Abstract
Cyberattacks are becoming increasingly difficult to detect and prevent because of their growing sophistication. In response, Autonomous Intelligent Cyber-defense Agents (AICAs) are emerging as crucial solutions. One prominent AICA is the Intrusion Response System (IRS), which is critical for mitigating threats once they have been detected. An IRS uses several Tactics, Techniques, and Procedures (TTPs) to mitigate attacks and restore the infrastructure to normal operation; continuous monitoring of the enterprise infrastructure is one essential TTP. However, each system serves a different purpose to meet operational needs, so integrating these disparate sources for continuous monitoring increases pre-processing complexity and limits automation, ultimately prolonging the critical response window that attackers can exploit. We propose a unified IRS Knowledge Graph ontology (IRSKG) that streamlines the onboarding of new enterprise systems as data sources for AICAs. Our ontology can capture system monitoring logs and supplemental data, such as a rules repository containing the administrator-defined policies that dictate IRS responses. Moreover, the ontology allows dynamic changes to be incorporated to adapt to the evolving cyber-threat landscape. This robust yet concise design allows machine learning models to train effectively and to recover a compromised system to its desired state autonomously and with explainability.
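The abstract's central claim is that heterogeneous monitoring sources and an administrator-defined rules repository can live in one graph so that a response can be selected and explained from the graph alone. The following is an added toy illustration of that idea, written for this page; it is not the paper's IRSKG ontology and does not reproduce its classes or predicates. The `irs:` predicate names, the rule dictionary format, and the two sample log records (a syslog-style SSH line and an EDR JSON event) are all constructed assumptions. Two differently shaped sources are normalised into triples, the rules are stored in the same graph, and each selected response carries the triples that justify it.

```python
"""Toy unified knowledge graph for intrusion response (illustration only)."""
import json
import re

# Constructed sample inputs: one syslog-style auth failure and one EDR JSON event.
SYSLOG_LINE = ("Jan 10 12:00:01 web01 sshd[2311]: Failed password for root "
               "from 203.0.113.9 port 5222 ssh2")
EDR_JSON = ('{"host": "db01", "event": "process_start", "image": "powershell.exe", '
            '"parent": "winword.exe", "severity": "high"}')

# Assumed "rules repository" format: administrator-defined conditions -> response.
RULES = [
    {"id": "R1", "when": {"type": "auth_failure", "user": "root"}, "response": "block_source_ip"},
    {"id": "R2", "when": {"type": "process_start", "parent": "winword.exe"}, "response": "isolate_host"},
]

# Hypothetical mapping from rule fields to graph predicates.
FIELD_TO_PREDICATE = {"type": "irs:eventType", "user": "irs:user",
                      "ip": "irs:sourceIp", "parent": "irs:parentImage"}

SYSLOG_RE = re.compile(r"^\S+ +\d+ \S+ (?P<host>\S+) (?P<proc>\w+)\[\d+\]: "
                       r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")


class KnowledgeGraph:
    """Minimal triple store: (subject, predicate, object) with simple lookups."""

    def __init__(self):
        self.triples = set()

    def add(self, s, p, o):
        self.triples.add((s, p, o))

    def objects(self, s, p):
        return {o for (s2, p2, o) in self.triples if s2 == s and p2 == p}

    def subjects_of_type(self, cls):
        return {s for (s, p, o) in self.triples if p == "rdf:type" and o == cls}


def ingest_syslog(kg, line, event_id):
    """Normalise a syslog auth-failure line into Event/Host nodes; None if unmatched."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev, host = f"irs:event/{event_id}", f"irs:host/{m['host']}"
    kg.add(ev, "rdf:type", "irs:Event")
    kg.add(ev, "irs:eventType", "auth_failure")
    kg.add(ev, "irs:user", m["user"])
    kg.add(ev, "irs:sourceIp", m["ip"])
    kg.add(ev, "irs:onHost", host)
    kg.add(ev, "irs:source", "syslog")
    kg.add(host, "rdf:type", "irs:Host")
    return ev


def ingest_edr_json(kg, raw, event_id):
    """Normalise a JSON endpoint event into the same Event/Host vocabulary."""
    rec = json.loads(raw)
    ev, host = f"irs:event/{event_id}", f"irs:host/{rec['host']}"
    kg.add(ev, "rdf:type", "irs:Event")
    kg.add(ev, "irs:eventType", rec["event"])
    kg.add(ev, "irs:image", rec["image"])
    kg.add(ev, "irs:parentImage", rec["parent"])
    kg.add(ev, "irs:onHost", host)
    kg.add(ev, "irs:source", "edr")
    kg.add(host, "rdf:type", "irs:Host")
    return ev


def ingest_rules(kg, rules):
    """Store the rules repository in the graph as Rule nodes with condition nodes."""
    for r in rules:
        rid = f"irs:rule/{r['id']}"
        kg.add(rid, "rdf:type", "irs:Rule")
        kg.add(rid, "irs:response", r["response"])
        for i, (field, value) in enumerate(r["when"].items()):
            cond = f"{rid}/cond{i}"
            kg.add(rid, "irs:hasCondition", cond)
            kg.add(cond, "irs:onPredicate", FIELD_TO_PREDICATE[field])
            kg.add(cond, "irs:equals", value)


def plan_responses(kg):
    """Match every Event against every Rule; each plan lists the triples that fired it."""
    plans = []
    for ev in sorted(kg.subjects_of_type("irs:Event")):
        for rid in sorted(kg.subjects_of_type("irs:Rule")):
            evidence = []
            for cond in kg.objects(rid, "irs:hasCondition"):
                pred = next(iter(kg.objects(cond, "irs:onPredicate")))
                want = next(iter(kg.objects(cond, "irs:equals")))
                if want in kg.objects(ev, pred):
                    evidence.append((ev, pred, want))   # explainability: why it matched
                else:
                    evidence = None                     # one failed condition rejects the rule
                    break
            if evidence:
                plans.append({"rule": rid, "event": ev,
                              "host": next(iter(kg.objects(ev, "irs:onHost"))),
                              "response": next(iter(kg.objects(rid, "irs:response"))),
                              "evidence": evidence})
    return plans


def build_demo():
    """Onboard both constructed sources plus the rules, then plan responses."""
    kg = KnowledgeGraph()
    ingest_syslog(kg, SYSLOG_LINE, 1)
    ingest_edr_json(kg, EDR_JSON, 2)
    ingest_rules(kg, RULES)
    return plan_responses(kg)


if __name__ == "__main__":
    for plan in build_demo():
        print(plan["response"], "on", plan["host"], "because", plan["evidence"])
```

The point of keeping the rules in the graph rather than in application code is that onboarding a third source only requires a new normaliser that emits the shared predicates; the rules and the matcher are untouched, and the `evidence` list gives a human reviewer the exact triples behind each proposed response.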
Abstract (translated)
Cyberattacks are becoming increasingly difficult to detect and prevent because of their complexity. In response, Autonomous Intelligent Cyber-defense Agents (AICAs) are emerging as one of the key solutions. One prominent AICA is the Intrusion Response System (IRS), which is critical for mitigating risk once a threat has been detected. The IRS uses a variety of Tactics, Techniques, and Procedures (TTPs) to mitigate attacks and restore normal operation of the infrastructure. Continuous monitoring of the enterprise infrastructure is an important technique among the TTPs the IRS uses. However, each system serves a different purpose to meet operational needs. Integrating these disparate sources for continuous monitoring increases pre-processing complexity and limits automation, ultimately prolonging the critical response time and giving attackers more opportunity to exploit vulnerabilities. We propose a unified Intrusion Response System Knowledge Graph ontology (IRSKG) that simplifies the integration of new enterprise systems as data sources for AICAs. Our ontology can capture system monitoring logs and supplemental data, such as a rules repository containing administrator-defined policies that decide IRS responses. In addition, our ontology allows us to incorporate dynamic changes to adapt to the continuously evolving cyber-threat landscape. This robust yet concise design enables machine learning models to train effectively and to autonomously restore a compromised system to its desired state while remaining explainable.
URL
https://arxiv.org/abs/2411.15672