SYSTEM AND METHOD FOR DETERMINING SYMANTIC EQUIVALENCE BETWEEN ACCESS CONTROL LISTS

US 20100199346A1
Filed: 12/10/2009
Published: 08/05/2010
Est. Priority Date: 02/02/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method of processing access control lists in a computer network, the method comprising:

obtaining a first access control list and storing it in memory;

generating an order-free equivalent for the first access control list, the order-free equivalent comprising a plurality of multidimensional rules for permitting or denying access to resources in the computer network; and

using the order-free equivalent to determine whether the first access control list is equivalent to a second access control list.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Aspects of the invention pertain to analyzing and modifying access control lists that are used in computer networks. Access control lists may have many individual rules that indicate whether information can be passed between certain devices in a computer network. The access control lists may include redundant or conflicting rules. An aspect of the invention determines whether two or more access control lists are equivalent or not. Order-dependent access control lists are converted into order-independent access control lists, which enable checking of semantic equivalence of different access control lists. Upon conversion to an order-independent access control list, lower-precedence rules in the order-free list are checked for overlap with a current higher precedence entry. If overlap exists, existing order-free rules are modified so that spinoff rules have no overlap with the current entry. This is done while maintaining semantic equivalence.

97 Citations

View as Search Results

16 Claims

1. A method of processing access control lists in a computer network, the method comprising:
- obtaining a first access control list and storing it in memory;
  
  generating an order-free equivalent for the first access control list, the order-free equivalent comprising a plurality of multidimensional rules for permitting or denying access to resources in the computer network; and
  
  using the order-free equivalent to determine whether the first access control list is equivalent to a second access control list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the first access control list includes a plurality of entries, and the method further comprises:
    - selecting first and second ones of the plurality of entries, the first entry having higher precedence in the first access control list than the second entry;
      
      determining whether the first entry completely encloses the second entry, and if the first entry complete encloses the second entry then the second entry is identified as being redundant, and if the first entry does not completely enclose the second entry then generating a spinoff of the second entry;
      
      storing any spinoffs of the second entry in memory; and
      
      repeating the selecting, the determining and the storing until all of the entries in the first access control list have been processed and the spinoffs form at least part of an order-free equivalent of the first access control list.
  - 3. The method of claim 2, further comprising creating a modified access control list that removes all redundant rules.
  - 4. The method of claim 2, wherein each spinoff includes at least one interval and a classification status.
  - 5. The method of claim 4, wherein the at least one interval represents at least one of an address or a port for the computer network.
  - 6. The method of claim 1, further comprising:
    - determining a volume of the first access control list based on the generated order-free equivalent; and
      
      wherein using the order-free equivalent to determine whether the first access control list is equivalent to the second access control list comprises comparing the volume of the first access control list to a volume of the second access control list to identify any semantic difference between the first and second access control lists.
  - 7. The method of claim 6, wherein determining the volume is based on a permit or deny classification status for each access control rules.
  - 8. The method of claim 6, wherein determining the volume includes calculating a volume-based hash function of the order-free equivalent of the first access control list.

9. An apparatus for processing access control lists in a computer network, the apparatus comprising:
- memory for storing information of a plurality of access control lists; and
  
  processor means for obtaining a first access control list from among a set of access control lists and storing it in the memory, for generating an order-free equivalent for the first access control list, the order-free equivalent comprising a plurality of multidimensional entries for permitting or denying access to resources in the computer network, and for network, and for using the order-free equivalent to determine whether the first access control list is equivalent to a second access control list.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9, wherein the first access control list includes a plurality of entries, and the processor means is configured to:
    - select first and second ones of the plurality of entries, the first entry having higher precedence in the first access control list than the second entry;
      
      determine whether the first entry completely encloses the second entry, and if the first entry complete encloses the second entry then the second entry is identified as being redundant, and if the first entry does not completely enclose the second entry then generating a spinoff of the second entry;
      
      store any spinoffs of the second entry in the memory; and
      
      repeat the selecting, the determining and the storing until all of the entries in the first access control list have been processed and the spinoffs form at least part of an order-free equivalent of the first access control list.
  - 11. The apparatus of claim 10, wherein the processor means is further configured to create a modified access control list that omits all redundant entries.
  - 12. The apparatus of claim 10, wherein each spinoff includes at least one interval and a classification status.
  - 13. The apparatus of claim 12, wherein the at least one interval represents at least one of an address or a port for the computer network.
  - 14. The apparatus of claim 9, the processor means being configured to determine a volume of the first access control list, wherein the order-free equivalent is used to determine whether the first access control list is equivalent to the second access control list by comparing the volume of the first access control list to a volume of the second access control list to identify any semantic difference between the first and second access control lists.
  - 15. The apparatus of claim 14, wherein determining the volume is based on a permit or deny classification status for each access control list.
  - 16. The apparatus of claim 14, wherein determining the volume includes calculating a volume-based hash function of the order-free equivalent of the first access control list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
TT Government Solutions, Inc. (Perspecta, Inc.)
Original Assignee
Telcordia Technologies Incorporated (Telefonaktiebolaget LM Ericsson)
Inventors
Naidu, Aditya, Talpade, Rajesh, Ling, Yibei

Application Number

US12/634,975
Publication Number

US 20100199346A1
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

H04L 63/0263 Rule management

SYSTEM AND METHOD FOR DETERMINING SYMANTIC EQUIVALENCE BETWEEN ACCESS CONTROL LISTS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

97 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DETERMINING SYMANTIC EQUIVALENCE BETWEEN ACCESS CONTROL LISTS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links