Mining a high level access control policy in a network with multiple firewalls

A policy mining approach that aims to automatically extract a high level of abstraction policy from the rules configured on a firewall has been recently proposed (Hachana et al., 2013). This technique is likely to considerably facilitate firewall management. However, protecting the information system of a business organization usually requires the enforcement of more than one firewall. In this paper, we augment the policy mining approach by an additional processing for a network access control policy mining. We develop the problem of integration of Net-RBAC (Hachana, 2014) policies resulting from policy mining over several firewalls in order to mine a high level network policy. Moreover, we show how to verify security properties related to the deployment consistency over the firewalls. We illustrate the network policy mining approach by a realistic example, and we experimentally evaluate the performance of our merger algorithms.