An ontology in information systems is a structure consisting of a set of concepts and categories related to a certain area of knowledge, as well as information about their properties and the links between them. In the context of information security, we can talk about cyberontology or cybersecurity ontology.
Ontologies are distinct from knowledge bases or taxonomies. The difference between an ontology and a knowledge base is that the ontology of a particular area of knowledge must include comprehensive general information about it, whereas a knowledge base may contain incomplete data and information about particular cases. Ontologies also imply a data structure; knowledge bases can hold unstructured facts.
In turn, a taxonomy is the classification of objects and their arrangement in a hierarchy, whereas ontology describes their properties and relationships.
Data scientists use a variety of ontology languages to work with ontologies. OWL (Web Ontology Language) is the most common ontology language.
Using ontologies in information security
Ontologies have several uses in cybersecurity:
- Creating a unified general classification of malware, attack vectors, and vulnerabilities, enabling information security professionals to speak the same language and exchange threat intelligence, thus improving the level of protection against cyberthreats;
- Assessing the level of protection of an organization’s infrastructure against a specific threat or advanced persistent threat (APT), and risk assessment. An ontology contains information about specific groups’ attack vectors and vulnerabilities, as well as which types of malware they typically use in their attacks. It also indicates a means of protection and the necessary patches for each vulnerability. The use of such an ontology enables the quick analysis of an organization’s infrastructure, a determination of how well it is protected, and what measures would improve its security;
- Speeding up and simplifying machine-learning models, which find use in antivirus engines and elsewhere.