Software Engineering Institute

This presentation was given at FloCon 2023, an annual conference that focuses on applying any and all collected data to defend enterprise networks.

Knowledge graphs (KGs) are a fast trending topic offering much promise to security monitoring and remediation efforts. Starting with a brief introduction to KGs for beginners, the core value proposition of KGs to security will be framed. The talk will include emerging developments of interest to those with existing experience. In addition to the application of KGs to security monitoring and remediation, a broader security perspective on the application of KGs to detect abuse and misinformation will be given.

For beginners, a brief introduction to KGs will be provided, summarizing the core value propositions. KGs are graph-based data representations that embody semantic context in complex domains. KGs are applied in many industries and evidence much promise for improving security monitoring and detection.

Although KGs trace back more than two decades to the semantic web (and much further back in terms of the concept of ontologies), it has been only recently that a combination of best practices, technical tools, development platforms (cloud in particular), and computing power have converged to make KGs a commonly viable prospect.

In the realm of security, we have witnessed the growth of cyber ontologies and the emergence of tools utilizing graph-based representations of infrastructure, attacks, and defensive plays. Given the fundamental substrate of technical networks in security, there is a natural affinity to storing network representations and interactions in graph form.

KGs, in particular, address a blind spot in machine learning (ML) for security -- namely, the limitation of correlation-not-causation. Whereas many common ML algorithms rely upon extrapolated correlations, there is a growing recognition that focused security detection and remediation require context regarding the connection between entities surfaced in data representations.

Detection and remediation depend on an understanding of the interleaving of networks, devices, users, roles, organizations, and (increasingly) content. KGs are uniquely capable of encoding and analyzing overlapping complex security contexts.

Recognizing that KGs have a long history, current developments will be situated with reference to past understanding. The talk will conclude with a perspective on emerging developments, including the extended security context of misinformation and abuse.

In terms of the genesis of this talk, the observation that KGs hold great promise to security practice arose from a FloCon-inspired 2018-2021 research project on trends in the application of data science to security. The results of this research were published as ‘Cybersecurity Data Science’ (Mongeau & Hajdasinski, 2021). Therein, KGs surfaced as a niche but notable trend. The growth of cyber ontologies in particular pointed toward the promising ability to combine structured knowledge representations with machine learning.

Starting with a brief introduction to KGs, this presentation will introduce key value propositions of KGs to security. An examination of prior art will frame current efforts. The talk will balance newcomer interests with insights relevant to those with KG experience. The conclusion will extrapolate to emerging developments and prospects.

Key learning points include:

• What are knowledge graphs (KGs)?
• Why are KGs suddenly a hot topic?
• How are KGs relevant to security?
• How are KGs being applied now?
• How do KGs address the extended security context of misinformation?
• What are the best practices in security KG proof-of-concept (PoC) and operationalization efforts?
• Where do we see security KGs developing in the future?

The larger foundation for this talk rests upon guidance surfaced in the FloCon-inspired research project and Springer publication, ‘Cybersecurity Data Science: Best Practices in an Emerging Profession’ (Mongeau & Hajdasinski, 2021).