Clone event in TC3 theia interpretation

[aanand300]

Can someone please explain what does EVENT_CLONE means in TC3 theia dataset? Specifically, I'm curious to understand how the "subject" and "predicateObject" are related in the clone event.

[Chaves2021]

You can check it at CDM18.avdl, stated in the readme file as human-readable version of CDM used by the consumer to create avro files and then creates the json files. It's on lines 336 and 337:

 336         /* Subject -> Object */
 337         EVENT_CLONE,                  // clone a subject

[aanand300]

Hi @Chaves2021 thanks for pointing that out. However, when I look at the TC3 theia-6r dataset I'm finding some entries in the json logs like the following:

{"datum":{"com.bbn.tc.schema.avro.cdm18.Event":{"uuid":"F7EE2E0B-C022-2415-DE16-020000000010","sequence":{"long":1741},"type":"EVENT_CLONE","threadId":{"int":3636},"hostId":"0A00063C-5254-00F0-0D60-000000000070","subject":{"com.bbn.tc.schema.avro.cdm18.UUID":"340EE419-0000-0000-0000-000000000020"},"predicateObject":{"com.bbn.tc.schema.avro.cdm18.UUID":"3A0EE519-0000-0000-0000-000000000020"},"predicateObjectPath":null,"predicateObject2":{"com.bbn.tc.schema.avro.cdm18.UUID":"00000000-0000-0000-0000-000000000000"},"predicateObject2Path":null,"timestampNanos":1523380782174760695,"name":{"string":"clone"},"parameters":null,"location":null,"size":null,"programPoint":null,"properties":{"map":{}}}},"CDMVersion":"18","source":"SOURCE_LINUX_THEIA"}

where the subject seems like a fluxbox process with "path" /usr/bin/fluxbox and the predicate object seems like a firefox process with "path" /home/admin/Downloads/firefox/firefox. Do you know why the effect of clone changes the path (if it is really just the clone system call)?
(Also, do you know why the "cmdLine" "string" of subject and predicate object are different?)

Just for reference the subject and predicate object log entries are as follows respectively:
Subject-

{"datum":{"com.bbn.tc.schema.avro.cdm18.Subject":{"uuid":"340EE419-0000-0000-0000-000000000020","type":"SUBJECT_PROCESS","cid":3636,"parentSubject":{"com.bbn.tc.schema.avro.cdm18.UUID":"8C081700-0000-0000-0000-000000000020"},"hostId":"0A00063C-5254-00F0-0D60-000000000070","localPrincipal":"EC000000-0000-0000-0000-000000000060","startTimestampNanos":1523380781445905515,"unitId":null,"iteration":null,"count":null,"cmdLine":{"string":"fluxbox"},"privilegeLevel":null,"importedLibraries":null,"exportedLibraries":null,"properties":{"map":{"tgid":"3636","path":"/usr/bin/fluxbox","ppid":"2188"}}}},"CDMVersion":"18","source":"SOURCE_LINUX_THEIA"}

Object-

{"datum":{"com.bbn.tc.schema.avro.cdm18.Subject":{"uuid":"3A0EE519-0000-0000-0000-000000000020","type":"SUBJECT_PROCESS","cid":3642,"parentSubject":{"com.bbn.tc.schema.avro.cdm18.UUID":"8C081700-0000-0000-0000-000000000020"},"hostId":"0A00063C-5254-00F0-0D60-000000000070","localPrincipal":"EC000000-0000-0000-0000-000000000060","startTimestampNanos":1523380782174724294,"unitId":null,"iteration":null,"count":null,"cmdLine":{"string":"/usr/bin/firefox"},"privilegeLevel":null,"importedLibraries":null,"exportedLibraries":null,"properties":{"map":{"tgid":"3636","path":"/home/admin/Downloads/firefox/firefox","ppid":"2188"}}}},"CDMVersion":"18","source":"SOURCE_LINUX_THEIA"}