Academia.eduAcademia.edu

Outline

Title
Abstract
Figures
Introduction
Intrusion Data and Classes
Conclusion
References
All Topics
Computer Science
Cybersecurity

Contextual Fuzzy Cognitive Map for Intrusion Response System

Profile image of Montaceur ZaghdoudMontaceur Zaghdoud

Abstract

An intrusion response system is charged with minimizing any losses caused by intrusion. It remains ineffective if the response to the intrusion does not bring the timely and adequate corrections required by the victim system. This paper proposes a new intrusion response system based on contextual fuzzy cognitive map. In this intrusion response system framework, a new ontology is defined based upon conceptual graphs in order to describe relationships between different intrusion concepts and recognize suspect connection as an intrusion which belongs to known intrusion class (DOS, PROBING, U2R or R2U). Fuzzy cognitive maps are used to assess the negative impact of an intrusion on the victim system. Specifying appropriate remedies for all damages which are caused by intrusion is considered as main task of intrusion response system. There are two kinds of remedies: direct or indirect remedies, the former is accomplished by acting directly on the victim system but the later is considered as remotely acting on damaged system. The proposed intrusion response system is multilayer system. The first layer is charged with the identification of the intrusion suspect intrusion using conceptual graphs to build a new ontology. The second layer assesses the effect of intrusion on the victim system using a fuzzy cognitive map. The third layer recommends a response in two ways: automatically by acting through a mobile agent, or manually by alerting the appropriate security administrator.

Figures (5)
Figure 1: Intrusion Response Strategy The second step is charged by defining possible damages caused by intrusion on victim computer/information system using fuzzy cognitive map which describes possible influences between components of victim system. The third and final step of proposed response strategy should make valuable direct (automated) or indirect (not automated) response by sending advising message to system administrator or by charging mobile agents by appropriate remedies and correctives.
Figure 1: Intrusion Response Strategy The second step is charged by defining possible damages caused by intrusion on victim computer/information system using fuzzy cognitive map which describes possible influences between components of victim system. The third and final step of proposed response strategy should make valuable direct (automated) or indirect (not automated) response by sending advising message to system administrator or by charging mobile agents by appropriate remedies and correctives.
In this paper, we use conceptual graph to represent intrusion relationships which can show possible relation between intrusion and type or class of intrusion (DOS, PROBING, U2R, R2U). Figure 4 shows an illustration of this application. It describes relationship between concepts: Iswep, Mscan, Nmap, Saint and satan are types of intrusion class probing. Probing is a class of Intrusions.
In this paper, we use conceptual graph to represent intrusion relationships which can show possible relation between intrusion and type or class of intrusion (DOS, PROBING, U2R, R2U). Figure 4 shows an illustration of this application. It describes relationship between concepts: Iswep, Mscan, Nmap, Saint and satan are types of intrusion class probing. Probing is a class of Intrusions.
Conversely, eij<0 denotes negative causality— whenever concept Ci increases, there is a decrease in Cj by the degree eij. The higher the absolute value for eij, the greater the effect of the cause. FCMs can be successfully used to capture causal knowledge and to support causal inference[21]. A FCM graph can be equivalently defined by a square matrix, called connection matrix, which stores all weight values for edges between corresponding concepts represented by rows and columns. The system of n nodes can be represented by nxn connection matrix [36]. An example of FCM model and its connection matrix are shown as follow:
Conversely, eij<0 denotes negative causality— whenever concept Ci increases, there is a decrease in Cj by the degree eij. The higher the absolute value for eij, the greater the effect of the cause. FCMs can be successfully used to capture causal knowledge and to support causal inference[21]. A FCM graph can be equivalently defined by a square matrix, called connection matrix, which stores all weight values for edges between corresponding concepts represented by rows and columns. The system of n nodes can be represented by nxn connection matrix [36]. An example of FCM model and its connection matrix are shown as follow:
Ivean Balepinet et al. developed a system map which represents dependencies between the resources. If an edge is directed from node A to node B, it means that A provides some service to B, B depends on A, and, most likely, A produces information that B consumes [3]. Figure 7: Fuzzy cognitive map of mutual intrusion negative influences .
Ivean Balepinet et al. developed a system map which represents dependencies between the resources. If an edge is directed from node A to node B, it means that A provides some service to B, B depends on A, and, most likely, A produces information that B consumes [3]. Figure 7: Fuzzy cognitive map of mutual intrusion negative influences .

Related papers

Definition of response metrics for an ontology-based Automated Intrusion Response Systems
Victor Villagra

Computers & Electrical Engineering, 2012

ABSTRACT The main purpose of an AIRS (Automated Intrusion Response System) is to choose and execute the optimum response when the different security-event network detection sources detect security intrusions. The inference of the most suitable response should be made according to a set of response metrics that specify different rules for selecting a specific response according to some context and input parameters and the weight associated with each of them. Furthermore, the Semantic Web Rule Language (SWRL) can be used to specify these response metrics, providing an open and extensible framework for the behavior description of an AIRS, able to be integrated with the increasing number of Semantic Web tools. The aim of this paper is to study and characterize these metrics, as well as defining a set of response metrics for an AIRS, specifying these metrics with SWRL rules and testing their execution with Semantic Web current technologies. Finally, some results are shown concerning the inferred responses and performance of this SWRL-based reasoning.

View PDFchevron_right
ALGORITHM OF FORMING KNOWLEDGEBASE FOR DECISION TAKING SUPPORT SYSTEMS IN CYBER SECURITY TASKS
IAEME Publication

IAEME, 2019

In the article herein, we offer the total structure of modular decision taking support system in cyber security tasks. There is described the model for fuzzy inference subsystem. Being based on the fuzzy inference rules on the input values, which can be obtained from the sensors, multiagent systems, SIEM systems, determining the threats availability, cyberattacks, anomalies, it has been proposed to specify output values for evaluating the critically important computer systems protection degree by means of decision taking support system. The model is based on the supposition, that input magnitudes for the fuzzy inference subsystems have been obtained as a result of fuzzification procedure in the corresponding module. Every element of output value characterizes the availability or absence of fuzzy situation signs, connected with anomalies, attacks or other attempts of unauthorized interference into the critically important computer systems operation. There is offered an algorithm of forming the knowledgebase of fuzzy (emergency) and standard situations in the critically important computer systems. The algorithm differs from the known ones by the fact, that it has allowed forming the aggregate of standard variants cases for reacting at the threats, anomalies and attacks in the critically important computer systems, as well, inference rules for the fuzzy authentication, which are, first and foremost, linked with the task-oriented destructive impact at the critically important computer systems. Fuzzy logic inference module usage allows maintaining the display of the most vulnerable CICS's components condition as a multiparameter "image". Obtained multiparameter "image" might be applied in the decision taking support system for the CICS protection qualitative assessment.

View PDFchevron_right
Application of Ontologies and Formal Behaviour Decisions for Automated Intrusion Response Systems
Verónica Mateos Lanchas

J. Res. Pract. Inf. Technol., 2014

Automated intrusion reaction is an important problem in network security nowadays, because just intrusion detection is usually not enough to manage the proliferation of the attacks in networks. The existing AIRS use different mechanisms to infer the optimum response when a security incident is detected, but there is no standardized framework that models all the elements used in the reaction process. This paper proposes an ontology-based approach for automatically responding against intrusions. An intrusion response ontology which formally defines all the information needed in the intrusion response process is defined, and inference rules are specified using formal behaviour languages. Finally, some results are shown concerning the evaluation of this approach in a Denial of Service use case.

View PDFchevron_right
A Cognitive Approach to Intrusion Detection
Paul Benjamin

2007 IEEE Symposium on Computational Intelligence in Security and Defense Applications, 2007

The VMSoar project at Pace University is building a cognitive agent for cybersecurity. The project's objective is to create an intelligent agent that can model and understand the activities of users who are on the network, and that can communicate with network administrators in English to alert them to illegal or suspicious activities. VMSoar can understand users' activities because it is capable of performing these activities itself. It knows how to perform both legal and illegal activities, and uses this knowledge to explore simulations of the activity on a network. It can also probe information stored on a machine to assess the legality of past activity. Research in cybersecurity is difficult is due to the extremely large amount of data that must be analyzed to detect illegal activities. In addition, new exploits are developed frequently. Most current projects in this area are attempting to build some level of intelligence into their systems; however, those projects are focusing primarily on statistical data mining approaches. The VMSoar project is unique in its approach to building an intelligent security agent. The VMSoar agent is based on Soar, a mature cognitive architecture that is used in universities and corporations around the world. I.

View PDFchevron_right
Intelligent Risk Identification and Analysis in IT Network Systems
Masoud Mohammadian

IFIP advances in information and communication technology, 2011

With ever increasing application of information technologies in every day activities, organizations face the need for applications that provides better security. The existence of complex IT systems with multiple interdependencies creates great difficulties for Chief Security Officers to comprehend and be aware of all potential risks in such systems. Intelligent decision making for IT security is a crucial element of an organization's success and its competitive position in the marketplace. This paper considers the implementation of an integrated attack graph and a Fuzzy Cognitive Maps (FCM) to provide facilities to capture and represent complex relationships in IT systems. By using FCMs the security of IT systems can regularly be reviewed and improved. What-if analysis can be performed to better understand vulnerabilities of a designed system. Finally an integrated system consisting of FCM, Attack graphs and Genetic Algorithms (GA) is used to identify vulnerabilities of IT systems that may not be apparent to Chief Security Officers.

View PDFchevron_right
An Innovative Ontological Approach for Intrusion Detection System
Tejendra Thakur

2016

In this era of technology Intrusion Detection System (IDS) is one of the fastest developing technology in computer security area Author has projected methodology of using ontology exhibiting to signify IDS knowledge. This model will effectively represent semantic knowledge behind IDS and assistances to concluding high level security policies. This model can also help in recognizing rules and helps in creating effective rule set for IDS. Author makes an innovative approach for above mention domain and implement ontology the system for IDS-SNORT. In information technology, ontology is a prescribed designation and definition of the categories, properties, and interrelationships of the entities which actually or logically happen for a specific domain of dissertation. This proposed work is an engagement of two different things together and that is Snort and Ontology. After engagement with each other it provides to ontological knowledge base which help us to create better rules for snort.

View PDFchevron_right
Decision Making For Network Health Assessment In An Intelligent Intrusion Detection System Architecture
Ambareen Siraj

International Journal of Information Technology and Decision Making, 2004

This paper describes the use of artificial intelligence techniques in the creation of a network-based decision engine for decision support in an Intelligent Intrusion Detection System (IIDS). In order to assess overall network health, the decision engine fuses outputs from different intrusion detection sensors serving as "experts" and then analyzes the integrated information to present an overall security view of the system for the security administrator. This paper reports on the workings of a decision engine that has been successfully embedded into the IIDS architecture being built at the Center for Computer Security Research, Mississippi State University. The decision engine uses Fuzzy Cognitive Maps (FCM)s and fuzzy rule-bases for causal knowledge acquisition and to support the causal knowledge reasoning process.

View PDFchevron_right
An intelligent decision support system for intrusion detection and response
Fabio Gonzalez

2001

The paper describes the design of a genetic classifier-based intrusion detection system, which can provide active detection and automated responses during intrusions. It is designed to be a sense and response system that can monitor various activities on the network (ie looks for changes such as malfunctions, faults, abnormalities, misuse, deviations, intrusions, etc.).

View PDFchevron_right
From Intrusion Detection to Intrusion Detection and Diagnosis: An Ontology-Based Approach
Luigi Coppolino

2009

Currently available products only provide some support in terms of Intrusion Prevention and Intrusion Detection, but they very much lack Intrusion Diagnosis features. We discuss the limitations of current Intrusion Detection System (IDS) technology, and propose a novel approach - which we call Intrusion Detection & Diagnosis System (ID2S) technology - to overcome such limitations. The basic idea is to collect information at several architectural levels, using multiple security probes, which are deployed as a distributed architecture, to perform sophisticated correlation analysis of intrusion symptoms. This makes it possible to escalate from intrusion symptoms to the adjudged cause of the intrusion, and to assess the damage in individual system components. The process is driven by ontologies. We also present preliminary experimental results, providing evidence that our approach is effective against stealthy and non-vulnerability attacks.

View PDFchevron_right
Expanding Topological Vulnerability Analysis to Intrusion Detection through the Incident Response Intelligence System
Dimitrios Patsos, Sarandis Mitropoulos

Vulnerability assessment and intrusion detection have been well-established practices in the security industry and compose a vital part of virtually any modern security standard. Nevertheless, since these two practices have been developed in parallel, security experts have no formal means to correlate the security knowledge produced and maintained by these practices as well as to compare this information to real world attacking scenarios. In this paper, we formally re-address the relationships between vulnerabilities, exploits and intrusion detection signatures through the examination, , analysis and correlation of the security information contained in them. We then propose the Incident Response Intelligence System (IRIS) that models the context of discovered vulnerabilities, calculates their significance, finds and analyzes potential exploit code and defines the necessary intrusion detection signatures that combat possible attacks, using standardized techniques. The IRIS architecture and operations as well as implementation issues are presented. Finally, we present detailed evaluation results obtained from real-world application scenarios, including a survey of the users' experience, to highlight the contribution of IRIS in the theory and practice of incident response.

View PDFchevron_right

References (37)

  1. Anuar N.B., Papadaki M., Furnell S.M., Clarke N.L.: An investigation and survey of response options for Intrusion Response Systems (IRSs) Proceedings of the 9th Annual Information Security South Africa Conference, Sandton, South Africa, 2 -4 August, pp1-8, ISBN: 978-1-4244-5493-8, (2010)
  2. Arfaoui N., Jemili F., Zaghdoud M., Ben Ahmed M.: Comparative Study Between Bayesian Network And Possibilistic Network in Intrusion Detection », In Proc. of the International Conference on Security and Cryptography, Secrypt, Portugal (2006).
  3. Ivan B., Sergei M., Jeff R., and Karl L.: Using Specification-Based Intrusion Detection for Automated Response. International symposium on recent advances in intrusion detection N o 6, Pittsburgh PA , USA: September 08, 2003 , vol. 2820, pp. 136-154 (2003).
  4. Baudrit C. and Dubois D. : Représentation et propagation de connaissances imprécises et incertaines: Application à l'évaluation des risques liées aux sites et aux sols pollués. Université Toulouse III -Paul Sabatier, Toulouse, France, Mars (2006).
  5. Bauer D. S. and Koblentz M. E.: NIDX: An Expert System for Real-Time Network Intrusion Detection," Proceedings of the Computer Networking Symposium, pp. 90-106, Washington, DC, April (1998).
  6. Boonthum C., Toida S. and Levinstein I. B.: Paraphrasing Recognition through Conceptual Graph, Department of Computer Science, Old Dominion Universiy, Norfolk, Virginia, USA, (2003)
  7. Cuppens F. and Ortalo R.: LAMBDA: A language to model a database for detection of attacks. In Third International Workshop on the Recent Advances in Intrusion Detection (RAID'2000), Toulouse, France, (2000).
  8. DARPA. Knowledge Discovery in Databases, 1999. DARPA archive. Task Description http://www.kdd.ics.uci.edu/databases/kddcup99/task.ht m Accessed October 10, (2007)
  9. DARPA Cyber Panel Program. DARPA cyber panel program grand challenge problem (GCP). http://www.grandchallengeproblem.net/, Accessed October 10, (2007).
  10. Eng, P., Haug, M.: Automatic Response to Intrusion Detection. Faculty of Engineering and Science, Agder University College, June (2004).
  11. Fessi B. A., Hamdi M., Benabdallah S., Boudriga N.: Automated Intrusion Response System: Surveys and Analysis. In Proceedings of Security and Management'2008. pp.149-155, (2008).
  12. Gruber T.: Ontology, Encyclopedia of Database Systems. Ling Liu and M. Tamer Özsu (Eds.), Springer- Verlag, (2008).
  13. Hayes, P. J.: The Second Naïve Physics Manifesto. Hobbs and Moore (eds.), Formal Theories of the Common-Sense World, Norwood: Ablex, (1985).
  14. Jemili F., Zaghdoud M., Benahmed M.: HIDPAS: Hybrid Intrusion Detection and Prediction multiAgent System. International Journal of Computer Science and Information Security, Vol. 5, No.1, (2009).
  15. Jemili F., Zaghdoud M., Ben Ahmed M.: Intrusion Detection based on Hybrid Propagation in Bayesian Networks. In Proc. of the IEEE International Conference on Intelligence and security informatics, ISI (2009).
  16. Jemili F., Zaghdoud M., Ben Ahmed M.: Attack Prediction based on Hybrid Propagation in Bayesian Networks. In Proc. of the Internet Technology And Secured Transactions Conference, ICITST (2009).
  17. Kosko, B.: Fuzzy cognitive maps. International Journal of Man-Machine Studies.1986 (24) pp: 65- 75 (1986).
  18. Kosko, B.: Neural networks and fuzzy systems: A dynamical systems approach tomachine intelligence. Englewood Cliffs, NJ: Prentice Hall.(1992).
  19. Kosko, B.: Fuzzy engineering. Upper Saddle River, NJ: Prentice Hall.(1997).
  20. Kruegel C., Darren M. W., Robertson F. V. : Bayesian Event Classification for Intrusion Detection Reliable Software Group. University of California, Santa Barbara, (2003).
  21. Lee, K. C. and Kim H. S.: A causal knowledge driven inference engine for expert system. In Proceedings of the annual Hawaii international conference on system science. pp: 284-293 (1998).
  22. Mukherjee B., Heberlein T. L. and Levitt K. N.: Network intrusion detection. IEEE Network. 8(3):26{41, May/June (1994).
  23. Onashoga S. A., Akinde A. D., and Sodiya A. S.: A Strategic Review of Existing Mobile Agent-Based Intrusion Detection Systems. Issues in Informing Science and Information Technology Volume 6, (2009).
  24. Rash M. et al.: Snort 2.1 Intrusion Detection, Chapter 12: Acrive Response, pp 605-670, Second edition, Syngress Publishing, (2004).
  25. Scarfon C., Mell P.: Guide of Intrusion Detection and Prevention System. National Institute of Standard and Tachnologies, NIST, Special Publication, 800-04, February (2007).
  26. Sebring M. M. et al.: Expert Systems in Intrusion Detection: A Case Study. Proceedings, 11th National Computer Security Conference, pp. 74-81, October (1988).
  27. Siraj A., Bridges S. M. and Vaughn R. B.: Fuzzy Cognitive Maps for Decision Support in an Intelligent Intrusion System. Department of Computer Science Mississippi State University Misstate, MS 39762, (2000).
  28. Smaha S. E.: Haystack: An Intrusion Detection System. Fourth Aerospace Computer Security Applications Conference, Orlando Florida, pp. 37- 44, December (1988).
  29. Sowa J. F.: Conceptual Structures: information Processing in Mind and Machine. Addison-Wesley, MA (1983).
  30. Sowa, J. F.: Conceptual Structures. Information Processing in Mind and Machine, Reading, MA: Addison Wesley, (1984).
  31. Sowa, J. F.: Conceptual Graphs as a Universal Knowledge Representation. Computers Math. Application, 23(2-5): pp:75-93 (1992).
  32. Stakhanova, N., Basu, S., Wong, J.: Taxonomy of Intrusion Response Systems. International Journal of Information and Computer Security, Vol. 1, No. 1, (2006).
  33. Stakhanova N., Basu S., Wong J.: A Taxonomy of Intrusion Response Systems. International Journal of Information and Computer Security, Volume 1, Issue ½, Jannuary (2007).
  34. Tarantola C.: Ontology Engineering by Fuzzy Cognitive Maps. National Conference on Radio communications and Broadcasting, KKRRiT, VISNET, Warsaw, 16-18 June (2004).
  35. Tolman E.C., "Cognitive Maps in Rats and Men", Psychological Review, 42, 55, pp: 189-208, (1948).
  36. Wang a.b H., Wang a.b Li, Application of Improved Fuzzy Cognitive Map Based on Fuzzy Neural Network in Intrusion Detection, Journal of Information & Computational Science 10: 1 (2013) 271-278, Available at http://www.joics.com.
  37. Yue H., Chun-Mei L.: Partitioning Study of Complex System, WSEAS TRANSACTIONS on SYSTEMS, Issue 12, Volume 7, ISSN: 1109-2777, December (2008).

Related papers

Fuzzy cognitive maps for decision support in an intelligent intrusion detection system
Ambareen Siraj

2001

The "health" of a computer network needs to be assessed and protected in much the same manner as the health of a person. The task of an intrusion detection system is to protect a computer system by detecting and diagnosing attempted breaches of the integrity of the system. A robust intrusion detection system for a computer network will necessarily use multiple sensors, each providing different types information about some aspect of the monitored system. In addition, the sensor data will often be analyzed in several different ways. We describe a decision engine for an intelligent intrusion detection system that fuses information from different intrusion detection modules using a causal knowledge based inference technique. Fuzzy Cognitive Maps (FCMs) and fuzzy rule-bases are used for the causal knowledge acquisition and to support the causal knowledge reasoning process.

View PDFchevron_right
Collective computer incident response using cognitive maps
Mohd Hamdi Abd Shukor

2004 IEEE International Conference on Systems, Man and Cybernetics, SMC 2004, 2004

Incident response is becoming an important activity in organizations as security intrusions are increasing rapidly. Cooperation and view sharing within incident response team are very important for successful incident handling. In this paper, we introduce a causal map based method helping the incident response team members reasoning collectively about security incidents. In this method, we use heuristics to help reasoning within causal maps and we propose a sensitivity analysis approach for assessing the error propagation introduced by the causal maps used in this paper. http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1398448&tag=1

View PDFchevron_right
Computer and Network Security: Ontological and Multi-agent System for Intrusion Detection
Ahmed Aloui

Journal of Digital Information Management

Today the security aspect is a backbone of every computer system, particularly when this system contains sensitive information. When we use our computers and connect to the network or use web services, we trust that our personal and sensitive information (images, passwords, credit card number …etc) are confidential and well secured by the used security system. Unfortunately, the hackers may succeed to gain access to the system and misuse our information. Generally, the aim of the intrusion is to find new ways to annoy, steal and harm parts of computer systems. Moreover, with the possibility of connecting several computers and networks, the necessity of protecting the whole data and machines from attackers (hackers) that try to get some confident information to use for their own benefit or just destroy or modify valuable information was born. At this point IDS appears to help users, companies or institutions to detect when they are getting compromised. In this paper, we develop an intrusion detection system using multi agent system, ontological techniques (IDSMAO) and misuse method.

View PDFchevron_right
A Survey on different Ontological Approach and Intrusion Detection System
Tejendra Thakur

In information technology, an ontology is a prescribed designation and definition of the categories, properties, and interrelationships of the entities which actually or logically happen for a specific domain of dissertation. Ontologies are a means to logically and fundamentally model that illuminates the structure of a system, i.e., the suitable substances and relations that emerge from its surveillance. Ontology is essentially spawned to explain its elements which are: concepts (classes), instances, individuals or facts, attributes and relations. Intrusion Detection System (IDS) as the name indicates discovers intrusion in the network. It involves both intrusions from intimate and from exterior the network.. In short, IDS is the 'burglar alarm' for the network because much like a intruder alarm, IDS detects the presence of an attack in the network and raises an alert. This paper provides ontological approach for IDS and also provide knowledge based ontological approach.

View PDFchevron_right
An ontology-based approach to react to network attacks
Jorge Vergara

2008 Third International Conference on Risks and Security of Internet and Systems, 2008

To address the evolution of security incidents in current communication networks it is important to react quickly and efficiently to an attack. The RED (Reaction after Detection) project is defining and designing solutions to enhance the detection/reaction process, improving the overall resilience of IP networks to attacks and help telecommunication and service providers to maintain sufficient quality of service and respect service level agreements. Within this project, a main component is in charge of instantiating new security policies that counteract the network attacks. This paper proposes an ontology-based approach to instantiate these security policies. This technology provides a way to map alerts into attack contexts, which are used to identify the policies to be applied in the network to solve the threat. For this, ontologies to describe alerts and policies are defined, using inference rules to perform such mappings.

View PDFchevron_right

Related topics

  • Information Security
  • Computer Security
  • Mobile Agent
  • Intrusion Response System
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved