Predicting firewall rule ranking value

US 9,838,354 B1
Filed: 06/26/2015
Issued: 12/05/2017
Est. Priority Date: 06/26/2015
Status: Active Grant

First Claim

Patent Images

1. A firewall device, comprising:

a memory to store instructions; and

one or more processors of the firewall device to execute the instructions to;

obtain information regarding a plurality of firewall rules,the information including information for a particular firewall rule of the plurality of firewall rules,the information for the particular firewall rule including one or more match condition values and a ranking value,

the particular firewall rule being applicable to packets that are associated with packet information that matches the one or more match condition values associated with the particular firewall rule,

a match condition value, of the one or more match condition values, being associated with a match count that identifies a quantity of times that packets, received by the firewall device, are associated with packet information that matches the match condition value, and

the ranking value identifying a quantity of times that the particular firewall rule has been applied to the packets received by the firewall device;

perform a linear regression analysis of match counts and ranking values associated with the plurality of firewall rules to train a model that describes a relationship between the match counts and the ranking values associated with the plurality of firewall rules;

automatically determine a size of a training set of match condition values and ranking values for the model, based on receiving an indication for a desired accuracy of predictions made using the model, to reduce processing power used by the firewall device to check the plurality of firewall rules;

determine that the particular firewall rule applies to a first packet received by the firewall device based on checking whether the one or more match condition values match packet information associated with the first packet;

obtain a new firewall rule, associated with no ranking information, that includes a first match condition value, of the one or more match condition values, and a second match condition value, of the one or more match condition values,where the first match condition value is associated with a first firewall rule, of the plurality of firewall rules, and with a first match count, andwhere the second match condition value is associated with a second firewall rule, of the plurality of firewall rules, and with a second match count,the second firewall rule being different from the first firewall rule;

predict a particular ranking value, as a predicted ranking value, of the new firewall rule based on the first match count and the second match count and based on analyzing the information regarding the plurality of firewall rules; and

perform an action on a second packet, with regard to the new firewall rule, based on the predicted ranking value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may obtain information regarding firewall rules. The information, for a firewall rule of the firewall rules, may include one or more match condition values and a ranking value. The firewall rule may be applicable to packets that are associated with packet information that matches the match condition values. A match condition value may be associated with a match count that identifies a quantity of times that packets match the match condition value. The ranking value may identify a quantity of times that the firewall rule has been applied to the packets. The device may obtain a new firewall rule. The device may predict a ranking value of the new firewall rule based on match condition values of the new firewall rule and/or based on analyzing the information regarding the plurality of firewall rules. The device may perform an action based on the predicted ranking value.

43 Citations

View as Search Results

20 Claims

1. A firewall device, comprising:
- a memory to store instructions; and
  
  one or more processors of the firewall device to execute the instructions to;
  
  obtain information regarding a plurality of firewall rules,the information including information for a particular firewall rule of the plurality of firewall rules,the information for the particular firewall rule including one or more match condition values and a ranking value,
  
  the particular firewall rule being applicable to packets that are associated with packet information that matches the one or more match condition values associated with the particular firewall rule,
  
  a match condition value, of the one or more match condition values, being associated with a match count that identifies a quantity of times that packets, received by the firewall device, are associated with packet information that matches the match condition value, and
  
  the ranking value identifying a quantity of times that the particular firewall rule has been applied to the packets received by the firewall device;
  
  perform a linear regression analysis of match counts and ranking values associated with the plurality of firewall rules to train a model that describes a relationship between the match counts and the ranking values associated with the plurality of firewall rules;
  
  automatically determine a size of a training set of match condition values and ranking values for the model, based on receiving an indication for a desired accuracy of predictions made using the model, to reduce processing power used by the firewall device to check the plurality of firewall rules;
  
  determine that the particular firewall rule applies to a first packet received by the firewall device based on checking whether the one or more match condition values match packet information associated with the first packet;
  
  obtain a new firewall rule, associated with no ranking information, that includes a first match condition value, of the one or more match condition values, and a second match condition value, of the one or more match condition values,where the first match condition value is associated with a first firewall rule, of the plurality of firewall rules, and with a first match count, andwhere the second match condition value is associated with a second firewall rule, of the plurality of firewall rules, and with a second match count,the second firewall rule being different from the first firewall rule;
  
  predict a particular ranking value, as a predicted ranking value, of the new firewall rule based on the first match count and the second match count and based on analyzing the information regarding the plurality of firewall rules; and
  
  perform an action on a second packet, with regard to the new firewall rule, based on the predicted ranking value.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The firewall device of claim 1, where the one or more processors are further to:
    - assign a rank to the new firewall rule, relative to the plurality of firewall rules, based on the predicted ranking value associated with the new firewall rule and based on the ranking values associated with the plurality of firewall rules.
  - 3. The firewall device of claim 2, where the one or more processors are further to:
    - determine an actual ranking value of the new firewall rule based on applying the new firewall rule to one or more packets; and
      
      modify the rank of the new firewall rule, relative to the plurality of firewall rules, based on the actual ranking value and based on the ranking values associated with the plurality of firewall rules.
  - 4. The firewall device of claim 1, where the one or more processors, when predicting the particular ranking value of the new firewall rule, are to:
    - predict the particular ranking value of the new firewall rule by using the first match condition value and the second match condition value as inputs into the model.
  - 5. The firewall device of claim 1, where the one or more processors are further to:
    - determine an actual ranking value of the new firewall rule based on applying the new firewall rule to one or more packets; and
      
      replace the predicted ranking value with the actual ranking value; and
      
      where the one or more processors, when performing the action, are to;
      
      perform the action based on the actual ranking value.
  - 6. The firewall device of claim 1, where the one or more processors are further to:
    - delete the new firewall rule based on the predicted ranking value satisfying a threshold.
  - 7. The firewall device of claim 1, where the one or more processors are further to train the model using at least one of:
    - a nonlinear regression analysis,a curve fitting analysis,a segment linear analysis, ora machine learning method.

8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors of a firewall device, cause the one or more processors to;
  
  obtain information regarding a plurality of firewall rules,the information including information for a particular firewall rule of the plurality of firewall rules,the information for the particular firewall rule including one or more match condition values and a ranking value,
  
  the particular firewall rule being applicable to packets that are associated with packet information that matches the one or more match condition values associated with the particular firewall rule,
  
  a match condition value, of the one or more match condition values, being associated with a match count that identifies a quantity of times that packets, received by the firewall device, are associated with packet information that matches the match condition value, and
  
  the ranking value identifying a quantity of times that the particular firewall rule has been applied to the packets received by the firewall device;
  
  perform a linear regression analysis of match counts and ranking values associated with the plurality of firewall rules to train a model that describes a relationship between the match counts and the ranking values associated with the plurality of firewall rules;
  
  automatically determine a size of a training set of match condition values and ranking values for the model, based on receiving an indication for a desired accuracy of predictions made using the model, to reduce processing power used by the firewall device to check the plurality of firewall rules;
  
  determine that the particular firewall rule applies to a first packet received by the firewall device based on checking whether the one or more match condition values match packet information associated with the first packet;
  
  obtain a new firewall rule, associated with no ranking information, that includes a first match condition value, of the one or more match condition values, and a second match condition value, of the one or more match condition values,where the first match condition value is associated with a first firewall rule, of the plurality of firewall rules and with a first match count, andwhere the second match condition value is associated with a second firewall rule, of the plurality of firewall rules and with a second match countthe second firewall rule being different from the first firewall rule;
  
  predict a particular ranking value, as a predicted ranking value, of the new firewall rule based on the first match count and the second match count and based on processing the information regarding the plurality of firewall rules; and
  
  perform an action on a second packet, with regard to the new firewall rule, based on the predicted ranking value.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - train the model based on the information regarding the plurality of firewall rules, to determine the predicted ranking value.
  - 10. The non-transitory computer-readable medium of claim 9, where the one or more instructions, that cause the one or more processors to predict the particular ranking value of the new firewall rule, cause the one or more processors to:
    - predict the particular ranking value of the new firewall rule based on inputting, to the model, one or more match counts corresponding to the first match condition value and the second match condition value of the new firewall rule.
  - 11. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - assign a rank to the new firewall rule, in relation to the plurality of firewall rules, based on the predicted ranking value and based on the ranking values of the plurality of firewall rules.
  - 12. The non-transitory computer-readable medium of claim 11,where the new firewall rule is associated with a first rank;
    - where the first rank is higher than a second rank associated with flail the second firewall rule, and lower than a third rank associated with a third firewall rule; and
      
      where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to;
      
      receive another packet;
      
      determine that the third firewall rule does not apply to the other packet;
      
      determine that the new firewall rule applies to the other packet after determining that the third firewall rule does not apply to the other packet; and
      
      apply the new firewall rule to the other packet.
  - 13. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine an actual ranking value of the new firewall rule based on applying the new firewall rule to one or more packets; and
      
      where the one or more instructions, that cause the one or more processors to perform the action, cause the one or more processors to;
      
      perform the action based on the actual ranking value.
  - 14. The non-transitory computer-readable medium of claim 8, where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - obtain another new firewall rule after obtaining the new firewall rule; and
      
      predict a ranking value for the other new firewall rule.

15. A method, comprising:
- obtaining, by a firewall device, information regarding a plurality of firewall rules,the information including information for a particular firewall rule of the plurality of firewall rules,the information for the particular firewall rule including one or more match condition values and a ranking value,the particular firewall rule being applicable to packets that are associated with packet information that matches the one or more match condition values associated with the particular firewall rule,a match condition value, of the one or more match condition values, being associated with a match count that identifies a quantity of times that packets, received by the firewall device, are associated with packet information that matches the match condition value, andthe ranking value identifying a quantity of times that the particular firewall rule has been applied to the packets received by the firewall device;
  
  performing, by the firewall device, a linear regression analysis of match counts and ranking values associated with the plurality of firewall rules to train a model that describes a relationship between the match counts and the ranking values associated with the plurality of firewall rules;
  
  automatically determining, by the firewall device, a size of a training set of match condition values and ranking values for the model, based on receiving an indication for a desired accuracy of predictions made using the model, to reduce processing power used by the firewall device to check the plurality of firewall rules;
  
  determining, by the firewall device, that the particular firewall rule applies to a first packet received by the firewall device based on checking whether the one or more match condition values match packet information associated with the first packet;
  
  obtaining, by the firewall device, a new firewall rule that includes a first match condition value, of the one or more match condition values, and a second match condition value, of the one or more match condition values,where the first match condition value is associated with a first firewall rule of the plurality of firewall rules and a first match count, andwhere the second match condition value is associated with a second firewall rule of the plurality of firewall rules and a second match count,the second firewall rule being different from the first firewall rule;
  
  predicting, by the firewall device, a particular ranking value, as a predicted ranking value, of the new firewall rule based on the first match count and the second match count and based on the information regarding the plurality of firewall rules; and
  
  performing, by the firewall device, an action on a second packet, with regard to the new firewall rule, based on the predicted ranking value.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising:
    - determining a position, in a particular order, of the new firewall rule relative to positions of the plurality of firewall rules,the position of the new firewall rule being determined based on the predicted ranking value and based on the ranking values of the plurality of firewall rules.
  - 17. The method of claim 16, further comprising:
    - determining an actual ranking value based on applying the new firewall rule to at least one packet; and
      
      where performing the action comprises;
      
      performing the action based on the actual ranking value.
  - 18. The method of claim 15, further comprising:
    - training the model based on the information regarding the plurality of firewall rules.
  - 19. The method of claim 18, where the training set is a first training set;
    - andwhere training the model comprises;
      
      training the model using a second training set larger than the first training set.
  - 20. The method of claim 15, further comprising:
    - storing the new firewall rule;
      
      receiving a third packet that is associated with packet information;
      
      determining that the first match condition value and the second match condition value match the packet information associated with the third packet; and
      
      applying the new firewall rule to the third packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Tulasi, Vinuth
Primary Examiner(s)
Lynch, Sharon

Application Number

US14/752,355
Time in Patent Office

893 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Predicting firewall rule ranking value

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Predicting firewall rule ranking value

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links