The Analysis of Firewall Policy Through Machine Learning and Data Mining

Bibliographic Details
Published in: Wireless Personal Communications, Vol. 96, no. 2, pp. 2891-2909
Main Authors: Ucar, Erdem; Ozhan, Erkan
Format: Journal Article
Language: English
Published: New York: Springer US, 01-09-2017
Springer Nature B.V.
Description
Summary: Firewalls are primary components for ensuring network and information security. For this purpose, they are deployed in all commercial, governmental and military networks as well as other large-scale networks. The security policies of an institution are implemented as firewall rules. An anomaly in these rules may lead to serious security gaps. When the network is large and the policies are complicated, manual cross-checking may be insufficient to detect anomalies. In this paper, an automated model based on machine learning and high-performance computing methods is proposed for the detection of anomalies in the firewall rule repository. To achieve this, firewall logs are analysed and the extracted features are fed to a set of machine learning classification algorithms including Naive Bayes, kNN, Decision Table and HyperPipes. F-measure, which combines precision and recall, is used for performance evaluation. In the experiments, kNN showed the best performance. Then, a model based on the F-measure distribution was envisaged. 93 firewall rules were analysed via this model. The model anticipated that 6 firewall rules cause anomalies. These problematic rules were checked against the security reports prepared by experts, and each of them was verified to be an anomaly. This paper shows that anomalies in firewall rules can be detected by analysing large-scale log files automatically with machine learning methods, which enables avoiding security breaches, saving a dramatic amount of expert effort and allowing timely intervention.
ISSN: 0929-6212, 1572-834X
DOI: 10.1007/s11277-017-4330-0