Abstract
To secure a cyber environment, analysts need to analyze a large number of security events on a daily basis and take proper actions to alert their clients of potential threats. The increasing volume of cyber traffic drives a need for a system that assists security analysts in relating security events to known attack patterns. This paper describes the enhancement of an existing Intrusion Detection System (IDS) with the automatic mapping of Snort alert messages to known attack patterns. The approach relies on pre-clustering Snort messages before computing their similarity to known attack patterns in the Common Attack Pattern Enumeration and Classification (CAPEC). The system has been deployed in our partner company and, when evaluated against the recommendations of two security analysts, achieved an F-measure of 64.57%.
Notes
1. With the parameters \(FV=0.98\) and \(t=0\) (see Sect. 3.1).
Acknowledgement
The authors would like to thank the anonymous reviewers for their feedback on the paper. This work was financially supported by an Engage Grant from the Natural Sciences and Engineering Research Council of Canada (NSERC).
© 2018 Springer International Publishing AG, part of Springer Nature
Ma, X., Davoodi, E., Kosseim, L., Scarabeo, N. (2018). Semantic Mapping of Security Events to Known Attack Patterns. In: Silberztein, M., Atigui, F., Kornyshova, E., Métais, E., Meziane, F. (eds) Natural Language Processing and Information Systems. NLDB 2018. Lecture Notes in Computer Science(), vol 10859. Springer, Cham. https://doi.org/10.1007/978-3-319-91947-8_10
DOI: https://doi.org/10.1007/978-3-319-91947-8_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-91946-1
Online ISBN: 978-3-319-91947-8
eBook Packages: Computer Science, Computer Science (R0)