Article code: 6854881 | Journal code: 1437598 | Year of publication: 2018 | English article: 32 pages, PDF | Persian translation and full-text version: available on request
English title (ISI article)
Attack scenario reconstruction using intrusion semantics
Persian title (translated back to English)
Reconstruction of an attack scenario using intrusion semantics
Keywords
Alert correlation, attack scenario, ontology, similarity, semantics
Related subjects
Engineering and basic sciences; Computer engineering; Artificial intelligence
English abstract
Security information and event management (SIEM) systems receive a large number of alerts from different intrusion detection systems. From these alerts they are expected to make reliable and timely decisions about the types of ongoing attack scenarios and their priorities. However, the lack of an agreed-upon vocabulary for representing the domain knowledge makes it difficult for state-of-the-art SIEM systems to manage these complex decisions effectively. To overcome this problem, an ontology-based expert system approach can provide domain knowledge modeling as a foundation for disambiguating meaning and reasoning automatically about ongoing attack scenarios. The proposed approach reconstructs attack scenarios by reasoning over the evidence in the alert stream. Its main idea is to identify the causal relation between alerts using their similarity. The approach assumes that the similarity between two successive steps of an attack scenario is greater than that between two non-successive steps, and that the similarity between steps of the same attack scenario is greater than that between steps of two different attack scenarios. The benefit of the proposed approach is the fast and incremental reconstruction of known and unknown attack scenarios without expert intervention, which is an enormous step forward in developing expert and intelligent systems for cyber security. We evaluated the proposed technique by performing experiments on two known datasets: DARPA 2000 and MACCDC 2012. The results prove the advantages of the proposed approach with regard to the completeness and soundness criteria.
Publisher
Database: Elsevier - ScienceDirect
Journal: Expert Systems with Applications - Volume 108, 15 October 2018, Pages 119-133