Table 4 Patterns of untrusted subjects rules [16]

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

| # | Rule | Description |
|---|------|-------------|
| 1 | \(Subject(s_i) \wedge Subject(s_j) \wedge (s_i \xrightarrow{partOf} s_j) \wedge UT(s_i) \Rightarrow UT(s_j)\) | Untrusted subpart |
| 2 | \(Event(e_i) \wedge Event(e_j) \wedge e_i \overset{tewr}{\sim} e_j \wedge UT(subject(e_i)) \Rightarrow UT(object(e_j))\) | Untrusted input |
| 3 | \(Event(e_i) \wedge Event(e_j) \wedge e_i \overset{tiwr}{\sim} e_j \wedge UT(subject(e_i)) \Rightarrow UT(subject(e_j))\) | Untrusted input |
| 4 | \(Event(e_i) \wedge Event(e_j) \wedge e_i \overset{piwr}{\sim} e_j \wedge UT(subject(e_i)) \Rightarrow UT(subject(e_j))\) | Untrusted input |
| 5 | \(Event(e_i) \wedge UT(subject(e_i)) \wedge (action(e_i) = W) \wedge Subject(object(e_i)) \Rightarrow UT(object(e_i))\) | Injection |
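As an added illustration (not code from the paper), the five rules above can be evaluated by forward chaining to a fixpoint over a small provenance graph. The event relations tewr, tiwr and piwr are taken here as precomputed edges supplied in the input, since their definitions are not part of this table; the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    subject: str   # subject(e)
    obj: str       # object(e)
    action: str    # action(e); "W" marks a write

@dataclass
class Graph:
    subjects: frozenset   # names for which Subject(x) holds
    part_of: frozenset    # (s_i, s_j) pairs meaning s_i partOf s_j
    events: dict          # event id -> Event
    relations: frozenset  # (rel, e_i, e_j), rel in {"tewr", "tiwr", "piwr"} (assumed given)

def propagate_untrusted(g: Graph, seeds) -> set:
    """Forward-chain rules 1-5 until no new UT() fact appears; return all UT(x)."""
    ut = set(seeds)
    while True:
        before = len(ut)
        # Rule 1: an untrusted subpart makes its containing subject untrusted
        for si, sj in g.part_of:
            if si in g.subjects and sj in g.subjects and si in ut:
                ut.add(sj)
        # Rules 2-4: untrusted input flows along the event relations
        for rel, ei, ej in g.relations:
            if g.events[ei].subject in ut:
                if rel == "tewr":               # rule 2 taints object(e_j)
                    ut.add(g.events[ej].obj)
                elif rel in ("tiwr", "piwr"):   # rules 3 and 4 taint subject(e_j)
                    ut.add(g.events[ej].subject)
        # Rule 5: an untrusted subject writing into another subject is an injection
        for e in g.events.values():
            if e.subject in ut and e.action == "W" and e.obj in g.subjects:
                ut.add(e.obj)
        if len(ut) == before:   # fixpoint reached
            return ut

def sample_graph() -> Graph:
    """Constructed toy provenance data (not taken from the paper)."""
    return Graph(
        subjects=frozenset({"plugin", "browser", "shell", "svc", "editor"}),
        part_of=frozenset({("plugin", "browser")}),
        events={
            "e1": Event("browser", "/tmp/a", "W"),
            "e2": Event("shell", "/tmp/a", "R"),
            "e3": Event("shell", "svc", "W"),
        },
        relations=frozenset({("tiwr", "e1", "e2")}),
    )

if __name__ == "__main__":
    print(sorted(propagate_untrusted(sample_graph(), {"plugin"})))
```

Seeding only "plugin" as untrusted, rule 1 taints the browser, rule 3 carries the taint to the shell via the tiwr edge, and rule 5 flags the shell's write into the service as an injection, while the unrelated editor stays trusted.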