Because of firewall filter conflicts;filters may not be in accordance with administrators' meaning so that this leads to security vulnerabilities. Therefore we need correctness test to solve this problem. Most of the current test pack ets choice algorithms choose packets at random or from the apex of filters in the correctness test However these methods neglect the areas that contain conflicting filters and hence cannot detect all error produced by filter conflicts. This paper presented a test packets choice algorithm aiming at filter conflicts to address this problem. The algorithm treats two filters as the basic processed object and computes their area that contains conflicting filters. We not only choose test packets from the apex of filters but from the areas that contain conflicting filters as welL Compared to current test pack ets choice algorithms;the algorithm proposed by this paper can detect all error produced by filter conflicts with adding only a little packets. This paper proves the algorithm and experiments verify its good performance.%在防火墙规则集正确性测试中,现有的测试数据包选取算法大多随机选取数据包和从规则顶点选取数据包.然而,这种做法忽略了存在规则不一致性的区域,从而导致不能检测出所有因规则不一致性而产生的配置错误.针对这一情况,提出了一种针对规则集不一致性的测试数据包选取算法.该算法以两条规则为基本单位,计算其不一致性区域.算法不但从规则顶点选取数据包,而且从规则集不一致性区域选取数据包.测试表明,与常见测试数据包选取算法相比,该算法只需增加少量测试数据包,就能检测出所有因规则不一致性而带来的配置错误.
展开▼
