Cyberattacks are becoming increasingly difficult to detect and prevent due to their sophistication. In response, Autonomous Intelligent Cyber-defense Agents (AICAs) are emerging as crucial solutions. One prominent AICA agent is the Intrusion Response System (IRS), which is critical for mitigating threats after detection. IRS uses several Tactics, Techniques, and Procedures (TTPs) to mitigate attacks and restore the infrastructure to normal operations. Continuous monitoring of the enterprise infrastructure is an essential TTP the IRS uses. However, each system serves different purposes to meet operational needs. Integrating these disparate sources for continuous monitoring increases pre-processing complexity and limits automation, eventually prolonging critical response time for attackers to exploit. We propose a unified IRS Knowledge Graph ontology (IRSKG) that streamlines the onboarding of new enterprise systems as a source for the AICAs. Our ontology can capture system monitoring logs and supplemental data, such as a rules repository containing the administrator-defined policies to dictate the IRS responses. Besides, our ontology permits us to incorporate dynamic changes to adapt to the evolving cyber-threat landscape. This robust yet concise design allows machine learning models to train effectively and recover a compromised system to its desired state autonomously with explainability.

翻译：网络攻击日益复杂化，使其检测与防御难度不断攀升。在此背景下，自主智能网络防御代理（AICA）正成为关键解决方案。入侵响应系统（IRS）作为一种重要的AICA代理，在威胁检测后的缓解环节至关重要。IRS运用多种战术、技术与规程（TTP）来缓解攻击并将基础设施恢复至正常运营状态。对企业基础设施的持续监控是IRS采用的核心TTP之一。然而，现有系统为满足不同运维需求往往功能各异。整合这些异构数据源以实现持续监控，不仅增加了预处理复杂度，限制了自动化程度，最终更会延长关键响应时间，为攻击者提供可乘之机。本文提出一种统一的IRS知识图谱本体（IRSKG），可简化为AICA接入新企业系统的流程。该本体能够捕获系统监控日志及补充数据（例如包含管理员定义策略的规则库，用以指导IRS响应行为）。此外，本本体支持动态调整以适应不断演变的网络威胁态势。这种强健而简洁的设计使机器学习模型能够有效训练，并以可解释的方式自主将受攻击系统恢复至预期状态。