Kai Liu,Fei Wang,Zhaoyun Ding,Sheng Liang,Zhengfei Yu,Yun Zhou

DOI: https://doi.org/10.3390/electronics11152287

IF: 2.9

2022-07-23

Electronics

Abstract:In today's dynamic complex cyber environments, Cyber Threat Intelligence (CTI) and the risk of cyberattacks are both increasing. This means that organizations need to have a strong understanding of both their internal CTI and their external CTI. The potential for cybersecurity knowledge graphs is evident in their ability to aggregate and represent knowledge about cyber threats, as well as their ability to manage and reason with that knowledge. While most existing research has focused on how to create a full knowledge graph, how to utilize the knowledge graph to tackle real-world industrial difficulties in cyberattack and defense situations is still unclear. In this article, we give a quick overview of the cybersecurity knowledge graph's core concepts, schema, and building methodologies. We also give a relevant dataset review and open-source frameworks on the information extraction and knowledge creation job to aid future studies on cybersecurity knowledge graphs. We perform a comparative assessment of the many works that expound on the recent advances in the application scenarios of cybersecurity knowledge graph in the majority of this paper. In addition, a new comprehensive classification system is developed to define the linked works from 9 core categories and 18 subcategories. Finally, based on the analyses of existing research issues, we have a detailed overview of various possible research directions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yulu Qi,Zhaoquan Gu,Aiping Li,Xiaojuan Zhang,Muhammad Shafiq,Yangyang Mei,Kaihan Lin

DOI: https://doi.org/10.1016/j.compeleceng.2023.108660

IF: 4.152

2023-01-01

Computers & Electrical Engineering

Abstract:The Cyber-Physical System covers a wide range of applications, many of which are involved in critical infrastructure, and the cybersecurity attacks on them become more and more threatening. Currently, most of the comprehensive analysis of compound attacks depend on the experience of security analysts. To improve the efficiency and accuracy of compound attack research, this paper introduces a knowledge graph into compound attack detection and constructs a cybersecurity knowledge graph based on the knowledge of known attacks. The cybersecurity knowledge graph can carry out correlation analysis on real-time data to restore the attack process. The main work of this paper is to construct the cybersecurity knowledge graph and to apply mining found compound attacks automatically. Besides, a multi-dimensional data association analysis algorithm based on dynamic clustering mechanism, and an attack chain complementation-pruning method based on optimal reaching path queries are proposed to solve the problem of low efficiency in correlation analysis caused by redundant data and the problem of missing and misunderstandings in the collection data. Experiments show that the cyber security knowledge graph construction method and attack chain optimization-pruning method proposed in this paper improve the accuracy and efficiency of attack chain mining.

Shaowen Wang,Hao Hu,Tao Lin,Yan Liu,Anand Padmanabhan,Kiumars Soltani

DOI: https://doi.org/10.1145/2744700.2744704

2015-01-01

SIGSPATIAL Special

Abstract:CyberGIS is an interdisciplinary field combining advanced cyberinfrastructure, geographic information science and systems (GIS), spatial analysis and modeling, and a number of geospatial domains to improve research productivity and enable scientific breakthroughs. It has emerged as a new-generation GIS that enables synergistic advances in data-driven knowledge discovery, visualization and visual analytics, and collaborative problem solving and decision making. This paper describes a cutting-edge cyberGIS software environment from a system perspective. Two case studies focus on elucidating BioScope: a data-driven and computationally intensive cyberGIS application for bioenergy supply chain optimization, and MovePattern: interactive and multi-scale visual analytics for complex and massive movement data extracted from the Twitter steaming application programming interfaces. These studies demonstrate widely accessible capabilities of cyberGIS for resolving the variety, velocity, and volume of spatial big data to enable unprecedented data-intensive knowledge discovery.

Yan Jia,Yulu Qi,Huaijun Shang,Rong Jiang,Aiping Li

DOI: https://doi.org/10.1016/j.eng.2018.01.004

IF: 12.834

2018-01-01

Engineering

Abstract:Cyberattack forms are complex and varied, and the detection and prediction of dynamic types of attack are always challenging tasks. Research on knowledge graphs is becoming increasingly mature in many fields. At present, it is very significant that certain scholars have combined the concept of the knowledge graph with cybersecurity in order to construct a cybersecurity knowledge base. This paper presents a cybersecurity knowledge base and deduction rules based on a quintuple model. Using machine learning, we extract entities and build ontology to obtain a cybersecurity knowledge base. New rules are then deduced by calculating formulas and using the path-ranking algorithm. The Stanford named entity recognizer (NER) is also used to train an extractor to extract useful information. Experimental results show that the Stanford NER provides many features and the useGazettes parameter may be used to train a recognizer in the cybersecurity domain in preparation for future work.

Kun Li,Huachun Zhou,Zhe Tu,Bohao Feng

DOI: https://doi.org/10.1007/978-981-15-9129-7_8

2020-01-01

Abstract:The access of massive terminal devices has brought new security risks to the existing Internet, so traditional cybersecurity data sets are difficult to reflect the modern and complex network attack environment. Therefore, how to realize the standardization and integration of cybersecurity data, so as to continuously store and update malicious traffic information under massively connected terminals, has become a critical issue to be solved urgently. Therefore, based on the knowledge graph, we built a standardized cybersecurity ontology, and introduced the implementation process of the cybersecurity knowledge base (CSKB) from five stages of knowledge acquisition, knowledge fusion/extraction, know-ledge storage, knowledge inference, and knowledge update, aiming at providing a reliable basis for real-time cybersecurity protection solutions. Experiments prove that the knowledge stored in CSKB can effectively realize the specification and integration of security data.

Yulu Qi,Rong Jiang,Yan Jia,Aiping Li

DOI: https://doi.org/10.3390/electronics9091413

IF: 2.9

2020-01-01

Electronics

Abstract:In 2012, Google first proposed the knowledge graph and applied it in the field of intelligent searching. Subsequently, knowledge graphs have been used for in-depth association analysis in different fields. In recent years, composite attacks have been discovered through association analysis in the field of cyber security. This paper proposes an attack analysis framework for cyber-attack and defense test platforms, which stores prior knowledge in a cyber security knowledge graph and attack rule base as data that can be understood by a computer, sets the time interval of analysis on the Spark framework, and then mines attack chains from massive data with spatiotemporal constraints, so as to achieve the balance between automated analysis and real-time accurate performance. The experimental results show that the analysis accuracy depends on the completeness of the cyber security knowledge graph and the precision of the detection results from security equipment. With the rational expectation about more exposure of attacks and faster upgrade of security equipment, it is necessary and meaningful to constantly improve the cyber security knowledge graph in the attack analysis framework.

Xiaofeng Zhong,Yue Zhang,Jingju Liu,Guozheng Yang,Shicheng Zhou,Peng Wang

DOI: https://doi.org/10.1109/iccc54389.2021.9674377

2021-01-01

Abstract:Knowledge graph technology can solve the problem of mapping from data to entities, concepts to relationships. Triggered by the problem of building a knowledge graph in the field of cybersecurity, this paper studies the method for building a knowledge graph of cybersecurity based on cyber assets, it adopts the relatively novel named entity identification method in the knowledge graph construction process, and uses the method of pattern recognition realizes an automated cyber assets scanning tool based on knowledge graph. This paper provides new ideas for the realization of automated and intelligent cyber assets census, and will also prepare for the intelligent penetration test.

Ezekia Gilliard,Jinshuo Liu,Ahmed Abubakar Aliyu

DOI: https://doi.org/10.1049/cmu2.12736

IF: 1.345

2024-02-28

IET Communications

Abstract:In our interconnected world, cyber threats continuously evolve, presenting unprecedented challenges to cybersecurity. Conventional methods such as anomaly‐based and feature‐based approaches are encountering limitations and proving inadequate. The utilization of knowledge graph reasoning, leveraging graph structures, emerges as a promising paradigm shift in the landscape of cyberattack detection. This scholarly work delves into contemporary cybersecurity research, examining the potential of knowledge graph reasoning and proposing an innovative methodology with three principal objectives: optimizing data preparation for knowledge graph embedding models, establishing semantic foundations for network analysis via the system state graph ontology, and elevating network attack recognition through knowledge graph inference techniques. The study conducts experiments, comparing the proposed approach against existing methodologies, and demonstrates its efficacy in addressing the challenges associated with the escalating volume of network data. This approach signifies a promising trajectory towards automating network attack recognition and fortifying network security by seamlessly integrating knowledge graphs. In today's digital landscape, cybercriminals are constantly evolving their tactics, making it challenging for traditional cybersecurity methods to keep up. To address this issue, this study explores the potential of knowledge graph reasoning as a more adaptable and sophisticated approach to identify and counter network attacks. By leveraging graph structures imbued with human‐like thinking, this method enhances the resilience of cybersecurity systems. The study focuses on three critical aspects: data preparation, semantic foundations, and knowledge graph inference techniques. Through an in‐depth analysis of these components, the research aims to reveal how knowledge graph reasoning can improve cyberattack detection and enhance the overall efficacy of cybersecurity measures, including intrusion detection systems. The proposed approach has undergone extensive experimentation to validate its effectiveness compared to existing methods. The results of the experiment have shown a remarkable advancement in accuracy, speed, and recall for recognition, surpassing current methods. This achievement is a notable contribution in the realm of managing big data in cybersecurity. The study establishes a foundation for the automation of network attack detection, ultimately enhancing overall network security.

engineering, electrical & electronic

WangShaowen,HuHao,LinTao,LiuYan,PadmanabhanAnand,SoltaniKiumars

2015-01-01

SIGSPATIAL Special

Abstract:CyberGIS is an interdisciplinary field combining advanced cyberinfrastructure, geographic information science and systems (GIS), spatial analysis and modeling, and a number of geospatial domains to...

Peng Wang,Jingju Liu,Qian Yao,Xinli Xiong

DOI: https://doi.org/10.1007/978-3-031-40292-0_8

2023-01-01

Abstract:Cybersecurity knowledge graph can well organize and manage cybersecurity data. However, there are still some challenges in the utilization of cybersecurity knowledge graph. Due to the limited cognitive ability and cyberspace exploration ability of human beings, the data in cybersecurity knowledge graph is incomplete. With the continuous changes of cyberspace, there are many unseen entities in the newly added data, and it is difficult to use this kind of data. In order to realize knowledge graph completion in scalable scenarios, we propose a knowledge graph completion method, which uses meta-learning to transfer knowledge from seen entities to unseen entities. It also utilizes a new scoring function to model the relationships between entities from multiple perspectives such as spatial rotation and angle transformation. For improving the robust expression of samples, it uses the correlation matrix and multi-head attention mechanism to explore the relationships between samples. To mitigate the catastrophic forgetting problem, a new self-distillation algorithm is designed to enhance the robustness of the trained model. We construct knowledge graph based on cybersecurity data, and conduct knowledge graph completion experiments. The experiments show that our method is effective in dealing with the problem of cybersecurity knowledge graph completion in scalable scenarios.

Xiaojuan Zhao,Rong Jiang,Yue Han,Aiping Li,Zhichao Peng

DOI: https://doi.org/10.1016/j.cose.2023.103524

IF: 5.105

2023-01-01

Computers & Security

Abstract:The development of key technologies of knowledge graph (KG) has promoted the development of machine cognition technology, and the combination of KG and industry as well as scenario-based landing have also made breakthroughs in succession. In the field of cybersecurity, with the intelligent upgrading of defense technology, there is an urgent need for a mature and effective technical system to provide knowledge and intelligent reasoning support for the offensive and defensive games in strong adversarial and high dynamic environment. As a domain KG, cybersecurity KG (CKG) just meets this requirement. KG for cybersecurity is not a recent invention; its predecessor is the earliest semantic networks and ontologies, and the KG is small in scale and the relations are relatively simple. Through investigation, we found that most studies that explicitly mentioned CKG, still tend to construct a cybersecurity ontology first, and then extract semantic triples based on ontology. Of course, there are also some studies that try to build such a graph from a higher dimension to express the rich semantics. In order to apply mature techniques of KG construction and reasoning, we believe that the construction of CKG should also follow the Open-domain KG. Therefore, we conducted a comprehensive review and detailed comparison of CKG-related works, discussed the dilemma of CKG application, and then proposed future research opportunities for CKG. This work can help researchers keep up with recent research trends.

Kai Liu,Fei Wang,Zhaoyun Ding,Sheng Liang,Zhengfei Yu,Yun Zhou

DOI: https://doi.org/10.48550/arXiv.2204.04769

2022-04-10

Cryptography and Security

Abstract:Facing the dynamic complex cyber environments, internal and external cyber threat intelligence, and the increasing risk of cyber-attack, knowledge graphs show great application potential in the cyber security area because of their capabilities in knowledge aggregation, representation, management, and reasoning. However, while most research has focused on how to develop a complete knowledge graph, it remains unclear how to apply the knowledge graph to solve industrial real challenges in cyber-attack and defense scenarios. In this review, we provide a brief overview of the basic concepts, schema, and construction approaches for the cyber security knowledge graph. To facilitate future research on cyber security knowledge graphs, we also present a curated collection of datasets and open-source libraries on the knowledge construction and information extraction task. In the major part of this article, we conduct a comparative review of the different works that elaborate on the recent progress in the application scenarios of the cyber security knowledge graph. Furthermore, a novel comprehensive classification framework is created to describe the connected works from nine primary categories and eighteen subcategories. Finally, we have a thorough outlook on several promising research directions based on the discussion of existing research flaws.

Guowei Shen,Wanling Wang,Qilin Mu,Yanhong Pu,Ya Qin,Miao Yu

DOI: https://doi.org/10.1155/2020/8883696

2020-12-26

Wireless Communications and Mobile Computing

Abstract:Industrial control systems (ICS) involve many key industries, which once attacked will cause heavy losses. However, traditional passive defense methods of cybersecurity have difficulty effectively dealing with increasingly complex threats; a knowledge graph is a new idea to analyze and process data in cybersecurity analysis. We propose a novel overall framework of data-driven industrial control network security defense, which integrated fragmented multisource threat data with an industrial network layout by a cybersecurity knowledge graph. In order to better correlate data to construct a knowledge graph, we propose a distant supervised relation extraction model ResPCNN-ATT; it is based on a deep residual convolutional neural network and attention mechanism, reduces the influence of noisy data in distant supervision, and better extracts deep semantic features in sentences by using deep residuals. We empirically demonstrate the performance of the proposed method in the field of general cybersecurity by using dataset CSER; the model proposed in this paper achieves higher accuracy than other models. And then, the dataset ICSER was used to construct a cybersecurity knowledge graph (CSKG) on the basis of analyzing specific industrial control scenarios, visualizing the knowledge graph for further security analysis to the industrial control system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhihao Yan,Jingju Liu

DOI: https://doi.org/10.1109/ISPCEM52197.2020.00055

2020-01-01

Abstract:With the development of information technology and the increasing complexity cyber environment, the volume of data involved in cybersecurity is also increasing rapidly and the risks of cybersecurity are also increased. There is an urgent need to find correlation and attack patterns from fragmented and massive multi-source heterogeneous cyberspace related data. The construction of cyberspace securi...

Peng Wang,Jingju Liu,Xiaofeng Zhong,Shicheng Zhou

DOI: https://doi.org/10.3390/electronics12081837

IF: 2.9

2023-01-01

Electronics

Abstract:Penetration testing is an effective method of making computers secure. When conducting penetration testing, it is necessary to fully understand the various elements in the cyberspace. Prediction of future cyberspace state through perception and understanding of cyberspace can assist defenders in decision-making and action execution. Accurate cyberspace detection information is the key to ensuring successful penetration testing. However, cyberspace situation awareness still faces the following challenges. Due to the limited detection capability, the information obtained from cyberspace detection intelligence is incomplete. There are some errors in the cyberspace detection intelligence, which may mislead the penetration testing workers. The knowledge graph can store and manage the cybersecurity data. In order to ensure the integrity and accuracy of cyberspace information, we design a knowledge graph completion model called CSNT to complete cybersecurity data. CSNT uses the BiLSTM to capture the interaction information between entities and relationships. It models the relationship between entities by combining the neural network and tensor decomposition. The Pearson Mix Net is designed to control the generation of joint vectors. We also design a novel self-distillation strategy to reduce catastrophic forgetting during model training. After learning the relationship pattern between entities in the cyberspace detection intelligence, the model can be used to mine the knowledge not found in the cybersecurity detection intelligence and correct the erroneous records. Experiments show that our method has certain advantages for the knowledge graph completion.

Yulu Qi,Zhaoquan Gu,Yangyang Mei,Kaihan Lin,Aiping Li

DOI: https://doi.org/10.1109/besc57393.2022.9995070

2022-01-01

Abstract:The corpora in cybersecurity knowledge base is characterized by multi-entity and weak relation. In order to solve the problem that entity extraction, entity links and entity disambiguation can lead to wrong knowledge, a knowledge graph construction method for security knowledge base is proposed. At the conceptual level, the cybersecurity ontology model and ontology-instance model are constructed based on the five-tuple model structure, and the ontology-instance model is classified and associated from the horizontal and vertical perspectives. In the data layer, the ontology features are combined with the named entity recognition model. While recognizing entities, the ontology-instance model is optimized. By comparing with other entity recognition models, the accuracy and efficiency of the optimized ontology-instance model are verified.

Ryan Barron,Maksim E. Eren,Manish Bhattarai,Selma Wanna,Nicholas Solovyev,Kim Rasmussen,Boian S. Alexandrov,Charles Nicholas,Cynthia Matuszek

2024-03-26

Abstract:Much of human knowledge in cybersecurity is encapsulated within the ever-growing volume of scientific papers. As this textual data continues to expand, the importance of document organization methods becomes increasingly crucial for extracting actionable insights hidden within large text datasets. Knowledge Graphs (KGs) serve as a means to store factual information in a structured manner, providing explicit, interpretable knowledge that includes domain-specific information from the cybersecurity scientific literature. One of the challenges in constructing a KG from scientific literature is the extraction of ontology from unstructured text. In this paper, we address this topic and introduce a method for building a multi-modal KG by extracting structured ontology from scientific papers. We demonstrate this concept in the cybersecurity domain. One modality of the KG represents observable information from the papers, such as the categories in which they were published or the authors. The second modality uncovers latent (hidden) patterns of text extracted through hierarchical and semantic non-negative matrix factorization (NMF), such as named entities, topics or clusters, and keywords. We illustrate this concept by consolidating more than two million scientific papers uploaded to arXiv into the cyber-domain, using hierarchical and semantic NMF, and by building a cyber-domain-specific KG.

Artificial Intelligence

Yulu Qi,Rong Jiang,Aiping Li,Zhaoquan Gu,Yan Jia

DOI: https://doi.org/10.1007/978-3-030-71590-8_12

2021-01-01

Abstract:Information security is an important part of Internet security. As more and more industries rely on the Internet, it has become urgent to protect information security of these industries, spawned local area networks (LANs), intranets and so on. With the development of information sensor technology, the Internet of Things (IoT) that interconnects physical devices has emerged. As a unity of computing process and physical process, the Cyber-physical systems (CPS) is the next generation intelligent system which integrates computing, communication and controlling capabilities. CPS covers a wide range of applications and critical infrastructures, including intelligent transportation systems, telemedicine, smart grids, aerospace, and many other fields. The APT attacks are typically conducted directly against these critical infrastructures around the world, which would incur severe consequences. It is meaningful to protect these information by detecting the APT attacks timely and accurately, and effective defensive measures could be adopted. Although the APT attacks seem destructive, the attack process are complex and changeable. In essence, the attack process usually follows certain rules. In this chapter, we introduce a distributed framework for detecting the APT attacks. Cyber security knowledge graph stores existing knowledge and the attack rules, which plays an important role in analyzing the attacks. We first analyze potential attack events by the proposed distributed framework on Spark, then we mine the attack chains from massive data with the spatial and temporal characteristics. These steps could help identify complicated attacks. We also conduct extensive experiments, the results show that the analysis accuracy depends on the completeness of the cyber security knowledge graph and the precision of the detection results from security equipments. With the rational expectation about more exposure of attacks and faster upgrade of security equipments, it is sufficient and necessary to improve the cyber security knowledge graph constantly for better performance.KeywordsMDATAAPT attackCyberspace securityDistributed framework

Junbo Jia,Li Yang,Yuchen Wang,Anyuan Sang

DOI: https://doi.org/10.1016/j.cose.2024.104194

IF: 5.105

2025-01-01

Computers & Security

Abstract:Cybersecurity experts are actively exploring and implementing automated technologies to extract and present attack information from Cyber Threat Intelligence. However, there are multiple relations among security entities within Cyber Threat Intelligence, a feature that existing technologies often overlook. Additionally, integrating external security knowledge into cyber threat intelligence intuitively during analysis and presentation poses challenges. We propose the Hyper Attack Graph (HAG) framework, the first work to apply hypergraph data structures in the analysis of cyber threat intelligence. Our approach uses a joint extraction model that incorporates a multi-head selection mechanism, effectively addressing the extraction of multiple relations among security entities. We use hypergraph to display tactics and techniques in cyber threat intelligence. Our evaluation of the HAG framework on 685 real-world cyber threat intelligence reports shows an increase in the F1 score for security entity extraction by 11.12% and for relation extraction by 6.71% over existing efforts. Furthermore, HAG’s ability to visually represent external security knowledge on hypergraphs demonstrates its potential as a valuable tool in cybersecurity analysis.

Siqi Sun,Cheng Huang,Tiejun Wu,Yi Shen

DOI: https://doi.org/10.1155/2023/4464974

IF: 8.993

2023-01-01

International Journal of Intelligent Systems

Abstract:As the complexity of cyberattacks continues to increase, multistage combination attacks have become the primary method of attack. Attackers plan and organize a series of attack steps, using various attack tools to achieve specific goals. Extracting knowledge about these tools is of great significance for both defense and tracing of attacks. We have noticed that there is a wealth of security tool-related knowledge within the open-source community, but research in this area is limited. It is challenging to achieve large-scale automated security tool information extraction. To address this, we propose automated knowledge graph construction architecture, named SecTKG, for open-source security tools. Our approach involves designing a security tool ontology model to describe tools, users, and relationships, which guides the extraction of security tool knowledge. In addition, we develop advanced entity recognition and classification methods, ensuring efficient and accurate knowledge extraction. As far as we know, this work is the first to construct the large-scale security tool knowledge graph, containing 4 million entities and 10 million relationships. Furthermore, we investigate the tendencies and particularities of security tools based on the SecTKG and developed a security tool influence-measuring application. The research fills a gap in the field of automated security tools’ knowledge extraction and provides a foundation for future research and practical applications.