An Ontology for Cyber Incident Root Cause Analysis from Event Logs

Abstract:

Digital transformation, combined with the constant growth of technology, has made cyber-incident analysis from massive and heterogeneous event logs more complex and more time-consuming. Security analysts need, more than ever, cognitive guidance and support to carry out their activities effectively. As far as we are aware, there exists neither a single knowledge source where they could seek the knowledge they lack, nor any approach that guides or supports their reasoning. The contribution of this paper constitutes a first step towards a solution to this issue. We propose an ontology that contains the knowledge security analysts need to carry out investigation activities efficiently within massive and heterogeneous event logs. We then show how we exploit it in the approach we proposed as part of a national project dedicated to this issue.