An area of information security today is especially relevant: the amount of threats and their destructive capacity grow with every year. Computer attacks are com­ plicated trigger аЫе operations in that it can involve consideraЫe amount of network nodes now. Intruders use the various techniques of conducting attacks and concealment of their activities, complicating work of defenders at the same. In such circumstances, the development of new methods that would Ье applied in composition with the automated tools of exposure of cyber threats becomes not simply an interesting scientific task, but also а valuaЫe practical result.

The traditional approach for the exposure of threats is based on the use of signatures, namely search of suspicious templates in operating data. The signa­ ture approach is ublquitously used due to the ease and protfiabllity, orfm the point of view of computing resources. Unfortunately, it has а range of substantial drbawacks: the signature approach requires consideraЫe eforts on maintenance of base of signatures in the actual state not being аЫе to expose new types of threats (zero-day attacks) and does not allow to line up the models of complex attacks.

The most popular alternative ofr the signature approach is the usage of meth­ ods of machine learning. А search of threats, which is based on the exposure of anomalies, behavioral, and statistical analysis, allows us to find out substan­ tially more dificult

attacks than the signature approach, but it is not deprived of the defects.

Machine learning algorithms results are often poorly interpretaЫe thus there are dificulties

in localization and threat removing. In addition, such algorithms often require nfie-tuning

under а correct infrastructure and skilled support for the timely account of inevitaЫe changes of external terms. оТ

two indicated approaches we can add and approach on the basis of formal models. As noted in the work [ 12 ] ontology is already one of the xfied assets of realization of the large systems of information security because it allows us to use the experience of wide expert association for providing of transparency of work and forecast of results. Tools of exposure threat on the basis of formal models can allow not only to identify and classify threats but also to efectively produce reliaЫe and interpreted decisions rfo

their removal. The key advantage of such tools is а higher level of the used abstractions that provides knowledge system­ atization, decision automation, and allows to ofer to the expert the decisions with the observance of rfomal

response procedures.

One of the proЫems of conceptual models usage in dynamically developing areas is the laboriousness of knowledge base maintenance in the actual state. But the wide usage of open and community-supported standards and taxonomies, such as CVE/NVD 1 or САРЕС 2 allows to avoid the dificulties related to up­ dating of the knowledge base. On the one side, open and peer-reviewed sources allow where appropriate to specify

the terminological base of ontology and on the other, allow to update the actual filling of the knowledge base regularly.

Another unique advantage of using formal models in cybersecurity is the high development level of industrial systems for collecting information about pro­ tected objects. In modern organization all required information is already pre­ sented in inventory databases and SIEM systems 3, that consideraЬly simplifies its integration in the knowledge base.

In spite of the fact

that ontology а long ago and successfully used in many areas, such as genetics and Ьio-medicine, they meet rarely in enterprise solutions providing information security. The purpose of this work is а demonstration of wide possiЬilities of an ontological approach for the development of methods and tools rfo reacting to the security threats of the distributed information infrastruc­ ture. Central directions of our research are the questions related to applicaЬility and eficiency

of logical reasoning and also questions related to the conceptual representation of knowledge about an information infrastructure.

The brief review of accessiЫe works is given in the second part of this article, the third part contains а scheme description of the model knowledge base, on which in fourth part some possiЬilities of ontological approach are demonstrated. 1 https://cve.mitre.org

and event management) - class of the systems carrying out the centralized collection and analysis of security log

Related Works The construction of ontological models in information security is conducted al­ ready for more than fiteen years. One of the first bright works in this area is ontology IDS 4, presented in [ 17 ]. Authors put the aim to show the utility of on­ tology as а model for classifi cation of attacks in the intrusion detection system underlining their superiority above more used taxonomies due to greater eflxi­ Ьility and the possibllity to work with heterogeneous data. Their result ontology presented as attack classifi cation framework and described in DAML-OIL [ 3 ] (language predecessor OWL [ 7 ]) ontology plugging in more than 190 concepts and operating with the data got as а result of instrumentation of the Linux kernel. Note that one of the dignities of the built ontology authors count the un­ amblguity of objects distribution on classes, thus, the same high level of strictness is arrived at, as well as at reasoning based on the use of taxonomies. Possiblli­ ties of the use of the built model are on example SYN flood attacks and bufer overoflw. The classifi cation consists of а selection of the most correct class that would correspond to the happening event.

Another classic example of the ontological model usage is presented in the article [ 6 ], in that it is suggested to use the ontology of informatio n security for annotating functional efatures web of resources. Final ontology appears as seven sub ontologies and intended for description of security mechanisms such as pro­ tocols, algorithms, and registration data. In а diefrence ofrm IDS of ontology that is intended for the use in а certain application, the ontology of submit­ ted authors is а general ontology of information security and can Ье used for annotating any the web of resources.

Development of semantic models is directly connected with the use of in­ dustry standards and specification s, so in work [ 18 ] OVM ontology based on taxonomies is presented and standards of corporation MITRE 5 (CVE, CWE, САРЕС, CVSS) and intended for description of weakness in software products. The built ontology is one of maiden attempts to Ьind the current standards of description in а more dificul t and complete model.

Other example of the successful use of open dictionaries is described in [ 5 ]. Ву а basic proЫem at the automated use of such data authors consider а pres­ ence of important information presented as text. The result of their research is rfamework trained for extraction of relevant content. Extracted entities intercon­ nection between them appears as RDF-triplets on the basis of simple ontology, complementary of IDS [ 17 ] ontology. The final system is integrated into the inafrstructure of the linked open data (LOD) 6

Approach allowing to systematize not only information security but also the development of ontology process, presented in works [ 8 ] and [ 9 ]. In the first authors examine methodology of construction of ontology in cybersecurity. The construction of ontology in their opinion consists of the next stages: 4 IDS - lntrusion detection system 5 https://mitre.org 6 https://lod-cloud.net/ 1. Determination of the aims shown in the required queries to the knowledge base and supposed scenarios of the use. 2. Analysis of existent ontologies of the same subject domain including all valu­ aЫe concepts from them here. If the number of concepts is great authors recommend to include whole ontology in the complement of the developed scheme. 3. Addition of connections coming from data with that it is assumed to work and coming from necessities and existent industry standard.

In authors' opinion, ontologies are usually an association of three levels, from most general, such as DOLCE, at the top level, to the applied ontology [ 9 ] , this approach gets further development described as lful ontology-framework CARTELO. The ontology DOLCE- SPRAY is used at the top level, at middle­ level ontology is presented Ьу the ontology of SECCO, plugging in itself the basic concepts of cybersecurity, the ontology of cyber-operations OSCO complements at the bottom level.

Ву the natural desire of researchers, that in the total got the embodiment in а number of works, was to overcome one ontology of all traditional scenarios of the use of concepts of cybersecurity. Thus in work [ 2 ] there is an example of the complex use of ontology made in composition the system of cybersecurity. The Package-oriented ontology fo r the description of network tracfi of РАСО is used as а kernel for extraction of knowledge from network tracfi and as an instrument of classification of tracfi and, together with more general top-level ontologies (CARTELO), as an interface for analyst work. ln stand experiments where eficiency of the system was compared rfo the exposure of attacks with the and without use of ontology advantages of ontological approach were shown. In the total authors соте to the conclusion that comblnation of high-level on­ tologies and low-level ontologies allows to substantially increase expressiveness of semantic model, and usage of such models together with traditional tools to become the basis for the system of decision making, the superior possibllity of analyst.

In works [ 16 ] and [ 15 ] an example is made not simply constructions of ontol­ ogy, but also developments of the architecture of knowledge base fo r its use. As basic functional components of the system authors distinguish the component of incidents handling presented Ьу the bases of incidents and warnings; asset management component, presented Ьу the base of resources; and the component of accumulation of knowledge. The last includes the knowledge base of products and services, the knowledge base of risks, and the knowledge base of counter­ measures that contain knowledge based on the treatment of industry standards. Ontology, here, is а tool for uniform manipulation of the collected heterogeneous data.

ln [ 4 ] authors note that fo rmal representation of knowledge and integration of information from diefrent sources allows substantially improve quality of ex­ posure and response. ln the article as main scenarios of the use are the search of relevant records from IDS, collection of information about sowftare, and at­ tempt of determination of malicious activity on the basis of network tracfi and changes in the system. For the solution of these tasks, authors develop ontology of STUCO. Its notaЫe fe atures are relative simplicity and realization Ьу means of JSON- scheme from one side, promotes its practical applicaЬility, but with other lays on substantial limitations, main fro m that is the impossiЬility of the logical reasoning mechanism usage

The common decision of long-term proЬlem standardization of fo rmats of cybersecurity-related knowledge lately became language STIX [ 1 ], thererfoe no wonder that the most complex is universal ontology of cybersecurity (UCO), presented in work [ 14 ] is based on exactly its structure. An ofered ontology is implemented in OWL DL assuming an efective inference allows to extract infor­ mation from all popular industrial dictionaries and assumes the wide spectrum of scenarios of the use. Meantime its valuaЫe use in practice feasiЫe only after its adaptation to certain tasks Ьу means of the addition of corresponding applied ontologies. UCO is the most successful attempt to create а middle-level ontology, that ofrm one side would possess suficient expressiveness fo r the description of conceptions of any cybersecurity directions and with other abandoned space for the claricfiation of bottom level ontologies.

In the conclusion of this review, we want to note that in spite of the fact that ofr the past years substantial results were oЬtained with the area of development of cybersecurity ontologies many tasks are not solved. PossiЬility of reasoning is not used even in those works where implementation allows to use them. The proЫem of extraction of knowledge from the unstructured sources is not fully resolved although work makes consideraЫe part of analysing such data. Ontolo­ gies do not contained concepts for description of information infras tructure in the meantime the question of cybersecurity prioritization events is continuously related to such knowledge. А possiЫe way for eficient infrastructure represen­ tation presented in recent work [ 10 ], but valuaЫe ontologies containing both knowledge about infrastructure and knowledge of information security are yet to Ье developed. 3

Knowledge Base Architecture То show the possiЬilities of ontological approach the model knowledge base was implemented. А terminological constituent (Т - Ьох) of knowledge base is on­ tology of UCO complemented applied with bottom level ontologies. An actual constituent (А- Вох) plugs operating information (events and incidents of cyber­ security), information about an infrastructure and also information from open dictionaries and taxonomies. 3.1

Ontological Model As said earlier UCO though and is the most complete cybersecurity ontology in pure form tfis badly for practical application and requires adaptation. As such adaptation, additional ontologies for the decision of certain tasks were developed. Ontology of operating information extends and complements such concepts of UCO as action and observaЫe. Its main task is to provide accordance with other objects of knowledge base and Ьу operating inrfomation.

Its key concept is the event. The event is the universal observed object and parent for allother types, which represent events in the real world. ln addition, it plugs in description rules of threats exposure (signatures, anomalies, and others) and sets their accordance with industry standards, such as а matrix of АТТ&СК[lЗ].

Ontology of inrfo­ mation infrastructure is а clarification

for uco - identity - localidentity that allowsto determine authentication for

internal subjects and also essence set of infrastructure objects for

description of endpoints and applications in an infras­ tructure (frequently Ьу the subclasses of uco - observaЫe) and their well-known and possiЫe connections. Last from

ontology models is prioritization ontology.

It is а model for concepts ofrm

а conclusion of environmental risk metrics CVSS. lt includes the environmental risk of CVSS. Requirements to confidentia lity, availaЬility, integrity, probaЬility are causing damages that hatch on the basis of data about subject to the risk to the infrastructure. 3.2