DocumentCode
614053
Title
Behavior Ontology: A Framework to Detect Attack Patterns for Security
Author
Sujeong Woo ; Jinho On ; Moonkun Lee
fYear
2013
fDate
25-28 March 2013
Firstpage
738
Lastpage
743
Abstract
This paper presents a new method to detect attack patterns in security-critical systems, based on a new notion of Behavior Ontology. Generally, security-critical systems are large and complex, and are subject to attack in every possible way. Therefore it is very complicated to detect various attacks systematically in some semantic structure. This paper handles the complication with Behavior Ontology, where patterns of attacks in the systems are defined as a sequence of actions on class ontology for the systems. By the nature of the actions, the attack patterns can be abstracted in hierarchical order, forming a lattice or a lattice of lattices, based on inclusion relations. Once the behavior ontology for the attack patterns is defined, the attacks in the target systems can be detected both semantically and hierarchically in the structure of the ontology. Compared with other attack models, the analysis on the behavior ontology shows that the approach in the paper is very effective and efficient in time and space. The approach can be considered as the first attempt to detect attack patterns with the notion of behavior ontology.
Keywords
ontologies (artificial intelligence); pattern recognition; safety-critical software; security of data; action sequence; attack model; attack pattern detection; behavior ontology; class ontology; hierarchical abstraction; inclusion relation; security-critical system; semantic structure; Conferences; Abstraction; Attack; Behavior Ontology; Meta-Model; Pattern; Security-Critical Systems;
fLanguage
English
Publisher
ieee
Conference_Titel
Advanced Information Networking and Applications Workshops (WAINA), 2013 27th International Conference on
Conference_Location
Barcelona
Print_ISBN
978-1-4673-6239-9
Electronic_ISBN
978-0-7695-4952-1
Type
conf
DOI
10.1109/WAINA.2013.42
Filename
6550484