Attack scenario reconstruction using intrusion semantics

Abstract

Security information and event management (SIEM) systems receive a large number of alerts from different intrusion detection systems. From these alerts, they are expected to make reliable and timely decisions about the types of ongoing attack scenarios and their priorities. However, the lack of an agreed-upon vocabulary for representing the domain knowledge makes it difficult for state-of-the-art SIEM systems to manage these complex decisions effectively. To overcome this problem, an ontology-based expert system approach can provide domain knowledge modeling as a foundation for disambiguation of meaning and automatic reasoning about ongoing attack scenarios. The proposed approach reconstructs attack scenarios by reasoning over the evidence in the alert stream. Its main idea is to identify the causal relation between alerts using their similarity. The approach assumes that the similarity between two successive steps of an attack scenario is greater than that between two non-successive steps, and that the similarity between steps of the same attack scenario is greater than that between steps of two different attack scenarios. The benefits of the proposed approach include the fast and incremental reconstruction of known and unknown attack scenarios without expert intervention, which is an enormous step forward in developing expert and intelligent systems for cyber security. We evaluated the proposed technique by performing experiments on two known datasets: DARPA 2000 and MACCDC 2012. The results prove the advantages of the proposed approach with regard to completeness and soundness criteria.
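The following is an added illustration, not code from the paper, of the similarity assumption described above: each incoming alert is linked to the most similar earlier alert when the score clears a threshold, otherwise it starts a new scenario. The attribute weights, the 600 s temporal window, the 0.4 threshold and the alert records are all constructed here for the example and are not taken from the paper.

```python
# Constructed sample alert stream (addresses, ports and timestamps are made up).
# Scenario A: 10.0.0.5 probes and exploits 10.0.0.20, which then pivots to 10.0.0.30.
# Scenario B: 192.168.1.9 probes and exploits 10.0.0.50 in parallel.
ALERTS = [
    {"id": 1, "t": 100, "src": "10.0.0.5",    "dst": "10.0.0.20", "dport": 22,  "category": "recon"},
    {"id": 2, "t": 130, "src": "10.0.0.5",    "dst": "10.0.0.20", "dport": 22,  "category": "exploit"},
    {"id": 3, "t": 140, "src": "192.168.1.9", "dst": "10.0.0.50", "dport": 80,  "category": "recon"},
    {"id": 4, "t": 200, "src": "10.0.0.20",   "dst": "10.0.0.30", "dport": 445, "category": "lateral"},
    {"id": 5, "t": 230, "src": "192.168.1.9", "dst": "10.0.0.50", "dport": 80,  "category": "exploit"},
]

TIME_WINDOW = 600.0  # assumed: alerts more than 10 minutes apart get no temporal credit


def similarity(a, b):
    """Weighted attribute similarity in [0, 1] between two alerts (weights are assumptions).
    Hosts are compared as an unordered set so that a victim that becomes the next step's
    source (a pivot) still looks similar to its predecessor."""
    hosts_a, hosts_b = {a["src"], a["dst"]}, {b["src"], b["dst"]}
    host_jaccard = len(hosts_a & hosts_b) / len(hosts_a | hosts_b)
    temporal = max(0.0, 1.0 - abs(a["t"] - b["t"]) / TIME_WINDOW)
    return 0.5 * host_jaccard + 0.2 * (a["dport"] == b["dport"]) + 0.3 * temporal


def reconstruct(alerts, threshold=0.4):
    """Incrementally assign alerts to scenarios in stream (timestamp) order.
    Returns (scenario_of: alert id -> scenario number, edges: list of (predecessor, successor))."""
    scenario_of, edges, seen = {}, [], []
    for alert in sorted(alerts, key=lambda x: x["t"]):
        best, best_score = None, threshold
        for prev in seen:  # only earlier alerts can be causal predecessors
            score = similarity(prev, alert)
            if score > best_score:
                best, best_score = prev, score
        if best is None:  # nothing similar enough: open a new scenario
            scenario_of[alert["id"]] = len(set(scenario_of.values())) + 1
        else:             # attach to the predecessor's scenario
            scenario_of[alert["id"]] = scenario_of[best["id"]]
            edges.append((best["id"], alert["id"]))
        seen.append(alert)
    return scenario_of, edges


if __name__ == "__main__":
    scenarios, links = reconstruct(ALERTS)
    print("scenario per alert:", scenarios)   # {1: 1, 2: 1, 3: 2, 4: 1, 5: 2}
    print("causal links:", links)             # [(1, 2), (2, 4), (3, 5)]
```

Note that alert 4 scores above the threshold against both alert 1 and alert 2, and is attached to alert 2 only because successive steps score higher than non-successive ones, which is exactly the assumption the approach relies on.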
