International Conference on Computing, Communication and Automation (ICCCA2015)

CSAAES: An Expert System for Cyber Security Attack Awareness

Cheshta Rani
Computer Science and Engineering Department
Thapar University
Patiala, India
mehtacheshta@gmail.com

Shivani Goel
Computer Science and Engineering Department
Thapar University
Patiala, India
shivani@thapar.edu

ISBN: 978-1-4799-8890-7/15/$31.00 ©2015 IEEE

Abstract— Internet today is used by almost all people, organizations etc. With this vast usage of the internet, a lot of information is exposed on the internet, and this information is available to hackers. So a lot of attacks occur in computer systems through the internet. These attacks may destroy the information present on a particular system or use the system to perform other types of attacks. We need to provide protection from these attacks. A user faces some problem in the functioning of the computer but has no means of identifying and solving the problem. Knowledge about different types of attacks and their effects on the system is available from various sources. The handling of various attacks is also available, but identifying which attack is being performed on the computer system is difficult. The expert system designed here can identify which type of attack is being performed on the system, its symptoms and ways to solve these attacks, i.e. countermeasures. It is a platform for cyber attack security awareness among internet users.

Keywords—expert system; security; attacks; countermeasures; security framework.

I. INTRODUCTION

With the development of the internet and communication systems, cyber activity has moved into a new era. The internet is used by all people and government agencies for their business activities, personal affairs etc. This information system has improved efficiency to a large extent, but the risk of cyber threats and computer security attacks has increased. Attackers find the vulnerabilities present in the system, application or operating system and use them to exploit the system.

Most of these attacks occur due to misconfigured software, vulnerable software or open ports present in the system. This has led computer users and organizations to use security tools to protect the system from security attacks. These tools provide information, but that information is scattered. When a user faces problems in the computer, he/she does not know the reason why the problems are occurring and what should be done to remove the problems from the computer. For removing an attack we need to identify the attack and then apply the appropriate countermeasure to remove it. So there is a need to design a system that will provide users the information about the reasons for the problem (due to an attack) and how the problem can be solved. For this an expert system, CSAAES, is designed that will provide the required information from its rules and databases by querying it. The aim of the expert system is twofold: to make the user aware of important information about various cyber attacks, and also to provide awareness about all possible symptoms and countermeasures.

II. LITERATURE REVIEW

[1] proposed an expert system called OPENSke that was designed using the Drools tool. This system took system information as input and identified the vulnerabilities found. System information was the information about the network, such as hosts present in the system, user accounts, assets and applications running on them. Vulnerabilities found were the output of any vulnerability scanner, such as an OVAL scanner or NESSUS, that reports the vulnerabilities found in the system [1]. It gave as output the weaknesses found, the compromised software or assets, and the executed attack patterns. Weaknesses found are described by CWE (Common Weakness Enumeration) entries that match the current vulnerabilities in the system. It also reported which software or assets had been compromised and were risky to use. Executed attack patterns constitute a list of CAPEC (Common Attack Pattern Enumeration and Classification) attack patterns. This system was tested on several different systems and identified the vulnerabilities present. The major drawback of the system was that it did not take into consideration the role of time in the execution of attacks. In this system information about the network needed to be entered manually; this could be automated to detect the network topology and run the system on a frequent basis. Rules in this system were executed in arbitrary order, and this could be improved by following the workflow process.

Kerim Goztepe [2] designed a fuzzy rule based expert system for cyber security named the Fuzzy Rule Based Cyber Expert System (FRBCES). Its major parts were data collection, defining variables, i.e. input and output, and then implementation. The input variables used were cyber technique, cyber intruder’s target, cyber intruder and aim of the cyber intruder. Techniques used were DOS attack, network
attacks, worm, malware, social engineering, Trojan horse etc. The cyber intruder could be inside or outside the organization: special staff, a hacker or any enemy. The aim of the intruder was identified as gaining control of the system, blocking web pages, capturing critical information, etc. The output provided was hardware, software or user, i.e. what needed to be done with these components. For example, in the case of software, provide a solution such as using special software or updating the system. This system uses a Mamdani fuzzy inference engine.

In the expert system for computer security presented in this paper, data about cyber attacks, their symptoms and countermeasures is collected from different papers in journals and conferences and from online sources. Different authors classify security and security threats, each with their own view. K. Ahmad et al. [3] define security attacks as active and passive attacks, and these attacks use techniques such as interruption, interception, modification and fabrication. Attacks that use interception as a technique are traffic analysis, release of message contents and sniffing. The modification technique includes MITM (Man-In-The-Middle). Similarly, the fabrication technique includes attacks such as replay attack and identity spoofing. DOS attacks and their variants (DDOS and DRDOS) and SQL injection come under interruption.

D. Welch [4] defined a wireless network attack taxonomy. It was designed based upon the security principles the attacks affect and their countermeasures, for example threats violating confidentiality, integrity and availability. Threats that affect the confidentiality of the system are traffic analysis and active and passive sniffing. The threats or attacks that affect the integrity of the system are session hijacking, replay attack and unauthorized access to the computer or network. The solutions to remove these attacks are implementing a firewall to block undesirable traffic, mutual authentication and encryption.

According to [5], DOS attacks in networks can occur at different layers like the physical layer, network layer and transport layer. The simplest DOS attack is to consume all the resources of the victim by sending a large number of packets.

In [6] security threats in wireless sensor networks are defined and classified as attacks on the different layers. The attacks can be broadly classified as modification, interruption and fabrication.

III. LEVERAGING THE EXPERT SYSTEM

Expert systems are a very popular branch of artificial intelligence research. They are popular because of their ability to reason over a problem based upon the current understanding of the situation. Reasoning means a system has some information and is required to provide information that it was not given explicitly.

A. Structure of an expert system

Knowledge must be presented in a comprehensible format to perform any kind of reasoning in the expert system; this is known as knowledge representation. An expert system consists of two components: a knowledge base and a logical reasoner. The knowledge base is the first component of an expert system and is a collection of information in a well defined representation. The second component is the logical reasoner, which performs all of the necessary reasoning over the previously built knowledge base. With this logical reasoner we conclude new information from the previously built knowledge base.

B. Rule chaining

The logical reasoner of the expert system operates over well defined rules. The rules are represented as IF-THEN statements as shown below. Once the IF condition is satisfied, the THEN part is executed.

IF
<conditional expression>
THEN
<knowledge insert, update or retract statement>

Fig. 1. Expert system’s rule syntax

Rule chaining can be in two modes:
• Forward chaining
• Backward chaining

When the IF part of a statement is satisfied, the THEN part is executed, which may be the addition of new information or manipulation of the knowledge base. This is called forward chaining. The other type is backward chaining, in which the system proves whether a goal can be reached from the current understanding of the situation or system.

C. Inputs and output of the system

For the expert system developed here, the inputs and outputs of the system are shown in figure 2.

Inputs:
• Symptoms: These are the observed patterns in the system.
• Attack type: This is the attack about which the user wants to get information.

Outputs:
• Problem (possible attack) present: This is the problem or type of possible attack present in the system, analyzed based upon the observed symptom(s) entered.
• Remedies: These refer to the countermeasures to be used for handling attacks proactively as well as reactively.

The expert system here can identify 18 possible types of attacks, and the total number of symptoms observed is 25.

Fig. 2. Inputs and outputs of expert system

D. Data collection

Data for this system is collected from different sources like books, papers from journals and conferences, and online sources. The various cyber attacks about which awareness is provided in CSAAES are shown in figure 3.

Fig. 3. Potential cyber attacks

Denial of Service (DOS) attack, mole, data theft, malware, control over a system, data modification, packet sniffing, Trojan horse and eavesdropping are potential attacks present in the system or network [7-9]. These attacks harm the confidentiality, integrity and availability of the information.

IV. IMPLEMENTATION

This expert system is implemented using the Visual Studio 10.0 framework and ASP.NET to manage interfaces, and SQL Server 2008 to manage the database. Rules for this are managed in the .NET framework at the backend. It has two subparts in the menu at the left: attack identifier and information. The attack identifier provides the prompt to enter the observed symptoms or the problems faced while using the system. The problems listed are abnormal program termination, computer shutdown abruptly, loss of access to the network, cannot get information, get false information etc. These are the problems faced while working on the computer system or network. The expert system asks for the observed symptoms to be entered by clicking the checkboxes against the problems you faced. In figure 4 two symptoms are selected: abnormal program termination and computer shutdown.

Fig. 4. Selecting symptoms faced

After that it shows the attack present in the system. According to the symptoms selected, a DOS (Denial Of Service) attack is present in the system.

Fig. 5. Attack present in system

If the user wants to see how to solve the attack present in the system, then they click on countermeasures. This will show the countermeasures; e.g. figure 6 shows countermeasures to a DOS attack.
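The rule chaining of Sec. III.B, the two input modes and two outputs of Sec. III.C, and the symptom-to-countermeasure walkthrough of Sec. IV, as an added Python example that is not the paper's code (CSAAES itself is an ASP.NET/SQL Server application). The rule base and remedy table are constructed for illustration; only rule r1 (abnormal program termination plus abrupt shutdown implies DOS) follows the paper's own example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    conditions: frozenset   # IF: every fact here must be in the knowledge base
    conclusion: str         # THEN: fact inserted into the knowledge base when it fires

# Attack -> countermeasures (constructed illustration; the paper's own DOS remedies are in its Fig. 6)
REMEDIES = {
    "DOS": ["filter or rate-limit the flood at the firewall", "patch exposed services"],
    "data modification": ["check file integrity against signatures", "restore from backup"],
    "control over a system": ["isolate the host", "reset credentials", "rebuild from clean media"],
}
# Rule base: r1 is the paper's Sec. IV walkthrough, r2-r4 are constructed for illustration.
RULES = [
    Rule("r1", frozenset({"abnormal program termination", "computer shutdown abruptly"}), "DOS"),
    Rule("r2", frozenset({"loss of access to the network", "cannot get information"}), "DOS"),
    Rule("r3", frozenset({"get false information"}), "data modification"),
    # r4 needs r3's conclusion as a fact, so it can fire only after r3 has (chaining)
    Rule("r4", frozenset({"data modification", "unexpected new user account"}), "control over a system"),
]

def forward_chain(facts, rules=RULES):
    """Forward chaining: fire each rule whose IF part holds, insert its THEN fact,
    and repeat until a full pass adds nothing. Returns (all facts, fired rule names)."""
    kb, fired, changed = set(facts), [], True
    while changed:
        changed = False
        for r in rules:
            if r.name not in fired and r.conditions <= kb:
                kb.add(r.conclusion)
                fired.append(r.name)
                changed = True
    return kb, fired

def backward_chain(goal, facts, rules=RULES):
    """Backward chaining: can `goal` be reached from `facts`? Works back from the goal
    through every rule whose THEN part is the goal (the rule base is acyclic)."""
    return goal in facts or any(all(backward_chain(c, facts, rules) for c in r.conditions)
                                for r in rules if r.conclusion == goal)

def identify_attacks(symptoms):
    """Input 1 (observed symptoms) -> output 1 (possible attacks present), sorted."""
    kb, _ = forward_chain(symptoms)
    return sorted(f for f in kb if f in REMEDIES)

def remedies_for(attack):
    """Input 2 (attack type) -> output 2 (remedies); [] for an attack not in the base."""
    return REMEDIES.get(attack, [])
```

Ticking the two checkboxes from figure 4 corresponds to `identify_attacks({"abnormal program termination", "computer shutdown abruptly"})`, which fires r1 and returns `["DOS"]`; `remedies_for("DOS")` then plays the role of the countermeasures screen.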

In future this system can be modified to present the attacks based upon frequency, that is, the problem that is faced most by users will be asked first, and based upon the symptom that the user has entered it will ask for the next symptom. The system can be made dynamic so that the user can enter a problem faced by him if it is not present in the list. That symptom will later be analyzed and the user provided with the solution to that problem. This way the system can be improved further.

Fig. 6. Countermeasures of DOS attack.

V. CONCLUSION

Security is essential for the safe working of any system. Many types of attacks have been identified by various researchers at various levels. Though users know about the attacks, seldom do they know the symptoms by which they can identify the attack being performed on their systems. The expert system designed here can provide this information in detail to the user. Moreover, the knowledge about different types of attacks, their symptoms, their effects on the system and how these can be handled is collected and included in the expert system. This system takes two types of input from the users, namely observed symptoms and the attack type. It provides the possible suspects for attacks based on the observed symptoms. It also provides the remedies for the identified attack if required by the user. Users can also select an attack type and get detailed information about it. The system is tested against various inputs and identifies various attacks correctly. The expert system is capable of identifying many possible security attacks based on observed symptoms. By also providing the countermeasures for all the attacks, it is surely a platform for security awareness.

REFERENCES

[1] M. M. Gamal, B. Hasan, and A. F. Hegazy, “A Security Analysis Framework Powered by an Expert System,” International Journal of Computer Science and Security (IJCSS), vol. 4, no. 6, pp. 505-527, Feb. 2011.
[2] K. Goztepe, “Designing a Fuzzy Rule Based Expert System for Cyber Security,” International Journal of Information Security Science, vol. 1, no. 1, 2012.
[3] K. Ahmad, S. Verma, N. Kumar, and J. Shekhar, “Classification of Internet Security Attacks,” Proceedings of the 5th National Conference, March 2011.
[4] D. Welch, “Wireless Security Threat Taxonomy,” Information Assurance Workshop, IEEE Systems, Man and Cybernetics Society, pp. 76-83, June 2003.
[5] G. Kulkarni, R. Shelk, K. Gaikwad, V. Solanke, S. Gujar, and P. Khatawkar, “Wireless Sensor Network Security Threats,”
[6] M. Panda, “Security Threats at Each Layer of Wireless Sensor Networks,” International Journal of Advanced Research in Computer Science and Software Engineering, vol. 3, no. 11, Nov. 2013.
[7] C. Wilson, “Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress,” Congressional Research Service Report for Congress, Oct. 17, 2003.
[8] J. Moteff and P. Parfomak, “Critical Infrastructure and Key Assets: Definition and Identification,” Congressional Research Service Report for Congress, Oct. 1, 2004.
[9] J. A. Chandler, “Security in Cyberspace: Combatting Distributed Denial of Service Attacks,” University of Ottawa Law & Technology Journal, pp. 231-261, 2004.