Abstract
As a company grows, so does its infrastructure—especially its information technology (IT) infrastructure. Maintaining a transparent and manageable firewall policy during this period of rapid upscaling is nigh impossible. The situation is further complicated when multiple people—or even multiple teams—deploy and maintain these firewall policies. Different people often tackle a problem differently, developing different solutions, which, in turn, lead to different firewall policies. Inconsistencies in firewall policies are particularly problematic when it comes to updating, patching, and testing firewalls. Motivated by these issues, in this work, we collaborate with a telecommunications company and construct a web application that leverages machine learning to detect anomalies in firewall policies. The machine learning models can use firewall logs from internal firewalls, and, therefore, can learn the intricacies of traffic on a given network. The models can then predict the expected output from the network logs; anomalies can be identified if the expected values differ from the predicted values. In our evaluation, we collect data from the participating telecommunications company, implement our solution using the k-means clustering algorithm, and evaluate its performance against the collected data.
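As an added illustration of the approach the abstract describes (example code written here, not the paper's own implementation or data), the block below learns k-means centroids from constructed "normal" firewall log records and flags records that fall far from every centroid; the record layout, the feature scaling and the `radius` threshold are assumptions for the illustration.

```python
import math

# Constructed firewall log records (not real data): (action, proto, dst_port, bytes)
NORMAL_LOGS = [
    ("ALLOW", "tcp", 443, 5200), ("ALLOW", "tcp", 443, 4800), ("ALLOW", "tcp", 443, 6100),
    ("ALLOW", "tcp", 80, 3100), ("ALLOW", "tcp", 80, 2900),
    ("ALLOW", "udp", 53, 120), ("ALLOW", "udp", 53, 140), ("ALLOW", "udp", 53, 110),
    ("DENY", "tcp", 23, 60), ("DENY", "tcp", 23, 64),
]

def featurize(rec):
    """Map one log record to a numeric vector; log-scaling keeps port and byte magnitudes comparable."""
    action, proto, port, nbytes = rec
    return [1.0 if action == "ALLOW" else 0.0, 1.0 if proto == "tcp" else 0.0,
            math.log10(port + 1), math.log10(nbytes + 1)]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, iters=50):
    """Plain Lloyd's k-means with deterministic farthest-point seeding (no randomness)."""
    cents = [points[0]]
    while len(cents) < k:
        cents.append(max(points, key=lambda p: min(dist(p, c) for c in cents)))
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[min(range(k), key=lambda i: dist(p, cents[i]))].append(p)
        new = [[sum(col) / len(col) for col in zip(*cl)] if cl else cents[i]
               for i, cl in enumerate(clusters)]
        if new == cents:  # assignments stable: converged
            break
        cents = new
    return cents

def train(records, k=4):
    """Learn the 'expected' traffic shapes from logs believed to be normal."""
    return kmeans([featurize(r) for r in records], k)

def score(record, centroids):
    """Distance from a record to its nearest learned centroid (0 = exactly typical)."""
    return min(dist(featurize(record), c) for c in centroids)

def detect(records, centroids, radius=0.5):
    """Return records whose nearest-centroid distance exceeds radius (an assumed tuning knob)."""
    return [r for r in records if score(r, centroids) > radius]

if __name__ == "__main__":
    cents = train(NORMAL_LOGS)
    for r in detect(NORMAL_LOGS + [("ALLOW", "tcp", 3389, 900000)], cents):
        print("anomalous:", r)
```

With so few training records the clusters are very tight, so `radius` must be tuned against real log volumes before the flags mean anything operationally.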
Acknowledgments
We would like to thank the participating company for supporting the data collection and analysis.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Pyke, M.S.C., Meng, W., Lampe, B. (2024). Security on Top of Security: Detecting Malicious Firewall Policy Changes via K-Means Clustering. In: Kim, D.D., Chen, C. (eds) Machine Learning for Cyber Security. ML4CS 2023. Lecture Notes in Computer Science, vol 14541. Springer, Singapore. https://doi.org/10.1007/978-981-97-2458-1_10
DOI: https://doi.org/10.1007/978-981-97-2458-1_10
Publisher Name: Springer, Singapore
Print ISBN: 978-981-97-2457-4
Online ISBN: 978-981-97-2458-1
eBook Packages: Computer Science, Computer Science (R0)