Enabling New Technologies for Cyber Security Defense with the ICAS Cyber Security Ontology

Distribution Statement "A" (Approved for Public Release, Distribution Unlimited)

Abstract

Incident response teams that are charged with breach discovery and containment face several challenges, the most important of which is access to pertinent data. Our TAPIO (Targeted Attack Premonition using Integrated Operational data) tool is designed to solve this problem by automatically extracting data from across the enterprise into a fully linked semantic graph and making it accessible in real time. Automated data translation reduces the cost of deploying and extending the system, while presenting data as a linked graph gives analysts a powerful tool for rapidly exploring the causes and effects of a particular event. At the heart of this tool is a cyber security ontology that is specially constructed to enable TAPIO to automatically ingest data from a wide range of data sources, and which provides semantic relationships across the landscape of an enterprise network. In this paper we present this ontology, describe some of the decisions made during its development, and outline how it enables the automated mapping technologies of the TAPIO system.
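The extraction-to-linked-graph step the abstract describes, as an added example that is not TAPIO code and does not use the ICAS ontology: a declarative mapping from two unrelated record formats (an sshd syslog line and a JSON flow record, both constructed here) into one typed graph, with every triple checked against a tiny hypothetical ontology at ingest time, followed by a pivot that walks outward from a single authentication event to the hosts its source address went on to contact. The class and property names, the node identifier scheme, the parsers and the sample records are all assumptions made for this example.

```python
import json
import re
from collections import defaultdict

# Hypothetical mini-ontology (assumption: names are ours, not ICAS's).
# A range of "literal" means a plain value rather than a graph node.
ONTO = {
    "classes": {"Host", "User", "AuthEvent", "Connection"},
    "properties": {
        "onHost": ("AuthEvent", "Host"),   "forUser": ("AuthEvent", "User"),
        "fromHost": ("AuthEvent", "Host"), "outcome": ("AuthEvent", "literal"),
        "srcHost": ("Connection", "Host"), "dstHost": ("Connection", "Host"),
        "dstPort": ("Connection", "literal"),
    },
}


class Graph:
    """Triple store with forward and reverse adjacency so pivots are cheap."""

    def __init__(self):
        self.types = {}              # node -> class
        self.out = defaultdict(set)  # node -> {(property, object)}
        self.inc = defaultdict(set)  # node -> {(property, subject)}

    def add(self, s, p, o):
        # Validate against the ontology at ingest: a bad mapping fails loudly
        # here instead of producing a graph that is silently wrong.
        if p == "a":
            if o not in ONTO["classes"]:
                raise ValueError(f"unknown class {o!r}")
            self.types[s] = o
            return
        dom, rng = ONTO["properties"][p]
        if self.types.get(s) != dom:
            raise ValueError(f"{s!r} must be a {dom} to carry {p}")
        if rng != "literal" and self.types.get(o) != rng:
            raise ValueError(f"{o!r} must be a {rng} as object of {p}")
        self.out[s].add((p, o))
        if rng != "literal":
            self.inc[o].add((p, s))


def parse_sshd(line):
    """Assumed sshd password-auth line format; returns None when unmapped."""
    m = re.match(r"(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) "
                 r"password for (?P<user>\S+) from (?P<src>[\d.]+)", line)
    return m.groupdict() if m else None


# One entry per source: a parser plus triple templates over the parsed fields.
# Adding a source means adding data here, not new graph code.
SOURCES = {
    "sshd": (parse_sshd, [
        ("host:{host}", "a", "Host"), ("host:{src}", "a", "Host"),
        ("user:{user}", "a", "User"), ("auth:{host}:{ts}", "a", "AuthEvent"),
        ("auth:{host}:{ts}", "onHost", "host:{host}"),
        ("auth:{host}:{ts}", "forUser", "user:{user}"),
        ("auth:{host}:{ts}", "fromHost", "host:{src}"),
        ("auth:{host}:{ts}", "outcome", "{outcome}"),
    ]),
    "netflow": (json.loads, [
        ("host:{src}", "a", "Host"), ("host:{dst}", "a", "Host"),
        ("conn:{id}", "a", "Connection"),
        ("conn:{id}", "srcHost", "host:{src}"),
        ("conn:{id}", "dstHost", "host:{dst}"),
        ("conn:{id}", "dstPort", "{dport}"),
    ]),
}


def build_graph(records):
    """records: iterable of (source_name, raw). Returns (graph, rejected records)."""
    g, rejected = Graph(), []
    for source, raw in records:
        parse, templates = SOURCES[source]
        try:
            fields = parse(raw)
        except ValueError:        # json.JSONDecodeError is a ValueError
            fields = None
        if fields is None:
            rejected.append((source, raw))   # count unmapped input, never drop it silently
            continue
        for s, p, o in templates:
            g.add(s.format(**fields), p, o.format(**fields))
    return g, rejected


def related(g, node, depth):
    """Graph nodes reachable from `node` within `depth` hops in either direction."""
    seen, frontier = {node}, [node]
    for _ in range(depth):
        nxt = []
        for n in frontier:
            candidates = [o for _, o in g.out[n] if o in g.types]  # skip literals
            candidates += [s for _, s in g.inc[n]]
            for c in candidates:
                if c not in seen:
                    seen.add(c)
                    nxt.append(c)
        frontier = nxt
    return seen - {node}


# Constructed sample records for this example (not real data).
SAMPLE = [
    ("sshd", "2024-03-01T10:00:01Z web01 sshd[2211]: Failed password for admin from 10.0.0.5 port 51234 ssh2"),
    ("sshd", "2024-03-01T10:00:07Z web01 sshd[2213]: Accepted password for admin from 10.0.0.5 port 51240 ssh2"),
    ("sshd", "2024-03-01T10:00:09Z web01 sshd[2214]: Received disconnect from 10.0.0.5"),
    ("netflow", '{"id": "f1", "src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445}'),
    ("netflow", '{"id": "f2", "src": "10.0.0.20", "dst": "10.0.0.30", "dport": 3389}'),
    ("netflow", '{"id": "f3", "src": "10.0.0.9", "dst": "10.0.0.40", "dport": 443}'),
]

if __name__ == "__main__":
    g, rejected = build_graph(SAMPLE)
    for hops in (1, 3, 5):
        print(hops, sorted(related(g, "auth:web01:2024-03-01T10:00:01Z", hops)))
    print("rejected:", rejected)
```

Two points carry over to any real deployment of this pattern. First, the domain/range check in `Graph.add` is what makes a new source a data-only change: a mapping that emits a property on the wrong class is rejected at ingest rather than discovered later by an analyst. Second, the sshd and flow records only join because both name the source by IP address; linking the hostname `web01` to its own addresses would need a further source (DNS, DHCP or an asset inventory) mapped into the same graph, and records the mapping cannot place are returned as `rejected` so that coverage gaps stay visible.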
