
ANCILE: Franco-Luxembourgish SOAR Research

Updated 8 December 2025
  • ANCILE is a multinational research project advancing SOAR systems through autonomic computing, adversarial machine learning, and ontology evaluation.
  • The project employs a credibility-centered framework that quantifies institutional, academic, practitioner, and industrial indicators to assess cybersecurity ontologies.
  • Findings reveal key trade-offs between foundational grounding and industrial adoption, prompting a federated approach for balancing academic rigor with practical deployment.

The Franco-Luxembourgish research project ANCILE (AutoNomic Cyber-security with adversarIal Learning and Explanations) is a multinational initiative to advance Security Orchestration, Automation, and Response (SOAR) systems by integrating autonomic computing, adversarial machine learning, and ontology-driven knowledge management. ANCILE provides a case-driven framework for ontology evaluation that explicitly incorporates credibility measures—addressing deficits in trust, endorsement, and adoption frequently observed in the cybersecurity ontology landscape (Leblanc et al., 1 Dec 2025).

1. Objectives and Theoretical Foundations

ANCILE's objective is to pioneer next-generation SOAR frameworks that autonomously orchestrate monitoring, analysis, planning, and execution (MAPE-K loops) across distributed and heterogeneous environments. This is operationalized through three pillars:

  • Autonomic computing: Closed control loops (MAPE-K) enabling continuous and adaptive response.
  • Adversarial machine learning: Red- and blue-team co-evolution, fostering resilient decision automation and attack detection.
  • Ontology-driven knowledge base (K): Formally grounded, federated ontologies that ensure semantic coherence between disparate reasoning engines (e.g., deep learning in Python, probabilistic logic in Prolog, Kubernetes orchestration, SDN controllers in Java).

ANCILE targets a consortium of stakeholders: academics, SOC-tool developers, SOC operators, and standards development contributors. A foundational principle is that adopted ontologies must be FAIR-compliant, foundationally grounded, interoperable with de facto industry standards (MITRE ATT&CK™, STIX), validated by field practitioners, and demonstrably industrially deployable.

2. Research Questions and Operational Challenges

ANCILE frames its research around two core questions:

  • RQ1: Why is ontology reuse limited in cybersecurity, despite an abundance of published models?
  • RQ2: What evaluation criteria, beyond logical soundness and structural consistency, are required to guide ontology selection in operationally relevant contexts?

These questions highlight a gap between the proliferation of theoretical models and their practical adoption: technical quality alone is insufficient; social trust and evidence of real-world applicability are critical for widespread endorsement. The operational context further complicates selection by imposing multi-stakeholder requirements—simultaneous grounding in formal methods, practical deliverability, and compliance with sector-specific standards.

3. Credibility-Centered Evaluation Framework

Built atop Wilson et al. and the ISO/IEC 25012 data quality standard, ANCILE extends the traditional F4OC (Framework for Ontologies Classification) pipeline by introducing four orthogonal, quantitatively measurable "credibility indicators" for any ontology $O$:

  • Institutional Endorsement (I): $I(O) = 1$ if $O$ is referenced by at least one major standard (e.g., MITRE ATT&CK, D3FEND, ISO/IEC); else $0$.
  • Academic Recognition (A): $A(O) = R(O)/R_{\max}$, where $R(O)$ is the venue score (e.g., $1.0$ for a Q1 journal, $0.8$ for Q2, $0.6$ for a top-tier conference, $0.4$ for B-tier), normalized so that $0 \leq A(O) \leq 1$.
  • Practitioner Validation (P): $P(O) = 1$ if a formal review by $\geq 3$ qualified cybersecurity professionals has certified $O$; else $0$.
  • Industrial Maturity (D): $D(O) = L/3$, with $L \in \{1, 2, 3\}$ representing increasing levels of production integration: white-paper visibility ($L = 1$), documented deployment ($L = 2$), multiple independent adoptions ($L = 3$).

The composite credibility score is given as:

$$C(O) = w_I\, I(O) + w_A\, A(O) + w_P\, P(O) + w_D\, D(O)$$

with equal weighting ($w_I = w_A = w_P = w_D = 0.25$) as the default, though stakeholders may adjust the weights to reflect evolving priorities.

4. Ontology Classification and Selection Process

ANCILE augments the five-step F4OC pipeline (application level, generality, formal expressiveness, logical density) with a classification scheme mapping ontologies into "credibility-based" classes based on their indicator values:

$$\text{Assign } O \text{ to } \begin{cases} \mathbf{C1} & \text{if } A(O) \geq 0.75 \quad (\text{Academic Ontology}) \\ \mathbf{C2} & \text{if } P(O) = 1 \quad (\text{Practitioner-validated}) \\ \mathbf{C3} & \text{if } I(O) = 1 \quad (\text{Standardized Ontology}) \\ \mathbf{C4} & \text{if } D(O) \geq \tfrac{2}{3} \quad (\text{Industrial Ontology}) \end{cases}$$

Ontologies may be assigned to multiple classes, reflecting their multidimensional strengths.

The selection process in ANCILE proceeds in four stages:

  • Step 1: F4OC Filtering: Of 87 candidate ontologies post-2021, only 4% were "well-grounded," 25% "reference," and 87% "operational." The F4OC pipeline alone identified CRATELO as the ideal candidate, but its artifact was not available.
  • Step 2: Candidate Pooling: Iterative criterion relaxation surfaced six "near-miss" candidates: COVER, ROSE (both UFO-grounded), WAVED, D3FEND, STIX, and UCO.
  • Step 3: Credibility Evaluation: Scoring these on the $(I, A, P, D)$ axes and computing $C(O)$, ontologies were mapped to classes C1–C4. The findings are summarized below.

    Ontology   I   A    P   D     C(O)   Classes
    COVER      0   0.8  0   0.33  0.23   C1
    ROSE       0   1.0  0   0.33  0.33   C1
    STIX       1   0.6  1   0.66  0.73   C1, C2, C3, C4
    D3FEND     1   0.7  0   0.66  0.51   C1, C3, C4
    WAVED      1   0.8  1   0.66  0.79   C1–C4
    UCO        1   0.5  0   0.33  0.42   C3

  • Step 4: Modular Federation: No candidate satisfied all requirements; ANCILE adopted a federated approach:
    • COVER and ROSE for foundational UFO-based grounding
    • STIX and D3FEND core modules for standardized concepts
    • WAVED for taxonomy alignment (MITRE ATT&CK, D3FEND, CWE/CVE)
    • UCO for external integration
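The composite score and class-assignment rule above, run over the indicator values tabulated in Step 3, as an added example that is not code from the paper or the ANCILE project; the research-phase weighting is an assumption illustrating the phase-dependent tuning the text mentions. Recomputing under the default equal weights does not reproduce every tabulated C(O), which is why the weights should always be stated next to a published score.

```python
"""Credibility scoring and class assignment following the ANCILE framework.
Added example, not project code; the research-phase weights are assumed."""
from dataclasses import dataclass

INDICATORS = ("I", "A", "P", "D")
# Default from the framework: equal weights.
DEFAULT_WEIGHTS = {"I": 0.25, "A": 0.25, "P": 0.25, "D": 0.25}
# Assumed research-phase weighting that emphasises academic recognition
# (the page only says weights may be tuned to project phase).
RESEARCH_WEIGHTS = {"I": 0.1, "A": 0.6, "P": 0.1, "D": 0.2}


@dataclass(frozen=True)
class Ontology:
    name: str
    I: int    # institutional endorsement: 1 if cited by a major standard
    A: float  # academic recognition R(O)/R_max, in [0, 1]
    P: int    # practitioner validation: 1 if >= 3 professionals certified it
    L: int    # industrial maturity level, 1..3 (D = L/3)

    def __post_init__(self):
        if self.I not in (0, 1) or self.P not in (0, 1):
            raise ValueError(f"{self.name}: I and P are binary")
        if not 0.0 <= self.A <= 1.0 or self.L not in (1, 2, 3):
            raise ValueError(f"{self.name}: A in [0,1], L in {{1,2,3}}")

    @property
    def D(self) -> float:
        return self.L / 3

    def indicators(self) -> dict:
        return {k: getattr(self, k) for k in INDICATORS}


def credibility(o: Ontology, weights=DEFAULT_WEIGHTS) -> float:
    """C(O) = sum_k w_k * k(O); weights must be non-negative and sum to 1."""
    if min(weights.values()) < 0 or abs(sum(weights.values()) - 1) > 1e-9:
        raise ValueError("weights must be non-negative and sum to 1")
    ind = o.indicators()
    return sum(weights[k] * ind[k] for k in INDICATORS)


def classify(o: Ontology) -> set:
    """Classes C1-C4 from the assignment rule; membership is not exclusive."""
    rules = {"C1": o.A >= 0.75, "C2": o.P == 1, "C3": o.I == 1, "C4": o.L >= 2}
    return {c for c, hit in rules.items() if hit}


def rank(ontologies, weights=DEFAULT_WEIGHTS) -> list:
    """Names by descending C(O), ties broken alphabetically."""
    return [o.name for o in sorted(ontologies, key=lambda o: (-credibility(o, weights), o.name))]


# The six near-miss candidates with the indicator values tabulated in Step 3.
CANDIDATES = [
    Ontology("COVER", 0, 0.8, 0, 1), Ontology("ROSE", 0, 1.0, 0, 1),
    Ontology("STIX", 1, 0.6, 1, 2), Ontology("D3FEND", 1, 0.7, 0, 2),
    Ontology("WAVED", 1, 0.8, 1, 2), Ontology("UCO", 1, 0.5, 0, 1),
]
```

Under the research-phase weights ROSE climbs from fifth to third, showing how the ranking, not just the scores, depends on the chosen weights.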

5. Empirical Results and Lessons Learned

The credibility-centered framework reordered the candidate ranking compared to traditional pipelines. Ontologies with evidence of real-world adoption (WAVED, STIX) moved to the forefront, while academically rigorous but unadopted ontologies were deprioritized.

Key trade-offs included:

  • Foundational grounding vs. standard alignment: Ontologies most grounded in philosophical rigor (e.g., UFO) were not always those best aligned to current practice.
  • Academic rigor vs. industrial adoption: High scores in peer review did not guarantee practitioner/industrial uptake.

ANCILE's federated selection mitigates these trade-offs at the cost of increased integration complexity. Practitioner panels validated the composite ontology as "sufficiently complete" for SOC blue-team and red-team operations.

6. Implications and Future Directions

The ANCILE framework demonstrates that credibility-based evaluation is decisive for ontology selection in operational R&D and can be generalized to other sectors where adoption hinges on social trust as much as logical coherence. The weighting of credibility criteria can be dynamically tuned to project phase (e.g., shifting emphasis from academic to industrial as a system moves from research to deployment).

Planned enhancements include a fifth indicator—historical stability (version longevity)—and automated tooling to compute $(I, A, P, D)$ dynamically via citation analytics, code repository metrics, and standards databases.

Embedding credibility at the core of ontology evaluation, in conjunction with classical F4OC criteria, offers a nuanced, context-sensitive approach that bridges the persistent divide between academic modeling and the demands of real-world cybersecurity operations (Leblanc et al., 1 Dec 2025).
