Automatic transformation of security event detection rules
First Claim
1. A computer-implemented method for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors, the method comprising:
converting the SIEM rules to formal representations;
generating rule abstraction of the formal representations, by using an abstraction function;
constructing a finite automaton based on the rule abstraction;
eliminating irrelevant transitions in the finite automaton to generate an optimized finite automaton;
generating optimized formal rules, based on the optimized finite automaton;
converting the optimized formal rules to optimized SIEM rules; and
deploying the optimized SIEM rules in the network of the event processors;
wherein the optimized formal rules are defined for all of the event processors in the network, by assuming a single event processor without considering distribution of the event processors;
wherein the event processors share a state of a finite state machine, and an event incurs a state transition of the finite state machine;
wherein, when the state transition changes the state of the finite state machine, the event is passed to one or more remote event processors in the network;
wherein, when the state transition does not change the state of the finite state machine, the event is consumed by a local event processor and is not passed to one or more remote event processors in the network;
wherein the state of the finite state machine is one of three categories: a normal and non-critical state, a normal but critical state, and an abnormal state;
wherein the state does not change to the abnormal state if the state is the normal and non-critical state;
wherein the state changes to the abnormal state if the state is the normal but critical state; and
wherein an alert is raised if the state is the abnormal state.
Abstract
A computer-implemented method for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors. A computer system or server converts the SIEM rules to formal representations. The computer system or server generates rule abstraction of the formal representations, by using an abstraction function. The computer system or server constructs a finite automaton based on the rule abstraction. The computer system or server eliminates irrelevant transitions in the finite automaton to generate an optimized finite automaton. The computer system or server generates optimized formal rules, based on the optimized finite automaton. The computer system or server converts the optimized formal rules to optimized SIEM rules. The computer or server deploys the optimized SIEM rules in the network of the event processors.
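As an added illustration, not taken from the patent, the following Python model exercises the claimed routing logic: a rule abstraction over the three state categories, a check that the normal and non-critical state cannot move straight to the abnormal state, a transition-pruning step, and two event processors that consume state-preserving events locally and forward state-changing ones to their peers. The event names, the reading of "irrelevant transitions" as self-loops, and the Processor class are assumptions made for the example.

```python
from enum import Enum

class State(Enum):
    NORMAL = "normal and non-critical"
    CRITICAL = "normal but critical"
    ABNORMAL = "abnormal"

# Constructed rule abstraction: (state, event class) -> next state.
# Event names are illustrative; the claim fixes only the three categories.
RULES = {
    (State.NORMAL, "auth_failure"): State.CRITICAL,
    (State.NORMAL, "heartbeat"): State.NORMAL,
    (State.CRITICAL, "auth_failure"): State.ABNORMAL,
    (State.CRITICAL, "auth_success"): State.NORMAL,
    (State.CRITICAL, "heartbeat"): State.CRITICAL,
}

def check_rules(rules):
    """Reject a rule set that lets the non-critical state jump straight to abnormal."""
    for (src, _), dst in rules.items():
        if src is State.NORMAL and dst is State.ABNORMAL:
            raise ValueError(f"forbidden transition {src.name} -> {dst.name}")
    return True

def optimize(rules):
    """Assumed reading of 'irrelevant transitions': self-loops, which never
    change the shared state and therefore never need to be forwarded."""
    return {k: v for k, v in rules.items() if k[0] is not v}

class Processor:
    def __init__(self, name, rules):
        self.name, self.rules, self.state = name, rules, State.NORMAL
        self.peers, self.alerts, self.forwarded = [], [], []

    def handle(self, event, remote=False):
        nxt = self.rules.get((self.state, event), self.state)
        if nxt is self.state:
            return "consumed"  # no transition: the local processor absorbs it
        self.state = nxt
        if nxt is State.ABNORMAL:
            self.alerts.append(event)  # alert raised on entering abnormal
        if not remote:  # only the originating processor fans the event out
            self.forwarded.append(event)
            for p in self.peers:
                p.handle(event, remote=True)
        return "forwarded"

def run(events):
    rules = optimize(RULES) if check_rules(RULES) else {}
    a, b = Processor("ep-a", rules), Processor("ep-b", rules)
    a.peers, b.peers = [b], [a]
    results = [a.handle(e) for e in events]
    return results, a.state, b.state, a.alerts, b.alerts
```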