Considering the continuous growth in the complexity of both information systems and security information, it becomes more and more necessary to provide solutions that facilitate the user in the management and use of these large and complex knowledge-bases. In the last years we have seen the birth of more and more examples that propose ontologies, semantically rich descriptions of entities and relations for the management of security information. The aim of this work is to provide an ontology that (i) supports a formal description of an ICT system, (ii) relates it to its potential vulnerabilities, possible attack vectors, and available mitigations, (iii) allows inferring a tight relationship between IT/OT assets and their vulnerabilities. Given the description of the ICT system, the ontology is automatically populated with security information items obtained by querying external knowledge bases (e.g., CWE, CVE, MITRE ATT&CK) and then providing the user with the necessary information to support operations such as Vulnerability Assessment and Penetration Testing and countermeasure planning.

Ontology for Cybersecurity Governance of ICT Systems / De Rosa, Fabio; Maunero, Nicolò; Nicoletti, Luca; Prinetto, Paolo; Trussoni, Martina. - ELETTRONICO. - 3260:(2022), pp. 52-63. ((Intervento presentato al convegno Italian Conference on Cybersecurity (ITASEC22) (2022) tenutosi a Rome (ITA) nel 20-23 June, 2022.

Ontology for Cybersecurity Governance of ICT Systems

Maunero, Nicolò;Prinetto, Paolo;
2022

Abstract

Considering the continuous growth in the complexity of both information systems and security information, it becomes more and more necessary to provide solutions that facilitate the user in the management and use of these large and complex knowledge-bases. In the last years we have seen the birth of more and more examples that propose ontologies, semantically rich descriptions of entities and relations for the management of security information. The aim of this work is to provide an ontology that (i) supports a formal description of an ICT system, (ii) relates it to its potential vulnerabilities, possible attack vectors, and available mitigations, (iii) allows inferring a tight relationship between IT/OT assets and their vulnerabilities. Given the description of the ICT system, the ontology is automatically populated with security information items obtained by querying external knowledge bases (e.g., CWE, CVE, MITRE ATT&CK) and then providing the user with the necessary information to support operations such as Vulnerability Assessment and Penetration Testing and countermeasure planning.
File in questo prodotto:
File Dimensione Formato  
ITASEC-3558.pdf

accesso aperto

Descrizione: Manoscritto accettato, camera ready version.
Tipologia: 2. Post-print / Author's Accepted Manuscript
Licenza: Creative commons
Dimensione 792.65 kB
Formato Adobe PDF
792.65 kB Adobe PDF Visualizza/Apri
paper4.pdf

accesso aperto

Descrizione: versione pubblicata del paper
Tipologia: 2a Post-print versione editoriale / Version of Record
Licenza: Creative commons
Dimensione 1.12 MB
Formato Adobe PDF
1.12 MB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

Caricamento pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11583/2971406