[0001] This application claims priority to U.S . Provisional Pat App. Ser. No. 62 288,676 filed on January 29, 2016, incorporated herein by reference in its entirety.

BACKGROUND

Technical Field

[0002] The present invention relates to quer languages and more particularl to risky behavior query construction and execution.

Description of the Related Art

[0003] Today, it is difficult for system administrators to cope with vulnerabilities without monitoring a s understanding system behaviors. Considering the massive scale and event-driven characteristics of the monitoring data, there lacks an effective query language for users to easily and efficiently query this data for secnrity-related behaviors, Existing languages, such as Structured Query Language (SQL) and gr h query-languages, are either too verbose or not efficient for such tasks,

[0004] Currently, there is no effective tool specifically tailored to querying massive system event data for seciuity-related behaviors. The most popular general purpose querying tool, SQL, has several drawbacks. First, SQL is verbose in expressing events. For example,, if the user wants to quer the even "Whether the process ⁴ cat' opens the Hie Vetc/passwd' on a machine", SQL needs to explicitly specify three table names (i.e., file table, process table, file event table) and specify table join conditions. Second, SQL cannot handle time-windows effectively. For example, the user is not able to easily query results in a certain time period without calculating the UTC timestainps first and fill into SQL queries. Also, optimization opportunities- related to- time windows cannot be considered easily in the quer execution engine. Third, SQL Is cnmbereome to specify multi-events and their temporal relationships. For example, "Process pi open file fl, then after 10 minutes, process i open another tile f2." In addition to SQL and relational database, graph database technologies face the indexing problem arid are not scalable to large datasets.

[0005] Thus, there is a need for a query language that overcomes the aforementioned problems of the prior art.

SUMMARY

[0006] According to an aspect of the present invention, a system is provided. The system includes a Temporal Behavior Query Language (TBQL) server having a processor and a memory operably coupled to the processor. The TBQL server is configured to construct a TBQL query using a grammar inference technique based on syntactic sugar to expedite query construction. The TBQL server is farther configured to execute the TBQL query to generate TBQL query results,

[0007] According to another aspect of the present invention, a eompuier-implemented method is provided. The method includes constructing, b a Temporal Behavior Query Language (TBQL) server having a processor and a memory operably coupled to the processor, a TBQL query using a grammar inference technique based on syntactic sugar to expedite query Construction. The method further includes executing., by the TBQL server, the TBQL quer to generate TBQL quer results.

[0008] According to yet another aspect of the present invention, a system is provided. The system includes a Temporal Behavior Quer Language (TBQL) server having a processor and a memory opexably coupled to the processor. The TBQL server is configured to construct a TBQL query based on user input. The TBQL server is further configured to execute the TBL query using at least one data partitioning technique that partitions query related data based on at least one of an involved time and an involved agent.

[0009] These and other features and advantages will become apparent from the following detailed description of illustrative embodiments thereof, which is to be read in connection with the accompanying drawings:

BRIEF DESCRIPTION OF DRAWINGS

[0010] The disclosure will provide details in the following descriptio of preferred embodiments with reference to the following figures wherein:

[0011 J FIG, I shows a block diagram of ait exemplary processing system .1 0 to which the present invention ma b appl ied, in accordance with an embodiment of the present invention;

[0012] FIG. 2 shows a block diagram of an exemplary environment 200 to which the present invention can be applied, in accordance with an embodiment of the present invention; and [0013] FIG. 3 shows a high-level block/flow diagram of an exemplary system/method

300 for risky behavior query construction and execution, in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0014] The present invention is directed to risky behavior query construction and execution.

[0015] hi an embodiment, TBQL is proposed as a domain-specific language for querying risky behaviors among massive system event data. TBQL is able to query single-events (e.g., reading of an item (e.g., a password, etc.), process listening on port 80, user history probing, etc.), multi-events (i.e-, _s a combination of multiple single-events with event relationship constraints), subqueries (results of multi-event query are used as attribute constraints of another multi-event query), and causal dependencies (mlbmtation flow of system events, e.g., process p i writes to f le f 1, and then process p2 reads from the file fl). Moreover, TBQL has lots of built-in syntactic sugar to make the typing even simpler.

[0016] TBQL adopts the syntax format of {subject-operation-object} to specify event patterns, where system entities are represented as -Subjects and objects, and interactions- among system entities are represented as operations initiated by subjects and targeted on objects. An example event pattern expressed using TBQL is Ql : (proc pi write file fl }. This syntax is quite user-friendly, since it is inspired by the subject-verb-object (SVO) sentence structure, which is the most commonly used sentence structure in terms of the number of speakers. To ease the task of specifying relationships among events, TBQL provides a syntax to directly support the following two major types of relationships: attribute relationship; and temporal relationship. An attribute relationship allows users to use an event's attributes to constrain the search of another event. For example, in the .query Ql. the user may further specify (with i .exe name - 'Hchrome.exe'}., which means th process pi should have a name ending with, "ehrome.exe", which is the name of the Google® Chrome browser. The temporal relationship allows users to me an event's temporal information to constrain the search of anotiier event. For example, in the query Q2: {proc pi write file fl as evtl proc p2 read file fl as evt2), the user may specify {with evi l before evt2} _> which means the event where the process pi writes to the file fl should occur before the event where the process p2 reads from the file fl .

[0017] To allow users to easily reconstruct causal dependencies between historical events, TBQL provides a path syntax that expresses event paths in the temporal graph of system monitoring data. For example, the query Q3 : { backward: file .fl [" ehronie,exe"] <- [write] proc pi -> execute] file 12} will first search for the events matched by the first event pattern { file fl "%chrome.exe"] <- [write] proc pi } and the search backward in time for the events matched by the second event pattern { proc i ~>[e eciite] file 12}. In the query, the direction of each arrow points from the subject to the object of the event pattern, and the keyword backward indicates the events found by the second event pattern should occur before the events found by the fi st event pattern. The keyword forward can be used to track dependencies between events forward in time. To track dependencies of events across hosts, the operation {->[co.nnect]} should be used. For example, the query (proc pl['%apache% ^, ₎ agentid ~ 1] ->[eoaneet] proc p2[agentici=2]} searches for the network events where the process apache at the host with id I sends data to the process p2 at the host with id 2. The temporal order of the events -at the same host is enforced strictly based on the sequence number assigned by the deployed agents _* while the temporal order of the events at different hosts is adjusted based on th network events matched between the hosts,

[0018] FIG. 1 shows a block diagram of an exemplary processing system 100 to which the invention principles may be applied., in accordance with an embodiment of the present invention. The processing system 100 includes at least one processor (CPU) 104 operatively coupled to other components via a system bus 102. A cache 106, a Read Only Memory (ROM) 108, a Random Access Memory (RAM) 1 10, an input/output (I/O) adapter 120, a sound adapter 130, a network adapter 1 0, a user interlace adapter 150, and a displa adapter 160, are operatively coupled to the system bus 102,

[0019] A first storage device 122 and a second storage device 124 are operatively coupled to system bus 102 by the I/ adapter 120. The storage devices 122 and 124 can be any of a disk storage device (e.g., a magnetic or optical disk storage device), solid state magnetic device, and so forth. The storage devices 322 and 124 cat* be the same type of storage device or different types of storage devices.

[0020] A speaker 132 is operatively coupled to system bus 102 by the sound adapter 330. A transceiver 142 is operatively coupled to system bus 102 by network adapter 140.

A display device 162 is operatively coupled to system bus 102 by display adapter 160.

[002 ] A first user input, device 152. a second user input device 154, and a third user input device 156 are operatively coupled to system bus 102 by user interface adapter 1 0, The user input devices 152, 154, and 156 can be any of a keyboard, a mouse, a keypad, an image capture device, a motion sensing device, a microphone, a device incorporating the functionality of at least two of the preceding devices, and. so forth..: Of course, other types of input devices can also be used, while ^■ maintaining the spirit of the present invention. The user input devices 152, 154 _» and 156 can be the same .type of user input device or different types of user input devices. The user input devices 152, 154, and 156 are used to input and output information to and from system 100,

[0022] Of course, the processing .system 100 may also include other elements (hot shown), as readily contemplated by on of skill in the art, as well as omit certain elemen ts . For example, various other input devices and/or output devices can be included in processing system 100, depending upon the particular implementation of the same, as readily understood by one of ordinary skill in tire art. For example, various types of wireless and/or wired input and/or output, devices can be used. Moreover; additional processors, controllers, memories, and so forth, in various configurations can also be utilized as readily appreciated by one of ordinary skill in the. art. These and other variations of the processing system 100 are readily contemplated by one of ordinary skill in the art given the teachings of the present invention provided herein.

[0023] Moreover, it is to be appreciated that environment 200 described below with respect to FIG. 2 is an environment for implementing respective embodiments of the present invention, part, or all of processing system 100 may be implemented in one o more of the elements of environment 200.

[0024] Further, it is to be appreciated thai processing system 1 0 may perform at least part of the method described herein including, for example, at least part, of method 300 of FIG, 3. Similarly, part or all of system 200 may be used to perform at least part of method 300 of FIG. 3. [0025] FIG. 2 shows a block diagram of an exemplary environment 200 to which the present invention cm be applied, in accordance with an embodiment of the present invention.

[0026] The■environment 200 includes a user 201 , a TBQL query ser er 202» ami a set of monitored systems 203.

[0027] Communication between, the user 201, the TBQL query server 202, and the set of monitored systems 203 can occur over one or more networks. For the sake of illustration, communications between the user 201 and the TBQL server 202 occur ove a set of networks 281 , and communications between the TBQL server 202 and the set of monitored systems 203 occur over a set of networks 282, It is to be appreciated that the sets of networks 281 and 282 can include and/or involve any type of network(s) as readily appreeiated by one of ordinary skill in the art given the teachings of the present invention provided herein, wh ile maintaining the spirit of the present i nvention .

[0028] The TBQL server 202 is configured to construct or assisting in constructing TBQL queries based on input, from the user 201. For example, as the user types in order to form a TBQL query, the TBQL server 202 can complete some of the typing started by the user, and/or providing likely suggestions for the next letter or words or related concepts and/or providing- likely -suggestions for the queries themselves that th user can select for execution with respect to a particular behavtor(s) of interest. For example, in an embodiment, the TBQL server 202 ca suggest a set of TBQL queries responsive to one or more user inputs "hinting" at the parameters/objects of interest to the user 201 related to behaviors such as risky behaviors occurring in the set of monitored systems 203. Thus, as used herein with respect to quer construction b the TBQL server 202, the ter "construct ^* ' can refer to the TBQL server 202 assisting the user 201 in constructing a BQL query or can refer to ^' the TBQL server 2Q2 and the user 201 cooperatively constructing the TBQL query ,

[002 ] in an enibodioie , in suggesting TBQL queries to the user 201 , the TBQL server 202 ca use probability-based techniques to determine a set of likely (probable) TBQL que ies of interest to the user. In an embodiment, in suggesting TBQL queries to the user 201 , the TBQL server 202 can use history information, such as history information relating to prior queries, and/or prior risers, and/or so forth . These and other basis for suggesting TBQL queries are readily contemplated by one of ordinary skill in the art, give the teachings of the present invention provided herein, while maintaining the spirit of the present invention,

[0030] in an. embodiment, the number of TBQL queries suggested to the user can be constrained to a particular number based on user input,

[0031] The TBQL queries can be and/or otherwise involve multi-event queries, single event queries, path queries, and so forth.

[0032 J In an embodiment, the TBQL server 202 can use grammar inference to make it easier for the user to type in TBQL queries, in an embodiment, the TBQL server 202 can use syntactic suga to make it easier for the user to type in TBQL queries, in an embodiment, the grammar- inference can use the syntactic sugar.

[0033] in an embodiment, the TBQL server 202 can employ performance optimisations. The performance optimizations can include, but are not limited to, data partitioning and parallel execution. In an embodiment, the data partitioning and parallel execution can be implemented with respect to a temporal system events domain, that efficiently executes the query and produces query results.

[0034] Regarding data partitioning, the same can in volve partitioning query related data (e.g.,, query execution related data) by time arid/or by agent.

[0035] For example, regarding partitioning by time, the query can be partitioned by involved times relating to data dependency, such as when a part of a query most be completed before another part of the query, and so forth. As a further example regarding partitioning by time, parts of a query relating to different (nmlti) temporal events can be partitioned based on the timing of the respective occurrences of the temporal events. These and other time partitioning basis are readi ly determined by one of ordinary skill in the a given the teachings of the present invention provided herein, while maintaining the spirit of the present invention.

[0036] Regarding partitioning by agent, the same can involve, for example, partitioning based which agent from a set of possible agents collected and/or monitored and or sent information relating to a query, and/or so forth.

[0037] Regarding parallel execution, in one example relating to the same, separate portions of a query (e.g., related to separate events, separate databases to be accessed, and so forth) can be executed in parallel, depending upon the data dependencies implicated by the query.

[0038] The set of monitored systems 203 can include any type o system for which ^• monitoring is desired, in an embodiment, the systems 203 in the set are monitored for risky behaviors. As is evident to one of ordinary skill in the art, the parameters being monitored depend upon the particular implementation including, for example, but not limited to, the types of systems being monitored, the type of data being monitored, and so forth. The TBQL queries can include m l -event or single-event queries directed to such monitored systems 203 including, for example, risky behaviors relating to such monitored systems.

[0039] in an embodiment, the TBQL queries are directed to security-related- behaviors. The security-related behaviors can, in turn, relate to, for example, but are not limited to, processes, files, sockets, and so forth. Moreover, the security related behaviors can, in torn, relate to, actions performed with respect to certain entities of the set of monitored, systems 203. Thus, for example, the TBQL queries can relate to actions such as, for example, bat not limited to, open, close, read, write, and so forth. The preceding types of behaviors and examples thereof axe merely illustrative. As readily appreciated by on of ordinary skill in the art, the present invention can be configured to monitor any type of behavior and any related action.

[0040] In an embodiment, the monitored beha viors can be in the form of traces of how system entities (e.g., processes, files, and sockets) interact with each other at the operating system level. In a embodiment, the monitoring data can be a series of system events, with the subject and object being system entities and operation being the type of action (e.g., open, close, read, write) that the subject performs on the object. In an embodiment, the monitoring data is essentially a heterogeneous temporal graph with nodes being system entities and edges being their interactions with timestamps.

[0041 ] FIG. 3 shows a high-level block/flow diagram of an exemplary system/method 300 for risky behavior query eonstructioo and execution, in accordance with an embodiment of the present invention. The system 300 caa be considered as a querying system". [0042] ί» block 302, provide a TBQL server. Blocks 31 1 aid 312 are directly subordinate to block 302 in. the implied hierarchy 399 of operations depicted in FIG. 3, [0043] la block 3 1 1, perform a TBQL quer construction. The TBQL query can be cominicteci to be directed to risky behaviors. For example, risky behaviors to which the TBQL query can. be directed include, but are not limited to: not employing, certain security measures or protocols (e.g., operating without a validated and/or otherwise unknown certificate), and so forth. Blocks 321, 322, and 323 are directly subordinate to block 31 1 in the hierarchy 399.

[0044] In block 321 , perform a multi-event query. Block 341 is directly subordinate to block 321 in the hierarchy 399.

[0045] In block 322, perform a path query.

[0046] in block 323, perform a grammar inference.

[0047] In block 341 , perform a sing! e-eveat query .

[0048] In block 312, perform a TBQL query execution. Block 331 is directly subordinate to block 312 in the hierarchy 399,

[0049] In block 331 , perform an optimization. Blocks 351 and 352 are directly subordinate to block 331 in tire hierarchy 399,

[0050] in block 351, perform a data partition operation. Blocks 3.61 and 362 are directl subordinate to block 351 in the hierarchy 399.

[0051 ] in block 352, perform a parallel execution,

[0052] In block 361 , perform the data partition operation by time.

[0053] In block 362, perform the data partition operation by agent. [0054] ί» describing the relationships between the blocks in the hierarchy 399 of FIG, 3, the term "directly subordinate" refers to one or more blocks that have operations that are part of the block to which it is directly subordinate to. Thus, for example, blocks 361 and 362, related to partitioning by time and by agent, respectively, are two exemplary ways in which the data partition operation 351 (that blocks 361 and 362 are directly subordinate to) can be performed.

[0055] The querying system 300 includes and/or otherwise involves TBQL query construction 311 and TBQL query execution 312. The querying system 300 supports multi-event queries 321 (including single-event such as 'cai/etc/passwd') as well as path queries 322 (e.g., process p2 start process pi then open fife: fl). A multi-event, query can be used, as a subquery within another multi-event query. In TBQL query execution 312; an -efficient and intelligent query pl ner/executor is provided that optimizes the execution based on a user's .input The grammar inference 331 is used in conjunction with syntax sugars to make the query typing concise and efficient. The dat partition 351 and parallel execution 352 are specifically designed for the temporal, system events domain that efficiently executes the query and produces results.

[0056] A description will now be given regarding competitive and/or commercial advantages provided by the present invention. For example, no previous competitive solution is specialized for querying risky behaviors among massive system event data. Compared to general quer languages like SQL and Cypher, TBQL has several competitive properties including but not limited to: (1) concise; (2) expressive; (3) intuitive; and (4) efficient. Regarding the property of being concise, TBQL requires users to do less typing to query complex behaviors. Regarding the property of being expressive, TBQL is owerful for specifying security-relate behaviors, including single-event, multi-events, and abnormal events, Regarding the property of being inmitive, TBQL describes events directly in the form of subject operation-object and is straightforward- to write. Regarding the property of being efficient, TBQL is a domain-specific language- tailored to system events directly and equipped with an optimized quer execution engine that is scalable to massive data.

[0057] Embodiments described herein may be entirely hardware, entirely software or including both hardware and software elements. In a preferred embodiment, tie present invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, etc,

[0O58J Embodiments may include a computer program product accessible from a computer-usable or computer-readable medium providing program code for use- by or in connection with a computer or any instruction execution system. A computer-usable or computer readable medium may include any apparatus that stores, communicates, propagates, or transports the program for use by or in connection with the instruction execution system, apparatus, or device. The medium can be magnetic, optical, electronic, electromagnetic, infrared, or semiconductor system (or apparatus o device) or a propagation medium. The medium may include a computer-readable storage medium such as a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk, etc,

[0059] Each computer program may be tangibly stored in a machine-readable storage media or device (e.g., program memory or magnetic disk) readable by a general or special purpose programmable computer, for configuring and control ling operation of a computer when the. storage media or device is read by the computer to perform the procedures described herein. The inventive system may also be considered to be embodied in a computer-readable storage medium^ configured with a computer program, where the storage -medium so configured causes a computer to operate in a specific and predefmed maimer to perform the functions described herein.

[0060] A data processing system suitable for storing and/or executing program code may include at least one processor coupled directly or indirectly to memory elements through a system bus. The memory elements can include local memory employed during actual .execution of the program code, bulk storage, and cache memories which provide temporary Storage of at least some program code to reduce the number of times code is retrieved from bulk storage during execution. Input/output or I/O devices (including hut not limited to keyboards, displays, pointing devices, etc.) may be coupled to the system either directly or through intervening I/O controllers.

[0061 ] Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modem and Ethernet cards are jest a few of the currently available types of network adapters.

[0062] Reference in the specification to "one embodiment" or "an embodiment" of the present invention, as well as other variations thereof, means that a particular feature, structure, characteristic, and so forth described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrase "in one embodiment" or "in an embodiment'', as well any other variations, appearing in various places throughout the specification are not .necessarily all referring to the same .embodimen

[0063] It is io be appreciated that the use of any of the .following " ^* ', _. "and or", and "at least one o ';, for example, in the cases of "A B", " . and/or B" and "at least one of A and B" _? is intended to encompass the selection of the .first listed option (A) only, or the selection of the second listed option (B) only, or the selection of both options (A and B). As a farther example, in the cases of " A. B, and or C" and "at. least one of A, B, and. C, such phrasing is intended to encompass the selection of the first listed option (A) only, or the selection of the second listed option (B) only, or the selection of the third listed option (C) only, or the selection of the first and the second listed options (A and B) only, or the selection of the first and third listed options (A and C) only, or the selection of the second and third listed options ( B and C) only, or the selection of all three options (A and B and€)- This may be extended, as readily apparent by one of ordinary skill in this and related arts, for as many items listed.

[0064] The foregoing is to be understood as being in every respect illustrative and exemplary, but not restrictive, and the scope of the inventio disclosed herein is not to be determined from the Detailed Description, but rather from the claims as interpreted according to the MI breadth permitted by the patent laws. It is to be understood that the embodiments shown and described herein are onl illustrative of the principles of the present invention and that those skilled in the art may implement various modifications without departing from the scope and spirit of the invention . Those skilled in the art could implement various other feature combinations without departing from the scope aod spirit of the invention. Having thus described aspects of the ^' invention, wit the detail and particularity required by the patent laws, what is- claimed and desired protected by Letters Patent ss set forth in the appended claims.