Automatic Synthesis of Network Security Services: A First Step
Lei Xu, Yangyong Zhang, Phakpoom Chinprutthiwong, G. Gu
2023 32nd International Conference on Computer Communications and Networks (ICCCN), published 2023-07-01
DOI: 10.1109/ICCCN58024.2023.10230115 (https://doi.org/10.1109/ICCCN58024.2023.10230115)
Citation count: 0
Abstract
In the network security life cycle, security needs are initialized by network operators and typically documented in natural languages, and later implemented and deployed in developed/acquired security appliances, typically written in a programming language by third-party developers. However, oftentimes, those security appliances/programs may not quite match the urgent and fast-evolving security needs since the whole developing/deployment procedure is very time-consuming. In this paper, we propose a novel framework, AUTOSEC, to aid network operators in building up or rapid prototyping operational network security services directly from high-level service needs as automatically as possible. AUTOSEC helps bridge the huge gap from human intents in natural language descriptions to the deliverable network security services. More specifically, AUTOSEC utilizes Natural Language Processing (NLP) techniques to infer security intents from natural language descriptions, and then performs Interactive Synthesis to assist users to validate and refine parsed intents if necessary. AUTOSEC further leverages Software-Defined Networking (SDN) and Network Function Virtualization (NFV) techniques to automatically compose and instantiate security services in terms of refined security intents. In the evaluation, we demonstrate the early success of AUTOSEC with security policy descriptions collected from various data sources including research papers, appliance descriptions, real-world security standards, and human-written policies.