Title

運用關聯規則及改變探勘技術於防火牆政策規則優化 (Applying Association Rule and Change Mining Techniques to Firewall Policy Rule Optimization)

Parallel title (English)

Applying Association Rule and Change Mining Techniques for Firewall Policy Optimization

Authors

胡雅涵 (Ya-Han Hu); 翁政雄 (Cheng-Hsiung Weng); 楊亞澄 (Ya-Cheng Yang)

Keywords

firewall policy; firewall log; data mining; association rule; change mining

Journal

資訊管理學報 (Journal of Information Management)

Volume/issue (publication date)

Vol. 23, No. 3 (2016/07/01)

Pages

277-304

Language

Traditional Chinese

Abstract (Chinese, translated)

Firewalls are the most common network protection facility in enterprises. As the network environment changes, firewall policy rules must be updated continuously to keep the firewall operating properly. How to mine meaningful rules from firewall log records, to screen out rules of different pattern types in step with changes in those records, and then to adjust the firewall policy rules accordingly is a topic worth studying. This study integrates association rule mining and change mining techniques and proposes the Change-Based Association Rule Mining (CBARM) method. First, meaningful rules are mined from the firewall log records; change mining is then applied to identify three types of association rules: emerging patterns, added patterns and perished patterns. Finally, the association rules of the different pattern types are applied to adjust the firewall policy rules and thereby improve firewall efficiency. The experimental results show that the performance gain of CBARM (the reduction in the number of packet comparisons) relative to the Apriori method is approximately 95.19% to 582.19%, and about 212.10% on average.

Abstract (English)

Purpose: A firewall is the network security system most frequently used by enterprises. Because of changes in the dynamic network environment, firewall policy rules must be constantly updated to maintain efficient firewall operation. Thus, the aim of this study is to optimize firewall policy rules and improve firewall efficiency by using association rules discovered in firewall logs.

Design/methodology/approach: This paper proposes change-based association rule mining (CBARM), which integrates association rule mining and change mining techniques, to discover meaningful firewall policy rules in firewall logs. Specifically, CBARM first determines pertinent association rules by using firewall logs from different time periods. Subsequently, the change mining technique is used to identify emerging, added, and perished patterns. Finally, the three types of patterns can be utilized to optimize the firewall policy rules and enhance firewall efficiency. The firewall logs were collected from a technology company in Central Taiwan. The total number of rules matched in the firewall was used as a performance measure.

Findings: The experimental results revealed that the proposed CBARM outperformed the Apriori approach, reducing the number of network packets compared with firewall policy rules by approximately 95.19% to 582.19%. On average, the performance of the proposed CBARM was 212.10% more effective than that of the Apriori approach.

Research limitations/implications: This study investigated the firewall logs from one company only. Evaluating the logs from other companies is critical for confirming validity. In addition, future studies can integrate other data mining and machine learning techniques to refine the performance of the proposed method.

Practical implications: Two practical implications are provided. First, the association rule mining technique is shown to derive useful firewall policy rules from firewall logs. Second, using the change mining technique can facilitate evaluating the generated rules and applying such rules to optimize firewall policy rules.

Originality/value: This study is the first to extend association rule mining and change mining techniques to the domain of firewall log analysis, creating a new approach to optimizing firewall policy rules.
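The pipeline the abstract describes, as an added toy illustration that is not the paper's CBARM implementation and does not use the company's log data: a minimal Apriori over constructed log lines from two time periods, a change-mining step that labels each frequent pattern as emerging, added or perished, and a first-match policy reordered by current pattern support, with the number of rule comparisons as the performance measure (the same kind of measure the paper reports). The log format, the support and growth thresholds, the policy rules and the "pairwise disjoint rules only" safety check are all assumptions made here.

```python
"""Toy change-based association rule mining over firewall logs (added example).

Not the paper's CBARM code: it mines frequent patterns from two constructed log
periods with a minimal Apriori, classifies the change between periods as
emerging / added / perished patterns, and reorders a first-match policy so that
the most-hit rules come first. Thresholds, log format and rules are assumptions.
"""
from collections import Counter
from itertools import combinations

# Constructed log lines (not the data set used in the paper):
# "<src_net> <dst_port> <proto> <action>", one line per logged packet.
PERIOD_1 = (["10.0.1.0/24 80 tcp allow"] * 10 + ["10.0.1.0/24 22 tcp allow"] * 6
            + ["10.0.1.0/24 443 tcp allow"] * 4)
PERIOD_2 = (["10.0.1.0/24 80 tcp allow"] * 8 + ["10.0.1.0/24 443 tcp allow"] * 9
            + ["10.0.2.0/24 53 udp allow"] * 3)

# Hypothetical first-match policy; each rule is a set of field=value conditions.
POLICY = [frozenset({"port=22", "proto=tcp"}), frozenset({"port=80", "proto=tcp"}),
          frozenset({"port=443", "proto=tcp"}), frozenset({"port=53", "proto=udp"})]


def parse(lines):
    """Turn each log line into an itemset of field=value items."""
    out = []
    for line in lines:
        src, port, proto, action = line.split()
        out.append(frozenset({f"src={src}", f"port={port}", f"proto={proto}", f"action={action}"}))
    return out


def apriori(records, min_support):
    """Return {itemset: support} for every itemset whose support >= min_support."""
    n = len(records)
    counts = Counter(item for rec in records for item in rec)
    frequent = {frozenset([i]): c / n for i, c in counts.items() if c / n >= min_support}
    result, k = dict(frequent), 1
    while frequent:
        items = sorted({i for s in frequent for i in s})
        # Apriori pruning: keep a (k+1)-candidate only if all its k-subsets are frequent
        cands = [frozenset(c) for c in combinations(items, k + 1)
                 if all(frozenset(s) in frequent for s in combinations(c, k))]
        counts = Counter(c for rec in records for c in cands if c <= rec)
        frequent = {c: v / n for c, v in counts.items() if v / n >= min_support}
        result.update(frequent)
        k += 1
    return result


def classify_changes(old, new, growth=2.0):
    """Emerging: support grew by >= growth; added: new only; perished: old only."""
    added = {p for p in new if p not in old}
    perished = {p for p in old if p not in new}
    emerging = {p for p in new if p in old and new[p] / old[p] >= growth}
    return emerging, added, perished


def disjoint(r1, r2):
    """Two rules cannot match the same packet if they fix some field differently."""
    f1 = dict(i.split("=", 1) for i in r1)
    f2 = dict(i.split("=", 1) for i in r2)
    return any(f1[k] != f2[k] for k in f1.keys() & f2.keys())


def reorder(policy, patterns):
    """Sort rules by current support; only safe when rules are pairwise disjoint."""
    for a, b in combinations(policy, 2):
        if not disjoint(a, b):
            raise ValueError("overlapping rules: reordering would change first-match semantics")
    return sorted(policy, key=lambda r: patterns.get(r, 0.0), reverse=True)


def comparisons(policy, records):
    """Rule comparisons a first-match engine performs over the records."""
    total = 0
    for rec in records:
        for rule in policy:
            total += 1
            if rule <= rec:
                break
    return total


def run_example(min_support=0.15):
    old, new = parse(PERIOD_1), parse(PERIOD_2)
    p_old, p_new = apriori(old, min_support), apriori(new, min_support)
    emerging, added, perished = classify_changes(p_old, p_new)
    tuned = reorder(POLICY, p_new)
    return {"emerging": emerging, "added": added, "perished": perished, "policy": tuned,
            "before": comparisons(POLICY, new), "after": comparisons(tuned, new)}


if __name__ == "__main__":
    res = run_example()
    for kind in ("emerging", "added", "perished"):
        print(kind, sorted(sorted(p) for p in res[kind]))
    print("comparisons before/after:", res["before"], res["after"])
```

On the constructed periods, port 443 traffic more than doubles (emerging), port 22 disappears (perished) and UDP 53 appears (added), and moving the 443 rule to the front cuts the comparison count from 55 to 34. The `disjoint` guard matters in practice: reordering a first-match policy is only semantics-preserving for rules that can never match the same packet, so overlapping or shadowed rules need the dependency analysis of the policy-anomaly literature before their relative order is changed.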

Subject classification

Basic and Applied Sciences > Information Science; Social Sciences > Management
References

1. 李瑞庭、楊富丞、李偉誠 (2012). Mining closed multi-dimensional interval patterns. 資訊管理學報 (Journal of Information Management), 19(1), 161-184.
2. 翁政雄 (2011). Mining highly correlated association rules from purchase intention data. 資訊管理學報, 18(4), 119-138.
3. 黃仁鵬、藍國誠 (2007). EFI: an efficient algorithm for mining association rules. 資訊管理學報, 14(2), 139-167.
4. 鄭麗珍、李麗美 (2014). Mining emerging patterns in imbalanced data sets: an empirical study on national freeway accident data. 資訊管理學報, 21(2), 161-183.
5. 龔旭陽、林美賢、林靖祐、賴威光 (2010). Design of an efficient association mining method for important rare data. 資訊管理學報, 17(1), 133-155.
6. CSI (2011). Computer Crime and Security Survey 2011. Available at http://www.ncxgroup.com/wp-content/uploads/2012/02/CSIsurvey2010.pdf (accessed 7 December 2013).
7. Agrawal, R., Imieliński, T., Swami, A. (1993). Mining association rules between sets of items in large databases. ACM SIGMOD Record, 22(2), 207-216.
8. Agrawal, R., Srikant, R. (1994). Fast algorithms for mining association rules. Proceedings of the 20th International Conference on Very Large Data Bases (VLDB'94), Santiago, Chile.
9. Ahn, K.I. (2012). Effective product assignment based on association rule mining in retail. Expert Systems with Applications, 39(16), 12551-12556.
10. Al Abdulmohsin, I.M. (2009). Techniques and algorithms for access control list optimization. Computers & Electrical Engineering, 35(4), 556-566.
11. Al-Shaer, E.S., Hamed, H.H. (2004). Discovery of policy anomalies in distributed firewalls. Proceedings of the Twenty-third Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2004), Hong Kong, China.
12. Al-Shaer, E.S., Hamed, H.H. (2003). Firewall policy advisor for anomaly discovery and rule editing. Proceedings of the IFIP/IEEE Eighth International Symposium on Integrated Network Management (IM 2003), Colorado Springs, USA.
13. Bailey, J., Manoukian, T., Ramamohanarao, K. (2003). A fast algorithm for computing hypergraph transversals and its application in mining emerging patterns. Proceedings of the Third IEEE International Conference on Data Mining (ICDM 03), Melbourne, Florida, USA.
14. Böttcher, M., Spott, M., Nauck, D., Kruse, R. (2009). Mining changing customer segments in dynamic markets. Expert Systems with Applications, 36(1), 155-164.
15. Casado, M., Garfinkel, T., Akella, A., Freedman, M.J., Boneh, D., McKeown, N., Shenker, S. (2006). SANE: a protection architecture for enterprise networks. Proceedings of the 15th USENIX Security Symposium, Vancouver, B.C., Canada.
16. Ceci, M., Appice, A., Caruso, C., Malerba, D. (2008). Discovering emerging patterns for anomaly detection in network connection data. Proceedings of the 17th International Symposium on Methodologies for Intelligent Systems (ISMIS 2008), Toronto, Canada.
17. Chang, R.I., Chang, K.W. (2009). C-SWF incremental mining algorithm for firewall policy management. Journal of Information, Technology and Society, 9, 45-62.
18. Chang, R.I., Lai, L.B., Su, W.D., Wang, J.C., Kouh, J.S. (2007). Intrusion detection by backpropagation neural networks with sample-query and attribute-query. International Journal of Computational Intelligence Research, 3(1), 6-10.
19. Chen, M.C., Chiu, A.L., Chang, H.H. (2005). Mining changes in customer behavior in retail marketing. Expert Systems with Applications, 28(4), 773-781.
20. Dam, H.K., Ghose, A. (2015). Mining version histories for change impact analysis in business process model repositories. Computers in Industry, 67, 72-85.
21. Dong, G., Li, J. (1999). Efficient mining of emerging patterns: discovering trends and differences. Proceedings of the Fifth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Diego, CA, USA.
22. El-Atawy, A., Samak, T., Wali, Z., Al-Shaer, E. (2007). An automated framework for validating firewall policy enforcement. Proceedings of the Eighth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY 2007), Bologna, Italy.
23. Feng, W., Zhang, Q., Hu, G., Huang, J.X. (2014). Mining network data for intrusion detection through combining SVMs with ant colony networks. Future Generation Computer Systems, 37, 127-140.
24. Ganti, V., Gehrke, J., Ramakrishnan, R. (1999). CACTUS: clustering categorical data using summaries. Proceedings of the Fifth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Diego, CA, USA.
25. Golnabi, K., Min, R.K., Khan, L., Al-Shaer, E. (2006). Analysis of firewall policy rules using data mining techniques. Proceedings of the 10th IEEE/IFIP Network Operations and Management Symposium (NOMS 2006), Vancouver, Canada.
26. Hamed, H., Al-Shaer, E. (2006). Dynamic rule-ordering optimization for high-speed firewall filtering. Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS'06), Taipei, Taiwan.
27. Hamed, H., Al-Shaer, E. (2006). On autonomic optimization of firewall policy organization. Journal of High Speed Networks, 15(3), 209-227.
28. Hamed, H., El-Atawy, A., Al-Shaer, E. (2006). On dynamic optimization of packet matching in high-speed firewalls. IEEE Journal on Selected Areas in Communications, 24(10), 1817-1830.
29. Hanguang, L., Yu, N. (2012). Intrusion detection technology research based on Apriori algorithm. Physics Procedia, 24, 1615-1620.
30. Hossain, S.M.S., Rahman, S.M., Kabir, M.F. (2012). Network proxy log mining: association rule based security and performance enhancement for proxy server. Computer Science and Engineering, 49, 9852-9857.
31. Hu, H., Ahn, G.J., Kulkarni, K. (2012). Detecting and resolving firewall policy anomalies. IEEE Transactions on Dependable and Secure Computing, 9(3), 318-331.
32. Huang, T.C.K. (2012). Mining the change of customer behavior in fuzzy time-interval sequential patterns. Applied Soft Computing, 12(3), 1068-1086.
33. Huang, Z., Gan, C., Lu, X., Huan, H. (2013). Mining the changes of medical behaviors for clinical pathways. Studies in Health Technology and Informatics, 192, 117-121.
34. Jeffrey, A., Samak, T. (2009). Model checking firewall policy configurations. Proceedings of the IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY 2009), London, UK.
35. Kamsu-Foguem, B., Rigal, F., Mauget, F. (2013). Mining association rules for the quality improvement of the production process. Expert Systems with Applications, 40(4), 1034-1045.
36. Katic, T., Pale, P. (2007). Optimization of firewall rules. Proceedings of the 29th International Conference on Information Technology Interfaces (ITI 2007), Cavtat/Dubrovnik, Croatia.
37. Kim, J.K., Song, H.S., Kim, H.K. (2005). Detecting the change of customer behavior based on decision tree analysis. Expert Systems, 22(4), 193-205.
38. Lee, W., Stolfo, S.J. (1998). Data mining approaches for intrusion detection. Proceedings of the 7th USENIX Security Symposium, San Antonio, Texas, USA.
39. Li, C., Reichert, M., Wombacher, A. (2011). Mining business process variants: challenges, scenarios, algorithms. Data & Knowledge Engineering, 70(5), 409-434.
40. Li, G., Law, R., Vu, H.Q., Rong, J., Zhao, X.R. (2015). Identifying emerging hotel preferences using emerging pattern mining technique. Tourism Management, 46, 311-321.
41. Li, J., Wong, L. (2002). Identifying good diagnostic gene groups from gene expression profiles using the concept of emerging patterns. Bioinformatics, 18(5), 725-734.
42. Liu, A.X., Torng, E., Meiners, C.R. (2008). Firewall compressor: an algorithm for minimizing firewall policies. Proceedings of the 27th Conference on Computer Communications (INFOCOM 2008), Phoenix, AZ, USA.
43. Lubna, K., Cyiac, R., Karun, K. (2013). Firewall log analysis and dynamic rule re-ordering in firewall policy anomaly management framework. Proceedings of the International Conference on Green Computing, Communication and Conservation of Energy (ICGCE 2013), Chennai, India.
44. Masud, M.M., Mustafa, U., Trabelsi, Z. (2014). A data driven firewall for faster packet filtering. Proceedings of the International Conference on Communications and Networking (COMNET 2014), Hammamet, Tunisia.
45. Mohammad, M.N., Sulaiman, N., Muhsin, O.A. (2011). A novel intrusion detection system by using intelligent data mining in Weka environment. Procedia Computer Science, 3, 1237-1242.
46. Mustafa, U., Masud, M.M., Trabelsi, Z., Wood, T., Al Harthi, Z. (2013). Firewall performance optimization using data mining techniques. Proceedings of the 9th International Wireless Communications and Mobile Computing Conference (IWCMC 2013), Cagliari, Sardinia, Italy.
47. Park, J.H., Lee, H.G., Park, J.H. (2010). Real-time diagnosis system using incremental emerging pattern mining. Proceedings of the 5th International Conference on Ubiquitous Information Technologies and Applications (CUTE 2010), Sanya, Hainan, China.
48. Rao, C.S., Rama, B.R., Mani, K.N. (2011). Firewall policy management through sliding window filtering method using data mining techniques. International Journal of Computer Science & Engineering Survey, 2(2), 39-55.
49. Saboori, E., Parsazad, S., Sanatkhani, Y. (2010). Automatic firewall rules generator for anomaly detection systems with Apriori algorithm. Proceedings of the 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE 2010), Chengdu, China.
50. Salah, K., Elbadawi, K., Boutaba, R. (2012). Performance modeling and analysis of network firewalls. IEEE Transactions on Network and Service Management, 9(1), 12-21.
51. Sherhod, R., Gillet, V.J., Judson, P.N., Vessey, J.D. (2012). Automating knowledge discovery for toxicity prediction using jumping emerging pattern mining. Journal of Chemical Information and Modeling, 52(11), 3074-3087.
52. Shie, B.E., Yu, P.S., Tseng, V.S. (2013). Mining interesting user behavior patterns in mobile commerce environments. Applied Intelligence, 38(3), 418-435.
53. Shih, M.J., Liu, D.R., Hsu, M.L. (2010). Discovering competitive intelligence by mining changes in patent trends. Expert Systems with Applications, 37(4), 2882-2890.
54. Song, H.S., Kim, J.K., Kim, S.H. (2001). Mining the change of customer behavior in an internet shopping mall. Expert Systems with Applications, 21(3), 157-168.
55. Sreelaja, N.K., Pai, G.A. (2010). Ant colony optimization based approach for efficient packet filtering in firewall. Applied Soft Computing, 10(4), 1222-1236.
56. Tsai, C.Y., Shieh, Y.C. (2009). A change detection method for sequential patterns. Decision Support Systems, 46(2), 501-511.
57. US-GAO (2013). Cybersecurity: national strategy, roles, and responsibilities need to be better defined and more effectively implemented.
58. Vaarandi, R. (2013). Detecting anomalous network traffic in organizational private networks. Proceedings of the IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA 2013), San Diego, CA, USA.
59. Wang, G., Zhao, Y., Zhao, X., Wang, B., Qiao, B. (2010). Efficiently mining local conserved clusters from gene expression data. Neurocomputing, 73(7-9), 1425-1437.
60. Winding, R., Wright, T., Chapple, M. (2006). System anomaly detection: mining firewall logs. Proceedings of Securecomm and Workshops, Baltimore, MD, USA.
61. Wu, R.C., Chen, R.S., Chen, C.C. (2005). Data mining application in customer relationship management of credit card business. Proceedings of the 29th Annual International Computer Software and Applications Conference (COMPSAC 2005), Edinburgh, UK.
62. Yuan, L., Chen, H., Mai, J., Chuah, C.N., Su, Z., Mohapatra, P. (2006). FIREMAN: a toolkit for firewall modeling and analysis. Proceedings of the IEEE Symposium on Security and Privacy (S&P'06), Oakland, CA, USA.
63. Zwicky, E.D., Cooper, S., Chapman, D.B. (2000). Building Internet Firewalls. O'Reilly Media, Inc.
Cited by

1. 魏慧美、郭隆興、林子堯 (2023). A preliminary study of big-data association rules in teachers' in-service training courses: the case of 2017 nationwide junior high school Chinese language teachers. 測驗學刊 (Psychological Testing), 70(3), 221-248.