Title: An ontology-based modelling and reasoning for alerts correlation
Authors: Tayeb Kenaza
Addresses: Ecole Militaire Polytechnique, BP 17 BEB 16111, Alger, Algeria
Abstract: SIEM is a modern and powerful security tool thanks to several functions that it provides to take benefit of collected data, such as normalisation and aggregation. The main important function is events correlation, when security operators can get a precise and quick picture about threats and attacks in real-time. The quality of that picture depends on the efficiency of the adopted reasoning approach to putting together pieces of information provided by several analysers. In this paper, we propose a semantic approach based on description logics (DLs) which is a powerful tool for knowledge representation and reasoning. Indeed, ontology provides a comprehensive environment to represent information for intrusion detection and allows easy maintaining of information or adding new ones. We implemented a rule-based engine for alert correlation based on the proposed ontology and two attack scenarios are carried out to show the usefulness of our approach.
Keywords: information security; intrusion detection; security information and event management system; SIEM; alert correlation; rules-based reasoning; ontology; ontology web language; OWL; Semantic Web Rule Language; SWRL.
International Journal of Data Mining, Modelling and Management, 2021 Vol.13 No.1/2, pp.65 - 80
Received: 27 Jul 2018
Accepted: 15 Jul 2019
Published online: 09 Feb 2021 *