DocumentCode
1975680
Title
S-MAIDS: A Semantic Model for Automated Tuning, Correlation, and Response Selection in Intrusion Detection Systems
Author
Strasburg, Chris ; Basu, Sreetama ; Wong, Johnny S.
Author_Institution
Ames Lab., Iowa State Univ., Ames, IA, USA
fYear
2013
fDate
22-26 July 2013
Firstpage
319
Lastpage
328
Abstract
As cyber threats increasingly utilize automated and adaptive attacks to bypass or overwhelm static defenses, the role of intrusion detection and response systems (IDRS) as an active defense layer is becoming more critical. To remain effective against current attacks, IDRS must be capable of automating detection of, and response to, threats in their specific environment. Different operating characteristics, detection capabilities, and response actions all contribute to making each environment unique, complicating this automation. In this work we consider IDRS automation in three areas: detector tuning, detector correlation, and response selection. We motivate and present a novel, more finely grained model of threats, detectors, and responses called S-MAIDS: A Semantic Model of Automated Intrusion Detection Systems. Based on the concept of a "signal" (an observable indicator of an attack), we show the utility of combining such a model with an existing measure of IDRS performance to facilitate automated tuning, cross-system correlation, and response selection. We support our claims through several case studies demonstrating the application of this model, and provide the model as an OWL ontology.
Keywords
knowledge representation languages; ontologies (artificial intelligence); security of data; IDRS automation; OWL ontology; S-MAIDS; active defense layer; automated tuning; cross-system correlation; detector correlation; detector tuning; intrusion detection and response systems; response selection; semantic model of automated intrusion detection systems; Automation; Computational modeling; Detectors; Intrusion detection; Ontologies; Semantics; Tuning; Intrusion detection; computer aided diagnosis; computer security; knowledge based systems; software measurement;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Software and Applications Conference (COMPSAC), 2013 IEEE 37th Annual
Conference_Location
Kyoto
Type
conf
DOI
10.1109/COMPSAC.2013.57
Filename
6649844