Centrality-Based Rule Ordering for Firewall Policy Optimization via Probability Propagation in Dependency Graphs
Fadwa Bezzazi, Dounia Lotfi
3 July 2026
en

Abstract

Firewall rule ordering aims to improve packet filtering efficiency while preserving the dependency constraints that guarantee the intended security behavior of the policy. Existing approaches often rely either on local criteria, such as rule frequency, or on iterative optimization procedures whose behavior depends on initialization, parameter settings and search budget. In this paper, we propose PPCO, a deterministic dependency-aware rule ordering method based on propagated probability combined with descendant-based centrality. The proposed score reflects both the traffic relevance of a rule and its structural influence in the dependency graph. The structural component is essential, especially when some rules are inactive or have zero activation probability, since it prevents probability-based ties from violating dependency constraints. The final policy is obtained directly by sorting rules in a decreasing score order. Experiments were conducted on synthetic rule sets ranging from 50 to 2000 rules and on ClassBench-ng benchmark instances, showing that PPCO consistently achieves a competitive ordering quality among the compared deterministic methods under the considered experimental settings. The method remains stable as the policy size and dependency rate increase, produces zero dependency violations in all valid configurations, achieves the lowest score-coherence values, and maintains competitive execution times at large scales. These results suggest that PPCO provides an effective, robust, and computationally efficient solution for dependency-aware firewall rule ordering within the scope of the evaluated configurations.

IPC Classification

G06H04

Keywords

centrality-based rule ordering; firewall policy optimization; probability propagation; dependency graphs; network; aims; improve; packet filtering; efficiency; while; preserving; constraints; guarantee; intended; security; behavior; existing