Shadowing Overview

Note: You must understand shadowing when setting up a detection order.

Shadowing is about the theory of sets. If you have two sets and neither of the two sets is a subset of the other, there is no problem.

Figure: Shadowing set one and set two.

However, if one of the sets is a subset of the other, there might be a problem with the two sets shadowing each other.

Figure: Shadowing set one as subset of set two.

For example:

- One target group (TG 1) with two paths: A\B\C = "X" and D\E\F = "Y".

- Another target group (TG 2) with one path: A\B\C = "X".

In this case the target groups will shadow each other, meaning that TG 2 is a subset of TG 1.

Now, assume that the data in the paths A\B\C = "Alpha" and D\E\F = "Bravo" is sent to EC:


<A>
	<B>
		<C>Alpha</C>
	</B>
</A>
<D>
	<E>
		<F>Bravo</F>
	</E>
</D>

With the detection order:

Figure: Shadowing TG2 and TG1 (TG 2 is placed before TG 1 in the detection order).

In this example, the path A\B\C has the same value, "Alpha", in both TG 2 and TG 1.

EC then tries to detect the message according to this detection order. EC starts by checking whether there is a match on TG 2 for the target (A\B\C = "Alpha"). EC finds a match on this target, so it does not continue to TG 1. This is because the target (A\B\C) is included in TG 2.

This is called shadowing. It occurs when the target groups are ordered in such a way that a larger set is never used, because its target values are already included in a smaller set that is placed earlier in the detection order.

When the order is changed in pairs of target groups

Changing the order of two target groups affects the detection order of targets.

Figure: Changed order of target groups.

In the given example, the smaller set is placed after the larger set. EC first checks whether TG 1 has a match on both of its targets, A\B\C and D\E\F. As long as TG 1 has a match on both targets, TG 1 is used. If TG 1 does not match on both targets, EC continues down the detection order and looks for a match on TG 2.

As long as the first target group has a match on all of its targets, that match is used. This explains the particular order of MVX_XZ_YQ target groups.

To avoid shadowing, the target groups are ordered with the largest set first and the smallest set last.
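
The first-match behavior and the largest-set-first rule described above, as an added example that is not EC's own code. It is a simplified model with these assumptions: target groups are plain path-to-value mappings, paths are written with "/" instead of "\", both groups use the values "Alpha" and "Bravo", and the sample message is constructed and wrapped in a hypothetical <msg> root so that it parses as a single document.

```python
import xml.etree.ElementTree as ET

# Constructed sample message (the <msg> wrapper is an assumption of this example).
MESSAGE = "<msg><A><B><C>Alpha</C></B></A><D><E><F>Bravo</F></E></D></msg>"

# Target groups from the example: each maps a path to the value it must hold.
TG1 = ("TG 1", {"A/B/C": "Alpha", "D/E/F": "Bravo"})
TG2 = ("TG 2", {"A/B/C": "Alpha"})


def detect(message_xml, order):
    """Return the first group in `order` whose targets all match, else None."""
    root = ET.fromstring(message_xml)
    for name, targets in order:
        if all(root.findtext(path) == value for path, value in targets.items()):
            return name  # first match wins; later groups are never checked
    return None


def shadowed(order):
    """Return (shadowed_group, shadowing_group) pairs for a detection order.

    A later group is shadowed when an earlier group's targets are a subset
    of its own: every message that matches the later group has already
    matched the earlier one.
    """
    pairs = []
    for i, (early_name, early) in enumerate(order):
        for late_name, late in order[i + 1:]:
            if early.items() <= late.items():
                pairs.append((late_name, early_name))
    return pairs


def largest_first(groups):
    """Order groups with the largest target set first, the smallest last."""
    return sorted(groups, key=lambda group: len(group[1]), reverse=True)


if __name__ == "__main__":
    bad_order = [TG2, TG1]
    print(detect(MESSAGE, bad_order), shadowed(bad_order))
    good_order = largest_first(bad_order)
    print(detect(MESSAGE, good_order), shadowed(good_order))
```

Running `shadowed` over a proposed detection order before deploying it flags any target group that can never be selected.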