Verification of Computing Policies and Other Hard Problems
1 Verification of Computing Policies and Other Hard Problems
Mohamed G. Gouda, University of Texas at Austin, gouda@cs.utexas.edu
Presentation at METIS

2 Computing Policy
A computing policy is a formalism that can be used to specify:
- A firewall policy in the Internet
- A routing policy in the Internet
- An access control policy in an operating or database system
In this presentation:
- Use the term firewall to mean a computing policy
- Use the term packet to mean a request

3 In this Presentation
We outline a theory of the logical analysis of firewalls. This theory consists of three parts:
- Describe an efficient method for verifying whether any given firewall satisfies any given property
- Show that the two problems of firewall verification and firewall redundancy checking are equivalent
- Show that every problem related to the logical analysis of firewalls, including verification and redundancy checking, is NP-hard

4 Projection and Division: Linear-Space Verification of Firewalls
H. B. Acharya, M. G. Gouda, University of Texas at Austin {acharya,
ICDCS

5 In This Paper
A firewall is a packet filter placed at the entry of a private network to decide which incoming packets are discarded or accepted.
In this paper, we discuss:
- How to specify firewalls
- How to specify firewall properties
- How to verify that a firewall satisfies its properties
We show that the presented verification algorithm requires linear (in the size of the verified firewall) space.

6 Fields
The header of a packet has fields: x, y, ...
The value of each field is taken from an interval of nonnegative integers: x in [0, 9], y in [0, 9], ...
Each packet is defined by the value of each of its fields.
Example of a packet: (x = 0, y = 6)

7 Firewall F
F is a sequence of rules:
  x in [1, 6] ∧ y in [3, 7] --> discard
  x in [0, 2] ∧ y in [1, 4] --> discard
  x in [3, 8] ∧ y in [6, 6] --> accept
  x in [0, 9] ∧ y in [0, 9] --> accept
First Match: Apply to each packet the decision of the first rule that the packet matches.
F accepts packet (x = 0, y = 6)
F discards packet (x = 0, y = 4)

8 A Discard Property P
P is of the form:
  x in [ax, bx] ∧ y in [ay, by] --> discard
P specifies a set of packets that should be discarded by the firewall.
For example, the discard property
  x in [0, 5] ∧ y in [6, 8] --> discard
states that the packets (0, 6), (0, 7), (0, 8), (1, 6), (1, 7), (1, 8), ... should be discarded.

9 Satisfiability
A firewall F satisfies a discard property P iff F discards every packet that matches the predicate of P.
For example, firewall
  x in [1, 6] ∧ y in [3, 7] --> discard
  x in [0, 9] ∧ y in [0, 9] --> accept
satisfies property
  x in [1, 2] ∧ y in [5, 5] --> discard

10 Firewall Verification Problem
Design an algorithm that takes a firewall F and a discard property P and determines whether F satisfies P.

11 Complexity of Verification Algorithms
F has d fields and n rules, where d = 5 and n = 2,000
- [Liu and Gouda 2004, 2007], [Al-Shaer 2007]: time and space are O(n^d)
- [Acharya and Gouda 2009], Probabilistic Verification: time and space are O(nd)
- [Acharya and Gouda 2010], Deterministic Verification: time is O(n^(d+1)), space is O(nd)

12 Overview of our New Algorithm
If every Y_i is (AS_i accepts no packets) then F satisfies P, else F does not satisfy P

13 Projection
Firewall F:
  x in [1, 6] ∧ y in [3, 7] --> discard
  x in [0, 2] ∧ y in [1, 4] --> discard
  x in [3, 8] ∧ y in [6, 6] --> accept
  x in [0, 9] ∧ y in [0, 9] --> accept
Property P:
  x in [0, 5] ∧ y in [6, 8] --> discard
Projection F/P:
  x in [1, 5] ∧ y in [6, 7] --> discard
  x in [3, 5] ∧ y in [6, 6] --> accept
  x in [0, 5] ∧ y in [6, 8] --> accept

14 Theorem 1
A firewall F satisfies a discard property P iff the projection F/P accepts no packet.

15 If you are Lucky,
- If the first rule in F/P is accept, then F does not satisfy P; skip the rest of the algorithm
- If all rules in F/P are discard, then F satisfies P; skip the rest of the algorithm
Otherwise, you are not lucky and you need to execute the rest of the algorithm to check whether F/P accepts no packet.

16 Division
Let F be a firewall and P be a discard property.
The firewall F/P can be divided into k small firewalls, called accept slices of F/P and denoted AS_1, ..., AS_k.
Each accept slice AS_i consists of the i-th accept rule ar in F/P, preceded by all the discard rules that precede ar in F/P.

17 Division Example
F/P:
  x in [1, 5] ∧ y in [6, 7] --> discard
  x in [3, 5] ∧ y in [6, 6] --> accept
  x in [0, 5] ∧ y in [6, 8] --> accept
AS_1:
  x in [1, 5] ∧ y in [6, 7] --> discard
  x in [3, 5] ∧ y in [6, 6] --> accept
AS_2:
  x in [1, 5] ∧ y in [6, 7] --> discard
  x in [0, 5] ∧ y in [6, 8] --> accept

18 Theorem 2
Let F be a firewall and P be a discard property.
The firewall F/P accepts no packet iff none of the accept slices of F/P accepts a packet.

19 Reduction of AS_i
If the accept rule ar is covered by a discard rule in AS_i, then remove ar from AS_i. Now AS_i accepts no packets and there is no need to probe AS_i further.
Example AS_1:
  x in [1, 5] ∧ y in [6, 7] --> discard
  x in [3, 5] ∧ y in [6, 6] --> accept
Thus AS_1 accepts no packets.

20 Probing of AS_i
AS_2:
  x in [1, 5] ∧ y in [6, 7] --> discard
  x in [0, 5] ∧ y in [6, 8] --> accept
Compute sets Sx and Sy from AS_2: Sx = {0, 6}, Sy = {6, 8}
Compute all probe packets in Sx × Sy: (0, 6), (0, 8), (6, 6), (6, 8)
Check whether AS_2 accepts any of these probe packets.
AS_2 accepts (0, 6), and we conclude that F does not satisfy P.

21 Experiment Results I

22 Experiment Results II

23 Concluding Remarks
Complexity of this algorithm:
- Time is O(n^(d+1))
- Space is O(nd)
This complexity is the best that can be achieved, as discussed later.
Three elegant ideas (projection, division, probing) can be used in other algorithms to analyze firewalls.

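The projection, division, reduction and probing steps above, run end to end on the slides' firewall F and property P. This is an added example, not code from the presentation or the paper. The slides give the probe sets for AS_2 but not the rule that produces them; the code assumes each set holds the accept rule's lower bound plus (upper bound + 1) of every discard rule, which reproduces Sx = {0, 6} and Sy = {6, 8}. All function names are hypothetical, and the rule representation generalizes to any number of fields.

```python
from itertools import product

ACCEPT, DISCARD = "accept", "discard"

def matches(rule, pkt):
    """A rule is (intervals, decision); intervals holds one (lo, hi) per field."""
    return all(lo <= v <= hi for (lo, hi), v in zip(rule[0], pkt))

def first_match(firewall, pkt):
    """Decision of the first rule the packet matches, or None if no rule matches."""
    for rule in firewall:
        if matches(rule, pkt):
            return rule[1]
    return None

def project(firewall, prop):
    """F/P: clip every rule to the property's predicate, drop rules that become empty."""
    projected = []
    for intervals, decision in firewall:
        clipped = tuple((max(lo, plo), min(hi, phi))
                        for (lo, hi), (plo, phi) in zip(intervals, prop[0]))
        if all(lo <= hi for lo, hi in clipped):
            projected.append((clipped, decision))
    return projected

def accept_slices(projected):
    """Yield AS_1..AS_k one at a time: an accept rule preceded by the discards above it."""
    discards = []
    for rule in projected:
        if rule[1] == ACCEPT:
            yield discards + [rule]
        else:
            discards.append(rule)

def is_covered(accept_slice):
    """Reduction step: True if a single discard rule contains the slice's accept rule."""
    *discards, accept_rule = accept_slice
    return any(all(dlo <= alo and ahi <= dhi
                   for (dlo, dhi), (alo, ahi) in zip(d[0], accept_rule[0]))
               for d in discards)

def probe_sets(accept_slice):
    """Assumed rule: per field, accept lower bound plus (upper bound + 1) of each discard."""
    *discards, accept_rule = accept_slice
    return [sorted({alo} | {d[0][i][1] + 1 for d in discards})
            for i, (alo, _) in enumerate(accept_rule[0])]

def accepted_probe(accept_slice):
    """Return a probe packet that the slice accepts, or None if there is none."""
    if is_covered(accept_slice):
        return None
    for pkt in product(*probe_sets(accept_slice)):  # generated lazily, never stored
        if first_match(accept_slice, pkt) == ACCEPT:
            return pkt
    return None

def verify_discard(firewall, prop):
    """(True, None) if the firewall satisfies the discard property, else (False, witness).

    The two "lucky" shortcuts fall out of the loop: a leading accept rule forms a
    slice whose only probe is its lower corner, and an all-discard F/P has no slices.
    """
    for accept_slice in accept_slices(project(firewall, prop)):
        witness = accepted_probe(accept_slice)
        if witness is not None:
            return False, witness
    return True, None

# Firewall F and discard property P from the slides (fields x, y).
F = [(((1, 6), (3, 7)), DISCARD),
     (((0, 2), (1, 4)), DISCARD),
     (((3, 8), (6, 6)), ACCEPT),
     (((0, 9), (0, 9)), ACCEPT)]
P = (((0, 5), (6, 8)), DISCARD)

if __name__ == "__main__":
    print(project(F, P))
    print(verify_discard(F, P))
```

The witness packet returned for a failed property is the concrete counterexample to hand to whoever owns the rule set.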
24 Firewall Verification and Redundancy Checking Are Equivalent
H. B. Acharya, M. G. Gouda, University of Texas at Austin {acharya,
INFOCOM

25 In This Paper
A firewall is a packet filter placed at the entry of a private network to decide which incoming packets are discarded or accepted.
Two problems related to analysis of firewalls:
- Verification
- Redundancy Checking
These two problems were thought to be independent.
But we show that they are equivalent: any algorithm that solves either problem with some complexity can solve the other with the same complexity.

26 Fields
The header of a packet has fields: x, y, ...
The value of each field is taken from an interval of nonnegative integers: x in [0, 9], y in [0, 9], ...
Each packet is defined by the value of each of its fields.
Example of a packet: (x = 0, y = 6) or (0, 6)

27 Firewall F
F is a sequence of rules:
  x in [1, 6] ∧ y in [3, 7] --> discard
  x in [0, 2] ∧ y in [1, 4] --> discard
  x in [3, 8] ∧ y in [6, 6] --> accept
  x in [0, 9] ∧ y in [0, 9] --> accept
First Match: Apply to each packet the decision of the first rule that the packet matches.
F accepts packet (x = 0, y = 6)
F discards packet (x = 0, y = 4)

28 Property r
r is of the form:
  x in [ax, bx] ∧ y in [ay, by] --> discard (or accept)
r specifies a set of packets that should be discarded (or accepted) by the firewall.
For example, the property
  x in [0, 5] ∧ y in [6, 8] --> discard
states that the packets (0, 6), (0, 7), (0, 8), (1, 6), (1, 7), (1, 8), ... should be discarded.

29 Satisfiability
Firewall F satisfies a discard (or accept) property r iff F discards (or accepts) every packet that matches the predicate of r.
For example, firewall
  x in [1, 6] ∧ y in [3, 7] --> discard
  x in [0, 9] ∧ y in [0, 9] --> accept
satisfies property
  x in [1, 2] ∧ y in [5, 5] --> discard

30 Firewall Verification Problem
Design an algorithm that takes as input firewall F and property r and determines whether F satisfies r.

31 Complexity of Verification Algorithms
F has d fields and n rules, usually d = 5 and n = 2,000
- [Liu and Gouda 2004, 2007], [Al-Shaer 2007]: time and space are O((2n)^d)
- [Acharya and Gouda 2009], Probabilistic Verification: time and space are O(nd)
- [Acharya and Gouda 2010], Deterministic Verification: time is O(n^(d+1)), space is O(nd)

32 Firewall Equivalence
Two firewalls F and F' are equivalent iff they accept the same set of packets and discard the same set of packets.
For example, firewall F:
  x in [1, 6] ∧ y in [3, 7] --> discard
  x in [0, 9] ∧ y in [0, 9] --> accept
and firewall F':
  x in [1, 3] ∧ y in [3, 7] --> discard
  x in [2, 6] ∧ y in [3, 7] --> discard
  x in [0, 9] ∧ y in [0, 9] --> accept
are equivalent.

33 Redundant Rules
A rule r in a firewall F is redundant iff the two firewalls F and F-r are equivalent, where F-r is firewall F after removing rule r from it.
For example, the first rule in the following firewall is redundant:
  x in [7, 8] ∧ y in [9, 9] --> accept
  x in [1, 6] ∧ y in [3, 7] --> discard
  x in [0, 9] ∧ y in [0, 9] --> accept

34 Firewall Redundancy Checking Problem
Design an algorithm that takes as input firewall F and rule r in F and determines whether r is redundant in F.

35 Our Main Result
The two problems
- Firewall Verification
- Firewall Redundancy Checking
are equivalent: any algorithm that solves either problem with some complexity can solve the other problem with the same complexity.
Use our 2010 firewall verification algorithm, whose time is O(n^(d+1)) and space is O(nd), to solve both problems.

36 Using Verification in Redundancy Checking
Complexity of the redundancy checking part is not higher than that of the verification part.

37 Using Redundancy Checking in Verification
Complexity of the verification part is not higher than that of the redundancy checking part.

38 Conjecture
The firewall verification problem and the redundancy checking problem can both be generalized.
We believe that the two generalized problems are also equivalent.
But we have not yet worked out the details.

39 Concluding Remarks
Only one of two problems, firewall verification and firewall redundancy checking, needs to remain as an intellectual challenge.
We suggest that this problem be the firewall verification problem, since we have an excellent solution for it [Acharya and Gouda in ICDCS 2010].
Any progress that is made in solving the firewall verification problem can be mirrored in solving the other problem.

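The two directions of the equivalence, checked on the slides' own firewalls. This is an added example, not code from the presentation or the paper. Turning a verification question into a redundancy question uses the construction the slides give for Firewall-Redundancy-Discard (place the property at the top of the firewall as a rule); the opposite construction in `redundant_via_verification` is an assumption derived here from the definitions of redundancy and first match, since the slides do not spell it out. The verifier and redundancy checker are reference implementations by enumeration over the [0, 9] × [0, 9] domain, and every function name is hypothetical.

```python
from itertools import product

ACCEPT, DISCARD = "accept", "discard"
FLIP = {ACCEPT: DISCARD, DISCARD: ACCEPT}
DOMAIN = ((0, 9), (0, 9))  # intervals of fields x and y, as on the slides

def decide(firewall, pkt):
    """First match: decision of the first matching rule, None if the packet is ignored."""
    for intervals, decision in firewall:
        if all(lo <= v <= hi for (lo, hi), v in zip(intervals, pkt)):
            return decision
    return None

def packets(intervals=DOMAIN):
    """Every packet whose fields lie in the given intervals."""
    return product(*(range(lo, hi + 1) for lo, hi in intervals))

def satisfies(firewall, prop):
    """Reference verifier: every packet matching prop's predicate gets prop's decision."""
    intervals, decision = prop
    return all(decide(firewall, p) == decision for p in packets(intervals))

def equivalent(f1, f2):
    """Same accepted set and same discarded set over the whole domain."""
    return all(decide(f1, p) == decide(f2, p) for p in packets())

def redundant_by_definition(firewall, i):
    """Rule i is redundant iff F and F minus rule i are equivalent."""
    return equivalent(firewall, firewall[:i] + firewall[i + 1:])

def redundant_via_verification(firewall, i, verifier=satisfies):
    """Redundancy check answered by one call to a verifier (assumed construction).

    Only packets whose first match is rule i can change when it is removed. Rules
    above rule i are rewritten to rule i's decision so the packets they shadow pass
    trivially; the rules below keep their decisions; a final catch-all with the
    opposite decision turns a packet that nothing else matches into a violation.
    """
    intervals, decision = firewall[i]
    above = [(ivs, decision) for ivs, _ in firewall[:i]]
    g = above + firewall[i + 1:] + [(intervals, FLIP[decision])]
    return verifier(g, (intervals, decision))

def satisfies_via_redundancy(firewall, prop, checker=redundant_by_definition):
    """Verification answered by one call to a redundancy checker.

    The property is placed at the top of the firewall as a rule; it is redundant
    there exactly when the firewall already decides all of its packets that way.
    """
    return checker([prop] + firewall, 0)

# Firewalls and properties taken from the slides.
F = [(((1, 6), (3, 7)), DISCARD), (((0, 2), (1, 4)), DISCARD),
     (((3, 8), (6, 6)), ACCEPT), (((0, 9), (0, 9)), ACCEPT)]
F_A = [(((1, 6), (3, 7)), DISCARD), (((0, 9), (0, 9)), ACCEPT)]
F_B = [(((1, 3), (3, 7)), DISCARD), (((2, 6), (3, 7)), DISCARD),
       (((0, 9), (0, 9)), ACCEPT)]
R = [(((7, 8), (9, 9)), ACCEPT), (((1, 6), (3, 7)), DISCARD),
     (((0, 9), (0, 9)), ACCEPT)]
P = (((0, 5), (6, 8)), DISCARD)
P_OK = (((1, 2), (5, 5)), DISCARD)

if __name__ == "__main__":
    print("F_A equivalent to F_B:", equivalent(F_A, F_B))
    print("redundant rules in R:",
          [redundant_via_verification(R, i) for i in range(len(R))])
    print("F satisfies P:", satisfies_via_redundancy(F, P))
```

Both wrappers take the underlying checker as a parameter, so a faster verifier can replace the enumeration without changing the constructions.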
40 Hardness of Firewall Analysis
E. S. Elmallah (1) and M. G. Gouda (2)
(1) University of Alberta
(2) University of Texas at Austin
NETYS

41 In This Paper
A firewall is a packet filter placed at the entry of a private network to decide which incoming packets are discarded or accepted.
In this paper:
- Discuss how to specify firewalls and their properties
- Identify 13 problems related to firewall analysis
- Show that these problems are all NP-hard

42 Fields
The header of a packet has fields: x, y, ...
The value of each field is taken from an interval of nonnegative integers: x in [0, 9], y in [0, 9], ...
Each packet is defined by the value of each of its fields.
Example of a packet: (x = 0, y = 6) or (0, 6)

43 Firewall F
F is a sequence of rules:
  x in [1, 6] ∧ y in [3, 7] --> discard
  x in [0, 2] ∧ y in [1, 4] --> discard
  x in [3, 8] ∧ y in [6, 6] --> accept
  x in [0, 9] ∧ y in [0, 9] --> accept
First Match: Apply to each packet the decision, discard or accept, of the first rule whose predicate matches the packet.
F accepts packet (x = 0, y = 6)
F discards packet (x = 0, y = 4)

44 A Discard or Accept Property P of F
A discard P is of the form:
  x in [ax, bx] ∧ y in [ay, by] --> discard
P specifies the set of packets that should be discarded by firewall F.
An accept P is of the form:
  x in [ax, bx] ∧ y in [ay, by] --> accept
P specifies the set of packets that should be accepted by firewall F.
For example, the discard property
  x in [0, 5] ∧ y in [6, 8] --> discard
states that the packets (0, 6), (0, 7), (0, 8), (1, 6), (1, 7), (1, 8), ... should be discarded by F.

45 Satisfiability
Firewall F satisfies a discard property P iff F discards every packet that matches the predicate of P.
Firewall F satisfies an accept property P iff F accepts every packet that matches the predicate of P.
For example, firewall
  x in [1, 6] ∧ y in [3, 7] --> discard
  x in [0, 9] ∧ y in [0, 9] --> accept
satisfies discard property
  x in [1, 2] ∧ y in [5, 5] --> discard

46 Slice-Probing-Discard
Discard Slice:
  <predicate 1> --> accept
  ...
  <predicate (n-1)> --> accept
  <ALL predicate> --> discard
Problem: Design an algorithm that determines for any discard slice S whether S discards one packet.
This problem is NP-hard by (polynomial) translation from the NP-hard problem of 3-SAT.

47 Slice-Probing-Accept
Accept Slice:
  <predicate 1> --> discard
  ...
  <predicate (n-1)> --> discard
  <ALL predicate> --> accept
Problem: Design an algorithm that determines for any accept slice S whether S accepts a packet.
This problem is NP-hard by translation from the NP-hard problem of Slice-Probing-Discard. (Replace each discard by accept and vice versa.)

48 Firewall-Adequacy-Discard
Problem: Design an algorithm that determines for any firewall F whether F discards a packet.
This problem is NP-hard by translation from the NP-hard problem of Slice-Probing-Discard. (View the discard slice as a firewall.)

49 Firewall-Adequacy-Accept
Problem: Design an algorithm that determines for any firewall F whether F accepts a packet.
This problem is NP-hard by translation from the NP-hard problem of Firewall-Adequacy-Discard. (Replace each discard by accept and vice versa.)

50 Firewall-Completeness
Problem: Design an algorithm that determines for any firewall F whether F ignores (i.e. neither discards nor accepts) a packet.
This problem is NP-hard by translation from the NP-hard problem of Slice-Probing-Discard. (View the discard slice minus its last rule as a firewall.)

51 Firewall-Verification-Discard
Problem: Design an algorithm that determines for any firewall F and any discard property pp whether F satisfies pp.
This problem is NP-hard by translation from the NP-hard problem of Slice-Probing-Accept. (View the accept slice as a firewall and view the ALL discard property as a discard property.)

52 Firewall-Verification-Accept
Problem: Design an algorithm that determines for any firewall F and any accept property pp whether F satisfies pp.
This problem is NP-hard by translation from the NP-hard problem of Firewall-Verification-Discard. (Replace each discard by accept and vice versa.)

53 Firewall-Implication-Discard
Problem: Design an algorithm that determines for any two firewalls F1 and F2 whether every packet that is discarded by F1 is discarded by F2.
This problem is NP-hard by translation from the NP-hard problem of Firewall-Verification-Discard. (View the firewall and the discard property as two firewalls.)

54 Firewall-Implication-Accept
Problem: Design an algorithm that determines for any two firewalls F1 and F2 whether every packet that is accepted by F1 is accepted by F2.
This problem is NP-hard by translation from the NP-hard problem of Firewall-Implication-Discard. (Replace each discard by accept and vice versa.)

55 Firewall-Redundancy-Discard
Problem: Design an algorithm that determines for any firewall F and any discard rule dr in F whether the two firewalls F and F-{dr} discard the same set of packets.
This problem is NP-hard by translation from the NP-hard problem of Firewall-Verification-Discard. (View the discard property as a discard rule and place it at the top of the firewall.)

56 Firewall-Redundancy-Accept
Problem: Design an algorithm that determines for any firewall F and any accept rule ar in F whether the two firewalls F and F-{ar} accept the same set of packets.
This problem is NP-hard by translation from the NP-hard problem of Firewall-Redundancy-Discard. (Replace each discard by accept and vice versa.)

57 Firewall-Equivalence-Discard
Problem: Design an algorithm that determines for any two firewalls F1 and F2 whether F1 and F2 discard the same set of packets.
This problem is NP-hard by translation from the NP-hard problem of Firewall-Redundancy-Discard. (View the firewall and the firewall minus the discard rule as two firewalls.)

58 Firewall-Equivalence-Accept
Problem: Design an algorithm that determines for any two firewalls F1 and F2 whether F1 and F2 accept the same set of packets.
This problem is NP-hard by translation from the NP-hard problem of Firewall-Equivalence-Discard. (Replace each discard by accept and vice versa.)

59 Where We Go from Here
- Use SAT-Solvers
- Adopt Integer Fields
- Accept Probabilistic Solutions
More informationA Simple Inventory System
A Simple Inventory System Section 1.3 Discrete-Event Simulation: A First Course Section 1.3: A Simple Inventory System customers. demand items.. facility. order items.. supplier Distributes items from
More informationCenter for Teacher Certification Austin Community College
TAKS Exit Exam 120 Problems to Success in Mathematics Tutors with Vision Project Center for Teacher Certification Austin Community College Abel L. Villarreal, mathematics teacher, learned long ago that
More informationJUST THE MATHS UNIT NUMBER 1.8. ALGEBRA 8 (Polynomials) A.J.Hobson
JUST THE MATHS UNIT NUMBER 1.8 ALGEBRA 8 (Polynomials) by A.J.Hobson 1.8.1 The factor theorem 1.8.2 Application to quadratic and cubic expressions 1.8.3 Cubic equations 1.8.4 Long division of polynomials
More information1 Formulating The Low Degree Testing Problem
6.895 PCP and Hardness of Approximation MIT, Fall 2010 Lecture 5: Linearity Testing Lecturer: Dana Moshkovitz Scribe: Gregory Minton and Dana Moshkovitz In the last lecture, we proved a weak PCP Theorem,
More informationFormal Verification and Linear-time Model Checking
Formal Verification and Linear-time Model Checking Paul Jackson University of Edinburgh Automated Reasoning 21st and 24th October 2013 Why Automated Reasoning? Intellectually stimulating and challenging
More informationReal Roots of Univariate Polynomials with Real Coefficients
Real Roots of Univariate Polynomials with Real Coefficients mostly written by Christina Hewitt March 22, 2012 1 Introduction Polynomial equations are used throughout mathematics. When solving polynomials
More informationOrthogonal Projections and Orthonormal Bases
CS 3, HANDOUT -A, 3 November 04 (adjusted on 7 November 04) Orthogonal Projections and Orthonormal Bases (continuation of Handout 07 of 6 September 04) Definition (Orthogonality, length, unit vectors).
More informationConflict Classification and Analysis of Distributed Firewall Policies
Conflict Classification and Analysis of Distributed Firewall Policies 1 Ehab Al-Shaer and Hazem Hamed School of Computer Science DePaul University, Chicago, USA Email: {ehab, hhamed}@cs.depaul.edu Raouf
More informationPrivate Approximation of Clustering and Vertex Cover
Private Approximation of Clustering and Vertex Cover Amos Beimel, Renen Hallak, and Kobbi Nissim Department of Computer Science, Ben-Gurion University of the Negev Abstract. Private approximation of search
More informationIntroduction to Logic in Computer Science: Autumn 2006
Introduction to Logic in Computer Science: Autumn 2006 Ulle Endriss Institute for Logic, Language and Computation University of Amsterdam Ulle Endriss 1 Plan for Today Now that we have a basic understanding
More informationDISTRIBUTED FIREWALLS AND IDS INTEROPERABILITY CHECKING BASED ON A FORMAL APPROACH
DISTRIBUTED FIREWALLS AND IDS INTEROPERABILITY CHECKING BASED ON A FORMAL APPROACH Kamel Karoui 1, Fakher Ben Ftima 2 and Henda Ben Ghezala 3 1 RIADI, ENSI, University of Manouba, Manouba, Tunisia kamel.karoui@insat.rnu.tn
More informationPolynomials. Dr. philippe B. laval Kennesaw State University. April 3, 2005
Polynomials Dr. philippe B. laval Kennesaw State University April 3, 2005 Abstract Handout on polynomials. The following topics are covered: Polynomial Functions End behavior Extrema Polynomial Division
More informationPage 1. CSCE 310J Data Structures & Algorithms. CSCE 310J Data Structures & Algorithms. P, NP, and NP-Complete. Polynomial-Time Algorithms
CSCE 310J Data Structures & Algorithms P, NP, and NP-Complete Dr. Steve Goddard goddard@cse.unl.edu CSCE 310J Data Structures & Algorithms Giving credit where credit is due:» Most of the lecture notes
More informationExponential time algorithms for graph coloring
Exponential time algorithms for graph coloring Uriel Feige Lecture notes, March 14, 2011 1 Introduction Let [n] denote the set {1,..., k}. A k-labeling of vertices of a graph G(V, E) is a function V [k].
More informationHow To Teach Math
Mathematics K-12 Mathematics Introduction The Georgia Mathematics Curriculum focuses on actively engaging the students in the development of mathematical understanding by using manipulatives and a variety
More informationWhy? A central concept in Computer Science. Algorithms are ubiquitous.
Analysis of Algorithms: A Brief Introduction Why? A central concept in Computer Science. Algorithms are ubiquitous. Using the Internet (sending email, transferring files, use of search engines, online
More informationInteger Factorization using the Quadratic Sieve
Integer Factorization using the Quadratic Sieve Chad Seibert* Division of Science and Mathematics University of Minnesota, Morris Morris, MN 56567 seib0060@morris.umn.edu March 16, 2011 Abstract We give
More informationSERVING as the first line of defense against malicious
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 20, NO. X, XXX 2009 1 Firewall Policy Queries Alex X. Liu, Member, IEEE, and Mohamed G. Gouda, Member, IEEE Abstract Firewalls are crucial elements
More informationWhy Product of Probabilities (Masses) for Independent Events? A Remark
Why Product of Probabilities (Masses) for Independent Events? A Remark Vladik Kreinovich 1 and Scott Ferson 2 1 Department of Computer Science University of Texas at El Paso El Paso, TX 79968, USA, vladik@cs.utep.edu
More informationFactoring Algorithms
Institutionen för Informationsteknologi Lunds Tekniska Högskola Department of Information Technology Lund University Cryptology - Project 1 Factoring Algorithms The purpose of this project is to understand
More informationThe Online Set Cover Problem
The Online Set Cover Problem Noga Alon Baruch Awerbuch Yossi Azar Niv Buchbinder Joseph Seffi Naor ABSTRACT Let X = {, 2,..., n} be a ground set of n elements, and let S be a family of subsets of X, S
More informationManagement of Exceptions on Access Control Policies
Management of Exceptions on Access Control Policies J. G. Alfaro 1,2, F. Cuppens 1, and N. Cuppens-Boulahia 1 1 GET/ENST-Bretagne, 35576 Cesson Sévigné - France, {frederic.cuppens,nora.cuppens}@enst-bretagne.fr
More informationStiffie's On Line Scheduling Algorithm
A class of on-line scheduling algorithms to minimize total completion time X. Lu R.A. Sitters L. Stougie Abstract We consider the problem of scheduling jobs on-line on a single machine and on identical
More informationFirewall Design: Consistency, Completeness, and Compactness
C IS COS YS TE MS Firewall Design: Consistency, Completeness, an Compactness Mohame G. Goua an Xiang-Yang Alex Liu Department of Computer Sciences The University of Texas at Austin Austin, Texas 78712-1188,
More informationThe degree of a polynomial function is equal to the highest exponent found on the independent variables.
DETAILED SOLUTIONS AND CONCEPTS - POLYNOMIAL FUNCTIONS Prepared by Ingrid Stewart, Ph.D., College of Southern Nevada Please Send Questions and Comments to ingrid.stewart@csn.edu. Thank you! PLEASE NOTE
More informationRigorous Software Development CSCI-GA 3033-009
Rigorous Software Development CSCI-GA 3033-009 Instructor: Thomas Wies Spring 2013 Lecture 11 Semantics of Programming Languages Denotational Semantics Meaning of a program is defined as the mathematical
More informationLinear Programming. Widget Factory Example. Linear Programming: Standard Form. Widget Factory Example: Continued.
Linear Programming Widget Factory Example Learning Goals. Introduce Linear Programming Problems. Widget Example, Graphical Solution. Basic Theory:, Vertices, Existence of Solutions. Equivalent formulations.
More informationRevised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)
Chapter 23 Squares Modulo p Revised Version of Chapter 23 We learned long ago how to solve linear congruences ax c (mod m) (see Chapter 8). It s now time to take the plunge and move on to quadratic equations.
More information3.3. Solving Polynomial Equations. Introduction. Prerequisites. Learning Outcomes
Solving Polynomial Equations 3.3 Introduction Linear and quadratic equations, dealt within Sections 3.1 and 3.2, are members of a class of equations, called polynomial equations. These have the general
More informationFactoring & Primality
Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount
More informationTesting LTL Formula Translation into Büchi Automata
Testing LTL Formula Translation into Büchi Automata Heikki Tauriainen and Keijo Heljanko Helsinki University of Technology, Laboratory for Theoretical Computer Science, P. O. Box 5400, FIN-02015 HUT, Finland
More informationMathematics Review for MS Finance Students
Mathematics Review for MS Finance Students Anthony M. Marino Department of Finance and Business Economics Marshall School of Business Lecture 1: Introductory Material Sets The Real Number System Functions,
More informationOffline sorting buffers on Line
Offline sorting buffers on Line Rohit Khandekar 1 and Vinayaka Pandit 2 1 University of Waterloo, ON, Canada. email: rkhandekar@gmail.com 2 IBM India Research Lab, New Delhi. email: pvinayak@in.ibm.com
More informationChapter 11. 11.1 Load Balancing. Approximation Algorithms. Load Balancing. Load Balancing on 2 Machines. Load Balancing: Greedy Scheduling
Approximation Algorithms Chapter Approximation Algorithms Q. Suppose I need to solve an NP-hard problem. What should I do? A. Theory says you're unlikely to find a poly-time algorithm. Must sacrifice one
More informationPUTNAM TRAINING POLYNOMIALS. Exercises 1. Find a polynomial with integral coefficients whose zeros include 2 + 5.
PUTNAM TRAINING POLYNOMIALS (Last updated: November 17, 2015) Remark. This is a list of exercises on polynomials. Miguel A. Lerma Exercises 1. Find a polynomial with integral coefficients whose zeros include
More informationModel Checking Firewall Policy Configurations
29 IEEE IEEE International Symposium on Policies on Policy for for Distributed Systems and and Networks Model Checking Firewall Policy Configurations Alan Jeffrey Security Research Department Bell Labs,
More information