Remind that an anomaly in a securit

Remind that an anomaly in a security policy of a firewall is
defined as the existence of two or more filtering rules matching
the same packet. From this basic definition, and as noted
in [16], several related work has categorized different types of
firewall policy anomalies [17], [7], [18]. On the basis of theses
classifications, typically encountered firewall policy anomalies
types were defined and which are: shadowing, generalization,
correlation and redundancy. A complete study of anomaly
detection by our automata-based approach is our objective in
a near future. Nevertheless, we propose here to illustrate how
our automata-based modeling approach can be used to:
• detect anomalies in general, i.e. without determining
their category;
• detect one of the above mentioned anomalies, namely
shadowing anomaly.
1 ) H o w to d e te c t a n a n o m a ly in ge n e ra l: From Prop. 1,
we deduce the following proposition to detect the existence of
an anomaly in a security policy:
P ro p o si t i o n 3 : A security policy defined by n filtering
rules contains an anomaly if and only if the automaton B has
at least one reachable final state that contains two or more qim,
for example (E1 , E2, q34, E4, q54).
For example, the security policy of Section V contains
several anomalies, because the automaton of Figure 3 has
several reachable final states with two or three qim, such as
(E1 , E2, q34, E4, q54).
Note that those anomalies are not necessarily faults, the
objective of their detection is just to draw the attention of the
designer who will decide if they are undesirable or not.