Title: Analysis of firewall policy rules using traffic mining techniques

Authors: Muhammad Abedin, Syeda Nessa, Latifur Khan, Ehab Al-Shaer, Mamoun Awad

Addresses: Department of Computer Science, Erik Jonsson School of Engineering & Computer Science, The University of Texas at Dallas, 800 W. Campbell Road, MS EC31, Richardson, TX 75080, USA; Department of Computer Science, Erik Jonsson School of Engineering & Computer Science, The University of Texas at Dallas, 800 W. Campbell Road, MS EC31, Richardson, TX 75080, USA; Department of Computer Science, Erik Jonsson School of Engineering & Computer Science, The University of Texas at Dallas, P.O. Box 830688, EC 31, Richardson, TX 75083-0688, USA; Department of Software & Information Systems, College of Computing and Informatics, University of North Carolina, 9201 University City Blvd, Charlotte, NC 28223, USA; College of Information Technology, UAE University, P.O. Box 17555 CIT-UAE University, Al Ain, UAE

Abstract: The firewall is usually the first line of defence in ensuring network security. However, the management of manually configured firewall rules has proven to be complex, error-prone and costly for large networks. Even with error-free rules, presence of defects in the firewall implementation or device may make the network insecure. Evaluation of effectiveness of policy and correctness of implementation requires a thorough analysis of network traffic data. We present a set of algorithms that simplify this analysis. By analysing only the firewall log files using aggregation and heuristics, we regenerate the effective firewall rules, i.e., what the firewall is really doing. By comparing these with the original rules, we can easily find if there is any anomaly in the original rules, and if there is any defect in the implementation. Our experiments show that the effective firewall rules can be regenerated to a high degree of accuracy from a small amount of data.
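The regenerate-and-compare idea in the abstract, as an added illustration that is not the paper's own algorithm (the paper's aggregation heuristics are not reproduced here): constructed log lines are grouped by destination, protocol, port and action, the observed sources in each group are generalised to their smallest common prefix, and the resulting effective rules are checked against an assumed first-match original policy; any disagreement is reported as a candidate rule anomaly or implementation defect.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall log lines (not from the paper), one per logged decision.
LOG_LINES = [
    "src=10.0.1.4 dst=192.168.1.10 proto=tcp dport=80 action=ACCEPT",
    "src=10.0.1.9 dst=192.168.1.10 proto=tcp dport=80 action=ACCEPT",
    "src=10.0.1.130 dst=192.168.1.10 proto=tcp dport=80 action=ACCEPT",
    "src=10.0.1.4 dst=192.168.1.10 proto=tcp dport=22 action=DROP",
    "src=10.0.1.9 dst=192.168.1.10 proto=tcp dport=22 action=DROP",
    "src=10.0.2.7 dst=192.168.1.10 proto=tcp dport=22 action=ACCEPT",  # disagrees with policy
]

# Assumed original policy, first match wins: (src_net, dst, proto, dport, action).
ORIGINAL_RULES = [
    ("10.0.1.0/24", "192.168.1.10", "tcp", 80, "ACCEPT"),
    ("10.0.0.0/16", "192.168.1.10", "tcp", 22, "DROP"),
]

def parse(line):
    f = dict(kv.split("=", 1) for kv in line.split())
    return ipaddress.ip_address(f["src"]), f["dst"], f["proto"], int(f["dport"]), f["action"]

def regenerate_rules(lines):
    """Aggregate log entries into effective rules: group by (dst, proto, dport, action)
    and generalise the sources seen in each group to their smallest common prefix."""
    groups = defaultdict(list)
    for src, dst, proto, dport, action in map(parse, lines):
        groups[(dst, proto, dport, action)].append(src)
    rules = []
    for (dst, proto, dport, action), srcs in groups.items():
        net = ipaddress.ip_network(f"{min(srcs)}/32")
        while not all(s in net for s in srcs):  # widen until every observed source fits
            net = net.supernet()
        rules.append((str(net), dst, proto, dport, action))
    return sorted(rules)

def first_match(rules, src_net, dst, proto, dport):
    """Action the original policy prescribes for an effective rule's source block and service.
    Returns None when no rule fully covers the block (implicit default, or over-generalisation)."""
    net = ipaddress.ip_network(src_net)
    for r_src, r_dst, r_proto, r_port, r_action in rules:
        if net.subnet_of(ipaddress.ip_network(r_src)) and (r_dst, r_proto, r_port) == (dst, proto, dport):
            return r_action
    return None

def find_anomalies(effective, original):
    """Effective rules whose observed action differs from what the original policy specifies."""
    return [r for r in effective if first_match(original, *r[:4]) != r[4]]
```

Here the port-22 ACCEPT from 10.0.2.7 surfaces as the one anomaly, since the policy says the whole 10.0.0.0/16 block should be dropped on that port.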

Keywords: network security; firewall log analysis; firewall rule analysis; firewall rule anomaly detection; firewall implementation validation; network traffic mining; internet protocol; firewalls.

DOI: 10.1504/IJIPT.2010.032611

International Journal of Internet Protocol Technology, 2010 Vol.5 No.1/2, pp.3 - 22

Published online: 09 Apr 2010
