Accession Number:



Cyber indicators of compromise: a domain ontology for security information and event management

Descriptive Note:

Technical Report

Corporate Author:

Naval Postgraduate School Monterey United States

Personal Author(s):

Report Date:


Pagination or Media Count:



It has been said that cyber attackers are attacking at wire speed (very fast), while cyber defenders are defending at human speed (very slow). Researchers have been working to improve this asymmetry by automating a greater portion of what has traditionally been very labor-intensive work. This work is involved in both the monitoring of live system events (to detect attacks) and the review of historical system events (to investigate attacks). One technology that is helping to automate this work is Security Information and Event Management (SIEM). In short, SIEM technology works by aggregating log information, and then sifting through this information looking for event correlations that are highly indicative of attack activity. For example: "Administrator successful local logon" and concurrently "Administrator successful remote logon". Such correlations are sometimes referred to as indicators of compromise (IOCs). Though IOCs for network-based data (i.e., packet headers and payload) are fairly mature (e.g., Snort's large rule-base), the field of end-device IOCs is still evolving and lacks any well-defined go-to standard accepted by all. This report addresses ontological issues pertaining to end-device IOC development, including what they are, how they are defined, and what dominant early standards already exist.

Subject Categories:

  • Unconventional Warfare
  • Computer Systems Management and Standards

Distribution Statement: