Table 7 Abstraction rules of objects

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

| Abstraction rule | Abstraction step | Abstraction condition | Abstraction operation |
| --- | --- | --- | --- |
| \(R_1O\) | 1.1 | \(\forall e_i=\langle s_i,o_i,R,t_i\rangle , Event(e_i) \wedge Object(o_i) \wedge \exists o_j, Object(o_j) \wedge o_i \xrightarrow{partOf} o_j\) | \(e_i=\langle s_i, partOf(o_j),R,t_i\rangle\) |
| | 1.2 | \(\forall e_i=\langle s_i,o_i,W,t_i\rangle , Event(e_i) \wedge Object(o_i) \wedge \exists o_j, Object(o_j) \wedge o_i \xrightarrow{partOf} o_j\) | \(e_i=\langle s_i, partOf(o_j),W,t_i\rangle\) |