
Toward a Knowledge Graph of Cybersecurity Countermeasures


Peter E. Kaloroumakis, The MITRE Corporation, Annapolis Junction
J. Smith, The MITRE Corporation, Annapolis Junction

Abstract. This paper describes our research and development toward a precise, unambiguous, and information-dense knowledge graph of cybersecurity countermeasures. In project work for our sponsors we have repeatedly encountered the need for a model that can identify and precisely specify cybersecurity countermeasure components and capabilities. Furthermore, it is necessary that practitioners know not only what threats a capability claims to address, but, specifically, how those threats are addressed from an engineering perspective, and under what circumstances the solution would work. This knowledge is essential to estimate operational applicability and vulnerabilities, and to develop enterprise solutions comprising multiple countermeasures. To address this recurring need in the near term, we created D3FEND, a framework in which we encode a countermeasure knowledge base, or more specifically, a knowledge graph. The graph contains semantically rigorous types and relations that define both the key concepts in the cybersecurity countermeasure domain and the relations necessary to link those concepts to each other. We ground each of the concepts and relations to particular references in the cybersecurity literature. Numerous sources of research and development literature were analyzed, including a targeted sample of over 500 countermeasure patents drawn from the Patent Office corpus over the years 2001 to 2018. To demonstrate the value of this approach in practice, we describe how the graph supports queries that can inferentially map cybersecurity countermeasures to offensive TTPs. As part of a larger vision, we outline future D3FEND work to leverage the linked open data available on research literature and apply machine learning, in particular semi-supervised methods, to assist in maintaining the D3FEND knowledge graph over time. Finally, we welcome community feedback on D3FEND.

Index Terms: countermeasures, cybersecurity, cyber defense, intrusion detection, knowledge acquisition, knowledge engineering, knowledge graph, linked data, network security, ontology, procedures, tactics, techniques, TTPs

I. INTRODUCTION

The cybersecurity defense market comprises more than 5,000 companies [1]. More than 6,000 cybersecurity patent applications were filed in 2018 (Figure 1). Cyber defense teams also implement their own countermeasures to address what vendor products do not. These custom capabilities are often shared through open-source software communities. In a cycle of adaptation, countermeasures are rapidly developed in response to rapidly changing offensive TTPs.

Footnote: by the United States Department of Defense. Approved for Public Release; Distribution Unlimited. Case 20-2034. Copyright 2021 The MITRE Corporation. All Rights Reserved.

A countermeasure is any process or technology developed to negate or offset offensive cyber activities. It is not enough to understand what a countermeasure does, what it detects, what it prevents; we must understand how it does it. A security architect must understand their organization's countermeasures precisely: what they do, how they do it, and their limitations, if countermeasures are to be effectively employed. A red team conducting an exercise to identify security gaps must plan their engagement with expert knowledge of a countermeasure's functionality if they are to evade it. A venture capitalist considering a cybersecurity startup must understand what problem it is trying to solve, whether and how it has been solved before, and why the proposed solution is better or different.

Existing cybersecurity knowledge bases do not explain with enough fidelity and structure what these countermeasures do. To meet these needs, we reviewed the prominent knowledge bases discussed in Section II. Furthermore, no framework or model exists that has had its knowledge content sustained at the rate of change in the cybersecurity space. D3FEND establishes a fine-grained semantic model of countermeasures, their properties, relationships, and history of development. We have also defined a semantic model of a portion of MITRE's ATT&CK framework [15] to represent the offensive TTPs in the same common, standardized semantic language (OWL DL). This enables us to incorporate ATT&CK by mapping its concepts directly to D3FEND's model of defensive techniques and artifacts.
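The inferential mapping described in the abstract and the artifact-based join of ATT&CK concepts to D3FEND's defensive techniques described in the previous paragraph, as an added Python example that is not the paper's or the D3FEND project's code: a toy triple store in which offensive and defensive techniques are related through a shared artifact class hierarchy, so a query can infer which countermeasures apply to which TTPs. The artifact and defensive technique names are constructed; T1059 and T1003 are ATT&CK technique IDs used only as labels, and the relation names are assumptions, not D3FEND's vocabulary.

```python
from collections import defaultdict

# Constructed (subject, predicate, object) triples, illustrative only; not the
# D3FEND or ATT&CK datasets. Relation and artifact names are assumptions.
TRIPLES = [
    ("File", "subClassOf", "DigitalArtifact"),
    ("Process", "subClassOf", "DigitalArtifact"),
    ("CredentialFile", "subClassOf", "File"),
    ("T1059 Command and Scripting Interpreter", "creates", "Process"),
    ("T1003 OS Credential Dumping", "accesses", "CredentialFile"),
    ("T1003 OS Credential Dumping", "creates", "Process"),
    ("ProcessSpawnAnalysis", "analyzes", "Process"),
    ("FileAccessPatternAnalysis", "monitors", "File"),
]
OFFENSIVE_RELATIONS = {"creates", "accesses", "modifies"}  # offense -> artifact
DEFENSIVE_RELATIONS = {"analyzes", "monitors"}             # defense -> artifact


def index_by_predicate(triples):
    """Build predicate -> subject -> {objects} for fast lookups."""
    idx = defaultdict(lambda: defaultdict(set))
    for s, p, o in triples:
        idx[p][s].add(o)
    return idx


def ancestors(idx, cls):
    """Return cls plus every transitive superclass (reflexive closure)."""
    seen, stack = {cls}, [cls]
    while stack:
        for parent in idx["subClassOf"].get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def infer_counters(triples):
    """Map each defensive technique to the offensive techniques it may counter:
    a defense over artifact class A joins every offense touching A or a subclass."""
    idx = index_by_predicate(triples)
    touched = defaultdict(set)  # offensive technique -> artifact classes + ancestors
    for rel in OFFENSIVE_RELATIONS:
        for otech, artifacts in idx[rel].items():
            for art in artifacts:
                touched[otech] |= ancestors(idx, art)
    counters = defaultdict(set)
    for rel in DEFENSIVE_RELATIONS:
        for dtech, artifacts in idx[rel].items():
            for otech, classes in touched.items():
                if artifacts & classes:
                    counters[dtech].add(otech)
    return {d: sorted(o) for d, o in counters.items()}
```

Because the join runs through the subclass closure, a defense declared over a general class such as File also covers offenses that only touch CredentialFile, which is the kind of inference the paper attributes to the graph.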

D3FEND provides a methodology for curating content into new knowledge and tying it to its source information in meaningful ways. Finally, this paper provides a research roadmap for harvesting and analyzing content across the industry space, using and extending the promising human language technologies and semi-supervised learning methods. D3FEND's longer-term goals are to (1) create a sustainable knowledge framework for characterizing and relating cybersecurity countermeasure technology; and (2) accelerate the knowledge discovery and acquisition efforts required to keep pace with technological changes in the cyber domain.

The D3FEND knowledge graph we have constructed can be directly embedded within the much larger web of datasets available within the Linked Open Data Cloud [41]. These will be used to connect our knowledge to research literature, organizations, authors, inventors, and investors. We believe the representation chosen also provides a strong foundation for research furthering automation.

This paper explains how we collected and analyzed data to produce the initial version of the model. In the following sections we discuss related work, our methodology, the resulting knowledge graph of countermeasure techniques, and finally our roadmap for future work.

II. RELATED WORK

Related prior work includes early cybersecurity standards and formats, government and commercial cybersecurity threat frameworks and knowledge bases, commercial product taxonomies, and formal information modeling in cybersecurity and other domains.

A. MITRE-Initiated Cybersecurity Standards and Formats

Over the past two decades, MITRE has developed standard languages and formats to capture cybersecurity information: Common Vulnerabilities and Exposures (CVE) [2], Common Weakness Enumeration (CWE) [3], Open Vulnerability and Assessment Language (OVAL) [4], Common Platform Enumeration (CPE) [5], Common Event Expression (CEE) [6], Common Attack Pattern Enumeration and Classification (CAPEC) [7], Malware Attribute Enumeration and Characterization (MAEC) [8], and the Cyber Observables (CybOX) [9] languages. These shared vocabularies and disambiguating references are useful for cybersecurity practitioners to record and exchange cyber threat knowledge.