Ontologies in information security

How ontologies can provide the world with greater, faster protection from cyberthreats and more.

Pyramid to illustrate Ontologies and their use in cybersecurity

Here at Kaspersky, we regularly analyze new technologies and look for ways to put them to use in cybersecurity. Ontology may not represent a very popular approach right now, but it can speed up and simplify a lot of processes. I believe it’s only a matter of time before using ontology for cybersecurity catches on.

In information systems, what’s an ontology?

In information science, an ontology is a systematic description of all of the terms in a specific subject area, their characteristics or attributes, and their relationships. For example, the Marvel Comics Universe ontology includes the names and attributes (superpowers, weapons, weaknesses) of all of the superheroes, their power levels, and so forth. An ontology can describe anything from wines to electrical grids.

Using a language such as OWL, Web Ontology Language, you can develop tools to analyze ontologies and identify hidden connections and missing or obscure details. For example, analyzing the ontology of the Marvel universe can help determine the best team of superheroes and the most expedient way to defeat a villain.

For that, as well as for similar tasks, we could use the Protégé platform, for example. Developed at Stanford University, the software’s purpose is to analyze biomedical data, but now it’s a free, open-source ontology editor and framework for building intelligent systems to manage knowledge from any field.

Ontologies vs. machine learning

The tools for working with ontologies have a lot in common with machine-learning algorithms, but with one key difference: Machine-learning models predict; ontological tools deduce.

Machine-learning models analyze large arrays of data and use them to make predictions about new objects. For example, a machine-learning model might look at 100 malicious e-mails and highlight the specific characteristics they share. Then, if the model recognizes some of those characteristics in a new e-mail, it can determine that the new message is also malicious.

An ontology also figures in data analysis, but instead of leading to predictions, it points to information that logically ensues from supplied parameters. It doesn’t learn or draw on previous experiences to analyze information. For example, if we indicate in the ontology that e-mail A is a phishing e-mail and that all phishing e-mails are malicious, and then state that e-mail B is a phishing e-mail, the ontology will conclude that e-mail B is malicious. If we set out to analyze e-mail C but don’t supply any characteristics, the ontology will not make any conclusion.

Ontologies and machine learning can complement each other. For example, ontologies can optimize and accelerate machine-learning models. They make the process of training models much easier by simulating logical reasoning and by being able to automatically classify and link information. And using time-saving ontological axioms — rules that describe the relationship between concepts — can narrow the input array for the machine-learning model, speeding its ability to find an answer.

Other uses for ontologies in cybersecurity

Ontologies can also help identify hidden opportunities or weak areas. For example, we can analyze a company infrastructure’s level of protection against a specific cyberthreat, such as ransomware. To do so, we create an ontology of potential antiransomware measures and apply it to the list of existing security measures in the organization.

Using the ontology will tell you whether the infrastructure has enough protection or needs work. You can use the same method to determine whether an IT security system meets IEC, NIST, or other standards. This can also be done manually, but it would take much longer and be more expensive.

Ontologies also make the lives of IT security specialists easier by enabling them to communicate with each other in the same language. Using ontology can improve cybersecurity by helping specialists contextualize the problems and attacks that others encounter, leading them to better security measures. That kind of information also comes in handy when experts create information security architectures from scratch by offering a systematic view of vulnerabilities, attacks, and their connections.

The very concept may seem complicated and abstract, but you encounter ontologies almost every day. Consider Internet searches, for example. Ontologies underlie semantic searches, letting you search for answers to actual queries rather than getting bogged down in the meaning of each individual word in them. That greatly increases the quality of search results. Pinterest, an image-sharing social network, uses similar technologies, relying on ontologies to analyze users’ actions and reactions, and then employing that data to optimize recommendations and targeted advertising.

The above represents just a few ideas of how using ontologies can improve many aspects of business and cybertech. Here at Kaspersky, we’re interested in ontology’s prospects not only for cybersecurity, but also in terms of the bigger picture, where ontology presents huge opportunities for business.