With the development of key information infrastructure technologies such as cloud computing, 5G, IoT, and the Industrial Internet, cyberspace has linked industrial physical systems, social systems of humans, and network information systems, becoming the cornerstone of the development of the digital economy. Meanwhile, the attack surface in cyberspace is extended and expanded accordingly, and information asymmetry between attackers and defenders in cyberspace becomes more and more obvious. With the escalation of the attack-defense confrontation, the integration of attack defense technologies with automation and smart technologies has become one of the inevitable trends in the development of cyber security technology. The security knowledge graph, a knowledge graph specific to the security domain, is the key to realizing cognitive intelligence in cyber security, and it also lays an indispensable technological foundation for dealing with advanced, continuous and complex threats and risks in cyberspace.
What is the knowledge graph?
Knowledge graph is a concept proposed by Google. In essence, it is a semantic network composed of the entities (concepts), their interrelations, and the associated attributes. It can effectively represent the semantic relationships between entities (concepts) with a structured data organizational structure.
The knowledge graph technology is one of the key technologies for general AI and domain-specific AI. With the semantic knowledge organizational structure, the knowledge graph fully integrates machine algorithms and domain knowledge, which greatly facilitates the smart development of knowledge engineering. The knowledge graph has been widely used in application scenarios such as intelligent recommendation, intelligent search, general cognitive reasoning, human-computer interaction and Q&A, and intelligent decision support.
Knowledge graphs can be divided into general knowledge graphs and domain-specific knowledge graphs by application scenario. General knowledge graphs, such as Freebase, Wikidata, DBpedia and other large-scale knowledge bases, are mainly used in universal intelligent search and recommendation scenarios, providing a broad and basic knowledge association infrastructure. However, domain-specific knowledge graphs build a deep knowledge space based on a knowledge subdomain to serve specific query and analysis needs in that knowledge domain.
What is the security knowledge graph?
The security knowledge graph is specific to the cyber security domain. As an efficient organizational form of security knowledge such as entities and concepts, it can give full play to the advantages of knowledge integration. In particular, it can integrate fragmented multi-source heterogeneous security data and provide data analysis and knowledge reasoning for threat modeling, risk analysis, and attack reasoning in cyber security, thus accelerating the shift from perceptual intelligence to cognitive intelligence.
It has the following advantages:
- Efficiently integrate massive fragmented multi-source heterogeneous security data via the knowledge graph framework
- Provide visualized, relation-based and systematic security knowledge based on the graphic language, which is intuitive and efficient
- Simulate the thinking process of security experts for threat discovery, verification, and reasoning with built-in security semantics
What can the security knowledge graph do?
The figure below shows the basic framework of the security knowledge graph, including the key technologies of the cyber security knowledge graph such as ontology modeling, graph building, knowledge representation, and graph reasoning. These key technologies can solve key problems at different levels, such as unified data modeling, entity extraction and relationship building, reasoning and analysis of complex semantics, and scenario-based application adaptation, thus helping build a security application with perceptual, cognitive, and decision-making intelligence. For knowledge/intelligence/data subsets in different security subdomains, the security knowledge graph can provide targeted and optimized reasoning services, including attack and threat modeling, threat intelligence correlation and attribution, energy efficiency improvement for enterprise intelligent security operation, and software supply chain security. The following outlines several application scenarios:
- ATT&CK threat modeling: models attack behaviors in different stages of the attack life cycle based on ATT&CK. The security knowledge graph generally contains basic threat modeling knowledge and threat & attack data, and can provide a more fine-grained and dynamic modeling theoretical framework based on the fusion and abstraction of threat-related knowledge.
- APT threat tracking: allows threat subject profiling and automatic attribution of APT attacker gangs through the extraction of key elements from threat intelligence and dynamic behavioral reasoning, and assists the comprehensive analysis and evidence collection of attack events.
- Enterprise intelligent security operation: allows event risk profiling, attack path investigation, and response strategy recommendation based on the security knowledge graph, provides rich contexts with security semantics, effectively supports the comprehensive analysis and strategy deployment of dynamic events, and reduces the dependence of security operation on experts’ experience and knowledge.
- Cyberspace mapping: fulfills tasks such as semantic search, query, intelligent Q&A and knowledge reasoning on the knowledge graph specific to cyberspace mapping, performs correlation analysis and data fusion and aggregation of information such as assets, vulnerabilities, security mechanisms, and attack modes, and fully grasps cyberspace assets and their conditions.
- Software supply chain security: builds a knowledge graph for the software supply chain, and completes risk identification, high risk recommendation, impact scope analysis, and decision-making on mitigation measures of the software supply chain using the correlation and reasoning functions of the knowledge graph.
- Security & Safety converged industrial system protection: uses big data analysis and graph mining technologies to comprehensively analyze the coupling relationship between the information layer and the physical layer in the modern industrial control system, thus enabling intelligent assistance and automatic processing with capabilities like decision making, risk prediction, accident analysis, and attack identification.
NSFOCUS will post a series of articles detailing the application of the security knowledge graph in the above scenarios, hoping to bring readers a new way of technical thinking and help cyber security intelligence enter the stage of cognitive intelligence.