=Paper= {{Paper |id=None |storemode=property |title=Developing an Ontology of the Cyber Security Domain |pdfUrl=https://ceur-ws.org/Vol-966/STIDS2012_T06_ObrstEtAl_CyberOntology.pdf |volume=Vol-966 |dblpUrl=https://dblp.org/rec/conf/stids/ObrstCM12 }} ==Developing an Ontology of the Cyber Security Domain== https://ceur-ws.org/Vol-966/STIDS2012_T06_ObrstEtAl_CyberOntology.pdf
Developing an Ontology of the Cyber Security Domain

Leo Obrst (a), Penny Chase (b), Richard Markeloff (a)
The MITRE Corporation
(a) McLean, VA
(b) Bedford, MA
{lobrst, pc, rmarkeloff}@mitre.org


Abstract— This paper reports on a trade study we performed to support the development of a Cyber ontology from an initial malware ontology. The goals of the Cyber ontology effort are first described, followed by a discussion of the ontology development methodology used. The main body of the paper then follows, which is a description of the potential ontologies and standards that could be utilized to extend the Cyber ontology from its initially constrained malware focus. These resources include, in particular, Cyber and malware standards, schemas, and terminologies that directly contributed to the initial malware ontology effort. Other resources are upper (sometimes called 'foundational') ontologies. Core concepts that any Cyber ontology will extend have already been identified and rigorously defined in these foundational ontologies. However, for lack of space, this section is profoundly reduced. In addition, utility ontologies that are focused on time, geospatial, person, events, and network operations are briefly described. These utility ontologies can be viewed as specialized super-domain or even mid-level ontologies, since they span many, if not most, ontologies -- including any Cyber ontology. An overall view of the ontological architecture used by the trade study is also given. The report on the trade study concludes with some proposed next steps in the iterative evolution of the Cyber ontology.

Index Terms—ontology, malware, cyber, trade study.

I. INTRODUCTION

This report is a trade study to support the development of a Cyber ontology. In this section we present the goals of both the Cyber ontology effort and this report. The following sections discuss the ontology development methodology and various ontologies and standards that could be utilized to extend the Cyber ontology. This report concludes with some proposed next steps in the iterative evolution of the Cyber ontology.

The ultimate goal of this effort is to develop an ontology of the cyber security domain, expressed in the OWL language, that will enable data integration across disparate data sources. Formally defined semantics will make it possible to execute precise searches and complex queries. Initially, this effort is focused on malware. Malware is one of the most prevalent threats to cyber security, and the MITRE team's work on the Malware Attribute Enumeration and Characterization (MAEC) language [1] provides a store of knowledge that can be readily leveraged.

As the scope of the ontology expands, the underlying conceptual framework will be provided by the Diamond Model of malicious activity [2], shown in Figure 1. The four corners of the diamond, Victim, Infrastructure, Capability, and Actor (the one threatening the victim), account for all the major dimensions of a malicious cyber threat.

Fig. 1. The Diamond Model of malicious activity (from [2]).

The primary goals of this document are to explain the process followed in developing the Cyber ontology and catalog the sources upon which it is based. A secondary goal is to provide a compilation of resources useful for constructing semantic models in the cyber security domain.

II. ONTOLOGY DEVELOPMENT METHODOLOGY

This section identifies the general methodology employed in the ontology development process, along with the specific methodology used to develop the Cyber ontology.

A. General Methodology

In general, the ontology development methodology employed here is called a "middle-out" approach. This means that it contains aspects of top-down analysis and bottom-up analysis. Bottom-up analysis requires understanding the semantics of the underlying data sources which are to be integrated. Top-down analysis requires understanding the semantics of the end-users who will actually use the resulting ontology-informed, semantically integrated set of data sources, i.e., the kinds of questions those end-users want to ask or could ask, given the enhanced capabilities resulting from the semantic integration of those data sources (e.g., questions that require temporal integration or reasoning, as over integrated timelines of events). See references [3-8].

These kinds of analyses result in the development of competency questions [7, 8]. These are the questions that need to be asked of the ontology in order to provide the targeted value to the users. As such, these questions can be viewed as the queries that need to be executed. These queries, in turn, can be viewed as a test procedure that indicates when the ontology development is sufficiently complete for a given stage of development, i.e., when those queries return results that are accurate, sufficiently rich, and at the right level of granularity as judged by a subject matter expert (SME).

Capturing the right competency questions is part of the requirements analysis phase of ontology development. These help identify use cases and scenarios. Taken together, the competency questions, use cases, and scenarios enable the requirements to be fleshed out.

The key to ontology development here is of course an understanding of the cyber domain, which drives the kinds of entities, properties, relationships, and potentially rules that will be needed in the ontology.

B. Specific Methodology

More specifically, the methodology used for the current ontology development is based on the following principles, focused on parsimony and reuse:

Reuse of existing ontologies: Existing ontologies are reused where possible. The methodology of reuse consists of the following steps:
A. Establish the base of possible existing ontologies in the domain areas of interest, including foundational, mid-level, utility, and reference ontologies.
B. When developing the current Cyber ontology, incorporate classes and properties (and definitions) that exist in the best of the ontologies of (A).
C. When the number of classes and properties incorporated from a given ontology of (A) into the Cyber ontology grows large, consider directly importing the given ontology into the Cyber ontology, and establishing equivalence relations between the classes of the (A) ontology and the classes of the Cyber ontology.

Harvesting of existing schemas, data dictionaries, glossaries, standards: Other structured and definitional resources are used when available, as a form of knowledge acquisition of the domain. These resources are analyzed for the kinds of entities, relationships, properties, attributes, and the range of values for those, expressed in the resource. Where it makes sense, and as correlated with other Cyber database schemas and expressed analyst questions and interests (and their decompositions), these entities, relationships, properties, and values are incorporated into the Cyber ontology, after refinement according to ontological engineering principles.

Keeping it simpler: Where possible, the simpler ontological approach is chosen. This can mean that, for example, where the choice is between a 4-D spacetime or a 3-D space and time conceptualization, the 3-D conceptualization is chosen because it is generally simpler for non-ontologists to understand.

C. Cyber Ontology Architecture

The final product of the ontology development methodology described above will be an ontology that consists of a number of modular sub-ontologies, rather than a single, monolithic ontology. Ontologies can be grouped into three broad categories of upper, mid-level and domain ontologies, according to their levels of abstraction [9]:
• Upper ontologies are high-level, domain-independent ontologies that provide common knowledge bases from which more domain-specific ontologies may be derived. Standard upper ontologies are also referred to as foundational or universal ontologies.
• Mid-level ontologies are less abstract and make assertions that span multiple domain ontologies. These ontologies may provide more concrete representations of abstract concepts found in the upper ontology. There is no clear demarcation point between upper and mid-level. Mid-level ontologies also encompass the set of ontologies that represent commonly used concepts, such as Time and Location. These commonly used ontologies are sometimes referred to as utility ontologies [10].
• Domain ontologies specify concepts particular to a domain of interest and represent those concepts and their relationships from a domain-specific perspective. Domain ontologies may be composed by importing mid-level ontologies. They may also extend concepts defined in mid-level or upper ontologies.

These categories and their roles in ontology architecture are shown in Figure 2, reproduced from [9]. A further discussion can be found in [10].

Fig. 2. Ontology architecture (from [9]): an Upper Ontology layer; a Mid-Level Ontology layer containing utility, mid-level and super-domain ontologies; and a Domain Ontology layer containing super-domain and domain ontologies.
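The competency-question test procedure of Section II.A and step (C) of the reuse methodology in Section II.B (importing a reused ontology and declaring class equivalences), as an added worked example that is not code from the paper or from MITRE. The modular ontology is held as plain (subject, predicate, object) triples, and the rdfs:subClassOf and owl:equivalentClass entailments the question depends on are computed directly, so no RDF library is needed. The namespaces up:, mw:, cy: and ex:, the class and instance names, and the cy:hasMechanism property are hypothetical; the instance data is constructed.

```python
"""Competency questions as a test procedure over a small modular ontology.

Added example, not code from the paper. Namespaces, classes, properties and
instances are hypothetical stand-ins for a Cyber ontology that imports a
separate malware ontology and declares class equivalences (reuse step C).
"""
from collections import defaultdict

RDF_TYPE = "rdf:type"
SUBCLASS = "rdfs:subClassOf"
EQUIV = "owl:equivalentClass"

# --- ontology modules (constructed sample data, hypothetical namespaces) ---
UPPER = {                                   # upper / foundational module
    ("up:Event", SUBCLASS, "up:Occurrent"),
    ("up:Artifact", SUBCLASS, "up:Continuant"),
}
MALWARE = {                                 # reused, imported malware module
    ("mw:Malware", SUBCLASS, "up:Artifact"),
    ("mw:Worm", SUBCLASS, "mw:Malware"),
    ("mw:Trojan", SUBCLASS, "mw:Malware"),
    ("mw:Mechanism", SUBCLASS, "up:Continuant"),
    ("mw:Propagation", SUBCLASS, "mw:Mechanism"),
}
CYBER = {                                   # the Cyber domain module
    ("cy:Malware", EQUIV, "mw:Malware"),    # reuse step C: equivalence axioms
    ("cy:Propagation", EQUIV, "mw:Propagation"),
    ("cy:Actor", SUBCLASS, "up:Continuant"),
}
DATA = {                                    # integrated instance data
    ("ex:sample-1", RDF_TYPE, "mw:Worm"),
    ("ex:sample-1", "cy:hasMechanism", "ex:mech-1"),
    ("ex:mech-1", RDF_TYPE, "mw:Propagation"),
    ("ex:sample-2", RDF_TYPE, "mw:Trojan"),
    ("ex:sample-2", "cy:hasMechanism", "ex:mech-2"),
    ("ex:mech-2", RDF_TYPE, "cy:SelfDefense"),
    ("ex:sample-3", RDF_TYPE, "cy:Malware"),
    ("ex:sample-3", "cy:hasMechanism", "ex:mech-3"),
    ("ex:mech-3", RDF_TYPE, "cy:Propagation"),
}
INTEGRATED = UPPER | MALWARE | CYBER | DATA

def superclasses(store):
    """Map each class to every class that subsumes it: owl:equivalentClass is
    treated as mutual rdfs:subClassOf, rdfs:subClassOf is closed transitively,
    and the result is made reflexive."""
    direct = defaultdict(set)
    for s, p, o in store:
        if p == SUBCLASS:
            direct[s].add(o)
        elif p == EQUIV:
            direct[s].add(o)
            direct[o].add(s)
    closure = {c: set(sups) for c, sups in direct.items()}
    changed = True
    while changed:                          # fixpoint over subClassOf chains
        changed = False
        for c in list(closure):
            before = len(closure[c])
            for sup in list(closure[c]):
                closure[c] |= closure.get(sup, set())
            changed |= len(closure[c]) != before
    for c in closure:
        closure[c].add(c)
    return closure

def instances_of(store, cls):
    """Instances whose asserted type is cls or any class subsumed by cls."""
    sup = superclasses(store)
    return {s for s, p, o in store if p == RDF_TYPE and cls in sup.get(o, {o})}

def cq_malware_with_mechanism(store, mechanism_cls):
    """Competency question: which malware instances have a mechanism of this class?"""
    mechs = instances_of(store, mechanism_cls)
    malware = instances_of(store, "cy:Malware")
    return sorted(s for s, p, o in store
                  if p == "cy:hasMechanism" and s in malware and o in mechs)

def run_competency_tests(store):
    """The SME-approved answers to the competency questions are the acceptance
    test for this development stage; each entry is (question, argument, answer)."""
    expected = {
        "propagating malware": (cq_malware_with_mechanism, "cy:Propagation",
                                ["ex:sample-1", "ex:sample-3"]),
    }
    return {name: fn(store, arg) == want for name, (fn, arg, want) in expected.items()}
```

The point is the last function: a competency question paired with its SME-judged answer is a regression test for the ontology. Remove the cy:Malware / mw:Malware equivalence axiom and the same question stops returning ex:sample-1, because its type mw:Worm is then no longer subsumed by cy:Malware; that is exactly the kind of incompleteness the test procedure is meant to surface before a stage is declared done.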
Figure 3 depicts the expected architecture of the Cyber ontology. Each rounded box represents a major category of concepts. These concepts can be arranged along a level of abstraction continuum from broad and general to domain-specific. The larger bounding boxes represent separate ontologies that span multiple concept categories. The ontologies shown in Figure 3 and the sources they are based on are described in the following section.

Fig. 3. The Cyber ontology architecture.

III. RESOURCES FOR THE MALWARE AND CYBER ONTOLOGIES: ONTOLOGIES, SCHEMAS, AND STANDARDS

There exist a variety of resources that can lay the groundwork for a Cyber ontology. This section presents a survey of those resources that we consider to be particularly applicable and important. These are not limited to ontologies, but also include taxonomies, lexica, and schemas.

A. Malware Resources

Published attempts to systematically categorize malware include one ontology [11] and three descriptive languages implemented in XML [1, 12, 13]. Also worthy of mention is an attempt at categorizing malware traits [14].

XML is a technology for defining text documents for information exchange, and the structure and content of a particular type of XML document is dictated by an XML schema. XML schemas offer enumerations of concepts and shared vocabularies for specific domains that can be useful as a basis for ontology development. However, XML schemas do not define formal semantics for the terms they contain, and are therefore not equivalent to ontologies.

1) Swimmer's Ontology of Malware Classes

A paper by Morton Swimmer [11] is the only non-trivial attempt to construct an ontological model of malware that we could identify. Swimmer's ontology is intended to enable data exchange between security software products. Swimmer's taxonomy of malware classes is shown in Figure 4.

Swimmer's malware class hierarchy is relatively simple. It organizes malware into well-known categories such as Trojan horse, virus, and worm. This may not be useful for malware instances that exhibit either behaviors from multiple classes or novel behaviors not associated with any recognized class.

Fig. 4. Swimmer's malware class hierarchy (from [11]).

In Swimmer's taxonomy of malware characteristics, all malware characteristics belong to one of three high-level classes:
• Payload. This is assumed to be programmed with malicious intent.
• Vector. This defines how the malware is deployed or spread.
• Obfuscation. Characteristics for evading detection.

In describing vector characteristics, Swimmer coins the term "insituacy" to mean "the state the Malware strives to be in through its actions".

2) MAEC: Malware Attribute Enumeration and Characterization

MAEC is intended as a language for addressing all known types, variants, and manifestations of malware. Current signature-based malware detection techniques identify malware using a single metadata entity (e.g., a file hash), and MAEC's primary goal is to provide a more flexible method for characterizing malware based on patterns of attributes such as behaviors, artifacts, and attack patterns. This stands in contrast with Swimmer's work, which is focused on predefined malware families and discernible intent.

Fig. 5. The MAEC architecture.

MAEC has a tiered architecture, as shown in Figure 5. At its lowest level, MAEC strives to portray what an instance of malware does by describing its actions, such as hardware accesses and system state changes. A distinction is drawn between semantics and syntactics by abstracting actions away from their implementations. This facilitates correlation between malware instances that do similar things at a low level but with different implementations (such as malware targeted at different platforms).

MAEC's middle level describes malware behaviors. Behaviors serve to organize and define the purpose behind low-level actions, whether in groups or as singletons. Behaviors can represent discrete components of malware functionality at a level that is useful for analysis, triage, detection, etc.

MAEC's top level summarizes malware in terms of its mechanisms. Mechanisms are organized groups of behaviors. Some examples would be propagation, insertion, and self-defense. Since there is likely a low upper bound on the number of possible mechanisms, they can be useful in understanding the composition of malware at a very high level.

There are other resources such as the Industry Connections Security Group (ICSG) Malware Metadata Exchange Format [12], and Zeltser's Categories of Common Malware Traits [14], which space limitations preclude us from elaborating.

B. Languages for Cyber Security Incidents

Howard and Longstaff's seminal work [15] represents an early attempt to establish a common language for describing computer and network security incidents. Since then, industry and standards organizations have promulgated several languages for describing computer and network security incidents. Some of the prominent ones are described below. These languages all share the goal of facilitating information sharing across the cyber security community.

OpenIOC is an XML format for sharing intelligence related to cyber security incidents. Intelligence is organized as Indicators of Compromise (IOCs), which represent patterns that suggest malicious activity. OpenIOC has been developed by MANDIANT [13] and offered as an open standard. MANDIANT's products are widely used by defense contractors, and consistency with OpenIOC facilitates processing information from the Defense Industrial Base (DIB). OpenIOC includes around 30 separate XML schemas that describe various classes of objects that can be used to detect suspicious activity, such as MD5 hashes, registry keys, IP addresses, etc. The OpenIOC schemas are probably the most comprehensive descriptions of these types of objects available. The MAEC team incorporated the OpenIOC objects into MAEC, and subsequently the OpenIOC objects formed the starting point for CybOX objects (CybOX is discussed in Section III.H).

IODEF [16] is a specification, in the form of an XML schema, developed by the Extended Incident Handling (INCH) Working Group of the Internet Engineering Task Force (IETF) [17]. IODEF is an information exchange format for Computer Security Incident Response Teams (CSIRTs). It also provides a basis for the development of interoperable tools and procedures for incident reporting.

The VERIS framework [18] is used by Verizon Business [19] to collect security incident data from anyone who volunteers to submit it. These data are collected using a Web application [20]. The goal is to collect data of sufficient quantity and quality to support statistical analyses. Verizon's data collection is based on what they refer to as the A4 Threat Model. In this model, security incidents are regarded as a series of events where an organization's information assets are adversely affected. These events have four descriptive dimensions:
• Agent: Whose actions affected the asset
• Action: What actions affected the asset
• Asset: Which assets were affected
• Attribute: How the asset was affected.

The details of the VERIS model are available online in a Wiki format [18].

C. Attack Patterns and Process Models

The literature offers a number of attempts to create taxonomies and conceptual models of cyber attacks and attack patterns. Howard and Longstaff's [15] attack model is shown in Figure 6. In their model, an attacker uses a tool to exploit a vulnerability. This produces an action on a target (which together comprise an event). The intention is to accomplish an unauthorized result.

Fig. 6. Howard and Longstaff's model of computer and network attacks (from [15]).

A more recent work in a similar vein [21], presented at the 2007 IEEE International Symposium on Network Computing and Applications, delineates a model for the attack process that consists of the following phases:
• Reconnaissance. The search for information about potential victims.
• Gain Access. Gaining access, at the desired level, to a victim's system.
• Privilege Escalation. Escalate the initial privilege level, as necessary.
• Victim Exploration. Gaining knowledge of the victim's system, including browsing files, searching user accounts, identifying hardware, identifying installed programs, and searching trusted hosts.
• Principal Actions. Taking steps to accomplish the ultimate objective of the attack, such as installing malicious software or compromising data integrity.

This model is shown in flowchart form in Figure 7, reproduced from [21].

Fig. 7. A proposed attack process model (from [21]).

Relevant discussions of attack phases can also be found in blog postings by Bejtlich [22] and Cloppert [23].

The CAPEC catalog [24] defines a taxonomy of attack patterns. The CAPEC catalog currently contains 68 categories and 400 attack patterns. Attack patterns are modeled after object-oriented design patterns, and by design they exclude low-level implementation details. Categories are containers for related attack patterns. The patterns are more or less aligned with the top two MAEC layers, and categories roughly correspond to MAEC mechanisms.

The WASC Threat Classification [25] is similar to CAPEC.

D. Foundational Ontologies for the Cyber Ontology

Modeling choices are made in the development of foundational ontologies that have a downward impact on mid-level and domain ontologies. We cannot describe some of these ontological choices here, but invite the reader to see [9].

There are several foundational ontologies that could be considered for use in the Cyber ontology. These range from Descriptive Ontology for Linguistic and Cognitive Engineering (DOLCE) [26], Basic Formal Ontology (BFO) [27], Object-Centered High-Level REference ontology (OCHRE) [28], General Formal Ontology (GFO) [29], Suggested Upper Merged Ontology (SUMO) [30], Unified Foundational Ontology (UFO) [31, 32], and Cyc/OpenCyc [33-35].

E. Utility Ontologies

The Cyber ontology will necessarily include concepts from domains that transcend cyber security, such as notions concerning people, time, space, and events. Where possible, the Cyber ontology will import existing ontologies to provide descriptions of these concepts. In this section we very briefly catalog the utility ontologies that we would consider for inclusion in the Cyber ontology.

1) Persons

Modeling the Actor and Victim nodes in Figure 1 will entail an ontological description of persons, their social roles and relationships, and their relationships to things. Among the available ontologies that might address this need, we include Friend Of A Friend (FOAF) [36] and DOLCE Social Objects [37], which includes social roles and organizations.

2) Time

The Cyber ontology will need to be able to express notions of time instants and intervals, as well as concepts related to clock and calendar time. Various theories of the structure of time have been proposed; see [38] for a survey. Of particular interest is Allen's Interval Algebra for temporal reasoning [39]. Allen's calculus defines 13 basic relations between two time intervals.

There are two W3C ontologies of temporal concepts, OWL-Time [40] and time-entry [41]. They both provide similar vocabularies for expressing facts about temporal intervals and instants, while time-entry also includes the concept of an event. Both ontologies contain object properties that implement the Allen relations. Also included in the ontologies are classes and relations for expressing intervals and instants in clock and calendar terms. Both ontologies include the concept of a time zone, and a separate global time zone ontology is available [42].

3) Geospatial

The Cyber ontology may require geospatial concepts to describe the physical locations of people or infrastructure. See [43] for a comprehensive survey of available geospatial ontologies. Another source of information about geospatial ontologies is the Spatial Ontology Community of Practice (SOCoP) [44]. SOCoP is chartered as a Community of Practice under the Best Practices Committee of the Federal CIO Council.

The two-dimensional analog to Allen's Interval Algebra for qualitative spatial representation is the Region Connection Calculus 8 (RCC-8) [45], so named because eight basic relations comprise the calculus. RCC theory can be extended to support reasoning about regions with indeterminate boundaries [46].

If it is the case that a significant portion of the geospatial information to be described by the Cyber ontology is in the form of text mentions of place names, then the GeoNames Ontology [47] may be suitable for inclusion in the ontology. Although GeoNames does not support RCC-8, it has relations such as locatedIn, nearby, and neighbor. It is accompanied by a knowledge base containing 140 million assertions about 7.5 million geographical objects that span the globe. A typical use for GeoNames is to infer what country a given town, city, or region is located in.
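The three MAEC tiers described in Section III.A.2 (actions abstracted away from their implementations, behaviors that group actions by purpose, mechanisms that group behaviors), as an added example that is not code from the paper or from the MAEC project. The action, behavior and mechanism names are an illustrative subset chosen for this example rather than MAEC's actual enumerations, the mapping rules are assumptions, and the two sandbox reports are constructed. The example shows the cross-platform correlation the abstraction enables: a Windows sample and a Linux sample with no raw observation in common are identical once described at the behavior tier.

```python
"""MAEC-style tiered abstraction: raw observations -> actions -> behaviors
-> mechanisms, and how correlation between two samples changes per tier.

Added example, not code from the paper or the MAEC project. Vocabulary and
mapping rules are illustrative assumptions; the reports are constructed.
"""

# Tier 0 (syntactics): platform-specific observations as a sandbox might
# report them: (platform, API, target). Constructed for a Windows and a
# Linux sample that do the same things with different implementations.
REPORTS = {
    "win-sample": [
        ("win32", "RegSetValueEx", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
        ("win32", "CreateFileW", r"C:\Users\victim\AppData\Roaming\svc.exe"),
        ("win32", "WSAConnect", "203.0.113.7:443"),
        ("win32", "NtQuerySystemInformation", "SystemKernelDebuggerInformation"),
    ],
    "lin-sample": [
        ("linux", "write", "/var/spool/cron/crontabs/victim"),
        ("linux", "open", "/home/victim/.cache/.svc"),
        ("linux", "connect", "203.0.113.7:443"),
        ("linux", "ptrace", "PTRACE_TRACEME"),
    ],
}

# Tier 1 (semantics): rules mapping (platform, API, target substring) to an
# implementation-independent action. First matching rule wins.
ACTION_RULES = [
    ("win32", "RegSetValueEx", r"\CurrentVersion\Run", "add_autorun_registry_value"),
    ("linux", "write", "/crontabs/", "add_cron_entry"),
    ("win32", "CreateFileW", "", "create_file"),
    ("linux", "open", "", "create_file"),
    ("win32", "WSAConnect", "", "connect_to_remote_host"),
    ("linux", "connect", "", "connect_to_remote_host"),
    ("win32", "NtQuerySystemInformation", "KernelDebugger", "check_for_debugger"),
    ("linux", "ptrace", "TRACEME", "check_for_debugger"),
]

# Tier 2: a behavior is the purpose shared by one or more actions.
BEHAVIOR_OF = {
    "add_autorun_registry_value": "persist_via_autostart",
    "add_cron_entry": "persist_via_autostart",
    "create_file": "drop_file",
    "connect_to_remote_host": "beacon_to_c2",
    "check_for_debugger": "detect_analysis_environment",
}
# Tier 3: a mechanism is an organized group of behaviors.
MECHANISM_OF = {
    "persist_via_autostart": "insertion",
    "drop_file": "insertion",
    "beacon_to_c2": "command_and_control",
    "detect_analysis_environment": "self_defense",
}

def abstract_actions(report):
    """Tier 1: map each raw observation to an abstract action; unmatched
    observations are dropped rather than guessed at."""
    actions = set()
    for platform, api, target in report:
        for rule_platform, rule_api, needle, action in ACTION_RULES:
            if platform == rule_platform and api == rule_api and needle in target:
                actions.add(action)
                break
    return actions

def tiers(report):
    """The sample's description at each tier, from raw syntax to mechanisms."""
    raw = {(api, target) for _, api, target in report}
    actions = abstract_actions(report)
    behaviors = {BEHAVIOR_OF[a] for a in actions}
    mechanisms = {MECHANISM_OF[b] for b in behaviors}
    return {"raw": raw, "actions": actions, "behaviors": behaviors, "mechanisms": mechanisms}

def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as identical."""
    return len(a & b) / len(a | b) if a | b else 1.0

def correlate(report_a, report_b):
    """Similarity of two samples at every tier, rounded to two decimals."""
    ta, tb = tiers(report_a), tiers(report_b)
    return {tier: round(jaccard(ta[tier], tb[tier]), 2) for tier in ta}
```

For the constructed reports, correlation at the raw tier is 0.0 because no Windows API name or path matches a Linux one; at the action tier the two samples already share three of five abstract actions (0.6); at the behavior and mechanism tiers they are identical (1.0). A detection or triage rule written against the behavior tier therefore survives a port of the malware to another platform, which a hash or API-name signature would not.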
F. Events and Situations

Events are entities that describe the occurrences of actions and changes in the real world. Situations represent histories of action occurrences. In this context at least, situations are not equivalent to states. Events and situations are dynamic and challenging to model in knowledge representation systems.

As in the temporal and spatial domains, logic formalisms have been created for representing and reasoning about events and situations. These are the event calculus [48] and situation calculus [49]. Both calculi employ the notion of fluents. A fluent is a condition that can change over time. The main elements of the event calculus are fluents and actions, and for the situation calculus they are fluents, actions and situations.

Notions of events and situations are included in several of the ontologies previously described. DOLCE, GFO, Cyc, and time-entry all have Event classes. GFO has a class named History that corresponds to the concept of a situation, and Cyc has a Situation class. BFO's ProcessualEntity class has subclasses that correspond closely to events and situations.

Ontologies for events and situations include a DOLCE extension for descriptions and situations [50], a proposed upper event ontology [51], and an ontology for Linking Open Descriptions of Events (LODE) [52].

G. Network Operations

A network operations (NetOps) OWL ontology was developed in 2009 by MITRE as part of the data strategy effort supporting the NetOps Community of Interest (COI). The NetOps ontology includes entities and events, and represents mission threads of interest to US federal government network management.

H. Other Cyber Resources

information, including adversaries, tactics, techniques and procedures (TTPs), incidents, indicators, vulnerabilities, and courses of action. Malware is included under the heading of TTPs. STIX references other schemas and cyber information, including MAEC, CybOX, CVE, and CPE.

Security Content Automation Protocol (SCAP) [56] is a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information. In its current incarnation [57], SCAP comprises seven specifications:
• eXtensible Configuration Checklist Description Format (XCCDF) [58], a language for authoring security checklists/benchmarks and for reporting results of checklist evaluation.
• Open Vulnerability and Assessment Language (OVAL) [59], a language for representing system configuration information, assessing machine state, and reporting assessment results.
• Open Checklist Interactive Language (OCIL) [60], a framework for expressing a set of questions to be presented to a user and corresponding procedures for interpreting responses to these questions.
• Common Platform Enumeration (CPE) [61], a nomenclature and dictionary of hardware, operating systems, and applications.
• Common Configuration Enumeration (CCE) [62], a nomenclature and dictionary of security software configurations.
    There are a number of other resources that can be mined
for concepts, abstractions, and relationships between entities            Common Vulnerabilities and Exposures (CVE) [63],
that may be suitable for inclusion in a Cyber ontology.                    a nomenclature and dictionary of security-related
    Common Event Expression (CEE) [53] is intended to                      software flaws.
standardize the way computer events are described, logged,
and exchanged. Some of these events would naturally                        Common Vulnerability Scoring System (CVSS) [64],
correspond to malware actions and behaviors. The CEE                        an open specification for measuring the relative
components most relevant to cyber security ontology                         severity of software flaw vulnerabilities
development are the Common Dictionary and Event                        Of these standards, the ones most germane to developing a
Expression Taxonomy (CDET). The dictionary defines a               Cyber ontology would be OVAL, CPE, CCE and CVE.
collection of event fields and field value types that are used     Parmelee [65] has outlined a semantic framework for these
throughout CEE to specify the values of properties associated      four standards built upon loosely-coupled modular ontologies.
with specific events. The taxonomy specifies event types.          Parmelee's framework is intended to simplify data
Examples of event types are user login, service restart,           interoperability across automated security systems based on
network connection, privilege elevation, and account creation.     the OVAL, CPE, CCE and CVE standards.
    A recent foundational schema for the cyber domain is
Cyber Observable Expression (CybOX) [54]. CybOX is                  IV. CYBER ONTOLOGY DEVELOPMENT: NEXT STEPS
designed for the specification, capture, characterization and          The current Cyber ontology is focused primarily on
communication of events or stateful properties observable in       malware and some preliminary aspects of the so-called
the cyber domain in support of a wide range of use cases.          'diamond model', which includes actors, victims,
MAEC and CEE both leverage CybOX for describing cyber              infrastructure, and capabilities. Necessarily, more of the
objects, actions, and events. An emerging schema is the            infrastructure and capabilities were developed first; however,
Structured Threat Information Expression (STIX) [55], which        even these are not yet developed to the level of detail that is
provides an overarching framework for describing threat            warranted, i.e., expanding on behavioral aspects and events, in
particular that are the core of Cyber, would make it more              [18] VERIS Framework. [Online]
useful. These are our next steps.                                           https://verisframework.wiki.zoho.com/.
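The event calculus outlined in subsection F above can be made concrete with a small program. The following is an added example, not code from the paper or from MITRE: a minimal Kowalski-and-Sergot style event calculus in Python, with Initiates/Terminates rules for a few CEE-style event types (user login, privilege elevation, account creation), a HoldsAt predicate with default persistence, the situation kept as a history of action occurrences (not a state, as the text notes), and the state derived from that history. The Initiates/Terminates rules and the event sequence are constructed for the example. It also shows why the history matters: deciding that a privilege elevation happened without a preceding login cannot be done from the single event.

```python
"""Event calculus over a constructed host-event narrative (added example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# A fluent is a condition that can change over time, written here as
# (condition, subject), e.g. ("logged_in", "alice").
Fluent = Tuple[str, str]


@dataclass(frozen=True)
class Action:
    """One action occurrence: a CEE-style event type, the account it concerns, a timestamp."""
    event_type: str
    actor: str
    time: int


def initiates(a: Action) -> Set[Fluent]:
    """Initiates(a, f): fluents that start holding after action a (constructed rules)."""
    if a.event_type == "user_login":
        return {("logged_in", a.actor)}
    if a.event_type == "privilege_elevation":
        return {("elevated", a.actor)}
    if a.event_type == "account_creation":
        return {("account_exists", a.actor)}
    return set()


def terminates(a: Action) -> Set[Fluent]:
    """Terminates(a, f): fluents that stop holding after action a (constructed rules)."""
    if a.event_type == "user_logout":
        return {("logged_in", a.actor), ("elevated", a.actor)}
    return set()


def situation_at(t: int, narrative: List[Action]) -> Tuple[Action, ...]:
    """The situation at t in the situation-calculus sense: the history of
    action occurrences strictly before t, in time order (not a state)."""
    return tuple(a for a in sorted(narrative, key=lambda x: x.time) if a.time < t)


def holds_at(f: Fluent, t: int, narrative: List[Action]) -> bool:
    """HoldsAt(f, t): f was initiated by some action before t and not terminated
    by a later action before t (the default-persistence / inertia axiom)."""
    holds = False
    for a in situation_at(t, narrative):
        if f in terminates(a):
            holds = False
        if f in initiates(a):
            holds = True
    return holds


def state_at(t: int, narrative: List[Action]) -> Set[Fluent]:
    """The state at t: every fluent for which HoldsAt(f, t) is true, derived from the situation."""
    candidates: Set[Fluent] = set()
    for a in narrative:
        candidates |= initiates(a)
    return {f for f in candidates if holds_at(f, t, narrative)}


def unexplained_elevations(narrative: List[Action]) -> List[Action]:
    """Privilege-elevation actions whose actor was not logged in when they
    happened; this needs the history, not just the one event."""
    return [a for a in sorted(narrative, key=lambda x: x.time)
            if a.event_type == "privilege_elevation"
            and not holds_at(("logged_in", a.actor), a.time, narrative)]


# Constructed narrative (not real log data).
NARRATIVE = [
    Action("user_login", "alice", 1),
    Action("privilege_elevation", "alice", 2),
    Action("user_logout", "alice", 3),
    Action("privilege_elevation", "bob", 4),   # no preceding login for bob
    Action("user_login", "bob", 5),
]

if __name__ == "__main__":
    for t in range(1, 7):
        print(t, sorted(state_at(t, NARRATIVE)))
    print("unexplained:", unexplained_elevations(NARRATIVE))
```

The `terminates` rule for logout clears both `logged_in` and `elevated`, so the elevated fluent does not persist past the session; a real ontology would make that dependency explicit rather than hard-coding it in a rule.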
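The paragraph on SCAP singles out OVAL, CPE, CCE and CVE as the standards whose interoperability Parmelee's framework targets. One concrete link among them is the question "which hosts carry a platform that a CVE lists as affected?", which is answered by matching CPE names. The following is an added example (not code from the paper, from MITRE, or from Parmelee): a parser for CPE 2.3 formatted strings, the binding defined in NIST IR 7695 (eleven colon-separated attributes, `\:` escaping a literal colon, `*` meaning ANY and `-` meaning NA), and a simplified applicability match over a constructed inventory. Only whole-attribute ANY/NA matching is implemented; the in-attribute wildcards of the full CPE name-matching specification are not.

```python
"""CPE 2.3 formatted-string parsing and simplified applicability matching (added example)."""
from typing import Dict, List

ATTRIBUTES = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")
PREFIX = "cpe:2.3:"


def _split_unescaped(s: str) -> List[str]:
    """Split on ':' but keep a backslash-escaped character (e.g. '\\:') as part of the value."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe23(name: str) -> Dict[str, str]:
    """Parse a 'cpe:2.3:...' formatted string into an attribute -> value map."""
    if not name.startswith(PREFIX):
        raise ValueError("not a CPE 2.3 formatted string")
    values = _split_unescaped(name[len(PREFIX):])
    if len(values) != len(ATTRIBUTES):
        raise ValueError(f"expected {len(ATTRIBUTES)} attributes, got {len(values)}")
    return dict(zip(ATTRIBUTES, values))


def matches(pattern: str, host_cpe: str) -> bool:
    """True if host_cpe falls under pattern: per attribute, '*' in the pattern
    matches any value, '-' matches only '-', anything else must be equal
    (CPE values are case-insensitive). Simplified: no in-attribute wildcards."""
    p, h = parse_cpe23(pattern), parse_cpe23(host_cpe)
    for attr in ATTRIBUTES:
        pv, hv = p[attr].lower(), h[attr].lower()
        if pv == "*":
            continue
        if pv != hv:
            return False
    return True


def affected_hosts(affected_platforms: List[str], inventory: Dict[str, List[str]]) -> List[str]:
    """Hosts whose inventory contains a CPE matching any affected-platform pattern."""
    return sorted(host for host, cpes in inventory.items()
                  if any(matches(pat, cpe) for pat in affected_platforms for cpe in cpes))


# Constructed affected-platform list (as a CVE record's applicability data
# would carry) and a constructed host inventory; no real CVE is implied.
AFFECTED = [
    "cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*",
]
INVENTORY = {
    "web-01": ["cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:*:*:*:*",
               "cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*"],
    "db-01": ["cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:*:*:*:*",
              "cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*"],
    "win-01": ["cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*"],
}

if __name__ == "__main__":
    print("affected:", affected_hosts(AFFECTED, INVENTORY))
```

The escaping matters in practice: a product name containing a colon is written `my\:product` in the formatted string, and a naive `split(":")` would shift every later attribute by one and silently break matching.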
ACKNOWLEDGMENT

    © 2012, The MITRE Corporation. All Rights Reserved. The views expressed in this paper are those of the authors alone and do not reflect the official policy or position of The MITRE Corporation or any other company or individual.

REFERENCES

[1] MAEC - Malware Attribute Enumeration and Characterization. [Online] http://maec.mitre.org/.
[2] Ingle, J. Organizing Intelligence to Respond to Network Intrusions and Attacks. Briefing for the DoD Information Assurance Symposium. Nashville, TN, 2010.
[3] Fernández, M., Gómez-Pérez, A. and Juristo, N. METHONTOLOGY: From Ontological Art to Ontological Engineering. AAAI97 Workshop on Ontological Engineering, Spring Symposium Series. Stanford University, 1997. pp. 33-40.
[4] Fernández, M. et al. Building a Chemical Ontology Using Methontology and the Ontology Design Environment. IEEE Intelligent Systems. January/February 1999. Vol. 14, 1. http://www.aifb.uni-karlsruhe.de/Lehrangebot/Sommer2001/SemanticWeb/papers/chemical_ontology.pdf.
[5] Fernández, M. Overview of Methodologies for Building Ontologies. IJCAI-99 Workshop on Ontologies and Problem-Solving Methods: Lessons Learned and Future Trends. August 1999.
[6] Gómez-Pérez, A., Fernández, M. and de Vicente, A. Towards a Method to Conceptualize Domain Ontologies. ECAI '96 Workshop on Ontological Engineering. Budapest, Hungary, 1996. pp. 41-52.
[7] Gruninger, M. and Fox, M. S. Methodology for the design and evaluation of ontologies. Montreal, 1995.
[8] Uschold, M. and Gruninger, M. Ontologies: Principles, Methods, and Applications. The Knowledge Engineering Review. 1996. Vol. 11, 2, pp. 93-136.
[9] Obrst, L. Ontological Architectures. [ed.] Roberto Poli, Michael Healy and Achilles Kameas. Chapter 2 in Part One: Ontology as Technology, in TAO – Theory and Applications of Ontology, Volume 2: Computer Applications. Springer, 2010.
[10] Semy, S., Pulvermacher, M. and Obrst, L. Toward the Use of an Upper Ontology for U.S. Government and U.S. Military Domains: An Evaluation. MITRE Technical Report, MTR 04B0000063. November 2005.
[11] Swimmer, M. Towards An Ontology of Malware Classes. [Online] January 27, 2008. http://www.scribd.com/doc/24058261/Towards-an-Ontology-of-Malware-Classes.
[12] IEEE-SA - Industry Connections. [Online] http://standards.ieee.org/develop/indconn/icsg/malware.html.
[13] MANDIANT: Intelligent Information Security. [Online] http://www.mandiant.com.
[14] Zeltser, L. Categories of Common Malware Traits. Internet Storm Center Handler's Diary. [Online] Sept. 25, 2009. http://isc.sans.edu/diary.html?storyid=7186.
[15] Howard, J. D. and Longstaff, T. A Common Language for Computer Security Incidents. Technical Report. Sandia National Laboratories, 1998.
[16] Cover Pages: Incident Object Description and Exchange Format (IODEF). [Online] http://xml.coverpages.org/iodef.html.
[17] Internet Engineering Task Force. [Online] http://www.ietf.org/.
[18] VERIS Framework. [Online] https://verisframework.wiki.zoho.com/.
[19] Verizon Business. [Online] http://www.verizonbusiness.com/.
[20] Verizon Incident Classification and Reporting. [Online] https://www2.icsalabs.com/veris/incidents/new#/welcome.
[21] Gadelrab, M., Abou El Kalam, A. and Deswarte, Y. Execution Patterns in Automatic Malware and Human-Centric Attacks. IEEE International Symposium on Network Computing and Applications. 2008.
[22] Bejtlich, R. TaoSecurity: Incident Phases of Compromise. [Online] June 6, 2009. http://taosecurity.blogspot.com/2009/06/incident-phases-of-compromise.html.
[23] Cloppert, M. Security Intelligence: Attacking the Kill Chain. [Online] Oct. 14, 2009. http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/.
[24] CAPEC - Common Attack Pattern Enumeration and Classification. [Online] http://capec.mitre.org/.
[25] The Web Application Security Consortium / Threat Classification. [Online] http://projects.webappsec.org/w/page/13246978/Threat-Classification.
[26] Laboratory for Applied Ontology - DOLCE. [Online] http://www.loa-cnr.it/DOLCE.html.
[27] Basic Formal Ontology (BFO). [Online] http://www.ifomis.org/bfo.
[28] Schneider, L. How to Build a Foundational Ontology -- The Object-Centered High-level Reference Ontology OCHRE. Proceedings of the 26th Annual German Conference on AI, KI 2003: Advances in Artificial Intelligence. 2003.
[29] General Formal Ontology (GFO). [Online] http://www.onto-med.de/ontologies/gfo/.
[30] Niles, I. and Pease, A. Towards a Standard Upper Ontology. [ed.] Chris Welty and Barry Smith. Proceedings of the 2nd International Conference on Formal Ontology in Information Systems (FOIS-2001). 2001.
[31] Guizzardi, G. and Wagner, G. Some Applications of a Unified Foundational Ontology in Business. [ed.] Michael Rosemann and Peter Green. Ontologies and Business Systems Analysis. IDEA Publisher, 2005.
[32] Guizzardi, G. and Wagner, G. Towards Ontological Foundations for Agent Modeling Concepts using UFO. Agent-Oriented Information Systems (AOIS), selected revised papers of the Sixth International Bi-Conference Workshop on Agent-Oriented Information Systems. Springer-Verlag, 2005.
[33] Cycorp, Inc. [Online] http://cyc.com/cyc/technology/whatiscyc_dir/whatsincyc.
[34] Cycorp, Inc. [Online] http://cyc.com/cyc.
[35] OpenCyc.org. [Online] http://www.opencyc.org/.
[36] The Friend of a Friend (FOAF) project. [Online] http://www.foaf-project.org/.
[37] Masolo, C. et al. Social Roles and their Descriptions. Proceedings of KR'2004. 2004. pp. 267-277.
[38] Hayes, P. A Catalog of Temporal Theories. Technical Report UIUC-BI-AI-96-01. University of Illinois, 1996.
[39] Allen, J. F. Maintaining knowledge about temporal intervals. Communications of the ACM. 1983. Vol. 26, 11, pp. 832-843.
[40] Hobbs, J. R. and Pan, F. An Ontology of Time for the Semantic Web. ACM Transactions on Asian Language Information Processing (TALIP): Special issue on Temporal Information Processing. 2004. Vol. 3, 1, pp. 66-85.
[41] Pan, F. and Hobbs, J. R. Time in OWL-S. Proceedings of the AAAI Spring Symposium on Semantic Web Services. Stanford University, 2004. pp. 29-36.
[42] A Time Zone Resource in OWL. [Online] http://www.isi.edu/~hobbs/timezonehomepage.html.
[43] Ressler, J., Dean, M. and Kolas, D. Geospatial Ontology Trade Study. [ed.] Terry Janssen, Werner Ceusters and Leo Obrst. Ontologies and Semantic Technologies for Intelligence. Amsterdam, Berlin, Tokyo, Washington D.C.: IOS Press, 2010. Chapter 11, pp. 179-212.
[44] Spatial Ontology Community of Practice (SOCoP). [Online] http://www.socop.org/.
[45] Randell, D., Cui, Z. and Cohn, A. A spatial logic based on regions and connection. Proceedings of the 3rd International Conference on Principles of Knowledge Representation and Reasoning. Cambridge, MA, 1992. pp. 165-176.
[46] Cohn, A. and Gotts, N. The 'Egg-Yolk' representation of regions with indeterminate boundaries. [ed.] P. Burrough and A. M. Frank. Proceedings, GISDATA Specialist Meeting on Geographical Objects with Undetermined Boundaries. Taylor & Francis, 1996. pp. 171-187.
[47] GeoNames Ontology - Geo Semantic Web. [Online] http://www.geonames.org/ontology/documentation.html.
[48] Kowalski, R. and Sergot, M. A Logic-based Calculus of Events. New Generation Computing. 1986. Vol. 4, pp. 67-95.
[49] Reiter, R. The frame problem in the situation calculus: a simple solution (sometimes) and a completeness result for goal regression. [ed.] Vladimir Lifschitz. Artificial intelligence and mathematical theory of computation: papers in honour of John McCarthy. San Diego, CA: Academic Press Professional, Inc., 1991. pp. 359-380.
[50] Gangemi, A. and Mika, P. Understanding the Semantic Web through Descriptions and Situations. Proceedings of CoopIS/DOA/ODBASE. 2003. pp. 689-706.
[51] Kaneiwa, K., Iwazume, M. and Fukuda, K. An upper ontology for event classifications and relations. AI'07: Proceedings of the 20th Australian Joint Conference on Advances in Artificial Intelligence. 2007.
[52] LODE: Linking Open Descriptions of Events. [Online] http://escholarship.org/uc/item/4pd6b5mh.
[53] Common Event Expression: CEE, A Standard Log Language for Event Interoperability in Electronic Systems. [Online] http://cee.mitre.org/.
[54] CybOX – Cyber Observable Expression. [Online] http://cybox.mitre.org/.
[55] STIX whitepaper. [Online] http://measurablesecurity.mitre.org/docs/STIX-Whitepaper.pdf.
[56] The Security Content Automation Protocol (SCAP) - NIST. [Online] http://scap.nist.gov/.
[57] Quinn, Waltermire, Johnson, Scarfone and Banghart. The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1 (DRAFT). Gaithersburg, MD: NIST, 2011. SP 800-126.
[58] XCCDF - The eXtensible Configuration Checklist Description Format - The Security Content Automation Protocol (SCAP) - NIST. [Online] http://scap.nist.gov/specifications/xccdf/.
[59] OVAL - Open Vulnerability and Assessment Language. [Online] http://oval.mitre.org/.
[60] OCIL - The Open Checklist Interactive Language - The Security Content Automation Protocol (SCAP) - NIST. [Online] http://scap.nist.gov/specifications/ocil/.
[61] CPE - Common Platform Enumeration. [Online] http://cpe.mitre.org/.
[62] Common Configuration Enumeration (CCE): Unique Identifiers for Common System Configuration Issues. [Online] http://cce.mitre.org/.
[63] CVE - Common Vulnerabilities and Exposures. [Online] http://cve.mitre.org/.
[64] Common Vulnerability Scoring System (CVSS-SIG). [Online] http://www.first.org/cvss/.
[65] Parmelee, M. Toward an Ontology Architecture for Cyber-Security Standards. Semantic Technologies for Intelligence, Defense, and Security (STIDS) 2010. George Mason University, Fairfax, VA, 2010.