IRSKG: Unified Intrusion Response System Knowledge Graph Ontology for Cyber Defense
Damodar Panigrahi, Shaswata Mitra, Subash Neupane, Sudip Mittal, Benjamin A. Blakely

TL;DR
This paper introduces IRSKG, a unified knowledge graph ontology for intrusion response systems that enhances integration, automation, and adaptability in cyber defense, enabling more effective autonomous threat mitigation.
Contribution
The paper presents a novel ontology that unifies disparate monitoring sources and policies, improving automation and adaptability of intrusion response systems in cybersecurity.
Findings
Enables effective training of machine learning models for cyber defense
Supports dynamic updates to adapt to evolving threats
Facilitates autonomous system recovery with explainability
Abstract
Cyberattacks are becoming increasingly difficult to detect and prevent due to their sophistication. In response, Autonomous Intelligent Cyber-defense Agents (AICAs) are emerging as crucial solutions. One prominent AICA agent is the Intrusion Response System (IRS), which is critical for mitigating threats after detection. An IRS uses several Tactics, Techniques, and Procedures (TTPs) to mitigate attacks and restore the infrastructure to normal operations. Continuous monitoring of the enterprise infrastructure is an essential TTP the IRS relies on. However, each monitoring system serves a different purpose to meet operational needs. Integrating these disparate sources for continuous monitoring increases pre-processing complexity and limits automation, which prolongs the critical response window that attackers can exploit. We propose a unified IRS Knowledge Graph ontology (IRSKG) that streamlines the…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Complex Network Analysis Techniques
Methods: Ontology
