Automatic transformation of security event detection rules

US 10,586,051 B2
Filed: 08/31/2017
Issued: 03/10/2020
Est. Priority Date: 08/31/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors, the method comprising:

converting the SIEM rules to formal representations;

generating rule abstraction of the formal representations, by using an abstraction function;

constructing a finite automaton based on the rule abstraction;

eliminating irrelevant transitions in the finite automaton to generate an optimized finite automaton;

generating optimized formal rules, based on the optimized finite automaton;

converting the optimized formal rules to optimized SIEM rules; and

deploying the optimized SIEM rules in the network of the event processors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method, a computer program product, and a computer system for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors. A computer system or server converts the SIEM rules to formal representations. The computer system or server generates rule abstraction of the formal representations, by using an abstraction function. The computer system or server constructs a finite automaton based on the rule abstraction. The computer system or server eliminates irrelevant transitions in the finite automaton to generate an optimized finite automaton. The computer system or server generates optimized formal rules, based on the optimized finite automaton. The computer system or server converts the optimized formal rules to optimized SIEM rules. The computer or server deploys the optimized SIEM rules in the network of the event processors.

32 Citations

18 Claims

1. A computer-implemented method for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors, the method comprising:
- converting the SIEM rules to formal representations;
  
  generating rule abstraction of the formal representations, by using an abstraction function;
  
  constructing a finite automaton based on the rule abstraction;
  
  eliminating irrelevant transitions in the finite automaton to generate an optimized finite automaton;
  
  generating optimized formal rules, based on the optimized finite automaton;
  
  converting the optimized formal rules to optimized SIEM rules; and
  
  deploying the optimized SIEM rules in the network of the event processors.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein the optimized formal rules are defined for all of the event processors in the network, by assuming a single event processor without considering distribution of the event processors.
  - 3. The computer-implemented method of claim 1, wherein the event processors share a state of a finite state machine, an event incurs a state transition of the finite state machine.
  - 4. The computer-implemented method of claim 3, wherein, when the state transition changes the state of the finite state machine, the event is passed to one or more remote event processors in the network.
  - 5. The computer-implemented method of claim 3, wherein, when the state transition does not change the state of the finite state machine, the event is consumed by a local event processor and is not passed to one or more remote event processors in the network.
  - 6. The computer-implemented method of claim 3, wherein the state of the finite state machine is one of three categories:
    - a normal and non-critical state, a normal but critical state, and an abnormal state, wherein the state does not change to the abnormal state if the state is the normal and non-critical state, wherein the state changes to the abnormal state if the state is the normal but critical state, wherein an alert is raised if the state is the abnormal state.

7. A computer program product for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors, the computer program product comprising a non-transitory computer readable storage medium having program code embodied therewith, the program code executable to:
- convert the SIEM rules to formal representations;
  
  generate rule abstraction of the formal representations, by using an abstraction function;
  
  construct a finite automaton based on the rule abstraction;
  
  eliminate irrelevant transitions in the finite automaton to generate an optimized finite automaton;
  
  generate optimized formal rules, based on the optimized finite automaton;
  
  convert the optimized formal rules to optimized SIEM rules; and
  
  deploy the optimized SIEM rules in the network of the event processors.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, wherein the optimized formal rules are defined for all of the event processors in the network, by assuming a single event processor without considering distribution of the event processors.
  - 9. The computer program product of claim 7, wherein the event processors share a state of a finite state machine, an event incurs a state transition of the finite state machine.
  - 10. The computer program product of claim 9, wherein, when the state transition changes the state of the finite state machine, the event is passed to one or more remote event processors in the network.
  - 11. The computer program product of claim 9, wherein, when the state transition does not change the state of the finite state machine, the event is consumed by a local event processor and is not passed to one or more remote event processors in the network.
  - 12. The computer program product of claim 9, wherein the state of the finite state machine is one of three categories:
    - a normal and non-critical state, a normal but critical state, and an abnormal state, wherein the state does not change to the abnormal state if the state is the normal and non-critical state, wherein the state changes to the abnormal state if the state is the normal but critical state, wherein an alert is raised if the state is the abnormal state.

13. A computer system for transformation of security information and event management (STEM) rules and deploying the STEM rules in a network of event processors, the computer system comprising:
- one or more processors, one or more computer readable tangible storage devices, and program instructions stored on at least one of the one or more computer readable tangible storage devices for execution by at least one of the one or more processors, the program instructions executable to;
  
  convert the SIEM rules to formal representations;
  
  generate rule abstraction of the formal representations, by using an abstraction function;
  
  construct a finite automaton based on the rule abstraction;
  
  eliminate irrelevant transitions in the finite automaton to generate an optimized finite automaton;
  
  generate optimized formal rules, based on the optimized finite automaton;
  
  convert the optimized formal rules to optimized SIEM rules; and
  
  deploy the optimized SIEM rules in the network of the event processors.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer system of claim 13, wherein the optimized formal rules are defined for all of the event processors in the network, by assuming a single event processor without considering distribution of the event processors.
  - 15. The computer system of claim 13, wherein the event processors share a state of a finite state machine, an event incurs a state transition of the finite state machine.
  - 16. The computer system of claim 15, wherein, when the state transition changes the state of the finite state machine, the event is passed to one or more remote event processors in the network.
  - 17. The computer system of claim 15, wherein, when the state transition does not change the state of the finite state machine, the event is consumed by a local event processor and is not passed to one or more remote event processors in the network.
  - 18. The computer system of claim 15, wherein the state of the finite state machine is one of three categories:
    - a normal and non-critical state, a normal but critical state, and an abnormal state, wherein the state does not change to the abnormal state if the state is the normal and non-critical state, wherein the state changes to the abnormal state if the state is the normal but critical state, wherein an alert is raised if the state is the abnormal state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hatsutori, Yoichi, Mishina, Takuya, Sato, Naoto, Satoh, Fumiko
Primary Examiner(s)
Zaidi, Syed A

Application Number

US15/692,429
Publication Number

US 20190065755A1
Time in Patent Office

922 Days
Field of Search

726 3
US Class Current
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/14   for detecting or protecting...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

Automatic transformation of security event detection rules

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Automatic transformation of security event detection rules

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others