DOI: 10.1145/3498891.3501259
research-article
Open access

Beyond NVD: Cybersecurity meets the Semantic Web.

Published: 27 December 2021

Abstract

Cybersecurity experts rely on the knowledge stored in databases like the NVD to do their work, but these are not the only sources of information about threats and vulnerabilities. Much of that information flows through social media channels. In this paper we argue that security experts and general users alike can benefit from the technologies of the Semantic Web, merging heterogeneous sources of knowledge in an ontological representation. We present a system that has an ontology of vulnerabilities at its core, but that is enhanced with NLP tools to identify cybersecurity-related information in social media and to launch queries over heterogeneous data sources. The transformative power of Semantic Web technologies for cybersecurity, which has been proven in the biomedical field, is evaluated and discussed.

Published In

NSPW '21: Proceedings of the 2021 New Security Paradigms Workshop
October 2021
122 pages
ISBN: 9781450385732
DOI: 10.1145/3498891
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cybersecurity
  2. neural networks
  3. nlp
  4. ontology
  5. social media

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

NSPW '21
NSPW '21: New Security Paradigms Workshop
October 25 - 28, 2021
Virtual Event, USA

Acceptance Rates

Overall Acceptance Rate 98 of 265 submissions, 37%

Article Metrics

  • Downloads (Last 12 months): 416
  • Downloads (Last 6 weeks): 37
Reflects downloads up to 19 Nov 2024

Cited By

  • (2023) Towards Cybersecurity Risk Assessment Automation: an Ontological Approach. 2023 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), 0628-0635. DOI: 10.1109/DASC/PiCom/CBDCom/Cy59711.2023.10361456. Online publication date: 14-Nov-2023
  • (2022) Sustainable Risk Identification Using Formal Ontologies. Algorithms 15:9 (316). DOI: 10.3390/a15090316. Online publication date: 2-Sep-2022
  • (2022) Vulnerability prediction for secure healthcare supply chain service delivery. Integrated Computer-Aided Engineering 29:4 (389-409). DOI: 10.3233/ICA-220689. Online publication date: 1-Jan-2022
  • (2022) On the impact of security vulnerabilities in the npm and RubyGems dependency networks. Empirical Software Engineering 27:5. DOI: 10.1007/s10664-022-10154-1. Online publication date: 1-Sep-2022
