| CPC H04L 63/20 (2013.01) | 20 Claims |

1. A computer device for generating a network security policy automatically based on network traffic comprising:
processor circuitry configured to:
receive network connection data for network connections in the network traffic, wherein each network connection is on a communication channel between two end points;
generate a graph based on the received network connection data comprising:
identifying nodes in the graph, wherein each node in the graph comprises an end point of a network connection in the network connection data;
generating edges between the identified nodes, wherein each edge of the generated edges:
is directional and connects a client node and a server node; and
represents communication on a communication channel from the client node to the server node;
for each of the nodes in the graph, generating a feature vector including:
an identifier of the node; and
for each communication channel of multiple predetermined communication channels, a representation of the communication channel based on:
the server node of each of the edges extending from the node as the client node on the communication channel;
the client node of each of the edges extending to the node as the server node on the communication channel; and
a collective representation of other communication channels not included in the predetermined communication channels;
generating a node embedding comprising an output vector for each of the nodes of the graph by applying a graph neural network to the feature vectors of the nodes in the graph, wherein:
the graph neural network is trained using a cost function modified by a weight setting function;
the cost function includes a distance-based cost function and a network functionality cost function;
the weight setting function is configured to modify a weight applied to the distance-based cost function and a weight applied to the network functionality cost function, such that:
a higher weight is first applied to the distance-based cost function than the network functionality cost function; and
a higher weight is later applied to the network functionality cost function than the distance-based cost function;
the distance-based cost function is configured to:
group together in space the output vectors for nodes that are connected by an edge; and
push apart in space the output vectors for nodes not connected by an edge; and
the network functionality cost function is configured to group together in space the output vectors for nodes based on a number of similar edges, such that:
the output vectors for nodes having more similar edges are pulled together in space while the output vectors for nodes having fewer similar edges are pushed apart in space,
wherein a similar edge is an edge having a same server node or a same client node;
generating the network security policy comprising:
identifying clusters in the output vectors of the generated node embedding;
generating network security rules for each of the identified clusters, such that the network connections included in the network connection data involving the nodes included in the cluster are permitted by the network security rules for the nodes included in the cluster; and
combining the network security rules to form the network security policy; and
outputting the generated network security policy.
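Added illustration, not part of the patent or its claims: a small Python sketch of the graph and feature-vector construction recited in claim 1 and of turning identified clusters into cluster-to-cluster rules and a combined policy. It assumes that a communication channel is a destination port, that similar edges between two nodes are counted as shared (server, channel) and shared (client, channel) pairs, and that cluster membership is supplied by hand in place of the graph neural network embedding and clustering, which it omits.

```python
from collections import defaultdict
# Constructed sample connections (client, server, channel); the claim does not
# define a channel, so it is assumed here to be the destination port.
CONNECTIONS = [
    ("web1", "db1", 3306), ("web2", "db1", 3306),
    ("lb1", "web1", 443), ("lb1", "web2", 443),
    ("admin1", "db1", 22), ("admin1", "web1", 22),
    ("web1", "db1", 9999),  # not a predetermined channel -> "other" bucket
]
PREDETERMINED = (22, 443, 3306)

def build_graph(conns):
    """Nodes are end points; edges are directional (client, server, channel)."""
    return {n for c, s, _ in conns for n in (c, s)}, set(conns)

def feature_vector(node, edges, channels=PREDETERMINED):
    """Per channel: servers reached as client, clients served as server; other channels -> 'other'."""
    fv = {"id": node}
    for key in (*channels, "other"):
        fv[key] = {"servers": set(), "clients": set()}
    for c, s, ch in edges:
        key = ch if ch in channels else "other"
        if c == node:
            fv[key]["servers"].add(s)
        if s == node:
            fv[key]["clients"].add(c)
    return fv

def similar_edges(a, b, edges):
    """Edges sharing a server or a client (assumed: shared (server,ch) plus shared (client,ch))."""
    out = lambda n: {(s, ch) for c, s, ch in edges if c == n}
    inc = lambda n: {(c, ch) for c, s, ch in edges if s == n}
    return len(out(a) & out(b)) + len(inc(a) & inc(b))

def generate_policy(clusters, edges):
    """clusters: {name: set(nodes)} stands in for the clustered embedding. Each cluster's
    rules permit every observed connection involving its nodes; policy = union of rules."""
    member = {n: k for k, ns in clusters.items() for n in ns}
    rules = defaultdict(set)
    for c, s, ch in edges:
        for k in {member[c], member[s]}:
            rules[k].add((member[c], member[s], ch))
    return set().union(*rules.values())

def permitted(conn, policy, clusters):
    """A connection is allowed only if its cluster-to-cluster channel has a rule."""
    member = {n: k for k, ns in clusters.items() for n in ns}
    return (member[conn[0]], member[conn[1]], conn[2]) in policy
```

Because rules are stated between clusters, a connection never seen in the data (web2 to db1 on port 9999 above) is permitted once its cluster peer exhibited it, which is the generalization the clustering step buys and the reason cluster quality decides how tight the resulting policy is.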