Traffic access control policies play a critical role in the security and performance of computer networks. This proposal presents a theoretical foundation and practical techniques for studying the impact of policies on network security and performance. The first part of the proposal is a framework to validate end-to-end security properties across different security devices. Ideally, such a framework would enable the discovery of policy inconsistencies and security violations, and assist in correcting them. The second part of this proposal presents novel traffic-driven statistical policy optimization techniques that adapt the policy structure dynamically to minimize packet matching overhead and distribute the filtering load. Special effort has been taken to show that these techniques are efficient, robust, and practically deployable.
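As an added illustration (not part of the proposal), the following Python script shows, on a constructed five-rule policy and a constructed traffic sample, the two problems described above: a pairwise check for shadowed and redundant rules (one kind of policy inconsistency), and a traffic-driven reordering that moves frequently hit rules forward while keeping every overlapping pair of rules with conflicting actions in its original relative order, so that first-match decisions are unchanged. The rule names, CIDR blocks and traffic mix are assumptions for the example; the greedy dependency-preserving ordering is one simple instance of the statistical optimization idea, not the proposal's own algorithm.

```python
"""Added example: firewall policy anomaly check and traffic-driven rule reordering.
The policy, traffic and algorithm are constructed for illustration only."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR
    dst: str      # CIDR
    dports: tuple # (low, high), inclusive destination port range
    action: str   # "accept" or "deny"


# Constructed policy. R5 is never reachable: R1 denies its whole source range first.
RULES = [
    Rule("R1", "any", "10.1.0.0/16",     "0.0.0.0/0",      (0, 65535), "deny"),
    Rule("R2", "tcp", "192.168.10.0/24", "172.16.0.5/32",  (22, 22),   "accept"),
    Rule("R3", "tcp", "0.0.0.0/0",       "172.16.0.0/16",  (23, 23),   "deny"),
    Rule("R4", "tcp", "0.0.0.0/0",       "172.16.0.10/32", (80, 443),  "accept"),
    Rule("R5", "tcp", "10.1.2.0/24",     "172.16.0.10/32", (80, 80),   "accept"),
]

# Constructed traffic sample: (proto, src, dst, dport). Mostly web hits on R4,
# which sits at the bottom of the policy and is therefore expensive to reach.
TRAFFIC = (
    [("tcp", f"203.0.113.{i % 50 + 1}", "172.16.0.10", 80) for i in range(90)]
    + [("tcp", "192.168.10.7", "172.16.0.5", 22)] * 5
    + [("tcp", "10.1.5.5", "172.16.0.10", 80)] * 3
    + [("tcp", "198.51.100.9", "172.16.0.20", 23)] * 2
)


def overlaps(a, b):
    """True if some packet can match both rules (every field intersects)."""
    return ((a.proto == "any" or b.proto == "any" or a.proto == b.proto)
            and ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.dports[0] <= b.dports[1] and b.dports[0] <= a.dports[1])


def subset(a, b):
    """True if every packet matched by rule a is also matched by rule b."""
    return ((b.proto == "any" or a.proto == b.proto)
            and ip_network(a.src).subnet_of(ip_network(b.src))
            and ip_network(a.dst).subnet_of(ip_network(b.dst))
            and b.dports[0] <= a.dports[0] and a.dports[1] <= b.dports[1])


def find_anomalies(rules):
    """Pairwise inconsistency check: a later rule fully covered by an earlier one is
    shadowed (different action, never takes effect) or redundant (same action)."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if subset(later, earlier):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                found.append((kind, later.name, earlier.name))
    return found


def matches(rule, pkt):
    proto, src, dst, dport = pkt
    return (rule.proto in ("any", proto)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.dports[0] <= dport <= rule.dports[1])


def decide(rules, pkt, default="deny"):
    """First-match evaluation; returns (action, rules examined, matching rule name)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, n, rule.name
    return default, len(rules), None


def hit_counts(rules, traffic):
    return Counter(decide(rules, pkt)[2] for pkt in traffic)


def average_cost(rules, traffic):
    """Mean number of rules examined per packet: the matching overhead to minimize."""
    return sum(decide(rules, pkt)[1] for pkt in traffic) / len(traffic)


def reorder(rules, hits):
    """Greedy statistical reordering. Rule j depends on every earlier rule i that
    overlaps it with a different action; swapping such a pair would change decisions.
    Among rules whose dependencies are already placed, take the most-hit one."""
    deps = {j: {i for i in range(j)
                if overlaps(rules[i], rules[j]) and rules[i].action != rules[j].action}
            for j in range(len(rules))}
    placed, order = set(), []
    while len(order) < len(rules):
        ready = [j for j in range(len(rules)) if j not in placed and deps[j] <= placed]
        best = max(ready, key=lambda j: (hits[rules[j].name], -j))  # ties keep original order
        placed.add(best)
        order.append(rules[best])
    return order


def same_decisions(rules_a, rules_b, traffic):
    return all(decide(rules_a, p)[0] == decide(rules_b, p)[0] for p in traffic)


if __name__ == "__main__":
    print("anomalies:", find_anomalies(RULES))
    optimized = reorder(RULES, hit_counts(RULES, TRAFFIC))
    print("order:", [r.name for r in optimized])
    print("cost before/after:", average_cost(RULES, TRAFFIC), average_cost(optimized, TRAFFIC))
    print("decisions preserved:", same_decisions(RULES, optimized, TRAFFIC))
```

On this sample the check flags R5 as shadowed by R1 (and redundant with R4), and the reordering moves the web rule R4 ahead of the rarely hit telnet rule R3 but cannot move it above R1, because R1 denies part of R4's match space; the mean number of rules examined per packet drops from 3.79 to 2.89 with every packet still receiving the same verdict.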
We expect the results of this research to lay foundations for new research directions in policy verification and optimization. Moreover, the results can benefit other areas such as security testing and evaluation, anomaly detection, and network defense. Thus, in general, we expect this project to significantly improve both the enforcement and the performance of network security.