Building an Ontology of Cyber Security

Alessandro Oltramari and Lorrie Faith Cranor, CyLab, Carnegie Mellon University, Pittsburgh, USA
Robert J. Walls and Patrick McDaniel, Department of Computer Science, Pennsylvania State University, University Park, USA

Abstract—Situation awareness depends on a reliable perception of the environment and comprehension of its semantic structures. In this respect, cyberspace presents a unique challenge to the situation awareness of users and analysts, since it is a unique combination of human and machine elements, whose complex interactions occur in a global communication network. Accordingly, we outline the underpinnings of an ontology of secure operations in cyberspace, presenting the ontology framework and providing two modeling examples. We make the case for adopting a rigorous semantic model of cyber security to overcome the current limits of the state of the art.

Keywords—cyber security, ontology, situation awareness, ontology patterns.

I. INTRODUCTION

As disclosed by a recent report^1, there were half a billion cyber security breaches in the first semester of 2014, matching the record set across the entire preceding year. In general, this alarming trend should not be surprising when we consider that the bedrock of the Internet is a technological infrastructure built almost 35 years ago for trusted military communications and not for data exchange in the wild (see [1], p. 58). The picture gets even worse when considering that the ability to grasp the risks and threats associated with computer networks is on average poor: recent surveys have actually shown that 65% of the victims of intrusion and information theft in the private sector are notified by third parties and that the detection process usually takes up to 13 months (e.g., see [2], p. 10).

Though not exhaustive, such rough statistics at least suggest that if the inadequacy of the technological infrastructure is a key aspect in explaining the vulnerabilities of networked computer systems, the human factor also plays a central role. As proposed in [3], to improve the situation awareness of users and security operators, a shift of focus from the system to the environment level is highly necessary when modeling cyber scenarios: to this end, a full-fledged science of cyber security needs to be founded, whose core tenet is cognizing cyberspace as a hybrid framework of interaction between humans and computers, where security and privacy policies play a crucial role. As stated by [4], this cognizance depends both on a reliable perception of the elements of the environment and, most importantly for our work, on the explicit representation of their semantics. Accordingly, the current article presents the underpinnings of an ontology of secure cyber operations: by and large, the concepts and the relationships that structure this semantic model are peculiar to the domain. That is, notions that are suitable for representing security in the physical world cannot be directly transferred to the cyber environment (e.g., "attack attribution" [5]). We build upon existing ontologies, expanding them to support novel use cases as needed^2. Our goal is to use the proposed ontology as a basis for improving the situation awareness of cyber defenders, allowing them to make optimal operational decisions in every state of the environment.

The rest of the paper is organized as follows: Section II makes the case for the adoption of ontologies in the cyber security realm; Section III outlines the structure of 'CRATELO', a Three Level Ontology for the Cyber Security Research Alliance program funded by ARL^3, and describes two simple cyber scenarios modeled by means of our approach; finally, Section IV draws preliminary conclusions and outlines an agenda for future research.

II. RELATED WORK

Every science is concerned with distinct objects and strives to build rigorous models of the phenomena involving them [6]: accordingly, the objects of a science of cyber security correspond to the attributes of (and the relations between) networks of computer devices, security policies, and the tools and techniques of cyber attack and cyber defense [7]. Therefore, inasmuch as ontologies are formal models of a domain, building ontologies of the aforementioned attributes and relations is critical for the transformation of cyber security into a science.

In 2010, the DoD sponsored a study to examine the theory and practice of cyber security, and to evaluate whether there are underlying fundamental principles that would make it possible to adopt a more scientific approach. The study team concluded that the most important requirement would be "the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding. A common language and agreed-upon experimental protocols will facilitate the testing of hypotheses and validation of concepts" [8]. The need for controlled vocabularies and ontologies to make progress toward a science of cyber security is recognized in [9] and [10] as well. In this domain, ontologies would include the classification of cyber attacks, cyber incidents, and malicious and impacted software programs. From our point of view, where the human component of cyber security is also essential, the analysis needs to be expanded to the different roles that attackers, users, defenders and policies play in the context of cyber security, the different tasks that the members of a team are assigned by the team leader, and the knowledge, skills and abilities needed to fulfill them.

There has been little work on ontologies for cyber security and cyber warfare. Within a broader paper, there is a brief discussion of an ontology for DDoS attacks [11], and a general ontology for cyber warfare is discussed in [12]. To the best of our knowledge, Obrst and colleagues [13] provide the most comprehensive description of a cyber ontology architecture, whose vision has actually inspired the work presented in this paper (the scale of the project and its difficulties are also discussed by Dipert in [10]). By and large, the efforts that have been made toward developing ontologies of cyber security, even when expressed in OWL, RDF or other XML-based formats, typically do not utilize existing military domain or middle-level ontologies such as UCORE-SL^4. With regard to human users and human-computer interaction, the most important step in understanding a complex new domain involves producing accessible terminological definitions and classifications of entities and phenomena, as stressed in [9]. Discussions of cyber warfare and cyber security often begin with the difficulties created by misused terminology (such as characterizing cyber espionage as an attack): in this regard, the Joint Chiefs of Staff created a list of cyber term definitions that has been further developed and improved in a classified version^5. None of these definitions, however, are structured as an ontology. Likewise, various agencies and corporations (NIST^6, MITRE^7, Verizon^8) have formulated enumerations of types of malware, vulnerabilities, and exploitations. In particular MITRE, which has been very active in this field, maintains two dictionaries, namely CVE (Common Vulnerabilities and Exposures^9) and CWE (Common Weakness Enumeration^10), a classification of attack patterns (CAPEC - Common Attack Pattern Enumeration and Classification^11), and an XML-structured language to represent cyber threat information (STIX - Structured Threat Information eXpression^12). Regardless of the essential value of these resources, without a "shared semantics" the sprawling definitions they contain are hard to maintain and port into machine-readable formats.

III. A THREE-LEVEL ONTOLOGY FOR THE CYBER-SECURITY RESEARCH ALLIANCE

Top-level ontologies capture generic characteristics of world entities, such as spatial and temporal dimensions, morphology (e.g., parts, edges, sides), qualities (e.g., color, volume, electric charge), etc.; because of their inherent generality, they are not suited to modeling contextual aspects. Nevertheless, it's good practice to describe the fine-grained concepts that constitute a domain-level ontology in terms of foundational (or top-level) categories, adding core (or middle-level) notions to fill contingent conceptual gaps. For instance, an ontology of mineralogy should include notions like "basaltic rock", "texture" and "metamorphic reaction". In order to describe the meaning of those specific concepts, high-level categories such as "object", "quality" and "process" must be employed; the ontology should also define an intermediate notion like "metamorphism", which is common across domains (biology, chemistry, computer science, architecture, etc.), to explain how the different phases, end products, and features of metamorphic reactions are bound together.

Our ontology of cyber security makes no exception to the tripartite layering described above: in particular, CRATELO is an ontological framework constituted of a domain ontology of cyber operations (OSCO), designed on the basis of the DOLCE top ontology extended with a security-related middle-level ontology (SECCO). The three levels of CRATELO (schematized in Figure 1) currently include 223 classes and 131 relationships (divided into 116 object properties and 15 datatype properties) and are encoded in OWL-DL. The expressivity of the ontology is SRIQ, a decidable extension of the description logic SHIN (see [14] for more details).

[Figure 1: The schematics of CRATELO]

A. Descriptive Ontology for Linguistic and Cognitive Engineering (DOLCE)

DOLCE is part of a library of foundational ontologies for the Semantic Web developed under the WonderWeb EU project^13. As reflected in the acronym, DOLCE holds a cognitive bias, i.e., it aims at capturing the conceptual primitives underlying natural language and commonsense reasoning [15]. In order to reduce the complexity of the axiomatisation, in the current work we adopt DOLCE-SPRAY^14, a simplified version of DOLCE [16].

The root of the hierarchy of DOLCE-SPRAY is ENTITY, which is defined as the class of anything that is identifiable as an object of experience or thought. The first relevant distinction is between CONCRETE ENTITY, whose instances are located in definite spatiotemporal regions, and ABSTRACT ENTITY, whose instances don't have inherent spatiotemporal dimensions. CONCRETE ENTITY is further divided into CONTINUANT, OCCURRENT, and QUALITY, respectively entities with inherent spatial parts (e.g., artifacts, animals, substances), entities with inherent temporal parts (e.g., events, actions, states) and entities whose existence depends on their host (for instance 'the color of a flower', 'the duration of a football game', 'the area of a construction site', etc.). DOLCE's basic ontological distinctions are maintained in DOLCE-SPRAY: the substantial differences come from a) merging the ABSTRACT and NON-PHYSICAL-ENDURANT categories into DOLCE-SPRAY's ABSTRACT ENTITY and b) breaking the class QUALITY into PHYSICAL QUALITY and ABSTRACT QUALITY, moving the latter under the branch ABSTRACT ENTITY. Accordingly, the class ABSTRACT QUALITY designates the qualities that don't have any defining spatiotemporal dimension, such as the price of goods, the usefulness of a service, etc. A sibling of ABSTRACT QUALITY under the ABSTRACT ENTITY branch, INFORMATION refers to any content that can be conveyed by some physical OBJECT, from the metal boards used for road signs to the memory location of a Python script. CHARACTERIZATION is defined as a mapping of n-tuples of individuals to truth-values. Individuals belonging to CHARACTERIZATION can be regarded as 'reified concepts' (e.g., 'manufactured object'), and the irreflexive, antisymmetric relation characterizes associates them with the objects they denote ('a collection of vintage shoes'). Among the relevant sub-types of CHARACTERIZATION we can find: ROLE, i.e., the classification of an entity according to a given context or perspective (e.g., 'instructor'); PLAN, namely the generic description of an action (such as 'the disassembly of a 9mm'); TASK, that is, a representation of the specific steps that are needed to execute an ACTION according to a PLAN (e.g., 'removing the magazine', 'pull back the slide'); REQUIREMENT, whose instances can be seen as the conditions that need to be satisfied as part of a PLAN (e.g., 'the weapon must be clear before proceeding'). A specific sub-class of PLAN is POLICY, whose instances need to satisfy specific REQUIREMENTs adopted or proposed by some SOCIAL GROUP (e.g., a government, a party, a non-profit association, a private company, etc.). In general, the branch of DOLCE-SPRAY rooted on CHARACTERIZATION distills the extensions introduced in [17]. An overview of the DOLCE-SPRAY backbone taxonomy is represented in Figure 2.

[Figure 2: DOLCE-SPRAY backbone taxonomy. Categories shown: CONCRETE ENTITY, with CONTINUANT (AGENT, PERSON, GROUP, SOCIAL GROUP, OBJECT, ARTIFACT, NATURAL ENTITY, SUBSTANCE), PHYSICAL QUALITY (TEMPORAL LOCATION, SPATIAL LOCATION, COMPOSITE QUALITY) and OCCURRENT (PROCESS, ACTION, STATE); ABSTRACT ENTITY, with ABSTRACT QUALITY, INFORMATION and CHARACTERIZATION (ROLE, PLAN, POLICY, TASK, REQUIREMENT).]

B. Security Core Ontology (SECCO)

This section outlines a set of security concepts based on DOLCE-SPRAY primitives.

An entity is a THREAT φ for an ASSET α valued by a STAKEHOLDER σ and protected by a DEFENDER δ, if and only if φ is used by an ATTACKER κ to exploit a VULNERABILITY ϖ of α in an OFFENSIVE_OPERATION το. To prevent το, a specific collection of SECURITY_REQUIREMENTs υs needs to be satisfied by a SECURITY_POLICY π, enforced to protect α. But if το strikes, δ has to promptly defend α, performing a suitable DEFENSIVE_OPERATION δο to deploy a COUNTERMEASURE χ for neutralizing the PAYLOAD ψ conveyed by το^15. The class OPERATION can be represented as the union of το and δο: any OPERATION ο is carried out on the basis of a MISSION_PLAN λ whose sequence of MISSION_TASKs ξs is executed in ο^16. Note that in order to delineate λ in a DEFENSIVE_OPERATION δο, δ would also need to run a RISK_ASSESSMENT µ of the RISK ρ associated with ξs (datatype properties can be used to represent ρ as a parameterization of the expected losses, probabilities of attack, etc.)^17. The formalization below (1-30) represents a basic alignment between SECCO and DOLCE-SPRAY. The relations isPartOf, participates (and its inverse hasParticipant), isQualityOf, characterizes, definedIn, satisfies, hasRole and hasRequirement are imported from DOLCE-SPRAY. We used self-explanatory abbreviations (e.g., OFF_OP instead of OFFENSIVE_OPERATION) to keep the list compact, when possible. For reasons of space, presenting a comprehensive set of axioms for SECCO is out of scope in this paper.

ATTACKER^18 ⊑ ROLE ⊓ ∀characterizes.AGENT (1)
DEFENDER ⊑ ROLE ⊓ ∀characterizes.AGENT (2)
STAKEHOLDER ⊑ ROLE ⊓ ∀characterizes.AGENT (3)
STAKEHOLDER ⊑ ¬(ATTACKER ⊔ DEFENDER)^19 (4)
ASSET ⊑ ROLE ⊓ ∀characterizes.(OBJECT ⊔ INFORMATION) (5)
ASSET ⊑ ¬THREAT (6)
THREAT ⊑ ROLE ⊓ ∀characterizes.(OBJECT ⊔ INFORMATION) (7)
THREAT ⊑ ¬ASSET (8)
SEC_REQ ⊑ DEF_REQ ⊑ REQUIREMENT (9)
SECURITY_POLICY ⊑ POLICY ⊓ ∀satisfies.SEC_REQ (10)
OFF_REQ ⊑ REQUIREMENT (11)
OFF_REQ ⊑ ¬DEF_REQ (12)
DEF_REQ ⊑ ¬OFF_REQ (13)
OPERATION ⊑ ACTION (14)
DEF_OP ⊑ OPERATION (15)
OFF_OP ⊑ OPERATION (16)
OFF_OP ⊑ ¬DEF_OP (17)
DEF_OP ⊑ ¬OFF_OP (18)
MISSION_PLAN ⊑ PLAN (19)
MISSION_TASK ⊑ TASK ⊓ ∀definedIn.MISSION_PLAN (20)
RISK ⊑ ABST_QUALITY ⊓ ∀isQualityOf.MISSION_TASK (21)
RISK_ASSESSMENT ⊑ ACTION ⊓ ∃hasParticipant.RISK (22)
COUNTERMEASURE ⊑ ARTIFACT ⊓ ∀participates.DEF_OP (23)
PAYLOAD ⊑ ARTIFACT ⊓ ∀participates.OFF_OP (24)
VULNERABILITY ⊑ ABST_QUALITY ⊓ ∀isQualityOf.ASSET (25)
DEF_OP ≡ ∃hasParticipant.DEFENDER ⊓ ∃executes.MISSION_PLAN ⊓ ∃hasParticipant.COUNTERMEASURE ⊓ ∃hasRequirement.DEF_REQ (26)
OFF_OP ≡ ∃hasParticipant.ATTACKER ⊓ ∃executes.MISSION_PLAN ⊓ ∃hasParticipant.PAYLOAD ⊓ ∃hasRequirement.OFF_REQ (27)
ATTACKER ≡ ∀exploits.VULNERABILITY ⊓ ∃uses.THREAT (28)
DEFENDER ≡ ∀protects.ASSET ⊓ ∃uses.COUNTERMEASURE (29)
STAKEHOLDER ≡ ∀values.ASSET ⊓ ∃enforces.SECURITY_POLICY (30)

SECCO's categories are positioned at too coarse a level of granularity to capture the details of domain-specific scenarios: properties like THREAT, VULNERABILITY, ATTACK, COUNTERMEASURE and ASSET are orthogonal to different domains and, by virtue of this, they can be predicated of a broad spectrum of things: for instance, infections are a threat to the human body, Stuxnet is a threat to PLCs, the impact of large asteroids on the Earth's surface is a threat to the survival of organic life forms, dictatorship is a threat to civil liberties, and so on and so forth. Though there seems to be a consensus in the literature on the core ontological concepts of security (see [18] and [19]), the minimal set presented here has been occasionally expanded along alternate directions. For instance, Fenz and Ekelhart [20] introduce the concept of 'control', by means of which stakeholders implement suitable countermeasures to mitigate known vulnerabilities of assets^20. A 'policy', in this context, is defined as a regulatory or organizational form of control (SECCO's definition of POLICY is more functionality-centered). Fenz and Ekelhart [20] also outline a taxonomy of assets, distinguishing 'tangible' (e.g., 'wallet') from 'intangible' ones (e.g., 'credit card credentials'), where the former can be furthermore split into 'movable' (e.g., 'car', 'jewelry') and 'unmovable' (e.g., 'house', 'land'). Interestingly enough, Fenz and Ekelhart reify the procedure of assessing a risk into the concept of 'rating', whose attributes can be expressed qualitatively (e.g., on a Likert scale: high, medium and low) or quantitatively (measuring the probability of a risk). Avižienis and colleagues present a comprehensive analysis of security where the notion of 'fault' is introduced to denote an interruption of the services delivered by a given system in the environment [21]. A middle-level ontology of security can possibly be extended beyond SECCO: in this respect, the key contribution of this module doesn't rely on the coverage (or 'concept density', see [22], p. 187) of security primitives but on the formalization driven by a top-level ontology. Our approach has some similarities with the effort described in [23], though Massacci and colleagues were principally concerned with the ontological analysis of a specific software development methodology, Secure Tropos.

C. Ontologies of Secure Cyber Operations (OSCO)

One of the major cyber security problems for government and corporations is the widespread "operational chaos" experienced by analysts, as Michael Susong has recently called the phenomenon of "having too many alarms (false positives) in a network, not enough trained people to deal with them, and a consequent poor prioritization of risks and countermeasures"^21. In this regard, the objective of an ontology of cyber security is to shape that chaos into a framework of meaningful and reusable chunks of knowledge, turning the operational disarray into a systematic model by means of which cyber analysts can improve their situation awareness. As mentioned in Section I, the key to this augmented cognizance relies on a consistent assessment of the context and on a comprehensive understanding of its elements at the semantic level. But how is a cyber operation usually defined? In a document released in 2010, the Joint Chiefs of Staff describe a "cyberspace operation" as the "employment of cyber capabilities where the primary purpose is to achieve objectives in or through cyberspace. Such operations include computer network operations and activities to operate and defend the Global Information Grid" [24]. Drawing on this broad definition and relying on DOLCE-SPRAY and SECCO, in OSCO we represent a CYBER_OPERATION ψ as an OPERATION executed by a CYBER_OPERATOR ϕ, who can play either the role of DEFENDER in a DEFENSIVE_CYBER_OPERATION or the role of ATTACKER in an OFFENSIVE_CYBER_OPERATION. In the context of cyber security we can also distinguish between those OFFENSIVE_CYBER_OPERATIONs whose MISSION_PLANs satisfy the OFFENSIVE_REQUIREMENT of remaining undetected, and those that don't: we use the class CYBER_EXPLOITATION to denote the former, and CYBER_ATTACK for the latter. As Lin points out in [5], from a technical viewpoint cyber attacks and cyber exploitations are very similar: they use the same access paths and focus on the same vulnerabilities. The difference lies in the delivery and execution of the PAYLOAD, which must be performed undetectably in CYBER_EXPLOITATIONs (e.g., port scanning or SQL injections). The list of class inclusions below (33-51) denotes the alignment between OSCO and SECCO categories and some specializations of OSCO domain concepts. For reasons of space we could not include a formal characterization of specific cyber threats and cyber vulnerabilities (comprehensive classifications can be consistently found in military reports, doctrines and academic articles; see [25] [26] [27]).

CYBER_OPERATION ⊑ OPERATION (31)
OFF_CYBER_OP ⊑ CYBER_OPERATION (32)
DEF_CYBER_OP ⊑ CYBER_OPERATION (33)
OFF_CYBER_OP ⊑ OFF_OP (34)
OFF_CYBER_REQ ⊑ OFF_REQ (35)
DEF_CYBER_REQ ⊑ DEF_REQ (36)
UNDETECTABILITY ⊑ OFF_CYBER_REQ (37)
CYBER_COUNTERMEASURE ⊑ COUNTERMEASURE (38)
CYBER_ASSET ⊑ ASSET (39)
CYBER_THREAT ⊑ THREAT (40)
CYBER_SEC_REQUIREMENT ⊑ SEC_REQUIREMENT (41)
CYBER_SECURITY_POLICY ⊑ SECURITY_POLICY (42)
CYBER_VULNERABILITY ⊑ VULNERABILITY (43)
CYBER_ATTACKER ⊑ ATTACKER ⊓ ∀exploits.CYBER_VULNERABILITY ⊓ ∃uses.CYBER_THREAT (44)
CYBER_ANALYST ⊑ DEFENDER ⊓ ∀protects.CYBER_ASSET ⊓ ∃uses.CYBER_COUNTERMEASURE (45)
CYBER_STAKEHOLDER ⊑ STAKEHOLDER ⊓ ∀values.CYBER_ASSET ⊓ ∃enforces.CYBER_SECURITY_POLICY (46)
CYBER_ATTACK ⊑ OFF_CYBER_OP ⊓ ∃hasParticipant.CYBER_ATTACKER ⊓ ¬∃hasRequirement.UNDETECTABILITY (47)
CYBER_EXPLOITATION ⊑ OFF_CYBER_OP ⊓ ∃hasParticipant.CYBER_ATTACKER ⊓ ∃hasRequirement.UNDETECTABILITY (48)
DEF_CYBER_OP ⊑ DEF_OP ⊓ ∃hasParticipant.CYBER_ANALYST ⊓ ∃hasRequirement.DEF_CYBER_REQ (49)

Since the development of a full-scale domain ontology is currently underway within our project, for the sake of this article we will limit ourselves to modeling only two sample scenarios.

1) Example 1: RETRIEVE_FILE_SECURELY

Figure 3 represents CRATELO's classes and relationships used to model the Retrieve File Securely scenario. For reasons of visualization, the diagram covers only the most salient notions involved in this cyber operation. In order to retrieve a file without exposing a computer system (and possibly an entire network) to cyber threats, some specific security requirements need to be fulfilled while carrying out that operation. In particular, as is also the case for other kinds of CYBER_OPERATION, RETRIEVE_FILE_SECURELY must occur over a secure channel of a network, from authenticated computer(s) and through authorized server(s). By and large, abiding by these security requirements while executing the mission tasks should lead to mission accomplishment. The composite RETRIEVE_FILE_SECURELY_TASK can be further divided into simpler temporally-structured and logically-connected subtasks. Accordingly, a request for a file can be sent to an authenticated server only after locating the desired file in the network; the inspection of the file can trivially occur only once the file has been obtained; and so on and so forth. In CRATELO we can express these basic temporal constraints by means of the foundational layer: in fact, DOLCE includes an adaptation of Allen's axioms [28], which are considered a powerful logical theory for temporal representation and reasoning (the formalization of these axioms has also been maintained in DOLCE-SPRAY). Moreover, if malware is detected, the file must be removed from the host: the deployment of this preventive countermeasure aims at avoiding a disruption of the isolated computer node and a cyber attack on the network it belongs to. This countermeasure can be expressed as a conditional rule formalized in CRATELO by using an additional modeling apparatus, i.e., the Semantic Web Rule Language (SWRL)^22, which extends OWL-DL axioms. By including rule-based mechanisms in CRATELO we also comply with the core requisites of a full-fledged cyber ontology architecture described in [13].

As the example shows, one of the key design principles underlying CRATELO is to separate the temporal dynamics of cyber operations from the abstract generalizations used to describe them, i.e., plans, tasks and requirements. This approach allows a cyber operation to be modeled as an ontology pattern grounded on the top-level dyad ACTION-CHARACTERIZATION, unfolded by the middle-level tetrad OPERATION-MISSION_PLAN-MISSION_TASK-SEC_REQUIREMENT, and specified by CYBER_OPERATION-CYBER_MISSION_PLAN-CYBER_MISSION_TASK-CYBER_SECURITY_REQUIREMENT. In recent years, 'ontology patterns' have become an important instrument for conceptual modeling [29]: the rationale, as our work suggests, is to identify some minimal knowledge structures within an ontology to be used for modeling a problem (in this regard, the ontology remains the reference framework whereby the pattern can be expanded). This methodology is also ideal from a reasoning standpoint. For instance, in [30] the authors state that "mission activities are tasks focused on answering mission questions" (where the latter can be seen as partially overlapping the notion of security requirement): but an ontology that fails to discriminate 'activities' from 'tasks' would likely be affected in its inference capabilities, to the degree that reasoning over tasks that have not been executed yet (i.e., that are not activities) would not be supported. It's not difficult to imagine the circumstances where this limit can become a serious drawback for a cyber analyst: mental simulation is commonly adopted by humans to foresee the outcomes of an action before performing it [31], and a semantic framework where mission activities and tasks are conceptually viewed as the same entity precludes that, and might eventually result in pervasive logical inconsistencies (if the ambiguity is not somehow reduced). On the contrary, an ontology pattern based on CRATELO allows one to specify cyber operations at a sufficient level of conceptual granularity.

2) Example 2: INTRUSION_DETECTION

In a simplified scenario where an SQL injection attack is launched, a defensive cyber operation of INTRUSION_DETECTION can be divided into three essential sub-actions (and corresponding tasks): 1) block the IP address of the attacker; 2) escalate the level of response; 3) block all external connections; and 4) redirect the incoming traffic to a honeypot for further inspection. Who can perform these actions? In the real world, cyber analysts with different responsibilities and privileges usually form a response team: for instance, we can indicate with L1, L2 and L3 the incremental levels of expertise of cyber analysts. Accordingly, 1) would only be performed by L1 analysts; 2) can only be performed by L1 analysts toward L2 analysts or by L2 toward L3; 3) can only be executed by L2 analysts; and 4) only by L3. Figure 4 presents a partial view of the CRATELO categories and relations used for intrusion detection.

As a matter of fact, gauging which action fits the situation better is not a one-shot decision, but rather a multi-stage evaluation process where the situational awareness of cyber analysts frequently changes. Also, each of those sub-actions has incremental costs and inversely proportional risks: for instance, while blocking all the connections to a web server eliminates the risk of a repeated attack, suspending the network traffic has a severe impact on the system's functionality (e.g., no data access for authorized third parties): escalation, in this context, is an effective means to prevent risk mismanagement. Although this simplified scenario gives only a partial account of the actions that actual analysts have at their disposal, using an ontology of cyber security like CRATELO to model intrusion detection can clearly represent a means to improve situational awareness and fill the semantic gap [32] in our understanding of the cognitive demands in the cyber world.

Figure 3 – A visualization of the RETRIEVE_FILE_SECURELY cyber operation modeled in CRATELO. Legend of the arc types: 'has subclass' (purple); 'is executed in' (green); 'executes' (brown); 'has part' (yellow); 'defines task' (orange); 'is defined in task' (ochre); 'satisfies (all)' (fuchsia); 'satisfies (some)' (electric blue).

Figure 4 – A subset of actions that can be performed in a cyber operation of INTRUSION_DETECTION. This diagram shows some of the interdependencies between classes of actions and levels of expertise of cyber analysts. Legend of the arc types: 'has subclass' (solid purple); 'targets' (dotted purple); 'defend' (yellow); 'has part' (brown); 'executes task' (light brown); 'involves (only) agent' (gray); 'involves (only disjunction)' (green).^23

IV. CONCLUSIONS AND FUTURE WORK

Notwithstanding the proliferation of taxonomies, dictionaries, glossaries, and terminologies of the cyber landscape, building a comprehensive model of this domain remains a major objective for the community of reference, which includes government agencies, private organizations, researchers and intelligence professionals. There are multiple reasons behind the discrepancy between demand and supply of semantic models of cyber security. Although we cannot thoroughly address this topic here, we are firmly convinced that a great part of the problem is the lack of balance between the 'vertical' and the 'horizontal' directions of the effort. On one side, the state of the art consists of several classifications of the domain, as argued in Section II: these efforts typically yield rich catalogs of cyber attacks, exploits and vulnerabilities. On the other side, a rigorous conceptual analysis of the entities and relationships that are encompassed by different cyber scenarios would also be needed, but little work has been done on this horizontal dimension (if we exclude the ongoing MITRE initiative described by Leo Obrst and colleagues in [13]). In this paper we placed ourselves in the second perspective: instead of presenting "yet another" catalog of cyber notions, an endeavor that nevertheless remains of undisputable relevance, we decided to explore in depth the semantic space of operations. Our investigation addresses cyber operations as complex entities where the human factor is as important as the technological spectrum: our ontological analysis is grounded on a bedrock of foundational concepts and reaches the domain of cyber operations through an intermediate layer where core notions are defined.

Future work will focus on the following research steps:
• extending SECCO with an ontology of risk;
• populating OSCO with a large set of cyber operations documented in the literature and learned from real-world case studies;
• designing and customizing a methodology for ontology validation based on "competency questions" submitted to domain experts (along the lines of what has been proposed in [20]);
• running cyber warfare simulations within military exercises, collecting data to be modeled with CRATELO;
• studying ontology mappings between CRATELO and other semantic models (e.g., MITRE's Cyber Ontology Architecture), ensuring interoperability and reusability of the resource.

ACKNOWLEDGMENTS

This research was sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.

NOTES

1. https://www.riskbasedsecurity.com/reports/2014-MidYearDataBreachQuickView.pdf
2. For instance, exploiting material available in this portal: http://militaryontology.com/cyber-security-ontology.html
3. http://cra.psu.edu/
4. http://www.slideshare.net/BarrySmith3/universal-core-semantic-layer-ucoresl
5. http://publicintelligence.net/dod-joint-cyber-terms/
6. http://www.nist.gov/
7. http://www.mitre.org/
8. http://www.verizon.com/
9. https://cve.mitre.org/
10. http://cwe.mitre.org/
11. https://capec.mitre.org/
12. https://stix.mitre.org/language/version1.1.1/
13. http://wonderweb.man.ac.uk/
14. Categories are indicated in small caps; relationships in italics. Multiple individuals instantiating the same category are denoted by adding an 's' to the category name (e.g., REQUIREMENTs). Presenting the axiomatisation of DOLCE-SPRAY is out of scope in this paper.
15. Both countermeasures and payloads are artifacts of some sort, e.g., an antidote and a poison.
16. ο can be a single ACTION or a complex collection of interconnected actions.
17. Although risk assessment needs to be done preemptively, continuous monitoring is also required for up-to-date situational awareness.
18. In our model, instances of ATTACKER, DEFENDER and STAKEHOLDER are not equal to instances of PERSON, GROUP and, in general, AGENT. In this perspective, 'Alessandro' (instance of PERSON) qua DEFENDER would correspond to team member 'Alpha1' (instance of DEFENDER). Qua entities have been formally analyzed in [33]. Also, since in different situations a defender may play the role of an attacker (and vice versa), we don't consider the two classes as disjoint.
19. Note that δ and σ may or may not coincide: in the second case, the latter needs to delegate the former to act on her behalf. The notion of delegation (and trust) in agent ontologies has been extensively studied by [26], but it's currently not included in CRATELO, as (6) shows.
20. In cyber security, exploitations of unknown vulnerabilities correspond to the so-called Zero-Day Attacks.
21. Dr. Michael Susong is an Intelligence Subject Matter Expert affiliated with iSIGHT Partners; he gave an invited talk at Carnegie Mellon University on September 8th, 2014.
22. http://www.w3.org/Submission/SWRL/
23. Figures 3-4 were generated and exported using OntoGraf (http://protegewiki.stanford.edu/wiki/OntoGraf), a visualization plug-in for Protégé. Even within the same ontology, OntoGraf automatically assigns different colors to arcs when a new figure is created: this explains the mismatch of colors between the two figures.

REFERENCES

[1] Yannakogeorgos, P. and Lowther, A. B., "The Prospects of Cyber Deterrence: American Sponsorships of Global Norms," in Conflict and Cooperation in Cyberspace. Taylor & Francis, 2013, pp. 49-77.
[2] Mattice, L., "Taming the '21st Century's Wild West' of Cyberspace?," in Conflict and Cooperation in Cyberspace. Taylor & Francis, 2013, pp. 9-12.
[3] McDaniel, P., Rivera, B., and Swami, A., "Toward a Science of Secure Environments," Security and Privacy, vol. 12, no. 4, pp. 68-70, July/August 2014.
[4] Endsley, M. R., "Toward a Theory of Situation Awareness in Dynamic Systems," Human Factors, vol. 37, no. 1, pp. 32-64, 1995.
[5] Lin, H., "Escalation Dynamics and Conflict Termination in Cyberspace," Strategic Studies Quarterly, vol. 6, no. 3, pp. 46-70, Fall 2012.
[6] Bunge, M., Causality and Modern Science. New York: Dover Publications, 1979.
[7] Kott, A., "Towards Fundamental Science of Cyber Security," in Network Science and Cybersecurity, R. E. Pino, Ed. New York, 2014, vol. 55.
[8] The MITRE Corporation, "Science of Cyber-Security," The MITRE Corporation, McLean, VA, Technical Report, 2010.
[9] Mundie, D. A. and McIntire, D. M., "The MAL: A Malware Analysis Lexicon," CERT Program, Carnegie Mellon University, Technical Report, 2013.
[10] Dipert, R., "The Essential Features of an Ontology for Cyberwarfare," in Conflict and Cooperation in Cyberspace: The Challenge to National Security, P. A. Yannakogeorgos and A. B. Lowther, Eds. Taylor & Francis, 2013, pp. 35-48.
[11] Kotenko, I.
"Agent-Based modeling and simulation of We are aware of the challenges ahead of us in pursuing this cyber-warfare between malefactors and security agents in research agenda, which would usually be very difficult to internet ," in 19th European Conference on Modeling and implement. Nevertheless, we’re also persuaded that, in the Simulation, 2005. broad vision framed by the ARL Cyber Security Collaborative [12] D’Amico, A., Buchanan, L., Goodall, J. & Walczak, P. Research Alliance, what we have described illustrates a (2009) Mission impact of cyber events: Scenarios and realistic work plan and a necessary step toward the foundation ontology to express the relationship between cyber assets. of a science of cyber security. [Online]. http://www.dtic.mil/cgi- bin/GetTRDoc?AD=ADA517410 [13] Obrst, L., Chase, P., & Markeloff, R. "Developing an ontology of the cyber security domain," in Seventh International Conference on Semantic Technologies for 60 Intelligence, Defense, and Security, 2012, pp. 49-56). Cyber Operations. [Online]. [14] Horrocks, I., Kutz, O., Sattler, U. "The Irresistible SRIQ ," http://afri.au.af.mil/cyber/Docs/panel1/Cyber_Lexicon.pdf in OWLED '05 - "OWL: Experiences and Directions", vol. [25] Joint Chiefs of Staff, "The National Military Strategy for 188, Galway, 2005. Cyberspace Operations," Department of Defense, 2006. [15] Masolo, C., Borgo, S., Gangemi, A., Guarino, N., [Online]. Oltramari, Schneider, L. A. "The WonderWeb Library of http://www.dod.mil/pubs/foi/joint_staff/jointStaff_jointOpe Foundational Ontologies and the DOLCE ontology," rations/07-F-2105doc1.pdf Laboratory For Applied Ontology, ISTC-CNR, Technical [26] Air Force Doctrine Document, "Cyberspace Operations,". Report 2002. [27] Simmons, C. B., Shiva, S. G., Bedi, H., Dasgupta [16] Vetere G., Jezek E., Chiari I., Zanzotto F.M., Nissim M., "AVOIDIT: A Cyber Attack Taxonomy," in 9th Annual Gangemi A. 
Oltramari A., "Senso Comune: A Symposium on Information Assurance (ASIA), Albany, NY, Collaborative Knowledge Resource for Italian," in The 2014, pp. 2-12. People's Web Meets NLP: Collaboratively Constructed [28] Allen, J.F. "An interval based representation of temporal Language Resources.: Springer Verlag, 2013, pp. 45-67. knowledge," in 7th International Joint Conference on [17] Gangemi, A., Mika, P. "Understanding the Semantic Web Artificial Intelligence (IJCAI), vol. 1, Vancouver, 1983, pp. through Descriptions and Situations," in On The Move to 221–226. Meaningful Internet Systems - Lecture Notes in Computer [29] Gangemi, A. and Presutti, V. "Ontology design patterns," in Science. Berlin-Heidelberg: Springer, 2003, vol. 2888, pp. Handbook on Ontologies.: Springer , 2009, pp. 221-244. 689-706. [30] Morris, T.I., Mayron, L.M., Smith, W.B., Knepper, M.M., [18] Salinesi, C., Wattiau, I., A. Souag, "Ontologies for Security Reg, I., Fox, K.L. "A perceptually-relevant model-based Requirements: A Literature Survey and Classification," in cyber threat prediction method for enterprise mission Advanced Information Systems Engineering Workshops, assurance," in IEEE Multi-disciplinary Conference on vol. 112, 2012, pp. 61-69. Cognitive Methods in Situation Awareness and Decision [19] Schumacher, M. "Toward a Security Core Ontology," in Support, Miami Beach, 2011, pp. 60-65. Security Engineering with Patterns. Berling-Heidelberg: [31] Taylor, S.E., Pham L.B., Rivkin I.D., Armor D.A. Springer-Verlag, 2003, pp. 87-96. "Harnessing the imagination. Mental simulation, self- [20] Fenz, S., Ekelhart, A. "Formalizing Information Security regulation, and coping.," American Psychologist , vol. 53, Knowledge," in the International Symposium on no. 4, pp. 429-439, Apr 1998. Information, Computer, and Communications Security [32] Gonzalez, C., Ben-Asher, N., Oltramari, A., Lebiere, C. (ASIACCS ’09), New York, pp. 183-194. 
"Cognitive Models of Cyber Situation Awareness and [21] Avižienis, A., Laprie, J., Randell, B., Landwehr, C. "Basic Decision Making," in Cyber Defense and Situational Concepts and Taxonomy of Dependable and Secure Awareness, A., Wang, C., Erbacher, R. Kott, Ed.: Springer, Computing," IEEE Transactions on Dependable and 2014, vol. 62. Secure Computing, vol. 1, no. 1, pp. 11-33, January-March [33] Masolo, C., Guizzardi, G., Vieu, L., Bottazzi, E., Ferrario, 2004. R. "Relational Roles and Qua Individuals". In AAAI Fall [22] Prévot, L., Borgo, S., Oltramari, A. "Interfacing Ontologies Symposium on Roles, an Interdisciplinary Perspective, and Lexical Resources," in Ontology and the Lexicon - A Virginia, USA. 2005. Natural Language Perspective, C.R., Calzolari, N., Gangemi, A., Oltramari, A., Prévot, L. Huang, Ed. New York, USA: Cambridge University Press, 2010, pp. 185- 200. [23] Massacci, F., Mylopoulos, J., Paci, F., Thein, T.T., Yijun, Y. "An Extended Ontology for Security Requirements". In CAiSE 2011 International Workshops, vol. 83, London, 2011, pp. 622-636. [24] Joint Staff Department of Defense. Joint Terminology for 61