Why We Love Semantics in IT Security (And You Should, Too!)
Posted on Wednesday, February 24th, 2016 by


What do we mean by Semantics?


Semantics is the study of meaning that is used for understanding human expression through language. It focuses on the relation between signifiers such as words, phrases, signs and symbols and what they stand for.

In IT security, when we refer to semantics, we usually mean “Semantic Event Correlation”.

You have surely noticed these terms in the company brochures you received by email last week. While scrolling down the PDF, you could not avoid reading them in bold text, titles and other emphasized places spread across the document. They were probably preceded by the terms “Machine Learning” (ML) or “Big Data”. Same page, different paragraph.

We have heard many discussions about these subjects. They recently became buzzwords because any occasion seems good enough to mention them (e.g. describing the value of a new application or emphasizing the scope of an upcoming feature).


A step back

With these terms being so overused, employees and managers stop believing in them, simply because, at the end of the day, when trying these features out, nobody clearly sees how they can help.

This often happens because people’s expectations are bigger than the real advantages that these tools can bring. When it comes to data protection and network monitoring, people tend to think that these tools could completely replace Information Security Analysts and take care of all the proper and intuitive consideration needed to solve an investigation.

Well, this is not the case.


What can ML and Semantics do?

In general, these tools should not replace human analysis but rather allow security experts to avoid spending too much time on repetitive or trivial tasks and to focus on compelling analysis. The best thing to do, then, is to identify what can be automated in the monitoring analysis process and think about the algorithm that could best help in this regard.

We know that many of the most successful Advanced Persistent Threat (APT) attacks [1] happen after months of patient data gathering and learning before, during and after infiltrating a network.

To discover these attacks, we need machine learning algorithms that look for anomalies over a long period of time and, after that, ways to relate all the logs that might be generated on the machines involved in those attacks.


Using Machine Learning without spending too much time/resources

Well, that is why we love semantics!

Thanks to semantics, we can in fact identify relationships among unstructured and unmapped elements representing security-related events. Thus, we can understand the context in which a log fits by relating it to known descriptions of attack patterns or specific attack steps. Semantics saves large amounts of time that analysts would otherwise waste on repetitive tasks.


Here is an example of the phases used in semantics to process text:

[Figure: Above Security, phases used in semantics (IT security)]


Ultimately, semantics helps index security-related logs in order to highlight pieces of information that do not necessarily share content with intelligence feeds but are important for discovering actions that could clearly show the hackers’ intent.
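The matching described above, as an added example that is not part of the original post: log lines are related to short attack-step descriptions even though none of them contains an indicator from the intelligence feed. It uses TF-IDF cosine similarity as a simple lexical stand-in for semantic matching; the step names, descriptions, log lines, feed entries and threshold are all constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed attack-step descriptions, log lines and intel feed (illustrative only).
ATTACK_STEPS = {
    "credential-guessing": "repeated failed login password attempts against user account authentication",
    "internal-scanning": "host scanning connection attempts to many ports on internal network hosts",
    "data-staging": "large archive file created compressed copied to temporary directory before outbound transfer",
}
LOGS = [
    "sshd: failed password for invalid user admin from 10.0.4.17 port 51122",
    "fw: denied connection attempts from 10.0.4.17 to 10.0.9.0/24 ports 22,445,3389",
    "audit: user backup created compressed archive /tmp/fin.tar.gz size 4.1G",
    "cron: daily logrotate finished",
]
INTEL_FEED = {"203.0.113.50", "bad.example.net"}
STOPWORDS = {"for", "from", "to", "of", "on", "the", "a", "before", "against", "many"}

def tokens(text):
    """Lower-case, keep alphabetic words, drop stopwords, strip a plural 's'."""
    words = re.findall(r"[a-z]+", text.lower())
    return [w[:-1] if w.endswith("s") and len(w) > 3 else w
            for w in words if w not in STOPWORDS]

# Term counts per attack step and document frequency across all steps.
_DOCS = {name: Counter(tokens(desc)) for name, desc in ATTACK_STEPS.items()}
_DF = Counter(t for doc in _DOCS.values() for t in doc)

def weigh(tf):
    """TF-IDF weights with smoothed IDF; terms unseen in any step get the highest IDF."""
    n = len(_DOCS)
    return {t: c * (math.log((1 + n) / (1 + _DF[t])) + 1.0) for t, c in tf.items()}

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def classify(log, threshold=0.15):
    """Return (best attack step or None, score, intel-feed hit?) for one log line."""
    vec = weigh(Counter(tokens(log)))
    step, score = max(((n, cosine(vec, weigh(d))) for n, d in _DOCS.items()),
                      key=lambda pair: pair[1])
    feed_hit = any(ioc in log for ioc in INTEL_FEED)
    return (step if score >= threshold else None, round(score, 3), feed_hit)

if __name__ == "__main__":
    for line in LOGS:
        print(classify(line), line)
```

The first three log lines map to an attack step with no feed hit, while the routine cron line stays unlabelled.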


Now, are you starting to love semantics? Do you want to know more?

Feel free to comment on this article by using the best keywords to identify and label the topic you would like me to address. I will cluster them and provide you with the proper answers.



Nicandro Scarabeo
About author:
In his position as Senior Product Manager at Hitachi Systems Security, Nicandro Scarabeo has initiated and consolidated collaborations with universities from Italy, France and Canada. Having joined Above Security in 2010, he currently leads the company’s research unit with the goal of applying methods to correlate primary sensor security data, extracting knowledge from high volumes of security-related data, introducing new sources of information for security analysis purposes and identifying methods to evaluate the performance of the system. Nicandro Scarabeo completed his Ph.D. at the University of Cassino and Southern Lazio, Italy, in the Department of Electrical and Information Engineering in March 2016. He obtained his Master’s degree from the Mobile Communication Engineering Department at Aalborg University, Denmark.
