In today’s interconnected world most organizations depend heavily on IT systems, which are exposed on an unprecedented scale to increasingly sophisticated threats. Protecting vital information systems and maintaining the confidentiality, availability, and integrity of sensitive information has therefore become a key concern for virtually any organization. The severe financial impact of security incidents, the potentially drastic trust and reputation damages, and the need to exercise due diligence and fiduciary responsibility have motivated organizations to sharply increase their expenditure on information security in recent years. Widely publicized data breach cases suggest, however, that these investments have not been completely successful in preventing successful attacks. One explanation is that today’s sophisticated threat actors combine multiple attack vectors, including client-side attacks, to bypass traditional perimeter security. Furthermore, they rapidly update their tactics to maintain an advantage against advances in security safeguards.

Coping with such dynamically evolving threats has therefore become increasingly difficult. As a consequence, organizations are frequently unaware of attempted attacks and their potential impact. In addition, most organizations fail to detect security incidents and understand their root cause, or are slow to do so. Oftentimes, this leaves attackers free to extract data over a long timeframe, which can cause severe operational and business impact.

In light of these developments, organizations must accept that their security can (and will) be compromised and need to shift their focus from defending increasingly ill-defined system perimeters towards (i) maximizing the chance of detecting and containing attacks, and (ii) quickly adapting defenses based on intelligence about new threats. This requires a novel approach to cybersecurity where reactive network security methods are complemented by continuous diagnostics and mitigation. However, reacting to threats in (near) real-time is only possible if the necessary information is available in (near) real-time. ICT components (e.g., servers, network devices, client endpoints) and their software (e.g., operating systems, firewalls, anti-virus software, mail servers, web servers, applications) continuously generate vast amounts of log data that can point to security-relevant events. To identify related events, such as sequences of attack steps that lead to an objective, it is necessary to integrate information from various sources and link individual indicators of compromise. These isolated indicators are often inconspicuous on their own, and it is therefore necessary to collect, consolidate, and integrate disparate log information. This poses a significant challenge due to data heterogeneity, high information throughput, and the (near) real-time requirements.

The SEPSES project aims to tackle these challenges by applying an innovative interdisciplinary approach at the intersection of state-of-the-art semantic technologies and security research. It will thereby bring meaning to disparate log data and make security information machine-interpretable in (near) real-time. To resolve ambiguous representations, we will develop ontologies and ontology design patterns and leverage the resulting uniform conceptual model to semantically lift heterogeneous security data from various sources. By making security event information universally comprehensible, it will become possible to link security events with background knowledge and process the semantically enriched security event streams to automatically identify logical connections between events. To express such logical connections in an abstract manner, we will develop a semantic modeling approach for attack patterns. The explicit semantics will allow RDF stream processors to reason over incoming event streams in order to identify suspicious activities. To address the dynamic nature of the security domain, we will develop discovery techniques to identify emerging patterns of attack.
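The following Python example illustrates the pipeline sketched above: two heterogeneous log formats are semantically lifted into one shared vocabulary of subject-predicate-object triples, a small piece of background knowledge (a class hierarchy) is materialized by a subclass rule, and an attack pattern is evaluated over the linked events by basic graph pattern matching. It is an added example and not SEPSES project code; the `sec:`/`ev:` vocabulary, the log lines, the class hierarchy and the pattern are all constructed here, and a hand-written in-memory triple list and matcher stand in for a real RDF store or stream reasoner so the example runs without dependencies.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not real data): an SSH daemon in syslog style and a
# firewall in key=value style. The "sec:"/"ev:" vocabulary is hypothetical.
SSHD_LOG = """\
2024-01-10T10:00:01Z sshd[811]: Failed password for admin from 203.0.113.7 port 5020
2024-01-10T10:00:04Z sshd[811]: Failed password for admin from 203.0.113.7 port 5021
2024-01-10T10:00:09Z sshd[811]: Failed password for admin from 203.0.113.7 port 5022
2024-01-10T10:00:15Z sshd[811]: Accepted password for admin from 203.0.113.7 port 5023
2024-01-10T10:01:00Z sshd[811]: Failed password for bob from 198.51.100.9 port 4410
"""
FW_LOG = """\
ts=2024-01-10T10:00:40Z action=allow src=203.0.113.7 dst=10.0.0.5 dport=445
ts=2024-01-10T10:02:00Z action=deny src=198.51.100.9 dst=10.0.0.5 dport=445
"""
# Background knowledge (constructed): a tiny class hierarchy used to link events.
BACKGROUND = [("sec:AuthFailure", "rdfs:subClassOf", "sec:AuthEvent"),
              ("sec:AuthSuccess", "rdfs:subClassOf", "sec:AuthEvent"),
              ("sec:AuthEvent", "rdfs:subClassOf", "sec:Event"),
              ("sec:NetworkFlow", "rdfs:subClassOf", "sec:Event")]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def lift_sshd(text):
    """Semantic lifting: sshd lines -> (subject, predicate, object) triples."""
    pat = re.compile(r"(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
    triples = []
    for i, line in enumerate(text.splitlines()):
        m = pat.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess its meaning
        ts, outcome, user, host = m.groups()
        ev, cls = f"ev:sshd-{i}", "sec:AuthFailure" if outcome == "Failed" else "sec:AuthSuccess"
        triples += [(ev, "rdf:type", cls), (ev, "sec:sourceHost", host),
                    (ev, "sec:account", user), (ev, "sec:time", _ts(ts))]
    return triples

def lift_firewall(text):
    """Lift key=value firewall lines into the same vocabulary."""
    triples = []
    for i, line in enumerate(text.splitlines()):
        kv = dict(tok.split("=", 1) for tok in line.split())
        ev = f"ev:fw-{i}"
        triples += [(ev, "rdf:type", "sec:NetworkFlow"), (ev, "sec:sourceHost", kv["src"]),
                    (ev, "sec:destHost", kv["dst"]), (ev, "sec:destPort", int(kv["dport"])),
                    (ev, "sec:action", kv["action"]), (ev, "sec:time", _ts(kv["ts"]))]
    return triples

def infer_types(triples):
    """Materialize rdfs:subClassOf: (x type C) + (C subClassOf D) => (x type D)."""
    graph, changed = set(triples), True
    while changed:
        changed = False
        subclasses = [(c, d) for c, p, d in graph if p == "rdfs:subClassOf"]
        for x, p, c in list(graph):
            for c2, d in subclasses:
                if p == "rdf:type" and c2 == c and (x, "rdf:type", d) not in graph:
                    graph.add((x, "rdf:type", d))
                    changed = True
    return list(graph)

def match(triples, pattern, binding=None):
    """Basic graph pattern matching; terms starting with '?' are variables.
    Yields every complete binding of the variables."""
    binding = binding or {}
    if not pattern:
        yield dict(binding)
        return
    head, rest = pattern[0], pattern[1:]
    for triple in triples:
        b, ok = dict(binding), True
        for term, value in zip(head, triple):
            if isinstance(term, str) and term.startswith("?"):
                if term in b and b[term] != value:
                    ok = False
                    break
                b[term] = value
            elif term != value:
                ok = False
                break
        if ok:
            yield from match(triples, rest, b)

def detect_bruteforce_then_lateral(triples, min_failures=3, window=timedelta(minutes=5)):
    """Attack pattern: >= min_failures AuthFailure, then AuthSuccess for the same
    account from the same host, then an allowed flow from that host, all within window."""
    step = [("?s", "rdf:type", "sec:AuthSuccess"), ("?s", "sec:sourceHost", "?h"),
            ("?s", "sec:account", "?u"), ("?s", "sec:time", "?ts"),
            ("?f", "rdf:type", "sec:NetworkFlow"), ("?f", "sec:sourceHost", "?h"),
            ("?f", "sec:action", "allow"), ("?f", "sec:time", "?tf")]
    findings = set()
    for b in match(triples, step):
        if not b["?ts"] <= b["?tf"] <= b["?ts"] + window:
            continue
        prior = [("?x", "rdf:type", "sec:AuthFailure"), ("?x", "sec:sourceHost", b["?h"]),
                 ("?x", "sec:account", b["?u"]), ("?x", "sec:time", "?tx")]
        failures = [m for m in match(triples, prior) if b["?ts"] - window <= m["?tx"] <= b["?ts"]]
        if len(failures) >= min_failures:
            findings.add((b["?h"], b["?u"]))
    return sorted(findings)

def build_graph():
    return infer_types(lift_sshd(SSHD_LOG) + lift_firewall(FW_LOG) + BACKGROUND)

def count_of_type(triples, cls, host):
    """Events of class cls (including inferred types) that originate from host."""
    return len(list(match(triples, [("?e", "rdf:type", cls), ("?e", "sec:sourceHost", host)])))

if __name__ == "__main__":
    print(detect_bruteforce_then_lateral(build_graph()))  # [('203.0.113.7', 'admin')]
```

The point of the subclass step is that a query for `sec:AuthEvent` or `sec:Event` from a host finds events that were never labelled with that class in the raw logs; the attack pattern itself joins events from two sources purely through the shared `sec:sourceHost` and `sec:account` terms, which is what the lifting makes possible.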

To validate our approach, we will (i) conduct expert interviews during the conceptualization phase; (ii) evaluate the performance of available stream reasoning engines in dimensions specific to our problem domain; (iii) simulate real-world event data sources and ensure that event patterns are identified reliably and consistently within generated sequences; and (iv) execute scenarios that involve both legitimate and illegitimate actions by actual users in a virtualized environment.

The results of the proposed project will facilitate the reuse of machine-processable security knowledge and provide a foundation for innovative security applications based on a well-defined domain terminology. The project will enable context-aware decision support and thereby overcome the limited scope and lack of interpretation capabilities of current security monitoring and response technologies such as virus scanners, intrusion detection systems (IDSs), and security incident and event management (SIEM) systems. Our research will result in pattern-based detection and alerting mechanisms and establish a foundation for tools that leverage the semantically rich security knowledge for event stream visualization, real-time and ex-post analytics, forensics, and semantic mining of large-scale event log archives. Furthermore, the project results will provide a framework for sharing threat intelligence across organizations (e.g., repository of machine-processable attack patterns in the Linked Open Data cloud).

In summary, our research will open up opportunities to complement human intuition and expertise with automated reasoning capabilities in order to provide actionable security insights, improve situational awareness, and facilitate sharing of security knowledge. Overall, the results will contribute to a shift towards a more responsive and collaborative security management paradigm.