Submitted:
22 June 2026
Posted:
23 June 2026
You are already at the latest version
Abstract
Keywords:
1. Introduction
2. Background and Related Work
2.1. Two-Layer Filtering in a Cloud VPC
2.2. Related Work
3. Formal Model
3.1. Header Space and Boxes
3.2. Rules and the Two Layers
3.3. Semantics
4. Composition and Complexity
5. Cross-Layer Anomaly Taxonomy
| Anomaly | Scope | Decidable predicate | Severity |
| Fully shadowed | NACL | Eᵢ = ∅ | error |
| Partially shadowed | NACL | ∅ ⊊ Eᵢ ⊊ mᵢ | warning |
| Intra-SG redundant | SG | mⱼ ⊆ A(G\{mⱼ}) | warning |
| Dead SG rule | cross | mⱼ ∩ A(N) = ∅ | error |
| Φ-redundant SG | cross | (mⱼ∩A(N)) ⊆ A(G\{mⱼ}) | warning |
| Φ-ineffective NACL | cross | Eᵢ ∩ A(G) = ∅ (sufficient) | warning |
| Layer disagreement | cross | W_N ≠ ∅ / W_G ≠ ∅ | info |
6. Detection Algorithm
| Algorithm 1 (Two-layer anomaly detection). |
| Input: NACL N (ordered), SG G (set). Output: an anomaly report and Φ in DBD form. 1: Compute A(N) and the effective regions { Eᵢ } by the bucket (Definition 5). 2: Compute A(G) = ⋃ⱼ mⱼ as a disjoint union. 3: Compute Φ = A(N) ∩ A(G) as a DBD (grid or output-sensitive). 4: For each NACL rule i: test Eᵢ = ∅ (fully shadowed) and Eᵢ ⊊ mᵢ (partially shadowed). 5: For each SG rule mⱼ: test mⱼ ∩ A(N) = ∅ (dead) and (mⱼ ∩ A(N)) ⊆ A(G\{mⱼ}) (Φ-redundant). 6: Compute W_N = A(N) \ A(G) and W_G = A(G) \ A(N) (disagreement), and flag each Φ-ineffective NACL allow by the sufficient test Eᵢ ∩ A(G) = ∅. Complexity: O((k+t)^d) by Theorems 2 and 5; polynomial for fixed d. |
7. Normalization
8. Evaluation
8.1. Extending the Header Space: IPv6 and ICMP
9. Discussion
9.1. Interpretation and Practical Use
9.2. Threats to Validity
9.3. Limitations and Open Problems
10. Conclusion
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Wool, A. A quantitative study of firewall configuration errors. Computer [CrossRef] . 2004, 37, 62–67. [Google Scholar] [CrossRef]
- Gartner. Is the Cloud Secure? Gartner Research. 2019. Available online: https://www.gartner.com/smarterwithgartner/is-the-cloud-secure (accessed on 17 February 2026).
- Security, I.B.M. Cost of a Data Breach Report 2025. IBM. 2025. Available online: https://www.ibm.com/reports/data-breach (accessed on 17 February 2026).
- Amazon Web Services. Reachability Analyzer. Amazon VPC Documentation, 2024. Available online: https://docs.aws.amazon.com/vpc/ (accessed on 17 February 2026).
- Backes, J.; Bayless, S.; Cook, B.; Dodge, C.; Gacek, A.; Hu, A.J.; Kahsai, T.; Kocik, B.; Kotelnikov, E.; Kukovec, J.; et al. Reachability analysis for AWS-based networks. In Computer Aided Verification; [CrossRef]; Springer: Cham, Switzerland, 2019; pp. 231–241. [Google Scholar]
- Chomsiri, T.; He, X.; Nanda, P.; Tan, Z. Hybrid Tree-Rule firewall for high speed data transmission. IEEE Trans. Cloud Comput. CrossRef. 2020, 8, 1237–1249. [Google Scholar] [CrossRef]
- Chomsiri, T.; He, X.; Nanda, P. Limitation of listed-rule firewall and the design of Tree-Rule firewall. In Internet and Distributed Computing Systems; CrossRef; Springer: Berlin/Heidelberg, Germany, 2012; pp. 275–287. [Google Scholar]
- He, X.; Chomsiri, T.; Nanda, P.; Tan, Z. Improving cloud network security using the Tree-Rule firewall. Future Gener. Comput. Syst. CrossRef. 2014, 30, 116–126. [Google Scholar] [CrossRef]
- Al-Shaer, E.; Hamed, H. Firewall policy advisor for anomaly discovery and rule editing. In Integrated Network Management VIII; CrossRef; Springer: Boston, MA, USA, 2003; pp. 17–30. [Google Scholar]
- Al-Shaer, E.; Hamed, H. Modeling and management of firewall policies. IEEE Trans. Netw. Serv. Manag. CrossRef. 2004, 1, 2–10. [Google Scholar] [CrossRef]
- Yuan, L.; Mai, J.; Su, Z.; Chen, H.; Chuah, C.-N.; Mohapatra, P. FIREMAN: A toolkit for firewall modeling and analysis. In Proceedings of the IEEE Symposium on Security and Privacy, CrossRef. Berkeley, CA, USA, 21–24 May 2006; pp. 199–213. [Google Scholar]
- Pornavalai, C.; Chomsiri, T. Firewall policy analyzing by relational algebra. In Proceedings of the International Technical Conference on Circuits/Systems, Computers and Communications (ITC-CSCC), 2004. [Google Scholar]
- Chomsiri, T.; Pornavalai, C. Firewall rules analysis. In Proceedings of the International Conference on Security and Management (SAM), Las Vegas, NV, USA, June 2006; pp. 213–219. [Google Scholar]
- Kazemian, P.; Varghese, G.; McKeown, N. Header space analysis: Static checking for networks. In Proceedings of the USENIX Symposium on Networked Systems Design and Implementation (NSDI), CrossRef. San Jose, CA, USA, 25–27 April 2012; pp. 113–126. [Google Scholar]
- Anderson, C.J.; Foster, N.; Guha, A.; Jeannin, J.-B.; Kozen, D.; Schlesinger, C.; Walker, D. NetKAT: Semantic foundations for networks. In Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), CrossRef. San Diego, CA, USA, 20–21 January 2014; pp. 113–126. [Google Scholar]
- Rahman, A.; Parnin, C.; Williams, L. The seven sins: Security smells in infrastructure as code scripts. In Proceedings of the IEEE/ACM International Conference on Software Engineering (ICSE), CrossRef. Montreal, QC, Canada, 25–31 May 2019; pp. 164–175. [Google Scholar]
- Bridgecrew. Checkov: Policy-as-Code for Infrastructure, 2024. Available online: https://www.checkov.io (accessed on 17 February 2026).
- Al-Shaer, E.; Hamed, H.; Boutaba, R.; Hasan, M. Conflict classification and analysis of distributed firewall policies. IEEE J. Sel. Areas Commun. CrossRef. 2005, 23, 2069–2084. [Google Scholar] [CrossRef]
- Eppstein, D.; Muthukrishnan, S. Internet packet filter management and rectangle geometry. In Proceedings of the Twelfth Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), CrossRef. Washington, DC, USA, 7–9 January 2001; pp. 827–835. [Google Scholar]
- Baboescu, F.; Varghese, G. Fast and scalable conflict detection for packet classifiers. In Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP), CrossRef. Paris, France, 12–15 November 2002; pp. 270–279. [Google Scholar]
- Gupta, P.; McKeown, N. Algorithms for packet classification. IEEE Netw. CrossRef. 2001, 15, 24–32. [Google Scholar] [CrossRef]
- Taylor, D.E. Survey and taxonomy of packet classification techniques. ACM Comput. Surv. CrossRef. 2005, 37, 238–275. [Google Scholar] [CrossRef]
- Gouda, M.G.; Liu, A.X. Structured firewall design. Comput. Netw. CrossRef. 2007, 51, 1106–1120. [Google Scholar] [CrossRef]
- Prowler. Prowler: Open-Source Security Tool for AWS, Azure, GCP, and Kubernetes, 2024. Available online: https://prowler.com (accessed on 17 February 2026).



| Work | Target | Closed-form region | Rule-level anomaly | Cross-layer | Proof |
| Reachability tools [4], [5] | AWS path | No | No | Partial | Varies |
| Al-Shaer & Hamed [9], [10] | 1 ordered layer | Tree | Yes | No | Yes |
| FIREMAN [11] | 1+ ordered layers | BDD | Yes | No | Yes |
| Chomsiri & Pornavalai [12], [13] | 1 ordered layer | Rel. algebra | Yes | No | Partial |
| HSA [14] / NetKAT [15] | General | Yes | No | N/A | Yes |
| IaC scanners / CSPM [16], [17] | IaC / posture | No | Pattern | No | No |
| This work | NACL ∩ SG | Yes (Thm 1) | Yes | Yes | Yes |
| Rules | |A(N)| | |A(G)| | |Φ| avg | |Φ| max | Grid bound | Build (ms) |
| 4 | 2 | 3 | 1 | 5 | 2.7×10⁴ | 0.1 |
| 8 | 6 | 7 | 5 | 20 | 1.8×10⁵ | 0.3 |
| 12 | 11 | 22 | 22 | 53 | 5.4×10⁵ | 1.1 |
| 16 | 20 | 30 | 56 | 166 | 1.1×10⁶ | 3.0 |
| 20 | 31 | 55 | 93 | 251 | 2.0×10⁶ | 8.2 |
| 24 | 52 | 68 | 161 | 287 | 3.5×10⁶ | 12.5 |
| 28 | 68 | 89 | 207 | 579 | 5.1×10⁶ | 23.6 |
| 32 | 74 | 153 | 292 | 846 | 8.0×10⁶ | 43.2 |
| 36 | 92 | 144 | 367 | 1186 | 1.1×10⁷ | 56.8 |
| 40 | 94 | 129 | 314 | 670 | 1.4×10⁷ | 46.2 |
| 44 | 139 | 185 | 524 | 863 | 1.8×10⁷ | 88.4 |
| 48 | 161 | 210 | 639 | 1933 | 2.5×10⁷ | 139.4 |
| Configuration | NACL | SG | Dead SG | Φ-redun. | Shadowed | Disagree. (W_N, W_G) |
| Web tier | 2 | 3 | 1 | 1 | 1 | 6, 1 |
| Application tier | 2 | 3 | 1 | 3 | 1 | 0, 1 |
| Database tier | 3 | 1 | 0 | 0 | 2 | 4, 0 |
| Profile | d | Address | Packet checks | Mismatches | |Φ| (rules) | Grid bound |
| IPv4 (baseline) | 4 | 32-bit | 301,440 | 0 | 3783 (48) | 8.5×10⁷ |
| IPv6 | 4 | 128-bit | 301,440 | 0 | 5256 (48) | 8.5×10⁷ |
| ICMP | 6 | 32-bit | 362,880 | 0 | 70770 (48) | 7.8×10¹¹ |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).