Reusable Annotations for Matching of Event Sequences to Construct Firewall Policies

Heric Flores-Huerta, Worcester Polytechnic Institute


Organizations of all types use firewall systems to protect their networks from threats. Those firewalls are governed by the policies used to configure them. The PEACE (Policy Enforcement and Access Control for End-points) system is a new combination, network-plus-host based firewall that gives analysts a novel new set of data to build policy attributes for. This data are semi-structured strings that represent the hierarchy of graphical user interface components that have been interacted with around the time that host sent a network request. The multivariate, hierarchical, semi-structured nature of this data can make it a laborious or non-intuitive task to create the string matching rules that are used by the firewall policies. We present a targeted, interactive, event-sequence based \cite{cappers2017exploring} tool for the purpose of building policies for the PEACE firewall system's graphical user interface data.