Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

Lajevardi, Amir Mohammadzade; Amini, Morteza

doi:10.1186/s40537-021-00532-9

Journal of Big Data

Table 3 Patterns of transition rules [16]

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

#	Rule
1	\(Subject(s_i) \wedge Subject(s_j) \wedge (s_i \xrightarrow {partOf} s_j ) \Longrightarrow me(s_j)= me(s_j) \cup me(s_i)\)
2	\(Subject(s_i) \wedge Subject(s_j) \wedge (s_i \xrightarrow {partOf} s_j ) \Longrightarrow ma(s_j)= ma(s_j) \cup ma(s_i)\)
3	\(Process(s_i) \wedge Process(s_j) \wedge (s_i \xrightarrow {parentOf} s_j ) \Longrightarrow me(s_j)= me(s_j) \cup me(s_i)\)
4	\(Process(s_i) \wedge Process(s_j) \wedge (s_i \xrightarrow {parentOf} s_j ) \Longrightarrow ma(s_j)= ma(s_j) \cup ma(s_i)\)
5	\(Event(e_i) \wedge Object(o_j) \wedge (o_j \xrightarrow {partOf} object(e_i) ) \wedge (action(e_i)=R) \Longrightarrow me(subject(e_i)):=me(subject(e_i)) \cup \{o_j\}\)
6	\(Event(e_i) \wedge Object(o_j) \wedge (o_j \xrightarrow {partOf} object(e_i) ) \wedge (action(e_i)=W ) \Longrightarrow ma(subject(e_i)):=ma(subject(e_i)) \cup \{o_j\}\)
7	\(Event(e_i) \wedge Object(o_j) \wedge (o_j \xrightarrow {partOf} object(e_i) ) \wedge (action(e_i)=D) \Longrightarrow ma(subject(e_i)):=ma(subject(e_i)) \cup \{o_j\}\)
8	\(Event(e_i) \wedge Event(e_j) \wedge action(e_i)=W \wedge action(e_j)=R \wedge object(e_i) = object(e_j) \wedge UT(subject(e_i)) \Rightarrow me(subject(e_j))= me(subject(e_j)) \cup me(subject(e_i))\)
9	\(Event(e_i) \wedge Event(e_j) \wedge action(e_i)=W \wedge action(e_j)=R \wedge object(e_i) \xrightarrow {partOf} object(e_j) \wedge UT(subject(e_i)) \Rightarrow me(subject(e_j))= me(subject(e_j)) \cup me(subject(e_i))\)
10	\(Event(e_i) \wedge Event(e_j) \wedge UT(subject(e_i)) \wedge (action(e_i)=W) \wedge (object(e_i)=subject(e_j)) \wedge (action(e_j)=W)\)
	\(\Rightarrow ma(subject(e_i)):=ma(subject(e_i)) \cup \{object(e_j)\}\)
11	\(Event(e_i) \wedge Event(e_j) \wedge UT(subject(e_i)) \wedge (action(e_i)=W) \wedge (object(e_i)=subject(e_j)) \wedge (action(e_j)=D)\)
	\(\Rightarrow ma(subject(e_i)):=ma(subject(e_i)) \cup \{object(e_j)\}\)
12	\(Event(e_i) \wedge Event(e_j) \wedge UT(subject(e_i)) \wedge (action(e_i)=C) \wedge (object(e_i)=subject(e_j)) \wedge (action(e_j)=W)\)
	\(\Rightarrow ma(subject(e_i)):=ma(subject(e_i)) \cup \{object(e_j)\}\)
13	\(Event(e_i) \wedge Event(e_j) \wedge UT(subject(e_i)) \wedge (action(e_i)=C) \wedge (object(e_i)=subject(e_j)) \wedge (action(e_j)=D)\)
	\(\Rightarrow ma(subject(e_i)):=ma(subject(e_i)) \cup \{object(e_j)\}\)

Back to article page