Policy mining: A bottom-up approach toward a model based firewall management

Safaà Hachana, Frédéric Cuppens, Nora Cuppens-Boulahia, Vijay Atluri, Stephane Morucci

Research output: Chapter in Book/Report/Conference proceedingConference contribution

4 Scopus citations


Todays enterprises rely entirely on their information systems, usually connected to the internet. Network access control, mainly ensured by firewalls, has become a paramount necessity. Still, the management of manually configured firewall rules is complex, error prone, and costly for large networks. The use of high abstract models such as role based access control RBAC has proved to be very efficient in the definition and management of access control policies. The recent interest in role mining which is the bottom-up approach for automatic RBAC configuration from the already deployed authorizations is likely to further promote the development of this model. Recently, an extension of RBAC adapted to the specificities of network access control, which we refer to as NS-RBAC model, has been proposed. However, no effort has been made to extend the bottom-up approach to configure this model. In this paper, we propose an extension of role mining techniques to facilitate the adoption of a model based framework in the management of network access control. We present policy mining, a bottom-up approach that extracts instances of the NS-RBAC model from the deployed rules on a firewall. We provide a generic algorithm that could adapt most of the existing role mining solutions to the NS-RBAC model. We illustrate the feasibility of our solution by experimentations on real and synthetic data.

Original languageEnglish (US)
Title of host publicationInformation Systems Security - 9th International Conference, ICISS 2013, Proceedings
Number of pages15
StatePublished - 2013
Event9th International Conference on Information Systems Security, ICISS 2013 - Kolkata, India
Duration: Dec 16 2013Dec 20 2013

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume8303 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Other9th International Conference on Information Systems Security, ICISS 2013

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)


  • Access Control
  • Firewall
  • IT Security
  • Network Security
  • RBAC
  • Role Mining


Dive into the research topics of 'Policy mining: A bottom-up approach toward a model based firewall management'. Together they form a unique fingerprint.

Cite this