Toward an Efficient Ontology-Based Event Correlation in SIEM

Abstract Cooperative intrusion detection uses several intrusion detection systems (IDS) and analyzers in order to build a reliable overview of the monitored system through a central security information and event management (SIEM) system. In such an environment, the definition of a shared vocabulary describing the information exchanged between tools is essential. Since these pieces of information are structured, we propose in this paper to use an ontological representation based on Description Logics (DLs), which are a powerful tool for knowledge representation. Moreover, DLs are able to ensure decidable reasoning. An alert correlation prototype using this ontology is presented, and an illustrative attack scenario is carried out to show the usefulness of the proposed ontology.
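The core idea of the abstract, a shared alert vocabulary whose subsumption hierarchy lets a SIEM merge alerts from different sensors, as an added example that is not the paper's prototype: the toy class hierarchy, the alert records and the sensor names below are constructed for illustration, and the least-common-subsumer step stands in for what a DL reasoner would compute over a real ontology.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed toy TBox: "child is subsumed by parent" axioms between alert classes.
# Illustration only; the paper's ontology is not reproduced here.
SUBSUMED_BY: Dict[str, str] = {
    "SQLInjection": "WebAttack", "XSS": "WebAttack", "WebAttack": "Attack",
    "PortScan": "Reconnaissance", "Reconnaissance": "Attack",
}

def ancestors(cls: str) -> List[str]:
    """Return cls followed by every class subsuming it, most specific first."""
    chain = [cls]
    while chain[-1] in SUBSUMED_BY:
        chain.append(SUBSUMED_BY[chain[-1]])
    return chain

def least_common_subsumer(a: str, b: str) -> Optional[str]:
    """Most specific class subsuming both a and b; None if the classes are unrelated."""
    anc_b = set(ancestors(b))
    return next((c for c in ancestors(a) if c in anc_b), None)

@dataclass
class Alert:
    sensor: str   # which IDS/analyzer raised it
    cls: str      # class in the shared vocabulary (sensor label already mapped)
    target: str   # monitored host the alert concerns
    time: int     # seconds since some epoch

def correlate(alerts: List[Alert], window: int = 60) -> List[dict]:
    """Merge alerts on one target whose classes share a subsumer below the root 'Attack'.
    Each meta-alert is labelled with the least common subsumer of its members."""
    meta: List[dict] = []
    for a in sorted(alerts, key=lambda x: x.time):
        for m in meta:
            lcs = least_common_subsumer(m["cls"], a.cls)
            if (m["target"] == a.target and a.time - m["last"] <= window
                    and lcs not in (None, "Attack")):
                m["cls"], m["last"] = lcs, a.time
                m["sensors"].add(a.sensor)
                m["count"] += 1
                break
        else:  # no existing meta-alert matched: open a new one
            meta.append({"cls": a.cls, "target": a.target, "last": a.time,
                         "sensors": {a.sensor}, "count": 1})
    return meta

# Constructed sample alerts from three hypothetical sensors.
SAMPLE_ALERTS = [
    Alert("nids", "SQLInjection", "web01", 100), Alert("waf", "WebAttack", "web01", 130),
    Alert("waf", "XSS", "db01", 131), Alert("nids", "PortScan", "web01", 140),
    Alert("hids", "XSS", "web01", 900),
]

def demo() -> List[dict]:
    return correlate(SAMPLE_ALERTS)
```

Running demo() yields four meta-alerts: the NIDS and WAF alerts on web01 collapse into one WebAttack meta-alert, while the port scan (only related through the root class), the alert on db01 and the late XSS alert stay separate.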
