Skip to main content
Search
Search
Quick Search anywhere
Quick Search anywhere
Quick Search anywhere
Quick Search anywhere
Quick Search anywhere
Quick Search anywhere
Advanced Search
Skip main navigation
No Access

An ontology-driven approach to model SIEM information and operations using the SWRL formalism

Published Online:August 6, 2012pp 104-123https://doi.org/10.1504/IJESDF.2012.048412

Abstract

The management of security events, from the risk analysis to the selection of appropriate countermeasures, has become a major concern for security analysts and IT administrators. Furthermore, the fact that network and system devices are heterogeneous, increases the difficulty of these administrative tasks. This paper introduces an ontology-driven approach to address the aforementioned problems. The proposed model takes into account two aspects: the information and the operations that are manipulated by SIEM environments in order to reach the desired goals. The model uses ontologies to provide simplicity on the description of concepts, relationships and instances of the security domain. The semantics web rule languages are used to describe the logic rules needed to infer relationships among individuals and classes. A case study on Botnets is presented at the end of this paper to illustrate a concrete utilisation of our model.

Keywords

security events, event management, security information and event management, SIEM, ontology, SWRL, semantics, logic rules, data model, heterogeneity, reasoning

References

  • 1. Abdoli, F. , Kahani, M. (2009). ‘Ontology-based distributed intrusion detection system’. Proceedings of the 14th International CSI Computer Conference. 65-70 Google Scholar
  • 2. Cuppens-Boulahia, N. , Cuppens, F. , Lopez, J. , Vasquez, E. , Guerra, J. , Debar, H. (2009). ‘An ontology-based approach to react to network attacks’. International Journal of Information and Computer Security. 3, 3–4, 280-305 AbstractGoogle Scholar
  • 3. Danyliw, R. , Mejier, J. , Demchenko, Y. (2007). ‘The incident object description exchange format’. RFC 5070 Google Scholar
  • 4. Debar, H. , Curry, D. , Feinsten, B. (2007). ‘Intrusion detection message exchange format’. RFC 4765 Google Scholar
  • 5. Eiter, T. , Ianni, G. , Polleres, A. , Schindlauer, R. , Tompis, H. (2006). ‘Reasoning with rules and ontologies’. in Reasoning Web 2006. 93-127 Google Scholar
  • 6. Fenz, S. , Ekelhart, A. (2009). ‘Formalizing information security knowledge’. ACM Symposium on Information, Computer and Communication Security, 183-194 Google Scholar
  • 7. Gerhards, R. , GmbH A (2009). ‘The syslog protocol’. RFC 5424 Google Scholar
  • 8. Giuseppini, G. , Burnett, M. (2005). ‘Microsoft log parser toolkit’. Chapter 5: Managing Snort Alerts. Syngress Publishing Inc., 147-163 Google Scholar
  • 9. Gonzalez Granadillo, G. , Ben Mustapha, Y. , Hachem, N. , Debar, H. (2011). ‘An ontology-based model for SIEM environments’. 7th International Conference on Global Security Safety and Sustainability Google Scholar
  • 10. Hachem, N. , Ben Mustapha, Y. , Gonzalez Granadillo, G. , Debar, H. (2011). ‘Botnets: lifecycle and taxonomy’. 6th Conference on Network Architecture and Information Systems Security Google Scholar
  • 11. Herzog, A. , Shahmehri, N. , Duma, C. (2007). ‘An ontology of information security’. International Journal of Information Security and Privacy. 1, 4, 1-23 Google Scholar
  • 12. Horridge, M. , Jupp, S. , Moulton, G. , Rector, A. , Stevens, R. , Wroe, C. (2007). ‘A practical guide to building OWL ontologies using Protégé 4 and CO-ODE tools’. 1.1 Ed, The University Of Manchester Google Scholar
  • 13. Lopez, J. , Villagra, V. , Holdago, P. , de Frutos, E. , Sanz, I. (2009). ‘A semantic web approach to share alerts among security information management systems’. Proc. Iberic Web Application Security Conference (IBWAS’09). Google Scholar
  • 14. Miller, D. , Harris, S. , Harper, A. , Van Dyke, S. , Blask, C. (2010). Security Information and Event Management (SIEM) Implementation. Florida, USA:McGraw Hill Google Scholar
  • 15. Morin, B. , Me, L. , Debar, H. , Ducasse, M. (2009). ‘M4D4: a logical framework to support alert correlation in intrusion detection’. Information Fusion Internationale. 10, 4, 285-299 Google Scholar
  • 16. Nguyen, V. (2011). ‘Ontologies and information systems: a literature survey’. Command, Control, Communications and Intelligence Division. Defence Science and Technology Organisation DSTO-TN-1002 Google Scholar
  • 17. Razzaq, A. , Hur, A. , Ahmed, H. , Haider, N. (2009). ‘Ontology based application level intrusion detection system by using Bayesian filter’. 2nd International Conference on Computer, Control and Communication, 1-6 Google Scholar
  • 18. ‘How to install COMODO firewall’. available at https://security.ngoinabox.org/en/comodoinstallation Security in a Box Google Scholar
  • 19. Undercoffer, J. , Joshi, A. , Pinkston, J. (2003). ‘Modeling computer attacks: an ontology for intrusion detection’. 6th International Symposium on Recent Advances in Intrusion Detection, 113-135 Google Scholar
  • 20. (2004). ‘SWRL: a semantic web rule language combining OWL and RuleML’. W3C Member Submission Google Scholar
  • 21. (2008). ‘SPARQL query language for RDF. W3C Recommendation’. W3C Recommendation Google Scholar
  • 22. (2009). ‘OWL 2 web ontology language. W3C Recommendation’. W3C Recommendation Google Scholar
  • 23. Zhang, Z. (2005). ‘Ontology query languages for semantic web: a performance evaluation’. University of Georgia, Master thesis Google Scholar
Next article