Automatic and on-the-fly Firewalls Configuration
Rossetto, Vincent
Promotor(s) : Donnet, Benoît
Date of defense : 24-Jun-2021/25-Jun-2021 • Permalink : http://hdl.handle.net/2268.2/11610
Details
| Title : | Automatic and on-the-fly Firewalls Configuration |
| Author : | Rossetto, Vincent |
| Date of defense : | 24-Jun-2021/25-Jun-2021 |
| Advisor(s) : | Donnet, Benoît |
| Committee's member(s) : | Mathy, Laurent; Leduc, Guy |
| Language : | English |
| Number of pages : | 114 |
| Discipline(s) : | Engineering, computing & technology > Computer science |
| Complementary URL : | https://github.com/vinci-r/TFE |
| Institution(s) : | Université de Liège, Liège, Belgique |
| Degree: | Master en sciences informatiques, à finalité spécialisée en "computer systems security" |
| Faculty: | Master thesis of the Faculté des Sciences appliquées |
Abstract
[en] Automation has the potential to improve reliability and efficiency wherever it takes root. However, firewalls are still configured manually, which is difficult and error-prone. As a firewall is essentially a program that determines whether incoming traffic is legitimate or malicious, firewall configuration, given a representative dataset of recorded traffic, can be treated as a classification problem, i.e. a discrete output supervised machine learning problem. The possibility of using a machine learning framework for automatic firewall configuration was studied. A training dataset, composed both of legitimate traffic and attacks, was generated and statistically described both in terms of packets and flows. With the guidance of the statistical observations, per-packet and per-flow features were defined, and the performance of classification algorithms using those features was evaluated. The benefits of a potential feature pre-processing were evaluated. It was found to be useful and even necessary in some cases. A limitation was found in the use of classification algorithms in the form of their lack of interpretability. Practical use of firewalls requires that they can be reconfigured in the case where they make the wrong decision. Such classification errors cannot be avoided completely even with a dataset containing enough examples. This necessity makes the direct use of opaque classifiers for automatic firewall configuration impossible. In conjunction with performance constraints, the most realistic solution consists in configuring classical rule-based firewalls. Rule extraction techniques from opaque classifiers are discussed. The decision tree algorithm was used both to extract rules directly from data and from models built using other classification algorithms. Both approaches yielded a similar classification performance.
Finally, rules were extracted from decision trees and translated into a valid format to configure a firewall based on mmb (Modular MiddleBox) using a subset of the per-packet features.
File(s)
Document(s)
Annexe(s)
decisionTree.png
Description: Example of a decision tree for packet data
Size: 14.21 kB
Format: image/png
binaryDecisionTree.png
Description: Example of a binary decision tree
Size: 22.88 kB
Format: image/png
heatmap3.png
Description: Heatmap for the accuracy of the predictions of different classification algorithms
Size: 107.42 kB
Format: image/png
The University of Liège does not guarantee the scientific quality of these students' works or the accuracy of all the information they contain.
