TY - GEN
T1 - Frame-based attack representation and real-time first order logic automatic reasoning
AU - Yan, Wei
AU - Hou, Edwin
AU - Ansari, Nirwan
PY - 2005
Y1 - 2005
N2 - The Internet has grown by several orders of magnitude in recent years, making network security a major concern. Hence, Intrusion Detection Systems (IDSs) are used to detect intrusions in a timely manner and defend against attack attempts. However, current IDS technology generates a huge volume of alert events due to false alarms, and requires costly manual alert review due to the lack of intelligence in the IDS. As a solution, Security Information Management (SIM) is a growing area of interest in network security. In this paper, we propose the FAR-FAR (Frame-based Attack Representation and First-order logic Automatic Reasoning) system for SIM to relieve the administrator of time-consuming and costly manual alert review. Using backward chaining, FAR-FAR can reason about network attack scenarios in real time. In FAR-FAR, the aggregated alerts from different IDS agents are converted into uniform frame-structured streams by Case Grammar. Afterwards, first-order logic production rules are used to extract the hidden attack scenarios. Our simulation results show that FAR-FAR's attack scenario reasoning time for the incoming alerts is generally far less than the alerts' inter-arrival time. This ensures that FAR-FAR can automatically reason about attack plans in real time and predict possible attack attempts at an early stage.
KW - Attack Scenario
KW - First-order Logic
KW - IDS
KW - Network Security
UR - http://www.scopus.com/inward/record.url?scp=33745726026&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33745726026&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:33745726026
SN - 0780389328
SN - 9780780389328
T3 - ITRE 2005 - 3rd International Conference on Information Technology: Research and Education - Proceedings
SP - 225
EP - 229
BT - ITRE 2005 - 3rd International Conference on Information Technology
T2 - ITRE 2005 - 3rd International Conference on Information Technology: Research and Education
Y2 - 27 June 2005 through 30 June 2005
ER -