[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-users] Towards a better understanding of JSON-LD (Was: MTI Binding)
In hopes of increasing the understanding of RDF/OWL and JSON-LD, I've taken a snippet of the Poison Ivy sample provided up in GitHub, mapped it to an ontology defined in RDF/OWL, and then generated the same output in a number of different formats. The ontology that describes a STIX Campaign is attached (campaign.rdf) and can be visualized as a class diagram using UML notation in the attached file campaign.html-classdiagram.png.

Below is the basic snippet that I took from STIX/XML from the file fireeye-pivy-report.xml:

    <stix:Campaign timestamp="2014-05-08T09:00:00.000000Z" id="fireeye:campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e" xsi:type="campaign:CampaignType">
        <campaign:Title>th3bug</campaign:Title>
        <campaign:Status>Ongoing</campaign:Status>
        <campaign:Related_TTPs>
            <campaign:Related_TTP>
                <stixCommon:Relationship>Uses Malware</stixCommon:Relationship>
                <stixCommon:TTP idref="fireeye:ttp-34a3d511-e213-40d5-a932-fc4d836d455e"/>
            </campaign:Related_TTP>
            <campaign:Related_TTP>
                <stixCommon:Relationship>Uses Malware</stixCommon:Relationship>
                <stixCommon:TTP idref="fireeye:ttp-2821af3c-0f2b-45b4-92f5-465ca7a51920"/>
            </campaign:Related_TTP>
            <campaign:Related_TTP>
                <stixCommon:Relationship>Uses Malware</stixCommon:Relationship>
                <stixCommon:TTP idref="fireeye:ttp-862fd6e1-1711-4b70-8bec-1591f4baabc1"/>
            </campaign:Related_TTP>
        </campaign:Related_TTPs>
        <campaign:Attribution>
            <campaign:Attributed_Threat_Actor>
                <stixCommon:Threat_Actor idref="fireeye:threatactor-fb580b4d-b36d-415c-b711-d9997955f5c1"/>
            </campaign:Attributed_Threat_Actor>
        </campaign:Attribution>
    </stix:Campaign>

The following examples illustrate a basic example of using the STIX Campaign ontology. The examples show the definition of an ongoing Campaign called "th3bug" that is attributed to a particular threat actor and references 3 different TTPs that are asserted to be related to the campaign as described in the STIX/XML above.
The campaign is assigned the identifier

Through the use of RDF/OWL, it is possible to serialize an instance of Campaign in a number of different formats. To demonstrate this, the following examples illustrate the same information in a number of different formats. Running the above STIX/XML through a simple translator written in Python and based on the Campaign ontology, I was able to generate the following serializations:

N-triple Format

    <http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://stix.mitre.org/Campaign#Campaign> .
    <http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e> <http://www.w3.org/2000/01/rdf-schema#label> "th3bug" .
    <http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e> <http://stix.mitre.org/stixCommon#id> "campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e" .
    <http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e> <http://stix.mitre.org/stixCommon#timestamp> "2014-05-08T09:00:00Z" .
    <http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e> <http://stix.mitre.org/stixCommon#title> "th3bug" .
    <http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e> <http://stix.mitre.org/Campaign#status> "Ongoing"^^<http://stix.mitre.org/default_vocabularies-1#CampaignStatusVocab-1.0> .
    <http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e> <http://stix.mitre.org/Campaign#attribution> <http://cti.company.com/threatactor-fb580b4d-b36d-415c-b711-d9997955f5c1> .
    <http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e> <http://stix.mitre.org/stixCommon#relatedTTP> <http://cti.company.com/ttp-34a3d511-e213-40d5-a932-fc4d836d455e> .
    <http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e> <http://stix.mitre.org/stixCommon#relatedTTP> <http://cti.company.com/ttp-2821af3c-0f2b-45b4-92f5-465ca7a51920> .
    <http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e> <http://stix.mitre.org/stixCommon#relatedTTP> <http://cti.company.com/ttp-862fd6e1-1711-4b70-8bec-1591f4baabc1> .

Turtle Format

    # prefix declarations (the IRIs are the ones used in the N-triples above); the datatype IRI on
    # campaign:status must be written as <...> or a prefixed name to be valid Turtle
    @prefix rdfs:     <http://www.w3.org/2000/01/rdf-schema#> .
    @prefix stixc:    <http://stix.mitre.org/stixCommon#> .
    @prefix campaign: <http://stix.mitre.org/Campaign#> .

    <http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e> a <http://stix.mitre.org/Campaign#Campaign> ;
        rdfs:label "th3bug" ;
        stixc:id "campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e" ;
        stixc:timestamp "2014-05-08T09:00:00Z" ;
        stixc:title "th3bug" ;
        campaign:status "Ongoing"^^<http://stix.mitre.org/default_vocabularies-1#CampaignStatusVocab-1.0> ;
        campaign:attribution <http://cti.company.com/threatactor-fb580b4d-b36d-415c-b711-d9997955f5c1> ;
        stixc:relatedTTP <http://cti.company.com/ttp-34a3d511-e213-40d5-a932-fc4d836d455e>,
                         <http://cti.company.com/ttp-2821af3c-0f2b-45b4-92f5-465ca7a51920>,
                         <http://cti.company.com/ttp-862fd6e1-1711-4b70-8bec-1591f4baabc1> .

RDF/XML Format

    <!-- rdf:RDF wrapper and namespace declarations added so the fragment is a complete RDF/XML document -->
    <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
             xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
             xmlns:stixc="http://stix.mitre.org/stixCommon#"
             xmlns:campaign="http://stix.mitre.org/Campaign#">
      <rdf:Description rdf:about="http://cti.company.com/campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e">
        <rdf:type rdf:resource="http://stix.mitre.org/Campaign#Campaign"/>
        <rdfs:label>th3bug</rdfs:label>
        <stixc:id>campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e</stixc:id>
        <stixc:timestamp>2014-05-08T09:00:00Z</stixc:timestamp>
        <stixc:title>th3bug</stixc:title>
        <campaign:status rdf:datatype="http://stix.mitre.org/default_vocabularies-1#CampaignStatusVocab-1.0">Ongoing</campaign:status>
        <campaign:attribution rdf:resource="http://cti.company.com/threatactor-fb580b4d-b36d-415c-b711-d9997955f5c1"/>
        <stixc:relatedTTP rdf:resource="http://cti.company.com/ttp-34a3d511-e213-40d5-a932-fc4d836d455e"/>
        <stixc:relatedTTP rdf:resource="http://cti.company.com/ttp-2821af3c-0f2b-45b4-92f5-465ca7a51920"/>
        <stixc:relatedTTP rdf:resource="http://cti.company.com/ttp-862fd6e1-1711-4b70-8bec-1591f4baabc1"/>
      </rdf:Description>
    </rdf:RDF>

JSON-LD Objects
While this is NOT an exhaustive example, I believe it shows a concrete example of how this can be done using a sample directly from existing STIX 1.2. Assuming that there is significant interest, I can provide additional examples of other STIX components represented in these serialization formats.

NOTE: this is a bit of a dated example as I have since also added support for additional information about the relationship itself, which is just represented as any other data in an RDF/OWL serialization.

Hope this helps everyone better understand what is being discussed.

Regards,

Paul Patrick

From: <cti-users@lists.oasis-open.org> on behalf of Shawn Riley
Date: Wednesday, October 7, 2015 at 5:20 PM
To: "cti-users@lists.oasis-open.org"
Subject: Re: [cti-users] Towards a better understanding of JSON-LD (Was: MTI Binding)
Attachment:
campaign.rdf
Description: Binary data
Attachment:
campaign.html-classdiagram.png
Description: PNG image
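Added example (not the translator from the message above, and not part of the STIX project): a small stdlib-only Python translator that reads the STIX 1.2 Campaign snippet and emits the same ten triples the N-triple serialization shows, so the XML-to-ontology mapping can be reproduced offline. Assumptions: the STIX 1.x namespace URIs declared on the root element, the instance IRI base http://cti.company.com/ taken from the message, and a sample document constructed inline from the snippet. The only deliberate additions are two things a practitioner would want in such a translator: STIX ids are validated against the producer:type-uuid shape before they are spliced into IRIs (a stray space, `<` or `>` in an idref would otherwise corrupt the N-Triples line and any downstream triple store), and the timestamp is normalized to the form the message shows. For untrusted feeds, parse with defusedxml rather than xml.etree directly.

```python
"""Translate a STIX 1.2 Campaign element into RDF N-Triples (stdlib only, added example)."""
import re
import xml.etree.ElementTree as ET

# STIX 1.x namespaces; the snippet in the mail omits these declarations (assumed here)
STIX = "http://stix.mitre.org/stix-1"
CAMPAIGN = "http://stix.mitre.org/Campaign-1"
COMMON = "http://stix.mitre.org/common-1"
NS = {"stix": STIX, "campaign": CAMPAIGN, "stixCommon": COMMON}

# Ontology and vocabulary IRIs exactly as they appear in the N-triples serialization in the mail
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
RDFS_LABEL = "http://www.w3.org/2000/01/rdf-schema#label"
ONT_CAMPAIGN = "http://stix.mitre.org/Campaign#"
ONT_COMMON = "http://stix.mitre.org/stixCommon#"
STATUS_VOCAB = "http://stix.mitre.org/default_vocabularies-1#CampaignStatusVocab-1.0"
BASE = "http://cti.company.com/"  # instance IRI base used in the mail (assumed)

# Accept only "producer:type-uuid" ids so nothing unexpected is spliced into an IRI
ID_RE = re.compile(
    r"^[A-Za-z][A-Za-z0-9_.-]*:([a-z]+-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$"
)

# Constructed sample input, copied from the snippet in the mail with namespace declarations added
SAMPLE_XML = f"""<stix:Campaign xmlns:stix="{STIX}" xmlns:campaign="{CAMPAIGN}"
    xmlns:stixCommon="{COMMON}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    timestamp="2014-05-08T09:00:00.000000Z"
    id="fireeye:campaign-d02a1560-ff69-49f4-ac34-919b8aa4b91e" xsi:type="campaign:CampaignType">
  <campaign:Title>th3bug</campaign:Title>
  <campaign:Status>Ongoing</campaign:Status>
  <campaign:Related_TTPs>
    <campaign:Related_TTP><stixCommon:Relationship>Uses Malware</stixCommon:Relationship>
      <stixCommon:TTP idref="fireeye:ttp-34a3d511-e213-40d5-a932-fc4d836d455e"/></campaign:Related_TTP>
    <campaign:Related_TTP><stixCommon:Relationship>Uses Malware</stixCommon:Relationship>
      <stixCommon:TTP idref="fireeye:ttp-2821af3c-0f2b-45b4-92f5-465ca7a51920"/></campaign:Related_TTP>
    <campaign:Related_TTP><stixCommon:Relationship>Uses Malware</stixCommon:Relationship>
      <stixCommon:TTP idref="fireeye:ttp-862fd6e1-1711-4b70-8bec-1591f4baabc1"/></campaign:Related_TTP>
  </campaign:Related_TTPs>
  <campaign:Attribution><campaign:Attributed_Threat_Actor>
    <stixCommon:Threat_Actor idref="fireeye:threatactor-fb580b4d-b36d-415c-b711-d9997955f5c1"/>
  </campaign:Attributed_Threat_Actor></campaign:Attribution>
</stix:Campaign>"""


def local_id(stix_id):
    """Strip the producer prefix; reject ids that could smuggle characters into an IRI."""
    m = ID_RE.match(stix_id or "")
    if not m:
        raise ValueError(f"unexpected STIX id: {stix_id!r}")
    return m.group(1)


def instance_iri(stix_id):
    return BASE + local_id(stix_id)


def normalize_timestamp(ts):
    # "2014-05-08T09:00:00.000000Z" -> "2014-05-08T09:00:00Z", as in the mail's output
    return re.sub(r"\.\d+Z$", "Z", ts)


def nt_literal(value, datatype=None):
    """Quote a string as an N-Triples literal, escaping the characters the grammar requires."""
    esc = (value.replace("\\", "\\\\").replace('"', '\\"')
           .replace("\n", "\\n").replace("\r", "\\r"))
    return f'"{esc}"' + (f"^^<{datatype}>" if datatype else "")


def campaign_triples(xml_text):
    """Map one stix:Campaign element to (subject IRI, predicate IRI, N-Triples object) tuples."""
    root = ET.fromstring(xml_text)
    camp = root if root.tag == f"{{{STIX}}}Campaign" else root.find("stix:Campaign", NS)
    if camp is None:
        raise ValueError("no stix:Campaign element found")
    subj = instance_iri(camp.get("id"))
    triples = [(subj, RDF_TYPE, f"<{ONT_CAMPAIGN}Campaign>")]
    title = camp.findtext("campaign:Title", namespaces=NS)
    if title is not None:
        triples.append((subj, RDFS_LABEL, nt_literal(title)))
    triples.append((subj, ONT_COMMON + "id", nt_literal(local_id(camp.get("id")))))
    if camp.get("timestamp"):
        triples.append((subj, ONT_COMMON + "timestamp",
                        nt_literal(normalize_timestamp(camp.get("timestamp")))))
    if title is not None:
        triples.append((subj, ONT_COMMON + "title", nt_literal(title)))
    status = camp.findtext("campaign:Status", namespaces=NS)
    if status is not None:
        triples.append((subj, ONT_CAMPAIGN + "status", nt_literal(status, STATUS_VOCAB)))
    for actor in camp.findall(
            "campaign:Attribution/campaign:Attributed_Threat_Actor/stixCommon:Threat_Actor", NS):
        triples.append((subj, ONT_CAMPAIGN + "attribution", f"<{instance_iri(actor.get('idref'))}>"))
    for ttp in camp.findall("campaign:Related_TTPs/campaign:Related_TTP/stixCommon:TTP", NS):
        triples.append((subj, ONT_COMMON + "relatedTTP", f"<{instance_iri(ttp.get('idref'))}>"))
    return triples


def to_ntriples(triples):
    return "".join(f"<{s}> <{p}> {o} .\n" for s, p, o in triples)


if __name__ == "__main__":
    print(to_ntriples(campaign_triples(SAMPLE_XML)), end="")
```

Running the block prints the same ten N-Triples lines as the message's N-triple Format section. The id check is the one place a translator like this touches untrusted input directly: an idref is copied verbatim into an IRI, so it is validated, not escaped, and a document with a malformed id fails loudly rather than producing a syntactically broken or misleading triple.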