Predicting firewall rule ranking value
First Claim
1. A device, comprising:
- a memory; and
- one or more processors to:
receive an input indicating a desired accuracy of predictions made using a model;
determine a size of a training set based on the desired accuracy indicated by the input;
train the model based on the size of the training set, match counts of match conditions corresponding to a plurality of firewall rules, and performing an analysis of the match counts, of the match conditions corresponding to the plurality of firewall rules, and ranking values corresponding to the plurality of firewall rules;
receive an unimplemented firewall rule comprising one or more first match condition values;
identify match counts of the one or more first match condition values based on identifying one or more second match condition values, corresponding to the plurality of firewall rules, that match the one or more first match condition values;
predict, based on the match counts of the one or more first match condition values, a ranking value corresponding to the unimplemented firewall rule using the model;
perform an action on a packet, with regard to the unimplemented firewall rule, based on the predicted ranking value;
determine an actual ranking value for the unimplemented firewall rule;
perform a comparison of the predicted ranking value and the actual ranking value;
update the model based on the comparison; and
replace the predicted ranking value with the actual ranking value after a particular quantity of packets have been received by the device or after a particular period of time has expired.
Abstract
A device may obtain information regarding firewall rules. The information, for a firewall rule of the firewall rules, may include one or more match condition values and a ranking value. The firewall rule may be applicable to packets that are associated with packet information that matches the match condition values. A match condition value may be associated with a match count that identifies a quantity of times that packets match the match condition value. The ranking value may identify a quantity of times that the firewall rule has been applied to the packets. The device may obtain a new firewall rule. The device may predict a ranking value of the new firewall rule based on match condition values of the new firewall rule and/or based on analyzing the information regarding the plurality of firewall rules. The device may perform an action based on the predicted ranking value.
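The prediction loop described in the abstract and in claim 1, as an added illustration that is not taken from the patent. The rule data, match counts and 1000-packet threshold are constructed, and the single-feature least-squares model (smallest match count among a rule's condition values) is an assumption, since the claims do not name a model type.

```python
# Constructed data: packets seen per match condition value (not from the patent).
MATCH_COUNTS = {
    ("src", "10.0.0.0/8"): 2000, ("src", "192.168.1.0/24"): 1000,
    ("dport", 443): 2400, ("dport", 22): 200, ("dport", 53): 400,
}
# Constructed implemented rules: (match condition values, ranking value = times applied).
IMPLEMENTED = [
    ({"src": "10.0.0.0/8", "dport": 443}, 900),
    ({"src": "10.0.0.0/8", "dport": 22}, 100),
    ({"src": "192.168.1.0/24", "dport": 443}, 300),
    ({"src": "192.168.1.0/24", "dport": 53}, 200),
]

def feature(conditions, counts=MATCH_COUNTS):
    """Smallest match count among the rule's condition values (assumed feature).
    A value that no implemented rule uses has no count and contributes 0."""
    return min(counts.get(item, 0) for item in conditions.items())

class RankModel:
    """Least-squares line through the origin: rank ~ slope * feature (assumption)."""
    def __init__(self, rules):
        self.samples = [(feature(c), rank) for c, rank in rules]
        self._fit()

    def _fit(self):
        sxx = sum(x * x for x, _ in self.samples)
        sxy = sum(x * y for x, y in self.samples)
        self.slope = sxy / sxx if sxx else 0.0

    def predict(self, conditions):
        return self.slope * feature(conditions)

    def update(self, conditions, actual):
        """Compare the prediction with the actual ranking value, then refit."""
        error = actual - self.predict(conditions)
        self.samples.append((feature(conditions), actual))
        self._fit()
        return error

def effective_rank(predicted, actual, packets_seen, threshold=1000):
    """Serve the prediction until `threshold` packets arrive, then the actual value."""
    return actual if packets_seen >= threshold else predicted

if __name__ == "__main__":
    model = RankModel(IMPLEMENTED)
    new_rule = {"src": "192.168.1.0/24", "dport": 22}  # unimplemented rule
    predicted = model.predict(new_rule)
    print(round(predicted, 1), round(model.update(new_rule, 120), 1))
```

A rule whose condition values appear in no implemented rule gets a feature of 0 and therefore a predicted ranking value of 0 until actual counts replace it.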
20 Claims
1. A device, comprising:
- a memory; and
- one or more processors to:
receive an input indicating a desired accuracy of predictions made using a model;
determine a size of a training set based on the desired accuracy indicated by the input;
train the model based on the size of the training set, match counts of match conditions corresponding to a plurality of firewall rules, and performing an analysis of the match counts, of the match conditions corresponding to the plurality of firewall rules, and ranking values corresponding to the plurality of firewall rules;
receive an unimplemented firewall rule comprising one or more first match condition values;
identify match counts of the one or more first match condition values based on identifying one or more second match condition values, corresponding to the plurality of firewall rules, that match the one or more first match condition values;
predict, based on the match counts of the one or more first match condition values, a ranking value corresponding to the unimplemented firewall rule using the model;
perform an action on a packet, with regard to the unimplemented firewall rule, based on the predicted ranking value;
determine an actual ranking value for the unimplemented firewall rule;
perform a comparison of the predicted ranking value and the actual ranking value;
update the model based on the comparison; and
replace the predicted ranking value with the actual ranking value after a particular quantity of packets have been received by the device or after a particular period of time has expired.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors of a device, cause the one or more processors to:
receive an input indicating a desired accuracy of predictions made using a model;
determine a size of a training set based on the desired accuracy indicated by the input;
train the model based on the size of the training set, match counts of match conditions corresponding to a plurality of firewall rules, and performing an analysis of the match counts, of the match conditions corresponding to the plurality of firewall rules, and ranking values corresponding to the plurality of firewall rules;
receive an unimplemented firewall rule comprising one or more first match condition values;
identify match counts of the one or more first match condition values based on identifying one or more second match condition values, corresponding to the plurality of firewall rules, that match the one or more first match condition values;
predict, based on the match counts of the one or more first match condition values, a ranking value corresponding to the unimplemented firewall rule using the model;
perform an action on a packet, with regard to the unimplemented firewall rule, based on the predicted ranking value;
determine an actual ranking value for the unimplemented firewall rule;
perform a comparison of the predicted ranking value and the actual ranking value;
update the model based on the comparison; and
replace the predicted ranking value with the actual ranking value after a particular quantity of packets have been received by the device or after a particular period of time has expired.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A method, comprising:
receiving, by a device, an input indicating a desired accuracy of predictions made using a model;
determining, by the device, a size of a training set based on the desired accuracy indicated by the input;
training, by the device, the model based on the size of the training set, match counts of match conditions corresponding to a plurality of firewall rules, and performing an analysis of the match counts, of the match conditions corresponding to the plurality of firewall rules, and ranking values corresponding to the plurality of firewall rules;
receiving, by the device, an unimplemented firewall rule comprising one or more first match condition values;
identifying, by the device, match counts of the one or more first match condition values based on identifying one or more second match condition values, corresponding to the plurality of firewall rules, that match the one or more first match condition values;
predicting, by the device and based on the match counts of the one or more first match condition values, a ranking value corresponding to the unimplemented firewall rule using the model;
performing, by the device and based on the predicted ranking value, an action on a packet with regard to the unimplemented firewall rule;
determining, by the device, an actual ranking value for the unimplemented firewall rule;
performing, by the device, a comparison of the predicted ranking value and the actual ranking value;
updating, by the device, the model based on the comparison; and
replacing, by the device, the predicted ranking value with the actual ranking value after a particular quantity of packets have been received by the device or after a particular period of time has expired.
Dependent claims: 16, 17, 18, 19, 20
Specification