CERT-SEI
CERT Insider Threat Blog

How Ontologies Can Help Build a Science of Cybersecurity

By CERT Insider Threat Center on 03/12/2013 | Permalink

Hello, this is David Mundie, a Senior Member of the Technical Staff in the CERT Program. The term "science of cybersecurity" is a popular one in our community these days. For some time now I have advocated ontologies and controlled vocabularies as an approach to building such a science. I am fond of citing the conclusion of the Jason Report, that the most important step towards a “science of cybersecurity "would be the construction of a common language and a set of basic concepts about which the security community can develop a shared understanding," or in other words, an ontology.

In August 2012, I presented a paper on a disciplined, 10-step process for building ontologies at the First International Workshop on Ontologies and Taxonomies for Security (SecOnt) . In 2012, David McIntire and I worked with the CERT Malware Analysis team to generate a controlled vocabulary for malware analysis that has just been published as the CERT report, The MAL: A Malware Analysis Lexicon.

Most recently, I have transferred that vocabulary to a machine-processable ontology language, specifically, the W3C's OWL, or Web Ontology Language. That transfer made it possible to combine the vocabulary with a competency model that maps semantic clusters from the vocabulary onto specific job competencies. So-called Ontology-Based Competency Models have been quite popular recently, because combining rigorous models of domain knowledge with rigorous models of competencies provides a solid basis for building training programs, performance assessments, and hiring plans. Two examples are An Ontological Approach to Competency Management and Ontology-Based Competency Management.

Although still in its infancy, we think our combination of the malware analysis vocabulary and the competency model holds a lot of promise, and hope to present it at this year's SecOnt workshop. The following screen shot shows the top level of the ontology being edited in Stanford's Protégé tool.

ontology.png
 

 

 

 

 

 

 

 

 

 

If you have questions or want more information about our work on a malware ontology, send email to insider-threat-feedback@cert.org.

Topics: Insider Threat , Malware Analysis