Automatic and on-the-fly Firewalls Configuration
Rossetto, Vincent
Supervisor(s):
Donnet, Benoît
Defense date: 24-jui-2021/25-jui-2021 • Permanent URL: http://hdl.handle.net/2268.2/11610
Details
| Title: | Automatic and on-the-fly Firewalls Configuration |
| Author: | Rossetto, Vincent |
| Defense date: | 24-jui-2021/25-jui-2021 |
| Supervisor(s): | Donnet, Benoît |
| Jury member(s): | Mathy, Laurent; Leduc, Guy |
| Language: | English |
| Number of pages: | 114 |
| Discipline(s): | Engineering, computing & technology > Computer science |
| Additional URL: | https://github.com/vinci-r/TFE |
| Institution(s): | Université de Liège, Liège, Belgium |
| Degree: | Master in computer science, with a specialized focus in "computer systems security" |
| Faculty: | Master's theses of the Faculty of Applied Sciences |
Abstract
Automation has the potential to improve reliability and efficiency wherever it takes root. However, firewalls are still configured manually, which is difficult and error prone. As a firewall is essentially a program that determines whether incoming traffic is legitimate or malicious, firewall configuration, given a representative dataset of recorded traffic, can be treated as a classification problem, i.e. a discrete output supervised machine learning problem. The possibility of using a machine learning framework for automatic firewall configuration was studied. A training dataset, composed both of legitimate traffic and attacks, was generated and statistically described both in terms of packets and flows. With the guidance of the statistical observations, per-packet and per-flow features were defined, and the performance of classification algorithms using those features was evaluated. The benefits of a potential feature pre-processing were evaluated. It was found to be useful and even necessary in some cases. A limitation was found in the use of classification algorithms in the form of their lack of interpretability. Practical use of firewalls requires that they can be reconfigured in the case where they make the wrong decision. Such classification errors cannot be avoided completely even with a dataset containing enough examples. This necessity makes the direct use of opaque classifiers for automatic firewall configuration impossible. In conjunction with performance constraints, the most realistic solution consists in configuring classical rule-based firewalls. Rule extraction techniques from opaque classifiers are discussed. The decision tree algorithm was used both to extract rules directly from data and from models built using other classification algorithms. Both approaches yielded a similar classification performance.
Finally, rules were extracted from decision trees and translated into a valid format to configure a firewall based on mmb (Modular MiddleBox) using a subset of the per-packet features.
File(s)
Document(s)
Appendix(es)
decisionTree.png
Description: Example of a decision tree for packet data
Size: 14.21 kB
Format: image/png
binaryDecisionTree.png
Description: Example of a binary decision tree
Size: 22.88 kB
Format: image/png
heatmap3.png
Description: Heatmap for the accuracy of the predictions of different classification algorithms
Size: 107.42 kB
Format: image/png
The Université de Liège does not guarantee the scientific quality of these student works or the accuracy of all the information they contain.