
Directed Acyclic Graph Modeling of Security Policies for Firewall Testing

Tugkan Tuglular, Özgur Kaya, Can Arda Müftüoglu, Fevzi Belli
2009 2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement  
This paper proposes modeling of firewall rules via directed acyclic graphs (DAG), from which test cases can be automatically generated for firewall testing.  ...  Security policies used in firewalls are ordered set of rules where each rule is represented as a predicate and an action.  ...  The directed acyclic graph representation of firewall rules fulfills these requirements. Directed Acyclic Graphs DAG is a directed graph with no directed circuits.  ... 
doi:10.1109/ssiri.2009.52 dblp:conf/ssiri/TuglularKMB09 fatcat:mza7sbm6nbg4rmobwyblcwdtda

Modeling Firewalls for Behavior Analysis

Patrick G. Clark, Arvin Agah
2015 Procedia Computer Science  
This work makes use of recent efforts to model firewall policies in a concise efficient data structure referred to as a Firewall Policy Diagram (FPD).  ...  This work presents a software behavioral model of the capabilities found in firewall type devices and a process for taking vendor specific nuances to a common implementation.  ...  Modeling Traffic Solution Space In the previous sections we have gone through a detailed explanation of how individual elements of a firewall may be abstracted into a directed acyclic graph that may be  ... 
doi:10.1016/j.procs.2015.08.429 fatcat:7jljq43xzbcmhnjvn37ituym4y

Feedback Control Based Test Case Instantiation for Firewall Testing

Tugkan Tuglular, Gurcan Gercek
2010 2010 IEEE 34th Annual Computer Software and Applications Conference Workshops  
Thus, a firewall should be tested with respect to its intended security policy.  ...  We propose a feedback control based approach for test case generation to detect mismatches between firewall's expected and executed behavior.  ...  In this work, we use FDD [9] notion for modeling, whereas in our previous work [10] , we used directed acyclic graph concept to deal with rule dependencies, which is implicitly handled by FDD.  ... 
doi:10.1109/compsacw.2010.42 dblp:conf/compsac/TuglularG10 fatcat:zmcgflwcsndkxdx3l736xnetcu

Mutation-Based Evaluation of Weighted Test Case Selection for Firewall Testing

Tugkan Tuglular, Gurcan Gercek
2011 2011 Fifth International Conference on Secure Software Integration and Reliability Improvement  
test data pools for each field of firewall policy.  ...  As part of network security testing, an administrator needs to know whether the firewall enforces the security policy as expected or not.  ...  In this work, we use FDD [9] notion for modeling, whereas in our previous work [10] , we used directed acyclic graph concept to deal with rule dependencies, which is implicitly handled by FDD.  ... 
doi:10.1109/ssiri.2011.22 dblp:conf/ssiri/TuglularG11 fatcat:bv6we352frcltblnkce2kqlefe

Fast and scalable method for resolving anomalies in firewall policies

Hassan Gobjuka, Kamal A. Ahmat
2011 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)  
We validate the practicality of our algorithm through real-life firewall policies and synthetic firewall policies of large data.  ...  In this paper, we investigate the problem of improving the performance and scalability of large firewall policies that comprise thousands of rules by detecting and resolving any potential conflicts among  ...  For each test set, we generated the 50 policies of the same size using Rovniagin and Wool's [9] model of generating firewall synthetic rules.  ... 
doi:10.1109/infcomw.2011.5928927 fatcat:4ryh5wwndjfkpgd4pakzt3trbm

FIREMAN: a toolkit for firewall modeling and analysis

Lihua Yuan, Hao Chen, Jianning Mai, Chen-Nee Chuah, Zhendong Su, P. Mohapatra
2006 2006 IEEE Symposium on Security and Privacy (S&P'06)  
FIREMAN performs symbolic model checking of the firewall configurations for all possible IP packets and along all possible data paths.  ...  Security concerns are becoming increasingly critical in networked systems. Firewalls provide important defense for network security.  ...  A BDD is a directed acyclic graph that can compactly and canonically represent a set of boolean expressions.  ... 
doi:10.1109/sp.2006.16 dblp:conf/sp/YuanMSCCM06 fatcat:67wnfy3z5nbvtjnje5hwa4pit4

POMDPs Make Better Hackers: Accounting for Uncertainty in Penetration Testing

Carlos Sarraute, Olivier Buffet, Jörg Hoffmann
2021 Proceedings of the Thirtieth AAAI Conference on Artificial Intelligence and the Twenty-Eighth Innovative Applications of Artificial Intelligence Conference  
Penetration Testing is a methodology for assessing network security, by generating and executing possible hacking attacks. Doing so automatically allows for regular and systematic testing.  ...  By contrast, we herein model the attack planning problem in terms of partially observable Markov decision processes (POMDP).  ...  We assume that programs are organized in a hierarchical manner, the operating system being at the root of a directed acyclic graph, and a program having as its parents the programs it directly depends  ... 
doi:10.1609/aaai.v26i1.8363 fatcat:uwfuieqcjjhmtndhjnnq5pwpba

Model Checking Firewall Policy Configurations

Alan Jeffrey, Taghrid Samak
2009 2009 IEEE International Symposium on Policies for Distributed Systems and Networks  
To mitigate this problem, there has been recent interest in the use of model checking techniques for analyzing the behavior of firewall policy configurations, and reporting anomalies.  ...  The use of firewalls to enforce access control policies can result in extremely complex networks.  ...  INTRODUCTION Firewall configuration is a crucial element of implementing a network security policy.  ... 
doi:10.1109/policy.2009.32 dblp:conf/policy/JeffreyS09 fatcat:wz4qdo5j75bs7oecxze34rgeeu

Firmato

Yair Bartal, Alain Mayer, Kobbi Nissim, Avishai Wool
2004 ACM Transactions on Computer Systems  
of the security policy and of the network topology; (2) a model definition language, which we use as an interface to define an instance of the entity-relationship model; (3) a model compiler, translating  ...  We implemented a prototype of our toolkit to work with several commercially available firewall products. This prototype was used to control an operational firewall for several months.  ...  for representing both the (firewall independent) security policy and the network topology.  ... 
doi:10.1145/1035582.1035583 fatcat:wwdtuwfx3rdnpkm2twuqowcm2m

Asynchronous policy evaluation and enforcement

Matthew Burnside, Angelos D. Keromytis
2008 Proceedings of the 2nd ACM workshop on Computer security architectures - CSAW '08  
Evaluating and enforcing policies in large-scale networks is one of the most challenging and significant problems facing the network security community today.  ...  We evaluate the system by testing it against pre-recorded traffic containing known and unknown attacks and show that it is capable of processing events at more than 10x the required rate for a deployed  ...  Government to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon.  ... 
doi:10.1145/1456508.1456517 dblp:conf/ccs/BurnsideK08 fatcat:h6k5slziqbblrefpykl37h2eq4

Removing the Reliance on Perimeters for Security using Network Views

Iffat Anjum, Daniel Kostecki, Ethan Leba, Jessica Sokal, Rajit Bharambe, William Enck, Cristina Nita-Rotaru, Bradley Reaves
2022 Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies  
Traditional enterprise security relies on network perimeters to define and enforce network security policies.  ...  NetViews) for least-privilege network access control where each host has a different, limited view of the other hosts and services within a network.  ...  Any findings and opinions expressed in this material are those of the authors and do not necessarily reflect the views of the funding agencies.  ... 
doi:10.1145/3532105.3535029 fatcat:luosafmnnzaudpvnrslgycwh5q

POMDPs Make Better Hackers: Accounting for Uncertainty in Penetration Testing [article]

Carlos Sarraute, Core Security Technologies
2013 arXiv   pre-print
Penetration Testing is a methodology for assessing network security, by generating and executing possible hacking attacks. Doing so automatically allows for regular and systematic testing.  ...  By contrast, we herein model the attack planning problem in terms of partially observable Markov decision processes (POMDP).  ...  We assume that programs are organized in a hierarchical manner, the operating system being at the root of a directed acyclic graph, and a program having as its parents the programs it directly depends  ... 
arXiv:1307.8182v1 fatcat:yjfgiijg25fdlbxpwsgvvkwyri

Research on Multi-Target Network Security Assessment with Attack Graph Expert System Model

Yunpeng Li, Xi Li, Yi-Zhang Jiang
2021 Scientific Programming  
For all kinds of loop phenomena of directed attribute attack graph, the general method of eliminating loop is given to get an acyclic attack graph.  ...  Searching for practical security risk assessment methods is a research hotspot in the field of network security. Network attack graph model is an active detection technology for the attack path.  ...  give the idea of eliminating the loop, and get the acyclic attack graph. The second part of the experiment is to calculate the path complexity of acyclic attack graph, according to different values can  ... 
doi:10.1155/2021/9921731 fatcat:o2jcewlhnnaktfk4pv7vplaoaa

On optimizing firewall performance in dynamic networks by invoking a novel swapping window-based paradigm

Ratish Mohan, Anis Yazidi, Boning Feng, John Oommen
2018 International Journal of Communication Systems  
The goal of this paper is to propose a framework for designing optimized firewalls for the IoT. This paper deals with two fundamental challenges/problems encountered in such firewalls.  ...  A good and efficient firewall strategy will attempt to secure this information, and to also manage the large amount of inevitable network traffic that these devices create.  ...  In order to accurately model a firewall policy with relationships, one uses a Directed Acyclic Graph, DAG G = (R, E), rather than a list.  ... 
doi:10.1002/dac.3773 fatcat:5w6wlipjinabzi3e727z43jknu

Towards Automated Network Mitigation Analysis (extended) [article]

Patrick Speicher, Marcel Steinmetz, Jörg Hoffmann, Michael Backes, Robert Künnemann
2019 arXiv   pre-print
Penetration testing is a well-established practical concept for the identification of potentially exploitable security weaknesses and an important component of a security audit.  ...  Providing a holistic security assessment for networks consisting of several hundreds hosts is hardly feasible though without some sort of mechanization.  ...  These arose from early attack graph variants, and developed into 'Graphical Security Models' [24] : Directed acyclic AND/OR graphs organizing known possible attacks into a top-down refinement hierarchy  ... 
arXiv:1705.05088v2 fatcat:5pglsqeh2vfg5nfucugyzu7quq