A description logic based approach for IDS security information management

The upsurge of network Distributed Denial of Service (DDoS) attacks on computer networks demands great effort in network security management. Currently, Intrusion Detection Systems (IDSs) are used to secure computer networks. However, IDSs may generate a huge volume of alerts, making it hard for security administrators to uncover hidden attack scenarios. In this paper, we propose a Description Logic-based approach for IDS event semantic analysis, which allows inferring attack scenarios and enabling the attack knowledge semantic queries. With Attack Knowledge Base consisting of Abox and Tbox, IDS alerts are converted into machine-understandable uniform alert streams. The ontology and attack instances of Attack Knowledge Base are applied to derive attack scenarios. Then the attack semantic query is implemented by spreading activation technique, which enables administrators to query the intrusion states of the networks.