Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Related Work
References
All Topics
Computer Science
Machine Learning

Ontology-Driven Data Semantics Discovery for Cyber-Security

Profile image of Sarah KushnerSarah KushnerProfile image of Marcello BalducciniMarcello Balduccini
https://doi.org/10.1007/978-3-319-19686-2_1
visibility

description

16 pages

link

1 file

Abstract

We present an architecture for data semantics discovery capable of extracting semantically-rich content from human-readable files without prior specification of the file format. The architecture, based on work at the intersection of knowledge representation and machine learning , includes machine learning modules for automatic file format identification , tokenization, and entity identification. The process is driven by an ontology of domain-specific concepts. The ontology also provides an abstraction layer for querying the extracted data. We provide a general description of the architecture as well as details of the current implementation. Although the architecture can be applied in a variety of domains, we focus on cyber-forensics applications, aiming to allow one to parse data sources, such as log files, for which there are no readily-available parsing and analysis tools, and to aggregate and query data from multiple , diverse systems across large networks. The key contributions of our work are: the development of an architecture that constitutes a substantial step toward solving a highly-practical open problem; the creation of one of the first comprehensive ontologies of cyber assets; the development and demonstration of an innovative, non-trivial combination of declarative knowledge specification and machine learning.

Related papers

An Ontology-Based Forensic Analysis Tool
mohammed alzaabi

The analysis of forensic investigation results has generally been identified as the most complex phase of a digital forensic investigation. This phase becomes more complicated and time consuming as the storage capacity of digital devices is increasing, while at the same time the prices of those devices are decreasing. Although there are some tools and techniques that assist the investigator in the analysis of digital evidence, they do not adequately address some of the serious challenges, particularly with the time and effort required to conduct such tasks. In this paper, we consider the use of semantic web technologies and in particular the ontologies, to assist the investigator in analyzing digital evidence. A novel ontology-based framework is proposed for forensic analysis tools, which we believe has the potential to influence the development of such tools. The framework utilizes a set of ontologies to model the environment under investigation. The evidence extracted from the environment is initially annotated using the Resource Description Framework (RDF). The evidence is then merged from various sources to identify new and implicit information with the help of inference engines and classification mechanisms. In addition, we present the ongoing development of a forensic analysis tool to analyze content retrieved from Android smart phones. For this purpose, several ontologies have been created to model some concepts of the smart phone environment.

View PDFchevron_right
Annual ADFSL Conference on Digital Forensics , Security and Law 2013 Jun 12 th , 8 : 45 AM An Ontology-Based Forensic Analysis Tool
Andy Jones

2017

The analysis of forensic investigation results has generally been identified as the most complex phase of a digital forensic investigation. This phase becomes more complicated and time consuming as the storage capacity of digital devices is increasing, while at the same time the prices of those devices are decreasing. Although there are some tools and techniques that assist the investigator in the analysis of digital evidence, they do not adequately address some of the serious challenges, particularly with the time and effort required to conduct such tasks. In this paper, we consider the use of semantic web technologies and in particular the ontologies, to assist the investigator in analyzing digital evidence. A novel ontology-based framework is proposed for forensic analysis tools, which we believe has the potential to influence the development of such tools. The framework utilizes a set of ontologies to model the environment under investigation. The evidence extracted from the env...

View PDFchevron_right
An Intelligent Forensic Framework towards Cloud: Its Ontological Aspects
SUCHANA DATTA

International Journal of Computer Applications, 2016

Cloud Computing, a relatively new concept and all its associated methodologies offer uncountable advantages nowadays. These advantages range from integrating different systems, offering guarantee over searching mean distribution and to software tools integration, used by various cloud service providers and consumers. So all these provisions are not only making our lives easier but attract lots of intruders and malicious actors to perform various cloud crimes. This paper aims to contribute towards the design of an ontology based cloud forensic framework with a view to identify the malicious actors. The proposed framework consists of mainly two components-Ontology-Enabled Forensic Blackboard (OFB) and Ontology-Enabled Forensic Controller and Processor (OFCP). The main function of OFB is to communicate with the investigators after receiving the classified crime incident scene collected from VM snapshots where ontology base is used spontaneously to distribute the investigators" request for proper information relevant to the investigation. Whereas, the function of the OFCP is to interact with different Cloud Malicious Actor Identifier (CMAI) so that accurate information can be gathered based on the distributed request with the help of a meta-ontology framework that acquire and restructure data using different AI reasoning tools and finally the mapping with its corresponding requests is done.

View PDFchevron_right
Ontological Engineering Approach Towards Botnet Detection in Network Forensics
Amandeep Verma

INTERNATIONAL JOURNAL OF COMPUTERS & TECHNOLOGY

The abundance in the usage of Internet, in every arena of life from social to personal, commercial to domestic and other aspects of life as well, leads the rise in cybercrime at an upsetting speed. More illegal activities as a result of cyber crime, reason to tempts many network attacks and threats. Network forensics is the branch of fornesics that deals in the detection of network attacks. Botnet is one of the most common attacks, but hazardos. It  is a network of hacked computers It  involves the capturing, storing and then analysis of the network packets, in order to identify the source of the attack.  Various methods based on this approach for botnet detection are suggested in literature but there is no generalized method to represent the basic methodology used by any of the botnet detection method. With such guidelines, the comparison among the various implementations, a roadmap for the new implementation, development of reusable implementations can be addressed. According...

View PDFchevron_right
Developing cyberspace data understanding
Gilbert Peterson

Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research - CSIIRW '10, 2010

Current intrusion detection systems (IDS) generate a large number of specific alerts, but do not provide actionable information. Many times, these alerts must be analyzed by a network defender, a time consuming and tedious task which can occur hours or days after an attack. Improved understanding of the cyberspace domain can lead to great advancements in cyberspace situational awareness research and development. This thesis applies the Cross Industry Standard Process for Data Mining (CRISP-DM) to develop an understanding about a host system under attack. Data is generated by launching scans and exploits at a machine outfitted with a set of hostbased data collectors. Through knowledge discovery, features are identified within the data collected which can be used to enhance host-based intrusion detection. By discovering relationships between the data collected and controlled events, false positive alerts were reduced by over 91% when compared to a leading open source IDS. This method of searching for hidden forensic evidence relationships enhances understanding of novel attacks and vulnerabilities, bolstering ones ability to defend the cyberspace domain. The methodology presented in this thesis, as well as the features identified, can be used to further situational awareness research. iv Dedicated to Grammy and Grampy, who have filled my childhood and beyond with warm and happy memories.

View PDFchevron_right
A target-centric ontology for intrusion detection
Tim Finin

2003

Abstract We have produced an ontology specifying a model of computer attack. Our ontology is based upon an analysis of over 4,000 classes of computer intrusions and their corresponding attack strategies and is categorized according to: system component targeted, means of attack, consequence of attack and location of attacker. We argue that any taxonomic characteristics used to define a computer attack be limited in scope to those features that are observable and measurable at the target of the attack.

View PDFchevron_right
A cyber forensics ontology: Creating a new approach to studying cyber forensics
Marcus Rogers

Digital Investigation, 2006

Ontology Model Cyber forensics Curriculum Certification Specialization a b s t r a c t

View PDFchevron_right
Mind the Gap: On Bridging the Semantic Gap between Machine Learning and Information Security
Nick Johnson

ArXiv, 2020

Despite the potential of Machine learning (ML) to learn the behavior of malware, detect novel malware samples, and significantly improve information security (InfoSec) we see few, if any, high-impact ML techniques in deployed systems, notwithstanding multiple reported successes in open literature. We hypothesize that the failure of ML in making high-impacts in InfoSec are rooted in a disconnect between the two communities as evidenced by a semantic gap---a difference in how executables are described (e.g. the data and features extracted from the data). Specifically, current datasets and representations used by ML are not suitable for learning the behaviors of an executable and differ significantly from those used by the InfoSec community. In this paper, we survey existing datasets used for classifying malware by ML algorithms and the features that are extracted from the data. We observe that: 1) the current set of extracted features are primarily syntactic, not behavioral, 2) datase...

View PDFchevron_right
DIALOG: A framework for modeling, analysis and reuse of digital forensic knowledge
Mohand Kechadi

Digital Investigation, 2009

This paper presents DIALOG (Digital Investigation Ontology); a framework for the management, reuse, and analysis of Digital Investigation knowledge. DIALOG provides a general, application independent vocabulary that can be used to describe an investigation at different levels of detail. DIALOG is defined to encapsulate all concepts of the digital forensics field and the relationships between them. In particular, we concentrate on the Windows Registry, where registry keys are modeled in terms of both their structure and function. Registry analysis software tools are modeled in a similar manner and we illustrate how the interpretation of their results can be done using the reasoning capabilities of ontology.

View PDFchevron_right
Knowledge Sharing and Reuse in Digital Forensics
Patrick Hayes

2010

Digital investigation involves examining large volumes of data from heterogeneous sources. We offer a framework for facilitating examination and synthesis of this mountain of data using ontology matching and machine learning technology.

View PDFchevron_right

References (15)

  1. S. Alspaugh, B. Chen, J. Lin, A. Ganapathi, M. Hearst, and R. Katz, "Analyzing log analysis: an empirical study of user log mining," in Conference on Large Installation System Administration (LISA), 2014.
  2. A. Bartoli, G. Davanzo, A. De Lorenzo, M. Mauri, E. Medvet, and E. Sorio, "Auto- matic Synthesis of Regular Expressions from Examples with Genetic Programming," Proceedings of the 14th Annual Conference Companion on Genetic and Evolution- ary Computation, 2012.
  3. L. Bitincka, A. Ganapathi, S. Sorkin, and S. Zhang, "Optimizing data analysis with a semistructured time series database," in Proceedings of the 2010 workshop on managing systems via log analysis and machine learning techniques (SLAML '10), 2010.
  4. W. Cui, M. Peinado, K. Chen, H. J. Wang, and L. Irun-Briz, "Tupni: Automatic reverse engineering of input formats," in Proceedings of the 15th ACM Conference on Computer and Communications Security, ACM, 2008.
  5. A. Doan, P. Domingos, and A. Y. Halevy, "Reconciling Schemas of Disparate Data Sources: A Machine-Learning Approach," ACM SIGMOD Record, vol. 30, no. 2, p. 509-520, 2001.
  6. K. F. White, D. Walker, K. Q. Zhu, and Peter, "From dirt to shovels: fully automatic tool generation from ad hoc data," ACM SIGPLAN Notices, vol. 43, no. 1, p. 421- 434, 2008.
  7. K. Fisher, D. Walker, and K. Q. Zhu, "LearnPADS: automatic tool generation from ad hoc data," in Proceedings of the 2008 ACM SIGMOD International Conference on Management of Data, p. 1299-1302, 2008.
  8. K. Fisher and D. Walker, "The PADS project: an overview," in Proceedings of the 14th International Conference on Database Theory, 2011, ACM, 2011.
  9. S. Hangal, "Seaview: Using Fine-Grained Type Inference to Aid Log File Analysis." (2011).
  10. V. Le and S. Gulwani, "FlashExtract: A framework for data extraction by ex- amples." Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation. ACM, 2014.
  11. B. Scholkopf, et. al., "Estimating the support of a high-dimensional distribution," Neural Computation, vol. 13, no. 7, pp. 1443-1471, 2001.
  12. W. Shang, M. Nagappan, A. E. Hassan, and Z. M. Jiang, "Understanding Log Lines Using Developmental Knowledge," in 2014 IEEE International Conference on Software Maintenance and Evolution, 2014.
  13. R. J. Walls, E. G. Learned-Miller, and B. N. Levine, "Forensic Triage for Mobile Phones with DEC0DE," in USENIX Security Symposium, 2011.
  14. Wu, Lin and Weng, "Probability estimates for multi-class classification by pairwise coupling," JMLR 5:975-1005, 2004.
  15. D. Yuan, H. Mai, W. Xiong, L. Tan, Y. Zhou, and S. Pasupathy, "SherLog: er- ror diagnosis by connecting clues from run-time logs," ACM SIGARCH Computer Architecture News, vol. 38, no. 1, p. 143-154, 2010.

Related papers

Ontology-based Intelligent Network-Forensics Investigation
Sherif Saad

We propose, in this paper, a new ontology for network forensics analysis. The proposed ontology is the first cyber forensics to integrate both network forensics domain knowledge and problem solving knowledge. As such it can be used as a knowledge-base for developing sophisticated intelligent network forensics systems to support complex chain of reasoning. We use a real life network intrusion scenario to show how our ontology can be integrated and used in intelligent network forensics systems.

View PDFchevron_right
Semantic Representation and Integration of Digital Evidence
Oliver Popov

Procedia Computer Science, 2013

The ever-increasing complexity and sophistication of computer and network attacks challenge society's dependability on digital infrastructure. Digital investigations recover and reconstruct the digital trails of such events and may employ practices from various subfields (computer, network forensics), each with its own set of techniques and tools. Integration of evidence from heterogeneous sources of data (e.g. disk images, network packet captures, logs) is often a manual and timeconsuming process relying significantly on the investigator's expertise. In this paper, we propose and develop an approach, based on the Semantic Web framework, for ontologically representing and integrating digital evidence. The presented approach enhances existing forensic analysis techniques by providing partial and eventually full automation of the investigative process.

View PDFchevron_right
A Semantic Approach for Semi-Automatic Detection of Sensitive Data
C. Du Mouza

We propose an innovative approach and its implementation as an expert system to achieve the semiautomatic detection of candidate attributes for scrambling sensitive data. Our approach is based on semantic rules that determine which concepts have to be scrambled, and on a linguistic component that retrieves the attributes that semantically correspond to these concepts. Because attributes cannot be considered independently from each other, we also address the challenging problem of the propagation of the scrambling process through the entire database. One main contribution of our approach is to provide a semi-automatic process for the detection of sensitive data. The underlying knowledge is made available through production rules, operationalizing the detection of the sensitive data. A validation of our approach using four different databases is provided.

View PDFchevron_right
Semantic Modelling of Digital Forensic Evidence
tahar Kechadi

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2011

The reporting of digital investigation results are traditionally carried out in prose and in a large investigation may require successive communication of findings between different parties. Popular forensic suites aid in the reporting process by storing provenance and positional data but do not automatically encode why the evidence is considered important. In this paper we introduce an evidence management methodology to encode the semantic information of evidence. A structured vocabulary of terms, ontology, is used to model the results in a logical and predefined manner. The descriptions are application independent and automatically organised. The encoded descriptions aim to help the investigation in the task of report writing and evidence communication and can be used in addition to existing evidence management techniques.

View PDFchevron_right
Semantic forensics: An application of ontological semantics to information assurance
Christian F. Hempelmann

Proceedings of the …, 2004

The paper deals with the latest application of natural language processing (NLP), specifically of ontological semantics (ONSE) to natural language information assurance and security (NL IAS). It demonstrates how the existing ideas, methods, and resources of ontological ...

View PDFchevron_right

Related topics

  • Classification (Machine Learning)
  • Semantic Web technology - Ontolo...
  • Declarative Programming
  • Knowledge Representation and Rea...

    • Cited by

    Reachability Matrix Ontology: A Cybersecurity Ontology
    Nicole Dalia Cilia

    Applied Artificial Intelligence, 2019

    In this paper, we describe the Reachability Matrix Ontology (RMO). RMO aims to describe the networks and the cybersecurity domain in order to compute the reachability information (reachability matrix). Reachability Matrix determines if a node can reach another node (via ISO/OSI layers protocol). To achieve this objective RMO describes the network's elements, the network connectivity information, and the access control policies. RMO also provides some SWRL rules able to calculate the Reachability Matrix. Besides RMO and SWRL rules, there are also a set of SPARQL queries to refine the computation of the Reachability Matrix. To the best of our knowledge, RMO represents an innovative approach to the computation of the reachability matrix. Following we will describe our approach based on a strategy that exploits a combination of OWL, description logic rules and SPARQL queries.

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved