Construction Method of Cybersecurity Knowledge Graph Based on Ontology

doi:10.3969/j.issn.1671-1122.2025.03.008

Abstract

Abstract:

With the rapid development of information technology, the connection between cyberspace and the real world has become increasingly close. Applying knowledge graph technology to the field of cybersecurity allows for the extraction and integration of fragmented, valuable security knowledge from vast amounts of data in cyberspace, providing support for decision-making. Existing methods face issues such as the lack of a unified standard for ontology models and poor knowledge extraction performance. This paper proposed an ontology-based method for constructing a cybersecurity knowledge graph, which included two models: named entity recognition and relation extraction. The named entity recognition model integrated the BERT pre-trained model, bidirectional long short-term memory network, multi-head attention mechanism, and conditional random fields; the relation extraction model combined the BERT pre-trained model, self-attention mechanism and convolutional neural network. These two models improved the accuracy of named entity recognition and enhanced the accuracy and automation of relation extraction tasks. The proposed method for constructing the cybersecurity knowledge graph can integrate and analyze cybersecurity data, enabling intelligent retrieval of cybersecurity knowledge and automatic updates and expansion of the knowledge graph.

Key words: cybersecurity, knowledge graph, ontology, knowledge extraction

CLC Number:

TP309

XU Zhishuang, ZHANG Kun, FAN Junchao, CHANG Xiaolin. Construction Method of Cybersecurity Knowledge Graph Based on Ontology[J]. Netinfo Security, 2025, 25(3): 451-466.

Figures/Tables 25

References 31

[1]	REN Yitong, XIAO Yanjun, ZHOU Yinghai, et al. CSKG4APT: A Cybersecurity Knowledge Graph for Advanced Persistent Threat Organization Attribution[J]. IEEE Transactions on Knowledge and Data Engineering, 2022, 35(6): 5695-5709.
[2]	JIANG Yuning, JEUSFELD M A, DING Jianguo, et al. Model-Based Cybersecurity Analysis: Extending Enterprise Modeling to Critical Infrastructure Cybersecurity[J]. Business & Information Systems Engineering, 2023, 65(6): 643-676.
[3]	SIKOS L F. Cybersecurity Knowledge Graphs[J]. Knowledge and Information Systems, 2023, 65(9): 3511-3531.
[4]	LIU Kai, WANG Fei, DING Zhaoyun, et al. Recent Progress of Using Knowledge Graph for Cybersecurity[J]. Electronics, 2022, 11(15): 2287-2314.
[5]	WANG Gaosheng, LIU Peipei, HUANG Jintao, et al. KnowCTI: Knowledge-Based Cyber Threat Intelligence Entity and Relation Extraction[J]. Computers & Security, 2024, 141(6): 1-12.
[6]	WANG Xiaodi, HUANG Cheng, LIU Jiayong. Research Overview on Knowledge Graphs for Open Source Intelligence in Cybersecurity[J]. Netinfo Security, 2023, 23(6): 11-21.
	王晓狄, 黄诚, 刘嘉勇. 面向网络安全开源情报的知识图谱研究综述[J]. 信息网络安全, 2023, 23(6):11-21.
[7]	LI Hongyi, ZE Shi, PAN Chengwei, et al. Cybersecurity Knowledge Graphs Construction and Quality Assessment[J]. Complex & Intelligent Systems, 2024, 10(1): 5-16.
[8]	CHEN Jiarui, LU Yiqin, ZHANG Yang, et al. A Management Knowledge Graph Approach for Critical Infrastructure Protection: Ontology Design, Information Extraction and Relation Prediction[J]. International Journal of Critical Infrastructure Protection, 2023, 43(4): 3-7.
[9]	PREUVENEERS D, JOOSEN W. An Ontology-Based Cybersecurity Framework for AI-Enabled Systems and Applications[J]. Future Internet, 2024, 16(3): 4-18.
[10]	GRANDIN A. An Ontology of Cyberspace as a Basis for Decision-Making in Cyberoperations[C]// IEEE. International Conference on Cyber Warface and Security. New York: IEEE, 2024: 84-94.
[11]	BUGHIO K S, COOK D M, SHAH S A A. Developing a Novel Ontology for Cybersecurity in Internet of Medical Things-Enabled Remote Patient Monitoring[J]. Sensors, 2024, 24(9): 5-20.
[12]	BERNARDINI A, D’ALTERIO F, SAGRATELLA L, et al. “Work-in-Progress” Structuring the Complexity: an Ontological Approach to Analyze the Cybersecurity of a 5G Service[C]// IEEE. 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). New York: IEEE, 2024: 691-700.
[13]	KOUGIOUMTZIDOU A, PAPOUTSIS A, KAVALLIEROS D, et al. An End-to-End Framework for Cybersecurity Taxonomy and Ontology Generation and Updating[C]// IEEE. 2024 IEEE International Conference on Cyber Security and Resilience (CSR). New York: IEEE, 2024: 247-254.
[14]	XU Derong, CHEN Wei, PENG Wenjun, et al. Large Language Models for Generative Information Extraction: A Survey[J]. Frontiers of Computer Science, 2024, 18(6): 2-14.
[15]	WANG Yaxin, ZHANG Jian. Electronic Medical Record Fingerprint Feature Extraction Based on Few-Shot Named Entity Recognition Technology[J]. Netinfo Security, 2024, 24(10): 1537-1543.
	王亚欣, 张健. 基于少样本命名实体识别技术的电子病历指纹特征提取[J]. 信息网络安全, 2024, 24(10):1537-1543.
[16]	STUDIAWAN H, HASAN M F, PRATOMO B A. Rule-Based Entity Recognition for Forensic Timeline[C]// IEEE. 2023 Conference on Information Communications Technology and Society (ICTAS). New York: IEEE, 2023: 1-6.
[17]	HU Chenxi, WU Tao, LIU Chunsheng, et al. Joint Contrastive Learning and Belief Rule Base for Named Entity Recognition in Cybersecurity[J]. Cybersecurity, 2024, 7(1): 3-12.
[18]	SARHAN M, LAYEGHY S, MOUSTAFA N, et al. Feature Extraction for Machine Learning-Based Intrusion Detection in IoT Networks[J]. Digital Communications and Networks, 2024, 10(1): 205-216.
[19]	MUMTAZ G, AKRAM S, IQBAL M W, et al. Classification and Prediction of Significant Cyber Incidents (SCI) Using Data Mining and Machine Learning (DM-ML)[J]. IEEE Access, 2023, 11: 94486-94496.
[20]	LI Jiao, ZHANG Yuqing, WU Yabiao. Large Language Model Data Augmentation Methods for Relationship Extraction in Cybersecurity[J]. Netinfo Security, 2024, 24(10): 1477-1483.
	李娇, 张玉清, 吴亚飚. 面向网络安全关系抽取的大语言模型数据增强方法[J]. 信息网络安全, 2024, 24(10):1477-1483.
[21]	WANG Fei, DING Zhaoyun, LIU Kai, et al. Multi-Relation Extraction for Cybersecurity Based on Ontology Rule-Enhanced Prompt Learning[J]. Electronics, 2024, 13(12): 1-25.
[22]	AHMED K, KHURSHID S K, HINA S. CyberEntRel: Joint Extraction of Cyber Entities and Relations Using Deep Learning[J]. Computer & Security, 2024, 136(1): 1-11.
[23]	JI Bin, LI Shasha, XU Hao, et al. Span-Based Joint Entity and Relation Extraction Augmented with Sequence Tagging Mechanism[J]. Science China Information Sciences, 2024, 67(5): 1-15.
[24]	CHEN S S, HWANG R H, SUN C Y, et al. Enhancing Cyber Threat Intelligence with Named Entity Recognition Using BERT-CRF[C]// IEEE. IEEE Global Communiacations Conference 2023. New York: IEEE, 2023: 7532-7537.
[25]	LIU Yafei, WEI Siqi, HUANG Haijun, et al. Naming Entity Recognition of Citrus Pests and Diseases Based on the BERT-BiLSTM-CRF Model[J]. Expert Systems with Applications, 2023, 234(27): 1-10.
[26]	PAN Xuefeng, CAO Yuanyuan, HOU Xiaorui, et al. Named Entity Recognition of TCM Electronic Medical Records Based on the ALBERT-BiLSTM-CRF Model[C]// IEEE. 2022 12th International Conference on Information Technology in Medicine and Education (ITME 2022). New York: IEEE, 2022: 575-582.
[27]	KE Jia, WANG Weiji, CHEN Xiaojun, et al. Medical Entity Recognition and Knowledge Map Relationship Analysis of Chinese EMRs Based on Improved BiLSTM-CRF[J]. Computers and Electrical Engineering, 2023, 108(4): 1-18.
[28]	360 Total Security. Security Report[EB/OL]. (2024-05-09) [2024-11-14]. https://cert.360.cn/report.
	360安全安全报告[EB/OL]. (2024-05-09) [2024-11-14]. https://cert.360.cn/report.
[29]	National Computer Network Emergency Response Technical Team/Coordination Center of China. Security Report[EB/OL]. (2023-06-28) [2024-11-20]. https://www.cert.org.cn/publish/main/17/index.html.
	国家计算机网络应急技术处理协调中心. 安全报告[EB/OL]. (2023-06-28)[2024-11-20]. https://www.cert.org.cn/publish/main/17/index.html.
[30]	KAUR K, KAUR P. BERT-CNN: Improving BERT for Requirements Classification Using CNN[J]. Procedia Computer Science, 2023, 218(3): 2604-2611.
[31]	BELLO A, NG S C, LEUNG M F. A BERT Framework to Sentiment Analysis of Tweets[J]. Sensors, 2023, 23(1): 1-14.

符号	含义	符号	含义
B-administrator	管理员实体的开始部分	I-network	网络实体的其余部分
I-administrator	管理员实体的其余部分	B-attacker	攻击者实体的开始部分
B-host	主机实体的开始部分	I-attacker	攻击者实体的其余部分
I-host	主机实体的其余部分	B-attack_mode	攻击方式实体的开始部分
B-system	操作系统实体的开始部分	I-attack_mode	攻击方式实体的其余部分
I-system	操作系统实体的其余部分	B-loophole	漏洞实体的开始部分
B-hardware	硬件实体的开始部分	I-loophole	漏洞实体的其余部分
I-hardware	硬件实体的其余部分	B-malware	恶意软件实体的开始部分
B-software	软件实体的开始部分	I-malware	恶意软件实体的其余部分
I-software	软件实体的其余部分	B-virus	病毒实体的开始部分
B-ip	IP实体的开始部分	I-virus	病毒实体的其余部分
I-ip	IP实体的其余部分	B-defender	防御者实体的开始部分
B-port	端口实体的开始部分	I-defender	防御者实体的其余部分
I-port	端口实体的其余部分	B-defense_mode	防御方式实体的开始部分
B-service	服务实体的开始部分	I-defense_mode	防御方式实体的其余部分
I-service	服务实体的其余部分	O	非实体
B-network	网络实体的开始部分	—	—

数据集	训练集/个	测试集/个	验证集/个
语句数	3101	886	443
实体总数	2513	718	359
管理员	120	12	8
主机	159	46	20
操作系统	100	53	6
硬件	114	21	25
软件	129	30	32
IP	120	12	8
端口	160	12	8
服务	100	12	9
网络	49	11	9
攻击者	219	66	37
攻击方式	276	58	58
漏洞	185	92	10
恶意软件	294	113	28
病毒	104	97	42
防御者	222	50	28
防御方式	162	33	31

名称	配置信息
CPU	AMD Ryzen Threadripper 3970X 32-Core Processor
内存	251 GB
操作系统	Ubuntu 20.04.5 LTS
开发框架	Python 3.7.16
编程语言	PyTorch 1.13.1

名称	数值
batch_size	8
num_train_epochs	15
max_seq_length	202
learning_rate	1e-5
dropout	0.5
clip	0.5

模型	Precision	Recall	F1值
BERT-BiLSTM-MHA-CRF	84.52%	89.29%	86.84%
BERT-BiLSTM-CRF	82.55%	86.49%	84.48%
BERT-CRF	71.68%	82.01%	76.50%
BERT-MHA-CRF	75.28%	81.35%	78.19%
ALBERT-BiLSTM-CRF	84.13%	83.53%	83.83%
Word2vec-BiLSTM-CRF	79.05%	87.83%	83.21%