Method and system for management of security rule set

US 8,468,113 B2
Filed: 09/20/2010
Issued: 06/18/2013
Est. Priority Date: 05/18/2009
Status: Active Grant

First Claim

Patent Images

1. A method of automated managing a security rule-set, the method comprising:

a. obtaining data characterizing a connectivity request;

b. automated recognizing all possible combinations of values in the connectivity request;

c. automated verifying each combination of values in the connectivity request against a first rule-set;

d. calculating one or more values characterizing relative amount of satisfied and dissatisfied combinations in the request;

e. automated comparing the calculated values or derivatives thereof with a predefined threshold; and

f. automated classifying the connectivity request in accordance with comparison results.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There are provided a method of automated managing two or more security rule-sets and a system thereof. The method comprises: obtaining data characterizing a first rule-set and a second rule-set; automated recognizing all possible combinations of values in the first and the second rule-sets; automated verifying each combination of values in the second rule-set against the first rule-set; calculating one or more values characterizing the differences in allowable and rejectable traffic in the first rule-set and the second rule-set; automated comparing the calculated values and/or derivatives thereof with a predefined threshold; and automated classifying the relationship between the first rule-set and the second rule-set in accordance with comparison results. The method may further comprise obtaining a connectivity request; automated verifying each combination of values in the connectivity request against the first rule-set and the second rule-set; and automated classifying the second rule-set with regard to the connectivity request, wherein the second rule-set comprises extra allowable traffic resulting from amending the first rule set.

29 Citations

View as Search Results

22 Claims

1. A method of automated managing a security rule-set, the method comprising:
- a. obtaining data characterizing a connectivity request;
  
  b. automated recognizing all possible combinations of values in the connectivity request;
  
  c. automated verifying each combination of values in the connectivity request against a first rule-set;
  
  d. calculating one or more values characterizing relative amount of satisfied and dissatisfied combinations in the request;
  
  e. automated comparing the calculated values or derivatives thereof with a predefined threshold; and
  
  f. automated classifying the connectivity request in accordance with comparison results.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - a. amending the first rule-set, thus giving rise to a second rule set comprising extra allowed traffic resulting from the amended;
      
      b. automated verifying each combination of values in the connectivity request against the second rule-set;
      
      c. calculating one or more values selected from a group comprising values characterizing relative amount of extra allowed traffic and values characterizing relative amount of dissatisfied traffic in the connectivity request;
      
      d. automated comparing the calculated values or derivatives thereof with a predefined threshold; and
      
      e. automated classifying the second rule-set in accordance with comparison results.
  - 3. The method of claim 2 wherein at least one value characterizing relative amount of extra allowed traffic is selected from a group comprising:
    - a. values characterizing a relation between allowed traffic in the second rule-set and traffic allowed in the first rule-set;
      
      b. values characterizing a relation between entire added traffic and traffic which needs to be added in accordance with the connectivity request; and
      
      c. values characterizing a relation between allowed traffic that has not been requested and traffic allowed in the first rule-set.
  - 4. The method of claim 2 wherein at least one value characterizing relative amount of dissatisfied requested traffic is selected from a group comprising:
    - a. values characterizing a relation between requested traffic dissatisfied resulting from amendment and requested traffic satisfied resulting from the amendment;
      
      b. values characterizing a relation between requested traffic dissatisfied resulting from the amendment and entire requested traffic; and
      
      c. values characterizing a relation between requested traffic dissatisfied resulting from the amendment and requested traffic dissatisfied before the amendment.
  - 5. The method of claim 1 further comprising generating a verification report.
  - 6. The method of claim 1 wherein the verification is provided with regard to one or more rules within the first rule-set.
  - 7. The method of claim 2 comprising verifying one or more certain rules in the second rule-set against the connectivity request, thereby enabling considering possible side effects related to amending said certain rules.
  - 8. A computer program embodied on a non-transitory computer readable medium comprising computer program code means for performing all the steps of claim 1 when said program is run on a computer.

9. A system capable of automated managing a security rule-set, the system comprising:
- a. an interface operable to obtain data characterizing a connectivity request;
  
  b. means for automated recognizing all possible combinations of values in the connectivity request;
  
  c. means for automated verifying each combination of values in the connectivity request against a first rule-set;
  
  d. means for automated calculating one or more values characterizing relative amount of satisfied and dissatisfied combinations in the request;
  
  e. means for automated comparing the calculated values or derivatives thereof with a predefined threshold; and
  
  f. means for automated classifying the connectivity request in accordance with comparison results.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9 further comprising:
    - a. means for obtaining a second rule-set comprising extra allowed traffic resulting from the amending the first rule-set;
      
      b. means for automated verifying each combination of values in the connectivity request against the second rule-set;
      
      c. means for automated calculating one or more values selected from a group comprising values characterizing relative amount of extra allowed traffic and values characterizing relative amount of dissatisfied traffic in the connectivity request;
      
      d. means for automated comparing the calculated values or derivatives thereof with a predefined threshold; and
      
      e. means for automated classifying the second rule-set in accordance with comparison results.
  - 11. The system of claim 10 wherein at least one value characterizing relative amount of extra allowed traffic is selected from a group comprising:
    - a. value characterizing a relation between allowed traffic in the second rule-set and traffic allowed in the first rule-set;
      
      b. value characterizing a relation between entire added traffic and traffic which needs to be added in accordance with the connectivity request; and
      
      c. value characterizing a relation between allowed traffic that has not been requested and traffic allowed in the first rule-set.
  - 12. The system of claim 10 wherein at least one value characterizing relative amount of dissatisfied requested traffic is selected from a group comprising:
    - a. value characterizing a relation between requested traffic dissatisfied resulting from amendment and requested traffic satisfied resulting from the amendment;
      
      b. value characterizing a relation between requested traffic dissatisfied resulting from the amendment and entire requested traffic; and
      
      c. value characterizing a relation between requested traffic dissatisfied resulting from the amendment and requested traffic dissatisfied before the amendment.
  - 13. The system of claim 9 further comprising generating a verification report.

14. A method of automated managing two or more security rule-sets, the method comprising:
- a. obtaining data characterizing a first rule-set and a second rule-set;
  
  b. automated recognizing all possible combinations of values in the first and the second rule-sets;
  
  c. automated verifying each combination of values in the second rule-set against the first rule-set;
  
  d. calculating one or more values characterizing the differences in allowable and rejectable traffic in the first rule-set and the second rule-set;
  
  e. automated comparing the calculated values or derivatives thereof with a predefined threshold; and
  
  f. automated classifying the relationship between the first rule-set and the second rule-set in accordance with comparison results.
- View Dependent Claims (15, 16, 17, 18)
- - 15. A computer program embodied on a non-transitory computer readable medium comprising computer program code means for performing all the steps of claim 14 when said program is run on a computer.
  - 16. The method of claim 14 wherein the second rule-set comprises extra allowable traffic resulting from amending the first rule set, the method further comprising:
    - a. obtaining a connectivity request;
      
      b. automated recognizing all possible combinations of values in the connectivity request;
      
      c. automated verifying each combination of values in the connectivity request against the first rule-set and the second rule-set;
      
      d. calculating one or more values selected from a group comprising values characterizing relative amount of extra allowed traffic and values characterizing relative amount of dissatisfied traffic in the connectivity request;
      
      e. automated comparing the calculated values or derivatives thereof with a predefined threshold; and
      
      f. automated classifying, in accordance with comparison results, the second rule-set with regard to the connectivity request.
  - 17. The method of claim 16 wherein at least one value characterizing relative amount of extra allowed traffic is selected from a group comprising:
    - a. value characterizing a relation between allowed traffic in the second rule-set and traffic allowed in the first rule-set;
      
      b. value characterizing a relation between entire added traffic and traffic which needs to be added in accordance with the connectivity request; and
      
      c. value characterizing a relation between allowed traffic that has not been requested and traffic allowed in the first rule-set.
  - 18. The method of claim 16 wherein at least one value characterizing relative amount of dissatisfied requested traffic is selected from a group comprising:
    - a. value characterizing a relation between requested traffic dissatisfied resulting from amendment and requested traffic satisfied resulting from the amendment;
      
      b. value characterizing a relation between requested traffic dissatisfied resulting from the amendment and entire requested traffic; and
      
      c. value characterizing a relation between requested traffic dissatisfied resulting from the amendment and requested traffic dissatisfied before the amendment.

19. A system capable of automated managing a security rule-set, the system comprising:
- a. means for obtaining data characterizing a first rule-set and a second rule-set;
  
  b. means for automated recognizing all possible combinations of values in the first and the second rule-sets;
  
  c. means for automated verifying each combination of values in the second rule-set against the first rule-set;
  
  d. means for calculating one or more values characterizing the differences in allowable and rejectable traffic in the first rule-set and the second rule-set;
  
  e. means for automated comparing the calculated values or derivatives thereof with a predefined threshold; and
  
  f. means for automated classifying the relationship between the first rule-set and the second rule-set in accordance with comparison results.
- View Dependent Claims (20, 21, 22)
- - 20. The system of claim 19 wherein the second rule-set comprises extra allowable traffic resulting from amending the first rule set, the system further comprising:
    - a. means for obtaining a connectivity request;
      
      b. means for automated recognizing all possible combinations of values in the connectivity request;
      
      c. means for automated verifying each combination of values in the connectivity request against the first rule-set and the second rule-set;
      
      d. means for calculating one or more values selected from a group comprising values characterizing relative amount of extra allowed traffic and values characterizing relative amount of dissatisfied traffic in the connectivity request;
      
      e. means for automated comparing the calculated values or derivatives thereof with a predefined threshold; and
      
      f. means for automated classifying, in accordance with comparison results, the second rule-set with regard to the connectivity request.
  - 21. The system of claim 20 wherein at least one value characterizing relative amount of extra allowed traffic is selected from a group comprising:
    - a. value characterizing a relation between allowed traffic in the second rule-set and traffic allowed in the first rule-set;
      
      b. value characterizing a relation between entire added traffic and traffic which needs to be added in accordance with the connectivity request; and
      
      c. value characterizing a relation between allowed traffic that has not been requested and traffic allowed in the first rule-set.
  - 22. The system of claim 20 wherein at least one value characterizing relative amount of dissatisfied requested traffic is selected from a group comprising:
    - a. value characterizing a relation between requested traffic dissatisfied resulting from amendment and requested traffic satisfied resulting from the amendment;
      
      b. value characterizing a relation between requested traffic dissatisfied resulting from the amendment and entire requested traffic; and
      
      c. value characterizing a relation between requested traffic dissatisfied resulting from the amendment and requested traffic dissatisfied before the amendment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tufin Software Technologies Ltd.
Original Assignee
Tufin Software Technologies Ltd.
Inventors
Harrison, Reuven, Cogan, Amir, Barkan, Tomer
Primary Examiner(s)
Gaffin, Jeffrey A
Assistant Examiner(s)
Hill, Stanley K

Application Number

US12/885,929
Publication Number

US 20110060713A1
Time in Patent Office

1,002 Days
Field of Search

706/47, 713/100, 726/12
US Class Current

706/47
CPC Class Codes

G06F 21/604   Tools and structures for ma...

G06N 5/02   Knowledge representation; S...

H04L 63/20   for managing network securi...

H04L 65/765   intermediate

Method and system for management of security rule set

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Method and system for management of security rule set

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others