An artificial intelligence-based firewall policy automatic optimization method

By using an AI-based automatic firewall policy optimization method, redundancy, conflicts, and blind spots in firewall policies are automatically identified and optimized, solving the problems of low efficiency and reliance on experience in existing technologies, and achieving efficient and secure policy management.

CN122339844APending Publication Date: 2026-07-03BEIJING ZHENGYANG TIANCHENG TECH DEV CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING ZHENGYANG TIANCHENG TECH DEV CO LTD
Filing Date
2026-06-02
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing firewall systems suffer from inefficient policy management, reliance on experience, inability to automate optimization, lack of dynamic adaptability and intelligent decision-making, resulting in high operation and maintenance costs and increased security risks.

Method used

Using an artificial intelligence-based approach, traffic data and rule-hitting information are collected and preprocessed. Algorithms such as time series decomposition, frequent itemset mining, and lightweight gradient boosting decision tree models are used to automatically identify redundancy, conflicts, and blind spots, generate optimization suggestions, and automatically execute optimizations after administrator review or authorization.

Benefits of technology

It enables automated and intelligent firewall policy optimization, reducing administrator workload, improving security and performance, dynamically adapting to business changes, and reducing the risk of human error.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122339844A_ABST
    Figure CN122339844A_ABST
Patent Text Reader

Abstract

The application discloses a kind of based on artificial intelligence's firewall policy automatic optimization method, comprising: collecting firewall traffic data and rule hit information obtains original traffic log, obtains standardized traffic data after pre-processing, obtains structured policy data by parsing policy configuration, according to standardized traffic data and structured policy data, executes rule activity analysis, redundancy detection, conflict detection and coverage blind area analysis, generates optimization suggestion according to analysis result and automatically executes policy optimization, executes rollback and feedback operation after execution.The application can automatically identify and clean invalid policy, merge redundant policy, detect policy conflict and supplement coverage blind area, improve firewall performance, reduce management cost, enhance security, realize the adaptive intelligent optimization of policy.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of computer network and network security technology, and in particular relates to an automatic optimization method for firewall policies based on artificial intelligence. Background Technology

[0002] In enterprise firewall systems, as the scale of enterprise networks continues to expand, the number of access control policies increases dramatically. A large number of redundant, conflicting, outdated, or even invalid policies remain in the configuration for a long time, leading to a decline in firewall performance, an increase in security risks, and difficulties in operation and maintenance management.

[0003] Currently, the main technologies related to policy management in firewall systems include the following solutions: 1. Manual Audit: Security experts periodically export configurations and manually analyze them one by one. This method is time-consuming, error-prone, and relies on expert experience. For large networks with thousands of policies, a complete audit may take several weeks.

[0004] 2. Static analysis tools: These tools analyze rules based on their logical relationships, such as using set operations to detect redundancy and conflicts. However, this method cannot determine whether a rule is actually being used by traffic, and it is easy to misjudge rules that may be useful but have not been used recently as useless.

[0005] 3. Policy Hit Count: Some firewalls offer a "policy hit count" function. By counting the number of traffic packets matched by each rule, administrators can determine whether a rule is active and then manually clean it up. However, this method still requires manual intervention and cannot automatically complete the optimization operation.

[0006] The aforementioned prior art has the following disadvantages: 1. Inefficiency: Manual auditing or relying on hit counts requires administrators to invest a significant amount of time, making it difficult to cope with frequently changing business needs. For large networks with thousands of policies, manual optimization is virtually impossible.

[0007] 2. Reliance on experience: Detecting policy conflicts requires professional knowledge, and ordinary operation and maintenance personnel may not be able to discover potential problems, resulting in long-term security risks.

[0008] 3. Lack of automation: Existing solutions can only provide suggestions and cannot automatically perform optimizations. Administrators still need to manually adjust the configuration, which poses a risk of misoperation.

[0009] 4. Lack of dynamic adaptability: The effectiveness of a strategy often changes with business needs. Static analysis cannot be combined with real-time traffic trends for optimization, resulting in optimization results lagging behind business changes.

[0010] 5. Lack of intelligent decision-making: Existing solutions cannot intelligently determine the "true effectiveness" of strategies based on historical traffic data. For example, some rules may not have been hit recently, but they will only be triggered under specific conditions. Simply deleting them may lead to business interruption.

[0011] Therefore, how to automatically, efficiently, and intelligently optimize firewall policies, reduce operation and maintenance costs, and improve security and device performance is a technical problem that urgently needs to be solved. Summary of the Invention

[0012] To address the aforementioned technical problems, this invention proposes an automatic firewall policy optimization method based on artificial intelligence, thereby resolving the issues present in the prior art.

[0013] To achieve the above objectives, this invention provides an artificial intelligence-based automatic firewall policy optimization method, comprising: Collect traffic data and rule hit information from the firewall data plane to obtain raw traffic logs; The raw traffic logs are preprocessed to obtain standardized traffic data; Parse the currently effective firewall policy configuration to obtain structured policy data; Based on the standardized traffic data and the structured policy data, an artificial intelligence algorithm is used to perform intelligent policy analysis to obtain analysis results; the intelligent policy analysis includes rule activity analysis, redundancy detection, conflict detection, and coverage blind spot analysis. Optimization suggestions are generated based on the analysis results; Automatically execute strategy optimization based on the aforementioned optimization suggestions; After performing policy optimization, rollback and feedback operations are performed to complete the automatic optimization of firewall policies based on artificial intelligence.

[0014] Optionally, traffic data and rule hit information in the firewall data plane are collected, including: capturing the five-tuple information of each traffic flow, the matching rule ID, the processing action and the timestamp in real time, and writing the captured data into shared memory as the raw traffic log.

[0015] Optionally, the preprocessing of the raw traffic logs includes: performing log cleaning, IP segment merging, port service mapping, and time window division on the raw traffic logs to obtain the standardized traffic data.

[0016] Optionally, the rule activity analysis process includes: The time series decomposition algorithm is used to decompose the historical hit count time series of each rule into trend, seasonal and residual terms, identify the periodic activity patterns of the rules, and mark the rules that have no hits for 90 consecutive days and have no significant periodic pattern as potentially expired rules.

[0017] Optionally, the redundancy detection process includes: A frequent itemset mining algorithm is used to extract frequent itemsets from the standardized traffic data. The frequent itemsets are combinations of communication pairs whose support meets preset requirements. The frequent itemsets are matched with the structured policy data. When at least three rules cover the same frequent itemset and have the same action, it is determined to be redundant and a merging suggestion is generated.

[0018] Optionally, the collision detection process includes: Based on the structured strategy data, rule condition intersection analysis is performed to statically identify candidate conflict rule pairs with overlapping conditions and inconsistent actions; a lightweight gradient boosting decision tree model is used to rank the candidate conflict rule pairs by severity, and conflict detection results are output in order of severity score.

[0019] Optionally, the process of coverage blind spot analysis includes: Traffic that is not matched by any rules is extracted from the standardized traffic data. This traffic is then clustered by network segment and service. A risk assessment is conducted based on traffic volume, service criticality, source credibility, and duration. Supplementary strategy recommendations are automatically generated based on the comprehensive score.

[0020] Optionally, the process of generating optimization suggestions based on the analysis results includes: Suggestions are output in the order of priority: deleting invalid rules, correcting conflicting rules, merging redundant rules, and adding supplementary rules. The automatic execution of policy optimization based on the optimization suggestions includes: one-click execution after administrator approval or automatic execution after authorization, and backing up the current configuration before automatic execution.

[0021] This invention also provides an artificial intelligence-based automatic firewall policy optimization system for implementing the above method, comprising: The data acquisition module is used to capture traffic quintuples and rule hit information in real time and output raw traffic logs; The data preprocessing module, connected to the data acquisition module, is used to perform log cleaning, IP segment merging, port service mapping, and time window division on the raw traffic logs, and output standardized traffic data. The policy configuration parsing module is used to periodically read firewall policies, convert them into structured data, and output structured policy data. The strategy intelligent analysis module is connected to the data preprocessing module and the strategy configuration parsing module, respectively, and is used to perform strategy intelligent analysis based on the standardized traffic data and the structured strategy data, and output optimization suggestions; An optimization execution module is connected to the strategy intelligent analysis module and is used to automatically perform strategy optimization based on the optimization suggestions. The rollback and feedback closed-loop module is connected to the optimization execution module and the strategy intelligent analysis module. It is used to back up the configuration before executing the strategy optimization, support one-click rollback, and monitor the effect after execution and feed it back to the strategy intelligent analysis module.

[0022] Optionally, the strategy intelligent analysis module includes: The activity analysis unit is used to mark potential expired rules using a time series decomposition algorithm; A redundancy detection unit is used to identify redundant rules and generate merging suggestions using a frequent itemset mining algorithm. The conflict detection unit is used to rank candidate conflict pairs by severity using static intersection analysis combined with a lightweight gradient boosting decision tree model. The blind spot analysis unit is used to cluster and perform four-dimensional risk assessment on traffic that has not been hit, and to generate supplementary suggestions.

[0023] Compared with the prior art, the present invention has the following advantages and technical effects: 1. Improve operational efficiency: Automatically identify invalid policies, reducing the workload of manual auditing for administrators. Taking a medium-sized network with 2000 policies as an example, manual auditing would require two people per week, while this solution can complete the analysis and generate suggestions within 10 minutes.

[0024] 2. Enhance security: Promptly remove expired policies to avoid security vulnerabilities; detect and correct policy conflicts to prevent rule bypass; reduce security risks through coverage blind spot analysis.

[0025] 3. Optimize system performance: Reduce the number of redundant policies to lower firewall CPU and memory consumption. On a certain model of firewall in the company, tests were conducted using simulated mixed traffic (including HTTP, SQL injection, port scanning, etc.). The results showed that reducing the number of policies by 30% improved the firewall's new connection performance by 10%-15%.

[0026] 4. Dynamically adapt to business changes: The AI ​​engine continuously learns traffic trends, ensuring that strategy configurations always match current business needs and preventing strategy rigidity.

[0027] 5. Reduce the risk of human error: Scripts can be generated for review before automated execution, and a one-click rollback mechanism is provided to avoid accidental operation.

[0028] 6. High scalability: This solution is not only applicable to firewall policy optimization, but can also be extended to policy optimization of other network devices. Attached Figure Description

[0029] The accompanying drawings, which form part of this application, are used to provide a further understanding of this application. The illustrative embodiments and descriptions of this application are used to explain this application and do not constitute an undue limitation of this application. In the drawings: Figure 1 This is a flowchart of a method according to an embodiment of the present invention; Figure 2 This is a system module architecture diagram of an embodiment of the present invention. Detailed Implementation

[0030] It should be noted that, unless otherwise specified, the embodiments and features described in this application can be combined with each other. This application will now be described in detail with reference to the accompanying drawings and embodiments.

[0031] It should be noted that the steps shown in the flowchart in the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in a different order than that shown here.

[0032] Example 1 like Figure 1 As shown, this embodiment provides an automatic firewall policy optimization method based on artificial intelligence, including: Collect traffic data and rule hit information from the firewall data plane to obtain raw traffic logs; The raw traffic logs are preprocessed to obtain standardized traffic data; Parse the currently effective firewall policy configuration to obtain structured policy data; Based on the standardized traffic data and the structured policy data, an artificial intelligence algorithm is used to perform intelligent policy analysis to obtain analysis results; the intelligent policy analysis includes rule activity analysis, redundancy detection, conflict detection, and coverage blind spot analysis. Optimization suggestions are generated based on the analysis results; Automatically execute strategy optimization based on the aforementioned optimization suggestions; After performing policy optimization, rollback and feedback operations are performed to complete the automatic optimization of firewall policies based on artificial intelligence.

[0033] Collect traffic data and rule hit information from the firewall data plane, including: capturing the five-tuple information of each traffic flow, the matching rule ID, the processing action and the timestamp in real time, and writing the captured data into shared memory as the raw traffic log.

[0034] The preprocessing of the raw traffic logs includes: performing log cleaning, IP segment merging, port service mapping, and time window division on the raw traffic logs to obtain the standardized traffic data.

[0035] The process of rule activity analysis includes: The time series decomposition algorithm is used to decompose the historical hit count time series of each rule into trend, seasonal and residual terms, identify the periodic activity patterns of the rules, and mark the rules that have no hits for 90 consecutive days and have no significant periodic pattern as potentially expired rules.

[0036] The redundancy detection process includes: A frequent itemset mining algorithm is used to extract frequent itemsets from the standardized traffic data. The frequent itemsets are combinations of communication pairs whose support meets preset requirements. The frequent itemsets are matched with the structured policy data. When at least three rules cover the same frequent itemset and have the same action, it is determined to be redundant and a merging suggestion is generated.

[0037] The collision detection process includes: Based on the structured strategy data, rule condition intersection analysis is performed to statically identify candidate conflict rule pairs with overlapping conditions and inconsistent actions; a lightweight gradient boosting decision tree model is used to rank the candidate conflict rule pairs by severity, and conflict detection results are output in order of severity score.

[0038] The process of coverage blind spot analysis includes: Traffic that is not matched by any rules is extracted from the standardized traffic data. This traffic is then clustered by network segment and service. A risk assessment is conducted based on traffic volume, service criticality, source credibility, and duration. Supplementary strategy recommendations are automatically generated based on the comprehensive score.

[0039] The process of generating optimization suggestions based on the analysis results includes: Suggestions are output in the order of priority: deleting invalid rules, correcting conflicting rules, merging redundant rules, and adding supplementary rules. The automatic execution of policy optimization based on the optimization suggestions includes: one-click execution after administrator approval or automatic execution after authorization, and backing up the current configuration before automatic execution.

[0040] like Figure 2 As shown, this embodiment also provides an artificial intelligence-based automatic firewall policy optimization system for implementing the above method, including: The data acquisition module is used to capture traffic quintuples and rule hit information in real time and output raw traffic logs; The data preprocessing module, connected to the data acquisition module, is used to perform log cleaning, IP segment merging, port service mapping, and time window division on the raw traffic logs, and output standardized traffic data. The policy configuration parsing module is used to periodically read firewall policies, convert them into structured data, and output structured policy data. The strategy intelligent analysis module is connected to the data preprocessing module and the strategy configuration parsing module, respectively, and is used to perform strategy intelligent analysis based on the standardized traffic data and the structured strategy data, and output optimization suggestions; An optimization execution module is connected to the strategy intelligent analysis module and is used to automatically perform strategy optimization based on the optimization suggestions. The rollback and feedback closed-loop module is connected to the optimization execution module and the strategy intelligent analysis module. It is used to back up the configuration before executing the strategy optimization, support one-click rollback, and monitor the effect after execution and feed it back to the strategy intelligent analysis module.

[0041] The strategy intelligent analysis module includes: The activity analysis unit is used to mark potential expired rules using a time series decomposition algorithm; A redundancy detection unit is used to identify redundant rules and generate merging suggestions using a frequent itemset mining algorithm. The conflict detection unit is used to rank candidate conflict pairs by severity using static intersection analysis combined with a lightweight gradient boosting decision tree model. The blind spot analysis unit is used to cluster and perform four-dimensional risk assessment on traffic that has not been hit, and to generate supplementary suggestions.

[0042] 1. Data acquisition module; Traffic feature collection points are embedded in the firewall data plane to capture the five-tuple information (source IP, destination IP, protocol, source port, destination port), matching rule ID, processing action, timestamp, and other information for each traffic item in real time. The collected data is written to shared memory for the control plane to read.

[0043] 2. Data preprocessing module; Preprocess the raw traffic logs: Log cleaning: Filter out invalid records, such as empty packets, error packets, etc.

[0044] IP segment merging: Aggregating discrete IP addresses into network segments to reduce data dimensionality.

[0045] Port service mapping: Mapping discrete ports to service types (e.g., mapping 80 to HTTP) to facilitate subsequent pattern recognition.

[0046] Time window segmentation: Traffic data is aggregated by hour to form time series data.

[0047] 3. Strategy configuration parsing module; Periodically read the currently effective access control policy configuration of the firewall, parse the matching conditions (source IP range, destination IP range, port range, protocol type, time range, etc.), action, priority, and enabled status of each rule, and convert them into structured data and store them in the policy database.

[0048] 4. Strategic intelligent analysis module; This module employs multiple machine learning algorithms to comprehensively analyze traffic logs and policy configurations: 4.1 Rule Activity Analysis; A time series decomposition algorithm is used to decompose the historical hit count time series of each rule into trend, seasonal, and residual terms. Periodic activity patterns of the rules are identified (such as traffic peaks at the end of each month or quarter). Rules with no hits for 90 consecutive days and no significant periodic pattern are marked as "potentially expired rules".

[0049] 4.2 Rule redundancy detection; A frequent itemset mining algorithm is used to extract frequently occurring communication pairs from traffic logs. These frequent itemsets are then matched with policy rules; if three or more rules cover the same frequent itemset and have identical actions, it is considered redundant. Merging suggestions are provided, generating a new merged rule expression. (Note: "Frequent itemset" refers to a combination of communication pairs (source IP range, destination IP range, protocol, destination port) that frequently appear in the traffic logs.) 4.3 Rule conflict detection; First, through rule condition intersection analysis, candidate conflicting rule pairs with overlapping conditions and inconsistent actions are statically identified (rule conflict is essentially static, determined by whether conditions overlap and actions are consistent, and is unrelated to whether traffic hits). Based on this, a lightweight gradient boosting decision tree (LightGBM) is used as the ranking model to rank the candidate conflicting rule pairs by severity. The model uses the attributes of conflicting rule pairs (priority difference, traffic hit ratio, condition overlap ratio, rule creation time difference, etc.) as features to learn the actual business impact of each conflict pair. After training, the model outputs a severity score (0-1) for each candidate conflict pair; a higher score indicates a greater impact on actual business and requires priority handling. The system outputs conflict detection results from high to low scores and provides suggestions for priority adjustment or condition refinement.

[0050] 4.4 Strategy Coverage Blind Spot Analysis; Analyze traffic not matched by any rules, clustering it by source IP segment, destination IP segment, and service. Assess the traffic risk under default actions and suggest whether supplementary strategies are needed. The risk assessment comprehensively considers factors such as traffic volume (daily traffic ≥1000 packets or ≥5% of traffic is considered high risk), service criticality, source credibility, and duration. Based on the comprehensive score, decide whether to automatically generate supplementary strategy suggestions.

[0051] The strategy intelligent analysis module outputs optimization suggestions, as shown in the example below: multiple suggestions are arranged in priority order: delete invalid rules > correct conflicting rules > merge redundant rules > add supplementary rules, and within the same level, they are sorted by risk score.

[0052] Deletion rule ID 101: No matching traffic within 90 days, no periodic pattern; Merge rule IDs 105, 106, and 107: all allow department A to access business system B, it is recommended to merge them into one rule; Rule IDs 110 and 111 are conflicting; it is recommended to adjust their priority or modify the condition range. Add rule ID: A large amount of traffic from network segment C to server D was detected that was not covered by the policy. It is recommended to add an allow rule (here, "large amount" means daily traffic ≥ 1000 packets, and the threshold is configurable).

[0053] 6. Automated execution module (optimized execution module); Supports two modes: Recommended mode: Generate an optimization report, display it through a web interface, and allow administrators to review and execute it with one click; Automatic mode: Automatically applies optimization suggestions under administrator authorization, and supports phased rollout.

[0054] 7. Rollback and feedback closed-loop module; Automatically back up the current configuration before each optimization execution; Supports one-click rollback; After optimization, continuous monitoring is performed to evaluate the optimization effect, and the results are fed back to the artificial intelligence engine for model iteration.

[0055] 8. Compatibility and scalability design; The newly added AI analysis module is independent of the original strategy management module and does not affect existing functions. It adopts a modular design and can be expanded in the future to support policy optimization for other network devices.

[0056] End-to-end implementation; Taking the optimization of a company's firewall policy as an example, the policy library contains 2,000 rules, covering 8 departments and 4 security domains.

[0057] (1) Data collection: The firewall data plane captures traffic quintuples and rule IDs in real time. About 5 million records are collected in a week, of which 4.85 million are effective after cleaning, and 1,987 effective rules are parsed.

[0058] (2) Activity analysis: The time-series decomposition algorithm analyzed 1987 rules. 152 rules that had no hits for 90 consecutive days were marked as "potentially expired". 23 rules that showed periodic activity at the end of the month (related to the financial system) were retained.

[0059] (3) Redundancy detection: The FP-Growth algorithm (1% support) extracted 87 frequently communicating pairs and found 14 redundant pairs (involving 57 rules). For example, rule IDs 105 / 106 / 107 all allow "R&D Department (10.1.1.0 / 24) → Test Server (10.2.3.0 / 24): SSH", which is merged into one rule; rule IDs 201 / 202 / 203 all reject "any → Financial System (10.3.0.0 / 16)", which is merged into one rule. It is expected to reduce 43 rules.

[0060] (4) Conflict detection: Static intersection analysis revealed 23 candidate conflict pairs. LightGBM assessed the severity: the conflict interval "10.1.2.0 / 24→10.5.0.0 / 16:80" between rule ID110 (allow 10.1.0.0 / 16→any:80) and rule ID 111 (reject 10.1.2.0 / 24→10.5.0.0 / 16:any) scored 0.82 (120,000 hits in 30 days); 3 pairs with scores <0.1 were only filed.

[0061] (5) Blind spot analysis: Clustering identified 12 blind spots. "External IP → DMZ file server (10.4.5.0 / 24):HTTPS" daily traffic 3200 packets (6.8%), risk score 78 points, automatic generation of supplementary strategies; 5 blind spots with scores <40 points are only reported.

[0062] (6) Optimize execution: By priority (delete 152 items → fix 2 groups of high conflicts → merge 14 groups → add 6 items), the number of policies is reduced to 1798 after one-click execution (reduction of 9.5%), and automatic backup supports rollback.

[0063] (7) Effect verification: 7 days of monitoring showed that the performance of newly established connections improved by 12%, conflict alarms were cleared, blind zone traffic decreased from 8.2% to 1.1%, and audit time decreased from 16 hours / week to 2 hours / week.

[0064] This invention combines AI-driven joint analysis of traffic logs and policy configuration: it not only statically analyzes rules, but also judges the validity and conflict of rules through actual traffic data to avoid misjudgments.

[0065] This invention is based on the identification of periodic active rules by time series decomposition: it uses a time series decomposition algorithm to identify the periodic active patterns of rules, avoiding the mistaken deletion of "low-frequency but necessary" rules.

[0066] This invention is based on redundancy detection in frequent itemset mining: by analyzing actual communication pairs, it accurately identifies the overlap of rule coverage and proposes scientific merging suggestions.

[0067] This invention is a conflict detection based on a static analysis and ranking model: First, candidate conflict pairs are statically identified through rule condition intersection analysis (the essence of conflict is determined by the overlap of conditions, which is unrelated to whether the traffic hits the target). Then, the LightGBM model is used to score and rank the conflict pairs according to their severity, and the conflicts that have the greatest impact on actual business are processed first.

[0068] This invention features an automated execution and feedback loop: it supports the automatic application of optimization suggestions and forms a feedback loop through continuous monitoring, thereby continuously improving the accuracy of the model.

[0069] This invention features minimal modifications and high compatibility: the AI ​​analysis module is designed independently, without affecting the original strategy management function, and the upgrade is smooth.

[0070] The above are merely preferred embodiments of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A method for automatically optimizing firewall policies based on artificial intelligence, characterized in that, Includes the following steps: Collect traffic data and rule hit information from the firewall data plane to obtain raw traffic logs; The raw traffic logs are preprocessed to obtain standardized traffic data; Parse the currently effective firewall policy configuration to obtain structured policy data; Based on the standardized traffic data and the structured policy data, an artificial intelligence algorithm is used to perform intelligent policy analysis to obtain analysis results; the intelligent policy analysis includes rule activity analysis, redundancy detection, conflict detection, and coverage blind spot analysis. Optimization suggestions are generated based on the analysis results; Automatically execute strategy optimization based on the aforementioned optimization suggestions; After performing policy optimization, rollback and feedback operations are performed to complete the automatic optimization of firewall policies based on artificial intelligence.

2. The automatic firewall policy optimization method based on artificial intelligence according to claim 1, characterized in that, Collect traffic data and rule hit information from the firewall data plane, including: capturing the five-tuple information of each traffic flow, the matching rule ID, the processing action and the timestamp in real time, and writing the captured data into shared memory as the raw traffic log.

3. The automatic firewall policy optimization method based on artificial intelligence according to claim 1, characterized in that, The preprocessing of the raw traffic logs includes: performing log cleaning, IP segment merging, port service mapping, and time window division on the raw traffic logs to obtain the standardized traffic data.

4. The automatic optimization method for firewall policies based on artificial intelligence according to claim 1, characterized in that, The process of rule activity analysis includes: The time series decomposition algorithm is used to decompose the historical hit count time series of each rule into trend, seasonal and residual terms, identify the periodic activity patterns of the rules, and mark the rules that have no hits for 90 consecutive days and have no significant periodic pattern as potentially expired rules.

5. The automatic firewall policy optimization method based on artificial intelligence according to claim 1, characterized in that, The redundancy detection process includes: A frequent itemset mining algorithm is used to extract frequent itemsets from the standardized traffic data. The frequent itemsets are combinations of communication pairs whose support meets preset requirements. The frequent itemsets are matched with the structured policy data. When at least three rules cover the same frequent itemset and have the same action, it is determined to be redundant and a merging suggestion is generated.

6. The automatic firewall policy optimization method based on artificial intelligence according to claim 1, characterized in that, The collision detection process includes: Based on the structured strategy data, rule condition intersection analysis is performed to statically identify candidate conflict rule pairs with overlapping conditions and inconsistent actions; a lightweight gradient boosting decision tree model is used to rank the candidate conflict rule pairs by severity, and conflict detection results are output in order of severity score.

7. The automatic firewall policy optimization method based on artificial intelligence according to claim 1, characterized in that, The process of coverage blind spot analysis includes: Traffic that is not matched by any rules is extracted from the standardized traffic data. This traffic is then clustered by network segment and service. A risk assessment is conducted based on traffic volume, service criticality, source credibility, and duration. Supplementary strategy recommendations are automatically generated based on the comprehensive score.

8. The automatic optimization method for firewall policies based on artificial intelligence according to claim 1, characterized in that, The process of generating optimization suggestions based on the analysis results includes: Suggestions are output in the order of priority: deleting invalid rules, correcting conflicting rules, merging redundant rules, and adding supplementary rules. The automatic execution of policy optimization based on the optimization suggestions includes: one-click execution after administrator approval or automatic execution after authorization, and backing up the current configuration before automatic execution.

9. An artificial intelligence-based automatic firewall policy optimization system, used to implement the method described in any one of claims 1-8, characterized in that, include: The data acquisition module is used to capture traffic quintuples and rule hit information in real time and output raw traffic logs; The data preprocessing module, connected to the data acquisition module, is used to perform log cleaning, IP segment merging, port service mapping, and time window division on the raw traffic logs, and output standardized traffic data. The policy configuration parsing module is used to periodically read firewall policies, convert them into structured data, and output structured policy data. The strategy intelligent analysis module is connected to the data preprocessing module and the strategy configuration parsing module, respectively, and is used to perform strategy intelligent analysis based on the standardized traffic data and the structured strategy data, and output optimization suggestions; An optimization execution module is connected to the strategy intelligent analysis module and is used to automatically perform strategy optimization based on the optimization suggestions. The rollback and feedback closed-loop module is connected to the optimization execution module and the strategy intelligent analysis module. It is used to back up the configuration before executing the strategy optimization, support one-click rollback, and monitor the effect after execution and feed it back to the strategy intelligent analysis module.

10. The system of claim 9, wherein, The strategy intelligent analysis module includes: The activity analysis unit is used to mark potential expired rules using a time series decomposition algorithm; A redundancy detection unit is used to identify redundant rules and generate merging suggestions using a frequent itemset mining algorithm. The conflict detection unit is used to rank candidate conflict pairs by severity using static intersection analysis combined with a lightweight gradient boosting decision tree model. The blind spot analysis unit is used to cluster and perform four-dimensional risk assessment on traffic that has not been hit, and to generate supplementary suggestions.