Characterizing network behavior features using a cyber-security ontology
Abstract
This paper discusses the use of an ontology to characterize network behavior features. Efficient and timely threat detection requires careful examination of network packets as well as integration of observed packet level behaviors into a coherent view of the network. We focus on a method to capture the semantic properties of packet transmission at different levels of granularity, making the case for using modular ontologies as a tool to capture and integrate behaviors for threat detection. This study extends the existing work on ontologies of cyber security, embracing a holistic approach and providing a well-grounded modular representation of network behaviors. We demonstrate how beaconing behavior is represented using a vocabulary of network behavior features. Then, we show how this approach can be used to detect malware beaconing to a command-and-control server. Further implications and extensions are discussed in the context of network intrusion and cyber security.
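As an added illustration, not code from the paper, the following sketch shows the layered idea behind the abstract: packet-level observations are grouped into per-channel features, and a regular enough channel is then asserted as a beaconing behavior. The flow records, field names and the thresholds (`min_connections`, `max_cv`) are constructed assumptions for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (hypothetical): (time_s, src, dst, dst_port)
FLOWS = [
    # host 10.0.0.5 contacts one server about every 60 s with little jitter
    (0, "10.0.0.5", "203.0.113.9", 443), (60, "10.0.0.5", "203.0.113.9", 443),
    (121, "10.0.0.5", "203.0.113.9", 443), (179, "10.0.0.5", "203.0.113.9", 443),
    (240, "10.0.0.5", "203.0.113.9", 443), (301, "10.0.0.5", "203.0.113.9", 443),
    # host 10.0.0.7 shows bursty, irregular browsing to another server
    (5, "10.0.0.7", "198.51.100.2", 443), (9, "10.0.0.7", "198.51.100.2", 443),
    (40, "10.0.0.7", "198.51.100.2", 443), (300, "10.0.0.7", "198.51.100.2", 443),
    (310, "10.0.0.7", "198.51.100.2", 443),
]

def group_channels(flows):
    """Packet level: collect sorted timestamps per (src, dst, port) channel."""
    channels = defaultdict(list)
    for t, src, dst, port in flows:
        channels[(src, dst, port)].append(t)
    return {k: sorted(v) for k, v in channels.items()}

def channel_features(timestamps):
    """Channel level: periodicity features derived from inter-connection gaps.
    cv is the coefficient of variation (stdev / mean) of the gaps; None if too few."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return {"connections": len(timestamps), "mean_interval": None, "cv": None}
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else None
    return {"connections": len(timestamps), "mean_interval": m, "cv": cv}

def beaconing_behaviors(flows, min_connections=5, max_cv=0.1):
    """Behavior level: assert Beaconing for channels that connect often enough
    and with near-constant spacing (low cv). Thresholds are assumed values."""
    found = []
    for channel, ts in group_channels(flows).items():
        f = channel_features(ts)
        if f["connections"] >= min_connections and f["cv"] is not None and f["cv"] <= max_cv:
            found.append({"channel": channel, **f})
    return found

if __name__ == "__main__":
    for b in beaconing_behaviors(FLOWS):
        print(f"Beaconing: {b['channel']} every ~{b['mean_interval']:.1f}s (cv={b['cv']:.3f})")
```

Real deployments would feed the same feature layer from flow exporters or packet captures and tune the thresholds per network; the point here is only the separation of packet, channel and behavior levels.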