METHOD OF ANALYZING SECURITY RULESET AND SYSTEM THEREOF

US 20120204220A1
Filed: 02/07/2012
Published: 08/09/2012
Est. Priority Date: 02/07/2011
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing an ordered security rule-set comprising a plurality of rules comprising N≧

1 extrinsic rule-fields, the method comprising;

upon specifying an extrinsic space constituted by atomic elements corresponding to the values characterizing an extrinsic rule-field, partitioning said specified extrinsic space into two or more equivalence classes, wherein each atomic element in said extrinsic space belongs to one and only one equivalence class;

mapping said equivalence classes over the rule-set; and

generating a logically equivalent security rule-set, wherein respective rules comprise N−

1 extrinsic rule-fields.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There are provided a rule-set analyzer and a method of analyzing an ordered security rule-set comprising a plurality of rules comprising N≧1 extrinsic rule-fields. The method comprised: upon specifying an extrinsic space constituted by atomic elements corresponding to the values characterizing an extrinsic rule-field, partitioning said specified extrinsic space into two or more equivalence classes, wherein each atomic element in said extrinsic space belongs to one and only one equivalence class; mapping said equivalence classes over the rule-set; and generating a logically equivalent security rule-set, wherein respective rules comprise N−1 extrinsic rule-fields.

114 Citations

View as Search Results

16 Claims

1. A method of analyzing an ordered security rule-set comprising a plurality of rules comprising N≧
- 1 extrinsic rule-fields, the method comprising;
  
  upon specifying an extrinsic space constituted by atomic elements corresponding to the values characterizing an extrinsic rule-field, partitioning said specified extrinsic space into two or more equivalence classes, wherein each atomic element in said extrinsic space belongs to one and only one equivalence class;
  
  mapping said equivalence classes over the rule-set; and
  
  generating a logically equivalent security rule-set, wherein respective rules comprise N−
  
  1 extrinsic rule-fields.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein at least one extrinsic rule-field is selected from a group comprising a user field and an application field.
  - 3. The method of claim 1 wherein the extrinsic rule-field is a non-numeric rule-field, the method further comprising assigning a unique ID to each atomic element in the specified extrinsic space prior to partitioning the space into equivalence classes.
  - 4. The method of claim 1, wherein partitioning into equivalence classes is provided by mapping each atomic element in the specified extrinsic space to the rules it appears in, and wherein each equivalence class is constituted by one or more atomic elements of said extrinsic space that appear in the same rules exactly.
  - 5. The method of claim 1 wherein the rule-set is associated with one or more data structures specifying groups of values characterizing said extrinsic rule-field, and wherein partitioning into equivalence classes is provided by mapping each atomic element of said extrinsic space over all groups comprised in said at least one data structure, and wherein each equivalence class is constituted by one or more atomic elements of said extrinsic space that appear in the same groups exactly.
  - 6. The method of claim 5 further comprising:
    - responsive to a request related to conditions specified in the rule-set with regard to a given group specified in said one or more data structures, identifying equivalence classes corresponding to the given group; and
      
      analyzing the conditions specified in the logically equivalent rule-set for each of the identified equivalence classes.
  - 7. The method of claim 5 further comprising:
    - responsive to a request related to conditions specified in the rule-set with regard to a given group non-specified in said one or more data structures, providing a new partitioning into equivalence classes by mapping each atomic element of said extrinsic space over all groups comprised in said at least one data structure and over said given group;
      
      generating a new logically equivalent security rule-set;
      
      identifying equivalence classes corresponding to the given group; and
      
      analyzing the conditions specified in the new logically equivalent rule-set for each of the identified equivalence classes.

8. A rule-set analyzer operable to analyze an ordered security rule-set comprising a plurality of rules comprising N≧
- 1 extrinsic rule-fields, the rule-set analyzer comprising;
  
  a rule interface operable to obtain data specifying an extrinsic space constituted by atomic elements corresponding to the values characterizing an extrinsic rule-field;
  
  a processor operatively connected to the rule interface and operable to;
  
  partition said specified extrinsic space into two or more equivalence classes, wherein each atomic element in said extrinsic space belongs to one and only one equivalence class;
  
  map said equivalence classes over the rule-set; and
  
  generate a logically equivalent security rule-set, wherein respective rules comprise N−
  
  1 extrinsic rule-fields.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The rule-set analyzer of claim 8, wherein at least one extrinsic rule-field is selected from a group comprising a user field and an application field.
  - 10. The rule-set analyzer of claim 8 wherein the extrinsic rule-field is a non-numeric rule-field, the processor further operable to assign a unique ID to each atomic element in the specified extrinsic space prior to partitioning the space into equivalence classes.
  - 11. The rule-set analyzer of claim 8, wherein the processor is operable to provide to partitioning into equivalence classes by mapping each atomic element in the specified extrinsic space to the rules it appears in, and wherein each equivalence class is constituted by one or more atomic elements of said extrinsic space that appear in the same rules exactly.
  - 12. The rule-set analyzer of claim 8 further comprising a group interface operatively coupled to the processor and operable to obtain data specifying groups of values characterizing said extrinsic rule-field, and wherein the processor is operable to provide partitioning into equivalence classes by mapping each atomic element of said extrinsic space over all groups comprised in said at least one data structure, and wherein each equivalence class is constituted by one or more atomic elements of said extrinsic space that appear in the same groups exactly.
  - 13. The rule-set analyzer of claim 12 wherein the processor is further operable:
    - responsive to a request related to conditions specified in the rule-set with regard to a given group, to identify equivalence classes corresponding to the given group, and to analyze the conditions specified in the logically equivalent rule-set for each of the identified equivalence classes.
  - 14. The rule-set analyzer of claim 12 wherein the processor is further operable:
    - responsive to a request related to conditions specified in the rule-set with regard to a given group non-specified in one or more data structures associated with the rule-set, to provide a new partitioning into equivalence classes by mapping each atomic element of said extrinsic space over all groups comprised in said at least one data structure and over said given group, to generate a new logically equivalent security rule-set, to identify equivalence classes corresponding to the given group, and to analyze the conditions specified in the new logically equivalent rule-set for each of the identified equivalence classes.

15. A non-transitory computer readable medium storing a computer readable program executable by a computer for causing the computer to perform a method of analyzing an ordered security rule-set comprising a plurality of rules comprising N≧
- 1 extrinsic rule-fields, the method comprising;
  
  upon specifying an extrinsic space constituted by atomic elements corresponding to the values characterizing an extrinsic rule-field, partitioning said specified extrinsic space into two or more equivalence classes, wherein each atomic element in said extrinsic space belongs to one and only one equivalence class;
  
  mapping said equivalence classes over the rule-set; and
  
  generating a logically equivalent security rule-set, wherein respective rules comprise N−
  
  1 extrinsic rule-fields.

16. A computer program product comprising a non-transitory computer readable medium storing computer readable program code embodied therein for causing the computer to perform a method of analyzing an ordered security rule-set comprising a plurality of rules comprising N≧
- 1 extrinsic rule-fields, the computer program product comprising;
  
  computer readable program code for causing the computer, upon specifying an extrinsic space constituted by atomic elements corresponding to the values characterizing an extrinsic rule-field, to partition said specified extrinsic space into two or more equivalence classes, wherein each atomic element in said extrinsic space belongs to one and only one equivalence class;
  
  computer readable program code for causing the computer to map said equivalence classes over the rule-set; and
  
  computer readable program code for causing the computer to generate a logically equivalent security rule-set, wherein respective rules comprise N−
  
  1 extrinsic rule-fields.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tufin Software Technologies Ltd.
Original Assignee
Tufin Software Technologies Ltd.
Inventors
LAVI, Yoni

Granted Patent

US 8,806,569 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

H04L 63/0263 Rule management

METHOD OF ANALYZING SECURITY RULESET AND SYSTEM THEREOF

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

METHOD OF ANALYZING SECURITY RULESET AND SYSTEM THEREOF

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others