Learning to Customize Network Security Rules

Security is a major concern for organizations who wish to leverage cloud computing. In order to reduce security vulnerabilities, public cloud providers o‚er €rewall functionalities. When properly con€gured, a €rewall protects cloud networks from cyber-aŠacks. However, proper €rewall con€guration requires intimate knowledge of the protected system, high expertise and on-going maintenance. As a result, many organizations do not use €rewalls e‚ectively, leaving their cloud resources vulnerable. In this paper, we present a novel supervised learning method, and prototype, which compute recommendations for €rewall rules. Recommendations are based on sampled network trac meta-data (NetFlow) collected from a public cloud provider. Labels are extracted from €rewall con€gurations deemed to be authored by experts. NetFlow is collected from network routers, avoiding expensive collection from cloud VMs, as well as relieving privacy concerns. Œe proposed method captures network routines and dependencies between resources and €rewall con€guration. Œe method predicts IPs to be allowed by the €rewall. A grouping algorithm is subsequently used to generate a manageable number of IP ranges. Each range is a parameter for a €rewall rule. We present results of experiments on real data, showing ROC AUC of 0.92, compared to 0.58 for an unsupervised baseline. Œe results prove the hypothesis that €rewall rules can be automatically generated based on router data, and that an automated method can be e‚ective in blocking a high percentage of malicious trac.