Faculté des Sciences appliquées

Automatic and on-the-fly Firewalls Configuration

Title : Automatic and on-the-fly Firewalls Configuration
Author : Rossetto, Vincent ULiège
Date of defense  : 24-Jun-2021/25-Jun-2021
Advisor(s) : Donnet, Benoît ULiège
Committee's member(s) : Mathy, Laurent ULiège
Leduc, Guy ULiège
Language : English
Number of pages : 114
Discipline(s) : Engineering, computing & technology > Computer science
Institution(s) : Université de Liège, Liège, Belgique
Degree: Master in computer science, with a specialised focus in "computer systems security"
Faculty: Master thesis of the Faculté des Sciences appliquées


Automation has the potential to improve reliability and efficiency wherever it takes root. However, firewalls are still configured manually, which is difficult and error-prone. As a firewall is essentially a program that determines whether incoming traffic is legitimate or malicious, firewall configuration, given a representative dataset of recorded traffic, can be treated as a classification problem, i.e. a supervised machine learning problem with a discrete output. The possibility of using a machine learning framework for automatic firewall configuration was studied. A training dataset, composed of both legitimate traffic and attacks, was generated and statistically described in terms of both packets and flows. Guided by these statistical observations, per-packet and per-flow features were defined, and the performance of classification algorithms using those features was evaluated. The benefits of feature pre-processing were also evaluated; it was found to be useful and even necessary in some cases. One limitation of classification algorithms is their lack of interpretability. Practical use of firewalls requires that they can be reconfigured when they make the wrong decision. Such classification errors cannot be avoided completely, even with a dataset containing enough examples. This requirement makes the direct use of opaque classifiers for automatic firewall configuration impossible. In conjunction with performance constraints, the most realistic solution consists in configuring classical rule-based firewalls. Rule extraction techniques from opaque classifiers are discussed. The decision tree algorithm was used to extract rules both directly from data and from models built using other classification algorithms. Both approaches yielded similar classification performance.
Finally, rules were extracted from decision trees and translated into a valid format to configure a firewall based on mmb (Modular MiddleBox) using a subset of the per-packet features.



Access Master_thesis.pdf
Size: 1.01 MB
Format: Adobe PDF
Access Summary.pdf
Size: 74.91 kB
Format: Adobe PDF


Access decisionTree.png
Description: Example of a decision tree for packet data
Size: 14.21 kB
Format: image/png
Access binaryDecisionTree.png
Description: Example of a binary decision tree
Size: 22.88 kB
Format: image/png
Access heatmap3.png
Description: Heatmap for the accuracy of the predictions of different classification algorithms
Size: 107.42 kB
Format: image/png


  • Rossetto, Vincent ULiège Université de Liège > Master sc. informatiques, à fin.


Committee's member(s)

  • Mathy, Laurent ULiège Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Systèmes informatiques répartis et sécurité
  • Leduc, Guy ULiège Université de Liège - ULiège > Dép. d'électric., électron. et informat. (Inst.Montefiore) > Réseaux informatiques
