Security Policy Pre-evaluation towards Risk Analysis

Security policy evaluation has become a very active topic, since more and more people require a high quality of protection (QoP). Most researchers focus on evaluating security policies after they have been enforced in real application systems, by means of real attacks. However, before enforcement, the policies themselves may also contain anomalies that should not be ignored. In this paper we point out the importance of security policy pre-evaluation, which focuses on evaluating security policies before they are enforced, and we propose a framework for it that is oriented towards risk analysis. As a concrete example, we show how to apply our framework to firewall security policies. Finally, we discuss the difficulties of our proposal and outline future work.
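The abstract argues that a firewall policy can be checked for anomalies before it is ever enforced. The following script is an added illustration of that idea and is not the paper's framework or code: it walks an ordered rule set under an assumed first-match semantics, flags rules that are fully shadowed or made redundant by an earlier rule and rules that partially overlap an earlier rule with the opposite action, and attaches a risk note so the findings can be triaged. The rule names, addresses and ports are constructed sample data; the anomaly names follow common firewall-policy terminology rather than anything stated on the page.

```python
"""Pre-enforcement check of a firewall rule set for ordering anomalies.

Added example, not taken from the paper. Assumes first-match semantics:
packets are compared against rules top to bottom and the first match wins.
The anomaly names (shadowing, redundancy, correlation) are the usual
firewall-policy terms; the paper's own framework is not reproduced here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                 # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Tuple[int, int]     # inclusive destination port range
    action: str                # "allow" or "deny"


def _proto_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def _proto_compatible(a: str, b: str) -> bool:
    return a == "any" or b == "any" or a == b


def _ports_cover(outer: Tuple[int, int], inner: Tuple[int, int]) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def _ports_intersect(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return max(a[0], b[0]) <= min(a[1], b[1])


def covers(outer: Rule, inner: Rule) -> bool:
    """Every packet matched by `inner` is also matched by `outer`."""
    return (_proto_covers(outer.proto, inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and _ports_cover(outer.dport, inner.dport))


def overlaps(a: Rule, b: Rule) -> bool:
    """At least one packet is matched by both rules."""
    return (_proto_compatible(a.proto, b.proto)
            and a.src.overlaps(b.src)
            and a.dst.overlaps(b.dst)
            and _ports_intersect(a.dport, b.dport))


def analyse(rules: List[Rule]) -> List[Dict[str, str]]:
    """Return one finding per anomalous rule, each with a risk note for triage."""
    findings: List[Dict[str, str]] = []
    for i, later in enumerate(rules):
        # First earlier rule that matches everything this rule matches, if any.
        covering = next((e for e in rules[:i] if covers(e, later)), None)
        if covering is not None:
            if covering.action == later.action:
                kind, risk = "redundant", "low: dead rule, remove it to keep the policy auditable"
            elif later.action == "deny":
                kind, risk = "shadowed", "high: an intended block never takes effect"
            else:
                kind, risk = "shadowed", "medium: intended access is silently blocked"
            findings.append({"rule": later.name, "kind": kind,
                             "against": covering.name, "risk": risk})
            continue  # the rule never fires; further overlap checks are moot
        # Partial overlap with an earlier rule of the opposite action: the
        # outcome depends on ordering, so it deserves a human review.
        for earlier in rules[:i]:
            if earlier.action != later.action and overlaps(earlier, later):
                findings.append({"rule": later.name, "kind": "correlated",
                                 "against": earlier.name,
                                 "risk": "review: partial overlap with opposite action, rule order decides"})
    return findings


# Constructed sample policy (not from the paper), listed in evaluation order.
SAMPLE_RULES: List[Rule] = [
    Rule("web-in",        "tcp", ip_network("10.0.0.0/8"),  ip_network("192.168.1.0/24"),  (80, 80),     "allow"),
    Rule("block-badhost", "tcp", ip_network("10.0.1.0/24"), ip_network("192.168.1.10/32"), (80, 80),     "deny"),
    Rule("web-in-dup",    "tcp", ip_network("10.0.0.0/16"), ip_network("192.168.1.0/24"),  (80, 80),     "allow"),
    Rule("deny-dmz",      "any", ip_network("10.0.0.0/8"),  ip_network("192.168.2.0/24"),  (0, 65535),   "deny"),
    Rule("dns-dmz",       "udp", ip_network("10.0.5.0/24"), ip_network("192.168.2.5/32"),  (53, 53),     "allow"),
    Rule("mgmt-in",       "tcp", ip_network("10.0.0.0/8"),  ip_network("192.168.3.0/24"),  (22, 1024),   "allow"),
    Rule("deny-443",      "tcp", ip_network("10.0.9.0/24"), ip_network("192.168.0.0/16"),  (443, 443),   "deny"),
]


if __name__ == "__main__":
    for f in analyse(SAMPLE_RULES):
        print(f"{f['rule']:14} {f['kind']:10} vs {f['against']:14} {f['risk']}")
```

Running it on the sample policy reports `block-badhost` as shadowed by `web-in` (the block never applies, the high-risk case), `web-in-dup` as redundant, `dns-dmz` as shadowed by the broad `deny-dmz`, and `deny-443` as correlated with `mgmt-in`. The point of doing this before enforcement is that the first case would otherwise surface only when an attack reaches the host the rule was meant to protect.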
