Using semantic networks to counter cyber threats

Intrusion detection is one of the most challenging tasks and of highest priority in the cyber security field; however, traditional intrusion detection techniques often fail to handle the complex and uncertain network attack correlation tasks. We propose the usage of semantic networks that build relationships among network attacks and assist in automatically identifying and predicting related attacks. Also, our method can increase the precision in detecting probable attacks. Experimental results show that our Semantic Network using the Anderberg similarity measure performs better in terms of precision and recall compared to existing correlation approaches in the cyber security domain. Specifically, our contributions are as follows: (1) We automatically construct a first mode Semantic Network from characterizing features of network attacks using similarity. (2) The first mode semantic network is calibrated by adding external semantic rules provided by domain experts, in order to generate a more adaptable second mode semantic network. (3) We evaluated the prediction capability of the semantic networks by experimenting with various similarity measures including Anderberg, Jaccard, Simple Matching and traditional correlation coefficients; we discovered that the “Anderberg” similarity coefficients outperform all other tested similarity measures in terms of precision and recall.