Detection of Conflicts Caused by a Combination of Filters Based on Spatial Relationships

Bibliographic information

Alternative title
  • Intrusion detection

Abstract

Packet filtering in firewalls is one of the useful techniques for network security. This technique examines network packets and determines whether to accept or deny them based on an ordered set of filters. If conflicts exist among the filters of a firewall (for example, one filter is never executed because a preceding filter prevents it), the behavior of the firewall might differ from the administrator's intention. For this reason, it is necessary to detect conflicts in a set of filters. Previous research on detecting conflicts in filters paid considerable attention to conflicts caused by one filter affecting another, but it did not consider conflicts caused by a combination of multiple filters. We developed a method of detecting conflicts caused by a combination of filters affecting another individual filter, based on their spatial relationships. We also developed two methods, based on top-down and bottom-up algorithms, of finding all requisite filter combinations from a given combination of filters that intrinsically cause errors to another filter. We implemented prototype systems to determine how effective the methods we developed were. The experimental results revealed that the conflict detection method and the bottom-up method of finding all requisite filter combinations can be used for practical firewall policies.
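The kind of conflict the abstract describes, a filter hidden by a combination of earlier filters although no single earlier filter hides it, can be illustrated with the added example below; it is not the paper's algorithm or prototype. It assumes each filter's match space is a box of inclusive integer ranges, and the policy `FILTERS` and all function names are constructed for illustration.

```python
from itertools import combinations

# Assumption: a filter's match space is a box, one inclusive (lo, hi) range per field.
# Constructed policy over two fields (source address as an integer, destination port).
FILTERS = [
    ("f1", "deny",   ((0, 127),   (0, 1023))),
    ("f2", "deny",   ((128, 255), (0, 1023))),
    ("f3", "accept", ((0, 255),   (80, 80))),      # lies inside f1 ∪ f2
    ("f4", "accept", ((0, 255),   (2000, 2000))),  # reachable
]

def subtract(box, cut):
    """Return disjoint boxes covering the part of `box` that lies outside `cut`."""
    if any(b[1] < c[0] or c[1] < b[0] for b, c in zip(box, cut)):
        return [box]                               # no overlap, nothing removed
    pieces, rest = [], list(box)
    for i, ((lo, hi), (clo, chi)) in enumerate(zip(box, cut)):
        if lo < clo:                               # slab below the cut in field i
            pieces.append(tuple(rest[:i] + [(lo, clo - 1)] + rest[i + 1:]))
        if chi < hi:                               # slab above the cut in field i
            pieces.append(tuple(rest[:i] + [(chi + 1, hi)] + rest[i + 1:]))
        rest[i] = (max(lo, clo), min(hi, chi))     # clamp before the next field
    return pieces

def covered(target, boxes):
    """True if the union of `boxes` contains every point of `target`."""
    remaining = [target]
    for cut in boxes:
        remaining = [p for piece in remaining for p in subtract(piece, cut)]
    return not remaining

def minimal_covers(index, filters=FILTERS):
    """Smallest-first search for minimal sets of preceding filters hiding filters[index]."""
    target, found = filters[index][2], []
    for size in range(1, index + 1):
        for combo in combinations(range(index), size):
            if any(set(f) <= set(combo) for f in found):
                continue                           # a smaller cover already explains it
            if covered(target, [filters[i][2] for i in combo]):
                found.append(combo)
    return [tuple(filters[i][0] for i in c) for c in found]
```

Pairwise checks report no conflict for `f3`, since neither `f1` nor `f2` contains it alone; only the combination does. The subset enumeration is exponential in the number of preceding filters and is meant for small policies.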

Cited by (1)