31 research outputs found

    An Integration of FDI and DX Techniques for Determining the Minimal Diagnosis in an Automatic Way

    Two communities work in parallel in model-based diagnosis: FDI and DX. In this work an integration of the FDI and the DX communities is proposed. Only relevant information for the identification of the minimal diagnosis is used. In the first step, the system is divided into clusters of components, and each cluster is separated into nodes. The minimal and necessary set of contexts is then obtained for each cluster. These two steps automatically reduce the computational complexity since only the essential contexts are generated. In the last step, a signature matrix and a set of rules are used in order to obtain the minimal diagnosis. The evaluation of the signature matrix is on-line, the rest of the process is totally off-line. Ministerio de Ciencia y Tecnología DPI2003-07146-C02-0

    Distributed Model-Based Diagnosis using Object-Relational Constraint Databases

    This work presents a proposal to diagnose distributed systems utilizing model-based diagnosis using distributed databases. In order to improve aspects such as versatility, persistence, easy composition and efficiency in the diagnosis process we use an Object Relational Constraint Database (ORCDB). Thereby we define a distributed architecture to store the behaviour of components as constraints in a relational database to diagnose a distributed system. This work proposes an algorithm to detect which components fail when their information is distributed in several databases, and all the information is not available in a global way. A proposal is also offered to define, at execution time, the allocation of the sensors in a distributed system. Ministerio de Ciencia y Tecnología DPI2003-07146-C02-0

    Behavioral pattern analysis of secure migration and communications in eCommerce using cryptographic protocols on a mobile MAS platform

    Mobile Multi-Agent Systems (MAS) can be used with real success in a growing number of eCommerce applications nowadays. Security has been identified numerous times by different researchers as a top criterion for the acceptance of mobile agent adoption. In this paper we present an in-depth analysis of behavior patterns of a mobile MAS platform when using different cryptographic protocols to assure communication and migration integrity and confidentiality. Different use case scenarios of eCommerce applications as well as many other aspects have been studied, such as overhead, different communication patterns, different loads and bandwidth issues. This work is also extensible to other mobile and non-mobile MAS platforms. The results obtained can be used and should be taken into account by designers and implementers of secure mobile and also non-mobile agent platforms and agents. European Union TeleCARE IST-2000-2760

    Firewall Rule Set Inconsistency Characterization by Clustering

    Firewall ACLs could have inconsistencies, allowing traffic that should be denied or vice versa. In this paper, we analyze the inconsistency characterization problem as a problem separate from the diagnosis one, and propose definitions to characterize one-to-many inconsistencies. We identify the combinatorial part of the problem that causes exponential complexity in combined diagnosis and characterization algorithms proposed by other researchers. The problem is divided into several smaller combinatorial ones, which effectively reduces its complexity. Finally, we propose a heuristic to solve the problem in worst-case polynomial time as a proof of concept.

    A heuristic polynomial algorithm for local inconsistency diagnosis in firewall rule sets

    Firewall ACLs can contain inconsistencies. There is an inconsistency if different actions can be taken on the same flow of traffic, depending on the ordering of the rules. Inconsistent rules should be notified to the system administrator in order to remove them. Minimal diagnosis and characterization of inconsistencies is a combinatorial problem. Although many algorithms have been proposed to solve this problem, all reviewed ones work with the full ACL with no approximate heuristics, giving minimal and complete results, but making the problem intractable for large, real-life ACLs. In this paper we take a different approach. First, we deeply analyze the problem of inconsistency diagnosis in firewall ACLs, and propose to split the process into several parts that can be solved sequentially: inconsistency detection, inconsistent rules identification, and inconsistency characterization. We present polynomial heuristic algorithms for the first two parts of the problem: detection and identification (diagnosis) of inconsistent rules. The algorithms return several independent clusters of inconsistent rules that can be characterized against a fault taxonomy. These clusters contain all inconsistent rules of the ACL (algorithms are complete), but the algorithms do not necessarily give the minimum number of clusters. The main advantage of the proposed heuristic diagnosis process is that optimal characterization can now be applied to several smaller problems (the result of the diagnosis process) rather than to the whole ACL, resulting in an effective computational complexity reduction at the cost of not having the minimal diagnosis. Experimental results with real ACLs are given. Ministerio de Educación y Ciencia DPI2006-15476-C02-0

    Model-Based Development of firewall rule sets: Diagnosing model inconsistencies

    The design and management of firewall rule sets is a very difficult and error-prone task because of the difficulty of translating access control requirements into complex low-level firewall languages. Although high-level languages have been proposed to model firewall access control lists, none has been widely adopted by the industry. We think that the main reason is that their complexity is close to that of many existing low-level languages. In addition, none of the high-level languages that automatically generate firewall rule sets verifies the model prior to the code-generation phase. Error correction in the early stages of the development process is cheaper compared to the cost associated with correcting errors in the production phase. In addition, errors generated in the production phase usually have a huge impact on the reliability and robustness of the generated code and final system. In this paper, we propose the application of the ideas of Model-Based Development to firewall access control list modelling and automatic rule set generation. First, an analysis of the most widely used firewall languages in the industry is conducted. Next, a Platform-Independent Model for firewall ACLs is proposed. This model is the result of exhaustive analysis and of a discussion of different alternatives for models in a bottom-up methodology. Then, it is proposed that a verification stage be added in the early stages of the Model-Based Development methodology, and a polynomial time complexity process and algorithms are proposed to detect and diagnose inconsistencies in the Platform-Independent Model. Finally, a theoretical complexity analysis and empirical tests with real models were conducted, in order to prove the feasibility of our proposal in real environments.

    Fast algorithms for consistency-based diagnosis of firewall rule sets

    Firewalls provide the first line of defence of nearly all networked institutions today. However, firewall ACL management suffers from some problems that need to be addressed in order to be effective. The most studied one is rule set consistency. There is an inconsistency if different actions can be taken on the same traffic, depending on the ordering of the rules. In this paper a new algorithm to diagnose inconsistencies in firewall rule sets is presented. Although many algorithms have been proposed to address this problem, the presented one is a big improvement over them, due to its low algorithmic and memory complexity, even in the worst case. In addition, there is no need to pre-process the rule set in any way prior to the application of the algorithms. We also present experimental results with real rule sets that validate our proposal. Ministerio de Educación y Ciencia DPI2006-15476-C02-0

    AFPL2, An Abstract Language for Firewall ACLs with NAT support

    The design and management of firewall ACLs is a very hard and error-prone task. Part of this complexity comes from the fact that each firewall platform has its own low-level language with a different functionality, syntax, and development environment. Although high-level languages have been proposed to model firewall ACLs, none of them has been widely adopted by the industry due to a combination of factors: high complexity, no support of important features of firewalls, etc. In this paper the most important access control policy languages are reviewed, with special focus on the development of firewall ACLs. Based on this analysis, a new domain specific language for firewall ACLs (AFPL2) is proposed, supporting more features that other languages do not cover (e.g. NAT). As the result of our design methodology, AFPL2 is very lightweight and easy to use. AFPL2 can be translated to existing low-level firewall languages, or be directly interpreted by firewall platforms, and is an extension to a previously developed language. Ministerio de Educación y Ciencia DPI2006-15476-C02-0

    OPBUS: Risk-aware framework for the conformance of security-quality requirements in business processes

    Several reports indicate that one of the most important business priorities is the improvement of business and IT management. Nowadays, business processes, and in general service-based ones, use other external services which are not under their jurisdiction. Organizations do not usually consider their exposure to security risks when business processes cross organizational boundaries. In this paper, we propose a risk-aware framework for security-quality requirements in business process management. This framework is focused on the inclusion of security issues from design to execution. The framework provides innovative mechanisms based on model-based diagnosis and constraint programming in order to carry out the risk assessment of business processes and the automatic check of the conformance of security requirements. Junta de Andalucía P08-TIC-04095; Ministerio de Ciencia y Tecnología TIN2009-1371

    A Quadratic, Complete, and Minimal Consistency Diagnosis Process for Firewall ACLs

    Developing and managing firewall Access Control Lists (ACLs) are hard, time-consuming, and error-prone tasks for a variety of reasons. Complexity of networks is constantly increasing, as is the size of firewall ACLs. Networks have different access control requirements which must be translated by a network administrator into firewall ACLs. During this task, inconsistent rules can be introduced in the ACL. Furthermore, each time a rule is modified (e.g. updated, corrected when a fault is found, etc.) a new inconsistency with other rules can be introduced. An inconsistent firewall ACL implies, in general, a design or development fault, and indicates that the firewall is accepting traffic that should be denied or vice versa. In this paper we propose a complete and minimal consistency diagnosis process which has worst-case quadratic time complexity with the number of rules in a set of inconsistent rules. There are other proposals of consistency diagnosis algorithms. However, they have different problems which can prevent their use with big, real-life ACLs: on the one hand, the minimal ones have exponential worst-case time complexity; on the other hand, the polynomial ones are not minimal. Ministerio de Educación y Ciencia TIN2009-1371