AUTONOMOUS NETWORK POLICY GENERATOR

Inventiv.org
July 17, 2025
Software

Invented by ISRAEL; Erez, GOLDMAN; Lior, KATZ; Natan, CHECK POINT SOFTWARE TECHNOLOGIES LTD.

In today’s world, keeping computer networks safe is more important than ever. A new patent offers a way to use smart computer programs to make building network security policies easier and more secure. Let’s break down this invention so you can understand how it fits into the world, how it builds on old ideas, and what makes it special.

Background and Market Context

Network security is a big deal for companies and people everywhere. Every time you visit a website, send an email, or use an app, your computer is part of a network. Networks let computers talk to each other. But, if networks are not safe, bad actors can steal information, stop work from getting done, or cause big problems for businesses and regular folks.

In the old days, most networks were simple. There were only a few computers, and it was easy to control who could talk to whom. Security rules were often made by hand, with people writing down which computers could send or receive information. These rules were called security policies, and they worked like a list of who is allowed in and who is not. As networks grew, especially with the rise of the internet, cloud computing, and the Internet of Things (IoT), things got complicated. There are now millions of computers, phones, servers, smart devices, and apps all trying to talk to each other. Each has its own needs and risks.

This growth made it hard for people to keep up. Building security policies by hand takes a lot of time and leaves room for mistakes. For example, if someone forgets to allow a certain connection, a needed app might stop working. If they allow too much, hackers might get in. Many businesses have learned the hard way that even small mistakes can lead to big security breaches. Plus, every time a new device or program is added, the rules may need to be changed again.

Companies have tried to solve this problem in different ways. Some use special tools to help build rules, but these often need expert users and lots of manual work. Others try to use machine learning, letting computers learn from network traffic to guess what rules are needed. But most older solutions treat each connection or device separately, missing the big picture of how everything fits together and communicates. This can lead to rules that are either too strict, breaking things, or too loose, letting risks slip through.

In the modern market, there is a huge need for tools that can build security rules quickly, correctly, and with less work from people. Businesses want systems that can keep up with changes, spot new risks, and keep everything running smoothly. This is especially true as more workplaces move to the cloud, use more apps, and connect more devices. The right solution would not only make things safer but also save time and money.

Scientific Rationale and Prior Art

To understand why this invention matters, it helps to look at how others have tried to solve these problems. The science behind network security policies is all about deciding who is allowed to talk to whom, and on which channels. In the past, people made rules by hand, using things like IP addresses (the numbers that identify computers), ports (the “doors” to apps and services), and protocols (the languages computers use to talk). This is called rule-based security.

Later, as networks got bigger, some tools started to help. Firewalls could be programmed to block or allow traffic based on rules. Some systems could even group devices together, like putting all printers in one group and all servers in another. But still, most decisions were based on lists and tables, which are hard to manage as networks grow.

Then, machine learning came along. Some tools tried to watch network traffic and find patterns, like noticing when two computers always talk to each other. These tools might suggest rules based on what they see. But most of these tools only look at simple patterns, like “if these two IP addresses talk a lot, make a rule for them.” They usually don’t see the whole network as a big picture.

Another big idea is using graphs to represent networks. In math and computer science, a graph is a set of points (called nodes) connected by lines (called edges). In a network, each computer or device can be a node, and each connection between them can be an edge. This way, you can see how everything is linked together. Some older tools have used graphs to map out networks, but they often stop short of using the full power of graph science.

A newer science called graph neural networks (GNNs) has made it possible for computers to learn from graphs. GNNs can find groups of similar nodes, spot unusual patterns, and even predict how changes will affect the whole network. This is very different from old tools, which look at things one by one.

Some previous inventions have started to use machine learning and graphs, but they usually have limits. They might only look at one type of connection, or they might not update rules automatically as things change. Others might need a lot of training or manual work before they work well.

What makes this new invention stand out is how it brings together all these ideas. It builds a graph from real network traffic, uses smart math to see how all the parts fit together, and then uses a graph neural network to group things and build rules. It even changes how it learns over time, first focusing on connections, then on how similar things work. This lets it make rules that are both safe and flexible, and it does it all automatically.

Invention Description and Key Innovations

Now, let’s look at what this invention does and why it’s so special. The heart of the invention is a computer device that can watch network traffic, figure out who is talking to whom, and then build a set of security rules all by itself.

The process starts by gathering data about every connection in the network. Each time two devices talk, that information is collected. This includes who started the talk (the client), who answered (the server), and what channel they used (like a port, app, or website). All this data is used to build a graph. In this graph, each device or endpoint is a node, and each connection is an edge. The edges show the direction of the talk, from client to server. If two nodes talk over different channels, there will be more edges between them, one for each channel.

Next, the system looks at each node and builds a feature vector for it. This is just a way to describe each device in numbers that a computer can understand. The feature vector might include the device’s address, which channels it uses, and how much it talks on each channel. For the most common channels (like web traffic or email), it keeps detailed info. For less common channels, it groups them together so the computer isn’t overwhelmed.
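The graph and feature-vector steps described above, as an added Python example (not code from the patent or from Check Point). The flow records are constructed, and the byte-count weighting, the `out`/`in` role split and `top_k=2` are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed flow records: (client, server, channel, bytes). Not real traffic.
FLOWS = [
    ("10.0.0.11", "10.0.1.5", "tcp/443", 1200),
    ("10.0.0.11", "10.0.1.5", "tcp/443", 800),
    ("10.0.0.12", "10.0.1.5", "tcp/443", 500),
    ("10.0.0.11", "10.0.1.5", "tcp/25", 300),
    ("10.0.0.12", "10.0.1.9", "tcp/25", 100),
    ("10.0.0.13", "10.0.1.7", "tcp/9100", 40),
    ("10.0.0.13", "10.0.1.8", "udp/161", 10),
]

def build_graph(flows):
    """Directed multigraph: one edge per (client, server, channel), weighted by total bytes."""
    edges = defaultdict(int)
    for client, server, channel, nbytes in flows:
        edges[(client, server, channel)] += nbytes
    return dict(edges)

def feature_vectors(edges, top_k=2):
    """Per-node vector: bytes sent (out) and received (in) on each of the
    top_k busiest channels, with all rarer channels folded into 'other'."""
    volume = Counter()
    for (_, _, channel), nbytes in edges.items():
        volume[channel] += nbytes
    top = [ch for ch, _ in volume.most_common(top_k)]
    columns = [f"{role}:{ch}" for ch in top + ["other"] for role in ("out", "in")]
    vectors = defaultdict(lambda: [0] * len(columns))
    for (client, server, channel), nbytes in edges.items():
        bucket = channel if channel in top else "other"
        vectors[client][columns.index(f"out:{bucket}")] += nbytes
        vectors[server][columns.index(f"in:{bucket}")] += nbytes
    return columns, dict(vectors)

if __name__ == "__main__":
    cols, vecs = feature_vectors(build_graph(FLOWS))
    print(cols)
    for node in sorted(vecs):
        print(node, vecs[node])
```

Note that `10.0.0.11` and `10.0.1.5` are joined by two edges, one per channel, and that the printer and SNMP traffic of `10.0.0.13` lands in the shared `other` columns.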

Here’s where the magic happens: the system uses a graph neural network (GNN) to learn from this data. The GNN looks at all the feature vectors and tries to find patterns. But it does this in a special way. At first, it focuses on which nodes are connected, grouping together nodes that talk to each other a lot. This uses what’s called a distance-based cost function. The idea is, if two devices are connected, the numeric representations the network learns for them should be close together. If they never talk, their representations should be far apart.

After some time, the system switches its focus. Now, it looks at how similar nodes are, based on how many edges they have in common. For example, if two devices both talk to the same server on the same port, they are probably similar. This uses a network functionality cost function. The GNN adjusts itself so that similar devices are grouped together, even if they don’t talk directly.

The clever part is how the system changes its learning over time. At first, it cares more about direct connections. Later, it cares more about similar behavior. This is done using a weight setting function, which changes the importance of each cost function as the computer learns. This lets the system find the best groups, or clusters, of devices.
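How the two cost functions and the weight setting function interact, as an added Python example (not the patent's formulas or Check Point's code). It scores two fixed, constructed embeddings instead of training a GNN; the contrastive margin form, the Jaccard similarity and the linear schedule are all assumptions.

```python
import math
from itertools import combinations

# Constructed toy graph: two clients reach one web server on the same channel.
EDGES = [("c1", "web", "tcp/443"), ("c2", "web", "tcp/443")]
NODES = ["c1", "c2", "web"]
MARGIN = 1.0  # assumed: unrelated nodes should end up at least this far apart

def contrastive(d, target):
    """target=1 pulls a pair together; target=0 pushes it out to MARGIN."""
    return target * d ** 2 + (1 - target) * max(0.0, MARGIN - d) ** 2

def distance_cost(emb):
    """Connectivity phase: nodes joined by an edge should be close, others apart."""
    linked = {frozenset((c, s)) for c, s, _ in EDGES}
    return sum(contrastive(math.dist(emb[a], emb[b]), float(frozenset((a, b)) in linked))
               for a, b in combinations(NODES, 2))

def behaviour(node):
    """Edges a node takes part in, as (direction, peer, channel)."""
    out = {("out", s, ch) for c, s, ch in EDGES if c == node}
    return out | {("in", c, ch) for c, s, ch in EDGES if s == node}

def functionality_cost(emb):
    """Similarity phase: nodes sharing many edges (Jaccard) should be close, even if unlinked."""
    total = 0.0
    for a, b in combinations(NODES, 2):
        ea, eb = behaviour(a), behaviour(b)
        sim = len(ea & eb) / len(ea | eb) if ea | eb else 0.0
        total += contrastive(math.dist(emb[a], emb[b]), sim)
    return total

def weight(step, total_steps):
    """Assumed linear schedule: 1.0 (connectivity only) down to 0.0 (functionality only)."""
    return max(0.0, 1.0 - step / total_steps)

def combined_cost(emb, step, total_steps):
    w = weight(step, total_steps)
    return w * distance_cost(emb) + (1 - w) * functionality_cost(emb)

# Two constructed embeddings of the same graph.
BY_LINK = {"c1": (0.0, 0.0), "web": (0.5, 0.0), "c2": (1.0, 0.0)}  # clients beside their server
BY_ROLE = {"c1": (0.0, 0.0), "c2": (0.0, 0.0), "web": (1.0, 0.0)}  # clients together, server apart

if __name__ == "__main__":
    for step in (0, 50, 75, 100):
        print(step, combined_cost(BY_LINK, step, 100), combined_cost(BY_ROLE, step, 100))
```

Early in the schedule the combined cost favours `BY_LINK`; by step 75 it favours `BY_ROLE`, which is the layout that puts the two clients in one cluster.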

Once the groups are found, the system can build network security rules for each group. If a group of devices all talk to the same places, the rule says they are allowed to do that. If they don’t talk to certain places, the rule blocks those connections. The system then puts all the rules together to make a complete security policy. This policy can be sent to firewalls or other network devices, which then use it to keep the network safe.
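Turning clusters into a policy, as an added Python example (not code from the patent or from Check Point). The edges, the group names and the default-deny evaluation are constructed assumptions; the last function lists what the group rules permit beyond observed traffic, which is the part a reviewer should look at before deploying a generated policy.

```python
from itertools import product

# Constructed inputs: observed edges and a cluster assignment such as the
# clustering step would produce (group names are hypothetical).
EDGES = {
    ("10.0.0.11", "10.0.1.5", "tcp/443"),
    ("10.0.0.12", "10.0.1.5", "tcp/443"),
    ("10.0.0.11", "10.0.1.6", "tcp/443"),
    ("10.0.0.13", "10.0.1.7", "tcp/9100"),
}
CLUSTERS = {
    "workstations": {"10.0.0.11", "10.0.0.12"},
    "web": {"10.0.1.5", "10.0.1.6"},
    "print-clients": {"10.0.0.13"},
    "printers": {"10.0.1.7"},
}

def group_index(clusters):
    """Map each endpoint to the name of its cluster."""
    return {ip: group for group, members in clusters.items() for ip in members}

def build_policy(edges, clusters):
    """One allow rule per (source group, destination group, channel) seen in traffic."""
    group_of = group_index(clusters)
    return sorted({(group_of[c], group_of[s], ch) for c, s, ch in edges})

def is_allowed(rules, clusters, client, server, channel):
    """Default deny: a connection passes only if a group rule matches it."""
    group_of = group_index(clusters)
    return (group_of.get(client), group_of.get(server), channel) in rules

def unobserved_allowances(rules, clusters, edges):
    """Connections the group rules permit although they never appeared in traffic."""
    permitted = {(c, s, ch) for src, dst, ch in rules
                 for c, s in product(clusters[src], clusters[dst])}
    return sorted(permitted - set(edges))

if __name__ == "__main__":
    policy = build_policy(EDGES, CLUSTERS)
    for rule in policy:
        print("allow", *rule)
    print("permitted but never seen:", unobserved_allowances(policy, CLUSTERS, EDGES))
```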

The invention has some other smart touches. It can work with different kinds of nodes – not just IP addresses, but also users or apps. It can use different channels for grouping, like URLs or parts of URLs. It can add up how much traffic goes over each connection, giving more weight to busy connections. And it can work with different kinds of graph neural networks, like graph attention networks, which can focus more on important connections.

One more thing: the system can update itself as new traffic comes in. This means that as the network changes, the security policy can change too, all without needing people to do lots of extra work.

Conclusion

This patent describes a powerful new way to make network security policies faster, safer, and with less work. By watching real traffic, building a big-picture graph, and using smart learning, it can group devices and build rules that keep networks safe and running. It solves old problems of manual work and mistakes, and it keeps up as networks grow and change. For anyone who cares about computer security, this invention is a big step forward.

To read the full application, go to https://ppubs.uspto.gov/pubwebapp/ and search for 20250220049.
