
Intrusion Alerts Correlation Based On Ontology

Posted on: 2009-12-20
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhu
Full Text: PDF
GTID: 2178360242989751
Subject: Computer application technology

Abstract/Summary:
Network security problems arrived together with the Internet. Intrusion detection systems are now widely deployed, but they present security administrators with a large number of independent, low-level alerts, even though these alerts are often logically connected. An appropriate method is therefore needed to construct high-level attack scenarios from low-level alerts. This paper uses alert correlation technology for that purpose. There are four kinds of alert correlation technique: correlation based on sequence templates, correlation based on the prerequisites and consequences of intrusions, correlation based on similarity, and correlation based on statistical analysis. This paper employs the first two.

An alert correlation system needs a knowledge base in which the connections between attacks are stored. This paper adopts ontology technology to represent that knowledge. As a newer form of knowledge representation, an ontology can strictly define concepts and the relationships between them, and can express commonly recognized, shared knowledge. The paper uses the ontology language OWL and the rule language SWRL to describe attack knowledge. OWL is based on description logic and has some inference capability; SWRL adds Horn logic on top of OWL and has stronger inference capability. This paper uses their inference capability to perform alert correlation.

The inference capability of OWL and SWRL is not sufficient for this paper's alert correlation system, so XSWRL is introduced. XSWRL extends SWRL by dropping the safety condition, i.e. it allows variables that do not occur in the antecedent of a rule to occur in its consequent. Such variables are called "existentially quantified variables". XSWRL is implemented by modifying the source code of Protégé.

The main work of this paper is to implement XSWRL and to establish an attack knowledge framework. A user interface for the alert correlation system is also developed.

The innovations of this paper are: first, combining correlation based on sequence templates with correlation based on the prerequisites and consequences of intrusions; second, using ontology technology to describe attack knowledge; third, introducing and implementing XSWRL.
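The two correlation techniques the abstract combines can be illustrated with a small runnable model. The following Python is an added example written for this page, not code from the thesis or from Protégé; the attack types, their prerequisite/consequence predicates, the sequence templates and the alerts are all constructed placeholders, and the tiny fact store stands in for the OWL/SWRL ontology and inference engine. It does not model XSWRL's existentially quantified variables; every variable in a consequence is bound from an alert attribute. It shows how a consequence of one alert satisfying a prerequisite of a later alert links them into a correlation graph, and how ordered sequence templates are then matched over that graph to recover attack scenarios while an isolated alert stays uncorrelated.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    id: int
    ts: int       # seconds since epoch (constructed values)
    type: str     # IDS signature / attack type
    src: str
    dst: str


# Constructed knowledge base: hypothetical attack types with prerequisite and
# consequence predicates. Each predicate is (name, alert-attribute) and is
# instantiated by binding the attribute's value from the alert.
KB = {
    "PortScan":       {"pre": set(),                      "post": {("ServiceKnown", "dst")}},
    "BufferOverflow": {"pre": {("ServiceKnown", "dst")},  "post": {("AccessGained", "dst")}},
    "AddUser":        {"pre": {("AccessGained", "dst")},  "post": {("AccountCreated", "dst")}},
    "DDoSAgentStart": {"pre": {("AccessGained", "src")},  "post": {("AgentRunning", "src")}},
}

# Constructed sequence templates: ordered attack types forming a known scenario.
TEMPLATES = {
    "remote-compromise": ("PortScan", "BufferOverflow", "AddUser"),
    "ddos-staging":      ("PortScan", "BufferOverflow", "DDoSAgentStart"),
}


def instantiate(preds, alert):
    """Bind each predicate's variable to the alert attribute it names."""
    return {(name, getattr(alert, var)) for name, var in preds}


def correlate(alerts, window=3600):
    """Prerequisite/consequence correlation.

    Returns edges (earlier_id, later_id, fact): the earlier alert's consequence
    'fact' satisfies a prerequisite of the later alert within 'window' seconds.
    """
    facts = []   # (fact, alert that established it), in time order
    edges = []
    for a in sorted(alerts, key=lambda x: x.ts):
        entry = KB.get(a.type)
        if entry is None:
            continue    # unknown type: nothing to correlate
        needed = instantiate(entry["pre"], a)
        for fact, earlier in facts:
            if fact in needed and a.ts - earlier.ts <= window:
                edges.append((earlier.id, a.id, fact))
        for fact in instantiate(entry["post"], a):
            facts.append((fact, a))
    return edges


def match_templates(alerts, edges):
    """Sequence-template correlation over the correlation graph.

    Returns {template_name: [tuple of alert ids]} for every path in the
    graph whose alert types equal the template, in order.
    """
    by_id = {a.id: a for a in alerts}
    succ = {}
    for earlier, later, _ in edges:
        succ.setdefault(earlier, []).append(later)

    def extend(path, remaining):
        if not remaining:
            return [tuple(path)]
        out = []
        for nxt in succ.get(path[-1], []):
            if by_id[nxt].type == remaining[0]:
                out.extend(extend(path + [nxt], remaining[1:]))
        return out

    results = {}
    for name, types in TEMPLATES.items():
        hits = []
        for a in alerts:
            if a.type == types[0]:
                hits.extend(extend([a.id], types[1:]))
        if hits:
            results[name] = hits
    return results


# Constructed sample alerts (not real traffic).
SAMPLE_ALERTS = [
    Alert(1, 100, "PortScan",       "10.0.0.5",     "192.168.1.10"),
    Alert(2, 200, "BufferOverflow", "10.0.0.5",     "192.168.1.10"),
    Alert(3, 300, "AddUser",        "10.0.0.5",     "192.168.1.10"),
    Alert(4, 400, "DDoSAgentStart", "192.168.1.10", "203.0.113.7"),
    Alert(5, 500, "BufferOverflow", "10.0.0.9",     "192.168.1.20"),  # no prior scan
]

if __name__ == "__main__":
    found = correlate(SAMPLE_ALERTS)
    for earlier, later, fact in found:
        print(f"alert {earlier} -> alert {later} via {fact}")
    print(match_templates(SAMPLE_ALERTS, found))
```

Alert 2's consequence `AccessGained` on the compromised host satisfies the prerequisites of both alert 3 and alert 4, so one intrusion branches into two scenarios, while alert 5 has no matching prior consequence and remains a single low-level alert for the analyst to triage separately. The time window is the check a practitioner would want: without it, a consequence established long ago would keep linking unrelated alerts.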
Keywords/Search Tags: alerts correlation, ontology, OWL, SWRL, XSWRL, Protégé, Jess