Computer Science ›› 2020, Vol. 47 ›› Issue (5): 306-312.doi: 10.11896/jsjkx.190500038

• Information Security •

Network Security Configuration Generation Framework Based on Genetic Algorithm Optimization

BAI Wei1, PAN Zhi-song1, XIA Shi-ming1, CHENG Ang-xuan2   

  1 Command & Control Engineering College, Army Engineering University of PLA, Nanjing 210014, China
  2 Unit 93117, PLA, Nanjing 210018, China
  • Received: 2019-05-07 Online: 2020-05-15 Published: 2020-05-19
  • About author: BAI Wei, born in 1983, Ph.D, lecturer. His main research interests include network security, security policy and security management.
    PAN Zhi-song, born in 1973, Ph.D, professor, Ph.D supervisor. His main research interests include artificial intelligence and network security.
  • Supported by: This work was supported by the National Key Research Development Program of China (2017YFB0802800)

Abstract: It is an important task in network security management to configure network security equipment reasonably and to enforce access controls on information systems. As network size increases, complex inter-dependent relationships arise among user privileges. Traditionally, access control lists are generated manually from the business requirements under the principle of least privilege, and these inter-dependent relationships are neglected. Network users may therefore be granted more privileges than they need, which may introduce vulnerabilities into the network. In this paper, a security configuration generation framework based on genetic algorithm optimization is proposed. First, the framework extracts user privilege information and network semantic information from the network planning information and configuration information, and a network security risk assessment model is used to assess the network risk under different security configurations. Then, all possible access control configurations are encoded as genes, and an initial population is generated according to the pre-determined genetic operators and hyperparameters. Finally, a better individual is produced by the genetic algorithm. The framework can not only compare the network security risks under different security configurations, but also search the space of possible configurations for the optimal security configuration, thus realizing the automatic generation of access control strategies for network security devices. The framework is validated by constructing a simulated network environment with 20 devices and 30 services. In this simulation environment, the framework finds a better security configuration within no more than 10 generations with a population of 150 samples. Experimental data show that the framework can automatically generate reasonable network security configurations according to network security requirements.

Key words: Genetic algorithm, Multi-domain configuration, Network security, Security strategy, User privilege
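As an added illustration of the abstract's pipeline (not code from the paper; the zones, services, dependency relation, sensitivity weights and fitness function are all constructed assumptions standing in for the paper's risk assessment model), the following encodes zone-to-service ACL entries as a bit string, scores each individual with a risk function that follows privilege inter-dependencies, seeds the population with the manually derived least-privilege ACL, and evolves it:

```python
import random

# Constructed toy network (not the paper's 20-device test bed): 3 zones, 5 services.
ZONES = ["office", "dev", "guest"]
SERVICES = ["web", "app", "db", "backup", "admin"]
# Business requirements: services each zone must be able to reach.
REQUIRED = {"office": {"web", "app"}, "dev": {"web", "app", "db"}, "guest": {"web"}}
# Privilege inter-dependencies ignored by manual least-privilege ACLs:
# reaching the key implicitly yields the values (e.g. the db tier trusts app hosts).
IMPLIES = {"app": {"db"}, "db": {"backup"}}
# Sensitivity weight charged for every effective privilege a zone does not need.
SENSITIVITY = {"web": 1, "app": 2, "db": 5, "backup": 4, "admin": 10}
N = len(ZONES) * len(SERVICES)

def decode(genes):
    """Bit i*len(SERVICES)+j set means ZONES[i] may reach SERVICES[j]."""
    return {z: {s for j, s in enumerate(SERVICES) if genes[i * len(SERVICES) + j]}
            for i, z in enumerate(ZONES)}
def effective(explicit):
    """Transitive closure of explicit grants over the IMPLIES relation."""
    reach, stack = set(explicit), list(explicit)
    while stack:
        for s in IMPLIES.get(stack.pop(), ()):
            if s not in reach:
                reach.add(s); stack.append(s)
    return reach
def fitness(genes):
    """Higher is better: -100 per unmet requirement, -sensitivity per unneeded
    effective privilege (the toy risk model), -1 per explicit rule."""
    acl, score = decode(genes), 0
    for z in ZONES:
        eff = effective(acl[z])
        score -= 100 * len(REQUIRED[z] - eff)
        score -= sum(SENSITIVITY[s] for s in eff - REQUIRED[z]) + len(acl[z])
    return score
def manual_acl():
    """Traditional least-privilege ACL: grant exactly what each zone asks for."""
    return [int(SERVICES[i % len(SERVICES)] in REQUIRED[ZONES[i // len(SERVICES)]])
            for i in range(N)]
def evolve(pop_size=50, generations=50, seed=1):
    """GA with elitism, tournament selection, uniform crossover and bit-flip mutation;
    the manual ACL is seeded into the population so the result is never worse."""
    rng = random.Random(seed)
    pop = [manual_acl()] + [[rng.randint(0, 1) for _ in range(N)] for _ in range(pop_size - 1)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        nxt = pop[:2]
        while len(nxt) < pop_size:
            a, b = (max(rng.sample(pop, 3), key=fitness) for _ in range(2))
            child = [x if rng.random() < 0.5 else y for x, y in zip(a, b)]
            nxt.append([1 - g if rng.random() < 1 / N else g for g in child])
        pop = nxt
    return max(pop, key=fitness)
```

In this toy instance the manual ACL gives dev an explicit db rule that its app privilege already implies, and both office and dev reach backup without asking for it; the search removes the redundant rule, while the implied backup exposure stays visible in the risk score as something only a change to the dependency structure could remove.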

CLC Number: TP309