Table 2 Steps of policy violation detection for file removal example according to Figure 2 [16]
Step | Component | Sample (based on Fig. 2). |
|---|---|---|
Step 1 | Event Interception | \(e_1=\langle s_1, o_1, R, t_1\rangle ,\ e_2= \langle s_1, o_2, W, t_2 \rangle ,\ e_3= \langle s_2,o_2, R, t_3 \rangle\) |
Step 2 | Event Normalization | Using OWL-DL to define the events and initiate the me and ma. |
Memory/Manipulation Storage (MStore) | \(me(s_1)=\{o_1\}\), \(ma(s_1)=\{o_2\}\), \(me(s_2)=\{o_2\}\), \(ma(s_2)=\varnothing\) | |
Step 3 | Individual Storage | \(Event(e_1), Subject(q_1), Object(o_1), ...\) |
System Ontology (TBox) | \(\sqsubseteq , \ partOf,\ parentOf\), . | |
Relation Rules (RBox) | \((time(e_i)< time(e_j) \wedge object(e_i)=object(e_j) \wedge action(e_i)=W\) \(\wedge action(e_j)=R ) \Longrightarrow e_i \overset{tewr}{\sim } e_j\) | |
Inference Engine | \(e_2 \overset{tewr}{\sim } e_3\) | |
Step 4 | ABox and MStore | \(e_2 \overset{tewr}{\sim } e_3, me(s_1)=\{o_1\}, ma(s_1)=\{o_2\}, me(s_2)=\{o_2\},ma(s_2)=\varnothing\) |
System Ontology (TBox) | \(\sqsubseteq , \ partOf,\ parentOf\), . | |
Indirect Access Rules (RBox) | \(\forall e_i,e_j, ( Event(e_i) \wedge Event(e_j) \wedge e_i \overset{tewr}{\sim } e_j \Rightarrow me(subject(e_j))=\) \(me(subject(e_j)) \cup me(subject(e_i)) )\) | |
Inference Engine | \(\varvec{ me(s_2)=me(s_2) \cup me(s_1)}\) | |
Step 5 | Memory/Manipulation Storage (MStore) | \(me(s_1)=\{o_1\},\ ma(s_1)=\{o_2\},me(s_2)=\{o_2\} \cup \varvec{\{o_1\}}\) |
Security Policy Store (PStore) | \(o_1 \notin me(s_2)\) | |
Policy Checker | Alert |