Ontology-based Attack Graph Enrichment
Kéren Saint-Hilaire, Frédéric Cuppens, Nora Cuppens, Joaquin Garcia-Alfaro

TL;DR
This paper presents an ontology-based method to enrich and update logical attack graphs in cybersecurity, incorporating real-time attack evidence and network changes to improve threat assessment accuracy.
Contribution
It introduces a semantic augmentation process for attack graphs, enabling dynamic updates based on attack evidence and network modifications, enhancing their relevance and accuracy.
Findings
Enriched attack graphs reflect real-time attack evidence.
Dynamic updates improve threat detection accuracy.
Validated approach in cyber-physical security for smart cities.
Abstract
Attack graphs provide a representation of the possible actions that adversaries can perpetrate to attack a system. They are used by cybersecurity experts to make decisions, e.g., to decide on remediation and recovery plans. Different approaches can be used to build such graphs. We focus on logical attack graphs, based on predicate logic, to define the causality of adversarial actions. Since networks and vulnerabilities are constantly changing (e.g., new applications get installed on system devices, updated services get publicly exposed, etc.), we propose to enrich the attack graph generation approach with a semantic augmentation post-processing of the predicates. Graphs are then mapped to monitoring alerts that confirm successful attack actions, and updated according to network and vulnerability changes. As a result, predicates get periodically updated, based on attack evidence and ontology…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Advanced Malware Detection Techniques
