Cyber Defense and Situational Awareness, pp 167-199
Inference and Ontologies
Abstract
The importance of visualization—discussed in the previous chapter—does not diminish the critical role that algorithmic analysis plays in achieving CSA. Algorithms reason about the voluminous observations and data about the network and infer important features of the situation that help analysts and decision-makers form their situational awareness. In order to perform this inference, and to make its output useful to other algorithms and to human users, an algorithm needs to have its inputs and outputs represented in a consistent vocabulary of well-specified terms and their relations, i.e., it needs an ontology with a clear semantics and a standard. This topic is the focus of the present chapter. We already touched on the importance of semantics in the Cognition and Technology chapter. Now we discuss in detail how, in cyber operations, inference based on an ontology can be used to determine the threat actor, the target and the purpose, and from these the potential courses of action and future impact. Since a comprehensive ontology for cyber security does not exist, we show how such an ontology can be developed by taking advantage of existing cyber security related standards and markup languages.
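The abstract describes two ideas that are easier to see in running code: an inference engine that derives unstated facts about an observed event from a shared ontology, and an ontology whose classes are aligned with existing security standards (vulnerability, weakness and attack-pattern enumerations). The following is an added example written for this page, not code from the chapter or its authors. It implements a small forward-chaining engine over RDF-style triples with a subset of the RDFS entailment rules plus one OWL-2-style property chain; the `sa:`/`ex:` vocabulary, the sample alerts and every `*-PLACEHOLDER` identifier are constructed for illustration and are not real CVE, CWE or CAPEC entries.

```python
"""Ontology-based inference over observed cyber events (added example).

Constructed vocabulary: 'sa:' is a hypothetical situational-awareness
ontology, 'ex:' holds constructed observations. No identifier here is a
real CVE/CWE/CAPEC entry; the *-PLACEHOLDER names mark where real
standard identifiers would be linked in.
"""

RDF_TYPE = "rdf:type"
SUBCLASS = "rdfs:subClassOf"
SUBPROP = "rdfs:subPropertyOf"
DOMAIN = "rdfs:domain"
RANGE = "rdfs:range"

# T-box: class hierarchy and property declarations. The Vulnerability /
# Weakness / AttackPattern split mirrors how a cyber ontology can be
# assembled from existing enumerations (CVE-like, CWE-like, CAPEC-like).
ONTOLOGY = {
    ("sa:PortScan", SUBCLASS, "sa:Reconnaissance"),
    ("sa:Reconnaissance", SUBCLASS, "sa:AttackStep"),
    ("sa:ExploitAttempt", SUBCLASS, "sa:AttackStep"),
    ("sa:AttackStep", SUBCLASS, "sa:Event"),
    ("sa:exploits", DOMAIN, "sa:ExploitAttempt"),
    ("sa:exploits", RANGE, "sa:Vulnerability"),
    ("sa:instanceOfWeakness", DOMAIN, "sa:Vulnerability"),
    ("sa:instanceOfWeakness", RANGE, "sa:Weakness"),
    ("sa:enablesPattern", RANGE, "sa:AttackPattern"),
    ("sa:targetsHost", SUBPROP, "sa:targets"),
}

# A-box: constructed observations, e.g. normalised sensor alerts.
FACTS = {
    ("ex:alert-42", "sa:exploits", "ex:vuln-PLACEHOLDER"),
    ("ex:vuln-PLACEHOLDER", "sa:instanceOfWeakness", "ex:weakness-PLACEHOLDER"),
    ("ex:weakness-PLACEHOLDER", "sa:enablesPattern", "ex:pattern-PLACEHOLDER"),
    ("ex:alert-42", "sa:targetsHost", "ex:host-db01"),
    ("ex:alert-7", RDF_TYPE, "sa:PortScan"),
}


def rdfs_closure(triples):
    """Forward-chain to a fixpoint under a subset of RDFS rules plus one
    property-chain rule (exploits o instanceOfWeakness o enablesPattern
    implies usesPattern)."""
    kb = set(triples)
    while True:
        by_pred = {}
        for s, p, o in kb:
            by_pred.setdefault(p, set()).add((s, o))
        sub = by_pred.get(SUBCLASS, set())
        new = set()
        # rdfs11: subClassOf is transitive
        for a, b in sub:
            for c, d in sub:
                if b == c:
                    new.add((a, SUBCLASS, d))
        # rdfs9: instances inherit superclass membership
        for x, a in by_pred.get(RDF_TYPE, set()):
            for c, d in sub:
                if c == a:
                    new.add((x, RDF_TYPE, d))
        # rdfs7: subPropertyOf propagates statements to the super-property
        for p, q in by_pred.get(SUBPROP, set()):
            for x, y in by_pred.get(p, set()):
                new.add((x, q, y))
        # rdfs2 / rdfs3: domain and range type the subject / object
        for p, c in by_pred.get(DOMAIN, set()):
            for x, _ in by_pred.get(p, set()):
                new.add((x, RDF_TYPE, c))
        for p, c in by_pred.get(RANGE, set()):
            for _, y in by_pred.get(p, set()):
                new.add((y, RDF_TYPE, c))
        # Property chain: an event that exploits a vulnerability whose
        # weakness enables a pattern is inferred to use that pattern.
        for e, v in by_pred.get("sa:exploits", set()):
            for v2, w in by_pred.get("sa:instanceOfWeakness", set()):
                if v2 != v:
                    continue
                for w2, pat in by_pred.get("sa:enablesPattern", set()):
                    if w2 == w:
                        new.add((e, "sa:usesPattern", pat))
        if new <= kb:          # fixpoint reached: nothing new was derived
            return kb
        kb |= new


def infer_situation(kb, event):
    """Summarise what the closed knowledge base states about one event."""
    return {
        "types": {o for s, p, o in kb if s == event and p == RDF_TYPE},
        "targets": {o for s, p, o in kb if s == event and p == "sa:targets"},
        "patterns": {o for s, p, o in kb if s == event and p == "sa:usesPattern"},
    }


if __name__ == "__main__":
    closed = rdfs_closure(ONTOLOGY | FACTS)
    for ev in ("ex:alert-42", "ex:alert-7"):
        print(ev, infer_situation(closed, ev))
```

Note that `ex:alert-42` is never explicitly typed: its classification as an `sa:ExploitAttempt`, `sa:AttackStep` and `sa:Event`, its generic `sa:targets` relation and the attack pattern it uses are all derived from the ontology, which is the point the abstract makes about consistent vocabularies letting algorithms and analysts share inferred conclusions. A production system would use an OWL reasoner or triple store for this; the hand-written rule loop is only to make the entailments visible.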
Keywords
Intrusion Detection; Situational Awareness; Formal Semantic; Inference Engine; Model Driven Architecture