Methods and system for automated or user-assisted grouping and management of groups in cloud infrastructure and network

Disclosed are methods and apparatus for implementing in an electronic device that includes a processor and memory. Virtual resources, which are associated with an execution of a user’s applications in a cloud resource configuration including virtual machines, network services and storage, are identified. A first topology map of the virtual resources, including a plurality of nodes, is generated. The first topology map, including the nodes, is output. A vector, which is associated with each node, said vector including one or more features associated with each node, is generated. Based upon the vectors, a distribution of the plurality of nodes within two or more groups is determined. A second topology map, including each of the node groups in one of a collapsed format, wherein only a identifier of the node group is output or an expanded format, wherein a portion of the plurality of nodes the node group are output, is output.

United States Patent: 9,800,470 | Issued: Oct 24, 2017 | See Patent

Assessing network and device compliance with security policies

All of the transit services that each device is expected to provide are determined and contrasted with the transit configuration of each device. Because the transit configuration of each device may be state-dependent, the service items within each application service are processed in sequential order. Sequences of service items are associated with connection groups, and each of the routes associated with each connection group is determined based on the sequential order of the service items. The configuration of each device along each route is processed to determine the services that will be permitted or denied, based on its current configuration. Each desired transit service item is compared to the transit configuration provided by each device to identify any inconsistencies and/or violations.

United States Patent: 8,955,032 | Issued: Feb 10, 2015 | See Patent

Analyzing security compliance within a network

A security policy database identifies the intended security policies within a network, a traffic generator provides test traffic that is configured to test each defined security policy, and a simulator simulates the propagation of this traffic on a model of the network. The model of the network includes the configuration data associated with each device, and thus, if devices are properly configured to enforce the intended security policies, the success/failure of the simulated test traffic will conform to the intended permit/deny policy of each connection. Differences between the simulated message propagation and the intended security policies are reported to the user, and diagnostic tools are provided to facilitate identification of the device configuration data that accounts for the observed difference. Additionally, if a network’s current security policy is unknown, test traffic is generated to reveal the actual policy in effect, to construct a baseline intended security policy.

United States Patent: 8,898,734 | Issued: Nov 25, 2014 | See Patent

Identifying and analyzing network configuration differences

A contextual and semantic analysis of network entities facilitates a mapping and comparison of the entities between network models. The system includes a plurality of refine handler and match handler pairs that use rules that are specific to the type of network entities being analyzed. The refine handler analyzes the network model to identify the entities for which its rules apply, and the match handler processes these identified entities to establish a pairing between corresponding entities in each model. A sequence of refine-match processes are applied to the network models, typically in accordance with a hierarchy of rules until each entity is identified as a matched, added, or removed entity. A difference handler processes the identified pairings to provide a difference analysis that facilitates a meaningful interpretation of the configuration changes, and a user interface provides an interactive environment to view the differences from different perspectives.

United States Patent: 8,493,883 | Issued: Jul 23, 2013 | See Patent

Verifying data consistency among structured files

A scalable comparison structure and methodology is provided that is suitable for comparing select data content in hundreds or thousands of files in an efficient manner. Section delimiters are defined to identify the sections of the files within which the select data content is located, and sets of unique sections are identified based on the select data content within the section. Thereafter, comparisons and reports are based on these unique content sections. If multiple files include a common set of data, a single unique content section is used to represent these multiple files. File groups are optionally defined, and different sets of select data content can be compared based on these file groups. The result of the comparison is presented in multiple hierarchical forms, including an identification of which files are different from each other, and an identification of the differences among the unique content segments.

United States Patent: 8,166,004 | Issued: Apr 24, 2012 | See Patent

Aggregating policy criteria parameters into ranges for efficient network analysis

A network configuration is processed to identify each policy and the criteria associated with each policy. The criteria of the policies are processed to identify a non-overlapping set of ranges of the criteria parameter, each range being associated with a particular policy or set of policies. In a preferred embodiment, the criteria include the protocol, the source and destination IP addresses, and the source and destination ports, and a default range is defined for each criteria parameter.

United States Patent: 8,005,945 | Issued: Aug 23, 2011 | See Patent