CSIHO: An Ontology for Computer Security Incident Handling

  • Guilherme Baesso Moreira (IME)
  • Vanusa Menditi Calegario (Centro Dom Vital)
  • Julio Cesar Duarte (IME)
  • Anderson Fernandes Pereira dos Santos (IME)

Abstract

Advances in information technology over the last decades have made society increasingly dependent on computer systems and Internet-based services. This complex and dynamic scenario makes cyber defense initiatives more challenging: although industry invests considerable effort in information security, incidents continue to grow in both frequency and severity. The primary objective of this work is to present a new model for incident handling, described as an ontology, that is easily extended and integrated with other models, supports logical inference, and simplifies knowledge transfer in a collaborative cyber defense context. Its main contribution is the Computer Security Incident Handling Ontology (CSIHO), implemented in OWL. To demonstrate the applicability of the ontology, SPARQL queries were written for competency questions derived from CSIHO. As far as we know, CSIHO is the first cyber security ontology that focuses on incident handling, defines and implements the fundamental concepts of security events, and also supports recording the temporal aspects of an incident.
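As an added illustration, not code from the paper and not CSIHO's own vocabulary, the following SPARQL 1.1 fragment shows the pattern the abstract describes: a small OWL-typed incident graph whose events and incidents carry xsd:dateTime timestamps, followed by two competency questions expressed as SPARQL queries. Every class and property under the ex: prefix (ex:Incident, ex:SecurityEvent, ex:hasEvent, ex:occurredAt, ex:detectedAt, ex:containedAt) and all incident data are hypothetical and constructed for this example.

```sparql
# Added example, not from the CSIHO paper. The ex: vocabulary below is hypothetical.
# Submit each request separately to a SPARQL 1.1 endpoint (for example Apache Jena
# Fuseki), repeating the PREFIX block in front of each one.

PREFIX ex:   <http://example.org/csih#>
PREFIX rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
PREFIX owl:  <http://www.w3.org/2002/07/owl#>
PREFIX xsd:  <http://www.w3.org/2001/XMLSchema#>

# --- Request 1: OWL schema fragment plus constructed sample data -----------------
INSERT DATA {
  # An incident is composed of security events; every timestamp is a typed
  # xsd:dateTime so that temporal order can be queried with plain comparisons.
  ex:Incident      a owl:Class .
  ex:SecurityEvent a owl:Class .
  ex:hasEvent      a owl:ObjectProperty ;
                   rdfs:domain ex:Incident ; rdfs:range ex:SecurityEvent .
  ex:occurredAt    a owl:DatatypeProperty ;
                   rdfs:domain ex:SecurityEvent ; rdfs:range xsd:dateTime .
  ex:detectedAt    a owl:DatatypeProperty ;
                   rdfs:domain ex:Incident ; rdfs:range xsd:dateTime .
  ex:containedAt   a owl:DatatypeProperty ;
                   rdfs:domain ex:Incident ; rdfs:range xsd:dateTime .

  # Constructed incident 1: a ransomware outbreak, detected and later contained.
  ex:inc_0001 a ex:Incident ;
    rdfs:label     "Ransomware outbreak on file server" ;
    ex:detectedAt  "2018-05-14T09:15:00Z"^^xsd:dateTime ;
    ex:containedAt "2018-05-14T13:40:00Z"^^xsd:dateTime ;
    ex:hasEvent    ex:evt_a , ex:evt_b , ex:evt_c .
  ex:evt_a a ex:SecurityEvent ; rdfs:label "Phishing e-mail delivered" ;
    ex:occurredAt "2018-05-12T16:02:00Z"^^xsd:dateTime .
  ex:evt_b a ex:SecurityEvent ; rdfs:label "Malicious attachment executed" ;
    ex:occurredAt "2018-05-12T16:09:00Z"^^xsd:dateTime .
  ex:evt_c a ex:SecurityEvent ; rdfs:label "Mass file encryption on SMB share" ;
    ex:occurredAt "2018-05-14T08:50:00Z"^^xsd:dateTime .

  # Constructed incident 2: detected but not yet contained; its only recorded
  # event was observed after detection.
  ex:inc_0002 a ex:Incident ;
    rdfs:label    "Credential abuse on VPN gateway" ;
    ex:detectedAt "2018-05-20T10:00:00Z"^^xsd:dateTime ;
    ex:hasEvent   ex:evt_d .
  ex:evt_d a ex:SecurityEvent ; rdfs:label "Lateral movement attempt" ;
    ex:occurredAt "2018-05-20T11:30:00Z"^^xsd:dateTime .
}

# --- Request 2, CQ1: "Which events of each incident happened before the incident
# was detected?"  This is the dwell-time window an analyst reconstructs at triage.
SELECT ?incident ?event ?label ?occurred ?detected
WHERE {
  ?incident a ex:Incident ;
            ex:detectedAt ?detected ;
            ex:hasEvent   ?event .
  ?event    ex:occurredAt ?occurred ;
            rdfs:label    ?label .
  FILTER (?occurred < ?detected)
}
ORDER BY ?incident ?occurred

# --- Request 3, CQ2: "For each incident, how many events are recorded, when did the
# earliest one occur, and has the incident been contained?"  OPTIONAL keeps
# incidents without ex:containedAt in the result instead of dropping them.
SELECT ?incident ?detected
       (COUNT(?event)     AS ?eventCount)
       (MIN(?occurred)    AS ?firstEvent)
       (BOUND(?contained) AS ?isContained)
WHERE {
  ?incident a ex:Incident ;
            ex:detectedAt ?detected ;
            ex:hasEvent   ?event .
  ?event    ex:occurredAt ?occurred .
  OPTIONAL { ?incident ex:containedAt ?contained }
}
GROUP BY ?incident ?detected ?contained
ORDER BY ?detected
```

Two practical caveats. SPARQL 1.1 defines ordering and comparison of xsd:dateTime values, which is what both queries rely on, but it does not define subtraction of one dateTime from another, so a duration such as dwell time or time-to-containment has to be computed in the client or through an engine-specific extension function. And the OWL domain/range axioms in Request 1 are not constraints: a triple store will happily accept an ex:occurredAt on a resource that is not an ex:SecurityEvent, so input validation has to happen before data reaches the graph (or through SHACL shapes), not by relying on the ontology.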

Published
25/10/2018
MOREIRA, Guilherme Baesso; CALEGARIO, Vanusa Menditi; DUARTE, Julio Cesar; SANTOS, Anderson Fernandes Pereira dos. CSIHO: An Ontology for Computer Security Incident Handling. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 18., 2018, Natal. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2018. p. 1-14. DOI: https://doi.org/10.5753/sbseg.2018.4239.