Toward an Intent-Based and Ontology-Driven Autonomic Security Response in Security Orchestration Automation and Response
Zequan Huang, Jacques Robin, Nicolas Herbaut, Nourhène Ben Rabah, Bénédicte Le Grand

TL;DR
This paper introduces an ontology-driven, intent-based framework for enhancing autonomous security responses in SOAR platforms, integrating high-level cyber defense intents with decision-theoretic automation for adaptive attack mitigation.
Contribution
It proposes a unified ontology-driven security intent model and a two-tiered methodology for integrating these intents into decision-theoretic autonomic cyber defense systems.
Findings
Demonstrates integration within next-gen SOAR platforms.
Shows improved flexibility and persistency in automated responses.
Validates approach through a practical use case.
Abstract
Modern Security Orchestration, Automation, and Response (SOAR) platforms must rapidly adapt to continuously evolving cyber attacks. Intent-Based Networking has emerged as a promising paradigm for cyber attack mitigation through high-level declarative intents, which offer greater flexibility and persistency than procedural actions. In this paper, we bridge the gap between two active research directions: Intent-Based Cyber Defense and Autonomic Cyber Defense, by proposing a unified, ontology-driven security intent definition leveraging the MITRE-D3FEND cybersecurity ontology. We also propose a general two-tiered methodology for integrating such security intents into decision-theoretic Autonomic Cyber Defense systems, enabling hierarchical and context-aware automated response capabilities. The practicality of our approach is demonstrated through a concrete use case, showcasing its…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Information and Cyber Security
