IEEE NetSoft2023 – new scientific publication for Numeryx


Written by Colas Bonvicini, 21 September 2023

As part of NUMERYX’s cybersecurity research, our CIFRE PhD students are carrying out research in Artificial Intelligence, High Performance Computing, Self Driven Network and Machine Learning.

The fruits of this research are not only used to enhance our products, but are also the subject of scientific publications.

The latest is from our PhD student Wafik Zahwa, which will be presented at the 9th IEEE International Conference on Network Softwarization (NetSoft2023), taking place June 19-23, 2023 in Madrid, Spain. IEEE NetSoft was created as a flagship conference to address the “Softwarization” of networks and systemic trends concerning the convergence of Cloud Computing, Software-Defined Networking (SDN), and Network Function Virtualization (NFV).

This year, the theme of the conference and the main objective of the NetSoft workshop is to integrate “Support for security, safety, trust and confidentiality in virtualized environments”.

We’re very proud to see new advances in this field, and so we’re presenting you with a simplified summary of what we’ve been working on.

Presented on the afternoon of June 19, 2023, Wafik’s presentation is part of Technical Session 3 – Security Automation, Configuration and Verification, in the “Automated Placement of In-Network ACL Rules” section.

What is the role of a firewall?

Imagine that your network is like a house, and the Internet is like a busy street outside. Now imagine that a firewall is a security guard or watchman standing at the entrance to your house, controlling who is allowed in and out.

Just as a security guard checks the identity and purpose of people entering a building, a firewall checks and monitors the flow of data in and out of your computer or network. It acts as a filter, letting safe, authorized data through, while blocking or alerting you to potentially harmful or unauthorized data.

How can we protect our network?

Packets on the Internet are initiated from a source and directed to a destination. So, to protect our network and ensure secure data transfer, a firewall must be installed on the switches between source and destination.

What’s more, there are several possible paths between a source and a destination, and it’s difficult to know which path a packet is taking. Consequently, the firewall must be installed on all paths between source and destination.

The growing number of network control requirements makes the firewall very large, while switch memory is often very limited and cannot hold the entire firewall.

We therefore propose to divide the firewall into sub-firewalls and distribute them over all the paths between source and destination.

In this direction, our first paper entitled “Automated Placement of In-Network ACL Rules” proposes three alternative algorithms based on graph theory and reinforcement learning to automatically distribute firewalls across network filtering devices.

These strategies are aimed not only at obtaining a valid solution, but also at minimizing the memory footprint of these devices.
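To make the notion of a "valid solution" concrete, here is an added example (not code from the paper or from NUMERYX) that checks a candidate distribution of rules: every path between source and destination must collectively hold every rule, and no switch may exceed its memory. The topology, rule names, capacities and function names are constructed for illustration, and the sketch assumes independent deny rules, so a packet is blocked as soon as any switch on its path holds the matching rule.

```python
# Assumption: rules are independent deny rules (no ordering between them).
# Topology, rule names and capacities below are constructed sample data.
GRAPH = {"src": ["s1"], "s1": ["s2", "s3"], "s2": ["dst"], "s3": ["dst"]}
RULES = {"r1", "r2", "r3", "r4"}
CAPACITY = {"s1": 2, "s2": 2, "s3": 2}  # max rules each switch can store

def simple_paths(graph, src, dst, seen=()):
    """Yield every loop-free path from src to dst (adjacency-dict graph)."""
    seen = seen + (src,)
    if src == dst:
        yield seen
        return
    for nxt in graph.get(src, ()):
        if nxt not in seen:
            yield from simple_paths(graph, nxt, dst, seen)

def check_placement(graph, src, dst, rules, placement, capacity):
    """Return a list of problems; an empty list means the placement is valid."""
    problems = []
    for switch, held in placement.items():
        limit = capacity.get(switch, 0)
        if len(held) > limit:
            problems.append(f"{switch}: {len(held)} rules exceed capacity {limit}")
    for path in simple_paths(graph, src, dst):
        # Union of the sub-firewalls met along this path.
        covered = set().union(*(placement.get(node, set()) for node in path))
        missing = set(rules) - covered
        if missing:
            problems.append(f"path {'->'.join(path)} misses {sorted(missing)}")
    return problems

def footprint(placement):
    """Total number of rule entries installed across all switches."""
    return sum(len(held) for held in placement.values())

# Whole firewall on every switch: covers all paths but does not fit in memory.
NAIVE = {s: set(RULES) for s in CAPACITY}
# Split firewall: shared switch s1 takes half, each branch takes the rest.
GOOD = {"s1": {"r1", "r2"}, "s2": {"r3", "r4"}, "s3": {"r3", "r4"}}
# Same split with one rule forgotten on the s3 branch.
BAD = {"s1": {"r1", "r2"}, "s2": {"r3", "r4"}, "s3": {"r3"}}

if __name__ == "__main__":
    for name, p in (("naive", NAIVE), ("good", GOOD), ("bad", BAD)):
        print(name, footprint(p), check_placement(GRAPH, "src", "dst", RULES, p, CAPACITY))
```

The split placement passes with 6 installed entries, while the forgotten rule on one branch is reported as an uncovered path: exactly the gap that "install on all paths" is meant to prevent.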

This is the first step in our research to create a self-directed network. In future work, we hope to exploit AI mechanisms to create and distribute firewalls in networks.


Through this article, we would like to thank Wafik Zahwa for his research work, the University of Lorraine and the Loria research laboratory, which is supervising this thesis with the Resist team, and Inria (Institut National pour la Recherche en Sciences et Technologie du Numérique) with two PhDs.
