From Context to Rules: Toward Unified Detection Rule Generation

TL;DR

This paper introduces UniRule, a unified framework for detection rule generation that leverages semantic projection spaces to handle diverse contexts and languages, outperforming traditional LLM methods.

Contribution

It formalizes detection rule generation as a unified mapping problem and proposes UniRule, a novel RAG framework with dual semantic spaces for improved rule generation.

Findings

UniRule outperforms pure LLM generation with a Bradley-Terry coefficient of 0.52.

Experiments across 12 scenarios demonstrate the effectiveness of semantic projection.

The framework handles arbitrary contexts and languages within a single system.

Abstract

Existing methods for detection rule generation are tightly coupled to specific input-output combinations, requiring dedicated pipelines for each. We formalize this problem as a unified mapping f:C*L->R and characterize optimal rules through semantic distance. We propose UniRule, an agentic RAG framework built on dual semantic projection spaces: detection intent and detection logic. This design enables retrieval and generation across arbitrary contexts and target languages within a single system. Experiments across 12 scenarios (3 languages, 4 context types, 12,000 pairwise comparisons) show that UniRule significantly outperforms pure LLM generation with a Bradley-Terry coefficient of 0.52, validating semantic projection as an effective abstraction for unified rule generation. Together, the formalization, method, and evaluation provide an initial framework for studying detection rule generation as a unified task.