Towards Real-Time Warning and Defense Strategy AI Planning for Cyber Security Systems Aided by Security Ontology

Abstract

Cyber security systems generally have the phenomena of passive defense and low-efficiency early warnings. Aiming at the above problems, this study proposes a real-time warning and plans an AI defense strategy for a cyber security system aided by a security ontology. First, we design a security defense ontology that integrates attack graphs, general purpose and domain-specific knowledge bases, and on this basis, we (1) develop an ontology-driven method of early warnings of real-time attacks, which supports non-intrusive scanning attack detection and (2) combine artificial intelligence planning and bounded rationality to recommend and automatically execute defense strategies in conventional defense scenarios. A case study has been performed, and the results indicate that: (1) the proposed method can quickly analyze network traffic data for real-time warnings, (2) the proposed method is highly feasible and has the ability to implement defense strategies autonomously, and (3) the proposed method performs the best, with a 5.4–11.4% increase in defense effectiveness against the state-of-the-art counterparts considering the APT29 attack. Overall, the proposed method holds the potential to increase the defense effectiveness against cyberattacks under high computing resource constraints.

1. Introduction

Attacks in cyberspace pose a serious threat to enterprises and organizations due to their low threshold and random and short attack time. Effective early warnings and the rapid implementation of targeted defense strategies are the keys to minimizing losses. A traditional cyber security system is usually constructed synchronously with the information system, and it is challenging to adapt it to the rapid evolution of attack methods and behaviors. When defending against highly automated and intelligent attacks [1,2], this relatively static security defense model has obvious limitations with passive defense and inefficient early warnings. Therefore, under the limited time, cognition, and information conditions of cyber security scenarios, the effectiveness of security defense is difficult to guarantee.

Establishing offensive and defensive security knowledge and threat intelligence systems is the basis for implementing active defense [3]. Current security technology has begun to enter the era of intelligence, and security strategy reasoning requires the establishment of formalized and standardized knowledge expressions. Thus, knowledge integration appropriate to specific security scenarios is essential. Among them, how to seamlessly connect heterogeneous knowledge collections, such as general knowledge and scene domain knowledge involved in security phenomena, as well as how to build a complete and easy-to-use security knowledge system, are the main difficulties. Hence, a solid theoretical foundation for cyber defense can be achieved by accurate definitions of security attributes and their relationships in the security knowledge system [4].

Early security warnings are the premise to the active defense of cyber security and the foundation for implementing security programs [5], which aim to detect cyberattacks as early as possible and give early alerts before assets suffer substantial damage. Performing efficient detection at the attack initiation stage is the key to adopting optimized security defense strategies. The ideal design should be able to analyze and capture basic data (such as network traffic) in the early stages of attacks. Capturing network traffic and deeply analyzing raw packet information are crucial for early attack warnings (such as scanning attacks) [6].

The ultimate goal of active defense is to achieve security goals based on defense strategies [7]. In order to prevent the impact of the intrusion before it causes substantial damage to the system, it is necessary to build a resilient defense system and adopt an active defense method to implement appropriate defense strategies. This will help avoid, transfer, and reduce the risks the information system faces. Planning of defense strategies first needs to determine the security measures required by assets and then recommends the appropriate defense strategy on this basis. Therefore, it is necessary to clarify the security attributes of asset functions, in which the importance of measuring defense strategies against different malicious goals is the premise, and how to recommend optimized defense strategies according to the existing risk factors of assets is the key. Considering the highly limited and normalized time, cognition, and information conditions in security scenarios, how to implement active and intelligent defense under high computing resource constraints and dynamic asset environment conditions is another key to the problem [8].

This paper studies the above problems and proposes a cyber defense strategy for an AI autonomous planning mechanism based on security ontologies.

The main contributions of this study are as follows:

1.

To the best of our knowledge, this study is the first to realize a real-time warning and autonomous defense system under high computing resource constraints and dynamic asset environment conditions using bounded rationality and AI planning.

2.

A security ontology is established as a security knowledge system, which formalizes and standardizes the multi-source heterogeneous security knowledge and provides a security knowledge graph for defense strategy reasoning. The security ontology also facilitates the detection of scanning attacks and is expected to provide efficient early warnings for active defense in the early stage of attacks.

2. Related Work

Cyber defense presents an active and intelligent development trend. This section first recaps the most salient works closely related to this study along this direction.

1.

Komar et al. presented an intelligent cyber defense system based on artificial immune systems (AIS) and artificial neural networks (ANN) to detect previously unknown (novel) cyber attacks (malicious code, intrusion detection, etc.) [9]. Their system can improve the reliability of intrusion detection in computer systems.

2.

Theron et al. described an autonomous intelligent malware counter and cyber defense method using intelligent agents [10]. The method supports a novel approach in actively formulating, adjusting, and executing autonomous security processes according to user-defined criteria.

3.

Vast et al. proposed an AI-based SQL optimizer and rewriter (SOAR) system to automatically generate threat intelligence and take appropriate actions [11]. Their system analyzed and collected data based on deep learning detection methods from various sources, such as firewalls, IDSs, etc.

4.

Widel et al. applied the Meta Attack Language framework to the selection of optimal countermeasures under a variety of budgetary restrictions [12]. The result was validated in practice on realistic models by expressing available resources of both monetary and time-like nature.

Security knowledge expression is often employed to provide high-coverage information support in cyber defense approaches. Specifically, ontology is one of the most popular methods to formalize a variety of security knowledge and a multitude of relationships:

1.

Multi-source heterogeneous information can be integrated by an ontology to realize cyber-situational awareness in cyber security systems [13].

2.

General knowledge and domain-specific knowledge can be constructed by an ontology to recommend security requirements [14].

The protection-detection-response (PDR) security model clarifies that an early attack warning is the premise of cyber defense implementation. Among attack detection and early warning approaches, an attack pattern is often obtained to detect abnormal behaviors by comparison with normal patterns:

1.

Approaches and practical solutions to the attacks can be detected by data mining methods to obtain patterns to generate early attack warnings [15].

2.

Neural network technologies and feature selection algorithms can be offered to learn attack patterns efficiently and identify intrusions effectively [16].

Inspired by the successes of the aforementioned works, this study intends to address the open issues in the research area of cyber defense via artificial intelligence techniques for early attack warnings and active intelligent defense. This study detects the early attacks by analyzing original packet information and implementing cyber defense strategies based on the security ontology associated with multi-source heterogeneous information.

The major objective of this study is to enable non-intrusive real-time early attack warnings and autonomous defense strategy implementation under high computing resource constraints as a contrast to existing works.

3. Cyber Security System Aided by Security Ontologies

This section introduces three pillar approaches in the cyber security system aided by security ontologies: (1) knowledge representation based on security ontologies, (2) ontology-aided early attack warnings and defense strategy recommendations, and (3) the automatic implementation of defense strategies based on AI planning. The overall design of the security system is depicted in Figure 1.

3.1. Knowledge Representation Based on Security Ontologies

The ontology has irreplaceable advantages in integrating multi-source heterogeneous knowledge. The domain ontology can be expressed as a quintuple set:

$$O=\left\{C,A,R,I,M\right\}$$

1.

where C is a set of concepts in a specific field, A is a set of concept attributes, R is a set of relationships between concepts in A, I is a set of instances, and M is a set of mapping relationships between I and C.

According to the characteristics of the ontology and the expression of the quintuple set, this section designs a security ontology for defense strategy recommendations and builds an adaptable intelligence foundation for the selection of a defense strategy. The security ontology for early attack warnings provides a formalized expression of its knowledge and can be utilized to perform reasoning and enforce security policies.

3.1.1. Ontology Design for Defense Strategy Recommendations

In order to realize defense strategy recommendations adaptive to asset security information, the security ontology design should lay a solid foundation for the necessary knowledge reasoning for defense strategy recommendations by taking into account both the process of the implementation of an attack and the requirements of the defense response.

Recently, problem domain ontology (PDO) technology has emerged in the representation of technical systems composed of a large number of heterogeneous components especially suitable for the understanding of security requirements and the representation of recommendations [14].

Ontology can be divided into general ontology and domain ontology, where general ontology refers to the ontology knowledge that can be widely used in various application scenarios and is the normative description of general knowledge; domain ontology is regarded as the normative description of knowledge in a specific field.

Considering ontology as a knowledge base, general ontology and domain ontology correspond to general knowledge and domain-specific knowledge, respectively. Generic knowledge is explicit and reusable knowledge that is agreed upon across the entire security domain, such as taxonomy and principles, while domain-specific knowledge is tacit knowledge that can be applied to a specific domain or embedded in the process and routine of a company, such as the architecture of a certain domain/enterprise.

Therefore, we draw on the knowledge expression idea of PDO and express the general security knowledge involved in the security knowledge system explicitly and the domain specific knowledge implicitly. The overall design principle not only covers the elements of the general security model but also facilitates the adaptive expansion of strong related knowledge of security scenarios.

When implementing an attack, it needs to meet certain conditions, such as reachability and accessibility. Note that the security knowledge base needs to fully express the conditions for vulnerability exploitation and the risk factors after the successful exploitation of vulnerabilities, which are often expressed through attack graphs in mainstream approaches [17].

In terms of defense response, core elements are firstly defined, such as assets, threats, risks, and vulnerabilities in the analysis model of risk recognition, as well as general knowledge related to security requirements and defense strategies. Then, domain-specific knowledge is explained according to the domain or enterprise architecture.

According to the characteristics of the security ontology analyzed above, an attack graph-enhanced security ontology, named Attack Graph Problem Domain Ontology (AG-PDO), is constructed, which integrates the attack graph, general knowledge, and specific domain knowledge. Since this section only focuses on the design of the ontology itself without considering the entities and their mapping relationships, AG-PDO is defined as the following triplet aside from the entity-related parts.

Define the attack graph-enhanced security ontology as $AG-PDO=\left\{SC,SA,SR\right\}$, where $SC=\left\{s{c}_1,s{c}_2,\dots ,s{c}_n\right\}$ is the concept set, $SA=\left\{s{a}_1,s{a}_2,\dots ,s{a}_n\right\}$ is the attribute set, and $SR=\left\{s{r}_1,s{r}_2,\dots ,s{r}_n\right\}$ is the relationship set between concepts.

Figure 2 describes the sets of $SC$, $SA$ and $SR$ in AG-PDO as follows:

1.

The main concept of $SC$ in AG-PDO includes: (1) explicit general knowledge: assets, threats, risks, vulnerabilities, security requirements, and defense strategies; (2)implicit domain-specific knowledge: system and domain architecture; (3) preconditions: the conditions that need to be met to exploit vulnerabilities; and (4) risk factors: new risks after the successful exploitation of vulnerabilities.

2.

Each concept contains the corresponding attribute $SA$, including character attributes, description attributes, and Boolean attributes.

3.

In the conceptual relationship $SR$, from the perspective of attack implementation, vulnerabilities that meet certain conditions can be exploited by threats, resulting in increased risk factors through AG-PDO expression; on the contrary, the goal of the defense response is to reduce risk factors existing in assets by deducing security measures that satisfy asset security requirements through AG-PDO expression. Thus, it can recommend and implement defense strategies and prevent malicious goals, thereby completing an effective security defense.

3.1.2. Ontology Design for Early Attack Warnings

The active defense mechanism also needs the support of early attack warnings, whose primary task is to integrate information and support logical reasoning for risk query and analysis. Furthermore, the security ontology is also designed to facilitate early warning implementation.

Reconnaissance is the first stage in a complete attack chain [18], in which attackers mainly collect target information through scanning attacks and other approaches and find services with weak security protection or known vulnerabilities. After that, it is able to provide a basis for the implementation of subsequent attack methods. Effective early warnings, such as scanning attacks, can be implemented in the early stage of reconnaissance to adopt corresponding security defense strategies as soon as possible to reduce the overall risk level of the system.

The information supporting the attack warning needs to be considered. Specific attributes of data packets (internal/external IP address) imply the specific intention of the attacker. The key information can be obtained through collecting real-time network traffic and integrating the information of original data packets. For example, statistics on data packets in the traffic show that if an external IP sends data packets to the same internal IP address multiple times, it indicates the attacker’s intention to conduct scanning attacks.

According to the characteristics of the information required for early attack warnings analyzed above, a network traffic-based ontology (NTO) is constructed. Meanwhile, the information of data packets and the corresponding relationship are formally expressed, as depicted in Figure 3. Similarly, since this section only focuses on the design of the ontology itself without considering the entities and their mapping relationships, the definition of the ontology follows the triplet aside from the entity-related parts.

We define the network traffic-based ontology as $NTO=\left\{NC,NA,NR\right\}$, where $NC=\left\{n{c}_1,n{c}_2,\dots ,n{c}_n\right\}$ is the concept set, $NA=\left\{n{a}_1,n{a}_2,\dots ,n{a}_n\right\}$ is the attribute set, and $NR=\left\{n{r}_1,n{r}_2,\dots ,n{r}_n\right\}$ is the relationship set between concepts.

Figure 3 illustrates the set of $NC$ and $NR$ in NTO as follows:

1.

The main concept of $NC$ includes the network session, network traffic, packet transmission, handshake, reset, protocol, destination and source node (IP and port).

2.

Each concept contains the corresponding attribute $NA$, including the character attribute, description attribute, Boolean attribute, etc.

3.

In the concept relationship $NR$: (1) packet transmission belongs to the network session as its atomic element; (2) the completion of the network session depends on the actual exchange of packets between the source and destination nodes; (3) before the data exchange, whether a handshake is required according to the protocol type should be determined; (4) the data packet in the handshake sequence can be captured by the three Boolean data attributes, i.e., the synchronous (SYN), acknowledgement (ACK), and reset (RES) attributes; (5) the session is usually reset after the two actual data packets are transmitted with data exchanged; and (6) all packets are sorted according to the order in which they were captured because the sequence of network events is more meaningful from the defender’s perspective than timestamps.

Note that when SYN is true, ACK is false, and RES is false, it is impossible to tell whether the packet represents the first phase of the handshake or is part of a scanning attack. Therefore, it is necessary to judge whether a node is subject to scanning attacks by evaluating the packet (session) properties exchanged between two nodes (see Section 3.2 for details).

3.2. Ontology-Aided Early Attack Warnings and Defense Strategy Recommendations

This section introduces how to use security ontologies to provide information support for attack warnings and defense strategy recommendations in cyber security.

3.2.1. Early Attack Warnings

Aiming at the basic characteristics of early attacks and the key information required for attack detection, the NTO-driven early warning is divided into two parts: (1) obtaining the original packet information required for early warnings and instantiating the construction of an NTO and (2) detecting and scanning attacks in real-time and providing early attack warnings by querying the NTO and analyzing statistical information.

The network traffic information related to attack warnings can be obtained through the NTO instance, where $NC$ and $NA$ contain the fields and attributes of original data packets, and the relationship between entities established in NR can greatly facilitate the query of the statistical information required for warnings.

In the early reconnaissance stage, attackers basically collect target information through scanning attacks, mainly for port scanning and system scanning. Among them, port scanning sends a set of messages to detect open ports on network nodes, while system scanning identifies the operating system type and the type of open network services for hosts by actively sending packets. Thus, it can select different penetration attack codes and configurations to implement targeted attacks.

In order to implement early attack warnings, network traffic information and instantiate NTO are first captured through Neo4j, and all source port and destination port pairs in NTO are queried to measure network traffic. Then, according to the characteristics of port scanning attacks, we query the number of times the same source in the NTO sends data packets to closed ports.

According to the characteristics, a system scanning attack can be determined by querying the number of times the source host sends data packets to the target host in the NTO. If the target host receives data packets from the same source host multiple times, and the source host also sends data packets to other hosts multiple times, this indicates that it is highly possible that a system scanning attack exists.

As mentioned above, through the NTO instance driving of real-time network traffic, the field information and statistical information of the original data packets are analyzed, which helps quickly judge whether there is a scanning attack and realize a non-invasive early attack warning.

3.2.2. Defense Strategy Recommendations

When an attack is detected in the early warning phase, defensive strategies should be recommended and implemented to keep assets safe. The AG-PDO-driven defense strategy recommendation consists of two parts: (1) converging general knowledge, domain-specific knowledge, preconditions for exploiting vulnerabilities, and risk factors generated after successful exploitation; and (2) conducting a risk assessment according to the security measures to support the query and recommend feasible defense strategies.

In other words, by instantiating AG-PDO to obtain security information related to defense strategy recommendations, $SC$ contains general knowledge, domain-specific knowledge, preconditions required for exploiting vulnerabilities, and risk factors generated after successfully exploiting vulnerabilities. Meanwhile, $SA$ stands for the concept attributes, and the relationships in $SR$ are used for Neo4j knowledge reasoning to acquire defense strategies for assets.

In order to recommend feasible targeted defense strategies to assets, the following steps are conducted:

1.

First, the function of assets is identified through log analysis, such as data storage.

2.

Then, according to the asset’s function, relevant security attributes, malicious goals, and types of defense strategies are confirmed to infer the required defense measures:

(a)

Security attributes include confidentiality (Co), integrity (In), availability (Av), authentication (Au), controllability (Ct), non-repudiation (Nr), etc. To simplify the description, this paper only considers the first four basic security attributes, i.e., Co, In, Av and Au.

(b)

Malicious goals are exposure (E), modification (M), destruction (Dt), and feign (F), corresponding to these security properties.

(c)

Types of defense strategies include prevent (P), monitor (D), and recover (R), as well as their importance measured as critical (C) or non-critical (N), where C represents the highest priority (this type of defense strategy is required), and N represents the lowest priority (this type of defense strategy is not required).

According to the function of assets, this paper measures the importance of each defense strategy type under different malicious goals and finally determines the required security measures.

Table 1. The calculation matrix of security measures required for assets.

Security Attribute	Malicious Goal	Type of Defense Strategy			Required Security Measures
		Prevent(P)	Monitor(D)	Recover(R)
Co	E	C	N	N	P
In	M	C	C	C	PDR
Av	Dt	N	C	C	DR
Au	F	N	C	N	D

shows an example of calculating the required security measures, for which the security measures required by the asset security attributes Co, In, Av, and Au are P, PDR, DR, and D, respectively. Based on this inference, the security measures required for the asset are prevent confidentiality (PCo), prevent integrity (PIn), detect integrity (DIn), recover integrity (RIn), detect availability (DAv), recover integrity (RAv), and detect authentication (DAu), respectively.

By evaluating the risk of the asset, the AG-PDO instance recommends defense strategies to meet the security measures required by the asset as follows:

1.

First, the possibility of loopholes in the asset platform and security configuration is evaluated. If there is a possibility, the security measures required by the current asset are obtained through Table 1.

2.

Subsequently, the threats to asset security, exploitable vulnerabilities, and malicious goals are obtained by querying the relationship in the AG-PDO instance.

3.

Moreover, the existing defense strategies are obtained, and the existence of risk factors (malicious goals that are not protected by defense strategies) is analyzed.

4.

Finally, the required defense strategy type is recommended according to the existing risk factors of the asset, and feasible defense strategies can be obtained by logical reasoning through AG-PDO.

3.3. Automatic Implementation of Defense Strategies Based on AI Planning

In order to automatically implement defense strategies based on AI planning and realize non-intrusive real-time early warnings and active intelligent defense under highly resource-constrained conditions, the planning process of intelligent agents that can autonomously implement early attack warnings and defense strategies is depicted in Figure 1.

After querying the NTO-integrated data packet information to realize non-intrusive early attack warnings and querying the AG-PDO recommended defense strategy for security measures required by the asset, a planning approach of defense strategies is generated and implemented by bounded rationality and AI planning to autonomously defend and monitor security status under the conditions of high computing resource constraints and dynamic asset environments.

3.3.1. Defense Strategy Planning

The automatic implementation of defense strategies has become an inevitable trend in large-scale security scenarios. AI planning can execute a series of defense strategies to achieve security goals from an initial state (no defense strategy implemented) to a goal state (defense strategies implemented). Therefore, a defense strategy planning mechanism is designed to solve automated planning problems with the help of the basic planning capability of the classic AI planning language STRIPS [19].

Note that the design of mainstream planners does not take the physical limitations of storage space and the availability of basic knowledge into account. However, time, cognition, and information are actually highly limited in conventional security scenarios. To conquer this challenge, we consider the advantages of the bounded rationality (BR) [20] method, which covers the limitations of time, cognition, and information. In this way, security planning within the scope of bounded rationality (marked as STRIPS-BR) is carried out to automatically implement defense strategies.

Table 2. The terminology of AI planning agent with bounded rationality.

Terminology	Description
$BR$–$A\left(T\right)$	Limited time during plan generation and implementation limits the number of states in the search space used to construct and evaluate the search tree.
$BR$–$A\left(C\right)$	Limited cognition during plan generation and implementation limits the depth of the agent’s search tree.
$BR$–$A\left(I\right)$	Limited information of the agent about the asset state during plan generation and implementation.
S–$BR$	The state of the assets that the agent knows within its cognitive scope.
G–$BR$	The set of goal propositions that the agent wishes to be true.
$CM$–$BR$	The defense strategy (countermeasure) that the agent knows within its cognitive scope.
$P^x$	$P^x$ is a plan generated by the STRIPS-BR planner, i.e., a sequence of defense strategies to be executed.
$P_{i,j}^x$	$P_{i,j}^x$ denotes the partial plan between time step $t=i$ and $t=j$ of $P^x$.
$O^x$	The outcome of the plan $P^x$ after execution.
$rank\left(s_i\right)$	The actual sequence of executed defense strategies, where $s_i$ is a proposition with a truth assignment at time step t.
$c{m}_t^x$	Some defense strategy in plan $P^x$ at time step t.
$w_t^x$	Some weight assigned to the defense strategy $c{m}_t^x$, as shown in Equation (3).
$U\left(P_{0,k}^x\right)$	Expected utility function for plan $P_{0,k}^x$ at time step t, as shown in Equation (2).

lists the terminology of the AI planning agent with bounded rationality inspired by the reference [21]. First, STRIPS-BR defines three constraints in bounded rationality: a time limit, a cognition limit, and an information limit:

1.

The time limit$BR$–$A\left(T\right)$ can be judged by checking whether the time count of the state has exceeded the limit.

2.

The cognition limit$BR$–$A\left(C\right)$ can be judged by checking whether the cognitive depth has exceeded the limit.

3.

The information limit$BR$–$A\left(I\right)$ includes unknown or incorrectly assumed asset states S–$BR$, goal propositions G–$BR$, and available limited defense strategies $CM$–$BR$.

Based on this information, a search tree can be established to obtain all plans $P^x$ that satisfy the goal state. The outcome after the execution of the defense strategy sequence in plan $P^x$ is $O^x$. $rank\left(s_i\right)$ is the sequence of the actually executed defense strategy.

In order to determine the planning solution with the highest utility, $U(P_{0,k}^x)$ is defined as the planning utility from the beginning to the $k^{th}$ defense strategy:

$$U(P_{0,k}^x)=\sum _{t=0}^k{w}_t^x$$

(2)

where $w_t^x$ is the weight of the $t^{th}$ defense strategy $c{m}_t^x$ in $P^x$:

$$w_t^x=in-degree+\alpha$$

(3)

where $in$-$degree$ refers to the in-degree of the defense strategy $c{m}_t^x$; $\alpha$ is a correlation factor, representing the correlation between the current defense strategy $c{m}_t^x$ and the previous defense strategy $c{m}_{t-1}^x$.

Figure 4 shows an example of calculating the in-degree of each defense strategy. DIn, PIn, and RIn, respectively, represent the type of defense strategy required by the asset. CM1, CM2, and CM3 stand for defense strategies to be executed, wherein CM1 belongs to DIn and PIn, CM2 belongs to PIn, and CM3 belongs to RIn. Since CM1 is related to both DIn and PIn, its in-degree value is recorded as 2. Similarly, the in-degree values of CM2 and CM3 are both 1.

After obtaining the in-degree of each defense strategy, $w_t^x$ at each time step is calculated as shown in Figure 5. $\alpha =0/0.2$, denoting that the types of the current defense strategy and the previous defense strategy are not the same.

Considering the limitations of bounded rationality, the most efficient plan needs to be selected according to the utility of the defense strategy by the following steps:

1.

Define $BR-A\left(T\right)$ to determine if there is enough time to traverse all candidate plans.

2.

Define $BR-A\left(C\right)$ to determine how many steps can be looked ahead at each time step.

3.

Calculate the utility $U(P_{0,k}^x)$ of each plan at time step t. The current highest one or more plans are seen as candidate plans before moving to the next time step $t+1$.

4.

As the time step increases, the plan with the highest utility at the last time step is obtained.

5.

If multiple plans have the same utility, choose the plan that executes the higher-weighted defense strategy first.

Figure 5 illustrates an example of finding the optimal plan. Assuming $BR-A\left(T\right)=15$ and $BR-A\left(C\right)=2$, the former shows that there is enough time to traverse all candidate plans, and the latter means we can look two steps ahead at each time step. At time step $t=0$, the utility of all plans from time step $t=0$ to time step $t=2$ is calculated with $BR-A\left(C\right)=2$. The utility of plan $P_{0,2}^1$ and plan $P_{0,2}^3$ achieves the highest ($U(P_{0,2}^1)=U(P_{0,2}^3)=3.2$) and are selected as candidate plans. At time step $t=1$, $U(P_{0,3}^1)=U(P_{0,3}^3)=4.2$, and the plan $P^1$ is obtained as the initial plan for executing a higher weight defense strategy first.

It is clear that by considering limited constraints of time, cognition, and information, STRIPS-BR can carry out security planning within the scope of bounded rationality and select the plan with the highest utility as the initial plan.

3.3.2. Plan Implementation

Once the initial plan is obtained, this plan is implemented immediately. During the execution, assets may still be exposed to new attacks. Hence, the intelligent agent monitors and analyzes log data at each time step t to determine if re-planning is necessary.

Suppose the asset is continuously attacked. If the defense plan of the previous attack has not been completely executed, the execution of this plan should be suspended, and a search tree is built to implement a new plan with the highest efficiency for the current attack. After the implementation of the new plan, the unimplemented plan for previous defense strategies is formulated and implemented.

By monitoring the plan execution process and re-planning when necessary, it is possible to pay attention to the urgently needed defense measures for the asset so as to realize active and intelligent defense in a dynamic environment with severe resource limitations.

In general, the defense strategy implementation method of bounded rational AI planning is feasible and can deploy defense strategies for the security measures required by assets.

4. Case Study

A case study has been carried out to verify the proposed AI planning method for real-time warnings and defense strategies of cyber security systems aided by security ontologies.

The testbed (Figure 6) consists of 9 nodes including 2 routers, 2 switches, and 5 common hosts.

4.1. Knowledge Representation Based on Security Ontologies

The security ontology can be divided into two parts: an ontology for defense strategy recommendations and an ontology for attack warnings.

4.1.1. Ontology for Defense Strategy Recommendations

A comprehensive defense-oriented strategy recommendation based on the AG-PDO ontology was constructed according to the general knowledge related to security, the domain-specific knowledge related to the domain, the preconditions that launch an attack by exploiting vulnerabilities from the attack graph, and the risk factors generated by attacks.

Figure 7 presents the instantiated security knowledge graph generated by the Neo4j platform according to the conceptual definition of AG-PDO. Taking the assets used to store log data in the network as an example, the related information and relationships are displayed in Figure 7. Nodes with different colors represent different types of entities, including assets (earth yellow), threats (pink), risks (red), vulnerabilities (blue), security requirements (blackish green), defense strategies (yellow), architecture (purple), and preconditions (green) for exploiting vulnerabilities.

In this example, the Windows 10 platform had potential risks that needed defense strategy recommendations. The log data asset had the risk of data misuse caused by the threat CAPEC-268 (audit log manipulation), providing conditions for malicious data tampering. In order to successfully exploit the vulnerability CWE-440 (expected behavior violation), having access rights (0 in Figure 7) was inevitable. Threat CAPEC-268 can be mitigated by the security requirement SR-11-6-2 (log and backup system), and the misuse risk can be reduced by the recommended defense strategy (file integrity monitoring (FIM)).

To this end, AG-PDO improved the coverage of security knowledge and provided more comprehensive and accurate information for recommending defense strategies.

4.1.2. Ontology for Early Attack Warnings

The network traffic ontology (NTO) for early attack warnings was constructed and instantiated by the Neo4j platform according to the data packet information captured in different time windows.

Nodes in Figure 8 with different colors represent different types of entities, including network traffic (blue), packet transmission (pink), IP (yellow), port (green), and handshake (wathet). The connection between nodes reflects their relationship. Among them, “has_member” and “member_of” indicate the relationship between network traffic and packet transmission, and “has_handshake” stands for whether packet transmission requires a handshake and provides “ACK”, “SYN”, and “RES” values (130878 indicates that “ACK” is TRUE, while “SYN” and “RES” are FALSE).

Figure 9 lists the attributes of packet transmission, including the grabbing order “order”, source node IP “srcNode”, destination node IP “dstNode”, source port “srcP”, destination port “dstP”, frame length “has_frame_len”, and protocol “use_protocol”.

The NTO collected real-time network traffic and provided original data packet fields and statistical information, thereby achieving real-time early attack warnings.

4.2. Ontology-Based Early Attack Warnings and Defense Strategy Recommendations

After instantiating the above two ontologies, logical reasoning provided a logical level of analysis to realize early attack warnings and defense strategy recommendations by querying aptitude questions through the security ontologies.

4.2.1. Security Warnings Based on Network Traffic Ontologies

Scanning attacks are the pre-procedure to attackers carrying out malicious activities. The detection of scanning attacks targets both port scanning attacks and system scanning attacks, which can issue early warnings before assets are substantially damaged.

To detect port scanning attacks, network traffic was first measured by collecting all sources and destination port pairs in the network event. With the help of the Neo4j reasoning engine, we queried the number of times the same source sent a packet to a closed port. If multiple attempts to communicate with a closed port occurred, it was considered that there may be a port scan attack. Figure 10 presents the source hosts with IP addresses “172.31.50.22” and “192.168.75.13” sending packets to the closed port many times, indicating a port scanning attack.

To detect system scanning attacks, it is necessary to count the number of times the source host sends packets to the target host. If the target host receives data packets from the same source host multiple times, and the source host also sends data packets to other hosts, it is considered that there is a high possibility of system scanning attacks. Figure 11 presents that port 139 sends data packets to multiple windows many times. Therefore, it was highly possible that there was a system scanning attack (port 0 means no port information, which can be ignored).

The experimental results show that according to the fields and statistical information of the original data packet, scanning attacks can be quickly captured without decrypting the packet to access confidential information. This enables active defense before assets are substantially damaged.

4.2.2. Recommendations of Defense Strategies Based on Security Ontologies

After an attack is detected, AG-PDO can obtain targeted defense strategy recommendations according to the security measures required by the asset.

Table 1 analyzes logs and identifies the required security strategies, namely DIn, PIn, and RIn. Figure 7 can be utilized to query defense strategy recommendations through risk assessments with the Neo4j reasoning engine. The log data has the misuse risk caused by threat CAPEC-268 exploiting vulnerability CWE-440. In order to reduce this risk, the log integrity should be monitored using the file integrity monitoring (FIM) defense strategy.

By analogy, all defense strategy recommendations are obtained by querying from AG-PDO, as shown in Figure 12. There are three defense strategies to be implemented: FIM belongs to DIn and PIn, vaccine agent (VA) belongs to PIn, and synchronize log data (SLD) belongs to RIn.

After obtaining the defense strategy through AG-PDO, how to automatically implement the defense strategy becomes the top priority.

4.3. Automatic Implementation of Defense Strategies Based on AI Planning

In order to realize the automatic implementation of defense strategies, an initial plan is generated and executed according to the obtained defense strategies. Then, the log is monitored during the execution process and re-planned when new attacks are found until all defense strategies are executed.

4.3.1. Defense Strategy Planning

AI planning selects the most efficient plan as the initial plan by scoring the defense strategy. The planning starts at the “start” node at time step $t=0$, as depicted in Figure 13. The planning process can be illustrated as follows:

1.

The agent can look three steps forward with the cognition limit $BR-A\left(C\right)=3$. At time steps $t=1,2,3$, the agent can move to a new state by implementing the defense strategy from time to time.

2.

With the time limit $BR-A\left(T\right)=12$, the first 12 states beyond the search tree cannot be obtained, and the last two paths will not be considered.

3.

The utility $U\left(P_{0,k}^x\right)$ of each plan $P^x$ is calculated, and the plan $P^1$ is chosen as the initial plan with the actual order FIM, VA, SLD.

4.3.2. Plan Implementation

After the initial plan is determined, FIM is performed at time step $t=1$. At time step $t=2$, the agent finds the attacker trying to tamper with the data and triggers re-planning.

When the new attack is found, the execution of the plan $P^1$ stops immediately, and a new plan is constructed whose defense strategy SLD is related to this attack, as shown in Figure 14. Starting at time step $t=2$, the agent executes the plan $P^{11}$ with the outcome $O^{11}$. The plan $P^{1\cup 11}$ is combined with the partially executed plan $P^1$ and the new plan $P^{11}$. The actual order of this new plan is $O^{11}$, with $rank\left(s_i\right)=SLD$ at time step $t=3$. Note that VA is not included in the outcome $O^{11}$ in the new order.

During the execution of the new plan $P^{1\cup 11}$, the agent first attempts to satisfy its prerequisites. If all of them are met, the agent executes the defense strategy SLD at time step $t=2$ and successfully conducts the plan $P^{1\cup 11}$ to generate the outcome $O^{1\cup 11}$.

After reaching the newly planned target SLD, a new search tree is constructed for the remaining defense strategy VA, which is added and executed at time step $t=3$. Figure 15 shows that the final plan $P^{1\cup 11\cup 12}$ is combined with the executed plan $P^{1\cup 11}$ and the new plan $P^{12}$.

After execution at time step $t=3$, all goals are achieved with a final actual defense strategy order of FIM, SLD, VA. It can be seen that the outcome $O^{1\cup 11\cup 12}$ is different from the outcome $O^1$ of the initial plan $P^1$ without re-planning.

This case shows that the proposed automatic implementation of defense strategies based on AI planning can obtain targeted defense strategies for the security measures required by assets to obtain the best plan. By re-planning, this approach is suitable to environmental changes during the execution of the plan and realizes the security goal by executing the sequence of defense strategies.

4.4. Discussion

Experiments were performed under the testbed described in Figure 6 to evaluate the overall performance of the proposed method in terms of (1) considering the finiteness of defense resources, (2) defense timeliness, and (3) defense effectiveness against an APT29 attack [22].

The MITRE ATT&CK [23] is a knowledge base of attack tactics and techniques created and maintained by MITRE that reflects the attacker’s attack lifecycle and the objectives of each attack phase. To defend against the APT29 attack techniques described in ATT&CK, the defense effectiveness ${\eta }_{defense}$ can be calculated as per Equation (4):

$${\eta }_{defense}=\frac{N_{A,total}-N_{A,success}}{N_D}\times 100$$

(4)

where $N_{A,total}$ denotes the total number of attacks performed, $N_{A,success}$ denotes the number of successful attacks, and $N_D$ denotes the number of defensive actions performed.

The constraints of this scheme are defined according to the actual network situation with $BR-A\left(T\right)={10}^{50}$ and $BR-A\left(C\right)=30$.

Table 3. Comparison amongst cyber defense approaches in terms of considering the finiteness of defense resources, defense timeliness, and defense effectiveness.

	Considering Finiteness of Defense Resources	Defense Timeliness		Defense Effectiveness
		Pre-Analysis	Real-Time Update
Reference [24]		✔	✔	49.57
Reference [25]	✔	✔		46.43
Proposed method	✔	✔	✔	52.38

presents the results by comparison with the state-of-the-art solutions, including machine learning [24] and game theory approaches [25]. Obviously, the proposed method outperforms the state-of-the-art approaches with the highest defense effectiveness considering the finiteness of defense resources and the timeliness of updating defense strategies in dynamic environments.

Overall, the proposed AI-planning-based real-time warning and defense strategy for cyber security systems can perform active and intelligent defense within the finiteness of defense resources, which holds potential in alleviating security problems caused by high constraints on computing resources and dynamic asset environments in large networks.

5. Conclusions

Aiming at the problem of low passive intelligence of security defense in current mainstream networks for security systems, this study has proposed an AI planning approach for real-time warning and defense strategies for cyber security systems aided by security ontology.

This study designs a security ontology to integrate highly multi-source heterogeneous and dynamically updated security knowledge, thereby giving information support for cyber defense. Logical reasoning is applied in non-intrusive real-time early attack warnings via the security ontology-integrated packet information. AI planning and bounded rationality are used to implement active and intelligent cyber defenses under highly limited time, cognition, and information conditions so as to alleviate security problems caused by high constraints on computing resources and dynamic asset environments.

Experimental results show that analyzing the network traffic data can effectively implement early scanning attack warnings, and the proposed method is highly feasible and has the ability to independently plan defense strategies. It significantly increases the effectiveness of the defense against cyberattacks under high computing resource constraints.

Note that the bounded rationality of the proposed method needs to be predefined, and the real security scene may have highly dynamic changes, which may have theoretical differences in the actual application. Further investigations are needed to focus on this problem and propose a proper solution to this variable.