PRESENTED BY. Keywords Firewall : Any barrier that is intended to thwart the spread of a destructive agent. Computer Definition : A system designed to.

Slides:

Advertisements

Similar presentations

ACHIEVING NETWORK LEVEL PRIVACY IN WIRELESS SENSOR NETWORKS.

Advertisements

A DISTRIBUTED CSMA ALGORITHM FOR THROUGHPUT AND UTILITY MAXIMIZATION IN WIRELESS NETWORKS.

Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.

Secure Data Storage in Cloud Computing Submitted by A.Senthil Kumar( ) C.Karthik( ) H.Sheik mohideen( ) S.Lakshmi rajan( )

First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun.

Managing Data Resources

Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.

Abstract Shortest distance query is a fundamental operation in large-scale networks. Many existing methods in the literature take a landmark embedding.

Intrusion Detection System Marmagna Desai [ 520 Presentation]

INTRUSION DETECTION SYSTEM

LÊ QU Ố C HUY ID: QLU OUTLINE  What is data mining ?  Major issues in data mining 2.

Detection and Resolution of Anomalies in Firewall Policy Rules

Toward a Statistical Framework for Source Anonymity in Sensor Networks.

Abstract Load balancing in the cloud computing environment has an important impact on the performance. Good load balancing makes cloud computing more.

WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

Ihr Logo Data Explorer - A data profiling tool. Your Logo Agenda  Introduction  Existing System  Limitations of Existing System  Proposed Solution.

Presented by Group 2: Presented by Group 2: Shan Gao ( ) Shan Gao ( ) Dayang Yu ( ) Dayang Yu ( ) Jiayu Zhou ( ) Jiayu Zhou.

Secure Encounter-based Mobile Social Networks: Requirements, Designs, and Tradeoffs.

Cross-Domain Privacy-Preserving Cooperative Firewall Optimization.

Layered Approach using Conditional Random Fields For Intrusion Detection.

Privacy-Preserving Public Auditing for Secure Cloud Storage

BestPeer++: A Peer-to-Peer Based Large-Scale Data Processing Platform.

Improving Network I/O Virtualization for Cloud Computing.

Privacy Preserving Data Sharing With Anonymous ID Assignment

m-Privacy for Collaborative Data Publishing

Protecting Sensitive Labels in Social Network Data Anonymization.

Identity-Based Secure Distributed Data Storage Schemes.

Accuracy-Constrained Privacy-Preserving Access Control Mechanism for Relational Data.

A System for Denial-of- Service Attack Detection Based on Multivariate Correlation Analysis.

Anomaly Detection via Online Over-Sampling Principal Component Analysis.

SECURITY POLICY ANALYZER FINAL MEETING Industrial Project (234313) Fall 2013 Supervisors: Yevgeny Fabrikant Students: Regev Brody, Yuval Adelstein COMPUTER.

Facilitating Document Annotation using Content and Querying Value.

Privacy Preserving Back- Propagation Neural Network Learning Made Practical with Cloud Computing.

Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.

Participatory Privacy: Enabling Privacy in Participatory Sensing

Presenting By CH . MADHURI(12QU1D5806) Under the supervision of

Supporting Privacy Protection in Personalized Web Search.

m-Privacy for Collaborative Data Publishing

A Scalable Two-Phase Top-Down Specialization Approach for Data Anonymization Using MapReduce on Cloud.

Multiparty Access Control for Online Social Networks : Model and Mechanisms.

Dynamic Control of Coding for Progressive Packet Arrivals in DTNs.

Privacy-Preserving and Content-Protecting Location Based Queries.

Mona: Secure Multi-Owner Data Sharing for Dynamic Groups in the Cloud.

ONLINE INTRUSION ALERT AGGREGATION WITH GENERATIVE DATA STREAM MODELING.

Facilitating Document Annotation Using Content and Querying Value.

Risk-Aware Mitigation for MANET Routing Attacks Submitted by Sk. Khajavali.

CAPTCHA AS GRAPHICAL PASSWORDS—A NEW SECURITY PRIMITIVE BASED ON HARD AI PROBLEMS ASHWINI B.

Online School Management System Supervisor Name: Ashraful Islam Juwel Lecturer of Asian University of Bangladesh Submitted By: Bikash Chandra SutrodhorID.

Fast Transmission to Remote Cooperative Groups: A New Key Management Paradigm.

INTRODUCTION About Project: About Project: Our project is based of the technology of cloud computing which is offering many pro’s to the world of computers.

Cooperative Caching in Wireless P2P Networks: Design, Implementation And Evaluation.

CAM: Cloud-Assisted Privacy Preserving Mobile Health Monitoring.

Secure and Practical Outsourcing of Linear Programming in Cloud Computing.

BY S.S.SUDHEER VARMA (13NT1D5816)

Management Information & Evaluation System

Under the Guidance of V.Rajashekhar M.Tech Assistant Professor

Under Guidance- Internal Guide- Ms. Shruti T.V

ITEC 3220A Using and Designing Database Systems

N-Tier Architecture.

An assessment framework for Intrusion Prevention System (IPS)

Hacker Detection in Wireless sensor network

ABSTRACT Recent work has shown that sink mobility along a constrained path can improve the energy efficiency in wireless sensor networks. Due to the.

ROBUST FACE NAME GRAPH MATCHING FOR MOVIE CHARACTER IDENTIFICATION

APARTMENT MAINTENANCE SYSTEM

Location Cloaking for Location Safety Protection of Ad Hoc Networks

Department Of Computer Science Engineering

Database System Architecture

An Introduction to Software Architecture

Protection Mechanisms in Security Management

Presentation transcript:

PRESENTED BY

Keywords Firewall : Any barrier that is intended to thwart the spread of a destructive agent. Computer Definition : A system designed to prevent unauthorized access to or from a private network Anomaly : Something that deviates from what is standard Policy : A proposed or adopted course or principle of action.

ABSTRACT Firewalls are the most widely deployed security mechanism to ensure the security of private networks in most businesses and institutions. The effectiveness of security protection provided by a firewall mainly depends on the quality of policy configured in the firewall. Unfortunately, designing and managing firewall policies are often error prone due to the complex nature of firewall configurations as well as the lack of systematic analysis mechanisms and tools.

ABSTRACT (Conti.) In this paper, we represent an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions. We also discuss a proof-of-concept implementation of a visualization-based firewall policy analysis tool called Firewall Anomaly Management Environment (FAME).

EXISTING SYSTEM Existing policy analysis tools, such as Firewall Policy Advisor and FIREMAN, with the goal of detecting policy anomalies have been introduced. Firewall Policy Advisor only has the capability of detecting pair wise anomalies in firewall rules. FIREMAN can detect anomalies among multiple rules by analyzing the relationships between one rule and the collections of packet spaces derived from all preceding rules.

DISADVANTAGES OF EXISTING SYSTEM FIREMAN also has limitations in detecting anomalies. For each firewall rule, FIREMAN only examines all preceding rules but ignores all subsequent rules when performing anomaly analysis. In addition, each analysis result from FIREMAN can only show that there is a misconfiguration between one rule and its preceding rules, but cannot accurately indicate all rules involved in an anomaly.

PROPOSED SYSTEM We represent a novel anomaly management framework for firewalls based on a rule-based segmentation technique to facilitate not only more accurate anomaly detection but also effective anomaly resolution.

Conti. Based on this technique, a network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each segment associated with a unique set of firewall rules accurately indicates an overlap relation (either conflicting or redundant) among those rules.

ADVANTAGES OF PROPOSED SYSTEM Efficient in detection of anomalies. Conflicts can be resolved by using our FAME tool. The proposed system resolves conflicts in each conflict correlation group independently.

H/W System Configuration:- Processor- Pentium –III RAM- 256 MB(min) Hard Disk- 20 GB Key Board- Standard Windows Keyboard Mouse- Two or Three Button Mouse Monitor- SVGA

S/W System Configuration:- Operating System: Windows 2000/XP / 7 Language : Java Technology : Swings, AWT, Socket Programming Database : Mysql

Firewall Policy

Firewall Policies Shadowing : In the above figure, R4 is shadowed by R3 Generalization : In the above figure R5 is a generalization of R4 Correlation : R2 correlates with R5 Redundancy : R1 is redundant with respect to R2

MODULES: Correlation of Packet Space Segment Action Constraint Generation Rule Reordering Data Package

Correlation of Packet Space Segment: The major benefit of generating correlation groups for the anomaly analysis is that anomalies can be examined within each group independently, because all correlation groups are independent of each other. Especially, the searching space for reordering conflicting rules in conflict resolution can be significantly lessened and the efficiency of resolving conflicts can be greatly improved.

Action Constraint Generation: Once a firewall policy are discovered and conflict correlation groups are identified, the risk assessment for conflicts is performed. A basic idea of automated strategy selection is that a risk level of a conflicting segment is used to directly determine the expected action taken for the network packets in the conflicting segment. If the risk level is very high, the expected action should deny packets considering the protection of network perimeters

Action Const conti… Deny-overrides: This strategy indicates that “deny” rules take precedence over “allow” rules. In general, a system administrator may directly take this strategy to harden his network if the risk level of a conflict is very high. Allow-overrides: This strategy states that “allow”rules take precedence over “deny” rules. A system administrator may apply this strategy to resolve a conflict, which has a lower risk level.

Action Const conti… High Majority Overrides First-match-overrides. This strategy states that the first matched rule takes precedence over others. This strategy can be directly converted to the existing firewall implementation. High-authority-overrides. This strategy states that a rule defined by an administrator with a higher authority level takes precedence.

Rule Reordering: The solution for conflict resolution is that all action constraints for conflicting segments can be satisfied by reordering conflicting rules. If we can find conflicting rules in order that satisfies all action constraints, this order must be the optimal solution for the conflict resolution.

Data Package: When conflicts in a policy are resolved, the risk value of the resolved policy should be reduced and the availability of protected network should be improved comparing with the situation prior to conflict resolution based on the threshold value data will be accept / reject by the server.

System Design

Use Case Diagram

Class Diagram

Activity Diagram

Sequence Diagram

FUTURE WORK Our future work includes usability studies to evaluate functionalities and system requirements of our policy visualization approach with subject matter experts. Also, we would like to extend our anomaly analysis approach to handle distributed firewalls.

REFERENCES [1] E. Al-Shaer and H. Hamed, “Discovery of Policy Anomalies in Distributed Firewalls,” IEEE INFOCOM ’04, vol. 4, pp , [2] A. Wool, “Trends in Firewall Configuration Errors: Measurin the Holes in Swiss Cheese,” IEEE Internet Computing, vol. 14, no. 4, pp , July/Aug [3] J. Alfaro, N. Boulahia-Cuppens, and F. Cuppens, “Complete Analysis of Configuration Rules to Guarantee Reliable Network Security Policies,” Int’l J. Information Security, vol. 7, no. 2, pp , [4] F. Baboescu and G. Varghese, “Fast and Scalable Conflict Detection for Packet Classifiers,” Computer Networks, vol. 42, no. 6, pp , [5] L. Yuan, H. Chen, J. Mai, C. Chuah, Z. Su, P. Mohapatra, and C. Davis, “Fireman: A Toolkit for Firewall Modeling and Analysis,” Proc. IEEE Symp. Security and Privacy, p. 15, 2006.

Thank You