Kai Liu,Fei Wang,Zhaoyun Ding,Sheng Liang,Zhengfei Yu,Yun Zhou

DOI: https://doi.org/10.3390/electronics11152287

IF: 2.9

2022-07-23

Electronics

Abstract:In today's dynamic complex cyber environments, Cyber Threat Intelligence (CTI) and the risk of cyberattacks are both increasing. This means that organizations need to have a strong understanding of both their internal CTI and their external CTI. The potential for cybersecurity knowledge graphs is evident in their ability to aggregate and represent knowledge about cyber threats, as well as their ability to manage and reason with that knowledge. While most existing research has focused on how to create a full knowledge graph, how to utilize the knowledge graph to tackle real-world industrial difficulties in cyberattack and defense situations is still unclear. In this article, we give a quick overview of the cybersecurity knowledge graph's core concepts, schema, and building methodologies. We also give a relevant dataset review and open-source frameworks on the information extraction and knowledge creation job to aid future studies on cybersecurity knowledge graphs. We perform a comparative assessment of the many works that expound on the recent advances in the application scenarios of cybersecurity knowledge graph in the majority of this paper. In addition, a new comprehensive classification system is developed to define the linked works from 9 core categories and 18 subcategories. Finally, based on the analyses of existing research issues, we have a detailed overview of various possible research directions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xiaojuan Zhao,Rong Jiang,Yue Han,Aiping Li,Zhichao Peng

DOI: https://doi.org/10.1016/j.cose.2023.103524

IF: 5.105

2023-01-01

Computers & Security

Abstract:The development of key technologies of knowledge graph (KG) has promoted the development of machine cognition technology, and the combination of KG and industry as well as scenario-based landing have also made breakthroughs in succession. In the field of cybersecurity, with the intelligent upgrading of defense technology, there is an urgent need for a mature and effective technical system to provide knowledge and intelligent reasoning support for the offensive and defensive games in strong adversarial and high dynamic environment. As a domain KG, cybersecurity KG (CKG) just meets this requirement. KG for cybersecurity is not a recent invention; its predecessor is the earliest semantic networks and ontologies, and the KG is small in scale and the relations are relatively simple. Through investigation, we found that most studies that explicitly mentioned CKG, still tend to construct a cybersecurity ontology first, and then extract semantic triples based on ontology. Of course, there are also some studies that try to build such a graph from a higher dimension to express the rich semantics. In order to apply mature techniques of KG construction and reasoning, we believe that the construction of CKG should also follow the Open-domain KG. Therefore, we conducted a comprehensive review and detailed comparison of CKG-related works, discussed the dilemma of CKG application, and then proposed future research opportunities for CKG. This work can help researchers keep up with recent research trends.

Ryan Barron,Maksim E. Eren,Manish Bhattarai,Selma Wanna,Nicholas Solovyev,Kim Rasmussen,Boian S. Alexandrov,Charles Nicholas,Cynthia Matuszek

2024-03-26

Abstract:Much of human knowledge in cybersecurity is encapsulated within the ever-growing volume of scientific papers. As this textual data continues to expand, the importance of document organization methods becomes increasingly crucial for extracting actionable insights hidden within large text datasets. Knowledge Graphs (KGs) serve as a means to store factual information in a structured manner, providing explicit, interpretable knowledge that includes domain-specific information from the cybersecurity scientific literature. One of the challenges in constructing a KG from scientific literature is the extraction of ontology from unstructured text. In this paper, we address this topic and introduce a method for building a multi-modal KG by extracting structured ontology from scientific papers. We demonstrate this concept in the cybersecurity domain. One modality of the KG represents observable information from the papers, such as the categories in which they were published or the authors. The second modality uncovers latent (hidden) patterns of text extracted through hierarchical and semantic non-negative matrix factorization (NMF), such as named entities, topics or clusters, and keywords. We illustrate this concept by consolidating more than two million scientific papers uploaded to arXiv into the cyber-domain, using hierarchical and semantic NMF, and by building a cyber-domain-specific KG.

Artificial Intelligence

Ezekia Gilliard,Jinshuo Liu,Ahmed Abubakar Aliyu

DOI: https://doi.org/10.1049/cmu2.12736

IF: 1.345

2024-02-28

IET Communications

Abstract:In our interconnected world, cyber threats continuously evolve, presenting unprecedented challenges to cybersecurity. Conventional methods such as anomaly‐based and feature‐based approaches are encountering limitations and proving inadequate. The utilization of knowledge graph reasoning, leveraging graph structures, emerges as a promising paradigm shift in the landscape of cyberattack detection. This scholarly work delves into contemporary cybersecurity research, examining the potential of knowledge graph reasoning and proposing an innovative methodology with three principal objectives: optimizing data preparation for knowledge graph embedding models, establishing semantic foundations for network analysis via the system state graph ontology, and elevating network attack recognition through knowledge graph inference techniques. The study conducts experiments, comparing the proposed approach against existing methodologies, and demonstrates its efficacy in addressing the challenges associated with the escalating volume of network data. This approach signifies a promising trajectory towards automating network attack recognition and fortifying network security by seamlessly integrating knowledge graphs. In today's digital landscape, cybercriminals are constantly evolving their tactics, making it challenging for traditional cybersecurity methods to keep up. To address this issue, this study explores the potential of knowledge graph reasoning as a more adaptable and sophisticated approach to identify and counter network attacks. By leveraging graph structures imbued with human‐like thinking, this method enhances the resilience of cybersecurity systems. The study focuses on three critical aspects: data preparation, semantic foundations, and knowledge graph inference techniques. Through an in‐depth analysis of these components, the research aims to reveal how knowledge graph reasoning can improve cyberattack detection and enhance the overall efficacy of cybersecurity measures, including intrusion detection systems. The proposed approach has undergone extensive experimentation to validate its effectiveness compared to existing methods. The results of the experiment have shown a remarkable advancement in accuracy, speed, and recall for recognition, surpassing current methods. This achievement is a notable contribution in the realm of managing big data in cybersecurity. The study establishes a foundation for the automation of network attack detection, ultimately enhancing overall network security.

engineering, electrical & electronic

Kai Zhang,Jingju Liu

DOI: https://doi.org/10.1088/1757-899x/768/5/052103

2020-01-01

IOP Conference Series Materials Science and Engineering

Abstract:The development of artificial intelligence technology has advanced by leaps and bounds and made significant progress in many areas. Many researchers have begun to apply artificial intelligence technology to the cyber security domain. Knowledge graphs can describe the concepts, entities and their relationships in the objective world in a structured way. Applying knowledge graph to the cyber security domain can organize, manage, and utilize massive amounts of information in cyberspace in a better way. In this paper, the common cyber security assessment models and their shortcomings is summarized, the research progress of ontology-based knowledge representation is discussed, thus leading to a conclusion that ontology-based knowledge representation can completely and accurately represent the complex knowledge of heterogeneous systems in the cyber security domain. Then we introduce the concept of knowledge graph, summarize the application progress of knowledge graphs in the cyber security domain, and discuss directions of future research.

Zuoguang Wang,Hongsong Zhu,Peipei Liu,Limin Sun

DOI: https://doi.org/10.1186/s42400-021-00094-6

2021-08-02

Abstract:Abstract Social engineering has posed a serious threat to cyberspace security. To protect against social engineering attacks, a fundamental work is to know what constitutes social engineering. This paper first develops a domain ontology of social engineering in cybersecurity and conducts ontology evaluation by its knowledge graph application. The domain ontology defines 11 concepts of core entities that significantly constitute or affect social engineering domain, together with 22 kinds of relations describing how these entities related to each other. It provides a formal and explicit knowledge schema to understand, analyze, reuse and share domain knowledge of social engineering. Furthermore, this paper builds a knowledge graph based on 15 social engineering attack incidents and scenarios. 7 knowledge graph application examples (in 6 analysis patterns) demonstrate that the ontology together with knowledge graph is useful to 1) understand and analyze social engineering attack scenario and incident, 2) find the top ranked social engineering threat elements (e.g. the most exploited human vulnerabilities and most used attack mediums), 3) find potential social engineering threats to victims, 4) find potential targets for social engineering attackers, 5) find potential attack paths from specific attacker to specific target, and 6) analyze the same origin attacks.

computer science, information systems, interdisciplinary applications, software engineering

Yulu Qi,Zhaoquan Gu,Yangyang Mei,Kaihan Lin,Aiping Li

DOI: https://doi.org/10.1109/besc57393.2022.9995070

2022-01-01

Abstract:The corpora in cybersecurity knowledge base is characterized by multi-entity and weak relation. In order to solve the problem that entity extraction, entity links and entity disambiguation can lead to wrong knowledge, a knowledge graph construction method for security knowledge base is proposed. At the conceptual level, the cybersecurity ontology model and ontology-instance model are constructed based on the five-tuple model structure, and the ontology-instance model is classified and associated from the horizontal and vertical perspectives. In the data layer, the ontology features are combined with the named entity recognition model. While recognizing entities, the ontology-instance model is optimized. By comparing with other entity recognition models, the accuracy and efficiency of the optimized ontology-instance model are verified.

Damodar Panigrahi,Shaswata Mitra,Subash Neupane,Sudip Mittal,Benjamin A. Blakely

2024-11-24

Abstract:Cyberattacks are becoming increasingly difficult to detect and prevent due to their sophistication. In response, Autonomous Intelligent Cyber-defense Agents (AICAs) are emerging as crucial solutions. One prominent AICA agent is the Intrusion Response System (IRS), which is critical for mitigating threats after detection. IRS uses several Tactics, Techniques, and Procedures (TTPs) to mitigate attacks and restore the infrastructure to normal operations. Continuous monitoring of the enterprise infrastructure is an essential TTP the IRS uses. However, each system serves different purposes to meet operational needs. Integrating these disparate sources for continuous monitoring increases pre-processing complexity and limits automation, eventually prolonging critical response time for attackers to exploit. We propose a unified IRS Knowledge Graph ontology (IRSKG) that streamlines the onboarding of new enterprise systems as a source for the AICAs. Our ontology can capture system monitoring logs and supplemental data, such as a rules repository containing the administrator-defined policies to dictate the IRS responses. Besides, our ontology permits us to incorporate dynamic changes to adapt to the evolving cyber-threat landscape. This robust yet concise design allows machine learning models to train effectively and recover a compromised system to its desired state autonomously with explainability.

Cryptography and Security,Artificial Intelligence,Machine Learning

Yan Jia,Yulu Qi,Huaijun Shang,Rong Jiang,Aiping Li

DOI: https://doi.org/10.1016/j.eng.2018.01.004

IF: 12.834

2018-01-01

Engineering

Abstract:Cyberattack forms are complex and varied, and the detection and prediction of dynamic types of attack are always challenging tasks. Research on knowledge graphs is becoming increasingly mature in many fields. At present, it is very significant that certain scholars have combined the concept of the knowledge graph with cybersecurity in order to construct a cybersecurity knowledge base. This paper presents a cybersecurity knowledge base and deduction rules based on a quintuple model. Using machine learning, we extract entities and build ontology to obtain a cybersecurity knowledge base. New rules are then deduced by calculating formulas and using the path-ranking algorithm. The Stanford named entity recognizer (NER) is also used to train an extractor to extract useful information. Experimental results show that the Stanford NER provides many features and the useGazettes parameter may be used to train a recognizer in the cybersecurity domain in preparation for future work.

Jiarui Chen,Yiqin Lu,Yang Zhang,Fang Huang,Jiancheng Qin

DOI: https://doi.org/10.1016/j.ijcip.2023.100634

IF: 3.683

2023-08-25

International Journal of Critical Infrastructure Protection

Abstract:Critical Infrastructures (CI) underpin the basic functioning of society and the economy. Proper governance of CI security management remains a crucial challenge. This study aims to construct a knowledge graph for modeling CI protection. While the previous research has focused on threat intelligence modeling and open knowledge bases, they miss considering the defense side. Accordingly, we propose a knowledge graph for critical infrastructure protection, CIPKG, that extends the management ontology to include the defense side. It addresses the cross-industry and cross-time information gaps that occur in the process of CI protection management, making it more comprehensive in structure than the existing knowledge graph. We employ simplified Structured Threat Information Expression as attack ontology and design a new ontology for the defense side, which could combine with the existing threat ontology to form the CI protection knowledge graph. To dynamically extract information from emerging knowledge, we employ a Bi-directional Long Short-Term Memory and Conditional Random Field model with pre-trained cybersecurity domain-specific Bidirectional Encoder Representations from Transformers to recognize the named entities from CI regulations and standards. To associate the threat part with the management portion of the knowledge graph, we adopt the Knowledge Graph Bidirectional Encoder Representations from Transformer model to capture the semantic information and predict the relationship between threat and management. After information extraction and relation prediction, we build a knowledge graph with 529,360 nodes and about 3,335,000 edges.

engineering, multidisciplinary,computer science, information systems

Peng Gao,Xiaoyuan Liu,Edward Choi,Bhavna Soman,Chinmaya Mishra,Kate Farris,Dawn Song

DOI: https://doi.org/10.48550/arXiv.2101.07769

2021-02-27

Abstract:To remain aware of the fast-evolving cyber threat landscape, open-source Cyber Threat Intelligence (OSCTI) has received growing attention from the community. Commonly, knowledge about threats is presented in a vast number of OSCTI reports. Despite the pressing need for high-quality OSCTI, existing OSCTI gathering and management platforms, however, have primarily focused on isolated, low-level Indicators of Compromise. On the other hand, higher-level concepts (e.g., adversary tactics, techniques, and procedures) and their relationships have been overlooked, which contain essential knowledge about threat behaviors that is critical to uncovering the complete threat scenario. To bridge the gap, we propose SecurityKG, a system for automated OSCTI gathering and management. SecurityKG collects OSCTI reports from various sources, uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors, and constructs a security knowledge graph. SecurityKG also provides a UI that supports various types of interactivity to facilitate knowledge graph exploration.

Cryptography and Security,Artificial Intelligence,Computation and Language,Databases

Yulu Qi,Rong Jiang,Yan Jia,Aiping Li

DOI: https://doi.org/10.3390/electronics9091413

IF: 2.9

2020-01-01

Electronics

Abstract:In 2012, Google first proposed the knowledge graph and applied it in the field of intelligent searching. Subsequently, knowledge graphs have been used for in-depth association analysis in different fields. In recent years, composite attacks have been discovered through association analysis in the field of cyber security. This paper proposes an attack analysis framework for cyber-attack and defense test platforms, which stores prior knowledge in a cyber security knowledge graph and attack rule base as data that can be understood by a computer, sets the time interval of analysis on the Spark framework, and then mines attack chains from massive data with spatiotemporal constraints, so as to achieve the balance between automated analysis and real-time accurate performance. The experimental results show that the analysis accuracy depends on the completeness of the cyber security knowledge graph and the precision of the detection results from security equipment. With the rational expectation about more exposure of attacks and faster upgrade of security equipment, it is necessary and meaningful to constantly improve the cyber security knowledge graph in the attack analysis framework.

Huaijun Shang,Rong Jiang,Aiping Li,Wei Wang

DOI: https://doi.org/10.1109/dsc.2017.55

2017-01-01

Abstract:There are some independent cyber security knowledge bases for different aspect now. In the internet, there is also much cyber security related content which exists in the form of text. Fusion of these cyber security related information can be a meaningful work. In this paper, we propose a framework to integrate existing cyber security knowledge base and extract cyber security related information from text. In the framework, we construct a vulnerability-centric ontology and train a Stanford named entity recognizer to extract cyber security related entity from text. Finally, through experiment, we verify the importance of one feature named useGazette to training a named entity recognizer in cyber security domain.

Zhihao Yan,Jingju Liu

DOI: https://doi.org/10.1109/ISPCEM52197.2020.00055

2020-01-01

Abstract:With the development of information technology and the increasing complexity cyber environment, the volume of data involved in cybersecurity is also increasing rapidly and the risks of cybersecurity are also increased. There is an urgent need to find correlation and attack patterns from fragmented and massive multi-source heterogeneous cyberspace related data. The construction of cyberspace securi...

Guowei Shen,Wanling Wang,Qilin Mu,Yanhong Pu,Ya Qin,Miao Yu

DOI: https://doi.org/10.1155/2020/8883696

2020-12-26

Wireless Communications and Mobile Computing

Abstract:Industrial control systems (ICS) involve many key industries, which once attacked will cause heavy losses. However, traditional passive defense methods of cybersecurity have difficulty effectively dealing with increasingly complex threats; a knowledge graph is a new idea to analyze and process data in cybersecurity analysis. We propose a novel overall framework of data-driven industrial control network security defense, which integrated fragmented multisource threat data with an industrial network layout by a cybersecurity knowledge graph. In order to better correlate data to construct a knowledge graph, we propose a distant supervised relation extraction model ResPCNN-ATT; it is based on a deep residual convolutional neural network and attention mechanism, reduces the influence of noisy data in distant supervision, and better extracts deep semantic features in sentences by using deep residuals. We empirically demonstrate the performance of the proposed method in the field of general cybersecurity by using dataset CSER; the model proposed in this paper achieves higher accuracy than other models. And then, the dataset ICSER was used to construct a cybersecurity knowledge graph (CSKG) on the basis of analyzing specific industrial control scenarios, visualizing the knowledge graph for further security analysis to the industrial control system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kai Liu,Fei Wang,Zhaoyun Ding,Sheng Liang,Zhengfei Yu,Yun Zhou

DOI: https://doi.org/10.48550/arXiv.2204.04769

2022-04-10

Cryptography and Security

Abstract:Facing the dynamic complex cyber environments, internal and external cyber threat intelligence, and the increasing risk of cyber-attack, knowledge graphs show great application potential in the cyber security area because of their capabilities in knowledge aggregation, representation, management, and reasoning. However, while most research has focused on how to develop a complete knowledge graph, it remains unclear how to apply the knowledge graph to solve industrial real challenges in cyber-attack and defense scenarios. In this review, we provide a brief overview of the basic concepts, schema, and construction approaches for the cyber security knowledge graph. To facilitate future research on cyber security knowledge graphs, we also present a curated collection of datasets and open-source libraries on the knowledge construction and information extraction task. In the major part of this article, we conduct a comparative review of the different works that elaborate on the recent progress in the application scenarios of the cyber security knowledge graph. Furthermore, a novel comprehensive classification framework is created to describe the connected works from nine primary categories and eighteen subcategories. Finally, we have a thorough outlook on several promising research directions based on the discussion of existing research flaws.

Charalampos Bratsas,Efstathios Konstantinos Anastasiadis,Alexandros K. Angelidis,Lazaros Ioannidis,Rigas Kotsakis,Stefanos Ougiaroglou

DOI: https://doi.org/10.3390/jcp4030025

2024-08-01

Journal of Cybersecurity and Privacy

Abstract:The amount of data related to cyber threats and cyber attack incidents is rapidly increasing. The extracted information can provide security analysts with useful Cyber Threat Intelligence (CTI) to enhance their decision-making. However, because the data sources are heterogeneous, there is a lack of common representation of information, rendering the analysis of CTI complicated. With this work, we aim to review ongoing research on the use of semantic web tools such as ontologies and Knowledge Graphs (KGs) within the CTI domain. Ontologies and KGs can effectively represent information in a common and structured schema, enhancing interoperability among the Security Operation Centers (SOCs) and the stakeholders on the field of cybersecurity. When fused with Machine Learning (ML) and Deep Learning (DL) algorithms, the constructed ontologies and KGs can be augmented with new information and advanced inference capabilities, facilitating the discovery of previously unknown CTI. This systematic review highlights the advancements of this field over the past and ongoing decade and provides future research directions.

computer science, information systems, interdisciplinary applications, software engineering

Changchang Ma,Denghui Zhang,Junjian Zhang,Le Wang,Hao Li,Zhaoquan Gu

DOI: https://doi.org/10.1109/DSC59305.2023.00091

2023-01-01

Abstract:Effective data collecting is crucial for comprehensively understanding and analyzing cyberspace security. As the data related cybersecurity is highly complicated which involves network traffic, system log, security alerts, etc. Traditional methods of data collection, such as total data collection and partial collection, are susceptible to data overload, resulting in a decrease in data analysis efficiency. Furthermore, these methods fail to emphasize the correlation among the collected data. To address these issues, we propose a targeted data collection framework based on cybersecurity knowledge graph in this paper. This framework aims to tailor the collection targets and establish specific collection rules based on different tasks and assets, thereby enhancing the efficiency and accuracy of cybersecurity data analysis. By examining data sources that may be impacted by cybersecurity vulnerabilities, the framework designs specific correlated collection rules for these sources. Comparative experiments with other data collection methods show that the proposed framework can reduce time consumption by 43% and storage space by 54% for the attack detection tasks.

Siqi Sun,Cheng Huang,Tiejun Wu,Yi Shen

DOI: https://doi.org/10.1155/2023/4464974

IF: 8.993

2023-01-01

International Journal of Intelligent Systems

Abstract:As the complexity of cyberattacks continues to increase, multistage combination attacks have become the primary method of attack. Attackers plan and organize a series of attack steps, using various attack tools to achieve specific goals. Extracting knowledge about these tools is of great significance for both defense and tracing of attacks. We have noticed that there is a wealth of security tool-related knowledge within the open-source community, but research in this area is limited. It is challenging to achieve large-scale automated security tool information extraction. To address this, we propose automated knowledge graph construction architecture, named SecTKG, for open-source security tools. Our approach involves designing a security tool ontology model to describe tools, users, and relationships, which guides the extraction of security tool knowledge. In addition, we develop advanced entity recognition and classification methods, ensuring efficient and accurate knowledge extraction. As far as we know, this work is the first to construct the large-scale security tool knowledge graph, containing 4 million entities and 10 million relationships. Furthermore, we investigate the tendencies and particularities of security tools based on the SecTKG and developed a security tool influence-measuring application. The research fills a gap in the field of automated security tools’ knowledge extraction and provides a foundation for future research and practical applications.

Zhaohan Xi,Tianyu Du,Changjiang Li,Ren Pang,Shouling Ji,Xiapu Luo,Xusheng Xiao,Fenglong Ma,Ting Wang

2023-06-22

Abstract:Knowledge graph reasoning (KGR) -- answering complex logical queries over large knowledge graphs -- represents an important artificial intelligence task, entailing a range of applications (e.g., cyber threat hunting). However, despite its surging popularity, the potential security risks of KGR are largely unexplored, which is concerning, given the increasing use of such capability in security-critical domains. This work represents a solid initial step towards bridging the striking gap. We systematize the security threats to KGR according to the adversary's objectives, knowledge, and attack vectors. Further, we present ROAR, a new class of attacks that instantiate a variety of such threats. Through empirical evaluation in representative use cases (e.g., medical decision support, cyber threat hunting, and commonsense reasoning), we demonstrate that ROAR is highly effective to mislead KGR to suggest pre-defined answers for target queries, yet with negligible impact on non-target ones. Finally, we explore potential countermeasures against ROAR, including filtering of potentially poisoning knowledge and training with adversarially augmented queries, which leads to several promising research directions.

Cryptography and Security,Artificial Intelligence