
Towards the automatic refinement of high-level security policies in computer networks

Mattia Bencivenga

Towards the automatic refinement of high-level security policies in computer networks.

Supervisors: Cataldo Basile, Antonio Lioy. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2022

PDF (Tesi_di_laurea) - Thesis
Licenza: Creative Commons Attribution Non-commercial No Derivatives.


Policy-based security management has been studied extensively in the academic literature, but the ever-increasing difficulty of maintaining and managing a secure network keeps the topic highly relevant. Policy-based management simplifies the administration of distributed networks and systems by deploying a set of policies that control network behaviour. For the approach to be truly effective, policy refinement must be done well. Policy refinement is the process of transforming a high-level, abstract policy specification into low-level, concrete policies that can be enforced on the managed system. It is the most critical and complex part of the approach, because it must account for many variables. The first is the human component: high-level policies are written, according to need, by expert staff or by ordinary users, and either may make mistakes. Beyond that lie the intrinsic difficulties of the task itself, since policy refinement consists of several phases, each with its own difficulties. The first phase, requirements identification, determines the capabilities needed to enforce a high-level user policy; it is by far the most complex, as it processes the policy to determine every security control required to apply it and identifies the PSAs that can enforce it. The second phase, non-enforceability analysis, reports the cases in which the defined policy cannot be applied. The last phase is the generation of the policy itself in an abstract, vendor-independent and device-independent language. The goal of policy refinement work is to emulate the behaviour of a good network administrator.
To do this, we chose the expert system CLIPS, a program that simulates the decision-making ability of a human expert. Rather than relying on procedural code, expert systems tackle complicated problems by forward chaining through bodies of knowledge expressed mostly as if-then rules. CLIPS makes it possible to perform enrichment, i.e., to extract from the high-level policy the information that yields the knowledge needed to generate the medium-level policy. In addition to the information extracted with CLIPS, the refinement needs information about the network topology and general prior knowledge: the kind of information a network administrator would have, which allows a better identification of the necessary capabilities. This information is stored in ad-hoc databases. The developed tool successfully refines filtering and protection policies, generating medium-level policies that are correct and follow current best practices. Furthermore, the proposed solution has been integrated into a complete framework, which allowed validating the refinement of high-level policies all the way down to valid low-level configurations for the end devices.
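The three refinement phases described in the abstract (requirements identification via enrichment, non-enforceability analysis against the topology, and generation of device-independent medium-level policies) can be illustrated with a small forward-chaining engine in the style of CLIPS if-then rules. The following is an added example written for this page, not the thesis's tool: the engine, the rule set, the capability names (l4_filter, l7_filter, channel_protection), the high-level policies, the prior-knowledge group and the two-node topology are all constructed for illustration and are not taken from the thesis.

```python
"""Toy forward-chaining policy refinement (added example, not the thesis's code).
Facts are (kind, attrs) tuples in a working memory; rules are functions that
fire when their if-part matches and assert new facts, mimicking CLIPS rules.
All policy, knowledge, topology and capability names below are constructed."""
import ipaddress


class Engine:
    """Minimal forward-chaining engine: fire rules until no new fact appears."""

    def __init__(self):
        self.facts = []   # working memory
        self.rules = []   # callables taking the engine, returning True if they asserted

    def assert_fact(self, kind, **attrs):
        fact = (kind, attrs)
        if fact in self.facts:
            return False          # already known: stops rules from re-firing forever
        self.facts.append(fact)
        return True

    def select(self, kind):
        return [attrs for k, attrs in self.facts if k == kind]

    def run(self):
        fired = True
        while fired:              # iterate to a fixed point
            fired = False
            for rule in self.rules:
                if rule(self):
                    fired = True


def is_ip_prefix(value):
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def rule_expand_groups(e):
    """Enrichment: replace a symbolic object (e.g. a domain group) with the
    members recorded in the prior-knowledge base, producing concrete targets."""
    groups = {k["group"]: k["members"] for k in e.select("knowledge")}
    fired = False
    for p in e.select("policy"):
        for target in groups.get(p["object"], [p["object"]]):
            fired |= e.assert_fact("target", policy=p["id"], value=target)
    return fired


def rule_required_capability(e):
    """Requirements identification: map (action, target kind) to the security
    capability needed. The mapping is a constructed one for this example."""
    actions = {p["id"]: p["action"] for p in e.select("policy")}
    fired = False
    for t in e.select("target"):
        if actions[t["policy"]] == "protect":
            cap = "channel_protection"
        elif is_ip_prefix(t["value"]):
            cap = "l4_filter"     # address targets can be filtered at IP/port level
        else:
            cap = "l7_filter"     # a domain name needs application-layer inspection
        fired |= e.assert_fact("requires", policy=t["policy"], capability=cap)
    return fired


def rule_find_enforcer(e):
    """Non-enforceability analysis: find a node on the subject's path offering
    the capability; otherwise record the policy as unenforceable."""
    subject = {p["id"]: p["subject"] for p in e.select("policy")}
    fired = False
    for r in e.select("requires"):
        nodes = [n["name"] for n in e.select("node")
                 if subject[r["policy"]] in n["serves"]
                 and r["capability"] in n["capabilities"]]
        if nodes:
            fired |= e.assert_fact("enforcer", policy=r["policy"],
                                   node=nodes[0], capability=r["capability"])
        else:
            fired |= e.assert_fact("unenforceable", policy=r["policy"],
                                   capability=r["capability"])
    return fired


def generate_medium_level(e):
    """Generation: one vendor- and device-independent medium-level policy per
    (policy, enforcer), listing the concrete rules the device must apply."""
    policies = {p["id"]: p for p in e.select("policy")}
    out = []
    for enf in e.select("enforcer"):
        p = policies[enf["policy"]]
        out.append({"policy": p["id"], "device": enf["node"],
                    "capability": enf["capability"],
                    "rules": [{"action": p["action"], "source": p["subject"],
                               "destination": t["value"]}
                              for t in e.select("target") if t["policy"] == p["id"]]})
    return out


def refine(policies, knowledge, topology):
    """Run the three phases; return (medium-level policies, unenforceable facts)."""
    e = Engine()
    for p in policies:
        e.assert_fact("policy", **p)
    for k in knowledge:
        e.assert_fact("knowledge", **k)
    for n in topology:
        e.assert_fact("node", **n)
    e.rules += [rule_expand_groups, rule_required_capability, rule_find_enforcer]
    e.run()
    return generate_medium_level(e), e.select("unenforceable")


# Constructed sample input: three high-level policies, one knowledge group, two nodes.
POLICIES = [
    {"id": "p1", "subject": "guest_lan", "action": "deny", "object": "social_networks"},
    {"id": "p2", "subject": "guest_lan", "action": "deny", "object": "10.0.5.0/24"},
    {"id": "p3", "subject": "hr_lan", "action": "protect", "object": "internet"},
]
KNOWLEDGE = [{"group": "social_networks", "members": ["sn1.example", "sn2.example"]}]
TOPOLOGY = [
    {"name": "fw1", "serves": ["guest_lan", "hr_lan"], "capabilities": ["l4_filter", "l7_filter"]},
    {"name": "edge-rtr", "serves": ["hr_lan"], "capabilities": ["l4_filter"]},
]

if __name__ == "__main__":
    mlp, unenforceable = refine(POLICIES, KNOWLEDGE, TOPOLOGY)
    for m in mlp:
        print(m)
    print("unenforceable:", unenforceable)
```

With this input, p1 is enriched into two domain targets and assigned to fw1 as an l7_filter policy, p2 becomes an l4_filter policy on fw1, and p3 is reported as unenforceable because no node serving hr_lan offers channel_protection; in a real refinement tool the non-enforceability report is what tells the administrator that the topology, not the policy, must change.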

Supervisors: Cataldo Basile, Antonio Lioy
Academic year: 2021/22
Publication type: Electronic
Number of Pages: 109
Degree programme: Master's degree programme in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Collaborating companies: UNSPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/22803