ESASCF: expertise extraction, generalization and reply framework for optimized automation of network security compliance

Ghanem, Mohamed Chahine, Chen, Thomas, Ferrag, Mohamed Amine and Kettouch, Mohyi Eddine (2023) ESASCF: expertise extraction, generalization and reply framework for optimized automation of network security compliance. IEEE Access. ISSN 2169-3536

ESASCF_Expertise_Extraction_Generalization_and_Reply_Framework_for_Optimized_Automation_of_Network_Security_Compliance.pdf - Accepted Version
Available under License Creative Commons Attribution Non-commercial No Derivatives 4.0.

Download (3MB) | Preview
Official URL:

Abstract / Description

Organizations constantly exposed to cyber threats are compelled to comply with cyber security standards and policies for protecting their digital assets. Vulnerability assessment (VA) and pene- tration testing (PT) are widely adopted methods for security compliance (SC) to identify security gaps and anticipate security breaches. However, these methods for security compliance tend to be highly repetitive and resource-intensive. In this paper, we propose a novel method to tackle the ever-growing problem of efficiency in network security auditing by designing and developing an Expert-System Automated Security Compliance Framework (ESASCF). ESASCF enables industrial and open-source VA and PT tools to extract, process, store and re-use the expertise in similar scenarios or during periodic re-testing. ESASCF was tested on different size networks and proved efficient in terms of time efficiency and testing effectiveness. ESASCF takes over autonomously the SC in re-testing and offloading the human expert by automating repeated segments SC and thus enabling experts to prioritize important tasks in ad-hoc compliance tests. The obtained results show a performance improvement by cutting the time required for an expert to 50% in the context of typical corporate networks’ first security compliance and 20% in re-testing. In addition, the framework allows a long-term impact illustrated in the knowledge extraction, generalization, and re-utilization, which enables better SC confidence independent of the human expert skills, coverage, and wrong decisions resulting in false negatives.

Item Type: Article
Additional Information: Copyright © 2023 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Uncontrolled Keywords: penetration testing; vulnerability assessment; security audit; artificial intelligence; AI; automation; metasploit; nessus; ethical hacking; expert system; security compliance; PCI-DSS; HIPAA; ISO-27001
Subjects: 000 Computer science, information & general works
Department: School of Computing and Digital Media
Depositing User: Dr Mohamed Chahine Ghanem
Date Deposited: 20 Nov 2023 10:28
Last Modified: 20 Nov 2023 10:28


Downloads per month over past year

Downloads each year

Actions (login required)

View Item View Item