Distributed Firewall Anomaly Detection Through LTL Model Checking
1. Sylvain Hallé
Sylvain Hallé, Éric Lunaud Ngoupé, Roger Villemaire, Omar Cherkaoui
Université du Québec à Chicoutimi, CANADA
Université du Québec à Montréal, CANADA
Supported by: Fonds de recherche sur la nature et les technologies; CRSNG / NSERC
4. Sylvain Hallé
What's wrong with this filter?
Rule #   Interval   Decision
1        [0,5]      Accept
2        [2,3]      Deny
3        [3,9]      Accept
4        [2,9]      Accept
5        [3,3]      Deny
Rule 2's packets are already handled by Rule 1: it is shadowed.
Rules 2 and 3 apply a different decision to some packets: they are correlated.
All of Rule 5's packets are applied the same decision as Rule 2: it is redundant.
5. Sylvain Hallé
Previous results
E. Al-Shaer & H. H. Hamed. Discovery of Policy Anomalies in Distributed Firewalls. INFOCOM 2004.
For every pair of rules Rx, Ry ...
[Figure: Al-Shaer and Hamed's decision diagram. From "start", the proto, src and dst fields of Ry are compared one after the other with those of Rx (exact? subset? superset? correlated?), then actiony with actionx; the relations Ry ℜIM Rx, Rx ℜIM Ry and Rx ℜC Ry lead to one of the outcomes redundant, shadowed, general, correlated or none.]
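As an added example (not the slides' or the cited paper's code), the pairwise classification of the decision diagram above, restricted to the single interval field of the slide-4 filter: the intervals are taken from that slide's table, and the generalization and superset-redundancy cases follow Al-Shaer and Hamed's definitions.

```python
# Constructed copy of the slide-4 filter, one interval field per rule: (lo, hi, action).
FILTER = [(0, 5, "Accept"), (2, 3, "Deny"), (3, 9, "Accept"),
          (2, 9, "Accept"), (3, 3, "Deny")]

def relation(rx, ry):
    """Field relation of Ry to Rx, as asked by the diagram: disjoint, exact,
    subset (Ry ⊆ Rx), superset (Ry ⊇ Rx) or correlated (partial overlap)."""
    (xl, xh, _), (yl, yh, _) = rx, ry
    if yh < xl or xh < yl:
        return "disjoint"
    if (xl, xh) == (yl, yh):
        return "exact"
    if xl <= yl and yh <= xh:
        return "subset"
    if yl <= xl and xh <= yh:
        return "superset"
    return "correlated"

def classify(rules, x, y):
    """Anomaly of rule y with respect to the earlier rule x (1-based rule numbers)."""
    rx, ry = rules[x - 1], rules[y - 1]
    rel, same_action = relation(rx, ry), rx[2] == ry[2]
    if rel == "disjoint":
        return "none"
    if rel in ("exact", "subset"):        # all of Ry's packets are already handled by Rx
        return "redundant" if same_action else "shadowed"
    if rel == "superset":                 # Ry matches everything Rx matches, and more
        if not same_action:
            return "generalization"
        # Rx is redundant to Ry unless a rule between them overlaps Rx with another action
        for rz in rules[x:y - 1]:
            if relation(rz, rx) != "disjoint" and rz[2] != rx[2]:
                return "none"
        return "redundant"
    return "correlated" if not same_action else "none"   # partial overlap

def anomalies(rules):
    """Every anomalous pair (x, y, kind) with x before y: the diagram applied pairwise."""
    found = []
    for y in range(2, len(rules) + 1):
        for x in range(1, y):
            kind = classify(rules, x, y)
            if kind != "none":
                found.append((x, y, kind))
    return found
```

Besides the three anomalies the slide points out, the pairwise check also flags Rule 5 as shadowed by Rules 1, 3 and 4, Rule 4 as a generalization of Rule 2, and Rule 3 as redundant to Rule 4.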
6. Sylvain Hallé
Previous results
B. Khorchani, S. Hallé, R. Villemaire. Firewall anomaly detection with a model checker for visibility logic. IM 2012.
Relations between two rules A and B:
  A overlaps B:   A ⋂ B
  A occludes B:   A ⊆ B
  A obstructs B:  A ⊇ B
Temporal operators, for a relation *:
  ◇* φ : some rule r', following r and such that r' * r, satisfies φ
  ◻* φ : all rules r', following r and such that r' * r, satisfy φ
  ○* φ : the first rule r', following r and such that r' * r, satisfies φ
Anomalies as formulas (a: accept, d: deny):
  Correlation:  (a ∧ ◇⋂ d) ∨ (d ∧ ◇⋂ a)
  Shadowing:    ◇⊇⁻¹ TRUE
  Redundancy:   (a ∧ ◇⊇⁻¹ a) ∨ (d ∧ ◇⊇⁻¹ d)
8. Sylvain Hallé
All together now

Node 1
  Firewall rules            Routing table (I : Next hop)
  1 [5,8] : ⊥               [0,3] : #
  2 [0,1] : ⊤               [4,8] : Device 2
  3 [6,8] : ⊥               [9,9] : Device 3
  4 [2,5] : ⊤
  5 [9,9] : ⊤

Node 2
  Firewall rules            Routing table (I : Next hop)
  1 [5,6] : ⊤               [0,3] : Device 1
  2 [0,4] : ⊤               [4,8] : #
  3 [7,8] : ⊥               [9,9] : Device 1
  4 [9,9] : ⊤
  5 [3,5] : ⊤

Node 3
  Firewall rules            Routing table (I : Next hop)
  1 [5,8] : ⊤               [0,8] : Device 1
  2 [2,4] : ⊤               [9,9] : #
  3 [9,9] : ⊤
  4 [0,1] : ⊥
9. Sylvain Hallé
Rule 3.4 shadows Rule 1.2: a packet is accepted if it enters from Node 1, rejected if it enters from Node 3.
10. Sylvain Hallé
Rules 1.1 and 3.1 are spurious: a packet to 5 entering from Node 3 is routed to Node 1, where it is dropped.
11. Sylvain Hallé
Is Rule 1.5 redundant with respect to Rule 3.3?
12. Sylvain Hallé
Is Rule 1.5 redundant with respect to Rule 3.3?
Yes if Node 1 receives traffic only from Node 3...
13. Sylvain Hallé
Is Rule 1.5 redundant with respect to Rule 3.3?
Yes if Node 1 receives traffic only from Node 3...
No otherwise!
14. Sylvain Hallé
Is Rule 2.3 shadowed by Rule 3.1?
15. Sylvain Hallé
Is Rule 2.3 shadowed by Rule 3.1?
No, since no traffic ever flows from Node 3 to Node 2 (all traffic is dropped at Node 1).
16. Sylvain Hallé
Is Rule 2.5 redundant with respect to Rule 1.4?
17. Sylvain Hallé
Is Rule 2.5 redundant with respect to Rule 1.4?
No, since packets destined to 4-5 are never routed to Node 1.
18. Sylvain Hallé
Issues
The presence of an anomaly between rules R and R' depends on whether there is a possible path from R to R'...
...and also on the field ranges of each routing rule along that path!
19. Sylvain Hallé
How to detect an anomaly
① Keep track of an interval I of values and a decision D, called a frozen interval and a frozen decision.
In the beginning, set I to the full range of possible values, and D to "undefined" (written ?).
20. Sylvain Hallé
How to detect an anomaly
② Pick some ingress node as a starting point.
21. Sylvain Hallé
How to detect an anomaly
③ In every node visited, go through the firewall rules one by one, in order:
  1 [5,6] : ⊤
  2 [0,4] : ⊤
  3 [7,8] : ⊥
  4 [9,9] : ⊤
  5 [3,5] : ⊤
  ...
22. Sylvain Hallé
How to detect an anomaly
④ Once done scanning through the rules, pick one routing entry...
Intersect the freeze interval with the entry chosen, and move on to the destination node.
Example with the routing table
  I      Next hop
  [0,3]  #
  [4,8]  Device 2
  [9,9]  Device 3
and the entry [4,8] chosen: [0,10] ⋂ [4,8] = [4,8]
23. Sylvain Hallé
How to detect an anomaly
⑤ At some point in the walk (only once!), pick the current firewall rule.
Intersect the freeze interval with the rule chosen, and record the rule's decision in the freeze decision.
Example with rule 3 [7,8] : ⊥ chosen: [4,8] ⋂ [7,8] = [7,8], and the frozen decision goes from ? to ⊥
24. Sylvain Hallé
How to detect an anomaly
⑥ From this point on, compare the frozen interval/decision with the interval/decision of every firewall rule "visited".
Example: frozen [7,8] : ⊥ vs. rule 5 [5,9] : ⊤ gives a spuriousness anomaly
25. Sylvain Hallé
Solution #1
Repeat this process...
  for every start point,
  and every path,
  freezing every firewall rule in turn.
Σ_{k=1}^{n} k! non-cyclic paths between n nodes
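The walk of steps ① to ⑥, repeated for every start point, path and freezing choice as Solution #1 prescribes, as an added Python example that is not the authors' code: it runs on the three-node network of the earlier slides and checks, at every visited rule, the shadowing pattern of the LTL slide (ιL ≤ ρL ∧ ιR ≥ ρR ∧ ιD = ⊥ ∧ ρD = ⊤). It assumes an initial range of [0,10] and reads # as local delivery, and it adds one modelling assumption, labelled in the code: a visited rule covering the whole frozen interval decides those packets, so a ⊥ rule ends the walk and a ⊤ rule proceeds to routing.

```python
FULL_RANGE = (0, 10)   # initial frozen interval; slide 22 intersects [0,10] with [4,8]
# Constructed copy of the slides' three-node network. A rule is (lo, hi, decision) with
# True = ⊤ (accept) and False = ⊥ (deny); a routing entry is (lo, hi, next_hop), where
# None stands for "#": the packet is delivered here and the walk ends.
NETWORK = {
    1: ([(5, 8, False), (0, 1, True), (6, 8, False), (2, 5, True), (9, 9, True)],
        [(0, 3, None), (4, 8, 2), (9, 9, 3)]),
    2: ([(5, 6, True), (0, 4, True), (7, 8, False), (9, 9, True), (3, 5, True)],
        [(0, 3, 1), (4, 8, None), (9, 9, 1)]),
    3: ([(5, 8, True), (2, 4, True), (9, 9, True), (0, 1, False)],
        [(0, 8, 1), (9, 9, None)]),
}

def intersect(a, b):
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None
def covers(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]
def is_shadowed(frozen, frozen_dec, rule):
    """Shadowing pattern of the LTL slide: ιL ≤ ρL ∧ ιR ≥ ρR ∧ ιD = ⊥ ∧ ρD = ⊤."""
    return covers(frozen, rule[:2]) and frozen_dec is False and rule[2] is True

def walk(node, interval, frozen, visited=frozenset(), idx=0):
    """Yield ("shadowed", frozen_rule, visited_rule) over every non-cyclic walk from
    `node`; `frozen` is None until step ⑤, then (node, rule_no, decision). Assumption
    added here: a rule covering the whole frozen interval decides those packets."""
    rules, routing = NETWORK[node]
    if idx < len(rules):
        lo, hi, dec = rules[idx]
        if frozen is None:                                    # step ③
            narrowed = intersect(interval, (lo, hi))
            if narrowed is not None:                          # step ⑤: freeze here...
                yield from walk(node, narrowed, (node, idx + 1, dec), visited, idx + 1)
            yield from walk(node, interval, None, visited, idx + 1)  # ...or pass it by
            return
        if is_shadowed(interval, frozen[2], rules[idx]):      # step ⑥
            yield ("shadowed", frozen[:2], (node, idx + 1))
        if covers((lo, hi), interval):
            if dec is False:
                return                                        # dropped: walk ends
            idx = len(rules) - 1                              # accepted: go to routing
        yield from walk(node, interval, frozen, visited, idx + 1)
        return
    for lo, hi, nxt in routing:                               # step ④
        narrowed = intersect(interval, (lo, hi))
        if narrowed is not None and nxt is not None and nxt not in visited:
            yield from walk(nxt, narrowed, frozen, visited | {node})

def walk_anomalies(ingress):                                  # step ② and Solution #1
    return sorted(set(walk(ingress, FULL_RANGE, None)))
```

From Node 3 the walks report Rule 3.4 shadowing Rule 1.2 and never report Rule 2.3 as shadowed by Rule 3.1, since the packets frozen at Rule 3.1 are dropped at Node 1, as the earlier slides argue.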
26. Sylvain Hallé
Solution #2
For a given network, generate a Kripke structure whose traces are all the walks behaving as in steps ① to ⑥.
Send the problem to a model checker.
Express anomalies as temporal logic properties on these traces (reachability problem).
27. Sylvain Hallé
Variables in the Kripke structure
Each state of the Kripke structure is a unique assignment of values to 7 state variables:
  ιL, ιR : bounds of the frozen interval
  ιD     : frozen decision
  χ      : unique rule number
  ρL, ρR : bounds of the current firewall rule interval
  ρD     : current rule decision
(illustrated on the slide with the frozen decision ⊥ and the current rule 3 [7,8] : ⊥)
28. Sylvain Hallé
Transitions in the Kripke structure
Each transition between two states corresponds to one of the following actions.

Moving to the next rule in the current firewall (from rule 3 [7,8] : ⊥ to rule 4 [9,9] : ⊤):
  before: ιL = a, ιR = b, ιD = d, χ = 3, ρL = 7, ρR = 8, ρD = ⊥
  after:  ιL = a, ιR = b, ιD = d, χ = 3, ρL = 9, ρR = 9, ρD = ⊤
29. Sylvain Hallé
Transitions in the Kripke structure
Each transition between two states corresponds to one of the following actions.

Freezing the current firewall rule (rule 3 [7,8] : ⊥):
  before: ιL = a, ιR = b, ιD = ?, χ = 3, ρL = 7, ρR = 8, ρD = ⊥
  after:  ιL = max(a, 7), ιR = min(b, 8), ιD = ⊥, χ = 3, ρL = 7, ρR = 8, ρD = ⊥
30. Sylvain Hallé
Transitions in the Kripke structure
Each transition between two states corresponds to one of the following actions.

Select an applicable routing table entry ([4,8] : Device 2) and move to the destination (its first firewall rule, 1 [5,6] : ⊤):
  before: ιL = a, ιR = b, ιD = d, χ = 3, ρL = 7, ρR = 8, ρD = ⊥
  after:  ιL = max(a, 4), ιR = min(b, 8), ιD = d, χ = 1, ρL = 5, ρR = 6, ρD = ⊤
31. Sylvain Hallé
LTL properties
Anomalies become properties on traces expressed in Linear Temporal Logic (LTL).
Ex.: shadowing
G (ιL ≤ ρL ∧ ιR ≥ ρR ∧ ιD = ⊥ ∧ ρD = ⊤)