Article

Recommendations for Responding to System Security Incidents Using Knowledge Graph Embedding

1 Institute of AI Convergence, Chosun University, Gwangju 61452, Republic of Korea
2 Division of Undeclared Majors, Chosun University, Gwangju 61452, Republic of Korea
* Author to whom correspondence should be addressed.
Electronics 2024, 13(1), 171; https://doi.org/10.3390/electronics13010171
Submission received: 10 November 2023 / Revised: 25 December 2023 / Accepted: 28 December 2023 / Published: 30 December 2023
(This article belongs to the Special Issue Application of Data Mining in Social Media)

Abstract

Recently, security attacks occurring in edge computing environments have emerged as an important research topic in the field of cybersecurity. Edge computing is a distributed computing technology that expands the existing cloud computing architecture to introduce a new layer, the edge layer, between the cloud layer and the user terminal layer. Edge computing has the advantage of greatly improving the data processing speed and efficiency but, at the same time, is complex, and various new attacks occur frequently. Therefore, for improving the security of edge computing, effective and intelligent security strategies and policies must be established in consideration of a wide range of vulnerabilities. Intelligent security systems, which have recently been studied, provide a way to detect and respond to security threats by integrating the latest technologies, such as machine learning and big data analysis. Intelligent security technology can quickly recognize attack patterns or abnormal behaviors within a large amount of data and continuously respond to new threats through learning. In particular, knowledge-based technologies using ontology or knowledge graph technology play an important role in more deeply understanding the meaning of and relationships between security data and more effectively detecting and responding to complex threats. This study proposed a method for recommending strategies to respond to edge computing security incidents based on the automatic generation and embedding of security knowledge graphs. An EdgeSecurity–BERT model, utilizing the latest security vulnerability data from edge computing, was designed to extract entities and their relational information. Also, a security vulnerability assessment method was proposed to recommend strategies to respond to edge computing security incidents through knowledge graph embedding.
In the experiment, the classification accuracy of security news data for common vulnerability and exposure data was approximately 86% on average. In addition, the EdgeSecurityKG applying the security vulnerability similarity improved the Hits@10 performance to identify the correct link, but the MR performance was degraded owing to the increased complexity. In complex areas, such as security, careful evaluation of the model’s performance and data selection are important. The EdgeSecurityKG applying the security vulnerability similarity provides an important advantage in understanding complex security vulnerability relationships.

1. Introduction

Recently, security attacks in edge computing environments have emerged as an important research topic in the field of cybersecurity. Edge computing is a distributed computing technology that expands the existing cloud computing architecture to introduce a new layer, the edge layer, between the cloud layer and the user terminal layer [1]. This technology has the advantage of improving the data processing speed and reducing the bandwidth usage by executing data processing and analysis at the edge of the network, which is at a point closer to the user. Edge computing greatly improves the data processing speed and efficiency but, at the same time, new security vulnerabilities occur. The main security attacks of edge computing include the following characteristics: First, distributed data processing exposes vulnerabilities at various points in the network. These vulnerabilities can be used by attackers to break into the system or steal data. Second, because devices in edge computing are placed in a physically accessible location, physical intrusion also acts as an important threat. Security attacks in these environments include denial-of-service (DoS) and distributed-denial-of-service (DDoS) attacks, malware propagation, and data leakage [2]. In particular, edge computing environments are used for applications that require real-time data processing and management, so these attacks can severely affect the performance of the system. In addition, man-in-the-middle attacks can intercept or manipulate information during data transmission, threatening the integrity and confidentiality of the communication. The complexity and diversity of these attacks require a security mechanism specific to edge computing. Therefore, because traditional security approaches do not fully reflect the characteristics of distributed and dynamic edge computing, it is necessary to develop security strategies and solutions, using intelligent technologies. 
Intelligent security systems, which have been significantly researched in recent years, provide methods for detecting and responding to security threats by integrating the latest technologies, such as machine learning and big data analytics. These systems can quickly recognize attack patterns or anomalous behaviors within large amounts of data and continuously respond to threats, even new ones, through continuous learning. Although traditional security systems respond to attacks after their occurrence, intelligent security systems take a proactive approach in identifying and responding to threats in advance. In addition, they offer the great advantage of analyzing large amounts of data, such as security logs and network traffic, to detect previously undiscovered threats. In particular, knowledge-based intelligent security systems using ontology or knowledge graph technology are crucial for deepening the understanding of the meaning of and relationships between security data and detecting and responding to complex threats more effectively [3]. Knowledge-based security technologies formally define entities, such as attack types, vulnerabilities, and attackers, and their relationships. Consequently, the system can gain a deeper understanding of security events and quickly identify the overall scenario or pattern of an attack by linking various elements of threat information [4]. By understanding the knowledge of specific security threats and the attack situation, accurate and effective response strategies can be established. Herein, a method for recommending strategies for responding to edge computing security incidents is proposed using the automatic generation and embedding of security knowledge graphs. We perform text extraction and preprocessing based on the latest security vulnerability data of edge computing. Furthermore, we design an EdgeSecurity–BERT model to extract entities and their relational information, which are components of the knowledge graph. 
Consequently, we propose a security vulnerability assessment method to recommend response strategies for edge computing security incidents through knowledge graph embedding. Our main contributions are the following:
  • We propose a method to recommend security incident response strategies in edge computing, using the automatic generation of security knowledge graphs and knowledge graph embedding. We design an EdgeSecurity–BERT model that performs text extraction and preprocessing based on the latest security vulnerability data and extracts entity and relationship information, which is a component of a knowledge graph. In addition, we propose a method to recommend edge computing security incident response strategies through knowledge graph embedding;
  • In the process of automatically creating EdgeSecurityKG, we measure the similarities of security vulnerabilities to effectively reflect the latest security technology trends and security threat rankings;
  • We propose a knowledge graph embedding method for security incident response. We present a method for determining responses to security incidents, utilizing the generated EdgeSecurityKG.
The remainder of this paper is organized as follows: Section 2 describes the intelligent security incident responses and knowledge graph embedding and completion. Section 3 describes the methods for automatically generating and embedding security knowledge graphs, as proposed in this study. Section 4 validates the proposed methodology by measuring the performance of the proposed methods. Finally, Section 5 concludes the study.

2. Related Work

In this chapter, we summarize the types of existing security incident response methods and the status of the intelligent security incident responses. In addition, we introduce the latest research on knowledge graph embedding and completion.

2.1. Intelligent Security Incident Responses

Security incident response technologies primarily identify security attacks by analyzing patterns or behaviors. However, pattern-based intrusion response methods have the disadvantage of not having a high detection rate in situations where new or complex intrusions are used. Pattern-based attack detection uses signatures or patterns of known attack types to identify attacks. This method detects attacks by comparing network traffic or system activity with known attack patterns stored in the database. This pattern-based method is highly efficient and accurate, but it is inefficient in detecting new or modified attack types that are not in the database. Behavior-based attack detection recognizes abnormal behavior by analyzing and modeling system or network behavior based on machine learning. Behavior-based approaches are effective against new types of attacks, but they can make errors in distinguishing normal behavior from attack behavior. To overcome the limitations of existing security technologies, intelligent security technology research has been actively conducted in recent years. In particular, ontology and semantic web-based reasoning technology, intelligent access control, text mining and natural language processing (NLP) based malware detection technology, and knowledge graph-based intrusion response recommendation technology have been widely studied [5]. Security ontologies, which represent entities and relationships between concepts, are being used to integrate heterogeneous data and schemas from various security systems and to detect threats and analyze vulnerabilities in various attack scenarios. Knowledge graph technology is used to build knowledge graphs based on common weakness enumeration (CWE) data that summarize source code vulnerabilities and then use it to predict relationships within vulnerabilities based on a translation model [6]. 
In addition, after the integration of various security concepts and instances based on knowledge graphs, methods for predicting intrusion incidents, using knowledge graph embedding technology, are being studied. These intelligent security technologies have the advantage of applying various reasoning techniques to recommend responses to security intrusions.

2.2. Knowledge Graph Embedding and Completion

In knowledge graph research, methods for inferring previously unknown facts, such as link prediction, are very important techniques. Knowledge graph embedding is used as a representative method for link prediction [7,8,9]. Knowledge graph embedding is a method for vectorizing entities and relationships in a knowledge graph, and the embedding value is learned based on a scoring function that predicts the probability that a given triple is true [10,11,12]. A representative example of knowledge graph embedding technology is as follows: First, TransE is based on the principle that subject and object parts can be interpreted based on a relation [13,14]. TransE learns that the sum of the subject vector and the relationship vector in the vector space approximates the object vector [15,16,17]. RotatE is a rotation model that expands TransE’s perspective on relationships to consider relationships as rotations from the subject to the object on a complex plane [18,19,20]. RotatE has the advantage of being able to model various relationship patterns, such as symmetry, antisymmetry, inverse, or synthesis. DistMult and ComplEx are semantic similarity-based models that match the potential semantics of objects and relationships based on their similarity [21,22,23]. DistMult is a simplified model of bilinear formulation that limits the relationship to diagonal matrices [24,25,26]. However, DistMult has a limitation in that it cannot model asymmetric relationships. ComplEx is an extension of the DistMult model to the complex range, utilizing paired complex embeddings and Hermitian inner products to model asymmetric relationships [27,28,29]. Holographic Embedding (HolE) is a knowledge graph embedding method that leverages circular correlation to compress and intertwine entity and relation vectors, enabling it to effectively capture complex, asymmetrical relationships in the graph [30]. 
Convolutional 2D Knowledge Graph Embedding (ConvE), on the other hand, utilizes convolutional neural networks to process reshaped 2D embeddings of entities and relations, which allows for a more efficient representation of relational patterns and is particularly advantageous for large-scale graphs and predictive tasks [17,31]. Knowledge completion techniques utilizing query sentences and knowledge graph embeddings are under active research. Knowledge completion infers new triples from the query embeddings and the subject and object embeddings of the knowledge graph [32,33,34,35]. In addition, a knowledge graph completion method based on a transformer-based model is being actively studied. HittER is a hierarchical transformer model designed to learn the entity and relationship representations of knowledge graphs. This model demonstrates good performance in link prediction and question answering for datasets, such as FreebaseQA and WebQuestionSP [36]. KG-BERT uses a pretrained language model, such as BERT, to process the entity, relationship, and triple of the knowledge graph as a text sequence [37]. BERT-INT presents a way to sort entities throughout the knowledge graph, using additional information, such as the name and description [38]. In this study, we design a knowledge graph completion model based on the BERT model, but we focus on presenting a method that can be used to generate a knowledge graph by improving the quality of the training data, using the security vulnerability assessment of the security news data.

3. Recommendations for Responding to Security Incidents Using Knowledge Graph Embedding

3.1. Overall Process

In this section, we describe the process for using the automatic generation of security knowledge graphs and knowledge graph embedding to recommend strategies to counter edge computing security incidents.
As shown in Figure 1, our proposed method performs the following steps:
Step 1: Data preparation. Text extraction and preprocessing are performed based on the latest security vulnerability data of edge computing;
Step 2: Security vulnerability assessment. A security vulnerability evaluation is performed on the collected security vulnerability text to select a sentence suitable for generating a security knowledge graph;
Step 3: Knowledge graph construction. An edge computing knowledge graph is generated using the EdgeSecurity–BERT model to extract entity and relationship information from the selected text data according to security vulnerability similarities;
Step 4: Security incident responses. In this step, we use the knowledge graph embedding method to infer a response strategy to respond to edge computing security incidents.

3.2. Edge Computing Security Data Classification Using Security Vulnerability Similarities

In this subsection, we propose the use of security vulnerability similarities to effectively reflect the latest security technology trends and security threat rankings in the process of automatically generating a knowledge graph, using security news data and security vulnerability data. As the full text of the security vulnerability data or security news data is utilized to generate the security vulnerability knowledge graph, the entity–relation extraction results of the knowledge graph tend not to reflect the latest security trends [39,40]. In this study, to overcome these shortcomings, we measured the security vulnerability similarity to select texts for knowledge graph generation from the latest security news data by considering the security risk ranking. To measure the security vulnerability similarity, we used the Top2Vec algorithm for topic modeling and the Doc2Vec algorithm for news data classification. At each stage, different types of data were applied to reflect the latest security technology trends, and the final result was derived by assigning weights to the results of each stage. We performed the following two steps to measure the similarity of the security vulnerabilities: First, we classified the types of security attacks in edge computing and then selected keywords for each attack. For the security news data, we collected information on security news and vulnerabilities from 10 sites, including The Hacker News, Krebs on Security, Dark Reading, Infosecurity Magazine, and SecurityWeek. To facilitate the effective collection of the latest information on major security vulnerabilities in edge computing, we checked and selected matching news articles from those sites, using the list of security vulnerabilities in edge computing and related keywords, as presented in Table 1.
When collecting security news data, we used the Python libraries BeautifulSoup and newspaper3k to extract the content of the article from each URL and then performed text preprocessing tasks, such as removing stop words, spaces, and special characters and converting the text to lowercase. Figure 2 presents an example of the results for preprocessing the collected security news data.
After extracting the main keywords using the Top2Vec algorithm, which can extract the main topics from the collected security news articles, we measured the word frequency for each keyword. Figure 3 shows a word cloud representation of the frequency of the main keywords counted for each category item. The data corresponding to the security-type keywords for each category item were used along with the common vulnerability and exposure (CVE) data.
The extracted topics were compared with the CVE list, and the word count results were accumulated and added together. Using the Top2Vec algorithm, the topic groups were classified into 45 category items, and the total sum of each item was divided by the sum of the CVE counting values for each item, where each category item was included in the CVE keyword list, as shown in Equation (1). $A_{count}$ represents the total sum of the frequencies of the words related to attack types extracted from the CVE list, and $A_n$ is the aggregate of all the counting values for each attack type in the CVE list.
$$T = \sum_{n=1}^{45} \frac{A_n}{A_{count}} \tag{1}$$
The result by attack type, T, shows the relevance between the attack type and the CVE data. The higher the score, the higher the relevance, and it is reflected as an item of the security vulnerability similarity.
Second, the Doc2Vec algorithm was used for the classification of the relationship between the security news data and the CVE list. The Doc2Vec algorithm can be used to predict words in a given context and consider the semantics of the entire document, including that context. In this study, we used the concatenation of distributed memory (DM) and distributed bag of words (DBOW) models for this algorithm. First, to optimize the DM model, we set the vector size to 100, the minimum number of word occurrences to 2, and the window size to 2, in which case, the classification accuracy was the highest. The DBOW model showed the highest classification accuracy when we set the vector size to 100 and the minimum number of word occurrences to 2. The performance of the generated models was evaluated using K-fold cross-validation, where K was set to 5, and the performance was averaged after performing cross-analysis five times. Furthermore, we generated keywords for each topic group by attack type and measured the similarity between the group and CVE word list, using the cosine similarity method. The final equation, L, was derived by summing the similarity values with the subject group for each CVE list. Equation (2) is used to measure the similarity between the topic list, T, of the three subject groups measured using the Doc2Vec algorithm and the CVE word list, C.
$$L = \sum_{n=1}^{3} D(C, T_n) \tag{2}$$
For each CVE list, the similarity values for the security newsgroups were added together and reflected in the security vulnerability similarity (SVS), as shown in Equation (3).
$$SVS = T \times L \tag{3}$$
In Table 2, the first data are news regarding a cybersecurity issue related to a new trend in ransomware attacks. By measuring the similarity with the CVE data, we observed high similarity in items related to file deletion and privilege escalation during anti-ransomware file restoration. The second data are related to a vulnerability in the “Realtek RTL8170C Wi-Fi” module that could allow an attacker to escalate privileges and take control of wireless communications in IoT devices. Herein, the similarity with the data for the vulnerability in the “Realtek RTL8195A Wi-Fi” module was observed. In this study, the latest security news data and CVE data used to generate security knowledge graphs automatically based on the security vulnerability similarity were classified to improve the accuracy for generating the knowledge graphs of the related domains.

3.3. Automated Generation and Expansion of BERT-Based Edge Computing Security Knowledge Graph

In this section, we describe the method for automatically generating and expanding a security knowledge graph based on the BERT model. An EdgeSecurityKG is generated automatically based on the classified edge computing security texts, using the security vulnerability similarity obtained from the collected security news data and CVE data. To generate the knowledge graph automatically from the edge computing security texts, two types of information are essential: entity and relation. We used a trained named entity recognition (NER) model that can identify jargon specific to the field [41].
The process was divided into two parts: The first part involved accurately extracting all the entities from the collected sentences, using the NER model. In the second part, the extracted words were combined to generate a set of entity pairs, using all the possible concatenations of the pairs. In edge computing security texts, NER is achieved through the pretrained BERT model [42,43]. The process began by analyzing edge computing security texts to generate a vocabulary. In the preprocessing stage, the text was cleaned and transformed into the required form based on the vocabulary. The preprocessed data were then used in the pretraining process of the BERT, which utilized a multi-layer transformer structure to gain a deep understanding of the complex context of sentences and the relationships between words. Finally, an EdgeSecurity–BERT model specific to the field of edge computing security was generated through the process shown in Figure 4.
If a token was not present in the vocabulary, the “[UNK]” token was used to represent the unknown. Subsequently, the tokenized and embedded input data were passed through several layers of the model. The main features of the sentence were extracted through average pooling, which uses the average value, and max pooling, which uses the maximum value. The data were then passed through a fully connected layer to learn complex patterns in the sentence and a SoftMax layer to obtain the probability value for each entity name. The end result of this process was the output of correctly tagged entity names in the sentence. A knowledge graph is composed of linked relations and the entities that form the relations, and it is important to extract these relations and entities effectively.
To identify the relations between the entities in a given sentence, the entities should first be recognized accurately. Consequently, a model is applied to determine their relations [18]. In this process, Entity_Head and Entity_Tail were input to the pretrained BERT model by reflecting the structure and context of the sentence. Entity_Head and Entity_Tail were processed through a specific embedding method. For edge computing security texts, important relational information can be extracted based on the frequency of occurrence of Entity_Head. Before the application of the sentences to a language model, such as BERT, the sentences were tokenized, and special tokens, such as [SEP], were used to distinguish them. The BERT model provides an output hidden-state value for each token, which is processed using the average pooling and max pooling methods [44,45,46]. In addition, as the performance of the relation extraction is closely related to the types of entities, the types of the Entity_Head and Entity_Tail were represented by embedding them into 64-dimensional vectors. The output of the generated BERT, the vector values obtained through pooling, and the type-embedding values were concatenated and used as a composite input. These linked data were then passed through the fully connected layer. Then, after a SoftMax operation was performed, the relation between the entities in the sentence was classified. Figure 5 provides an example for extracting entities and relations from edge computing security text through this process.
To expand the knowledge graph created using the security news data and CVE data, relevant text was collected from the Google News site based on the extracted entities and relations. Using 30 search results per entity and the link information contained on the pertaining pages, we collected three pages of child contents. In general, texts are extracted from news sites according to the frequency of the keyword; thus, if the knowledge graph is created using them, its relevance to the entity is not high. Therefore, in this study, we used the security vulnerability similarity to classify the collected news data based on the ranking of the relevance to the entity among the collected news data and then performed the process for expanding the knowledge graph. Figure 6 shows a part of the knowledge graph expanded through the Google News site for the entity “Cloud Computing”.

3.4. Knowledge Graph Embedding for Responses to Security Incidents

In this subsection, we describe a method for inferring responses to security incidents, using the generated edge computing security knowledge graph. When text related to a specific security incident is entered as input into the system, the knowledge graph is used to analyze various entities and relations to determine the characteristics, type, cause, and impact of the attack. To perform this task, the knowledge graph was used to detect the complex pattern and structure of the security attack and infer the relation in the triple format. As shown in Figure 7, the edge computing security text was embedded using the ALBERT model, and the embedding was applied to the ComplEx model. ALBERT reduced the size of the embedding vector to a size smaller than the number of dimensions of the input embedding vector to lighten the model by reducing the number of parameters at the beginning of the input [47,48]. Once the security incident text was input, the ALBERT model was used to generate a vector representation. [CLS] and [SEPi] are special tokens used in transformer encoder-based language models, such as BERT and ALBERT. The [CLS] token is mainly utilized in classification tasks, where the output value of the language model corresponding to [CLS] is used as a vector representation of the input of the language model, whereas [SEPi] is used to distinguish between the sentences used as the input to the language model.
Rather than using the ALBERT model’s output corresponding to [CLS] to convert each sentence in the security incident text to a vector, we encoded the sentences in the input document, using the output corresponding to [SEPi], which was inserted to separate each sentence. Therefore, sentences $S_1, S_2, \ldots, S_n$, comprising the text of a specific security incident, were converted to the corresponding sentence-embedding vectors ($E_{S_1}, E_{S_2}, \ldots, E_{S_n}$), as shown in Equation (4).
$$E_{S_1}, E_{S_2}, \ldots, E_{S_n} = \mathrm{ALBERT}(S_1, S_2, \ldots, S_n) \tag{4}$$
where $S_i$ represents the i-th sentence, which is tokenized using the ALBERT tokenizer and used as input to the ALBERT model, and $E_{S_i}$ is the output value of the ALBERT model corresponding to [SEPi] and the vector representation corresponding to the i-th sentence. Through this process, the sentence vectors that comprise the document and reflect the contextual information between the sentences can be obtained.
$$\hat{E}_{S_i} = \mathrm{relu}(\mathrm{FNN}(E_{S_i})), \qquad C_{S_i} = \frac{\hat{E}_{S_i} \times C_i}{\lVert \hat{E}_{S_i} \rVert \, \lVert C_i \rVert} \quad (i = 0, 1, \ldots, m) \tag{5}$$
In Equation (5), $\mathrm{relu}(\mathrm{FNN}(E_{S_i}))$ is a function for finding the vector $\hat{E}_{S_i}$, which maps the i-th sentence vector, $E_{S_i}$, to the vector space for the labels to be classified; and $C_{S_i}$ is the cosine similarity distribution between $\hat{E}_{S_i}$ and the embedding vectors $C_0, C_1, \ldots, C_m$, corresponding to the labels to be classified. The label embedding vectors $C_0, C_1, \ldots, C_m$ were initialized randomly and then fine-tuned during the learning process. Through this process, the sentence encoder generated a feature vector (sentence basis), which is a vectorized representation of the relational information between the sentence and the label to be classified, and linked it with the sentence vector $E_{S_i}$ to output the sentence vector $E_{S_i}$, which reflects the feature.
The inference process is centered on the ComplEx Score calculation function, and this function uses the embedding vector of the security incident text and the embedding vector of the subject and object in the knowledge graph. ComplEx Score is used to evaluate the suitability of a given triple and based on this, a new triple is inferred [49]. This process captures the hidden meaning of certain entities and relations in the knowledge graph and enables a more accurate understanding and analysis of the details of a security incident. For a triple (h, r, t), the ComplEx Scoring function is expressed as Equation (6).
$$s_{h,r,t} = \mathrm{Re}\left(\sum_{i=1}^{k} h_i^{r} \times r_i \times t_i^{r}\right) \tag{6}$$
where Re is the real number part of the complex number, k is the number of dimensions of the embedding, and $h^r$, $r$, and $t^r$ are the conjugated embedding of the head, relation, and tail, respectively, in the relational dimension, r.
The process for inferring responses to security incidents involves model training and testing stages. In the model training stage, we first extracted the security incident texts from the training dataset and used the embedding module to obtain the embedding values of the texts, which include the topic embedding and predicate embedding of the security incident text. This information was combined with the edge computing security knowledge graph to learn the embedding values of all the entities corresponding to the subject and object parts through the ComplEx model. The ComplEx Score calculation function uses all the embedding values to perform the calculation. In addition, it calculates the loss, using the binary cross-entropy loss to compare the calculation result with the ground-truth set. Thereafter, the embedding values were updated through the backward step, and the training was performed continuously. The embedding values learned this way were used in the ComplEx Score calculation function, using test data in the test stage, and the inferred knowledge was used to verify the accuracy of the security incident responses.
To infer the method for responding to a security incident from the attack-related text of the edge computing, as shown in Table 3, we extracted “incapacitates” as a similar predicate because it has the highest value among the predicate-embedding values in the text. As shown in Figure 8, the embedding value of the concept “DDoS”, extracted from the attack-related text, was inserted, and the embedding value of “defended”, a predicate similar to the query, was concatenated and entered as a predicate in the score calculation function. Afterward, the embedding values “Edge computing environments”, “Network speeds”, “Routing attacks”, and “Real-time responses”, which can be candidate subjects and objects in the knowledge graph, were substituted into the object individually to perform the calculation. “Network speeds”, with the highest score of 0.58, was selected as the object to infer new knowledge. The response method formula is grounded on a fundamental rule of inference in propositional logic known as Modus Ponens. Modus Ponens is a classical form of logical reasoning that asserts if a conditional statement (‘If P then Q’) is true, and its antecedent P is established as true, then the consequent Q necessarily follows [50].
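The score-and-train loop described above, as an added example (not the authors' code): a pure-Python ComplEx model trained with binary cross-entropy on a constructed toy graph paraphrased from the Table 3 relationships, then used to rank candidate objects for a query. It assumes the standard ComplEx form with the tail embedding conjugated; the function names, hyperparameters and resulting scores are illustrative and do not reproduce the paper's 0.58.

```python
import math
import random

# Constructed toy graph: triples paraphrased from the Table 3 relationships.
TRIPLES = [
    ("Edge computing environments", "require", "Real-time responses"),
    ("Attackers", "cause", "Excessive traffic"),
    ("Excessive traffic", "leads_to", "DDoS"),
    ("DDoS", "incapacitates", "Network functionality"),
    ("Attackers", "conduct", "Routing attacks"),
    ("Routing attacks", "manipulate", "Network-routing information"),
    ("Routing attacks", "cause", "Service delays"),
    ("Network functionality", "depends_on", "Network speeds"),
]
ENTITIES = sorted({e for h, _, t in TRIPLES for e in (h, t)})
RELATIONS = sorted({r for _, r, _ in TRIPLES})


def complex_score(h, r, t):
    """ComplEx score: Re(sum_i h_i * r_i * conj(t_i)) over complex vectors."""
    return sum((hi * ri * ti.conjugate()).real for hi, ri, ti in zip(h, r, t))


def sigmoid(x):
    x = max(-30.0, min(30.0, x))  # clamp so exp() cannot overflow
    return 1.0 / (1.0 + math.exp(-x))


def bce(p, y, eps=1e-12):
    """Binary cross-entropy between predicted probability p and label y."""
    return -(y * math.log(p + eps) + (1.0 - y) * math.log(1.0 - p + eps))


def labelled_examples():
    """Try every entity as the object of each known (head, relation) pair.
    Label 1.0 if the triple is in the graph (ground truth), else 0.0."""
    known = set(TRIPLES)
    return [(h, r, c, 1.0 if (h, r, c) in known else 0.0)
            for h, r, _ in TRIPLES for c in ENTITIES]


def mean_loss(ent, rel, examples):
    return sum(bce(sigmoid(complex_score(ent[h], rel[r], ent[t])), y)
               for h, r, t, y in examples) / len(examples)


def train(dim=8, epochs=300, lr=0.1, seed=0):
    """Plain SGD on the BCE loss; returns embeddings plus loss before/after."""
    rng = random.Random(seed)

    def init(names):
        return {n: [complex(rng.uniform(-0.5, 0.5), rng.uniform(-0.5, 0.5))
                    for _ in range(dim)] for n in names}

    ent, rel = init(ENTITIES), init(RELATIONS)
    examples = labelled_examples()
    loss_before = mean_loss(ent, rel, examples)
    for _ in range(epochs):
        for h, r, t, y in examples:
            eh, er, et = ent[h], rel[r], ent[t]
            # dLoss/dScore for BCE applied to sigmoid(score).
            g = sigmoid(complex_score(eh, er, et)) - y
            # Backward step. Treating each complex number as (real, imag):
            # dScore/dh = conj(r)*t, dScore/dr = conj(h)*t, dScore/dt = h*r.
            grads = [(ri.conjugate() * ti, hi.conjugate() * ti, hi * ri)
                     for hi, ri, ti in zip(eh, er, et)]
            for i, (gh, gr, gt) in enumerate(grads):
                eh[i] -= lr * g * gh
                er[i] -= lr * g * gr
                et[i] -= lr * g * gt
    return ent, rel, loss_before, mean_loss(ent, rel, examples)


def rank_objects(ent, rel, head, relation, candidates=None):
    """Substitute each candidate as the object and sort by sigmoid(score)."""
    scored = [(c, sigmoid(complex_score(ent[head], rel[relation], ent[c])))
              for c in (candidates or ENTITIES)]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    ent, rel, before, after = train()
    print(f"mean BCE loss: {before:.3f} -> {after:.3f}")
    for name, p in rank_objects(ent, rel, "DDoS", "incapacitates")[:4]:
        print(f"{p:.3f}  {name}")
```

Passing a `candidates` list to `rank_objects` restricts the substitution to a chosen set of objects, as the paper does with its four candidate entities.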

4. Experiments and Assessment

In this chapter, we describe experiments on the classification of edge computing security data using the security vulnerability similarity and the prediction of knowledge completion and relationships to respond to security incidents.

4.1. Experiment on Edge Computing Security Data Classification Using Security Vulnerability Similarity

In this study, we proposed the security vulnerability similarity to effectively reflect the latest security technology trends and security threat rankings in the process of automatically generating a knowledge graph, using security news data and security vulnerability data. For the security data classification experiment using the security vulnerability similarity between the security news data and CVE data, we collected security news and vulnerability-related information from ten sites and then selected the optimal security data to generate a knowledge graph for the edge computing security. The classification performance of the model was evaluated using the accuracy and F1-score. Accuracy is the percentage of samples whereby the news data classification has been correctly performed for particular CVE data.
$$\mathrm{Accuracy} = \frac{\text{Number of correct news data}}{\text{Total number of news data}}$$
Precision refers to the percentage of samples that belong to the news data among the news data predicted as a group related to the CVE data. Further, Recall is the percentage of samples that are correctly predicted among the samples that belong to the news data.
$$\mathrm{Precision} = \frac{\text{True Positives}}{\text{True Positives} + \text{False Positives}}$$
$$\mathrm{Recall} = \frac{\text{True Positives}}{\text{True Positives} + \text{False Negatives}}$$
Consequently, the F1-score is calculated as the harmonic mean of the Precision and Recall.
$$\mathrm{F1\text{-}score} = 2 \times \frac{\mathrm{Precision} \times \mathrm{Recall}}{\mathrm{Precision} + \mathrm{Recall}}$$
For the classification between the security news and CVE data, Doc2Vec’s DM and DBOW models were concatenated to perform embedding, after which the classification was performed using the linear kernel of support vector machines (SVMs).
As shown in Figure 9, the classification accuracy of the security news data for the CVE data was measured to be approximately 86% on average. After the parameters of Doc2Vec’s DM, DBOW, and concatenation models were adjusted, the DBOW model exhibited the highest value (0.885) for the weighted average precision.

4.2. Experiment on Knowledge Completion and Relation Prediction for Security Incident Responses

In this subsection, we describe experiments on link prediction and triple classification to evaluate the performance of the proposed knowledge completion and inference for security incident responses. We extracted 8,689 entities and 591 relations from the collected security news and security vulnerability data and generated a total of 103,311 triples (Entity_Head; Relation; Entity_Tail). We also extracted 6,146 entities and 481 relations from the security vulnerability data classified using the security vulnerability similarity, and generated a total of 83,311 triples (Entity_Head; Relation; Entity_Tail). A Gaussian error linear unit (GELU) transformer encoder was used to measure the accuracy of the relation extraction, and an adaptive moment estimation (ADAM) optimizer was used as an optimizer [51]. As the parameters used for training, embedding_size was set to 128, hidden_size to 1,024, layer to 12, and attention_heads to 12. For the assessment in this experiment, we used the commonly used rank-based evaluation metrics as follows: mean rank (MR) and HIT@N. MR is the mean rank value of all the triples, and the HIT@N metric is the ratio of the triples with the top N ranks to all the test triples. Q is the set of test triples, and $\mathrm{rank}(s, p, o)_{i}$ is the rank of the object for the i-th test triple.
$$\mathrm{MR} = \frac{1}{|Q|} \sum_{i=1}^{|Q|} \mathrm{rank}(s, p, o)_{i}$$
$$\mathrm{Hits@}N = \frac{1}{|Q|} \sum_{i=1}^{|Q|} \begin{cases} 1 & \text{if } \mathrm{rank}(s, p, o)_{i} \le N \\ 0 & \text{otherwise} \end{cases}$$
Table 4 shows the results for measuring the link prediction by constructing the triples (Entity_Head; Relation; Entity_Tail) extracted from the security news and security vulnerability data and the result for measuring the link prediction by constructing the triples (Entity_Head; Relation; Entity_Tail) classified based on the security vulnerability similarity.
The initial models of translation embedding, such as TransE and TransH, demonstrated high performance in both the MR and Hits@10 metrics. EdgeSecurityKG, when classified using the security vulnerability similarity, showed improved performance in the Hits@10 metric, which is attributed to the security vulnerability similarity enabling the model to learn from a broader array of link relations and paths, thereby enhancing its ability to identify correct links within the top 10 predictions. However, the performance of EdgeSecurityKG in the MR metric was not as high when the security vulnerability similarity was applied. The added complexity of the link relationships and paths introduced by the security vulnerability similarity may have impacted the model’s ability to consistently predict accurate rankings for all the entities. Moreover, the comparison of the EdgeSecurityKG’s MR performance with that of the HolE model, regardless of the application of the security vulnerability similarity, indicates that EdgeSecurityKG may not be fully optimized for the specific characteristics of our dataset. Although the security vulnerability similarity improves certain aspects of the model’s performance, it does not uniformly enhance its overall ranking prediction ability. This finding emphasizes the need for careful evaluation of the model’s performance and strategic data selection, especially in complex domains, such as security. Nonetheless, EdgeSecurityKG with the application of the security vulnerability similarity offers significant advantages in better understanding and predicting complex security vulnerability relationships and patterns. This can contribute to increasing the accuracy of link prediction and knowledge representation in the field of security.
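The trade-off discussed above between MR and Hits@10, as an added example (not the authors' evaluation code): ranks are derived from candidate scores, then both metrics are computed for two constructed rank profiles. The candidate names, the tie-handling policy and the rank values are assumptions made for illustration.

```python
def rank_of_true(scores, true_object):
    """1-based rank of the true object among all scored candidates
    (higher score = better). Tied candidates share the mean of the
    positions they occupy, so constant scores do not earn rank 1."""
    target = scores[true_object]
    better = sum(1 for s in scores.values() if s > target)
    tied = sum(1 for s in scores.values() if s == target)  # includes itself
    return better + (tied + 1) / 2


def mean_rank(ranks):
    """MR: arithmetic mean of the ranks, so a few very bad ranks dominate."""
    return sum(ranks) / len(ranks)


def hits_at_n(ranks, n):
    """Hits@N: share of test triples whose true object is ranked within N."""
    return sum(1 for r in ranks if r <= n) / len(ranks)


def evaluate(queries, n=10):
    """queries: list of (scores_by_candidate, true_object), one per test triple."""
    ranks = [rank_of_true(scores, true) for scores, true in queries]
    return {"MR": mean_rank(ranks), f"Hits@{n}": hits_at_n(ranks, n)}


def query_with_rank(rank, n_candidates=250):
    """Constructed test query whose true object lands at the given rank."""
    scores = {f"e{i}": float(n_candidates - i) for i in range(n_candidates)}
    return scores, f"e{rank - 1}"


# Constructed ranks for ten test triples under two hypothetical models.
RANKS_A = [3, 8, 12, 15, 40, 60, 9, 11, 25, 30]   # steady, mid-table ranks
RANKS_B = [1, 2, 4, 7, 10, 6, 200, 5, 150, 90]    # sharper top, long tail

MODEL_A = evaluate([query_with_rank(r) for r in RANKS_A])
MODEL_B = evaluate([query_with_rank(r) for r in RANKS_B])

if __name__ == "__main__":
    # Model B finds more correct links in the top 10, yet three badly
    # ranked triples more than double its mean rank.
    print("A", MODEL_A)
    print("B", MODEL_B)
```

Because MR is an unbounded mean, reporting the full rank distribution next to it shows whether a worse MR comes from a few outliers or from a general decline.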

5. Conclusions

This study proposed a method for automatically generating and embedding security knowledge graphs to recommend strategies for responding to edge computing security incidents. We performed text extraction and preprocessing based on the latest security vulnerability data of edge computing. Furthermore, we designed an EdgeSecurity–BERT model to extract entities and their relational information, which are components of the knowledge graph, and consequently proposed a security vulnerability evaluation method to recommend response strategies for edge computing security incidents through knowledge graph embedding. Experiments were conducted to measure the accuracy of the edge computing security data classification using the security vulnerability similarity. The experimental results showed that the classification accuracy of the security news data for the CVE data was approximately 86% on average. In the experiment on knowledge completion and relationship prediction for security incident responses, the knowledge graph link prediction performance was measured using the following rank-based evaluation metrics: MR and HIT@N. The EdgeSecurityKG applying the security vulnerability similarity improved the Hits@10 performance to identify the correct link, but the MR performance degraded owing to the increased complexity. By representing complex relations in a low-dimensional vector space, knowledge graph embedding provided a clear understanding of the relations between the various factors related to the security vulnerabilities. Information, such as the systems wherein a particular vulnerability had been found in the past and its consequences, can be easily extracted from the knowledge graph. We expect that knowledge graph embedding will be used to predict vulnerabilities or relations that have not yet been discovered through methods such as link and relation prediction rather than simply utilizing existing information.

Author Contributions

Conceptualization, H.K. and J.C.; methodology, H.K. and J.C.; investigation, J.C.; resources, H.K.; writing—original draft preparation, H.K. and J.C.; writing—review and editing, H.K. and J.C.; visualization, J.C. All authors have read and agreed to the published version of the manuscript.

Funding

This study was supported by a research fund from Chosun University, 2019.

Data Availability Statement

The data that support the findings of this study are available from the corresponding author, Junho Choi, upon reasonable request.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
BERT: Bidirectional Encoder Representations from Transformers
CVE: Common Vulnerabilities and Exposures
NER: Named Entity Recognition
CLS: Special Classification Token
SEP: Special Separator Token
UNK: Unknown Token
ALBERT: A Lite BERT
ReLU: Rectified Linear Unit
DDoS: Distributed Denial of Service
DM: Distributed Memory
DBOW: Distributed Bag of Words
MR: Mean Rank

References

  1. Kong, L.H.; Tan, J.L.; Huang, J.Q.; Chen, G.H.; Wang, S.T.; Jin, X.; Zeng, P.; Khan, M.; Das, S.K. Edge-computing-driven Internet of Things: A Survey. ACM Comput. Surv. 2022, 55, 1–41.
  2. Pawlicki, M.; Pawlicka, A.; Kozik, R.; Choras, M. The survey and meta-analysis of the attacks, transgressions, countermeasures and security aspects common to the Cloud, Edge and IoT. Neurocomputing 2023, 551, 126533.
  3. Kim, J.; Kim, K.; Sohn, M.; Park, G. Deep Model-Based Security-Aware Entity Alignment Method for Edge-Specific Knowledge Graphs. Sustainability 2022, 14, 8877.
  4. Guo, W.; Chen, H.X.; Hang, F.L.; He, Y.J.; Zhang, J. Learning Representations Using RNN Encoder-Decoder for Edge Security Control. Comput. Intell. Neurosci. 2022, 2022, 4199044.
  5. Liu, J.; Duan, L. A survey on knowledge graph-based recommender systems. In Proceedings of the 2021 IEEE 5th Advanced Information Technology, Electronic and Automation Control Conference (IAEAC), Chongqing, China, 12–14 March 2021; pp. 2450–2453.
  6. Wang, P.; Liu, J.J.; Hou, D.D.; Zhou, S.C. A Cybersecurity Knowledge Graph Completion Method Based on Ensemble Learning and Adversarial Training. Appl. Sci. 2022, 12, 12947.
  7. Ji, S.X.; Pan, S.R.; Cambria, E.; Marttinen, P.; Yu, P.S. A Survey on Knowledge Graphs: Representation, Acquisition, and Applications. IEEE Trans. Neural Netw. Learn. Syst. 2021, 33, 494–514.
  8. Pirrò, G. Building relatedness explanations from knowledge graphs. Semant. Web 2019, 10, 963–990.
  9. Rossi, A.; Barbosa, D.; Firmani, D.; Matinata, A.; Merialdo, P. Knowledge Graph Embedding for Link Prediction: A Comparative Analysis. ACM Trans. Knowl. Discov. Data (TKDD) 2021, 15, 1–49.
  10. Ma, J.T.; Qiao, Y.Q.; Hu, G.W.; Wang, Y.J.; Zhang, C.Q.; Huang, Y.Z.; Sangaiah, A.K.; Wu, H.G.; Zhang, H.P.; Ren, K. ELPKG: A High-Accuracy Link Prediction Approach for Knowledge Graph Completion. Symmetry 2019, 11, 1096.
  11. Chao, L.L.; He, J.S.; Wang, T.F.; Chu, W. PairRE: Knowledge Graph Embeddings via Paired Relation Vectors. arXiv 2021, arXiv:2011.03798.
  12. Wang, Q.; Mao, Z.D.; Wang, B.; Guo, L. Knowledge Graph Embedding: A Survey of Approaches and Applications. IEEE Trans. Knowl. Data Eng. 2017, 29, 2724–2743.
  13. Jaradeh, M.Y.; Oelen, A.; Farfar, K.E.; Prinz, M.; D’Souza, J.; Kismihók, G.; Stocker, M.; Auer, S. Open research knowledge graph: Next generation infrastructure for semantic scholarly knowledge. In Proceedings of the 10th International Conference on Knowledge Capture, Los Angeles, CA, USA, 19–21 November 2019; pp. 243–246.
  14. Mondal, I.; Hou, Y.; Jochim, C. End-to-end construction of NLP knowledge graph. In Findings of the Association for Computational Linguistics: ACL-IJCNLP 2021; Association for Computational Linguistics: Toronto, ON, Canada, 2021; pp. 1885–1895.
  15. Chen, Z.; Wang, Y.; Zhao, B.; Cheng, J.; Zhao, X.; Duan, Z. Knowledge graph completion: A review. IEEE Access 2020, 8, 192435–192456.
  16. Gesese, G.A.; Biswas, R.; Alam, M.; Sack, H. A survey on knowledge graph embeddings with literals: Which model links better literal-ly? Semant. Web 2021, 12, 617–647.
  17. Tian, L.; Zhou, X.; Wu, Y.-P.; Zhou, W.-T.; Zhang, J.-H.; Zhang, T.-S. Knowledge graph and knowledge reasoning: A systematic review. J. Electron. Sci. Technol. 2022, 20, 100159.
  18. Liu, Y. DKG-PIPD: A Novel Method About Building Deep Knowledge Graph. IEEE Access 2021, 9, 137295–137308.
  19. Chen, X.; Jia, S.; Xiang, Y. A review: Knowledge reasoning over knowledge graph. Expert Syst. Appl. 2020, 141, 112948.
  20. Zou, X. A survey on application of knowledge graph. J. Phys. Conf. Ser. 2020, 1487, 012016.
  21. Kazemi, S.M.; Poole, D. SimplE Embedding for Link Prediction in Knowledge Graphs. Adv. Neural Inf. Process. Syst. 2018, 31, 4289–4300.
  22. Sun, H.Y.; Grishman, R. Lexicalized Dependency Paths Based Supervised Learning for Relation Extraction. Comput. Syst. Sci. Eng. 2022, 43, 861–870.
  23. Portisch, J.; Hladik, M.; Paulheim, H. KGvec2go—Knowledge Graph Embeddings as a Service. arXiv 2020, arXiv:2003.05809.
  24. Nguyen, D.Q. A Survey of Embedding Models of Entities and Relationships for Knowledge Graph Completion. arXiv 2017, arXiv:1703.08098.
  25. Berrendorf, M.; Faerman, E.; Vermue, L.; Tresp, V. Interpretable and Fair Comparison of Link Prediction or Entity Alignment Methods. In Proceedings of the 2020 IEEE/WIC/ACM International Joint Conference on Web Intelligence and Intelligent Agent Technology (WI-IAT), Melbourne, Australia, 14–17 December 2020; pp. 371–374.
  26. Zhao, Y.; Zhang, A.; Xie, R.; Liu, K.; Wang, X. Connecting embeddings for knowledge graph entity typing. arXiv 2020, arXiv:2007.10873.
  27. Jia, N.; Cheng, X.; Su, S. Improving knowledge graph embedding using locally and globally attentive relation paths. In Advances in Information Retrieval, Proceedings of the 42nd European Conference on IR Research, ECIR 2020, Lisbon, Portugal, 14–17 April 2020; Springer: Cham, Switzerland, 2020; pp. 17–32.
  28. Qiu, X.; Sun, T.; Xu, Y.; Shao, Y.; Dai, N.; Huang, X. Pre-trained models for natural language processing: A survey. Sci. China Technol. Sci. 2020, 63, 1872–1897.
  29. Zouaq, A.; Martel, F. What is the schema of your knowledge graph? Leveraging knowledge graph embeddings and clustering for expressive taxonomy learning. In Proceedings of the International Workshop on Semantic Big Data; Association for Computing Machinery: Portland, OR, USA, 2020; pp. 1–6.
  30. Nickel, M.; Rosasco, L.; Poggio, T. Holographic embeddings of knowledge graphs. arXiv 2015, arXiv:1510.04935.
  31. Dettmers, T.; Minervini, P.; Stenetorp, P.; Riedel, S. Convolutional 2d knowledge graph embeddings. arXiv 2017, arXiv:1707.01476.
  32. Wang, B.; Shen, T.; Long, G.D.; Zhou, T.Y.; Wang, Y.; Chang, Y. Structure-Augmented Text Representation Learning for Efficient Knowledge Graph Completion. arXiv 2021, arXiv:2004.14781.
  33. Dutt, R.; Bhattacharjee, K.; Gangadharaiah, R.; Roth, D.; Rose, C. PerKGQA: Question answering over personalized knowledge graphs. In Findings of the Association for Computational Linguistics: NAACL 2022; Association for Computational Linguistics: Seattle, WA, USA, 2022; pp. 253–268.
  34. Kacupaj, E.; Plepi, J.; Singh, K.; Thakkar, H.; Lehmann, J.; Maleshkova, M. Conversational question answering over knowledge graphs with transformer and graph attention networks. arXiv 2021, arXiv:2104.01569.
  35. Mezni, H.; Benslimane, D.; Bellatreche, L. Context-aware service recommendation based on knowledge graph embedding. IEEE Trans. Knowl. Data Eng. 2021, 34, 5225–5238.
  36. Chen, S.; Liu, X.; Gao, J.; Jiao, J.; Zhang, R.; Ji, Y. Hitter: Hierarchical transformers for knowledge graph embeddings. arXiv 2020, arXiv:2008.12813.
  37. Yao, L.; Mao, C.; Luo, Y. KG-BERT: BERT for knowledge graph completion. arXiv 2019, arXiv:1909.03193.
  38. Tang, X.; Zhang, J.; Chen, B.; Yang, Y.; Chen, H.; Li, C. BERT-INT: A BERT-based interaction model for knowledge graph alignment. In Proceedings of the Twenty-Ninth International Joint Conference on Artificial Intelligence (IJCAI), Yokohama, Japan, 11–17 January 2021; pp. 3174–3180.
  39. Allodi, L.; Massacci, F. Comparing Vulnerability Severity and Exploits Using Case-Control Studies. ACM Trans. Inf. Syst. Secur. (TISSEC) 2014, 17, 1–20.
  40. Chen, X.; Xie, H.; Li, Z.; Cheng, G. Topic analysis and development in knowledge graph research: A bibliometric review on three decades. Neurocomputing 2021, 461, 497–515.
  41. Li, J.; Sun, A.X.; Han, J.L.; Li, C.L. A Survey on Deep Learning for Named Entity Recognition. IEEE Trans. Knowl. Data Eng. 2022, 34, 50–70.
  42. Bouarroudj, W.; Boufaida, Z.; Bellatreche, L. Named entity disambiguation in short texts over knowledge graphs. Knowl. Inf. Syst. 2022, 64, 325–351.
  43. Devlin, J.; Chang, M.W.; Lee, K.; Toutanova, K. BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding. arXiv 2018, arXiv:1810.04805.
  44. Lakshika, M.; Caldera, H. Knowledge Graphs Representation for Event-Related E-News Articles. Mach. Learn. Knowl. Extr. 2021, 3, 802–818.
  45. Ma, X.; Wang, Z.; Ng, P.; Nallapati, R.; Xiang, B. Universal text representation from bert: An empirical study. arXiv 2019, arXiv:1910.07973.
  46. Opdahl, A.L.; Al-Moslmi, T.; Dang-Nguyen, D.-T.; Gallofré Ocaña, M.; Tessem, B.; Verres, C. Semantic knowledge graphs for the news: A review. ACM Comput. Surv. 2022, 55, 1–38.
  47. Lan, Z.; Chen, M.; Goodman, S.; Gimpel, K.; Sharma, P.; Soricut, R. Albert: A lite bert for self-supervised learning of language representations. arXiv 2019, arXiv:1909.11942.
  48. Sun, Z.; Huang, J.; Hu, W.; Chen, M.; Guo, L.; Qu, Y. Transedge: Translating relation-contextualized embeddings for knowledge graphs. In Proceedings of the International Semantic Web Conference, Auckland, New Zealand, 26–30 October 2019; pp. 612–629.
  49. Zhang, Y.Y.; Dai, H.J.; Kozareva, Z.; Smola, A.J.; Song, L. Variational Reasoning for Question Answering with Knowledge Graph. arXiv 2017, arXiv:1709.04071.
  50. Liu, Z.; Jiang, M.; Lin, H. A graph-based spatial temporal logic for knowledge representation and automated reasoning in cognitive robots. arXiv 2020, arXiv:2001.07205.
  51. Kingma, D.P.; Ba, J. Adam: A method for stochastic optimization. arXiv 2014, arXiv:1412.6980.
Figure 1. The overall process.
Figure 2. A sample of security news data collected from The Hacker News’ website.
Figure 3. A word cloud of keywords in security news articles.
Figure 4. EdgeSecurity–BERT model.
Figure 5. Example for extracting knowledge graph entities and relationships.
Figure 6. Results of Google News-based knowledge graph expansion for “Cloud Computing”.
Figure 7. Embedding using ALBERT model for edge computing security text.
Figure 8. Knowledge inference using edge computing attack-related text and knowledge graph.
Figure 9. Classification of security news data and CVE data using Doc2Vec.
Table 1. List of security vulnerabilities in edge computing and related keywords.

| Category | Related Hacking Techniques and Key Keywords |
|---|---|
| Data Leakage | Data Sniffing; Man-in-the-Middle Attacks; Packet Capture |
| Physical Security | Physical Tampering; Hardware Hacking; Lockpicking |
| Device Authentication Management | Credential Theft; Session Hijacking; Password Cracking |
| Network Segregation and Firewalls | Port Scanning; Firewall Evasion; VPN Exploits |
| Updates and Patch Management | Exploiting Known Vulnerabilities; Zero-Day Attacks; Encryption |
| Encryption | Cryptanalysis; Key Cracking; SSL Stripping |
| DDoS Attacks | Botnets; Traffic Flooding; Amplification Attacks |
| Device Complexity | Protocol Manipulation; Firmware Hacking; Configuration Exploits |
| Vulnerabilities of Default Settings | Default Credential Exploitation; Factory Reset Attacks |
| Absence of Logging and Monitoring | Stealth Attacks; Intrusion Concealment; Log Manipulation |
Table 2. Results obtained for applying the security vulnerability similarity to security news data.

Example 1 of Security News Data
As ransomware attacks against critical infrastructure skyrocket, new research shows that threat actors behind such disruptions are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major targets. “Ransomware operators often buy access from independent cybercriminal groups who…

| CVE-ID | Document Similarity | Security Vulnerability Similarity |
|---|---|---|
| CVE-2020-6023 | 0.21358260244737504 | 263.1456 |
| CVE-2020-6022 | 0.21188648759031214 | 227.5123 |
| CVE-2020-6012 | 0.1846109167994328 | 158.6411 |
| CVE-2021-42258 | 0.17519347541004693 | 112.5398 |
| CVE-2020-28950 | 0.1750353043365507 | 102.8419 |

Example 2 of Security News Data
A new set of critical vulnerabilities has been disclosed in the Realtek RTL8170C Wi-Fi module that an adversary could abuse to gain elevated privileges on a device and hijack wireless communications. “Successful exploitation would lead to the complete control of the Wi-Fi module and potential root access on the OS (such as Linux or Android) of the embedded device that…

| CVE-ID | Document Similarity | Security Vulnerability Similarity |
|---|---|---|
| CVE-2020-25855 | 0.4746279862237799 | 186.5433 |
| CVE-2020-25856 | 0.21188648759031214 | 227.5123 |
| CVE-2021-43282 | 0.46691596828290133 | 165.8799 |
| CVE-2020-25857 | 0.462240646796948 | 121.5677 |
| CVE-2020-25854 | 0.45093828499370875 | 112.8531 |
Table 3. Results for inferring attack response methods for edge computing using knowledge graph embedding.

Inference Process: Result

Attack-related Sample Text: Attackers, aware that real-time responses and processing are crucial in edge computing environments, can exploit these vulnerabilities when network speeds decline. They can overwhelm the network with excessive traffic, leading to a denial-of-service (DoS) or distributed-denial-of-service (DDoS) attack, incapacitating network functionality. They can also conduct routing attacks by manipulating network-routing information to cause service delays. How can these attacks be defended against?

Concept Extraction: attackers; real-time responses; edge computing environments; network speeds; excessive traffic; denial of service (DoS); distributed denial of service (DDoS); network functionality; routing attacks; network-routing information; service delays

Relationship Extraction:
- Edge computing environments require real-time responses.
- Attackers exploit edge computing environments when network speeds decline.
- Attackers cause excessive traffic.
- Excessive traffic leads to DoS or DDoS.
- DoS or DDoS incapacitates network functionality.
- Attackers conduct routing attacks.
- Routing attacks manipulate network-routing information.
- Routing attacks cause service delays.

New Relationship Extraction Using Inference:
- Edge computing environments are vulnerable to attackers when network speeds decline.
- Real-time responses can be affected by service delays.
- Network functionality depends on network speeds.
- Routing attacks cause denial of service (DoS) indirectly through service delays.

Response Method Formula Generated Through Inference Results:
- IF edge computing environments are vulnerable WHEN network speeds decline THEN strengthen the security of the edge devices and network infrastructure to mitigate potential threats.
- IF real-time responses can be affected by service delays THEN optimize the network and manage traffic to minimize latency and ensure real-time responses.
- IF network functionality depends on network speeds THEN continuously monitor and manage the network performance to maintain optimal speeds and functionality.
- IF routing attacks cause denial of service (DoS) indirectly through service delays THEN implement network security solutions to detect and counteract routing manipulations.
Table 4. The prediction results of the relationship obtained using the EdgeSecurity–BERT model.

| Method | EdgeSecurityKG without Security Vulnerability Similarity Applied: MR | EdgeSecurityKG without Security Vulnerability Similarity Applied: Hits@10 | EdgeSecurityKG with Security Vulnerability Similarity Applied: MR | EdgeSecurityKG with Security Vulnerability Similarity Applied: Hits@10 |
|---|---|---|---|---|
| TransE | 512.12 | 0.491 | 614.74 | 0.514 |
| TransH | 491.08 | 0.415 | 531.67 | 0.446 |
| HolE [30] | 152.56 | 0.549 | 212.98 | 0.561 |
| ConvE [31] | 835.81 | 0.311 | 934.51 | 0.42 |
| EdgeSecurity–BERT | 323.76 | 0.674 | 451.87 | 0.783 |
MDPI and ACS Style

Kim, H.; Choi, J. Recommendations for Responding to System Security Incidents Using Knowledge Graph Embedding. Electronics 2024, 13, 171. https://doi.org/10.3390/electronics13010171
