Table 2 Steps of policy violation detection for file removal example according to Figure 2 [16]

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

| Step | Component | Sample (based on Fig. 2) |
|---|---|---|
| Step 1 | Event Interception | \(e_1=\langle s_1, o_1, R, t_1\rangle,\ e_2=\langle s_1, o_2, W, t_2\rangle,\ e_3=\langle s_2, o_2, R, t_3\rangle\) |
| Step 2 | Event Normalization | Using OWL-DL to define the events and initialize \(me\) and \(ma\). |
| | Memory/Manipulation Storage (MStore) | \(me(s_1)=\{o_1\},\ ma(s_1)=\{o_2\},\ me(s_2)=\{o_2\},\ ma(s_2)=\varnothing\) |
| Step 3 | Individual Storage | \(Event(e_1),\ Subject(s_1),\ Object(o_1),\ \ldots\) |
| | System Ontology (TBox) | \(\sqsubseteq,\ partOf,\ parentOf,\ \ldots\) |
| | Relation Rules (RBox) | \((time(e_i) < time(e_j) \wedge object(e_i)=object(e_j) \wedge action(e_i)=W \wedge action(e_j)=R) \Longrightarrow e_i \overset{tewr}{\sim} e_j\) |
| | Inference Engine | \(e_2 \overset{tewr}{\sim} e_3\) |
| Step 4 | ABox and MStore | \(e_2 \overset{tewr}{\sim} e_3,\ me(s_1)=\{o_1\},\ ma(s_1)=\{o_2\},\ me(s_2)=\{o_2\},\ ma(s_2)=\varnothing\) |
| | System Ontology (TBox) | \(\sqsubseteq,\ partOf,\ parentOf,\ \ldots\) |
| | Indirect Access Rules (RBox) | \(\forall e_i, e_j\ \big(Event(e_i) \wedge Event(e_j) \wedge e_i \overset{tewr}{\sim} e_j \Rightarrow me(subject(e_j)) = me(subject(e_j)) \cup me(subject(e_i))\big)\) |
| | Inference Engine | \(\boldsymbol{me(s_2) = me(s_2) \cup me(s_1)}\) |
| Step 5 | Memory/Manipulation Storage (MStore) | \(me(s_1)=\{o_1\},\ ma(s_1)=\{o_2\},\ me(s_2)=\{o_2\} \cup \boldsymbol{\{o_1\}}\) |
| | Security Policy Store (PStore) | \(o_1 \notin me(s_2)\) |
| | Policy Checker | Alert |

The alert is raised even though \(s_2\) never touched \(o_1\) directly: the write-then-read flow \(e_2 \overset{tewr}{\sim} e_3\) through the shared object \(o_2\) lets the indirect access rule carry \(o_1\) from \(me(s_1)\) into \(me(s_2)\), which violates the stored policy \(o_1 \notin me(s_2)\).
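The five steps of the table, as an added worked example that is not code from the paper or its authors: the intercepted events are normalized into the \(me\)/\(ma\) sets, the \(tewr\) relation rule is evaluated over event pairs, the indirect access rule propagates \(me\) sets, and the policy store is checked. It generalizes the table in one respect: propagation is iterated to a fixed point, so a chain of flows (\(s_1 \to s_2 \to s_3\)) is also captured, whereas Fig. 2 needs only the single hop shown. The `Event`/`MStore` names, the integer timestamps standing in for \(t_i\), and the encoding of a PStore entry as a (subject, object) pair that must satisfy object \(\notin me(\)subject\()\) are assumptions made here for illustration; the sample events are constructed to match the table.

```python
"""Toy re-implementation of the five detection steps in Table 2.

Constructed illustration: the event tuples follow the table; the class and
function names (Event, MStore, normalize, tewr_pairs, ...) are assumptions
made here, not identifiers from the paper.
"""
from dataclasses import dataclass, field
from itertools import permutations


@dataclass(frozen=True)
class Event:
    """One intercepted access e = <subject, object, action, time> (Step 1)."""
    subject: str
    obj: str
    action: str  # "R" (read) or "W" (write)
    time: int    # assumed: integer logical timestamp standing in for t_i


@dataclass
class MStore:
    """Memory/Manipulation Storage: me = objects a subject has (directly or
    indirectly) read, ma = objects it has written."""
    me: dict = field(default_factory=dict)
    ma: dict = field(default_factory=dict)


def normalize(events):
    """Step 2: initialize me/ma from the direct accesses only."""
    store = MStore()
    for e in events:
        store.me.setdefault(e.subject, set())
        store.ma.setdefault(e.subject, set())
        if e.action == "R":
            store.me[e.subject].add(e.obj)
        elif e.action == "W":
            store.ma[e.subject].add(e.obj)
    return store


def tewr_pairs(events):
    """Step 3, relation rule: e_i ~tewr e_j iff e_i writes an object that e_j
    reads strictly later (a write-then-read flow through a shared object)."""
    return [
        (ei, ej)
        for ei, ej in permutations(events, 2)
        if ei.time < ej.time
        and ei.obj == ej.obj
        and ei.action == "W"
        and ej.action == "R"
    ]


def propagate_indirect_access(store, pairs):
    """Step 4, indirect access rule: me(subject(e_j)) |= me(subject(e_i)) for
    every tewr pair. Iterated to a fixed point so that chains of flows
    (s1 -> s2 -> s3) are also captured; Fig. 2 only needs one hop."""
    changed = True
    while changed:
        changed = False
        for ei, ej in pairs:
            before = len(store.me[ej.subject])
            store.me[ej.subject] |= store.me[ei.subject]
            changed |= len(store.me[ej.subject]) != before
    return store


def check_policy(store, policy):
    """Step 5: each PStore entry is a (subject, object) pair that must satisfy
    object not-in me(subject); the violated entries are returned."""
    return [(s, o) for s, o in policy if o in store.me.get(s, set())]


def detect(events, policy):
    """Run Steps 2-5 over intercepted events; returns (violations, store)."""
    store = normalize(events)
    propagate_indirect_access(store, tewr_pairs(events))
    return check_policy(store, policy), store


# Constructed sample matching Table 2 / Fig. 2.
SAMPLE_EVENTS = [
    Event("s1", "o1", "R", 1),  # e1: s1 reads o1
    Event("s1", "o2", "W", 2),  # e2: s1 writes o2
    Event("s2", "o2", "R", 3),  # e3: s2 reads o2  ->  e2 ~tewr e3
]
POLICY = [("s2", "o1")]  # PStore: o1 must never be in me(s2)

if __name__ == "__main__":
    violations, store = detect(SAMPLE_EVENTS, POLICY)
    print("me:", store.me, "ma:", store.ma)
    print("Alert" if violations else "no violation", violations)
```

Running the block prints `me(s2)` as `{o1, o2}` and an alert for `("s2", "o1")`; swapping the order of \(e_2\) and \(e_3\) (read before write) produces no \(tewr\) pair and therefore no alert, which is the temporal condition in the relation rule doing its job.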