SEPSES-CSKG is a cybersecurity knowledge graph that integrates and links critical information such as vulnerabilities, weaknesses and attack patterns from various publicly available sources. The Knowledge Graph is continuously updated to reflect changes in various data sources used as inputs, i.e., CAPEC, CPE, CVE, CVSS, and CWE. This engine is designed as a RDF generation mechanism from several CyberSecurity resources. In our server, we add additional bash command to run it continuously, but we didn't provide the script here.
New! Several additional resources for Industrial Control System Cybersecurity (ICS-Sec) has been included, i.e., MITRE ATT&CK (Enterprise and ICS) and ICSA (Industrial Control System Advisory). Detail information can be found here.
Several vocabularies are developed to represent the SEPSES-CSKG knowledge graphs, as follows:
| Prefix | Description | Link |
|---|---|---|
| capec | Common Attack Pattern Enumeration and Classification (CAPEC) | http://w3id.org/sepses/vocab/ref/capec |
| cwe | Common Weakness Enumeration (CWE) | http://w3id.org/sepses/vocab/ref/cwe |
| cve | Common Vulnerabilities and Exposures (CVE) | http://w3id.org/sepses/vocab/ref/cve |
| cvss | Common Vulnerability Scoring System (CVSS) | http://w3id.org/sepses/vocab/ref/cvss |
| cpe | Common Platform Enumeration (CPE) | http://w3id.org/sepses/vocab/ref/cpe |
To run this prototype, the prerequisite is that you have a JDK 8+ and Maven installed in your computer.
Additionally, the config.properties is build for local Jena fuseki installation. Make sure that:
- the
config.propertiesis available (and adjust it if necessary; especially with regards to the triplestore/fuseki installation) - you have an empty repo called 'sepses' in your fuseki/virtuoso installation
- you can also run it without storing the data to triplestore using "dummy" as storage
- currently still need an active sparql endpoint (TODO: to fix this).
The following steps are required to run the engine:
- run
mvn cleanto build the required jar files from thelibfolder - run
mvn install -DskipTests=trueto build the application- optionally, you can also run the tests (without the
-DskipTests=true) to run checks of extracted data against a set of SHACL constraints to make sure that the conversion for each source is correctly defined
- optionally, you can also run the tests (without the
- run
java -jar target/cyber-kb-<version>-jar-with-dependencies.jar -p <type-of-source>- replace
<type-of-source>with one of the following: capec, cwe, cve, cat, icsa ) - replace
<version>with the version of the Cyber-KB - (optional) you can also add
-vas parameter to activate SHACL constraint checking- Note: this option may add a significant time to the process (especially for CPE)
- replace
The prototype will then
- (i) generate the RDF graph from these sources and create necessary linking
- (ii) (optional) check the generated RDF data against a set of SHACL constraints (using constraints from
src/main/resources/shacl/*.ttl) - (iii) store the data in the triplestore
We have tried and tested it in OSX (Intel i7@3,1GHz, OSX Mojave, 16GB RAM). The benchmark result (excluding SHACL check) is available in the following link
Example queries are now added (example-queries.txt), which can be tested in our SPARQL endpoint.
Other interface beyond SPARQL are also provided, such as Linked Data Interface (example), Triple Pattern Fragment and Dump-files (in .turtle and .HDT).
The ECS-SEC KG Engine is written by SEPSES team and released under the MIT license.