Learning to Customize Network Security Rules

Security is a major concern for organizations that wish to leverage cloud computing. To reduce security vulnerabilities, public cloud providers offer firewall functionality. When properly configured, a firewall protects cloud networks from cyber-attacks. However, proper firewall configuration requires intimate knowledge of the protected system, high expertise and ongoing maintenance. As a result, many organizations do not use firewalls effectively, leaving their cloud resources vulnerable. In this paper, we present a novel supervised learning method, and a prototype, that compute recommendations for firewall rules. Recommendations are based on sampled network traffic metadata (NetFlow) collected from a public cloud provider. Labels are extracted from firewall configurations deemed to have been authored by experts. NetFlow is collected from network routers, which avoids expensive collection from cloud VMs and relieves privacy concerns. The proposed method captures network routines and dependencies between resources and firewall configuration. The method predicts the IPs to be allowed by the firewall. A grouping algorithm is subsequently used to generate a manageable number of IP ranges; each range is a parameter for a firewall rule. We present results of experiments on real data, showing ROC AUC of 0.92, compared to 0.58 for an unsupervised baseline. The results prove the hypothesis that firewall rules can be automatically generated based on router data, and that an automated method can be effective in blocking a high percentage of malicious traffic.
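The abstract does not describe the grouping step in detail. The following added example (not the paper's own code) shows one simple way to turn a set of predicted-allowed IPv4 addresses into at most `max_ranges` CIDR blocks for allow rules: it starts from the exact cover and greedily merges the neighbouring pair whose common supernet admits the fewest addresses that were not predicted as allowed, reporting that over-allowance so a reviewer can judge the trade-off. The greedy merge criterion and the `group_allowed_ips` function name are assumptions made for illustration; the sample addresses are constructed.

```python
import ipaddress


def _common_supernet(a, b):
    """Smallest CIDR block containing both IPv4 networks a and b."""
    for plen in range(min(a.prefixlen, b.prefixlen), -1, -1):
        cand = ipaddress.ip_network((int(a.network_address), plen), strict=False)
        if b.subnet_of(cand):
            return cand
    raise ValueError("no common supernet")


def _allowed_inside(net, allowed_ints):
    """Count predicted-allowed addresses that fall inside net."""
    lo, hi = int(net.network_address), int(net.broadcast_address)
    return sum(1 for ip in allowed_ints if lo <= ip <= hi)


def group_allowed_ips(allowed, max_ranges):
    """Collapse predicted-allowed IPv4 addresses into <= max_ranges CIDR blocks.

    Hypothetical greedy grouping (not the paper's algorithm): begin with the
    exact cover of /32s, then repeatedly merge the adjacent pair whose joint
    supernet lets through the fewest non-allowed addresses until the budget
    is met. Returns (list of CIDR strings, count of over-allowed addresses);
    the count is what a reviewer should weigh before accepting the rules.
    """
    if max_ranges < 1:
        raise ValueError("max_ranges must be at least 1")
    hosts = sorted({ipaddress.ip_network(a) for a in allowed},
                   key=lambda n: int(n.network_address))
    allowed_ints = sorted(int(n.network_address) for n in hosts)
    # collapse_addresses merges adjacent /32s and drops subsumed blocks
    blocks = list(ipaddress.collapse_addresses(hosts))
    while len(blocks) > max_ranges:
        best = None  # (cost, index, supernet)
        for i in range(len(blocks) - 1):
            sup = _common_supernet(blocks[i], blocks[i + 1])
            cost = sup.num_addresses - _allowed_inside(sup, allowed_ints)
            if best is None or cost < best[0]:
                best = (cost, i, sup)
        _, i, sup = best
        blocks = list(ipaddress.collapse_addresses(blocks[:i] + [sup] + blocks[i + 2:]))
    over_allowed = sum(b.num_addresses for b in blocks) - len(allowed_ints)
    return [str(b) for b in blocks], over_allowed


if __name__ == "__main__":
    # Constructed sample of predicted-allowed source addresses.
    sample = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.9", "192.168.5.7"]
    for budget in (5, 3, 2):
        print(budget, group_allowed_ips(sample, budget))
```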
