# Firewall Anomaly Detection Based on Double Decision Tree


## Abstract


## 1. Introduction

## 2. Related Work

## 3. Formal Definition

#### 3.1. Preliminaries

**Definition 1.**

#### 3.2. Formalization of Rule

Let $f_i$ denote the conditional filter field, which represents the set of all values that the rule may adopt under this field. For example, if $f_i$ is the filter field value of the source IP, which is 192.168.1.*, the rule matches the IP address range from 192.168.1.0 to 192.168.1.255.

Let $F_i$ be the filter field that indicates the set of all values of the field. For example, when $F_i$ is srcIP or dstIP, the value of the filter field $F_i$ is the IP range from 0.0.0.0 to 255.255.255.255.

#### 3.3. Formalization of Decision Tree

Let $2^T$ be the set of terminal nodes and $2^N$ be the set of nonterminal nodes.

## 4. Asymmetric Double Decision Tree-Based Detection

#### 4.1. Equivalent Decision Tree Construction

$f_i$ which will be added and each outgoing side $e_i$ of the node $F_i$ in the tree:

$f_{i+1}$ and $F_{i+1}$, and then compare the disjoint part ($f_i - f_i \cap I(e_i)$) with each other edge ($e_j$, $j \ne i$). Algorithm 1 shows the pseudocode of the Equivalent Decision Tree Construction.

```text
Algorithm 1: Equivalent Decision Tree Construction (RuleSet)
Input:  firewall rule set <r_1, r_2, ⋯, r_n>
Output: equivalent decision tree f'
Steps:
 1: f' = f_1 × ⋯ × f_d × f_action → r_1; v ← f'.root;
 2: new map(v, e);
 3: for i = 2 to n do
 4:   space = ∅;
 5:   Append(v, r_i, space, map);
 6:   spaces.add(space);                      /* anomalies of paired rules */
 7:   anomalyDecisionTreeConstruction(spaces);
 8: end for
 9: return f'
10: End
11: Append(v, f_m × ⋯ × f_d × f_action → r, map(v, e));   /* insert into tree */
12: if (f_m − (I(e_1) ∪ I(e_2) ∪ ⋯ ∪ I(e_k)) ≠ ∅) then    /* new edge overlaps with the node's edges */
13:   I(e) = f_m − (I(e_1) ∪ I(e_2) ∪ ⋯ ∪ I(e_k));         /* take out the effective part of the new one */
14:   insert(v, e, f_{m+1} × ⋯ × f_d × f_action → r);
15:   map.add(v, e);
16: end if
17: if m ≤ d then
18:   for j = 1 to k do
19:     if (I(e_j) ∩ f_m ≠ ∅ ∧ m ≠ d) then                 /* non-leaf node */
20:       space = space × (I(e_j) ∩ f_m);                  /* anomalous path */
21:       Append(e_j.point, f_{m+1} × ⋯ × f_d × f_action → r, space);
22:     else if (I(e_j) ∩ f_m ≠ ∅ ∧ m = d) then
23:       space = space × (I(e_j) ∩ f_m);
24:   end for
25: end if
```
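As an added worked example (my own code, not the authors' implementation), the pairwise anomaly-space computation that Algorithm 1 accumulates in `spaces`, applied flat to the paper's three-rule example policy: each rule is a hyper-rectangle over the filter fields, and the shared packet space of two rules is the field-wise intersection. The field names, the interval encoding of wildcards and the relation labels are my assumptions.

```python
from ipaddress import ip_network
from itertools import combinations

FIELDS = ("proto", "src", "sport", "dst", "dport")   # one inclusive [lo, hi] interval per field
PROTO = {"tcp": 6, "udp": 17}

def parse_ip(text):
    """'*', '140.192.37.*' or '140.192.37.20' -> inclusive integer address range."""
    if text == "*":
        return (0, 2**32 - 1)
    fixed = [o for o in text.split(".") if o != "*"]    # wildcard octets form a trailing suffix
    net = ip_network(".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{8 * len(fixed)}")
    return (int(net.network_address), int(net.broadcast_address))
def parse_port(text):
    return (0, 65535) if text in ("any", "*") else (int(text), int(text))
def rule(rid, proto, src, sport, dst, dport, action):
    """A rule as its filter-field hyper-rectangle f_1 × ... × f_d plus the action."""
    fields = {"proto": (PROTO[proto], PROTO[proto]), "src": parse_ip(src), "sport": parse_port(sport),
              "dst": parse_ip(dst), "dport": parse_port(dport)}
    return {"rid": rid, "fields": fields, "action": action}
def intersect(a, b):
    """Field-wise intersection of two rule spaces, or None if any field is disjoint."""
    space = {}
    for f in FIELDS:
        lo, hi = max(a["fields"][f][0], b["fields"][f][0]), min(a["fields"][f][1], b["fields"][f][1])
        if lo > hi:
            return None
        space[f] = (lo, hi)
    return space
def anomaly_spaces(rules):
    """Shared packet space of each (earlier, later) rule pair plus how the later rule relates to it."""
    out = []
    for a, b in combinations(rules, 2):            # a precedes b in policy order
        space = intersect(a, b)
        if space is None:
            continue
        if space == b["fields"]:                   # b never matches: a already decides all its packets
            kind = "later rule fully covered"
        elif space == a["fields"]:
            kind = "later rule generalizes earlier"
        else:
            kind = "partial overlap"
        out.append((a["rid"], b["rid"], kind, a["action"] == b["action"], space))
    return out

# Constructed from the paper's example policy (rules 1-3 of its policy table).
POLICY = [rule(1, "tcp", "140.192.37.20", "any", "*", "80", "deny"),
          rule(2, "tcp", "140.192.37.*", "any", "*", "80", "accept"),
          rule(3, "tcp", "*", "any", "161.120.33.40", "80", "accept")]
```

Running `anomaly_spaces(POLICY)` reports all three rule pairs as overlapping: rule 2 generalizes rule 1 with the opposite action, while rule 3 partially overlaps both.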

#### 4.2. Anomaly Decision Tree Construction

$f_i$ which will be added and each outgoing side $e_i$ of the node $F_i$ in the decision tree:

$e_j$ ($j \ne i$).

$e_{k+1}$ in the node. The value of the new edge is the intersection of the edge which will be added and the current edge ($I(e_{k+1}) = f_i \cap I(e_i)$). The subgraph of the new edge is the subtree of the current edge $e_i$. Replace the value of the current edge with the value of the edge which will be added ($I(e_i) \leftarrow I(e_i) - f_i$), then continue to match the subtree of the new edge with the next node $f_{i+1}$ and finally generate a tree of anomalies. Algorithm 2 shows the pseudocode of the Anomaly Decision Tree Construction.

```text
Algorithm 2: Anomaly Decision Tree Construction (Space)
Input:  anomaly space <f_1, f_2, ⋯, f_n>
Output: anomaly decision tree f'
Steps:
 1: f' = f_1 × ⋯ × f_d × f_action → r_1; v ← f'.root;
 2: for i = 2 to n do
 3:   append(v, r_i);
 4: end for
 5: return f'
 6: End
 7: Append(v, f_m × ⋯ × f_d × f_action → r);
 8: if (f_m − (I(e_1) ∪ I(e_2) ∪ ⋯ ∪ I(e_k)) ≠ ∅) then    /* new edge overlaps with the node's edges */
 9:   I(e) = f_m − (I(e_1) ∪ I(e_2) ∪ ⋯ ∪ I(e_k));
10:   insert(v, e, f_{m+1} × ⋯ × f_d × f_action → r);
11: end if
12: if m ≤ d then
13:   for j = 1 to k do
14:     if (I(e_j) ∩ f_m ≠ ∅ ∧ m ≠ d) then
15:       I(new_e) = I(e_j) ∩ f_m;                         /* overlap becomes a new edge */
16:       insert(e_j.father, new_e, e_j.f_{m+1} × ⋯ × e_j.f_d × e_j.f_action → r);
17:       Append(new_e.point, f_{m+1} × ⋯ × f_d × f_action → r);
18:       I(e_j) = I(e_j) − f_m;
19:     else if (I(e_j) ∩ f_m ≠ ∅ ∧ m = d) then            /* leaf node */
20:       insert(e_j.father, new_e, e_j.f_{m+1} × ⋯ × e_j.f_d × e_j.f_action → r);
21:       I(e_j) = I(e_j) − f_m;
22:   end for
23: end if
```

#### 4.3. Equivalent Decision Tree Optimization

```text
Algorithm 3: Tree Optimization (Root, Branch)
Input:  the root v of the equivalent decision tree and its branch map(v, e)
Output: optimized decision tree f'
Steps:
 1: Cut(v, map(v, e));
 2: End
 3: Cut(v, map(v, e)):
 4:   acceptMap = map.getAccept();                 /* get "accept" paths */
 5:   denyMap = map.getDeny();
 6:   for (v' : map.keySet) do
 7:     if (hasBranch(v')) then                    /* judge whether there is no sub-branch */
 8:       map.remove(v');
 9:     end if
10:   end for
11:   int accept = getAcceptPathCount(acceptMap);  /* count "accept" paths */
12:   int deny = getDenyPathCount(denyMap);
13:   if (accept > deny) then
14:     v.removeEdge(acceptMap);                   /* simplification */
15:     f'.add(f_deny);                            /* keep equivalent */
16:   else
17:     v.removeEdge(denyMap);
18:     f'.add(f_accept);
```

#### 4.4. Incremental Detection

## 5. Evaluation and Experimental Results

## 6. Conclusions and Future Work



**Figure 2.** The process of creating an equivalent decision tree. (**a**) The first rule is inserted into a tree; (**b**) the second rule takes out the effective part and inserts it into the tree.

**Figure 4.** The decision tree of the example policy. (**a**) The first rule is inserted into the tree; (**b**) the final decision tree of anomalies.

**Figure 6.** Relationship between the number of rules and the storage space of the equivalent decision tree.

Rule | Protocol | Source Address | Source Port | Destination Address | Destination Port | Action
---|---|---|---|---|---|---
1 | tcp | 140.192.37.20 | any | * | 80 | deny
2 | tcp | 140.192.37.* | any | * | 80 | accept
3 | tcp | * | any | 161.120.33.40 | 80 | accept

Number of Rules | Approach Name | Process Time (s)
---|---|---
100 | HSViz | 2470
100 | PolicyVis | 364
100 | ours | 238
200 | HSViz | 3760
200 | PolicyVis | 1954
200 | ours | 2062
300 | HSViz | 6147
300 | PolicyVis | 4587
300 | ours | 3935
400 | HSViz | 9842
400 | PolicyVis | 7340
400 | ours | 6254
500 | HSViz | 18,578
500 | PolicyVis | 13,413
500 | ours | 8797


© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Lin, Z.; Yao, Z.
Firewall Anomaly Detection Based on Double Decision Tree. *Symmetry* **2022**, *14*, 2668.
https://doi.org/10.3390/sym14122668
