Title: Unsupervised aggregation of security rules
Abstract: A processing device comprises a processor coupled to a memory and is configured to obtain at least one rule set utilized to detect malicious activity in a computer network, to determine one or more trigger conditions for each of a plurality of rules of the at least one rule set, to identify alerts generated responsive to the determined trigger conditions, to compute correlations between respective pairs of the plurality of rules based on the identified alerts, and to aggregate groups of two or more of the plurality of rules into respective aggregated rules based at least in part on the computed correlations. The aggregated rules are illustratively applied in conjunction with remaining unaggregated ones of the plurality of rules of the one or more rule sets to detect malicious activity in the computer network. The processing device may be implemented in a computer network or network security system.
Publication number: US9325733(B1) Publication date: 2016.04.26
Application number: US201414530061 Filing date: 2014.10.31
Applicant: EMC Corporation Inventors: Kolman Eyal;Gruss Eyal Yehowa;Kaufman Alon;Eran Ereli
Classification: H04L29/00;H04L29/06 Main classification: H04L29/00
Agent: Ryan, Mason & Lewis, LLP Attorney: Ryan, Mason & Lewis, LLP
Main claim: 1. A method comprising steps of: obtaining at least one rule set utilized to detect malicious activity in a computer network; determining one or more trigger conditions for each of a plurality of rules of said at least one rule set; identifying alerts generated responsive to the determined trigger conditions; computing correlations between respective pairs of the plurality of rules based on the identified alerts as a function of numbers of trigger conditions for which respective first and second rules of a given one of the pairs of rules generate one or more alerts; aggregating groups of two or more of the plurality of rules into respective aggregated rules based at least in part on the computed correlations; and applying the aggregated rules in conjunction with remaining unaggregated ones of the plurality of rules of the one or more rule sets to detect malicious activity in the computer network; wherein the steps are performed by at least one processing device comprising a processor coupled to a memory.
Address: Hopkinton MA US
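The abstract and claim 1 describe a pipeline: record, per rule, the trigger conditions on which it alerted; compute a pairwise correlation from those alert counts; merge strongly correlated rules into aggregated rules; then apply the aggregated rules alongside the remaining unaggregated ones. The following is an added illustration written for this page, not code from the patent or from EMC. It assumes Jaccard overlap of the two rules' alerting trigger-condition sets as the correlation function (the claim only says the function is based on the numbers of trigger conditions on which each rule alerts), groups rules by connected components over pairs whose correlation meets a threshold, and treats an aggregated rule as firing on the union of its members' trigger conditions. The rule names, condition ids and threshold are constructed sample values.

```python
"""Correlation-based aggregation of detection rules (added example)."""
from itertools import combinations

# Constructed sample data: each rule maps to the set of trigger-condition
# identifiers (e.g. event ids) for which it generated at least one alert.
ALERTS_BY_RULE = {
    "R1": {"c1", "c2", "c3", "c4"},
    "R2": {"c1", "c2", "c3", "c5"},
    "R3": {"c9", "c10"},
    "R4": {"c9", "c10", "c11"},
    "R5": {"c20"},
}


def pair_correlation(alerts_a, alerts_b):
    """Correlation between two rules computed from the numbers of trigger
    conditions on which each alerted. Jaccard overlap is an assumed choice;
    the claim only requires a function of those counts."""
    both = len(alerts_a & alerts_b)
    either = len(alerts_a | alerts_b)
    return both / either if either else 0.0


def compute_correlations(alerts_by_rule):
    """Return {(rule_a, rule_b): correlation} for every unordered pair."""
    return {
        (a, b): pair_correlation(alerts_by_rule[a], alerts_by_rule[b])
        for a, b in combinations(sorted(alerts_by_rule), 2)
    }


def aggregate_rules(alerts_by_rule, threshold):
    """Group rules whose pairwise correlation meets the threshold.

    Rules are nodes and sufficiently correlated pairs are edges; each
    connected component of two or more rules becomes one aggregated rule.
    Returns (aggregated_groups, unaggregated_rules)."""
    parent = {rule: rule for rule in alerts_by_rule}

    def find(rule):  # union-find root lookup with path halving
        while parent[rule] != rule:
            parent[rule] = parent[parent[rule]]
            rule = parent[rule]
        return rule

    for (a, b), corr in compute_correlations(alerts_by_rule).items():
        if corr >= threshold:
            parent[find(a)] = find(b)

    components = {}
    for rule in alerts_by_rule:
        components.setdefault(find(rule), set()).add(rule)

    aggregated = sorted(
        (frozenset(c) for c in components.values() if len(c) > 1),
        key=lambda group: sorted(group),
    )
    unaggregated = sorted(
        next(iter(c)) for c in components.values() if len(c) == 1
    )
    return aggregated, unaggregated


def build_rule_table(alerts_by_rule, threshold):
    """Combine aggregated rules with the remaining unaggregated ones into one
    table of rule name -> trigger conditions. An aggregated rule is assumed
    to fire on the union of its members' trigger conditions."""
    aggregated, unaggregated = aggregate_rules(alerts_by_rule, threshold)
    table = {}
    for group in aggregated:
        name = "AGG(" + "+".join(sorted(group)) + ")"
        table[name] = set().union(*(alerts_by_rule[r] for r in group))
    for rule in unaggregated:
        table[rule] = set(alerts_by_rule[rule])
    return table


def alerts_for_condition(rule_table, condition):
    """Names of (aggregated or unaggregated) rules that fire on a condition,
    i.e. the alerts an analyst would see after aggregation."""
    return sorted(name for name, conds in rule_table.items() if condition in conds)


if __name__ == "__main__":
    table = build_rule_table(ALERTS_BY_RULE, threshold=0.5)
    for name, conds in table.items():
        print(name, sorted(conds))
    print("c1 ->", alerts_for_condition(table, "c1"))
```

With the sample data, R1/R2 and R3/R4 overlap heavily, so at a 0.5 threshold the five rules collapse to two aggregated rules plus R5; a condition such as c1 then produces one alert, AGG(R1+R2), instead of two near-duplicate ones. The threshold trades alert volume against the risk of merging rules that only coincidentally co-fire, so it is worth checking the resulting groups against the correlation values before deploying them.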