    • Scientia Iranica
    • Volume 17, Issue 2

    Ontological Classification of Network Denial of Service Attacks: Basis for a Unified Detection Framework

    Author(s)
    SADEGHIYAN, B.; Varshovi, A.
    File size:
    2.260 MB
    File type (MIME):
    PDF
    Document type
    Text
    Document language
    English
    Abstract
    In this paper we introduce the notion of a detection framework to facilitate the reasoning and cooperation process of detection and response systems. The presented framework defines four dimensions as requirements to be satisfied: "What to detect", "Where to inspect", "How to decide", and "How to alert". The first dimension tries to unify the understanding of the problem between systems. The second will introduce detection features and parameters. The third dimension exactly states how intelligent systems or expert knowledge should be deployed, while the task of the fourth is to unify the alert and message exchange format. To address the "What to detect" aspect of our framework, we have considered a network denial of service and have presented an ontology which relates three taxonomies of DoS attacks, each from a different point of view: Attack Consequence, Attack Location and Attack Scenario. For scenario based taxonomy, we present a decision tree-like structure, which can be used as a base for attack detection. All these taxonomies are then related to each other in an ontology. An implementation of this ontology using Web Ontology Language (OWL) might help IETF's IDMEF to construct a base for a more accurate alert correlation.
    Keywords
    Availability
    Denial of service
    Detection framework
    Ontology
    Taxonomy

    Issue number
    2
    Publication date
    2010-12-01
    1389-09-10
    Publisher
    Sharif University of Technology
    Author affiliation
    Department of Computer Engineering and IT, Amirkabir University of Technology
    Department of Computer Engineering and IT, Amirkabir University of Technology

    ISSN
    1026-3098
    2345-3605
    URI
    http://scientiairanica.sharif.edu/article_3352.html
    https://iranjournals.nlai.ir/handle/123456789/120969
