Firewall Policy Management Through Sliding Window Filtering Method Using Data Mining Techniques

As the number of security incidents has been growing sharply, security defense has drawn more and more attention from the network community in recent years. The firewall is one of the most popular security-defense mechanisms for corporations: it is the first line of defense in a corporation's security infrastructure against external intrusions and threats. A firewall filters packets according to its policy rules to prevent suspicious intruders from executing illegal actions and damaging the internal network. Well-designed policy rules increase the effectiveness of the defense against security risks. In this paper, we apply association rule mining to analyze network logs and detect anomalous behaviors, such as connections that appear frequently within a short period with the same source IP and port. From these anomalous behaviors, we can infer useful, up-to-date and efficient firewall policy rules. Compared with the method proposed in [18], we utilize incremental mining to handle the continually changing traffic log data. The proposed method greatly enhances execution performance in data analysis. Experimental results show that the execution efficiency of our method is better than that of traditional methods when dealing with large log files.
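The following added example (not code from the paper) illustrates the idea in the abstract: connection records are mined for association rules of the form {source IP, source port} -> destination port, and support counts are maintained incrementally over a sliding window of log partitions so that an expiring partition is subtracted rather than the whole log being rescanned. The log partitions, thresholds and the simplified counting scheme are assumptions for illustration; the paper's own algorithm is the sliding-window filtering method it describes.

```python
from collections import Counter, deque

# Constructed sample log, split into time-ordered partitions; each record is
# (src_ip, src_port, dst_port). Not taken from the paper's data set.
SAMPLE_PARTITIONS = [
    [("10.0.0.5", 4444, 22), ("10.0.0.5", 4444, 22), ("10.0.0.7", 5000, 80)],
    [("10.0.0.5", 4444, 22), ("10.0.0.5", 4444, 23), ("10.0.0.9", 6000, 443)],
    [("10.0.0.5", 4444, 22), ("10.0.0.7", 5000, 80), ("10.0.0.7", 5000, 80)],
    [("10.0.0.9", 6000, 443), ("10.0.0.9", 6000, 443), ("10.0.0.9", 6000, 443)],
]

def partition_counts(partition):
    """Count antecedents {src_ip, src_port} and full itemsets {src_ip, src_port, dst_port}."""
    ante, full = Counter(), Counter()
    for src, sport, dport in partition:
        ante[(src, sport)] += 1
        full[(src, sport, dport)] += 1
    return ante, full

def sliding_window_rules(partitions, window_size, min_support, min_conf):
    """After each new partition, return the rules {src_ip, src_port} -> dst_port that
    are frequent over the last window_size partitions. Counts are kept incrementally:
    the new partition is added and the expired one subtracted, never rescanned."""
    window = deque()
    ante_total, full_total = Counter(), Counter()
    history = []
    for part in partitions:
        ante, full = partition_counts(part)
        window.append((ante, full))
        ante_total.update(ante)
        full_total.update(full)
        if len(window) > window_size:
            old_ante, old_full = window.popleft()
            ante_total.subtract(old_ante)
            full_total.subtract(old_full)
        rules = {}
        for (src, sport, dport), sup in full_total.items():
            if sup >= min_support:
                conf = sup / ante_total[(src, sport)]  # antecedent count >= sup, never 0
                if conf >= min_conf:
                    rules[(src, sport, dport)] = (sup, round(conf, 2))
        history.append(rules)
    return history

def to_policy(rules):
    """Render mined rules as candidate deny entries for administrator review."""
    return [f"deny src {s} sport {sp} dport {dp}  # support={sup} confidence={c}"
            for (s, sp, dp), (sup, c) in sorted(rules.items())]
```

With a window of two partitions, minimum support 3 and minimum confidence 0.6, the repeated 10.0.0.5:4444 -> 22 connections surface as a candidate rule after the second partition and drop out once the first partition expires, while 10.0.0.9:6000 -> 443 surfaces after the fourth.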

[1] Philip S. Yu et al. Using a Hash-Based Method with Transaction Trimming for Mining Association Rules, 1997, IEEE Trans. Knowl. Data Eng.

[2] Michael J. A. Berry et al. Data mining techniques - for marketing, sales, and customer support, 1997, Wiley computer publishing.

[3] David Taniar et al. ODAM: An optimized distributed association rule mining algorithm, 2004, IEEE Distributed Systems Online.

[4] Juan M. Estévez-Tapiador et al. Concepts and Attitudes for Internet Security (A review of Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition by William R. Cheswick, Steven M. Bellovin, and Aviel D. Rubin), 2003.

[5] Ehab Al-Shaer et al. Firewall Policy Advisor for Anomaly Discovery and Rule Editing, 2003, Integrated Network Management.

[6] Shamkant B. Navathe et al. An Efficient Algorithm for Mining Association Rules in Large Databases, 1995, VLDB.

[7] David Wai-Lok Cheung et al. A General Incremental Technique for Maintaining Discovered Association Rules, 1997, DASFAA.

[8] Jian Pei et al. Mining frequent patterns without candidate generation, 2000, SIGMOD '00.

[9] Albert G. Greenberg et al. Simulation study of firewalls to aid improved performance, 2006, 39th Annual Simulation Symposium (ANSS'06).

[10] Ming-Syan Chen et al. Sliding-window filtering: an efficient algorithm for incremental mining, 2001, CIKM '01.

[11] Bill Cheswick et al. Firewalls and internet security - repelling the wily hacker, 2003, Addison-Wesley professional computing series.

[12] Salvatore J. Stolfo et al. Data Mining Approaches for Intrusion Detection, 1998, USENIX Security Symposium.

[13] Ray-I Chang et al. Intrusion Detection by Backpropagation Neural Networks with Sample-Query and Attribute-Query, 2007.

[14] Rajeev Motwani et al. Dynamic itemset counting and implication rules for market basket data, 1997, SIGMOD '97.

[15] Jean-François Boulicaut et al. Comprehensive Log Compression with Frequent Patterns, 2003, DaWaK.

[16] Atul Prakash et al. FACE: a firewall analysis and configuration engine, 2005, The 2005 Symposium on Applications and the Internet.

[17] Gaston H. Gonnet et al. New Indices for Text: Pat Trees and Pat Arrays, 1992, Information Retrieval: Data Structures & Algorithms.

[18] Jiawei Han et al. Maintenance of discovered association rules in large databases: an incremental updating technique, 1996, Proceedings of the Twelfth International Conference on Data Engineering.

[19] Albert G. Greenberg et al. Traffic-Aware Firewall Optimization Strategies, 2006, 2006 IEEE International Conference on Communications.

[20] Mohammed J. Zaki. Parallel and distributed association mining: a survey, 1999, IEEE Concurr.

[21] R. Power. CSI/FBI computer crime and security survey, 2001.

[22] David Wai-Lok Cheung et al. Efficient Mining of Association Rules in Distributed Databases, 1996, IEEE Trans. Knowl. Data Eng.

[23] Sushil Jajodia et al. An Architecture for Anomaly Detection, 2002, Applications of Data Mining in Computer Security.

[24] Das Amrita et al. Mining Association Rules between Sets of Items in Large Databases, 2013.

[25] Esko Ukkonen et al. Constructing Suffix Trees On-Line in Linear Time, 1992, IFIP Congress.

[26] Charu C. Aggarwal et al. A Tree Projection Algorithm for Generation of Frequent Item Sets, 2001, J. Parallel Distributed Comput.

[27] Avishai Wool et al. A quantitative study of firewall configuration errors, 2004, Computer.

[28] Sushil Jajodia et al. ADAM: a testbed for exploring the use of data mining in intrusion detection, 2001, SGMD.

[29] Ehab Al-Shaer et al. Discovery of policy anomalies in distributed firewalls, 2004, IEEE INFOCOM 2004.

[30] Philip S. Yu et al. Using a Hash-Based Method with Transaction Trimming and Database Scan Reduction for Mining Associati, 1997.

[31] Ramakrishnan Srikant et al. Fast algorithms for mining association rules, 1998, VLDB 1998.

[32] Ehab Al-Shaer et al. Analysis of Firewall Policy Rules Using Data Mining Techniques, 2006, 2006 IEEE/IFIP Network Operations and Management Symposium NOMS 2006.

[33] Martin P. Loeb et al. CSI/FBI Computer Crime and Security Survey, 2004.