
Semantic Mapping of Security Events to Known Attack Patterns

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 10859)

Abstract

In order to secure a cyber environment, analysts need to analyze a large number of security events on a daily basis and take proper actions to alert their clients of potential threats. The increasing volume of cyber traffic drives a need for a system that assists security analysts in relating security events to known attack patterns. This paper describes the enhancement of an existing Intrusion Detection System (IDS) with the automatic mapping of Snort alert messages to known attack patterns. The approach relies on pre-clustering Snort messages before computing their similarity to known attack patterns in the Common Attack Pattern Enumeration and Classification (CAPEC). The system has been deployed in our partner company and, when evaluated against the recommendations of two security analysts, achieved an F-measure of 64.57%.
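The pipeline the abstract sketches, pre-clustering Snort alerts and then scoring each cluster against CAPEC descriptions and evaluating the result with F-measure, as an added illustration that is not the paper's code. The alert lines, pattern descriptions, placeholder CAPEC ids and analyst labels are constructed, and the exact-match clustering, bag-of-words cosine similarity and the `min_sim` threshold are my own assumptions, since the abstract does not specify the methods used.

```python
import re
from collections import Counter, defaultdict

# Constructed CAPEC-style descriptions; the ids are placeholders, not real CAPEC ids.
PATTERNS = {
    "CAPEC-PLACEHOLDER-A": "sql injection attack inject sql commands through web input",
    "CAPEC-PLACEHOLDER-B": "port scanning probe open ports on a host to fingerprint services",
    "CAPEC-PLACEHOLDER-C": "cross site scripting inject script into web page",
}
# Constructed Snort-style alert messages (sid triple, message text, source -> destination).
ALERTS = [
    "[1:100:1] SQL injection attempt in web input 10.0.0.5:4431 -> 10.0.0.9:80",
    "[1:100:1] SQL injection attempt in web input 10.0.0.7:5120 -> 10.0.0.9:80",
    "[1:200:2] port scan probe open ports on host 10.0.0.3 -> 10.0.0.9",
    "[1:300:1] cross site scripting script inject in web page 10.0.0.8:1234 -> 10.0.0.9:80",
]
# Constructed analyst recommendations: alert index -> pattern ids the analysts assigned.
ANALYST = {0: {"CAPEC-PLACEHOLDER-A"}, 1: {"CAPEC-PLACEHOLDER-A"},
           2: {"CAPEC-PLACEHOLDER-B"}, 3: {"CAPEC-PLACEHOLDER-C", "CAPEC-PLACEHOLDER-A"}}

def normalize(msg):  # drop the sid triple, IPs and ports so only the signature text remains
    msg = re.sub(r"\[\d+:\d+:\d+\]", " ", msg)
    msg = re.sub(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?", " ", msg)
    return " ".join(re.findall(r"[a-z]+", msg.lower()))

def cluster_alerts(alerts):  # pre-clustering: group alert indices by identical normalized text
    clusters = defaultdict(list)
    for i, msg in enumerate(alerts):
        clusters[normalize(msg)].append(i)
    return clusters

def cosine(a, b):  # bag-of-words cosine similarity of two token-count vectors
    norm = lambda v: sum(x * x for x in v.values()) ** 0.5
    return sum(a[t] * b[t] for t in a if t in b) / (norm(a) * norm(b))

def map_clusters(clusters, patterns, min_sim=0.0):  # most similar pattern per cluster
    pvecs = {pid: Counter(desc.split()) for pid, desc in patterns.items()}
    mapping = {}
    for text, members in clusters.items():
        scores = {pid: cosine(Counter(text.split()), v) for pid, v in pvecs.items()}
        best = max(scores, key=scores.get)
        if scores[best] > min_sim:  # clusters scoring below the threshold stay unmapped
            mapping.update((i, best) for i in members)  # every alert inherits its cluster's match
    return mapping

def f_measure(mapping, analyst):  # micro precision, recall and F-measure over (alert, pattern) pairs
    truth = {(i, p) for i, ps in analyst.items() for p in ps}
    tp = len(set(mapping.items()) & truth)
    precision, recall = tp / max(len(mapping), 1), tp / max(len(truth), 1)
    return precision, recall, (2 * precision * recall / (precision + recall) if tp else 0.0)
```

Raising `min_sim` trades recall for precision: clusters whose best match is weak are left for an analyst instead of being mapped.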


Notes

  1. with the parameters \(FV=0.98\) and \(t=0\) (see Sect. 3.1).


Acknowledgement

The authors would like to thank the anonymous reviewers for their feedback on the paper. This work was financially supported by an Engage Grant from the Natural Sciences and Engineering Research Council of Canada (NSERC).

Author information


Correspondence to Leila Kosseim.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper


Cite this paper

Ma, X., Davoodi, E., Kosseim, L., Scarabeo, N. (2018). Semantic Mapping of Security Events to Known Attack Patterns. In: Silberztein, M., Atigui, F., Kornyshova, E., Métais, E., Meziane, F. (eds) Natural Language Processing and Information Systems. NLDB 2018. Lecture Notes in Computer Science, vol. 10859. Springer, Cham. https://doi.org/10.1007/978-3-319-91947-8_10


  • DOI: https://doi.org/10.1007/978-3-319-91947-8_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-91946-1

  • Online ISBN: 978-3-319-91947-8

  • eBook Packages: Computer Science, Computer Science (R0)
