🤖 AI Summary
This work proposes the first transferable, proactive framework for mitigating zero-day threats in complex networks, where dynamically generated firewall policies often expose critical assets and fail to defend against unknown vulnerabilities. By integrating graph neural networks with a weighted shortest path algorithm, the framework precisely identifies high-risk connections and misconfigurations, and automatically optimizes firewall rules to block potential attack paths. Experimental results demonstrate that the approach achieves an average accuracy exceeding 95% in detecting high-risk connections, significantly enhancing both the robustness of security policies and their adaptability across diverse network environments.
📝 Abstract
In today's enterprise network landscape, the combination of perimeter and distributed firewall rules governs connectivity. To address challenges arising from increased traffic and diverse network architectures, organizations employ automated tools for firewall rule and access policy generation. Yet, effectively managing the risks arising from dynamically generated policies, especially concerning critical asset exposure, remains a major challenge. This challenge is amplified by evolving network structures driven by trends such as remote users, bring-your-own devices, and cloud integration. This paper introduces a novel graph neural network model for identifying weighted shortest paths. The model aids in detecting network misconfigurations and high-risk connectivity paths that threaten critical assets and could be exploited in zero-day attacks (cyber-attacks exploiting undisclosed vulnerabilities). The proposed Pro-ZD framework adopts a proactive approach, automatically fine-tuning firewall rules and access policies to address high-risk connections and prevent unauthorized access. Experimental results highlight the robustness and transferability of Pro-ZD, achieving over 95% average accuracy in detecting high-risk connections.
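The abstract describes the core idea at a high level: model permitted connectivity as a weighted graph, find the cheapest paths from untrusted sources to critical assets, and tighten firewall rules where those paths are too cheap. The following is an added illustration of that weighted-shortest-path step, not code from the Pro-ZD paper. It leaves out the graph neural network entirely (the paper uses the GNN to learn the weights and paths; here the hop weights, the host names, the threshold and the "block the last hop into the asset" remediation heuristic are all constructed assumptions for the example):

```python
"""Added example: weighted shortest-path exposure analysis over a firewall
connectivity graph. Not the Pro-ZD paper's code; no GNN, hand-picked weights."""
import heapq
from typing import Dict, List, Tuple

Edge = Tuple[str, str, float]

# Constructed sample network. An edge (src, dst, w) exists when some firewall
# rule permits traffic from src to dst. The weight models how cheap the hop is
# for an intruder (lower = riskier); in the paper these come from the learned
# model, here they are invented for illustration.
EDGES: List[Edge] = [
    ("internet", "vpn-gw", 1.0),
    ("internet", "web-dmz", 1.0),
    ("web-dmz", "app-srv", 2.0),
    ("vpn-gw", "byod-laptop", 1.0),
    ("byod-laptop", "file-share", 1.0),
    ("file-share", "db-prod", 1.5),   # assumed misconfiguration: share reaches DB
    ("app-srv", "db-prod", 5.0),
    ("app-srv", "cloud-bucket", 3.0),
]
CRITICAL_ASSETS = {"db-prod", "cloud-bucket"}
UNTRUSTED_SOURCES = {"internet"}
RISK_THRESHOLD = 5.0  # assumed: paths cheaper than this are "high-risk"


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, float]]]:
    """Adjacency list; every node appears as a key even if it has no out-edges."""
    graph: Dict[str, List[Tuple[str, float]]] = {}
    for src, dst, weight in edges:
        graph.setdefault(src, []).append((dst, weight))
        graph.setdefault(dst, [])
    return graph


def dijkstra(graph, source: str):
    """Standard Dijkstra; returns (distance map, predecessor map)."""
    dist = {source: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        for v, w in graph[u]:
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def reconstruct(prev: Dict[str, str], source: str, target: str) -> List[str]:
    """Walk predecessors back from target to source; [] if unreachable."""
    path = [target]
    while path[-1] != source:
        if path[-1] not in prev:
            return []
        path.append(prev[path[-1]])
    return path[::-1]


def find_high_risk_paths(edges, sources, assets, threshold):
    """(source, asset, cost, path) for every asset reachable at cost <= threshold,
    cheapest first. These are the connections a defender should review."""
    graph = build_graph(edges)
    findings = []
    for src in sources:
        dist, prev = dijkstra(graph, src)
        for asset in assets:
            if asset in dist and dist[asset] <= threshold:
                findings.append((src, asset, dist[asset], reconstruct(prev, src, asset)))
    return sorted(findings, key=lambda f: f[2])


def propose_deny_rules(edges, sources, assets, threshold):
    """Remediation heuristic (assumed, not the paper's): repeatedly deny the
    last hop into the asset on the cheapest high-risk path until none remain."""
    remaining = list(edges)
    rules: List[Tuple[str, str, str]] = []
    while True:
        risky = find_high_risk_paths(remaining, sources, assets, threshold)
        if not risky:
            return rules
        _, _, _, path = risky[0]
        hop_src, hop_dst = path[-2], path[-1]
        rules.append(("deny", hop_src, hop_dst))
        remaining = [e for e in remaining if not (e[0] == hop_src and e[1] == hop_dst)]


if __name__ == "__main__":
    for src, asset, cost, path in find_high_risk_paths(EDGES, UNTRUSTED_SOURCES, CRITICAL_ASSETS, RISK_THRESHOLD):
        print(f"HIGH RISK {src} -> {asset} cost={cost}: {' -> '.join(path)}")
    print("proposed rules:", propose_deny_rules(EDGES, UNTRUSTED_SOURCES, CRITICAL_ASSETS, RISK_THRESHOLD))
```

On the constructed graph the only path under the threshold runs through the BYOD laptop and the misconfigured file share into the production database, so the single proposed rule denies file-share to db-prod; the legitimate app-srv to db-prod hop stays open because its cost already exceeds the threshold. Raising the threshold also surfaces the cloud bucket, which is the adaptability-across-environments point the abstract makes about thresholds and weights rather than hard-coded topology.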