Realtime triggering framework

US 10,536,476 B2
Filed: 07/21/2016
Issued: 01/14/2020
Est. Priority Date: 07/21/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

generating a trigger registration for a selected triggering type;

storing the generated trigger registration in a triggering persistency;

analyzing a received event from an event persistency;

comparing data associated with the analyzed event with the triggering persistency; and

based on the comparison, processing, using a pattern execution framework, an enterprise threat detection (ETD) pattern data object to perform actions responsive to the received event, wherein the ETD pattern is translated into a structured query language (SQL) query, and wherein the ETD pattern contains paths connected over references and each path contains subsets representing conditions; and

upon detection of an alert based on processing of the ETD pattern, transmitting a pattern identification of the ETD pattern to a high-frequency computational daemon thread or a job which processes one or more other ETD patterns corresponding to the ETD pattern in parallel and by triggering separate processing threads to execute each other ETD pattern, wherein each separate processing thread completes processing of a particular other ETD pattern and ends with no return to the high-frequency computational daemon thread or the job.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method generates a trigger registration for a selected triggering type. The generated trigger registration is stored in a triggering persistency. A received event from an event persistency is analyzed and data associated with the analyzed event is compared with the triggering persistency. Based on the comparison and using a pattern execution framework, an enterprise threat detection (ETD) pattern is processed to perform actions responsive to the received event.

197 Citations

20 Claims

1. A computer-implemented method, comprising:
- generating a trigger registration for a selected triggering type;
  
  storing the generated trigger registration in a triggering persistency;
  
  analyzing a received event from an event persistency;
  
  comparing data associated with the analyzed event with the triggering persistency; and
  
  based on the comparison, processing, using a pattern execution framework, an enterprise threat detection (ETD) pattern data object to perform actions responsive to the received event, wherein the ETD pattern is translated into a structured query language (SQL) query, and wherein the ETD pattern contains paths connected over references and each path contains subsets representing conditions; and
  
  upon detection of an alert based on processing of the ETD pattern, transmitting a pattern identification of the ETD pattern to a high-frequency computational daemon thread or a job which processes one or more other ETD patterns corresponding to the ETD pattern in parallel and by triggering separate processing threads to execute each other ETD pattern, wherein each separate processing thread completes processing of a particular other ETD pattern and ends with no return to the high-frequency computational daemon thread or the job.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the triggering type includes one of the group consisting of by event and by pattern.
  - 3. The computer-implemented method of claim 1, wherein the trigger registration is stored in a triggering persistency registration list.
  - 4. The computer-implemented method of claim 3, comprising determining that the data associated with the analyzed event matches registered content or one or more semantic value trigger registrations in the triggering persistency registration list.
  - 5. The computer-implemented method of claim 1, comprising:
    - instantiating a processing thread to process the ETD pattern; and
      
      delegating the processing of the ETD pattern from the processing thread to the pattern execution framework.
  - 6. The computer-implemented method of claim 1, comprising determining that execution of the ETD pattern generates an additional event.
  - 7. The computer-implemented method of claim 6, comprising determining whether a triggering registration for the additional event exists in the triggering persistency.

8. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising:
- generating a trigger registration for a selected triggering type;
  
  storing the generated trigger registration in a triggering persistency;
  
  analyzing a received event from an event persistency;
  
  comparing data associated with the analyzed event with the triggering persistency; and
  
  based on the comparison, processing, using a pattern execution framework, an enterprise threat detection (ETD) pattern data object to perform actions responsive to the received event, wherein the ETD pattern is translated into a structured query language (SQL) query, and wherein the ETD pattern contains paths connected over references and each path contains subsets representing conditions; and
  
  upon detection of an alert based on processing of the ETD pattern, transmitting a pattern identification of the ETD pattern to a high-frequency computational daemon thread or a job which processes one or more other ETD patterns corresponding to the ETD pattern in parallel and by triggering separate processing threads to execute each other ETD pattern, wherein each separate processing thread completes processing of a particular other ETD pattern and ends with no return to the high-frequency computational daemon thread or the job.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory, computer-readable medium of claim 8, wherein the triggering type includes one of the group consisting of by event and by pattern.
  - 10. The non-transitory, computer-readable medium of claim 8, wherein the trigger registration is stored in a triggering persistency registration list.
  - 11. The non-transitory, computer-readable medium of claim 10, comprising one or more instructions to determine that the data associated with the analyzed event matches registered content or one or more semantic value trigger registrations in the triggering persistency registration list.
  - 12. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to:
    - instantiate a processing thread to process the ETD pattern; and
      
      delegate the processing of the ETD pattern from the processing thread to the pattern execution framework.
  - 13. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to determine that execution of the ETD pattern generates an additional event.
  - 14. The non-transitory, computer-readable medium of claim 13, comprising one or more instructions to determine whether a triggering registration for the additional event exists in the triggering persistency.

15. A computer-implemented system, comprising:
- a hardware processor interoperably coupled with a computer memory and configured to perform operations comprising;
  
  generating a trigger registration for a selected triggering type;
  
  storing the generated trigger registration in a triggering persistency;
  
  analyzing a received event from an event persistency;
  
  comparing data associated with the analyzed event with the triggering persistency; and
  
  based on the comparison, processing, using a pattern execution framework, an enterprise threat detection (ETD) pattern data object to perform actions responsive to the received event, wherein the ETD pattern is translated into a structured query language (SQL) query, and wherein the ETD pattern contains paths connected over references and each path contains subsets representing conditions; and
  
  upon detection of an alert based on processing of the ETD pattern, transmitting a pattern identification of the ETD pattern to a high-frequency computational daemon thread or a lob which processes one or more other ETD patterns corresponding to the ETD pattern in parallel and by triggering separate processing threads to execute each other ETD pattern, wherein each separate processing thread completes processing of a particular other ETD pattern and ends with no return to the high-frequency computational daemon thread or the job.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-implemented system of claim 15, wherein the triggering type includes one of the group consisting of by event and by pattern.
  - 17. The computer-implemented system of claim 15, wherein the trigger registration is stored in a triggering persistency registration list.
  - 18. The computer-implemented system of claim 17, configured to determine that the data associated with the analyzed event matches registered content or one or more semantic value trigger registrations in the triggering persistency registration list.
  - 19. The computer-implemented system of claim 15, configured to:
    - instantiate a processing thread to process the ETD pattern; and
      
      delegate the processing of the ETD pattern from the processing thread to the pattern execution framework.
  - 20. The computer-implemented system of claim 15, configured to:
    - determine that execution of the ETD pattern generates an additional event; and
      
      determine whether a triggering registration for the additional event exists in the triggering persistency.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Pritzkau, Eugen, Nos, Kathrin, Rodeck, Marco, Chrosziel, Florian, Hassforther, Jona, Merkel, Rita, Menke, Thorsten, Kunz, Thomas, Seifert, Hartwig, Mehta, Harish, Peng, Wei-Guo, Luo, Lin, Zhang, Nan, Dinkova, Hristina
Primary Examiner(s)
Zarrineh, Shahriar

Application Number

US15/216,201
Publication Number

US 20180027010A1
Time in Patent Office

1,272 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 43/106   using time related informat...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

Realtime triggering framework

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

197 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Realtime triggering framework

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

197 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others