Test Queries

Andrew Marrington

DFRWS 2011 Release Test Queries

These test queries were described in the paper published at DFRWS 2011 with the version of CAT Detect released at that conference.

Complete Timeline

SELECT * FROM RecordedEvents UNION SELECT * FROM InferredEvents ORDER BY Time;    

Baddie first session (consistent) (timeline A)

SELECT * FROM 
((SELECT * FROM RecordedEvents) 
UNION 
(SELECT * FROM InferredEvents)) AS AllEvents 
WHERE 
Time >= (SELECT Time FROM RecordedEvents WHERE EventID = 188) 
AND Time <= ( SELECT Time FROM RecordedEvents WHERE EventID = 146) 
ORDER BY Time;

Misattribution of authorship (inconsistent - Baddie has not logged in) (timeline B)

SELECT * FROM 
((SELECT * FROM RecordedEvents) 
UNION (SELECT * FROM InferredEvents)) AS AllEvents 
WHERE 
Time >= (SELECT Time FROM RecordedEvents WHERE EventID = 132) 
AND Time <= ( SELECT Time FROM RecordedEvents WHERE EventID = 76) 
ORDER BY Time;

Baddie first session (inconsistent - missing Baddie's login) (timeline C)

SELECT * FROM 
((SELECT * FROM RecordedEvents) 
UNION (SELECT * FROM InferredEvents)) AS AllEvents 
WHERE Time >= (SELECT Time FROM RecordedEvents WHERE EventID = 180) 
AND Time <= ( SELECT Time FROM RecordedEvents WHERE EventID = 146) 
ORDER BY Time;

Baddie logoff altered session (inconsistent) (timeline D)

Note that this timeline requires a test data modification in order to be shown as inconsistent.

SELECT * FROM 
((SELECT * FROM RecordedEvents) 
UNION (SELECT * FROM InferredEvents)) AS AllEvents 
WHERE Time >= (SELECT Time FROM RecordedEvents WHERE EventID = 188) 
AND Time <= ( SELECT Time FROM RecordedEvents WHERE EventID = 149) 
ORDER BY Time;

Related

Wiki: Setup instructions
