Description
Submission date: 12 April 2023
Title: Linear Temporal Logic Meets Existential Rules for Cybersecurity
Thesis supervisor:
Lina MROUEH (LISITE)
Co-supervisor:
Nouredine TAMANI (LISITE)
Co-supervisor:
Saad EL JAOUHARI (LISITE)
Scientific field: Information and communication sciences and technologies
CNRS theme: Data and knowledge
Abstract: Context:
Malware behavior analysis, forensic processes, post-mortem analysis and anomaly detection are common functionalities in cybersecurity that require analysts to go through large amounts of data, generally stored as logs in the systems under consideration. The effectiveness of the analysis relies on how effectively knowledge is extracted from these data, and on how coherently the courses of events are represented and correctly reconstructed for the reasoning processes. The quality of this process is often related to time: the time dimension is the main metadata that allows for correct reasoning over consistent knowledge bases modeling the courses of the events of interest that occurred within the system.
Knowledge Representation and Knowledge Engineering [1] have achieved major advances at both the theoretical and the algorithmic/computational level. From ontologies to existential rules, passing through linked open data, knowledge representation languages and tools have evolved to define Web 3.0.
From the state of the art, we can single out the engineering work introduced in [3] for event detection based on knowledge graphs. The events considered there are complex and characterized by richly attributed signals, spatio-temporal correlation, and contextual and environmental factors. The authors introduced Kronos (for Dynamic Knowledge extraction), which supports automatic extraction, integration and search of context-rich events (using an anomaly-based event model) and of semantic knowledge from sensor data streams, leading administrators to actionable knowledge. This is achieved through online event discovery by anomaly detection over the data stream, and a window-based correlation inference that provides users with analytical event queries for searching the rich context.
To integrate time into logical frameworks, many research works have focused on combining temporal logics with Description Logics from a theoretical point of view, such as [4-8] to name a few. Moreover, Linear Temporal Logic (denoted LTL) [2] was introduced to formally establish the temporal relationships among events, so as to construct a consistent and coherent course of actions from the time-dependent events recorded for a given system. Detecting inconsistencies in such systems is an important problem to tackle from both theoretical and practical viewpoints.
The language of Linear Temporal Logic extends the language of Boolean (propositional) logic with the operations N for next and U for until [9]. The formulas of LTL are built from a set of atomic propositions and are closed under application of the Boolean operators and of the following time operators (often called operations):
• N for next is a unary operation such that the formula Nφ means that the statement φ holds at the next time point (or state),
• U for until is a binary operation such that the formula φUψ means that φ holds until ψ becomes true,
• Pr for previous is a unary operation such that the formula Prφ means that the statement φ was true at the immediately preceding time point,
• S for since is a binary operation such that the formula φSψ means that φ has held since ψ was true.
The semantics of LTL is given by infinite transition systems; formally, these are represented as linear Kripke structures over the natural numbers.
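An added example (not part of the thesis description) showing how the four operators above can be evaluated over a finite log: a small C++ checker that, assuming a finite-trace reading of the Kripke semantics and constructed event names, reports the time point at which a malware-style behaviour policy is violated.

```cpp
#include <memory>
#include <set>
#include <string>
#include <vector>
// Finite trace: each time point is the set of atomic propositions observed
// there (event names taken from a constructed log, see example_trace()).
using State = std::set<std::string>;
using Trace = std::vector<State>;
// Formula AST: atoms, Boolean NOT/AND, and the text's N (next), U (until), Pr (previous), S (since).
struct F { enum Kind { ATOM, NOT, AND, N, U, PR, S } kind; std::string atom; std::shared_ptr<F> l, r; };
using Fp = std::shared_ptr<F>;
Fp mk(F::Kind k, Fp l = nullptr, Fp r = nullptr) { return std::make_shared<F>(F{k, "", l, r}); }
Fp atom(std::string a) { return std::make_shared<F>(F{F::ATOM, a, nullptr, nullptr}); }
Fp implies(Fp a, Fp b) { return mk(F::NOT, mk(F::AND, a, mk(F::NOT, b))); }
// holds(t, i, f): does f hold at time point i of t? The text's Kripke structure is infinite;
// on a finite log this example assumes N is false at the last point and Pr is false at point 0.
bool holds(const Trace& t, size_t i, const Fp& f) {
    switch (f->kind) {
    case F::ATOM: return t[i].count(f->atom) > 0;
    case F::NOT:  return !holds(t, i, f->l);
    case F::AND:  return holds(t, i, f->l) && holds(t, i, f->r);
    case F::N:    return i + 1 < t.size() && holds(t, i + 1, f->l);
    case F::PR:   return i > 0 && holds(t, i - 1, f->l);
    case F::U:    // l U r: r holds at some j >= i and l holds at every k in [i, j)
        for (size_t j = i; j < t.size(); ++j) {
            if (holds(t, j, f->r)) return true;
            if (!holds(t, j, f->l)) return false;
        }
        return false;
    case F::S:    // l S r: r held at some j <= i and l holds at every k in (j, i]
        for (size_t j = i + 1; j-- > 0;) {
            if (holds(t, j, f->r)) return true;
            if (!holds(t, j, f->l)) return false;
        }
        return false;
    }
    return false;
}
// First time point at which f fails, or -1 if f holds at every point.
long first_violation(const Trace& t, const Fp& f) {
    for (size_t i = 0; i < t.size(); ++i) if (!holds(t, i, f)) return (long)i;
    return -1;
}
// Constructed host log, one state per time point (hypothetical event names).
Trace example_trace() { return {{"login"}, {"download"}, {"exec"}, {"scan"}, {"exec"}}; }
// Future-looking policy: after a download, nothing executes until a scan has run.
Fp download_policy() { return implies(atom("download"), mk(F::N, mk(F::U, mk(F::NOT, atom("exec")), atom("scan")))); }
// Past-looking policy: an execution is allowed only if a scan happened since the last download.
Fp exec_policy() { return implies(atom("exec"), mk(F::S, mk(F::NOT, atom("download")), atom("scan"))); }
```

On the constructed trace the download policy fails at point 1 (the next point executes before any scan) and the execution policy fails at point 2 but holds at point 4, where a scan has occurred since the last download.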
Challenges:
It is well known that reasoning over a logic-based knowledge base requires checking its consistency. Consistency checking is, from a theoretical point of view, an NP-complete problem. This is why we explore in this PhD thesis project the possibility of reducing the complexity of the reasoning processes from a computational (programming) point of view, by considering time as part of the logical representation of a given domain rather than as metadata that may be used afterwards during reasoning.
From a theoretical point of view, the proposed topic is twofold:
- Time-based knowledge representation, attaching a timed semantics to a given domain,
- Exploring the linearity of the time model for efficient reasoning in a time-based knowledge base.
From an application point of view, the objectives, challenges and tasks to achieve in this PhD thesis are as follows:
- Design and implement a time-based knowledge base for malware behavior, in order to protect the system from such attacks,
- Design and implement a reasoning algorithm tailored for malware behavior,
- Test and evaluate the effectiveness of the proposed approach.
Required skills:
- Engineering degree or a master's degree in applied mathematics or computer science,
- Interest in cybersecurity,
- Expertise in knowledge representation and data engineering,
- Good programming skills in C++
Advisors:
- Prof. Lina MROUEH (lina.mroueh@isep.fr)
- Dr. Nouredine TAMANI (nouredine.tamani@isep.fr)
- Dr. Saad EL JAOUHARI (saad.el-jaouhari@isep.fr)