
1 Introduction

Today there are many types of computer security threats, and their number grows every day. As a result, cyber-attacks have become part of daily life; they cause personal, financial, professional and emotional damage, and most of the resulting losses still cannot be prevented. Computer security therefore has significant importance today and is at the top of international agendas. Among the approaches to ensuring security, the Intrusion Detection System (IDS) is one of the critical detection mechanisms for protecting computer systems. An IDS monitors the events in a computer or a network, analyzes them in order to detect unauthorized or malicious activity, and generates alerts when it observes potentially malicious activity. There are two types of IDS: host-based IDS (HIDS) and network-based IDS (NIDS). A HIDS monitors and analyzes a single host, detects malicious activity and malware on that host, logs the activity and notifies the user. A NIDS, on the other hand, monitors and analyzes the traffic passing through the network. The most effective protection is provided by combining NIDS and HIDS, and our proposed IDS model aims to provide both in a single ontology-based IDS.

In this work, an IDS ontology is developed and implemented using Semantic Web technologies. As this is ongoing work, the part presented here is a HIDS. The aim of the proposed system is to detect intrusions that violate the security of a computer system and to improve the performance of intrusion detection. For this purpose we use an ontology as the knowledge base of a rule-based intrusion detection system. First, we created the IDS ontology. Then all processes and services running on the computer system are added to the ontology as individuals, using Facebook's osquery [1]. We also parsed the malware list from Symantec's website [2] and added the entries to the IDS ontology so that they can be compared with the processes and services running on the system. Finally, if any threat listed in the IDS ontology is found on the running system, the proposed ontology-based IDS lists the malicious activities and malware and notifies the user. The paper is organized as follows: Sect. 2 presents the related work. Section 3 explains the IDS ontology. Section 4 presents the first implementation of the ontology. Finally, Sect. 5 concludes and summarizes future work.

2 Background

The purpose of our overall work is to implement a rule-based intrusion detection system using Semantic Web technologies. Since an IDS has to monitor and analyze both the traffic passing through the network (NIDS) and the processes of a single computer system (HIDS), the analysis has to be fast in order to detect malware or malicious activity in time. We therefore use an ontology so that a semantic reasoner and a rule engine can be used to detect intrusions and to improve the performance of the IDS. The proposed model also supports both HIDS and NIDS for better security. In the course of our research we have not found an ontology-based IDS that supports both HIDS and NIDS, and there is little published research on the use of ontologies in IDS. In [3], an ontology is specified to model attacks; that attack ontology is based on DAML+OIL [4], whereas our IDS ontology is based on OWL 2 [5], and our model and ontology cover the IDS as a whole system, whereas the attack ontology models only attacks. An ontology-based IDS for web attacks is proposed in [6]; however, its ontology and concepts are inadequate for modelling a complete IDS and deal only with web attacks. A rule status monitoring algorithm is given in [7]: it searches through the rules and reports whether each is enabled or disabled, but it does not use ontologies or Semantic Web technologies. In [8], a rule- and cluster-based intrusion detection system for wireless sensor networks (WSN) is presented; it uses a relational database to store and manipulate data and focuses on attacks in WSNs. In our work we cover both HIDS and NIDS, use an ontology instead of a relational database, and use osquery results instead of audit-log data.

3 IDS Ontology

An ontology is an explicit formal specification of a conceptualization [9]. Consequently, ontologies are used to share a common understanding among users or agents, to enable reuse of domain knowledge, to analyze domain knowledge, to make domain assumptions explicit, and to separate domain knowledge from operational knowledge [10]. In developing the Intrusion Detection System (IDS) ontology, we followed the ontology development steps defined in [10].

The IDS ontology has been developed to implement an intrusion detection system that examines the processes and services of a device and of the devices connected to the network, as well as the packets on the network to which these devices are connected. As this is ongoing work, the IDS ontology is still being developed.

In the IDS ontology, the enumerated IDS terms are: Device, DatabaseServer, ManagedDevice, NetworkManagementSystem, Packet, SignaturedPacket, Process, Service, Software, Malware, destination, destinationMac, destinationPort, information, ack, fin, payload, syn, win, name, os, protocol, source, sourcePort, sourceMac, type. The classes, object properties and data properties defined in the IDS ontology are shown in Figs. 1, 2 and 3, respectively.

Fig. 1. The class hierarchy of the IDS ontology.

Fig. 2. The object property hierarchy of the IDS ontology.

Fig. 3. The data property hierarchy of the IDS ontology.

The classes are defined for the following purposes. Device stores the devices in the network; DatabaseServer stores the list of malware and harmful packets, which will be taken from Symantec's website [2]; ManagedDevice stores the devices that are controlled in the network; NetworkManagementSystem stores the devices on which the intrusion detection system is executed; Packet stores the packets that arrive from the Internet; SignaturedPacket is a subclass of Packet and stores harmful or malicious packets; Process stores the processes running on a device; Service stores the services running on a device; Software stores software; and Malware is a subclass of Software and stores the malware detected on a device.

The object properties are defined for the following purposes: manages is the action of a NetworkManagementSystem managing other ManagedDevices on the network; receives is the action of a Device receiving a Packet; runsOn relates Software to the Device it runs on. Table 1 shows the domain and range of the defined object properties.

Table 1. Domain and range information of the object properties (as given by the property definitions above).

Object property   Domain                     Range
manages           NetworkManagementSystem    ManagedDevice
receives          Device                     Packet
runsOn            Software                   Device

The data properties are defined for the following purposes: destination is the final device at which the Packet arrives; destinationMac is the MAC address of the Packet's destination; destinationPort is the port number of the Packet's destination; information is the data in the Packet; ack holds the TCP ACK flag, which acknowledges receipt of data; fin holds the TCP FIN flag, which indicates whether the sender has finished transmitting; payload is the data carried within the Packet; syn holds the TCP SYN flag used for synchronization with the Packet's source; win is the TCP window size; name is the name of a Process, Service or Software; os is the operating system of the Device; protocol is the protocol of the Packet; source indicates the Device the Packet comes from; sourceMac is the MAC address of the Packet's source; sourcePort is the port number of the Packet's source; type is the type of the malware (for example Virus, Trojan, etc.).
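To make the Packet data properties concrete, the following added example (not code from the paper, which plans to capture packets with pcap4j in Java) parses a raw Ethernet/IPv4/TCP frame with the Python standard library and fills the ontology's Packet properties from it; a non-empty signature match makes the packet a SignaturedPacket. The frame and the two payload signatures are constructed for the example, and the SIGNATURES table, build_frame and packet_individual are names chosen here, not the paper's.

```python
"""Added example: filling the IDS ontology's Packet data properties from a raw
Ethernet/IPv4/TCP frame. The frame and the signatures are constructed."""
import socket
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, flags, win, payload):
    """Build a minimal frame for the example (checksums left zero; it never hits a NIC)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, win, 0, 0)  # 20-byte header
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def packet_individual(frame):
    """Map one frame onto the Packet data properties named in the ontology."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # IP header length from the IHL nibble
    ip = frame[ETH_LEN:ETH_LEN + ihl]
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        raise ValueError("only TCP is handled in this example")
    tcp_off = ETH_LEN + ihl
    sport, dport, _seq, _ackn, off, flags, win = struct.unpack("!HHIIBBH", frame[tcp_off:tcp_off + 16])
    data_off = tcp_off + (off >> 4) * 4        # TCP data offset, in 32-bit words
    # Bound the payload by the IP total length, not len(frame): short frames carry Ethernet padding.
    payload = frame[data_off:ETH_LEN + total_len]
    return {
        "source": socket.inet_ntoa(ip[12:16]),
        "destination": socket.inet_ntoa(ip[16:20]),
        "sourceMac": _mac(src_mac),
        "destinationMac": _mac(dst_mac),
        "sourcePort": sport,
        "destinationPort": dport,
        "protocol": "TCP",
        "syn": bool(flags & 0x02),
        "ack": bool(flags & 0x10),
        "fin": bool(flags & 0x01),
        "win": win,
        "payload": payload,
    }


# Constructed payload signatures standing in for the SignaturedPacket list (assumption).
SIGNATURES = {"traversal": b"../../", "passwd_read": b"/etc/passwd"}


def signatured(packet, signatures=SIGNATURES):
    """Names of the signatures found in the payload; non-empty => SignaturedPacket."""
    return sorted(name for name, pattern in signatures.items() if pattern in packet["payload"])


# Constructed sample: PSH|ACK (0x18) segment carrying a path-traversal request.
SAMPLE_FRAME = build_frame("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", "10.0.0.5", "192.168.1.10",
                           40000, 80, 0x18, 65535, b"GET /../../etc/passwd HTTP/1.1\r\n")

if __name__ == "__main__":
    pkt = packet_individual(SAMPLE_FRAME)
    print(pkt, signatured(pkt))
```

The payload is bounded by the IP total length rather than the captured frame length; otherwise the zero padding that Ethernet adds to frames shorter than 60 bytes would end up inside the payload property and could defeat or trigger signature matches.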

4 Implementation

To detect intrusions with the IDS ontology, we first parsed the malware list from Symantec's website [2] into a CSV file. Then, using Jena [11], these entries were written as individuals of the ontology's Malware class. We used Facebook's osquery [1] to create the individuals of the Process and Service classes; these individuals represent the running computer system. The automatically added individuals of the Process, Service and Malware classes are shown in Fig. 4.

Fig. 4. Individuals of the Process, Service and Malware classes.

The implementation compares the individuals of the Malware class with the individuals of the Process and Service classes to detect intrusions. If an individual of the Process or Service class matches a Malware individual, an intrusion is detected and a warning message is shown, as seen in Fig. 5.
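The pipeline described in the introduction and the matching step above can be reproduced end to end with the standard library; the following is an added example and not the paper's Jena implementation. It assumes osquery output in the JSON form produced by `osqueryi --json`, a malware CSV with `name,type` columns, and an in-memory set of (subject, predicate, object) triples standing in for the OWL individuals; it matches on the `name` property, which is an assumption about how the paper's comparison works. The namespace, the osquery rows and the CSV rows are constructed, and only the Process class is populated (osquery's `processes` table), not Service.

```python
"""Added example: osquery rows and a Symantec-style CSV loaded as Process and
Malware individuals, then matched by name. All inputs are constructed."""
import csv
import io
import json

IDS = "http://example.org/ids#"   # assumed namespace; the paper does not give one

# Constructed stand-in for: osqueryi --json "SELECT pid, name, path FROM processes;"
OSQUERY_JSON = """[
  {"pid": "1", "name": "systemd", "path": "/usr/lib/systemd/systemd"},
  {"pid": "842", "name": "sshd", "path": "/usr/sbin/sshd"},
  {"pid": "1337", "name": "Trojan.Gen", "path": "/tmp/.x/Trojan.Gen"},
  {"pid": "2048", "name": "infostealer", "path": "/home/u/Downloads/Infostealer"}
]"""

# Constructed stand-in for the CSV parsed from the Symantec threat listing.
MALWARE_CSV = """name,type
Trojan.Gen,Trojan
Infostealer,Trojan
W32.Sality,Virus
"""


def normalise(name):
    """Case-insensitive match key; process names are not case-stable across OSes."""
    return name.strip().lower()


def load_processes(osquery_json):
    """Add each osquery row as an individual of the Process class."""
    triples = set()
    for row in json.loads(osquery_json):
        ind = f"{IDS}process_{row['pid']}"
        triples.add((ind, "rdf:type", f"{IDS}Process"))
        triples.add((ind, f"{IDS}name", row["name"]))
        triples.add((ind, f"{IDS}path", row["path"]))   # 'path' is assumed; not among the paper's properties
    return triples


def load_malware(malware_csv):
    """Add each CSV row as an individual of the Malware class with name and type."""
    triples = set()
    for row in csv.DictReader(io.StringIO(malware_csv)):
        ind = f"{IDS}malware_{normalise(row['name']).replace('.', '_')}"
        triples.add((ind, "rdf:type", f"{IDS}Malware"))
        triples.add((ind, f"{IDS}name", row["name"]))
        triples.add((ind, f"{IDS}type", row["type"]))
    return triples


def individuals_of(triples, cls):
    return {s for s, p, o in triples if p == "rdf:type" and o == cls}


def name_of(triples, ind):
    return next(o for s, p, o in triples if s == ind and p == f"{IDS}name")


def detect(triples):
    """Rule: a Process whose name equals a Malware name is reported as an intrusion.
    Returns (process individual, malware individual) pairs in a stable order."""
    malware_by_name = {normalise(name_of(triples, m)): m
                       for m in individuals_of(triples, f"{IDS}Malware")}
    alerts = []
    for proc in sorted(individuals_of(triples, f"{IDS}Process")):
        key = normalise(name_of(triples, proc))
        if key in malware_by_name:
            alerts.append((proc, malware_by_name[key]))
    return alerts


if __name__ == "__main__":
    kb = load_processes(OSQUERY_JSON) | load_malware(MALWARE_CSV)
    for proc, mal in detect(kb):
        print(f"WARNING: {proc} matches {mal}")
```

Note the limit of this rule: it only fires when malware runs under its catalogue name, which a real sample rarely does, so a practitioner would add a stronger key such as a file hash (osquery exposes the `hash` table, joinable on `path`) alongside the name comparison.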

Fig. 5. Detecting an intrusion in a computer system.

5 Conclusion

As information technology has become a key component of critical infrastructure, intrusion detection systems have become increasingly important in the face of the growing number of cyber-attacks in recent years. Our project aims to develop an ontology-based IDS that includes both NIDS and HIDS for effective security. As part of this ongoing project, in this work we developed an IDS ontology and implemented it to detect intrusions on a computer system; the work presented is the HIDS part. As future work, the IDS ontology will be extended to provide NIDS: the Live Network Scan tab seen in Fig. 5 will be activated and the pcap4j [12] library will be used for packet capture. Log analysis, event correlation and policy enforcement will also be added to the intended ontology-based IDS model, and new rules will be added to detect which devices are affected through inter-process dependencies and which processes are affected by which malware.