Multi-dimensional Classification and Verification for Network Security Policy
- Subject (keywords): Network Security, Security Policy, Intrusion Detection, Firewall
- Issuing institution: Korea University Graduate School (고려대학교 대학원)
- Advisor: Heejo Lee
- Year of publication: 2010
- Degree conferred: August 2010
- Degree: Doctoral (Ph.D.)
- Department: Graduate School, Department of Computer and Radio Communications Engineering
- Pages: 111 p.
- URI: http://www.dcollection.net/handler/korea/000000024044
- Language of text: English
- Submitted original: 000045608306
Abstract
Security policies are usually implemented as a sequence of rules and are used in various network security devices, such as Network Intrusion Detection Systems (NIDS), firewalls, switches, and routers. They decide whether a packet is normal or malicious, or whether a packet is allowed or discarded. Because attack methods are multiplying rapidly, a huge number of security rules are generated and maintained in security devices. Under attack or during heavy traffic, the high cost of policy inspection severely degrades detection performance. An incorrectly configured policy creates security holes and prevents the device from quickly deciding whether to allow or deny a packet. Based on rule analysis, the proposed methods group the signatures of attack rules either by a multi-dimensional classification or simply by in-out (inbound/outbound) traffic. The proposed methods avoid unnecessary payload scans and reduce the number of patterns to be checked by rule-based packet classification. The performance improvement depends on the networking environment, but the experimental results show that the proposed methods outperform the most recent Snort release available at the time. We also propose new methods for resolving policy anomalies. After classifying rules by in-out traffic, the proposed methods detect anomalies among rules and generate new rules free of configuration errors, both within a single security device and across multiple devices. They cut the overlapping regions among rules and find the normal domain regions of the rule predicates. The proposed methods not only reduce computation overhead but also block unnecessary traffic among distributed devices. Both tasks, classifying attack signatures and inspecting policy anomalies, require multi-dimensional computation, so we designed a bitmap array data structure called the Predicates Bitmap Construct (PBC) for multi-dimensional operation. PBC is applied not only to inspect the signatures of a security policy but also to verify the integrity of the security policy. This dissertation presents the detailed process for the fast inspection of attack signatures and the consistent management of a security policy.
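The abstract uses one bitmap representation of rule predicates for two purposes: classifying a packet against many rules at once, and checking rules against each other for anomalies (overlapping regions, rules that can never fire). The following is an added example of that idea in Python; it is not code from the dissertation and does not reproduce PBC. The field domains, the rule set and the packets are constructed for the illustration, the anomaly classes are the common pairwise ones (shadowing, redundancy, correlation), and the asymmetry anomaly listed in the table of contents is not modelled.

```python
"""Bitmap-based multi-dimensional rule classification and policy-anomaly
detection. Added illustration, not the dissertation's PBC code: the field
domains, rules and anomaly classes (common pairwise shadowing, redundancy and
correlation) are constructed for the example; the asymmetry anomaly named in
the table of contents is not modelled."""
from dataclasses import dataclass
from itertools import product

# Constructed field domains: each field takes integer values 0..size-1.
DOMAINS = {"proto": 2, "src": 16, "dst": 16, "dport": 8}  # proto 0=tcp, 1=udp
FIELDS = list(DOMAINS)  # fixed field order used for cell numbering


@dataclass
class Rule:
    name: str
    action: str  # "allow" or "deny"
    pred: dict   # field -> (lo, hi) inclusive; an absent field matches any value


def bounds(rule, field):
    """Half-open [lo, end) range of values the rule accepts in one field."""
    lo, hi = rule.pred.get(field, (0, DOMAINS[field] - 1))
    return lo, hi + 1


def cell_bitmap(rule):
    """Bitmap over the whole space: one bit per (proto, src, dst, dport) cell
    the predicate accepts, numbered in mixed radix over DOMAINS."""
    bits = 0
    for values in product(*(range(*bounds(rule, f)) for f in FIELDS)):
        idx = 0
        for field, value in zip(FIELDS, values):
            idx = idx * DOMAINS[field] + value
        bits |= 1 << idx
    return bits


class PredicateBitmapIndex:
    """table[field][v] is a bitmap over rules (bit j set when rule j accepts
    value v). Classifying a packet ANDs one bitmap per field, so every rule is
    tested at once and only the survivors need any further inspection."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.table = {f: [0] * DOMAINS[f] for f in FIELDS}
        for j, rule in enumerate(self.rules):
            for field in FIELDS:
                for v in range(*bounds(rule, field)):
                    self.table[field][v] |= 1 << j

    def matching(self, packet):
        """Bitmap of every rule whose predicate matches the packet."""
        acc = (1 << len(self.rules)) - 1
        for field in FIELDS:
            acc &= self.table[field][packet[field]]
        return acc

    def first_match(self, packet):
        """First-match semantics: the lowest set bit is the earliest rule."""
        acc = self.matching(packet)
        return None if acc == 0 else self.rules[(acc & -acc).bit_length() - 1]


def pairwise_anomalies(rules):
    """Compare each later rule j with every earlier rule i via cell bitmaps;
    returns (kind, earlier_name, later_name) tuples."""
    cells = [cell_bitmap(r) for r in rules]
    found = []
    for j in range(len(rules)):
        for i in range(j):
            if not cells[i] & cells[j]:
                continue  # disjoint regions: nothing to report
            same = rules[i].action == rules[j].action
            if cells[j] & ~cells[i] == 0:  # R_j lies inside R_i
                found.append(("redundancy" if same else "shadowing",
                              rules[i].name, rules[j].name))
            elif cells[i] & ~cells[j] != 0 and not same:  # partial overlap
                found.append(("correlation", rules[i].name, rules[j].name))
            # R_i inside R_j with different actions (generalization) is a
            # deliberate ordering and is not flagged.
    return found


def dead_rules(rules):
    """Rules whose region is entirely covered by the union of the rules before
    them: never first-matched even when no single earlier rule shadows them."""
    covered, dead = 0, []
    for rule in rules:
        bits = cell_bitmap(rule)
        if bits & ~covered == 0:
            dead.append(rule.name)
        covered |= bits
    return dead


# Constructed rule set, first match wins: r3 is shadowed by r2, r5 is redundant
# with r2, and r1/r2 partially overlap with opposite actions.
RULES = [
    Rule("r1", "deny", {"proto": (0, 0), "src": (0, 3), "dport": (0, 0)}),
    Rule("r2", "allow", {"proto": (0, 0), "src": (0, 7), "dst": (8, 15), "dport": (0, 3)}),
    Rule("r3", "deny", {"proto": (0, 0), "src": (2, 3), "dst": (8, 11), "dport": (0, 1)}),
    Rule("r4", "allow", {"proto": (1, 1), "dport": (4, 7)}),
    Rule("r5", "allow", {"proto": (0, 0), "src": (0, 7), "dst": (8, 15), "dport": (2, 3)}),
    Rule("r6", "deny", {}),  # default deny
]
INDEX = PredicateBitmapIndex(RULES)
```

With this rule set, `INDEX.first_match({"proto": 0, "src": 2, "dst": 9, "dport": 0})` returns r1 after a single AND per field, `pairwise_anomalies(RULES)` reports the r1/r2 correlation, r3 shadowed by r2 and r5 redundant with r2, and `dead_rules(RULES)` lists r3 and r5 as rules that can be cut without changing the policy's behaviour. The same cell bitmaps can also be diffed (`cells[j] & ~cells[i]`) to obtain the non-overlapping remainder of a rule, which is the region a rewritten rule would have to cover; expressing that remainder as a small set of range rules again is the part a real tool has to solve and is not done here. Real address and port domains are far too large for one bit per cell, so a practical index compresses each field to the elementary intervals cut by the rule boundaries, as the dissertation's PBC is designed to do.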
Table of Contents
1. INTRODUCTION 1
1.1 Motivation and Problem Statements 1
1.1.1 Intrusion Detection 2
1.1.2 Policy Anomaly 5
1.2 Contributions and Outline of the Dissertation 7
2. RELATED WORK 9
2.1 Intrusion Detection 9
2.2 Policy Anomaly 15
3. PACKET CLASSIFICATION AND POLICY ANOMALY 22
3.1 Packet Classification 22
3.2 Policy Configuration Management 27
3.2.1 Existing Policy Anomalies 28
3.2.2 Asymmetry Anomaly 33
3.3 Example of Policy Anomaly 34
4. PREDICATE BITMAP CONSTRUCTOR 37
5. MULTI-DIMENSIONAL PACKET CLASSIFICATION 42
5.1 Address Group Classification and Detection 42
5.2 Unified Predicates Classification and Detection 45
5.3 Evaluation 48
5.3.1 Performance Analysis 49
5.3.2 Experiments 52
5.3.3 Discussion 58
6. DETECTING ANOMALY AND REWRITING RULES 63
6.1 Intra-policy Detection and Correction 63
6.2 Inter-policy Detection and Correction 71
6.3 Avoiding Anomaly in Distributed Firewall 78
6.4 Implementation and Experiments 82
7. CONCLUSION 88
REFERENCES 90