Semantic Approach for Attack Knowledge Extraction in Intrusion Detection Systems Wei Yan New Jersey Institute of Technology NYMAN 2004 Sep 10, 2004
Overview • Motivation • Semantic scheme • Attack scenario knowledge extraction • Semantic query • Conclusion
Current IDS problems • Manual review • time-consuming and difficult • security staff are often not available • Alert correlation • no universally accepted alert standard (IDMEF-XML is a candidate) • vendor-specific correlation tools • Syntax-oriented approaches • semantic processing is needed
Semantic Solution • Combine NLP and the Semantic Web • NLP is mature enough to acquire semantics from semi-structured text • SW provides semantic information retrieval • Syntactic alerts → semantic alert streams • Attack scenario knowledge extraction • Manipulate attack knowledge offline to answer semantic queries
Alert representation formalism • Alert description • attack scenario – a sequence of attack events • attack event – an attack action • attack action – semantic roles • PCTCG makes raw alerts accessible to machines • Scalable and flexible • lies above the alert syntax layer • does not modify existing alert formats
Ontological semantics • Define semantic role–semantic attribute pairs • attack scenario – a sequence of attack events • attack event – an attack action • Present the behaviour semantic space through WH-questions (who, what, where, when, how)
Case Grammar • Deep semantics: relations between the verb and the other components of a sentence • An attack action is more universal than any alert format • attack event – an attack action • attack action – semantic roles
Principal-subordinate Consequence Tagging Case Grammar (PCTCG) • M – the set of alert messages, each with its sensor name • C – the set of semantic roles between alerts • F – the set of arguments (case fillers) • S – the set of subordinate keywords
2-Atom Alert Semantic Network (2-AASN) • Semantic relations between two alerts • node – an alert • edge – a PCTCG semantic attribute or subordinate keyword • 2-tuple slots • <subordinate, subordinate keyword> • <semantic attribute, case filler>
Generate a 2-AASN • Input: two alerts and the IDS sensor name • alerts → PCTCG stream • If a case filler semantically matches a subordinate keyword, fill the slot: Node1:case filler <semantic role, Node2:subordinate keyword> • Extract the semantic relation • semantic operations • semantic rules
Attack semantic context • Generate attack scenario instances • attack scenario classes: all possible combinations of attack strategies • Alert context window size (ACW) • only alerts within the ACW are considered • Mutual information
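The PCTCG representation, the 2-AASN slot-filling step and the alert context window, as one added example (written for this page, not code from Wei Yan's work). The semantic roles, subordinate keywords, synonym table and the five-alert stream are all constructed; subordinate keywords are assumed here to name the condition an alert's action builds on, so a link runs from alert a to alert b when a case filler of a matches a subordinate keyword of b, as in the slot Node1:case filler <semantic role, Node2:subordinate keyword>. The ACW is counted in alerts.

```python
"""PCTCG-tagged alerts and 2-AASN construction over an alert context window.

Added example for this page; it is not code from Wei Yan's work. The
semantic roles, subordinate keywords, synonym table and alert stream are
all constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class PCTCGAlert:
    """One alert after PCTCG tagging (assumed layout).

    sensor       -> M, the sensor that raised the alert
    fillers      -> C and F: semantic role -> case filler
    subordinates -> S, subordinate keywords: conditions the action builds on
    """
    alert_id: int
    sensor: str
    action: str
    fillers: Dict[str, str]
    subordinates: FrozenSet[str]


# Constructed synonym table standing in for the page's "semantic rules":
# two terms match semantically when they map to the same canonical term.
SYNONYMS = {
    "rpc.sadmind": "sadmind",
    "solaris-sadmind": "sadmind",
    "remote-shell": "rsh",
    "ddos-agent": "mstream",
}


def canonical(term: str) -> str:
    """Normalise a case filler or subordinate keyword for semantic matching."""
    t = term.strip().lower()
    return SYNONYMS.get(t, t)


# (node1 id, node2 id, semantic role, node1 case filler, node2 subordinate keyword)
Edge = Tuple[int, int, str, str, str]


def generate_2aasn(a: PCTCGAlert, b: PCTCGAlert) -> List[Edge]:
    """Return the 2-AASN edges from alert a to alert b.

    An edge is created for every case filler of a (under semantic role r)
    that semantically matches a subordinate keyword of b, filling the slot
    Node_a:case filler <r, Node_b:subordinate keyword>."""
    edges: List[Edge] = []
    for role, filler in a.fillers.items():
        for keyword in sorted(b.subordinates):
            if canonical(filler) == canonical(keyword):
                edges.append((a.alert_id, b.alert_id, role, filler, keyword))
    return edges


def slot(edge: Edge) -> str:
    """Render an edge in the page's slot notation."""
    a, b, role, filler, keyword = edge
    return f"Node{a}:{filler} <{role}, Node{b}:{keyword}>"


def scenario_instance(stream: List[PCTCGAlert], acw: int) -> Dict[Tuple[int, int], List[Edge]]:
    """Link alerts of a stream into an attack scenario instance graph.

    Only pairs whose distance in the stream is at most the alert context
    window size (ACW, counted in alerts here) are compared."""
    graph: Dict[Tuple[int, int], List[Edge]] = {}
    for i, a in enumerate(stream):
        for b in stream[i + 1 : i + 1 + acw]:
            edges = generate_2aasn(a, b)
            if edges:
                graph[(a.alert_id, b.alert_id)] = edges
    return graph


# Constructed alert stream loosely following a sadmind-to-DDoS progression;
# addresses are documentation ranges plus the page's 172.16.112.0 home net.
SAMPLE_STREAM = [
    PCTCGAlert(1, "snort-dmz", "probe",
               {"agent": "203.0.113.7", "target": "172.16.112.50", "service": "sadmind"},
               frozenset({"icmp-echo"})),
    PCTCGAlert(2, "snort-dmz", "overflow",
               {"agent": "203.0.113.7", "target": "172.16.112.50", "service": "rpc.sadmind"},
               frozenset({"sadmind"})),
    PCTCGAlert(3, "snort-dmz", "login",
               {"agent": "203.0.113.7", "target": "172.16.112.50", "channel": "rsh"},
               frozenset({"solaris-sadmind"})),
    PCTCGAlert(4, "snort-inside", "install",
               {"agent": "172.16.112.50", "tool": "mstream"},
               frozenset({"remote-shell"})),
    PCTCGAlert(5, "snort-inside", "flood",
               {"agent": "172.16.112.50", "target": "198.51.100.9"},
               frozenset({"ddos-agent"})),
]

if __name__ == "__main__":
    for pair, edges in scenario_instance(SAMPLE_STREAM, acw=2).items():
        for e in edges:
            print(pair, slot(e))
```

With an ACW of 1 only consecutive alerts are compared and the stream links into a single chain 1→2→3→4→5; widening the window to 2 also produces the skip edge 1→3 (both the probe and the overflow name the sadmind service), while pairs with no matching filler/keyword, such as 2→4, stay unlinked. The synonym table is where the page's semantic operations would plug in; the string match alone is the syntax-oriented approach the talk argues against.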
Attack scenario class of the DARPA 2000 data set • Snort home net: 172.16.112.0 and 172.16.115.0
Attack knowledge semantic query • Little attention has been paid to the attack knowledge semantic query interface • traditional keyword search • semantic content: flexible enough to answer sophisticated queries • Weight mapping: attack scenario instance graph • Spreading activation • given an initial node and a destination node • returns the other nodes most closely related to the initial node
Query 1: does the sadmind vulnerability lead to DDoS attacks? • initial node: vulnerability sadmind (1) • destination node: DDoS (9) • Query 2: what are the consequences of the RPC sadmind overflow event? • initial node: RPC sadmind overflow (3) • destination node: none
Future work • Enrich the plan library • Enrich the attack taxonomy • Simulate the benchmark data sets • Questions?
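Spreading activation over a weighted attack scenario instance graph, answering the two queries above, as an added example (written for this page, not code from Wei Yan's work). Only nodes 1 (vulnerability sadmind), 3 (RPC sadmind overflow) and 9 (DDoS) follow the page; the other nodes, the edges, their weights, and the decay and threshold parameters are constructed. Each node fires once and passes activation × edge weight × decay to its successors; with a destination node given, activation is not spread past it, and the answer is whether it received any activation.

```python
"""Spreading activation over a weighted attack scenario instance graph.

Added example for this page; it is not code from Wei Yan's work. Node 1
(vulnerability sadmind), node 3 (RPC sadmind overflow) and node 9 (DDoS)
follow the page's two queries; the remaining nodes, the edges and all
weights are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed attack scenario instance graph: node -> {successor: weight},
# the weight standing in for the page's weight mapping (how strongly one
# attack event leads to the next).
SCENARIO_GRAPH: Dict[int, Dict[int, float]] = {
    1: {2: 0.9},          # vulnerability sadmind
    2: {3: 0.9},
    3: {4: 0.8, 5: 0.5},  # RPC sadmind overflow
    4: {6: 0.7},
    5: {8: 0.4},
    6: {7: 0.9},
    7: {9: 0.9},
    8: {},
    9: {},                # DDoS
}

LABELS = {1: "vulnerability sadmind", 3: "RPC sadmind overflow", 9: "DDoS"}


def spread_activation(graph: Dict[int, Dict[int, float]], initial: int,
                      destination: Optional[int] = None, decay: float = 0.8,
                      threshold: float = 0.05, max_rounds: int = 50) -> Dict[int, float]:
    """Spread activation from the initial node; returns node -> activation.

    Each node fires once, passing activation * edge weight * decay to every
    successor. A successor joins the next frontier once it reaches the
    firing threshold. Activation is not spread beyond the destination."""
    activation = {n: 0.0 for n in graph}
    activation[initial] = 1.0
    fired = set()
    frontier = [initial]
    for _ in range(max_rounds):
        next_frontier: List[int] = []
        for n in frontier:
            if n in fired:
                continue
            fired.add(n)
            if n == destination:
                continue
            for m, w in graph[n].items():
                activation[m] += activation[n] * w * decay
                if activation[m] >= threshold and m not in fired and m not in next_frontier:
                    next_frontier.append(m)
        if not next_frontier:
            break
        frontier = next_frontier
    return activation


def semantic_query(graph: Dict[int, Dict[int, float]], initial: int,
                   destination: Optional[int] = None) -> Tuple[Optional[bool], List[int]]:
    """Answer a query in the page's form.

    Returns (reaches_destination, related): related lists the other nodes
    that received activation, most strongly related first; with no
    destination node, reaches_destination is None."""
    act = spread_activation(graph, initial, destination)
    related = sorted((n for n in act if n != initial and act[n] > 0), key=lambda n: -act[n])
    reaches = None if destination is None else act[destination] > 0
    return reaches, related


if __name__ == "__main__":
    for initial, dest in ((1, 9), (3, None)):
        reaches, related = semantic_query(SCENARIO_GRAPH, initial, dest)
        names = [LABELS.get(n, f"node {n}") for n in related]
        print(f"from {LABELS[initial]} -> {dest}: reaches={reaches}, related={names}")
```

For query 1 the activation reaching node 9 is non-zero, so the graph supports "yes, sadmind leads to DDoS", and the ranked list reads off the chain the activation travelled. For query 2 the answer is the ranked set of nodes downstream of the overflow; nodes 1 and 2 receive nothing, since activation only follows edge direction. The threshold stops weakly connected branches from firing further, which is the control a practitioner would tune against the false links a keyword search would produce.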