Distributed firewall anomaly detection through LTL model checking

Author

Halle, Sylvain ; Ngoupe, Eric Lunaud ; Villemaire, Roger ; Cherkaoui, Omar

Author_Institution

Univ. du Quebec a Chicoutimi, Chicoutimi, QC, Canada

fYear

2013

fDate

27-31 May 2013

Firstpage

194

Lastpage

201

Abstract

An anomaly in a firewall is a relationship between two of its rules that may hint at a possible misconfiguration of its filter. While checking anomalies within a single firewall is well understood, identifying anomalies across multiple firewalls in a network is a much harder problem that has only been studied for restricted cases. In particular, we show that the correct identification of anomalies must take into account the routing function performed in each node of the network. We introduce a formal model of firewalls and routing tables that generalizes past work on the topic; in particular, we show how the detection of anomalies in this model reduces to the model checking of particular instances of Linear Temporal Logic formulæ. An implementation of an anomaly detector that leverages existing model checkers reveals that distributed anomalies can be identified at a reasonable cost.

Keywords

firewalls; formal verification; telecommunication network routing; temporal logic; LTL model checking; distributed firewall anomaly detection; formal model; linear temporal logic; linear temporal logic formulæ; multiple firewalls; routing tables; Data structures; Detectors; Model checking; Radio frequency; Redundancy; Routing; Shadow mapping; Linear Temporal Logic; firewall; model checking; rules;

fLanguage

English

Publisher

ieee

Conference_Titel

Integrated Network Management (IM 2013), 2013 IFIP/IEEE International Symposium on

Conference_Location

Ghent

Print_ISBN

978-1-4673-5229-1

Type

conf

Filename

6572986