Method of generating security rule-set and system thereof

US 9,021,549 B2
Filed: 01/02/2014
Issued: 04/28/2015
Est. Priority Date: 12/16/2010
Status: Active Grant

First Claim

Patent Images

1. A method of generating a security rule-set using a computer comprising a processor operatively coupled to a memory, the method comprising:

a. obtaining in the memory a group of log records of communication events resulting from traffic related to a security gateway;

b. providing by the processor the following;

i. generating a first rule-set of permissive rules, said set covering the obtained group of log records;

ii. selecting in the first rule-set a rule with the maximal ratio between a number of log records covered by the selected rule and the volume of the address space of the selected rule;

iii. including the selected rule into a second rule-set;

iv. amending the first rule-set of permissive rules to cover only log records from the obtained group of log records that are non-overlapping with the address space of the selected rules in the second rule-set;

v. repeating steps ii)-iv) thereby generating a rule-set of non-overlapping rules covering the obtained group of log records, the generated rule-set corresponding to the second rule-set after the obtained group of log records comprises no records that are non-overlapping with the address space of the selected rules in the second rule-set; and

vi. generating an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There are provided a method of generation of a security rule-set and a system thereof. The method includes: obtaining a group of log records of communication events resulting from traffic related to the security gateway; generating a preliminary rule-set of permissive rules, said set covering the obtained group of log records; generating, with the help of mapping the generated preliminary rule-set to the obtained group of log records, a rule-set of non-overlapping rules covering the group of log records; and generating an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rule to the obtained group of log records.

Citations

17 Claims

1. A method of generating a security rule-set using a computer comprising a processor operatively coupled to a memory, the method comprising:
- a. obtaining in the memory a group of log records of communication events resulting from traffic related to a security gateway;
  
  b. providing by the processor the following;
  
  i. generating a first rule-set of permissive rules, said set covering the obtained group of log records;
  
  ii. selecting in the first rule-set a rule with the maximal ratio between a number of log records covered by the selected rule and the volume of the address space of the selected rule;
  
  iii. including the selected rule into a second rule-set;
  
  iv. amending the first rule-set of permissive rules to cover only log records from the obtained group of log records that are non-overlapping with the address space of the selected rules in the second rule-set;
  
  v. repeating steps ii)-iv) thereby generating a rule-set of non-overlapping rules covering the obtained group of log records, the generated rule-set corresponding to the second rule-set after the obtained group of log records comprises no records that are non-overlapping with the address space of the selected rules in the second rule-set; and
  
  vi. generating an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the obtained group of log records comprises amount of log records matching a predefined threshold.
  - 3. The method of claim 1, wherein the obtained group of log records comprises all log records collected during a substantial collection period.
  - 4. The method of claim 1, wherein the obtained group of log records comprises log records selected among collected log records, wherein the selection is provided in accordance with values specified in at least one field of the collected log records.
  - 5. The method of claim 1, wherein traffic related to the security gateway is selected from a group comprising traffic controlled by the security gateway and traffic between source and destination addresses to be controlled by the security gateway.
  - 6. The method of claim 1, wherein generating the operational rule-set comprises recursive dividing the rules in respective first rule-set and generating a respective rule-set of non-overlapping rules until the generated rule-set of non-overlapping rules matches a predefined criterion.
  - 7. The method of claim 1, wherein generating the first rule-set comprises defining an address space covering the obtained group of log records and generating 2R permissive rules, wherein each of R non-overlapping equal-size rules controls respective part of traffic resulting from dividing the destination range characterizing said defined address space into R parts whilst maintaining the source range of said address space, and wherein each of other R non-overlapping rules controls a respective part of traffic resulting from dividing the source range of said defined address space into R parts whilst maintaining the destination range of said address space, and wherein R is natural number R>
    - 1.
  - 8. The method of claim 6 further comprising generating a tree structure representing at a respective level each of the recursive generated rule-sets of non-overlapping rules.
  - 9. The method of claim 8 further comprising traversing the generated tree structure in order to generate the operational rule-set matching a predefined criterion selected from a group comprising criteria related, at least, to extra coverage and criteria related, at least, to a number of rules in the operational rule set.

10. A system capable of automated generation of a security rule-set, the system comprising:
- an interface operable to obtain a group of log records of communication events resulting from traffic related to a security gateway;
  
  a memory operatively coupled to the interface and operable to store the obtained group of log records; and
  
  a processor operatively coupled to the memory and operable to;
  
  a. generate a first rule-set of permissive rules, said set covering the obtained group of log records;
  
  b. select in the first rule-set a rule with the maximal ratio between a number of log records covered by the selected rule and the volume of the address space of the selected rule;
  
  c. include the selected rule into a second rule-set;
  
  d. amend the first rule-set of permissive rules to cover only log records from the obtained group of log records that are non-overlapping with the address space of the selected rules in the second rule-set;
  
  e. repeat steps b)-d) thereby generating a rule-set of non-overlapping rules covering the obtained group of log records, the generated rule-set corresponding to the second rule-set after the obtained group of log records comprises no records that are non-overlapping with the address space of the selected rules in the second rule-set; and
  
  f. generate an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system of claim 10, wherein the generation of the operational rule-set comprises recursive dividing the rules in respective first rule-set and generating a respective rule-set of non-overlapping rules until the generated rule-set of non-overlapping rules matches a predefined criterion, thus giving rise to the operational rule-set.
  - 12. The system of claim 10, wherein the generation of the first rule-set comprises defining an address space covering the obtained group of log records and generating 2R permissive rules, wherein each of R non-overlapping equal-size rules controls respective part of traffic resulting from dividing the destination range characterizing said defined address space into R parts whilst maintaining the source range of said address space, and wherein each of other R non-overlapping rules controls a respective part of traffic resulting from dividing the source range of said defined address space into R parts whilst maintaining the destination range of said address space, and wherein R is natural number R>
    - 1.
  - 13. The system of claim 10, wherein the processor is further operable to generate a tree structure representing at a respective level each of the recursive generated rule-sets of non-overlapping rules.
  - 14. The system of claim 13, wherein the processor is further operable to traverse the generated tree structure in order to generate the operational rule-set matching a predefined criterion selected from a group comprising criteria related, at least, to extra coverage and criteria related, at least, to a number of rules in the operational rule set.
  - 15. The system of claim 10, wherein the obtained group of log records comprises log records selected among collected log records, wherein the selection is provided in accordance with values specified in at least one field of the collected log records.
  - 16. The system of claim 10, wherein traffic related to the security gateway is selected from a group comprising traffic controlled by the security gateway and traffic between source and destination addresses to be controlled by the security gateway.

17. A computer program product comprising a non-transitory computer useable medium having computer readable program code embodied therein for automated generation of a security rule-set, the computer program product comprising:
- a. computer readable program code for enabling the computer to obtain a group of log records of communication events resulting from traffic related to a security gateway;
  
  b. computer readable program code for enabling the computer to generating a first rule-set of permissive rules, said set covering the obtained group of log records;
  
  c. computer readable program code for enabling the computer to select in the first rule-set a rule with the maximal ratio between a number of log records covered by the selected rule and the volume of the address space of the selected rule;
  
  d. computer readable program code for enabling the computer to include the selected rule into a second rule-set;
  
  e. computer readable program code for enabling the computer to amend the first rule-set of permissive rules to cover only log records from the obtained group of log records that are non-overlapping with the address space of the selected rules in the second rule-set;
  
  f. computer readable program code for enabling the computer to repeat steps ii)-iv) thereby generating a rule-set of non-overlapping rules covering the obtained group of log records, the generated rule-set corresponding to the second rule-set after the obtained group of log records comprises no records that are non-overlapping with the address space of the selected rules in the second rule-set; and
  
  g. computer readable program code for enabling the computer to generate an operational rule-set by processing the generated rule-set of non-overlapping rules, said processing including mapping the generated rule-set of non-overlapping rules to the obtained group of log records.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tufin Software Technologies Ltd.
Original Assignee
Tufin Software Technologies Ltd.
Inventors
Gronich, Yoram, Schechtman, Haggai, Lavi, Yoni
Primary Examiner(s)
BROWN, ANTHONY D

Application Number

US14/146,410
Publication Number

US 20140123216A1
Time in Patent Office

481 Days
Field of Search

726/1, 726 11- 12, 726/22, 709223-224
US Class Current

726/1
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Method of generating security rule-set and system thereof

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method of generating security rule-set and system thereof

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links