Efficient Security Policy Management Using Suspicious Rules Through Access Log Analysis

  • Conference paper
Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 11704)

Abstract

Logs record the events and actions performed within an organization’s systems and networks. Usually, log data should conform to the security policy in use. However, access logs may show unauthorized accesses, which may be due to security breaches such as intrusions, or to conflicting rules in security policies. Because of the huge amount of log data generated every day, which is expected to grow over time, analyzing access logs becomes a hard task that requires enormous computational resources. In this paper, we propose a method that analyses an access log and uses the obtained results to determine whether an Attribute-Based Access Control (ABAC) security policy contains conflicting rules. This access-log-based approach yields an efficient conflict detection method, since conflicts are searched for among suspicious rules instead of among all the rules of the policy. The suspicious rules are identified by analyzing the access log. To improve efficiency further, the access log is decomposed into clusters which are analyzed separately. Furthermore, cluster representatives make the proposed approach scalable to the continuous access log case. The scalability is confirmed by experimental results, and our approach effectively identifies conflicts with an average recall of 95.65%.
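The abstract describes the idea only at a high level; the paper's exact definitions of "suspicious rule", "conflict" and its clustering method are not on this page. The following Python script is an added illustration, not the authors' code, and it assumes a simplified model: an ABAC rule constrains some attributes to sets of values and carries a permit or deny effect; two rules conflict when they overlap (some request satisfies both) and have different effects; a rule is suspicious when a logged request matches it together with a rule of the opposite effect; and the "clustering" step is reduced to grouping identical requests and keeping one representative per group. The policy, the log entries and the rule ids (R1 to R6) are all constructed for the example.

```python
from itertools import combinations

# --- Constructed ABAC policy (not from the paper) -------------------------
# A rule constrains some attributes to a set of values; an attribute the rule
# does not mention may take any value. Effects are "permit" or "deny".
RULES = [
    {"id": "R1", "effect": "permit",
     "cond": {"role": {"doctor"}, "resource": {"record"}, "action": {"read"}}},
    {"id": "R2", "effect": "deny",
     "cond": {"dept": {"oncology"}, "resource": {"record"}, "action": {"read"}}},
    {"id": "R3", "effect": "deny",
     "cond": {"role": {"nurse"}, "resource": {"record"}, "action": {"write"}}},
    {"id": "R4", "effect": "permit",
     "cond": {"role": {"admin"}}},
    {"id": "R5", "effect": "permit",
     "cond": {"role": {"nurse"}, "resource": {"record"}, "action": {"read"}}},
    {"id": "R6", "effect": "deny",
     "cond": {"role": {"visitor"}}},
]

# --- Constructed access log -----------------------------------------------
# Each entry is the attribute set of one request plus the decision that the
# enforcement point actually recorded for it.
LOG = [
    {"role": "doctor", "dept": "oncology", "resource": "record", "action": "read", "decision": "deny"},
    {"role": "doctor", "dept": "oncology", "resource": "record", "action": "read", "decision": "deny"},
    {"role": "doctor", "dept": "cardiology", "resource": "record", "action": "read", "decision": "permit"},
    {"role": "nurse", "dept": "oncology", "resource": "record", "action": "read", "decision": "permit"},
    {"role": "nurse", "dept": "cardiology", "resource": "record", "action": "write", "decision": "deny"},
    {"role": "admin", "dept": "it", "resource": "config", "action": "write", "decision": "permit"},
    {"role": "visitor", "dept": "none", "resource": "record", "action": "read", "decision": "deny"},
]


def matches(rule, request):
    """A rule matches a request when every attribute the rule constrains is
    present in the request with one of the allowed values."""
    return all(request.get(attr) in allowed for attr, allowed in rule["cond"].items())


def representatives(log):
    """Group identical requests (decision excluded) and keep one entry per group.
    This is a stand-in for the paper's log clustering (assumption): it only
    removes exact repeats, which already shrinks a busy log considerably."""
    seen = {}
    for entry in log:
        key = tuple(sorted((k, v) for k, v in entry.items() if k != "decision"))
        seen.setdefault(key, entry)
    return list(seen.values())


def suspicious_rules(rules, log):
    """Rules that apply to some logged request together with a rule of the
    opposite effect (assumed definition). Only these are examined later."""
    suspicious = set()
    for entry in representatives(log):
        hits = [r for r in rules if matches(r, entry)]
        if len({r["effect"] for r in hits}) > 1:
            suspicious.update(r["id"] for r in hits)
    return suspicious


def overlap(r1, r2):
    """Two rules overlap when some request satisfies both: every attribute
    constrained by both must share a value; an attribute constrained by only
    one rule is unrestricted in the other."""
    common = r1["cond"].keys() & r2["cond"].keys()
    return all(r1["cond"][a] & r2["cond"][a] for a in common)


def conflicts(rules, candidate_ids=None):
    """Pairs of overlapping rules with different effects. Also returns the
    number of pairs examined so the two strategies can be compared."""
    pool = [r for r in rules if candidate_ids is None or r["id"] in candidate_ids]
    found, examined = [], 0
    for r1, r2 in combinations(pool, 2):
        examined += 1
        if r1["effect"] != r2["effect"] and overlap(r1, r2):
            found.append((r1["id"], r2["id"]))
    return sorted(found), examined


def compare(rules, log):
    """Run exhaustive and log-guided detection and report the recall of the
    guided variant against the exhaustive one."""
    full, full_examined = conflicts(rules)
    guided, guided_examined = conflicts(rules, suspicious_rules(rules, log))
    recall = len(guided) / len(full) if full else 1.0
    return {"exhaustive": full, "exhaustive_pairs": full_examined,
            "guided": guided, "guided_pairs": guided_examined, "recall": recall}


if __name__ == "__main__":
    for name, value in compare(RULES, LOG).items():
        print(f"{name}: {value}")
```

On this toy input the exhaustive check examines all 15 rule pairs and finds three conflicts, while the log-guided check examines only the three pairs among the suspicious rules R1, R2 and R5 and finds two of them. The missed pair (R2, R4) overlaps only for admins in the oncology department, a combination that never appears in the log, which is exactly why a log-driven method trades a little recall for a much smaller search space, as the 95.65% average recall in the abstract reflects.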

Author information

Corresponding author: Maryem Ait El Hadj.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Ait El Hadj, M., Khoumsi, A., Benkaouz, Y., Erradi, M. (2019). Efficient Security Policy Management Using Suspicious Rules Through Access Log Analysis. In: Atig, M., Schwarzmann, A. (eds) Networked Systems. NETYS 2019. Lecture Notes in Computer Science(), vol 11704. Springer, Cham. https://doi.org/10.1007/978-3-030-31277-0_16

  • DOI: https://doi.org/10.1007/978-3-030-31277-0_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-31276-3

  • Online ISBN: 978-3-030-31277-0

  • eBook Packages: Computer Science (R0)
