Semantically-aware behavioral security analysis system for security information and event management
First Claim
1. An apparatus comprising:
at least one processing device comprising a processor coupled to a memory and implementing a behavioral security analysis system, the behavioral security analysis system comprising:
a computational semantic parser configured to process data associated with a security information and event management system to generate a plurality of logical descriptors, the data comprising log data of the security information and event management system; and
a learning engine coupled to the computational semantic parser and configured to generate a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors;
wherein the behavioral security descriptors are made accessible to an alerting engine of the security information and event management system and utilized to generate one or more security alerts; and
wherein the computational semantic parser comprises:
a syntactic decomposition module configured to decompose at least a portion of the log data into component elements comprising respective atomic syntactic units;
a lexical meaning assignment module configured to assign lexical meanings to the component elements utilizing metadata associated with the component elements and a lexicon of syntactic types, the metadata comprising position information and attributes associated with the atomic syntactic units;
a denotation assignment module configured to assign context denotation information to the component elements; and
a semantic recomposition module configured to generate a given logical descriptor based on at least one combinatorial tree having nodes associated with respective ones of the component elements and a tree structure determined using the assigned lexical meanings and context denotation information.
Abstract
A behavioral security analysis system comprises a computational semantic parser configured to process data associated with a security information and event management (SIEM) system to generate a plurality of logical descriptors, and a learning engine coupled to the computational semantic parser and configured to generate a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors. The behavioral security descriptors are made accessible to an alerting engine of the SIEM system and utilized to generate one or more security alerts. The computational semantic parser may be operative, for example, to syntactically decompose a portion of the data into component elements, to assign lexical meanings and context denotation information to the component elements, and to apply semantic recomposition to generate a given logical descriptor based on a combinatorial tree having a structure determined using the assigned lexical meanings and context denotation information.
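The four-stage parser and the learning and alerting engines described in the abstract, as an added illustration that is not the patent's own code: each stage is one function, the lexicon, the sshd-style sample lines, the neighbour-based denotation rules and the Beta-Bernoulli risk score are all constructed assumptions standing in for whatever the patented system actually uses.

```python
import re
from collections import defaultdict

# Constructed lexicon of syntactic types (an assumption; the patent publishes no lexicon).
LEXICON = {"failed": "VERB", "accepted": "VERB", "password": "NOUN", "for": "PREP",
           "from": "PREP", "port": "NOUN", "user": "NOUN", "invalid": "ADJ", "ssh2": "PROTO"}
def decompose(line):  # syntactic decomposition: atomic units plus position metadata
    return [{"text": t, "pos": i} for i, t in enumerate(line.split())]
def assign_lexical(units):  # lexical meaning: lexicon lookup plus token-shape attributes
    for u in units:
        t = u["text"].lower()
        u["type"] = ("IP" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", t) else
                     "NUM" if t.isdigit() else LEXICON.get(t, "NAME"))
    return units
def assign_denotation(units):  # context denotation: decided from type and left neighbour
    for i, u in enumerate(units):
        prev = units[i - 1]["type"] if i else None
        u["denotes"] = {"IP": "src_host", "VERB": "outcome", "ADJ": "account_state"}.get(u["type"])
        if u["type"] == "NUM" and prev == "NOUN":
            u["denotes"] = "src_port"
        elif u["type"] == "NAME" and prev in ("PREP", "NOUN"):
            u["denotes"] = "account"
    return units
def recompose(units):  # semantic recomposition: outcome at the root, denoted units as children
    root = next(u for u in units if u["denotes"] == "outcome")
    kids = sorted((u["denotes"], u["text"]) for u in units if u["denotes"] and u is not root)
    return (root["text"].lower(), tuple(kids))  # the logical descriptor
def parse(line):
    return recompose(assign_denotation(assign_lexical(decompose(line))))
def learn(descriptors, prior=(1.0, 1.0)):
    # learning engine: per-source behavioral descriptors; the risk score is a Beta-Bernoulli
    # posterior failure probability, a simple stand-in for the patent's Bayesian risk score
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "accounts": set()})
    for outcome, args in descriptors:
        a = dict(args)
        stats[a.get("src_host")][outcome] += 1
        stats[a.get("src_host")]["accounts"].add(a.get("account"))
    return {h: {"failed": s["failed"], "accepted": s["accepted"], "distinct_accounts": len(s["accounts"]),
                "risk": round((s["failed"] + prior[0]) / (s["failed"] + s["accepted"] + sum(prior)), 3)}
            for h, s in stats.items()}
def alerts(behavioral, risk_threshold=0.8, min_accounts=3):  # alerting engine over the descriptors
    return sorted(h for h, b in behavioral.items()
                  if b["risk"] >= risk_threshold and b["distinct_accounts"] >= min_accounts)
LOG = [  # constructed sshd-style sample lines, not from the patent
    "Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2",
    "Failed password for root from 203.0.113.5 port 4423 ssh2",
    "Failed password for invalid user test from 203.0.113.5 port 4424 ssh2",
    "Accepted password for alice from 198.51.100.7 port 5100 ssh2",
    "Failed password for alice from 198.51.100.7 port 5101 ssh2"]
```

Running `alerts(learn([parse(l) for l in LOG]))` flags only the host whose failures spread across several accounts; the single mistyped password from the second host yields a low risk score and no alert.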
20 Claims
1. (Independent apparatus claim, reproduced in full under First Claim above.) Dependent claims: 2, 3, 5, 6, 7, 8, 9.

4. The apparatus of claim 3 wherein the Bayesian learning engine is configured to assign Bayesian risk scores to respective ones of the behavioral security descriptors based on one or more security threat models.

10. A method comprising the steps of:
processing data associated with a security information and event management system in a computational semantic parser to generate a plurality of logical descriptors, the data comprising log data of the security information and event management system; generating a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors; and utilizing the behavioral security descriptors to generate one or more security alerts; wherein the processing step comprises: syntactically decomposing at least a portion of the log data into component elements comprising respective atomic syntactic units; assigning lexical meanings to the component elements utilizing metadata associated with the component elements and a lexicon of syntactic types, the metadata comprising position information and attributes associated with the atomic syntactic units; assigning context denotation information to the component elements; and applying semantic recomposition to generate a given logical descriptor based on at least one combinatorial tree having nodes associated with respective ones of the component elements and a tree structure determined at least in part using the assigned lexical meanings and context denotation information. Dependent claims: 11, 12, 13, 14.

15. A computer program product comprising a non-transitory processor-readable storage medium having encoded therein executable code of one or more software programs, wherein the one or more software programs when executed by at least one processing device cause the at least one processing device:
to process data associated with a security information and event management system in a computational semantic parser to generate a plurality of logical descriptors, the data comprising log data of the security information and event management system; to generate a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors; and to utilize the behavioral security descriptors to generate one or more security alerts; wherein processing data associated with the security information and event management system comprises: syntactically decomposing at least a portion of the log data into component elements comprising respective atomic syntactic units; assigning lexical meanings to the component elements utilizing metadata associated with the component elements and a lexicon of syntactic types, the metadata comprising position information and attributes associated with the atomic syntactic units; assigning context denotation information to the component elements; and applying semantic recomposition to generate a given logical descriptor based on at least one combinatorial tree having nodes associated with respective ones of the component elements and a tree structure determined at least in part using the assigned lexical meanings and context denotation information.

16. An information processing system comprising:
information technology infrastructure; a security information and event management system comprising an alerting engine for generating security alerts relating to at least a portion of the information technology infrastructure; and a behavioral security analysis system comprising: a computational semantic parser configured to process data associated with the security information and event management system to generate a plurality of logical descriptors, the data comprising log data of the security information and event management system; and a learning engine coupled to the computational semantic parser and configured to generate a plurality of behavioral security descriptors based at least in part on at least a subset of the logical descriptors; wherein the behavioral security descriptors are utilized by the alerting engine of the security information and event management system to generate one or more of the security alerts; wherein the behavioral security analysis system is implemented by at least one processing device comprising a processor coupled to a memory; and wherein the computational semantic parser comprises: a syntactic decomposition module configured to decompose at least a portion of the log data into component elements comprising respective atomic syntactic units; a lexical meaning assignment module configured to assign lexical meanings to the component elements utilizing metadata associated with the component elements and a lexicon of syntactic types, the metadata comprising position information and attributes associated with the atomic syntactic units; a denotation assignment module configured to assign context denotation information to the component elements; and a semantic recomposition module configured to generate a given logical descriptor based on at least one combinatorial tree having nodes associated with respective ones of the component elements and a tree structure determined using the assigned lexical meanings and context denotation information. Dependent claims: 17, 18, 19, 20.
Specification