Method and system for analyzing security ruleset by generating a logically equivalent security rule-set

US 8,806,569 B2
Filed: 02/07/2012
Issued: 08/12/2014
Est. Priority Date: 02/07/2011
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing an initial ordered security rule-set comprising a plurality of rules, each rule comprising N≧

1 extrinsic fields, wherein the rule-set is associated with at least one data structure specifying groups of extrinsic values characterizing at least one extrinsic field, the method comprising;

upon specifying an extrinsic space constituted by atomic elements corresponding to extrinsic values characterizing an extrinsic field, partitioning said specified extrinsic space into two or more equivalence classes, wherein partitioning into equivalence classes is provided by mapping each atomic element of the extrinsic space over all groups of extrinsic values characterizing the at least one extrinsic field and comprised in the at least one data structure, and wherein each atomic element in said extrinsic space belongs to one and only one equivalence class and each equivalence class is constituted by one or more atomic elements of the extrinsic space that appear in same groups exactly;

mapping said equivalence classes over the rule-set;

using the results of mapping the equivalence classes over the rule-set for generating, by a processor, a logically equivalent security rule-set, wherein each of the respective rules in the generated rule-set comprises N−

1 extrinsic fields;

responsive to a request related to conditions specified in the rule-set with regard to a given group non-specified in the at least one data structure, providing a new partitioning into equivalence classes by mapping each atomic element of the extrinsic space over all groups of extrinsic values characterizing the at least one extrinsic field and comprised in the at least one data structure and over the given group;

generating a new logically equivalent security rule-set;

identifying equivalence classes corresponding to the given group; and

analyzing the conditions specified in the new logically equivalent rule-set for each of the identified equivalence classes.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There are provided a rule-set analyzer and a method of analyzing an ordered security rule-set comprising a plurality of rules comprising N≧1 extrinsic rule-fields. The method comprised: upon specifying an extrinsic space constituted by atomic elements corresponding to the values characterizing an extrinsic rule-field, partitioning said specified extrinsic space into two or more equivalence classes, wherein each atomic element in said extrinsic space belongs to one and only one equivalence class; mapping said equivalence classes over the rule-set; and generating a logically equivalent security rule-set, wherein respective rules comprise N−1 extrinsic rule-fields.

49 Citations

View as Search Results

8 Claims

1. A method of analyzing an initial ordered security rule-set comprising a plurality of rules, each rule comprising N≧
- 1 extrinsic fields, wherein the rule-set is associated with at least one data structure specifying groups of extrinsic values characterizing at least one extrinsic field, the method comprising;
  
  upon specifying an extrinsic space constituted by atomic elements corresponding to extrinsic values characterizing an extrinsic field, partitioning said specified extrinsic space into two or more equivalence classes, wherein partitioning into equivalence classes is provided by mapping each atomic element of the extrinsic space over all groups of extrinsic values characterizing the at least one extrinsic field and comprised in the at least one data structure, and wherein each atomic element in said extrinsic space belongs to one and only one equivalence class and each equivalence class is constituted by one or more atomic elements of the extrinsic space that appear in same groups exactly;
  
  mapping said equivalence classes over the rule-set;
  
  using the results of mapping the equivalence classes over the rule-set for generating, by a processor, a logically equivalent security rule-set, wherein each of the respective rules in the generated rule-set comprises N−
  
  1 extrinsic fields;
  
  responsive to a request related to conditions specified in the rule-set with regard to a given group non-specified in the at least one data structure, providing a new partitioning into equivalence classes by mapping each atomic element of the extrinsic space over all groups of extrinsic values characterizing the at least one extrinsic field and comprised in the at least one data structure and over the given group;
  
  generating a new logically equivalent security rule-set;
  
  identifying equivalence classes corresponding to the given group; and
  
  analyzing the conditions specified in the new logically equivalent rule-set for each of the identified equivalence classes.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein at least one extrinsic field is selected from a group comprising a user field and an application field.
  - 3. The method of claim 1, wherein the extrinsic field is a non-numeric field, the method further comprising assigning a unique ID to each atomic element in the specified extrinsic space prior to partitioning the space into equivalence classes.

4. An analyzer configured to analyze an ordered security rule-set comprising a plurality of rules, each rule comprising N≧
- 1 extrinsic fields, wherein the rule-set is associated with at least one data structure specifying groups of extrinsic values characterizing at least one extrinsic field, the analyzer comprising;
  
  a first interface configured to obtain data specifying an extrinsic space constituted by atomic elements corresponding to extrinsic values characterizing the at least one extrinsic field;
  
  a second interface configured to obtain data specifying the groups of extrinsic values characterizing the at least one extrinsic field;
  
  a processor operatively connected to the first interface and the second interface and configured;
  
  to partition the extrinsic space into two or more equivalence classes, wherein partitioning into equivalence classes is provided by mapping each atomic element of the extrinsic space over all groups of extrinsic values characterizing the at least one extrinsic field and comprised in the at least one data structure, and wherein each atomic element in the extrinsic space belongs to one and only one equivalence class and each equivalence class is constituted by one or more atomic elements of the extrinsic space that appear in same groups exactly;
  
  to map the equivalence classes over the rule-set; and
  
  to generate a logically equivalent security rule-set, wherein each of respective rules in the generated rule-set comprises N−
  
  1 extrinsic rule-fields,responsive to a request related to conditions specified in the rule-set with regard to a given group non-specified in the at least one data structures associated with the rule-set, to provide a new partitioning into equivalence classes by mapping each atomic element of said extrinsic space over all groups of extrinsic values characterizing the at least one extrinsic field and comprised in the at least one data structure and over the given group;
  
  to generate a new logically equivalent security rule-set;
  
  to identify equivalence classes corresponding to the given group; and
  
  to analyze the conditions specified in the new logically equivalent rule-set for each of the identified equivalence classes.
- View Dependent Claims (5, 6)
- - 5. The rule-set analyzer of claim 4, wherein at least one extrinsic field is selected from a group comprising a user field and an application field.
  - 6. The rule-set analyzer of claim 4, wherein the extrinsic field is a non-numeric field, the processor further operated to assign a unique ID to each atomic element in the specified extrinsic space prior to partitioning the space into equivalence classes.

7. A non-transitory computer readable medium storing a computer readable program executable by a computer for causing the computer to perform a method of analyzing an ordered security rule-set comprising a plurality of rules, each rule comprising N≧
- 1 extrinsic fields, wherein the rule-set is associated with at least one data structure specifying groups of extrinsic values characterizing at least one extrinsic field, the method comprising;
  
  upon specifying an extrinsic space constituted by atomic elements corresponding to extrinsic values characterizing the at least one extrinsic field, partitioning said specified extrinsic space into two or more equivalence classes, wherein partitioning into equivalence classes is provided by mapping each atomic element of the extrinsic space over all groups of extrinsic values characterizing the at least one extrinsic field and comprised in the at least one data structure, and wherein each atomic element in said extrinsic space belongs to one and only one equivalence class and each equivalence class is constituted by one or more atomic elements of the extrinsic space that appear in same groups exactly;
  
  mapping said equivalence classes over the rule-set;
  
  using the results of mapping the equivalence classes over the rule-set for generating a logically equivalent security rule-set, wherein respective rules in the generated rule-set comprise N−
  
  1 extrinsic fields;
  
  responsive to a request related to conditions specified in the rule-set with regard to a given group non-specified in the at least one data structure, providing a new partitioning into equivalence classes by mapping each atomic element of the extrinsic space over all groups of extrinsic values characterizing the at least one extrinsic field and comprised in the at least one data structure and over the given group;
  
  generating a new logically equivalent security rule-set;
  
  identifying equivalence classes corresponding to the given group; and
  
  analyzing the conditions specified in the new logically equivalent rule-set for each of the identified equivalence classes.

8. A computer program product comprising a non-transitory computer readable medium storing computer readable program code embodied therein for causing a computer to perform a method of analyzing an ordered security rule-set comprising a plurality of rules, each rule comprising N≧
- 1 extrinsic fields, wherein the rule-set is associated with at least one data structure specifying groups of extrinsic values characterizing at least one extrinsic field, the computer program product comprising;
  
  computer readable program code for causing the computer, upon specifying an extrinsic space constituted by atomic elements corresponding to extrinsic values characterizing the at least one extrinsic field, to partition said specified extrinsic space into two or more equivalence classes, wherein partitioning into equivalence classes is provided by mapping each atomic element of the extrinsic space over all groups of extrinsic values characterizing the at least one extrinsic field and comprised in the at least one data structure, and wherein each atomic element in said extrinsic space belongs to one and only one equivalence class and each equivalence class is constituted by one or more atomic elements of the extrinsic space that appear in same groups exactly;
  
  computer readable program code for causing the computer to map said equivalence classes over the rule-set; and
  
  computer readable program code for causing the computer to generate a logically equivalent security rule-set, wherein respective rules in the generated rule-set comprise N−
  
  1 extrinsic fields; and
  
  computer readable program code for causing the computer, responsive to a request related to conditions specified in the rule-set with regard to a given group non-specified in the at least one data structure to provide a new partitioning into equivalence classes by mapping each atomic element of the extrinsic space over all groups of extrinsic values characterizing the at least one extrinsic field and comprised in the at least one data structure and over the given group;
  
  computer readable program code for causing the computer to generate a new logically equivalent security rule-set;
  
  computer readable program code for causing the computer to identify equivalence classes corresponding to the given group; and
  
  computer readable program code for causing the computer to analyze the conditions specified in the new logically equivalent rule-set for each of the identified equivalence classes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tufin Software Technologies Ltd.
Original Assignee
Tufin Software Technologies Ltd.
Inventors
Lavi, Yoni
Primary Examiner(s)
Patel, Haresh N

Application Number

US13/367,795
Publication Number

US 20120204220A1
Time in Patent Office

917 Days
Field of Search

726 1- 7, 726 11- 15
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

H04L 63/0263 Rule management

Method and system for analyzing security ruleset by generating a logically equivalent security rule-set

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for analyzing security ruleset by generating a logically equivalent security rule-set

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links