Optimizing network microsegmentation policy for cyber resilience

IF 1 Q3 ENGINEERING, MULTIDISCIPLINARY

Journal of Defense Modeling and Simulation-Applications Methodology Technology-JDMS Pub Date : 2021-10-08 DOI:10.1177/15485129211051386

S. Noel, Vipin Swarup, K. Johnsgard

{"title":"Optimizing network microsegmentation policy for cyber resilience","authors":"S. Noel, Vipin Swarup, K. Johnsgard","doi":"10.1177/15485129211051386","DOIUrl":null,"url":null,"abstract":"This paper describes an approach for improving cyber resilience through the synthesis of optimal microsegmentation policy for a network. By leveraging microsegmentation security architecture, we can reason about fine-grained policy rules that enforce access for given combinations of source address, destination address, destination port, and protocol. Our approach determines microsegmentation policy rules that limit adversarial movement within a network according to assumed attack scenarios and mission availability needs. For this problem, we formulate a novel optimization objective function that balances cyberattack risks against accessibility to critical network resources. Given the application of a particular set of policy rules as a candidate optimal solution, this objective function estimates the adversary effort for carrying out a particular attack scenario, which it balances against the extent to which the solution restricts access to mission-critical services. We then apply artificial intelligence techniques (evolutionary programming) to learn microsegmentation policy rules that optimize this objective function.","PeriodicalId":44661,"journal":{"name":"Journal of Defense Modeling and Simulation-Applications Methodology Technology-JDMS","volume":"47 1","pages":"57 - 79"},"PeriodicalIF":1.0000,"publicationDate":"2021-10-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Defense Modeling and Simulation-Applications Methodology Technology-JDMS","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1177/15485129211051386","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"ENGINEERING, MULTIDISCIPLINARY","Score":null,"Total":0}

引用次数: 3

Abstract

This paper describes an approach for improving cyber resilience through the synthesis of optimal microsegmentation policy for a network. By leveraging microsegmentation security architecture, we can reason about fine-grained policy rules that enforce access for given combinations of source address, destination address, destination port, and protocol. Our approach determines microsegmentation policy rules that limit adversarial movement within a network according to assumed attack scenarios and mission availability needs. For this problem, we formulate a novel optimization objective function that balances cyberattack risks against accessibility to critical network resources. Given the application of a particular set of policy rules as a candidate optimal solution, this objective function estimates the adversary effort for carrying out a particular attack scenario, which it balances against the extent to which the solution restricts access to mission-critical services. We then apply artificial intelligence techniques (evolutionary programming) to learn microsegmentation policy rules that optimize this objective function.

查看原文本刊更多论文

优化网络微分段策略的网络弹性

本文描述了一种通过综合网络最优微分段策略来提高网络弹性的方法。通过利用微段安全体系结构，我们可以推断出对源地址、目标地址、目标端口和协议的给定组合强制访问的细粒度策略规则。我们的方法确定了微分段策略规则，根据假设的攻击场景和任务可用性需求，限制网络内的对抗运动。针对这个问题，我们制定了一个新的优化目标函数，以平衡网络攻击风险与关键网络资源的可访问性。给定一组特定策略规则的应用程序作为候选最优解决方案，此目标函数估计对手执行特定攻击场景的努力，并将其与解决方案限制访问关键任务服务的程度进行平衡。然后，我们应用人工智能技术(进化编程)来学习优化该目标函数的微分割策略规则。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Defense Modeling and Simulation-Applications Methodology Technology-JDMS ENGINEERING, MULTIDISCIPLINARY-

CiteScore

2.80

自引率

12.50%

发文量