Abstract

Cyber-physical systems cover a wide range of applications, many of them in critical infrastructure, and cybersecurity attacks on them are becoming more and more threatening. Currently, most comprehensive analysis of compound attacks depends on the experience of security analysts. To improve the efficiency and accuracy of compound attack research, this paper introduces a knowledge graph into compound attack detection and constructs a cybersecurity knowledge graph based on the knowledge of known attacks. The cybersecurity knowledge graph can carry out correlation analysis on real-time data to restore the attack process. The main work of this paper is to construct the cybersecurity knowledge graph and to apply it to mining compound attacks automatically. In addition, a multi-dimensional data association analysis algorithm based on a dynamic clustering mechanism, and an attack chain complementation-pruning method based on optimal reaching path queries, are proposed to address the low efficiency of correlation analysis caused by redundant data and the problem of missing and erroneous entries in the collected data. Experiments show that the cybersecurity knowledge graph construction method and the attack chain complementation-pruning method proposed in this paper improve the accuracy and efficiency of attack chain mining.

Full Text
Published version (Free)
