(11)EP 3 779 807 A1

(12)EUROPEAN PATENT APPLICATION

(43)Date of publication:
17.02.2021 Bulletin 2021/07

(21)Application number: 19191478.7

(22)Date of filing:  13.08.2019
(51)Int. Cl.: 
G06N 5/02  (2006.01)
(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States:
BA ME
Designated Validation States:
KH MA MD TN

(71)Applicant: Rohde & Schwarz GmbH & Co. KG
81671 München (DE)

(72)Inventor:
  • Finsterbusch, Michael
    81671 München (DE)

(74)Representative: Prinz & Partner mbB
Patent- und Rechtsanwälte
Rundfunkplatz 2
80335 München (DE)

  


(54)ADAPTIVE RULE EVALUATION SYSTEM AS WELL AS METHOD FOR AUTOMATICALLY ADAPTING A RULE EVALUATION


(57) An adaptive rule evaluation system comprises an input (12) for receiving time variant input data, a rule match processing module (14), an evaluation processing module (16), and an adjustment processing module (18). The rule match processing module (14) is configured to process the time variant input data by means of applying at least one rule on the time variant input data. The at least one rule comprises at least one criterion assigned to a characteristic of the time variant input data. The characteristic is time variant. The evaluation processing module (16) is configured to profile the rule processing. The adjustment processing module (18) is configured to determine an adjusted rule processing. Further, a method for automatically adapting a rule evaluation with respect to time variant input data is described.




Description


[0001] The invention relates to an adaptive rule evaluation system. Further, the invention relates to a method for automatically adapting a rule evaluation with respect to time variant input data.

[0002] In the state of the art, rule evaluation systems are known that apply at least one (matching) rule on input data in order to identify whether or not a certain criterion is met by the input data, particularly by a characteristic of the input data, resulting in a match of the respective rule. Typically, a rule is assigned to several criteria that are taken into account in order to identify whether or not the input data matches the respective rule or vice versa.

[0003] Furthermore, the rule evaluation system may apply different rules on the input data in order to identify if at least a certain rule of the several rules matches, particularly if all rules match. As each of the several rules is applied in a certain order and each rule comprises at least one criterion, the respective criteria assigned to the several rules are also applied on the input data in a certain order. Put differently, a certain criterion is checked first, another criterion is checked afterwards and so on.

[0004] The respective order in which the criteria or rather the rules are evaluated is fixed, which results in a varying performance of the rule evaluation system in case of time variant input data having changing characteristics assigned to the criteria of the rules applied.

[0005] Accordingly, there is a need for a rule evaluation system as well as a method having improved performance properties while evaluating time variant input data.

[0006] The invention provides an adaptive rule evaluation system that comprises an input for receiving time variant input data, a rule match processing module, an evaluation processing module as well as an adjustment processing module. The rule match processing module is configured to process the time variant input data by means of applying at least one rule on the time variant input data. The at least one rule comprises at least one criterion assigned to a characteristic of the time variant input data. The characteristic is time variant. The evaluation processing module is configured to profile the rule processing. The adjustment processing module is configured to determine an adjusted rule processing.

[0007] Further, the invention provides a method for automatically adapting a rule evaluation with respect to time variant input data. The method comprises the steps:
  • receiving time variant input data;
  • processing the time variant input data by means of applying at least one rule on the time variant input data, wherein the at least one rule comprises at least one criterion assigned to a characteristic of the time variant input data, wherein the characteristic is time variant;
  • profiling the rule processing; and
  • determining an adjusted rule processing.


[0008] The invention is based on the finding that time variant input data can be processed in an improved manner while adjusting the rule processing with respect to the time variant input data, particularly the time variant characteristic(s) of the input data. This adjustment or rather adaption of the rule processing might relate to the order in which criteria of the rule(s) are evaluated, as the respective order is not fixed, but flexible, namely adaptable. Depending on the profiling of the rule processing, the information might be obtained that it would be better for the overall performance of the rule evaluation to evaluate a certain criterion firstly and another one lastly. Put differently, the profiling of the rule processing might reveal that the order of the criteria and/or the rule(s) applied shall be varied or rather adapted in order to improve the performance of the rule evaluation.

[0009] Generally, more than one rule, namely several rules, may be applied on the time variant input data.

[0010] Furthermore, a single rule may comprise more than one criterion, namely several criteria.

[0011] Accordingly, several criteria may be applied on the time variant input data. The several criteria may be assigned to a single rule or to more than one rule, namely several rules.

[0012] Further, more than one characteristic of the input data, namely several characteristics, may be checked by the rule evaluation, particularly the method and/or the rule evaluation system.

[0013] Hence, the rule processing corresponds to applying the at least one criterion, particularly the several criteria, on the time variant input data in order to evaluate whether or not the at least one criterion, particularly the several criteria, are matched by the time variant input data, namely its characteristic(s) being time variant.

[0014] As mentioned above, the rule processing, namely the order in which the criteria are evaluated, is profiled and evaluated by means of the evaluation processing module in order to identify an optimization potential of the rule processing. After the profiling, namely the evaluation of the current rule processing, it is possible to adapt the rule processing with respect to the characteristic(s) of the input data, which change(s) over time, namely the time variant input data. Thus, the adjusted rule processing, also called adapted rule processing, might be obtained.

[0015] In fact, the rule processing is done by means of the rule match processing module when the at least one rule is applied on the time variant input data. Thus, the rule processing inter alia relates to the order of the criteria or rather rule(s) applied. Put differently, the rule processing inter alia relates to the order of the criteria being checked with respect to a matching.

[0016] Thus, the order of the criteria is determined by means of the evaluation processing module and, further, the order of the criteria determined may also be evaluated by means of the evaluation processing module in order to identify the optimization potential of the rule processing.

[0017] Accordingly, it is possible to identify an optimal order of the criteria used for evaluation of the time variant input data, as the optimal order depends on the time variant input data, the at least one rule applied and/or its at least one criterion. Put differently, the adaptive rule evaluation system takes all information available into account, namely the time variant input data, particularly its characteristic(s), the at least one rule applied on the time variant input data as well as its at least one criterion. While doing so, the adaptive rule evaluation system is enabled to adapt the rule processing, namely the order of rules and/or criteria applied on the time variant input data, in order to improve the overall performance of the rule evaluation system.

[0018] The rule evaluation system is adaptive, as the order of criteria applied is not fixed, but can be adapted automatically by the rule evaluation system in an adaptive manner.

[0019] An aspect provides that the adjustment processing module is configured to forward the adjusted rule processing to the rule match processing module in order to be applied on the time variant input data. Thus, the adjusted rule processing is applied on the time variant input data. Hence, the adjusted rule processing previously determined by means of the adjustment processing module is used by the rule match processing module in order to evaluate the time variant input data with respect to the adjusted rule processing, namely the adapted one.

[0020] For instance, the adjusted rule processing relates to an optimized rule processing. The rule processing is optimized with respect to its performance, as certain criteria may be evaluated firstly in order to directly identify whether or not a dedicated rule is hit by the time variant input data.

[0021] Generally, such criteria are evaluated at the beginning of the rule processing that can reduce the number of criteria to be checked next in order to reduce the overall efforts. This, however, inter alia depends on the time variant input data itself, particularly its characteristic(s).

[0022] According to another aspect, the rule match processing module is configured to identify a rule hit when all criteria of the at least one rule applied match. Hence, a rule hit is identified when all criteria of the at least one rule applied match. Thus, a single rule may comprise several criteria, which are applied on the time variant input data, wherein a matching rule or rather a rule hit is only identified in case of all criteria matching the input data or vice versa. As mentioned above, each single rule may comprise only one criterion, resulting in several criteria assigned to several (different) rules.

[0023] Put differently, the rule processing may be assigned to several criteria applied that, however, may be assigned to a single rule or rather several (different) rules, namely at least one rule.

[0024] Particularly, the evaluation processing module is configured to profile the rule processing after identifying a rule hit. Thus, the rule processing is profiled after a rule hit was identified. Accordingly, the rule processing is only determined and evaluated in case of an existing rule hit identified previously.

[0025] Further, the evaluation processing module may be configured to profile the rule processing continuously. Hence, the rule processing is profiled continuously. Thus, a continuous evaluation of the rule processing, particularly its impact on the rule processing, is ensured, resulting in an improved performance of the rule evaluation system.

[0026] In addition, the adjustment processing module may be configured to determine the adjusted rule processing at least one of continuously, on demand and at runtime. Hence, the adjusted rule processing is determined at least one of continuously, on demand and at runtime. Put differently, the adjusted rule processing is determined continuously, on demand and/or at runtime. A user of the rule evaluation system may select whether the adjusted rule processing is determined continuously or on demand.

[0027] Hence, the output of the evaluation processing module is always forwarded to the adjustment processing module. However, the adjustment processing module may selectively, for instance on demand, determine the adjusted rule processing based on the data received from the evaluation processing module, namely its output.

[0028] According to an aspect, the evaluation processing module is connected to the rule match processing module. Alternatively or additionally, the adjustment processing module is connected to the evaluation processing module. Alternatively or additionally, the adjustment processing module is connected to the rule match processing module. Thus, the different modules may be separately formed and interconnected with each other (via data lines) in order to exchange the respective data gathered and obtained by means of processing the gathered data.

[0029] According to another aspect, the rule match processing module, the evaluation processing module and the adjustment processing module are established by a single module. Thus, all modules of the adaptive rule evaluation system are established by a single module, namely a common module. Thus, the respective output data of the rule match processing module, the evaluation processing module and/or the adjustment processing module is exchanged internally.

[0030] Further, the rule match processing module, the evaluation processing module and/or the adjustment processing module are established on a common chip. Accordingly, the entire adaptive rule evaluation system may be established on a common chip, as the respective modules of the rule evaluation system are established on the common chip. Thus, a cost-efficient arrangement of the rule evaluation system is provided.

[0031] In general, the method for automatically adapting the rule evaluation with respect to time variant input data may be performed by the adaptive rule evaluation system.

[0032] Moreover, the method for automatically adapting the rule evaluation with respect to time variant input data may use the adaptive rule evaluation system described above.

[0033] Further characteristics and advantages of the claimed subject matter will be apparent from the following description as well as the accompanying drawings, to which reference is made. In the drawings:
  • Figure 1 schematically shows an adaptive rule evaluation system according to the invention, and
  • Figure 2 shows a flow-chart of a method for automatically adapting a rule evaluation with respect to time variant input data according to the invention.


[0034] The detailed description set forth below in connection with the appended drawings, where like numerals reference like elements, is intended as a description of various embodiments of the disclosed subject matter and is not intended to represent the only embodiments. Each embodiment described in this disclosure is provided merely as an example or illustration and should not be construed as preferred or advantageous over other embodiments. The illustrative examples provided herein are not intended to be exhaustive or to limit the claimed subject matter to the precise forms disclosed.

[0035] In Figure 1, an adaptive rule evaluation system 10 is shown that comprises an input 12 for receiving time variant input data, for instance data streams.

[0036] The rule evaluation system 10 further comprises a rule match processing module 14 that is assigned to the input 12. Further, the rule evaluation system 10 comprises an evaluation processing module 16 that is connected with the rule match processing module 14. The evaluation processing module 16 is further connected to an adjustment processing module 18, which in turn is connected with the rule match processing module 14.

[0037] In fact, data is exchanged between the modules 14 to 18 in series, which means that the evaluation processing module 16 gathers data from the rule match processing module 14, wherein the evaluation processing module 16 processes the respective data gathered and forwards output data to the adjustment processing module 18, which in turn processes the data gathered from the evaluation processing module 16 in order to forward output data towards the rule match processing module 14.

[0038] As also shown in Figure 1, the adaptive rule evaluation system 10 further comprises a rule input 20 via which defined rules are provided for the rule match processing module 14. Accordingly, the rule match processing module 14 is assigned to the rule input 20.

[0039] The rule input 20 may be assigned to a data storage 22 in which defined rules as well as criteria of the respective rules are stored. The rule match processing module 14 may access the storage 22. Alternatively, the defined rules are forwarded to the rule match processing module 14 automatically.

[0040] The respective rules may also be stored within the rule match processing module 14 itself.

[0041] In the shown embodiment, the different modules 14 to 18 are established by separate modules, as the respective modules 14 to 18 are interconnected with each other, for instance via respective data lines.

[0042] However, the modules 14 to 18 may also be established by a single module.

[0043] Irrespective thereof, the respective modules 14 to 18 may be established on a common chip 24, as shown in Figure 1. In fact, the entire adaptive rule evaluation system 10 may be established on the common chip 24.

[0044] The adaptive rule evaluation system 10 is generally configured to automatically adapt a rule evaluation with respect to time variant input data as will be described hereinafter with reference to Figure 2.

[0045] In a first step S1, time variant input data is received via the input 12, which is forwarded to the rule match processing module 14.

[0046] In a second step S2, the rule match processing module 14 processes the time variant input data by means of applying at least one rule on the time variant input data. The at least one rule applied on the time variant input data may relate to one of the defined rules that the rule match processing module 14 receives from the storage 22 via the rule input 20. As mentioned above, the respective rule(s) may also be stored within the rule match processing module 14 itself.

[0047] Generally, the at least one rule comprises at least one criterion that is assigned to a characteristic of the time variant input data, which is time variant. Put differently, the characteristic(s) of the time variant input data are evaluated by the respective rule applied, particularly the criteria assigned thereto, in order to identify a rule hit or rather a matching criterion.

[0048] In a third step S3, the rule processing done by means of the rule match processing module 14 is profiled by means of the evaluation processing module 16. The rule processing relates to applying the at least one rule on the time variant input data, particularly the several criteria assigned to the at least one rule.

[0049] The profiling relates to a measuring and evaluation of the rule(s) and/or criteria that are applied on the time variant input data. In fact, the evaluation processing module 16 identifies/determines the order of the criteria applied on the time variant input data. This order identified/determined is further evaluated in order to verify whether or not an optimization potential is present with respect to the overall performance of the rule evaluation system 10.

[0050] In a fourth step S4, an adjusted rule processing is determined by the adjustment processing module 18 that receives the profile data (output data) of the evaluation processing module 16.

[0051] The adjusted rule processing determined by the adjustment processing module 18 relates to an optimized rule processing. This means that an optimized order of the criteria applied on the time variant input data is determined in order to improve the performance of the rule evaluation system 10.

[0052] In a fifth step S5, the adjusted rule processing is forwarded to the rule match processing module 14 by means of the adjustment processing module 18. Hence, the rule match processing module 14 receives the adjusted rule processing, namely the optimized one.

[0053] In a sixth step S6, the rule match processing module 14 applies the adjusted rule processing on the time variant input data in order to improve the performance of the rule evaluation system 10. Put differently, the order of the criteria applied on the time variant input data is changed due to the adjusted rule processing or rather adapted rule processing.

[0054] In fact, the rule processing does not correspond to a fixed order of the criteria applied, as the order is adjusted by the rule evaluation system 10 in an adaptive manner, which inter alia depends on the input data itself, particularly its characteristic(s). Hence, the rule evaluation system 10 is an adaptive one.

[0055] Besides the input data itself, the adaption may depend on the rule(s) and/or criteria applied.

[0056] In general, the rule match processing module 14 identifies a rule hit when all criteria of the at least one rule applied match with the input data or rather vice versa. This means that a rule hit or rather a rule match takes place in case all criteria assigned to the at least one rule applied are fulfilled by the characteristics of the time variant input data.

[0057] According to a certain embodiment, the evaluation processing module 16 may only profile the rule processing after a rule hit has been identified previously by the rule match processing module 14. This ensures that the rule processing is only adapted or rather optimized in case of a rule hit.

[0058] Generally, the rule processing may be profiled continuously by the evaluation processing module 16 so that continuous determination and evaluation of the order of the criteria applied is ensured.

[0059] Further, the adjustment processing module 18 may receive the output data of the evaluation processing module 16, namely the evaluation data, continuously so as to determine the adjusted rule processing in a continuous manner. However, the adjustment processing module 18 may also determine the adjusted rule processing only on demand and/or at runtime.

[0060] For instance, defined rules may relate to finding malicious network traffic sent to databases. A certain rule may check the IP addresses, TCP ports and patterns in content. The IP addresses, TCP ports and patterns correspond to the characteristics of the input data, wherein the input data relates to the traffic data.

[0061] The criteria assigned to the IP addresses and TCP ports will always match for any kind of database traffic, but not for other traffic such as HTTP, mails and so on.

[0062] Accordingly, if the rule is only used to observe a subnet with the databases, the criteria assigned to the IP addresses and TCP ports will always match and, thus, a lot of checks are done that are superfluous. Therefore, the overall performance could be improved by first checking the criterion assigned to the pattern such that it is verified at the beginning whether or not the data traffic shows a certain pattern. If this check is positive, the other criteria might be checked.

[0063] This ensures that the relevant criterion is checked at the beginning in order to avoid checking all criteria in case that the decisive one is the last one to be checked with respect to the specific input data and/or the rule applied on the specific input data.

[0064] However, if the rule mentioned above is not used to only observe a subnet with the databases, but the entire network, it makes sense to adapt the rule processing, namely the order of the criteria applied, in order to improve the overall performance.

[0065] Thus, the same rule may be used in different ways, as the rule processing is adapted by means of the adaptive rule evaluation system 10.
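The database-traffic example of paragraphs [0060] to [0065], as an added Python sketch that is not part of the application: one rule with three criteria is profiled while it runs, and its criteria are reordered first for a database-only subnet and then for the entire network. The application does not state how the adjusted order is computed; the cost-per-rejection ranking, the relative costs, the subnet 10.0.5.0/24, port 5432, the content pattern and the traffic are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from math import inf
from typing import Callable

# Assumed values, not from the application: subnet, port, pattern, relative costs.
DB_NET = ip_network("10.0.5.0/24")
DB_PORT = 5432
SIGNATURE = re.compile(rb"(?i)union\s+select")

@dataclass
class Criterion:
    name: str
    check: Callable[[dict], bool]
    cost: float          # assumed relative cost of one evaluation
    evaluated: int = 0   # profile counters, reset after each adjustment
    rejected: int = 0

class AdaptiveRule:
    """A rule hit requires all criteria to match; only their order is adapted."""

    def __init__(self, criteria):
        self.criteria = list(criteria)

    def order(self):
        return [c.name for c in self.criteria]

    def match(self, packet):
        """Rule match processing with inline profiling; returns (hit, work)."""
        work = 0.0
        for c in self.criteria:
            c.evaluated += 1
            work += c.cost
            if not c.check(packet):
                c.rejected += 1
                return False, work   # short-circuit: remaining criteria skipped
        return True, work

    def adjust(self):
        """Adjusted rule processing (assumed heuristic): lowest cost per rejection first."""
        def rank(c):
            rate = c.rejected / c.evaluated if c.evaluated else 0.0
            return c.cost / rate if rate else inf   # never rejects: check last
        self.criteria.sort(key=rank)                # stable sort keeps ties in place
        for c in self.criteria:
            c.evaluated = c.rejected = 0

def run(rule, packets):
    """Apply the rule to a batch; returns (rule hits, total work in cost units)."""
    hits, work = 0, 0.0
    for p in packets:
        hit, w = rule.match(p)
        hits += hit
        work += w
    return hits, work

def pkt(dst, port, payload):
    return {"dst": dst, "port": port, "payload": payload}

# Constructed traffic: a database-only subnet, then the entire network.
BENIGN_SQL = b"SELECT name FROM users WHERE id = 7"
SUSPECT = b"id=7 UNION SELECT password FROM users"
SUBNET = [pkt("10.0.5.20", 5432, BENIGN_SQL)] * 98 + [pkt("10.0.5.20", 5432, SUSPECT)] * 2
NETWORK = ([pkt("192.168.1.10", 80, b"GET /index.html")] * 80
           + [pkt("192.168.1.10", 80, SUSPECT)] * 10
           + [pkt("10.0.5.20", 5432, BENIGN_SQL)] * 8
           + [pkt("10.0.5.20", 5432, SUSPECT)] * 2)

def demo():
    rule = AdaptiveRule([
        Criterion("dst_ip", lambda p: ip_address(p["dst"]) in DB_NET, 1.0),
        Criterion("dst_port", lambda p: p["port"] == DB_PORT, 1.0),
        Criterion("pattern", lambda p: SIGNATURE.search(p["payload"]) is not None, 20.0),
    ])
    out = {"subnet_fixed": run(rule, SUBNET)}      # fixed order: IP, port, pattern
    rule.adjust()
    out["subnet_order"] = rule.order()
    out["subnet_adapted"] = run(rule, SUBNET)
    rule.adjust()                                  # order stays; counters reset
    out["network_stale"] = run(rule, NETWORK)      # subnet-tuned order, new traffic
    rule.adjust()
    out["network_order"] = rule.order()
    out["network_adapted"] = run(rule, NETWORK)
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because evaluation short-circuits, each criterion's counters only cover packets that passed the criteria ahead of it, so the rejection rates are conditional on the current order.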

[0066] This is only one example, as the input data to be evaluated may also relate to e-mail content or any other kind of data such that the respective characteristics to be checked by applying certain criteria may be different. In fact, the inventive concept may be applied to different kinds of data to be processed.

[0067] In general, an improved rule evaluation system 10 is provided with regard to processing time variant input data, as the order of the criteria applied on the time variant input data is adapted with respect to the time variant input data itself, the rule(s) applied as well as the criteria assigned to the at least one rule applied.


Claims

1. An adaptive rule evaluation system (10), comprising:

- an input (12) for receiving time variant input data;

- a rule match processing module (14);

- an evaluation processing module (16); and

- an adjustment processing module (18);

wherein the rule match processing module (14) is configured to process the time variant input data by means of applying at least one rule on the time variant input data, wherein the at least one rule comprises at least one criterion assigned to a characteristic of the time variant input data, wherein the characteristic is time variant,
wherein the evaluation processing module (16) is configured to profile the rule processing, and
wherein the adjustment processing module (18) is configured to determine an adjusted rule processing.
 
2. The adaptive rule evaluation system (10) according to claim 1, characterized in that the adjustment processing module (18) is configured to forward the adjusted rule processing to the rule match processing module (14) in order to be applied on the time variant input data.
 
3. The adaptive rule evaluation system (10) according to claim 1 or 2, characterized in that the adjusted rule processing relates to an optimized rule processing.
 
4. The adaptive rule evaluation system (10) according to any of the preceding claims, characterized in that the rule match processing module (14) is configured to identify a rule hit when all criteria of the at least one rule applied match.
 
5. The adaptive rule evaluation system (10) according to claim 4, characterized in that the evaluation processing module (16) is configured to profile the rule processing after identifying a rule hit.
 
6. The adaptive rule evaluation system (10) according to any of the preceding claims, characterized in that the evaluation processing module (16) is configured to profile the rule processing continuously.
 
7. The adaptive rule evaluation system (10) according to any of the preceding claims, characterized in that the adjustment processing module (18) is configured to determine the adjusted rule processing at least one of continuously, on demand and at runtime.
 
8. The adaptive rule evaluation system (10) according to any of the preceding claims, characterized in that the evaluation processing module (16) is connected to the rule match processing module (14) and/or wherein the adjustment processing module (18) is connected to the evaluation processing module (16) and/or wherein the adjustment processing module (18) is connected to the rule match processing module (14).
 
9. The adaptive rule evaluation system (10) according to any of claims 1 to 7, characterized in that the rule match processing module (14), the evaluation processing module (16) and the adjustment processing module (18) are established by a single module.
 
10. The adaptive rule evaluation system (10) according to any of the preceding claims, characterized in that the rule match processing module (14), the evaluation processing module (16) and/or the adjustment processing module (18) are established on a common chip (24).
 
11. A method for automatically adapting a rule evaluation with respect to time variant input data, the method comprising the following steps:

- Receiving time variant input data;

- Processing the time variant input data by means of applying at least one rule on the time variant input data, wherein the at least one rule comprises at least one criterion assigned to a characteristic of the time variant input data, wherein the characteristic is time variant;

- Profiling the rule processing; and

- Determining an adjusted rule processing.


 
12. The method of claim 11, characterized in that the adjusted rule processing is applied on the time variant input data.
 
13. The method of claim 11 or 12, characterized in that a rule hit is identified when all criteria of the at least one rule applied match.
 
14. The method of claim 13, characterized in that the rule processing is profiled after a rule hit was identified.
 
15. The method of any of claims 11 to 14, characterized in that the rule processing is profiled continuously and/or wherein the adjusted rule processing is determined at least one of continuously, on demand and at runtime.
 



