Extracting attack knowledge using principal-subordinate consequence tagging case grammar and alerts semantic networks

Wei Yan; Edwin Hou; Nirwan Ansari

Extracting attack knowledge using principal-subordinate consequence tagging case grammar and alerts semantic networks

Research output: Contribution to conference › Paper › peer-review

Abstract

The increasing use of Intrusion Detection System and a relatively high false alarm rate can lead to a huge volume of alerts. This makes it very difficult for security administrators to analyze and detect network attacks. Our solution for this problem is to make the alerts machine understandable. In this paper, we propose a novel way to convert the raw alerts into machine understandable uniform streams, correlate the streams, and extract the attack scenario knowledge. The modified case grammar Principal-subordinate Consequence Tagging Case Grammar and the 2-Atom Alert Semantic Network are used to generate the attack scenario classes. Alert mutual information is also applied to calculate the alert semantic context window size. Based on the alert context, the attack scenario instances are extracted and the attack scenario descriptions are forwarded to the security administrator.

Original language	English (US)
Pages	110-117
Number of pages	8
State	Published - 2004
Event	Proceedings - 29th Annual IEEE International Conference on Local Computer Networks, LCN 2004 - Tampa, FL, United States Duration: Nov 16 2004 → Nov 18 2004

Other

Other	Proceedings - 29th Annual IEEE International Conference on Local Computer Networks, LCN 2004
Country/Territory	United States
City	Tampa, FL
Period	11/16/04 → 11/18/04

All Science Journal Classification (ASJC) codes

General Engineering

Cite this

@conference{79366caefdcd42bf8f22be5a770e03bd,

title = "Extracting attack knowledge using principal-subordinate consequence tagging case grammar and alerts semantic networks",

abstract = "The increasing use of Intrusion Detection System and a relatively high false alarm rate can lead to a huge volume of alerts. This makes it very difficult for security administrators to analyze and detect network attacks. Our solution for this problem is to make the alerts machine understandable. In this paper, we propose a novel way to convert the raw alerts into machine understandable uniform streams, correlate the streams, and extract the attack scenario knowledge. The modified case grammar Principal-subordinate Consequence Tagging Case Grammar and the 2-Atom Alert Semantic Network are used to generate the attack scenario classes. Alert mutual information is also applied to calculate the alert semantic context window size. Based on the alert context, the attack scenario instances are extracted and the attack scenario descriptions are forwarded to the security administrator.",

author = "Wei Yan and Edwin Hou and Nirwan Ansari",

year = "2004",

language = "English (US)",

pages = "110--117",

note = "Proceedings - 29th Annual IEEE International Conference on Local Computer Networks, LCN 2004 ; Conference date: 16-11-2004 Through 18-11-2004",

}

Extracting attack knowledge using principal-subordinate consequence tagging case grammar and alerts semantic networks. / Yan, Wei; Hou, Edwin ; Ansari, Nirwan.
2004. 110-117 Paper presented at Proceedings - 29th Annual IEEE International Conference on Local Computer Networks, LCN 2004, Tampa, FL, United States.

Research output: Contribution to conference › Paper › peer-review

TY - CONF

T1 - Extracting attack knowledge using principal-subordinate consequence tagging case grammar and alerts semantic networks

AU - Yan, Wei

AU - Hou, Edwin

AU - Ansari, Nirwan

PY - 2004

Y1 - 2004

N2 - The increasing use of Intrusion Detection System and a relatively high false alarm rate can lead to a huge volume of alerts. This makes it very difficult for security administrators to analyze and detect network attacks. Our solution for this problem is to make the alerts machine understandable. In this paper, we propose a novel way to convert the raw alerts into machine understandable uniform streams, correlate the streams, and extract the attack scenario knowledge. The modified case grammar Principal-subordinate Consequence Tagging Case Grammar and the 2-Atom Alert Semantic Network are used to generate the attack scenario classes. Alert mutual information is also applied to calculate the alert semantic context window size. Based on the alert context, the attack scenario instances are extracted and the attack scenario descriptions are forwarded to the security administrator.

AB - The increasing use of Intrusion Detection System and a relatively high false alarm rate can lead to a huge volume of alerts. This makes it very difficult for security administrators to analyze and detect network attacks. Our solution for this problem is to make the alerts machine understandable. In this paper, we propose a novel way to convert the raw alerts into machine understandable uniform streams, correlate the streams, and extract the attack scenario knowledge. The modified case grammar Principal-subordinate Consequence Tagging Case Grammar and the 2-Atom Alert Semantic Network are used to generate the attack scenario classes. Alert mutual information is also applied to calculate the alert semantic context window size. Based on the alert context, the attack scenario instances are extracted and the attack scenario descriptions are forwarded to the security administrator.

UR - http://www.scopus.com/inward/record.url?scp=20544433820&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=20544433820&partnerID=8YFLogxK

M3 - Paper

AN - SCOPUS:20544433820

SP - 110

EP - 117

T2 - Proceedings - 29th Annual IEEE International Conference on Local Computer Networks, LCN 2004

Y2 - 16 November 2004 through 18 November 2004

ER -

Extracting attack knowledge using principal-subordinate consequence tagging case grammar and alerts semantic networks

Abstract

Other

All Science Journal Classification (ASJC) codes

Other files and links

Fingerprint

Cite this