Using Argumentation Logic for Firewall Policy Specification and Analysis

  • Arosha K. Bandara
  • Antonis Kakas
  • Emil C. Lupu
  • Alessandra Russo
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4269)


Firewalls are important perimeter security mechanisms that imple-ment an organisation’s network security requirements and can be notoriously difficult to configure correctly. Given their widespread use, it is crucial that network administrators have tools to translate their security requirements into firewall configuration rules and ensure that these rules are consistent with each other. In this paper we propose an approach to firewall policy specification and analysis that uses a formal framework for argumentation based preference reasoning. By allowing administrators to define network abstractions (e.g. subnets, protocols etc) security requirements can be specified in a declarative manner using high-level terms. Also it is possible to specify preferences to express the importance of one requirement over another. The use of a formal framework means that the security requirements defined can be automatically analysed for inconsistencies and firewall configurations can be automatically generated. We demonstrate that the technique allows any inconsistency property, including those identified in previous research, to be specified and automatically checked and the use of an argumentation reasoning framework provides administrators with information regarding the causes of the inconsistency.


Logic Programming Security Requirement Policy Rule Argumentation Framework Argumentation Logic 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Al-Shaer, E.S., Hamed, H.H.: Firewall Policy Advisor for Anomaly Doscovery and Rule Editing. In: Proceedings of 8th IFIP/IEEE International Symposium on Integrated Network Management, Colarado Springs, CO. IEEE, Los Alamitos (2003)Google Scholar
  2. 2.
    Cisco. Cisco PIX Firewall Configuration White Paper (DOCID: 68815), Cisco Inc. (2006),
  3. 3.
    Al-Shaer, E.S., Hamed, H.H.: Discovery of Policy Anomalies in Distributed Firewalls. In: Proceedings of 23rd IEEE Communications Society Conference (INFOCOM), Hong Kong. IEEE, Los Alamitos (2004)Google Scholar
  4. 4.
    Dung, P.M.: On the acceptability of arguments and its fundamental role in nonmonotonic reasoning, logic programming and n-person games. Artificial Intelligence (77), 321–357 (1995)MathSciNetCrossRefMATHGoogle Scholar
  5. 5.
    Bondarenko, A., Dung, P.M., Kowalski, R.A., Toni, F.: An abstract argumentation theoretic approach to default reasoning. Artificial Intelligence 93, 63–101 (1997)MathSciNetCrossRefMATHGoogle Scholar
  6. 6.
    Kakas, A., Mancerella, P., Dung, P.M.: The acceptability semantics for logic programs. In: Proceedings of 11th International Conference on Logic Programming, Santa Marherita Ligure, Italy (1994)Google Scholar
  7. 7.
    Prakken, H., Sartor, G.: A system for defeasible argumentation, with defeasible priorities. In: Gabbay, D.M., Ohlbach, H.J. (eds.) FAPR 1996. LNCS (LNAI), vol. 1085. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  8. 8.
    Gorgias. Argumentation and Abduction,
  9. 9.
    Dimopoulos, Y., Nebel, B., Toni, F.: On the Computational Complexity of Assumption-based Argumentation for Default Reasoning. Artificial Intelligence 141, 57–78 (2002)MathSciNetCrossRefMATHGoogle Scholar
  10. 10.
    Mayer, A., Wool, A., Ziskind, E.: Offline firewall analysis. International Journal on Information Security 5(3), 125–144 (2006)CrossRefGoogle Scholar
  11. 11.
    Uribe, T.E., Cheung, S.: Automatic Analysis of Firewall and Network Intrusion Detection System Configurations. In: Proceedings of ACM Workshop on Formal Methods in Security Engineering, Washington, DC. ACM Press, New York (2004)Google Scholar
  12. 12.
    Yuan, L., Mai, J., Su, Z., Chen, H., Chuah, C.-N., Mohapatra, P.: FIREMAN: a toolkit for FIREwall Modeling and ANalysis. In: Proceedings of IEEE Symposium on Security and Privacy, Oakland, CA (May 2006)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2006

Authors and Affiliations

  • Arosha K. Bandara
    • 1
  • Antonis Kakas
    • 2
  • Emil C. Lupu
    • 1
  • Alessandra Russo
    • 1
  1. 1.Department of ComputingImperial College LondonLondon
  2. 2.Department of Computer ScienceUniversity of CyprusCyprus

Personalised recommendations