Semantic Mapping of Security Events to Known Attack Patterns

  • Xiao Ma
  • Elnaz Davoodi
  • Leila Kosseim
  • Nicandro Scarabeo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10859)


To secure cyber environments, analysts must review a large number of security events every day and take proper actions to alert their clients of potential threats. Increasing cyber traffic drives the need for a system that helps security analysts relate security events to known attack patterns. This paper describes the enhancement of an existing Intrusion Detection System (IDS) with the automatic mapping of Snort alert messages to known attack patterns. The approach relies on pre-clustering Snort messages before computing their similarity to known attack patterns in Common Attack Pattern Enumeration and Classification (CAPEC). The system has been deployed in our partner company and, when evaluated against the recommendations of two security analysts, achieved an f-measure of 64.57%.


Keywords: Semantic similarity, Clustering, Cyber security



The authors would like to thank the anonymous reviewers for their feedback on the paper. This work was financially supported by an Engage Grant from the Natural Sciences and Engineering Research Council of Canada (NSERC).



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Xiao Ma (1)
  • Elnaz Davoodi (1)
  • Leila Kosseim (1)
  • Nicandro Scarabeo (2)

  1. Department of Computer Science and Software Engineering, Concordia University, Montréal, Canada
  2. Hitachi Systems Security Inc., Blainville, Canada
