Security on Top of Security: Detecting Malicious Firewall Policy Changes via K-Means Clustering

Mads Solberg Collingwood Pyke, Weizhi Meng*, Brooke Elizabeth Kidmose

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

Abstract

As a company grows, so does its infrastructure—especially its information technology (IT) infrastructure. Maintaining a transparent and manageable firewall policy during this period of rapid upscaling is nigh impossible. The situation is further complicated when multiple people—or even multiple teams—deploy and maintain these firewall policies. Different people often tackle a problem differently, developing different solutions, which, in turn, lead to different firewall policies. Inconsistencies in firewall policies are particularly problematic when it comes to updating, patching, and testing firewalls. Motivated by these issues, in this work, we collaborate with a telecommunications company and construct a web application that leverages machine learning to detect anomalies in firewall policies. The machine learning models can use firewall logs from internal firewalls, and, therefore, can learn the intricacies of traffic on a given network. The models can then predict the expected output from the network logs; anomalies can be identified if the expected values differ from the predicted values. In our evaluation, we collect data from the participating telecommunications company, implement our solution using the k-means clustering algorithm, and evaluate its performance against the collected data.
Original language: English
Title of host publication: Proceedings of the 5th International Conference on Machine Learning for Cyber Security (ML4CS 2023)
Volume: 14541
Publisher: Springer
Publication date: 2023
Pages: 145–162
ISBN (Print): 978-981-97-2457-4
ISBN (Electronic): 978-981-97-2458-1
DOIs
Publication status: Published - 2023
Event: The 5th International Conference on Machine Learning for Cyber Security - Yanuca Island, Fiji
Duration: 4 Dec 2023 to 6 Dec 2024

Conference

Conference: The 5th International Conference on Machine Learning for Cyber Security
Country/Territory: Fiji
City: Yanuca Island
Period: 04/12/2023 to 06/12/2024

Keywords

  • Network Security
  • Machine Learning
  • Firewall Policy
  • K-Means Clustering
  • Web Application
