Ontology-based Modeling of DDoS Attacks for Attack Plan Detection

Presented at IST2012 Conference.

Morteza Ansarinia

November 07, 2012

Transcript

  1. Ontology-based Modeling of DDoS Attacks for Attack Plan Detection
     M. Ansarinia, S. A. Asghari, A. Souzani, A. Ghaznavi
  2. Introduction: Why Attack Plan Detection?
     • Attack plan detection lets us:
       • Resolve vulnerabilities,
       • Update system configurations,
       • Fix weaknesses,
       • Prevent consequences,
       • Stop multi-step attacks,
       • Prevent potential attacks.
  3. Introduction: Why Knowledge?
     • More concrete knowledge of a domain compared to relational databases and taxonomies.
     • Machine-understandable.
     • There is no common structure for attack scenarios.
     • Shared conceptualization of DDoS attacks.
     • Semantic-level representation.
     • Logic and inference as a solution to decision-making problems.
     • Constructed from semi-informal data sources.
  4. Introduction: Taxonomies and Ontologies
     Vocabulary + Structure = Taxonomy
     Taxonomy + Relations + Constraints + Rules = Ontology
     Ontology + Instances = Knowledge Base
  5. Introduction: Contributions
     • Transform DDoS attack information from being machine-readable to machine-understandable.
     • Employ knowledge to predict potential DDoS attacks with regard to the vulnerabilities, weaknesses, and prerequisites of such attacks.
     • Common semantic representation of attacks by which machines can communicate.
  6. Introduction: Literature Review - Representations
     • Ontological representations of attacks are mostly limited to the general view of network attacks (non-specific view).
     • Taxonomies for attacks, vulnerabilities, and weaknesses (CAPEC, CVE, and CWE): lack of logical assumptions, rules, and reasoning.
     • Statistical, analytical, and machine learning detection methods: invariant, convergence problem, lack of extensibility for new concepts, and curse of dimensionality.
       • SVM
       • Clustering and classification algorithms (K-Means, DBSCAN, OPTICS, SOM, etc.)
       • Evolutionary algorithms
       • Neural networks
  7. Method
     • Information parsing and conversion, from CAPEC, CWE, and CVE hierarchical concepts, to interrelated ontological representations (including concepts, relationships, attributes, and instances).
     • Semantic rule-based reasoning as the detection strategy.
  8. Method: System Architecture
     [Architecture diagram] Components shown: System Events; IDS Logs; Manual User Inputs (Direct / Indirect); Convert data to triples of type <s,p,o>; Map triples to ontology entities; DDoS Attack Ontology; Reasoner; Check consistency (Consistent / Inconsistent: Report inconsistency); DDoS Attacks Knowledge Base; SPARQL Queries; Attack SWRL Rules; DDoS Plan Detection Result.
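An added illustration of the slide-8 pipeline, written for this transcript and not code from the deck or its authors: constructed IDS alert lines (hypothetical key=value format) are converted to <s,p,o> triples, mapped onto a toy ontology with assumed concept names, checked for consistency, and passed through one SWRL-style forward-chaining rule that infers a multi-step DDoS attack plan.

```python
from collections import defaultdict

# Constructed IDS alert lines in a hypothetical key=value format (not from the deck).
IDS_LOGS = [
    "2012-11-07T10:00:01 alert src=10.0.0.5 dst=192.0.2.10 sig=PORT_SCAN",
    "2012-11-07T10:02:14 alert src=10.0.0.5 dst=192.0.2.10 sig=EXPLOIT_ATTEMPT",
    "2012-11-07T10:05:30 alert src=10.0.0.5 dst=192.0.2.10 sig=SYN_FLOOD",
    "2012-11-07T10:06:00 alert src=10.0.0.9 dst=192.0.2.10 sig=UNKNOWN_SIG",
]
# Toy ontology: IDS signature -> attack-step concept (assumed, hypothetical class names).
SIG_TO_STEP = {"PORT_SCAN": "Reconnaissance",
               "EXPLOIT_ATTEMPT": "Compromise",
               "SYN_FLOOD": "Flooding"}

def log_to_triples(line):
    """'Convert data to triples': one alert line -> a set of <s,p,o> triples."""
    ts, _, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    ev = f"event:{ts}"
    return {(ev, "type", "Alert"), (ev, "source", f["src"]),
            (ev, "target", f["dst"]), (ev, "signature", f["sig"])}

def map_to_ontology(kb):
    """'Map triples to ontology entities' and 'Check consistency': an alert whose
    signature has no concept in the ontology is reported, not silently dropped."""
    inconsistencies = []
    for ev, _, sig in [t for t in kb if t[1] == "signature"]:
        step = SIG_TO_STEP.get(sig)
        if step is None:
            inconsistencies.append(f"{ev}: signature {sig} has no ontology concept")
        else:
            kb.add((ev, "step", step))
    return kb, inconsistencies

def reason(kb):
    """SWRL-style forward chaining: if one source has carried out Reconnaissance,
    Compromise and Flooding against the same target, assert a DDoS attack plan."""
    steps = defaultdict(set)  # (source, target) -> attack steps observed
    for ev, _, step in [t for t in kb if t[1] == "step"]:
        src = next(o for s, p, o in kb if s == ev and p == "source")
        dst = next(o for s, p, o in kb if s == ev and p == "target")
        steps[(src, dst)].add(step)
    for (src, dst), seen in steps.items():
        if {"Reconnaissance", "Compromise", "Flooding"} <= seen:
            kb.add((src, "hasAttackPlan", f"DDoS-against-{dst}"))
    return kb

def detect(lines):
    """Slide-8 pipeline: logs -> triples -> ontology mapping -> rules -> result."""
    kb = set().union(*(log_to_triples(line) for line in lines))
    kb, inconsistencies = map_to_ontology(kb)
    plans = sorted(o for _, p, o in reason(kb) if p == "hasAttackPlan")
    return plans, inconsistencies
```

Running `detect(IDS_LOGS)` yields one inferred plan against 192.0.2.10 plus one reported inconsistency for the alert whose signature the ontology does not know.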
  9. Results: Evaluation Method
     • Quantitative evaluation (OntoQA) of the ontology and knowledge base.
     • Manual reporting interface, and test attack scenarios.
  10. Results: Evaluation Architecture
     [Architecture diagram, same as slide 8] Components shown: System Events; IDS Logs; Manual User Inputs (Direct / Indirect); Convert data to triples of type <s,p,o>; Map triples to ontology entities; DDoS Attack Ontology; Reasoner; Check consistency (Consistent / Inconsistent: Report inconsistency); DDoS Attacks Knowledge Base; SPARQL Queries; Attack SWRL Rules; DDoS Plan Detection Result.
  11. Results: Evaluation Metrics
     Inheritance Richness: 76
     Object Property Richness: >12
     Data Property Richness: >7
     Hierarchical Levels: 5
     Concept Richness: 64
  12. Results: Conclusion
     • Ontological representation of attacks.
     • Semantic rules for attacks.
     • Automatic conversion of semi-informal knowledge sources.
     • Utilize inference as an attack plan detector.
  13. Future Work
     • More descriptive model of DDoS attacks.
     • Higher-level reasoning using psychological measures.
     • Feed IDS and system events as inputs.
     • Extend the attack domain.
     • Assets.
  14. ?