RefinementEngine: Automating Intent-to-Device Filtering Policy Deployment under Network Constraints

Abstract: Translating security intent into deployable network enforcement rules and maintaining their effectiveness despite evolving cyber threats remains a largely manual process in most Security Operations Centers (SOCs). In large and heterogeneous networks, this challenge is complicated by topology-dependent reachability constraints and device-specific security control capabilities, making the process slow, error-prone, and a recurring source of misconfigurations. This paper presents RefinementEngine, an engine that automates the refinement of high-level security intents into low-level, deployment-ready configurations. Given a network topology, devices, and available security controls, along with high-level intents and Cyber Threat Intelligence (CTI) reports, RefinementEngine automatically generates settings that implement the desired intent, counter reported threats, and can be directly deployed on target security controls. The proposed approach is validated through real-world use cases on packet and web filtering policies derived from actual CTI reports, demonstrating both correctness, practical applicability, and adaptability to new data.

• The paper demonstrates a deterministic pipeline, combining neurosymbolic inference and LLM-based extraction to convert high-level intents into deployable filtering policies.
• The paper validates the system with real CTI-driven scenarios, achieving perfect intent coverage with minimal device allocations and zero policy gaps.
• The paper bridges theory and practice by automating complex policy deployment under network constraints, reducing manual errors in SOC operations.

Automated Policy Refinement under Network Constraints: The RefinementEngine Architecture

Problem Statement and Motivation

Operationalizing high-level security intents into deployable device-level policy is a critical bottleneck in Security Operations Centers (SOCs), particularly within large-scale, heterogeneous network environments. Manual translation from intent languages to native control rules invites misconfigurations, redundancy, policy gaps, and poor responsiveness to evolving threat intelligence. The heterogeneity of control capabilities, coupled with topological reachability constraints, amplifies the difficulty. Existing approaches typically address only fragments of the pipeline, such as manual specification, translation, anomaly analysis, or isolated deployment validation.

Addressing this gap, RefinementEngine systematically automates the refinement and device allocation of network filtering policies, beginning from human-readable security intent and cyber threat intelligence (CTI) input, culminating in control-specific, deployable configurations. The engine is capability-aware and topology-aware, supporting adaptive integration of new CTI-derived Indicators of Compromise (IoCs) and generalizing across router- and application-level filtering scenarios.

System Architecture

The system architecture is designed as a deterministic pipeline—Extractor, Refiner, Converter, and Translator—operating on formalized representations of intent (HSPL), intermediate policy artifacts (MSPL), network topology (TOSCA), and CTI-derived IoCs (CLIPS templates and facts). Symbolic reasoning and strict rule substrate provided by CLIPS, combined with AI-based entity extraction from input reports, enable robust automation without the pitfalls of generative AI in mission-critical inference.

Figure 1: Architecture and end-to-end workflow of RefinementEngine, encompassing entity extraction, reasoning, configuration, and translation.

The Extractor utilizes deterministic LLM-based (greedy decoding, explicit device placement) and CLIPS-driven neurosymbolic logic to extract structured IoCs from unstructured threat reports, countering known LLM unreliability in the security context. The Refiner maps the intent, network, and extracted entities, performing multi-path reachability analysis and minimum-cover enforcement point selection under device capability constraints. The Converter serializes device-aligned artifacts as MSPL for the Translator, which executes model-driven, schema-grounded conversion to target-native rules (e.g., iptables, ModSecurity), ensuring reproducibility and semantic fidelity.

Policy Allocation and Refinement Semantics

Policy allocation assigns enforcement to the minimal covering set of devices along all relevant network paths, factoring device-specific support for required security primitives. The selection algorithm promotes consolidation by exploiting shared subpaths and excludes devices lacking the instrumental controls. Where enforcement is impossible (e.g., no device covers all paths with compatible controls), the system flags the intent as unenforceable, precluding policy gaps.

Policy refinement implements a two-stage translation: HSPL (abstract subject-object-action) $\to$ MSPL (control- and device-aligned policy) $\to$ low-level configuration. The CLIPS substrate encodes all device, capability, and path metadata, underpinned by a Security Capability Model (SCM) that is both formal and extensible. The approach supports seamless accommodation of novel IoC attributes, dynamically extending CLIPS templates—demonstrated by the transparent handling of web domain IoCs in the validation scenarios.

Empirical Validation

Two real-world CTI-driven scenarios demonstrate the system's correctness and adaptability: IP packet filtering for CoinMiner malware and application-layer filtering for NanoCore-related malicious domains.

Scenario 1: IP Packet Filtering

A CTI report indicating an offending IP address is parsed and the corresponding intent expressed in HSPL. RefinementEngine extracts the destination IP, maps the topology, and allocates enforcement to the minimal device set intersecting all Eve $\to$ Bob paths, prioritizing security controls that explicitly support packet filtering (i.e., iptables-compatible firewalls). The resulting rules ensure bidirectional traffic interception, and empirical packet traces confirm complete suppression post-deployment.

Figure 2: Topology for Test scenario 1—multiple redundant paths between compromised and target endpoint.

Scenario 2: Web Filtering

A subsequent CTI source prescribes blocking web access to a malicious domain, embedded in complex HTTP traffic. RefinementEngine extends its knowledge representation, learning the domain IoC type within the CLIPS framework. Reachability analysis reveals that only ModSecurity WAF at the network ingress supports the necessary application-layer rule implementation. Only the WAF is configured, and validation confirms that only requests to the reported domain are blocked, without leaking low-level layer information to network-level firewalls.

Figure 3: Topology for Test scenario 2, highlighting the required use of an application-layer WAF for domain-based filtering.

Key Claims and Numerical Results

• The architecture yields deterministic, reproducible device/rule assignments across heterogeneous environments, avoiding both redundant allocation and under-enforcement.
• All validation scenarios show perfect intent coverage with the minimum device set, yielding no unnecessary configuration and zero leakage along bypass paths.
• The pipeline auto-adapts to previously unseen IoC attribute types (domains vs. IPs) without manual reprogramming.
• Empirical results (packet trace and HTTP response verification) confirm enforcement correctness: malicious flows are comprehensively dropped without false positives on benign flows.
• The reliance on CLIPS-based symbolic inference ensures auditable and inspectable policy derivation, advantageous for regulatory and incident review.

Theoretical and Practical Implications

From a theoretical perspective, this work advances the state-of-the-art in policy management by tightly integrating capability-aware, topology-constrained allocation with formalized rule translation. It bridges the gap between high-level security governance and low-level artifact generation, explicitly addressing device heterogeneity—a gap generally overlooked in previous SDN/NFV placement literature as well as intent-based frameworks.

On the practical front, the system promises to drastically diminish SOC analyst burden, decrease risk of rule misconfiguration, and offer a pathway for realistic, lifecycle policy maintenance in dynamic organizations. Its pipeline is extensible to additional control classes and new IoC types—potentially integrating richer CTI artifacts (e.g., protocol payload signatures, behavioral indicators).

This work situates itself as a complementary downstream phase to CTI extraction and normalization efforts, providing a missing automation link between structured intelligence and actionable, context-constrained enforcement. This is crucial, as empirical studies show most CTI sharing fails to produce deployable rules or does so with poor coverage and slow adaptation.

Future Directions

Anticipated research directions include:

• Integrating advanced optimization techniques for policy placement, extending beyond minimum-cover to performance- and risk-aware criteria.
• Broadening the enforcement pipeline to additional device classes (e.g., IDSs, custom DPI engines) and supporting richer composition of intents (including dependency and conflict analysis).
• Deeper coupling of AI-based extraction with formal verification for continuous policy validation and closed-loop configuration.

Conclusion

The RefinementEngine system operationalizes full-cycle, automated, deterministic refinement and allocation of network filtering policies under real-world constraints. By combining neurosymbolic inference, AI-based CTI parsing, and model-driven rule generation, it achieves robust coverage, adaptive extensibility, and significant reductions in manual effort and error. Both theoretical bases and practical validations underline its efficacy and suitability for modern, complex security operations. Continued development toward richer policy semantics and integration with broader cyber-defense ecosystems will further enhance its applicability and resilience.