Subject: Re: [cti-users] RE: [EXT] RE: [cti-users] OWL representation of STIX 2


This Stratfor article from 4 days ago gives a good insight into the IC's analytic modernization efforts with OBP/ABI analysis methodologies.

https://worldview.stratfor.com/article/tools-intelligence-analysis-are-getting-smarter?

Quote from the story - "Chief among them is a methodology known as Activity-Based Intelligence (ABI). Across the U.S. intelligence community, analysts use ABI to collect, relate, collate, sift, analyze, understand and share vast amounts of complex information quickly and easily. "


Best, 
Shawn

On Tue, Oct 10, 2017 at 8:31 AM, Shawn Riley <shawn.p.riley@gmail.com> wrote:
Just a quick follow up to Ryan's comments. It's worth keeping in mind that OWL is a key enabling technology for the U.S. Intelligence Community's analytic modernization efforts over the past decade. The analytic modernization results and the increased collaboration between the IC and industry are among the reasons we are seeing vendors adopting OWL for additional types of intelligence like CTI.

OWL is a W3C knowledge representation language that enables the security data and threat intelligence feeds, sources, and analytic outputs to be organized into semantic knowledge graphs using the object-based production (OBP) methodology. OBP organizes the objects and automatically builds out the attributes (properties), associations (relationships), and activities into a knowledge graph which in turn enables the discovery of the 'unknown unknowns' using activity-based intelligence (ABI) tradecraft captured in AI-driven playbooks. 

OBP and ABI are related analysis methodologies that rapidly integrate data from multiple sources to discover relevant patterns, determine and identify change, and characterize those patterns to create decision advantage and drive the sensing, sense-making, decision-making, and acting in the cyber environment. Activity-Based Intelligence promotes a deductive approach to analytic reasoning and reduces the space of potential outcomes by eliminating the impossible. Deductive reasoning is used to validate a hypothesis and tells us why the evidence supports the claim.

The modeling of objects in STIX and extensions to other related cyber data sets can directly impact the follow-on analysis methodologies. Better to ask questions now while we're trying to code up STIX 2 and are discovering potential issues.

Best,
Shawn
On Mon, Oct 9, 2017 at 1:54 PM, Ryan Hohimer <rhohimer@champtc.com> wrote:

Hi Bret,

Sure, I can expand on some of the challenges I’m experiencing. It may be best to express up front that I want the OWL representation to support description logic reasoning (inferencing). This is a key motivation behind using a formal ontological language.
One of the first decision points that I am having to “shoehorn” into an OWL representation involves the Relationship Object construct. The OWL language is extremely expressive and has the ability to express the relationships between objects extremely well. We can express the nature of the relationships in formal propositional logic. Concepts relating to the predicate (relationship between objects) such as functional, inverse functional, transitive, symmetric, asymmetric, reflexive, and irreflexive can be made in the OWL modeling. This expressive capability is made more complex with the added constructs of the SROs.
Modeling a domain such as cybersecurity should go beyond taxonomic definitions. For instance (and this is just an example), the relationship between a Killchain and a Killchain Phase should go beyond just the fact that a Killchain Phase is part of a Killchain. This may not be the best example as the spec only defines a class for Killchain at present. But I want to express things such as the sequence of Killchain Phases. This allows for the inference that if a Sighting of an Indicator is indicative of activity in a Killchain Phase, then the Threat Actor must have met the requisite phases. This could then trigger Courses of Action to do the root cause analysis that would answer W5H.
Using W3C OWL standards for predicate expressiveness and conforming to the specification with regard to SROs means that we must represent this information in two ways. Translating between the two is lossy. If I want to share my logic via the STIX 2 model I have to do so with custom extensions.
A second area to consider is somewhat related. We have spent a good deal of corporate time and money learning about and adopting mature standards-based dictionaries and enumerations. For example Customer Information Quality (CIQ), Common Attack Patterns Enumerations and Classification (CAPEC), CVE, CCE, CWE, MAEC, CybOX, etc. There are logical relationships between all of these things. Since we as a community are using these concepts extensively in the course of protecting our enterprises, it is natural to want a modeling language that uses the same concepts. If included, we could use them to disambiguate, communicate, and share.
I’m a very strong believer in STIX 2 for sharing threat intelligence. But I’m struggling to bridge it to how we use cybersecurity language in formal reasoning systems.
Thanks,

Ryan E. Hohimer
Chief Technology Officer
CHAMPION Technology Company Inc.
1838-B Terminal Drive
Richland, WA 99354
(509) 940-1818 ext 102

This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system without copying it and notify sender by reply e-mail so our records can be corrected.
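Ryan's kill-chain inference above, worked through in code. This is an added illustration for the thread, not code from Ryan, DarkLight, FireEye or the STIX project, and it stands in a toy forward-chainer for an OWL reasoner. Everything beyond the STIX 2 field names is an assumption: the property names (`precedes`, `inPhase`, `sightingOf`, `reachedPhase`, and the inverses `indicatedBy` and `follows`), the fixed ordering of the Lockheed Martin kill chain phases, and the sample bundle, whose ids are constructed placeholders. It also shows the "two representations" point from Ryan's message: the mapping from an SRO to a bare predicate drops the SRO's own id and metadata, which is exactly where a round trip becomes lossy.

```python
import json
from collections import defaultdict

# Constructed sample input (not real intel): a STIX 2 style bundle with an
# indicator, a threat actor, an "indicates" relationship (SRO) and a sighting.
# The ids are placeholders in STIX id form.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed C2 beacon pattern",
         "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                                "phase_name": "command-and-control"}]},
        {"type": "threat-actor", "id": "threat-actor--00000000-0000-4000-8000-000000000003",
         "name": "Constructed Actor"},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000004",
         "relationship_type": "indicates",
         "source_ref": "indicator--00000000-0000-4000-8000-000000000002",
         "target_ref": "threat-actor--00000000-0000-4000-8000-000000000003"},
        {"type": "sighting", "id": "sighting--00000000-0000-4000-8000-000000000005",
         "sighting_of_ref": "indicator--00000000-0000-4000-8000-000000000002"},
    ],
})

# Assumed phase ordering for the Lockheed Martin kill chain. STIX 2 only carries
# the phase name on each object; the ordering, and the hypothetical "precedes"
# property that encodes it, is modelling added here.
KILL_CHAIN_ORDER = ["reconnaissance", "weaponization", "delivery", "exploitation",
                    "installation", "command-and-control", "actions-on-objectives"]

# OWL-style property characteristics (hypothetical property names).
TRANSITIVE = {"precedes"}
INVERSES = {"indicates": "indicatedBy", "precedes": "follows"}


def stix_to_triples(bundle_json):
    """Map the bundle to (subject, predicate, object) triples.
    Note the SRO collapses to a single predicate: its own id is lost."""
    bundle = json.loads(bundle_json)
    triples = set()
    for obj in bundle["objects"]:
        triples.add((obj["id"], "rdf:type", obj["type"]))
        if obj["type"] == "relationship":
            triples.add((obj["source_ref"], obj["relationship_type"], obj["target_ref"]))
        elif obj["type"] == "sighting":
            triples.add((obj["id"], "sightingOf", obj["sighting_of_ref"]))
        for kcp in obj.get("kill_chain_phases", []):
            triples.add((obj["id"], "inPhase", kcp["phase_name"]))
    for earlier, later in zip(KILL_CHAIN_ORDER, KILL_CHAIN_ORDER[1:]):
        triples.add((earlier, "precedes", later))
    return triples


def saturate(triples):
    """Forward-chain to a fixpoint: inverse and transitive properties plus two
    domain rules (sighting => actor reached phase; reached => reached all earlier)."""
    facts = set(triples)
    while True:
        new = set()
        by_pred = defaultdict(list)
        for s, p, o in facts:
            by_pred[p].append((s, o))
        for p, inv in INVERSES.items():                      # inverse properties
            for s, o in by_pred[p]:
                new.add((o, inv, s))
        for p in TRANSITIVE:                                 # transitive closure
            succ = defaultdict(set)
            for s, o in by_pred[p]:
                succ[s].add(o)
            for s, o in by_pred[p]:
                for o2 in succ.get(o, ()):
                    new.add((s, p, o2))
        # rule 1: s sightingOf i, i indicates a, i inPhase ph  =>  a reachedPhase ph
        phase_of, actors_of = defaultdict(set), defaultdict(set)
        for i, ph in by_pred["inPhase"]:
            phase_of[i].add(ph)
        for i, a in by_pred["indicates"]:
            actors_of[i].add(a)
        for _, i in by_pred["sightingOf"]:
            for a in actors_of.get(i, ()):
                for ph in phase_of.get(i, ()):
                    new.add((a, "reachedPhase", ph))
        # rule 2: a reachedPhase ph, earlier precedes ph  =>  a reachedPhase earlier
        preds = defaultdict(set)
        for earlier, later in by_pred["precedes"]:
            preds[later].add(earlier)
        for a, ph in by_pred["reachedPhase"]:
            for earlier in preds.get(ph, ()):
                new.add((a, "reachedPhase", earlier))
        if new <= facts:          # nothing new derived: fixpoint reached
            return facts
        facts |= new


def reached_phases(bundle_json, actor_id):
    """Kill-chain phases the actor must have passed through, in chain order."""
    facts = saturate(stix_to_triples(bundle_json))
    reached = {ph for a, p, ph in facts if a == actor_id and p == "reachedPhase"}
    return [ph for ph in KILL_CHAIN_ORDER if ph in reached]


if __name__ == "__main__":
    print(reached_phases(SAMPLE_BUNDLE, "threat-actor--00000000-0000-4000-8000-000000000003"))
```

A single sighting of an indicator tagged command-and-control yields the inference that the actor has already passed reconnaissance through installation, which is the kind of conclusion that could drive a root-cause course of action. In a real OWL model the same result comes from declaring `precedes` transitive and writing the two rules in SWRL or as property chains; the point of the toy is that the rules live in the ontology, not in the STIX objects, so they must travel as custom extensions if they are to be shared in STIX form.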
From: Bret Jordan [mailto:Bret_Jordan@symantec.com]
Sent: Monday, October 9, 2017 10:01 AM
To: Ryan Hohimer <rhohimer@champtc.com>; Paul Patrick <Paul.Patrick@FireEye.com>
Cc: cti-users@lists.oasis-open.org
Subject: Re: [EXT] RE: [cti-users] OWL representation of STIX 2
Hi Ryan!
Can you explain a bit more about the problems you are seeing / running in to?
Bret


From: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org> on behalf of Ryan Hohimer <rhohimer@champtc.com>
Sent: Thursday, October 5, 2017 6:00:28 PM
To: Paul Patrick
Cc: cti-users@lists.oasis-open.org
Subject: [EXT] RE: [cti-users] OWL representation of STIX 2
Paul,

I would very much like to talk with you about your experiences. As I mentioned, I’m authoring a STIX 2 OWL representation and have found multiple points where I may be making decisions that we may regret later.

For instance, I am twisted around the axle about how to represent observables. These have been first order objects in my previous modeling. Not modeling an Observable class seems problematic at best.

Additionally, I’d like to represent the relationships to other cyber classifications, enumerations, dictionaries, and non-cyber domain models in a smart fashion.
Thanks,

Ryan E. Hohimer
Chief Technology Officer
CHAMPION Technology Company Inc.
1838-B Terminal Drive
Richland, WA 99354
(509) 940-1818 ext 102
From: Paul Patrick [mailto:Paul.Patrick@FireEye.com]
Sent: Thursday, October 5, 2017 3:36 PM
To: Ryan Hohimer <rhohimer@champtc.com>
Cc: cti-users@lists.oasis-open.org
Subject: Re: [cti-users] OWL representation of STIX 2
Ryan,
We’ve been using OWL since before STIX 1 came out and have modeled STIX 1, CybOX, and MAEC 4.1. We’ve more recently updated our OWL model to be able to support STIX 2 as well as the MAEC 5 efforts.
We’d be happy to talk with you about our experiences.

Paul Patrick
Chief Architect, Global Services and Intelligence
FireEye Corp.
From: Ryan Hohimer <rhohimer@champtc.com>
Date: October 4, 2017 at 1:48:46 PM EDT
To: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: [cti-users] OWL representation of STIX 2

We are incorporating an OWL representation of STIX 2 into our DarkLight product. The current STIX specification and architecture are not as smooth a fit as I would like, but it is what it is. I have not seen nor heard of anyone working on an OWL representation effort.
We have the Knowledge Representation and Reasoning (KR&R) background to be comfortable in developing an OWL representation, but would prefer not to do so in a vacuum or in the dark. Is anyone else working on an OWL representation that would like to collaborate? We can do the “heavy lifting” as it is an integral part of our AI solution. Having the perspective of other pragmatic users would be welcomed. Obviously, our goal is to use the W3C formal ontological language to support semantic interoperability between knowledge-based solutions, decision automation, and smart orchestration.
v/r,

Ryan E. Hohimer
Chief Technology Officer
CHAMPION Technology Company Inc.
1838-B Terminal Drive
Richland, WA 99354
(509) 940-1818 ext 102
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.