Table 6 Abstraction rules of subjects

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

| Abstraction rule | Abstraction condition | Abstraction operation |
|---|---|---|
| \(R_1S\) | \(\forall e_i=\langle s_i,o_i,a_i,t_i\rangle,\ Event(e_i) \wedge Thread(s_i) \wedge \exists s_j,\ Process(s_j) \wedge s_i \xrightarrow{partOf} s_j\) | \(e_i=\langle s_j,o_i,a_i,t_i\rangle\) |
| \(R_2S\) | \(\forall e_i=\langle s_i,o_i,a_i,t_i\rangle,\ Event(e_i) \wedge Process(s_i) \wedge \exists s_j,\ Process(s_j) \wedge s_i \xrightarrow{parentOf} s_j\) | \(e_i=\langle s_j,o_i,a_i,t_i\rangle\) |
| \(R_3S\) | \(\forall e_i=\langle s_i,o_i,a_i,t_i\rangle,\ Event(e_i) \wedge Process(s_i) \wedge \exists s_j,\ User(s_j) \wedge s_i \xrightarrow{partOf} s_j\) | \(e_i=\langle s_j,o_i,a_i,t_i\rangle\) |
| \(R_4S\) | \(\forall e_i=\langle s_i,o_i,a_i,t_i\rangle,\ Event(e_i) \wedge Process(s_i) \wedge \exists s_j,\ Host(s_j) \wedge s_i \xrightarrow{partOf} s_j\) | \(e_i=\langle s_j,o_i,a_i,t_i\rangle\) |
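The four rules above rewrite the subject \(s_i\) of an event \(\langle s_i,o_i,a_i,t_i\rangle\) to a coarser entity (thread to process, process to parent process, process to user, process to host) so that events from many low-level subjects collapse onto one correlating entity. The following Python is an added illustration, not code from the paper: it encodes each rule as a (subject type, relation, target type) triple, applies them in a chosen order, and groups events by the abstracted subject. The entities, relations and events are constructed sample data, and the direction of every relation (including `parentOf` in \(R_2S\)) is taken literally from the table.

```python
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Event:
    """e_i = <s_i, o_i, a_i, t_i>: subject, object, action, timestamp."""
    subject: str
    obj: str
    action: str
    time: int


# Constructed knowledge base (sample data, not from the paper).
# Entity types play the role of the Thread/Process/User/Host predicates.
TYPES = {
    "thread:7": "Thread",
    "thread:8": "Thread",
    "proc:1234": "Process",
    "proc:1000": "Process",
    "user:alice": "User",
    "host:ws01": "Host",
}

# (s_i, relation, s_j) triples; direction exactly as written in the table.
RELATIONS = [
    ("thread:7", "partOf", "proc:1234"),
    ("thread:8", "partOf", "proc:1234"),
    ("proc:1234", "parentOf", "proc:1000"),
    ("proc:1000", "partOf", "user:alice"),
    ("proc:1000", "partOf", "host:ws01"),
]

# Abstraction rules R_1S..R_4S as (type of s_i, relation, type of s_j).
RULES = {
    "R1S": ("Thread", "partOf", "Process"),
    "R2S": ("Process", "parentOf", "Process"),
    "R3S": ("Process", "partOf", "User"),
    "R4S": ("Process", "partOf", "Host"),
}


def apply_rule(event: Event, subj_type: str, relation: str, target_type: str) -> Event:
    """One rule: if s_i has subj_type and some s_j of target_type satisfies
    s_i --relation--> s_j, the event's subject becomes s_j; otherwise the
    event is returned unchanged (the rule's condition did not hold)."""
    if TYPES.get(event.subject) != subj_type:
        return event
    for src, rel, dst in RELATIONS:
        if src == event.subject and rel == relation and TYPES.get(dst) == target_type:
            return replace(event, subject=dst)
    return event


def abstract_subject(event: Event, rule_names: list[str]) -> Event:
    """Apply the named rules in order, e.g. ["R1S", "R2S", "R3S"] lifts a
    thread-level event to its user; ["R1S", "R2S", "R4S"] lifts it to its host."""
    for name in rule_names:
        event = apply_rule(event, *RULES[name])
    return event


def group_by_subject(events: list[Event], rule_names: list[str]) -> dict[str, int]:
    """Count events per abstracted subject: this is where low-level events
    scattered over many threads/processes become one correlating entity."""
    return dict(Counter(abstract_subject(e, rule_names).subject for e in events))


# Constructed sample events from two threads of one process and its parent.
EVENTS = [
    Event("thread:7", "file:/etc/shadow", "read", 1),
    Event("thread:8", "file:/tmp/out", "write", 2),
    Event("proc:1000", "net:203.0.113.5:443", "connect", 3),
]


if __name__ == "__main__":
    for rules in (["R1S"], ["R1S", "R2S"], ["R1S", "R2S", "R3S"], ["R1S", "R2S", "R4S"]):
        print(rules, group_by_subject(EVENTS, rules))
```

Applying only \(R_1S\) merges the two thread-level events onto `proc:1234`; adding \(R_2S\) moves them onto the parent so all three events share one subject, and \(R_3S\) or \(R_4S\) then lifts that subject to the user or host level, which is the granularity at which slow, spread-out activity becomes correlatable.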