Table 6 Abstraction rules of subjects

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

| Abstraction rule | Abstraction condition | Abstraction operation |
|---|---|---|
| \(R_1S\) | \(\forall e_i=\langle s_i,o_i,a_i, t_i\rangle , Event(e_i) \wedge Thread(s_i) \wedge \exists s_j, Process(s_j) \wedge s_i \xrightarrow {partOf} s_j\) | \(e_i=\langle s_j,o_i,a_i, t_i\rangle\) |
| \(R_2S\) | \(\forall e_i=\langle s_i,o_i,a_i, t_i\rangle , Event(e_i) \wedge Process(s_i) \wedge \exists s_j, Process(s_j) \wedge s_i \xrightarrow {parentOf} s_j\) | \(e_i=\langle s_j,o_i,a_i, t_i\rangle\) |
| \(R_3S\) | \(\forall e_i=\langle s_i,o_i,a_i, t_i\rangle , Event(e_i) \wedge Process(s_i) \wedge \exists s_j, User(s_j) \wedge s_i \xrightarrow {partOf} s_j\) | \(e_i=\langle s_j,o_i,a_i, t_i\rangle\) |
| \(R_4S\) | \(\forall e_i=\langle s_i,o_i,a_i, t_i\rangle , Event(e_i) \wedge Process(s_i) \wedge \exists s_j, Host(s_j) \wedge s_i \xrightarrow {partOf} s_j\) | \(e_i=\langle s_j,o_i,a_i, t_i\rangle\) |
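As an added illustration (not code from the paper), the following Python sketch applies the four subject-abstraction rules to an event tuple \(\langle s_i,o_i,a_i,t_i\rangle\) over a small knowledge base. Entity identifiers, their types and the partOf/parentOf edges are constructed for the example, and the edge direction is taken literally from the table, so each rule replaces \(s_i\) with the \(s_j\) at the head of an \(s_i \xrightarrow{rel} s_j\) edge of the required type.

```python
from dataclasses import dataclass, replace

# Constructed sample knowledge base (not from the paper): entity types and
# the relations that the abstraction conditions consult.
TYPES = {"t1": "Thread", "p1": "Process", "p2": "Process",
         "u1": "User", "h1": "Host"}
# Edges written as (s_i, relation, s_j), matching the table's
# "s_i --relation--> s_j" notation; the direction is taken literally.
EDGES = {("t1", "partOf", "p1"), ("p1", "parentOf", "p2"),
         ("p2", "partOf", "u1"), ("p2", "partOf", "h1")}

@dataclass(frozen=True)
class Event:
    """An event e_i = <s_i, o_i, a_i, t_i>: subject, object, action, time."""
    s: str
    o: str
    a: str
    t: int

# Each rule R_kS as (type required of s_i, relation, type required of s_j).
RULES = {
    "R1S": ("Thread", "partOf", "Process"),
    "R2S": ("Process", "parentOf", "Process"),
    "R3S": ("Process", "partOf", "User"),
    "R4S": ("Process", "partOf", "Host"),
}

def abstract_subject(event, rule, types=TYPES, edges=EDGES):
    """Apply one rule: if its condition holds, rewrite s_i to s_j.
    If the condition does not hold, the event is returned unchanged."""
    src_type, rel, dst_type = RULES[rule]
    if types.get(event.s) != src_type:
        return event
    # The condition only requires that some s_j exists; when several
    # qualify we take the lexicographically first so the result is deterministic.
    targets = sorted(sj for (si, r, sj) in edges
                     if si == event.s and r == rel and types.get(sj) == dst_type)
    return replace(event, s=targets[0]) if targets else event

def abstract_chain(event, rules, types=TYPES, edges=EDGES):
    """Apply rules in order, e.g. thread -> process -> parent process -> user."""
    for rule in rules:
        event = abstract_subject(event, rule, types, edges)
    return event

if __name__ == "__main__":
    e = Event("t1", "/etc/passwd", "read", 1)   # constructed sample event
    print(abstract_chain(e, ["R1S", "R2S", "R3S"]))  # subject becomes u1
```

Chaining the rules lifts a thread-level event to user or host level, which is the granularity at which the paper's correlation operates; a rule whose condition is not met leaves the event untouched rather than failing.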