Security Assets Management Ontology (SAMO) for Genoa ITS

The aim of SAMO ontology is to semantically represent (model) assets for the security domain in order to facilitate their efficient management. The current version of SAMO represents knowledge related to the use case for Genoa ITS v1.

The objectives of the ontology are to:

  1. represent assets (basic, composite) and asset types that ‘live’ in a security domain ecosystem, along with threats, vulnerabilities, and other entities e.g., users, services.
  2. facilitate the efficient management of assets through a knowledge browser (Web application)
  3. provide querying and inferencing capabilities such as the identification of i) threats/vulnerabilities per asset, ii) affected services from compromised composite assets, iii) relationships between interconnected assets/composite assets/entities, etc.

The ontology has been used to build a knowledge base for the Genoa ITS v1.2 use case. This use case concerns knowledge related to:

  1. Asset (basic and composite): The set of basic assets e.g., software, hardware, data, that are used to compose other assets such as Composite Assets. It is related to threats. A basic asset may be connected to another basic asset (to the same or different composite asset).

Example (partial definition of a Basic Asset): “AMT Genoa AVM Service Web API” is a basic asset of type AS-SO-01 (Web-Based Services), is (automatically identified as) part of the composite asset COM-GEN-AS-06 (Automated Vehicle Monitoring (AVM) System), is connected (inferred) to “AMT Genoa AVM Service Application Keys” basic asset of type AS-DA-03 (Operation Data / Application Data).

Example (partial definition of a Composite Asset): “Passenger Mobile Device” is a composite asset that is comprised of many basic assets (e.g., “AMT Genoa Passenger App Keys” basic asset) and belongs to four different services e.g., “Automated Vehicle Monitoring” service.

  1. Basic Asset type: the types that basic assets can belong to are five i.e., Application Software, Communication Network, Data, Hardware, and System Software. It is related to some Threat and to some Vulnerability.

Example (partial definition of a Basic Asset type): “Operation Data / Application Data” (AS-DA-03) is Data type which has (inferred) three threats, one being the “Unintentional Disclosure of Data” (the smartphone user unintentionally discloses data on the smartphone).

  1. Ecosystem: a generic entity that is used to describe an orchestration of other entities/services that are functioning in a specific setting e.g., smart city.

Example: ECO-GEN-01 is the Genoa ITS ecosystem of our use case, which has four different entities/services, one being SERV-GEN-01 (Ticket Purchase).

  1. Service: a service (or Entity) is providing its composite assets in ecosystems.

Example: SERV-GEN-01 (Ticket Purchase) service provides the “Passenger Mobile Device” (composite asset) and the “Ticketing System (composite asset)”.

  1. Threat: a treat exploits one or more vulnerabilities and is associated with one of more basic assets.

Example: Authentication traffic spikes or Abuse of user authentication/authorisation data by third parties’ personnel or Abuse of the application management function (AMF) authentication and key agreement procedure or Abuse the credentials of existing accounts. It exploits the CVE-2017-3167 vulnerability, it is a threat of type SW/NET, and concerns a number of asset types, one being the Operating System.

  1. Vulnerability: a vulnerability is related to (concerns) one or more threats, and at least one Basic Asset type.

Example: CVE-2017-3167 vulnerability. In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

  1. User and user roles: A user is assigned one or more roles in using a basic asset. A user role e.g., admin, internal, external, is assigned to one or more users with specific privileges.

Example queries for evaluating the ontology populated with instances for the Genoa v.1.2 use case are:

  1. fetch the basic assets (BAs) that are connected with any type of connection
  2. fetch the composite assets (CAs) that are connected (via BAs) with any type of connection
  3. fetch the CAs that are connected via a ‘stores’ connection
  4. fetch the CAs that are connected via a ‘NFC connection’ connection
  5. fetch the CAs/BAs that are connected (via BAs) and the type of their connection
  6. fetch the BAs that are connected and the type of their connection

SAMO-based knowledge browser

An advanced knowledge browser (Web application) that utilizes SAMO has been developed with the primary goal of enhancing knowledge retrieval and knowledge creation efficiency. The application leverages the ontology and OWL Lite reasoning to provide an extensive overview of the knowledge schema and make the exploration of entities, relations, and instances easily accessible.

The knowledge browser integrates several functionalities in a Web-based interface, including:

  1. Project Management:
  • Create a new SAMO-based knowledge management project.
  • Previewing or editing existing project.
  1. Knowledge Retrieval:
  • Display classes, instances, and properties.
  • Organize classes in a tree view, with subclasses grouped under each superclass.
  • Select a class to load its instances.
  • Select an instance to load its properties.
  • Distinguish between data properties and object properties of an instance.
  • Object properties represent relations between instances, such as the relationship between a basic asset A and a composite asset C. Selecting an object property loads the related instance and its properties.
  1. Querying Functionality:
  • Compose and executing SPARQL queries against the knowledge base using a query editor.
  • Access a list of predefined queries for quick retrieval of frequently used queries.
  • Create and execute template queries based on dynamic user input. Users can select instances and query their properties, or select properties to discover related instances.
  1. Query Results:
  • Display query results in a table format.
  • Offer a dedicated search field to search within the results.
  • Enable the export of results to CSV and PDF formats.
  1. Knowledge Creation:
  • The application facilitates the creation of new instances through dedicated forms generated based on SAMO class and property definitions
  • Support dynamic addition and removal of properties with cardinality greater than one
  • Existing instances can be edited using prefilled forms, which populate with the values of the instance’s properties
  • Basic validations are applied when submitting forms to ensure data integrity

Links: a) ontology, b) application