Modeling Computer Attacks: An Ontology for Intrusion Detection

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2003)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2820)

Abstract

We state the benefits of transitioning from taxonomies to ontologies and ontology specification languages, which are able to serve simultaneously as recognition, reporting and correlation languages. We have produced an ontology specifying a model of computer attack using the DARPA Agent Markup Language+Ontology Inference Layer (DAML+OIL), a description logic language. The ontology's logic is implemented using DAMLJessKB. We compare and contrast the IETF's IDMEF, an emerging standard that uses XML to define its data model, with a data model constructed using DAML+OIL. In our research we focus on low-level kernel attributes at the process, system and network levels to serve as the taxonomic characteristics. We illustrate the benefits of utilizing an ontology by presenting use-case scenarios within a distributed intrusion detection system.

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Undercoffer, J., Joshi, A., Pinkston, J. (2003). Modeling Computer Attacks: An Ontology for Intrusion Detection. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_7

  • DOI: https://doi.org/10.1007/978-3-540-45248-5_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40878-9

  • Online ISBN: 978-3-540-45248-5

  • eBook Packages: Springer Book Archive