Abstract
We describe the benefits of transitioning from taxonomies to ontologies and ontology specification languages, which are able to serve simultaneously as recognition, reporting and correlation languages. We have produced an ontology specifying a model of computer attack using the DARPA Agent Markup Language+Ontology Inference Layer (DAML+OIL), a description logic language. The ontology's logic is implemented using DAMLJessKB. We compare and contrast the IETF's IDMEF, an emerging standard that uses XML to define its data model, with a data model constructed using DAML+OIL. In our research we focus on low-level kernel attributes at the process, system and network levels, which serve as the taxonomic characteristics of the model. We illustrate the benefits of utilizing an ontology by presenting use case scenarios within a distributed intrusion detection system.
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Undercoffer, J., Joshi, A., Pinkston, J. (2003). Modeling Computer Attacks: An Ontology for Intrusion Detection. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_7
DOI: https://doi.org/10.1007/978-3-540-45248-5_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40878-9
Online ISBN: 978-3-540-45248-5
eBook Packages: Springer Book Archive