Ghanem, Mohamed Chahine, Chen, Thomas, Ferrag, Mohamed Amine and Kettouch, Mohyi Eddine (2023) ESASCF: expertise extraction, generalization and reply framework for optimized automation of network security compliance. IEEE Access. ISSN 2169-3536
Text: ESASCF_Expertise_Extraction_Generalization_and_Reply_Framework_for_Optimized_Automation_of_Network_Security_Compliance.pdf - Accepted Version. Available under License Creative Commons Attribution Non-commercial No Derivatives 4.0.
Abstract / Description
Organizations constantly exposed to cyber threats are compelled to comply with cyber security standards and policies for protecting their digital assets. Vulnerability assessment (VA) and penetration testing (PT) are widely adopted methods for security compliance (SC) to identify security gaps and anticipate security breaches. However, these methods for security compliance tend to be highly repetitive and resource-intensive. In this paper, we propose a novel method to tackle the ever-growing problem of efficiency in network security auditing by designing and developing an Expert-System Automated Security Compliance Framework (ESASCF). ESASCF enables industrial and open-source VA and PT tools to extract, process, store and re-use the expertise in similar scenarios or during periodic re-testing. ESASCF was tested on different size networks and proved efficient in terms of time efficiency and testing effectiveness. ESASCF takes over autonomously the SC in re-testing and offloading the human expert by automating repeated segments SC and thus enabling experts to prioritize important tasks in ad-hoc compliance tests. The obtained results show a performance improvement by cutting the time required for an expert to 50% in the context of typical corporate networks’ first security compliance and 20% in re-testing. In addition, the framework allows a long-term impact illustrated in the knowledge extraction, generalization, and re-utilization, which enables better SC confidence independent of the human expert skills, coverage, and wrong decisions resulting in false negatives.
Item Type: | Article |
---|---|
Additional Information: | Copyright © 2023 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. |
Uncontrolled Keywords: | penetration testing; vulnerability assessment; security audit; artificial intelligence; AI; automation; metasploit; nessus; ethical hacking; expert system; security compliance; PCI-DSS; HIPAA; ISO-27001 |
Subjects: | 000 Computer science, information & general works |
Department: | School of Computing and Digital Media |
Depositing User: | Dr Mohamed Chahine Ghanem |
Date Deposited: | 20 Nov 2023 10:28 |
Last Modified: | 20 Nov 2023 10:28 |
URI: | https://repository.londonmet.ac.uk/id/eprint/8897 |