Ontology-based Attack Graph Enrichment
This work addresses the need for dynamic attack graph updates in cybersecurity, particularly for cyber-physical systems in smart cities, but it is incremental as it builds on existing logical attack graph methods.
The paper tackles the problem of outdated attack graphs in cybersecurity by enriching them with semantic augmentation and real-time monitoring data, resulting in updated predicates that verify if network changes allow attackers to achieve their goals or cause additional damage.
Attack graphs provide a representation of possible actions that adversaries can perpetrate to attack a system. They are used by cybersecurity experts to make decisions, e.g., to decide remediation and recovery plans. Different approaches can be used to build such graphs. We focus on logical attack graphs, based on predicate logic, to define the causality of adversarial actions. Since networks and vulnerabilities are constantly changing (e.g., new applications get installed on system devices, updated services get publicly exposed, etc.), we propose to enrich the attack graph generation approach with a semantic augmentation post-processing of the predicates. Graphs are now mapped to monitoring alerts confirming successful attack actions and updated according to network and vulnerability changes. As a result, predicates get periodically updated, based on attack evidences and ontology enrichment. This allows to verify whether changes lead the attacker to the initial goals or to cause further damage to the system not anticipated in the initial graphs. We illustrate the approach under the specific domain of cyber-physical security affecting smart cities. We validate the approach using existing tools and ontologies.