Table 10 An example of events abstraction process

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

| # | \(L_0\) | \(L_1\ (R_1A)\) | \(L_2\ (L_1 \wedge R_1S)\) | \(L_3\ (L_2 \wedge R_1O)\) | End of abstraction |
|---|---|---|---|---|---|
| 1 | \(e_1= \langle s_1, o_1, C, t_1 \rangle\) | \(e_1= \langle s_1, o_1, \mathbf{W}, t_1 \rangle\) | \(\textbf{(Redundant)}\) | | |
| 2 | \(e_2= \langle s_1, o_1, W, t_2 \rangle\) | \(e_2= \langle s_1, o_1, W, t_2 \rangle\) | \(e_2= \langle \mathbf{p_1}, o_1, W, t_2 \rangle\) | \(e_2= \langle p_1, \mathbf{p_2}, W, t_2 \rangle\) | \(\textbf{(Redundant)}\) |
| 3 | \(e_3= \langle s_1, o_2, C, t_3 \rangle\) | \(e_3= \langle s_1, o_2, \mathbf{W}, t_3 \rangle\) | \(e_3= \langle \mathbf{p_1}, o_2, W, t_3 \rangle\) | \(e_3= \langle p_1, \mathbf{p_2}, W, t_3 \rangle\) | \(\textbf{(Redundant)}\) |
| 4 | \(e_4= \langle s_1, o_3, W, t_4 \rangle\) | \(e_4= \langle s_1, o_3, W, t_4 \rangle\) | \(e_4= \langle \mathbf{p_1}, o_3, W, t_4 \rangle\) | \(e_4= \langle p_1, \mathbf{p_2}, W, t_4 \rangle\) | \(e_4= \langle p_1, p_2, W, t_4 \rangle\) |
| 5 | \(e_5= \langle s_1, o_2, E, t_5 \rangle\) | \(\textbf{(Deleted)}\) | | | |
| 6 | \(e_6= \langle o_2, o_4, D, t_6 \rangle\) | \(e_6= \langle o_2, o_4, \mathbf{W}, t_6 \rangle\) | \(e_6= \langle \mathbf{p_2}, o_4, W, t_6 \rangle\) | \(e_6= \langle p_2, \mathbf{o_4}, W, t_6 \rangle\) | \(e_6= \langle p_2, o_4, W, t_6 \rangle\) |