Network-level access control policies are often specified by various people (network, application, and security administrators), and this may result in conflicts or suboptimal policies. We have defined a new formal model for policy representation that is independent of the actual enforcement elements, along with a procedure that allows the easy identification and removal of inconsistencies and anomalies. Additionally, the policy can be translated to the model used by the target access control element to prepare it for actual deployment. In particular, we show that every policy can be translated into one that uses the "First Matching Rule" resolution strategy. Our policy model and optimization procedure have been implemented in a tool that experimentally demonstrates its applicability to real-life cases.
This paper introduces an approach towards automatic enforcement of security policies in NFV networks and dynamic adaptation to network changes. The approach relies on a refinement model that allows the dynamic transformation of high-level security requirements into configuration settings for the Network Security Functions (NSFs), and optimization models that allow the optimal selection of the NSFs to use. These models are built on a formalization of the NSF capabilities, which serves to unequivocally describe what NSFs are able to do for security policy enforcement purposes. The approach proposed is the first step towards a security policy aware NFV management, orchestration, and resource allocation system-a paradigm shift for the management of virtualized networks-and it requires minor changes to the current NFV architecture. We prove that our approach is feasible, as it has been implemented by extending the OpenMANO framework and validated on several network scenarios. Furthermore, we prove with performance tests that policy refinement scales well enough to support current and future virtualized networks.
Code protections aim at blocking (or at least delaying) reverse engineering and tampering attacks to critical assets within programs. Knowing the way hackers understand protected code and perform attacks is important to achieve a stronger protection of the software assets, based on realistic assumptions about the hackers' behaviour. However, building such knowledge is difficult because hackers can hardly be involved in controlled experiments and empirical studies.The FP7 European project Aspire has given the authors of this paper the unique opportunity to have access to the professional penetration testers employed by the three industrial partners. In particular, we have been able to perform a qualitative analysis of three reports of professional penetration test performed on protected industrial code.Our qualitative analysis of the reports consists of open coding, carried out by 7 annotators and resulting in 459 annotations, followed by concept extraction and model inference. We identified the main activities: understanding, building attack, choosing and customizing tools, and working around or defeating protections. We built a model of how such activities take place. We used such models to identify a set of research directions for the creation of stronger code protections.2 https://aspire-fp7.eu
When critical assets or functionalities are included in a piece of software accessible to the end users, code protections are used to hinder or delay the extraction or manipulation of such critical assets. The process and strategy followed by hackers to understand and tamper with protected software might differ from program understanding for benign purposes. Knowledge of the actual hacker behaviours while performing real attack tasks can inform better ways to protect the software and can provide more realistic assumptions to the developers, evaluators, and users of software protections.
Network function virtualization (NFV) is a new networking paradigm that virtualizes single network functions. NFV introduces several advantages compared to classical approaches, such as the dynamic provisioning of functionality or the implementation of scalable and reliable services (e.g., adding a new instance to support demands). NFV also allows the deployment of security controls, like firewalls or VPN gateways, as virtualized network functions. However, currently there is not an automatic way to select the security functions to enable and to configure the selected ones according to a set of user's security requirements. This paper presents a first approach towards the integration of network and security policy management into the NFV framework. By adding to the NFV architecture a new software component, the Policy Manager, we provide NFV with an easy and effective way for users to specify their security requirements and a process that hides all the details of the correct deployment and configuration of security functions. To perform its tasks, the Policy Manager uses policy refinement techniques.
Application firewalls are increasingly used to inspect upper layer protocols (as HTTP) that are target or vehicle of several attacks and are not properly addressed by network firewalls. Like other security controls, application firewalls need to be carefully configured, as errors have a significant impact on service security and availability. However, currently no technique is available to analyse their configuration for correctness and consistency. This paper extends a previous model for analysis of packet filters to the policy anomaly analysis in application firewalls. Both rule pair and multi-rule anomalies are detected, hence reducing the likelihood of conflicting and suboptimal configurations. The expressiveness of this model has been successfully tested against the features of Squid, a popular web caching proxy offering various access control capabilities. The tool implementing this model has been tested on various scenarios and exhibits good performance.
The current device-centric protection model against security threats has serious limitations. On the one hand, the proliferation of user terminals such as smart-phones, tablets, notebooks, smart TVs, game consoles and desktop computers makes it extremely difficult to achieve the same level of protection regardless of the device used. On the other hand, when various users share devices (e.g., parents and kids using the same devices at home), the set up of distinct security profiles, policies, and protection rules for the different users of a terminal is far from trivial. In light of this, this paper advocates for a paradigm shift in user protection. In our model, the protection is decoupled from the users' terminals, and it is provided by the access network through a Trusted Virtual Domain (TVD). Each TVD provides unified and homogeneous security for a single user, irrespective of the terminal employed. We describe a user-centric model, where non-technically savvy users can define their own profiles and protection rules in an intuitive way. We show that our model can harness from the virtualization power offered by nextgeneration access networks, especially, from Network Functions Virtualization (NFV) in the Points of Presence (POPs) at the edge of Telecom operators. We also analyze the distinctive features of our model, and the challenges faced based on the experience gained in the development of a proof-of-concept.
This paper presents a classification of the anomalies that can appear when designing or implementing communication protection policies. Together with the already known intra- and inter-policy anomaly types, we introduce a novel category, the inter-technology anomalies, related to security controls implementing different technologies, both within the same network node and among different network nodes. Through an empirical assessment, we prove the practical significance of detecting this new anomaly class. Furthermore, this paper introduces a formal model, based on first-order logic rules that analyses the network topology and the security controls at each node to identify the detected anomalies and suggest the strategies to resolve them. This formal model has manageable computational complexity and its implementation has shown excellent performance and good scalability.Comment: Published on IEEE/ACM Transactions on Networkin
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.