Analysis of firewall policy rules using traffic mining techniques

Authors:
Muhammad Abedin;Syeda Nessa;Latifur Khan;Ehab Al-Shaer;Mamoun Awad
Affiliations:
Department of Computer Science, Erik Jonsson School of Engineering & Computer Science, The University of Texas at Dallas, 800 W. Campbell Road, MS EC31, Richardson, TX 75080, USA.;Department of Computer Science, Erik Jonsson School of Engineering & Computer Science, The University of Texas at Dallas, 800 W. Campbell Road, MS EC31, Richardson, TX 75080, USA.;Department of Computer Science, Erik Jonsson School of Engineering & Computer Science, The University of Texas at Dallas, P.O. Box 830688, EC 31, Richardson, TX 75083--0688, USA.;Department of Software & Information Systems, College of Computing and Informatics, University of North Carolina, 9201 University City Blvd, Charlotte, NC 28223, USA.;College of Information Technology, UAE University, P.O. Box 17555 CIT-UAE University, Al Ain, UAE
Venue:
International Journal of Internet Protocol Technology
Year:
2010

Citing 25
Cited 2

Conflict analysis for management policies

Proceedings of the fifth IFIP/IEEE international symposium on Integrated network management V : integrated management in a virtual world: integrated management in a virtual world
Packet classification using tuple space search

Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication
Building Internet firewalls (2nd ed.)

Building Internet firewalls (2nd ed.)
Implementing a distributed firewall

Proceedings of the 7th ACM conference on Computer and communications security
Internet packet filter management and rectangle geometry

SODA '01 Proceedings of the twelfth annual ACM-SIAM symposium on Discrete algorithms
TCP/IP and Related Protocols: IPv6, Frame Relay, and ATM

TCP/IP and Related Protocols: IPv6, Frame Relay, and ATM
Fault and Leak Tolerance in Firewall Engineering

HASE '98 The 3rd IEEE International Symposium on High-Assurance Systems Engineering
Fast Algorithms for Mining Association Rules in Large Databases

VLDB '94 Proceedings of the 20th International Conference on Very Large Data Bases
Fast Firewall Implementations for Software and Hardware-Based Routers

ICNP '01 Proceedings of the Ninth International Conference on Network Protocols
Filtering postures: local enforcement for global policies

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Fang: A Firewall Analysis Engine

SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
A data mining framework for constructing features and models for intrusion detection systems (computer security, network security)

A data mining framework for constructing features and models for intrusion detection systems (computer security, network security)
A machine learning approach to detecting attacks by identifying anomalies in network traffic

A machine learning approach to detecting attacks by identifying anomalies in network traffic
Mining concept-drifting data streams using ensemble classifiers

Proceedings of the ninth ACM SIGKDD international conference on Knowledge discovery and data mining
Firewall Design: Consistency, Completeness, and Compactness

ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
A Quantitative Study of Firewall Configuration Errors

Computer
Packet classification in large ISPs: design and evaluation of decision tree classifiers

SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
A Model of Stateful Firewalls and Its Properties

DSN '05 Proceedings of the 2005 International Conference on Dependable Systems and Networks
Algorithms for advanced packet classification with ternary CAMs

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Firewall Policies and VPN Configurations

Firewall Policies and VPN Configurations
Architecting the Lumeta firewall analyzer

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Diverse Firewall Design

IEEE Transactions on Parallel and Distributed Systems
Topological transformation approaches to optimizing TCAM-based packet classification systems

Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Detection and resolution of anomalies in firewall policy rules

DBSEC'06 Proceedings of the 20th IFIP WG 11.3 working conference on Data and Applications Security

Discovering access-control misconfigurations: new approaches and evaluation methodologies

Proceedings of the second ACM conference on Data and Application Security and Privacy
Classification of Log Files with Limited Labeled Data

Proceedings of Principles, Systems and Applications on IP Telecommunications

Quantified Score

Hi-index	0.00

Visualization

Abstract

The firewall is usually the first line of defence in ensuring network security. However, the management of manually configured firewall rules has proven to be complex, error-prone and costly for large networks. Even with error-free rules, presence of defects in the firewall implementation or device may make the network insecure. Evaluation of effectiveness of policy and correctness of implementation requires a thorough analysis of network traffic data. We present a set of algorithms that simplify this analysis. By analysing only the firewall log files using aggregation and heuristics, we regenerate the effective firewall rules, i.e., what the firewall is really doing. By comparing these with the original rules, we can easily find if there is any anomaly in the original rules, and if there is any defect in the implementation. Our experiments show that the effective firewall rules can be regenerated to a high degree of accuracy from a small amount of data.