This research proposes a combination of semantic web and data mining approaches to examine alert logs and reconstruct attack scenarios, which provide crucial evidence for understanding the damaging effects that emerge from those scenarios. The method extracts information from low-level alerts using ontological knowledge; candidate attack scenarios are then generated from relationships between alerts defined by the applied Cyber Kill Chain concept. Afterwards, an association rule algorithm is applied to mine frequent sequential attack patterns from the candidate attack scenarios. Experiments using the DARPA 2000 LLDOS 1.0 dataset indicate that the proposed approach is effective: it reduces false alerts and extracts useful information that can resolve the immediate problems and cut analysis time. A comparison with related alert-correlation approaches showed that the proposed approach is more effective than the others, in particular in completeness and soundness.
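The following Python script is an added illustration of the pipeline the abstract describes and is not the paper's own code. It uses a constructed signature-to-kill-chain-phase table in place of the paper's ontology, a simple "same source, phase never decreases, within a time window" rule to cut an alert stream into candidate scenarios, and a small GSP-style (Apriori-pruned) sequential pattern miner in place of the paper's association rule algorithm. All signature names, IP addresses and timestamps are constructed; the LLDOS-like progression (sweep, probe, exploit, install, handshake, flood) is chosen only to show how kill-chain ordering both suppresses out-of-order noise and yields one maximal frequent pattern.

```python
"""Kill-chain alert correlation followed by sequential pattern mining.

Added example, not the paper's code. The "ontology" is a constructed
signature-to-phase table; the scenario-splitting rule and the GSP-style
miner are simplified stand-ins for the paper's ontological reasoning and
association rule mining.
"""
from collections import defaultdict

# Kill-chain phases in order (Lockheed Martin Cyber Kill Chain).
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed ontology: IDS signature name -> phase index. A signature that
# is missing here cannot be placed on the kill chain and is dropped.
SIG_TO_PHASE = {
    "ICMP_SWEEP": 0,
    "RPC_PORTMAP_PROBE": 0,
    "RPC_SADMIND_OVERFLOW": 3,
    "RSH_REMOTE_INSTALL": 4,
    "DDOS_AGENT_HANDSHAKE": 5,
    "DDOS_FLOOD": 6,
}

# Constructed alert log: (timestamp_s, src_ip, dst_ip, signature).
CONSTRUCTED_ALERTS = [
    (0, "10.0.0.5", "172.16.1.10", "ICMP_SWEEP"),
    (60, "10.0.0.5", "172.16.1.10", "RPC_PORTMAP_PROBE"),
    (200, "10.0.0.5", "172.16.1.10", "RPC_SADMIND_OVERFLOW"),
    (300, "10.0.0.5", "172.16.1.10", "HTTP_BAD_UA"),          # not in ontology
    (400, "10.0.0.5", "172.16.1.10", "RSH_REMOTE_INSTALL"),
    (700, "10.0.0.5", "172.16.1.10", "DDOS_AGENT_HANDSHAKE"),
    (900, "10.0.0.5", "172.16.1.10", "DDOS_FLOOD"),
    (1000, "10.0.0.7", "172.16.1.20", "ICMP_SWEEP"),
    (1050, "10.0.0.7", "172.16.1.20", "RPC_PORTMAP_PROBE"),
    (1200, "10.0.0.7", "172.16.1.20", "RPC_SADMIND_OVERFLOW"),
    (1300, "10.0.0.7", "172.16.1.20", "RSH_REMOTE_INSTALL"),
    (1500, "10.0.0.7", "172.16.1.20", "DDOS_AGENT_HANDSHAKE"),
    (1600, "10.0.0.7", "172.16.1.20", "DDOS_FLOOD"),
    (2000, "10.0.0.9", "172.16.1.30", "ICMP_SWEEP"),           # lone scanner
    (2010, "10.0.0.9", "172.16.1.31", "ICMP_SWEEP"),
    (2020, "10.0.0.9", "172.16.1.32", "ICMP_SWEEP"),
    (5000, "10.0.0.7", "172.16.1.40", "ICMP_SWEEP"),           # phase goes backwards
]


def correlate(alerts, ontology=SIG_TO_PHASE, window=600):
    """Turn low-level alerts into candidate attack scenarios.

    Alerts from one source stay in the current scenario while the kill-chain
    phase never decreases and the gap to the previous alert is <= window
    seconds; otherwise a new candidate scenario starts. Repeats of the same
    signature are collapsed, and unclassifiable alerts are dropped.
    Returns a list of scenarios, each a list of signatures in time order.
    """
    by_src = defaultdict(list)
    for ts, src, _dst, sig in sorted(alerts):
        phase = ontology.get(sig)
        if phase is not None:                   # unknown signature: uncorrelated noise
            by_src[src].append((ts, phase, sig))
    scenarios = []
    for events in by_src.values():
        current, last_ts, last_phase = [], None, -1
        for ts, phase, sig in events:
            if current and (phase < last_phase or ts - last_ts > window):
                scenarios.append(current)       # chain broken: start a new candidate
                current = []
            if not current or current[-1] != sig:
                current.append(sig)             # collapse bursts of one signature
            last_ts, last_phase = ts, phase
        if current:
            scenarios.append(current)
    return scenarios


def is_subsequence(pattern, seq):
    """True if `pattern` occurs in `seq` in order, gaps allowed."""
    it = iter(seq)
    return all(any(item == p for item in it) for p in pattern)


def frequent_patterns(sequences, min_support):
    """GSP-style sequential pattern mining with Apriori pruning.

    Returns {pattern_tuple: support} for every ordered pattern that occurs
    in at least `min_support` candidate scenarios.
    """
    def support(pattern):
        return sum(1 for s in sequences if is_subsequence(pattern, s))

    items = sorted({sig for s in sequences for sig in s})
    frequent, level = {}, {}
    for item in items:
        if support((item,)) >= min_support:
            level[(item,)] = support((item,))
    while level:
        frequent.update(level)
        candidates = {p + (i,) for p in level for i in items if (i,) in frequent}
        nxt = {}
        for cand in sorted(candidates):
            # Apriori: every sub-pattern obtained by dropping one element must be frequent.
            if any(cand[:j] + cand[j + 1:] not in frequent for j in range(len(cand))):
                continue
            if support(cand) >= min_support:
                nxt[cand] = support(cand)
        level = nxt
    return frequent


def maximal_patterns(frequent):
    """Keep only patterns that are not contained in a longer frequent pattern."""
    return {p: c for p, c in frequent.items()
            if not any(len(q) > len(p) and is_subsequence(p, q) for q in frequent)}


def run_example(min_support=2):
    """Run the whole pipeline on the constructed alerts."""
    scenarios = correlate(CONSTRUCTED_ALERTS)
    frequent = frequent_patterns(scenarios, min_support)
    return scenarios, frequent, maximal_patterns(frequent)


if __name__ == "__main__":
    scenarios, frequent, maximal = run_example()
    print(f"{len(CONSTRUCTED_ALERTS)} alerts -> {len(scenarios)} candidate scenarios")
    for pattern, count in maximal.items():
        print(count, " -> ".join(pattern))
```

On the constructed log the 17 alerts collapse to four candidate scenarios, the unclassified `HTTP_BAD_UA` alert and the scanner's repeated sweeps disappear, and the miner reports a single maximal pattern (the full six-step chain, supported by two scenarios); out-of-order pairs such as flood-then-sweep never become frequent because the kill-chain ordering rule keeps them out of the same scenario.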