An ontology-based intrusion alerts correlation system

Expert Systems with Applications

Volumn 37, Issue 10, 2010, Pages 7138-7146

  Li, Wan ^a   Tian, Shengfeng ^a  

^a BEIJING JIAOTONG UNIVERSITY   (China)

Author keywords

Alert correlation; Intrusion detection; Ontology; System integration and implementation

Indexed keywords

MERCURY (METAL); MULTI AGENT SYSTEMS; ONTOLOGY;

ALERT CORRELATION; INTRUSION ALERTS; INTRUSION DETECTION SYSTEMS; MULTI-AGENT SYSTEM ARCHITECTURE; ONTOLOGY-BASED; RAPID IDENTIFICATION; STATE INFORMATION; SYSTEM INTEGRATION;

INTRUSION DETECTION;

EID: 81355154787     PISSN: 09574174     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.eswa.2010.03.068     Document Type: Article

References (45)

1. Antoniou, G., & Bikakis, A. (2007). DR-Prolog: A system for defeasible reasoning with rules and ontologies on the semantic web. IEEE Transactions on Knowledge and Data Engineering, 19(2), 233-245. (Pubitemid 46104026)
2. Axelsson, S. (2000). The base-rate fallacy and its implication for the difficulty of intrusion detection. ACM Transactions on Information and System Security, 3(3), 186-205.
3. Baader, F., Calvanese, D., McGuinness, D. L., Nardi, D., & Patel-Schneider, P. F. (2003). The description logic handbook: Theory, implementation, and applications. Cambridge University Press.
4. Cuppens, F. (2001). Managing alerts in a multi-intrusion detection environment. In Proceedings of the 17th annual computer security applications conference (pp. 22-31). New Orleans, Louisiana, USA.
5. Cuppens, F., & Miege, A. (2002). Alert correlation in a cooperative intrusion detection framework. In Proceedings of the 2002 IEEE symposium on security and privacy (pp. 202-215). Oakland, California, USA. (Pubitemid 34648114)
6. Cuppens, F., & Ortalo, R. (2000). LAMBDA: A language to model a database for detection of attacks. Proceedings of the 3rd international workshop on the recent advances in intrusion detection, RAID 2000, Lecture notes in computer science (Vol. 1907, pp. 197-216). Springer-Verlag.
7. CVE (2009). Common vulnerabilities and exposures (CVE). MITRE Corporation. Accessed 25.06.09.
8. Dain, O. M., & Cunningham, R. K. (2001a). Building scenarios from a heterogeneous alert stream. In Proceedings of the 2001 IEEE workshop on information assurance and security (pp. 231-235). West Point, NY, USA.
9. Dain, O. M., & Cunningham, R. K. (2001b). Fusing a heterogeneous alert stream into scenarios. In Proceedings of the 2001 ACM workshop on data mining for security application (pp. 1-13). Philadelphia, Pennsylvania, USA.
10. DARPA (2000). 2000 DARPA intrusion detection scenario specific data sets, Lincoln laboratory scenario (DDoS) 1.0. Accessed 25.06.09.
11. Debar, H., & Wespi, A. (2001). Aggregation and correlation of intrusion-detection alerts. In Proceedings of the 4th international symposium on recent advances in intrusion detection (RAID 2001). Lecture Notes in Computer Science (Vol. 2212, pp. 85-103). Springer-Verlag. (Pubitemid 33352002)
12. Debar, H., Curry, D., Feinstein, B. (2007). RFC4765: The intrusion detection message exchange format (IDMEF). .
13. DIG (2009). Accessed 25.06.09.
14. dom4j (2009). Accessed 25.06.09.
15. Eckmann, S. T., Vigna, G., & Kemmerer, R. A. (2002). STATL: An attack language for state-based intrusion detection. Journal of Computer Security, 10(1), 71-104.
16. FaCT++, (2009). Accessed 25.06.09.
17. Geib, C. W., & Goldman, R. P. (2001). Plan recognition in intrusion detection systems. In Proceedings of the DARPA information survivability conference and exposition II. (DISCEX'01) (Vol. 1, pp. 46-55). Anaheim, California, USA.
18. Gruber, T. F. (1993). A translation approach to portable ontologies. Knowledge Acquisition, 5(2), 99-220.
19. Haines, J., Ryder, D. K., Tinnel, L., & Taylor, S. (2003). Validation of sensor alert correlators. IEEE Security and Privacy, 1(1), 46-56.
20. Horowitz, E., Sahni, S., & Mehta, D. (1995). Fundamentals of data structures in C++. New York, NY, USA: W. H. Freeman.
21. Horrocks, I., Patel-Schneider, P. F., Boley, H., Tabet, S., Grosof, B., & Dean, M. (2004). SWRL: A semantic web rule language combining OWL and RuleML. W3C member submission 21 May 2004. Latest version is available at .
22. Horrocks, I., Patel-Schneider, P. F., Bechhofer, S., & Tsarkov, D. (2005). OWL rules: a proposal and prototype implementation. Journal of Web Semantics, 3(1), 23-40. (Pubitemid 40891657)
23. Jess (2009). Accessed 25.06.09.
24. Kemmerer, R., & Vigna, G. (2002). Intrusion detection: A brief history and overview". IEEE Computer (Supplement to Computer Magazine on Security and Privacy), 35(4), 27-30.
25. Li, W., & Tian, S. (2008). XSWRL, an extended semantic web rule language. In Proceedings of the 2008 international symposium on intelligent information technology application (IITA2008) (Vol. 1, pp. 437-441). Shanghai, China.
26. Li, W., Zhu, Y., & Tian, S. (2008). Intrusion alerts correlation model based on XSWRL ontology. In Proceedings of the 2008 international symposium on intelligent information technology application (IITA2008) (Vol. 1, pp. 894-898). Shanghai, China.
27. McGuinness, D. L., & Harmelen, F. V. (2004). OWL web ontology language overview. W3C recommendation 10 February 2004. Latest version is available at .
28. Morin, B., & Debar, H. (2003). Correlation of intrusion symptoms: An application of chronicles. In Proceedings of the 6th international symposium on recent advances in intrusion detection (RAID2003). Lecture Notes in Computer Science (Vol. 2820, pp. 94-112). Springer-Verlag.
29. Mu, C. (2006). Research on automated intrusion response system. Ph. D. dissertation, Beijing Jiaotong University, Beijing, China [in Chinese].
30. Ning, P., Cui, Y., Reeves, D. S., & Xu, D. (2004). Techniques and tools for analyzing intrusion alerts. ACM Transactions on Information and System Security, 7(2), 274-318.
31. Ning, P., Cui, Y., & Reeves, D. S. (2002). Constructing attack scenarios through correlation of intrusion alerts. In Proceedings of the 9th ACM conference on computer and communications security (pp. 245-254). Washington, DC, USA.
32. Ning, P., & Xu, D. (2004). Hypothesizing and reasoning about attacks missed by intrusion detection systems. ACM Transactions on Information and System Security, 7(4), 1-37.
33. Porras, P. A., & Neumann, P. G. (1997). EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th national information systems security conference (pp. 353-365). Baltimore, Maryland, USA.
34. Protégé (2009). Accessed 25.06.09.
35. Racer (2009). Accessed 25.06.09.
36. Raskin, V., Hempelmann, C. F., Triezenberg, K. E., & Nirenburg, S. (2001). Ontology in information security: A useful theoretical foundation and methodological tool. In Proceedings of the new security paradigms workshop 2001 (pp. 53-59). Cloudcroft, New Mexico, USA.
37. Tsai, C.-F., Hsu, Y.-F., Lin, C.-Y., & Lin, W.-Y. (2009). Intrusion detection by machine learning: A review. Expert Systems with Applications, 36(10), 11994-12000.
38. Undercoffer, J., Joshi, A., & Pinkston, J. (2003). Modeling computer attacks: An ontology for intrusion detection. In Proceedings of the 6th international symposium on recent advances in intrusion detection (RAID 2003). Lecture notes in computer science (Vol. 2820, pp. 113-135). Springer-Verlag.
39. Undercoffer, J., Joshi, A., Finin, T., & Pinkston, J. (2003). A target-centric ontology for intrusion detection. In Proceedings of the 18th international joint conference on artificial intelligence (pp. 47-58). Acapulco, Mexico.
40. Valdes, A., & Skinner, K. (2001). Probabilistic alert correlation. In Proceedings of the 4th international symposium on recent advances in intrusion detection (RAID 2001). Lecture notes in computer science (Vol. 2212, pp. 54-68). Springer-Verlag. (Pubitemid 33352000)
41. Valeur, F., Vigna, G., Kruegel, C., & Kemmerer, R. A. (2004). A comprehensive approach to intrusion detection alert correlation. IEEE Transactions on Dependable and Secure Computing, 1(3), 146-169.
42. Yan, W., Hou, E., & Ansari, N. (2006). Description logics for an autonomic IDS event analysis system. Computer Communications, 29(15), 2841-2852.
43. Yu, D., & Frincke, D. (2007). Improving the quality of alerts and predicting intruder's next goal with hidden colored petri-net. Computer Networks, 51(3), 632-654. (Pubitemid 44792518)
44. Zhuge, J., Han, X., Ye, Z., & Zou, W. (2006). A network attack plan recognition algorithm based on the extended goal graph. Chinese Journal of Computers, 29(8), 1356-1366 [in Chinese]. (Pubitemid 44513480)
45. Zhuge, J., Xu, H., & Pan, A. (2004). An attack knowledge model based on objectoriented technology. Journal of Computer Research and Development, 41(7), 1110-1116 [in Chinese].