
US-12621266-B2 - Systems and methods for probability-based inline rule inspection


Abstract

Systems and methods for probability-based inline rule inspection include performing inline monitoring between one or more endpoints and the internet; receiving a payload based on the inline monitoring; and performing traffic inspection of the payload based on one or more rules, wherein each of the one or more rules are inspected based on a probability assigned thereto, and wherein the probability assigned to each of the one or more rules can be a function of an execution time of each of the one or more rules and a historic effectiveness of each of the one or more rules.

Inventors

  • Juan Gomez
  • Anna George
  • Jane Joseph
  • Kanti Varanasi
  • Nikhil Bhatia
  • Pankaj Kumar

Assignees

  • ZSCALER, INC.

Dates

Publication Date
20260505
Application Date
20240624

Claims (20)

  1. A method comprising steps of: performing inline monitoring between one or more endpoints and the internet; receiving a payload based on the inline monitoring; logging, in log data generated from the inline monitoring, for each of the one or more rules (i) an average processing time for the rule and (ii) a hit ratio indicating historic effectiveness of the rule over a preconfigured time window; computing, for each of the one or more rules, a probability assigned to the rule as a function of the average processing time and the hit ratio; and performing traffic inspection of the payload based on one or more rules, wherein each of the one or more rules are inspected based on the probability assigned thereto, such that the probability determines a frequency with which the rule is applied to inspect received payloads.
  2. The method of claim 1, wherein each of the one or more rules are inspected concurrently for the payload, by parallel evaluation of the rules using multi-threading or parallel computing such that the payload is simultaneously examined against a plurality of the rules.
  3. The method of claim 2, wherein each of the one or more rules are inspected concurrently by different processors.
  4. The method of claim 1, wherein the probability assigned to each of the one or more rules is based on an execution time of each of the one or more rules.
  5. The method of claim 1, wherein the probability assigned to each of the one or more rules is based on a historic effectiveness of each of the one or more rules, wherein the historic effectiveness comprises a hit ratio for the rule indicating how many times the rule has been triggered over a preconfigured time window, the hit ratio being determined from log data generated by the inline monitoring, and wherein a higher hit ratio corresponds to a higher probability for the rule.
  6. The method of claim 1, wherein the probability assigned to each of the one or more rules is a function of an execution time of each of the one or more rules and a historic effectiveness of each of the one or more rules, wherein: (a) the execution time comprises an average processing time for the rule determined from log data of inline monitoring; and (b) the historic effectiveness comprises a hit ratio for the rule determined from the log data over a preconfigured time window, such that rules having higher average processing times and lower hit ratios are assigned lower probabilities than rules having lower average processing times and higher hit ratios.
  7. The method of claim 6, wherein the execution time of each of the one or more rules and the historic effectiveness of each of the one or more rules is based on global log data.
  8. The method of claim 6, wherein the execution time of each of the one or more rules and the historic effectiveness of each of the one or more rules is based on tenant-based log data, wherein the inline monitoring is performed for a specific tenant.
  9. The method of claim 6, wherein the steps further include: selecting the one or more rules from a plurality of rules based on a probability assigned to each of the plurality of rules.
  10. The method of claim 9, wherein the selecting is performed at preconfigured time intervals, and wherein the one or more selected rules are inspected for every payload encountered during a duration of a time interval subsequent to the selecting.
  11. A non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors to perform steps of: performing inline monitoring between one or more endpoints and the internet; receiving a payload based on the inline monitoring; logging, in log data generated from the inline monitoring, for each of the one or more rules (i) an average processing time for the rule and (ii) a hit ratio indicating historic effectiveness of the rule over a preconfigured time window; computing, for each of the one or more rules, a probability assigned to the rule as a function of the average processing time and the hit ratio; and performing traffic inspection of the payload based on one or more rules, wherein each of the one or more rules are inspected based on the probability assigned thereto, such that the probability determines a frequency with which the rule is applied to inspect received payloads.
  12. The non-transitory computer-readable medium of claim 11, wherein each of the one or more rules are inspected concurrently for the payload, by parallel evaluation of the rules using multi-threading or parallel computing such that the payload is simultaneously examined against a plurality of the rules.
  13. The non-transitory computer-readable medium of claim 12, wherein each of the one or more rules are inspected concurrently by different processors.
  14. The non-transitory computer-readable medium of claim 11, wherein the probability assigned to each of the one or more rules is based on an execution time of each of the one or more rules.
  15. The non-transitory computer-readable medium of claim 11, wherein the probability assigned to each of the one or more rules is based on a historic effectiveness of each of the one or more rules, wherein the historic effectiveness comprises a hit ratio for the rule indicating how many times the rule has been triggered over a preconfigured time window, the hit ratio being determined from log data generated by the inline monitoring, and wherein a higher hit ratio corresponds to a higher probability for the rule.
  16. The non-transitory computer-readable medium of claim 11, wherein the probability assigned to each of the one or more rules is a function of an execution time of each of the one or more rules and a historic effectiveness of each of the one or more rules, wherein: (a) the execution time comprises an average processing time for the rule determined from log data of inline monitoring; and (b) the historic effectiveness comprises a hit ratio for the rule determined from the log data over a preconfigured time window, such that rules having higher average processing times and lower hit ratios are assigned lower probabilities than rules having lower average processing times and higher hit ratios.
  17. The non-transitory computer-readable medium of claim 16, wherein the execution time of each of the one or more rules and the historic effectiveness of each of the one or more rules is based on global log data.
  18. The non-transitory computer-readable medium of claim 16, wherein the execution time of each of the one or more rules and the historic effectiveness of each of the one or more rules is based on tenant-based log data, wherein the inline monitoring is performed for a specific tenant.
  19. The non-transitory computer-readable medium of claim 16, wherein the steps further include: selecting the one or more rules from a plurality of rules based on a probability assigned to each of the plurality of rules.
  20. The non-transitory computer-readable medium of claim 19, wherein the selecting is performed at preconfigured time intervals, and wherein the one or more selected rules are inspected for every payload encountered during a duration of a time interval subsequent to the selecting.
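A worked sketch of the claimed procedure in Python, added here and not code from the patent or from Zscaler: per-rule average processing time and hit ratio are derived from a constructed log window, turned into a selection probability, a rule set is drawn once per interval, and the selected rules are evaluated concurrently against a payload. The scoring function (hit ratio per unit of processing time, normalised with a floor), the probability floor and the toy rule bodies are assumptions, since the patent states no formula.

```python
import random
import statistics
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed inspection log for one time window: (rule_id, processing_ms, hit).
LOG = [
    ("sqli", 0.4, True), ("sqli", 0.5, True), ("sqli", 0.3, False),
    ("xss", 0.2, True), ("xss", 0.3, False), ("xss", 0.2, False),
    ("regex_heavy", 9.0, False), ("regex_heavy", 11.0, False), ("regex_heavy", 10.0, True),
]

# Constructed, deliberately simple rule bodies standing in for real inspection logic.
RULES = {
    "sqli": lambda p: "union select" in p.lower(),
    "xss": lambda p: "<script" in p.lower(),
    "regex_heavy": lambda p: p.count("%") > 3,
}

def rule_stats(log):
    """Per-rule (average processing time, hit ratio) derived from the log window."""
    times, hits = defaultdict(list), defaultdict(list)
    for rule, ms, hit in log:
        times[rule].append(ms)
        hits[rule].append(hit)
    return {r: (statistics.fmean(times[r]), sum(hits[r]) / len(hits[r])) for r in times}

def rule_probabilities(stats, min_p=0.05):
    """Assumed scoring: hit ratio per ms of processing, scaled so the best rule gets 1.0."""
    score = {r: hr / max(t, 1e-9) for r, (t, hr) in stats.items()}
    top = max(score.values())
    return {r: max(min_p, s / top) for r, s in score.items()}  # floor keeps every rule sampled

def select_rules(probs, rng=None):
    """Run once per preconfigured interval: keep each rule with its assigned probability."""
    rng = rng or random
    return {r for r, p in probs.items() if rng.random() < p}

def inspect(payload, selected, rules=RULES, workers=4):
    """Evaluate the selected rules concurrently against one payload; return the rules that hit."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {r: pool.submit(rules[r], payload) for r in selected}
    return sorted(r for r, f in futures.items() if f.result())

def selection_counts(probs, intervals, seed=0):
    """How often each rule was selected across many intervals (sanity check of the weighting)."""
    rng, counts = random.Random(seed), defaultdict(int)
    for _ in range(intervals):
        for r in select_rules(probs, rng):
            counts[r] += 1
    return dict(counts)
```

With this log the slow, rarely hitting `regex_heavy` rule drops to the 5% floor while `sqli` is selected every interval, which is the ordering claims 6 and 16 describe.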

Description

FIELD OF THE DISCLOSURE

The present disclosure generally relates to network and cloud security. More particularly, the present disclosure relates to systems and methods for probability-based inline rule inspection.

BACKGROUND OF THE DISCLOSURE

Traffic inspection rules are fundamental to network security, providing a structured approach to analyzing and filtering network traffic to detect and prevent cyber threats. These rules emerged with the growth of networked systems and the increasing complexity of cyber threats. In the early days of network security, simple firewalls with basic rule sets were sufficient to manage traffic and protect against common threats. However, as cyber threats evolved in sophistication and diversity, the need for more advanced and comprehensive inspection techniques became apparent. As networks and threats continued to grow in complexity, the limitations of traditional rule-based systems became evident, particularly in terms of performance and scalability. The introduction of the advanced techniques described herein allows for more accurate and efficient detection of sophisticated threats.

BRIEF SUMMARY OF THE DISCLOSURE

The present disclosure relates to systems and methods for probability-based inline rule inspection. In various embodiments, the present disclosure includes a method having steps, a processing device configured to implement the steps, a cloud-based system configured to implement the steps, and a non-transitory computer-readable medium storing instructions for programming one or more processors to execute the steps. The steps include performing inline monitoring between one or more endpoints and the internet; receiving a payload based on the inline monitoring; and performing traffic inspection of the payload based on one or more rules, wherein each of the one or more rules are inspected based on a probability assigned thereto.

The steps can further include inspecting each of the one or more rules concurrently for the payload. Each of the one or more rules can be inspected concurrently by different processors. The probability assigned to each of the one or more rules can be based on an execution time of each of the one or more rules. The probability assigned to each of the one or more rules can be based on a historic effectiveness of each of the one or more rules. The probability assigned to each of the one or more rules can be a function of an execution time of each of the one or more rules and a historic effectiveness of each of the one or more rules. The execution time of each of the one or more rules and the historic effectiveness of each of the one or more rules can be based on global log data. The execution time of each of the one or more rules and the historic effectiveness of each of the one or more rules can be based on tenant-based log data, wherein the inline monitoring is performed for a specific tenant. The steps can include selecting the one or more rules from a plurality of rules based on a probability assigned to each of the plurality of rules. The selecting can be performed at preconfigured time intervals, wherein the one or more selected rules are inspected for every payload encountered during the duration of a time interval subsequent to the selecting.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is illustrated and described herein with reference to the various drawings, in which like reference numbers are used to denote like system components/method steps, as appropriate, and in which:

FIG. 1A is a network diagram of three example network configurations of cybersecurity monitoring and protection of a user.
FIG. 1B is a logical diagram of the cloud operating as a zero-trust platform.
FIG. 2 is a block diagram of a server.
FIG. 3 is a block diagram of a computing device.
FIG. 4 is a diagram of an exemplary network configuration illustrating an application on computing devices configured to operate through the cloud.
FIG. 5 is a flow diagram comparing serial rule evaluation vs. parallel rule evaluation.
FIG. 6 is a flow diagram of a rule selection process.
FIG. 7 is a flowchart of a process for optimizing rule inspection for payloads.
FIG. 8 is a diagram comparing traditional traffic inspection to offset traffic inspection.
FIG. 9 is a diagram showing concurrent inspection of various pieces of a payload.
FIG. 10 is a flowchart of a process for offset traffic inspection.

DETAILED DESCRIPTION OF THE DISCLOSURE

Again, the present disclosure relates to systems and methods for probability-based inline rule inspection. The present disclosure provides various mechanisms for optimizing traffic inspection for inline utilization. In various embodiments, concurrent rule inspection is described. Further, probabilities can be assigned to rules, wherein the probabilities are utilized to select a set of rules to be utilized for inspection. In various embodiments, the rule probabilities can be based on various factors such as historic rul