Rule compiler for computer network policy enforcement systems
First Claim
1. A method for compiling rules for an integrated policy enforcement system for a computer network, the integrated policy enforcement system comprising modules for implementing policies on network traffic, the method comprising the steps of:
a. receiving an input, the input comprising description of expressions and values of the expressions;
b. processing the input, wherein the step of processing the input comprises:
i. creating an expression value tree for the expressions used in the rules;
ii. creating a mutually exclusive set of values for an expression based on the expression value tree, wherein the mutually exclusive set of values for the expression is used for creating a modified set of rules; and
iii. assigning expression weights to the expressions in the modified set of rules, wherein the expression weights are used for defining a tree generation process;
c. generating a rule tree-graph data structure using the tree generation process, the rule tree-graph data structure comprising a tree data structure and a graph data structure, wherein the step of generating the rule tree-graph data structure comprises the steps of:
i. creating an expression value matrix based on relations between the expressions and the values of the expressions;
ii. receiving a cutoff value;
iii. defining the tree generation process based on the cutoff value and the expression weights of the expressions in the modified set of rules; and
iv. applying the tree generation process upon the expression value matrix; and
d. outputting policy files from the rule tree-graph data structure, the policy files being used by the modules for implementing policies on the network traffic.
2 Assignments
0 Petitions
Abstract
An integrated policy enforcement system for a computer network implements several policies on the network traffic. A rule compiler compiles these policies and converts them into a rule tree-graph, which is then used to provide the desired behavior for the network traffic comprising data packets. The rule compiler comprises three sub-modules, namely a rule input module, a rule tree generator module and a rule output module. The rule input module receives the input for the rule compiler and prepares it for the rule tree generator module. The rule tree generator module generates the rule tree-graph. The rule tree-graph is a data structure comprising a tree data structure and a graph data structure. Such a data structure combines the properties of a tree and a graph, and enhances the performance of the policy enforcement system by striking a balance between the memory required to store the data structure and the processing capability required to process the network traffic. The output module converts the rule tree-graph into policy files, which can be downloaded to the various modules of the policy enforcement system.
39 Citations
11 Claims
1. A method for compiling rules for an integrated policy enforcement system for a computer network, the integrated policy enforcement system comprising modules for implementing policies on network traffic, the method comprising the steps of:
a. receiving an input, the input comprising description of expressions and values of the expressions;
b. processing the input, wherein the step of processing the input comprises:
i. creating an expression value tree for the expressions used in the rules;
ii. creating a mutually exclusive set of values for an expression based on the expression value tree, wherein the mutually exclusive set of values for the expression is used for creating a modified set of rules; and
iii. assigning expression weights to the expressions in the modified set of rules, wherein the expression weights are used for defining a tree generation process;
c. generating a rule tree-graph data structure using the tree generation process, the rule tree-graph data structure comprising a tree data structure and a graph data structure, wherein the step of generating the rule tree-graph data structure comprises the steps of:
i. creating an expression value matrix based on relations between the expressions and the values of the expressions;
ii. receiving a cutoff value;
iii. defining the tree generation process based on the cutoff value and the expression weights of the expressions in the modified set of rules; and
iv. applying the tree generation process upon the expression value matrix; and
d. outputting policy files from the rule tree-graph data structure, the policy files being used by the modules for implementing policies on the network traffic.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for compiling rules for an integrated policy enforcement system for a computer network, the integrated policy enforcement system comprising modules for implementing policies on network traffic, the method comprising the steps of:
a. receiving an input, the input comprising rules and related information;
b. processing the input to generate an output, wherein the step of processing the input comprises the steps of:
i. creating an expression relationship structure from the input, wherein the input is obtained from an expression resource file;
ii. adding adjacencies to the expression relationship structure;
iii. splitting OR'ed conditions in the rules to generate a first set of modified rules;
iv. adding implicit expressions to the first set of modified rules to generate a second set of modified rules;
v. adding implicit rules to the second set of modified rules to generate a third set of modified rules;
vi. extracting IP based expressions and their values from the third set of modified rules;
vii. creating mutually exclusive sets of IP buckets from the values of the IP based expressions in the third set of modified rules;
viii. modifying the third set of modified rules according to the mutually exclusive sets of IP buckets to create a final set of rules; and
ix. assigning expression weights to different expressions by using the final set of rules and a weight criteria;
c. generating a data structure using the output of the processing step; and
d. outputting policy files from the data structure.
9. A method for compiling rules for an integrated policy enforcement system for a computer network, the integrated policy enforcement system comprising modules for implementing policies on network traffic, the method comprising the steps of:
a. receiving an input, the input comprising the rules and related information;
b. processing the input to generate an output;
c. generating a data structure using the output of the processing step, wherein the step of generating the data structure further comprises the steps of:
i. creating an expression value matrix, wherein the step of creating the expression value matrix further comprises creating the expression value matrix by processing expression weights, an expression relationship structure with added adjacencies and a final set of rules, the expression value matrix consisting of cells, the rows of the expression value matrix corresponding to the final set of rules, the columns of the expression value matrix denoting the expressions in decreasing order of the expression weights, the cell being assigned a specific value if an expression corresponding to the column must possess that value for the corresponding rule represented by the row, the cell being assigned “Do Not Care (*)” if the value of the expression does not make a difference to the satisfaction of the corresponding rule, the cell being assigned “Not Applicable (NA)” if the value of an expression does not have significance for evaluation of the corresponding rule;
ii. defining a tree graph procedure; and
iii. applying the tree graph procedure upon the first column of the expression value matrix; and
d. outputting policy files from the data structure.
10. A system for compiling rules for an integrated policy enforcement system for computer networks, the integrated policy enforcement system comprising modules for implementing policies on network traffic, the system for compiling the rules receives a cutoff value, expression data, rules and a weight criteria, the expression data comprising definitions of a plurality of expressions, an expression denoting a property of the network traffic, the rule comprising an action associated with conditions, a condition comprising the plurality of expressions and their corresponding values, the system for compiling rules comprising:
a. a rule input module for processing an input and generating an output, wherein the rule input module further comprises:
i. means for creating an expression relationship structure from the expression data;
ii. means for adding adjacencies to the expression relationship structure;
iii. means for splitting OR'ed conditions in the rules to generate a first set of modified rules;
iv. means for adding implicit expressions to the first set of modified rules to generate a second set of modified rules;
v. means for adding implicit rules to the second set of modified rules to generate a third set of modified rules;
vi. means for extracting IP based expressions and their values from the third set of modified rules;
vii. means for creating mutually exclusive sets of IP buckets and an IP lookup object model from the values of the IP based expressions in the third set of modified rules;
viii. means for modifying the third set of modified rules according to the mutually exclusive sets of IP buckets to create a final set of rules; and
ix. means for assigning expression weights to different expressions by using the final set of rules and the weight criteria;
b. a rule tree generator module that generates a rule tree-graph structure from the output generated by the rule input module; and
c. an output module for outputting policy files from the rule tree-graph structure and object models.
Dependent claims: 11.
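The rule-processing pipeline of claims 8 and 10 (OR-splitting, mutually exclusive IP buckets, expression weights), the expression value matrix of claim 9 and the cutoff-driven tree generation of claim 1, worked as an added Python example. This is illustrative code written for this page, not the patent's own rule compiler, and it fills in details the claims leave open with labelled assumptions: the weight criterion (assumed to be the number of final rules that constrain an expression), the cutoff semantics (assumed: a node holding no more than the cutoff number of rules becomes a linearly searched leaf instead of branching further), and when a cell is NA rather than * (assumed: a port expression is not applicable to a rule whose protocol has no ports). The sample rules, the expression names src_ip, proto and dport, and all function names are constructed for the example; the expression relationship structure, adjacencies, implicit expressions and implicit rules of claim 8 steps i, ii, iv and v are not modelled.

```python
"""Toy rule compiler modelled on the claims above (illustrative code for this page,
not the patent's): OR-splitting, mutually exclusive IP buckets, an expression-value
matrix and a cutoff-bounded rule tree-graph. Weight criterion, cutoff semantics and
the NA rule are assumptions the claims leave open."""
import ipaddress

STAR, NA = "*", "NA"         # "Do Not Care" / "Not Applicable" cell markers (claim 9)
IP_EXPRESSIONS = {"src_ip"}  # expressions whose values are IP ranges (claim 8, step vi)
# Assumption: a cell is NA when this predicate rejects the rule's condition, e.g. a
# destination port is not applicable to a rule whose protocol carries no ports.
APPLICABLE = {"dport": lambda cond: cond.get("proto") in ("tcp", "udp")}

# Constructed sample rules: (action, [OR'ed conditions]); a condition maps expression -> value.
SAMPLE_RULES = [
    ("deny",  [{"src_ip": "10.0.0.0/8", "proto": "tcp", "dport": 23}]),
    ("allow", [{"src_ip": "10.1.0.0/16", "proto": "tcp"},
               {"src_ip": "10.1.0.0/16", "proto": "udp"}]),
    ("allow", [{"proto": "icmp"}]),
    ("deny",  [{"proto": "tcp", "dport": 23}]),
]

def ip_range(cidr):
    net = ipaddress.ip_network(cidr)
    return int(net[0]), int(net[-1]) + 1       # [start, end) as integers

def ip_buckets(rules):
    """Claim 8, step vii: cut the address space at every range boundary the rules use,
    giving mutually exclusive [start, end) buckets."""
    bounds = {b for _, conds in rules for c in conds
              for e in IP_EXPRESSIONS if e in c for b in ip_range(c[e])}
    b = sorted(bounds)
    return list(zip(b, b[1:]))

def final_rules(rules, buckets):
    """Steps iii and viii: split OR'ed conditions into separate rules, then expand each IP
    range into one rule per bucket it covers. Original rule index = priority (first match wins)."""
    out = []
    for prio, (action, conds) in enumerate(rules):
        for cond in conds:
            expanded = [dict(cond)]
            for e in [e for e in IP_EXPRESSIONS if e in cond]:
                lo, hi = ip_range(cond[e])
                idx = [i for i, (s, t) in enumerate(buckets) if lo <= s and t <= hi]
                expanded = [dict(c, **{e: i}) for c in expanded for i in idx]
            out += [(prio, action, c) for c in expanded]
    return out

def matrix(frules):
    """Claim 9, step i: rows = final rules, columns = expressions in decreasing weight
    (assumed criterion: number of rules constraining the expression); cell = required
    value, * if unconstrained, NA if the expression is not applicable to the rule."""
    w = {}
    for _, _, cond in frules:
        for e in cond:
            w[e] = w.get(e, 0) + 1
    cols = sorted(w, key=lambda e: (-w[e], e))
    rows = [(prio, action, [cond[e] if e in cond else
                            NA if e in APPLICABLE and not APPLICABLE[e](cond) else STAR
                            for e in cols]) for prio, action, cond in frules]
    return cols, rows

def build(rows, col, ncols, cutoff):
    """Tree generation under the assumed cutoff semantics: at most `cutoff` rows make a
    linearly searched leaf (no further copying of * rows); more rows branch on the next column."""
    if len(rows) <= cutoff or col == ncols:
        return {"leaf": sorted(rows, key=lambda r: r[0])}
    wild = [r for r in rows if r[2][col] in (STAR, NA)]      # copied into every branch
    values = {r[2][col] for r in rows} - {STAR, NA}
    return {"col": col, "default": build(wild, col + 1, ncols, cutoff),
            "kids": {v: build([r for r in rows if r[2][col] == v] + wild,
                              col + 1, ncols, cutoff) for v in values}}

def compile_rules(rules, cutoff=2):
    buckets = ip_buckets(rules)
    cols, rows = matrix(final_rules(rules, buckets))
    return {"buckets": buckets, "cols": cols, "tree": build(rows, 0, len(cols), cutoff)}

def tree_stats(node):
    """(leaves, rule copies stored in leaves): the memory side of the cutoff trade-off."""
    if "leaf" in node:
        return 1, len(node["leaf"])
    parts = [tree_stats(k) for k in node["kids"].values()] + [tree_stats(node["default"])]
    return sum(p[0] for p in parts), sum(p[1] for p in parts)

def lookup(policy, packet):
    """Map packet fields to matrix values (an IP becomes its bucket index, None when it
    falls outside every bucket), walk the tree, then scan the leaf in priority order."""
    vals = []
    for e in policy["cols"]:
        v = packet.get(e)
        if e in IP_EXPRESSIONS and v is not None:
            ip = int(ipaddress.ip_address(v))
            v = next((i for i, (s, t) in enumerate(policy["buckets"]) if s <= ip < t), None)
        vals.append(v)
    node = policy["tree"]
    while "leaf" not in node:
        node = node["kids"].get(vals[node["col"]], node["default"])
    for _, action, cells in node["leaf"]:
        if all(c in (STAR, NA) or c == v for c, v in zip(cells, vals)):
            return action
    return None
```

On the sample rules the two IP ranges split into three mutually exclusive buckets, the columns come out as proto, src_ip, dport, and with cutoff=2 the compiled tree has 8 leaves holding 11 rule copies (rules with * cells are duplicated into every branch they can match) while a lookup visits at most three nodes before its linear scan; raising the cutoff above the rule count collapses the structure to a single leaf of 7 rows searched linearly, which is the memory versus processing balance the abstract attributes to the tree-graph.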
Specification