Predicting firewall rule ranking value
First Claim
1. A firewall device, comprising:
a memory to store instructions; and
one or more processors of the firewall device to execute the instructions to:
obtain information regarding a plurality of firewall rules, the information including information for a particular firewall rule of the plurality of firewall rules, the information for the particular firewall rule including one or more match condition values and a ranking value,
the particular firewall rule being applicable to packets that are associated with packet information that matches the one or more match condition values associated with the particular firewall rule,
a match condition value, of the one or more match condition values, being associated with a match count that identifies a quantity of times that packets, received by the firewall device, are associated with packet information that matches the match condition value, and
the ranking value identifying a quantity of times that the particular firewall rule has been applied to the packets received by the firewall device;
perform a linear regression analysis of match counts and ranking values associated with the plurality of firewall rules to train a model that describes a relationship between the match counts and the ranking values associated with the plurality of firewall rules;
automatically determine a size of a training set of match condition values and ranking values for the model, based on receiving an indication for a desired accuracy of predictions made using the model, to reduce processing power used by the firewall device to check the plurality of firewall rules;
determine that the particular firewall rule applies to a first packet received by the firewall device based on checking whether the one or more match condition values match packet information associated with the first packet;
obtain a new firewall rule, associated with no ranking information, that includes a first match condition value, of the one or more match condition values, and a second match condition value, of the one or more match condition values,
where the first match condition value is associated with a first firewall rule, of the plurality of firewall rules, and with a first match count, and
where the second match condition value is associated with a second firewall rule, of the plurality of firewall rules, and with a second match count,
the second firewall rule being different from the first firewall rule;
predict a particular ranking value, as a predicted ranking value, of the new firewall rule based on the first match count and the second match count and based on analyzing the information regarding the plurality of firewall rules; and
perform an action on a second packet, with regard to the new firewall rule, based on the predicted ranking value.
Abstract
A device may obtain information regarding firewall rules. The information, for a firewall rule of the firewall rules, may include one or more match condition values and a ranking value. The firewall rule may be applicable to packets that are associated with packet information that matches the match condition values. A match condition value may be associated with a match count that identifies a quantity of times that packets match the match condition value. The ranking value may identify a quantity of times that the firewall rule has been applied to the packets. The device may obtain a new firewall rule. The device may predict a ranking value of the new firewall rule based on match condition values of the new firewall rule and/or based on analyzing the information regarding the plurality of firewall rules. The device may perform an action based on the predicted ranking value.
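The prediction step described above, as an added sketch that is not taken from the patent or from any vendor implementation: ordinary least squares over per-condition match counts, then a predicted ranking value for a new rule whose two match condition values come from two different existing rules. The rule names, the counts (constructed so the fit is exact), the two-condition feature layout and the "check rules in descending ranking order" action are all assumptions.

```python
from fractions import Fraction

MATCH_COUNTS = {  # constructed sample data: match count per match condition value
    ("src", "10.0.0.0/8"): 1000, ("src", "192.168.1.0/24"): 400,
    ("src", "172.16.0.0/12"): 200, ("dport", 443): 800,
    ("dport", 22): 100, ("dport", 53): 600,
}
RULES = {  # constructed: name -> (match condition values, ranking value)
    "R1": ([("src", "10.0.0.0/8"), ("dport", 443)], 260),
    "R2": ([("src", "192.168.1.0/24"), ("dport", 22)], 60),
    "R3": ([("src", "172.16.0.0/12"), ("dport", 53)], 140),
    "R4": ([("src", "10.0.0.0/8"), ("dport", 53)], 220),
}

def features(conditions):
    """Feature row [1, count(cond1), count(cond2)] for a two-condition rule."""
    return [Fraction(1)] + [Fraction(MATCH_COUNTS[c]) for c in conditions]

def solve(a, b):
    """Gauss-Jordan on exact fractions; no pivoting, so collinear features fail."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        m[col] = [v / m[col][col] for v in m[col]]
        for r in range(n):
            if r != col:
                m[r] = [v - m[r][col] * p for v, p in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]

def train(rules):
    """Least squares via the normal equations (X^T X) w = X^T y."""
    rows = [(features(conds), Fraction(rank)) for conds, rank in rules.values()]
    k = len(rows[0][0])
    xtx = [[sum(x[i] * x[j] for x, _ in rows) for j in range(k)] for i in range(k)]
    xty = [sum(x[i] * y for x, y in rows) for i in range(k)]
    return solve(xtx, xty)

def predict(weights, conditions):
    return sum(w * f for w, f in zip(weights, features(conditions)))

def evaluation_order(rules, new_name, new_conditions):
    """Assumed action: slot the new rule in by predicted ranking, highest first."""
    ranks = {name: rank for name, (_, rank) in rules.items()}
    ranks[new_name] = predict(train(rules), new_conditions)
    return sorted(ranks, key=ranks.get, reverse=True)

NEW_RULE = [("src", "192.168.1.0/24"), ("dport", 443)]  # values seen in R2 and R1
print(predict(train(RULES), NEW_RULE), evaluation_order(RULES, "NEW", NEW_RULE))
```

On a first-match firewall, reordering by ranking value preserves policy only among rules that do not overlap or that share the same action.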
20 Claims
8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors of a firewall device, cause the one or more processors to:
obtain information regarding a plurality of firewall rules, the information including information for a particular firewall rule of the plurality of firewall rules, the information for the particular firewall rule including one or more match condition values and a ranking value,
the particular firewall rule being applicable to packets that are associated with packet information that matches the one or more match condition values associated with the particular firewall rule,
a match condition value, of the one or more match condition values, being associated with a match count that identifies a quantity of times that packets, received by the firewall device, are associated with packet information that matches the match condition value, and
the ranking value identifying a quantity of times that the particular firewall rule has been applied to the packets received by the firewall device;
perform a linear regression analysis of match counts and ranking values associated with the plurality of firewall rules to train a model that describes a relationship between the match counts and the ranking values associated with the plurality of firewall rules;
automatically determine a size of a training set of match condition values and ranking values for the model, based on receiving an indication for a desired accuracy of predictions made using the model, to reduce processing power used by the firewall device to check the plurality of firewall rules;
determine that the particular firewall rule applies to a first packet received by the firewall device based on checking whether the one or more match condition values match packet information associated with the first packet;
obtain a new firewall rule, associated with no ranking information, that includes a first match condition value, of the one or more match condition values, and a second match condition value, of the one or more match condition values,
where the first match condition value is associated with a first firewall rule, of the plurality of firewall rules and with a first match count, and
where the second match condition value is associated with a second firewall rule, of the plurality of firewall rules and with a second match count the second firewall rule being different from the first firewall rule;
predict a particular ranking value, as a predicted ranking value, of the new firewall rule based on the first match count and the second match count and based on processing the information regarding the plurality of firewall rules; and
perform an action on a second packet, with regard to the new firewall rule, based on the predicted ranking value.
15. A method, comprising:
obtaining, by a firewall device, information regarding a plurality of firewall rules, the information including information for a particular firewall rule of the plurality of firewall rules, the information for the particular firewall rule including one or more match condition values and a ranking value,
the particular firewall rule being applicable to packets that are associated with packet information that matches the one or more match condition values associated with the particular firewall rule,
a match condition value, of the one or more match condition values, being associated with a match count that identifies a quantity of times that packets, received by the firewall device, are associated with packet information that matches the match condition value, and
the ranking value identifying a quantity of times that the particular firewall rule has been applied to the packets received by the firewall device;
performing, by the firewall device, a linear regression analysis of match counts and ranking values associated with the plurality of firewall rules to train a model that describes a relationship between the match counts and the ranking values associated with the plurality of firewall rules;
automatically determining, by the firewall device, a size of a training set of match condition values and ranking values for the model, based on receiving an indication for a desired accuracy of predictions made using the model, to reduce processing power used by the firewall device to check the plurality of firewall rules;
determining, by the firewall device, that the particular firewall rule applies to a first packet received by the firewall device based on checking whether the one or more match condition values match packet information associated with the first packet;
obtaining, by the firewall device, a new firewall rule that includes a first match condition value, of the one or more match condition values, and a second match condition value, of the one or more match condition values,
where the first match condition value is associated with a first firewall rule of the plurality of firewall rules and a first match count, and
where the second match condition value is associated with a second firewall rule of the plurality of firewall rules and a second match count,
the second firewall rule being different from the first firewall rule;
predicting, by the firewall device, a particular ranking value, as a predicted ranking value, of the new firewall rule based on the first match count and the second match count and based on the information regarding the plurality of firewall rules; and
performing, by the firewall device, an action on a second packet, with regard to the new firewall rule, based on the predicted ranking value.
Specification