DOI: 10.1145/1655062.1655072

Towards network security policy generation for configuration analysis and testing

Published: 09 November 2009

Abstract

Access-control lists are an essential part of the security framework of any system. Researchers need a repository of ready-made policies for research and development. Such policies, and firewall policies in particular, which are the focus of this work, are needed both for performance testing and for configuration analysis.
In this paper we introduce a novel technique for access-control policy generation. The proposed approach learns policy parameters from a set of given policies and generates new policies that conform to natural policy-writing practices while following the grammar required by the target security device. A probabilistic learning approach is used to infer the transition probabilities of the given policy grammar.
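The abstract describes two steps: estimate, from existing policies, how often each production of a policy grammar is used, then sample new policies from the grammar with those probabilities. The following Python block is an added example of that idea and is not the paper's code: the rule grammar (action, protocol, two networks, port), the "accept/deny" vocabulary, and the eight-line training policy are all constructed for this illustration, and the model treats the fields of a rule as independent, which is a simplification the paper may not make. Probabilities are estimated by relative frequency, and every generated rule is re-parsed against the grammar before it is accepted.

```python
"""Learning production probabilities for a firewall-rule grammar and
sampling new rules from them (added example; not the paper's code)."""
import random
from collections import Counter, defaultdict

# Constructed training policy in a hypothetical "action proto src dst port"
# syntax.  It is sample input for this example, not data from the paper.
TRAINING_POLICY = """\
accept tcp 10.0.0.0/8 any 22
accept tcp 10.0.0.0/8 any 443
accept tcp any 192.168.1.10/32 80
accept tcp any 192.168.1.10/32 443
accept udp 10.0.0.0/8 192.168.1.53/32 53
deny udp any any any
deny tcp any any any
deny any any any any
"""

# Grammar assumed by this example (hypothetical, not the paper's):
#   RULE   -> ACTION PROTO NET NET PORT
#   NET    -> 'any' | ADDR '/' PREFIX
#   ACTION, PROTO, ADDR, PREFIX, PORT -> terminals observed in the corpus
# ACTION and PROTO are closed vocabularies fixed by the device syntax; PORT
# and PREFIX are range-checked so a malformed line cannot pollute the model.
ACTIONS = {"accept", "deny"}
PROTOS = {"tcp", "udp", "any"}


def parse_rule(line):
    """Return the (nonterminal, production) pairs used to derive `line`.

    Raises ValueError when the line does not belong to the grammar."""
    action, proto, src, dst, port = line.split()
    if action not in ACTIONS or proto not in PROTOS:
        raise ValueError(f"bad action/proto in {line!r}")
    if port != "any" and not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in {line!r}")
    derivation = [("ACTION", action), ("PROTO", proto)]
    for net in (src, dst):
        if net == "any":
            derivation.append(("NET", "any"))
        else:
            addr, prefix = net.split("/")
            if len(addr.split(".")) != 4 or not 0 <= int(prefix) <= 32:
                raise ValueError(f"bad network in {line!r}")
            derivation += [("NET", "cidr"), ("ADDR", addr), ("PREFIX", prefix)]
    derivation.append(("PORT", port))
    return derivation


def learn(policy_text):
    """Relative-frequency (maximum-likelihood) estimate of each
    nonterminal's production probabilities from a training policy."""
    counts = defaultdict(Counter)
    for line in policy_text.strip().splitlines():
        for nonterminal, production in parse_rule(line):
            counts[nonterminal][production] += 1
    return {nt: {p: n / sum(c.values()) for p, n in c.items()}
            for nt, c in counts.items()}


def expand(model, nonterminal, rng):
    """Pick one production of `nonterminal` with its learned probability."""
    productions, weights = zip(*model[nonterminal].items())
    return rng.choices(productions, weights=weights)[0]


def expand_net(model, rng):
    """Expand NET: either the terminal 'any' or an ADDR/PREFIX pair."""
    if expand(model, "NET", rng) == "any":
        return "any"
    return f"{expand(model, 'ADDR', rng)}/{expand(model, 'PREFIX', rng)}"


def generate(model, count, seed=0):
    """Sample `count` rules top-down from the learned grammar.  The seed
    makes a generated policy reproducible, which matters for benchmarks."""
    rng = random.Random(seed)
    return [" ".join([expand(model, "ACTION", rng), expand(model, "PROTO", rng),
                      expand_net(model, rng), expand_net(model, rng),
                      expand(model, "PORT", rng)]) for _ in range(count)]


def conforms(rule):
    """True when `rule` parses under the grammar: the check a generated
    policy must pass before it is loaded on a device or analysed."""
    try:
        parse_rule(rule)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    model = learn(TRAINING_POLICY)
    for nt, dist in model.items():
        print(nt, {p: round(q, 3) for p, q in dist.items()})
    for rule in generate(model, 5, seed=42):
        print(rule, "OK" if conforms(rule) else "INVALID")
```

Because the model samples each nonterminal independently, it will produce combinations absent from the training set (for example 10.0.0.0/32, or a deny rule with a specific port); that is what makes the output useful for load testing a classifier, but a generator meant to feed anomaly-analysis tools should condition later fields on earlier ones so that the generated rule sets also keep the overlap and shadowing patterns of real policies.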


Cited By

View all
  • (2014) Firewall Policy Reconnaissance. IEEE Transactions on Information Forensics and Security 9(2):296-308. DOI 10.1109/TIFS.2013.2296874. Online publication date: 1 Feb 2014
  • (2011) An intelligent security architecture for distributed firewalling environments. Journal of Ambient Intelligence and Humanized Computing 4(2):223-234. DOI 10.1007/s12652-011-0069-8. Online publication date: 30 Sep 2011
  • (2010) Synthetic security policy generation via network traffic clustering. Proceedings of the 3rd ACM workshop on Artificial intelligence and security, pages 45-53. DOI 10.1145/1866423.1866433. Online publication date: 8 Oct 2010

Published In

SafeConfig '09: Proceedings of the 2nd ACM workshop on Assurable and usable security configuration
November 2009
88 pages
ISBN:9781605587783
DOI:10.1145/1655062

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. policy generation
  2. policy grammar
  3. security policy

Conference

CCS '09

Acceptance Rates

Overall Acceptance Rate 22 of 61 submissions, 36%
