Synthetic security policy generation via network traffic clustering

Authors: Taghrid Samak, Ehab Al-Shaer

DOI: 10.1145/1866423.1866433

Abstract: Security policies are an essential part in the operations of any networking system. Test always needed for conducting research and development. Such required various phases related to many problems as performance optimization, device testing, configuration analysis. In this paper, we introduce a novel technique that utilizes trace repositories to generate traffic-driven firewall policies. An online clustering mechanism is designed and developed to infer rule criteria and policy structure from traffic. The approach generates relevant environment while satisfying structural features specified by testing requirements. Clustering parameters tuned fit need domain. High level (policy size, distinct rules, specificity, etc.) mapped algorithm input parameters. evaluation shows flexibility well accuracy generated compared actual administrator-defined
