An ontology-based approach to react to network attacks

To address the evolution of security incidents in current communication networks, it is important to react quickly and efficiently to an attack. The RED (Reaction after Detection) project is defining and designing solutions to enhance the detection/reaction process, improving the overall resilience of IP networks to attacks and helping telecommunication and service providers to maintain sufficient quality of service and respect service level agreements. Within this project, a main component is in charge of instantiating new security policies that counteract the network attacks. This paper proposes an ontology-based approach to instantiate these security policies. The approach provides a way to map alerts into attack contexts, which are then used to identify the policies that must be applied in the network to counter the threat. For this purpose, ontologies describing alerts and policies are defined, and inference rules are used to perform such mappings.
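The alert-to-context-to-policy chain described in the abstract, as an added illustration (not the RED project's code); the alert classes, asset roles, rule names and policy templates are constructed for this example:

```python
"""Alert -> attack context -> policy instantiation, in the style of rule-based
inference over an alert/policy ontology. Added example; all vocabulary is assumed."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Alert:
    """Minimal IDMEF-like alert: classification name plus source/target addresses."""
    classification: str
    source: str
    target: str
    target_service: Optional[str] = None

# Assumed ontology fragments (constructed): alert classification -> attack class,
# and target address -> asset role.
ATTACK_CLASS = {"tcp-syn-flood": "DoS", "udp-flood": "DoS", "ssh-bruteforce": "BruteForce"}
ASSET_ROLE = {"10.0.0.5": "WebServer", "10.0.0.9": "SSHGateway"}

# Inference rules in the spirit of SWRL: each rule reads the alert plus derived
# facts and returns the attack context it asserts, or None if it does not fire.
def rule_dos_on_public_server(alert, facts):
    if facts.get("attack_class") == "DoS" and facts.get("target_role") == "WebServer":
        return "DoS_on_public_server"

def rule_bruteforce_on_gateway(alert, facts):
    if facts.get("attack_class") == "BruteForce" and facts.get("target_role") == "SSHGateway":
        return "Bruteforce_on_gateway"

RULES = [rule_dos_on_public_server, rule_bruteforce_on_gateway]

# Context -> policy template; the template is instantiated with values from the alert.
POLICY_TEMPLATES = {
    "DoS_on_public_server": lambda a: {"action": "rate_limit", "src": a.source, "dst": a.target},
    "Bruteforce_on_gateway": lambda a: {"action": "deny", "src": a.source, "dst": a.target,
                                         "service": a.target_service},
}

def infer_contexts(alert):
    """Derive base facts from the ontology, then fire every rule; returns the set of contexts."""
    facts = {"attack_class": ATTACK_CLASS.get(alert.classification),
             "target_role": ASSET_ROLE.get(alert.target)}
    contexts = set()
    for rule in RULES:
        ctx = rule(alert, facts)
        if ctx is not None:
            contexts.add(ctx)
    return contexts

def instantiate_policies(alert):
    """Map each inferred context to a concrete policy instance; contexts without a template yield nothing."""
    return [POLICY_TEMPLATES[ctx](alert) for ctx in sorted(infer_contexts(alert)) if ctx in POLICY_TEMPLATES]
```

An alert whose target has no role in the asset ontology fires no rule, so no policy is instantiated; extending the reaction to new attack types means adding a rule and a template rather than changing the engine.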
