Semantics is the study of meaning that is used for understanding human expression through language. It focuses on the relation between signifiers such as words, phrases, signs and symbols and what they stand for.
In IT security when we refer to semantics we usually refer to “Semantic Event Correlation”.
You have surely noticed these terms in the company brochures you received by email last week. While scrolling down the PDF, you could not avoid reading them in enlarged expressions such as bold text, titles etc. spread across the document. It was probably preceded by the terms “Machine Learning” (ML) or “Big Data”. Same page, different paragraph.
We have been hearing so many discussions about these subjects. They recently became buzzwords because every occasion is good to mention them (e.g. describing the value of a new application or emphasizing the scope of an upcoming feature).
With these terms being so overused, employees and managers start to not believe in them anymore, simply because at the end of the day, when trying these features out nobody clearly sees how they can help.
This often happens because people’s expectations are bigger than the real advantages that these tools can bring. When it comes to data protection and network monitoring, people tend to think that these tools could completely replace Information Security Analysts and take care of all the proper and intuitive consideration needed to solve an investigation.
Well, this is not the case.
In general, these tools should not replace human analysis but rather allow security experts to avoid spending too much time on repetitive or trivial tasks and to focus on compelling analysis. Then, the best thing to do is to identify what can be automated in the monitoring analysis process and start to think about the best algorithm that could help in this regard.
We know that many of the most successful Advanced Persistent Threat (APT) attacks [1] happen after months of patient data gathering and learning before, during and after infiltrating a network.
In order to discover these attacks, we need machine learning algorithms that look for anomalies over a long period of time and after that, we need to find ways to relate all the logs that might occur on the machines involved in those attacks.
Well, that is why we love semantics!
Thanks to semantics, we can in fact identify relationships among unstructured and un-mapped elements representing security-related events. Thus, we can understand in which context a log can fit by referring it to known descriptions of attack patterns or specific attack steps. Semantics will result in saving large amounts of time that analysts would otherwise be wasting in repetitive tasks.
Here is an example of the phases used in semantics to process text:
Ultimately, semantics helps indexing security-related logs in order to highlight pieces of information that do not necessarily share content with intelligence feeds, but are important to discover possible actions that could clearly show the hackers’ intent.
Now, are you starting to love semantics? Do you want to know more?
Feel free to comment on this article by using the best keywords to identify and label the topic you would like me to address. I will cluster them and provide you with the proper answers.
