Learning to Customize Network Security Rules

TL;DR

This paper introduces a supervised learning approach to automatically generate firewall rules for cloud networks, improving security by accurately recommending IP allowances based on network traffic data.

Contribution

The paper presents a novel supervised learning method that predicts firewall rules from NetFlow data, reducing manual configuration and enhancing security in cloud environments.

Findings

Achieved ROC AUC of 0.92 in predicting firewall rules

Outperformed unsupervised baseline with ROC AUC of 0.58

Demonstrated effectiveness in blocking malicious traffic

Abstract

Security is a major concern for organizations who wish to leverage cloud computing. In order to reduce security vulnerabilities, public cloud providers offer firewall functionalities. When properly configured, a firewall protects cloud networks from cyber-attacks. However, proper firewall configuration requires intimate knowledge of the protected system, high expertise and on-going maintenance. As a result, many organizations do not use firewalls effectively, leaving their cloud resources vulnerable. In this paper, we present a novel supervised learning method, and prototype, which compute recommendations for firewall rules. Recommendations are based on sampled network traffic meta-data (NetFlow) collected from a public cloud provider. Labels are extracted from firewall configurations deemed to be authored by experts. NetFlow is collected from network routers, avoiding expensive collection from cloud VMs, as well as relieving privacy concerns. The proposed method captures network routines and dependencies between resources and firewall configuration. The method predicts IPs to be allowed by the firewall. A grouping algorithm is subsequently used to generate a manageable number of IP ranges. Each range is a parameter for a firewall rule. We present results of experiments on real data, showing ROC AUC of 0.92, compared to 0.58 for an unsupervised baseline. The results prove the hypothesis that firewall rules can be automatically generated based on router data, and that an automated method can be effective in blocking a high percentage of malicious traffic.