3.1 Possible Scenarios
From the set of instantiated actions presented above and according to the definition of action correlation, we can build several plausible scenarios, all of which are correlated to the illegal file access intrusion objective. Fig. 4 shows the correlation links existing in our example according to the actions' timestamps and hence exhibits the following possible scenarios:
- scenario 1: S1 = (A, B, C, D, E, F, G, H, O)
- scenario 2: S2 = (A, C, G, H, O)
- scenario 3: S3 = (A, D, E, G, H, O)
- scenario 4: S4 = (B, F, G, H, O)
- scenario 5: S5 = (A, C, D, E, G, H, O)
- scenario 6: S6 = (A, B, D, E, F, G, H, O)
- scenario 7: S7 = (A, B, C, F, G, H, O)
Note that only scenario 1 involves all instantiated actions (A … H). A and B are initial states since Pre(A) is true and all predicates of Pre(B) are satisfied by the initial system's state.
Any system administrator would easily conclude that the most dangerous scenario among those seven possible scenarios is the first one, which uses all the actions. However, we would like to be able to choose the most plausible scenario among those seven automatically. More generally, given a set of action instances, we would like to be able to build a set of possible scenarios and choose the most plausible one among them. In order to achieve this, we introduce in the next section two improvements: the notion of anti-correlation and the notion of weighted correlation.
4 Weighted Correlation
The first improvement consists in introducing the notion of anti-correlation, or negative influence, between two actions. Intuitively, A anti-correlates B if, when A is achieved, B cannot be immediately observed. More precisely, A anti-correlates B if there exists an expression expr1 in Post(A) and an expression expr2 in Pre(B) such that expr1 and not(expr2) are unifiable.
Definition 8: Anti-correlation. We say that logical expressions E and F are anti-correlated if one of the following conditions is satisfied:
- there exists i in [1, m] and j in [1, n] such that expr_Ei and not(expr_Fj) are unifiable through a mgu Θ.
- there exists i in [1, m] and j in [1, n] such that not(expr_Ei) and expr_Fj are unifiable through a mgu Θ.
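The following added example (not code from the paper) implements the correlation test used to build the scenarios of Section 3.1 and the anti-correlation test of Definition 8 over Pre/Post conditions written as conjunctions of literals, using a small first-order unifier to compute the mgu. The actions, predicates and argument values (scan, exploit, shutdown, host1, ftp) are constructed for illustration.

```python
# Added illustration of correlation and anti-correlation (Definition 8); the
# actions and predicates below are constructed, not taken from the paper.
# A literal is an atom ("pred", arg, ...) or ("not", atom); Pre/Post conditions
# are lists of literals read as conjunctions; uppercase-initial arguments are
# variables, everything else is a constant.

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def walk(t, theta):  # follow bindings until a constant or an unbound variable
    while is_var(t) and t in theta:
        t = theta[t]
    return t

def unify(a, b):
    """Most general unifier of two atoms as a dict, or None if they do not unify."""
    if len(a) != len(b) or a[0] != b[0]:  # same predicate and arity required
        return None
    theta = {}
    for x, y in zip(a[1:], b[1:]):
        x, y = walk(x, theta), walk(y, theta)
        if x == y:
            continue
        if is_var(x):
            theta[x] = y
        elif is_var(y):
            theta[y] = x
        else:  # two distinct constants: clash
            return None
    return theta

def negate(lit):
    return lit[1] if lit[0] == "not" else ("not", lit)

def unify_literals(l1, l2):
    if (l1[0] == "not") != (l2[0] == "not"):  # opposite signs never unify
        return None
    return unify(l1[1], l2[1]) if l1[0] == "not" else unify(l1, l2)

def correlated(post_a, pre_b):
    """A correlates B: some expr1 in Post(A) unifies with some expr2 in Pre(B)."""
    return any(unify_literals(e1, e2) is not None for e1 in post_a for e2 in pre_b)

def anti_correlated(post_a, pre_b):
    """Definition 8: expr1 unifies with not(expr2), or not(expr1) with expr2."""
    return any(unify_literals(e1, negate(e2)) is not None
               or unify_literals(negate(e1), e2) is not None
               for e1 in post_a for e2 in pre_b)

# Constructed sample: a scan reports an ftp service as vulnerable, an exploit
# needs it vulnerable and running, and a shutdown makes it stop running.
POST_SCAN = [("vulnerable", "host1", "ftp")]
PRE_EXPLOIT = [("vulnerable", "H", "ftp"), ("running", "H", "ftp")]
POST_SHUTDOWN = [("not", ("running", "host1", "ftp"))]
```

With these conditions the scan correlates the exploit (a link Fig. 4 would draw), while the shutdown anti-correlates it, since its negative post-condition unifies with the negation of the exploit's running precondition under the mgu {H: host1}.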