Automatic transformation of security event detection rules
First Claim
1. A computer-implemented method for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors, the method comprising:
converting the SIEM rules to formal representations;
generating rule abstraction of the formal representations, by using an abstraction function;
constructing a finite automaton based on the rule abstraction;
eliminating irrelevant transitions in the finite automaton to generate an optimized finite automaton;
generating optimized formal rules, based on the optimized finite automaton;
converting the optimized formal rules to optimized SIEM rules; and
deploying the optimized SIEM rules in the network of the event processors.
Abstract
A computer-implemented method, a computer program product, and a computer system for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors. A computer system or server converts the SIEM rules to formal representations. The computer system or server generates rule abstraction of the formal representations, by using an abstraction function. The computer system or server constructs a finite automaton based on the rule abstraction. The computer system or server eliminates irrelevant transitions in the finite automaton to generate an optimized finite automaton. The computer system or server generates optimized formal rules, based on the optimized finite automaton. The computer system or server converts the optimized formal rules to optimized SIEM rules. The computer or server deploys the optimized SIEM rules in the network of the event processors.
18 Claims
1. A computer-implemented method for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors, the method comprising:
converting the SIEM rules to formal representations; generating rule abstraction of the formal representations, by using an abstraction function; constructing a finite automaton based on the rule abstraction; eliminating irrelevant transitions in the finite automaton to generate an optimized finite automaton; generating optimized formal rules, based on the optimized finite automaton; converting the optimized formal rules to optimized SIEM rules; and deploying the optimized SIEM rules in the network of the event processors.
Dependent claims: 2, 3, 4, 5, 6.
7. A computer program product for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors, the computer program product comprising a non-transitory computer readable storage medium having program code embodied therewith, the program code executable to:
convert the SIEM rules to formal representations; generate rule abstraction of the formal representations, by using an abstraction function; construct a finite automaton based on the rule abstraction; eliminate irrelevant transitions in the finite automaton to generate an optimized finite automaton; generate optimized formal rules, based on the optimized finite automaton; convert the optimized formal rules to optimized SIEM rules; and deploy the optimized SIEM rules in the network of the event processors.
Dependent claims: 8, 9, 10, 11, 12.
13. A computer system for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors, the computer system comprising:
one or more processors, one or more computer readable tangible storage devices, and program instructions stored on at least one of the one or more computer readable tangible storage devices for execution by at least one of the one or more processors, the program instructions executable to: convert the SIEM rules to formal representations; generate rule abstraction of the formal representations, by using an abstraction function; construct a finite automaton based on the rule abstraction; eliminate irrelevant transitions in the finite automaton to generate an optimized finite automaton; generate optimized formal rules, based on the optimized finite automaton; convert the optimized formal rules to optimized SIEM rules; and deploy the optimized SIEM rules in the network of the event processors.
Dependent claims: 14, 15, 16, 17, 18.
Specification