Method and system for mapping between connectivity requests and a security rule set

US 8,914,841 B2
Filed: 11/23/2011
Issued: 12/16/2014
Est. Priority Date: 11/24/2010
Status: Active Grant

First Claim

Patent Images

1. A system capable of automatically mapping between a connectivity request and an ordered security rule-set, the system comprising:

a memory;

an interface operable to obtain data characterizing a first plurality of combinations of values specified in at least one connectivity request;

a processor operatively coupled to the interface and the memory, the processor to;

automatically recognize at least one rule within the rule-set, said rule controlling at least part of traffic requested in said at least one connectivity request, wherein the recognizing is provided by comparing the first plurality of combinations specified in the connectivity request with at least one second plurality of combinations, each of said at least one second plurality being firstly specified by a respective rule within the rule-set and matches connectivity-related actions specified in said at least one connectivity request;

automatically evaluate a ratio between an un-shadowed volume requested by said at least one connectivity request in said recognized at least one rule and the overall un-shadowed volume of said recognized at least one rule, thereby giving rise to a conformity ratio characterizing the relationship between said at least one connectivity request and said recognized at least one rule, wherein the evaluation results indicate if said at least one connectivity request requires rule-set amendments in order to be accepted; and

automatically classify said at least one connectivity request with respect to said at least one rule and/or said at least one rule with respect to said at least one connectivity request in accordance with said conformity ratio, wherein a classifying result is indicative of involvement of said recognized at least one rule in business needs associated with said at least one connectivity request.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system capable of automated mapping between a connectivity request and an ordered security rule-set and a method of operating thereof. The system includes an interface operable to obtain data characterizing at least one connectivity request; a module for automated recognizing at least one rule within the rule-set, the rule controlling traffic requested in the at least one connectivity request, wherein the recognizing is provided by comparing a set of combinations specified in the connectivity request with a set of combinations specified in the rule and matching connectivity-related actions specified in the connectivity request; a module for automated evaluating relationship between traffic controlled by the recognized at least one rule and traffic requested in the at least one connectivity request; and a module for automated classifying, in accordance with evaluation results, the at least one connectivity request with respect to the at least one rules and/or vice versa.

Citations

16 Claims

1. A system capable of automatically mapping between a connectivity request and an ordered security rule-set, the system comprising:
- a memory;
  
  an interface operable to obtain data characterizing a first plurality of combinations of values specified in at least one connectivity request;
  
  a processor operatively coupled to the interface and the memory, the processor to;
  
  automatically recognize at least one rule within the rule-set, said rule controlling at least part of traffic requested in said at least one connectivity request, wherein the recognizing is provided by comparing the first plurality of combinations specified in the connectivity request with at least one second plurality of combinations, each of said at least one second plurality being firstly specified by a respective rule within the rule-set and matches connectivity-related actions specified in said at least one connectivity request;
  
  automatically evaluate a ratio between an un-shadowed volume requested by said at least one connectivity request in said recognized at least one rule and the overall un-shadowed volume of said recognized at least one rule, thereby giving rise to a conformity ratio characterizing the relationship between said at least one connectivity request and said recognized at least one rule, wherein the evaluation results indicate if said at least one connectivity request requires rule-set amendments in order to be accepted; and
  
  automatically classify said at least one connectivity request with respect to said at least one rule and/or said at least one rule with respect to said at least one connectivity request in accordance with said conformity ratio, wherein a classifying result is indicative of involvement of said recognized at least one rule in business needs associated with said at least one connectivity request.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1, wherein the connectivity-related actions are selected from a group comprising accepting, denying, authenticating and encrypting actions.
  - 3. The system of claim 1 wherein the conformity ratio is calculated separately for fields of said recognized at least one rule.

4. A method of automatically managing an ordered security rule-set using a rule-set manager, the method comprising:
- obtaining data characterizing first pluralities of combinations of values specified, respectively, in one or more of connectivity requests;
  
  automatically recognizing by the rule-set manager at least one connectivity request requesting traffic at least partially controlled by a certain rule from the rule-set, thereby giving rise to at least one connectivity request engaged with respect to said certain rule, wherein the recognizing is provided by comparing a first plurality of combinations of values specified in said at least one connectivity request with a second plurality of combinations of values, said second plurality is firstly specified in said certain rule and matches connectivity-related actions specified in said certain connectivity request;
  
  automatically evaluating a ratio between an un-shadowed volume requested by said engaged connectivity request in said certain rule and the overall un-shadowed volume of said certain rule, thereby giving rise to a conformity ratio being indicative of a degree of satisfaction of said engaged connectivity request by said certain rule, wherein evaluating is provided by the rule-set manager and the evaluation results indicate if said at least one connectivity request requires rule-set amendments in order to be accepted; and
  
  in accordance with said conformity ratio, automatically classifying by the rule-set manager said certain rule with respect to said at least one engaged connectivity request, wherein a classifying result is indicative of involvement of said certain rule in business needs associated with said engaged connectivity request.
- View Dependent Claims (5, 6, 7, 8, 9)
- - 5. The method of claim 4, wherein the connectivity-related actions are selected from a group comprising accepting, denying, authenticating and encrypting actions.
  - 6. The method of claim 4 wherein the conformity ratio is calculated separately for fields of said certain rule.
  - 7. The method of claim 4 further comprising evaluating relationship between traffic controlled by the entire rule-set and traffic requested in all respectively engaged connectivity requests, wherein evaluating comprises calculating a ratio between an un-shadowed volume requested in the entire rule-set and the overall un-shadowed volume of the rule-set, thereby giving rise to a conformity ratio indicative of a degree of justification of the rule-set by business needs.
  - 8. The method of claim 7 further comprising classifying the entire rule-set, wherein the entire rule-set is classified as requiring amendment if the calculated conformity ratio does not match a predefined criterion related to compliance of the rule-set.
  - 9. The method of claim 4 wherein said engaged connectivity request requests allowance of respective traffic and said un-shadowed volume in said certain rule is un-shadowed allowable volume.

10. A method of automatically managing an ordered security rule-set using a rule-set manager, the method comprising:
- obtaining data characterizing a first plurality of combinations of values specified in a certain connectivity request;
  
  automatically recognizing by the rule-set manager at least one rule from the rule-set, said rule at least partially controlling traffic requested in said certain connectivity request, thereby giving rise to at least one rule engaged with respect to said certain connectivity request, wherein the recognizing is provided by comparing the first plurality of combinations of values specified in said certain connectivity request with at least one second plurality of combinations of values, each of at least one second plurality is firstly specified in respective rules from the rule-set and match connectivity-related actions specified in said certain connectivity request;
  
  automatically evaluating a ratio between an un-shadowed volume requested by said at least one connectively request in said at least one engaged rule and the overall un-shadowed volume of said at least one engaged rule, thereby giving rise to a conformity ratio characterizing a degree of satisfaction of said certain connectivity request by said at least one engaged rule, wherein the evaluating is provided by the rule-set manager and the evaluation results indicate if said at least one connectivity request requires rule-set amendments in order to be accepted; and
  
  in accordance with said conformity ratio, automatically classifying by the rule-set manager said certain connectivity request with respect to said at least one engaged rule, wherein a classifying result is indicative of involvement of said at least one engaged rule in business needs associated with said certain connectivity request.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein the connectivity-related actions are selected from a group comprising accepting, denying, authenticating and encrypting actions.
  - 12. The method of claim 10 wherein the conformity ratio is calculated separately for fields of said certain rule.
  - 13. The method of claim 10 further comprising evaluating relationship between traffic requested in all connectivity requests and traffic controlled by all respectively engaged rules in the rule-set, wherein evaluating comprises calculating a ratio between an un-shadowed volume requested in all engaged rules and the overall un-shadowed volume of all engaged rules.
  - 14. The method of claim 10 further comprising:
    - automatically recognizing at least two rules belonging to different rule-sets and engaged with respect to said certain connectivity request, wherein different rule-sets correspond to different revisions of a security policy;
      
      automatically evaluating relationship between the traffic requested in said certain connectivity request and traffic controlled by engaged rules corresponding to said different rule-sets;
      
      in accordance with the evaluation result, automatically classifying said different rule-sets and/or respective revisions of the security policy.
  - 15. The method of claim 10 wherein said at least one connectively request requests allowance of respective traffic and un-shadowed volume in said at least one engaged rule is un-shadowed allowable volume.

16. A computer program product comprising a non-transitory computer useable medium having computer readable program code embodied therein for collecting information relating to a communication network and to nodes operating therein, the computer program product comprising:
- computer readable program code for enabling the computer to obtain data characterizing first pluralities of combinations of values specified, respectively, in one or more of connectivity requests;
  
  computer readable program code for enabling the computer to recognize at least one connectivity request requesting traffic at least partially controlled by a certain rule from the rule-set, thereby giving rise to at least one connectivity request engaged with respect to said certain rule, wherein the recognition is provided by comparing a first plurality of combinations of values specified in said one or more connectivity requests with a second plurality of combinations of values, said second plurality being firstly specified in said certain rule and matches connectivity-related actions specified in said certain connectivity request;
  
  computer readable program code for enabling the computer to evaluate a ratio between an un-shadowed volume requested by said engaged connectivity request in said certain rule and the overall un-shadowed volume of said certain rule, thereby giving rise to a conformity ratio being indicative of a degree of satisfaction of said engaged connectivity request by said certain rule, wherein the evaluation results indicate if said at least one connectivity request requires rule-set amendments in order to be accepted; and
  
  computer readable program code for enabling the computer, to classify said certain rule with respect to said at least one engaged connectivity request in accordance with said conformity ratio, wherein a classifying result is indicative of involvement of said certain rule in business needs associated with said at least one engaged connectivity request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tufin Software Technologies Ltd.
Original Assignee
Tufin Software Technologies Ltd.
Inventors
Harrison, Reuven
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
LYNCH, SHARON S

Application Number

US13/303,425
Publication Number

US 20120192246A1
Time in Patent Office

1,119 Days
Field of Search

726/1, 726/11, 726/13, 726/14, 726/47, 713/166, 379/111
US Class Current

726/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Method and system for mapping between connectivity requests and a security rule set

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for mapping between connectivity requests and a security rule set

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links