LitReview-CybersecurityOntologies.md

File metadata and controls

40 lines (32 loc) · 12.4 KB

Literature Search Process

  • Keywords used: "+ontology +cybersecurity" on Google Scholar
  • Round 1: Results (161000 results) were filtered by relevancy (based on the Google Scholar ranking algorithm), with a publication year of 2011 or later. Only the first 300 results were screened.
  • Round 2: From the round 1 results, the most relevant papers were selected based on their abstracts. The results of round 2 are listed below.

Towards a Human Factors Ontology for Cyber Security

Traditional cybersecurity risk assessment is reactive and based on a business risk assessment approach. The 2014 NIST Cybersecurity Framework provides businesses with an organizational tool to catalog cybersecurity efforts and areas that need additional support. As part of an on-going effort to develop a holistic, predictive cyber security risk assessment model, the characterization of human factors, which includes human behavior, is needed to understand how the actions of users, defenders (IT personnel), and attackers affect cybersecurity risk. Trust has been found to be a crucial element affecting an individual's role within a cyber system. The use of trust as a human factor in holistic cybersecurity risk assessment relies on an understanding of how differing mental models, risk postures, and social biases impact the level of trust given to an individual and the biases affecting the ability to give said trust. The Human Factors Ontology illustrates the individual characteristics, situational characteristics, and relationships that influence the trust given to an individual. Furthering the incorporation of ontologies into the science of cybersecurity will help decision-makers build the foundation needed for predictive and quantitative risk assessments.

Ontology for malware behavior: A core model proposal

Current efforts are based on an obsolete hierarchy of malware classes that defines a malware family by one single prevalent behavior (e.g., viruses infect other files, worms spread and exploit remote systems autonomously, Trojan horses disguise themselves as benign programs, and so on). In order to address the detection of modern, complex malware families whose infections involve sets of multiple exploit methods, we need an ontology broad enough to deal with these suspicious activities performed on the victim's system. In this paper, we propose a core model for a novel malware ontology that is based on their exhibited behavior, filling a gap in the field.

Behavior Ontology: A Framework to Detect Attack Patterns for Security

This paper presents a new method to detect attack patterns in security-critical systems, based on a new notion of Behavior Ontology. Generally, security-critical systems are large and complex, and are subject to being attacked by attackers in every possible way. Therefore it is very complicated to detect various attacks systematically in some semantic structure. This paper handles the complication with Behavior Ontology, where patterns of attacks in the systems are defined as a sequence of actions on a class ontology for the systems. By the nature of the actions, the attack patterns can be abstracted in hierarchical order, forming a lattice or a lattice of lattices, based on inclusion relations. Once the behavior ontology for the attack patterns is defined, the attacks in the target systems can be detected both semantically and hierarchically in the structure of the ontology. Compared with other attack models, the analysis on the behavior ontology shows that the approach in the paper is very effective and efficient in time and space. The approach can be considered as the first attempt to detect attack patterns with the notion of behavior ontology.

Toward a cybercrime classification ontology: A knowledge-based approach

While a universally agreed-upon classification scheme would facilitate the development of such understanding and also collaborations, current classification schemes are insufficient, fragmented and often incompatible since each focuses on different perspectives (e.g., role of the computer, attack, attacker's or defender's viewpoint), or uses varying terminologies to refer to the same thing, making consistent cybercrime classifications improbable. In this paper we present and illustrate a new cybercrime ontology that incorporates multiple perspectives and offers a more holistic viewpoint for cybercrime classification than prior works. It should therefore prove to be a more useful tool for cybercrime stakeholders.

Ontology for attack detection: An intelligent approach to web application security

The goal of this article is to demonstrate how an ontology-engineering methodology may be systematically applied for designing and evaluating such security systems. A detailed ontological model is shown that caters to the generalized working of web applications, the underlying communication protocols and attacks. More specifically, because the proposed ontological model captures the context, it can not only detect HTTP protocol specification attacks but also helps focus only on specific portions of the request and response where a malicious script is possible. The model also captures the context of important attacks, the various technologies used by the hackers, the source, target and vulnerabilities exploited by the attack, the impact on system components and the controls for mitigation.

APTMalInsight: Identify and cognize APT malware based on system call information and ontology knowledge framework

This paper proposes a novel APT malware detection and cognition framework named APTMalInsight, aiming at identifying and cognizing APT malware by leveraging system call information and ontology knowledge. We systematically study APT malware and extract dynamic system call information to describe its behavioral characteristics. With respect to the established feature vectors, the APT malware can be detected and clustered accurately into the families they belong to. Furthermore, a horizontal comparison between APT malware and traditional malware is conducted from the perspective of behavior types, to understand the behavioral characteristics of APT malware in depth.

Developing an Ontology for Individual and Organizational Sociotechnical Indicators of Insider Threat Risk

Human behavioral factors are fundamental to understanding, detecting and mitigating insider threats, but to date insufficiently represented in a formal ontology. We report on the design and development of an ontology that emphasizes individual and organizational sociotechnical factors, and incorporates technical indicators from previous work. We compare our ontology with previous research and describe use cases to demonstrate how the ontology may be applied. Our work advances current efforts toward development of a comprehensive knowledge base to support advanced reasoning for insider threat mitigation.

Ontology-based intelligent system for malware behavioral analysis

This paper proposes an ontology-based intelligent system for malware behavioral analysis. The design background and structure of the Taiwan Malware Analysis Net (TWMAN) are presented to analyze the malware behavior. The TWMAN is composed of the malware behavioral analysis agent and the ontology agent. All of the essential information of the TWMAN, including the malware behavioral ontology, is stored in an ontology repository. The malware behavioral analysis agent collects the malware behavioral information to build the malware behavioral ontology and malware behavioral rules. The results from the system logs show that the TWMAN can work effectively based on the malware behavioral analysis to protect the computers from the attack of computer viruses and Trojans.

An Ontology of Suspicious Software Behavior

Malicious programs have been the main actors in complex, sophisticated attacks against nations, governments, diplomatic agencies, private institutions and people. Knowledge about malicious program behavior forms the basis for constructing more secure information systems. In this article, we introduce MBO, a Malicious Behavior Ontology that represents complex behaviors of suspicious executions, and through inference rules calculates their associated threat level for analytical proposals. We evaluate MBO using over two thousand unique known malware and 385 unique known benign software. Results highlight the representativeness of the MBO for expressing typical malicious activities.

Mobile Malware Behavioral Analysis and Preventive Strategy Using Ontology

Mobile malware has caused harm by leaking user privacy, depleting battery power, and incurring extra service charges by automatically sending expensive multimedia messages or making long-distance calls. Also, the convenience of downloading programs from the Internet and sharing software with one another through short-range Bluetooth connections, worldwide multimedia messaging service communications and memory cards has created new vulnerabilities. As we know, anti-malware software plays an essential role in defending against mobile malware. The majority of detection software relies on an up-to-date malware signature database to detect malware. However, mobile phone networks have very different characteristics in terms of limited processing power, storage capacity and battery power. It is a challenge to distribute malware signature files to mobile devices in a timely manner. Therefore, this paper proposes an ontology-based behavioral analysis for mobile malware, and further provides information about mobile malware for end users to help them use their mobile phones securely.

Insider Threat Indicator Ontology

The insider threat community currently lacks a standardized method of expression for indicators of potential malicious insider activity. We believe that communicating potential indicators of malicious insider activity in a consistent and commonly accepted language will allow insider threat programs to implement more effective controls through an increase in collaboration and information sharing with other insider threat teams. In this report, we present an ontology for insider threat indicators. We make the case for using an ontology to fill the stated gap in the insider threat community. We also describe the semi-automated, data-driven development of the ontology, as well as the process by which the ontology was validated. In the appendices, we provide the ontology's user manual and technical specification.

Understanding and recommending security requirements from problem domain ontology: A cognitive three-layered approach

Socio-technical systems (STS) are inherently complex due to the heterogeneity of their intertwined components. Therefore, ensuring STS security continues to pose significant challenges. Persistent security issues in STS are extremely critical to address, as threats to security can affect entire enterprises, resulting in significant recovery costs. A profound understanding of the problems across multiple dimensions of STS is the key to addressing such security issues. However, we lack a systematic acquisition of the scattered knowledge related to the design, development, and execution of STS. In this work, we methodologically analyze security issues from a requirements engineering perspective. We propose a cognitive three-layered framework integrating various modeling methodologies and knowledge sources related to security. This framework helps in understanding essential components of security and making recommendations of security requirements regarding threat analyses and risk assessments using a Problem Domain Ontology (PDO) knowledge base. We also provide tool support for our framework. With the goal-oriented security reference model, we demonstrate how security requirements are recommended based on the PDO, with the help of the tool. The organized acquisition of knowledge from SME groups and the domain working group provides rich context for security requirements, and also enhances the re-usability of the knowledge set.

*** Building an Ontology of Cyber Security

Situation awareness depends on a reliable perception of the environment and comprehension of its semantic structures. In this respect, cyberspace presents a unique challenge to the situation awareness of users and analysts, since it is a unique combination of human and machine elements, whose complex interactions occur in a global communication network. Accordingly, we outline the underpinnings of an ontology of secure operations in cyberspace, presenting the ontology framework and providing two modeling examples. We make the case for adopting a rigorous semantic model of cyber security to overcome the current limits of the state of the art.