The present invention relates generally to network security, and more particularly to automatic transformation of security event detection rules.
SIEM (Security Information and Event Management) events are processed by event processors (EPs) distributed across a network. Each of the event processors (EPs) is directly connected to one or more event sources (ESs) which raise events to the each of the event processors (EPs). Each of the event processors (EPs) carries a set of rules. When events from locally connected event sources (ESs) are processed, the set of rules are applied. When a security violation is detected, the event processor (EP) raises a security alert.
In distributed SIEM (Security Information and Event Management), when an event processor (EP) applies the rules, event processors (EPs) may need to be aware of events raised at remotes event processors (EPs). In this case, the EPs have to properly communicate with each other to share event information. If every event information is shared among the EPs, it often leads to poor performance due to substantial network traffic and redundant event processing on the EPs. This is the most challenging part of distributed SIEM (Security Information and Event Management).
A computer-implemented method for transformation of security information and event management (SIEM) rules and deploying the SIEM rules in a network of event processors is provided. The method is implemented by a computer system or a server. The computer-implemented method comprises converting the SIEM rules to formal representations; generating rule abstraction of the formal representations, by using an abstraction function; constructing a finite automaton based on the rule abstraction; eliminating irrelevant transitions in the finite automaton to generate an optimized finite automaton; generating optimized formal rules, based on the optimized finite automaton; converting the optimized formal rules to optimized SIEM rules; and deploying the optimized SIEM rules in a network of event processors. In the computer-implemented method, the optimized formal rules are defined for all of the event processors in the network, by assuming a single event processor without considering distribution of the event processors. In the computer-implemented method, the event processors share a state of a finite state machine, an event incurs a state transition of the finite state machine. In the computer-implemented method, when the state transition changes the state of the finite state machine, the event is passed to one or more remote event processors in the network. In the computer-implemented method, when the state transition does not change the state of the finite state machine, the event is consumed by a local event processor and is not passed to one or more remote event processors in the network. In the computer-implemented method, the state of the finite state machine is one of three categories: a normal and non-critical state, a normal but critical state, and an abnormal state. In the computer-implemented method, the state does not change to the abnormal state if the state is the normal and non-critical state. In the computer-implemented method, the state changes to the abnormal state if the state is the normal but critical state. In the computer-implemented method, an alert is raised if the state is the abnormal state.
In embodiments of the present invention, rules for processing event sources (ESs) should be defined without considering distribution of event processors (EPs) but just by assuming a single EP. Events raised to an EP are shared by remote EPs only when it is necessary for the event processing on the remote EPs so that network traffic is minimized and event processing redundancy is eliminated.
When the state transition actually changes the state, the event (for example the event e shown in
If the state of EP2 (220) is “e1_never_raised” (221), when EP1 (210) receives the event e2, EP2 (220) consumes the event e2 just locally. If the state of EP2 (220) is “e1_raised” (222), when EP2 (220) receives the event e2, EP2 (220) changes its state from “e1_raised” (222) to “on_alert” (223) and notifies EP1 (210) of the change of the finite state machine. Further, as soon as the state is changes, EP2 (220) raises a security alert.
ldap(t,printer, . . . )→offence when ∃t′<t·fw(t′,host, . . . )∈past_event
At step 302, the computer system or server generates rule abstraction of formal rules using an abstraction function. At this step, the inputs are the formal rules and the abstraction function α, and the output is abstracted rules. Abstraction of the formal rules using the abstraction function α simplifies the rules with no negative impact on the soundness of the rules. It is assumed that the abstraction function α is provided as a part of inputs to this step. For instance, the abstraction function α employed does conversion of events to alphabets, along with conditions to regular-expression matches. The input of the abstraction function α is as
name(_,host,_)a unqiue alphabet
condition regular expression match.
The output of the abstraction is as
b→offence when abstracted_past_event˜/.*a.*/
For the first use case described in later paragraphs,
fw(_,printer,_)‘a’
and
ldap(_,printer,_)‘b’
t′<t.fw(t′,printer, . . . )ϵpast_event abstracted_past_event˜/.*a.*/
At step 303, the computer system or server constructs a finite automaton. At this step, the input is the abstracted rules and the output is a single finite automaton (FA). The abstract rules are transformed into a state transition system (finite-state automaton). Rule processing using this FA has the following properties. (1) Soundness: If no offence is raised on the FA, it is guaranteed that rule processing with the original rules raise no offence. (2) Further simplification: If a transition does not change states, the transition (and the corresponding rule) can be safely eliminated without affecting the semantics of the rules. The mathematical expressions of the finite automaton are as follows.
states={q1,q2,offensive_raised}
where q1 and q2 respectively correspond with /.*a.*/ and complement (/.*a.*/)=/[^a]*/. Since an empty string (″) does not match /.*a.*/, initial states=q2
transitions={t1,t2,t3,t4)
where
t1:q1offence_raise (∵rule)
t2:q2q2(∵append(/[^a]*/,‘b’)∩/.*a.*/=ϕ
t3:q1q1(∵append(/.*a.*/, ‘a’)∩/.*a.*/ϕ
t4:q2q1(∵append(/[^a]*/,‘a’)∩/.*a.*/ϕ
At step 304, the computer system or server eliminates irrelevant transitions. At this step, the input is the single finite automaton and the output is an optimized finite automaton. The mathematical expressions of elimination of irrelevant transitions are as follows.
transitions={t1,t4)
t2 and t3 have been removed since (1) each of them remains in the same state and (2) they have no corresponding rules.
At step 305, the computer system or server generates optimized formal rules. At step 305, the inputs are the optimized finite automaton generated at step 304 and the formal rules generated at step 301. Another input is the mapping function m:
rule event processor
The outputs of step 305 are optimized formal rules. For the first use case described in later paragraphs, an optimized version of the original formal rule for t1 is
ldap(t,printer, . . . )→offence when state=q1
and a newly generated optimized version of the original formal rule for t4 and mapped to m(fw(t, printer, . . . )→ . . . ) is
fw(t,printer, . . . )→state: =q1 when state=q2
where m(fw(t, host, . . . )→ . . . )=the nearest event processor from the host.
At step 306, the computer system or server converts the optimized formal rules to optimized SIEM (Security Information and Event Management) rules. At this step, the input is the optimized formal rules and the output is the optimized STEM (Security Information and Event Management) rules.
At step 307, the computer system or server deploys the optimized STEM (Security Information and Event Management) rules in a network of event processors. The optimized SIEM rules are distributed over in a network of event processors and copied/shared by a plurality of event processors. For example, the computer system or server deploys the optimized SIEM (Security Information and Event Management) rules in event processor 1 (EP1 131), event processor 2 (EP1 132), and event processor 3 (EP1 133) in the network shown in
As shown in
ldap(t,printer, . . . )→offence when ∃t′<t·fw(t′,printer, . . . )∈past_event
Note that the “when . . . ” part of this rule can be regarded as a “critical condition”, that is, if this condition holds when a LDAP event occurs, the system will no longer stay in the normal state but turn into the abnormal (or “error”) state.
More specifically, this can be rephrased as: (1) If a “fw” (firmware) event has occurred in the past (P) and the latest event is “ldap” (Q), then the system no longer stays in the normal state. (2) If this is not the case, the system stays in the normal state. Based on this, the normal state can be defined as:
¬(P∧Q)≡¬P∨¬Q≡¬P∨(P∧¬Q)
The normal state is further divided into two following cases. (1) Non-Critical
Temporal logic is a well-known formalism for specifying relations between timed events. So, it seems natural to employ it to define rules formally. However, it turns out to be not that easy because of the following reasons. (1) Temporal logic is basically for defining and analyzing open-ended systems, that is, temporal formulas are supposed to hold at every moment of time (including future), whereas security rules focus on relations the past events and the current event. (2) Normality and abnormality are not distinguished in temporal logic. Thus, it is very difficult to capture “criticality” in temporal logic.
Among ϕ,
Given a sequence of the past events esP and the latest event e, the predicates ϕ and
As shown in
ϕα={esα|ϕα(esα)}.
Based on this, the following system of recursive equations is derived.
ϕα=ϕα·e(e≠ldap)
ϕα=ϕα·fw
where “·” in the above equations denotes the concatenation operator. By solving the above equations (i.e., maximal fixed point solution), ϕα and
As shown in
Referring to
Referring to
As shown in
The generated optimized formal rules are distributed over in a network of event processors, such as event processor EP1 (IoT gateway 402) and event processor EP2 (SIEM server 403) in the first use case shown in
The SIEM rule is as follows: For each entry event (or CAS event), if no motion detection has occurred within the last 1 minute, then an offence is raised due to potential anomaly of surveillance camera 901. The SIEM rule (semi-formal) is described as:
cas(t)→offence when ∀t′∈[t−1 min,t]·moton(t′)∈past_events
Note that the “when . . . ” part of the above rule can be regarded as a critical condition, that is, if this condition holds when a CAS event occurs, the system will no longer stay in a normal state but turn into an abnormal (or error) state. More specifically, this can be rephrased as follows: If no motion event has occurred within the last 1 minute (P) and a latest event is “lcas” (Q), then the system no longer stays in the normal state; If this is not the case, the system stays in the normal state. Based on this, the normal state can be defined as:
¬(P∧Q)≡¬P∨¬Q≡¬P∨(P∧¬Q)
The normal state is further divided into two following cases. (1) Non-Critical: One or more motion events have occurred in the last minutes (¬IP). (2) Critical: no motion event has occurred in the last minutes (P), though the latest event is not a CAS event (¬IQ). Let ϕ=P∧¬Q and
Given a sequence of the past events esP and the latest event e, the predicates ϕ,
Non-critical: One or more motion events have occurred within last 1 minute (¬P).
Critical: No motion event has occurred in the last 1 minute (P), and the latest event≠cas (¬Q).
ϕ(esP),e≠motion ∧e≠cas⇒ϕ(esP,e) a.
ϕ(esP),e=motion⇒¬ϕ(esP,e) b.
For the case that the system have been so far staying in the normal state:
ϕ(esP)∨
For the case that the transition is changed from the normal state to the abnormal state:
ϕ(esP)∨
In the same way as the first use case, ϕ and
SIEM (Security Information and Event Management) rules are as follows. When event processor EP1 1104 receives an entry event from event source ES1 1103, if the number of people in room 1107 is greater than 2N/3, EP1 104 raises an alert (alert1: too crowded). When event processor EP2 1106 receives an exit event from event source ES2 105, if the number of people in room 1107 is less than N/3, EP2 106 raises an alert (alert2: too few). N is the maximum number of people that room 1107 can hold. The SIEM rules (semi-formal) are described as:
enter→alert1 when n>2N/3
exit→alert2 when n<N/3
where n=|{enter∈past_events}|−|exit∈past_events|.
Note that the “when . . . ” part of the above rule can be regarded as a critical condition, that is, if this condition holds when an event occurs, the system will no longer stay in a normal state but turn into an abnormal (or error) state. More specifically, the above rules can be rephrased as follows: If n>2N/3 (P1) and the latest event is “enter” (Q1), then the system no longer stays in the normal state (alert1). If n<N/3 (P2) and the latest event is “exit” (Q2), the system no longer stays in the normal state (alert2). If n≥N/3 and n≤2N/3, then the system stays in the normal state. Note that the conditions that involve “n” are post-conditions are supposed to hold after events are raised. Thus, the system is in the normal state if and only both ¬(P1 ∧Q1) and ¬(P2 ∧Q2) hold. Let ϕ1=P1 ∧¬Q1,
The predicates ϕ1, ϕ2,
Non-critical 1: n≤2N/3 (¬P1).
Critical 1: n>2N/3 (P1) and the latest event is not “enter” (¬P1).
ϕ1(esP),e≠enter⇒ϕ1(esP,e)(n>2N/3) a.
ϕ1(esP),e≠enter ⇒¬ϕ1(esP,e)(n≤2N/3) b.
Abnormal 1:
ψ1(esP,e)≡ϕ1(esP)∧e=enter
Non-critical 2: n≥N/3 (¬P2).
Critical 2: n<N/3 (P2) and the latest event is not “exit” (¬P2).
ϕ2(esP),e≠exit⇒ϕ2(esP,e)(n<N/3) a.
ϕ2(esP),e≠exit⇒¬ϕ2(esP,e)(n≥N/3) b.
Abnormal 2:
ψ2(esP,e)≡ϕ2(esP)∧e=exit
In the same way as the first use case and the second use case, ϕ1, ϕ2,
Referring to
The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device, such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.
Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network (LAN), a wide area network (WAN), and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++, and conventional procedural programming languages, such as the C programming language, or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry in order to perform aspects of the present invention.
Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture, including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus, or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.
Number | Name | Date | Kind |
---|---|---|---|
9306962 | Pinto | Apr 2016 | B1 |
9516053 | Muddu et al. | Dec 2016 | B1 |
20140040261 | Horne et al. | Feb 2014 | A1 |
20140244650 | Zhou et al. | Aug 2014 | A1 |
20140372105 | Manadhata et al. | Dec 2014 | A1 |
20150113646 | Lee | Apr 2015 | A1 |
20150222667 | Nayshtut et al. | Aug 2015 | A1 |
20150229661 | Balabine et al. | Aug 2015 | A1 |
20150341379 | Lefebvre et al. | Nov 2015 | A1 |
Entry |
---|
Aman et al. “Event Driven Adaptive Security in Internet of Things” BICOMM 2014 : The Eighth International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies. pp. 7-16. |
Coppolino et al. (2013) “Enhancing SIEM Technology to Protect Critical Infrastructures.” In: Hammerli B.M., Kalstad Svendsen N., Lopez J. (eds) Critical Information Infrastructures Security. CRITIS 2012. Lecture Notes in Computer Science, vol. 7722. Springer, Berlin Heidelberg. |
Kolios et al. “Data-Driven Event Triggering for IoT Applications” IEEE Internet of Things Journal, vol. 3, No. 6, Dec. 2016. pp. 1146-1158. |
Appendix P List of IBM Applications or Patents Treated as Related. Dated Dec. 8, 2017. Two pages. |
Hatsutori et al. U.S. Appl. No. 15/692,429, filed Aug. 31, 2017. |
Number | Date | Country | |
---|---|---|---|
Parent | 15692429 | Aug 2017 | US |
Child | 15840587 | US |