{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,31]],"date-time":"2025-10-31T17:04:08Z","timestamp":1761930248405,"version":"build-2065373602"},"reference-count":60,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2022,4,11]],"date-time":"2022-04-11T00:00:00Z","timestamp":1649635200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100002428","name":"FWF Austrian Science Fund","doi-asserted-by":"publisher","award":["P 30437 Einzelprojekte"],"award-info":[{"award-number":["P 30437 Einzelprojekte"]}],"id":[{"id":"10.13039\/501100002428","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["MAKE"],"abstract":"<jats:p>The integration of heterogeneous and weakly linked log data poses a major challenge in many log-analytic applications. Knowledge graphs (KGs) can facilitate such integration by providing a versatile representation that can interlink objects of interest and enrich log events with background knowledge. Furthermore, graph-pattern based query languages, such as SPARQL, can support rich log analyses by leveraging semantic relationships between objects in heterogeneous log streams. Constructing, materializing, and maintaining centralized log knowledge graphs, however, poses significant challenges. To tackle this issue, we propose VloGraph\u2014a distributed and virtualized alternative to centralized log knowledge graph construction. The proposed approach does not involve any a priori parsing, aggregation, and processing of log data, but dynamically constructs a virtual log KG from heterogeneous raw log sources across multiple hosts. To explore the feasibility of this approach, we developed a prototype and demonstrate its applicability to three scenarios. Furthermore, we evaluate the approach in various experimental settings with multiple heterogeneous log sources and machines; the encouraging results from this evaluation suggest that the approach can enable efficient graph-based ad-hoc log analyses in federated settings.<\/jats:p>","DOI":"10.3390\/make4020016","type":"journal-article","created":{"date-parts":[[2022,4,12]],"date-time":"2022-04-12T02:48:59Z","timestamp":1649731739000},"page":"371-396","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["VloGraph: A Virtual Knowledge Graph Framework for Distributed Security Log Analysis"],"prefix":"10.3390","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5353-7376","authenticated-orcid":false,"given":"Kabul","family":"Kurniawan","sequence":"first","affiliation":[{"name":"Institute for Data, Process and Knowledge Management, Vienna University of Economics and Business, 1020 Vienna, Austria"},{"name":"Research Group Multimedia Information Systems, University of Vienna, 1090 Vienna, Austria"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3682-1364","authenticated-orcid":false,"given":"Andreas","family":"Ekelhart","sequence":"additional","affiliation":[{"name":"Research Group Security and Privacy, University of Vienna, 1090 Vienna, Austria"},{"name":"SBA Research, 1040 Vienna, Austria"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7856-2113","authenticated-orcid":false,"given":"Elmar","family":"Kiesling","sequence":"additional","affiliation":[{"name":"Institute for Data, Process and Knowledge Management, Vienna University of Economics and Business, 1020 Vienna, Austria"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4743-3124","authenticated-orcid":false,"given":"Dietmar","family":"Winkler","sequence":"additional","affiliation":[{"name":"Information and Software Engineering, Vienna University of Technology, 1040 Vienna, Austria"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2998-742X","authenticated-orcid":false,"given":"Gerald","family":"Quirchmayr","sequence":"additional","affiliation":[{"name":"Research Group Multimedia Information Systems, University of Vienna, 1090 Vienna, Austria"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8295-9252","authenticated-orcid":false,"given":"A Min","family":"Tjoa","sequence":"additional","affiliation":[{"name":"Information and Software Engineering, Vienna University of Technology, 1040 Vienna, Austria"}]}],"member":"1968","published-online":{"date-parts":[[2022,4,11]]},"reference":[{"key":"ref_1","unstructured":"Chuvakin, A., Schmidt, K., and Phillips, C. (2022, February 24). Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management. Available online: https:\/\/www.perlego.com\/book\/1809940\/logging-and-log-management-the-authoritative-guide-to-understanding-the-concepts-surrounding-logging-and-log-management-pdf."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"355","DOI":"10.3390\/fi5030355","article-title":"Design and Implementation of a Hybrid Ontological-Relational Data Repository for SIEM Systems","volume":"5","author":"Kotenko","year":"2013","journal-title":"Future Internet"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1145\/2076450.2076466","article-title":"Advances and Challenges in Log Analysis","volume":"55","author":"Oliner","year":"2012","journal-title":"Commun. ACM"},{"key":"ref_4","first-page":"219","article-title":"Design and Analysis of a Dynamically Configured Log-based Distributed Security Event Detection Methodology","volume":"9","author":"Grimaila","year":"2012","journal-title":"J. Def. Model. Simul. Appl. Methodol. Technol."},{"key":"ref_5","unstructured":"Guillermo Su\u00e1rez de Tangil, E.P. (2013). Advances in Security Information Management: Perceptions and Outcomes, Nova Science Publishers, Incorporated. COMPUTER NETWORKS SERIES."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"402","DOI":"10.1109\/TR.2020.3031317","article-title":"Have it Your Way: Generating Customized Log Datasets With a Model-Driven Simulation Testbed","volume":"70","author":"Landauer","year":"2021","journal-title":"IEEE Trans. Reliab."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Kurniawan, K., Ekelhart, A., Kiesling, E., Winkler, D., Quirchmayr, G., and Tjoa, A.M. (2021, January 17\u201320). Virtual Knowledge Graphs for Federated Log Analysis. Proceedings of the 16th International Conference on Availability, Reliability and Security, Vienna, Austria.","DOI":"10.1145\/3465481.3465767"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Xiao, G., Calvanese, D., Kontchakov, R., Lembo, D., Poggi, A., Rosati, R., and Zakharyaschev, M. (2018, January 13\u201319). Ontology-Based Data Access: A Survey. Proceedings of the Twenty-Seventh International Joint Conference on Artificial Intelligence, Stockholm, Sweden.","DOI":"10.24963\/ijcai.2018\/777"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"201","DOI":"10.1162\/dint_a_00011","article-title":"Virtual Knowledge Graphs: An Overview of Systems and Use Cases","volume":"1","author":"Xiao","year":"2019","journal-title":"Data Intell."},{"key":"ref_10","unstructured":"(2022, February 24). MITRE ATT&CK Matrix. Available online: https:\/\/attack.mitre.org\/."},{"key":"ref_11","unstructured":"(2022, February 24). Syslogd-Linux Manual Page. Available online: https:\/\/linux.die.net\/man\/8\/syslogd."},{"key":"ref_12","unstructured":"(2022, February 24). Windows Event Log. Available online: https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/wes\/windows-event-log."},{"key":"ref_13","unstructured":"(2022, February 24). W3C Extended Log File Format. Available online: https:\/\/www.w3.org\/TR\/WD-logfile.html."},{"key":"ref_14","unstructured":"(2022, February 24). NGINX Logging. Available online: https:\/\/docs.nginx.com\/nginx\/admin-guide\/monitoring\/logging\/."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Zhu, J., He, S., Liu, J., He, P., Xie, Q., Zheng, Z., and Lyu, M.R. (2019, January 25\u201331). Tools and Benchmarks for Automated Log Parsing. Proceedings of the 41st International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP \u201919, Montreal, QC, Canada.","DOI":"10.1109\/ICSE-SEIP.2019.00021"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Ekelhart, A., Ekaputra, F.J., and Kiesling, E. (2021, January 24\u201328). The SLOGERT Framework for Automated Log Knowledge Graph Construction. Proceedings of the European Semantic Web Conference, Virtual.","DOI":"10.1007\/978-3-030-77385-4_38"},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"109","DOI":"10.1016\/j.procs.2018.09.011","article-title":"Taming the Logs-Vocabularies for Semantic Security Analysis","volume":"137","author":"Ekelhart","year":"2018","journal-title":"Procedia Comput. Sci."},{"key":"ref_18","unstructured":"(2022, February 24). W3C Standards. Available online: https:\/\/www.w3.org\/standards\/."},{"key":"ref_19","unstructured":"(2022, February 24). RDF 1.1 Turtle. Available online: https:\/\/www.w3.org\/TR\/turtle\/."},{"key":"ref_20","unstructured":"(2022, February 24). RDF Schema 1.1. Available online: https:\/\/www.w3.org\/TR\/rdf-schema\/."},{"key":"ref_21","unstructured":"(2022, February 24). RDF 1.1 Semantics. Available online: https:\/\/www.w3.org\/TR\/rdf11-mt\/."},{"key":"ref_22","unstructured":"(2022, February 24). OWL 2 Web Ontology Language Document Overview (Second Edition). Available online: https:\/\/www.w3.org\/TR\/owl2-overview\/."},{"key":"ref_23","unstructured":"(2022, February 24). SPARQL 1.1 Overview. Available online: https:\/\/www.w3.org\/TR\/sparql11-overview\/."},{"key":"ref_24","unstructured":"(2022, February 24). SPARQL 1.1 Federated Query. Available online: https:\/\/www.w3.org\/TR\/sparql11-federated-query\/."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"H\u00f6lbl, M., Rannenberg, K., and Welzer, T. (2020, January 21\u201323). Cross-Platform File System Activity Monitoring and Forensics\u2014A Semantic Approach. Proceedings of the ICT Systems Security and Privacy Protection, SEC 2020, IFIP Advances in Information and Communication Technology, Maribor, Slovenia.","DOI":"10.1007\/978-3-030-58201-2"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Kent, K.A., and Souppaya, M. (2006). Guide to Computer Security Log Management, National Institute of Standards and Technology. Special Publication SP 800-92.","DOI":"10.6028\/NIST.SP.800-92"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Svacina, J., Raffety, J., Woodahl, C., Stone, B., Cerny, T., Bures, M., Shin, D., Frajtak, K., and Tisnovsky, P. (2020, January 13\u201316). On Vulnerability and Security Log Analysis: A Systematic Literature Review on Recent Trends. Proceedings of the International Conference on Research in Adaptive and Convergent Systems, RACS \u201920, Gwangju, Korea.","DOI":"10.1145\/3400286.3418261"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Jose, S., Malathi, D., Reddy, B., and Jayaseeli, D. (2018). A Survey on Anomaly Based Host Intrusion Detection System, IOP Publishing. Journal of Physics: Conference Series.","DOI":"10.1088\/1742-6596\/1000\/1\/012049"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Yadav, R.B., Kumar, P.S., and Dhavale, S.V. (2020, January 4\u20135). A survey on log anomaly detection using deep learning. Proceedings of the 2020 8th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO), Noida, India.","DOI":"10.1109\/ICRITO48877.2020.9197818"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Landauer, M., Skopik, F., Wurzenberger, M., and Rauber, A. (2020). System log clustering approaches for cyber security applications: A survey. Comput. Secur., 92.","DOI":"10.1016\/j.cose.2020.101739"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Sabahi, F., and Movaghar, A. (2008, January 16\u201320). Intrusion Detection: A Survey. Proceedings of the 2008 Third International Conference on Systems and Networks Communications, Lisbon, Portugal.","DOI":"10.1109\/ICSNC.2008.44"},{"key":"ref_32","unstructured":"(2022, February 24). NIST Cybersecurity Framework, Available online: https:\/\/www.nist.gov\/cyberframework."},{"key":"ref_33","unstructured":"(2022, February 24). NIST SP 800-92 Guide to Computer Security Log Management, Available online: https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-92\/final."},{"key":"ref_34","unstructured":"(2022, February 24). Gartner Magic Quadrant for SIEM. Available online: https:\/\/www.gartner.com\/en\/documents\/4003080."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"181","DOI":"10.1007\/978-3-642-33704-8_16","article-title":"Model-Based Security Event Management","volume":"Volume 7531","author":"Rieke","year":"2012","journal-title":"Computer Network Security"},{"key":"ref_36","unstructured":"(2022, February 24). CVE - Common Vulnerabilities and Exposures. Available online: https:\/\/cve.mitre.org\/\/."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Diederichsen, L., Choo, K.K.R., and Le-Khac, N.A. (2019, January 15\u201318). A graph database-based approach to analyze network log files. Proceedings of the International Conference on Network and System Security, Sapporo, Japan.","DOI":"10.1007\/978-3-030-36938-5_4"},{"key":"ref_38","first-page":"117","article-title":"Chapter 4\u2014 CyGraph: Graph-Based Analytics and Visualization for Cybersecurity","volume":"Volume 35","author":"Gudivada","year":"2016","journal-title":"Cognitive Computing: Theory and Applications"},{"key":"ref_39","unstructured":"do Nascimento, C.H., Assad, R.E., L\u00f3scio, B.F., and Meira, S.R.L. (2010, January 25\u201326). Ontolog: A security log analyses tool using web semantic and ontology. Proceedings of the 2nd OWASP Ibero-American Web Applications Security Conference, Lisbon, Portugal."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Nimbalkar, P., Mulwad, V., Puranik, N., Joshi, A., and Finin, T. (2016, January 28\u201330). Semantic Interpretation of Structured Log Files. Proceedings of the 2016 IEEE 17th International Conference on Information Reuse and Integration (IRI), Pittsburgh, PA, USA.","DOI":"10.1109\/IRI.2016.81"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1016\/j.procs.2016.04.109","article-title":"Toward an Efficient Ontology-Based Event Correlation in SIEM","volume":"83","author":"Kenaza","year":"2016","journal-title":"Procedia Comput. Sci."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Wang, F., Bundy, A., Li, X., Zhu, R., Nuamah, K., Xu, L., Mauceri, S., and Pan, J.Z. (2021, January 6\u20138). LEKG: A System for Constructing Knowledge Graphs from Log Extraction. Proceedings of the 10th International Joint Conference on Knowledge Graphs, IJCKG\u201921, Virtual.","DOI":"10.1145\/3502223.3502250"},{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Calvanese, D., Kalayci, T.E., Montali, M., and Santoso, A. (2017). OBDA for Log Extraction in Process Mining. Reasoning Web, Semantic Interoperability on the Web, Proceedings of the 13th International Summer School 2017, London, UK, 7\u201311 July 2017, Springer International Publishing. Tutorial Lectures.","DOI":"10.1007\/978-3-319-61033-7_9"},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"114","DOI":"10.1007\/3-540-45861-1_10","article-title":"Decentralized Event Correlation for Intrusion Detection","volume":"Volume 2288","author":"Goos","year":"2002","journal-title":"Information Security and Cryptology\u2014ICISC 2001"},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Xiaokui, S., Smiy, J., Danfeng, Y., and Heshan, L. (2013). Massive Distributed and Parallel Log Analysis for Organizational Security, IEEE.","DOI":"10.1109\/GLOCOMW.2013.6824985"},{"key":"ref_46","unstructured":"(2022, February 24). Resource Description Framework (RDF). Available online: https:\/\/www.w3.org\/RDF\/."},{"key":"ref_47","first-page":"778","article-title":"SPARQL 1.1 query language","volume":"21","author":"Harris","year":"2013","journal-title":"W3C Recomm."},{"key":"ref_48","unstructured":"(2022, February 24). SEPSES Corelog. Available online: https:\/\/w3id.org\/sepses\/vocab\/log\/core\/."},{"key":"ref_49","doi-asserted-by":"crossref","first-page":"22","DOI":"10.1016\/j.websem.2013.01.002","article-title":"Binary RDF Representation for Publication and Exchange (HDT)","volume":"19","author":"Polleres","year":"2013","journal-title":"Web Semant. Sci. Serv. Agents World Wide Web"},{"key":"ref_50","unstructured":"(2022, February 24). SEPSES CSKG-SPARQL Endpoint. Available online: https:\/\/w3id.org\/sepses\/sparql."},{"key":"ref_51","unstructured":"(2022, February 24). SPARQL Query Forms. Available online: https:\/\/www.w3.org\/TR\/sparql11-query\/#QueryForms."},{"key":"ref_52","unstructured":"(2022, February 24). CARML A Pretty Sweet RML Engine. Available online: https:\/\/github.com\/carml\/carml."},{"key":"ref_53","unstructured":"Dimou, A., Vander Sande, M., Colpaert, P., Verborgh, R., Mannens, E., and Walle, R. (2022, February 24). A generic language for integrated RDF mappings of heterogeneous data. Ldow. 2014. Available online: https:\/\/openreview.net\/pdf?id=S14jNMWd-H."},{"key":"ref_54","doi-asserted-by":"crossref","first-page":"239","DOI":"10.1007\/978-3-030-00668-6_15","article-title":"Comunica: A Modular SPARQL Query Engine for the Web","volume":"Volume 11137","author":"Taelman","year":"2018","journal-title":"The Semantic Web\u2014ISWC 2018"},{"key":"ref_55","unstructured":"(2022, February 24). Sigma-Generic Signature Format for SIEM Systems. Available online: https:\/\/github.com\/SigmaHQ\/sigma."},{"key":"ref_56","first-page":"5","article-title":"An ATT&CK-KG for Linking Cybersecurity Attacks to Adversary Tactics and Techniques","volume":"2021","author":"Kurniawan","year":"2021","journal-title":"Semant. Web ISWC"},{"key":"ref_57","unstructured":"(2022, February 24). CAPEC-Common Attack Pattern Enumerations and Classifications. Available online: https:\/\/capec.mitre.org\/."},{"key":"ref_58","unstructured":"(2022, February 24). SPARQL-Club Companies Seeking SPARQL Talent. Available online: http:\/\/sparql.club."},{"key":"ref_59","doi-asserted-by":"crossref","unstructured":"Haag, F., Lohmann, S., Bold, S., and Ertl, T. (2016, January 7\u201310). Visual SPARQL querying based on extended filter\/flow graphs. Proceedings of the 2014 International Working Conference on Advanced Visual Interfaces\u2014AVI \u201914, Bari, Italy.","DOI":"10.1145\/2598153.2598185"},{"key":"ref_60","doi-asserted-by":"crossref","unstructured":"Vargas, H., Buil-Aranda, C., Hogan, A., and Lopez, C. (2019). RDF Explorer: A Visual Query Builder for Semantic Web Knowledge Graphs, Creative Commons.","DOI":"10.1007\/978-3-030-30793-6_37"}],"container-title":["Machine Learning and Knowledge Extraction"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2504-4990\/4\/2\/16\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T22:51:48Z","timestamp":1760136708000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2504-4990\/4\/2\/16"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,11]]},"references-count":60,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2022,6]]}},"alternative-id":["make4020016"],"URL":"https:\/\/doi.org\/10.3390\/make4020016","relation":{},"ISSN":["2504-4990"],"issn-type":[{"type":"electronic","value":"2504-4990"}],"subject":[],"published":{"date-parts":[[2022,4,11]]}}}