Cite this paper as: AlEroud A., Karabatis G. (2013) A System for Cyber Attack Detection Using Contextual Semantics. In: Uden L., Herrera F., Bajo Pérez J., ...
A System for Cyber Attack Detection Using Contextual Semantics Ahmed AlEroud and George Karabatis Department of Information Systems, University of Maryland, Baltimore County (UMBC) 1000 Hilltop Circle, Baltimore, MD 21250, USA {Ahmed21,Georgek}@umbc.edu
Abstract. In this paper, we present a layered cyber-attack detection system with semantics and context capabilities. The described approach has been implemented in a prototype system which uses semantic information about related attacks to infer all possible suspicious network activities from connections between hosts. The relevant attacks generated by semantic techniques are forwarded to context filters that use attack context profiles and host contexts to filter out irrelevant attacks. The prototype system is evaluated on the KDD 1999 intrusion detection dataset, where the experimental results have shown competitive precision and recall values of the system compared with previous approaches.
Keywords: Context, Context-aware Cyber Security, Semantic Networks.
L. Uden et al. (Eds.): 7th International Conference on KMO, AISC 172, pp. 431–442. © Springer-Verlag Berlin Heidelberg 2013 springerlink.com

1 Introduction
Internet communications and distributed network environments have become rich media for electronic data transfer. Due to the huge amounts of data transmitted, it is vital to build effective security policies and threat-detection systems that are capable of analyzing network data. There has been a significant amount of work in the area of intrusion detection; however, most recent approaches focus on processing alerts with no semantic or context-aware capabilities. Providing semantic capabilities on top of Intrusion Detection Systems (IDS) can be of great benefit in inferring possible relationships between network attacks. Additionally, context-aware capabilities can be used to filter out most false positive alerts about possible attacks. Current IDSs are broadly categorized as host-based or network-based. In host-based IDSs, the system is only aware of the host environment. By contrast, network-based IDSs have better knowledge of events happening at the network level. Both network-based and host-based IDSs utilize rule engines to disseminate alerts, with a significant number of such alerts being false alarms due to the lack of contextual information concerning hosts and network events. To address this problem, we propose a layered attack detection system that utilizes semantics and context. The system is designed to detect all relevant attacks occurring under particular contexts. It consists of one semantic layer and two context layers. The semantic layer is represented by semantic networks [1, 2], which are graphs with nodes representing attacks and edges modeling semantic relationships between attacks; we use semantic networks to infer all relevant attacks in a sequence of suspicious network connection events. By contrast, the context layers are applied on top of the semantic networks to filter out irrelevant attacks by matching them with contextual information about attack profiles and network hosts. The contributions of this paper are three-fold: First, we utilize an automatic approach to create a semantic network of relevant attacks using the KDD 1999 dataset [3]. Second, we apply conditional entropy theory [4] to create attack context profiles based on attack features. The context profiles are then used to filter out all non-relevant predictions made by the semantic network. Finally, we create host context filters consisting of contextual facts about hosts and attacks, and employ a logic-based approach to filter out attacks based on host-attack contexts. The context filters are applied in a layered manner to filter the semantic network predictions. The remainder of this paper is organized as follows: The next section describes the approach used in creating the system's semantic and context layers. Section 3 reports our experiments with the KDD 1999 intrusion detection dataset. Section 4 presents related work with an emphasis on techniques and methods related to semantics and context in the cyber security domain. Section 5 provides conclusions and points out future work.
2 The Approach
In this section, we provide an overview of our approach and a description of the prototype system. Figure 1 illustrates the major components of our system. The detection process occurs in two phases: First, the attack detection models are built using historical audit network data, and then we use these models in a layered manner to simulate the actual detection on network evaluation data. We use a network data repository (Audit Network Data in Fig. 1) to store a set of events collected by network sensors, as well as their characteristics. We use the publicly available intrusion detection dataset (KDD 1999) [3] as the network data repository. Although some researchers have identified drawbacks in KDD 1999 [5, 6], this dataset is nevertheless one of the most widely used datasets for evaluating intrusion detection systems. The KDD 1999 dataset is formatted as a set of network connection records labeled as normal activities or attacks. Each connection record has 41 features, which characterize that particular connection in terms of the connection protocol, the service requested, etc. The attacks found in the KDD 1999 dataset are also categorized into one of four categories: 1. User to root (U2R), 2. Remote to local (R2L), 3. Denial of service (DOS), and 4. Probe attacks. Before using our system we create the semantic network model, the simple Bayesian network model, and the attack context profiles, as explained next.
Fig. 1 Major System Components (components shown: Audit Network Data, Data Preprocessing, Host Info DB, Evaluation Data, Simple Bayes Net Model, Semantic Net Model, Bayesian Net Layer, Semantic Net Layer, Layered Context Filter consisting of the Contexts Profiles Filter and the Host Context Filter, Attack Alerts)
2.1 Semantic Network Creation Process
The semantic network we create is a graph with nodes representing attacks and edges connecting relevant attacks. Each node in the created semantic network represents one of the 22 attacks in the KDD 1999 dataset. Normal activity is also treated as a node (although it is not an attack). The semantic network is created based on similarities of attack features. The numbers on edges represent the degree of relevance between nodes. A semantic network is described as follows [7]: Definition (1) [semantic network]: Let …, be the set of attacks where each ∈ has a binary feature vector of values …, . The semantic network , is a directed graph where is set of nodes | | | and each edge links two | is a set of edges, and and relevant attacks , and has a relevant score , where 0 , 1. The semantic network is created as follows: All numerical features in the KDD 1999 dataset are discretized. Then, a universal feature vector is generated as the union of all unique dataset feature values. This is denoted by …, where n is the number of unique feature values in the dataset, and v is the number of unique values in the domain of feature fi. The universal feature vector is then used to build the attack feature frequency vector for all attacks. Each attack feature frequency vector consists of the frequency value for each feature that occurs in a specific attack. We automatically assign relevance scores between attacks on semantic networks using the Anderberg similarity coefficient [8], which calculates the similarity between two binary vectors. Since Anderberg is a binary similarity measure, we convert the attack feature frequency vectors to binary vectors of zeros and ones using a cutoff data transformation method [9]. For instance, the teardrop attack usually occurs when the connection protocol is the User Datagram Protocol (UDP); therefore, the binary vector of the teardrop attack includes the value 1 for the entry (Protocol is UDP, attack is teardrop), whereas if the connection protocol is the Transmission Control Protocol (TCP), then the binary vector of the teardrop attack includes the value 0 for the entry (Protocol is TCP, attack is teardrop).
Fig. 2 A partial semantic network for some KDD 1999 Attacks (nodes: Ftp write, Buffer overflow, IP sweep, Guess password, Perl, Rootkit; edge scores shown: 0.88, 0.68, 0.71, 0.57, 0.44)
The binary feature vectors are then used to compute the Anderberg similarity between pairs of attacks, and to further calculate the relevance scores on the edges of the semantic network. Figure 2 illustrates a partial semantic network for some attacks in the KDD 1999 dataset. The path between “Buffer overflow”, which is in the U2R category, and “Guess password”, which is in the R2L category, is used in calculating the relevance score between these two attacks by multiplying all scores on that path: 0.68 · 0.57 · 0.44 · 0.71 ≈ 0.125. This represents one possible relevance score; however, we should infer the most accurate semantic relationship between these two attacks, which is the maximum relevance score over all possible paths between them [7].
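The semantic layer of section 2.1 end to end, as an added example (not the paper's Oracle-based implementation): cutoff binarisation of constructed frequency vectors, Anderberg similarity in the a/(a+2(b+c)) form (assumed from [8]), an edge-pruning threshold (assumed), and the maximum-product path search that yields the relevance score the text describes. The placement of the four quoted edge scores between the figure-2 nodes is also an assumption.

```python
import heapq
from itertools import combinations

# Constructed attack feature frequency vectors (not KDD 1999 counts): how often
# each discretised (feature = value) entry occurs in connections of that attack.
FEATURE_ENTRIES = ["proto=udp", "proto=tcp", "service=private",
                   "service=telnet", "flag=SF", "flag=S0"]
FREQ_VECTORS = {
    "teardrop":        [200,  0, 200,  0, 10, 190],
    "buffer_overflow": [  0, 30,   0, 30, 30,   0],
    "guess_passwd":    [  0, 53,   0, 53, 50,  20],
}

def binarize(freq, cutoff=0.05):
    """Cutoff transformation: an entry becomes 1 when it carries at least
    `cutoff` of the attack's total frequency mass, otherwise 0."""
    total = sum(freq)
    return [1 if total and f / total >= cutoff else 0 for f in freq]

def anderberg(u, v):
    """Anderberg coefficient a / (a + 2(b + c)) for two binary vectors, where a
    counts shared 1s and b + c counts mismatches (form assumed from [8])."""
    a = sum(1 for x, y in zip(u, v) if x == 1 and y == 1)
    mismatches = sum(1 for x, y in zip(u, v) if x != y)
    return a / (a + 2 * mismatches) if a else 0.0

def build_semantic_network(binary_vectors, min_edge=0.05):
    """Undirected graph: nodes are attacks, edge scores are Anderberg
    similarities at or above `min_edge` (the pruning threshold is assumed)."""
    graph = {name: {} for name in binary_vectors}
    for p, q in combinations(binary_vectors, 2):
        s = anderberg(binary_vectors[p], binary_vectors[q])
        if s >= min_edge:
            graph[p][q] = s
            graph[q][p] = s
    return graph

def max_path_relevance(graph, start):
    """Relevance of every node to `start`: the maximum over all paths of the
    product of edge scores. Scores lie in [0, 1], so a product never grows
    along a path and a max-heap Dijkstra finds the best path directly."""
    best = {start: 1.0}
    heap = [(-1.0, start)]
    while heap:
        neg_score, node = heapq.heappop(heap)
        score = -neg_score
        if score < best.get(node, 0.0):
            continue  # stale heap entry
        for nxt, w in graph[node].items():
            cand = score * w
            if cand > best.get(nxt, 0.0):
                best[nxt] = cand
                heapq.heappush(heap, (-cand, nxt))
    return best

def relevant_attacks(graph, start, threshold):
    """Attacks the semantic layer forwards to the context filters: every node
    whose best-path relevance to the initial node reaches the threshold t."""
    rel = max_path_relevance(graph, start)
    return {n: round(s, 4) for n, s in rel.items() if n != start and s >= threshold}

def undirected(edges):
    g = {}
    for a, b, s in edges:
        g.setdefault(a, {})[b] = s
        g.setdefault(b, {})[a] = s
    return g

# The four scores quoted in the text for the Buffer overflow .. Guess password
# path; which intermediate nodes sit on that path is assumed here.
FIG2_EDGES = [("Buffer overflow", "Perl", 0.68), ("Perl", "Rootkit", 0.57),
              ("Rootkit", "IP sweep", 0.44), ("IP sweep", "Guess password", 0.71),
              ("Buffer overflow", "Ftp write", 0.88)]

def figure2_path_score():
    """Best-path relevance between Buffer overflow and Guess password."""
    return max_path_relevance(undirected(FIG2_EDGES), "Buffer overflow")["Guess password"]

if __name__ == "__main__":
    net = build_semantic_network({k: binarize(v) for k, v in FREQ_VECTORS.items()})
    print(net)
    print(relevant_attacks(net, "buffer_overflow", 0.5))
    print(round(figure2_path_score(), 4))
```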
2.2 Simple Bayesian Network Prediction
Our system requires an initial node to start searching the semantic network to identify relevant attacks. To provide such a node we create a simple Bayesian network model which takes as input the connection records in the database, and provides as output the attack with the highest probability for the corresponding connection record (see Fig. 1). We extract the conditional probabilities from the simple Bayesian network model and then calculate the combined probability of any attack as follows:
| | · | …, | 1
Where | is the probability of the attack given the feature vector F with n features, under the assumption that such features are independent. The semantic network identifies all attacks relevant to the initial input node, based on the relevance score bounded by a user-defined threshold (a lower threshold results in more attacks retrieved by the semantic network, and a higher threshold results in fewer attacks). However, not all the relevant attacks have the same context; therefore, context filters are applied to allow attacks that are both relevant and within context.
2.3 Context Filters Module
The main purpose of the context module is to identify attacks that are relevant and specific to a particular context, and at the same time to filter out irrelevant attacks, reducing the number of false positive alerts. In our system the context module recognizes two types of context: attack context profiles and host contexts. The attack context profiles are used to discard attacks which do not match a given set of context profiles. The context profile of each attack consists of the features which minimize the conditional entropy [4], and thus the uncertainty about that attack, when specific values of these features are observed. The second type of context is the host context, which is used to discard attacks which do not match the target host context in terms of host vulnerabilities, application types, running services, and affected platforms. The following two sections describe both context types in detail.
2.3.1 Conditional Entropy Attack Context Profiles
Conditional entropy quantifies the degree of uncertainty of one random variable given another [4]. It is strongly related to information and probability theory. In the context of cyber security, conditional entropy can be defined as the amount of information needed to infer the degree of uncertainty about one event based on the occurrence of another. We used the KDD 1999 connection record features to build the context profiles of the different attacks in the dataset. The conditional entropies are calculated using the conditional probabilities of attacks given the values of their features, and the probability distribution of the feature values in the dataset. Thus, we first calculate the conditional entropy of an attack in the dataset given a specific observed value of feature x. Then we calculate the sum of the conditional entropies of all attacks given a specific feature; this value is called the global conditional entropy.
The conditional entropy is described as follows [4]: Definition (2) [Conditional entropy]: The conditional entropy (H) of variable y given variable x is the sum of the entropies for all values of variable y given the values of variable x. It is denoted by H(y|x) = -∑_x ∑_y p(x, y) log p(y|x). An important factor in building attack context profiles is the individual contribution of a specific feature to the occurrence of a particular attack. To address this issue, we calculate the sum of the conditional entropies of a specific attack y with respect to all values of a specific feature x. This sum is called the local conditional entropy of attack y given feature x. The lower the local conditional entropy of attack y given feature x, the lower the degree of uncertainty about the context of occurrence of attack y given specific values of x. Features which produce smaller global and local conditional entropy values convey better quality information; consequently, they are used in building attack context profiles. For any feature x selected in the context profile of attack y, the values of x which give a conditional probability of attack y greater than 0 are used to build one context profile rule for attack y, where the context profile rule is a set of feature values used to minimize the uncertainty about the context of each attack. To build the context profile of an attack, we select the set of features which give the lowest m values of the global conditional entropy, and the set of features which give the lowest n values of the local conditional entropy of that attack. The features common to these two sets are used to build the context profile rules for the attack. The intersection of such features, in a sequence of events, minimizes the uncertainty about the context of the attack, due to its low entropy. The value m is selected based on global feature selection on the KDD 1999 dataset. The first 14 highly ranked features are used in several works [10]. By contrast, the value n is selected based on the local feature selection method used in [11] to select the best features for each of the KDD attack categories. On average, 7 features were selected by domain experts for each category. Thus, the common features between the first 14 features which give low global conditional entropy values and the first 7 features which give low local conditional entropy values (for a specific attack) are the set of features used to create each attack context profile. We created 15 unique context profiles. Some context profiles match more than one attack, as some attacks share the same context; thus each of the 22 attacks has one context profile. We did not create any context profile for the normal category, since it does not correspond to any attack. The context profiles are then used to automatically filter out any attack which does not match its corresponding profile. Any connection record that has no matching context profile is treated as a normal activity, and hence no further context filtering is performed on that connection.
2.3.2 Host Context
The entropy-based context profiles, which form the first context filter, deal with features of attacks and are not aware of contextual information about network hosts, such as a host having a patch against a predicted attack. We address this situation by incorporating as much contextual information about hosts and their environment as possible to further filter the potential attacks that were generated by the semantic networks and survived the entropy-based attack context profile filter. Host contexts contain facts about a specific host; each fact is of a specific type t, which can be about host vulnerabilities, the host operating system, the installed applications, the running services, the host patches, etc. The facts in the host contexts are modeled as predicates and implemented using a relational database. The definition of host contextual facts is given below.
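The profile construction of section 2.3.1 worked on a constructed eight-record table (not KDD rows), as an added example that is not the paper's code: local and global conditional entropy per Definition (2) with base-2 logarithms (the base is an assumption), the m/n feature intersection, the "P(attack | value) > 0" rule, and the filter that treats a record matching no profile as normal.

```python
import math
from collections import Counter

# Constructed connection records (not KDD data): (protocol, service, flag, label).
FEATURES = ("protocol", "service", "flag")
RECORDS = [
    ("udp", "private", "SF", "teardrop"),
    ("udp", "private", "S0", "teardrop"),
    ("udp", "private", "SF", "teardrop"),
    ("tcp", "http",    "SF", "normal"),
    ("tcp", "http",    "S0", "normal"),
    ("tcp", "http",    "SF", "normal"),
    ("tcp", "telnet",  "SF", "guess_passwd"),
    ("tcp", "telnet",  "S0", "guess_passwd"),
]

def local_conditional_entropy(records, feature, attack):
    """Sum over the values v of feature x of -p(x=v, y) log2 p(y | x=v): the
    local conditional entropy of attack y given feature x."""
    idx = FEATURES.index(feature)
    n = len(records)
    value_count = Counter(r[idx] for r in records)
    joint_count = Counter(r[idx] for r in records if r[-1] == attack)
    h = 0.0
    for v, jc in joint_count.items():          # only values with P(y | v) > 0 contribute
        p_joint = jc / n
        p_cond = jc / value_count[v]
        h -= p_joint * math.log2(p_cond)
    return h

def global_conditional_entropy(records, feature):
    """H(Y | X): the sum of the local conditional entropies of all labels given X."""
    labels = {r[-1] for r in records}
    return sum(local_conditional_entropy(records, feature, y) for y in labels)

def build_context_profile(records, attack, m, n):
    """Features present in both the m lowest-global and n lowest-local entropy
    sets; for each, the values with P(attack | value) > 0 form the profile rule."""
    by_global = sorted(FEATURES, key=lambda f: (global_conditional_entropy(records, f), f))[:m]
    by_local = sorted(FEATURES, key=lambda f: (local_conditional_entropy(records, f, attack), f))[:n]
    chosen = [f for f in FEATURES if f in by_global and f in by_local]
    rule = {}
    for f in chosen:
        i = FEATURES.index(f)
        rule[f] = sorted({r[i] for r in records if r[-1] == attack})
    return rule

def build_all_profiles(records, m, n):
    """One profile per attack label; the normal category gets none."""
    attacks = sorted({r[-1] for r in records} - {"normal"})
    return {y: build_context_profile(records, y, m, n) for y in attacks}

def context_filter(profiles, record, predicted):
    """Keep the predicted attacks whose profile matches the record. A record that
    matches no profile at all is treated as normal activity."""
    def matches(rule):
        return all(record[FEATURES.index(f)] in vals for f, vals in rule.items())
    if not any(matches(rule) for rule in profiles.values()):
        return ["normal"]
    return [y for y in predicted if y in profiles and matches(profiles[y])]

if __name__ == "__main__":
    for f in FEATURES:
        print(f, round(global_conditional_entropy(RECORDS, f), 4))
    profiles = build_all_profiles(RECORDS, m=2, n=2)
    print(profiles)
    print(context_filter(profiles, ("tcp", "telnet", "S0", "guess_passwd"), ["guess_passwd", "teardrop"]))
```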
Definition (3) [Host context]: The context of host h denoted by c (h), is a set of predicates … . Each predicate is represented as a host context fact f of type …, represent the facts about host h such, the expression t, where , is true, that is, (h) has the context (c) iff ∀ ∈ . Each predicate is represented as a logical fact d of type . In addition to host context facts, we create a set of attack context facts; these facts represent the conditions that should exist on a target host h that can lead to a specific attack y, and they are different from the conditional entropy based facts. The format of attack facts is similar to that of host context facts. We use the context fact predicates in disjunctive normal form to match all host context facts with attack facts of the same type. Conjunctive normal form is used to match host context facts of different types with attack facts. The context of an attack A on host h matches the context c(h) of host h when at least one host context fact of each type t matches one or more facts of the attack A for the same type t, as defined below: Definition (4) [Context Matching]: Given all context facts .., ∈ of host h and all context facts .., of attack detected on host h by a semantic network, the attack (Al) matches the context c(h) of host h iff ∀ ∈ {t}(∃ ∈ | = . The following example shows a scenario of a Perl attack predicted by the semantic network on host h. Perl is one of the U2R attacks, which can lead to denial of service on the target host. The context facts about the operating system, vulnerabilities, and running applications on a target host h are as follows: hasOS(h, redhat linux 5.0), hasVulnerability(h, CVE-1999-1386), hasApplication(h, Apache server 1.3.1). In addition, the following facts represent the context facts required for a Perl attack on target host h: isOS(h, redhat linux 5.0), existVulnerability(h, CVE-1999-1386). Given these facts about host h, the Perl attack is in the context of host h, because the conjunctive normal expression evaluates to True when the context facts about the Perl attack are matched with those about host h. We use layered context filtering as the final step in our system. The layered context filtering is performed by applying the host context filter on the output of the entropy-based context profiles filter, as follows: If Al is an attack included in the results of the entropy context profiles filter and it matches the host h context c(h), then attack Al will be included in the final attack alert list.
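Definition (4) and the layered filter applied to the Perl scenario above, as an added example (not the paper's relational-database implementation): within one fact type any single match suffices (the disjunction), every type the attack requires must match (the conjunction), and only attacks that survived the context profile filter reach the host filter. The second host and the ftp_write facts are constructed assumptions for illustration.

```python
# Host context facts and attack facts as (type, value) predicates. The "h" facts
# and the Perl facts are the ones given in the text; host "h2" and the ftp_write
# facts are assumptions added for illustration, not paper or KDD data.
HOST_CONTEXT = {
    "h": {("os", "redhat linux 5.0"),
          ("vulnerability", "CVE-1999-1386"),
          ("application", "Apache server 1.3.1")},
    "h2": {("os", "windows nt 4.0"),
           ("application", "IIS 4.0")},
}
ATTACK_FACTS = {
    # spelled "redhat linux5.0" as in the paper's attack fact; norm() absorbs it
    "perl": {("os", "redhat linux5.0"), ("vulnerability", "CVE-1999-1386")},
    # two facts of type "os": either one satisfies that type (disjunction)
    "ftp_write": {("os", "redhat linux 5.0"), ("os", "solaris 2.6"),
                  ("application", "wu-ftpd 2.4")},
}

def norm(value):
    """Case- and whitespace-insensitive comparison key for fact values."""
    return "".join(value.lower().split())

def matches_host_context(attack_facts, host_facts):
    """Definition (4): for every fact type t the attack requires, at least one
    host fact of type t equals one of the attack's facts of that type."""
    for t in {ft for ft, _ in attack_facts}:
        attack_values = {norm(v) for ft, v in attack_facts if ft == t}
        host_values = {norm(v) for ft, v in host_facts if ft == t}
        if not attack_values & host_values:
            return False          # no host fact of this type matches: out of context
    return True

def layered_filter(profile_filter_output, host,
                   host_contexts=HOST_CONTEXT, attack_facts=ATTACK_FACTS):
    """Final alert list: attacks that passed the entropy-based context profile
    filter and also match the target host's context c(h)."""
    host_facts = host_contexts[host]
    return [a for a in profile_filter_output
            if a in attack_facts and matches_host_context(attack_facts[a], host_facts)]

if __name__ == "__main__":
    print(layered_filter(["perl", "ftp_write"], "h"))   # only perl is in context
    print(layered_filter(["perl"], "h2"))               # wrong OS: nothing alerted
```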
3 Experiments and Evaluation
In order to evaluate our system, we performed two types of experiments using the KDD 1999 dataset. The first type of experiments evaluated the quality of the answers of the semantic networks using several relevance thresholds denoted by t, and then utilizing only the entropy context profiles. The second experiment evaluated the layered attack detection approach, which consisted of using the simple Bayesian network layer to make the initial detection, then the semantic network layer to retrieve relevant attacks, and finally applying both the attack context profiles and host context filters. We developed our system in an Oracle database. Additionally, we used the Weka [12] and Knime [13] data mining tools to perform data preprocessing tasks and to extract the probability distributions of the simple Bayesian network model. The KDD 1999 dataset was divided into two parts, a training part and an evaluation part: The first part (training) was used in three tasks: first, to train the simple Bayesian network, and then to create the semantic network and the context profiles. The second part (evaluation) was used in our experiments. We used the 10% version of the KDD dataset, which consists of 494,020 connections, 97,278 of which are normal connections and 396,744 are attacks distributed among all 4 categories (DOS, R2L, U2R, and PROBE). We selected 75% of the dataset connection records to be in the training part, representing about 370,515 connection records, and 123,505 connections representing about 25% of the connection records to be in the evaluation part. Both experiments were performed on a desktop machine with an Intel(R) Core 2 CPU at 2.4 GHz and 2 GB of RAM. We used precision, recall, and F-measure as our metrics, defined below in formulas (2), (3), and (4) respectively:
Fig. 3 Average P (SN and context profiles): average precision against relevance threshold t from 0.1 to 0.9, for SN and SN+Context profiles
Fig. 4 Average R (SN and context profiles): average recall against relevance threshold t from 0.1 to 0.9, for SN and SN+Context profiles
TP, FP, and FN are the true positives, false positives, and false negatives respectively. The true positives are the number of attacks retrieved by the system layers which are considered relevant to the connection record under evaluation. For normal connection records (i.e., no attack), the number of relevant predictions is expected to be 1, as the relevant answer for normal connections should be normal only. The false positive rate is the number of irrelevant attack predictions for the connection record under evaluation. The first type of experiments measured the usefulness of applying context profiles as filters on the related attacks that were recommended by the semantic networks. The semantic network retrieves the relevant attacks based on the relevance score threshold t. Lower relevance thresholds result in more retrieved attacks; however, some false positives are expected. Higher relevance thresholds retrieve fewer but very relevant attacks; however, some relevant ones may be missed. Figures 3 and 4 show the precision and recall results of using both semantic networks and attack context profiles for detecting attacks which are supposed to be relevant based on semantics and context of occurrence. As observed in figure 3, the precision values are higher (better) when semantic networks and context profiles are used, compared with the precision values of using only semantic networks without context profiles. At the 0.7 relevance threshold, semantic networks with no context profiles achieve 0.61 precision compared to 0.85 when the context profiles filter is used to filter the semantic network results. It can be observed from the results that the context profiles filter removes most of the false positives (normal activities) which are included in the semantic network results. The semantic network has a superior average recall, which is almost 1 at the 0.1 and 0.2 semantic relevance thresholds. The recall results reported in figure 4 show that the context profile filters missed some relevant attacks beyond the 0.7 relevance threshold, when the recall values of the semantic network and context profiles filters start to decline. However, both recall lines are convergent beyond the 0.7 threshold. This decline shows that the semantic network starts missing some relevant attacks beyond the 0.7 threshold.
Fig. 5 Average F measure (SN with context profiles): average F against relevance threshold t from 0.1 to 0.9, for SN and SN+Context profiles
Figure 5 shows the F-measure values for the first experiment. The observed results show that using the semantic network with context profiles gives better F-measure values at all semantic relevance thresholds between 0.1 and 0.9. The best F-measure value when the semantic network and context profiles are used together is 0.8; this value is obtained at the 0.7 relevance threshold. By contrast, this value is approximately 0.68 when the semantic network is used without the context profiles filter. The second type of experiment was performed to compare the performance of (1) the semantic network without any context filters, (2) the semantic network with the host context filter, and (3) the semantic network with both context filters (context profiles and host context). The semantic network predictions are used as inputs to the context profiles filter. The context profiles filter checks these predictions and filters out attacks which do not match any context profile. The outputs of the context profiles filter are then used as inputs to the host context filter. In the current implementation, we collected about 100 vulnerabilities to create host contexts. The collected vulnerabilities cover all attacks in the KDD 1999 dataset, confirmed by several vulnerability databases [14, 15]. In total, 22 host contexts were created; all attacks predicted by the context profiles which do not match the host context are discarded by the host context filter.
Fig. 6 Average F measure (SN, and all context filters): average F against relevance threshold t from 0.1 to 0.9, for SN, SN+Host Context and SN+All context filters
Figure 6 shows the F-measure results for the second experiment. When both context filters are used after the semantic network, the best F value, obtained at the 0.7 relevance threshold, is 0.92. As observed in figure 6, the best F value at the 0.7 relevance score obtained by applying only the host context filter on the results of the semantic network is about 0.71, which is lower than when both context filters are applied. The host context filter showed some limitations in handling normal connections when no context profiling was used. When both context filters were used together, a superior precision was achieved, resulting in a better F-value (see figure 6).
4 Related Work
Several research articles are relevant to this work. In [17] a four-layer semantic schema was presented to extract attack scenarios and attack knowledge; however, the presented approach did not utilize any host-based context matching. The authors of [18] proposed a web attack detection system using the semantics of application headers. The described system was designed to detect header- and payload-based attacks. In [19] the authors developed a prototype to detect suspicious activities in wireless sensor networks by correlating data in the time and spatial domains. In [20] latent semantic analysis was utilized for security attack detection at run time. The approach achieved high accuracy; however, the process requires selecting features at run time using latent semantic analysis, which is computationally expensive. By contrast, we used pre-calculated semantic networks to minimize run-time computation. The authors of [21] used contextual information about hosts and their vulnerabilities with the goal of minimizing the false alarm rate for intrusion detection. Based on their results, the system minimized the false alarm rate. In [22] the authors studied the effect of correlating IDS attack signatures with static and dynamic network information to derive network context. In [23] vulnerability analysis was used as a context information source to minimize false alarm rates. Event correlation was used in [24] to infer events within the same context. The authors of [25] used entropy-based measures to build normal and anomaly contexts.
5 Conclusions and Future Work
We designed, implemented, and evaluated a new contextual semantics approach for detecting cyber-attacks. The semantic layer is represented by a semantic network which models semantic relationships between attacks in order to infer all relevant attacks given a sequence of events. The context layer consists of two filters that can be applied on top of the semantic network predictions to filter out irrelevant attacks by matching them with contextual information on attack profiles and network hosts. We found that our layered approach, which consists of the semantic network and both context filters, can achieve more than 99% precision on the KDD 1999 dataset. The F-measure was more than 92% as well. The proposed approach is promising for the cyber-attack prediction problem. We are planning to evaluate our system using different datasets. Currently, we are working on building a complete context information repository in our system by adding more contextual information filters.
Acknowledgments. This work was partially supported by a grant from Northrop-Grumman Corporation, USA.
References
1. Sowa, J.: Semantic Networks. In: Shapiro, S.C. (ed.) Encyclopedia of Artificial Intelligence, pp. 1493–1511. Wiley, New York (1992)
2. Sowa, J.: Semantic Networks, http://www.jfsowa.com/pubs/semnet.htm
3. Knowledge discovery in databases DARPA archive. Task Description, http://www.kdd.ics.uci.edu/databases/kddcup99/task.html
4. Shannon, C.: The Mathematical Theory of Communication. University of Illinois Press (1949)
5. McHugh, J.: Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security 3(4), 262–294 (2001)
6. Kayacik, G., Zincir, A.: Analysis of Three Intrusion Detection System Benchmark Datasets Using Machine Learning Algorithms. In: IEEE Intelligence and Security Informatics, Atlanta, USA (2005)
7. Karabatis, G., Chen, Z., Janeja, V.P., Lobo, T., Advani, M., Lindvall, M., Feldmann, R.L.: Using Semantic Networks and Context in Search for Relevant Software Engineering Artifacts. In: Spaccapietra, S., Delcambre, L. (eds.) Journal on Data Semantics XIV. LNCS, vol. 5880, pp. 74–104. Springer, Heidelberg (2009)
8. Duarte, J., Dos, S., Melo, L.: Comparison of Similarity Coefficients Based On Rapid Markers In The Common Bean. Genetics and Molecular Biology 22(3), 427–432 (1999)
9. Pensa, R., Leschi, C., Besson, J., Boulicaut, J.: Assessment of Discretization Techniques For Relevant Pattern Discovery From Gene Expression Data. In: 4th Workshop on Data Mining in Bioinformatics (2004)
10. Güneş, A., Nur, Z., Malcolm, I.: Selecting Features for Intrusion Detection: A Feature Relevance Analysis on KDD 99. In: Third Annual Conference on Privacy, Security and Trust, PST, Canada (2005)
11. Kumar, K., Nath, B., Kotagiri, R.: Layered Approach Using Conditional Random Fields for Intrusion Detection. IEEE Transactions on Dependable and Secure Computing 7(1), 35–49 (2010)
12. Weka Data mining and machine learning software, http://www.cs.waikato.ac.nz/ml/weka/
13. Konstanz Information Miner, http://www.knime.org/
14. IBM Internet Security Systems, http://xforce.iss.net/xforce/xfdb/588
15. National Vulnerability Database, http://web.nvd.nist.gov/view/vuln/search?execution=e2s1
16. Mrutyunjaya, P., Manas, R.: A Comparative Study of Data Mining Algorithms for Network Intrusion Detection. In: First International Conference on Emerging Trends in Engineering and Technology, pp. 505–507 (2008)
17. Wei, Y.: Semantic Approach for Attack Knowledge Extraction in Intrusion Detection Systems. In: 29th Annual IEEE International Conference on Local Computer Networks (2004)
18. Vaidehil, V., Srinivasan, N., Anand, P., Balajil, A., Prashanthl, V., Sangeethal, S.: A Semantics Based Application Level Intrusion Detection System. In: International Conference on Signal Processing, Communications and Networking (2007)
19. Ganesh, K., Sekar, M., Vaidehi, V.: Semantic Intrusion Detection System Using Pattern Matching and State Transition Analysis. In: International Conference in Recent Trends in Information Technology (2011)
20. Lassez, J., Rossi, R., Sheel, S., Mukkamala, S.: Signature Based Intrusion Detection using Latent Semantic Analysis. In: IEEE International Joint Conference on Computational Intelligence, pp. 1068–1074 (2008)
21. Lexi, P., Benedikt, W., Volker, W.: A Context Aware Network-IDS. In: 13th Nordic Workshop on Secure IT Systems, NordSec, Copenhagen, Denmark (2008)
22. Frédéric, M., Mathieu, C., Lionel, B., Yvan, L.: Context-Based Intrusion Detection Using Snort, Nessus and Bugtraq Databases. In: Third Annual Conference on Privacy, Security and Trust, Fredericton, New Brunswick, Canada (2005)
23. Liu, X., Xiao, D.: Using Vulnerability Analysis to Model Attack Scenario for Collaborative Intrusion Detection. In: 10th International Conference on Advanced Communication Technology, pp. 1273–1277 (2008)
24. Zhou, J., Heckman, M., Reynolds, B., Carlson, A., Bishop, M.: Modeling Network Intrusion Detection Alerts For Correlation. ACM Transactions on Information and System Security 10(1), 1–31 (2007)
25. Gu, Y., McCallum, A., Towsley, D.: Detecting anomalies in network using maximum entropy estimation. In: ACM SIGCOMM Conference on Internet Measurement, pp. 345–351 (2005)