An Inference Method of Stateless Firewall Policy Considering Attack Detection Threshold

Published: 2015.04.30

Abstract

Firewall policy inference discovers a firewall's policy, without any prior information, by analyzing the response packets returned by active probing. However, a brute-force approach to generating probing packets is not viable, because the probing packets may be classified as attack traffic and blocked once they exceed the firewall's attack detection threshold. In this paper, we propose a firewall policy inference method using an efficient probing algorithm that treats the number of source IP addresses, the maximum number of probing packets per second, and the interval between adjacent sweep lines as inference parameters in order to stay below the detection threshold. We then verify whether the generated probing packets are classified as network attack patterns by the firewall, and we present an evaluation of the method's correctness by comparing the original firewall policy with the inferred policy.

Firewall policy inference discovers a firewall policy, without prior knowledge, by analyzing the response packets obtained through active probing of a target network. However, depending on how the inference packets are sent from outside toward that network, they are detected as a network attack by the attack detection threshold configured on the firewall, so sending packets indiscriminately is not a valid approach. In this paper, we propose a packet transmission algorithm that uses inference parameters to stay within the range that is not detected as a network attack, taking the firewall's attack detection threshold into account. We then verify whether the packets sent by the proposed algorithm are detected as network attacks. Finally, we present the results of verifying the accuracy of the proposed algorithm by comparing the actual firewall policy with the inferred policy.
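The abstract names three inference parameters (number of source IP addresses, maximum probing packets per second, sweep-line interval) and two evaluation questions (does the probe stream trip the firewall's threshold, and how closely does the inferred policy match the real one). The following simulation is an added example written for this page; it is not the paper's code and does not reproduce the paper's exact sweep construction or its test firewall. It models a first-match stateless policy, builds a probe schedule from the three parameters, and runs two threshold detectors over it: one that counts packets per source address, and one that counts the aggregate rate toward the protected host. The policy rules, addresses and thresholds are constructed sample values, and the mapping "one sweep line = one destination port, lines dealt round-robin to the sources" is an assumption. Nothing is sent on the network; the schedule is a list of tuples.

```python
# Added example (not from the paper): first-match stateless policy model,
# a probe schedule driven by the three inference parameters, two
# rate-threshold detectors, and an accuracy check of the inferred policy.
# All rules, addresses and thresholds are constructed sample values.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str   # "accept" or "drop"
    src: str      # source prefix, CIDR notation
    port_lo: int  # inclusive destination-port range
    port_hi: int


# Constructed sample policy: first matching rule wins, default deny.
POLICY = [
    Rule("accept", "198.51.100.0/24", 22, 22),
    Rule("accept", "0.0.0.0/0", 80, 80),
    Rule("accept", "0.0.0.0/0", 443, 443),
    Rule("accept", "0.0.0.0/0", 8000, 8080),
]


def evaluate(policy, src_ip, dst_port):
    """Return the action of the first rule matching (src_ip, dst_port)."""
    addr = ip_address(src_ip)
    for rule in policy:
        if addr in ip_network(rule.src) and rule.port_lo <= dst_port <= rule.port_hi:
            return rule.action
    return "drop"  # implicit default-deny at the end of the rule list


def probe_schedule(n_sources, max_pps, interval, port_max=1024):
    """Return (second, src_ip, dst_port) tuples for one sweep of the port space.

    Assumption (a simplification, not the paper's construction): each sweep
    line is one destination port, adjacent lines are `interval` ports apart,
    lines are dealt round-robin to `n_sources` constructed addresses, and every
    source sends at most `max_pps` probes inside any one-second window.
    """
    sources = [f"203.0.113.{i + 1}" for i in range(n_sources)]  # constructed
    schedule = []
    for k, port in enumerate(range(0, port_max + 1, interval)):
        src = sources[k % n_sources]
        seq = k // n_sources          # how many probes this source sent before
        schedule.append((seq // max_pps, src, port))
    return schedule


def per_source_alerts(schedule, threshold_pps):
    """Sources that exceed threshold_pps in some one-second window."""
    counts = Counter((src, sec) for sec, src, _ in schedule)
    return sorted({src for (src, _), n in counts.items() if n > threshold_pps})


def per_destination_alert(schedule, threshold_pps):
    """True if the aggregate rate toward the protected host exceeds threshold_pps.

    This is the check a per-source counter cannot make: N sources each under
    the threshold still add up to N times that rate at the destination.
    """
    counts = Counter(sec for sec, _, _ in schedule)
    return any(n > threshold_pps for n in counts.values())


def infer_open_ports(policy, schedule):
    """Ports inferred as accepted from the responses to the probes actually sent."""
    return {port for _, src, port in schedule if evaluate(policy, src, port) == "accept"}


def inference_accuracy(policy, inferred_open, port_max=1024, src="203.0.113.1"):
    """Fraction of ports 0..port_max whose inferred verdict matches the real policy."""
    correct = sum(
        (port in inferred_open) == (evaluate(policy, src, port) == "accept")
        for port in range(port_max + 1)
    )
    return correct / (port_max + 1)


if __name__ == "__main__":
    sched = probe_schedule(n_sources=4, max_pps=5, interval=1)
    print("per-source alerts at 5 pps:", per_source_alerts(sched, 5))
    print("aggregate alert at 5 pps:  ", per_destination_alert(sched, 5))
    for interval in (1, 2):
        open_ports = infer_open_ports(POLICY, probe_schedule(4, 5, interval))
        print(f"interval={interval}: inferred {sorted(open_ports)}, "
              f"accuracy={inference_accuracy(POLICY, open_ports):.4f}")
```

With four sources at 5 packets per second, `per_source_alerts` stays silent at a 5 pps per-source threshold while `per_destination_alert` fires, because the host sees 20 probes per second; a detector that keys only on the source address is blind to exactly the spreading the abstract describes. Widening the sweep interval lowers the probe rate but also drops ports from the inferred policy (port 443 disappears at interval 2), which is the accuracy trade-off the paper evaluates.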
