Table 5 Abstraction rules of actions

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

| Abstraction rule | Abstraction step | Abstraction condition | Abstraction operation |
|---|---|---|---|
| \(R_1A\) | 1.1 | \(\forall e_i=\langle s_i,o_i,a_i, t_i\rangle , Event(e_i) \wedge action(e_i)= C\) | \(e_i=\langle s_i,o_i,W, t_i\rangle\) |
| | 1.2 | \(\forall e_i=\langle s_i,o_i,a_i, t_i\rangle , Event(e_i) \wedge action(e_i)= D\) | \(e_i=\langle s_i,o_i,W, t_i\rangle\) |
| | 1.3 | \(\forall e_i=\langle s_i,o_i,a_i, t_i\rangle , Event(e_i) \wedge action(e_i)= A\) | \(e_i=\langle s_i,o_i,R, t_i\rangle\) |
| | 1.4 | \(\forall e_i=\langle s_i,o_i,a_i, t_i\rangle , Event(e_i) \wedge Process(s_i)\wedge Process(o_i)\wedge action(e_i)= E\) | Delete \(e_i\) and add \(s_i \xrightarrow {parentOf} o_i\) |
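The four rules above rewrite a stream of \(\langle subject, object, action, time\rangle\) events so that action variants the correlation stage treats as equivalent collapse onto a smaller label set, while process-to-process \(E\) events leave the event list and become \(parentOf\) edges. The following Python implementation is an added example written for this page; it is not code from the paper. It treats the action letters C, D, A, E, W and R as opaque labels exactly as the table gives them (the page does not expand them), and the event stream, the process set, and the helper names `Event`, `abstract_actions` and `run_example` are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Event:
    """One provenance event <s_i, o_i, a_i, t_i> as in the table."""
    subject: str   # s_i
    obj: str       # o_i
    action: str    # a_i, one of the labels C, D, A, E, W, R
    time: int      # t_i

def abstract_actions(events, processes):
    """Apply rules 1.1-1.4 of R_1A to an ordered event list.

    `processes` is the set of entity names for which Process(x) holds;
    it stands in for the Process() predicate of the table.
    Returns (abstracted_events, parent_of_edges).
    """
    abstracted = []
    parent_of = set()
    for e in events:
        if e.action in ("C", "D"):
            # Rules 1.1 and 1.2: C and D both become W; subject, object and time are kept.
            abstracted.append(replace(e, action="W"))
        elif e.action == "A":
            # Rule 1.3: A becomes R.
            abstracted.append(replace(e, action="R"))
        elif e.action == "E" and e.subject in processes and e.obj in processes:
            # Rule 1.4: both endpoints are processes, so the event is deleted
            # and replaced by a parentOf edge s_i -> o_i.
            parent_of.add((e.subject, e.obj))
        else:
            # No rule matches (e.g. an E whose object is not a process,
            # or an action already in the abstract label set): keep as is.
            abstracted.append(e)
    return abstracted, parent_of

def run_example():
    """Constructed sample stream covering every rule plus the non-matching E case."""
    processes = {"bash", "python"}          # assumed Process() extension
    events = [
        Event("bash", "/tmp/x", "C", 1),     # 1.1 -> W
        Event("bash", "/tmp/x", "D", 2),     # 1.2 -> W
        Event("bash", "/etc/hosts", "A", 3), # 1.3 -> R
        Event("bash", "python", "E", 4),     # 1.4 -> deleted, parentOf edge
        Event("python", "/bin/ls", "E", 5),  # object is not a process: kept
        Event("python", "/tmp/y", "W", 6),   # already abstract: kept
    ]
    return abstract_actions(events, processes)

if __name__ == "__main__":
    out, edges = run_example()
    for e in out:
        print(e)
    print("parentOf edges:", edges)
```

Note that rule 1.4 is the only rule that changes the shape of the data rather than a label: the check that both endpoints satisfy \(Process\) is what keeps a process executing a file from being mistaken for a process spawning another process, so the membership test in `processes` must reflect the same entity typing the rest of the pipeline uses.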