
IRSKG: Unified Intrusion Response System Knowledge Graph Ontology for Cyber Defense

Damodar Panigrahi, Shaswata Mitra, Subash Neupane, Sudip Mittal, Benjamin A. Blakely

TL;DR

A unified IRS Knowledge Graph ontology (IRSKG) is proposed that streamlines the onboarding of new enterprise systems as a source for the AICAs and allows machine learning models to train effectively and recover a compromised system to its desired state autonomously with explainability.

Abstract

Cyberattacks are becoming increasingly difficult to detect and prevent due to their sophistication. In response, Autonomous Intelligent Cyber-defense Agents (AICAs) are emerging as crucial solutions. One prominent AICA component is the Intrusion Response System (IRS), which is critical for mitigating threats after detection. An IRS uses several Tactics, Techniques, and Procedures (TTPs) to mitigate attacks and restore the infrastructure to normal operations, and continuous monitoring of the enterprise infrastructure is an essential one of them. However, each system serves a different operational purpose, and its monitoring data differs accordingly. Integrating these disparate sources for continuous monitoring increases pre-processing complexity and limits automation, which prolongs the response window that attackers can exploit. We propose a unified IRS Knowledge Graph ontology (IRSKG) that streamlines the onboarding of new enterprise systems as sources for AICAs. The ontology captures system monitoring logs and supplemental data, such as a rules repository containing the administrator-defined policies that dictate the IRS responses. It also permits dynamic changes to adapt to the evolving cyber-threat landscape. This robust yet concise design allows machine learning models to train effectively and recover a compromised system to its desired state autonomously and with explainability.

Paper Structure

This paper contains 19 sections, 14 equations, 8 figures, 1 table.

Figures (8)

  • Figure 1: AICA Intrusion Response System Knowledge Graph (IRSKG) ontology to store different senses: enterprise system logs, Rules of Engagements (RoEs), and AI/ML model input.
  • Figure 2: Graph model built using Property Graph (PG), also called Labeled Property Graph (LPG). A partial yet simple illustration of a TCP packet flow between a Web browser and an Intranet-hosted Web Server.
  • Figure 3: AICA Prototype - MAPE-K based Self-Adaptive Autonomic Computing System (SA-ACS) framework implementation. The IRS components are responsible for recovering the enterprise system(s) to the desired state in the event of a security breach. The prototype interacts with enterprise systems via percepts and actuators: the former gather the logs, while the latter fix the breached enterprise system(s). The IRS-Plan component uses the logs and the rules to create a computation model. The IRS-Constrained Action component determines the final breach mitigation action(s) following the RoE.
  • Figure 4: Illustration of IRSKG: A Graph-based model that represents enterprise system information such as System logs, System monitoring logs, Chat conversation logs, IRS rules, and input data for the computational model training.
  • Figure 5: A generalized Network System IRSKG: represents network logs, IRS rules, and the computation model input used to train a GNN. For the network logs, the IRSKG nodes, $N_i$, represent the source and destination IPs, and the edges, $E_{ij}$, represent the action the source wants to take on the target; e.g., a SYN edge represents a source requesting a connection to a destination.
  • ...and 3 more figures
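The Figure 2 and Figure 5 descriptions above map network logs onto a Labeled Property Graph (hosts as nodes, the TCP action such as SYN as the edge label) and evaluate administrator rules over it. The following is an added example, not code from the IRSKG paper or its authors: it builds that kind of property graph from a few constructed flow records and evaluates one hypothetical rule-repository entry against it. The log format, the `Host` node label, the `syn_scan` rule and its `block_source` response are all assumptions made for illustration.

```python
"""Added illustration of an IRSKG-style property graph built from constructed
network log records (not the paper's own code). Nodes are hosts keyed by IP,
edges are labelled with the TCP action observed, and a hypothetical IRS rule is
evaluated over the graph so that every hit names the rule and edges behind it."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Node:
    label: str                      # node label, e.g. "Host" (assumed)
    props: dict = field(default_factory=dict)


@dataclass
class Edge:
    src: str                        # key of the source node
    dst: str                        # key of the destination node
    label: str                      # action the source takes on the target, e.g. "SYN"
    props: dict = field(default_factory=dict)


class PropertyGraph:
    """Minimal Labeled Property Graph: labelled nodes and edges, each with a property map."""

    def __init__(self):
        self.nodes = {}
        self.edges = []

    def add_node(self, key, label, **props):
        node = self.nodes.setdefault(key, Node(label))
        node.props.update(props)    # merging lets repeated log lines enrich one node
        return node

    def add_edge(self, src, dst, label, **props):
        self.edges.append(Edge(src, dst, label, props))

    def out_edges(self, key, label=None):
        return [e for e in self.edges
                if e.src == key and (label is None or e.label == label)]


# Constructed sample records (not a real capture):
# <epoch ts> <src ip> <src port> <dst ip> <dst port> <tcp flag>
SAMPLE_LOG = """\
1700000001 10.0.0.5 51000 192.168.1.10 80 SYN
1700000002 192.168.1.10 80 10.0.0.5 51000 SYN-ACK
1700000003 10.0.0.5 51001 192.168.1.10 443 SYN
1700000004 203.0.113.7 40000 192.168.1.10 22 SYN
1700000005 203.0.113.7 40001 192.168.1.10 23 SYN
1700000006 203.0.113.7 40002 192.168.1.10 3389 SYN
"""


def build_graph(log_text):
    """Onboard raw flow records into the graph: one Host node per IP, one edge per record."""
    g = PropertyGraph()
    for line in log_text.splitlines():
        ts, sip, sport, dip, dport, flag = line.split()
        g.add_node(sip, "Host", ip=sip)
        g.add_node(dip, "Host", ip=dip)
        g.add_edge(sip, dip, flag, ts=int(ts), src_port=int(sport), dst_port=int(dport))
    return g


# Hypothetical entry from an administrator-defined rules repository (assumed shape):
# flag any source that SYNs more than N distinct ports on one target.
RULE = {"name": "syn_scan", "action": "SYN",
        "max_distinct_dst_ports": 2, "response": "block_source"}


def evaluate_rule(g, rule):
    """Return {source_ip: explanation} for every source that violates the rule."""
    per_pair = defaultdict(set)
    for e in g.edges:
        if e.label == rule["action"]:
            per_pair[(e.src, e.dst)].add(e.props["dst_port"])
    hits = {}
    for (src, dst), ports in per_pair.items():
        if len(ports) > rule["max_distinct_dst_ports"]:
            # The explanation carries the rule and the evidence, which is what
            # an explainable IRS response needs to justify the chosen action.
            hits[src] = {"rule": rule["name"], "target": dst,
                         "ports": sorted(ports), "response": rule["response"]}
    return hits


if __name__ == "__main__":
    graph = build_graph(SAMPLE_LOG)
    for src, why in evaluate_rule(graph, RULE).items():
        print(f"{src}: {why}")
```

Only the external host trips the rule: it SYNs three distinct ports on the same target, while the internal browser's two SYNs (80 and 443) stay under the threshold and the server's SYN-ACK does not match the rule's action label at all. The returned record is the explanation the response layer can attach to the `block_source` action.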