Semantic Approach for Attack Knowledge Extraction in Intrusion Detection Systems

  1. Semantic Approach for Attack Knowledge Extraction in Intrusion Detection Systems
     Wei Yan, New Jersey Institute of Technology
     NYMAN 2004, Sep 10, 2004

  2. Overview
     • Motivation
     • Semantic scheme
     • Attack scenario knowledge extraction
     • Semantic query
     • Conclusion

  3. Current IDS problems
     • Manual review
       • time consuming and difficult
       • security staff often not available
     • Alert correlation
       • no universally accepted alert standard (IDMEF-XML was still an IETF draft)
       • vendor-specific correlation tools
     • Syntax-oriented approaches
       • semantic processing is needed

  4. Semantic Solution
     • Combine NLP and the Semantic Web
       • NLP: mature enough to acquire semantics from semi-structured text
       • Semantic Web: semantic information retrieval
     • Syntactic alerts → semantic alert streams
     • Attack scenario knowledge extraction
     • Manipulate the attack knowledge offline to answer semantic queries

  5. Alert representation formalism
     • Alert description
       • attack scenario: a sequence of attack events
       • attack event: an attack action
       • attack action: semantic roles
     • PCTCG makes raw alerts accessible to machines
     • Scalable and flexible
       • lies above the alert syntax layer
       • no modification of existing alert formats

  6. Attack knowledge extraction semantic scheme (diagram slide, figure not in transcript)

  7. Ontological semantics
     • Define semantic role / semantic attribute pairs
       • attack scenario: a sequence of attack events
       • attack event: an attack action
     • Represent the behavior semantic space through WH-questions (who, what, where, when, why, how)

  8. Case Grammar
     • Deep semantics: the relations between the verb and the other components of a sentence
     • An attack action is more universal than any alert format
       • attack event: an attack action
       • attack action: semantic roles

  9. Principal-subordinate Consequence Tagging Case Grammar (PCTCG)
     • M: set of alert messages, with sensor name
     • C: set of semantic roles between alerts
     • F: set of arguments (case fillers)
     • S: set of subordinate keywords

  10. 2-Atom Alert Semantic Network (2-AASN)
      • Semantic relations between two alerts
        • node: alert
        • edge: PCTCG semantic attribute / subordinate keyword
      • 2-tuple slots
        • <subordinate, subordinate keyword>
        • <semantic attribute, case filler>

  11. Generating a 2-AASN
      • Input: two alerts and the IDS sensor name
      • alerts → PCTCG stream
      • If a case filler semantically matches a subordinate keyword, fill the slot: Node1:case filler <semantic role, Node2:subordinate keyword>
      • Extract the semantic relation
        • semantic operations
        • semantic rules
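The slot-filling step of slides 9 to 11, written out as an added example (this is not the author's code and not the talk's implementation). Alerts are reduced to the PCTCG sets named on the slides: M (sensor and message), C/F (semantic roles with their case fillers) and S (subordinate keywords). Two alerts form the two nodes of a 2-AASN; a slot is filled whenever a case filler of the first alert semantically matches a subordinate keyword of the second, and a small rule table labels the relation. The sensor name, the three sample alerts, their role/keyword contents, the synonym table and the relation rules are all constructed for illustration; semantic matching is reduced to exact match plus synonyms where the talk uses NLP.

```python
"""Two-alert semantic network (2-AASN) from PCTCG-style alert descriptions.

Added illustration, not the talk's code. Semantic matching is stubbed with a
constructed synonym table; the original scheme derives it with NLP.
"""
from dataclasses import dataclass

# Constructed synonym groups (lowercase) standing in for semantic matching.
SYNONYMS = [
    {"sadmind", "rpc.sadmind", "solstice adminsuite daemon"},
    {"root", "superuser", "uid 0"},
]


def semantic_match(term_a, term_b):
    """True if the two terms are identical or share a synonym group."""
    a, b = term_a.lower(), term_b.lower()
    return a == b or any(a in group and b in group for group in SYNONYMS)


@dataclass
class PCTCGAlert:
    sensor: str          # M: sensor name
    message: str         # M: alert message
    roles: dict          # C -> F: semantic role -> case filler
    subordinates: dict   # S: subordinate keyword -> its value


# Assumed semantic rules: which <role, subordinate keyword> pairing means what.
RELATION_RULES = {
    ("consequence", "precondition"): "enables",  # effect of alert1 is what alert2 needs
    ("service", "precondition"): "targets_same_service",
    ("target", "target"): "same_victim",
}


def build_2aasn(alert1, alert2, sensor):
    """Return the filled slots of the 2-AASN for two alerts from one sensor.

    Each slot is Node1:case filler <semantic role, Node2:subordinate keyword>,
    plus the relation the rule table assigns (None when no rule applies).
    """
    if not (alert1.sensor == sensor == alert2.sensor):
        raise ValueError("a 2-AASN is built per IDS sensor")
    slots = []
    for role, filler in alert1.roles.items():
        for sub_kw, sub_val in alert2.subordinates.items():
            if semantic_match(filler, sub_val):
                slots.append({
                    "node1": alert1.message, "case_filler": filler,
                    "semantic_role": role, "subordinate": sub_kw,
                    "node2": alert2.message,
                    "relation": RELATION_RULES.get((role, sub_kw)),
                })
    return slots


# Constructed alerts in the style of the DARPA 2000 sadmind chain. Attacker
# address is from TEST-NET-3; the target is a made-up host in 172.16.115.0.
SENSOR = "snort-inside"
PROBE = PCTCGAlert(SENSOR, "RPC sadmind UDP PING",
    roles={"agent": "203.0.113.7", "target": "172.16.115.20",
           "service": "sadmind", "consequence": "service enumerated"},
    subordinates={"precondition": "reachable host"})
OVERFLOW = PCTCGAlert(SENSOR, "RPC sadmind query with root credentials attempt UDP",
    roles={"agent": "203.0.113.7", "target": "172.16.115.20",
           "service": "rpc.sadmind", "consequence": "root"},
    subordinates={"precondition": "Solstice AdminSuite daemon",
                  "target": "172.16.115.20"})
INSTALL = PCTCGAlert(SENSOR, "RSERVICES rsh root",
    roles={"agent": "203.0.113.7", "target": "172.16.115.20",
           "service": "rsh", "consequence": "mstream installed"},
    subordinates={"precondition": "superuser", "target": "172.16.115.20"})

if __name__ == "__main__":
    for a1, a2 in ((PROBE, OVERFLOW), (OVERFLOW, INSTALL), (INSTALL, PROBE)):
        for slot in build_2aasn(a1, a2, SENSOR):
            print(f"{slot['node1']} : {slot['case_filler']} "
                  f"<{slot['semantic_role']}, {slot['node2']} : {slot['subordinate']}> "
                  f"-> {slot['relation']}")
```

The direction matters: the probe's `service` filler satisfies the overflow's `precondition`, and the overflow's `consequence` (root) satisfies the rsh alert's `precondition`, while running the pair backwards fills no slot. That asymmetry is what lets the later scenario-instance step order alerts into an attack sequence rather than merely cluster them.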

  12. Attack semantic context
      • Generate attack scenario instances
        • attack scenario classes: all possible combinations of attack strategies
      • Alert context window size (ACW)
        • only alerts within the ACW are considered
      • Mutual information

  13. Attack scenario class of DARPA 2000
      • Snort HOME_NET set to 172.16.112.0 and 172.16.115.0 (inside networks of the DARPA 2000 dataset)

  14. Attack knowledge semantic query
      • Little attention has been paid to the attack knowledge semantic query interface
        • traditional approach: keyword search
        • semantic content: flexible enough to answer sophisticated queries
      • Weight mapping: attack scenario instance graph
      • Spreading activation
        • given an initial node and a destination node
        • returns the other nodes closely related to the initial node

  15. Query 1: does the sadmind vulnerability lead to DDoS attacks?
      • initial node: vulnerability sadmind (1)
      • destination node: DDoS (9)
      Query 2: what are the consequences of the RPC sadmind overflow event?
      • initial node: (3)
      • destination node: none
      (node numbers refer to the attack scenario instance graph, not shown in the transcript)
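Slides 12, 14 and 15 together describe one pipeline: count alert pairs only inside the alert context window, turn the counts into graph weights with mutual information, and answer the two queries by spreading activation. The following added example (not the author's code) runs that pipeline end to end on a constructed alert stream loosely shaped like the DARPA 2000 sadmind-to-mstream chain against three hosts. The alert names, the stream, the use of pointwise mutual information as the "weight mapping", and the activation constants (decay, firing threshold, step count) are my assumptions, not values from the talk.

```python
"""ACW co-occurrence, mutual-information weighting and spreading activation.

Added illustration, not the talk's implementation; constants are assumed.
"""
import math
from collections import Counter, defaultdict

# Constructed alert stream: probe, sadmind probe, sadmind overflow, rsh, mstream
# DDoS against three hosts, with one unrelated web alert as noise.
PING, SADM, OVFL, RSH, DDOS, NOISE = (
    "ICMP PING", "RPC sadmind UDP PING", "RPC sadmind overflow attempt",
    "RSERVICES rsh root", "DDOS mstream handler to agent", "WEB-MISC robots.txt access")
ALERT_STREAM = [PING, NOISE, SADM, OVFL, RSH, DDOS,
                PING, SADM, OVFL, NOISE, RSH, DDOS,
                PING, SADM, OVFL, RSH, DDOS, NOISE]


def cooccurrence(stream, acw):
    """Count ordered pairs (earlier, later) no more than `acw` alerts apart."""
    pairs = Counter()
    for i, earlier in enumerate(stream):
        for later in stream[i + 1:i + 1 + acw]:
            pairs[(earlier, later)] += 1
    return pairs


def mutual_information_graph(pairs):
    """Directed graph whose edge weight is pointwise MI, log2(p(a,b)/(p(a)p(b))),
    floored at 0. p(a) is a's share as the earlier alert of a pair, p(b) b's
    share as the later one, so edges follow time order."""
    total = sum(pairs.values())
    first, second = Counter(), Counter()
    for (a, b), n in pairs.items():
        first[a] += n
        second[b] += n
    graph = defaultdict(dict)
    for (a, b), n in pairs.items():
        pmi = math.log2(n * total / (first[a] * second[b]))
        if pmi > 0:
            graph[a][b] = pmi
    return graph


def spread_activation(graph, start, decay=0.8, threshold=0.05, steps=4):
    """Constrained spreading activation: a node fires at most once, splits its
    activation over out-edges in proportion to weight, and decays per hop.
    Returns (activation per node, strongest predecessor per node)."""
    activation = defaultdict(float, {start: 1.0})
    best_pred, fired = {}, set()
    for _ in range(steps):
        level = dict(activation)  # snapshot so firing order within a step does not matter
        firing = [n for n, a in level.items() if a >= threshold and n not in fired]
        if not firing:
            break
        for n in firing:
            fired.add(n)
            out = graph.get(n, {})
            total = sum(out.values())
            for m, w in out.items():
                contrib = level[n] * decay * w / total
                activation[m] += contrib
                if contrib > best_pred.get(m, (0.0, None))[0]:
                    best_pred[m] = (contrib, n)
    return activation, best_pred


def query_path(graph, start, dest, **kw):
    """Initial + destination node: is dest reachable, and along which alerts
    did most of the activation arrive? None if dest is never activated."""
    activation, pred = spread_activation(graph, start, **kw)
    if activation[dest] == 0.0:
        return None
    path, seen = [dest], {dest}
    while path[-1] != start:
        nxt = pred[path[-1]][1]
        if nxt in seen:  # guard against a predecessor cycle
            return None
        path.append(nxt)
        seen.add(nxt)
    return path[::-1]


def query_related(graph, start, **kw):
    """Initial node only: rank the other alerts by final activation."""
    activation, _ = spread_activation(graph, start, **kw)
    return sorted(((n, a) for n, a in activation.items() if n != start),
                  key=lambda item: item[1], reverse=True)


def demo_queries(acw=2):
    """Build the instance graph from the constructed stream and run both queries."""
    graph = mutual_information_graph(cooccurrence(ALERT_STREAM, acw))
    return {"graph": graph,
            "query1_path": query_path(graph, SADM, DDOS),
            "query2_ranked": query_related(graph, OVFL)}


if __name__ == "__main__":
    result = demo_queries()
    print("Query 1 (sadmind -> DDoS):", " -> ".join(result["query1_path"]))
    for alert, score in result["query2_ranked"]:
        print(f"Query 2 (after sadmind overflow): {score:.3f} {alert}")
```

Two things to check when adapting this to real sensor output. First, the window artefact: with a short ACW the last alert against one host and the first against the next also co-occur, so the graph acquires "wrap-around" edges (here DDoS → ICMP PING) that a real attack model would not contain; a time-based window or a per-victim split removes them. Second, mutual information only discounts noise that is spread evenly; a benign alert that reliably fires after one attack step will be weighted like a step of the attack.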

  16. Future work
      • Enrich the plan library
      • Enrich the attack taxonomy
      • Simulate the benchmark datasets
      QUESTIONS?