/CyberOnto

CyberOnto and CyberSA

Cybersecurity Ontology (CyberOnto) and Situational Awareness (CyberSA) help teamwork in Cyber Incident Responses, Control, Containment, and Countermeasures (CIRC3). We integrate Artificial Intelligence (AI) and Knowledge Graph (KG) technologies to automate CyberSA capabilities.

Definitions

CyberSA has become a reliable practice to optimize CyberOps (Onwubiko, 2020). It helps define the frameworks for complex team-based tasks of "gathering information, perceiving and understanding the state of the world, and predicting states of the world forward in time." (Gutzwiller et al., 2020).

According to that study, "research and our additional professional field observations in government, industry, and academia suggest that the utility of SA analysis and measurement has yet to be realized in cyberspace".

Objectives

This research project, linked to a new product development initiative, aims to build a CyberSA measurement method that could help cybersecurity response teams cope with the complexity of fast-paced attack-defense scenarios.

To build this measurement method, we will use an existing cybersecurity ontology, serving as the source of best practices in our Artificial Intelligence (AI) architecture. Cyber ontologies have been demonstrated to offer reliable CyberOps automation (Syed, 2020; Alenezi et al., 2020).

We propose to use a recent Knowledge Graph (KG) and ontology by MITRE integrating the ATT&CK and D3FEND frameworks (Kaloroumakis and Smith, 2021). This new free, open-source asset goes beyond recent advances in intelligent CyberSA (Liu, et al., 2022).

https://d3fend.mitre.org/

By extending this open-source ontology, we will develop semantic reasoning that tests CyberSA capabilities in actual scenarios of Cyber Incident Responses, Control, Containment, and Countermeasures (CIRC3). It will be open-source and will attempt to integrate with other initiatives in cybersecurity ontology-driven automation (Grigoriadis et al., 2022). It can also integrate with ontologies aimed at defining cybersecurity knowledge domains and applications, where CIRC3 team members can be actively integrated as "automation with humans in the loop", linking people's skills and competencies directly to CyberSA capabilities (Léger, 2021). It should also help enable AI-powered cyber defense, which depends on fast and dynamic team learning and knowledge distribution across warfare units (Chen, 2021).

Methodology

The countermeasures recommended by the semantic reasoning queries will serve as an optimal gold standard representing the best practice. We will then compare the actual CIRC3 tasks and actions by the team, helping to measure the degree of departure from protocol.

Hence, the higher the proximity of team practice to protocol, the higher CyberSA should implicitly be. It will be measured using traditional KG proximity metrics among nodes and links. The tool will also be tested for accuracy, with AI techniques added to improve its performance. Metrics will include the F1 measure and the Matthews Correlation Coefficient (MCC) to evaluate the quality of our ontology inference capabilities.
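As an added illustration (not the project's own code) of the two measurements described above, the following Python scores a team's departure from the countermeasures a reasoning query recommends, and scores the inference itself with F1 and MCC against an expert answer key. The graph, node IDs, edges and incident data are all constructed placeholders in the style of ATT&CK/D3FEND, not MITRE's real mappings.

```python
from collections import deque

# Constructed toy knowledge graph in the style of the ATT&CK -> D3FEND graph:
# techniques (TA-*) produce artefacts (A-*), which countermeasures (D-*) act on.
# These IDs and edges are illustrative only, not MITRE's mappings.
EDGES = {
    "TA-phish": ["A-email"],
    "TA-script": ["A-process"],
    "TA-cred-dump": ["A-credential"],
    "A-email": ["D-email-filter", "D-sender-check"],
    "A-process": ["D-process-analysis", "D-exec-isolation"],
    "A-credential": ["D-cred-hardening"],
}
ALL_COUNTERMEASURES = {n for vs in EDGES.values() for n in vs if n.startswith("D-")}

def recommended(techniques):
    """Stand-in for the semantic reasoning query: every countermeasure reachable
    from the observed techniques forms the gold-standard protocol."""
    seen, queue = set(), deque(techniques)
    while queue:
        for nxt in EDGES.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {n for n in seen if n.startswith("D-")}

def departure(gold, actual):
    """Jaccard distance between protocol and the team's actions:
    0.0 means the team matched protocol exactly, 1.0 means no overlap."""
    union = gold | actual
    return 0.0 if not union else 1.0 - len(gold & actual) / len(union)

def f1_mcc(inferred, expert, universe=ALL_COUNTERMEASURES):
    """Quality of the inference itself, scored against expert-labelled
    countermeasures over the whole countermeasure vocabulary."""
    tp = len(inferred & expert)
    fp = len(inferred - expert)
    fn = len(expert - inferred)
    tn = len(universe - inferred - expert)
    f1 = 0.0 if tp == 0 else 2 * tp / (2 * tp + fp + fn)
    denom = ((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn)) ** 0.5
    mcc = 0.0 if denom == 0 else (tp * tn - fp * fn) / denom
    return f1, mcc

if __name__ == "__main__":
    # Constructed incident: observed techniques, an expert answer key for the
    # inference, and the countermeasures the team actually applied.
    observed = {"TA-phish", "TA-cred-dump"}
    expert = {"D-email-filter", "D-sender-check", "D-cred-hardening", "D-process-analysis"}
    team = {"D-email-filter", "D-exec-isolation"}
    gold = recommended(observed)
    print("protocol:", sorted(gold))
    print("departure from protocol:", round(departure(gold, team), 3))
    print("inference F1, MCC:", tuple(round(x, 3) for x in f1_mcc(gold, expert)))
```

A real deployment would replace the toy BFS with SPARQL queries over the D3FEND graph and the Jaccard distance with the KG proximity metric chosen for the study.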

The results of this research could help cybersecurity team leaders pay closer attention to how CyberSA affects the quality of threat response. It may become a valuable asset to integrate with other open-source CyberSA solutions, helping to support teamwork effectiveness (Husák et al., 2022).

References

Alenezi, Mamdouh, Hamid Abdul Basit, Faraz Idris Khan, and Maham Anwar Beg. 2020. “A Comparison Study of Available Software Security Ontologies.” Pp. 499–504 in Proceedings of the Evaluation and Assessment in Software Engineering. https://dl.acm.org/doi/abs/10.1145/3383219.3383292

Chen, Jim. 2021. “AI-Powered Defend Forward Strategy.” ECCWS Conference, pp. 52–60.

Grigoriadis, C., A. M. Berzovitis, I. Stellios, and P. Kotzanikolaou. 2022. A Cybersecurity Ontology to Support Risk Information Gathering in Cyber-Physical Systems. Vol. 13106 LNCS. Springer Science and Business Media Deutschland GmbH. https://link.springer.com/chapter/10.1007/978-3-030-95484-0_2

Gutzwiller, Robert, Josiah Dykstra, and Bryan Payne. 2020. “Gaps and Opportunities in Situational Awareness for Cybersecurity.” Digital Threats: Research and Practice 1(3):1–6. https://dl.acm.org/doi/abs/10.1145/3384471

Husák, Martin, Lukáš Sadlek, Stanislav Špaček, Martin Laštovička, Michal Javorník, and Jana Komárková. 2022. “CRUSOE: A Toolset for Cyber Situational Awareness and Decision Support in Incident Handling.” Computers & Security 102609. https://doi.org/10.1016/j.cose.2022.102609 with repo at https://github.com/CSIRT-MU/CRUSOE

Kaloroumakis, Peter E., and Michael J. Smith. 2021. Toward a Knowledge Graph of Cybersecurity Countermeasures. Technical report, MITRE. https://d3fend.mitre.org/resources/D3FEND.pdf

Léger, Marc-André. 2021. “Implementing Information Technology Management with an Ontology of Cybersecurity Professional Skills.” Ph.D. in Information Science and Technology, Université du Québec en Outaouais (UQO). https://github.com/ITriskMgr/MOACCO

Liu, Kai, Fei Wang, Zhaoyun Ding, Sheng Liang, Zhengfei Yu, and Yun Zhou. 2022. “A Review of Knowledge Graph Application Scenarios in Cyber Security.” ArXiv:2204.04769 [Cs]. https://arxiv.org/abs/2204.04769

Onwubiko, Cyril. 2020. “CyberOps: Situational Awareness in Cybersecurity Operations.” International Journal on Cyber Situational Awareness 5(1):82–107. https://doi.org/10.22619/IJCSA.2020.100134

Syed, Romilla. 2020. “Cybersecurity Vulnerability Management: A Conceptual Ontology and Cyber Intelligence Alert System.” Information & Management 57:103334. https://doi.org/10.1016/j.im.2020.103334