Publication | Closed Access
Semantic-based context-aware alert fusion for distributed Intrusion Detection Systems
Citations: 22 | References: 17 | Year: 2013 | Venue: Unknown
Topics: Engineering, Information Security, Ontology Engineering, Semantic Technology, Semantic Web, Alert Fusion Approach, Data Science, Data Mining, Data Integration, Internet Of Things, Intrusion Detection System, Threat Detection, Intrusion Tolerance, Knowledge Discovery, DARPA 2000, Computer Science, Semantic Reasoner, Fusion Process, Data Security, Automated Reasoning, Intrusion Detection, Business
One of the fundamental challenges in real-world Intrusion Detection Systems (IDS) is the large number of redundant, non-relevant false-positive alerts they generate. In this paper, we propose an alert fusion approach that incorporates contextual information, with the goal of retaining the benefits of multi-sensor detection while reducing false positives. To allow automated reasoning over the information resources available to the fusion process, we design a set of comprehensive and extensible ontologies and implement the fusion and detection algorithms as simple rules in Web Ontology Language Description Logic (OWL-DL), using the Semantic Query-Enhanced Web Rule Language (SQWRL). To illustrate and evaluate the approach, we use one of the attack scenarios of the DARPA 2000 dataset. The results show that the approach reduces false positives while achieving the same detection rates as Snort and ISS RealSecure.
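The following is an added illustration and is not code from the paper. It re-expresses in plain Python the two mechanisms the abstract describes: a context rule that discards alerts whose target cannot be affected by the reported attack, and a fusion step that merges duplicate alerts about the same event from several sensors into one alert with a confidence flag. The paper encodes these as ontologies and OWL-DL/SQWRL rules; here they are dictionaries and functions. The host inventory, the signature-to-platform mapping, the sensor names, the addresses (RFC 5737 test ranges) and the sample alerts are all constructed for this example and are not taken from the paper or from DARPA 2000.

```python
# Added illustration of context-aware alert fusion (not the paper's OWL-DL
# ontology or SQWRL rules): same ideas, expressed as plain Python.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str   # IDS that raised it, e.g. "snort" or "realsecure"
    ts: float     # seconds since start of capture
    src: str
    dst: str
    dport: int
    sig: str      # signature name normalised across sensors


@dataclass(frozen=True)
class Host:
    os: str
    services: frozenset  # ports actually listening on the host


@dataclass(frozen=True)
class FusedAlert:
    src: str
    dst: str
    sig: str
    first_ts: float
    last_ts: float
    count: int          # raw alerts merged into this one
    sensors: frozenset  # distinct sensors that contributed
    confirmed: bool     # True when more than one sensor saw it


# Constructed asset inventory (the "context"); hypothetical hosts.
CONTEXT = {
    "192.0.2.10": Host(os="solaris", services=frozenset({22, 111})),
    "192.0.2.20": Host(os="linux", services=frozenset({80})),
}

# Constructed signature knowledge: which OS and port each signature applies to.
SIG_APPLIES_TO = {
    "sadmind_ping":     {"os": {"solaris"}, "port": 111},
    "sadmind_overflow": {"os": {"solaris"}, "port": 111},
    "iis_unicode":      {"os": {"windows"}, "port": 80},
}


def relevant(alert: Alert, context: dict) -> bool:
    """Context rule: keep an alert only if its target can be affected.
    Unknown hosts or signatures are kept (fail open) so that gaps in the
    inventory never silently suppress a true positive."""
    host = context.get(alert.dst)
    req = SIG_APPLIES_TO.get(alert.sig)
    if host is None or req is None:
        return True
    return (host.os in req["os"]
            and req["port"] in host.services
            and alert.dport == req["port"])


def context_filter(alerts, context):
    """Split alerts into (kept, dropped) using the relevance rule."""
    kept = [a for a in alerts if relevant(a, context)]
    dropped = [a for a in alerts if not relevant(a, context)]
    return kept, dropped


def fuse(alerts, context, window: float = 60.0):
    """Merge relevant alerts sharing (src, dst, sig) that fall within
    `window` seconds of the cluster's first alert, across all sensors."""
    kept, _ = context_filter(alerts, context)
    clusters = defaultdict(list)  # (src, dst, sig) -> list of clusters
    for a in sorted(kept, key=lambda x: x.ts):
        buckets = clusters[(a.src, a.dst, a.sig)]
        if buckets and a.ts - buckets[-1][0].ts <= window:
            buckets[-1].append(a)
        else:
            buckets.append([a])
    fused = []
    for (src, dst, sig), buckets in clusters.items():
        for c in buckets:
            sensors = frozenset(a.sensor for a in c)
            fused.append(FusedAlert(src, dst, sig, c[0].ts, c[-1].ts,
                                    len(c), sensors, len(sensors) > 1))
    return sorted(fused, key=lambda f: f.first_ts)


# Constructed sample alerts from two sensors; not DARPA 2000 data.
ATTACKER = "198.51.100.7"
SAMPLE_ALERTS = [
    Alert("snort",       0.0, ATTACKER, "192.0.2.10", 111, "sadmind_ping"),
    Alert("realsecure",  0.4, ATTACKER, "192.0.2.10", 111, "sadmind_ping"),
    Alert("snort",      10.0, ATTACKER, "192.0.2.10", 111, "sadmind_overflow"),
    Alert("realsecure", 10.2, ATTACKER, "192.0.2.10", 111, "sadmind_overflow"),
    Alert("snort",      10.5, ATTACKER, "192.0.2.10", 111, "sadmind_overflow"),
    Alert("snort",      20.0, ATTACKER, "192.0.2.20",  80, "iis_unicode"),  # Linux target
    Alert("snort",     500.0, ATTACKER, "192.0.2.10", 111, "sadmind_overflow"),
]

if __name__ == "__main__":
    for f in fuse(SAMPLE_ALERTS, CONTEXT):
        print(f)
```

On the sample input, seven raw alerts become three fused ones: the IIS signature against a Linux host is dropped by the context rule, the two sadmind bursts are merged across both sensors and marked confirmed, and the lone late overflow alert survives unconfirmed. The relevance rule is only as trustworthy as the inventory behind it, which is why unknown hosts and signatures are kept rather than dropped: a stale inventory would otherwise suppress true positives, the failure mode that any context-based suppression has to guard against.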