Method and system for analyzing security ruleset by generating a logically equivalent security rule-set
Abstract
There are provided a rule-set analyzer and a method of analyzing an ordered security rule-set comprising a plurality of rules and characterized by at least one extrinsic field. The method comprises: upon specifying atomic elements constituting an extrinsic space corresponding to the at least one extrinsic field, partitioning, by a processor, the extrinsic space into two or more equivalence classes, wherein each atomic element in the extrinsic space belongs to one and only one equivalence class; mapping, by the processor, said equivalence classes over the rule-set; and analyzing, by the processor, the security rule-set using the results of mapping said equivalence classes over the rule-set.
Claims (12 in total; the independent claims 1, 6, 11 and 12 are reproduced below)
1. A method of analyzing an ordered security rule-set comprising a plurality of rules and characterized by at least one extrinsic field specifying both extrinsic and non-extrinsic values, the method comprising:
dividing the values specified by the at least one extrinsic field into a first space constituted by all extrinsic values specified in the at least one extrinsic field and a second space constituted by all non-extrinsic values specified in the at least one extrinsic field;
defining in the first space at least one extrinsic space comprising extrinsic values of the same type;
upon specifying atomic elements constituting the at least one extrinsic space, partitioning, by a processor, the at least one extrinsic space into two or more equivalence classes, wherein each atomic element in the at least one extrinsic space belongs to one and only one equivalence class, and wherein partitioning into equivalence classes is provided by mapping each atomic element of the at least one extrinsic space over all groups of extrinsic values specified for the security rule-set, each equivalence class constituted by one or more atomic elements of the at least one extrinsic space that appear in exactly the same groups;
mapping, by the processor, said equivalence classes over the security rule-set;
analyzing, by the processor, the security rule-set using the results of mapping said equivalence classes over the security rule-set, wherein analyzing the security rule-set in regard to the first space is provided independently from analyzing the security rule-set in regard to the second space; and
using the results of analyzing to generate, by the processor, a logically equivalent security rule-set specifying the rules in regard to the equivalence classes, wherein the logically equivalent security rule-set is usable in operation of a security gateway to control at least one of (i) inbound and outbound traffic related to a network and (ii) access to network resources.
Dependent claims: 2, 3, 4, 5.
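The partitioning and rewriting steps of claim 1, as an added Python example that is not part of the patent: it assumes a single extrinsic space (source addresses, modelled as small integers), first-match semantics for the ordered rule-set, and constructed sample groups and rules; the non-extrinsic second space of the claim is left out.

```python
# Added example (not the patent's own code): partition one extrinsic field
# into equivalence classes and rewrite an ordered rule-set over those classes.
# Assumptions: a single extrinsic space (source addresses, modelled as small
# integers), first-match semantics, and constructed sample groups and rules.

# Constructed groups of extrinsic values: name -> inclusive integer ranges.
GROUPS = {
    "lan": [(10, 19)],
    "dmz": [(20, 29)],
    "srv": [(15, 24)],   # deliberately overlaps lan and dmz
    "any": [(0, 39)],
}
# Constructed ordered rule-set: (source group, action); first match wins.
RULES = [("srv", "deny"), ("lan", "allow"), ("dmz", "allow"), ("any", "deny")]

def atomic_elements(groups):
    """Every atomic element covered by at least one group."""
    return sorted({x for rs in groups.values() for lo, hi in rs for x in range(lo, hi + 1)})

def signature(x, groups):
    """Map one atomic element over all groups: the set of groups containing it."""
    return frozenset(g for g, rs in groups.items() if any(lo <= x <= hi for lo, hi in rs))

def equivalence_classes(groups):
    """Elements with exactly the same signature form one class (need not be contiguous)."""
    classes = {}
    for x in atomic_elements(groups):
        classes.setdefault(signature(x, groups), []).append(x)
    return classes

def rewrite_rules(rules, classes):
    """Map the classes over the rule-set: each rule lists the class ids its group covers."""
    sigs = sorted(classes, key=lambda s: classes[s][0])   # class id = position in this list
    class_rules = [(tuple(i for i, s in enumerate(sigs) if g in s), act) for g, act in rules]
    return class_rules, sigs

def first_match(x, rules, groups):
    """Action of the original rule-set for element x (None if no rule matches)."""
    return next((act for g, act in rules if g in signature(x, groups)), None)

def first_match_by_class(x, class_rules, sigs, groups):
    """Action of the class-based rule-set for element x."""
    cid = sigs.index(signature(x, groups))
    return next((act for cids, act in class_rules if cid in cids), None)

def logically_equivalent(rules, groups):
    """Check that both rule-sets decide every atomic element identically."""
    class_rules, sigs = rewrite_rules(rules, equivalence_classes(groups))
    return all(first_match(x, rules, groups) == first_match_by_class(x, class_rules, sigs, groups)
               for x in atomic_elements(groups))
```

With these sample groups, elements 0 to 9 and 30 to 39 share the signature {any} and therefore fall into one class even though they are not contiguous, so the rewritten rule-set has five classes rather than six ranges.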
6. An analyzer to analyze an ordered security rule-set comprising a plurality of rules, and characterized by at least one extrinsic field specifying both extrinsic and non-extrinsic values, the analyzer comprising:
a first interface to obtain data specifying a first space constituted by all extrinsic values specified in the at least one extrinsic field, data specifying a second space constituted by all non-extrinsic values specified in the at least one extrinsic field, and data specifying atomic elements constituting an extrinsic space defined in the first space and comprising extrinsic values of the same type;
a second interface to obtain data specifying groups of extrinsic values specified to the security rule-set; and
a processor operatively connected to the first interface and the second interface, the processor:
to partition the extrinsic space into two or more equivalence classes by mapping each atomic element of the extrinsic space over all groups of extrinsic values specified to the security rule-set, wherein each equivalence class is constituted by one or more atomic elements of the extrinsic space that appear in exactly the same groups, and wherein each atomic element in the extrinsic space belongs to one and only one equivalence class;
to map said equivalence classes over the security rule-set;
to analyze the security rule-set using the results of mapping said equivalence classes over the rule-set, wherein analyzing the security rule-set in regard to the first space is provided independently from analyzing the security rule-set in regard to the second space; and
to generate, using the results of analyzing the security rule-set, a logically equivalent security rule-set specifying the rules in regard to the equivalence classes, wherein the logically equivalent security rule-set is usable in operation of a security gateway to control at least one of (i) inbound and outbound traffic related to a network and (ii) access to network resources.
Dependent claims: 7, 8, 9, 10.
11. A non-transitory computer readable medium storing a computer readable program executable by a computer for causing the computer to perform a method of analyzing an ordered security rule-set comprising a plurality of rules and characterized by at least one extrinsic field specifying both extrinsic and non-extrinsic values, the method comprising:
dividing the values specified by the at least one extrinsic field into a first space constituted by all extrinsic values specified in the at least one extrinsic field and a second space constituted by all non-extrinsic values specified in the at least one extrinsic field;
defining in the first space at least one extrinsic space comprising extrinsic values of the same type;
upon specifying atomic elements constituting the at least one extrinsic space, partitioning the extrinsic space into two or more equivalence classes, wherein each atomic element in the extrinsic space belongs to one and only one equivalence class, and wherein partitioning into equivalence classes is provided by mapping each atomic element of the at least one extrinsic space over all groups of extrinsic values specified for the security rule-set, each equivalence class constituted by one or more atomic elements of the at least one extrinsic space that appear in exactly the same groups;
mapping said equivalence classes over the rule-set;
analyzing the security rule-set using the results of mapping said equivalence classes over the rule-set, wherein analyzing the security rule-set in regard to the first space is provided independently from analyzing the security rule-set in regard to the second space; and
using the results of analyzing to generate a logically equivalent security rule-set specifying the rules in regard to the equivalence classes, wherein the logically equivalent security rule-set is usable in operation of a security gateway to control at least one of (i) inbound and outbound traffic related to a network and (ii) access to network resources.
12. A computer program product comprising a non-transitory computer readable medium storing computer readable program code embodied therein for causing a computer to perform a method of analyzing an ordered security rule-set comprising a plurality of rules and characterized by at least one extrinsic field specifying both extrinsic and non-extrinsic values, the method comprising:
dividing the values specified by the at least one extrinsic field into a first space constituted by all extrinsic values specified in the at least one extrinsic field and a second space constituted by all non-extrinsic values specified in the at least one extrinsic field;
defining in the first space at least one extrinsic space comprising extrinsic values of the same type;
upon specifying atomic elements constituting the at least one extrinsic space, partitioning the extrinsic space into two or more equivalence classes, wherein each atomic element in the extrinsic space belongs to one and only one equivalence class, and wherein partitioning into equivalence classes is provided by mapping each atomic element of the at least one extrinsic space over all groups of extrinsic values specified for the security rule-set, each equivalence class constituted by one or more atomic elements of the at least one extrinsic space that appear in exactly the same groups;
mapping said equivalence classes over the rule-set;
analyzing the security rule-set using the results of mapping said equivalence classes over the rule-set, wherein analyzing the security rule-set in regard to the first space is provided independently from analyzing the security rule-set in regard to the second space; and
using the results of analyzing to generate a logically equivalent security rule-set specifying the rules in regard to the equivalence classes, wherein the logically equivalent security rule-set is usable in operation of a security gateway to control at least one of (i) inbound and outbound traffic related to a network and (ii) access to network resources.