Policy Mining : a Bottom-Up Approach Toward Network Security Management. (Techniques de rôle mining pour la gestion de politiques de sécurité : application à l'administration de la sécurité réseau)

Today’s corporations rely entirely on their information systems, usually connected to the Internet. Network access control, mainly ensured by firewalls, has become a paramount necessity. Yet, the management of manually configured firewall rules is complex, error prone, and costly for large networks. Using high abstract models such as the Role Based Access Control (RBAC) model has proved to be e cient in the definition and management of access control policies. Recent interest in role mining, which is the bottom-up approach for automatic RBAC configuration from the already deployed authorizations, has promoted further the development of this model. This thesis is devoted to a bottom-up approach for the management of network security policies from high abstraction level with low cost and high confidence. Thus we show that the Network Role Based Access Control (Net-RBAC) model is more adapted to the specification of network access control policies than the RBAC model. We propose policy mining, a bottom-up approach that extracts from the deployed rules on a firewall the corresponding policy modeled with Net-RBAC. We devise a generic algorithm based on matrix factorization, that could adapt most of the existing role mining techniques to extract instances of Net-RBAC. Furthermore, knowing that the large and medium networks are usually protected by more than one firewall, we aim to provide a complete automatic bottom-up framework for network policy mining. We handle the problem of integration of Net-RBAC policies resulting from policy mining over several firewalls. We demonstrate how to verify security properties related to the deployment consistency over the firewalls in the meantime. Besides, our comprehensive analysis of research axes around role mining, enables us to note that literature lacks a clear basis for appraising and leveraging the learning outcomes of role mining process. In this thesis, we provide assistance tools for administrators to analyze role mining and policy mining results as well. We formally define the problem of comparing sets of roles and evidence that the problem is NP-complete. Then, we devise an algorithm that maps the inherent relationship between the sets based on Boolean expressions, and projects roles from one set into the other set. This