
ONTIDS: A Highly Flexible Context-Aware and Ontology-Based Alert Correlation Framework

  • Conference paper
  • Foundations and Practice of Security (FPS 2013)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8352)

Abstract

Several alert correlation approaches have been proposed to date to reduce the number of non-relevant alerts and false positives typically generated by Intrusion Detection Systems (IDS). Inspired by the mental process of contextualisation that security analysts use to weed out less relevant alerts, some of these approaches have tried to incorporate contextual information such as the type of systems, applications, users, and networks into the correlation process. However, these approaches are not flexible, as they only perform correlation based on narrowly defined contexts. To make use of the information resources available to security analysts while preserving the maximum flexibility and the power of abstraction in both the definition and the usage of such concepts, we propose ONTIDS, a context-aware and ontology-based alert correlation framework that uses ontologies to represent and store the alert information, the alert context, vulnerability information, and the attack scenarios. ONTIDS employs simple ontology logic rules written in the Semantic Query-Enhanced Web Rule Language (SQWRL) to correlate and filter out non-relevant alerts. We illustrate the potential usefulness and the flexibility of ONTIDS by employing its reference implementation on two separate case studies, inspired by the DARPA 2000 and UNB ISCX IDS evaluation datasets.
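The contextualisation step the abstract describes, as an added example that is not the paper's reference implementation: ONTIDS stores alerts, asset context, vulnerability information and attack scenarios in OWL ontologies and correlates them with SQWRL rules, whereas this block reduces the same idea to plain Python dictionaries and rule functions so it runs without an OWL reasoner. The hosts, services, placeholder CVE identifiers and alerts are all constructed sample data, and the three rules (platform mismatch, no listening service, host scanned as not vulnerable) are assumptions about what a practitioner would encode, not rules taken from the paper.

```python
"""Context-aware alert filtering in the spirit of ONTIDS, in plain Python.

Added example, not the paper's code. ONTIDS keeps alerts, asset context,
vulnerability information and attack scenarios in OWL ontologies and correlates
them with SQWRL rules; here the same contextualisation step is reduced to
dictionaries and rule functions. All hosts, CVE identifiers and alerts below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Alert:
    alert_id: str
    ts: int              # seconds; used only for ordering
    signature: str
    src_ip: str
    dst_ip: str
    dst_port: int
    cve: Optional[str]   # vulnerability the signature targets, if the sensor knows it


# Asset context, as a scanner (Nessus/Nmap) or a CMDB would supply it (constructed).
ASSETS = {
    "10.0.0.5": {"os": "Linux", "services": {80: "Apache httpd", 22: "OpenSSH"},
                 "vulnerable_to": {"CVE-0000-1001"}},
    "10.0.0.6": {"os": "Windows", "services": {80: "Microsoft IIS", 445: "SMB"},
                 "vulnerable_to": set()},           # scanned: IIS is patched
}

# Vulnerability knowledge; placeholder CVE identifiers constructed for this example.
VULNS = {
    "CVE-0000-1001": {"product": "Apache httpd", "os": {"Linux"}},
    "CVE-0000-1002": {"product": "Microsoft IIS", "os": {"Windows"}},
}

# A rule returns a reason string when the alert is NOT relevant, otherwise None.
Rule = Callable[[Alert, dict, dict], Optional[str]]


def rule_platform_mismatch(a: Alert, assets: dict, vulns: dict) -> Optional[str]:
    host, vuln = assets.get(a.dst_ip), vulns.get(a.cve)
    if host and vuln and host["os"] not in vuln["os"]:
        return f"target runs {host['os']}, {a.cve} affects {sorted(vuln['os'])}"
    return None


def rule_service_absent(a: Alert, assets: dict, vulns: dict) -> Optional[str]:
    host = assets.get(a.dst_ip)
    if host and a.dst_port not in host["services"]:
        return f"nothing listens on {a.dst_ip}:{a.dst_port}"
    return None


def rule_not_vulnerable(a: Alert, assets: dict, vulns: dict) -> Optional[str]:
    host = assets.get(a.dst_ip)
    if host and a.cve in vulns and a.cve not in host["vulnerable_to"]:
        return f"{a.dst_ip} scanned as not vulnerable to {a.cve}"
    return None


RULES: list = [rule_platform_mismatch, rule_service_absent, rule_not_vulnerable]


def contextualise(alerts, assets=ASSETS, vulns=VULNS, rules=RULES):
    """Split alerts into relevant ones and filtered ones (alert_id -> reason)."""
    relevant, filtered = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        reason = next((r for r in (rule(a, assets, vulns) for rule in rules) if r), None)
        if reason:
            filtered[a.alert_id] = reason
        else:
            relevant.append(a)   # unknown hosts fall through: no context, cannot rule out
    return relevant, filtered


def group_by_flow(alerts):
    """Correlate surviving alerts into (attacker, victim) groups, time ordered."""
    groups = {}
    for a in alerts:
        groups.setdefault((a.src_ip, a.dst_ip), []).append(a.alert_id)
    return groups


# Constructed IDMEF-like alerts from a signature-based sensor.
SAMPLE_ALERTS = [
    Alert("A1", 100, "WEB-IIS buffer overflow attempt", "203.0.113.7", "10.0.0.5", 80, "CVE-0000-1002"),
    Alert("A2", 130, "WEB-APACHE exploit attempt", "203.0.113.7", "10.0.0.5", 80, "CVE-0000-1001"),
    Alert("A3", 140, "WEB-IIS buffer overflow attempt", "203.0.113.7", "10.0.0.6", 8080, "CVE-0000-1002"),
    Alert("A4", 150, "WEB-IIS buffer overflow attempt", "203.0.113.7", "10.0.0.6", 80, "CVE-0000-1002"),
    Alert("A5", 160, "ICMP PING sweep", "198.51.100.2", "10.0.0.9", 0, None),
    Alert("A6", 90, "SCAN nmap TCP", "203.0.113.7", "10.0.0.5", 22, None),
]


def run_example():
    relevant, filtered = contextualise(SAMPLE_ALERTS)
    return [a.alert_id for a in relevant], filtered, group_by_flow(relevant)


if __name__ == "__main__":
    ids, dropped, flows = run_example()
    print("relevant:", ids)
    for alert_id, why in dropped.items():
        print(f"filtered {alert_id}: {why}")
    print("flows:", flows)
```

Of the six constructed alerts, A1 is dropped because an IIS exploit against a Linux/Apache host cannot succeed, A3 because nothing listens on the targeted port, and A4 because the scanner already reports the host as patched; A6 and A2 survive and are grouped into one attacker-to-victim flow, which is the input an attack-scenario rule would then consume. The unknown host 10.0.0.9 is deliberately kept: missing context must never silently discard an alert.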


References

  1. Li-Zhong, G., Hui-bo, J.: A novel intrusion detection scheme for network-attached storage based on multi-source information fusion. In: 2012 Eighth International Conference on Computational Intelligence and Security, pp. 469–473 (2009)
  2. Thomas, C., Balakrishnan, N.: Improvement in intrusion detection with advances in sensor fusion. IEEE Trans. Inf. Forensics Secur. 4(3), 542–551 (2009)
  3. Dreger, H., Kreibich, C., Paxson, V., Sommer, R.: Enhancing the accuracy of network-based intrusion detection with host-based context. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 206–221. Springer, Heidelberg (2005)
  4. Cuppens, F., Miège, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 202–215 (2002)
  5. Morin, B., Debar, H.: Correlation of intrusion symptoms: an application of chronicles. In: Vigna, G., Kruegel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 84–112. Springer, Heidelberg (2003)
  6. Chen, L., Aritsugi, M.: An SVM-based masquerade detection method with online update using co-occurrence matrix. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 37–53. Springer, Heidelberg (2006)
  7. Raftopoulos, E., Egli, M., Dimitropoulos, X.: Shedding light on log correlation in network forensics analysis. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2013. LNCS, vol. 7591, pp. 232–241. Springer, Heidelberg (2013)
  8. Gagnon, F., Massicotte, F., Esfandiari, B.: Using contextual information for IDS alarm classification (extended abstract). In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 147–156. Springer, Heidelberg (2009)
  9. Sinha, S., Jahanian, F., Patel, J.M.: WIND: workload-aware intrusion detection. In: Kruegel, C., Zamboni, D. (eds.) RAID 2006. LNCS, vol. 4219, pp. 290–310. Springer, Heidelberg (2006)
  10. Vorobiev, A., Bekmamedova, N.: An ontology-driven approach applied to information security. J. Res. Pract. Inf. Technol. 42(1), 61 (2010)
  11. Coppolino, L., D’Antonio, S., Elia, I., Romano, L.: From intrusion detection to intrusion detection and diagnosis: an ontology-based approach. In: Lee, S., Narasimhan, P. (eds.) SEUS 2009. LNCS, vol. 5860, pp. 192–202. Springer, Heidelberg (2009)
  12. Valeur, F., Vigna, G., Kruegel, C., Kemmerer, R.: A comprehensive approach to intrusion detection alert correlation. IEEE Trans. Depend. Secur. Comput. 1(3), 146–169 (2004)
  13. Cuppens, F., Ortalo, R.: LAMBDA: a language to model a database for detection of attacks. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 197–216. Springer, Heidelberg (2000)
  14. CVE: Common Vulnerabilities and Exposures (CVE), the key to information sharing. http://cve.mitre.org/
  15. CAPEC: Common Attack Pattern Enumeration and Classification (CAPEC). http://capec.mitre.org/
  16. Eckmann, S.T., Vigna, G., Kemmerer, R.A.: STATL: an attack language for state-based intrusion detection. J. Comput. Secur. 10(1), 71–103 (2002)
  17. Debar, H., Curry, D., Feinstein, B.: The Intrusion Detection Message Exchange Format (IDMEF) (2007)
  18. MITRE Corporation: A standardized Common Event Expression (CEE) for event interoperability (2013)
  19. Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on System Administration (LISA ’99), pp. 229–238. USENIX Association, Berkeley (1999)
  20. IBM Corporation: IBM RealSecure. http://www-935.ibm.com/services/us/en/it-services/express-managed-protection-services-for-server.html
  21. Zaraska, K.: Prelude IDS: current state and development perspectives (2003). http://www.prelude-ids.org/download/misc/pingwinaria/2003/paper.pdf
  22. Deraison, R.: The Nessus project (2002). http://www.nessus.org
  23. Lyon, G.F.: Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure, USA (2009)
  24. Nyulas, C., O’Connor, M., Tu, S.: DataMaster – a plug-in for importing schemas and data from relational databases into Protégé. In: Proceedings of the 10th International Protégé Conference (2007)
  25. Parsia, B., Sirin, E.: Pellet: an OWL-DL reasoner. In: Third International Semantic Web Conference – Poster, p. 18 (2004)
  26. Friedman-Hill, E., et al.: Jess, the rule engine for the Java platform (2003)
  27. O’Connor, M., Das, A.: SQWRL: a query language for OWL. In: Proceedings of the 6th Workshop on OWL: Experiences and Directions (OWLED 2009) (2009)
  28. Shiravi, A., Shiravi, H., Tavallaee, M., Ghorbani, A.A.: Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput. Secur. 31(3), 357–374 (2012)
  29. MIT Lincoln Laboratory: 2000 DARPA intrusion detection scenario specific data sets (2000)
  30. Hu, Y.: TIAA: a toolkit for intrusion alert analysis (2004)


Acknowledgements

This research was sponsored in part by the Inter-networked Systems Security Strategic Research Network (ISSNet), funded by Canada’s Natural Sciences and Engineering Research Council (NSERC).

Author information

Corresponding author: Alireza Sadighian.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Sadighian, A., Fernandez, J.M., Lemay, A., Zargar, S.T. (2014). ONTIDS: A Highly Flexible Context-Aware and Ontology-Based Alert Correlation Framework. In: Danger, J., Debbabi, M., Marion, JY., Garcia-Alfaro, J., Zincir Heywood, N. (eds) Foundations and Practice of Security. FPS 2013. Lecture Notes in Computer Science, vol 8352. Springer, Cham. https://doi.org/10.1007/978-3-319-05302-8_10

  • DOI: https://doi.org/10.1007/978-3-319-05302-8_10
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-05301-1
  • Online ISBN: 978-3-319-05302-8
  • eBook Packages: Computer Science (R0)