Method of configuring a security gateway and system thereof
First Claim
1. A method of configuring a security gateway by means of a processor operatively coupled to a memory, the method comprising:
a) accommodating in the memory an initial rule-set;
b) obtaining log records of communication events corresponding to the initial rule-set to obtain a sufficient amount of log records;
c) generating, with the processor, a transformation-based rule-set by transforming the obtained log records into respective rules, wherein each obtained log record is transformed into a respective rule with source, destination and service fields corresponding to source, destination and service values in the transformed obtained log record, and wherein an action in the rule is defined as “Accept”; and
d) generating an operable rule-set by processing, with the processor, the transformation-based rule-set, wherein generating the operable rule-set by processing of the transformation-based rule-set comprises:
   a) identifying and removing duplicate rules among the transformation-based rules, thus giving rise to remaining rules, wherein each remaining rule is provided with an initial hit count characterizing a number of respective duplicated rules before removing; and
   b) consolidating the remaining rules by source, destination and service respectively, thus giving rise to consolidated rules, wherein each consolidated rule is provided with a consolidated hit count calculated by summarizing the initial hit counts of the rules consolidated in the respective consolidated rule.
Abstract
There is provided a rule-set generator and a method of automated configuration of a security gateway. The method comprises setting-up an initial rule-set; obtaining log records of communication events corresponding to the initial rule-set so as to obtain a sufficient amount of log records; transforming the obtained log records into respective rules, wherein source, destination and service fields in each rule correspond to source, destination and service values in respective obtained log record, and the action in all rules is defined as “Accept”, thus giving rise to a transformation-based rule-set; and processing the transformation-based rule-set so as to generate an operable rule-set by processing the transformation-based rule-set.
26 Claims
1. A method of configuring a security gateway by means of a processor operatively coupled to a memory, the method comprising:
a) accommodating in the memory an initial rule-set;
b) obtaining log records of communication events corresponding to the initial rule-set to obtain a sufficient amount of log records;
c) generating, with the processor, a transformation-based rule-set by transforming the obtained log records into respective rules, wherein each obtained log record is transformed into a respective rule with source, destination and service fields corresponding to source, destination and service values in the transformed obtained log record, and wherein an action in the rule is defined as “Accept”; and
d) generating an operable rule-set by processing, with the processor, the transformation-based rule-set, wherein generating the operable rule-set by processing of the transformation-based rule-set comprises:
   a) identifying and removing duplicate rules among the transformation-based rules, thus giving rise to remaining rules, wherein each remaining rule is provided with an initial hit count characterizing a number of respective duplicated rules before removing; and
   b) consolidating the remaining rules by source, destination and service respectively, thus giving rise to consolidated rules, wherein each consolidated rule is provided with a consolidated hit count calculated by summarizing the initial hit counts of the rules consolidated in the respective consolidated rule.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 24.
17. A rule-set generator comprising:
a) a first memory configured to accommodate an initial rule-set to be used for configuring a security gateway;
b) a second memory configured to accommodate log records of communication events corresponding to the initial rule-set;
c) a processor operatively coupled to the first repository and the second repository, the processor being configured to:
   i) generate a transformation-based rule-set by transforming said accommodated log records into respective rules, wherein each obtained log record is transformed into a respective rule with source, destination and service fields corresponding to source, destination and service values in the transformed log record, and wherein an action in the rule is defined as “Accept”; and
   ii) generate an operable rule-set by processing the transformation-based rule-set, wherein the processor is further configured to generate the operable rule-set by processing the transformation-based rule-set as follows:
      a) to identify and remove duplicate rules among the transformation-based rules, thus giving rise to remaining rules, wherein to provide each remaining rule with an initial hit count characterizing a number of respective duplicated rules before removing; and
      b) to consolidate the remaining rules by source, destination and service respectively, thus giving rise to consolidated rules, wherein to provide each consolidated rule with a consolidated hit count calculated by summarizing the initial hit counts of the rules consolidated in the respective consolidated rule.
Dependent claims: 18, 19, 20, 21, 22, 23, 25.
26. A computer program product comprising a non-transitory computer readable medium storing computer readable program code for a computer generating a rule-set, the computer program product comprising:
computer readable program code for causing the computer to accommodate in a memory an initial rule-set;
computer readable program code for causing the computer to obtain log records of communication events corresponding to the initial rule-set so as to obtain a sufficient amount of log records;
computer readable program code for causing the computer to generate a transformation-based rule-set by transforming the obtained log records into respective rules, wherein each obtained log record is transformed into a respective rule with source, destination and service fields corresponding to source, destination and service values in the transformed obtained log record, and wherein an action in the rule is defined as “Accept”; and
computer readable program code for causing the computer to generate an operable rule-set by processing the transformation-based rule-set, wherein the computer readable program code is further configured to cause the computer to generate the operable rule-set by processing the transformation-based rule-set as follows:
   a) to identify and remove duplicate rules among the transformation-based rules, thus giving rise to remaining rules, wherein to provide each remaining rule with an initial hit count characterizing a number of respective duplicated rules before removing; and
   b) to consolidate the remaining rules by source, destination and service respectively, thus giving rise to consolidated rules, wherein to provide each consolidated rule with a consolidated hit count calculated by summarizing the initial hit counts of the rules consolidated in the respective consolidated rule.
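The claimed pipeline (steps c and d of claim 1, restated in claims 17 and 26) carried through on constructed log records, as an added illustration that is not the patent's own code: each record becomes an "Accept" rule, identical rules are collapsed into one rule carrying a hit count, and the survivors are consolidated by source, then destination, then service, with hit counts summed. The record layout and the representation of consolidated fields as sets are assumptions of this example.

```python
from collections import Counter

# Constructed sample log records (not from the patent): (source, destination, service)
# of communication events logged while the initial rule-set was in force.
LOG_RECORDS = [
    ("10.0.0.5", "10.1.0.10", "tcp/443"), ("10.0.0.5", "10.1.0.10", "tcp/443"),
    ("10.0.0.5", "10.1.0.10", "tcp/443"), ("10.0.0.6", "10.1.0.10", "tcp/443"),
    ("10.0.0.5", "10.1.0.11", "tcp/443"), ("10.0.0.5", "10.1.0.11", "tcp/443"),
    ("10.0.0.6", "10.1.0.11", "tcp/443"), ("10.0.0.5", "10.1.0.10", "tcp/22"),
]

FIELDS = ("src", "dst", "service")


def transform(records):
    """Step c): one rule per log record, fields copied verbatim, action 'Accept'."""
    return [(src, dst, svc, "Accept") for src, dst, svc in records]


def remove_duplicates(rules):
    """Step d)a): collapse identical rules; the initial hit count is the number of
    copies that existed before removal. Fields become sets so they can be merged."""
    return [
        {"src": frozenset([s]), "dst": frozenset([d]), "service": frozenset([svc]),
         "action": act, "hits": n}
        for (s, d, svc, act), n in Counter(rules).items()
    ]


def consolidate(rules, field):
    """Step d)b) for one field: rules agreeing on the other two fields merge into one
    rule whose `field` is the union of their values and whose consolidated hit count
    is the sum of their hit counts."""
    others = [f for f in FIELDS if f != field]
    merged = {}
    for r in rules:
        key = tuple(r[f] for f in others)
        if key not in merged:
            merged[key] = dict(r)  # copy so the input rule is left untouched
        else:
            merged[key][field] = merged[key][field] | r[field]
            merged[key]["hits"] += r["hits"]
    return list(merged.values())


def generate_operable_rule_set(records):
    """Steps c) and d) end to end: transform, de-duplicate, then consolidate by
    source, destination and service in turn; highest hit count first."""
    rules = remove_duplicates(transform(records))
    for field in FIELDS:
        rules = consolidate(rules, field)
    return sorted(rules, key=lambda r: r["hits"], reverse=True)
```

On the sample records the eight events collapse to five distinct rules and then to two consolidated rules, whose hit counts still sum to the number of input records; that invariant is a cheap sanity check that no traffic was dropped during consolidation.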
Specification