AutoSeg：通过配置分析自动生成微分段策略

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-07-29 DOI:10.1016/j.cose.2025.104591

Andong Chen , Zhaoxuan Jin , Zhenyuan Li , Yan Chen , Yu Ning , Ying Wang

{"title":"AutoSeg：通过配置分析自动生成微分段策略","authors":"Andong Chen , Zhaoxuan Jin , Zhenyuan Li , Yan Chen , Yu Ning , Ying Wang","doi":"10.1016/j.cose.2025.104591","DOIUrl":null,"url":null,"abstract":"<div><div>Micro-segmentation isolates network segments within different parts of an application, reducing potential attack surfaces. This technique has become increasingly common for enhancing security in cloud application infrastructures. Despite its benefits, the complexity of managing numerous service interactions can make defining and maintaining micro-segmentation policies challenging and prone to errors. Previous solutions have attempted to simplify policy creation, but gaps remain in their applicability, auditability, and response times.</div><div>In this paper, we proposed the first configuration-based approach, AugoSeg, which automates the generation of micro-segmentation policies for cloud-native applications. By analyzing network configurations in service containers, AugoSeg identifies service dependencies and automatically creates corresponding policies. This system specifically targets commonly used, behavior-focused configurations, addressing the shortcomings of earlier systems through its design.</div><div>We systematically evaluated AugoSeg, using the 184 services from 61 popular projects, covering 14 programming languages. The results illustrated that AugoSeg can completely model service dependencies for over 96.7% of projects and formulate restrictive policies in an average time of 7.13 s. It effectively restricts attackers’ lateral movements within networks. This evaluation not only underscores the efficiency of AugoSeg but also demonstrates its practical applicability in cloud environments, setting a new approach for micro-segmentation in cloud-native security.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104591"},"PeriodicalIF":5.4000,"publicationDate":"2025-07-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"AutoSeg: Automatic micro-segmentation policy generation via configuration analysis\",\"authors\":\"Andong Chen , Zhaoxuan Jin , Zhenyuan Li , Yan Chen , Yu Ning , Ying Wang\",\"doi\":\"10.1016/j.cose.2025.104591\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Micro-segmentation isolates network segments within different parts of an application, reducing potential attack surfaces. This technique has become increasingly common for enhancing security in cloud application infrastructures. Despite its benefits, the complexity of managing numerous service interactions can make defining and maintaining micro-segmentation policies challenging and prone to errors. Previous solutions have attempted to simplify policy creation, but gaps remain in their applicability, auditability, and response times.</div><div>In this paper, we proposed the first configuration-based approach, AugoSeg, which automates the generation of micro-segmentation policies for cloud-native applications. By analyzing network configurations in service containers, AugoSeg identifies service dependencies and automatically creates corresponding policies. This system specifically targets commonly used, behavior-focused configurations, addressing the shortcomings of earlier systems through its design.</div><div>We systematically evaluated AugoSeg, using the 184 services from 61 popular projects, covering 14 programming languages. The results illustrated that AugoSeg can completely model service dependencies for over 96.7% of projects and formulate restrictive policies in an average time of 7.13 s. It effectively restricts attackers’ lateral movements within networks. This evaluation not only underscores the efficiency of AugoSeg but also demonstrates its practical applicability in cloud environments, setting a new approach for micro-segmentation in cloud-native security.</div></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":\"157 \",\"pages\":\"Article 104591\"},\"PeriodicalIF\":5.4000,\"publicationDate\":\"2025-07-29\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404825002809\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002809","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

微段隔离了应用程序不同部分的网段，减少了潜在的攻击面。这种技术在增强云应用程序基础设施中的安全性方面变得越来越普遍。尽管有好处，但管理大量服务交互的复杂性可能会使定义和维护微分段策略具有挑战性，并且容易出错。以前的解决方案尝试简化策略创建，但是在适用性、可审核性和响应时间方面仍然存在差距。在本文中，我们提出了第一种基于配置的方法AugoSeg，它可以自动生成云原生应用程序的微分段策略。通过分析服务容器中的网络配置，AugoSeg可以识别服务依赖关系，并自动创建相应的策略。该系统专门针对常用的、以行为为中心的配置，通过其设计解决了早期系统的缺点。我们系统地评估了AugoSeg，使用了61个热门项目的184个服务，涵盖了14种编程语言。结果表明，AugoSeg可以在7.13 s的平均时间内完成96.7%以上项目的服务依赖关系建模，并制定限制性政策。它有效地限制了攻击者在网络中的横向移动。这一评价不仅强调了AugoSeg的效率，也证明了其在云环境中的实际适用性，为云原生安全中的微分割开辟了新的途径。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

AutoSeg: Automatic micro-segmentation policy generation via configuration analysis

Micro-segmentation isolates network segments within different parts of an application, reducing potential attack surfaces. This technique has become increasingly common for enhancing security in cloud application infrastructures. Despite its benefits, the complexity of managing numerous service interactions can make defining and maintaining micro-segmentation policies challenging and prone to errors. Previous solutions have attempted to simplify policy creation, but gaps remain in their applicability, auditability, and response times.

In this paper, we proposed the first configuration-based approach, AugoSeg, which automates the generation of micro-segmentation policies for cloud-native applications. By analyzing network configurations in service containers, AugoSeg identifies service dependencies and automatically creates corresponding policies. This system specifically targets commonly used, behavior-focused configurations, addressing the shortcomings of earlier systems through its design.

We systematically evaluated AugoSeg, using the 184 services from 61 popular projects, covering 14 programming languages. The results illustrated that AugoSeg can completely model service dependencies for over 96.7% of projects and formulate restrictive policies in an average time of 7.13 s. It effectively restricts attackers’ lateral movements within networks. This evaluation not only underscores the efficiency of AugoSeg but also demonstrates its practical applicability in cloud environments, setting a new approach for micro-segmentation in cloud-native security.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.