Let a single alert $a \in A$ be a tuple $a = (t, s, d, c)$, for which the following functions are defined:

- $ts(a) = t$ returns $t \in T$, the timestamp of the alert
- $src(a) = s$ returns $s \in H$, the source host of the alert
- $dst(a) = d$ returns $d \in H$, the destination host of the alert
- $class(a) = c$ returns $c \in C$, the classification of the alert
Let $I$ be the set of impacts described by MulVAL [3] and $VR$ be the set of known vulnerabilities. Let $V$ be a set of vertices defined as:

$V = I \times H \times VR$ (2)
For each triple $v = (im, h, r)$, $v \in V$, the following functions are defined:

- $imp(v) = im$ returns $im \in I$, the impact of the vertex
- $host(v) = h$ returns $h \in H$, the host of the vertex
- $ref(v) = r$ returns $r \in VR$, the vulnerability reference of the vertex
Let $AG = (V, E)$ be an AG with vertices $V$ and edges $E$. An edge $e \in E \subseteq V^2$ is an ordered tuple of vertices $(v, v')$ with $v, v' \in V$. $P_{AG}$ denotes the set of all paths in the AG. A path $P \in P_{AG}$ is defined as a set of edges $P = \{(v, v') \in E \mid v, v' \in V\}$. $ord(P)$ denotes the number of edges in the path $P$, and $in(v, P)$ states whether a vertex lies on the path:

$in(v, P) := \exists (v, v') \in P \lor \exists (v', v) \in P$ (3)
3.2 Mapping

The mapping function $map_i$ maps matching alerts to specific nodes in the AG and is defined as:

$map_i : a \to \{v \in V \mid \Phi_i(a, v)\}$ (4)

There are different kinds of $\Phi_i(a, v)$, defined in (5), (6), (7), (8), and (9), to parameterize the mapping function.
$\Phi_1(a, v) := \exists v' \in V : (src(a) = host(v')) \land (dst(a) = host(v)) \land (class(a) = ref(v))$ (5)

$\Phi_1$ is the strictest criterion: the source host of the alert must appear as the host of some vertex $v'$ of the AG, and both the destination host and the classification of the alert must match the vertex $v$.
$\Phi_2(a, v) := (dst(a) = host(v)) \land (class(a) = ref(v))$ (6)

$\Phi_2$ drops the condition on the source host and compares only the destination host and the classification of the alert with the vertex (note that $dst$ is defined on alerts only, so the vertex side of the comparison is $host(v)$).
$\Phi_3(a, v) := (class(a) = ref(v))$ (7)

$\Phi_3$ matches on the classification alone, ignoring both hosts.
$\Phi_4(a, v) := \exists v' \in V : (src(a) = host(v')) \land (dst(a) = host(v))$ (8)

$\Phi_4$ matches on the hosts alone, ignoring the classification; as in (5), the source host is required to belong to some vertex $v'$ of the AG.
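The following Python model, added here as an illustration and not part of the paper or of MulVAL, implements the alert tuple, the vertex set $V = I \times H \times VR$, the path predicates $ord$ and $in$, the mapping function $map_i$ of (4) and the four criteria $\Phi_1$ to $\Phi_4$ of (5) to (8), and runs them over a constructed three-vertex attack graph. The host names, impact names and vulnerability references are made-up sample data; the existentially quantified vertex $v'$ of (5) and (8) is taken to be any vertex whose host equals $src(a)$, and $dst(v)$ in (6) is read as $host(v)$ because $dst$ is defined only on alerts.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Set, Tuple

# Added example (not the paper's code). All hosts, impacts and vulnerability
# references below are constructed sample data, not real hosts or CVE ids.


@dataclass(frozen=True)
class Alert:
    """A single alert a = (t, s, d, c); the fields are ts, src, dst, class."""
    t: int   # timestamp, t in T
    s: str   # source host, s in H
    d: str   # destination host, d in H
    c: str   # classification, c in C (here a vulnerability reference, so it is comparable with ref(v))


@dataclass(frozen=True)
class Vertex:
    """A vertex v = (im, h, r) in V = I x H x VR, equation (2)."""
    im: str  # impact, im in I (MulVAL-style predicate name)
    h: str   # host, h in H
    r: str   # vulnerability reference, r in VR


Edge = Tuple[Vertex, Vertex]


@dataclass(frozen=True)
class AttackGraph:
    """AG = (V, E); E is a set of ordered vertex pairs, E subset of V x V."""
    V: FrozenSet[Vertex]
    E: FrozenSet[Edge]


def ord_(P: Set[Edge]) -> int:
    """ord(P): the number of edges in the path P."""
    return len(P)


def in_(v: Vertex, P: Set[Edge]) -> bool:
    """in(v, P), equation (3): v is an endpoint of some edge of P."""
    return any(v == x or v == y for (x, y) in P)


Predicate = Callable[[Alert, Vertex, FrozenSet[Vertex]], bool]


def _src_in_graph(a: Alert, V: FrozenSet[Vertex]) -> bool:
    """The 'exists v' in V : src(a) = host(v')' part of (5) and (8)."""
    return any(a.s == w.h for w in V)


def phi1(a: Alert, v: Vertex, V: FrozenSet[Vertex]) -> bool:   # (5)
    return _src_in_graph(a, V) and a.d == v.h and a.c == v.r


def phi2(a: Alert, v: Vertex, V: FrozenSet[Vertex]) -> bool:   # (6)
    return a.d == v.h and a.c == v.r


def phi3(a: Alert, v: Vertex, V: FrozenSet[Vertex]) -> bool:   # (7)
    return a.c == v.r


def phi4(a: Alert, v: Vertex, V: FrozenSet[Vertex]) -> bool:   # (8)
    return _src_in_graph(a, V) and a.d == v.h


def map_i(phi: Predicate, a: Alert, ag: AttackGraph) -> Set[Vertex]:
    """map_i, equation (4): the vertices of the AG that alert a matches under Phi_i."""
    return {v for v in ag.V if phi(a, v, ag.V)}


# Constructed sample AG: attacker on the internet -> web host -> db host.
V0 = Vertex("attackerLocated", "internet", "-")
V1 = Vertex("execCode", "web", "vuln-web-1")
V2 = Vertex("execCode", "db", "vuln-db-1")
SAMPLE_AG = AttackGraph(V=frozenset({V0, V1, V2}), E=frozenset({(V0, V1), (V1, V2)}))
PATH: Set[Edge] = {(V0, V1), (V1, V2)}

# Constructed sample alerts (t, s, d, c).
A_WEB = Alert(1, "internet", "web", "vuln-web-1")   # fits the first attack step exactly
A_DB = Alert(2, "web", "db", "vuln-db-1")           # fits the second attack step exactly
A_STRAY = Alert(3, "laptop", "db", "vuln-db-1")     # source host is not in the AG
A_WRONG = Alert(4, "internet", "db", "vuln-web-1")  # classification belongs to another host


def mapping_table(ag: AttackGraph = SAMPLE_AG, alerts=(A_WEB, A_DB, A_STRAY, A_WRONG)):
    """Apply every Phi_i to every alert; returns {alert: {i: set of mapped vertices}}."""
    preds = {1: phi1, 2: phi2, 3: phi3, 4: phi4}
    return {a: {i: map_i(p, a, ag) for i, p in preds.items()} for a in alerts}


if __name__ == "__main__":
    for a, rows in mapping_table().items():
        for i, vs in rows.items():
            print(f"alert t={a.t}  Phi_{i} -> {sorted(v.h for v in vs)}")
```

Running it shows the trade-off the four criteria encode: the stray alert from an unknown host is dropped by $\Phi_1$ and $\Phi_4$ but still mapped to the db vertex by $\Phi_2$ and $\Phi_3$, while the alert whose classification belongs to the web host is mapped to the web vertex by $\Phi_3$ (classification only) and to the db vertex by $\Phi_4$ (hosts only), and to nothing by $\Phi_1$.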