Predicting firewall rule ranking value

US 10,645,063 B2
Filed: 11/30/2017
Issued: 05/05/2020
Est. Priority Date: 06/26/2015
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

a memory; and

one or more processors to;

receive an input indicating a desired accuracy of predictions made using a model;

determine a size of a training set based on the desired accuracy indicated by the input;

train the model based on the size of the training set, match counts of match conditions corresponding to a plurality of firewall rules, and performing an analysis of the match counts, of the match conditions corresponding to the plurality of firewall rules, and ranking values corresponding to the plurality of firewall rules;

receive an unimplemented firewall rule comprising one or more first match condition values;

identify match counts of the one or more first match condition values based on identifying one or more second match condition values, corresponding to the plurality of firewall rules, that match the one or more first match condition values;

predict, based on the match counts of the one or more first match condition values, a ranking value corresponding to the unimplemented firewall rule using the model;

perform an action on a packet, with regard to the unimplemented firewall rule, based on the predicted ranking value;

determine an actual ranking value for the unimplemented firewall rule;

perform a comparison of the predicted ranking value and the actual ranking value;

update the model based on the comparison; and

replace the predicted ranking value with the actual ranking value after a particular quantity of packets have been received by the device or after a particular period of time has expired.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may obtain information regarding firewall rules. The information, for a firewall rule of the firewall rules, may include one or more match condition values and a ranking value. The firewall rule may be applicable to packets that are associated with packet information that matches the match condition values. A match condition value may be associated with a match count that identifies a quantity of times that packets match the match condition value. The ranking value may identify a quantity of times that the firewall rule has been applied to the packets. The device may obtain a new firewall rule. The device may predict a ranking value of the new firewall rule based on match condition values of the new firewall rule and/or based on analyzing the information regarding the plurality of firewall rules. The device may perform an action based on the predicted ranking value.

Citations

20 Claims

1. A device, comprising:
- a memory; and
  
  one or more processors to;
  
  receive an input indicating a desired accuracy of predictions made using a model;
  
  determine a size of a training set based on the desired accuracy indicated by the input;
  
  train the model based on the size of the training set, match counts of match conditions corresponding to a plurality of firewall rules, and performing an analysis of the match counts, of the match conditions corresponding to the plurality of firewall rules, and ranking values corresponding to the plurality of firewall rules;
  
  receive an unimplemented firewall rule comprising one or more first match condition values;
  
  identify match counts of the one or more first match condition values based on identifying one or more second match condition values, corresponding to the plurality of firewall rules, that match the one or more first match condition values;
  
  predict, based on the match counts of the one or more first match condition values, a ranking value corresponding to the unimplemented firewall rule using the model;
  
  perform an action on a packet, with regard to the unimplemented firewall rule, based on the predicted ranking value;
  
  determine an actual ranking value for the unimplemented firewall rule;
  
  perform a comparison of the predicted ranking value and the actual ranking value;
  
  update the model based on the comparison; and
  
  replace the predicted ranking value with the actual ranking value after a particular quantity of packets have been received by the device or after a particular period of time has expired.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The device of claim 1, where the model is trained based on at least one of:
    - a linear regression analysis,a nonlinear regression analysis, a curve fitting analysis,a segment linear regression analysis, or a machine learning method.
  - 3. The device of claim 1, where the size of the training set is correlated with a level of the desired accuracy.
  - 4. The device of claim 1, where the one or more processors are further to:
    - perform a linear regression analysis to train the model based on using one or more of the match counts, of the match conditions corresponding to the plurality of firewall rules, as an independent variable and one or more of the ranking values as a dependent variable.
  - 5. The device of claim 1, where the one or more processors, when training the model, are to:
    - train the model based on an interaction term describing an interaction between two or more of the match counts of the match conditions corresponding to the plurality of firewall rules.
  - 6. The device of claim 5, where the interaction term is calculated based on a source internet protocol (IP) address match condition value and a destination IP address match condition value.
  - 7. The device of claim 1, where the one or more processors are further to:
    - compute a calibration ranking value of a particular firewall rule of the plurality of firewall rules using the model and one or more preliminary rules;
      
      perform a comparison of the calibration ranking value and a known ranking value of the particular firewall rule; and
      
      modify at least one of the one or more preliminary rules or the model based on the comparison.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors of a device, cause the one or more processors to;
  
  receive an input indicating a desired accuracy of predictions made using a model;
  
  determine a size of a training set based on the desired accuracy indicated by the input;
  
  train the model based on the size of the training set, match counts of match conditions corresponding to a plurality of firewall rules, and performing an analysis of the match counts, of the match conditions corresponding to the plurality of firewall rules, and ranking values corresponding to the plurality of firewall rules;
  
  receive an unimplemented firewall rule comprising one or more first match condition values;
  
  identify match counts of the one or more first match condition values based on identifying one or more second match condition values, corresponding to the plurality of firewall rules, that match the one or more first match condition values;
  
  predict, based on the match counts of the one or more first match condition values, a ranking value corresponding to the unimplemented firewall rule using the model;
  
  perform an action on a packet, with regard to the unimplemented firewall rule, based on the predicted ranking value;
  
  determine an actual ranking value for the unimplemented firewall rule;
  
  perform a comparison of the predicted ranking value and the actual ranking value;
  
  update the model based on the comparison; and
  
  replace the predicted ranking value with the actual ranking value after a particular quantity of packets have been received by the device or after a particular period of time has expired.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, cause the one or more processors to:
    - compute a calibration ranking value of a particular firewall rule of the plurality of firewall rules using the model and one or more preliminary rules;
      
      perform a comparison of the calibration ranking value and a known ranking value of the particular firewall rule; and
      
      modify at least one of the one or more preliminary rules or the model based on the comparison.
  - 10. The non-transitory computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to predict the ranking value, cause the one or more processors to:
    - predict the ranking value based on using the match counts, of the one or more first match condition values, as inputs to the model.
  - 11. The non-transitory computer-readable medium of claim 8, where the one or more instructions, that cause the one or more processors to perform the action, cause the one or more processors to at least one of:
    - store the unimplemented firewall rule and the predicted ranking value in a data structure;
      
      provide at least one of the unimplemented firewall rule or the predicted ranking value to another device;
      
      orapply the unimplemented firewall rule based on the unimplemented firewall rule matching the packet.
  - 12. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, cause the one or more processors to:
    - reorder a set of firewall rules based on the predicted ranking value.
  - 13. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, cause the one or more processors to:
    - rank the unimplemented firewall rule above a particular firewall rule of the plurality of firewall rules based on the predicted ranking value; and
      
      check whether the unimplemented firewall rule applies to the packet before checking whether the particular firewall rule applies to the packet based on ranking the unimplemented firewall rule above the particular firewall rule.
  - 14. The non-transitory computer-readable medium of claim 8, where the model is trained based on at least one of:
    - a linear regression analysis,a nonlinear regression analysis,a curve fitting analysis,a segment linear regression analysis, ora machine learning method.

15. A method, comprising:
- receiving, by a device, an input indicating a desired accuracy of predictions made using a model;
  
  determining, by the device, a size of a training set based on the desired accuracy indicated by the input;
  
  training, by the device, the model based on the size of the training set, match counts of match conditions corresponding to a plurality of firewall rules, and performing an analysis of the match counts, of the match conditions corresponding to the plurality of firewall rules, and ranking values corresponding to the plurality of firewall rules;
  
  receiving, by the device, an unimplemented firewall rule comprising one or more first match condition values;
  
  identifying, by the device, match counts of the one or more first match condition values based on identifying one or more second match condition values, corresponding to the plurality of firewall rules, that match the one or more first match condition values;
  
  predicting, by the device and based on the match counts of the one or more first match condition values, a ranking value corresponding to the unimplemented firewall rule using the model;
  
  performing, by the device and based on the predicted ranking value, an action on a packet with regard to the unimplemented firewall rule;
  
  determining, by the device, an actual ranking value for the unimplemented firewall rule;
  
  performing by the device, a comparison of the predicted ranking value and the actual ranking value;
  
  updating, by the device, the model based on the comparison; and
  
  replacing, by the device, the predicted ranking value with the actual ranking value after a particular quantity of packets have been received by the device or after a particular period of time has expired.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising:
    - determining that the predicted ranking value satisfies a threshold; and
      
      preventing the unimplemented firewall rule from being implemented based on the predicted ranking value satisfying the threshold.
  - 17. The method of claim 15, further comprising:
    - determining that the predicted ranking value does not satisfy a threshold; and
      
      preventing the unimplemented firewall rule from being implemented based on the predicted ranking value not satisfying the threshold.
  - 18. The method of claim 15, where the one or more first match condition values includes at least one of:
    - a source internet protocol (IP) address value;
      
      a destination IP address value;
      
      a source network port value;
      
      a destination network port value;
      
      a protocol value;
      
      a range of IP address values;
      
      ora range of port values.
  - 19. The method of claim 15, where the action is a first action;
    - andwhere the method further comprises;
      
      determining that packet information associated with the packet matches each match condition value of a particular firewall rule of the plurality of firewall rules; and
      
      performing a second action indicated by the particular firewall rule based on the packet information matching each match condition value of the particular firewall rule.
  - 20. The method of claim 15, further comprising:
    - determining that a particular firewall rule of the plurality of firewall rules is applied; and
      
      implementing a match count, of the match counts of the match conditions corresponding to the plurality of firewall rules, corresponding to the particular firewall rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Tulasi, Vinuth
Primary Examiner(s)
Lynch, Sharon S

Application Number

US15/827,027
Publication Number

US 20180091474A1
Time in Patent Office

887 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Predicting firewall rule ranking value

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Predicting firewall rule ranking value

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links