Using DAML+ OIL to classify intrusive behaviours

We have produced an ontology specifying a model of computer attack. Our ontology is based upon an analysis of over 4,000 classes of computer intrusions and their corresponding attack strategies and is categorized according to: system component targeted, means of attack, consequence of attack and location of attacker. We argue that any taxonomic characteristics used to define a computer attack be limited in scope to those features that are observable and measurable at the target of the attack. We present our model as a target-centric ontology that is to be refined and expanded over time. We state the benefits of forgoing dependence upon taxonomies, in favor of ontologies, for the classification of computer attacks and intrusions. We have specified our ontology using the DARPA Agent Markup Language + Ontology Inference Layer and have prototyped it using DAMLJessKB. We present our model as a target-centric ontology and illustrate the benefits of utilizing an ontology lieu of a taxonomy, by presenting a use case scenario of a distributed intrusion detection system.
Date: January 16, 2004
Book Title: Knowledge Engineering Review
Type: Article
Edition: Special Issue on Ontologies for Distributed Systems
Volume: 18
Number: 3
Pages: 221-241
Publisher: Cambridge University Press
Google scholar: AK44Swl66xYJ
Google citations: 3 citations


  author = "Anupam Joshi and Tim Finin and John Pinkston",
  title = "{Using DAML+ OIL to classify intrusive behaviours}",
  month = "January",
  year = "2004",
  edition = "Special Issue on Ontologies for Distributed Systems",
  pages = "221-241",
  number = "3",
  volume = "18",
  journal = "Knowledge Engineering Review",
  publisher = "Cambridge University Press",