Dependability

Cyberthreat risk identification based on constructing entity-event ontologies from publicly available texts

https://doi.org/10.21683/1729-2646-2020-20-3-53-60

Abstract

Aim. Of the methods currently used to ensure cyber security, the most productive are traffic analysis, malware detection, prevention of unauthorised access to internal networks, incident analysis and other methods of protecting the corporate perimeter. The efficiency of these methods, however, depends on the timeliness and quality of threat data. The aim of the paper is to study ways of improving cyber threat awareness and the capability to analyse texts from open sources for the purpose of predicting cyberattacks, identifying and monitoring new threats, detecting zero-day vulnerabilities before they are made public, and discovering leaks.

Methods. Publicly available knowledge on cyber security is acquired by continuously collecting data from the Internet (including parts of its non-indexed segment and specialised sources) and from other public networks (including a large number of specialised resources and sites on the Tor network). The collected texts, in various languages, are analysed with natural language processing methods to extract entities and events, which are then grouped into canonical entities and events; all of this information is used to continuously update a subject-matter entity-event ontology. The ontology includes the general forms of entities and events needed for context, and specialised forms of entities and events for cyber security purposes (technical identifiers, attack vectors, attack surfaces, hashes, etc.). Such an ontology can serve as a knowledge base and support structured queries by cyber security analysts.

Results. The proposed method, and the system built on it, can be used for analysing computer security information, for monitoring, for detecting zero-day vulnerabilities before they are made public, and for discovering leaks. The information retrieved by the system can serve as highly informative features in statistical models. These features served as the basis for a classifier that estimates the risk that an exploit exists for a specific vulnerability, and for an IP address scoring system that can be used for automatic blocking. In addition, a method was developed for risk-based ranking of events and entities associated with cyber threats; it allows identifying, within the abundance of available information, the entities and events that require special attention, and taking timely and appropriate preventive measures.

Conclusion. The proposed method is of direct practical value for the problems of analytics, risk-based ranking and monitoring of cyber threats, and can be used for analysing large volumes of text and for producing informative features that improve the quality of machine learning models used in computer security.
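The pipeline the abstract describes (extract technical identifiers from collected texts, fold surface forms into canonical entities, attach them to events, answer structured queries over the resulting index, and rank entities by risk) is illustrated below in Python. This is an added example for this page, not the paper's implementation: the regular expressions, the event cue lists, the scoring weights and the sample feed are assumptions constructed for the example (the CVE numbers are placeholders, the IP addresses come from documentation ranges, and the hash is SHA-256 of the empty string). The paper's own classifier and IP scoring are statistical models; the additive score here stands in for them only to show where the extracted features go.

```python
"""Entity-event extraction, canonicalisation and risk ranking over open-source text.

Added illustration; not the paper's code. Patterns, cues, weights and the
sample feed are assumptions made for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Entity = Tuple[str, str]  # (kind, canonical value)

# Specialised entity types of the ontology: technical identifiers.
PATTERNS = {
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE),
}

# Event types recognised from whole-word lexical cues, with a risk weight each.
# Cue lists and weights are assumptions for this example. Checked in order.
EVENT_CUES: Dict[str, Tuple[Tuple[str, ...], float]] = {
    "exploit_available": (("exploit", "poc", "proof of concept"), 3.0),
    "active_scanning": (("scanning", "brute force", "probing"), 2.0),
    "patch_released": (("patched", "patch", "fixed"), -1.0),
    "mention": ((), 0.5),  # fallback when no cue fires
}


def canonical(kind: str, raw: str) -> Entity:
    """Fold surface forms (cve-2020-…, mixed-case hashes) into one canonical entity."""
    if kind == "cve":
        return (kind, raw.upper())
    if kind in ("sha256", "md5"):
        return (kind, raw.lower())
    return (kind, raw)


def extract_entities(text: str) -> List[Entity]:
    found = [canonical(k, m.group(0)) for k, p in PATTERNS.items() for m in p.finditer(text)]
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def classify_event(text: str) -> str:
    low = text.lower()
    for etype, (cues, _) in EVENT_CUES.items():
        if any(re.search(r"\b" + re.escape(c) + r"\b", low) for c in cues):
            return etype
    return "mention"


@dataclass
class Event:
    source: str
    date: str
    etype: str
    entities: List[Entity]


class EntityEventOntology:
    """Continuously updated index from canonical entities to the events that mention them."""

    def __init__(self) -> None:
        self.events: List[Event] = []
        self.by_entity: Dict[Entity, List[int]] = defaultdict(list)

    def ingest(self, source: str, date: str, text: str) -> Event:
        ev = Event(source, date, classify_event(text), extract_entities(text))
        self.events.append(ev)
        for ent in ev.entities:
            self.by_entity[ent].append(len(self.events) - 1)
        return ev

    def co_occurring(self, entity: Entity) -> Set[Entity]:
        """Structured query: which other entities appear in the same events?"""
        linked: Set[Entity] = set()
        for i in self.by_entity.get(entity, []):
            linked.update(self.events[i].entities)
        linked.discard(entity)
        return linked

    def risk_score(self, entity: Entity) -> float:
        """Sum of event weights, plus 1.0 for each additional independent source."""
        idxs = self.by_entity.get(entity, [])
        base = sum(EVENT_CUES[self.events[i].etype][1] for i in idxs)
        sources = {self.events[i].source for i in idxs}
        return base + max(0, len(sources) - 1) * 1.0

    def ranked(self, kind: Optional[str] = None) -> List[Tuple[Entity, float]]:
        """Risk-based ranking of all entities (or one kind), highest first."""
        ents = [e for e in self.by_entity if kind is None or e[0] == kind]
        return sorted(((e, self.risk_score(e)) for e in ents), key=lambda x: (-x[1], x[0]))


# Constructed sample feed: (source, date, text). Not real observations.
SAMPLE_FEED = [
    ("forum-a", "2020-03-01",
     "Working PoC exploit for cve-2020-99991 published, targets the admin endpoint."),
    ("paste-b", "2020-03-02",
     "Mass scanning for CVE-2020-99991 observed from 203.0.113.45; dropped payload "
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("vendor-c", "2020-03-03",
     "Advisory: CVE-2020-99992 is fixed in release 4.2, update available for all customers."),
    ("blog-d", "2020-03-04", "Background on CVE-2020-99992 and its root cause in the parser."),
    ("paste-b", "2020-03-05", "Brute force attempts from 203.0.113.45 and 198.51.100.7 against SSH."),
]


def build_demo() -> EntityEventOntology:
    onto = EntityEventOntology()
    for src, date, text in SAMPLE_FEED:
        onto.ingest(src, date, text)
    return onto


if __name__ == "__main__":
    onto = build_demo()
    for ent, score in onto.ranked():
        print(f"{score:5.1f}  {ent[0]:7s} {ent[1]}")
    print("linked to CVE-2020-99991:", onto.co_occurring(("cve", "CVE-2020-99991")))
```

Running the block ranks the placeholder CVE with a public PoC and observed scanning first (score 6.0: two events from two independent sources), the scanning IP second (4.0), and the patched CVE last (0.5). `ranked("ipv4")` gives the per-address list an automatic blocking rule would threshold on, and `co_occurring` is the kind of structured query an analyst would issue against the ontology. The whole-word cue matching avoids the obvious false positive of "exploit" firing on "exploitation", but any such lexical stand-in is far weaker than the NLP extraction and statistical models the paper relies on.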

About the Author

M. K. Ridley
Moscow Aviation Institute (National Research University)
Russian Federation

Michael K. Ridley, post-graduate student

Moscow



For citations:


Ridley M.K. Cyberthreat risk identification based on constructing entity-event ontologies from publicly available texts. Dependability. 2020;20(3):53-60. https://doi.org/10.21683/1729-2646-2020-20-3-53-60


This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 1729-2646 (Print)
ISSN 2500-3909 (Online)