Method of generating security rule-set and system thereof
First Claim
1. A method of generating a security rule-set using a computer comprising a processor operatively coupled to a memory, the method comprising:
a. obtaining in the memory a group of log records of communication events resulting from traffic related to a security gateway;
b. providing by the processor the following:
i. generating a first rule-set of permissive rules, said set covering the obtained group of log records;
ii. selecting in the first rule-set a rule with the maximal ratio between a number of log records covered by the selected rule and the volume of the address space of the selected rule;
iii. including the selected rule into a second rule-set;
iv. amending the first rule-set of permissive rules to cover only log records from the obtained group of log records that are non-overlapping with the address space of the selected rules in the second rule-set;
v. repeating steps ii)-iv) thereby generating a rule-set of non-overlapping rules covering the obtained group of log records, the generated rule-set corresponding to the second rule-set after the obtained group of log records comprises no records that are non-overlapping with the address space of the selected rules in the second rule-set; and
vi. generating an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records.
Abstract
There are provided a method of generation of a security rule-set and a system thereof. The method includes: obtaining a group of log records of communication events resulting from traffic related to the security gateway; generating a preliminary rule-set of permissive rules, said set covering the obtained group of log records; generating, with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the group of log records; and generating an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records.
17 Claims
10. A system capable of automated generation of a security rule-set, the system comprising:
an interface operable to obtain a group of log records of communication events resulting from traffic related to a security gateway;
a memory operatively coupled to the interface and operable to store the obtained group of log records; and
a processor operatively coupled to the memory and operable to:
a. generate a first rule-set of permissive rules, said set covering the obtained group of log records;
b. select in the first rule-set a rule with the maximal ratio between a number of log records covered by the selected rule and the volume of the address space of the selected rule;
c. include the selected rule into a second rule-set;
d. amend the first rule-set of permissive rules to cover only log records from the obtained group of log records that are non-overlapping with the address space of the selected rules in the second rule-set;
e. repeat steps b)-d) thereby generating a rule-set of non-overlapping rules covering the obtained group of log records, the generated rule-set corresponding to the second rule-set after the obtained group of log records comprises no records that are non-overlapping with the address space of the selected rules in the second rule-set; and
f. generate an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records.
17. A computer program product comprising a non-transitory computer useable medium having computer readable program code embodied therein for automated generation of a security rule-set, the computer program product comprising:
a. computer readable program code for enabling the computer to obtain a group of log records of communication events resulting from traffic related to a security gateway;
b. computer readable program code for enabling the computer to generate a first rule-set of permissive rules, said set covering the obtained group of log records;
c. computer readable program code for enabling the computer to select in the first rule-set a rule with the maximal ratio between a number of log records covered by the selected rule and the volume of the address space of the selected rule;
d. computer readable program code for enabling the computer to include the selected rule into a second rule-set;
e. computer readable program code for enabling the computer to amend the first rule-set of permissive rules to cover only log records from the obtained group of log records that are non-overlapping with the address space of the selected rules in the second rule-set;
f. computer readable program code for enabling the computer to repeat steps ii)-iv) thereby generating a rule-set of non-overlapping rules covering the obtained group of log records, the generated rule-set corresponding to the second rule-set after the obtained group of log records comprises no records that are non-overlapping with the address space of the selected rules in the second rule-set; and
g. computer readable program code for enabling the computer to generate an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records.