Systems and methods for security configuration

US 10,659,498 B2
Filed: 05/31/2018
Issued: 05/19/2020
Est. Priority Date: 01/08/2016
Status: Active Grant

First Claim

Patent Images

1. A network security device comprising:

a memory configured to;

store a plurality of network events; and

store a set of network filter rules; and

a hardware processor connected to the memory, the hardware processor configured to;

receive a change to a set of network rules;

perform a first simulation of network traffic allowed and denied according to the current set of network rules and a second simulation of network traffic allowed and denied according to the changed set of network rules, the first simulation and second simulation utilizing at least a portion of the network events;

evaluate the use of computational resources during the first and second simulation;

calculate an entropy of strings matching a wildcard of a new network rule of the changed set of network rules to determine if the changed network rule is too broad;

provide an indication of the changes in allowed and denied traffic and the entropy of the new network rule for review of the changed set of network rules;

provide an indication of a performance impact of the changed set of network rules or rejecting the changed set of rules if the performance impact crosses a threshold;

receive an instruction to implement the changed set of network rules based on the review; and

filter network traffic according to the changed set of network rules.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of configuring a network security device includes receiving a changed set of network rules to replace a current set of network rules; using a plurality of network traffic events to perform a first simulation of according to the current set of network rules and a second simulation according to the changed set of network rules; comparing the results of the first and second simulation to identify changes in network traffic allowed and denied between the current set and the changed set of network rules; displaying the changes in allowed and denied traffic for review of the changed set of network rules; receiving an instruction to implement the changed set of network rules based on the review; and filtering network traffic according to the changed set of network rules.

Citations

18 Claims

1. A network security device comprising:
- a memory configured to;
  
  store a plurality of network events; and
  
  store a set of network filter rules; and
  
  a hardware processor connected to the memory, the hardware processor configured to;
  
  receive a change to a set of network rules;
  
  perform a first simulation of network traffic allowed and denied according to the current set of network rules and a second simulation of network traffic allowed and denied according to the changed set of network rules, the first simulation and second simulation utilizing at least a portion of the network events;
  
  evaluate the use of computational resources during the first and second simulation;
  
  calculate an entropy of strings matching a wildcard of a new network rule of the changed set of network rules to determine if the changed network rule is too broad;
  
  provide an indication of the changes in allowed and denied traffic and the entropy of the new network rule for review of the changed set of network rules;
  
  provide an indication of a performance impact of the changed set of network rules or rejecting the changed set of rules if the performance impact crosses a threshold;
  
  receive an instruction to implement the changed set of network rules based on the review; and
  
  filter network traffic according to the changed set of network rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The network security device of claim 1, wherein the network events are stored in a first-in-first out buffer.
  - 3. The network security device of claim 1, wherein the hardware processor is further configured to group and display the plurality of network events.
  - 4. The network security device of claim 1, wherein the hardware processor is further configured to display a performance impact of the changed set of network rules.
  - 5. The network security device of claim 4, wherein the performance impact includes a change in CPU utilization between the first simulation and the second simulation.
  - 6. The network security device of claim 1, wherein the hardware processor is further configured to:
    - calculate a ratio of allowed traffic between the current set of network rules and the changed set of network rules; and
      
      reject the changed set of network rules if the ratio crosses a threshold.
  - 7. The network security device of claim 1, wherein the hardware processor is further configured to log a set of alerts generated by the changed set of network rules but not by the current set of network rules.
  - 8. The network security device of claim 1, wherein the hardware processor is further configured to:
    - calculate a rule quality score for the changed set of network rules; and
      
      display the rule quality score or reject the changed set of rules if the rule quality score crosses a threshold.

9. A method for network security configuration, comprising:
- receiving a changed set of network rules to replace a current set of network rules;
  
  using a plurality of network traffic events to perform a first simulation of network traffic allowed and denied according to the current set of network rules and a second simulation of network traffic allowed and denied according to the changed set of network rules;
  
  evaluating the use of computational resources during the first and second simulation;
  
  calculating an entropy of strings matching a wildcard of a new network rule of the changed set of network rules to determine if the changed network rule is too broad;
  
  displaying the changes in allowed and denied traffic for review of the changed set of network rules;
  
  displaying an indication of a performance impact of the changed set of network rules or rejecting the changed set of rules if the performance impact crosses a threshold;
  
  receiving an instruction to implement the changed set of network rules based on the review; and
  
  filtering network traffic according to the changed set of network rules.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9, wherein the network events are stored in a first-in-first-out buffer.
  - 11. The method of claim 9, further comprising calculating a ratio of allowed traffic between the current set of network rules and the changed set of network rules, and reject the changed set of network rules if the ratio crosses a threshold.
  - 12. The method of claim 9, further comprising logging a set of alerts generated by the changed set of network rules but not by the current set of network rules.
  - 13. The method of claim 9, further comprising:
    - calculating a rule quality score for the changed set of network rules; and
      
      displaying the rule quality score or rejecting the changed set of rules if the rule quality score crosses a threshold.

14. A method for network security configuration, comprising:
- retrieving a plurality of network events;
  
  grouping and displaying the plurality of network events;
  
  receiving a changed network rule;
  
  simulating the effect of the changed network rule on the network events;
  
  using a processor to evaluate computational resources used by the changed network rule during the simulation and to reject the changed network rule if a performance impact crosses a threshold;
  
  calculating an entropy of strings matching a wildcard of the changed network rule to determine if the changed network rule is too broad;
  
  using a processor to evaluate the changed network rule based on a rule quality score crossing a threshold and to reject the changed network rule if the rule quality score crosses the threshold, the rule quality based at least in part on the calculated entropy; and
  
  filtering network traffic according to the changed network rule if the changed network rule is not rejected.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, wherein the plurality of network events are stored in a first-in-first-out buffer.
  - 16. The method of claim 14, further comprising evaluating the performance impact by comparing a processor usage of a current network rule and the changed network rule.
  - 17. The method of claim 14, further comprising evaluating the performance impact by comparing a memory usage of a current network rule and the changed network rule.
  - 18. The method of claim 14, further comprising calculating a ratio of allowed traffic between a current network rule and the changed network rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Original Assignee
SecureWorks Corp. (Dell Technologies Inc.)
Inventors
Kinder, Ross R., Ramsey, Jon R., Vidas, Timothy M., Danford, Robert
Primary Examiner(s)
Hailu, Teshome

Application Number

US15/994,655
Publication Number

US 20180288100A1
Time in Patent Office

719 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 41/0813   characterised by the condit...

H04L 41/145   involving simulating, desig...

H04L 41/147   for predicting network beha...

H04L 41/22   comprising specially adapte...

H04L 43/16   Threshold monitoring

H04L 63/0227   Filtering policies mail mes...

H04L 63/20   for managing network securi...

Systems and methods for security configuration

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for security configuration

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links