Policy Mining : a Bottom-Up Approach Toward Network Security Management

Abstract : This thesis is devoted to a bottom-up approach for the management of network security policies from a high abstraction level with low cost and high confidence. We show that the Network Role Based Access Control (Net-RBAC) model is suited to the specification of network access control policies. We propose policy mining, a bottom-up approach that extracts from the rules deployed on a firewall the corresponding policy modeled with Net-RBAC. We devise a generic algorithm based on matrix factorization that can adapt most of the existing role mining techniques to extract instances of Net-RBAC. Furthermore, since large and medium networks are usually protected by multiple firewalls, we handle the problem of integrating the Net-RBAC policies that result from policy mining over several firewalls. We demonstrate how to verify security properties related to deployment consistency across the firewalls. Besides, we provide assistance tools for administrators to analyze role mining and policy mining results. We formally define the problem of comparing sets of roles and show that it is NP-complete. We devise an algorithm that projects the roles of one set onto the other set based on Boolean expressions. This approach is useful to measure how comparable two role configurations are, and to interpret each role. We put emphasis on the presence of shadowed roles in a role configuration, since it increases the time complexity of comparing sets of roles. We provide a solution to detect the different cases of role shadowing. Each of the above contributions is rooted in a sound theoretical framework, illustrated by real data examples, and supported by experiments.
Keywords : NetRBAC
Cited literature : 96 references

Contributor : Abes Star <>
Submitted on : Tuesday, March 10, 2015 - 6:21:28 PM
Last modification on : Wednesday, September 5, 2018 - 1:30:09 PM
Long-term archiving on : Thursday, June 11, 2015 - 12:00:56 PM


Version validated by the jury (STAR)


  • HAL Id : tel-01129078, version 1



Safaà Hachana. Policy Mining : a Bottom-Up Approach Toward Network Security Management. Other [cs.OH]. ISAE-ENSMA École Nationale Supérieure de Mécanique et d'Aérotechnique - Poitiers, 2014. English. ⟨NNT : 2014ESMA0017⟩. ⟨tel-01129078⟩