Policy Mining : a Bottom-Up Approach Toward Network Security Management

Abstract : This thesis is devoted to a bottom-up approach for the management of network security policies from a high abstraction level, with low cost and high confidence. We show that the Network Role Based Access Control (Net-RBAC) model is suited to the specification of network access control policies. We propose policy mining, a bottom-up approach that extracts, from the rules deployed on a firewall, the corresponding policy modeled with Net-RBAC. We devise a generic algorithm based on matrix factorization that can adapt most of the existing role mining techniques to extract instances of Net-RBAC. Furthermore, since large and medium networks are usually protected by multiple firewalls, we handle the problem of integrating the Net-RBAC policies that policy mining produces over several firewalls. We demonstrate how to verify security properties related to the consistency of the deployment across the firewalls. We also provide assistance tools that let administrators analyze role mining and policy mining results. We formally define the problem of comparing sets of roles and show that it is NP-complete. We devise an algorithm that projects the roles of one set onto the other set using Boolean expressions. This approach is useful to measure how comparable two role configurations are and to interpret each role. We put emphasis on the presence of shadowed roles in a role configuration, as it increases the time complexity of comparing sets of roles, and we provide a solution to detect the different cases of role shadowing. Each of the above contributions is rooted in a sound theoretical framework, illustrated by real data examples, and supported by experiments.
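The abstract describes the bottom-up pipeline only in outline: deployed firewall rules become an access matrix, the matrix is factorized into roles, and the resulting role configuration is checked for shadowed roles. The following is an added example, not code from the thesis; it uses a constructed rule base, a greedy Boolean-factorization heuristic of my own (not the thesis's generic algorithm), and an assumed definition of role shadowing (a role whose every grant is already covered by the other roles). Host names, the rule format and first-match semantics are likewise assumptions.

```python
"""Policy mining sketch: firewall rule base -> access matrix -> roles.

Added example, not code from the thesis. The rule format, host names, the
greedy factorization heuristic and the shadowing test are all assumptions
made here to illustrate the bottom-up idea; the thesis's own algorithm and
definitions are not reproduced.
"""

# Constructed rule base, first match wins (the usual firewall semantics).
# Each rule: (source hosts, destination hosts, services, action); "*" = any.
RULES = [
    ({"admin"}, {"db1"}, {"ssh"}, "deny"),                      # explicit block before broad accept
    ({"admin"}, {"web1", "web2", "db1"}, {"ssh", "snmp"}, "accept"),
    ({"web1", "web2"}, {"db1"}, {"mysql"}, "accept"),
    ({"admin", "web1", "web2"}, {"proxy"}, {"http", "https"}, "accept"),
    ({"*"}, {"*"}, {"*"}, "deny"),                              # default deny
]


def _hit(allowed, value):
    return "*" in allowed or value in allowed


def decision(rules, src, dst, svc):
    """Action of the first rule matching (src, dst, svc); deny if none does."""
    for srcs, dsts, svcs, action in rules:
        if _hit(srcs, src) and _hit(dsts, dst) and _hit(svcs, svc):
            return action
    return "deny"


def access_matrix(rules):
    """Boolean matrix host -> set of (destination, service) permissions,
    obtained by evaluating the ordered rule base for every concrete pair."""
    hosts = sorted({h for srcs, _, _, _ in rules for h in srcs if h != "*"})
    perms = sorted({(d, s) for _, dsts, svcs, _ in rules
                    for d in dsts for s in svcs if "*" not in (d, s)})
    return {h: {p for p in perms if decision(rules, h, *p) == "accept"}
            for h in hosts}


def cells(role):
    """All (host, permission) cells a role (host set, permission set) grants."""
    hosts, perms = role
    return {(h, p) for h in hosts for p in perms}


def mine_roles(matrix):
    """Greedy Boolean matrix factorization. Candidate roles are the closed
    rectangles generated by each row and each column of the matrix; until
    every 1-cell is covered, pick the candidate covering the most uncovered
    cells. Every candidate lies inside the matrix, so the result never grants
    a (host, permission) the firewall actually denies."""
    hosts = list(matrix)
    perms = sorted({p for ps in matrix.values() for p in ps})
    candidates = []
    for h in hosts:                                   # row closures
        P = frozenset(matrix[h])
        H = frozenset(x for x in hosts if P <= matrix[x])
        candidates.append((H, P))
    for p in perms:                                   # column closures
        H = frozenset(x for x in hosts if p in matrix[x])
        P = frozenset(q for q in perms if all(q in matrix[x] for x in H))
        candidates.append((H, P))
    candidates = [c for c in dict.fromkeys(candidates) if c[0] and c[1]]
    uncovered = {(h, p) for h in hosts for p in matrix[h]}
    roles = []
    while uncovered:
        best = max(candidates, key=lambda c: len(uncovered & cells(c)))
        roles.append(best)
        uncovered -= cells(best)
    return roles


def reconstruct(roles, hosts):
    """Boolean product of host-assignment and permission-assignment: the
    policy the mined roles deploy. Must equal the original matrix."""
    matrix = {h: set() for h in hosts}
    for H, P in roles:
        for h in H:
            matrix[h] |= set(P)
    return matrix


def shadowed_roles(roles):
    """Assumed definition (not the thesis's): a role is shadowed when every
    cell it grants is already granted by the other roles, so dropping it
    leaves the deployed policy unchanged."""
    out = []
    for i, role in enumerate(roles):
        others = set().union(*(cells(o) for j, o in enumerate(roles) if j != i))
        if cells(role) <= others:
            out.append(role)
    return out


if __name__ == "__main__":
    M = access_matrix(RULES)
    roles = mine_roles(M)
    for H, P in roles:
        print(sorted(H), "->", sorted(P))
    assert reconstruct(roles, list(M)) == M
    # A hand-written "proxy users" role adds nothing once the mined roles exist.
    proxy = (frozenset(M), frozenset({("proxy", "http"), ("proxy", "https")}))
    print("shadowed:", shadowed_roles(roles + [proxy]))
```

On this rule base the matrix has 13 granted cells and the greedy pass yields two roles (an admin role and a web-tier role); the explicit deny on admin to db1:ssh is honoured because the matrix is built from the first-match decision, not from the accept rules alone. The check that the Boolean product reproduces the matrix is the deployment-consistency property in miniature, and appending a hand-written proxy role shows how a shadowed role is detected.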
Keywords : NetRBAC
Document type : Thesis

Cited literature : 96 references

https://tel.archives-ouvertes.fr/tel-01129078
Contributor : Abes Star
Submitted on : Tuesday, March 10, 2015 - 6:21:28 PM
Last modification on : Wednesday, September 5, 2018 - 1:30:09 PM
Long-term archiving on : Thursday, June 11, 2015 - 12:00:56 PM

File

2014ESMA0017.pdf
Version validated by the jury (STAR)

Identifiers

  • HAL Id : tel-01129078, version 1


Citation

Safaà Hachana. Policy Mining : a Bottom-Up Approach Toward Network Security Management. Other [cs.OH]. ISAE-ENSMA Ecole Nationale Supérieure de Mécanique et d'Aérotechique - Poitiers, 2014. English. ⟨NNT : 2014ESMA0017⟩. ⟨tel-01129078⟩


Metrics : 396 record views, 458 file downloads