Optimizing network microsegmentation policy for cyber resilience

This paper describes an approach for improving cyber resilience through the synthesis of optimal microsegmentation policy for a network. By leveraging microsegmentation security architecture, we can reason about fine-grained policy rules that enforce access for given combinations of source address, destination address, destination port, and protocol. Our approach determines microsegmentation policy rules that limit adversarial movement within a network according to assumed attack scenarios and mission availability needs. For this problem, we formulate a novel optimization objective function that balances cyberattack risks against accessibility to critical network resources. Given the application of a particular set of policy rules as a candidate optimal solution, this objective function estimates the adversary effort for carrying out a particular attack scenario, which it balances against the extent to which the solution restricts access to mission-critical services. We then apply artificial intelligence techniques (evolutionary programming) to learn microsegmentation policy rules that optimize this objective function.