Davide Belluardo
Models and strategies for automated security policy refinement.
Supervisors: Cataldo Basile, Francesco Settanni. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2024
PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:
In the rapidly evolving cybersecurity domain, refining high-level security policies is essential to effectively manage the increasing complexity and diversity of network threats. This thesis builds on prior research that established a sophisticated refinement process to transform high-level policy directives into technical configurations that can subsequently be applied to network devices. This approach starts with parsing high-level specifications and network topology data to derive enforceable rules that align with the underlying network architecture and security requirements. Central to this process is the use of CLIPS, a Domain-Specific Language for crafting expert systems, which enrich the achieved policy interpretations by extracting essential details from the abstract policy definitions. This thesis introduces several enhancements that aim to optimize the policy refinement process for complex network systems by incorporating advanced methodologies and tools to streamline the alignment of security measures with network architectures and ensure that the configurations are functional and pertinent to the specific operational environments. For instance, it supports the selection of combinations of NSFs, instead of a single NSF, to fulfil the entire set of needed capabilities and provide a more granular selection of security controls. It also enables smart updates of technical configurations when high-level policies are updated, reducing the need for complete reconfiguration from scratch. A significant advancement involves introducing a standardized TOSCA-based model for network topology description. This model provides a structured representation of network layouts and device features, which is crucial for properly applying security policies.
The effectiveness of the proposed solutions is demonstrated through rigorous testing, confirming their ability to generate accurate and up-to-date configurations and concrete low-level policies, which can be enforced over various network scenarios. This thesis extends the use cases of the existing policy refinement system, providing a more scalable and flexible solution and building the basis for future developments in automated security policy management.
Supervisors: Cataldo Basile, Francesco Settanni
Academic year: 2024/25
Publication type: Electronic
Number of pages: 97
Degree course: Master's degree programme in Computer Engineering (Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - Computer Engineering (Ingegneria Informatica)
Collaborating companies: Politecnico di Torino
URI: http://webthesis.biblio.polito.it/id/eprint/33775