Table 8 Event abstraction levels

From: Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

| Abstraction level | Abstraction rules | Average event reduction rate | Average impact on detecting very slow attacks | Average impact on detecting slow attacks |
|---|---|---|---|---|
| \(L_0\) | No abstraction | 0 % | 0 % | 0 % |
| \(L_1\) | \(R_1A\) | 12 % | +2.8 % | 0 % |
| \(L_2\) | \(L_1 \wedge R_1S\) | 7 % | +0.12 % | 0 % |
| \(L_3\) | \(L_2 \wedge R_1O\) | 11 % | +1.5 % | −0.9 % |
| \(L_4\) | \(L_3 \wedge R_2S\) | 18 % | +3.24 % | 0 % |
| \(L_5\) | \(L_4 \wedge R_3S\) | 47 % | −1.11 % | −6.8 % |
| \(L_6\) | \(L_5 \wedge R_4S\) | 51 % | −4.3 % | −12.12 % |

Each level \(L_i\) (\(i \ge 2\)) applies all rules of the previous level plus one additional rule (the \(\wedge\) in the second column). Positive values in the two impact columns are improvements in detection, negative values are losses.