We experimentally demonstrated the case for migrating from taxonomic classification systems and their syntactical representation languages to ontologies and semantically rich ontology specification languages. We created a data model of the relationships that hold between the low-level data and instances of attacks and intrusions. We used the DARPA Agent Markup Language + Ontology Inference Layer to specify the data model as a ontology and the Java Theorem Prover, a sound and complete First Order Logic theorem prover, to reason over and classify instances data that were deemed to be anomalous in the first phase of our process. Our classification mechanism achieved an F-Measure of .9776. The overall F-Measure of our dual-phase process was .9718.

Ignoring the characteristics of the data population is a classic mistake that is made when evaluating intrusion systems. This is also referred to as the base-rate fallacy. When evaluating the posterior probability (the probability of an alarm given an intrusion) of our process, we achieved a score of .998.