Algebraic Models to Detect and Solve Policy Conflicts

  • Cataldo Basile
  • Alberto Cappadonia
  • Antonio Lioy
Part of the Communications in Computer and Information Science book series (CCIS, volume 1)


The management of security for large and complex environments is still an open problem, and policy-based systems are certainly one of the most innovative and effective solutions to it. The policy, which at the lowest level is expressed as sets of rules, becomes crucial for the consistency of the systems to be protected, and it must be checked for correctness. This paper presents a set-based model of rules that permits static conflict detection, and an axiomatic model of conflict resolution, leading to semi-lattice theory, to solve the inconsistencies. We proved the effectiveness of the theory by implementing an extensible tool that supports security officers in creating rules, providing an easy environment to identify conflicts and to apply manual as well as automatic resolution strategies.
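To make the abstract's two ideas concrete, the following added example (not the authors' model, tool or code) represents packet-filter rules as boxes, i.e. products of integer intervals over (source address, destination address, destination port), so that pairwise static conflict detection becomes set intersection and containment, and then resolves each overlap with a join on a two-element action semi-lattice in which "deny" is the top element. The rule names, addresses, port ranges and the deny-overrides ordering are constructed for the illustration; the anomaly names (shadowing, generalization, correlation) are used in the firewall-analysis sense of a later rule being fully covered by, fully covering, or partially overlapping an earlier rule with a different action.

```python
"""Set-based model of packet-filter rules with static conflict detection.

Added illustration, not the paper's own model or tool: each rule is a box
(product of inclusive integer intervals) over (src, dst, dport); two rules
conflict when their boxes intersect and their actions differ.
"""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Optional, Tuple

Interval = Tuple[int, int]                       # inclusive [lo, hi]
Box = Tuple[Interval, Interval, Interval]        # (src, dst, dport)

# Constructed action semi-lattice for resolution: "deny" is the top element,
# so the join of two conflicting actions is "deny" (deny-overrides).
ACTION_RANK = {"allow": 0, "deny": 1}


def cidr(net: str) -> Interval:
    """Map a CIDR block to the inclusive integer address range it covers."""
    n = ipaddress.ip_network(net, strict=False)
    return (int(n.network_address), int(n.broadcast_address))


@dataclass(frozen=True)
class Rule:
    name: str
    src: Interval
    dst: Interval
    dport: Interval
    action: str  # "allow" or "deny"

    @property
    def box(self) -> Box:
        return (self.src, self.dst, self.dport)


def intersect(a: Interval, b: Interval) -> Optional[Interval]:
    """Intersection of two inclusive intervals, or None when disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def covers(a: Interval, b: Interval) -> bool:
    """True when interval a contains interval b."""
    return a[0] <= b[0] and b[1] <= a[1]


def box_intersection(x: Box, y: Box) -> Optional[Box]:
    """Component-wise intersection; None as soon as one dimension is disjoint."""
    parts = [intersect(a, b) for a, b in zip(x, y)]
    return None if any(p is None for p in parts) else tuple(parts)


def classify(earlier: Rule, later: Rule) -> Optional[str]:
    """Name the conflict between two rules (earlier listed first), or None."""
    if earlier.action == later.action or box_intersection(earlier.box, later.box) is None:
        return None
    if all(covers(a, b) for a, b in zip(earlier.box, later.box)):
        return "shadowing"        # later rule can never match under first-match
    if all(covers(b, a) for a, b in zip(earlier.box, later.box)):
        return "generalization"   # later rule is a broader exception to the earlier one
    return "correlation"          # partial overlap: rule order decides the outcome


def detect_conflicts(rules):
    """Return (earlier, later, kind) for every conflicting pair, in policy order."""
    return [(r1, r2, k) for r1, r2 in combinations(rules, 2)
            if (k := classify(r1, r2)) is not None]


def resolve(r1: Rule, r2: Rule):
    """Resolve a conflict on the overlapping region with the action join."""
    region = box_intersection(r1.box, r2.box)
    winner = max((r1.action, r2.action), key=ACTION_RANK.__getitem__)
    return region, winner


# Constructed sample policy (hypothetical addresses and ports).
POLICY = [
    Rule("R1", cidr("10.0.0.0/8"),    cidr("192.168.1.10/32"), (80, 80),   "allow"),
    Rule("R2", cidr("10.0.5.0/24"),   cidr("192.168.1.10/32"), (80, 80),   "deny"),
    Rule("R3", cidr("10.0.0.0/8"),    cidr("192.168.1.0/24"),  (1, 1024),  "deny"),
    Rule("R4", cidr("172.16.0.0/12"), cidr("192.168.1.0/24"),  (22, 22),   "allow"),
    Rule("R5", cidr("10.0.5.0/24"),   cidr("192.168.0.0/16"),  (443, 443), "allow"),
]

if __name__ == "__main__":
    for a, b, kind in detect_conflicts(POLICY):
        region, action = resolve(a, b)
        print(f"{a.name} vs {b.name}: {kind}; overlapping region resolved to {action}")
```

On the constructed policy the pairwise check reports R2 shadowed by R1, R3 generalizing R1, and R3/R5 correlated, while R4 conflicts with nothing because its source range is disjoint from every other rule. Detection is pairwise and quadratic in the number of rules, which is acceptable for static analysis of a single policy; the resolution step only ever changes the action on the intersection box, so it can be applied automatically when the administrator accepts the chosen semi-lattice ordering.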


Keywords: security policy model; policy conflicts detection; policy conflicts resolution; firewall rules analysis; policy specification





Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Cataldo Basile (1)
  • Alberto Cappadonia (1)
  • Antonio Lioy (1)
  1. Dipartimento di Automatica e Informatica, Politecnico di Torino, Torino, Italia
