A Semantic Approach to Situational Awareness for Intrusion Detection
We describe a situation-aware intrusion detection system that integrates heterogeneous sources of information to build and maintain a semantically rich knowledge base (KB) with information about cyber threats and vulnerabilities. Most current intrusion detection and prevention systems rely on signature-based approaches to detect attacks. When an attack signature is not available, such as for a new or significantly modified exploit, such systems are much less effective. Moreover, these intrusion detection systems are point-based solutions that do not make effective use of heterogeneous data sources, which can provide important information related to intrusions that is not yet available as signature patterns. This information can also help detect low and slow attacks, in which small intrusions that are spatially and temporally apart combine to build a more elaborate attack.
We have prototyped a system that uses this approach to recognize potential attacks. The knowledge base is constructed and kept current by integrating information from several sources, represented as ontologies, rules and facts using the Semantic Web languages OWL and RDF. The ontologies and facts are updated with data from vulnerability databases such as NVD, with concepts and facts extracted from text from various Web sources, including news, blog posts and chat rooms, and with facts about the state of the system being protected, produced by network monitoring tools such as the Snort IDS or Wireshark.
The foundation of our knowledge base rests on an OWL ontology developed by Undercoffer [4] that provides a vocabulary of concepts, properties and relations to describe attacks in terms of their means (e.g., BufferOverFlow, synFlood), consequences (e.g., DenialOfService, PrivilegeEscalation) and targets (e.g., systems, processes, and software versions). We use natural language processing techniques including text classification, named entity recognition, entity linking and concept spotting to extract information from Web text and represent it using extensions to these ontologies [3]. The output of existing IDSs at the network and host level [1] is also represented as RDF data using these ontologies. The results are integrated and reasoned over using the ontology axioms and custom rules to identify potential attacks. We evaluated our initial prototype system in a series of experiments on stack-based buffer overflow exploits in Adobe Reader and Acrobat [2] with promising results, demonstrating the feasibility of a situational awareness approach to detecting new attacks.
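The integration-and-reasoning step described above (ontology axioms plus custom rules applied to facts from a vulnerability database, Web text, the protected system's inventory and IDS alerts), together with the low-and-slow correlation mentioned in the abstract, as an added example that is not the paper's code: a pure-Python stand-in for an RDF triple store with forward-chaining rules. Every namespace prefix (att:, sys:, ids:, web:), predicate (hasMeans, hasConsequence, affects, runs, hasTarget, hasSource, precedes) and sample fact is an assumption constructed for illustration; the terms are not the Undercoffer ontology's, and the vulnerability, host and alert records are made up rather than real NVD or Snort data.

```python
"""Added example, not the paper's code: a tiny triple store plus forward-chaining rules
stands in for the OWL/RDF knowledge base, ontology axioms and custom rules described
above. Every IRI, predicate and fact is constructed; none is a real NVD or Snort record."""

ATT, SYS, IDS, WEB = "att:", "sys:", "ids:", "web:"  # constructed namespace prefixes
RDF_TYPE, SUBCLASS = "rdf:type", "rdfs:subClassOf"

class TripleStore:
    """Minimal RDF-style graph: a set of (subject, predicate, object) triples."""
    def __init__(self): self.triples = set()

    def add(self, s, p, o):
        """Insert a triple; True only if it was new (drives the fixpoint loop)."""
        before = len(self.triples)
        self.triples.add((s, p, o))
        return len(self.triples) > before

    def match(self, s=None, p=None, o=None):  # basic graph-pattern match, None = wildcard
        return [t for t in self.triples if (s is None or t[0] == s)
                and (p is None or t[1] == p) and (o is None or t[2] == o)]

    def objects(self, s, p):
        return {o for _, _, o in self.match(s, p)}

def rule_subclass_means(kb):
    """Ontology axiom: x hasMeans M, M rdfs:subClassOf N  =>  x hasMeans N."""
    changed = False
    for x, _, m in kb.match(p=ATT + "hasMeans"):
        for _, _, n in kb.match(m, SUBCLASS):
            changed |= kb.add(x, ATT + "hasMeans", n)
    return changed

def rule_alert_matches_vuln(kb):
    """Custom rule: alert means matches a vulnerability in software the target runs."""
    changed = False
    for alert, _, host in kb.match(p=ATT + "hasTarget"):
        for software in kb.objects(host, SYS + "runs"):
            for vuln, _, _ in kb.match(p=ATT + "affects", o=software):
                if not kb.objects(alert, ATT + "hasMeans") & kb.objects(vuln, ATT + "hasMeans"):
                    continue
                changed |= kb.add(alert, RDF_TYPE, ATT + "PotentialAttack")
                changed |= kb.add(alert, ATT + "exploits", vuln)
                for c in kb.objects(vuln, ATT + "hasConsequence"):
                    changed |= kb.add(alert, ATT + "hasConsequence", c)
                if kb.objects(vuln, WEB + "exploitReportedIn"):  # Web text says exploited in the wild
                    changed |= kb.add(alert, ATT + "priority", "high")
    return changed

def rule_low_and_slow(kb):
    """Custom rule: reconnaissance, then a later PotentialAttack from the same source on
    the same host, links small time-separated events into one multi-stage attack."""
    changed = False
    for recon, _, host in kb.match(p=ATT + "hasTarget"):
        if ATT + "Reconnaissance" not in kb.objects(recon, ATT + "hasMeans"):
            continue
        for later, _, _ in kb.match(p=RDF_TYPE, o=ATT + "PotentialAttack"):
            t_r, t_l = kb.objects(recon, IDS + "time"), kb.objects(later, IDS + "time")
            if (host in kb.objects(later, ATT + "hasTarget")
                    and kb.objects(recon, ATT + "hasSource") & kb.objects(later, ATT + "hasSource")
                    and t_r and t_l and max(t_r) < min(t_l)):  # ISO-8601 strings sort lexically
                changed |= kb.add(recon, ATT + "precedes", later)
                changed |= kb.add(later, RDF_TYPE, ATT + "MultiStageAttack")
    return changed

def infer(kb):
    """Forward-chain: run every rule each round until none adds a new triple."""
    rules = (rule_subclass_means, rule_alert_matches_vuln, rule_low_and_slow)
    while any([rule(kb) for rule in rules]):  # list, not generator, so every rule runs
        pass
    return kb

def build_sample_kb():
    """Constructed facts shaped like the sources the text integrates."""
    kb = TripleStore()
    kb.add(ATT + "StackBufferOverflow", SUBCLASS, ATT + "BufferOverflow")  # ontology axioms
    kb.add(ATT + "PortScan", SUBCLASS, ATT + "Reconnaissance")
    kb.add("vuln:V1", ATT + "hasMeans", ATT + "BufferOverflow")  # NVD-like record
    kb.add("vuln:V1", ATT + "hasConsequence", ATT + "PrivilegeEscalation")
    kb.add("vuln:V1", ATT + "affects", "sys:pdf_reader_vA")
    kb.add("vuln:V1", WEB + "exploitReportedIn", "web:post_1")  # fact extracted from Web text
    kb.add("sys:host_A", SYS + "runs", "sys:pdf_reader_vA")  # protected-system state
    for alert, means, host, src, when in (  # IDS alerts re-expressed as RDF
        ("ids:alert_1", "PortScan", "sys:host_A", "net:src_1", "2010-06-01T08:00:00Z"),
        ("ids:alert_2", "StackBufferOverflow", "sys:host_A", "net:src_1", "2010-06-03T17:12:00Z"),
        ("ids:alert_3", "StackBufferOverflow", "sys:host_B", "net:src_2", "2010-06-03T17:15:00Z"),
    ):
        kb.add(alert, ATT + "hasMeans", ATT + means)
        kb.add(alert, ATT + "hasTarget", host)
        kb.add(alert, ATT + "hasSource", src)
        kb.add(alert, IDS + "time", when)
    return kb  # host_B has no inventory entry, so alert_3 cannot be correlated

def potential_attacks(kb):
    """{alert: sorted consequences} for every inferred PotentialAttack."""
    return {a: sorted(kb.objects(a, ATT + "hasConsequence"))
            for a, _, _ in kb.match(p=RDF_TYPE, o=ATT + "PotentialAttack")}

def multistage_attacks(kb):
    return sorted(kb.match(p=ATT + "precedes"))
```

Running `infer(build_sample_kb())` classifies alert_2 as a PotentialAttack with consequence PrivilegeEscalation and high priority, and links the earlier port scan alert_1 from the same source to it as a multi-stage attack; alert_3, although it is the same kind of Snort alert, stays uncorrelated because nothing is known about host_B. That last case is the practical caveat: the inference is only as good as the inventory and vulnerability facts in the KB, and a stale or incomplete inventory suppresses detections silently rather than loudly.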