GRAPH STRUCTURES FOR EVENT MATCHING
First Claim
1. A system for matching a system event to a rule comprising:
a computer-readable data structure comprising a plurality of system event rules organizable as a partially ordered set;
a processor configured to analyze the computer-readable data structure to determine whether an event matches a description set of at least one rule from the plurality of system event rules.
Abstract
A system for matching a system event to a rule is disclosed. The system includes a computer-readable data structure comprising a plurality of system event rules organizable as a partially ordered set. The system also includes a processor configured to analyze the computer-readable data structure to determine whether an event matches a description set of at least one rule from the plurality of system event rules. Methods and machine-readable mediums are also disclosed.
16 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5.
6. A method for matching a system event to a rule comprising:
generating a match set based on an incoming system event; identifying at least one node, in a rule relations graph, associated with a set of fields that is a subset of, or equal to, the set of fields associated with the match set; and processing, using a computer, at least one rule associated with the at least one node. Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14.
15. A system for matching a system event to a rule comprising:
a computer-readable data structure comprising a plurality of intrusion detection rules organizable as a partially ordered set;
a processor configured to generate a match set based on the system event, the processor further configured to identify whether at least one rule, from a plurality of intrusion detection rules, is associated with a set of fields that is a subset of, or equal to, a set of fields associated with the match set, and whether the values associated with the set of fields associated with the at least one rule match the values associated with the set of fields associated with the match set,
wherein the processor is further configured to initiate at least one response action associated with the at least one rule if the set of fields associated with the at least one rule is a subset of, or equal to, a set of fields associated with the match set, and if the values associated with the set of fields associated with the at least one rule match the values associated with the set of fields associated with the match set.
16. A machine-readable medium encoded with instructions for matching a system event to a rule, the instructions comprising code for:
generating a match set based on an incoming system event; identifying at least one node, in a rule relations graph, associated with a set of fields that is a subset of, or equal to, the set of fields associated with the match set; and processing at least one rule associated with the at least one node.
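Worked example of the matching method in claims 6, 15 and 16, added here as an illustration; it is not code from the patent or its assignee. Rules are grouped into nodes by the set of fields they constrain, the nodes are partially ordered by subset, and matching walks the graph from the minimal field sets downward, pruning every node (and all of its supersets) that requires a field the incoming event does not carry. Only the surviving nodes have their rules' values compared against the event, and each matching rule's response action is returned. The class and function names (RuleRelationsGraph, candidate_nodes, match), the rule names R1 to R6 and the sample events are all constructed for this example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Mapping, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """A rule's description set: field -> required value, plus its response action."""
    name: str
    conditions: Mapping[str, str]
    action: str

    @property
    def fields(self) -> FrozenSet[str]:
        return frozenset(self.conditions)


class RuleRelationsGraph:
    """Rules grouped into nodes by field set. Nodes form a partially ordered set under
    the subset relation; each node links to the nodes that immediately extend it."""

    def __init__(self, rules: List[Rule]) -> None:
        self.nodes: Dict[FrozenSet[str], List[Rule]] = {}
        for rule in rules:
            self.nodes.setdefault(rule.fields, []).append(rule)
        keys = list(self.nodes)
        # Covering edges: a -> b when a is a proper subset of b and no node lies between.
        self.children: Dict[FrozenSet[str], List[FrozenSet[str]]] = {
            a: [b for b in keys if a < b and not any(a < c < b for c in keys)]
            for a in keys
        }
        # Roots are the minimal nodes: no other node is a proper subset of them.
        self.roots: List[FrozenSet[str]] = [
            n for n in keys if not any(p < n for p in keys)
        ]

    def candidate_nodes(self, match_fields: FrozenSet[str]) -> Set[FrozenSet[str]]:
        """Descend from the roots, visiting only nodes whose fields are all present in
        the match set. A node that needs a field the event lacks is pruned together
        with every superset node below it, since those cannot match either."""
        visited: Set[FrozenSet[str]] = set()
        queue = deque(n for n in self.roots if n <= match_fields)
        while queue:
            node = queue.popleft()
            if node in visited:
                continue
            visited.add(node)
            queue.extend(c for c in self.children[node] if c <= match_fields)
        return visited

    def match(self, event: Mapping[str, str]) -> List[Tuple[str, str]]:
        """Build the match set from the event, select candidate nodes by field set,
        then compare values. Returns (rule name, action) for every matching rule."""
        match_fields = frozenset(event)
        hits: List[Tuple[str, str]] = []
        for node in self.candidate_nodes(match_fields):
            for rule in self.nodes[node]:
                if all(event[f] == v for f, v in rule.conditions.items()):
                    hits.append((rule.name, rule.action))
        return sorted(hits)


# Constructed sample rule set (hypothetical names and actions, not from the patent).
RULES = [
    Rule("R1", {"proto": "tcp"}, "log"),
    Rule("R2", {"proto": "tcp", "dst_port": "22"}, "alert-ssh"),
    Rule("R3", {"proto": "tcp", "dst_port": "22", "user": "root"}, "block"),
    Rule("R4", {"user": "root"}, "audit"),
    Rule("R5", {"proto": "udp", "dst_port": "53"}, "alert-dns"),
    Rule("R6", {"proto": "tcp", "dst_port": "22", "src_ip": "10.0.0.5"}, "block-src"),
]
GRAPH = RuleRelationsGraph(RULES)

# Constructed sample events (field -> value), standing in for parsed log records.
EVENTS = [
    {"proto": "tcp", "dst_port": "22", "user": "root"},
    {"proto": "udp", "dst_port": "53"},
    {"user": "root"},
    {"proto": "tcp", "dst_port": "22", "src_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for event in EVENTS:
        print(sorted(event), "->", GRAPH.match(event))
```

For the first sample event the walk visits four of the five nodes and skips the {proto, dst_port, src_ip} node without inspecting R6, because the event has no src_ip field; for the bare {user: root} event it visits only the {user} node. The value comparison is the second, separate test in claim 15: R2 and R5 share a node but only the one whose values agree with the event fires its action.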