Cooperative Ontology Model For Distributed Intrusion Detection System | | Posted on:2014-08-12 | Degree:Doctor | Type:Dissertation | | Country:China | Candidate:W W Ren | Full Text:PDF | | GTID:1268330425965109 | Subject:Computer system architecture | | Abstract/Summary: | |

With the rapid development of network applications, the original simple attack patterns have turned into multi-step, complex attack patterns. At the same time, a large number of heterogeneous distributed intrusion detection systems are deployed in heterogeneous networks. They differ in detection principle, deployment scheme and detection performance. These distributed intrusion detection systems find it so hard to work together that they are unable to protect the Global Information Infrastructure comprehensively. How to integrate heterogeneous intrusion detection systems in heterogeneous networks, and how to make them cooperate, have therefore become hot issues.

This dissertation proposes a cooperative ontology model for distributed intrusion detection systems. In this model, entities of the real scenario are instantiated as instances in the ontology. The threat state of the system is inferred by analyzing the details of those instances, and the consequence state of the system is inferred from the current threat state together with the attacks observed in real time. Thanks to the ontology, heterogeneous intrusion detection systems can share knowledge and security state and understand one another; by jointly inferring attacks they can cooperate and try to prevent large-scale, cross-region security incidents.

The model is a unified three-level information security ontology model with a global level, a domain level and a local level. The global level holds a single ontology that represents the common semantic model of all information. It offers only the concept interfaces of the different domain ontologies and brief descriptions of the relationships between them.
It does not involve concrete domain knowledge.

This dissertation focuses on the domain level. Domain ontologies are created from domain knowledge and inherit the structure of the global ontology. The domain level fuses an ontology model for the wired network with an ontology model for the wireless network. The wired-network ontology model has two parts: model research and research on the related algorithms. In the model research, a series of methods for creating, instantiating and reasoning over the ontology model are proposed. The different entities of the real scenario are mapped to the ontology, and all details of the real scenario are described by instances. On this basis, a new notion of threat state is proposed: selected details of instances are correlated with threat states, and this correlation is carried out by rule-based inference. A consequence state is then inferred from the attacks observed in real time and the current threat state of the system, and the consequence state can become the next threat state. The old implicit causal relationships between attacks are thereby transformed into new, explicitly inferred causal relationships between attacks and security states. A new method for inferring mis-configuration vulnerabilities is also proposed: configuration entities are described by the ontology, configuration instances are correlated with other instances, and their relevant details are correlated with mis-configuration vulnerability instances, again by rule-based inference. In addition, a concrete system framework and workflow are proposed. In the algorithm research, three algorithms are proposed to meet the demands of the system framework: a parallel anomaly detection algorithm based on hierarchical clustering, a hybrid intrusion detection system based on hierarchical clustering and decision trees, and an intrusion classifier based on multiple feature selection. The first is a parallel anomaly detection algorithm that runs on a multicore system. The second is a lightweight hybrid intrusion detection system.
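The inference chain described above (entities instantiated in the ontology, threat state correlated with instance details by rules, consequence state derived from the current threat state plus a real-time attack, and mis-configuration vulnerability instances inferred from configuration instances) can be made concrete with a small rule engine. The following is an added example written for this page, not code from the dissertation; the ontology classes, rule names, threat levels, vulnerability labels and the two-host scenario are all constructed assumptions:

```python
"""Rule-based inference over an ontology-style instance set (added example).

Steps, mirroring the domain-level workflow in the abstract:
  1. instantiate the scenario (hosts, configurations, attacks);
  2. infer mis-configuration vulnerability instances by rules over configurations;
  3. infer a host's threat state by correlating its details with those instances;
  4. infer a consequence state from (threat state, attack); it becomes the next state.
All classes, rules, states and sample data are assumptions made for illustration.
"""
from dataclasses import dataclass, field

# Ordered threat levels; infer_consequence only ever moves a host upward.
THREAT_LEVELS = ["normal", "exposed", "compromised", "pivot"]


@dataclass
class Instance:
    cls: str                                       # ontology class, e.g. "Host"
    name: str
    details: dict = field(default_factory=dict)    # datatype properties
    relations: dict = field(default_factory=dict)  # object properties (name -> name)


class Ontology:
    """Flat instance store; of_class() stands in for a class query."""
    def __init__(self):
        self.instances = {}

    def add(self, inst):
        self.instances[inst.name] = inst
        return inst

    def get(self, name):
        return self.instances[name]

    def of_class(self, cls):
        return [i for i in self.instances.values() if i.cls == cls]


# Mis-configuration rules: (constructed vulnerability label, predicate over config details).
MISCONFIG_RULES = [
    ("weak_ssh_admin", lambda d: d.get("service") == "ssh"
     and d.get("password_auth") and d.get("permit_root_login")),
    ("open_unauth_db", lambda d: d.get("service") == "db"
     and d.get("bind_address") == "0.0.0.0" and not d.get("auth_required")),
]

# Consequence rules: (current threat state, attack type) -> consequence state.
# Pairs missing from the table leave the state unchanged; a real rule base
# must make that default explicit rather than leave it implied.
CONSEQUENCE_RULES = {
    ("exposed", "brute_force"): "compromised",
    ("compromised", "outbound_scan"): "pivot",
}


def infer_misconfig_vulns(onto):
    """Create a MisconfigVulnerability instance for every matching configuration."""
    vulns = []
    for cfg in onto.of_class("Configuration"):
        for label, pred in MISCONFIG_RULES:
            if pred(cfg.details):
                v = Instance("MisconfigVulnerability", f"{label}@{cfg.name}",
                             {"rule": label}, {"affects": cfg.relations["configures"]})
                vulns.append(onto.add(v))
    return vulns


def infer_threat_state(onto, host):
    """Correlate a host's details with the vulnerability instances that affect it."""
    affecting = [v for v in onto.of_class("MisconfigVulnerability")
                 if v.relations["affects"] == host.name]
    # Rule: a vulnerable host in a zone reachable from untrusted networks is "exposed".
    state = "exposed" if affecting and host.details.get("zone") == "dmz" else "normal"
    host.details["threat_state"] = state
    return state


def infer_consequence(onto, attack):
    """Consequence state from (current threat state, attack); it never lowers the state."""
    host = onto.get(attack.relations["observed_on"])
    current = host.details.get("threat_state", "normal")
    proposed = CONSEQUENCE_RULES.get((current, attack.details["type"]), current)
    if THREAT_LEVELS.index(proposed) > THREAT_LEVELS.index(current):
        host.details["threat_state"] = proposed   # consequence becomes next threat state
    return host.details["threat_state"]


def build_scenario():
    """Constructed scenario: a DMZ web host with a weak sshd, a tightly configured DB host."""
    o = Ontology()
    o.add(Instance("Host", "web01", {"zone": "dmz"}))
    o.add(Instance("Host", "db01", {"zone": "internal"}))
    o.add(Instance("Configuration", "sshd@web01",
                   {"service": "ssh", "password_auth": True, "permit_root_login": True},
                   {"configures": "web01"}))
    o.add(Instance("Configuration", "mysqld@db01",
                   {"service": "db", "bind_address": "127.0.0.1", "auth_required": True},
                   {"configures": "db01"}))
    return o


def run_scenario():
    """Full pass: vulnerabilities, initial threat states, then a stream of attacks."""
    o = build_scenario()
    vulns = [v.name for v in infer_misconfig_vulns(o)]
    states = {h.name: infer_threat_state(o, h) for h in o.of_class("Host")}
    attacks = [  # constructed real-time events, in arrival order
        Instance("Attack", "a1", {"type": "brute_force"}, {"observed_on": "web01"}),
        Instance("Attack", "a2", {"type": "outbound_scan"}, {"observed_on": "web01"}),
        Instance("Attack", "a3", {"type": "brute_force"}, {"observed_on": "db01"}),
    ]
    trace = [(a.name, infer_consequence(o, a)) for a in attacks]
    return vulns, states, trace


if __name__ == "__main__":
    print(run_scenario())
```

Running the block prints the inferred vulnerability instance, the initial threat state of each host and the state reached after each attack. Two details matter in practice: a (state, attack) pair the rule table does not cover must still have a defined outcome (here, no change), and the consequence rule only ratchets upward, so one noisy event cannot reset a host that earlier evidence showed to be compromised.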
These first two intrusion detection algorithms share three characteristics: they are hybrid, lightweight and parallel. The third algorithm combines different feature selection algorithms with attack classification algorithms; its goal is to find the optimal feature subset that maximizes classification accuracy.

The wireless-network ontology model likewise has two parts: model research and research on the related algorithms. In the model research, the mobile ad hoc network, our main research object, is mapped to an ontology with the methods developed for the wired network, and our Internet of Things platform is instantiated as the real scenario. In the algorithm research, an anomaly detection algorithm against the black hole attack is proposed. | | Keywords/Search Tags: | Intrusion detection, ontology, wired network, wireless network, data mining |