ONTIDS: A Highly Flexible Context-Aware and Ontology-Based Alert Correlation Framework

  • Alireza Sadighian
  • José M. Fernandez
  • Antoine Lemay
  • Saman T. Zargar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8352)


Several alert correlation approaches have been proposed to date to reduce the number of non-relevant alerts and false positives typically generated by Intrusion Detection Systems (IDS). Inspired by the mental process of the contextualisation used by security analysts to weed out less relevant alerts, some of these approaches have tried to incorporate contextual information such as: type of systems, applications, users, and networks into the correlation process. However, these approaches are not flexible as they only perform correlation based on the narrowly defined contexts. information resources available to the security analysts while preserving the maximum flexibility and the power of abstraction in both the definition and the usage of such concepts, we propose ONTIDS, a context-aware and ontology-based alert correlation framework that uses ontologies to represent and store the alerts information, alerts context, vulnerability information, and the attack scenarios. ONTIDS employs simple ontology logic rules written in Semantic Query-enhance Web Rule Language (SQWRL) to correlate and filter out non-relevant alerts. We illustrate the potential usefulness and the flexibility of ONTIDS by employing its reference implementation on two separate case studies, inspired from the DARPA 2000 and UNB ISCX IDS evaluation datasets.


Intrusion detection Alert correlation Ontology Context-aware 



This research was sponsored in part by the Inter-networked Systems Security Strategic Research Network (ISSNet), funded by Canada’s Natural Sciences and Engineering Research Council (NSERC).


  1. 1.
    Li-Zhong, G., Hui-bo, J.: A novel intrusion detection scheme for network-attached storage based on multi-source information fusion. In: 2012 Eighth International Conference on Computational Intelligence and Security, pp. 469–473 (2009)Google Scholar
  2. 2.
    Thomas, C., Balakrishnan, N.: Improvement in intrusion detection with advances in sensor fusion. Trans. Inf. For. Sec. 4(3), 542–551 (2009)CrossRefGoogle Scholar
  3. 3.
    Dreger, H., Kreibich, C., Paxson, V., Sommer, R.: Enhancing the accuracy of network-based intrusion detection with host-based context. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 206–221. Springer, Heidelberg (2005)Google Scholar
  4. 4.
    Cuppens, F., Miege, A.: Alert correlation in a cooperative intrusion detection framework. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 202–215 (2002)Google Scholar
  5. 5.
    Morin, B., Debar, H.: Correlation of intrusion symptoms: an application of chronicles. In: Vigna, G., Kruegel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 84–112. Springer, Heidelberg (2003)Google Scholar
  6. 6.
    Chen, L., Aritsugi, M.: An SVM-based masquerade detection method with online update using co-occurrence matrix. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 37–53. Springer, Heidelberg (2006)Google Scholar
  7. 7.
    Raftopoulos, E., Egli, M., Dimitropoulos, X.: Shedding light on log correlation in network forensics analysis. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2013. LNCS, vol. 7591, pp. 232–241. Springer, Heidelberg (2013)Google Scholar
  8. 8.
    Gagnon, F., Massicotte, F., Esfandiari, B.: Using contextual information for ids alarm classification (extended abstract). In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 147–156. Springer, Heidelberg (2009)Google Scholar
  9. 9.
    Sinha, S., Jahanian, F., Patel, J.M.: WIND: workload-aware intrusion detection. In: Kruegel, C., Zamboni, D. (eds.) RAID 2006. LNCS, vol. 4219, pp. 290–310. Springer, Heidelberg (2006)Google Scholar
  10. 10.
    Vorobiev, A., Bekmamedova, N.: An ontology-driven approach applied to information security. J. Res. Prac. Inf. Technol. 42(1), 61 (2010)Google Scholar
  11. 11.
    Coppolino, L., D’Antonio, S., Elia, I., Romano, L.: From intrusion detection to intrusion detection and diagnosis: An ontology-based approach. In: Lee, S., Narasimhan, P. (eds.) SEUS 2009. LNCS, vol. 5860, pp. 192–202. Springer, Heidelberg (2009)Google Scholar
  12. 12.
    Valeur, F., Vigna, G., Kruegel, C., Kemmerer, R.: Comprehensive approach to intrusion detection alert correlation. IEEE Trans. Depend. Secur. Comput. 1(3), 146–169 (2004)CrossRefGoogle Scholar
  13. 13.
    Cuppens, F., Ortalo, R.: LAMBDA: A language to model a database for detection of attacks. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 197–216. Springer, Heidelberg (2000)Google Scholar
  14. 14.
    CVE: Common vulnerabilities exposures (CVE), the key to information sharing.
  15. 15.
    CAPEC: Common attack pattern enumeration and classification (capec).
  16. 16.
    Eckmann, S.T., Vigna, G., Kemmerer, R.A.: STATL: An attack language for state-based intrusion detection. J. Comput. Secur. 10(1), 71–103 (2002)Google Scholar
  17. 17.
    Debar, H., Curry, D., Feinstein, B.: The intrusion detection message exchange format (idmef) (2007)Google Scholar
  18. 18.
    Mitre Corporation: A standardized common event expression (CEE) for event interoperability (2013)Google Scholar
  19. 19.
    Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of the 13th USENIX Conference on System Administration (LISA ’99), pp. 229–238. USENIX Association, Berkeley (1999)Google Scholar
  20. 20.
  21. 21.
    Zaraska, K.: Prelude ids: current state and development perspectives (2003).
  22. 22.
    Deraison, R.: The nessus project (2002).
  23. 23.
    Lyon, G.F.: Nmap network scanning: The official Nmap project guide to network discovery and security scanning. Insecure, USA (2009)Google Scholar
  24. 24.
    Nyulas, C., O’Connor, M., Tu, S.: Datamaster–a plug-in for importing schemas and data from relational databases into protege. In: Proceedings of the 10th International Protege Conference (2007)Google Scholar
  25. 25.
    Parsia, B., Sirin, E.: Pellet: An OWL-DL reasoner. In: Third International Semantic Web Conference-Poster, p. 18 (2004)Google Scholar
  26. 26.
    Friedman-Hill, E. et al.: Jess, the rule engine for the java platform (2003)Google Scholar
  27. 27.
    O’Connor, M., Das, A.: SQWRL: a query language for OWL. In: Proceedings of the 6th Workshop on OWL: Experiences and Directions (OWLED2009) (2009)Google Scholar
  28. 28.
    Shiravi, A., Shiravi, H., Tavallaee, M., Ghorbani, A.A.: Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput. Secur. 31(3), 357–374 (2012)CrossRefGoogle Scholar
  29. 29.
    MIT Lincoln Laboratory: 2000 DARPA intrusion detection scenario specific data sets (2000)Google Scholar
  30. 30.
    Hu, Y.: TIAA: A toolkit for intrusion alert analysis (2004)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Alireza Sadighian
    • 1
  • José M. Fernandez
    • 1
  • Antoine Lemay
    • 1
  • Saman T. Zargar
    • 2
  1. 1.Department of Computer and Software EngineeringÉcole Polytechnique de MontréalMontréalCanada
  2. 2.School of Information SciencesUniversity of PittsburghPittsburghUSA

Personalised recommendations