Accession Number : AD1046101


Title :   Cyber indicators of compromise: a domain ontology for security information and event management


Descriptive Note : Technical Report


Corporate Author : Naval Postgraduate School Monterey United States


Personal Author(s) : Rowell,Marsha D


Full Text : https://apps.dtic.mil/dtic/tr/fulltext/u2/1046101.pdf


Report Date : 01 Mar 2017


Pagination or Media Count : 103


Abstract : It has been said that cyber attackers are attacking at wire speed (very fast), while cyber defenders are defending at human speed (very slow). Researchers have been working to improve this asymmetry by automating a greater portion of what has traditionally been very labor-intensive work. This work is involved in both the monitoring of live system events (to detect attacks), and the review of historical system events (to investigate attacks). One technology that is helping to automate this work is Security Information and Event Management (SIEM). In short, SIEM technology works by aggregating log information, and then sifting through this information looking for event correlations that are highly indicative of attack activity. For example: Administrator successful local logon and (concurrently) Administrator successful remote logon. Such correlations are sometimes referred to as indicators of compromise (IOCs). Though IOCs for network-based data (i.e., packet headers and payload) are fairly mature (e.g., Snorts large rule-base), the field of end-device IOCs is still evolving and lacks any well-defined go-to standard accepted by all. This report addresses ontological issues pertaining to end-device IOCs development, including what they are, how they are defined, and what dominant early standards already exist.


Descriptors :   cyberattacks , cyberwarfare , ADVERSARY TECHNOLOGIES , ONTOLOGIES


Subject Categories : Unconventional Warfare
      Computer Systems Management and Standards


Distribution Statement : APPROVED FOR PUBLIC RELEASE