Paper title

A Machine Learning-based Approach to Build Zero False-Positive IPSs for Industrial IoT and CPS with a Case Study on Power Grids Security

Paper authors

Mohammad Sayad Haghighi, Faezeh Farivar

Paper abstract

Intrusion Prevention Systems (IPS) have long been the first layer of defense against malicious attacks. Most sensitive systems employ instances of them (e.g. firewalls) to secure the network perimeter and filter out attacks or unwanted traffic. A firewall, similar to classifiers, has a boundary to decide which traffic sample is normal and which one is not. This boundary is defined by configuration and is managed by a set of rules which occasionally might also filter normal traffic by mistake. However, for some applications, any interruption of the normal operation is not tolerable, e.g. in power plants, water distribution systems, gas or oil pipelines, etc. In this paper, we design a learning firewall that receives labelled samples and configures itself automatically by writing preventive rules in a conservative way that avoids false alarms. We design a new family of classifiers, called $\mathfrak{z}$-classifiers, that unlike the traditional ones which merely target accuracy, rely on zero false-positive as the metric for decision making. First, we analytically show why naive modification of current classifiers like SVM does not yield acceptable results and then propose a generic iterative algorithm to accomplish this goal. We use the proposed classifier with CART at its heart to build a firewall for a Power Grid Monitoring System. To further evaluate the algorithm, we additionally test it on the KDD CUP'99 dataset. The results confirm the effectiveness of our approach.
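The abstract contrasts an accuracy-driven classifier with one that uses zero false positives as its decision criterion, and says the firewall writes preventive rules conservatively on top of CART. The following is an added illustration of that contrast, not the paper's $\mathfrak{z}$-classifier algorithm (which the abstract does not detail): a small hand-rolled CART is grown on a constructed two-feature data set (packets per second, payload bytes; all values are made up), and BLOCK rules are then extracted from its leaves in two ways. The accuracy-driven extraction blocks every leaf where attacks are the majority; the conservative extraction blocks only leaves that contain no normal sample at all. The feature names, the data and the depth limit are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Sample = Tuple[float, float, int]  # (pps, payload_bytes, label); 1 = attack, 0 = normal
FEATURES = ["pps", "payload_bytes"]

# Constructed training set (not from the paper). Nine normal flows, four flood
# attacks with a very high packet rate, and three large-payload attacks that
# overlap with one legitimate bulk transfer (75 pps, 980 bytes).
TRAIN: List[Sample] = [
    (10, 100, 0), (20, 110, 0), (30, 120, 0), (40, 130, 0),
    (50, 140, 0), (60, 150, 0), (70, 160, 0), (80, 170, 0),
    (75, 980, 0),                                             # legitimate bulk transfer
    (500, 50, 1), (600, 40, 1), (700, 30, 1), (800, 20, 1),   # flood
    (45, 900, 1), (55, 950, 1), (65, 1000, 1),                # large-payload attacks
]


def gini(rows: List[Sample]) -> float:
    """Gini impurity of a node; 0.0 means the node is pure."""
    if not rows:
        return 0.0
    p = sum(r[2] for r in rows) / len(rows)
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


@dataclass
class Node:
    feature: Optional[int] = None
    threshold: Optional[float] = None
    left: Optional["Node"] = None
    right: Optional["Node"] = None
    rows: Optional[List[Sample]] = None  # set only on leaves


def best_split(rows: List[Sample]):
    """Greedy CART split: the (feature, threshold) with the lowest weighted Gini.
    Only splits that strictly reduce impurity are accepted; ties keep the first."""
    best = (None, None, gini(rows))
    n = len(rows)
    for f in range(len(FEATURES)):
        values = sorted({r[f] for r in rows})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [r for r in rows if r[f] <= t]
            right = [r for r in rows if r[f] > t]
            score = len(left) / n * gini(left) + len(right) / n * gini(right)
            if score < best[2]:
                best = (f, t, score)
    return best


def grow(rows: List[Sample], depth: int, max_depth: int) -> Node:
    """Recursively grow a depth-limited CART tree."""
    if depth == max_depth or gini(rows) == 0.0:
        return Node(rows=rows)
    f, t, _ = best_split(rows)
    if f is None:
        return Node(rows=rows)
    return Node(feature=f, threshold=t,
                left=grow([r for r in rows if r[f] <= t], depth + 1, max_depth),
                right=grow([r for r in rows if r[f] > t], depth + 1, max_depth))


def leaves(node: Node, path=()):
    """Yield (conditions, rows) for every leaf; a condition is (feature, op, threshold)."""
    if node.rows is not None:
        yield path, node.rows
        return
    yield from leaves(node.left, path + ((node.feature, "<=", node.threshold),))
    yield from leaves(node.right, path + ((node.feature, ">", node.threshold),))


def block_rules(tree: Node, conservative: bool):
    """BLOCK rules a firewall would load from the tree.
    conservative=False: block leaves where attacks are the majority (accuracy-driven).
    conservative=True : block only leaves holding no normal sample, so the rule set
                        produces zero false positives on the training data."""
    rules = []
    for path, rows in leaves(tree):
        attacks = sum(r[2] for r in rows)
        normals = len(rows) - attacks
        keep = (normals == 0 and attacks > 0) if conservative else (attacks > normals)
        if keep:
            rules.append(path)
    return rules


def matches(rule, s: Sample) -> bool:
    return all((s[f] <= t) if op == "<=" else (s[f] > t) for f, op, t in rule)


def evaluate(rules, rows: List[Sample]) -> Tuple[int, int]:
    """(false positives, attacks blocked) of a rule set over labelled rows."""
    blocked = [r for r in rows if any(matches(rule, r) for rule in rules)]
    fp = sum(1 for r in blocked if r[2] == 0)
    tp = sum(1 for r in blocked if r[2] == 1)
    return fp, tp


def rule_text(rule) -> str:
    return " and ".join(f"{FEATURES[f]} {op} {t:g}" for f, op, t in rule)


if __name__ == "__main__":
    tree = grow(TRAIN, 0, max_depth=2)
    for name, conservative in (("accuracy-driven", False), ("zero-FP", True)):
        rules = block_rules(tree, conservative)
        fp, tp = evaluate(rules, TRAIN)
        print(f"{name}: false positives={fp}, attacks blocked={tp}/7")
        for rule in rules:
            print("  BLOCK if", rule_text(rule))
```

On this data the depth-2 tree splits on pps first (isolating the flood) and then on payload_bytes, leaving one impure leaf that holds the three large-payload attacks together with the legitimate bulk transfer. The accuracy-driven rule set blocks that leaf too, catching all seven attacks at the cost of one false positive; the conservative rule set loads only `pps > 290`, blocks four of seven attacks and never touches normal traffic, which is the trade the abstract argues a control-system firewall must make. The paper's contribution is in how to recover coverage under that constraint, which this toy pruning does not attempt.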
