Abstract: In modern warfare it is no longer sufficient to only focus on physical attacks and counter-measures; the threat against cyber networks is becoming increasingly significant. Modern military forces have to provide counter measures against these growing threats in the cyberspace. These forces thus find themselves in the position where they need the capability to perform cyber operations. This paper presents a Network Attack Planning ontology which is aimed at providing support for military cyber operations. The cyber network operation domain is growing at a rapid rate and involves an ever increasing volume of associated information. Semantic technologies can contribute towards the intelligent processing of information in this complex problem area. An ontology enables the representation of semantic information and automated reasoning that can support the complexity of planning cyber operations. It also contributes towards the sharing of information and the creation and maintenance of a common vocabulary. The inferences that can be made with the automated reasoning capabilities of ontologies provide a unique insight into the relationships between network targets and attacks that could be launched against them.
Keywords: ontology, network attack planning, command and control, cyber warfare
1. Introduction
As warfare begins to move away from the physical battlefield and onto the cyber realm, it becomes important to build the necessary capability to keep up with such advances. "Over the last two decades, the United States has witnessed significant and rapid technological advancements in digital communications (cyber communications) and information technology. Owners and operators of critical infrastructure have capitalised on these innovative technologies to operate their systems more efficiently and provide better service to customers. Despite the many benefits of an increasingly "wired" economy and defence, the nation's exposure to cyber threats has also increased." This statement by Dean (2013), the editor of the International Security Quarterly journal, expresses the fact that nations have to defend themselves against cyber threats; nations are vulnerable to digital attacks carried out with the intention of sabotage, espionage, terrorism and crime by people of ill intent. Symantec highlighted a 91% increase in targeted attacks in its 2014 threat report (Symantec Corporation, 2014). As a consequence, military forces have to include cyber attack counter-measures as part of their military power.
Within military forces there exist Electronic Warfare (EW) threat analysis databases that are populated with all known electromagnetic threats (such as missile range finding or radar tracking), focusing on fingerprinting the electronic emissions of weapons that use the electromagnetic spectrum. This captured information can be used for analysis. For example, this information is loaded onto an aircraft's early warning and counter-measure system before a mission into enemy territory. This is part of platform protection in an attempt to increase the survivability of the aircraft in combat by automatically countering weapons that use electronic emissions, thus allowing the pilot to focus on the mission itself.
The cyber world can learn from EW by applying the same principles of developing a threat knowledge database for cyber warfare. A Security Information Events Management (SIEM) system is a step in the right direction although mainly focusing on reactive counter-measures. This paper takes this aspect further by presenting the development of a Command and Control (C2) ontology for the subdomain of Cyber Network Attack Planning. This ontology will assist in building a knowledge base for cyber network attack planning and counter measures which will enable proactive cyber counter-measures.
Section 2 contains background information, specifically an overview of ontologies, command and control from a military perspective, and network attack ontologies. Section 3 discusses the presented Cyber Network Attack Planning ontology and the paper is concluded in Section 4.
2. Background
This section gives an overview of ontologies, Command and Control and existing Network Attack ontologies.
2.1 Overview of ontologies
An ontology is a technology that provides a way to exchange semantic information between people and machines (Noy and McGuinness 2001). It is a formal encoding of concepts in a chosen domain, and in addition contains properties and instances of these concepts as well as axioms that give information on the concepts and properties. It also has an automated reasoning facility which enables the derivation of new information from the facts contained in an ontology. Gruber (1993) defines an ontology as a "formal, explicit specification of a shared conceptualisation".
Noy and McGuinness defined an ontology as: ".... a common vocabulary for researchers who need to share information in a domain .... includes machine-interpretable definitions of basic concepts in the domain and relations among them." (Noy and McGuinness 2001).
Ontologies provide the following benefits:
* Share a common understanding of the structure of information.
* Facilitate reuse of domain knowledge.
* Make domain assumptions clear.
* Separate domain knowledge from operational knowledge.
* Analyse domain knowledge.
* Provide a common vocabulary.
Noy and McGuinness describe an ontology as a formal explicit description of concepts of discourse classes, with the properties of each class describing various attributes of the concepts (slots) and their restrictions. Classes are the focal point of ontologies, and can be divided into subclasses which represent more detailed concepts. The information in an ontology is expressed in an ontology language (a logic-based language) that has a well-defined semantics and powerful reasoning tools. The web ontology language (OWL) 2.0 is the official Semantic Web ontology language (http://semanticweb.org/wiki/OWL_2). OWL was designed to provide a common way to process the content of web information instead of displaying it. It is intended to be interpreted by computer applications and not to be read by people. In this research, OWL was used to interpret the ontological model developed for the cyber security strategic domain.
2.2 Command and control
Command and Control is a term used to refer to the military discipline of pursuing objectives, but it is also used in other domains. According to Smith, Miettinen and Mandrick (2009), "Command and Control (C2) signifies the disciplined pursuit of objectives of a sort which can be identified in any serious human endeavour, whether it be peacetime engineering, humanitarian disaster relief operations, or the conduct of war".
Smith et al. (2009) state that C2 can be broken down into six components if viewed from the commander's perspective:
* Organising available assets.
* Gaining an understanding of the situation.
* Planning for operations.
* Making decisions.
* Directing subordinates and elements.
* Monitoring progress.
Extensive research has been done since the early 2000s regarding the development and application of military related ontologies, especially in the development of ontologies to support C2. Curts and Campbell (2005) state that "the sorts of semantic interoperability provided by ontology technology are indispensable in attempting to improve our understanding of Command and Control (C2)."
Command and Control ontologies have been significantly developed and a Command and Control special issue was released by Tolk and Smith (2011) in the International Journal of Intelligent Defence Support Systems. They stated that the advantage of an ontology based approach is: "The possibility of incremental adoption - integration and analysis becomes possible even if only subsets of the data have been subject to annotation." They also add the following benefits provided by C2 ontologies:
* Distributed approach such that multiple different groups can work on different portions of the data provided only that the same ontologies are used for annotation.
* A net-centric data strategy.
* The data is not changed by the process of annotation.
* Integratability, interoperability and consistent interpretation.
* Effective coordination across different communities.
* Flexibility.
Although there are a large number of C2 ontologies, we only cite a few relevant examples. Smith et al. (2005) presented a process for constructing a concise, modular and extensible core C2 ontology. Their aim was to support interoperability in a military environment by building a core (general) ontology that can be extended with sub-domain ontologies. Curts and Campbell (2005) approached the development of a C2 ontology from the perspective that there does not seem to be a set of shared definitions for C2 concepts. Rather than trying to define C2, these two researchers attempted to define its content and boundaries. Nguyen, Kopena, Loo and Regli (2010) discussed the development of a set of ontologies for use in messaging systems within military and first responder C2 applications. Stoutenberg et al. (2007) developed ontologies and rules to address emerging mission needs. Some work has also been done in terms of ontological development to deal with cyber operations, for instance, Belk and Noyes (2012).
In modern warfare it is no longer sufficient to only focus on physical attacks and counter-measures; the threat against cyber networks is becoming increasingly significant. Networks are being incorporated into the modern battlespace such as the Russian-Georgian Cyber War (Korns et al., 2008).
2.3 Network attack ontologies
The use of ontologies in the study of network attacks is relatively new although a number of ontologies have been developed in the past decade.
Rochaeli and Eckert (2005) proposed an ontological approach to construct the knowledge representation framework for computers and their vulnerabilities. They developed a framework in which security administrators can find scenario-oriented patterns. Security administrators can thus interpret detected scenarios with these enabling policies.
Mandujano (2005) developed an ontology to produce and recognise attack programme signatures. A Snort intrusion detection system was used as the source of input data. This ontology is aimed at packet-level intrusion detection.
Li and Tian (2010) developed an ontology-based intrusion alerts correlation system. This system contained agents and sensors, where sensors gather security information and agents process it. They used an automated reasoner aimed at deducing attack sessions and classes in determining risk.
Abdoli and Kahani (2009) developed an ontology that makes use of the IDSagents and MasterAgent classes to perform intrusion detection. Their system was able to reduce false positives and negatives for intrusion detection systems. The ontology still requires that attack classes be investigated offline by domain experts. A reasoner was used to conclude risks.
Frye et al. (2012) used an ontology to model the elements of a network attack. They developed two ontologies, the first representing a simple model with four main classes: Availability, Recon, GainAccess, and ViewChangeData.
Van Heerden et al. (2012a) developed an ontology that presents both the view of the attacker and that of the defender. The ontology used an automated reasoner to determine network attack scenario relations.
Social engineering is another means which can be used to attack a network. Mouton et al. (2014) proposed an ontological model which provides both a formalised definition for social engineering attacks and an ontology which can be used to perform a social engineering attack.
3. The cyber network attack planning ontology
An ontology is made up of classes, instances or individuals, and relations between the classes, and a reasoner can be applied to reason across the knowledge base of an ontology to make additional inferences that extend the knowledge base. A concept is described by a class and an instance by an individual in an ontology.
Fig. 1 shows the concepts in C2 and the flow of information between them. The classes in the Network Attack Planning Ontology (NAPO) were based on the concepts presented in Fig. 1. NAPO houses knowledge for C2 in network operations, more precisely, providing support for cyber network attack planning and counter-measures. Network attacks and counter-measures against them form a subdomain of C2.
NAPO aims to provide support on a tactical level during the planning of a network operation. Considering Fig. 1, the proposed ontology aids in the functions and tasking, command decision making and direction, monitoring, and planning and analysis. Most of the terminology will be inherited from the traditional C2 domain. Fig. 2 places the Network Attack Planning Ontology (NAPO) subdomain in perspective within the C2 domain.
In this paper we only present a partial view of the ontology due to its complexity. Fig. 3 shows the top level classes of NAPO. The ontology was built using Protégé, an open-source tool for building ontologies, developed by Stanford University (http://protege.stanford.edu/). The central class of NAPO is Operation; this class represents all instances of operations in the military cyber domain. In order to carry out an operation, there are three directly connected classes, namely Constraint, Target and Task.
With the battle space having moved from the physical realm to the cyber realm, constraints are no longer limited to physical elements such as weather and terrain. As such, it is important to take note of the constraints that a network operation has to deal with. For example, it is not viable to physically attack a cloud storage server. The subclasses of Constraint represent ethical, legal, military and physical constraints. Each of these classes can be expanded to deal with country or state specific legislation.
The Target class consists of the instances that have a reachable location and have some vulnerability that can be exploited or patched. Subclasses of Target provide a grouping of potential targets, for instance, social media, email servers, websites and so forth. Individuals belonging to the subclasses provide the actual names of these entities in the ontology. For example, the URL www.example.com can be an individual of a potential target for website attacks.
The Task class represents the set of network attack and defend activities. The subclasses of Task are derived from the computer network attack taxonomy presented by van Heerden et al. (2012b). These activities can be tasked to an Agent, who has a Role within an Organisation.
The ontology provides semantic support for decision-making during the tasking phase of C2. For example, a list of agents and their capabilities can be inferred when a user queries which agent can perform a specific task. Inferences are possible by specifying relations between the classes.
A relation linking two classes in NAPO performs a similar role to that of a verb in a sentence. For example, Commander A commands Subordinate B. Fig. 4 presents a partial view of the relations in NAPO.
The chain of command is important in the military context. This is represented by the commands relation as shown in Fig. 4. The inverse of the commands relation, commandedBy, allows the tool to reason about relations between a commander and a subordinate.
The detectsVulnerability relation aids in determining which sensor to deploy for a task. Knowing which sensor can detect certain vulnerabilities allows a commander to assign resources correctly. Once the resource is assigned, a person or agent is required to carry the task out.
One of the advantages of using an ontology is the ability to create chained relations (compositions of relations). In NAPO chained relations allow the user to query classes and individuals that are not directly linked. Referring back to the sensors and subordinates example, the hasAccessSupportingTask relation binds certain officers to a task based on which sensors they can use. This eliminates the need to construct complex queries. Fig. 5 illustrates the underlying relations graphically.
The next section looks at the queries that can be posed in the proposed ontology that aid in the decision making of a commander.
3.1 Planning support queries
The aim of this ontology is to support planning and tasking during an operation. The associated reasoner will point out inconsistencies in the knowledge base. This is essential to ensure that tasks are assigned to capable officers and that resources are properly utilised.
In addition, the reasoner adds implicit information to the knowledge base. This allows entities to be automatically classified with minimal information entered. Fig. 6 shows an example of the reasoner inferring TestTarget to belong to the Target class based on only four explicitly stated relations, without any prior classification.
With reference to Fig. 6:
* Panel 1 shows some individuals with the individual TestTarget selected.
* Panel 2 shows the explicitly stated relations for TestTarget.
* Panel 3 shows inferences made by the reasoner (i.e. implicit information). Inferred information appears in light yellow (or light grey if the figure is not viewed in colour).
* The left side window in this panel shows how TestTarget is classified by the reasoner to be a member of the class Target.
* The right side window in this panel shows the implicit (inferred) relations added by the reasoner. These inferred relations are the two relations at the bottom of the list.
In a relational database, TestTarget would not be returned in a selection of targets, as it was not explicitly defined as one. This may potentially affect an operation if a target is left out during the planning phase. The semantic information represented in an ontology overcomes this limitation. After the inference is made, a user can query the list of targets, which shows all possible targets.
A common decision required for planning an operation is deciding who to deploy for the tasks that form part of the operation. To aid in this decision process, the proposed ontology can be queried to search for all the subordinates that have access to certain sensors needed for a specific task. Fig. 7 shows the result of such a query.
With reference to Fig. 7:
* Panel 1 shows the query window with the question: "Who can perform a Reconnaissance Task?" in Description Logic (DL) syntax.
* Panel 2 shows the results of the query in the form of individuals.
The reasoner associated with the ontology model can infer implicit relations without the need to explicitly define them. In a relational database model, one would need to specify specific fields for a Reconnaissance task to return a list of subordinates.
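The inferences described in Section 3 (the commands/commandedBy inverse pair, the chained hasAccessSupportingTask relation, the classification of TestTarget as a Target from its asserted relations alone, and the "who can perform a Reconnaissance task?" query) can be reproduced in a few dozen lines. The block below is an added example, not the paper's NAPO ontology nor Protégé or an OWL reasoner; it implements a tiny forward-chaining reasoner with just the axiom types those passages rely on. The individual names (Loc_DMZ, Sensor_NetScan, SubordinateB and so on), the definition of Target as "hasLocation some Location and hasVulnerability some Vulnerability", and the chain hasAccessTo o supportsTask are constructed assumptions for illustration.

```python
"""Minimal forward-chaining reasoner mimicking the OWL features NAPO relies on.
Added example; not the paper's ontology. Names and axioms below are constructed."""
from collections import defaultdict


class MiniReasoner:
    def __init__(self):
        self.triples = set()                 # asserted + inferred (subject, relation, object)
        self.types = defaultdict(set)        # individual -> classes it is known to belong to
        self.subclass_of = defaultdict(set)  # class -> direct superclasses
        self.inverse = []                    # (p, q): x p y  implies  y q x
        self.chain = []                      # (p, q, r): x p y and y q z  imply  x r z
        self.defined = {}                    # class -> [(relation, filler class)], all required

    def add_triple(self, s, p, o):
        self.triples.add((s, p, o))

    def add_type(self, individual, cls):
        self.types[individual].add(cls)

    def individuals(self):
        names = set(self.types)
        for s, _, o in self.triples:
            names.update((s, o))
        return names

    def has_some(self, individual, relation, filler):
        """DL existential check: individual has `relation` to some member of `filler`."""
        return any(p == relation and filler in self.types[o]
                   for s, p, o in self.triples if s == individual)

    def reason(self):
        """Apply every rule until nothing new appears (a fixpoint). Terminates because
        each pass only adds facts drawn from a finite set of names."""
        changed = True
        while changed:
            changed = False
            new = set()
            for s, p, o in self.triples:
                for a, b in self.inverse:                      # owl:inverseOf
                    if p == a:
                        new.add((o, b, s))
                    if p == b:
                        new.add((o, a, s))
                for a, b, r in self.chain:                     # owl:propertyChainAxiom
                    if p == a:
                        new.update((s, r, o2) for s2, p2, o2 in self.triples
                                   if p2 == b and s2 == o)
            if not new <= self.triples:
                self.triples |= new
                changed = True
            for ind in self.individuals():
                for cls in list(self.types[ind]):              # rdfs:subClassOf
                    for sup in self.subclass_of[cls]:
                        if sup not in self.types[ind]:
                            self.types[ind].add(sup)
                            changed = True
                for cls, restrictions in self.defined.items():  # owl:equivalentClass (conjunction)
                    if cls not in self.types[ind] and all(
                            self.has_some(ind, rel, filler) for rel, filler in restrictions):
                        self.types[ind].add(cls)
                        changed = True
        return self

    def members(self, cls):
        return sorted(i for i in self.individuals() if cls in self.types[i])

    def query_some(self, relation, filler):
        """Answer a DL query of the form `relation some Filler` (Fig. 7 style)."""
        return sorted(i for i in self.individuals() if self.has_some(i, relation, filler))


def build_napo_sample():
    """Constructed knowledge base echoing the paper's examples (hypothetical data)."""
    kb = MiniReasoner()
    # Schema: hierarchy, inverse pair, chain, and the defined Target class
    kb.subclass_of["ReconnaissanceTask"].add("Task")
    kb.inverse.append(("commands", "commandedBy"))
    kb.chain.append(("hasAccessTo", "supportsTask", "hasAccessSupportingTask"))
    kb.defined["Target"] = [("hasLocation", "Location"), ("hasVulnerability", "Vulnerability")]
    # Individuals: TestTarget is never asserted to be a Target, only its relations are
    kb.add_type("Loc_DMZ", "Location")
    kb.add_type("Vuln_OutdatedWebServer", "Vulnerability")
    kb.add_triple("TestTarget", "hasLocation", "Loc_DMZ")
    kb.add_triple("TestTarget", "hasVulnerability", "Vuln_OutdatedWebServer")
    kb.add_triple("CommanderA", "commands", "SubordinateB")
    kb.add_triple("CommanderA", "commands", "SubordinateC")
    kb.add_type("ReconScan", "ReconnaissanceTask")
    kb.add_type("Sensor_NetScan", "Sensor")
    kb.add_type("Sensor_LogCollector", "Sensor")
    kb.add_triple("Sensor_NetScan", "supportsTask", "ReconScan")
    kb.add_triple("Sensor_NetScan", "detectsVulnerability", "Vuln_OutdatedWebServer")
    kb.add_triple("SubordinateB", "hasAccessTo", "Sensor_NetScan")
    kb.add_triple("SubordinateC", "hasAccessTo", "Sensor_LogCollector")
    return kb.reason()


if __name__ == "__main__":
    kb = build_napo_sample()
    print("Targets:", kb.members("Target"))                       # ['TestTarget']
    print("commandedBy:", sorted(t for t in kb.triples if t[1] == "commandedBy"))
    print("Recon capable:", kb.query_some("hasAccessSupportingTask", "ReconnaissanceTask"))
```

Run as a script it prints the inferred Target membership, the inverse commandedBy facts and the subordinate bound to the reconnaissance task through the chain. Note what is not asserted anywhere: no row says TestTarget is a Target and no row links SubordinateB to ReconScan; both follow from the axioms, which is the point made about the relational-database comparison above. The fixpoint loop is the simplification: a real OWL reasoner also checks consistency and handles far richer constructs, but the closure computed here is the part a planner consumes.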
4. Conclusion and future work
As warfare begins to move away from the physical battlefield and onto the cyber realm, it becomes important to build the necessary capabilities. To aid in the effort of building such a capability, this paper presents an ontology to serve as a planning tool for cyber attack and counter-measure planning.
With new threats being discovered on a regular basis, the rigid structure of database schema becomes inflexible and thus difficult to maintain, due to coupling. Coupling is the measure of dependence between two items. The use of an ontology allows the user to alter and expand the structure without needing to worry about coupling. In addition to the easier sharing and upkeep, this paper demonstrated the benefits of semantic reasoning in the cyber domain.
Semantic representation and automated reasoning allow inferences to be made without stating all information explicitly. This plays a potential role in the planning process as it unveils information that is not apparent. For example, identifying additional targets during an operation may reveal weak links that might be exposed or that require hardening.
The proposed ontology is still in its infancy. The authors aim to extend the ontology such that it can be used as an operational tool. This extension includes enriching the content by adding more classes, relations and individuals, which will further the development of ontological approaches to planning network attacks and counter-measures. In the future this ontology can also be merged with a higher or lower level ontology.
References
Abdoli, F. and Kahani, M. (2009) "Ontology-based distributed intrusion detection system", The 14th International Computer Conference (CSICC 2009), pp. 65-70.
Belk, R. and Noyes, M. (2012) "On the Use of Offensive Cyber Capabilities", Master's thesis, Harvard Kennedy School. http://www.dtic.mil/docs/citations/ADA561817.
Boury-Brisset, A. (2003) "Ontology-based Approach for Information Fusion", Proceedings of the Sixth International Conference on Information Fusion.
Curts, R.J. and Campbell, D.E. (2005) "Building an Ontology for Command & Control", Proceedings of the 10th International Command and Control Research and Technology Symposium.
Dean, S.E. (editor). (2013). Adapted from: "Cyber Defence: Securing Military Systems and Critical Civilian Infrastructure" appeared in Electronic 9/11: HRISCQ Hampton Roads International Security Quarterly, Vol. XIII, nr. 3: Transatlantic Euro-American Multimedia LLC.
Frye, L.; Cheng, L. & Heflin, J. (2012) "An ontology-based system to identify complex network attacks", International Conference on Communications (ICC), pp. 6683-6688.
Gruber, T. (1993) "A translation approach to portable ontology specifications", Knowledge Acquisition, Vol 5.
Korns, S. W., & Kastenberg, J. E. (2008) "Georgia's cyber left hook". Parameters, Vol. 38, no. 4, pp. 60-76.
Li, W. and Tian, S. (2010) "An ontology-based intrusion alerts correlation system", Expert Systems with Applications, Elsevier, Vol 37, pp. 7138-7146.
Mandujano, S. (2005) "An ontology-supported outbound intrusion detection system", Proceedings of the 10th Conference on Artificial Intelligence and Applications.
Mouton, F., Leenen, L., Malan, M.M., and Venter, H.S. (2014) "Towards an ontological model defining the social engineering domain", 11th Human Choice and Computers International Conference, Turku, Finland, July 2014, pp. 266-279.
Nguyen, D.N., Kopena, J.B., Loo, B.T. and Regli, W.C. (2010) "Ontologies for Distributed Command and Control Messaging", Proceedings of International Conference on Formal Ontology in Information Systems (FOIS).
Noy, N. F., and McGuinness, D. L. (2001) "Ontology development 101: A guide to creating your first ontology", Stanford knowledge systems laboratory technical report KSL-01-05 and Stanford medical informatics technical report SMI-2001-0880.
Rochaeli, T. and Eckert, C. (2005) "RBAC policy engineering with patterns", W9: The Semantic Web and Policy Workshop (SWPW), pp. 148-153.
Symantec Corporation. (2014) "Internet Security Threat Report", Volume 19. http://www.symantec.com/security_response/publications/threatreport.jsp
Smith, B., Miettinen, K. and Mandrick, W. (2009) "The Ontology of Command and Control", Proceedings of the 14th International Command and Control Research and Technology Symposium.
Stoutenberg, S., Obrst, L., McCandless, D., Nichols, D., Franklin, P., Prausa, R. and Sward, R. (2007) "Ontologies for Rapid Integration of Heterogeneous Data for Command, Control & Intelligence", Ontology for the Intelligence Community.
Tolk, A. and Smith, B. (2011) "Command and Control Ontology", International Journal of Intelligent Defence Support Systems, Vol. 4, 209.
van Heerden, R. P., Burke, I. and Irwin, B. (2012a) "Classifying Network Attack Scenarios Using an Ontology", Proceedings of the 7th International Conference on Information-Warfare & Security (ICIW 2012), pp. 311-324.
van Heerden, R. P., Irwin, B., Burke, I. D. and Leenen, L. (2012b) "A Computer Network Attack Taxonomy and Ontology", International Journal of Cyber Warfare and Terrorism (IJCWT), Vol. 2, no. 3, pp. 12-25.
Peter Chan (2), Jacques Theron (1), Renier van Heerden (2, 3) and Louise Leenen (2)
1 South African National Defence Force (SANDF), South Africa
2 DPSS, CSIR, South Africa
3 Dept of Computer Science, Rhodes University, South Africa
Peter Chan is a researcher at the Council for Scientific and Industrial Research (CSIR). His research interests are in formal methods of computing, cybersecurity awareness and network security.
Dr. Renier van Heerden is a senior researcher at the Council for Scientific and Industrial Research (CSIR) in Pretoria, South Africa, in the field of Information Warfare. Prior to joining the CSIR he worked as a software engineer in advanced optics applications for South African based Denel Optronics and as a Lecturer at the University of Pretoria. Renier obtained a degree in Electronic Engineering and a Masters in Computer Engineering at the University of Pretoria, and a PhD at Rhodes University.
Copyright Academic Conferences International Limited 2015