An automated closed-loop framework to enforce security policies from anomaly detection

Due to the growing complexity and scale of IT systems, there is an increasing need to automate and streamline routine maintenance and security management procedures, to reduce costs and improve pro-ductivity. In the case of security incidents, the implementation and application of response actions re-quire significant effort s from operators and developers in translating policies to code. Even if Machine Learning (ML) models are used to find anomalies, they need to be regularly trained/updated to avoid be-coming outdated. In an evolving environment, a ML model with outdated training might put at risk the organization it was supposed to defend.To overcome those issues, in this paper we propose an automated closed-loop process with three stages. The first stage focuses on obtaining the Decision Trees (DT) that classify anomalies. In the second stage, DTs are translated into security Policies as Code based on languages recognized by the Policy Engine (PE). In the last stage, the translated security policies feed the Policy Engines that enforce them by converting them into specific instruction sets. We also demonstrate the feasibility of the proposed framework, by presenting an example that encompasses the three stages of the closed-loop process.The proposed framework may integrate a broad spectrum of domains and use cases, being able for in-stance to support the decide and the act stages of the ETSI Zero-touch Network & Service Management (ZSM) framework.(c) 2022 The Author(s). Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license ( http://creativecommons.org/licenses/by-nc-nd/4.0/ )