1. Consider the concept of Time Based Inductive Learning we saw in class for Anomaly Detection. Consider that the security admin of an organization sees a few snapshots of the system logs, and builds a trace of events that are sequential. The snapshots captured by the security admin reveal the trace for one particular user (say Jane) as A->B->C->S->T->S->T->A->B->C->A->B->C->S. From this, compute the probabilities of occurrence of the following sequences, which are the rules created by the security admin as acceptable for that user Jane.

Rule 1: A->B->C Compute the Probability:

Rule 2: S->T Compute the Probability:

Rule 3: C->S Compute the Probability:

Rule 4: T->A Compute the Probability:

For the purposes of this question, let event A denote user logging incorrectly; event B denote user opening her email; and event C denote searching for a contact. As we can see, this trace is considered acceptable.

Based on these rules alone, if a sequence currently being logged appears in the form of A->B->F, will an anomaly be triggered? Answer Yes or No, with a simple justification. For this case, let event F denote sending an email with an attachment.

Depending on your answer above, what should the security admin do now in terms of modifying rules? Should the Admin add the above trace A->B->F as acceptable? Please justify.
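An added worked example, not part of the original question or of any posted solution: it estimates each rule's probability from Jane's trace and checks a newly logged sequence against the rules. It assumes a rule X1->...->Xk is read as "after the prefix X1..Xk-1, the next event is Xk" and that its probability is the fraction of prefix occurrences in the trace followed by Xk; the names `rule_probability` and `classify` are made up for this sketch.

```python
from collections import Counter

# Jane's trace exactly as given in the question.
TRACE = "A B C S T S T A B C A B C S".split()
# The four rules the admin treats as acceptable.
RULES = [["A", "B", "C"], ["S", "T"], ["C", "S"], ["T", "A"]]


def rule_probability(trace, rule):
    """Estimate P(rule's last event | rule's prefix) from the trace.

    Assumption: a prefix occurrence at the very end of the trace has no
    observed successor, so it is left out of the denominator.
    """
    prefix, predicted = rule[:-1], rule[-1]
    n = len(prefix)
    followers = Counter(
        trace[i + n]
        for i in range(len(trace) - n)
        if trace[i:i + n] == prefix
    )
    total = sum(followers.values())
    return followers[predicted] / total if total else None


def classify(rules, observed):
    """Compare an observed sequence with the rules that share its prefix."""
    prefix, last = observed[:-1], observed[-1]
    matching = [r for r in rules if r[:-1] == prefix]
    if not matching:
        # No rule has this prefix, so the rule base cannot judge the sequence.
        return "no matching rule"
    # The prefix is known: anything other than a predicted event deviates.
    return "normal" if any(r[-1] == last for r in matching) else "anomaly"


if __name__ == "__main__":
    for rule in RULES:
        print("->".join(rule), rule_probability(TRACE, rule))
    print("A->B->F:", classify(RULES, ["A", "B", "F"]))
```

A course that defines rule probability differently (for example, as the frequency of the whole sequence among all windows of that length) would change the denominator in `rule_probability`.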
