{"title":"Fast and scalable method for resolving anomalies in firewall policies","authors":"Hassan Gobjuka, Kamal A. Ahmat","doi":"10.1109/INFCOMW.2011.5928927","DOIUrl":null,"url":null,"abstract":"In this paper, we investigate the problem of improving the performance and scalability of large firewall policies that comprise thousands of rules by detecting and resolving any potential conflicts among them. We present a novel, highly scalable data structure that requires O(n) space where n is the number of rules in the policy to represent the dependency among rules. After that, we describe a practical heuristic that utilizes our data structure to find conflicting rules, and consequently find an optimal ordering of consistent ones. Our algorithm has time complexity O(n2 log n), making it the fastest to-date known algorithm for firewall rule anomaly dis- covery and resolution. We validate the practicality of our algorithm through real-life firewall policies and synthetic firewall policies of large data. Performance results show that our heuristic algorithm achieves from 40% to 87% improvement in the number of comparisons overhead, comparatively with the original policies.","PeriodicalId":402219,"journal":{"name":"2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)","volume":"16 5 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-04-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/INFCOMW.2011.5928927","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 10
Abstract
In this paper, we investigate the problem of improving the performance and scalability of large firewall policies that comprise thousands of rules by detecting and resolving any potential conflicts among them. We present a novel, highly scalable data structure that requires O(n) space, where n is the number of rules in the policy, to represent the dependency among rules. After that, we describe a practical heuristic that utilizes our data structure to find conflicting rules, and consequently find an optimal ordering of consistent ones. Our algorithm has time complexity O(n^2 log n), making it the fastest known algorithm to date for firewall rule anomaly discovery and resolution. We validate the practicality of our algorithm through real-life firewall policies and large synthetic firewall policies. Performance results show that our heuristic algorithm achieves from 40% to 87% improvement in the number-of-comparisons overhead, compared with the original policies.