US-20260129026-A1 - METHOD AND SYSTEM FOR DETECTION OF RULESET MISCONFIGURATION
Abstract
A method and system for detecting ruleset misconfiguration in a computer network. The method including: generating a set of sample data flows; evaluating each of the set of sample data flows against a predetermined definition to generate a flow descriptor for each of the set of sample data flows; evaluating each of the flow descriptors against a ruleset; and generating a summary of how each of the flow descriptors perform with respect to the ruleset. The system including: a data flow sample retrieval module configured to generate flows; a policy engine configured to store and retrieve a ruleset; a packet processing engine configured to evaluate each of the data flows against a predetermined definition to generate a flow descriptor for each of the flows, evaluate each of the flow descriptors against a ruleset; and generate a summary of how each of the flow descriptors perform with respect to the ruleset.
Inventors
- Anders WALDENBORG
- Martin TELLGREN
- Alexander HAVANG
Assignees
- SANDVINE CORPORATION
Dates
- Publication Date
- 20260507
- Application Date
- 20251229
Claims (20)
- 1. A method of detecting ruleset misconfiguration in a computer network, the method comprising: generating a set of sample data flows; evaluating each of the set of sample data flows against a predetermined definition to generate a flow descriptor for each of the set of sample data flows; evaluating each of the flow descriptors against a ruleset; and generating a summary of how each of the flow descriptors perform with respect to the ruleset.
- 2. The method of claim 1, wherein evaluating each of the flow descriptors against a ruleset comprises: determining if the ruleset blocks access for at least one of the sample data flows to the predetermined definition.
- 3. The method of claim 2, wherein the predetermined definition is an essential service.
- 4. The method of claim 3, wherein the essential service is a predetermined server location, or predetermined IP address or predetermined service.
- 5. The method of claim 2, further comprising: determining a percentage of the set of sample data flows adversely affected by the ruleset; determining if the percentage is higher than a predetermined threshold percentage; and if the percentage is higher than the predetermined threshold percentage determining the ruleset is misconfigured.
- 6. The method of claim 1, further comprising: determining a response for implementation by the computer network if ruleset misconfiguration is detected.
- 7. The method of claim 6, wherein the response is not implementing the ruleset.
- 8. The method of claim 6, wherein a ruleset misconfiguration is detected if the ruleset violates an end user licensing agreement.
- 9. The method of claim 1, wherein generating a set of sample data flows comprises: weighted sampling, wherein a weight is associated with a subscriber id and the weight is decreased when a sample is taken.
- 10. The method of claim 1, wherein generating a set of sample data flows comprises: updating a pool of sample data flows at predetermined intervals.
- 11. A system for determining ruleset misconfiguration in a computer network comprising: a data flow sample retrieval module configured to generate a set of sample data flows; a policy engine configured to store and retrieve at least one ruleset; and a packet processing engine configured to evaluate each of the set of sample data flows against a predetermined definition to generate a flow descriptor for each of the set of sample data flows, evaluate each of the flow descriptors against a ruleset; and generate a summary of how each of the flow descriptors perform with respect to the ruleset.
- 12. The system of claim 11, wherein the packet processing engine when evaluating each of the flow descriptors against a ruleset is configured to determine if the ruleset blocks access for at least one of the sample data flows to the predetermined definition.
- 13. The system of claim 12, wherein the predetermined definition is an essential service.
- 14. The system of claim 13, wherein the essential service is a predetermined server location, or predetermined IP address or predetermined service.
- 15. The system of claim 12, wherein the packet processing engine is configured to: determine a percentage of the set of sample data flows adversely affected by the ruleset; determine if the percentage is higher than a predetermined threshold percentage; and if the percentage is higher than the predetermined threshold percentage determine the ruleset is misconfigured.
- 16. The system of claim 11, wherein the packet processing engine is further configured to determine a response for implementation by the computer network if ruleset misconfiguration is detected.
- 17. The system of claim 16, wherein the response is not implementing the ruleset.
- 18. The system of claim 16, wherein a ruleset misconfiguration is detected if the ruleset violates an end user licensing agreement.
- 19. The system of claim 11, wherein the data flow sample retrieval module is configured to provide for weighted sampling, wherein a weight is associated with a subscriber id and the weight is decreased when a sample is taken.
- 20. The system of claim 11, wherein the data flow sample retrieval module is configured to update a pool of sample data flows at predetermined intervals.
Description
RELATED APPLICATIONS
This application is a continuation of U.S. patent application Ser. No. 17/994,167, filed Nov. 25, 2022, which claims the benefit of U.S. Provisional Patent Application No. 63/283,324, filed on Nov. 26, 2021, which are hereby incorporated herein by reference in their entirety.
FIELD
The disclosure is generally directed at processing computer network data, and more specifically, at a method and system for detection of ruleset misconfiguration.
BACKGROUND
Use of the Internet continues to grow at a rapid pace. As such, Internet data traffic continues to grow with new websites and online applications, or “apps”, being introduced to networks that come alongside existing traffic with current online offerings. Internet or computer network data traffic requires processing by network components or devices within a network system in order to handle or monitor the data traffic that is being transmitted to and from devices and/or servers within the network. Different networking components, or products, within the network will apply different policies to the data packets that are passing through these components. Examples of networking components include, but are not limited to, firewalls, load balancers, and the like. As the packets pass through the network components, the packets are processed, such as by applying or checking policies with respect to the packets. The policies that are applied may be used to block network data from arriving at its intended destination or to re-direct the data packets. This may be problematic if the policy or policies being applied have been misconfigured or incorrectly implemented. This may result in data packets being incorrectly re-directed or terminated by these network components due to the misconfigured ruleset, or policy. Therefore, there is a need for a method and system for detection of ruleset misconfiguration.
SUMMARY
There is provided a method of detecting ruleset misconfiguration in a computer network, the method including: generating a set of sample data flows; evaluating each of the set of sample data flows against a predetermined definition to generate a flow descriptor for each of the set of sample data flows; evaluating each of the flow descriptors against a ruleset; and generating a summary of how each of the flow descriptors perform with respect to the ruleset. In some cases, evaluating each of the flow descriptors against a ruleset may include determining if the ruleset blocks access for at least one of the sample data flows to the predetermined definition. In some cases, the predetermined definition may be an essential service. In some cases, the essential service may be a predetermined server location, or predetermined IP address or predetermined service. In some cases, the method may further include: determining a percentage of the set of sample data flows adversely affected by the ruleset; determining if the percentage is higher than a predetermined threshold percentage; and if the percentage is higher than the predetermined threshold percentage determining the ruleset is misconfigured. In some cases, the method may further include determining a response for implementation by the computer network if ruleset misconfiguration is detected. In some cases, the response may be to not implement the ruleset. In some cases, the ruleset misconfiguration may be detected if the ruleset violates an end user licensing agreement. In some cases, generating a set of sample data flows may include: weighted sampling, wherein a weight is associated with a subscriber id and the weight is decreased when a sample is taken. In some cases, generating a set of sample data flows may include: updating a pool of sample data flows at predetermined intervals.
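The following Python sketch is an added illustration of the method as the summary states it; it is not code from the patent or from Sandvine. It walks the four steps (generate sample flows by subscriber-weighted sampling, evaluate each flow against a predetermined definition of essential services to produce a flow descriptor, evaluate each descriptor against a candidate ruleset, and summarize the share of adversely affected flows against a threshold percentage) over a constructed set of ten flows and two candidate rulesets. The service names, rule actions, first-match-wins semantics, the default-allow for unmatched flows, the halving of a subscriber's weight after each sample, and all addresses and flows are assumptions made for the example.

```python
from __future__ import annotations

import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    subscriber_id: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class EssentialService:
    """The 'predetermined definition': a server range plus the service on it."""
    name: str
    network: str  # CIDR
    port: int
    proto: str


@dataclass(frozen=True)
class FlowDescriptor:
    flow: Flow
    essential_service: str | None  # which essential service the flow targets, if any


@dataclass(frozen=True)
class Rule:
    network: str       # CIDR matched against the destination IP
    port: int | None   # None matches any port
    proto: str | None  # None matches any protocol
    action: str        # "allow", "block" or "redirect" (assumed action set)

    def matches(self, flow: Flow) -> bool:
        in_net = ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(self.network)
        return (in_net and (self.port is None or self.port == flow.dst_port)
                and (self.proto is None or self.proto == flow.proto))


@dataclass
class Summary:
    total: int
    affected: int
    affected_by_service: dict[str, int]
    percentage: float
    misconfigured: bool


def weighted_sample(flows: list[Flow], sample_size: int, seed: int = 0):
    """Weighted sampling as in claim 9: each subscriber id starts at weight 1.0 and the
    weight is decreased (halved here, an assumption) every time one of its flows is
    sampled, so a few chatty subscribers cannot crowd the rest out of the sample pool."""
    rng = random.Random(seed)
    weights = {f.subscriber_id: 1.0 for f in flows}
    pool, chosen = list(flows), []
    while pool and len(chosen) < sample_size:
        w = [weights[f.subscriber_id] for f in pool]
        flow = pool.pop(rng.choices(range(len(pool)), weights=w, k=1)[0])
        chosen.append(flow)
        weights[flow.subscriber_id] *= 0.5
    return chosen, weights


def describe(flow: Flow, services: list[EssentialService]) -> FlowDescriptor:
    """Evaluate one sample flow against the predetermined definition -> flow descriptor."""
    for s in services:
        if (flow.proto == s.proto and flow.dst_port == s.port
                and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(s.network)):
            return FlowDescriptor(flow, s.name)
    return FlowDescriptor(flow, None)


def apply_ruleset(rules: list[Rule], flow: Flow) -> str:
    """First matching rule wins; an unmatched flow is allowed (assumed default)."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "allow"


def summarize(descriptors: list[FlowDescriptor], rules: list[Rule], threshold_pct: float) -> Summary:
    """A descriptor is adversely affected when its flow targets an essential service and
    the ruleset does anything other than allow it; misconfigured if the share > threshold."""
    affected, by_service = 0, {}
    for d in descriptors:
        if d.essential_service is not None and apply_ruleset(rules, d.flow) != "allow":
            affected += 1
            by_service[d.essential_service] = by_service.get(d.essential_service, 0) + 1
    pct = 100.0 * affected / len(descriptors) if descriptors else 0.0
    return Summary(len(descriptors), affected, by_service, pct, pct > threshold_pct)


# Constructed sample data: four subscribers, a DNS resolver and an update server as
# the essential services, and two candidate rulesets to check before they are rolled out.
SERVICES = [EssentialService("dns", "10.0.0.0/24", 53, "udp"),
            EssentialService("updates", "10.0.1.0/24", 443, "tcp")]
FLOWS = [
    Flow("sub-A", "10.0.0.53", 53, "udp"), Flow("sub-A", "93.184.216.34", 443, "tcp"),
    Flow("sub-A", "10.0.0.53", 53, "udp"), Flow("sub-B", "10.0.0.53", 53, "udp"),
    Flow("sub-B", "10.0.1.10", 443, "tcp"), Flow("sub-C", "203.0.113.5", 443, "tcp"),
    Flow("sub-C", "10.0.0.53", 53, "udp"), Flow("sub-D", "10.99.4.4", 80, "tcp"),
    Flow("sub-D", "198.51.100.7", 443, "tcp"), Flow("sub-D", "10.0.0.53", 53, "udp"),
]
GOOD_RULES = [Rule("10.99.0.0/16", None, None, "block")]  # retires one decommissioned range
BAD_RULES = [Rule("10.0.0.0/8", None, "udp", "block"),     # written far too broadly: catches DNS
             Rule("10.99.0.0/16", None, None, "block")]


def run_check(rules: list[Rule], sample_size: int = 10, threshold_pct: float = 10.0, seed: int = 0) -> Summary:
    """The whole method: sample -> describe -> evaluate against the ruleset -> summarize."""
    sample, _ = weighted_sample(FLOWS, sample_size, seed)
    return summarize([describe(f, SERVICES) for f in sample], rules, threshold_pct)


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, run_check(rules))
```

With the constructed data, `GOOD_RULES` affects none of the six essential-service flows, while `BAD_RULES` blocks all five DNS flows (50% of the sample, above the 10% threshold), so the summary flags it as misconfigured and a deployment pipeline could choose the claim 7 response of not implementing that ruleset. The summary also reports which essential service absorbed the damage, which is the first thing an operator wants when triaging a flagged rule.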
In another aspect, there is provided a system for determining ruleset misconfiguration in a computer network, the system including: a data flow sample retrieval module configured to generate a set of sample data flows; a policy engine configured to store and retrieve at least one ruleset; and a packet processing engine configured to evaluate each of the set of sample data flows against a predetermined definition to generate a flow descriptor for each of the set of sample data flows, evaluate each of the flow descriptors against a ruleset; and generate a summary of how each of the flow descriptors perform with respect to the ruleset. In some cases, the packet processing engine when evaluating each of the flow descriptors against a ruleset may be configured to determine if the ruleset blocks access for at least one of the sample data flows to the predetermined definition. In some cases, the packet processing engine may be configured to: determine a percentage of the set of sample data flows adversely affected by the ruleset; determine if the percentage is higher than a predetermined threshold percentage; and if the percentage is higher than the predetermined threshold percentage determine the ruleset is misconf