This is an English translation of patent application CN109391590, "一种面向网络访问控制的规则描述方法及构建方法、介质", filed in .
Posted .
(19) China National Intellectual Property Administration
(12) Patent application
Claims 1 page
Specification 4 pages
Drawings 1 page
A description method for network access control rules, characterized in that each rule comprises three levels, namely range configuration, grouping configuration, and compilation configuration; wherein a range configuration is used to describe the network behavior to be matched; a grouping configuration comprises many range configurations, that is, the grouping configuration is used to describe a set of network behaviors to be matched; and a compilation configuration is used to describe the strategy to be adopted when traffic conforms to the network behaviors described in the grouping configuration.
A rules description method according to claim 1, characterized in that one rule comprises many range configurations, and one range configuration belongs to only one grouping configuration; and that one grouping configuration may be reused in many different compilation configurations.
A rules description method according to either claim 1 or claim 2, characterized in that the many range configurations in a grouping configuration are in an “OR” relation, and the range configuration groups in a compilation configuration are in an “AND” or “NOT” relation.
A rules description method according to claim 1, characterized in that the range configuration is a fixed field in a network transmission protocol or network transmission data.
A rules description method according to claim 1, characterized in that the description information of a range configuration r comprises: matching location, range type, and matching content.
A rules description method according to claim 5, characterized in that the range type is a string, an IP address, a numerical interval, or a hash value.
A rules description method according to claim 1, characterized in that each of the range configurations, grouping configurations, and compilation configurations is provided with an “effective” flag.
A construction method for network access control rules, comprising the following steps:
Create a grouping configuration and assign a unique grouping configuration ID; then add range configurations within the grouping configuration and assign a range configuration ID to each range configuration, and store the corresponding relation between the range configuration ID and the grouping configuration ID; and determine the matching location and matching content of the range configuration;
Create a compilation configuration and assign a compilation configuration ID, establish a subordinate relation between the compilation configuration ID and the grouping configuration ID, and determine whether the range configuration groups in the compilation configuration are in “AND” or “NOT” relations.
A method according to claim 8, characterized in that the matching location is a field obtained by parsing a network transmission protocol or its payload.
A computer-readable storage medium for storing computer programs, characterized in that it stores computer programs and rules described by the rules description method according to any of claims 1 to 7, the computer program comprising instructions, and the instructions comprising the steps defined in the method according to any of claims 8 to 9.
A description method, construction method, and medium for network access control rules
In recent years, with the development of various types of technologies and an increasingly severe network security situation, enterprises and organizations have a strong demand for internal network access control.
In intrusion detection scenarios, in order to prevent internal users from accessing risky websites, such as phishing websites and Trojan horse websites, access to such websites will be prohibited by creating blacklists, for example. In data leakage prevention scenarios, in order to prevent important corporate data from being stolen by insiders or attackers, access control techniques are also used to prevent said problem.
There are currently two approaches to describing network access behaviors. One is based on attribute labeling, such as role-based access control (RBAC) or task-based access control (TBAC). The other is based on network behavioral characteristics, among which SNORT rules have been the most widely used. However, with an increasing complexity of rules, there are a large number of duplicate rules, such as a set of malicious IP addresses that are repeated in many SNORT rules, which affects the efficiency of rule execution and is not conducive to maintenance.
In view of the technical problems existing in the prior art, the purpose of the invention is to provide a description method, construction method, and medium for describing network access control rules. Based on the rules described in the invention, efficient, precise, and flexible access control can be realized. The rule description model of the invention is referred to as MAAT.
The invention contains two main aspects. (1) According to the characteristics of network access control scenarios, the rules are divided into three levels: compilation configuration, grouping configuration, and range configuration, wherein the range configuration is used to describe the access behavior, the grouping configuration is used to describe a set of access behaviors, and the compilation configuration is used to describe the strategy to be adopted when traffic conforms to the access behaviors. (2) From the perspective of optimizing execution efficiency and facilitating configuration management, the forms and combination relations of each type of configuration are defined.
The rules description method of the invention is shown in Figure 1, which includes the following contents:
In order to facilitate standardized description of rules, rules are divided into three levels: compilation configuration, grouping configuration, and range configuration. In order to facilitate structured storage and independent additions and deletions, each configuration has its own independent “effective” flag. Together, the three levels of configuration describe an access control rule, where the range configuration and grouping configuration describe the network behavior to be matched, and the compilation configuration describes the strategy to be adopted when the behavior is matched.
Range configuration is the finest-grained description of network access behaviors in an access control rule. Which fields of network transmission protocols or data are configured is determined by the granularity of access control. Range configuration types include: strings, IP addresses, numeric intervals, hash values, and others. Examples:
Example 1, the UserAgent in a specified HTTP protocol contains the substrings “Chrome” and “11.8.1”.
Example 2, the domain name in a specified HTTP protocol ends with “.emodao.com”.
Example 3, the specified client IP address belongs to the class-C network 202.118.101.*.
Grouping configuration describes a combination of many range configurations in an access control rule. It is a set of range configurations that contains an unlimited number of range configurations. A range configuration record belongs to only one grouping configuration.
Compilation configuration describes the strategy to be adopted when network access behavior matches an access control rule.
An access control rule comprises multiple of the three types of configuration under the following combination relations:
the multiple range configurations in a grouping configuration are in an “OR” relation;
the multiple range configuration groups in a compilation configuration are in “AND” or “NOT” relations;
a grouping configuration may be reused in multiple compilation configurations to facilitate access strategy development and increase the efficiency of rule usage. For example, a certain grouping configuration is a set of many IP addresses, which can prohibit IPs within that group from accessing many different URLs.
It can be formally described as below:
A range configuration r can be described as (matching location : range type : matching content).
A grouping configuration g can be described as (r1|r2|…|rn), and the Boolean operators can only be ‘OR’ operators. For example, there are two range configurations r1 and r2 in grouping configuration g1, where r1 = “URL in the HTTP protocol contains www.abc.com” and r2 = “URL in the HTTP protocol contains 1.html”. During matching, the following three input URLs will hit the grouping configuration g1: www.abc.com/1.html, www.abc.com/2.html, and www.efg.com/1.html.
A compilation configuration c can be described as c = (g1&g2&(!g3)&…&gn, strategy), where the Boolean operators can only be ‘AND’ operators or ‘NOT’ operators, and strategy denotes the strategy to be executed after a rule is hit.
Positive effects of the invention compared to the prior art:
The invention describes access control rules using a three-level model of compilation, grouping, and range, which can realize the Boolean operations of AND, OR, and NOT for network access characteristics. The utilization of the grouping reuse mechanism improves rule expression with limited rule capacity. Each level of rules has an independent “effective” flag, which makes it easy to make changes to the access control rules. It is formally guaranteed that there will be no false hits in any sub-rule loading order.
The storage of the rule description model of the invention may be in the form of a structured database table, row–column text file, or json-format text file.
The rules description method of the invention is described in detail below in conjunction with examples.
The construction of the access control rules of the invention includes the following three steps:
Construct characteristics of network access behaviors; i.e., the conditions to be met by the enforcement of access control rules.
Record the grouping configuration ID if an existing grouping configuration is reused; otherwise, create a grouping configuration and assign a unique grouping configuration ID to it.
Add a range configuration within the grouping configuration; for each range configuration the grouping configuration contains, assign to it a range configuration ID and store the relation between the range configuration ID and the grouping configuration ID to which the range configuration belongs; after that, determine the matching location and matching content for the range configuration.
Record said grouping configuration ID.
Go back to step a) if there are other conditions; otherwise, finish.
Assign a compilation configuration ID to establish a subordinate relation with the grouping configuration ID recorded in the previous step, and determine whether g or !g (NOT g) is used between range configuration groups.
Determine a strategy to be executed after the network behavior characteristics are matched, specifically including:
business classification for the management of rules;
modes of disposal, including banning, surveillance, release, etc., which can be flexibly expanded;
disposal parameters, including whether to record logs or blacklist, which can be flexibly expanded;
The number of groups is also included in the configuration, to overcome the problem that range configurations or grouping configurations in multiple tables in structured data storage cannot be atomically distributed, thus avoiding false hits.
It should be noted that the matching location is a specific field obtained after parsing a network transmission protocol and its payload. The number of matching locations is determined by the granularity of access control. For example, to control access to a certain phishing website phishing-site.com, the effective location can be defined to be the HOST field of the HTTP protocol, with the specific rule being the string “phishing-site.com”.
The specific contents can be categorized formally as follows:
String rules to describe matching rules for strings; e.g., URLs or cookies that can be used to match HTTP traffic, or domain names in the DNS protocol. From the perspective of matching methods, the rules can be divided into single string matching (which may be subdivided into substring matching, right matching, left matching, and exact matching), AND expressions, regular expressions, and substring matching with offsets (i.e., rules that specify that a certain string appears in a certain position);
IP address rules to match the transmission addresses of network data; e.g., detected TCP connections to harmful hosts. These include IPv4 addresses and IPv6 addresses, specifically described by information such as address type, source IP address, source IP mask, source port, source port mask, destination IP, destination IP mask, destination port, destination port mask, protocol (e.g., tcp or udp), and direction.
Numerical rules to determine whether a numerical value, such as a file size, lies in a certain interval. These are described by two fields: numerical lower bound and numerical upper bound.
Hash rules to match whether a file being transmitted is a match for a target, such as a Trojan horse, virus, or internal document. These determine whether the transmission data matches the rules based on the hash value. The hash values can be a cryptographic hash such as MD5 or SHA1 for an exact match, or a fuzzy hash for a similarity match.
Other rules added as needed.
For example, consider the following access control rule: Access to www.phishing-site.com and www.virus-site.com is blocked for the IP addresses 192.168.0.1 and 192.168.0.2, and an alert log is generated.
It is constructed as follows:
Construct characteristics of network access behaviors.
Create a grouping configuration ID = g1.
Add a range configuration within g1, assigning a range configuration ID = r1, and set r1 to be an IP rule with a matching location of client IP whose value is 192.168.0.1;
Add a range configuration within g1, assigning a range configuration ID = r2, and similarly, set r2 to be an IP rule with a matching location of client IP whose value is 192.168.0.2;
Create a grouping configuration ID = g2.
Add a range configuration within g2, assigning a range configuration ID = r3, and set r3 to be a string rule with a matching location of a URL in the HTTP protocol whose value is www.phishing-site.com, single-string matching, and the matching method is substring matching.
Add a range configuration within g2, assigning a range configuration ID = r4, and set r4 to be a string rule with a matching location of a URL in the HTTP protocol whose value is www.virus-site.com, single-string matching, and the matching method is substring matching.
Assign a compilation configuration ID = c1, which contains two groups, g1 and g2. The groups are in an AND relation; i.e., g1 & g2.
Set the strategy to be executed after matching c1 as: block, and generate an alarm log.
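As an added example (not the patent's own code), the formal model given earlier and the rule just constructed, in Python: g1 holds the two client IPs, g2 the two URLs, and c1 = (g1 & g2, block + alarm log); a second compilation configuration c2 is constructed here to show group reuse and a !g term, and the “effective” flag is honoured at every level. Field names such as client_ip and url, the method names and the traffic records are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class RangeConfig:
    """r = (matching location : range type : matching content), plus the 'effective' flag."""
    rid: str
    location: str              # assumed name of a parsed field, e.g. "url" or "client_ip"
    rtype: str                 # "string" or "ip" (the patent also lists numeric and hash)
    content: str               # substring to look for, or a CIDR network
    method: str = "substring"  # string rules: substring, left, right or exact
    effective: bool = True
    def hit(self, fields):
        v = fields.get(self.location)
        if not self.effective or v is None:   # disabled rule or field absent: no hit
            return False
        if self.rtype == "ip":
            return ipaddress.ip_address(v) in ipaddress.ip_network(self.content)
        return {"substring": self.content in v, "left": v.startswith(self.content),
                "right": v.endswith(self.content), "exact": v == self.content}[self.method]

@dataclass
class GroupConfig:
    """g = (r1 | r2 | ... | rn): a hit on any effective range configuration is a hit."""
    gid: str
    ranges: list
    effective: bool = True
    def hit(self, fields):
        return self.effective and any(r.hit(fields) for r in self.ranges)

@dataclass
class CompileConfig:
    """c = (g1 & g2 & (!g3) & ... & gn, strategy); each term is (group, negated)."""
    cid: str
    terms: list
    strategy: dict
    effective: bool = True
    def evaluate(self, fields):
        # every AND/NOT term must hold; the returned strategy is the action to execute
        if self.effective and all(g.hit(fields) != neg for g, neg in self.terms):
            return self.strategy
        return None

def build_rules():
    """c1 is the patent's worked rule; c2 (constructed) reuses g2 with !g1 to alert only."""
    g1 = GroupConfig("g1", [RangeConfig("r1", "client_ip", "ip", "192.168.0.1/32"),
                            RangeConfig("r2", "client_ip", "ip", "192.168.0.2/32")])
    g2 = GroupConfig("g2", [RangeConfig("r3", "url", "string", "www.phishing-site.com"),
                            RangeConfig("r4", "url", "string", "www.virus-site.com")])
    c1 = CompileConfig("c1", [(g1, False), (g2, False)], {"mode": "block", "log": "alarm"})
    c2 = CompileConfig("c2", [(g2, False), (g1, True)], {"mode": "surveillance", "log": "alarm"})
    return c1, c2
```

Clearing r3's flag removes only that behaviour from g2 while r4 keeps matching, which is the independent add/delete property the patent attributes to per-level “effective” flags.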
Configuration execution process: When network traffic arrives, the field information of the protocol is first obtained after message capture, flow reassembly, and protocol parsing. For example, for the HTTP protocol, the IP address, URL, referer, cookies and other information can be obtained. Each parsed field (range) is matched using the range configurations. If the matching result of a certain group of range configurations hits a certain compilation configuration’s strategy combination, that compilation configuration is returned and the action is executed according to the definition of its strategy.
The invention also provides a computer-readable storage medium for storing computer programs, characterized in that it stores a computer program and rules described by the rules description method, the computer program comprising instructions, and the instructions comprising the steps in the rule construction method.