Description logics for an autonomic IDS event analysis system

The Internet has grown by several orders of magnitude in recent years, and this growth has escalated the importance of computer security. Intrusion Detection Systems (IDS) are used to protect computer networks. However, the overwhelming flow of log data generated by an IDS hampers security administrators from uncovering the hidden attack scenarios. Therefore, an autonomic IDS event analysis system is essential to make the IDS console smarter and more efficient. In this paper, we propose an IDS autonomic event analysis system represented by description logics, which allows attack scenarios to be inferred and enables semantic queries over attack knowledge. The modified case grammar PCTCG is used to convert raw alerts into frame-structured alert streams, and the alert semantic network 2-AASN is used to generate the attack scenarios, which can then be reported to the security administrator. Afterwards, based on the alert contexts, attack scenario instances are extracted, and the results of attack semantic queries over those attack scenario instances, computed with the spreading activation technique, are forwarded to the security administrator.
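As an added illustration of the spreading activation query step described above (example code written for this page, not the paper's own implementation), the block below runs spreading activation over a constructed alert semantic network: the node names, edge weights, decay and threshold values are all hypothetical, and the network is a stand-in for the 2-AASN-derived scenario instances the abstract mentions.

```python
from collections import defaultdict

# Constructed alert semantic network (example data, not from the paper).
# Nodes are frame-structured alerts ("type:target") and attack-scenario
# instances; edge weights are assumed semantic-association strengths.
EDGES = [
    ("scan:10.0.0.5", "exploit:10.0.0.5", 0.8),
    ("exploit:10.0.0.5", "privesc:10.0.0.5", 0.9),
    ("scan:10.0.0.5", "scenario:A", 0.7),
    ("exploit:10.0.0.5", "scenario:A", 0.9),
    ("privesc:10.0.0.5", "scenario:A", 0.9),
    ("scan:10.0.0.9", "scenario:B", 0.7),
    ("bruteforce:10.0.0.9", "scenario:B", 0.8),
    ("scan:10.0.0.5", "scan:10.0.0.9", 0.3),  # same attacker source, weak link
]

def build_graph(edges):
    """Undirected weighted adjacency list."""
    graph = defaultdict(list)
    for a, b, w in edges:
        graph[a].append((b, w))
        graph[b].append((a, w))
    return graph

def spread(graph, seeds, decay=0.6, threshold=0.05, max_hops=3):
    """Spreading activation: seed alerts start at 1.0. Each hop, every node
    that became active in the previous hop pushes activation*weight*decay to
    its neighbours. A node fires once: its activation is the total it received
    in the hop it was first reached, and it is dropped if below threshold."""
    activation = {s: 1.0 for s in seeds}
    frontier = dict(activation)
    for _ in range(max_hops):
        incoming = defaultdict(float)
        for node, act in frontier.items():
            for nb, w in graph[node]:
                if nb not in activation:  # already-fired nodes are not re-activated
                    incoming[nb] += act * w * decay
        frontier = {n: a for n, a in incoming.items() if a >= threshold}
        activation.update(frontier)
    return activation

def query_scenarios(graph, seeds, **kw):
    """Rank attack-scenario instances by the activation reached from the query alerts."""
    act = spread(graph, seeds, **kw)
    hits = [(n, a) for n, a in act.items() if n.startswith("scenario:")]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    g = build_graph(EDGES)
    print(query_scenarios(g, ["exploit:10.0.0.5"]))  # scenario:A only
    print(query_scenarios(g, ["scan:10.0.0.9"]))     # scenario:B, then weak scenario:A
```

Querying from the exploit alert reaches only scenario A, while querying from the second scan reaches scenario B strongly and scenario A only faintly through the shared-source link, which is the kind of ranked answer the abstract's semantic query step forwards to the administrator.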
