Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

Semantic_Web_Methodology_NIST

VIEWS: 0 PAGES: 42

									                         Semantic Web Methodology


Step 1
Describe your initial, most difficult requirements in conversational, informal English.
Leverage any existing diagrams or formalisms.
Step 2
Decompose the problem into domain components. Pick the most difficult domain as a
starting point. Add in any ―for free‖ completed domains.
Step 3
Look for opportunities of abstraction to lessen the number of components.
Step 4
Research existing vocabularies and ontologies in similar domains to use in composition.
Step 5
If a preexisting vocabulary does not exist, model it yourself creating Tbox entries.
Step 6
Take an instantiation of the data and prove it can work on paper.
Step 7
Use a semantic web implementation, like Protege or Jena, to build a Tbox vocabulary.
Step 8
In a semantic web implementation, instantiate the vocabulary by creating instances and
output the instances as RDF/XML.
Step 9
Iterations - repeat steps 1 through 8 until complete.


National Institute of Standards Technology (NIST)
Case Study




Step 1 - Describe your initial, most difficult requirements in conversational,
informal English


At a high level, NIST' goal in the trial is to use semantic technology to improve storage
and query capabilities for the data it now holds in the National Vulnerability Database
(NVD). At this time, this represents data held in the Computer Vulnerability

1
Enumeration (CVE) database, the National Checklists Program, US-CERT alerts, US-
CERT vulnerability notes, and OVAL (Open Vulnerability Assessment Language)
queries. In the near term, NIST also expects to place data from the Computer Platform
Enumeration (CPE), but in any event, as SCAP (Secure Content Automation Program)
adoption increases in industry, there are potential many more sources that could feed
the NVD with other data related to configurations, assets, remediation, patches,
compliance, etc. NIST believes that semantic technology will improve the capability to
share such data on an inter-operable basis, discover new relationships, and to improve
the rate and ease with which data fields can be added, deleted or changed (I.e., change
the schema in a RDBMS frame of reference). In addition, at this time, matching
between the current NVD datasets is problematic, and NIST has an additional
requirement that this problem be removed, I.e., a vulnerability represented in the current
CVE database could be matched with the various platforms it appears in (e.g.,
desktops), represented in CPE data.
Step 2 - Decompose the problem into domain components. Pick the most difficult
domain as a starting point


The NIST team brainstormed and was able to describe the highest interest nouns
(entities) and their properties at a high level. Because it is imperative to aim at first to
describe the task at a high level of generality, it is not necessary to capture all nouns at
the beginning.
Product: hardware, software or system component

       Has name
          o Products may be known by more than one name (e.g., marketing name =
             ―Vista‖, codename = ―Longhorn‖, abbreviation = jre, alternative branding)
          o Identify a preferred name


       Has vendor
          o vendor can be commercial entity, educational institution, open source,
              government agency, individual
       Consists of other products
          o e.g., Microsoft Office consists of Word, Excel, PowerPoint
       Has sub-products
          o e.g., SQL Server has Reporting Services
       Has version
          o ability to serialize versions
       Depends on products


Organization:

       Has name


2
           o  Organization may be known by more than one name (e.g., formal,
              informal, acquisitions, mergers)
       Releases products

Person:

       Has name
           o Person may be known by more than one name
       Belongs to organization


Topics/Classifications (architecture, operating system, web server, app server)
We may come up with topics that can be, Windows (Home Professional), Host
environment, Target environment or the release of a language such as Java 1.5 or Java
1.6.
The group determined the highest level noun and the most complex one was Product
Entity. This was the base element around which other properties such as vendor,
version, etc. could be composed. In this position, Product Entity functions as an
‗exploding‘ noun because products consist of other products, and products depend on
other products. This formulation was made with the understanding that components and
relationships could and probably would change as the environment was decomposed,
and that this is typical at this early stage.
The team also had access to another abstract model for a similar environment from a
partner office, which also described the relationships between vulnerabilitites, hardware,
software, configurations, and other nouns generally about network hygiene. This is
shown in Figure 1.




3
Figure 1 – Relations of business entities in the comparative vulnerability test environment

                                      Performed by                     Made of
                         Operations                      Evaluation                     Evaluation

                                                          Teams                           Teams

                                                                                        members
                                                                       use
               evaluate
                                                                                             employ
                     Organizations                      Credentials

                                                                             employ
                                                                                        Techniques
          have

     Policy                 Performed by           have masquerade as


                                                                                    exploit
                         Networks                       Users
                                                                             Scanners



                                   access
              Composed of                                                         evaluate
                                                 have

                           Hosts                         Software      has            Configurations

                                           run


              transmit             store           has                 evaluate
                                                                                             employ

                           Files                     Vulnerabilities                      Tools
       own


                                                                       exploit


                   contain                               fix      Patches
                        Data
                                                                                    analyze
4
Step 3 - Look for opportunities of abstraction to lessen the number of
components


As is common OO modeling practice (where it is generally more effective to create more
objects and lessen inheritance), semantic implementation recommends that the domain
designer aim for a range of between 8 and 30 nouns. Object composition (black-box
reuse) is an alternative to class inheritance (white-box reuse). New functionality is
obtained by assembling or composing objects to get more complex functionality. Put
another way, object composition is defined dynamically when the semantic user runs a
query, since at that time objects that are known to the user in his domain acquire
references to other objects in other domain vocabularies (we will return to this in step 4).
Any object can be replaced at run-time by another as long as it has the same type.


This step, then, is the ―special sauce.‖ The team saw that Configurations, Software,
Tools and Patches are really groupings of Products and Topics. When the team used
composition and inheritance, they produced an abstraction and a simplification. This
reduced the number of components in the abstraction (shown in red in figure 2) which
allows these advantages:


Favoring object composition over class inheritance helps keep each class encapsulated
and focused on one task. The rationale is as follows:
    Classes and class hierarchies remain small and manageable.
    A design based on object composition has more objects (instances) and less
      classes (Tbox) and the system behavior depends on their interrelationships
      instead of being defined in one class.
    As stated by Erich Gamma, ―Favor object composition over class inheritance. In
      our experience, designers overuse inheritance.‖




5
                                       Figure 2 – Areas of Focus (red)
                                       Performed by                        Made of
                         Operations                       Evaluation                            Evaluation

                                                             Teams                                Teams

                                                                                                members
                                                                           use
              evaluate
                                                                                                   employ
                        Organizations                     Credentials

                                                                                 employ
                                                                                                Techniques
         have

    Policy                  Performed by              have Masquerade as


                                                                                           exploit
                          Networks                       Users

                                                                                     Scanners



                                      access
             Composed of                                                                evaluate
                                                  have

                           Hosts                            Software       has              Configurations

                                            run


             transmit               store             has                  evaluate
                                                                                                    employ

                            Files                        Vulnerabilties                           Tools
     own


                                                                           exploit


                   contain                                fix
                                                                 Patches
                            Data



                                                                                       analyze
6
The NIST team compared their initial four-component abstraction with the vulnerability
test environment abstraction they were working to shorten (i.e., remove components).
They hypothesized that the components they were ‗re-addressing‘ through composition
(patches, tools, software, users, credentials, organizations, evaluation teams,
evaluations) could be contained at an abstract level in their original four component
abstraction, shown in figure 3.




             Figure 3 – An abstraction over the aforementioned red labeled notes


        Topics                                                      Users



                 Have many
                                                                     Belong to
                                 Developed by
               Products                                  Organization


                                      Used by

    Composed
      with Consists
                       of

While it is important to know the cardinality and composition of products up front, i.e.
what a template may look like, it is impossible to know any entity‘s specifics and the
measure to which the consistencies and dependencies may change.




7
Step 4 - Research existing vocabularies and ontologies in similar domains to use
in composition


It would be useful here to step back and reiterate that the power of the semantic web
comes not just from applications designed to transform, index and query RDF data like
Blackbook2. One can also leverage existing domain vocabularies on the web that you
can get 'for free.'
Friend Of A Friend (FOAF) and Virtual Card (VC) are current vocabularies that pertain
to Users and Organizations. The team chose VC for better support of Organizations
and the relationship to Users. No suitable domain vocabularies exist for the other two
components so the team had to build a custom vocabulary for Product and Topic.


Step 5 - If preexisting vocabulary does not exist, model it yourself, creating Tbox
entries




Tbox—the ‗term box‘---literally defines the concepts in the domain. It comes the closest
to what current RDBMS users would call a schema, or even in some definitions, a
model. The Abox consists of records or definitions of individuals/objects. In Computer


8
Science an Abox is an ―assertion component‖ or a fact associated with a terminological
vocabulary within a knowledge base, or more simply, data instances.

The terms Abox and Tbox are used to describe two different types of statements in
vocabularies and ontologies. Tbox statements describe a system in terms of controlled
vocabularies, for example, a set of classes and properties. Abox are Tbox-compliant
statements about that vocabulary. Tbox statements can be associated with object-
oriented classes and Abox statements instances of those classes. Together Abox and
Tbox statements make up a knowledge base.


First, the team created a Topic Tbox and a Product Tbox; then it compose those
vocabularies in the same way VC is constructed. Current vocabularies that area
available tend to violate Gamma's approach to composition by using a ―kitchen sink‖
type of approach. Vocabularies compose with other vocabularies and should be agile.
Topics allow grouping of items with information about a particular grouping. Any
reference to an individual is thorough VC. Any reference to a product is through the
Product vocabulary.

For the purposes of this trial, NIST agreed to be the domain holder for PRODUCT,
TOPIC, VULNERABILITY, PRODUCT, PRODUCT-INSTANCE, and CONFIGURATION.
As a result, they are providing web server setup that provides documentation for the
namespace and URI. Additionally, NIST will manage versions and releases of the
domain vocabularies.


Step 6 - Take an instantiation of the data and prove it can work on paper
As an example, the team used Linux as a product with a dependency on both a Linux
Kernel as well as xwindows. The team then placed a JBoss application server on the
stack to prove that the paradigm would work (figure 4).
The team became confident that it could compose products in a variety of different
ways. This could mean anything from an embedded system using a Linux Kernel to a
data processing system using JBoss. All may be modeled using our compositional
product structure.
                                  Figure 4: example a


                                      JBoss4
                                       Figure




                                   xwindows

9
                        Ubuntu                       Fedora
                         Linux                        Linux
                                         Figure 4: example b


                                          Apache


                                          Window                      Linux
                                          XP Pro
                              Intel
                                                                AMD
                                                                AMD

Step 7- Use a semantic web implementation, like Protege or Jena, to build a Tbox
vocabulary


The <rdf:Bag> element is used to describe a list of values that is intended to be
unordered. RDF defines several container elements. Collections
We used protege to create the Tbox for NVD. Protege allows the
user/ontologist/computer scientist to work graphically at the OWL level and
automatically create the Tbox java source file.
Below is the OWL file created graphically in protege and the java file automatically
generated by protege.


<rdf:RDF xml:base="http://nvd.nist.gov/ontology.owl">

<owl:Ontology rdf:about="">

<owl:versionInfo rdf:datatype="http://www.w3.org/2001/XMLSchema#string">



10
      draft

</owl:versionInfo>

<rdfs:comment rdf:datatype="http://www.w3.org/2001/XMLSchema#string">

      NVD is the U.S. government repository of standards based vulnerability management

      data represented using the Security Content Automation Protocol (SCAP). This

      data enables automation of vulnerability management, security measurement, and

      compliance. NVD includes databases of security checklists, security related software

      flaws, misconfigurations, product names, and impact metrics.

</rdfs:comment>

<owl:imports rdf:resource="http://www.w3.org/2006/vcard/ns.rdf"/>

<rdfs:label rdf:datatype="http://www.w3.org/2001/XMLSchema#string">

      NVD Ontology

     </rdfs:label>

</owl:Ontology>

<owl:Class rdf:about="#vcard:Name"/>

</owl:Class>

<

<owl:Class rdf:ID="Topic">

−

<rdfs:comment rdf:datatype="http://www.w3.org/2001/XMLSchema#string">



      This class represents a topic that contains a group of products. An example

      use case for this class is where a TOPIC representing Web Servers contains all

      possible products that are Web Servers.



</rdfs:comment>

<rdfs:label rdf:datatype="http://www.w3.org/2001/XMLSchema#string">



11
     Topic

    </rdfs:label>

</owl:Class>

−

<owl:Class>

−

<owl:unionOf rdf:parseType="Collection">

<owl:Class rdf:about="#ProductInstance"/>

<owl:Class rdf:about="#Finding"/>

</owl:unionOf>

</owl:Class>

−

<owl:Class rdf:about="#Product">

−

<rdfs:comment rdf:datatype="http://www.w3.org/2001/XMLSchema#string">



     An instance of the PRODUCT class has product-metadata and it has a unique id.

     The product-metadata represents all the attributes we need to capture

     relating to a PRODUCT such as the current CPE component structure (vendor,

     product, version, update, edition, language), titles, role, and anything else

     that needs to be captured at this level. To be considered an instance of the

     PRODUCT class the individual will have to be concrete, which is to say the

     component structure must be fully populated (will have to use OWL

     restrictions here). The end-goal for this Class is to have a set of

     individuals that represent all IT products.



     This domain is where we will map to other IT domains such CVEs, CCEs. The

     mappings should be performed through the product-metadata.



</rdfs:comment>


12
<rdfs:label rdf:datatype="http://www.w3.org/2001/XMLSchema#string">

     Product

    </rdfs:label>

</owl:Class>

−

<owl:Class>

−



<owl:ObjectProperty rdf:ID="owns">

<rdfs:range rdf:resource="#Product"/>

<rdfs:comment rdf:datatype="http://www.w3.org/2001/XMLSchema#string">A person or organization
owns a product.</rdfs:comment>

−

<owl:inverseOf>

<owl:ObjectProperty rdf:ID="owner"/>

</owl:inverseOf>

−

<rdfs:domain>

−

<owl:Class>

−

<owl:unionOf rdf:parseType="Collection">

<rdf:Description rdf:about="http://www.w3.org/2006/vcard/ns#VCard"/>

<rdf:Description rdf:about="http://www.w3.org/2006/vcard/ns#Organization"/>

</owl:unionOf>

</owl:Class>

</rdfs:domain>

<rdfs:label rdf:datatype="http://www.w3.org/2001/XMLSchema#string">owns</rdfs:label>

</owl:ObjectProperty>

−

<owl:ObjectProperty rdf:ID="topic">

13
−

<rdfs:comment rdf:datatype="http://www.w3.org/2001/XMLSchema#string">



      A product falls under a particular topic.



</rdfs:comment>

<rdfs:range rdf:resource="#Topic"/>

−

<owl:inverseOf>

<owl:ObjectProperty rdf:ID="product"/>

</owl:inverseOf>

<rdfs:domain rdf:resource="#Product"/>

<rdfs:label rdf:datatype="http://www.w3.org/2001/XMLSchema#string">

      topic

    </rdfs:label>

</owl:ObjectProperty>

<owl:FunctionalProperty rdf:ID="alternateName">

<rdf:type rdf:resource="http://www.w3.org/2002/07/owl#DatatypeProperty"/>

<rdfs:label rdf:datatype="http://www.w3.org/2001/XMLSchema#string">Alternate name</rdfs:label>

<rdfs:comment rdf:datatype="http://www.w3.org/2001/XMLSchema#string">Alternate name for whatever
reason.</rdfs:comment>

<rdfs:domain rdf:resource="#Product"/>

<rdfs:range rdf:resource="http://www.w3.org/2001/XMLSchema#string"/>

</owl:FunctionalProperty>

</rdf:RDF>

−

Corresponding code created by protege.
public class NVD {

     /** <p>The ontology model that holds the vocabulary terms</p> */

     private static OntModel m_model = ModelFactory.createOntologyModel( OntModelSpec.OWL_MEM, null );


14
     /** <p>The namespace of the vocabulary as a string</p> */

     public static final String NS = "http://nvd.nist.gov/ontology.owl#";




     /** <p>The namespace of the vocabulary as a string</p>

     * @see #NS */

     public static String getURI() {return NS;}




     /** <p>The namespace of the vocabulary as a resource</p> */

     public static final Resource NAMESPACE = m_model.createResource( NS );




     /** <p>Signifies this product is contained in the specified Product</p> */

     public static final ObjectProperty containedIn = m_model.createObjectProperty(
"http://nvd.nist.gov/ontology.owl#containedIn" );




     /** <p>A product can contain more products.</p> */

   public static final ObjectProperty contains = m_model.createObjectProperty(
"http://nvd.nist.gov/ontology.owl#contains" );



     /** <p>Signifies the product relationship for the given resource. NOTE: inverseOf

     * properties defined on other side of symmetric relationship</p>

     */

   public static final ObjectProperty product = m_model.createObjectProperty(
"http://nvd.nist.gov/ontology.owl#product" );




     /** <p>A product falls under a particular topic.</p> */


15
   public static final ObjectProperty topic = m_model.createObjectProperty(
"http://nvd.nist.gov/ontology.owl#topic" );




     /** <p>A vulnerability has an alternate identifier.</p> */

   public static final DatatypeProperty alternateIdentifier = m_model.createDatatypeProperty(
"http://nvd.nist.gov/ontology.owl#alternateIdentifier" );




     /** <p>Alternate name for whatever reason.</p> */

   public static final DatatypeProperty alternateName = m_model.createDatatypeProperty(
"http://nvd.nist.gov/ontology.owl#alternateName" );




     /** <p>The name of a setting?</p> */

   public static final DatatypeProperty domain = m_model.createDatatypeProperty(
"http://nvd.nist.gov/ontology.owl#domain" );




     /** <p>The vector the scores apply to.</p> */

   public static final DatatypeProperty scoreVector = m_model.createDatatypeProperty(
"http://nvd.nist.gov/ontology.owl#scoreVector" );




     /** <p>The title of the product</p> */

     public static final DatatypeProperty title = m_model.createDatatypeProperty(
"http://nvd.nist.gov/ontology.owl#title" );




     /** <p>The value of a setting.</p> */

     public static final DatatypeProperty value = m_model.createDatatypeProperty(
"http://nvd.nist.gov/ontology.owl#value" );



     /** <p>A product has a version.</p> */

16
   public static final DatatypeProperty version = m_model.createDatatypeProperty(
"http://nvd.nist.gov/ontology.owl#version" );




     /** <p>An instance of the PRODUCT class has product-metadata and it has a unique

     * id. The product-metadata represents all the attributes we need to capture

     * relating to a PRODUCT such as the current CPE component structure (vendor,

     * product, version, update, edition, language), titles, role, and anything else

     * that needs to be captured at this level. To be considered an instance of the

     * PRODUCT class the individual will have to be concrete, which is to say the

     * component structure must be fully populated (will have to use OWL restrictions

     * here). The end-goal for this Class is to have a set of individuals that represent

     * all IT products. This domain is where we will map to other IT domains such

     * CVEs, CCEs. The mappings should be performed through the product-metadata.</p>

     */

     public static final OntClass Product = m_model.createClass( "http://nvd.nist.gov/ontology.owl#Product" );




     /** <p>A setting can be instantiated by a real setting value.</p> */

     public static final OntClass SettingInstance = m_model.createClass(
"http://nvd.nist.gov/ontology.owl#SettingInstance" );




     /** <p>This class represents a topic that contains a group of products. An example

     * use case for this class is where a TOPIC representing Web Servers contains

     * all possible products that are Web Servers.</p>

     */

     public static final OntClass Topic = m_model.createClass( "http://nvd.nist.gov/ontology.owl#Topic" );

17
     public static final OntClass Name = m_model.createClass( "http://nvd.nist.gov/ontology.owl#vcard:Name" );



   public static final OntClass Organization = m_model.createClass(
"http://nvd.nist.gov/ontology.owl#vcard:Organization" );




}



Step 8 - In a semantic web implementation, instantiate the vocabulary by creating
instances and output the instances as RDF/XML


Our code creates the RDF/XML (Tbox) entries based on our compositional vocabulary
(Tbox).
package semantic.exp;



import semantic.exp.generated.NVD;




import com.hp.hpl.jena.rdf.model.Model;

import com.hp.hpl.jena.rdf.model.ModelFactory;

import com.hp.hpl.jena.rdf.model.Resource;

import com.hp.hpl.jena.vocabulary.RDFS;

import com.hp.hpl.jena.vocabulary.VCARD;




public class NVDModelGenerator {

          public static void main(String args[]) throws Exception {

                  Model model = ModelFactory.createDefaultModel();

                  model.setNsPrefix("NVD", NVD.getURI());




18
     Resource redHat = model.createResource("http://www.redhat.com/");

     redHat.addProperty(VCARD.NAME, "Red Hat");



     Resource appServer = model.createResource(NVD.Topic.getURI() + "1");

     appServer.addProperty(RDFS.label, "Application Server");




     Resource kernel = model.createResource(NVD.Topic.getURI() + "2");

     kernel.addProperty(RDFS.label, "Kernel");




     Resource os = model.createResource(NVD.Topic.getURI() + "3");

     os.addProperty(RDFS.label, "OS");




     Resource rhelAppServer = model.createResource(NVD.Product.getURI()

                     + "1");

     rhelAppServer.addProperty(NVD.alternateName,

                     "cpe:/a:redhat:application_server");

     rhelAppServer

                     .addProperty(NVD.title, "Red Hat Application Server", "EN");




     rhelAppServer.addProperty(NVD.owner, redHat);

     rhelAppServer.addProperty(NVD.topic, appServer);




     Resource rhelKernel = model.createResource(NVD.Product.getURI() + "2");

     rhelKernel.addProperty(NVD.alternateName, "cpe:/a:redhat:kernel");

     rhelKernel.addProperty(NVD.title, "Red Hat Kernel", "EN");

     rhelKernel.addProperty(NVD.owner, redHat); // is-a vendor


19
     rhelKernel.addProperty(NVD.topic, kernel);




     Resource rhel = model.createResource(NVD.Product.getURI() + "3");

     rhel.addProperty(NVD.alternateName, "cpe:/o:redhat:enterprise_linux");

     rhel.addProperty(NVD.owner, redHat);

     rhel.addProperty(NVD.version, "enterprise_linux");

     rhel.addProperty(NVD.title, "Red Hat Enterprise Linux", "EN");




     rhel.addProperty(NVD.topic, os);

     rhel.addProperty(NVD.contains, rhelKernel);

     appServer.addProperty(NVD.product, rhelAppServer);

     kernel.addProperty(NVD.product, rhelKernel);




     Resource google = model.createResource("http://www.google.com/");

     google.addProperty(VCARD.NAME, "Google");




     Resource microsoft = model.createResource("http://www.microsoft.com/");

     microsoft.addProperty(VCARD.NAME, "Microsoft");




     Resource chrome = model.createResource(NVD.Product.getURI() + "88789");

     chrome

                      .addProperty(NVD.alternateName,

                                        "cpe:/a:google:chrome:0.2.149.29");

     chrome.addProperty(NVD.owner, google);

     chrome.addProperty(NVD.title, "Google Chrome 0.2.149.29", "EN");

     chrome.addProperty(NVD.version, "0.2.149.29");


20
     Resource chrome2 = model.createResource(NVD.Product.getURI() + "88790");

     chrome

                      .addProperty(NVD.alternateName,

                                        "cpe:/a:google:chrome:0.2.149.30");

     chrome.addProperty(NVD.owner, google);

     chrome.addProperty(NVD.title, "Google Chrome 0.2.149.30", "EN");

     chrome.addProperty(NVD.version, "0.2.149.30");




     Resource chrome3 = model.createResource(NVD.Product.getURI() + "94444");

     chrome

                      .addProperty(NVD.alternateName,

                                        "cpe:/a:google:chrome:1.0.154.36");

     chrome.addProperty(NVD.owner, google);

     chrome.addProperty(NVD.title, "Google Chrome 1.0.154.36", "EN");

     chrome.addProperty(NVD.version, "1.0.154.36");




     // product info not necessarily related to vuln...just sample data

     Resource vuln = model.createResource(NVD.Vulnerability + "1");

     vuln.addProperty(NVD.alternateIdentifier, "CVE-2009-0411");

     Resource newProduct = model.createResource(NVD.Product.getURI() + "4")

                      .addProperty(NVD.alternateName,

                                        "cpe:/a:google:chrome:1.0.154.36").addProperty(

                                        NVD.owner, google).addProperty(NVD.title,

                                        "Google Chrome 1.0.154.37", "EN").addProperty(

                                        NVD.version, "1.0.154.37");


21
            vuln.addProperty(NVD.product, newProduct);

            // show conjunction

            Resource containedProduct = model.createResource(

                            NVD.Product.getURI() + "5").addProperty(NVD.alternateName,

                            "cpe:/a:microsoft:ie:6.92").addProperty(NVD.owner, microsoft)

                            .addProperty(NVD.title, "Microsoft IE 6", "EN").addProperty(

                                            NVD.version, "6.92");




            newProduct = model.createResource(NVD.Product.getURI() + "6")

                            .addProperty(NVD.alternateName, "cpe:/o:microsoft:windows:5.2")

                            .addProperty(NVD.owner, microsoft).addProperty(NVD.title,

                                            "Microsoft Windows XP").addProperty(NVD.version, "5.2")

                            .addProperty(NVD.alternateName, "Professional").addProperty(

                                            NVD.contains, containedProduct);

            vuln.addProperty(NVD.product, newProduct);

            Resource baseScore = model.createResource(NVD.Score + "5base");

            baseScore.addProperty(NVD.score, "5");

            baseScore.addProperty(NVD.scoreVector, "base");

            Resource accessVector = model



     .createResource("http://nvd.nist.gov/ontology/data/SCORE/NetworkAccessVector");

            accessVector.addProperty(NVD.score, "Network");

            accessVector.addProperty(NVD.scoreVector, "AccessVector");

            vuln.addProperty(NVD.score, baseScore);

            vuln.addProperty(NVD.score, accessVector);




22
                 // a setting present on a PRODUCT_INSTANCE or PRODUCT_FINDING

                 Resource setting = model.createResource(NVD.Setting + "1");

                 setting.addProperty(NVD.domain, "javascript_enabled");

                 setting.addProperty(NVD.range, "on");

                 setting.addProperty(NVD.range, "off");




                 // capture the value for the setting

                 Resource captureValue = model.createResource(NVD.SettingInstance

                                   .getURI()

                                   + "1");

                 captureValue.addProperty(NVD.settingFor, setting);

                 captureValue.addProperty(NVD.value, "on");




                 // Represents a known, concrete, product found on a physical network

                 Resource productInstance = model.createResource(NVD.ProductInstance

                                   .getURI()

                                   + "1");

                 productInstance

                                   .addProperty(

                                                    RDFS.comment,

                                                    "Represents an instance of Google Chrome as found on an
actual physical network");

                 // mapping to the PRODUCT

                 productInstance.addProperty(NVD.product, chrome3);

                 Resource ipSetting, ipSettingInstance, macSetting, macSettingInstance, portSetting,
portSettingInstance;

                 ipSetting = model.createResource(NVD.Setting.getURI() + "IP");

23
     macSetting = model.createResource(NVD.Setting.getURI() + "MAC");

     portSetting = model.createResource(NVD.Setting.getURI() + "Port");

     ipSettingInstance = model.createResource(NVD.SettingInstance.getURI()

                         + "69.163.188.122");

     macSettingInstance = model.createResource(NVD.SettingInstance.getURI()

                         + "00-0C-F1-56-98-AD");

     portSettingInstance = model.createResource(NVD.SettingInstance.getURI()

                         + "80");

     ipSettingInstance.addProperty(NVD.settingFor, ipSetting);

     macSettingInstance.addProperty(NVD.settingFor, macSetting);

     portSettingInstance.addProperty(NVD.settingFor, portSetting);




     productInstance.addProperty(NVD.settingInstance, ipSettingInstance);

     productInstance.addProperty(NVD.settingInstance, macSettingInstance);

     productInstance.addProperty(NVD.settingInstance, portSettingInstance);




     // Represents an unkown product found on a physical network, but not

     // accounted for

     // this would typically be found as a result of information pulled back

     // by a port scan

     Resource productFinding = model.createResource(NVD.Finding.getURI()

                         + "1");

     productFinding

                         .addProperty(

                                         RDFS.comment,




24
                                                       "Represents an unkown product found on a physical
network, but not accounted for. "

                                                                     + "This would typically be found as a result
of information pulled back by a port scan. Based on the physical metadata, this finding is "

                                                                       + "most likely the same as "

                                                                       + productInstance.getURI()

                                                                       + ", just responding on a different port");

                 Resource ownerSetting, ownerSettingInstance;

                 ownerSetting = model.createResource(NVD.Setting.getURI() + "owner");

                 ownerSettingInstance = model.createResource(NVD.SettingInstance

                                    .getURI()

                                    + "google");

                 ownerSettingInstance.addProperty(NVD.settingFor, ownerSetting);




                 Resource versionSetting, versionSettingInstance;

                 versionSetting = model.createResource(NVD.Setting.getURI() + "version");

                 versionSettingInstance = model.createResource(NVD.SettingInstance

                                    .getURI()

                                    + "0.2.149.30");

                 versionSettingInstance.addProperty(NVD.settingFor, versionSetting);



                 productFinding.addProperty(NVD.settingInstance, ownerSettingInstance);

                 productFinding.addProperty(NVD.settingInstance, versionSettingInstance);




                 ipSettingInstance = model.createResource(NVD.SettingInstance.getURI()

                                    + "69.163.188.122");

                 macSettingInstance = model.createResource(NVD.SettingInstance.getURI()

25
                         + "00-0C-F1-56-98-AD");

         portSettingInstance = model.createResource(NVD.SettingInstance.getURI()

                         + "4893");

         ipSettingInstance.addProperty(NVD.settingFor, ipSetting);

         macSettingInstance.addProperty(NVD.settingFor, macSetting);

         portSettingInstance.addProperty(NVD.settingFor, portSetting);




         productInstance.addProperty(NVD.settingInstance, ipSettingInstance);

         productInstance.addProperty(NVD.settingInstance, macSettingInstance);

         productInstance.addProperty(NVD.settingInstance, portSettingInstance);




         // capture an action

         Resource action1 = model.createResource(NVD.Action.getURI() + "1");

         Resource testingOrg = model

                         .createResource("http://www.sometestOrg.com");

         testingOrg.addProperty(VCARD.NAME, "ACME Testing Organizatoin");

         action1.addProperty(NVD.performedBy, testingOrg);

         action1.addProperty(NVD.performedOn, vuln);




         // output...

         model.write(System.out);

         model.write(System.out, "N-TRIPLE");

         // model.write(System.out, "N3");

     }

}




26
Step 9 - Another iteration is necessary to complete our requirements
Second Iteration
Step 1 - Describe your initial, most difficult requirements in conversational,
informal English. Leverage any existing diagrams or formalisms
Then team then considered that it had to track instances of products. An instance of a
product is based on the definition of a product in conjunction with specific settings.
Settings have domains and ranges for a set of values. These settings further describe
products.

Policy refers to the process of making important organizational decisions, including the
identification of different alternatives such as programs or spending priorities, and
choosing among them on the basis of the impact they will have. Policies can be
understood as political, management, financial, and administrative mechanisms
arranged to reach explicit goals.

A security risk is classified as a vulnerability if it is recognized as a possible means of
attack. A security risk with one or more known instances of working and fully-
implemented attacks is classified as an exploit.
Vulnerabilities exist for products as a whole or with products instantiated with certain
settings.
In computer systems a configuration is an arrangement of functional units according to
their nature, number, and chief characteristics. Configuration pertains to the choice of
hardware, software, firmware, policy and documentation. The configuration affects
system function and performance.


Step 2 - Decompose the problem into domain components. Pick the most difficult
domain as a starting point
With this in mind, the problem became manageable. This became the team‘s final
iteration. The team will track Vulnerabilities, Configurations and Product Instances. At
the conclusion of this domain analysis, the analysis is complete.




27
Step 3 - Look for opportunities of abstraction to lessen the number of
components




28
29
30
31
The new abstraction in shown in figure 5




32
                                   Figure 5




     Topics                                                           Users




               Have
               many                                                  Belong
                                                                     to
              Products            Developed                  Organization
                                  by


                                Used
                                by
                                   Instantiat
                           Have    e           Product
Composed                                      Instance
  with                     many
              Consists
                of
                         Vulnerability
                                                                         Have
                                               Instantiate               many
 Are                                           Values
 assigned                                                          Configuration
        Score                                 Setting




33
                              Figure 6 – the original abstraction



                                         Performed by                         Made of
                            Operation                        Evaluation                            Evaluation
                               s                              Teams                                  Team
                                                                                                   Members


                                                                              use
                 evaluate
                                                                                                       employ
                            Organizations                     Credentials

                                                                                    employ
                                                                                                    Techniques
          have

     Policy                   Performed by                        Masquerade as
                                                     have


                                                                                              exploit
                            Networks                       Users
                                                                                        Scanners


                                        access
              Composed of                                                                  evaluate
                                                    have

                             Hosts                            Software                             Configurations
                                                                              has
                                              run

              transmit                store             has                   evaluate
                                                                                                        employ

                              Files                         Vulnerabilities                           Tools
      own

                                                                              exploit

                     contain                                fix

                                                                    Patches
                              Data
34

                                                                                          analyze
Step 4 - Research existing vocabularies and ontologies in similar domains to use
in composition
In the case of NIST, the team used Dublin Core to represent Policy. It is a predefined
vocabulary and a standard for representing publications. We may list or track policy
using Dublin Core.



Step 5 - If a preexisting vocabulary does not exist, model it yourself creating Tbox
entries
We create Tbox entries for Vulnerability, Configuration, Setting, Score, and Product
Instance.




35
Step 6 - Take an instantiation of the data and prove it can work on paper

                                        Figure 7

                                                                 My Web Site



                      JBoss                                         MyJBoss
                                                                    32G RAM

                   XWindows                                      Gnome 2.24

Ubuntu Linux                         Fedora Linux                 Ubuntu 8.1

                      Kernel                                     Kernel 2.6.29


         Buffer                          Small Memory
        Overflow


My web site runs on JBoss. JBoss runs on a Linux configuration. The Linux
configuration, when running with less than 64 Gig of memory has a vulnerability of
buffer overflow allowing compromised access to the system. Clearly our Tbox
represents these instances. The definitions of products through composition are on
the left in blue. The instances of product instance are on the right in grey.
Step 7 - Use a semantic web implementation, like Protege or Jena, to build a Tbox
vocabulary
The solution in its entirety was shown above.


Step 8 - In a semantic web implementation, instantiate the vocabulary by creating
instances and output the instances as RDF/XML
The solution in its entirety was shown above. The resulting RDF/XML is below.
36
<rdf:RDF

  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"

  xmlns:NVD="http://nvd.nist.gov/ontology.owl#"

  xmlns:vcard="http://www.w3.org/2001/vcard-rdf/3.0#"

  xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" >

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Action1">

  <NVD:performedOn rdf:resource="http://nvd.nist.gov/ontology.owl#Vulnerability1"/>

  <NVD:performedBy rdf:resource="http://www.sometestOrg.com"/>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Product3">

     <NVD:contains rdf:resource="http://nvd.nist.gov/ontology.owl#Product2"/>

     <NVD:topic rdf:resource="http://nvd.nist.gov/ontology.owl#Topic3"/>

     <NVD:title xml:lang="EN">Red Hat Enterprise Linux</NVD:title>

     <NVD:version>enterprise_linux</NVD:version>

     <NVD:owner rdf:resource="http://www.redhat.com/"/>

     <NVD:alternateName>cpe:/o:redhat:enterprise_linux</NVD:alternateName>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#SettingInstance00-0C-F1-56-98-AD">

     <NVD:settingFor rdf:resource="http://nvd.nist.gov/ontology.owl#SettingMAC"/>

 </rdf:Description>

 <rdf:Description rdf:about="http://www.redhat.com/">

     <vcard:NAME>Red Hat</vcard:NAME>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Topic2">

     <NVD:product rdf:resource="http://nvd.nist.gov/ontology.owl#Product2"/>

     <rdfs:label>Kernel</rdfs:label>

 </rdf:Description>

37
 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Product1">

     <NVD:topic rdf:resource="http://nvd.nist.gov/ontology.owl#Topic1"/>

     <NVD:owner rdf:resource="http://www.redhat.com/"/>

     <NVD:title xml:lang="EN">Red Hat Application Server</NVD:title>

     <NVD:alternateName>cpe:/a:redhat:application_server</NVD:alternateName>

 </rdf:Description>

 <rdf:Description rdf:about="http://www.google.com/">

     <vcard:NAME>Google</vcard:NAME>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#SettingInstance1">

     <NVD:value>on</NVD:value>

     <NVD:settingFor rdf:resource="http://nvd.nist.gov/ontology.owl#Setting1"/>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology/data/SCORE/NetworkAccessVector">

     <NVD:scoreVector>AccessVector</NVD:scoreVector>

     <NVD:score>Network</NVD:score>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Product5">

     <NVD:version>6.92</NVD:version>

     <NVD:title xml:lang="EN">Microsoft IE 6</NVD:title>

     <NVD:owner rdf:resource="http://www.microsoft.com/"/>

     <NVD:alternateName>cpe:/a:microsoft:ie:6.92</NVD:alternateName>

 </rdf:Description>

 <rdf:Description rdf:about="http://www.sometestOrg.com">

     <vcard:NAME>ACME Testing Organizatoin</vcard:NAME>

 </rdf:Description>


38
 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Setting1">

     <NVD:range>off</NVD:range>

     <NVD:range>on</NVD:range>

     <NVD:domain>javascript_enabled</NVD:domain>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Score5base">

     <NVD:scoreVector>base</NVD:scoreVector>

     <NVD:score>5</NVD:score>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Product88789">

     <NVD:title xml:lang="EN">Google Chrome 0.2.149.30</NVD:title>

     <NVD:alternateName>cpe:/a:google:chrome:1.0.154.36</NVD:alternateName>

     <NVD:version>0.2.149.30</NVD:version>

     <NVD:alternateName>cpe:/a:google:chrome:0.2.149.30</NVD:alternateName>

     <NVD:title xml:lang="EN">Google Chrome 1.0.154.36</NVD:title>

     <NVD:owner rdf:resource="http://www.google.com/"/>

     <NVD:version>1.0.154.36</NVD:version>

     <NVD:alternateName>cpe:/a:google:chrome:0.2.149.29</NVD:alternateName>

     <NVD:version>0.2.149.29</NVD:version>

     <NVD:title xml:lang="EN">Google Chrome 0.2.149.29</NVD:title>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#SettingInstancegoogle">

     <NVD:settingFor rdf:resource="http://nvd.nist.gov/ontology.owl#Settingowner"/>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#SettingInstance80">

     <NVD:settingFor rdf:resource="http://nvd.nist.gov/ontology.owl#SettingPort"/>


39
 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Product2">

     <NVD:topic rdf:resource="http://nvd.nist.gov/ontology.owl#Topic2"/>

     <NVD:owner rdf:resource="http://www.redhat.com/"/>

     <NVD:title xml:lang="EN">Red Hat Kernel</NVD:title>

     <NVD:alternateName>cpe:/a:redhat:kernel</NVD:alternateName>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Topic1">

     <NVD:product rdf:resource="http://nvd.nist.gov/ontology.owl#Product1"/>

     <rdfs:label>Application Server</rdfs:label>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#SettingInstance69.163.188.122">

     <NVD:settingFor rdf:resource="http://nvd.nist.gov/ontology.owl#SettingIP"/>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Finding1">

     <NVD:settingInstance rdf:resource="http://nvd.nist.gov/ontology.owl#SettingInstance0.2.149.30"/>

     <NVD:settingInstance rdf:resource="http://nvd.nist.gov/ontology.owl#SettingInstancegoogle"/>

     <rdfs:comment>Represents an unkown product found on a physical network, but not accounted for. This
would typically be found as a result of information pulled back by a port scan. Based on the physical metadata,
this finding is most likely the same as http://nvd.nist.gov/ontology.owl#ProductInstance1, just responding on a
different port</rdfs:comment>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#ProductInstance1">

     <NVD:settingInstance rdf:resource="http://nvd.nist.gov/ontology.owl#SettingInstance4893"/>

     <NVD:settingInstance rdf:resource="http://nvd.nist.gov/ontology.owl#SettingInstance80"/>

     <NVD:settingInstance rdf:resource="http://nvd.nist.gov/ontology.owl#SettingInstance00-0C-F1-56-98-
AD"/>

     <NVD:settingInstance rdf:resource="http://nvd.nist.gov/ontology.owl#SettingInstance69.163.188.122"/>

40
     <NVD:product rdf:resource="http://nvd.nist.gov/ontology.owl#Product94444"/>

   <rdfs:comment>Represents an instance of Google Chrome as found on an actual physical
network</rdfs:comment>

 </rdf:Description>

 <rdf:Description rdf:about="http://www.microsoft.com/">

     <vcard:NAME>Microsoft</vcard:NAME>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Topic3">

     <rdfs:label>OS</rdfs:label>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Vulnerability1">

     <NVD:score rdf:resource="http://nvd.nist.gov/ontology/data/SCORE/NetworkAccessVector"/>

     <NVD:score rdf:resource="http://nvd.nist.gov/ontology.owl#Score5base"/>

     <NVD:product rdf:resource="http://nvd.nist.gov/ontology.owl#Product6"/>

     <NVD:product rdf:resource="http://nvd.nist.gov/ontology.owl#Product4"/>

     <NVD:alternateIdentifier>CVE-2009-0411</NVD:alternateIdentifier>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#SettingInstance0.2.149.30">

     <NVD:settingFor rdf:resource="http://nvd.nist.gov/ontology.owl#Settingversion"/>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#SettingInstance4893">

     <NVD:settingFor rdf:resource="http://nvd.nist.gov/ontology.owl#SettingPort"/>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Product6">

     <NVD:contains rdf:resource="http://nvd.nist.gov/ontology.owl#Product5"/>

     <NVD:alternateName>Professional</NVD:alternateName>



41
     <NVD:version>5.2</NVD:version>

     <NVD:title>Microsoft Windows XP</NVD:title>

     <NVD:owner rdf:resource="http://www.microsoft.com/"/>

     <NVD:alternateName>cpe:/o:microsoft:windows:5.2</NVD:alternateName>

 </rdf:Description>

 <rdf:Description rdf:about="http://nvd.nist.gov/ontology.owl#Product4">

     <NVD:version>1.0.154.37</NVD:version>

     <NVD:title xml:lang="EN">Google Chrome 1.0.154.37</NVD:title>

     <NVD:owner rdf:resource="http://www.google.com/"/>

     <NVD:alternateName>cpe:/a:google:chrome:1.0.154.36</NVD:alternateName>

 </rdf:Description>

</rdf:RDF>




42

								
To top