From Intrusion Detection to Intrusion Detection and Diagnosis: An Ontology-Based Approach

Currently available products provide only partial support for Intrusion Prevention and Intrusion Detection, and largely lack Intrusion Diagnosis features. We discuss the limitations of current Intrusion Detection System (IDS) technology and propose a novel approach, which we call Intrusion Detection & Diagnosis System (ID2S) technology, to overcome them. The basic idea is to collect information at several architectural levels, using multiple security probes deployed as a distributed architecture, and to perform sophisticated correlation analysis of the intrusion symptoms they report. This makes it possible to escalate from intrusion symptoms to the adjudged cause of the intrusion, and to assess the damage to individual system components. The process is driven by ontologies. We also present preliminary experimental results, providing evidence that our approach is effective against stealthy and non-vulnerability attacks.
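As an added illustration, not code from the paper, the following Python sketch shows how an ontology that ties symptoms observed at several architectural levels to an adjudged cause, and that cause to the components it damages, can drive cross-probe correlation; the ontology entries, probe names, symptom vocabulary and sample reports are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed ontology (an assumption, not the paper's): each adjudged cause
# lists the (level, symptom) pairs that must co-occur and the components it damages.
ONTOLOGY = {
    "credential-abuse-via-web": {
        "requires": {("network", "repeated-auth-requests"),
                     ("os", "new-privileged-session"),
                     ("application", "unexpected-db-query")},
        "damages": ["web-frontend", "auth-service", "customer-db"]},
    "config-tampering": {
        "requires": {("os", "config-file-modified"),
                     ("application", "unexpected-db-query")},
        "damages": ["customer-db"]},
}

@dataclass(frozen=True)
class Symptom:
    time: int    # seconds since an arbitrary epoch
    probe: str   # which distributed probe reported it
    level: str   # architectural level: network, os or application
    kind: str    # symptom class, drawn from the ontology vocabulary

def correlate(symptoms, window=60):
    """Escalate to a cause once every (level, symptom) it requires is seen
    inside one time window, and record the components it damages."""
    events = sorted(symptoms, key=lambda s: s.time)
    findings = {}
    for i, anchor in enumerate(events):
        seen = {(s.level, s.kind) for s in events[i:]
                if s.time - anchor.time <= window}
        for cause, spec in ONTOLOGY.items():
            if cause not in findings and spec["requires"] <= seen:
                findings[cause] = {
                    "first_seen": anchor.time,
                    "levels": sorted({lvl for lvl, _ in spec["requires"]}),
                    "damaged": list(spec["damages"])}
    return findings

# Constructed sample reports: three probes at three levels agree within 60 s,
# while the config-file symptom arrives too late to join the same window.
SAMPLE = [
    Symptom(0, "net-probe-1", "network", "repeated-auth-requests"),
    Symptom(20, "host-probe-7", "os", "new-privileged-session"),
    Symptom(45, "app-probe-2", "application", "unexpected-db-query"),
    Symptom(500, "host-probe-7", "os", "config-file-modified"),
]
```

A symptom seen at a single level never escalates on its own; only the cross-level combination the ontology names is diagnosed as a cause, which is what lets the correlation step surface attacks that no single probe would flag.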
