Andy Walker

Nardine Basta, Firas Ben Hmida, Houssem Jmal et al.

In today's enterprise network landscape, the combination of perimeter and distributed firewall rules governs connectivity. To address challenges arising from increased traffic and diverse network architectures, organizations employ automated tools for firewall rule and access policy generation. Yet, effectively managing risks arising from dynamically generated policies, especially concerning critical asset exposure, remains a major challenge. This challenge is amplified by evolving network structures due to trends like remote users, bring-your-own devices, and cloud integration. This paper introduces a novel graph neural network model for identifying weighted shortest paths. The model aids in detecting network misconfigurations and high-risk connectivity paths that threaten critical assets, potentially exploited in zero-day attacks -- cyber-attacks exploiting undisclosed vulnerabilities. The proposed Pro-ZD framework adopts a proactive approach, automatically fine-tuning firewall rules and access policies to address high-risk connections and prevent unauthorized access. Experimental results highlight the robustness and transferability of Pro-ZD, achieving over 95% average accuracy in detecting high-risk connections. \

Mahmood Yousefi-Azar, Mohamed-Ali Kaafar, Andy Walker

Micro-segmentation is a network security technique that requires delivering services for each unique segment. To do so, the first stage is defining these unique segments (a.k.a security groups) and then initializing policy-driven security controls. In this paper, we propose an unsupervised learning technique that covers both the security grouping and policy creation. For the network asset grouping, we develop a distance-based machine learning algorithm using the dynamic behavior of the assets. That is, after observing the entire network logs, our unsupervised learning algorithm suggests partitioning network assets into the groups. A key point of this un-supervised technique is that the grouping is only generated during the training phase and remains valid during the testing phase. The outcome of the grouping stage is then fed into the rules (security policies) creation stage enabling to establish the security groups as the lowest granularity of firewall rules. We conducted both quantitative and qualitative experiments and demonstrate the good performance of our network micro-segmentation approach. We further developed a prototype to validate the run-time performance of our approach at scale in a real-world environment. The hyper-parameters of our approach provides users with a flexible model to be fine-tuned to adapt very easily with the enterprise's security governance.