Method of generating security rule-set and system thereof

US 8,646,031 B2
Filed: 12/15/2011
Issued: 02/04/2014
Est. Priority Date: 12/16/2010
Status: Active Grant

First Claim

Patent Images

1. A method of generating a security rule-set using a computer comprising a processor operatively coupled to a memory, the method comprising:

a) obtaining in the memory a group of log records of communication events resulting from traffic related to the security gateway;

b) generating by the processor, a preliminary rule-set of permissive rules, said set covering the obtained group of log records;

c) generating, by the processor and with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the obtained group of log records; and

d) generating, by the processor, an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rule to the obtained group of log records,wherein generating the operational rule-set comprises recursive dividing the rules in respective preliminary rule-set and generating a respective rule-set of non-overlapping rules until the generated rule-set of non-overlapping rules matches a predefined criterion.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There are provided a method of automated generation of a security rule-set and a system thereof. The method comprises: obtaining a group of log records of communication events resulting from traffic related to the security gateway; generating a preliminary rule-set of permissive rules, said set covering the obtained group of log records; generating, with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the group of log records; and generating an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rule to the obtained group of log records.

Citations

18 Claims

1. A method of generating a security rule-set using a computer comprising a processor operatively coupled to a memory, the method comprising:
- a) obtaining in the memory a group of log records of communication events resulting from traffic related to the security gateway;
  
  b) generating by the processor, a preliminary rule-set of permissive rules, said set covering the obtained group of log records;
  
  c) generating, by the processor and with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the obtained group of log records; and
  
  d) generating, by the processor, an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rule to the obtained group of log records,wherein generating the operational rule-set comprises recursive dividing the rules in respective preliminary rule-set and generating a respective rule-set of non-overlapping rules until the generated rule-set of non-overlapping rules matches a predefined criterion.
- View Dependent Claims (2, 3, 4, 5, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the obtained group of log records comprises amount of log records matching a predefined threshold.
  - 3. The method of claim 1, wherein the obtained group of log records comprises all log records collected during a substantial collection period.
  - 4. The method of claim 1, wherein the obtained group of log records comprises log records selected among collected log records, wherein the selection is provided in accordance with values specified in at least one field of the collected log records.
  - 5. The method of claim 1 wherein traffic related to the security gateway is selected from a group comprising traffic controlled by the security gateway and traffic between source and destination addresses to be controlled by the security gateway.
  - 7. The method of claim 1 further comprising generating a tree structure representing at a respective level each of the recursive generated rule-sets of non-overlapping rules.
  - 8. The method of claim 7 further comprising traversing the generated tree structure in order to generate the operational rule-set matching a predefined criterion selected from a group comprising criteria related, at least, to extra coverage and criteria related, at least, to a number of rules in the operational rule set.
  - 9. The method of claim 1 wherein generating the rule-set of non-overlapping rules comprises:
    - a) marking by a certain mark all log records in the obtained group of log records;
      
      b) selecting in preliminary rule-set a rule with the maximal ratio between number of covered log records marked by said certain mark and the volume of an address space of the respective rule;
      
      c) adding the selected rule to the rule-set of non-overlapping rules;
      
      d) removing said certain mark from the log records covered by said rule;
      
      e) removing from preliminary rule-set all rules overlapping with the selected rule; and
      
      f) repeating steps b)-e) until removing said certain mark from all log records in the obtained group of log records.
  - 10. The method of claim 1 wherein generating the rule-set of non-overlapping rules comprises:
    - a) marking by a certain mark all log records in the obtained group of log records;
      
      b) selecting in preliminary rule-set a rule with the maximal ratio between number of covered log records marked by said certain mark and the volume of the address space of the respective rule;
      
      c) adding the selected rule to the rule-set of non-overlapping rules;
      
      d) removing said certain mark from the log records covered by said rule;
      
      e) generating a new preliminary rule-set covering remained log records marked by the certain mark and characterized by address space non-overlapping with the address space of the selected rule andf) repeating steps b)-e) until removing said certain mark from all log records in the obtained group of log records.

6. A method of generating a security rule-set using a computer comprising a processor operatively coupled to a memory, the method comprising:
- a) obtaining in the memory a group of log records of communication events resulting from traffic related to the security gateway;
  
  b) generating by the processor, a preliminary rule-set of permissive rules, said set covering the obtained group of log records;
  
  c) generating, by the processor and with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the obtained group of log records; and
  
  d) generating, by the processor, an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rule to the obtained group of log records,wherein generating the preliminary rule-set comprises defining an address space covering the obtained group of log records and generating 2R permissive rules, wherein each of R non-overlapping equal-size rules controls respective part of traffic resulting from dividing the destination range characterizing said defined address space into R parts whilst maintaining the source range of said address space, and wherein each of other R non-overlapping rules controls a respective part of traffic resulting from dividing the source range of said defined address space into R parts whilst maintaining the destination range of said address space, and wherein R is natural number R>
  
  1.

11. A system capable of automated generation of a security rule-set, the system comprising:
- an interface operable to obtain a group of log records of communication events resulting from traffic related to the security gateway;
  
  a memory operatively coupled to the interface and operable to store the obtained group of log records; and
  
  a processor operatively coupled to the memory and operable to;
  
  generate a preliminary rule-set of permissive rules, said set covering the obtained group of log records;
  
  generate, with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the obtained group of log records; and
  
  generate an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rule to the obtained group of log records,wherein the generation of the operational rule-set comprises recursive dividing the rules in respective preliminary rule-set and generating a respective rule-set of non-overlapping rules until the generated rule-set of non-overlapping rules matches a predefined criterion, thus giving rise to the operational rule-set.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 11 wherein the processor is further operable to generate a tree structure representing at a respective level each of the recursive generated rule-sets of non-overlapping rules.
  - 14. The system of claim 13 wherein the processer is further operable to traverse the generated tree structure in order to generate the operational rule-set matching a predefined criterion selected from a group comprising criteria related, at least, to extra coverage and criteria related, at least, to a number of rules in the operational rule set.
  - 15. The system of claim 11 wherein the generation of the rule-set of non-overlapping rules comprises:
    - a) marking by a certain mark all log records in the obtained group of log records;
      
      b) selecting in preliminary rule-set a rule with the maximal ratio between number of covered log records marked by said certain mark and the volume of an address space of the respective rule;
      
      c) adding the selected rule to the rule-set of non-overlapping rules;
      
      d) removing said certain mark from the log records covered by said rule;
      
      e) removing from preliminary rule-set all rules overlapping with the selected rule; and
      
      f) repeating steps b)-e) until removing said certain mark from all log records in the obtained group of log records.
  - 16. The system of claim 11 wherein the generation of the rule-set of non-overlapping rules comprises:
    - a) marking by a certain mark all log records in the obtained group of log records;
      
      b) selecting in preliminary rule-set a rule with the maximal ratio between number of covered log records marked by said certain mark and the volume of an address space of the respective rule;
      
      c) adding the selected rule to the rule-set of non-overlapping rules;
      
      d) removing said certain mark from the log records covered by said rule;
      
      e) generating a new preliminary rule-set covering remained log records marked by the certain mark and characterized by an address space non-overlapping with an address space of the selected rule; and
      
      f) repeating steps b)-e) until removing said certain mark from all log records in the obtained group of log records.
  - 17. The system of claim 11, wherein the obtained group of log records comprises log records selected among collected log records, wherein the selection is provided in accordance with values specified in at least one field of the collected log records.

12. A system capable of automated generation of a security rule-set, the system comprising:
- an interface operable to obtain a group of log records of communication events resulting from traffic related to the security gateway;
  
  a memory operatively coupled to the interface and operable to store the obtained group of log records; and
  
  a processor operatively coupled to the memory and operable to;
  
  generate a preliminary rule-set of permissive rules, said set covering the obtained group of log records;
  
  generate, with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the obtained group of log records; and
  
  generate an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rule to the obtained group of log records,wherein the generation of the preliminary rule-set comprises defining an address space covering the obtained group of log records and generating 2R permissive rules, wherein each of R non-overlapping equal-size rules controls respective part of traffic resulting from dividing the destination range characterizing said defined address space into R parts whilst maintaining the source range of said address space, and wherein each of other R non-overlapping rules controls a respective part of traffic resulting from dividing the source range of said defined address space into R parts whilst maintaining the destination range of said address space, and wherein R is natural number R>
  
  1.

18. A computer program product comprising a non-transitory computer useable medium having computer readable program code embodied therein for automated generation of a security rule-set, the computer program product comprising:
- a) computer readable program code for enabling the computer to obtain a group of log records of communication events resulting from traffic related to the security gateway;
  
  b) computer readable program code for enabling the computer to generate a preliminary rule-set of permissive rules, said set covering the obtained group of log records;
  
  c) computer readable program code for enabling the computer to generate, with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the obtained group of log records; and
  
  d) computer readable program code for enabling the computer to generate an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rule to the obtained group of log records,wherein generating the operational rule-set comprises recursive dividing the rules in respective preliminary rule-set and generating a respective rule-set of non-overlapping rules until the generated rule-set of non-overlapping rules matches a predefined criterion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tufin Software Technologies Ltd.
Original Assignee
Tufin Software Technologies Ltd.
Inventors
Lavi, Yoni, Gronich, Yoram, Schechtman, Haggai
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
BROWN, ANTHONY D

Application Number

US13/326,517
Publication Number

US 20120180104A1
Time in Patent Office

782 Days
Field of Search

726/1, 726/11, 726/12, 726/22, 709223-224
US Class Current

726/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Method of generating security rule-set and system thereof

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method of generating security rule-set and system thereof

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links