International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 A Framework for Security Components Anomalies Severity Evaluation and Classification Kamel Karoui1 , Fakher Ben Ftima2 and Henda Ben Ghezala3 1 RIADI, ENSI, University of Manouba, Manouba, Tunisia kamel.karoui@insat.rnu.tn 2 RIADI, ENSI, University of Manouba, Manouba, Tunisia fakher.benftima@infcom.rnu.tn 3 RIADI, ENSI, University of Manouba, Manouba, Tunisia Henda.bg@cck.rnu.tn ABSTRACT Security components such as firewalls, IDS and IPS, are the most widely adopted security devices for network protection. These components are often implemented with several errors (or anomalies) that are sometimes critical. To ensure the security of their networks, administrators should detect these anomalies and correct them. Before correcting the detected anomalies, the administrator should evaluate and classify these latter to determine the best strategy to correct them. In this work, we propose a framework to assess and classify the detected anomalies using a three evaluation criteria: a quantitative evaluation, a semantic evaluation and multi-anomalies evaluation. The proposed process, convenient in an audit process, will be detailed by a case study to demonstrate its usefulness. KEYWORDS Anomaly severity evaluation, anomaly severity classification, semantic evaluation, quantitative evaluation, multi-anomalies evaluation. 1. INTRODUCTION Rules in a security component can be misconfigured, which implies many conflicts. A misconfiguration or a conflict between rules means that the security component, may either: - accept some malicious packets, which consequently create security holes. -discard some legitimate packets, which consequently disrupt normal traffic. Both cases could cause irreparable consequences. Unfortunately, it has been observed that most security components are implemented with anomalies. Depending on the nature of the anomaly, it can be critical, less critical or benign. Considering the impact of these anomalies on the network security, such errors cannot be tolerated [2]. There are several researches that have proposed for anomalies detection and correction but rare those who are interested in the anomalies severity and their impact on network security. The evaluation and classification of anomalies severity provide the administrator with: -many correction scenarios -a classification of rules to be corrected according to their criticality -an overview of the security component vulnerabilities DOI : 10.5121/ijnsa.2013.5405 67 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 In this paper, we propose firstly an evaluation metrics of the anomalies severity based on the following criteria: -a quantitative criterion: to get an idea of the number of rules involved in the anomaly. -a semantic criterion: to assess the impact of the misconfiguration on the services provided (HTTP,FTP,..) -a multi-anomalies criterion: to study the impact of the composition of many anomalies together. By combining the three metrics together, we can measure the impact of each anomaly on the security component rule base. For this, we will classify these anomalies severity importance according to their nature, namely; shadowing anomaly, generalization anomaly, redundancy anomaly and correlation anomaly. This classification will determine rules that cause the security component vulnerability. The remaining parts of the paper are organized as follows: section 1 introduces related works in security component anomalies detection and correction. Section 2 schematizes the proposed approach model. Sections 3 to 5 detail the proposed process steps and section 6 concludes the paper. 2. RELATED WORKS As presented in the introduction, a lot of research has been proposed for the security components analysis, misconfigurations’ detection and correction. Most research focuses on the firewalls network policy; in [10], [7] and [6] the authors propose a model for firewalls properties analysis and anomalies detection. Also, the authors of [5] and [4] suggest another model to detect firewalls misconfigurations in central and distributed architectures. In [1], the authors analyze firewall rules using an expert system whereas the authors of [8] analyze firewalls with relational algebra. In [3], the authors put forward a model for IPsec and VPN verification. However, these security components (homogenous or heterogeneous) may conflict when they are installed together on a network. In this context, [2] propose a solution for firewalls and IDS misconfigurations detection. In reviewing these few references, we note that there is no works that assessed the severity of anomalies before correcting them. The study of the severity can give the administrator more information about the vulnerability of the component. In addition, the classification step exploits this information by illustrating the impact of these errors on the network security by a set of diagrams. In this work, we will develop these two concepts; we begin by detailing our proposed approach in the following section, we will 3. THE PROPOSED APPROACH In order to evaluate and classify the security component anomalies severity, we propose an approach composed of several steps schematized in figure 1. In the case study, we will apply our approach to firewalls. However, the approach should apply for all security components based on filtering attributes. Below, we will briefly present these steps: -Step A: Security component anomalies detection Usually, most security components’ base rule contains some misconfigurations. This step consists in checking the security component’ base rule to detect anomalies. For the firewall, we enumerate 68 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 four kinds of anomalies, namely; shadowing anomaly, generalization anomaly, redundancy anomaly and correlation anomaly. We will not detail this section because it is not the purpose of the paper. For more details, refer to [9]. In the next step, we will evaluate the severity of the detected anomalies (See step A in figure 1). - Step B: The security component anomalies' severity importance evaluation The detected anomalies in step A will be classified into several sub-sets: - Shadowing anomalies sub-set: contains rules that are shadowed by other rules in the base rule. -Generalization anomalies sub-set: contains rules that are generalized by other rules in the base rule. -Redundancy anomalies sub-set: contains rules that are redundant to other rules in the base rule. -Correlation anomalies sub-set: contains rules that are correlated to other rules in the base rule. These sub-sets will allow us to evaluate each anomaly severity importance using a three metrics; a quantitative metric, a semantic metric and multi-anomalies metric (See step B in figure 1). - Step C: Anomalies severity importance classification The defined metrics in step B, will be exploited together in order to classify the anomalies severity. We will classify the severity importance according to the shadowing level degree, the generalization level degree, the redundancy level degree and the correlation level degree. (See step C in figure 1). -Step D: Security component anomalies correction This step consists in correcting the detected anomalies in step B. The correction strategy depends on the classification results returned in step C. We will not detail this section because it is not the purpose of the paper (see step D in figure 1). In the process presented in figure 1, the gray colored part (steps A and D) is the part already made in several research works. The blue-colored part (steps B and C) is the part that we propose and detail in the following sections. 69 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 Figure 1. The proposed approach 4. FORMAL SECURITY COMPONENT’S BASE RULE VERIFICATION (STEP A) Generally, security components are specified by a set of formal rules which can be filtering or alerting ones. A rule defines a decision (such as "deny", "alert", "accept", or "pass") that applies over a set of condition attributes (such as, "source address", "destination address", "source port", "destination port", "protocol", "attack class", etc. ). Let's take a security component composed of a set Q of t rules (ri  Q with 1  i  t). A rule ri in the set Q is represented formally as follows: ri: ri[A1] ri[A2]…. ri[An] where -A1, A2… An-1 are the rule ri attributes’. For example, in table 1, the attribute A 2=Protocol. -ri[Am] is the attribute Am value with (1 ≤ m ≤ n) . For example, in table 1, r3[A2]=TCP. - An is the attribute “Decision”. For example, in table 1, A7 is the decision attribute and r3[A7]=deny. For more details about rules formalization, refer to [4]. 70 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 An anomaly in a security component base rule can be the result of the following cases [5]: -The existence of two or more rules that may match the same packet. -The existence of a rule that can never be activated. We note that a rule ri is activated if there is an IP packet that was accepted or rejected by applying the rule ri. There are four different anomalies that may exist among rules in a security component base rule, namely: -Shadowing anomaly: a rule rj is shadowed by a previous rule ri when ri matches all the packets that match rj and the two rules have different decisions, such that the shadowed rule rj will never be activated (see example in section 4.1). -The generalization anomaly: The generalization anomaly is the reverse of the shadowing anomaly i.e. in a base rule Q, a rule rj is a generalization of a preceding rule ri if, on the one hand, the rule rj can match all the packets that match the rule ri and , on the other hand, the two rules have different decisions (see example in section 4.1). -The redundancy anomaly: In a base rule Q, a rule rj is redundant to a rule ri if rj performs the same decision on the same packets as ri . In the way, if the redundant rule rj is removed, the safety of the security component will not be affected (see example in section 4.1). - The correlation anomaly: In a base rule Q, the rule rj is correlated to ri if, on the one hand, the first rule ri matches some packets that match the second rule rj , and the second rule rj matches some packets that match the first rule ri and, on the other hand, the two rules have different decisions (see example in section 4.1). For more details about the security component anomalies, refer to [5]. 4.1 Case study Let’s take a security component Fw, composed of a base rule Q. Each rule ri belonging to Q has the following attributes: “Packet length”, “Protocol”, “Source address”, “Destination address”, “Source port”, “Destination port” and “Decision”. Table 1. The security component Fw base rule By analyzing the security component Fw, we note that there some anomalies detailed as follows: -For the shadowing anomaly, we note that r2 is shadowed by r1. More precisely: 71 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 (r2 [A1 ] = r1 [A1 ]) ∧ (r2 [A2 ] = r1 [A2 ]) ∧ ( r2 [A3 ] ⊂ r1 [A3 ]) ∧ (r2 [A4 ] = r1 [A4 ]) ∧ (r2 [A5 ] ⊂ r1 [A5 ]) ∧ (r2 [A6 ] ⊂ r1 [A6 ]) ∧ (r2 [A7 ] ≠ r1 [A7 ]) Also, in the same table, we note that (r4 and r6 are shadowed by r1), ( r5 and r7 are shadowed by r2), ( r6 is shadowed by r3) , (r5 and r7 are shadowed by r4) and (r6 is shadowed by r5). -For the generalization anomaly, we note that r2 is generalized by r3. More precisely: (r2 [ A1 ] = r3 [ A1 ]) ∧ (r2 [A2 ] = r3 [A2 ]) ∧ (r2 [A3 ] ⊂ r3 [A3 ]) ∧ (r2 [A4 ] = r3 [A4 ]) ∧ (r2 [ A5 ] ⊂ r3 [ A5 ]) ∧ (r2 [A6 ] ⊂ r3 [A6 ]) ∧ (r2 [A7 ] ≠ r3 [A7 ]) -For the redundancy anomaly, we note that r3 is redundant to r1. More precisely: (r3 [ A1 ] = r1 [ A1 ]) ∧ (r3 [ A2 ] = r1 [ A2 ]) ∧ (r3 [A3 ] ⊂ r1 [A3 ]) ∧ (r3 [A4 ] = r1 [A4 ]) ∧ (r3 [ A5 ] = r1 [ A5 ]) ∧ (r3 [ A6 ] = r1 [ A6 ]) ∧ (r3 [A7 ] = r1 [A7 ]) Also, in the same table, we note that (r5 and r7 are redundant to r1), (r5 and r7 are redundant to r3), (r6 is redundant to r2) and (r6 is redundant to r4). -For the correlation anomaly, we note that r4 is correlated to r3. More precisely: (r3 [ A1 ] ⊃ r4 [ A1 ]) ∧ (r3 [A2 ] = r4 [A2 ]) ∧ (r3 [A3 ] ⊂ r4 [A3 ]) ∧ (r3 [A4 ] = r4 [A4 ]) ∧ (r3 [ A5 ] ⊃ r4 [ A5 ]) ∧ (r3 [A6 ] ⊃ r4 [A6 ]) ∧ (r3 [A7 ] ≠ r4 [A7 ]) Also, in the same table, we note that (r7 is correlated to r6) and (r7 is correlated to r4). In the next section, we will first evaluate the severity importance of these anomalies in order to classify them. 5. THE SECURITY COMPONENT EVALUATION (STEP B) ANOMALIES SEVERITY IMPORTANCE After detecting the security component anomalies (see section 4), we will gather them in four subsets that we will define in the next sub-section. Then, we will evaluate their criticality degree by a set of metrics. 5.1 Anomalies sub-sets definition For each one of the anomalies' categories namely, "Shadowing", "Generalization", "Redundancy" and "Correlation", we associate respectively sub-sets S, G, R and C which contain rules belonging to that category. Let's take a security component composed of a set Q of t rules (ri  Q with 1  i  t). We define these sub-sets as follows: • The set of shadowing rules: S = ri ∈ Q ∃ rj ∈ Q ∀1 ≤ m ≤ (n - 1), rj [A m ] ⊆ r[A i m ] ∧ rj [ A n ] ≠ ri [ A n ] with 1 ≤ i < j ≤ t (1) { } We note that |S| is the sub-set S cardinality i.e. the number of shadowed rules. • The set of generalizing rules: G = {rj ∈ Q ∃ri ∈ Q ∀1 ≤ m ≤ (n - 1), r[A i m ] ⊆ rj [A m ] ∧ rj [ A n ] ≠ ri [ A n ] with 1 ≤ i < j ≤ t} (2) We note that |G| is the sub-set G cardinality i.e. the number of generalized rules. 72 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 • The set of redundant rules: { } R = ri ∈ Q ∃ rj ∈ Q ∀1 ≤ m ≤ (n - 1), rj [A m ] ⊆ r[A i m ] ∧ ri [ A n ] = rj [ A n ] with 1 ≤ i < j ≤ t ( 3) We note that |R| is the sub-set R cardinality i.e. the number of redundant rules. • The set of correlated rules: i m ] ⊂ rj [A m ]) ∨ (r[A i m ] ⊃ rj [A m ] ) ∨ (ri [A m ] = rj [A m ])  ri ∈ Q ∃rj ∈ Q ∀1 ≤ m ≤ (n - 1) , (r[A  ∧  (4) C =   ri [ A n ] ≠ rj [ A n ] with 1 ≤ i < j ≤ t We note that |C| is the sub-set C cardinality i.e. the number of correlated rules. Now, we will define new sub-sets allowing us to evaluate the anomalies’ impact of each rule belonging to the defined sub-sets (S, G, R and C) on the other rules, as follows: • For each element ri belonging to S, we define the set of shadowed rules: S ( ri ) = {rj ∈ Q ∀1 ≤ m ≤ (n - 1), rj [A m ] ⊆ r[i A m ] ∧ rj [ A n ] ≠ ri [ A n ] with 1 ≤ i < j ≤ t} (5) • For each element ri belonging to G, we define the set of generalized rules: G (ri ) = {rj ∈ Q ∀1 ≤ m ≤ (n - 1), r[i Am ] ⊆ rj[Am ] ∧ rj [ An ] ≠ ri [ An ] with 1 ≤ i < j ≤ t} (6) • For each element ri belonging to R, we define the set of redundant rules: R ( ri ) = {rj ∈ Q ∀1 ≤ m ≤ (n - 1), rj [A m ] ⊆ r[i A m ] ∧ ri [ A n ] = rj [ A n ] with 1 ≤ i < j ≤ t} (7) • For each element ri belonging to C, we define the set of correlated rules: m ] = rj[ A m ])  i m ] ⊂ rj [A m ]) ∨ (r[A i m ] ⊃ rj [A m ] ) ∨ (r[A i  rj ∈ Q ∀1 ≤ m ≤ (n - 1) , (r[A  ∧  (8) C ( ri ) =    ri [ A n ] ≠ rj [ A n ] with 1 ≤ i < j ≤ t  5.1.1 Case study Applying the four sub-sets (1),(2),(3) and (4) defined above, on the example in Table 1, we obtain the following results: • S={r1,r2, r3, r4, r5}. We can verify that rules in the sub-set S are rules that are shadowing other rules in the set Q. • G={r3}. We can verify that rules in the sub-set G are rules that are generalizing other rules in the set Q. • R={r1, r2, r3, r4 }. We can verify that rules in the sub-set R are rules that are redundant to other rules in the set Q. • C={r3, r4, r6 }. We can verify that rules in the sub-set C are rules that are correlating other rules in the set Q. Taking into account the defined sub-sets S, G, R and C, we will apply (5),(6),(7) and (8) on the example in Table 1.We obtain the following results: - Rules subjected to the shadowing anomaly (see Table 1) as are classified follows: S ( r1 ) = {r2 ,r4 ,r6 } We can verify that rules in the sub-set S(r1) are rules that are shadowed by r1 in the set Q. 73 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 S ( r2 ) = {r5 ,r7 } We can verify that rules in the sub-set S(r2) are rules that are shadowed by r2 in the set Q. S ( r3 ) = {r6 } We can verify that rules in the sub-set S(r3) are rules that are shadowed by r3 in the set Q. S ( r4 ) = {r5 ,r7 } We can verify that rules in the sub-set S(r4) are rules that are shadowed by r4 in the set Q. S ( r5 ) = {r6 } We can verify that rules in the sub-set S(r5) are rules that are shadowed by r5 in the set Q. -Rules subjected to the generalization anomaly (see Table 1) are classified as follows: G ( r3 ) = {r2 } We can verify that rules in the sub-set G(r3) are rules that are generalized by r3 in the set Q. -Rules subjected to the redundant anomaly (see Table 1) are classified as follows: R ( r1 ) = {r3 ,r5 ,r7 } We can verify that rules in the sub-set R(r1) are rules that are redundant to r1 in the set Q. R ( r3 ) = {r5 ,r7 } We can verify that rules in the sub-set R(r3) are rules that are redundant to r3 in the set Q. R ( r2 ) = {r6 } We can verify that rules in the sub-set R(r2) are rules that are redundant to r2 in the set Q. R ( r4 ) = {r6 } We can verify that rules in the sub-set R(r4) are rules that are redundant to r4 in the set Q. -Rules subjected to the correlation anomaly (see Table 1) are classified as follows: C ( r3 ) = {r4 } We can verify that rules in the sub-set C(r3) are rules that are correlated to r3 in the set Q. C ( r6 ) = {r7 } We can verify that rules in the sub-set C(r6) are rules that are correlated to r6 in the set Q. C ( r4 ) = {r7 } We can verify that rules in the sub-set C(r4) are rules that are correlated to r4 in the set Q. 5.2 Anomalies severity importance evaluation In this section, we will evaluate the anomalies severity regarding three criteria; namely quantitative, semantic and multi-anomalies. 5.2.1 Quantitative importance evaluation The quantitative evaluation is a metric based on the number of rules involved in the anomaly. The cardinality of the four sub-sets ( S , G , R and C ) can give us some indications of these anomalies importance. 74 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 For that, we associate a quantitative coefficients MS, MG, MR and MC to each element ri belonging respectively to the sub-set S, G, R and C. These coefficients express the quantitative importance of each type of error. They are defined as follows: S(r) G(r) R (r) C(r) i i i i MS (r) (9) ; MG (r) (10) ; MR (r) (11) and MC (r) (12) where t is the i = i = i = i = t −1 t −1 t −1 t −1 number of rules in the set Q. 5.2.2 Case study In our case study, the shadowing anomaly coefficient (9) is defined as follows: S(r1 ) 3 S(r ) 2 = = 0,333 ; MS (r2 ) = 2 = = 0,222 ; t −1 9 t −1 9 S(r4 ) 2 S(r5 ) 1 MS (r4 ) = = = 0,222 ; MS (r5 ) = = = 0,111 t −1 9 t −1 9 MS (r1 ) = MS (r3 ) = S(r3 ) 1 = = 0,111 ; t −1 9 MR (r3 ) = R (r3 ) 2 = = 0,222 ; t −1 9 The generalization anomaly coefficient (10) is defined as follows: G(r3 ) 1 MG (r3 ) = = = 0,111 t −1 9 The redundancy anomaly coefficient (11) is defined as follows: R (r1 ) 3 = = 0,333 ; t −1 9 R (r1 ) 1 MR (r4 ) = = = 0,111 t −1 9 MR (r1 ) = MR (r2 ) = R (r2 ) 1 = = 0,111 ; t −1 9 Finally, the correlation anomaly coefficient (12) is defined as follows: MC (r3 ) = C(r3 ) 1 C(r4 ) 1 C(r6 ) 1 = = 0,111 ; MC (r4 ) = = = 0,111 ; MC (r6 ) = = = 0,111 t −1 9 t −1 9 t −1 9 Taking into account the quantitative evaluation criterion, the shadowing anomaly coefficient MS(r1) is greater than the other shadowing anomaly coefficients seeing that r1 shadows more rules. Thus, the shadowing error is more important and will have higher priority in the correction process. Generally, correcting the most important shadowing rule decreases the number of shadowed rules. As long as, the redundancy anomaly coefficient MR(r1) is greater than the other redundancy anomaly coefficients seeing that r1 is redundant to more rules. Therefore, the redundancy error is also important and will have higher priority in the correction process. As defined below, the quantitative coefficient M is based on the number of rules of each sub-set. Although it gives us a first indicator of the anomalies severity importance, nevertheless, some reserves can be expressed: 75 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 • The indicators MR(ri) or MG(ri) can be very bad (approximate to 1) but not really critical seeing that this rule can be rarely activated. • In the same way, the indicators MS(ri) or MC(ri) can be very good (approximate to 0) but probably points out a serious problem if this rule is often activated. To remedy to the previous reserves, we propose a complementary metric called semantic evaluation. This metric takes into account the semantic of the services involved in the anomaly and gives us an overview of the rule vulnerability degree. 5.2.3 Semantic importance evaluation To propose such a metric, the administrator will order rules regarding one or more filtering attributes (except the attribute "Decision"). As an example, for an e-commerce website, the administrator will give importance to the port 8080. For an FTP server, it will give importance to the port 23 and 25. Let choose for example the attribute "destination port" which is, generally, the most important service among the others attributes. In this case, the administrator must classify services offered by the network according to the importance of "destination port" number. From this classification, we bind each rule to the service to which it is referred and associate an indicator relating to the importance of that service. Let's suppose that we have z services in the network and a rule ri using to a service classified kth by the administrator. We associate to ri the value: v(ri) = z-k+1 with 1 ≤ k ≤ t If the attribute value is “ANY”, this means that this attribute can take any services value provided by the network. For this, it is assigned by the value of the best classified service plus one. Based on v(ri) , we define semantic evaluation coefficients MS’, MG’, MR’ and MC’ for respectively the defined sub-sets S, G, R and C as follows : v(r) i M'S (r)i = (13) where ri belongs to the sub-set S Max(v(r)) i +1 v(r) i M'G (r) (14) where ri belongs to the sub-set G i = Max(v(r)) i +1 v(r) i M'R (r)i = (15) where ri belongs to the sub-set R Max(v(r)) i +1 v(r) i M'C (r)i = (16) where ri belongs to the sub-set C Max(v(r)) i +1 5.2.4 Case study Based on the defined metrics (13), (14), (15) and (16), we suppose that the administrator has classified the services offered by the attribute "Destination Port ". We notice that, in our case study, the filtering rules use four destination ports (see Table 1) that are; the HTTP port (80), the FTP port (21), the TELNET port (23) and the SMTP port (25) classified by importance as follows: 76 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 1. HTTP (this service will have the value 4-1+1=4) 2. SMTP (this service will have the value 4-2+1=3) 3. TELNET (this service will have the value 4-3+1=2) 4. FTP (this service will have the value 4-4+1=1) The service ANY, will have the value of the best classified service plus one. In our case, it will have the value 5. In our case, the associated values to each rule representing a given service are the following: v (r2 ) = v (r4 ) = v (r5 ) = v (r6 ) = v (r7 ) = 4 since r2 , r4 , r5 , r6 and r7 are related to the HTTP port. v (r9 ) = 2 since r9 is related to the TELNET port. v (r8 ) = 3 since r8 is related to the SMTP port. v (r10 ) = 1 since r10 is related to the FTP port. v (r1 ) = v (r3 ) = 5 r1 and r3 are related to any port. The four metrics sub-sets MS’, MG’, MR’ and MC’ are calculated as follows: 5 4 = 0,83 ; MS '(r2 ) = MR '(r2 ) = = 0,66 ; 6 6 5 4 MS '(r3 ) = MG '(r3 ) = MR '(r3 ) = MC '(r3 ) = = 0,83 ; MS '(r4 ) = MR '(r4 ) = MC '(r4 ) = = 0,66 ; 6 6 4 4 MS '(r5 ) = = 0,66 ; MC '(r6 ) = = 0,66 6 6 MS '(r1 ) = MR '(r1 ) = Taking into account the semantic evaluation criterion, we note that: • Each rule with the destination port value “ANY” gains importance. • There are rules involved in several errors. For example, rule r3 has an impact on all anomalies categories. In the next section, we will consider this criterion because it increases the errors severity. 5.2.5 Multi-anomalies importance evaluation Sometimes, a rule is involved in several anomalies. We are talking about “multi-anomalies” categories. In the case of firewall anomalies, there are simple errors category, double errors category, triple errors category and quadruple errors category. For example, as presented in the sub-section 5.2.4, r3 is involved in the shadowing error category, the generalization error category, the correlation error category and the redundancy error category. Also, r2 is involved in the shadowing error category and the redundancy error category. These categories are detailed as follows: • Simple error category: The simple error category is defined as follows:  ri ∉ ( S ∩ R ) ∧ ri ∉ ( S ∩ G) ∧ ri ∉ ( S ∩ C )   SM = ri ∈ ( S ∨ R ∨ G ∨ C ) ∧    (17)  ∧ri ∉ (R ∩ G) ∧ ri ∉ (R ∩ C ) ∧ ri ∉ ( G ∩ C )    77 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 • Double errors category: The double error category is defined as follows: • Triple errors category: The triple error category is defined as follows:  ri ∈ ( S ∩ G) ∨ ( S ∩ R ) ∨ ( S ∩ C ) ∨ ( G ∩ R ) ∨ ( G ∩ C ) ∨ (R ∩ C )   DB =   (18) ∧ ri ∉ ( S ∩ G ∩ R ) ∧ ri ∉ ( S ∩ G ∩ C ) ∧ ri ∉ ( S ∩ R ∩ C ) ∧ ri ∉ ( C ∩ R ∩ G )   { } TR = ri ∈ ( S ∩ G ∩ R ) ∨ ( S ∩ G ∩ C ) ∨ ( S ∩ R ∩ C ) ∨ ( G ∩ R ∩ C )  ∧ ri ∉ ( S ∩ G ∩ R ∩ C ) (19) • Quadruplet errors category: The quadruplet error category is defined as follows: QD = {S ∩ G ∩ R ∩ C} (20) In order to show the impact of the multi-anomalies categories, the administrator will associate a weight to each category of error. In the case of firewalls, if a rule ri belongs to the SM category, it " " " will associate to it a coefficient M"S (r) i = MG (r) i = MC (r) i = MR (r) i = 0,25 . If a rule ri belongs to the " " " DB category, it will associate to it a coefficient M"S (r) i = MG (r) i = MR (r) i = MC (r) i = 0,5 . If a rule ri belongs to the TR category, it will associate to it a " " " " coefficient MS (r) i = MG (r) i = MR (r) i = MC (r) i = 0,75 and finally, if a rule ri belongs to the QD " " " category, it will associate to it a coefficient M"S (r) i = MG (r) i = MC (r) i = MR (r) i =1. 5.2.6 Case study Based on (1), (2), (3) and (4), rules involving anomalies are r1, r2 , r3 , r4 , r5 and r6. Applying (17), (18), (19) and (20), in our case study, we have: - r5 ∈ SM = {S} , it will have a coefficient M"S (r5 ) = 0,25 - r6 ∈ SM = {C} , it will have a coefficient M"C (r6 ) = 0,25 - r1 ∈DB = {S ∩ R} , it will have a coefficient M"S (r1 ) = MR" (r1 ) = 0,5 - r2 ∈DB = {S ∩ R} , it will have a coefficient M"S (r2 ) = MR" (r2 ) = 0,5 - r4 ∈ TR = {S ∩ R ∩ C} , it will have a coefficient M"S (r4 ) = MR" (r4 ) = M"C (r4 ) = 0,75 - r3 ∈ QD = {S ∩ G ∩ R ∩ C} , it will have a coefficient M"S (r3 ) = M"G (r3 ) = M"C (r3 ) = MR" (r3 ) = 1 6. CLASSIFICATION OF THE ANOMALIES IMPORTANCE (STEP C) In section 5, we have proposed, for each rule, three metrics M, M' and M". Gathering these three metrics together give us an interesting measure MM'M" that we can incorporate either in an audit process or for assessing security component vulnerability. In this section, we will exploit this measure and classify the anomalies severity importance relatively to the shadowing anomaly importance. The purpose of this classification is to schematize the impact of the shadowing anomaly severity in a rule. Also, this classification will determine the vulnerable services and sources of attack rules. The exploitation of these results will allow the administrator to decide the order of rules correction and review the security of important services. For a significant evaluation, we propose a classification based on acceptable thresholds. In the next section, we will classify only the shadowing anomaly. The same study can 78 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 be made for other types of anomalies i.e. the generalization, the redundancy and the correlation anomalies. 6.1 The shadowing anomaly importance classification In this section, we suppose that the administrator has defined acceptable shadowing thresholds SMS , SMS' and SMS" for respectively MS , MS' and MS" metrics. According to MS , MS' and MS" values, we propose the following notations: • MS + if the value MS ≤ SMS and MS − if the value MS > SMS '+ • MS if the value MS' ≤ SMS' and MS' − if the value MS' > SMS' • MS" + if the value MS" ≤ SMS" and MS"− if the value MS" > SMS" In this way, we can classify the shadowing importance degree compared to the associated SM S , SMS' and SMS" values. The shadowing anomaly importance degree in a rule can belong to one of the eight following classes: MS +M'S +M"S + , MS −M'S +M"S + , MS +M'S −M"S + , MS +M'S +M"S − , MS −M'S +M"S − , MS −M'S −M"S + , MS +M'S −M"S − , MS −M'S −M"S − Figure 2, gives a classification of the eight shadowing anomaly importance classes in a rule from the worst one ( MS −M'S −M"S − ) to the best one ( MS +M'S +M"S + ). Figure 2. Classification of the shadowing anomaly importance classes The ideal is that the rule belongs to the class MS +M'S +M"S + i.e. the three metrics are lower than their respective thresholds SMS , SMS' and SMS" . A rule belonging to the class MS −M'S −M"S − is a critical ' rule since all its metrics are higher than their respective thresholds SMS , SMS and SMS" . In figure 2, we notice that the measure classes MS +M'S −M"S + and MS +M'S +M"S − (as far as MS −M'S +M"S − and MS −M'S −M"S + ) are classified with the same rank. From our point of view, the semantic measure MS' and the multi-anomalies measure MS" are equivalent considering that they have generally the same importance. However, the administrator can give more importance to one of these two metrics and thus change the classification. 79 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 6.1.1 Case study Based on the shadowing evaluation metrics defined above, we suppose that the administrator has fixed the thresholds values as follows: SMS = 0,2 ; SMS' = 0,7 and SMS" = 0,6 . If we take the shadowing rule r1 values: MS ( r1 ) = 0,333 ; MS' (r1 ) = 0,83 and MS" (r1 ) = 0,5 ( see sections 5.2.2, 5.2.4 and 5.2.6) , this latter belongs to the class MS −M'S −M"S + (see figure 3). This class is 5th according to the proposed classification in figure 2, which implies that the rule r1 is critical. Figure 3. The rule r1 shadowing anomaly importance representation To further specify the impact of the shadowing rule r1, we will illustrate its evaluations values relatively to the acceptable thresholds defined above in a three-dimensional benchmark composed of three axes: the axis Ms, the axis M’s and the axis M”s . In figure 4, the thresholds values defined above represent the vertexes of the green triangle. The shadowing r1 evaluation values MS (r1 ) , MS' (r1 ) and MS" (r1 ) represent the vertexes of the red triangle. Any red triangle included/coinciding in/to the green triangle indicates that its metrics values are acceptables. Exceeding any side of the triangle indicates that the corresponding measure is critical. Figure 4. The rule r1 shadowing anomaly evaluation metrics representation 80 International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.4, July 2013 In our case study, the vertexes of the red triangle represent the rule r1 evaluation values. We note that these latter exceed those of the green triangle on the side of axes M s and M’s. Based on results returned in sections 5.2.2 and 5.2.4, this is explained as follows: -From the side of the axis Ms, the quantitative measure Ms (r1) exceeds the threshold SMs, this is due to the large number of rules masked by r1. -From the side of the axis M’s, the semantic measure M’s(r1) exceeds the threshold S M’s. This is due to the value ANY in the “destination port” attribute, that accepts all incoming flow and therefore, this port can be easily attacked. 7. CONCLUSION In this paper, we evaluated the severity importance of anomalies with 3 manners; a quantitative evaluation, a semantic evaluation and a multi-anomalies evaluation. The quantitative evaluation showed us the number of rules involved in each type of anomaly. However, this first metric lack of semantic i.e. it does not display the impact of the anomaly on the security component base rules. As a complementary metric, we have defined the semantic metric. This metric allows us to determine the degree of vulnerability of each service involved in the anomaly. In addition, we noted that there are rules involved in more than one anomaly. Therefore, we proceeded to a "multi-anomalies" assessment to show the impact of anomalies combination on the rule. In addition, we exploited this information by classifying the impact of these errors on the network security by a set of diagrams. REFERENCES [1] [2] [3] [4] [5] [6] [7] [8] [9] P. Eronen, and J. Zitting, 2001. An Expert System for Analyzing Firewall Rules. Proceedings of 6th Nordic Workshop on Secure IT-Systems. J. Garcia-Alfaro, F.Cuppens, and N. Cuppens-Boulahia, Analysis of Policy Anomalies on Distributed Network Security Setups. Proceedings of the 11th European Symposium on research in computer security (ESORICS 2006), Hamburg, Germany. H. Hamed, E. Al-Shaer, and W. Marrero, Modeling and Verification of IPsec and VPN Security Policies. Proc. 13th IEEE Int’l Conf. Network Protocols (ICNP ’2005), pp. 259-278. E. Al-Shaer, H.Hamed, R. Boutaba, M. Hasan, Conflict classification and analysis of distributed firewall policies, IEEE Journal on Selected Areas in Communications (JSAC) 2005, pp. 2069–2084. E. Al-Shaer, and H. Hamed, Discovery of Policy Anomalies in Distributed Firewalls, Proc. IEEE INFOCOM ’2004, pp. 2605-2615. A.X. Liu, and M. Gouda, Complete Redundancy Detection in Firewalls, Proc. 19th Ann. IFIP Conf. Data and Applications Security (2005), pp. 196-209. M. Gouda, and A.X. Liu, A Model of Stateful Firewalls and Its Properties, Proc. IEEE Int’l Conf. Dependable Systems and Networks (DSN ’2005), pp. 320-327. SP. Pornavalai, and T. Chomsiri, Analyzing Firewall Policy with Relational Algebra and its Application. Australian Telecommunication Networks and Applications Conference (ATNAC 2004), Australia. F. Ben Ftima, K. Karoui and H. Ben Ghezala, A multi-agent framework for anomalies detection on distributed firewalls using data mining techniques. Springer Verlag “Data Mining and Multi-agent Integration", 2009. ISBN: 978-1-4419-0523-9, pp267-278.[10]A.X. Liu, Firewall Policy Verification and Troubleshooting, Proc. IEEE Int’l Conf. Comm. (ICC) 2008. 81