System compromise assessment model using knowledge management elements

Authors: Zolotarev V.V., Trofimychev I.I.

Journal: Инфокоммуникационные технологии (Infocommunication Technologies) @ikt-psuti

Section: Young Scientist School

Article in issue: 1 (89), vol. 23, 2025.

Free access

In the context of the increasing number of threats and the growing complexity of attack methods, traditional approaches to ensuring information security are often not effective enough. This is due both to the limited capabilities of classical anomaly detection methods and to insufficient consideration of the context and the dynamics of change in the network environment. Consequently, developing new methods and approaches that not only detect attacks but also effectively interpret their nature, and that detect obfuscated attacks, becomes a relevant task. This article proposes a model based on an intelligent information security system that would expand the capabilities of SOAR systems: information coming from the SIEM system would be used not only to search for local vulnerabilities but also to identify the overall final goal of the attack vector, including situations involving false attacks. For this purpose, a combined approach is proposed, based on a knowledge graph model constructed by enriching the network graph with a knowledge base about the infrastructure, which would make it possible to find more complex correlations between individual incidents in the network and larger attack scenarios.


Information security, information security event, knowledge graphs, intelligent systems, incident management, vulnerability assessment

Short address: https://sciup.org/140312334

IDR: 140312334   |   UDC: 004.056   |   DOI: 10.18469/ikt.2025.23.1.12