Policy Mining: A Bottom-Up Approach toward a Model Based Firewall Management

  • Conference paper
Information Systems Security (ICISS 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8303)

Abstract

Today's enterprises rely entirely on their information systems, which are usually connected to the Internet. Network access control, mainly ensured by firewalls, has become a paramount necessity. Still, the management of manually configured firewall rules is complex, error-prone, and costly for large networks. The use of highly abstract models such as role-based access control (RBAC) has proved to be very efficient in the definition and management of access control policies. The recent interest in role mining, the bottom-up approach for automatic RBAC configuration from already deployed authorizations, is likely to further promote the development of this model. Recently, an extension of RBAC adapted to the specificities of network access control, which we refer to as the NS-RBAC model, has been proposed. However, no effort has been made to extend the bottom-up approach to configure this model. In this paper, we propose an extension of role mining techniques to facilitate the adoption of a model-based framework in the management of network access control. We present policy mining, a bottom-up approach that extracts instances of the NS-RBAC model from the rules deployed on a firewall. We provide a generic algorithm that can adapt most of the existing role mining solutions to the NS-RBAC model. We illustrate the feasibility of our solution by experiments on real and synthetic data.
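As an added illustration (not the paper's algorithm, which the abstract does not reproduce): a simplified role-mining pass in the spirit of subset-enumeration role mining, run over a constructed set of firewall permit rules. Each source host plays the part of a "user" and each (destination, service) pair the part of a "permission"; the mined roles and the host-to-role assignment form one NS-RBAC-like instance that reproduces the deployed permissions. The rule format, the host names and the decision to ignore deny rules and rule order are assumptions of this example.

```python
# Constructed permit rules (source_host, destination, service); deny rules and
# rule order are ignored (assumption), so only what each host may reach is modelled.
RULES = [
    ("h1", "web", "80"), ("h1", "web", "443"),
    ("h2", "web", "80"), ("h2", "web", "443"), ("h2", "db", "3306"),
    ("h3", "db", "3306"), ("h3", "dns", "53"), ("h4", "web", "80"), ("h4", "web", "443"),
]

def host_permissions(rules):
    """Host -> frozenset of (destination, service) pairs it may reach."""
    perms = {}
    for src, dst, svc in rules:
        perms.setdefault(src, set()).add((dst, svc))
    return {h: frozenset(p) for h, p in perms.items()}

def candidate_roles(perms):
    """Initial roles are the distinct permission sets; closing them under
    intersection exposes the cores shared by several hosts."""
    roles, frontier = set(perms.values()), set(perms.values())
    while frontier:
        new = {a & b for a in frontier for b in roles} - roles - {frozenset()}
        roles |= new
        frontier = new
    return roles

def prune_reducible(roles):
    """Drop any role that is exactly the union of smaller kept roles."""
    kept = set()
    for r in sorted(roles, key=len):
        parts = [s for s in kept if s < r]
        if not (parts and frozenset().union(*parts) == r):
            kept.add(r)
    return kept

def mine_policy(rules):
    """Return (roles, host -> roles) reproducing every host's deployed permissions."""
    perms = host_permissions(rules)
    roles = prune_reducible(candidate_roles(perms))
    assignment = {}
    for host, p in perms.items():
        uncovered, chosen = set(p), []
        for r in sorted(roles, key=len, reverse=True):  # greedy, largest role first
            if r <= p and r & uncovered:
                chosen.append(r)
                uncovered -= r
        assert not uncovered  # every deployed permission is explained by a role
        assignment[host] = chosen
    return roles, assignment
```

On the sample rules this yields three roles (a web-access role shared by h1, h2 and h4, a database role, and a database-plus-DNS role), so h2's nine-rule slice of the policy is expressed as two role assignments instead of a per-host rule list.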




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hachana, S., Cuppens, F., Cuppens-Boulahia, N., Atluri, V., Morucci, S. (2013). Policy Mining: A Bottom-Up Approach toward a Model Based Firewall Management. In: Bagchi, A., Ray, I. (eds) Information Systems Security. ICISS 2013. Lecture Notes in Computer Science, vol 8303. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-45204-8_10

  • DOI: https://doi.org/10.1007/978-3-642-45204-8_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-45203-1

  • Online ISBN: 978-3-642-45204-8
