Electronics 11 02287
Review
Recent Progress of Using Knowledge Graph for Cybersecurity
Kai Liu 1 , Fei Wang 1 , Zhaoyun Ding 1, *, Sheng Liang 2 , Zhengfei Yu 1 and Yun Zhou 1
1 Science and Technology on Information Systems Engineering Laboratory, National University of Defense
Technology, Changsha 410073, China; liukai18@nudt.edu.cn (K.L.); wangfei@nudt.edu.cn (F.W.);
yuzhengfei19@nudt.edu.cn (Z.Y.); zhouyun@nudt.edu.cn (Y.Z.)
2 Center for Information and Language Processing (CIS), University of Munich (LMU),
80538 Munich, Germany; shengliang@cis.lmu.de
* Correspondence: zyding@nudt.edu.cn
Abstract: In today’s dynamic complex cyber environments, Cyber Threat Intelligence (CTI) and
the risk of cyberattacks are both increasing. This means that organizations need to have a strong
understanding of both their internal CTI and their external CTI. The potential for cybersecurity
knowledge graphs is evident in their ability to aggregate and represent knowledge about cyber
threats, as well as their ability to manage and reason with that knowledge. While most existing
research has focused on how to create a full knowledge graph, how to utilize the knowledge graph
to tackle real-world industrial difficulties in cyberattack and defense situations is still unclear. In
this article, we give a quick overview of the cybersecurity knowledge graph’s core concepts, schema,
and building methodologies. We also give a relevant dataset review and open-source frameworks
on the information extraction and knowledge creation job to aid future studies on cybersecurity
knowledge graphs. In the majority of this paper, we perform a comparative assessment of the
many works that expound on the recent advances in the application scenarios of cybersecurity
knowledge graphs. In addition, a new comprehensive classification system is developed to define the linked
works from 9 core categories and 18 subcategories. Finally, based on the analyses of existing research
issues, we give a detailed overview of various possible research directions.
Keywords: cybersecurity knowledge graph; construction technology; application scenarios; cyberthreat intelligence extraction; cyberattack analysis; cyber threat prediction
Citation: Liu, K.; Wang, F.; Ding, Z.; Liang, S.; Yu, Z.; Zhou, Y. Recent Progress of Using Knowledge Graph for Cybersecurity. Electronics 2022, 11, 2287. https://doi.org/10.3390/electronics11152287
security assessment and analysis, and association analysis, which was limited to the security
assessment region. Noel [19] summarized the graph-based approaches for evaluating
and enhancing network security in two major aspects: the “when” aspect and the “where”
aspect. The first dimension covers three particular phases (prevention phase, detection
phase, and reaction phase) of the security process. In the second dimension, it gave an
expectation that incorporates various operational components (i.e., network infrastructure,
cybersecurity posture, cybersecurity threats, and mission dependencies) into a unified
knowledge base for many cybersecurity tasks. The other articles reviewed the research of
CSKG mainly from the dimensions of data sources, ontology design [20], construction technologies [21],
and reasoning methods [22]. As a part of the review, Ding et al. [23] briefly
attempted to illustrate several application directions of CSKG based on the introduction of
CSKG construction technologies. However, none of the survey papers mentioned above
focused on the challenging problem of how to utilize the CSKGs to solve practical issues.
The goal of this paper is to motivate and give an introduction to the application scenario
of KGs in cybersecurity. To provide a comprehensive survey of the existing literature,
this paper first gives a summary of the background and construction methods of the CSKG.
We applied a relevant set of keywords: cybersecurity knowledge graph, cybersecurity
knowledge representation, cybersecurity ontology, threat intelligence extraction, cybersecurity
information extraction, cybersecurity knowledge graph application, graph-based
analytics, and association analysis. These keywords are restricted to the title, keywords,
and abstract search archives published between 2004 and 2022. There were 113 publications
in total found after the database search. The primary content of this paper focuses on
providing an overview of existing application scenarios of CSKGs and related datasets
found in practice. At the end, we discuss the research field’s future directions.
Our main contributions are as follows:
• A comprehensive review of existing application scenarios of CSKG. We propose a
novel classification framework for conducting a comprehensive review of the application
scenarios of CSKG based on an investigation of the background and construction
technology of CSKG.
• We summarize the relevant datasets. To facilitate CSKGs’ future research, we provide
a review of datasets and the analysis of open-source libraries for two tasks: the CSKG
construction task and the task of information extraction.
• Future directions. This survey summarizes each category and suggests possible
future study directions.
The rest of this paper is organized as follows. In Section 2, an overview of the
construction methods for CSKG, including definitions, the building flow, ontology, named
entity recognition methods, and relationship extraction approaches, is given. The usual
datasets, as well as their inadequacies, are presented in Section 3 to aid in the application
of CSKG and the extraction of information. In Section 4, an overview of the application
progress of the KGs in the cybersecurity domain is given. In Section 5, we discuss the
shortcomings of existing research before prospecting future research opportunities. Finally,
we conclude this paper in Section 6.
[Figure: diagram labels recovered from the original: Ontology model; Technologies; Guide; Data layer; Cybersecurity original data; Refined entities, relations, attributes; Knowledge graph; Application layer.]
sis [40], threat actor analysis [41], etc., as shown in Figure 2. Building a generic network
security ontology in today’s complex cyber environment is a difficult and time-consuming
process that heavily relies on the domain knowledge and information technology knowledge
of network security professionals. As a result, application scenarios should guide
the design of appropriate security ontology. At the same time, dynamic and automatic
enrichment of the information security ontology is required [42].
[Figure: diagram labels recovered from the original: Unified Security Ontologies; STUCCO; UCO.]
3. The Datasets
Security analysts make decisions based on a wealth of knowledge to secure systems,
including known and newly discovered threats, weaknesses, vulnerabilities, and attack
patterns. Such knowledge is collected, published, and structured by research institutions,
government agencies, and industry experts, e.g., the Computer Emergency Response Teams
(CERTs) and MITRE [67]. The widely used standards include the vulnerabilities as well as
the associated data published by the National Vulnerability Database (NVD) [68], such as
CVE, CVSS, CWE, and CPE, and the prospective attacker exploits published by Common
Attack Pattern Enumeration and Classification (CAPEC) [69]. In this section, we review
the significant datasets for building CSKG by the categories as follows: (1) the datasets of
open-source CSKG; (2) the datasets for IE in the cybersecurity domain; (3) other datasets
that may inspire future researchers to come up with new solutions.
Electronics 2022, 11, 2287 7 of 28
Table 2. The open datasets of information extraction task for cyber security.
| Dataset and Year | Task: NER | Task: RE | Entity Types | Data Sources |
|---|---|---|---|---|
| Lal [80], 2013 | X | - | Software, Network_terms, Attack, File_name, Hardware, Other_technical_terms, NER_modifier | Blogs, Official Security, Bulletins, CVE |
| Bridges et al. [81], 2013 | X | - | Vendor, Product, Version, Language, vulnerability, and vulnerability relevant term | NVD, OSVBD, Exploit DB |
| Lim et al. [82], 2017 | X | - | Action, Subject, Object, Modifier | APT reports |
| Kim et al. [83], 2020 | X | - | Malware, IP, Domain/URL, Hash, their categories | CTI reports |
| Rastogi et al. [73], 2021 | X | X | Malware, MalwareFamily, Attacker, AttackerGroup, ExploitTarget, Indicator, etc. | CVE, Malware reports |
[Figure: application scenarios of CSKG, labels recovered from the original:
2. Threats discovery (§4.2): Attack prediction (§4.2.1); Threat hunting (§4.2.2); Intrusion detection (§4.2.3)
3. Attack Investigation (§4.3): Attack paths Analysis (§4.3.1); Attack attribution (§4.3.2); Consequence prediction (§4.3.3); Attack analysis (§4.3.4)
6. Vulnerability management and prediction (§4.6)
7. Malware attribution and analysis (§4.7)
8. Coupling to the physical layer (§4.8)]
issues early. The author extended UCO so that it can reason over inputs from multiple
network sensors, such as intrusion detection systems (IDS), Snort, and so on, as well as the
knowledge from the cyber-kill chain. To express rules between entities, the Semantic Web
Rule Language (SWRL) was utilized. The aggregator module was designed to combine
alerts into a reasoning model. They proved its ability to identify newer attacks by putting it
to the test against custom-built ransomware akin to WannaCry and displaying the timeline
of the attack as well as the system’s response activities. Unfortunately, this study solely
described the system’s architecture and did not include any additional information or data.
Sun et al. [96] suggested a prediction approach of a 0-day attack route based on a cyber
defense KG to address the challenge of attack prediction induced by the 0-day vulnerability.
The KG was generated from three aspects (i.e., threat, assets, and vulnerability), which supported
transforming the task of attack prediction into a KG link prediction problem. A path
ranking algorithm was used to create the 0-day attack graph and discover the possible
0-day attack of the target system, according to the above methodology. The experimental
results revealed that the suggested strategy might increase the accuracy of 0-day attack
prediction with the aid of KG. Furthermore, employing the path ranking algorithm can
aid in tracing the causes of predicted outcomes, which improves the explainability of the
forecast.
Table 5. Cont.
which results in the absence of synergies between the multiple dimensions. As illustrated
by Xue [118], the main challenge faced by the application of CSKG is that there is
no direct connection between the KG based on abstract attack knowledge such as STIX 2.0
and the system and network logs that contain the behavior information. There is a semantic
gap between them. For complicated cyberattacks, it is difficult to incorporate all context
information quickly to initiate real-time and accurate analysis. To create the attack scene,
traditional rule-based association analysis relies on expert knowledge, which lacks the
capacity to reason automatically.
To address the aforementioned issue, Wang et al. [119] presented an integrated correlation
analysis approach to a cybersecurity event. The approach incorporated the vulnerability
KG, the threat intelligence KG, the network infrastructure KG, and the intrusion alert KG into
the CSKG, and documented the data sources for each dimension. Following alert
normalization and alert fusion, the alert verification was conducted by judging whether
the vulnerabilities of one alert are in the host vulnerability set. Furthermore, the attack
thread correlation analysis process relies on the existing alerts to query the associated alerts,
CVE items, and CAPEC items, which could be conducive to predicting the real purpose
of attackers. In the authors’ thesis [120], rebuilding the scene of a series of alerts based
on KG was introduced in detail. The author conducts an experiment on the DARPA 2000
dataset to assess the performance of the proposed framework by comparing the number of
remaining alerts after correlation analysis. This research showed an example of the use of
KG for correlation analysis. Qi et al. [121] believed that cyberattacks involve various attack
phases that are related to IDS alarms. Based on this thought, an association analysis model
developed on cybersecurity attack events KG is presented to display a cyberattack scenario
in a special air–ground integrated network graphically. The CSKG includes five tuples:
attacks, alarms, events, relations, and the rules. The association analysis was performed by
calculating the coincidence degree between the gathered events sequence and the attacked
events sequence in the KG.
However, due to the absence of a thorough knowledge of the integrated space–ground
network as well as the limits of the present experimental settings, this article relied solely
on simulation tests to validate the viability of the aforementioned approach. Manual
analysis of logs often does not scale well and frequently results in a lack of knowledge
and insufficient transparency about concerns. To address this issue, Ekelhart et al. [122]
introduced a flexible framework for the automated construction of KGs from arbitrary raw
log messages. The method closes a key gap and opens up a variety of data sources for KG
construction by making the log data suitable for semantic analysis. As mentioned earlier
in Section 4.2, Garrido et al. [100] proposed the application of machine learning on KGs
to increase the utility of the IDS-generated alerts for human operators by improving their
quality and relevance in modern industrial systems.
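The alert fusion, alert verification and correlation steps attributed above to Wang et al. [119] can be sketched over a small triple store. This is an added example, not code from the cited work: the hosts, alerts, relation names and the CVE-0000-*/CAPEC-X* identifiers are constructed placeholders, and treating "associated" as "shares a CAPEC item" is an assumption.

```python
# Constructed sample knowledge graph as (subject, relation, object) triples.
# CVE-0000-* and CAPEC-X* are placeholders, not real catalogue entries.
TRIPLES = [
    ("host:web01", "has_vuln", "CVE-0000-0001"),    # infrastructure KG
    ("host:web01", "has_vuln", "CVE-0000-0002"),
    ("host:db01", "has_vuln", "CVE-0000-0003"),
    ("CVE-0000-0001", "exploited_by", "CAPEC-X1"),  # vulnerability / threat KG
    ("CVE-0000-0002", "exploited_by", "CAPEC-X1"),
    ("CVE-0000-0003", "exploited_by", "CAPEC-X2"),
    ("CVE-0000-0004", "exploited_by", "CAPEC-X2"),
]

# Constructed, already normalised IDS alerts. "cves" lists the vulnerabilities
# the triggering signature targets; "ts" is in seconds.
ALERTS = [
    {"id": "a1", "ts": 0, "src": "203.0.113.7", "dst": "host:web01",
     "sig": "sig-1", "cves": ["CVE-0000-0001"]},
    {"id": "a2", "ts": 20, "src": "203.0.113.7", "dst": "host:web01",
     "sig": "sig-1", "cves": ["CVE-0000-0001"]},
    {"id": "a3", "ts": 100, "src": "203.0.113.7", "dst": "host:db01",
     "sig": "sig-2", "cves": ["CVE-0000-0004"]},
    {"id": "a4", "ts": 200, "src": "203.0.113.7", "dst": "host:web01",
     "sig": "sig-3", "cves": ["CVE-0000-0002"]},
    {"id": "a5", "ts": 300, "src": "host:web01", "dst": "host:db01",
     "sig": "sig-4", "cves": ["CVE-0000-0003"]},
]


def build_kg(triples):
    """Index triples as kg[relation][subject] -> set of objects."""
    kg = {}
    for subj, rel, obj in triples:
        kg.setdefault(rel, {}).setdefault(subj, set()).add(obj)
    return kg


def fuse(alerts, window=60):
    """Alert fusion: merge repeats of the same (src, dst, sig) within `window` s."""
    fused, last = [], {}
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        key = (alert["src"], alert["dst"], alert["sig"])
        prev = last.get(key)
        if prev is not None and alert["ts"] - prev["last_ts"] <= window:
            prev["count"] += 1
            prev["last_ts"] = alert["ts"]
        else:
            rec = dict(alert, count=1, last_ts=alert["ts"])
            fused.append(rec)
            last[key] = rec
    return fused


def verify(alert, kg):
    """Alert verification: the alert's CVEs that are in the target host's set."""
    host_vulns = kg.get("has_vuln", {}).get(alert["dst"], set())
    return set(alert["cves"]) & host_vulns


def capecs_of(cves, kg):
    """CAPEC items linked to any of the given CVE items."""
    found = set()
    for cve in cves:
        found |= kg.get("exploited_by", {}).get(cve, set())
    return found


def correlate(seed, alerts, kg):
    """Query the alerts, CVE items and CAPEC items associated with `seed`."""
    seed_cves = verify(seed, kg)
    seed_capecs = capecs_of(seed_cves, kg)
    related = [a["id"] for a in alerts
               if a["id"] != seed["id"]
               and capecs_of(verify(a, kg), kg) & seed_capecs]
    return {"alerts": related, "cves": sorted(seed_cves),
            "capecs": sorted(seed_capecs)}


def analyse(alerts=ALERTS, triples=TRIPLES):
    """Fuse, verify, then correlate starting from the first verified alert."""
    kg = build_kg(triples)
    fused = fuse(alerts)
    verified = [a for a in fused if verify(a, kg)]
    return {"fused": len(fused),
            "verified": [a["id"] for a in verified],
            "scene": correlate(verified[0], verified, kg)}


if __name__ == "__main__":
    print(analyse())
```

Alert a3 is dropped at verification because its CVE is not in the vulnerability set of host:db01, which is the filtering effect measured by counting the alerts that remain after correlation analysis.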
practice. Based on the industrial internet security vulnerabilities, an industrial CSKG was
built and stored in Neo4j by Tao et al. [127] in order to analyze, query, and visualize from
the temporal, spatial, and correlation dimensions.
When confronted with actual intrusions, CyGraph correlates intrusion alerts to published
vulnerability pathways and recommends the appropriate courses of action for
reacting to attacks. CyGraph creates a predicted model of likely attack pathways and
major vulnerabilities based on queries. As previously stated, by constructing a knowledge
representation learning approach (translation-based, description-embodied), a CSKG based
on CWE might be utilized to infer incomplete relationships and common effects. To find
hidden relationships among weaknesses, Qin et al. [40] proposed a query-based model for
analyzing and reasoning new knowledge automatically. The reasoning flow of the sample
CWE Chain was demonstrated based on a vulnerability KG (VulKG), which covers the
vulnerability data from NVD, CVE, CWE, and CPE. However, the example could only
partially replace the analysis and labeling work of security specialists in
some specific scenarios, where the operator needs to know the query target in advance.
For effectively managing the sparse or inaccurate malware threat information, a malware
KG called MalKG was established by Rastogi et al. [73], which is the first open-source automated
malware threat intelligence KG. Additionally, there are approximately 40 thousand
triples in the provided MalKG dataset (i.e., MT40K), which include 27,354 unique entities
and 34 relationships. The study also manually curated a benchmark KG dataset called
MT3K, with 5741 unique entities and 22 relationships, forming 3027 triples. It demonstrated
the prediction capabilities of MalKG using two use cases in predicting new information.
One of the application scenarios is predicting and sorting all the potential vulnerabilities
or CVEs of the malware-impacted software system by comprehensive utilization of information
from the network environment, malware, and KG. A vulnerability exploitation
KG was built by combining and extracting multi-dimensional domain knowledge, as has
already been noted in [124]. Attack strategies depending on KG enhance the performance
in comprehensive vulnerability exploitation and flexible response by analyzing each device-level
node. Based on an industrial network example, the feasibility of the method was
investigated. Similarly, in Wang’s study [128], chain reasoning and confidence calculation
were also used to support vulnerability detection and finding latent relationships between
CWEs. At the end of this research, similarity matching based on a source code level graph
is used for judging the similarity between the target node and the node in the vulnerability
database, which provides new insights into vulnerability mining. Wang et al. [129] extended
the relationships in the vulnerability KG by identifying the alternative vulnerability
with similar consequences.
features associated with a given malware; for instance, the newly discovered malware may
share similarities with a disclosed malware linked to a certain APT group. As reported
in the white paper [117], the profiling and automatic attribution of APT attacker gangs
can be realized through the extraction of key elements of threat intelligence and dynamic
behavioral reasoning. The key solution lies in establishing a unified language to describe
the behavior and characteristics of different APT organizations, as well as in building a
knowledge base about APT organizations. However, the white paper did not disclose the
details of the related research.
technique for power IoT terminals is provided [93] in order to perceive and measure enormous
power IoT terminals’ security risks and threats in real-time. However, this article did
not describe a suitable network for evaluation. As analyzed previously, Chen et al. [124]
used the domain KG to produce attack strategies by analyzing several vulnerabilities in the
industrial control system. The topology of the target network is composed of the Internet,
two firewalls, one router, an enterprise network, and an industrial ethernet. One firewall
is used to protect all assets of the local network. The other one is situated between the
enterprise network and industrial ethernet. The router is between the first firewall and the
enterprise network, followed by the second firewall and industrial ethernet. The assets of
the enterprise network include a web server, admin host, and printer. Some peripherals,
such as an HMI, a data server, a workstation, and three PLCs with different end-effector
devices (e.g., valve, flowmeter), are connected to the industrial ethernet. The attacker is a
certain host from the Internet, and the PLCs are the attack target.
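The topology described above can be encoded as a small graph to find which assets sit on every route from the Internet host to the PLCs, and are therefore the ones whose hardening cuts all routes. This is an added example, not code from Chen et al. [124]: the firewall policy and the set of weak assets are assumptions made for illustration, since the text gives neither.

```python
from collections import deque

# Zone of each asset, following the topology described in the text.
ZONE = {
    "attacker": "internet",
    "web_server": "enterprise", "admin_host": "enterprise", "printer": "enterprise",
    "hmi": "industrial", "data_server": "industrial", "workstation": "industrial",
    "plc1": "industrial", "plc2": "industrial", "plc3": "industrial",
}
TARGETS = ("plc1", "plc2", "plc3")

# ASSUMED firewall policy (not given in the text): permitted cross-zone flows.
FIREWALL_ALLOW = {
    ("attacker", "web_server"),     # firewall 1: Internet -> web server
    ("admin_host", "data_server"),  # firewall 2: enterprise -> industrial ethernet
}

# ASSUMED set of assets carrying an unpatched weakness (constructed).
WEAK = frozenset({"web_server", "admin_host", "data_server", "hmi",
                  "plc1", "plc2", "plc3"})


def can_reach(src, dst):
    """Network reachability: same zone, or a flow the firewalls permit."""
    if src == dst:
        return False
    return ZONE[src] == ZONE[dst] or (src, dst) in FIREWALL_ALLOW


def attack_graph(weak=WEAK, removed=frozenset()):
    """Edge u -> v exists when u can reach v and v has a weakness to abuse."""
    nodes = [n for n in ZONE if n not in removed]
    return {u: [v for v in nodes if can_reach(u, v) and v in weak] for u in nodes}


def shortest_path(graph, src, dst):
    """Breadth-first search; returns the node list or None if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def choke_points(src="attacker", targets=TARGETS):
    """Assets whose removal (isolation or full hardening) cuts every target off."""
    result = []
    for host in ZONE:
        if host == src or host in targets:
            continue
        graph = attack_graph(removed={host})
        if all(shortest_path(graph, src, t) is None for t in targets):
            result.append(host)
    return result


if __name__ == "__main__":
    print(shortest_path(attack_graph(), "attacker", "plc1"))
    print(choke_points())
```

Under these assumed rules the three choke points are the web server, the admin host and the data server; changing `FIREWALL_ALLOW` or `WEAK` shows how a policy or patch change alters the result.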
Based on the above analysis and related research, this paper sorts out a general
experimental network architecture (as shown in Figure 5) to demonstrate the effect of
potential security investigation approaches. This general network mainly contains four
parts, including DMZ, a subnet connected to the Internet via a router, a subnet connected
to DMZ, and an industrial control network connected to DMZ. Each subnet is isolated by a
firewall, and the attackers usually start their offensive action from the Internet. A researcher
could utilize it to adapt to a complex network by modifying or adding some devices,
extending the subnets, or changing the connection mechanism. The network topology
expresses the network environment. In addition, it should also include the software and
hardware installed on each node, security protection measures, and existing vulnerabilities.
[Figure: network diagram, labels recovered from the original: Internet; Attacker; Firewall 1; Router; Web Server; Email Server; Firewall 2; Firewall 3; Firewall 4.]
Adequate annotated cybersecurity datasets are indispensable for training or validating
the IE models, even for the pre-training language model or the prompt-based
language models. However, existing datasets could not support this task well because of
several drawbacks: first, most of them are designed for only one information extraction
task (i.e., entity extraction) and rarely for two IE tasks; secondly, because of different self-designed
ontologies and different research targets, the entity and relationship types
vary; thirdly, the existing datasets are in a single language (i.e., English), which cannot
satisfy multilingual requirements; finally, annotating the corpus manually remains
the primary way of offering initial data for the model in the vertical domain.
Further research should be undertaken to investigate the new multilanguage cybersecurity
IE dataset building based on comprehensive and reliable data sources. This potential
dataset should be annotated in a standard format and with a statement document. In the
aspect of the annotated method, to lessen the reliance on the annotated vertical corpus, semi-supervised
or unsupervised extraction approaches, as well as prompt-based generating
methods, can be investigated.
(2) The construction of a dynamic cybersecurity knowledge graph
There are well-developed frameworks for knowledge graph building. To establish
large-scale knowledge bases, both top-down [136] and bottom-up [137] building approaches
can be utilized. In the field of cybersecurity, the former one is more popular (i.e., it designs
a cybersecurity ontology schema first, then extracts the knowledge required by the schema
from the corpus), which relies heavily on expert knowledge. The automatic ontology construction
technology (also known as ontology learning) should still be considered necessary
for the timely collection of emerging knowledge during the process of ontology update.
Conventional knowledge graphs mainly focus on the entities, their relations, attributes,
etc., which are relatively deterministic and static knowledge. With the development
of KG research and the demand for field applications, event knowledge and dynamic
knowledge, such as temporal information, conditional relationships, causal information,
and event subordination relationships, will inevitably be included. Considerably more
work will need to be done to represent the cybersecurity event knowledge and support
relevant logical reasoning by building a cybersecurity event temporal knowledge graph.
(3) The application scenarios of the cybersecurity knowledge graph
Although the construction technologies of CSKG are stable, there is still no unified
open-source KG that is accepted by everyone. KGs, for all their usefulness and utility, are
frequently incomplete, redundant, and ambiguous, which can lead to uninformative query results.
As a result of the different application demands of various scenarios, researchers have
to rebuild a new knowledge graph every time. This survey has made a comprehensive
review of the application scenarios of CSKG, but at present, the CSKG functionality described
above mainly remains at the level of the query and display functions provided by Neo4j. This does
not fully exploit the KG’s potential to automate reasoning. Therefore, it is still not clear
how to use it to solve some practical problems in the cybersecurity domain. KG completion
is just one of the many applications of knowledge reasoning technology. To achieve a new
6. Conclusions
In this review, we have provided a critical overview of the various works on the
cybersecurity knowledge graph’s application scenarios. To begin, this article provides a
quick explanation of CSKG’s origins, ideas, and building methods. Then, several open-
source datasets that are available for building cybersecurity knowledge graphs and the
information extraction task, and their drawbacks, are illustrated. In the fourth chapter of
this paper, we carried out a comparative study of the many publications that expound on
the most recent advances in the application scenarios of CSKG. A novel comprehensive
classification framework was developed for describing the related works from 9 main
aspects and 18 subclasses. Finally, new study options have been proposed based on a
consideration of the inadequacies of the present research.
Cybersecurity teams could utilize CSKG to understand threat intelligence, network
posture, relationships, and attributes of security entities more intuitively. CSKG could
serve as a foundation for understanding the knowledge of cybersecurity, analyzing data
of cybersecurity, and discovering the patterns of cyberattacks and abnormal features. It
is hoped that this research will contribute to a deeper understanding of how to apply
cybersecurity knowledge graphs in industrial practice.
Author Contributions: Conceptualization, Z.D. and Y.Z.; methodology, K.L. and F.W.; software, K.L.;
validation, S.L. and Z.Y.; investigation, K.L. and F.W.; resources, K.L.; data curation, K.L.; writing—original
draft preparation, K.L.; writing—review and editing, S.L. and Z.Y.; visualization, K.L. and
F.W.; supervision, Z.D. and Y.Z.; project administration, Z.D.; funding acquisition, Y.Z. All authors
have read and agreed to the published version of the manuscript.
Funding: This research was partially funded by The Science and Technology Innovation Program of
Hunan Province, grant number 2021RC3076 and Training Program for Excellent Young Innovators of
Changsha, grant number KQ2009009.
Conflicts of Interest: The authors declare no conflict of interest.
References
1. Osborne, C. Colonial Pipeline Paid Close to $5 Million in Ransomware Blackmail Payment. 2021. Available online: https://www.calvin.edu/library/knightcite/index.php (accessed on 3 April 2022).
2. Auer, M. Lack of Experts in Cyber Security. 2020. Available online: https://www.threatq.com/lack-of-experts-in-cyber-security/ (accessed on 3 April 2022).
3. Kumar, K.; Pande, B.P. Applications of machine learning techniques in the realm of cybersecurity. Cyber Secur. Digit. Forensics 2022, 295–315.
4. Liebetrau, T. Cyber conflict short of war: A European strategic vacuum. Eur. Secur. 2022, 1–20.
5. Cole, E. Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization; Newnes: Newton, MA, USA, 2012.
6. Sriavstava, R.; Singh, P.; Chhabra, H. Review on cyber security intrusion detection: Using methods of machine learning and data mining. In Internet of Things and Big Data Applications; Springer: New York, NY, USA, 2020; pp. 121–132.
7. Pang, G.; Shen, C.; Cao, L.; Hengel, A.V.D. Deep learning for anomaly detection: A review. ACM Comput. Surv. (CSUR) 2021, 54, 1–38.
8. Perdisci, R.; Ariu, D.; Fogla, P.; Giacinto, G.; Lee, W. McPAD: A multiple classifier system for accurate payload-based anomaly detection. Comput. Netw. 2009, 53, 864–881.
9. Llorens, A. 5 Best Practices to Get More from Threat Intelligence. 2021. Available online: https://www.threatq.com/5-best-practices-more-threat-intelligence/ (accessed on 3 April 2022).
10. Xue, R.; Tang, P.; Fang, S. Prediction of computer network security situation based on association rules mining. Wirel. Commun. Mob. Comput. 2022, 2022, 2794889.
11. Zeng, Z.; Peng, W.; Zeng, D.; Zeng, C.; Chen, Y. Intrusion detection framework based on causal reasoning for DDoS. J. Inf. Secur. Appl. 2022, 65, 103–124.
12. Sikos, L.F.; Philp, D.; Howard, C.; Voigt, S.; Stumptner, M.; Mayer, W. Knowledge representation of network semantics for reasoning-powered cyber-situational awareness. In AI in Cybersecurity; Springer: New York, NY, USA, 2019; pp. 19–45.
13. Rastogi, N.; Dutta, S.; Zaki, M.J.; Gittens, A.; Aggarwal, C. Malont: An ontology for malware threat intelligence. In Proceedings of the International Workshop on Deployable Machine Learning for Security Defense, San Diego, CA, USA, 24 August 2020; Springer: New York, NY, USA, 2020; pp. 28–44.
14. Zhao, J.; Yan, Q.; Li, J.; Shao, M.; He, Z.; Li, B. TIMiner: Automatically extracting and analyzing categorized cyber threat intelligence from social data. Comput. Secur. 2020, 95, 101867.
15. Husari, G.; Al-Shaer, E.; Ahmed, M.; Chu, B.; Niu, X. Ttpdrill: Automatic and accurate extraction of threat actions from unstructured text of cti sources. In Proceedings of the 33rd Annual Computer Security Applications Conference, Orlando, FL, USA, 4–8 December 2017; pp. 103–115.
16. Bouarroudj, W.; Boufaida, Z.; Bellatreche, L. Named entity disambiguation in short texts over knowledge graphs. Knowl. Inf. Syst. 2022, 64, 325–351.
17. Ji, S.; Pan, S.; Cambria, E.; Marttinen, P.; Philip, S.Y. A survey on knowledge graphs: Representation, acquisition, and applications. IEEE Trans. Neural Netw. Learn. Syst. 2021, 33, 494–514.
18. Zhang, K.; Liu, J. Review on the application of knowledge graph in cyber security assessment. In IOP Conference Series: Materials Science and Engineering; IOP Publishing: Bristol, UK, 2020; Volume 768, pp. 52–103.
19. Noel, S. A review of graph approaches to network security analytics. In From Database to Cyber Security; Springer: Cham, Switzerland 2018; pp. 300–323.
20. Sani, M. Knowledge Graph on Cybersecurity: A Survey. 2020. Available online: https://upvdoc.univ-perp.fr/fr/congres-des-doctorants/article-maman-sani-aboubacar (accessed on 3 April 2022).
21. Yan, Z.; Liu, J. A review on application of knowledge graph in cybersecurity. In Proceedings of the 2020 IEEE International Signal Processing, Communications and Engineering Management Conference (ISPCEM), Montreal, QC, Canada, 27–29 November 2020; pp. 240–243.
22. Dong, C.; Jiang, B.; Lu, Z.; Liu, B.; Li, N.; Ma, P. Knowledge graph for cyberspace security intelligence: A survey. J. Cyber. Secur. 2020, 5, 56–76.
23. Ding, Z.; Liu, K.; Liu, B.; Zhu, X. Survey of cyber security knowledge graph. J. Huazhong Univ. Sci. Tech. (Nat. Sci. Ed.) 2021, 49, 79–91.
24. Lassila, O.; Swick, R.R. Resource Description Framework (RDF) Model and Syntax Specification. 1999. Available online: http://w3.org/TR/1999/REC-rdf-syntax-19990222 (accessed on 3 April 2022).
25. Smith, K.M. OWL Web Ontology Language Guide. 2004. Available online: http://w3.org/TR/owl-guide (accessed on 3 April 2022).
26. Singhal, A. Introducing the Knowledge Graph: Things, Not Strings. 2012. Available online: https://blog.google/products/search/introducing-knowledge-graph-things-not/ (accessed on 3 April 2022).
27. Hogan, A.; Blomqvist, E.; Cochez, M.; d’Amato, C.; Melo, G.d.; Gutierrez, C.; Kirrane, S.; Gayo, J.E.L.; Navigli, R.; Neumaier, S.; et al. Knowledge graphs. Synth. Lect. Data Semant. Knowl. 2021, 12, 1–257.
28. Yang, Y.; Xu, B.; Hu, J.; Tong, M.; Zhang, P.; Zheng, L. Accurate and efficient method for constructing domain knowledge graph. J. Softw. 2018, 29, 2931–2947.
29. Du, X.; Li, M.; Wang, S. A survey on ontology learning research. J. Softw. 2006, 17.
30. Iannacone, M.; Bohn, S.; Nakamura, G.; Gerth, J.; Huffer, K.; Bridges, R.; Ferragut, E.; Goodall, J. Developing an ontology for cyber security knowledge graphs. In Proceedings of the 10th Annual Cyber and Information Security Research Conference, Oak Ridge, TN, USA, 7–9 April 2015; pp. 1–4.
31. Syed, Z.; Padia, A.; Finin, T.; Mathews, L.; Joshi, A. UCO: A unified cybersecurity ontology. In Proceedings of the Workshops at the Thirtieth AAAI Conference on Artificial Intelligence, Phoenix, AZ, USA, 12–13 February 2016.
32. Undercofer, J.; Joshi, A.; Finin, T.; Pinkston, J. A target-centric ontology for intrusion detection. In Workshop on Ontologies in
Distributed Systems, Proceedings of the 18th International Joint Conference on Artificial Intelligence, Acapulco, Mexico, 9–15 August 2003;
Morgan Kaufmann Pub: Burlington, MA, USA, 2003.
33. Ding, Y.; Wu, R.; Zhang, X. Ontology-based knowledge representation for malware individuals and families. Comput. Secur. 2019,
87, 101574. [CrossRef]
34. Grégio, A.; Bonacin, R.; Nabuco, O.; Afonso, V.M.; De Geus, P.L.; Jino, M. Ontology for malware behavior: A core model proposal.
In Proceedings of the 2014 IEEE 23rd International WETICE Conference, Parma, Italy, 23–25 June 2014; pp. 453–458.
35. Gao, J.; Wang, A. Research on ontology-based network threat intelligence analysis technology. Comput. Eng. Appl. 2020,
56, 112–117.
36. Simmonds, A.; Sandilands, P.; Ekert, L.V. An ontology for network security attacks. In Proceedings of the Asian Applied
Computing Conference, Kathmandu, Nepal, 29–31 October 2004; Springer: New York, NY, USA, 2004; pp. 317–323.
37. Shuo, W.; Jianhua, W.; Guangming, T.; Qingqi, P.; Yuchen, Z.; Xiaohu, L. Intelligent and efficient method for optimal penetration
path generation. J. Comput. Res. Dev. 2019, 56, 929.
38. Wang, J.A.; Wang, H.; Guo, M.; Zhou, L.; Camargo, J. Ranking attacks based on vulnerability analysis. In Proceedings of the 2010
43rd Hawaii International Conference on System Sciences, Honolulu, HI, USA, 5–8 January 2010; pp. 1–10.
39. Gao, J. Research on Ontology Model and Its Application in Information Security Evaluation. Ph.D. Thesis, Shanghai Jiao Tong
University, Shanghai, China, 2015.
40. Qin, S.; Chow, K. Automatic analysis and reasoning based on vulnerability knowledge graph. In Cyberspace Data and Intelligence,
and Cyber-Living, Syndrome, and Health; Springer: New York, NY, USA, 2019; pp. 3–19.
41. Hooi, E.K.J.; Zainal, A.; Maarof, M.A.; Kassim, M.N. TAGraph: Knowledge graph of threat actor. In Proceedings of the 2019 IEEE
International Conference on Cybersecurity (ICoCSec), Negeri Sembilan, Malaysia, 25–26 September 2019; pp. 76–80.
42. Sanagavarapu, L.M.; Iyer, V.; Reddy, Y.R. A deep learning approach for ontology enrichment from unstructured text. In
Cybersecurity and High-Performance Computing Environments: Integrated Innovations, Practices, and Applications; CRC Press: Abingdon,
Oxon, UK, 2022; p. 261.
43. Li, J.; Sun, A.; Han, J.; Li, C. A survey on deep learning for named entity recognition. IEEE Trans. Knowl. Data Eng. 2020, 34, 50–70.
[CrossRef]
44. Liao, X.; Yuan, K.; Wang, X.; Li, Z.; Xing, L.; Beyah, R. Acing the ioc game: Toward automatic discovery and analysis of
open-source cyber threat intelligence. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications
Security, Vienna, Austria, 24–28 October 2016; pp. 755–766.
45. Jones, C.L.; Bridges, R.A.; Huffer, K.M.; Goodall, J.R. Towards a relation extraction framework for cyber-security concepts. In
Proceedings of the 10th Annual Cyber and Information Security Research Conference, Oak Ridge, TN, USA, 7–9 April 2015; pp. 1–4.
46. Meng, L.; Yanling, L.; Min, L. Review of transfer learning for named entity recognition. J. Front. Comput. Sci. Technol. 2021,
15, 206.
47. Georgescu, T.M. Natural language processing model for automatic analysis of cybersecurity-related documents. Symmetry 2020,
12, 354. [CrossRef]
48. Wang, X.; Zhang, Y.; Ren, X.; Zhang, Y.; Zitnik, M.; Shang, J.; Langlotz, C.; Han, J. Cross-type biomedical named entity recognition
with deep multi-task learning. Bioinformatics 2019, 35, 1745–1752. [CrossRef]
49. Huang, L.; Ji, H.; May, J. Cross-lingual multi-level adversarial transfer to enhance low-resource name tagging. In Proceedings
of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language
Technologies, Minneapolis, MN, USA, 2–7 June 2019; Volume 1 (Long and Short Papers), pp. 3823–3833.
50. Yang, Y.; Chen, W.; Li, Z.; He, Z.; Zhang, M. Distantly supervised NER with partial annotation learning and reinforcement
learning. In Proceedings of the 27th International Conference on Computational Linguistics, Santa Fe, NM, USA, 20–26 August
2018; pp. 2159–2169.
51. Li, J.; Ye, D.; Shang, S. Adversarial transfer for named entity boundary detection with pointer networks. In Proceedings of the
International Joint Conference on Artificial Intelligence (IJCAI), Macao, China, 10–16 August 2019; pp. 5053–5059.
52. Zhang, Q.; Fu, J.; Liu, X.; Huang, X. Adaptive co-attention network for named entity recognition in tweets. In Proceedings of the
Thirty-Second AAAI Conference on Artificial Intelligence, New Orleans, LA, USA, 2–7 February 2018.
53. Zeng, D.; Liu, K.; Lai, S.; Zhou, G.; Zhao, J. Relation classification via convolutional deep neural network. In Proceedings of the
COLING 2014, the 25th International Conference on Computational Linguistics: Technical Papers, Dublin, Ireland, 23–29 August
2014; pp. 2335–2344.
54. Zhang, D.; Wang, D. Relation classification via recurrent neural network. arXiv 2015, arXiv:1508.01006.
55. Peng, Z.; Wei, S.; Tian, J.; Qi, Z.; Bo, X. Attention-based bidirectional long short-term memory networks for relation classification.
In Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics (Volume 2: Short Papers), Berlin,
Germany, 7–12 August 2016; pp. 207–212.
56. Vashishth, S.; Joshi, R.; Prayaga, S.S.; Bhattacharyya, C.; Talukdar, P. RESIDE: Improving distantly-supervised neural relation
extraction using side information. arXiv 2018, arXiv:1812.04361.
57. Zeng, D.; Kang, L.; Chen, Y.; Zhao, J. Distant supervision for relation extraction via piecewise convolutional neural networks. In
Proceedings of the Conference on Empirical Methods in Natural Language Processing, Lisbon, Portugal, 17–21 September 2015;
pp. 1753–1762.
58. Lin, Y.; Shen, S.; Liu, Z.; Luan, H.; Sun, M. Neural relation extraction with selective attention over instances. In Proceedings of the
54th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), Berlin, Germany, 7–12 August
2016; pp. 2124–2133.
59. Fu, T.J.; Ma, W.Y. GraphRel: Modeling text as relational graphs for joint entity and relation extraction. In Proceedings of
the ACL 2019—57th Annual Meeting of the Association for Computational Linguistics, Florence, Italy, 28 July–2 August 2019;
pp. 1409–1418.
60. Guo, Y.; Liu, Z.; Huang, C.; Liu, J.; Jing, W.; Wang, Z.; Wang, Y. CyberRel: Joint entity and relation extraction for cybersecurity
concepts. In Proceedings of the International Conference on Information and Communications Security, Chongqing, China, 19–21 November 2021;
pp. 447–463.
61. Li, T.; Guo, Y.; Ju, A. Knowledge triple extraction in cybersecurity with adversarial active learning. J. Commun. 2020, 41, 80–91.
62. Walker, C.; Strassel, S.; Medero, J.; Maeda, K. ACE 2005 multilingual training corpus. Prog. Theor. Phys. Suppl. 2006, 110, 261–276.
63. Mitamura, T.; Liu, Z.; Hovy, E. Overview of TAC-KBP 2015 event nugget track. In Proceedings of the Text Analysis Conference,
Gaithersburg, MD, USA, 16–17 November 2015.
64. Sevgili, O.; Shelmanov, A.; Arkhipov, M.; Panchenko, A.; Biemann, C. Neural entity linking: A survey of models based on deep
learning. arXiv 2020, arXiv:2006.00575.
65. Chen, X.; Jia, S.; Xiang, Y. A review: Knowledge reasoning over knowledge graph. Expert Syst. Appl. 2020, 141, 112948. [CrossRef]
66. Li, X.; Lian, Y.; Zhang, H.; Huang, K. Key technologies of cyber security knowledge graph. Front. Data Computing 2021, 3, 9–18.
67. MITRE. 2022. Available online: https://www.mitre.org/ (accessed on 3 April 2022).
68. NVD National Vulnerability Database. 2022. Available online: https://nvd.nist.gov/ (accessed on 3 April 2022).
69. MITRE. Common Attack Pattern Enumeration and Classification. 2022. Available online: https://capec.mitre.org/ (accessed on
3 April 2022).
70. Nan, S. CWE Knowledge Graph Based Twitter Data Analysis for Cybersecurity. 2019. Available online:
https://github.com/nansunsun/CWE-Knowledge-Graph-Based-Twitter-Data-Analysis-for-Cybersecurity (accessed on 4 April 2022).
71. Cheng, X. Visualization Web Page of Vulnerability Knowledge Graph. 2021. Available online:
https://cinnqi.github.io/Neo4j-D3-VKG/ (accessed on 4 April 2022).
72. Sarhan, I.; Spruit, M. Open-CyKG. 2021. Available online: https://github.com/IS5882/Open-CyKG (accessed on 4 April 2022).
73. Rastogi, N.; Dutta, S.; Christian, R.; Gridley, J.; Zaki, M.; Gittens, A.; Aggarwal, C. Predicting malware threat intelligence using
KGs. arXiv 2021, arXiv:2102.05571.
74. SEPSES. The SEPSES Cyber-KB. 2019. Available online: https://sepses.ifs.tuwien.ac.at/dumps/version/102019/ (accessed on 3
April 2022).
75. Kiesling, E.; Ekelhart, A.; Kurniawan, K.; Ekaputra, F. The SEPSES knowledge graph: An integrated resource for cybersecurity. In
Proceedings of the International Semantic Web Conference, Auckland, New Zealand, 26–30 October 2019; Springer: New York,
NY, USA, 2019; pp. 198–214.
76. Di, W. CyberSecurity Knowledge Graph. 2020. Available online:
https://github.com/HoloLen/CyberSecurity_Knowledge_graph (accessed on 3 April 2022).
77. Qi, Y. Knowledge Graph for Vulnerabilities of Industrial Control Systems (ICSKG). 2020. Available online:
https://github.com/QYue/Athena-ICSKG-master (accessed on 4 April 2022).
78. Sarhan, I.; Spruit, M. Open-cykg: An open cyber threat intelligence knowledge graph. Knowl. Based Syst. 2021, 233, 107524.
[CrossRef]
79. Rastogi, N.; Dutta, S.; Zaki, M.; Gittens, A.; Aggarwal, C. Open-CyKG. 2021. Available online:
https://github.com/liujie40/MalKG-1 (accessed on 4 April 2022).
80. Lal, R. Information Extraction of Security Related Entities and Concepts from Unstructured Text. 2013. Available online:
https://ebiquity.umbc.edu/paper/html/id/626/Information-Extraction-of-Security-related-entities-and-concepts-from-unstructured-text- (accessed on 4 April 2022).
81. Bridges, R.A.; Jones, C.L.; Iannacone, M.D.; Testa, K.M.; Goodall, J.R. Automatic labeling for entity extraction in cyber security.
arXiv 2013, arXiv:1308.4941.
82. Lim, S.K.; Muis, A.O.; Lu, W.; Ong, C.H. Malwaretextdb: A database for annotated malware articles. In Proceedings of the 55th
Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), Vancouver, BC, Canada, 30 July–4
August 2017; pp. 1557–1567.
83. Kim, G.; Lee, C.; Jo, J.; Lim, H. Automatic extraction of named entities of cyber threats using a deep Bi-LSTM-CRF network. Int. J.
Mach. Learn. Cybern. 2020, 11, 2341–2355. [CrossRef]
84. Runzi, Z.; Wenmao, L. An intelligent security operation technology system framework AISecOps. Front. Data Computing 2021,
3, 32–47.
85. Zenglin, X.; Yongpan, S.; Lirong, H.; Yafang, W. Review on knowledge graph techniques. J. Univ. Electron. Sci. Technol. China
2016, 45, 589–606.
86. Noel, S.; Harley, E.; Tam, K.H.; Limiero, M.; Share, M. CyGraph: Graph-based analytics and visualization for cybersecurity. In
Handbook of Statistics; Elsevier: Amsterdam, The Netherlands, 2016; Volume 35, pp. 117–167.
87. Chen, X. Design and Implementation of Network Attack Situation Detection System Based on Knowledge Graph. Master’s
Thesis, Beijing University of Posts and Telecommunications, Beijing, China, 2020.
88. Wang, Y. Research and Implementation of NSSA Technology Based on Knowledge Graph. Master’s Thesis, University of
Electronic Science and Technology of China, Chengdu, China, 2020.
89. Wang, B.; Wu, L.; Hu, X.; He, Y. Satellite cyber situational understanding based on knowledge reasoning. Syst. Eng. Electron.
2022, 44, 1562–1571.
90. Wu, S.; Zhang, Y.; Cao, W. Network security assessment using a semantic reasoning and graph based approach. Comput. Electr.
Eng. 2017, 64, 96–109. [CrossRef]
91. Philpot, M. Cyber Intelligence Ontology. 2015. Available online: https://github.com/daedafusion/cyber-ontology (accessed on
4 April 2022).
92. SPARQL. Virtuoso SPARQL Query Editor. 2022. Available online: https://w3id.org/sepses/sparql (accessed on 4 April 2022).
93. Pang, T.; Song, Y.; Shen, Q. Research on security threat assessment for power iot terminal based on knowledge graph. In
Proceedings of the 2021 IEEE 5th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC),
Xi’an, China, 15–17 October 2021; Volume 5, pp. 1717–1721.
94. FireEye. Common Vulnerability Scoring System. 2018. Available online:
https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf (accessed on 4 April 2022).
95. Narayanan, S.N.; Ganesan, A.; Joshi, K.; Oates, T.; Joshi, A.; Finin, T. Early detection of cybersecurity threats using collaborative
cognition. In Proceedings of the 2018 IEEE 4th International Conference on Collaboration and Internet Computing (CIC),
Philadelphia, PA, USA, 18–20 October 2018; pp. 354–363.
96. Sun, C.; Hu, H.; Yang, Y.; Zhang, H. Prediction method of 0 day attack path based on cyber defense knowledge graph. Chin. J.
Netw. Inf. Secur. 2022, 8, 151–166.
97. Gao, P.; Shao, F.; Liu, X.; Xiao, X.; Qin, Z.; Xu, F.; Mittal, P.; Kulkarni, S.R.; Song, D. Enabling efficient cyber threat hunting with
cyber threat intelligence. In Proceedings of the 2021 IEEE 37th International Conference on Data Engineering (ICDE), Chania,
Greece, 19–22 April 2021; pp. 193–204.
98. Chen, J. DDoS attack detection based on knowledge graph. J. Inf. Secur. Res. 2020, 6, 91–96.
99. Feiyang, L.; Kun, L.; Fei, S.; Chunhua, Z. Distributed DDoS attacks malicious behavior knowledge base construction. Telecommun.
Sci. 2021, 37, 17–32.
100. Garrido, J.S.; Dold, D.; Frank, J. Machine learning on knowledge graphs for context-aware security monitoring. In Proceedings of
the 2021 IEEE International Conference on Cyber Security and Resilience (CSR), Rhodes, Greece, 26–28 July 2021; pp. 55–60.
101. SENKI. Open Source Threat Intelligence Feeds. 2020. Available online:
https://www.senki.org/operators-security-toolkit/open-source-threat-intelligence-feeds/ (accessed on 4 April 2022).
102. Jian, S.; Lu, Z.; Du, D.; Jiang, B.; Li, B. Overview of network intrusion detection technology. J. Inf. Secur. 2020, 5, 96–122.
103. Kovalenko, O.; Wimmer, M.; Sabou, M.; Lüder, A.; Ekaputra, F.J.; Biffl, S. Modeling automationml: Semantic web technologies vs.
model-driven engineering. In Proceedings of the 2015 IEEE 20th Conference on Emerging Technologies & Factory Automation
(ETFA), Luxembourg, 8–11 September 2015; pp. 1–4.
104. Noel, S.; Harley, E.; Tam, K.H.; Gyor, G. Big-Data Architecture for Cyber Attack Graphs Representing Security Relationships
in Nosql Graph Databases. 2015. Available online: https://csis.gmu.edu/noel/pubs/2015_IEEE_HST.pdf (accessed on
4 April 2022).
105. Ye, Z.; Guo, Y.; Li, T.; Ju, A.K. Extended attack graph generation method based on knowledge graph. Comput. Sci. 2019,
46, 165–173.
106. Chen, Z.; Dong, N.; Zhong, S.; Hou, B.; Chang, J. Research on the power network security vulnerability expansion attack graph
based on knowledge map. Inf. Technol. 2022, 46, 30–35.
107. Zhu, Z.; Jiang, R.; Jia, Y.; Xu, J.; Li, A. Cyber security knowledge graph based cyber attack attribution framework for space-ground
integration information network. In Proceedings of the 2018 IEEE 18th International Conference on Communication Technology
(ICCT), Chongqing, China, 8–11 October 2018; pp. 870–874.
108. Xue, J. Attack Attribution: Provenance Graph Construction Technology Based on Causation. 2020. Available online:
http://blog.nsfocus.net/attack-investigation-0907/ (accessed on 4 April 2022).
109. Han, Z.; Li, X.; Liu, H.; Xing, Z.; Feng, Z. Deepweak: Reasoning common software weaknesses via knowledge graph embedding.
In Proceedings of the 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER),
Campobasso, Italy, 20–23 March 2018; pp. 456–466.
110. Datta, P.; Lodinger, N.; Namin, A.S.; Jones, K.S. Cyber-attack consequence prediction. arXiv 2020, arXiv:2012.00648.
111. Vukotic, A.; Watt, N.; Abedrabbo, T.; Fox, D.; Partner, J. Neo4j in Action; Manning Publications Co.: Shelter Island, NY, USA, 2015;
Volume 22.
112. Ruohonen, J. A look at the time delays in cvss vulnerability scoring. Appl. Comput. Inform. 2017, 15, 129–135. [CrossRef]
113. MITRE. Common Weakness Enumeration. 2022. Available online: https://cwe.mitre.org/ (accessed on 4 April 2022).
114. Qi, Y.; Jiang, R.; Jia, Y.; Li, A. Attack analysis framework for cyber-attack and defense test platform. Electronics 2020, 9, 1413.
[CrossRef]
115. Alsaheel, A.; Nan, Y.; Ma, S.; Yu, L.; Walkup, G.; Celik, Z.B.; Zhang, X.; Xu, D. ATLAS: A sequence-based learning approach for
attack investigation. In Proceedings of the 30th USENIX Security Symposium (USENIX Security 21), Vancouver, BC, Canada,
11–13 August 2021; pp. 3005–3022.
116. Wang, W.; Zhou, H.; Li, K.; Tu, Z.; Liu, F. Cyber-attack behavior knowledge graph based on CAPEC and CWE towards 6G. In
Proceedings of the International Symposium on Mobile Internet Security, Jeju Island, Korea, 7–9 October 2021; Springer: New
York, NY, USA, 2021; pp. 352–364.
117. NSFOCUS. Security Knowledge Graph Technology White Paper. 2022. Available online:
https://www.nsfocus.com.cn/html/2022/92_0105/166.html (accessed on 4 April 2022).
118. Xue, J. Attack Reasoning: Dilemma of Application of Security Knowledge Graph. 2020. Available online:
http://blog.nsfocus.net/stucco-cyber/ (accessed on 4 April 2022).
119. Wang, W.; Jiang, R.; Jia, Y.; Li, A.; Chen, Y. KGBIAC: Knowledge graph based intelligent alert correlation framework. In
Proceedings of the International Symposium on Cyberspace Safety and Security, Xi’an, China, 23–25 October 2017; Springer: New
York, NY, USA, 2017; pp. 523–530.
120. Wang, W. Research for Algorithm of Distributed Security Event Correlation Based on Knowledge Graph. Master’s Thesis,
National University of Defense Technology, Changsha, China, 2018.
121. Qi, Y.; Jiang, R.; Jia, Y.; Li, R.; Li, A. Association analysis algorithm based on knowledge graph for space-ground integrated
network. In Proceedings of the 2018 IEEE 18th International Conference on Communication Technology (ICCT), Chongqing,
China, 8–11 October 2018; pp. 222–226.
122. Ekelhart, A.; Ekaputra, F.J.; Kiesling, E. Automated Knowledge Graph Construction from Raw Log Data. 2020. Available online:
http://ceur-ws.org/Vol-2721/paper552.pdf (accessed on 4 April 2022).
123. Ou, Y.; Zhou, T.; Zhu, J. Recommendation of cyber attack method based on knowledge graph. In Proceedings of the 2020 IEEE
International Conference on Computer Engineering and Intelligent Control (ICCEIC), Chongqing, China, 6–8 November 2020;
pp. 60–65.
124. Chen, X.; Shen, W.; Yang, G. Automatic generation of attack strategy for multiple vulnerabilities based on domain knowledge
graph. In Proceedings of the IECON 2021–47th IEEE Annual Conference of the IEEE Industrial Electronics Society, Toronto, ON,
Canada, 13–16 October 2021; pp. 1–6.
125. Vassilev, V.; Sowinski-Mydlarz, V.; Gasiorowski, P.; Ouazzane, K.; Phipps, A. Intelligence graphs for threat intelligence and
security policy validation of cyber systems. In Proceedings of the International Conference on Artificial Intelligence and
Applications, Suzhou, China, 15–17 October 2021; Springer: New York, NY, USA, 2021; pp. 125–139.
126. Syed, R. Cybersecurity vulnerability management: A conceptual ontology and cyber intelligence alert system. Inf. Manag. 2020,
57, 103334. [CrossRef]
127. Tao, Y.; Jia, X.; Wu, Y. A research method of industrial Internet security vulnerabilities based on knowledge map. J. Inf. Technol.
Netw. Secur. 2020, 39, 6–13.
128. Wang, L. Research on Software Security Vulnerability Mining Technology Based on Knowledge Graph. Master’s Thesis, Xi’an
Technological University, Xi’an, China, 2021.
129. Wang, L. Research on Construction of Vulnerability Knowledge Graph and Vulnerability Situation Awareness. Master’s Thesis,
University of Chinese Academy of Sciences, Beijing, China, 2020.
130. Najafi, P.; Mühle, A.; Pünter, W.; Cheng, F.; Meinel, C. MalRank: A measure of maliciousness in SIEM-based knowledge
graphs. In Proceedings of the 35th Annual Computer Security Applications Conference, San Juan, PR, USA, 9–13 December 2019;
pp. 417–429.
131. Dutta, S.; Rastogi, N.; Yee, D.; Gu, C.; Ma, Q. Malware knowledge graph generation. arXiv 2021, arXiv:2102.05583.
132. Wang, Z.; Sun, L.; Zhu, H. Defining social engineering in cybersecurity. IEEE Access 2020, 8, 85094–85115. [CrossRef]
133. Wang, Z.; Zhu, H.; Liu, P.; Sun, L. Social engineering in cybersecurity: A domain ontology and knowledge graph application
examples. Cybersecurity 2021, 4, 1–21. [CrossRef]
134. Mitra, S.; Piplai, A.; Mittal, S.; Joshi, A. Combating fake cyber threat intelligence using provenance in cybersecurity knowledge
graphs. In Proceedings of the 2021 IEEE International Conference on Big Data (Big Data), Orlando, FL, USA, 15–18 December
2021; pp. 3316–3323.
135. Xiao, H.; Xing, Z.; Li, X.; Guo, H. Embedding and predicting software security entity relationships: A knowledge graph based
approach. In Proceedings of the International Conference on Neural Information Processing, Sydney, Australia, 12–15 December
2019; Springer: New York, NY, USA, 2019; pp. 50–63.
136. Shang, H.; Jiang, R.; Li, A.; Wang, W. A framework to construct knowledge base for cyber security. In Proceedings of the 2017
IEEE Second International Conference on Data Science in Cyberspace (DSC), Shenzhen, China, 26–29 June 2017; pp. 242–248.
137. Liu, Q.; Li, Y.; Duan, H.; Liu, Y.; Qin, Z. Knowledge graph construction techniques. J. Comput. Res. Dev. 2016, 53, 582.