ONTIDS: A flexible context-aware and ontology-based alert correlation framework

In order to reduce the numbers of non-relevant alerts and false positives typically generated by Intrusion Detection Systems (IDS) in real-world situations, several alert correlation approaches that integrate and jointly analyse the alert streams of different alert sensors have been proposed. Inspired by the mental process of contextualisation used by security analysts to weed out less relevant alerts, some of these approaches have tried to incorporate into the correlation process contextual information such as type of systems, applications, users, and networks. However, they tend to be limited in flexibility, as they only perform correlation based on narrowly defined definitions of context. In order to provide a method to automate the analysis of the various information resources available to the security analyst, while preserving maximum flexibility and power of abstraction in the definition and use of such concepts, we propose the ONTIDS ontology-based correlation alert framework. ONTIDS uses ontologies to represent and store information on alerts, context and vulnerability information, and attack scenarios, and uses simple ontology logic rules written in Semantic Query-Enhance Web Rule Language (SQWRL) to correlate and filter out non-relevant alerts. We illustrate the potential usefulness and flexibility of our framework by describing a reference implementation that we use on two separate analysis case study scenarios, inspired from the DARPA 2000 and UNB ISCX IDS evaluation datasets.