An ontology-based intrusion alerts correlation system

Alert correlation techniques effectively improve the quality of alerts reported by intrusion detection systems, and are sufficient to support rapid identification of ongoing attacks or prediction of an intruder's next likely goal. In our previous work, an alert correlation approach based on our XSWRL ontology was proposed. This paper focuses on how to develop the intrusion alerts correlation system according to that alert correlation approach. First, the multi-agent system architecture consisting of agents and sensors is shown: the sensors collect security-relevant information, and the agents process it. Then we present each module of the system in detail. The State Sensor collects information about the security state, and the Local State Agent and Center State Agent preprocess the security state information and convert it into ontology form. The Attack Sensor collects information about attacks, and the Local Alert Agent and Center Alert Agent preprocess the alert information and convert it into ontology form. The Attack Correlator correlates the attacks and outputs the attack sessions.
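The sensor-to-agent-to-correlator data flow described above, as an added illustration that is not code from the paper: raw alerts from an Attack Sensor are mapped by an Alert Agent onto ontology-style individuals, and an Attack Correlator chains them into attack sessions. The sample alerts, the `ATTACK_ONTOLOGY` prerequisite/consequence table and the chaining rule (consequence of one alert matches the prerequisite of the next, same source/target pair, within a time window) are constructed assumptions, not the paper's XSWRL ontology or its correlation rules.

```python
# Toy pipeline mirroring the abstract's architecture (constructed sample data;
# prerequisite/consequence rules are assumptions, not the paper's XSWRL ontology).
from collections import namedtuple

# Constructed raw alerts as an Attack Sensor might emit (IDMEF-like fields).
RAW_ALERTS = [
    {"id": 1, "sig": "PortScan", "src": "10.0.0.5", "dst": "10.0.0.9", "t": 100},
    {"id": 2, "sig": "ExploitFTP", "src": "10.0.0.5", "dst": "10.0.0.9", "t": 160},
    {"id": 3, "sig": "PortScan", "src": "10.0.0.7", "dst": "10.0.0.3", "t": 170},
    {"id": 4, "sig": "NewAdminAccount", "src": "10.0.0.5", "dst": "10.0.0.9", "t": 300},
    {"id": 5, "sig": "UnknownSig", "src": "10.0.0.7", "dst": "10.0.0.3", "t": 320},
]
# Assumed ontology fragment: attack class -> (prerequisite state, consequence state).
ATTACK_ONTOLOGY = {
    "PortScan": ("HostReachable", "ServicesKnown"),
    "ExploitFTP": ("ServicesKnown", "ShellAccess"),
    "NewAdminAccount": ("ShellAccess", "PersistentAccess"),
}
# One ontology individual of the (assumed) Attack class.
AttackIndividual = namedtuple("AttackIndividual", "id cls source target time prereq consequence")

def alert_agent(raw):
    """Alert Agent: map raw alerts onto ontology individuals; unknown classes are dropped."""
    out = []
    for a in raw:
        if a["sig"] in ATTACK_ONTOLOGY:
            pre, con = ATTACK_ONTOLOGY[a["sig"]]
            out.append(AttackIndividual(a["id"], a["sig"], a["src"], a["dst"], a["t"], pre, con))
    return sorted(out, key=lambda x: x.time)

def attack_correlator(individuals, window=600):
    """Attack Correlator: append an alert to the session whose last alert's consequence
    is its prerequisite, on the same source/target pair, within `window` seconds."""
    sessions = []
    for ind in individuals:
        for s in sessions:
            last = s[-1]
            if (last.consequence == ind.prereq and last.source == ind.source
                    and last.target == ind.target and 0 <= ind.time - last.time <= window):
                s.append(ind)
                break
        else:
            sessions.append([ind])
    return [[i.id for i in s] for s in sessions]  # sessions as lists of alert ids

def run_pipeline(raw=RAW_ALERTS):
    return attack_correlator(alert_agent(raw))
```

With the sample data, alerts 1, 2 and 4 form one session (scan, exploit, account creation against the same target) while alert 3 stays a single-alert session and alert 5 is discarded by the agent as an unknown class.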
