oasis-open / tac-ontology

OASIS Threat Actor Context (TAC) TC: Creating an ontology for expressing the rich context around Threat Actors. https://github.com/oasis-open/tac-ontology
BSD 3-Clause "New" or "Revised" License

Refactor the TAC Ontology to remove the cti namespace. #18

Closed rhohimer closed 2 years ago

rhohimer commented 2 years ago

The cti namespace does not add value to the TAC Ontology. The CTI-TC created the STIX specification, not the CTI specification.

This issue was the core of issue #13. Instead of making stixCore properties sub-properties of the cti properties, the solution to disambiguate the redundancy is to only represent the concepts in the stixCore namespace.

rhohimer commented 2 years ago

Class hierarchy does not look as intimidating as I had imagined.

In early review, the cti:ExternalReference is a class that has data properties and object properties that need to be examined further. The other cti classes don't have too many properties (if any) defined.

rhohimer commented 2 years ago

The most direct approach to refactoring the ontology to remove the cti namespace is to not use the Protégé editor, but instead use a text editor such as Notepad++. Basically, there are two files that contain the cti concepts. These will have to be expressed in the stixCore file.

rhohimer commented 2 years ago

I'm reviewing the purpose of each of the existing namespaces. If the purpose is unknown, we need to question its existence.

Three namespaces of immediate interest are:

  1. cti
  2. stix
  3. stixCore

These namespaces exist to capture the basic knowledge of the STIX specification. They are imported into the stix-spec.owl file (the STIX Specification ontology). My question is, why not have only ONE namespace? What is the purpose of having three separate namespaces?

For the sake of the users, keeping the namespaces to a minimum is best. This is because it reduces the errors caused by selection of the wrong namespace when creating a NamedIndividual for a knowledge graph.

I am going to proceed using the following assumption: If the concept (Class or Property) is represented in the STIX 2.1 Specification it should be in the "stix" namespace.

rhohimer commented 2 years ago

Since the cti:Object will no longer exist, we need to provide to its subclasses the properties that they inherited from cti:Object.

  1. cti:id
  2. cti:object_type

rhohimer commented 2 years ago

The STIX 2.1 Specification defined Meta Objects.

Each of the "Meta Objects" has been defined in the cti namespace, but only the Language Content was subclassed as an SMO.

Extension Definition and Data Markings need to be handled correctly.

rhohimer commented 2 years ago

Significant restructuring today.... the TAC Ontology is MUCH better organized now.