Journal of Information Management (資訊管理學報)

Authors: 胡雅涵; 翁政雄; 楊亞澄
Pages: 277-304
Date: 2016/07
Abstract (translated from the Chinese): Firewall appliances are the most common network protection facility in enterprises. As the network environment changes, firewall policy rules must be updated continuously to keep the firewall operating properly. How to mine meaningful rules from firewall logs, select rules of different pattern types in step with changes in those logs, and then adjust the firewall policy rules accordingly is therefore a topic worth studying. This study integrates association rule mining and change mining techniques and proposes the Change-Based Association Rule Mining (CBARM) method. First, meaningful rules are mined from the firewall logs; change mining is then used to identify three types of association rules: emerging patterns, added patterns and perished patterns. Finally, the association rules of these different pattern types are applied to the adjustment of firewall policy rules in order to improve firewall efficiency. The experimental results show that the performance improvement of CBARM (a reduction in the number of packet comparisons) relative to the Apriori method is approximately 95.19% to 582.19%; on average, performance improves by about 212.10%.
Keywords: firewall policy; firewall log; data mining; association rule; change mining

Applying Association Rule and Change Mining Techniques for Firewall Policy Optimization


Abstract: Purpose - A firewall is the network security system most frequently deployed by enterprises. Because the network environment changes continually, firewall policy rules must be updated constantly to maintain efficient firewall operation. The aim of this study is therefore to optimize firewall policy rules and improve firewall efficiency by using association rules discovered in firewall logs. Design/methodology/approach - This paper proposes change-based association rule mining (CBARM), which integrates association rule mining and change mining techniques to discover meaningful firewall policy rules in firewall logs. Specifically, CBARM first derives the relevant association rules from firewall logs of different time periods. Change mining is then applied to identify emerging, added, and perished patterns among those rules. Finally, the three types of patterns are used to optimize the firewall policy rules and enhance firewall efficiency. The firewall logs were collected from a technology company in Central Taiwan, and the total number of rules matched in the firewall was used as the performance measure. Findings - The experimental results revealed that the proposed CBARM outperformed the Apriori approach, improving performance (fewer comparisons of network packets against firewall policy rules) by approximately 95.19% to 582.19%. On average, the proposed CBARM was 212.10% more effective than the Apriori approach. Research limitations/implications - This study investigated the firewall logs of a single company; evaluating logs from other companies is necessary to confirm validity. In addition, future studies can integrate other data mining and machine learning techniques to refine the performance of the proposed method. Practical implications - Two practical implications are provided. First, the association rule mining technique is shown to derive useful firewall policy rules from firewall logs. Second, the change mining technique facilitates evaluating the generated rules and applying them to optimize firewall policy rules. Originality/value - This study is the first to extend association rule mining and change mining techniques to the domain of firewall log analysis, creating a new approach to optimizing firewall policy rules.
Keywords: firewall policy; firewall log; data mining; association rule; change mining
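The CBARM workflow the abstract describes (mine frequent itemsets from firewall logs of two periods, classify the change between the periods as added, perished or emerging patterns, then use the result to adjust the policy so that packets are compared against fewer rules) is sketched here as an added Python example; it is not the paper's code or data. The log format, the rule table, the minimum-support and growth thresholds, and the exact definitions of the three pattern types are assumptions made for this example, since the page does not state the paper's own values.

```python
"""Added example (not the paper's code or data): CBARM-style optimisation of a
small first-match firewall policy from two periods of constructed log lines.
Thresholds, log format and pattern definitions are assumptions."""
from collections import Counter
from fractions import Fraction
from itertools import combinations

# Constructed log lines for two periods (not real traffic).
PERIOD_1 = (["dst=10.0.1.10 dport=22 action=accept"] * 4
            + ["dst=10.0.1.10 dport=80 action=accept"] * 3
            + ["dst=10.0.1.20 dport=443 action=accept"] * 2
            + ["dst=10.0.1.30 dport=53 action=accept"])
PERIOD_2 = (["dst=10.0.1.10 dport=80 action=accept"] * 2
            + ["dst=10.0.1.20 dport=443 action=accept"] * 6
            + ["dst=10.0.1.40 dport=8443 action=accept"] * 2)

# Constructed policy in its current order; the first matching rule wins.
RULES = [
    ("allow-ssh",    frozenset({"dst=10.0.1.10", "dport=22"}),   "accept"),
    ("allow-web",    frozenset({"dst=10.0.1.10", "dport=80"}),   "accept"),
    ("allow-https",  frozenset({"dst=10.0.1.20", "dport=443"}),  "accept"),
    ("allow-alt",    frozenset({"dst=10.0.1.40", "dport=8443"}), "accept"),
    ("default-deny", frozenset(),                                "deny"),
]
MIN_SUPPORT = Fraction(1, 5)  # assumed minimum support (exact, no float rounding)
MIN_GROWTH = Fraction(2)      # assumed growth ratio that makes a pattern "emerging"


def parse(lines):
    """Each log line becomes one transaction: a frozenset of key=value items."""
    return [frozenset(line.split()) for line in lines]


def mine_frequent_itemsets(records, min_support=MIN_SUPPORT):
    """Level-wise Apriori; returns {itemset: support} for all frequent itemsets."""
    n = len(records)
    counts = Counter(item for rec in records for item in rec)
    current = {frozenset([i]) for i, c in counts.items() if Fraction(c, n) >= min_support}
    support = {s: Fraction(counts[next(iter(s))], n) for s in current}
    k = 2
    while current:
        # Join frequent (k-1)-itemsets, prune candidates with an infrequent subset.
        candidates = {a | b for a in current for b in current if len(a | b) == k
                      and all(frozenset(s) in current for s in combinations(a | b, k - 1))}
        counts = Counter(c for rec in records for c in candidates if c <= rec)
        current = {c for c, v in counts.items() if Fraction(v, n) >= min_support}
        support.update({c: Fraction(counts[c], n) for c in current})
        k += 1
    return support


def classify_changes(old, new, min_growth=MIN_GROWTH):
    """Change mining between two periods (assumed definitions): added = frequent
    now but not before; perished = frequent before but not now; emerging =
    frequent in both with support grown by at least min_growth."""
    return {
        "added": {s for s in new if s not in old},
        "perished": {s for s in old if s not in new},
        "emerging": {s for s in new if s in old and new[s] / old[s] >= min_growth},
    }


def optimize_policy(rules, new_support, changes):
    """Order rules by current-period support (most matched first, default last) and
    flag rules whose condition set is a perished pattern for administrator review."""
    body, default = rules[:-1], rules[-1]
    ordered = sorted(body, key=lambda r: new_support.get(r[1], Fraction(0)), reverse=True)
    flagged = [name for name, conds, _ in body if conds in changes["perished"]]
    return ordered + [default], flagged


def count_comparisons(rules, records):
    """Total rule evaluations under first-match semantics (the paper's measure)."""
    total = 0
    for rec in records:
        for _, conds, _ in rules:
            total += 1
            if conds <= rec:
                break
    return total


def run():
    old, new = parse(PERIOD_1), parse(PERIOD_2)
    old_sup, new_sup = mine_frequent_itemsets(old), mine_frequent_itemsets(new)
    changes = classify_changes(old_sup, new_sup)
    new_rules, flagged = optimize_policy(RULES, new_sup, changes)
    before, after = count_comparisons(RULES, new), count_comparisons(new_rules, new)
    return changes, [name for name, _, _ in new_rules], flagged, before, after


if __name__ == "__main__":
    changes, order, flagged, before, after = run()
    for kind, sets in changes.items():
        print(kind, [sorted(s) for s in sets])
    print("new order:", order, "review:", flagged, "comparisons:", before, "->", after)
```

Supports are kept as exact fractions so that the growth-ratio test is not disturbed by floating-point rounding. With these constructed logs the HTTPS pattern grows from 0.2 to 0.6 and is classified as emerging, the SSH pattern disappears and is classified as perished (its rule is moved last and flagged for review), the 8443 service is added, and moving the most-matched rule to the top cuts the rule evaluations for the second period from 30 to 16. The paper's measured gains depend on its own thresholds and real logs, which this page does not provide.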
