Dynamic Ordering of Firewall Rules Using a Novel Swapping Window-based Paradigm
Designing and implementing efficient firewall strategies in the age of the Internet of Things (IoT) is far from trivial. This is because, as time proceeds, an increasing number of devices will be connected, accessed and controlled on the Internet. Additionally, an ever-increasing amount of sensitive information will be stored on various networks. A good and efficient firewall strategy will attempt to secure this information, and also to manage the large amount of inevitable network traffic that these devices create. The goal of this paper is to propose a framework for designing optimized firewalls for the IoT.

This paper deals with two fundamental challenges/problems encountered in such firewalls. The first is the so-called “Rule Matching” (RM) time problem. In this regard, we propose a simple condition for performing the swapping of the firewall’s rules; by satisfying this condition, we can guarantee that, apart from preserving the firewall’s consistency and integrity, we also ensure a greedy reduction in the matching time. It turns out that, though our proposed novel solution is relatively simple, it can be perceived to be a generalization of the algorithm proposed by Fulp [1]. However, as opposed to Fulp’s solution, our swapping condition considers rules that are not necessarily consecutive. It rather invokes a novel concept that we refer to as the “swapping window”.

The second contribution of our paper is a novel “batch”-based traffic estimator that provides network statistics to the firewall placement optimizer. The traffic estimator is a subtle but modified batch-based embodiment of the Stochastic Learning Weak Estimator (SLWE) proposed by Oommen and Rueda [2]. The paper contains the formal properties of this estimator. Further, by performing a rigorous suite of experiments, we demonstrate that both algorithms are capable of optimizing the constraints imposed for obtaining an efficient firewall.
Adaptive conflict-free optimization of rule sets for network security packet filtering devices
Packet filtering and processing rules management in firewalls and security gateways has become commonplace in increasingly complex networks. On one side, there is a need to maintain the logic of high-level policies, which requires administrators to implement and update a large number of filtering rules while keeping them conflict-free, that is, avoiding security inconsistencies. On the other side, traffic-adaptive optimization of large rule lists is useful for general-purpose computers used as filtering devices, without specifically designed hardware, to face growing link speeds and to harden filtering devices against DoS and DDoS attacks. Our work joins the two issues in an innovative way and defines a traffic-adaptive algorithm to find conflict-free optimized rule sets, by relying on information gathered from traffic logs. The proposed approach suits current technology architectures and exploits available features, like traffic log databases, to minimize the impact of ACO development on the packet filtering devices. We demonstrate the benefit entailed by the proposed algorithm through measurements on a test bed made up of real-life, commercial packet filtering devices.
Optimising Firewall Performance in Dynamic Networks
As more and more devices connect to the internet, a lot of sensitive information will be stored in various networks. In order to secure this information and manage the large amount of inevitable network traffic that these devices create, an optimised firewall is needed. In order to meet this demand, the thesis proposes two algorithms for solving the problem. The first algorithm minimises the rule matching time by using a simple condition for performing swapping that preserves both the firewall's consistency and its integrity, and ensures a greedy reduction of the matching time. The solution is novel in itself and can be considered a generalisation of the algorithm proposed by Fulp in the paper 'Optimization of network firewall policies using ordered sets and directed acyclical graphs'. The second algorithm reads the network traffic and provides network statistics to the first algorithm. The solution is a novel modification of the algorithm by Oommen and Rueda in the paper 'Stochastic learning-based weak estimation of multinomial random variables and its applications to pattern recognition in non-stationary environments'. It will be shown, through experiments, that both algorithms are able to solve the problem of optimising a firewall.
On optimizing firewall performance in dynamic networks by invoking a novel swapping window-based paradigm
Towards Optimal Firewall Rule Ordering Utilizing Directed Acyclical Graphs (ICCCN)
Abstract—Firewalls enforce a security policy by inspecting packets arriving at or departing a network. This is often accomplished by sequentially comparing the policy rules with the header of an arriving packet until the first match is found. This process becomes time-consuming as policies become larger and more complex. Therefore, determining the appropriate action for arriving packets must be done as quickly as possible. The process of packet header matching can be improved if more popular rules appear earlier in the policy. Unfortunately, a simple sorting algorithm is not possible, since the relative order of certain rules must be maintained in order to preserve the original policy intent. Utilizing Directed Acyclical Graphs (DAGs) to represent firewall policy, this paper introduces a novel rule sorting technique. The technique is capable of considering sub-graphs of rules (inter-related by precedence constraints) and comparing the advantage of placing and merging the rules that comprise them. Experimental results using a variety of policies show that the proposed algorithm is able to find the optimal order in 98% of the example policies, which is substantially higher than other methods. Index Terms—Security, network firewall, security policy, rule ordering
Dynamics of Long-Life Assets: From Technology Adaptation to Upgrading the Business Model
Knowledge management; Business information system
Secure Information Sharing with Distributed Ledgers
In 2009, blockchain technology was first introduced as the supporting database technology for digital currencies. Since then, more advanced derivations of the technology have been developed under the broader term Distributed Ledgers, with improved scalability and support for general-purpose application logic. As a distributed database, they are able to support interorganizational information sharing while assuring desirable information security attributes like non-repudiation, auditability and transparency. Based on these characteristics, researchers and practitioners alike have begun to identify a plethora of disruptive use cases for Distributed Ledgers in existing application domains. While these use cases promise significant efficiency improvements and cost reductions, practical adoption has been slow in the past years. This dissertation focuses on improving three aspects contributing to slow adoption. First, it attempts to identify application areas and substantiated use cases where Distributed Ledgers can considerably advance the security of information sharing. Second, it considers the security aspects of the technology itself, identifying threats to practical applications and detection approaches for these threats. Third, it investigates success factors for successful interorganizational collaborations using Distributed Ledgers.
Behavior quantification as the missing link between fields: Tools for digital psychiatry and their role in the future of neurobiology
The great behavioral heterogeneity observed between individuals with the same psychiatric disorder and even within one individual over time complicates both clinical practice and biomedical research. However, modern technologies are an exciting opportunity to improve behavioral characterization. Existing psychiatry methods that are qualitative or unscalable, such as patient surveys or clinical interviews, can now be collected at a greater capacity and analyzed to produce new quantitative measures. Furthermore, recent capabilities for continuous collection of passive sensor streams, such as phone GPS or smartwatch accelerometer, open avenues of novel questioning that were previously entirely unrealistic. Their temporally dense nature enables a cohesive study of real-time neural and behavioral signals.

To develop comprehensive neurobiological models of psychiatric disease, it will be critical to first develop strong methods for behavioral quantification. There is huge potential in what can theoretically be captured by current technologies, but this in itself presents a large computational challenge -- one that will necessitate new data processing tools, new machine learning techniques, and ultimately a shift in how interdisciplinary work is conducted.

In my thesis, I detail research projects that take different perspectives on digital psychiatry, subsequently tying ideas together with a concluding discussion on the future of the field. I also provide software infrastructure where relevant, with extensive documentation.

Major contributions include scientific arguments and proof of concept results for daily free-form audio journals as an underappreciated psychiatry research datatype, as well as novel stability theorems and pilot empirical success for a proposed multi-area recurrent neural network architecture.

Comment: PhD thesis cop