using hierarchical change mining to manage network
play

Using Hierarchical Change Mining to Manage Network Security Policy - PowerPoint PPT Presentation

Jun 06, 2023 •33 likes •463 views

Using Hierarchical Change Mining to Manage Network Security Policy Evolution Gabriel A. Weaver, Nick Foti, Sergey Bratus, Dan Rockmore, and Sean W. Smith Presented by Gabriel A. Weaver Dartmouth College Network services change and evolve.

  1. Using Hierarchical Change Mining to Manage Network Security Policy Evolution Gabriel A. Weaver, Nick Foti, Sergey Bratus, Dan Rockmore, and Sean W. Smith Presented by Gabriel A. Weaver Dartmouth College

  2. Network services change and evolve. Therefore managing security requires us to manage security policy evolution.

  3. Case 1: If practitioners don't change policies as services change, systems are vulnerable.

  4. Case 2: If practitioners make changes to the policy as services change, then errors may be accidentally introduced.

  5. Before this paper, little research had been done on the general problem of security policy evolution.

  6. 03 04 05 06 07 08 09 10 11

  7. Tapiador McDaniel [20] Lim et al. [19] et al. [30] 03 04 05 06 07 08 09 10 11

  8. Tapiador McDaniel [20] Lim et al. [19] et al. [30] 03 04 05 06 07 08 09 10 11 Benson Sung Plonka Sun et al. [1] et al. [29] et al. [24] et al. [28]

  9. We recognize that security policies are hierarchically-structured texts. We propose a general method to mine changes within these structures.

  10. Outline Two real-world examples security policy evolution problem hierarchical policy structure current approach, our approach & initial results Conclude

  11. Outline Two real-world examples Identity Management Switch/Router Configuration Conclude

  12. Identity Management Changelogs insufficient

  13. The Security Policy Evolution Problem Jun Dec Jan

  14. The Security Policy Evolution Problem Jun Dec Jan

  15. The Security Policy Evolution Problem Jun Dec Jan

  16. Hierarchical Policy Structure: RFC 3647 3 Identification and Authentication 1 2 3 3 1 2 3 1 2 3 SDG version 1.5.1

  17. Hierarchical Policy Structure: RFC 3647 3 Identification and Authentication 3.1 Initial Registration 1 2 3 3 1 2 3 1 2 3 SDG version 1.5.1

  18. Hierarchical Policy Structure: RFC 3647 3 Identification and Authentication 3.1 Initial Registration 3.1.1 Types of Names The subject name is... 1 2 3 3 1 2 3 1 2 3 SDG version 1.5.1

  19. Hierarchical Policy Structure: RFC 3647 3 Identification and Authentication 3.1 Initial Registration 3.1.1 Types of Names The subject name is... 1 2 3 3 3.1.2 Name Meanings The subject name... 1 2 3 1 2 3 SDG version 1.5.1

  20. Hierarchical Policy Structure: RFC 3647 3 Identification and Authentication 3.1 Initial Registration 3.1.1 Types of Names The subject name is... 1 2 3 3 3.1.2 Name Meanings The subject name... 3.1.3 Rules for 1 2 3 Interpreting Name Forms 1 2 3 SDG version 1.5.1

  21. Current Solution: Changelogs 0%,(! 1(.2! 340! #-55(&,+! "66728297! 926! 92"2:;"266"669<92929 4&*,*%=!>(.+*-&! "6672;2"8! 92629! ?..%,@5!A-..(A,*-&! ! ! #$%&'(D! #(.,*E*A%,(! @+(.! 5@+,! F(! "66B2C2"<! 9262"! ! ! %GG.->(H!F/!@+(.!%H5*&*+,.%,-.2! "66B2828! "26! 92"2:;"266"669<9292" I-=*A/!40!%&H!3J!K%5(!A-..(A,*-&! 0(=(,( "# L$(! .@=(! -E! %AA-@&,! .('*+,.%,*-&! %GG=*A%,*-&2! "6682C2"! "29! ! ! M00 "# L$(! .@=(! -E! G(.+-&%=! *&E-.5%,*-&! @+(!G@.G-+(2! ! #$%&'( "# J+(.!A(.,*E*A%,(!>%=*H*,/!G(.*-H2! "66<2"2"9! :26! 92"2:;"266"669<9292: N(5(H*%=!%A,*-&!F%+(H!-&!(O,(.&%=!%@H*,2! #$%&'(D! 3.'%&*P%,*-&+! ,-! Q$*A$! ,$(! KMN?R4!#M!*++@(+!A(.,*E*A%,(+! "66<2;29B! C26! 92"2:;"266"669<9292C #$%&'(D!M,,.*F@,(+!*&!%!A(.,*E*A%,(! M00D!I.%A,*A(+!-E!,$(!SNM! #$%&'(D! L$(! .@=(! -E! ,$(! %GG=*A%,*-&! E-.! "66;2B298! C29! ! ! A(.,*E*A%,(!.(&(Q%=T!.(>*+*-&!-E!,/G-+! #$%&'(D! M&! (U@*G5(&,! E-.! G.-,(A,*-&! "66;2<29;! C2"! ! ! E.-5!E*.(!H%5%'(! !

  22. Current Solution: Changelogs 0%,(! 1(.2! 340! #-55(&,+! "66728297! 926! 92"2:;"266"669<92929 4&*,*%=!>(.+*-&! "6672;2"8! 92629! ?..%,@5!A-..(A,*-&! ! ! #$%&'(D! #(.,*E*A%,(! @+(.! 5@+,! F(! "66B2C2"<! 9262"! ! ! %GG.->(H!F/!@+(.!%H5*&*+,.%,-.2! "66B2828! "26! 92"2:;"266"669<9292" I-=*A/!40!%&H!3J!K%5(!A-..(A,*-&! 0(=(,( "# L$(! .@=(! -E! %AA-@&,! .('*+,.%,*-&! %GG=*A%,*-&2! Delete "6682C2"! "29! ! ! M00 "# L$(! .@=(! -E! G(.+-&%=! *&E-.5%,*-&! @+(!G@.G-+(2! ! ADD #$%&'( "# J+(.!A(.,*E*A%,(!>%=*H*,/!G(.*-H2! Change "66<2"2"9! :26! 92"2:;"266"669<9292: N(5(H*%=!%A,*-&!F%+(H!-&!(O,(.&%=!%@H*,2! #$%&'(D! 3.'%&*P%,*-&+! ,-! Q$*A$! ,$(! KMN?R4!#M!*++@(+!A(.,*E*A%,(+! "66<2;29B! C26! 92"2:;"266"669<9292C #$%&'(D!M,,.*F@,(+!*&!%!A(.,*E*A%,(! M00D!I.%A,*A(+!-E!,$(!SNM! #$%&'(D! L$(! .@=(! -E! ,$(! %GG=*A%,*-&! E-.! "66;2B298! C29! ! ! A(.,*E*A%,(!.(&(Q%=T!.(>*+*-&!-E!,/G-+! #$%&'(D! M&! (U@*G5(&,! E-.! G.-,(A,*-&! "66;2<29;! C2"! ! ! E.-5!E*.(!H%5%'(! !

  23. Our Approach: Edit Distance 1 1 1 2 3 1 2 3 1 2 1 2 3 Tree Edit Distance = 1 "Added Section 1.3.3"

  24. Our Approach: Edit Distance 1 1 1 1 2 3 1 2 3 1 2 3 1 2 1 2 3 1 2 3 Word Edit Distance > 0 "Added description to Section 1.3.2"

  25. Initial Results Reference Description wordED treeED SDG. In Sec 6.1.1, added 12 0 1_5_1:6.1.1 more description AIST. Added Section 21 1 1_1:1.4.3 1.4.3 IUCC. Changed 4.6.1 to 0 0 1_5:4.6.1 add logging of ...

  26. Initial Results: Changelogs are Insufficient Reference Description wordED treeED SDG. In Sec 6.1.1, added 12 0 1_5_1:6.1.1 more description AIST. Added Section 21 1 1_1:1.4.3 1.4.3 IUCC. Changed 4.6.1 to 0 0 1_5:4.6.1 add logging of ... Out of 178 reported changes, 9 never actually occurred!

  27. Identity Management Changelogs insufficient

  28. Switch/Router Configuration Hierarchical Diffing Change Querying

  29. The Security Policy Evolution Problem VOIP

  30. The Security Policy Evolution Problem 911 VOIP

  31. The Security Policy Evolution Problem 911 VOIP

  32. Hierarchical Policy Structure: Cisco IOS ! vlan 820 name VOIP_Phones_FratRow ! interface FastEthernet0/1 interface vlan_820 FastEthernet0/1 name_VOIP_Phones switchport_voice auto_qos_voip _FratRow _vlan_820 _cisco-phone kappa-theta version 1.3

  33. Hierarchical Policy Structure: Cisco IOS ! vlan 820 name VOIP_Phones_FratRow ! interface FastEthernet0/1 switchport voice vlan 820 interface vlan_820 FastEthernet0/1 name_VOIP_Phones switchport_voice auto_qos_voip _FratRow _vlan_820 _cisco-phone kappa-theta version 1.3

  34. Hierarchical Policy Structure: Cisco IOS ! vlan 820 name VOIP_Phones_FratRow ! interface FastEthernet0/1 switchport voice vlan 820 interface vlan_820 auto qos voip cisco-phone FastEthernet0/1 ! name_VOIP_Phones switchport_voice auto_qos_voip _FratRow _vlan_820 _cisco-phone kappa-theta version 1.3

  35. Current Practitioner Solution: Really Awesome New Cisco Config Differ (RANCID) diff -u kappa-theta1.3 kappa-theta1.4 @@ -107,6 +109,13 @@ switchport voice vlan 820 + switchport port-security maximum 1 vlan voice + switchport port-security mac-address beef.feed.face vlan voice auto qos voip cisco-phone

  36. Current Solutions Don't Leverage Hierarchical Structure of CiscoIOS RANCID: diff -u kappa-theta1.3 kappa-theta1.4 @@ -107,6 +109,13 @@ Plonka et al.: LOC, file counts, stanzas Sung et al.: superblocks

  37. Our Approach: Edit Distance interface interface FastEthernet0/1 FastEthernet0/1 switchport_voice auto_qos_voip switchport_voice auto_qos_voip _vlan_820 _cisco-phone _vlan_820 _cisco-phone switchport_port switchport_port _security_max... _security_mac... Tree Edit Distance = 2

  38. Initial Results Total Reference Hits treeED /root/interface* 1542 80 global 304 278 /root/vlan* 28 25 /root/ip* 18 18 /root/logging* 0 0 /root/bridge* 0 0

  39. Hierarchical Querying Total Reference Hits treeED /root/interface* 1542/628 80/628 /root/interface*/switchport* 247 247 /root/interface_FastEthernet0_8 17 17 /switchport* /root/interface_FastEthernet0_8 2 2 /switchport_voice*

  40. Switch/Router Configuration Hierarchical Diffing Change Querying

  41. Outline Two real-world examples Identity Management Switch/Router Configuration Conclude

  42. 1 Security policies must be changed and synchronized in order to maintain security. 2 We can model many of policies as hierarchically-structured texts. 3 We propose a unified methodology to detect and manage change.

  43. Thank You! Questions? Gabriel A. Weaver gabriel.a.weaver@dartmouth.edu IGTF Data: http://pkipolicy.appspot.com/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hierarchical Task Network (HTN) Planning Jos Luis Ambite* [* Based in part on presentations by

Hierarchical Task Network (HTN) Planning Jos Luis Ambite* [* Based in part on presentations by

Hierarchical Task Network (HTN) Planning Jos Luis Ambite* [* Based in part on presentations by Dana Nau and Rao Kambhampati] 1 Hierarchical Decomposition 2 Task Reduction 3 Hierarchical Planning Brief History Originally developed about

545 views • 35 slides
Hierarchical Network Models Motivation Social Networks in Education Independent network

Hierarchical Network Models Motivation Social Networks in Education Independent network

Hierarchical Network Models Motivation Social Networks in Education Independent network replications Teacher networks within schools (Frank et al., 2004; Moolenaar et al., 2010; Spillane et al., 2012; Weinbaum et al., 2008) Student

679 views • 18 slides
Data Mining: Concepts and Techniques Chapter 9 Graph mining and Social Network Analysis

Data Mining: Concepts and Techniques Chapter 9 Graph mining and Social Network Analysis

Data Mining: Concepts and Techniques Chapter 9 Graph mining and Social Network Analysis Li Xiong Slides credits: Jiawei Han and Micheline Kamber 1 April 2, 2008 Graph Mining and Social Network Analysis Graph mining Frequent

879 views • 62 slides
Hierarchical Clustering 36-350: Data Mining 25 September 2006 Last time... Unsupervised

Hierarchical Clustering 36-350: Data Mining 25 September 2006 Last time... Unsupervised

Hierarchical Clustering 36-350: Data Mining 25 September 2006 Last time... Unsupervised learning problems; finding clusters K means divide into k clusters to minimize within- cluser variance*cluster size local search, local

386 views • 11 slides
Hierarchical Network-on-Chip and Traffic Compression for Spiking Neural Network Implementations

Hierarchical Network-on-Chip and Traffic Compression for Spiking Neural Network Implementations

Magee Campus Hierarchical Network-on-Chip and Traffic Compression for Spiking Neural Network Implementations Snaider Carrillo , Jim Harkin, Liam McDaid University of Ulster, Magee Campus Sandeep Pande, Seamus Cawley, Brian McGinley, Fearghal

810 views • 38 slides
Long term challenges in reflecting network costs: Pricing and other solutions to manage network

Long term challenges in reflecting network costs: Pricing and other solutions to manage network

Long term challenges in reflecting network costs: Pricing and other solutions to manage network challenges. (feat. Network Opportunity Maps) Chris Dunstan (Research Director, ISF) AER Tariff Structure Statement Forum 14 December, 2015

610 views • 43 slides
Hierarchical Clustering Class Algorithmic Methods of Data Mining Program M. Sc. Data Science

Hierarchical Clustering Class Algorithmic Methods of Data Mining Program M. Sc. Data Science

Hierarchical Clustering Class Algorithmic Methods of Data Mining Program M. Sc. Data Science University Sapienza University of Rome Semester Fall 2017 Slides by Carlos Castillo http://chato.cl/ Sources: Mohammed J. Zaki, Wagner Meira,

959 views • 33 slides
BSF Proposals 1 Content Context and Aims Strategy for Change Capacity to Manage

BSF Proposals 1 Content Context and Aims Strategy for Change Capacity to Manage

Transforming Rotherham Learning BSF Proposals 1 Content Context and Aims Strategy for Change Capacity to Manage change Next Steps 2 Context 4 Star Council Strong CYPS Improving Educational Outcomes

495 views • 16 slides
Data Mining Techniques: Partitioning Methods: K-Means Cluster Analysis Hierarchical

Data Mining Techniques: Partitioning Methods: K-Means Cluster Analysis Hierarchical

Cluster Analysis Overview Introduction Foundations: Measuring Distance (Similarity) Data Mining Techniques: Partitioning Methods: K-Means Cluster Analysis Hierarchical Methods Mirek Riedewald Density-Based Methods Many slides

487 views • 19 slides
Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

What is Web Mining? Wh t i W b Mi i What is Web Mining? Wh t i W b Mi i ? ? Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques to automat cally d scover and extract nformat on automatically

774 views • 20 slides
This is a brief overview of the Hierarchical Task Network planning process. The planner solves a

This is a brief overview of the Hierarchical Task Network planning process. The planner solves a

This is a brief overview of the Hierarchical Task Network planning process. The planner solves a problem by hierarchical decomposition of abstract tasks into concrete actions. The planner is given an abstract task: something that is not complete and

627 views • 35 slides
History Earlier models: Hierarchical, Network (ch. 10 &amp; 11) The Relational Model

History Earlier models: Hierarchical, Network (ch. 10 &amp; 11) The Relational Model

History Earlier models: Hierarchical, Network (ch. 10 &amp; 11) The Relational Model complex to implement and use; widely used Introduced by Codd &amp; Date (IBM), 1970 Semantically poor; tractable to analyze Textbook 6.1-6.4

7.52k views • 3 slides
CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun yzsun@ccs.neu.edu November 16, 2015 Methods to Learn Matrix Data Text Set Data Sequence Time Series Graph &amp; Images Data Data Network Classification

936 views • 38 slides
CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun

CS6220: DATA MINING TECHNIQUES Mining Graph/Network Data Instructor: Yizhou Sun yzsun@ccs.neu.edu March 16, 2016 Methods to Learn Matrix Data Text Set Data Sequence Time Series Graph &amp; Images Data Data Network Classification

724 views • 54 slides
Hierarchical Task Network (HTN) Planning Section 11.2 Sec. 11.2 p.1/25 Outline Example

Hierarchical Task Network (HTN) Planning Section 11.2 Sec. 11.2 p.1/25 Outline Example

Hierarchical Task Network (HTN) Planning Section 11.2 Sec. 11.2 p.1/25 Outline Example Primitive vs. non-primitive operators HTN planning algorithm Practical planners Additional references used for the slides: desJardins , M. (2001).

381 views • 25 slides
Hierarchical Routing EECS 228 Abhay Parekh parekh@eecs.berkeley.edu Hierarchical Routing Is

Hierarchical Routing EECS 228 Abhay Parekh parekh@eecs.berkeley.edu Hierarchical Routing Is

Hierarchical Routing EECS 228 Abhay Parekh parekh@eecs.berkeley.edu Hierarchical Routing Is a natural way for routing 5 7 to scale 4 4 8 RIP Size 6 6 Network Administration Governance 11 2 2 10 Exploits address

854 views • 48 slides
Payment D39PZ: Procurement and Contracts 2 Lecture Plan 1. Payment principles 2. Payment under

Payment D39PZ: Procurement and Contracts 2 Lecture Plan 1. Payment principles 2. Payment under

...last week (or things you should now understand) the difference between a certificate and an instruction the difference between an instruction and a Variation the role of certificates in controlling money and time the

874 views • 59 slides
Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1

Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1

Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1 CS 136, Fall 2014 Outline Properties of keys Key management Key servers Certificates Lecture 5 Page 2 CS 136, Fall 2014

1.02k views • 68 slides
Security infrastructure, certificates and responsibilities Anand Padmanabhan for the OSG

Security infrastructure, certificates and responsibilities Anand Padmanabhan for the OSG

OSG Summer Workshop Lubbock, 2011 Security infrastructure, certificates and responsibilities Anand Padmanabhan for the OSG Security team Aug 10th, 2011 OSG Security 1 OSG Security OSG Security model A high level overview Aug 10th, 2011

714 views • 37 slides
WHY RECALIBRATE? To ensure you are getting the most accurate and reliable results for your

WHY RECALIBRATE? To ensure you are getting the most accurate and reliable results for your

WHY RECALIBRATE? To ensure you are getting the most accurate and reliable results for your testing/application Quality system compliance Regular check on the health of your load cell WHY DO LOAD CELL OUTPUTS CHANGE?

268 views • 15 slides
EVERY C L O UD HA S A SIL VER L INING A PRIM ER O N S U RPLU S PRO C EED IN G S FO R FO

EVERY C L O UD HA S A SIL VER L INING A PRIM ER O N S U RPLU S PRO C EED IN G S FO R FO

11/7/2018 EVERY C L O UD HA S A SIL VER L INING A PRIM ER O N S U RPLU S PRO C EED IN G S FO R FO REC LO S U RE PREV EN TIO N A D V O C A TES Aya na Robe rtson Me lissa Ysa g uirre Asso c ia te Dire c to r Se nio r Sta ff Atto rne

294 views • 15 slides
First Quarter 2020 Results May 5, 2020 Disclaimer Some of the statements above, including

First Quarter 2020 Results May 5, 2020 Disclaimer Some of the statements above, including

First Quarter 2020 Results May 5, 2020 Disclaimer Some of the statements above, including statements regarding cost savings and other financial or other benefits of the acquisition of Radius, the ability and timing to satisfy the closing

470 views • 30 slides
Third quarter 2011 Results Disclaimer Figures included in this presentation are unaudited. On 21

Third quarter 2011 Results Disclaimer Figures included in this presentation are unaudited. On 21

1 1 3 November 2011 Third quarter 2011 Results Disclaimer Figures included in this presentation are unaudited. On 21 April 2011, BNP Paribas issued a restatement of its quarterly results for 2010 reflecting the raising of the consolidation

1.03k views • 74 slides
Introduction to Corporate Finance (Welch, Chapter 01) Ivo Welch UCLA Anderson School, Corporate

Introduction to Corporate Finance (Welch, Chapter 01) Ivo Welch UCLA Anderson School, Corporate

Introduction to Corporate Finance (Welch, Chapter 01) Ivo Welch UCLA Anderson School, Corporate Finance, Winter 2017 December 15, 2016 Did you bring your calculator? Did you read these notes and the chapter ahead of time? 1/1 Leitmotif of

371 views • 14 slides

More recommend