An ontology-based modelling and reasoning for alerts correlation

SIEM is a modern and powerful security tool thanks to several functions that it provides to take benefit of collected data, such as normalisation and aggregation. The main important function is events correlation, when security operators can get a precise and quick picture about threats and attacks in real-time. The quality of that picture depends on the efficiency of the adopted reasoning approach to putting together pieces of information provided by several analysers. In this paper, we propose a semantic approach based on description logics (DLs) which is a powerful tool for knowledge representation and reasoning. Indeed, ontology provides a comprehensive environment to represent information for intrusion detection and allows easy maintaining of information or adding new ones. We implemented a rule-based engine for alert correlation based on the proposed ontology and two attack scenarios are carried out to show the usefulness of our approach.