Network security policies provide high-level directives regarding acceptable and unacceptable use of the network. Organizations specify these high-level directives in policy documents written using human-readable natural language. The challenge is to convert these natural language policies to the network configurations/specifications needed to enforce the policy. Network administrators, who are responsible for enforcing the policies, typically translate the policies manually, which is a challenging and error-prone process. As a result, network operators (as well as the policy authors) often want to verify that network policies are being correctly enforced. In this paper, we propose the Network Policy Conversation Engine (NPCE), a system designed to help network operators (or policy writers) interact with the network using natural language (similar to the language used in the network policy statements themselves) to understand whether policies are being correctly enforced. The system leverages emerging big data collection and analysis techniques to record flow- and packet-level activity throughout the network that can be used to answer users' policy questions. The system also takes advantage of recent advances in Natural Language Processing (NLP) to translate natural language policy questions into the corresponding network queries. To evaluate our system, we demonstrate a wide range of policy questions - inspired by actual network policies posted on university websites - that can be asked of the system to determine if a policy violation has occurred.
|Title of host publication||30th International Conference on Computer Communications and Networks, ICCCN 2021|
|State||Published - Jul 2021|
|Event||30th International Conference on Computer Communications and Networks, ICCCN 2021 - Virtual, Athens, Greece (Duration: Jul 19 2021 → Jul 22 2021)|
|Name||Proceedings - International Conference on Computer Communications and Networks, ICCCN|
|Conference||30th International Conference on Computer Communications and Networks, ICCCN 2021|
|Period||7/19/21 → 7/22/21|
Bibliographical note
Funding Information:
This work was supported in part by the National Science Foundation under Grant ACI-1642134.
© 2021 IEEE.
ASJC Scopus subject areas
- Computer Networks and Communications
- Hardware and Architecture