31 research outputs found
An Integration of FDI and DX Techniques for Determining the Minimal Diagnosis in an Automatic Way
Two communities work in parallel in model-based diagnosis:
FDI and DX. In this work an integration of the FDI and the DX communities
is proposed. Only relevant information for the identification of the
minimal diagnosis is used. In the first step, the system is divided into
clusters of components, and each cluster is separated into nodes. The
minimal and necessary set of contexts is then obtained for each cluster.
These two steps automatically reduce the computational complexity
since only the essential contexts are generated. In the last step, a signature
matrix and a set of rules are used in order to obtain the minimal
diagnosis. The evaluation of the signature matrix is on-line, the rest of
the process is totally off-line.Ministerio de Ciencia y Tecnolog铆a DPI2003-07146-C02-0
Distributed Model-Based Diagnosis using Object-Relational Constraint Databases
This work presents a proposal to diagnose distributed
systems utilizing model-based diagnosis using distributed
databases. In order to improve aspects as versatility, persistence,
easy composition and efficiency in the diagnosis
process we use an Object Relational Constraint Database
(ORCDB). Thereby we define a distributed architecture to
store the behaviour of components as constraints in a relational
database to diagnose a distributed system. This
work proposes an algorithm to detect which components fail
when their information is distributed in several databases,
and all the information is not available in a global way. It
is also offered a proposal to define, in execution time, the
allocation of the sensors in a distributed system.Ministerio de Ciencia y Tecnolog铆a DPI2003-07146-C02-0
Behavioral pattern analysis of secure migration and communications in eCommerce using cryptographic protocols on a mobile MAS platform
Mobile Multi-Agent Systems (MAS) systems can be
used with real success in a growing number of
eCommerce applications nowadays. Security has been
identified as numerous times by different researchers
as a top criterion for the acceptance of mobile agent
adoption. In this paper we present an in-depth analysis
of behavior patterns of a mobile MAS platform when
using different cryptographic protocols to assure
communication and migration integrity and
confidentiality. Different use case sceneries of
eCommerce applications as well as many other aspects
have been studied, such as overhead, different
communication patterns, different loads and
bandwidth issues. This work is also extensible to other
mobile and non-mobile MAS platforms. The results
obtained can be used and should be taken into account
by designers and implementers of secure mobile and
also non-mobile agent platforms and agents.European Union TeleCARE IST-2000-2760
Firewall Rule Set Inconsistency Characterization by Clustering
Firewall ACLs could have inconsistencies, allowing traffic that
should be denied or vice-versa. In this paper, we analyze the inconsistency
characterization problem as a separate problem of the diagnosis one, and propose
definitions to characterize one-to-many inconsistencies. We identify the
combinatorial part of the problem that causes exponential complexity in combined
diagnosis and characterization algorithms proposed by other researchers.
The problem is divided in several smaller combinatorial ones, which effectively
reduces its complexity. Finally, we propose a heuristic to solve the problem in
worst case polynomial time as a proof of concept
A heuristic polynomial algorithm for local inconsistency diagnosis in firewall rule sets
Firewall ACLs can contain inconsistencies. There is an inconsistency if different actions can be taken on the
same flow of traffic, depending on the ordering of the rules. Inconsistent rules should be notified to the
system administrator in order to remove them. Minimal diagnosis and characterization of inconsistencies is
a combinatorial problem. Although many algorithms have been proposed to solve this problem, all reviewed
ones work with the full ACL with no approximate heuristics, giving minimal and complete results, but
making the problem intractable for large, real-life ACLs. In this paper we take a different approach. First,
we deeply analyze the inconsistency diagnosis in firewall ACLs problem, and propose to split the process in
several parts that can be solved sequentially: inconsistency detection, inconsistent rules identification, and
inconsistency characterization. We present polynomial heuristic algorithms for the first two parts of the
problem: detection and identification (diagnosis) of inconsistent rules. The algorithms return several
independent clusters of inconsistent rules that can be characterized against a fault taxonomy. These clusters
contains all inconsistent rules of the ACL (algorithms are complete), but the algorithms not necessarily give
the minimum number of clusters. The main advantage of the proposed heuristic diagnosis process is that
optimal characterization can be now applied to several smaller problems (the result of the diagnosis process)
rather than to the whole ACL, resulting in an effective computational complexity reduction at the cost of not
having the minimal diagnosis. Experimental results with real ACLs are given.Ministerio de Educaci贸n y Ciencia DPI2006-15476-C02-0
Model-Based Development of firewall rule sets: Diagnosing model inconsistencies
The design and management of firewall rule sets is a very difficult and error-prone task because of the
difficulty of translating access control requirements into complex low-level firewall languages. Although
high-level languages have been proposed to model firewall access control lists, none has been widely
adopted by the industry. We think that the main reason is that their complexity is close to that of many
existing low-level languages. In addition, none of the high-level languages that automatically generate
firewall rule sets verifies the model prior to the code-generation phase. Error correction in the early
stages of the development process is cheaper compared to the cost associated with correcting errors in
the production phase. In addition, errors generated in the production phase usually have a huge impact
on the reliability and robustness of the generated code and final system.
In this paper, we propose the application of the ideas of Model-Based Development to firewall access control
list modelling and automatic rule set generation. First, an analysis of the most widely used firewall
languages in the industry is conducted. Next, a Platform-Independent Model for firewall ACLs is proposed.
This model is the result of exhaustive analysis and of a discussion of different alternatives for models
in a bottom-up methodology. Then, it is proposed that a verification stage be added in the early stages
of the Model-Based Development methodology, and a polynomial time complexity process and algorithms
are proposed to detect and diagnose inconsistencies in the Platform-Independent Model. Finally,
a theoretical complexity analysis and empirical tests with real models were conducted, in order to prove
the feasibility of our proposal in real environments
Fast algorithms for consistency-based diagnosis of firewall rule sets
Firewalls provide the first line of defence of nearly
all networked institutions today. However, Firewall
ACL management suffer some problems that need to be
addressed in order to be effective. The most studied
one is rule set consistency. There is an inconsistency if
different actions can be taken on the same traffic,
depending on the ordering of the rules. In this paper a
new algorithm to diagnose inconsistencies in firewall
rule sets is presented. Although many algorithms have
been proposed to address this problem, the presented
one is a big improvement over them, due to its low
algorithmic and memory complexity, even in worst
case. In addition, there is no need to pre-process in
any way the rule set previous to the application of the
algorithms. We also present experimental results with
real rule sets that validate our proposal.Ministerio de Educaci贸n y Ciencia DPI2006-15476-C02-0
AFPL2, An Abstract Language for Firewall ACLs with NAT support
The design and management of firewall ACLs is a
very hard and error-prone task. Part of this complexity comes
from the fact that each firewall platform has its own low-level
language with a different functionality, syntax, and development
environment. Although high-level languages have been proposed
to model firewall ACLs, none of them has been widely adopted by
the industry due to a combination of factors: high complexity, no
support of important features of firewalls, etc. In this paper the
most important access control policy languages are reviewed,
with special focus on the development of firewall ACLs. Based on
this analysis, a new domain specific language for firewall ACLs
(AFPL2) is proposed, supporting more features that other
languages do not cover (e.g. NAT). As the result of our design
methodology, AFPL2 is very lightweight and easy to use. AFPL2
can be translated to existing low-level firewall languages, or be
directly interpreted by firewall platforms, and is an extension to a
previously developed language.Ministerio de Eduaci贸n y Ciencia DPI2006-15476-C02-0
OPBUS: Risk-aware framework for the conformance of security-quality requirements in business processes
Several reports indicate that one of the most important business priorities is the improvement of business
and IT management. Nowadays, business processes and in general service-based ones use other external
services which are not under their jurisdiction. Organizations do not usually consider their exposition to
security risks when business processes cross organizational boundaries. In this paper, we propose a risk aware framework for security-quality requirements in business processes management. This framework is
focused on the inclusion of security issues from design to execution. The framework provides innovative
mechanisms based on model-based diagnosis and constraint programming in order to carry out the risk
assessment of business processes and the automatic check of the conformance of security requirements.Junta de Andaluc铆a P08-TIC-04095Ministerio de Ciencia y Tecnolog铆a TIN2009-1371
A Quadratic, Complete, and Minimal Consistency Diagnosis Process for Firewall ACLs
Developing and managing firewall Access Control
Lists (ACLs) are hard, time-consuming, and error-prone tasks
for a variety of reasons. Complexity of networks is constantly
increasing, as it is the size of firewall ACLs. Networks have
different access control requirements which must be translated
by a network administrator into firewall ACLs. During this task,
inconsistent rules can be introduced in the ACL. Furthermore,
each time a rule is modified (e.g. updated, corrected when a fault
is found, etc.) a new inconsistency with other rules can be
introduced. An inconsistent firewall ACL implies, in general, a
design or development fault, and indicates that the firewall is
accepting traffic that should be denied or vice versa. In this paper
we propose a complete and minimal consistency diagnosis process
which has worst-case quadratic time complexity with the number
of rules in a set of inconsistent rules. There are other proposals of
consistency diagnosis algorithms. However they have different
problems which can prevent their use with big, real-life, ACLs:
on the one hand, the minimal ones have exponential worst-case
time complexity; on the other hand, the polynomial ones are not
minimal.Ministerio de Eduaci贸n y Ciencia TIN2009-1371