AGH University of Science and Technology (Akademia Górniczo-Hutnicza im. Stanisława Staszica w Krakowie)
Faculty of Electrical Engineering, Automatics, Computer Science and Biomedical Engineering
Department of Applied Computer Science
PhD Thesis
Maj. Bartosz Jasiul, M.Sc. Eng.
Modeling of Selected Cyber Attacks with the Use of Ontology and Petri Nets
Supervisor: dr hab. Marcin Szpyrka, prof. AGH
Kraków 2013
AGH University of Science and Technology in Krakow
Faculty of Electrical Engineering, Automatics, Computer Science and Biomedical Engineering
Department of Applied Computer Science
PhD Thesis
Maj. Bartosz Jasiul, M.Sc. Eng.
Modeling of Selected Cyber Threats with Ontology and Petri Nets
Supervisor: Marcin Szpyrka, Ph.D., D.Sc.
Krakow 2013
I would like to express my sincere gratitude to several individuals without
whom I would not have been able to complete this Thesis successfully.
First and foremost, I would like to thank Professor Marcin Szpyrka, with whom
I have cooperated for the last two years. I will never forget our first
meeting. I had just read his book about Real Time Colored Petri nets and
on four pages I presented to him what I was planning to realize in my dissertation.
He agreed at once to supervise my work, and the results of our cooperation are
visible in this Thesis. I would like to thank him for the atmosphere of research he
created, for spending time on the verification of my work and for discussions even late
in the evening.
I sincerely thank Joanna Śliwa, who has always motivated me to complete
this Thesis and who found time for scientific support and involvement in my
research.
I greatly appreciate the assistance of Rafał Piotrowski, his valuable remarks,
advice and evaluation of the results of my work. I also thank Kamil Gleba and
Paweł Skarżyński for their help in the development of cyber defence applications.
I am also grateful to Beata Sobiech for proofreading this Thesis.
Finally, I would like to thank my family, my wife Mariola, daughter Ula, and
son Adam, for understanding that lately I have had to sacrifice my family life to
complete this research.
Bartosz Jasiul
Contents

1. Introduction ............................................................ 6
   1.1. Motivation ......................................................... 6
   1.2. The problem overview ............................................... 7
   1.3. Aim ................................................................ 8
   1.4. Claim .............................................................. 8
   1.5. Work outline ....................................................... 8
2. Related work ........................................................... 10
   2.1. Malicious software ................................................ 10
        2.1.1. Malware features ........................................... 12
        2.1.2. Malware characteristics .................................... 13
   2.2. Evading virus detection technologies .............................. 15
   2.3. Malware detection techniques based on ontology and CP-nets – an overview ... 15
3. PRONTO – malware hunting tool – preface ................................ 18
   3.1. Approach to malware detection ..................................... 18
   3.2. The idea of PRONTO module ......................................... 19
   3.3. PRONTO module classification ...................................... 20
4. Ontology ............................................................... 22
   4.1. Ontology definition ............................................... 22
   4.2. Semantic models ................................................... 23
   4.3. Rules ............................................................. 30
   4.4. Ontology applications ............................................. 31
5. Colored Petri nets ..................................................... 34
   5.1. Formal definition of non-hierarchical CP-nets ..................... 34
   5.2. Places ............................................................ 35
   5.3. Transitions and arcs .............................................. 37
   5.4. Hierarchical CP-nets .............................................. 38
   5.5. Applications of CP-nets ........................................... 41
6. The architecture of the solution ....................................... 43
   6.1. PRONTO module design .............................................. 43
   6.2. PRONTOlogy – events filtering ..................................... 46
        6.2.1. Ontology model ............................................. 46
        6.2.2. PRONTOlogy engine .......................................... 49
   6.3. PRONTOnet – malware tracking ...................................... 50
        6.3.1. An approach to malware tracking ............................ 50
        6.3.2. Utilization of CP-net models for malware tracking .......... 51
7. Verification of the modeling approach .................................. 56
   7.1. Verification of the model ......................................... 56
        7.1.1. PRONTOlogy.owl evaluation .................................. 56
        7.1.2. Evaluation of cyber attack CP-net models construction ...... 60
   7.2. Cyber attacks detection – an experiment ........................... 65
        7.2.1. Data acquisition ........................................... 65
        7.2.2. Scenarios of malware detection ............................. 68
8. Conclusions and further works .......................................... 80
   8.1. Conclusions ....................................................... 80
   8.2. Further works ..................................................... 81
B. Jasiul
Modeling of Selected Cyber Threats with Ontology and Petri Nets
1. Introduction
This chapter introduces the reader to the subject of the Thesis. Firstly, it presents the motivation and
briefly introduces the scope of the problem. Then, it defines the aim and the claim of the Thesis. Finally,
it familiarizes the reader with the outline of this Dissertation and presents the contents of the subsequent chapters
within which the claim is proven.
1.1. Motivation
Computer system security rests on three main pillars: confidentiality (C), integrity (I), and
availability (A). Provision of the CIA triad is supported mostly by cryptographic functions. Confidentiality is realized by encryption, physical protection, and separation of sensitive information from
generally accessible information. Integrity can be achieved using various hash functions, signatures, checksums or meta-labels. Availability refers to the accessibility of system functions and stored data to eligible users. Additionally, there is often a requirement for the system to operate correctly for
a certain percentage of time. These core principles of information and system security are extended by
non-repudiation, authenticity and privacy.
An overwhelming number of computer systems are connected to each other by a global network, the Internet, which allows them to produce results beyond those achievable by the individual systems alone [Buc05].
The outcomes of cooperative work and the accessibility of information are perceived and appreciated probably
by all its users.
Unfortunately, the advantages of this technology are also available for hostile goals. The number of cyber threats is rising rapidly [AG10], [GN11], [Nam12], from 23 680 646 in 2008 [Gos09] to
1 595 587 670 in 2012 [MN13], and this is nowadays one of the most vexing problems in computer
system security [CDPMM09]. At the end of 2012 Kaspersky Lab, the Russian producer of antivirus software, reported [Rai12] that it currently detects and blocks more than 200 000 new malicious programs
every day, a significant increase from the first half of 2012, when 125 000 malicious programs were
detected and blocked each day on average.
Although awareness of the necessary security appliances seems to be common and the tools used for
that purpose are getting more and more advanced, the number of successful attacks targeted at computer
systems is growing [TAEC13]. They are mostly related to denial of offered services, gaining access to or
stealing private data, financial fraud, etc. Moreover, the evolution towards cloud computing and the increasing
use of social networks, mobile and peer-to-peer networking technologies, which are an intrinsic part of our
life today and carry many conveniences in our personal life, business and government, gives cyber criminals the
possibility to use them as tools and as a potential path of malware propagation [ADR+ 10].
Computer systems are prone to cyber attacks even though a number of security controls are already
deployed. Cyber criminals are focused on finding a way to bypass security controls and gain access to
the protected network. For that reason organizations, companies, governments and institutions, as well as
ordinary citizens all over the world, are interested in detecting all attempts at malicious actions targeting
their computer networks and single machines.
Malicious activity detection usually starts with the application of various techniques. The success rate of
the applied methods for malware detection depends on the reliability of the malware model. Usually the methods
are based on code signatures. Security controls (e.g. antivirus tools) might be maladjusted because
signatures of new threats have not been identified yet. Hackers often reuse existing parts of code in order to
implement new types of malware. This allows, in return, signatures of new dangerous
software to be developed quickly. Therefore, the more signatures are deployed, the more malicious codes are identified. On the
other hand, one of the methods of misleading signature-based detection systems is code obfuscation,
the aim of which is to generate, from already existing code, a new application that cannot yet be assessed
as risky by security controls. This technique is simple to use and potentially successful, so that
equally successful countermeasures are necessary. One example is to follow the behavior of malicious
software in order to identify it and eliminate it from the protected system.
This Thesis proposes a response to the current needs of both individual users and huge international
organizations in terms of behavioral analysis of malware.
1.2. The problem overview
According to the Nomura Research Institute annual report on the cyber security trend in 2012 [TMM12],
a hundred percent of organizations had antivirus products installed. Despite this, according to the report,
about thirty percent of organizations are systematically infected by malware. The reason for this
situation is not, as might be expected, inappropriate updating of operating systems and antivirus
definition files, but the lack of signatures for all existing threats.
Equally, Kaspersky Lab estimated that in 2012 around 200 000 unique malware samples were detected every
day. Most of them reused existing parts of malicious code. This simplicity of developing
new malicious code from existing code and the effectiveness of obfuscation mechanisms arm the
attacker with a powerful weapon.
Moreover, according to the study conducted in 2012 by the Verizon RISK Team in cooperation
with many national federal organizations, including e.g. the Australian Federal Police, the Irish Reporting and
Information Security Service, and the United States Secret Service [VAI]:
– 54% of malware took months to discover,
– 29% of malware took weeks to discover,
– 13% of malware took days to discover.
This report shows how important it is to introduce new techniques that speed up the process of malware detection to hours. The authors of the report [TMM12] indicate that antivirus products should be supported by malware behavioral analysis tools in order to detect those attacks for which signatures have
not been established. An existing example of an appliance that uses behavioral analysis for advanced persistent
threat detection is Digital DNA by HBGary, which extends the capabilities of McAfee Total Protection
antivirus [McH]. Detailed technical specifications of this solution have not been released to the public. The
product brochure states that multiple low level behaviors are identified for every running program or
binary. This leads to the conclusion that each application is observed from a behavioral perspective. McAfee
is proud that the solution allowed more 0-day attacks to be detected during the last year than in the previous five
years combined. This indicates the scale of new malware development and the efficacy of the behavioral
approach.
1.3. Aim
The aim of the Thesis is to propose, develop and verify a Method of modeling cyber threats directed
at computer systems. Moreover, the goal is to prove that the Method enables the creation of models resembling
the behavior of malware that support the process of detecting selected cyber attacks. The proposed approach
to modeling cyber attacks is based on ontology and Colored Petri nets (abbr. CP-nets).
This Thesis is addressed to cyber defence researchers, security architects and developers solving
up-to-date problems regarding detection of and prevention from advanced persistent threats.
1.4. Claim
The Thesis is to prove the following claim:
The malware modeling method based on ontology and Colored Petri nets enables the detection of cyber
attacks the code of which has been obfuscated.
The claim has been proven by performing the following tasks:
1) Development and verification of a cyber threats ontology and reasoning rules.
2) Showing that the ontological model and reasoning rules enable identification of single cyber incidents
among regular activities.
3) Modeling of cyber attacks directed at computer systems with the utilization of Colored Petri nets.
4) Verification of the method combining ontology and CP-net models reflecting cyber threats in order
to prove that it is applicable for the detection of attacks on the monitored computer systems.
1.5. Work outline
Chapter 2 presents malware types, their features and characteristics. This is followed by a description
of the methods for evading antivirus technologies. This chapter also presents the techniques for cyber attack detection described in the literature and
considered beneficial, limited to behavioral analysis and the utilization
of ontology and Petri nets.
Chapter 3 provides an overview of the approach taken to prove the Thesis and introduces the reader
to the proposed Method. Additionally, it presents the classification of the Method among other existing
ones.
Chapter 4 introduces the definition of ontology and reasoning rules. It also shows their use in computer systems and briefly presents their wide scope of application in different scientific and practical
fields.
Chapter 5 formally defines Colored Petri nets with examples that allow the reader to quickly understand
their nature and use. It also presents applications of CP-nets in many areas.
Chapter 6 describes the architecture of the proposed solution. It introduces the reader to the concept
of how ontology and CP-nets are utilized in order to model malicious actions in the monitored system
and presents the approach to their application in threat tracking tools.
Chapter 7 presents the verification of the proposed Method and describes practical scenarios of malware
detection with the use of the developed tools.
Chapter 8 briefly summarizes the achieved results, presents conclusions and outlines future work.
Acknowledgment
This Thesis has been partially supported by the National Centre for Research and Development
project no. PBS1/A3/14/2012 "Sensor data correlation module for detection of unauthorized actions and
support of decision process" and the European Regional Development Fund the Innovative Economy
Operational Programme, under the INSIGMA project no. 01.01.02-00-062/09.
2. Related work
This chapter introduces the reader to the broad range of malicious software that threatens computer system security. It presents the classification of malware types from different viewpoints and their characteristics,
as well as the problem of evading antivirus technologies. Finally, it briefs the general results of the state-of-the-art analysis in terms of cyber attack detection.
2.1. Malicious software
The term malware, in the area of computer science, is defined as malicious code that executes
unwanted and possibly dangerous activities on a computer system. All malicious activities detected by
antivirus tools are classified into particular groups. They may vary depending on the chosen classification
approach. The classification proposed in this Thesis is based on two interesting sources that have different
points of view in this area, i.e.: the book titled "Practical Malware Analysis. The Hands-On Guide to
Dissecting Malicious Software" [SH12] and the Kaspersky Lab Classification Tree [Lab13].
Malicious software has been divided by Kaspersky Lab into the following main classes: Malware,
AdWare, RiskWare, and PornWare. Further on, the main class, Malware, consists of the following
disjoint sub-classes:
– Viruses and Worms – malicious programs that self-replicate on computers or via computer networks without the user being aware.
– Trojans – malicious programs that perform actions, which are not authorized by the user: they
delete, block, modify or copy data, and they disrupt the performance of computers or computer
networks. Unlike viruses and worms, the threats that fall into this category are unable to make
copies of themselves or self-replicate.
– Suspicious Packers – malicious programs compressed or packed using a variety of methods combined with file encryption in order to prevent reverse engineering of the program and to hinder
analysis of program behavior with proactive and heuristic methods.
– Malicious Tools – programs designed to automatically create viruses, worms, or Trojans, conduct
DoS attacks on remote servers, hack other computers, etc.
It should be noted that the Malware class includes software that could possibly have different target
and influence, whereas the three other main classes in Kaspersky Lab classification are targeted to:
– display advertisements (usually in the form of banners), redirect search requests to advertising
websites, and collect marketing-type data about the user (AdWare);
– cover legitimate programs, which can cause damage when they fall into the hands of malicious
users (and are used to delete, block, modify, or copy data, or disrupt the performance of computers
or networks) (RiskWare);
– display pornographic material to the user (PornWare).
[Figure 2.1: Overlapping of malware classifications. The figure shows the Kaspersky Lab classes (Viruses/Worms, Trojans, Suspicious Packers, Malicious Tools) overlapping with the classes from "Practical Malware Analysis" (Downloaders and Launchers, Backdoors, Credential Stealers, Persistence Mechanisms, Privilege Escalation, User-Mode Rootkits).]
As shown, the Kaspersky Lab definition focuses on the characteristics of the malicious code and its
possibilities in terms of self-dissemination and code composition. This, however, is not the only interesting
approach. A different classification is presented in the book "Practical Malware Analysis ..." [SH12],
where other classes of malicious characteristics are listed. These are:
– Downloaders and Launchers that download or launch other malicious code, commonly installed
by attackers when they first gain access to a system;
– Backdoors that install themselves onto a computer to allow the attacker access;
– Credential Stealers that collect information from a victim’s computer and usually send it to the
attacker;
– Persistence Mechanisms that are used to maintain the malware for a long time in the infected
computer;
– Privilege Escalation that installs itself onto a privileged account;
– User-Mode Rootkits that conceal the existence of other code, usually paired with other malware,
such as a backdoor, to allow remote access for the attacker and make the code difficult for the
victim to detect.
Substantially, this classification is focused mainly on the method for bypassing the border security
controls and gaining access to the system, which is crucial in terms of malware behavior. Nevertheless,
in the opinion of the Author of this Thesis, these two classifications overlap, as presented in
Figure 2.1.
2.1.1. Malware features
Malware can be analyzed from different perspectives. The first is its destructiveness. Destructive
malware are programs with malicious intent that are implemented in order to disturb, cause loss or theft.
These programs are viruses, worms, botnets, spyware, trojan horses, rootkits, and backdoors. Malware
that is designed only to advertise products or attract users to visit websites is called a disturber. This group includes
spam and adware.
The second perspective is the malware's objective. According to the ITU-T recommendation "X.805: Security architecture for systems providing end-to-end communications" [IT03] cyber
attacks can cause the following results:
– destruction (an attack on availability) – extinction of information/systems/services/networks;
– disclosure (an attack on confidentiality) – unauthorized access to an asset;
– corruption (an attack on integrity) – unauthorized tampering with an asset;
– removal (an attack on availability) – theft, removal or loss of information and/or resources;
– interruption (an attack on availability) – information and/or network becomes unavailable or unusable.
In Table 2.1 cyber threats (according to X.805) were mapped to the security dimensions.
Table 2.1: X.805 security threats mapped to the security dimensions

Security dimension       Destruction  Corruption  Removal  Disclosure  Interruption
Access control                X           X          X         X
Authentication                X           X          X         X
Non-repudiation               X           X          X         X            X
Data confidentiality                                           X
Communication security                               X         X
Data integrity                X           X
Availability                  X                                             X
Privacy                                                        X
Malware analysis can be realized also from the operational perspective. It can be perceived
as [TS08]:
– tangible: when malware causes destruction in the victim’s machine;
– intangible: malware does not cause any destruction but may cause operations such as theft or
duplication;
– manual adjustment: target of malware is determined manually by the attacker;
– self-propagation: malware chooses its target randomly and propagates itself from one machine to another;
– single operation: target of malware is only one computer or infrastructure;
– network operation: malware has more than one victim and executes multiple operations.
From the establishment method perspective malware can have the following status:
– centralized: the attack is executed from a single point of operation;
– distributed: the attack is run from multiple/parallel sources (e.g. DDoS attack);
– local: malware installed on the machine executes malicious activity on it;
– remote: malware attacks other machines than it is installed on.
From the communication perspective malicious software can be:
– autonomic: malware does not communicate with its creator;
– dependent: malware needs to communicate with its creator;
– centrally controlled: malware communicates with command and control center (C&C) in order to
download orders and additional code;
– without central control: malware does not communicate with C&C.
The above analysis allowed malware types to be classified from five perspectives: destructiveness of malicious software, their objectives, realized operations, establishment method and types of communication.
2.1.2. Malware characteristics
As mentioned in section 1.1, malware realizes malicious activities on the victim's machine/system.
It can cause various damages and disorders like theft, removal of system security controls, destruction
of files, etc. Since the subject of this Thesis refers directly to malware behavior, a short
presentation of selected malware types is introduced in this section in order to show their specifications.
Viruses
A virus is autonomous code that can self-replicate on computers or via computer networks. Viruses
are programs that inject themselves into other files in order to be perceived as legitimate programs. This
allows them to propagate and execute themselves without the user being aware.
Worms
Worms, similarly to viruses, are programs that have the possibility to self-replicate on a computer or
via computer networks without being noticed by the users. A copy of a worm can self-replicate, too. The
difference between viruses and worms is the number of methods of self-replication: worms have more
than one, while viruses utilize only one method. Moreover, worms can be easily spread over wide or
local area networks without the need to be attached to a specific file. This makes the worm independent
of the carrier. For instance, a worm can be embedded on a website, making every visitor a potential
victim.
Spyware
Spyware is a program developed to steal, make copies or inform the author about the activities of the users
of an infected machine. The most popular spyware are keyloggers [Bal11], which are responsible for saving
passwords and keys to protected user resources (e.g. private data, bank accounts) and reporting them
back to an outside source.
Adware
At first, adware was used to advertise paid licenses of software when free of charge software was
installed. Later on, this possibility was utilized by hackers in order to attract users to visit paid content
on web pages (often pornographic sites). This type of malware becomes difficult to uninstall when
hackers have used advanced techniques that block any activity focused on modification of such software. To get rid of such unwanted code it is recommended to use the free software frequently distributed
by well known antivirus companies.
Trojan horses
Trojan horses, or simply trojans, are programs that realize activities not authorized by the user. They
delete, block or modify data, and frequently negatively affect the performance of infected machines and
networks. In contrast to viruses and worms, trojans are unable to self-replicate and disseminate within
the computer network.
Rootkits
The task of rootkits is to hide the existence of malicious applications from users or from programs detecting
escalation of access privileges. They are usually installed after a hacker or malicious software reaches
administrator account (so called root) privileges.
Botnets
Botnets are sets of cooperating programs on various infected machines performing specific orders or
tasks that they were designed for. Botnets are often used for DDoS attacks in order to make a website
or a network impossible to be reached by legitimate users.
The above mentioned malicious software types perform their activities, in the majority of cases, in five
phases of a cyber attack:
– first contact: malware must find a way to contact users;
– local execution: threats use a diversity of ways to enter a system and begin to write files on disk
and modify the system in order to set up a base for downloading or executing the destructive
code;
– establish presence: cyber attacks use several tricks to hide themselves from detection even before
beginning their malicious work;
– malicious activity: cyber attacks start to realize their business according to the intent of their
developers, e.g. stealing passwords, bank fraud, selling fake antiviruses or programs;
– dissemination: malicious software distributes itself to other machines and systems in order to
bring higher profit to the attacker.
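The five-phase sequence above is the kind of ordered behavior the Thesis later models with CP-nets. The following is an added example, not code from the Thesis or from the PRONTO tools: a minimal Petri-net-style tracker in which each monitored process owns one token, the token's position is the next phase still to be evidenced, and a transition fires only when an event for exactly that phase is observed. The event names, the event-to-phase mapping, the alert threshold and the sample log are all assumptions constructed for this illustration.

```python
"""Phase tracker over a constructed host event log (added example).

Each tracked process owns one token whose position is the index of the next
attack phase still to be evidenced; a transition fires only when an event for
exactly that phase arrives, so out-of-order or unrelated events do not advance
the token. Event names and the event-to-phase mapping are assumptions.
"""
from dataclasses import dataclass, field

# The five phases from the text, in the order the model expects them.
PHASES = ["first_contact", "local_execution", "establish_presence",
          "malicious_activity", "dissemination"]

# Assumed mapping: which observable host/network event evidences which phase.
EVENT_PHASE = {
    "mail_attachment_opened": "first_contact",
    "browser_download": "first_contact",
    "file_written_to_disk": "local_execution",
    "process_started": "local_execution",
    "autorun_key_added": "establish_presence",
    "service_installed": "establish_presence",
    "credential_read": "malicious_activity",
    "outbound_c2_connection": "malicious_activity",
    "smb_copy_to_host": "dissemination",
}


@dataclass
class Marking:
    """Token state of one tracked process."""
    next_phase: int = 0                        # index into PHASES
    trace: list = field(default_factory=list)  # events that fired a transition


def fire(marking: Marking, event: str) -> bool:
    """Fire the transition for `event` if it evidences the next expected phase.
    Unknown events and out-of-order events leave the marking unchanged."""
    phase = EVENT_PHASE.get(event)
    if phase is None or marking.next_phase >= len(PHASES):
        return False
    if PHASES[marking.next_phase] != phase:
        return False
    marking.next_phase += 1
    marking.trace.append(event)
    return True


def track(log):
    """Replay (timestamp, process_id, event) records in time order; return pid -> Marking."""
    markings = {}
    for _ts, pid, event in sorted(log):
        fire(markings.setdefault(pid, Marking()), event)
    return markings


def alerts(markings, threshold=3):
    """Processes whose token advanced through at least `threshold` phases,
    with the phases reached so far; the threshold is a tunable assumption."""
    return {pid: PHASES[:m.next_phase]
            for pid, m in markings.items() if m.next_phase >= threshold}


# Constructed sample log (not real data): p1 walks the whole attack sequence,
# p2 looks like an ordinary installer (writes files, installs a service, but
# never had a "first contact" event), p3 shows a single out-of-order event.
SAMPLE_LOG = [
    (1, "p1", "mail_attachment_opened"),
    (2, "p1", "file_written_to_disk"),
    (3, "p2", "file_written_to_disk"),
    (4, "p2", "service_installed"),
    (5, "p1", "autorun_key_added"),
    (6, "p1", "credential_read"),
    (7, "p3", "outbound_c2_connection"),
    (8, "p1", "smb_copy_to_host"),
]

if __name__ == "__main__":
    for pid, reached in alerts(track(SAMPLE_LOG)).items():
        print(pid, "->", reached)
```

Running the block reports only p1, which reached all five phases; p2 and p3 never pass the first transition. The strict ordering is a deliberate modeling choice: it keeps an installer that merely writes files and registers a service from raising an alert, at the price of missing an attack whose first contact was not observed, which is exactly the trade-off a richer CP-net model with alternative paths is meant to address.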
The most important and expensive phase for attackers is establishing the presence of the malicious code
on the selected operating system or particular victim's machine. The next section discusses how attackers
approach and try to execute the attack without being noticed by the particular system stakeholders.
In this Thesis it is assumed that the proposed method supports the process of malware signature
development for malicious software components that were obfuscated, as well as for 0-day attacks that
use particular parts of known destructive code modified in order to make an attack successful.
2.2. Evading virus detection technologies
The method of evading antivirus tools is generally called obfuscation. It is a technique aimed at
generating new software that realizes the same functions as the original one but does not have its specific
code signatures. It can be realized by modification of JavaScript code, additional loops in the code that return
to the point of execution (zero loops), encryption techniques run at program execution, etc.
The list of obfuscation techniques includes, but is not limited to:
– Parasitic obfuscation, which is used to append, prepend, or insert code into data sections of files on
disk [BKM07].
– Self-modification, which allows malware to modify its code during every infection. Thus, each infected file contains a different variant of the virus [LD03].
– Polymorphic coding, which is an obfuscation that consists in infecting files with an encrypted copy
of the virus [Auc96]. Each time, the encryption key or even the encryption method can be modified;
therefore virus codes differ from one infection to another, causing their signatures to be
hard to detect [CPA+ 08]. If some part of the code remains the same, an anti-virus tool can decrypt the
code using an emulator. However, this is not always a successful technique. It allows some
malware to be detected and new signatures to be produced for them.
– Metamorphic coding, which is a technique of rewriting the functions of the software every time in a different way [BM08], [RMI12]. Viruses that utilize this technique are very large and complex. Metamorphism makes viruses almost undetectable by signature-based tools.
Obfuscation techniques are very successful in hiding malicious code from byte-level content analysis [KWLP05], [KM06] and static analysis methods [CJS+05], [Fla04], [CJ03], which makes cyber attacks
undetectable by these means. Cyber criminals put significant effort into thwarting detection by anti-malware
tools. Moreover, methods of evading antivirus products will keep being developed as long as cyber crime is
profitable.
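As an added illustration of the polymorphic case described above (example code written for this edition, not code from the Thesis or from any real malware), the following Python script builds "variants" of a harmless stand-in byte string under different XOR keys and compares a byte-level signature scanner with a scanner that first runs the constant decryptor stub. The body, the signature, the stub marker and the keys are all constructed for the example.

```python
# Added example: why a body signature misses polymorphic variants while an
# emulating scanner, or a signature on the unchanged stub, still catches them.
# The "malware" body is a constructed, harmless byte string; STUB_MAGIC and the
# keys are assumptions made for the example.

ANN_BODY = b"\x90\x90connect(203.0.113.7)\x90steal_passwords()\x90"
ANN_SIGNATURE = b"steal_passwords()"   # the byte pattern extracted from "Ann"
STUB_MAGIC = b"DECRYPT:"               # constant part of the decryptor stub


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, its own inverse, used here as the toy 'encryption'."""
    return bytes(b ^ key for b in data)


def polymorph(body: bytes, key: int) -> bytes:
    """Build a variant: constant stub + one-byte key + body XOR key.
    Each key yields a different ciphertext, so the body signature disappears
    while the decryptor stub stays byte-identical across variants."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body in clear)")
    return STUB_MAGIC + bytes([key]) + xor_bytes(body, key)


def signature_scan(sample: bytes, signature: bytes) -> bool:
    """Plain byte-level matching, as a signature-only scanner does."""
    return signature in sample


def emulated_scan(sample: bytes, signature: bytes) -> bool:
    """Cheap stand-in for emulation: recognise the stub, run its decryption
    routine, and scan the recovered body. A metamorphic engine that also
    rewrites the stub would defeat the recognition step."""
    if not sample.startswith(STUB_MAGIC) or len(sample) <= len(STUB_MAGIC):
        return signature_scan(sample, signature)      # not packed, scan as is
    key = sample[len(STUB_MAGIC)]
    body = xor_bytes(sample[len(STUB_MAGIC) + 1:], key)
    return signature in body


def scan_report(samples: dict, signature: bytes) -> dict:
    """Run both scanners over every sample; returns {name: {scanner: hit}}."""
    return {name: {"signature": signature_scan(s, signature),
                   "emulation": emulated_scan(s, signature)}
            for name, s in samples.items()}


# Ann is the original; Bob and Dan are polymorphic variants of the same body.
SAMPLES = {
    "Ann": ANN_BODY,
    "Bob": polymorph(ANN_BODY, 0x5A),
    "Dan": polymorph(ANN_BODY, 0xC3),
}

if __name__ == "__main__":
    for name, result in scan_report(SAMPLES, ANN_SIGNATURE).items():
        print(name, result)
    # The unchanged stub is itself a signature, which is why polymorphic
    # engines that leave the decryptor constant still get caught.
    print("stub signature hits:", [n for n, s in SAMPLES.items()
                                   if signature_scan(s, STUB_MAGIC)])
```

The body signature hits only Ann; the emulating scanner hits all three; a signature on STUB_MAGIC hits Bob and Dan but not Ann. Rewriting the stub on every infection, which is what metamorphic engines do, removes that last foothold and is the case the behavioural approach of this Thesis targets.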
2.3. Malware detection techniques based on ontology and CP-nets – an overview
Great effort has been made lately in static analysis of malicious code, because this technique has generally
brought good accuracy in malware detection [KKB+06], [KRFV04], [SYS+08]. Even though
it is an appropriate technique [KRV04], the most difficult problem it faces is handling obfuscated binaries [Szo05]. Additionally, certain obfuscation techniques are known to make the analysis problem NP-hard for static analysis [MKK07].
On the other hand, dynamic malware analysis is directed at obtaining reliable information about executed malicious code. Dynamic malware analysis may be based on building behavior clusters from
event sequences and measuring distances between single events [BAMJ07], [LM06]. However, this approach
suffers from the lack of external rules for data analysis. According to [CJK07], [RHWD08], a successful
method of dynamic malware analysis is the comparison of specifications of malicious behavior with hooked
processes at the application level.
The approach to malware modeling proposed in this Thesis is based on the utilization of both ontology
and Colored Petri nets during dynamic malware analysis. It must be emphasized that there exist
related works that separately utilize ontology and CP-nets in detection or modeling of cyber threats,
although they differ remarkably in their attitude to malware modeling. For instance, graph knowledge
models and ontologies were used for modeling and reasoning over network attacks and for attack prediction [SA12]. Knowledge representation methods and modeled network attacks with their prerequisites
and consequences were used to provide description logic reasoning and inference over attack domain
concepts. In this way an ontology-based system was proposed to predict potential attacks using inference
and observation of information provided by sensors.
An ontology-based approach to instantiating security policy and reactions to network attacks was proposed to map alerts into attack contexts [CBCdV+08]. This solution was used to identify the policies
to be applied in the network to prevent the threat. Ontologies in this case were utilized to describe alerts, and inference rules were run to map alerts into possible attacks and adequate
policy rules. In general, security rules and policies can be applied both in hardware unified firewall systems [Nal07] as well as in web security systems [NL03], [ARS+10].
Ontologies and knowledge representation as a semantic model were successfully used for indirect
association analysis to extract useful information about a terrorist social network [TCK10]. Ontological
filtering was adapted to transform the semantic representation of a terrorist network into a set of complex
networks. Then, for further processing, a structured graph [TK10] was produced. This allowed the terrorist social network to be investigated and relations between criminals to be found.
It is also worth mentioning that ontologies were successfully adapted for detection of cyber attacks in
network traffic within the Federated Cyber Defence System (FCDS) [JPB+12] developed by the Polish
Military Communication Institute, ITTI Ltd. and CERT Poland. The Author of this Thesis was one of
the major architects and developers of this system. Ontologies in FCDS were also utilized to produce so
called general decision rules [CKP+11], [CK11] that mitigate the consequences of attacks. These general
decision rules were translated into the language of a particular network or software security appliance in
order to execute the rule and take the appropriate action. For instance, system reaction units were able to
block traffic, redirect it to a trap or back to the attacker, disable the affected network service (e.g. a web service),
or notify the administrator [PJS+11] that sensors had detected suspicious activities in the network traffic.
Like ontologies, Colored Petri nets were successfully adapted for identification of cyber
threats. In the work [KS94] the authors observed that the mathematical representation of Petri nets allows for
modeling of computer misuse. The proposed mechanism consisted in representing a known attack as a sequence of events. In this case the attack was presented as a Petri net graph. Comparing observed misuse with the
Petri net graph allowed detection of unwanted actions.
Colored Petri nets were also utilized for detection of DoS attacks in Wide Area Networks [Hea09].
In this case Colored Petri nets were adapted to model router network connections in the area of
the United States. It was shown that modifications of the network infrastructure made by DoS attacks
can be detected by comparing the current state with the modeled one. Moreover, this method was proposed as an early warning system against network attacks. Additionally, it can support the development of
network infrastructure security strategies.
The next major contribution in the utilization of Colored Petri nets was identified in the work [TSD10a],
[TSD10b] supported by the US Air Force Office of Scientific Research. This outstanding research presents
a new approach to formal specification of malicious functionalities based on activity diagrams defined in an abstract domain. It introduces abstract functional objects that, along with system objects,
can be used for creating generic specifications covering multiple realizations of a functionality. The methodology proposed in the work utilizes Colored Petri nets for recognition of functionalities at the system call
level.
As can be seen, the application of ontology and CP-nets touches many disciplines where modeling of system behavior is critical. This usage is also crucial in this Thesis for the application of ontology and CP-nets
in cyber defence, as the following chapters show.
3. PRONTO – malware hunting tool – preface
This chapter introduces the reader to the Method of malware modeling proposed in this Thesis and
describes the approach to detection of malicious activity. Additionally, it presents the classification of the
Method among other existing ones.
3.1. Approach to malware detection
On the basis of the problem stated in [Bon98], let us suppose that an existing malware called Ann
has distinctive code features {f1, f2, f3} and signatures {s1, s2, s3} that are known to antivirus tools.
Then, malware Ann is modified by someone using obfuscation methods (see par. 2.2) in such a way that
as a result the codes Bob and Dan are developed. The new malware Bob and Dan have the same features
{f1, f2, f3} as Ann, although different code signatures: {s1, s4, s5} and {s6, s4, s5} respectively. Thus,
signature-based detectors can easily detect malware Ann, and some of them will detect Bob, because it
has one signature typical of Ann. No signature-based tool can detect Dan as suspicious or
malicious, because it has no signature similar to the existing ones.
Now, let us assume that in some system malware Dan is executed and performs its malicious activity. Anti-virus scanners are unable to detect this malware, even though sensors spread over this system
can deliver information about its activity. Observed independently, these activities are treated as regular
actions of a user or of software. However, identification in system logs of those events that are distinctive for this malware
can prove that the system is infected by a particular modification of the Ann code.
In the proposed Method the basis for detection of malicious behavior are models of malware activities
which reflect modifications of system resources, affected components of infected systems, data exchanged
with other malware or control stations, used protocols, etc. Moreover, the Method identifies suspicious
events in system logs and maps them onto stored malware characteristics in the form of Colored Petri net
models. For this purpose a novel tool called PRONTO has been proposed, which traces system logs
and matches sensor data with modeled malware activities. Since in system log
analysis a large number of sensor data must be processed, it is proposed that ontology reasoning is used
for identification and classification of events as suspicious, malicious or regular behavior.
3.2. The idea of PRONTO module
In order to prove the claim of the Thesis, a behavior-oriented malware
hunting tool, so called PRONTO, has been proposed that can be used in parallel with existing signature-based tools.
The main assumption of the presented Method is that the malware has not yet been recognized by
signature mechanisms. The aim therefore is to track its suspicious activities in order to find it while it is
running in the system.
Figure 3.1: Concept of PRONTO module. [Figure: sensors (process monitor, registry monitor, file monitor, network monitor, ...) deliver events (xsd defined) to the PRONTOlogy engine, which performs stage 1, events filtering: lifting the events into the knowledge base, reasoning over the malware descriptions, and returning SQWRL query results as registered markings; the PRONTOnet engine performs stage 2, threats tracking, over the CP-net models, producing the attack vector and the alarm: malware recognition.]
The two main threads the Method is composed of are (see Figure 3.1):
– Filtering of the system events registered by the system monitors (sensors) to discover the main
features of the hostile activity. These features are related to particular objects and the actions triggered
on those objects, e.g. registry (add entry, modify entry, delete registry entry, etc.), process (start,
stop process, etc.), file (copy, delete, run, open, close file, etc.), domain (connect to, etc.), IP address
(connect to, etc.);
– Tracking suspicious activity in order to discover malicious exploits running in the system. Filtered events are correlated in order to find similarities with the stored malware activities modeled in
the form of Colored Petri nets. The result of malware tracking is an alarm that contains an information vector about the malicious activity, its similarity to known attacks, and the list of incidents
that affected the system.
The first component is related to capturing events from sensors and analyzing them with an expert system that uses a comprehensive ontology, defined for the purpose of the Method and called
PRONTOlogy. Registered events in the form of XML objects are sent to the PRONTOlogy engine
and lifted to add entries to the Knowledge Base. PRONTOlogy describes events registered by system
monitors and is able, on the basis of a rule engine and inference, with the use of specially defined rules,
to classify an event as potentially suspicious, malicious or regular. As a result, markings of the modeled
malware in the form of CP-nets are delivered for further analysis.
The main element of the threats tracking component of the Method is PRONTOnet. It provides
a formal model of malware behavior and allows suspicious activities to be tracked and potentially assigned
to a class of known malware types, or identified as an unknown one. Known exploits can be
undetectable to signature-based malware detection tools after their code has been obfuscated (see section 2.2), although their activities can still be easily observed. It also often happens that a new piece of malware
is composed of known components taken from other ones. This results in another behavior pattern
that can be tracked as a new, not yet identified exploit. The result of the threats tracking stage is an alert
informing about identification of suspicious or malicious events with a certain similarity rate to
the known malware types. Reaction to the detected attack, which is beyond the scope of this Thesis, can be realized by the Federated Cyber Defense System [JPB+12], which has been developed since 2010 at the Military
Communication Institute.
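To make the two-stage flow concrete, here is an added, simplified Python sketch of the idea (written for this edition; it is not PRONTO's code and uses neither PRONTOlogy nor any CP-net tooling). Stage 1 is a handful of hand-written rules standing in for ontology inference; stage 2 is a small place/transition net per malware model, in which a single token advances as the modelled features appear, so the marking records how far the behaviour has progressed. The rule set, the "Ann" model with features f1, f2, f3 from the Ann/Bob/Dan example above, and the log lines are all constructed for the example.

```python
# Added example: a toy two-stage behaviour matcher in the spirit of PRONTO.
# Stage 1 filters single events with assumed rules; stage 2 tracks the
# surviving events against a place/transition net modelling one malware.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Event:
    sensor: str   # "registry" | "process" | "file" | "network"
    action: str   # e.g. "add_entry", "create", "start", "connect", "open"
    obj: str      # registry key, file path, process image or remote host


def classify(ev: Event) -> str:
    """Stage 1 stand-in: assumed rules labelling one event in isolation."""
    low = ev.obj.lower()
    if ev.sensor == "registry" and ev.action == "add_entry" and "\\run" in low:
        return "suspicious"        # autorun persistence
    if ev.sensor == "file" and ev.action == "create" \
            and "\\temp\\" in low and low.endswith(".exe"):
        return "suspicious"        # executable dropped into a temp directory
    if ev.sensor == "process" and ev.action == "start" and "\\temp\\" in low:
        return "suspicious"        # something executing out of temp
    if ev.sensor == "network" and ev.action == "connect" and not low.endswith(".local"):
        return "suspicious"        # outbound contact with a non-local host
    return "regular"


@dataclass(frozen=True)
class Transition:
    name: str
    src: int                        # input place
    dst: int                        # output place
    guard: Callable[[Event], bool]  # enabled by an event carrying this feature


class MalwareNet:
    """One token starts in place 0; a transition moves it from src to dst,
    so the marking is the progress of the modelled behaviour. A token in the
    last place raises the alarm; fired transitions form the attack vector."""

    def __init__(self, label: str, places: int, transitions: List[Transition]):
        self.label, self.places, self.transitions = label, places, transitions
        self.marking: Dict[int, int] = {p: 0 for p in range(places)}
        self.marking[0] = 1
        self.attack_vector: List[str] = []

    def step(self, ev: Event) -> Optional[str]:
        for t in self.transitions:
            if self.marking[t.src] > 0 and t.guard(ev):
                self.marking[t.src] -= 1
                self.marking[t.dst] += 1
                self.attack_vector.append(t.name)
                return t.name
        return None

    def report(self) -> dict:
        return {"malware": self.label,
                "attack_vector": list(self.attack_vector),
                "similarity": len(self.attack_vector) / len(self.transitions),
                "alarm": self.marking[self.places - 1] > 0}


def ann_model() -> MalwareNet:
    """Hypothetical model of malware Ann: features f1, f2, f3 in that order."""
    return MalwareNet("Ann", 4, [
        Transition("f1:drop_exe_in_temp", 0, 1,
                   lambda e: e.sensor == "file" and e.action == "create"
                   and "\\temp\\" in e.obj.lower() and e.obj.lower().endswith(".exe")),
        Transition("f2:autorun_entry", 1, 2,
                   lambda e: e.sensor == "registry" and e.action == "add_entry"
                   and "\\run" in e.obj.lower()),
        Transition("f3:contact_controller", 2, 3,
                   lambda e: e.sensor == "network" and e.action == "connect"),
    ])


def hunt(log: List[Event], models: List[MalwareNet]) -> List[dict]:
    """Stage 1 drops regular events; stage 2 feeds the rest to every model."""
    suspicious = [ev for ev in log if classify(ev) != "regular"]
    for ev in suspicious:
        for net in models:
            net.step(ev)
    return [net.report() for net in models]


# Constructed sample log: benign noise interleaved with a Dan-like variant whose
# code signature differs from Ann but whose observable behaviour is the same.
SAMPLE_LOG = [
    Event("file", "open", "C:\\Users\\ula\\Documents\\report.docx"),
    Event("network", "connect", "fileserver.local"),
    Event("file", "create", "C:\\Users\\ula\\AppData\\Local\\Temp\\svch0st.exe"),
    Event("process", "start", "C:\\Users\\ula\\AppData\\Local\\Temp\\svch0st.exe"),
    Event("registry", "add_entry",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svch0st"),
    Event("process", "start", "C:\\Program Files\\Browser\\browser.exe"),
    Event("network", "connect", "203.0.113.7"),
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_LOG, [ann_model()]):
        print(r)
```

On the sample log the Ann net fires all three transitions and reports similarity 1.0 with the alarm raised; if the beacon never appears, the token stays in place 2 and the report shows similarity 2/3 without an alarm, which is the partial-match information the alert is meant to carry. The process start from Temp passes stage 1 but matches no enabled transition, illustrating that filtering and tracking are separate decisions.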
3.3. PRONTO module classification
On the basis of the main features of the Method, according to Figure 3.2, one can classify it as:
– recognizing known patterns of malware behavior [MDL+12],
– a Host-based Intrusion Detection System (HIDS) [VB10],
– having a central module responsible for malware detection [JP12],
– with the malware detection module fed by the system logs [FPZ+08],
– reacting passively to detected malware [HBB+07],
– analyzing incidents in real time [WAFS+08].
PRONTO – malware hunting tool – is developed to cooperate with existing signature based detection
methods (e.g. anti-viruses), which do not recognize distinctive features of new or obfuscated malware.
PRONTO can also be used in so called sandboxes in order to trace the development and progress of malicious activities. Thus, it could also be used in a client honeypot [WWCZ10] that waits passively for an
attack. During the attack PRONTO recognizes single incidents that are compared with CP-net models of
malware activity. For that reason PRONTO is classified as a known patterns recognition method. It is
also possible to adapt this Method to detect anomalies.
It has been shown that CP-net models can be utilized successfully to detect Denial-of-Service cyber attacks
over the Internet's router infrastructure [Hea09]. This Thesis is focused only on detection of malicious
activities at the host level and on recognizing incidents coming from a single machine or operating system.
Therefore, PRONTO is classified as a Host-based Intrusion Detection System; a slight modification would
allow it to detect unwanted actions at the network level, though.
The architecture of PRONTO itself is centralized; however, the PRONTO module is utilized to detect
malware in a federated system. Modification of the security policy and architecture in such a way as to accept
the events from other domains / computer systems / machines will allow it to be classified as a federated
system.
Figure 3.2: Features of malware detection methods (based on [Ren11])
Feature             | Possible values
Method of detection | anomaly detection; known patterns recognition; hybrid
Protected system    | host (HIDS); network (NIDS); hybrid
Architecture        | centralized; federated
Source of data      | system logs; network traffic; system statistics
Type of reaction    | active; passive
Time of analysis    | real time; delayed
Legend: the figure marks the current classification of PRONTO (known patterns recognition, HIDS, centralized, system logs, passive, real time) and the possible uses of PRONTO.
In terms of data sources, for the purpose of the Thesis the PRONTO module is limited to analyzing only
system logs (registry modifications, operations on files, running processes, etc.). Extension of the source
of data to network traffic and system statistics will allow a wider range of information to be searched,
probably with a negative effect on efficacy and efficiency. To address this problem, ongoing research at the
Military Communication Institute is divided into three parallel tracks:
– malware analysis at the host level (PRONTO),
– detection of attacks in network traffic with utilization of machine learning [HJ97], [FCR09],
– analysis of system statistics with utilization of Tsallis entropy theory [Tsa88].
Reaction to detected malware is beyond the scope of this work; however, it is foreseen that the
Method would be passive in terms of reaction type, because it cannot be used to block the attack before
its appearance.
The last feature in Figure 3.2 defines the time of analysis. In this respect the PRONTO module must be
assigned to real time solutions, because every symptom of malware is analyzed at the time when it
appears.
4. Ontology
This chapter presents an introduction to the theoretical fundamentals of ontology, inference and the use
of rules. It defines what an ontology is, presents different types of modeling languages with emphasis on
their expressiveness, and introduces the idea of using rules. The chapter is summarized with an overview
of ontology application in knowledge and software engineering.
4.1. Ontology definition
The term ontology derives from philosophy where, since ancient times, it has been used to formally describe the surrounding world in terms of entities, their characteristics, hierarchy and relationships. In fact, ontology is still important for philosophers who deal with formal logic, trying
to understand the basic rules of the world. However, the real value of ontologies is reflected in their application
to knowledge representation and software engineering.
Ontology application has existed in computer science since the 1970s, when researchers in the field of artificial intelligence understood the power of expert systems and their potential in real-world applications.
However, formal definitions of ontology appeared no earlier than in the 1990s [Gru93], [Gru95].
According to [AvH03] an ontology is an explicit and formal specification of a conceptualization.
In general, an ontology describes some domain of knowledge formally, defining basic concepts, their
properties and the relationships among them. With this approach an ontology, by defining a common
vocabulary, provides a shared understanding of the meaning of terms both among people as
well as among software agents. It allows hierarchies of ontologies to be defined and existing knowledge to be re-used, supporting interoperability and avoiding re-inventing the wheel. Ontologies describe artifacts with
different levels of detail. They can be simple taxonomies (such as the Yahoo hierarchy), metadata schemes
(such as the Dublin Core), as well as logical theories. Lately, with the invention and rapid expansion of
web-based tools and interoperable, platform-independent markup languages, ontologies are very frequently used for the development of the Semantic Web [Hef04], where a significant degree of structure
is necessary.
In order to achieve this structural complexity, ontologies are usually expressed in a logic-based language, so that detailed, accurate, consistent, sound, and meaningful distinctions can be made among
the classes, properties, and relations [Hef04]. This, in turn, allows automated reasoning to be performed, supporting the development of intelligent applications that can work at the human conceptual level (e.g. software agents, decision support, understanding of speech and natural language, knowledge management,
automated choices).
However, the application of ontologies can be more down-to-earth. The common understanding of terms and relations that they give strongly supports semantic interoperability, a goal of all current system engineers.
Systems working in the global network and sharing information from various communities usually rely on
exchanging data between parties who have agreed on the definitions beforehand. This approach, however,
makes it necessary to update interface implementations every time the XML Schema changes.
Typically, an ontology consists of a finite list of terms and the relationships between them. Its aim is to
provide a semantic description of objects and, in the end, to allow facts to be defined and a knowledge
base (abbr. KB) to be developed. A KB is composed of two important types of statements:
– TBox, so called Terminological statements, describing a conceptualization: a set of concepts and
properties of these concepts, expressed with a controlled vocabulary,
– ABox, so called Assertional statements: facts associated with the terminological vocabulary within
a knowledge base.
Making a reference to object-oriented programming, TBox statements are sometimes associated
with object-oriented classes and ABox statements with instances of those classes. Together, they form
a knowledge base.
One of the most important traits of ontology application in software engineering is the possibility to
infer knowledge on the basis of the facts in the KB. Reasoners, dedicated software programs, can, on the basis
of facts, relations among those facts, axioms and assertions, infer new facts. For example, if all Professors
are faculty members (subclass relationship):
Prof(x) -> faculty(x)
and faculty members are Staff members (subclass relationship)
faculty(x) -> Staff(x)
and Marcin Szpyrka is a Professor (individual of the Prof class – ABox entry)
Prof(Marcin Szpyrka)
then:
Prof(x) -> Staff(x) – all Professors are also Staff members (inferred subclass relationship),
faculty(Marcin Szpyrka) – Marcin Szpyrka is also a faculty member (inferred knowledge),
Staff(Marcin Szpyrka) – and a Staff member (inferred knowledge).
This very simple example shows that, on the basis of existing knowledge, an ontology enables new facts to be deduced. The expressiveness of semantic models is shown on the basis of examples in
Section 4.2, which presents particular semantic languages.
4.2. Semantic models
Knowledge representation with the use of ontologies can have different expressiveness, which
strongly influences the possibility of querying, inferencing and reasoning. For the purpose of knowledge engineering and automatic reasoning, specialized markup languages used for semantic modeling
are defined. These are:
– RDF – The Resource Description Framework [LS99],
– RDFS – The RDF Schema language [BGM04], and
– OWL – Web Ontology Language [PSH04].
RDF statements are called triples and appear in the form of subject – predicate – object expressions.
The subject denotes the resource, and the predicate denotes traits or aspects of the resource and expresses
the relationship between the subject and the object.
For example, the statement "Bartosz Jasiul is the author of this Thesis." in RDF
is represented by the triple:
– a subject denoting Bartosz Jasiul,
– a predicate denoting author, and
– an object denoting this Thesis.
RDF is an abstract model with several serialization formats: the most common, RDF/XML (eXtensible
Markup Language); Notation 3 (or N3), introduced by the W3C as a non-XML serialization
of RDF models designed to be easier to write by hand and in some cases easier to follow; and a JSON
serialization (at that time a proposal). With the use of RDF in XML the above sentence can be written as follows:
<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF %deleted namespaces%
<ns:person rdf:about="http://www.wil.waw.pl/phd#BartoszJasiul">
<ns:firstName>Bartosz</ns:firstName>
<ns:lastName>Jasiul</ns:lastName>
<ns:author rdf:resource="http://www.wil.waw.pl/phd#thisThesis"/>
</ns:person>
</rdf:RDF>
RDF defines the following vocabulary in terms of classes:
– rdf:XMLLiteral – the class of XML literal values,
– rdf:Property – the class of properties,
– rdf:Statement – the class of RDF statements,
– rdf:Alt, rdf:Bag, rdf:Seq – containers of alternatives, unordered containers, and ordered
containers (rdfs:Container is a super-class of the three),
– rdf:List – the class of RDF Lists,
– rdf:nil – an instance of rdf:List representing the empty list.
RDF also defines the following vocabulary in terms of properties:
– rdf:type – an instance of rdf:Property used to state that a resource is an instance of a class,
– rdf:first – the first item in the subject RDF list,
– rdf:rest – the rest of the subject RDF list after rdf:first,
– rdf:value – idiomatic property used for structured values,
– rdf:subject – the subject of the subject RDF statement,
– rdf:predicate – the predicate of the subject RDF statement,
– rdf:object – the object of the subject RDF statement.
RDFS enhances RDF with additional vocabulary, i.e. classes, associated properties and utility properties, built on the limited vocabulary of RDF. In terms of classes RDFS defines the following vocabulary:
– rdfs:Resource – the top of the class hierarchy. All things described by RDF are resources.
– rdfs:Class – defines a particular group of resources.
– rdfs:Literal – literal values such as strings and integers.
– rdfs:Datatype – the class of datatypes.
– rdf:XMLLiteral – the class of XML literal values.
In terms of Properties, which are instances of the class rdf:Property and describe a relation between subject resources and object resources:
– rdfs:domain of an rdf:predicate – the class of the subject in a triple whose second component is the predicate.
– rdfs:range of an rdf:predicate – the class or datatype of the object in a triple whose second
component is the predicate.
– rdfs:subClassOf – allows to declare hierarchies of classes.
– rdfs:subPropertyOf – an instance of rdf:Property that is used to state that all resources
related by one property are also related by another.
– rdfs:label – an instance of rdf:Property that can be used to provide a human-readable
version of a resource’s name.
– rdfs:comment – an instance of rdf:Property that can be used to provide a human-readable
description of a resource.
– rdfs:seeAlso – an instance of rdf:Property that is used to indicate a resource that might
provide additional information about the subject resource.
– rdfs:isDefinedBy – an instance of rdf:Property that is used to indicate a resource defining
the subject resource. This property may be used to indicate an RDF vocabulary in which a resource
is described.
RDF/RDFS allow facts to be described in the form of triples. They allow simple semantics
to be associated with identifiers. They enable classes, their hierarchy, properties (with hierarchy) and simple restrictions on the domain and range of properties to be defined. In this sense, RDF Schema is a simple
ontology language. RDF/RDFS do not allow, however, transitive, unique (functional) or inverse properties to be defined,
classes to be defined as unions or complements of other classes (e.g. Person ⊑ Woman ⊔ Man), cardinality restrictions, or disjointness of classes. That is why, for ontology representation and modeling, a more expressive
language is necessary. These requirements are met by OWL, defined as an extension of RDF/RDFS.
OWL sits on top of the XML/XML Schema/RDF/RDFS stack and adds more vocabulary for describing properties and classes: among others, relations between classes (e.g. disjointness), cardinality
(e.g. "exactly one"), equality, richer typing of properties, characteristics of properties (e.g. symmetry),
and enumerated classes [MvH04]. In general, OWL is based on the experience gained by the authors of the
DAML+OIL web ontology language.
In terms of expressiveness OWL is divided into three main types [MvH04]:
– OWL Lite – the simplest classification hierarchy and the lowest formal complexity. It supports
cardinality constraints, although it permits only cardinality values of 0 or 1.
– OWL DL – based on the description logics paradigm. It includes all OWL language constructs, but they
can be used only under certain restrictions. For instance, in OWL DL a class may be a subclass
of many classes, but cannot be an instance of another class. This set of vocabulary provides maximum expressiveness while keeping computational completeness, which means that all conclusions are
guaranteed to be computable, and decidability, which means that all computations will finish in
finite time.
– OWL Full – which has the richest vocabulary but guarantees neither computational completeness nor decidability.
For this reason no reasoner can support complete reasoning for every feature of OWL Full.
All OWL types are sublanguages in the following meaning:
– Every legal OWL Lite ontology is a legal OWL DL ontology:
(OWL Lite ⊂ OWL DL).
– Every valid OWL Lite conclusion is a valid OWL DL conclusion:
(OWL Lite conclusion ⊂ OWL DL conclusion).
– Every legal OWL DL ontology is a legal OWL Full ontology:
(OWL DL ⊂ OWL Full ).
– Every valid OWL DL conclusion is a valid OWL Full conclusion:
(OWL DL conclusion ⊂ OWL Full conclusion).
In terms of the requirements adopted in this Thesis, ontology is to be used for the purpose of decision
support. This is a kind of expert system that, on the basis of the knowledge base, can decide which
events should be treated as suspicious. For this purpose it is proposed to use description logic (DL),
which enables knowledge to be represented formally. Typical reasoning tasks for OWL DL are decidable.
Due to that, it is used in artificial intelligence for formal reasoning and greatly supports the application of
ontologies in computer engineering (e.g. for medical knowledge) and the Semantic Web [BHS05].
With OWL one can define classes and properties of those classes. Every class is a descendant of
owl:Thing. Classes are defined using owl:Class construct, e.g.
<owl:Class rdf:ID="MilitaryRanks"/>
We can define two classes as equivalent with owl:equivalentClass
<owl:Class rdf:ID="Major">
<owl:equivalentClass rdf:resource="#OF3"/>
</owl:Class>
Subsumption relationship among classes is expressed with rdfs:subClassOf.
<owl:Class rdf:ID="Major">
<rdfs:subClassOf rdf:resource="#Officer"/>
</owl:Class>
We can also define disjointness of classes (owl:disjointWith) and enumerated collections of individuals (owl:oneOf).
<owl:Class rdf:about="#Major">
<owl:disjointWith rdf:resource="#LieutenantColonel"/>
</owl:Class>
Attributes of objects are called properties. These are:
– datatype properties – attributes that specify class features by means of data (XSD datatype),
– object properties – attributes that define relationship between classes (Relations).
Table 4.1: OWL axioms
Axiom                     | DL Syntax     | Example
subClassOf                | C1 ⊑ C2       | Human ⊑ Being ⊓ Biped
equivalentClass           | C1 ≡ C2       | Man ≡ Human ⊓ Male
disjointWith              | C1 ⊑ ¬C2      | Male ⊑ ¬Female
sameIndividualAs          | {x1} ≡ {x2}   | {Marcin Szpyrka} ≡ {Prof. Szpyrka}
differentFrom             | {x1} ⊑ ¬{x2}  | {Marcin Szpyrka} ⊑ ¬{Bartosz Jasiul}
subPropertyOf             | P1 ⊑ P2       | hasPhDStudent ⊑ hasStudent
equivalentProperty        | P1 ≡ P2       | Maj. ≡ OF3
inverseOf                 | P1 ≡ P2⁻      | hasPhDStudent ≡ hasSupervisor⁻
transitiveProperty        | P⁺ ⊑ P        | supervisor⁺ ⊑ supervisor
functionalProperty        | ⊤ ⊑ ≤1 P      | ⊤ ⊑ ≤1 hasSupervisor
inverseFunctionalProperty | ⊤ ⊑ ≤1 P⁻     | ⊤ ⊑ ≤1 hasPhDStudent⁻
Each property has its domain, which defines the originating class, and its range, which defines the target class.
For datatype properties the range is an XSD datatype. For object properties both domain and range are classes. It
can be the same class (e.g. hasSupervisor(x,y) where x and y are persons).
OWL enables both class hierarchies and relationships to be expressed. Therefore object properties can also be arranged in a subsumption hierarchy. Moreover, object properties can be declared transitive, symmetric or functional (owl:TransitiveProperty, owl:SymmetricProperty, owl:FunctionalProperty).
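The following Python program is an added example (written for this edition, not the Thesis's code, and deliberately using no RDF library) that serves three passages at once: the Prof/faculty/Staff inference of Section 4.1, the RDFS vocabulary (rdfs:subClassOf, rdfs:subPropertyOf, rdfs:domain, rdfs:range) described earlier in this section, and the OWL axioms of Table 4.1 (owl:inverseOf, owl:TransitiveProperty, owl:disjointWith). It forward-chains a small set of entailment rules over plain triples until no new fact appears, reports individuals that end up in two disjoint classes, and answers membership questions with "unknown" rather than "no" when the knowledge base does not entail an answer, as a description logic reasoner does under the open-world assumption. The sample knowledge base is constructed; "reportsTo" and "Dean" are names assumed for the transitivity case.

```python
# Added example: minimal forward-chaining reasoner over RDF-style triples,
# covering a few RDFS rules and the OWL axioms used on this page.
from typing import Set, Tuple

Triple = Tuple[str, str, str]

TYPE, SUBCLASS, SUBPROP = "rdf:type", "rdfs:subClassOf", "rdfs:subPropertyOf"
DOMAIN, RANGE = "rdfs:domain", "rdfs:range"
INVERSE, TRANSITIVE, DISJOINT = "owl:inverseOf", "owl:TransitiveProperty", "owl:disjointWith"


def infer(triples: Set[Triple]) -> Set[Triple]:
    """Apply the rules until a fixpoint; returns the deductive closure."""
    kb = set(triples)
    while True:
        new: Set[Triple] = set()
        for (s, p, o) in kb:
            for (s2, p2, o2) in kb:
                if p == SUBCLASS and p2 == SUBCLASS and s2 == o:
                    new.add((s, SUBCLASS, o2))          # rdfs11: subClassOf is transitive
                if p == SUBCLASS and p2 == TYPE and o2 == s:
                    new.add((s2, TYPE, o))              # rdfs9: instances inherit superclasses
                if p == SUBPROP and p2 == s:
                    new.add((s2, o, o2))                # rdfs7: subPropertyOf
                if p == DOMAIN and p2 == s:
                    new.add((s2, TYPE, o))              # rdfs2: domain types the subject
                if p == RANGE and p2 == s:
                    new.add((o2, TYPE, o))              # rdfs3: range types the object
                if p == INVERSE and p2 == s:
                    new.add((o2, o, s2))                # owl:inverseOf, P1 -> P2
                if p == INVERSE and p2 == o:
                    new.add((o2, s, s2))                # owl:inverseOf, P2 -> P1
                if p == DISJOINT and p2 == SUBCLASS and o2 == s:
                    new.add((s2, DISJOINT, o))          # subclasses inherit disjointness
                if p == TYPE and o == TRANSITIVE and p2 == s:
                    for (s3, p3, o3) in kb:             # owl:TransitiveProperty
                        if p3 == s and s3 == o2:
                            new.add((s2, s, o3))
            if p == DISJOINT:
                new.add((o, DISJOINT, s))               # disjointness is symmetric
        new -= kb
        if not new:
            return kb
        kb |= new


def inconsistencies(kb: Set[Triple]) -> Set[Tuple[str, str, str]]:
    """Individuals typed into two classes that the TBox declares disjoint."""
    found = set()
    for (a, p, b) in kb:
        if p == DISJOINT and a < b:                     # each pair once
            for (x, p2, c) in kb:
                if p2 == TYPE and c == a and (x, TYPE, b) in kb:
                    found.add((x, a, b))
    return found


def ask_type(kb: Set[Triple], x: str, c: str) -> str:
    """Open-world answer: 'yes' if entailed, 'no' only when a disjointness
    axiom excludes it, otherwise 'unknown' (absence is not negation)."""
    if (x, TYPE, c) in kb:
        return "yes"
    for (s, p, o) in kb:
        if s == x and p == TYPE and (o, DISJOINT, c) in kb:
            return "no"
    return "unknown"


# Constructed knowledge base: TBox axioms taken from Section 4.1 and Table 4.1,
# plus a few ABox facts. "reportsTo" and "Dean" are assumed for the example.
KB: Set[Triple] = {
    ("Prof", SUBCLASS, "faculty"), ("faculty", SUBCLASS, "Staff"),
    ("Major", SUBCLASS, "Officer"), ("LieutenantColonel", SUBCLASS, "Officer"),
    ("Major", DISJOINT, "LieutenantColonel"),
    ("hasPhDStudent", INVERSE, "hasSupervisor"),
    ("hasPhDStudent", SUBPROP, "hasStudent"),
    ("hasSupervisor", DOMAIN, "Person"), ("hasSupervisor", RANGE, "Person"),
    ("reportsTo", TYPE, TRANSITIVE),
    ("Marcin_Szpyrka", TYPE, "Prof"),
    ("Bartosz_Jasiul", TYPE, "Major"),
    ("Bartosz_Jasiul", "hasSupervisor", "Marcin_Szpyrka"),
    ("Bartosz_Jasiul", "reportsTo", "Marcin_Szpyrka"),
    ("Marcin_Szpyrka", "reportsTo", "Dean"),
}


def closure() -> Set[Triple]:
    return infer(KB)


if __name__ == "__main__":
    kb = closure()
    for t in sorted(kb - KB):
        print("inferred:", t)
    print("Bartosz a LieutenantColonel?", ask_type(kb, "Bartosz_Jasiul", "LieutenantColonel"))
    print("Bartosz a Prof?", ask_type(kb, "Bartosz_Jasiul", "Prof"))
    print("inconsistencies:", inconsistencies(kb))
```

The closure contains Prof ⊑ Staff and Staff(Marcin Szpyrka) from the subclass chain, hasPhDStudent(Marcin Szpyrka, Bartosz Jasiul) from the inverse axiom and, through subPropertyOf, hasStudent as well, Person for both individuals from domain and range, and reportsTo(Bartosz Jasiul, Dean) from transitivity. Asking whether Bartosz Jasiul is a Lieutenant Colonel yields "no" only because Major and LieutenantColonel are declared disjoint; asking whether he is a Prof yields "unknown", not "no". The naive pairwise loops are fine for a few dozen triples; a real reasoner indexes by predicate.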
OWL allows instances of classes to be defined as individuals. The vocabulary of OWL DL is shown in
Tables 4.1 and 4.2. In particular, the axioms of OWL DL are presented in Table 4.1 and the class constructors in
Table 4.2.
Table 4.2: OWL class constructors

Constructor       DL syntax               Example                         Modal syntax
intersectionOf    C1 ⊓ ... ⊓ Cn           Human ⊓ Male                    C1 ∧ ... ∧ Cn
unionOf           C1 ⊔ ... ⊔ Cn           Major ⊔ Professor               C1 ∨ ... ∨ Cn
complementOf      ¬C                      ¬Major                          ¬C
oneOf             {x1} ⊔ ... ⊔ {xn}       {Marcin} ⊔ ... ⊔ {Bartosz}      x1 ∨ ... ∨ xn
allValuesFrom     ∀P.C                    ∀hasPhDStudent.Professor        [P]C
someValuesFrom    ∃P.C                    ∃hasSupervisor.Major            ⟨P⟩C
maxCardinality    ≤ n P                   ≤ 1 hasSupervisor               [P]_{n+1}
minCardinality    ≥ n P                   ≥ 3 hasPhDStudent               ⟨P⟩_n
In its simplest form the description logic underlying OWL DL is ALC (Attribute Language with Complement), which provides the concept constructors and the relationships between concepts listed in Table 4.3. These constructors are used to build TBox entries, i.e. terminological axioms.
An example of this expressiveness is shown in Table 4.4, which presents a consistent set of ALC axioms, in contrast to the example in Table 4.5. Once the disjointness of classes is stated, one can also reason about the types of individuals (see Table 4.5). The full expressiveness of OWL DL corresponds to the description logic SHOIN, whose vocabulary for concepts, individuals and roles is presented in Table 4.6. In addition to the ALC constructors, SHOIN provides number restrictions, nominals (which make it possible to close a class by enumerating its members) and, in the variant SHOIN(D), concrete domains, i.e. datatype values as the fillers of a role.
Table 4.3: ALC: Building concepts and stating relationships between concepts [HHK+ 06]

Constructor    Description
C ⊓ D          individuals in C and D
C ⊔ D          individuals in C or D
¬C             individuals not in C
∃R.C           individuals with some relation R to C
∀R.C           individuals with all relations R to C
C ⊑ D          all individuals of C are also in D
C ≡ D          the individuals of C and D are the same
An example of logical reasoning based on DL can be seen in Table 4.4. DL reasoning is based on the Open World Assumption (abbr. OWA), under which a statement is not taken to be false merely because it cannot be derived from the knowledge base: everything we do not know is unknown, not false. This is the opposite of the Closed World Assumption, under which everything we do not know is taken to be false. Under OWA the knowledge base in Table 4.5 remains consistent until the disjointness axiom is entered, so the modeling mistake shown there passes unnoticed by the reasoner.
Table 4.4: Exemplary terminological axioms – TBox entries

Axiom                                        Description
Conference ⊑ Event                           Every conference is an event.
Conference ⊑ ∀participant.Person             Each participant of a conference is a person.
Person ⊑ Female ⊔ Male                       Persons are female or male.
cisim2013 : Conference                       CISIM2013 is a conference.
(cisim2013, bartoszjasiul) : participant     Bartosz Jasiul participates in CISIM2013.
bartoszjasiul : Person                       Bartosz Jasiul is a person.
Table 4.5: Missing disjointness – TBox entries

Axiom                                        Description
Conference ⊑ Event                           Every conference is an event.
Conference ⊑ ∀participant.Person             Each participant of a conference is a person.
(cisim2013, bartoszjasiul) : participant     Interesting – CISIM2013 participates in Bartosz Jasiul. It is not a contradiction in case CISIM2013 is a person.
cisim2013 : Person                           Curiously – CISIM2013 is a person.
What is missing?
Person ⊑ ¬Event                              A person is not an event.
cisim2013 : Conference                       CISIM2013 is a conference.
Table 4.6: OWL DL: SHOIN and particular domains (based on [HHK+ 06])

Concepts
  ALC   Boolean operators: ⊓, ⊔, ¬, ∀R, ∃R
  N     Number restrictions              ≥ 3 has_phdstudent; ≤ 1 has_supervisor
  Q     Qualified number restrictions    ≥ 3 has_phdstudent.Professor
  O     Nominals                         {marcin, bartosz, ula, adam}
Individuals
  ≈     Same                             bartosz ≈ b_jasiul
  ≉     Different                        bartosz ≉ marcin
Roles
  H     Subrole hierarchy                has_professor ⊑ has_supervisor
  I     Inverse roles                    has_supervisor⁻ ⊑ has_phdstudent
  S     (ALC +) role transitivity        Trans(has_supervisor)
4.3. Rules
OWL expressiveness is limited, however. Given the DL roles parent, brother and uncle, one cannot express their exact relationship in OWL, i.e. that someone's uncle is the brother of their parent.
TBox statements define properties of entities, but they cannot express conditional statements such as: if a student studies Maths, then he is a Maths student. For this purpose it is recommended to use rules and rule engines, which add new facts to the knowledge base on the basis of the existing axioms.
Rules take the form of an implication between an antecedent (body) and a consequent (head). Their meaning can be read as: whenever the conditions specified in the antecedent hold, the conditions specified in the consequent must also hold. In a relatively informal, human-readable format:
antecedent(body) -> consequent(head).
Both the antecedent (body) and the consequent (head) may consist of zero or more atoms. An empty antecedent is treated as trivially true (i.e. satisfied by every interpretation), so the consequent must also be satisfied by every interpretation. An empty consequent is treated as trivially false (i.e. satisfied by no interpretation), so the antecedent must not be satisfied by any interpretation either.
When both the antecedent and the consequent are conjunctions of atoms, the rule takes the form a1 ∧ ... ∧ an → b1 ∧ ... ∧ bm. Variables are indicated using the standard convention of prefixing them with a question mark (e.g. ?x). Using this syntax, a rule asserting that if a parent (x2) has a child (x1) and a brother (x3), then the brother is an uncle of the child, can be written as:
hasParent(?x1,?x2) ^ hasBrother(?x2,?x3) -> hasUncle(?x1,?x3).
Rules can be defined in a few formal languages, e.g. the Jess rule language [Jes], JessML [SWR], RuleML (Rule Markup Language) [BAP+ 12] and SWRL (Semantic Web Rule Language) [HPSB+ 04a]. Because rules are easy to define and process in SWRL, this language has been selected for use in the Thesis. It uses the human-readable syntax presented above together with an abstract syntax and an XML syntax. It is supported by existing software components and can be used in real-life scenarios. In the abstract syntax the rule above reads:
Implies(Antecedent(hasParent(I-variable(x1) I-variable(x2))
hasBrother(I-variable(x2) I-variable(x3)))
Consequent(hasUncle(I-variable(x1) I-variable(x3)))).
SWRL uses the ontology vocabulary (classes and properties), but it also extends it with so called built-ins: predicates that take one or more arguments and evaluate to true if the arguments satisfy the predicate. For example, an equal built-in accepts two arguments and returns true if the arguments are the same. A number of core built-ins for common mathematical and string operations are defined in the SWRL built-in submission [HPSB+ 04b], e.g.:
– swrlb:equal,
– swrlb:notEqual,
– swrlb:lessThan,
– swrlb:lessThanOrEqual,
– swrlb:greaterThan,
– swrlb:greaterThanOrEqual.
OWL DL combined with SWRL allows efficient models with very rich expressiveness to be defined; however, in order to stay decidable, restrictions must be placed on SWRL rules. These are the so called DL-safe rules, i.e. SWRL rules whose variables are restricted to bind only to known (named) individuals [HHK+ 06]. With the use of rule engines, new (inferred) knowledge is put into the working memory that stores all facts and axioms. In order to retrieve it from the KB a dedicated language is needed: the Semantic Query-enhanced Web Rule Language (SQWRL), built on the SWRL rule language [HPSB+ 04a].
The syntax of SQWRL is similar to that of SWRL. A query takes a standard SWRL antecedent and treats it as a pattern to be matched against the knowledge base. SQWRL supports basic querying and sorting of the results, but also aggregate functions (e.g. counting individuals with sqwrl:count(?p) or calculating an average with sqwrl:avg(?age)). The SWRL comparison built-ins (e.g. swrlb:lessThan, swrlb:greaterThan) can be used in the query pattern to filter the results. The following examples show some of the possibilities of SQWRL:
Person(?p) ^ hasAge(?p,?a) ^ swrlb:lessThan(?a,18) -> sqwrl:select(?p,?a)
Person(?p) -> sqwrl:count(?p)
(hasChild>=1)(?i) -> sqwrl:select(?i).
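The reasoning of Tables 4.4 and 4.5, the uncle rule of Section 4.3 and a sqwrl:select-style query can be reproduced with a small forward-chaining engine. The following Python program is an added example, not the thesis's code and not an OWL reasoner: it supports only the axiom shapes used in those tables (C ⊑ D, C ⊑ ∀R.D, C ⊑ ¬D), Horn rules whose variables bind only to named individuals (the DL-safe restriction), and a consistency check against the declared disjointness axioms. Class and role names follow the tables; the family individuals are constructed for the example (ula, adam and bartosz appear as nominals in Table 4.6, stefan is hypothetical).

```python
# Added example (not the thesis's code): a minimal forward-chaining reasoner for
# the axiom shapes of Tables 4.4/4.5 (C ⊑ D, C ⊑ ∀R.D, C ⊑ ¬D), DL-safe Horn
# rules as in Section 4.3 and a sqwrl:select-like query. Atoms are tuples:
# ("C", "?x") is a class atom, ("R", "?x", "?y") a role atom; variables start
# with '?'. Individuals ula, adam, bartosz follow Table 4.6; stefan is made up.
from collections import defaultdict


class KnowledgeBase:
    def __init__(self):
        self.subclass = defaultdict(set)    # C -> {D}           C ⊑ D
        self.all_values = defaultdict(set)  # (C, R) -> {D}      C ⊑ ∀R.D
        self.disjoint = set()               # frozenset({C, D})  C ⊑ ¬D
        self.types = defaultdict(set)       # a -> {C}           a : C
        self.roles = defaultdict(set)       # R -> {(a, b)}      (a, b) : R
        self.rules = []                     # (body atoms, head atom)

    def match(self, atoms, binding=None):
        """Yield every binding satisfying all atoms. A variable can only be
        bound to an individual already present in the ABox (DL-safe rules)."""
        binding = dict(binding or {})
        if not atoms:
            yield binding
            return
        atom, rest = atoms[0], atoms[1:]
        slots = atom[1:]
        if len(atom) == 2:                  # class atom C(?x)
            candidates = [(a,) for a, cs in self.types.items() if atom[0] in cs]
        else:                               # role atom R(?x, ?y)
            candidates = list(self.roles[atom[0]])
        for tup in candidates:
            b = dict(binding)
            if all(b.setdefault(s, v) == v if s.startswith("?") else s == v
                   for s, v in zip(slots, tup)):
                yield from self.match(rest, b)

    def add_fact(self, atom, binding=None):
        """Ground `atom` under `binding` and store it; True if it was new."""
        b = binding or {}
        args = tuple(b.get(s, s) for s in atom[1:])
        if len(atom) == 2:
            store, fact = self.types[args[0]], atom[0]
        else:
            store, fact = self.roles[atom[0]], args
        if fact in store:
            return False
        store.add(fact)
        return True

    def saturate(self):
        """Forward chaining to a fixpoint over the TBox axioms and the rules."""
        changed = True
        while changed:
            changed = False
            for a in list(self.types):
                for c in list(self.types[a]):
                    for d in self.subclass[c]:               # a:C, C ⊑ D  =>  a:D
                        changed |= self.add_fact((d, a))
                    for (cc, r), ds in list(self.all_values.items()):
                        if cc != c:
                            continue
                        for s, o in list(self.roles[r]):     # a:C, C ⊑ ∀R.D, (a,o):R => o:D
                            if s == a:
                                for d in ds:
                                    changed |= self.add_fact((d, o))
            for body, head in self.rules:
                for b in list(self.match(body)):
                    changed |= self.add_fact(head, b)
        return self

    def violations(self):
        """Individuals that are instances of two classes declared disjoint."""
        return [(a, set(pair)) for a, cs in self.types.items()
                for pair in self.disjoint if pair <= cs]

    def select(self, pattern):
        """sqwrl:select analogue: all bindings of a SWRL-like antecedent."""
        return list(self.match(pattern))


def conference_kb(with_disjointness):
    """The ABox of Table 4.5, with or without the missing Person ⊑ ¬Event."""
    kb = KnowledgeBase()
    kb.subclass["Conference"].add("Event")
    kb.all_values[("Conference", "participant")].add("Person")
    if with_disjointness:
        kb.disjoint.add(frozenset({"Person", "Event"}))
    kb.types["cisim2013"].add("Conference")
    kb.roles["participant"].add(("cisim2013", "bartoszjasiul"))
    kb.types["cisim2013"].add("Person")     # the curious assertion of Table 4.5
    return kb.saturate()


def family_kb():
    """hasParent(?x1,?x2) ^ hasBrother(?x2,?x3) -> hasUncle(?x1,?x3)"""
    kb = KnowledgeBase()
    kb.roles["hasParent"] |= {("ula", "bartosz"), ("adam", "bartosz")}
    kb.roles["hasBrother"].add(("bartosz", "stefan"))     # constructed individual
    kb.rules.append(([("hasParent", "?x1", "?x2"), ("hasBrother", "?x2", "?x3")],
                     ("hasUncle", "?x1", "?x3")))
    return kb.saturate()


if __name__ == "__main__":
    print("without disjointness:", conference_kb(False).violations())
    print("with disjointness:   ", conference_kb(True).violations())
    print("uncles:", sorted(family_kb().roles["hasUncle"]))
    print("persons:", conference_kb(False).select([("Person", "?p")]))
```

Without the disjointness axiom the knowledge base containing both cisim2013 : Conference and cisim2013 : Person saturates with no violation, which is exactly the Open World behaviour of Table 4.5: the engine cannot know that a person is not an event until Person ⊑ ¬Event is stated, after which violations() reports cisim2013. The value restriction also derives bartoszjasiul : Person from the participant tuple, as the reasoning of Table 4.4 requires.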
4.4. Ontology applications
This Section presents ontology-enabled approaches found in related work in different domains. Ontologies have been utilised for many practical and scientific purposes [UG96], [HKST06], [FBD96], and only a limited selection of them is outlined here.
One possible use of ontologies is to provide a common understanding of one domain seen from different viewpoints. This can be illustrated by requirements engineering, which is important in every project focused on the development of a particular product and crucial in the military domain, where meeting rigorous requirements may decide on someone's life. The problem of perceiving a particular domain described from one perspective was discussed in technical [MKA04], [HKST06] and scientific documents [LFB96], [Gua98], [Gru93]. An ontology was proposed as a framework for information and knowledge sharing among the participants involved in delivering a product to the customer. The domain of user requirements may be perceived differently by the stakeholders taking part in designing, prototyping, developing, testing and advertising the expected product. Different understandings of the user domain may lead to ambiguous and incomplete specifications at each level of development [HS06]. An ontology was proposed both to describe requirements specification documents and to formally represent requirements knowledge in the form of a domain model specified with normative or formal languages [WDVP00].
Ontologies were also identified as useful for describing the functionality of various components for their reuse or migration between different domains. The adoption of ontologies was proposed, e.g., for software engineering repositories [CD00], [MMM98] in order to provide developers with semantic queries to search for components that already exist. In this way they can save time, avoid additional work and improve software quality, in contrast to repositories limited to keyword-based search engines, which suffer from low precision. Similarly, ontologies may be adapted to different workflow
management vendor systems [WfM99] in order to describe a product independently of any particular system. This allows product databases to be shared and integrated and the product lifecycle to be managed, and in this way semantic interoperability is achieved [Pra].
Ontologies and semantic reasoning were also recently used to solve the problem of supplying low-level commanders with information from sources located at higher command levels. The Adaptation Framework For Web Services Provision (AFRO) [SJ12] defines a mechanism for effective Web service invocation in tactical networks, which are considered disadvantaged in terms of available throughput, delay and error rate. Its implementation, the AFRO Proxy with its ontology, performs so called adaptation actions: modifications of the SOAP XML messages that change their encoding to a more efficient one or drop information that the service requester has agreed may be removed. The proposed ontology, supported with rules, allows the context of the service call to be evaluated in order to determine which adaptations are the most appropriate. This mechanism, based on ontology reasoning, gives promising effects for low-level commanders on the battlefield. They can be supplied with information generally available at high command levels which, up to now, was very rarely distributed to tactical networks. Additionally, the above mentioned Web services can be securely accessed at low command levels [JSG+ 10], [JSP+ 10], [JOS+ 10].
Ontologies were also successfully applied to knowledge representation, encoding and interpretation in the form of a rule-based system and design framework. The HeKatE methodology [NKF09], [NL10] was proposed for the composition and development of complex rule-based systems. Representation of knowledge and rules as eXtended Tabular Trees (XTT) [LN07], [NL08] ensured high density and transparency of knowledge. XTTs are built from sets of similar rules, as opposed to flat rule-based systems in which every single rule is treated separately. These sets of rules form decision tables that allow knowledge to be inferred. The forward-chaining decision rules of HeKatE made it possible to model, inter alia, control systems and business rules.
Ontologies were also used in the military planning system developed by the US Defense Advanced Research Projects Agency. For that purpose the Knowledge Representation Specification Language [Leh93] was developed. It was designed to provide a sharable ontology of plans and planning information. As a result, a tool for the specification of shared domain information was proposed. The main aim of the plan ontology was to deliver a shared vocabulary of concepts, definitions of concepts, relations and conditions typical for planning activities. This ontology was used to create plans that might be shared or created by users from different and disparate domains.
Ontologies were also applied to the construction of a repository of video and music files. For this purpose the Digital Multimedia Repository Ontology [ŁP12] was proposed. It met the required flexibility and adaptability to different development scenarios, with a focus on reusing existing knowledge resources. In particular, the ontology was used to design recommendation and personalisation solutions for digital multimedia repositories and data mining, as well as to test semantic data mining algorithms [LVH+ 11].
Recently, ontologies were used by researchers from the Military Communication Institute and AGH University of Science and Technology for reasoning over knowledge about road incidents and then to support decision processes [SGC+ 11], [GŚD+ 12]. In this case the ontology was applied in the development of Event Notification Services for a traffic monitoring system. Event Notification Services were used to automate the process of informing safety services about accidents and threats on the monitored roads. The knowledge inferred by the reasoning module on the basis of TBox and ABox ontology statements, extended with SWRL rules, allowed collisions and dangers related to road traffic to be identified automatically. The advantage of this solution is the categorisation of incidents and the automatic generation of notifications to the public safety services that are needed to bring help (e.g. police, fire brigade, ambulance). Such situations can be car accidents, traffic jams, injuries of pedestrians, etc.
As can be seen, ontologies have a wide range of applications. One of them, cyber defence, is the subject of this Thesis.
5. Colored Petri nets
The aim of this chapter is to provide an introduction to Colored Petri nets (CP-nets). The description is limited to the short definitions, ideas and uses of CP-nets that are necessary to understand the solution considered in this Thesis. Then, on the basis of exemplary models, the definitions are shown in practice. A list of various applications of CP-nets summarises this chapter.
5.1. Formal definition of non-hierarchical CP-nets
Colored Petri nets are a discrete-event modeling language combining the capabilities of Petri nets [Pet65], [Mur89] with those of a high-level programming language [Jen97], [JK09], [Szp08b]. CP-nets use the graphical notation typical of Petri nets, but net elements are described using the CPN ML programming language, which is based on the functional programming language Standard ML [Ull98].
The formal definition of a non-hierarchical CP-net is given in Definition 5.1 [JK09].
Definition 5.1. A non-hierarchical CP-net is a nine-tuple CPN = (P, T, A, Σ, V, C, G, E, I), where:
1) P is a finite set of places.
2) T is a finite set of transitions such that P ∩ T = ∅.
3) A ⊆ (P × T) ∪ (T × P) is a set of directed arcs.
4) Σ is a finite set of non-empty color sets.
5) V is a finite set of typed variables such that Type[v] ∈ Σ for all variables v ∈ V.
6) C : P → Σ is a color set function that assigns a color set to each place.
7) G : T → Expr_V is a guard function that assigns a guard to each transition t such that Type[G(t)] = Bool.
8) E : A → Expr_V is an arc expression function that assigns an arc expression to each arc a such that Type[E(a)] = C(p)_MS, where p is the place connected to the arc a.
9) I : P → Expr_∅ is an initialization function that assigns an initialization expression to each place p such that Type[I(p)] = C(p)_MS.
The initial marking is obtained by evaluating the initialization expressions. A marking of a CP-net is a function M defined on the set of places P such that ∀p ∈ P : M(p) ∈ C(p)_MS.
A simulation (execution) of a CP-net is described by means of an occurrence sequence, which specifies the markings that are reached and the transitions that occur. To make it possible to evaluate arc expressions, it is necessary to assign (bind) values to the free variables occurring in the arc expressions of the arcs connected to the transition and in the transition guard. Let Var(t) denote the set of such variables.
Definition 5.2. A binding b of a transition t is a function that maps each variable v ∈ Var(t) into a value b(v) ∈ Type[v].
A binding element is a pair (t, b) such that t ∈ T and b ∈ B(t), where B(t) denotes the set of all bindings of t.
Let G(t)⟨b⟩ denote the result of evaluating the guard expression G(t) of a transition t in the binding b, and let E(a)⟨b⟩ denote the result of evaluating the arc expression E(a) of an arc a in the binding b.
Definition 5.3. A binding element (t, b) is enabled in a marking M if and only if:
1) G(t)⟨b⟩ evaluates to true,
2) for all (p, t) ∈ A, E(p, t)⟨b⟩ ≤ M(p).
In other words, a transition is enabled (ready to occur) if a binding can be constructed such that the guard evaluates to true and each input arc expression evaluates to a multiset of tokens that is present on the corresponding input place.
When (t, b) is enabled in M, it may occur and lead to the marking M' (denoted by $M \xrightarrow{(t,b)} M'$) defined by
$$\forall p \in P : M'(p) = M(p) - E(p,t)\langle b \rangle + E(t,p)\langle b \rangle, \qquad (5.1)$$
where E(a)⟨b⟩ evaluates to ∅ if a ∉ A.
All reachable markings and transition occurrences can be represented as a full occurrence graph (reachability graph). This graph has a node for each reachable marking and an arc for each occurring binding element.
5.2. Places
A CP-net is always created as a graph with two kinds of nodes called places and transitions. States of
a CP-net are represented by means of places, which are drawn as ellipses. Each place has an associated
type (color set) determining the kind of data the place may contain. The types are similar to types in
programming languages such as C or Pascal. In case of CP-nets types are defined using CPN ML syntax.
Listing 5.1: Examples of color sets
colset A = bool with (off, on);
colset B = int with 1 .. 10;
colset C = with a | b | c;
colset D = index id with 1 .. 5;
colset E = product A * B * C;
colset F = list C;
The following basic types (color sets) are available: Unit, Boolean, Integer, String, Enumeration, Index, and the compound types Product, Record, List and Union. Moreover, it is possible to define subsets and aliases. Examples of the above type definitions are given in Listing 5.1; let us now explain these types.
Type A is a Boolean type where off stands for false and on for true. Type B represents integer values greater than or equal to 1 and less than or equal to 10. Type C takes one of the values a, b or c. Color set D is the set of values id(i) comprising the identifier id and the index i, where 1 ≤ i ≤ 5. Color set E is a triple containing values of types A, B and C, e.g. (on, 3, a), (off, 10, c). Type F is a list of values of color set C, e.g. [a], [a, c], [c, c, b, b, a].
Each place can contain a finite number of values called tokens. The tokens present on a particular place are called the marking of the place. A place may contain more than one token with the same value, thus a marking is a multiset over the corresponding place type.
Let N = {1, 2, ...} and N+ = {0, 1, 2, ...} denote the set of natural and non-negative integer numbers respectively. A multiset A* over a non-empty set A is a function A* : A → N+ that maps each element x ∈ A into the number of appearances of the element x in the multiset A*. The non-negative integer A*(x) is the coefficient of x in A*.
Assume A = {a, b, c, d, e}; then the following examples of multisets may be considered: A1* = {a, a, c, c, c, d, e, e} and A2* = {a, b}. These multisets may also be denoted as A1* = 2‘a + 3‘c + d + 2‘e and A2* = a + b. Thus, any multiset may be written as the following sum:
$$A^* = \sum_{x \in A} A^*(x)\,\text{`}x \qquad (5.2)$$
An element x ∈ A is a member of a multiset A* if A*(x) > 0.
Let A1* and A2* be multisets over a set A and let n ∈ N+. Then:
$$A_1^* + A_2^* = \sum_{x \in A} \bigl(A_1^*(x) + A_2^*(x)\bigr)\,\text{`}x \qquad (5.3)$$
$$n \cdot A_1^* = \sum_{x \in A} \bigl(n \cdot A_1^*(x)\bigr)\,\text{`}x \qquad (5.4)$$
$$A_1^* = A_2^* \iff \forall x \in A : A_1^*(x) = A_2^*(x) \qquad (5.5)$$
$$A_1^* \le A_2^* \iff \forall x \in A : A_1^*(x) \le A_2^*(x) \qquad (5.6)$$
$$A_1^* - A_2^* = \sum_{x \in A} \bigl(A_1^*(x) - A_2^*(x)\bigr)\,\text{`}x, \quad \text{if } A_2^* \le A_1^* \qquad (5.7)$$
$$|A_1^*| = \sum_{x \in A} A_1^*(x) \qquad (5.8)$$
The set of all multisets over a set A is denoted by A_MS.
A marking of a net consists of markings of all places and can be treated as a state of the modeled
system. The initial marking is determined by initialization expressions of places.
In conclusion, if a non-hierarchical CP-net is considered, we have to provide three inscriptions for
each place:
– name,
– colorset,
– initial marking.
5.3. Transitions and arcs
Actions of a CP-net are represented by means of transitions, which are drawn as rectangles. Transitions and places are connected by arcs. The dynamic aspect of CP-nets is connected with the occurrences of transitions. An occurrence of a transition removes tokens from the input places of that transition and adds new tokens to its output places. The exact number of tokens removed and added by an occurrence of the transition, and their data values, are determined by the inscriptions of the transition and of its surrounding arcs.
The example net uses the following CPN ML declarations:
colset P = with p | q;
colset I = int with 1..20;
colset E = with e;
colset U = product P * I;
var x : P;
var i : I;
Figure 5.1: CP-net structure and inscriptions (figure; places p1, p2 and p3 of color set U, places p4 and p5 of color set E, with initial marking inscriptions 3'(q,0), 2'(p,0), 1'e and 3'e; transitions t1 with guard [x = q], t2 and t3; arc inscriptions (x,i), 1'e, 3'e, if x = q then 1'(q,i+1) else empty, if x = q then 1'e else empty, if x = p then 1'(p,i+1) else empty, and case x of p => 3'e | q => 1'e)
Let us consider the example of a CP-net presented in Figure 5.1. Different colors have been used to distinguish the net structure, the place inscriptions, and the transition and arc inscriptions.
The net structure is shown in black. Places and transitions are connected by arcs that always go from a place to a transition or vice versa. We use the formal definition given in [JK09], thus parallel arcs are not allowed. We use P, T and A ⊆ (P × T) ∪ (T × P) to denote the sets of places, transitions and arcs respectively.
Place inscriptions are shown in red. We use Σ to denote the set of non-empty color sets used in the given model. For a place, its color set and initial marking are represented as labels placed next to the corresponding ellipse. C(p) and I(p) denote the color set and the initialization expression of place p respectively.
Transition and arc inscriptions are shown in blue. It is assumed that a finite set V of variables of types from Σ is given. A variable is defined using the var keyword. For any variable v, Type[v] denotes the type of the variable.
Let Expr denote the set of expressions provided by the inscription language. The set of free variables in an expression e ∈ Expr is denoted by Var[e]. For a set of variables V' ⊆ V, the set of expressions e such that Var[e] ⊆ V' is denoted by Expr_V'.
Each transition t has an assigned guard expression G(t) such that Type[G(t)] = Bool and G(t) ∈ Expr_V. In the considered example only transition t1 has its guard defined explicitly (the expression [x=q]); in the other cases the default guard true is used. To enable a transition its guard must be satisfied.
Each arc a has an assigned arc expression E(a) ∈ Expr_V. It is required that Type[E(a)] is a multiset over the set C(p), where a = (t, p) or a = (p, t). Let us consider the arc expressions of selected arcs from Figure 5.1:
– (p1, t1) – (x,i) denotes any multiset X ∈ U_MS such that |X| = 1;
– (t3, p2) – if x = p then 1‘(p,i+1) else empty denotes a multiset X ∈ U_MS such that |X| = 1 when x = p and |X| = 0 otherwise;
– (p5, t2) – case x of p => 3‘e | q => 1‘e denotes a multiset X ∈ E_MS such that X = 3‘e when x = p and X = 1‘e when x = q.
Now, let us focus on the markings and binding elements of the exemplary CP-net in Figure 5.1. The initial marking M0 can be presented as follows: M0 = (3‘(q, 0), 2‘(p, 0), ∅, 1‘e, 3‘e). The binding elements (t1, b1) and (t2, b2), where b1(x) = q, b1(i) = 0, b2(x) = p and b2(i) = 0, are enabled in the initial marking. For example, after the occurrence of the binding element (t1, b1), the new marking M1 = (2‘(q, 0), 2‘(p, 0) + 1‘(q, 0), ∅, ∅, 3‘e) is obtained.
5.4. Hierarchical CP-nets
For effective modeling, CP-nets allow parts of a net to be distributed across multiple subnets called modules. The result of such an approach is a hierarchical CP-net. The formal definition of hierarchical CP-nets can be found in [Jen97], [JK09], [Szp08b]. This section contains only an informal description of such nets, illustrated with a simple counter example taken from [Szp08b].
Figure 5.2: Sorting module [Szp08b] (figure; places p1 to p7 of color set Element, p1 with initial marking 2`a++4`b++3`c; transition t1 with input arc inscription x and output arc inscriptions if (x=a) then 1`a else empty, if (x=b) then 1`b else empty and if (x=c) then 1`c else empty leading to p2, p3 and p4; substitution transitions t2, t3 and t4 with the substitution tag Counting, leading to p5, p6 and p7)
5.4. Hierarchical CP-nets
Let us consider the module shown in Figure 5.2. This is an example of a prime module, i.e. the top-level module of a hierarchical CP-net. The presented module is not a complete CP-net model because of the substitution transitions, shown as rectangular boxes with double-line borders. Each of them has a rectangular substitution tag located next to it that contains the name of the submodule related to the substitution transition. In this example all substitution transitions have the same module assigned, but this is not required in general. It should be emphasised that substitution transitions do not have arc expressions or guards.
The considered CP-net is used to sort the tokens placed initially in place p1. Transition t1 does the sorting: a, b and c tokens are moved to places p2, p3 and p4 respectively. In other words, each occurrence of a binding element (t1, b) removes one token from place p1 and adds a new token with the same value to one of the output places. Transitions t2, t3 and t4 are used to move the tokens to their output places and to count the number of tokens moved. A substitution transition can be treated as a procedure call, and the corresponding submodule as the procedure's implementation. The Counting module is presented in Figure 5.3.
Figure 5.3: Counting module [Szp08b] (figure; input port p8 and output port p9 of color set Element, connected through transition t5 by arcs inscribed x; internal place p10 of color set Counter with initial marking 1`0 and fusion tag CommonCounter, connected to t5 by arcs inscribed i and i+1)
Place p8 is an input port and p9 is an output port. Input and output ports constitute the interface through which a module exchanges tokens with its environment. It is also possible to use input/output ports. Port places are indicated by rectangular port tags located next to them; the tag represents the port mode. A module imports tokens via its input ports and exports tokens via its output ports. Moreover, a module may also contain internal places, which are relevant only to the module itself.
The input places of substitution transitions are called input sockets, and the output places are called output sockets. The socket places of a substitution transition constitute the interface of the substitution transition. To tie a module with its submodules, it must be specified how the interface of each submodule is related to the interface of its substitution transition. This is done by means of a port-socket relation, which relates the port places of the submodule to the socket places of the substitution transition. Input ports are related to input sockets, output ports to output sockets, etc. When a port and a socket are related, they constitute a single compound place. They share the same marking and of course need to have identical color sets, and their initial marking expressions must evaluate to the same multiset of tokens. If a port place does not have an initial marking expression, it obtains its initial marking from the related socket place.
The Counting module is used three times as a submodule. This means that there are three separate instances of the module, i.e. three instances of place p8, transition t5, etc. Each instance of the module has its own marking. The relationship between modules in a hierarchical model is represented as a directed graph called the model hierarchy.
Figure 5.4: Model hierarchy graph [Szp08b]
The model hierarchy for the considered example is shown in Figure 5.4. The names of the modules are written inside the nodes, while the arcs are labeled with the names of the substitution transitions. Nodes without incoming arcs represent prime modules. The module hierarchy is required to be acyclic. In the considered model there are only two levels of abstraction; in general, there can be an arbitrary number of abstraction levels.
Hierarchical CP-nets provide two mechanisms to combine modules: substitution transitions and fusion sets. Fusion sets allow places in different modules (or module instances) to be glued together into one compound place. They are similar to global variables in many programming languages. The places that are members of a fusion set are called fusion places. They share the same marking and must have identical color sets and initial markings. Fusion places are indicated with a fusion tag that contains the fusion set name.
In the considered example there is one fusion set, called CommonCounter, that contains all instances of the place p10. This means that transitions t2, t3 and t4 share the same counter. This can be seen in Figures 5.5 and 5.6, which present the considered model after the final marking has been reached.
Figure 5.5: Final marking after model simulation – Sorting module
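As an added example, not the thesis's code and not CPN Tools, the following Python program implements the multiset operations of Section 5.2 (Eqs. 5.2 to 5.8), the enabling and occurrence rule of Definitions 5.2 and 5.3 and Eq. (5.1), and runs the sorting model of Figures 5.2 and 5.3 until no binding element is enabled. The hierarchical model is flattened by hand: the ports p8/p9 of each Counting instance are identified with their sockets (p2 to p5, p3 to p6, p4 to p7) and the CommonCounter fusion set becomes the single shared place p10. Python lambdas stand in for CPN ML arc expressions, and bindings are found by enumerating assumed finite ranges for the variables (the `colours` argument); CPN Tools derives them from the input tokens instead.

```python
# Added example (not the thesis's or CPN Tools' code): multisets of Section 5.2,
# the enabling/occurrence rule of Definitions 5.2-5.3 and Eq. (5.1), and the
# sorting model of Figures 5.2-5.3 flattened into one non-hierarchical net
# (ports identified with sockets, fusion set CommonCounter = place p10).
from collections import Counter
from itertools import product


class MS(Counter):
    """Multiset A* over a colour set A: A*(x) is the coefficient of x (Eq. 5.2)."""
    def __add__(self, other):                                   # Eq. (5.3)
        return MS(Counter.__add__(self, other))
    def scale(self, n):                                         # Eq. (5.4)
        return MS({x: n * k for x, k in self.items() if n * k > 0})
    def __le__(self, other):                                    # Eq. (5.6)
        return all(other[x] >= k for x, k in self.items())
    def __sub__(self, other):                                   # Eq. (5.7)
        assert other <=  self, "A1* - A2* requires A2* <= A1*"
        return MS({x: k - other[x] for x, k in self.items() if k > other[x]})
    def size(self):                                             # Eq. (5.8)
        return sum(self.values())


class CPNet:
    """Non-hierarchical CP-net (Definition 5.1) together with its marking M."""
    def __init__(self, places, transitions, colours):
        self.marking = {p: MS(m) for p, m in places.items()}   # I(p) evaluated
        self.transitions = transitions  # t -> {vars, guard, inputs, outputs}
        self.colours = colours          # v -> Type[v], enumerated for bindings

    def bindings(self, t):
        """B(t): every assignment of the variables of t to values of their types."""
        names = self.transitions[t]["vars"]
        for values in product(*(self.colours[v] for v in names)):
            yield dict(zip(names, values))

    def enabled(self, t, b):
        """Definition 5.3: guard true and E(p,t)<b> <= M(p) for every input arc."""
        spec = self.transitions[t]
        return spec["guard"](b) and all(e(b) <= self.marking[p]
                                        for p, e in spec["inputs"].items())

    def occur(self, t, b):
        """Eq. (5.1): M'(p) = M(p) - E(p,t)<b> + E(t,p)<b>."""
        assert self.enabled(t, b), "binding element is not enabled"
        spec = self.transitions[t]
        for p, e in spec["inputs"].items():
            self.marking[p] = self.marking[p] - e(b)
        for p, e in spec["outputs"].items():
            self.marking[p] = self.marking[p] + e(b)

    def run(self, max_steps=1000):
        """Occurrence sequence until no binding element is enabled; returns its length."""
        for step in range(max_steps):
            enabled = [(t, b) for t in self.transitions
                       for b in self.bindings(t) if self.enabled(t, b)]
            if not enabled:
                return step
            self.occur(*enabled[0])
        raise RuntimeError("net did not reach a dead marking")


def one(v):
    return MS({v: 1})                                           # 1`v


def sorting_net():
    def sort_arc(value):            # if (x=value) then 1`value else empty
        return lambda b: one(value) if b["x"] == value else MS()
    def counting(src, dst):         # Counting module of Figure 5.3, flattened
        return {"vars": ["x", "i"], "guard": lambda b: True,
                "inputs": {src: lambda b: one(b["x"]), "p10": lambda b: one(b["i"])},
                "outputs": {dst: lambda b: one(b["x"]), "p10": lambda b: one(b["i"] + 1)}}
    places = {"p1": {"a": 2, "b": 4, "c": 3}, "p2": {}, "p3": {}, "p4": {},
              "p5": {}, "p6": {}, "p7": {}, "p10": {0: 1}}     # p10: CommonCounter
    transitions = {"t1": {"vars": ["x"], "guard": lambda b: True,
                          "inputs": {"p1": lambda b: one(b["x"])},
                          "outputs": {"p2": sort_arc("a"), "p3": sort_arc("b"),
                                      "p4": sort_arc("c")}},
                   "t2": counting("p2", "p5"), "t3": counting("p3", "p6"),
                   "t4": counting("p4", "p7")}
    # assumed finite ranges standing in for Type[x] = Element and Type[i] = Counter
    return CPNet(places, transitions, {"x": ["a", "b", "c"], "i": range(0, 20)})


if __name__ == "__main__":
    net = sorting_net()
    print("occurrences:", net.run())
    for p in ("p5", "p6", "p7", "p10"):
        print(p, dict(net.marking[p]))
```

Every token passes through t1 once and through one counting transition once, so the net reaches its dead marking after 18 occurrences with p5 = 2`a, p6 = 4`b, p7 = 3`c and the shared counter p10 = 1`9, which is what the fusion set makes visible in Figures 5.5 and 5.6. The `__sub__` assertion enforces the side condition of Eq. (5.7): the occurrence rule only ever subtracts a multiset that the enabling check has already shown to be present.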
Pictures and screen-shots presented in this chapter were prepared with the use of CPN Tools [WK09], [JKW07], [RWL+ 03], available at http://cpntools.org. CPN Tools was originally developed for editing, simulating and analyzing Colored Petri nets. From 2000 till 2010 the software was maintained by the CPN Group at Aarhus University (Denmark); it was then transferred to the AIS group at Eindhoven University of Technology (The Netherlands).
Figure 5.6: Final marking after model simulation – Counting module
5.5. Applications of CP-nets
Colored Petri nets and CPN Tools are established graphical and mathematical mechanisms for modeling and verification of concurrent systems. CP-nets are used as a design language for the specification
of complex workflows. Moreover, Petri net theory enables formal verification of the correctness of workflow procedures [vdA98].
Colored Petri nets were utilized in many practical and industrial solutions. The list of their applications covers but is not limited to:
– protocols [VABG08] and networks verification [CDH99];
– software [DWJ08], [ŻD07] and hardware design [XK98], [CKR93];
– control of systems development [RS96], [Mor00], [Szp08a], [BKY98];
– military systems verification [FBD96], [FD96], [GB99], [WSL98], [BL93];
– modeling and verification of systems applied in biology [Cha07], [KSH99], chemistry [KO94],
[MTA+ 03], and medicine [CW87], [MOS98].
Due to the fact that the Author of this Thesis is both a researcher and regular soldier at Military Communication Institute in Zegrze (Poland) the survey of possible use of CP-nets is limited in the dissertation
to software, hardware and generally military purposes.
In software and hardware development, Colored Petri nets were utilized in many areas, for example, for modeling Web services composition [DWJ08]. Boundedness and liveness properties of Petri net models were used in the analysis of the correctness of the composite Web services. Data flow between services modeled as a net was combined with the CP-net flow to obtain an integrated architecture. With the use of CP-nets, faults and failures of composite web services as well as interactions between them and their clients can be identified before their deployment [ŻD07].
CP-net models were also used to analyze both the time and space complexity of the software in the
Nokia mobile phones [XK98]. At the prototyping stage CP-net models were used to evaluate alternative
mechanisms and policies in order to predict possible and useful system properties.
Hewlett-Packard Laboratories used Colored Petri nets for modeling bank transactions [CKR93].
Similarly to the conclusions regarding Nokia phones, CP-net tools were seen as useful in the design
phases and during taking key decisions about the system architecture and behavior in terms of both
quantitative and qualitative values for further steps.
In hardware, CP-nets were utilized for modeling a generic superscalar processor architecture [BKY98]. Colored Petri net models made it possible to analyze real-time properties of the processor, such as the worst case execution time for a block of instructions. The CP-net modeling language was proposed as an efficient mechanism for identification of parallel execution of instructions, branch prediction, and the use of processor instructions.
As mentioned at the beginning of this section, CP-nets were also successfully utilized for military purposes. For instance, in Australia a Military Communications Gateway was developed [FBD96], [FD96]. CP-nets were used to investigate operation of the gateway between a Tactical Packet Radio Network and Broadband ISDN, in particular to verify its architecture and behavior prior to implementation. In addition, the Australian Armed Forces used CP-nets to model and analyze a distributed air-to-air missile simulator which was developed as a testing platform for missile guidance and control algorithms [GB99]. Business processes modeled by Colored Petri nets made it possible to verify that the communication interface was correct and deadlock free for a given set of input parameters and state spaces.
On the other hand, US Air Force developed the project on improving military planning for Command
and Control System [WSL98]. Colored Petri net formalism and tools were used to assess the impact of
a set of controllable events or actions on outcomes of interest as well as to assess the impact of various
sequences and timing of those actionable events. With this methodology, alternative courses of action
were assessed in order to provide detailed planning and evaluation of those courses.
In Canada, CP-nets and CPN Tools were used to model and investigate a conceptual naval vessel [BL93]. In this case CP-net models were created to represent the behavior of the ship's critical system components. The proposed methodology was used to evaluate the performance of various decision policies for weapon assignment.
As we can see, application of Colored Petri nets touches many disciplines where modeling of system
behavior is critical. This particular usage is also crucial in this Thesis for CP-nets application in cyber
defense.
6. The architecture of the solution
This chapter is focused on the detailed specification of the architecture of the solution for behavioral-based malware detection, the so called PRONTO module. It introduces the reader to the concept of how ontology and CP-nets are utilized in order to model malicious actions in the monitored system and presents the approach to their application in threats’ tracking tools.
6.1. PRONTO module design
PRONTO, as already mentioned in Chapter 3, is a malware hunting tool. It is composed of two
main components: PRONTOlogy and PRONTOnet. These components’ main activity is based on models
of cyber threats that have been proposed in this Thesis. The process of building knowledge about the
behavior of malware is performed off-line in cooperation with External Providers and human-operated
expert systems. They support the process of building cyber threats’ models with the use of ontology and
CP-nets applied, in the end, in the threats’ tracking tools that are running in real time.
PRONTO module has been depicted in Figure 6.1. Its activity is based on cooperation of processes
depicted as rectangles, data – as parallelograms, databases – as cylinders. Arrows in the picture indicate
communication flow assumed in the PRONTO module.
PRONTO malware hunting tool cooperates with external elements. It is supplied with the events
observed by sensors running in the monitored system and is also supported by an expert system, so
called Cyber Threat Model Building Block, with information on vulnerabilities and potential attacks
on the protected system. Although data acquisition stream (observed events) and the tool for CP-net
modeling (expert system) are not an integral part of the PRONTO threat tracking module, they have been
described as important elements of the cyber threats model verification.
External provider of threats and vulnerabilities can be any trusted registry of attacks and vulnerabilities (e.g. National Vulnerability Database [NVD], [CVE] or Threat Centre [McA]). For the purpose
of this Thesis various external databases were used to define and describe attacks and their symptoms.
External provider is a source of knowledge for the Cyber Threat Model Building Block to perform its
main goal, i.e. analysis of vulnerabilities of the monitored system. This is the first process that must be
realized in order to assess security gaps and limit the search only to the potential threats. In practice, it is
realized by stakeholders responsible for availability and operational correctness of the system. In many
cases they are administrators or chief security architects. They know or have a list of deployed system
components and their versions. On the basis of known vulnerabilities and possible threats they are able to describe potential attacks on the managed system. The result of their work in the form of vulnerabilities detection is the input to the PRONTO module with:
(a) filling in the knowledge base and the rules list with the set of malicious symptoms, and
(b) creating CP-net models resembling malicious behavior of particular malware types.
Figure 6.1: Architecture of PRONTO module (External provider with its Register of threats and vulnerabilities; Monitored system with System assets, Sensors and Observed events; Cyber Threat Model Building Block with Identification of system vulnerabilities and CP-net models and reasoning rules; PRONTO consisting of PRONTOlogy, with Ontology, Knowledge base, Reasoning: Events filtering and Events vector, and PRONTOnet, with CP-net models of threats / type of threats, Malware detection: Matching sensor events with CP-net models, and Detected attack)
It is assumed that information about operations run in the monitored system is provided by various
sensors. These sensors generate data about events observed e.g. in file system, registry, processes and
network (communication with IP addresses or specific domains). PRONTO module receives this information as it is assumed that it has unlimited access to data from sensors installed on the protected device.
This provides the possibility to use the most precise information about the actions executed in the system.
This way PRONTO module is being fed with information about all kinds of attacks (malicious actions)
that might affect monitored systems.
Sensors operating in the monitored system are used to deliver to the PRONTO module the list of
observed events including both malicious ones – potentially realized by malware, and regular ones –
originated from legitimate users. These malicious ones can resemble activities of authorized users, therefore it is required to decide automatically on the level of their potential harmfulness, sending forward
only those suspicious ones. An important role of system stakeholders is to define such activities that may
negatively influence the whole system as well as its particular components.
Cyber Threat Model Building Block for the purpose of CP-net models and reasoning rules definition
prepares detailed information about:
– modification of the files (e.g. actions of creating, deleting files),
– modification of the system registry entries (e.g. new entries, modification of key values),
– initiated, executed and stopped applications and services,
– modification of user privileges,
– network connections and data transfer.
This information set is used to prepare cyber threat models for PRONTO to detect cyber attacks
caused by already known malware as well as 0-day attacks made by unknown ones. These models are
based on semantic description of suspicious events processed by PRONTOlogy and CP-nets used by
PRONTOnet.
Filtering of events is realized with ontology reasoning (described in section 6.2) and malware detection is done by comparing filtered sensor events to CP-net models (described in section 6.3).
6.2. PRONTOlogy – events filtering
6.2.1. Ontology model
One of the most fundamental challenges in threats recognition is their first sifting through which
would result in identification of those events that should be perceived as suspicious and processed further
on. This process should enable automatic filtering of events on the basis of their characteristic features.
However, it is not trivial to assume an action is suspicious since the mechanism must catch the context
of its invocation in order to assess if it is a regular operating system or user activity, or anomaly that
should be investigated further on. For this reason, it was necessary to use a method that could provide
the possibility to deduce from the gathered data and analyze possible correlation among events.
These requirements were met by the semantic techniques based on ontology and rules that enable to
create knowledge base and infer additional facts automatically.
As mentioned in Chapter 4:
“An ontology is an explicit and formal specification of a conceptualization”. [AvH08]
In general, ontology describes a domain of discourse formally. Typically, ontology consists of a finite list of terms, and relationships between these terms. This set describes so called TBox statements,
which are Terminological statements that describe the domain in terms of controlled vocabularies. They
describe important concepts (classes of objects) of the domain and their properties (see Chapter 4).
For the purpose of this Thesis an ontology modeled in the Web Ontology Language (OWL), titled PRONTOlogy.owl, has been proposed that describes basic classes and relationships among them. Since the investigated domain needs a description that can represent the fact that a resource executes an action on another resource, particular object properties are used. They indicate actions executed on resources and enable appropriate triples to be defined (e.g. run (x,y), where x, y are members of the Resource class and run is an object property, with domain and range equal to Resource).
Based on TBoxes there can be defined e.g. the following general statements:
Event(x)
Resource(y)
ResFile(z)
hasResource(x,y)
Resource(y) is a ResProcess
ResFile(z) is a Resource
run (y,z)
where:
– Event, Resource, ResProcess, ResFile – are classes,
– hasResource, run – are object properties,
– is a – is subclass relationship.
According to Figure 6.2 the model consists of the three main classes:
– Event,
– Place,
– Resource.
Figure 6.2: PRONTOlogy model (under Owl:Thing the classes Event, Place and Resource; Resource has the subclasses ResFile, ResRegistry, ResProcess, ResDomain and ResIPAddress, and Place has the subclasses File, Registry, Process, IPAddress and Domain (is-a); object properties hasResource (Event to Resource), hasPlace (Event to Place), hasColour (Place to Resource) and the action properties Run, Execute, Modify, Delete, Close, Open, Download, Terminate, Connect, Create, Read, Query and Other between resources; datatype properties ResourceName and EventName)
In order to differentiate types of resources that perform actions observed by system monitors, there
have been defined the following subclasses of the Resource class:
– ResFile – where the resource is a file,
– ResRegistry – where the resource is a registry,
– ResProcess – where the resource is a process,
– ResDomain – where the resource is a domain the system is trying to connect to,
– ResIPAddress – where the resource is an IP address the system is trying to connect to.
In order to indicate particular registry entries, file names etc. datatype properties have been proposed.
They describe name of the Resource (ResourceName) and name of particular Event (EventName).
In order to reflect activities on system resources, the following object properties, which correspond to types of system activities, have been modeled:
– run – e.g. running a service, process;
– open – e.g. opening a file, registry;
– close – e.g. closing a file, application, process;
– modify – e.g. modification of registry entry, file, process;
– execute – e.g. executing an application;
– terminate – e.g. terminating a process;
– connect – e.g. connecting to the IP address or domain;
– query – e.g. querying the registry entry state;
– download – downloading data from remote location;
– create – creating a new object, e.g. registry entry, file;
– delete – deleting an object, e.g. file, registry entry.
For all object properties listed above Domain and Range are equal to Resource, which means that
one resource can execute actions on other resources.
There are also additional object properties that can reflect the fact:
(i) that particular event should be perceived as a Place: hasPlace, where
Domain = Event, Range = Place,
(ii) that particular marking appears for particular Place: hasColor, where
Domain = Place, Range = Resource, and
(iii) that particular event is related to a Resource: hasResource, where
Domain = Event, Range = Resource.
The above defined types of classes and object properties enable to describe events that are registered
by system monitors (sensors). Additionally, the model was constructed in such a way that it can reflect
the fact that particular observed activity should be perceived as a token in the Petri net. This process is
performed automatically with the use of reasoning rules. As already explained in Chapter 4 the Semantic
Web Rule Language (SWRL) [HPSB+ 04a] offers appropriate expressiveness and tool support in order
to use it for the assumed purpose.
SWRL combines characteristics of OWL DL and OWL Lite with those of the Rule Markup Language. It allows new facts to be inferred from already existing ones, although it has some limitations. OWL Full constructs, such as classes and property values, are not supported by this language, so it does not support direct reasoning about classes or properties. It is not possible to write a rule that, for example, deduces some new knowledge based on the fact that one class is a direct subclass of another. For the same reason, RDF (Resource Description Framework [LS99]) or RDFS (RDF Schema), or OWL constructs such as owl:Class or owl:DatatypeProperty, cannot be used in rules.
As events from sensors are delivered to the PRONTOlogy engine, new facts are inserted into the knowledge base in the form of ABox statements. In order to provide additional facts to the knowledge base in terms of appearance of a new token in the CP-net model of a particular attack, rules are proposed. The following listing shows a rule whose condition is: an event where a process named csrss opens a file named open.exe, which in fact is an infected file. When this condition is met, it results in identification of a new Place in the CP-net model, which is a File with the token open.exe.
Place(?c) ^ Resource(?y) ^ resourceName(?y, "csrss.exe") ^ open(?y, ?z)
^ ResFile(?z) ^ resourceName(?z, "open.exe") -> File(?c) ^ hasColour(?c, ?z)
A new set of rules will be prepared whenever new threats appear in the process of system vulnerabilities analysis. For the purpose of the Thesis there has been shown an exemplary set that will provide the
possibility to discover markings of places defined in the CP-net model (see Chapter 7).
6.2.2. PRONTOlogy engine
The ontology model presented in the above subsection is used in the PRONTOlogy engine. System activities that are logged by different system sensors form a stream of hundreds to even hundreds of thousands of events per minute. They record activities of the user and related background activity of the system. In terms of the presented Method, the sensors that cover the spectrum of incidents describing the behavior of different malware types are process, registry, file and network monitors, reflected in the ontology.
Sensors allow to log file system, registry and process/thread activities in real-time. After a proper
configuration they enable sifting of incoming events and comprehensive event properties such as session
ID numbers, user names, reliable process information, full thread stacks with integrated symbol support
for each operation, simultaneous logging to a file, etc.
The first stage of the PRONTOlogy engine operation is devoted to the analysis of this events’ stream
and classification of single events as either suspicious or regular ones. This classification is assumed
as a background activity for the monitoring of the system state realized by the second component of
PRONTO, i.e. threat tracking (PRONTOnet).
Particular types of malware perform distinctive activities. Each of them is different and, what is more, may appear in several variants, which results in various realizations of malware. If the malware signature is unknown (the code has been obfuscated), identification of its activity can be done by analyzing system events. The first stage of this process is related to filtering of events and classifying them as neutral or suspicious. In the latter case information about the event is passed down to the next stage, threat tracking.
The stage of events filtering is based on the ontology engine that automatically, with the use of the
knowledge base and a set of rules, defines if the registered event is suspicious and should be tracked
further by the PRONTOnet module. Knowledge base is created with lifting the information about events
registered by sensors to create assertions and facts (entering ABox statements into the knowledge base).
Suspicious actions are modeled as instances of the Place class. As already mentioned, the rules provide the possibility to infer facts that a particular event indicates existence of a Place in the CP-net model (hasPlace object property) and therefore a particular token (hasColor object property) exists, and this fact should be passed further on to PRONTOnet. For instance, the rules can infer that an event called winlogon.exe_run_VRT7.tmp, which means that the winlogon.exe process has run the VRT7.tmp file, is suspicious, and send this information on to the threat tracking module for further investigation.
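To make the rule-based filtering of subsection 6.2.1 and the PRONTOlogy engine stage described above concrete, the following added example (Python code written for this edition, not the Thesis' or the PRONTO project's own code) lifts constructed sensor records into ABox-style facts and forward-chains two rules of the same shape as the csrss/open.exe rule shown earlier. Assumptions not in the original: the join atoms hasPlace(?e,?c) and hasResource(?e,?y) that tie the inferred Place to the event which triggered it, the second rule built from the winlogon.exe_run_VRT7.tmp event named above, the individual names (ev1, place1, res1a, ...) and the sample records.

```python
"""Added example: rule-based lifting and filtering of sensor events in the
style of PRONTOlogy (not the Thesis' or the PRONTO project's own code)."""
from itertools import count


class KnowledgeBase:
    """ABox facts stored as tuples: ("Class", ind) or ("property", subj, obj)."""

    def __init__(self):
        self.facts = set()
        self.seq = count(1)   # numbering of individuals, per knowledge base

    def add(self, *fact):
        self.facts.add(tuple(fact))

    def has(self, *fact):
        return tuple(fact) in self.facts


def is_var(term):
    return isinstance(term, str) and term.startswith("?")


def unify(atom, fact, binding):
    """Match one rule atom against one fact, extending the variable binding;
    returns None on mismatch."""
    if len(atom) != len(fact):
        return None
    bound = dict(binding)
    for term, value in zip(atom, fact):
        if is_var(term):
            if bound.setdefault(term, value) != value:
                return None
        elif term != value:
            return None
    return bound


def match_body(kb, body, binding=None):
    """Backtracking search yielding every binding that satisfies all body atoms."""
    binding = binding or {}
    if not body:
        yield binding
        return
    for fact in kb.facts:
        bound = unify(body[0], fact, binding)
        if bound is not None:
            yield from match_body(kb, body[1:], bound)


def apply_rule(kb, body, head):
    """Forward-chain one rule (body -> head) and return the newly inferred facts."""
    new = set()
    for bound in list(match_body(kb, body)):
        for atom in head:
            fact = tuple(bound.get(term, term) for term in atom)
            if not kb.has(*fact):
                new.add(fact)
    kb.facts |= new
    return new


def lift_event(kb, actor, action, target, target_class):
    """Lift one sensor record into ABox statements: Event e, its candidate Place c
    (hasPlace), the acting process y (hasResource) and the target resource z."""
    n = next(kb.seq)
    e, c, y, z = f"ev{n}", f"place{n}", f"res{n}a", f"res{n}b"
    kb.add("Event", e)
    kb.add("eventName", e, f"{actor}_{action}_{target}")
    kb.add("Place", c)
    kb.add("hasPlace", e, c)
    kb.add("Resource", y)
    kb.add("ResProcess", y)
    kb.add("resourceName", y, actor)
    kb.add("hasResource", e, y)
    kb.add("Resource", z)
    kb.add(target_class, z)
    kb.add("resourceName", z, target)
    kb.add(action, y, z)


def place_rule(actor, action, target):
    """Rule of the same shape as the csrss/open.exe rule in the text, plus the
    join atoms hasPlace/hasResource (assumption) that tie ?c to the acting ?y."""
    body = [("Place", "?c"), ("hasPlace", "?e", "?c"), ("hasResource", "?e", "?y"),
            ("Resource", "?y"), ("resourceName", "?y", actor),
            (action, "?y", "?z"), ("ResFile", "?z"), ("resourceName", "?z", target)]
    head = [("File", "?c"), ("hasColour", "?c", "?z")]
    return body, head


RULES = [
    place_rule("csrss.exe", "open", "open.exe"),     # the rule from the text
    place_rule("winlogon.exe", "run", "VRT7.tmp"),   # built from the event named above
]


def filter_events(records):
    """Lift constructed records, run all rules, and return the (place, token)
    pairs that PRONTOlogy would pass on to PRONTOnet."""
    kb = KnowledgeBase()
    for record in records:
        lift_event(kb, *record)
    for body, head in RULES:
        apply_rule(kb, body, head)
    names = {f[1]: f[2] for f in kb.facts if f[0] == "resourceName"}
    return sorted((f[1], names[f[2]]) for f in kb.facts if f[0] == "hasColour")


# Constructed sensor records: (acting process, action, target, target class).
SAMPLE_RECORDS = [
    ("explorer.exe", "open", "readme.txt", "ResFile"),   # regular user activity
    ("csrss.exe", "open", "open.exe", "ResFile"),        # matches the first rule
    ("csrss.exe", "query", "open.exe", "ResFile"),       # wrong action: no match
    ("csrss.exe", "open", "open.exe", "ResRegistry"),    # wrong class: no match
    ("winlogon.exe", "run", "VRT7.tmp", "ResFile"),      # matches the second rule
]

if __name__ == "__main__":
    print(filter_events(SAMPLE_RECORDS))
```

The third and fourth records show why the class atom ResFile(?z) and the action property matter: a query instead of an open, or a registry resource instead of a file, leaves the rule unmatched, which is the context check the text asks the filtering stage to perform before anything is handed to PRONTOnet.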
6.3. PRONTOnet – malware tracking
6.3.1. An approach to malware tracking
Let us assume that places P are any nodes, files, protocols, processes or any other assets in the
monitored system, transitions T are any operations made on system assets, arcs A are shifts that activate
assets in the system, and color set Σ is a set of values or pointers indicating particular system assets. The
rest of CP-net parameters are skipped in order to define relation between monitored computer system
and the CP-net models precisely.
Now let us assume the situation (see Figure 6.3) when in the monitored computer system a web browser is activated in order to visit some Internet resources (e.g. a web page). This web page contains malicious code which is downloaded to the system and then executed. After being activated it is responsible for logging user keystrokes when https sites are visited (e.g. banks) and sending the registered streams to the command and control center (so called C&C). When analyzing this case it is assumed that the code of the malicious software program successfully passed the rigorous verification by signature based mechanisms (an anti-virus application), was not recognized so far and is able to activate itself on the system. Firstly, the virus sets up its presence in the system. This is called the establishing presence phase and includes downloading additional code and commands from the C&C and deactivating security measures (switching off firewall, antivirus, other intrusion detection mechanisms and security controls). After this step, the exploit is able to execute malicious activities and disseminate itself to other systems.
Figure 6.3: Example of malicious activity (the Monitored System has a System Shell and a Web Browser; the Web Browser visits a Web Service that contains Malicious Code, which is downloaded and executed by the System Shell; after infection the Malicious Code is logging the Web Browser’s visits to Encrypted Web Services and sends logs to the C&C)
In order to follow the CP-net modeling approach taken in this Thesis, one can investigate Figure 6.3,
which presents relationship among assets that take part in malicious activities that are run in the system.
The assets such as System Shell, Web Browser, Malicious Code, Web Service, etc. are in fact places P
in CP-net model. Transitions T are actions realized on those system assets such as execution, logging,
browsing, sending, etc. Arcs A are arrows depicted in the picture. Color sets Σ are e.g. names of registry
entries, locations of files, their handlers after execution, sent data, IP addresses or domain names of
C&Cs.
6.3.2. Utilization of CP-net models for malware tracking
Newly produced malware is almost never deployed without a technology that hides the malicious code from signature based anti-virus tools. The method of evading signature based mechanisms is generally called obfuscation. It is a technique to generate software that realizes the same functions but does not have specific code signatures. It can be realized by modification of JavaScript code, additional loops in the code that return to the point of execution (zero loops), encryption techniques run at program execution, etc. New malware, called 0-day exploits, is generally produced from existing parts of code that were used in various cyber attacks. This is a fast and the most popular way for hackers to generate new malicious tools without much investment. Obfuscation techniques render signature based mechanisms insufficient for detecting new malicious activities. Nevertheless, a new exploit which is composed of known malware executes the same functions and operations on the system. Therefore, even when performed among many actually harmless actions, it is possible to detect some characteristic actions such as:
– operations on particular files,
– operations on registry entries,
– executed processes and applications,
– communication with specific IP addresses,
– communication with domains.
The malware detection, which takes as input the set of suspicious events received from the PRONTOlogy engine, uses the CP-net models defined in this Thesis. The detection process is graphically depicted in the CP-net models presented in the following Figures 6.4, 6.5, 6.6, and 6.7. The model is hierarchical, therefore it has been described by four modules (prime, Acquisition, Verification, and Virut module).
The prime module of CP-net model representing PRONTOnet threat tracking tool is depicted in
Figure 6.4. On the left hand side of this figure there is a column of places, marked with ellipses, storing
tokens that represent particular assets that might be affected by malware:
– F – a place storing tokens indicating files;
– R – registry entries;
– P – processes;
– D – domains;
– IP – IP addresses that malware may communicate with.
Figure 6.4: CP-net model of PRONTOnet – prime module (asset places F, R, P, D and IP of color set S with initial markings f1++f2++…++fn, r1++r2++…++rn, p1++p2++…++pn, d1++d2++…++dn and ip1++ip2++…++ipn; substitution transitions F_detected, R_detected, P_detected, D_detected and IP_detected, each bound to the Acquisition module; places VF, VR, VP, VD and VIP of color set S; substitution transition Verify bound to the Verification module; place RESULT of color set V)
The second column in Figure 6.4 is composed of substitution transitions that are related to the Acquisition process depicted in Figure 6.5. The next column is made up of places indicating particular assets affected by malware activated in the monitored system. Markings of these places are processed by the substitution transition called Verify in order to deduce that the system is infected by a certain malware type. In consequence, the place RESULT is marked with a vector informing about the malware and the symptoms that indicate this malware.
Let us also explain color sets and inscriptions in the Figure 6.4, called prime module.
Listing 6.1: Color types and inscriptions in PRONTOnet prime module
colset S = String;
colset I = Integer;
colset Symptoms = List S;
colset V = Product I * S * Symptoms;
Color type S is a string. This way particular assets are described by variables f, r, p, d, ip of
type S, e.g. file C:\[WINDIR]\System32\svchost.exe or IP address 66.232.126.195. Color set
I is an integer and is used as threat identity number, and color set Symptoms is a list of strings describing
assets suspected to be infected by malware. Color set V is a product that indicates threat identity number,
name of the threat, and list of symptoms that were used for identification which attack was executed in
the system.
In Figure 6.5 the symptom acquisition process and co-operation with the PRONTOlogy module is presented. Place Symptom is an input/output port that indicates the appropriate place F, R, P, D or IP from the higher level module (Figure 6.4). In the Acquisition module tokens that represent filtered suspicious activities identified by PRONTOlogy are passed to the VSymptom place if the same token exists at the Symptom place. Identified suspicious actions mark the VSymptom place for further processing by the Verify transition. The marking of the Symptom place contains all tracked elements of the monitored system, e.g. all IP addresses that the system may communicate with and download malicious software from. Transition Symptom_detected is developed in order to test the existence of the appropriate token in the Symptom place in case the Trigger place is marked. If the compared tokens are different, the transition does not react. Conformity of the tokens is required by the guard [x = t]. The presented module is also prepared to detect in the monitored system more than one exploit that uses the same tricks to switch off system security controls, or even two or more malware using the same malicious code. The marking of the Symptom place is not reduced while the Symptom_detected transition is enabled. This module shows the important role of PRONTOlogy in detection of suspicious events and passing them to the PRONTOnet module.
Figure 6.5: CP-net – Acquisition module (place Trigger of color set S receiving token t from PRONTOlogy; place Symptom of color set S, an I/O port with marking s1++s2++…++sn; transition Symptom_detected with guard [x = t], taking x from Symptom and t from Trigger and returning x to Symptom; place VSymptom of color set S, an Out port receiving x)
Figure 6.6: CP-net – Verification module (In ports VF, VR, VP, VD and VIP of color set S; substitution transitions Malware_1 bound to the Virut module, Malware_2 bound to Malware2, …, Malware_n bound to Malwaren; Out port RESULT of color set V)
The Verification module is presented in Figure 6.6. It must be noted that the substitution transition Verify in the prime module represents multiple transitions designed for identification of various malware types. This means that for a particular marking of the V places the transition appropriate for a particular malware (verification process) is enabled. An exemplary virus detection for a chosen marking is shown in Figure 6.7, which presents detection of malware called Virut [Vir], [NP13].
Figure 6.7: CP-net – Virut module (In ports of color set S with markings VF: 1'vrt7.tmp, VR: 1'HKLM\...\Security, VP: 1'winlogon++1'svchost, VD: 1'zief.pl++1'setdoc.cn, VIP: 1'209.205.196.18++1'94.247.2.38; transition Virut producing v; Out port RESULT of color set V)
Figure 6.8: CP-net – The first layer of the model with additional New place (the prime module of Figure 6.4 extended with place New of color set S with marking new1++new2++…++newn, substitution transition New_detected bound to the Acquisition module, and place VNew of color set S)
In the presented example, assuming appearance of the current marking, transition Virut is enabled,
which in consequence leads to receiving vector v informing about detection of the Virut malware. The
structure of vector v is as follows:
1’ 1 | Virut | vrt7.tmp, HKLM\...\Security, winlogon, svchost, zief.pl,
setdoc.cn, 209.205.196.18, 94.247.2.38.
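As an added example (Python code written for this edition, not the Thesis' or the PRONTO project's CPN Tools model), the following block renders the Acquisition and Verification modules above in plain code: a marking is a multiset of S tokens, Symptom_detected copies a trigger token to VSymptom only if the same token is present in Symptom (whose marking is not reduced), and a malware transition is enabled only when every token on its input arcs is present in the V places, in which case it produces a V token (threat id, name, symptoms) with the same content as the vector v above. It generalizes the single Virut module to a table of models as in Figure 6.6; the Virut markings are those of Figure 6.7, while the initial markings of the asset places, the Malware_2 placeholder model and the incoming trigger tokens are constructed for the example.

```python
"""Added example: the PRONTOnet prime, Acquisition and Verification modules
rendered in plain Python (not the Thesis' or the PRONTO project's own model)."""
from collections import Counter


def marking(*tokens):
    """Color set S = String; a marking is a multiset (Counter) of string tokens."""
    return Counter(tokens)


# Prime module: initial markings of the asset places (f1++f2++...++fn etc.).
# Constructed here; in PRONTO they come from the vulnerability analysis.
ASSET_PLACES = {
    "F": marking("vrt7.tmp", "svchost.exe", "readme.txt"),
    "R": marking("HKLM\\...\\Security", "HKLM\\...\\Run"),
    "P": marking("winlogon", "svchost", "explorer"),
    "D": marking("zief.pl", "setdoc.cn", "example.org"),
    "IP": marking("209.205.196.18", "94.247.2.38", "192.0.2.10"),
}

# Verification module: for each malware type, the tokens its transition
# expects on its input arcs from the V places (Virut as in Figure 6.7).
MALWARE_MODELS = {
    1: ("Virut", {
        "VF": marking("vrt7.tmp"),
        "VR": marking("HKLM\\...\\Security"),
        "VP": marking("winlogon", "svchost"),
        "VD": marking("zief.pl", "setdoc.cn"),
        "VIP": marking("209.205.196.18", "94.247.2.38"),
    }),
    # Constructed placeholder standing in for Malware_2; not a real signature.
    2: ("Malware_2", {
        "VR": marking("HKLM\\...\\Run"),
        "VIP": marking("192.0.2.10"),
    }),
}


def acquisition(symptom, trigger):
    """Acquisition module: transition Symptom_detected with guard [x = t].
    Each token t arriving at Trigger is copied to VSymptom if the same token
    is present in Symptom; Symptom is read, not consumed."""
    vsymptom = Counter()
    for t, n in trigger.items():
        if symptom[t] > 0:
            vsymptom[t] += n
    return vsymptom


def verification(v_places):
    """Verification module: a malware transition is enabled when every token on
    its input arcs is present in the corresponding V place. Returns the RESULT
    marking as a list of V tokens (threat id, threat name, symptoms)."""
    result = []
    for threat_id, (name, expected) in MALWARE_MODELS.items():
        enabled = all(
            v_places.get(place, Counter())[tok] >= n
            for place, toks in expected.items()
            for tok, n in toks.items()
        )
        if enabled:
            symptoms = [tok for toks in expected.values() for tok in toks]
            result.append((threat_id, name, symptoms))
    return result


def prontonet(triggers):
    """Prime module: run Acquisition for every asset place, then Verify.
    triggers maps an asset place name to the tokens PRONTOlogy sent for it."""
    v_places = {}
    for place, symptom in ASSET_PLACES.items():
        v_places["V" + place] = acquisition(symptom, triggers.get(place, Counter()))
    return verification(v_places)


# Constructed stream of filtered suspicious tokens coming from PRONTOlogy.
VIRUT_TRIGGERS = {
    "F": marking("vrt7.tmp", "notes.docx"),   # notes.docx is not a tracked asset
    "R": marking("HKLM\\...\\Security"),
    "P": marking("winlogon", "svchost"),
    "D": marking("zief.pl", "setdoc.cn"),
    "IP": marking("209.205.196.18", "94.247.2.38"),
}

if __name__ == "__main__":
    print(prontonet(VIRUT_TRIGGERS))
```

Extending the model as in Figure 6.8 only requires a "New" entry in ASSET_PLACES (and a "VNew" entry in the models that use it), which mirrors the statement above that a new resource costs one additional place pair and one Acquisition instance rather than a change to the detection logic.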
The CP-net models presented in this chapter make it easy to update the symptoms of a new attack by changing the initial marking of places. Every time a new malware model is entered into PRONTO, the markings of the places must be updated accordingly.
It is also worth emphasizing that the detection of malware is not limited only to the depicted resources. As already mentioned in Chapter 3, PRONTO may also be used for identification of exploits through analysis of network traffic and system statistics. If some resource is identified as useful for malware detection, the prime module only needs to be updated with the additional places New and VNew, as well as the transition New_detected, as depicted in Figure 6.8.
7. Verification of the modeling approach
This chapter presents verification of the proposed Method. The aim of verification is to check whether the implemented Method is able to detect malicious activities and categorize them as a specific malware. The verification process is divided into the following steps:
– Ontology evaluation. The developed ontology and reasoning rules have been validated and verified.
– Evaluation of malware modeling. An exemplary malware is presented as a CP-net model with the use of software developed for the purpose of verification.
– System data acquisition. Simulated malicious software modifies the system, files and registry and connects to its C&C servers. Moreover, it executes harmful activities. All observed actions, both legitimate ones and those made by malware, have been registered.
– Filtering suspicious activities. The reasoning rules are applied in order to find the activities executed by malware.
– Malware detection experiment. Suspicious activities are assigned to malware CP-net models, revealing which attack was detected. A vector containing information about the detected suspicious activities and their similarity to the modeled malware is presented for three scenarios:
Scenario 1. Virut detection.
Scenario 2. VBMania detection.
Scenario 3. 0-day attack detection.
7.1. Verification of the model
7.1.1. PRONTOlogy.owl evaluation
This section is devoted to ontology evaluation which, according to [SGC+11], should consist in validation and verification of an ontology in terms of its scope, consistency and expressiveness.
The semantic model defined in the PRONTO ontology (PRONTOlogy) is intended to reflect events that occur in the monitored system and to identify the suspicious ones among them. This model has a direct relationship with the CP-net through the Place class, the instances of which are passed over to PRONTOnet. PRONTOlogy defines:
– The event instance, modeled with the use of the Event class. Data about occurred events is received from the sensors, then lifted to the ontology model as instances of the Event class. Each instance
has eventName (data property) defined by the sensor. The description of an event is modeled with the use of the hasResource object property, which indicates the initiator of the event, i.e. some system resource.
– System resources that are monitored by sensors – File, Registry, Process, Domain, IPaddress. They are modeled by the following classes: ResFile, ResRegistry, ResProcess, ResDomain, ResIPAddress, which are subclasses of the Resource class.
– The event description, modeled with the use of object properties (run, create, modify, delete, download, open, close, read, execute, terminate, connect, query). The domain and range of these object properties is the Resource class, which means that resources perform actions on other resources.
– An abstract Place class that expresses the fact that a particular event is suspicious and should be handed over to the CP-net model for further investigation. This class has five subclasses that define the type of a Place, which in turn results from the event originator and reflects the Places of the CP-net model.
With the use of the proposed ontology it is possible to describe the event of running a file by a particular process. For instance, occurrence of the winlogon.exe_run_VRT7.tmp event would cause insertion of the following instances into the knowledge base:
http://wil.waw.pl/secor/PRONTOlogy.owl#Event_1
http://wil.waw.pl/secor/PRONTOlogy.owl#eventName(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_1, "winlogon.exe_run_VRT7.tmp")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_8
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_8, "winlogon.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResFile_9
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResFile_9, "vrt7.tmp")
http://wil.waw.pl/secor/PRONTOlogy.owl#run(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_8, http://wil.waw.pl/secor/
PRONTOlogy.owl#ResFile_9)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasResource(http://wil.waw.pl/secor
/PRONTOlogy.owl#Event_1, http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_8)
The event filtering stage is based on the ontology engine, which automatically, with the use of the knowledge base and a set of rules, decides whether a registered event is suspicious and should be tracked further by the threat tracing module. As already mentioned in Section 6.2, the knowledge base is created by lifting the information about events registered by sensors into assertions and facts. Suspicious actions are modeled as instances of the Place class. The knowledge that an object is also an instance of the Place class is derived by the set of rules proposed for the purpose of PRONTOlogy.
If the following rule is applied:
Place(?c) ^ Resource(?y) ^ resourceName(?y, "winlogon.exe") ^ run(?y, ?z)
^ ResFile(?z) ^ resourceName(?z, "vrt7.tmp") -> File(?c) ^ hasColour(?c, ?z)
the following instances will be added to the knowledge base:
http://wil.waw.pl/secor/PRONTOlogy.owl#Place_1 is a member of File class
(inferred knowledge)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasColour(http://wil.waw.pl/secor/
PRONTOlogy.owl#Place_1, http://wil.waw.pl/secor/PRONTOlogy.owl#ResFile_9).
If the following rule is applied:
Event(?e) ^ Place(?c) ^ hasResource(?e,?y) ^ Resource(?y)
^ resourceName(?y, "winlogon.exe") ^ run(?y, ?z) ^ ResFile(?z)
^ resourceName(?z, "vrt7.tmp")
-> hasPlace(?e,?c) ^ File(?c) ^ hasColour(?c, ?z)
additionally the relation
http://wil.waw.pl/secor/PRONTOlogy.owl#hasPlace(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_1, http://wil.waw.pl/secor/PRONTOlogy.owl#Place_1).
will be added.
If an event has hasPlace relation to any Place instance, it is a suspicious event.
PRONTOlogy defines all entities that are necessary to describe the events of the monitored system's behavior and to identify suspicious events. Moreover, the direct relation between the ontology and the CP-nets has been modeled with the use of the Place class. Therefore, the ontology satisfies the required scope and expressiveness.
The second ontology evaluation step consists in checking the ontology consistency. According to [Tar46] an ontology is consistent (also called satisfiable) when it does not contain a contradiction. The lack of contradiction can be defined in either semantic or syntactic terms. The syntactic definition states that a theory is consistent if there is no formula P such that both P and its negation are provable from the axioms of the theory under its associated deductive system. The ontology model that contains formal definitions of classes, properties and individuals allows inferring new knowledge from knowledge that is already present. The fact that it is based on formal description logic makes it amenable to logical reasoning and enables inferring knowledge from existing facts and axioms.
Facts are defined as: information about a particular individual, in the form of classes that the individual belongs to plus properties and values of that individual [PSH04].
Axioms are used to associate class and property identifiers with either partial or complete specifications of their characteristics, and to give other information about classes and properties. Axioms used
to be called definitions, but they are not all definitions in the common sense of the term and thus a more
neutral name has been chosen [PSH04].
The consistency of PRONTOlogy.owl has been verified in the Protégé ontology editing tool (version 3.4.6) [PRO] using the Pellet 1.5.2 [SPCG+ 07] reasoner on a machine with the following configuration:
– Processor: Intel Core i7 (2 cores 2,8 GHz each);
– RAM: 6 GB;
– Operating System: Windows 7 (64 bit).
Figure 7.1: Consistency checking of PRONTOlogy.owl – information log from Protégé
The consistency check on this machine was successful (as depicted in Figure 7.1) and PRONTOlogy.owl has been proved consistent.
To verify event filtering with the ontology and reasoning, a web service PRONTOlogyInterface was implemented in Java [Jav]. The service was developed with the use of the Protégé, Pellet, SWRL Jess bridge [SWR] and Jess71p2 [Jes] programming libraries. The Web Service was run on GlassFish Server 3.1.2 [Gla].
PRONTOlogyInterface consists of two programming packages:
– wil.waw.pl.protegeclass.prontology, and
– wil.waw.pl.prontology.
Java classes of the wil.waw.pl.protegeclass.prontology package were generated with the Generate Protégé-OWL Java Code plug-in of the Protégé editor. The generator allowed the Java classes to be defined automatically on the basis of PRONTOlogy.owl (see Figure 7.2).
Package wil.waw.pl.prontology consists of the following classes:
– InferenceResult.java,
– OperationType.java,
– ResourceType.java,
– PRONTOlogy.java.
InferenceResult.java defines the result code of the PRONTOlogyInterface service.
OperationType.java defines the types of operations on resources:
public enum OperationType {RUN, EXECUTE, CREATE, MODIFY, DELETE, CLOSE, OPEN,
DOWNLOAD, CONNECT, ACCESS, TERMINATE, QUERY, READ, OTHER}
The enumeration class ResourceType.java defines the types of resources:
public enum ResourceType {RESDOMAIN, RESIPADDRES, RESUSER, RESREGISTRY,
RESFILE, RESPROCESS}
[Figure 7.2: Generation of Java classes on the basis of PRONTOlogy.owl – class diagram: Owl:Thing with subclasses Event, Resource (ResDomain, ResFile, ResProcess, ResUser, ResRegistry, ResIPAddress) and Place (Domain, File, Registry, Process, User, IPAddress), linked by the object properties hasResource, hasPlace and hasColour; the Generate Protege-OWL Java Code plug-in produces the Java classes]
PRONTOlogy.java is the main class of PRONTOlogyInterface and it implements the following web methods:
– readOntologyFromFile(), which reads the ontology from the file;
– inferKnowledge(), which performs ontology reasoning;
– queryForPetriPlace(), which identifies the Place in the CP-net on the basis of the defined knowledge base;
– queryForPetriToken(), which identifies, on the basis of the knowledge base, the token assigned to a particular Place.
7.1.2. Evaluation of cyber attack CP-net models construction
In order to define requirements for cyber attack models according to [JK09] the following questions
need to be answered: What is the purpose? What do we want to learn about the system by making this
kind of model? What kinds of properties are we interested in investigating?
Without initially answering these questions in some detail, it is impossible to make a good model,
and we shall be unable to decide what should be included in the model, and what can be abstracted
away without compromising the correctness of the conclusions that will be drawn from investigating the
model. Finding the appropriate abstraction level at different points in the development of systems is one
of the arts of modeling.
Firstly, the purpose of modeling cyber attacks is to understand their nature and behavior in the infected system. Obfuscation methods allow attackers to bypass signature-based security controls, although the activity in the system still has the same nature. Thus, the model of malware is a reflection of a potential attack that may appear. Secondly, modeling of threats allows us to observe modifications of malicious activities and to find new threats, so called 0-day attacks. Any similarity to the model leads to raising an alarm that suspicious activity has been detected. Thirdly and finally, we need to know the value of the risk that our system might be infected [SJWD13] and, in case of a successful attack, what kind of changes would be applied to the system.
According to the architecture presented in Chapter 6, cyber attack CP-net models support malware detection, so the model must reflect:
– system assets, and
– actions that are conducted on these assets.
The model must also provide the possibility to track the behavior of malware and, on the basis of observation of different events, decide about the existence of a particular malware in the protected system.
The model was constructed in such a way that it reflects all the computer assets taking part in malware execution: the file system, registry, executed processes, IP addresses, and domain names that the system connects to are modeled as places P of the CP-net model. Thus, set P is formed by the objects of the protected system involved in detection of harmful malware activities:
$P = P_{Process} \cup P_{IP\_address} \cup P_{Domain} \cup P_{File} \cup P_{Registry} \cup P_{Sensor}$
The transition set T is composed of the actions performed on the system assets:
$T = \{Execute, Create, Modify, Delete, Close, Run, Terminate, Connect, Query, Download, Read, Open, Other\}$
The color set $\Sigma$ over places P reflects the different types of assets, e.g. the address of a web page, the location of files, their handles after execution, sent data, or the IP address or domain name of the C&C:
$\Sigma = \Sigma_{Process} \cup \Sigma_{IP\_address} \cup \Sigma_{File} \cup \Sigma_{Domain} \cup \Sigma_{Registry}$
The initial marking $M_0$ of places P indicates the particular assets that must be tracked by the proposed Method in order to reflect the characteristics of different events, i.e. a particular file name, file path, registry entry, etc. In the proposed model $M_0$ is as follows:
$M_0 = M_{Process} \cup M_{IP\_address} \cup M_{File} \cup M_{Domain} \cup M_{Registry}$, where:
$M_{Process} = \{svchosts, rundll32, csrsc, \ldots\}$ – particular processes,
$M_{IP\_address} = \{209.205.196.18, 66.232.126.195, 94.247.2.38234, \ldots\}$ – IP addresses,
$M_{File} = \{vrt7.tmp, ntdll.dll, 8.tmp, 9.tmp, \ldots\}$ – files,
$M_{Domain} = \{horobl.cn, setdoc.cn, zief.pl, irc.zief.pl, proxim.ircgalaxy.pl, \ldots\}$ – domains,
$M_{Registry} = \{HKLM/\ldots/FirewallPolicy, HKU/\ldots/UpdateHost, \ldots\}$ – registry entries.
Set A is the set of directed arcs that connect places to transitions and transitions to places: $A \subseteq (P \times T) \cup (T \times P)$. The arcs reflect the sequence of actions on system assets.
For the purpose of modeling particular malware and storing their specifications, a dedicated application called CP-net malware modeling tool (abbr. CPN MM) was developed. The CPN Tools software presented in Chapter 5 is not sufficient for identification of the malware types affecting the computer system. It is suitable for observation of data flows during malware execution, but not for the experimental detection of cyber attacks.
Figure 7.3: CP-net malware modeling tool – first window
Figure 7.4: Malware editor window of CPN MM
Let us focus on modeling of cyber attacks with the use of the CPN MM tool. As an example showing the expressiveness of the model, the Virut malware [NP13], [Vir] has been chosen. The first window of CPN MM is presented in Figure 7.3. It presents the list of modeled cyber attacks, with Virut malware as the last one.
Figure 7.5: Editor of malware symptoms
Whenever an expert wants to model a new cyber attack, he needs to choose the Add button and fill in the data as presented in Figure 7.4. Symptoms of a particular malware are edited with the use of the window presented in Figure 7.5. It is a drag and drop tool which allows subsequent places to be added to the model easily. This software is in the development stage, therefore its functions are limited. Transitions are currently shown as operations over places. The software will be developed till the end of the ongoing project at the Military Communication Institute. Its results are planned to be demonstrated and tested at the nearest annual edition of the NATO CWIX exercises. The graph presented in Figure 7.5 is used in Section 7.2.2 as the base for verification of Virut malware detection.
Table 7.1: Malware class pl.waw.wil.pronto.datamodel.Malware
Name | Type | Description
id | java.util.UUID | Malware identity number. Unique 128-bit identifier in accordance with RFC-4122.
name | java.lang.String | Malware name.
urls | java.util.List | A list containing URL addresses of the sites with a detailed description of the virus (e.g. URLs to McAfee, Kaspersky, Symantec, ESET).
description | java.lang.String | Short description of the malware.
vulnerabilities | java.lang.String | Description of the system's vulnerabilities exploited by the malware.
symptoms | java.util.List | List of symptoms. The elements of the list are objects of classes that inherit from class pl.waw.wil.pronto.datamodel.AbstractSymptom.
The main element of CPN MM is a database in which the CP-net models of malware are stored. The principal class of the database is pl.waw.wil.pronto.datamodel.Malware (see Table 7.1), which describes a potential cyber attack.
Table 7.2: Symptom class pl.waw.wil.pronto.datamodel.AbstractSymptom
Name | Type | Description
id | java.util.UUID | Symptom identity number.
name | java.lang.String | Symptom name.
next | java.util.List | List of symptoms existing after the current symptom.
Table 7.3: pl.waw.wil.pronto.datamodel.symptoms.RegistrySymptom
Name | Type | Description
registryEntry | java.lang.String | Name of the registry entry, e.g. HKEY_CURRENT_USER\Software\Microsoft\...\Security.
valueName | java.lang.String | Value of the registry entry, e.g. Sending_Security.
value | java.lang.String | Value of the registry key, e.g. Medium.
action | RegistryAction | Type of action executed on the registry entry: ADD, DELETE, MODIFY, QUERY, NOT_SPECIFIED.
Table 7.4: pl.waw.wil.pronto.datamodel.symptoms.FileSymptom
Name | Type | Description
path | java.lang.String | File path.
fileName | java.lang.String | File name.
action | FileAction | Type of action on the file: CREATE, DELETE, MODIFY, ACCESS, EXECUTE, READ, NOT_SPECIFIED.
Table 7.5: pl.waw.wil.pronto.datamodel.symptoms.ProcessSymptom
Name | Type | Description
processName | java.lang.String | Process name.
action | ProcessAction | Type of action on the service: EXECUTE, TERMINATE, NOT_SPECIFIED.
Each malware is represented by its identity number, specific name, a URL pointing to its description, an abbreviated description, etc. Additionally, each malware has specific features, called attack symptoms. Each symptom inherits from the abstract class pl.waw.wil.pronto.datamodel.AbstractSymptom (see Table 7.2).
Table 7.6: pl.waw.wil.pronto.datamodel.symptoms.IpSymptom
Name | Type | Description
address | java.lang.String | IP address that the system is connected to.
port | java.lang.Integer | Number of the port used for the connection.
action | IpAction | Type of action: CONNECT, NOT_SPECIFIED.
Table 7.7: pl.waw.wil.pronto.datamodel.symptoms.DomainSymptom
Name | Type | Description
domainName | java.lang.String | Name of the domain that the system is communicating with.
action | DomainAction | Type of action: CONNECT, NOT_SPECIFIED.
Specific detailed symptom classes were constructed for particular resources: registry (Table 7.3), file (Table 7.4), process (Table 7.5), IP address (Table 7.6) and domain name (Table 7.7). These classes represent Places, and their attributes registryEntry, fileName, processName, address and domainName represent the tokens assigned to those Places. Transitions are modeled with the use of the action attribute, which indicates the resource (Place) currently affected by malware.
In this way the CP-net models of cyber attacks are constructed and stored for detection of malware operating in the monitored system.
7.2. Cyber attacks detection – an experiment
7.2.1. Data acquisition
The verification was made with the use of the most popular target of cyber infections – the Microsoft Windows operating system. The Author of this Thesis does not claim that this is the most vulnerable system. In the Author's opinion, the reason for cyber attacks on the Windows operating system is the popularity of the system and the potentially high gain from conducted attacks. Microsoft products are very popular, which makes them attractive to cyber criminals.
For the observation of activities, applications, services and network connections in the native Microsoft Windows 7 operating system environment, the Sysinternals Suite utility package [RM11] was used. The Sysinternals Suite is a set of over 70 advanced diagnostic and troubleshooting programs for the Windows platform. These programs are available for free download from Microsoft's TechNet web page [MST].
The majority of events were observed with the Process Monitor utility [RC13], a part of the Sysinternals Suite. Process Monitor is an advanced monitoring application for Windows that registers events which
relate to file system, registry, and process activity in real time. It enables monitoring of event properties such as session IDs, user names, process information, thread stacks, simultaneous logging to a file, etc. It is a powerful utility that supplies the PRONTOlogy module with detailed information on activities in the protected system. An example of a single event acquired with Process Monitor is presented in Listing 7.1.
Listing 7.1: Example of a single event acquired with Process Monitor
<event>
<ProcessIndex>14340</ProcessIndex>
<Time_of_Day>17:22:25,1104786</Time_of_Day>
<Process_Name>ThreatProc.exe</Process_Name>
<PID>2728</PID>
<Operation>RegQueryValue</Operation>
<Path>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\
SurrogateFallback\Plane2</Path>
<Result>SUCCESS</Result>
<Detail>Type: REG_SZ, Length: 24, Data: SimSun-ExtB</Detail>
</event>
Process Monitor allows system events to be reported to the PRONTOlogy module for further analysis and reasoning. The detailed report on system activities includes, but is not limited to:
– process name – the name of the process performing the operation;
– operation – the name of the operation being logged;
– path (if applicable) – the path of the object that the operation is performed on (e.g. a registry path, a file system path);
– result – the result of the operation (e.g. Success, EoF, Buffer Overflow);
– detail – additional operation-specific information about the event.
For the purpose of data acquisition it is also possible to use API hooking tools [API], [EAS]; however, they inject themselves (like viruses) into the processes, thus they can affect the results of the verification. In case the PRONTO malware hunting tool is used for detection of network attacks (see Chapter 3), various network utilities, e.g. SNORT [SNO], ARAKIS [ARA] or iptables [NET], should also be used.
Having stored the CP-net models of cyber attacks in the database, it is possible to proceed with the experiment to the malware detection phase. As mentioned above, the aim of the experiment is not only to identify existing malware that was obfuscated, but also 0-day attacks whose behavior is, to some degree, similar to that of already identified malware.
Listing 7.2: Example of acquired one regular and three suspicious events in the first scenario
<event>
<ProcessIndex>14340</ProcessIndex>
<Time_of_Day>17:20:21,1001813</Time_of_Day>
<Process_Name>WINLOGON.EXE</Process_Name>
<PID>2728</PID>
<Operation>ReadFile</Operation>
<Path>C:\Windows\Temp\vrt7.tmp</Path>
<Result>SUCCESS</Result>
<Detail>Offset: 734 720, Length: 16 384, Priority: Normal</Detail>
</event>
<event>
<ProcessIndex>14560</ProcessIndex>
<Time_of_Day>17:22:25,1104786</Time_of_Day>
<Process_Name>ThreatProc.exe</Process_Name>
<PID>6043</PID>
<Operation>RegSetValueEx</Operation>
<Path>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows System Monitor: "C:\Windows\system\winrsc.exe"
</Path>
<Result>SUCCESS</Result>
<Detail>Type: REG_SZ, Length: 24, Data: SimSun-ExtB</Detail>
</event>
<event>
<ProcessIndex>16640</ProcessIndex>
<Time_of_Day>17:22:36,2548113</Time_of_Day>
<Process_Name>WINWORD.EXE</Process_Name>
<PID>6733</PID>
<Operation>RegQueryKey</Operation>
<Path>HKLM</Path>
<Result>SUCCESS</Result>
<Detail>Query: HandleTags, HandleTags: 0x0</Detail>
</event>
<event>
<ProcessIndex>19240</ProcessIndex>
<Time_of_Day>17:47:02,1294174</Time_of_Day>
<Process_Name>mmirc.exe</Process_Name>
<PID>12188</PID>
<Operation>TCP Connect</Operation>
<Path>MalwareTest1-VAIO:55052 -> irc.zief.pl:6667</Path>
<Result>SUCCESS</Result>
<Event_Class>Network</Event_Class>
<Image_Path>C:\Windows\Temp\mmirc.exe</Image_Path>
<Session>1</Session>
</event>
7.2.2. Scenarios of malware detection
Within one minute of operation of the Windows 7 OS, thousands or even hundreds of thousands of single events may be observed. The report from Process Monitor includes everything that took place in the system, both regular and suspicious activities.
For the purpose of verification and, in particular, generation of these unwanted activities, three different machines were infected by Virut [NP13], [Vir], VBMania@MM [VBM], and a 0-day attack that was simulated with events typical of different parts of malicious codes.
At the same time, various programs were executed on these three machines in order to simulate legitimate user activity. This allowed us to generate regular background events.
Scenarios 1-3 show the steps of PRONTO operation in terms of malware detection on the basis of the CP-net model presented in the architecture (see Chapter 6).
Scenario 1
The data acquisition phase allowed information about events collected by Process Monitor to be gathered. Obviously, the whole file with captured events will not be presented in this chapter, but an exemplary excerpt from it is presented in Listing 7.2. The events presented in Listing 7.2 are processed and the XML data is lifted to semantic metadata. Based on this example, the following instances are inserted into the ontology model (as ABox entries):
for the first event:
http://wil.waw.pl/secor/PRONTOlogy.owl#Event_1 - an instance of the
Event class
http://wil.waw.pl/secor/PRONTOlogy.owl#eventName(http://wil.waw.pl/
secor/PRONTOlogy.owl#Event_1, "winlogon_read_vrt.7")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_2728
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResProcess_2728, "winlogon.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResFile_1
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResFile_1, "vrt7.tmp")
http://wil.waw.pl/secor/PRONTOlogy.owl#read(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_2728, http://wil.waw.pl/secor/
PRONTOlogy.owl#ResFile_1)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasResource(http://wil.waw.pl/
secor/PRONTOlogy.owl#Event_1, http://wil.waw.pl/secor/PRONTOlogy.owl
#ResProcess_2728)
for the second event:
http://wil.waw.pl/secor/PRONTOlogy.owl#Event_2 - an instance of the
Event class
http://wil.waw.pl/secor/PRONTOlogy.owl#eventName(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_2, "ThreadProc_modify_Windows_System_Monitor")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_6043
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResProcess_6043, "ThreatProc.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResRegistry_1
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResRegistry_1, "HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Windows\CurrentVersion\Run\Windows System Monitor:
C:\Windows\system\winrsc.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#modify(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_6043, http://wil.waw.pl/secor/
PRONTOlogy.owl#ResRegistry_1)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasResource(http://wil.waw.pl/
secor/PRONTOlogy.owl#Event_2, http://wil.waw.pl/secor/PRONTOlogy.owl
#ResProcess_6043)
for the third event:
http://wil.waw.pl/secor/PRONTOlogy.owl#Event_3 - an instance of the
Event class
http://wil.waw.pl/secor/PRONTOlogy.owl#eventName(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_3, "Winword_read_HKLM")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_6733
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResProcess_6733, "Winword.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResRegistry_2
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResRegistry_2, "HKLM")
http://wil.waw.pl/secor/PRONTOlogy.owl#read(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_6733, http://wil.waw.pl/secor/
PRONTOlogy.owl#ResRegistry_2)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasResource(http://wil.waw.pl/
secor/PRONTOlogy.owl#Event_3, http://wil.waw.pl/secor/PRONTOlogy.owl
#ResProcess_6733)
for the fourth event:
http://wil.waw.pl/secor/PRONTOlogy.owl#Event_4 - an instance of the
Event class
http://wil.waw.pl/secor/PRONTOlogy.owl#eventName(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_4, "mmirc_connect_irc_zief_pl")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_12188
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResProcess_12188, "mmirc.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResDomain_1
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResDomain_1, "irc.zief.pl")
http://wil.waw.pl/secor/PRONTOlogy.owl#connect(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_12188, http://wil.waw.pl/secor/
PRONTOlogy.owl#ResDomain_1)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasResource(http://wil.waw.pl/
secor/PRONTOlogy.owl#Event_4, http://wil.waw.pl/secor/PRONTOlogy.owl
#ResProcess_12188)
The rules that are valid in the presented scenario allow inferring that three of the above events are suspicious. These are the following rules:
Event(?e) ^ Place(?c) ^ hasResource(?e,?y) ^ resourceName(?y, "winlogon.exe")
^ read(?y, ?z) ^ ResFile(?z) ^ resourceName(?z, "vrt7.tmp")
-> hasPlace (?e,?c) ^ File(?c) ^ hasColour(?c, ?z)
Event(?e) ^ Place(?c) ^ hasResource(?e,?y) ^ modify(?y, ?z) ^ ResRegistry(?z)
^ resourceName(?z, "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\Windows System Monitor: C:\Windows\system\winrsc.exe")
-> hasPlace(?e,?c) ^ Registry(?c) ^ hasColour(?c, ?z)
Event(?e) ^ Place(?c) ^ hasResource(?e,?y) ^ connect(?y, ?z) ^ ResDomain(?z)
^ resourceName(?z, "irc.zief.pl")
-> hasPlace (?e,?c) ^ Domain(?c) ^ hasColour(?c, ?z)
On the basis of these rules the following facts are inferred:
http://wil.waw.pl/secor/PRONTOlogy.owl#Place_1 - member of the File class
http://wil.waw.pl/secor/PRONTOlogy.owl#hasPlace(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_1, http://wil.waw.pl/secor/PRONTOlogy.owl#Place_1).
http://wil.waw.pl/secor/PRONTOlogy.owl#hasColour(http://wil.waw.pl/secor/
PRONTOlogy.owl#Place_1, http://wil.waw.pl/secor/PRONTOlogy.owl#ResFile_1).
http://wil.waw.pl/secor/PRONTOlogy.owl#Place_2 - member of the Registry class
http://wil.waw.pl/secor/PRONTOlogy.owl#hasPlace(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_2, http://wil.waw.pl/secor/PRONTOlogy.owl#Place_2).
http://wil.waw.pl/secor/PRONTOlogy.owl#hasColour(http://wil.waw.pl/secor/
PRONTOlogy.owl#Place_2, http://wil.waw.pl/secor/PRONTOlogy.owl#ResRegistry_1).
http://wil.waw.pl/secor/PRONTOlogy.owl#Place_3 - member of the Domain class
http://wil.waw.pl/secor/PRONTOlogy.owl#hasPlace(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_4, http://wil.waw.pl/secor/PRONTOlogy.owl#Place_3).
http://wil.waw.pl/secor/PRONTOlogy.owl#hasColour(http://wil.waw.pl/secor/
PRONTOlogy.owl#Place_3, http://wil.waw.pl/secor/PRONTOlogy.owl#ResDomain_1).
Events 1, 2 and 4 (see Listing 7.2) have been identified as suspicious, whereas event 3 as a regular system activity. The SQWRL query that allowed this knowledge to be selected from the ontology had the following structure:
tbox:isSubClassOf(?subClass, Place) ^ abox:hasIndividual(?subClass, x)
-> sqwrl:select(?subClass)
Place(?p) ^ hasColour(?p, ?c) ^ resourceName(?c, ?n) -> sqwrl:select(?n)
B. Jasiul
Modeling of Selected Cyber Threats with Ontology and Petri Nets
7.2. Cyber attacks detection – an experiment
71
The rules applied in the PRONTOlogy module pass forward to the PRONTOnet module
only information about suspicious events, in the form of Places and the tokens assigned to them
(with the use of the hasColour object property). This takes place in the acquisition module, as presented in the
architecture of the solution. Then, in PRONTOnet, these tokens are passed to the verification module, where the
marking $M_a$ of Places is:
$M_a = M_{File} \cup M_{Domain} \cup M_{Registry}$, where:
– $M_{File}$ = {vrt7.tmp},
– $M_{Domain}$ = {irc.zief.pl},
– $M_{Registry}$ = {HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run\Windows System Monitor: "C:\Windows\system\winrsc.exe"}.
On the machine described in this scenario, detection with the use of CPN MM and the marking
$M_a$ identified the Virut attack. The result vector is as follows:
1’ 1 | Virut | vrt7.tmp, irc.zief.pl, Windows System Monitor:
"C:\Windows\system\winrsc.exe"
Detection of the Virut malware is shown in Figure 7.6.
Figure 7.6: Result of detection of the Virut malware
This scenario shows that the proposed ontology model and the applied reasoning rules can be used for detection of single malicious incidents. These incidents
were then collected and compared with the CP-net models created with the CPN MM tool. As a result,
the Virut malware was detected.
The CP-net model described in Chapter 6 reflects all crucial system resources that can be
affected by malware. Therefore, it was possible to identify the operations performed by obfuscated code.
Listing 7.3: Example of acquired suspicious events in the second scenario
<module>
<Timestamp>130167337407066774</Timestamp>
<BaseAddress>0x13f340000</BaseAddress>
<Size>5120</Size>
<Path>E:\OPEN.EXE</Path>
<Version>2.1</Version>
<Description>OPEN</Description>
</module>
<event>
<ProcessIndex>14560</ProcessIndex>
<Time_of_Day>17:22:38,7391109</Time_of_Day>
<Process_Name>Administrator CV 2010.exe</Process_Name>
<PID>6072</PID>
<Operation>RegSetValueEx</Operation>
<Path>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
StandardProfile\EnableFirewall: 0x00000000</Path>
<Result>SUCCESS</Result>
<Detail>Type: REG_SZ, Length: 24, Data: SimSun-ExtB</Detail>
</event>
<event>
<ProcessIndex>14560</ProcessIndex>
<Time_of_Day>17:22:38,7391383</Time_of_Day>
<Process_Name>Administrator CV 2010.exe</Process_Name>
<PID>6072</PID>
<Operation>RegSetValueEx</Operation>
<Path>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile\EnableFirewall: 0x00000000</Path>
<Result>SUCCESS</Result>
<Detail>Type: REG_SZ, Length: 24, Data: SimSun-ExtB</Detail>
</event>
Scenario 2
In scenario 2 the data acquisition phase gathered information about events collected by
Process Monitor. As in scenario 1, an exemplary excerpt from the Process Monitor file is presented in
Listing 7.3. In this scenario, in the process of data lifting (on the basis of the data from Listing 7.3), the
following instances are inserted into the ontology model (as ABox entries):
for the first event:
http://wil.waw.pl/secor/PRONTOlogy.owl#Event_5 - instance of the Event class
http://wil.waw.pl/secor/PRONTOlogy.owl#eventName(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_5, "openexe_opened")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_Explorer
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResProcess_Explorer, "explorer.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResFile_2
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResFile_2, "open.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#run(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_Explorer, http://wil.waw.pl/secor/
PRONTOlogy.owl#ResFile_2)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasResource(http://wil.waw.pl/
secor/PRONTOlogy.owl#Event_5, http://wil.waw.pl/secor/PRONTOlogy.owl
#ResProcess_Explorer)
for the second event:
http://wil.waw.pl/secor/PRONTOlogy.owl#Event_6 - instance of the Event class
http://wil.waw.pl/secor/PRONTOlogy.owl#eventName(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_6, "admin_vc_2010_modify_Firewall_StandardProfile")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_6072
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResProcess_6072, "Administrator CV 2010.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResRegistry_2
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResRegistry_2, "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\WindowsFirewall\StandardProfile\EnableFirewall: 0x00000000")
http://wil.waw.pl/secor/PRONTOlogy.owl#modify(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_6072, http://wil.waw.pl/secor/
PRONTOlogy.owl#ResRegistry_2)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasResource(http://wil.waw.pl/
secor/PRONTOlogy.owl#Event_6, http://wil.waw.pl/secor/PRONTOlogy.owl
#ResProcess_6072)
for the third event:
http://wil.waw.pl/secor/PRONTOlogy.owl#Event_7 - instance of the
Event class
http://wil.waw.pl/secor/PRONTOlogy.owl#eventName(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_7, "admin_vc_2010_modify_Firewall_DomainProfile")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_6072 (is already in KB)
http://wil.waw.pl/secor/PRONTOlogy.owl#ResRegistry_3
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResRegistry_3, "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\WindowsFirewall\ DomainProfile\EnableFirewall: 0x00000000")
http://wil.waw.pl/secor/PRONTOlogy.owl#modify(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_6072, http://wil.waw.pl/secor/
PRONTOlogy.owl#ResRegistry_3)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasResource(http://wil.waw.pl/
secor/PRONTOlogy.owl#Event_7, http://wil.waw.pl/secor/PRONTOlogy.owl
#ResProcess_6072)
In scenario 2 the following rules result in successful identification of suspicious events:
Event(?e) ^ Place(?c) ^ hasResource(?e,?y) ^ run(?y, ?z) ^ ResFile(?z)
^ resourceName(?z, "open.exe")
-> hasPlace(?e,?c) ^ File(?c) ^ hasColour(?c, ?z)
Event(?e) ^ Place(?c) ^ hasResource(?e,?y) ^ modify(?y, ?z) ^ ResRegistry(?z)
^ resourceName(?z, "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\StandardProfile\EnableFirewall: 0x00000000")
-> hasPlace(?e,?c) ^ Registry(?c) ^ hasColour(?c, ?z)
Event(?e) ^ Place(?c) ^ hasResource(?e,?y) ^ modify(?y, ?z) ^ ResRegistry(?z)
^ resourceName(?z, "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\DomainProfile\EnableFirewall: 0x00000000")
-> hasPlace(?e,?c) ^ Registry(?c) ^ hasColour(?c, ?z)
On the basis of these rules in scenario 2 the following facts are inferred:
http://wil.waw.pl/secor/PRONTOlogy.owl#Place_4 - member of the File class
http://wil.waw.pl/secor/PRONTOlogy.owl#hasPlace(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_5, http://wil.waw.pl/secor/PRONTOlogy.owl#Place_4).
http://wil.waw.pl/secor/PRONTOlogy.owl#hasColour(http://wil.waw.pl/secor/
PRONTOlogy.owl#Place_4, http://wil.waw.pl/secor/PRONTOlogy.owl#ResFile_2).
http://wil.waw.pl/secor/PRONTOlogy.owl#Place_5 - member of the Registry class
http://wil.waw.pl/secor/PRONTOlogy.owl#hasPlace(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_6, http://wil.waw.pl/secor/PRONTOlogy.owl#Place_5).
http://wil.waw.pl/secor/PRONTOlogy.owl#hasColour(http://wil.waw.pl/secor/
PRONTOlogy.owl#Place_5, http://wil.waw.pl/secor/PRONTOlogy.owl#ResRegistry_2).
http://wil.waw.pl/secor/PRONTOlogy.owl#Place_6 - member of the Registry class
http://wil.waw.pl/secor/PRONTOlogy.owl#hasPlace(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_7, http://wil.waw.pl/secor/PRONTOlogy.owl#Place_6).
http://wil.waw.pl/secor/PRONTOlogy.owl#hasColour(http://wil.waw.pl/secor/
PRONTOlogy.owl#Place_6, http://wil.waw.pl/secor/PRONTOlogy.owl#ResRegistry_3).
Events 5, 6 and 7 have been identified as suspicious. The rules applied by the PRONTOlogy module
pass forward to the PRONTOnet module information about suspicious events 5, 6 and 7, in the
form of Places and the tokens assigned to them (with the use of the hasColour object property).
In this case, receipt of the tokens in the acquisition module has led to the marking:
$M_b = M_{File} \cup M_{Registry}$, where:
– $M_{File}$ = {OPEN.EXE},
– $M_{Registry}$ = {HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
StandardProfile\EnableFirewall: 0x00000000,
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
DomainProfile\EnableFirewall: 0x00000000}.
On the machine described in this scenario, the marking $M_b$ has led to detection of the VBMania attack. The
final result vector is:
1’ 2 | VBMania@MM | OPEN.EXE, HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\StandardProfile\EnableFirewall: 0x00000000,
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
EnableFirewall: 0x00000000
Detection of the VBMania cyber attack is shown in Figure 7.7.
Figure 7.7: Result of detection of the VBMania@MM cyber attack
In scenario 2, the single malicious activities identified by the PRONTOlogy module formed the list
of symptoms that was compared with the CP-net malware models in the PRONTOnet module. As a result,
the VBMania@MM malware was detected, which demonstrates the efficacy of the proposed Method.
Listing 7.4: Example of acquired suspicious events in the third scenario
<event>
<ProcessIndex>14560</ProcessIndex>
<Time_of_Day>17:22:25,1104786</Time_of_Day>
<Process_Name>ThreatProc.exe</Process_Name>
<PID>6043</PID>
<Operation>RegSetValueEx</Operation>
<Path>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows System Monitor: "C:\Windows\system\winrsc.exe"
</Path>
<Result>SUCCESS</Result>
<Detail>Type: REG_SZ, Length: 24, Data: SimSun-ExtB</Detail>
</event>
<event>
<ProcessIndex>14560</ProcessIndex>
<Time_of_Day>17:22:38,7391109</Time_of_Day>
<Process_Name>Administrator CV 2010.exe</Process_Name>
<PID>6072</PID>
<Operation>RegSetValueEx</Operation>
<Path>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
StandardProfile\EnableFirewall: 0x00000000</Path>
<Result>SUCCESS</Result>
<Detail>Type: REG_SZ, Length: 24, Data: SimSun-ExtB</Detail>
</event>
<event>
<ProcessIndex>17280</ProcessIndex>
<Time_of_Day>17:25:56,1076553</Time_of_Day>
<Process_Name>tempskip.exe</Process_Name>
<PID>8766</PID>
<Operation>TCP Connect</Operation>
<Path>MalwareTest3-VAIO:45122 -> irc.gendoxx.cn:6667</Path>
<Result>SUCCESS</Result>
<Event_Class>Network</Event_Class>
<Image_Path>C:\Temp\tempskip.exe</Image_Path>
<Session>1</Session>
</event>
Scenario 3
In scenario 3 a 0-day attack is emulated by combining parts of different known malicious codes. This is to show
that detection also operates when new malware appears on the monitored machine. For this scenario
an exemplary Process Monitor file was created; an excerpt from it is presented in Listing 7.4. In the
process of data lifting the following instances are inserted into the ontology model (as ABox entries):
for the first event:
http://wil.waw.pl/secor/PRONTOlogy.owl#Event_8 - instance of the Event class
http://wil.waw.pl/secor/PRONTOlogy.owl#eventName(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_8, "ThreadProc_modify_Windows_System_Monitor")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_6043
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResProcess_6043, "ThreatProc.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResRegistry_5
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResRegistry_5, "HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Windows\CurrentVersion\Run\Windows System Monitor:
C:\Windows\system\winrsc.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#modify(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_6043, http://wil.waw.pl/secor/
PRONTOlogy.owl#ResRegistry_5)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasResource(http://wil.waw.pl/
secor/PRONTOlogy.owl#Event_8, http://wil.waw.pl/secor/PRONTOlogy.owl
#ResProcess_6043)
for the second event:
http://wil.waw.pl/secor/PRONTOlogy.owl#Event_9 - instance of the Event class
http://wil.waw.pl/secor/PRONTOlogy.owl#eventName(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_9, "admin_vc_2010_modify_Firewall_StandardProfile")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_6072
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResProcess_6072, "Administrator CV 2010.exe")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResRegistry_6
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResRegistry_6, "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\WindowsFirewall\StandardProfile\EnableFirewall: 0x00000000")
http://wil.waw.pl/secor/PRONTOlogy.owl#modify(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_6072, http://wil.waw.pl/secor/
PRONTOlogy.owl#ResRegistry_6)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasResource(http://wil.waw.pl/
secor/PRONTOlogy.owl#Event_9, http://wil.waw.pl/secor/PRONTOlogy.owl
#ResProcess_6072)
for the third event:
http://wil.waw.pl/secor/PRONTOlogy.owl#Event_10 - instance of the Event class
http://wil.waw.pl/secor/PRONTOlogy.owl#eventName(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_10, "tempskip_connect_irc_gendoxx_cn")
http://wil.waw.pl/secor/PRONTOlogy.owl#ResProcess_8766
http://wil.waw.pl/secor/PRONTOlogy.owl#ResDomain_4
http://wil.waw.pl/secor/PRONTOlogy.owl#resourceName(http://wil.waw.pl/
secor/PRONTOlogy.owl#ResDomain_4, "irc.gendoxx.cn")
http://wil.waw.pl/secor/PRONTOlogy.owl#connect(http://wil.waw.pl/secor/
PRONTOlogy.owl#ResProcess_8766, http://wil.waw.pl/secor/
PRONTOlogy.owl#ResDomain_4)
http://wil.waw.pl/secor/PRONTOlogy.owl#hasResource(http://wil.waw.pl/
secor/PRONTOlogy.owl#Event_10, http://wil.waw.pl/secor/PRONTOlogy.owl
#ResProcess_8766)
In scenario 3 the following rules result in successful identification of suspicious events:
Event(?e) ^ Place(?c) ^ hasResource(?e,?y) ^ modify(?y, ?z) ^ ResRegistry(?z)
^ resourceName(?z, "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\Windows System Monitor: C:\Windows\system\winrsc.exe")
-> hasPlace(?e,?c) ^ Registry(?c) ^ hasColour(?c, ?z)
Event(?e) ^ Place(?c) ^ hasResource(?e,?y) ^ modify(?y, ?z) ^ ResRegistry(?z)
^ resourceName(?z, "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\StandardProfile\EnableFirewall: 0x00000000")
-> hasPlace(?e,?c) ^ Registry(?c) ^ hasColour(?c, ?z)
Event(?e) ^ Place(?c) ^ hasResource(?e,?y) ^ connect(?y, ?z) ^ ResDomain(?z)
^ resourceName(?z, "irc.gendoxx.cn")
-> hasPlace(?e,?c) ^ Domain(?c) ^ hasColour(?c, ?z)
On the basis of these rules in scenario 3 the following facts are inferred:
http://wil.waw.pl/secor/PRONTOlogy.owl#Place_7 - member of the Registry class
http://wil.waw.pl/secor/PRONTOlogy.owl#hasPlace(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_8, http://wil.waw.pl/secor/PRONTOlogy.owl#Place_7).
http://wil.waw.pl/secor/PRONTOlogy.owl#hasColour(http://wil.waw.pl/secor/
PRONTOlogy.owl#Place_7, http://wil.waw.pl/secor/PRONTOlogy.owl#ResRegistry_5).
http://wil.waw.pl/secor/PRONTOlogy.owl#Place_8 - member of the Registry class
http://wil.waw.pl/secor/PRONTOlogy.owl#hasPlace(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_9, http://wil.waw.pl/secor/PRONTOlogy.owl#Place_8).
http://wil.waw.pl/secor/PRONTOlogy.owl#hasColour(http://wil.waw.pl/secor/
PRONTOlogy.owl#Place_8, http://wil.waw.pl/secor/PRONTOlogy.owl#ResRegistry_6).
http://wil.waw.pl/secor/PRONTOlogy.owl#Place_9 - member of the Domain class
http://wil.waw.pl/secor/PRONTOlogy.owl#hasPlace(http://wil.waw.pl/secor/
PRONTOlogy.owl#Event_10, http://wil.waw.pl/secor/PRONTOlogy.owl#Place_9).
http://wil.waw.pl/secor/PRONTOlogy.owl#hasColour(http://wil.waw.pl/secor/
PRONTOlogy.owl#Place_9, http://wil.waw.pl/secor/PRONTOlogy.owl#ResDomain_4).
Events 8, 9 and 10 have been identified as suspicious. The rules applied by the PRONTOlogy module
pass forward to the PRONTOnet module information about these suspicious events, in the
form of Places and the tokens assigned to them (with the use of the hasColour object property).
On the third machine the following marking $M_c$ was observed:
$M_c = M_{Domain} \cup M_{Registry}$, where:
– $M_{Domain}$ = {irc.gendoxx.cn},
– $M_{Registry}$ = {HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run\Windows System Monitor: C:\Windows\system\winrsc.exe,
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
StandardProfile\EnableFirewall: 0x00000000}.
This marking $M_c$ has led to detection of a 0-day attack. The final result vector is:
1’ 2 | VBMania@MM | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
WindowsFirewall\StandardProfile\EnableFirewall: 0x00000000,
1’ 1 | Virut | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\Windows System Monitor: C:\Windows\system\winrsc.exe,
1’ 6 | Generic Downloader | irc.gendoxx.cn
Figure 7.8: Detection of a 0-day attack
Detection of a 0-day attack is shown in Figure 7.8. In fact, the verification module detected three
malware types: Virut, VBMania and Generic Downloader. This can be treated as a simplification resulting from the early stage of PRONTO development. For the purpose of this Thesis, it has been shown
that the CP-net models detect the particular malware types whose fragments are present, which indicates with high probability
that new malware is running on the monitored machine. However, detection of 0-days is more complicated: additional static analysis performed by an expert, going beyond the CP-net based modeling, is
necessary. Application of these two solutions together (the PRONTO malware hunting tool and static analysis) should
shorten the time of new malware signature development to hours or days, which the current market is
lacking at the moment.
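All three scenarios run the same pipeline: Process Monitor records are lifted into ABox facts, the PRONTOlogy rules turn the facts that match a resource literal into Places with coloured tokens, the tokens form a marking, and PRONTOnet compares the marking with the malware models. The following Python replays that pipeline offline; it is an added example, not the thesis's PRONTO implementation. Its assumptions are: the SWRL rules are encoded as tuples, the CP-net models are reduced to plain symptom sets (the model identifiers 1, 2 and 6 follow the result vectors above), the `<module>` record of Listing 7.3 is attributed to explorer.exe as in the scenario 2 data lifting, and the Process Monitor records are constructed in the shape of Listing 7.4 with one extra, hypothetical benign explorer.exe event that matches no rule.

```python
"""Replay of the Section 7.2 pipeline (data lifting -> PRONTOlogy rules -> marking ->
PRONTOnet verification) in plain Python.  Added example, not the thesis's PRONTO code.
Assumptions: SWRL rules are encoded as tuples, CP-net malware models are reduced to
symptom sets, and the Process Monitor records below are constructed, not captured."""
import re
import xml.etree.ElementTree as ET

RUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows"
           r" System Monitor: C:\Windows\system\winrsc.exe")
FW_STD = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
          r"\StandardProfile\EnableFirewall: 0x00000000")
FW_DOM = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"
          r"\DomainProfile\EnableFirewall: 0x00000000")

# PRONTOlogy rules, one tuple per SWRL rule of Section 7.2:
# (object property, resource class, resource literal) -> Place class
RULES = [
    ("read",    "ResFile",     "vrt7.tmp",       "File"),
    ("modify",  "ResRegistry", RUN_KEY,          "Registry"),
    ("connect", "ResDomain",   "irc.zief.pl",    "Domain"),
    ("run",     "ResFile",     "open.exe",       "File"),
    ("modify",  "ResRegistry", FW_STD,           "Registry"),
    ("modify",  "ResRegistry", FW_DOM,           "Registry"),
    ("connect", "ResDomain",   "irc.gendoxx.cn", "Domain"),
]

# Stand-in for the CP-net malware models (assumption: a model is just the set of
# symptoms its transitions consume; ids follow the result vectors in the thesis).
MODELS = [
    (1, "Virut",              {"vrt7.tmp", "irc.zief.pl", RUN_KEY}),
    (2, "VBMania@MM",         {"open.exe", FW_STD, FW_DOM}),
    (6, "Generic Downloader", {"irc.gendoxx.cn"}),
]

# Data lifting: Process Monitor operation -> (ontology object property, resource class)
OPERATIONS = {
    "ReadFile":      ("read",    "ResFile"),
    "RegSetValueEx": ("modify",  "ResRegistry"),
    "TCP Connect":   ("connect", "ResDomain"),
}

# Constructed records in the shape of Listing 7.4 (scenario 3) plus one benign event.
PROCMON_SCENARIO_3 = r"""
<event><Process_Name>ThreatProc.exe</Process_Name><PID>6043</PID>
  <Operation>RegSetValueEx</Operation>
  <Path>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows System Monitor: C:\Windows\system\winrsc.exe</Path>
  <Result>SUCCESS</Result></event>
<event><Process_Name>Administrator CV 2010.exe</Process_Name><PID>6072</PID>
  <Operation>RegSetValueEx</Operation>
  <Path>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall: 0x00000000</Path>
  <Result>SUCCESS</Result></event>
<event><Process_Name>tempskip.exe</Process_Name><PID>8766</PID>
  <Operation>TCP Connect</Operation>
  <Path>MalwareTest3-VAIO:45122 -> irc.gendoxx.cn:6667</Path>
  <Result>SUCCESS</Result></event>
<event><Process_Name>explorer.exe</Process_Name><PID>1240</PID>
  <Operation>RegSetValueEx</Operation>
  <Path>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000001</Path>
  <Result>SUCCESS</Result></event>
"""


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lift_events(procmon_xml):
    """Lift <module>/<event> records into (process, property, resource class, name)
    tuples, i.e. the hasResource plus run/read/modify/connect facts of the ABox."""
    root = ET.fromstring("<procmon>" + procmon_xml + "</procmon>")
    lifted = []
    for mod in root.iter("module"):
        # Assumption taken from scenario 2: a loaded module is lifted as explorer.exe running the file.
        lifted.append(("explorer.exe", "run", "ResFile", _basename(mod.findtext("Path", ""))))
    for ev in root.iter("event"):
        op = ev.findtext("Operation", "")
        if op not in OPERATIONS or ev.findtext("Result") != "SUCCESS":
            continue  # unmodelled or failed operations never become facts
        prop, res_class = OPERATIONS[op]
        path = ev.findtext("Path", "").strip()
        if res_class == "ResDomain":
            m = re.search(r"->\s*([^:\s]+):\d+", path)  # "src:port -> host:port"
            if not m:
                continue
            name = m.group(1)
        elif res_class == "ResFile":
            name = _basename(path)
        else:
            name = path
        lifted.append((ev.findtext("Process_Name", ""), prop, res_class, name))
    return lifted


def apply_rules(lifted):
    """PRONTOlogy step: an event matching a rule yields a Place of the rule's class
    coloured with the matched resource.  Returns the marking, Place class -> tokens."""
    marking = {}
    for _proc, prop, res_class, name in lifted:
        for r_prop, r_class, literal, place in RULES:
            if (prop, res_class, name) == (r_prop, r_class, literal):
                marking.setdefault(place, set()).add(name)
    return marking


def verify(marking):
    """PRONTOnet step (simplified): every model with at least one symptom present in
    the marking is reported with the symptoms found, as (id, name, [symptoms])."""
    tokens = set().union(*marking.values()) if marking else set()
    return [(mid, name, sorted(symptoms & tokens))
            for mid, name, symptoms in MODELS if symptoms & tokens]


def render(result):
    """Result vector in the CPN ML multiset notation used in the thesis."""
    return "\n".join(f"1`{mid} | {name} | {', '.join(sym)}" for mid, name, sym in result)


if __name__ == "__main__":
    print(render(verify(apply_rules(lift_events(PROCMON_SCENARIO_3)))))
```

Run stand-alone, the script prints three partial matches (Virut, VBMania@MM and Generic Downloader), reproducing the scenario 3 result vector; the benign explorer.exe write is lifted but produces no token because no rule literal matches it. Two points a practitioner should take from the replay: the rules compare whole resource literals, so case, environment-variable expansion and the registry value appended after the colon all have to be normalized before the rules run, otherwise the same Run-key write with a differently cased path is missed; and a composed sample yields one entry per model touched, so, exactly as the text above notes, a downstream step still has to decide between several active infections and one new obfuscated sample.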
8. Conclusions and further works
This chapter summarizes results achieved in this Thesis and outlines further works related to the
subject of cyber attacks detection. Moreover, it presents possible adaptation and the use of presented
solution in already deployed security systems.
8.1. Conclusions
One of the most important problems in computer security is detection of malicious activities focused
on the hardware, software and information assets of protected systems. These malicious activities include
various cyber attacks carried out in order to destabilize or even deny the offered system services, to steal
private data and to commit financial fraud. The majority of cyber attacks are realized with the use of existing parts
of malicious code and the application of obfuscation techniques, in order to evade signature-based security
controls (e.g. firewalls, antivirus applications). The ease of creating new malware and the profits it
brings to the underground economy motivate attackers to develop more precise, victim-oriented
malicious operations.
This Thesis tackles the problem of malware detection. It proposes a new approach to behavioral analysis of malicious code in order to inform security stakeholders about suspicious activities observed in the
monitored system. This should lead to faster and more appropriate decisions that mitigate the negative results
of a conducted cyber attack and, in consequence, to the development of new signatures to prevent similar threats.
After a broad and extensive analysis of the literature and years of research and development of cryptographic and information assurance appliances deployed in the Polish Armed Forces, the Author
formulated the claim of this Thesis, which states that the malware modeling method based on ontology
and Colored Petri nets enables detection of cyber attacks the code of which has been obfuscated.
In order to prove the claim, the PRONTO malware hunting tool has been proposed. It
identifies single suspicious activities among numerous regular ones with the use of an ontology and
reasoning rules, and it uses Colored Petri net malware models to detect
various cyber threats, including 0-day attacks. PRONTO has been split into two cooperating modules:
PRONTOlogy, with its ontology and reasoning rules, and PRONTOnet, with its Colored Petri net models
constructed with the use of the CP-net malware modeling tool.
The PRONTOlogy module has been verified in terms of meeting the claim of the Thesis. It has been
shown that the proposed ontology defines all entities that are necessary to identify single malicious activities on the basis of generated sensor events describing both regular and suspicious actions. The scope of the
ontology covers the required relationship between a cyber attack and CP-nets. The ontology has been verified
in terms of scope, consistency and expressiveness, and then applied in the form of the PRONTOlogy module.
Additionally, the proposed reasoning rules enabled inferring knowledge about suspicious activities on the basis of sensor data and indicating the assets affected by malware in the form of Places and appropriate
tokens in CP-net cyber attack models.
The PRONTOnet module has also been verified in terms of meeting the claim of the Thesis. It has
been shown that the proposed approach to modeling and the resulting CP-net cyber attack models, constructed
with the use of the CP-net malware modeling tool, allow identification of known malware as well as of 0-day attacks
the code of which has been obfuscated. Moreover, PRONTOnet is able to pass on alarms about the
observed threat together with the symptoms that indicate the existence of particular malware.
The verification process and the results obtained in the conducted experiments prove the claim of the
Thesis, which states that the malware modeling method based on ontology and Colored Petri nets enables
detection of cyber attacks the code of which has been obfuscated.
The proposed Method of malware modeling and detection is planned to be adapted at least in the
Federated Cyber Defence System; however, its applicability is much wider. It can be used in honeypots
spread across the monitored system, in the form of so-called sandboxes without any or with deliberately vulnerable security
controls, in order to trace and track unwanted activities generated by software as well as by users of the
system. The advantage of the Method should also be noticed by companies relying only on signature-based
antivirus applications. In particular, PRONTO addresses the current need to shorten the time to malware
detection from the moment it has established itself in the system. As mentioned in the introductory
chapter of this Thesis, it took months to detect over 50% of malware and weeks for about 30% of it.
Before being identified, cyber attacks can cause irreversible losses and damage to the system. An alarm
raised by PRONTO, followed by timely introduction of appropriate security measures and malware removal, can
mitigate the risk of potential losses. Moreover, faster detection of new malware should lead to faster
delivery of appropriate signatures constructed on the basis of static code analysis, which is a current need
of companies producing antivirus applications.
The promising results of advanced persistent threat detection with the proposed PRONTO malware hunting tool motivate the Author and the Supervisor of this Thesis to continue their scientific cooperation
in the development of new solutions in the area of cyber defence.
8.2. Further works
This Thesis is focused on a particular problem: how to analyze and track malware behavior in the
monitored system. It is an element of an ongoing R&D project realized at the Military Communication
Institute. The result vector informing about detected malware, computed by the PRONTO malware hunting
tool, is transferred to the decision module of the Federated Cyber Defence System, where it is further processed. This vector may contain information about a single attack or about detection of a few malware types
the code of which has been used to produce this attack. This information should be enhanced by advanced
analysis of the symptoms in order to decide whether a few active malware programs exist or
only a new obfuscated one.
The Author and the Supervisor of this Thesis have previously used Bayes’ theorem and attack trees to
estimate risk in telecommunication networks [SJWD13]. Adaptation and appropriate modification of this
approach to risk assessment should let the PRONTO module provide a result vector containing
weights of attributes that indicate, with close approximation, the type of detected 0-day attack.
Moreover, interaction and information exchange between PRONTO and two other modules developed at the Military Communication Institute, which utilize Tsallis statistics and machine learning, should
improve the success rate of cyber attack detection by the Federated Cyber Defence System. However, the
exact result of this interaction will be known only in the near future.
Bibliography
[ADR+10]
S. Adair, R. Deibert, R. Rohozinski, N. Villeneuve, and G. Walton. Shadows in the cloud:
Investigating Cyber Espionage 2.0. http://shadows-in-the-cloud.net, 2010. Information
Warfare Monitor Shadowserver Foundation.
[AG10]
E. Aseev and A. Gostev. Kaspersky Security Bulletin: Statistics 2009.
http://www.securelist.com/en/analysis/204792101/, 2010.
[API]
API hooking revealed.
http://www.codeproject.com/Articles/2082/API-hooking-revealed.
[ARA]
ARAKIS. http://www.arakis.pl.
[ARS+10]
Ł. Apiecionek, M. Romantowski, J. Śliwa, B. Jasiul, and R. Goniacz. Safe exchange of
information for civil-military operations. In Military Communications and Information
Technology: A Comprehensive Approach Enabler, pages 39–50. MUT Publishing House,
2010.
[Auc96]
D. Aucsmith. Tamper–resistant software: An implementation. Lecture Notes in Computer
Science: Information Hiding: First International Workshop, 1174:317–333, 1996.
[AvH03]
G. Antoniou and F. van Harmelen. A Semantic Web Primer. The MIT Press Cambridge,
Massachusetts, London, England, 2003.
[AvH08]
G. Antoniou and F. van Harmelen. A Semantic Web Primer. The MIT Press, Cambridge,
Massachusetts, London, England, 2008.
[Bal11]
R. Baloch. An Introduction To Keyloggers, RATS And Malware.
http://www.rafayhackingarticles.net/, 2011.
[BAMJ07]
M. Bailey, J. Andersen, Z. Morleymao, and F. Jahanian. Automated classification and
analysis of internet malware. In Proceedings of Recent Advances in Intrusion Detection
(RAID’07), 2007.
[BAP+12]
H. Boley, T. Athan, A. Paschke, S. Tabet, B. Grosof, N. Bassiliades, G. Governatori,
F. Olken, and D. Hirtle. Schema Specification of Deliberation RuleML Version 1.0.
http://ruleml.org/spec/, 2012.
[BGM04]
D. Brickley, R.V. Guha, and B. McBride. RDF Vocabulary Description Language 1.0:
RDF Schema. http://www.w3.org/TR/rdf-schema/, 2004.
[BHS05]
F. Baader, I. Horrocks, and U. Sattler. Description logics as ontology languages for the
semantic web. In Mechanizing Mathematical Reasoning, pages 228–248. Springer, 2005.
[BKM07]
G. Bonfante, M. Kaczmarek, and J-Y. Marion. A classification of viruses through recursion theorems. In Proceedings of the 3rd conference on Computability in Europe:
Computation and Logic in the Real World, CiE ’07, pages 73–82, Berlin, Heidelberg,
2007. Springer-Verlag.
[BKY98]
F.P. Burns, A.M. Koelmans, and A.V. Yakovlev. Analysing superscalar processor architectures with coloured Petri nets. In International Journal on Software Tools for Technology
Transfer, volume 2, pages 182–191. Springer-Verlag, 1998.
[BL93]
J. Berger and Luc Lamontagne. A colored Petri net model for a naval command and
control system. In M. Ajmone-Marsan, editor, Application and Theory of Petri Nets,
volume 691 of Lecture Notes in Computer Science, pages 532–541. Springer, 1993.
[BM08]
J-M. Borello and L. Mé. Code obfuscation techniques for metamorphic viruses. Journal
in Computer Virology, 4(3):211–220, 2008.
[Bon98]
V. Bontchev. Macro virus identification problems. In Computers & Security, volume 17,
pages 69–89, 1998.
[Buc05]
T. Buckman. NATO Network Enabled Capability Feasibility Study – Executive Summary,
Version 2.0, 2005. NATO Consultation, Command and Control Agency.
[CBCdV+08] N. Cuppens-Boulahia, F. Cuppens, J.E.L. de Vergara, E. Vazquez, J. Guerra, and H. Debar.
An ontology-based approach to react to network attacks. In Risks and Security of Internet
and Systems. CRiSIS ’08., pages 27–35, 2008.
[CD00]
J. Cheesman and J. Daniels. UML components: a simple process for specifying
component-based software. Addison-Wesley Longman Publishing Co., Inc., Boston, MA,
USA, 2000.
[CDH99]
C. Capellmann, H. Dibold, and U. Herzog. Using high-level Petri nets in the field of
intelligent networks. In J. Billington, M. Diaz, and G. Rozenberg, editors, Application
of Petri Nets to Communication Networks, volume 1605 of Lecture Notes in Computer
Science, pages 1–36. Springer Berlin Heidelberg, 1999.
[CDPMM09] M. Conti, R. Di Pietro, L. Mancini, and A. Mei. Mobility and cooperation to thwart
node capture attacks in MANETs. EURASIP Journal on Wireless Communications and
Networking, 2009(1):8:1–8:13, 2009.
[Cha07]
C. Chaouiya. Petri net modelling of biological networks. Briefings in Bioinformatics,
8(4):210–219, 2007.
[CJ03]
M. Christodorescu and S. Jha. Static analysis of executables to detect malicious patterns.
In Proceedings of the 12th USENIX Security Symposium, pages 169–186, 2003.
[CJK07]
M. Christodorescu, S. Jha, and C. Kruegel. Mining specifications of malicious behavior.
In Proceedings of the 6th joint meeting of the European Software Engineering Conference
and the ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 5–14, 2007.
[CJS+05]
M. Christodorescu, S. Jha, S. Seshia, D. Song, and R. Bryant. Semantics-aware malware
detection. In IEEE Symposium on Security and Privacy, pages 32–46, 2005.
[CK11]
M. Choraś and R. Kozik. Network event correlation and semantic reasoning for federated
networks protection system. In N. Chaki and A. Cortesi, editors, Computer Information
Systems – Analysis and Technologies, volume 245 of Communications in Computer and
Information Science, pages 48–54. Springer Berlin Heidelberg, 2011.
[CKP+11]
M. Choraś, R. Kozik, R. Piotrowski, J. Brzostek, and W. Hołubowicz. Network events
correlation for federated networks protection system. In W. Abramowicz, I. Llorente,
M. Surridge, A. Zisman, and J. Vayssière, editors, Towards a Service-Based Internet,
volume 6994 of Lecture Notes in Computer Science, pages 100–111. Springer Berlin
Heidelberg, 2011.
[CKR93]
L. Cherkasova, V. Kotov, and T. Rokicki. On net modeling of industrial size concurrent
systems. In M. Ajmone-Marsan, editor, Application and Theory of Petri Nets, volume
691 of Lecture Notes in Computer Science, pages 552–561. Springer Berlin Heidelberg,
1993.
[CPA+ 08]
J. Cappaert, B. Preneel, B. Anckaert, M. Madou, and K. De Bosschere. Towards tamper
resistant code encryption: practice and experience. In Proceedings of the 4th international
conference on Information security practice and experience, ISPEC’08, pages 86–100,
Berlin, Heidelberg, 2008. Springer-Verlag.
[CVE]
Common Vulnerabilities and Exposures. http://cve.mitre.org/.
[CW87]
T.M. Chin and A.S. Willsky. Stochastic Petri Net Modeling of Wave Sequences in Cardiac
Arrhythmias. LIDS-P. Defense Technical Information Center, 1987.
[DWJ08]
Z-J. Ding, J-L. Wang, and C-J. Jiang. An approach for synthesis Petri nets for modeling
and verifying composite web service. In Journal Of Information Science And Engineering, volume 24, pages 1309–1328, 2008.
[EAS]
B. Jasiul
EasyHook. http://easyhook.codeplex.com/.
Modeling of Selected Cyber Threats with Ontology and Petri Nets
86
BIBLIOGRAPHY
[FBD96]
D.J. Floreani, J. Billington, and A. Dadej. Designing and verifying a communications
gateway using coloured Petri nets and Design/CPNTM . In J. Billington and W. Reisig,
editors, Application and Theory of Petri Nets 1996, volume 1091 of Lecture Notes in
Computer Science, pages 153–171. Springer Berlin Heidelberg, 1996.
[FCR09]
M. Ficco, L. Coppolino, and L. Romano. A weight-based symptom correlation approach
to sql injection attacks. In LADC ’09. Fourth Latin-American Symposium on Dependable
Computing, pages 9–16, 2009.
[FD96]
D. J. Floreani and A. J. Dadej. Application of the stratification concept to radio networks
and their gateways. Computer Networks and ISDN Systems, 28(5):675–687, 1996.
[Fla04]
H. Flake. Structural comparison of executable objects. In Proceedings of the IEEE Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA,
pages 161–173, 2004.
[FPZ+ 08]
W. Fu, J. Pang, R. Zhao, Y. Zhang, and B. Wei. Static detection of API-calling behavior from malicious binary executables. In International Conference on Computer and
Electrical Engineering ICCEE, pages 388–392, 2008.
[GB99]
S. Gordon and J. Billington. Analysing a missile simulator with coloured Petri nets.
In International Journal on Software Tools for Technology Transfer, volume 2, pages
144–159. Springer-Verlag, 1999.
[Gla]
GlassFish Server. https://glassfish.java.net/.
[GN11]
A. Gostev and Y. Namestnikov.
Kaspersky Security Bulletin: Statistics 20010.
http://www.securelist.com/en/analysis/204792162/, 2011.
[Gos09]
A. Gostev. Kaspersky Security Bulletin: Statistics 2008.
http://www.securelist.com/en/analysis/204792052/, 2009.
[Gru93]
T.R. Gruber. Toward principles for the design of ontologies used for knowledge sharing. In Formal ontology in conceptual analysis and knowledge representation. Kluwer
Academic Publishers, 1993.
[Gru95]
T.R. Gruber. Toward principles for the design of ontologies used for knowledge sharing.
International Journal of Human-Computer Studies – Special issue: the role of formal
ontology in the information technology, 43(5-6):907–928, 1995.
[GŚD+ 12]
K. Gleba, J. Śliwa, D. Duda, J. Głowacka, and P. Pyda. Run-time ontology on the basis
of event notification service. In Military Communication Conference, MCC2012, pages
1–7. MUT Publishing House, 2012.
[Gua98]
B. Jasiul
N. Guarino. Formal ontology and information systems. pages 3–15. IOS Press, 1998.
Modeling of Selected Cyber Threats with Ontology and Petri Nets
87