http://dx.doi.org/10.7472/jksii.2015.16.2.27

An Inference Method of Stateless Firewall Policy Considering Attack Detection Threshold  

Kim, Hyeonwoo (Computer Engineering, Keimyung University)
Kwon, Dongwoo (Computer Engineering, Keimyung University)
Ju, Hongtaek (Computer Engineering, Keimyung University)
Publication Information
Journal of Internet Computing and Services, vol. 16, no. 2, 2015, pp. 27-40
Abstract
Firewall policy inference discovers a firewall's policy, without any prior information, by sending probe packets and analyzing the responses (active probing). A brute-force approach to generating the probe packets is not viable, because a firewall's attack detection threshold may classify the probes as attack traffic and block them, and a silently dropped probe is indistinguishable from a denied packet. This paper proposes a firewall policy inference method built on an efficient probing algorithm that takes the number of source IP addresses, the maximum number of probe packets per second, and the interval between adjacent sweep lines as inference parameters in order to stay below the detection threshold. We then verify whether a firewall classifies the generated probe packets as network attack patterns, and evaluate correctness by comparing the original firewall policy with the inferred one.
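The following simulation is an added illustration of the trade-off the abstract describes; it is not the authors' code and does not reproduce their algorithm. It assumes a constructed firewall model: a stateless allow-list on TCP destination ports whose attack detector blocks any source IP that touches more than a threshold number of distinct destination ports within a time window, with allowed ports answering SYN/ACK and everything else silently dropped. The source addresses, rule ranges, threshold and window are invented for the example. It shows how the three inference parameters (number of source IPs, per-source maximum probes per second, sweep-line interval) keep the prober under the threshold, and how the inferred policy is scored against the original.

```python
"""Added example (not from the paper): sweep-line probing paced to stay
under a scan-detection threshold, then scoring the inferred policy.
Constructed assumptions: stateless allow-list on TCP dst ports; the
detector blocks a source that probes more than `threshold` distinct dst
ports within `window` seconds; allowed ports answer SYN/ACK, all else
is dropped silently. Addresses, rules and thresholds are invented."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed original policy: allowed destination port ranges (inclusive).
ORIGINAL_POLICY = [(22, 22), (80, 80), (443, 443), (8000, 8099)]
PORT_LO, PORT_HI = 1, 9000          # dst-port space swept by the prober


@dataclass(frozen=True)
class Probe:
    t: float      # virtual send time in seconds; nothing actually sleeps
    src: str      # source IP used for this probe
    dport: int    # destination port under test


def allowed(dport, policy=ORIGINAL_POLICY):
    return any(lo <= dport <= hi for lo, hi in policy)


class ThresholdDetector:
    """A source probing more than `threshold` distinct dst ports within
    `window` seconds is blocked for the rest of the run (assumed model)."""

    def __init__(self, threshold=25, window=10.0):
        self.threshold, self.window = threshold, window
        self.history = defaultdict(deque)   # src -> deque of (t, dport)
        self.blocked = set()

    def passes(self, p):
        if p.src in self.blocked:
            return False
        q = self.history[p.src]
        q.append((p.t, p.dport))
        while p.t - q[0][0] > self.window:   # forget entries older than window
            q.popleft()
        if len({d for _, d in q}) > self.threshold:
            self.blocked.add(p.src)
            return False
        return True


def schedule_probes(n_sources, max_pps, interval, lo=PORT_LO, hi=PORT_HI):
    """The abstract's three parameters: a sweep line every `interval`
    ports, consecutive lines rotated over `n_sources` addresses, and each
    source paced to at most `max_pps` probes per second."""
    sources = [f"10.0.0.{i + 1}" for i in range(n_sources)]   # constructed
    sent, probes = defaultdict(int), []
    for k, dport in enumerate(range(lo, hi + 1, interval)):
        src = sources[k % n_sources]
        probes.append(Probe(sent[src] / max_pps, src, dport))
        sent[src] += 1
    return sorted(probes, key=lambda p: p.t)


def run(probes, detector, policy=ORIGINAL_POLICY):
    """{dport: True} if SYN/ACK came back. A probe dropped by the detector
    looks exactly like a denied port to the prober, which is the hazard."""
    return {p.dport: detector.passes(p) and allowed(p.dport, policy)
            for p in probes}


def infer_policy(responses, lo=PORT_LO, hi=PORT_HI):
    """Ports between sweep lines inherit the verdict of the nearest line."""
    lines, inferred, i = sorted(responses), {}, 0
    for port in range(lo, hi + 1):
        while i + 1 < len(lines) and abs(lines[i + 1] - port) <= abs(lines[i] - port):
            i += 1
        inferred[port] = responses[lines[i]]
    return inferred


def accuracy(inferred, policy=ORIGINAL_POLICY):
    return sum(inferred[p] == allowed(p, policy) for p in inferred) / len(inferred)


def experiment(n_sources, max_pps, interval, threshold=25, window=10.0):
    det = ThresholdDetector(threshold, window)
    probes = schedule_probes(n_sources, max_pps, interval)
    inferred = infer_policy(run(probes, det))
    return {"probes": len(probes), "blocked": sorted(det.blocked),
            "accuracy": accuracy(inferred)}


if __name__ == "__main__":
    # Brute force: one source at 1000 pps is blocked after 25 ports.
    print("brute force:", experiment(n_sources=1, max_pps=1000, interval=1))
    # Paced: 8 sources at 2 pps each stay at 21 ports per 10 s window.
    print("paced      :", experiment(n_sources=8, max_pps=2, interval=1))
    # Wider interval: 10x fewer probes, but single-port rules are missed.
    print("interval 10:", experiment(n_sources=8, max_pps=2, interval=10))
```

The brute-force run is blocked almost immediately and, because the detector drops probes silently, every later port is inferred as denied; the paced run reaches every port without a block and reproduces the policy exactly; widening the sweep-line interval cuts the probe count but loses the single-port rules (22, 80, 443) and blurs the edges of the 8000-8099 range, which is the accuracy cost the paper's interval parameter trades against.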
Keywords
Stateless Firewall; Policy Inference; Attack Detection Threshold; Active Probing; Inference Parameters; Sweep-line Algorithm