The Basic Formal Ontology (BFO) has emerged as a standard top-level ontology architecture and is currently employed in multiple initiatives for the purposes of data sharing and interoperability [ 1, 2 ]. BFO has been extended by multiple ontology projects in different areas, including for example the biomedical field [ 3 ], occupations [ 4 ], documents and information [ 5 ], the military domain [ 6 ], intelligence [ 7 ], industry [ 8 ], and social entities [ 9 ]. Moreover, the Common Core Ontologies (CCO) have recently emerged as a mid-level architecture widely adopted in the defense and intelligence community [ 10 ].

The domain of information processing and computation nevertheless remains a complex domain to represent ontologically. More specifically cyberspace, provisionally understood as the aggregate composed of computing artifacts, the information they process and the connections between such artifacts, is the object of interest for this paper. Ontologically representing cyberspace allows for integration of data about cyberspace itself with data about other parts of reality – for example, watchlist data or geographical location data. This would allow for implementation of ontologies in different computer science fields, starting from cybersecurity, and be of crucial support for big data analysis in intelligence operations.

Foundational studies in the ontology of cyberspace were already introduced in the BFO community [ 11 ], while more recently the CCO community has developed the Cyber ontology, which is currently part of an IEEE initiative, to represent cyberspace and the entities inhabiting it [ 12, 13 ]. The aim of this short paper is to introduce a general, high-level pattern for the representation of information sharing and modification in the BFO and CCO community.

The representation of information processing through BFO stands on the threefold distinction of information, information bearer and the qualities or dispositions of the bearer which concretize the information content. Take first as an example the familiar case of a book and the information stored in it. The book itself is a material entity, which acts as information bearer, and is represented in CCO by the class “Information Bearing Entity” (IBE). The pattern of ink on the book is instead a quality of the book, which allows it to convey information. The pattern of ink is, in BFO terms, a specifically dependent continuant, given that it requires the continued existence of this specific instance of book in order to remain in existence. The corresponding CCO class is called Information Quality Entity (IQE).

Finally, the information itself is the content of the book. The latter entity is, in BFO terms, a generically dependent continuant: it can continue to exist as long at least one entity is structured in such a way that it carries the information in question. This means that different copies of the same book can carry the same, numerically identical, information content, despite the copies and the ink patterns being different from one another. The corresponding CCO class is called Information Content Entity (ICE).

Notice that the link between the generically dependent continuant (the information) and the material entity (the information bearer) is given by the presence of the qualities of the material entity. The relation between the generically dependent continuant and the qualities is called a relation of concretization. The generically dependent continuant in question can only be interacted with by modifying the qualities and dispositions of a certain material entity. For example, changing the pattern of ink on a piece of paper makes it such that the pattern of ink on the piece of paper is now concretizing a different information content.

We can provisionally consider cyberspace as the aggregate of multiple computing artifacts and the information stored in and exchanged by these computing artifacts. The processes taking place in cyberspace are then mostly processes of information processing and sharing. An ontological representation of cyberspace will then make use of material entities (computing artifacts), ICEs (the information stored in the devices) and the patterns of qualities and dispositions which concretize these ICEs.

Image 1 shows a simplified model of a cyber-attack known as active packet sniffing. In one such attack, a malicious actor intercepts a data packet which is being transmitted over a network, reads the information in the packet, and changes it by inserting malicious code in the data packet. The ontological model of this process represents the process of active packet sniffing as modifying the quality pattern that concretizes the information content of the data packet. This information content is non-malicious at t1, and is replaced by malicious information at t3, after the process of modification has taken place at t2. The quality is borne by a data packet bearer, which in this case could be a part of a disk of a server. The quality itself could be identified with the pattern of electromagnetic energy that is stored on the disk.

The precision at which the material entity and quality are represented nevertheless doesn’t need to be as detailed as the one discussed above. Unless the ontology in question is used, say, in the realm of industry manufacturing of computer hardware, we can represent bearers and their qualities at a higher level of granularity. For example, we can consider the whole server as data packet bearer, and we can introduce corresponding qualities identified by the type of information they are concretizing. In the case shown in figure 1, the quality concretizing data packet information is simply called a data packet quality.

The threefold distinction introduced in BFO and extended in CCO has great representational power, insofar as it allows for the ontologist adopting it to represent different sides of the entities involved in information processing. Clearly, the full extent of the threefold distinction doesn’t need to be employed in all situations. For example, in some cases it might be sufficient to say that a malicious actor is trying to access or modify the information (ICE) stored on a certain device. Nevertheless, BFO and CCO allow for a more fine-grained distinction which can be used to model tampering of code, direct modification of information stored on a specific hardware, as well as tracking detailed provenance of information, and information about the specific place and time where a certain cyber-attack has taken place.

BFO and CCO offer a well-developed and stable pattern which can be used to ontologically represent information processing, copying and sharing, as well as related operations in cyberspace. Adopting these top- and mid-level ontological layers provides a starting semantic layer which will be extremely useful in bridging data coming from different sources for interoperability of cybersecurity data. The author wishes to acknowledge the insightful discussions with John Beverley, the members of the 2024 Ontology Engineering and Intelligence Analysis seminar at the University at Buffalo, and the members of the Cyber Ontology IEEE group.