SYSTEM AND METHOD FOR DETERMINING SEMANTIC EQUIVALENCE BETWEEN ACCESS CONTROL LISTS
First Claim
1. A method of processing access control lists in a computer network, the method comprising:
- obtaining a first access control list and storing it in memory;
- generating an order-free equivalent for the first access control list, the order-free equivalent comprising a plurality of multidimensional rules for permitting or denying access to resources in the computer network; and
- using the order-free equivalent to determine whether the first access control list is equivalent to a second access control list.
4 Assignments
0 Petitions
Abstract
Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual rules that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting rules. An aspect of the invention determines whether two or more access control lists are equivalent or not. Order-dependent access control lists are converted into order-independent access control lists, which enable checking of semantic equivalence of different access control lists. Upon conversion to an order-independent access control list, lower-precedence rules in the order-free list are checked for overlap with a current higher precedence entry. If overlap exists, existing order-free rules are modified so that spinoff rules have no overlap with the current entry. This is done while maintaining semantic equivalence.
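The conversion the abstract describes can be made concrete with a small model. The following is an added example, not code from the patent or its assignee: each multidimensional rule is a box of inclusive integer intervals (here a constructed two-field space of source host and destination port), the input list uses first-match precedence with an implicit default deny, and "spinoff" rules are produced by subtracting every higher-precedence box from the current rule so that the resulting order-free list matches each packet exactly once. Two ACLs are then semantically equivalent exactly when every pair of overlapping cells from their order-free forms carries the same action. The rule representation, field choices and sample ACLs are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# A multidimensional rule is a box: one inclusive (lo, hi) interval per field.
# The two fields (source host, destination port) are constructed for this example.
Box = Tuple[Tuple[int, int], ...]


@dataclass(frozen=True)
class Rule:
    box: Box
    action: str  # "permit" or "deny"


def overlaps(a: Box, b: Box) -> bool:
    """Two boxes overlap only if their intervals overlap in every dimension."""
    return all(alo <= bhi and blo <= ahi for (alo, ahi), (blo, bhi) in zip(a, b))


def subtract(a: Box, b: Box) -> List[Box]:
    """Carve box a into spinoff boxes that cover a minus b and do not overlap b."""
    if not overlaps(a, b):
        return [a]
    pieces: List[Box] = []
    cur = list(a)  # shrinks toward the intersection as slices are split off
    for i, ((alo, ahi), (blo, bhi)) in enumerate(zip(a, b)):
        if alo < blo:  # slice of a lying below b in dimension i
            low = list(cur)
            low[i] = (alo, blo - 1)
            pieces.append(tuple(low))
            cur[i] = (blo, cur[i][1])
        if ahi > bhi:  # slice of a lying above b in dimension i
            high = list(cur)
            high[i] = (bhi + 1, ahi)
            pieces.append(tuple(high))
            cur[i] = (cur[i][0], bhi)
    return pieces  # what remains in cur is the intersection a ∩ b, which is dropped


def order_free(acl: List[Rule], universe: Box, default: str = "deny") -> List[Rule]:
    """Convert a first-match ACL into non-overlapping rules with the same meaning.

    Each rule keeps only the part of its box that no higher-precedence rule
    already claims, so every packet in the universe matches exactly one entry.
    The implicit default action is appended as a lowest-precedence catch-all.
    """
    result: List[Rule] = []
    for rule in acl + [Rule(universe, default)]:
        remaining = [rule.box]
        for higher in result:
            remaining = [p for box in remaining for p in subtract(box, higher.box)]
        result.extend(Rule(box, rule.action) for box in remaining)
    return result


def lookup(rules: List[Rule], point: Tuple[int, ...]) -> str:
    """Action for one packet; an order-free list must hit exactly one rule."""
    hits = [r.action for r in rules
            if all(lo <= x <= hi for (lo, hi), x in zip(r.box, point))]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, got {len(hits)}")
    return hits[0]


def pairwise_disjoint(rules: List[Rule]) -> bool:
    """Sanity check: no two entries of an order-free list may overlap."""
    return not any(overlaps(rules[i].box, rules[j].box)
                   for i in range(len(rules)) for j in range(i + 1, len(rules)))


def equivalent(a: List[Rule], b: List[Rule], universe: Box) -> bool:
    """Both order-free forms partition the universe, so the two ACLs agree
    everywhere iff every overlapping pair of cells carries the same action."""
    fa, fb = order_free(a, universe), order_free(b, universe)
    return all(ra.action == rb.action
               for ra in fa for rb in fb if overlaps(ra.box, rb.box))


# Constructed sample ACLs over (source host 0-255, destination port 0-65535).
UNIVERSE: Box = ((0, 255), (0, 65535))

ACL_A = [
    Rule(((10, 10), (22, 22)), "deny"),      # host 10 may not reach port 22
    Rule(((0, 255), (22, 22)), "permit"),    # everyone else may reach port 22
    Rule(((10, 10), (0, 1023)), "permit"),   # host 10 may reach the other low ports
]

# The same policy written with redundant and differently ordered rules.
ACL_B = [
    Rule(((10, 10), (0, 21)), "permit"),
    Rule(((10, 10), (23, 1023)), "permit"),
    Rule(((10, 10), (22, 22)), "deny"),      # redundant: the default is already deny
    Rule(((0, 255), (22, 22)), "permit"),
]

# ACL_A with its first two rules swapped: host 10 can now reach port 22.
ACL_C = [ACL_A[1], ACL_A[0], ACL_A[2]]

if __name__ == "__main__":
    print("A == B:", equivalent(ACL_A, ACL_B, UNIVERSE))  # True
    print("A == C:", equivalent(ACL_A, ACL_C, UNIVERSE))  # False
```

The check is complete rather than sampled because both order-free lists cover the whole universe and each cell is a single-action region; any point where the two policies disagreed would lie in some pair of overlapping cells with different actions. The number of spinoff cells can grow with the number of fields and rules, which is the practical cost of this representation.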
97 Citations
16 Claims
1. A method of processing access control lists in a computer network, the method comprising:
- obtaining a first access control list and storing it in memory;
- generating an order-free equivalent for the first access control list, the order-free equivalent comprising a plurality of multidimensional rules for permitting or denying access to resources in the computer network; and
- using the order-free equivalent to determine whether the first access control list is equivalent to a second access control list.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. An apparatus for processing access control lists in a computer network, the apparatus comprising:
- memory for storing information of a plurality of access control lists; and
- processor means for obtaining a first access control list from among a set of access control lists and storing it in the memory, for generating an order-free equivalent for the first access control list, the order-free equivalent comprising a plurality of multidimensional entries for permitting or denying access to resources in the computer network, and for using the order-free equivalent to determine whether the first access control list is equivalent to a second access control list.
Dependent claims: 10, 11, 12, 13, 14, 15, 16
Specification