Abstract

In 2012, Google first proposed the knowledge graph and applied it to intelligent search. Since then, knowledge graphs have been used for in-depth association analysis in many fields, and in recent years composite attacks have been discovered through association analysis in cyber security. This paper proposes an attack analysis framework for cyber-attack and defense test platforms. It stores prior knowledge in a cyber security knowledge graph and an attack rule base as data a computer can interpret, sets the analysis time interval on the Spark framework, and then mines attack chains from massive data under spatiotemporal constraints, balancing automated analysis against real-time, accurate performance. The experimental results show that the analysis accuracy depends on the completeness of the cyber security knowledge graph and on the precision of the detection results from security equipment. With the reasonable expectation that more attacks will be exposed and security equipment will be upgraded faster, it is necessary and meaningful to continually improve the cyber security knowledge graph in the attack analysis framework.

Highlights

  • The knowledge graph was proposed by Google in 2012 and successfully applied to search engines afterwards [1]

  • The number of simulated attacks is denoted as F1, the number of single-step attacks obtained by matching against the security knowledge graph as F2, the number of effective single-step attacks obtained by matching against the scene knowledge graph as F3, the number of invalid attacks as F4, the number of attacks obtained by association analysis as F5, the number of analyzed attacks that successfully match a simulated attack as F6, and the efficiency of the attack analysis as R

  • The core of this paper is to apply a cyber security knowledge graph to attack analysis, which is divided into a security knowledge graph and a scene knowledge graph

Summary

Introduction

The knowledge graph was proposed by Google in 2012 and successfully applied to search engines afterwards [1]. The scene knowledge graph is built from all available information about the current attack. Attack analysis in this paper presupposes an understanding of the general steps of a cyber-attack test together with security-analysis experience, supported by the detection results of security devices and the characteristics of the attacks. This involves a lot of manual work, and because experience differs from analyst to analyst, the time and accuracy of the analysis differ as well. After association analysis (using the composite attack rule base and spatiotemporal attribute constraints) of the effective single-step attacks, the single-step attacks belonging to the same composite attack are associated with one another and output in the form of attack chains.
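The association step described above, as an added illustration that is not code from the paper: a hypothetical composite-attack rule base lists each composite attack as an ordered sequence of single-step attack types, and effective single-step detections are chained only when they follow that order, fall within a time window of the previous step (time constraint), and continue from the previous step's hosts (space constraint). The alert fields, rule names and sample detections are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Alert:
    """One effective single-step attack detection (constructed schema)."""
    ts: datetime
    src: str
    dst: str
    step: str  # single-step attack type from the security knowledge graph

# Hypothetical composite-attack rule base: ordered single-step sequences.
RULES = {
    "recon-to-exfil": ["port_scan", "brute_force", "lateral_move", "exfiltration"],
    "web-takeover": ["web_scan", "sql_injection", "webshell_upload"],
}

def mine_chains(alerts, rules, window):
    """Return [(rule_name, [Alert, ...])] for every fully matched rule.
    A step extends a partial chain only if it is the rule's next step, occurs
    after the previous step but no later than `window` after it, and its source
    host is the previous step's destination or source (spatiotemporal constraint)."""
    alerts = sorted(alerts, key=lambda a: a.ts)
    chains = []
    for name, steps in rules.items():
        partial = []  # growing candidate chains, each a list of alerts
        for a in alerts:
            for chain in list(partial):  # iterate over a copy while extending
                prev = chain[-1]
                if (a.step == steps[len(chain)]
                        and prev.ts < a.ts <= prev.ts + window
                        and a.src in (prev.dst, prev.src)):
                    new = chain + [a]
                    if len(new) == len(steps):
                        chains.append((name, new))
                    else:
                        partial.append(new)
            if a.step == steps[0]:
                partial.append([a])  # every first-step alert may start a chain
    return chains

# Constructed sample detections: one genuine chain plus two decoys that share a
# step type but violate the time window or the host-continuity constraint.
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_ALERTS = [
    Alert(T0, "10.0.0.5", "10.0.0.20", "port_scan"),
    Alert(T0 + timedelta(minutes=3), "10.0.0.5", "10.0.0.20", "brute_force"),
    Alert(T0 + timedelta(minutes=4), "10.0.0.77", "10.0.0.20", "brute_force"),
    Alert(T0 + timedelta(minutes=9), "10.0.0.20", "10.0.0.30", "lateral_move"),
    Alert(T0 + timedelta(minutes=15), "10.0.0.30", "203.0.113.9", "exfiltration"),
    Alert(T0 + timedelta(hours=5), "10.0.0.30", "203.0.113.9", "exfiltration"),
]

if __name__ == "__main__":
    for name, chain in mine_chains(SAMPLE_ALERTS, RULES, timedelta(minutes=30)):
        print(name, [f"{a.src}->{a.dst}:{a.step}" for a in chain])
```

Shrinking the window (the "time interval of analysis" from the abstract) to five minutes drops the chain entirely, which is the trade-off between real-time response and completeness the paper discusses.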

Related Work
Attack Analysis Framework
Security Knowledge Graph
Example
Scene Knowledge Graph
Threat
Set Frequency Threshold
Set Number Threshold
Attack Rule Base
3.3.3 Evaluation
Detection Results are Partially Correct
Test and Result Analysis
Verify the Validity of Self-Defined Reasoning Rules
Verify
Conclusions