KNOWLEDGE BASE IN ENTERPRISE THREAT DETECTION

US 20170178025A1
Filed: 12/22/2015
Published: 06/22/2017
Est. Priority Date: 12/22/2015
Status: Active Application

First Claim

Patent Images

1. A computer-implemented method, comprising:

accessing a log file including a plurality of log entries;

analyzing each log entry of the plurality of log entries to identify components of each log entry, wherein the components of the particular log entry indicate an event, wherein the event is associated with roles, and wherein each role is associated with one or more attributes;

determining semantic meaning of the event associated with the particular log entry, wherein a mapping is performed by applying contextual information from one or more semantic meaning models stored in a knowledgebase to the identified components of each log entry to derive semantic meaning for the particular log entry;

modeling the derived semantic meaning for the particular log entry; and

recording the modeled semantic meaning in the knowledgebase as a new semantic meaning model for future use.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A log file including a plurality of log entries is accessed. Each log entry of the plurality of log entries is analyzed to identify components of each log entry. The components of the particular log entry indicate an event. The event is associated with roles. Each role is associated with one or more attributes. Semantic meaning of the event associated with the particular log entry is determined. A mapping is performed by applying contextual information from one or more semantic meaning models stored in a knowledgebase to the identified components of each log entry to derive semantic meaning for the particular log entry. The derived semantic meaning is modeled for the particular log entry. The modeled semantic meaning is recorded in the knowledgebase as a new semantic meaning model for future use.

34 Citations

View as Search Results

20 Claims

1. A computer-implemented method, comprising:
- accessing a log file including a plurality of log entries;
  
  analyzing each log entry of the plurality of log entries to identify components of each log entry, wherein the components of the particular log entry indicate an event, wherein the event is associated with roles, and wherein each role is associated with one or more attributes;
  
  determining semantic meaning of the event associated with the particular log entry, wherein a mapping is performed by applying contextual information from one or more semantic meaning models stored in a knowledgebase to the identified components of each log entry to derive semantic meaning for the particular log entry;
  
  modeling the derived semantic meaning for the particular log entry; and
  
  recording the modeled semantic meaning in the knowledgebase as a new semantic meaning model for future use.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, comprising pre-loading the knowledgebase with one or more models of derived semantic meaning.
  - 3. The method of claim 1, comprising assigning a log entry type to each of the plurality of log entries.
  - 4. The method of claim 3, wherein the assignment of a log entry type is based on text-based components of each log entry and determined using either string comparison or regular expression evaluation.
  - 5. The method of claim 3, wherein for structured log entries, the log entry type can be determined for the log entry using or more fields of each structured log entry.
  - 6. The method of claim 3, wherein events are related using event relations of varying event relation types.
  - 7. The method of claim 1, comprising mapping the identified components to a log entry model.

8. A non-transitory, computer-readable medium storing computer-readable instructions, the instructions executable by a computer and configured to:
- access a log file including a plurality of log entries;
  
  analyze each log entry of the plurality of log entries to identify components of each log entry, wherein the components of the particular log entry indicate an event, wherein the event is associated with roles, and wherein each role is associated with one or more attributes;
  
  determine semantic meaning of the event associated with the particular log entry, wherein a mapping is performed by applying contextual information from one or more semantic meaning models stored in a knowledgebase to the identified components of each log entry to derive semantic meaning for the particular log entry;
  
  model the derived semantic meaning for the particular log entry; and
  
  record the modeled semantic meaning in the knowledgebase as a new semantic meaning model for future use.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory, computer-readable medium of claim 8, comprising pre-loading the knowledgebase with one or more models of derived semantic meaning.
  - 10. The non-transitory, computer-readable medium of claim 8, comprising assigning a log entry type to each of the plurality of log entries.
  - 11. The non-transitory, computer-readable medium of claim 10, wherein the assignment of a log entry type is based on text-based components of each log entry and determined using either string comparison or regular expression evaluation.
  - 12. The non-transitory, computer-readable medium of claim 10, wherein for structured log entries, the log entry type can be determined for the log entry using or more fields of each structured log entry.
  - 13. The non-transitory, computer-readable medium of claim 10, wherein events are related using event relations of varying event relation types.
  - 14. The non-transitory, computer-readable medium of claim 8, comprising mapping the identified components to a log entry model.

15. A system, comprising:
- a memory;
  
  at least one hardware processor interoperably coupled with the memory and configured to;
  
  access a log file including a plurality of log entries;
  
  analyze each log entry of the plurality of log entries to identify components of each log entry, wherein the components of the particular log entry indicate an event, wherein the event is associated with roles, and wherein each role is associated with one or more attributes;
  
  determine semantic meaning of the event associated with the particular log entry, wherein a mapping is performed by applying contextual information from one or more semantic meaning models stored in a knowledgebase to the identified components of each log entry to derive semantic meaning for the particular log entry;
  
  model the derived semantic meaning for the particular log entry; and
  
  record the modeled semantic meaning in the knowledgebase as a new semantic meaning model for future use.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, comprising pre-loading the knowledgebase with one or more models of derived semantic meaning.
  - 17. The system of claim 15, comprising assigning a log entry type to each of the plurality of log entries.
  - 18. The system of claim 17, wherein the assignment of a log entry type is based on text-based components of each log entry and determined using either string comparison or regular expression evaluation.
  - 19. The system of claim 17, wherein for structured log entries, the log entry type can be determined for the log entry using or more fields of each structured log entry.
  - 20. The system of claim 17, wherein events are related using event relations of varying event relation types.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Mehta, Harish, Merkel, Rita, Rodeck, Marco, Pritzkau, Eugen, Kunz, Thomas, Al-Hujaj, Omar Alexander, Carullo, Lukas, Seifert, Hartwig, Thomas, Susan Marie

Application Number

US14/978,963
Publication Number

US 20170178025A1
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2465   Query processing support fo...

G06F 21/552   involving long-term monitor...

G06N 20/00   Machine learning

G06N 5/022   Knowledge engineering; Know...

G06N 5/025   Extracting rules from data

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

KNOWLEDGE BASE IN ENTERPRISE THREAT DETECTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

KNOWLEDGE BASE IN ENTERPRISE THREAT DETECTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links