Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Ontology-based Modeling of DDoS Attacks for Att...

Ontology-based Modeling of DDoS Attacks for Attack Plan Detection

Presented at IST2012 Conference.

Morteza Ansarinia

November 07, 2012
Tweet

More Decks by Morteza Ansarinia

Other Decks in Research

Transcript

  1. Ontology-based Modeling of DDoS Attacks for Attack Plan Detection M.

    Ansarinia, S. A. Asghari, A. Souzani, A. Ghaznavi
  2. • Attack Plan Detection • Resolve vulnerabilities, • Update system

    configurations, • Fix weaknesses, • Prevent consequences, • Stop multi-steps attacks, • prevent potential attacks. Introduction Why Attack Plan Detection?
  3. • more concrete knowledge of a domain comparing to relational

    databases and taxonomies. • Machine-understandable. • There is no common structure of attack scenarios. • Shared conceptualization of DDoS attacks. • Semantic-level representation. • logic and inference as a solution to decision-making problems. • Constructed from semi-informal data sources. Introduction Why Knowledge?
  4. Introduction Taxonomies and Ontologies Vocabulary Structure Taxonomy Taxonomy Relations +

    Constraints + Rules Ontology Ontology Instances Knowledge Base + + + = = =
  5. • Transform DDoS attacks information from being machine-readable to machine-

    understandable. • Employ knowledge to predict potential DDoS attacks regarding vulnerabilities, weaknesses, and prerequisites of such attacks. • Common semantic representation of attacks by which machines can communicate. Introduction Contributions
  6. Introduction Literature Review - Representations • Ontological representations of attacks

    are mostly limited to the general view of network attacks. non-specific view • Taxonomies for attacks, vulnerabilities, and weaknesses (Capec, CVE, and CWE). Lack of logical assumptions, rules, and reasoning • Statistical, analytical, and machine learning detection methods. Invariant, convergence problem, lack of extendability for new concepts, and curse of dimensionality • SVM • Clustering and classification algorithms. • K-Means, DBSCAN, OPTICS, SOM, etc • Evolutionary algorithms • Neural networks
  7. Method • Information parsing and conversion, from Capec, CWE, and

    CVE hierarchical concepts, to interrelated ontological representations (including concepts, relationships, attributes, and instances). • Semantic rule-based reasoning as detection strategy.
  8. Method System Architecture System Events IDS Logs Convert data to

    triples of type <s,p,o> Check consistency DDoS Attacks Knowledge Base Report inconsistency Reasoner DDoS Attack Ontology Manual User Inputs Direct Indirect Consistency SPARQL Queries Attack SWRL Rules DDoS Plan Detection Result Inconsistent Consistent Map triples to ontology entities
  9. Results Evaluation Method • Quantitative evaluation (OntoQA) of ontology and

    knowledge base. • Manual reporting interface, and test attack scenarios.
  10. Results Evaluation Architecture System Events IDS Logs Convert data to

    triples of type <s,p,o> Check consistency DDoS Attacks Knowledge Base Report inconsistency Reasoner DDoS Attack Ontology Manual User Inputs Direct Indirect Consistency SPARQL Queries Attack SWRL Rules DDoS Plan Detection Result Inconsistent Consistent Map triples to ontology entities
  11. Results Evaluation Metrics Inheritance Richness 76 Object Property Richness >12

    Data Property Richness >7 Hierarchical Levels 5 Concept Richness 64
  12. Results Conclusion • Ontological representation of attacks. • Semantics rules

    for attacks. • Automatic conversion of semi-informal knowledge sources. • Utilize inference as attack plan detector.
  13. Future Works • More descriptive model of DDoS attacks. •

    Higher level reasoning using psychological measures. • Feed IDS and system events as inputs. • Extends attacks domain. • Assets.
  14. ?