Title :
A situation assessment framework for cyber security information relevance reasoning
Author :
Shan Lu;Mieczyslaw M. Kokar
Author_Institution :
Department of Electrical and Computer Engineering Northeastern University, Boston, Massachusetts 02115
Date :
7/1/2015 12:00:00 AM
Abstract :
Cyber security is one of the most serious economic and national challenges faced by nations all over the world. When a cyber security incident occurs, the critical question security administrators ask is: what has happened? Cyber situation assessment is therefore critical if analysts are to make correct and timely defense decisions. The STIX ontology, which was developed by taking advantage of existing cyber security standards, is used to represent cyber threat information and to infer important features of the cyber situation that help decision makers form their situational awareness. However, because information technology is so widely deployed, security analysts face the challenge of information overload: huge volumes of low-level observations captured by various sensors and network tools must be processed to answer high-level intelligence queries such as potential courses of action and future impact. Identifying the cyber threat information that is relevant to a specific query is therefore a crucial step in cyber situation assessment. In this paper, we leverage the STIX ontology to represent cyber threat information in a logical framework. In order to recognize specific situation types and to automatically identify the minimal and sufficient information for answering a query, we propose an information relevance reasoning mechanism based on situation theory. Finally, we implement the proposed framework on a dataset generated by Skaion Corporation.
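The abstract describes selecting, from many low-level observations, the minimal and sufficient subset needed to answer a high-level query. The following is an added illustration of that idea, not code from the paper or from the STIX project: STIX-style objects (Incident, Observable, Indicator, TTP, CourseOfAction) are encoded as constructed ground facts, inference as two Horn rules, and a backward-chaining prover records which base facts each answer rests on. Every identifier, the predicate names and the rules are assumptions made for this example; the paper's own reasoning mechanism is based on situation theory and is not reproduced here.

```python
"""Toy information-relevance reasoner over STIX-style facts.

Constructed illustration (not code from the paper): STIX objects and their
relationships are encoded as ground facts, inference as Horn rules, and a
backward-chaining prover records which base facts each answer rests on.
The smallest such set is reported as the information relevant to the query.
"""
from itertools import count

# Constructed STIX-like knowledge base as (predicate, subject, object) triples.
# Every identifier here is invented; the links loosely mirror STIX relationships
# (Incident -> Observable, Indicator -> Observable/TTP, CourseOfAction -> TTP).
FACTS = {
    ("observable_of_incident", "incident-1", "observable-1"),
    ("observable_of_incident", "incident-1", "observable-2"),   # no matching indicator
    ("indicator_observable",   "indicator-1", "observable-1"),
    ("indicator_ttp",          "indicator-1", "ttp-1"),
    ("coa_mitigates",          "coa-1", "ttp-1"),
    ("coa_mitigates",          "coa-2", "ttp-2"),               # unrelated TTP
    ("indicator_observable",   "indicator-2", "observable-9"),  # another incident's data
    ("observable_of_incident", "incident-2", "observable-9"),
}

# Assumed Horn rules (head, body). Tokens starting with an uppercase letter are variables.
RULES = [
    (("incident_ttp", "I", "T"),
     [("observable_of_incident", "I", "O"),
      ("indicator_observable", "Ind", "O"),
      ("indicator_ttp", "Ind", "T")]),
    (("suggested_coa", "I", "C"),
     [("incident_ttp", "I", "T"),
      ("coa_mitigates", "C", "T")]),
]

_fresh = count(1)

def is_var(tok):
    return tok[0].isupper()

def walk(tok, binding):
    """Dereference a variable through the binding chain."""
    while is_var(tok) and tok in binding:
        tok = binding[tok]
    return tok

def unify(x, y, binding):
    """Return an extended binding that unifies tuples x and y, or None."""
    b = dict(binding)
    for a, c in zip(x, y):
        a, c = walk(a, b), walk(c, b)
        if a == c:
            continue
        if is_var(a):
            b[a] = c
        elif is_var(c):
            b[c] = a
        else:
            return None
    return b

def rename(head, body):
    """Give rule variables a fresh suffix so separate rule uses never share names."""
    sfx = f"#{next(_fresh)}"
    ren = lambda lit: tuple(t + sfx if is_var(t) else t for t in lit)
    return ren(head), [ren(lit) for lit in body]

def prove(goal, binding, depth=0):
    """Yield (binding, support) for every proof of goal; support is the
    frozenset of base facts that proof used."""
    if depth > 25:            # guard against runaway recursion
        return
    for fact in FACTS:
        if fact[0] == goal[0]:
            b = unify(goal, fact, binding)
            if b is not None:
                yield b, frozenset([fact])
    for head, body in RULES:
        if head[0] != goal[0]:
            continue
        head, body = rename(head, body)
        b = unify(goal, head, binding)
        if b is not None:
            yield from prove_all(body, b, depth + 1)

def prove_all(goals, binding, depth):
    """Prove a conjunction left to right, threading bindings and support sets."""
    if not goals:
        yield binding, frozenset()
        return
    for b1, s1 in prove(goals[0], binding, depth):
        for b2, s2 in prove_all(goals[1:], b1, depth):
            yield b2, s1 | s2

def relevant_information(query):
    """Map each ground answer to the smallest set of base facts that derives it."""
    answers = {}
    for b, support in prove(query, {}):
        ground = tuple(walk(t, b) for t in query)
        if ground not in answers or len(support) < len(answers[ground]):
            answers[ground] = support
    return answers

if __name__ == "__main__":
    for answer, facts in relevant_information(("suggested_coa", "incident-1", "C")).items():
        print(answer, "needs", len(facts), "of", len(FACTS), "facts:")
        for f in sorted(facts):
            print("   ", f)
```

Run as a script, the query "which course of action applies to incident-1?" yields coa-1 supported by four of the eight facts; the observable with no indicator, the second incident's data and the course of action for an unrelated TTP are all excluded, which is the kind of filtering the abstract calls relevance reasoning. Proof search is exhaustive over a set, so it is suitable for a small knowledge base only.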
Keywords :
"Ontologies","Computer security","Semantics","Cognition","Knowledge based systems","Computers"
Conference_Titel :
Information Fusion (Fusion), 2015 18th International Conference on