<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Building an Ontology of Cyber Security</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Alessandro Oltramari</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Lorrie Faith Cranor</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>CyLab, Carnegie Mellon University Pittsburgh</institution>
          ,
          <country country="US">USA</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Department of Computer Science Pennsylvania State University University Park</institution>
          ,
          <country country="US">USA</country>
        </aff>
      </contrib-group>
      <fpage>54</fpage>
      <lpage>61</lpage>
      <abstract>
        <p>Situation awareness depends on a reliable perception of the environment and comprehension of its semantic structures. In this respect, cyberspace presents a unique challenge to the situation awareness of users and analysts, since it is a unique combination of human and machine elements, whose complex interactions occur in a global communication network. Accordingly, we outline the underpinnings of an ontology of secure operations in cyberspace, presenting the ontology framework and providing two modeling examples. We make the case for adopting a rigorous semantic model of cyber security to overcome the current limits of the state of the art.</p>
      </abstract>
      <kwd-group>
        <kwd>ontology patterns</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>I. INTRODUCTION</title>
      <p>
        As disclosed by a recent report<sup>1</sup>, there were half a
billion cyber security breaches in the first semester of 2014,
matching the record set across the entire preceding year. In
general, this alarming trend should not be surprising when we
consider that the bedrock of the Internet is a technological
infrastructure built almost 35 years ago for trusted military
communications and not for data exchange in the wild (see [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ],
p.58). The picture gets even worse when considering that the
ability to grasp the risks and threats associated with computer
networks is, on average, poor: recent surveys have actually
shown that 65% of the victims of intrusion and information
theft in the private sector are notified by third parties and that
the detection process usually takes up to 13 months (e.g., see
[
        <xref ref-type="bibr" rid="ref2">2</xref>
        ], p.10).
      </p>
      <p>
        Though not exhaustive, such rough statistics at least
suggest that if the inadequacy of the technological infrastructure
is a key aspect to explain the vulnerabilities of networked
computer systems, the human factor also plays a central role.
As proposed in [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ], to improve situation awareness of users and
security operators, a shift of focus from system to environment
level is highly necessary when modeling cyber scenarios: to
this end, a full-fledged science of cyber security needs to be
founded, whose core tenet is cognizing the cyberspace as a
hybrid framework of interaction between humans and
computers, where security and privacy policies play a crucial
role. As stated by [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ], this cognizance depends on both a
reliable perception of the elements of the environment and,
most importantly for our work, on the explicit representation of
their semantics. Accordingly, the current article presents the
underpinnings of an ontology of secure cyber operations: by
      </p>
    </sec>
    <sec id="sec-2">
      <p>1 https://www.riskbasedsecurity.com/reports/2014
MidYearDataBreachQuickView.pdf</p>
      <p>
        Every science is concerned with distinct objects and strives
to build rigorous models of the phenomena involving them
[
        <xref ref-type="bibr" rid="ref6">6</xref>
        ]: accordingly, the objects of a science of cyber security
correspond to the attributes of (and the relations between)
networks of computer devices, security policies, and the tools
and techniques of cyber attack and cyber defense [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ].
Therefore, inasmuch as ontologies are formal models of a
domain, building ontologies of the aforementioned attributes
and relations is critical for the transformation of cyber security
into a science.
      </p>
      <p>
        In 2010, the DoD sponsored a study to examine the theory
and practice of cyber security, and evaluate whether there are
underlying fundamental principles that would make it possible
to adopt a more scientific approach. The study team concluded
that the most important requirement would be “the
construction of a common language and a set of basic
concepts about which the security community can develop a
shared understanding. A common language and agreed-upon
experimental protocols will facilitate the testing of hypotheses
and validation of concepts” [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ]. The need for controlled
vocabularies and ontologies to make progress toward a science
of cyber security is recognized in [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] and [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ] as well. In this
domain, ontologies would include the classification of cyber
attacks, cyber incidents, and malicious and impacted software
programs. From our point of view, where the human
component of cyber security is also essential, the analysis
needs to be expanded to the different roles that attackers,
users, defenders and policies play in the context of cyber
security, the different tasks that the members of a team are
assigned to by the team leader, and the knowledge, skills and
abilities needed to fulfill them.
      </p>
      <p>
        2 For instance, exploiting material available in this portal:
http://militaryontology.com/cyber-security-ontology.html
3 http://cra.psu.edu/
      </p>
      <p>
        There has been little work on ontologies for cyber security
and cyber warfare. Within a broader paper, there is a brief
discussion of an ontology for DDoS attacks [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ] and a general
ontology for cyber warfare is discussed in [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ]. To the best of
our knowledge, Obrst and colleagues [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] provide the most
comprehensive description of a cyber ontology architecture,
whose vision has actually inspired the work presented in this
paper (the scale of the project and its difficulties are also
discussed by Dipert in [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ]). By and large, efforts that have
been made toward developing ontologies of cyber security,
even when expressed in OWL, RDF or other XML-based
formats, typically do not utilize existing military domain or
middle-level ontologies such as UCORE-SL<sup>4</sup>. With regard to
human users and human-computer interaction, the most
important step in understanding a complex new domain
involves producing accessible terminological definitions and
classifications of entities and phenomena, as stressed in [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ].
Discussions of cyber warfare and cyber security often begin
with the difficulties created by misused terminology (such as
characterizing cyber espionage as an attack): in this regard, the
Joint Chiefs of Staff created a list of cyber term definitions that
has been further developed and improved in a classified
version<sup>5</sup>. None of these definitions, however, is structured as
an ontology. Likewise, various agencies and corporations
(NIST<sup>6</sup>, MITRE<sup>7</sup>, Verizon<sup>8</sup>) have formulated enumerations of
types of malware, vulnerabilities, and exploitations. In
particular MITRE, which has been very active in this field,
maintains two dictionaries, namely CVE (Common
Vulnerabilities and Exposures<sup>9</sup>) and CWE (Common
Weakness Enumeration<sup>10</sup>), a classification of attack patterns
(CAPEC - Common Attack Pattern Enumeration and
Classification<sup>11</sup>), and an XML-structured language to represent
cyber threat information (STIX - Structured Threat Information
Expression<sup>12</sup>). Regardless of the essential value of these
resources, without a “shared semantics” the sprawling
definitions they contain are hard to maintain and port into
machine-readable formats.
      </p>
      <p>4 http://www.slideshare.net/BarrySmith3/universal-core-semantic-layerucoresl
5 http://publicintelligence.net/dod-joint-cyber-terms/
6 http://www.nist.gov/
7 http://www.mitre.org/
8 http://www.verizon.com/
9 https://cve.mitre.org/
10 http://cwe.mitre.org/
11 https://capec.mitre.org/
12 https://stix.mitre.org/language/version1.1.1/</p>
      <p>III. A THREE-LEVEL ONTOLOGY FOR THE CYBER-SECURITY RESEARCH ALLIANCE</p>
      <p>Top-level ontologies capture generic characteristics of
world entities, such as spatial and temporal dimensions,
morphology (e.g., parts, edges, sides), qualities (e.g., color,
volume, electric charge), etc.; because of their inherent
generality, they are not suited to model contextual aspects.
Nevertheless, it’s good practice to describe the fine-grained
concepts that constitute a domain-level ontology in terms of
foundational (or top-level) categories, adding core (or
middle-level) notions to fill contingent conceptual gaps. For instance,
an ontology of mineralogy should include notions like “basaltic
rock”, “texture” and “metamorphic reaction”. In order to
describe the meaning of those specific concepts, high-level
categories such as “object”, “quality” and “process” must be
employed; the ontology should also define an intermediate
notion like “metamorphism”, which is common across domains
(biology, chemistry, computer science, architecture, etc.), to
explain how the different phases, end products, and features of
metamorphic reactions are bound together.</p>
      <p>
        Our ontology of cyber security makes no exception to the
tripartite layering described above: in particular, CRATELO is
an ontological framework constituted of a domain ontology of
cyber operations (OSCO), designed on the basis of the DOLCE top
ontology extended with a security-related middle-level
ontology (SECCO). The three levels of CRATELO
(schematized in figure 1) currently include 223 classes and 131
relationships (divided into 116 object properties and 15
datatype properties) and are encoded in OWL-DL. The
expressivity of the ontology is SRIQ, a decidable extension of
the description logic SHIN (see [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ] for more details).
      </p>
      <p>
        A. Descriptive Ontology for Linguistic and Cognitive
Engineering (DOLCE)
      </p>
      <p>
        DOLCE is part of a library of foundational ontologies for
the Semantic Web developed under the WonderWeb EU
project<sup>13</sup>. As reflected in the acronym, DOLCE holds a
cognitive bias, i.e., it aims at capturing the conceptual
primitives underlying natural language and commonsense
reasoning [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ]. In order to reduce the complexity of the
axiomatisation, in the current work we adopt
DOLCE-SPRAY<sup>14</sup>, a simplified version of DOLCE [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ].
      </p>
      <p>13 http://wonderweb.man.ac.uk/
14 Categories are indicated in small caps; relationships in italics.
Multiple individuals instantiating the same category are denoted by
adding an ‘s’ to the category name (e.g., REQUIREMENTs).
Presenting the axiomatisation of DOLCE-SPRAY is out of scope in
this paper.</p>
      <p>[Figure 2: DOLCE-SPRAY backbone taxonomy. Category labels in the figure: CONCRETE ENTITY, CONTINUANT, AGENT, PERSON, GROUP, SOCIAL GROUP, OBJECT, ARTIFACT, NATURAL ENTITY, SUBSTANCE, TEMPORAL LOCATION, SPATIAL LOCATION, COMPOSITE QUALITY, ABSTRACT ENTITY, PHYSICAL QUALITY, OCCURRENT, PROCESS, ACTION, STATE, ABSTRACT QUALITY, INFORMATION, CHARACTERIZATION, ROLE, PLAN, POLICY, TASK, REQUIREMENT.]</p>
      <p>
        The root of the hierarchy of DOLCE-SPRAY is ENTITY,
which is defined as the class of anything that is identifiable as
an object of experience or thought. The first relevant
distinction is between CONCRETE ENTITY, whose instances
are located in definite spatiotemporal regions, and ABSTRACT
ENTITY, whose instances don’t have inherent spatiotemporal
dimensions. CONCRETE ENTITY is further divided into
CONTINUANT, OCCURRENT, and QUALITY, respectively entities
with inherent spatial parts (e.g., artifacts, animals, substances),
entities with inherent temporal parts (e.g., events, actions,
states) and entities whose existence depends on their host (for
instance ‘the color of a flower’, ‘the duration of a football
game’, ‘the area of a construction site’, etc.). DOLCE’s basic
ontological distinctions are maintained in DOLCE-SPRAY:
the substantial differences come from a) merging the ABSTRACT
and NON–PHYSICAL–ENDURANT categories into
DOLCE-SPRAY’s ABSTRACT ENTITY and b) breaking the class
QUALITY into PHYSICAL QUALITY and ABSTRACT QUALITY,
moving the latter under the branch ABSTRACT ENTITY.
Accordingly, the class ABSTRACT QUALITY designates the
qualities that don’t have any defining spatiotemporal
dimension, such as the price of goods, the usefulness of a
service, etc. A sibling of ABSTRACT QUALITY under the
ABSTRACT ENTITY branch, INFORMATION refers to any content
that can be conveyed by some physical OBJECT, from the
metal boards used for road signs to the memory location of a
Python script. CHARACTERIZATION is defined as a mapping of
n-tuples of individuals to truth-values. Individuals belonging to
CHARACTERIZATION can be regarded as ‘reified concepts’
(e.g., ‘manufactured object’), and the irreflexive,
antisymmetric relation characterizes associates them with the
objects they denote (‘a collection of vintage shoes’). Among
the relevant sub-types of CHARACTERIZATION we can find:
ROLE, i.e., the classification of an entity according to a given
context or perspective (e.g., ‘instructor’); PLAN, namely the
generic description of an action (such as ‘the disassembly of a
9mm’); TASK, that is a representation of the specific steps that
are needed to execute an ACTION according to a PLAN (e.g.,
‘removing the magazine’, ‘pull back the slide’);
REQUIREMENT, whose instances can be seen as the conditions
that need to be satisfied as part of a PLAN (e.g., ‘the weapon
must be clear before proceeding’). A specific sub-class of
PLAN is POLICY, whose instances need to satisfy specific
REQUIREMENTs adopted or proposed by some SOCIAL GROUP
(e.g., a government, a party, a non-profit association, a private
company, etc.). In general, the branch of DOLCE-SPRAY
rooted in CHARACTERIZATION distills the extensions
introduced in [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ]. An overview of DOLCE-SPRAY backbone
taxonomy is represented in Figure 2.
      </p>
      <p>B. Security Core Ontology (SECCO)</p>
      <p>This section outlines a set of security concepts based on
DOLCE-SPRAY primitives.</p>
      <p>An entity is a THREAT φ for an ASSET α valued by a
STAKEHOLDER σ and protected by a DEFENDER δ, if and only
if φ is used by an ATTACKER κ to exploit a VULNERABILITY ϖ
of α in an OFFENSIVE_OPERATION το. To prevent το, a
specific collection of SECURITY_REQUIREMENTs υs needs to be
satisfied by a SECURITY_POLICY π, enforced to protect α. But if
το strikes, δ has to promptly defend α, performing a suitable
DEFENSIVE_OPERATION δο to deploy a COUNTERMEASURE χ
for neutralizing the PAYLOAD ψ conveyed by το<sup>15</sup>. The class
OPERATION can be represented as the union of το and δο: any
OPERATION ο is carried out on the basis of a MISSION-PLAN λ
whose sequence of MISSION_TASKs ξs is executed in ο<sup>16</sup>.
Note that in order to delineate λ in a DEFENSIVE_OPERATION
δο, δ would also need to run a RISK-ASSESSMENT µ of the RISK
ρ associated with ξs (datatype properties can be used to
represent ρ as a parameterization of the expected losses,
probabilities of attack, etc.)<sup>17</sup>. The formalization below (1-30)
represents a basic alignment between SECCO and
DOLCE-SPRAY. The relations isPartOf, participates (and its inverse
hasParticipant), isQualityOf, characterizes, definedIn,
satisfies, hasRole and hasRequirement are imported from
DOLCE-SPRAY. We used self-explanatory abbreviations
(e.g., OFF_OP instead of OFFENSIVE_OPERATION) to keep the list
compact, when possible. For reasons of space, presenting a
comprehensive set of axioms for SECCO is out of scope in
this paper.</p>
      <p>
        ATTACKER<sup>18</sup> ⊑ ROLE ⊓ ∀characterizes.AGENT (1)
DEFENDER ⊑ ROLE ⊓ ∀characterizes.AGENT (2)
STAKEHOLDER ⊑ ROLE ⊓ ∀characterizes.AGENT (3)
(4)
      </p>
      <p>
        15 Both countermeasures and payloads are artifacts of some sort, e.g., an
antidote and a poison.
16 ο can be a single ACTION or a complex collection of interconnected actions.
17 Although risk assessment needs to be done preemptively, continuous
monitoring is also required for up-to-date situational awareness.
18 In our model, instances of ATTACKER, DEFENDER and STAKEHOLDER
are not equal to instances of PERSON, GROUP and, in general, AGENT. In this
perspective, ‘Alessandro’ (instance of PERSON) qua DEFENDER would
correspond to team member ‘Alpha1’ (instance of DEFENDER). Qua-entities
have been formally analyzed in [
        <xref ref-type="bibr" rid="ref33">33</xref>
        ]. Also, since in different
situations a defender may play the role of an attacker (and vice versa),
we don’t consider the two classes as disjoint.
      </p>
      <p>
        SECCO’s categories are positioned at too coarse a level of
granularity to capture the details of domain-specific scenarios:
properties like THREAT, VULNERABILITY, ATTACK,
COUNTERMEASURE, ASSET are orthogonal to different domains
and, in virtue of this, they can be predicated of a broad
spectrum of things: for instance, infections are a threat to the
human body, Stuxnet is a threat to PLCs, the impact of large
asteroids on the Earth’s surface is a threat to the survival of
organic life forms, dictatorship is a threat to civil liberties, and
so on and so forth. Though there seems to be a consensus in
the literature on the core ontological concepts of security (see
[
        <xref ref-type="bibr" rid="ref18">18</xref>
        ] and [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ]), the minimal set presented here has been
occasionally expanded along alternate directions. For instance,
Fenz and Ekelhart [
        <xref ref-type="bibr" rid="ref20">20</xref>
        ] introduce the concept of ‘control’, by
means of which stakeholders implement suitable
countermeasures to mitigate known vulnerabilities of assets20.
A ‘policy’, in this context, is defined as a regulatory or
organizational form of control (SECCO definition of POLICY is
more functionality-centered). Fenz and Ekelhart [
        <xref ref-type="bibr" rid="ref20">20</xref>
        ] also
outline a taxonomy of assets, distinguishing ‘tangible’ (e.g.,
‘wallet’) from ‘intangible’ ones (e.g., ‘credit card
credentials’), where the former can be furthermore split into
‘movable’ (e.g., ‘car’, ‘jewelry’) and ‘unmovable’ (e.g.,
‘house’, ‘land’). Interestingly enough, Fenz and Ekelhart reify
the procedure of assessing a risk into the concept of ‘rating’,
whose attributes can be expressed qualitatively (e.g., in Likert
scale – high, medium and low) or quantitatively (measuring
the probability of a risk). Avižienis and colleagues present a
comprehensive analysis of security where the notion of ‘fault’
is introduced to denote an interruption of the services
delivered by a given system in the environment [
        <xref ref-type="bibr" rid="ref21">21</xref>
        ]. A
middle-level ontology of security can be possibly extended
beyond SECCO: in this respect, the key contribution of this
module doesn’t rely on the coverage (or ‘concept density’ –
see [
        <xref ref-type="bibr" rid="ref22">22</xref>
        ], p. 187) of security primitives but on the
formalization driven by a top-level ontology. Our approach
has some similarities with the effort described in [
        <xref ref-type="bibr" rid="ref23">23</xref>
        ], though
Massacci and colleagues were principally concerned with the
ontological analysis of a specific software development
methodology, Secure Tropos.
      </p>
      <p>
        19 Note that δ and σ may or may not coincide: in the second case, the latter
needs to delegate the former to act on her behalf. The notion of delegation
(and trust) in agent ontologies has been extensively studied by [
        <xref ref-type="bibr" rid="ref26">26</xref>
        ], but it’s
currently not included in CRATELO, as (6) shows.
20 In cyber security, exploitations of unknown vulnerabilities correspond to
the so-called Zero-Day Attacks.
      </p>
      <p>C. Ontologies of Secure Cyber Operations (OSCO)</p>
      <p>
        One of the major cyber security problems for government
and corporations is the widespread “operational chaos”
experienced by analysts, as Michael Susong has recently
called the phenomenon of “having too many alarms (false
positives) in a network, not enough trained people to deal with
them, and a consequent poor prioritization of risks and
countermeasures”<sup>21</sup>. In this regard, the objective of an
ontology of cyber security is to shape that chaos into a
framework of meaningful and reusable chunks of knowledge,
turning the operational disarray into a systematic model by
means of which cyber analysts can improve their situation
awareness. As mentioned in section 1, the key to this
augmented cognizance relies on a consistent assessment of the
context and on a comprehensive understanding of its elements
at the semantic level. But how is a cyber operation usually
defined? In a document released in 2010, the Joint Chiefs of
Staff describes a “cyberspace operation” as the “employment
of cyber capabilities where the primary purpose is to achieve
objectives in or through cyberspace. Such operations include
computer network operations and activities to operate and
defend the Global Information Grid” [
        <xref ref-type="bibr" rid="ref24">24</xref>
        ]. Drawing on this
broad definition and relying on DOLCE-SPRAY and SECCO,
in OSCO we represent a CYBER_OPERATION ψ as an
OPERATION executed by a CYBER_OPERATOR ϕ, who can play
either the role of DEFENDER in a
DEFENSIVE_CYBER_OPERATION or the role of ATTACKER in an
OFFENSIVE_CYBER_OPERATION. In the context of cyber security we can also
distinguish between those OFFENSIVE_CYBER_OPERATIONs
whose MISSION-PLANs satisfy the OFFENSIVE_REQUIREMENT of
remaining undetected, and those that don’t: we use the class
CYBER_EXPLOITATION to denote the former, and
CYBERATTACK for the latter. As Lin points out in [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ], from a
technical viewpoint cyber-attacks and cyber exploitations are
very similar: they use the same access paths and focus on the
same vulnerabilities. The difference is in the delivery and
execution of the PAYLOAD, which must be performed
undetectably in CYBER_EXPLOITATIONs (e.g., port scanning or
SQL injections). The list of class-inclusions below (33-51)
denotes the alignment between OSCO and SECCO categories
and some specializations of OSCO domain concepts. For
reasons of space we could not include a formal
characterization of specific cyber threats and cyber
vulnerabilities (comprehensive classifications can be
consistently found in military reports, doctrines and academic
articles - see [
        <xref ref-type="bibr" rid="ref25">25</xref>
        ] [
        <xref ref-type="bibr" rid="ref26">26</xref>
        ] [
        <xref ref-type="bibr" rid="ref27">27</xref>
        ]).
(31)
(32)
Since the development of a full-scale domain ontology is
currently underway within our project, for the sake of this
article we will limit ourselves to modeling only two sample
scenarios.
      </p>
      <p>
        21 Dr. Michael Susong is an Intelligence Subject Matter Expert affiliated with
iSIGHT Partners; he gave an invited talk at Carnegie Mellon University on
September 8th, 2014.
      </p>
      <p>1) Example 1: RETRIEVE_FILE_SECURELY</p>
      <p>Figure 3 represents CRATELO’s classes and relationships
used to model the Retrieve File Securely scenario. For reasons of
visualization, the diagram covers only the most salient notions
involved in this cyber operation. In order to retrieve a file
without exposing a computer system – and possibly an entire
network – to cyber threats, some specific security requirements
need to be fulfilled while carrying out that operation. In
particular, as is also the case for other kinds of
CYBER_OPERATION, RETRIEVE-FILE-SECURELY must occur over a secure
channel of a network, from authenticated computer(s) and
through authorized server(s). By and large, abiding by these
security requirements while executing the mission-tasks
should lead to mission accomplishment. The composite
RETRIEVE-FILE-SECURELY-TASK can be further divided into
simpler temporally-structured and logically-connected
subtasks. Accordingly, a request for a file can be sent to an
authenticated server only after locating the desired file in the
network; the inspection of the file can trivially occur only once
the file has been obtained; and so on and so forth. In
CRATELO we can express these basic temporal constraints by
means of the foundational layer: in fact, DOLCE includes an
adaptation of Allen’s axioms [
        <xref ref-type="bibr" rid="ref28">28</xref>
        ], which are considered as a
powerful logical theory for temporal representation and
reasoning (the formalization of these axioms has also been
maintained in DOLCE-SPRAY). Moreover, if malware is
detected, the file must be removed from the host: the
deployment of this preventive countermeasure aims at avoiding
a disruption of the isolated computer node and a cyber attack on
the network it belongs to. This countermeasure can be
expressed as a conditional rule formalized in CRATELO by
using an additional modeling apparatus, i.e., the Semantic Web
Rule Language (SWRL)<sup>22</sup>, which extends OWL-DL axioms.
By including rule-based mechanisms in CRATELO we also
comply with the core requisites described in [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] of a
full-fledged cyber ontology architecture.
      </p>
      <p>
        As the example shows, one of the key design principles
underlying CRATELO is to separate the temporal dynamics of
cyber operations from the abstract generalizations used to
describe them, i.e., plans, tasks, requirements. This approach
makes it possible to model a cyber operation as an ontology pattern
grounded on the top level dyad ACTION-CHARACTERIZATION,
unfolded by the middle-level tetrad
OPERATION-MISSION_PLAN-MISSION_TASK-SEC_REQUIREMENT, and
specified by
CYBER_OPERATION-CYBER_MISSION_PLAN-CYBER_MISSION_TASK-CYBER_SECURITY_REQUIREMENT. In
recent years, ‘ontology patterns’ have become an important
instrument for conceptual modeling [
        <xref ref-type="bibr" rid="ref29">29</xref>
        ]: the rationale, as our
work suggests, is to identify some minimal knowledge
structures within an ontology to be used for modeling a
problem (in this regard, the ontology remains the reference
framework whereby the pattern can be expanded). This
methodology is also ideal from a reasoning standpoint. For
instance, in [
        <xref ref-type="bibr" rid="ref30">30</xref>
        ] the authors state that “mission activities are
tasks focused on answering mission questions” (where the
latter can be seen as partially overlapping the notion of
security requirement): but an ontology that fails to
discriminate ‘activities’ from ‘tasks’ would likely be affected
in its inference capabilities, to the degree that reasoning over
tasks that have not been executed yet – i.e., that are not
activities – would not be supported. It’s not difficult to
imagine the circumstances where this limit can become a
serious drawback for a cyber analyst: mental simulation is
commonly adopted by humans to foresee the outcomes of an
action before performing it [
        <xref ref-type="bibr" rid="ref31">31</xref>
        ], and a semantic framework
where mission activities and tasks are conceptually viewed as
the same entity precludes that, and might eventually result in
pervasive logical inconsistencies (if the ambiguity is not
somehow reduced). On the contrary, an ontology pattern
based on CRATELO allows cyber operations to be specified at a
sufficient level of conceptual granularity.
      </p>
      <p>
        22 http://www.w3.org/Submission/SWRL/
      </p>
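      <p>The Retrieve File Securely scenario and the separation of tasks (plan level) from actions (executed occurrences) described above can be sketched as a trace checker. This is an added example, not code from the paper or from CRATELO: the task names, the context keys and the remove_file action are assumed labels, and plain Python stands in for the OWL-DL and SWRL encoding.</p>
      <preformat><![CDATA[
```python
from dataclasses import dataclass

# Plan level (CHARACTERIZATION): the tasks of the mission plan and the
# "must be completed before" constraints between them. Names are assumed labels.
PLAN_TASKS = ("locate_file", "request_file", "obtain_file", "inspect_file")
PRECEDES = (
    ("locate_file", "request_file"),
    ("request_file", "obtain_file"),
    ("obtain_file", "inspect_file"),
)
# Security requirements the plan has to satisfy (context keys are assumed).
REQUIREMENTS = ("secure_channel", "authenticated_client", "authorized_server")


@dataclass(frozen=True)
class Action:
    """Occurrence level (ACTION): one execution of a task over [start, end]."""
    task: str
    start: int
    end: int
    malware_detected: bool = False


def before(a, b):
    """Allen's 'before' relation: a has ended when b starts."""
    return a.end < b.start


def pending_tasks(actions):
    """Tasks of the plan that no action has executed yet."""
    done = {a.task for a in actions}
    return [t for t in PLAN_TASKS if t not in done]


def check_operation(actions, context):
    """Return the violations of the plan found in an executed trace."""
    violations = []
    for req in REQUIREMENTS:
        if not context.get(req, False):
            violations.append(f"requirement not satisfied: {req}")
    by_task = {}
    for a in actions:
        by_task.setdefault(a.task, []).append(a)
    # Temporal constraints: every execution of the later task needs an
    # earlier, completed execution of the task it depends on.
    for first, then in PRECEDES:
        for later in by_task.get(then, []):
            if not any(before(e, later) for e in by_task.get(first, [])):
                violations.append(f"{then} executed without a prior {first}")
    # Conditional rule: malware detected implies the file is removed afterwards.
    for insp in by_task.get("inspect_file", []):
        removed = any(before(insp, r) for r in by_task.get("remove_file", []))
        if insp.malware_detected and not removed:
            violations.append("malware detected but file not removed from host")
    return violations


# Constructed sample data.
GOOD_CONTEXT = {r: True for r in REQUIREMENTS}
CLEAN_TRACE = [
    Action("locate_file", 0, 1),
    Action("request_file", 2, 3),
    Action("obtain_file", 4, 6),
    Action("inspect_file", 7, 9),
]
BAD_TRACE = [
    Action("request_file", 0, 1),  # requested before the file was located
    Action("locate_file", 2, 3),
    Action("obtain_file", 4, 5),
    Action("inspect_file", 6, 8, malware_detected=True),
]

if __name__ == "__main__":
    print(pending_tasks(CLEAN_TRACE[:2]))
    for v in check_operation(BAD_TRACE, dict(GOOD_CONTEXT, authorized_server=False)):
        print(v)
```
]]></preformat>
      <p>Because tasks exist independently of the actions that execute them, pending_tasks can answer questions about work that has not happened yet, which is the kind of reasoning the paragraph above says is lost when tasks and activities are conflated.</p>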
      <p>
        In a simplified scenario where an SQL injection attack is
launched, a defensive cyber operation of
INTRUSION_DETECTION can be divided into three essential
subactions (and corresponding tasks): 1) to block the IP address of
the attacker; 2) to escalate the level of response; 3) to block all
external connections; and 4) to redirect the incoming traffic to a
honeypot for further inspection. Who can perform these
actions? In the real world, cyber analysts with different
responsibilities and privileges usually form a response team:
for instance, we can indicate with L1, L2 and L3 the
incremental levels of expertise of cyber analysts. Accordingly,
1) would only be performed by L1 analysts; 2) can only be
performed by L1 analysts toward L2 analysts or by L2 toward
L3; 3) can only be executed by L2 analysts and 4) only by L3.
As a matter of fact, gauging which action better fits the
situation is not a one-shot decision, but rather a multi-stage
evaluation process where the situational awareness of cyber
analysts frequently changes. Also, each of those sub-actions
has incremental costs and inversely proportional risks: for
instance, if blocking all the connections to a web server
eliminates the risks of a reiterated attack, suspending the
network traffic has a severe impact on the system functionality
(e.g., no data access for authorized third parties): escalation, in
this context, is an effective means to prevent risk
mismanagement. Although this simplified scenario gives only
a partial account of the actions that actual analysts have at
their disposal, using an ontology of cyber security like
CRATELO to model intrusion detection can clearly represent
a means to improve situational awareness and fill the semantic
gap [
        <xref ref-type="bibr" rid="ref32">32</xref>
        ] in our understanding of the cognitive demands in the
cyber world. Figure 4 presents a partial view of CRATELO
categories and relations used for intrusion detection.
      </p>
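      <p>The level-based response rules of the intrusion detection scenario can be written as an audit over a response log. This is an added example, not code from the paper or from CRATELO: the event fields and action labels are assumed, and so is the rule that the incident starts at L1 and that only the level currently holding it may act.</p>
      <preformat><![CDATA[
```python
# Who may perform each defensive action, as stated in the scenario.
ALLOWED_LEVEL = {
    "block_attacker_ip": "L1",
    "block_external_connections": "L2",
    "redirect_to_honeypot": "L3",
}
# Escalation is only permitted one step up: L1 toward L2, or L2 toward L3.
ESCALATION_STEPS = {("L1", "L2"), ("L2", "L3")}


def audit_response(events, start_level="L1"):
    """Check a response log against the scenario's rules.

    events: list of dicts with keys 'analyst', 'level', 'action' and, for
    'escalate', 'target'. Returns a list of (index, reason) findings.
    Assumption (not in the paper): the incident starts at start_level and
    only the level that currently holds it may act on it.
    """
    findings = []
    holder = start_level
    for i, ev in enumerate(events):
        level, action = ev["level"], ev["action"]
        if action == "escalate":
            step = (level, ev.get("target"))
            if step not in ESCALATION_STEPS:
                findings.append((i, f"escalation {step[0]}->{step[1]} not permitted"))
            elif level != holder:
                findings.append((i, f"{level} escalated an incident held by {holder}"))
            else:
                holder = step[1]  # the next level now holds the incident
            continue
        required = ALLOWED_LEVEL.get(action)
        if required is None:
            findings.append((i, f"unknown action {action}"))
        elif level != required:
            findings.append((i, f"{action} requires {required}, performed by {level}"))
        elif level != holder:
            findings.append(
                (i, f"{action} by {level} while the incident is held by {holder}")
            )
    return findings


# Constructed sample logs.
GOOD_LOG = [
    {"analyst": "a1", "level": "L1", "action": "block_attacker_ip"},
    {"analyst": "a1", "level": "L1", "action": "escalate", "target": "L2"},
    {"analyst": "b1", "level": "L2", "action": "block_external_connections"},
    {"analyst": "b1", "level": "L2", "action": "escalate", "target": "L3"},
    {"analyst": "c1", "level": "L3", "action": "redirect_to_honeypot"},
]
BAD_LOG = [
    {"analyst": "a1", "level": "L1", "action": "block_external_connections"},
    {"analyst": "a1", "level": "L1", "action": "escalate", "target": "L3"},
    {"analyst": "c1", "level": "L3", "action": "redirect_to_honeypot"},
]

if __name__ == "__main__":
    for index, reason in audit_response(BAD_LOG):
        print(index, reason)
```
]]></preformat>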
      <sec id="sec-2-1">
        <title>IV. CONCLUSIONS AND FUTURE WORK</title>
        <p>
          Notwithstanding the proliferation of taxonomies,
dictionaries, glossaries, and terminologies of the cyber
landscape, building a comprehensive model of this domain
remains a major objective for the community of reference, which
includes government agencies, private organizations,
researchers and intelligence professionals. There are multiple
reasons behind the discrepancy between demand and supply of
semantic models of cyber security. Although we cannot
thoroughly address this topic here, we are firmly convinced
that a great part of the problem is the lack of balance between
the ‘vertical’ and the ‘horizontal’ directions of the effort. On
one side, the state of the art consists of several classifications of
the domain, as argued in Section II: these efforts typically yield
rich catalogs of cyber attacks, exploits and vulnerabilities. On
the other side, a rigorous conceptual analysis of the entities and
relationships that are encompassed by different cyber scenarios
would also be needed, but little work has been done on this
horizontal dimension (if we exclude the ongoing MITRE
initiative described by Leo Obrst and colleagues in [
          <xref ref-type="bibr" rid="ref13">13</xref>
          ]). In
this paper we adopted the second perspective:
instead of presenting “yet another” catalog of cyber notions, an
endeavor that nevertheless remains of indisputable relevance, we
decided to explore in depth the semantic space of operations.
Our investigation addresses cyber operations as complex
entities where the human factor is as important as the
technological spectrum: our ontological analysis is grounded
on a bedrock of foundational concepts and reaches the domain
of cyber operations through an intermediate layer where core
notions are defined.
        </p>
        <p>
          Future work will focus on the following research steps:
• extending SECCO with an ontology of risk;
• populating OSCO with a large set of cyber
operations documented in the literature and
learned from real-world case studies;
• designing and customizing a methodology for
ontology validation based on “competency
questions” submitted to domain experts (along the lines of
what has been proposed in [
          <xref ref-type="bibr" rid="ref20">20</xref>
          ]);
• running cyber warfare simulations within military
exercises, collecting data to be modeled with
CRATELO;
• studying ontology mappings between CRATELO
and other semantic models (e.g., MITRE’s Cyber
Ontology Architecture), ensuring interoperability
and reusability of the resource.</p>
        <p>We are aware of the challenges ahead of us in pursuing this
research agenda, which would usually be very difficult to
implement. Nevertheless, we’re also persuaded that, in the
broad vision framed by the ARL Cyber Security Collaborative
Research Alliance, what we have described illustrates a
realistic work plan and a necessary step toward the foundation
of a science of cyber security.</p>
      </sec>
      <sec id="sec-2-2">
        <title>ACKNOWLEDGMENTS</title>
        <p>This research was sponsored by the Army Research Laboratory
and was accomplished under Cooperative Agreement Number
W911NF-13-2-0045 (ARL Cyber Security CRA). The views
and conclusions contained in this document are those of the
authors and should not be interpreted as representing the
official policies, either expressed or implied, of the Army
Research Laboratory or the U.S. Government. The U.S.
Government is authorized to reproduce and distribute reprints
for Government purposes notwithstanding any copyright
notation here on.</p>
      </sec>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <surname>Yannakogeorgos</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          and
          <string-name>
            <surname>Lowther</surname>
            ,
            <given-names>A. B.</given-names>
          </string-name>
          <article-title>"The Prospects of Cyber Deterrence: American Sponsorships of Global Norms,"</article-title>
          in <source>Conflict and Cooperation in Cyberspace</source>.: Taylor &amp; Francis,
          <year>2013</year>
          , pp.
          <fpage>49</fpage>
          -
          <lpage>77</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>L.</given-names>
            <surname>Mattice</surname>
          </string-name>
          ,
          <article-title>"Taming the "21st Century's Wild West" of Cyberspace?,"</article-title>
          in <source>Conflict and Cooperation in Cyberspace</source>.: Taylor &amp; Francis,
          <year>2013</year>
          , pp.
          <fpage>9</fpage>
          -
          <lpage>12</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <surname>McDaniel</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Rivera</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Swami</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          <article-title>"Toward a Science of Secure Environments,"</article-title>
          <source>Security and Privacy</source>
          , vol.
          <volume>12</volume>
          , no.
          <issue>4</issue>
          , pp.
          <fpage>68</fpage>
          -
          <lpage>70</lpage>
          , July/
          <year>August 2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <surname>Endsley</surname>
            ,
            <given-names>M.R.</given-names>
          </string-name>
          <article-title>"Toward a Theory of Situation Awareness in Dynamic Systems,"</article-title>
          <source>Human Factors</source>
          , vol.
          <volume>37</volume>
          , no.
          <issue>1</issue>
          , pp.
          <fpage>32</fpage>
          -
          <lpage>64</lpage>
          ,
          <year>1995</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <surname>Lin</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          <article-title>"Escalation Dynamics and Conflict Termination in Cyberspace,"</article-title>
          <source>Strategic Studies Quarterly</source>
          , vol.
          <volume>6</volume>
          , no.
          <issue>3</issue>
          , pp.
          <fpage>46</fpage>
          -
          <lpage>70</lpage>
          ,
          <year>Fall 2012</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <surname>Bunge</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          <source>Causality and Modern Science</source>
          . New York: Dover Publications,
          <year>1979</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <surname>Kott</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          <article-title>"Towards Fundamental Science of Cyber Security,"</article-title>
          in <source>Network Science and Cybersecurity</source>
          , R. E. Pino, Ed. New York,
          <year>2014</year>
          , vol.
          <volume>55</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          The MITRE Corporation
          ,
          <article-title>"Science of Cyber-Security,"</article-title>
          The MITRE Corporation, McLean, VA, Technical
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <surname>Mundie</surname>
            ,
            <given-names>D. A.</given-names>
          </string-name>
          and
          <string-name>
            <surname>McIntire</surname>
            ,
            <given-names>D. M.</given-names>
          </string-name>
          <article-title>"The MAL: A Malware Analysis Lexicon,"</article-title>
          CERT® Program - Carnegie Mellon University, Technical
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <surname>Dipert</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          <article-title>"The Essential Features of an Ontology for Cyberwarfare,"</article-title>
          in <source>Conflict and Cooperation in Cyberspace - The Challenge to National Security</source>, Panayotis A Yannakogeorgos and A. B. Lowther, Eds.: Taylor &amp; Francis,
          <year>2013</year>
          , pp.
          <fpage>35</fpage>
          -
          <lpage>48</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <surname>Kotenko</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          <article-title>"Agent-Based modeling and simulation of cyber-warfare between malefactors and security agents in internet,"</article-title>
          <source>in 19th European Conference on Modeling and Simulation</source>
          ,
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <surname>D'Amico</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Buchanan</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Goodall</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          &amp;
          <string-name>
            <surname>Walczak</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          (
          <year>2009</year>
          )
          <article-title>Mission impact of cyber events: Scenarios and ontology to express the relationship between cyber assets</article-title>
          . [Online]. http://www.dtic.mil/cgibin/GetTRDoc?AD=ADA517410
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <surname>Obrst</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Chase</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          , &amp;
          <string-name>
            <surname>Markeloff</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          <article-title>"Developing an ontology of the cyber security domain,"</article-title>
          <source>in Seventh International Conference on Semantic Technologies for Intelligence, Defense, and Security</source>
          ,
          <year>2012</year>
          , pp.
          <fpage>49</fpage>
          -
          <lpage>56</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <surname>Horrocks</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Kutz</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Sattler</surname>
            ,
            <given-names>U.</given-names>
          </string-name>
          <article-title>"The Irresistible SRIQ,"</article-title>
          in <source>OWLED '05 - "OWL: Experiences and Directions"</source>
          , vol.
          <volume>188</volume>
          , Galway,
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <surname>Masolo</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Borgo</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Gangemi</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Guarino</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Oltramari</surname>
            , Schneider,
            <given-names>L. A.</given-names>
          </string-name>
          <article-title>"The WonderWeb Library of Foundational Ontologies and the DOLCE ontology,"</article-title>
          Laboratory For Applied Ontology, ISTC-CNR,
          <source>Technical Report</source>
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <surname>Vetere</surname>
            <given-names>G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Jezek</surname>
            <given-names>E.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Chiari</surname>
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Zanzotto</surname>
            <given-names>F.M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Nissim</surname>
            <given-names>M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Gangemi</surname>
            <given-names>A.</given-names>
          </string-name>
          <string-name>
            <surname>Oltramari</surname>
            <given-names>A.</given-names>
          </string-name>
          ,
          <article-title>"Senso Comune: A Collaborative Knowledge Resource for Italian,"</article-title>
          in <source>The People's Web Meets NLP: Collaboratively Constructed Language Resources</source>.: Springer Verlag,
          <year>2013</year>
          , pp.
          <fpage>45</fpage>
          -
          <lpage>67</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <surname>Gangemi</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Mika</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          <article-title>"Understanding the Semantic Web through Descriptions and Situations,"</article-title>
          <source>in On The Move to Meaningful Internet Systems - Lecture Notes in Computer Science</source>
          . Berlin-Heidelberg: Springer,
          <year>2003</year>
          , vol.
          <volume>2888</volume>
          , pp.
          <fpage>689</fpage>
          -
          <lpage>706</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <string-name>
            <surname>Salinesi</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Wattiau</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Souag</surname>
          </string-name>
          ,
          <article-title>"Ontologies for Security Requirements: A Literature Survey and Classification,"</article-title>
          <source>in Advanced Information Systems Engineering Workshops</source>
          , vol.
          <volume>112</volume>
          ,
          <year>2012</year>
          , pp.
          <fpage>61</fpage>
          -
          <lpage>69</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <string-name>
            <surname>Schumacher</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          <article-title>"Toward a Security Core Ontology,"</article-title>
          in <source>Security Engineering with Patterns</source>. Berlin-Heidelberg: Springer-Verlag,
          <year>2003</year>
          , pp.
          <fpage>87</fpage>
          -
          <lpage>96</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <string-name>
            <surname>Fenz</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ekelhart</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          <article-title>"Formalizing Information Security Knowledge,"</article-title>
          <source>in the International Symposium on Information, Computer, and Communications Security (ASIACCS '09)</source>
          , New York, pp.
          <fpage>183</fpage>
          -
          <lpage>194</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21]
          <string-name>
            <surname>Avižienis</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Laprie</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Randell</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Landwehr</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          <article-title>"Basic Concepts and Taxonomy of Dependable and Secure Computing,"</article-title>
          <source>IEEE Transactions on Dependable and Secure Computing</source>
          , vol.
          <volume>1</volume>
          , no.
          <issue>1</issue>
          , pp.
          <fpage>11</fpage>
          -
          <lpage>33</lpage>
          , January-March
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22]
          <string-name>
            <surname>Prévot</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Borgo</surname>
            ,
            <given-names>S.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Oltramari</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          <article-title>"Interfacing Ontologies and Lexical Resources,"</article-title>
          in <source>Ontology and the Lexicon - A Natural Language Perspective</source>, C.R., Calzolari, N., Gangemi, A., Oltramari, A., Prévot, L. Huang, Ed. New York, USA: Cambridge University Press,
          <year>2010</year>
          , pp.
          <fpage>185</fpage>
          -
          <lpage>200</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23]
          <string-name>
            <surname>Massacci</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Mylopoulos</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Paci</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Thein</surname>
          </string-name>
          , T.T.,
          <string-name>
            <surname>Yijun</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          <article-title>"An Extended Ontology for Security Requirements"</article-title>
          .
          <source>In CAiSE 2011 International Workshops</source>
          , vol.
          <volume>83</volume>
          , London,
          <year>2011</year>
          , pp.
          <fpage>622</fpage>
          -
          <lpage>636</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <article-title>Joint Staff Department of Defense. Joint Terminology for Cyber Operations</article-title>
          . [Online]. http://afri.au.af.mil/cyber/Docs/panel1/Cyber_Lexicon.pdf
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [25]
          <article-title>Joint Chiefs of Staff, "The National Military Strategy for Cyberspace Operations,"</article-title>
          <source>Department of Defense</source>
          ,
          <year>2006</year>
          . [Online]. http://www.dod.mil/pubs/foi/joint_staff/jointStaff_jointOperations/07-F-2105doc1.pdf
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          [26]
          Air Force Doctrine Document
          ,
          <article-title>"Cyberspace Operations,"</article-title>
          .
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          [27]
          <string-name>
            <surname>Simmons</surname>
            ,
            <given-names>C. B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Shiva</surname>
            ,
            <given-names>S. G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Bedi</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          ,
          Dasgupta
          <article-title>"AVOIDIT: A Cyber Attack Taxonomy,"</article-title>
          <source>in 9th Annual Symposium on Information Assurance (ASIA)</source>
          , Albany, NY,
          <year>2014</year>
          , pp.
          <fpage>2</fpage>
          -
          <lpage>12</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          [28]
          <string-name>
            <surname>Allen</surname>
            ,
            <given-names>J.F.</given-names>
          </string-name>
          <article-title>"An interval based representation of temporal knowledge,"</article-title>
          <source>in 7th International Joint Conference on Artificial Intelligence (IJCAI)</source>
          , vol.
          <volume>1</volume>
          , Vancouver,
          <year>1983</year>
          , pp.
          <fpage>221</fpage>
          -
          <lpage>226</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          [29]
          <string-name>
            <surname>Gangemi</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          and
          <string-name>
            <surname>Presutti</surname>
            ,
            <given-names>V.</given-names>
          </string-name>
          <article-title>"Ontology design patterns,"</article-title>
          in <source>Handbook on Ontologies</source>.: Springer,
          <year>2009</year>
          , pp.
          <fpage>221</fpage>
          -
          <lpage>244</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref30">
        <mixed-citation>
          [30]
          <string-name>
            <surname>Morris</surname>
            ,
            <given-names>T.I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Mayron</surname>
            ,
            <given-names>L.M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Smith</surname>
            ,
            <given-names>W.B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Knepper</surname>
            ,
            <given-names>M.M.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Reg</surname>
            ,
            <given-names>I.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Fox</surname>
            ,
            <given-names>K.L.</given-names>
          </string-name>
          <article-title>"A perceptually-relevant model-based cyber threat prediction method for enterprise mission assurance,"</article-title>
          in <source>IEEE Multi-disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support</source>
          , Miami Beach,
          <year>2011</year>
          , pp.
          <fpage>60</fpage>
          -
          <lpage>65</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref31">
        <mixed-citation>
          [31]
          <string-name>
            <surname>Taylor</surname>
            ,
            <given-names>S.E.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Pham</surname>
            <given-names>L.B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Rivkin</surname>
            <given-names>I.D.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Armor</surname>
            <given-names>D.A.</given-names>
          </string-name>
          <article-title>"Harnessing the imagination. Mental simulation, self-regulation, and coping,"</article-title>
          <source>American Psychologist</source>
          , vol.
          <volume>53</volume>
          , no.
          <issue>4</issue>
          , pp.
          <fpage>429</fpage>
          -
          <lpage>439</lpage>
          ,
          <year>Apr 1998</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref32">
        <mixed-citation>
          [32]
          <string-name>
            <surname>Gonzalez</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ben-Asher</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Oltramari</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Lebiere</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          <article-title>"Cognitive Models of Cyber Situation Awareness and Decision Making,"</article-title>
          in <source>Cyber Defense and Situational Awareness</source>, A., Wang, C., Erbacher, R. Kott, Ed.: Springer,
          <year>2014</year>
          , vol.
          <volume>62</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref33">
        <mixed-citation>
          [33]
          <string-name>
            <surname>Masolo</surname>
            ,
            <given-names>C.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Guizzardi</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Vieu</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Bottazzi</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ferrario</surname>
            ,
            <given-names>R.</given-names>
          </string-name>
          <article-title>"Relational Roles and Qua Individuals"</article-title>
          .
          <source>In AAAI Fall Symposium on Roles, an Interdisciplinary Perspective</source>
          , Virginia, USA.
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>