Latest News

Alexander Moiseev: Ontologies in information security

Alexander Moiseev, Chief Business Officer, Kaspersky, considers how ontologies can provide the world with greater, faster protection from cyberthreats and more.

In the cybersecurity industry, we regularly analyse new technologies and look for ways to put them to use. Ontology may not represent a very popular approach right now, but it can speed up and simplify a lot of processes. I believe it’s only a matter of time before using ontology for cybersecurity catches on.

In information systems, what’s an ontology?

In information science, an ontology is a systematic description of all of the terms in a specific subject area, their characteristics or attributes, and their relationships. For example, the Marvel Comics Universe ontology includes the names and attributes (superpowers, weapons, weaknesses) of all of the superheroes, their power levels, and so forth. An ontology can describe anything from wines to electrical grids.

Using a language such as OWL, Web Ontology Language, you can develop tools to analyse ontologies and identify hidden connections and missing or obscure details. For example, analysing the ontology of the Marvel universe can help determine the best team of superheroes and the most expedient way to defeat a villain.

For that, as well as for similar tasks, we could use the Protégé platform, for example. Developed at Stanford University, the software’s purpose is to analyse biomedical data, but now it’s a free, open-source ontology editor and framework for building intelligent systems to manage knowledge from any field.

Ontologies vs. machine learning

The tools for working with ontologies have a lot in common with machine-learning algorithms, but with one key difference: machine-learning models predict; ontological tools deduce.

Machine-learning models analyse large arrays of data and use them to make predictions about new objects. For example, a machine-learning model might look at 100 malicious e-mails and highlight the specific characteristics they share. Then, if the model recognises some of those characteristics in a new e-mail, it can determine that the new message is also malicious.

An ontology also figures in data analysis, but instead of leading to predictions, it points to information that logically ensues from supplied parameters. It doesn’t learn or draw on previous experiences to analyse information. For example, if we indicate in the ontology that ‘e-mail A’ is a phishing e-mail and that all phishing e-mails are malicious, and then state that ‘e-mail B’ is a phishing e-mail, the ontology will conclude that e-mail B is malicious. If we set out to analyse ‘e-mail C’ but don’t supply any characteristics, the ontology will not make any conclusion.

Ontologies and machine learning can complement each other. For example, ontologies can optimise and accelerate machine-learning models. They make the process of training models much easier by simulating logical reasoning and by being able to automatically classify and link information. And using time-saving ontological axioms — rules that describe the relationship between concepts — can narrow the input array for the machine-learning model, speeding its ability to find an answer.

Other uses for ontologies in cybersecurity

Ontologies can also help identify hidden opportunities or weak areas. For example, we can analyse a company infrastructure’s level of protection against a specific cyberthreat, such as ransomware. To do so, we create an ontology of potential anti-ransomware measures and apply it to the list of existing security measures in the organisation.

Using the ontology will tell you whether the infrastructure has enough protection or needs work. You can use the same method to determine whether an IT security system meets IECNIST, or other standards. This can also be done manually, but it would take much longer and be more expensive.

Ontologies also make the lives of IT security specialists easier by enabling them to communicate with each other in the same language. Using ontology can improve cybersecurity by helping specialists contextualise the problems and attacks that others encounter, leading them to better security measures. That kind of information also comes in handy when experts create information security architectures from scratch by offering a systematic view of vulnerabilities, attacks, and their connections.

The very concept may seem complicated and abstract, but you encounter ontologies almost every day. Consider Internet searches, for example. Ontologies underlie semantic searches, letting you search for answers to actual queries rather than getting bogged down in the meaning of each individual word in them. That greatly increases the quality of search results. Pinterest, an image-sharing social network, uses similar technologies, relying on ontologies to analyse users’ actions and reactions, and then employing that data to optimise recommendations and targeted advertising.

The above represents just a few ideas of how using ontologies can improve many aspects of business and cybertech. Here at Kaspersky, we’re interested in ontology’s prospects not only for cybersecurity, but also in terms of the bigger picture, where ontology presents huge opportunities for business.