
Matching Knowledge Graphs for Cybersecurity Countermeasures Selection

  • Conference paper
  • Science of Cyber Security (SciSec 2024)

Abstract

As cyberattacks continue to increase, detecting attacks and performing remediation actions is essential. This paper presents an approach to automate the selection of countermeasures for a vulnerability exploitation performed by a cyberattack. We propose matching two knowledge graphs: one derived from a vulnerability ontology, the Vulnerability Description Ontology (VDO), and the other the countermeasures knowledge graph D3FEND, in order to mitigate the impact of cyberattacks. Our approach uses machine learning and an inference system to match entities from VDO and D3FEND and to select candidate countermeasures for an attack. Our contribution aims to automatically select countermeasures intended to become part of an incident response playbook for a vulnerability. We show the application of our approach to a WannaCry use-case scenario, and we validate the countermeasure selection by comparing the automatically selected countermeasures with those proposed in the literature for a WannaCry attack.


Notes

  1. https://github.com/usnistgov/vulntology.

  2. https://d3fend.mitre.org/.

  3. https://attack.mitre.org/.

  4. https://github.com/phDimplKS/graph-matching.

References

  1. Adamov, A., Carlsson, A.: The state of ransomware. Trends and mitigation techniques. In: 2017 IEEE East-West Design & Test Symposium (EWDTS), pp. 1–8 (2017)

  2. Aljaidi, M., et al.: NHS WannaCry ransomware attack: technical explanation of the vulnerability, exploitation, and countermeasures. In: 2022 International Engineering Conference on Electrical, Energy, and Artificial Intelligence (EICEEAI), pp. 1–6. IEEE (2022)

  3. Alshaikh, H., Ramadan, N., Ahmed, H.: Ransomware prevention and mitigation techniques. Int. J. Comput. Appl. 177(40), 31–39 (2020)

  4. Azmy, M., Shi, P., Lin, J., Ilyas, I.F.: Matching entities across different knowledge graphs with graph embeddings. arXiv preprint arXiv:1903.06607 (2019)

  5. Booth, H., Turner, C.: Vulnerability description ontology (VDO): a framework for characterizing vulnerabilities. Technical report, National Institute of Standards and Technology (2016)

  6. CCCS: Security control catalogue (2012). https://www.cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33

  7. CIS: CIS critical security controls (2024). https://www.cisecurity.org/controls

  8. Doynikova, E., Kotenko, I.: Countermeasure selection based on the attack and service dependency graphs for security incident management. In: Risks and Security of Internet and Systems: 10th International Conference, CRiSIS 2015, Mytilene, Lesbos Island, Greece, 20–22 July 2015, Revised Selected Papers 10, pp. 107–124. Springer (2016)

  9. Emek, Y., Kutten, S., Shalom, M., Zaks, S.: Hierarchical b-matching. In: Bureš, T., et al. (eds.) SOFSEM 2021. LNCS, vol. 12607, pp. 189–202. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-67731-2_14

  10. Gupta, M., Rees, J., Chaturvedi, A., Chi, J.: Matching information security vulnerabilities to organizational security profiles: a genetic algorithm approach. Decis. Support Syst. 41(3), 592–603 (2006)

  11. Hogan, A., et al.: Knowledge graphs. ACM Comput. Surv. 54(4) (2021). https://doi.org/10.1145/3447772

  12. Horridge, M., Knublauch, H., Rector, A., Stevens, R., Wroe, C.: A practical guide to building OWL ontologies using the Protégé-OWL plugin and CO-ODE tools, edition 1.0. University of Manchester (2004)

  13. Hung, B.W.K., Jayasumana, A.P., Bandara, V.W.: Detecting radicalization trajectories using graph pattern matching algorithms. In: 2016 IEEE Conference on Intelligence and Security Informatics (ISI), pp. 313–315 (2016)

  14. Kaloroumakis, P.E., Smith, M.J.: Toward a knowledge graph of cybersecurity countermeasures. Technical report (2021)

  15. Kotenko, I., Doynikova, E.: Countermeasure selection in SIEM systems based on the integrated complex of security metrics. In: 2015 23rd Euromicro International Conference on Parallel, Distributed, and Network-Based Processing, pp. 567–574. IEEE (2015)

  16. Li, Z., Zeng, J., Chen, Y., Liang, Z.: AttackG: constructing technique knowledge graph from cyber threat intelligence reports. In: European Symposium on Research in Computer Security, pp. 589–609. Springer (2022)

  17. Ma, L., Zhang, Y.: Using word2vec to process big text data. In: 2015 IEEE International Conference on Big Data (Big Data), pp. 2895–2897. IEEE (2015)

  18. Malik, A.W., Anwar, Z., Rahman, A.U.: A novel framework for studying the business impact of ransomware on connected vehicles. IEEE Internet Things J. 10(10), 8348–8356 (2023). https://doi.org/10.1109/JIOT.2022.3209687

  19. Mos, M.A., Chowdhury, M.M.: The growing influence of ransomware. In: 2020 IEEE International Conference on Electro Information Technology (EIT), pp. 643–647 (2020). https://doi.org/10.1109/EIT48999.2020.9208254

  20. Nespoli, P., Papamartzivanos, D., Gómez Mármol, F., Kambourakis, G.: Optimal countermeasures selection against cyber attacks: a comprehensive survey on reaction frameworks. IEEE Commun. Surv. Tutor. 20(2), 1361–1396 (2018). https://doi.org/10.1109/COMST.2017.2781126

  21. Park, Y., Reeves, D., Mulukutla, V., Sundaravel, B.: Fast malware classification by automated behavioral graph matching. In: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research, CSIIRW 2010. Association for Computing Machinery, New York (2010)

  22. Pershina, M., Yakout, M., Chakrabarti, K.: Holistic entity matching across knowledge graphs. In: 2015 IEEE International Conference on Big Data (Big Data), pp. 1585–1590. IEEE (2015)

  23. Portisch, J., Costa, G., Stefani, K., Kreplin, K., Hladik, M., Paulheim, H.: Ontology matching through absolute orientation of embedding spaces. In: The Semantic Web: ESWC 2022 Satellite Events, Hersonissos, Crete, Greece, 29 May–2 June 2022, Proceedings, pp. 153–157. Springer (2022)

  24. Ristoski, P., Paulheim, H.: RDF2Vec: RDF graph embeddings for data mining. In: Groth, P., et al. (eds.) ISWC 2016. LNCS, vol. 9981, pp. 498–514. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-46523-4_30

  25. Saint-Hilaire, K., Cuppens, F., Cuppens, N., Garcia-Alfaro, J.: Automated enrichment of logical attack graphs via formal ontologies. In: Meyer, N., Grocholewska-Czuryło, A. (eds.) ICT Systems Security and Privacy Protection, pp. 59–72. Springer, Cham (2024). https://doi.org/10.1007/978-3-031-56326-3_5

  26. Saint-Hilaire, K., Cuppens, F., Cuppens-Boulahia, N., Hadji, M.: Optimal automated generation of playbooks. In: 38th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2024) (2024)

  27. Šulc, V.: Current ransomware trends. In: International Days of Science, vol. 31 (2021)

  28. Swarup, V.: Remediation graphs for security patch management. In: IFIP International Information Security Conference, pp. 17–28. Springer (2004)

  29. Viduto, V., Maple, C., Huang, W., López-Peréz, D.: A novel risk assessment and optimisation model for a multi-objective network security countermeasure selection problem. Decis. Support Syst. 53(3), 599–610 (2012)

  30. Zhang, Y., Jin, R., Zhou, Z.H.: Understanding bag-of-words model: a statistical framework. Int. J. Mach. Learn. Cybern. 1, 43–52 (2010)


Acknowledgements

This work was supported by the Mitacs Accelerate International program, IRT SystemX, and the Cyber Resilience of Transport Infrastructure and Supply Chains (CRITiCAL) Chair.

Author information

Corresponding author: Kéren A. Saint-Hilaire.

Appendix A Additional Background Definitions

Word2Vec. Word2Vec [17] is a popular word embedding model used to address the limitations of the bag-of-words model [30], a type of vector space model that simplifies the representation of text data in Natural Language Processing (NLP) and Information Retrieval (IR). A bag-of-words vector represents a text by the occurrences of words within the document. In Word2Vec, each token becomes a dense vector of a fixed, predetermined length.

RDF2Vec. RDF2Vec, created by Ristoski et al. [24], is an unsupervised technique built on Word2Vec. RDF2Vec first creates sentences that can be fed to Word2Vec by extracting walks of a given depth from a KG, and then trains the embedding on those sentences. Each entity in the KG is thus represented by a vector of latent numerical features. Entities are matched by computing the similarity of these vectors with a distance metric.

Cosine Similarity. Cosine similarity is a metric for comparing vectors when only their orientation, not their magnitude, matters. Mathematically, it is the cosine of the angle between two vectors in a multi-dimensional space. Given two vectors A and B, their cosine similarity is computed with Formula 1.

$$\begin{aligned} \cos (AB)=\frac{A \cdot B}{\|A\| \, \|B\|} \end{aligned}$$
(1)

where \(A \cdot B\) is the dot product of the vectors A and B, \(\|A\|\) and \(\|B\|\) are the lengths (magnitudes) of A and B, and \(\|A\| \, \|B\|\) is the ordinary product of those two magnitudes.

If \(A=B\), \(\cos (AB)=1\); in this case A and B are fully similar. If \(A \cdot B=0\), which happens when the vectors are orthogonal or when one or both of them are zero vectors, \(\cos (AB)=0\); in this case A and B share nothing. If A and B point in opposite directions, \(A \cdot B\) is negative and so is \(\cos (AB)\); in this case A and B are opposite.

Precision. Precision measures the fraction of positive predictions that are correct. It is calculated by dividing the number of true positive predictions (TP) by the number of all positive predictions, i.e. true positives (TP) plus false positives (FP).

$$ \text{Precision}=\frac{TP}{TP+FP} $$

Recall. Recall gives the percentage of the actual positive instances that the model recovers. It is the number of correctly predicted positives divided by the total number of positives (true positives plus false negatives (FN)).

$$ \text{Recall}=\frac{TP}{TP+FN} $$

F1 Score. Neither precision nor recall alone is enough to evaluate a machine learning model. The F1 score combines precision and recall into a single value and therefore gives a better overall evaluation of model performance. It is calculated as follows:

$$ \text{F1 Score}=2 \cdot \frac{\text{Recall} \cdot \text{Precision}}{\text{Recall} + \text{Precision}} $$
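The definitions in this appendix (bag-of-words vectors, walk extraction in RDF2Vec, cosine similarity, and precision, recall and F1) fit together into one small pipeline. The following is an added example written for this page; it is neither the paper's code nor the authors' graph-matching repository. It builds two constructed toy graphs in the spirit of VDO and D3FEND (every entity name, the shared `ex:` concepts, the `isA` taxonomy edges, and the ground-truth pairs are invented for illustration), extracts walks of bounded depth from each graph, represents each entity by a bag-of-walk-tokens count vector (a stand-in for the Word2Vec embedding that RDF2Vec would train), selects candidate countermeasures whose cosine similarity to a vulnerability reaches a threshold, and scores the selection with precision, recall and F1.

```python
"""Added example (not the paper's code): toy version of the appendix pipeline.
Walks of bounded depth are extracted from each knowledge graph (the RDF2Vec step),
each entity becomes a bag-of-walk-tokens count vector (a stand-in for a trained
Word2Vec embedding), candidates are selected by cosine similarity, and the result
is scored with precision, recall and F1. All data below is constructed."""
from collections import Counter, defaultdict
from math import sqrt

# Constructed toy triples (subject, predicate, object). The "ex:" concepts are
# shared by both graphs so that vectors from the two graphs are comparable.
SHARED_TAXONOMY = [
    ("ex:CodeExecution", "ex:isA", "ex:Execution"),
    ("ex:AuthenticationBypass", "ex:isA", "ex:AccessControl"),
]
VULN_KG = [  # VDO-style vulnerability descriptions (constructed, not real VDO data)
    ("vdo:Vuln-A", "vdo:attackTheater", "ex:Remote"),
    ("vdo:Vuln-A", "vdo:impactMethod", "ex:CodeExecution"),
    ("vdo:Vuln-A", "vdo:logicalImpact", "ex:WriteFiles"),
    ("vdo:Vuln-B", "vdo:attackTheater", "ex:Local"),
    ("vdo:Vuln-B", "vdo:impactMethod", "ex:AuthenticationBypass"),
    ("vdo:Vuln-B", "vdo:logicalImpact", "ex:ReadFiles"),
] + SHARED_TAXONOMY
COUNTER_KG = [  # D3FEND-style countermeasures (constructed, not real D3FEND data)
    ("d3f:NetworkIsolation", "d3f:counters", "ex:Remote"),
    ("d3f:NetworkIsolation", "d3f:counters", "ex:CodeExecution"),
    ("d3f:FileRestore", "d3f:counters", "ex:WriteFiles"),
    ("d3f:StrongAuth", "d3f:counters", "ex:AuthenticationBypass"),
    ("d3f:StrongAuth", "d3f:counters", "ex:Local"),
    ("d3f:FileEncryption", "d3f:counters", "ex:ReadFiles"),
    ("d3f:FileEncryption", "d3f:counters", "ex:WriteFiles"),
] + SHARED_TAXONOMY
# Constructed ground truth, used only to score the automatic selection.
GROUND_TRUTH = {
    ("vdo:Vuln-A", "d3f:NetworkIsolation"), ("vdo:Vuln-A", "d3f:FileRestore"),
    ("vdo:Vuln-B", "d3f:StrongAuth"), ("vdo:Vuln-B", "d3f:FileEncryption"),
}


def adjacency(triples):
    """Outgoing edges per subject: node -> [(predicate, object), ...]."""
    adj = defaultdict(list)
    for s, p, o in triples:
        adj[s].append((p, o))
    return adj


def extract_walks(adj, entity, depth):
    """All walks of up to `depth` hops from `entity`, each as the token list
    [pred, obj, pred, obj, ...]; a walk ends early at a node with no edges."""
    walks = []

    def extend(node, prefix, remaining):
        if remaining == 0 or not adj.get(node):
            if prefix:
                walks.append(prefix)
            return
        for p, o in adj[node]:
            extend(o, prefix + [p, o], remaining - 1)

    extend(entity, [], depth)
    return walks


def embed(triples, depth):
    """Bag-of-walk-tokens count vector for every non-taxonomy subject entity."""
    adj = adjacency(triples)
    subjects = sorted({s for s, _, _ in triples if not s.startswith("ex:")})
    return {e: Counter(tok for walk in extract_walks(adj, e, depth) for tok in walk)
            for e in subjects}


def cosine(u, v):
    """Formula 1 of the appendix on sparse vectors; a zero vector gives 0.0."""
    dot = sum(u[k] * v[k] for k in u.keys() & v.keys())
    nu = sqrt(sum(x * x for x in u.values()))
    nv = sqrt(sum(x * x for x in v.values()))
    return 0.0 if nu == 0 or nv == 0 else dot / (nu * nv)


def select_countermeasures(vuln_kg, counter_kg, depth=2, threshold=0.2):
    """{(vulnerability, countermeasure): cosine} for every pair at or above threshold."""
    vulns, counters = embed(vuln_kg, depth), embed(counter_kg, depth)
    scores = {(v, c): cosine(vulns[v], counters[c]) for v in vulns for c in counters}
    return {pair: s for pair, s in scores.items() if s >= threshold}


def evaluate(predicted, truth):
    """Precision, recall and F1 of a predicted pair set against the ground truth."""
    predicted = set(predicted)
    tp, fp, fn = len(predicted & truth), len(predicted - truth), len(truth - predicted)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * recall * precision / (recall + precision) if recall + precision else 0.0
    return precision, recall, f1


if __name__ == "__main__":
    chosen = select_countermeasures(VULN_KG, COUNTER_KG)
    for (v, c), score in sorted(chosen.items(), key=lambda kv: -kv[1]):
        print(f"{v} -> {c}: cos = {score:.3f}")
    print("precision, recall, F1 =", evaluate(chosen, GROUND_TRUTH))
```

At depth 2 and threshold 0.2 the toy selection returns three of the four ground-truth pairs and no false positive (precision 1.0, recall 0.75, F1 about 0.857). Lowering the threshold to 0.1 recovers the fourth pair but also admits three spurious ones, because the generic `ex:isA` token reached on the second hop is shared by otherwise unrelated entities; at depth 1 that token is never reached and the same low threshold yields only one false positive. Walk depth and threshold are therefore the two knobs that the precision/recall trade-off described in this appendix is measuring.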


Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Saint-Hilaire, K.A., Neal, C., Cuppens, F., Boulahia-Cuppens, N., Hadji, M. (2025). Matching Knowledge Graphs for Cybersecurity Countermeasures Selection. In: Zhao, J., Meng, W. (eds) Science of Cyber Security. SciSec 2024. Lecture Notes in Computer Science, vol 15441. Springer, Singapore. https://doi.org/10.1007/978-981-96-2417-1_7


  • DOI: https://doi.org/10.1007/978-981-96-2417-1_7


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-96-2416-4

  • Online ISBN: 978-981-96-2417-1

  • eBook Packages: Computer Science, Computer Science (R0)
