Available online at www.sciencedirect.com

ScienceDirect

Procedia Computer Science 205 (2022) 300–309

www.elsevier.com/locate/procedia

International Conference on Military Communications and Information Systems (ICMCIS 2022)

Cybersecurity ontology and defense solutions: the POC platform

Elisabetta Zuanelli*

Dept. of Management and Law, University of Rome “Tor Vergata”, Via Columbia 2, Rome, 00133, Italy

Abstract

The paper presents the Platform Ontology of Cybersecurity (POC) as developed by the Pragmema team for big data analytics and early detection of cybersecurity incidents as needed in operational defense systems. The modeling of knowledge representation for threat intelligence, info sharing, and incidents reports is based on the theoretical assumptions provided by general linguistics (specifically text linguistics and pragmalinguistics), semantics and cognitive psychology in an AI perspective and turned into neural networks DDBB.

© 2022 Elisabetta Zuanelli. Published by ELSEVIER B.V.
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the scientific committee of the International Conference on Military Communications and Information Systems

Keywords: Cybersecurity ontology; AI knowledge representation; threat intelligence; graphs networks representation; IoCs correlations

1. Introduction

Diverse approaches to the ontological/taxonomic modeling of cybersecurity have been proposed over the years for threat intelligence and info sharing. The overall aim of cybersecurity repositories is technological and logical semantic interoperability of data as related to events/incidents reporting and analysis for detection and prevention of cybersecurity attacks and incidents [1][2][3][4][5][6]. As yet, repositories of cybersecurity taxonomies and ontologies propose different classes/categories of data/entities and their relations and different data classifications. As a result, data reporting in the operational defense systems requires a manual analysis and classification of data/IoCs with no functional relations among them for prevention and resilience activities.

The paper presents the Platform Ontology for Cybersecurity (POC) with an innovative methodological approach to the definition of a cybersecurity upper-level ontology, domain entities and logical semantic relations [7]. POC is developed both in a taxonomic and ontological format according to knowledge representation based on linguistics, semantics, and cognitive psychology. The paper presents the POC data architecture at different levels including contextualized cyber incidents/events reporting and IoCs data correlations, by means of graphs networks DDBB. The overall operative implication is the inferential activity of big data analytics for prevention in a structured ontological model [8].

1.1. The state of the art: issues and problems

The typologies of present modeling proposals for cybersecurity ontologies/taxonomies confirm the problematic evaluation of present repositories/solutions. Cybersecurity ‘ontologies’ can be defined as logical semantic systems of entities and their logical semantic relationships based on high level knowledge representation as applied to the cybersecurity domain. Best abstract representations should contextualize entities and relations. Taxonomies, instead, are mainly hierarchical classes of single decontextualized
entities as logical
confirm
representation
entities.
relations. Insemantic
as the
most systems
problematic
applied
cases, to of
the
even
evaluation
Taxonomies, of presentinstead,repositories/solutions.
are mainly Cybersecurity
hierarchical classes ‘ontologies’
ofhigh
single can be defined as
decontextualized logical Insemantic
entities. most systems
cases, of
entities
evaluation
cybersecurity
taxonomies
The
1.1. The and of
state their
show
typologies present
domain.
of the logical
typological
of present
art: semantic
repositories/solutions.
Best abstract
issues and relationships
representations
inconsistencies.
modeling
problems proposals based
Cybersecurity
should
for on‘ontologies’
contextualize
cybersecurity level knowledge
can be
entities defined
and representation
as
relations.
ontologies/taxonomies logical
confirm as
semanticapplied
the toeven
systems
problematic the
of
Taxonomies,
entities
taxonomies and their
show instead,
logical
typological are mainly
semantic hierarchical
relationships
inconsistencies. classes
based on of single
high leveldecontextualized
knowledge entities.
representation In most
as cases,
applied to even
the
cybersecurity
entities and domain.
their Best
logical abstract
semantic representations
relationships should
based contextualize
on‘ontologies’ entities
be and relations.
The
1.1. Thetypologies
evaluation
taxonomies
cybersecurity of
state
Taxonomies, showpresent
of the of present
art:
instead, issues
typological
domain. Best are modeling
repositories/solutions.
and problems
mainly
inconsistencies.
abstract proposals
Cybersecurity
hierarchical
representations classes
should ofhigh
for cybersecurity level
single
contextualize
knowledge
decontextualized
entities and
representation
ontologies/taxonomies
can defined as confirm
logical
entities.
relations.
as
most applied
the
Insemantic cases, toeven
problematic
systems the
of
cybersecurity
evaluation
The
entities andof
typologies
Taxonomies,
taxonomies domain.
present
their
show
*Elisabetta of Best
present
logical
instead,
typological
Zuanelli. abstract
modeling
semantic
are
Tel.: mainly representations
repositories/solutions. proposals
relationships
inconsistencies.
+39-348-3333682 hierarchical should
Cybersecurity
based
classes contextualize
on‘ontologies’
for cybersecurity
ofhigh level
single entities
can be and
knowledge
decontextualized relations.
defined
ontologies/taxonomies as logical
representation
entities. Insemantic
confirm as the
most systems
problematic
applied
cases, toeven of
the
Taxonomies,
entities
evaluation
The andof
*Elisabetta
typologies
cybersecurity their instead,
present
domain. logical
Zuanelli.
of present
Best are
Tel.: mainly
semantic
+39-348-3333682
repositories/solutions.
modeling
abstract hierarchical
relationships classes
based
Cybersecurity
proposals
representations ofhigh
for cybersecurity
should single
on‘ontologies’
contextualize leveldecontextualized
knowledge
can be and
defined
ontologies/taxonomies
entities entities.
representation
as
relations.logical Insemantic
confirm most
as the cases,
applied toeven
systems
problematic the
of
taxonomies E-mail
Taxonomies, show
address:
*Elisabetta
typological
instead,
Zuanelli. are inconsistencies.
elisabetta.zuanelli@uniroma2.it
mainly
Tel.: +39-348-3333682 hierarchical classes of single decontextualized entities. In most cases, even
taxonomies
entities
evaluation
E-mailshow
cybersecurityand of
address:
their typological
domain.
present Bestare
logical inconsistencies.
elisabetta.zuanelli@uniroma2.it
abstract
semantic representations
repositories/solutions. relationships should
based
Cybersecurity contextualize
on high level
‘ontologies’ entities and
knowledge
can be relations.
defined representation
as logical as
semanticapplied to
systems the
of
taxonomies
Taxonomies,
E-mail
1877-0509 ©*Elisabetta show
address: typological
instead,
2022 TheZuanelli. inconsistencies.
mainly
elisabetta.zuanelli@uniroma2.it
Authors.Tel.: +39-348-3333682
Published hierarchical
by Elsevier B.V. classes of single decontextualized entities. In most cases, even
cybersecurity
Thisentities
taxonomies
an open andaccess
is Taxonomies,
E-mail showdomain.
their
address:
*Elisabetta instead,Best
logical
typological abstract
semantic
are mainly representations
relationships
inconsistencies.
elisabetta.zuanelli@uniroma2.it
Zuanelli.
article Tel.: +39-348-3333682
under the CC should
based
hierarchicallicense
BY-NC-ND classes contextualize
onofhigh level
single entities and relations.
knowledge
decontextualized representation
entities. In as
(https://creativecommons.org/licenses/by-nc-nd/4.0) most applied
cases,toeven the
*Elisabetta
cybersecurity
E-mail Zuanelli.
domain. Tel.:abstract
Best +39-348-3333682
representations
elisabetta.zuanelli@uniroma2.it should contextualize entities and relations.
taxonomies underaddress:
E-mailshow typological
Peer-review
Taxonomies,
*Elisabetta responsibility
instead,
Zuanelli. are
Tel.: ofinconsistencies.
the scientific
mainly
+39-348-3333682 committee
hierarchical of the
classes International
of Conference
single decontextualized on Military
entities. Communications
In most cases, and even
address: elisabetta.zuanelli@uniroma2.it
Information
taxonomies Systems
E-mail
Taxonomies, show
address: typological
instead, are inconsistencies.
elisabetta.zuanelli@uniroma2.it
mainly hierarchical classes of single decontextualized entities. In most cases, even
*Elisabetta Zuanelli. Tel.: +39-348-3333682
10.1016/j.procs.2022.09.031
taxonomies E-mailshow
address:
*Elisabetta typological inconsistencies.
elisabetta.zuanelli@uniroma2.it
Zuanelli. Tel.: +39-348-3333682
E-mail address:
*Elisabetta elisabetta.zuanelli@uniroma2.it
Zuanelli. Tel.: +39-348-3333682
E-mail address: elisabetta.zuanelli@uniroma2.it
*Elisabetta Zuanelli. Tel.: +39-348-3333682
E-mail address: elisabetta.zuanelli@uniroma2.it
Elisabetta Zuanelli et al. / Procedia Computer Science 205 (2022) 300–309 301

The basic principles of a cybersecurity ontology consist of the definition of an upper level, a mid-level, and a specific
domain ontology for data representation. This activity requires the definition of taxonomic and ontological entities and
their relations on one side. On the other side, platforms of cyber data analysis and classification require the correlation
and integration of IoCs deriving from monitoring systems (IDS, IPS, firewalls, antimalware, antivirus, antispam, honey
pot, penetration tests, etc.). In general, different platforms/repositories reveal a simplification of the theoretical
ontological core and the adoption of intuitive classes, entities, relations, and vocabularies. In other terms, there is a loose
connection between the theoretical logical semantic definition of the ontology and the domain ontology that does not
allow for big data architecture and data interpretation by the machine. Consequently, operational digital services for
cybersecurity such as preventive/predictive activities by the machine still seem unattainable [9] [10].

The contributions to the definition of cybersecurity ontologies/taxonomies often propose frameworks describing
useful processes to be activated by an organization to manage cybersecurity, articulated into IT asset domain, incident
handling domain or operational information, organizational modeling, management [11][12][13]. In a structured
methodological representation of general and specific criteria for developing an ontology of the cybersecurity domain,
comparative tables emphasize the reuse of existing ontologies, classes and properties and equivalent relations. As for the
final product, they distinguish upper ontologies, high level and domain-independent, from mid-level and domain
ontologies that represent specific concepts [14].

An enormous effort to produce enumerations and lists of contents to be associated with an ontological architecture has
been produced by MITRE since 2010: the 2016 NIST Vulnerability Ontology appeared as the first active contribution to
the cybersecurity knowledge representation.
Comparative tables such as Fig. 1 list cyber threat intelligence taxonomies/ontologies and shared partial values, with no
methodological implications [15].

Fig. 1 Cyber threat intelligence model

In a comparative study of ontologies related to diverse specific topics, Fig.2, the authors highlight methodological
biases: “only 13.33% of the papers validate their proposals, trying to identify the correct use of the language, the
accuracy of the taxonomic structure, the validity of the vocabulary, … One of the challenges that constitutes a
potentially interesting area arises when data is collected from different safety equipment (IDS, intrusion prevention
system, firewall, antivirus system, system security audit, honeynet, etc.) The safety equipment is distributed in different
domains in the network, which is required to develop an ontology that can integrate real-time data from this safety
equipment and allows the captured data to be properly administered” [16].

Fig. 2 Topics in ontologies

The comment appears particularly consistent as it reveals the lack of topics/entities and related correlations, on one
side; on the other, it calls attention to the need to incorporate IoCs.

2. The POC methodological approach

In the presentation of the Pragmema POC (Platform Ontology for Cybersecurity), E-Age 2017, I introduced the
theoretical ground for an innovative approach to knowledge representation in cybersecurity ontologies [17]. POC is
based on an abstract upper-level ontology that is developed into the cybersecurity domain ontology and a related
pragmatic ontology that releases cybersecurity services. The general cybersecurity ontology has been further developed
to subsume subdomain ontologies such as automotive and financial entities. The methodological issues to be faced were
knowledge representation and the development of the Controlled Vocabulary.
In the theoretical ground I had to face two basic biases or inadequacies in specific literature as far as the ontological
representation of data is concerned.

2.1. The upper-level representation of an ontology

Most ontologies do not include the abstract level of knowledge representation and appear rather as specific perspectives
of categories/entities: semantic threat modelling, cyberthreat intelligence, attack patterns, etc. [18] [19].
Where an upper level appears it refers to logical relations that do not include ‘logical semantic relations’ as typical of
natural language representation and interpretation of cybersecurity entities [20]. The upper and midlevel concepts defined
for POC derive from the semantics of natural language knowledge representations as dealt with in linguistics,
psycholinguistics, semantic approaches [21]. In Fig. 3 and Fig. 4 general concepts for representation of entities are
presented.

Fig. 3 The upper-level ontology concepts

Fig. 4 The mid-level ontology concepts

The upper level/midlevel POC concepts were semantically defined and turned into the knowledge ontology of POC.
Logical semantic interoperability was assigned to JSON format data. The knowledge upper ontology was then related
to correlative first level classes of entities deriving from a procedural framing of the cybersecurity domain such as:
threats, vulnerabilities, events and incident routes, impact typologies and mitigations, represented by means of
taxonomic and ontological relations deriving from their definitions.

2.2. The specification of a Controlled Semantic Vocabulary (CSV): the three levels ontology

The methodological issue concerning the quality of a CV puts forward the question of how to realize unambiguous
and contextualized definitions of entities/entries. The MITRE approach used a model of semantic relations in the CV
that does not allow for a general cybersecurity knowledge representation and a specification of the cybersecurity
domain ontology. The reason lies in the modeling of ‘semantic memory’ that does not include syntactic relations of
entities for semantic contextualized representation. As compared with preliminary statements in the analysis of the
MITRE proposal, in current repositories there is no concern for semantic specifications. Vocabularies appear as listings
of items in alphabetical order or matter-of-fact definitions with no semantic implications.
Definitions of entities in POC were realized through the development of an innovative method for a Controlled
(Semantic) Vocabulary (CSV). In my approach, a CSV specifies classes of entities and logical semantic relations as
implied in a natural language formulation. To specify the conceptual definition of lexical entries/entities of a natural
language (technical) vocabulary in an ontology, the application of a range of semantic relations including predicative
relations (propositions) was faced. Semantic relations in the definition of entities were related on one side to logical
semantic features in the modeling of semantic memory where verbal entities have been analyzed and related by means
of interconnected links, including hierarchical and non-hierarchical classifications and the specification of conceptual
linguistic attributes and properties [22][23].
On the other side, the decision to include syntactic representations of entities as implied in the first models of
semantic memory, was derived from the structure of vocabulary definitions that in my perspective correspond to a
contextualized text. Technically defined in text linguistics, a text is a set of phrases where referent and coreferential
words are connected by semantic attributes, properties, and predicative relations. In other terms, lexical entities in the
field of cybersecurity terminology imply a definition that specifies the textual world/value within which words have a
specific correlative meaning as related to a specific text/context/domain and related data. Therefore, if we consider the
definition of an entity in a controlled vocabulary as a set of phrases endowed with coherent (logical semantic) and
cohesive features called textuality, the textuality of definitions allows us to apply the notion of primary and secondary
semantic universal concepts underlying a textual meaning to the representation of the domain ontology [24]. If we
define ‘malware’ as the typology of noxious software whose malicious installation in a computer is capable of causing
negative impact on its use by a subject (person, company, institution, etc.), we realize that semantic relations in this
definition have to do with conceptual related entities that stand for multiple digital actors (agents, patients), situations,
events, state, objects, time, space, instrument, ends in view, cause, result; attributes such as noxious, negative, etc.;
properties such as can/does, namely predicative features, etc. These semantic syntactic relations among entities are
technologically resolved by the underlying ontological network DDBB. The POC abstract layer of architecture, in fact,
is based on the general structuring of primary and secondary centers of control in psycholinguistic, textual, and
pragmatic literature and represented in the cybersecurity knowledge framework. The representation of lexical
entities/concepts and their relations in the cybersecurity domain ontology was developed from the upper-level general
features and has included the articulation of their definitions by means of relations such as class (is a), attribute,
property as well as predicative/syntactic specifications (can, does) of categories as related to contextual meanings. In
Fig. 4 there follow POC screenshots of classes of the first-level domain ontology on the initial Liferay platform.

Fig. 5 The cybersecurity domain ontology

So far, classes/entities described in the POC CSV amount to 586 items. They are organized into classes/categories
defined both by taxonomic hierarchic relations and transversal logical semantic relations at different levels (Fig. 6).
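As an added illustration (not the POC code base or its CSV), the following Python sketch encodes the ‘malware’ definition above as typed logical semantic relations (class ‘is a’, attribute, property, the predicative ‘can’/‘does’, and the patient/result roles the definition mentions), round-trips the entries through JSON, the interoperability format the paper assigns to the knowledge ontology, and runs a check for the typological inconsistencies that section 1.1 attributes to taxonomies (is-a cycles, undefined parent classes). The relation type set, the `Vocabulary`/`Entry` names and the extra ‘software’, ‘subject’ and ‘ransomware’ entries are assumptions of this example.

```python
import json
from dataclasses import dataclass, field, asdict

# Relation types a CSV entry may use (assumed set, modelled on the paper's
# class / attribute / property / predicative (can, does) relations plus the
# case-like roles its 'malware' definition mentions).
RELATION_TYPES = {
    "is_a", "attribute", "property", "can", "does",
    "agent", "patient", "instrument", "cause", "result",
}


@dataclass
class Entry:
    """One controlled-vocabulary entity with its typed relations."""
    term: str
    relations: list = field(default_factory=list)  # [(relation, target), ...]

    def add(self, relation, target):
        if relation not in RELATION_TYPES:
            raise ValueError(f"unknown relation type: {relation!r}")
        self.relations.append((relation, target))
        return self  # allow chaining


class Vocabulary:
    def __init__(self):
        self.entries = {}

    def define(self, term):
        return self.entries.setdefault(term, Entry(term))

    def parents(self, term):
        entry = self.entries.get(term)
        return [t for r, t in entry.relations if r == "is_a"] if entry else []

    def ancestors(self, term):
        """Transitive is-a closure in discovery order; raises on a cycle."""
        seen, stack = [], list(self.parents(term))
        while stack:
            parent = stack.pop()
            if parent == term:
                raise ValueError(f"is-a cycle through {term!r}")
            if parent not in seen:
                seen.append(parent)
                stack.extend(self.parents(parent))
        return seen

    def related(self, term, relation):
        """Targets of one relation type for a term, e.g. its attributes."""
        return [t for r, t in self.entries[term].relations if r == relation]

    def check(self):
        """Typological inconsistencies: is-a cycles and dangling parents."""
        problems = []
        for term, entry in self.entries.items():
            try:
                self.ancestors(term)
            except ValueError as err:
                problems.append(str(err))
            for r, t in entry.relations:
                if r == "is_a" and t not in self.entries:
                    problems.append(f"{term!r} is a {t!r}, but {t!r} is undefined")
        return problems

    def to_dict(self):
        """JSON round trip: tuples become arrays, as an exchange format would see them."""
        return json.loads(json.dumps({t: asdict(e) for t, e in self.entries.items()}))


def build_sample():
    """The paper's 'malware' definition as CSV relations (constructed encoding)."""
    v = Vocabulary()
    v.define("software")
    v.define("subject")  # person, company, institution, etc.
    (v.define("malware")
      .add("is_a", "software")
      .add("attribute", "noxious")
      .add("property", "malicious installation in a computer")
      .add("can", "cause negative impact on use")
      .add("patient", "computer")
      .add("patient", "subject")
      .add("result", "negative impact"))
    v.define("ransomware").add("is_a", "malware")  # constructed subclass
    return v


def build_inconsistent():
    """Constructed taxonomy with a cycle and a dangling parent, for check()."""
    v = Vocabulary()
    v.define("a").add("is_a", "b")
    v.define("b").add("is_a", "a")
    v.define("c").add("is_a", "undefined_class")
    return v
```

`build_sample().check()` returns an empty list, while `build_inconsistent().check()` reports the cycle between `a` and `b` and the undefined parent of `c`; the same closure that walks ‘ransomware’ up to ‘software’ is what makes the cycle detectable.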

Fig 6. The POC ontological taxonomic relations

2.3. The POC pragmatic ontology

A third level of POC is the pragmatic ontology that releases services. The operative implication of a cybersecurity ontology is its capacity to release cybersecurity services. The pragmatic ontology as in Fig. 7 includes a suite of cybersecurity and data analytics ‘tools’ such as the CSV, the operational CSV for guided incidents reporting, the risk assessment and risk evaluation frameworks, the remediation techniques, and the standardization references.

Fig. 7 The cybersecurity pragmatic ontology

These services are straightforwardly linked to the cybersecurity ontology.

2.4. Data analysis, classification, and reporting system

A specific POC application/service that has to do with prevention activities is the automatic classification and analysis of data and the reporting system. The POC events/incidents reporting system includes IoCs data as related to the different levels of the ontology. A contextualized entry/entity is placed in the POC filling in application in a closed field related to the semantic controlled vocabulary (CSV). The CSV is used as a closed guide to specific fields to be compiled for strict homogeneous preliminary data reporting, a crucial service for big data analytics and classification as needed for attacks prevention and prediction. The application of multiple filters of clustered variables at different levels of the ontology for data reporting opens the way to longitudinal comparative analyses of data and proactive evaluation of risks and threats. As stated before, the need for an integration of assets in cybersecurity analysis and logs from defense systems with an ontological representation of incidents data reporting in a global ontology is the core problem.

POC faces the problem of incidents and events reporting applying a context of cybersecurity parameters as filters of data. Integrated strata of clustered variables as specific parameters/filters for specific incidents data reporting are the innovative contributions to data representation.

A case study for exemplifying methodology is the Ukraine’s Power Grid Incident in 2015. The analysis of the incident that compromised the network system of the Ukrainian power companies was performed by the Beijing Knownsec Security Team by means of IoCs samples acquired by western observers as reported in Fig. 8.

Fig. 8 The 26 samples acquired by Tencent PC Manager Team

This is the assumed reconstruction of the attack. Data for analysis were acquired from different sources.

“1. Attackers use Office Sand Worm (run with administrator access + CVE-2014-4114) to carry out watering hole attacks. The victim hosts will execute malicious code to interact with remote C&C servers. Some system information will be sent to C&C servers
2. Sandworm (macro virus) performs malicious operations using the remote execution vulnerability (CVE-2014-0751) of Industrial Control HMI (Human Machine Interface). The aim is to carry out attacks within the internal network and access the Industrial Control HMI of GE Cimplicity, Advantech/Broad win Web Access, and Siemens WinCC etc. to control the internal network directly
3. Attackers use vulnerability to implant Black Energy into HMI
4. The implanted Black Energy opens the Dropbear SSH backdoor and listens port 6789 to provide convenience to host communication
5. Attackers start the Kill Disk component according to the plan and cause destructive influence by destroying (formatting) host disks” [25].

Interaction with external C&C servers by the attackers is crucial and vulnerabilities of the system allow for the attack as well. The schematic representation of the partial kill chain of the attack corresponding to the malicious code analysis progress is visualized in Fig. 9.

Fig. 9 Malicious code analysis progress (Knownsec Security Team)

According to data reported in the analysis of the Ukraine’s power grid incident, a typological reporting of the incident according to POC releases a first level taxonomic scheme such as the one in Fig. 10. The taxonomy was further related to the different strata levels of the ontology. The methodology for incident reporting and analytics in POC is defined as Reverse Knowledge Incident Analytics (RKIA).
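As an added example, not POC's own filling-in application, this Python sketch shows the closed-field reporting idea of section 2.4 applied to the five quoted steps: an incident node is accepted only if each classified field holds a controlled-vocabulary value (free text is rejected), nodes keep their path order, and clustered variables act as filters, for instance selecting the vulnerability nodes as the starting variables of an incident path. The vocabularies, field names and phase labels are constructed assumptions; the IoCs are the ones quoted from [25].

```python
from collections import Counter

# Closed vocabularies per report field (constructed; the real POC CSV has
# 586 classes/entities and these field names are assumptions of the example).
CLOSED_FIELDS = {
    "entity_class": {"threat", "vulnerability", "event", "impact", "mitigation"},
    "phase": {"delivery", "exploitation", "installation",
              "command_and_control", "action"},
    "asset": {"office_workstation", "hmi", "network", "host_disk"},
}


class ReportError(ValueError):
    """Raised when a closed field holds a value outside the vocabulary."""


def validate_node(node):
    """Every closed field must hold a vocabulary value; anything else is rejected."""
    for fld, allowed in CLOSED_FIELDS.items():
        if node.get(fld) not in allowed:
            raise ReportError(f"field {fld!r}: {node.get(fld)!r} not in vocabulary")
    return node


def is_valid_node(node):
    try:
        validate_node(node)
        return True
    except ReportError:
        return False


def build_report(nodes):
    """Ordered incident nodes; the order is the logical path the analysis starts from."""
    return [dict(validate_node(n), order=i) for i, n in enumerate(nodes, start=1)]


def filter_nodes(report, **criteria):
    """Filter on clustered variables, e.g. entity_class='vulnerability'."""
    return [n for n in report if all(n.get(k) == v for k, v in criteria.items())]


def cluster(report, fld):
    """Counts per vocabulary value: the basis for longitudinal comparison."""
    return Counter(n[fld] for n in report)


# Constructed encoding of the five steps quoted from [25]; labels paraphrase them.
UKRAINE_2015 = [
    {"label": "Office document exploiting CVE-2014-4114 (watering hole)",
     "entity_class": "vulnerability", "phase": "delivery",
     "asset": "office_workstation", "ioc": "CVE-2014-4114"},
    {"label": "HMI remote execution via CVE-2014-0751",
     "entity_class": "vulnerability", "phase": "exploitation",
     "asset": "hmi", "ioc": "CVE-2014-0751"},
    {"label": "Black Energy implanted into HMI",
     "entity_class": "threat", "phase": "installation",
     "asset": "hmi", "ioc": "Black Energy"},
    {"label": "Dropbear SSH backdoor listening on port 6789",
     "entity_class": "event", "phase": "command_and_control",
     "asset": "hmi", "ioc": "port 6789"},
    {"label": "Kill Disk formats host disks",
     "entity_class": "impact", "phase": "action",
     "asset": "host_disk", "ioc": "Kill Disk"},
]


def ukraine_report():
    return build_report(UKRAINE_2015)


def vulnerability_path(report):
    """IoCs of the vulnerability nodes in path order: candidate starting variables."""
    return [n["ioc"] for n in filter_nodes(report, entity_class="vulnerability")]
```

A node such as `{"entity_class": "malware", ...}` is refused because ‘malware’ is not a value of the `entity_class` field in this vocabulary; this is the strictness that keeps preliminary reports homogeneous enough to cluster and compare over time.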

Fig. 10 The incident nodes and starting variables: the reverse knowledge incident analytics (RKIA)
Fig. 10 The incident nodes and starting variables: the reverse knowledge incident analytics (RKIA)
Fig. 10 The incident nodes and starting variables: the reverse knowledge incident analytics (RKIA)
The POC reverse knowledge incident analytics (RKIA) starts from the technological data representing an incident and the diverse logical paths. The ordered links of the path are considered concurrent variables for incident reporting and interpretation. These links/nodes are sets of variables as processed by the ontology specification at different levels. In other words, the incident representation is related to potential or factual logical semantic relationships at the diverse levels of knowledge structuring within the global ontology. Different concurrent nodes for different incidents are considered as conditioning contextual variable factors of attacks/incidents. Specific filters of different clusters of variables can offer a recurrent confirmation of incident paths for different or differing incident reports. Longitudinal reports of similar or different attack mechanisms/paths should release predictive results on incoming threats, based on the activation of different clusters of data according to the POC representation and analytics and on regressive/prospective inferential processes. An overall graph representation of the POC nodes and links of the incident is shown in Fig. 11. The blue terminal nodes represent different types of incidents as filtered by the first cluster of parameters/entities for incident reporting.

Fig. 11 The POC platform nodes graph for the incident analytics
3. The technological infrastructure
Data management and analysis are mainly developed with the R and Python programming languages and environments (supporting the necessary mathematical/statistical functions). Data analysis uses ‘decision trees’ and ‘neural networks’ to categorize data and to define predictions typical of inferential statistics. Both ‘supervised’ and ‘unsupervised’ models are used for analysis. Unsupervised methods, when there is no default grouping variable, are used for ‘clustering’ templates and ‘association rules’ templates. Supervised methods are used for ‘classification’ and ‘regression’ based on the type of grouping variable, whether cardinal or numeric. Supervised regression models are linear models (an estimate based on a dependent variable and one or more independent variables). A Support Vector Machine assigns new examples to one of the possible database classes, obtaining a non-probabilistic binary classifier. Among the classification models, the K-NN method (k-nearest neighbors) is used, which is based on the characteristics of the objects close to the one considered: an object is classified by a plurality vote of its neighbors, with the object assigned to the most common class among its closest k neighbors. Classification trees, or decision trees, which represent the data in a tree whose interior binary nodes divide samples into homogeneous ‘label’ classes, are also used. POC is a tool to normalize big data. The ontology encompasses the structured representation of masses of data. At the applicational level, POC allows for the correlation among institution/company technology assets, cybersecurity implementation data, events, and incidents monitoring data (IoCs/IoAs). Finally, it releases a contextualized evaluation of the type of risk value recording and incident assessment.
4. The three levels ontology and IoCs correlation
POC assumes the correlation of the knowledge ontology with the domain ontology and the pragmatic ontology, as well as the integration of defense systems data/IoCs (monitoring systems, IDS, IPS, firewall, antimalware, antivirus, antispam, honeypot, etc.) for attacks/incidents interpretation. The cybersecurity knowledge representation in graphs appears as in Fig. 12.

Fig. 12 POC Cybersecurity knowledge


First level classes of cybersecurity knowledge are semantically related to the first level classes of the domain ontology, as in Fig. 13: threats, vulnerabilities, impact typologies, remediation techniques, event routes and incident routes. The cybersecurity knowledge ontology and the domain ontology contain transversal logical semantic relations between them and internal taxonomies.

Fig. 13 The cybersecurity domain ontology POC


In incident reporting, technological data concerning IoCs and IoAs (Indicators of Attack) are managed by means of a guided insertion into the ontology and described by metadata of logical semantic relations. The IoC correlation related to a typical incident in the POC graph representation is shown in Fig. 14.
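To make the RKIA walk of Section 2 and the guided IoC insertion just described concrete, here is an added Python illustration (not the POC platform's code): the level names and the Fig. 13 domain classes come from the paper, while the indicator types, node names, relation labels and sample incident reports are constructed assumptions. It models the walk from an indicator's technological data through the ordered links to a terminal incident-route node, the concurrence of the indicators within one report, and the recurrent confirmation of incident routes across longitudinal reports.

```python
"""Toy model of the POC-style three-level ontology and its reverse knowledge
incident analytics (RKIA). Added illustration, not the POC platform's code: the
level names and the Fig. 13 domain classes come from the paper; indicator types,
node names, relation labels and sample reports are constructed for the example."""
from collections import Counter, defaultdict

LEVELS = ("knowledge", "domain", "pragmatic")
DOMAIN_CLASSES = ("threat", "vulnerability", "impact_typology",
                  "remediation_technique", "event_route", "incident_route")
IOC_TYPES = ("ip", "domain_name", "file_hash")  # constructed, not the paper's list


class Ontology:
    def __init__(self):
        self.nodes = {}                # name -> (level, class or indicator type)
        self.links = defaultdict(set)  # src -> {(relation, dst)}; the relation label
        #                                is the metadata of the logical semantic link

    def add_node(self, name, level, cls):
        if level not in LEVELS:
            raise ValueError(f"unknown ontology level: {level}")
        if level == "domain" and cls not in DOMAIN_CLASSES:
            raise ValueError(f"not a first-level domain class: {cls}")
        self.nodes[name] = (level, cls)

    def link(self, src, relation, dst):
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError("links may only join nodes already in the ontology")
        self.links[src].add((relation, dst))

    def insert_ioc(self, value, ioc_type, relations):
        """Guided insertion of an IoC/IoA: accepted (True) only with a known type
        and with every declared semantic relation pointing at an existing node."""
        if ioc_type not in IOC_TYPES or value in self.nodes:
            return False
        if any(dst not in self.nodes for _, dst in relations):
            return False
        self.add_node(value, "pragmatic", ioc_type)
        for relation, dst in relations:
            self.link(value, relation, dst)
        return True

    def reverse_paths(self, start):
        """RKIA walk: from technological data (an indicator) follow the ordered
        links to terminal incident-route nodes; each path is the ordered list of
        (relation, node) links the paper treats as concurrent variables."""
        found = []

        def walk(node, path, seen):
            if self.nodes[node][1] == "incident_route":
                found.append(tuple(path))
                return
            for relation, nxt in sorted(self.links[node]):
                if nxt not in seen:
                    walk(nxt, path + [(relation, nxt)], seen | {nxt})

        walk(start, [], {start})
        return found


def classify_report(ont, indicators):
    """Incident routes reached from every indicator of one report. Assumption:
    the indicators are concurrent variables, so they must agree on the route;
    a report whose indicators lead to different routes confirms nothing."""
    routes = set()
    for i, ioc in enumerate(indicators):
        reached = {path[-1][1] for path in ont.reverse_paths(ioc)}
        routes = reached if i == 0 else routes & reached
    return routes


def recurrent_confirmation(ont, reports):
    """Longitudinal view: how many reports confirm each incident route."""
    counts = Counter()
    for indicators in reports:
        counts.update(classify_report(ont, indicators))
    return counts


def build_sample():
    """Constructed sample: a phishing/credential-theft route and a power-loss route."""
    ont = Ontology()
    ont.add_node("phishing", "domain", "threat")
    ont.add_node("credential_theft", "domain", "impact_typology")
    ont.add_node("power_loss", "domain", "impact_typology")
    ont.add_node("mail_credential_incident", "domain", "incident_route")
    ont.add_node("grid_outage_incident", "domain", "incident_route")
    ont.link("phishing", "causes", "credential_theft")
    ont.link("credential_theft", "leads_to", "mail_credential_incident")
    ont.link("power_loss", "leads_to", "grid_outage_incident")
    ont.insert_ioc("198.51.100.7", "ip", [("observed_in", "phishing")])
    ont.insert_ioc("invoice.example", "domain_name", [("observed_in", "phishing")])
    ont.insert_ioc("breaker-trace-hash", "file_hash", [("observed_in", "power_loss")])
    return ont


SAMPLE_REPORTS = [  # constructed incident reports, each a list of observed indicators
    ["198.51.100.7", "invoice.example"],
    ["198.51.100.7"],
    ["breaker-trace-hash"],
    ["invoice.example", "breaker-trace-hash"],  # contradictory: confirms no route
]
```

A report whose indicators point at different incident routes is treated as contradictory and adds nothing to the confirmation counts, which is the kind of inconsistency the guided insertion and filtering are meant to surface.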

Fig. 14 The typical incident IoC correlations


The result is a univocal technological and logical semantic interoperability and the practical feasibility of threat intelligence and info sharing for attacks/incidents representation. The implication is the possibility of avoiding manual handling of data, which is open to personal interpretations even when based on shared rules. This may happen by feeding the machine with large amounts of data that machine training may learn to interpret. The hierarchical view of IoC correlations in POC is shown in Fig. 15.

Fig. 15 The IoC hierarchical view


This taxonomic view must be analytically implemented with specific technological data and with no contradictory representation by defence systems. The POC neural networks data base, for the three levels extensions, and the IoC correlations release an overall ‘dashboard’ for threat intelligence, info sharing and reporting. Statistical inferential analyses and regressive analytics can lead to predictive activities, so far not available. The validity of the solution needs big data scenario testing and implementation.
5. Conclusions
big data scenario
analyses testing analytics
and regressive and implementation.
can lead to predictive activities, so far not available. The validity of the solution needs
analyses and regressive analytics can lead to predictive activities, so far not available. The validity of the solution needs
5. Conclusions
5. Conclusions
big data scenario testing and implementation.
5.The
bigConclusions
datapaper
scenario
aimedtesting and implementation.
at discussing present inadequacies of current platforms for threat intelligence, info-sharing and
5. Conclusions
The paper
incidents aimed
reporting at
and discussing
to propose present inadequacies platform
an AI cybersecurity of current platforms
solution. As for
yet, threat intelligence,
the enormous amountinfo-sharing
of data beingand
The
5.The paper
Conclusions aimed at discussing present inadequacies of current platforms for threat intelligence, info-sharing and
incidents
5. reporting
paper
Conclusions
acquired by aimed and
infinite to propose
atsources
discussing
and an
madeAI cybersecurity
present inadequacies
openly platform
of current
available to a solution.
platforms
widespread As for
yet, theofenormous
threat
target amount
intelligence,
users lacks of data
info-sharing
logical being
and
semantic
incidents
The paper reporting
aimed and to propose present
at discussing an AI cybersecurity
inadequacies platform
of current solution.
platforms As for
yet, threat
the enormous amount
intelligence, of data being
info-sharing and
acquired
incidents by
systematization infinite
reporting andsources
to
on account and
propose made
an AI
of methodological openly available
cybersecurity
flawsavailable to
platform
in theplatform a widespread
solution.
theoretical As target
yet,
and technological theof users
enormous lacks
amount
specifications. logical
of semantic
data being
acquired
incidents
The by aimed
paper infinite
reporting and
atsources and present
to propose
discussing made
an openly
AI cybersecurity
inadequacies of to a solution.
current widespread
platforms As fortarget
yet, theof
threat users lacks
enormous amount
intelligence, logical semantic
of data
info-sharing being
and
systematization
acquired
The paper by aimedon account
infinite of methodological
atsources and present
discussing made openly flawsavailable
in theof
inadequacies theoretical and technological
to a widespread
current platforms target
for specifications.
of
threat users lacks logical
intelligence, semantic
info-sharing and
systematization
acquired
incidents on account
by infinite
reporting and to of methodological
sources and an
propose madeAI flawsavailable
openly in theplatform
cybersecurity theoretical and technological
to a solution.
widespread As target
yet, the specifications.
of users lacks
enormous amountlogical
of semantic
data being
systematization
incidents
The POC on account
reporting
solution and of methodological
to propose
represents a modeling flaws in
an AI cybersecurity
solution thean
and theoretical
platform
application andcapable
solution. technological
As yet,
to the specifications.
face enormous
the need amount
for data of data being
standardization
systematization
acquired on account
bysolution
infinite of methodological
sources and made openly flawsavailable
in the theoretical and technological
to a widespread target specifications.
The POC
acquired bysolution
infiniterepresents
sources a modeling
and made solutionas
openly and an application
available to by
a civiliancapable
widespread to face of
target theusers lacks
datalogical
need systems.
for semantic
standardization
and integration
The POC
systematization to
onface cyber-attacks
represents
account of and incidents,
a modeling
methodological solution
flaws advocated
and
in theantheoretical
application and capable to face of
and military
technological theusers
defence
need forlacks
specifications. datalogical semantic
standardization
and integration
The POC solution
systematization to
onface cyber-attacks
represents
account and incidents,
a modeling
of methodological flawsasin
solution advocated
and by civilian
theantheoretical
application and military
andcapable defence
need systems.
to face specifications.
technological the for data standardization
and integration
The POC solutionto face cyber-attacks
represents and incidents,
a modeling solutionasandadvocated by civilian
an application and military
capable defence
to face the need systems.
for data standardization
and
The integration
POC to face
solution cyber-attacks
expects wide testingand incidents, as advocatedFurther
and implementation. by civilian and military
applications defence
of the AI systems. include domain
modeling
and
The integration
The POCsolution
POC to face
solution cyber-attacks
represents
expects and incidents,
wideaa modeling
testing andsolution asand
advocated
implementation. by civilian
an application
Further and military
capable
applicationsto face defence
the
of the need
AI systems.
for data include
modeling standardization
domain
The POC
ontologies
The integrationsolution
and
POC solution represents
thematic
expectssubdomain modeling
wide testing solution
(financial, and an
automotive,
and implementation. application
healthcare,
Further capable to face
environment,
applications the need
etc.)
of the for data include
integrated
AI modeling standardization
with data from
domain
and
The POC solution
ontologies to face
and tothematiccyber-attacks
expects wide testing
subdomain and incidents, as advocated
and implementation.
(financial, automotive, by civilian
Further
healthcare, and military
applications
environment, defence
of the systems.
AI integrated
etc.) modeling include
with datadomain
from
and
The integration
defense
POC solution face
technologies; cyber-attacks
customization
expects wide and
of
testing incidents,
data
and as
(company,advocated
implementation. by civilian
institution,
Further etc.);and military
technological
applications of defence
the systems.
implementation
AI modeling of
include modeling
domain
ontologies and thematic subdomain (financial, automotive, healthcare, environment, etc.) integrated with data from
ontologies and thematic
defense technologies; subdomain (financial,
customization automotive,
of data (company, healthcare,
institution, environment,
etc.); technological etc.) integrated with
implementation of data from
modeling
(machine
The POC learning,
ontologies
defense solution deep
and thematic
expects learning)
subdomain
wide testingand dataimplementation.
(financial,
of and implementation
automotive, in the etc.);
healthcare,
Further tool according
environment,
applications to multiple
etc.)
of the AI modalities.
integrated
modeling with Finally,
of data
include from
domain
The POCtechnologies;
defense
(machine technologies;
learning,
customization
solution expects wide testing
customization
deep learning) and
data
of and
data
(company,
dataimplementation.
(company,
implementation
institution,
Further
institution,
in the etc.);
technological
applications of the
tool technological
according
implementation
to AI modeling
implementation
multiple include modeling
domain
of modeling
modalities. Finally,
standards
defense
ontologies
(machine for logical-semantic
technologies;
and thematic
learning, metadata
customization
subdomain
deep subdomain
learning) and ofand
datapreventive
(financial, (company, /predictive
automotive,
data implementation services
institution,
healthcare,etc.);
in the tool are expected.
technological
environment,
according to implementation
etc.) integrated
multiple with of
modalities. modeling
data from
Finally,
ontologiesfor
(machine
standards and thematic
learning, deep learning)
logical-semantic metadata (financial,
and anddata automotive,
implementation
preventive healthcare,
/predictivein services
the tool environment,
areaccording
expected.to etc.) integrated
multiple with data
modalities. from
Finally,
defense
(machine
standards technologies;
learning, customization
deep
for logical-semanticlearning) of
and
metadataofand data
data (company,
implementation
preventive institution,
/predictivein the etc.);
tool
services technological
according to implementation
multiple of
modalities. modeling
Finally,
defense technologies;
standards customization
for logical-semantic metadata and data (company,
preventive institution,
/predictive etc.);are
services are
expected. implementation of modeling
technological
expected.
Elisabetta Zuanelli et al. / Procedia Computer Science 205 (2022) 300–309 309
