2021 IEEE International Conference on Communications Workshops (ICC Workshops) | 978-1-7281-9441-7/20/$31.00 ©2021 IEEE | DOI: 10.1109/ICCWorkshops50388.2021.9473869

A Framework For Intelligent DDoS Attack Detection and Response using SIEM and Ontology

Salva Daneshgadeh Çakmakçı, University of Bremen, Bremen, Germany, salva@uni-bremen.de
Helmar Hutschenreuter, University of Bremen, Bremen, Germany, hutschen@uni-bremen.de
Christian Maeder, University of Bremen, Bremen, Germany, c.maeder@uni-bremen.de
Thomas Kemmerich, University of Bremen, Bremen, Germany, thomas.kemmerich@uni-bremen.de

Abstract—In this paper, we propose an intelligent DDoS detection and response framework. It employs a Security Information and Event Management (SIEM) tool to detect different types of DDoS attacks using its incident detection engine. Additionally, it has an inference engine to automatically infer potential countermeasures to respond to and recover from DDoS attacks. The inference system continuously reasons about each reported incident and provides suggestions to keep the system stable. We model the explicit knowledge of an IT-dependent organization at a high level using ontologies for the organization, IT, security, and DDoS attacks. We demonstrate the connections of these ontologies with the inference system and a SIEM. This paper is part of ongoing research on securing the maritime port ecosystem. The proposed framework not only automates the detection of DDoS attacks but also supports the implementation of automatic countermeasures. The framework can be used as a guide for cyber attack resilience in IT-dependent organizations by preventing, detecting, responding to and recovering from different types of cyber attacks.

Index Terms—SIEM, Ontology, Inference System, Intelligent Attack Detection, DDoS Response, DDoS Recovery

I. INTRODUCTION

Distributed Denial of Service (DDoS) is one of the relatively old, but still effective, attack techniques. DDoS attacks are very popular because DDoS tools are usually easy to access and launch, yet they can cause catastrophic effects on networks. DDoS attacks target the availability of internet-based services and applications. Many types of DDoS attacks, such as flood and amplification attacks, cause a huge volume of traffic or broadcasts on an IP address to bombard a victim’s machine and consume its bandwidth. As a result, the victim’s machine is overwhelmed by fake traffic that is similar to real traffic. This similarity between DDoS attack traffic and real traffic makes it difficult to distinguish legitimate user traffic from attacks. According to Corero [1], the frequency of DDoS attacks and their complexity tend to increase while their size and duration decrease. Academia and industry have mainly investigated DDoS attack detection mechanisms while neglecting response and recovery for cyber resilience. At best, a list of countermeasures to be applied manually by skilled individuals is provided.

A. Ontology

An ontology is a “specific, formal representation of a shared conceptualization of a domain” [2]. An ontology defines the explicit knowledge associated with specific objects in a machine-readable form. Ontologies may support communication, inference and reuse; informal ontologies are represented in natural language [3]. However, ontologies should be written in a formal language like the Web Ontology Language (OWL). OWL is the most popular web ontology language, with semantics that support deriving knowledge by logical inference using automated reasoners. Although OWL does not have a clear separation between TBoxes and ABoxes [4], it makes sense to conceptually distinguish these two kinds of knowledge. A TBox mainly describes static knowledge (e.g., classes and properties), whereas an ABox concentrates on dynamic and frequently changing knowledge (e.g., objects of classes, or individuals).

B. Artificial Intelligence and Ontology

Gruber [5] defined an ontology as a set of representational terms in the context of Artificial Intelligence (AI). In this fashion, an ontology formally specifies the concepts of a domain of interest with human-readable text in which the relationships, constraints and well-defined uses of terms are explicitly expressed. Ontologies are used for organizing information and representing knowledge for AI-based systems [6]. In recent years, ontologies have been used in many domains, such as health care, industrial control systems and environmental monitoring, to elicit useful knowledge from collected data. Ontologies can thus fill the gap between data generation and data usage. Razzaq et al. [7] proposed an intelligent ontology-based application-level Intrusion Detection System (IDS) using a Bayesian filter to protect against zero-day attacks. The rule engine of their IDS was able to communicate with a knowledge base and to automatically generate rules against web application attacks. Roda and Musulin [8] proposed an ontology-based framework with symbol-based reasoning. Their framework utilizes semantic technologies to describe the state or condition of a dynamic process; these descriptions are then used to analyze raw sensor data for the detection of errors, problems or faults. Khairkar et al. [9] reviewed different types of traditional and AI-enabled intrusion detection systems and argued that an intrusion detection system is needed that understands the context of the attack and the target domain in order to make intelligent decisions. They suggested using semantic web and ontology concepts for analyzing security logs, raising alarms and giving real-time responses, but provided no guideline for developing such a system.

Authorized licensed use limited to: Nottingham Trent University. Downloaded on October 18,2023 at 00:55:17 UTC from IEEE Xplore. Restrictions apply.
Pardo et al. [10] proposed a context-aware anomaly detection framework for smart homes. Their framework uses ontologies to detect (hardware, software, network, operator and context) anomalies and to respond to them. Ontology-based cybersecurity is a relatively new approach in the literature, especially when it comes to intelligent attack detection using ontologies. Recently, Hutschenreuter et al. [11] proposed an ontology-based cybersecurity and resilience framework to prevent, detect, respond to and recover from cyber incidents.

C. DDoS Attack Detection

We classify DDoS attack detection mechanisms into three groups: signature-based, systematic, and intelligent. Signature-based detection compares the characteristics of the captured traffic to the well-defined characteristics of previous attacks (e.g., in an IDS). Statistical analysis (e.g., moving averages) and information theory (e.g., Shannon entropy) are well-known examples of systematic mechanisms (see [12]–[14]). Intelligent detection algorithms employ techniques like Machine Learning (ML) [15]–[17], Deep Learning (DL) [18], [19], and ontologies [20]–[22] to model the behavior of attacks using feature vectors (for ML and DL) or knowledge about attacks and their environments (for ontologies). Intelligent detection algorithms are suitable for detecting zero-day attacks but exhibit high false-alarm rates.

D. Our Contribution

This study presents a novel intelligent DDoS attack detection framework that integrates a SIEM, state-of-the-art security tools, ontologies and logical inference to detect and counter DDoS attacks. Ontologies feed an inference engine that selects the most appropriate DDoS recovery and response measures in an intelligent manner. As a result, the error-prone and time-consuming manual tasks of attack response and recovery are automated and accelerated.
The proposed framework can be used to detect different types of attacks in different domains and applications merely by updating a knowledge base containing knowledge of the attack types, the IT infrastructure and its environment. The knowledge base can also be updated with lessons learned from former attacks.

II. PROPOSED FRAMEWORK

Our proposed algorithm combines three components: security tools like firewalls, anti-virus, IDS/IPS, and a SIEM for DDoS attack detection; ontologies; and an inference system for automatic response and recovery (Figure 2).

A. SIEM

Security Information and Event Management (SIEM) is a security technology that ingests events and logs from different sources like applications, systems, and network components. Logs are parsed and normalized. They can be collected by an agent-based method, which requires agent software on all devices, or by an agent-less method, where embedded devices like routers, printers, or a firewall send their logs to a remote data collector [23]. Preprocessing converts unstructured logs into a common format that can be consumed by an intrusion detection engine. Logs are usually given as plain text, and a parser (regular expression) separates the different fields inside a log. Finally, field names and data are normalized and sent to the intrusion detection engine to spot potential attacks (see Figure 1). The intrusion detection module consists of simple correlation rules (correlating events from different sources) or uses more advanced techniques like statistical analysis, ML, DL, or anomaly detection. Table I gives an overview of different algorithms that can be part of the intrusion detection engine to detect DDoS attacks.

TABLE I. DDOS DETECTION METHODS
Features     | Technique   | DDoS attack condition
Ng           | Rule-based  | Ng > 1000
Ng           | Correlation | Ng > 1000 and some IP addresses that are suspicious based on threat intelligence
MeanNg, Ng   | Statistical | Ng > 1.5 * MeanNg
Ng           | ML          | Support Vector Machine algorithm [24]
Ng, EIP      | Anomaly     | E-KOAD
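As an added example (not code from the paper), the following Python evaluates the rule-based, correlation and statistical conditions of Table I, together with the Section II-B query rule (connections per minute reaching three times the average of the last hour), over constructed per-minute flow summaries of the kind a SIEM builds from CICFlowMeter or NetFlow records. Ng is the number of HTTP GET requests in a minute and MeanNg the mean from previous days; the threat-intelligence addresses and the sample minutes are constructed here.

```python
"""Evaluate the DDoS conditions of Table I (rule-based, correlation,
statistical) and the Section II-B query rule over per-minute flow summaries.
Added example; sample data and the threat-intelligence list are constructed."""
from statistics import mean

NG_THRESHOLD = 1000       # Table I, rule-based: Ng > 1000
STAT_FACTOR = 1.5         # Table I, statistical: Ng > 1.5 * MeanNg
LAST_HOUR_FACTOR = 3.0    # Section II-B: 3x the average of the last hour
HOUR = 60                 # number of preceding minutes in the last-hour window

# Constructed threat-intelligence feed (TEST-NET addresses, not real IoCs).
SUSPICIOUS_IPS = {"203.0.113.7", "198.51.100.23"}


def rule_based(ng):
    """Table I, rule-based: fixed threshold on HTTP GET requests per minute."""
    return ng > NG_THRESHOLD


def correlation(ng, src_ips):
    """Table I, correlation: high request count AND sources known from threat intelligence."""
    return ng > NG_THRESHOLD and bool(set(src_ips) & SUSPICIOUS_IPS)


def statistical(ng, mean_ng):
    """Table I, statistical: Ng exceeds 1.5 times the mean Ng of previous days."""
    return ng > STAT_FACTOR * mean_ng


def last_hour_rule(connections, history):
    """Section II-B query rule: connections per minute reach three times the
    average of the preceding hour. history holds earlier per-minute counts;
    with no history there is no baseline, so no alarm is raised."""
    window = history[-HOUR:]
    if not window:
        return False
    return connections >= LAST_HOUR_FACTOR * mean(window)


def evaluate(minutes, mean_ng):
    """Run all four checks over per-minute summaries in order and return the
    raised alarms as (minute, rule) pairs, the way a SIEM would emit them."""
    alarms = []
    conn_history = []
    for m in minutes:
        checks = (
            ("rule-based", rule_based(m["ng"])),
            ("correlation", correlation(m["ng"], m["src_ips"])),
            ("statistical", statistical(m["ng"], mean_ng)),
            ("last-hour", last_hour_rule(m["connections"], conn_history)),
        )
        alarms.extend((m["minute"], name) for name, hit in checks if hit)
        conn_history.append(m["connections"])
    return alarms


def constructed_minutes():
    """Constructed sample: five quiet minutes, then one flood minute whose
    sources include two threat-listed addresses."""
    quiet = [{"minute": f"04:0{i}", "ng": 300 + 10 * i, "connections": 200,
              "src_ips": ["192.0.2.10", "192.0.2.11"]} for i in range(5)]
    flood = {"minute": "04:05", "ng": 1500, "connections": 900,
             "src_ips": ["192.0.2.10", "203.0.113.7", "198.51.100.23"]}
    return quiet + [flood]


if __name__ == "__main__":
    # MeanNg = 320 is the constructed mean of previous days.
    for minute, rule in evaluate(constructed_minutes(), mean_ng=320):
        print(f"{minute}: DDoS alarm ({rule})")
```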
In Table I, the number of HTTP GET requests from a web application is denoted by Ng, whereas MeanNg denotes the mean number of requests from previous days for the statistical analysis. The Kernel Online Anomaly Detection (KOAD) [17] considers the entropy of IP addresses (EIP) and the Mahalanobis distance.

The command and execution module is responsible for configuring the IT infrastructure. It receives inferred measures from the inference system and applies them as a command script. Commands may change access control policies or apply management actions (e.g., block user accounts, change router configurations) [25].

Fig. 1. Example of raw and normalized firewall logs.
Fig. 2. Proposed intrusion detection and response framework.

B. DDoS Detection by SIEM

This section presents a detailed example of how network flow data is used by a SIEM to detect abnormal activities that may be DDoS attacks. A complete guideline for utilizing and tuning a SIEM is beyond the scope of this paper. For demonstration, we used the normal and DDoS traffic data from the CIC-IDS2017 [26] benchmark dataset. It includes traffic flows based on captured network traffic (PCAP). CICFlowMeter [27] was used to create attributes like timestamps, source and destination IP addresses, ports, protocols, etc. In practice, any network flow capturing tool like NetFlow [28] can be used to collect network flows for the IP addresses that enter an organization’s interface. Here, we directly uploaded the related CSV files to the free and open Elastic SIEM [29]. We did not use any machine learning or anomaly detection capability of the SIEM’s analytical engine to detect DDoS attacks. The aim of this use case is to show that a skilled security analyst might manually explore data using the visualization features of Kibana [30] and write pre-built rules to detect anomalies or attacks. Figure 3 clearly demonstrates the abnormal behavior of the network traffic between the timestamps 4:00 and 4:15. The SIEM supports simple threshold settings for raising an alarm on network traffic that indicates a DDoS attack. For instance, one can add a query rule that raises a DDoS alarm if the number of connections per minute increases to three times the average number from the last hour.

(a) Total number of destination IP addresses per minute
(b) Mean of Average Inter Arrival Time (IAT) for flows per minute
Fig. 3. Network traffic bar graph presentations created using Kibana queries.

C. Ontology of IT Infrastructures

The formal model of an IT infrastructure encompasses the explicit knowledge of an IT system and its environment inside an organization. Figure 4 shows a corresponding TBox with the subclasses Hard-IT and Soft-IT. Soft-IT describes operating systems, applications, and virtual machines that provide services or are used by employees to access stored data. Hard-IT represents the physical infrastructure like devices (e.g., PCs, routers), links (e.g., wired or wireless), and the network (e.g., inter- or intranet). Security measures protect both Soft- and Hard-IT infrastructures. Dotted lines indicate inheritance between classes. Roles are depicted by solid arrows and represent the relationships between classes. Soft-IT and Hard-IT are connected via the Device class. Therefore, instances of the classes Subject and Object will be assigned to IT devices from the Hard-IT infrastructure.

Fig. 4. TBox for an IT infrastructure.

In practice, both an ABox and the TBox of the ontology should be modeled for a complete knowledge base. ABoxes contain concrete instances of the classes and roles. For example, there may be two instances of the class User (U1 and U2) and one instance of the class Group (G1). Subsequently, the member role could be used to assign both users to the same group G1 to indicate that users U1 and U2 have equal group privileges. Our TBox describes the high-level and general IT infrastructure of an organization; therefore, it can basically be reused for the IT infrastructure of other organizations. On the other hand, an ABox completely depends on the actual IT infrastructure of an organization. The following box shows a small part of an ABox created using Python and the library “Owlready2” [31].

```python
# ABox fragment from the paper (identifiers restored: PDF extraction dropped the
# underscores). PC, Server, User, Group, Service, Data, AccessPoint, WirelessLink
# and Intranet are classes of the TBox in Fig. 4; linkToDevices, addUsers,
# ValidForDevices, hostsObjects and permitAccessToObjects are the authors' helper
# methods on those classes, not part of Owlready2 itself.
from owlready2 import get_ontology

# Placeholder file name: the paper does not give the ontology's IRI or path.
onto = get_ontology("it_infrastructure.owl").load()
PC, Server, User, Group = onto.PC, onto.Server, onto.User, onto.Group
Service, Data, AccessPoint = onto.Service, onto.Data, onto.AccessPoint
WirelessLink, Intranet = onto.WirelessLink, onto.Intranet

# Individuals (instances of the TBox classes)
managing_director_pc = PC("managing_director_pc")
it_administrator_pc = PC("it_administrator_pc")
employees_pc1 = PC("employees_pc1")
employees_pc2 = PC("employees_pc2")
mail_server = Server("mail_server")
employee1 = User("employee1")
employee2 = User("employee2")
employees = Group("employees")
mail_group = Group("mail_group")
management = Group("management")
it_administrator = User("it_administrator")
it_administrators = Group("it_administrators")
mail_service = Service("mail_service")
customer_data = Data("customer_data")
personnel_data = Data("personnel_data")
mails = Data("mails")  # assumed: referenced below but not declared in the paper's excerpt
wlan_access_point = AccessPoint("wlan_access_point")

# Roles between the individuals
wlan_access_point.linkToDevices(WirelessLink, Intranet("lan"), managing_director_pc,
                                it_administrator_pc, employees_pc1, employees_pc2)
employees.addUsers(employee1, employee2)
employees.ValidForDevices(mail_server, employees_pc1, employees_pc2)
mail_group.ValidForDevices(mail_server)
mail_server.hostsObjects(mail_service, mails)
management.permitAccessToObjects(customer_data, personnel_data, mail_service)
```

D. Ontology of Cybersecurity

The bottom left part of Figure 5 shows the three organizational classes BusinessProcess, Role and Employee. Business processes need infrastructures to run on, and the responsibility for infrastructures is controlled by roles given to employees. The TBox for cybersecurity can also be used for any organization or application scenario. Security measures reduce threats and support security objectives that are threatened by threats. Our security ontology describes which infrastructure should be protected by which security measure. The classes ManualMeasure and TechnicalMeasure are subclasses of the class ResponseRecoveryMeasure. They are used to differentiate between technical measures (e.g., changing a firewall rule) and manual measures (e.g., further investigation by a cybersecurity analyst). The role integratesTechnicalMeasure and its inverse role isIntegratedByInfrastructure express the application of technical measures to the infrastructure.

E. Ontology of DDoS Attacks

Figure 6 shows a general TBox for DDoS attacks that consists of the classes Attack and Technology. The class DDoS is a subclass of Attack and has two further subclasses, BandwidthExhaustion and ResourceExhaustion. Bandwidth exhaustion overwhelms a network with unwanted traffic, whereas resource exhaustion consumes a noticeable amount of resources. Both types of attack can target a server or a process of a victim and prevent responses to legitimate requests [32]. DDoS attacks are further classified by the subclasses Flood, Amplification, ProtocolExploit and MalformedPacket.

F. Inference System

Given TBoxes and ABoxes for all the ontologies described above, the inference system is able to determine which business processes are working and which security objectives are met. As the inference engine, an OWL reasoner like HermiT [33], which comes with Protégé [34], is expected to work for our purposes. For an attack, the consequences for the infrastructure can be derived. The degraded infrastructure in turn determines the affected business processes and security objectives. From a larger set of a priori known measures, those measures can be inferred that counter the degrading effects. The actual choice of one or several measures will be based on a simulation: a measure is temporarily added as a new fact to the formal model and the consequences are derived anew.
Only if this leads to an improvement will the measure actually be proposed or automatically taken.

Fig. 5. TBox for Cybersecurity.
Fig. 6. TBox for DDoS attack.

III. FRAMEWORK IN PRACTICE

The DDoS detection module of the SIEM analyzes different logs from different sources using its built-in DDoS detection algorithms and raises an alarm when it detects a DDoS attack against one of the servers or web-based applications. Consequently, a notification message that includes information about the attack type and the system (Hard- or Soft-IT infrastructure) under attack is sent to the inference system. Finally, the inference system takes the following steps to suggest countermeasures.

1) A DDoS attack is added with its type and initial target as a fact to the formal ontology model.
2) The impact of the attack on connected parts of the infrastructure and on business processes is derived. The possibility of co-occurring attacks could also be considered if suitably modeled in the ontology.
3) Potential measures to respond to or recover from the given DDoS (and possible co-occurring) attacks are suggested.
4) The effectiveness of a measure is tested by temporarily adding the measure as a fact to the underlying formal model.
5) Only if the extended ontology improves the situation for business processes and security objectives is the measure sent to the SIEM as an effective measure. The measure is kept in the formal model as long as the degradation of the infrastructure that caused it persists.
6) Steps 4 and 5 are repeated as long as the situation improves and no further risks threaten business processes.

A. DDoS Attack Countermeasures

The inference system sends a message for each effective measure to the SIEM.
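Steps 1 to 6 above, as an added Python stand-in for the OWL reasoning (example code, not the authors' HermiT/Protégé implementation): the infrastructure, the business processes and the semantics assigned to each measure taken from the list in Section III-A (which attack type and component class it counters, and whether it cuts off public access) are modelling assumptions. The measure with a side effect shows why step 5 rejects a tentative fact that protects the target but breaks other business processes.

```python
"""Minimal forward-chaining stand-in for steps 1-6 of Section III.
Added example: infrastructure, processes and measure semantics are constructed."""
from dataclasses import dataclass, field

# Constructed IT-infrastructure ABox: component -> (TBox class, components it depends on)
INFRA = {
    "internet_link": ("Link", set()),
    "lan": ("Intranet", set()),
    "mail_server": ("Server", {"internet_link", "lan"}),
    "web_server": ("Server", {"internet_link"}),
    "hr_db": ("Server", {"lan"}),
    "mail_service": ("Service", {"mail_server"}),
    "web_service": ("Service", {"web_server"}),
}
# Constructed business processes: name -> (infrastructure needed, needs public access?)
PROCESSES = {
    "customer_mailing": ({"mail_service"}, True),
    "online_booking": ({"web_service"}, True),
    "payroll": ({"hr_db"}, False),
}
# Measures from the Section III-A list with ASSUMED semantics:
# (attack types countered, component class protected, blocks public access?)
MEASURES = {
    "Filter the attack streams": ({"BandwidthExhaustion", "ResourceExhaustion"}, "Link", False),
    "Enable privileged access (e.g., IP-based)": ({"ResourceExhaustion"}, "Server", True),
    "Increase bandwidth of connections": ({"BandwidthExhaustion"}, "Link", False),
    "Enlarge the backlog queue for requests": ({"ResourceExhaustion"}, "Server", False),
    "Locate proxy servers in front of the server": ({"ResourceExhaustion"}, "Server", False),
}


@dataclass
class Model:
    """The formal model: attack facts plus the measures currently asserted."""
    attacks: list                                # (attack type, target component)
    measures: list = field(default_factory=list)

    def degraded(self):
        """Components degraded by the attacks, propagated along dependencies.
        An attack is neutralised when an asserted measure counters its type
        on the target's component class."""
        bad = set()
        for atype, target in self.attacks:
            countered = any(atype in MEASURES[m][0] and MEASURES[m][1] == INFRA[target][0]
                            for m in self.measures)
            if not countered:
                bad.add(target)
        changed = True
        while changed:                           # fixpoint over the dependency graph
            changed = False
            for comp, (_, deps) in INFRA.items():
                if comp not in bad and deps & bad:
                    bad.add(comp)
                    changed = True
        return bad

    def working_processes(self):
        """Business processes whose infrastructure is intact and not cut off by a measure."""
        bad = self.degraded()
        public_blocked = any(MEASURES[m][2] for m in self.measures)
        return {p for p, (needs, public) in PROCESSES.items()
                if not (needs & bad) and not (public and public_blocked)}


def infer_measures(attack_type, target):
    """Steps 1-6: assert the attack, then try each measure as a temporary fact and
    keep it only if more business processes work than before; stop when nothing improves."""
    model = Model(attacks=[(attack_type, target)])          # step 1
    accepted = []
    improved = True
    while improved:                                          # step 6
        improved = False
        for name in MEASURES:                                # step 3: candidates
            if name in accepted:
                continue
            before = len(model.working_processes())          # step 2
            model.measures.append(name)                      # step 4: tentative fact
            if len(model.working_processes()) > before:      # step 5
                accepted.append(name)
                improved = True
            else:
                model.measures.pop()                         # retract ineffective measure
    return accepted


if __name__ == "__main__":
    print(infer_measures("BandwidthExhaustion", "internet_link"))
    print(infer_measures("ResourceExhaustion", "web_server"))
```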
The potential list of response and recovery messages is as follows [21], [32], [35]:
• Filter the attack streams.
• Enable privileged access (e.g., IP-based).
• Block IP addresses with suspicious geo-location info.
• Increase bandwidth of connections.
• Locate proxy servers in front of the server.
• Distribute arriving requests between proxy servers via the load balancer.
• Enlarge the backlog queue for requests.
• Increase the timeout of connections in the backlog.
• Check for other potential attacks.
• Inform responsible people or authorities.

The inference system suggests the most compatible measures because it has knowledge about the IT infrastructure, security objectives, DDoS types, and measures. For example, if a detection algorithm is able to distinguish DDoS attacks from Flash Events (FE) [36], then the inference system will send an “Increase Bandwidth” message for an FE incident and a “Block Suspicious IP Addresses” message for a DDoS attack. The inference system might also suggest investigating potential concurrent attacks like data exfiltration; according to [37], small DDoS attacks may be used to distract staff while a main attack is launched.

IV. DISCUSSION

According to Gartner, worldwide information security expenditure will reach $170.4 billion in 2022. Phishing, whaling, malware, social engineering, ransomware and DDoS attacks are among the most common cyber security attacks in fields like healthcare, finance, or government [38]. The fundamental knowledge for the detection of the mentioned attacks is almost identical for all organizations and domains. Ontologies can capture, share, and reuse this common information security knowledge (IT assets, attack types, protective measures, attack countermeasures, and so on), thus avoiding duplicated efforts and rebuilding everything from scratch. However, the elementary knowledge base must keep up with new IT technologies and their vulnerabilities, and with the special security requirements of individual or sector-based organizations.
The ultimate goal of our proposed framework is to formalize and represent the concepts of common knowledge in the field of attack detection.

V. CONCLUSION AND FUTURE WORK

The ontologies for IT infrastructures, cybersecurity, and DDoS attacks create a powerful construct for selecting appropriate recovery and response measures for various kinds of DDoS attacks. Our proposed framework opens areas for further research, for example extending the ontologies, modeling different attacks, finding an efficient protocol for the communication between the SIEM and the inference system, or developing an ontology-based SIEM. Our framework could be a cost-effective approach to increase the automation level of cybersecurity in different industries and to compensate for the lack of security specialists. The approach only requires the modeling of some organization-specific knowledge in addition to the given security tools and a SIEM. The detailed modeling of ABoxes and the experimental evaluation of the proposed algorithm are left for future work.

ACKNOWLEDGMENTS

This work was supported by the German Federal Ministry of Transport and Digital Infrastructure (BMVI) under the grant 19H18012E (SecProPort project).

REFERENCES

[1] Corero, “H1 trends report summary of inputs,” 2020. [Online]. Available: https://go.corero.com/corero-h1-2020-trends-report-download
[2] M. Uschold and M. Gruninger, “Ontologies: Principles, methods and applications,” The Knowledge Engineering Review, vol. 11, no. 2, pp. 93–136, 1996.
[3] V. Nguyen, “Ontologies and information systems: a literature survey,” Australia: DSTO Defence Science and Technology Organisation, 2011.
[4] S. Brockmans, R. Volz, A. Eberhart, and P. Löffler, “Visual modeling of OWL DL ontologies using UML,” in International Semantic Web Conference. Springer, 2004, pp. 198–213.
[5] T. R. Gruber, “Toward principles for the design of ontologies used for knowledge sharing?” International Journal of Human-Computer Studies, vol. 43, no. 5, pp. 907–928, 1995. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1071581985710816
[6] W. S. Mark, T. Donneau-Golencer, and M. Yarlagadda, “Adaptive ontology,” 2014, US Patent 8,918,431.
[7] A. Razzaq, H. F. Ahmed, A. Hur, and N. Haider, “Ontology based application level intrusion detection system by using Bayesian filter,” in 2009 2nd International Conference on Computer, Control and Communication, 2009, pp. 1–6.
[8] F. Roda and E. Musulin, “An ontology-based framework to support intelligent data analysis of sensor measurements,” Expert Systems with Applications, vol. 41, no. 17, pp. 7914–7926, 2014.
[9] A. D. Khairkar, D. D. Kshirsagar, and S. Kumar, “Ontology for detection of web attacks,” in 2013 International Conference on Communication Systems and Network Technologies. IEEE, 2013, pp. 612–615.
[10] E. Pardo, D. Espes, and P. Le Parc, “A framework for anomaly diagnosis in smart homes based on ontology,” in The 7th International Conference on Ambient Systems, Networks and Technologies (ANT 2016), 2016.
[11] H. Hutschenreuter, S. D. Çakmakçı, C. Maeder, and T. Kemmerich, “Ontology-based cybersecurity and resilience framework,” in 7th International Conference on Information Systems Security and Privacy, 2021, accepted.
[12] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, “A novel DoS and DDoS attacks detection algorithm using ARIMA time series model and chaotic system in computer networks,” IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
[13] M. H. Bhuyan, D. Bhattacharyya, and J. K. Kalita, “An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[14] S. Behal, K. Kumar, and M. Sachdeva, “D-FACE: An anomaly based distributed approach for early detection of DDoS attacks and flash events,” Journal of Network and Computer Applications, vol. 111, pp. 49–63, 2018.
[15] Y. Gu, K. Li, Z. Guo, and Y. Wang, “Semi-supervised k-means DDoS detection method using hybrid feature selection algorithm,” IEEE Access, vol. 7, pp. 64351–64365, 2019.
[16] G. Fernandes Jr, L. F. Carvalho, J. J. Rodrigues, and M. L. Proença Jr, “Network anomaly detection using IP flows with principal component analysis and ant colony optimization,” Journal of Network and Computer Applications, vol. 64, pp. 1–11, 2016.
[17] S. D. Çakmakçı, T. Kemmerich, T. Ahmed, and N. Baykal, “Online DDoS attack detection using Mahalanobis distance and kernel-based learning algorithm,” Journal of Network and Computer Applications, vol. 168, no. 102756, 2020.
[18] X. Yuan, C. Li, and X. Li, “DeepDefense: Identifying DDoS attack via deep learning,” in International Conference on Smart Computing (SMARTCOMP). IEEE, 2017, pp. 1–8.
[19] Q. Niyaz, W. Sun, and A. Y. Javaid, “A deep learning based DDoS detection system in software-defined networking (SDN),” EAI Endorsed Transactions on Security and Safety, vol. 4, no. 12, 2017.
[20] J. Pinkston, J. Undercoffer, A. Joshi, and T. Finin, “A target-centric ontology for intrusion detection,” in IJCAI Workshop on Ontologies in Distributed Systems, 18th International Joint Conference on Artificial Intelligence, 2003.
[21] S. Ramanauskaite and A. Cenys, “Taxonomy of DoS attacks and their countermeasures,” Open Computer Science, vol. 1, no. 3, pp. 355–366, 2011.
[22] A. Razzaq, Z. Anwar, H. F. Ahmad, K. Latif, and F. Munir, “Ontology for attack detection: An intelligent approach to web application security,” Computers & Security, vol. 45, pp. 124–146, 2014.
[23] NXLog, “Agent-based versus agent-less log collection — which option is best?” 2019. [Online]. Available: https://nxlog.co/agent-based-versusagent-less
[24] S. Daneshgadeh, N. Baykal, and Ş. Ertekin, “DDoS attack modeling and detection using SMO,” in 16th International Conference on Machine Learning and Applications (ICMLA). IEEE, 2017, pp. 432–436.
[25] G. G. Granadillo, Y. B. Mustapha, N. Hachem, and H. Debar, “An ontology-based model for SIEM environments,” in Global Security, Safety and Sustainability & e-Democracy. Springer, 2011, pp. 148–155.
[26] CIC, “Intrusion detection evaluation dataset,” 2017. [Online]. Available: https://www.unb.ca/cic/datasets/ids-2017.html
[27] CIC, “CICFlowMeter,” 2020. [Online]. Available: https://github.com/CanadianInstituteForCybersecurity/CICFlowMeter
[28] Cisco, “Introduction to Cisco IOS NetFlow - a technical overview,” 2012.
[29] Elastic, “SIEM at the speed of Elasticsearch.” [Online]. Available: https://www.elastic.co/siem
[30] Elastic, “Your window into the Elastic Stack.” [Online]. Available: https://www.elastic.co/kiban
[31] J.-B. Lamy, “Owlready: Ontology-oriented programming in Python with automatic classification and high level constructs for biomedical ontologies,” Artificial Intelligence in Medicine, vol. 80, pp. 11–28, 2017.
[32] S. Specht and R. Lee, “Taxonomies of distributed denial of service networks, attacks, tools and countermeasures,” CEL2003-03, Princeton University, Princeton, NJ, USA, 2003.
[33] HermiT, “HermiT OWL Reasoner,” 2013. [Online]. Available: http://www.hermit-reasoner.com
[34] M. A. Musen, “The Protégé project: A look back and a look forward,” AI Matters, vol. 1, no. 4, pp. 4–12, 2015.
[35] H. Beitollahi and G. Deconinck, “Analyzing well-known countermeasures against distributed denial of service attacks,” Computer Communications, vol. 35, no. 11, pp. 1312–1332, 2012.
[36] S. Daneshgadeh, T. Ahmed, T. Kemmerich, and N. Baykal, “Detection of DDoS attacks and flash events using Shannon entropy, KOAD and Mahalanobis distance,” in 22nd Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN). IEEE, 2019, pp. 222–229.
[37] Corero, “Corero & GTT DDoS trends report Q2–Q3 2017.” [Online]. Available: https://www.gtt.net/media/1443/corero-q2-q3-trendreports.pdf
[38] Statistic, “134 cybersecurity statistics and trends for 2021.” [Online]. Available: https://www.varonis.com/blog/cybersecurity-statistics/