Department of Computer Engineering and IT, Amirkabir University of Technology
In this paper we introduce the notion of a detection framework to facilitate the reasoning
and cooperation of detection and response systems. The presented framework defines four
dimensions as requirements to be satisfied: "What to detect", "Where to inspect", "How to decide",
and "How to alert". The first dimension unifies the understanding of the problem across systems.
The second introduces the detection features and parameters. The third dimension states exactly how
intelligent systems or expert knowledge should be deployed, while the task of the fourth is to unify the
alert and message exchange format. To address the "What to detect" aspect of our framework, we
consider network denial of service and present an ontology that relates three taxonomies
of DoS attacks, each from a different point of view: Attack Consequence, Attack Location and Attack
Scenario. For the scenario-based taxonomy, we present a decision-tree-like structure which can be used as
a base for attack detection. All three taxonomies are then related to each other in an ontology. An
implementation of this ontology in the Web Ontology Language (OWL) could give the IETF's IDMEF
(Intrusion Detection Message Exchange Format) a base for more accurate alert correlation.
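The abstract names three mechanisms without showing them: a decision-tree-like classifier that assigns a scenario class, an ontology that relates the scenario, consequence and location taxonomies, and alert correlation built on those shared classes. The following Python sketch is an added illustration written for this page; it is not the paper's code, and the taxonomy members, feature names, thresholds and IP addresses are all hypothetical placeholders chosen to make the example run. The point it demonstrates is the last one in the abstract: two sensors that label the same event differently (here, "amplification" versus "udp-flood") still correlate once both labels are resolved to the same consequence and location classes.

```python
"""Added illustration (not from the paper): a decision tree over traffic features
picks a scenario class; an ontology-style mapping relates that class to the
consequence and location taxonomies; alert correlation then compares ontology
classes instead of raw sensor labels. All class names and thresholds are
hypothetical placeholders, not the paper's taxonomy."""
from dataclasses import dataclass
from enum import Enum


class Scenario(Enum):          # how the attack is carried out (hypothetical members)
    SYN_FLOOD = "syn-flood"
    UDP_FLOOD = "udp-flood"
    AMPLIFICATION = "amplification"
    BENIGN = "benign"


class Consequence(Enum):       # what resource the attack exhausts (hypothetical members)
    CONNECTION_TABLE = "connection-table"
    BANDWIDTH = "bandwidth"
    NONE = "none"


class Location(Enum):          # where the effect is felt (hypothetical members)
    END_HOST = "end-host"
    ACCESS_LINK = "access-link"
    NONE = "none"


# Ontology fragment: each scenario class is related to one consequence class and
# one location class. The paper puts this relation in OWL; a dict stands in here.
ONTOLOGY = {
    Scenario.SYN_FLOOD: (Consequence.CONNECTION_TABLE, Location.END_HOST),
    Scenario.UDP_FLOOD: (Consequence.BANDWIDTH, Location.ACCESS_LINK),
    Scenario.AMPLIFICATION: (Consequence.BANDWIDTH, Location.ACCESS_LINK),
    Scenario.BENIGN: (Consequence.NONE, Location.NONE),
}


def classify_scenario(f: dict) -> Scenario:
    """Decision-tree-like classifier over per-window flow statistics.
    Feature names and thresholds are constructed for this example."""
    if f["pps"] < 1_000:                        # root: is the packet rate anomalous at all?
        return Scenario.BENIGN
    if f["syn_ratio"] > 0.8 and f["synack_ratio"] < 0.2:
        return Scenario.SYN_FLOOD               # many SYNs, handshakes never complete
    if f["udp_ratio"] > 0.8:
        if f["mean_pkt_bytes"] > 1_000 and f["src_port_mode"] in (53, 123, 11211):
            return Scenario.AMPLIFICATION       # large replies from reflector services
        return Scenario.UDP_FLOOD
    return Scenario.BENIGN


@dataclass(frozen=True)
class Alert:
    sensor: str
    target: str
    scenario: Scenario
    consequence: Consequence
    location: Location


def build_alert(sensor: str, target: str, features: dict) -> Alert:
    """Classify, then attach the ontology classes the scenario is related to."""
    scenario = classify_scenario(features)
    consequence, location = ONTOLOGY[scenario]
    return Alert(sensor, target, scenario, consequence, location)


def correlate(a: Alert, b: Alert) -> bool:
    """Two alerts are treated as one incident when they name the same target and
    agree on ontology classes, even if their scenario labels differ."""
    return (a.target == b.target
            and a.consequence == b.consequence
            and a.location == b.location
            and a.consequence is not Consequence.NONE)


# Constructed sample inputs: two sensors observing the same target from different vantage points.
EDGE_VIEW = {"pps": 250_000, "syn_ratio": 0.05, "synack_ratio": 0.0,
             "udp_ratio": 0.97, "mean_pkt_bytes": 1_350, "src_port_mode": 53}
CORE_VIEW = {"pps": 180_000, "syn_ratio": 0.02, "synack_ratio": 0.0,
             "udp_ratio": 0.99, "mean_pkt_bytes": 900, "src_port_mode": 40000}

if __name__ == "__main__":
    a = build_alert("edge-ids", "10.0.0.5", EDGE_VIEW)
    b = build_alert("core-netflow", "10.0.0.5", CORE_VIEW)
    print(a.scenario.value, b.scenario.value, correlate(a, b))
```

The decision tree is deliberately shallow; what matters for the framework's "How to alert" dimension is that the alert carries ontology classes rather than a sensor-specific string, so a correlation engine consuming IDMEF-style messages can match on the shared classes.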