A Learning Framework for Transitioning Network Intrusion Alerts Management System to Ontology

Intrusion detection is not new in the area of information security. It is crucial for the intrusion alerts management system to correlate the collected intrusion alerts to reflect the causal relationships between the attack steps and construct the attack scenarios. Most of these systems, however, have been built on the relational database logging the intrusion alerts. The relational database has been proven to be a very useful model and applied in the wide area. But their persisting limitation lies in the flat structure which is not capable of representing the complex relations. An ontology is an explicit specification of a conceptualization using an agreed vocabulary. In this paper, ontology is put into use and a learning framework is presented which depicts how the intrusion alerts ontology can be learned and further enriched exploiting both the database schema and the stored data. Moreover, we introduce the vulnerabilities database to refine the ontology hierarchy and the restriction of classes and apply the ontology design pattern to represent the sequence of a series of events. The whole transitioning process is implemented in OBNAMS, an intrusion alerts management system constructed on the learned ontology automating the consisted steps.