1. Sylvain Hallé
Sylvain Hallé, Éric Lunaud Ngoupé, Roger
Villemaire, Omar Cherkaoui
Fonds de recherche
sur la nature
et les technologies
CRSNG
NSERC
Distributed Firewall Anomaly Detection
Through LTL Model Checking
Université du Québec à Chicoutimi
CANADA
Université du Québec à Montréal
CANADA

2. Sylvain HalléSylvain Hallé
Firewalls
Incoming traffic
Filtered traffic
Source IP Port Dest. IP Port Decision
192.*
16.10.*
10.1.1.2
. . .
80
*
23
. . .
10.10.*
*
*
. . .
80
*
23
. . .
Accept
Reject
Accept
. . .

3. Sylvain HalléSylvain Hallé
What's wrong with this filter?
FSM
LTL
. . .
Algos
Tools
Rule # Interval Decision
1
2
3
4
5
Accept
Deny
Accept
Accept
Deny
50
2 3
3 9
33
92

4. Sylvain HalléSylvain Hallé
What's wrong with this filter?
FSM
LTL
. . .
Algos
Tools
Rule # Interval Decision
1
2
3
4
5
Accept
Deny
Accept
Accept
Deny
50
2 3
3 9
33
92
Rule 2's packets are already handled by Rule 1:
it is shadowed
Rules 2 and 3 apply a different decision to some
packets: they are correlated
All of Rule 5's packets are applied the same decision
as Rule 2: it is redundant

5. Sylvain Hallé
????
start
0
exact?
1
exact?
4
superset?
3
Ry ℜIM Rx
8
redundant
12
shadowed
11
general
13
correlated
14
none
15
proto
y=
proto
x
protoy
⊂ protox
proto
y ⊃ proto
x superset?
6
srcy
=srcx
srcy ⊇ srcx
dsty
⊆ dstx
actiony =actionx
actiony
≠ actionx
dsty
⊆ dstx
dsty
⊇ dstx
srcy ⊂ srcx
src
y ⊃
src
x
subset?
2
subset?
5
srcy
⊆ srcx
correlated?
7
srcy
⊃
srcx
srcy
⊂
srcx
dsty
⊆ dstx
dsty
⊃ dstx
dsty ⊃
dstx
dsty ⊃
dstx
dsty⊂dstx
src
y≠src
x
srcy≠srcx
srcy
≠srcx
dsty≠dstx
dsty≠dstx
dsty≠
dstx
dsty
≠ dstx
protoy
≠
protox
Rx
ℜIM
Ry
9
actiony
=actionx
actiony ≠ actionx
Rx ℜC Ry
10
actiony ≠ actionx
actiony
=actionx
Previous results
E. Al-Shaer & H. H. Hamed. Discovery of Policy
Anomalies in Distributed Firewalls. INFOCOM 2004.
For every pair of rules R , R ...x y

6. Sylvain Hallé
Previous results
B. Khorchani, S. Hallé, R. Villemaire. Firewall anomaly detection
with a model checker for visibility logic. IM 2012.
B
A
D
t
B
AB
A
A overlaps B
A ⋂ B
A occludes B
A ⊆ B
A obstructs B
A ⊇ B
◇*
φ
○*
φ
◻*
φ
some rule r', following r and such
that r' * r, satisfies φ
all rules r', following r and such
that r' * r, satisfy φ
the first rule r', following r and such
that r' * r, satisfies φ
a ⋀ d◇⋂( ) ⋁ d ⋀ a◇⋂( ) ◇⊇
TRUE
-1
a ⋀ a◇⊇( ) ⋁ d ⋀ d◇⊇( )-1 -1
Correlation Shadowing Redundancy

7. Sylvain Hallé
Routers
Incoming traffic
Outgoing traffic
Source Destination Next hop
192.*
16.10.*
10.1.1.2
. . .
10.*
16.10.*
50.1.*
. . .
R1
R2
R3
. . .

8. Sylvain Hallé
1 [5,8] : ⊥
2 [0,1] : ⊤
3 [6,8]: ⊥
4 [2,5]: ⊤
5 [9,9]: ⊤
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
[0,3] Device 1
[4,8] #
[9,9] Device 1
I Next hop
[0,8] Device 1
[9,9] #
I Next hop
Node 1
Node 2
Node 3
1 [5,8] : ⊤
2 [2,4] : ⊤
3 [9,9] : ⊤
4 [0,1]: ⊥
All together now

9. Sylvain Hallé
Rule 3.4 shadows Rule 1.2: packet accepted if enters
from Node 1, rejected if from Node 3
1 [5,8] : ⊥
2 [0,1] : ⊤
3 [6,8]: ⊥
4 [2,5]: ⊤
5 [9,9]: ⊤
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
[0,3] Device 1
[4,8] #
[9,9] Device 1
I Next hop
[0,8] Device 1
[9,9] #
I Next hop
Node 1
Node 2
Node 3
1 [5,8] : ⊤
2 [2,4] : ⊤
3 [9,9] : ⊤
4 [0,1]: ⊥
All together now

10. Sylvain Hallé
Rules 1.1 and 3.1 are spurious: a packet to 5 entering
from Node 3 is routed to Node 1 where it is dropped
1 [5,8] : ⊥
2 [0,1] : ⊤
3 [6,8]: ⊥
4 [2,5]: ⊤
5 [9,9]: ⊤
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
[0,3] Device 1
[4,8] #
[9,9] Device 1
I Next hop
[0,8] Device 1
[9,9] #
I Next hop
Node 1
Node 2
Node 3
1 [5,8] : ⊤
2 [2,4] : ⊤
3 [9,9] : ⊤
4 [0,1]: ⊥
All together now

11. Sylvain Hallé
Is Rule 1.5
redundant with
respect to Rule 3.3?
1 [5,8] : ⊥
2 [0,1] : ⊤
3 [6,8]: ⊥
4 [2,5]: ⊤
5 [9,9]: ⊤
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
[0,3] Device 1
[4,8] #
[9,9] Device 1
I Next hop
[0,8] Device 1
[9,9] #
I Next hop
Node 1
Node 2
Node 3
1 [5,8] : ⊤
2 [2,4] : ⊤
3 [9,9] : ⊤
4 [0,1]: ⊥
All together now

12. Sylvain Hallé
Is Rule 1.5
redundant with
respect to Rule 3.3?
Yes if Node 1 receives traffic only from Node 3...
1 [5,8] : ⊥
2 [0,1] : ⊤
3 [6,8]: ⊥
4 [2,5]: ⊤
5 [9,9]: ⊤
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
[0,3] Device 1
[4,8] #
[9,9] Device 1
I Next hop
[0,8] Device 1
[9,9] #
I Next hop
Node 1
Node 2
Node 3
1 [5,8] : ⊤
2 [2,4] : ⊤
3 [9,9] : ⊤
4 [0,1]: ⊥
All together now

13. Sylvain Hallé
Is Rule 1.5
redundant with
respect to Rule 3.3?
Yes if Node 1 receives traffic only from Node 3...
No otherwise!
1 [5,8] : ⊥
2 [0,1] : ⊤
3 [6,8]: ⊥
4 [2,5]: ⊤
5 [9,9]: ⊤
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
[0,3] Device 1
[4,8] #
[9,9] Device 1
I Next hop
[0,8] Device 1
[9,9] #
I Next hop
Node 1
Node 2
Node 3
1 [5,8] : ⊤
2 [2,4] : ⊤
3 [9,9] : ⊤
4 [0,1]: ⊥
All together now

14. Sylvain Hallé
Is Rule 2.3
shadowed
by Rule 3.1?
1 [5,8] : ⊥
2 [0,1] : ⊤
3 [6,8]: ⊥
4 [2,5]: ⊤
5 [9,9]: ⊤
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
[0,3] Device 1
[4,8] #
[9,9] Device 1
I Next hop
[0,8] Device 1
[9,9] #
I Next hop
Node 1
Node 2
Node 3
1 [5,8] : ⊤
2 [2,4] : ⊤
3 [9,9] : ⊤
4 [0,1]: ⊥
All together now

15. Sylvain Hallé
Is Rule 2.3
shadowed
by Rule 3.1?
No since no traffic ever flows from Node 3 to
Node 2 (all traffic is dropped at Node 1)
1 [5,8] : ⊥
2 [0,1] : ⊤
3 [6,8]: ⊥
4 [2,5]: ⊤
5 [9,9]: ⊤
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
[0,3] Device 1
[4,8] #
[9,9] Device 1
I Next hop
[0,8] Device 1
[9,9] #
I Next hop
Node 1
Node 2
Node 3
1 [5,8] : ⊤
2 [2,4] : ⊤
3 [9,9] : ⊤
4 [0,1]: ⊥
All together now

16. Sylvain Hallé
Is Rule 2.5
redundant
wrt Rule 1.4?
1 [5,8] : ⊥
2 [0,1] : ⊤
3 [6,8]: ⊥
4 [2,5]: ⊤
5 [9,9]: ⊤
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
[0,3] Device 1
[4,8] #
[9,9] Device 1
I Next hop
[0,8] Device 1
[9,9] #
I Next hop
Node 1
Node 2
Node 3
1 [5,8] : ⊤
2 [2,4] : ⊤
3 [9,9] : ⊤
4 [0,1]: ⊥
All together now

17. Sylvain Hallé
Is Rule 2.5
redundant
wrt Rule 1.4?
No since packets destined to 4-5 are never routed
to Node 1
1 [5,8] : ⊥
2 [0,1] : ⊤
3 [6,8]: ⊥
4 [2,5]: ⊤
5 [9,9]: ⊤
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
[0,3] Device 1
[4,8] #
[9,9] Device 1
I Next hop
[0,8] Device 1
[9,9] #
I Next hop
Node 1
Node 2
Node 3
1 [5,8] : ⊤
2 [2,4] : ⊤
3 [9,9] : ⊤
4 [0,1]: ⊥
All together now

18. Sylvain Hallé
Issues
The presence of an anomaly between rules R and
R' depends on whether there is a possible path
from R to R'
...and also on the field ranges of each routing rule
along that path!

19. Sylvain Hallé
How to detect an anomaly
Keep track of an interval I of values and a decision
D, called a frozen interval and a frozen decision
In the beginning, set I to the full range of possible
values, and D to "undefined"
?
Frozen interval Frozen decision
①

20. Sylvain Hallé
How to detect an anomaly
Pick some ingress node as a starting point②
1 [5,8] : ⊥
2 [0,1] : ⊤
3 [6,8]: ⊥
4 [2,5]: ⊤
5 [9,9]: ⊤
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
[0,3] Device 1
[4,8] #
[9,9] Device 1
I Next hop
[0,8] Device 1
[9,9] #
I Next hop
Node 1
Node 2
Node 3
1 [5,8] : ⊤
2 [2,4] : ⊤
3 [9,9] : ⊤
4 [0,1]: ⊥

21. Sylvain Hallé
In every node visited, go through the firewall rules
one by one in order
1 [5,6] : ⊤
2 [0,4] : ⊤
3 [7,8] : ⊥
4 [9,9] : ⊤
5 [3,5] : ⊤
③
How to detect an anomaly
...

22. Sylvain Hallé
Once done scanning through the rules, pick one
routing entry...
Intersect the freeze interval with the entry chosen
...and move on to the destination node
④
[0,3] #
[4,8] Device 2
[9,9] Device 3
I Next hop
0 10 4 8
⋂ =
4 8
How to detect an anomaly

23. Sylvain Hallé
At some point in the walk (only once!), pick the
current firewall rule
Intersect the freeze interval with the rule chosen
Record the rule's decision in the freeze decision
⑤
7 8
⋂ =
3 [7,8] : ⊥
4 8 7 8
? ⊥
How to detect an anomaly

24. Sylvain Hallé
How to detect an anomaly
From this point on, compare the frozen interval/
decision with the interval/decision of every firewall
rule "visited"
⑥
5 [5,9] : ⊤
7 8
⊥
5 9
⊤
Frozen
Spuriousness anomaly
vs.

25. Sylvain Hallé
Solution #1
Repeat this process...
for every start point
and every path
by alternatively freezing every firewall rule
Σk!
k=1
n
non-cyclic paths between n nodes

26. Sylvain Hallé
Solution #2
For a given network, generate a Kripke structure
whose traces are all the walks behaving as in steps
① to ⑥
Send the problem to a model checker
Express anomalies as temporal
logic properties on these traces
(reachability problem)

27. Sylvain Hallé
Variables in the Kripke structure
Each state of the Kripke structure is a unique
assignment of values to 7 state variables
ιL ιR
⊥
ιD
3 [7,8] : ⊥
ρL ρR
ρDχ
Bounds of frozen
interval
Frozen
decision
Unique rule
number
Bounds of current
firewall rule interval
Current rule
decision

28. Sylvain Hallé
Transitions in the Kripke structure
Each transition between two states corresponds to
one of the following actions
ιR
ιD
3 [7,8] : ⊥
4 [9,9] : ⊤
ρL
ρR
ρD
χ
Moving to the next rule in the current firewall
ιL = a
= b
= d
= 3
= 7
= 8
= ⊥
ιR
ιD
ρL
ρR
ρD
χ
ιL = a
= b
= d
= 3
= 9
= 9
= ⊤

29. Sylvain Hallé
Transitions in the Kripke structure
Each transition between two states corresponds to
one of the following actions
ιR
ιD
3 [7,8] : ⊥
ρL
ρR
ρD
χ
Freezing the current firewall rule
ιL = a
= b
= ?
= 3
= 7
= 8
= ⊥
ιR
ιD
ρL
ρR
ρD
χ
ιL = max(a, 7)
= min(b, 8)
= ⊥
= 3
= 7
= 8
= ⊥

30. Sylvain Hallé
Transitions in the Kripke structure
Each transition between two states corresponds to
one of the following actions
ιR
ιD
[4,8]: Device 2
ρL
ρR
ρD
χ
Select an applicable routing table entry and move
to destination (first firewall rule)
ιL = a
= b
= d
= 3
= 7
= 8
= ⊥
ιR
ιD
ρL
ρR
ρD
χ
ιL = max(a, 4)
= min(b, 8)
= d
= 1
= 5
= 6
= ⊤
1 [5,6] : ⊤

31. Sylvain Hallé
LTL properties
Anomalies become properties on traces expressed in
Linear Temporal Logic (LTL)
Ex.: shadowing
ιR ιDρL ρR ρDιL =⊥≤ ∧ ≥ =⊤ ∧∧G ( )

32. Sylvain Hallé
Anomaly detector
Firewall rules
Routing table
Encoder
Decoder
Kripke structure
NuSMV
Counter-example
trace
Anomaly explanation
Node 1
Firewall rules
Routing table
Node n
. . .
Anomalies expressed
as LTL formulæ
Analysis tool

33. Sylvain Hallé
Sample input file
Node name: 0
0: 0, 0 : 0, 6, 7 : 0, deny
1: 0, 0 : 0, 0, 0 : 0, accept
2: 0, 0 : 0, 12, 13 : 0, accept
...
Routing table:
12, 14, 12
8, 9, 1
5, 7, 3
...

34. Sylvain Hallé
- Starting at Node 1
- Considering firewall rule 2 on Node 1: [1-5] accept
- Going to Node 2 through routing rule 2:
Node 1 -> [2-6] -> Node 2
- The considered interval becomes restricted to [2-5]
- Going to Node 3 through routing rule 1:
Node 2 -> [2-6] -> Node 3
- Shadowing anomaly with firewall rule 2 on
Node 3: [2-5] accept vs. [3-4] reject
Analysis tool
http://github.com/sylvainhalle/FirewallCheck
java -jar NetworkChecker.jar -s -i "./*.txt"

35. Sylvain Hallé
0.1
10
1,000
Time(s)
Total number of rules in network
50 100 150 250200
2-2-2 3-3-3
Empirical results

36. Sylvain Hallé
0.001
1
1,000
Time(s)
Number of nodes in network
1 5 10 20
50 rules 100 rules
Empirical results

37. Sylvain Hallé
The end
Thank you!
Questions?