Title: Frame-based attack representation and real-time first order logic automatic reasoning
Authors: W. Yan, E. Hou, N. Ansari
Venue: ITRE 2005. 3rd International Conference on Information Technology: Research and Education, 2005.
Publication date: 2005-06-27
DOI: 10.1109/ITRE.2005.1503109 (https://doi.org/10.1109/ITRE.2005.1503109)
Citation count: 3
Source platform: Semantic Scholar
Frame-based attack representation and real-time first order logic automatic reasoning
The Internet has grown by several orders of magnitude in recent years, making network security a major concern. Intrusion detection systems (IDSs) are therefore used to detect intrusions in a timely manner and to defend against attack attempts. However, current IDS technology generates a huge volume of alert events, many of them false alarms, and because the IDS itself has little built-in intelligence, these alerts require costly manual review. Security information management (SIM) has emerged as a growing area of interest in network security to address this problem. In this paper, we propose FAR-FAR (frame-based attack representation and first-order logic automatic reasoning), a system within SIM that relieves the administrator of time-consuming and costly manual alert review. Using backward chaining, FAR-FAR reasons about network attack scenarios in real time. In FAR-FAR, alerts aggregated from different IDS agents are first converted into uniform frame-structured streams by means of case grammar; first-order logic production rules are then applied to extract the hidden attack scenarios. Our simulation results show that FAR-FAR's attack scenario reasoning time per incoming alert is generally far less than the alerts' inter-arrival time. This guarantees that FAR-FAR can automatically reason about attack plans in real time and predict possible attack attempts at an early stage.