A specification method for analyzing fine grained network security mechanism configurations

摘要

Quick evolution, heterogeneity, interdependence between equipment, and many other factors induce high complexity to network security analysis. Although several approaches have proposed different analysis tools, achieving this task requires experienced and proficient security administrators who can handle all these parameters. The challenge is not to propose a temporary solution but to offer a building block for this large domain, though no approach can be optimal for all tasks. In previous papers, we have proposed a novel formal model of equipment configuration built on data flow attribute-based approach to detect network security conflicts. In this paper, we extend the previous proposed model in order to make it more generic by proving it can handle microscopic analysis. We define a formal analysis method for network security mechanisms. Therefore, we specify our approach in Colored Petri Networks to automate the conflicts analysis and test it on a fine-grained firewall scenario.