In today’s interconnected world most organizations depend strongly upon IT systems, which are threatened on an unprecedented scale by increasingly sophisticated threats. Protecting vital information systems and maintaining the confidentiality, availability, and integrity of sensitive information has
Coping with such dynamically evolving threats has
In light of these developments, organizations must accept that their security can (and will) be compromised and need to shift their focus from defending increasingly ill-defined system perimeters towards (i) maximizing the chance of detecting and containing attacks, and (ii) quickly adapting defenses upon intelligence about new threats. This requires a novel approach to cybersecurity where reactive network security methods are complemented by continuous diagnostics and mitigation. However, reacting to threats in (near) real-time is
The SEPSES project aims to tackle these challenges by applying an innovative interdisciplinary approach at the intersection of state-of-the-art semantic technologies and security research. It will thereby bring meaning to disparate log data and make security information machine-interpretable in near real-time. To resolve ambiguous representations, we will develop ontologies and ontology design patterns and leverage the resulting uniform conceptual model to semantically lift heterogeneous security data from various sources. By making security event information universally comprehensible, it will become possible to link security events with background knowledge and process the semantically enriched security event streams to automatically identify logical connections between events. To express such logical connections in an abstract manner, we will develop a semantic modeling approach for attack patterns. The explicit semantics will allow RDF stream processors to reason over incoming event streams in order to identify suspicious activities. To address the dynamic nature of the security domain, we will develop discovery techniques to identify emerging patterns of attack.
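As an added illustration (not code from the SEPSES project), the following Python sketch lifts two constructed, deliberately different log formats into one triple vocabulary and then evaluates a single attack pattern (a burst of authentication failures from one source followed by a success) over the lifted event stream. The namespace, log formats, sample lines and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from itertools import count

NS = "http://example.org/sepses-demo#"   # hypothetical namespace, not the project's
_ids = count(1)

# Two constructed log formats (an sshd-style line and a web-login access line)
# that the lifting step maps onto the same uniform event vocabulary.
SSHD_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)")
WEB_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "POST /login" (?P<status>\d{3})')

def lift(line):
    """Semantically lift one raw log line into (subject, predicate, object) triples;
    lines in an unknown format yield no triples."""
    if m := SSHD_RE.match(line):
        cls = "AuthFailure" if m["outcome"] == "Failed" else "AuthSuccess"
    elif m := WEB_RE.match(line):
        cls = "AuthSuccess" if m["status"] == "200" else "AuthFailure"
    else:
        return []
    ev = f"{NS}event{next(_ids)}"
    return [(ev, NS + "type", NS + cls), (ev, NS + "sourceIP", m["ip"]),
            (ev, NS + "user", m["user"]), (ev, NS + "time", datetime.fromisoformat(m["ts"]))]

def detect(events, threshold=3, window=timedelta(minutes=5)):
    """Attack pattern over the lifted stream: at least `threshold` AuthFailure events
    from one source IP inside `window`, followed by an AuthSuccess from that IP.
    `events` is an iterable of triple lists (one small graph per event)."""
    failures = defaultdict(deque)            # source IP -> timestamps of recent failures
    alerts = []
    for triples in events:
        g = {p: o for _, p, o in triples}    # all triples of an event share one subject
        ip, t, cls = g[NS + "sourceIP"], g[NS + "time"], g[NS + "type"]
        q = failures[ip]
        while q and t - q[0] > window:       # expire failures that fell out of the window
            q.popleft()
        if cls == NS + "AuthFailure":
            q.append(t)
        elif len(q) >= threshold:            # success right after a burst of failures
            alerts.append((ip, g[NS + "user"], t))
            q.clear()
    return alerts

SAMPLE = [  # constructed: three sshd failures, an unrelated failure, then a web success
    "2024-03-01T10:00:00 sshd[811]: Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:20 sshd[811]: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:45 sshd[811]: Failed password for alice from 203.0.113.7",
    "2024-03-01T10:02:10 sshd[813]: Failed password for bob from 198.51.100.9",
    '203.0.113.7 alice [2024-03-01T10:03:00] "POST /login" 200',
]

def run(lines=SAMPLE):
    """Lift every line, drop unparsed ones, and return the pattern's alerts."""
    return detect(t for t in map(lift, lines) if t)
```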
To validate our approach, we will (i) conduct expert interviews during the conceptualization phase; (ii) evaluate the performance of available stream reasoning engines in dimensions specific to our problem domain; (iii) simulate real-world event data sources and ensure that event patterns are identified reliably and consistently within generated sequences; and (iv) execute scenarios that involve both legitimate and illegitimate actions by actual users in a virtualized environment.
The results of the proposed project will facilitate the reuse of machine-processable security knowledge and provide a foundation for innovative security applications based on a well-defined domain terminology. The project will enable context-aware decision support and thereby overcome the limited scope and lack of interpretation capabilities of current security monitoring and response technologies such as virus scanners, intrusion detection systems (IDSs), and security incident and event management (SIEM) systems. Our research will result in pattern-based detection and alerting mechanisms and establish a foundation for tools that leverage the semantically rich security knowledge for event stream visualization, real-time and ex-post analytics, forensics, and semantic mining of large-scale event log archives. Furthermore, the project results will provide a framework for sharing threat intelligence across organizations (e.g., a repository of machine-processable attack patterns in the Linked Open Data cloud).
In summary, our research will open up opportunities to complement human intuition and expertise with automated reasoning capabilities in order to provide actionable security insights, improve situational awareness and facilitate sharing of security knowledge. Overall, the results will contribute to a shift towards a more responsive and collaborative security management paradigm.