Ontology for Threat Modeling
- Ontology for Threat Modeling is a formal, machine-interpretable framework that defines and interrelates threats, vulnerabilities, adversaries, and assets for rigorous risk analysis.
- It leverages description logic and standards like OWL/RDF, MITRE ATT&CK, STIX, and ISO/IEC 42001 to ensure semantic consistency and interoperability.
- The framework enables automated reasoning, quantitative risk assessment, and direct mapping of technical threat events to business loss metrics across various domains.
An ontology for threat modeling is a formal, machine-interpretable conceptualization of threat domains, adversarial methods, system assets, and the relationships that structure risk, impact, and mitigation in socio-technical environments. Unlike ad hoc taxonomies or informal diagrams, ontologies enable unambiguous specification, automated reasoning, alignment with security standards, and linkage between technical threat events and business loss metrics. Contemporary threat modeling ontologies cover highly specialized domains—AI security, cyber-physical critical infrastructure, malware intelligence, digital forensics, and influence operations—while sharing foundational patterns grounded in description logic, OWL/RDF, and integration with standards such as MITRE ATT&CK, STIX, ISO/IEC 42001, and NIST AI RMF.
1. Ontological Foundations in Threat Modeling
Ontology-driven threat modeling is distinguished by the formalization of key security entities (threats, vulnerabilities, countermeasures, assets, adversaries) as classes with well-defined properties and axioms, supporting rigorous analysis and reasoning (Huwyler, 26 Nov 2025, Idrees et al., 2014, Oliveira et al., 30 Jun 2025). Central to these frameworks are:
- Classes (Concepts): Precise domains such as Misuse, Poisoning, Adversarial, Privacy, Biases, SupplyChain, Intellectual Property Threat, or domain-specific notions (e.g., AttackPattern, Vulnerability, ThreatActor, SystemAsset, SecurityGoal).
- Properties (Relations): Object properties linking concepts (e.g., hasSubThreat, targetsAsset, exploitsVulnerability, mapsToLossCategory), data properties carrying quantification (hasFrequencyParameter, hasImpactParameter).
- Axioms: Specification in description logic or OWL, encoding domain/range, subsumption, cardinality, and disjointness constraints. Example:
These formalizations are designed to support technical completeness, semantic consistency, and interoperability across heterogeneous security tooling and regulatory requirements (Huwyler, 26 Nov 2025, Oliveira et al., 30 Jun 2025, Idrees et al., 2014).
2. Domain-Specific Threat Modeling Ontologies
Threat modeling ontologies are customized for distinct application domains, yet exhibit a recurring structural meta-pattern.
- AI Security Ontologies: The "AI System Threat Vector Taxonomy" models nine domains (Misuse, Poisoning, Privacy, Adversarial, Biases, UnreliableOutputs, Drift, SupplyChain, IPThreat) with 53 granular sub-threats. Each threat class explicitly maps to loss categories (Confidentiality, Integrity, Availability, Legal, Reputation), facilitating quantitative risk assessment and direct traceability to standards (ISO/IEC 42001, NIST AI RMF) (Huwyler, 26 Nov 2025).
- Attack Tree and Risk Ontologies: Ontologies grounded in the Unified Foundational Ontology (UFO) and COVER risk ontology distinguish objects, events, intentions, situations, and qualities (e.g., cost, probability, damage). Attack trees are mapped onto covering concepts such as AttackGoal ⊑ Intention, AttackStep ⊑ ThreatEventType, and metrics computed recursively via semiring structures (Oliveira et al., 30 Jun 2025).
- Adversary and Capability Ontologies: Meta-models for adversary profiling structure attacker objectives, methods, modes, consequences, and profiles (capability, expertise, location, resources). These enable both manual scenario modeling (via SysML-Sec) and automated reasoning regarding risk and requirements coverage (Idrees et al., 2014, Mavroeidis et al., 2021).
- CTI, Malware, and Influence Operations: Domain-specific ontologies (e.g., MALOnt, IOO, SCOPE) integrate standards such as ATT&CK, CAPEC, STIX, CVE/CWE, and CASE. They model threat intelligence including malware families, tactics, indicators, actors, and digital evidence, supporting both cybercrime and digital forensics (Tudela et al., 10 Mar 2025, Rastogi et al., 2020, Tok et al., 2024).
3. Ontology Properties, Axioms, and Mapping Functions
Key properties and axioms emerge consistently across threat modeling ontologies:
- Hierarchical Structuring: Domains and sub-threats reflect class hierarchies; e.g., Misuse ⊑ ThreatVector, PromptInjection ⊑ Misuse (Huwyler, 26 Nov 2025).
- Crosswalk to Control Frameworks: Mappings (via alignedToControl or similar properties) directly relate threat classes to risk management controls (NIST, ISO/IEC, EU AI Act), supporting auditability and regulatory compliance (Huwyler, 26 Nov 2025).
- Loss Category and Risk Quantification: Formally, many ontologies support the mapping function
and impact quantification, for example:
where is the event frequency and the average loss for threat (Huwyler, 26 Nov 2025).
- Description Logic/OWL Expressions: Sample axioms include:
- Object-Asset-Event Participation: Modern extensions, e.g., in the WATCHDOG framework, represent objects-at-risk, events (disruption nodes), and object participation, enabling disruption propagation analysis with traceable risk semantics (Nicoletti et al., 2024).
4. Reasoning, Automated Analysis, and Implementation
Ontology-based threat modeling supports advanced reasoning and automation.
- Automated Reasoning: DL reasoners (HermiT, Pellet) and rule engines (SWRL, SPARQL) infer new consequences, flag inconsistent models, and answer complex queries (e.g., "find all passive, functional attacks" or "which campaigns exploited the same vulnerability") (Idrees et al., 2014, Oliveira et al., 30 Jun 2025, Christian et al., 2021, Rastogi et al., 2020).
- Pattern-Based Analysis: RDF/OWL knowledge graphs instantiated from cloud configurations or data flow diagrams are queried via SPARQL to automate detection of threat patterns, mapped to frameworks such as STRIDE (Brazhuk, 2023).
- Quantitative/Probabilistic Extensions: Advanced formalisms (e.g., convolved Monte Carlo risk formulas, DOGLog in WATCHDOG) enable risk aggregation, what-if analysis, and minimal scenario discovery with object-centric optimization (Huwyler, 26 Nov 2025, Nicoletti et al., 2024).
- Integration with Modeling Tools: Embedding in UML/SysML-Sec enables graphical design with ontology-backed reasoning and constraint checks, directly linking adversary models and attack trees to security requirements and system assets (Idrees et al., 2014).
5. Alignment with Standards and Interoperability
Alignment with standards and emphasis on interoperability are major priorities in recent ontology designs.
- Direct Standard Mappings: Ontology classes (e.g., Poisoning, Drift) are explicitly mapped to ISO/IEC 42001 controls and NIST AI RMF functions; techniques and attack patterns are crosswalked to MITRE ATT&CK TTPs via OWL equivalence (Huwyler, 26 Nov 2025, Tudela et al., 10 Mar 2025, Tok et al., 2024).
- Hierarchical Data Integration: Integration chains link ATT&CK techniques → CAPEC patterns → CWE weaknesses → CVE vulnerabilities, enabling multi-layered threat landscape mapping and comprehensive risk coverage (Brazhuk, 2021).
- Regulatory and Legal Ontology Integration: Some frameworks employ higher-order BFO/CCO alignment for integration with rights, policies, legal mandates, and regulatory process ontologies, expanding threat modeling applicability into compliance and governance (Colle, 2024, Huwyler, 26 Nov 2025).
6. Methodological Guidance and Evaluation
Recent work prescribes systematic, metric-driven methodologies:
- Competency-Driven Ontology Engineering: Start with formal competency questions, frequently anchored in regulatory or operational requirements, and derive structured classes and relations iteratively (Colle, 2024).
- Metric Suite for Ontology Evaluation: Quantitative metrics—non-parochiality, top-level alignment, technical specificity, hub potential—are used to assess applicability, extensibility, and semantic completeness (Colle, 2024).
- Best Practices: Modular design, rigorous annotation, documentation, versioning, use of ontology design patterns, and community review cycles are universally recommended (Oliveira et al., 30 Jun 2025, Colle, 2024).
7. Illustrative Instantiations and Practical Outcomes
In practice, ontology-based threat modeling enables direct, auditable mapping between real-world incidents and security controls (Huwyler, 26 Nov 2025, Tok et al., 2024, Cotti et al., 26 Aug 2025):
| Scenario | Ontology Instantiation Example (abbreviated) | Risk/Control Outcome |
|---|---|---|
| Prompt injection attack on AI chatbot | Individual: PromptInjection; mapsToLossCategory: Integrity | Mapped to NIST Map/ISO42001 6.2.2 |
| Phishing campaign in smart city | Incident: hasTechnique: T1566.002; involvesComponent: IoT | Case evidence captured, chain of custody |
| Malware campaign triage | :MalwareX hasAttackPattern :Ransomware; usesInfra :C2Server | IoCs harvested, cluster by TTP |
Such instantiations allow for aggregation of incident statistics, measurement of financial exposure, automated regulatory reporting, and feedback for security requirements engineering.
References
- Standardized Threat Taxonomy for AI Security, Governance, and Regulatory Compliance (Huwyler, 26 Nov 2025)
- Model the System from Adversary Viewpoint: Threats Identification and Modeling (Idrees et al., 2014)
- An ontological lens on attack trees: Toward adequacy and interoperability (Oliveira et al., 30 Jun 2025)
- Towards an ontology of state actors in cyberspace (Colle, 2024)
- Ontology-based Attack Graph Enrichment (Saint-Hilaire et al., 2022)
- The Influence Operation Ontology (IOO) (Tudela et al., 10 Mar 2025)
- MALOnt: An Ontology for Malware Threat Intelligence (Rastogi et al., 2020)
- Proactive security defense: cyber threat intelligence modeling for connected autonomous vehicles (Wang et al., 2024)
- A Smart City Infrastructure Ontology for Threats, Cybercrime, and Digital Forensic Investigation (Tok et al., 2024)
- Ontology-driven Knowledge Graph for Android Malware (Christian et al., 2021)
- Predicting Network Attacks Using Ontology-Driven Inference (Salahi et al., 2013)
- WATCHDOG: an ontology-aWare risk AssessmenT approaCH via object-oriented DisruptiOn Graphs (Nicoletti et al., 2024)
- Grid-STIX: A STIX 2.1-Compliant Cyber-Physical Security Ontology for Power Grid (Blakely et al., 14 Nov 2025)
Ontology-driven threat modeling thus constitutes a rigorous foundation for integrating technical, organizational, and regulatory perspectives in the formal analysis, management, and reduction of risk in complex systems.