
    Using Domain Knowledge to Facilitate Cyber Security Analysis

    Network attack classification is an essential component of intrusion detection because it can improve the performance of intrusion detection systems. Several machine-learning methods have been applied to correlating attacks. These approaches share one inherent limitation: they rely strongly on datasets, and consequently their models for attack classification can hardly generalize beyond the training data. To address this limitation, we propose to utilize domain knowledge in the form of taxonomy and ontology to improve attack correlation in cyber security. In addition, we expect that the attack correlation results of machine-learning techniques can be used to refine the original attack taxonomy. The proposed methods are evaluated with several experiments. The findings of the experiments suggest that domain knowledge and machine-learning techniques should be used together on attack classification tasks.