3.1 Possible Scenarios
From the set of instantiated actions presented above and according to the definition of action correlation, we can build several plausible scenarios which are all correlated to the illegal file access intrusion objective. Fig. 4 shows the correlation links existing in our example according to the action timestamps and hence exhibits the following possible scenarios:
- scenario 1: $S_1 = (A, B, C, D, E, F, G, H, O)$
- scenario 2: $S_2 = (A, C, G, H, O)$
- scenario 3: $S_3 = (A, D, E, G, H, O)$
- scenario 4: $S_4 = (B, F, G, H, O)$
- scenario 5: $S_5 = (A, C, D, E, G, H, O)$
- scenario 6: $S_6 = (A, B, D, E, F, G, H, O)$
- scenario 7: $S_7 = (A, B, C, F, G, H, O)$
Note that only scenario 1 involves all instantiated actions ($A$–$H$). $A$ and $B$ are initial states since $Pre(A)$ is true and all predicates of $Pre(B)$ are satisfied by the initial system's state.
Any system administrator would easily conclude that the most dangerous scenario among those seven possible scenarios is the first one, which uses all the actions. However, we would like to be able to choose automatically the most plausible scenario among those seven. More generally, given a set of action instances, we would like to be able to build a set of possible scenarios and choose the most plausible one among them. In order to achieve this, we introduce in the next section two improvements: the notion of anti-correlation and the notion of weighted correlation.
4 Weighted Correlation
The first improvement consists in introducing the notion of anti-correlation, or negative influence, between two actions. Intuitively, $A$ anti-correlates $B$ if, when $A$ is achieved, $B$ cannot be immediately observed. More precisely, $A$ anti-correlates $B$ if there exists an expression $\mathit{expr}_1$ in $Post(A)$ and an expression $\mathit{expr}_2$ in $Pre(B)$ such that $\mathit{expr}_1$ and $not(\mathit{expr}_2)$ are unifiable.
Definition 8: Anti-correlation. We say that logical expressions $E$ and $F$ are anti-correlated if one of the following conditions is satisfied:
- there exists $i$ in $[1, m]$ and $j$ in $[1, n]$ such that $\mathit{expr}^E_i$ and $not(\mathit{expr}^F_j)$ are unifiable through a mgu $\Theta$.
- there exists $i$ in $[1, m]$ and $j$ in $[1, n]$ such that $not(\mathit{expr}^E_i)$ and $\mathit{expr}^F_j$ are unifiable through a mgu $\Theta$.
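As an added example (not code from the paper), the following Python script models the machinery that Section 3.1 and Definition 8 rely on: a small unifier over predicate literals, the correlation test between $Post(A)$ and $Pre(B)$, the anti-correlation test of Definition 8 (both conditions), the selection of initial actions from the initial system state, the timestamp-ordered correlation links, and the enumeration of scenarios leading to an objective. The action set, predicates, timestamps and initial state are constructed for illustration and are not the paper's actions $A$ to $O$, whose $Pre$/$Post$ are not given on this page. Three points are assumptions: correlation is taken as direct unification of a $Post$ expression with a $Pre$ expression (the earlier definition the text refers to), scenarios are enumerated as chains through the correlation graph (the paper's scenarios are sets that may merge branches, as scenario 1 does), and the plausibility rule is one reading of the intuition stated above, namely that $B$ cannot be immediately observed once an anti-correlating action has been achieved.

```python
"""Toy model of action correlation and anti-correlation (added example).

A literal is a tuple ("pred", arg, ...); a negated literal is ("not", literal).
Terms starting with "?" are variables. Actions carry a timestamp t, Pre and Post.
"""
from itertools import product


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def walk(t, theta):
    """Follow variable bindings in the substitution theta."""
    while is_var(t) and t in theta:
        t = theta[t]
    return t


def unify(x, y, theta=None):
    """Return a most general unifier (a dict) of x and y, or None.
    Literals here are flat, so no occurs check is needed."""
    theta = {} if theta is None else dict(theta)
    x, y = walk(x, theta), walk(y, theta)
    if x == y:
        return theta
    if is_var(x):
        theta[x] = y
        return theta
    if is_var(y):
        theta[y] = x
        return theta
    if isinstance(x, tuple) and isinstance(y, tuple) and len(x) == len(y):
        for a, b in zip(x, y):
            theta = unify(a, b, theta)
            if theta is None:
                return None
        return theta
    return None


def negate(lit):
    return lit[1] if lit[0] == "not" else ("not", lit)


def correlated(post_a, pre_b):
    """Assumed correlation definition: some expression of Post(A) unifies
    with some expression of Pre(B)."""
    return any(unify(e, f) is not None for e, f in product(post_a, pre_b))


def anti_correlated(post_a, pre_b):
    """Definition 8: expr^E_i and not(expr^F_j) unifiable, or
    not(expr^E_i) and expr^F_j unifiable (E = Post(A), F = Pre(B))."""
    return any(unify(e, negate(f)) is not None or unify(negate(e), f) is not None
               for e, f in product(post_a, pre_b))


def is_initial(action, initial_state):
    """Pre(A) is satisfied by the initial state: every precondition unifies
    with some initial fact."""
    return all(any(unify(p, fact) is not None for fact in initial_state)
               for p in action["pre"])


def build_links(actions, rel):
    """Directed links A -> B for pairs ordered by timestamp, for a relation
    rel(Post(A), Pre(B)) (correlated or anti_correlated)."""
    return {(a, b) for a in actions for b in actions
            if actions[a]["t"] < actions[b]["t"]
            and rel(actions[a]["post"], actions[b]["pre"])}


def scenarios(actions, initial_state, objective):
    """Chains from an initial action to the objective along correlation links
    (assumption: the paper's scenarios are sets that may merge branches)."""
    succ = {}
    for a, b in build_links(actions, correlated):
        succ.setdefault(a, []).append(b)
    found = []

    def dfs(path):
        if path[-1] == objective:
            found.append(tuple(path))
            return
        for nxt in sorted(succ.get(path[-1], [])):
            if nxt not in path:
                dfs(path + [nxt])

    for a in actions:
        if a != objective and is_initial(actions[a], initial_state):
            dfs([a])
    return sorted(found)


def plausible(scenario, actions):
    """Assumed reading of the page's intuition: if an action X observed between
    consecutive steps A -> B anti-correlates B, then B could not be immediately
    observed after X, so the chain is not plausible as it stands."""
    anti = build_links(actions, anti_correlated)
    for a, b in zip(scenario, scenario[1:]):
        for x in actions:
            if actions[a]["t"] < actions[x]["t"] < actions[b]["t"] and (x, b) in anti:
                return False
    return True


# Constructed sample data (hypothetical; not the paper's actions A..O).
INITIAL_STATE = [("reachable", "h1"), ("running", "h1", "ftpd"), ("account", "h1", "guest")]
ACTIONS = {
    "probe":       {"t": 1, "pre": [("reachable", "?h")],
                    "post": [("knows", "?h", "ftpd")]},
    "guest_login": {"t": 2, "pre": [("account", "?h", "guest")],
                    "post": [("shell", "?h")]},
    # exploit_v1 leaves the service down: its Post negates a Pre of exploit_v2
    "exploit_v1":  {"t": 3, "pre": [("knows", "?h", "?s")],
                    "post": [("shell", "?h"), ("not", ("running", "?h", "?s"))]},
    "exploit_v2":  {"t": 4, "pre": [("knows", "?h", "?s"), ("running", "?h", "?s")],
                    "post": [("shell", "?h")]},
    "read_secret": {"t": 5, "pre": [("shell", "?h")],       # the intrusion objective
                    "post": [("read", "?h", "secret")]},
}

if __name__ == "__main__":
    for s in scenarios(ACTIONS, INITIAL_STATE, "read_secret"):
        print(" -> ".join(s), "plausible" if plausible(s, ACTIONS) else "anti-correlated")
```

On the sample data the chain probe, exploit_v2, read_secret is reported as not plausible because exploit_v1, observed between probe and exploit_v2, anti-correlates exploit_v2 (its $Post$ contains $not(running(?h, ?s))$ while $Pre$ of exploit_v2 contains $running(?h, ?s)$); the two other chains are kept. Only the structure of the actions matters for the relations, which is why the predicates can stay abstract.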