
Active defense framework for malicious attacks

Eric Hsieh,
Kuo-Chun Tseng

Abstract


In recent years, with the advancement of technology, including the development of 5G networks and cloud services, enterprise network structure has transformed. To facilitate user convenience, corporate resources must be made accessible, leading to a thinner boundary in the company's network infrastructure. This increased accessibility, however, exposes vulnerabilities in identity authentication, giving attackers opportunities to exploit them and carry out cyberattacks. With the proliferation of diverse attack strategies, information security defense has become an urgent priority.
This study proposes an automated firewall rule generation method to effectively prevent network intrusion incidents. The method leverages resources already present in the enterprise environment, without increasing the corporate budget, to strengthen defenses against network attacks. It primarily involves analyzing event logs such as the Windows Event Log and the Palo Alto Next-Generation Firewall log. Upon detecting a critical security threat, the method promptly identifies the attack's source IP and automatically adds a firewall rule that blocks network access from that IP.
The framework's system architecture continuously monitors event logs. Once any detection algorithm detects signs of intrusion, such as attempted access to system files or brute-force login attempts, it immediately extracts the relevant event information. Analyzing the event records before and after the incident identifies the event's origin and captures pertinent network information, such as destination IP addresses and port numbers. Finally, the system automatically configures firewall rules to block the threatening IPs, providing proactive defense. Compared to traditional approaches, which require manual analysis of event logs before firewall rules are added, this automated method significantly reduces the risk caused by delays in human operation, improves response efficiency, and saves operational costs for enterprises. Moving forward, the framework can be integrated with various log systems and use diverse detection algorithms, continually improving both event detection and the accuracy of rule generation, thereby constructing a more robust network protection mechanism.
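The detect-then-block loop the abstract describes, as an added illustration that is not the paper's own code: a sliding-window detector runs over constructed Windows-style failed-logon records (Event ID 4625) and, for each source IP that crosses the threshold, emits a generic block-rule record. The event tuple layout, the threshold and window, and the rule fields are assumptions for the example, not the authors' design, and the rule record is not a real firewall API call.

```python
"""Detect brute-force logons in Windows-style event records and emit block rules."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, event_id, source_ip, account).
# Event ID 4625 is the Windows "An account failed to log on" event; 4624 is a success.
SAMPLE_EVENTS = [
    ("2024-02-01T08:00:01", 4625, "203.0.113.7", "admin"),
    ("2024-02-01T08:00:03", 4625, "203.0.113.7", "admin"),
    ("2024-02-01T08:00:05", 4625, "203.0.113.7", "root"),
    ("2024-02-01T08:00:06", 4625, "203.0.113.7", "admin"),
    ("2024-02-01T08:00:08", 4625, "203.0.113.7", "guest"),
    ("2024-02-01T08:01:00", 4625, "198.51.100.4", "alice"),
    ("2024-02-01T08:02:00", 4624, "198.51.100.4", "alice"),  # one typo, then success
    ("2024-02-01T09:30:00", 4625, "203.0.113.7", "admin"),   # outside any earlier window
]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: trigger_time} for IPs with >= threshold failed logons
    (event 4625) inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # per-IP timestamps of recent failures
    flagged = {}
    for ts_str, event_id, src_ip, _account in sorted(events):
        if event_id != 4625:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[src_ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src_ip not in flagged:
            flagged[src_ip] = ts          # record the first time the IP crossed the line
    return flagged


def build_block_rule(src_ip, triggered_at):
    """Hypothetical rule record (assumed layout); a deployment would translate it
    into the firewall's own rule syntax, which is not shown here."""
    return {
        "name": f"auto-block-{src_ip.replace('.', '-')}",
        "source": src_ip,
        "destination": "any",
        "action": "deny",
        "comment": f"brute-force logons detected at {triggered_at.isoformat()}",
    }


def generate_rules(events):
    """Full pipeline: detection over the log, then one block rule per flagged IP."""
    return [build_block_rule(ip, ts) for ip, ts in detect_brute_force(events).items()]
```

A production version would also pull the destination IP and port from the surrounding records, as the abstract describes, and keep an allow-list so that a spoofed source cannot be used to lock out legitimate addresses.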


Citation Format:
Eric Hsieh, Kuo-Chun Tseng, "Active defense framework for malicious attacks," Communications of the CCISA, vol. 30, no. 1, pp. 16-38, Feb. 2024.






Published by Chinese Cryptology and Information Security Association (CCISA), Taiwan, R.O.C
CCCISA Editorial Office, No.1, Sec. 1, Shennong Rd., Yilan City, Yilan County 260, Taiwan (R.O.C.)
E-mail: ccisa.editor@gmail.com