A Firewall Policy Analysis Method Based on Answer Set Programs
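Abstract
Firewalls are among the most commonly used security products; their role is to block external attacks from entering the internal network. The most important part of using a firewall is configuring its policy correctly. However, the unclear semantics of firewall policies make configuring them tedious and error-prone. Human configuration errors create security risks and leave security holes.
     To address the unclear semantics of firewall policy configuration, this thesis proposes firewall policy analysis methods, comprising a policy query method, a policy comparison method and a policy verification method.
     This thesis identifies two reasons why policies are hard to understand: rules are order-sensitive, and the environment in which firewalls are used is complex. In response, it proposes a method for querying firewall policies with answer set programs. First, answer set programs support non-monotonic reasoning and can handle rule-order sensitivity; second, they have strong knowledge-representation capability and can describe the environment in which a firewall is used. The policy query method represents the firewall policy and the network topology as an answer set program and computes its semantics. It then converts the predicates in the semantics into a relational model and stores them in a database for administrators to query. The method can query not only single-firewall policies but also hierarchical firewall policies; not only single-chain policies but also multi-chain policies; and it supports not only single-packet queries but also global queries.
     This thesis discusses three purposes of comparing firewall policies: checking consistency, learning, and checking the effect of updates. It poses two comparison problems: single-firewall policy comparison and routing path comparison. The former compares the similarities and differences of two or more firewall policies; the latter compares the similarities and differences of the access control policies on all routing paths between two network nodes. Building on the policy query method, the policy comparison method adds inference rules for comparing policies and routing paths. With these rules, the method can not only find policy differences but also locate the rules that cause them; not only find differences between routing paths but also list the nodes on each path in order.
     The relationship between a firewall policy and a security policy is that of code to design, so the consistency between them is the problem administrators care about most. This thesis points out that the essence of this problem is semantic equivalence: whether the access control semantics produced jointly by the firewall policy and the network topology equal the access control semantics of the security policy. Building on the policy query and policy comparison methods, this thesis proposes a policy verification method. The method represents the security policy, the firewall policy and the network topology as answer set programs and, through inference rules, compares the differences between the two access control semantics to verify their consistency.
     Finally, this thesis summarizes the shortcomings of the analysis methods and the areas that need improvement, and looks ahead to future research.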
The firewall is one of the most widely adopted technologies designed to block unauthorized access. The single most important factor in a firewall's security is how its policies are configured. However, configuring firewall policies is a tedious and error-prone job, because the semantics of firewall policies are hard to judge. Any configuration flaw causes security problems.
     In this paper, I propose three approaches to analyzing firewall policies: an approach to query firewall policies, an approach to compare firewall policies and an approach to verify firewall policies.
     First of all, I present two reasons why firewall policies are difficult to understand. One is that the rules of firewall policies are sensitive to rule order, and the other is that the environment in which firewalls are deployed is complex. To address these two reasons, I propose an approach to query firewall policies based on answer set programming (ASP). Firstly, ASP is a non-monotonic logic which can reason about rule order. Secondly, ASP is capable of representing all kinds of knowledge, which means ASP can describe the firewall environment. I represent firewall policies and network topology with answer set programs, and compute their semantics. Furthermore, I transform the predicates of the semantics into relational models which can be queried by means of SQL. This approach can query not only a single firewall but also diverse firewalls; not only a simple chain but also multiple chains; not only a single packet but also the overall access control policies.
     Secondly, I present three purposes of comparing firewall policies: verifying consistency, learning from experts, and checking policy updates. I then present two comparison problems: the simple firewall policy comparison problem and the routing path comparison problem. The former is to find the differences between the semantics of firewall policies, and the latter is to find the differences between the access control policies of different routing paths from source to destination. In this paper, I propose a comparison approach which is based on the querying approach and adds rules about comparing firewall policies and routing paths to the answer set programs. The approach can not only find differences between the semantics of firewall policies but also locate the rules which cause the differences; it can not only find the differences between the access control policies of different routing paths but also list the network nodes in the routing paths.
     Thirdly, firewall policies are code, whereas security policies are designs, so verifying the consistency between them is the problem of greatest concern to administrators. In this paper, I point out that the kernel of consistency is the consistency of the access control policies' semantics between firewall policies and security policies. I propose an approach to verify this semantic consistency based on the comparison approach. First of all, I use answer set programs to represent security policies, firewall policies and network topology. Then, I compute the semantics of both and verify the consistency by comparing their semantics.
     Finally, I summarize the whole article and propose future research directions.
