TY - GEN
T1 - Analysis of firewall policy rules using data mining techniques
AU - Golnabi, Korosh
AU - Min, Richard K.
AU - Khan, Latifur
AU - Al-Shaer, Ehab
PY - 2006
Y1 - 2006
N2 - The firewall is the de facto core technology of today's network security and defense. However, the management of firewall rules has proven to be complex, error-prone, costly and inefficient for many large networked organizations. These firewall rules are mostly custom-designed and hand-written, and thus in constant need of tuning and validation, due to the dynamic nature of the traffic characteristics, the ever-changing network environment and its market demands. One of the main problems that we address in this paper is how useful, up-to-date, well-organized and efficient the firewall rules are in reflecting the current characteristics of network traffic. In this paper, we present a set of techniques and algorithms to analyze and manage firewall policy rules: (1) a data mining technique to deduce efficient firewall policy rules by mining the network traffic log based on its frequency, (2) Filtering-Rule Generalization (FRG) to reduce the number of policy rules by generalization, and (3) a technique to identify any decaying rule and a set of few dominant rules, in order to generate a new set of efficient firewall policy rules. The anomaly detection based on the mining exposes many anomalies that are hidden and not detectable by analyzing only the firewall policy rules, resulting in two new types of anomalies. As a result of these mechanisms, network security administrators can automatically review and update the rules. We have developed a prototype system and demonstrated the usefulness of our approaches.
AB - The firewall is the de facto core technology of today's network security and defense. However, the management of firewall rules has proven to be complex, error-prone, costly and inefficient for many large networked organizations. These firewall rules are mostly custom-designed and hand-written, and thus in constant need of tuning and validation, due to the dynamic nature of the traffic characteristics, the ever-changing network environment and its market demands. One of the main problems that we address in this paper is how useful, up-to-date, well-organized and efficient the firewall rules are in reflecting the current characteristics of network traffic. In this paper, we present a set of techniques and algorithms to analyze and manage firewall policy rules: (1) a data mining technique to deduce efficient firewall policy rules by mining the network traffic log based on its frequency, (2) Filtering-Rule Generalization (FRG) to reduce the number of policy rules by generalization, and (3) a technique to identify any decaying rule and a set of few dominant rules, in order to generate a new set of efficient firewall policy rules. The anomaly detection based on the mining exposes many anomalies that are hidden and not detectable by analyzing only the firewall policy rules, resulting in two new types of anomalies. As a result of these mechanisms, network security administrators can automatically review and update the rules. We have developed a prototype system and demonstrated the usefulness of our approaches.
KW - Data mining
KW - Firewall
KW - Network security
KW - Policy
UR - http://www.scopus.com/inward/record.url?scp=34250729673&partnerID=8YFLogxK
U2 - 10.1109/noms.2006.1687561
DO - 10.1109/noms.2006.1687561
M3 - Conference contribution
AN - SCOPUS:34250729673
SN - 1424401429
SN - 9781424401420
T3 - IEEE Symposium Record on Network Operations and Management Symposium
SP - 305
EP - 315
BT - 10th IEEE/IFIP Network Operations and Management Symposium, NOMS 2006
PB - Institute of Electrical and Electronics Engineers Inc.
ER -