Automated security policy modification
US-2023179572-A1 · Jun 8, 2023 · US
US12563104B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12563104-B2 |
| Application number | US-202318187561-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 21, 2023 |
| Priority date | Mar 21, 2023 |
| Publication date | Feb 24, 2026 |
| Grant date | Feb 24, 2026 |
Official abstract text for this publication.
A multi-stage, dual-paradigm redundancy filter for security ruleset management as disclosed herein efficiently manages growth of a resident security ruleset—the resident security ruleset being the managed security ruleset. In a first stage, the redundancy filter operates according to a “rule matching” paradigm. In a second stage, the redundancy filter operates according to an “attack coverage matching” paradigm. In the first stage, the redundancy filter removes those rules in an input ruleset that have a complete or partial rule match in the resident security ruleset. In the second stage, the redundancy filter removes those of the remaining rules of the first-stage-filtered input ruleset that match the attack coverage of rules in the resident security ruleset. A security system then updates the resident security ruleset based on the rules remaining after the multi-stage, dual-paradigm filtering.
Opening claim text (preview).
The invention claimed is:
1. A method comprising: managing growth of a second plurality of security rules to increase attack coverage without increasing rule redundancy, wherein managing growth comprises, filtering a first plurality of security rules based on rule matching against the second plurality of security rules, wherein filtering the first plurality of security rules yields a first subset of the first plurality of security rules that does not have a match in the second plurality of security rules; filtering the first subset of the first plurality of security rules based on traffic matching, wherein filtering based on traffic matching comprises enforcing the first subset of the first plurality of security rules on a network traffic dataset already covered by at least a subset of the second plurality of security rules, wherein filtering the first subset of the first plurality of security rules yields a second subset of security rules not triggered by the network traffic dataset; and updating the second plurality of security rules to include the second subset of security rules to increase the attack coverage of the second plurality of security rules.
2. The method of claim 1, wherein filtering the first plurality of security rules based on rule matching comprises searching successively according to decreasing degrees of rule matching.
3. The method of claim 2, wherein searching successively according to decreasing degrees of rule matching comprises searching for complete rule matching and then for partial rule matching.
4. The method of claim 1, wherein filtering the first plurality of security rules based on rule matching against the second plurality of security rules comprises filtering based on rule instance matching and rule components matching.
5. The method of claim 4, wherein filtering based on rule instance matching comprises, for each of the first plurality of security rules, searching a repository hosting the second plurality of security rules for one of a literal match with the security rule of the first plurality of security rules and a literal match of a compact representation of the security rule of the first plurality of security rules.
6. The method of claim 4, wherein filtering based on rule components matching comprises searching a repository hosting the second plurality of security rules for different subsets of rule components.
7. The method of claim 6, wherein searching the repository for different subsets of rule components comprises searching, for each of those of the first plurality of security rules not filtered out based on rule instance matching and indicating a vulnerability identifier, a matching vulnerability identifier in the repository and then searching, for each of those of the first plurality of security rules not filtered out by the rule instance matching and the vulnerability identifier matching, the repository for matching rule components corresponding to attack signatures.
8. The method of claim 6, wherein a subset of rule components comprises at least two rule header components, at least two rule options components, or at least one rule header component and at least one rule options component.
9. The method of claim 1, wherein updating the second plurality of security rules to include the second subset of security rules comprises at least one of converting the second subset of security rules to a language of the second plurality of security rules, converting the second subset of security rules to a format of the second plurality of security rules, and modifying at least one of the second plurality of security rules based on a first of the second subset of security rules.
10. One or more non-transitory machine-readable media having program code stored thereon, the program code comprising instructions to: update coverage of a first security ruleset without introducing coverage redundancy, wherein the instructions to update coverage of the first security ruleset comprise instructions to, determine which security rules in a second security ruleset do not have a complete or partial match in the first security ruleset; for those of the second security ruleset that do not have a complete or partial match in the first security ruleset, determine which security rules of the second security ruleset are triggered when enforced on cyberattack samples of network traffic that also trigger one or more of the security rules in the first security ruleset; and update the first security ruleset to include those of the second security ruleset that do not have a complete or partial match in the first security ruleset and that are not triggered by the cyberattack samples that trigger the one or more of the security rules in the first security ruleset.
11. The non-transitory machine-readable media of claim 10, wherein the instructions to determine which security rules in the second security ruleset do not have a complete match in the first security ruleset comprise instructions to search a repository hosting the first security ruleset for instance matches or compact representation matches.
12. The non-transitory machine-readable media of claim 10, wherein the instructions to determine which security rules in a second security ruleset do not have a partial match comprise instructions to search a repository hosting the first security ruleset for matches of multiple rule components corresponding to traffic matching criteria.
13. The non-transitory machine-readable media of claim 10, wherein the instructions to determine which security rules in a second security ruleset do not have a complete or partial match in the first security ruleset comprise instructions to successively filter out those security rules of the second security ruleset with a complete match and then those remaining security rules with a partial match.
14. The non-transitory machine-readable media of claim 13, wherein the instructions to filter out those remaining security rules with a partial match after filtering out those of the security rules with a complete match comprise instructions to first filter based on a highest match confidence rule component and then filter based on a combination of rule components that collectively have sufficient match confidence.
15. The non-transitory machine-readable media of claim 10, wherein the instructions to update coverage of a first security ruleset comprise instructions to obtain security rulesets for processing from different sources, wherein the security rulesets include the second security ruleset and the second security ruleset is from one of the different sources.
16. The non-transitory machine-readable media of claim 10, wherein the instructions to update the first security ruleset comprise at least one of instructions to convert those of the second security ruleset not filtered out to a language of the first security ruleset, instructions to convert those of the second security ruleset not filtered out to a format of the first security ruleset, and instructions to modify at least one security rule of the first security ruleset based on a first security rule of those of the second security ruleset not filtered out.
17. An apparatus comprising: a processor; and a non-transitory machine-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to, manage growth of a resident security ruleset to increase attack coverage without increasing rule redundancy, wherein the instructions to manage growth comprise instructions to, in a first
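A working model of the two-stage filter described in the abstract and in claims 1 to 7, added here as an illustration and not code from the patent or any product: stage 1 drops candidate rules with a complete match (literal text or compact representation) or a partial match (vulnerability identifier, or rule header plus attack-signature components) in the resident ruleset; stage 2 enforces the survivors on attack samples the resident ruleset already catches and drops those that fire. The Snort-style rule syntax, the placeholder CVE ids, the substring-based enforcement and the sample payloads are all constructed assumptions.

```python
from dataclasses import dataclass
# Constructed Snort-style rules for illustration; the CVE ids are placeholders, not real ones.
RESIDENT = [
    'alert tcp any any -> any 80 (msg:"passwd read"; content:"/etc/passwd"; reference:cve,0000-0001; sid:1;)',
    'alert tcp any any -> any 80 (msg:"cat etc"; content:"cat /etc"; sid:2;)',
]
CANDIDATE = [  # the trailing comment on each rule gives its expected fate
    'alert tcp any any -> any 80 (msg:"vendor copy"; content:"/etc/passwd"; reference:cve,0000-0001; sid:900;)',  # complete match
    'alert tcp any any -> any 443 (msg:"same cve"; content:"passwd"; reference:cve,0000-0001; sid:901;)',  # partial match (CVE id)
    'alert tcp any any -> any 80 (msg:"any cat"; content:"cat "; sid:902;)',  # no rule match, but covered by traffic
    'alert tcp any any -> any 80 (msg:"shadow read"; content:"/etc/shadow"; sid:903;)',  # new coverage: survives
]
# Constructed attack samples; each already triggers at least one resident rule.
SAMPLES = [b"GET /?f=/etc/passwd HTTP/1.1", b"GET /?c=cat /etc/hosts HTTP/1.1"]

@dataclass(frozen=True)
class Rule:
    text: str
    header: tuple    # action proto src sport dir dst dport
    contents: tuple  # sorted content: patterns, i.e. the attack-signature components
    cve: str         # vulnerability identifier from reference:cve, or ""
    def compact(self):  # compact representation: match criteria only, msg/sid/rev dropped
        return (self.header, self.contents, self.cve)

def parse(text):
    """Minimal Snort-style parser; assumes no ';' or '(' inside quoted option values."""
    head, _, opts = text.partition("(")
    contents, cve = [], ""
    for opt in filter(None, (s.strip() for s in opts.rstrip(")").split(";"))):
        key, _, val = opt.partition(":")
        if key == "content": contents.append(val.strip().strip('"'))
        elif key == "reference" and val.startswith("cve,"): cve = val[4:]
    return Rule(text, tuple(head.split()), tuple(sorted(contents)), cve)

def stage1_rule_match(candidates, resident):
    """Stage 1: drop complete matches (literal/compact), then partial ones (CVE id, or header+components)."""
    literal, compact = {r.text for r in resident}, {r.compact() for r in resident}
    cves, components = {r.cve for r in resident if r.cve}, {(r.header, r.contents) for r in resident}
    return [c for c in candidates
            if c.text not in literal and c.compact() not in compact
            and not (c.cve and c.cve in cves) and (c.header, c.contents) not in components]

def stage2_traffic_match(candidates, resident, samples):
    """Stage 2: drop candidates that fire on attack samples a resident rule already catches."""
    fires = lambda rule, payload: all(c.encode() in payload for c in rule.contents)  # simplified enforcement
    covered = [s for s in samples if any(fires(r, s) for r in resident)]
    return [c for c in candidates if not any(fires(c, s) for s in covered)]

def redundancy_filter(candidate_texts, resident_texts, samples):
    resident = [parse(t) for t in resident_texts]  # both stages in order; returns rule texts to add
    kept = stage2_traffic_match(stage1_rule_match([parse(t) for t in candidate_texts], resident), resident, samples)
    return [r.text for r in kept]
```

Of the four candidates only sid 903 reaches the resident set; sid 902 shows why the traffic stage matters, since it shares no rule components with the resident rules yet adds no coverage on the sampled attacks.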
CPC classification titles:
| CPC title |
|---|
| Traffic logging, e.g. anomaly detection |
| for managing network security; network security policies in general (filtering policies H04L63/0227) |
| Rule management |
| involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved (negotiation of communication capabilities H04L69/24) |