This is another Chinese publication translated to English, like the previous #434, #435, #437. This time, it is a patent rather than a research paper.
一种面向网络访问控制的规则描述方法及构建方法、介质
A description method, construction method, and medium for network access control rules
刘庆云 (Liu Qingyun), 郑超 (Zheng Chao)
Institute of Information Engineering, Chinese Academy of Sciences
Online English HTML
English PDF
Original Chinese PDF
Google Patents (English)
This patent application describes MAAT, a way of describing network access control rules; e.g. firewall rules. The application doesn't demonstrate a concrete syntax, but abstractly describes a way of constructing rules according to a specific hierarchy of three levels called "configurations" (配置). The three levels of a MAAT rule are ([0008]):
- Compilation configuration (编译配置)
- Grouping configuration (分组配置)
- Range configuration (域配置)
A compilation configuration consists of one or more grouping configurations (each grouping configuration optionally negated with a NOT), and is satisfied when all of its grouping configurations are satisfied. A grouping configuration consists of one or more range configurations and is satisfied when any of its range configurations is satisfied. A rule is thus an AND of ORs; i.e., a formula in conjunctive normal form (though the patent application does not use that term). Every configuration at every level additionally has its own "effective" flag so that it may be individually enabled or disabled ([0008], [0024]).
At the highest level, a compilation configuration is an AND of grouping configurations, each optionally negated: c = g1 & !g2 & !g3 & … & gn. A compilation configuration describes a strategy that should be executed when all the grouping configurations are matched. Examples of strategies include "allow", "block", "log", with configurable parameters ([0035]–[0038]).
At the intermediate level, a grouping configuration is an OR of range configurations: g = r1 | r2 | r3 | … | rn. One grouping configuration may be reused in many compilation configurations.
At the lowest level, a range configuration is a granular matching rule on a single network protocol field. It is a triple: (matching location, range type, matching content). Matching location names a protocol field, for example "HTTP host header" or "IP packet destination address". Range type specifies how the content is to be matched, for example by string equality or IP network membership (more examples of range types appear below). Matching content is what to match against: for example a string, a range of integers, or a hash value. Put simply, a range configuration is a predicate on a protocol field that can be flexibly defined. For unknown reasons, a given range configuration may appear in only one grouping configuration ([0013]).
Paragraphs [0042]–[0046] list examples of range configurations. (Confusingly, these paragraphs use the word "rule" (规则) to refer to a low-level range configuration. The same word "rule" is used elsewhere to refer to an entire hierarchy up to the highest level.)
[0042] 1. String rules to describe matching rules for strings; e.g., URLs or cookies that can be used to match HTTP traffic, or domain names in the DNS protocol. From the perspective of matching methods, the rules can be divided into single string matching (which may be subdivided into substring matching, right matching, left matching, and exact matching), AND expressions, regular expressions, and substring matching with offsets (i.e., rules that specify that a certain string appears in a certain position);
[0043] 2. IP address rules to match the transmission addresses of network data; e.g., detected TCP connections to harmful hosts. These include IPv4 addresses and IPv6 addresses, specifically described by information such as address type, source IP address, source IP mask, source port, source port mask, destination IP, destination IP mask, destination port, destination port mask, protocol (e.g., tcp or udp), and direction.
[0044] 3. Numerical rules to determine whether a numerical value, such as a file size, lies in a certain interval. These are described by two fields: numerical lower bound and numerical upper bound.
[0045] 4. Hash rules to match whether a file being transmitted is a match for a target, such as a Trojan horse, virus, or internal document. These determine whether the transmission data matches the rules based on the hash value. The hash values can be a cryptographic hash such as MD5 or SHA1 for an exact match, or a fuzzy hash for a similarity match.
[0046] 5. Other rules added as needed.
Paragraphs [0048]–[0058] give an example of the construction of a specific rule: "access to www.phishing-site.com and www.virus-site.com is blocked for the IP addresses 192.168.0.1 and 192.168.0.2, and an alert log is generated."
- c1 = g1 & g2
  - strategy = block, and generate an alert log
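To make the three-level hierarchy concrete, here is a small evaluator written for this post (my own code, not anything from the patent, which gives no concrete syntax). It encodes the example rule above as c1 = g1 & g2, adds a second rule that reuses g1 with a negated g2 and a numerical range, and runs both against a few constructed packets. The range type names, the field names such as `http.host` and `ip.src`, and the semantics of the "effective" flag (a disabled configuration is simply ignored by its parent) are my assumptions; the patent only says each level can be enabled or disabled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Tuple

Packet = Dict[str, Any]   # already-decoded protocol fields, keyed by matching location

# Range types: how the "matching content" is compared with a field value.
# The names are mine; the patent lists the categories but no concrete syntax.
RANGE_TYPES: Dict[str, Callable[[Any, Any], bool]] = {
    "exact":     lambda v, c: v == c,
    "left":      lambda v, c: v.startswith(c),    # "left matching" = prefix
    "right":     lambda v, c: v.endswith(c),      # "right matching" = suffix
    "substring": lambda v, c: c in v,
    "ip_in":     lambda v, c: ip_address(v) in ip_network(c),
    "interval":  lambda v, c: c[0] <= v <= c[1],  # numerical lower/upper bound
    "hash_eq":   lambda v, c: v.lower() == c.lower(),
}


@dataclass
class RangeConfig:
    """Lowest level: a predicate on one protocol field (location, type, content)."""
    location: str
    range_type: str
    content: Any
    effective: bool = True

    def matches(self, packet: Packet) -> bool:
        if self.location not in packet:
            return False            # field absent: the predicate cannot hold
        return RANGE_TYPES[self.range_type](packet[self.location], self.content)


@dataclass
class GroupingConfig:
    """Intermediate level: an OR of range configurations."""
    ranges: List[RangeConfig]
    effective: bool = True

    def matches(self, packet: Packet) -> bool:
        # Assumption: a disabled range configuration is ignored by its group.
        return any(r.matches(packet) for r in self.ranges if r.effective)


@dataclass
class CompilationConfig:
    """Highest level: an AND of optionally negated groups, plus a strategy."""
    groups: List[Tuple[GroupingConfig, bool]]  # (group, negated?)
    strategy: str
    effective: bool = True

    def matches(self, packet: Packet) -> bool:
        # Assumption: a disabled group is dropped from the AND. An AND with
        # no enabled groups is vacuously true, so a deployment should treat
        # such a rule as a misconfiguration rather than a match-everything.
        return all(g.matches(packet) != negated
                   for g, negated in self.groups if g.effective)


def evaluate(rules: List[CompilationConfig], packet: Packet) -> List[str]:
    """Return the strategies of every enabled rule whose formula matches."""
    return [c.strategy for c in rules if c.effective and c.matches(packet)]


def build_rules() -> List[CompilationConfig]:
    """The patent's worked example ([0048]-[0058]) as data, plus one extra
    rule (mine, not the patent's) that shows negation and a numerical range."""
    g1 = GroupingConfig([          # hosts to be blocked
        RangeConfig("http.host", "exact", "www.phishing-site.com"),
        RangeConfig("http.host", "exact", "www.virus-site.com"),
    ])
    g2 = GroupingConfig([          # clients the block applies to
        RangeConfig("ip.src", "ip_in", "192.168.0.1/32"),
        RangeConfig("ip.src", "ip_in", "192.168.0.2/32"),
    ])
    g3 = GroupingConfig([RangeConfig("file.size", "interval", (0, 1_000_000))])
    c1 = CompilationConfig([(g1, False), (g2, False)], strategy="block+alert")
    # c2 = g1 & !g2 & g3: same hosts, from any *other* client, small file -> log only.
    c2 = CompilationConfig([(g1, False), (g2, True), (g3, False)], strategy="log")
    return [c1, c2]


if __name__ == "__main__":
    # Constructed sample packets (decoded fields only, no real traffic).
    for pkt in ({"ip.src": "192.168.0.1", "http.host": "www.phishing-site.com"},
                {"ip.src": "10.0.0.5", "http.host": "www.virus-site.com", "file.size": 512},
                {"ip.src": "192.168.0.2", "http.host": "www.example.com"}):
        print(pkt, "->", evaluate(build_rules(), pkt))
```

Note that the evaluator returns every matching strategy rather than picking one; the patent does not say how conflicts between compilation configurations are resolved, so an implementer has to choose an ordering or priority scheme separately. Flipping a single range configuration's `effective` flag is enough to make a previously blocked client fall through, which is exactly the kind of per-leaf toggle [0024] describes.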
The strategy of a compilation configuration, separate from the matching formula, is reminiscent of the formalization of Tschantz et al. Section IV-B: "Each step of an attack corresponds to some sort of detection, or an action taken based on a previous detection."
The HTTP user agent strings "Chrome" and "11.8.1" appear in paragraph [0010]. There never seems to have been a release of Chrome with that version number, but Chrome 11 first appeared in 2011. The HTTP domain name ".emodao.com" in paragraph [0011] was, according to the Wayback Machine, a pornography forum that operated between 2005 and 2010. It seems to have been defunct in 2017, when this patent application was filed. It had a sub-forum dedicated to censorship circumvention. The class-C network 202.118.101.* in paragraph [0012] belongs to Tsinghua University in CERNET.
The term "grouping configuration" (分组配置) is instead written "configuration group" (配置分组) in Figure 1. The inconsistency exists in the original Chinese as well.