Semantically-aware behavioral security analysis system for security information and event management

US 9,064,210 B1
Filed: 03/31/2012
Issued: 06/23/2015
Est. Priority Date: 03/31/2012
Status: Active Grant

First Claim

Patent Images

1. An apparatus comprising:

at least one processing device comprising a processor coupled to a memory and implementing a behavioral security analysis system, the behavioral security analysis system comprising;

a computational semantic parser configured to process data associated with a security information and event management system to generate a plurality of logical descriptors, the data comprising log data of the security information and event management system; and

a learning engine coupled to the computational semantic parser and configured to generate a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors;

wherein the behavioral security descriptors are made accessible to an alerting engine of the security information and event management system and utilized to generate one or more security alerts; and

wherein the computational semantic parser comprises;

a syntactic decomposition module configured to decompose at least a portion of the log data into component elements comprising respective atomic syntactic units;

a lexical meaning assignment module configured to assign lexical meanings to the component elements utilizing metadata associated with the component elements and a lexicon of syntactic types, the metadata comprising position information and attributes associated with the atomic syntactic units;

a denotation assignment module configured to assign context denotation information to the component elements; and

a semantic recomposition module configured to generate a given logical descriptor based on at least one combinatorial tree having nodes associated with respective ones of the component elements and a tree structure determined using the assigned lexical meanings and context denotation information.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A behavioral security analysis system comprises a computational semantic parser configured to process data associated with a security information and event management (SIEM) system to generate a plurality of logical descriptors, and a learning engine coupled to the computational semantic parser and configured to generate a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors. The behavioral security descriptors are made accessible to an alerting engine of the SIEM system and utilized to generate one or more security alerts. The computational semantic parser may be operative, for example, to syntactically decompose a portion of the data into component elements, to assign lexical meanings and context denotation information to the component elements, and to apply semantic recomposition to generate a given logical descriptor based on a combinatorial tree having a structure determined using the assigned lexical meanings and context denotation information.

53 Citations

View as Search Results

20 Claims

1. An apparatus comprising:
- at least one processing device comprising a processor coupled to a memory and implementing a behavioral security analysis system, the behavioral security analysis system comprising;
  
  a computational semantic parser configured to process data associated with a security information and event management system to generate a plurality of logical descriptors, the data comprising log data of the security information and event management system; and
  
  a learning engine coupled to the computational semantic parser and configured to generate a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors;
  
  wherein the behavioral security descriptors are made accessible to an alerting engine of the security information and event management system and utilized to generate one or more security alerts; and
  
  wherein the computational semantic parser comprises;
  
  a syntactic decomposition module configured to decompose at least a portion of the log data into component elements comprising respective atomic syntactic units;
  
  a lexical meaning assignment module configured to assign lexical meanings to the component elements utilizing metadata associated with the component elements and a lexicon of syntactic types, the metadata comprising position information and attributes associated with the atomic syntactic units;
  
  a denotation assignment module configured to assign context denotation information to the component elements; and
  
  a semantic recomposition module configured to generate a given logical descriptor based on at least one combinatorial tree having nodes associated with respective ones of the component elements and a tree structure determined using the assigned lexical meanings and context denotation information.
- View Dependent Claims (2, 3, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1 wherein the behavioral security analysis system is implemented at least in part within the security information and event management system.
  - 3. The apparatus of claim 1 wherein the learning engine comprises a Bayesian learning engine.
  - 5. The apparatus of claim 1 wherein the alerting engine is configured to generate a given one of the security alerts upon detection of an event having particular characteristics associated with one or more of the behavioral security descriptors.
  - 6. The apparatus of claim 1 further comprising a database for storing at least a portion of the logical descriptors and the behavioral security descriptors.
  - 7. The apparatus of claim 1 wherein the lexicon of syntactic types comprises one or more explicit listings corresponding to computational semantic constructs defined in a lambda calculus.
  - 8. The apparatus of claim 1 wherein the lexicon of syntactic types comprises a plurality of entries and the denotation information comprises at least one of:
    - contextual modifications to at least one entry in the lexicon;
      
      at least one additional entry for the lexicon; and
      
      enriching attributes for at least one entry in the lexicon from one or more external sources.
  - 9. The apparatus of claim 1 wherein:
    - a given one of the logical descriptors comprises a given logical value representing the meaning of a message;
      
      the given logical value is computed based at least in part on a combination of;
      
      individual units of lexical meaning associated with at least two atomic syntactic units; and
      
      relational values of the individual units of lexical meaning associated with said at least two atomic syntactic units; and
      
      the given logical value is assigned one or more attributes associated with the security information and even management system, the one or more attributes including at least one of intent, outcome and disposition.

4. The apparatus of 3 wherein the Bayesian learning engine is configured to assign Bayesian risk scores to respective ones of the behavioral security descriptors based on one or more security threat models.

10. A method comprising the steps of:
- processing data associated with a security information and event management system in a computational semantic parser to generate a plurality of logical descriptors, the data comprising log data of the security information and event management system;
  
  generating a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors; and
  
  utilizing the behavioral security descriptors to generate one or more security alerts;
  
  wherein the processing step comprises;
  
  syntactically decomposing at least a portion of the log data into component elements comprising respective atomic syntactic units;
  
  assigning lexical meanings to the component elements utilizing metadata associated with the component elements and a lexicon of syntactic types the metadata comprising position information and attributes associated with the atomic syntactic units;
  
  assigning context denotation information to the component elements; and
  
  applying semantic recomposition to generate a given logical descriptor based on at least one combinatorial tree having nodes associated with respective Ones of the component elements and a tree structure determined at least in part using the assigned lexical meanings and context denotation information.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10 wherein the processing, generating and utilizing steps are performed by at least one processing device of a processing platform.
  - 12. The method of claim 10 wherein the generating step comprises assigning Bayesian risk scores to respective ones of the behavioral security descriptors based on one or more security threat models.
  - 13. The method of claim 10 wherein the utilizing step comprises generating a given one of the security alerts upon detection of an event having particular characteristics associated with one or more of the behavioral security descriptors.
  - 14. The method of claim 10 further comprising the step of storing at least a portion of the logical descriptors and the behavioral security descriptors in a database.

15. A computer program product comprising a non-transitory processor-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by at least one processing device cause the at least one processing device:
- to process data associated with a security information and event management system in a computational semantic parser to generate a plurality of logical descriptors, the data comprising log data of the security information and event management system;
  
  to generate a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors; and
  
  to utilize the behavioral security descriptors to generate one or more security alerts;
  
  wherein processing data associated with the security information and management system comprises;
  
  syntactically decomposing at least a portion of the log data into component elements comprising respective atomic syntactic units;
  
  assigning lexical meanings to the component elements utilizing metadata associated with the component elements and a lexicon of syntactic types, the metadata comprising position information and attributes associated with the atomic syntactic units;
  
  assigning context denotation information to the component elements; and
  
  applying semantic recomposition to generate a given logical descriptor based on at least one combinatorial tree having nodes associated with respective ones of the component elements and a tree structure determined at least in part using the assigned lexical meanings and context denotation information.

16. An information processing system comprising:
- information technology infrastructure;
  
  a security information and event management system comprising an alerting engine for generating security alerts relating to at least a portion of the information technology infrastructure; and
  
  a behavioral security analysis system comprising;
  
  a computational semantic parser configured to process data associated with the security information and event management system to generate a plurality of logical descriptors the data comprising log data of the security information and event management system; and
  
  a learning engine coupled to the computational semantic parser and configured to generate a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors;
  
  wherein the behavioral security descriptors are utilized by the alerting engine of the security information and event management system to generate one or more of the security alerts;
  
  wherein the behavioral security analysis system is implemented by at least one processing device comprising a processor coupled to a memory; and
  
  wherein the computational semantic parser comprises;
  
  a syntactic decomposition module configured to decompose at least a portion of the log data into component elements comprising respective atomic syntactic units;
  
  a lexical meaning assignment module configured to assign lexical meanings to the component elements utilizing metadata associated with the component elements and a lexicon of syntactic types, the metadata comprising position information and attributes associated with the atomic syntactic units;
  
  a denotation assignment module configured to assign context denotation information to the component elements; and
  
  a semantic recomposition module configured to generate a given logical descriptor based on at least one combinatorial tree having nodes associated with respective ones of the component elements and a tree structure determined using the assigned lexical meanings and context denotation information.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The information processing system of claim 16 wherein the security information and event management system is at least partially implemented within the information technology infrastructure.
  - 18. The information processing system of claim 16 further comprising a security operations center associated with the information technology infrastructure, wherein the security information and event management system is implemented at least in part within the security operations center.
  - 19. The information processing system of claim 16 further comprising a database for storing at least a portion of the logical descriptors and the behavioral security descriptors.
  - 20. The information processing system of claim 16 wherein the information technology infrastructure comprises at least one processing platform having a plurality of processing devices with each such processing device of the processing platform comprising a processor coupled to a memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Hart, Catherine V.
Primary Examiner(s)
RIFKIN, BEN M

Application Number

US13/436,884
Time in Patent Office

1,179 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 40/211   Syntactic parsing, e.g. bas...

G06F 40/30   Semantic analysis

G06N 20/00   Machine learning

G06N 7/01   Probabilistic graphical mod...

Semantically-aware behavioral security analysis system for security information and event management

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Semantically-aware behavioral security analysis system for security information and event management

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links