Method and system for analyzing security ruleset by generating a logically equivalent security rule-set

US 9,578,030 B2
Filed: 07/10/2014
Issued: 02/21/2017
Est. Priority Date: 02/07/2011
Status: Active Grant

First Claim

Patent Images

1. A method of analyzing an ordered security rule-set comprising a plurality of rules and characterized by at least one extrinsic field specifying both extrinsic and non-extrinsic values, the method comprising:

dividing the values specified by the at least one extrinsic field into a first space constituted by all extrinsic values specified in the at least one extrinsic field and a second space constituted by all non-extrinsic values specified in the at least one extrinsic field;

defining in the first space at least one extrinsic space comprising extrinsic values of the same type;

upon specifying atomic elements constituting the at least one extrinsic space, partitioning, by a processor, the at least one extrinsic space into two or more equivalence classes, wherein each atomic element in the at least one extrinsic space belongs to one and only one equivalence class, and wherein partitioning into equivalence classes is provided by mapping each atomic element of the at least one extrinsic space over all groups of extrinsic values specified for the security rule-set, each equivalence class constituted by one or more atomic elements of the at least one extrinsic space that appear in same groups exactly;

mapping, by the processor, said equivalence classes over the security rule-set;

analyzing, by the processor, the security rule-set using the results of mapping said equivalence classes over the security rule-set, wherein analyzing the security rule-set in regard to the first space is provided independently from analyzing the security rule-set in regard to the second space; and

using the results of analyzing to generate, by the processor, a logically equivalent security rule-set specifying the rules in regard to the equivalent classes, wherein the logically equivalent security rule-set is usable in operation of a security gateway to control at least one of (i) inbound and outbound traffic related to a network and (ii) access to network resources.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There are provided a rule-set analyzer and a method of analyzing an ordered security rule-set comprising a plurality of rules and characterized by at least one extrinsic field. The method comprises: upon specifying atomic elements constituting an extrinsic space corresponding to the at least one extrinsic field, partitioning, by a processor, the extrinsic space into two or more equivalence classes, wherein each atomic element in the extrinsic space belongs to one and only one equivalence class; mapping, by the processor, said equivalence classes over the rule-set; and analyzing, by the processor, the security rule-set using the results of mapping said equivalence classes over the rule-set.

54 Citations

12 Claims

1. A method of analyzing an ordered security rule-set comprising a plurality of rules and characterized by at least one extrinsic field specifying both extrinsic and non-extrinsic values, the method comprising:
- dividing the values specified by the at least one extrinsic field into a first space constituted by all extrinsic values specified in the at least one extrinsic field and a second space constituted by all non-extrinsic values specified in the at least one extrinsic field;
  
  defining in the first space at least one extrinsic space comprising extrinsic values of the same type;
  
  upon specifying atomic elements constituting the at least one extrinsic space, partitioning, by a processor, the at least one extrinsic space into two or more equivalence classes, wherein each atomic element in the at least one extrinsic space belongs to one and only one equivalence class, and wherein partitioning into equivalence classes is provided by mapping each atomic element of the at least one extrinsic space over all groups of extrinsic values specified for the security rule-set, each equivalence class constituted by one or more atomic elements of the at least one extrinsic space that appear in same groups exactly;
  
  mapping, by the processor, said equivalence classes over the security rule-set;
  
  analyzing, by the processor, the security rule-set using the results of mapping said equivalence classes over the security rule-set, wherein analyzing the security rule-set in regard to the first space is provided independently from analyzing the security rule-set in regard to the second space; and
  
  using the results of analyzing to generate, by the processor, a logically equivalent security rule-set specifying the rules in regard to the equivalent classes, wherein the logically equivalent security rule-set is usable in operation of a security gateway to control at least one of (i) inbound and outbound traffic related to a network and (ii) access to network resources.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising assigning a unique ID to each atomic element in the extrinsic space prior to partitioning the at least one extrinsic space into equivalence classes.
  - 3. The method of claim 1 further comprising:
    - responsive to a request related to one or more conditions specified in the security rule-set with regard to a given group specified for the security rule-set, identifying equivalence classes corresponding to the given group; and
      
      analyzing the one or more conditions specified in the logically equivalent rule-set for each of the identified equivalence classes.
  - 4. The method of claim 1, wherein the at least one extrinsic field is selected from a group constituted by a user field and an application field.
  - 5. The method of claim 1, wherein the at least one extrinsic field is selected from a group constituted by a source field and a destination field, and the specified extrinsic values are selected from a group constituted by virtual machine names and security group names.

6. An analyzer to analyze an ordered security rule-set comprising a plurality of rules, and characterized by at least one extrinsic field specifying both extrinsic and non-extrinsic values, the analyzer comprising:
- a first interface to obtain data specifying a first space constituted by all extrinsic values specified in the at least one extrinsic field, data specifying a second space constituted by all non-extrinsic values specified in the at least one extrinsic field, and data specifying atomic elements constituting an extrinsic space defined in the first space and comprising extrinsic values of the same type;
  
  a second interface to obtain data specifying groups of extrinsic values specified to the security rule-set; and
  
  a processor operatively connected to the first interface and the second interface, the processor;
  
  to partition the extrinsic space into two or more equivalence classes by mapping each atomic element of the extrinsic space over all groups of extrinsic values specified to the security rule-set, wherein each equivalence class is constituted by one or more atomic elements of the extrinsic space that appear in same groups exactly, and wherein each atomic element in the extrinsic space belongs to one and only one equivalence class;
  
  to map said equivalence classes over the security rule-set;
  
  to analyze the security rule-set using the results of mapping said equivalence classes over the rule-set, wherein analyzing the security rule-set in regard to the first space is provided independently from analyzing the security rule-set in regard to the second space; and
  
  to generate, using the results of analyzing the security rule-set, a logically equivalent security rule-set specifying the rules in regard to the equivalence classes, wherein the logically equivalent security rule-set is usable in operation of a security gateway to control at least one of (i) inbound and outbound traffic related to a network and (ii) access to network resources.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The analyzer of claim 6, wherein the extrinsic field specifies non-numeric extrinsic values, the processor further to assign a unique ID to each atomic element in the extrinsic space prior to partitioning the space into equivalence classes.
  - 8. The analyzer of claim 6, wherein the processor further:
    - to generate a logically equivalent security rule-set specifying the rules with regard to the equivalence classes;
      
      responsive to a request related to one or more conditions specified in the security rule-set with regard to a given group specified for the security rule-set, to identify equivalence classes corresponding to the given group; and
      
      to analyze the one or more conditions specified in the logically equivalent security rule-set for each of the identified equivalence classes.
  - 9. The analyzer of claim 6, wherein at least one extrinsic field is selected from a group constituted by a user field and an application field.
  - 10. The analyzer of claim 6, wherein the at least one extrinsic field is selected from a group constituted by a source field and a destination field, and the specified extrinsic values are selected from a group constituted by virtual machine names and security group names.

11. A non-transitory computer readable medium storing a computer readable program executable by a computer for causing the computer to perform a method of analyzing an ordered security rule-set comprising a plurality of rules and characterized by at least one extrinsic field specifying both extrinsic and non-extrinsic values, the method comprising:
- dividing the values specified by the at least one extrinsic field into a first space constituted by all extrinsic values specified in the at least one extrinsic field and a second space constituted by all non-extrinsic values specified in the at least one extrinsic field;
  
  defining in the first space at least one extrinsic space comprising extrinsic values of the same type;
  
  upon specifying atomic elements constituting the at least one extrinsic space, partitioning the extrinsic space into two or more equivalence classes, wherein each atomic element in the extrinsic space belongs to one and only one equivalence class, and wherein partitioning into equivalence classes is provided by mapping each atomic element of the at least one extrinsic space over all groups of extrinsic values specified for the security rule-set, each equivalence class constituted by one or more atomic elements of the at least one extrinsic space that appear in same groups exactly;
  
  mapping said equivalence classes over the rule-set;
  
  analyzing the security rule-set using the results of mapping said equivalence classes over the rule-set, wherein analyzing the security rule-set in regard to the first space is provided independently from analyzing the security rule-set in regard to the second space; and
  
  using the results of analyzing to generate a logically equivalent security rule-set specifying the rules in regard to the equivalent classes, wherein the logically equivalent security rule-set is usable in operation of a security gateway to control at least one of (i) inbound and outbound traffic related to a network and (ii) access to network resources.

12. A computer program product comprising a non-transitory computer readable medium storing computer readable program code embodied therein for causing a computer to perform a method of analyzing an ordered security rule-set comprising a plurality of rules and characterized by at least one extrinsic field specifying both extrinsic and non-extrinsic values, the method comprising:
- dividing the values specified by the at least one extrinsic field into a first space constituted by all extrinsic values specified in the at least one extrinsic field and a second space constituted by all non-extrinsic values specified in the at least one extrinsic field;
  
  defining in the first space at least one extrinsic space comprising extrinsic values of the same type;
  
  upon specifying atomic elements constituting the at least one extrinsic space, partitioning the extrinsic space into two or more equivalence classes, wherein each atomic element in the extrinsic space belongs to one and only one equivalence class, and wherein partitioning into equivalence classes is provided by mapping each atomic element of the at least one extrinsic space over all groups of extrinsic values specified for the security rule-set, each equivalence class constituted by one or more atomic elements of the at least one extrinsic space that appear in same groups exactly;
  
  mapping said equivalence classes over the rule-set;
  
  analyzing the security rule-set using the results of mapping said equivalence classes over the rule-set, wherein analyzing the security rule-set in regard to the first space is provided independently from analyzing the security rule-set in regard to the second space; and
  
  using the results of analyzing to generate a logically equivalent security rule-set specifying the rules in regard to the equivalent classes, wherein the logically equivalent security rule-set is usable in operation of a security gateway to control at least one of (i) inbound and outbound traffic related to a network and (ii) access to network resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tufin Software Technologies Ltd.
Original Assignee
Tufin Software Technologies Ltd.
Inventors
Lavi, Yoni
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
RUPRECHT, CHRISTOPHER S

Application Number

US14/328,028
Publication Number

US 20140325590A1
Time in Patent Office

957 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604   Tools and structures for ma...

H04L 63/0263   Rule management

H04L 63/10   for controlling access to d...

Method and system for analyzing security ruleset by generating a logically equivalent security rule-set

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

54 Citations

12 Claims

Specification

Use Cases

Quick Links

Others

Method and system for analyzing security ruleset by generating a logically equivalent security rule-set

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

12 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others