diff --git a/ontologies/catalog-v001.xml b/ontologies/catalog-v001.xml
index 68e1af1..8e34c84 100644
--- a/ontologies/catalog-v001.xml
+++ b/ontologies/catalog-v001.xml
@@ -15,11 +15,11 @@
-
-
-
-
-
-
+
+
+
+
+
+
diff --git a/ontologies/core-1.0.3.rdf b/ontologies/core-1.0.3.rdf
index 09645ce..4db02ae 100644
--- a/ontologies/core-1.0.3.rdf
+++ b/ontologies/core-1.0.3.rdf
@@ -38,33 +38,6 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+ IPv4 CIDR
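Review bot: The `IPv4 CIDR` label added at the end of this hunk, and the `IPv6 CIDR` label added in the next one, arrive without the description and RFC reference that the last hunk of this file removes along with the old definitions. The element markup and surrounding context are not visible here, so this is inferred from the text that survives; the annotations may still exist outside the hunks. If they do not, consumers of the ontology lose the statement of what each property holds and which specification defines the notation. I would keep `Specifies the values of one or more IPv4 addresses expressed using CIDR notation.` and `https://tools.ietf.org/html/rfc4632` on the IPv4 property, and the matching comment and `https://tools.ietf.org/html/rfc6177` on the IPv6 one.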
@@ -192,6 +165,7 @@ Relates some entity to some external resource.
+ IPv6 CIDR
@@ -298,6 +272,7 @@ NB: the value is an non-negative integer of arbitrary length, but in fact IPv6 a
+
Characterizes a collection of software security issues (flaws, faults, bugs, vulnerabilities, weaknesses, etc).
Catalog
@@ -392,6 +367,12 @@ NB: the value is an non-negative integer of arbitrary length, but in fact IPv6 a
+
+
+
+
+
+
@@ -723,36 +704,21 @@ A Vulnerability individual is primarily used to link to external definitions of
-
+
-
+
-
+
-
+
-
+
-
- Specifies the values of one or more IPv4 addresses expressed using CIDR notation.
- https://tools.ietf.org/html/rfc4632
- IPv4 CIDR
-
-
- https://tools.ietf.org/html/rfc6177
- IPv6 CIDR
- Specifies the values of one or more IPv6 addresses expressed using CIDR notation.
-
+
diff --git a/ontologies/cti-1.0.3.rdf b/ontologies/cti-1.0.3.rdf
index ef03191..8b268b3 100644
--- a/ontologies/cti-1.0.3.rdf
+++ b/ontologies/cti-1.0.3.rdf
@@ -1,4114 +1,3640 @@
-
-
-
-
-
- mailto:morton_swimmer@trendmicro.com
- Be warned that this version is under heavy development.
- Created by Morton swimmer
-
-
+@prefix : .
+@prefix owl: .
+@prefix rdf: .
+@prefix xml: .
+@prefix xsd: .
+@prefix rdfs: .
+@prefix cti-1.0.3#: .
+@base .
+ rdf:type owl:Ontology ;
+ owl:versionIRI cti-1.0.3#: ;
+ owl:imports ;
+ "mailto:morton_swimmer@trendmicro.com"^^xsd:anyURI ;
+ owl:versionInfo "Be warned that this version is under heavy development."@en ,
+ "Created by Morton swimmer" .
-
+#################################################################
+# Annotation properties
+#################################################################
-
+### http://ainf.aau.at/ontodebug#axiom
+ rdf:type owl:AnnotationProperty ;
+ rdfs:subPropertyOf .
-
+### http://ainf.aau.at/ontodebug#testCase
+ rdf:type owl:AnnotationProperty .
-
-
-
-
+### http://ainf.aau.at/ontodebug#type
+ rdf:type owl:AnnotationProperty ;
+ rdfs:subPropertyOf .
-
-
-
+### http://ontologies.ti-semantics.com/cti#mitreType
+:mitreType rdf:type owl:AnnotationProperty ;
+ rdfs:comment "The 'type' as given in the JSON data."@en .
-
+### http://ontologies.ti-semantics.com/cti#mitreVerb
+:mitreVerb rdf:type owl:AnnotationProperty ;
+ rdfs:comment "The name of the label for some property in the Mitre JSON, like 'type' or 'created_by_ref' that this entitiy corresponds to. This doesn't mean that its an exact equivalence."@en .
-
-
-
-
+### http://ontologydesignpatterns.org/opla-sd#entityPosition
+ rdf:type owl:AnnotationProperty .
-
-
- The 'type' as given in the JSON data.
-
-
+### http://ontologydesignpatterns.org/opla-sd#entityPositionX
+ rdf:type owl:AnnotationProperty .
-
+### http://ontologydesignpatterns.org/opla-sd#entityPositionY
+ rdf:type owl:AnnotationProperty .
-
- The name of the label for some property in the Mitre JSON, like 'type' or 'created_by_ref' that this entitiy corresponds to. This doesn't mean that its an exact equivalence.
-
-
+### http://purl.org/dc/terms/creator
+ rdf:type owl:AnnotationProperty ;
+ "Examples of a Creator include a person, an organization, or a service. Typically, the name of a Creator should be used to indicate the entity."@en-us ;
+ ;
+ "1999-07-02" ;
+ "2008-01-14" ;
+ rdfs:comment "An entity primarily responsible for making the resource."@en-us ;
+ rdfs:isDefinedBy ;
+ rdfs:label "Creator"@en-us .
-
-
- Examples of a Creator include a person, an organization, or a service. Typically, the name of a Creator should be used to indicate the entity.
-
- 1999-07-02
- 2008-01-14
- An entity primarily responsible for making the resource.
-
- Creator
-
-
+### http://purl.org/dc/terms/description
+ rdf:type owl:AnnotationProperty .
-
+### http://purl.org/dc/terms/hasVersion
+ rdf:type owl:AnnotationProperty .
-
-
+### http://purl.org/dc/terms/issued
+ rdf:type owl:AnnotationProperty .
-
-
-
+### http://purl.org/dc/terms/modified
+ rdf:type owl:AnnotationProperty .
-
+### http://purl.org/dc/terms/publisher
+ rdf:type owl:AnnotationProperty .
-
-
+### http://purl.org/dc/terms/title
+ rdf:type owl:AnnotationProperty .
-
-
-
+#################################################################
+# Object Properties
+#################################################################
+### http://ontologies.ti-semantics.com/cti#accomplishes
+:accomplishes rdf:type owl:ObjectProperty ;
+ rdfs:domain :Technique ;
+ rdfs:range :Tactic .
-
-
-
+### http://ontologies.ti-semantics.com/cti#attackRequirement
+:attackRequirement rdf:type owl:ObjectProperty ;
+ rdfs:domain :AttackPattern ;
+ rdfs:range :AttackRequirement ;
+ rdfs:comment "Requirement for this attack to be possible."@en .
-
+### http://ontologies.ti-semantics.com/cti#attributedTo
+:attributedTo rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf owl:topObjectProperty ;
+ rdf:type owl:IrreflexiveProperty ;
+ rdfs:label "attributed-to"@en .
-
-
+### http://ontologies.ti-semantics.com/cti#belongsToAutonomousSystem
+:belongsToAutonomousSystem rdf:type owl:ObjectProperty ;
+ rdfs:domain :IPv4AddressObject ;
+ rdfs:range :AutonomousSystemObject .
-
-
+### http://ontologies.ti-semantics.com/cti#campaignAttributedTo
+:campaignAttributedTo rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :attributedTo ;
+ rdf:type owl:IrreflexiveProperty ;
+ rdfs:domain :Campaign ;
+ rdfs:range [ rdf:type owl:Class ;
+ owl:unionOf (
+ :IntrusionSet
+ )
+ ] ;
+ rdfs:comment """This Relationship describes that the Intrusion Set or Threat Actor that is involved in carrying out the Campaign.
+For example, an attributed-to Relationship from the Glass Gazelle Campaign to the Urban Fowl Threat Actor means that the actor carried out or was involved in some of the activity described by the Campaign."""@en .
-
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#campaignLabel
+:campaignLabel rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :label ;
+ rdfs:domain :Campaign .
-
+### http://ontologies.ti-semantics.com/cti#derivedFrom
+:derivedFrom rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf owl:topObjectProperty ;
+ rdf:type owl:IrreflexiveProperty ;
+ rdfs:comment "TODO: need an axiom which restricts the range class to be the same as the domain class for a given individual"@en ,
+ """The information in the target object is based on information from the source object.
+derived-from is an explicit relationship between two separate objects and MUST NOT be used as a substitute for the versioning process"""@en ;
+ rdfs:label "derived-from"@en .
-
-
-
- Requirement for this attack to be possible.
-
-
+### http://ontologies.ti-semantics.com/cti#detectionBypassed
+:detectionBypassed rdf:type owl:ObjectProperty ;
+ rdfs:domain :AttackPattern ;
+ rdfs:range :DetectionMethod ;
+ rdfs:comment "A defensive measure or procedure that will be bypassed a given attack pattern."@en .
-
-
-
-
- attributed-to
-
-
+### http://ontologies.ti-semantics.com/cti#detectionMethodUsed
+:detectionMethodUsed rdf:type owl:ObjectProperty .
-
+### http://ontologies.ti-semantics.com/cti#detects
+:detects rdf:type owl:ObjectProperty ;
+ rdfs:domain :Indicator ;
+ rdfs:range .
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#effectivePermissionsRequired
+:effectivePermissionsRequired rdf:type owl:ObjectProperty ;
+ rdfs:domain :AttackPattern ;
+ rdfs:range .
-
-
-
-
-
-
-
-
-
-
-
-
-
- This Relationship describes that the Intrusion Set or Threat Actor that is involved in carrying out the Campaign.
+### http://ontologies.ti-semantics.com/cti#goal
+:goal rdf:type owl:ObjectProperty ;
+ rdfs:domain :IntrusionSet ;
+ rdfs:label "goal"@en .
-For example, an attributed-to Relationship from the Glass Gazelle Campaign to the Urban Fowl Threat Actor means that the actor carried out or was involved in some of the activity described by the Campaign.
-
-
+### http://ontologies.ti-semantics.com/cti#hasActivity
+:hasActivity rdf:type owl:ObjectProperty ;
+ rdfs:range .
-
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#hasDetection
+:hasDetection rdf:type owl:ObjectProperty ;
+ rdfs:domain :AttackPattern ;
+ rdfs:range :Detection ;
+ rdfs:comment "What form of detection can detection this attack pattern."@en .
-
+### http://ontologies.ti-semantics.com/cti#hasObjective
+:hasObjective rdf:type owl:ObjectProperty ;
+ rdfs:domain [ rdf:type owl:Class ;
+ owl:unionOf ( :Campaign
+
+ [ rdf:type owl:Restriction ;
+ owl:onProperty ;
+ owl:someValuesFrom
+ ]
+ )
+ ] ;
+ rdfs:range :Objective ;
+ rdfs:comment "State what objectives a Threat Actor or Campaign may have"@en .
-
-
-
- TODO: need an axiom which restricts the range class to be the same as the domain class for a given individual
- The information in the target object is based on information from the source object.
-derived-from is an explicit relationship between two separate objects and MUST NOT be used as a substitute for the versioning process
- derived-from
-
-
+### http://ontologies.ti-semantics.com/cti#hasTechnique
+:hasTechnique rdf:type owl:ObjectProperty ;
+ rdfs:domain ,
+ :IntrusionSet ;
+ rdfs:range :Technique .
-
-
-
-
- A defensive measure or procedure that will be bypassed a given attack pattern.
-
-
+### http://ontologies.ti-semantics.com/cti#impersonates
+:impersonates rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf owl:topObjectProperty ;
+ rdf:type owl:IrreflexiveProperty ;
+ rdfs:domain ;
+ rdfs:range ;
+ rdfs:label "impersonates"@en .
-
+### http://ontologies.ti-semantics.com/cti#implements
+:implements rdf:type owl:ObjectProperty .
-
-
+### http://ontologies.ti-semantics.com/cti#includes
+:includes rdf:type owl:ObjectProperty .
-
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#indicates
+:indicates rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf owl:topObjectProperty ;
+ rdf:type owl:IrreflexiveProperty ;
+ rdfs:domain :Indicator ;
+ rdfs:range [ rdf:type owl:Class ;
+ owl:unionOf (
+
+
+ :AttackPattern
+ :Campaign
+ :IntrusionSet
+ )
+ ] ;
+ rdfs:comment """This Relationship describes that the Indicator can detect evidence of the related Campaign, Intrusion Set, or Threat Actor. This evidence may not be direct: for example, the Indicator may detect secondary evidence of the Campaign, such as malware or behavior commonly used by that Campaign.
+For example, an indicates Relationship from an Indicator to a Campaign object representing Glass Gazelle means that the Indicator is capable of detecting evidence of Glass Gazelle, such as command and control IPs commonly used by that Campaign."""@en ;
+ rdfs:label "indicates"@en .
-
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#intrusionSetAttributedTo
+:intrusionSetAttributedTo rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :attributedTo ;
+ rdf:type owl:IrreflexiveProperty ;
+ rdfs:domain :IntrusionSet ;
+ rdfs:range ;
+ rdfs:comment """This Relationship describes that the related Threat Actor is involved in carrying out the Intrusion Set.
+For example, an attributed-to Relationship from the Red Orca Intrusion Set to the Urban Fowl Threat Actor means that the actor carried out or was involved in some of the activity described by the Intrusion Set."""@en .
-
-
-
- goal
-
-
+### http://ontologies.ti-semantics.com/cti#killChainPhase
+:killChainPhase rdf:type owl:ObjectProperty ;
+ rdfs:domain [ rdf:type owl:Class ;
+ owl:unionOf ( :AttackPattern
+ :Indicator
+ )
+ ] ;
+ rdfs:range :KillChainPhase ;
+ rdfs:comment "The kill chain phase(s) to which this Indicator corresponds."@en .
-
+### http://ontologies.ti-semantics.com/cti#label
+:label rdf:type owl:ObjectProperty .
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#mitigates
+:mitigates rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :relatedTo ;
+ rdf:type owl:IrreflexiveProperty ;
+ rdfs:range [ rdf:type owl:Class ;
+ owl:unionOf (
+
+ :AttackPattern
+ :Tool
+ )
+ ] ;
+ rdfs:label "mitigates"@en .
-
-
-
-
- What form of detection can detection this attack pattern.
-
-
+### http://ontologies.ti-semantics.com/cti#motivation
+:motivation rdf:type owl:ObjectProperty .
-
+### http://ontologies.ti-semantics.com/cti#observableObject
+:observableObject rdf:type owl:ObjectProperty ;
+ rdfs:domain :ObservedData ;
+ rdfs:range :ObservableObject ;
+ rdfs:comment "References an Observable Object from the container, Observerable Data."@en .
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- State what objectives a Threat Actor or Campaign may have
-
-
+### http://ontologies.ti-semantics.com/cti#observedData
+:observedData rdf:type owl:ObjectProperty ;
+ rdfs:domain :Sighting ;
+ rdfs:range :ObservedData .
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#permissionsRequired
+:permissionsRequired rdf:type owl:ObjectProperty ;
+ rdfs:domain :AttackPattern ;
+ rdfs:range .
-
+### http://ontologies.ti-semantics.com/cti#primaryMotivation
+:primaryMotivation rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :motivation .
-
-
-
-
-
- impersonates
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- This Relationship describes that the Indicator can detect evidence of the related Campaign, Intrusion Set, or Threat Actor. This evidence may not be direct: for example, the Indicator may detect secondary evidence of the Campaign, such as malware or behavior commonly used by that Campaign.
-
-For example, an indicates Relationship from an Indicator to a Campaign object representing Glass Gazelle means that the Indicator is capable of detecting evidence of Glass Gazelle, such as command and control IPs commonly used by that Campaign.
- indicates
-
-
-
-
-
-
-
-
-
-
-
- This Relationship describes that the related Threat Actor is involved in carrying out the Intrusion Set.
-
-For example, an attributed-to Relationship from the Red Orca Intrusion Set to the Urban Fowl Threat Actor means that the actor carried out or was involved in some of the activity described by the Intrusion Set.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The kill chain phase(s) to which this Indicator corresponds.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- mitigates
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- References an Observable Object from the container, Observerable Data.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Asserts a non-specific relationship between two SDOs. This relationship can be used when none of the other predefined relationships are appropriate.
+### http://ontologies.ti-semantics.com/cti#relatedTo
+:relatedTo rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf owl:topObjectProperty ;
+ rdf:type owl:IrreflexiveProperty ;
+ rdfs:comment """Asserts a non-specific relationship between two SDOs. This relationship can be used when none of the other predefined relationships are appropriate.
-As an example, a Malware object describing a piece of malware could be marked as a related-to a Tool if they are commonly used together. That relationship is not common enough to standardize on, but may be useful to some analysts.
-
-
-
-
-
+As an example, a Malware object describing a piece of malware could be marked as a related-to a Tool if they are commonly used together. That relationship is not common enough to standardize on, but may be useful to some analysts."""@en .
-
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#relationSource
+:relationSource rdf:type owl:ObjectProperty ;
+ rdfs:domain :Relationship .
-
-
-
-
-
-
- domain-name:resolves_to_refs
- Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to.
-The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records).
-
-
+### http://ontologies.ti-semantics.com/cti#relationTarget
+:relationTarget rdf:type owl:ObjectProperty ;
+ rdfs:domain :Relationship .
-
+### http://ontologies.ti-semantics.com/cti#reportLabel
+:reportLabel rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :label ;
+ rdfs:domain :Report ;
+ rdfs:range :ReportLabel .
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#resolvesToIPAddress
+:resolvesToIPAddress rdf:type owl:ObjectProperty ;
+ rdfs:domain :DomainNameObject ;
+ rdfs:range :DomainNameObject ,
+ :IPv4AddressObject ,
+ :IPv6AddressObject ;
+ :mitreType "domain-name:resolves_to_refs" ;
+ rdfs:comment """Specifies a list of references to one or more IP addresses or domain names that the domain name resolves to.
+The objects referenced in this list MUST be of type ipv4-addr or ipv6-addr or domain-name (for cases such as CNAME records)."""@en .
-
-
-
-
- resource_level
-
-
+### http://ontologies.ti-semantics.com/cti#resolvesToMAC
+:resolvesToMAC rdf:type owl:ObjectProperty ;
+ rdfs:domain :IPv4AddressObject ;
+ rdfs:range :MACAddressObject .
-
+### http://ontologies.ti-semantics.com/cti#resourceLevel
+:resourceLevel rdf:type owl:ObjectProperty ;
+ rdfs:domain :IntrusionSet ;
+ rdfs:range :AttackResourceLevelVocab ;
+ rdfs:label "resource_level"@en .
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- It's a little unclear what this is supposed to mean. Most likely it's meant to say that some entity is replaced by another in the description and this one is revoked.
- revoked-by
-
-
+### http://ontologies.ti-semantics.com/cti#revokedBy
+:revokedBy rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :relatedTo ;
+ rdfs:domain [ rdf:type owl:Class ;
+ owl:unionOf (
+ :IntrusionSet
+ )
+ ] ;
+ rdfs:range [ rdf:type owl:Class ;
+ owl:unionOf (
+ :IntrusionSet
+ )
+ ] ;
+ rdfs:comment "It's a little unclear what this is supposed to mean. Most likely it's meant to say that some entity is replaced by another in the description and this one is revoked."@en ;
+ rdfs:label "revoked-by" .
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#secondaryMotivation
+:secondaryMotivation rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :motivation .
-
-
-
-
-
- A list of ID references to the Identity (victim) objects of the entities that saw the sighting.
+### http://ontologies.ti-semantics.com/cti#sightedAt
+:sightedAt rdf:type owl:ObjectProperty ;
+ rdfs:domain :Sighting ;
+ rdfs:range :Identity ;
+ rdfs:comment """A list of ID references to the Identity (victim) objects of the entities that saw the sighting.
Omitting the where_sighted_refs property does not imply that the sighting was seen by the object creator. To indicate that the sighting was seen by the object creator, an Identity representing the object creator should be listed in where_sighted_refs.
-This property MUST reference only Identity SDOs.
- where_sighted_refs
-
-
-
-
-
+This property MUST reference only Identity SDOs."""@en ,
+ "where_sighted_refs"@en .
-
-
-
- Reference to something that was sighted (e.g., Indicator or Malware).
-
-
+### http://ontologies.ti-semantics.com/cti#sightingOf
+:sightingOf rdf:type owl:ObjectProperty ;
+ rdfs:domain :Sighting ;
+ rdfs:range :Sightable ;
+ rdfs:comment "Reference to something that was sighted (e.g., Indicator or Malware)."@en .
-
-
-
-
-
- tactic_refs
- Related a Matric to a relevant tactic covered in the Matrix representation.
-
-
+### http://ontologies.ti-semantics.com/cti#sourceOfSighting
+:sourceOfSighting rdf:type owl:ObjectProperty .
-
+### http://ontologies.ti-semantics.com/cti#subtechniqueOf
+:subtechniqueOf rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :relatedTo ;
+ rdfs:domain :Technique ;
+ rdfs:range :Technique .
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#tactic
+:tactic rdf:type owl:ObjectProperty ;
+ rdfs:domain :Matrix ,
+ :Technique ;
+ rdfs:range :Tactic ;
+ :mitreVerb "tactic_refs"^^xsd:token ;
+ rdfs:comment "Related a Metric to a relevant tactic covered in the Matrix representation."@en .
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#targetOfSighting
+:targetOfSighting rdf:type owl:ObjectProperty .
-
+### http://ontologies.ti-semantics.com/cti#targetsExploit
+:targetsExploit rdf:type owl:ObjectProperty ;
+ rdfs:range .
-
-
-
-
-
- This Relationship describes that the Threat Actor's real identity is the related Identity.
-For example, an attributed-to Relationship from the jay-sm17h Threat Actor to the John Smith Identity means that the actor known as jay-sm17h is John Smith.
-
-Note that 'Identity' is a disputed entity in this ontology.
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#targetsVictim
+:targetsVictim rdf:type owl:ObjectProperty ;
+ rdfs:range :Identity .
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#technique
+:technique rdf:type owl:ObjectProperty ;
+ rdfs:domain :Sighting ;
+ rdfs:range :Procedure ,
+ :Tactic ,
+ :Technique .
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Refers to a technique, tool, attack pattern or malware that we have seen a threat actor or intrusion set use.
- uses
-
-
+### http://ontologies.ti-semantics.com/cti#threatActorAttributedTo
+:threatActorAttributedTo rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :attributedTo ;
+ rdf:type owl:IrreflexiveProperty ;
+ rdfs:domain ;
+ rdfs:range :Identity ;
+ rdfs:comment """This Relationship describes that the Threat Actor's real identity is the related Identity.
+For example, an attributed-to Relationship from the jay-sm17h Threat Actor to the John Smith Identity means that the actor known as jay-sm17h is John Smith.
-
-
-
-
-
-
-
-
-
-
+Note that 'Identity' is a disputed entity in this ontology."""@en .
-
-
-
+### http://ontologies.ti-semantics.com/cti#usedBy
+:usedBy rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :relatedTo ;
+ owl:inverseOf :uses ;
+ rdfs:domain [ rdf:type owl:Class ;
+ owl:unionOf (
+ :AttackPattern
+ :Tool
+ )
+ ] ;
+ rdfs:range .
-
+### http://ontologies.ti-semantics.com/cti#uses
+:uses rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf :relatedTo ;
+ rdfs:domain [ rdf:type owl:Class ;
+ owl:unionOf (
+ :IntrusionSet
+ )
+ ] ;
+ rdfs:range [ rdf:type owl:Class ;
+ owl:unionOf (
+ :AttackPattern
+ :Technique
+ :Tool
+ )
+ ] ;
+ rdfs:comment "Refers to a technique, tool, attack pattern or malware that we have seen a threat actor or intrusion set use."@en ;
+ rdfs:label "uses"@en .
-
-
+### http://ontologies.ti-semantics.com/cti#variantOf
+:variantOf rdf:type owl:ObjectProperty ;
+ rdfs:subPropertyOf owl:topObjectProperty ;
+ rdf:type owl:IrreflexiveProperty ;
+ rdfs:domain ;
+ rdfs:range .
-
-
+### http://ontologies.ti-semantics.com/platform#platform
+ rdf:type owl:ObjectProperty .
-
+### http://xmlns.com/foaf/0.1/member
+ rdf:type owl:ObjectProperty .
-
-
-
-
+#################################################################
+# Data properties
+#################################################################
-
+### http://ontologies.ti-semantics.com/core#ipv4CIDR
+ rdfs:domain .
-
-
-
-
-
+### http://ontologies.ti-semantics.com/core#ipv4Value
+ rdfs:range xsd:string .
-
-
-
- This should subclass rdfs:label
-
-
+### http://ontologies.ti-semantics.com/cti#alias
+:alias rdf:type owl:DatatypeProperty ;
+ rdfs:subPropertyOf :name ;
+ rdfs:comment "This should subclass rdfs:label"@en .
-
+### http://ontologies.ti-semantics.com/cti#asn
+:asn rdf:type owl:DatatypeProperty ;
+ rdfs:domain :AutonomousSystemObject ;
+ rdfs:range xsd:unsignedInt ;
+ rdfs:comment "Integer number of the autonomous system"@en ;
+ rdfs:label "autonomous system number"@en .
-
-
-
- Integer number of the autonomous system
- autonomous system number
-
-
+### http://ontologies.ti-semantics.com/cti#banner
+:banner rdf:type owl:DatatypeProperty ;
+ rdfs:domain :Banner ;
+ rdfs:range xsd:base64Binary ,
+ xsd:string .
-
-
-
-
- This defines that the state of some asset is compromised.
-
-
+### http://ontologies.ti-semantics.com/cti#compromised
+:compromised rdf:type owl:DatatypeProperty ;
+ rdfs:domain owl:Thing ;
+ rdfs:range xsd:boolean ;
+ rdfs:comment "This defines that the state of some asset is compromised."@en .
-
+### http://ontologies.ti-semantics.com/cti#deprecated
+:deprecated rdf:type owl:DatatypeProperty ;
+ rdfs:range xsd:boolean .
-
-
-
- Text representation of the domain name
- Domain Name
-
-
+### http://ontologies.ti-semantics.com/cti#domainName
+:domainName rdf:type owl:DatatypeProperty ;
+ rdfs:domain :DomainNameObject ;
+ rdfs:range xsd:string ;
+ rdfs:comment "Text representation of the domain name"@en ;
+ rdfs:label "Domain Name"@en .
-
-
-
-
- A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Vulnerability identifiers, such as a CVE ID [CVE].
+### http://ontologies.ti-semantics.com/cti#externalReference
+:externalReference rdf:type owl:DatatypeProperty ;
+ rdfs:domain :AttackPattern ;
+ rdfs:range xsd:anyURI ;
+ rdfs:comment """A list of external references which refer to non-STIX information. This property MAY be used to provide one or more Vulnerability identifiers, such as a CVE ID [CVE].
When specifying a CVE ID, the source_name property of the external reference MUST be set to cve and the external_id property MUST be the exact CVE identifier.
This property MAY be used to provide one or more Attack Pattern identifiers, such as a CAPEC ID. When specifying a CAPEC ID, the source_name property of the external reference MUST be set to capec and the external_id property MUST be formatted as CAPEC-[id].
-For RDF purposes these identifiers must use some IRI form, eg: a URN or CVE or CAPEC: cve:CVE-###### or capec:CAPEC-#####
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- STIX Patterns are composed of multiple building blocks, ranging from simple key-value comparisons to more complex, context-sensitive expressions. The most fundamental building block is the Comparison Expression, which is a comparison between a single property of a Cyber Observable Object and a given constant using a Comparison Operator.
- http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html
- pattern
-
-
-
+For RDF purposes these identifiers must use some IRI form, eg: a URN or CVE or CAPEC: cve:CVE-###### or capec:CAPEC-#####"""@en .
-
-
-
-
- As an alternative to a pattern, we cal also just reference a pattern by some token. This is important in the case where a proprietary product provides detection, but the pattern it uses is not known.
-
-
+### http://ontologies.ti-semantics.com/cti#firstSeen
+:firstSeen rdf:type owl:DatatypeProperty ;
+ rdfs:domain :Observable ;
+ rdfs:range xsd:dateTime ,
+ xsd:dateTimeStamp .
-
+### http://ontologies.ti-semantics.com/cti#hasPattern
+:hasPattern rdf:type owl:DatatypeProperty ;
+ rdfs:domain :Indicator ;
+ rdfs:range xsd:string ;
+ rdfs:comment "STIX Patterns are composed of multiple building blocks, ranging from simple key-value comparisons to more complex, context-sensitive expressions. The most fundamental building block is the Comparison Expression, which is a comparison between a single property of a Cyber Observable Object and a given constant using a Comparison Operator."@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html"^^xsd:anyURI ;
+ rdfs:label "pattern"@en .
-
-
-
- Specifies the values of one or more IPv4 addresses expressed using CIDR notation.
- IPv4 CIDR
-
-
+### http://ontologies.ti-semantics.com/cti#hasPatternReference
+:hasPatternReference rdf:type owl:DatatypeProperty ;
+ rdfs:domain :Indicator ;
+ rdfs:range xsd:token ;
+ [ "189.78223375002452"^^xsd:double ;
+ "430.31774151038996"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "As an alternative to a pattern, we cal also just reference a pattern by some token. This is important in the case where a proprietary product provides detection, but the pattern it uses is not known."@en .
-
-
-
-
-
- Long integer representation of a single IPv4 address
- IPv4 Address
-
-
+### http://ontologies.ti-semantics.com/cti#killChainName
+:killChainName rdf:type owl:DatatypeProperty ;
+ rdfs:domain :KillChainPhase ;
+ rdfs:range xsd:string ;
+ rdfs:comment "The name of the kill chain. The value of this property SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators."@en ;
+ rdfs:label "kill_chain_name"@en .
-
+### http://ontologies.ti-semantics.com/cti#lastSeen
+:lastSeen rdf:type owl:DatatypeProperty ;
+ rdfs:domain :Observable ;
+ rdfs:range xsd:dateTime ,
+ xsd:dateTimeStamp .
-
-
-
- The name of the kill chain. The value of this property SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- kill_chain_name
-
-
+### http://ontologies.ti-semantics.com/cti#name
+:name rdf:type owl:DatatypeProperty ;
+ rdfs:domain [ rdf:type owl:Class ;
+ owl:unionOf ( :AttackPattern
+ :Indicator
+ )
+ ] ;
+ rdfs:range xsd:string ;
+ rdfs:comment "A name used to identify the object."@en ,
+ "This should be replaced by rdfs:label"@en .
-
-
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#networkRequired
+:networkRequired rdf:type owl:DatatypeProperty ;
+ rdfs:domain :AttackPattern ;
+ rdfs:range xsd:boolean .
-
+### http://ontologies.ti-semantics.com/cti#observableCount
+:observableCount rdf:type owl:DatatypeProperty .
-
-
-
-
-
-
-
-
-
-
- A name used to identify the object.
- This should be replaced by rdfs:label
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive.
+### http://ontologies.ti-semantics.com/cti#observedDataCount
+:observedDataCount rdf:type owl:DatatypeProperty ;
+ rdfs:subPropertyOf :observableCount ;
+ rdfs:domain :ObservedData ;
+ rdfs:range xsd:positiveInteger ;
+ rdfs:comment """The number of times the data represented in the objects property was observed. This MUST be an integer between 1 and 999,999,999 inclusive.
If the number_observed property is greater than 1, the data contained in the objects property was observed multiple times. In these cases, object creators MAY omit properties of the Cyber Observable object (such as timestamps) that are specific to a single instance of that observed data.
-In Stix2, this is called number_observed.
-
-
-
-
-
-
-
-
-
- The name of the phase in the kill chain. The value of this property SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators.
- phase_name
-
-
+In Stix2, this is called number_observed."""@en .
-
+### http://ontologies.ti-semantics.com/cti#phaseName
+:phaseName rdf:type owl:DatatypeProperty ;
+ rdfs:domain :KillChainPhase ;
+ rdfs:range xsd:string ;
+ rdfs:comment "The name of the phase in the kill chain. The value of this property SHOULD be all lowercase (where lowercase is defined by the locality conventions) and SHOULD use hyphens instead of spaces or underscores as word separators."@en ;
+ rdfs:label "phase_name"@en .
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#revoked
+:revoked rdf:type owl:DatatypeProperty ;
+ rdfs:range xsd:boolean .
-
-
-
-
- The summary property indicates whether the Sighting should be considered summary data. Summary data is an aggregation of previous Sightings reports and should not be considered primary source data.
+### http://ontologies.ti-semantics.com/cti#sightingIsSummary
+:sightingIsSummary rdf:type owl:DatatypeProperty ;
+ rdfs:domain :Sighting ;
+ rdfs:range xsd:boolean ;
+ rdfs:comment """The summary property indicates whether the Sighting should be considered summary data. Summary data is an aggregation of previous Sightings reports and should not be considered primary source data.
-Ommision should imply false, but because of the open world assumption, this should be made explicit or the reasoner will assume it is unknown.
-
-
+Ommision should imply false, but because of the open world assumption, this should be made explicit or the reasoner will assume it is unknown."""@en .
-
-
-
-
-
-
- This MUST be an integer between 0 and 999,999,999 inclusive and represents the number of times the SDO referenced by the sighting_of_ref property was sighted.
+### http://ontologies.ti-semantics.com/cti#sightingsCount
+:sightingsCount rdf:type owl:DatatypeProperty ;
+ rdfs:subPropertyOf :observableCount ;
+ rdfs:domain :Sighting ;
+ rdfs:range xsd:positiveInteger ;
+ rdfs:comment """This MUST be an integer between 0 and 999,999,999 inclusive and represents the number of times the SDO referenced by the sighting_of_ref property was sighted.
Observed Data has a similar property called number_observed, which refers to the number of times the data was observed. These counts refer to different concepts and are distinct.
For example, a single sighting of a DDoS bot might have many millions of observations of the network traffic that it generates. Thus, the Sighting count would be 1 (the bot was observed once) but the Observed Data number_observed would be much higher.
-As another example, a sighting with a count of 0 can be used to express that an indicator was not seen at all.
-
-
-
-
-
-
-
-
-
- The time from which this Indicator should be considered valuable intelligence.
-
-
-
-
-
-
-
-
-
- The time at which this Indicator should no longer be considered valuable intelligence.
-
-If the valid_until property is omitted, then there is no constraint on the latest time for which the Indicator should be used.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- true
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- TODO: Need to differentiate between Tool and Malware so that we can create a necessary and sufficent equivalent class declaration
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- It is nessary and sufficient that a ThreatActor is either a person, an organization or a group of people and that they have malicious objectives.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- TODO: Need to differentiate between Tool and Malware so that we can create a necessary and sufficent equivalent class declaration
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Unexpected, or unusual activity that may not necessarily be malicious or indicate compromise. This type of activity may include reconnaissance-like behavior such as port scans or version identification, network behavior anomalies, and asset and/or user behavioral anomalies.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- An Indicator of unexpected, or unusual activity that may not necessarily be malicious or indicate compromise. This type of activity may include reconnaissance-like behavior such as port scans or version identification, network behavior anomalies, and asset and/or user behavioral anomalies.
-
-
-
-
-
-
-
-
- Suspected anonymization tools or infrastructure (proxy, TOR, VPN, etc.).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Indicator of suspected anonymization tools or infrastructure (proxy, TOR, VPN, etc.).
- Anonymization Indicator
-
-
-
-
-
-
-
-
-
-
-
+As another example, a sighting with a count of 0 can be used to express that an indicator was not seen at all."""@en .
-
-
-
- The general concept behind application whitelisting is quite simple. Instead of attempting to block malicious files and activity, application whitelisting will only permit known good files. Essentially, whitelisting flips the antivirus model from a ‘default allow’ to a ‘default deny’ for all executable files. This is accomplished by creating a list of known or approved file hashes and only allowing files with approved hashed to execute.
- https://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
-
-
+### http://ontologies.ti-semantics.com/cti#validFrom
+:validFrom rdf:type owl:DatatypeProperty ;
+ rdfs:domain :Indicator ;
+ rdfs:range xsd:dateTimeStamp ;
+ rdfs:comment "The time from which this Indicator should be considered valuable intelligence."@en .
-
+### http://ontologies.ti-semantics.com/cti#validUntil
+:validUntil rdf:type owl:DatatypeProperty ;
+ rdfs:domain :Indicator ;
+ rdfs:range xsd:dateTimeStamp ;
+ rdfs:comment """The time at which this Indicator should no longer be considered valuable intelligence.
-
-
- The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.
- https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_4jegwl6ojbes
- Artifact Object
-
-
+If the valid_until property is omitted, then there is no constraint on the latest time for which the Indicator should be used."""@en .
-
-
-
-
- An asset is any data, device, or other component of the environment that supports information-related activities. Assets generally include hardware (e.g. servers and switches), software (e.g. mission critical applications and support systems) and confidential information. Assets should be protected from illicit access, use, disclosure, alteration, destruction, and/or theft, resulting in loss to the organization.
- https://en.wikipedia.org/wiki/Asset_(computer_security)
- https://zh.wikipedia.org/wiki/%E8%B3%87%E8%A8%8A%E8%B3%87%E7%94%A2
-
-
-
-
-
-
-
-
- Knowing a Threat Actor or Intrusion Set's motivation may allow an analyst or defender to better understand likely targets and behaviors.
+
+### http://ontologies.ti-semantics.com/cti#xMitreDetection
+:xMitreDetection rdf:type owl:DatatypeProperty ;
+ rdfs:range xsd:string ;
+ rdfs:comment "x_mitre_detection" .
+
+
+#################################################################
+# Classes
+#################################################################
+
+### http://ontologies.ti-semantics.com/core#Activity
+ rdf:type owl:Class ;
+ rdfs:subClassOf :Observable ;
+ [ "295.36306060703106"^^xsd:double ;
+ "268.6894655336211"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/core#AdversarialActivity
+ rdf:type owl:Class ;
+ [ "199.9241053147456"^^xsd:double ;
+ "174.66542955278317"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/core#Attack
+ rdf:type owl:Class ;
+ [ "219.5247199630646"^^xsd:double ;
+ "16.64138641412486"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/core#Catalog
+ rdf:type owl:Class ;
+ [ "2.6143084201971156"^^xsd:double ;
+ "11.45035161756735"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/core#CourseOfAction
+ rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Restriction ;
+ owl:onProperty :mitigates ;
+ owl:someValuesFrom [ rdf:type owl:Class ;
+ owl:unionOf (
+
+
+ :AttackPattern
+ )
+ ]
+ ] ;
+ [ "283.69066110684685"^^xsd:double ;
+ "191.47361369565348"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/core#IPv4CIDR
+ owl:equivalentClass :IPv4AddressObject .
+
+
+### http://ontologies.ti-semantics.com/core#IPv6Address
+ owl:equivalentClass :ObservableObject .
+
+
+### http://ontologies.ti-semantics.com/core#IPv6CIDR
+ owl:equivalentClass :IPv6CIDR .
+
+
+### http://ontologies.ti-semantics.com/core#InternetProtocolAddress
+ owl:equivalentClass :ServerNetworkAddress .
+
+
+### http://ontologies.ti-semantics.com/core#Malware
+ rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Class ;
+ owl:unionOf ( [ owl:intersectionOf ( [ rdf:type owl:Restriction ;
+ owl:onProperty :uses ;
+ owl:someValuesFrom :AttackPattern
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty ;
+ owl:someValuesFrom
+ ]
+ ) ;
+ rdf:type owl:Class
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :revoked ;
+ owl:hasValue "true"^^xsd:boolean
+ ]
+ )
+ ] ;
+ rdfs:subClassOf :MaliciousBehavior ,
+ :Observable ,
+ [ owl:intersectionOf (
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :implements ;
+ owl:someValuesFrom :Technique
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ [ "274.21719519692016"^^xsd:double ;
+ "206.0778159958786"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "TODO: Need to differentiate between Tool and Malware so that we can create a necessary and sufficent equivalent class declaration"@en .
+
+
+### http://ontologies.ti-semantics.com/core#Platform
+ rdf:type owl:Class ;
+ [ "9.125653045791477"^^xsd:double ;
+ "115.09998518444888"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/core#Software
+ rdf:type owl:Class ;
+ [ "19.62119486174736"^^xsd:double ;
+ "292.00588358359863"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/core#ThreatActor
+ rdf:type owl:Class ;
+ owl:equivalentClass [ owl:intersectionOf ( [ rdf:type owl:Class ;
+ owl:unionOf (
+
+ [ rdf:type owl:Restriction ;
+ owl:onProperty ;
+ owl:someValuesFrom
+ ]
+ )
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :hasObjective ;
+ owl:someValuesFrom :MaliciousObjective
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ rdfs:subClassOf :Observable ;
+ [ "28.501137056978845"^^xsd:double ;
+ "256.2770104163348"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "It is nessary and sufficient that a ThreatActor is either a person, an organization or a group of people and that they have malicious objectives."@en .
+
+
+### http://ontologies.ti-semantics.com/core#Tool
+ rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Restriction ;
+ owl:onProperty ;
+ owl:someValuesFrom
+ ] ;
+ rdfs:subClassOf :Behavior ,
+ :Observable ;
+ [ "51.74393994504866"^^xsd:double ;
+ "213.53857451669586"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "TODO: Need to differentiate between Tool and Malware so that we can create a necessary and sufficent equivalent class declaration"@en .
+
+
+### http://ontologies.ti-semantics.com/core#Vulnerability
+ rdf:type owl:Class ;
+ [ "206.7549723985581"^^xsd:double ;
+ "120.82226233948117"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#AerospaceIndustrySector
+:AerospaceIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "231.3526232030093"^^xsd:double ;
+ "25.181411889996557"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#AgricultureIndustrySector
+:AgricultureIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "2.1779021778537904"^^xsd:double ;
+ "16.110591425919754"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#AnomalousActivity
+:AnomalousActivity rdf:type owl:Class ;
+ rdfs:subClassOf ;
+ [ "108.23969149797084"^^xsd:double ;
+ "189.67246987226508"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Unexpected, or unusual activity that may not necessarily be malicious or indicate compromise. This type of activity may include reconnaissance-like behavior such as port scans or version identification, network behavior anomalies, and asset and/or user behavioral anomalies."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#AnomalousActivityIndicator
+:AnomalousActivityIndicator rdf:type owl:Class ;
+ owl:equivalentClass [ owl:intersectionOf ( :Indicator
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :detects ;
+ owl:someValuesFrom :AnomalousActivity
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ [ "85.90496226281617"^^xsd:double ;
+ "263.4883840231755"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "An Indicator of unexpected, or unusual activity that may not necessarily be malicious or indicate compromise. This type of activity may include reconnaissance-like behavior such as port scans or version identification, network behavior anomalies, and asset and/or user behavioral anomalies."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#AnonymizationActivity
+:AnonymizationActivity rdf:type owl:Class ;
+ rdfs:subClassOf ;
+ [ "242.0343302670647"^^xsd:double ;
+ "37.17779982889669"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Suspected anonymization tools or infrastructure (proxy, TOR, VPN, etc.)."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#AnonymizationIndicator
+:AnonymizationIndicator rdf:type owl:Class ;
+ owl:equivalentClass [ owl:intersectionOf ( :Indicator
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :detects ;
+ owl:someValuesFrom :AnonymizationActivity
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ [ "280.5428622356401"^^xsd:double ;
+ "292.39777998752885"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Indicator of suspected anonymization tools or infrastructure (proxy, TOR, VPN, etc.)."@en ;
+ rdfs:label "Anonymization Indicator"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#AntiVirus
+:AntiVirus rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "226.143541791287"^^xsd:double ;
+ "230.74541085306436"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#ApplicationWhitelisting
+:ApplicationWhitelisting rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "217.41819201056728"^^xsd:double ;
+ "269.1688159716444"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "The general concept behind application whitelisting is quite simple. Instead of attempting to block malicious files and activity, application whitelisting will only permit known good files. Essentially, whitelisting flips the antivirus model from a ‘default allow’ to a ‘default deny’ for all executable files. This is accomplished by creating a list of known or approved file hashes and only allowing files with approved hashed to execute."@en ;
+ rdfs:isDefinedBy "https://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599"^^xsd:anyURI .
+
+
+### http://ontologies.ti-semantics.com/cti#ArtifactObject
+:ArtifactObject rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ [ "156.37415497990384"^^xsd:double ;
+ "16.503235024825745"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload."@en ;
+ rdfs:isDefinedBy "https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_4jegwl6ojbes"^^xsd:anyURI ;
+ rdfs:label "Artifact Object"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#Asset
+:Asset rdf:type owl:Class ;
+ [ "154.86756779198797"^^xsd:double ;
+ "12.602792162702253"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "An asset is any data, device, or other component of the environment that supports information-related activities. Assets generally include hardware (e.g. servers and switches), software (e.g. mission critical applications and support systems) and confidential information. Assets should be protected from illicit access, use, disclosure, alteration, destruction, and/or theft, resulting in loss to the organization."@en ;
+ rdfs:isDefinedBy "https://en.wikipedia.org/wiki/Asset_(computer_security)"@en ,
+ "https://zh.wikipedia.org/wiki/%E8%B3%87%E8%A8%8A%E8%B3%87%E7%94%A2"@zh .
+
+
+### http://ontologies.ti-semantics.com/cti#AttackMotivationVocab
+:AttackMotivationVocab rdf:type owl:Class ;
+ rdfs:subClassOf :Vocabularies ;
+ [ "121.1812575818739"^^xsd:double ;
+ "129.4429628426017"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment """Knowing a Threat Actor or Intrusion Set's motivation may allow an analyst or defender to better understand likely targets and behaviors.
Motivation shapes the intensity and the persistence of an attack. Threat Actors and Intrusion Sets usually act in a manner that reflects their underlying emotion or situation, and this informs defenders of the manner of attack. For example, a spy motivated by nationalism (ideology) likely has the patience to achieve long-term goals and work quietly for years, whereas a cyber-vandal out for notoriety can create an intense and attention-grabbing attack but may quickly lose interest and move on. Understanding these differences allows defenders to implement controls tailored to each type of attack for greatest efficiency.
-This section including vocabulary items and their descriptions is based on the Threat Agent Motivations publication from Intel Corp in February 2015 [Casey 2015].
-
- AttackMotivationVocab
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Attack Patterns are a type of Procedure that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed.
-An example of an attack pattern is "spear phishing": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern.
-
-Relationships from Attack Pattern can be used to relate it to what it targets (Vulnerabilities and Identities) and which tools and malware use it (Tool and Malware).
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714301
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- An attack pattern may target an identiy and/or a vulnerability, and/or it uses some malware or tool.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Attack Resource Level is an open vocabulary that captures the general level of resources that a threat actor, intrusion set, or campaign might have access to. It ranges from individual, a person acting alone, to government, the resources of a national government.
-This section including vocabulary items and their descriptions is based on the Threat Agent Library publication from Intel Corp in September 2007 [Casey 2007].
-
- attack-resource-level
-
-
-
-
-
-
-
-
- Patterns of behavior that indicate attribution to a particular Threat Actor or Campaign.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Indicator of patterns of behavior that indicate attribution to a particular Threat Actor or Campaign.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- This object represents the properties of an Autonomous System (AS).
- https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_27gux0aol9e3
- Autonomous System Object
- https://www.wikidata.org/wiki/Q749245
-
-
-
-
-
-
-
-
- Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence.
- https://technet.microsoft.com/en-us/sysinternals/bb963902
-
-
-
-
-
-
-
-
- Text returned from some GET or similar request to a network addressable resource.
- Banner
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Activity that is not suspicious or malicious in and of itself, but when combined with other activity may indicate suspicious or malicious behavior.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Activity that is not suspicious or malicious in and of itself, but when combined with other activity may indicate suspicious or malicious behavior.
-
-
-
-
-
-
-
-
- An objective that is benign in intent.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set.
+This section including vocabulary items and their descriptions is based on the Threat Agent Motivations publication from Intel Corp in February 2015 [Casey 2015].""" ;
+ rdfs:isDefinedBy ;
+ rdfs:label "AttackMotivationVocab"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#AttackPattern
+:AttackPattern rdf:type owl:Class ;
+ owl:equivalentClass [ owl:intersectionOf ( :Procedure
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :targetsExploit ;
+ owl:someValuesFrom
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :targetsVictim ;
+ owl:someValuesFrom :Identity
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :uses ;
+ owl:someValuesFrom [ rdf:type owl:Class ;
+ owl:unionOf (
+ :ToolLabel
+ )
+ ]
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ rdfs:subClassOf :MaliciousBehavior ;
+ [ "263.80510754297825"^^xsd:double ;
+ "103.10891551546133"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment """Attack Patterns are a type of Procedure that describe ways that adversaries attempt to compromise targets. Attack Patterns are used to help categorize attacks, generalize specific attacks to the patterns that they follow, and provide detailed information about how attacks are performed.
+An example of an attack pattern is \"spear phishing\": a common type of attack where an attacker sends a carefully crafted e-mail message to a party with the intent of getting them to click a link or open an attachment to deliver malware. Attack Patterns can also be more specific; spear phishing as practiced by a particular threat actor (e.g., they might generally say that the target won a contest) can also be an Attack Pattern.
+
+Relationships from Attack Pattern can be used to relate it to what it targets (Vulnerabilities and Identities) and which tools and malware use it (Tool and Malware)."""@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714301"@en .
+
+[ rdf:type owl:Axiom ;
+ owl:annotatedSource :AttackPattern ;
+ owl:annotatedProperty owl:equivalentClass ;
+ owl:annotatedTarget [ owl:intersectionOf ( :Procedure
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :targetsExploit ;
+ owl:someValuesFrom
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :targetsVictim ;
+ owl:someValuesFrom :Identity
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :uses ;
+ owl:someValuesFrom [ rdf:type owl:Class ;
+ owl:unionOf (
+ :ToolLabel
+ )
+ ]
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ rdfs:comment "An attack pattern may target an identiy and/or a vulnerability, and/or it uses some malware or tool."
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#AttackRequirement
+:AttackRequirement rdf:type owl:Class ;
+ [ "260.3413193032268"^^xsd:double ;
+ "2.37150080774188"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#AttackResourceLevelVocab
+:AttackResourceLevelVocab rdf:type owl:Class ;
+ rdfs:subClassOf :Vocabularies ;
+ [ "163.32598860053722"^^xsd:double ;
+ "133.0631727317546"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment """Attack Resource Level is an open vocabulary that captures the general level of resources that a threat actor, intrusion set, or campaign might have access to. It ranges from individual, a person acting alone, to government, the resources of a national government.
+This section including vocabulary items and their descriptions is based on the Threat Agent Library publication from Intel Corp in September 2007 [Casey 2007].""" ;
+ rdfs:isDefinedBy ;
+ rdfs:label "attack-resource-level"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#AttributionActivity
+:AttributionActivity rdf:type owl:Class ;
+ rdfs:subClassOf ;
+ [ "118.68008928686267"^^xsd:double ;
+ "2.1159070161089337"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Patterns of behavior that indicate attribution to a particular Threat Actor or Campaign."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#AttributionIndicator
+:AttributionIndicator rdf:type owl:Class ;
+ owl:equivalentClass [ owl:intersectionOf ( :Indicator
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :detects ;
+ owl:someValuesFrom :AttributionActivity
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ [ "195.51125923629306"^^xsd:double ;
+ "257.74023750698916"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Indicator of patterns of behavior that indicate attribution to a particular Threat Actor or Campaign."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#AutomotiveIndustrySector
+:AutomotiveIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "108.9626993145871"^^xsd:double ;
+ "78.80748954257533"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#AutonomousSystemObject
+:AutonomousSystemObject rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ [ "299.16898279186995"^^xsd:double ;
+ "120.5383227331657"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "This object represents the properties of an Autonomous System (AS)."@en ;
+ rdfs:isDefinedBy "https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_27gux0aol9e3"^^xsd:anyURI ;
+ rdfs:label "Autonomous System Object"@en ;
+ rdfs:seeAlso "https://www.wikidata.org/wiki/Q749245"^^xsd:anyURI .
+
+
+### http://ontologies.ti-semantics.com/cti#AutorunsAnalysis
+:AutorunsAnalysis rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "6.676864531127932"^^xsd:double ;
+ "237.4007282496997"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence."@en ;
+ rdfs:isDefinedBy "https://technet.microsoft.com/en-us/sysinternals/bb963902"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#Banner
+:Banner rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ [ "31.336393173552274"^^xsd:double ;
+ "89.9021035630542"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Text returned from some GET or similar request to a network addressable resource."@en ;
+ rdfs:label "Banner"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#Behavior
+:Behavior rdf:type owl:Class ;
+ [ "243.8019661841377"^^xsd:double ;
+ "212.7890108173242"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#BenignActivity
+:BenignActivity rdf:type owl:Class ;
+ rdfs:subClassOf ;
+ [ "128.47122302072185"^^xsd:double ;
+ "71.411094155156"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Activity that is not suspicious or malicious in and of itself, but when combined with other activity may indicate suspicious or malicious behavior."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#BenignIndicator
+:BenignIndicator rdf:type owl:Class ;
+ owl:equivalentClass [ owl:intersectionOf ( :Indicator
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :detects ;
+ owl:someValuesFrom :BenignActivity
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ [ "282.19924644189126"^^xsd:double ;
+ "267.69215187173074"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Activity that is not suspicious or malicious in and of itself, but when combined with other activity may indicate suspicious or malicious behavior."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#BenignObjective
+:BenignObjective rdf:type owl:Class ;
+ rdfs:subClassOf :Objective ;
+ [ "254.61708151859634"^^xsd:double ;
+ "221.03649164062395"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "An objective that is benign in intent."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#BinaryAnalysis
+:BinaryAnalysis rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "254.3903792627863"^^xsd:double ;
+ "91.1581702134031"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#Campaign
+:Campaign rdf:type owl:Class ;
+ rdfs:subClassOf :Observable ,
+ [ owl:intersectionOf ( [ rdf:type owl:Restriction ;
+ owl:onProperty :campaignAttributedTo ;
+ owl:someValuesFrom [ rdf:type owl:Class ;
+ owl:unionOf (
+ :IntrusionSet
+ )
+ ]
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :hasActivity ;
+ owl:someValuesFrom
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :hasObjective ;
+ owl:someValuesFrom :Objective
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ [ "137.38313834343944"^^xsd:double ;
+ "290.17180613301474"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment """A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets. Campaigns usually have well defined objectives and may be part of an Intrusion Set.
Campaigns are often attributed to an intrusion set and threat actors. The threat actors may reuse known infrastructure from the intrusion set or may set up new infrastructure specific for conducting that campaign.
-Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714304
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- true
-
-
-
-
-
-
-
-
-
-
-
- Indicator of assets that are suspected to be compromised.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- true
-
-
-
-
-
-
-
-
-
-
-
- TODO: What we really want to say is this is an Indicator of some asset being in the compromised state. How do we get there?
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system.
- https://support.microsoft.com/en-us/help/875352/a-detailed-description-of-the-data-execution-prevention-dep-feature-in
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- A method of detection of some activity or object.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The Directory object represents the properties common to a file system directory.
- https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_lyvpga5hlw52
- Directory Object
-
-
-
-
-
-
-
-
- The Domain Name object represents the properties of a network domain name.
- https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_prhhksbxbg87
- Domain Name Object
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The Email Address object represents a single email address.
- https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_wmenahkvqmgj
- Email Address Object
-
-
-
-
-
-
-
-
- The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs.
- https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_grboc7sq5514
- Email Message Object
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- File access controls on an operation system. Usually these refer to Discretionary ACLs, but there are also Mandatory ACLs.
- https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights
- https://en.wikipedia.org/wiki/File_system_permissions
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- emergency services, sanitation
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- An open vocabulary of hashing algorithms.
-When specifying a hashing algorithm not already defined within the hash-algorithm-ov, wherever an authoritative name for a hashing algorithm name is defined, it should be used as the value. In cases where no authoritative name exists and/or where there is variance in the naming of a particular hashing algorithm, producers should exercise their best judgement.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709298
- hash-algorithm
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ipv4-addr
- The IPv4 Address object represents one or more IPv4 addresses expressed using CIDR notation.
- https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_ki1ufj1ku8s0
- IPv4 Address Object
- http://www.wikidata.org/entity/Q35582902
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Handling identity-classes:
+Campaigns can be characterized by their objectives and the incidents they cause, people or resources they target, and the resources (infrastructure, intelligence, Malware, Tools, etc.) they use."""@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714304"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#CommunicationsIndustrySector
+:CommunicationsIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "224.91519829667283"^^xsd:double ;
+ "2.205942351479206"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#CompromisedIndicator
+:CompromisedIndicator rdf:type owl:Class ;
+ owl:equivalentClass [ owl:intersectionOf ( :Indicator
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :detects ;
+ owl:someValuesFrom [ rdf:type owl:Restriction ;
+ owl:onProperty :compromised ;
+ owl:allValuesFrom [ rdf:type rdfs:Datatype ;
+ owl:oneOf [ rdf:type rdf:List ;
+ rdf:first "true"^^xsd:boolean ;
+ rdf:rest rdf:nil
+ ]
+ ]
+ ]
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ [ "55.66705025303295"^^xsd:double ;
+ "15.402756716198843"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Indicator of assets that are suspected to be compromised."@en .
+
+[ rdf:type owl:Axiom ;
+ owl:annotatedSource :CompromisedIndicator ;
+ owl:annotatedProperty owl:equivalentClass ;
+ owl:annotatedTarget [ owl:intersectionOf ( :Indicator
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :detects ;
+ owl:someValuesFrom [ rdf:type owl:Restriction ;
+ owl:onProperty :compromised ;
+ owl:allValuesFrom [ rdf:type rdfs:Datatype ;
+ owl:oneOf [ rdf:type rdf:List ;
+ rdf:first "true"^^xsd:boolean ;
+ rdf:rest rdf:nil
+ ]
+ ]
+ ]
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ rdfs:comment "TODO: What we really want to say is this is an Indicator of some asset being in the compromised state. How do we get there?"@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#ConstructionIndustrySector
+:ConstructionIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "165.6902322758791"^^xsd:double ;
+ "14.26711319088784"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#DataExecutionPrevention
+:DataExecutionPrevention rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "133.91259545820603"^^xsd:double ;
+ "56.225399106392935"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system."@en ;
+ rdfs:isDefinedBy "https://support.microsoft.com/en-us/help/875352/a-detailed-description-of-the-data-execution-prevention-dep-feature-in"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#DefenceIndustrySector
+:DefenceIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "52.14824356328938"^^xsd:double ;
+ "21.16454023279556"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#DefensiveNetworkServiceScanning
+:DefensiveNetworkServiceScanning rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "201.01281024788696"^^xsd:double ;
+ "113.07209810687183"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#Detection
+:Detection rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Restriction ;
+ owl:onProperty :detectionMethodUsed ;
+ owl:someValuesFrom :DetectionMethod
+ ] ;
+ [ "238.97322791049683"^^xsd:double ;
+ "241.06032212637126"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#DetectionMethod
+:DetectionMethod rdf:type owl:Class ;
+ [ "240.18260407255232"^^xsd:double ;
+ "231.19833673936589"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "A method of detection of some activity or object."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#DigitalCertificateValidation
+:DigitalCertificateValidation rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "300.20244718990585"^^xsd:double ;
+ "109.59442593099823"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#DirectoryObject
+:DirectoryObject rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ [ "106.83120890247336"^^xsd:double ;
+ "277.3226957593092"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "The Directory object represents the properties common to a file system directory."@en ;
+ rdfs:isDefinedBy "https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_lyvpga5hlw52"^^xsd:anyURI ;
+ rdfs:label "Directory Object"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#DomainNameObject
+:DomainNameObject rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ [ "178.83475528416605"^^xsd:double ;
+ "287.607242955545"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "The Domain Name object represents the properties of a network domain name."@en ;
+ rdfs:isDefinedBy "https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_prhhksbxbg87"^^xsd:anyURI ;
+ rdfs:label "Domain Name Object"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#EducationIndustrySector
+:EducationIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "231.7127202591847"^^xsd:double ;
+ "284.7509077145375"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#EmailAddressObject
+:EmailAddressObject rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ [ "148.59928377686967"^^xsd:double ;
+ "223.67787220141642"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "The Email Address object represents a single email address."@en ;
+ rdfs:isDefinedBy "https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_wmenahkvqmgj"^^xsd:anyURI ;
+ rdfs:label "Email Address Object"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#EmailMessageObject
+:EmailMessageObject rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ [ "33.823522906864575"^^xsd:double ;
+ "11.28822518201998"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "The Email Message object represents an instance of an email message, corresponding to the internet message format described in [RFC5322] and related RFCs."@en ;
+ rdfs:isDefinedBy "https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_grboc7sq5514"^^xsd:anyURI ;
+ rdfs:label "Email Message Object"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#EnergyIndustrySector
+:EnergyIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "3.501472561807096"^^xsd:double ;
+ "170.16411861621282"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#EnterpriseCatalog
+:EnterpriseCatalog rdf:type owl:Class ;
+ rdfs:subClassOf ;
+ [ "165.57438094098237"^^xsd:double ;
+ "259.89910156825187"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#EnterpriseMatrix
+:EnterpriseMatrix rdf:type owl:Class ;
+ rdfs:subClassOf :Matrix ;
+ [ "193.1629828971079"^^xsd:double ;
+ "222.5618330941143"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#EntertainmentIndustrySector
+:EntertainmentIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "9.861557815171125"^^xsd:double ;
+ "4.6143113088092065"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#ExploitPrevention
+:ExploitPrevention rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "137.03528177635002"^^xsd:double ;
+ "292.6522508821759"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#FileMonitoring
+:FileMonitoring rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "114.30259645382037"^^xsd:double ;
+ "213.19494091432196"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#FilePathWhitelisting
+:FilePathWhitelisting rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "161.97979473289152"^^xsd:double ;
+ "97.87032129917428"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#FileSystemAccessControls
+:FileSystemAccessControls rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "84.32466015545569"^^xsd:double ;
+ "166.14888966975226"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "File access controls on an operation system. Usually these refer to Discretionary ACLs, but there are also Mandatory ACLs."@en ;
+ rdfs:isDefinedBy "https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights"@en ,
+ "https://en.wikipedia.org/wiki/File_system_permissions"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#FinancialServicesIndustrySector
+:FinancialServicesIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "295.99797266175796"^^xsd:double ;
+ "261.49406455608363"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#Firewall
+:Firewall rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "119.79968209367195"^^xsd:double ;
+ "109.78143195568217"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#FullyQualifiedDomainName
+:FullyQualifiedDomainName rdf:type owl:Class ;
+ rdfs:subClassOf :DomainNameObject ;
+ [ "273.0289923302848"^^xsd:double ;
+ "172.308065708909"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#GovernmentLocalSector
+:GovernmentLocalSector rdf:type owl:Class ;
+ rdfs:subClassOf :GovernmentSector ;
+ [ "85.88232176066599"^^xsd:double ;
+ "192.52846659637953"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#GovernmentNationalSector
+:GovernmentNationalSector rdf:type owl:Class ;
+ rdfs:subClassOf :GovernmentSector ;
+ [ "204.54120264169612"^^xsd:double ;
+ "152.6406339609093"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#GovernmentPublicSector
+:GovernmentPublicSector rdf:type owl:Class ;
+ rdfs:subClassOf :GovernmentSector ;
+ [ "175.98745381863216"^^xsd:double ;
+ "236.2531311437074"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "emergency services, sanitation"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#GovernmentRegionalSector
+:GovernmentRegionalSector rdf:type owl:Class ;
+ rdfs:subClassOf :GovernmentSector ;
+ [ "140.08572506751128"^^xsd:double ;
+ "55.702441224742735"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#GovernmentSector
+:GovernmentSector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "140.36411651078723"^^xsd:double ;
+ "40.89477796637381"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#HashAlgorithmVocab
+:HashAlgorithmVocab rdf:type owl:Class ;
+ rdfs:subClassOf :Vocabularies ;
+ [ "193.71532348404705"^^xsd:double ;
+ "157.87411352262583"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment """An open vocabulary of hashing algorithms.
+When specifying a hashing algorithm not already defined within the hash-algorithm-ov, wherever an authoritative name for a hashing algorithm name is defined, it should be used as the value. In cases where no authoritative name exists and/or where there is variance in the naming of a particular hashing algorithm, producers should exercise their best judgement."""@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709298"@en ;
+ rdfs:label "hash-algorithm"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#HealthcareIndustrySector
+:HealthcareIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "121.7843217151827"^^xsd:double ;
+ "136.2150806070698"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#HeuristicDetection
+:HeuristicDetection rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "13.55568789688166"^^xsd:double ;
+ "185.27395938249904"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#HospitalityIndustrySector
+:HospitalityIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "88.35186548468731"^^xsd:double ;
+ "245.5446221092276"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#HostForensicAnalysis
+:HostForensicAnalysis rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "205.35349155772053"^^xsd:double ;
+ "131.90169707981414"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#HostIntrusionPreventionSystems
+:HostIntrusionPreventionSystems rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "499.8761906907884"^^xsd:double ;
+ "50.47275927149475"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#ICSCatalog
+:ICSCatalog rdf:type owl:Class ;
+ rdfs:subClassOf ;
+ [ "183.4537572460114"^^xsd:double ;
+ "261.0694998031449"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#IPv4AddressObject
+:IPv4AddressObject rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ :mitreType "ipv4-addr" ;
+ [ "228.24350173586961"^^xsd:double ;
+ "284.29915388066144"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "The IPv4 Address object represents one or more IPv4 addresses expressed using CIDR notation."@en ;
+ rdfs:isDefinedBy "https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_ki1ufj1ku8s0"@en ;
+ rdfs:label "IPv4 Address Object"@en ;
+ rdfs:seeAlso "http://www.wikidata.org/entity/Q35582902"^^xsd:anyURI .
+
+
+### http://ontologies.ti-semantics.com/cti#IPv6AddressObject
+:IPv6AddressObject rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ [ "222.17056502411427"^^xsd:double ;
+ "82.87167440027909"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#IPv6CIDR
+:IPv6CIDR rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ [ "295.328456938082"^^xsd:double ;
+ "151.72045666339412"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#Identity
+:Identity rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Class ;
+ owl:unionOf (
+
+
+ [ rdf:type owl:Restriction ;
+ owl:onProperty ;
+ owl:someValuesFrom
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty ;
+ owl:someValuesFrom
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty ;
+ owl:someValuesFrom
+ ]
+ )
+ ] ;
+ [ "223.6316155482985"^^xsd:double ;
+ "186.53269650313607"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Deprecated in favor of FOAF and DCTERMS classes."@en ,
+ """Handling identity-classes:
group-identity becomes foaf:group
individual-identity becomes foaf:Person
organization-identity becomes foaf:organization
unknown-identity just stick with the Identity class
-class-identity will need to be qualified with restrictions on whatever the most relevant superclass is
- Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, or groups (e.g., the finance sector).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Indicators are linked to patterns by the hasPattern or hasPatternReference properties and specify some indication of comprimise or other states that are relevant for an incident and are seen in Sightings.
-
-While optional, it's also highly advised to use the killChainPhase property to specify where in a given Kill Chain, this indicator will be found.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714313
-
-
-
-
-
-
-
- Industry sector is an open vocabulary that describes industrial and commercial sectors. It is intended to be holistic; it has been derived from several other lists and is not limited to "critical infrastructure" sectors.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709301
- industry-sector
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- true
-
-
-
-
- An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a common known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.
+class-identity will need to be qualified with restrictions on whatever the most relevant superclass is"""@en ,
+ "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, or groups (e.g., the finance sector)."@en ;
+ owl:deprecated "true"^^xsd:boolean .
+
+
+### http://ontologies.ti-semantics.com/cti#Indicator
+:Indicator rdf:type owl:Class ;
+ rdfs:subClassOf [ owl:intersectionOf ( [ rdf:type owl:Class ;
+ owl:unionOf ( [ rdf:type owl:Restriction ;
+ owl:onProperty :hasPattern ;
+ owl:someValuesFrom xsd:string
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :hasPatternReference ;
+ owl:someValuesFrom xsd:token
+ ]
+ )
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :validFrom ;
+ owl:someValuesFrom xsd:dateTime
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ [ "112.29110994594657"^^xsd:double ;
+ "54.23565807579992"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment """Indicators are linked to patterns by the hasPattern or hasPatternReference properties and specify some indication of comprimise or other states that are relevant for an incident and are seen in Sightings.
+
+While optional, it's also highly advised to use the killChainPhase property to specify where in a given Kill Chain, this indicator will be found."""@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714313"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#IndustrySector
+:IndustrySector rdf:type owl:Class ;
+ [ "119.56146806761221"^^xsd:double ;
+ "221.2799864816682"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Industry sector is an open vocabulary that describes industrial and commercial sectors. It is intended to be holistic; it has been derived from several other lists and is not limited to \"critical infrastructure\" sectors."@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709301"@en ;
+ rdfs:label "industry-sector"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#InfrastructureIndustrySector
+:InfrastructureIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "530.31784986711"^^xsd:double ;
+ "200.1119427495666"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#InsuranceIndustrySector
+:InsuranceIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "287.4445315808189"^^xsd:double ;
+ "262.84255188386396"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#IntrusionSet
+:IntrusionSet rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Class ;
+ owl:unionOf ( [ rdf:type owl:Restriction ;
+ owl:onProperty :uses ;
+ owl:someValuesFrom :Behavior
+ ]
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :revoked ;
+ owl:hasValue "true"^^xsd:boolean
+ ]
+ )
+ ] ;
+ [ "23.81695111980069"^^xsd:double ;
+ "65.9706569338486"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment """An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a common known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.
Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes.
-While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714316
-
-
-
-
-
-
-
-
- The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
-The JSON MTI serialization uses the JSON object type [RFC7159] when representing kill-chain-phase.
- kill-chain-phase
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Patterns of suspected malicious objects and/or activity.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Patterns of suspected malicious objects and/or activity.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- An objective that is malicious in intent.
-
-
-
-
-
-
-
-
- Malware label is an open vocabulary that represents different types and functions of malware. Malware labels are not mutually exclusive; a malware instance can be both spyware and a screen capture tool.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709302
- malware
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- x-mitre-matrix
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Observable
-
-
-
-
-
-
-
- https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_mlbmudhl16lr
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Examples
+While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state."""@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714316"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#KillChainPhase
+:KillChainPhase rdf:type owl:Class ;
+ rdfs:subClassOf ;
+ [ "32.580199127780936"^^xsd:double ;
+ "242.6995731892933"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment """The kill-chain-phase represents a phase in a kill chain, which describes the various phases an attacker may undertake in order to achieve their objectives.
+The JSON MTI serialization uses the JSON object type [RFC7159] when representing kill-chain-phase."""@en ;
+ rdfs:label "kill-chain-phase"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#LinuxEnterpriseMatix
+:LinuxEnterpriseMatix rdf:type owl:Class ;
+ rdfs:subClassOf :EnterpriseMatrix ;
+ [ "40.70332518515094"^^xsd:double ;
+ "45.61962290492247"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#LinuxEnterpriseMatrix
+:LinuxEnterpriseMatrix rdf:type owl:Class ;
+ rdfs:subClassOf :EnterpriseMatrix ;
+ [ "112.31710560151217"^^xsd:double ;
+ "86.62772707650483"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#LogAnalysis
+:LogAnalysis rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "214.8394966107444"^^xsd:double ;
+ "179.91940719954752"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#MACAddressObject
+:MACAddressObject rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ [ "111.06179382727743"^^xsd:double ;
+ "95.50855348126679"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#MacOSEnterpriseMatrix
+:MacOSEnterpriseMatrix rdf:type owl:Class ;
+ rdfs:subClassOf :EnterpriseMatrix ;
+ [ "263.3538879746727"^^xsd:double ;
+ "12.137075119712284"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#MaliciousActivity
+:MaliciousActivity rdf:type owl:Class ;
+ rdfs:subClassOf ;
+ [ "275.8587336829666"^^xsd:double ;
+ "209.88932836428063"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Patterns of suspected malicious objects and/or activity."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#MaliciousActivityIndictor
+:MaliciousActivityIndictor rdf:type owl:Class ;
+ owl:equivalentClass [ owl:intersectionOf ( :Indicator
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :detects ;
+ owl:someValuesFrom :MaliciousActivity
+ ]
+ ) ;
+ rdf:type owl:Class
+ ] ;
+ [ "283.4259111332767"^^xsd:double ;
+ "273.9571686826132"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Patterns of suspected malicious objects and/or activity."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#MaliciousBehavior
+:MaliciousBehavior rdf:type owl:Class ;
+ rdfs:subClassOf :Behavior ;
+ [ "267.85569395166493"^^xsd:double ;
+ "170.37449032263584"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#MaliciousObjective
+:MaliciousObjective rdf:type owl:Class ;
+ rdfs:subClassOf :Objective ;
+ [ "81.66217645124617"^^xsd:double ;
+ "170.7790482997426"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "An objective that is malicious in intent."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#MalwareLabel
+:MalwareLabel rdf:type owl:Class ;
+ rdfs:subClassOf :Vocabularies ;
+ [ "37.4899058539695"^^xsd:double ;
+ "275.19022263691244"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Malware label is an open vocabulary that represents different types and functions of malware. Malware labels are not mutually exclusive; a malware instance can be both spyware and a screen capture tool." ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709302"^^xsd:anyURI ;
+ rdfs:label "malware"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#ManufacturingIndustrySector
+:ManufacturingIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "273.73878444447087"^^xsd:double ;
+ "105.3743052108004"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#Matrix
+:Matrix rdf:type owl:Class ;
+ rdfs:subClassOf ;
+ :mitreType "x-mitre-matrix"@en ;
+ [ "109.63117265286188"^^xsd:double ;
+ "83.91523561595056"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#MiningIndustrySector
+:MiningIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "292.2698667458957"^^xsd:double ;
+ "268.7546536496855"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#MitigationRelationship
+:MitigationRelationship rdf:type owl:Class ;
+ rdfs:subClassOf :Relationship ;
+ [ "182.92108630850072"^^xsd:double ;
+ "190.32490742097175"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#MobileCatalog
+:MobileCatalog rdf:type owl:Class ;
+ rdfs:subClassOf ;
+ [ "36.90618655855819"^^xsd:double ;
+ "93.0433287546583"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#MobileMatrix
+:MobileMatrix rdf:type owl:Class ;
+ rdfs:subClassOf :Matrix ;
+ [ "166.0853094142291"^^xsd:double ;
+ "183.68687876337455"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#NetworkIntrusionDetectionSystem
+:NetworkIntrusionDetectionSystem rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "82.16747971922538"^^xsd:double ;
+ "50.166724812039995"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#NonProfitIndustrySector
+:NonProfitIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "31.566758475836693"^^xsd:double ;
+ "88.87118429551391"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#Objective
+:Objective rdf:type owl:Class .
+
+
+### http://ontologies.ti-semantics.com/cti#Observable
+:Observable rdf:type owl:Class ;
+ [ "37.19495271521704"^^xsd:double ;
+ "271.3321717387462"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:label "Observable"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#ObservableObject
+:ObservableObject rdf:type owl:Class ;
+ [ "43.96966306648843"^^xsd:double ;
+ "77.87898815345083"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:isDefinedBy "https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_mlbmudhl16lr"^^xsd:anyURI .
+
+
+### http://ontologies.ti-semantics.com/cti#ObservedData
+:ObservedData rdf:type owl:Class ;
+ rdfs:subClassOf [ rdf:type owl:Restriction ;
+ owl:onProperty :firstSeen ;
+ owl:allValuesFrom xsd:dateTimeStamp
+ ] ,
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :lastSeen ;
+ owl:allValuesFrom xsd:dateTimeStamp
+ ] ,
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :observedDataCount ;
+ owl:allValuesFrom xsd:positiveInteger
+ ] ;
+ [ "14.50617570629219"^^xsd:double ;
+ "227.60992595043956"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment """Examples
Observed Data of a File object
{
- "type": "observed-data",
- "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
- "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
- "created": "2016-04-06T19:58:16.000Z",
- "modified": "2016-04-06T19:58:16.000Z",
- "first_observed": "2015-12-21T19:00:00Z",
- "last_observed": "2015-12-21T19:00:00Z",
- "number_observed": 50,
- "objects": {
- "0": {
- "type": "file",
+ \"type\": \"observed-data\",
+ \"id\": \"observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf\",
+ \"created_by_ref\": \"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",
+ \"created\": \"2016-04-06T19:58:16.000Z\",
+ \"modified\": \"2016-04-06T19:58:16.000Z\",
+ \"first_observed\": \"2015-12-21T19:00:00Z\",
+ \"last_observed\": \"2015-12-21T19:00:00Z\",
+ \"number_observed\": 50,
+ \"objects\": {
+ \"0\": {
+ \"type\": \"file\",
...
}
}
-}
- Observed Data conveys information that was observed on systems and networks using the Cyber Observable specification defined in parts 3 and 4 of this specification. For example, Observed Data can capture the observation of an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply information: this file was seen, without any context for what it means.
+}"""@en ,
+ """Observed Data conveys information that was observed on systems and networks using the Cyber Observable specification defined in parts 3 and 4 of this specification. For example, Observed Data can capture the observation of an IP address, a network connection, a file, or a registry key. Observed Data is not an intelligence assertion, it is simply information: this file was seen, without any context for what it means.
Observed Data captures both a single observation of a single entity (file, network connection) as well as the aggregation of multiple observations of an entity. When the number_observed property is 1 the Observed Data is of a single entity. When the number_observed property is greater than 1, the observed data consists of several instances of an entity collected over the time window specified by the first_observed and last_observed properties. When used to collect aggregate data, it is likely that some fields in the Cyber Observable Object (e.g., timestamp fields) will be omitted because they would differ for each of the individual observations.
Observed Data may be used by itself (without relationships) to convey raw data collected from network and host-based detection tools. A firewall could emit a single Observed Data instance containing a single Network Traffic object for each connection it sees. The firewall could also aggregate data and instead send out an Observed Data instance every ten minutes with an IP address and an appropriate number_observed value to indicate the number of times that IP address was observed in that window.
-Observed Data may also be related to other SDOs to represent raw data that is relevant to those objects. The Sighting object, which captures the sighting of an Indicator, Malware, or other SDO, uses Observed Data to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active).
- TODO: is this 'event' in the ACT data model?
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714322
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Procedures are representations of the behavior or modus operandi of cyber adversaries. They describe the 'how' of a adversarial behavior at a macro level.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Reports are expected to have one or more ReportLabel but we'll refrain from making that a necessary condition.
- Reports collect threat intelligence focused on one or more topics (via foaf:topic), such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story.
+Observed Data may also be related to other SDOs to represent raw data that is relevant to those objects. The Sighting object, which captures the sighting of an Indicator, Malware, or other SDO, uses Observed Data to represent the raw information that led to the creation of the Sighting (e.g., what was actually seen that suggested that a particular instance of malware was active)."""@en ,
+ "TODO: is this 'event' in the ACT data model?"@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714322"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#PharmaceuticalsIndustrySector
+:PharmaceuticalsIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "181.4398358705223"^^xsd:double ;
+ "191.98648312631397"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#PreAttackMatrix
+:PreAttackMatrix rdf:type owl:Class ;
+ rdfs:subClassOf :Matrix ;
+ [ "181.82546954453045"^^xsd:double ;
+ "175.28003746743212"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#Procedure
+:Procedure rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Restriction ;
+ owl:onProperty :includes ;
+ owl:someValuesFrom
+ ] ,
+ [ rdf:type owl:Restriction ;
+ owl:onProperty :includes ;
+ owl:someValuesFrom :Technique
+ ] ;
+ [ "185.40907597092666"^^xsd:double ;
+ "139.31018405735819"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Within ATT&CK, procedures are the specific implementation adversaries have used for techniques or sub-techniques. A procedure can span multiple techniques and sub-techniques."@en ;
+ rdfs:label "Procedure"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#ProcessWhitelisting
+:ProcessWhitelisting rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "300.76128910731245"^^xsd:double ;
+ "214.4117646349829"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#RelatedToRelationship
+:RelatedToRelationship rdf:type owl:Class ;
+ rdfs:subClassOf :Relationship ;
+ [ "229.75936473718903"^^xsd:double ;
+ "240.46779132119138"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Only seems to be used in PRE-ATT&CK which is deprecated."@en ;
+ owl:deprecated "true"^^xsd:boolean .
+
+
+### http://ontologies.ti-semantics.com/cti#Relationship
+:Relationship rdf:type owl:Class ;
+ [ "237.1224978295913"^^xsd:double ;
+ "232.55636564660674"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#Report
+:Report rdf:type owl:Class ;
+ rdfs:subClassOf ;
+ [ "243.77488771976226"^^xsd:double ;
+ "238.89625591589106"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Reports are expected to have one or more ReportLabel but we'll refrain from making that a necessary condition."@en ,
+ """Reports collect threat intelligence focused on one or more topics (via foaf:topic), such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story.
For example, a threat report produced by ACME Defense Corp. discussing the Glass Gazelle campaign should be represented using Report.
-While a report typically contains a narrative associated with the topic, that is hard to capture in a quantifiable way. However, indicators, goals, tactics, etc should should be exposed through this type of object.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714325
-
-
-
-
-
-
-
-
- Report label is an open vocabulary to describe the primary purpose or subject of a report. For example, a report that contains malware and indicators for that malware should have a report label of malware to capture that the malware is the primary purpose. Report labels are not mutually exclusive: a Report can be both a malware report and a tool report. Just because a report contains objects of a type does not mean that the report should include that label. If the objects are there to simply provide evidence or context for other objects, it is not necessary to include them in the label.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709303
- ReportLabel
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Something that can be sighted.
-
-
-
-
-
-
-
-
-
-
- 1
-
-
-
- A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior.
- Examples
+While a report typically contains a narrative associated with the topic, that is hard to capture in a quantifiable way. However, indicators, goals, tactics, etc should should be exposed through this type of object."""@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714325"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#ReportLabel
+:ReportLabel rdf:type owl:Class ;
+ rdfs:subClassOf :Vocabularies ;
+ [ "65.3270253514031"^^xsd:double ;
+ "144.154103541674"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Report label is an open vocabulary to describe the primary purpose or subject of a report. For example, a report that contains malware and indicators for that malware should have a report label of malware to capture that the malware is the primary purpose. Report labels are not mutually exclusive: a Report can be both a malware report and a tool report. Just because a report contains objects of a type does not mean that the report should include that label. If the objects are there to simply provide evidence or context for other objects, it is not necessary to include them in the label."@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709303"@en ;
+ rdfs:label "ReportLabel"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#RetailIndustrySector
+:RetailIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "98.66956564718508"^^xsd:double ;
+ "11.159685349250758"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#RevokedByRelationship
+:RevokedByRelationship rdf:type owl:Class ;
+ rdfs:subClassOf :Relationship ;
+ [ "164.76341384245492"^^xsd:double ;
+ "105.0239166641443"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#ServerNetworkAddress
+:ServerNetworkAddress rdf:type owl:Class ;
+ rdfs:subClassOf :ObservableObject ;
+ [ "290.19576357868544"^^xsd:double ;
+ "176.05933491070536"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#Sightable
+:Sightable rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Class ;
+ owl:unionOf (
+
+
+
+ :AttackPattern
+ :Campaign
+ :Identity
+ :Indicator
+ :IntrusionSet
+ :ObservedData
+ )
+ ] ;
+ [ "243.126701285538"^^xsd:double ;
+ "178.83139186057784"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Something that can be sighted."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#Sighting
+:Sighting rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Restriction ;
+ owl:onProperty :sightingOf ;
+ owl:qualifiedCardinality "1"^^xsd:nonNegativeInteger ;
+ owl:onClass :Indicator
+ ] ;
+ [ "89.35335064482979"^^xsd:double ;
+ "251.23246112303866"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "A Sighting denotes the belief that something in CTI (e.g., an indicator, malware, tool, threat actor, etc.) was seen. Sightings are used to track who and what are being targeted, how attacks are carried out, and to track trends in attack behavior."@en ,
+ """Examples
Sighting of Indicator, without Observed Data
{
- "type": "sighting",
- "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
- "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
- "created": "2016-04-06T20:08:31.000Z",
- "modified": "2016-04-06T20:08:31.000Z",
- "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
+ \"type\": \"sighting\",
+ \"id\": \"sighting--ee20065d-2555-424f-ad9e-0f8428623c75\",
+ \"created_by_ref\": \"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",
+ \"created\": \"2016-04-06T20:08:31.000Z\",
+ \"modified\": \"2016-04-06T20:08:31.000Z\",
+ \"sighting_of_ref\": \"indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f\"
}
Sighting of Indicator, with Observed Data (what exactly was seen) and where it was seen
[
{
- "type": "sighting",
- "id": "sighting--ee20065d-2555-424f-ad9e-0f8428623c75",
- "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
- "created": "2016-04-06T20:08:31.000Z",
- "modified": "2016-04-06T20:08:31.000Z",
- "first_seen": "2015-12-21T19:00:00Z",
- "last_seen": "2015-12-21T19:00:00Z",
- "count": 50,
- "sighting_of_ref": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
- "observed_data_refs": ["observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf"],
- "where_sighted_refs": ["identity--b67d30ff-02ac-498a-92f9-32f845f448ff"]
+ \"type\": \"sighting\",
+ \"id\": \"sighting--ee20065d-2555-424f-ad9e-0f8428623c75\",
+ \"created_by_ref\": \"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",
+ \"created\": \"2016-04-06T20:08:31.000Z\",
+ \"modified\": \"2016-04-06T20:08:31.000Z\",
+ \"first_seen\": \"2015-12-21T19:00:00Z\",
+ \"last_seen\": \"2015-12-21T19:00:00Z\",
+ \"count\": 50,
+ \"sighting_of_ref\": \"indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f\",
+ \"observed_data_refs\": [\"observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf\"],
+ \"where_sighted_refs\": [\"identity--b67d30ff-02ac-498a-92f9-32f845f448ff\"]
},
{
- "type": "observed-data",
- "id": "observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf",
- "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
- "created": "2016-04-06T19:58:16.000Z",
- "modified": "2016-04-06T19:58:16.000Z",
- "start": "2015-12-21T19:00:00Z",
- "stop": "2016-04-06T19:58:16Z",
- "count": 50,
- "objects": {
- "0": {
- "type": "file",
+ \"type\": \"observed-data\",
+ \"id\": \"observed-data--b67d30ff-02ac-498a-92f9-32f845f448cf\",
+ \"created_by_ref\": \"identity--f431f809-377b-45e0-aa1c-6a4751cae5ff\",
+ \"created\": \"2016-04-06T19:58:16.000Z\",
+ \"modified\": \"2016-04-06T19:58:16.000Z\",
+ \"start\": \"2015-12-21T19:00:00Z\",
+ \"stop\": \"2016-04-06T19:58:16Z\",
+ \"count\": 50,
+ \"objects\": {
+ \"0\": {
+ \"type\": \"file\",
...
}
}
}
-]
- TODO: is this 'event' in the ACT Framework?
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714342
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- x-mitre-tactic
- Category of techniques
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Threat actor label is an open vocabulary used to describe what type of threat actor the individual or group is. For example, some threat actors are competitors who try to steal information, while others are activists who act in support of a social or political cause. Actor labels are not mutually exclusive: a threat actor can be both a disgruntled insider and a spy. [Casey 2007])
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709304
- threat-actor
-
-
-
-
-
-
-
-
- Threat actor role is an open vocabulary that is used to describe the different roles that a threat actor can play. For example, some threat actors author malware or operate botnets while other actors actually carry out attacks directly.
-Threat actor roles are not mutually exclusive. For example, an actor can be both a financial backer for attacks and also direct attacks.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709305
- threat-actor-role
-
-
-
-
-
-
-
-
- Threat actor sophistication vocabulary captures the skill level of a threat actor. It ranges from "none", which describes a complete novice, to "strategic", which describes an attacker who is able to influence supply chains to introduce vulnerabilities. This vocabulary is separate from resource level because an innovative, highly-skilled threat actor may have access to very few resources while a minimal-level actor might have the resources of an organized crime ring.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709306
- threat-actor-sophistication
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack.
+]"""@en ,
+ "TODO: is this 'event' in the ACT Framework?"@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714342"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#SignatureBasedDetection
+:SignatureBasedDetection rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "56.89607258834317"^^xsd:double ;
+ "52.00815565279119"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#StaticFileAnalysis
+:StaticFileAnalysis rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "236.9059821411016"^^xsd:double ;
+ "291.5358024837348"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#SubTechnique
+:SubTechnique rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Restriction ;
+ owl:onProperty :subtechniqueOf ;
+ owl:someValuesFrom :Technique
+ ] ;
+ [ "197.41358763306857"^^xsd:double ;
+ "288.36815840429813"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Sub-techniques further break down behaviors described by techniques into more specific descriptions of how behavior is used to achieve an objective. For example, with OS Credential Dumping, there are several more specific behaviors under this technique that can be described as sub-techniques, including accessing LSASS Memory, the Security Account Manager, or accessing /etc/passwd and /etc/shadow."@en ;
+ rdfs:label "Sub-Technique"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#SubtechniqueOfRelationship
+:SubtechniqueOfRelationship rdf:type owl:Class ;
+ rdfs:subClassOf :Relationship ;
+ [ "122.42347129789198"^^xsd:double ;
+ "215.04688962746192"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#SystemAccessControls
+:SystemAccessControls rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "289.2910717128526"^^xsd:double ;
+ "279.28991085374315"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#Tactic
+:Tactic rdf:type owl:Class ;
+ :mitreVerb "x-mitre-tactic"@en ;
+ [ "172.53999744772344"^^xsd:double ;
+ "230.1324290307472"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Tactics represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical objective: the reason for performing an action. Tactics serve as useful contextual categories for individual techniques and cover standard notations for things adversaries do during an operation, such as persist, discover information, move laterally, execute files, and exfiltrate data."@en .
+
+
+### http://ontologies.ti-semantics.com/cti#Technique
+:Technique rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Restriction ;
+ owl:onProperty :accomplishes ;
+ owl:someValuesFrom :Tactic
+ ] ;
+ rdfs:subClassOf :Observable ;
+ [ "195.20829276865626"^^xsd:double ;
+ "5.769376737808188"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Techniques represent “how” an adversary achieves a tactical objective by performing an action. Techniques may also represent “what” an adversary gains by performing an action."@en ;
+ rdfs:label "Technique"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#TechnologyIndustrySector
+:TechnologyIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "134.65666556318138"^^xsd:double ;
+ "38.903803656686925"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#TelecommunicationsIndustrySector
+:TelecommunicationsIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "116.60401134850788"^^xsd:double ;
+ "21.212475144280155"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#ThreatActorLabel
+:ThreatActorLabel rdf:type owl:Class ;
+ rdfs:subClassOf :Vocabularies ;
+ [ "141.92890479906887"^^xsd:double ;
+ "189.22242068885194"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Threat actor label is an open vocabulary used to describe what type of threat actor the individual or group is. For example, some threat actors are competitors who try to steal information, while others are activists who act in support of a social or political cause. Actor labels are not mutually exclusive: a threat actor can be both a disgruntled insider and a spy. [Casey 2007])"@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709304"@en ;
+ rdfs:label "threat-actor"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#ThreatActorRoleVocab
+:ThreatActorRoleVocab rdf:type owl:Class ;
+ rdfs:subClassOf :Vocabularies ;
+ [ "201.0633675378922"^^xsd:double ;
+ "65.91220873210877"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment """Threat actor role is an open vocabulary that is used to describe the different roles that a threat actor can play. For example, some threat actors author malware or operate botnets while other actors actually carry out attacks directly.
+Threat actor roles are not mutually exclusive. For example, an actor can be both a financial backer for attacks and also direct attacks."""@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709305"@en ;
+ rdfs:label "threat-actor-role"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#ThreatActorSophisticationVocab
+:ThreatActorSophisticationVocab rdf:type owl:Class ;
+ rdfs:subClassOf :Vocabularies ;
+ [ "119.98396888789189"^^xsd:double ;
+ "55.389532900440955"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Threat actor sophistication vocabulary captures the skill level of a threat actor. It ranges from \"none\", which describes a complete novice, to \"strategic\", which describes an attacker who is able to influence supply chains to introduce vulnerabilities. This vocabulary is separate from resource level because an innovative, highly-skilled threat actor may have access to very few resources while a minimal-level actor might have the resources of an organized crime ring."@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709306"@en ;
+ rdfs:label "threat-actor-sophistication"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#Tool
+:Tool rdf:type owl:Class ;
+ owl:equivalentClass [ rdf:type owl:Restriction ;
+ owl:onProperty :implements ;
+ owl:someValuesFrom :Technique
+ ] ;
+ rdfs:subClassOf ;
+ [ "141.12743999028862"^^xsd:double ;
+ "124.48186903280221"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment """Tools are legitimate software that can be used by threat actors to perform attacks. Knowing how and when threat actors use such tools can be important for understanding how campaigns are executed. Unlike malware, these tools or software packages are often found on a system and have legitimate purposes for power users, system administrators, network administrators, or even normal users. Remote access tools (e.g., RDP) and network scanning tools (e.g., Nmap) are examples of Tools that may be used by a Threat Actor during an attack.
The Tool SDO characterizes the properties of these software tools and can be used as a basis for making an assertion about how a Threat Actor uses them during an attack. It contains properties to name and describe the tool, a list of Kill Chain Phases the tool can be used to carry out, and the version of the tool.
-This SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterise tools used as part of a course of action in response to an attack. Tools used during response activities can be included directly as part of a Course of Action SDO.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714331
-
-
-
-
-
-
-
-
- Tool labels describe the categories of tools that can be used to perform attacks.
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709307
- tool
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+This SDO MUST NOT be used to characterize malware. Further, Tool MUST NOT be used to characterise tools used as part of a course of action in response to an attack. Tools used during response activities can be included directly as part of a Course of Action SDO."""@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part2-stix-objects/stix-v2.0-cs01-part2-stix-objects.html#_Toc496714331"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#ToolLabel
+:ToolLabel rdf:type owl:Class ;
+ rdfs:subClassOf :Vocabularies ;
+ [ "77.42790050741587"^^xsd:double ;
+ "19.339376638240164"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] ;
+ rdfs:comment "Tool labels describe the categories of tools that can be used to perform attacks."@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709307"@en ;
+ rdfs:label "tool"@en .
+
+
+### http://ontologies.ti-semantics.com/cti#TransportationIndustrySector
+:TransportationIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "89.27395508562576"^^xsd:double ;
+ "8.270914176891166"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#UserModeSignatureValidation
+:UserModeSignatureValidation rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "18.37729557380348"^^xsd:double ;
+ "276.463817604824"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#UsesRelationship
+:UsesRelationship rdf:type owl:Class ;
+ rdfs:subClassOf :Relationship ;
+ [ "264.01443480070975"^^xsd:double ;
+ "97.87219123636947"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
-
-
+### http://ontologies.ti-semantics.com/cti#UtilitiesIndustrySector
+:UtilitiesIndustrySector rdf:type owl:Class ;
+ rdfs:subClassOf :IndustrySector ;
+ [ "71.83785596287191"^^xsd:double ;
+ "78.95325568430837"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
-
+### http://ontologies.ti-semantics.com/cti#Vocabularies
+:Vocabularies rdf:type owl:Class ;
+ [ "98.73004844790223"^^xsd:double ;
+ "169.01228141270207"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://ontologies.ti-semantics.com/cti#WindowsUserAccountControl
+:WindowsUserAccountControl rdf:type owl:Class ;
+ rdfs:subClassOf :DetectionMethod ;
+ [ "262.05048696288964"^^xsd:double ;
+ "192.43040461458213"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
+
+### http://purl.org/dc/dcmitype/Software
+ rdf:type owl:Class ;
+ [ "83.86363437393881"^^xsd:double ;
+ "201.16516267290555"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
+
-
-
-
-
+### http://www.w3.org/2006/time#TemporalEntity
+ rdf:type owl:Class ;
+ [ "235.31366338110516"^^xsd:double ;
+ "82.77070938798586"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
-
+### http://xmlns.com/foaf/0.1/Agent
+ rdf:type owl:Class ;
+ [ "157.81765103501039"^^xsd:double ;
+ "256.69114486618037"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
-
-
+### http://xmlns.com/foaf/0.1/Document
+ rdf:type owl:Class ;
+ [ "61.29405845755734"^^xsd:double ;
+ "4.317999066416837"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
-
-
-
+### http://xmlns.com/foaf/0.1/Group
+ rdf:type owl:Class ;
+ [ "54.945968789515454"^^xsd:double ;
+ "129.17348606322378"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
-
+### http://xmlns.com/foaf/0.1/Organization
+ rdf:type owl:Class ;
+ [ "79.59780779903357"^^xsd:double ;
+ "92.24041656678764"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
-
-
+### http://xmlns.com/foaf/0.1/Person
+ rdf:type owl:Class ;
+ [ "67.46299062581939"^^xsd:double ;
+ "275.6780260473321"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
-
-
-
+#################################################################
+# Individuals
+#################################################################
+### http://ontologies.ti-semantics.com/cti#MD5-hash-algorithm
+:MD5-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the MD5 message digest algorithm. The corresponding hash string for this value MUST be a valid MD5 message digest as defined in [RFC 1321]."@en ;
+ rdfs:label "MD5"@en .
-
-
-
+### http://ontologies.ti-semantics.com/cti#MD6-hash-algorithm
+:MD6-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the MD6 message digest algorithm. The corresponding hash string for this value MUST be a valid MD6 message digest as defined in the [MD6] proposal."@en ;
+ rdfs:label "MD6"@en .
-
+### http://ontologies.ti-semantics.com/cti#RIPEMD-160-hash-algorithm
+:RIPEMD-160-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest) cryptographic hash function. The corresponding hash string for this value MUST be a valid RIPEMD-160 message digest as defined in the [RIPEMD-160] specification."@en ;
+ rdfs:label "RIPEMD-160"@en .
-
-
+### http://ontologies.ti-semantics.com/cti#SHA-1-hash-algorithm
+:SHA-1-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the SHA-1 (secure-hash algorithm 1) cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA-1 message digest as defined in [RFC 3174]."@en ;
+ rdfs:label "SHA-1"@en .
-
-
-
+### http://ontologies.ti-semantics.com/cti#SHA-224-hash-algorithm
+:SHA-224-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the SHA-224 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-224 message digest as defined in [RFC 6234]."@en ;
+ rdfs:label "SHA-224"@en .
-
+### http://ontologies.ti-semantics.com/cti#SHA-256-hash-algorithm
+:SHA-256-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the SHA-256 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-256 message digest as defined in [RFC 6234]."@en ;
+ rdfs:label "SHA-256"@en .
-
+### http://ontologies.ti-semantics.com/cti#SHA-384-hash-algorithm
+:SHA-384-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the SHA-384 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-384 message digest as defined in [RFC 6234]."@en ;
+ rdfs:label "SHA-384"@en .
-
-
-
- Specifies the MD5 message digest algorithm. The corresponding hash string for this value MUST be a valid MD5 message digest as defined in [RFC 1321].
- MD5
-
-
+### http://ontologies.ti-semantics.com/cti#SHA-512-hash-algorithm
+:SHA-512-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the SHA-512 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-512 message digest as defined in [RFC 6234]."@en ;
+ rdfs:label "SHA-512"@en .
-
+### http://ontologies.ti-semantics.com/cti#SHA3-224-hash-algorithm
+:SHA3-224-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the SHA3-224 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-224 message digest as defined in [FIPS202]."@en ;
+ rdfs:label "SHA3-224"@en .
-
-
- Specifies the MD6 message digest algorithm. The corresponding hash string for this value MUST be a valid MD6 message digest as defined in the [MD6] proposal.
- MD6
-
-
+### http://ontologies.ti-semantics.com/cti#SHA3-256-hash-algorithm
+:SHA3-256-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the SHA3-256 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-256 message digest as defined in [FIPS202]."@en ;
+ rdfs:label "SHA3-256"@en .
-
-
-
- Specifies the RIPEMD-160 (RACE Integrity Primitives Evaluation Message Digest) cryptographic hash function. The corresponding hash string for this value MUST be a valid RIPEMD-160 message digest as defined in the [RIPEMD-160] specification.
- RIPEMD-160
-
-
+### http://ontologies.ti-semantics.com/cti#SHA3-384-hash-algorithm
+:SHA3-384-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the SHA3-384 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-384 message digest as defined in [FIPS202]."@en ;
+ rdfs:label "SHA3-384"@en .
-
+### http://ontologies.ti-semantics.com/cti#SHA3-512-hash-algorithm
+:SHA3-512-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the SHA3-512 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-512 message digest as defined in [FIPS202]."@en ;
+ rdfs:label "SHA3-512"@en .
-
-
- Specifies the SHA-1 (secure-hash algorithm 1) cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA-1 message digest as defined in [RFC 3174].
- SHA-1
-
-
+### http://ontologies.ti-semantics.com/cti#WHIRLPOOL-hash-algorithm
+:WHIRLPOOL-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the whirlpool cryptographic hash function. The corresponding hash string for this value MUST be a valid WHIRLPOOL message digest as defined in [ISO10118]."@en ;
+ rdfs:label "WHIRLPOOL"@en .
-
-
-
- Specifies the SHA-224 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-224 message digest as defined in [RFC 6234].
- SHA-224
-
-
+### http://ontologies.ti-semantics.com/cti#accidental-attack-motivation
+:accidental-attack-motivation rdf:type owl:NamedIndividual ,
+ :AttackMotivationVocab ;
+ rdfs:comment """A non-hostile actor whose benevolent or harmless intent inadvertently causes harm.
+For example, a well-meaning and dedicated employee who through distraction or poor training unintentionally causes harm to his or her organization.""" ,
+ "According to the text, this implies that it's disjoint with pretty much all of the other motivations with the exception of coercion. Unpredictability might be considered, but an accidental actor isn't acting unpredictably by intent." ;
+ rdfs:label "accidental"@en .
-
+### http://ontologies.ti-semantics.com/cti#activist-threat-actor
+:activist-threat-actor rdf:type owl:NamedIndividual ,
+ :ThreatActorLabel ;
+ rdfs:comment """Highly motivated, potentially destructive supporter of a social or political cause (e.g., trade, labor, environment, etc.) that attempts to disrupt an organization's business model or damage their image.
+This category includes actors sometimes referred to as anarchists, cyber vandals, extremists, and hacktivists."""@en ;
+ rdfs:label "activist"@en .
-
-
- Specifies the SHA-256 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-256 message digest as defined in [RFC 6234].
- SHA-256
-
-
-
-
-
-
-
- Specifies the SHA-384 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-384 message digest as defined in [RFC 6234].
- SHA-384
-
-
-
-
-
-
-
-
- Specifies the SHA-512 cryptographic hash function (part of the SHA2 family). The corresponding hash string for this value MUST be a valid SHA-512 message digest as defined in [RFC 6234].
- SHA-512
-
-
-
-
-
-
-
-
- Specifies the SHA3-224 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-224 message digest as defined in [FIPS202].
- SHA3-224
-
-
-
-
-
-
-
-
- Specifies the SHA3-256 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-256 message digest as defined in [FIPS202].
- SHA3-256
-
-
-
-
-
-
-
-
- Specifies the SHA3-384 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-384 message digest as defined in [FIPS202].
- SHA3-384
-
-
-
-
-
-
-
-
- Specifies the SHA3-512 cryptographic hash function. The corresponding hash string for this value MUST be a valid SHA3-512 message digest as defined in [FIPS202].
- SHA3-512
-
-
-
-
-
-
-
-
- Specifies the whirlpool cryptographic hash function. The corresponding hash string for this value MUST be a valid WHIRLPOOL message digest as defined in [ISO10118].
- WHIRLPOOL
-
-
-
-
-
-
-
-
- A non-hostile actor whose benevolent or harmless intent inadvertently causes harm.
-For example, a well-meaning and dedicated employee who through distraction or poor training unintentionally causes harm to his or her organization.
- According to the text, this implies that it's disjoint with pretty much all of the other motivations with the exception of coercion. Unpredictability might be considered, but an accidental actor isn't acting unpredictably by intent.
- accidental
-
-
-
-
-
-
-
-
- Highly motivated, potentially destructive supporter of a social or political cause (e.g., trade, labor, environment, etc.) that attempts to disrupt an organization's business model or damage their image.
-This category includes actors sometimes referred to as anarchists, cyber vandals, extremists, and hacktivists.
- activist
-
-
-
-
-
-
-
-
- Can develop their own tools or scripts from publicly known vulnerabilities to target systems and users. Actors in this category are very adept at IT systems and have a background in software development along with a solid understanding of defensive techniques and operational security.
+### http://ontologies.ti-semantics.com/cti#advanced-threat-actor-sophistication
+:advanced-threat-actor-sophistication rdf:type owl:NamedIndividual ,
+ :ThreatActorSophisticationVocab ;
+ rdfs:comment """Can develop their own tools or scripts from publicly known vulnerabilities to target systems and users. Actors in this category are very adept at IT systems and have a background in software development along with a solid understanding of defensive techniques and operational security.
These actors rely on others to find and identify weaknesses and vulnerabilities in systems, but are able to create their own tools, delivery mechanisms, and execution strategies.
Example Roles: Toolkit Developer
These actors:
● attack known vulnerabilities;
● can create their own tools; and
-● have proficient knowledge of the tools.
- advanced
-
-
-
-
-
-
-
-
- Any software that is funded by advertising. Adware may also gather sensitive user information from a system.
- adware
-
-
-
-
-
-
-
- aerospace
-
-
-
-
-
-
-
-
- Threat actor executes attacks either on behalf of themselves or at the direction of someone else.
- agent
-
-
-
-
-
-
-
- agriculture
-
-
-
-
-
-
-
- Unexpected, or unusual activity that may not necessarily be malicious or indicate compromise. This type of activity may include reconnaissance-like behavior such as port scans or version identification, network behavior anomalies, and asset and/or user behavioral anomalies.
- anomalous activity
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Report subject is a characterization of one or more attack patterns and related information.
- attack-pattern
-
-
-
-
-
-
-
- automotive
-
-
-
-
-
+● have proficient knowledge of the tools."""@en ;
+ rdfs:label "advanced"@en .
-
-
- A malicious program that allows an attacker to perform actions on a remote system, such as transferring files, acquiring passwords, or executing arbitrary commands [Mell2005].
- backdoor
-
-
+### http://ontologies.ti-semantics.com/cti#adware-malware
+:adware-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "Any software that is funded by advertising. Adware may also gather sensitive user information from a system."@en ;
+ rdfs:label "adware"@en .
-
-
-
- A program that resides on an infected system, communicating with and forming part of a botnet. The bot may be implanted by a worm or Trojan, which opens a backdoor. The bot then monitors the backdoor for further instructions.
- bot
-
-
+### http://ontologies.ti-semantics.com/cti#aerospace-industry-sector
+:aerospace-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "aerospace"@en .
-
+### http://ontologies.ti-semantics.com/cti#agent-threat-actor-role
+:agent-threat-actor-role rdf:type owl:NamedIndividual ,
+ :ThreatActorRoleVocab ;
+ rdfs:comment "Threat actor executes attacks either on behalf of themselves or at the direction of someone else."@en ;
+ rdfs:label "agent"@en .
-
-
- Report subject is a characterization of one or more campaigns and related information.
- campaign
-
-
+### http://ontologies.ti-semantics.com/cti#agriculture-industry-sector
+:agriculture-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "agriculture"@en .
-
-
- A class of entities, such as all hospitals, all Europeans, or the Domain Administrators in a system.
- class
-
-
+### http://ontologies.ti-semantics.com/cti#anomalous-activity-indicator
+:anomalous-activity-indicator rdf:type owl:NamedIndividual ;
+ rdfs:comment "Unexpected, or unusual activity that may not necessarily be malicious or indicate compromise. This type of activity may include reconnaissance-like behavior such as port scans or version identification, network behavior anomalies, and asset and/or user behavioral anomalies."@en ;
+ rdfs:label "anomalous activity"@en .
-
+### http://ontologies.ti-semantics.com/cti#attack-motivation-ov
+:attack-motivation-ov rdf:type owl:NamedIndividual ,
+ owl:Thing .
-
-
-
-
+### http://ontologies.ti-semantics.com/cti#attack-pattern-report
+:attack-pattern-report rdf:type owl:NamedIndividual ,
+ :ReportLabel ;
+ rdfs:comment "Report subject is a characterization of one or more attack patterns and related information."@en ;
+ rdfs:label "attack-pattern"@en .
-
-
-
- Being forced to act on someone else's behalf.
-Adversaries who are motivated by coercion are often forced through intimidation or blackmail to act illegally for someone else’s benefit. Unlike the other motivations, a coerced person does not act for personal gain, but out of fear of incurring a loss.
- This is also pretty much mutually exclusive of other motivating factors and it is not the same as accidental
- coercion
-
-
+### http://ontologies.ti-semantics.com/cti#automotive-industry-sector
+:automotive-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "automotive"@en .
-
+### http://ontologies.ti-semantics.com/cti#backdoor-malware
+:backdoor-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A malicious program that allows an attacker to perform actions on a remote system, such as transferring files, acquiring passwords, or executing arbitrary commands [Mell2005]."@en ;
+ rdfs:label "backdoor"@en .
-
- communications
-
-
+### http://ontologies.ti-semantics.com/cti#bot-malware
+:bot-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A program that resides on an infected system, communicating with and forming part of a botnet. The bot may be implanted by a worm or Trojan, which opens a backdoor. The bot then monitors the backdoor for further instructions."@en ;
+ rdfs:label "bot"@en .
-
-
-
- An organization that competes in the same economic marketplace.
-The goal of a competitor is to gain an advantage in business with respect to the rival organization it targets. It usually does this by copying intellectual property, trade secrets, acquisition strategies, or other technical or business data from a rival organization with the intention of using the data to bolster its own assets and market position.
- competitor
-
-
+### http://ontologies.ti-semantics.com/cti#campaign-report
+:campaign-report rdf:type owl:NamedIndividual ,
+ :ReportLabel ;
+ rdfs:comment "Report subject is a characterization of one or more campaigns and related information."@en ;
+ rdfs:label "campaign"@en .
-
+### http://ontologies.ti-semantics.com/cti#class-identity
+:class-identity rdf:type owl:NamedIndividual ;
+ rdfs:comment "A class of entities, such as all hospitals, all Europeans, or the Domain Administrators in a system."@en ;
+ rdfs:label "class"@en .
-
- construction
-
-
+### http://ontologies.ti-semantics.com/cti#club-attack-resource-level
+:club-attack-resource-level rdf:type owl:NamedIndividual ,
+ :AttackResourceLevelVocab .
-
-
-
- A formally organized group with a leader, typically motivated by a specific goal and organized around that goal. Group persists long term and typically operates within a single geography.
- contest
-
-
+### http://ontologies.ti-semantics.com/cti#coercion-attack-motivation
+:coercion-attack-motivation rdf:type owl:NamedIndividual ,
+ :AttackMotivationVocab ;
+ rdfs:comment """Being forced to act on someone else's behalf.
+Adversaries who are motivated by coercion are often forced through intimidation or blackmail to act illegally for someone else’s benefit. Unlike the other motivations, a coerced person does not act for personal gain, but out of fear of incurring a loss.""" ,
+ "This is also pretty much mutually exclusive of other motivating factors and it is not the same as accidental" ;
+ rdfs:label "coercion"@en .
-
+### http://ontologies.ti-semantics.com/cti#communications-industry-sector
+:communications-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "communications"@en .
-
-
- Tools used to crack password databases or otherwise exploit/discover credentials, either locally or remotely, such as John the Ripper and NCrack.
- credential-exploitation
-
-
+### http://ontologies.ti-semantics.com/cti#competitor-threat-actor
+:competitor-threat-actor rdf:type owl:NamedIndividual ,
+ :ThreatActorLabel ;
+ rdfs:comment """An organization that competes in the same economic marketplace.
+The goal of a competitor is to gain an advantage in business with respect to the rival organization it targets. It usually does this by copying intellectual property, trade secrets, acquisition strategies, or other technical or business data from a rival organization with the intention of using the data to bolster its own assets and market position."""@en ;
+ rdfs:label "competitor"@en .
-
-
-
- An enterprise organized to conduct significant, large-scale criminal activity for profit.
-Crime syndicates, also known as organized crime, are generally large, well-resourced groups that operate to create profit from all types of crime.
- crime-syndicate
-
-
+### http://ontologies.ti-semantics.com/cti#construction-industry-sector
+:construction-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "construction"@en .
-
+### http://ontologies.ti-semantics.com/cti#contest-attack-resource-level
+:contest-attack-resource-level rdf:type owl:NamedIndividual ,
+ :AttackResourceLevelVocab ;
+ rdfs:comment "A formally organized group with a leader, typically motivated by a specific goal and organized around that goal. Group persists long term and typically operates within a single geography."@en ;
+ rdfs:label "contest"@en .
-
-
- Individual who commits computer crimes, often for personal financial gain and often involves the theft of something valuable.
-Intellectual property theft, extortion via ransomware, and physical destruction are common examples. A criminal as defined here refers to those acting individually or in very small or informal groups. For sophisticated organized criminal activity, see the crime syndicate descriptor.
- criminal
-
-
+### http://ontologies.ti-semantics.com/cti#credential-exploitation-tool
+:credential-exploitation-tool rdf:type owl:NamedIndividual ,
+ :ToolLabel ;
+ rdfs:comment "Tools used to crack password databases or otherwise exploit/discover credentials, either locally or remotely, such as John the Ripper and NCrack."@en ;
+ rdfs:label "credential-exploitation"@en .
-
-
-
- A tool used to perform a distributed denial of service attack.
- ddos
-
-
+### http://ontologies.ti-semantics.com/cti#crime-syndicate-threat-actor
+:crime-syndicate-threat-actor rdf:type owl:NamedIndividual ,
+ :ThreatActorLabel ;
+ rdfs:comment """An enterprise organized to conduct significant, large-scale criminal activity for profit.
+Crime syndicates, also known as organized crime, are generally large, well-resourced groups that operate to create profit from all types of crime."""@en ;
+ rdfs:label "crime-syndicate"@en .
-
+### http://ontologies.ti-semantics.com/cti#criminal-threat-actor
+:criminal-threat-actor rdf:type owl:NamedIndividual ,
+ :ThreatActorLabel ;
+ rdfs:comment """Individual who commits computer crimes, often for personal financial gain and often involves the theft of something valuable.
+Intellectual property theft, extortion via ransomware, and physical destruction are common examples. A criminal as defined here refers to those acting individually or in very small or informal groups. For sophisticated organized criminal activity, see the crime syndicate descriptor."""@en ;
+ rdfs:label "criminal"@en .
-
- defence
-
-
+### http://ontologies.ti-semantics.com/cti#ddos-malware
+:ddos-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A tool used to perform a distributed denial of service attack."@en ;
+ rdfs:label "ddos"@en .
-
-
-
- Tools used to perform denial of service attacks or DDoS attacks, such as Low Orbit Ion Cannon (LOIC) and DHCPig.
- denial-of-service
-
-
+### http://ontologies.ti-semantics.com/cti#defence-industry-sector
+:defence-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "defence"@en .
-
+### http://ontologies.ti-semantics.com/cti#denial-of-service-tool
+:denial-of-service-tool rdf:type owl:NamedIndividual ,
+ :ToolLabel ;
+ rdfs:comment "Tools used to perform denial of service attacks or DDoS attacks, such as Low Orbit Ion Cannon (LOIC) and DHCPig."@en ;
+ rdfs:label "denial-of-service"@en .
-
-
- The threat actor who directs the activities, goals, and objectives of the malicious activities.
- director
-
-
+### http://ontologies.ti-semantics.com/cti#director-threat-actor-role
+:director-threat-actor-role rdf:type owl:NamedIndividual ,
+ :ThreatActorRoleVocab ;
+ rdfs:comment "The threat actor who directs the activities, goals, and objectives of the malicious activities."@en ;
+ rdfs:label "director"@en .
-
-
-
- A desire to assert superiority over someone or something else.
-Adversaries who are seeking dominance over a target are focused on using their power to force their target into submission or irrelevance. Dominance may be found with ideology in some state-sponsored attacks and with notoriety in some cyber vandalism based attacks.
- This is only mutually exclusive of accidental and coercion, as there may be multiple factors involved in the actor's motivation
- dominance
-
-
+### http://ontologies.ti-semantics.com/cti#dominance-attack-motivation
+:dominance-attack-motivation rdf:type owl:NamedIndividual ,
+ :AttackMotivationVocab ;
+ rdfs:comment """A desire to assert superiority over someone or something else.
+Adversaries who are seeking dominance over a target are focused on using their power to force their target into submission or irrelevance. Dominance may be found with ideology in some state-sponsored attacks and with notoriety in some cyber vandalism based attacks. """ ,
+ "This is only mutually exclusive of accidental and coercion, as there may be multiple factors involved in the actor's motivation" ;
+ rdfs:label "dominance"@en .
-
+### http://ontologies.ti-semantics.com/cti#dropper-malware
+:dropper-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A type of trojan that deposits an enclosed payload (generally, other malware) onto the target computer."@en ;
+ rdfs:label "dropper"@en .
-
-
- A type of trojan that deposits an enclosed payload (generally, other malware) onto the target computer.
- dropper
-
-
+### http://ontologies.ti-semantics.com/cti#education-industry-sector
+:education-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "education"@en .
-
-
- education
-
-
+### http://ontologies.ti-semantics.com/cti#energy-industry-sector
+:energy-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "energy"@en .
-
+### http://ontologies.ti-semantics.com/cti#entertainment-industry-sector
+:entertainment-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "entertainment"@en .
-
- energy
-
-
-
-
-
-
- entertainment
-
-
-
-
-
-
-
-
- Can focus on the discovery and use of unknown malicious code, are is adept at installing user and kernel mode rootkits, frequently use data mining tools, target corporate executives and key users (government and industry) for the purpose of stealing personal and corporate data. Actors in this category are very adept at IT systems and software development and are experts with security systems, defensive techniques, attack methods, and operational security.
+### http://ontologies.ti-semantics.com/cti#expert-threat-actor-sophistication
+:expert-threat-actor-sophistication rdf:type owl:NamedIndividual ,
+ :ThreatActorSophisticationVocab ;
+ rdfs:comment """Can focus on the discovery and use of unknown malicious code, are is adept at installing user and kernel mode rootkits, frequently use data mining tools, target corporate executives and key users (government and industry) for the purpose of stealing personal and corporate data. Actors in this category are very adept at IT systems and software development and are experts with security systems, defensive techniques, attack methods, and operational security.
Example Roles: Vulnerability Researcher, Reverse Engineer, Threat Researcher, Malware Creator
These actors:
● attack unknown and known vulnerabilities;
● can create their own tools from scratch; and
-● have proficient knowledge of the tools.
- expert
-
-
+● have proficient knowledge of the tools."""@en ;
+ rdfs:label "expert"@en .
-
+### http://ontologies.ti-semantics.com/cti#exploit-kit-malware
+:exploit-kit-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A software toolkit to target common vulnerabilities."@en ;
+ rdfs:label "exploit-kit"@en .
-
-
- A software toolkit to target common vulnerabilities.
- exploit-kit
-
-
+### http://ontologies.ti-semantics.com/cti#exploitation-tool
+:exploitation-tool rdf:type owl:NamedIndividual ,
+ :ToolLabel ;
+ rdfs:comment "Tools used to exploit software and systems, such as sqlmap and Metasploit."@en ;
+ rdfs:label "exploitation"@en .
-
-
-
- Tools used to exploit software and systems, such as sqlmap and Metasploit.
- exploitation
-
-
+### http://ontologies.ti-semantics.com/cti#financial-services-industry-sector
+:financial-services-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "financial-services"@en .
-
+### http://ontologies.ti-semantics.com/cti#government-attack-resource-level
+:government-attack-resource-level rdf:type owl:NamedIndividual ,
+ :AttackResourceLevelVocab ;
+ rdfs:comment "Controls public assets and functions within a jurisdiction; very well resourced and persists long term."@en ;
+ rdfs:label "government"@en .
-
- financial-services
-
-
+### http://ontologies.ti-semantics.com/cti#government-local-industry-sector
+:government-local-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "government-local"@en .
-
-
-
- Controls public assets and functions within a jurisdiction; very well resourced and persists long term.
- government
-
-
+### http://ontologies.ti-semantics.com/cti#government-national-industry-sector
+:government-national-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "government-national"@en .
-
+### http://ontologies.ti-semantics.com/cti#government-public-services-industry-sector
+:government-public-services-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "government-public-services"@en .
-
- government-local
-
-
+### http://ontologies.ti-semantics.com/cti#government-regional-industry-sector
+:government-regional-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "government-regional"@en .
-
-
- government-national
-
-
+### http://ontologies.ti-semantics.com/cti#group-identity
+:group-identity rdf:type owl:NamedIndividual ;
+ rdfs:comment "An informal collection of people, without formal governance, such as a distributed hacker group."@en ;
+ rdfs:label "group"@en .
-
+### http://ontologies.ti-semantics.com/cti#hacker-threat-actor
+:hacker-threat-actor rdf:type owl:NamedIndividual ,
+ :ThreatActorLabel ;
+ rdfs:comment """An individual that tends to break into networks for the thrill or the challenge of doing so.
+Hackers may use advanced skills or simple attack scripts they have downloaded."""@en ;
+ rdfs:label "hacker"@en .
-
- government-public-services
-
-
+### http://ontologies.ti-semantics.com/cti#healthcare-industry-sector
+:healthcare-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "healthcare"@en .
-
-
- government-regional
-
-
+### http://ontologies.ti-semantics.com/cti#hospitality-leisure-industry-sector
+:hospitality-leisure-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "hospitality-leisure"@en .
-
+### http://ontologies.ti-semantics.com/cti#identity-report
+:identity-report rdf:type owl:NamedIndividual ,
+ :ReportLabel ;
+ rdfs:comment "Report subject is a characterization of one or more identities and related information."@en ;
+ rdfs:label "identity"@en .
-
- An informal collection of people, without formal governance, such as a distributed hacker group.
- group
-
-
+### http://ontologies.ti-semantics.com/cti#ideology-attack-motivation
+:ideology-attack-motivation rdf:type owl:NamedIndividual ,
+ :AttackMotivationVocab ;
+ rdfs:comment """A passion to express a set of ideas, beliefs, and values that may shape and drive harmful and illegal acts.
+Adversaries who act for ideological reasons (e.g., political, religious, human rights, environmental, desire to cause chaos/anarchy, etc.) are not usually motivated primarily by the desire for profit; they are acting on their own sense of morality, justice, or political loyalty.
+For example, an activist group may sabotage a company’s equipment because they believe the company is harming the environment.""" ,
+ "While ideology implies some higher (if possibly faulty) values system, it is not mutually exclusive of most other motivations." ;
+ rdfs:label "ideology"@en .
-
-
-
- An individual that tends to break into networks for the thrill or the challenge of doing so.
-Hackers may use advanced skills or simple attack scripts they have downloaded.
- hacker
-
-
+### http://ontologies.ti-semantics.com/cti#independent-threat-actor-role
+:independent-threat-actor-role rdf:type owl:NamedIndividual ,
+ :ThreatActorRoleVocab ;
+ rdfs:comment "A threat actor acting by themselves."@en ;
+ rdfs:label "independent"@en .
-
+### http://ontologies.ti-semantics.com/cti#indicator-report
+:indicator-report rdf:type owl:NamedIndividual ,
+ :ReportLabel ;
+ rdfs:comment "Report subject is a characterization of one or more indicators and related information."@en ;
+ rdfs:label "indicator"@en .
-
- healthcare
-
-
+### http://ontologies.ti-semantics.com/cti#individual-attack-resource-level
+:individual-attack-resource-level rdf:type owl:NamedIndividual ,
+ :AttackResourceLevelVocab ;
+ rdfs:comment "Resources limited to the average individual; Threat Actor acts independently." ;
+ rdfs:label "individual"@en .
-
-
- hospitality-leisure
-
-
+### http://ontologies.ti-semantics.com/cti#individual-identity
+:individual-identity rdf:type owl:NamedIndividual ;
+ rdfs:comment "A single person"@en ;
+ rdfs:label "individual"@en .
-
+### http://ontologies.ti-semantics.com/cti#information-gathering-tool
+:information-gathering-tool rdf:type owl:NamedIndividual ,
+ :ToolLabel ;
+ rdfs:comment "Tools used to enumerate system and network information, e.g., NMAP."@en ;
+ rdfs:label "information-gathering"@en .
-
-
- Report subject is a characterization of one or more identities and related information.
- identity
-
-
+### http://ontologies.ti-semantics.com/cti#infrastructure-architect-threat-actor-role
+:infrastructure-architect-threat-actor-role rdf:type owl:NamedIndividual ,
+ :ThreatActorRoleVocab ;
+ rdfs:comment "Someone who designs the battle space."@en ;
+ rdfs:label "infrastructure-architect"@en .
-
-
-
- A passion to express a set of ideas, beliefs, and values that may shape and drive harmful and illegal acts.
-Adversaries who act for ideological reasons (e.g., political, religious, human rights, environmental, desire to cause chaos/anarchy, etc.) are not usually motivated primarily by the desire for profit; they are acting on their own sense of morality, justice, or political loyalty.
-For example, an activist group may sabotage a company’s equipment because they believe the company is harming the environment.
- While ideology implies some higher (if possibly faulty) values system, it is not mutually exclusive of most other motivations.
- ideology
-
-
+### http://ontologies.ti-semantics.com/cti#infrastructure-industry-sector
+:infrastructure-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "infrastructure"@en .
-
+### http://ontologies.ti-semantics.com/cti#infrastructure-operator-threat-actor-role
+:infrastructure-operator-threat-actor-role rdf:type owl:NamedIndividual ,
+ :ThreatActorRoleVocab ;
+ rdfs:comment "The threat actor who provides and supports the attack infrastructure that is used to deliver the attack (botnet providers, cloud services, etc.)."@en ;
+ rdfs:label "infrastructure-operator"@en .
-
-
- A threat actor acting by themselves.
- independent
-
-
+### http://ontologies.ti-semantics.com/cti#innovator-threat-actor-sophistication
+:innovator-threat-actor-sophistication rdf:type owl:NamedIndividual ,
+ :ThreatActorSophisticationVocab ;
+ rdfs:comment """Typically criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
+Demonstrates sophisticated capability. An innovator has the ability to create and script unique programs and codes targeting virtually any form of technology. At this level, this actor has a deep knowledge of networks, operating systems, programming languages, firmware, and infrastructure topologies and will demonstrate operational security when conducting his activities. Innovators are largely responsible for the discovery of 0-day vulnerabilities and the development of new attack techniques.
+Example Roles: Toolkit Innovator, 0-Day Exploit Author
+These actors:
+● attack unknown and known vulnerabilities;
+● create attacks against 0-Day exploits from scratch; and
+● create new and innovative attacks and toolkits."""@en ;
+ rdfs:label "innovator"@en .
-
-
-
- Report subject is a characterization of one or more indicators and related information.
- indicator
-
-
+### http://ontologies.ti-semantics.com/cti#insider-accidental-threat-actor
+:insider-accidental-threat-actor rdf:type owl:NamedIndividual ,
+ :ThreatActorLabel ;
+ rdfs:comment """A non-hostile insider who unintentionally exposes the organization to harm.
+“Insider” in this context includes any person extended internal trust, such as regular employees, contractors, consultants, and temporary workers."""@en ;
+ rdfs:label "insider-accidental"@en .
-
+### http://ontologies.ti-semantics.com/cti#insider-disgruntled-threat-actor
+:insider-disgruntled-threat-actor rdf:type owl:NamedIndividual ,
+ :ThreatActorLabel ;
+ rdfs:comment """Current or former insiders who seek revengeful and harmful retaliation for perceived wrongs.
+“Insider” in this context includes any person extended internal trust, such as regular employees, contractors, consultants, and temporary workers.
+Disgruntled threat actors may have extensive knowledge that can be leveraged when conducting attacks and can take any number of actions including sabotage, violence, theft, fraud, espionage, or embarrassing individuals or the organization."""@en ;
+ rdfs:label "insider-disgruntled"@en .
-
-
- Resources limited to the average individual; Threat Actor acts independently.
- individual
-
-
+### http://ontologies.ti-semantics.com/cti#insurance-industry-sector
+:insurance-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "insurance"@en .
-
-
- A single person
- individual
-
-
+### http://ontologies.ti-semantics.com/cti#intermediate-threat-actor-sophistication
+:intermediate-threat-actor-sophistication rdf:type owl:NamedIndividual ,
+ :ThreatActorSophisticationVocab ;
+ rdfs:comment """Can proficiently use existing attack frameworks and toolkits to search for and exploit vulnerabilities in computers or systems. Actors in this category have computer skills equivalent to an IT professional and typically have a working knowledge of networks, operating systems, and possibly even defensive techniques and will typically exhibit some operational security.
+These actors rely others to develop the malicious tools and delivery mechanisms, but are able to plan their own execution strategy. They are proficient in the tools they are using and how they work and can even make minimal modifications as needed.
+Example Roles: Toolkit User
+These actors:
+● attack known vulnerabilities;
+● use attack frameworks and toolkits; and
+● have proficient knowledge of the tools."""@en ;
+ rdfs:label "intermediate"@en .
-
+### http://ontologies.ti-semantics.com/cti#intrusion-set-report
+:intrusion-set-report rdf:type owl:NamedIndividual ,
+ :ReportLabel ;
+ rdfs:comment "Report subject is a characterization of one or more intrusion sets and related information."@en ;
+ rdfs:label "intrusion-set"@en .
-
-
- Tools used to enumerate system and network information, e.g., NMAP.
- information-gathering
-
-
+### http://ontologies.ti-semantics.com/cti#keylogger-malware
+:keylogger-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A type of malware that surreptitiously monitors keystrokes and either records them for later retrieval or sends them back to a central collection point."@en ;
+ rdfs:label "keylogger"@en .
-
-
-
- Someone who designs the battle space.
- infrastructure-architect
-
-
+### http://ontologies.ti-semantics.com/cti#malware-report
+:malware-report rdf:type owl:NamedIndividual ,
+ :ReportLabel ;
+ rdfs:comment "Report subject is a characterization of one or more malware instances and related information."@en ;
+ rdfs:label "malware"@en .
-
+### http://ontologies.ti-semantics.com/cti#manufacturing-industry-sector
+:manufacturing-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "manufacturing"@en .
-
- infrastructure
-
-
+### http://ontologies.ti-semantics.com/cti#minimal-threat-actor-sophistication
+:minimal-threat-actor-sophistication rdf:type owl:NamedIndividual ,
+ :ThreatActorSophisticationVocab ;
+ rdfs:comment """Can minimally use existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers. Commonly referred to as a script-kiddie.
+These actors rely on others to develop the malicious tools, delivery mechanisms, and execution strategy and often do not fully understand the tool they are using or how they work. They also lack the ability to conduct their own reconnaissance and targeting research.
+Example Roles: Script-Kiddie
+These actors:
+● attack known weaknesses;
+● use well known scripts and tools; and
+● have minimal knowledge of the tools."""@en ;
+ rdfs:label "minimal"@en .
-
-
-
- The threat actor who provides and supports the attack infrastructure that is used to deliver the attack (botnet providers, cloud services, etc.).
- infrastructure-operator
-
-
+### http://ontologies.ti-semantics.com/cti#mining-industry-sector
+:mining-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "mining"@en .
-
+### http://ontologies.ti-semantics.com/cti#network-capture-tool
+:network-capture-tool rdf:type owl:NamedIndividual ,
+ :ToolLabel ;
+ rdfs:comment "Tools used to capture network traffic, such as Wireshark and Kismet."@en ;
+ rdfs:label "network-capture"@en .
-
-
- Typically criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
-Demonstrates sophisticated capability. An innovator has the ability to create and script unique programs and codes targeting virtually any form of technology. At this level, this actor has a deep knowledge of networks, operating systems, programming languages, firmware, and infrastructure topologies and will demonstrate operational security when conducting his activities. Innovators are largely responsible for the discovery of 0-day vulnerabilities and the development of new attack techniques.
-Example Roles: Toolkit Innovator, 0-Day Exploit Author
-These actors:
-● attack unknown and known vulnerabilities;
-● create attacks against 0-Day exploits from scratch; and
-● create new and innovative attacks and toolkits.
- innovator
-
-
+### http://ontologies.ti-semantics.com/cti#non-profit-industry-sector
+:non-profit-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "non-profit"@en .
-
-
-
- A non-hostile insider who unintentionally exposes the organization to harm.
-“Insider” in this context includes any person extended internal trust, such as regular employees, contractors, consultants, and temporary workers.
- insider-accidental
-
-
+### http://ontologies.ti-semantics.com/cti#none-threat-actor-sophistication
+:none-threat-actor-sophistication rdf:type owl:NamedIndividual ,
+ :ThreatActorSophisticationVocab ;
+ rdfs:comment """Can carry out random acts of disruption or destruction by running tools they do not understand. Actors in this category have average computer skills.
+Example Roles: Average User
+These actors:
+● can not launch targeted attacks"""@en ;
+ rdfs:label "none"@en .
-
+### http://ontologies.ti-semantics.com/cti#notoriety-attack-motivation
+:notoriety-attack-motivation rdf:type owl:NamedIndividual ,
+ :AttackMotivationVocab ;
+ rdfs:comment """Seeking prestige or to become well known through some activity.
+Adversaries motivated by notoriety are often seeking either personal validation or respect within a community and staying covert is not a priority. In fact one of the main goals is to garner the respect of their target audience.""" ,
+ "This is actually similar to personal or organization gain, except the currency is reputation and not money." ;
+ rdfs:label "notoriety"@en .
-
-
- Current or former insiders who seek revengeful and harmful retaliation for perceived wrongs.
-“Insider” in this context includes any person extended internal trust, such as regular employees, contractors, consultants, and temporary workers.
-Disgruntled threat actors may have extensive knowledge that can be leveraged when conducting attacks and can take any number of actions including sabotage, violence, theft, fraud, espionage, or embarrassing individuals or the organization.
- insider-disgruntled
-
-
+### http://ontologies.ti-semantics.com/cti#observed-data-report
+:observed-data-report rdf:type owl:NamedIndividual ,
+ :ReportLabel ;
+ rdfs:comment "Report subject is a characterization of observed data and related information."@en ;
+ rdfs:label "observed-data"@en .
-
-
- insurance
-
-
+### http://ontologies.ti-semantics.com/cti#organization-attack-resource-level
+:organization-attack-resource-level rdf:type owl:NamedIndividual ,
+ :AttackResourceLevelVocab ;
+ rdfs:comment "Larger and better resourced than a team; typically a company or crime syndicate. Usually operates in multiple geographic areas and persists long term."@en ;
+ rdfs:label "organization"@en .
-
+### http://ontologies.ti-semantics.com/cti#organization-identity
+:organization-identity rdf:type owl:NamedIndividual ;
+ rdfs:comment "A formal organization of people, with governance, such as a company or country."@en ;
+ rdfs:label "organization"@en .
-
-
- Can proficiently use existing attack frameworks and toolkits to search for and exploit vulnerabilities in computers or systems. Actors in this category have computer skills equivalent to an IT professional and typically have a working knowledge of networks, operating systems, and possibly even defensive techniques and will typically exhibit some operational security.
-These actors rely others to develop the malicious tools and delivery mechanisms, but are able to plan their own execution strategy. They are proficient in the tools they are using and how they work and can even make minimal modifications as needed.
-Example Roles: Toolkit User
-These actors:
-● attack known vulnerabilities;
-● use attack frameworks and toolkits; and
-● have proficient knowledge of the tools.
- intermediate
-
-
+### http://ontologies.ti-semantics.com/cti#organizational-gain-attack-motivation
+:organizational-gain-attack-motivation rdf:type owl:NamedIndividual ,
+ :AttackMotivationVocab ;
+ rdfs:comment """Seeking advantage over a competing organization, including a military organization.
+Adversaries motivated by increased profit or other gains through an unfairly obtained competitive advantage are often seeking theft of intellectual property, business processes, or supply chain agreements and thus accelerating their position in a market or capability.""" ;
+ rdfs:label "organizational-gain"@en .
-
-
-
- Report subject is a characterization of one or more intrusion sets and related information.
- intrusion-set
-
-
+### http://ontologies.ti-semantics.com/cti#personal-gain-attack-motivation
+:personal-gain-attack-motivation rdf:type owl:NamedIndividual ,
+ :AttackMotivationVocab ;
+ rdfs:comment """The desire to improve one’s own financial status.
+Adversaries motivated by a selfish desire for personal gain are often out for gains that come from financial fraud, hacking for hire, or intellectual property theft.
+While a Threat Actor or Intrusion Set may be seeking personal gain this does not mean they are acting alone. Individuals can band together solely to maximize their own personal profits.""" ;
+ rdfs:label "personal-gain"@en .
-
+### http://ontologies.ti-semantics.com/cti#personal-satisfaction-attack-motivation
+:personal-satisfaction-attack-motivation rdf:type owl:NamedIndividual ,
+ :AttackMotivationVocab ;
+ rdfs:comment """A desire to satisfy a strictly personal goal, including curiosity, thrill-seeking, amusement, etc.
+Threat Actors or Intrusion Set driven by personal satisfaction may incidentally receive some other gain from their actions, such as a profit, but their primary motivation is to gratify a personal, emotional need. Individuals can band together with others toward a mutual, but not necessarily organizational, objective.""" ,
+ "This seems a bit redundant with personal-gain if we consider non-money rewards a gain." ;
+ rdfs:label "personal-satisfaction"@en .
-
-
- A type of malware that surreptitiously monitors keystrokes and either records them for later retrieval or sends them back to a central collection point.
- keylogger
-
-
+### http://ontologies.ti-semantics.com/cti#pharmaceuticals-industry-sector
+:pharmaceuticals-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "pharmaceuticals"@en .
-
-
-
- Report subject is a characterization of one or more malware instances and related information.
- malware
-
-
+### http://ontologies.ti-semantics.com/cti#ransomware-malware
+:ransomware-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A type of malware that encrypts files on a victim's system, demanding payment of ransom in return for the access codes required to unlock files."@en ;
+ rdfs:label "ransomware"@en .
-
+### http://ontologies.ti-semantics.com/cti#remote-access-tool
+:remote-access-tool rdf:type owl:NamedIndividual ,
+ :ToolLabel ;
+ rdfs:comment "Tools used to access machines remotely, such as VNC and Remote Desktop."@en ;
+ rdfs:label "remote-access"@en .
-
- manufacturing
-
-
+### http://ontologies.ti-semantics.com/cti#remote-access-trojan-malware
+:remote-access-trojan-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A remote access trojan program (or RAT), is a trojan horse capable of controlling a machine through commands issued by a remote attacker."@en ;
+ rdfs:label "remote-access-trojan"@en .
-
-
-
- Can minimally use existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers. Commonly referred to as a script-kiddie.
-These actors rely on others to develop the malicious tools, delivery mechanisms, and execution strategy and often do not fully understand the tool they are using or how they work. They also lack the ability to conduct their own reconnaissance and targeting research.
-Example Roles: Script-Kiddie
-These actors:
-● attack known weaknesses;
-● use well known scripts and tools; and
-● have minimal knowledge of the tools.
- minimal
-
-
+### http://ontologies.ti-semantics.com/cti#resource-exploitation-malware
+:resource-exploitation-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A type of malware that steals a system's resources (e.g., CPU cycles), such as a bitcoin miner."@en ;
+ rdfs:label "resource-exploitation"@en .
-
+### http://ontologies.ti-semantics.com/cti#retail-industry-sector
+:retail-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "retail"@en .
-
- mining
-
-
+### http://ontologies.ti-semantics.com/cti#revenge-attack-motivation
+:revenge-attack-motivation rdf:type owl:NamedIndividual ,
+ :AttackMotivationVocab ;
+ rdfs:comment """A desire to avenge perceived wrongs through harmful actions such as sabotage, violence, theft, fraud, or embarrassing certain individuals or the organization.
+A disgruntled Threat Actor or Intrusion Set seeking revenge can include current or former employees, who may have extensive knowledge to leverage when conducting attacks. Individuals can band together with others if the individual believes that doing so will enable them to cause more harm.""" ;
+ rdfs:label "revenge"@en .
-
-
-
- Tools used to capture network traffic, such as Wireshark and Kismet.
- network-capture
-
-
+### http://ontologies.ti-semantics.com/cti#rogue-security-software-malware
+:rogue-security-software-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A fake security product that demands money to clean phony infections."@en ;
+ rdfs:label "rogue-security-software"@en .
-
+### http://ontologies.ti-semantics.com/cti#rootkit-malware
+:rootkit-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A type of malware that hides its files or processes from normal methods of monitoring in order to conceal its presence and activities. Rootkits can operate at a number of levels, from the application level — simply replacing or adjusting the settings of system software to prevent the display of certain information — through hooking certain functions or inserting modules or drivers into the operating system kernel, to the deeper level of firmware or virtualization rootkits, which are activated before the operating system and thus even harder to detect while the system is running."@en ;
+ rdfs:label "rootkit"@en .
-
- non-profit
-
-
+### http://ontologies.ti-semantics.com/cti#screen-capture-malware
+:screen-capture-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A type of malware used to capture images from the target systems screen, used for exfiltration and command and control."@en ;
+ rdfs:label "screen-capture"@en .
-
-
-
- Can carry out random acts of disruption or destruction by running tools they do not understand. Actors in this category have average computer skills.
-Example Roles: Average User
-These actors:
-● can not launch targeted attacks
- none
-
-
+### http://ontologies.ti-semantics.com/cti#sensationalist-nation-state
+:sensationalist-nation-state rdf:type owl:NamedIndividual ,
+ :ThreatActorLabel ;
+ rdfs:comment """Seeks to cause embarrassment and brand damage by exposing sensitive information in a manner designed to cause a public relations crisis.
+A sensationalist may be an individual or small group of people motivated primarily by a need for notoriety. Unlike the activist, the sensationalist generally has no political goal, and is not using bad PR to influence the target to change its behavior or business practices."""@en ;
+ rdfs:label "sensationalist"@en .
-
+### http://ontologies.ti-semantics.com/cti#sponsor-threat-actor-role
+:sponsor-threat-actor-role rdf:type owl:NamedIndividual ,
+ :ThreatActorRoleVocab ;
+ rdfs:comment "The threat actor who funds the malicious activities."@en ;
+ rdfs:label "sponsor"@en .
-
-
- Seeking prestige or to become well known through some activity.
-Adversaries motivated by notoriety are often seeking either personal validation or respect within a community and staying covert is not a priority. In fact one of the main goals is to garner the respect of their target audience.
- This is actually similar to personal or organization gain, except the currency is reputation and not money.
- notoriety
-
-
+### http://ontologies.ti-semantics.com/cti#spy-nation-state
+:spy-nation-state rdf:type owl:NamedIndividual ,
+ :ThreatActorLabel ;
+ rdfs:comment """Secretly collects sensitive information for use, dissemination, or sale.
+Traditional spies (governmental and industrial) are part of a well-resourced intelligence organization and are capable of very sophisticated clandestine operations. However, insiders such as employees or consultants acting as spies can be just as effective and damaging, even when their activities are largely opportunistic and not part of an overall campaign."""@en ;
+ rdfs:label "spy"@en .
-
-
-
- Report subject is a characterization of observed data and related information.
- observed-data
-
-
+### http://ontologies.ti-semantics.com/cti#spyware-malware
+:spyware-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "Software that gathers information on a user's system without their knowledge and sends it to another party. Spyware is generally used to track activities for the purpose of delivering advertising."@en ;
+ rdfs:label "spyware"@en .
-
+### http://ontologies.ti-semantics.com/cti#ssdeep-hash-algorithm
+:ssdeep-hash-algorithm rdf:type owl:NamedIndividual ,
+ :HashAlgorithmVocab ;
+ rdfs:comment "Specifies the ssdeep fuzzy hashing algorithm. The corresponding hash string for this value MUST be a valid piecewise hash as defined in the [SSDEEP] specification."@en ;
+ rdfs:label "ssdeep"@en .
-
-
- Larger and better resourced than a team; typically a company or crime syndicate. Usually operates in multiple geographic areas and persists long term.
- organization
-
-
+### http://ontologies.ti-semantics.com/cti#strategic-threat-actor-sophistication
+:strategic-threat-actor-sophistication rdf:type owl:NamedIndividual ,
+ :ThreatActorSophisticationVocab ;
+ rdfs:comment """State actors who create vulnerabilities through an active program to “influence” commercial products and services during design, development or manufacturing, or with the ability to impact products while in the supply chain to enable exploitation of networks and systems of interest.
+These actors:
+● can create or use entire supply chains to launch an attack;
+● can create and design attacks for any systems, software package, or device; and
+● are responsible for APT-level attacks."""@en ;
+ rdfs:label "strategic"@en .
-
-
-
- A formal organization of people, with governance, such as a company or country.
- organization
-
-
+### http://ontologies.ti-semantics.com/cti#team-attack-resource-level
+:team-attack-resource-level rdf:type owl:NamedIndividual ,
+ :AttackResourceLevelVocab ;
+ rdfs:comment "A short-lived and perhaps anonymous interaction that concludes when the participants have achieved a single goal. For example, people who break into systems just for thrills or prestige may hold a contest to see who can break into a specific target first. It also includes announced \"operations\" to achieve a specific goal, such as the original \"OpIsrael\" call for volunteers to disrupt all of Israel's Internet functions for a day."@en ;
+ rdfs:label "team"@en .
-
-
-
- Seeking advantage over a competing organization, including a military organization.
-Adversaries motivated by increased profit or other gains through an unfairly obtained competitive advantage are often seeking theft of intellectual property, business processes, or supply chain agreements and thus accelerating their position in a market or capability.
- organizational-gain
-
-
+### http://ontologies.ti-semantics.com/cti#technology-industry-sector
+:technology-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "technology"@en .
-
+### http://ontologies.ti-semantics.com/cti#telecommunications-industry-sector
+:telecommunications-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "telecommunications"@en .
-
-
- The desire to improve one’s own financial status.
-Adversaries motivated by a selfish desire for personal gain are often out for gains that come from financial fraud, hacking for hire, or intellectual property theft.
-While a Threat Actor or Intrusion Set may be seeking personal gain this does not mean they are acting alone. Individuals can band together solely to maximize their own personal profits.
- personal-gain
-
-
+### http://ontologies.ti-semantics.com/cti#terrorist-nation-state
+:terrorist-nation-state rdf:type owl:NamedIndividual ,
+ :ThreatActorLabel ;
+ rdfs:comment """Uses extreme violence to advance a social or political agenda as well as monetary crimes to support its activities.
+In this context a terrorist refers to individuals who target noncombatants with violence to send a message of fear far beyond the actual events. They may act independently or as part of a terrorist organization.
+Terrorist organizations must typically raise much of their operating budget through criminal activity, which often occurs online. Terrorists are also often adept at using and covertly manipulating social media for both recruitment and impact."""@en ;
+ rdfs:label "terrorist"@en .
-
-
-
-
- A desire to satisfy a strictly personal goal, including curiosity, thrill-seeking, amusement, etc.
-Threat Actors or Intrusion Set driven by personal satisfaction may incidentally receive some other gain from their actions, such as a profit, but their primary motivation is to gratify a personal, emotional need. Individuals can band together with others toward a mutual, but not necessarily organizational, objective.
- This seems a bit redundant with personal-gain if we consider non-money rewards a gain.
- personal-satisfaction
-
-
+### http://ontologies.ti-semantics.com/cti#threat-actor-report
+:threat-actor-report rdf:type owl:NamedIndividual ,
+ :ReportLabel ;
+ rdfs:comment "Report subject is a characterization of one or more threat actors and related information."@en ;
+ rdfs:label "threat-actor"@en .
-
-
- pharmaceuticals
-
-
+### http://ontologies.ti-semantics.com/cti#threat-report
+:threat-report rdf:type owl:NamedIndividual ,
+ :ReportLabel ;
+ rdfs:comment "Report subject is a broad characterization of a threat across multiple facets."@en ;
+ rdfs:label "threat"@en .
-
+### http://ontologies.ti-semantics.com/cti#tool-report
+:tool-report rdf:type owl:NamedIndividual ,
+ :ReportLabel ;
+ rdfs:comment "Report subject is a characterization of one or more tools and related information."@en ;
+ rdfs:label "tool"@en .
-
-
- A type of malware that encrypts files on a victim's system, demanding payment of ransom in return for the access codes required to unlock files.
- ransomware
-
-
+### http://ontologies.ti-semantics.com/cti#transportation-industry-sector
+:transportation-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "transportation"@en .
-
-
-
- Tools used to access machines remotely, such as VNC and Remote Desktop.
- remote-access
-
-
+### http://ontologies.ti-semantics.com/cti#trojan-malware
+:trojan-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "Any malicious computer program which is used to hack into a computer by misleading users of its true intent."@en ;
+ rdfs:label "trojan"@en .
-
+### http://ontologies.ti-semantics.com/cti#unknown-identity
+:unknown-identity rdf:type owl:NamedIndividual ;
+ rdfs:comment "It is unknown whether the classification is individual, group, organization, or class."@en ;
+ rdfs:label "unknown"@en .
-
-
- A remote access trojan program (or RAT), is a trojan horse capable of controlling a machine through commands issued by a remote attacker.
- remote-access-trojan
-
-
+### http://ontologies.ti-semantics.com/cti#unpredictable-attack-motivation
+:unpredictable-attack-motivation rdf:type owl:NamedIndividual ,
+ :AttackMotivationVocab ;
+ rdfs:comment """Acting without identifiable reason or purpose and creating unpredictable events.
+Unpredictable is not a miscellaneous or default category. Unpredictable means a truly random and likely bizarre event, which seems to have no logical purpose to the victims.""" ;
+ rdfs:label "unpredictable"@en .
-
-
-
- A type of malware that steals a system's resources (e.g., CPU cycles), such as a bitcoin miner.
- resource-exploitation
-
-
+### http://ontologies.ti-semantics.com/cti#utilities-industry-sector
+:utilities-industry-sector rdf:type owl:NamedIndividual ;
+ rdfs:label "utilities"@en .
-
+### http://ontologies.ti-semantics.com/cti#virus-malware
+:virus-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A malicious computer program that replicates by reproducing itself or infecting other programs by modifying them."@en ;
+ rdfs:label "virus"@en .
-
- retail
-
-
+### http://ontologies.ti-semantics.com/cti#vulnerability-report
+:vulnerability-report rdf:type owl:NamedIndividual ,
+ :ReportLabel ;
+ rdfs:comment "Report subject is a characterization of one or more vulnerabilities and related information."@en ;
+ rdfs:label "vulnerability"@en .
-
-
-
- A desire to avenge perceived wrongs through harmful actions such as sabotage, violence, theft, fraud, or embarrassing certain individuals or the organization.
-A disgruntled Threat Actor or Intrusion Set seeking revenge can include current or former employees, who may have extensive knowledge to leverage when conducting attacks. Individuals can band together with others if the individual believes that doing so will enable them to cause more harm.
- revenge
-
-
+### http://ontologies.ti-semantics.com/cti#vulnerability-scanning-tool
+:vulnerability-scanning-tool rdf:type owl:NamedIndividual ,
+ :ToolLabel ;
+ rdfs:comment "Tools used to scan systems and networks for vulnerabilities, e.g., Nessus."@en ;
+ rdfs:label "vulnerability-scanning"@en .
-
+### http://ontologies.ti-semantics.com/cti#worm-malware
+:worm-malware rdf:type owl:NamedIndividual ,
+ :MalwareLabel ;
+ rdfs:comment "A self-replicating, self-contained program that usually executes itself without user intervention."@en ;
+ rdfs:label "worm"@en .
-
-
- A fake security product that demands money to clean phony infections.
- rogue-security-software
-
-
+[ "label Range ReportLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+] .
-
+[ "label Range ReportLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
-
-
- A type of malware that hides its files or processes from normal methods of monitoring in order to conceal its presence and activities. Rootkits can operate at a number of levels, from the application level — simply replacing or adjusting the settings of system software to prevent the display of certain information — through hooking certain functions or inserting modules or drivers into the operating system kernel, to the deeper level of firmware or virtualization rootkits, which are activated before the operating system and thus even harder to detect while the system is running.
- rootkit
-
-
+[ """Campaign SubClassOf (campaignAttributedTo some
+(ThreatActor or IntrusionSet)) and (hasActivity some AdversarialActivity) and (hasObjective some Objective)"""^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
+[ "Indicator SubClassOf label min 1 IndicatorLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
-
+[ "Indicator EquivalentTo ((hasPatternReference only token) and (validFrom only dateTime)) or (hasPattern only string)"^^xsd:string ;
+ "false"^^xsd:boolean
+ ] .
-
-
- A type of malware used to capture images from the target systems screen, used for exfiltration and command and control.
- screen-capture
-
-
+[ "Indicator EquivalentTo ((hasPatternReference only token) and (validFrom only dateTime)) or (hasPattern only string)"^^xsd:string ;
+ "false"^^xsd:boolean
+ ] .
+[ "Indicator EquivalentTo Thing"^^xsd:string ;
+ "false"^^xsd:boolean
+ ] .
-
+[ "Report SubClassOf label min 1 ReportLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
-
-
- Seeks to cause embarrassment and brand damage by exposing sensitive information in a manner designed to cause a public relations crisis.
-A sensationalist may be an individual or small group of people motivated primarily by a need for notoriety. Unlike the activist, the sensationalist generally has no political goal, and is not using bad PR to influence the target to change its behavior or business practices.
- sensationalist
-
-
+[ "Campaign SubClassOf IntrusionSet"^^xsd:string ;
+ "false"^^xsd:boolean
+ ] .
+[ "Campaign SubClassOf IntrusionSet"^^xsd:string ;
+ "false"^^xsd:boolean
+ ] .
-
+[ "Indicator SubClassOf label min 1 IndicatorLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
-
-
- The threat actor who funds the malicious activities.
- sponsor
-
-
+[ "label Range ReportLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
+[ "Report SubClassOf label min 1 ReportLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
-
+[ "label Range ReportLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
-
-
- Secretly collects sensitive information for use, dissemination, or sale.
-Traditional spies (governmental and industrial) are part of a well-resourced intelligence organization and are capable of very sophisticated clandestine operations. However, insiders such as employees or consultants acting as spies can be just as effective and damaging, even when their activities are largely opportunistic and not part of an overall campaign.
- spy
-
-
+[ """Campaign SubClassOf (campaignAttributedTo some
+(ThreatActor or IntrusionSet)) and (hasActivity some AdversarialActivity) and (hasObjective some Objective)"""^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
+[ "Report SubClassOf label min 1 ReportLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
-
+[ "Indicator EquivalentTo Thing"^^xsd:string ;
+ "false"^^xsd:boolean
+ ] .
-
-
- Software that gathers information on a user's system without their knowledge and sends it to another party. Spyware is generally used to track activities for the purpose of delivering advertising.
- spyware
-
-
+[ "Indicator SubClassOf label min 1 IndicatorLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
+[ "Campaign SubClassOf IntrusionSet"^^xsd:string ;
+ "false"^^xsd:boolean
+ ] .
-
+[ "Report SubClassOf label min 1 ReportLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
-
-
- Specifies the ssdeep fuzzy hashing algorithm. The corresponding hash string for this value MUST be a valid piecewise hash as defined in the [SSDEEP] specification.
- ssdeep
-
-
+[ "Indicator SubClassOf label min 1 IndicatorLabel"^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
+[ """Campaign SubClassOf (campaignAttributedTo some
+(ThreatActor or IntrusionSet)) and (hasActivity some AdversarialActivity) and (hasObjective some Objective)"""^^xsd:string ;
+ "true"^^xsd:boolean
+ ] .
-
+[ "278.884443804092"^^xsd:double ;
+ "158.33423810409943"^^xsd:double ;
+ rdfs:comment "This is an entity positioning annotation generated by CoModIDE (https://comodide.com/). Removing this annotation will break rendering the CoModIDE schema diagram view."@en
+ ] .
-
-
- State actors who create vulnerabilities through an active program to “influence” commercial products and services during design, development or manufacturing, or with the ability to impact products while in the supply chain to enable exploitation of networks and systems of interest.
-These actors:
-● can create or use entire supply chains to launch an attack;
-● can create and design attacks for any systems, software package, or device; and
-● are responsible for APT-level attacks.
- strategic
-
-
+#################################################################
+# Annotations
+#################################################################
+ rdfs:label "malware-author"@en ;
+ rdfs:comment "The threat actor who authors malware or other malicious tools."@en .
-
-
-
- A short-lived and perhaps anonymous interaction that concludes when the participants have achieved a single goal. For example, people who break into systems just for thrills or prestige may hold a contest to see who can break into a specific target first. It also includes announced "operations" to achieve a specific goal, such as the original "OpIsrael" call for volunteers to disrupt all of Israel's Internet functions for a day.
- team
-
-
+ rdfs:comment """Entities who work for the government or military of a nation state or who work at their direction.
+These actors typically have access to significant support, resources, training, and tools and are capable of designing and executing very sophisticated and effective Intrusion Sets and Campaigns."""@en ;
+ rdfs:label "nation-state"@en .
-
+ rdfs:comment "Indicator labels is an open vocabulary used to categorize Indicators. It is intended to be high-level to promote consistent practices. Indicator labels should not be used to capture information that can be better captured via related Malware or Attack Pattern objects. It is better to link an Indicator to a Malware object describing Poison Ivy rather than simply labeling it with \"poison-ivy\"."@en ;
+ rdfs:isDefinedBy "http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709300"@en .
-
- technology
-
-
+ owl:deprecated "true"^^xsd:boolean ;
+ rdfs:comment "Deprecated in favor of DCTERMS:source"@en .
-
-
- telecommunications
-
-
+ rdfs:comment "To comment on this schema, please contact dcmifb@dublincore.org." ;
+ "The Dublin Core Metadata Initiative"@en-us ;
+ "DCMI Namespace for the Dublin Core Metadata Element Set, Version 1.1"@en-us ;
+ "2008-01-14" .
-
+ "Examples of a Contributor include a person, an organization, or a service. Typically, the name of a Contributor should be used to indicate the entity."@en-us ;
+ ;
+ rdfs:comment "An entity responsible for making contributions to the resource."@en-us ;
+ "1999-07-02" ;
+ rdfs:isDefinedBy ;
+ rdfs:label "Contributor"@en-us ;
+ "2008-01-14" .
-
-
- Uses extreme violence to advance a social or political agenda as well as monetary crimes to support its activities.
-In this context a terrorist refers to individuals who target noncombatants with violence to send a message of fear far beyond the actual events. They may act independently or as part of a terrorist organization.
-Terrorist organizations must typically raise much of their operating budget through criminal activity, which often occurs online. Terrorists are also often adept at using and covertly manipulating social media for both recruitment and impact.
- terrorist
-
-
+ ;
+ "2008-01-14" ;
+ rdfs:label "Coverage"@en-us ;
+ "Spatial topic and spatial applicability may be a named place or a location specified by its geographic coordinates. Temporal topic may be a named period, date, or date range. A jurisdiction may be a named administrative entity or a geographic place to which the resource applies. Recommended best practice is to use a controlled vocabulary such as the Thesaurus of Geographic Names [TGN]. Where appropriate, named places or time periods can be used in preference to numeric identifiers such as sets of coordinates or date ranges."@en-us ;
+ "1999-07-02" ;
+ rdfs:isDefinedBy ;
+ rdfs:comment "The spatial or temporal topic of the resource, the spatial applicability of the resource, or the jurisdiction under which the resource is relevant."@en-us .
-
-
-
- Report subject is a characterization of one or more threat actors and related information.
- threat-actor
-
-
+ rdfs:comment "A point or period of time associated with an event in the lifecycle of the resource."@en-us ;
+ rdfs:label "Date"@en-us ;
+ "Date may be used to express temporal information at any level of granularity. Recommended best practice is to use an encoding scheme, such as the W3CDTF profile of ISO 8601 [W3CDTF]."@en-us ;
+ rdfs:isDefinedBy ;
+ ;
+ "1999-07-02" ;
+ "2008-01-14" .
-
+ rdfs:isDefinedBy ;
+ rdfs:comment "An account of the resource."@en-us ;
+ rdfs:label "Description"@en-us ;
+ "2008-01-14" ;
+ "1999-07-02" ;
+ "Description may include but is not limited to: an abstract, a table of contents, a graphical representation, or a free-text account of the resource."@en-us ;
+ .
+
-
-
- Report subject is a broad characterization of a threat across multiple facets.
- threat
-
-
+ "Examples of dimensions include size and duration. Recommended best practice is to use a controlled vocabulary such as the list of Internet Media Types [MIME]."@en-us ;
+ rdfs:comment "The file format, physical medium, or dimensions of the resource."@en-us ;
+ ;
+ rdfs:isDefinedBy ;
+ "2008-01-14" ;
+ rdfs:label "Format"@en-us ;
+ "1999-07-02" .
-
+ ;
+ "1999-07-02" ;
+ "Recommended best practice is to identify the resource by means of a string conforming to a formal identification system. "@en-us ;
+ "2008-01-14" ;
+ rdfs:isDefinedBy ;
+ rdfs:comment "An unambiguous reference to the resource within a given context."@en-us ;
+ rdfs:label "Identifier"@en-us .
-
-
- Report subject is a characterization of one or more tools and related information.
- tool
-
-
+ ;
+ rdfs:label "Language"@en-us ;
+ "2008-01-14" ;
+ rdfs:isDefinedBy ;
+ "1999-07-02" ;
+ rdfs:seeAlso ;
+ "Recommended best practice is to use a controlled vocabulary such as RFC 4646 [RFC4646]."@en-us ;
+ rdfs:comment "A language of the resource."@en-us .
-
-
- transportation
-
-
+ "2008-01-14" ;
+ ;
+ rdfs:label "Publisher"@en-us ;
+ "Examples of a Publisher include a person, an organization, or a service. Typically, the name of a Publisher should be used to indicate the entity."@en-us ;
+ "1999-07-02" ;
+ rdfs:isDefinedBy ;
+ rdfs:comment "An entity responsible for making the resource available."@en-us .
-
+ "1999-07-02" ;
+ rdfs:label "Relation"@en-us ;
+ "Recommended best practice is to identify the related resource by means of a string conforming to a formal identification system. "@en-us ;
+ ;
+ rdfs:comment "A related resource."@en-us ;
+ "2008-01-14" ;
+ rdfs:isDefinedBy .
-
-
- Any malicious computer program which is used to hack into a computer by misleading users of its true intent.
- trojan
-
-
-
-
-
-
-
- It is unknown whether the classification is individual, group, organization, or class.
- unknown
-
-
-
-
-
-
-
-
- Acting without identifiable reason or purpose and creating unpredictable events.
-Unpredictable is not a miscellaneous or default category. Unpredictable means a truly random and likely bizarre event, which seems to have no logical purpose to the victims.
- unpredictable
-
-
-
-
-
-
-
- utilities
-
-
-
-
-
-
-
-
- A malicious computer program that replicates by reproducing itself or infecting other programs by modifying them.
- virus
-
-
-
-
-
-
-
-
- Report subject is a characterization of one or more vulnerabilities and related information.
- vulnerability
-
-
-
-
-
-
-
-
- Tools used to scan systems and networks for vulnerabilities, e.g., Nessus.
- vulnerability-scanning
-
-
-
-
-
-
-
-
- A self-replicating, self-contained program that usually executes itself without user intervention.
- worm
-
-
- Report SubClassOf label min 1 ReportLabel
- true
-
-
- label Range ReportLabel
- true
-
-
- label Range ReportLabel
- true
-
-
- Report SubClassOf label min 1 ReportLabel
- true
-
-
- Indicator SubClassOf label min 1 IndicatorLabel
- true
-
-
- Report SubClassOf label min 1 ReportLabel
- true
-
-
- Campaign SubClassOf IntrusionSet
- false
-
-
- Campaign SubClassOf (campaignAttributedTo some
-(ThreatActor or IntrusionSet)) and (hasActivity some AdversarialActivity) and (hasObjective some Objective)
- true
-
-
- Indicator EquivalentTo Thing
- false
-
-
- label Range ReportLabel
- true
-
-
- Campaign SubClassOf IntrusionSet
- false
-
-
- Campaign SubClassOf (campaignAttributedTo some
-(ThreatActor or IntrusionSet)) and (hasActivity some AdversarialActivity) and (hasObjective some Objective)
- true
-
-
- Report SubClassOf label min 1 ReportLabel
- true
-
-
- Campaign SubClassOf (campaignAttributedTo some
-(ThreatActor or IntrusionSet)) and (hasActivity some AdversarialActivity) and (hasObjective some Objective)
- true
-
-
- Indicator EquivalentTo ((hasPatternReference only token) and (validFrom only dateTime)) or (hasPattern only string)
- false
-
-
- Indicator EquivalentTo Thing
- false
-
-
- Campaign SubClassOf IntrusionSet
- false
-
-
- Indicator SubClassOf label min 1 IndicatorLabel
- true
-
-
- Indicator SubClassOf label min 1 IndicatorLabel
- true
-
-
- Indicator SubClassOf label min 1 IndicatorLabel
- true
-
-
- Indicator EquivalentTo ((hasPatternReference only token) and (validFrom only dateTime)) or (hasPattern only string)
- false
-
-
- label Range ReportLabel
- true
-
-
-
-
-
-
-
- malware-author
- The threat actor who authors malware or other malicious tools.
-
-
- Entities who work for the government or military of a nation state or who work at their direction.
-These actors typically have access to significant support, resources, training, and tools and are capable of designing and executing very sophisticated and effective Intrusion Sets and Campaigns.
- nation-state
-
-
- Indicator labels is an open vocabulary used to categorize Indicators. It is intended to be high-level to promote consistent practices. Indicator labels should not be used to capture information that can be better captured via related Malware or Attack Pattern objects. It is better to link an Indicator to a Malware object describing Poison Ivy rather than simply labeling it with "poison-ivy".
- http://docs.oasis-open.org/cti/stix/v2.0/cs01/part1-stix-core/stix-v2.0-cs01-part1-stix-core.html#_Toc496709300
-
-
- To comment on this schema, please contact dcmifb@dublincore.org.
- The Dublin Core Metadata Initiative
- DCMI Namespace for the Dublin Core Metadata Element Set, Version 1.1
- 2008-01-14
-
-
- Examples of a Contributor include a person, an organization, or a service. Typically, the name of a Contributor should be used to indicate the entity.
-
- An entity responsible for making contributions to the resource.
- 1999-07-02
-
- Contributor
- 2008-01-14
-
-
- Coverage
- 2008-01-14
-
- Spatial topic and spatial applicability may be a named place or a location specified by its geographic coordinates. Temporal topic may be a named period, date, or date range. A jurisdiction may be a named administrative entity or a geographic place to which the resource applies. Recommended best practice is to use a controlled vocabulary such as the Thesaurus of Geographic Names [TGN]. Where appropriate, named places or time periods can be used in preference to numeric identifiers such as sets of coordinates or date ranges.
- 1999-07-02
-
- The spatial or temporal topic of the resource, the spatial applicability of the resource, or the jurisdiction under which the resource is relevant.
-
-
- A point or period of time associated with an event in the lifecycle of the resource.
-
- Date
- Date may be used to express temporal information at any level of granularity. Recommended best practice is to use an encoding scheme, such as the W3CDTF profile of ISO 8601 [W3CDTF].
-
- 1999-07-02
- 2008-01-14
-
-
-
- An account of the resource.
- Description
- 2008-01-14
- 1999-07-02
- Description may include but is not limited to: an abstract, a table of contents, a graphical representation, or a free-text account of the resource.
-
-
-
- Examples of dimensions include size and duration. Recommended best practice is to use a controlled vocabulary such as the list of Internet Media Types [MIME].
- The file format, physical medium, or dimensions of the resource.
-
- 2008-01-14
-
- Format
- 1999-07-02
-
-
-
- 1999-07-02
- Recommended best practice is to identify the resource by means of a string conforming to a formal identification system.
- 2008-01-14
-
- An unambiguous reference to the resource within a given context.
- Identifier
-
-
-
- 2008-01-14
- Language
-
- 1999-07-02
- Recommended best practice is to use a controlled vocabulary such as RFC 4646 [RFC4646].
-
- A language of the resource.
-
-
- 2008-01-14
-
- Publisher
- Examples of a Publisher include a person, an organization, or a service. Typically, the name of a Publisher should be used to indicate the entity.
-
- 1999-07-02
- An entity responsible for making the resource available.
-
-
- 1999-07-02
- Recommended best practice is to identify the related resource by means of a string conforming to a formal identification system.
- A related resource.
-
- Relation
-
- 2008-01-14
-
-
- 1999-07-02
-
- 2008-01-14
-
- Information about rights held in and over the resource.
- Rights
- Typically, rights information includes a statement about various property rights associated with the resource, including intellectual property rights.
-
-
-
- 1999-07-02
- 2008-01-14
- Source
- The described resource may be derived from the related resource in whole or in part. Recommended best practice is to identify the related resource by means of a string conforming to a formal identification system.
-
- A related resource from which the described resource is derived.
-
-
- The topic of the resource.
-
- 2008-01-14
- Typically, the subject will be represented using keywords, key phrases, or classification codes. Recommended best practice is to use a controlled vocabulary. To describe the spatial or temporal topic of the resource, use the Coverage element.
- Subject
-
- 1999-07-02
-
-
-
- 2008-01-14
- A name given to the resource.
- Title
- 1999-07-02
-
-
-
-
- Recommended best practice is to use a controlled vocabulary such as the DCMI Type Vocabulary [DCMITYPE]. To describe the file format, physical medium, or dimensions of the resource, use the Format element.
- Type
- 2008-01-14
- The nature or genre of the resource.
-
- 1999-07-02
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+ "1999-07-02" ;
+ ;
+ "2008-01-14" ;
+ rdfs:isDefinedBy ;
+ rdfs:comment "Information about rights held in and over the resource."@en-us ;
+ rdfs:label "Rights"@en-us ;
+ "Typically, rights information includes a statement about various property rights associated with the resource, including intellectual property rights."@en-us .
+
+
+ ;
+ "1999-07-02" ;
+ "2008-01-14" ;
+ rdfs:label "Source"@en-us ;
+ "The described resource may be derived from the related resource in whole or in part. Recommended best practice is to identify the related resource by means of a string conforming to a formal identification system."@en-us ;
+ rdfs:isDefinedBy ;
+ rdfs:comment "A related resource from which the described resource is derived."@en-us .
+
+
+ rdfs:comment "The topic of the resource."@en-us ;
+ ;
+ "2008-01-14" ;
+ "Typically, the subject will be represented using keywords, key phrases, or classification codes. Recommended best practice is to use a controlled vocabulary. To describe the spatial or temporal topic of the resource, use the Coverage element."@en-us ;
+ rdfs:label "Subject"@en-us ;
+ "1999-07-02" ;
+ rdfs:isDefinedBy .
+
+
+ ;
+ "2008-01-14" ;
+ rdfs:label "Title"@en-us ;
+ rdfs:comment "A name given to the resource."@en-us ;
+ "1999-07-02" ;
+ rdfs:isDefinedBy .
+
+
+ ;
+ "Recommended best practice is to use a controlled vocabulary such as the DCMI Type Vocabulary [DCMITYPE]. To describe the file format, physical medium, or dimensions of the resource, use the Format element."@en-us ;
+ rdfs:label "Type"@en-us ;
+ "2008-01-14" ;
+ rdfs:isDefinedBy ;
+ "1999-07-02" ;
+ rdfs:comment "The nature or genre of the resource."@en-us .
+
+
+#################################################################
+# General axioms
+#################################################################
+
+[ rdf:type owl:AllDifferent ;
+ owl:distinctMembers ( :accidental-attack-motivation
+ :coercion-attack-motivation
+ )
+] .
+
+
+### Generated by the OWL API (version 4.5.9.2019-02-01T07:24:44Z) https://github.com/owlcs/owlapi