Ontological Classification of Network Denial of Service Attacks: Basis for a Unified Detection Framework

In this paper we introduce the notion of a detection framework to facilitate the reasoning and cooperation process of detection and response systems. The presented framework defines four dimensions as requirements to be satisfied: "What to detect", "Where to inspect", "How to decide", and "How to alert". The first dimension tries to unify the understanding of the problem between systems. The second will introduce detection features and parameters. The third dimension exactly states how intelligent systems or expert knowledge should be deployed, while the task of the fourth is to unify the alert and message exchange format. To address the "What to detect" aspect of our framework, we have considered a network denial of service and have presented an ontology which relates three taxonomies of DoS attacks, each from a different point of view: Attack Consequence, Attack Location and Attack Scenario. For scenario based taxonomy, we present a decision tree-like structure, which can be used as a base for attack detection. All these taxonomies are then related to each other in an ontology. An implementation of this ontology using Web Ontology Language (OWL) might help IETF's IDMEF to construct a base for a more accurate alert correlation.