302, as well as the connection lines of the established relationships. In this second area 302, nodes 3021 and 3022 are both firewall nodes, displayed in a table format. The table header displays the firewall name (e.g., the firewall name of node 3021 is SHT-PM-FW), and the remaining rows display the zone names of the firewall's security zones (e.g., the zone names of the security zones of node 3021 are OAM-PLAT-U, OAM-NEXP, and OAM-SEC). Node 3023 is a group, consisting of multiple independent network elements. For example, node 3023 is composed of two independent network elements with IP addresses KPG-20.136.20.248-29 and KPG-20.141.0.74-27, respectively. Node 3024 is a network element node. Connector 3025 indicates an association between node 3024 and security zone OAM-PLAT-U in node 3021.

[0074] The third area 303 displays the attributes (i.e., node parameters or associated attributes) corresponding to the nodes or connecting lines. Configuration can be quickly completed by entering the desired attribute information in the input boxes within the third area 303. It should be noted that this embodiment does not impose any special restrictions on the distribution of areas in the user interface.

[0075] In some embodiments, the firewall policy generation method further includes:

[0076] In response to receiving a path echo command, the style of each display node corresponding to the path echo command is adjusted to an enhanced display style.

[0077] The path echo instruction is used to indicate the selected path and its corresponding enhanced display style. In some embodiments, the style of the displayed node includes style information such as width, height, and border style. An enhanced display style refers to a style that has a highlighted effect in the display window. This disclosure does not impose any special limitations on the type of style or enhanced display style indicated by the path echo instruction.

[0078] In this embodiment, by adjusting the style of each displayed node of the selected path to an enhanced display style, the path can be quickly highlighted and displayed. Especially after the firewall policy is generated, selecting the path corresponding to the firewall policy and traversing each displayed node in the path visually displays each displayed node and path direction (related to the communication mode) of the firewall policy, so that users can more intuitively understand the path corresponding to the firewall policy. This assists in completing the path check of the firewall policy, greatly improves the efficiency of policy verification, and avoids policy omissions.

[0079] As one embodiment of this disclosure, reference is made to... Figure 4 It provides a user interface for users, and provides a canvas (i.e. display window) in area 401 of the user interface for drawing network topology information. It also displays the nodes that are selected and dragged into area 401 and the connection lines of the established relationships.

[0080] Firewall policies are displayed in area 402 of the user interface. After the firewall policies are generated, the server backend stores the paths corresponding to the firewall policies. Firewall nodes with the firewall name SHT-PM-FW displayed in area 402 include security zones (i.e. target zones) OAM-NEXP and OAM-SEC. Clicking the Path button 4021 will display the path corresponding to security zone OAM-NEXP, which is the path within the dashed box 4011 in area 401.

[0081] By traversing the path and changing the style of each displayed node in the path to a highlight color, the path can be displayed. Compared with some related technologies that check the policy one by one within the network topology, the embodiments of this disclosure can improve the time-consuming and laborious problem of policy checking, prevent policy omissions, display the path more intuitively, and greatly improve the efficiency of policy verification.

[0082] In some embodiments, refer to Figure 5 Step S2 includes:

[0083] S21. Based on the network topology information, determine all first paths that start from the first node;

[0084] S22, Receive path selection instruction;

[0085] S23. If the first path selected by the path selection instruction is terminated by the second node and includes the firewall node, then the first path selected by the path selection instruction is determined as the target path.

[0086] The selection instruction specifies the start and end nodes of the target path where the firewall policy to be generated is located. Based on this selection instruction, a target path is determined that starts at the first node, ends at the second node, and includes at least one firewall node. The first path is the path that starts at the first node, and the path selection instruction instructs that all first paths be traversed.

[0087] In the embodiments of this disclosure, by traversing the first path, a target path is determined that terminates at the second node and includes the firewall node. Compared with some related technologies where the user selects the paths for creating the firewall policy, the embodiments of this disclosure can prevent path omissions and improve the comprehensiveness and efficiency of path selection.

[0088] In one embodiment of this disclosure, an initialized array (array length 2) is used to determine the target path. Two user clicks on a node are used as selection instructions to select a first node and a second node from the nodes. In response to receiving the user's first click on the first node, the `searchTree()` function is called recursively to obtain the first paths starting from the first node. All first paths are stored in the dictionary `allStrategy`, where the keys are the starting node (i.e., the first node) and the values ​​are the respective first paths. In response to receiving the user's second click on the second node, the first paths in the `allStrategy` dictionary are traversed according to the path selection instructions. It is determined whether each first path terminates at the second node and includes a firewall node. If so, the first path is determined as the target path and transmitted to the server backend. The server backend, in response to receiving a communication mode instruction, generates a firewall policy for the target path and displays the firewall policy on the user interface. After determining all target paths, the array is initialized.

[0089] In cases where network topology information changes (e.g., nodes are added or deleted), the first path starting from the first node may change. Therefore, all first paths stored in the dictionary allStrategy are cleared, and the searchTree() function is called again to recursively obtain each first path.

[0090] In some embodiments, the communication mode instruction is used to indicate whether the communication mode corresponding to the target path is a one-way communication mode or a two-way communication mode;

[0091] Among them, reference Figure 6 Step S3 includes:

[0092] S31. Extract each node, the relationship between each node, and the node parameters from the target path;

[0093] S32. Generate a firewall policy based on the node, the association relationship, and the node data; the firewall policy satisfies the network security requirements corresponding to the one-way communication mode or the network security requirements corresponding to the two-way communication mode.

[0094] In this embodiment, a corresponding firewall policy is automatically generated based on the target path and the communication mode indicated by the communication mode instruction. Selecting different communication modes for different target paths significantly enhances the flexibility, convenience, and accuracy of the operation, meeting diverse security needs in complex network environments.

[0095] The communication mode corresponding to the target path indicates the communication direction of that path. There is a close and clear correspondence between the target path and the firewall policy. Nodes (e.g., network devices, servers, or terminals) are the basic elements constituting network topology information. Paths visually represent the connections between nodes and describe the potential direction of data flow in the network. A path consists of nodes and connecting lines, with the connecting lines representing communication links between nodes. Each path corresponds to a communication mode, which indicates the communication flow direction and forms the basis for generating firewall policies. A firewall policy is a set of communication rules and behavioral guidelines for a target path that includes at least one firewall node. For example, it specifies whether communication is allowed between nodes, the communication direction, the protocols involved in the communication, and security rules. In complex network environments, policy formulation can effectively ensure network security, reliability, and communication efficiency.

[0096] In some embodiments, firewall policies are generated using Vue3 (Vue.js 3), Antv X6 (graph editing engine), and JavaScript technologies.

[0097] As one embodiment of this disclosure, reference is made to... Figure 7 This provides a user interface. When a user presses the strategy mode button in the user interface, the `changeStrategyMode()` function is called to enable strategy mode. When strategy mode is enabled, clicking on a display node will not trigger the configuration of node parameters.

[0098] When a user selects a target path (i.e., the path within the dashed box 7011) in the area 701 of the display window, a communication mode selection area 702 pops up. This communication mode selection area 702 includes three selectable buttons: button 7021 for the first-direction communication mode, button 7022 for the bidirectional communication mode, and button 7023 for the second-direction communication mode. Both the first-direction and second-direction communication modes are unidirectional communication modes.

[0099] In response to the triggering of any one of buttons 7021, 7022, and 7023, the information such as nodes, relationships, and node data extracted from the target path is encapsulated into policy data and sent to the server backend through the API (Application Programming Interface) for further verification and optimization. Finally, one or more firewall policies that meet the network security requirements of the corresponding communication mode are generated. The generated firewall policies are returned to the server frontend for display and storage for subsequent selection and management.

[0100] In some embodiments, the firewall policy generation method further includes:

[0101] Based on the network topology information, the firewall policy is executed to obtain firewall logs;

[0102] The firewall logs are input into multiple preset network models to identify attack behaviors, and intermediate identification results are obtained for each network model. The intermediate identification results include a first probability value for the existence of attack behavior and a second probability value for the absence of attack behavior.

[0103] If the sum of the first probability values ​​of each network model is greater than the sum of the second probability values ​​of each network model, the target identification result is determined to be an attack; if the sum of the first probability values ​​of each network model is less than or equal to the sum of the second probability values ​​of each network model, the target identification result is determined to be no attack.

[0104] Among them, firewall logs are network activity information recorded by each firewall node in the network topology information when executing firewall policies. Multiple preset network models represent different network models.

[0105] The embodiments of this disclosure utilize multiple network models to jointly identify intermediate identification results, and then add the intermediate identification results of multiple network models to obtain the target identification result. This can combine the predictive capabilities of two different network models to improve model performance.

[0106] In some embodiments, by utilizing multiple preset network models, the source address and port of an attack can be quickly identified, providing early warnings to users and enabling timely improvement of firewall policies and communication blacklists and whitelists, thereby reducing the risk of network intrusion and improving the quality of network security policy deployment.

[0107] This disclosure does not impose any special limitations on the attack behavior to be detected. In some embodiments, the attack behavior is DDoS (Distributed Denial of Service).

[0108] In some embodiments, the target identification results corresponding to each firewall log are displayed in the user interface so that users can check the operation status of the firewall policy at any time.

[0109] As an example, refer to Figure 8 After inputting firewall logs into multiple preset network models to identify attack behaviors and obtain target identification results, a display window showing the log analysis results pops up in the user interface. "File uploaded successfully" indicates that the file corresponding to the target identification result has been successfully updated, and prompts to execute the firewall policy. A total of 225,745 firewall logs were obtained. After inputting these firewall logs into multiple preset network models to identify attack behaviors, the target identification result was that the number of DDoS attacks was 128,046.

[0110] In some embodiments, the network model can be a VAE-LSTM (Variational Autoencoder Long Short-Term Memory) model or a SimpleCNN (Simple Convolutional Neural Network) model.

[0111] As one embodiment of this disclosure, reference is made to... Figure 9 When the network model is a VAE-LSTM model, the VAE-LSTM model includes a VAE encoder, a VAE embedding module, and an LSTM module. The training process of this VAE-LSTM model is as follows:

[0112] Obtain a large amount of feature data (i.e., firewall logs) of the VAE-LSTM model to be input. The firewall logs include source IP, destination IP, source port, destination port, etc.

[0113] The feature data is cleaned and normalized to obtain intermediate data;

[0114] 80% of the intermediate data was divided into the training set and 20% into the test set. The intermediate data was converted into PyTorch tensors, and a new dimension was added. The shape of the tensors was adjusted to meet the input requirements of the VAE-LSTM model layers.

[0115] The training set was used as the input to train the VAE-LSTM model. Using a preset learning rate of lr = 0.001, the model was trained and its parameters were tuned sequentially through the VAE encoder, VAE embedding module, and LSTM module to obtain the trained VAE-LSTM model. The test set was used as the input to test the VAE-LSTM model. The trained VAE-LSTM model achieved a 99.65% accuracy rate in identifying DDoS attacks, with a loss value of 0.0032.

[0116] The trained VAE-LSTM model is deployed in the network. After cleaning the collected firewall logs, they are input into the model, which accurately analyzes the firewall logs. Combined with the SimpleCNN model, the intermediate recognition results of the two models are added to determine whether a network attack has occurred. If a network attack is confirmed, the attack source address and port are output based on the firewall logs, thereby realizing the early warning function of firewall security management. It can also help users improve firewall policies and communication blacklists and whitelists in a timely manner, reducing the risk of network intrusion and greatly improving network security.

[0117] In some embodiments, the firewall policy generation method further includes:

[0118] For the target path, a communication matrix entry for the target path is constructed based on the network topology information and the communication mode instruction;

[0119] Display the communication matrix table composed of each of the aforementioned communication matrix entries;

[0120] In response to receiving a download command, the communication matrix table is exported.

[0121] The communication matrix table consists of communication matrix entries for each target path in the network topology information. The communication matrix entries are used to describe the communication relationship between the first node and the second node of the target path, including basic network node information, connection relationships between nodes, firewall configuration details, etc.

[0122] In this embodiment, since the path can intuitively reflect the connection relationship between each node, it consists of each node and a connecting line, which represents the communication link between the nodes. The target path is a path that includes at least one firewall node; that is, the target path includes at least a first node, a firewall node, a second node, a first connecting line between the first node and the firewall node, and a second connecting line between the second node and the firewall node. Therefore, the communication matrix entries for the target path include at least the information related to these five elements: the first node, the firewall node, the second node, the first connecting line, and the second connecting line, thus ensuring the comprehensiveness and accuracy of the communication matrix table data.

[0123] For each target path, based on the above information and the communication mode indicated in the communication mode command, the connection relationships, firewall policies, and communication modes between nodes in the target path are organized. If the communication mode is unidirectional, communication matrix entries are constructed according to the communication direction from the first node to the second node or from the second node to the first node. If the communication mode is bidirectional, communication matrix entries are constructed according to the communication directions from the first node to the second node and from the second node to the first node, respectively. The constructed communication matrix entries constitute the communication matrix table, which is displayed to the user on the user interface.

[0124] In some embodiments, the user interface for displaying the communication matrix table to the user is also provided with a delete button. When the user clicks the delete button, the globally unique identifier (UUID) of the communication matrix table entry to be deleted is sent to the server backend, so that the server backend can find the corresponding communication matrix table entry from the VOS (data storage system) based on the received UUID and perform the deletion operation. The VOS is used to store each communication matrix table entry.

[0125] Furthermore, in response to receiving a download instruction, a communication matrix table is exported. This download instruction instructs the communication matrix table to be exported in a specified export format. Exporting the communication matrix table can save firewall configuration time, prevent policy omissions, and improve network security. This embodiment of the disclosure does not impose special restrictions on the export format of the communication matrix table; for example, it can be an export format of a spreadsheet or text file.

[0126] In some embodiments, the user interface for displaying the communication matrix table to the user is also provided with an export button. When the user clicks the export button, the communication matrix table in VOS is exported in a specified format. The communication matrix table can clearly and intuitively reflect the relationship between each node in each target path, so that the user can perform data analysis and processing on the network and its firewall policies.

[0127] In some embodiments, the firewall policy generation method further includes:

[0128] The preset export function is called to convert the display nodes and the connecting lines into image data to obtain a network topology diagram.

[0129] The derived function is used to convert the nodes and connections in the network topology information into image data. This embodiment does not impose any special restrictions on the function type of the derived function.

[0130] In this embodiment, the exported function is called to convert the displayed nodes and connecting lines into image data, which can accurately and reliably realize the drawing of the network topology diagram, so that the network topology structure can be saved and viewed in image form.

[0131] In some embodiments, the user interface also includes a conversion button. When the conversion button is clicked, the exportPNG function is invoked to convert the communication matrix table in the display window into a network topology diagram.

[0132] In some embodiments, the server also integrates an intelligent model and a knowledge base to provide users with technical support, operation guidance, and personalized configuration suggestions during user interface interactions, greatly simplifying operation complexity and improving user experience and satisfaction. The intelligent model can utilize natural language processing and machine learning algorithms.

[0133] In the embodiments described above, upon receiving a selection instruction to select a first node and a second node in the network, a target path is determined, starting from the first node, ending at the second node, and including at least one firewall node. Based on the communication mode instruction set for the target path, a firewall policy for that target path is automatically generated. This not only simplifies the firewall policy configuration process but also improves its efficiency. Compared to some related technologies that require manually adding firewall policies one by one, this reduces the difficulty of firewall configuration for users, decreases repetitive workload, and ensures data accuracy.

[0134] Meanwhile, compared to some related technologies that involve manually sorting out network information and then outputting firewall communication matrix tables one by one, this embodiment provides a user interface that can intuitively display the network topology diagram. By dragging and dropping, filling in configuration information, and other operations on the user interface, network topology information can be quickly constructed, and communication matrix tables can be quickly output.

[0135] Secondly, this disclosure also provides a server, referring to... Figure 10 It includes a memory 1002 and a processor 1001; the memory 1002 stores a computer program that can be executed by the processor 1001, and when the computer program is executed by the processor 1001, it implements the firewall policy generation method described in the first aspect.

[0136] The processor 1001 and the memory 1002 are connected through one or more I / O interfaces 1003, which are configured to enable information exchange between the processor 1001 and the memory 1002.

[0137] The processor 1001 is a device with data processing capabilities, including but not limited to a central processing unit (CPU); the memory 1002 is a device with data storage capabilities, including but not limited to random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and flash memory (FLASH); the I / O interface (read / write interface) 1003 is connected between the processor 1001 and the memory 1002, enabling information exchange between the processor 1001 and the memory 1002, including but not limited to a data bus (Bus).

[0138] Thirdly, embodiments of this disclosure provide a computer-readable medium having a computer program stored thereon, which, when executed by a processor, implements the firewall policy generation method described in the first aspect.

[0139] Fourthly, embodiments of this disclosure provide a computer program product, which includes a computer program that, when executed by a processor, implements the firewall policy generation method described in the first aspect.

[0140] To enable those skilled in the art to more clearly understand the technical solutions provided by the embodiments of this disclosure, the technical solutions provided by the embodiments of this disclosure will be described in detail below through specific embodiments:

[0141] Example 1:

[0142] As an example, as a specific form of an embodiment of this disclosure, reference is made to... Figure 11 The core network security management system 1100 can assist users in constructing network topology in a graphical manner and generate corresponding firewall policies through communication mode commands. The system 1100 includes:

[0143] The visualization module 1101 is used to process the user's network design operations in the visualization interface and to display the input topology information file, including the drag-and-drop module, the connection module, and the policy module.

[0144] The drag-and-drop module responds to candidate nodes being dragged to the canvas (i.e., the display window), displaying the corresponding node on the canvas. Candidate nodes include core network element nodes, firewall nodes, and group nodes. The drag-and-drop module initializes the Stencil function and registers custom nodes with the stencil. After registering the node class with the stencil, users can drag and drop completed candidate nodes onto the canvas.

[0145] The drag-and-drop module uses the inject function in the Vue library to implement dependency injection: the inject function injects the getGraph function to obtain graph instances and the getNode function to obtain graph node instances.

[0146] The drag-and-drop module utilizes the `onMounted` function from the Vue library to implement lifecycle hooks: after the component is mounted, the callback function `onMounted(() => {...})` is executed, which retrieves the current candidate node using `getNode()` and updates the node parameters, namely, updating the values ​​of IP, port, protocol, and style type (including the candidate node width `nodeWidth` and candidate node height `nodeHeigth`); at the same time, it listens for the node's `change:data` event so that the node parameters are updated when the node data changes.

[0147] The drag-and-drop module uses the `ref` function from the Vue library to implement reactive data: the `ref` function creates reactive node reference parameters, which are initially set to empty string variables to store the various node parameters.

[0148] The drag-and-drop module uses the computed function in the Vue library to implement computed properties: a computed property neStyle is created by const neStyle = computed(() => {...}), and the returned object includes the width, height and border style of the node. This object is used as the style object of an element in the template, and the width and height adapt to the element.

[0149] The connection module is used to respond to the received node association command, generate the corresponding association relationship between display nodes, and generate the connection line connecting the corresponding display nodes in the canvas.

[0150] The policy module is used to display the generated firewall policies.

[0151] The firewall policy generation module 1102 is used to obtain network topology information based on the user's network design operations and input topology information file in the visual interface; extract the target path from the network topology information, which starts at the first node, ends at the second node, and includes at least one firewall node; and generate the firewall policy corresponding to the target path in response to receiving a communication mode instruction. Based on the network topology information and the generated firewall policy, it can also call exportPNG to convert the displayed nodes and connecting lines in the canvas into a PNG format network topology diagram, and download the communication matrix table corresponding to the firewall policy.

[0152] The path echo module 1103 is used to adjust the style of each displayed node in the target path corresponding to the path echo instruction to an enhanced display style after the firewall policy is generated, in response to receiving the path echo instruction.

[0153] The log detection module 1104 takes firewall logs as input and uses the VAE-LSTM and SimpleCNN models to detect DDoS attacks based on the firewall logs, thereby providing early warnings for firewall security management, assisting users in further improving firewall policies, and enhancing the quality of security policy deployment.

[0154] The intelligent assistant 1105 is used to respond to the detection of technical questions from users by providing technical support, operation guidance, and personalized configuration suggestions to users through the user interface.

[0155] The system 1100 enables the rapid construction and adjustment of network topology diagrams corresponding to firewall nodes, network element nodes, and their constituent group nodes through a visual interface. Based on the communication mode instructions set for the target path, it automatically and efficiently generates firewall policies for that target path, thereby not only improving the efficiency and accuracy of network management but also avoiding the risk of human configuration errors.

[0156] Example 2:

[0157] As an example, as a specific form of an embodiment of this disclosure, reference is made to... Figure 12 The system provides a visual interface for users, which includes at least an area for displaying multiple draggable candidate nodes, a canvas (i.e., a window displaying the network topology), and a configuration window. Firewall policy generation methods include:

[0158] Step 1201: Determine whether the user has redrawn the network topology diagram on the interface. If yes, proceed to step 1202; otherwise, proceed to step 1205.

[0159] Step 1202: In response to a candidate node being dragged onto the canvas, the display node is shown at the corresponding position on the canvas. And in response to a received configuration command, the node parameters for the display node corresponding to that configuration command are configured.

[0160] Step 1203: Turn on the connection switch. In response to the received node association instruction, generate the corresponding association relationship between display nodes and create connection lines in the canvas to connect the corresponding display nodes.

[0161] Step 1204: Turn on the policy switch and generate a firewall policy for each target path in response to the received communication mode instruction.

[0162] Step 1205: Import the pre-designed network topology file from the external network. This network topology file includes network topology information and firewall policies, which describes the nodes and their relationships in the network topology.

[0163] Step 1206 involves checking the target path of the generated firewall policy. When a user selects a firewall node in the canvas, they can view all firewall policies associated with that node and choose to display the target path corresponding to that policy. Similarly, the firewall logs obtained after executing the firewall policy are input into the trained intrusion detection model to provide users with early warnings.

[0164] Step 1207: Based on the designed network topology documents or the constructed network topology information, export the communication matrix table and network topology diagram corresponding to the network topology.

[0165] Reference Figure 13 The above step 1204 specifically includes:

[0166] Step 1301: Receive the selection instruction input by the user. The selection instruction indicates that a first node is selected as the starting node and a second node is selected as the ending node from multiple display nodes. Based on the selection instruction and network topology information, select the target path that includes at least one firewall node.

[0167] Step 1302: Determine whether the target path and its communication mode have been selected. If yes, proceed to step 1303; otherwise, return to and re-execute step 1301.

[0168] Step 1303: Return the target path, each node in the target path, and the communication mode corresponding to the target path to the server backend.

[0169] Step 1304: Determine whether the communication mode corresponding to the target path is a one-way communication mode or a two-way communication mode. If the communication mode is a one-way communication mode, proceed to step 1305. If the communication mode is a two-way communication mode, proceed to step 1306.

[0170] Step 1305: If the communication mode is a one-way communication mode, then construct a communication matrix entry according to the communication direction from the starting node to the ending node or from the ending node to the starting node of the target path.

[0171] Step 1306: If the communication mode is bidirectional communication mode, then construct one communication matrix entry according to the communication direction from the start node to the end node, and construct another communication matrix entry according to the communication direction from the end node to the start node.

[0172] Step 1307: Return each firewall policy and its corresponding communication matrix entries to the server front-end for display.

[0173] Reference Figure 14 The above step 1206 specifically includes:

[0174] Step 1401: Display the firewall policy at the front end of the server.

[0175] Step 1402: Determine whether to perform a delete operation or a path echo operation on the firewall policy. If the delete operation is performed, proceed to step 1403; if the path echo operation is performed, proceed to step 1404.

[0176] Step 1403: Feedback the firewall policy to be deleted to the server backend so that the server backend can find the corresponding communication matrix entry in the data storage system and perform the deletion operation.

[0177] Step 1404: Feedback the firewall policy for the path echo operation to be executed to the server backend.

[0178] Step 1405: Determine the target path corresponding to the firewall policy for the path echo operation to be executed, and feed the target path back to the server front-end so that the server front-end changes the color of each node on the target path to achieve the highlighting of the target path.

[0179] Reference Figure 15 The above step 1207 specifically includes:

[0180] Step 1501: Display network topology information on the front end.

[0181] Step 1502: Determine whether to download the communication matrix table or the network topology diagram. If the communication matrix table is to be downloaded, proceed to step 1503; if the network topology diagram is to be downloaded, proceed to step 1505.

[0182] Step 1503: Feed back the firewall policy of the network topology information displayed on the front end to the back end.

[0183] Step 1504: Generate a communication matrix table in XLSX format according to the specified data format based on the firewall policies.

[0184] Step 1505: Convert the network topology diagram in the canvas into a PNG image by calling the exportPNG function.

[0185] Step 1506: Feed back the communication matrix table or network topology diagram generated by the backend to the frontend, where it can be downloaded.

[0186] In the example above, the combination of a visual drag-and-drop interface with firewall policy management not only helps users build network topology in a graphical way through the visual drag-and-drop interface, but also automatically generates firewall policies corresponding to each target path, greatly simplifying the configuration process of network topology information and firewall policies. At the same time, the visualization displays the target paths, showing the paths more intuitively and greatly improving the efficiency of policy verification.

[0187] Among them, the processor is a device with data processing capabilities, including but not limited to the central processing unit (CPU); the memory is a device with data storage capabilities, including but not limited to random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and flash memory (FLASH); the I / O interface (read-write interface) is connected between the processor and the memory, enabling information exchange between the memory and the processor, including but not limited to the data bus (Bus).

[0188] Those skilled in the art will understand that all or some of the steps, systems, and devices disclosed above, as functional modules / units, can be implemented as software, firmware, hardware, or suitable combinations thereof.

[0189] In hardware implementations, the division between functional modules / units mentioned in the above description does not necessarily correspond to the division of physical components; for example, a physical component may have multiple functions, or a function or step may be executed by several physical components working together.

[0190] Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit (CPU), digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit (ASIC). Such software may be distributed on a computer-readable medium, which may include computer storage media (or non-transitory media) and communication media (or transient media). As is known to those skilled in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technique for storing information (such as computer-readable instructions, data structures, program modules, or other data). Computer storage media include, but are not limited to, random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory (FLASH) or other disk storage; read-only optical disc (CD-ROM), digital versatile disc (DVD) or other optical disc storage; magnetic cartridges, magnetic tapes, disk storage or other magnetic storage; and any other media that can be used to store desired information and can be accessed by a computer. Furthermore, as is known to those skilled in the art, communication media typically contain computer-readable instructions, data structures, program modules, or other data in modulated data signals such as carrier waves or other transmission mechanisms, and may include any information delivery medium.

[0191] This disclosure has disclosed exemplary embodiments, and although specific terminology has been used, it is for general illustrative purposes only and should not be construed as limiting. In some instances, it will be apparent to those skilled in the art that features, characteristics, and / or elements described in conjunction with particular embodiments may be used alone, or in combination with features, characteristics, and / or elements described in conjunction with other embodiments, unless otherwise expressly indicated. Therefore, those skilled in the art will understand that various changes in form and detail may be made without departing from the scope of this disclosure as set forth by the appended claims.

Claims

1. A firewall policy generation method, comprising: Obtain network topology information; The network topology information includes the nodes in the network and the relationships between the nodes, and the network includes at least two nodes; Upon receiving a selection instruction to select a first node and a second node from the nodes, the target path is determined based on the network topology information; The target path is a path that starts from the first node and ends at the second node, and the target path includes at least one firewall node. For the target path, in response to receiving the communication mode instruction, a firewall policy is generated.

2. The method according to claim 1, wherein, The acquisition of network topology information includes: In response to a candidate node being dragged to the display window, a corresponding display node is generated in the display window; In response to receiving a node association instruction, the association relationship of the display nodes corresponding to the node association instruction is generated, and a connection line connecting the corresponding display nodes is generated in the display window; The network topology information is determined based on the displayed nodes and their relationships in the display window.

3. The method according to claim 2, wherein, Also includes: In response to the configuration command, node parameters are configured for the display node; the node parameters include at least one of Internet Protocol address (IP address), port, protocol, style, and node type.

4. The method according to claim 2, wherein, The method further includes: In response to receiving a path echo command, the style of each display node corresponding to the path echo command is adjusted to an enhanced display style.

5. The method according to claim 2, wherein, The method further includes: The preset export function is called to convert the display nodes and the connecting lines into image data to obtain a network topology diagram.

6. The method according to claim 1, wherein, Determining the target path based on the network topology information includes: Based on the network topology information, determine all first paths that start from the first node; Receive path selection instructions; If the first path selected by the path selection instruction terminates at the second node and includes the firewall node, then the first path selected by the path selection instruction is determined as the target path.

7. The method according to claim 1, wherein, The communication mode instruction is used to indicate whether the communication mode corresponding to the target path is a one-way communication mode or a two-way communication mode. The step of generating a firewall policy in response to receiving a communication mode instruction includes: Extract each node, the relationships between the nodes, and the node parameters from the target path; Based on the nodes, the relationships, and the node data, a firewall policy is generated; the firewall policy satisfies the network security requirements corresponding to a one-way communication mode or the network security requirements corresponding to a two-way communication mode.

8. The method according to claim 1, wherein, The method further includes: Based on the network topology information, the firewall policy is executed to obtain firewall logs; The firewall logs are input into multiple preset network models to identify attack behaviors, and intermediate identification results are obtained for each network model. The intermediate identification results include a first probability value for the existence of attack behavior and a second probability value for the absence of attack behavior. If the sum of the first probability values ​​of each network model is greater than the sum of the second probability values ​​of each network model, the target identification result is determined to be an attack; if the sum of the first probability values ​​of each network model is less than or equal to the sum of the second probability values ​​of each network model, the target identification result is determined to be no attack.

9. The method according to claim 1, wherein, The method further includes: For the target path, a communication matrix entry for the target path is constructed based on the network topology information and the communication mode instruction; Display the communication matrix table composed of each of the aforementioned communication matrix entries; In response to receiving a download command, the communication matrix table is exported.

10. A server comprising a memory and a processor; the memory storing a computer program executable by the processor, wherein the computer program, when executed by the processor, implements the firewall policy generation method according to any one of claims 1 to 9.

11. A computer-readable medium having a computer program stored thereon, which, when executed by a processor, implements the firewall policy generation method of any one of claims 1 to 9.

12. A computer program product comprising a computer program that, when executed by a processor, implements the firewall policy generation method of any one of claims 1 to 9.