Ontological Classi cation of Network Denial of Service Attacks: Basis for a Uni ed Detection Framework


Department of Computer Engineering and IT,Amirkabir University of Technology


In this paper we introduce the notion of a detection framework to facilitate the reasoning
and cooperation process of detection and response systems. The presented framework de nes four
dimensions as requirements to be satis ed: What to detect", Where to inspect", How to decide",
and How to alert". The rst dimension tries to unify the understanding of the problem between systems.
The second will introduce detection features and parameters. The third dimension exactly states how
intelligent systems or expert knowledge should be deployed, while the task of the fourth is to unify the
alert and message exchange format. To address the What to detect" aspect of our framework, we have
considered a network denial of service and have presented an ontology which relates three taxonomies
of DoS attacks, each from a di erent point of view: Attack Consequence, Attack Location and Attack
Scenario. For scenario based taxonomy, we present a decision tree-like structure, which can be used as
a base for attack detection. All these taxonomies are then related to each other in an ontology. An
implementation of this ontology using Web Ontology Language (OWL) might help IETF's IDMEF to
construct a base for a more accurate alert correlation.