The past few years have witnessed significant increase in DDoS attacks on Internet, prompting network security as a great concern. With the attacks getting more sophisticated, automatically reasoning the attack scenarios in real time and categorizing those scenarios become a critical challenge. However,the overwhelming flow of events generated by Intrusion Detection System (IDS) sensors make it hard for security administrators to uncover hidden attack plans. This paper presents a semantic vector space model to extract and categorize attack scenarios based on First-order Logics (FOL) and linguistics. The modified Case Grammar is introduced to formalize the heterogeneous IDS alerts into uniform structured alert streams. The attack resolution is then used to generate attack semantic network. Afterwards, mutual information is used to determine the alert semantic context range. Based on the attack ontology and alert contexts, attack scenarios are extracted and the alerts are represented as attack semantic space vectors. Finally text categorization technique are used to categorize the intrusion stages. The preliminary results show our model has better performance than the traditional alert correlations.

network security, intrusion detection, first-order logics, resolution