Modeling Computer Attacks: An Ontology for Intrusion Detection

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2820)


We state the benefits of transitioning from taxonomies to ontologies and ontology specification languages, which are able to serve simultaneously as recognition, reporting and correlation languages. We have produced an ontology specifying a model of computer attack using the DARPA Agent Markup Language + Ontology Inference Layer (DAML+OIL), a description logic language. The ontology's logic is implemented using DAMLJessKB. We compare and contrast the IETF's IDMEF, an emerging standard that uses XML to define its data model, with a data model constructed using DAML+OIL. In our research we focus on low-level kernel attributes at the process, system and network levels to serve as the taxonomic characteristics. We illustrate the benefits of utilizing an ontology by presenting use case scenarios within a distributed intrusion detection system.
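The abstract claims that one ontology can act as recognition, reporting and correlation language at the same time, with low-level process, system and network attributes as its classification criteria. The Python sketch below is added here as an illustration of what that means mechanically; it is not the paper's ontology and not DAMLJessKB. It builds a small class hierarchy in the description-logic style (defined classes carry necessary-and-sufficient restrictions on observed attributes, primitive classes such as Attack carry none and are only implied), classifies an observation by subsumption, merges two sensors' reports about one target before classifying, and emits the result as RDF-style triples. All class names, attribute names and sensor values are constructed for the example.

```python
"""Toy description-logic style attack ontology (illustration, not the paper's).

A *defined* class has its own restrictions and can be recognised directly from
an observation; a *primitive* class (Attack, DenialOfService) has none and is
only implied through a subclass. Names and values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Restriction = Tuple[str, Callable[[object], bool]]  # (attribute name, predicate)


@dataclass
class AttackClass:
    name: str
    parent: Optional[str] = None
    restrictions: List[Restriction] = field(default_factory=list)


class Ontology:
    def __init__(self) -> None:
        self.classes: Dict[str, AttackClass] = {}

    def define(self, name: str, parent: Optional[str] = None,
               restrictions: Iterable[Restriction] = ()) -> None:
        self.classes[name] = AttackClass(name, parent, list(restrictions))

    def ancestors(self, name: str) -> List[str]:
        out, p = [], self.classes[name].parent
        while p is not None:
            out.append(p)
            p = self.classes[p].parent
        return out

    def all_restrictions(self, name: str) -> List[Restriction]:
        # A subclass inherits every restriction of its ancestors.
        return [r for n in [name] + self.ancestors(name)
                for r in self.classes[n].restrictions]

    def satisfies(self, name: str, instance: Dict[str, object]) -> bool:
        return all(attr in instance and pred(instance[attr])
                   for attr, pred in self.all_restrictions(name))

    def classify(self, instance: Dict[str, object]) -> List[str]:
        """Most specific defined classes the instance belongs to (may be several)."""
        matched = {n for n, c in self.classes.items()
                   if c.restrictions and self.satisfies(n, instance)}
        implied = {a for n in matched for a in self.ancestors(n)}
        return sorted(matched - implied)


def build_ontology() -> Ontology:
    onto = Ontology()
    onto.define("Attack")                                  # primitive
    onto.define("DenialOfService", "Attack")               # primitive
    # Network level: high SYN rate together with many half-open connections.
    onto.define("SynFlood", "DenialOfService", [
        ("net.tcp.syn_per_sec", lambda v: v > 1000),
        ("net.tcp.half_open", lambda v: v > 500),
    ])
    # System level: the kernel's listen backlog for the service is saturated.
    onto.define("ResourceExhaustion", "DenialOfService", [
        ("sys.listen_backlog_full", lambda v: v is True),
    ])
    # Network + process level: the flood is blocking accept() in the victim
    # process. Evidence comes from two sensors, so only a correlated report
    # can satisfy this class.
    onto.define("SuccessfulSynFlood", "SynFlood", [
        ("proc.accept_blocked", lambda v: v is True),
    ])
    return onto


def correlate(*reports: Dict[str, object]) -> Dict[str, object]:
    """Merge attribute sets that different sensors reported about one target."""
    merged: Dict[str, object] = {}
    for r in reports:
        merged.update(r)
    return merged


def to_triples(subject: str, instance: Dict[str, object],
               classes: List[str]) -> List[Tuple[str, str, object]]:
    """Report an instance as RDF-style (subject, predicate, object) triples."""
    triples: List[Tuple[str, str, object]] = [(subject, "rdf:type", c) for c in classes]
    triples += [(subject, attr, val) for attr, val in sorted(instance.items())]
    return triples


# Constructed sensor reports about the same victim host.
NETWORK_SENSOR = {"net.tcp.syn_per_sec": 4200, "net.tcp.half_open": 1800}
HOST_SENSOR = {"sys.listen_backlog_full": True, "proc.accept_blocked": True}


def demo():
    onto = build_ontology()
    net_only = onto.classify(NETWORK_SENSOR)   # ['SynFlood']
    host_only = onto.classify(HOST_SENSOR)     # ['ResourceExhaustion']
    merged = correlate(NETWORK_SENSOR, HOST_SENSOR)
    both = onto.classify(merged)               # ['ResourceExhaustion', 'SuccessfulSynFlood']
    return net_only, host_only, both, to_triples("ex:event-1", merged, both)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The point the example makes is the one the abstract argues: the `rdf:type` assertions in the report are inferred from the restrictions rather than assigned by whichever sensor happened to see the event, the same hierarchy that drives recognition is the vocabulary of the report, and correlating two sensors' attribute sets is just a merge followed by re-classification. In a fixed data model such as IDMEF's XML document type, the class of the alert is a field the sensor fills in, so nothing downstream can derive `SuccessfulSynFlood` from the two partial reports.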







Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

Department of Computer Science and Electrical Engineering, University of Maryland, Baltimore County, Baltimore, USA
