Semantic Events

A New Linguistics-Inspired Way to Interpret and Represent Events
  • Susan Marie Thomas
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 16)


As cyber-attacks increase in frequency and sophistication, the need for intelligent automated defenses increases, but the quality of software logs available for this purpose is questionable. To address this problem a whole new approach to logging is proposed in this paper, one called semantic events. The approach developed out of an empirical, qualitative investigation of a range of logs and existing standards, and is motivated by the desire to normalize events in order to conduct broad cross-log analyses to detect security issues. A key finding is that logs are often hard to understand. An analysis of the causes of this led to the development of a linguistics-inspired event model and a method to interpret and represent logs using a kind of controlled natural language, the essence of the semantic events. They are convertible to an ontology that can be loaded into Protégé to perform reasoning and consistency checking. Crucially, they are stored in a knowledge base for re-use across logs to enable broad analyses.


Semantic event Event model Logging Security Semantics Ontology Protégé Controlled natural language 



This work was made possible by the encouragement and support of highly valued colleagues.


  1. 1.
    Oliner, A., Stearley, J.: What supercomputers say: a study of five system logs. In: 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2007, Edinburgh, pp. 575–584 (2007)Google Scholar
  2. 2.
  3. 3.
    Kent, K., Souppaya, M.: Guide to Computer Security Log Management, NIST Special Publication 800-92, p. 5 (2006)Google Scholar
  4. 4.
    Uschold, M., Gruninger, M., et al.: Ontologies: principles, methods and applications. Knowl. Eng. Rev. 11(2), 93–136 (1996)CrossRefGoogle Scholar
  5. 5.
    Bonial, C., Corvey, W., Palmer, M., Petukhova, V., Bunt, H.: A hierarchical unification of LIRICS and VerbNet semantic roles. In: Proceedings of the ICSC Workshop on Semantic Annotation for Computational Linguistic Resources (SACL-ICSC 2011), September 2011 Google Scholar
  6. 6.
  7. 7.
    Tognini-Bonelli, E.: Working with corpora: issues and insights. In: Coffin, C., et al. (eds.) Applying English Grammar. The Open University, Arnold (2004)Google Scholar
  8. 8.
    Kuhn, T.: A survey and classification of controlled natural languages. Comput. Linguist. 40(1), 121–170 (2014)CrossRefGoogle Scholar
  9. 9.
  10. 10.
    Sapegin, A., Jaeger, D., Azodi, A., Gawron, M., Cheng, F., Meinel, C.: Hierarchical object log format for normalisation of security events. In: Information Assurance and Security (IAS 2013), pp. 25–30, December 2013Google Scholar
  11. 11.
    Feiertag, R., et al.: A Common Intrusion Specification Language (CISL). DARPA, 6 May 1999.
  12. 12.
    The CEE Board: Common Event Expression. MITRE (2008).
  13. 13.
    McGuire, G., Reid, E.: The State of Security Automation Standards - 2011: A Survey. MITRE (2011).
  14. 14.
    DMTF: Cloud Audit Data Federation - OpenStack Profile: (CADF-OpenStack) A CADF Representation for OpenStack, version 1.1.0 (2015).
  15. 15.
  16. 16.

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  1. 1.SAP SE: Security ResearchKarlsruheGermany

Personalised recommendations