Inference and Ontologies

  • Brian E. Ulicny
  • Jakub J. Moskal
  • Mieczyslaw M. Kokar
  • Keith Abe
  • John Kei Smith
Part of the Advances in Information Security book series (ADIS, volume 62)


The importance of visualization—discussed in the previous chapter—does not diminish the critical role that algorithmic analysis plays in achieving CSA. Algorithms reason about the voluminous observations and data about the network and infer important features of the situation that help analysts and decision-makers form their situational awareness. In order to perform this inference, and to make its output useful to other algorithms and human users, an algorithm needs to have its inputs and outputs represented in a consistent vocabulary of well-specified terms and their relations, i.e., it needs an ontology with a clear semantics and a standard. This topic is the focus of the present chapter. We already touched on the importance of semantics in the Cognition and Technology chapter. Now we discuss in detail how, in cyber operations, inference based on ontology can be used to determine the threat actor, the target and purpose in order to determine potential courses of action and future impact. Since a comprehensive ontology for cyber security does not exist, we show how such an ontology can be developed by taking advantage of existing cyber security related standards and markup languages.


Intrusion Detection Situational Awareness Formal Semantic Inference Engine Model Drive Architecture 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Anagnostopoulos, E. et al. Vol. 418. Studies in Computational Intelligence. Springer Berlin Heidelberg, 2013, pp. 319–360. isbn: 978-3-642-28976-7. doi: 10 . 1007 / 978 - 3 - 642 - 28977 - 4 _ 12. url: Scholar
  2. Atkinson, S.R., Beaulne, K., Walker, D., and Hossain, L. “Cyber – Transparencies, Assurance and Deterrence”, International Conference on Cyber Security, 2012Google Scholar
  3. Baader, F., McGuinness, D. L., Nardi, D., and Patel-Schneider, P. F. (Eds.). (2010) The Description Logic Handbook: Theory, Implementation and Applications. Cambridge University Press.Google Scholar
  4. Barwise, J., Perry, J. (1983) Situations and Attitudes. Cambridge, MA: MIT Press.Google Scholar
  5. Bedini, I. et al. “Transforming XML Schema to OWL Using Patterns”. In: Semantic Computing (ICSC), 2011 Fifth IEEE International Conference on. 2011a, pp. 102–109. doi:  10.1109/ICSC.2011.77
  6. Bedini, I., Matheus, C., Patel-Schneider, P. F., and Boran, A. Transforming XML Schema to OWL Using Patterns. ICSC '11 Proceedings of the 2011 IEEE Fifth International Conference on Semantic Computing, Pages 102-109, 2011b.Google Scholar
  7. Bikakis, N. et al. “The XML and Semantic Web Worlds: Technologies, Interoperability and Integration: A Survey of the State of the Art”. In: Semantic Hyper/Multimedia Adaptation. Ed. by IoannisGoogle Scholar
  8. Bohring, H., and Auer, S. “Mapping XML to OWL Ontologies.” In: Leipziger Informatik-Tage 72 (2005), pp. 147–156.Google Scholar
  9. Bouet, M., and Israel, M. “INSPIRE Ontology Handler: automatically building and managing a knowledge base for Critical Information Infrastructure Protection”, 12th IFIP/IEEE IM, 2011.Google Scholar
  10. Boyd, J. A discourse on winning and losing. Technical report, Maxwell AFB, 1987.Google Scholar
  11. Bradshaw, J. M., Carvalho, M., Bunch, L., Eskridge, T., Feltovich, P. J., Johnson, M., and Kidwell, D. “Sol: An Agent-Based Framework for Cyber Situation Awareness”, Kunstl Intell, 26:127–140, 2012.CrossRefGoogle Scholar
  12. Brank, J., Grobelnik, M., and Mladenic, D. A survey of ontology evaluation techniques. In In Proceedings of the Conference on Data Mining and Data Warehouses (SiKDD 2005)Google Scholar
  13. CAPEC – Common Attack Pattern Enumeration and Characterization.
  14. Caton, J. L. “Beyond Domains, Beyond Commons: Context and Theory of Conflict in Cyberspace”, 4th International Conference on Cyber Conflict, 2012.Google Scholar
  15. CCE – Common Configuration Enumeration: Unique Identifiers for Common System Configuration Issues. [Online]
  16. Chen, H., and Joshi, A. The SOUPA Ontology for Pervasive Computing. Birkhauser Publishing Ltd., April 2004Google Scholar
  17. Common Vulnerability Scoring System (CVSS-SIG). [Online]
  18. CPE – Common Platform Enumeration. [Online]
  19. CVE – Common Vulnerabilities and Exposures. [Online]
  20. CWE – Common Weakness Enumeration. National Vulnerability Database,
  21. CWE – Common Weakness Enumeration.
  22. CybOX – Cyber Observable eXpression.
  23. D’Amico, A., Buchanan, L., Goodall, J., and Walczak, P. “Mission Impact of Cyber Events: Scenarios and Ontology to Express the Relationships between Cyber Assets, Missions and Users”, International Conference on i-Warfare and Security (ICIW), The Air Force Institute of Technology, Wright-Patterson Air Force Base, Ohio, USA, 2010.Google Scholar
  24. de Barros Barreto, A., Costa, P. C. G., and Yano, E. T. Using a Semantic Approach to Cyber Impact Assessment. STIDS, 2013.Google Scholar
  25. Doerr, M., Ore, C.-E., and Stead, S. The CIDOC conceptual reference model: a new standard for knowledge sharing. In Conceptual modeling, pages 51–56. Australian Computer Society, Inc., 2007. ISBN 978-1-920682-64-4.Google Scholar
  26. Dumontier, M. SemanticScience wiki: ODPMereotopology. Updated Nov 27, 2013.
  27. Endsley, M. (1995). “Toward a theory of situation awareness in dynamic systems”. Human Factors 37(1), 32-64.CrossRefGoogle Scholar
  28. Fenza, G., Furno, D., Loia, V., and Veniero, M. “Agent-based Cognitive approach to Airport Security Situation Awareness”, International Conference on Complex, Intelligent and Software Intensive Systems, 2010.Google Scholar
  29. Ferdinand, M., Zirpins, C., and Trastour, D. “Lifting XML Schema to OWL”. In: Web Engineering. Ed. by Nora Koch, Piero Fraternali, and Martin Wirsing. Vol. 3140. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2004, pp. 354–358. isbn: 978-3-540-22511-9. doi: 10. 1007/978-3-540-27834-4_44. Scholar
  30. Francois, A. R. J., Nevatia, R., Hobbs, J., and Bolles, R. C. VERL: An ontology framework for representing and annotating video events. IEEE MultiMedia, 12(4), 2005.Google Scholar
  31. GeoNames Ontology – Geo Semantic Web.
  32. Goodall, J. R., D’Amico, A., and Kopylec, J. K. “Camus: Automatically Mapping Cyber Assetts to Missions and Users”, IEEE Military Communications Conference, MILCOM 2009, pp.1-7, 2009.Google Scholar
  33. Gruber, T. Ontology. In Ling Liu and M. Tamer Ozsu, editors, The Encyclopedia of Database Systems, pages 1963–1965. Springer, 2009.Google Scholar
  34. Herzog, A., Shahmehri, N., and Duma, C. “An Ontology of Information Security,” IGI Global, 2007, pp. 1-23.Google Scholar
  35. Hobbs, J. R., and Pan, F. An Ontology of Time for the Semantic Web. CM Transactions on Asian Language Processing (TALIP): Special issue on Temporal Information Processing. 2004. Vol. 3, 1, pp. 66-85.Google Scholar
  36. Horrocks, I., and Sattler, U. The effect of adding complex role inclusion axioms in description logics. In Proc. of the 18th Int. Joint Conf. on Artificial Intelligence (IJCAI 2003), pages 343–348. Morgan Kaufmann, Los Altos, 2003.Google Scholar
  37. Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1, 80.Google Scholar
  38. IODEF – Cover Pages Incident Object Description and Exchange Format.
  39. IPTC International Press Telecommunications Council, London, UK. EventML, 2008.
  40. jsoup: Java HTML Parser.
  41. Kang, W., and Liang, Y. “A Security Ontology with MDA for Software Development”, International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, 2013.Google Scholar
  42. Khairkar, A. D., Kshirsagar, D., and Kumar, S. “Ontology for Detection of Web Attacks”, International Conference on Communication Systems and Network Technologies, 2013.Google Scholar
  43. Kim, H. M., Biehl, M., and Buzacott, J. A. “M-CI2: Modelling Cyber Interdependencies between Critical Infrastructures”, 3rd IEEE International Conference on Industrial Informatics (INDIN), 2005.Google Scholar
  44. Kokar, M. M., Matheus, C. J., and Baclawski, K. Ontology-based situation aware- ness. Inf. Fusion, 10(1):83–98, 2009. ISSN 1566-2535. doi: 1016/j.inffus.2007.01.004. Google Scholar
  45. Lin, F. Handbook of Knowledge Representation, chapter Situtation Calculus. El- sevier, 2008Google Scholar
  46. MAEC – Malware Attribute Enumeration and Characterization.
  47. Matheus, C. J., Kokar, M. M., and Baclawski, K. A core ontology for situation awareness; Cairns, Australia. In Information Fusion, pages 545–552, July 2003.Google Scholar
  48. Matheus, C. J., Kokar, M. M., Baclawski, K., and Letkowski, J. An application of semantic web technologies to situation awareness. In International Semantic Web Conference, volume 3729 of LNCS, pages 944–958. Springer, 2005.Google Scholar
  49. Matheus, C., Baclawski, K., and Kokar, M. (2006). BaseVISor: A Triples-Based Inference Engine Outfitted to Process RuleML and R-Entailment Rules. In Proceedings of the 2nd International Conference on Rules and Rule Languages for the Semantic Web, Athens, GA.Google Scholar
  50. McMorrow, D. Science of Cyber-Security. Technical Report, JSR-10-102, The MITRE Corporation, 2010.Google Scholar
  51. More, S., Matthews, M., Joshi, A., Finin, T. “A Knowledge-Based Approach To Intrusion Detection Modeling”, IEEE Symposium on Security and Privacy Workshops, 2012.Google Scholar
  52. Mueller, E. T. Handbook of Knowledge Representation, chapter Event Calculus. Elsevier, 2008Google Scholar
  53. Mundie, D. A., and McIntire, D. M. “The MAL: A Malware Analysis Lexicon”, Technical Note, CMU/SEI-2013-TN-010, Software Engineering Institute, 2013.Google Scholar
  54. NIST. National Vulnerability Database Version 2.2. http:// Scholar
  55. Obrst, L., Ceusters, W., Mani, I., Ray, S., and Smith, B. The evaluation of ontologies. In ChristopherJ.O. Baker and Kei-Hoi Cheung, editors, Semantic Web, pages 139–158. Springer US, 2007.Google Scholar
  56. Obrst, L., Chase, P., & Markeloff, R. (2012). Developing an ontology of the cyber security domain. Proceedings of Semantic Technologies for Intelligence, Defense, and Security (STIDS), 49-56.Google Scholar
  57. Okolica, J. S., McDonald, T., Peterson, G. L., Mills, R. F., and Haas, M. W. Developing Systems for Cyber Situational Awareness. Proceedings of the 2nd Cyberspace Research Workshop, Shreveport, Louisiana, USA, 2009.Google Scholar
  58. Oltramari, A., Lebiere, C., Vizenor, L., Zhu, W., and Dipert, R. “Towards a Cognitive System for Decision Support in Cyber Operations”, STIDS, 2013.Google Scholar
  59. OVAL – Open Vulnerability and Assessment Language. [Online]
  60. Parmelee, M. Toward an Ontology Architecture for Cyber- Security Standards. George Mason University, Fairfax, VA : Semantic Technologies for Intelligence, Defense, and Security (STIDS) 2010Google Scholar
  61. Raimond, Y., and Abdallah, S. The event ontology, October 2007.
  62. RDF: Resource Description Framework. W3C.
  63. Rodrigues, T., Rosa, P., and Cardoso, J. “Mapping XML to Existing OWL ontologies”. In: International Conference WWW/Internet. Citeseer. 2006, pp. 72–77.Google Scholar
  64. SCAP – Security Content Automation Protocol. NIST. [Online]
  65. Scherp, A., Franz, T., Saathoff, C., and Staab, S. F–a model of events based on the foundational ontology DOLCE+DnS Ultralight. In Conference on Knowledge Capture, pages 137–144, New York, NY, USA, 2009. ACM. ISBN 978-1-60558-658-8. doi: Scholar
  66. Security Intelligence. Defining APT Campaigns. SANS Digital Forensics and Incident Response,
  67. Shen, Z., Ma, K.-L., and Eliassi-Rad, T. Visual analysis of large heterogeneous social networks by semantic and structural abstraction. Visualization and Computer Graphics, IEEE Transactions on, 12(6):1427–1439, 2006.Google Scholar
  68. Sheth, A. Can Semantic Web techniques empower comprehension and projection in Cyber Situational Awareness? ARO Workshop, Fairfax, VA, 2007.Google Scholar
  69. Singhal, A., and Wijesekera, D. 2010. Ontologies for modeling enterprise level security metrics. In Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research (CSIIRW ’10), Frederick T. Sheldon, Stacy Prowell, Robert K. Abercrombie, and Axel Krings (Eds.). ACM, New York, NY, USA, Article 58, 3 pages. DOI=10.1145/1852666.1852731 Scholar
  70. Stewart, J. (2013). Chasing APT. Dell SecureWorks Counter Threat Unit™ Threat Intelligence. 23 July 2012.
  71. STIX – Structured Threat Information eXpression. “A Structured Language for Cyber Threat Intelligence Information”.
  72. Strasburg, C., Basu, S., and Wong, J. S. “S-MAIDS: A Semantic Model for Automated Tuning, Correlation, and Response Selection in Intrusion Detection Systems”, IEEE 37th Annual Computer Software and Applications Conference, 2013.Google Scholar
  73. Strassner, J., Betser, J., Ewart, R., and Belz, F. “A Semantic Architecture for Enhanced Cyber Situational Awareness”, Secure& Resilient Cyber Architectures Conference, MITRE, McLean, VA, 2010.Google Scholar
  74. Swimmer, M. Towards An Ontology of Malware Classes. January 27, 2008.
  75. The Friend of a Friend (FOAF) project.
  76. Undercoffer, J., Joshi, A., and Pinkston, J. “Modeling Computer Attacks: An Ontology for Intrusion Detection,” in Proc. 6th Int. Symposium on Recent Advances in Intrusion Detection. Springer, September 2003.Google Scholar
  77. US-CERT. (2013) Alert (TA13-309A) CryptoLocker Ransomware Infections. Original release date: November 05, 2013 | Last revised: November 18, 2013
  78. Vrandečić, D. Ontology evaluation. In Stephen Staab and Rudi Studer, editors, Handbook on Ontologies, International Handbooks on Information Systems, pages 293–313. Springer Berlin Heidelberg, 2009.Google Scholar
  79. W3C. OWL 2 Web Ontology Language Document Overview, 2009.
  80. Wali, A., Chun, S. A., and Geller, J. “A Bootstrapping Approach for Developing a Cyber-Security Ontology Using Textbook Index Terms”, International Conference on Availability, Reliability and Security, 2013.Google Scholar
  81. Wang, X. H., Zhang, D. Q., Gu, T., and Pung, H. K. Ontology based context modeling and reasoning using OWL. In Pervasive Computing and Communications Workshops, page 18, Washington, DC, USA, 2004. IEEE. ISBN 0-7695-2106-1Google Scholar
  82. Wang, X., Mamadgi, S., Thekdi, A., Kelliher, A., and Sundaram, H. Eventory – an event based media repository. In Semantic Computing, pages 95–104, Washington, DC, USA, 2007. IEEE. ISBN 0-7695-2997-6.Google Scholar
  83. Westermann, U., and Jain, R. Toward a common event model for multimedia ap- plications. IEEE MultiMedia, 14(1):19–29, 2007.CrossRefGoogle Scholar
  84. Yau, S. S., and Liu, J. Hierarchical situation modeling and reasoning for pervasive computing. In Software Technologies for Future Embedded and Ubiquitous Systems, pages 5–10, Washington, DC, USA, 2006. IEEE. ISBN 0-7695-2560-1.Google Scholar
  85. Ye, J., Coyle, L., Dobson, S., and Nixon, P. Ontology-based models in pervasive computing systems. The Knowledge Engineering Review, 22(4):315–347, 2007.Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Brian E. Ulicny
    • 1
  • Jakub J. Moskal
    • 1
  • Mieczyslaw M. Kokar
    • 2
  • Keith Abe
    • 3
  • John Kei Smith
    • 4
  1. 1.VIStology, Inc.FraminghamUSA
  2. 2.Northeastern UniversityBostonUSA
  3. 3.Referentia Systems IncorporatedHonoluluUSA
  4. 4.LiveActionPalo AltoUSA

Personalised recommendations