Knowledge Graph for Cybersecurity: An Introduction By Kabul Kurniawan
1. Knowledge Graph for Cybersecurity: an Introduction
Presented By:
Kabul Kurniawan, S.Kom, M.Cs.
At: As-Salam Leaders Talk (ALT)
Vienna, 02/05/2021
2. Outline:
• Knowledge Graph
• Cybersecurity
• Knowledge graph for Cybersecurity
• Use Case
Knowledge Graph for Cybersecurity: an Introduction by Kabul Kurniawan 2
4. Google Knowledge Graph – Things not Strings
https://blog.google/products/search/introducing-knowledge-graph-things-not/
5. Google Knowledge Graph – Things not Strings
6. Resource Description Framework (RDF)
• Graph-based data model
• Subject-predicate-object triples
• Use of URIs as globally unique identifiers
8. RDF-Graph
[Diagram: :Kabul --:hasColleague--> :Guntur]
• Object of one statement may be the subject of another statement
• The result is a directed labelled (multi-)graph
• The object of a triple is a resource or a literal
9. RDF-Graph
[Diagram: :Kabul --:hasColleague--> :Guntur; :Kabul --:studyAt--> :UniWien]
• Object of one statement may be the subject of another statement
• The object of a triple is a resource or a literal
• The result is a directed labelled (multi-)graph
10. RDF-Graph
[Diagram: :Kabul --:hasColleague--> :Guntur; :Kabul --:studyAt--> :UniWien; :Guntur --:studyAt--> :UniWien]
• Object of one statement may be the subject of another statement
• The object of a triple is a resource or a literal
• The result is a directed labelled (multi-)graph
11. RDF-Serialization
RDF (Turtle):
@prefix : <http://example.org#> .
:Kabul :hasColleague :Guntur ;
       :studyAt :UniWien .
:Guntur :studyAt :UniWien .

[Diagram: :Kabul --:hasColleague--> :Guntur; :Kabul --:studyAt--> :UniWien; :Guntur --:studyAt--> :UniWien]

N-Triples:
<http://example.org#Kabul> <http://example.org#hasColleague> <http://example.org#Guntur> .
<http://example.org#Kabul> <http://example.org#studyAt> <http://example.org#UniWien> .
<http://example.org#Guntur> <http://example.org#studyAt> <http://example.org#UniWien> .

How do we manipulate an RDF graph?
12. SPARQL (SPARQL Protocol and RDF Query Language)
Lets us:
• Retrieve and manipulate data stored in RDF
• Explore data by querying unknown relationships
• Perform complex joins of disparate databases in a single, simple query
• Etc.
13. SPARQL Query Example
[Diagram: :Kabul --:hasColleague--> :Guntur; :Kabul --:studyAt--> :UniWien; :Guntur --:studyAt--> :UniWien]
SPARQL Query: Who is Kabul's colleague?
PREFIX : <http://example.org#>
SELECT ?o
WHERE {
  :Kabul :hasColleague ?o
}
Result:
?o
:Guntur
14. SPARQL Query Example:
SPARQL Query: Where does Kabul study?
PREFIX : <http://example.org#>
SELECT ?o
WHERE {
  :Kabul :studyAt ?o
}
Result:
?o
:UniWien
[Diagram: :Kabul --:hasColleague--> :Guntur; :Kabul --:studyAt--> :UniWien; :Guntur --:studyAt--> :UniWien]
15. SPARQL Query
[Diagram: :Kabul --:hasColleague--> :Guntur; :Kabul --:studyAt--> :UniWien; :Guntur --:studyAt--> :UniWien]
SPARQL Query: Who studies at UniWien?
PREFIX : <http://example.org#>
SELECT ?s
WHERE {
  ?s :studyAt :UniWien
}
Result:
?s
:Kabul
:Guntur
16. Background Linking:
[Diagram: Datasource 1 (Internal): :Kabul --:hasColleague--> :Guntur; :Kabul --:studyAt--> :UniWien; :Guntur --:studyAt--> :UniWien. Datasource 2 (External, DBpedia): dp:University_Of_Vienna --dbo:City--> dp:Vienna --dbo:Country--> dp:Austria. Link: :UniWien --owl:sameAs--> dp:University_Of_Vienna]
Data sources can vary and be located in different places.
Linking connects the existing graph to internal or external background knowledge.
How can we retrieve data from multiple heterogeneous data sources?
18. SPARQL Query Federation : Example
Query: In which city do Kabul and Guntur study?
PREFIX : <http://example.org#>
PREFIX owl: <http://www.w3.org/2002/07/owl#>
PREFIX dbo: <http://dbpedia.org/ontology/>
SELECT ?s ?city
WHERE {
  ?s :studyAt ?o .
  SERVICE <http://dbpedia.org/sparql> {
    ?o owl:sameAs ?org .
    ?org dbo:city ?city .   # dbo:city is the DBpedia property; dbo:City is the class
  }
}
Results:
?s      ?city
:Kabul  dp:Vienna
:Guntur dp:Vienna
[Diagram: Datasource 1 (Internal): :Kabul --:hasColleague--> :Guntur; :Kabul --:studyAt--> :UniWien; :Guntur --:studyAt--> :UniWien. Datasource 2 (External, DBpedia): dp:University_Of_Vienna --dbo:City--> dp:Vienna --dbo:Country--> dp:Austria. Link: :UniWien --owl:sameAs--> dp:University_Of_Vienna]
19. Datasource 2 (External) DBPedia
Query: Construct triples indicating the city where Kabul and Guntur work.
PREFIX : <http://example.org#>
PREFIX owl: <http://www.w3.org/2002/07/owl#>
PREFIX dbo: <http://dbpedia.org/ontology/>
CONSTRUCT { ?s :liveIn ?city . }
WHERE {
  ?s :studyAt ?o .
  SERVICE <http://dbpedia.org/sparql> {
    ?o owl:sameAs ?org .
    ?org dbo:city ?city .   # dbo:city is the DBpedia property; dbo:City is the class
  }
}
[Diagram: Datasource 1: :Kabul --:hasColleague--> :Guntur; :Kabul --:studyAt--> :UniWien; :Guntur --:studyAt--> :UniWien; :UniWien --owl:sameAs--> dp:University_Of_Vienna --dbo:City--> dp:Vienna --dbo:Country--> dp:Austria; new edges :Kabul --:liveIn--> dp:Vienna and :Guntur --:liveIn--> dp:Vienna]
Result:
subject  predicate  object
:Kabul   :liveIn    dp:Vienna
:Guntur  :liveIn    dp:Vienna
CONSTRUCT query: generates new triples from existing ones, based on a given graph pattern.
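The queries of slides 13 to 19 worked end to end, as an added example that is not code from the talk or from the author's tools: a small N-Triples parser and in-memory triple store, basic-graph-pattern matching with joins on shared variables, the SERVICE join of slide 18 simulated against a constructed stand-in for DBpedia, and the CONSTRUCT of slide 19. It assumes the slides' `dp:` prefix expands to `http://dbpedia.org/resource/`, uses the DBpedia property `dbo:city`, and the "external" triples are constructed inline rather than fetched from the endpoint. Standard library only, no rdflib.

```python
"""Minimal RDF triple store with SPARQL-style basic-graph-pattern matching,
SERVICE-style federation and CONSTRUCT (added example, standard library only)."""
import re

EX = "http://example.org#"
DP = "http://dbpedia.org/resource/"    # assumed expansion of the slides' dp: prefix
DBO = "http://dbpedia.org/ontology/"
OWL = "http://www.w3.org/2002/07/owl#"

# Constructed input: the internal graph of slide 11, in N-Triples syntax.
INTERNAL_NT = f"""
<{EX}Kabul> <{EX}hasColleague> <{EX}Guntur> .
<{EX}Kabul> <{EX}studyAt> <{EX}UniWien> .
<{EX}Guntur> <{EX}studyAt> <{EX}UniWien> .
"""
# Constructed stand-in for the external DBpedia source of slide 16; a real
# query would fetch these via SERVICE <http://dbpedia.org/sparql>.
EXTERNAL_NT = f"""
<{EX}UniWien> <{OWL}sameAs> <{DP}University_Of_Vienna> .
<{DP}University_Of_Vienna> <{DBO}city> <{DP}Vienna> .
<{DP}Vienna> <{DBO}country> <{DP}Austria> .
"""

NT_LINE = re.compile(r'^<([^>]*)>\s+<([^>]*)>\s+(<[^>]*>|"(?:[^"\\]|\\.)*")\s*\.$')

def parse_ntriples(text):
    """Parse the N-Triples subset on the slides (IRI terms, plain literals).
    IRIs are stored without <>, literals keep their quotes."""
    triples = set()
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = NT_LINE.match(line)
        if not m:
            raise ValueError(f"malformed N-Triples line: {line}")
        s, p, o = m.groups()
        triples.add((s, p, o[1:-1] if o.startswith("<") else o))
    return triples

def is_var(term):
    return term.startswith("?")

def match_pattern(triples, pattern, binding):
    """Yield every extension of `binding` under which `pattern` matches a
    triple; terms beginning with '?' are variables."""
    for triple in triples:
        b = dict(binding)
        for term, value in zip(pattern, triple):
            if is_var(term):
                if b.setdefault(term, value) != value:  # already bound differently
                    break
            elif term != value:
                break
        else:
            yield b

def bgp(triples, patterns, bindings=None):
    """Evaluate a basic graph pattern by nested-loop joins on shared variables,
    starting from existing solutions (the empty solution by default)."""
    bindings = [{}] if bindings is None else bindings
    for pat in patterns:
        bindings = [b2 for b in bindings for b2 in match_pattern(triples, pat, b)]
    return bindings

def select(variables, bindings):
    """Project solutions onto `variables`, as a set of result rows."""
    return {tuple(b[v] for v in variables) for b in bindings}

def construct(template, bindings):
    """Instantiate each template pattern per solution, yielding new triples."""
    return {tuple(b[t] if is_var(t) else t for t in pat) for b in bindings for pat in template}

def run_slide_queries():
    internal = parse_ntriples(INTERNAL_NT)
    external = parse_ntriples(EXTERNAL_NT)
    results = {
        # Slide 13: SELECT ?o WHERE { :Kabul :hasColleague ?o }
        "colleague": select(["?o"], bgp(internal, [(EX + "Kabul", EX + "hasColleague", "?o")])),
        # Slide 14: SELECT ?o WHERE { :Kabul :studyAt ?o }
        "study_at": select(["?o"], bgp(internal, [(EX + "Kabul", EX + "studyAt", "?o")])),
        # Slide 15: SELECT ?s WHERE { ?s :studyAt :UniWien }
        "students": select(["?s"], bgp(internal, [("?s", EX + "studyAt", EX + "UniWien")])),
    }
    # Slides 18/19: local part first, then the SERVICE block joined against the
    # remote graph with the local bindings carried over.
    local = bgp(internal, [("?s", EX + "studyAt", "?o")])
    joined = bgp(external, [("?o", OWL + "sameAs", "?org"), ("?org", DBO + "city", "?city")], local)
    results["city"] = select(["?s", "?city"], joined)
    results["live_in"] = construct([("?s", EX + "liveIn", "?city")], joined)
    return results

if __name__ == "__main__":
    for name, rows in run_slide_queries().items():
        print(name, sorted(rows))
```

The nested-loop join makes the SERVICE semantics visible: every solution of the local pattern is shipped to the remote side. Against a public endpoint that means the IRIs of internal assets leave the organisation with each federated query, so for security knowledge graphs the background knowledge is usually mirrored locally (as the constructed `EXTERNAL_NT` does here) rather than queried live.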
21. Cybersecurity & Information Security
Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks [1].
Information Security: the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information [2].
[1] https://www.kaspersky.com/resource-center/definitions/what-is-cyber-security
[2] https://www.geeksforgeeks.org/what-is-information-security
22. Cybersecurity Risks
Serious impact:
• Business process disruptions
• Sensitive data theft
• Privacy loss
• Decreased trustworthiness
• Reputational damage
• etc.
https://www.linkedin.com/pulse/data-exfiltration-do-you-know-where-your-antonio-fernandes/
23. ATT&CK Matrix for Enterprise
https://attack.mitre.org/
24. ATT&CK Model
Source: MITRE ATT&CK: Design and Philosophy
25. ATT&CK Model: Example
Source: MITRE ATT&CK: Design and Philosophy
26. Related Cybersecurity Information/Tool
• CTI (Cyber Threat Intelligence)
• ICT asset information
• Log data / traces
• SIEM / tools / AV
• Analyst
Open questions: integration, contextualization?, interpretation?
29. Semantic Log Analysis (Architecture)
Kurniawan K., Ekelhart A., Ekaputra F., Kiesling E. (2020) Cross-Platform File System Activity Monitoring and Forensics – A Semantic Approach. In: Hölbl M., Rannenberg K., Welzer T. (eds) ICT Systems Security and Privacy Protection. SEC 2020. IFIP Advances in Information and Communication Technology, vol 580. Springer, Cham. https://doi.org/10.1007/978-3-030-58201-2_26
30. Log Extraction & KG Construction
Raw log data (example):
Apr 9 09:37:47 kabul-VirtualBox systemd[1]: Mounted Huge Pages File System.

Extracted log data:
{
  "timestamp": "2018-04-09T07:37:47.000Z",
  "message": "Mounted Huge Pages File System",
  "program": "systemd",
  "host": "kabul-VirtualBox",
  "pid": "1",
  ...
}

Other technique(s) for unstructured logs:
- Named Entity Recognition
- Entity Resolution
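The extraction step of this slide as an added example (not the pipeline from the paper the previous slide cites): parse the raw syslog line shown above into the structured record, then emit N-Triples for the knowledge graph. BSD syslog lines carry neither year nor timezone, so both are parameters here, defaulting to 2018 and UTC+2, which reproduce the slide's `07:37:47.000Z` from the local `09:37:47`. The vocabulary IRIs under `http://example.org/log#` are invented for this example. Log text is untrusted input, so it only ever lands in escaped literals and percent-encoded IRIs.

```python
"""Syslog line -> structured record -> RDF triples (added example, stdlib only)."""
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Raw log line as shown on the slide.
RAW_LINE = "Apr 9 09:37:47 kabul-VirtualBox systemd[1]: Mounted Huge Pages File System."

# BSD syslog: "Mon DD HH:MM:SS host program[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) +(?P<time>\d{2}:\d{2}:\d{2}) +"
    r"(?P<host>\S+) +(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?(?P<message>.*)$"
)

def parse_syslog(line, year=2018, utc_offset_hours=2):
    """Return the slide's record. The year and UTC offset are assumptions the
    caller must supply because the syslog timestamp does not carry them."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD-syslog line: {line!r}")
    local = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    stamp = local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "timestamp": stamp,
        "message": m["message"].rstrip("."),
        "program": m["program"],
        "host": m["host"],
        "pid": m["pid"],          # None when the line has no [pid]
    }

# Hypothetical vocabulary for the example graph.
EX = "http://example.org/log#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
XSD = "http://www.w3.org/2001/XMLSchema#"

def iri(value):
    return f"<{value}>"

def literal(value, datatype=None):
    """N-Triples literal with backslash, quote, LF and CR escaped, so that
    untrusted log text cannot break out of the literal or inject triples."""
    text = (str(value).replace("\\", "\\\\").replace('"', '\\"')
            .replace("\n", "\\n").replace("\r", "\\r"))
    return f'"{text}"' + (f"^^<{datatype}>" if datatype else "")

def event_to_ntriples(event, event_id):
    """Emit one N-Triples line per fact; host and program become resources
    (percent-encoded in the IRI) so later queries can join on them."""
    subj = iri(EX + event_id)
    host = iri(EX + "host/" + quote(event["host"], safe=""))
    prog = iri(EX + "program/" + quote(event["program"], safe=""))
    triples = [
        (subj, iri(RDF_TYPE), iri(EX + "LogEvent")),
        (subj, iri(EX + "timestamp"), literal(event["timestamp"], XSD + "dateTime")),
        (subj, iri(EX + "message"), literal(event["message"])),
        (subj, iri(EX + "originatesFrom"), host),
        (subj, iri(EX + "producedBy"), prog),
        (prog, iri(EX + "hostedOn"), host),
    ]
    if event["pid"] is not None:
        triples.append((subj, iri(EX + "pid"), literal(event["pid"], XSD + "integer")))
    return [f"{s} {p} {o} ." for s, p, o in triples]

if __name__ == "__main__":
    record = parse_syslog(RAW_LINE)
    print(json.dumps(record, indent=2))
    print("\n".join(event_to_ntriples(record, "evt1")))
```

The timezone parameter is the point a forensic analyst cares about most: correlating this host's events with a Windows workstation (slide 33) only works once both are normalised to UTC, and a wrong offset silently shifts every join by hours.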
32. Use Case: Log analysis and Exploration
33. Use Case: File Access History
[Figure: query evaluation, result and visualization of file access history across a FileServer (Linux) and a Workstation (Windows)]
34. Use Case: Stream Detection
[Figure: stream detection pipeline with the analyst, the cybersecurity knowledge base and internal background knowledge; query evaluation and result]
35. Summary
• Knowledge Graphs provide a flexible graph representation and support integration, contextualization and linking.
• SPARQL can be used to manipulate RDF graphs and to perform query federation and semantic integration.
• Cybersecurity information is complex, heterogeneous and dispersed across resources.
• Knowledge Graphs can potentially be used to address cybersecurity challenges (e.g. resource integration, log analysis, monitoring, etc.).
36. Related Topic…
• Distributed Analysis (Decentralization)
• Scalable (Stream) Log Analysis
• Attack Graph Discovery and Construction
• Anomaly detection (combination with machine learning)
• Etc.
37. Thank you:
Twitter: @kabulkurniawan
Web: kabulkurniawan.github.io
Email: kabulkurniawan@gmail.com