Queryable Semantics to Detect Cyber-Attacks: A Flow-Based Detection Approach

Ahmed F. AlEroud, George Karabatis

Research output: Contribution to journal › Article › peer-review

19 Scopus citations

Abstract

Cyber-attacks continue to increase worldwide, leading to significant loss or misuse of information assets. Most existing intrusion detection systems rely on per-packet inspection, a resource-consuming task in today's high-speed networks. A recent trend is to analyze netflows (or simply flows) instead of packets, a technique performed at a relatively low level, which leads to high false alarm rates. Since the raw data extracted from flows lack the semantic information needed to discover attacks, a novel approach is introduced that uses contextual information to automatically identify and query possible semantic links between different types of suspicious activities extracted from flows. Time, location, and other contextual information mined from flows are applied to generate semantic links among alerts raised in response to suspicious flows. These semantic links are identified through an inference process on probabilistic semantic link networks (SLNs), which receive an initial prediction from a classifier that analyzes incoming flows. The SLNs are then queried at run-time to retrieve other relevant predictions. We show that our approach can be extended to detect unknown attacks in flows as variations of known attacks. An extensive validation of our approach has been performed with a prototype system on several benchmark datasets, yielding very promising results in detecting both known and unknown attacks.
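The pipeline the abstract describes (a per-flow classifier supplies a prior, time and host context weight the links between alerts, the network is queried at run-time, and an unnamed anomaly is scored as a possible variation of a known attack) is sketched below as an added illustrative example. It is not the paper's code or data: the classifier rules, the relation table, the 30 s time constant, the host-overlap rule and the noisy-OR combination are all assumptions chosen for illustration, and the flow records are constructed.

```python
"""Toy queryable semantic link network (SLN) over NetFlow-style records.

Added example, not the authors' implementation. Everything below the
Flow class (classifier thresholds, relation probabilities, TAU, the
host-overlap rule and noisy-OR inference) is an assumption for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    pkts: int
    nbytes: int


# Constructed sample flows (not real traffic): a port scan (0-2), an SSH
# brute force (3-5), a large outbound transfer from the brute-forced host (6),
# a benign web flow (7), a large transfer with no surrounding context (8),
# and an unusual outbound DNS flow the classifier cannot name (9).
FLOWS = [
    Flow(0, "10.0.0.5", "10.0.1.20", 22, 1, 60),
    Flow(1, "10.0.0.5", "10.0.1.20", 23, 1, 60),
    Flow(2, "10.0.0.5", "10.0.1.20", 80, 1, 60),
    Flow(10, "10.0.0.5", "10.0.1.20", 22, 8, 1200),
    Flow(11, "10.0.0.5", "10.0.1.20", 22, 8, 1200),
    Flow(12, "10.0.0.5", "10.0.1.20", 22, 9, 1300),
    Flow(40, "10.0.1.20", "203.0.113.7", 443, 40000, 52_000_000),
    Flow(12, "10.0.2.9", "10.0.1.30", 80, 30, 45_000),
    Flow(600, "10.0.3.4", "192.0.2.10", 443, 30000, 40_000_000),
    Flow(45, "10.0.1.20", "203.0.113.7", 53, 400, 90_000),
]

# Assumed semantic relations between alert types (attack-stage adjacency).
RELATIONS = {
    frozenset({"portscan", "ssh_bruteforce"}): 0.8,
    frozenset({"ssh_bruteforce", "exfiltration"}): 0.6,
    frozenset({"portscan", "exfiltration"}): 0.3,
}
TAU = 30.0  # assumed temporal decay constant, seconds


def classify(f: Flow) -> tuple[str, float]:
    """Stand-in for the trained per-flow classifier: (label, prior probability)."""
    if f.pkts <= 2 and f.nbytes < 100:
        return "portscan", 0.6
    if f.dport == 22 and 3 <= f.pkts <= 15:
        return "ssh_bruteforce", 0.55
    if f.nbytes > 10_000_000:
        return "exfiltration", 0.4
    if f.pkts > 100 and f.dport not in (80, 443):
        return "unknown", 0.3   # anomalous but matching no known attack type
    return "benign", 0.95


def relation(a: str, b: str) -> float:
    if a == b:
        return 0.5             # repeated activity of one type reinforces itself
    if "unknown" in (a, b):
        return 0.4             # an unnamed anomaly may be a variation of any stage
    return RELATIONS.get(frozenset({a, b}), 0.0)


def link_weight(fi: Flow, li: str, fj: Flow, lj: str) -> float:
    """Semantic relation scaled by temporal proximity and host overlap."""
    temporal = math.exp(-abs(fi.ts - fj.ts) / TAU)
    spatial = 1.0 if {fi.src, fi.dst} & {fj.src, fj.dst} else 0.2
    return relation(li, lj) * temporal * spatial


def build_sln(flows):
    """Alerts are non-benign predictions; links carry the context weight."""
    alerts = {i: classify(f) for i, f in enumerate(flows)}
    alerts = {i: lp for i, lp in alerts.items() if lp[0] != "benign"}
    links = {i: [] for i in alerts}
    for i in alerts:
        for j in alerts:
            if i < j:
                w = link_weight(flows[i], alerts[i][0], flows[j], alerts[j][0])
                if w > 0:
                    links[i].append((j, w))
                    links[j].append((i, w))
    return alerts, links


def infer(alerts, links):
    """One synchronous noisy-OR pass: a neighbour i 'explains' alert j with w_ij * p_i."""
    posterior = {}
    for j, (_, p_j) in alerts.items():
        miss = 1.0 - p_j
        for i, w in links[j]:
            miss *= 1.0 - w * alerts[i][1]
        posterior[j] = 1.0 - miss
    return posterior


def query(links, idx: int, k: int = 4):
    """Run-time query: the k alerts most strongly linked to alert idx."""
    return [i for i, _ in sorted(links[idx], key=lambda iw: iw[1], reverse=True)[:k]]


if __name__ == "__main__":
    alerts, links = build_sln(FLOWS)
    post = infer(alerts, links)
    for i in sorted(post, key=post.get, reverse=True):
        print(f"flow {i}: {alerts[i][0]:<15} prior={alerts[i][1]:.2f} posterior={post[i]:.2f}")
    print("related to flow 6:", query(links, 6))
```

Two things the run shows that the priors alone do not: the large transfer from the brute-forced host (flow 6) and the unnamed DNS anomaly from the same host (flow 9) both rise well above their classifier scores because of their links to the scan and brute-force alerts, while the equally large but isolated transfer (flow 8) stays at its prior. Querying flow 6 returns the anomaly and the brute-force alerts first, which is the kind of run-time retrieval the abstract describes.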

Original language: English (US)
Article number: 7562536
Pages (from-to): 207-223
Number of pages: 17
Journal: IEEE Transactions on Systems, Man, and Cybernetics: Systems
Volume: 48
Issue number: 2
DOIs
State: Published - Feb 2018
Externally published: Yes

Keywords

  • Context
  • information security
  • intrusion detection
  • netflow
  • network attacks
  • semantic link network (SLN)

ASJC Scopus subject areas

  • Software
  • Control and Systems Engineering
  • Human-Computer Interaction
  • Computer Science Applications
  • Electrical and Electronic Engineering

