Frequently Asked Questions

What is D3FEND?

D3FEND is a knowledge base, but more specifically a knowledge graph, of cybersecurity countermeasure techniques. In the simplest sense, it is a catalog of defensive cybersecurity techniques and their relationships to offensive/adversary techniques. The primary goal of the initial D3FEND release is to help standardize the vocabulary used to describe defensive cybersecurity technology functionality.

What is D3FEND not?

D3FEND does not prescribe specific countermeasures, it does not prioritize them, and it does not characterize their effectiveness. However, standardizing the vocabulary we use to describe technical countermeasures may help us solve those problems.

Who is D3FEND for?

D3FEND has multiple audiences. The most immediate is security systems architecture experts and technical executives making acquisition or investment decisions. If you need to understand how cyber defenses work in granular detail, D3FEND is meant to be a good starting point.

What are D3FEND use cases?

The dominant use case thus far has been to inform acquisition and investment. It can do this in two ways.

First, it can be used to compare the claimed functionality in multiple product solution sets with a common defensive technique taxonomy. This makes it possible to identify product differences and product gaps relative to desired functionality in a more precise, consistent, and repeatable manner.

Second, it can suggest a potential testing scope for the defensive techniques in terms of relevant offensive techniques. This is done by identifying a product or product set's claimed defensive techniques, then querying D3FEND for the potentially related offensive techniques. An offensive test plan can be constructed by selecting combinations of the related offensive techniques. This sort of testing can be useful to determine how well a defensive product performs its claimed functionality.

What is the maturity level of D3FEND?

As of 1.0.0, D3FEND is now considered stable, we use semantic version to indicate the degree of changes from release to release.

How often is D3FEND updated?

Quarterly.

What does a listed reference in D3FEND mean or imply?

D3FEND references several different types of internet links. For example, patents, external knowledgebases, open specifications, and even open-source code repositories. The references are used for the purposes of developing the generic countermeasure technique knowledgebase article.

Why does D3FEND reference patents?

The patent corpus was our initial focus for multiple reasons. There is strong motivation for inventors, investors, and organizations to describe and distinguish how their cybersecurity technologies work in patents. This due to the various protections patents provide for intellectual property owners. It is also a highly curated corpus with category codes, citations, and an official legally authoritative assessment of the novelty of their claims. In our experience, vendor white papers and marketing material do not sufficiently explain how the technologies work at an engineering level, nor do they do so in as uniform a manner as patents. To date, there appears to be no comprehensive public analysis of the cybersecurity patent corpus for the purpose of developing a knowledge graph of cyber countermeasures.

This corpus, while useful, has numerous issues that need to be understood when using it for our purpose. In some cases, the corpus is adversarial. For example, in academic papers, the citations tend to have high fidelity because researchers are incentivized to accurately represent prior scientific knowledge. Patents also have citations and prior art enumerations. However, these are often selected to bolster the case that the new patent is truly novel, useful, and non-obvious for business purposes. This is done without the peer review process used in academia.

What does D3FEND stand for?

Detection, Denial, and Disruption Framework Empowering Network Defense.

How can I contribute?

Please see our page on how to contribute.