├── CCE.owl
├── CVE.owl
├── CVSS.owl
├── Capec.owl
├── Cybox.owl
├── CyboxCommon.owl
├── DataMarking.owl
├── IDSOntologyv2.3.0.owl
├── Maec.owl
├── README.md
├── STIX.owl
├── STUCCO.owl
├── cyber-ontology
├── LICENSE.md
├── README.md
├── annotation
│ ├── content.rdf
│ ├── oa.rdf
│ └── skos.rdf
├── argos
│ ├── asset.rdf
│ ├── case.rdf
│ ├── editor_annotation.rdf
│ └── insider.rdf
├── capec
│ └── capec.rdf
├── cce
│ └── cce.rdf
├── ciq
│ ├── ciq_common.rdf
│ ├── ciq_currency.rdf
│ ├── ciq_xal.rdf
│ ├── ciq_xnl.rdf
│ └── ciq_xpil.rdf
├── cpe
│ └── cpe.rdf
├── cve
│ ├── catalog-v001.xml
│ ├── cve.rdf
│ ├── cvss.rdf
│ └── statement.rdf
├── cwe
│ ├── cwe.rdf
│ └── cwss.rdf
├── cybox
│ ├── account.rdf
│ ├── address.rdf
│ ├── api.rdf
│ ├── arp_cache.rdf
│ ├── artifact.rdf
│ ├── as.rdf
│ ├── code.rdf
│ ├── cybox_common.rdf
│ ├── cybox_core.rdf
│ ├── device.rdf
│ ├── disk.rdf
│ ├── dns.rdf
│ ├── domain_name.rdf
│ ├── email_message.rdf
│ ├── event.rdf
│ ├── event_log.rdf
│ ├── file.rdf
│ ├── gui.rdf
│ ├── hostname.rdf
│ ├── http_session.rdf
│ ├── library.rdf
│ ├── linux_package.rdf
│ ├── memory.rdf
│ ├── mutex.rdf
│ ├── network_connection.rdf
│ ├── network_packet.rdf
│ ├── network_protocol.rdf
│ ├── network_route.rdf
│ ├── network_socket.rdf
│ ├── network_subnet.rdf
│ ├── pipe.rdf
│ ├── port.rdf
│ ├── process.rdf
│ ├── product.rdf
│ ├── semaphore.rdf
│ ├── sms_message.rdf
│ ├── socket_address.rdf
│ ├── system.rdf
│ ├── thread.rdf
│ ├── uri.rdf
│ ├── url_history.rdf
│ ├── user_session.rdf
│ ├── volume.rdf
│ ├── whois.rdf
│ ├── windows_critical_section.rdf
│ ├── windows_filemapping.rdf
│ ├── windows_handle.rdf
│ ├── windows_hook.rdf
│ ├── windows_kernel.rdf
│ ├── windows_mailslot.rdf
│ ├── windows_network_share.rdf
│ ├── windows_prefetch.rdf
│ ├── windows_registry.rdf
│ ├── windows_system_restore.rdf
│ ├── windows_task.rdf
│ ├── windows_waitable_timer.rdf
│ └── x509_certificate.rdf
├── dc
│ ├── dcelements.rdf
│ ├── dcterms.rdf
│ └── dctype.rdf
├── geo
│ └── wgs84_pos.rdf
├── maec
│ ├── maec_bundle.rdf
│ ├── maec_common.rdf
│ ├── maec_container.rdf
│ ├── maec_package.rdf
│ └── metadatasharing.rdf
├── openioc
│ └── ioc.rdf
├── oval
│ ├── oval_common.rdf
│ ├── oval_definitions.rdf
│ └── oval_variables.rdf
├── provenance
│ └── prov-o.rdf
├── resources
│ ├── CybOX-Objects.txt
│ ├── Document Definition.txt
│ ├── TippingList.txt
│ └── fixture-vocabs.xlsx
├── scap
│ ├── patch.rdf
│ └── scap_core.rdf
├── stix
│ ├── campaign.rdf
│ ├── course_of_action.rdf
│ ├── exploit_target.rdf
│ ├── incident.rdf
│ ├── indicator.rdf
│ ├── markings.rdf
│ ├── report.rdf
│ ├── stix_common.rdf
│ ├── stix_core.rdf
│ ├── threat_actor.rdf
│ └── ttp.rdf
└── vocab
│ ├── sw_vocab-status.rdf
│ └── vocabulary_common.rdf
├── docs
├── AAAI_workshop_2016.pdf
├── BestPracticesPublishingLinkedData.pdf
├── BookChapter-CyberChapterKott.pdf
├── Catalogue of Cybersecurity Standards.pdf
├── DataonWebBestPractices.pdf
├── IDSOntologyv2.3.0.png
└── UCO_TR.pdf
├── killchain.owl
└── uco_2.owl
/CCE.owl:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | ]>
46 | #hasAssociatedTechnicalMechanism
47 | for any given configuration issue there may be one or more ways to implement the desired result
48 |
49 |
50 |
51 | #hasConceptualParameter
52 | parameters that would need to be specified in order to implement a CCE on a system
53 |
54 |
55 |
56 | #hasDescription
57 | a humanly understandable description of the configuration issue
58 |
59 |
60 |
61 | #hasReferences
62 | pointers to the specific sections of the documents or tools in which the configuration issue is described in detail
63 |
64 |
65 |
66 | #onPlatform
67 | A CCE "platform group" roughly identifies the operating system or application to which a CCE entry applies. CCE’s platform groups adhere to the same level of granularity commonly found in security configuration guidance that are written for individual platforms, as well as in the sets of checks and other features found in configuration audit and management tools. They are a set of high-level "buckets" that imply a particular CCE is "related to" the OS or application named by the platform group. These groups are meant for human interpretation, and are not definitive declarations of a CCE entry’s relation to a particular platform.
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
--------------------------------------------------------------------------------
/CVE.owl:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | ]>
--------------------------------------------------------------------------------
/DataMarking.owl:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | ]>
10 |
11 |
12 |
18 |
19 | STIX OWL Ontology
20 |
21 | Copyright (c) 2014 VIStology, Inc., http://www.vistology.com/, Framingham, MA, USA
22 |
23 | This file contains an OWL representation of information contained in the VIStology Knowledge Base. The content of this OWL file is licensed under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license whose text can be found at http://creativecommons.org/licenses/by-nc/4.0/legalcode. The content of this RDF/OWL file, including the VIStology Knowledgebase content it represents, constitutes the "Work" referred to in the Creative Commons license. The terms of this license equally apply to, without limitation, renamings and other logically equivalent reformulations of the content of this OWL file (or portions thereof) in any natural or formal language, as well as to derivations of this content or inclusion of it in other ontologies.
24 |
25 |
26 |
27 |
28 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 | MarkingType specifies a structure for marking information to be applied to portions of XML content.
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/Maec.owl:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
6 |
7 |
8 |
9 | ]>
10 |
11 |
12 |
18 |
19 | STIX OWL Ontology
20 |
21 | Copyright (c) 2014 VIStology, Inc., http://www.vistology.com/, Framingham, MA, USA
22 |
23 | This file contains an OWL representation of information contained in the VIStology Knowledge Base. The content of this OWL file is licensed under the Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license whose text can be found at http://creativecommons.org/licenses/by-nc/4.0/legalcode. The content of this RDF/OWL file, including the VIStology Knowledgebase content it represents, constitutes the "Work" referred to in the Creative Commons license. The terms of this license equally apply to, without limitation, renamings and other logically equivalent reformulations of the content of this OWL file (or portions thereof) in any natural or formal language, as well as to derivations of this content or inclusion of it in other ontologies.
24 |
25 |
26 |
27 |
28 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 | The BundleType complex type serves as the high-level construct which encapsulates all other MAEC elements.
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # UCO2
2 | Unified Cybersecurity Ontology v2.0
3 |
4 | The Unified Cybersecurity Ontology (UCO) is intended to support information integration and cyber situational awareness in cybersecurity systems. The ontology incorporates and integrates heterogeneous data and knowledge schemas from different cybersecurity systems and most commonly used cybersecurity standards for information sharing and exchange. The UCO ontology has also been mapped to a number of existing cybersecurity ontologies as well as concepts in the Linked Open Data cloud. Similar to DBpedia which serves as the core for general knowledge in Linked Open Data cloud, we envision UCO to serve as the core for cybersecurity domain, which would evolve and grow with the passage of time with additional cybersecurity data sets as they become available.
5 |
6 | If you use UCO or want to refer to it in a paper, please cite:
7 |
8 | > Zareen Syed, Ankur Padia, Tim Finin, Lisa Mathews and Anupam Joshi, UCO: Unified Cybersecurity Ontology, AAAI Workshop on Artificial Intelligence for Cyber Security, February 2016. http://ebiq.org/p/722
9 |
--------------------------------------------------------------------------------
/cyber-ontology/README.md:
--------------------------------------------------------------------------------
1 | # Cyber Intelligence Ontology
2 |
3 | 
Cyber is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
4 |
--------------------------------------------------------------------------------
/cyber-ontology/annotation/content.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 |
13 |
14 | Working Draft 29 April 2011
15 | Representing Content in RDF as defined by http://www.w3.org/TR/Content-in-RDF/
16 | Representing Content in RDF
17 |
18 |
19 |
20 |
21 |
22 | The XML content (can only be used for XML-wellformed content).
23 | XML content
24 |
25 |
26 |
27 |
28 | The document type declaration.
29 | Document type declaration
30 |
31 |
32 |
33 |
34 | The content.
35 | Content
36 |
37 |
38 |
39 |
40 | The base64 encoded content (can be used for binary content).
41 | Base64 content
42 |
43 |
44 |
45 |
46 | The text content (can be used for text content).
47 | Text content
48 |
49 |
50 |
51 |
52 |
53 | The document type name.
54 | Document type name
55 |
56 |
57 |
58 |
59 |
60 | The standalone declaration in the XML declaration.
61 | XML standalone document declaration
62 |
63 |
64 |
65 |
66 |
67 | The document type declaration.
68 | Document type declaration
69 |
70 |
71 |
72 |
73 | The character sequence of the text content.
74 | Character sequence
75 |
76 |
77 |
78 |
79 |
80 |
81 | The XML version declared in the XML declaration.
82 | XML version
83 |
84 |
85 |
86 |
87 |
88 | The internal document type definition subset within the document type declarations.
89 | Internal DTD subset
90 |
91 |
92 |
93 |
94 |
95 | The XML content following the document type declaration.
96 | XML rest
97 |
98 |
99 |
100 |
101 | The character encoding used to create a character sequence from a byte sequence or vice versa.
102 | Character encoding
103 |
104 |
105 |
106 |
107 |
108 |
109 | The document type declaration's public identifier.
110 | Public ID
111 |
112 |
113 |
114 |
115 |
116 | The XML content preceding the document type declaration.
117 | XML leading misc
118 |
119 |
120 |
121 |
122 |
123 | The Base64 encoded byte sequence of the content.
124 | Base64 encoded byte sequence
125 |
126 |
127 |
128 |
129 |
130 | The document type declaration's system identifier (typed: xsd:anyURI)
131 | System ID
132 |
133 |
134 |
135 |
136 |
137 | The character encoding declared in the XML declaration.
138 | XML character encoding
139 |
140 |
141 |
142 |
143 |
144 |
--------------------------------------------------------------------------------
/cyber-ontology/argos/asset.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 | ARGOS Asset Ontology
13 | Editor Annotation ontology defines a set of annotations that provide a graphical editor information about how to create corresponding IRI's for new instances created along with information that is used to control how properties appear in the editor.
14 |
15 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
16 | 1.0.0.0
18 |
19 |
20 |
21 |
22 | 1
24 |
25 |
26 |
27 |
28 |
29 | Characterizes a digital asset
30 | Asset
31 |
32 |
33 | 1
35 |
36 |
37 |
38 |
39 |
40 |
41 | argos
43 |
44 |
45 |
46 | 1
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 | 1
60 |
61 |
62 |
63 |
64 | 1
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | Specifies the location from where the asset was ingested
74 | argos
76 | Location URI
77 |
78 |
79 |
80 |
81 |
82 |
83 | Specifies a reference to the contents of the asset.
84 |
85 | Contents
86 | argos
88 |
89 |
90 |
91 | Specifies the parent of the assets.
92 |
93 |
94 | Parent Asset
95 | argos
97 |
98 |
99 |
100 | Specifies the date and time when the asset was collected
101 |
102 |
103 | Collection Timestamp
104 | argos
106 |
107 |
108 |
109 | Specifies the MIME type associated with the asset
110 | MIME Type
111 |
112 |
113 | argos
115 |
116 |
117 |
118 |
119 | Specifies the universally unique identifier associated with the asset
120 |
121 | UUID
122 | argos
124 |
125 |
126 |
127 |
128 |
129 |
--------------------------------------------------------------------------------
/cyber-ontology/argos/case.rdf:
--------------------------------------------------------------------------------
1 |
2 |
9 |
10 | ARGOS Case Ontology
11 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
12 | Created with TopBraid Composer
--------------------------------------------------------------------------------
/cyber-ontology/argos/insider.rdf:
--------------------------------------------------------------------------------
1 |
2 |
9 |
10 |
11 | ARGOS Insider Ontology
12 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
13 | Created with TopBraid Composer
15 |
16 |
17 |
18 |
19 |
20 | points to ciq:Persion?
--------------------------------------------------------------------------------
/cyber-ontology/ciq/ciq_common.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 | 1.0.0-001
14 | This ontology provides a vocabulary and representation of the OASIS Customer Information Quality (CIQ) Specification V3.0 commonly used types in the name, address, and party ontologies.
15 |
16 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
17 | OASIS Customer Information Quality (CIQ) Common Types Ontology
18 |
19 |
20 | Specifies date to which the data is valid. Could be end date, expiry date, validity end date, etc
21 | Date Valid To
22 |
23 |
24 |
25 |
26 | Ordinality
27 | Specifies the ordinality (e.g., 1,2, or 3) of this text line
28 |
29 |
30 | Specifies the date from which data is valid. Could be start date, issue date, validity start date, etc
31 | Date Valid From
32 |
33 |
34 |
35 | Specifies a line of text
36 | Text Line
37 |
38 |
39 |
40 | Specifies values to indicate the level of reliability of the data
41 | Data Quality Type
42 |
43 |
44 |
45 | Valid
47 |
48 | Invalid
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 | Status
58 | Specifies the status of the entity. e.g. Old, Current, Inactive, Active, etc
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 | Active
68 |
69 | Inactive
71 |
72 | Current
74 |
75 | Old
77 |
78 |
79 |
80 |
81 |
82 | Specifies the language used (name of human language, e.g. en, en-US)
83 | Language Code
84 |
85 |
86 |
87 | true
89 | Specifies the identifier associated with an object's parent
90 |
91 | Parent Id
92 |
93 |
94 |
95 |
96 | Valid From
97 | Specifies the date the data quality is valid from
98 |
99 |
100 |
101 | Valid To
102 | Specifies the date the data quality is valid to
103 |
104 |
105 | Specifies that the entry has been abbreviated
106 | Abbreviation
107 |
108 |
109 |
110 |
111 | Specifies a globally unique identifier for this definition
112 | Globally Unique Identifier
113 |
114 |
115 |
116 |
117 |
--------------------------------------------------------------------------------
/cyber-ontology/ciq/ciq_currency.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 | 1.0.0-000
13 |
14 | This ontology provides a vocabulary and representation of the OASIS Customer Information Quality (CIQ) eXtensible Currency Language.
15 |
16 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
17 | OASIS Customer Information Quality (CIQ) eXtensible Currency Language (xCL) Ontology
18 |
19 |
20 |
21 | Currency
22 |
23 |
24 |
25 |
26 |
27 | 1
29 |
30 |
31 | Characterizes currency
32 |
33 |
34 | 1
36 |
37 |
38 |
39 |
40 |
41 |
42 | ciq
44 |
45 |
46 | 1
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 | 1
62 |
63 |
64 |
65 |
66 |
67 | 1
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 | ciq
79 |
80 | iso numeric currency code
81 |
82 | Specifies the three-digit numeric code per ISO 4217.
83 |
84 |
85 | Currency Name
86 |
87 | Specifies the name of the currency
88 |
89 |
90 | ciq
92 |
93 |
94 | Currency Symbol Codes
95 | ciq
97 |
98 |
99 |
100 | Specifies the currency symbol as a sequence of one or more comma-separated unicode hex values
101 |
102 |
103 | ISO 4217 Currency Code
104 |
105 |
106 |
107 | ciq
109 | Specifies the 3-character currency code per ISO 4217
110 |
111 |
112 |
113 | Specifies the symbol associated with the currency
114 | currency symbol
115 | ciq
117 |
118 |
119 |
120 |
121 |
122 |
123 |
--------------------------------------------------------------------------------
/cyber-ontology/cve/catalog-v001.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/cyber-ontology/cybox/api.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 |
13 | Cyber Observable eXpression (CybOX) API Ontology
14 | This ontology provides a vocabulary and representation of an API for the Cyber Observable eXpression (CybOX).
15 |
16 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
17 |
18 | The ontology is based on the Cybox API object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
19 |
20 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
21 | 2.1.0-000
23 |
24 |
25 |
26 |
27 | 1
29 |
30 |
31 |
32 | cybox
34 |
35 |
36 | 1
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 | 1
48 |
49 |
50 | Characterize a specific Application Programming Interface.
51 |
52 |
53 | 1
55 |
56 |
57 |
58 |
59 |
60 | 1
62 |
63 |
64 |
65 |
66 |
67 | 1
69 |
70 |
71 |
72 |
73 |
74 |
75 | 1
77 |
78 |
79 |
80 |
81 |
82 | 1
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 | 1
93 |
94 |
95 |
96 |
97 |
98 | http://www.daedafusion.com/${id}
100 | API
101 |
102 |
103 |
104 | 1
106 |
107 |
108 |
109 |
110 |
111 |
112 |
113 | cybox
115 | Specifies any name/value pairs of the parameters passed into the API call.
116 | Parameters
117 |
118 |
119 |
120 |
121 |
122 | Specifies the normalized name of the API function called, e.g. CreateFile.
123 |
124 |
125 | Normalized Function Name
126 |
127 | cybox
129 |
130 |
131 | cybox
133 |
134 | return value
135 |
136 |
137 | Specifies the return value of the API call.
138 |
139 |
140 | Function Name
141 |
142 | Specifies the exact name of the API function called, e.g. CreateFileEx.
143 |
144 |
145 | cybox
147 |
148 |
149 | Specifies the address of the API call in the binary.
150 |
151 |
152 |
153 | cybox
155 | Address
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/arp_cache.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 |
13 |
14 |
15 | Cyber Observable eXpression (CybOX) ARP Cache Ontology
16 | 2.1.0-000
18 | This ontology provides a vocabulary and representation of an ARP Cache for the Cyber Observable eXpression (CybOX).
19 |
20 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
21 |
22 | The ontology is based on the CybOX ARP Cache object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
23 |
24 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
25 |
26 |
27 | cybox
29 | http://www.daedafusion.com/${id}
31 |
32 |
33 | 1
35 |
36 |
37 |
38 |
39 |
40 | 1
42 |
43 |
44 |
45 |
46 |
47 | 1
49 |
50 |
51 |
52 |
53 |
54 | 1
56 |
57 |
58 |
59 |
60 |
61 | 1
63 |
64 |
65 |
66 | ARPCache
67 |
68 |
69 | 1
71 |
72 |
73 |
74 |
75 |
76 | 1
78 |
79 |
80 |
81 | Characterize entries in a system's address resolution protocol (ARP) cache.
82 |
83 |
84 |
85 |
86 | ARPCache Entry
87 |
88 |
89 |
90 | 1
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 | 1
101 |
102 |
103 |
104 |
105 |
106 |
107 | cybox
109 |
110 |
111 | 1
113 |
114 |
115 |
116 |
117 |
118 | Characterize an ARP Cache Entry.
119 |
120 |
121 | 1
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 | Specifies the network interface to which the ARP cache entry belongs.
131 |
132 |
133 |
134 | cybox
136 | Network Interface
137 |
138 |
139 |
140 | Specifies the physical (e.g. MAC-48) address that is mapped to the IP address in the ARP cache entry.
141 |
142 | cybox
144 | Physical Address
145 |
146 |
147 |
148 |
149 | Specifies one or more address resolution protocol (ARP) cache entries.
150 |
151 |
152 | cybox
154 | ARP Cache Entries
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 | Specifies the IP address that is mapped to the physical address in the ARP cache entry.
166 |
167 |
168 | cybox
170 | IP Address
171 |
172 |
173 | http://www.daedafusion.com/default_vocabularies-1#ARPCacheEntryTypeVocab
175 | http://www.daedafusion.com/default_vocabularies-1#ARPCacheEntryTypeVocab-1.0
177 | Specifies the type of ARP cache entry, which typically refers to the way the entry was added to the cache.
178 |
179 |
180 |
181 | cybox
183 | ARP Cache Entry Type
184 |
185 |
186 |
187 |
188 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/as.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 | Cyber Observable eXpression (CybOX) Autonomous System Ontology
12 | This ontology provides a vocabulary and representation of an Autonomous System (AS) for the Cyber Observable eXpression (CybOX).
13 |
14 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
15 |
16 | The ontology is based on the Cybox Autonomous System object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
17 |
18 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
19 | 2.1.0-000
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 | 1
30 |
31 |
32 | cybox
34 |
35 |
36 |
37 | 1
39 |
40 |
41 |
42 |
43 |
44 | 1
46 |
47 |
48 |
49 |
50 |
51 | 1
53 |
54 |
55 | http://www.daedafusion.com/${id}
57 |
58 |
59 |
60 |
61 |
62 | 1
64 |
65 |
66 | Autonomous system
67 |
68 |
69 |
70 | 1
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 | 1
81 |
82 |
83 |
84 |
85 |
86 | 1
88 |
89 |
90 | Characterize an autonomous system (AS).
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 | 1
100 |
101 |
102 |
103 |
104 |
105 | 1
107 |
108 |
109 |
110 |
111 | 1
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 | cybox
125 |
126 | Specifies the number assigned to the autonomous system (AS).
127 |
128 | Such assignments are typically performed by a regional internet registry (RIR).
129 |
130 | Number
131 |
132 |
133 | Handle
134 | cybox
136 |
137 |
138 |
139 | Specifies the handle for the autonomous system (AS), which is typically the AS number prepended with the string 'AS'.
140 |
141 |
142 |
143 | cybox
145 | Name
146 |
147 |
148 | Specifies the name of the autonomous system (AS).
149 |
150 |
151 |
152 |
153 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/device.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 | 1.0.0-000
13 | Cyber Observable eXpression (CybOX) Device Ontology
14 | This ontology provides a vocabulary and representation of a Device for the Cyber Observable eXpression (CybOX).
15 |
16 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
17 |
18 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
19 |
20 |
21 |
22 |
23 |
24 | ${manufacturerName} {$model}
26 | Device
27 | cybox
29 |
30 |
31 | 1
33 |
34 |
35 |
36 |
37 |
38 | Characterize a specific Device.
39 |
40 |
41 | 1
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 | 1
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 | 1
61 |
62 |
63 |
64 |
65 |
66 | http://www.daedafusion.com/${id}
68 |
69 |
70 | 1
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 | 1
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 | 1
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 | 1
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 | cybox
110 |
111 |
112 | System Details
113 | Specifies the details of the system that may be present on the device. {@en-US}
114 |
115 |
116 |
117 |
118 | cybox
120 | Specifies the manufacturer of the device.
121 | Manufacturer
122 |
123 |
124 |
125 |
126 | cybox
128 |
129 |
130 | Specifies the version of the firmware running on the device.
131 |
132 | Firmware Version
133 |
134 |
135 | cybox
137 |
138 |
139 | Specifies the serial number of the Device.
140 |
141 | Serial Number
142 |
143 |
144 | cybox
146 |
147 | Specifies the type of the device.
148 |
149 | Device Type
150 |
151 |
152 |
153 | cybox
155 |
156 |
157 | Specifies a brief description of the Device.
158 |
159 | Description
160 |
161 |
162 | cybox
164 |
165 |
166 | Specifies the model identifier of the device.
167 |
168 | Model
169 |
170 |
171 | cybox
173 |
174 |
175 | Specifies the name of the manufacturer of the device.
176 |
177 | Manufacturer Name
178 |
179 |
180 |
181 |
182 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/domain_name.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 |
13 | Cyber Observable eXpression (CybOX) Domain Address Ontology
14 | This ontology provides a vocabulary and representation of a Domain Address for the Cyber Observable eXpression (CybOX).
15 |
16 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
17 |
18 | The ontology is based on the Cybox Domain Address object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
19 |
20 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
21 | 2.1.0-000
23 |
24 |
25 | http://www.daedafusion.com/${id}
27 |
28 |
29 | 1
31 |
32 |
33 |
34 |
35 |
36 | Characterize network domain names.
37 |
38 |
39 | 1
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 | 1
50 |
51 |
52 |
53 |
54 | cybox
56 |
57 |
58 |
59 | 1
61 |
62 |
63 |
64 |
65 |
66 | 1
68 |
69 |
70 |
71 | Domain Name
72 |
73 |
74 | 1
76 |
77 |
78 |
79 |
80 |
81 | 1
83 |
84 |
85 |
86 |
87 |
88 | 1
90 |
91 |
92 |
93 |
94 |
95 | 1
97 |
98 |
99 |
100 |
101 |
102 | Specifies the value of the Domain name.
103 |
104 |
105 | Value
106 | cybox
108 |
109 |
110 |
111 | http://www.daedafusion.com/default_vocabularies-1#DomainNameTypeVocab
113 | Specifies the type of Domain Name that is being defined.
114 | Type
115 |
116 |
117 |
118 | cybox
120 | http://www.daedafusion.com/default_vocabularies-1#DomainNameTypeVocab-1.0
122 |
123 |
124 |
125 |
126 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/event.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 | Cyber Observable eXpression (CybOX) Event Ontology
12 | This ontology provides a vocabulary and representation of an Event for the Cyber Observable eXpression (CybOX).
13 |
14 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
15 |
16 | The ontology is based on the CybOX Windows Event object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
17 |
18 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
19 | 2.1.0-000
21 |
22 |
23 |
24 |
25 |
26 | ${eventType} ${eventName}
28 |
29 |
30 |
31 | 1
33 |
34 |
35 |
36 |
37 |
38 | 1
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 | 1
50 |
51 |
52 | cybox
54 | http://www.daedafusion.com/${@hash(${eventType}${eventName})}
56 |
57 |
58 | 1
60 |
61 |
62 |
63 |
64 |
65 | 1
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | 1
77 |
78 |
79 | Windows event
80 | Characterizes a Windows Event
81 |
82 |
83 |
84 |
85 |
86 | 1
88 |
89 |
90 |
91 |
92 | 1
94 |
95 |
96 |
97 |
98 |
99 | 1
101 |
102 |
103 |
104 |
105 |
106 | 1
108 |
109 |
110 |
111 |
112 |
113 |
114 | cybox
116 | Handle
117 | Specifies the handle to the Windows event object.
118 |
119 |
120 |
121 |
122 |
123 | cybox
125 | Specifies the name of the Windows event object.
126 |
127 | Event Name
128 |
129 |
130 |
131 |
132 | http://www.daedafusion.com/default_vocabularies-1#WinEventTypeVocab
134 | cybox
136 | Event Type
137 |
138 | http://www.daedafusion.com/default_vocabularies-1#WinEventTypeVocab-1.0
140 |
141 | Specifies the type of the Windows event.
142 |
143 |
144 |
145 |
146 |
147 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/hostname.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 | Cyber Observable eXpression (CybOX) Hostname Ontology
13 |
14 | This ontology provides a vocabulary and representation of a Hostname for the Cyber Observable eXpression (CybOX).
15 |
16 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
17 |
18 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
19 | 1.0.0-000
21 |
22 |
23 |
24 |
25 | 1
27 |
28 |
29 |
30 |
31 |
32 | 1
34 |
35 |
36 |
37 |
38 |
39 | 1
41 |
42 |
43 |
44 | Hostname
45 |
46 |
47 | 1
49 |
50 |
51 |
52 |
53 |
54 | 1
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 | 1
66 |
67 |
68 |
69 |
70 | 1
72 |
73 |
74 |
75 | http://www.daedafusion.com/${id}
77 |
78 |
79 |
80 |
81 | 1
83 |
84 |
85 | Characterizes a particular network hostname.
86 |
87 |
88 |
89 | 1
91 |
92 |
93 |
94 |
95 |
96 | ${hostname}
98 | cybox
100 |
101 |
102 | cybox
104 |
105 |
106 | Hostname
107 | Specifies the actual value of the Hostname.
108 |
109 |
110 |
111 | cybox
113 |
114 |
115 | Specifies a relevant Naming System for the Hostname (e.g. DNS, NIS, NetBIOS).
116 |
117 | Naming System
118 |
119 |
120 | cybox
122 |
123 |
124 | Specifies if this is also a valid domain name.
125 | Is Also Domain Name
126 |
127 |
128 |
129 |
130 |
131 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/network_packet.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 |
13 |
14 | Cyber Observable eXpression (CybOX) Network Packet Ontology
15 | This ontology provides a vocabulary and representation of a Network Packet for the Cyber Observable eXpression (CybOX).
16 |
17 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
18 |
19 | The ontology is based on the CybOX Network Packet object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
20 |
21 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
22 | 2.1.0-000
24 |
25 |
26 | Characterizes a Network Packet
27 | Network packet
28 | ${id}
30 |
31 |
32 | 1
34 |
35 |
36 |
37 |
38 |
39 | 1
41 |
42 |
43 |
44 |
45 |
46 | 1
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 | 1
57 |
58 |
59 |
60 | http://www.daedafusion.com/object-${id}
62 | cybox
64 |
65 |
66 | 1
68 |
69 |
70 |
71 |
72 |
73 | 1
75 |
76 |
77 |
78 |
79 |
80 | 1
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/network_subnet.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 | 2.1.0-000
13 | This ontology provides a vocabulary and representation of a Network Subnet for the Cyber Observable eXpression (CybOX).
14 |
15 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
16 |
17 | The ontology is based on the CybOX Network Subnet object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
18 |
19 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
20 | Cyber Observable eXpression (CybOX) Network Subnet Ontology
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 | 1
33 |
34 |
35 | http://www.daedafusion.com/${id}
37 |
38 |
39 |
40 | 1
42 |
43 |
44 |
45 |
46 |
47 | 1
49 |
50 |
51 |
52 |
53 |
54 | 1
56 |
57 |
58 |
59 |
60 |
61 | 1
63 |
64 |
65 |
66 |
67 |
68 | 1
70 |
71 |
72 |
73 | Characterize a generic system network subnet.
74 |
75 |
76 |
77 |
78 | 1
80 |
81 |
82 |
83 |
84 |
85 | 1
87 |
88 |
89 | cybox
91 |
92 |
93 | 1
95 |
96 |
97 |
98 |
99 |
100 | Network Subnet
101 |
102 |
103 | Routes
104 | cybox
106 |
107 |
108 |
109 | Specifies a set of network routes.
110 |
111 |
112 | Subnet Name
113 |
114 |
115 | cybox
117 | Specifies a name for the network subnet.
118 |
119 |
120 |
121 |
122 | cybox
124 |
125 |
126 | Number of IP Addresses
127 | Specifies the number of valid IP addresses within the scope of the network subnet.
128 |
129 |
130 |
131 |
132 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/port.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 |
13 | This ontology provides a vocabulary and representation of a Port for the Cyber Observable eXpression (CybOX).
14 |
15 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
16 |
17 | The ontology is based on the CybOX Port object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
18 |
19 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
20 | 2.1.0-000
22 | Cyber Observable eXpression (CybOX) Port Ontology
23 |
24 |
25 |
26 | Characterize networking ports.
27 | http://www.daedafusion.com/${@hash(${portNumber})}
29 |
30 |
31 | 1
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 | 1
43 |
44 |
45 |
46 |
47 | 1
49 |
50 |
51 |
52 |
53 |
54 |
55 | 1
57 |
58 |
59 |
60 |
61 |
62 | 1
64 |
65 |
66 |
67 |
68 |
69 |
70 | 1
72 |
73 |
74 |
75 |
76 |
77 | 1
79 |
80 |
81 |
82 |
83 |
84 | 1
86 |
87 |
88 |
89 |
90 |
91 | Port ${portNumber}
93 | Port
94 | cybox
96 |
97 |
98 | cybox
100 | Specifies the Protocol associated with the port.
101 |
102 | Related Protocol
103 |
104 |
105 |
106 |
107 | Registered
108 |
109 | cybox
111 |
112 |
113 | Specifies whether the port is registered in the IANA Service Name and Transport Protocol Port Number Registry.
114 |
115 | Refer to http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml for more information.
116 |
117 |
118 | Specifies the actual value of the port.
119 |
120 |
121 | cybox
123 |
124 | Port Number
125 |
126 |
127 |
128 |
129 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/socket_address.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 |
13 | This ontology provides a vocabulary and representation of a Socket Address for the Cyber Observable eXpression (CybOX).
14 |
15 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
16 |
17 | The ontology is based on the CybOX Socket Address object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
18 |
19 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
20 |
21 | Cyber Observable eXpression (CybOX) Socket Address Ontology
22 |
23 | 2.1.0-000
25 |
26 |
27 |
28 |
29 |
30 |
31 | 1
33 |
34 |
35 |
36 |
37 |
38 | 1
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 | 1
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 | 1
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 | 1
69 |
70 |
71 |
72 | cybox
74 |
75 |
76 | 1
78 |
79 |
80 |
81 |
82 |
83 | 1
85 |
86 |
87 |
88 | http://www.daedafusion.com/${@hash(${ipAddress#addressValue}||${hostname#hostname}${port#portNumber})}
90 |
91 |
92 | 1
94 |
95 |
96 |
97 |
98 |
99 | 1
101 |
102 |
103 |
104 | ${ipAddress#addressValue||hostname#hostname}:${port#portNumber}
106 | Characterizes an identifier for a network host (IP address or Hostname) and port number pair.
107 | Socket Address
108 |
109 |
110 | 1
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 | Specifies the IP address component of the socket address.
126 |
127 | IP Address
128 | cybox
130 |
131 |
132 |
133 | Specifies the port number component of the socket connection.
134 |
135 |
136 | Port
137 | cybox
139 |
140 |
141 |
142 | Specifies a Hostname for the socket address.
143 | Hostname
144 |
145 |
146 | cybox
148 |
149 |
150 |
151 |
152 |
153 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/user_session.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 | This ontology provides a vocabulary and representation of a User Session for the Cyber Observable eXpression (CybOX).
12 |
13 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
14 |
15 | The ontology is based on the CybOX User Session object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
16 |
17 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
18 | 2.1.0-000
20 | Cyber Observable eXpression (CybOX) User Session Ontology {@en-US}Cyber Observable eXpression (CybOX) Account Ontology
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 | 1
30 |
31 |
32 |
33 |
34 |
35 | 1
37 |
38 |
39 | http://www.daedafusion.com/${@hash(${$loginTime}${logoutTime})}
41 |
42 |
43 |
44 |
45 |
46 | 1
48 |
49 |
50 |
51 |
52 |
53 | 1
55 |
56 |
57 | User Session
58 |
59 |
60 |
61 |
62 |
63 | 1
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | 1
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 | 1
84 |
85 |
86 | cybox
88 |
89 |
90 |
91 | 1
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 | 1
102 |
103 |
104 | Characterize user sessions.
105 |
106 |
107 |
108 |
109 | 1
111 |
112 |
113 |
114 |
115 |
116 |
117 |
118 | 1
120 |
121 |
122 | ${loginTime} - ${logoutTime}
124 |
125 |
126 |
127 | 1
129 |
130 |
131 |
132 |
133 |
134 | 1
136 |
137 |
138 |
139 |
140 | Effective Group ID
141 | cybox
143 |
144 |
145 |
146 | Specifies the effective group ID of the group used in the user session.
147 |
148 |
149 | Effective User ID
150 | cybox
152 |
153 |
154 |
155 | Specifies the effective user ID of the user used in the user session.
156 |
157 |
158 | Effective Group
159 | cybox
161 |
162 |
163 | Specifies the name of the effective group used in the user session.
164 |
165 |
166 |
167 | Specifies the date/time of the logout for the user session.
168 |
169 |
170 |
171 | cybox
173 | Logout Time
174 |
175 |
176 | Specifies the date/time of the login for the user session.
177 |
178 |
179 |
180 | cybox
182 | Login Time
183 |
184 |
185 | Effective User
186 | cybox
188 |
189 |
190 |
191 | Specifies the effective username used in the user session.
192 |
193 |
194 |
195 |
196 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/windows_critical_section.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 |
13 | Cyber Observable eXpression (CybOX) Windows Critical Section Ontology
14 | This ontology provides a vocabulary and representation of a Windows Critical Section for the Cyber Observable eXpression (CybOX).
15 |
16 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
17 |
18 | The ontology is based on the CybOX Windows Critical Section object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
19 |
20 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
21 | 2.1.0-000
23 |
24 |
25 |
26 |
27 | 1
29 |
30 |
31 |
32 |
33 |
34 | 1
36 |
37 |
38 |
39 |
40 |
41 | 1
43 |
44 |
45 |
46 |
47 |
48 | 1
50 |
51 |
52 |
53 |
54 |
55 | 1
57 |
58 |
59 |
60 | ${address} : ${spinCount}
62 |
63 |
64 | 1
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | 1
75 |
76 |
77 |
78 |
79 |
80 | Windows Critical Section
81 | http://www.daedafusion.com/${@hash(${address})}
83 |
84 |
85 | 1
87 |
88 |
89 |
90 |
91 |
92 |
93 | 1
95 |
96 |
97 |
98 | Characterizes a Windows Critical Section
99 | cybox
101 |
102 |
103 |
104 | Specifies the address of the code that created the critical section object.
105 | Address
106 |
107 |
108 | cybox
110 |
111 |
112 |
113 | Spin Count
114 |
115 |
116 |
117 | cybox
119 | Specifies the spin count value for the critical section object.
120 |
121 |
122 |
123 |
124 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/windows_mailslot.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 |
13 |
14 | Cyber Observable eXpression (CybOX) Windows Mailslot Ontology
15 | This ontology provides a vocabulary and representation of a Windows Mailslot for the Cyber Observable eXpression (CybOX).
16 |
17 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
18 |
19 | The ontology is based on the CybOX Windows Mailslot object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
20 |
21 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
22 | 2.1.0-000
24 |
25 |
26 | http://www.daedafusion.com/${@hash($(mailslotName))}
28 | ${mailslotName}
30 |
31 |
32 | 1
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 | 1
43 |
44 |
45 |
46 |
47 |
48 | 1
50 |
51 |
52 |
53 |
54 |
55 | Windows Mailslot
56 | cybox
58 |
59 |
60 | 1
62 |
63 |
64 |
65 |
66 |
67 | 1
69 |
70 |
71 |
72 |
73 |
74 | 1
76 |
77 |
78 |
79 |
80 |
81 | 1
83 |
84 |
85 |
86 |
87 | Characterize Windows mailslot objects.
88 |
89 |
90 | 1
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 | 1
102 |
103 |
104 |
105 |
106 |
107 | 1
109 |
110 |
111 |
112 |
113 |
114 |
115 |
116 | 1
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 | 1
127 |
128 |
129 |
130 |
131 |
132 | Specifies the open Windows handle to the mailslot.
133 |
134 |
135 |
136 | cybox
138 | Handle
139 |
140 |
141 | Specifies the amount of time, in milliseconds, a read operation can wait for a message to be written to the mailslot before a time-out occurs.
142 |
143 |
144 |
145 | cybox
147 | Read Timeout
148 |
149 |
150 | Specifies the Windows security attributes for the mailslot.
151 |
152 |
153 |
154 | cybox
156 | Security Attributes
157 |
158 |
159 | Specifies the name of the mailslot.
160 |
161 |
162 |
163 | cybox
165 | Name
166 |
167 |
168 | Specifies the maximum message size for the mailslot, in bytes.
169 |
170 |
171 |
172 | cybox
174 | Max Message Size
175 |
176 |
177 |
178 |
179 |
--------------------------------------------------------------------------------
/cyber-ontology/cybox/windows_waitable_timer.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 | 2.1.0-000
13 | This ontology provides a vocabulary and representation of a Windows Waitable Timer for the Cyber Observable eXpression (CybOX).
14 |
15 | CybOX provides a common mechanism (structure and content) to convey the full range of potential cyber observable information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
16 |
17 | The ontology is based on the CybOX Windows Waitable Timer object schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
18 |
19 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
20 | Cyber Observable eXpression (CybOX) Windows Waitable Timer Ontology
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 | 1
31 |
32 |
33 | ${waitableTimerName} (${waitableTimerType})
35 |
36 |
37 |
38 |
39 |
40 | 1
42 |
43 |
44 |
45 | Windows Waitable Timer
46 |
47 | cybox
49 | Characterize Windows waitable timer (synchronization) objects.
50 |
51 |
52 |
53 |
54 |
55 | 1
57 |
58 |
59 | http://www.daedafusion.com/${@hash(${waitableTimerName}${waitableTimerType})}
61 |
62 |
63 |
64 | 1
66 |
67 |
68 |
69 |
70 |
71 | 1
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 | 1
82 |
83 |
84 |
85 |
86 |
87 | 1
89 |
90 |
91 |
92 |
93 |
94 | 1
96 |
97 |
98 |
99 |
100 |
101 | 1
103 |
104 |
105 |
106 |
107 |
108 | 1
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 | 1
119 |
120 |
121 |
122 |
123 | <http://cybox.mitre.org/objects/WindowsWaitableTimer>
125 | cybox
127 | Handle
128 |
129 |
130 | Specifies the handle to the Windows waitable timer object.
131 |
132 |
133 | Specifies the security attributes for the Windows waitable timer object.
134 | cybox
136 |
137 |
138 |
139 | Security Attributes
140 |
141 |
142 | Specifies the name of the Windows waitable timer object.
143 | cybox
145 |
146 |
147 |
148 | Waitable Timer Name
149 |
150 |
151 | Specifies the type of the Windows waitable timer object.
152 | cybox
154 |
155 |
156 |
157 | Waitable Timer Type
158 | http://www.daedafusion.com/default_vocabularies-1#WaitableTimerTypeVocab-1.0
160 | http://www.daedafusion.com/default_vocabularies-1#WaitableTimerTypeVocab
162 |
163 |
164 |
165 |
166 |
--------------------------------------------------------------------------------
/cyber-ontology/geo/wgs84_pos.rdf:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 | WGS84 Geo Positioning: an RDF vocabulary
8 | A vocabulary for representing latitude, longitude and
9 | altitude information in the WGS84 geodetic reference datum.
10 | Version $Id: wgs84_pos.rdf,v 1.22 2009/04/20 15:00:30 timbl Exp $. See http://www.w3.org/2003/01/geo/ for more details.
11 | $Date: 2009/04/20 15:00:30 $
12 | geo
13 |
14 |
15 | Recent changes to this namespace:
16 | $Log: wgs84_pos.rdf,v $
17 | Revision 1.22 2009/04/20 15:00:30 timbl
18 | Remove the time bits which have been deal with elsewhere eg in iCal.
19 |
20 | Revision 1.21 2009/04/20 12:52:47 timbl
21 | try again
22 |
23 | Revision 1.20 2009/04/20 12:42:11 timbl
24 | Add Event (edited ages ago and never checked in), and location (following discussion http://chatlogs.planetrdf.com/swig/2009-04-20#T12-36-09)
25 |
26 | Revision 1.19 2009/04/20 12:36:31 timbl
27 | Add Event (edited ages ago and never checked in), and location (following discussion http://chatlogs.planetrdf.com/swig/2009-04-20#T12-36-09)
28 |
29 | Revision 1.18 2006/02/01 22:01:04 danbri
30 | Clarified that lat and long are decimal degrees, and that alt is decimal metres about local reference ellipsoid
31 |
32 | Revision 1.17 2004/02/06 17:38:12 danbri
33 | Fixed a bad commit screwup
34 |
35 | Revision 1.15 2003/04/19 11:24:08 danbri
36 | Fixed the typo even more.
37 |
38 | Revision 1.14 2003/04/19 11:16:56 danbri
39 | fixed a typo
40 |
41 | Revision 1.13 2003/02/19 22:27:27 connolly
42 | relaxed domain constraints on lat/long/alt from Point to SpatialThing
43 |
44 | Revision 1.12 2003/01/12 01:41:41 danbri
45 | Trying local copy of XSLT doc.
46 |
47 | Revision 1.11 2003/01/12 01:20:18 danbri
48 | added a link to morten's xslt rdfs viewer.
49 |
50 | Revision 1.10 2003/01/11 18:56:49 danbri
51 | Removed datatype range from lat and long properties, since they would
52 | have required each occurance of the property to mention the datatype.
53 |
54 | Revision 1.9 2003/01/11 11:41:31 danbri
55 | Another typo; repaired rdfs:Property to rdf:Property x4
56 |
57 | Revision 1.8 2003/01/11 11:05:02 danbri
58 | Added an rdfs:range for each lat/long/alt property,
59 | http://www.w3.org/2001/XMLSchema#float
60 |
61 | Revision 1.7 2003/01/10 20:25:16 danbri
62 | Longer rdfs:comment for Point, trying to be Earth-centric and neutral about
63 | coordinate system(s) at the same time. Feedback welcomed.
64 |
65 | Revision 1.6 2003/01/10 20:18:30 danbri
66 | Added CVS log comments into the RDF/XML as an rdfs:comment property of the
67 | vocabulary. Note that this is not common practice (but seems both harmless
68 | and potentially useful).
69 |
70 |
71 | revision 1.5
72 | date: 2003/01/10 20:14:31; author: danbri; state: Exp; lines: +16 -5
73 | Updated schema:
74 | Added a dc:date, added url for more info. Changed the rdfs:label of the
75 | namespace from gp to geo. Added a class Point, set as the rdfs:domain of
76 | each property. Added XML comment on the lat_long property suggesting that
77 | we might not need it (based on #rdfig commentary from implementors).
78 |
79 | revision 1.4
80 | date: 2003/01/10 20:01:07; author: danbri; state: Exp; lines: +6 -5
81 | Fixed typo; several rdfs:about attributes are now rdf:about. Thanks to MortenF in
82 | #rdfig for catching this error.
83 |
84 | revision 1.3
85 | date: 2003/01/10 11:59:03; author: danbri; state: Exp; lines: +4 -3
86 | fixed buglet in vocab, added more wgs links
87 |
88 | revision 1.2
89 | date: 2003/01/10 11:01:11; author: danbri; state: Exp; lines: +4 -4
90 | Removed alt from the as-a-flat-string property, and switched from
91 | space separated to comma separated.
92 |
93 | revision 1.1
94 | date: 2003/01/10 10:53:23; author: danbri; state: Exp;
95 | basic geo vocab
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 | SpatialThing
104 | Anything with spatial extent, i.e. size, shape, or position.
105 | e.g. people, places, bowling balls, as well as abstract areas like cubes.
106 |
107 |
108 |
109 |
126 |
127 |
128 |
129 | point
130 | A point, typically described using a coordinate system relative to Earth, such as WGS84.
131 |
132 |
133 | Uniquely identified by lat/long/alt. i.e.
134 |
135 | spaciallyIntersects(P1, P2) :- lat(P1, LAT), long(P1, LONG), alt(P1, ALT),
136 | lat(P2, LAT), long(P2, LONG), alt(P2, ALT).
137 |
138 | sameThing(P1, P2) :- type(P1, Point), type(P2, Point), spaciallyIntersects(P1, P2).
139 |
140 |
141 |
142 |
143 |
144 |
145 | latitude
146 | The WGS84 latitude of a SpatialThing (decimal degrees).
147 |
148 |
149 |
158 |
159 |
160 |
161 | location
162 |
163 | The relation between something and the point,
164 | or other geometrical thing in space, where it is. For example, the relationship between
165 | a radio tower and a Point with a given lat and long.
166 | Or a relationship between a park and its outline as a closed arc of points, or a road and
167 | its location as an arc (a sequence of points).
168 | Clearly in practice there will be a limit to the accuracy of any such statement, but one would expect
169 | an accuracy appropriate for the size of the object and uses such as mapping.
170 |
171 |
172 |
173 |
174 |
175 | longitude
176 | The WGS84 longitude of a SpatialThing (decimal degrees).
177 |
178 |
179 |
180 |
181 | altitude
182 | The WGS84 altitude of a SpatialThing (decimal meters
183 | above the local reference ellipsoid).
184 |
185 |
186 |
187 |
188 | lat/long
189 | A comma-separated representation of a latitude, longitude coordinate.
190 |
191 |
192 |
193 |
--------------------------------------------------------------------------------
/cyber-ontology/maec/maec_container.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 | Malware Attribute Enumeration and Characterization (MAEC) Container Ontology
12 |
13 |
14 |
15 | 2.1.0-000
17 |
18 |
19 |
20 | This ontology provides a vocabulary and representation for the Malware Attribute Enumeration and Characterization (MAEC) Container types.
21 |
22 | MAEC provides a common mechanism (structure and content) for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns. The Container ontology enables a collection of Packages to be included together.
23 |
24 | The ontology is based on the MAEC Container schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
25 |
26 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
27 |
28 |
29 |
30 |
31 | 1
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 | 1
47 |
48 |
49 |
50 | Container ${containerId} [${timestamp}]
52 |
53 |
54 |
55 |
56 |
57 | 1
59 |
60 |
61 | http://www.daedafusion.com/${containerId}
63 | Container
64 | Characterizes a container of information about malware
65 |
66 | maec
68 |
69 |
70 |
71 | Specifies the list of Packages within the container
72 | maec
74 |
75 |
76 | Packages
77 |
78 |
79 | maec
81 | Specifies the time and date when the container was generated
82 |
83 |
84 | Timestamp
85 |
86 |
87 |
88 |
89 |
90 |
--------------------------------------------------------------------------------
/cyber-ontology/oval/oval_common.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 | Open Vulnerability and Assessment Language (OVAL) Common Types Ontology
13 | 5.11-000
15 |
16 | This ontology provides a vocabulary and representation for the Open Vulnerability and Assessment Language (OVAL) common types.
18 |
19 | The OVAL ontology provides a characterization of an information security community effort to standardize how to assess and report upon the machine state of computer systems. OVAL includes a language to encode system details, and an assortment of content repositories held throughout the community. Tools and services that use OVAL for the three steps of system assessment — representing system information, expressing specific machine states, and reporting the results of an assessment — provide enterprises with accurate, consistent, and actionable information so they may improve their security. Use of OVAL also provides for reliable and reproducible information assurance metrics and enables interoperability and automation among security tools and services.
20 |
21 | The ontology is based on the OVAL schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
22 |
23 | Copyright (c) 2014-2015, DaedaFusion, LLC. All rights reserved.
24 |
25 |
26 |
27 | oval
29 | OVAL Object-ID
30 | Specifies the OVAL-ID of an Object. Object Id's should be formatted as 'oval:Organization DNS Name.oval:obj:ID Value' where organization DNS Name is of the form ‘org.mitre.oval’; and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it.
31 |
32 |
33 |
34 |
35 | oval:[A-Za-z0-9_-.]+:obj:[1-9][0-9]*
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 | Specifies the OVAL-ID of a State. State Id's should be formatted as 'oval:Organization DNS Name.oval:ste:ID Value' where organization DNS Name is of the form ‘org.mitre.oval’; and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it.
45 | oval
47 |
48 | OVAL State-ID
49 |
50 |
51 |
52 |
53 | oval:[A-Za-z0-9_-.]+:ste:[1-9][0-9]*
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 | Specifies when the particular OVAL document was compiled.
63 |
64 | Note that the timestamp element does not specify when a definition (or set of definitions) was created or modified but rather when the actual document that contains the definition was created. For example, the document might have pulled a bunch of existing OVAL Definitions together, each of the definitions having been created at some point in the past. The timestamp in this case would be when the combined document was created.
65 |
66 | oval
68 |
69 | Timestamp
70 |
71 |
72 | Specifies the OVAL-ID of a Test. Test Id's should be formatted as 'oval:Organization DNS Name.oval:tst:ID Value' where organization DNS Name is of the form ‘org.mitre.oval’; and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it.
73 | oval
75 |
76 | OVAL Test-ID
77 |
78 |
79 |
80 |
81 | oval:[A-Za-z0-9_-.]+:tst:[1-9][0-9]*
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 | OVAL Definition-ID
91 |
92 | oval
94 | Specifies the OVAL-ID of the Definition. Definition Id's should be formatted as 'oval:Organization DNS Name.oval:def:ID Value' where organization DNS Name is of the form ‘org.mitre.oval’; and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it.
95 |
96 |
97 |
98 |
99 | oval:[A-Za-z0-9_-.]+:def:[1-9][0-9]*
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 |
110 |
111 |
112 | oval:[A-Za-z0-9_-.]+:var:[1-9][0-9]*
114 |
115 |
116 |
117 |
118 |
119 | OVAL Variable-ID
120 |
121 | oval
123 | Specifies the OVAL-ID of a Variable. Variable Id's should be formatted as 'oval:Organization DNS Name.oval:var:ID Value' where organization DNS Name is of the form ‘org.mitre.oval’; and ID Value is an integer that is unique to the DNS name and ID Type pair that precedes it.
124 |
125 |
126 |
127 |
128 |
--------------------------------------------------------------------------------
/cyber-ontology/oval/oval_variables.rdf:
--------------------------------------------------------------------------------
1 |
2 |
9 |
10 |
11 | Open Vulnerability and Assessment Language (OVAL) Variables Ontology
13 | This ontology provides a vocabulary and representation for the Open Vulnerability and Assessment Language (OVAL) Variables types.
15 |
16 | The OVAL ontology provides a characterization of an information security community effort to standardize how to assess and report upon the machine state of computer systems. OVAL includes a language to encode system details, and an assortment of content repositories held throughout the community. Tools and services that use OVAL for the three steps of system assessment — representing system information, expressing specific machine states, and reporting the results of an assessment — provide enterprises with accurate, consistent, and actionable information so they may improve their security. Use of OVAL also provides for reliable and reproducible information assurance metrics and enables interoperability and automation among security tools and services.
17 |
18 | The ontology is based on the OVAL schema maintained by The MITRE Corporation copyright 2012-2014. The version number of the ontology is kept in sync with the schema in order to more easily relate between the ontology and the corresponding schema version.
19 |
20 | Copyright (c) 2014-2015, DaedaFusion, LLC. All rights reserved.
21 | 5.11-000
23 |
24 |
25 |
26 |
27 |
--------------------------------------------------------------------------------
/cyber-ontology/resources/CybOX-Objects.txt:
--------------------------------------------------------------------------------
1 | account.rdf
2 | Account_Object.xsd
3 | User_Account_Object.xsd
4 | Unix_User_Account_Object.xsd
5 | Win_User_Account_Object.xsd
6 | Win_Computer_Account_Object.xsd
7 |
8 | address.rdf
9 | Address_Object.xsd
10 |
11 | api.rdf
12 | API_Object.xsd
13 |
14 | arp_cache.rdf
15 | ARP_Cache_Object.xsd
16 |
17 | artifact.rdf
18 | Artifact_Object.xsd
19 |
20 | as.rdf
21 | AS_Object.xsd
22 |
23 | code.rdf
24 | Code_Object.xsd
25 |
26 | device.rdf
27 | Device_Object.xsd
28 |
29 | disk.rdf
30 | Disk_Object.xsd
31 | Disk_Partition_Object.xsd
32 |
33 | dns.rdf
34 | DNS_Cache_Object.xsd
35 | DNS_Query_Object.xsd
36 | DNS_Record_Object.xsd
37 |
38 | domain_name.rdf
39 | Domain_Name_Object.xsd
40 |
41 | email_message.rdf
42 | Email_Message_Object.xsd
43 |
44 | event.rdf
45 | Win_Event_Object.xsd
46 |
47 | event_log.rdf
48 | Win_Event_Log_Object.xsd
49 |
50 | file.rdf
51 | File_Object.xsd
52 | Archive_File_Object.xsd
53 | Image_File_Object.xsd
54 | PDF_File_Object.xsd
55 | Unix_File_Object.xsd
56 | Win_File_Object.xsd
57 | Win_Executable_File_Object.xsd
58 | Win_Driver_Object.xsd
59 |
60 | gui.rdf
61 | GUI_Dialogbox_Object.xsd
62 | GUI_Object.xsd
63 | GUI_Window_Object.xsd
64 |
65 | hostname.rdf
66 | Hostname_Object.xsd
67 |
68 | http_session.rdf
69 | HTTP_Session_Object.xsd
70 |
71 | library.rdf
72 | Library_Object.xsd
73 |
74 | linux_package.rdf
75 | Linux_Package_Object.xsd
76 |
77 | memory.rdf
78 | Memory_Object.xsd
79 | Win_Memory_Page_Region_Object.xsd
80 |
81 | mutex.rdf
82 | Mutex_Object.xsd
83 | Win_Mutex_Object.xsd
84 |
85 | network_connection.rdf
86 | Network_Connection_Object.xsd
87 |
88 | network_protocol.rdf
89 |
90 | network_route.rdf
91 | Network_Route_Entry_Object.xsd
92 | Network_Route_Object.xsd
93 | Unix_Network_Route_Entry_Object.xsd
94 | Win_Network_Route_Entry_Object.xsd
95 |
96 | network_socket.rdf
97 | Network_Socket_Object.xsd
98 |
99 | network_subnet.rdf
100 | Network_Subnet_Object.xsd
101 |
102 | pipe.rdf
103 | Pipe_Object.xsd
104 | Unix_Pipe_Object.xsd
105 | Win_Pipe_Object.xsd
106 |
107 | port.rdf
108 | Port_Object.xsd
109 |
110 | process.rdf
111 | Process_Object.xsd
112 | Unix_Process_Object.xsd
113 | Win_Process_Object.xsd
114 | Win_Service_Object.xsd
115 |
116 | product.rdf
117 | Product_Object.xsd
118 |
119 | semaphore.rdf
120 | Semaphore_Object.xsd
121 | Win_Semaphore_Object.xsd
122 |
123 | sms_message.rdf
124 | SMS_Message_Object.xsd
125 |
126 | socket_address.rdf
127 | Socket_Address_Object.xsd
128 |
129 | system.rdf
130 | System_Object.xsd
131 | Win_System_Object.xsd
132 |
133 | thread.rdf
134 | Win_Thread_Object.xsd
135 |
136 | uri.rdf
137 | URI_Object.xsd
138 | Link_Object.xsd
139 |
140 | url_history.rdf
141 | URL_History_Object.xsd
142 |
143 | user_session.rdf
144 | User_Session_Object.xsd
145 |
146 | volume.rdf
147 | Volume_Object.xsd
148 | Unix_Volume_Object.xsd
149 | Win_Volume_Object.xsd
150 |
151 | windows_critical_section.rdf
152 | Win_Critical_Section_Object.xsd
153 |
154 | windows_filemapping.rdf
155 | Win_Filemapping_Object.xsd
156 |
157 | windows_handle.rdf
158 | Win_Handle_Object.xsd
159 |
160 | windows_hook.rdf
161 | Win_Hook_Object.xsd
162 | Win_Kernel_Hook_Object.xsd
163 |
164 | windows_kernel.rdf
165 | Win_Kernel_Object.xsd
166 |
167 | windows_mailslot.rdf
168 | Win_Mailslot_Object.xsd
169 |
170 | windows_network_share.rdf
171 | Win_Network_Share_Object.xsd
172 |
173 | windows_prefetch.rdf
174 | Win_Prefetch_Object.xsd
175 |
176 | windows_registry.rdf
177 | Win_Registry_Key_Object.xsd
178 |
179 | windows_system_restore.rdf
180 | Win_System_Restore_Object.xsd
181 |
182 | windows_task.rdf
183 | Win_Task_Object.xsd
184 |
185 | windows_waitable_timer.rdf
186 | Win_Waitable_Timer_Object.xsd
187 |
188 | whois.rdf
189 | Whois_Object.xsd
190 |
191 | x509_certificate.rdf
192 | X509_Certificate_Object.xsd
193 |
194 |
195 | ========== Unhandled ================
196 |
197 | Custom_Object.xsd
198 |
199 | Network_Flow_Object.xsd
200 | Network_Packet_Object.xsd
201 |
--------------------------------------------------------------------------------
/cyber-ontology/resources/Document Definition.txt:
--------------------------------------------------------------------------------
1 | Document
2 | title xsd:string
3 | subject xsd:string
4 | description xsd:string // description of resource content
5 | resourceName File // name of the file that contains the resource
6 | locator URL // logical address at which the resource can be accessed (e.g. a URL).
7 | location Location // describes where resource was created or otherwise authored
8 | sizeInBytes xsd:long // size of resource in bytes (could be on File)
9 | author xsd:string
10 | version xsd:string
11 | contentType xsd:string // application/pdf,application/msword
12 | creationDate xsd:dateTime
13 | lastModifyDate xsd:dateTime
14 | lastSaveDate xsd:dateTime
15 | copyrightDate xsd:date
16 | copyright xsd:string // copyright statement
17 | publisher xsd:string // original publisher
18 | custodian xsd:string // entity responsible for documents when original publisher does not control the works.
19 | pages xsd:long
20 | keywords sioct:Tag
21 | producer xsd:string // name of tool that converted document to PDF
22 | creatorTool xsd:string // name of tool that created the original document
23 |
24 |
25 | Image
26 | title xsd:string
27 | subject xsd:string
28 | description xsd:string // description of resource content
29 | resourceName File // name of the file that contains the resource
30 | locator URL // logical address at which the resource can be accessed (e.g. a URL).
31 | location Location // describes where resource was created, developed, or otherwise authored
32 | sizeInBytes xsd:long
33 | author xsd:string
34 | version xsd:string
35 | contentType xsd:string // image/jpeg, image/png
36 | creationDate xsd:dateTime
37 | lastModifyDate xsd:dateTime
38 | lastSaveDate xsd:dateTime
39 | copyrightDate xsd:date
40 | copyright xsd:string // copyright statement
41 | publisher xsd:string // original publisher
42 | custodian xsd:string // entity responsible for the documents when the original publisher does not control the works.
43 |
44 | xPixels xsd:decimal // width of picture in pixels
45 | yPixels xsd:decimal // height of picture in pixels
46 | deviceMake xsd:string // manufacturer of device which captured the image
47 | deviceModel xsd:string // model of the device that captured the image
48 |
49 |
50 | Video
51 | title xsd:string
52 | subject xsd:string
53 | description xsd:string // description of resource content
54 | resourceName File // name of the file that contains the resource
55 | locator URL // logical address at which the resource can be accessed (e.g. a URL).
56 | location Location // describes where the resource has been created, developed, recorded, or otherwise authored
57 | sizeInBytes xsd:long
58 | author xsd:string
59 | version xsd:string
60 | contentType xsd:string // application/pdf,application/msword
61 | creationDate xsd:dateTime
62 | lastModifyDate xsd:dateTime
63 | lastSaveDate xsd:dateTime
64 | copyrightDate xsd:date
65 | copyright xsd:string // copyright statement
66 | publisher xsd:string // original publisher
67 | custodian xsd:string // entity responsible for the documents when the original publisher does not control the works.
68 |
69 | deviceMake xsd:string // manufacturer of device which captured the image
70 | deviceModel xsd:string // model of the device that captured the image
71 | duration xsd:decimal // actual duration, in seconds
72 | samplingRate xsd:decimal // audio sampling rate, defined to be samples/second.
73 | frameRate xsd:decimal // video frame rate, defined to be frames/second.
74 | frameWidth xsd:decimal // width of the frame in pixels
75 | frameHeight xsd:decimal // Height of the frame in pixels
76 | compression xsd:string // compression type used
77 |
--------------------------------------------------------------------------------
/cyber-ontology/resources/TippingList.txt:
--------------------------------------------------------------------------------
1 | # Tipping Files
2 |
3 | # Location of lists of blocklists
4 | # (Most feeds in this file are plain-HTTP URLs; validate downloaded content before using it.)
5 | http://www.selectrealsecurity.com/public-block-lists
6 | http://pausethenreflect.blogspot.com/2012/07/blacklist-of-knownsuspected-malicious.html
7 |
8 | #
9 | # Malicious Hosts
10 | #
11 | http://hosts-file.net/download/hosts.txt
12 | http://www.malwaredomainlist.com/hostslist/hosts.txt
13 |
14 | #
15 | # Domains
16 | #
17 | https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
18 | http://virustracker.info/text/Blocklist_combined.txt
19 | https://spyeyetracker.abuse.ch/blocklist.php?download=domainblocklist
20 | http://www.dshield.org/feeds/suspiciousdomains_High.txt
21 | http://www.dshield.org/feeds/suspiciousdomains_Medium.txt
22 | #http://exposure.iseclab.org/malware_domains.txt
23 |
24 | #
25 | # Malicious IP Addresses
26 | #
27 | http://malc0de.com/bl/IP_Blacklist.txt
28 | https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
29 | http://www.malwaredomainlist.com/hostslist/ip.txt
30 | https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist
31 |
32 | #
33 | # Malware Traffic
34 | #
35 | http://www.nothink.org/blacklist/blacklist_malware_dns.txt
36 | http://www.nothink.org/blacklist/blacklist_malware_http.txt
37 | http://www.nothink.org/blacklist/blacklist_malware_irc.txt
38 | http://www.nothink.org/blacklist/blacklist_ssh_all.txt
39 | http://www.nothink.org/blacklist/blacklist_ssh_day.txt
40 |
41 |
42 |
43 | #
44 | # Malicious URLs
45 | #
46 | http://www.malwaredomainlist.com/hostslist/yesterday_urls.php
47 |
48 | #
49 | # Clean/Delisted
50 | #
51 | http://www.malwaredomainlist.com/hostslist/delisted.txt
52 |
--------------------------------------------------------------------------------
/cyber-ontology/resources/fixture-vocabs.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ebiquity/uco2/2521b4655cb8006b5ddf69495e522f06be4543b5/cyber-ontology/resources/fixture-vocabs.xlsx
--------------------------------------------------------------------------------
/cyber-ontology/scap/patch.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 | Security Content Automation Protocol (SCAP) Patch Ontology
13 | 1.0.0-001
15 |
16 | This ontology provides a vocabulary and representation for the Security Content Automation Protocol (SCAP) Patch data type which provides a standardized method of describing and identifying patches to address vulnerabilities. The SCAP is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation.
17 |
18 | Copyright (c) 2014, DaedaFusion, LLC. All rights reserved.
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 | 1
28 |
29 |
30 | Patch
31 | ${patchName}
33 | Defines a patch
34 |
35 |
36 |
37 |
38 |
39 | 1
41 |
42 |
43 | scap
45 |
46 |
47 |
48 |
49 |
50 | 1
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 | 1
62 |
63 |
64 | scap:/Patch/${name}/${patchIdentifier}
66 |
67 |
68 |
69 |
70 |
71 | 1
73 |
74 |
75 |
76 |
77 |
78 |
79 | scap
81 |
82 | Specifies zero or more references to check systems associated with this patch.
83 | Checks
84 |
85 |
86 |
87 |
88 | scap
90 | References
91 | Specifies zero or more references associated with the patch.
92 |
93 |
94 |
95 |
96 |
97 | scap
99 |
100 | Specifies zero or more patches that are superseded by the referenced patch.
101 | Supersedes Patches
102 |
103 |
104 |
105 |
106 | scap
108 |
109 | Specifies zero or more patches that supersede this patch.
110 | Superseded By
111 |
112 |
113 |
114 |
115 | scap
117 |
118 | Specifies that the patch has been superseded if true.
119 | Superseded
120 |
121 |
122 |
123 |
124 | scap
126 |
127 | Specifies zero or more notes associated with the patch.
128 |
129 | Notes
130 |
131 |
132 |
133 | scap
135 | Patch Name
136 |
137 |
138 | Specifies the vendor-supplied name for the patch. The patch name should be in all lower-case and use underscores for spaces.
139 |
140 |
141 |
142 | scap
144 |
145 | Specifies that the patch has been deprecated and thus should not be used.
146 | Deprecated
147 |
148 |
149 |
150 |
151 | scap
153 |
154 | Specifies a human-formatted title for the patch
155 | Title
156 |
157 |
158 |
159 |
160 | scap
162 | Specifies a unique identifier for the patch
163 |
164 | Patch Identifier
165 |
166 |
167 |
168 |
169 |
170 |
--------------------------------------------------------------------------------
/cyber-ontology/stix/report.rdf:
--------------------------------------------------------------------------------
1 |
2 |
10 |
11 |
12 | STIX Report Ontology
13 | This ontology provides a vocabulary and representation for the Structured Threat Information eXpression (STIX) Report. The Report ontology provides a characterization of the context to a given grouping of STIX content.
14 |
15 |
16 |
17 |
18 | 1.2.0-000
20 |
21 |
22 |
23 |
24 | 1
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 | 1
37 |
38 |
39 |
40 |
41 |
42 | Characterizes a contextual wrapper for a given group of STIX content.
43 | Report
44 |
45 |
46 | 1
48 |
49 |
50 |
51 | stix
53 |
54 |
55 | 1
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 | Specifies a reference to one or more related Reports
67 | Related Reports
68 |
69 |
70 | stix
72 |
73 |
74 |
75 | Specifies the intended purpose(s) or use(s) of this report.
76 |
77 | Examples of report intent include Threat Report, Indicators, PBX, and Campaign Characterization (these specific values are only provided to help explain the property: they are neither recommended values nor necessarily part of any existing vocabulary). The content creator may choose any arbitrary value or may constrain the set of possible values by referencing an externally-defined vocabulary or leveraging a formally defined vocabulary.
78 |
79 | By default, the Report Intent Vocabulary is used to define a restricted set of values.
80 | stix
82 | Intent
83 |
84 |
85 | http://stix.mitre.org/default_vocabularies-1.0#ReportIntentVocab-1.0
87 | http://stix.mitre.org/default_vocabularies-1.0#ReportIntentVocab
--------------------------------------------------------------------------------
/cyber-ontology/vocab/sw_vocab-status.rdf:
--------------------------------------------------------------------------------
1 |
2 |
11 |
12 |
13 |
14 | SemWeb Vocab Status ontology
15 | An RDF vocabulary for relating SW vocabulary terms to their status.
16 | This vocabulary was created in the FOAF project, based on experience with FOAF, Dublin Core and other early RDF vocabularies. Deployment experience shows that changing namespace URIs is expensive and unrewarding, so this vocabulary provides terms to support in-place evolution of structured data vocabularies. By indicating status at the level of terms rather than vocabularies, dictionary-style, fine grained improvements become easier. Different organizations and parties can agree or disagree on the status of a vocabulary term; however the status published alongside the term may deserve special attention. Future work could include patterns for citing announcements and decisions, or using SKOS to decentralise the extension of the basic status levels.
17 | Dan Brickley
18 | Leigh Dodds
19 | Libby Miller
20 | Pierre-Yves Vandenbussche
21 | 2011-12-12
22 | 2003-06-01
23 | vs
24 | http://www.w3.org/2003/06/sw-vocab-status/ns#
25 |
26 |
27 |
28 |
29 | term status
30 | the status of a vocabulary term, expressed as a short symbolic string; known values include 'unstable','testing', 'stable' and 'archaic'
31 | unstable
32 |
33 |
34 |
35 |
36 |
37 | more info
38 | more information about the status etc of a term, typically human oriented
39 |
40 | unstable
41 |
42 |
43 |
44 |
45 | user docs
46 | human-oriented documentation, examples etc for use of this term
47 |
48 | unstable
49 |
50 |
51 |
52 |
53 |
--------------------------------------------------------------------------------
/docs/AAAI_workshop_2016.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ebiquity/uco2/2521b4655cb8006b5ddf69495e522f06be4543b5/docs/AAAI_workshop_2016.pdf
--------------------------------------------------------------------------------
/docs/BestPracticesPublishingLinkedData.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ebiquity/uco2/2521b4655cb8006b5ddf69495e522f06be4543b5/docs/BestPracticesPublishingLinkedData.pdf
--------------------------------------------------------------------------------
/docs/BookChapter-CyberChapterKott.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ebiquity/uco2/2521b4655cb8006b5ddf69495e522f06be4543b5/docs/BookChapter-CyberChapterKott.pdf
--------------------------------------------------------------------------------
/docs/Catalogue of Cybersecurity Standards.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ebiquity/uco2/2521b4655cb8006b5ddf69495e522f06be4543b5/docs/Catalogue of Cybersecurity Standards.pdf
--------------------------------------------------------------------------------
/docs/DataonWebBestPractices.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ebiquity/uco2/2521b4655cb8006b5ddf69495e522f06be4543b5/docs/DataonWebBestPractices.pdf
--------------------------------------------------------------------------------
/docs/IDSOntologyv2.3.0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ebiquity/uco2/2521b4655cb8006b5ddf69495e522f06be4543b5/docs/IDSOntologyv2.3.0.png
--------------------------------------------------------------------------------
/docs/UCO_TR.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ebiquity/uco2/2521b4655cb8006b5ddf69495e522f06be4543b5/docs/UCO_TR.pdf
--------------------------------------------------------------------------------