cti-users message



Subject: RE: [EXT] RE: [cti-users] OWL representation of STIX 2


Hi Bret,

Sure, I can expand on some of the challenges I’m experiencing. It may be best to express up front that I want the OWL representation to support description logic reasoning (inferencing). This is a key motivation behind using a formal ontological language.

 

One of the first decision points that I am having to “shoehorn” into an OWL representation involves the Relationship Object construct. The OWL language is extremely expressive and has the ability to express the relationships between objects extremely well. We can express the nature of the relationships in formal predicate logic. Concepts relating to the predicate (relationship between objects) such as functional, inverse functional, transitive, symmetric, asymmetric, reflexive, and irreflexive can be made in the OWL modeling. This expressive capability is made more complex with the added constructs of the SROs.

 

Modeling a domain such as cybersecurity should go beyond taxonomic definitions. For instance (and this is just an example), the relationship between a Killchain and a Killchain Phase should go beyond just the fact that a Killchain Phase is part of a Killchain. This may not be the best example as the spec only defines a class for Killchain at present. But I want to express things such as the sequence of Killchain Phases. This allows for the inference that if a Sighting of an Indicator is indicative of activity in a Killchain Phase, then the Threat Actor must have met the requisite phases. This could then trigger Courses of Action to do the root cause analysis that would answer W5H.

 

Using W3C OWL standards for predicate expressiveness and conforming to the specification with regard to SROs means that we must represent this information in two ways. Translating between the two is lossy. If I want to share my logic via the STIX 2 model I have to do so with custom extensions.

 

A second area to consider is somewhat related. We have spent a good deal of corporate time and money learning about and adopting mature standards-based dictionaries and enumerations. For example Customer Information Quality (CIQ), Common Attack Patterns Enumerations and Classification (CAPEC), CVE, CCE, CWE, MAEC, CybOX, etc. There are logical relationships between all of these things. Since we as a community are using these concepts extensively in the course of protecting our enterprises, it is natural to want a modeling language that uses the same concepts. If included, we could use them to disambiguate, communicate, and share.

 

I’m a very strong believer in STIX 2 for sharing threat intelligence. But I’m struggling to bridge it to how we use cybersecurity language in formal reasoning systems.

 

Thanks,

Ryan E. Hohimer
Chief Technology Officer
CHAMPION Technology Company Inc.
1838-B Terminal Drive
Richland, WA 99354
(509) 940-1818 ext 102

This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system without copying it and notify sender by reply e-mail so our records can be corrected.

 
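The two-way representation problem described in the message above (OWL property characteristics on one side, STIX 2 SROs on the other, with a lossy translation between them) can be made concrete. The following is an added example written for this page; it is not code from the thread, from DarkLight, or from any STIX tooling. It maps a few constructed STIX 2 objects to subject/predicate/object triples, applies two OWL-style property characteristics (a transitive `precedes` property between kill-chain phases and its inverse `follows`) with a small forward-chaining loop, derives which phases a threat actor is presumed to have reached from a single sighting, and lists the SRO fields that a bare predicate cannot carry. The `precedes`, `follows`, `in_phase`, `sighting_of` and `reached_phase` predicates, the `x`-free phase IRIs, and the ordering of the Lockheed Martin phases are assumptions introduced here; STIX 2 names kill-chain phases but does not encode their sequence.

```python
"""Added example: STIX 2 objects -> triples -> OWL-style inference (not from the thread)."""
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]

# Ordered kill-chain phases. The order is an assumption added for this example;
# the STIX 2 spec only names phases, it does not state their sequence.
LM_CHAIN = "lockheed-martin-cyber-kill-chain"
LM_PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
             "installation", "command-and-control", "actions-on-objectives"]

# Constructed sample STIX 2 objects (shortened ids, not real intelligence).
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--a1", "created": "2017-10-05T18:00:00Z",
     "modified": "2017-10-05T18:00:00Z", "labels": ["malicious-activity"],
     "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
     "valid_from": "2017-10-05T18:00:00Z",
     "kill_chain_phases": [{"kill_chain_name": LM_CHAIN, "phase_name": "exploitation"}]},
    {"type": "threat-actor", "id": "threat-actor--b2", "name": "Example Actor",
     "labels": ["crime-syndicate"]},
    {"type": "relationship", "id": "relationship--c3", "relationship_type": "indicates",
     "source_ref": "indicator--a1", "target_ref": "threat-actor--b2",
     "created": "2017-10-05T18:00:00Z", "modified": "2017-10-05T18:00:00Z",
     "description": "Hash seen in actor tooling"},
    {"type": "sighting", "id": "sighting--d4", "sighting_of_ref": "indicator--a1",
     "count": 3, "first_seen": "2017-10-06T01:00:00Z"},
]

def phase_iri(chain: str, phase: str) -> str:
    return f"{chain}:{phase}"          # hypothetical IRI scheme for phase individuals

def stix_to_triples(objects) -> Tuple[Set[Triple], Dict[str, List[str]]]:
    """Map objects to triples. An SRO collapses to (source, type, target); every
    other SRO property is recorded as lost, which is the 'lossy' translation."""
    triples: Set[Triple] = set()
    dropped: Dict[str, List[str]] = {}
    for obj in objects:
        if obj["type"] == "relationship":
            triples.add((obj["source_ref"], obj["relationship_type"], obj["target_ref"]))
            kept = {"type", "source_ref", "relationship_type", "target_ref"}
            dropped[obj["id"]] = sorted(k for k in obj if k not in kept)
        elif obj["type"] == "sighting":
            triples.add((obj["id"], "sighting_of", obj["sighting_of_ref"]))
        for kcp in obj.get("kill_chain_phases", []):
            triples.add((obj["id"], "in_phase",
                         phase_iri(kcp["kill_chain_name"], kcp["phase_name"])))
    return triples, dropped

def kill_chain_axioms(chain: str, ordered: List[str]) -> Set[Triple]:
    """Assert 'precedes' only between adjacent phases; transitivity does the rest."""
    return {(phase_iri(chain, a), "precedes", phase_iri(chain, b))
            for a, b in zip(ordered, ordered[1:])}

# Rules: (body patterns, head). Strings starting with '?' are variables.
RULES = [
    # owl:TransitiveProperty on precedes
    ([("?a", "precedes", "?b"), ("?b", "precedes", "?c")], ("?a", "precedes", "?c")),
    # owl:inverseOf: follows is the inverse of precedes
    ([("?a", "precedes", "?b")], ("?b", "follows", "?a")),
    # Domain rule: a sighting of an indicator in phase P that indicates an actor
    ([("?s", "sighting_of", "?i"), ("?i", "indicates", "?actor"), ("?i", "in_phase", "?p")],
     ("?actor", "reached_phase", "?p")),
    # Requisite phases: anything that precedes a reached phase is presumed reached
    ([("?actor", "reached_phase", "?p"), ("?q", "precedes", "?p")],
     ("?actor", "reached_phase", "?q")),
]

def _match(pattern: Triple, triple: Triple, binding: Dict[str, str]):
    b = dict(binding)
    for pat, val in zip(pattern, triple):
        if pat.startswith("?"):
            if b.get(pat, val) != val:
                return None
            b[pat] = val
        elif pat != val:
            return None
    return b

def forward_chain(triples: Set[Triple], rules=RULES) -> Set[Triple]:
    """Naive fixpoint: apply every rule until no new triple appears."""
    kb = set(triples)
    changed = True
    while changed:
        changed = False
        for body, head in rules:
            bindings: List[Dict[str, str]] = [{}]
            for pattern in body:
                bindings = [nb for b in bindings for t in kb
                            if (nb := _match(pattern, t, b)) is not None]
            for b in bindings:
                new = tuple(b.get(x, x) for x in head)
                if new not in kb:
                    kb.add(new)
                    changed = True
    return kb

def phases_reached(objects, actor_id: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Phases the actor is inferred to have reached, in kill-chain order."""
    triples, dropped = stix_to_triples(objects)
    kb = forward_chain(triples | kill_chain_axioms(LM_CHAIN, LM_PHASES))
    hit = {o for s, p, o in kb if s == actor_id and p == "reached_phase"}
    return [ph for ph in LM_PHASES if phase_iri(LM_CHAIN, ph) in hit], dropped

if __name__ == "__main__":
    reached, lost = phases_reached(SAMPLE_OBJECTS, "threat-actor--b2")
    print("phases presumed reached:", reached)
    print("SRO properties lost in the bare triple:", lost)
```

The `dropped` map is the point of the example: once `relationship--c3` becomes the triple `(indicator--a1, indicates, threat-actor--b2)`, its `id`, `created`, `modified` and `description` have nowhere to live unless the predicate is reified, and reified statements are exactly where OWL property characteristics such as transitivity stop applying directly. Going the other way, the `precedes` axioms and the `reached_phase` inferences have no STIX 2 home without a custom extension, which is the gap the message describes.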

From: Bret Jordan [mailto:Bret_Jordan@symantec.com]
Sent: Monday, October 9, 2017 10:01 AM
To: Ryan Hohimer <rhohimer@champtc.com>; Paul Patrick <Paul.Patrick@FireEye.com>
Cc: cti-users@lists.oasis-open.org
Subject: Re: [EXT] RE: [cti-users] OWL representation of STIX 2

 

Hi Ryan!

 

Can you explain a bit more about the problems you are seeing / running in to?

 

Bret


From: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org> on behalf of Ryan Hohimer <rhohimer@champtc.com>
Sent: Thursday, October 5, 2017 6:00:28 PM
To: Paul Patrick
Cc: cti-users@lists.oasis-open.org
Subject: [EXT] RE: [cti-users] OWL representation of STIX 2

 

Paul,

I would very much like to talk with you about your experiences. As I mentioned, I’m authoring a STIX 2 OWL representation and have found multiple points where I may be making decisions that we may regret later.

For instance, I am twisted around the axle about how to represent observables. These have been first order objects in my previous modeling. Not modeling an Observable class seems problematic at best.

Additionally, I’d like to represent the relationships to other cyber classifications, enumerations, dictionaries, and non-cyber domain models in a smart fashion.

 

Thanks,

Ryan E. Hohimer
Chief Technology Officer
CHAMPION Technology Company Inc.
1838-B Terminal Drive
Richland, WA 99354
(509) 940-1818 ext 102


 

From: Paul Patrick [mailto:Paul.Patrick@FireEye.com]
Sent: Thursday, October 5, 2017 3:36 PM
To: Ryan Hohimer <rhohimer@champtc.com>
Cc: cti-users@lists.oasis-open.org
Subject: Re: [cti-users] OWL representation of STIX 2

 

Ryan,

 

We’ve been using OWL since before STIX 1 came out and have modeled STIX 1, CybOX, and MAEC 4.1. We’ve more recently updated our OWL model to be able to support STIX 2 as well as the MAEC 5 efforts.

 

We’d be happy to talk with you about our experiences.

 

 

Paul Patrick

Chief Architect, Global Services and Intelligence

FireEye Corp.

 

 

 

 

From: Ryan Hohimer <rhohimer@champtc.com>
Date: October 4, 2017 at 1:48:46 PM EDT
To: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: [cti-users] OWL representation of STIX 2

We are incorporating an OWL representation of STIX 2 into our DarkLight product. The current STIX specification and architecture are not as smooth a fit as I would like, but it is what it is. I have not seen nor heard of anyone working on an OWL representation effort.

 

We have the Knowledge Representation and Reasoning (KR&R) background to be comfortable in developing an OWL representation, but would prefer not to do so in a vacuum or in the dark. Is anyone else working on an OWL representation that would like to collaborate? We can do the “heavy lifting” as it is an integral part of our AI solution. Having the perspective of other pragmatic users would be welcomed. Obviously, our goal is to use the W3C formal ontological language to support semantic interoperability between knowledge-based solutions, decision automation, and smart orchestration.

 

v/r,

Ryan E. Hohimer
Chief Technology Officer
CHAMPION Technology Company Inc.
1838-B Terminal Drive
Richland, WA 99354
(509) 940-1818 ext 102


 

This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.


