
Applying Association Rule and Change Mining Techniques for Firewall Policy Optimization

Abstract


Firewalls are the most common network protection equipment in enterprises. As the network environment changes, firewall policy rules must be updated continually to keep the firewall functioning properly. How to mine meaningful rules from firewall log records, select rules of different pattern types as the log records change, and then adjust the firewall policy rules accordingly is a topic worth studying. This study integrates association rule mining and change mining techniques and proposes the Change-Based Association Rule Mining (CBARM) method. First, meaningful rules are mined from the firewall log records; then change mining is used to identify three types of association rules with different patterns: emerging patterns, added patterns and perished patterns. Finally, the association rules of these different pattern types are applied to adjusting the firewall policy rules, thereby improving firewall efficiency. Experimental results show that the performance improvement of CBARM (the reduction in the number of packet comparisons) relative to the Apriori method is approximately 95.19% to 582.19%, or about 212.10% on average.

Abstract (English)


Purpose: A firewall is the network security system most frequently used by enterprises. Because of changes in the dynamic network environment, firewall policy rules must be constantly updated to maintain efficient firewall operation. Thus, the aim of this study is to optimize firewall policy rules and improve firewall efficiency by using association rules discovered in firewall logs.

Design/methodology/approach: This paper proposes change-based association rule mining (CBARM), which integrates association rule mining and change mining techniques, to discover meaningful firewall policy rules in firewall logs. Specifically, CBARM first determines pertinent association rules by using firewall logs from different time periods. Subsequently, the change mining technique is used to identify emerging, added, and perished patterns. Finally, the three types of patterns can be utilized to optimize the firewall policy rules and enhance firewall efficiency. The firewall logs were collected from a technology company in Central Taiwan. The total number of rules matched in the firewall was used as a performance measure.

Findings: The experimental results revealed that the proposed CBARM outperformed the Apriori approach, reducing the number of compared network packets with firewall policy rules by approximately 95.19% to 582.19%. On average, the performance of the proposed CBARM was 212.10% more effective than that of the Apriori approach.

Research limitations/implications: This study investigated the firewall logs from one company only. Evaluating the logs from other companies is critical for confirming validity. In addition, future studies can integrate other data mining and machine learning techniques to refine the performance of the proposed method.

Practical implications: Two practical implications are provided. First, the association rule mining technique is proven to derive useful firewall policy rules in firewall logs. Second, using the change mining technique can facilitate evaluating the generated rules and applying such rules to optimize firewall policy rules.

Originality/value: This study is the first to extend association rule mining and change mining techniques to the domain of firewall log analysis, creating a new approach to optimizing firewall policy rules.
