Policy block creation with context-sensitive policy line classification

US 9,992,232 B2
Filed: 04/18/2016
Issued: 06/05/2018
Est. Priority Date: 01/14/2016
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

at a management entity in communication with a plurality of network devices;

uploading from a network that includes the plurality of network devices, data representing policy rules configured on the plurality of network devices obtained from configuration files for the plurality of network devices;

comparing the data representing the policy rules for similarities in order to group together policy rules based on their similarities, wherein comparing comprises comparing pairs of policy rules across configuration files for the plurality of network devices to generate a similarity score indicating similarity between two rules of a given pair of policy rules, the comparing further including generating a plurality of sub-classifications, each containing a set of policy rule statements from a first configuration file and a set of policy rule statements from a second configuration file whose similarity score is above a threshold;

storing data representing a plurality of clusters, each cluster representing a group of policy rules that have been grouped together;

generating one or more configuration policies to be applied across the plurality of network devices using the data representing each of the plurality of clusters, while maintaining context of policy rule processing; and

sending data to the network to deploy the one or more configuration policies on the plurality of network devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Presented herein are techniques for creating a policy block comprised of a group of lines of rules/statements across configuration files for network devices. An algorithm is provided that determines when multiple policies are to be merged together into one policy. In one embodiment, data is uploaded from a network that includes a plurality of network devices. The data represents policy rules configured on the plurality of network devices. The data representing the policy rules is compared for similarities in order to group together policy rules based on their similarities. Data is stored representing a plurality of clusters, each cluster representing a group of policy rules that have been grouped together. One or more configuration policies are generated to be applied across the plurality of network devices using the data representing each of the plurality of clusters, while maintaining context of policy rule processing.

Citations

20 Claims

1. A method comprising:
- at a management entity in communication with a plurality of network devices;
  
  uploading from a network that includes the plurality of network devices, data representing policy rules configured on the plurality of network devices obtained from configuration files for the plurality of network devices;
  
  comparing the data representing the policy rules for similarities in order to group together policy rules based on their similarities, wherein comparing comprises comparing pairs of policy rules across configuration files for the plurality of network devices to generate a similarity score indicating similarity between two rules of a given pair of policy rules, the comparing further including generating a plurality of sub-classifications, each containing a set of policy rule statements from a first configuration file and a set of policy rule statements from a second configuration file whose similarity score is above a threshold;
  
  storing data representing a plurality of clusters, each cluster representing a group of policy rules that have been grouped together;
  
  generating one or more configuration policies to be applied across the plurality of network devices using the data representing each of the plurality of clusters, while maintaining context of policy rule processing; and
  
  sending data to the network to deploy the one or more configuration policies on the plurality of network devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein uploading comprises uploading the data from the plurality of network devices at a remote location to a centralized management entity.
  - 3. The method of claim 2, wherein comparing comprises comparing every pair of policy rules across configuration files for the plurality of network devices to generate a similarity score indicating similarity between two rules of a given pair of policy rules.
  - 4. The method of claim 1, further comprising combining the plurality of sub-classifications across the configuration files for the plurality of network devices.
  - 5. The method of claim 4, wherein combining comprises:
    - for a given policy rule statement of the first configuration file, generating an incidence matrix between lines of the first configuration file and a plurality of sub-classifications that refer to the first configuration file.
  - 6. The method of claim 1, wherein comparing comprises comparing a given policy rule statement against each of the plurality of clusters to determine whether there is sufficient similarity between the given policy rule statement and a particular cluster of the plurality of clusters so as to assign membership of the given policy rule statement to the particular cluster.
  - 7. The method of claim 6, wherein comparing comprises comparing a group of plurality policy rule statements against each of the plurality of clusters to determine whether there is sufficient similarity between the group of policy rule statements and a particular cluster of the plurality of clusters so as to assign membership of the group of policy rule statements to the particular cluster.
  - 8. The method of claim 7, further comprising generating, for each group of policy rule statements, a stamp based on one or more attributes of policy rule statements and such that each of the plurality of clusters has one or more stamps associated therewith according to the one or more groups of policy rule statements which are a member of the cluster, and wherein comparing comprises comparing the stamp of a particular group of policy rule statements with one or more stamps of each of the plurality of clusters.
  - 9. The method of claim 1, wherein the network devices are network security devices.

10. An apparatus comprising:
- a network interface unit configured to enable communications over a network that includes a plurality of network devices;
  
  a processor coupled to the network interface unit, wherein the processor is configured to;
  
  upload from the network, data representing policy rules configured on the plurality of network devices obtained from configuration files for the plurality of network devices;
  
  compare the data representing the policy rules for similarities in order to group together policy rules based on their similarities by comparing pairs of policy rules across configuration files for the plurality of network devices to generate a similarity score indicating similarity between two rules of a given pair of policy rules, including generating a plurality of sub-classifications, each containing a set of policy rule statements from a first configuration file and a set of policy rule statements from a second configuration file whose similarity score is above a threshold;
  
  store data representing a plurality of clusters, each cluster representing a group of policy rules that have been grouped together;
  
  generate one or more configuration policies to be applied across the plurality of network devices using the data representing each of the plurality of clusters, while maintaining context of policy rule processing; and
  
  send, via the network interface unit, data to the network to deploy the one or more configuration policies on the plurality of network devices.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus of claim 10, wherein the processor is configured to compare every pair of policy rules across configuration files for the plurality of network devices to generate a similarity score indicating similarity between two rules of a given pair of policy rules.
  - 12. The apparatus of claim 10, wherein the processor is configured to compare a given policy rule statement against each of the plurality of clusters to determine whether there is sufficient similarity between the given policy rule statement and a particular cluster of the plurality of clusters so as to assign membership of the given policy rule statement to the particular cluster.
  - 13. The apparatus of claim 12, wherein the processor is configured to compare a group of plurality policy rule statements against each of the plurality of clusters to determine whether there is sufficient similarity between the group of policy rule statements and a particular cluster of the plurality of clusters so as to assign membership of the group of policy rule statements to the particular cluster.
  - 14. The apparatus of claim 13, wherein the processor is further configured to generate, for each group of policy rule statements, a stamp based on one or more attributes of policy rule statements and such that each of the plurality of clusters has one or more stamps associated therewith according to the one or more groups of policy rule statements which are a member of the cluster, and wherein the processor is configured to compare the stamp of a particular group of policy rule statements with one or more stamps of each of the plurality of clusters.
  - 15. The apparatus of claim 10, wherein the processor is configured to combine the plurality of sub-classifications across the configuration files for the plurality of network devices, by, for a given policy rule statement of the first configuration file, generating an incidence matrix between lines of the first configuration file and a plurality of sub-classifications that refer to the first configuration file.

16. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed by a processor of a management entity in communication with a plurality of network devices, wherein the instructions are operable to cause the processor to perform operations comprising:
- uploading from a network that includes a plurality of network devices, data representing policy rules configured on the plurality of network devices obtained from configuration files for the plurality of network devices;
  
  comparing the data representing the policy rules for similarities in order to group together policy rules based on their similarities, wherein comparing comprises comparing pairs of policy rules across configuration files for the plurality of network devices to generate a similarity score indicating similarity between two rules of a given pair of policy rules, the comparing including generating a plurality of sub-classifications, each containing a set of policy rule statements from a first configuration file and a set of policy rule statements from a second configuration file whose similarity score is above a threshold;
  
  storing data representing a plurality of clusters, each cluster representing a group of policy rules that have been grouped together;
  
  generating one or more configuration policies to be applied across the plurality of network devices using the data representing each of the plurality of clusters, while maintaining context of policy rule processing; and
  
  sending data to the network to deploy the one or more configuration policies on the plurality of network devices.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The non-transitory computer readable storage media of claim 16, wherein the instructions for comparing comprise instructions for comparing every pair of policy rules across configuration files for the plurality of network devices to generate a similarity score indicating similarity between two rules of a given pair of policy rules.
  - 18. The non-transitory computer readable storage media of claim 16, wherein the instructions operable for comparing comprise instructions operable for comparing a given policy rule statement against each of the plurality of clusters to determine whether there is sufficient similarity between the given policy rule statement and a particular cluster of the plurality of clusters so as to assign membership of the given policy rule statement to the particular cluster.
  - 19. The non-transitory computer readable storage media of claim 18, wherein the instructions operable for comparing include instructions operable for comparing a group of plurality policy rule statements against each of the plurality of clusters to determine whether there is sufficient similarity between the group of policy rule statements and a particular cluster of the plurality of clusters so as to assign membership of the group of policy rule statements to the particular cluster.
  - 20. The non-transitory computer readable storage media of claim 19, further comprising instructions operable for generating, for each group of policy rule statements, a stamp based on one or more attributes of policy rule statements and such that each of the plurality of clusters has one or more stamps associated therewith according to the one or more groups of policy rule statements which are a member of the cluster, and wherein the instructions for comparing include instructions operable for comprises comparing the stamp of a particular group of policy rule statements with one or more stamps of each of the plurality of clusters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Hollingshead, Daniel, Vasant, Sachin, Dotan, Yedidya, Miglani, Umesh Kumar, Knjazihhin, Denis
Primary Examiner(s)
Schwartz, Darren B

Application Number

US15/131,604
Publication Number

US 20170208094A1
Time in Patent Office

778 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/0263   Rule management

H04L 63/20   for managing network securi...

Policy block creation with context-sensitive policy line classification

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Policy block creation with context-sensitive policy line classification

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links