Semantic aware attack scenarios reconstruction

Intrusion analysis is a resource intensive, complex and expensive process for any organization. The reconstruction of the attack scenario is an important aspect of such endeavor. We tackle in this paper several challenges overlooked by existing attack scenarios reconstruction techniques that undermine their performances. These include the ability to identify and extract novel attack patterns and the correlation of heterogeneous multisensor alerts. We propose a novel attack scenario reconstruction approach that analyzes both implicit and explicit relationships between intrusion alerts using semantic analysis and a new intrusion ontology. The proposed approach can reconstruct known and unknown attack scenarios and correlate alerts generated in multi-sensor IDS environment. Moreover, our approach can handle for the first time both novel attacks and false negative alerts generated by Intrusion Detection Systems (IDSs). Our experimental results show the potential of our approach and its advantages over previous approaches.