Towards automatic creation of usable security configuration

Authors:
Bin Zhang;Ehab Al-Shaer
Affiliations:
AssurableNet Research Center, School of Computing, DePaul University, Chicago, IL;Center of Cyber Defense & Network Assurance, Department of Software & Information Systems, University of North Carolina, Charlotte, Charlotte, NC
Venue:
INFOCOM'10 Proceedings of the 29th conference on Information communications
Year:
2010

Citing 8
Cited 2

Knapsack problems: algorithms and computer implementations

Knapsack problems: algorithms and computer implementations
Modeling and Verification of IPSec and VPN Security Policies

ICNP '05 Proceedings of the 13TH IEEE International Conference on Network Protocols
A scalable approach to attack graph generation

Proceedings of the 13th ACM conference on Computer and communications security
Optimal security hardening using multi-objective optimization on attack tree models of networks

Proceedings of the 14th ACM conference on Computer and communications security
Configuration management at massive scale: system design and experience

ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Declarative Infrastructure Configuration Synthesis and Debugging

Journal of Network and Systems Management
Sat-solving approaches to context-aware enterprise network security management

IEEE Journal on Selected Areas in Communications - Special issue on network infrastructure configuration
Attack graph based evaluation of network security

CMS'06 Proceedings of the 10th IFIP TC-6 TC-11 international conference on Communications and Multimedia Security

Automated management of network access control from design to enforcement

Proceedings of the 15th ACM symposium on Access control models and technologies
On synthesizing distributed firewall configurations considering risk, usability and cost constraints

Proceedings of the 7th International Conference on Network and Services Management

Quantified Score

Hi-index	0.00

Visualization

Abstract

The objective of this work is to create usable security architecture that will minimize network risk while considering usability and budget. We propose and formulate a novel framework for automatic creation of network security architecture including configuration rules and device placements in order to minimize risk while satisfying the business requirements, service usability and budget constraints. Our framework also automates the creation of external and internal Demilitarized Zones (DMZ) to improve security by increasing isolation. We formalize this as an optimization problem and show that it is NP-hard. We then provide heuristic approximation algorithms. The implemented systems, called SecBuilder, were evaluated under different network sizes, topologies and security requirements. Our evaluation study shows that the results obtained by SecBuilder are close to the theoretical lower bound and the performance is scalable with the network size.