Top

Wireless Personal Communications

Published in:

17-05-2017

The Analysis of Firewall Policy Through Machine Learning and Data Mining

Authors: Erdem Ucar, Erkan Ozhan

Published in: Wireless Personal Communications | Issue 2/2017

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Firewalls are primary components for ensuring the network and information security. For this purpose, they are deployed in all commercial, governmental and military networks as well as other large-scale networks. The security policies in an institution are implemented as firewall rules. An anomaly in these rules may lead to serious security gaps. When the network is large and policies are complicated, manual cross-check may be insufficient to detect anomalies. In this paper, an automated model based on machine learning and high performance computing methods is proposed for the detection of anomalies in firewall rule repository. To achieve this, firewall logs are analysed and the extracted features are fed to a set of machine learning classification algorithms including Naive Bayes, kNN, Decision Table and HyperPipes. F-measure, which combines precision and recall, is used for performance evaluation. In the experiments, kNN has shown the best performance. Then, a model based on the F-measure distribution was envisaged. 93 firewall rules were analysed via this model. The model anticipated that 6 firewall rules cause anomaly. These problematic rules were checked against the security reports prepared by experts and each of them are verified to be an anomaly. This paper shows that anomalies in firewall rules can be detected by analysing large scale log files automatically with machine learning methods, which enables avoiding security breaches, saving dramatic amount of expert effort and timely intervention.

previous article Design of a Hybrid Transceiver Through P-Spice Simulation for Establishing Underwater Optical Wireless Communication Link

next article An Alternative Architecture for SIM-Based Mobile NFC Services

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

Al-Shaer, E. (2004). Managing firewall and network-edge security policies. In 2004 IEEE/IFIP Network Operations and Management Symposium (Vol. 1, p. 926). Seoul: IEEE. doi:10.1109/NOMS.2004.1317810.

Al-Shaer, E., Hamed, H., Boutaba, R., & Hasan, M. (2005). Conflict classification and analysis of distributed firewall policies. IEEE Journal on Selected Areas in Communications, 23(10), 2069–2084. doi:10.1109/JSAC.2005.854119.CrossRef

Al-Shaer, E. S., & Hamed, H. H. (2003). Firewall policy advisor for anomaly discovery and rule editing. In G. Goldszmidt & J. Schnwlder (Eds.), Integrated network management VIII: Managing it all (p. 1730). Boston, MA: Springer. doi:10.1007/978-0-387-35674-7.

Alpaydın, E. (2010). Introduction to machine learning (2nd ed.). Cambridge, MA, London: MIT Press.MATH

Breier, J., & Branišová, J. (2015). A dynamic rule creation based anomaly detection method for identifying security breaches in log records. Wireless Personal Communications,. doi:10.1007/s11277-015-3128-1.

Caruso, C., Malerba, D., & Papagni, D. (2005). Learning the daily model of network traffic. In Foundations of Intelligent Systems(pp. 131–141). Saratoga Springs, NY. http://link.springer.com/chapter/10.1007/11425274_14.

Chen, N., Shou, G., Hu, Y., & Guo, Z. (2009). An experimental research of traffic identification algorithms in broadband network. In 2009 International Symposium on Computer Network and Multimedia Technology(pp. 1–4). Wuhan: IEEE. doi:10.1109/CNMT.2009.5374758.

Chmura Kraemer, H., Periyakoil, V. S., & Noda, A. (2002). Kappa coefficients in medical research. Statistics in Medicine, 21(14), 2109–2129. doi:10.1002/sim.1180.CrossRef

Cohen, J. (1960). A coefficient of agreement for nominal scales. Educational and Psychological Measurement, 20, 37–46. doi:10.1177/001316446002000104.CrossRef

10.

Cover, T., & Hart, P. (1967). Nearest neighbour pattern classification. IEEE Transactions on Information Theory, 13(1), 2127. doi:10.1109/TIT.1967.1053964.CrossRefMATH

11.

Eisenstein, J., & Davis, R. (2004). Visual and linguistic information in gesture classification. In Proceedings of the 6th International Conference on Multimodal Interfaces—ICMI04, (p. 113). New York, NY: ACM Press. doi:10.1145/1027933.1027954.

12.

Frei, A., & Rennhard, M. (2008). Histogram matrix: Log file visualization for anomaly detection. In ARES 2008—3rd International Conference on Availability, Security, and Reliability, Proceedings (pp. 610–617). doi:10.1109/ARES.2008.148.

13.

Golnabi, K., Min, R. K., Khan, L., & Al-Shaer, E. (2006). Analysis of firewall policy rules using data mining techniques. In 10th IEEE/IFIP Network Operations and Management Symposium NOMS 2006 (Vol. 5, pp. 305–315). IEEE. doi:10.1109/NOMS.2006.1687561.

14.

Gouda, M. G., & Liu, A. X. (2007). Structured firewall design. Computer Networks, 51(4), 1106–1120. doi:10.1016/j.comnet.2006.06.015.CrossRefMATH

15.

Han, J., & Kamber, M. (2006). Data mining concepts and techniques. In J. Gray (Ed.), Data mining: Concepts and techniques (2nd ed.). San Francisco, CA: Morgan Kaufmann Publishers.

16.

Holte, R. C. (1993). Very simple classification rules perform well on most commonly used datasets. Machine Learning, 11(1), 63–91.CrossRefMATH

17.

Hu, H., Ahn, G. J., & Kulkarni, K. (2012). Detecting and resolving firewall policy anomalies. IEEE Transactions on Dependable and Secure Computing, 9(3), 318–331. doi:10.1109/TDSC.2012.20.CrossRef

18.

Hunt, R. (1998). Internet/intranet firewall security-policy, architecture and transaction services. Computer Communications, 21(13), 1107–1123. doi:10.1016/S0140-3664(98)00173-X.CrossRef

19.

Kerdegari, H., Samsudin, K., Ramli, A. R., & Mokaram, S. (2012). Evaluation of fall detection classification approaches. In 2012 4th International Conference on Intelligent and Advanced Systems (ICIAS2012) (Vol. 1, pp. 131–136). Kuala Lumpur: IEEE. doi:10.1109/ICIAS.2012.6306174.

20.

Khan, B., Khan, M. K., Mahmud, M., & Alghathbar, K. S. (2010). Security analysis of firewall rule sets in computer networks. In 2010 Fourth International Conference on Emerging Security Information, Systems and Technologies (pp. 51–56). Venice: IEEE. doi:10.1109/SECURWARE.2010.16.

21.

Kowalski, K., & Beheshti, M. (2006). Analysis of log files intersections for security enhancement. In Third International Conference on Information Technology: New Generations (ITNG06) (pp. 452–457). Las Vegas: IEEE. doi:10.1109/ITNG.2006.32

22.

Lai, K., & Kelley, K. (2011). Accuracy in parameter estimation for targeted effects in structural equation modeling: Sample size planning for narrow confidence intervals. Psychological Methods, 16(2), 127–148. doi:10.1037/a0021764.CrossRef

23.

Liu, A. X. (2012). Firewall policy change-impact analysis. ACM Transactions on Internet Technology, 11(4), 1–24. doi:10.1145/2109211.2109212.CrossRef

24.

Maratea, A., Petrosino, A., & Manzo, M. (2014). Adjusted F-measure and kernel scaling for imbalanced data learning. Information Sciences, 257, 331–341. doi:10.1016/j.ins.2013.04.016.CrossRef

25.

Moses, K. P., & Devadas, M. D. (2012). An approach to reduce root mean square error in toposheets. European Journal of Scientific Researach, 91(2), 268–274.

26.

Nilsson, N. J. (1998). Introduction to Machine Learning. Stanford, CA. Retrieved from http://robotics.stanford.edu/people/nilsson/mlbook.html.

27.

NIST. (2016). National Vulnerability Database. Technical report, National Institute of Standarts and Information Technology Laboratory, Gaithersburg, MD. https://nvd.nist.gov/home.cfm.

28.

Olson, D. L., & Delen, D. (2008). Advanced data mining techniques(1st edn.). Berlin, Heidelberg: Springer. doi:10.1007/978-3-540-76917-0.

29.

Parker, A., de Cortázar-Atauri, I. G., Chuine, I., Barbeau, G., Bois, B., Boursiquot, J. M., et al. (2013). Classification of varieties for their timing of flowering and veraison using a modelling approach: A case study for the grapevine species Vitis vinifera L. Agricultural and Forest Meteorology, 180, 249–264. doi:10.1016/j.agrformet.2013.06.005.CrossRef

30.

Pietraszek, T., & Tanner, A. (2005). Data mining and machine learning towards reducing false positives in intrusion detection. Information Security Technical Report, 10(3), 169–183. doi:10.1016/j.istr.2005.07.001.CrossRef

31.

Shinder, T. W., Amon, C., Shimonski, R. J., & Shinder, D. L. (2003). The best damn firewall book period. Rockland, MA: Syngress Publishing. doi:10.1016/B978-193183690-6/50046-7.

32.

Smith, M. C., & Peterson, G. D. (2005). Parallel application performance on shared high performance reconfigurable computing resources. Performance Evaluation, 60(1–4), 107–125. doi:10.1016/j.peva.2004.10.004.CrossRef

33.

Smusz, S., Kurczab, R., & Bojarski, A. J. (2013). A multidimensional analysis of machine learning methods performance in the classification of bioactive compounds. Chemometrics and Intelligent Laboratory Systems, 128, 89–100. doi:10.1016/j.chemolab.2013.08.003.CrossRef

34.

Tran, T., Al-Shaer, E. S., & Boutaba, R. (2007). 055 PolicyVis: Firewall security policy visualization and inspection. In Proceedings of the 21st conference on Large Installation System Administration Conference USENIX Association (Vol. 7, pp. 1–16). http://usenix.org/event/lisa07/tech/full_papers/tran/tran.pdf.

35.

Viera, A. J., & Garrett, J. M. (2005). Understanding inter observer agreement: The kappa statistic. Family Medicine, 37(5), 360–363, http://www.ncbi.nlm.nih.gov/pubmed/15883903.

36.

Winding, R., Wright, T., & Chapple, M. (2006). System anomaly detection: Mining firewall logs. In 2006 Securecomm and Workshops (pp. 1–5). Baltimore, MD: IEEE. doi:10.1109/SECCOMW.2006.359572.

37.

Witten, I. H., & Frank, E. (2005). Data mining practical machine learning tools and techniques (2nd ed.). San Francisco, CA: Morgan Kaufmann Publishers Inc.MATH

38.

Witten, I. H., Frank, E., & Hall, M. A. (2011). Data mining practical machine learning tools and techniques (3rd ed.). Burlington, MA: Elsevier Inc.

39.

Yoon, M., Chen, S., & Zhang, Z. (2010). Minimizing the maximum firewall rule set in a network with multiple firewalls. IEEE Transactions on Computers, 59(2), 218–230. doi:10.1109/TC.2009.172.MathSciNetCrossRefMATH

Title: The Analysis of Firewall Policy Through Machine Learning and Data Mining
Authors: Erdem Ucar
Erkan Ozhan
Publication date: 17-05-2017
Publisher: Springer US
Published in: Wireless Personal Communications / Issue 2/2017
Print ISSN: 0929-6212
Electronic ISSN: 1572-834X
DOI: https://doi.org/10.1007/s11277-017-4330-0

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 2/2017

Enhance the Performance of EDCA Protocol by Adapting Contention Window

An Anomaly Detection Method Based on Normalized Mutual Information Feature Selection and Quantum Wavelet Neural Network

A Combinatorial Key Predistribution Scheme for Two-Layer Hierarchical Wireless Sensor Networks

A Location-Independent Energy Balanced Node-Covered Scheduling Algorithm

An Approach to Defend Global Eavesdropper in Sensor Networks

Spatial–Temporal Aspects Integrated Probabilistic Intervals Models of Query Generation and Sink Attributes for Energy Efficient WSN