Modeling Computer Attacks: A Target-Centric Ontology for Intrusion Detection

We have produced an ontology specifying a model of computer attacks. Our ontology is based upon an analysis of over 4,000 classes of computer attacks and their corresponding attack strategies, and is model is categorized according to: system component targeted, means of attack, consequence of attack and location of attacker. Our analysis indicates that non-kernel space applications are most likely to be attacked with the attack originating remotely. These attacks most often result in the attacker gaining root access. We argue that any taxonomic characteristics used to define a computer attack be limited in scope to those features that are observable and measurable at the target of the attack. We present our attack model first as a taxonomy and convert it to a target-centric ontology that will be refined and expanded over time. We state the benefits of forgoing dependence upon taxonomies for the classification of computer attacks and intrusions, in favor of ontologies. We illustrate the benefits of utilizing an ontology by comparing a use case scenario of our ontology and the IETF’s Intrusion Detection Exchange Message Format Data Model.