Skip to main content

Table 2 Steps of policy violation detection for file removal example according to Figure 2 [16]

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats



Sample (based on Fig. 2).

Step 1

Event Interception

\(e_1=\langle s_1, o_1, R, t_1\rangle ,\ e_2= \langle s_1, o_2, W, t_2 \rangle ,\ e_3= \langle s_2,o_2, R, t_3 \rangle\)

Step 2

Event Normalization

Using OWL-DL to define the events and initiate the me and ma.

Memory/Manipulation Storage (MStore)

\(me(s_1)=\{o_1\}\), \(ma(s_1)=\{o_2\}\), \(me(s_2)=\{o_2\}\), \(ma(s_2)=\varnothing\)

Step 3

Individual Storage

\(Event(e_1), Subject(q_1), Object(o_1), ...\)

System Ontology (TBox)

\(\sqsubseteq , \ partOf,\ parentOf\), .

Relation Rules (RBox)

\((time(e_i)< time(e_j) \wedge object(e_i)=object(e_j) \wedge action(e_i)=W\) \(\wedge action(e_j)=R ) \Longrightarrow e_i \overset{tewr}{\sim } e_j\)

Inference Engine

\(e_2 \overset{tewr}{\sim } e_3\)

Step 4

ABox and MStore

\(e_2 \overset{tewr}{\sim } e_3, me(s_1)=\{o_1\}, ma(s_1)=\{o_2\}, me(s_2)=\{o_2\},ma(s_2)=\varnothing\)

System Ontology (TBox)

\(\sqsubseteq , \ partOf,\ parentOf\), .

Indirect Access Rules (RBox)

\(\forall e_i,e_j, ( Event(e_i) \wedge Event(e_j) \wedge e_i \overset{tewr}{\sim } e_j \Rightarrow me(subject(e_j))=\) \(me(subject(e_j)) \cup me(subject(e_i)) )\)

Inference Engine

\(\varvec{ me(s_2)=me(s_2) \cup me(s_1)}\)

Step 5

Memory/Manipulation Storage (MStore)

\(me(s_1)=\{o_1\},\ ma(s_1)=\{o_2\},me(s_2)=\{o_2\} \cup \varvec{\{o_1\}}\)

Security Policy Store (PStore)

\(o_1 \notin me(s_2)\)

Policy Checker