Available online at www.sciencedirect.com
ScienceDirect
Procedia Computer Science 205 (2022) 300–309
www.elsevier.com/locate/procedia

International Conference on Military Communications and Information Systems (ICMCIS 2022)

Cybersecurity ontology and defense solutions: the POC platform

Elisabetta Zuanelli*

Dept. of Management and Law, University of Rome “Tor Vergata”, Via Columbia 2, Rome, 00133, Italy

Abstract

The paper presents the Platform Ontology of Cybersecurity (POC) as developed by the Pragmema team for big data analytics and early detection of cybersecurity incidents as needed in operational defense systems. The modeling of knowledge representation for threat intelligence, info sharing, and incidents reports is based on the theoretical assumptions provided by general linguistics (specifically text linguistics and pragmalinguistics), semantics and cognitive psychology in an AI perspective and turned into neural networks DDBB.

© 2022 Elisabetta Zuanelli. Published by ELSEVIER B.V.
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the scientific committee of the International Conference on Military Communications and Information Systems

Keywords: Cybersecurity ontology; AI knowledge representation; threat intelligence; graphs networks representation; IoCs correlations

1. Introduction

Diverse approaches to the ontological/taxonomic modeling of cybersecurity have been proposed over the years for threat intelligence and info sharing. The overall aim of cybersecurity repositories is technological and logical semantic interoperability of data as related to events/incidents reporting and analysis for detection and prevention of cybersecurity attacks and incidents [1][2][3][4][5][6].

As yet, repositories of cybersecurity taxonomies and ontologies propose different classes/categories of data/entities and their relations and different data classifications. As a result, data reporting in the operational defense systems requires a manual analysis and classification of data/IoCs with no functional relations among them for prevention and resilience activities.

The paper presents the Platform Ontology for Cybersecurity (POC) with an innovative methodological approach to the definition of a cybersecurity upper-level ontology, domain entities and logical semantic relations [7]. POC is developed both in a taxonomic and ontological format according to knowledge representation based on linguistics, semantics, and cognitive psychology. The paper presents the POC data architecture at different levels including contextualized cyber incidents/events reporting and IoCs data correlations, by means of graphs networks DDBB. The overall operative implication is the inferential activity of big data analytics for prevention in a structured ontological model [8].

1.1. The state of the art: issues and problems

The typologies of present modeling proposals for cybersecurity ontologies/taxonomies confirm the problematic evaluation of present repositories/solutions. Cybersecurity ‘ontologies’ can be defined as logical semantic systems of entities and their logical semantic relationships based on high level knowledge representation as applied to the cybersecurity domain. Best abstract representations should contextualize entities and relations. Taxonomies, instead, are mainly hierarchical classes of single
decontextualized
entities as logical
confirm
representation
entities.
relations. Insemantic
as the
most systems
problematic
applied
cases, to of
the
even
evaluation
Taxonomies, of presentinstead,repositories/solutions.
are mainly Cybersecurity
hierarchical classes ‘ontologies’
ofhigh
single can be defined as
decontextualized logical Insemantic
entities. most systems
cases, of
entities
evaluation
cybersecurity
taxonomies
The
1.1. The and of
state their
show
typologies present
domain.
of the logical
typological
of present
art: semantic
repositories/solutions.
Best abstract
issues and relationships
representations
inconsistencies.
modeling
problems proposals based
Cybersecurity
should
for on‘ontologies’
contextualize
cybersecurity level knowledge
can be
entities defined
and representation
as
relations.
ontologies/taxonomies logical
confirm as
semanticapplied
the toeven
systems
problematic the
of
Taxonomies,
entities
taxonomies and their
show instead,
logical
typological are mainly
semantic hierarchical
relationships
inconsistencies. classes
based on of single
high leveldecontextualized
knowledge entities.
representation In most
as cases,
applied to even
the
cybersecurity
entities and domain.
their Best
logical abstract
semantic representations
relationships should
based contextualize
on‘ontologies’ entities
be and relations.
The
1.1. Thetypologies
evaluation
taxonomies
cybersecurity of
state
Taxonomies, showpresent
of the of present
art:
instead, issues
typological
domain. Best are modeling
repositories/solutions.
and problems
mainly
inconsistencies.
abstract proposals
Cybersecurity
hierarchical
representations classes
should ofhigh
for cybersecurity level
single
contextualize
knowledge
decontextualized
entities and
representation
ontologies/taxonomies
can defined as confirm
logical
entities.
relations.
as
most applied
the
Insemantic cases, toeven
problematic
systems the
of
cybersecurity
evaluation
The
entities andof
typologies
Taxonomies,
taxonomies domain.
present
their
show
*Elisabetta of Best
present
logical
instead,
typological
Zuanelli. abstract
modeling
semantic
are
Tel.: mainly representations
repositories/solutions. proposals
relationships
inconsistencies.
+39-348-3333682 hierarchical should
Cybersecurity
based
classes contextualize
on‘ontologies’
for cybersecurity
ofhigh level
single entities
can be and
knowledge
decontextualized relations.
defined
ontologies/taxonomies as logical
representation
entities. Insemantic
confirm as the
most systems
problematic
applied
cases, toeven of
the
Taxonomies,
entities
evaluation
The andof
*Elisabetta
typologies
cybersecurity their instead,
present
domain. logical
Zuanelli.
of present
Best are
Tel.: mainly
semantic
+39-348-3333682
repositories/solutions.
modeling
abstract hierarchical
relationships classes
based
Cybersecurity
proposals
representations ofhigh
for cybersecurity
should single
on‘ontologies’
contextualize leveldecontextualized
knowledge
can be and
defined
ontologies/taxonomies
entities entities.
representation
as
relations.logical Insemantic
confirm most
as the cases,
applied toeven
systems
problematic the
of
taxonomies E-mail
Taxonomies, show
address:
*Elisabetta
typological
instead,
Zuanelli. are inconsistencies.
elisabetta.zuanelli@uniroma2.it
mainly
Tel.: +39-348-3333682 hierarchical classes of single decontextualized entities. In most cases, even
taxonomies
entities
evaluation
E-mailshow
cybersecurityand of
address:
their typological
domain.
present Bestare
logical inconsistencies.
elisabetta.zuanelli@uniroma2.it
abstract
semantic representations
repositories/solutions. relationships should
based
Cybersecurity contextualize
on high level
‘ontologies’ entities and
knowledge
can be relations.
defined representation
as logical as
semanticapplied to
systems the
of
taxonomies
Taxonomies,
E-mail
1877-0509 ©*Elisabetta show
address: typological
instead,
2022 TheZuanelli. inconsistencies.
mainly
elisabetta.zuanelli@uniroma2.it
Authors.Tel.: +39-348-3333682
Published hierarchical
by Elsevier B.V. classes of single decontextualized entities. In most cases, even
cybersecurity
Thisentities
taxonomies
an open andaccess
is Taxonomies,
E-mail showdomain.
their
address:
*Elisabetta instead,Best
logical
typological abstract
semantic
are mainly representations
relationships
inconsistencies.
elisabetta.zuanelli@uniroma2.it
Zuanelli.
article Tel.: +39-348-3333682
under the CC should
based
hierarchicallicense
BY-NC-ND classes contextualize
onofhigh level
single entities and relations.
knowledge
decontextualized representation
entities. In as
(https://creativecommons.org/licenses/by-nc-nd/4.0) most applied
cases,toeven the
*Elisabetta
cybersecurity
E-mail Zuanelli.
domain. Tel.:abstract
Best +39-348-3333682
representations
elisabetta.zuanelli@uniroma2.it should contextualize entities and relations.
taxonomies underaddress:
E-mailshow typological
Peer-review
Taxonomies,
*Elisabetta responsibility
instead,
Zuanelli. are
Tel.: ofinconsistencies.
the scientific
mainly
+39-348-3333682 committee
hierarchical of the
classes International
of Conference
single decontextualized on Military
entities. Communications
In most cases, and even
address: elisabetta.zuanelli@uniroma2.it
Information
taxonomies Systems
E-mail
Taxonomies, show
address: typological
instead, are inconsistencies.
elisabetta.zuanelli@uniroma2.it
mainly hierarchical classes of single decontextualized entities. In most cases, even
*Elisabetta Zuanelli. Tel.: +39-348-3333682
10.1016/j.procs.2022.09.031
taxonomies E-mailshow
address:
*Elisabetta typological inconsistencies.
elisabetta.zuanelli@uniroma2.it
Zuanelli. Tel.: +39-348-3333682
E-mail address:
*Elisabetta elisabetta.zuanelli@uniroma2.it
Zuanelli. Tel.: +39-348-3333682
E-mail address: elisabetta.zuanelli@uniroma2.it
*Elisabetta Zuanelli. Tel.: +39-348-3333682
E-mail address: elisabetta.zuanelli@uniroma2.it
Elisabetta Zuanelli et al. / Procedia Computer Science 205 (2022) 300–309 301
The basic principles of a cybersecurity ontology consist in the definition of an upper level, a mid-level, and a specific domain ontology for data representation. This activity requires, on one side, the definition of taxonomic and ontological entities and their relations. On the other side, platforms of cyber data analysis and classification require the correlation and integration of IoCs deriving from monitoring systems (IDS, IPS, firewalls, antimalware, antivirus, antispam, honeypots, penetration tests, etc.). In general, different platforms/repositories reveal a simplification of the theoretical ontological core and the adoption of intuitive classes, entities, relations, and vocabularies. In other terms, there is a loose connection between the theoretical logical semantic definition of the ontology and the domain ontology, which does not allow for a big data architecture and data interpretation by the machine. Consequently, operational digital services for cybersecurity, such as preventive/predictive activities by the machine, still seem unattainable [9] [10].
The contributions to the definition of cybersecurity ontologies/taxonomies often propose frameworks describing
useful processes to be activated by an organization to manage cybersecurity, articulated into IT asset domain, incident
handling domain or operational information, organizational modeling, management [11][12][13]. In a structured
methodological representation of general and specific criteria for developing an ontology of the cybersecurity domain,
comparative tables emphasize the reuse of existing ontologies, classes and properties and equivalent relations. As for the
final product, they distinguish upper ontologies, high level and domain-independent, from mid-level and domain
ontologies that represent specific concepts [14].
An enormous effort to produce enumerations and lists of contents to be associated with an ontological architecture has
been produced by MITRE since 2010: the 2016 NIST Vulnerability Ontology appeared as the first active contribution to
the cybersecurity knowledge representation.
Comparative tables such as Fig. 1 list cyber threat intelligence taxonomies/ontologies and shared partial values, with no methodological implications [15].
In a comparative study of ontologies related to diverse specific topics, Fig.2, the authors highlight methodological
biases: “only 13.33% of the papers validate their proposals, trying to identify the correct use of the language, the
accuracy of the taxonomic structure, the validity of the vocabulary, … One of the challenges that constitutes a
potentially interesting area arises when data is collected from different safety equipment (IDS, intrusion prevention
system, firewall, antivirus system, system security audit, honeynet, etc.) The safety equipment is distributed in different
domains in the network, which is required to develop an ontology that can integrate real-time data from this safety
equipment and allows the captured data to be properly administered” [16].
The comment appears particularly consistent as it reveals the lack of topics/entities and related correlations on one side; on the other, it calls attention to the need to incorporate IoCs.
In the presentation of the Pragmema POC (Platform Ontology for Cybersecurity) at E-Age 2017, I introduced the theoretical ground for an innovative approach to knowledge representation in cybersecurity ontologies [17]. POC is based on an abstract upper-level ontology that is developed into the cybersecurity domain ontology and a related pragmatic ontology that releases cybersecurity services. The general cybersecurity ontology has been further developed to subsume subdomain ontologies such as automotive and financial entities. The methodological issues to be faced were knowledge representation and the development of the Controlled Vocabulary.
In the theoretical ground I had to face two basic biases or inadequacies in specific literature as far as the ontological
representation of data is concerned.
Most ontologies do not include the abstract level of knowledge representation and appear rather as specific perspectives
of categories/entities: semantic threat modelling, cyberthreat intelligence, attack patterns, etc. [18] [19].
Where an upper level appears it refers to logical relations that do not include ‘logical semantic relations’ as typical of
natural language representation and interpretation of cybersecurity entities [20]. The upper and midlevel concepts defined
for POC derive from the semantics of natural language knowledge representations as dealt with in linguistics,
psycholinguistics, semantic approaches [21]. In Fig. 3 and Fig. 4 general concepts for representation of entities are
presented.
Fig. 3 The upper-level ontology concepts
Fig. 4 The mid-level ontology concepts
The upper level/midlevel POC concepts were semantically defined and turned into the knowledge ontology of POC.
Logical semantic interoperability was assigned to JSON format data. The knowledge upper ontology was then related
to correlative first level classes of entities deriving from a procedural framing of the cybersecurity domain such as:
threats, vulnerabilities, events and incident routes, impact typologies and mitigations, represented by means of
taxonomic and ontological relations deriving from their definitions.
2.2. The specification of a Controlled Semantic Vocabulary (CSV): the three levels ontology
The methodological issue concerning the quality of a CV raises the question of how to realize unambiguous and contextualized definitions of entities/entries. The MITRE approach used a model of semantic relations in the CV that does not allow for a general cybersecurity knowledge representation and a specification of the cybersecurity domain ontology. The reason lies in the modeling of ‘semantic memory’, which does not include syntactic relations of entities for a semantic contextualized representation. As compared with the preliminary statements in the analysis of the MITRE proposal, in current repositories there is no concern for semantic specifications. Vocabularies appear as listings of items in alphabetical order or as matter-of-fact definitions with no semantic implications.
Definitions of entities in POC were realized through the development of an innovative method for a Controlled (Semantic) Vocabulary (CSV). In my approach, a CSV specifies classes of entities and logical semantic relations as implied in a natural language formulation. To specify the conceptual definition of lexical entries/entities of a natural language (technical) vocabulary in an ontology, the application of a range of semantic relations including predicative relations (propositions) was faced. Semantic relations in the definition of entities were related on one side to logical semantic features in the modeling of semantic memory, where verbal entities have been analyzed and related by means of interconnected links, including hierarchical and non-hierarchical classifications and the specification of conceptual linguistic attributes and properties [22][23].
On the other side, the decision to include syntactic representations of entities as implied in the first models of semantic memory was derived from the structure of vocabulary definitions, which in my perspective correspond to a contextualized text. Technically defined in text linguistics, a text is a set of phrases where referent and coreferential words are connected by semantic attributes, properties, and predicative relations. In other terms, lexical entities in the field of cybersecurity terminology imply a definition that specifies the textual world/value within which words have a specific correlative meaning as related to a specific text/context/domain and related data. Therefore, if we consider the definition of an entity in a controlled vocabulary as a set of phrases endowed with coherent (logical semantic) and cohesive features called textuality, the textuality of definitions allows us to apply the notion of primary and secondary semantic universal concepts underlying a textual meaning to the representation of the domain ontology [24]. If we define ‘malware’ as the typology of noxious software whose malicious installation in a computer is capable of causing a negative impact on its use by a subject (person, company, institution, etc.), we realize that semantic relations in this definition have to do with conceptually related entities that stand for multiple digital actors (agents, patients), situations, events, states, objects, time, space, instrument, ends in view, cause, result; attributes such as noxious, negative, etc.; properties such as can/does, namely predicative features, etc. These semantic syntactic relations among entities are technologically resolved by the underlying ontological network DDBB. The POC abstract layer of architecture, in fact, is based on the general structuring of primary and secondary centers of control in psycholinguistic, textual, and pragmatic literature and represented in the cybersecurity knowledge framework. The representation of lexical entities/concepts and their relations in the cybersecurity domain ontology was developed from the upper-level general features and has included the articulation of their definitions by means of relations such as class (is a), attribute, property, as well as predicative/syntactic specifications (can, does) of categories as related to contextual meanings. In Fig. 4 there follow POC screenshots of classes of the first level domain ontology on the initial Liferay platform.
So far, classes/entities described in the POC CSV amount to 586 items. They are organized into classes/categories defined both by taxonomic hierarchic relations and transversal logical semantic relations at different levels (Fig. 6).
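To make the relation types concrete, the following is an added example (not code from the POC platform) that encodes a few CSV-style entries, including the ‘malware’ definition above, as JSON and derives contextualized definitions from taxonomic (is a) and transversal (attribute, can/does, semantic role) relations; the key names, the sample entries and the deliberately misspelt class under ‘trojan’ are assumptions made here, the last one to show the kind of typological inconsistency check a vocabulary needs.

```python
import json

# Constructed sample vocabulary (assumed JSON layout, not the POC CSV itself).
# "trojan" deliberately points at a misspelt class to exercise the consistency check.
CSV_JSON = """
{
  "software": {"is_a": []},
  "noxious software": {"is_a": ["software"], "attributes": ["noxious"]},
  "malware": {
    "is_a": ["noxious software"],
    "attributes": ["malicious"],
    "can": ["cause negative impact"],
    "does": ["install in a computer"],
    "roles": {"agent": "attacker", "patient": "subject",
              "instrument": "computer", "result": "negative impact"}
  },
  "ransomware": {
    "is_a": ["malware"],
    "can": ["encrypt files"],
    "does": ["demand ransom"],
    "roles": {"result": "data unavailability"}
  },
  "trojan": {"is_a": ["malwares"]},
  "subject": {"is_a": [], "members": ["person", "company", "institution"]}
}
"""

RELATIONS = ("attributes", "can", "does")   # transversal (non-hierarchical) relations


def load_csv(text: str) -> dict:
    """Parse the JSON vocabulary and fill in missing relation lists."""
    vocab = json.loads(text)
    for entry in vocab.values():
        entry.setdefault("is_a", [])
        for rel in RELATIONS:
            entry.setdefault(rel, [])
        entry.setdefault("roles", {})
    return vocab


def ancestors(vocab: dict, entity: str) -> list:
    """Taxonomic chain of 'is a' classes, nearest first, cycle-safe."""
    seen, chain, todo = set(), [], list(vocab.get(entity, {}).get("is_a", []))
    while todo:
        cls = todo.pop(0)
        if cls in seen:
            continue
        seen.add(cls)
        chain.append(cls)
        todo.extend(vocab.get(cls, {}).get("is_a", []))
    return chain


def inherited(vocab: dict, entity: str, relation: str) -> list:
    """Values of a transversal relation collected along the 'is a' chain."""
    values = []
    for name in [entity] + ancestors(vocab, entity):
        for v in vocab.get(name, {}).get(relation, []):
            if v not in values:
                values.append(v)
    return values


def roles(vocab: dict, entity: str) -> dict:
    """Semantic roles (agent, patient, instrument, result); the most specific entry wins."""
    merged = {}
    for name in reversed([entity] + ancestors(vocab, entity)):
        merged.update(vocab.get(name, {}).get("roles", {}))
    return merged


def definition(vocab: dict, entity: str) -> str:
    """Render the contextualized definition, i.e. the 'textuality' of a CSV entry."""
    parts = [f"{entity} is a {', '.join(ancestors(vocab, entity)) or 'top-level entity'}"]
    for rel in RELATIONS:
        vals = inherited(vocab, entity, rel)
        if vals:
            parts.append(f"{rel}: {', '.join(vals)}")
    r = roles(vocab, entity)
    if r:
        parts.append("roles: " + ", ".join(f"{k}={v}" for k, v in sorted(r.items())))
    return "; ".join(parts) + "."


def dangling_classes(vocab: dict) -> list:
    """Typological consistency check: 'is a' targets that are not defined entries."""
    return [(name, cls) for name, entry in vocab.items()
            for cls in entry["is_a"] if cls not in vocab]


if __name__ == "__main__":
    v = load_csv(CSV_JSON)
    print(definition(v, "ransomware"))
    print("dangling classes:", dangling_classes(v))
```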
Fig. 10 The incident nodes and starting variables: the reverse knowledge incident analytics (RKIA)
The POC reverse knowledge incident analytics (RKIA) starts from the technological data representing an incident and the diverse logical paths. The ordered links of the path are considered concurrent variables for incident reporting and interpretation. These links/nodes are sets of variables as processed by the ontology specification at different levels. In other words, the incident representation is related to potential or factual logical semantic relationships at the diverse levels of knowledge structuring within the global ontology. Different concurrent nodes for different incidents are considered as conditioning contextual variable factors of attacks/incidents. Specific filters of different clusters of variables can offer a recurrent confirmation of incident paths for different or differing incidents reporting. Longitudinal reports of similar or different attack mechanisms/paths should release predictive results of incoming threats based on the activation of different clusters of data according to the POC representation and analytics and regressive/prospective inferential processes. An overall graph representation of POC nodes and links of the incident is as follows in Fig. 11. The blue terminal nodes represent different types of incidents as filtered by the first cluster of parameters/entities for incidents reporting.
Fig. 11 The POC platform nodes graph for the incident analytics
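The RKIA idea described above, as an added example that is not part of the paper or the POC platform: incident paths are ordered links of (variable, value) pairs ending in a terminal incident type; observed technological data is matched against every path, a contradicted link rules a path out (the links are concurrent variables), and repeated full matches across longitudinal reports give the recurrent confirmation the text mentions. The variable names, the three paths and the sample reports are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """One ordered link of an incident path: a variable and its expected value."""
    variable: str
    value: str


@dataclass(frozen=True)
class IncidentPath:
    """A logical path whose terminal node is the incident type (a 'blue node')."""
    incident_type: str
    links: tuple


# Constructed paths with assumed variable names; not the POC graph.
PATHS = (
    IncidentPath("credential theft", (
        Link("vector", "email"), Link("payload", "link"),
        Link("impact", "credential loss"))),
    IncidentPath("ransomware", (
        Link("vector", "email"), Link("payload", "attachment"),
        Link("behaviour", "encryption"), Link("impact", "data unavailability"))),
    IncidentPath("denial of service", (
        Link("vector", "network"), Link("behaviour", "traffic flood"),
        Link("impact", "service unavailability"))),
)


def first_cluster(paths=PATHS, variable: str = "vector") -> dict:
    """Group incident types by the first cluster of parameters (here a single variable)."""
    groups = {}
    for p in paths:
        for link in p.links:
            if link.variable == variable:
                groups.setdefault(link.value, []).append(p.incident_type)
    return groups


def match_path(observed: dict, path: IncidentPath):
    """Score how far the observed technological data confirms one path.

    Returns None when an observed variable contradicts a link (links are
    concurrent variables, so one contradiction rules the path out), else
    the fraction of links confirmed; unobserved variables stay undecided.
    """
    confirmed = 0
    for link in path.links:
        if link.variable not in observed:
            continue
        if observed[link.variable] != link.value:
            return None
        confirmed += 1
    return confirmed / len(path.links)


def rkia(observed: dict, paths=PATHS, min_score: float = 0.5) -> list:
    """Reverse knowledge incident analytics: candidate incident types, best first."""
    scored = []
    for p in paths:
        s = match_path(observed, p)
        if s is not None and s >= min_score:
            scored.append((p.incident_type, s))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def confirmations(reports, paths=PATHS) -> Counter:
    """Longitudinal view: how often each path is fully confirmed across reports."""
    counts = Counter()
    for observed in reports:
        for p in paths:
            if match_path(observed, p) == 1.0:
                counts[p.incident_type] += 1
    return counts


# Constructed incident reports: technological data as observed variable values.
REPORTS = (
    {"vector": "email", "payload": "attachment", "behaviour": "encryption",
     "impact": "data unavailability"},
    {"vector": "email", "payload": "link", "impact": "credential loss"},
    {"vector": "email", "payload": "attachment", "behaviour": "encryption",
     "impact": "data unavailability"},
    {"vector": "network", "behaviour": "traffic flood"},   # impact not yet observed
)

if __name__ == "__main__":
    print(rkia({"vector": "email", "payload": "attachment", "behaviour": "encryption"}))
    print(confirmations(REPORTS))
```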
3. The technological infrastructure
Data management and analysis are mainly developed with R and Python programming languages and environments (supporting the necessary mathematical/statistical functions). Data analysis uses ‘decision trees’ and ‘neural networks’ to categorize data and to define predictions typical of inferential statistics. Both ‘supervised’ and ‘unsupervised’ models are used for analysis. Unsupervised methods, when there is no default grouping variable, are used for ‘clustering’ templates and ‘association rules’ templates. Supervised methods are used for ‘classification’ and ‘regression’ models based on the type of grouping variable, whether cardinal or numeric. Supervised regression models are linear (an estimate based on a dependent variable and one or more independent variables). A Support Vector Machine assigns new examples to one of the possible database classes, obtaining a non-probabilistic binary classifier. Among the classification models, the K-NN method, k-nearest neighbors, is used, which is based on the characteristics of objects close to the one considered. An object is classified by a plurality vote of its neighbors, with the object assigned to the most common class among its closest k neighbors. Classification trees or decision-making trees, which represent the data in a tree with interior nodes that divide samples into homogeneous ‘labels’ classes, are used.
to inmost
Among
POC aistree
objects
the most the
a
common
with
close to
common
tool to theclass
interior
class
classification
normalize
amongnodes
one binary
among
models,
big
its closest
considered.
its
data. Anthat
closest
the K-NN
The
k neighbors.
divide
object
k is samples
neighbors.
method,
ontology
Classification
into
classified byhomogeneous
aneighbors,
plurality
Classification
k-nearest
encompasses the
trees
vote
treesis
structured
or
or
decision-making
‘labels’
of classes
itswhich
neighbors,
decision-making
used, is
representation based
treesthe
areofwith
used.
trees
on
that
that
the
masses
represent
object
represent
the
assigned
the
characteristics
of data. At
data
to POC
theinmost
aistree
a with
tool
commonto interior
normalize
class binary
big
among nodes
data.
its that ontology
The
closest divide
k samples
neighbors. into homogeneous
encompasses the
Classification structured
trees ‘labels’
or classes areofused.
representation
decision-making masses
trees thatof data. At
represent the
data
of in a
objects
applicational
POC tree with
close to
level,interior
the one
POC binary
allowsnodes
considered. for Anthat
the divide
object is samples into
classified
correlation amongby homogeneous
a plurality vote
institution/company‘labels’
of its classes
neighbors,are
technology used.
with the
assets, object assigned
cybersecurity
to POC ais
applicational
datatheinmost
a tool
istree with
a tool
common
to interior
level, normalize
POC big nodes
allows
classbinary
to normalize
data.
big data.
among
Thethe ontology
itsforclosest
that
The divide
ontology
encompasses
correlation
samples among the structured
institution/company
into homogeneous
encompasses
k neighbors. the structured
Classification trees or
representation
‘labels’ classes
representation
decision-making areof
technology masses
assets,
ofused.
masses
trees
of data. At the
thatofcybersecurity
data. At the
represent
implementation data, events, and incidents monitoring data IoCs/IoAs.
implementation data,aevents,
Finally, it releases and Elisabetta
incidents
contextualized Zuanelli
of et
theal.data
monitoring
evaluation / Procedia
type of riskComputer
IoCs/IoAs. Science 205
value recording and(2022) 300–309
incident assessment. 307
implementation data,aevents,
Finally, it releases and incidents
contextualized monitoring
evaluation of the data
type IoCs/IoAs.
of risk value recording and incident assessment.
implementation data,
Finally, it releases events, and incidents monitoring data IoCs/IoAs.
implementation
4.Finally,
The three data,aaevents,
levels
contextualized
and evaluation
incidents of the data
monitoring type IoCs/IoAs.
of risk value recording and incident assessment.
implementation
Finally, it data,ontology
it releases
releases aevents, andincidents
and IoCs
contextualized
contextualized
correlation
evaluation of the data
monitoring
evaluation of the
type IoCs/IoAs.
type
of risk value recording and incident assessment.
of risk value recording and incident assessment.
4.Finally,
The three it levels ontology
releases a and IoCs
contextualized correlation
evaluation of the type of risk value recording and incident assessment.
4. The three levels ontology and IoCs correlation
POC assumes the correlation of the knowledge ontology with the domain ontology and the pragmatic ontology, as well as the integration of defense systems data/IoCs (monitoring systems, IDS, IPS, firewall, antimalware, antivirus, antispam, honeypot, etc.) for attacks/incidents interpretation. The cybersecurity knowledge representation in graphs appears as follows in Fig. 12.
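The three-level correlation described above, as an added illustration that is not POC code and does not reproduce its schema: a constructed graph links asset inventory (domain level), IoC knowledge (knowledge level) and monitoring events from defense systems (pragmatic level), and walks it to produce a contextualized per-asset assessment. Node types, edge labels, sample values and the risk heuristic are all assumptions.

```python
"""Toy correlation graph in the spirit of POC's three-level model (constructed example)."""
from collections import defaultdict

# Constructed sample: institution/company technology assets (domain level).
ASSETS = {
    "srv-01": {"role": "web server", "criticality": "high"},
    "ws-17": {"role": "workstation", "criticality": "low"},
}

# Constructed sample: IoC knowledge with type and associated threat (knowledge level).
IOCS = {
    "ioc-1": {"type": "ipv4", "value": "203.0.113.5", "threat": "c2-beacon"},
    "ioc-2": {"type": "sha256", "value": "<placeholder-hash>", "threat": "dropper"},
}

# Constructed sample: monitoring events emitted by defense systems (pragmatic level).
EVENTS = [
    {"source": "firewall", "asset": "srv-01", "ioc": "ioc-1"},
    {"source": "ids", "asset": "srv-01", "ioc": "ioc-1"},
    {"source": "antimalware", "asset": "srv-01", "ioc": "ioc-2"},
    {"source": "ids", "asset": "ws-17", "ioc": "ioc-1"},
]


def build_graph(events):
    """Adjacency map: asset -> ioc -> set of defense systems that reported it."""
    graph = defaultdict(lambda: defaultdict(set))
    for ev in events:
        graph[ev["asset"]][ev["ioc"]].add(ev["source"])
    return graph


def assess(graph, assets, iocs):
    """Per-asset assessment: distinct threats, corroborating sources, assumed risk level."""
    report = {}
    for asset, seen in graph.items():
        threats = sorted({iocs[ioc]["threat"] for ioc in seen})
        sources = set().union(*seen.values())
        # Assumed heuristic: risk grows with independent corroboration and asset criticality.
        score = len(threats) + len(sources) + (2 if assets[asset]["criticality"] == "high" else 0)
        report[asset] = {
            "threats": threats,
            "sources": sorted(sources),
            "risk": "high" if score >= 4 else "low",
        }
    return report
```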