STIX 2.1 ontology model POC with Stardog using knowledge graphs and RDF

POC resources to Download
STIX 2.1 ontology for Risk Management using Stardog Knowledge graphs and RDF
STIX 2.1 ontology for Threat Modelling POC with Stardog knowledge graphs and RDF

Overview

The purpose of this proof of concept (POC) is to define a STIX ontology model using the STIX domain objects list, the object properties and their relationships. This was extended and modified where necessary. These modifications were made after analysing STIX 2.1 and determining that the modifications would better suit the scope of the POC. The key objectives of the POC are to assess how fit for purpose a STIX ontology is, and whether and how a STIX ontology could support eight different extension domains: Risk Management, CIS Controls, COBIT, D3fend, NIST, Enterprise Architecture, Service Management and ISO 62443.

STIX Extensions Ontology

There are several other areas of STIX that are worth adding to the ontology, and they may improve the different types of threat intelligence conveyed to the extension domains. The eight domains were chosen for their different dependencies on threat intelligence.

STIX 2.1

STIX (Structured Threat Information eXpression) version 2.1 is a standardised language and data model for representing and sharing cyber threat intelligence.

RDFS

RDFS provides a foundation for building ontologies and defining structured knowledge representations in RDF. It enables the creation of more expressive and organized RDF data models by introducing concepts like classes, properties, inheritance, and constraints. RDFS is often used in combination with other ontology languages like OWL (Web Ontology Language) to provide even richer semantics and reasoning capabilities.

RDFS extends the capabilities of RDF by introducing additional vocabulary and concepts for defining classes, properties, and relationships between resources. It allows for the creation of hierarchies of classes, specification of domain and range constraints for properties, and definition of property hierarchies through sub-property relationships.

Key features and concepts of RDFS include:

  1. Classes: RDFS allows the definition of classes to categorize resources. Classes can have subclasses and can be used to define the structure of RDF data.
  2. Properties: RDFS provides a way to define properties that describe relationships between resources. Properties can have domains and ranges, which specify the types of resources that can be connected by the property.
  3. Inheritance: RDFS supports class and property inheritance, allowing subclasses to inherit properties and relationships defined in their parent classes.
  4. Subclass and Sub-property Relationships: RDFS allows the creation of subclass relationships between classes and sub-property relationships between properties. This enables more specific classifications and refining of relationships.
  5. Domain and Range Constraints: RDFS allows the specification of domain and range constraints for properties. The domain constraint specifies the class of resources that can be the subject of a property, and the range constraint specifies the class of resources that can be the object of a property.
  6. Property Hierarchies: RDFS supports the creation of property hierarchies through sub-property relationships. This allows for the definition of more specialized properties that inherit characteristics from their parent properties.

Stardog

Stardog was selected as the platform for the POC for its ability to work with RDFS and to build knowledge graphs. Stardog is a semantic graph database platform that combines the use of RDF (Resource Description Framework) and SPARQL (SPARQL Protocol and RDF Query Language) to manage and query highly connected data. It provides a solution for storing, reasoning with, and querying large-scale knowledge graphs and ontologies.

Key features of the Stardog platform for the POC include:

  1. RDF Database:
    Stardog is designed as a native RDF database, meaning it can directly store and manage RDF data and triples. It supports efficient storage, indexing, and retrieval of RDF data, allowing for fast query execution.
  2. Semantic Reasoning:
    Stardog supports semantic reasoning capabilities, enabling the inference of new knowledge based on the defined ontologies and rules. To help the POC it can perform logical deductions, consistency checks, and rule-based reasoning to derive new relationships and insights from the data model.
  3. SPARQL Query Language:
    Stardog provides a SPARQL query engine that allows users to query and manipulate RDF data using the SPARQL language. SPARQL queries can be used to retrieve specific information, perform complex graph pattern matching, and aggregate data across the graph.
  4. Data Integration:
    Stardog offers various mechanisms for data integration, allowing users to ingest data from multiple sources and merge it into a unified knowledge graph. It supports various data formats and protocols, including RDF, OWL, JSON-LD and CSV.
  5. Security and Access Control:
    Stardog provides robust security features to protect sensitive data. It offers authentication and authorization mechanisms, role-based access control, and fine-grained permissions management to ensure data confidentiality and integrity.
  6. Data Visualization and Analytics:
    Stardog integrates with data visualization and analytics tools, allowing users to explore and analyze the graph data visually. It supports integration with tools like Tableau, Grafana, and Jupyter notebooks for advanced analytics and insights.
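The RDFS features listed above (classes, domain and range constraints, subclass and sub-property inheritance) and the Stardog reasoning step that derives new triples from them, shown as an added example that is not part of the POC or of Stardog: a standard-library Python implementation of the relevant RDFS entailment rules run over a constructed STIX 2.1 mini-ontology. Indicator, Malware and indicates are STIX 2.1 names; the stix: prefix, the stix:DomainObject superclass, the stix:indicatesVariantOf sub-property and the ex: instance ids are assumptions made for the example.

```python
# Added example, not code from the POC: a minimal RDFS entailment engine in
# plain Python, run over a constructed STIX 2.1 mini-ontology. Class and
# property names follow STIX 2.1 (Indicator, Malware, indicates); the stix:
# prefix, stix:DomainObject and stix:indicatesVariantOf are assumptions.
from itertools import product

RDF_TYPE, SUB_CLASS, SUB_PROP = "rdf:type", "rdfs:subClassOf", "rdfs:subPropertyOf"
DOMAIN, RANGE = "rdfs:domain", "rdfs:range"

# Constructed schema: STIX domain objects as RDFS classes, the SRO as a property.
STIX_SCHEMA = {
    ("stix:Indicator", SUB_CLASS, "stix:DomainObject"),
    ("stix:Malware", SUB_CLASS, "stix:DomainObject"),
    ("stix:indicates", DOMAIN, "stix:Indicator"),
    ("stix:indicates", RANGE, "stix:Malware"),
    ("stix:indicatesVariantOf", SUB_PROP, "stix:indicates"),  # assumed refinement
}
# Constructed instance data: deliberately no rdf:type triples are asserted.
STIX_DATA = {("ex:indicator--1", "stix:indicatesVariantOf", "ex:malware--1")}

def rdfs_closure(triples):
    """Apply RDFS rules rdfs7 (sub-property), rdfs2/rdfs3 (domain/range),
    rdfs9 (subclass membership) and rdfs11 (subclass transitivity) to a fixpoint."""
    g = set(triples)
    while True:
        new = set()
        for (s, p, o), (s2, p2, o2) in product(g, repeat=2):
            if p == SUB_PROP and p2 == s:                        # rdfs7
                new.add((s2, o, o2))
            if p == DOMAIN and p2 == s:                          # rdfs2
                new.add((s2, RDF_TYPE, o))
            if p == RANGE and p2 == s:                           # rdfs3
                new.add((o2, RDF_TYPE, o))
            if p == SUB_CLASS and p2 == RDF_TYPE and o2 == s:    # rdfs9
                new.add((s2, RDF_TYPE, o))
            if p == SUB_CLASS and p2 == SUB_CLASS and o == s2:   # rdfs11
                new.add((s, SUB_CLASS, o2))
        if new <= g:          # nothing new: the closure is complete
            return g
        g |= new

def types_of(resource, graph):
    """Inferred classes of a resource (SPARQL: SELECT ?c WHERE { <r> rdf:type ?c })."""
    return {o for s, p, o in graph if s == resource and p == RDF_TYPE}

if __name__ == "__main__":
    inferred = rdfs_closure(STIX_SCHEMA | STIX_DATA)
    print(sorted(types_of("ex:indicator--1", inferred)))  # ['stix:DomainObject', 'stix:Indicator']
```

In Stardog itself these inferences come from the platform's reasoning layer over the loaded ontology rather than from application code, so the same SPARQL query returns the derived types without them being stored.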