$$\Phi_5(a, v) := \exists\, v \in V : (\mathrm{dst}(a) = \mathrm{host}(v)) \qquad (9)$$
We will refer to match modes when using a specific $\Phi_i(a, v)$. The match modes are named as follows:
- $\Phi_1(a, v)$: match mode cvesrcdst
- $\Phi_2(a, v)$: match mode cvedst
- $\Phi_3(a, v)$: match mode cve
- $\Phi_4(a, v)$: match mode srcdst
- $\Phi_5(a, v)$: match mode dst
3.3 Aggregation
Let $A \subseteq \mathcal{A}$ be the set of alerts that is to be aggregated. Let $th$ be a threshold and $x \in A$, $y \in A$ two alerts; then the relation $R_A \subseteq A^2$ is defined as:
$$R_A = \{(x, y) \in A^2 \mid (|\mathrm{ts}(x) - \mathrm{ts}(y)| < th) \wedge (\mathrm{src}(x) = \mathrm{src}(y)) \wedge (\mathrm{dst}(x) = \mathrm{dst}(y)) \wedge (\mathrm{class}(x) = \mathrm{class}(y))\} \qquad (10)$$
$R_A$ is reflexive and symmetric but not transitive, because the timestamp condition does not chain; the equivalence relation used for aggregation is therefore the transitive closure of $R_A$. Alert aggregation combines alerts that are similar and were created within a short time of each other, i.e., whose timestamps differ by less than the threshold $th$. It yields the set of equivalence classes $A/R_A$ of that closure. Note that since the closure chains neighbours, one class can span a window longer than $th$: two alerts $x$ and $z$ with $|\mathrm{ts}(x) - \mathrm{ts}(z)| \ge th$ still end up in the same class if some alert $y$ lies within $th$ of both.
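The aggregation of (10), as an added example that is not code from the paper: the closure of $R_A$ is computed with union-find, and the sample alerts are constructed here to show the chaining effect, where alerts 1 and 3 are more than $th$ apart but share a class through alert 2. The field name `cls` stands for class(a); the sample addresses and the threshold value are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    """One alert a with the attributes R_A looks at: ts(a), src(a), dst(a), class(a)."""
    id: int
    ts: float   # timestamp in seconds
    src: str
    dst: str
    cls: str    # class(a), the alert classification


def related(x: Alert, y: Alert, th: float) -> bool:
    """R_A from (10): same src, dst and class, timestamps closer than th."""
    return (abs(x.ts - y.ts) < th
            and x.src == y.src and x.dst == y.dst and x.cls == y.cls)


def aggregate(alerts: List[Alert], th: float) -> List[List[Alert]]:
    """Equivalence classes A/R_A of the transitive closure of R_A (union-find).

    Alerts can only be related if they agree on (src, dst, class), so they are
    grouped by that key first. Inside a group sorted by ts, joining each alert
    to its successor whenever the gap is below th already gives the full
    closure: any two alerts within th of each other have every alert between
    them within th of both.
    """
    parent: Dict[int, int] = {a.id: a.id for a in alerts}

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(i: int, j: int) -> None:
        ri, rj = find(i), find(j)
        if ri != rj:
            parent[rj] = ri

    groups: Dict[Tuple[str, str, str], List[Alert]] = {}
    for a in alerts:
        groups.setdefault((a.src, a.dst, a.cls), []).append(a)
    for group in groups.values():
        group.sort(key=lambda a: a.ts)
        for prev, cur in zip(group, group[1:]):
            if related(prev, cur, th):
                union(prev.id, cur.id)

    classes: Dict[int, List[Alert]] = {}
    for a in alerts:
        classes.setdefault(find(a.id), []).append(a)
    # members of each class in time order; classes ordered by their earliest alert
    return sorted((sorted(c, key=lambda a: a.ts) for c in classes.values()),
                  key=lambda c: c[0].ts)


def class_span(c: List[Alert]) -> float:
    """Time covered by one class; may exceed th because the closure chains neighbours."""
    return max(a.ts for a in c) - min(a.ts for a in c)


# Constructed sample input (not from the paper): four scans of one host from
# the same source plus one from a different source, threshold th = 5 s.
TH = 5.0
ALERTS = [
    Alert(1, 0.0, "10.0.0.5", "10.0.0.20", "portscan"),
    Alert(2, 4.0, "10.0.0.5", "10.0.0.20", "portscan"),   # within th of alert 1
    Alert(3, 8.0, "10.0.0.5", "10.0.0.20", "portscan"),   # within th of alert 2 only
    Alert(4, 20.0, "10.0.0.5", "10.0.0.20", "portscan"),  # isolated in time
    Alert(5, 1.0, "10.0.0.9", "10.0.0.20", "portscan"),   # different src
]

if __name__ == "__main__":
    for c in aggregate(ALERTS, TH):
        print([a.id for a in c], "span =", class_span(c))
```

With these inputs the first class is {1, 2, 3} and spans 8 s although th is 5 s, which is the chaining effect a practitioner should keep in mind when choosing th against a slow, steady scan.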
3.4 Alert Dependencies
Let $A_m \subseteq A/R_A$ be the set of alert classes that have been matched to at least one node in an AG, i.e., whose map is non-empty:
$$A_m = \{[a] \in A/R_A \mid \mathrm{map}_i(a) \neq \emptyset\} \qquad (11)$$
The alert dependencies are represented by a graph $DG = (A_m, E_{m,k})$, with $E_{m,k}$ as defined in (12).
$$E_{m,k} = \{([x], [y]) \in (A/R_A)^2 \mid \Psi_k([x], [y])\} \qquad (12)$$
The set $E_{m,k}$ can be parameterized by the functions $\Psi_k$ as shown in (13), (14), and (15).
$$\Psi_1([x], [y]) := (\mathrm{ts}([x]) < \mathrm{ts}([y])) \wedge (\exists (v, w) \in E : (v \in \mathrm{maps}_i(x) \wedge w \in \mathrm{maps}_i(y))) \qquad (13)$$
$$\Psi_2([x], [y]) := (\mathrm{ts}([x]) < \mathrm{ts}([y])) \wedge (\exists P \in \mathcal{P}_{AG} : (\mathrm{ord}(P) = n) \wedge (\exists v, w : (v \in \mathrm{maps}_i(x) \wedge w \in \mathrm{maps}_i(y) \wedge \mathrm{in}(v, P) \wedge \mathrm{in}(w, P)))) \qquad (14)$$
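The match modes of Section 3.2 and the dependency graph of (11) to (14), as one added example that is not code from the paper. Mode dst follows (9); the other four modes are read as conjunctions of cve, src and dst comparisons, with src(a) compared to host(u) of a predecessor node (u, v) in E, which is an assumption. Further assumptions, marked in the code: $\mathrm{map}_i(a)$ is the set of AG nodes matched under the mode, $\mathrm{maps}_i$ of a class is the union over its members, $\mathrm{ts}([x])$ is the earliest timestamp in the class, and $\mathrm{ord}(P) = n$ counts the nodes of a simple path. The three-node attack graph and the alert classes are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Node:
    """Attack-graph vertex v with host(v) and cve(v)."""
    name: str
    host: str
    cve: str


@dataclass(frozen=True)
class Alert:
    """Alert a with ts(a), src(a), dst(a), cve(a)."""
    id: int
    ts: float
    src: str
    dst: str
    cve: str


Edge = Tuple[Node, Node]
AlertClass = List[Alert]   # one class [x] of A/R_A, given by its members


def phi(mode: str, a: Alert, v: Node, E: Set[Edge]) -> bool:
    """Match modes Phi_1..Phi_5 by name. dst is (9); the other modes are read as
    field conjunctions, src(a) against host(u) of a predecessor (u, v) (assumption)."""
    cve_ok = a.cve == v.cve
    dst_ok = a.dst == v.host
    src_ok = any(u.host == a.src for (u, w) in E if w == v)
    return {"cvesrcdst": cve_ok and src_ok and dst_ok,
            "cvedst": cve_ok and dst_ok,
            "cve": cve_ok,
            "srcdst": src_ok and dst_ok,
            "dst": dst_ok}[mode]


def map_nodes(mode: str, a: Alert, V: Set[Node], E: Set[Edge]) -> Set[Node]:
    """map_i(a): AG nodes the alert matches under the mode (assumed reading)."""
    return {v for v in V if phi(mode, a, v, E)}


def class_nodes(mode: str, c: AlertClass, V: Set[Node], E: Set[Edge]) -> Set[Node]:
    """maps_i of a class: union of map_i over its members (assumption)."""
    return set().union(*(map_nodes(mode, a, V, E) for a in c))


def class_ts(c: AlertClass) -> float:
    """ts([x]): earliest timestamp in the class (assumption)."""
    return min(a.ts for a in c)


def psi1(cx, cy, mode, V, E) -> bool:
    """(13): x earlier than y, and an AG edge (v, w) with v matched by x and w by y."""
    if not class_ts(cx) < class_ts(cy):
        return False
    nx, ny = class_nodes(mode, cx, V, E), class_nodes(mode, cy, V, E)
    return any(v in nx and w in ny for (v, w) in E)


def simple_paths(V: Set[Node], E: Set[Edge], n: int) -> List[Tuple[Node, ...]]:
    """All simple AG paths P with ord(P) = n, ord read as the number of nodes."""
    succ = {}
    for (v, w) in E:
        succ.setdefault(v, []).append(w)
    out: List[Tuple[Node, ...]] = []

    def walk(path: List[Node]) -> None:
        if len(path) == n:
            out.append(tuple(path))
            return
        for w in succ.get(path[-1], []):
            if w not in path:
                walk(path + [w])

    for v in V:
        walk([v])
    return out


def psi2(cx, cy, mode, V, E, n: int) -> bool:
    """(14): x earlier than y, and some path of order n contains a node of each."""
    if not class_ts(cx) < class_ts(cy):
        return False
    nx, ny = class_nodes(mode, cx, V, E), class_nodes(mode, cy, V, E)
    return any(any(v in P for v in nx) and any(w in P for w in ny)
               for P in simple_paths(V, E, n))


def dependency_edges(classes, mode, V, E, psi, **kw) -> List[Tuple[int, int]]:
    """E_{m,k} of (12) over A_m of (11): classes with an empty map are left out.
    Edges are returned as index pairs into `classes`."""
    Am = [i for i, c in enumerate(classes) if class_nodes(mode, c, V, E)]
    return sorted((i, j) for i in Am for j in Am
                  if i != j and psi(classes[i], classes[j], mode, V, E, **kw))


# Constructed attack graph (not from the paper): web -> db -> admin, one CVE per node.
N1, N2, N3 = Node("n1", "web", "CVE-A"), Node("n2", "db", "CVE-B"), Node("n3", "admin", "CVE-C")
V = {N1, N2, N3}
E = {(N1, N2), (N2, N3)}

# Constructed, already aggregated alert classes; the last one matches no AG node.
CLASSES = [
    [Alert(1, 1.0, "attacker", "web", "CVE-A")],
    [Alert(2, 5.0, "web", "db", "CVE-B"), Alert(3, 6.0, "web", "db", "CVE-B")],
    [Alert(4, 9.0, "db", "admin", "CVE-C")],
    [Alert(5, 3.0, "attacker", "printer", "CVE-Z")],
]

if __name__ == "__main__":
    print("Psi_1:", dependency_edges(CLASSES, "cvedst", V, E, psi1))
    print("Psi_2, n=3:", dependency_edges(CLASSES, "cvedst", V, E, psi2, n=3))
```

Under $\Psi_1$ only classes matched to adjacent AG nodes are linked, whereas $\Psi_2$ with $n = 3$ also links the first and third class through the path web, db, admin; the unmatched fourth class never enters $A_m$ and so never receives an edge, which is the effect of (11).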