Fault localization for firewall policies

Jee Hyun Hwang, Tao Xie, Fei Chen, Alex X. Liu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


Firewalls are the mainstay of enterprise security and the most widely adopted technology for protecting private networks. Ensuring the correctness of firewall policies through testing is important. In firewall policy testing, test inputs are packets and test outputs are decisions. Packets whose evaluated decisions are unexpected (expected) are classified as failed (passed) tests. Given failed tests together with passed tests, policy testers need to debug the policy to detect fault locations (such as faulty rules). This process is often time-consuming. To help reduce the effort of detecting fault locations, we propose an approach that reduces the number of rules to be inspected, based on information collected while evaluating failed tests. Our approach ranks the reduced rules to decide which rules should be inspected first. We performed experiments applying our approach; the empirical results show that it can reduce by 56% the number of rules that must be inspected during fault localization.
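The following is an added illustration of the idea in the abstract, not the authors' code or algorithm: a first-match firewall policy is evaluated over labelled test packets, each failed test is traced back to the rule that produced its decision, the rules to inspect are reduced to those hit by at least one failed test, and those rules are ranked by how many failed tests they decided (ties broken in favour of rules that decided fewer passed tests). The policy, the test packets, the reduction criterion and the ranking heuristic are all constructed assumptions for this example; the paper's own collection and ranking details are not reproduced here.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One firewall rule; fields and matching semantics are assumptions for this example."""
    rid: int
    proto: str        # "tcp", "udp" or "any"
    src: str          # source CIDR
    dst: str          # destination CIDR
    dport: tuple      # inclusive (low, high) destination port range
    decision: str     # "accept" or "deny"

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("any", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.dport[0] <= pkt["dport"] <= self.dport[1])


def evaluate(policy, pkt, default="deny"):
    """First-match evaluation. Returns (decision, rid of the deciding rule);
    rid is None when no rule matched and the default decision applied."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.decision, rule.rid
    return default, None


def localize(policy, tests):
    """tests: list of (packet, expected_decision).
    Collects, per rule, how many failed and passed tests it decided, keeps only
    rules hit by a failed test, and ranks them: most failed hits first, then
    fewest passed hits, then rule id. Returns [(rid, failed_hits, passed_hits), ...]."""
    failed_hits, passed_hits = Counter(), Counter()
    for pkt, expected in tests:
        decision, rid = evaluate(policy, pkt)
        if rid is None:
            # Default decision: no rule to blame here. A failed test in this
            # branch points at a missing rule, which this example does not rank.
            continue
        (passed_hits if decision == expected else failed_hits)[rid] += 1
    suspects = [(rid, failed_hits[rid], passed_hits[rid]) for rid in failed_hits]
    suspects.sort(key=lambda s: (-s[1], s[2], s[0]))
    return suspects


def reduction_ratio(policy, suspects):
    """Fraction of the policy's rules that no longer need inspection."""
    return 1.0 - len(suspects) / len(policy)


# Constructed sample policy. Rule 3 is the planted fault: it was meant to
# admit web traffic to the single host 192.168.1.20 but uses the whole /24.
POLICY = [
    Rule(1, "tcp", "10.0.0.0/8", "192.168.1.10/32", (22, 22), "accept"),
    Rule(2, "tcp", "0.0.0.0/0", "192.168.1.0/24", (23, 23), "deny"),
    Rule(3, "tcp", "0.0.0.0/0", "192.168.1.0/24", (80, 443), "accept"),
    Rule(4, "udp", "10.0.0.0/8", "192.168.1.53/32", (53, 53), "accept"),
    Rule(5, "udp", "0.0.0.0/0", "192.168.1.0/24", (0, 65535), "deny"),
    Rule(6, "tcp", "10.0.0.0/8", "192.168.1.0/24", (0, 65535), "accept"),
]


def _pkt(proto, src, dst, dport):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


# Constructed test packets with their expected decisions.
TESTS = [
    (_pkt("tcp", "10.1.1.1", "192.168.1.10", 22), "accept"),
    (_pkt("tcp", "8.8.8.8", "192.168.1.10", 23), "deny"),
    (_pkt("tcp", "8.8.8.8", "192.168.1.20", 80), "accept"),
    (_pkt("tcp", "8.8.8.8", "192.168.1.10", 80), "deny"),     # fails via rule 3
    (_pkt("tcp", "8.8.8.8", "192.168.1.30", 443), "deny"),    # fails via rule 3
    (_pkt("udp", "10.2.2.2", "192.168.1.53", 53), "accept"),
    (_pkt("udp", "8.8.8.8", "192.168.1.53", 53), "deny"),
    (_pkt("tcp", "10.3.3.3", "192.168.1.99", 8080), "accept"),
    (_pkt("tcp", "8.8.8.8", "192.168.1.99", 8080), "deny"),   # default decision
    (_pkt("tcp", "10.5.5.5", "192.168.1.10", 3389), "deny"),  # fails via rule 6
]


if __name__ == "__main__":
    ranked = localize(POLICY, TESTS)
    for rid, failed, passed in ranked:
        print(f"rule {rid}: {failed} failed test(s), {passed} passed test(s)")
    print(f"rules removed from inspection: {reduction_ratio(POLICY, ranked):.0%}")
```

Running it ranks rule 3 (two failed tests, one passed) above rule 6 (one failed, one passed) and leaves the other four rules out of the inspection set. The planted fault is in rule 3; rule 6 shows up because a failed test was decided by it too, which is why the ranking, not just the reduction, matters to a tester who must choose where to look first.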

Original language: English (US)
Title of host publication: Proceedings - 28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009
Number of pages: 7
State: Published - 2009
Externally published: Yes
Event: 28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009 - Niagara Falls, NY, United States
Duration: Sep 27 2009 to Sep 30 2009

Publication series

Name: Proceedings of the IEEE Symposium on Reliable Distributed Systems
ISSN (Print): 1060-9857


Other: 28th IEEE International Symposium on Reliable Distributed Systems, SRDS 2009
Country/Territory: United States
City: Niagara Falls, NY

ASJC Scopus subject areas

  • Software
  • Theoretical Computer Science
  • Hardware and Architecture
  • Computer Networks and Communications


