$2.$

a$)$ Consider the concept of Time Based Inductive Learning we saw

in class for Anomaly Detection. Consider that the security admin of an

organization, sees a few snapshots of the system logs$,$ and builds a trace of

events that are sequental. The snapshots captured by the security admin

reveal the trace of for one parrticular user $($say Jane$)$ asA$BCSTSTABCABCS.$

From this, a$)$ compute the probabilities of occurrence of the following

sequences which are the rules created by the security admin as acceptable

for user Jane.

Rule $1$: $ABC$

Compute the probability:

Rule $2$: $ST$

Compute the probability:

Rule $3$: $CS$

Compute the probability:

Rule $4$: $TA$

Compute the probability:

b$)$ For the purposes of this question, let event A denote user logging in;

event $B$ denote user opening her email, and event $C$ denote searching for a

contact. As we can see, this trace is considered acceptable.

Based on these rules alone, if a sequence currently being logged appears in

the form of $ABF,$ will an anomaly be triggered? Answer Yes or No$,$ with

a simple justification. For this case, let event $F$ denote sending an email with

an attachment.

Depending on your answer above, what should the security admin do now

in terms of modifying rules. Should the Admin add the above trace $ABF$

as acceptable? Please justify.