Slide 1

Ontology-based Modeling of DDoS Attacks for Attack Plan Detection
M. Ansarinia, S. A. Asghari, A. Souzani, A. Ghaznavi

Slide 2

Outline
• Introduction
• Review of Similar Studies
• Proposed Method
• Evaluation
• Future Works

Slide 3

Introduction: Why Attack Plan Detection?
• Attack Plan Detection
  • Resolve vulnerabilities,
  • Update system configurations,
  • Fix weaknesses,
  • Prevent consequences,
  • Stop multi-step attacks,
  • Prevent potential attacks.

Slide 4

Introduction: Why Knowledge?
• More concrete knowledge of a domain compared to relational databases and taxonomies.
• Machine-understandable.
• There is no common structure of attack scenarios.
• Shared conceptualization of DDoS attacks.
• Semantic-level representation.
• Logic and inference as a solution to decision-making problems.
• Constructed from semi-informal data sources.

Slide 5

Introduction: Taxonomies and Ontologies
Vocabulary + Structure = Taxonomy
Taxonomy + Relations + Constraints + Rules = Ontology
Ontology + Instances = Knowledge Base

Slide 6

Introduction: Contributions
• Transform DDoS attack information from being machine-readable to machine-understandable.
• Employ knowledge to predict potential DDoS attacks with respect to the vulnerabilities, weaknesses, and prerequisites of such attacks.
• Common semantic representation of attacks by which machines can communicate.

Slide 7

Introduction: Knowledge Hierarchy
(Diagram: hierarchy levels on a Past-to-Future axis)
• Data
• Information: what
• Knowledge: how to
• Understanding: why
• Cognition: what to do

Slide 9

Introduction: Literature Review - Representations
• Ontological representations of attacks are mostly limited to the general view of network attacks.
  • Non-specific view.
• Taxonomies for attacks, vulnerabilities, and weaknesses (CAPEC, CVE, and CWE).
  • Lack of logical assumptions, rules, and reasoning.
• Statistical, analytical, and machine learning detection methods.
  • Invariant, convergence problem, lack of extendability for new concepts, and curse of dimensionality.
  • SVM
  • Clustering and classification algorithms (K-Means, DBSCAN, OPTICS, SOM, etc.)
  • Evolutionary algorithms
  • Neural networks

Slide 10

Introduction: High-level Ontology Structure
(Diagram) Concepts: DDoS Attack, Vulnerability, Weakness, Vulnerable System. Relations: relatedTo, causedBy, relatedTo, has (some).

Slide 11

Introduction: Main Ontology Concepts (diagram)

Slide 12

Method
• Information parsing and conversion from the hierarchical concepts of CAPEC, CWE, and CVE to interrelated ontological representations (including concepts, relationships, attributes, and instances).
• Semantic rule-based reasoning as the detection strategy.

Slide 13

Method: System Architecture (diagram)
• Inputs: System Events, IDS Logs, Manual User Inputs (Direct, Indirect).
• Convert data to triples of type → Map triples to ontology entities → DDoS Attacks Knowledge Base (based on the DDoS Attack Ontology).
• Reasoner, using Attack SWRL Rules and SPARQL Queries → Check consistency.
• Consistent → DDoS Plan Detection Result; Inconsistent → Report inconsistency.

Slide 14

Method: Detection Rules (diagram)
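The reasoning step in the architecture above, and the ontology structure from the introduction, as an added example that is not part of the slides or the authors' system: a minimal forward-chaining reasoner over RDF-style triples, with two SWRL-style rules in place of the authors' Attack SWRL Rules. Every identifier (attack:A1, vuln:V1, sys:S1, and so on) is a constructed placeholder, not a real CAPEC, CWE or CVE entry.

```python
# Added example, not from the slides: a minimal forward-chaining reasoner over
# RDF-style triples using the slides' ontology relations (relatedTo, causedBy,
# has) and two SWRL-style detection rules. All identifiers are constructed.
def _match(pattern, triple, binding):
    # Unify one triple pattern (variables start with '?') against one fact.
    b = dict(binding)
    for p, t in zip(pattern, triple):
        if (b.setdefault(p, t) if p.startswith("?") else p) != t:
            return None
    return b

def _solve(body, kb):
    # All variable bindings under which every pattern of a rule body holds.
    bindings = [{}]
    for pat in body:
        bindings = [nb for b in bindings for t in kb
                    for nb in [_match(pat, t, b)] if nb is not None]
    return bindings

def infer(facts, rules):
    """Forward chaining: apply the rules until no new triple is derived."""
    kb = set(facts)
    while True:
        new = {tuple(b.get(x, x) for x in head)
               for body, head in rules for b in _solve(body, kb)} - kb
        if not new:
            return kb
        kb |= new

# Constructed knowledge base: attack A1 is a prerequisite step of attack A2.
FACTS = {
    ("attack:A1", "rdf:type", "onto:DDoSAttack"), ("attack:A1", "onto:relatedTo", "vuln:V1"),
    ("attack:A2", "rdf:type", "onto:DDoSAttack"), ("attack:A2", "onto:relatedTo", "vuln:V2"),
    ("attack:A1", "onto:prerequisiteOf", "attack:A2"), ("vuln:V1", "onto:causedBy", "weak:W1"),
    ("sys:S1", "onto:has", "vuln:V1"), ("sys:S1", "onto:has", "vuln:V2"),
    ("sys:S2", "onto:has", "vuln:V1"),
}

RULES = [  # (body patterns, head pattern), in the spirit of SWRL rules
    # attack relatedTo vuln, system has vuln  =>  system exposedTo attack
    ((("?a", "rdf:type", "onto:DDoSAttack"), ("?a", "onto:relatedTo", "?v"),
      ("?s", "onto:has", "?v")), ("?s", "onto:exposedTo", "?a")),
    # exposed to both steps of a chain  =>  a multi-step attack plan is possible
    ((("?s", "onto:exposedTo", "?a"), ("?a", "onto:prerequisiteOf", "?b"),
      ("?s", "onto:exposedTo", "?b")), ("?s", "onto:potentialPlan", "?b")),
]

def detect(facts=FACTS, rules=RULES):
    """Return (system, attack) pairs for which a complete plan is inferred."""
    kb = infer(facts, rules)
    return sorted((s, o) for s, p, o in kb if p == "onto:potentialPlan")
```

Only sys:S1 carries both vulnerabilities of the chain, so only it is reported with a potential plan; sys:S2 is exposed to the first step alone and is not.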

Slide 15

Results: Evaluation Method
• Quantitative evaluation (OntoQA) of the ontology and knowledge base.
• Manual reporting interface, and test attack scenarios.

Slide 16

Results: Evaluation Architecture (diagram)
• Inputs: System Events, IDS Logs, Manual User Inputs (Direct, Indirect).
• Convert data to triples of type → Map triples to ontology entities → DDoS Attacks Knowledge Base (based on the DDoS Attack Ontology).
• Reasoner, using Attack SWRL Rules and SPARQL Queries → Check consistency.
• Consistent → DDoS Plan Detection Result; Inconsistent → Report inconsistency.

Slide 19

Results: Evaluation Metrics
Inheritance Richness: 76
Object Property Richness: >12
Data Property Richness: >7
Hierarchical Levels: 5
Concept Richness: 64

Slide 20

Results: Conclusion
• Ontological representation of attacks.
• Semantic rules for attacks.
• Automatic conversion of semi-informal knowledge sources.
• Utilize inference as an attack plan detector.

Slide 21

Future Works
• More descriptive model of DDoS attacks.
• Higher-level reasoning using psychological measures.
• Feed IDS and system events as inputs.
• Extend the attack domain.
• Assets.

Slide 22

?