Saman Taghavi Zargar
University of Pittsburgh
Publication
Featured research published by Saman Taghavi Zargar.
foundations and practice of security | 2013
Alireza Sadighian; José M. Fernandez; Antoine Lemay; Saman Taghavi Zargar
Several alert correlation approaches have been proposed to date to reduce the number of non-relevant alerts and false positives typically generated by Intrusion Detection Systems (IDS). Inspired by the mental process of contextualisation used by security analysts to weed out less relevant alerts, some of these approaches have tried to incorporate contextual information such as the type of systems, applications, users, and networks into the correlation process. However, these approaches are not flexible as they only perform correlation based on narrowly defined contexts. information resources available to the security analysts while preserving the maximum flexibility and the power of abstraction in both the definition and the usage of such concepts, we propose ONTIDS, a context-aware and ontology-based alert correlation framework that uses ontologies to represent and store the alerts information, alerts context, vulnerability information, and the attack scenarios. ONTIDS employs simple ontology logic rules written in Semantic Query-Enhanced Web Rule Language (SQWRL) to correlate and filter out non-relevant alerts. We illustrate the potential usefulness and the flexibility of ONTIDS by employing its reference implementation on two separate case studies, inspired by the DARPA 2000 and UNB ISCX IDS evaluation datasets.
conference on risks and security of internet and systems | 2013
Alireza Sadighian; Saman Taghavi Zargar; José M. Fernandez; Antoine Lemay
One of the fundamental challenges in real-world Intrusion Detection Systems (IDS) is the large number of redundant, non-relevant false positive alerts that they generate. In this paper, we propose an alert fusion approach that incorporates contextual information with the goal of leveraging the benefits of multi-sensor detection while reducing false positives. In order to allow for automated reasoning on the information resources available for the fusion process, we design a set of comprehensive and extensible ontologies, and implement fusion and detection algorithms as simple rules in Ontologic Web Language Description Logic (OWL-DL), using the Semantic Query-Enhanced Web Rule Language (SQWRL). To illustrate and evaluate our approach, we use one of the attack scenarios of the DARPA 2000 dataset. The results obtained show that our approach can reduce false positives, while achieving the same detection rates achieved by using Snort and ISS RealSecure.
international conference on information and communication technologies | 2006
Saman Taghavi Zargar; Vahid Salmani; Mahmoud Naghibzadeh
In this paper we compare our proposed hybrid scheduling algorithm, which is a modification of the Maximum Urgency First (MUF) scheduling algorithm, with the MUF scheduling algorithm. The maximum urgency first algorithm combines the advantages of fixed and dynamic scheduling to provide dynamically changing systems with flexible scheduling. This algorithm, however, has a major shortcoming due to its scheduling mechanism, which may cause a critical task to miss its deadline. The modified maximum urgency first (MMUF) scheduling algorithm resolves this problem. We have made a comparison between our proposed algorithm and the maximum urgency first algorithm using simulation, and the results are presented. It is shown that modified maximum urgency first is superior to maximum urgency first, since it usually has less task preemption and hence less related overhead. It also leads to fewer failed non-critical tasks in overloaded situations and to a lower average response time for tasks. Moreover, in most cases, MMUF better utilizes the CPU than MUF does.
IEEE Communications Surveys and Tutorials | 2013
Saman Taghavi Zargar; James B. D. Joshi; David Tipper
collaborative computing | 2011
Saman Taghavi Zargar; Hassan Takabi; James B. D. Joshi
Archive | 2009
Saman Taghavi Zargar; Martin B. H. Weiss; Carlos E. Caicedo; James B. D. Joshi
collaborative computing | 2010
Saman Taghavi Zargar; James B. D. Joshi
information reuse and integration | 2014
Saman Taghavi Zargar; James B. D. Joshi; David Tipper
Archive | 2009
Saman Taghavi Zargar; Martin B. H. Weiss; James B. D. Joshi
color imaging conference | 2016
Hassan Takabi; Samir Koppikar; Saman Taghavi Zargar