Ontology-based Security Policy Translation

The security configuration of large networked ICT systems is a difficult and error-prone task. Quite often attacks are enabled by mis-configurations generated by human errors. Policybased network management has been proposed to cope with this problem: goals are expressed as high-level rules that are then translated into low-level configurations for network devices. While the concept is clear, there is a lack of tools supporting this strategy. We propose an ontology-based policy translation approach that mimics the behaviour of expert administrators, without their mistakes. Normally administrators are given the high-level security goals and then, through their knowledge of network topology and security best practice, derive the device configurations. In a similar way, we use an ontology to represent the domain knowledge and then perform reasoning (based on best practice rules) to create the configurations for network-level security controls (e.g., firewall and secure channels). If some information is missing from the ontology, the administrator is guided to provide the missing data. The configurations generated by our approach are represented in a vendor-independent format and therefore can be used with several kinds of devices.