Members of the OASIS Threat Actor Context (TAC) TC create and manage technical content in this TC GitHub repository (https://github.com/oasis-tcs/tac-ontology/) as part of the TC's chartered work (the program of work and deliverables described in its charter.
OASIS TC GitHub repositories, as described in GitHub Repositories for OASIS TC Members' Chartered Work, are governed by the OASIS TC Process, IPR Policy, and other policies. While they make use of public GitHub repositories, these repositories are distinct from OASIS Open Repositories, which are used for development of open source licensed content.
The purpose of this repository is to manage Ontology Web Language (OWL) representations of the Threat Actor Context Technical Committee's (TAC-TC) work. Additionally, TAC TC work products related to the ontologies will be in this repository, such as documentation, user guides, and utilities.
As stated in this repository's CONTRIBUTING file, contributors to this repository must be Members of the OASIS TAC TC for any substantive contributions or change requests. Anyone wishing to contribute to this GitHub project and participate in the TC's technical activity is invited to join as an OASIS TC Member. Public feedback is also accepted, subject to the terms of the OASIS Feedback License.
Please see the LICENSE file for description of the license terms and OASIS policies applicable to the TC's work in this GitHub project. Content in this repository is intended to be part of the TAC TC's permanent record of activity, visible and freely available for all to use, subject to applicable OASIS policies, as presented in the repository LICENSE.
The OASIS Threat Actor Context Technical Committee (TAC-TC) is chartered to create an ontology for expressing the rich context around Threat Actors. The OASIS TAC-TC is a separate Technical Committee from the OASIS CTI-TC, it will embrace and extend the CTI-TC's release of the STIX 2.1 standard.
This repositiory is for TAC-TC members to collaborate on the development of the ontologies necessary for supporting Threat Analysts to assert facts into a graph knowledgebase and formally reason over those facts.
In order to extend the STIX 2.1 standard in a semantically interoperable way, the TAC-TC will develop and use a formal ontological representation of the specification. This representation will expose multiple levels of semantics.
The adoption of multiple models, including the STIX 2.1 specification, will be a benefit of adopting the TAC Ontology.
The TAC-TC is providing a solution built upon the semantic technologies, in specific, a Semantic Graph based solution. Rather than attempt to provide a background on Property Graphs and Semantic Graphs in this readme.md file, the reader can investigate many discussions such as this article on LinkedIn.
The STIX 2.1 specification content more closely aligns with a Property Graph representation rather than a Semantic Graph representation. This is due to the use of Relationship nodes between STIX Objects. This is a perfectly legitimate structure choice, but does not afford us with the full set of semantic tools we would like. Therefore, a series of representations to represent the STIX 2.1 standard as a full Semantic Graph have been taken.
The TAC Github repository contains content which is subject to change as development progresses. The tac-ontology repository has the following structure:
- tac-ontology (the root repository directory)
- etc (directory with an example pre-commit script and suggested .gitignore file)
- img (images directory)
- stix-spec (directory with the OWL files that define the STIX 2.1 Specification in RDF/XML)
- stem-semex (semantic extension (semex) directory with the OWL files that extend the stix-spec ontology with ObjectProperties to map the Relationship Objects (SROs))
- tac (directory with the extension of the stix-semex ontology to add the Threat Actor Context concepts)
This representation will be as close as possible to the STIX 2.1 Specification.
- stix-spec
- stix.owl
- stix-spec.owl
- core
- cyber-observables
- meta-objects
- threat intel
- vocabularies
To represent all the content of the STIX 2.1 Specification we have separated many of the Domain assertions and Restrictions into separate files. As you examine the files you may observe this as pairs of files. For example:
directory.owl and directory-context.owl
Where the domain assertions are restrictions as defined in the STIX 2.1 specification are asserted in the directory-context.owl file.
This representation will extend the stix.owl representation with the ObjectProperty and DataProperty predicates encapsulated in the Relationship objects in the STIX 2.1 specification.
- stix-semex
- stix-semex.owl
- sro-properties
Because of the modularization, we can import only the part of the STIX 2.1 Specification as needed for semantic extension. Hence stix-semex.owl imports stix.owl, but not stix-spec.owl. The reason for this is a topic that should be examined in depth. It is not possible to fully explain why this is true in this README file. However, it can be noted that it has to do with how a formal Description Logics Reasoner interprets domain, range, restriction, and cardinality assertions.
This third layer of representation will add the concepts of the TAC-TC members.
- tac
- tac.owl
The TAC ontology imports the stix-semex.owl file.
Developers have their own preferences when in comes to ontology editors and writing styles. This causes dificulties in managing a common repository used by multiple ontology contributors. To resolve the problem, all ontology content submitted and persisted in the TAC ontology repository must be Normalized with a utility called the RDF Toolkit. This utility puts the submitted content into a standardized form. It removes any stylistic differences between contributors.
In the tac-ontology/etc/ directory is an example githook script. This pre-commit script will allow the user to edit the ontology with their preferred ontology editor, and when they commit the changes, the pre-commit script normalizes the ontology content.
Please send questions or comments about OASIS TC GitHub repositories to the OASIS TC Administrator. For questions about content in this repository, please contact the TC Chair or Co-Chairs as listed on the the TAC TC's home page.