[English translation] A description method, construction method, and medium for network access control rules (patent application CN109391590, 2017)
#444
A description method, construction method, and medium for network access control rules
刘庆云 (Liu Qingyun), 郑超 (Zheng Chao) Institute of Information Engineering, Chinese Academy of Sciences
This patent application describes MAAT, a way of describing network access control rules; e.g. firewall rules. The application doesn't demonstrate a concrete syntax, but abstractly describes a way of constructing rules according to a specific hierarchy of three levels called "configurations" (配置). The three levels of a MAAT rule are ([0008]):
Compilation configuration (编译配置)
Grouping configuration (分组配置)
Range configuration (域配置)
A compilation configuration consists of one or more grouping configurations (each grouping configuration optionally negated with a NOT), and is satisfied when all of its grouping configurations are satisfied. A grouping configuration consists of one or more range configurations and is satisfied when any of the range configurations is satisfied. A rule is thus an AND of ORs; i.e., a formula in conjunctive normal form (though the patent application does not use that term). Every configuration at every level additionally has its own "effective" flag so that it may be individually enabled or disabled ([0008], [0024]).
At the highest level, a compilation configuration is an AND of grouping configurations, each optionally negated: c = g1 & !g2 & !g3 & … & gn. A compilation configuration describes a strategy that should be executed when all the grouping configurations are matched. Examples of strategies include "allow", "block", "log", with configurable parameters ([0035]–[0038]).
At the intermediate level, a grouping configuration is an OR of range configurations: g = r1 | r2 | r3 | … | rn. One grouping configuration may be reused in many compilation configurations.
At the lowest level, a range configuration is a granular matching rule on a single network protocol field. It is a triple: (matching location, range type, matching content). Matching location names a protocol field, for example "HTTP host header", or "IP packet destination address". Range type specifies how the content is to be matched, for example by string equality, or IP network membership (more examples of range types appear below). Matching content is what to match against: for example a string, a range of integers, or a hash value. Put simply, a range configuration is a predicate on a protocol field that can be flexibly defined. For unknown reasons, a given range configuration may appear in only one grouping configuration ([0013]).
Paragraphs [0042]–[0046] list examples of range configurations. (Confusingly, these paragraphs use the word "rule" (规则) to refer to a low-level range configuration. The same word "rule" is used elsewhere to refer to an entire hierarchy up to the highest level.)
[0042] 1. String rules to describe matching rules for strings; e.g., URLs or cookies that can be used to match HTTP traffic, or domain names in the DNS protocol. From the perspective of matching methods, the rules can be divided into single string matching (which may be subdivided into substring matching, right matching, left matching, and exact matching), AND expressions, regular expressions, and substring matching with offsets (i.e., rules that specify that a certain string appears in a certain position);
[0043] 2. IP address rules to match the transmission addresses of network data; e.g., detected TCP connections to harmful hosts. These include IPv4 addresses and IPv6 addresses, specifically described by information such as address type, source IP address, source IP mask, source port, source port mask, destination IP, destination IP mask, destination port, destination port mask, protocol (e.g., tcp or udp), and direction.
[0044] 3. Numerical rules to determine whether a numerical value, such as a file size, lies in a certain interval. These are described by two fields: numerical lower bound and numerical upper bound.
[0045] 4. Hash rules to match whether a file being transmitted is a match for a target, such as a Trojan horse, virus, or internal document. These determine whether the transmission data matches the rules based on the hash value. The hash values can be a cryptographic hash such as MD5 or SHA1 for an exact match, or a fuzzy hash for a similarity match.
[0046] 5. Other rules added as needed.
Paragraphs [0048]–[0058] give an example of the construction of a specific rule: "access to www.phishing-site.com and www.virus-site.com is blocked for the IP addresses 192.168.0.1 and 192.168.0.2, and an alert log is generated."
c1 = g1 & g2; strategy = block, and generate an alert log
g1 = r1 | r2
r1 = (client IP address, IP address equality, 192.168.0.1)
r2 = (client IP address, IP address equality, 192.168.0.2)
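An added example, not from the patent application or the post above: a small Python model of the three-level hierarchy (range, grouping, compilation configurations with their "effective" flags) and of the range types listed in paragraphs [0042]–[0044], used to evaluate the example rule c1 against constructed packets. The patent gives no concrete syntax, so the range-type names, the field names used as matching locations, the string "block+alert" standing for the strategy, and the definition of g2 (which the post does not spell out; here it matches the HTTP host header) are all assumptions. A second compilation configuration c2 is added to show a negated grouping.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable

# Range types, after paragraphs [0042]-[0044]. Names are assumptions; the patent
# describes the matching methods in words only. Each maps (content, observed value) -> bool.
def _ip_network_member(content: str, value: str) -> bool:
    return ipaddress.ip_address(value) in ipaddress.ip_network(content, strict=False)

def _interval(content: tuple, value) -> bool:
    lower, upper = content  # numerical rule: [lower bound, upper bound]
    return lower <= value <= upper

RANGE_TYPES: dict[str, Callable[[object, object], bool]] = {
    "exact": lambda c, v: v == c,                        # exact string matching
    "left": lambda c, v: v.startswith(c),                # "left matching" (prefix)
    "right": lambda c, v: v.endswith(c),                 # "right matching" (suffix)
    "substring": lambda c, v: c in v,                    # substring matching
    "regex": lambda c, v: re.search(c, v) is not None,   # regular expression
    "ip_equal": lambda c, v: ipaddress.ip_address(v) == ipaddress.ip_address(c),
    "ip_network": _ip_network_member,                    # address with mask
    "interval": _interval,                               # numerical rule
    "hash_equal": lambda c, v: v.lower() == c.lower(),   # exact hash rule (hex digest)
}

@dataclass
class RangeConfig:
    """Triple (matching location, range type, matching content) plus its effective flag."""
    location: str
    range_type: str
    content: object
    effective: bool = True

    def matches(self, packet: dict) -> bool:
        if not self.effective or self.location not in packet:
            return False
        return RANGE_TYPES[self.range_type](self.content, packet[self.location])

@dataclass
class GroupingConfig:
    """OR of range configurations."""
    ranges: list[RangeConfig]
    effective: bool = True

    def matches(self, packet: dict) -> bool:
        return self.effective and any(r.matches(packet) for r in self.ranges)

@dataclass
class CompilationConfig:
    """AND of (grouping, negated) pairs; fires its strategy when all are satisfied."""
    groups: list[tuple[GroupingConfig, bool]]
    strategy: str
    effective: bool = True

    def matches(self, packet: dict) -> bool:
        if not self.effective:
            return False
        # Assumption: a disabled grouping is left out of the conjunction rather than
        # counted as unmatched; the patent does not say how the flags interact.
        active = [(g, neg) for g, neg in self.groups if g.effective]
        return bool(active) and all(g.matches(packet) != neg for g, neg in active)

def evaluate(rules: list[CompilationConfig], packet: dict) -> list[str]:
    """Strategies of every compilation configuration the packet satisfies."""
    return [c.strategy for c in rules if c.matches(packet)]

# The rule from paragraphs [0048]-[0058], as given in the post.
r1 = RangeConfig("client IP address", "ip_equal", "192.168.0.1")
r2 = RangeConfig("client IP address", "ip_equal", "192.168.0.2")
g1 = GroupingConfig([r1, r2])
# g2 is not spelled out on the page; constructed here on the HTTP host header (assumption).
r3 = RangeConfig("HTTP host header", "exact", "www.phishing-site.com")
r4 = RangeConfig("HTTP host header", "exact", "www.virus-site.com")
g2 = GroupingConfig([r3, r4])
c1 = CompilationConfig([(g1, False), (g2, False)], strategy="block+alert")

# Added rule showing a negated grouping: log 192.168.0.0/24 clients NOT visiting those hosts.
g3 = GroupingConfig([RangeConfig("client IP address", "ip_network", "192.168.0.0/24")])
c2 = CompilationConfig([(g3, False), (g2, True)], strategy="log")

RULES = [c1, c2]

# Constructed packets (field name -> observed value).
PKT_A = {"client IP address": "192.168.0.1", "HTTP host header": "www.phishing-site.com"}
PKT_B = {"client IP address": "192.168.0.7", "HTTP host header": "example.com"}
PKT_C = {"client IP address": "10.0.0.1", "HTTP host header": "www.virus-site.com"}

if __name__ == "__main__":
    for name, pkt in (("A", PKT_A), ("B", PKT_B), ("C", PKT_C)):
        print(name, evaluate(RULES, pkt))
```

Because g2 is a separate object, it is shared by c1 and c2, as the post notes a grouping configuration may be ([0013] forbids sharing only at the range level). Clearing `r1.effective` removes 192.168.0.1 from g1 without touching the rest of the hierarchy, which is what the per-level flag is for.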
The strategy of a compilation configuration, separate from the matching formula, is reminiscent of the formalization of Tschantz et al. Section IV-B: "Each step of an attack corresponds to some sort of detection, or an action taken based on a previous detection."
The HTTP user agent strings "Chrome" and "11.8.1" appear in paragraph [0010]. There never seems to have been a release of Chrome with that version number, but Chrome 11 first appeared in 2011. The HTTP domain name ".emodao.com" in paragraph [0011] was, according to the Wayback Machine, a pornography forum that operated between 2005 and 2010. It seems to have been defunct in 2017, when this patent application was filed. It had a sub-forum dedicated to censorship circumvention. The class-C network 202.118.101.* in paragraph [0012] belongs to Tsinghua University in CERNET.
The term "grouping configuration" (分组配置) is instead written "configuration group" (配置分组) in Figure 1. The inconsistency exists in the original Chinese as well.
[0005] In view of the technical problems existing in the prior art, the purpose of the invention is to provide a description method, construction method, and medium for describing network access control rules. Based on the rules described in the invention, efficient, precise, and flexible access control can be realized. The rule description model of the invention is referred to as MAAT.
The string "MAAT" appears in just this one place. It is not explained what "MAAT" may stand for.
This patent application might be compared to the much earlier (and in fact now expired) patent CN1556627 from 2004 (媒体网站内容监管信息统一存储和交互方法 Medium network station content monitoring information unified storage and alternating method), which is about a uniform XML-based representation of network monitoring information, as well as a way of distributing that information using SOAP. Just as the MAAT patent doesn't show any real syntax, CN1556627 doesn't show any real XML. The related patents CN1349190 (网络媒体安全中央监管系统 Central network medium safety monitoring system) and CN100466533 (网络媒体内容安全宏观监管方法 Network medium content safety macromonitoring method), from the same time period and the same inventors, talk about a hierarchical arrangement of "supervising centers" (监管中心) and the exchange of content security rules between them.
Let's look at the inventors of the patent. The awardee organization is the Institute of Information Engineering (IIE, 中国科学院信息工程研究所), a large information security research organization, consisting of many subsidiary labs and teams.
刘庆云 (Liu Qingyun) (b. 1980) is a senior engineer in IIE. With 郑超 (Zheng Chao), he is one of the authors of the MVMP paper "A Flexible and Efficient Container-based NFV Platform for Middlebox Networking", previously discussed in #282.
郑超 (Zheng Chao) (b. 1984) has appeared on this forum many times, most notably for his affiliation with Geedge Networks, reported to be the company responsible for implementing VPN blocks in Myanmar in 2024. With 刘庆云 (Liu Qingyun), he is one of the authors of "A Flexible and Efficient Container-based NFV Platform for Middlebox Networking", previously discussed in #282. He is also one of the authors of "Understanding the Network Traffic Constraints for Deep Packet Inspection by Passive Measurement", discussed in #275.
Online English HTML
English PDF
Original Chinese PDF
Google Patents (English)