Semantic Cybersecurity Knowledge Graph (SEPSES CSKG)
- The topic outlines an ontology-driven framework that extracts and integrates cybersecurity data from diverse event streams.
- It employs semantic parsing pipelines and RAG-based LLM techniques to convert logs into queryable knowledge graphs for threat intelligence.
- It supports automated threat detection, sessionization, and MITRE ATT&CK mapping with robust evaluation metrics and real-world benchmarks.
The SEmantic Processing of Security Event Streams CyberSecurity Knowledge Graph (SEPSES CSKG) is a formalized, ontology-driven framework for extracting, integrating, and reasoning over cybersecurity-relevant information from diverse and heterogeneous event streams. Utilizing advanced log ontologies, semantic parsing pipelines, and LLMs, SEPSES CSKG is designed to facilitate actionable Cyber Threat Intelligence (CTI) by converting unstructured logs, threat feeds, and tabular vulnerability data into coherent, queryable knowledge graphs that support automated threat detection, alert triage, and downstream cyber defense analytics.
1. Formal Ontology and Schema Foundations
Central to SEPSES CSKG is an ontology that provides formal semantics to cybersecurity event structures, supporting both breadth (diverse CTI data types) and depth (detailed actor, vulnerability, and session modeling).
- Core Classes (representative from OntoLogX (Cotti et al., 1 Oct 2025) and related surveys (Lourenço et al., 18 Oct 2025)):
- Event, Session, Actor, Vulnerability, Source, Parameter, Application, UserCredential (with UserPassword, UserName, UserEmail subclasses), IPAddress, NetworkEntity, ThreatActor, AttackTechnique, Tactic.
- Object Properties:
- hasSource (Event → Source), hasSession (Event → Session), hasActor (Event → Actor), hasVulnerability (Event → Vulnerability), hasParameter ((Event ∪ Application) → Parameter), timestampOf (Event → TimeStamp), invokesApp (Event → Application), partOf ((Actor ∪ Parameter) → Session), hasSourceIP, mapsToTechnique, partOfTactic.
- Ontology Example (OWL-DL/SHACL snippet):
    % Classes
    Event ⊑ prov:Entity.
    Actor ⊑ Parameter.
    Vulnerability ⊑ Parameter.
    % Object Properties
    hasSource: Event → Source.
    hasSession: Event → Session.
    hasActor: Event → Actor.
- Triple Structure:
For SEPSES: , , classes several dozen (Jiomekong et al., 9 Nov 2025).
2. Semantic Log and Text Processing Pipelines
The pipeline ingests continuous streams—from host logs, network devices, or textual threat intelligence—and produces semantic RDF- or property-graph representations.
2.1 Ingestion and Preprocessing
- Raw logs: Syslog, Windows Event Log, IDS alerts (structured or unstructured).
- Preprocessing modules normalize timestamps (ISO 8601), extract JSON payloads if present, and tokenize raw text.
- For free text (e.g., CTI reports), spaCy-based NER models recognize 18 cybersecurity domain entities (Malware_Name, Vulnerability, Threat_Actor, etc.) (Hanks et al., 2022).
2.2 Entity and Concept Extraction
- Embedded NER: spaCy models use Bloom embeddings, residual CNNs, and attention pooling; key metrics: Precision = 70.77%, Recall = 60.53%, F₁ = 65.25% overall; Threat_Actor F₁ = 100% (Hanks et al., 2022).
- Regexes for structured patterns: timestamps, IPs, CVE-IDs (e.g., (?P<src_ip>\d+\.\d+\.\d+\.\d+) and CVE-\d{4}-\d+).
2.3 RAG-based LLM Semantic Parsing
- Retrieval-Augmented Generation (RAG): Prompts are constructed from ontology schema, few-shot KG event JSONs (retrieved via FAISS + Elasticsearch, fused with Maximal Marginal Relevance), and the input log event.
- Main prompt: “Produce a JSON graph using classes & properties…” with ontology/SHACL excerpt inline (Cotti et al., 1 Oct 2025).
- Correction loop: JSON syntax → SHACL validation → custom semantic checks (one Event, no dangling edges), iteratively re-prompting if violations occur.
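As an added illustration (not code from OntoLogX or the SEPSES project) of the custom semantic checks in that correction loop, the Python below validates a JSON event graph and returns the violations that would trigger a re-prompt; the node/edge JSON layout and the domain/range table, derived from the object properties in section 1, are assumptions.

```python
import json
# Domain/range of the object properties from the ontology section (assumed
# JSON layout: {"nodes": [{"id", "type"}], "edges": [{"s", "p", "o"}]}).
PROPERTY_SIGNATURES = {
    "hasSource": ({"Event"}, {"Source"}),
    "hasSession": ({"Event"}, {"Session"}),
    "hasActor": ({"Event"}, {"Actor"}),
    "hasParameter": ({"Event", "Application"}, {"Parameter"}),
    "partOf": ({"Actor", "Parameter"}, {"Session"}),
}
# Subclass axioms from the OWL snippet: Actor and Vulnerability are Parameters.
SUBCLASS_OF = {"Actor": {"Parameter"}, "Vulnerability": {"Parameter"}}

def _is_a(node_type, allowed):
    return node_type in allowed or bool(SUBCLASS_OF.get(node_type, set()) & allowed)

def check_event_graph(raw_json):
    """Return violation strings; an empty list means the graph leaves the correction loop."""
    try:
        graph = json.loads(raw_json)
    except json.JSONDecodeError as exc:              # stage 1: JSON syntax
        return [f"json: {exc.msg} at position {exc.pos}"]
    types = {n["id"]: n["type"] for n in graph.get("nodes", [])}
    violations = []
    n_events = sum(1 for t in types.values() if t == "Event")
    if n_events != 1:                                 # custom check: exactly one Event
        violations.append(f"semantic: expected exactly one Event, found {n_events}")
    for e in graph.get("edges", []):
        s, p, o = e["s"], e["p"], e["o"]
        if s not in types or o not in types:          # custom check: no dangling edges
            violations.append(f"dangling: {s} -{p}-> {o} references an undeclared node")
        elif p not in PROPERTY_SIGNATURES:            # schema check (what SHACL would flag)
            violations.append(f"schema: unknown property {p}")
        else:
            domain, rng = PROPERTY_SIGNATURES[p]
            if not _is_a(types[s], domain):
                violations.append(f"domain: {p} cannot start at a {types[s]} ({s})")
            if not _is_a(types[o], rng):
                violations.append(f"range: {p} cannot point to a {types[o]} ({o})")
    return violations

# Constructed sample: an OpenVPN login event with one dangling edge and one range error.
SAMPLE = json.dumps({
    "nodes": [{"id": "Event_1", "type": "Event"}, {"id": "Source_OpenVPN", "type": "Source"},
              {"id": "Actor_jhall", "type": "Actor"}],
    "edges": [{"s": "Event_1", "p": "hasSource", "o": "Source_OpenVPN"},
              {"s": "Event_1", "p": "hasActor", "o": "Actor_jhall"},
              {"s": "Event_1", "p": "hasSession", "o": "Session_7"},
              {"s": "Event_1", "p": "hasParameter", "o": "Source_OpenVPN"}],
})
```

Running check_event_graph(SAMPLE) yields two violations (the undeclared Session_7 and hasParameter pointing at a Source), while hasParameter pointing at the Actor passes because Actor ⊑ Parameter.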
2.4 Graph Construction and Storage
- Triples are emitted per event. For example:
    ex:Event_1 a olx:Event ;
        olx:timestampOf "2022-01-21T03:49:44Z"^^xsd:dateTime ;
        olx:hasSource ex:Source_OpenVPN ;
        olx:hasActor ex:Actor_jhall ;
        olx:hasParameter ex:Param_CN_OpenVPN_CA .
- Backend: Neo4j 4.x with APOC for property graph storage, FAISS plugin for vector-based retrieval, Elasticsearch for text search (Cotti et al., 1 Oct 2025).
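Added example, not the project's own code: the regex stage of 2.2 and the per-event Turtle emission above combined into one small Python pipeline over constructed Syslog-style lines; the line format, the ex:/olx: identifier naming, and the helper names are assumptions.

```python
import re
from datetime import datetime, timezone

# Regexes from the entity-extraction stage (the page's src_ip / CVE patterns) plus
# an assumed Syslog-style prefix: "<RFC3339 timestamp> <host> <app>[pid]: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
IP_RE = re.compile(r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")
USER_RE = re.compile(r"\buser(?:name)?[=: ]+(?P<user>[\w.-]+)", re.IGNORECASE)

def extract_event(line):
    """Parse one log line into a flat dict of entity fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Normalize the timestamp to UTC ISO 8601, as the preprocessing step does.
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    fields = {"timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "source": m["app"], "host": m["host"]}
    if ip := IP_RE.search(m["msg"]):
        fields["src_ip"] = ip["src_ip"]
    if cve := CVE_RE.search(m["msg"]):
        fields["vulnerability"] = cve.group(0)
    if user := USER_RE.search(m["msg"]):
        fields["actor"] = user["user"]
    return fields

def to_turtle(event_id, f):
    """Emit one olx:Event as Turtle, one property per line, in the style of the page's example."""
    props = [f'olx:timestampOf "{f["timestamp"]}"^^xsd:dateTime', f"olx:hasSource ex:Source_{f['source']}"]
    if "actor" in f:
        props.append(f"olx:hasActor ex:Actor_{f['actor']}")
    if "src_ip" in f:
        props.append(f"olx:hasSourceIP ex:IP_{f['src_ip'].replace('.', '_')}")
    if "vulnerability" in f:
        props.append(f"olx:hasVulnerability ex:Vuln_{f['vulnerability']}")
    return f"ex:{event_id} a olx:Event ;\n    " + " ;\n    ".join(props) + " ."

# Constructed sample lines (not from any real dataset); the last one is deliberately unparsable.
SAMPLE_LOGS = [
    "2022-01-21T03:49:44Z vpn01 openvpn[812]: user=jhall authenticated from 203.0.113.7",
    "2022-01-21T03:52:10Z ids01 suricata: ET EXPLOIT attempt CVE-2021-44228 from 198.51.100.23",
    "garbage line that does not parse",
]

def build_graph(lines):
    """Run extraction over all lines and return the Turtle for every parsable event."""
    events = [f for f in map(extract_event, lines) if f]
    return [to_turtle(f"Event_{i + 1}", f) for i, f in enumerate(events)]
```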
3. Sessionization, Inference, and MITRE ATT&CK Mapping
3.1 Session Aggregation
- Events are grouped into sessions by time-window and shared src_ip:
  with ΔT = 15 minutes (default, tunable) (Cotti et al., 1 Oct 2025).
    DELTA_T = timedelta(minutes=15)
    sessions = []                          # each session: {"src_ip", "last_timestamp", "events"}
    for e in sorted(events, key=lambda ev: ev["timestamp"]):
        for s in sessions:
            if e["src_ip"] == s["src_ip"] and (e["timestamp"] - s["last_timestamp"]) < DELTA_T:
                s["events"].append(e)                # assign e to s
                s["last_timestamp"] = e["timestamp"]
                break
        else:                                        # no open session matched: create new session
            sessions.append({"src_ip": e["src_ip"], "last_timestamp": e["timestamp"], "events": [e]})
3.2 Higher-Level Tactic Inference
- Session sub-graphs and metadata supply features to an LLM ("Foundation-sec-8b", vLLM) for MITRE ATT&CK tactic prediction.
- Few-shot/zero-shot prompts, e.g.: “Assign one or more MITRE ATT&CK tactics (e.g., Reconnaissance, Persistence, Discovery)…”
- Empirical results: Precision = 0.83, Recall = 0.79, (Cowrie honeypot, 100 test sessions) (Cotti et al., 1 Oct 2025).
3.3 Symbolic Reasoning and SPARQL
- OWL 2 RL and SWRL rules encode domain logic:
- Pattern queries (Lourenço et al., 18 Oct 2025), e.g. hosts with more than five failed logins:
    SELECT ?host (COUNT(?evt) AS ?failCount)
    WHERE {
      ?evt a sep:FailedLogin ;
           sep:involvesHost ?host .
    }
    GROUP BY ?host
    HAVING (?failCount > 5)
4. Integration with Downstream Datasets and Benchmarks
SEPSES CSKG powers annotation, matching, and benchmarking in tabular and CTI-centric security datasets.
4.1 Secu-Table Pipeline
- Extracts ≈1,554 tables with >15,000 entities from CVE and CWE dumps (2022), normalizes to CSV, then annotates against SEPSES CSKG for ground-truth creation (Jiomekong et al., 9 Nov 2025).
- Key triple schema (examples):
1 2 3 4 5 6 7
cwe:CWE-79 a sepses:ref/cwe#CWE ; rdfs:label "Cross-site scripting"@en ; sepses:relatedWeakness cwe:CWE-80, cwe:CWE-81 . cve:CVE-2018-6147 a sepses:ref/cve#CVE ; rdfs:label "Cell broadcast disable notification of new SMS reception"@en ; sepses:affectsConfiguration sepses:SCAP-XYZ ; sepses:hasWeakness cwe:CWE-20 .
- Entity/column/property linkers: Pseudocode-driven, SPARQL-based lookup, context disambiguation, with all assignments validated manually—no LLMs or embeddings used for ground-truth (Jiomekong et al., 9 Nov 2025).
4.2 STI and LLM Benchmarking
- Open and closed-source LLMs evaluated for semantic table interpretation (Falcon3-7B, Mistral-7B, GPT-4o-mini). Baseline scores: 0.30 (Falcon3-7B), 0.35 (Mistral-7B), 0.51 (GPT-4o-mini), measured on precise CEA/CTA/CPA metrics (Jiomekong et al., 9 Nov 2025).
- Error sources: Spelling variation, incomplete context, and incomplete KG coverage.
5. System Architecture and Deployment
- Microservices: All major pipeline steps are implemented as Python FastAPI services, orchestrated with RabbitMQ + Celery for distributed task management.
- Validation: SHACL validation is performed with pySHACL; semantic and cardinality constraints are enforced at KG generation time.
- Backends: Neo4j 4.x (property graphs), Apache Jena/Fuseki (RDF triples), Elasticsearch (text lookup), FAISS (vector).
- Deployment: Containerized via Docker and managed under Kubernetes for scalability and resilience (Cotti et al., 1 Oct 2025).
- LLM Serving: Qwen3 Coder 32B, Claude 3.5 (AWS Bedrock), Foundation-sec-8b (local vLLM); temperature=0.7 and max_tokens=512 are the common settings.
6. Performance Evaluation, Metrics, and Empirical Results
Evaluation of SEPSES CSKG-driven systems is conducted at multiple phases, with both quantitative and qualitative metrics:
- KG Extraction (AIT-LDS Benchmark, Qwen3 Coder 32B, avg over 10 runs) (Cotti et al., 1 Oct 2025):

| Configuration | Precision | Recall | F₁ |
|-------------------------|-----------|--------|-------|
| Baseline (no retrieval) | 0.524 | 0.377 | 0.429 |
| Retrieval only | 0.722 | 0.679 | 0.687 |
| Structured + Correction | 0.520 | 0.426 | 0.458 |
| Full OntoLogX pipeline | 0.758 | 0.702 | 0.717 |
- Ablation:
- Retrieval accounted for the largest F₁ gain (+0.258 vs baseline).
- Iterative correction reduced SHACL violations by ∼10×.
- Triple Extraction/Co-ref/LLM summarization (Lourenço et al., 18 Oct 2025):
- Triple-stage: Precision 0.92, Recall 0.88, F₁ 0.90.
- Co-reference accuracy: 0.85.
- LLM summarization ROUGE-L: 0.74, novel-pattern detection +30%.
- Streaming NER (spaCy) (Hanks et al., 2022):
- Macro-avg: Precision 70.77%, Recall 60.53%, F₁ 65.25%.
- Per-type highlights: Threat_Actor F₁ 100%, Vulnerability F₁ 72.7%.
- Latency, TPR/FPR (Cognitive use case) (Narayanan et al., 2018):
- Mean detection latency: s ( s, 10 runs).
- True Positive Rate: 100%, False Positive Rate: 5%.
- Baseline SIEM: latency 5.8 s, TPR 80%.
7. Research Impact and Developments
SEPSES CSKG encapsulates the convergence of ontology-driven modeling, semantic parsing of event streams, and LLM-augmented reasoning for cyber defense. Its rigorous, schema-first workflow delivers interoperability and advanced threat intelligence fusion in streaming and batch modes. Datasets such as Secu-Table (Jiomekong et al., 9 Nov 2025) provide a critical testbed for evaluating STI and KG extraction systems grounded in SEPSES. Ongoing directions include integration with additional security sources (CPE, ATT&CK, OWASP), improved human-in-the-loop annotation, and deeper cross-domain linking (e.g., Wikidata) for enriched situational awareness.
The systematic pipeline, strong evaluation, and robust ground-truth construction supported by SEPSES CSKG establish it as a reproducible and extensible foundation for research and operational deployment in ontology-based cybersecurity knowledge engineering.