
Détection d'intrusion à l'aide d'un système expert basé sur l'ontologie (Intrusion detection using an ontology-based expert system)

Étienne Ducharme

Master's thesis (2017)

Open access document in PolyPublie
Terms of use: All rights reserved

Abstract

Computer attacks are a significant reality today. Their ubiquity is explained by the fact that attackers can take advantage of the growing complexity of the information systems environment, which results from the massive computerization of activities, such as the storage of personal data, and from the integration of new technologies, such as wireless technologies. The lure of gain is increasing and attack surfaces are bigger than ever. Traditional defence mechanisms struggle to adapt to this heterogeneous environment because of the broad spectrum of information it contains. Defence systems perform intrusion detection through detection rules. Unfortunately, the languages in which these detection rules are written have several weaknesses. On the one hand, writing them requires great expertise. On the other hand, these languages make it difficult to make concepts of different natures interact. Humans have been involved in the intrusion detection process to compensate for this weakness, so intrusion detection is subject to human weaknesses in reliability and performance. We propose to computerize the intrusion detection process with an expert system, a type of tool that replicates the reasoning of a human expert. The expert system that we propose is DIOSE (Détection d'Intrusion avec l'Ontologie par un Système Expert). It is based on ontologies, which are knowledge representation methods that make it possible to describe a concept so that it can be understood by a machine. Using an ontological database provides the flexibility to move from detection based only on events to detection based on events, event context and vulnerabilities together, with the aim of improving the detection of computer attacks by correlating the different information collected.
Representing knowledge with an ontology also allows abstraction to be used to bring the language of intrusion detection rules closer to the language of the expert.
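The abstract describes correlating an observed event with the context of the targeted asset and with the vulnerabilities it is known to carry, and writing the detection rule against abstract concepts rather than raw signatures. The following is an added illustration of that idea, not code from the thesis or from DIOSE: a minimal triple store with subclass inference stands in for the ontology, the concept hierarchy, host inventory, vulnerability labels (VULN-RCE-1) and sensor log lines are all constructed, and the severity rule is written against the abstract classes WebServer, ExploitAttempt and RemoteCodeExecution so that it never mentions a concrete product.

```python
"""Added illustration: correlating events with host context and known
vulnerabilities over a small ontology-style knowledge base.
Not DIOSE's code; every class name, predicate and data item is constructed."""
from collections import defaultdict


class KnowledgeBase:
    """Tiny triple store (subject, predicate, object) with subclass inference."""

    def __init__(self):
        self.triples = set()
        self.parents = defaultdict(set)   # class -> direct superclasses

    def add(self, subj, pred, obj):
        self.triples.add((subj, pred, obj))
        if pred == "subClassOf":
            self.parents[subj].add(obj)

    def objects(self, subj, pred):
        return {o for s, p, o in self.triples if s == subj and p == pred}

    def is_subclass(self, cls, ancestor):
        """Transitive closure of subClassOf (a class is a subclass of itself)."""
        seen, stack = set(), [cls]
        while stack:
            c = stack.pop()
            if c == ancestor:
                return True
            if c not in seen:
                seen.add(c)
                stack.extend(self.parents[c])
        return False

    def instance_of(self, ind, cls):
        """Individual 'ind' has a type equal to 'cls' or one of its subclasses."""
        return any(self.is_subclass(t, cls) for t in self.objects(ind, "type"))


def build_kb():
    """Concept hierarchy plus constructed inventory and scanner context."""
    kb = KnowledgeBase()
    for child, parent in [("WebServer", "Service"), ("Database", "Service"),
                          ("HttpdX", "WebServer"),            # HttpdX: made-up product
                          ("RemoteCodeExecution", "Vulnerability"),
                          ("ExploitAttempt", "Event")]:
        kb.add(child, "subClassOf", parent)
    # Asset inventory (which service each host runs).
    kb.add("web-01", "runs", "svc-web-01"); kb.add("svc-web-01", "type", "HttpdX")
    kb.add("web-02", "runs", "svc-web-02"); kb.add("svc-web-02", "type", "HttpdX")
    kb.add("db-01", "runs", "svc-db-01");   kb.add("svc-db-01", "type", "Database")
    # Vulnerability-scanner output: only web-01 still carries the flaw.
    kb.add("VULN-RCE-1", "type", "RemoteCodeExecution")
    kb.add("web-01", "hasVulnerability", "VULN-RCE-1")
    return kb


def ingest_log(kb, lines):
    """Turn key=value sensor lines into Event individuals; returns their ids."""
    ids = []
    for n, line in enumerate(lines):
        fields = dict(tok.split("=", 1) for tok in line.split())
        ev = f"event-{n}"
        kb.add(ev, "type", fields["sig_class"])
        kb.add(ev, "target", fields["dst"])
        kb.add(ev, "source", fields["src"])
        kb.add(ev, "exploits", fields["vuln"])
        ids.append(ev)
    return ids


def assess(kb, ev):
    """Rule in the expert's terms: an exploit attempt against a web server is
    CRITICAL only when the target actually carries the exploited RCE flaw."""
    if not kb.instance_of(ev, "ExploitAttempt"):
        return "IGNORE"                       # other event classes: out of scope here
    target = next(iter(kb.objects(ev, "target")))
    vuln = next(iter(kb.objects(ev, "exploits")))
    exposes_web = any(kb.instance_of(svc, "WebServer")
                      for svc in kb.objects(target, "runs"))
    if not exposes_web:
        return "LOW"                          # signature does not apply to this host
    if (vuln in kb.objects(target, "hasVulnerability")
            and kb.instance_of(vuln, "RemoteCodeExecution")):
        return "CRITICAL"
    return "MEDIUM"                           # attempt against an unaffected web server


SAMPLE_LOG = [  # constructed sensor output, not real traffic
    "src=198.51.100.7 dst=web-01 sig_class=ExploitAttempt vuln=VULN-RCE-1",
    "src=198.51.100.7 dst=web-02 sig_class=ExploitAttempt vuln=VULN-RCE-1",
    "src=198.51.100.7 dst=db-01 sig_class=ExploitAttempt vuln=VULN-RCE-1",
    "src=203.0.113.9 dst=web-01 sig_class=PortScan vuln=none",
]


def run(lines=SAMPLE_LOG):
    """Ingest the lines into a fresh KB and return {event id: severity}."""
    kb = build_kb()
    return {ev: assess(kb, ev) for ev in ingest_log(kb, lines)}


if __name__ == "__main__":
    for ev, sev in run().items():
        print(ev, sev)
```

The same signature fires on three hosts but yields three different severities, because the verdict depends on context (does the host expose a web server at all?) and on vulnerability state (is it still affected?) rather than on the event alone. Adding a new product only requires one more `subClassOf` triple under WebServer; the rule itself does not change.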


Department: Department of Computer Engineering and Software Engineering
Program: Computer Engineering
Supervisors: Éric Gingras and Jose Manuel Fernandez
PolyPublie URL: https://publications.polymtl.ca/2923/
University/School: École Polytechnique de Montréal
Deposited on: 3 Apr. 2018 13:52
Last modified: 5 Apr. 2024 13:32
Cite in APA 7: Ducharme, É. (2017). Détection d'intrusion à l'aide d'un système expert basé sur l'ontologie [Mémoire de maîtrise, École Polytechnique de Montréal]. PolyPublie. https://publications.polymtl.ca/2923/
