Developing an Ontology of the Cyber Security Domain

Leo Obrst (a), Penny Chase (b), Richard Markeloff (a)
The MITRE Corporation
(a) McLean, VA
(b) Bedford, MA
{lobrst, pc, rmarkeloff}@mitre.org

Abstract— This paper reports on a trade study we performed to support the development of a Cyber ontology from an initial malware ontology. The goals of the Cyber ontology effort are first described, followed by a discussion of the ontology development methodology used. The main body of the paper then follows, which is a description of the potential ontologies and standards that could be utilized to extend the Cyber ontology from its initially constrained malware focus. These resources include, in particular, Cyber and malware standards, schemas, and terminologies that directly contributed to the initial malware ontology effort. Other resources are upper (sometimes called 'foundational') ontologies. Core concepts that any Cyber ontology will extend have already been identified and rigorously defined in these foundational ontologies. However, for lack of space, this section is profoundly reduced. In addition, utility ontologies that are focused on time, geospatial, person, events, and network operations are briefly described. These utility ontologies can be viewed as specialized super-domain or even mid-level ontologies, since they span many, if not most, ontologies -- including any Cyber ontology. An overall view of the ontological architecture used by the trade study is also given. The report on the trade study concludes with some proposed next steps in the iterative evolution of the Cyber ontology.

Index Terms—ontology, malware, cyber, trade study.

I. INTRODUCTION

This report is a trade study to support the development of a Cyber ontology. In this section we present the goals of both the Cyber ontology effort and this report. The following sections discuss the ontology development methodology and various ontologies and standards that could be utilized to extend the Cyber ontology. This report concludes with some proposed next steps in the iterative evolution of the Cyber ontology.

The ultimate goal of this effort is to develop an ontology of the cyber security domain, expressed in the OWL language, that will enable data integration across disparate data sources. Formally defined semantics will make it possible to execute precise searches and complex queries. Initially, this effort is focused on malware. Malware is one of the most prevalent threats to cyber security, and the MITRE team's work on the Malware Attribute Enumeration and Characterization (MAEC) language [1] provides a store of knowledge that can be readily leveraged.

As the scope of the ontology expands, the underlying conceptual framework will be provided by the Diamond Model of malicious activity [2], shown in Figure 1. The four corners of the diamond, Victim, Infrastructure, Capability, and Actor (the one threatening the victim), account for all the major dimensions of a malicious cyber threat.

Fig. 1. The Diamond Model of malicious activity (from [2]).

The primary goals of this document are to explain the process followed in developing the Cyber ontology and to catalog the sources upon which it is based. A secondary goal is to provide a compilation of resources useful for constructing semantic models in the cyber security domain.

II. ONTOLOGY DEVELOPMENT METHODOLOGY

This section identifies the general methodology employed in the ontology development process, along with the specific methodology used to develop the Cyber ontology.

A. General Methodology

In general, the ontology development methodology employed here is called a "middle-out" approach. This means that it contains aspects of top-down analysis and bottom-up analysis. Bottom-up analysis requires understanding the semantics of the underlying data sources which are to be integrated. Top-down analysis requires understanding the semantics of the end-users who will actually use the resulting ontology-informed, semantically integrated set of data sources, i.e., the kinds of questions those end-users want to ask or could ask, given the enhanced capabilities resulting from the semantic integration of those data sources (e.g., questions that require temporal integration or reasoning, as over integrated timelines of events). See references [3-8].

These kinds of analyses result in the development of competency questions [7, 8]. These are the questions that need to be asked of the ontology in order to provide the targeted value to the users. As such, these questions can be viewed as the queries that need to be executed. These queries, in turn, can be viewed as a test procedure that indicates when the ontology development is sufficiently complete for a given stage of development, i.e., when those queries return results that are accurate, sufficiently rich, and at the right level of granularity as judged by a subject matter expert (SME).

Capturing the right competency questions is part of the requirements analysis phase of ontology development. These help identify use cases and scenarios. Taken together, the competency questions, use cases, and scenarios enable the requirements to be fleshed out.

The key to ontology development here is of course an understanding of the cyber domain, which drives the kinds of entities, properties, relationships, and potentially rules that will be needed in the ontology.

B. Specific Methodology

More specifically, the methodology used for the current ontology development is based on the following principles, focused on parsimony and reuse:

Reuse of existing ontologies: Existing ontologies are reused where possible. The methodology of reuse consists of the following steps:

A. Establish the base of possible existing ontologies in the domain areas of interest, including foundational, mid-level, utility, and reference ontologies.

B. When developing the current Cyber ontology, incorporate classes and properties (and definitions) that exist in the best of the ontologies of (A).

C. When the number of classes and properties incorporated from a given ontology of (A) into the Cyber ontology grows large, consider directly importing the given ontology into the Cyber ontology, and establishing equivalence relations between the classes of the (A) ontology and the classes of the Cyber ontology.

Harvesting of existing schemas, data dictionaries, glossaries, standards: Other structured and definitional resources are used when available, as a form of knowledge acquisition of the domain. These resources are analyzed for the kinds of entities, relationships, properties, attributes, and the range of values for those, expressed in the resource. Where it makes sense, and as correlated with other Cyber database schemas and expressed analyst questions and interests (and their decompositions), these entities, relationships, properties, and values are incorporated into the Cyber ontology, after refinement according to ontological engineering principles.

Keeping it simpler: Where possible, the simpler ontological approach is chosen. This can mean that, for example, where the choice is between a 4-D spacetime or a 3-D space and time conceptualization, the 3-D conceptualization is chosen because it is generally simpler for non-ontologists to understand.

C. Cyber Ontology Architecture

The final product of the ontology development methodology described above will be an ontology that consists of a number of modular sub-ontologies, rather than a single, monolithic ontology. Ontologies can be grouped into three broad categories of upper, mid-level and domain ontologies, according to their levels of abstraction [9]:

• Upper ontologies are high-level, domain-independent ontologies that provide common knowledge bases from which more domain-specific ontologies may be derived. Standard upper ontologies are also referred to as foundational or universal ontologies.

• Mid-level ontologies are less abstract and make assertions that span multiple domain ontologies. These ontologies may provide more concrete representations of abstract concepts found in the upper ontology. There is no clear demarcation point between upper and mid-level. Mid-level ontologies also encompass the set of ontologies that represent commonly used concepts, such as Time and Location. These commonly used ontologies are sometimes referred to as utility ontologies [10].

• Domain ontologies specify concepts particular to a domain of interest and represent those concepts and their relationships from a domain-specific perspective. Domain ontologies may be composed by importing mid-level ontologies. They may also extend concepts defined in mid-level or upper ontologies.

These categories and their roles in ontology architecture are shown in Figure 2, reproduced from [9]. A further discussion can be found in [10].

Fig. 2. Ontology architecture (from [9]). [Figure: three layers labelled Upper Ontology, Mid-Level Ontology (including Utility and Super Domain ontologies), and Domain Ontology.]

Figure 3 depicts the expected architecture of the Cyber ontology. Each rounded box represents a major category of concepts. These concepts can be arranged along a level-of-abstraction continuum from broad and general to domain-specific. The larger bounding boxes represent separate ontologies that span multiple concept categories. The ontologies shown in Figure 3 and the sources they are based on are described in the following section.

Fig. 3. The Cyber ontology architecture.

III. RESOURCES FOR THE MALWARE AND CYBER ONTOLOGIES: ONTOLOGIES, SCHEMAS, AND STANDARDS

There exist a variety of resources that can lay the groundwork for a Cyber ontology. This section presents a survey of those resources that we consider to be particularly applicable and important. These are not limited to ontologies, but also include taxonomies, lexica, and schemas.

A. Malware Resources

Published attempts to systematically categorize malware include one ontology [11] and three descriptive languages implemented in XML [1, 12, 13]. Also worthy of mention is an attempt at categorizing malware traits [14].

XML is a technology for defining text documents for information exchange, and the structure and content of a particular type of XML document is dictated by an XML schema. XML schemas offer enumerations of concepts and shared vocabularies for specific domains that can be useful as a basis for ontology development. However, XML schemas do not define formal semantics for the terms they contain, and are therefore not equivalent to ontologies.

1) Swimmer's Ontology of Malware Classes

A paper by Morton Swimmer [11] is the only non-trivial attempt to construct an ontological model of malware that we could identify. Swimmer's ontology is intended to enable data exchange between security software products. Swimmer's taxonomy of malware classes is shown in Figure 4.

Swimmer's malware class hierarchy is relatively simple. It organizes malware into well-known categories such as Trojan horse, virus, and worm. This may not be useful for malware instances that exhibit either behaviors from multiple classes or novel behaviors not associated with any recognized class.

Fig. 4. Swimmer's malware class hierarchy (from [11]).

In Swimmer's taxonomy of malware characteristics, all malware characteristics belong to one of three high-level classes:

• Payload. This is assumed to be programmed with malicious intent.
• Vector. This defines how the malware is deployed or spread.
• Obfuscation. Characteristics for evading detection.

In describing vector characteristics, Swimmer coins the term "insituacy" to mean "the state the Malware strives to be in through its actions".

2) MAEC: Malware Attribute Enumeration and Characterization

MAEC is intended as a language for addressing all known types, variants, and manifestations of malware. Current signature-based malware detection techniques identify malware using a single metadata entity (e.g., a file hash), and MAEC's primary goal is to provide a more flexible method for characterizing malware based on patterns of attributes such as behaviors, artifacts, and attack patterns. This stands in contrast with Swimmer's work, which is focused on predefined malware families and discernible intent.

Fig. 5. The MAEC architecture.

MAEC has a tiered architecture, as shown in Figure 5. At its lowest level, MAEC strives to portray what an instance of malware does by describing its actions, such as hardware accesses and system state changes. A distinction is drawn between semantics and syntactics by abstracting actions away from their implementations. This facilitates correlation between malware instances that do similar things at a low level but with different implementations (such as malware targeted at different platforms).

MAEC's middle level describes malware behaviors. Behaviors serve to organize and define the purpose behind low-level actions, whether in groups or as singletons. Behaviors can represent discrete components of malware functionality at a level that is useful for analysis, triage, detection, etc.

MAEC's top level summarizes malware in terms of its mechanisms. Mechanisms are organized groups of behaviors. Some examples would be propagation, insertion, and self-defense. Since there is likely a low upper bound on the number of possible mechanisms, they can be useful in understanding the composition of malware at a very high level.

There are other resources such as the Industry Connections Security Group (ICSG) Malware Metadata Exchange Format [12], and Zeltser's Categories of Common Malware Traits [14], which space limitations preclude us from elaborating on.

B. Languages for Cyber Security Incidents

Howard and Longstaff's seminal work [15] represents an early attempt to establish a common language for describing computer and network security incidents. Since then, industry and standards organizations have promulgated several languages for describing computer and network security incidents. Some of the prominent ones are described below. These languages all share the goal of facilitating information sharing across the cyber security community.

OpenIOC is an XML format for sharing intelligence related to cyber security incidents. Intelligence is organized as Indicators of Compromise (IOCs), which represent patterns that suggest malicious activity. OpenIOC has been developed by MANDIANT [13] and offered as an open standard. MANDIANT's products are widely used by defense contractors, and consistency with OpenIOC facilitates processing information from the Defense Industrial Base (DIB). OpenIOC includes around 30 separate XML schemas that describe various classes of objects that can be used to detect suspicious activity, such as MD5 hashes, registry keys, IP addresses, etc. The OpenIOC schemas are probably the most comprehensive descriptions of these types of objects available. The MAEC team incorporated the OpenIOC objects into MAEC, and subsequently the OpenIOC objects formed the starting point for CybOX objects (CybOX is discussed in Section III.H).

IODEF [16] is a specification, in the form of an XML schema, developed by the Extended Incident Handling (INCH) Working Group of the Internet Engineering Task Force (IETF) [17]. IODEF is an information exchange format for Computer Security Incident Response Teams (CSIRTs). It also provides a basis for the development of interoperable tools and procedures for incident reporting.

The VERIS framework [18] is used by Verizon Business [19] to collect security incident data from anyone who volunteers to submit it. These data are collected using a Web application [20]. The goal is to collect data of sufficient quantity and quality to support statistical analyses. Verizon's data collection is based on what they refer to as the A4 Threat Model. In this model, security incidents are regarded as a series of events where an organization's information assets are adversely affected. These events have four descriptive dimensions:

• Agent: Whose actions affected the asset
• Action: What actions affected the asset
• Asset: Which assets were affected
• Attribute: How the asset was affected.

The details of the VERIS model are available online in a Wiki format [18].

C. Attack Patterns and Process Models

The literature offers a number of attempts to create taxonomies and conceptual models of cyber attacks and attack patterns. Howard and Longstaff's [15] attack model is shown in Figure 6. In their model, an attacker uses a tool to exploit a vulnerability. This produces an action on a target (which together comprise an event). The intention is to accomplish an unauthorized result.

Fig. 6. Howard and Longstaff's model of computer and network attacks (from [15]).

A more recent work in a similar vein [21], presented at the 2007 IEEE International Symposium on Network Computing and Applications, delineates a model for the attack process that consists of the following phases:

• Reconnaissance. The search for information about potential victims.
• Gain Access. Gaining access, at the desired level, to a victim's system.
• Privilege Escalation. Escalate the initial privilege level, as necessary.
• Victim Exploration. Gaining knowledge of the victim's system, including browsing files, searching user accounts, identifying hardware, identifying installed programs, and searching trusted hosts.
• Principal actions. Taking steps to accomplish the ultimate objective of the attack, such as installing malicious software or compromising data integrity.

This model is shown in flowchart form in Figure 7, reproduced from [21].

Fig. 7. A proposed attack process model (from [21]).

Relevant discussions of attack phases can also be found in blog postings by Bejtlich [22] and Cloppert [23].

The CAPEC catalog [24] defines a taxonomy of attack patterns. The CAPEC catalog currently contains 68 categories and 400 attack patterns. Attack patterns are modeled after object-oriented design patterns, and by design they exclude low-level implementation details. Categories are containers for related attack patterns. The patterns are more or less aligned with the top two MAEC layers, and categories roughly correspond to MAEC mechanisms.

The WASC Threat Classification [25] is similar to CAPEC.

D. Foundational Ontologies for the Cyber Ontology

Modeling choices are made in the development of foundational ontologies that have a downward impact on mid-level and domain ontologies. We cannot describe some of these ontological choices here, but invite the reader to see [9].

There are several foundational ontologies that could be considered for use in the Cyber ontology. These range from Descriptive Ontology for Linguistic and Cognitive Engineering (DOLCE) [26], Basic Formal Ontology (BFO) [27], Object-Centered High-Level REference ontology (OCHRE) [28], Generic Formal Ontology (GFO) [29], Suggested Upper Merged Ontology (SUMO) [30], Unified Foundational Ontology (UFO) [31, 32], to Cyc/OpenCyc [33-35].

E. Utility Ontologies

The Cyber ontology will necessarily include concepts from domains that transcend cyber security, such as notions concerning people, time, space, and events. Where possible, the Cyber ontology will import existing ontologies to provide descriptions of these concepts. In this section we very briefly catalog the utility ontologies that we would consider for inclusion in the Cyber ontology.

1) Persons

Modeling the Actor and Victim nodes in Figure 1 will entail an ontological description of persons, their social roles and relationships, and their relationships to things. Among the available ontologies that might address this need, we include Friend Of A Friend (FOAF) [36] and DOLCE Social Objects [37], which includes social roles and organizations.

2) Time

The Cyber ontology will need to be able to express notions of time instances and intervals, as well as concepts related to clock and calendar time. Various theories of the structure of time have been proposed; see [38] for a survey. Of particular interest is Allen's Interval Algebra for temporal reasoning [39]. Allen's calculus defines 13 basic relations between two time intervals.

There are two W3C standard ontologies of temporal concepts, OWL-Time [40] and time-entry [41]. They both provide similar vocabularies for expressing facts about temporal intervals and instants, while time-entry also includes the concept of an event. Both ontologies contain object properties that implement the Allen relations. Also included in the ontologies are classes and relations for expressing intervals and instants in clock and calendar terms. Both ontologies include the concept of a time zone, and a separate global time zone ontology is available [42].

3) Geospatial

The Cyber ontology may require geospatial concepts to describe the physical locations of people or infrastructure. See [43] for a comprehensive survey of available geospatial ontologies. Another source of information about geospatial ontologies is the Spatial Ontology Community of Practice (SOCoP) [44]. SOCoP is chartered as a Community of Practice under the Best Practices Committee of the Federal CIO Council.

The two-dimensional analog to Allen's Interval Algebra for qualitative spatial representation is the Region Connection Calculus 8 (RCC-8) [45], so named because eight basic relations comprise the calculus. RCC theory can be extended to support reasoning about regions with indeterminate boundaries [46].

If it is the case that a significant portion of the geospatial information to be described by the Cyber ontology is in the form of text mentions of place names, then the GeoNames Ontology [47] may be suitable for inclusion in the ontology. Although GeoNames does not support RCC-8, it has relations such as locatedIn, nearby, and neighbor. It is accompanied by a knowledge base containing 140 million assertions about 7.5 million geographical objects that span the globe. A typical use for GeoNames is to infer what country a given town, city, or region is located in.

F. Events and Situations

Events are entities that describe the occurrences of actions and changes in the real world. Situations represent histories of action occurrences. In this context at least, situations are not equivalent to states. Events and situations are dynamic and challenging to model in knowledge representation systems.

As in the temporal and spatial domains, logic formalisms have been created for representing and reasoning about events and situations. These are the event calculus [48] and the situation calculus [49]. Both calculi employ the notion of fluents. A fluent is a condition that can change over time. The main elements of the event calculus are fluents and actions, and for the situation calculus they are fluents, actions and situations.

Notions of events and situations are included in several of the ontologies previously described. DOLCE, GFO, Cyc, and time-entry all have Event classes. GFO has a class named History that corresponds to the concept of a situation, and Cyc has a Situation class. BFO's ProcessualEntity class has subclasses that correspond closely to events and situations. Ontologies for events and situations include a DOLCE extension for descriptions and situations [50], a proposed upper event ontology [51], and an ontology for Linking Open Descriptions of Events (LODE) [52].

G. Network Operations

A network operations (NetOps) OWL ontology was developed in 2009 by MITRE as part of the data strategy effort supporting the NetOps Community of Interest (COI). The NetOps ontology includes entities and events, and represents mission threads of interest to US federal government network management.

H. Other Cyber Resources

There are a number of other resources that can be mined for concepts, abstractions, and relationships between entities that may be suitable for inclusion in a Cyber ontology.

Common Event Expression (CEE) [53] is intended to standardize the way computer events are described, logged, and exchanged. Some of these events would naturally correspond to malware actions and behaviors. The CEE components most relevant to cyber security ontology development are the Common Dictionary and Event Expression Taxonomy (CDET). The dictionary defines a collection of event fields and field value types that are used throughout CEE to specify the values of properties associated with specific events. The taxonomy specifies event types. Examples of event types are user login, service restart, network connection, privilege elevation, and account creation.

A recent foundational schema for the cyber domain is Cyber Observable Expression (CybOX) [54]. CybOX is designed for the specification, capture, characterization and communication of events or stateful properties observable in the cyber domain in support of a wide range of use cases. MAEC and CEE both leverage CybOX for describing cyber objects, actions, and events. An emerging schema is the Structured Threat Information Expression (STIX) [55], which provides an overarching framework for describing threat information, including adversaries, tactics, techniques and procedures (TTPs), incidents, indicators, vulnerabilities, and courses of action. Malware is included under the heading of TTPs. STIX references other schemas and cyber information, including MAEC, CybOX, CVE, and CPE.

Security Content Automation Protocol (SCAP) [56] is a suite of specifications that standardize the format and nomenclature by which security software products communicate software flaw and security configuration information. In its current incarnation [57], SCAP comprises seven specifications:

• eXtensible Configuration Checklist Description Format (XCCDF) [58], a language for authoring security checklists/benchmarks and for reporting results of checklist evaluation.
• Open Vulnerability and Assessment Language (OVAL) [59], a language for representing system configuration information, assessing machine state, and reporting assessment results.
• Open Checklist Interactive Language (OCIL) [60], a framework for expressing a set of questions to be presented to a user and corresponding procedures for interpreting responses to these questions.
• Common Platform Enumeration (CPE) [61], a nomenclature and dictionary of hardware, operating systems, and applications.
• Common Configuration Enumeration (CCE) [62], a nomenclature and dictionary of security software configurations.
• Common Vulnerabilities and Exposures (CVE) [63], a nomenclature and dictionary of security-related software flaws.
• Common Vulnerability Scoring System (CVSS) [64], an open specification for measuring the relative severity of software flaw vulnerabilities.

Of these standards, the ones most germane to developing a Cyber ontology would be OVAL, CPE, CCE and CVE. Parmelee [65] has outlined a semantic framework for these four standards built upon loosely-coupled modular ontologies. Parmelee's framework is intended to simplify data interoperability across automated security systems based on the OVAL, CPE, CCE and CVE standards.

IV. CYBER ONTOLOGY DEVELOPMENT: NEXT STEPS

The current Cyber ontology is focused primarily on malware and some preliminary aspects of the so-called 'diamond model', which includes actors, victims, infrastructure, and capabilities. Necessarily, more of the infrastructure and capabilities were developed first; however, even these are not yet developed to the level of detail that is warranted, i.e., expanding on behavioral aspects and events in particular, which are the core of Cyber, would make it more useful. These are our next steps.

ACKNOWLEDGMENT

© 2012, The MITRE Corporation. All Rights Reserved. The views expressed in this paper are those of the authors alone and do not reflect the official policy or position of The MITRE Corporation or any other company or individual.

REFERENCES

[1] MAEC - Malware Attribute Enumeration and Characterization. [Online] http://maec.mitre.org/.
[2] Ingle, J. Organizing Intelligence to Respond to Network Intrusions and Attacks. Briefing for the DoD Information Assurance Symposium. Nashville, TN, 2010.
[3] Fernández, M., Gómez-Pérez, A. and Juristo, N. METHONTOLOGY: From Ontological Art to Ontological Engineering. AAAI97 Workshop on Ontological Engineering, Spring Symposium Series. Stanford University, 1997. pp. 33-40.
[4] Fernández, M. et al. Building a Chemical Ontology Using Methontology and the Ontology Design Environment. IEEE Intelligent Systems. January/February 1999. Vol. 14, 1. http://www.aifb.uni-karlsruhe.de/Lehrangebot/Sommer2001/SemanticWeb/papers/chemical_ontology.pdf.
[5] Fernández, M. Overview of Methodologies for Building Ontologies. Workshop on Ontologies and Problem-Solving Methods: Lessons Learned and Future Trends (IJCAI99). August 1996.
[6] Gómez-Pérez, A., Fernández, M. and de Vicente, A. Towards a Method to Conceptualize Domain Ontologies. ECAI '96 Workshop on Ontological Engineering. Budapest, Hungary : s.n., 1996. pp. 41-52.
[7] Gruninger, M. and Fox, M. S. Methodology for the design and evaluation of ontologies. Montreal, 1995.
[8] Uschold, M. and Gruninger, M. Ontologies: Principles, Methods, and Applications. 1996. Vol. 11, 2, pp. 93-136.
[9] Obrst, L. Ontological Architectures. [ed.] Johanna Seibt, Achilles Kameas, Roberto Poli. Chapter 2 in Part One: Ontology as Technology in the book: TAO – Theory and Applications of Ontology, Volume 2: Computer Applications. Springer, 2010.
[10] Semy, S., Pulvermacher, M. and Obrst, L. Toward the Use of an Upper Ontology for U.S. Government and U.S. Military Domains: An Evaluation. MITRE Technical Report, MTR 04B0000063. November 2005.
[11] Swimmer, M. Towards An Ontology of Malware Classes. [Online] January 27, 2008. http://www.scribd.com/doc/24058261/Towards-an-Ontology-of-Malware-Classes.
[12] IEEE-SA - Industry Connections. [Online] http://standards.ieee.org/develop/indconn/icsg/malware.html.
[13] MANDIANT: Intelligent Information Security. [Online] http://www.mandiant.com.
[14] Zeltser, L. Categories of Common Malware Traits. Internet Storm Center Handler's Diary. [Online] Sept. 25, 2009. http://isc.sans.edu/diary.html?storyid=7186.
[15] Howard, J. D. and Longstaff, T. A Common Language for Computer Security Incidents. [Technical Report]. Sandia National Laboratories, 1998.
[16] Cover Pages: Incident Object Description and Exchange Format (IODEF). [Online] http://xml.coverpages.org/iodef.html.
[17] Internet Engineering Task Force. [Online] http://www.ietf.org/.
[18] VERIS Framework. [Online] https://verisframework.wiki.zoho.com/.
[19] Verizon Business. [Online] http://www.verizonbusiness.com/.
[20] Verizon Incident Classification and Reporting. [Online] https://www2.icsalabs.com/veris/incidents/new#/welcome.
[21] Gadelrab, M., El Kala, A. and Deswarte, Y. Execution Patterns in Automatic Malware and Human-Centric Attacks. IEEE International Symposium on Network Computing and Applications. 2008.
[22] Bejtlich, R. TaoSecurity: Incident Phases of Compromise. [Online] June 6, 2009. http://taosecurity.blogspot.com/2009/06/incident-phases-of-compromise.html.
[23] Cloppert, M. [Online] Oct. 14, 2009. http://computer-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/.
[24] CAPEC - Common Attack Pattern Enumeration and Characterization. [Online] http://capec.mitre.org/.
[25] The Web Application Security Consortium/Threat Classification. [Online] http://projects.webappsec.org/w/page/13246978/Threat-Classification.
[26] Laboratory for Applied Ontology - DOLCE. [Online] http://www.loa-cnr.it/DOLCE.html.
[27] Basic Formal Ontology (BFO). [Online] http://www.ifomis.org/bfo.
[28] Schneider, L. How to Build a Foundational Ontology -- The Object-Centered High-level Reference Ontology OCHRE. Proceedings of the 26th Annual German Conference on AI, KI 2003: Advances in Artificial Intelligence. 2003.
[29] General Formal Ontology (GFO). [Online] http://www.onto-med.de/ontologies/gfo/.
[30] Niles, I. and Pease, A. Towards a Standard Upper Ontology. [ed.] Chris Welty and Barry Smith. Proceedings of the 2nd International Conference on Formal Ontology in Information Systems (FOIS-2001). 2001.
[31] Guizzardi, G. and Wagner, G. Some Applications of a Unified Foundational Ontology in Business. [ed.] Michael Rosemann and Peter Green. Ontologies and Business Systems Analysis. IDEA Publisher, 2005.
[32] Guizzardi, G. and Wagner, G. Towards Ontological Foundations for Agent Modeling Concepts using UFO. Agent-Oriented Information Systems (AOIS), selected revised papers of the Sixth International Bi-Conference Workshop on Agent-Oriented Information Systems. Springer-Verlag, 2005.
[33] Cycorp, Inc. [Online] http://cyc.com/cyc/technology/whatiscyc_dir/whatsincyc.
[34] Cycorp, Inc. [Online] http://cyc.com/cyc.
[35] OpenCyc.org. [Online] http://www.opencyc.org/.
[36] The Friend of a Friend (FOAF) project. [Online] http://www.foaf-project.org/.
[37] Masolo, C. et al. Social Roles and their Descriptions. Proceedings of KR'2004. 2004. pp. 267-277.
[38] Hayes, P. A Catalog of Temporal Theories. Technical Report UIUC-BI-AI-96-01. s.l. : University of Illinois, 1996.
[39] Allen, J. F. Maintaining knowledge about temporal intervals. Communications of the ACM. 1983.
[40] Hobbs, J. R. and Pan, F. An Ontology of Time for the Semantic Web. ACM Transactions on Asian Language Processing (TALIP): Special issue on Temporal Information Processing. 2004. Vol. 3, 1, pp. 66-85.
[41] Pan, F. and Hobbs, J. R. Time in OWL-S. Proceedings of the AAAI Spring Symposium on Semantic Web Services. s.l. : Stanford University, 2004. pp. 29-36.
[42] A Time Zone Resource in OWL. [Online] http://www.isi.edu/~hobbs/timezonehomepage.html.
[43] Ressler, J., Dean, M. and Kolas, D. Geospatial Ontology Trade Study. [ed.] Terry Janssen, Werner Ceusters, Leo Obrst. Ontologies and Semantic Technologies for Intelligence. Amsterdam, Berlin, Tokyo, Washington D.C. : IOS Press, 2010, Chapter 11, pp. 179-212.
[44] Spatial Ontology Community of Practice (SOCoP). [Online] http://www.socop.org/.
[45] Randell, D., Cui, Z. and Cohn, A. A spatial logic based on regions and connection. Proceedings of the 3rd International Conference on Principles of Knowledge Representation and Reasoning. Cambridge, MA, 1992. pp. 165-176.
[46] Cohn, A. and Gotts, N. The 'Egg-Yolk' representation of regions with indeterminate boundaries. [ed.] P. Burrough and A. M. Frank. Proceedings, GISDATA Specialist Meeting on Geographical Objects with Undetermined Boundaries. Francis Taylor, 1996. pp. 171-187.
[47] GeoNames Ontology - Geo Semantic Web. [Online] http://www.geonames.org/ontology/documentation.html.
[48] Kowalski, R. and Sergot, M. A Logic-based Calculus of Events. New Generation Computing. 1986. Vol. 4, pp. 67–95.
[49] Reiter, R. The frame problem in the situation calculus: a simple solution (sometimes) and a completeness result for goal regression. [ed.] Vladimir Lifshitz. Artificial intelligence and mathematical theory of computation: papers in honour of John McCarthy. San Diego, CA : Academic Press Professional, Inc.,
[52] LODE: Linking Open Descriptions of Events. [Online] http://escholarship.org/uc/item/4pd6b5mh.
[53] Common Event Expression: CEE, A Standard Log Language for Event Interoperability in Electronic Systems. [Online] http://cee.mitre.org/.
[54] CybOX – Cyber Observable Expression. [Online] http://cybox.mitre.org/.
[55] STIX Whitepaper. [Online] http://measurablesecurity.mitre.org/docs/STIX-Whitepaper.pdf.
[56] The Security Content Automation Protocol (SCAP) - NIST. [Online] http://scap.nist.gov/.
[57] Quinn, Waltermire, Johnson, Scarfone, Banghart. The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1 (DRAFT). Gaithersburg, MD : NIST, 2011. SP800-126.
[58] XCCDF - The eXtensible Configuration Checklist Description Format - The Security Content Automation Protocol (SCAP) - NIST. [Online] http://scap.nist.gov/specifications/xccdf/.
[59] OVAL - Open Vulnerability and Assessment Language. [Online] http://oval.mitre.org/.
[60] OCIL - The Open Checklist Interactive Language - The Security Content Automation Protocol (SCAP) - NIST. [Online] http://scap.nist.gov/specifications/ocil/.
[61] CPE - Common Platform Enumeration. [Online] http://cpe.mitre.org/.
[62] Common Configuration Enumeration (CCE): Unique Identifiers for Common System Configuration Issues.
[Online] 1991. pp. 359-380. http://cce.mitre.org/. [50] Gangemi, A. and Mika, P. Understanding the Semantic Web [63] CVE - Common Vulnerabilities and Exposures. [Online] through Descriptions and Situations. Proceedings of http://cve.mitre.org/. CoopIS/DOA/ODBASE. 2003. pp. 689-706. [64] Common Vulnerability Scoring System (CVSS-SIG). [Online] [51] Kaneiwa1, K. Iwazume, M. and Fukuda, K. An upper ontology http://www.first.org/cvss/. for event classifications and relations. AI'07 Proceedings of the [65] Parmelee, M. Toward an Ontology Architecture for Cyber- 20th Australian joint conference on Advances in artificial Security Standards. George Mason University, Fairfax, VA : intelligence . 2007. Semantic Technologies for Intelligence, Defense, and Security (STIDS) 2010.