@prefix d3f: . @prefix dcterms: . @prefix owl: . @prefix rdf: . @prefix rdfs: . @prefix skos: . @prefix xsd: . a owl:Ontology ; owl:versionIRI ; rdfs:comment "Use of the D3FEND Knowledge Graph, and the associated references from this ontology are subject to the Terms of Use. D3FEND is funded by the National Security Agency (NSA) Cybersecurity Directorate and managed by the National Security Engineering Center (NSEC) which is operated by The MITRE Corporation. D3FEND™ and the D3FEND logo are trademarks of The MITRE Corporation. This software was produced for the U.S. Government under Basic Contract No. W56KGU-18-D0004, and is subject to the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation Clause 252.227-7014 (FEB 2012) Copyright 2022 The MITRE Corporation." ; owl:versionInfo "1.4.0" ; d3f:release-date "2026-03-31T00:12:00+00:00"^^xsd:dateTime ; dcterms:description "D3FEND is a framework which encodes a countermeasure knowledge base as a knowledge graph. The graph contains the types and relations that define key concepts in the cybersecurity countermeasure domain and the relations necessary to link those concepts to each other. Each of these concepts and relations are linked to references in the cybersecurity literature." ; dcterms:license "MIT" ; dcterms:title "D3FEND™ - A knowledge graph of cybersecurity countermeasures" . ### Object Properties d3f:abuses a owl:ObjectProperty ; rdfs:label "abuses" ; skos:altLabel "misapplies", "misuses" ; rdfs:subPropertyOf d3f:uses ; rdfs:isDefinedBy ; d3f:definition "x abuses y: The entity x applies an artifact y to a wrong thing or person; x applies y badly or incorrectly." . d3f:access-mediated-by a owl:ObjectProperty ; rdfs:label "access-mediated-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:mediates-access-to ; d3f:definition "x access-mediated-by y: The entity or resource x has its access regulated, controlled, or facilitated by entity y, which acts as an intermediary or gatekeeper to enforce access control policies." . d3f:accessed-by a owl:ObjectProperty ; rdfs:label "accessed-by" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-be-accessed-by ; owl:inverseOf d3f:accesses ; d3f:definition "x accessed-by y: The entity or resource x is accessed by entity y." . d3f:accesses a owl:ObjectProperty ; rdfs:label "accesses" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-access ; rdfs:isDefinedBy ; d3f:definition "x accesses y: The subject x takes the action of reading from, writing into, or executing the stored information in the object y. Reads, writes, and executes are specific cases of accesses." . d3f:addressed-by a owl:ObjectProperty ; rdfs:label "addressed-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:addresses ; d3f:definition "x addressed-by y: Relates a resource x (e.g., network host, peripheral device, disk sector, a memory cell or other logical or physical entity) to a discrete address y in an address space that points to it." . d3f:addresses a owl:ObjectProperty ; rdfs:label "addresses" ; skos:altLabel "points-to" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x addresses y: Relates a pointer x to a digital artifact y located in the address space to which x points. The address space is part of some digital store, whether it be in memory, an image, or a persistent storage device." ; rdfs:seeAlso , . d3f:adds a owl:ObjectProperty ; rdfs:label "adds" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-add ; d3f:definition "x adds y: The subject x adds a data object y, such as a file, to some other digital artifact, such as a directory. Examples include an agent or technique adding a record to a database or a domain entry to a DNS server." . d3f:analyzes a owl:ObjectProperty ; rdfs:label "analyzes" ; rdfs:subPropertyOf d3f:associated-with, d3f:detects ; rdfs:isDefinedBy ; d3f:definition "x analyzes y: The subject x breaks down object y into components or essential features, assessing y by quantitative methods, qualitative methods, or both. Usually the analysis is done in terms of some model or framework." . d3f:associated-with a owl:ObjectProperty ; rdfs:label "associated-with" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x associated-with y: The subject x and object y are associated in some way. This is the most general definite relationship in d3fend (i.e., most general relationship that is not prefixed by 'may-'.)" ; rdfs:seeAlso . d3f:attached-to a owl:ObjectProperty ; rdfs:label "attached-to" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x attached-to y: A subject x is joined in close association to an object y." ; rdfs:seeAlso d3f:connects . d3f:attack-may-be-countered-by a owl:ObjectProperty ; rdfs:label "attack-may-be-countered-by" ; rdfs:subPropertyOf d3f:may-be-tactically-associated-with . d3f:authenticates a owl:ObjectProperty ; rdfs:label "authenticates" ; rdfs:subPropertyOf d3f:associated-with, d3f:hardens ; rdfs:isDefinedBy ; d3f:definition "x authenticates y: The subject x establishes the authenticity of some y. This relation indicates an authentication event has occurred." . d3f:authorizes a owl:ObjectProperty ; rdfs:label "authorizes" ; rdfs:subPropertyOf d3f:associated-with, d3f:hardens ; rdfs:isDefinedBy ; d3f:definition "x authorizes y: A subject x grants authorization or clearance for an agent y to use an object. This relation indicates an authorization event has occurred." ; rdfs:seeAlso . d3f:blocks a owl:ObjectProperty ; rdfs:label "blocks" ; rdfs:subPropertyOf d3f:counters, d3f:filters, d3f:may-block ; rdfs:isDefinedBy ; d3f:definition "x blocks y: The entity x blocks off the use of digital artifact y by reference to a block or allow list (or both.)" . d3f:broader a owl:ObjectProperty ; rdfs:label "broader" ; rdfs:subPropertyOf d3f:semantic-relation ; d3f:definition "x broader y: The entity x represents a more general or inclusive concept than entity y." . d3f:broader-transitive a owl:ObjectProperty ; rdfs:label "broader-transitive" ; rdfs:subPropertyOf d3f:semantic-relation ; d3f:definition "x broader-transitive y: The entity x represents a more general concept than entity y, including indirect or hierarchical relationships where x encompasses y through intermediate entities." . d3f:carried-by a owl:ObjectProperty ; rdfs:label "carried-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:carries ; d3f:definition "x carried-by y: The information entity x is dependent upon the entity y for its storage, transport, or communication. Entity y serves as the necessary bearer or link from which x can be recovered or interpreted." . d3f:carries a owl:ObjectProperty ; rdfs:label "carries" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x carries y: The entity x serves as the bearer or link for information y, enabling y to be stored, transported, or communicated such that y can be recovered or interpreted from x" . d3f:caused-by a owl:ObjectProperty ; rdfs:label "caused-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:causes ; rdfs:isDefinedBy ; d3f:definition "x caused-by y: The event or action x occurs as a consequence of event or action y." . d3f:causes a owl:ObjectProperty ; rdfs:label "causes" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x causes y: The event or action x brings about event or action y as a consequence." . d3f:communicates-with a owl:ObjectProperty, owl:SymmetricProperty ; rdfs:label "communicates-with" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x communicates-with y: x and y exchange signals or data bidirectionally, enabling mutual awareness, coordination, or interaction." . d3f:configures a owl:ObjectProperty ; rdfs:label "configures" ; rdfs:subPropertyOf d3f:associated-with, d3f:hardens ; d3f:definition "x configures y: The entity x sets the operational parameters of entity y, determining how y will operate." . d3f:connected-to a owl:ObjectProperty ; rdfs:label "connected-to" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x connected-to y: The subject x shares a direct physical or logical link with object y such that communication is possible between them without intermediate routing." . d3f:connects a owl:ObjectProperty ; rdfs:label "connects" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x connects y: The subject x joins system y by means of communication equipment (to some other system, typically the adversary-targeted host)." . d3f:contained-by a owl:ObjectProperty, owl:TransitiveProperty ; rdfs:label "contained-by" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-be-contained-by ; owl:inverseOf d3f:contains ; d3f:definition "x contained-by y: The entity x exists within or is physically or logically enclosed by entity y." . d3f:contains a owl:ObjectProperty, owl:TransitiveProperty ; rdfs:label "contains" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-contain ; rdfs:isDefinedBy ; d3f:definition "x contains y: A core relation that holds between a whole x and its part y. Equivalent to relational concept 'has part' and thus transitive." . d3f:controlled-by a owl:ObjectProperty ; rdfs:label "controlled-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:controls ; d3f:definition "x controlled-by y: x's operation or behavior is directed or regulated by y." . d3f:controls a owl:ObjectProperty ; rdfs:label "controls" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x controls y: x directs or regulates y's operational state, behavior, or function." . d3f:copies a owl:ObjectProperty ; rdfs:label "copies" ; rdfs:subPropertyOf d3f:creates ; rdfs:isDefinedBy ; d3f:definition "x copies y: A technique or agent x reproduces or makes an exact copy of some digital artifact y." . d3f:copy-of a owl:ObjectProperty ; rdfs:label "copy-of" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x copy-of y: The subject x is a duplicate of the object y." . d3f:corrupts a owl:ObjectProperty ; rdfs:label "corrupts" ; rdfs:subPropertyOf d3f:impairs ; d3f:definition "x corrupts y: The entity x causes y to enter an incorrect, inconsistent, or unintended state by modifying y's information-bearing content (e.g., a bit, symbol, word, configuration cell, or stored parameter) such that y's value no longer matches the expected or previously valid value." . d3f:counters a owl:ObjectProperty ; rdfs:label "counters" ; rdfs:subPropertyOf d3f:may-counter . d3f:created-by a owl:ObjectProperty ; rdfs:label "created-by" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-be-created-by ; owl:inverseOf d3f:creates ; d3f:definition "x created-by y: The entity x is brought into existence, developed, or generated by entity y." . d3f:creates a owl:ObjectProperty ; rdfs:label "creates" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-create ; rdfs:isDefinedBy ; d3f:definition "x creates y: The subject x brings into existence an object y. Some technique or agent x creates a persistent digital artifact y (as opposed to production of a consumable or transient object.); i.e., bring forth or generate." ; rdfs:seeAlso d3f:produces . d3f:d3fend-general-object-property a owl:ObjectProperty ; rdfs:label "d3fend-general-object-property" ; rdfs:subPropertyOf d3f:d3fend-object-property . d3f:d3fend-kb-object-property a owl:ObjectProperty ; rdfs:label "d3fend-kb-object-property" ; rdfs:subPropertyOf d3f:d3fend-object-property ; d3f:definition "x d3fend-kb-object-property y: The object y is a d3fend knowledge base object property. These properties allow the linkage of knowledge and information supporting and illustrating the d3fend model." . d3f:d3fend-object-property a owl:ObjectProperty ; rdfs:label "d3fend-object-property" . d3f:d3fend-process-object-property a owl:ObjectProperty ; rdfs:label "d3fend-process-object-property" ; rdfs:subPropertyOf d3f:d3fend-object-property . d3f:d3fend-tactical-verb-property a owl:ObjectProperty ; rdfs:label "d3fend-tactical-verb-property" ; rdfs:subPropertyOf d3f:d3fend-object-property . d3f:d3fend-use-case-object-property a owl:ObjectProperty ; rdfs:subPropertyOf d3f:d3fend-object-property . d3f:deceives a owl:ObjectProperty ; rdfs:label "deceives" ; rdfs:subPropertyOf d3f:counters . d3f:deceives-with a owl:ObjectProperty ; rdfs:label "deceives-with" ; rdfs:subPropertyOf d3f:d3fend-tactical-verb-property ; d3f:definition "x deceives-with y: The entity x misleads or manipulates another entity using y as a tool, method, or mechanism to create false perceptions or understanding." . d3f:decodes a owl:ObjectProperty ; rdfs:label "decodes" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x decodes y: The entity x transforms data y to a different form, usually through decompression." . d3f:deletes a owl:ObjectProperty ; rdfs:label "deletes" ; rdfs:subPropertyOf d3f:evicts, d3f:modifies ; rdfs:isDefinedBy ; d3f:definition "x deletes y: A technique or agent x wipes out the digitally or magnetically recorded information of digital object y." . d3f:dependent a owl:ObjectProperty ; rdfs:label "dependent" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x dependent y: A dependent y is an entity that requires the fulfillment of the requirements specified in dependency x." . d3f:depends-on a owl:ObjectProperty ; rdfs:label "depends-on" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:has-dependent ; rdfs:isDefinedBy ; d3f:definition "x depends-on y: The entity x is contingent on y being available; x relies on y." ; rdfs:seeAlso . d3f:derived-from a owl:ObjectProperty ; rdfs:label "derived-from" ; rdfs:subPropertyOf d3f:depends-on ; d3f:definition "x derived-from y: The entity x is derived from or based on the value of y." . d3f:detects a owl:ObjectProperty ; rdfs:label "detects" ; rdfs:subPropertyOf d3f:counters, d3f:d3fend-tactical-verb-property ; d3f:definition "x detects y: The entity x discovers the presence, occurrence, or state of entity y through observation or measurement." . d3f:disables a owl:ObjectProperty ; rdfs:label "disables" ; rdfs:subPropertyOf d3f:evicts, d3f:may-disable, d3f:modifies ; rdfs:isDefinedBy ; d3f:definition "x disables y: The technique or agent x makes an entity y unable to perform its actions or capabilities." . d3f:drives a owl:ObjectProperty ; rdfs:label "drives" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x drives y: The device driver x causes a system component y to function by controlling it." ; rdfs:seeAlso . d3f:employed-by a owl:ObjectProperty ; rdfs:label "employed-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:employs ; rdfs:isDefinedBy ; d3f:definition "x employed-by y: An entity x is put into service by a technique or agent y. Inverse of y employs x." . d3f:employs a owl:ObjectProperty ; rdfs:label "employs" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x employs y: The entity x makes purposeful use of entity y to perform a function." . d3f:enabled-by a owl:ObjectProperty ; rdfs:label "enabled-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:enables ; rdfs:isDefinedBy ; d3f:definition "x enabled-by y: A top level technique y enables a tactic x, that is, the property indicates that a technique y is used to put a particular tactic x into action. In other words, y renders x capable or able for some task. Inverse of enables." . d3f:enables a owl:ObjectProperty ; rdfs:label "enables" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x enables y: A top level technique x enables a tactic y, that is, the property indicates that a technique x is used to put a particular tactic y into action. In other words, x renders y capable or able for some task." . d3f:encodes a owl:ObjectProperty ; rdfs:label "encodes" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x encodes y: The entity x transforms data y to a different form, usually through compression." . d3f:encrypts a owl:ObjectProperty ; rdfs:label "encrypts" ; rdfs:subPropertyOf d3f:associated-with, d3f:hardens ; rdfs:isDefinedBy ; d3f:definition "x encrypts y: The entity x converts the ordinary representation of a digital artifact y into a secret code." . d3f:end a owl:ObjectProperty ; rdfs:label "end" ; rdfs:subPropertyOf d3f:d3fend-process-object-property . d3f:enforces a owl:ObjectProperty ; rdfs:label "enforces" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x enforces y: Technique x forces entity y to be compliant with a law, rule, or obligation." . d3f:enumerates a owl:ObjectProperty ; rdfs:label "enumerates" ; rdfs:subPropertyOf d3f:reads ; d3f:definition "x enumerates y: The subject x takes the action of reading from a digital source y to acquire data and create a list of its contents." . d3f:erases a owl:ObjectProperty ; rdfs:label "erases" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x erases y: A technique x removes recorded data from storage device y creating space for new data." . d3f:evaluated-by a owl:ObjectProperty ; rdfs:label "evaluated-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:evaluates ; d3f:definition "x evaluated-by y: The entity x is assessed and analyzed by entity y." . d3f:evaluates a owl:ObjectProperty ; rdfs:label "evaluates" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-evaluate ; d3f:definition "x evaluates y: The entity x systematically assesses entity y to judge its state, quality, or risk." . d3f:evicts a owl:ObjectProperty ; rdfs:label "evicts" ; rdfs:subPropertyOf d3f:counters, d3f:d3fend-tactical-verb-property, d3f:may-evict ; d3f:definition "x evicts y: The entity x forcibly removes entity y from the environment or resource where y was residing." . d3f:exactly a owl:ObjectProperty ; rdfs:label "exactly" ; rdfs:subPropertyOf d3f:semantic-relation ; d3f:definition "x exactly y: The entity x is identical to or fully corresponds to entity y." . d3f:excises a owl:ObjectProperty ; rdfs:label "excises" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x excises y: Technique x removes a section of entity y." . d3f:executed-by a owl:ObjectProperty ; rdfs:label "executed-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:executes ; d3f:definition "x executed-by y: The entity or function x is carried out, performed, or run by entity y." . d3f:executes a owl:ObjectProperty ; rdfs:label "executes" ; rdfs:subPropertyOf d3f:accesses, d3f:may-execute, d3f:runs ; rdfs:isDefinedBy ; d3f:definition "x executes y: The subject x takes the action of carrying out (executing) y, which is a single software module, function, or instruction." . d3f:extends a owl:ObjectProperty ; rdfs:label "extends" ; rdfs:subPropertyOf d3f:modifies ; rdfs:isDefinedBy ; d3f:definition "x extends y: The entity x extends the scope or range or area of entity y, especially in the sense of widening the range of applications." . d3f:filters a owl:ObjectProperty ; rdfs:label "filters" ; rdfs:subPropertyOf d3f:associated-with, d3f:isolates ; rdfs:isDefinedBy ; d3f:definition "x filters y: An technique or agent x removes some specified set of of entities from the content of a digital artifact y, by passing an artifact's content through a filter. A filter is a device that removes something from whatever passes through it." ; rdfs:seeAlso , . d3f:forges a owl:ObjectProperty ; rdfs:label "forges" ; rdfs:subPropertyOf d3f:creates ; d3f:definition "x forges y: An technique or agent x counterfeits a digital artifact y, such as a fake credential, with the intent to deceive." ; rdfs:seeAlso . d3f:fork a owl:ObjectProperty ; rdfs:label "fork" ; rdfs:subPropertyOf d3f:d3fend-process-object-property . d3f:hardens a owl:ObjectProperty ; rdfs:label "hardens" ; rdfs:subPropertyOf d3f:counters, d3f:d3fend-tactical-verb-property ; d3f:definition "x hardens y: The entity x fortifies entity y to reduce its weaknesses so y can better withstand attack or failure." . d3f:has-account a owl:ObjectProperty ; rdfs:label "has-account" ; rdfs:subPropertyOf d3f:owns ; d3f:definition "x has-account y: The subject x has ownership or possession of some account y." ; rdfs:seeAlso . d3f:has-agent a owl:ObjectProperty ; rdfs:label "has-agent" ; rdfs:subPropertyOf d3f:has-participant ; d3f:definition "x has-agent y: The event x occurs because agent y actively carries it out." . d3f:has-audience a owl:ObjectProperty ; rdfs:label "has-audience" ; rdfs:subPropertyOf d3f:d3fend-use-case-object-property . d3f:has-contribution a owl:ObjectProperty ; rdfs:label "has-contribution" ; rdfs:subPropertyOf d3f:d3fend-kb-object-property . d3f:has-contributor a owl:ObjectProperty ; rdfs:label "has-contributor" ; rdfs:subPropertyOf d3f:d3fend-kb-object-property . d3f:has-dependent a owl:ObjectProperty ; rdfs:label "has-dependent" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x has-dependent y: The entity x is relied upon or required by entity y." . d3f:has-goal a owl:ObjectProperty ; rdfs:label "has-goal" ; rdfs:subPropertyOf d3f:d3fend-use-case-object-property . d3f:has-input a owl:ObjectProperty ; rdfs:label "has-input" ; rdfs:subPropertyOf d3f:has-participant ; rdfs:domain d3f:Event ; rdfs:range d3f:Artifact ; owl:inverseOf d3f:input-of ; d3f:definition "x has-input y: An event x has input y iff y is an artifact that is present at the start of x, provides material or information required for x to begin, and during x either y's state is altered or the information content it bears is realized." ; rdfs:seeAlso , . d3f:has-location a owl:ObjectProperty ; rdfs:label "has-location" ; skos:altLabel "located_in" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x has-location y: The entity x is situated in a particular spot or position y." ; rdfs:seeAlso . d3f:has-mediator a owl:ObjectProperty ; rdfs:label "has-mediator" ; rdfs:subPropertyOf d3f:has-participant ; d3f:definition "x has-mediator y: The entity x relies on or is facilitated by entity y." . d3f:has-member a owl:ObjectProperty ; rdfs:label "has-member" ; rdfs:subPropertyOf d3f:d3fend-kb-object-property ; owl:inverseOf d3f:member-of . d3f:has-operating-mode a owl:ObjectProperty ; rdfs:label "has-operating-mode" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x has-operating-mode y: The entity x is currently operating in or has the potential to be in operating mode y." . d3f:has-output a owl:ObjectProperty ; rdfs:label "has-output" ; rdfs:subPropertyOf d3f:has-participant ; rdfs:domain d3f:Event ; rdfs:range d3f:Artifact ; owl:inverseOf d3f:output-of ; d3f:definition "x has-output y: An event x has output y iff y is an artifact that is present at the end of x, was not present in the same state at the start of x, and whose presence at the end is required for x to be considered complete; the change in state may arise either from a transformation of y itself or from the realization of the information content y bears." ; rdfs:seeAlso , . d3f:has-participant a owl:ObjectProperty ; rdfs:label "has-participant" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:participates-in ; rdfs:isDefinedBy ; d3f:definition "x has-participant y: The event x involves an object y as a participant, indicating that y plays some role in the event, whether actively, passively, or otherwise." . d3f:has-prerequisite a owl:ObjectProperty ; rdfs:label "has-prerequisite" ; rdfs:subPropertyOf d3f:d3fend-use-case-object-property . d3f:has-procedure a owl:ObjectProperty ; rdfs:label "has-procedure" ; rdfs:subPropertyOf d3f:d3fend-general-object-property . d3f:has-recipient a owl:ObjectProperty ; rdfs:label "has-recipient" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x has-recipient y: An agent y is the intended recipient and decoder of the information contained in communication x." ; rdfs:seeAlso , . d3f:has-sender a owl:ObjectProperty ; rdfs:label "has-sender" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x has-sender y: An agent y is the sender and encoder of the information contained in communication x." ; rdfs:seeAlso . d3f:has-weakness a owl:ObjectProperty ; rdfs:label "has-weakness" ; rdfs:subPropertyOf d3f:may-have-weakness ; owl:inverseOf d3f:weakness-of ; d3f:definition "x has-weakness y: The entity x exhibits a condition y that could, in some circumstances, lead to a vulnerability." . d3f:hides a owl:ObjectProperty ; rdfs:label "hides" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:range d3f:DigitalArtifact ; d3f:definition "x hides y: A technique or operation x conceals the digital artifact y." . d3f:identified-by a owl:ObjectProperty ; rdfs:label "identified-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:identifies ; d3f:definition "x identified-by y: The entity x is recognized or described by entity y." . d3f:identifies a owl:ObjectProperty ; rdfs:label "identifies" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x identifies y: The entity x recognizes or brings attention to entity y, making it distinct or clear through naming, description, or discovery." . d3f:impairs a owl:ObjectProperty ; rdfs:label "impairs" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x impairs y: The entity or action x hinders entity y by reducing its normal function, capacity, or availability." . d3f:implemented-by a owl:ObjectProperty ; rdfs:label "implemented-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:implements ; d3f:definition "x implemented-by y: The entity x is realized or brought into operation by entity y." . d3f:implements a owl:ObjectProperty ; rdfs:label "implements" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x implements y: The entity x realizes entity y by putting its design or specification into effect." . d3f:initiates a owl:ObjectProperty ; rdfs:label "initiates" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x initiates y: The entity or action x starts or triggers entity or function y, bringing it into action." . d3f:injects a owl:ObjectProperty ; rdfs:label "injects" ; rdfs:subPropertyOf d3f:executes ; d3f:definition "x injects y: The subject x takes the action of exploiting a security flaw by introducing (injecting) y, which is code or data that will change the course of execution or state of a computing process to an alternate course or state. Typically code injection is associated with adversaries intending the alternate course to facilitate a malevolent purpose; however, code injection can be unintentional or the intentions behind it may be good or benign." ; rdfs:seeAlso , . d3f:input-of a owl:ObjectProperty ; rdfs:label "input-of" ; rdfs:subPropertyOf d3f:participates-in ; rdfs:domain d3f:Artifact ; rdfs:range d3f:Event ; d3f:definition "x input-of y: An artifact x is input of an event y iff x participates at the start of y, provides the material or information required for y to begin, and during y either x's state is altered or the information content it bears is realized." ; rdfs:seeAlso . d3f:installs a owl:ObjectProperty ; rdfs:label "installs" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x installs y: An entity x sets up digital artifact y for subsequent use. For example, an installation program can install application software." . d3f:instructed-by a owl:ObjectProperty ; rdfs:label "instructed-by" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x instructed-by y: A subject x takes machine instructions from object y." . d3f:instructs a owl:ObjectProperty ; rdfs:label "instructs" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x instructs y: A subject x delivers machine instructions to object y." . d3f:interprets a owl:ObjectProperty ; rdfs:label "interprets" ; rdfs:subPropertyOf d3f:executes, d3f:may-interpret ; d3f:definition "x interprets y: The subject x interprets the executable script y. The definition of interprets here is 'Parse the source code and perform its behavior directly.'" ; rdfs:seeAlso . d3f:inventoried-by a owl:ObjectProperty ; rdfs:label "inventoried-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:inventories ; d3f:definition "x inventoried-by y: The entity x is cataloged, recorded, or tracked by entity y." . d3f:inventories a owl:ObjectProperty ; rdfs:label "inventories" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x inventories y: The entity x systematically discovers entity y and records its presence and key details for tracking." . d3f:invoked-by a owl:ObjectProperty ; rdfs:label "invoked-by" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-be-invoked-by ; owl:inverseOf d3f:invokes ; d3f:definition "x invoked-by y: The entity x is called, triggered, or activated by entity y." . d3f:invokes a owl:ObjectProperty ; rdfs:label "invokes" ; skos:altLabel "calls" ; rdfs:subPropertyOf d3f:executes, d3f:may-invoke ; rdfs:isDefinedBy ; d3f:definition "x invokes y: The subject x invokes a system service by use of an instruction object y that interrupts the program being executed and passes control to the operating system to perform that operation." ; rdfs:seeAlso . d3f:isolates a owl:ObjectProperty ; rdfs:label "isolates" ; rdfs:subPropertyOf d3f:associated-with, d3f:d3fend-tactical-verb-property ; rdfs:isDefinedBy ; d3f:definition "x isolates y: The technique or agent x sets digital artifact y apart from other digital artifacts, sequestering y." . d3f:jams a owl:ObjectProperty ; rdfs:label "jams" ; rdfs:subPropertyOf d3f:impairs ; d3f:definition "x jams y: The entity x deliberately introduces interfering energy that degrades, disrupts, blocks, or masks the information-bearing capability of the target y." . d3f:kb-reference a owl:ObjectProperty ; rdfs:label "kb-reference" ; skos:altLabel "has-technique-reference" ; rdfs:subPropertyOf d3f:d3fend-kb-object-property ; owl:inverseOf d3f:kb-reference-of . d3f:kb-reference-of a owl:ObjectProperty ; rdfs:label "kb-reference-of" ; skos:altLabel "kb-is-example-of" ; rdfs:subPropertyOf d3f:d3fend-kb-object-property ; rdfs:range d3f:CyberTechnique ; d3f:definition "x kb-is-example-of y: The reference x is an example of technique y." . d3f:limits a owl:ObjectProperty ; rdfs:label "limits" ; skos:altLabel "cutoff" ; rdfs:subPropertyOf d3f:restricts ; rdfs:isDefinedBy ; d3f:definition "x limits y: The entity x specifies a designated limit beyond which some entity y cannot function or must be terminated." ; rdfs:seeAlso . d3f:loaded-by a owl:ObjectProperty ; rdfs:label "loaded-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:loads ; d3f:definition "x loaded-by y: The entity x is brought into memory by entity y." . d3f:loads a owl:ObjectProperty ; rdfs:label "loads" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x loads y: The technique or process x transfers a software from storage y to a computer's memory for subsequent execution." . d3f:manages a owl:ObjectProperty ; rdfs:label "manages" ; skos:altLabel "oversees", "supervises" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x manages y: The technique or agent x watches and directs the use of digital artifact y." . d3f:mapped-by a owl:ObjectProperty ; rdfs:label "mapped-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:maps ; d3f:definition "x mapped-by y: The entity x is linked to another entity by entity y." . d3f:maps a owl:ObjectProperty ; rdfs:label "maps" ; rdfs:subPropertyOf d3f:may-map ; d3f:definition "x maps y: The entity x discovers and records how entity y is arranged and interconnected." . d3f:may-access a owl:ObjectProperty ; rdfs:label "may-access" ; rdfs:subPropertyOf d3f:may-be-associated-with ; owl:inverseOf d3f:may-be-accessed-by ; d3f:definition "x may-access y: The entity x may access the thing y; that is, 'x accesses y' may be true." . d3f:may-add a owl:ObjectProperty ; rdfs:label "may-add" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-add y: The entity x may add the thing y; that is, 'x adds y' may be true." . d3f:may-be-accessed-by a owl:ObjectProperty ; rdfs:label "may-be-accessed-by" ; rdfs:subPropertyOf d3f:may-be-associated-with . d3f:may-be-associated-with a owl:ObjectProperty ; rdfs:label "may-be-associated-with" ; rdfs:subPropertyOf d3f:d3fend-object-property ; d3f:definition "x may-be-associated-with y: The subject x and object y may be associated in some way." ; rdfs:seeAlso . d3f:may-be-contained-by a owl:ObjectProperty, owl:TransitiveProperty ; rdfs:label "may-be-contained-by" ; rdfs:subPropertyOf d3f:may-be-associated-with ; owl:inverseOf d3f:may-contain . d3f:may-be-created-by a owl:ObjectProperty ; rdfs:label "may-be-created-by" ; rdfs:subPropertyOf d3f:may-be-associated-with ; owl:inverseOf d3f:may-create . d3f:may-be-deceived-by a owl:ObjectProperty ; rdfs:label "may-be-deceived-by" ; rdfs:subPropertyOf d3f:attack-may-be-countered-by ; owl:inverseOf d3f:may-deceive ; d3f:pref-label "may be deceived by" . d3f:may-be-detected-by a owl:ObjectProperty ; rdfs:label "may-be-detected-by" ; rdfs:subPropertyOf d3f:attack-may-be-countered-by ; owl:inverseOf d3f:may-detect ; d3f:pref-label "may be detected by" . d3f:may-be-evicted-by a owl:ObjectProperty ; rdfs:label "may-be-evicted-by" ; rdfs:subPropertyOf d3f:attack-may-be-countered-by ; owl:inverseOf d3f:may-evict ; d3f:pref-label "may be evicted by" . d3f:may-be-hardened-against-by a owl:ObjectProperty ; rdfs:label "may-be-hardened-against-by" ; rdfs:subPropertyOf d3f:attack-may-be-countered-by ; owl:inverseOf d3f:may-harden ; d3f:pref-label "may be hardened against by" . d3f:may-be-invoked-by a owl:ObjectProperty ; rdfs:label "may-be-invoked-by" ; rdfs:subPropertyOf d3f:may-be-associated-with ; owl:inverseOf d3f:may-invoke . d3f:may-be-isolated-by a owl:ObjectProperty ; rdfs:label "may-be-isolated-by" ; rdfs:subPropertyOf d3f:attack-may-be-countered-by ; owl:inverseOf d3f:may-isolate ; d3f:pref-label "may be isolated by" . d3f:may-be-modified-by a owl:ObjectProperty ; rdfs:label "may-be-modified-by" ; rdfs:subPropertyOf d3f:may-be-associated-with ; owl:inverseOf d3f:may-modify . d3f:may-be-tactically-associated-with a owl:ObjectProperty ; rdfs:label "may-be-tactically-associated-with" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-be-tactically-associated-with y: the defensive action x may be a tactic that counters offensive action y." . d3f:may-be-weakness-of a owl:ObjectProperty ; rdfs:label "may-be-weakness-of" ; rdfs:subPropertyOf d3f:may-be-associated-with ; rdfs:domain d3f:Weakness ; rdfs:range d3f:Artifact ; owl:inverseOf d3f:may-have-weakness . d3f:may-block a owl:ObjectProperty ; rdfs:label "may-block" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-block y: They entity x may block the thing y; that is, 'x blocks y' may be true." . d3f:may-contain a owl:ObjectProperty, owl:TransitiveProperty ; rdfs:label "may-contain" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "to potentially have as contents or constituent parts; comprise; include." . d3f:may-corrupt a owl:ObjectProperty ; rdfs:label "may-corrupt" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-corrupt y: They entity x may corrupt y's information content; that is, 'x corrupts y' may be true." . d3f:may-counter a owl:ObjectProperty ; rdfs:label "may-counter" ; rdfs:subPropertyOf d3f:may-be-associated-with . d3f:may-counter-attack a owl:ObjectProperty ; rdfs:label "may-counter-attack" ; rdfs:subPropertyOf d3f:may-be-tactically-associated-with . d3f:may-create a owl:ObjectProperty ; rdfs:label "may-create" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-create y: The entity x may create the entity y; that is, 'x creates y' may be true." . d3f:may-deceive a owl:ObjectProperty ; rdfs:label "may-deceive" ; rdfs:subPropertyOf d3f:may-counter-attack ; d3f:pref-label "may deceive" . d3f:may-detect a owl:ObjectProperty ; rdfs:label "may-detect" ; rdfs:subPropertyOf d3f:may-counter-attack ; d3f:pref-label "may detect" . d3f:may-disable a owl:ObjectProperty ; rdfs:label "may-disable" ; rdfs:subPropertyOf d3f:may-evict . d3f:may-evaluate a owl:ObjectProperty ; rdfs:label "may-evaluate" ; rdfs:subPropertyOf d3f:may-be-associated-with . d3f:may-evict a owl:ObjectProperty ; rdfs:label "may-evict" ; rdfs:subPropertyOf d3f:may-counter, d3f:may-counter-attack ; d3f:pref-label "may evict" . d3f:may-execute a owl:ObjectProperty ; rdfs:label "may-execute" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-execute y: The subject x may take the action of carrying out (executing) y, which is a single software module, function, or instruction." . d3f:may-harden a owl:ObjectProperty ; rdfs:label "may-harden" ; rdfs:subPropertyOf d3f:may-counter-attack ; d3f:pref-label "may harden" . d3f:may-have-weakness a owl:ObjectProperty ; rdfs:label "may-have-weakness" ; rdfs:subPropertyOf d3f:may-be-associated-with ; rdfs:domain d3f:Artifact ; rdfs:range d3f:Weakness . d3f:may-interpret a owl:ObjectProperty ; rdfs:label "may-interpret" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-interpret y: The entity x may interpret the thing y; that is, 'x interprets y' may be true." . d3f:may-invoke a owl:ObjectProperty ; rdfs:label "may-invoke" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-invoke y: The entity x may invoke the thing y; that is, 'x invokes y' may be true." . d3f:may-isolate a owl:ObjectProperty ; rdfs:label "may-isolate" ; rdfs:subPropertyOf d3f:may-counter-attack ; d3f:pref-label "may isolate" . d3f:may-map a owl:ObjectProperty ; rdfs:label "may-map" ; rdfs:subPropertyOf d3f:may-be-associated-with . d3f:may-modify a owl:ObjectProperty ; rdfs:label "may-modify" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-modify y: The entity x may modify the thing y; that is, 'x modifies y' may be true." . d3f:may-produce a owl:ObjectProperty ; rdfs:label "may-produce" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-produce y: The entity x may produce the thing y; that is, 'x produces y' may be true." . d3f:may-query a owl:ObjectProperty ; rdfs:label "may-query" ; rdfs:subPropertyOf d3f:may-be-associated-with . d3f:may-run a owl:ObjectProperty ; rdfs:label "may-run" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-run y: The entity x may run the thing y; that is, 'x runs y' may be true." . d3f:may-transfer a owl:ObjectProperty ; rdfs:label "may-transfer" ; rdfs:subPropertyOf d3f:may-be-associated-with ; d3f:definition "x may-transfer y: They entity x may send the thing y; that is, 'x transfers y' may be true." . d3f:mediates-access-to a owl:ObjectProperty ; rdfs:label "mediates-access-to" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x mediates-access-to y: The entity x controls and brokers requests to reach entity y, enforcing the access rules that allow or deny it." . d3f:member-of a owl:ObjectProperty ; rdfs:label "member-of" ; rdfs:subPropertyOf d3f:d3fend-kb-object-property . d3f:modified-by a owl:ObjectProperty ; rdfs:label "modified-by" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-be-modified-by ; owl:inverseOf d3f:modifies ; d3f:definition "x modified-by y: The entity x is changed by entity y." . d3f:modifies a owl:ObjectProperty ; rdfs:label "modifies" ; skos:altLabel "alters" ; rdfs:subPropertyOf d3f:accesses, d3f:associated-with, d3f:may-modify ; rdfs:isDefinedBy ; d3f:definition "x modifies y: A technique or agent x causes a digital object y to change; become different; or undertake a transformation. Afterwards, the data or state held by a digital object is changed." . d3f:modifies-part a owl:ObjectProperty ; rdfs:label "modifies-part" ; rdfs:subPropertyOf d3f:may-modify ; owl:propertyChainAxiom ( d3f:modifies d3f:contains ) ; d3f:definition "x modifies-part y: The entity x modifies a part of y. [Note: This is a rolification property for the rule 'if one modifies a part of a whole, they modify the whole.' Reasoning for this and similar semantics to come are under evaluation and not part of current d3fend inferences.]" . d3f:monitors a owl:ObjectProperty ; rdfs:label "monitors" ; rdfs:subPropertyOf d3f:associated-with, d3f:detects ; rdfs:isDefinedBy ; d3f:definition "x monitors y: The technique or agent x keep tabs on, keeps an eye on, or keeps the digital artifact y under surveillance." . d3f:narrower a owl:ObjectProperty ; rdfs:label "narrower" ; rdfs:subPropertyOf d3f:semantic-relation ; d3f:definition "x narrower y: The entity x represents a more specific or focused concept than entity y." . d3f:narrower-transitive a owl:ObjectProperty ; rdfs:label "narrower-transitive" ; rdfs:subPropertyOf d3f:semantic-relation ; d3f:definition "x narrower-transitive y: The entity x represents a more specific concept than entity y, including indirect or hierarchical relationships where x is a subset of y through intermediate entities." . d3f:neutralizes a owl:ObjectProperty ; rdfs:label "neutralizes" ; rdfs:subPropertyOf d3f:associated-with, d3f:hardens ; rdfs:isDefinedBy ; d3f:definition "x neutralizes y: The technique x makes the execution of actions of y ineffective by preventing or counterbalancing the effect of y." . d3f:next a owl:ObjectProperty ; rdfs:label "next" ; rdfs:subPropertyOf d3f:d3fend-process-object-property . d3f:obfuscates a owl:ObjectProperty ; rdfs:label "obfuscates" ; rdfs:subPropertyOf d3f:evicts, d3f:modifies ; rdfs:isDefinedBy ; d3f:definition "x obfuscates y: The technique x makes the digital artifact y unclear or obscure. Typically obfuscation is a way to hide a digital artifact from discovery, use, or both." ; rdfs:seeAlso . d3f:operates a owl:ObjectProperty ; rdfs:label "operates" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy "oewn-01513459-v" ; d3f:definition "x operates y: The entity x enables, activates, or controls the functioning or behavior of object y (operated entity), typically in accordance with the design or intended use of the operated entity." . d3f:originates-from a owl:ObjectProperty ; rdfs:label "originates-from" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x originates-from y: The digital event or artifact x began its network transit from a physical location y." . d3f:output-of a owl:ObjectProperty ; rdfs:label "output-of" ; rdfs:subPropertyOf d3f:participates-in ; rdfs:domain d3f:Artifact ; rdfs:range d3f:Event ; d3f:definition "x output-of y: An artifact x is output of an event y iff x must be present when y concludes, was absent in the same state when x began, and y counts as complete only when x is available at its end." ; rdfs:seeAlso . d3f:owns a owl:ObjectProperty ; rdfs:label "owns" ; skos:altLabel "possesses" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x owns y: The subject x has ownership or possession of some object y." ; rdfs:seeAlso . d3f:participates-in a owl:ObjectProperty ; rdfs:label "participates-in" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x participates-in y: The object x takes part in the event y, signifying that x contributes to or is affected by the event's occurrence in some way." . d3f:powered-by a owl:ObjectProperty ; rdfs:label "powered-by" ; rdfs:subPropertyOf d3f:depends-on ; owl:inverseOf d3f:powers ; d3f:definition "x powered-by y: x obtains its essential energy or force from y to perform its function or remain active." . d3f:powers a owl:ObjectProperty ; rdfs:label "powers" ; rdfs:subPropertyOf d3f:has-dependent ; d3f:definition "x powers y: x furnishes y with the energy or force required for y's functionality or operation." . d3f:preceded-by a owl:ObjectProperty ; rdfs:label "preceded-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:precedes ; rdfs:isDefinedBy ; d3f:definition "x preceded-by y: The event or action x occurs after event or action y in time." . d3f:precedes a owl:ObjectProperty ; rdfs:label "precedes" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x precedes y: The event or action x occurs before event or action y in time." . d3f:process-ancestor a owl:ObjectProperty, owl:TransitiveProperty ; rdfs:label "process-ancestor" ; rdfs:subPropertyOf d3f:process-property ; d3f:definition "x process-ancestor y: The process y is a process ancestor of process x, indicating one or more process creation events were conducted at process y and subsequently created process x." . d3f:process-image-path a owl:ObjectProperty ; rdfs:label "process-image-path" ; skos:altLabel "processImagePath" ; rdfs:subPropertyOf d3f:process-property ; d3f:definition "x process-image-path y: The filepath y is the process image path for the process x, indicating the path to the resource from which the process's image was loaded." . d3f:process-parent a owl:ObjectProperty ; rdfs:label "process-parent" ; skos:altLabel "processParent" ; rdfs:subPropertyOf d3f:process-ancestor ; d3f:definition "x process-parent y: The process y created the process x (directly) with a create process event." . d3f:process-property a owl:ObjectProperty ; rdfs:label "process-property" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x process-property y: The process x has the a process-property y. This is generalization for specific process object properties." . d3f:process-user a owl:ObjectProperty ; rdfs:label "process-user" ; skos:altLabel "processUser" ; rdfs:subPropertyOf d3f:process-property ; d3f:definition "x process-user y: The process x has been executed by the user y." . d3f:produced-by a owl:ObjectProperty ; rdfs:label "produced-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:produces ; d3f:definition "x produced-by y: The entity x is created by entity y." . d3f:produces a owl:ObjectProperty ; rdfs:label "produces" ; skos:altLabel "outputs" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-produce ; rdfs:isDefinedBy ; d3f:definition "x produces y: The subject entity x or process produces a data object y, which may be discrete digital object or a stream (e.g., a stream such as network traffic.)" ; rdfs:seeAlso d3f:creates . d3f:provider a owl:ObjectProperty ; rdfs:label "provider" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x provider y: A provider y is an entity that supplies a service, system, or data resources to a dependent entity x." ; rdfs:seeAlso . d3f:quarantines a owl:ObjectProperty ; rdfs:label "quarantines" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x quarantines y: Technique x moves entity y to a place of isolation." . d3f:queries a owl:ObjectProperty ; rdfs:label "queries" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-query ; d3f:definition "x queries y: The entity x requests information or data from entity y." . d3f:reads a owl:ObjectProperty ; rdfs:label "reads" ; rdfs:subPropertyOf d3f:accesses ; d3f:definition "x reads y: The subject x takes the action of reading from a digital source y to acquire data and placing it into volatile memory for processing." ; rdfs:seeAlso , . d3f:receives a owl:ObjectProperty ; rdfs:label "receives" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x receives y: The subject x acquires object y from a communication medium and transfers y into its local context for storage or processing." . d3f:recorded-in a owl:ObjectProperty ; rdfs:label "recorded-in" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:records ; d3f:definition "x recorded-in y: The event x is documented, logged, or otherwise preserved within the digital artifact y, which stores or encodes relevant data about the event." . d3f:records a owl:ObjectProperty ; rdfs:label "records" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x records y: The digital artifact x makes a record of events y; set down in permanent form." ; rdfs:seeAlso . d3f:regenerates a owl:ObjectProperty ; rdfs:label "regenerates" ; rdfs:subPropertyOf d3f:associated-with, d3f:hardens ; rdfs:isDefinedBy ; d3f:definition "x regenerates y: The entity x discards the current digital artifact y and creates a new version that serves the same function." . d3f:related a owl:ObjectProperty ; rdfs:label "related" ; rdfs:subPropertyOf d3f:semantic-relation ; rdfs:isDefinedBy skos:related ; d3f:definition "x related y: x has a symmetric associative relation to y." . d3f:restores a owl:ObjectProperty ; rdfs:label "restores" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x restores y: The entity x returns entity y to its known-good or previous state." . d3f:restricted-by a owl:ObjectProperty ; rdfs:label "restricted-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:restricts ; d3f:definition "x restricted-by y: The entity x is limited, constrained, or regulated by entity y." . d3f:restricts a owl:ObjectProperty ; rdfs:label "restricts" ; rdfs:subPropertyOf d3f:associated-with, d3f:isolates ; rdfs:isDefinedBy ; d3f:definition "x restricts y: The entity x bounds the use of entity y." . d3f:resume a owl:ObjectProperty ; rdfs:label "resume" ; rdfs:subPropertyOf d3f:d3fend-process-object-property ; rdfs:isDefinedBy ; d3f:definition "x resume y: The agent or technique x continues a previous action on entity y. Usually occurs after suspension on y." . d3f:resumes a owl:ObjectProperty ; rdfs:label "resumes" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x resumes y: The agent or technique x continues a previous action on entity y. Usually occurs after suspension on y." . d3f:runs a owl:ObjectProperty ; rdfs:label "runs" ; rdfs:subPropertyOf d3f:associated-with, d3f:may-run ; d3f:definition "x runs y: To carry out a process or program y, as on a computer or a machine x; where y may be a large software assembly or a specific module or instruction. Examples: \"run a new program on the Mac\"; \"the computer runs the application software\"." ; rdfs:seeAlso . d3f:semantic-relation a owl:ObjectProperty ; rdfs:label "semantic-relation" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x semantic-relation y: The entity x is conceptually or meaningfully connected to entity y." . d3f:signed-by a owl:ObjectProperty ; rdfs:label "signed-by" ; rdfs:subPropertyOf d3f:validated-by ; owl:inverseOf d3f:signs ; d3f:definition "x signed-by y: The digital artifact x includes a signature generated by the entity y, certifying the authenticity and integrity of x. This relationship indicates that x has undergone a validation process by y, using cryptographic measures to ensure that x is trustworthy and unaltered since the signing by y." . d3f:signs a owl:ObjectProperty ; rdfs:label "signs" ; rdfs:subPropertyOf d3f:validates ; d3f:definition "x signs y: The entity x applies a digital signature to the digital artifact y, thereby asserting its validity, integrity, and authenticity. Typically, this involves cryptographic techniques to securely bind the signature to y, ensuring that y's contents have not been altered and are authentic as endorsed by x." . d3f:spoofs a owl:ObjectProperty ; rdfs:label "spoofs" ; rdfs:subPropertyOf d3f:associated-with, d3f:deceives-with ; d3f:definition "x spoofs y: The technique x creates a fake instance of a digital artifact y; that is, y is a decoy, fake, or counterfeit." ; rdfs:seeAlso , . d3f:start a owl:ObjectProperty ; rdfs:label "start" ; rdfs:subPropertyOf d3f:d3fend-process-object-property . d3f:strengthens a owl:ObjectProperty ; rdfs:label "strengthens" ; rdfs:subPropertyOf d3f:associated-with, d3f:hardens ; rdfs:isDefinedBy ; d3f:definition "x strengthens y: The technique x makes digital artifact y resistant (to harm or misuse.)" . d3f:summarizes a owl:ObjectProperty ; rdfs:label "summarizes" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x summarizes y: The sensor x summarizes a set y of events concerning digital artifacts over time." . d3f:suspends a owl:ObjectProperty ; rdfs:label "suspends" ; rdfs:subPropertyOf d3f:evicts ; rdfs:isDefinedBy ; d3f:definition "x suspends y: The agent or technique x pauses entity y." . d3f:terminates a owl:ObjectProperty ; rdfs:label "terminates" ; rdfs:subPropertyOf d3f:associated-with, d3f:evicts ; rdfs:isDefinedBy ; d3f:definition "x terminates y: The technique x brings to an end or halt to some activity y." ; d3f:synonym "aborts" ; rdfs:seeAlso . d3f:transmits a owl:ObjectProperty ; rdfs:label "transmits" ; skos:altLabel "sends" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x transmits y: The subject x actively emits object y onto a communication medium, rendering y observable and available for reception on that medium." . d3f:unloads a owl:ObjectProperty ; rdfs:label "unloads" ; rdfs:subPropertyOf d3f:evicts ; d3f:definition "x unloads y: The technique or artifact performs the action of unloading some artifact (applications, kernel modules, or hardware drivers, etc.) from a computer's memory." . d3f:unmounts a owl:ObjectProperty ; rdfs:label "unmounts" ; rdfs:subPropertyOf d3f:associated-with ; d3f:definition "x unmounts y: An operation x removes the access via computer system's file system the availability of files and directories on storage artifact y. Unmounts reverse or undo prior mount operations." ; rdfs:seeAlso . d3f:updates a owl:ObjectProperty ; rdfs:label "updates" ; rdfs:subPropertyOf d3f:hardens, d3f:modifies ; d3f:definition "x updates y: The technique x updates the software for component y." . d3f:use-limits a owl:ObjectProperty ; rdfs:label "use-limits" ; rdfs:subPropertyOf d3f:limits ; d3f:definition "x use-limits y: The entity x specifies a designated number of uses beyond which some entity y cannot function or must be terminated." ; rdfs:seeAlso . d3f:used-by a owl:ObjectProperty ; rdfs:label "used-by" ; rdfs:subPropertyOf d3f:associated-with ; owl:inverseOf d3f:uses ; d3f:definition "x used-by y: The inverse of y uses x." . d3f:uses a owl:ObjectProperty ; rdfs:label "uses" ; rdfs:subPropertyOf d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x uses y: The entity x puts into service a resource or implement y; makes y work or employ for a particular purpose or for its inherent or natural purpose." . d3f:validated-by a owl:ObjectProperty ; rdfs:label "validated-by" ; rdfs:subPropertyOf d3f:associated-with, d3f:hardens ; d3f:definition "x validated-by y: The digital artifact x has its authenticity and correctness confirmed or verified by the technique, operation, or agent y." . d3f:validates a owl:ObjectProperty ; rdfs:label "validates" ; rdfs:subPropertyOf d3f:associated-with, d3f:hardens ; rdfs:isDefinedBy ; d3f:definition "x validates y: The technique x proves the digital artifact y is valid; that is, x shows or confirms the validity of y." . d3f:verifies a owl:ObjectProperty ; rdfs:label "verifies" ; rdfs:subPropertyOf d3f:analyzes, d3f:associated-with ; rdfs:isDefinedBy ; d3f:definition "x verifies y: The technique x confirms the truth of a digital artifact y." ; rdfs:seeAlso , , . d3f:weakness-of a owl:ObjectProperty ; rdfs:label "weakness-of" ; rdfs:subPropertyOf d3f:may-be-weakness-of . d3f:writes a owl:ObjectProperty ; rdfs:label "writes" ; rdfs:subPropertyOf d3f:accesses ; d3f:definition "x writes y: The subject x takes the action of writing to a digital artifact y to store data and placing it into persistent memory for later reference." ; rdfs:seeAlso . ### Annotation Properties d3f:attack-id a owl:AnnotationProperty ; rdfs:label "attack-id" ; rdfs:subPropertyOf d3f:attack-kb-annotation ; rdfs:domain d3f:OffensiveTechnique ; rdfs:range xsd:string ; d3f:definition "x attack-id y: The offensive technique x has the att&ck unique id of y." . d3f:attack-kb-annotation a owl:AnnotationProperty ; rdfs:label "attack-kb-annotation" ; rdfs:subPropertyOf d3f:d3fend-annotation ; rdfs:domain d3f:OffensiveTechnique ; d3f:definition "x attack-kb-annotation y: The offensive technique x has the kb annotation of y." . d3f:contributor a owl:AnnotationProperty . d3f:cwe-id a owl:AnnotationProperty ; rdfs:label "cwe-id" ; rdfs:subPropertyOf d3f:cwe-kb-annotation . d3f:cwe-kb-annotation a owl:AnnotationProperty ; rdfs:label "cwe-kb-annotation" ; rdfs:subPropertyOf d3f:d3fend-annotation . d3f:d3fend-annotation a owl:AnnotationProperty ; rdfs:label "d3fend-annotation" ; rdfs:subPropertyOf owl:versionInfo ; d3f:definition "x d3fend-annotation y: The d3fend object x has the annotation y." . d3f:d3fend-catalog-annotation-property a owl:AnnotationProperty ; rdfs:label "d3fend-catalog-annotation-property" ; skos:altLabel "d3fend-vendor-registry-annotation-property" ; rdfs:subPropertyOf d3f:d3fend-annotation . d3f:d3fend-display-annotation a owl:AnnotationProperty ; rdfs:label "d3fend-display-annotation" ; rdfs:subPropertyOf d3f:d3fend-annotation . d3f:d3fend-kb-annotation-property a owl:AnnotationProperty ; rdfs:label "d3fend-kb-annotation-property" ; rdfs:subPropertyOf d3f:d3fend-annotation ; d3f:definition "x d3fend-kb-annotation-property y: The entity x had the d3fend kb annotation y." . d3f:d3fend-kb-reference-annotation a owl:AnnotationProperty ; rdfs:label "d3fend-kb-reference-annotation" ; rdfs:subPropertyOf d3f:d3fend-kb-annotation-property ; rdfs:domain d3f:TechniqueReference ; rdfs:range xsd:string ; d3f:definition "x d3fend-kb-data-property y: The reference x has the data property y." . d3f:definition a owl:AnnotationProperty ; rdfs:label "definition" ; rdfs:subPropertyOf d3f:d3fend-annotation ; rdfs:isDefinedBy ; d3f:definition "x definition y: The d3fend object x has the definition y." . d3f:description a owl:AnnotationProperty ; rdfs:label "description"@en ; rdfs:subPropertyOf d3f:d3fend-catalog-annotation-property ; rdfs:isDefinedBy ; d3f:definition "A statement that represents something in words." . d3f:display-baseurl a owl:AnnotationProperty ; rdfs:label "display-baseurl" ; rdfs:subPropertyOf d3f:d3fend-display-annotation ; d3f:definition "A base string to use as prefix to create a full URL for an entity. The baseurl must end in a forward slash: /" . d3f:display-order a owl:AnnotationProperty ; rdfs:label "display-order" ; rdfs:subPropertyOf d3f:d3fend-display-annotation ; d3f:definition "x display-order y: An object x should be displayed in ordinal position y when placed or listed in a d3fend display with other objects of its kind." . d3f:display-priority a owl:AnnotationProperty ; rdfs:label "display-priority" ; rdfs:subPropertyOf d3f:d3fend-display-annotation . d3f:kb-abstract a owl:AnnotationProperty ; rdfs:label "kb-abstract" ; rdfs:subPropertyOf d3f:d3fend-kb-reference-annotation ; rdfs:domain d3f:TechniqueReference ; rdfs:range xsd:string ; d3f:definition "x kb-abstract y: The reference x has the abstract y." . d3f:kb-article a owl:AnnotationProperty ; rdfs:label "kb-article" ; rdfs:subPropertyOf d3f:d3fend-kb-reference-annotation ; rdfs:domain d3f:Technique ; rdfs:range xsd:string ; d3f:definition "The technique x has the kb-article y, where y is written in Markdown." . d3f:kb-author a owl:AnnotationProperty ; rdfs:label "kb-author" ; rdfs:subPropertyOf d3f:d3fend-kb-reference-annotation ; rdfs:domain d3f:TechniqueReference ; rdfs:range xsd:string ; d3f:definition "x kb-author y: The reference x has some author y." . d3f:kb-mitre-analysis a owl:AnnotationProperty ; rdfs:label "kb-mitre-analysis" ; rdfs:subPropertyOf d3f:d3fend-kb-annotation-property ; rdfs:domain d3f:TechniqueReference ; rdfs:range xsd:string ; d3f:definition "x kb-mitre-analysis y: The reference x has the mitre d3fend analysis y." . d3f:kb-organization a owl:AnnotationProperty ; rdfs:label "kb-organization" ; rdfs:subPropertyOf d3f:d3fend-kb-annotation-property ; d3f:definition "x kb-organization y: The reference x was created or owned by the organization y." . d3f:label a owl:AnnotationProperty ; rdfs:label "label"@en ; rdfs:subPropertyOf rdfs:label . d3f:pref-label a owl:AnnotationProperty ; rdfs:label "pref-label" ; rdfs:subPropertyOf d3f:d3fend-annotation ; d3f:definition "x pref-label y: The preferred display value for x is y in d3fend tools." . d3f:release-date a owl:AnnotationProperty ; rdfs:label "release-date" ; rdfs:subPropertyOf d3f:d3fend-annotation, owl:versionInfo ; d3f:definition "x release-date y: The object x has the release-date y." . d3f:synonym a owl:AnnotationProperty ; rdfs:label "synonym" ; rdfs:subPropertyOf d3f:d3fend-annotation ; d3f:definition "an equivalent term." . dcterms:description a owl:AnnotationProperty . dcterms:license a owl:AnnotationProperty . dcterms:title a owl:AnnotationProperty . rdfs:isDefinedBy a owl:AnnotationProperty ; rdfs:label "isDefinedBy" . rdfs:label a owl:AnnotationProperty . rdfs:seeAlso a owl:AnnotationProperty . skos:altLabel a owl:AnnotationProperty . skos:example a owl:AnnotationProperty . skos:prefLabel a owl:AnnotationProperty . ### Data Properties d3f:archived-at a owl:DatatypeProperty ; rdfs:label "archived-at"@en ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property ; rdfs:range xsd:anyURI . d3f:attack-kb-data-property a owl:DatatypeProperty ; rdfs:label "attack-kb-data-property" ; skos:altLabel "attack-kb-property" . d3f:available a owl:DatatypeProperty ; rdfs:label "date available"@en ; rdfs:subPropertyOf d3f:date ; rdfs:range xsd:dateTime ; d3f:definition "Date that the resource became or will become available." . d3f:capec-id a owl:DatatypeProperty ; rdfs:label "capec-id" ; rdfs:subPropertyOf d3f:d3fend-kb-data-property ; d3f:definition "Unique identifier for a CAPEC technique, i.e. a common attack pattern identified by the pattern CAPEC-[number]." . d3f:comments a owl:DatatypeProperty, owl:FunctionalProperty ; rdfs:label "comments" ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property ; rdfs:range xsd:string ; d3f:definition "x comments y: x claim has provider comments y." . d3f:confidence a owl:DatatypeProperty ; rdfs:label "confidence" ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property . d3f:control-name a owl:DatatypeProperty ; rdfs:label "control-name" ; rdfs:subPropertyOf d3f:d3fend-external-control-data-property ; d3f:definition "The control (or control enhancement) name." . d3f:created a owl:DatatypeProperty ; rdfs:label "date created"@en ; rdfs:subPropertyOf d3f:date ; rdfs:range xsd:dateTime ; d3f:definition "Date of creation of the resource." . d3f:d3fend-artifact-data-property a owl:DatatypeProperty ; rdfs:label "d3fend-artifact-data-property" ; rdfs:subPropertyOf d3f:d3fend-data-property ; rdfs:domain d3f:DigitalArtifact ; d3f:definition "x d3fend-artifact-data-property y: The artifact x has the data property y." . d3f:d3fend-catalog-data-property a owl:DatatypeProperty ; rdfs:label "d3fend-catalog-data-property" ; skos:altLabel "d3fend-vendor-registry-data-property"@en ; rdfs:subPropertyOf d3f:d3fend-data-property . d3f:d3fend-comment a owl:DatatypeProperty ; rdfs:label "d3fend-comment" ; rdfs:subPropertyOf d3f:d3fend-kb-data-property ; d3f:definition "x d3fend-comment y: The entity x has an D3FEND team written a public note about entity y." . d3f:d3fend-data-property a owl:DatatypeProperty ; rdfs:label "d3fend-data-property" . d3f:d3fend-display-property a owl:DatatypeProperty ; rdfs:label "d3fend-display-property" ; rdfs:subPropertyOf d3f:d3fend-data-property ; d3f:definition "x d3fend-display-property y: An object x should be displayed using the display property y, when it applies." . d3f:d3fend-external-control-data-property a owl:DatatypeProperty ; rdfs:label "d3fend-external-control-data-property" ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property, d3f:d3fend-data-property . d3f:d3fend-id a owl:DatatypeProperty ; rdfs:label "d3fend-id" ; rdfs:subPropertyOf d3f:d3fend-kb-data-property ; d3f:definition "Unique identifier for a D3FEND technique. D3-[Acronym]." . d3f:d3fend-kb-data-property a owl:DatatypeProperty ; rdfs:label "d3fend-kb-data-property" ; rdfs:subPropertyOf d3f:d3fend-data-property ; d3f:definition "x d3fend-kb-data-property y: The d3fend knowledge base object x has a data property y; e.g., a string capturing a particular aspect or section of a knowledge base article." . d3f:date a owl:DatatypeProperty ; rdfs:label "date"@en ; rdfs:subPropertyOf d3f:d3fend-data-property ; rdfs:range xsd:dateTime ; d3f:definition "A point or period of time associated with an event in the lifecycle of the resource." ; rdfs:seeAlso . d3f:expectation-rating a owl:DatatypeProperty ; rdfs:label "expectation-rating" ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property . d3f:has-link a owl:DatatypeProperty ; rdfs:label "has-link" ; rdfs:subPropertyOf d3f:d3fend-kb-data-property ; rdfs:range xsd:anyURI ; d3f:definition "x has-link y: The d3fend analysis x has the link y." . d3f:identifier a owl:DatatypeProperty ; rdfs:label "identifier"@en ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property ; rdfs:range xsd:string . d3f:issued a owl:DatatypeProperty ; rdfs:label "date issued"@en ; rdfs:subPropertyOf d3f:date ; rdfs:range xsd:dateTime ; d3f:definition "Date of formal issuance of the resource." . d3f:kb-reference-title a owl:DatatypeProperty ; rdfs:label "kb-reference-title" ; rdfs:subPropertyOf d3f:d3fend-kb-data-property ; rdfs:range xsd:string ; d3f:definition "x kb-reference-title y: The d3fend knowledge base reference x has the reference title string y." . d3f:modified a owl:DatatypeProperty ; rdfs:label "date modified"@en ; rdfs:subPropertyOf d3f:date ; rdfs:range xsd:dateTime ; d3f:definition "Date on which the resource was changed." . d3f:name a owl:DatatypeProperty ; rdfs:label "name"@en ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property . d3f:operating-system a owl:DatatypeProperty ; rdfs:label "operating-system"@en ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property ; rdfs:range xsd:string ; d3f:definition "x operating-system y: The product x is supported on operating system y." . d3f:process-command-line-arguments a owl:DatatypeProperty ; rdfs:label "process-command-line-arguments" ; rdfs:subPropertyOf d3f:process-data-property ; d3f:definition "x process-command-line-arguments y: The process x has the process command line arguments data y." . d3f:process-data-property a owl:DatatypeProperty ; rdfs:label "process-data-property" ; rdfs:subPropertyOf d3f:d3fend-artifact-data-property ; d3f:definition "x process-data-property y: The process x has the data property y." . d3f:process-environmental-variables a owl:DatatypeProperty ; rdfs:label "process-environmental-variables" ; skos:altLabel "process-environmental-variable" ; rdfs:subPropertyOf d3f:process-data-property ; d3f:definition "x process-environment-variables y: The process x has the process environmental variables data y." . d3f:process-identifier a owl:DatatypeProperty ; rdfs:label "process-identifier" ; rdfs:subPropertyOf d3f:process-data-property ; d3f:definition "x process-identifier y: The process x has the process identifier y." . d3f:process-security-context a owl:DatatypeProperty ; rdfs:label "process-security-context" ; rdfs:subPropertyOf d3f:process-data-property ; rdfs:domain d3f:Process ; d3f:definition "x process-security-context y: The process x has the process security context data y." . d3f:published a owl:DatatypeProperty ; rdfs:label "date published"@en ; rdfs:subPropertyOf d3f:date ; rdfs:range xsd:dateTime ; d3f:definition "Date of publication of the resource." . d3f:rating a owl:DatatypeProperty, owl:FunctionalProperty ; rdfs:label "rating" ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property . d3f:risk-impact a owl:DatatypeProperty ; rdfs:label "risk-impact" ; rdfs:subPropertyOf d3f:d3fend-data-property ; rdfs:range [ a rdfs:Datatype ; owl:onDatatype xsd:integer ; owl:withRestrictions ( [ xsd:maxInclusive 5 ] [ xsd:minInclusive 1 ] ) ] ; rdfs:isDefinedBy ; d3f:definition "Risk impact rating, expressed on a numeric scale from 1 (lowest impact) to 5 (highest impact) in the context of a 5x5 risk matrix. Impact is used here as a synonym for consequence, another popular term used in risk analysis." . d3f:risk-likelihood a owl:DatatypeProperty ; rdfs:label "risk-likelihood" ; rdfs:subPropertyOf d3f:d3fend-data-property ; rdfs:range [ a rdfs:Datatype ; owl:onDatatype xsd:integer ; owl:withRestrictions ( [ xsd:maxInclusive 5 ] [ xsd:minInclusive 1 ] ) ] ; rdfs:isDefinedBy ; d3f:definition "Risk likelihood rating, expressed on a numeric scale from 1 (lowest likelihood) to 5 (highest likelihood) in the context of a 5x5 risk matrix." . d3f:stage a owl:DatatypeProperty, owl:FunctionalProperty ; rdfs:label "stage" ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property . d3f:text a owl:DatatypeProperty ; rdfs:label "text"@en ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property ; d3f:definition "The text of the document (i.e., terms of license.)" . d3f:title a owl:DatatypeProperty ; rdfs:label "title"@en ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property ; rdfs:range xsd:string ; d3f:definition "A name given to the resource." . d3f:valid a owl:DatatypeProperty ; rdfs:label "date valid"@en ; rdfs:subPropertyOf d3f:date ; rdfs:range xsd:dateTime ; d3f:definition "Date (often a range) of validity of a resource." . d3f:version a owl:DatatypeProperty, owl:FunctionalProperty ; rdfs:label "version"@en ; rdfs:subPropertyOf d3f:d3fend-catalog-data-property, d3f:d3fend-external-control-data-property ; rdfs:range [ a rdfs:Datatype ; owl:unionOf ( xsd:integer xsd:string ) ] ; d3f:definition "x version y: The product or service x has the version y." . d3f:windows-registry-data-property a owl:DatatypeProperty ; rdfs:label "windows-registry-data-property" ; rdfs:subPropertyOf d3f:d3fend-artifact-data-property ; d3f:definition "x windows-registry-data-property y: The windows registry entry x has the property y." . d3f:windows-registry-key a owl:DatatypeProperty ; rdfs:label "windows-registry-key" ; skos:altLabel "key" ; rdfs:subPropertyOf d3f:windows-registry-data-property ; d3f:definition "x value y: The key-value pair x has the key y." . d3f:windows-registry-value a owl:DatatypeProperty ; rdfs:label "windows-registry-value" ; skos:altLabel "value" ; rdfs:subPropertyOf d3f:windows-registry-data-property ; d3f:definition "x value y: The key-value pair x has the data value y." . ### Classes d3f:AcademicPaperReference a owl:Class ; rdfs:label "Academic Paper Reference" ; rdfs:subClassOf d3f:TechniqueReference ; d3f:pref-label "Academic Paper" . d3f:Access a owl:Class ; rdfs:label "Access" ; rdfs:subClassOf d3f:Action, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:Resource ], [ a owl:Restriction ; owl:onProperty d3f:has-mediator ; owl:someValuesFrom d3f:AccessMediator ] . d3f:AccessControlAdministrationEvent a owl:Class ; rdfs:label "Access Control Administration Event" ; skos:altLabel "Permission Administration Event", "Permission Provisioning Event" ; rdfs:subClassOf d3f:AccessControlEvent ; d3f:definition "An event concerning the administrative actions of setting, modifying, or abolishing permissions, configuring access control settings, and managing user access rights to ensure alignment with access control policies." . d3f:AccessControlConfiguration a owl:Class, owl:NamedIndividual ; rdfs:label "Access Control Configuration" ; rdfs:subClassOf d3f:ConfigurationResource ; d3f:definition "Information about what access permissions are granted to particular users for particular objects." ; rdfs:seeAlso . d3f:AccessControlEvent a owl:Class ; rdfs:label "Access Control Event" ; rdfs:subClassOf d3f:AuthorizationEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:AccessControlConfiguration ] ; d3f:definition "An event that captures the implementation or evaluation of access control measures, including the application of rules and policies to govern the accessibility of resources by agents within a digital system." . d3f:AccessControlGroup a owl:Class, owl:NamedIndividual ; rdfs:label "Access Control Group" ; rdfs:subClassOf d3f:AccessControlConfiguration, [ a owl:Restriction ; owl:onProperty d3f:restricted-by ; owl:someValuesFrom d3f:AccessControlList ] ; d3f:definition "A collection of objects that can have access controls placed on them." ; d3f:restricted-by d3f:AccessControlList ; rdfs:seeAlso . d3f:AccessControlList a owl:Class, owl:NamedIndividual ; rdfs:label "Access Control List" ; rdfs:subClassOf d3f:AccessControlConfiguration, [ a owl:Restriction ; owl:onProperty d3f:restricts ; owl:someValuesFrom d3f:UserGroup ] ; rdfs:isDefinedBy ; d3f:definition "A list of permissions attached to an object." ; d3f:restricts d3f:UserGroup . d3f:AccessDeniedEvent a owl:Class ; rdfs:label "Access Denied Event" ; rdfs:subClassOf d3f:AccessMediationEvent ; d3f:definition "An event indicating the refusal of access to a resource, where an access request has been evaluated and denied based on current authorization policies, preventing operations by the requesting agent." . d3f:AccessGrantedEvent a owl:Class ; rdfs:label "Access Granted Event" ; rdfs:subClassOf d3f:AccessMediationEvent ; d3f:definition "An event signifying that access to a resource has been authorized and successfully enforced, allowing the requesting agent to perform specified operations based on the access control policies." . d3f:AccessMediation a d3f:AccessMediation, owl:Class, owl:NamedIndividual ; rdfs:label "Access Mediation" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Isolate ] ; d3f:d3fend-id "D3-AMED" ; d3f:definition "Access mediation is the process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances). Access mediation decisions should enforce least privilege by granting access for scoped durations to prevent privilege creep and, where applicable, implement just-in-time (JIT) access. Denial decisions may prevent initial access or terminate access that has already been granted, ensuring continuous enforcement of security policies." ; d3f:enables d3f:Isolate ; d3f:kb-reference d3f:Reference-CNNSI-4009 ; d3f:synonym "Access Control" ; rdfs:seeAlso , , , , . d3f:AccessMediationEvent a owl:Class ; rdfs:label "Access Mediation Event" ; skos:altLabel "Access Enforcement Event" ; rdfs:subClassOf d3f:AccessControlEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:AccessMediator ] ; d3f:definition "An event involving the intermediary control mechanism that evaluates access requests and enforces access control decisions, ensuring that subjects' resource interactions comply with the established access policies." . d3f:AccessMediator a owl:Class, owl:NamedIndividual ; rdfs:label "Access Mediator" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:implements ; owl:someValuesFrom d3f:AccessControlConfiguration ], [ a owl:Restriction ; owl:onProperty d3f:mediates-access-to ; owl:someValuesFrom d3f:Resource ], [ a owl:Restriction ; owl:onProperty d3f:used-by ; owl:someValuesFrom d3f:Agent ] ; d3f:definition "An Access Mediator enforces access control policies to regulate interactions with a resource." ; d3f:implements d3f:AccessControlConfiguration ; d3f:mediates-access-to d3f:Resource ; d3f:used-by d3f:Agent . d3f:AccessModeling a d3f:AccessModeling, owl:Class, owl:NamedIndividual ; rdfs:label "Access Modeling" ; rdfs:subClassOf d3f:OperationalActivityMapping, [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:AccessControlConfiguration ], [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:DigitalIdentity ], [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:UserAccount ] ; d3f:d3fend-id "D3-AM" ; d3f:definition "Access modeling captures and records the access permissions granted to identities (e.g., administrators, users, groups, systems) and optionally includes details on how these identities are stored, managed, and shared across systems." ; d3f:kb-reference d3f:Reference-RFC7642SystemForCrossDomainIdentityManagementDefinitionsOverviewConceptsAndRequirements ; d3f:maps d3f:AccessControlConfiguration, d3f:DigitalIdentity, d3f:UserAccount . d3f:AccessPolicyAdministration a d3f:AccessPolicyAdministration, owl:Class, owl:NamedIndividual ; rdfs:label "Access Policy Administration" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Isolate ] ; d3f:d3fend-id "D3-APA" ; d3f:definition "Access policy administration is the systematic process of defining, implementing, and managing access control policies that dictate user permissions to resources." ; d3f:enables d3f:Isolate ; d3f:synonym "Access Control Administration" . d3f:AccessProcess a owl:Class, owl:NamedIndividual ; rdfs:label "Access Process" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:Process ] ; d3f:accesses d3f:Process . d3f:AccessToken a owl:Class, owl:NamedIndividual ; rdfs:label "Access Token" ; skos:altLabel "Ticket", "Token" ; rdfs:subClassOf d3f:Credential ; d3f:definition "In computer systems, an access token contains the security credentials for a login session and identifies the user, the user's groups, the user's privileges, and, in some cases, a particular application. Typically one may be asked to enter the access token (e.g. 40 random characters) rather than the usual password (it therefore should be kept secret just like a password)." ; rdfs:seeAlso . d3f:AccountLocking a d3f:AccountLocking, owl:Class, owl:NamedIndividual ; rdfs:label "Account Locking" ; rdfs:subClassOf d3f:CredentialEviction, [ a owl:Restriction ; owl:onProperty d3f:disables ; owl:someValuesFrom d3f:UserAccount ] ; d3f:created "2020-08-05T00:00:00"^^xsd:dateTime ; d3f:d3fend-id "D3-AL" ; d3f:definition "The process of temporarily disabling user accounts on a system or domain." ; d3f:disables d3f:UserAccount ; d3f:kb-article """## How it works Management servers with enterprise policies for account management provide the ability to enable and disable account for given rules. The rules may include specific periods of time (eg. weekend, plant shutdown, leave periods), specific user types or groups, or individual users. ## Considerations * Local accounts caches vs centralized account management * Single Sign-on * Role based vs Attribute based systems ## Examples of account configuration stores * Directory Services * Active Directory * RADIUS * LDAP * Oracle User Account Management * JumpCloud""" ; d3f:kb-reference d3f:Reference-AccountMonitoring_ForescoutTechnologies, d3f:Reference-FrameworkForNotifyingADirectoryServiceOfAuthenticationEventsProcessedOutsideTheDirectoryService_OracleInternationalCorp . d3f:Action a owl:Class, owl:NamedIndividual ; rdfs:label "Action" ; rdfs:subClassOf d3f:Event, [ a owl:Restriction ; owl:onProperty d3f:has-agent ; owl:someValuesFrom d3f:Agent ] ; d3f:definition "An Action is a deliberate operation or activity performed by an entity." . d3f:ActiveCertificateAnalysis a d3f:ActiveCertificateAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Active Certificate Analysis" ; rdfs:subClassOf d3f:CertificateAnalysis ; d3f:created "2020-08-05T00:00:00"^^xsd:dateTime ; d3f:d3fend-id "D3-ACA" ; d3f:definition "Actively collecting PKI certificates by connecting to the server and downloading its server certificates for analysis." ; d3f:kb-article """## How it works Analysis of server certificates using active methods to detect if certificates have been misconfigured or spoofed by using elements of the certificate, certificate authorities and signatures. ### Certificate validity analysis This can be accomplished by verifying the digital signature on certificate. ### Certificate path analysis The client's browser can perform path verification to ensure that the server's certificate contains a valid trust anchor. ### Certificate configuration analysis Some browsers can be configured to implement the key-usage extensions contained certificates. This can help to prevent a certificate from being misused. ### Certificate revocation status analysis Using either Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) to determine the revocation status. OCSP Stapling, binding the status with the certificate, helps to mitigate potential delay in status verifications. ## Considerations * Management of the PKI across the enterprise typically requires automation to maintain scalability and flexibility * If the certificate authority, issuing the certificate, is compromised then all of the certificates issued by the CA are suspect * There may be delays associated with updates to certificates * Revoked certificates give the appearance of valid certificates until they are published to a trusted revocation service (OCSP or CRL) * The revocation service (OCSP or CRL) may be down during our connection and a browser will need to make a decision will need to be made about trusting the connection""" ; d3f:kb-reference d3f:Reference-SecuringWebTransactions . d3f:ActiveLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Active Learning" ; rdfs:subClassOf d3f:MachineLearning ; d3f:d3fend-id "D3A-AL" ; d3f:definition "Active learning aims to improve learning efficiency by allowing the learning algorithm to select which data to learn from." ; d3f:kb-article """## How it works Traditional supervised learning often requires a large number of labeled instances, which can be costly or time-consuming to obtain. Active learning addresses this labeling bottleneck by asking an oracle (e.g., a human annotator) to label selected unlabeled instances. The goal is to achieve high accuracy with minimal labeling effort. ## Considerations Active learning is particularly useful in scenarios where data is abundant but labeled instances are scarce or expensive. Examples include speech recognition, information extraction, and document classification. ## References - Wikipedia article on Active Learning (machine learning) [Link](https://en.wikipedia.org/wiki/Active_learning_(machine_learning)) - Settles, B. (2009). Active Learning Literature Survey. [Link](https://burrsettles.com/pub/settles.activelearning.pdf)""" . d3f:ActiveLogicalLinkMapping a d3f:ActiveLogicalLinkMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Active Logical Link Mapping" ; rdfs:subClassOf d3f:LogicalLinkMapping, [ a owl:Restriction ; owl:onProperty d3f:may-query ; owl:someValuesFrom d3f:NetworkAgent ] ; d3f:d3fend-id "D3-ALLM" ; d3f:definition "Active logical link mapping sends and receives network traffic as a means to map the whole data link layer, where the links represent logical data flows rather than physical connection" ; d3f:kb-article """## How it works Active logical link mapping establishes awareness of logical links in the network by sending data over the network to gather information about logical connections in the network. Typically this will be achieved through network telemetry coordinated for network management and monitoring and will use a link layer discovery protocol such as LLDP and the information gathered and aggregated a higher levels using an application protocol such as SNMP. The information may be polled by network management softare or configured once and then pushed from network sensors (or agents.) Another means of establishing network connectivity is by means of sendingn traffic through the use of a tool such as traceroute, to determine the logical paths through the network architecture. ## Considerations * Best practice is to encrypte network monitoring data and require authentication for queries or admin/management functions. * Push notifications reduce bandwidth necessary to capture and maintain information if reliable transport is used. * Special consideration should be made before using of active scanning in OT networks and OT-safe options chosen where available.""" ; d3f:kb-reference d3f:Reference-IdentificationOfTracerouteNodesAndAssociatedDevices, d3f:Reference-SNMPNetworkAutoDiscovery ; d3f:may-query d3f:NetworkAgent . d3f:ActivePhysicalLinkMapping a d3f:ActivePhysicalLinkMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Active Physical Link Mapping" ; rdfs:subClassOf d3f:PhysicalLinkMapping, [ a owl:Restriction ; owl:onProperty d3f:may-query ; owl:someValuesFrom d3f:NetworkAgent ] ; owl:disjointWith d3f:DirectPhysicalLinkMapping ; d3f:d3fend-id "D3-APLM" ; d3f:definition "Active physical link mapping sends and receives network traffic as a means to map the physical layer." ; d3f:kb-reference d3f:Reference-IdentificationOfTracerouteNodesAndAssociatedDevices, d3f:Reference-UsingSpanningTreeProtocolSTPToEnhanceLayer2NetworkTopologyMaps ; d3f:may-query d3f:NetworkAgent ; d3f:synonym "Active Physical Layer Mapping" . d3f:ActivityDependency a owl:Class ; rdfs:label "Activity Dependency" ; rdfs:subClassOf d3f:Dependency ; d3f:definition "An activity dependency is a dependency that indicates an activity has an activity or agent which relies on it in order to be functional." . d3f:Actor-Critic a owl:Class, owl:NamedIndividual ; rdfs:label "Actor-Critic" ; rdfs:subClassOf d3f:PolicyGradient, d3f:TemporalDifferenceLearning ; d3f:d3fend-id "D3A-AC" ; d3f:definition "Actor-Critic is a Temporal Difference(TD) version of Policy gradient. It has two networks: Actor and Critic. The actor decided which action should be taken and critic inform the actor how good was the action and how it should adjust. The learning of the actor is based on policy gradient approach. In comparison, critics evaluate the action produced by the actor by computing the value function." ; d3f:kb-article """## References The Actor-Critic Reinforcement Learning Algorithm. Medium. [Link](https://medium.com/intro-to-artificial-intelligence/the-actor-critic-reinforcement-learning-algorithm-c8095a655c14).""" . d3f:Actuator a owl:Class ; rdfs:label "Actuator" ; rdfs:subClassOf d3f:OutputDevice ; d3f:definition "An actuator is a mechanical or electromechanical device that, upon receiving a relatively low-energy control signal (e.g., electrical voltage, fluid pressure, or human force), translates its primary energy source (electric, hydraulic, or pneumatic) into targeted mechanical motion or adjustment. It typically works in conjunction with a control device (like a valve or logic driver) and is central to automation, enabling machines or systems to move, open, close, or otherwise manipulate their components or environment. By amplifying or redirecting energy from one form to another, the actuator executes control commands, thereby automating processes in industrial, automotive, aerospace, and other domains where precise mechanical action is essential." ; rdfs:seeAlso . d3f:AdaptiveResonanceTheoryClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Adaptive Resonance Theory Clustering" ; rdfs:subClassOf d3f:ANN-basedClustering ; d3f:d3fend-id "D3A-ARTC" ; d3f:definition "Adaptive Resonance Theory (ART) Clustering is a neural network algorithm used for clustering data and is open to new learning(i.e. adaptive) without discarding the previous or the old information(i.e. resonance)." ; d3f:kb-article """## References GeeksforGeeks. (n.d.). Adaptive Resonance Theory (ART). [Link](https://www.geeksforgeeks.org/adaptive-resonance-theory-art/)""" . d3f:AddressSpace a owl:Class ; rdfs:label "Address Space" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "An address space defines a range of discrete addresses, each of which may correspond to a network host, peripheral device, disk sector, a memory cell or other logical or physical entity. For software programs to save and retrieve stored data, each unit of data must have an address where it can be located. The number of address spaces available depends on the underlying address structure, which is usually limited by the computer architecture being used." . d3f:AddUserToGroupEvent a owl:Class ; rdfs:label "Add User to Group Event" ; rdfs:subClassOf d3f:GroupManagementEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:UserAccount ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:GroupCreationEvent ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:UserAccountCreationEvent ] ; d3f:definition "An event where a user is added to a group, granting the user the permissions and privileges associated with the group." . d3f:AdministrativeNetworkActivityAnalysis a d3f:AdministrativeNetworkActivityAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Administrative Network Activity Analysis" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:IntranetAdministrativeNetworkTraffic ] ; d3f:analyzes d3f:IntranetAdministrativeNetworkTraffic ; d3f:created "2020-08-05T00:00:00"^^xsd:dateTime ; d3f:d3fend-id "D3-ANAA" ; d3f:definition "Detection of unauthorized use of administrative network protocols by analyzing network activity against a baseline." ; d3f:kb-article """## How it works Network protocols such as RDP, IPMI, SSH, SNMP, VNC, MOSH, NX, TeamViewer, SPICE, PCoIP, and others are used by system administrators to remotely manage servers. Defenders monitor administrative network activity to determine if the use of remote protocols is malicious. Attackers can abuse administrative protocols and leverage them for initial access to various endpoints. For example, an attacker with valid credentials will remotely SSH or RDP into a server and attempt to blend in with existing traffic from system administrators. By monitoring the traffic activity, it is possible to detect when the protocols are behaving differently from a known baseline of system administration activity. ## Considerations * Administrative traffic can be encrypted, making network protocol analysis a challenge * False alarms can be mitigated by integration with inventory management systems""" ; d3f:kb-reference d3f:Reference-MethodAndSystemForDetectingSuspiciousAdministrativeActivity_VectraNetworksInc, d3f:Reference-RemoteRegistry_MITRE, d3f:Reference-WindowsRemoteManagement_WinRM_MITRE . d3f:AdministrativeNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Administrative Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic ; d3f:definition "Administrative network traffic is network traffic related to the remote administration or control of hosts or devices through a standard remote administrative protocol. Remote shells, terminals, RDP, and VNC are examples of these protocols, which are typically only used by administrators." ; rdfs:seeAlso . d3f:Agent a owl:Class, owl:NamedIndividual ; rdfs:label "Agent" ; rdfs:subClassOf d3f:D3FENDCore ; d3f:definition "An entity capable of performing intentional actions." ; rdfs:seeAlso . d3f:AgentAuthentication a d3f:AgentAuthentication, owl:Class, owl:NamedIndividual ; rdfs:label "Agent Authentication" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:Agent ], [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Harden ], [ a owl:Restriction ; owl:onProperty d3f:strengthens ; owl:someValuesFrom d3f:UserAccount ] ; d3f:authenticates d3f:Agent ; d3f:d3fend-id "D3-AA" ; d3f:definition "Agent authentication is the process of verifying the identities of agents to ensure they are authorized and trustworthy participants within a system." ; d3f:enables d3f:Harden ; d3f:kb-reference d3f:Reference-NIST-Special-Publication-800-53-Revision-5 ; d3f:strengthens d3f:UserAccount . d3f:AgentGroup a owl:Class ; rdfs:label "Agent Group" ; rdfs:subClassOf d3f:Group, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Agent ] . d3f:AgglomerativeClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Agglomerative Clustering" ; rdfs:subClassOf d3f:HierarchicalClustering ; d3f:d3fend-id "D3A-AC" ; d3f:definition "Agglomerative Clustering is a type of hierarchical clustering method where data points are grouped together based on similarity. Initially, each data point is treated as an individual cluster, and then in successive iterations, the closest clusters are merged until only one large cluster remains or until a specified stopping criterion is met." ; d3f:kb-article """## How it works Agglomerative clustering starts with each data point as its own cluster. The algorithm then iterates, identifying the two clusters that are closest to each other based on a defined distance metric (e.g., Euclidean, Manhattan). These two clusters are then merged into a single cluster. This process continues iteratively, merging the closest pairs of clusters in each step until all data points are merged into a single cluster or until other stopping criteria are achieved. A dendrogram, which is a tree-like diagram, can be used to represent the sequence of merges, providing a visual representation of the hierarchical structure of data. ## Considerations - **Choice of Distance Metric**: The outcome can vary significantly depending on the chosen distance metric (e.g., Euclidean, Manhattan). - **Scalability**: Agglomerative clustering can be computationally intensive for large datasets. - **Sensitivity**: The method can be sensitive to outliers, which might affect the quality of the clusters formed. ## Key Test Considerations - **Unsupervised Learning**: - **Number of Clusters**: Determine an optimal number of clusters using the dendrogram and techniques like the elbow method. - **Cluster Analysis**: - **Silhouette Score**: Evaluates how similar an object is to its own cluster compared to other clusters. A higher silhouette score indicates that the object is well matched to its own cluster and poorly matched to neighboring clusters. - **Dunn Index**: Measures the ratio between the smallest distance between observations not in the same cluster to the largest intra-cluster distance. - **Hierarchical Clustering**: - **Cophenetic Correlation Coefficient**: Measures the correlation between the distances of points in feature space and their distances on the dendrogram. Helps assess the fidelity of the dendrogram in preserving pairwise distances between samples. - **Agglomerative Clustering**: - **Linkage Criteria**: Test different linkage criteria (e.g., single, complete, average) to determine which produces the most cohesive clusters for the data at hand. ## Platforms, Tools, or Libraries - **scikit-learn**: - A versatile machine learning library in Python. - The `AgglomerativeClustering` class in scikit-learn provides this functionality. - **SciPy**: - A Python library used for scientific and technical computing. - The `scipy.cluster.hierarchy` module provides functions for hierarchical and agglomerative clustering, including the `linkage` and `dendrogram` functions. - **R**: - The `hclust` function in the stats package provides agglomerative clustering. - The `agnes` function in the `cluster` package offers a more extensive implementation. - **MATLAB**: - Offers the `linkage` function for hierarchical agglomerative clustering and `dendrogram` for visualization. - **Weka**: - A collection of machine learning algorithms for data mining tasks. - The `HierarchicalClusterer` class provides an implementation of agglomerative clustering. ## References 1. Jain, A. K., & Dubes, R. C. (1988). *Algorithms for clustering data*. Prentice-Hall, Inc. 2. Murtagh, F., & Legendre, P. (2014). Ward’s hierarchical agglomerative clustering method: which algorithms implement Ward’s criterion?. *Journal of Classification*, 31(3), 274-295. [Link](https://link.springer.com/article/10.1007/s00357-014-9161-z). 3. Scikit-learn. (30 Jun 2023). Scikit-learn Documentation: Agglomerative Clustering. [Link](https://scikit-learn.org/stable/modules/generated/sklearn.cluster.AgglomerativeClustering.html).""" . d3f:AlethicLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Alethic Logic" ; rdfs:subClassOf d3f:ModalLogic ; d3f:d3fend-id "D3A-AL" ; d3f:definition "Alethic logic is a modal logic that addresses the modalities of necessity and possibility." ; d3f:kb-article """## References 1. Alethic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Alethic_logic)""" . d3f:Alias a owl:Class ; rdfs:label "Alias" ; rdfs:subClassOf d3f:SlowSymbolicLink ; rdfs:isDefinedBy ; d3f:definition "In macOS, an alias is a small file that represents another object in a local, remote, or removable[1] file system and provides a dynamic link to it; the target object may be moved or renamed, and the alias will still link to it (unless the original file is recreated; such an alias is ambiguous and how it is resolved depends on the version of macOS)." . d3f:AllocateMemory a owl:Class, owl:NamedIndividual ; rdfs:label "Allocate Memory" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:MemoryBlock ] ; d3f:creates d3f:MemoryBlock . d3f:AML.T0000 a owl:Class ; rdfs:label "Search Open Technical Databases - ATLAS" ; skos:prefLabel "Search Open Technical Databases" ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; d3f:attack-id "AML.T0000" ; d3f:definition """Adversaries may search for publicly available research and technical documentation to learn how and where AI is used within a victim organization. The adversary can use this information to identify targets for attack, or to tailor an existing attack to make it more effective. Organizations often use open source model architectures trained on additional proprietary data in production. Knowledge of this underlying architecture allows the adversary to craft more realistic proxy models ([Create Proxy AI Model](/techniques/AML.T0005)). An adversary can search these resources for publications for authors employed at the victim organization. Research and technical materials may exist as academic papers published in [Journals and Conference Proceedings](/techniques/AML.T0000.000), or stored in [Pre-Print Repositories](/techniques/AML.T0000.001), as well as [Technical Blogs](/techniques/AML.T0000.002).""" ; rdfs:seeAlso . d3f:AML.T0000.000 a owl:Class ; rdfs:label "Journals and Conference Proceedings - ATLAS" ; skos:prefLabel "Journals and Conference Proceedings" ; rdfs:subClassOf d3f:AML.T0000 ; d3f:attack-id "AML.T0000.000" ; d3f:definition """Many of the publications accepted at premier artificial intelligence conferences and journals come from commercial labs. Some journals and conferences are open access, others may require paying for access or a membership. These publications will often describe in detail all aspects of a particular approach for reproducibility. This information can be used by adversaries to implement the paper.""" ; rdfs:seeAlso . d3f:AML.T0000.001 a owl:Class ; rdfs:label "Pre-Print Repositories - ATLAS" ; skos:prefLabel "Pre-Print Repositories" ; rdfs:subClassOf d3f:AML.T0000 ; d3f:attack-id "AML.T0000.001" ; d3f:definition """Pre-Print repositories, such as arXiv, contain the latest academic research papers that haven't been peer reviewed. They may contain research notes, or technical reports that aren't typically published in journals or conference proceedings. Pre-print repositories also serve as a central location to share papers that have been accepted to journals. Searching pre-print repositories provide adversaries with a relatively up-to-date view of what researchers in the victim organization are working on.""" ; rdfs:seeAlso . d3f:AML.T0000.002 a owl:Class ; rdfs:label "Technical Blogs - ATLAS" ; skos:prefLabel "Technical Blogs" ; rdfs:subClassOf d3f:AML.T0000 ; d3f:attack-id "AML.T0000.002" ; d3f:definition """Research labs at academic institutions and company R&D divisions often have blogs that highlight their use of artificial intelligence and its application to the organization's unique problems. Individual researchers also frequently document their work in blogposts. An adversary may search for posts made by the target victim organization or its employees. In comparison to [Journals and Conference Proceedings](/techniques/AML.T0000.000) and [Pre-Print Repositories](/techniques/AML.T0000.001) this material will often contain more practical aspects of the AI system. This could include underlying technologies and frameworks used, and possibly some information about the API access and use case. This will help the adversary better understand how that organization is using AI internally and the details of their approach that could aid in tailoring an attack.""" ; rdfs:seeAlso . d3f:AML.T0001 a owl:Class ; rdfs:label "Search Open AI Vulnerability Analysis - ATLAS" ; skos:prefLabel "Search Open AI Vulnerability Analysis" ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; d3f:attack-id "AML.T0001" ; d3f:definition """Much like the [Search Open Technical Databases](/techniques/AML.T0000), there is often ample research available on the vulnerabilities of common AI models. Once a target has been identified, an adversary will likely try to identify any pre-existing work that has been done for this class of models. This will include not only reading academic papers that may identify the particulars of a successful attack, but also identifying pre-existing implementations of those attacks. The adversary may obtain [Adversarial AI Attack Implementations](/techniques/AML.T0016.000) or develop their own [Adversarial AI Attacks](/techniques/AML.T0017.000) if necessary.""" ; rdfs:seeAlso . d3f:AML.T0002 a owl:Class ; rdfs:label "Acquire Public AI Artifacts - ATLAS" ; skos:prefLabel "Acquire Public AI Artifacts" ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0002" ; d3f:definition """Adversaries may search public sources, including cloud storage, public-facing services, and software or data repositories, to identify AI artifacts. These AI artifacts may include the software stack used to train and deploy models, training and testing data, model configurations and parameters. An adversary will be particularly interested in artifacts hosted by or associated with the victim organization as they may represent what that organization uses in a production environment. Adversaries may identify artifact repositories via other resources associated with the victim organization (e.g. [Search Victim-Owned Websites](/techniques/AML.T0003) or [Search Open Technical Databases](/techniques/AML.T0000)). These AI artifacts often provide adversaries with details of the AI task and approach. AI artifacts can aid in an adversary's ability to [Create Proxy AI Model](/techniques/AML.T0005). If these artifacts include pieces of the actual model in production, they can be used to directly [Craft Adversarial Data](/techniques/AML.T0043). Acquiring some artifacts requires registration (providing user details such email/name), AWS keys, or written requests, and may require the adversary to [Establish Accounts](/techniques/AML.T0021). Artifacts might be hosted on victim-controlled infrastructure, providing the victim with some information on who has accessed that data.""" ; rdfs:seeAlso . d3f:AML.T0002.000 a owl:Class ; rdfs:label "Datasets - ATLAS" ; skos:prefLabel "Datasets" ; rdfs:subClassOf d3f:AML.T0002 ; d3f:attack-id "AML.T0002.000" ; d3f:definition """Adversaries may collect public datasets to use in their operations. Datasets used by the victim organization or datasets that are representative of the data used by the victim organization may be valuable to adversaries. Datasets can be stored in cloud storage, or on victim-owned websites. Some datasets require the adversary to [Establish Accounts](/techniques/AML.T0021) for access. Acquired datasets help the adversary advance their operations, stage attacks, and tailor attacks to the victim organization.""" ; rdfs:seeAlso . d3f:AML.T0002.001 a owl:Class ; rdfs:label "Models - ATLAS" ; skos:prefLabel "Models" ; rdfs:subClassOf d3f:AML.T0002 ; d3f:attack-id "AML.T0002.001" ; d3f:definition """Adversaries may acquire public models to use in their operations. Adversaries may seek models used by the victim organization or models that are representative of those used by the victim organization. Representative models may include model architectures, or pre-trained models which define the architecture as well as model parameters from training on a dataset. The adversary may search public sources for common model architecture configuration file formats such as YAML or Python configuration files, and common model storage file formats such as ONNX (.onnx), HDF5 (.h5), Pickle (.pkl), PyTorch (.pth), or TensorFlow (.pb, .tflite). Acquired models are useful in advancing the adversary's operations and are frequently used to tailor attacks to the victim model.""" ; rdfs:seeAlso . d3f:AML.T0003 a owl:Class ; rdfs:label "Search Victim-Owned Websites - ATLAS" ; skos:prefLabel "Search Victim-Owned Websites" ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; d3f:attack-id "AML.T0003" ; d3f:definition """Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain technical details about their AI-enabled products or services. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info. These sites may also have details highlighting business operations and relationships. Adversaries may search victim-owned websites to gather actionable information. This information may help adversaries tailor their attacks (e.g. [Adversarial AI Attacks](/techniques/AML.T0017.000) or [Manual Modification](/techniques/AML.T0043.003)). Information from these sources may reveal opportunities for other forms of reconnaissance (e.g. [Search Open Technical Databases](/techniques/AML.T0000) or [Search Open AI Vulnerability Analysis](/techniques/AML.T0001))""" ; rdfs:seeAlso . d3f:AML.T0004 a owl:Class ; rdfs:label "Search Application Repositories - ATLAS" ; skos:prefLabel "Search Application Repositories" ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; d3f:attack-id "AML.T0004" ; d3f:definition """Adversaries may search open application repositories during targeting. Examples of these include Google Play, the iOS App store, the macOS App Store, and the Microsoft Store. Adversaries may craft search queries seeking applications that contain AI-enabled components. Frequently, the next step is to [Acquire Public AI Artifacts](/techniques/AML.T0002).""" ; rdfs:seeAlso . d3f:AML.T0005 a owl:Class ; rdfs:label "Create Proxy AI Model - ATLAS" ; skos:prefLabel "Create Proxy AI Model" ; rdfs:subClassOf d3f:ATLASAIAttackStagingTechnique ; d3f:attack-id "AML.T0005" ; d3f:definition """Adversaries may obtain models to serve as proxies for the target model in use at the victim organization. Proxy models are used to simulate complete access to the target model in a fully offline manner. Adversaries may train models from representative datasets, attempt to replicate models from victim inference APIs, or use available pre-trained models.""" ; rdfs:seeAlso . d3f:AML.T0005.000 a owl:Class ; rdfs:label "Train Proxy via Gathered AI Artifacts - ATLAS" ; skos:prefLabel "Train Proxy via Gathered AI Artifacts" ; rdfs:subClassOf d3f:AML.T0005 ; d3f:attack-id "AML.T0005.000" ; d3f:definition """Proxy models may be trained from AI artifacts (such as data, model architectures, and pre-trained models) that are representative of the target model gathered by the adversary. This can be used to develop attacks that require higher levels of access than the adversary has available or as a means to validate pre-existing attacks without interacting with the target model.""" ; rdfs:seeAlso . d3f:AML.T0005.001 a owl:Class ; rdfs:label "Train Proxy via Replication - ATLAS" ; skos:prefLabel "Train Proxy via Replication" ; rdfs:subClassOf d3f:AML.T0005 ; d3f:attack-id "AML.T0005.001" ; d3f:definition """Adversaries may replicate a private model. By repeatedly querying the victim's [AI Model Inference API Access](/techniques/AML.T0040), the adversary can collect the target model's inferences into a dataset. The inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model. A replicated model that closely mimic's the target model is a valuable resource in staging the attack. The adversary can use the replicated model to [Craft Adversarial Data](/techniques/AML.T0043) for various purposes (e.g. [Evade AI Model](/techniques/AML.T0015), [Spamming AI System with Chaff Data](/techniques/AML.T0046)).""" ; rdfs:seeAlso . d3f:AML.T0005.002 a owl:Class ; rdfs:label "Use Pre-Trained Model - ATLAS" ; skos:prefLabel "Use Pre-Trained Model" ; rdfs:subClassOf d3f:AML.T0005 ; d3f:attack-id "AML.T0005.002" ; d3f:definition "Adversaries may use an off-the-shelf pre-trained model as a proxy for the victim model to aid in staging the attack." ; rdfs:seeAlso . d3f:AML.T0006 a owl:Class ; rdfs:label "Active Scanning - ATLAS" ; skos:prefLabel "Active Scanning" ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; d3f:attack-id "AML.T0006" ; d3f:definition """An adversary may probe or scan the victim system to gather information for targeting. This is distinct from other reconnaissance techniques that do not involve direct interaction with the victim system. Adversaries may scan for open ports on a potential victim's network, which can indicate specific services or tools the victim is utilizing. This could include a scan for tools related to AI DevOps or AI services themselves such as public AI chat agents (ex: [Copilot Studio Hunter](https://github.com/mbrg/power-pwn/wiki/Modules:-Copilot-Studio-Hunter-%E2%80%90-Enum)). They can also send emails to organization service addresses and inspect the replies for indicators that an AI agent is managing the inbox. Information gained from Active Scanning may yield targets that provide opportunities for other forms of reconnaissance such as [Search Open Technical Databases](/techniques/AML.T0000), [Search Open AI Vulnerability Analysis](/techniques/AML.T0001), or [Gather RAG-Indexed Targets](/techniques/AML.T0064).""" ; rdfs:seeAlso . d3f:AML.T0007 a owl:Class ; rdfs:label "Discover AI Artifacts - ATLAS" ; skos:prefLabel "Discover AI Artifacts" ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; d3f:attack-id "AML.T0007" ; d3f:definition """Adversaries may search private sources to identify AI learning artifacts that exist on the system and gather information about them. These artifacts can include the software stack used to train and deploy models, training and testing data management systems, container registries, software repositories, and model zoos. This information can be used to identify targets for further collection, exfiltration, or disruption, and to tailor and improve attacks.""" ; rdfs:seeAlso . d3f:AML.T0008 a owl:Class ; rdfs:label "Acquire Infrastructure - ATLAS" ; skos:prefLabel "Acquire Infrastructure" ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0008" ; d3f:definition """Adversaries may buy, lease, or rent infrastructure for use throughout their operation. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, mobile devices, and third-party web services. Free resources may also be used, but they are typically limited. Infrastructure can also include physical components such as countermeasures that degrade or disrupt AI components or sensors, including printed materials, wearables, or disguises. Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.""" ; rdfs:seeAlso . d3f:AML.T0008.000 a owl:Class ; rdfs:label "AI Development Workspaces - ATLAS" ; skos:prefLabel "AI Development Workspaces" ; rdfs:subClassOf d3f:AML.T0008 ; d3f:attack-id "AML.T0008.000" ; d3f:definition """Developing and staging AI attacks often requires expensive compute resources. Adversaries may need access to one or many GPUs in order to develop an attack. They may try to anonymously use free resources such as Google Colaboratory, or cloud resources such as AWS, Azure, or Google Cloud as an efficient way to stand up temporary resources to conduct operations. Multiple workspaces may be used to avoid detection.""" ; rdfs:seeAlso . d3f:AML.T0008.001 a owl:Class ; rdfs:label "Consumer Hardware - ATLAS" ; skos:prefLabel "Consumer Hardware" ; rdfs:subClassOf d3f:AML.T0008 ; d3f:attack-id "AML.T0008.001" ; d3f:definition """Adversaries may acquire consumer hardware to conduct their attacks. Owning the hardware provides the adversary with complete control of the environment. These devices can be hard to trace.""" ; rdfs:seeAlso . d3f:AML.T0008.002 a owl:Class ; rdfs:label "Domains - ATLAS" ; skos:prefLabel "Domains" ; rdfs:subClassOf d3f:AML.T0008 ; d3f:attack-id "AML.T0008.002" ; d3f:definition """Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries may use acquired domains for a variety of purposes (see [ATT&CK](https://attack.mitre.org/techniques/T1583/001/)). Large AI datasets are often distributed as a list of URLs to individual datapoints. Adversaries may acquire expired domains that are included in these datasets and replace individual datapoints with poisoned examples ([Publish Poisoned Datasets](/techniques/AML.T0019)).""" ; rdfs:seeAlso . d3f:AML.T0008.003 a owl:Class ; rdfs:label "Physical Countermeasures - ATLAS" ; skos:prefLabel "Physical Countermeasures" ; rdfs:subClassOf d3f:AML.T0008 ; d3f:attack-id "AML.T0008.003" ; d3f:definition """Adversaries may acquire or manufacture physical countermeasures to aid or support their attack. These components may be used to disrupt or degrade the model, such as adversarial patterns printed on stickers or T-shirts, disguises, or decoys. They may also be used to disrupt or degrade the sensors used in capturing data, such as laser pointers, light bulbs, or other tools.""" ; rdfs:seeAlso . d3f:AML.T0008.004 a owl:Class ; rdfs:label "Serverless - ATLAS" ; skos:prefLabel "Serverless" ; rdfs:subClassOf d3f:AML.T0008 ; d3f:attack-id "AML.T0008.004" ; d3f:definition """Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, AWS Lambda functions, or Google Apps Scripts, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. Once acquired, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server. As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers. This can be used to bypass a Content Security Policy which prevent retrieving content from arbitrary locations.""" ; rdfs:seeAlso . d3f:AML.T0010 a owl:Class ; rdfs:label "AI Supply Chain Compromise - ATLAS" ; skos:prefLabel "AI Supply Chain Compromise" ; rdfs:subClassOf d3f:ATLASInitialAccessTechnique ; d3f:attack-id "AML.T0010" ; d3f:definition """Adversaries may gain initial access to a system by compromising the unique portions of the AI supply chain. This could include [Hardware](/techniques/AML.T0010.000), [Data](/techniques/AML.T0010.002) and its annotations, parts of the AI [AI Software](/techniques/AML.T0010.001) stack, or the [Model](/techniques/AML.T0010.003) itself. In some instances the attacker will need secondary access to fully carry out an attack using compromised components of the supply chain.""" ; rdfs:seeAlso . d3f:AML.T0010.000 a owl:Class ; rdfs:label "Hardware - ATLAS" ; skos:prefLabel "Hardware" ; rdfs:subClassOf d3f:AML.T0010 ; d3f:attack-id "AML.T0010.000" ; d3f:definition "Adversaries may target AI systems by disrupting or manipulating the hardware supply chain. AI models often run on specialized hardware such as GPUs, TPUs, or embedded devices, but may also be optimized to operate on CPUs." ; rdfs:seeAlso . d3f:AML.T0010.001 a owl:Class ; rdfs:label "AI Software - ATLAS" ; skos:prefLabel "AI Software" ; rdfs:subClassOf d3f:AML.T0010 ; d3f:attack-id "AML.T0010.001" ; d3f:definition """Most AI systems rely on a limited set of AI frameworks. An adversary could get access to a large number of AI systems through a comprise of one of their supply chains. Many AI projects also rely on other open source implementations of various algorithms. These can also be compromised in a targeted way to get access to specific systems.""" ; rdfs:seeAlso . d3f:AML.T0010.002 a owl:Class ; rdfs:label "Data - ATLAS" ; skos:prefLabel "Data" ; rdfs:subClassOf d3f:AML.T0010 ; d3f:attack-id "AML.T0010.002" ; d3f:definition """Data is a key vector of supply chain compromise for adversaries. Every AI project will require some form of data. Many rely on large open source datasets that are publicly available. An adversary could rely on compromising these sources of data. The malicious data could be a result of [Poison Training Data](/techniques/AML.T0020) or include traditional malware. An adversary can also target private datasets in the labeling phase. The creation of private datasets will often require the hiring of outside labeling services. An adversary can poison a dataset by modifying the labels being generated by the labeling service.""" ; rdfs:seeAlso . d3f:AML.T0010.003 a owl:Class ; rdfs:label "Model - ATLAS" ; skos:prefLabel "Model" ; rdfs:subClassOf d3f:AML.T0010 ; d3f:attack-id "AML.T0010.003" ; d3f:definition """AI-enabled systems often rely on open sourced models in various ways. Most commonly, the victim organization may be using these models for fine tuning. These models will be downloaded from an external source and then used as the base for the model as it is tuned on a smaller, private dataset. Loading models often requires executing some saved code in the form of a saved model file. These can be compromised with traditional malware, or through some adversarial AI techniques.""" ; rdfs:seeAlso . d3f:AML.T0010.004 a owl:Class ; rdfs:label "Container Registry - ATLAS" ; skos:prefLabel "Container Registry" ; rdfs:subClassOf d3f:AML.T0010 ; d3f:attack-id "AML.T0010.004" ; d3f:definition """An adversary may compromise a victim's container registry by pushing a manipulated container image and overwriting an existing container name and/or tag. Users of the container registry as well as automated CI/CD pipelines may pull the adversary's container image, compromising their AI Supply Chain. This can affect development and deployment environments. Container images may include AI models, so the compromised image could have an AI model which was manipulated by the adversary (See [Manipulate AI Model](/techniques/AML.T0018)).""" ; rdfs:seeAlso . d3f:AML.T0011 a owl:Class ; rdfs:label "User Execution - ATLAS" ; skos:prefLabel "User Execution" ; rdfs:subClassOf d3f:ATLASExecutionTechnique ; d3f:attack-id "AML.T0011" ; d3f:definition """An adversary may rely upon specific actions by a user in order to gain execution. Users may inadvertently execute unsafe code introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.""" ; rdfs:seeAlso . d3f:AML.T0011.000 a owl:Class ; rdfs:label "Unsafe AI Artifacts - ATLAS" ; skos:prefLabel "Unsafe AI Artifacts" ; rdfs:subClassOf d3f:AML.T0011 ; d3f:attack-id "AML.T0011.000" ; d3f:definition """Adversaries may develop unsafe AI artifacts that when executed have a deleterious effect. The adversary can use this technique to establish persistent access to systems. These models may be introduced via a [AI Supply Chain Compromise](/techniques/AML.T0010). Serialization of models is a popular technique for model storage, transfer, and loading. However, this format without proper checking presents an opportunity for code execution.""" ; rdfs:seeAlso . d3f:AML.T0011.001 a owl:Class ; rdfs:label "Malicious Package - ATLAS" ; skos:prefLabel "Malicious Package" ; rdfs:subClassOf d3f:AML.T0011 ; d3f:attack-id "AML.T0011.001" ; d3f:definition """Adversaries may develop malicious software packages that when imported by a user have a deleterious effect. Malicious packages may behave as expected to the user. They may be introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). They may not present as obviously malicious to the user and may appear to be useful for an AI-related task.""" ; rdfs:seeAlso . d3f:AML.T0012 a owl:Class ; rdfs:label "Valid Accounts - ATLAS" ; skos:prefLabel "Valid Accounts" ; rdfs:subClassOf d3f:ATLASInitialAccessTechnique ; d3f:attack-id "AML.T0012" ; d3f:definition """Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Credentials may take the form of usernames and passwords of individual user accounts or API keys that provide access to various AI resources and services. Compromised credentials may provide access to additional AI artifacts and allow the adversary to perform [Discover AI Artifacts](/techniques/AML.T0007). Compromised credentials may also grant an adversary increased privileges such as write access to AI artifacts used during development or production.""" ; rdfs:seeAlso . d3f:AML.T0013 a owl:Class ; rdfs:label "Discover AI Model Ontology - ATLAS" ; skos:prefLabel "Discover AI Model Ontology" ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; d3f:attack-id "AML.T0013" ; d3f:definition """Adversaries may discover the ontology of an AI model's output space, for example, the types of objects a model can detect. The adversary may discovery the ontology by repeated queries to the model, forcing it to enumerate its output space. Or the ontology may be discovered in a configuration file or in documentation about the model. The model ontology helps the adversary understand how the model is being used by the victim. It is useful to the adversary in creating targeted attacks.""" ; rdfs:seeAlso . d3f:AML.T0014 a owl:Class ; rdfs:label "Discover AI Model Family - ATLAS" ; skos:prefLabel "Discover AI Model Family" ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; d3f:attack-id "AML.T0014" ; d3f:definition """Adversaries may discover the general family of model. General information about the model may be revealed in documentation, or the adversary may use carefully constructed examples and analyze the model's responses to categorize it. Knowledge of the model family can help the adversary identify means of attacking the model and help tailor the attack.""" ; rdfs:seeAlso . d3f:AML.T0015 a owl:Class ; rdfs:label "Evade AI Model - ATLAS" ; skos:prefLabel "Evade AI Model" ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique, d3f:ATLASImpactTechnique, d3f:ATLASInitialAccessTechnique ; d3f:attack-id "AML.T0015" ; d3f:definition """Adversaries can [Craft Adversarial Data](/techniques/AML.T0043) that prevents an AI model from correctly identifying the contents of the data or [Generate Deepfakes](/techniques/AML.T0088) that fools an AI model expecting authentic data. This technique can be used to evade a downstream task where AI is utilized. The adversary may evade AI-based virus/malware detection or network scanning towards the goal of a traditional cyber attack. AI model evasion through deepfake generation may also provide initial access to systems that use AI-based biometric authentication.""" ; rdfs:seeAlso . d3f:AML.T0016 a owl:Class ; rdfs:label "Obtain Capabilities - ATLAS" ; skos:prefLabel "Obtain Capabilities" ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0016" ; d3f:definition """Adversaries may search for and obtain software capabilities for use in their operations. Capabilities may be specific to AI-based attacks [Adversarial AI Attack Implementations](/techniques/AML.T0016.000) or generic software tools repurposed for malicious intent ([Software Tools](/techniques/AML.T0016.001)). In both instances, an adversary may modify or customize the capability to aid in targeting a particular AI-enabled system.""" ; rdfs:seeAlso . d3f:AML.T0016.000 a owl:Class ; rdfs:label "Adversarial AI Attack Implementations - ATLAS" ; skos:prefLabel "Adversarial AI Attack Implementations" ; rdfs:subClassOf d3f:AML.T0016 ; d3f:attack-id "AML.T0016.000" ; d3f:definition "Adversaries may search for existing open source implementations of AI attacks. The research community often publishes their code for reproducibility and to further future research. Libraries intended for research purposes, such as CleverHans, the Adversarial Robustness Toolbox, and FoolBox, can be weaponized by an adversary. Adversaries may also obtain and use tools that were not originally designed for adversarial AI attacks as part of their attack." ; rdfs:seeAlso . d3f:AML.T0016.001 a owl:Class ; rdfs:label "Software Tools - ATLAS" ; skos:prefLabel "Software Tools" ; rdfs:subClassOf d3f:AML.T0016 ; d3f:attack-id "AML.T0016.001" ; d3f:definition """Adversaries may search for and obtain software tools to support their operations. Software designed for legitimate use may be repurposed by an adversary for malicious intent. An adversary may modify or customize software tools to achieve their purpose. Software tools used to support attacks on AI systems are not necessarily AI-based themselves.""" ; rdfs:seeAlso . d3f:AML.T0016.002 a owl:Class ; rdfs:label "Generative AI - ATLAS" ; skos:prefLabel "Generative AI" ; rdfs:subClassOf d3f:AML.T0016 ; d3f:attack-id "AML.T0016.002" ; d3f:definition """Adversaries may search for and obtain generative AI models or tools, such as large language models (LLMs), to assist them in various steps of their operation. Generative AI can be used in a variety of malicious ways, including generating malware or offensive cyber scripts, [Retrieval Content Crafting](/techniques/AML.T0066), or generating [Phishing](/techniques/AML.T0052) content. Adversaries may obtain an open source model or they may leverage a generative AI service. They may need to jailbreak the generative AI model to bypass any restrictions put in place to limit the types of responses it can generate. They may also need to break the terms of service of the generative AI.""" ; rdfs:seeAlso . d3f:AML.T0017 a owl:Class ; rdfs:label "Develop Capabilities - ATLAS" ; skos:prefLabel "Develop Capabilities" ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0017" ; d3f:definition "Adversaries may develop their own capabilities to support operations. This process encompasses identifying requirements, building solutions, and deploying capabilities. Capabilities used to support attacks on AI-enabled systems are not necessarily AI-based themselves. Examples include setting up websites with adversarial information or creating Jupyter notebooks with obfuscated exfiltration code." ; rdfs:seeAlso . d3f:AML.T0017.000 a owl:Class ; rdfs:label "Adversarial AI Attacks - ATLAS" ; skos:prefLabel "Adversarial AI Attacks" ; rdfs:subClassOf d3f:AML.T0017 ; d3f:attack-id "AML.T0017.000" ; d3f:definition """Adversaries may develop their own adversarial attacks. They may leverage existing libraries as a starting point ([Adversarial AI Attack Implementations](/techniques/AML.T0016.000)). They may implement ideas described in public research papers or develop custom made attacks for the victim model.""" ; rdfs:seeAlso . d3f:AML.T0018 a owl:Class ; rdfs:label "Manipulate AI Model - ATLAS" ; skos:prefLabel "Manipulate AI Model" ; rdfs:subClassOf d3f:ATLASAIAttackStagingTechnique, d3f:ATLASPersistenceTechnique ; d3f:attack-id "AML.T0018" ; d3f:definition "Adversaries may directly manipulate an AI model to change its behavior or introduce malicious code. Manipulating a model gives the adversary a persistent change in the system. This can include poisoning the model by changing its weights, modifying the model architecture to change its behavior, and embedding malware which may be executed when the model is loaded." ; rdfs:seeAlso . d3f:AML.T0018.000 a owl:Class ; rdfs:label "Poison AI Model - ATLAS" ; skos:prefLabel "Poison AI Model" ; rdfs:subClassOf d3f:AML.T0018 ; d3f:attack-id "AML.T0018.000" ; d3f:definition """Adversaries may manipulate an AI model's weights to change it's behavior or performance, resulting in a poisoned model. Adversaries may poison a model by by directly manipulating its weights, training the model on poisoned data, further fine-tuning the model, or otherwise interfering with its training process. The change in behavior of poisoned models may be limited to targeted categories in predictive AI models, or targeted topics, concepts, or facts in generative AI models, or aim for a general performance degradation.""" ; rdfs:seeAlso . d3f:AML.T0018.001 a owl:Class ; rdfs:label "Modify AI Model Architecture - ATLAS" ; skos:prefLabel "Modify AI Model Architecture" ; rdfs:subClassOf d3f:AML.T0018 ; d3f:attack-id "AML.T0018.001" ; d3f:definition """Adversaries may directly modify an AI model's architecture to re-define it's behavior. This can include adding or removing layers as well as adding pre or post-processing operations. The effects could include removing the ability to predict certain classes, adding erroneous operations to increase computation costs, or degrading performance. Additionally, a separate adversary-defined network could be injected into the computation graph, which can change the behavior based on the inputs, effectively creating a backdoor.""" ; rdfs:seeAlso . d3f:AML.T0018.002 a owl:Class ; rdfs:label "Embed Malware - ATLAS" ; skos:prefLabel "Embed Malware" ; rdfs:subClassOf d3f:AML.T0018 ; d3f:attack-id "AML.T0018.002" ; d3f:definition """Adversaries may embed malicious code into AI Model files. AI models may be packaged as a combination of instructions and weights. Some formats such as pickle files are unsafe to deserialize because they can contain unsafe calls such as exec. Models with embedded malware may still operate as expected. It may allow them to achieve Execution, Command & Control, or Exfiltrate Data.""" ; rdfs:seeAlso . d3f:AML.T0019 a owl:Class ; rdfs:label "Publish Poisoned Datasets - ATLAS" ; skos:prefLabel "Publish Poisoned Datasets" ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0019" ; d3f:definition """Adversaries may [Poison Training Data](/techniques/AML.T0020) and publish it to a public location. The poisoned dataset may be a novel dataset or a poisoned variant of an existing open source dataset. This data may be introduced to a victim system via [AI Supply Chain Compromise](/techniques/AML.T0010).""" ; rdfs:seeAlso . d3f:AML.T0020 a owl:Class ; rdfs:label "Poison Training Data - ATLAS" ; skos:prefLabel "Poison Training Data" ; rdfs:subClassOf d3f:ATLASPersistenceTechnique, d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0020" ; d3f:definition """Adversaries may attempt to poison datasets used by an AI model by modifying the underlying data or its labels. This allows the adversary to embed vulnerabilities in AI models trained on the data that may not be easily detectable. Data poisoning attacks may or may not require modifying the labels. The embedded vulnerability is activated at a later time by data samples with an [Insert Backdoor Trigger](/techniques/AML.T0043.004) Poisoned data can be introduced via [AI Supply Chain Compromise](/techniques/AML.T0010) or the data may be poisoned after the adversary gains [Initial Access](/tactics/AML.TA0004) to the system.""" ; rdfs:seeAlso . d3f:AML.T0021 a owl:Class ; rdfs:label "Establish Accounts - ATLAS" ; skos:prefLabel "Establish Accounts" ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0021" ; d3f:definition "Adversaries may create accounts with various services for use in targeting, to gain access to resources needed in [AI Attack Staging](/tactics/AML.TA0001), or for victim impersonation." ; rdfs:seeAlso . d3f:AML.T0024 a owl:Class ; rdfs:label "Exfiltration via AI Inference API - ATLAS" ; skos:prefLabel "Exfiltration via AI Inference API" ; rdfs:subClassOf d3f:ATLASExfiltrationTechnique ; d3f:attack-id "AML.T0024" ; d3f:definition """Adversaries may exfiltrate private information via [AI Model Inference API Access](/techniques/AML.T0040). AI Models have been shown leak private information about their training data (e.g. [Infer Training Data Membership](/techniques/AML.T0024.000), [Invert AI Model](/techniques/AML.T0024.001)). The model itself may also be extracted ([Extract AI Model](/techniques/AML.T0024.002)) for the purposes of [AI Intellectual Property Theft](/techniques/AML.T0048.004). Exfiltration of information relating to private training data raises privacy concerns. Private training data may include personally identifiable information, or other protected data.""" ; rdfs:seeAlso . d3f:AML.T0024.000 a owl:Class ; rdfs:label "Infer Training Data Membership - ATLAS" ; skos:prefLabel "Infer Training Data Membership" ; rdfs:subClassOf d3f:AML.T0024 ; d3f:attack-id "AML.T0024.000" ; d3f:definition """Adversaries may infer the membership of a data sample or global characteristics of the data in its training set, which raises privacy concerns. Some strategies make use of a shadow model that could be obtained via [Train Proxy via Replication](/techniques/AML.T0005.001), others use statistics of model prediction scores. This can cause the victim model to leak private information, such as PII of those in the training set or other forms of protected IP.""" ; rdfs:seeAlso . d3f:AML.T0024.001 a owl:Class ; rdfs:label "Invert AI Model - ATLAS" ; skos:prefLabel "Invert AI Model" ; rdfs:subClassOf d3f:AML.T0024 ; d3f:attack-id "AML.T0024.001" ; d3f:definition """AI models' training data could be reconstructed by exploiting the confidence scores that are available via an inference API. By querying the inference API strategically, adversaries can back out potentially private information embedded within the training data. This could lead to privacy violations if the attacker can reconstruct the data of sensitive features used in the algorithm.""" ; rdfs:seeAlso . d3f:AML.T0024.002 a owl:Class ; rdfs:label "Extract AI Model - ATLAS" ; skos:prefLabel "Extract AI Model" ; rdfs:subClassOf d3f:AML.T0024 ; d3f:attack-id "AML.T0024.002" ; d3f:definition """Adversaries may extract a functional copy of a private model. By repeatedly querying the victim's [AI Model Inference API Access](/techniques/AML.T0040), the adversary can collect the target model's inferences into a dataset. The inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model. Adversaries may extract the model to avoid paying per query in an artificial intelligence as a service (AIaaS) setting. Model extraction is used for [AI Intellectual Property Theft](/techniques/AML.T0048.004).""" ; rdfs:seeAlso . d3f:AML.T0025 a owl:Class ; rdfs:label "Exfiltration via Cyber Means - ATLAS" ; skos:prefLabel "Exfiltration via Cyber Means" ; rdfs:subClassOf d3f:ATLASExfiltrationTechnique ; d3f:attack-id "AML.T0025" ; d3f:definition """Adversaries may exfiltrate AI artifacts or other information relevant to their goals via traditional cyber means. See the ATT&CK [Exfiltration](https://attack.mitre.org/tactics/TA0010/) tactic for more information.""" ; rdfs:seeAlso . d3f:AML.T0029 a owl:Class ; rdfs:label "Denial of AI Service - ATLAS" ; skos:prefLabel "Denial of AI Service" ; rdfs:subClassOf d3f:ATLASImpactTechnique ; d3f:attack-id "AML.T0029" ; d3f:definition """Adversaries may target AI-enabled systems with a flood of requests for the purpose of degrading or shutting down the service. Since many AI systems require significant amounts of specialized compute, they are often expensive bottlenecks that can become overloaded. Adversaries can intentionally craft inputs that require heavy amounts of useless compute from the AI system.""" ; rdfs:seeAlso . d3f:AML.T0031 a owl:Class ; rdfs:label "Erode AI Model Integrity - ATLAS" ; skos:prefLabel "Erode AI Model Integrity" ; rdfs:subClassOf d3f:ATLASImpactTechnique ; d3f:attack-id "AML.T0031" ; d3f:definition """Adversaries may degrade the target model's performance with adversarial data inputs to erode confidence in the system over time. This can lead to the victim organization wasting time and money both attempting to fix the system and performing the tasks it was meant to automate by hand.""" ; rdfs:seeAlso . d3f:AML.T0034 a owl:Class ; rdfs:label "Cost Harvesting - ATLAS" ; skos:prefLabel "Cost Harvesting" ; rdfs:subClassOf d3f:ATLASImpactTechnique ; d3f:attack-id "AML.T0034" ; d3f:definition """Adversaries may target different AI services to send useless queries or computationally expensive inputs to increase the cost of running services at the victim organization. Sponge examples are a particular type of adversarial data designed to maximize energy consumption and thus operating cost.""" ; rdfs:seeAlso . d3f:AML.T0035 a owl:Class ; rdfs:label "AI Artifact Collection - ATLAS" ; skos:prefLabel "AI Artifact Collection" ; rdfs:subClassOf d3f:ATLASCollectionTechnique ; d3f:attack-id "AML.T0035" ; d3f:definition """Adversaries may collect AI artifacts for [Exfiltration](/tactics/AML.TA0010) or for use in [AI Attack Staging](/tactics/AML.TA0001). AI artifacts include models and datasets as well as other telemetry data produced when interacting with a model.""" ; rdfs:seeAlso . d3f:AML.T0036 a owl:Class ; rdfs:label "Data from Information Repositories - ATLAS" ; skos:prefLabel "Data from Information Repositories" ; rdfs:subClassOf d3f:ATLASCollectionTechnique ; d3f:attack-id "AML.T0036" ; d3f:definition """Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include SharePoint, Confluence, and enterprise databases such as SQL Server.""" ; rdfs:seeAlso . d3f:AML.T0037 a owl:Class ; rdfs:label "Data from Local System - ATLAS" ; skos:prefLabel "Data from Local System" ; rdfs:subClassOf d3f:ATLASCollectionTechnique ; d3f:attack-id "AML.T0037" ; d3f:definition """Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. This can include basic fingerprinting information and sensitive data such as ssh keys.""" ; rdfs:seeAlso . d3f:AML.T0040 a owl:Class ; rdfs:label "AI Model Inference API Access - ATLAS" ; skos:prefLabel "AI Model Inference API Access" ; rdfs:subClassOf d3f:ATLASAIModelAccessTechnique ; d3f:attack-id "AML.T0040" ; d3f:definition """Adversaries may gain access to a model via legitimate access to the inference API. Inference API access can be a source of information to the adversary ([Discover AI Model Ontology](/techniques/AML.T0013), [Discover AI Model Family](/techniques/AML.T0014)), a means of staging the attack ([Verify Attack](/techniques/AML.T0042), [Craft Adversarial Data](/techniques/AML.T0043)), or for introducing data to the target system for Impact ([Evade AI Model](/techniques/AML.T0015), [Erode AI Model Integrity](/techniques/AML.T0031)). Many systems rely on the same models provided via an inference API, which means they share the same vulnerabilities. This is especially true of foundation models which are prohibitively resource intensive to train. Adversaries may use their access to model APIs to identify vulnerabilities such as jailbreaks or hallucinations and then target applications that use the same models.""" ; rdfs:seeAlso . d3f:AML.T0041 a owl:Class ; rdfs:label "Physical Environment Access - ATLAS" ; skos:prefLabel "Physical Environment Access" ; rdfs:subClassOf d3f:ATLASAIModelAccessTechnique ; d3f:attack-id "AML.T0041" ; d3f:definition """In addition to the attacks that take place purely in the digital domain, adversaries may also exploit the physical environment for their attacks. If the model is interacting with data collected from the real world in some way, the adversary can influence the model through access to wherever the data is being collected. By modifying the data in the collection process, the adversary can perform modified versions of attacks designed for digital access.""" ; rdfs:seeAlso . d3f:AML.T0042 a owl:Class ; rdfs:label "Verify Attack - ATLAS" ; skos:prefLabel "Verify Attack" ; rdfs:subClassOf d3f:ATLASAIAttackStagingTechnique ; d3f:attack-id "AML.T0042" ; d3f:definition """Adversaries can verify the efficacy of their attack via an inference API or access to an offline copy of the target model. This gives the adversary confidence that their approach works and allows them to carry out the attack at a later time of their choosing. The adversary may verify the attack once but use it against many edge devices running copies of the target model. The adversary may verify their attack digitally, then deploy it in the [Physical Environment Access](/techniques/AML.T0041) at a later time. Verifying the attack may be hard to detect since the adversary can use a minimal number of queries or an offline copy of the model.""" ; rdfs:seeAlso . d3f:AML.T0043 a owl:Class ; rdfs:label "Craft Adversarial Data - ATLAS" ; skos:prefLabel "Craft Adversarial Data" ; rdfs:subClassOf d3f:ATLASAIAttackStagingTechnique ; d3f:attack-id "AML.T0043" ; d3f:definition """Adversarial data are inputs to an AI model that have been modified such that they cause the adversary's desired effect in the target model. Effects can range from misclassification, to missed detections, to maximizing energy consumption. Typically, the modification is constrained in magnitude or location so that a human still perceives the data as if it were unmodified, but human perceptibility may not always be a concern depending on the adversary's intended effect. For example, an adversarial input for an image classification task is an image the AI model would misclassify, but a human would still recognize as containing the correct class. Depending on the adversary's knowledge of and access to the target model, the adversary may use different classes of algorithms to develop the adversarial example such as [White-Box Optimization](/techniques/AML.T0043.000), [Black-Box Optimization](/techniques/AML.T0043.001), [Black-Box Transfer](/techniques/AML.T0043.002), or [Manual Modification](/techniques/AML.T0043.003). The adversary may [Verify Attack](/techniques/AML.T0042) their approach works if they have white-box or inference API access to the model. This allows the adversary to gain confidence their attack is effective "live" environment where their attack may be noticed. They can then use the attack at a later time to accomplish their goals. An adversary may optimize adversarial examples for [Evade AI Model](/techniques/AML.T0015), or to [Erode AI Model Integrity](/techniques/AML.T0031).""" ; rdfs:seeAlso . d3f:AML.T0043.000 a owl:Class ; rdfs:label "White-Box Optimization - ATLAS" ; skos:prefLabel "White-Box Optimization" ; rdfs:subClassOf d3f:AML.T0043 ; d3f:attack-id "AML.T0043.000" ; d3f:definition """In White-Box Optimization, the adversary has full access to the target model and optimizes the adversarial example directly. Adversarial examples trained in this manner are most effective against the target model.""" ; rdfs:seeAlso . d3f:AML.T0043.001 a owl:Class ; rdfs:label "Black-Box Optimization - ATLAS" ; skos:prefLabel "Black-Box Optimization" ; rdfs:subClassOf d3f:AML.T0043 ; d3f:attack-id "AML.T0043.001" ; d3f:definition """In Black-Box attacks, the adversary has black-box (i.e. [AI Model Inference API Access](/techniques/AML.T0040) via API access) access to the target model. With black-box attacks, the adversary may be using an API that the victim is monitoring. These attacks are generally less effective and require more inferences than [White-Box Optimization](/techniques/AML.T0043.000) attacks, but they require much less access.""" ; rdfs:seeAlso . d3f:AML.T0043.002 a owl:Class ; rdfs:label "Black-Box Transfer - ATLAS" ; skos:prefLabel "Black-Box Transfer" ; rdfs:subClassOf d3f:AML.T0043 ; d3f:attack-id "AML.T0043.002" ; d3f:definition """In Black-Box Transfer attacks, the adversary uses one or more proxy models (trained via [Create Proxy AI Model](/techniques/AML.T0005) or [Train Proxy via Replication](/techniques/AML.T0005.001)) they have full access to and are representative of the target model. The adversary uses [White-Box Optimization](/techniques/AML.T0043.000) on the proxy models to generate adversarial examples. If the set of proxy models are close enough to the target model, the adversarial example should generalize from one to another. This means that an attack that works for the proxy models will likely then work for the target model. If the adversary has [AI Model Inference API Access](/techniques/AML.T0040), they may use [Verify Attack](/techniques/AML.T0042) to confirm the attack is working and incorporate that information into their training process.""" ; rdfs:seeAlso . d3f:AML.T0043.003 a owl:Class ; rdfs:label "Manual Modification - ATLAS" ; skos:prefLabel "Manual Modification" ; rdfs:subClassOf d3f:AML.T0043 ; d3f:attack-id "AML.T0043.003" ; d3f:definition """Adversaries may manually modify the input data to craft adversarial data. They may use their knowledge of the target model to modify parts of the data they suspect helps the model in performing its task. The adversary may use trial and error until they are able to verify they have a working adversarial input.""" ; rdfs:seeAlso . d3f:AML.T0043.004 a owl:Class ; rdfs:label "Insert Backdoor Trigger - ATLAS" ; skos:prefLabel "Insert Backdoor Trigger" ; rdfs:subClassOf d3f:AML.T0043 ; d3f:attack-id "AML.T0043.004" ; d3f:definition """The adversary may add a perceptual trigger into inference data. The trigger may be imperceptible or non-obvious to humans. This technique is used in conjunction with [Poison AI Model](/techniques/AML.T0018.000) and allows the adversary to produce their desired effect in the target model.""" ; rdfs:seeAlso . d3f:AML.T0044 a owl:Class ; rdfs:label "Full AI Model Access - ATLAS" ; skos:prefLabel "Full AI Model Access" ; rdfs:subClassOf d3f:ATLASAIModelAccessTechnique ; d3f:attack-id "AML.T0044" ; d3f:definition """Adversaries may gain full "white-box" access to an AI model. This means the adversary has complete knowledge of the model architecture, its parameters, and class ontology. They may exfiltrate the model to [Craft Adversarial Data](/techniques/AML.T0043) and [Verify Attack](/techniques/AML.T0042) in an offline where it is hard to detect their behavior.""" ; rdfs:seeAlso . d3f:AML.T0046 a owl:Class ; rdfs:label "Spamming AI System with Chaff Data - ATLAS" ; skos:prefLabel "Spamming AI System with Chaff Data" ; rdfs:subClassOf d3f:ATLASImpactTechnique ; d3f:attack-id "AML.T0046" ; d3f:definition """Adversaries may spam the AI system with chaff data that causes increase in the number of detections. This can cause analysts at the victim organization to waste time reviewing and correcting incorrect inferences.""" ; rdfs:seeAlso . d3f:AML.T0047 a owl:Class ; rdfs:label "AI-Enabled Product or Service - ATLAS" ; skos:prefLabel "AI-Enabled Product or Service" ; rdfs:subClassOf d3f:ATLASAIModelAccessTechnique ; d3f:attack-id "AML.T0047" ; d3f:definition """Adversaries may use a product or service that uses artificial intelligence under the hood to gain access to the underlying AI model. This type of indirect model access may reveal details of the AI model or its inferences in logs or metadata.""" ; rdfs:seeAlso . d3f:AML.T0048 a owl:Class ; rdfs:label "External Harms - ATLAS" ; skos:prefLabel "External Harms" ; rdfs:subClassOf d3f:ATLASImpactTechnique ; d3f:attack-id "AML.T0048" ; d3f:definition """Adversaries may abuse their access to a victim system and use its resources or capabilities to further their goals by causing harms external to that system. These harms could affect the organization (e.g. Financial Harm, Reputational Harm), its users (e.g. User Harm), or the general public (e.g. Societal Harm).""" ; rdfs:seeAlso . d3f:AML.T0048.000 a owl:Class ; rdfs:label "Financial Harm - ATLAS" ; skos:prefLabel "Financial Harm" ; rdfs:subClassOf d3f:AML.T0048 ; d3f:attack-id "AML.T0048.000" ; d3f:definition "Financial harm involves the loss of wealth, property, or other monetary assets due to theft, fraud or forgery, or pressure to provide financial resources to the adversary." ; rdfs:seeAlso . d3f:AML.T0048.001 a owl:Class ; rdfs:label "Reputational Harm - ATLAS" ; skos:prefLabel "Reputational Harm" ; rdfs:subClassOf d3f:AML.T0048 ; d3f:attack-id "AML.T0048.001" ; d3f:definition "Reputational harm involves a degradation of public perception and trust in organizations. Examples of reputation-harming incidents include scandals or false impersonations." ; rdfs:seeAlso . d3f:AML.T0048.002 a owl:Class ; rdfs:label "Societal Harm - ATLAS" ; skos:prefLabel "Societal Harm" ; rdfs:subClassOf d3f:AML.T0048 ; d3f:attack-id "AML.T0048.002" ; d3f:definition "Societal harms might generate harmful outcomes that reach either the general public or specific vulnerable groups such as the exposure of children to vulgar content." ; rdfs:seeAlso . d3f:AML.T0048.003 a owl:Class ; rdfs:label "User Harm - ATLAS" ; skos:prefLabel "User Harm" ; rdfs:subClassOf d3f:AML.T0048 ; d3f:attack-id "AML.T0048.003" ; d3f:definition "User harms may encompass a variety of harm types including financial and reputational that are directed at or felt by individual victims of the attack rather than at the organization level." ; rdfs:seeAlso . d3f:AML.T0048.004 a owl:Class ; rdfs:label "AI Intellectual Property Theft - ATLAS" ; skos:prefLabel "AI Intellectual Property Theft" ; rdfs:subClassOf d3f:AML.T0048 ; d3f:attack-id "AML.T0048.004" ; d3f:definition """Adversaries may exfiltrate AI artifacts to steal intellectual property and cause economic harm to the victim organization. Proprietary training data is costly to collect and annotate and may be a target for [Exfiltration](/tactics/AML.TA0010) and theft. AIaaS providers charge for use of their API. An adversary who has stolen a model via [Exfiltration](/tactics/AML.TA0010) or via [Extract AI Model](/techniques/AML.T0024.002) now has unlimited use of that service without paying the owner of the intellectual property.""" ; rdfs:seeAlso . d3f:AML.T0049 a owl:Class ; rdfs:label "Exploit Public-Facing Application - ATLAS" ; skos:prefLabel "Exploit Public-Facing Application" ; rdfs:subClassOf d3f:ATLASInitialAccessTechnique ; d3f:attack-id "AML.T0049" ; d3f:definition "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services." ; rdfs:seeAlso . d3f:AML.T0050 a owl:Class ; rdfs:label "Command and Scripting Interpreter - ATLAS" ; skos:prefLabel "Command and Scripting Interpreter" ; rdfs:subClassOf d3f:ATLASExecutionTechnique ; d3f:attack-id "AML.T0050" ; d3f:definition """Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell. There are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript and Visual Basic. Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various Remote Services in order to achieve remote Execution.""" ; rdfs:seeAlso . d3f:AML.T0051 a owl:Class ; rdfs:label "LLM Prompt Injection - ATLAS" ; skos:prefLabel "LLM Prompt Injection" ; rdfs:subClassOf d3f:ATLASExecutionTechnique ; d3f:attack-id "AML.T0051" ; d3f:definition """An adversary may craft malicious prompts as inputs to an LLM that cause the LLM to act in unintended ways. These "prompt injections" are often designed to cause the model to ignore aspects of its original instructions and follow the adversary's instructions instead. Prompt Injections can be an initial access vector to the LLM that provides the adversary with a foothold to carry out other steps in their operation. They may be designed to bypass defenses in the LLM, or allow the adversary to issue privileged commands. The effects of a prompt injection can persist throughout an interactive session with an LLM. Malicious prompts may be injected directly by the adversary ([Direct](/techniques/AML.T0051.000)) either to leverage the LLM to generate harmful content or to gain a foothold on the system and lead to further effects. Prompts may also be injected indirectly when as part of its normal operation the LLM ingests the malicious prompt from another data source ([Indirect](/techniques/AML.T0051.001)). This type of injection can be used by the adversary to a foothold on the system or to target the user of the LLM. Malicious prompts may also be [Triggered](/techniques/AML.T0051.002) user actions or system events.""" ; rdfs:seeAlso . d3f:AML.T0051.000 a owl:Class ; rdfs:label "Direct - ATLAS" ; skos:prefLabel "Direct" ; rdfs:subClassOf d3f:AML.T0051 ; d3f:attack-id "AML.T0051.000" ; d3f:definition "An adversary may inject prompts directly as a user of the LLM. This type of injection may be used by the adversary to gain a foothold in the system or to misuse the LLM itself, as for example to generate harmful content." ; rdfs:seeAlso . d3f:AML.T0051.001 a owl:Class ; rdfs:label "Indirect - ATLAS" ; skos:prefLabel "Indirect" ; rdfs:subClassOf d3f:AML.T0051 ; d3f:attack-id "AML.T0051.001" ; d3f:definition """An adversary may inject prompts indirectly via separate data channel ingested by the LLM such as include text or multimedia pulled from databases or websites. These malicious prompts may be hidden or obfuscated from the user. This type of injection may be used by the adversary to gain a foothold in the system or to target an unwitting user of the system.""" ; rdfs:seeAlso . d3f:AML.T0051.002 a owl:Class ; rdfs:label "Triggered - ATLAS" ; skos:prefLabel "Triggered" ; rdfs:subClassOf d3f:AML.T0051 ; d3f:attack-id "AML.T0051.002" ; d3f:definition "An adversary may trigger a prompt injection via a user action or event that occurs within the victim's environment. Triggered prompt injections often target AI agents, which can be activated by means the adversary identifies during [Discovery](/tactics/AML.TA0008) (See [Activation Triggers](/techniques/AML.T0084.002)). These malicious prompts may be hidden or obfuscated from the user and may already exist somewhere in the victim's environment from the adversary performing [Prompt Infiltration via Public-Facing Application](/techniques/AML.T0093). This type of injection may be used by the adversary to gain a foothold in the system or to target an unwitting user of the system." ; rdfs:seeAlso . d3f:AML.T0052 a owl:Class ; rdfs:label "Phishing - ATLAS" ; skos:prefLabel "Phishing" ; rdfs:subClassOf d3f:ATLASInitialAccessTechnique ; d3f:attack-id "AML.T0052" ; d3f:definition """Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Generative AI, including LLMs that generate synthetic text, visual deepfakes of faces, and audio deepfakes of speech, is enabling adversaries to scale targeted phishing campaigns. LLMs can interact with users via text conversations and can be programmed with a meta prompt to phish for sensitive information. Deepfakes can be use in impersonation as an aid to phishing.""" ; rdfs:seeAlso . d3f:AML.T0052.000 a owl:Class ; rdfs:label "Spearphishing via Social Engineering LLM - ATLAS" ; skos:prefLabel "Spearphishing via Social Engineering LLM" ; rdfs:subClassOf d3f:AML.T0052 ; d3f:attack-id "AML.T0052.000" ; d3f:definition """Adversaries may turn LLMs into targeted social engineers. LLMs are capable of interacting with users via text conversations. They can be instructed by an adversary to seek sensitive information from a user and act as effective social engineers. They can be targeted towards particular personas defined by the adversary. This allows adversaries to scale spearphishing efforts and target individuals to reveal private information such as credentials to privileged systems.""" ; rdfs:seeAlso . d3f:AML.T0053 a owl:Class ; rdfs:label "AI Agent Tool Invocation - ATLAS" ; skos:prefLabel "AI Agent Tool Invocation" ; rdfs:subClassOf d3f:ATLASExecutionTechnique, d3f:ATLASPrivilegeEscalationTechnique ; d3f:attack-id "AML.T0053" ; d3f:definition """Adversaries may use their access to an AI agent to invoke tools the agent has access to. LLMs are often connected to other services or resources via tools to increase their capabilities. Tools may include integrations with other applications, access to public or private data sources, and the ability to execute code. This may allow adversaries to execute API calls to integrated applications or services, providing the adversary with increased privileges on the system. Adversaries may take advantage of connected data sources to retrieve sensitive information. They may also use an LLM integrated with a command or script interpreter to execute arbitrary instructions. AI agents may be configured to have access to tools that are not directly accessible by users. Adversaries may abuse this to gain access to tools they otherwise wouldn't be able to use.""" ; rdfs:seeAlso . d3f:AML.T0054 a owl:Class ; rdfs:label "LLM Jailbreak - ATLAS" ; skos:prefLabel "LLM Jailbreak" ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique, d3f:ATLASPrivilegeEscalationTechnique ; d3f:attack-id "AML.T0054" ; d3f:definition """An adversary may use a carefully crafted [LLM Prompt Injection](/techniques/AML.T0051) designed to place LLM in a state in which it will freely respond to any user input, bypassing any controls, restrictions, or guardrails placed on the LLM. Once successfully jailbroken, the LLM can be used in unintended ways by the adversary.""" ; rdfs:seeAlso . d3f:AML.T0055 a owl:Class ; rdfs:label "Unsecured Credentials - ATLAS" ; skos:prefLabel "Unsecured Credentials" ; rdfs:subClassOf d3f:ATLASCredentialAccessTechnique ; d3f:attack-id "AML.T0055" ; d3f:definition """Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. bash history), environment variables, operating system, or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. private keys).""" ; rdfs:seeAlso . d3f:AML.T0056 a owl:Class ; rdfs:label "Extract LLM System Prompt - ATLAS" ; skos:prefLabel "Extract LLM System Prompt" ; rdfs:subClassOf d3f:ATLASExfiltrationTechnique ; d3f:attack-id "AML.T0056" ; d3f:definition """Adversaries may attempt to extract a large language model's (LLM) system prompt. This can be done via prompt injection to induce the model to reveal its own system prompt or may be extracted from a configuration file. System prompts can be a portion of an AI provider's competitive advantage and are thus valuable intellectual property that may be targeted by adversaries.""" ; rdfs:seeAlso . d3f:AML.T0057 a owl:Class ; rdfs:label "LLM Data Leakage - ATLAS" ; skos:prefLabel "LLM Data Leakage" ; rdfs:subClassOf d3f:ATLASExfiltrationTechnique ; d3f:attack-id "AML.T0057" ; d3f:definition """Adversaries may craft prompts that induce the LLM to leak sensitive information. This can include private user data or proprietary information. The leaked information may come from proprietary training data, data sources the LLM is connected to, or information from other users of the LLM.""" ; rdfs:seeAlso . d3f:AML.T0058 a owl:Class ; rdfs:label "Publish Poisoned Models - ATLAS" ; skos:prefLabel "Publish Poisoned Models" ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0058" ; d3f:definition "Adversaries may publish a poisoned model to a public location such as a model registry or code repository. The poisoned model may be a novel model or a poisoned variant of an existing open-source model. This model may be introduced to a victim system via [AI Supply Chain Compromise](/techniques/AML.T0010)." ; rdfs:seeAlso . d3f:AML.T0059 a owl:Class ; rdfs:label "Erode Dataset Integrity - ATLAS" ; skos:prefLabel "Erode Dataset Integrity" ; rdfs:subClassOf d3f:ATLASImpactTechnique ; d3f:attack-id "AML.T0059" ; d3f:definition "Adversaries may poison or manipulate portions of a dataset to reduce its usefulness, reduce trust, and cause users to waste resources correcting errors." ; rdfs:seeAlso . d3f:AML.T0060 a owl:Class ; rdfs:label "Publish Hallucinated Entities - ATLAS" ; skos:prefLabel "Publish Hallucinated Entities" ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0060" ; d3f:definition "Adversaries may create an entity they control, such as a software package, website, or email address to a source hallucinated by an LLM. The hallucinations may take the form of package names commands, URLs, company names, or email addresses that point the victim to the entity controlled by the adversary. When the victim interacts with the adversary-controlled entity, the attack can proceed." ; rdfs:seeAlso . d3f:AML.T0061 a owl:Class ; rdfs:label "LLM Prompt Self-Replication - ATLAS" ; skos:prefLabel "LLM Prompt Self-Replication" ; rdfs:subClassOf d3f:ATLASPersistenceTechnique ; d3f:attack-id "AML.T0061" ; d3f:definition "An adversary may use a carefully crafted [LLM Prompt Injection](/techniques/AML.T0051) designed to cause the LLM to replicate the prompt as part of its output. This allows the prompt to propagate to other LLMs and persist on the system. The self-replicating prompt is typically paired with other malicious instructions (ex: [LLM Jailbreak](/techniques/AML.T0054), [LLM Data Leakage](/techniques/AML.T0057))." ; rdfs:seeAlso . d3f:AML.T0062 a owl:Class ; rdfs:label "Discover LLM Hallucinations - ATLAS" ; skos:prefLabel "Discover LLM Hallucinations" ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; d3f:attack-id "AML.T0062" ; d3f:definition """Adversaries may prompt large language models and identify hallucinated entities. They may request software packages, commands, URLs, organization names, or e-mail addresses, and identify hallucinations with no connected real-world source. Discovered hallucinations provide the adversary with potential targets to [Publish Hallucinated Entities](/techniques/AML.T0060). Different LLMs have been shown to produce the same hallucinations, so the hallucinations exploited by an adversary may affect users of other LLMs.""" ; rdfs:seeAlso . d3f:AML.T0063 a owl:Class ; rdfs:label "Discover AI Model Outputs - ATLAS" ; skos:prefLabel "Discover AI Model Outputs" ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; d3f:attack-id "AML.T0063" ; d3f:definition """Adversaries may discover model outputs, such as class scores, whose presence is not required for the system to function and are not intended for use by the end user. Model outputs may be found in logs or may be included in API responses. Model outputs may enable the adversary to identify weaknesses in the model and develop attacks.""" ; rdfs:seeAlso . d3f:AML.T0064 a owl:Class ; rdfs:label "Gather RAG-Indexed Targets - ATLAS" ; skos:prefLabel "Gather RAG-Indexed Targets" ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; d3f:attack-id "AML.T0064" ; d3f:definition """Adversaries may identify data sources used in retrieval augmented generation (RAG) systems for targeting purposes. By pinpointing these sources, attackers can focus on poisoning or otherwise manipulating the external data repositories the AI relies on. RAG-indexed data may be identified in public documentation about the system, or by interacting with the system directly and observing any indications of or references to external data sources.""" ; rdfs:seeAlso . d3f:AML.T0065 a owl:Class ; rdfs:label "LLM Prompt Crafting - ATLAS" ; skos:prefLabel "LLM Prompt Crafting" ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0065" ; d3f:definition """Adversaries may use their acquired knowledge of the target generative AI system to craft prompts that bypass its defenses and allow malicious instructions to be executed. The adversary may iterate on the prompt to ensure that it works as-intended consistently.""" ; rdfs:seeAlso . d3f:AML.T0066 a owl:Class ; rdfs:label "Retrieval Content Crafting - ATLAS" ; skos:prefLabel "Retrieval Content Crafting" ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0066" ; d3f:definition """Adversaries may write content designed to be retrieved by user queries and influence a user of the system in some way. This abuses the trust the user has in the system. The crafted content can be combined with a prompt injection. It can also stand alone in a separate document or email. The adversary must get the crafted content into the victim\\u0027s database, such as a vector database used in a retrieval augmented generation (RAG) system. This may be accomplished via cyber access, or by abusing the ingestion mechanisms common in RAG systems (see [RAG Poisoning](/techniques/AML.T0070)). Large language models may be used as an assistant to aid an adversary in crafting content.""" ; rdfs:seeAlso . d3f:AML.T0067 a owl:Class ; rdfs:label "LLM Trusted Output Components Manipulation - ATLAS" ; skos:prefLabel "LLM Trusted Output Components Manipulation" ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; d3f:attack-id "AML.T0067" ; d3f:definition """Adversaries may utilize prompts to a large language model (LLM) which manipulate various components of its response in order to make it appear trustworthy to the user. This helps the adversary continue to operate in the victim's environment and evade detection by the users it interacts with. The LLM may be instructed to tailor its language to appear more trustworthy to the user or attempt to manipulate the user to take certain actions. Other response components that could be manipulated include links, recommended follow-up actions, retrieved document metadata, and [Citations](/techniques/AML.T0067.000).""" ; rdfs:seeAlso . d3f:AML.T0067.000 a owl:Class ; rdfs:label "Citations - ATLAS" ; skos:prefLabel "Citations" ; rdfs:subClassOf d3f:AML.T0067 ; d3f:attack-id "AML.T0067.000" ; d3f:definition "Adversaries may manipulate the citations provided in an AI system's response, in order to make it appear trustworthy. Variants include citing a providing the wrong citation, making up a new citation, or providing the right citation but for adversary-provided data." ; rdfs:seeAlso . d3f:AML.T0068 a owl:Class ; rdfs:label "LLM Prompt Obfuscation - ATLAS" ; skos:prefLabel "LLM Prompt Obfuscation" ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; d3f:attack-id "AML.T0068" ; d3f:definition """Adversaries may hide or otherwise obfuscate prompt injections or retrieval content from the user to avoid detection. This may include modifying how the injection is rendered such as small text, text colored the same as the background, or hidden HTML elements.""" ; rdfs:seeAlso . d3f:AML.T0069 a owl:Class ; rdfs:label "Discover LLM System Information - ATLAS" ; skos:prefLabel "Discover LLM System Information" ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; d3f:attack-id "AML.T0069" ; d3f:definition "The adversary is trying to discover something about the large language model's (LLM) system information. This may be found in a configuration file containing the system instructions or extracted via interactions with the LLM. The desired information may include the full system prompt, special characters that have significance to the LLM or keywords indicating functionality available to the LLM. Information about how the LLM is instructed can be used by the adversary to understand the system's capabilities and to aid them in crafting malicious prompts." ; rdfs:seeAlso . d3f:AML.T0069.000 a owl:Class ; rdfs:label "Special Character Sets - ATLAS" ; skos:prefLabel "Special Character Sets" ; rdfs:subClassOf d3f:AML.T0069 ; d3f:attack-id "AML.T0069.000" ; d3f:definition "Adversaries may discover delimiters and special characters sets used by the large language model. For example, delimiters used in retrieval augmented generation applications to differentiate between context and user prompts. These can later be exploited to confuse or manipulate the large language model into misbehaving." ; rdfs:seeAlso . d3f:AML.T0069.001 a owl:Class ; rdfs:label "System Instruction Keywords - ATLAS" ; skos:prefLabel "System Instruction Keywords" ; rdfs:subClassOf d3f:AML.T0069 ; d3f:attack-id "AML.T0069.001" ; d3f:definition "Adversaries may discover keywords that have special meaning to the large language model (LLM), such as function names or object names. These can later be exploited to confuse or manipulate the LLM into misbehaving and to make calls to plugins the LLM has access to." ; rdfs:seeAlso . d3f:AML.T0069.002 a owl:Class ; rdfs:label "System Prompt - ATLAS" ; skos:prefLabel "System Prompt" ; rdfs:subClassOf d3f:AML.T0069 ; d3f:attack-id "AML.T0069.002" ; d3f:definition "Adversaries may discover a large language model's system instructions provided by the AI system builder to learn about the system's capabilities and circumvent its guardrails." ; rdfs:seeAlso . d3f:AML.T0070 a owl:Class ; rdfs:label "RAG Poisoning - ATLAS" ; skos:prefLabel "RAG Poisoning" ; rdfs:subClassOf d3f:ATLASPersistenceTechnique ; d3f:attack-id "AML.T0070" ; d3f:definition """Adversaries may inject malicious content into data indexed by a retrieval augmented generation (RAG) system to contaminate a future thread through RAG-based search results. This may be accomplished by placing manipulated documents in a location the RAG indexes (see [Gather RAG-Indexed Targets](/techniques/AML.T0064)). The content may be targeted such that it would always surface as a search result for a specific user query. The adversary's content may include false or misleading information. It may also include prompt injections with malicious instructions, or false RAG entries.""" ; rdfs:seeAlso . d3f:AML.T0071 a owl:Class ; rdfs:label "False RAG Entry Injection - ATLAS" ; skos:prefLabel "False RAG Entry Injection" ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; d3f:attack-id "AML.T0071" ; d3f:definition """Adversaries may introduce false entries into a victim's retrieval augmented generation (RAG) database. Content designed to be interpreted as a document by the large language model (LLM) used in the RAG system is included in a data source being ingested into the RAG database. When RAG entry including the false document is retrieved, the LLM is tricked into treating part of the retrieved content as a false RAG result. By including a false RAG document inside of a regular RAG entry, it bypasses data monitoring tools. It also prevents the document from being deleted directly. The adversary may use discovered system keywords to learn how to instruct a particular LLM to treat content as a RAG entry. They may be able to manipulate the injected entry's metadata including document title, author, and creation date.""" ; rdfs:seeAlso . d3f:AML.T0072 a owl:Class ; rdfs:label "Reverse Shell - ATLAS" ; skos:prefLabel "Reverse Shell" ; rdfs:subClassOf d3f:ATLASCommandAndControlTechnique ; d3f:attack-id "AML.T0072" ; d3f:definition """Adversaries may utilize a reverse shell to communicate and control the victim system. Typically, a user uses a client to connect to a remote machine which is listening for connections. With a reverse shell, the adversary is listening for incoming connections initiated from the victim system.""" ; rdfs:seeAlso . d3f:AML.T0073 a owl:Class ; rdfs:label "Impersonation - ATLAS" ; skos:prefLabel "Impersonation" ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; d3f:attack-id "AML.T0073" ; d3f:definition """Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via [Phishing](/techniques/AML.T0052), or [Spearphishing via Social Engineering LLM](/techniques/AML.T0052.000)) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary's ultimate goals, possibly against multiple victims. Adversaries may target resources that are part of the AI DevOps lifecycle, such as model repositories, container registries, and software registries.""" ; rdfs:seeAlso . d3f:AML.T0074 a owl:Class ; rdfs:label "Masquerading - ATLAS" ; skos:prefLabel "Masquerading" ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; d3f:attack-id "AML.T0074" ; d3f:definition "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names." ; rdfs:seeAlso . d3f:AML.T0075 a owl:Class ; rdfs:label "Cloud Service Discovery - ATLAS" ; skos:prefLabel "Cloud Service Discovery" ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; d3f:attack-id "AML.T0075" ; d3f:definition """An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.[1][2] For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.[3][4] Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through Disable or Modify Tools or Disable or Modify Cloud Logs.""" ; rdfs:seeAlso . d3f:AML.T0076 a owl:Class ; rdfs:label "Corrupt AI Model - ATLAS" ; skos:prefLabel "Corrupt AI Model" ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; d3f:attack-id "AML.T0076" ; d3f:definition "An adversary may purposefully corrupt a malicious AI model file so that it cannot be successfully deserialized in order to evade detection by a model scanner. The corrupt model may still successfully execute malicious code before deserialization fails." ; rdfs:seeAlso . d3f:AML.T0077 a owl:Class ; rdfs:label "LLM Response Rendering - ATLAS" ; skos:prefLabel "LLM Response Rendering" ; rdfs:subClassOf d3f:ATLASExfiltrationTechnique ; d3f:attack-id "AML.T0077" ; d3f:definition """An adversary may get a large language model (LLM) to respond with private information that is hidden from the user when the response is rendered by the user's client. The private information is then exfiltrated. This can take the form of rendered images, which automatically make a request to an adversary controlled server. The adversary gets AI to present an image to the user, which is rendered by the user's client application with no user clicks required. The image is hosted on an attacker-controlled website, allowing the adversary to exfiltrate data through image request parameters. Variants include HTML tags and markdown For example, an LLM may produce the following markdown: ``` ![ATLAS](https://atlas.mitre.org/image.png?secrets="private data") ``` Which is rendered by the client as: ``` ``` When the request is received by the adversary's server hosting the requested image, they receive the contents of the `secrets` query parameter.""" ; rdfs:seeAlso . d3f:AML.T0078 a owl:Class ; rdfs:label "Drive-by Compromise - ATLAS" ; skos:prefLabel "Drive-by Compromise" ; rdfs:subClassOf d3f:ATLASInitialAccessTechnique ; d3f:attack-id "AML.T0078" ; d3f:definition """Adversaries may gain access to an AI system through a user visiting a website over the normal course of browsing, or an AI agent retrieving information from the web on behalf of a user. Websites can contain an [LLM Prompt Injection](/techniques/AML.T0051) which, when executed, can change the behavior of the AI model. The same approach may be used to deliver other types of malicious code that don't target AI directly (See [Drive-by Compromise in ATT&CK](https://attack.mitre.org/techniques/T1189/)).""" ; rdfs:seeAlso . d3f:AML.T0079 a owl:Class ; rdfs:label "Stage Capabilities - ATLAS" ; skos:prefLabel "Stage Capabilities" ; rdfs:subClassOf d3f:ATLASResourceDevelopmentTechnique ; d3f:attack-id "AML.T0079" ; d3f:definition """Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](/techniques/AML.T0017)) or obtained ([Obtain Capabilities](/techniques/AML.T0016)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](/techniques/AML.T0008)) or was otherwise compromised by them. Capabilities may also be staged on web services, such as GitHub, model registries, such as Hugging Face, or container registries. Adversaries may stage a variety of AI Artifacts including poisoned datasets ([Publish Poisoned Datasets](/techniques/AML.T0019), malicious models ([Publish Poisoned Models](/techniques/AML.T0058), and prompt injections. They may target names of legitimate companies or products, engage in typosquatting, or use hallucinated entities ([Discover LLM Hallucinations](/techniques/AML.T0062)).""" ; rdfs:seeAlso . d3f:AML.T0080 a owl:Class ; rdfs:label "AI Agent Context Poisoning - ATLAS" ; skos:prefLabel "AI Agent Context Poisoning" ; rdfs:subClassOf d3f:ATLASPersistenceTechnique ; d3f:attack-id "AML.T0080" ; d3f:definition """Adversaries may attempt to manipulate the context used by an AI agent's large language model (LLM) to influence the responses it generates or actions it takes. This allows an adversary to persistently change the behavior of the target agent and further their goals. Context poisoning can be accomplished by prompting the an LLM to add instructions or preferences to memory (See [Memory](/techniques/AML.T0080.000)) or by simply prompting an LLM that uses prior messages in a thread as part of its context (See [Thread](/techniques/AML.T0080.001)).""" ; rdfs:seeAlso . d3f:AML.T0080.000 a owl:Class ; rdfs:label "Memory - ATLAS" ; skos:prefLabel "Memory" ; rdfs:subClassOf d3f:AML.T0080 ; d3f:attack-id "AML.T0080.000" ; d3f:definition """Adversaries may manipulate the memory of a large language model (LLM) in order to persist changes to the LLM to future chat sessions. Memory is a common feature in LLMs that allows them to remember information across chat sessions by utilizing a user-specific database. Because the memory is controlled via normal conversations with the user (e.g. "remember my preference for ...") an adversary can inject memories via Direct or Indirect Prompt Injection. Memories may contain malicious instructions (e.g. instructions that leak private conversations) or may promote the adversary's hidden agenda (e.g. manipulating the user).""" ; rdfs:seeAlso . d3f:AML.T0080.001 a owl:Class ; rdfs:label "Thread - ATLAS" ; skos:prefLabel "Thread" ; rdfs:subClassOf d3f:AML.T0080 ; d3f:attack-id "AML.T0080.001" ; d3f:definition """Adversaries may introduce malicious instructions into a chat thread of a large language model (LLM) to cause behavior changes which persist for the remainder of the thread. A chat thread may continue for an extended period over multiple sessions. The malicious instructions may be introduced via Direct or Indirect Prompt Injection. Direct Injection may occur in cases where the adversary has acquired a user's LLM API keys and can inject queries directly into any thread. As the token limits for LLMs rise, AI systems can make use of larger context windows which allow malicious instructions to persist longer in a thread. Thread Poisoning may affect multiple users if the LLM is being used in a service with shared threads. For example, if an agent is active in a Slack channel with multiple participants, a single malicious message from one user can influence the agent's behavior in future interactions with others.""" ; rdfs:seeAlso . d3f:AML.T0081 a owl:Class ; rdfs:label "Modify AI Agent Configuration - ATLAS" ; skos:prefLabel "Modify AI Agent Configuration" ; rdfs:subClassOf d3f:ATLASPersistenceTechnique ; d3f:attack-id "AML.T0081" ; d3f:definition """Adversaries may modify the configuration files for AI agents on a system. This allows malicious changes to persist beyond the life of a single agent and affects any agents that share the configuration. Configuration changes may include modifications to the system prompt, tampering with or replacing knowledge sources, modification to settings of connected tools, and more. Through those changes, an attacker could redirect outputs or tools to malicious services, embed covert instructions that exfiltrate data, or weaken security controls that normally restrict agent behavior.""" ; rdfs:seeAlso . d3f:AML.T0082 a owl:Class ; rdfs:label "RAG Credential Harvesting - ATLAS" ; skos:prefLabel "RAG Credential Harvesting" ; rdfs:subClassOf d3f:ATLASCredentialAccessTechnique ; d3f:attack-id "AML.T0082" ; d3f:definition "Adversaries may attempt to use their access to a large language model (LLM) on the victim's system to collect credentials. Credentials may be stored in internal documents which can inadvertently be ingested into a RAG database, where they can ultimately be retrieved by an AI agent." ; rdfs:seeAlso . d3f:AML.T0083 a owl:Class ; rdfs:label "Credentials from AI Agent Configuration - ATLAS" ; skos:prefLabel "Credentials from AI Agent Configuration" ; rdfs:subClassOf d3f:ATLASCredentialAccessTechnique ; d3f:attack-id "AML.T0083" ; d3f:definition """Adversaries may access the credentials of other tools or services on a system from the configuration of an AI agent. AI Agents often utilize external tools or services to take actions, such as querying databases, invoking APIs, or interacting with cloud resources. To enable these functions, credentials like API keys, tokens, and connection strings are frequently stored in configuration files. While there are secure methods such as dedicated secret managers or encrypted vaults that can be deployed to store and manage these credentials, in practice they are often placed in less protected locations for convenience or ease of deployment. If an attacker can read or extract these configurations, they may obtain valid credentials that allow direct access to sensitive systems outside the agent itself.""" ; rdfs:seeAlso . d3f:AML.T0084 a owl:Class ; rdfs:label "Discover AI Agent Configuration - ATLAS" ; skos:prefLabel "Discover AI Agent Configuration" ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; d3f:attack-id "AML.T0084" ; d3f:definition """Adversaries may attempt to discover configuration information for AI agents present on the victim's system. Agent configurations can include tools or services they have access to. Adversaries may directly access agent configuring dashboards or configuration files. They may also obtain configuration details by prompting the agent with questions such as "What tools do you have access to?" Adversaries can use the information they discover about AI agents to help with targeting.""" ; rdfs:seeAlso . d3f:AML.T0084.000 a owl:Class ; rdfs:label "Embedded Knowledge - ATLAS" ; skos:prefLabel "Embedded Knowledge" ; rdfs:subClassOf d3f:AML.T0084 ; d3f:attack-id "AML.T0084.000" ; d3f:definition """Adversaries may attempt to discover the data sources a particular agent can access. The AI agent's configuration may reveal data sources or knowledge. The embedded knowledge may include sensitive or proprietary material such as intellectual property, customer data, internal policies, or even credentials. By mapping what knowledge an agent has access to, an adversary can better understand the AI agent's role and potentially expose confidential information or pinpoint high-value targets for further exploitation.""" ; rdfs:seeAlso . d3f:AML.T0084.001 a owl:Class ; rdfs:label "Tool Definitions - ATLAS" ; skos:prefLabel "Tool Definitions" ; rdfs:subClassOf d3f:AML.T0084 ; d3f:attack-id "AML.T0084.001" ; d3f:definition "Adversaries may discover the tools the AI agent has access to. By identifying which tools are available, the adversary can understand what actions may be executed through the agent and what additional resources it can reach. This knowledge may reveal access to external data sources such as OneDrive or SharePoint, or expose exfiltration paths like the ability to send emails, helping adversaries identify AI agents that provide the greatest value or opportunity for attack." ; rdfs:seeAlso . d3f:AML.T0084.002 a owl:Class ; rdfs:label "Activation Triggers - ATLAS" ; skos:prefLabel "Activation Triggers" ; rdfs:subClassOf d3f:AML.T0084 ; d3f:attack-id "AML.T0084.002" ; d3f:definition """Adversaries may discover keywords or other triggers (such as incoming emails, documents being added, incoming message, or other workflows) that activate an agent and may cause it to run additional actions. Understanding these triggers can reveal how the AI agent is activated and controlled. This may also expose additional paths for compromise, as an adversary could attempt to trigger the agent from outside its environment and drive it to perform unintended or malicious actions.""" ; rdfs:seeAlso . d3f:AML.T0085 a owl:Class ; rdfs:label "Data from AI Services - ATLAS" ; skos:prefLabel "Data from AI Services" ; rdfs:subClassOf d3f:ATLASCollectionTechnique ; d3f:attack-id "AML.T0085" ; d3f:definition """Adversaries may use their access to a victim organization's AI-enabled services to collect proprietary or otherwise sensitive information. As organizations adopt generative AI in centralized services for accessing an organization's data, such as with chat agents which can access retrieval augmented generation (RAG) databases and other data sources via tools, they become increasingly valuable targets for adversaries. AI agents may be configured to have access to tools and data sources that are not directly accessible by users. Adversaries may abuse this to collect data that a regular user wouldn't be able to access directly.""" ; rdfs:seeAlso . d3f:AML.T0085.000 a owl:Class ; rdfs:label "RAG Databases - ATLAS" ; skos:prefLabel "RAG Databases" ; rdfs:subClassOf d3f:AML.T0085 ; d3f:attack-id "AML.T0085.000" ; d3f:definition "Adversaries may prompt the AI service to retrieve data from a RAG database. This can include the majority of an organization's internal documents." ; rdfs:seeAlso . d3f:AML.T0085.001 a owl:Class ; rdfs:label "AI Agent Tools - ATLAS" ; skos:prefLabel "AI Agent Tools" ; rdfs:subClassOf d3f:AML.T0085 ; d3f:attack-id "AML.T0085.001" ; d3f:definition "Adversaries may prompt the AI service to invoke various tools the agent has access to. Tools may retrieve data from different APIs or services in an organization." ; rdfs:seeAlso . d3f:AML.T0086 a owl:Class ; rdfs:label "Exfiltration via AI Agent Tool Invocation - ATLAS" ; skos:prefLabel "Exfiltration via AI Agent Tool Invocation" ; rdfs:subClassOf d3f:ATLASExfiltrationTechnique ; d3f:attack-id "AML.T0086" ; d3f:definition "Adversaries may use prompts to invoke an agent's tool capable of performing write operations to exfiltrate data. Sensitive information can be encoded into the tool's input parameters and transmitted as part of a seemingly legitimate action. Variants include sending emails, creating or modifying documents, updating CRM records, or even generating media such as images or videos." ; rdfs:seeAlso . d3f:AML.T0087 a owl:Class ; rdfs:label "Gather Victim Identity Information - ATLAS" ; skos:prefLabel "Gather Victim Identity Information" ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; d3f:attack-id "AML.T0087" ; d3f:definition """Adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, photos, etc.) as well as sensitive details such as credentials or multi-factor authentication (MFA) configurations. Adversaries may gather this information in various ways, such as direct elicitation, [Search Victim-Owned Websites](/techniques/AML.T0003), or via leaked information on the black market. Adversaries may use the gathered victim data to Create Deepfakes and impersonate them in a convincing manner. This may create opportunities for adversaries to [Establish Accounts](/techniques/AML.T0021) under the impersonated identity, or allow them to perform convincing [Phishing](/techniques/AML.T0052) attacks.""" ; rdfs:seeAlso . d3f:AML.T0088 a owl:Class ; rdfs:label "Generate Deepfakes - ATLAS" ; skos:prefLabel "Generate Deepfakes" ; rdfs:subClassOf d3f:ATLASAIAttackStagingTechnique ; d3f:attack-id "AML.T0088" ; d3f:definition """Adversaries may use generative artificial intelligence (GenAI) to create synthetic media (i.e. imagery, video, audio, and text) that appear authentic. These "[deepfakes]( https://en.wikipedia.org/wiki/Deepfake)" may mimic a real person or depict fictional personas. Adversaries may use deepfakes for impersonation to conduct [Phishing](/techniques/AML.T0052) or to evade AI applications such as biometric identity verification systems (see [Evade AI Model](/techniques/AML.T0015)). Manipulation of media has been possible for a long time, however GenAI reduces the skill and level of effort required, allowing adversaries to rapidly scale operations to target more users or systems. It also makes real-time manipulations feasible. Adversaries may utilize open-source models and software that were designed for legitimate use cases to generate deepfakes for malicious use. However, there are some projects specifically tailored towards malicious use cases such as [ProKYC](https://www.catonetworks.com/blog/prokyc-selling-deepfake-tool-for-account-fraud-attacks/).""" ; rdfs:seeAlso . d3f:AML.T0089 a owl:Class ; rdfs:label "Process Discovery - ATLAS" ; skos:prefLabel "Process Discovery" ; rdfs:subClassOf d3f:ATLASDiscoveryTechnique ; d3f:attack-id "AML.T0089" ; d3f:definition """Adversaries may attempt to get information about processes running on a system. Once obtained, this information could be used to gain an understanding of common AI-related software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Identifying the AI software stack can then lead an adversary to new targets and attack pathways. AI-related software may require application tokens to authenticate with backend services. This provides opportunities for [Credential Access](/tactics/AML.TA0013) and [Lateral Movement](/tactics/AML.TA0015). In Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or `Get-Process` via PowerShell. Information about processes can also be extracted from the output of Native API calls such as `CreateToolhelp32Snapshot`. In Mac and Linux, this is accomplished with the `ps` command. Adversaries may also opt to enumerate processes via `/proc`.""" ; rdfs:seeAlso . d3f:AML.T0090 a owl:Class ; rdfs:label "OS Credential Dumping - ATLAS" ; skos:prefLabel "OS Credential Dumping" ; rdfs:subClassOf d3f:ATLASCredentialAccessTechnique ; d3f:attack-id "AML.T0090" ; d3f:definition """Adversaries may extract credentials from OS caches, application memory, or other sources on a compromised system. Credentials are often in the form of a hash or clear text, and can include usernames and passwords, application tokens, or other authentication keys. Credentials can be used to perform [Lateral Movement](/tactics/AML.TA0015) to access other AI services such as AI agents, LLMs, or AI inference APIs. Credentials could also give an adversary access to other software tools and data sources that are part of the AI DevOps lifecycle.""" ; rdfs:seeAlso . d3f:AML.T0091 a owl:Class ; rdfs:label "Use Alternate Authentication Material - ATLAS" ; skos:prefLabel "Use Alternate Authentication Material" ; rdfs:subClassOf d3f:ATLASLateralMovementTechnique ; d3f:attack-id "AML.T0091" ; d3f:definition """Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. AI services commonly use alternate authentication material as a primary means for users to make queries, making them vulnerable to this technique.""" ; rdfs:seeAlso . d3f:AML.T0091.000 a owl:Class ; rdfs:label "Application Access Token - ATLAS" ; skos:prefLabel "Application Access Token" ; rdfs:subClassOf d3f:AML.T0091 ; d3f:attack-id "AML.T0091.000" ; d3f:definition """Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user or service and are commonly used to access resources in cloud, container-based applications, and software-as-a-service (SaaS). They are commonly used for AI services such as chatbots, LLMs, and predictive inference APIs.""" ; rdfs:seeAlso . d3f:AML.T0092 a owl:Class ; rdfs:label "Manipulate User LLM Chat History - ATLAS" ; skos:prefLabel "Manipulate User LLM Chat History" ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; d3f:attack-id "AML.T0092" ; d3f:definition """Adversaries may manipulate a user's large language model (LLM) chat history to cover the tracks of their malicious behavior. They may hide persistent changes they have made to the LLM's behavior, or obscure their attempts at discovering private information about the user. To do so, adversaries may delete or edit existing messages or create new threads as part of their coverup. This is feasible if the adversary has the victim's authentication tokens for the backend LLM service or if they have direct access to the victim's chat interface. Chat interfaces (especially desktop interfaces) often do not show the injected prompt for any ongoing chat, as they update chat history only once when initially opening it. This can help the adversary's manipulations go unnoticed by the victim.""" ; rdfs:seeAlso . d3f:AML.T0093 a owl:Class ; rdfs:label "Prompt Infiltration via Public-Facing Application - ATLAS" ; skos:prefLabel "Prompt Infiltration via Public-Facing Application" ; rdfs:subClassOf d3f:ATLASInitialAccessTechnique, d3f:ATLASPersistenceTechnique ; d3f:attack-id "AML.T0093" ; d3f:definition """An adversary may introduce malicious prompts into the victim's system via a public-facing application with the intention of it being ingested by an AI at some point in the future and ultimately having a downstream effect. This may occur when a data source is indexed by a retrieval augmented generation (RAG) system, when a rule triggers an action by an AI agent, or when a user utilizes a large language model (LLM) to interact with the malicious content. The malicious prompts may persist on the victim system for an extended period and could affect multiple users and various AI tools within the victim organization. Any public-facing application that accepts text input could be a target. This includes email, shared document systems like OneDrive or Google Drive, and service desks or ticketing systems like Jira. Adversaries may perform [Reconnaissance](/tactics/AML.TA0002) to identify public facing applications that are likely monitored by an AI agent or are likely to be indexed by a RAG. They may perform [Discover AI Agent Configuration](/techniques/AML.T0084) to refine their targeting.""" ; rdfs:seeAlso . d3f:AML.T0094 a owl:Class ; rdfs:label "Delay Execution of LLM Instructions - ATLAS" ; skos:prefLabel "Delay Execution of LLM Instructions" ; rdfs:subClassOf d3f:ATLASDefenseEvasionTechnique ; d3f:attack-id "AML.T0094" ; d3f:definition """Adversaries may include instructions to be followed by the AI system in response to a future event, such as a specific keyword or the next interaction, in order to evade detection or bypass controls placed on the AI system. For example, an adversary may include "If the user submits a new request..." followed by the malicious instructions as part of their prompt. AI agents can include security measures against prompt injections that prevent the invocation of particular tools or access to certain data sources during a conversation turn that has untrusted data in context. Delaying the execution of instructions to a future interaction or keyword is one way adversaries may bypass this type of control.""" ; rdfs:seeAlso . d3f:AML.T0095 a owl:Class ; rdfs:label "Search Open Websites/Domains - ATLAS" ; skos:prefLabel "Search Open Websites/Domains" ; rdfs:subClassOf d3f:ATLASReconnaissanceTechnique ; d3f:attack-id "AML.T0095" ; d3f:definition """Adversaries may search public websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or domains owned by the victim. Adversaries may find the information they seek to gather via search engines. They can use precise search queries to identify software platforms or services used by the victim to use in targeting. This may be followed by [Exploit Public-Facing Application](/techniques/AML.T0049) or [Prompt Infiltration via Public-Facing Application](/techniques/AML.T0093).""" ; rdfs:seeAlso . d3f:AML.TA0000 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "AI Model Access - ATLAS" ; skos:prefLabel "AI Model Access" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0000" ; d3f:definition """The adversary is attempting to gain some level of access to an AI model. AI Model Access enables techniques that use various types of access to the AI model that can be used by the adversary to gain information, develop attacks, and as a means to input data to the model. The level of access can range from the full knowledge of the internals of the model to access to the physical environment where data is collected for use in the AI model. The adversary may use varying levels of model access during the course of their attack, from staging the attack to impacting the target system. Access to an AI model may require access to the system housing the model, the model may be publicly accessible via an API, or it may be accessed indirectly via interaction with a product or service that utilizes AI as part of its processes.""" ; rdfs:seeAlso . d3f:AML.TA0001 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "AI Attack Staging - ATLAS" ; skos:prefLabel "AI Attack Staging" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0001" ; d3f:definition """The adversary is leveraging their knowledge of and access to the target system to tailor the attack. AI Attack Staging consists of techniques adversaries use to prepare their attack on the target AI model. Techniques can include training proxy models, poisoning the target model, and crafting adversarial data to feed the target model. Some of these techniques can be performed in an offline manner and are thus difficult to mitigate. These techniques are often used to achieve the adversary's end goal.""" ; rdfs:seeAlso . d3f:AML.TA0002 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Reconnaissance - ATLAS" ; skos:prefLabel "Reconnaissance" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0002" ; d3f:definition """The adversary is trying to gather information about the AI system they can use to plan future operations. Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organizations' AI capabilities and research efforts. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to obtain relevant AI artifacts, targeting AI capabilities used by the victim, tailoring attacks to the particular models used by the victim, or to drive and lead further Reconnaissance efforts.""" ; rdfs:seeAlso . d3f:AML.TA0003 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Resource Development - ATLAS" ; skos:prefLabel "Resource Development" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0003" ; d3f:definition """The adversary is trying to establish resources they can use to support operations. Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include AI artifacts, infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as [AI Attack Staging](/tactics/AML.TA0001).""" ; rdfs:seeAlso . d3f:AML.TA0004 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Initial Access - ATLAS" ; skos:prefLabel "Initial Access" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0004" ; d3f:definition """The adversary is trying to gain access to the AI system. The target system could be a network, mobile device, or an edge device such as a sensor platform. The AI capabilities used by the system could be local with onboard or cloud-enabled AI capabilities. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within the system.""" ; rdfs:seeAlso . d3f:AML.TA0005 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Execution - ATLAS" ; skos:prefLabel "Execution" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0005" ; d3f:definition """The adversary is trying to run malicious code embedded in AI artifacts or software. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does [Remote System Discovery](https://attack.mitre.org/techniques/T1018/).""" ; rdfs:seeAlso . d3f:AML.TA0006 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Persistence - ATLAS" ; skos:prefLabel "Persistence" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0006" ; d3f:definition """The adversary is trying to maintain their foothold via AI artifacts or software. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence often involve leaving behind modified ML artifacts such as poisoned training data or manipulated AI models.""" ; rdfs:seeAlso . d3f:AML.TA0007 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Defense Evasion - ATLAS" ; skos:prefLabel "Defense Evasion" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0007" ; d3f:definition """The adversary is trying to avoid being detected by AI-enabled security software. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include evading AI-enabled security software such as malware detectors.""" ; rdfs:seeAlso . d3f:AML.TA0008 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Discovery - ATLAS" ; skos:prefLabel "Discovery" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0008" ; d3f:definition """The adversary is trying to figure out your AI environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.""" ; rdfs:seeAlso . d3f:AML.TA0009 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Collection - ATLAS" ; skos:prefLabel "Collection" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0009" ; d3f:definition """The adversary is trying to gather AI artifacts and other related information relevant to their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the AI artifacts, or use the collected information to stage future operations. Common target sources include software repositories, container registries, model repositories, and object stores.""" ; rdfs:seeAlso . d3f:AML.TA0010 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Exfiltration - ATLAS" ; skos:prefLabel "Exfiltration" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0010" ; d3f:definition """The adversary is trying to steal AI artifacts or other information about the AI system. Exfiltration consists of techniques that adversaries may use to steal data from your network. Data may be stolen for its valuable intellectual property, or for use in staging future operations. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.""" ; rdfs:seeAlso . d3f:AML.TA0011 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Impact - ATLAS" ; skos:prefLabel "Impact" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0011" ; d3f:definition """The adversary is trying to manipulate, interrupt, erode confidence in, or destroy your AI systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.""" ; rdfs:seeAlso . d3f:AML.TA0012 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Privilege Escalation - ATLAS" ; skos:prefLabel "Privilege Escalation" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0012" ; d3f:definition """The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: - SYSTEM/root level - local administrator - user account with admin-like access - user accounts with access to specific system or perform specific function These techniques often overlap with Persistence techniques, as OS features that let an adversary persist can execute in an elevated context.""" ; rdfs:seeAlso . d3f:AML.TA0013 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Credential Access - ATLAS" ; skos:prefLabel "Credential Access" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0013" ; d3f:definition """The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.""" ; rdfs:seeAlso . d3f:AML.TA0014 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Command and Control - ATLAS" ; skos:prefLabel "Command and Control" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0014" ; d3f:definition """The adversary is trying to communicate with compromised AI systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim's network structure and defenses.""" ; rdfs:seeAlso . d3f:AML.TA0015 a d3f:OffensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Lateral Movement - ATLAS" ; skos:prefLabel "Lateral Movement" ; rdfs:subClassOf d3f:ATLASTactic, d3f:OffensiveTactic ; d3f:attack-id "AML.TA0015" ; d3f:definition """The adversary is trying to move through your AI environment. Lateral Movement consists of techniques that adversaries may use to gain access to and control other systems or components in the environment. Adversaries may pivot towards AI Ops infrastructure such as model registries, experiment trackers, vector databases, notebooks, or training pipelines. As the adversary moves through the environment, they may discover means of accessing additional AI-related tools, services, or applications. AI agents may also be a valuable target as they commonly have more permissions than standard user accounts on the system.""" ; rdfs:seeAlso . d3f:AnalyticalPurpose a owl:Class ; rdfs:label "Analytical Purpose" ; rdfs:subClassOf d3f:Goal . d3f:AnalyticTechnique a owl:Class ; rdfs:label "Analytic Technique" ; rdfs:subClassOf d3f:Technique ; rdfs:isDefinedBy ; d3f:definition "A process in which a computer examines information using mathematical methods in order to find useful patterns." . d3f:ANN-basedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "ANN-based Clustering" ; rdfs:subClassOf d3f:ClusterAnalysis ; d3f:d3fend-id "D3A-ABC" ; d3f:definition "Combines the principles of Artificial Neural Networks (ANN) and clustering methods." ; d3f:kb-article """## References Wikipedia. (n.d.). Artificial neural network. [Link](https://en.wikipedia.org/wiki/Artificial_neural_network)""" . d3f:AnonymousPipe a owl:Class ; rdfs:label "Anonymous Pipe" ; rdfs:subClassOf d3f:Pipe ; rdfs:isDefinedBy ; d3f:definition "In computer science, an anonymous pipe is a simplex FIFO communication channel that may be used for one-way interprocess communication (IPC). An implementation is often integrated into the operating system's file IO subsystem. Typically a parent program opens anonymous pipes, and creates a new process that inherits the other ends of the pipes, or creates several new processes and arranges them in a pipeline." . d3f:AnswerSetProgramming a owl:Class, owl:NamedIndividual ; rdfs:label "Answer Set Programming" ; rdfs:subClassOf d3f:LogicProgramming ; d3f:d3fend-id "D3A-ASP" ; d3f:definition "Answer set programming is a form of declarative programming based on the stable model (answer set) semantics of logic programming." ; d3f:kb-article """## How it works Answer set programming (ASP) is oriented towards difficult (primarily NP-hard) search problems. The computational process employed in the design of many answer set solvers is an enhancement of the DPLL algorithm and, in principle, it always terminates (unlike Prolog query evaluation, which may lead to an infinite loop). In a more general sense, ASP includes all applications of answer sets to knowledge representation and the use of Prolog-style query evaluation for solving problems arising in these applications. ## References 1. Answer set programming. (2023, April 27). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Answer_set_programming)""" ; d3f:synonym "ASP" . d3f:Application a owl:Class, owl:NamedIndividual ; rdfs:label "Application" ; rdfs:subClassOf d3f:Software, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:ApplicationConfiguration ] ; d3f:definition "A program that gives a computer instructions that provide the user with tools to accomplish a task; \"he has tried several different word processing applications\". Distinct from system software that is intrinsically part of the operating system. An application can be made up of executable files, configuration files, shared libraries, etc." ; d3f:may-contain d3f:ApplicationConfiguration ; rdfs:seeAlso , , . d3f:Application-basedProcessIsolation a d3f:Application-basedProcessIsolation, owl:Class, owl:NamedIndividual ; rdfs:label "Application-based Process Isolation" ; rdfs:subClassOf d3f:ExecutionIsolation, [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:Process ], [ a owl:Restriction ; owl:onProperty d3f:restricts ; owl:someValuesFrom d3f:Subroutine ] ; d3f:d3fend-id "D3-ABPI" ; d3f:definition "Application code which prevents its own subroutines from accessing intra-process / internal memory space." ; d3f:isolates d3f:Process ; d3f:kb-article """## How it works Some applications implement logic to permit or deny a particular subroutine access to other data within the same applicaition process. This is intended to prevent critical application process data from being tampered with. ### Application-based Process Isolation in web browsers. Isolation in browsers usually is designed with the following architectural mindset: * Sandboxes and web resources should not be allowed to access each other because compromise of one should not effect the other. * The principle of least-privilege should be followed when browsing. The following aspects help make browser-based process isolation possible: * Same Origin Policy * Separate tabs and iframes use their own DOMs (cross-site document object models always run as a different process) * CORS ensures cross-site data is not delivered to a process unless the server allows it * Cookie and local data storage is separated by domain/site * Separate execution environments (threads) ## Considerations - Using isolation in browsers does mitigate and protect by default some types of attacks (e.g. renderer attacks and access to the filesystem) but it depends on correct configuration of CORS, use of valid/appropriate certificates. - Application-based Process Isolation may increase memory footprint. - Application-based Process Isolation may decrease application performance.""" ; d3f:kb-reference d3f:Reference-PrivateApplicationAccessWithBrowserIsolation, d3f:Reference-ProtectingWebApplicationsFromUntrustedEndpointsUsingRemoteBrowserIsolation, d3f:Reference-SiteIsolationDesignDocument ; d3f:restricts d3f:Subroutine ; d3f:synonym "Browser-based Process Isolation", "Remote Browser Isolation", "Sandbox" . d3f:ApplicationConfiguration a owl:Class, owl:NamedIndividual ; rdfs:label "Application Configuration" ; rdfs:subClassOf d3f:ConfigurationResource ; d3f:definition "Information used to configure the parameters and initial settings for an application." ; rdfs:seeAlso . d3f:ApplicationConfigurationDatabase a owl:Class, owl:NamedIndividual ; rdfs:label "Application Configuration Database" ; rdfs:subClassOf d3f:ConfigurationDatabase, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ApplicationConfigurationDatabaseRecord ] ; d3f:contains d3f:ApplicationConfigurationDatabaseRecord ; d3f:definition "A database used to hold application configuration data." . d3f:ApplicationConfigurationDatabaseRecord a owl:Class, owl:NamedIndividual ; rdfs:label "Application Configuration Database Record" ; rdfs:subClassOf d3f:ApplicationConfiguration, d3f:ConfigurationDatabaseRecord ; d3f:definition "A database record holding information used to configure the parameters and initial settings for an application." . d3f:ApplicationConfigurationFile a owl:Class, owl:NamedIndividual ; rdfs:label "Application Configuration File" ; rdfs:subClassOf d3f:ConfigurationFile, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ApplicationConfiguration ] ; d3f:contains d3f:ApplicationConfiguration ; d3f:definition "A file containing Information used to configure the parameters and initial settings for an application.. A plist file is an example of this type of file for macOS. Usually text-based." . d3f:ApplicationConfigurationHardening a d3f:ApplicationConfigurationHardening, owl:Class, owl:NamedIndividual ; rdfs:label "Application Configuration Hardening" ; rdfs:subClassOf d3f:ApplicationHardening, [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:ApplicationConfiguration ] ; d3f:d3fend-id "D3-ACH" ; d3f:definition "Modifying an application's configuration to reduce its attack surface." ; d3f:hardens d3f:ApplicationConfiguration ; d3f:kb-article """## How it works Application configuration settings can be configured to limit the permissions on an application or disable certain vulnerable application features. Hardening an application's configuration involves analyzing not only the application but also the environment in which the application is run in for potential vulnerabilities.""" ; d3f:kb-reference d3f:Reference-RedHatEnterpriseLinux8SecurityTechnicalImplementationGuide, d3f:Reference-Windows10STIG . d3f:ApplicationConfigurationModificationEvent a owl:Class ; rdfs:label "Application Configuration Modification Event" ; rdfs:subClassOf d3f:ConfigurationModificationEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:ApplicationConfiguration ], [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:ApplicationUpdateEvent ] ; d3f:definition "An event in which the configuration of a specific software application is changed, affecting how that application executes, interacts with other components, or exposes functionality to users or services." . d3f:ApplicationDeletionEvent a owl:Class ; rdfs:label "Application Deletion Event" ; rdfs:subClassOf d3f:ApplicationEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ApplicationInstallationEvent ] ; d3f:definition "An event capturing the removal of an application from a system, ensuring its binaries, configuration files, and registry entries are deleted or deactivated." . d3f:ApplicationDisableEvent a owl:Class ; rdfs:label "Application Disable Event" ; rdfs:subClassOf d3f:ApplicationEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ApplicationEnableEvent ] ; d3f:definition "An event capturing the disabling of an application, preventing it from being operational or accessed until re-enabled." . d3f:ApplicationEnableEvent a owl:Class ; rdfs:label "Application Enable Event" ; rdfs:subClassOf d3f:ApplicationEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ApplicationInstallationEvent ] ; d3f:definition "An event representing the enabling of an application, allowing it to be started or accessed when required." . d3f:ApplicationEvent a owl:Class ; rdfs:label "Application Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Application ] ; d3f:definition "An event that captures the behavior, state, or interactions of software applications or services operating within a system. Application events encompass lifecycle changes, configuration updates, and operational anomalies, providing insight into the health and performance of software components." ; rdfs:seeAlso . d3f:ApplicationExceptionMonitoring a d3f:ApplicationExceptionMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Application Exception Monitoring" ; rdfs:subClassOf d3f:ApplicationPerformanceMonitoring, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:ApplicationFailureCountVariable ], [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:Log ] ; d3f:d3fend-id "D3-AEM" ; d3f:definition "Monitoring the failures of system counters and timers." ; d3f:kb-article """## How it works Monitoring timer and counter failures or exceedances can reveal issues with the program or platform, and is important for both safety and security. It may also help identify tampering or malicious activity affecting the device or the processes it controls.""" ; d3f:kb-reference d3f:Reference-SecurePLCCodingPracticesTop20List ; d3f:monitors d3f:ApplicationFailureCountVariable, d3f:Log ; d3f:synonym "Application Failure Monitoring" . d3f:ApplicationFailureCountVariable a owl:Class, owl:NamedIndividual ; rdfs:label "Application Failure Count Variable" ; rdfs:subClassOf d3f:RuntimeVariable ; rdfs:comment "Differenct controller brands have different system tags to monitor various aspects, for example in Allen-Bradley you might use S:ERR, T4:0.DN, C5:0.OV; respectively System error, timer/counter status bits" ; d3f:definition "Variables that keep count of various failures and errors." . d3f:ApplicationHardening a d3f:ApplicationHardening, owl:Class, owl:NamedIndividual ; rdfs:label "Application Hardening" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Harden ] ; d3f:d3fend-id "D3-AH" ; d3f:definition "Application Hardening makes an executable application more resilient to a class of exploits which either introduce new code or execute unwanted existing code. These techniques may be applied at compile-time or on an application binary." ; d3f:enables d3f:Harden ; d3f:kb-article """## Technique Overview Exploits may, for example, rely on knowledge of addresses in a process's memory, they may alter memory contents, and they may cause a program to use instructions in a way that they were not intended. By, for example, including code that dynamically changes the memory address of data or code on each run, introducing logic to validating the memory contents before certain potentially dangerous flows are executed, or monitoring a program for unusual sequence of instructions, this makes it harder for an attacker to craft a working exploit.""" ; d3f:synonym "Process Hardening" . d3f:ApplicationInstallationEvent a owl:Class ; rdfs:label "Application Installation Event" ; rdfs:subClassOf d3f:ApplicationEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:SoftwareDeploymentTool ] ; d3f:definition "An event representing the installation of an application onto a system, making it available for use and interaction." . d3f:ApplicationInstaller a owl:Class, owl:NamedIndividual ; rdfs:label "Application Installer" ; rdfs:subClassOf d3f:UserApplication ; d3f:definition "An application installer is a user application designed to install, configure, and deploy another application." . d3f:ApplicationInventorySensor a owl:Class, owl:NamedIndividual ; rdfs:label "Application Inventory Sensor" ; rdfs:subClassOf d3f:EndpointSensor, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:Application ] ; d3f:definition "Collects information on applications on an endpoint." ; d3f:monitors d3f:Application . d3f:ApplicationLayerEvent a owl:Class ; rdfs:label "Application Layer Event" ; rdfs:subClassOf d3f:NetworkEvent ; d3f:definition "An event occurring at the application layer, involving protocols that support application-specific communication." . d3f:ApplicationLayerFirewall a owl:Class ; rdfs:label "Application Layer Firewall" ; skos:altLabel "Application Firewall" ; rdfs:subClassOf d3f:Firewall ; rdfs:isDefinedBy ; d3f:definition "An application firewall is a form of firewall that controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls that do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall, which is - without additional software - unable to control network traffic regarding a specific application. There are two primary categories of application firewalls, network-based application firewalls and host-based application firewalls." . d3f:ApplicationLayerLink a owl:Class ; rdfs:label "Application Layer Link" ; rdfs:subClassOf d3f:LogicalLink ; d3f:definition "An Application Layer Link is a type of logical link that exists at the application layer of a network or system architecture." . d3f:ApplicationPerformanceMonitoring a d3f:ApplicationPerformanceMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Application Performance Monitoring" ; rdfs:subClassOf d3f:PlatformMonitoring, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:ApplicationScanTime ], [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:SystemApplicationCycleCount ] ; d3f:d3fend-id "D3-APM" ; d3f:definition "Monitoring the count and duration of the application or program cycle." ; d3f:kb-article """## How it works Keeping track of the controller cycle time by logging it, setting alarms, and correlating with other events. Changes to cycle time can be indicative of injecting new logic, deleting logic, or system failures.""" ; d3f:kb-reference d3f:Reference-SecurePLCCodingPracticesTop20List ; d3f:monitors d3f:ApplicationScanTime, d3f:SystemApplicationCycleCount . d3f:ApplicationProcess a owl:Class, owl:NamedIndividual ; rdfs:label "Application Process" ; rdfs:subClassOf d3f:UserProcess, [ a owl:Restriction ; owl:onProperty d3f:runs ; owl:someValuesFrom d3f:Application ] ; d3f:definition "An application process is an instance of an application computer program that is being executed." ; d3f:runs d3f:Application ; rdfs:seeAlso . d3f:ApplicationProcessConfiguration a owl:Class ; rdfs:label "Application Process Configuration" ; rdfs:subClassOf d3f:ApplicationConfiguration ; d3f:definition "The current configuration of an application process, stored in memory. It may have been sourced from other types of application configurations, e.g. Application Configuration Files or Application Configuration Database Records." . d3f:ApplicationProtocolCommandAnalysis a d3f:ApplicationProtocolCommandAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Application Protocol Command Analysis" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:d3fend-id "D3-APCA" ; d3f:definition "Analyzing application protocol level remote commands to detect unauthorized activity." ; d3f:kb-article """## How it works This technique requires the ability to parse application layer protocols to understand the commands being sent to a remote service. Signature-based or statistical analysis may be employed to identify unauthorized commands being sent. These commands can be observed by monitoring network traffic or application logs.""" ; d3f:kb-reference d3f:Reference-MethodAndApparatusForDetectingAnomaliesOfAnInfrastructureInANetwork, d3f:Reference-ProtocolBasedDetectionOfSuspiciousNetworkTraffic ; d3f:monitors d3f:NetworkTraffic . d3f:ApplicationRestartEvent a owl:Class ; rdfs:label "Application Restart Event" ; rdfs:subClassOf d3f:ApplicationEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ApplicationStopEvent ], [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:ApplicationStartEvent ] ; d3f:definition "An event where an application is sequentially stopped and started, typically to refresh its state, apply updates, or resolve issues while preserving its availability." . d3f:ApplicationRule a owl:Class ; rdfs:label "Application Rule" ; rdfs:subClassOf d3f:ApplicationConfiguration ; d3f:definition "A configuration of an application which is used to apply logical or data processing functions to data processed by the application." . d3f:ApplicationRuntimeVariable a owl:Class ; rdfs:label "Application Runtime Variable" ; rdfs:subClassOf d3f:RuntimeVariable ; d3f:definition "A system variable that tracks aspects of runtime of a system." . d3f:ApplicationScanTime a owl:Class, owl:NamedIndividual ; rdfs:label "Application Scan Time" ; rdfs:subClassOf d3f:ApplicationRuntimeVariable ; d3f:definition "A variable that tracks the measured time it takes to begin, run, and complete a select portion of an application's logic." . d3f:ApplicationShim a owl:Class ; rdfs:label "Application Shim" ; rdfs:subClassOf d3f:Shim ; d3f:definition "An application shim adapts an application program to run on a version of a platform for which they were not originally created. Most commonly \"Application Shimming\" refers to use of The Windows Application Compatibility Toolkit (ACT) provides backward compatibility by simulating the behavior of older version of Windows." ; rdfs:seeAlso d3f:Shim, . d3f:ApplicationStartEvent a owl:Class ; rdfs:label "Application Start Event" ; rdfs:subClassOf d3f:ApplicationEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ApplicationInstallationEvent ] ; d3f:definition "An event where an application transitions from an inactive state to an active state, initializing its resources and becoming operational for user interaction or automated processes." . d3f:ApplicationStopEvent a owl:Class ; rdfs:label "Application Stop Event" ; rdfs:subClassOf d3f:ApplicationEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ApplicationStartEvent ] ; d3f:definition "An event capturing the cessation of an application’s operations, transitioning it to an inactive state and releasing any allocated resources." . d3f:ApplicationUpdateEvent a owl:Class ; rdfs:label "Application Update Event" ; rdfs:subClassOf d3f:ApplicationEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ApplicationInstallationEvent ] ; d3f:definition "An event describing changes made to an application, such as updates, reconfigurations, or patch installations, while maintaining its presence on the system." . d3f:ApproximateStringMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Approximate String Matching" ; rdfs:subClassOf d3f:PartialMatching ; d3f:d3fend-id "D3A-ASM" ; d3f:definition "Approximate string matching is a form of string matching that allows errrors." ; d3f:kb-article """## References 1. Navarro, G. (2001). A guided tour to approximate string matching. _ACM Computing Surveys_, 33(1), 31-88. [Link](https://doi.org/10.1145/375360.375365)""" . d3f:ArchiveFile a owl:Class, owl:NamedIndividual ; rdfs:label "Archive File" ; rdfs:subClassOf d3f:File ; rdfs:isDefinedBy ; d3f:definition "An archive file is a file that is composed of one or more computer files along with metadata. Archive files are used to collect multiple data files together into a single file for easier portability and storage, or simply to compress files to use less storage space. Archive files often store directory structures, error detection and correction information, arbitrary comments, and sometimes use built-in encryption." . d3f:ARIMAModel a owl:Class, owl:NamedIndividual ; rdfs:label "ARIMA Model" ; rdfs:subClassOf d3f:TimeSeriesAnalysis ; d3f:d3fend-id "D3A-AM" ; d3f:definition "An autoregressive integrated moving average (ARIMA) model is a generalization of an autoregressive moving average (ARMA) model." ; d3f:kb-article """## References Wikipedia. (n.d.). Autoregressive integrated moving average. [Link](https://en.wikipedia.org/wiki/Autoregressive_integrated_moving_average)""" ; d3f:synonym "Autoregressive Integrated Moving Average Model" . d3f:ARMA_Model a d3f:TimeSeriesAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "ARMA Model" ; rdfs:subClassOf d3f:TimeSeriesAnalysis ; d3f:d3fend-id "D3-ARMA" ; d3f:definition "Autoregressive-moving-average (ARMA) models provide a parsimonious description of a (weakly) stationary stochastic process in terms of two polynomials, one for the autoregression (AR) and the second for the moving average (MA)." ; d3f:kb-article """## References Wikipedia. (n.d.). Autoregressive-moving-average model. [Link](https://en.wikipedia.org/wiki/Autoregressive%E2%80%93moving-average_model)""" ; d3f:synonym "Autoregressive moving average model" . d3f:Artifact a owl:Class, owl:NamedIndividual ; rdfs:label "Artifact" ; rdfs:subClassOf d3f:D3FENDCore ; d3f:definition "A man-made object taken as a whole." ; rdfs:seeAlso , . d3f:ArtifactServer a owl:Class ; rdfs:label "Artifact Server" ; rdfs:subClassOf d3f:WebServer ; d3f:definition "A digital artifact server provides access services to digital artifacts in a repository. It provides an associated set of data management, search and access methods allowing application-independent access to the content." ; rdfs:seeAlso , . d3f:ArtificialNeuralNetClassification a owl:Class, owl:NamedIndividual ; rdfs:label "Artificial Neural Network Classification" ; rdfs:subClassOf d3f:Classification ; d3f:d3fend-annotation "Classification ANNs seek to classify an observation as belonging to some discrete class as a function of the inputs. The input features (independent variables) can be categorical or numeric types, however, we require a categorical feature as the dependent variable." ; d3f:d3fend-id "D3A-ANNC" ; d3f:kb-article """## References ANN Classification. [Link](http://uc-r.github.io/ann_classification).""" . d3f:AssetInventory a d3f:AssetInventory, owl:Class, owl:NamedIndividual ; rdfs:label "Asset Inventory" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Model ] ; d3f:d3fend-id "D3-AI" ; d3f:definition "Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities." ; d3f:display-order 1 ; d3f:enables d3f:Model ; d3f:synonym "Asset Discovery", "Asset Inventorying" . d3f:AssetInventoryAgent a owl:Class, owl:NamedIndividual ; rdfs:label "Asset Inventory Agent" ; rdfs:subClassOf d3f:NetworkAgent ; d3f:definition "An asset inventory agent is a software tool which captures and transmits information about the devices on a network, including their hostnames, MAC addresses, software they may be running, etc." ; rdfs:seeAlso . d3f:AssetVulnerabilityEnumeration a d3f:AssetVulnerabilityEnumeration, owl:Class, owl:NamedIndividual ; rdfs:label "Asset Vulnerability Enumeration" ; rdfs:subClassOf d3f:AssetInventory, [ a owl:Restriction ; owl:onProperty d3f:evaluates ; owl:someValuesFrom d3f:PhysicalArtifact ], [ a owl:Restriction ; owl:onProperty d3f:evaluates ; owl:someValuesFrom d3f:Software ], [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:Vulnerability ] ; d3f:d3fend-id "D3-AVE" ; d3f:definition "Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities." ; d3f:evaluates d3f:PhysicalArtifact, d3f:Software ; d3f:identifies d3f:Vulnerability ; d3f:kb-reference d3f:Reference-AutomatedComputerVulnerabilityResolutionSystem, d3f:Reference-SecurityVulnerabilityInformationAggregation, d3f:Reference-SystemAndMethodForVulnerabilityRiskAssessment . d3f:AssignPrivilegesToGroupEvent a owl:Class ; rdfs:label "Assign Privileges to Group Event" ; rdfs:subClassOf d3f:GroupManagementEvent, d3f:PermissionGrantingEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:GroupCreationEvent ] ; d3f:definition "An event where specific privileges or rights are granted to a group, enabling its members to perform actions or access resources as defined by the privileges." . d3f:AssociationRuleLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Association Rule Learning" ; rdfs:subClassOf d3f:UnsupervisedLearning ; d3f:d3fend-id "D3A-ARL" ; d3f:definition "Association rule learning is a rule-based machine learning method for discovering interesting relations between variables in large databases." ; d3f:kb-article """## References Association rule learning. (n.d.). Wikipedia. [Link](https://en.wikipedia.org/wiki/Association_rule_learning)""" . d3f:AsymmetricFeature-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Asymmetric Feature-based Transfer Learning" ; rdfs:subClassOf d3f:HomogenousTransferLearning ; d3f:d3fend-id "D3A-AFTL" ; d3f:definition "Homogeneous (where the metrics are the same for both source and target) asymmetric transformation mapping transforms the source feature space to align with that of the target or the target to that of the source. This, in effect, bridges the feature space gap and reduces the problem into a homogeneous transfer problem when further distribution differences need to be corrected." ; d3f:kb-article """## References Day, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. Journal of Big Data, 4(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).""" . d3f:AsymmetricKey a owl:Class ; rdfs:label "Asymmetric Key" ; rdfs:subClassOf d3f:CryptographicKey ; d3f:definition "Asymmetric keys are public and private keys, paired such that asymmetric (public-key) cryptography algorithms can be implemented using them. Public-key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys that may be disseminated widely paired with private keys which are known only to the owner. There are two functions that can be achieved: using a public key to authenticate that a message originated with a holder of the paired private key; or encrypting a message with a public key to ensure that only the holder of the paired private key can decrypt it." ; rdfs:seeAlso . d3f:ATLASAIAttackStagingTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "AI Attack Staging Technique - ATLAS" ; skos:prefLabel "AI Attack Staging Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0001 ] ; d3f:enables d3f:AML.TA0001 . d3f:ATLASAIModelAccessTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "AI Model Access Technique - ATLAS" ; skos:prefLabel "AI Model Access Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0000 ] ; d3f:enables d3f:AML.TA0000 . d3f:ATLASCollectionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Collection Technique - ATLAS" ; skos:prefLabel "Collection Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0009 ] ; d3f:enables d3f:AML.TA0009 . d3f:ATLASCommandAndControlTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Command and Control Technique - ATLAS" ; skos:prefLabel "Command and Control Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0014 ] ; d3f:enables d3f:AML.TA0014 . d3f:ATLASCredentialAccessTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Credential Access Technique - ATLAS" ; skos:prefLabel "Credential Access Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0013 ] ; d3f:enables d3f:AML.TA0013 . d3f:ATLASDefenseEvasionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Defense Evasion Technique - ATLAS" ; skos:prefLabel "Defense Evasion Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0007 ] ; d3f:enables d3f:AML.TA0007 . d3f:ATLASDiscoveryTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Discovery Technique - ATLAS" ; skos:prefLabel "Discovery Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0008 ] ; d3f:enables d3f:AML.TA0008 . d3f:ATLASExecutionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Execution Technique - ATLAS" ; skos:prefLabel "Execution Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0005 ] ; d3f:enables d3f:AML.TA0005 . d3f:ATLASExfiltrationTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Exfiltration Technique - ATLAS" ; skos:prefLabel "Exfiltration Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0010 ] ; d3f:enables d3f:AML.TA0010 . d3f:ATLASImpactTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Impact Technique - ATLAS" ; skos:prefLabel "Impact Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0011 ] ; d3f:enables d3f:AML.TA0011 . d3f:ATLASInitialAccessTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Initial Access Technique - ATLAS" ; skos:prefLabel "Initial Access Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0004 ] ; d3f:enables d3f:AML.TA0004 . d3f:ATLASLateralMovementTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Lateral Movement Technique - ATLAS" ; skos:prefLabel "Lateral Movement Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0015 ] ; d3f:enables d3f:AML.TA0015 . d3f:ATLASPersistenceTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Persistence Technique - ATLAS" ; skos:prefLabel "Persistence Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0006 ] ; d3f:enables d3f:AML.TA0006 . d3f:ATLASPrivilegeEscalationTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Privilege Escalation Technique - ATLAS" ; skos:prefLabel "Privilege Escalation Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0012 ] ; d3f:enables d3f:AML.TA0012 . d3f:ATLASReconnaissanceTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Reconnaissance Technique - ATLAS" ; skos:prefLabel "Reconnaissance Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0002 ] ; d3f:enables d3f:AML.TA0002 . d3f:ATLASResourceDevelopmentTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Resource Development Technique - ATLAS" ; skos:prefLabel "Resource Development Technique" ; rdfs:subClassOf d3f:ATLASTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:AML.TA0003 ] ; d3f:enables d3f:AML.TA0003 . d3f:ATLASTactic a owl:Class ; rdfs:label "ATLAS Tactic" ; rdfs:subClassOf d3f:ATLASThing ; d3f:definition "An ATLAS Tactic is a categorical classification of techniques within the MITRE ATLAS™ framework, representing adversarial goals particular to artificial intelligence systems. It also adapts MITRE ATT&CK® Enterprise Matrix tactics by integrating machine learning concepts, thus capturing the unique motives behind actions in AI-specific operations." ; rdfs:seeAlso . d3f:ATLASTechnique a owl:Class ; rdfs:label "ATLAS Technique" ; rdfs:subClassOf d3f:ATLASThing ; d3f:definition "An ATLAS Technique is an action conducted by adversaries to accomplish tactical goals within the context of artificial intelligence systems. These techniques articulate both 'how' adversaries execute these actions to reach their objectives and 'what' outcomes are achieved from these maneuvers." ; rdfs:seeAlso . d3f:ATLASThing a owl:Class ; rdfs:label "ATLAS Thing" ; rdfs:subClassOf d3f:ExternalThreatModelThing . d3f:AtomicClock a owl:Class ; rdfs:label "Atomic Clock" ; rdfs:subClassOf d3f:HardwareClock ; rdfs:isDefinedBy ; d3f:definition "An atomic clock is a clock that measures time by monitoring the resonant frequency of atoms." . d3f:ATTACKEnterpriseDataSource a owl:Class ; rdfs:label "ATTACK Enterprise Data Source" ; rdfs:subClassOf d3f:ATTACKEnterpriseThing . d3f:ATTACKEnterpriseMitigation a owl:Class ; rdfs:label "ATTACK Enterprise Mitigation" ; rdfs:subClassOf d3f:ATTACKEnterpriseThing, [ a owl:Restriction ; owl:onProperty d3f:d3fend-comment ; owl:someValuesFrom xsd:string ], [ a owl:Restriction ; owl:onProperty d3f:semantic-relation ; owl:someValuesFrom d3f:DefensiveTechnique ] . d3f:ATTACKEnterpriseTactic a owl:Class ; rdfs:label "ATTACK Enterprise Tactic" ; rdfs:subClassOf d3f:ATTACKEnterpriseThing . d3f:ATTACKEnterpriseTechnique a owl:Class ; rdfs:label "ATTACK Enterprise Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseThing . d3f:ATTACKEnterpriseThing a owl:Class ; rdfs:label "ATTACK Enterprise Thing" ; rdfs:subClassOf d3f:ATTACKThing . d3f:Attacker a owl:Class ; rdfs:label "Attacker" ; rdfs:subClassOf d3f:Agent ; d3f:definition "An agent that attempts to exploit vulnerabilities to gain unauthorized access to data or systems." . d3f:ATTACKICSCollectionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Collection Technique - ATTACK ICS" ; skos:prefLabel "Collection Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0100 ] ; d3f:enables d3f:TA0100 . d3f:ATTACKICSCommandAndControlTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Command and Control Technique - ATTACK ICS" ; skos:prefLabel "Command and Control Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0101 ] ; d3f:enables d3f:TA0101 . d3f:ATTACKICSDiscoveryTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Discovery Technique - ATTACK ICS" ; skos:prefLabel "Discovery Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0102 ] ; d3f:enables d3f:TA0102 . d3f:ATTACKICSEvasionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Evasion Technique - ATTACK ICS" ; skos:prefLabel "Evasion Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0103 ] ; d3f:enables d3f:TA0103 . d3f:ATTACKICSExecutionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Execution Technique - ATTACK ICS" ; skos:prefLabel "Execution Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0104 ] ; d3f:enables d3f:TA0104 . d3f:ATTACKICSImpactTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Impact Technique - ATTACK ICS" ; skos:prefLabel "Impact Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0105 ] ; d3f:enables d3f:TA0105 . d3f:ATTACKICSImpairProcessControlTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Impair Process Control Technique - ATTACK ICS" ; skos:prefLabel "Impair Process Control Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0106 ] ; d3f:definition "The adversary is trying to manipulate, disable, or damage physical control processes." ; d3f:enables d3f:TA0106 . d3f:ATTACKICSInhibitResponseFunctionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Inhibit Response Function Technique - ATTACK ICS" ; skos:prefLabel "Inhibit Response Function Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0107 ] ; d3f:definition "The adversary is trying to prevent your safety, protection, quality assurance, and operator intervention functions from responding to a failure, hazard, or unsafe state." ; d3f:enables d3f:TA0107 . d3f:ATTACKICSInitialAccessTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Initial Access Technique - ATTACK ICS" ; skos:prefLabel "Initial Access Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0108 ] ; d3f:enables d3f:TA0108 . d3f:ATTACKICSLateralMovementTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Lateral Movement Technique - ATTACK ICS" ; skos:prefLabel "Lateral Movement Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0109 ] ; d3f:enables d3f:TA0109 . d3f:ATTACKICSPersistenceTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Persistence Technique - ATTACK ICS" ; skos:prefLabel "Persistence Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0110 ] ; d3f:enables d3f:TA0110 . d3f:ATTACKICSPrivilegeEscalationTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Privilege Escalation Technique - ATTACK ICS" ; skos:prefLabel "Privilege Escalation Technique" ; rdfs:subClassOf d3f:ATTACKICSTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0111 ] ; d3f:enables d3f:TA0111 . d3f:ATTACKICSTactic a owl:Class ; rdfs:label "ATTACK ICS Tactic" ; rdfs:subClassOf d3f:ATTACKICSThing . d3f:ATTACKICSTechnique a owl:Class ; rdfs:label "ATTACK ICS Technique" ; rdfs:subClassOf d3f:ATTACKICSThing . d3f:ATTACKICSThing a owl:Class ; rdfs:label "ATTACK ICS Thing" ; rdfs:subClassOf d3f:ATTACKThing . d3f:ATTACKMergedThing a owl:Class ; rdfs:label "ATTACK Merged Thing" ; rdfs:subClassOf d3f:ATTACKThing . d3f:ATTACKMobileCollectionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Collection Technique - ATTACK Mobile" ; skos:prefLabel "Collection Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0035 ] ; d3f:enables d3f:TA0035 . d3f:ATTACKMobileCommandAndControlTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Command and Control Technique - ATTACK Mobile" ; skos:prefLabel "Command and Control Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0037 ] ; d3f:enables d3f:TA0037 . d3f:ATTACKMobileCredentialAccessTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Credential Access Technique - ATTACK Mobile" ; skos:prefLabel "Credential Access Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0031 ] ; d3f:enables d3f:TA0031 . d3f:ATTACKMobileDefenseEvasionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Defense Evasion Technique - ATTACK Mobile" ; skos:prefLabel "Defense Evasion Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0030 ] ; d3f:enables d3f:TA0030 . d3f:ATTACKMobileDiscoveryTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Discovery Technique - ATTACK Mobile" ; skos:prefLabel "Discovery Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0032 ] ; d3f:enables d3f:TA0032 . d3f:ATTACKMobileExecutionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Execution Technique - ATTACK Mobile" ; skos:prefLabel "Execution Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0041 ] ; d3f:enables d3f:TA0041 . d3f:ATTACKMobileExfiltrationTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Exfiltration Technique - ATTACK Mobile" ; skos:prefLabel "Exfiltration Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0036 ] ; d3f:enables d3f:TA0036 . d3f:ATTACKMobileImpactTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Impact Technique - ATTACK Mobile" ; skos:prefLabel "Impact Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0034 ] ; d3f:enables d3f:TA0034 . d3f:ATTACKMobileInitialAccessTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Initial Access Technique - ATTACK Mobile" ; skos:prefLabel "Initial Access Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0027 ] ; d3f:enables d3f:TA0027 . d3f:ATTACKMobileLateralMovementTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Lateral Movement Technique - ATTACK Mobile" ; skos:prefLabel "Lateral Movement Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0033 ] ; d3f:enables d3f:TA0033 . d3f:ATTACKMobilePersistenceTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Persistence Technique - ATTACK Mobile" ; skos:prefLabel "Persistence Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0028 ] ; d3f:enables d3f:TA0028 . d3f:ATTACKMobilePrivilegeEscalationTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Privilege Escalation Technique - ATTACK Mobile" ; skos:prefLabel "Privilege Escalation Technique" ; rdfs:subClassOf d3f:ATTACKMobileTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0029 ] ; d3f:enables d3f:TA0029 . d3f:ATTACKMobileTactic a owl:Class ; rdfs:label "ATTACK Mobile Tactic" ; rdfs:subClassOf d3f:ATTACKMobileThing . d3f:ATTACKMobileTechnique a owl:Class ; rdfs:label "ATTACK Mobile Technique" ; rdfs:subClassOf d3f:ATTACKMobileThing . d3f:ATTACKMobileThing a owl:Class ; rdfs:label "ATTACK Mobile Thing" ; rdfs:subClassOf d3f:ATTACKThing . d3f:ATTACKThing a owl:Class ; rdfs:label "ATTACK Thing" ; rdfs:subClassOf d3f:ExternalThreatModelThing ; d3f:definition "ATTACK things are concepts defined in the ATT&CK Framework." . d3f:AudioInputDevice a owl:Class, owl:NamedIndividual ; rdfs:label "Audio Input Device" ; rdfs:subClassOf d3f:InputDevice ; rdfs:isDefinedBy ; d3f:definition "Audio input devices allow a user to send audio info to a computer for processing, recording, or carrying out commands. Devices such as microphones allow users to speak to the computer in order to record a voice message or navigate software. Aside from recording, audio input devices are also used with speech recognition software." . d3f:AuthenticateUser a owl:Class, owl:NamedIndividual ; rdfs:label "Authenticate User" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:UserAccount ] ; d3f:authenticates d3f:UserAccount . d3f:Authentication a owl:Class, owl:NamedIndividual ; rdfs:label "Authentication" ; rdfs:subClassOf d3f:DefensiveAction, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:User ], [ a owl:Restriction ; owl:onProperty d3f:may-create ; owl:someValuesFrom d3f:IntranetNetworkTraffic ], [ a owl:Restriction ; owl:onProperty d3f:originates-from ; owl:someValuesFrom d3f:PhysicalLocation ] ; d3f:definition "A request-response comprising a user credential presentation to a system and a verification response." ; rdfs:seeAlso , . d3f:AuthenticationCacheInvalidation a d3f:AuthenticationCacheInvalidation, owl:Class, owl:NamedIndividual ; rdfs:label "Authentication Cache Invalidation" ; rdfs:subClassOf d3f:CredentialEviction, [ a owl:Restriction ; owl:onProperty d3f:deletes ; owl:someValuesFrom d3f:Credential ] ; d3f:d3fend-id "D3-ANCI" ; d3f:definition "Removing tokens or credentials from an authentication cache to prevent further user associated account accesses." ; d3f:deletes d3f:Credential ; d3f:kb-article """## How it works Applications can locally cache user authentication credentials for certain server connections. An application may attempt to use the cached credential for a connection. If the cached credentials exist then the user will not be typically prompted for new credentials. ## Considerations Are these cached credentials only on the local host? Can they be persisted to the remote server? ## Examples Windows Credential Management API""" ; d3f:kb-reference d3f:Reference-SecureCachingOfServerCredentials_DellProductsLP, d3f:Reference-SystemAndMethodForProvidingAnActivelyInvalidatedClient-sideNetworkResourceCache_IMVU . d3f:AuthenticationEvent a owl:Class ; rdfs:label "Authentication Event" ; skos:altLabel "Agent Authentication Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:caused-by ; owl:someValuesFrom d3f:Authentication ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Agent ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Credential ] ; d3f:definition "An event capturing the systematic process of verifying an agent's identity within a system, involving credential validation and identity confirmation." ; rdfs:seeAlso . d3f:AuthenticationEventThresholding a d3f:AuthenticationEventThresholding, owl:Class, owl:NamedIndividual ; rdfs:label "Authentication Event Thresholding" ; rdfs:subClassOf d3f:UserBehaviorAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Authentication ] ; d3f:analyzes d3f:Authentication ; d3f:created "2020-08-05T00:00:00"^^xsd:dateTime ; d3f:d3fend-id "D3-ANET" ; d3f:definition "Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile." ; d3f:kb-article """## How it works Authentication event data is collected (logon information such as device id, time of day, day of week, geo-location, etc.) to create an activity baseline. Then, a threshold is determined either through a manually specified configuration, or a statistical analysis of deviations in historical data. New authentication events are evaluated to determine if a threshold is exceeded. Thresholds can be static or dynamic. ### Actions As a result of the analysis, actions taken could include: * [Account Locking](/technique/d3f:AccountLocking) * Raising an alert ### Example data sources * Directory server logs * VPN Server logs * IDAM Capability logs * NAC logs * Authentication client logs * Kerberos network traffic * LDAP network traffic ## Considerations This technique covers statistical outliers. Though depending on the complexity or dimensionality of the data considered, outliers may not be obvious to a human analyst reviewing events in simplistic analytic views. If the malicious activity is not statistically different from benign activity, an alert threshold will not be met.""" ; d3f:kb-reference d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC, d3f:Reference-SimultaneousLoginsOnAHost_MITRE, d3f:Reference-UserLoggedInToMultipleHosts_MITRE, d3f:Reference-UserLoginActivityMonitoring_MITRE, . d3f:AuthenticationFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Authentication Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:UserAccount ] ; d3f:authenticates d3f:UserAccount ; d3f:definition "Authenticates a user account by verifying a presented credential." . d3f:AuthenticationLog a owl:Class, owl:NamedIndividual ; rdfs:label "Authentication Log" ; rdfs:subClassOf d3f:EventLog, [ a owl:Restriction ; owl:onProperty d3f:records ; owl:someValuesFrom d3f:Authentication ] ; d3f:definition "A log of authentication events." ; d3f:records d3f:Authentication ; rdfs:seeAlso , . d3f:AuthenticationServer a owl:Class, owl:NamedIndividual ; rdfs:label "Authentication Server" ; rdfs:subClassOf d3f:Server, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:AuthenticationServiceApplication ], [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:AuthenticationService ] ; rdfs:isDefinedBy ; d3f:contains d3f:AuthenticationServiceApplication ; d3f:definition "An authentication server provides a network service that applications use to authenticate the credentials, usually account names and passwords, of their users. When a client submits a valid set of credentials, it receives a cryptographic ticket that it can subsequently use to access various services. Major authentication algorithms include passwords, Kerberos, and public key encryption." ; d3f:manages d3f:AuthenticationService . d3f:AuthenticationService a owl:Class, owl:NamedIndividual ; rdfs:label "Authentication Service" ; rdfs:subClassOf d3f:ServiceApplicationProcess, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:Host ] ; rdfs:isDefinedBy ; d3f:authenticates d3f:Host ; d3f:definition "An authentication service is a mechanism, analogous to the use of passwords on time-sharing systems, for the secure authentication of the identity of network clients by servers and vice versa, without presuming the operating system integrity of either (e.g., Kerberos)." ; rdfs:seeAlso . d3f:AuthenticationServiceApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Authentication Service Application" ; rdfs:subClassOf d3f:ServiceApplication, [ a owl:Restriction ; owl:onProperty d3f:instructs ; owl:someValuesFrom d3f:AuthenticationService ] ; d3f:definition "A software application designed to verify the identity of users or devices." ; d3f:instructs d3f:AuthenticationService . d3f:Authorization a owl:Class, owl:NamedIndividual ; rdfs:label "Authorization" ; rdfs:subClassOf d3f:DefensiveAction, [ a owl:Restriction ; owl:onProperty d3f:authorizes ; owl:someValuesFrom d3f:Access ] ; rdfs:isDefinedBy ; d3f:definition "Authorization is the function of specifying access rights to resources related to information security and computer security in general and to access control in particular. More formally, \"to authorize\" is to define an access policy. For example, human resources staff is normally authorized to access employee records and this policy is usually formalized as access control rules in a computer system. During operation, the system uses the access control rules to decide whether access requests from (authenticated) consumers shall be approved (granted) or disapproved (rejected). Resources include individual files or an item's data, computer programs, computer devices and functionality provided by computer applications. Examples of consumers are computer users, computer program" . d3f:AuthorizationEvent a owl:Class ; rdfs:label "Authorization Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:caused-by ; owl:someValuesFrom d3f:Authorization ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Agent ] ; d3f:definition "An event reflecting the decision-making process and actions concerning access control, recording whether agents are permitted or denied access to resources based on pre-defined access control policies." ; rdfs:seeAlso . d3f:AuthorizationEventThresholding a d3f:AuthorizationEventThresholding, owl:Class, owl:NamedIndividual ; rdfs:label "Authorization Event Thresholding" ; rdfs:subClassOf d3f:UserBehaviorAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Authorization ] ; d3f:analyzes d3f:Authorization ; d3f:created "2020-08-05T00:00:00"^^xsd:dateTime ; d3f:d3fend-id "D3-AZET" ; d3f:definition "Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile." ; d3f:kb-article """## How it works Authorization event data is collected to create a baseline user profile. Authorization events that deviate from the baseline and exceed a static or dynamic threshold are identified for further action. Authorization events can include successful and failed authorization attempts as well as events related to permissions including viewing, editing, deleting, creating files, databases etc. ## Considerations Depending on the complexity of the data considered, outliers may not be obvious to a human analyst reviewing events in simplistic analytic views. If malicious activity is not statistically different from benign activity, an alert threshold will not be met.""" ; d3f:kb-reference d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC, d3f:Reference-SMBSessionSetups_MITRE, d3f:Reference-UserLoggedInToMultipleHosts_MITRE, . d3f:AuthorizationLog a owl:Class, owl:NamedIndividual ; rdfs:label "Authorization Log" ; rdfs:subClassOf d3f:EventLog, [ a owl:Restriction ; owl:onProperty d3f:records ; owl:someValuesFrom d3f:NetworkResourceAccess ] ; d3f:definition "A log of authorization events." ; d3f:records d3f:NetworkResourceAccess ; rdfs:seeAlso , . d3f:AuthorizationService a owl:Class ; rdfs:label "Authorization Service" ; rdfs:subClassOf d3f:NetworkService, d3f:ServiceApplicationProcess ; rdfs:isDefinedBy ; d3f:definition "An authorization service ensures that the user is authorized to have access to a particular resource. Authorization can be done through role-based access control (RBAC) or list-based access control (LBAC)." ; rdfs:seeAlso . d3f:Autoencoding a owl:Class, owl:NamedIndividual ; rdfs:label "Autoencoding" ; rdfs:subClassOf d3f:DimensionReduction ; d3f:d3fend-id "D3A-AUT" ; d3f:definition "Autoencoders are specific type of deep learning architecture used for learning representation of data, typically for the purpose of dimensionality reduction. This is achieved by designing deep learning architecture that aims that copying input layer at its output layer." ; d3f:kb-article """## References SOCR. (n.d.). ABIDE Autoencoder. [Link](https://socr.umich.edu/HTML5/ABIDE_Autoencoder/#:~:text=In%20simple%20words%2C%20autoencoders%20are,layer%20at%20its%20output%20layer.)""" . d3f:AutoregressiveModel a owl:Class, owl:NamedIndividual ; rdfs:label "Autoregressive Model" ; rdfs:subClassOf d3f:TimeSeriesAnalysis ; d3f:d3fend-id "D3A-AM" ; d3f:definition "An autoregressive (AR) model is a representation of a type of random process; as such, it is used to describe certain time-varying processes in nature, economics, behavior, etc." ; d3f:kb-article """## References Wikipedia. (n.d.). Autoregressive model. [Link](https://en.wikipedia.org/wiki/Autoregressive_model)""" ; d3f:synonym "AR Model" . d3f:AverageAbsoluteDeviation a owl:Class, owl:NamedIndividual ; rdfs:label "Average Absolute Deviation" ; rdfs:subClassOf d3f:Variability ; d3f:d3fend-id "D3A-AAD" ; d3f:definition "The average absolute deviation (AAD) of a data set is the average of the absolute deviations from a central point." ; d3f:kb-article """## References Wikipedia. (n.d.). Average absolute deviation. [Link](https://en.wikipedia.org/wiki/Average_absolute_deviation)""" . d3f:BarcodeScannerInputDevice a owl:Class ; rdfs:label "Barcode Scanner Input Device" ; skos:altLabel "Barcode Reader" ; rdfs:subClassOf d3f:ImageScannerInputDevice ; rdfs:isDefinedBy ; d3f:definition "A barcode reader (or barcode scanner) is an optical scanner that can read printed barcodes, decode the data contained in the barcode and send the data to a computer. Like a flatbed scanner, it consists of a light source, a lens and a light sensor translating for optical impulses into electrical signals. Additionally, nearly all barcode readers contain decoder circuitry that can analyze the barcode's image data provided by the sensor and sending the barcode's content to the scanner's output port." . d3f:BayesianEstimation a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Estimation" ; rdfs:subClassOf d3f:BayesianMethod ; d3f:d3fend-id "D3A-BE" ; d3f:definition "A Bayes estimator or a Bayes action is an estimator or decision rule that minimizes the posterior expected value of a loss function (i.e., the posterior expected loss)." ; d3f:kb-article """## References Wikipedia. (n.d.). Bayes estimator. [Link](https://en.wikipedia.org/wiki/Bayes_estimator)""" . d3f:BayesianHypothesisTesting a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Hypothesis Testing" ; rdfs:subClassOf d3f:BayesianMethod ; d3f:d3fend-id "D3A-BHT" ; d3f:definition "Bayesian hypothesis testing can be framed as a special case of model comparison where a model refers to a likelihood function and a prior distribution." ; d3f:kb-article """## How it works Given two competing hypotheses and some relevant data, Bayesian hypothesis testing begins by specifying separate prior distributions to quantitatively describe each hypothesis. The combination of the likelihood function for the observed data with each of the prior distributions yields hypothesis-specific models. For each of the hypothesis-specific models, averaging (ie, integrating) the likelihood with respect to the prior distribution across the entire parameter space yields the probability of the data under the model and, therefore, the corresponding hypothesis. This quantity is more commonly referred to as the marginal likelihood and represents the average fit of the model to the data. The ratio of the marginal likelihoods for both hypothesis-specific models is known as the Bayes factor. ## References Baig, S. A., PhD. (2020). Bayesian Inference: An Introduction to Hypothesis Testing Using Bayes Factors. Nicotine & Tobacco Research, 22(7), 1244-1246. [Link](https://academic.oup.com/ntr/article/22/7/1244/5613971)""" . d3f:BayesianLinearRegression a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Linear Regression" ; rdfs:subClassOf d3f:RegressionAnalysis ; d3f:d3fend-id "D3A-BLR" ; d3f:definition "Bayesian linear regression is a type of conditional modeling in which the mean of one variable is described by a linear combination of other variables, with the goal of obtaining the posterior probability of the regression coefficients." ; d3f:kb-article """## References Wikipedia. (n.d.). Bayesian linear regression. [Link](https://en.wikipedia.org/wiki/Bayesian_linear_regression)""" . d3f:BayesianLinearRegressionLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Linear Regression Learning" ; rdfs:subClassOf d3f:RegressionAnalysisLearning ; d3f:d3fend-id "D3A-BLRL" ; d3f:definition "A supervised learning method that builds a Bayesian linear regression model using training data." ; d3f:kb-article """## References Wikipedia. (n.d.). Bayesian linear regression. [Link](https://en.wikipedia.org/wiki/Bayesian_linear_regression)""" ; rdfs:seeAlso d3f:BayesianLinearRegression . d3f:BayesianMethod a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Method" ; rdfs:subClassOf d3f:StatisticalMethod ; d3f:d3fend-id "D3A-BM" ; d3f:definition "Bayesian analysis is a statistical procedure which endeavors to estimate parameters of an underlying distribution based on the observed distribution." ; d3f:kb-article """## References Wolfram MathWorld. (n.d.). Bayesian Analysis. [Link](https://mathworld.wolfram.com/BayesianAnalysis.html)""" . d3f:BayesianModelAveraging a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Model Averaging" ; rdfs:subClassOf d3f:EnsembleLearning ; d3f:d3fend-id "D3A-BMA" ; d3f:definition "A parameter estimate (or a prediction of new observations) obtained by averaging the estimates (or predictions) of the different models under consideration, each weighted by its model probability." ; d3f:kb-article """## References Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning). Bayesian model average: A parameter estimation approach to model agnostic ensemble learning. (2019). Journal of Machine Learning for Modeling and Computing, 1(2), 61-70. [Link](https://journals.sagepub.com/doi/full/10.1177/2515245919898657#:~:text=Bayesian%20model%20average%3A%20A%20parameter,weighted%20by%20its%20model%20probability).""" . d3f:BayesianModelCombination a owl:Class, owl:NamedIndividual ; rdfs:label "Bayesian Model Combination" ; rdfs:subClassOf d3f:EnsembleLearning ; d3f:d3fend-id "D3A-BMC" ; d3f:definition "Bayesian model combination (BMC) is an algorithmic correction to Bayesian model averaging (BMA). Instead of sampling each model in the ensemble individually, it samples from the space of possible ensembles (with model weights drawn randomly from a Dirichlet distribution having uniform parameters)" ; d3f:kb-article """## References Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning). Shultz, K. M., & Peterson, L. E. (2011). Model-averaged confidence intervals for ensemble learning. In *International Joint Conference on Neural Networks* (pp. 2677-2684). [Link](https://axon.cs.byu.edu/papers/Kristine.ijcnn2011.pdf).""" . d3f:BayesOptimalClassifier a owl:Class, owl:NamedIndividual ; rdfs:label "Bayes Optimal Classifier" ; rdfs:subClassOf d3f:EnsembleLearning ; d3f:d3fend-id "D3A-BOC" ; d3f:definition "A probabilistic model that makes the most probable prediction for a new example." ; d3f:kb-article """## References Bayes Optimal Classifier. Machine Learning Mastery. [Link](https://machinelearningmastery.com/bayes-optimal-classifier/). Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning).""" . d3f:BERT a owl:Class, owl:NamedIndividual ; rdfs:label "BERT" ; rdfs:subClassOf d3f:Transformer-basedLearning ; d3f:d3fend-id "D3A-BER" ; d3f:definition "Bidirectional Encoder Representations from Transformers (BERT) is based on a deep learning model in which every output element is connected to every input element, and the weightings between them are dynamically calculated based upon their connection." ; d3f:kb-article """## References BERT (language model). (n.d.). In TechTarget. [Link](https://www.techtarget.com/searchenterpriseai/definition/BERT-language-model) BERT (language model). (n.d.). In Wikipedia. [Link](https://en.wikipedia.org/wiki/BERT_(language_model))""" ; d3f:synonym "Bidirectional Encoder Representations from Transformers" . d3f:BinaryClassification a owl:Class ; rdfs:label "Binary Classification" ; rdfs:subClassOf d3f:Classifying . d3f:BinaryLargeObject a owl:Class ; rdfs:label "Binary Large Object" ; skos:altLabel "BLOB", "Blob" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A binary large object (BLOB) is a collection of binary data stored as a single entity. Blobs are typically images, audio or other multimedia objects, though sometimes binary executable code is stored as a blob." . d3f:BinarySegment a owl:Class ; rdfs:label "Binary Segment" ; rdfs:subClassOf d3f:DigitalInformationBearer ; d3f:definition "A binary segment is a partition of binary information within a larger binary object, which arranges a set of binary objects for its purpose. For example, code, data, heap, and stack segments are segments of the binary information used by a process. Code and data segments are also found in object files." . d3f:BiometricAuthentication a d3f:BiometricAuthentication, owl:Class, owl:NamedIndividual ; rdfs:label "Biometric Authentication" ; rdfs:subClassOf d3f:AgentAuthentication, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:Person ] ; d3f:authenticates d3f:Person ; d3f:d3fend-id "D3-BAN" ; d3f:definition "Using biological measures in order to authenticate a user." ; d3f:kb-reference d3f:Reference-TokenlessBiometricTransactionAuthorizationMethodAndSystem, d3f:Reference-www.biometric-solutions.com_keystroke-dynamics . d3f:BitmapImage a owl:Class, owl:NamedIndividual ; rdfs:label "Bitmap Image" ; rdfs:subClassOf d3f:DigitalImage ; d3f:definition "A graphical image whose data is stored in a grid format." . d3f:BitmapImageFile a owl:Class, owl:NamedIndividual ; rdfs:label "Bitmap Image File" ; rdfs:subClassOf d3f:ImageFile, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:BitmapImage ] ; d3f:contains d3f:BitmapImage ; d3f:definition "A file that contains graphics data represented in a bitmap." . d3f:BlockDevice a owl:Class, owl:NamedIndividual ; rdfs:label "Block Device" ; skos:altLabel "Block Special File" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:BootSector ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Partition ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:PartitionTable ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:Volume ] ; rdfs:isDefinedBy ; d3f:contains d3f:BootSector, d3f:Partition, d3f:PartitionTable ; d3f:definition """A block device (or block special file) provides buffered access to hardware devices, and provides some abstraction from their specifics. IEEE Std 1003.1-2017: A file that refers to a device. A block special file is normally distinguished from a character special file by providing access to the device in a manner such that the hardware characteristics of the device are not visible.""" ; d3f:may-contain d3f:Volume ; rdfs:seeAlso . d3f:BookReference a owl:Class ; rdfs:label "Book Reference" ; rdfs:subClassOf d3f:TechniqueReference ; d3f:pref-label "Book" . d3f:BooleanExpressionMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Boolean Expression Matching" ; rdfs:subClassOf d3f:LogicalRules ; d3f:d3fend-id "D3A-BEM" ; d3f:definition "Boolean expression matching produces a Boolean truth value for a given boolean expression and assignment of values to variables in the expression." ; d3f:kb-article """## How it works A Boolean expression is an expression used in programming languages that produces a Boolean value when evaluated. A Boolean value is either true or false. A Boolean expression may be composed of a combination of the Boolean constants true or false, Boolean-typed variables, Boolean-valued operators, and Boolean-valued functions. Boolean expressions correspond to propositional formulas in logic and are a special case of Boolean circuits. ## References 1. Boolean expression. (2022, April 25). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Boolean_expression) 2. Boolean algebra. (2022, May 19). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Boolean_expression)""" . d3f:Boosting a owl:Class, owl:NamedIndividual ; rdfs:label "Boosting" ; rdfs:subClassOf d3f:EnsembleLearning ; d3f:d3fend-id "D3A-BOO" ; d3f:definition "Boosting is a sequential process where each subsequent model attempts to correct the errors of the previous model" ; d3f:kb-article """## How it works Boosting consists of using sequentially weak learners where each iteration’s training focuses on previously misclassified instances in order to improve on the previous iteration. This process is continued iteratively until the final prediction is made by aggregating the previous predictions. ## Considerations Boosting can be computationally expensive, prone to overfitting, and slower to train compared to other ensemble methods. There are three main types of Boosting algorithms - Adaptive Boosting Adaptive Boosting (sometimes called AdaBoost) works by adding equal importance to each piece of a dataset and running it through the base learning algorithms. Every algorithm that errors, the boosting algorithm assigns a higher importance to. This continues until an acceptable level of confidence is reached. - Gradient Boosting Gradient Boosting starts by training multiple models simultaneously to gather a strong estimate of strength to build new base learning algorithms. - XGBoosting XGBoosting is a scalable tree boosting model. Using decision trees, weight is assigned to each variable and put into a decision tree. Outputs that are classified by the algorithm as wrong or weak are put into a second decision tree and the results form a stronger model. ## References Sciencedirect. (n.d.). Semi-supervised learning: An overview. [Link](https://www.sciencedirect.com/science/article/pii/S1319157823000228)""" . d3f:BootLoader a owl:Class, owl:NamedIndividual ; rdfs:label "Boot Loader" ; skos:altLabel "Bootloader" ; rdfs:subClassOf d3f:Software ; rdfs:isDefinedBy ; d3f:definition "A bootloader is software that is responsible for booting a computer. When a computer is turned off, its software‍-‌including operating systems, application code, and data‍-‌remains stored on non-volatile memory. When the computer is powered on, it typically does not have an operating system or its loader in random-access memory (RAM). The computer first executes a relatively small program stored in read-only memory (ROM, and later EEPROM, NOR flash) along with some needed data, to initialize RAM (especially on x86 systems) to access the nonvolatile device (usually block device, eg NAND flash) or devices from which the operating system programs and data can be loaded into RAM." . d3f:BootloaderAuthentication a d3f:BootloaderAuthentication, owl:Class, owl:NamedIndividual ; rdfs:label "Bootloader Authentication" ; rdfs:subClassOf d3f:PlatformHardening, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:BootLoader ] ; d3f:authenticates d3f:BootLoader ; d3f:d3fend-id "D3-BA" ; d3f:definition "Cryptographically authenticating the bootloader software before system boot." ; d3f:kb-reference d3f:Reference-UEFIPlatformInitialization-Specification ; d3f:synonym "Secure Boot" . d3f:BootRecord a owl:Class, owl:NamedIndividual ; rdfs:label "Boot Record" ; rdfs:subClassOf d3f:Record ; d3f:definition "A d3f:Record which is an essential component of the early boot (system initialization) process." . d3f:BootROM a owl:Class, owl:NamedIndividual ; rdfs:label "Boot ROM" ; rdfs:subClassOf d3f:ROM, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:First-stageBootLoader ] ; rdfs:isDefinedBy ; d3f:contains d3f:First-stageBootLoader ; d3f:definition "Boot ROM is a piece of read-only memory (ROM) that is used for booting a computer system. It contains instructions that are run after the CPU is reset to the reset vector, and it typically loads a bootloader." ; d3f:synonym "Boot Read-only Memory" . d3f:BootSector a owl:Class, owl:NamedIndividual ; rdfs:label "Boot Sector" ; rdfs:subClassOf d3f:BootRecord ; d3f:definition "A boot record [boot sector] is the sector of a persistent data storage device (e.g., hard disk, floppy disk, optical disc, etc.) which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware (e.g., the BIOS, Das U-Boot, etc.)." ; rdfs:seeAlso . d3f:BootstrapAggregating a owl:Class, owl:NamedIndividual ; rdfs:label "Bootstrap Aggregating" ; rdfs:subClassOf d3f:ResamplingEnsemble ; d3f:d3fend-id "D3A-BA" ; d3f:definition "Bootstrap aggregating, also called bagging (from bootstrap aggregating), is a machine learning ensemble meta-algorithm designed to improve the stability and accuracy of machine learning algorithms used in statistical classification and regression. It also reduces variance and helps to avoid overfitting. Although it is usually applied to decision tree methods, it can be used with any type of method. Bagging is a special case of the model averaging approach." ; d3f:kb-article """## References Bootstrap aggregating. Wikipedia. [Link](https://en.wikipedia.org/wiki/Bootstrap_aggregating).""" . d3f:BroadcastDomainIsolation a d3f:BroadcastDomainIsolation, owl:Class, owl:NamedIndividual ; rdfs:label "Broadcast Domain Isolation" ; rdfs:subClassOf d3f:NetworkIsolation, [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:LocalAreaNetworkTraffic ] ; d3f:d3fend-id "D3-BDI" ; d3f:definition "Broadcast isolation restricts the number of computers a host can contact on their LAN." ; d3f:filters d3f:LocalAreaNetworkTraffic ; d3f:kb-article """## How it works Software Defined Networking, or other network encapsulation technologies intercept host broadcast traffic then route it to a specified destination per a configured policy. This can be implemented within hypervisors, networking hardware (WAPs, switches, routers), or virutal hardware. ## Considerations This technique is highly dependent on network infrastructure and networking requirements.""" ; d3f:kb-reference d3f:Reference-BroadcastIsolationAndLevel3NetworkSwitch_HewlettPackardEnterpriseDevelopmentLP, d3f:Reference-PrivateVirtualLocalAreaNetworkIsolation_CiscoTechnologyInc ; d3f:synonym "Network Segmentation" . d3f:Browser a owl:Class, owl:NamedIndividual ; rdfs:label "Browser" ; rdfs:subClassOf d3f:UserApplication, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:BrowserExtension ] ; rdfs:isDefinedBy ; d3f:definition "A web browser (commonly referred to as a browser) is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier (URI/URL) and may be a web page, image, video or other piece of content. Hyperlinks present in resources enable users easily to navigate their browsers to related resources. Although browsers are primarily intended to use the World Wide Web, they can also be used to access information provided by web servers in private networks or files in file systems." ; d3f:may-contain d3f:BrowserExtension ; rdfs:seeAlso . d3f:BrowserExtension a owl:Class, owl:NamedIndividual ; rdfs:label "Browser Extension" ; rdfs:subClassOf d3f:UserApplication, [ a owl:Restriction ; owl:onProperty d3f:extends ; owl:someValuesFrom d3f:Browser ] ; rdfs:isDefinedBy ; d3f:definition "A browser extension is a plug-in that extends the functionality of a web browser in some way. Some extensions are authored using web technologies such as HTML, JavaScript, and CSS. Browser extensions can change the user interface of the web browser without directly affecting viewable content of a web page; for example, by adding a \"toolbar.\"" ; d3f:extends d3f:Browser . d3f:BucketOfModels a owl:Class, owl:NamedIndividual ; rdfs:label "Bucket of Models" ; rdfs:subClassOf d3f:EnsembleLearning ; d3f:d3fend-id "D3A-BOM" ; d3f:definition "A \"bucket of models\" is an ensemble technique in which a model selection algorithm is used to choose the best model for each problem. When tested with only one problem, a bucket of models can produce no better results than the best model in the set, but when evaluated across many problems, it will typically produce much better results, on average, than any model in the set." ; d3f:kb-article """## References Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning).""" . d3f:BuildTool a owl:Class ; rdfs:label "Build Tool" ; skos:altLabel "Build Automation Tool" ; rdfs:subClassOf d3f:DeveloperApplication ; d3f:definition "A tool that automates the process of creating a software build and the associated processes including: compiling computer source code into binary code, packaging binary code, and running automated tests." ; rdfs:seeAlso . d3f:BusinessCommunicationPlatformClient a owl:Class ; rdfs:label "Business Communication Platform Client" ; rdfs:subClassOf d3f:CollaborativeSoftware ; rdfs:isDefinedBy ; d3f:definition "Client software to enable the process of sharing information between employees within and outside a company. Business communication encompasses topics such as marketing, brand management, customer relations, consumer behavior, advertising, public relations, corporate communication, community engagement, reputation management, interpersonal communication, employee engagement, and event management. It is closely related to the fields of professional communication and technical communication." . d3f:BusMessage a owl:Class, owl:NamedIndividual ; rdfs:label "Bus Message" ; rdfs:subClassOf d3f:DigitalMessage ; d3f:definition "A digital message potentially containing commands, telemetry, or status signals, encoded in a bus protocol and conveyed over a bus within one or more frames." . d3f:BusMessageAuthentication a d3f:BusMessageAuthentication, owl:Class, owl:NamedIndividual ; rdfs:label "Bus Message Authentication" ; rdfs:subClassOf d3f:MessageAuthentication, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:BusMessage ] ; d3f:authenticates d3f:BusMessage ; d3f:d3fend-id "D3-BMA" ; d3f:definition "Applies cryptographic primitives to individual bus frames to verify the sender's identity and ensure the integrity of the data payload." ; d3f:kb-article """## How it works Bus Message Authentication functions as a continuous validation layer that operates between the physical transmission of a signal and the application layer's processing of data. Every node on a bus network is provisioned with a cryptographic key and a synchronized 'freshness' state (such as a monotonic counter). When a node prepares to transmit, it generates a Message Authentication Code (MAC) which is created by hashing the message content, the sender's unique ID, and the current freshness value using its secret key. This MAC is then appended to the outgoing frame. As messages circulate on the bus network, receiving nodes do not immediately trust the incoming data. Instead, a hardware controller intercepts the frame and performs a real-time parallel verification. The controller re-calculates the expected MAC based on its own copy of the key and the current network freshness state. If the received MAC matches the calculated one, the message is passed to the system for further action. If the MAC is missing, incorrect, or stale (indicating a replay of an older message), the hardware silently drops the frame or triggers a security alert. ## Considerations * Bandwidth Overhead: Adding authentication tags (MACs) and freshness values reduces the effective data throughput; this requires a trade-off between the desired security level (tag length) and the available bus capacity. * Real-Time Latency: Cryptographic processing must occur in hardware (e.g., via AES-NI, FPGA logic, or specialized ASICs) to meet the deterministic timing constraints of safety-critical systems. * Key Management: A robust mechanism for secure key storage and lifecycle management (e.g., rotation and revocation) is required to ensure that a single compromised node does not jeopardize the entire network. * Protocol Transparency: In legacy environments, authentication must often be implemented as a shim that remains compatible with existing protocol standards to avoid breaking legacy hardware.""" ; d3f:kb-reference d3f:Reference-ControllerAreaNetworkMessageAuthentication . d3f:BusNetwork a owl:Class, owl:NamedIndividual ; rdfs:label "Bus Network" ; skos:altLabel "Bus", "Data Highway" ; rdfs:subClassOf d3f:Network ; rdfs:isDefinedBy ; d3f:definition "An electronic communication system that links multiple components through one shared transmission medium, together with the interface hardware and link-layer signalling that govern access to that medium." . d3f:BusNetworkFrame a owl:Class, owl:NamedIndividual ; rdfs:label "Bus Network Frame" ; skos:altLabel "Bus Frame" ; rdfs:subClassOf d3f:NetworkFrame, [ a owl:Restriction ; owl:onProperty d3f:contained-by ; owl:someValuesFrom d3f:BusNetworkTraffic ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:BusMessage ] ; d3f:contained-by d3f:BusNetworkTraffic ; d3f:contains d3f:BusMessage ; d3f:definition "A network frame whose layout and timing follow a bus protocol, allowing data to be exchanged across the shared bus medium." . d3f:BusNetworkNode a owl:Class, owl:NamedIndividual ; rdfs:label "Bus Network Node" ; rdfs:subClassOf d3f:Host, [ a owl:Restriction ; owl:onProperty d3f:connected-to ; owl:someValuesFrom d3f:BusNetwork ], [ a owl:Restriction ; owl:onProperty d3f:transmits ; owl:someValuesFrom d3f:BusNetworkTraffic ] ; d3f:connected-to d3f:BusNetwork ; d3f:definition "A device or logical endpoint whose interface is directly connected to a bus and exchanges data over the shared medium using the protocol implemented on that interface." ; d3f:transmits d3f:BusNetworkTraffic . d3f:BusNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Bus Network Traffic" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:BusNetworkFrame ] ; d3f:contains d3f:BusNetworkFrame ; d3f:definition "The ordered flow of frames, structured by a bus protocol, that traverses the shared bus medium during operation." . d3f:ByteSequenceEmulation a d3f:ByteSequenceEmulation, owl:Class, owl:NamedIndividual ; rdfs:label "Byte Sequence Emulation" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis ; d3f:d3fend-id "D3-BSE" ; d3f:definition "Analyzing sequences of bytes and determining if they likely represent malicious shellcode." ; d3f:kb-article """## How it works Bytes are analyzed as if they are machine code instructions, and such instructions that are a common component of known shellcode are noted, such as stack pivots, reads from a Memory Address Table, and system calls for functions that disable protections or execute code. For example, the x86 instruction `b0 0b: mov $11, %ax`, with no further alterations to the `%ax` register, followed by `cd 80: syscall` executes the system call `execve()` in the Linux kernel, which replaces the current process with another one specified -- this is a common action in shellcode, so this sequence would be flagged. This technique detects shellcode despite whether or not it would cause a buffer overflow in the target binary. If the sequence of bytes contains a sequence similar to that used in malicious shellcode, the entire byte sequence is flagged and a follow-on technique may be invoked. ## Considerations ### False Negatives If the shellcode instructions are far apart, simple implementations might not detect the shellcode. Due to the nature of assembly instructions not having a defined start or end, implementations which do not process all start sequences (for example, when they a find byte sequence of interest, continue scanning forwards from the end of it) might not detect the shellcode. This technique might not detect more complex or obfuscated instructions. For that purpose, Dynamic Analysis or Emulated File Analysis could assist by analyzing the actual instruction function. This technique may not detect self-modifying code. To make it harder for a process to modify itself, Process Segment Execution Prevention should be used, while noting its considerations. This technique might not detect malicious shellcode which reuses instructions in the target binary for malicious effect, as memory references in the presumed assembly code are not dereferenced. Dynamic Analysis and Emulated File Analysis, when set up properly to fork from the running target binary, might detect this. Process Segment Execution Prevention combined with Segment Address Offset Randomization frequently makes introduction of shellcode through overwriting a saved return pointer more difficult. Call stack depth analysis might detect excessive reuse of instructions in the target binary. Shadow Stack Frames might detect that a stack frame's return address has changed and Stack Frame Canary Verification might detect that the stack frame's return address was overwritten. Other heuristic methods might detect jump-oriented programming shellcode. With inserting code directly, that it is not a buffer overflow, and just some place where code is executed either to a file or a write-what-where, the buffer overflow mitigations do not help. Behavioral analysis could detect this, or proper access control could mitigate this. ### False Positives Byte sequences containing code that is never used as machine code are still analyzed and flagged for anomalies, and [eventually](http://mathforum.org/library/drmath/view/55871.html), it is likely that an attack sequence will arise from the sheer volume of bytes transmitted.""" ; d3f:kb-reference d3f:Reference-Network-BasedBufferOverflowDetectionByExploitCodeAnalysis_InformationSecurityResearchCentre, d3f:Reference-Network-levelPolymorphicShellcodeDetectionUsingEmulation ; d3f:synonym "Shellcode Transmission Detection" . d3f:C4.5 a owl:Class, owl:NamedIndividual ; rdfs:label "C4.5" ; rdfs:subClassOf d3f:DecisionTree ; d3f:d3fend-id "D3A-C4." ; d3f:definition "C4.5 is an algorithm that is strongly based off ID3. It creates decision trees the same way as ID3. C4.5 improves on several aspects of ID3, including handling discreet variables, handling training data with missing values, and has the ability to automatically prune the decision trees it creates." ; d3f:kb-article """## References C4.5 algorithm. Wikipedia. [Link](https://en.wikipedia.org/wiki/C4.5_algorithm).""" . d3f:C5.0 a owl:Class, owl:NamedIndividual ; rdfs:label "C5.0" ; rdfs:subClassOf d3f:DecisionTree ; d3f:d3fend-id "D3A-C5." ; d3f:definition "C5.0 is the next version of C4.5, which in turn is the upgrade from ID3. The only difference between C5.0 and C4.5 is some improvements made to C5.0." ; d3f:kb-article """## References C4.5 algorithm. Wikipedia. [Link](https://en.wikipedia.org/wiki/C4.5_algorithm).""" . d3f:CACertificateFile a owl:Class ; rdfs:label "CA Certificate File" ; rdfs:subClassOf d3f:CertificateFile ; d3f:definition "A file containing a digital certificate issued by a certificate authority (CA). Certificate authorities store, issue, and sign digital certificates used as part of the public key infrastructure." ; rdfs:seeAlso , . d3f:CacheMemory a owl:Class, owl:NamedIndividual ; rdfs:label "Processor Cache Memory" ; rdfs:subClassOf d3f:PrimaryStorage, [ a owl:Restriction ; owl:onProperty d3f:accessed-by ; owl:someValuesFrom d3f:CentralProcessingUnit ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:ProcessSegment ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:CacheMemory ] ; rdfs:isDefinedBy ; d3f:accessed-by d3f:CentralProcessingUnit ; d3f:definition "Cache memory is temporary storage that is more readily available to the processor than the computer's main memory source, located between the main memory and the processor. It is typically either integrated directly into the CPU chip (level 1 cache) or placed on a separate chip with a bus interconnect with the CPU (level 2 cache)." ; d3f:may-contain d3f:ProcessSegment ; d3f:modifies d3f:CacheMemory ; rdfs:seeAlso . d3f:CallStack a owl:Class, owl:NamedIndividual ; rdfs:label "Call Stack" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:StackFrame ] ; rdfs:isDefinedBy ; d3f:contains d3f:StackFrame ; d3f:definition "In computer science, a call stack is a stack data structure that stores information about the active subroutines of a computer program. This kind of stack is also known as an execution stack, program stack, control stack, run-time stack, or machine stack, and is often shortened to just \"the stack\". Although maintenance of the call stack is important for the proper functioning of most software, the details are normally hidden and automatic in high-level programming languages. Many computer instruction sets provide special instructions for manipulating stacks." . d3f:CanopyClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Canopy Clustering" ; rdfs:subClassOf d3f:ClusterAnalysis ; d3f:d3fend-id "D3A-CC" ; d3f:definition "The canopy clustering algorithm is an unsupervised pre-clustering algorithm often used as preprocessing step for the K-means algorithm or the Hierarchical clustering algorithm. It is intended to speed up clustering operations on large data sets." ; d3f:kb-article """## References Wikipedia. (n.d.). Canopy clustering algorithm. [Link](https://en.wikipedia.org/wiki/Canopy_clustering_algorithm)""" . d3f:Capability a owl:Class ; rdfs:label "Capability" ; rdfs:subClassOf d3f:ExternalThing ; rdfs:isDefinedBy ; rdfs:seeAlso . d3f:CAPEC-663 a d3f:CommonAttackPattern, owl:Class, owl:NamedIndividual ; rdfs:label "Exploitation of Transient Instruction Execution" ; rdfs:subClassOf d3f:CommonAttackPattern ; rdfs:isDefinedBy ; d3f:capec-id "CAPEC-553" . d3f:CAPECThing a owl:Class ; rdfs:label "CAPEC Thing" ; rdfs:subClassOf d3f:ExternalThreatModelThing . d3f:CART a owl:Class, owl:NamedIndividual ; rdfs:label "CART" ; rdfs:subClassOf d3f:DecisionTree ; d3f:d3fend-id "D3A-CAR" ; d3f:definition "The CART algorithm is a type of classification algorithm that is required to build a decision tree on the basis of Gini’s impurity index." ; d3f:kb-article """## References Classification and Regression Tree (CART) Algorithm. Analytics Steps. [Link](https://www.analyticssteps.com/blogs/classification-and-regression-tree-cart-algorithm).""" . d3f:CCIControl a owl:Class ; rdfs:label "CCI Control" ; rdfs:subClassOf d3f:ExternalControl, [ a owl:Restriction ; owl:onProperty d3f:control-name ; owl:someValuesFrom xsd:string ], [ a owl:Restriction ; owl:onProperty d3f:member-of ; owl:someValuesFrom d3f:ControlCorrelationIdentifierCatalog ], [ a owl:Restriction ; owl:onProperty d3f:published ; owl:someValuesFrom xsd:dateTime ] . d3f:CentralProcessingUnit a owl:Class, owl:NamedIndividual ; rdfs:label "Central Processing Unit" ; rdfs:subClassOf d3f:Processor, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ProcessorRegister ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:CacheMemory ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:MemoryManagementUnit ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:MemoryProtectionUnit ] ; rdfs:isDefinedBy ; d3f:contains d3f:ProcessorRegister ; d3f:definition "A central processing unit (CPU), also called a central processor, main processor or just processor, is the electronic circuitry that executes instructions comprising a computer program. The CPU performs basic arithmetic, logic, controlling, and input/output (I/O) operations specified by the instructions in the program. This contrasts with external components such as main memory and I/O circuitry, and specialized processors such as graphics" ; d3f:may-contain d3f:CacheMemory, d3f:MemoryManagementUnit, d3f:MemoryProtectionUnit ; d3f:synonym "Central Processor", "CPU", "Main Processor" . d3f:CentralTendency a owl:Class, owl:NamedIndividual ; rdfs:label "Central Tendency" ; rdfs:subClassOf d3f:DescriptiveStatistics ; d3f:d3fend-id "D3A-CT" ; d3f:definition "A measure of central tendency ) is a summary measure that attempts to describe a whole set of data with a single value that represents the middle or centre of its distribution." ; d3f:kb-article """## References Australian Bureau of Statistics. (n.d.). Measures of Central Tendency. [Link](https://www.abs.gov.au/statistics/understanding-statistics/statistical-terms-and-concepts/measures-central-tendency) Wikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)""" . d3f:Centroid-basedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Centroid-based Clustering" ; rdfs:subClassOf d3f:ClusterAnalysis ; d3f:d3fend-id "D3A-CBC" ; d3f:definition "Centroid-based clustering organizes the data into non-hierarchical clusters, in contrast to hierarchical clustering defined below. K-means is the most widely-used centroid-based clustering algorithm. Centroid-based algorithms are efficient but sensitive to initial conditions and outliers." ; d3f:kb-article """## References Google Developers. (n.d.). Clustering Algorithms. [Link](https://developers.google.com/machine-learning/clustering/clustering-algorithms)""" . d3f:Certificate a owl:Class, owl:NamedIndividual ; rdfs:label "Certificate" ; skos:altLabel "Public Key Certificate" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Identifier ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:PublicKey ] ; rdfs:isDefinedBy ; d3f:contains d3f:Identifier, d3f:PublicKey ; d3f:definition "In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device." ; rdfs:seeAlso . d3f:Certificate-basedAuthentication a d3f:Certificate-basedAuthentication, owl:Class, owl:NamedIndividual ; rdfs:label "Certificate-based Authentication" ; rdfs:subClassOf d3f:AgentAuthentication, [ a owl:Restriction ; owl:onProperty d3f:reads ; owl:someValuesFrom d3f:Certificate ] ; d3f:d3fend-id "D3-CBAN" ; d3f:definition "Requiring a digital certificate in order to authenticate a user." ; d3f:kb-article """## How it works Certificate-based authentication is a security mechanism that uses digital certificates to verify the identity of a user, device, or server before granting access to a network or system. This method relies on a pair of cryptographic keys: a public key and a private key. ## Considerations * Private Key Protection: Ensure that private keys are securely stored and protected against unauthorized access. * Certificate Revocation: Implement a robust process for revoking certificates if they are compromised or no longer needed. * Man-in-the Middle Attacks: Use mutual authentication to mitigate the risk of these attacks.""" ; d3f:kb-reference d3f:Reference-FederalPublicKeyInfrastructure101 ; d3f:reads d3f:Certificate . d3f:CertificateAnalysis a d3f:CertificateAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Certificate Analysis" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:CertificateFile ] ; d3f:analyzes d3f:CertificateFile ; d3f:d3fend-id "D3-CA" ; d3f:definition "Analyzing Public Key Infrastructure certificates to detect if they have been misconfigured or spoofed using both network traffic, certificate fields and third-party logs." ; d3f:kb-article """## How it works Certificate Analysis ensures that the data elements of the certificate are current and anchored in a known trust model. Certificate authorities, revocation lists, and third-party secure logs are used in the analysis. Analysis includes detection of server impersonation, phishing domains, and forged certificates. TLS certificates are designed to expire to ensure that the cryptographic keys are forced to be changed on a regular basis. The certificates in the trust path also expire and can cause a break in the trust chain. This means that even if a server certificate is updated correctly, intermediate certificates can expire and the trust chain is not maintained. This can cause services to become unavailable.""" ; d3f:kb-reference d3f:Reference-SecuringWebTransactions . d3f:CertificateFile a owl:Class, owl:NamedIndividual ; rdfs:label "Certificate File" ; rdfs:subClassOf d3f:File, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Certificate ] ; rdfs:isDefinedBy ; d3f:contains d3f:Certificate ; d3f:definition "A file containing a digital certificate. In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner." . d3f:CertificatePinning a d3f:CertificatePinning, owl:Class, owl:NamedIndividual ; rdfs:label "Certificate Pinning" ; rdfs:subClassOf d3f:CredentialHardening, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:PublicKey ], [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:Certificate ] ; d3f:authenticates d3f:PublicKey ; d3f:d3fend-id "D3-CP" ; d3f:definition "Persisting either a server's X.509 certificate or their public key and comparing that to server's presented identity to allow for greater client confidence in the remote server's identity for SSL connections." ; d3f:hardens d3f:Certificate ; d3f:kb-article """## How it works Pinning allows for a trusted copy of a certificate or public key to be associated with a server and thus reducing the likelihood of frequently visited sites being subjected to man-in-the-middle attacks. Certificates or public keys can be pinned after a trusted connection has been established or the pinning can be preloaded in an application, which is the preferred method for mobile applications. Pinning can take the form of certificate pinning or public key pinning. ## Forms of Pinning * Certificate Pinning (CP) allows for the client to verify the X.509 certificate with a preloaded certificate. Typically, this is involves storing a hash of the certificate and using the stored hash for comparison to the hash of the certificate submitted during the SSL handshake. * Public Key Pinning (PKP) requires the extraction of a public key from server's certificate. The stored public key is compared to the server's presented public key. A public key is expected to rotate less frequently than an X.509 certificate and is generally favored over certificate pinning. An extension of PKP is Subject Public Key Information Pinning (SPKI) includes public key pinning plus additional information for SSL connections. The additional information can include preferred algorithms. ## Considerations * With pinned certificates whenever a server updates its certificate, the pinned certificates will also need to be updated * With pinned public keys the extracted key may be subject to key refresh policies but much less frequently * Servers can become unavailable if pinned objects are set and not updated with the rotated identities. This may require a pinning strategy to be developed. * The application of this technique within web browser applications has been [deprecated](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning) by popular web browser developers. They now favor certificate analysis via public certificate transparency logs, and the EXPECT-CT HTTP header.""" ; d3f:kb-reference d3f:Reference-CertificateAndPublicKeyPinning, d3f:Reference-End-to-endCertificatePinning, d3f:Reference-PublicKeyPinningExtensionForHTTP . d3f:CertificateRotation a d3f:CertificateRotation, owl:Class, owl:NamedIndividual ; rdfs:label "Certificate Rotation" ; rdfs:subClassOf d3f:CredentialRotation, [ a owl:Restriction ; owl:onProperty d3f:regenerates ; owl:someValuesFrom d3f:Certificate ] ; d3f:d3fend-id "D3-CERO" ; d3f:definition "Certificate rotation involves replacing digital certificates and their private keys to maintain cryptographic integrity and trust, mitigating key compromise risks and ensuring continuous secure communications." ; d3f:kb-article """## How it works Certificate rotation should be performed when: - Any certificate expires. - A new CA authority is substituted for the old, thus requiring a replacement root certificate. - New or modified constraints need to be imposed on one or more certificates. - A security breach has occurred. Considerations: - Managing certificate rotation across an enterprise can be complex. Automated solutions, sold by multiple vendors, should be considered to manage this complexity.""" ; d3f:kb-reference d3f:Reference-PasswordandKeyRotation-SSH ; d3f:regenerates d3f:Certificate ; rdfs:seeAlso . d3f:CertificateTrustStore a owl:Class, owl:NamedIndividual ; rdfs:label "Certificate Trust Store" ; rdfs:subClassOf d3f:TrustStore, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Certificate ] ; d3f:contains d3f:Certificate ; d3f:definition "A certificate truststore is used to store public certificates used to authenticate clients by the server for an SSL connection." ; rdfs:seeAlso , . d3f:ChangeDefaultPassword a d3f:ChangeDefaultPassword, owl:Class, owl:NamedIndividual ; rdfs:label "Change Default Password" ; rdfs:subClassOf d3f:StrongPasswordPolicy, [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:OTController ], [ a owl:Restriction ; owl:onProperty d3f:strengthens ; owl:someValuesFrom d3f:Password ], [ a owl:Restriction ; owl:onProperty d3f:strengthens ; owl:someValuesFrom d3f:UserAccount ] ; d3f:d3fend-id "D3-CDP" ; d3f:definition "Changing the default password means replacing the factory-set credentials with a strong, unique password before the device is deployed, preventing unauthorized access." ; d3f:hardens d3f:OTController ; d3f:kb-article """## How it works Change the default password as soon as a new device is received. The default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. ## Considerations * These should be changed before a device is brought online so that an adversary cannot take advantage of these default credentials. * Strong and complex passwords are preferred if the technology allows.""" ; d3f:kb-reference d3f:Reference-CPGChecklist, d3f:Reference-GuideToOTSecurity, d3f:Reference-MITREATTACKPasswordPolicies ; d3f:strengthens d3f:Password, d3f:UserAccount . d3f:ChatroomClient a owl:Class ; rdfs:label "Chatroom Client" ; skos:altLabel "Chat Room Client" ; rdfs:subClassOf d3f:CollaborativeSoftware ; rdfs:isDefinedBy ; d3f:definition "Client software used to describe conduct any form of synchronous conferencing, occasionally even asynchronous conferencing. The term can thus mean any technology ranging from real-time online chat and online interaction with strangers (e.g., online forums) to fully immersive graphical social environments." . d3f:ChildProcess a owl:Class ; rdfs:label "Child Process" ; rdfs:subClassOf d3f:Process ; rdfs:isDefinedBy ; d3f:definition "A child process in computing is a process created by another process (the parent process). This technique pertains to multitasking operating systems, and is sometimes called a subprocess or traditionally a subtask. There are two major procedures for creating a child process: the fork system call (preferred in Unix-like systems and the POSIX standard) and the spawn (preferred in the modern (NT) kernel of Microsoft Windows, as well as in some historical operating systems)." ; rdfs:seeAlso . d3f:Classification a owl:Class, owl:NamedIndividual ; rdfs:label "Classification" ; rdfs:subClassOf d3f:SupervisedLearning ; d3f:d3fend-id "D3A-CLA" ; d3f:definition "Classification uses an algorithm to accurately assign test data into specific categories." ; d3f:kb-article """## How it works Classification recognizes specific entities within the dataset and attempts to draw some conclusions on how those entities should be labeled or defined. Common classification algorithms are linear classifiers, support vector machines (SVM), decision trees, k-nearest neighbor, and random forest, which are described in more detail below. ## Considerations: There are many different types of classification algorithms for modeling classification predictive modeling problems. There is no single theory on how to map algorithms onto problem types; instead, it is generally recommended that a practitioner use controlled experiments and discover which algorithm and algorithm configuration results in the best performance for a given classification task. ## Key Test Considerations - **Machine Learning**: - **Verify the dataset quality**: Check the data to make sure it is free of errors. Quantify the degree of missing values, outliers, and noise in the data collection. If the data quality is low, it may be difficult or impossible to create models and systems with the desired performance. - **Verify development datasets are representative** of expected operational environment and data collection means. Compare distributions of dataset features and labels with exploratory data analysis and assess the difference in tests on training data and tests on evaluation data (where the evaluation data must be drawn from a representative dataset.) - **Use software libraries**: and tools built for ML where possible, so that the underlying code is verified by prior use.** - **Diagnose model errors with domain SMEs**: Have problem domain SMEs investigate model errors for conditions for which the model may underperform and suggest refinements. - **Classification**: - **Use Standard Classification Performance Measures**: Not all of the following may be necessary, but should be considered for both verification (developmental test) and operational test stages use: - **Accuracy**: The fraction of predictions that were corret. - **Precision**: The proportion of positive identifications that were correct. - **Recall**: The proportion of actual positive cases identified correctly. - **F-Measure**: Combines the preicion and recall into a single score. It is the harmonic mean of the precision and recall. - **Receiver Operating Characteristic (ROC) Curve**: A ROC curve shows the performance of a classification model at all classification thresholds. It graphs the True Positive Rate over the False Positive Rate. - **Area Under the ROC Curve (AUC)**: This measures the two-dimensional area under the ROC Curve. AUC is scale-invariant and classification-threshold invariant. - **ROC TP vs FP points**: In addition to a specific AUC score, the performance at points - **Confusion Matrix**: A confusion matrix is a table layout that allows the visualization of the performance of an algorithm. Each row of the matrix represents the instances in an actual class while each column represents the instances in a predicted class, or vice versa. It is a special kind of contingency table, with two dimensions ("actual" and "predicted"), and identical sets of "classes" in both dimensions (each combination of dimension and class is a variable in the contingency table.) - **Prediction Bias**: The difference between the average of the predicted labels and the average of the labels in the data set. One should check for prediction bias when evaluating the classifier's results. Causes of bias can include: - **Noisy data set**: Errors in original data can as the collection method may have an underlying bias. - **Processing bug**: Errors in the data pipeline can introduce bias. - **Biased training sample (unbalanced samples)**: Model parameters may be skewed towards majority classes. - **Overly strong regularization**: Model may be underfitting model and too simple. - **Proxy variables**: Model features may be highly correlated. - **Overfitting and Underfitting**: Overfitting occurs when the the model built corresponds too closely or exactly to a particular set of data, and thus may fail to fit to predict additional data reliably. An overfitted model is a mathematical model that contains more parameters than can be justified by the data. Underfitting occurs when the model built does adequately capture the patterns in the data. As an example, a linear model will underfit a non-linear dataset. ## Platforms, Tools, or Libraries: - **Python**: - **scikit-learn**: Is a free software machine learning library for Python and includes features for classification. - **TensorFlow**: is an end-to-end source machine learning platform. - **Keras**: is an open-source library that provides a Python API designed to enable fast experimentation with deep neural networks. - **PyTorch**: Is a machine learning framework based on the Torch library. - **R**: - **caret**: Classification And REgression Training package contains functions to streamline model training for complex regression and classification problems. - **randomForest**: Implementation of classification and regression based on forest of trees. ## References 1. Supervised Learning. IBM. [Link](https://www.ibm.com/topics/supervised-learning). 1. Types of Classification in Machine Learning. Machine Learning Mastery. [Link](https://machinelearningmastery.com/types-of-classification-in-machine-learning/). 1. Google. (18 July 2022). Classification: Precision and Recall. [Link](https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall). 1. Wikipedia. (18 Aug 2023). Overfitting. [Link](https://en.wikipedia.org/wiki/Overfitting). 1. Wikipedia. (19 Aug 2023). Confusion matrix. [Link](https://en.wikipedia.org/wiki/Confusion_matrix).""" . d3f:Classifying a owl:Class ; rdfs:label "Classifying" ; rdfs:subClassOf d3f:AnalyticalPurpose . d3f:Client-serverPayloadProfiling a d3f:Client-serverPayloadProfiling, owl:Class, owl:NamedIndividual ; rdfs:label "Client-server Payload Profiling" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:analyzes d3f:NetworkTraffic ; d3f:d3fend-id "D3-CSPP" ; d3f:definition "Comparing client-server request and response payloads to a baseline profile to identify outliers." ; d3f:kb-article """## How it works Profiling request and response payloads across multiple clients to a single server to develop a baseline of their characteristics. May take into account request/response sizes, entropy, frequency, and rhythm. Finally, identify outliers as they may indicate a malicious payload delivery and subsequent server exploitation. ## Considerations * Collecting metrics to establish a profile can be challenging since user behavior can change easily. * Employees may work different hours or inconsistent schedules which will cause false positives. * Collection of network activity to generate metrics is a computationally intensive process. * Users may log into different workstations which may cause false positives.""" ; d3f:kb-reference d3f:Reference-MethodAndSystemForDetectingMaliciousPayloads_VectraNetworksInc . d3f:ClientApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Client Application" ; rdfs:subClassOf d3f:Application ; rdfs:isDefinedBy ; d3f:definition "A client application is software that accesses a service made available by a server. The server is often (but not always) on another computer system, in which case the client accesses the service by way of a network. The term applies to the role that programs or devices play in the client-server model" ; rdfs:seeAlso d3f:T1554 . d3f:ClientComputer a owl:Class, owl:NamedIndividual ; rdfs:label "Client Computer" ; rdfs:subClassOf d3f:Host ; rdfs:isDefinedBy ; d3f:definition "A client computer is a host that accesses a service made available by a server. The server is often (but not always) on another computer system, in which case the client accesses the service by way of a network." ; rdfs:seeAlso . d3f:Clipboard a owl:Class, owl:NamedIndividual ; rdfs:label "Clipboard" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "The clipboard is a buffer that some operating systems provide for short-term storage and transfer within and between application programs. The clipboard is usually temporary and unnamed, and its contents reside in the computer's RAM. The clipboard is sometimes called the paste buffer. Windows, Linux and macOS support a single clipboard transaction. Each cut or copy overwrites the previous contents. Normally, paste operations copy the contents, leaving the contents available in the clipboard for further pasting." . d3f:Clock a owl:Class, owl:NamedIndividual ; rdfs:label "Clock" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:TimeRecord ] ; rdfs:isDefinedBy ; d3f:definition "A mechanism that generates periodic, accurately spaced signals for timekeeping applications. Clocks may be implemented in hardware or software and are essential for system operations, synchronization, and event ordering." ; d3f:produces d3f:TimeRecord . d3f:ClockEvent a owl:Class ; rdfs:label "Clock Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Clock ] ; d3f:definition "An event involving a clock artifact, characterized by changes to or readings from a timekeeping mechanism that maintains a representation of temporal progression." . d3f:ClockSynchronizationEvent a owl:Class ; rdfs:label "Clock Synchronization Event" ; rdfs:subClassOf d3f:SoftwareClockEvent ; d3f:definition "An event in which a software clock adjusts its value based on an external time reference (e.g., NTP server, GPS time signal)." . d3f:Cloud-basedDatabaseApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Cloud-based Database Application" ; rdfs:subClassOf d3f:DatabaseServiceApplication, [ a owl:Restriction ; owl:onProperty d3f:provider ; owl:someValuesFrom d3f:CloudServiceProvider ] ; d3f:definition "A database application where the underlying infrastructure is managed by a third-party cloud provider. Examples include DynamoDB, Firestore, and CosmosDB." ; d3f:provider d3f:CloudServiceProvider ; d3f:synonym "Serverless Database Application" . d3f:CloudConfiguration a owl:Class, owl:NamedIndividual ; rdfs:label "Cloud Configuration" ; skos:altLabel "Cloud Configuration Information" ; rdfs:subClassOf d3f:ConfigurationResource ; d3f:definition "Information used to configure the services, parameters, and initial settings for a virtual server instance running in a cloud service." . d3f:CloudConfigurationModificationEvent a owl:Class ; rdfs:label "Cloud Configuration Modification Event" ; rdfs:subClassOf d3f:ConfigurationModificationEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:CloudConfiguration ] ; d3f:definition "An event that updates cloud-hosted resource configurations such as IAM policies, virtual network constructs, storage settings, or managed-service parameters; impacting resource provisioning, access control, functionality, or compliance." . d3f:CloudInstanceMetadata a owl:Class, owl:NamedIndividual ; rdfs:label "Cloud Instance Metadata" ; rdfs:subClassOf d3f:CloudConfiguration ; d3f:definition "Cloud instance metadata is configuration information on the instance and users of the instance. This includes such information as security groups, public ip addresses, and private addresses, public keys configured, and event rotating security keys. User data can contain initialization scripts, variables, passwords, and more." ; rdfs:seeAlso . d3f:CloudServiceAuthentication a owl:Class, owl:NamedIndividual ; rdfs:label "Cloud Service Authentication" ; rdfs:subClassOf d3f:WebAuthentication ; d3f:definition "A request-response comprising a user credential presentation to a system and a verification response where the verifying party is a cloud service." . d3f:CloudServiceAuthorization a owl:Class, owl:NamedIndividual ; rdfs:label "Cloud Service Authorization" ; rdfs:subClassOf d3f:Authorization ; d3f:definition "Cloud authorization is the function of specifying access rights to cloud resources." . d3f:CloudServiceProvider a owl:Class, owl:NamedIndividual ; rdfs:label "Cloud Service Provider" ; rdfs:subClassOf d3f:ServiceProvider ; d3f:definition "A cloud service provider delivers scalable and distributed computing resources over a network, enabling clients to access infrastructure, platforms, and applications remotely." . d3f:CloudServiceSensor a owl:Class, owl:NamedIndividual ; rdfs:label "Cloud Service Sensor" ; rdfs:subClassOf d3f:CyberSensor, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:CloudServiceAuthentication ], [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:CloudServiceAuthorization ] ; d3f:definition "Senses data from cloud service platforms. Including data from cloud service authentications, authorizations, and other activities." ; d3f:monitors d3f:CloudServiceAuthentication, d3f:CloudServiceAuthorization . d3f:CloudStorage a owl:Class, owl:NamedIndividual ; rdfs:label "Cloud Storage" ; rdfs:subClassOf d3f:SecondaryStorage ; rdfs:isDefinedBy ; d3f:definition "Cloud storage is storage held within a computing cloud." ; rdfs:seeAlso , . d3f:CloudUserAccount a owl:Class, owl:NamedIndividual ; rdfs:label "Cloud User Account" ; rdfs:subClassOf d3f:UserAccount ; d3f:definition "A user account on a given host is a local user account for a given cloud and specified resources within that cloud." . d3f:ClusterAnalysis a owl:Class, owl:NamedIndividual ; rdfs:label "Cluster Analysis" ; rdfs:subClassOf d3f:UnsupervisedLearning ; d3f:d3fend-id "D3A-CA" ; d3f:definition "Cluster analysis or clustering is the task of grouping a set of objects in such a way that objects in the same group (called a cluster) are more similar (in some sense) to each other than to those in other groups (clusters)." ; d3f:kb-article """## References Cluster analysis. (n.d.). Wikipedia. [Link](https://en.wikipedia.org/wiki/Cluster_analysis)""" . d3f:Clustering a owl:Class ; rdfs:label "Clustering" ; rdfs:subClassOf d3f:Summarizing . d3f:CodeAnalyzer a owl:Class, owl:NamedIndividual ; rdfs:label "Code Analyzer" ; skos:altLabel "Program Analysis Tool" ; rdfs:subClassOf d3f:DeveloperApplication ; d3f:definition "Code analyzers automatically analyze the composition or behavior of computer programs regarding a property such as correctness, robustness, security, and safety. Program analysis can be performed without executing the program (static program analysis), during runtime (dynamic program analysis) or in a combination of both." ; rdfs:seeAlso . d3f:CodecApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Codec Application" ; rdfs:subClassOf d3f:UserApplication, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:CodecLibrary ] ; d3f:contains d3f:CodecLibrary ; d3f:definition "An application that encodes and decodes digital data." . d3f:CodecLibrary a owl:Class, owl:NamedIndividual ; rdfs:label "Codec Library" ; rdfs:subClassOf d3f:SoftwareLibrary ; d3f:definition "A software component that encodes or decodes a data stream of signal." . d3f:CodeRepository a owl:Class, owl:NamedIndividual ; rdfs:label "Code Repository" ; skos:altLabel "Repository", "Version Control Repository" ; rdfs:subClassOf d3f:Database ; rdfs:isDefinedBy ; d3f:definition "A code repository is a form of database where code, typically source code, is stored and managed. In revision control systems, a repository is a data structure that stores metadata for a set of files or directory structure. Depending on whether the version control system in use is distributed like (Git or Mercurial) or centralized like (Subversion, CVS, or Perforce), the whole set of information in the repository may be duplicated on every user's system or may be maintained on a single server." . d3f:CoefficientOfVariation a owl:Class, owl:NamedIndividual ; rdfs:label "Coefficient of Variation" ; rdfs:subClassOf d3f:Variability ; d3f:d3fend-id "D3A-COV" ; d3f:definition """The coefficient of variation (CV), also known as relative standard deviation (RSD), is a standardized measure of dispersion of a probability distribution or frequency distribution. The coefficient of variation (CV) is defined as the ratio of the standard deviation to the mean .""" ; d3f:kb-article """## References Wikipedia. (n.d.). Coefficient of variation. [Link](https://en.wikipedia.org/wiki/Coefficient_of_variation)""" ; d3f:synonym "Relative Standard Deviation", "RSD" . d3f:CollaborativeSoftware a owl:Class ; rdfs:label "Collaborative Software" ; rdfs:subClassOf d3f:UserApplication ; rdfs:isDefinedBy ; d3f:definition "Collaborative software or groupware is application software designed to help people working on a common task to attain their goals. One of the earliest definitions of groupware is \"intentional group processes plus software to support them\". Collaborative software is a broad concept that overlaps considerably with computer-supported cooperative work (CSCW). According to Carstensen and Schmidt (1999) groupware is part of CSCW. The authors claim that CSCW, and thereby groupware, addresses \"how collaborative activities and their coordination can be supported by means of computer systems.\"" . d3f:CollectionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Collection Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0009 ] ; d3f:definition "The adversary is trying to gather data of interest to their goal." ; d3f:enables d3f:TA0009 . d3f:CombinationLock a owl:Class ; rdfs:label "Combination Lock" ; rdfs:subClassOf d3f:PhysicalLock, [ a owl:Restriction ; owl:onProperty d3f:uses ; owl:someValuesFrom d3f:Password ] ; rdfs:isDefinedBy ; d3f:definition "A combination lock is a type of locking device in which a sequence of symbols, usually numbers, is used to open the lock." ; rdfs:seeAlso "Federal Specification FL-L-2937" . d3f:Command a owl:Class ; rdfs:label "Command" ; rdfs:subClassOf d3f:DigitalInformation ; rdfs:isDefinedBy ; d3f:definition "A directive (i.e., an instruction specifying a procedure) which, when issued to a computer system, software, or hardware component, causes that entity to execute a specific action, operation, or computation." . d3f:CommandAndControlTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Command and Control Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0011 ] ; d3f:definition "The adversary is trying to communicate with compromised systems to control them." ; d3f:enables d3f:TA0011 . d3f:CommandHistoryLog a owl:Class, owl:NamedIndividual ; rdfs:label "Command History Log" ; rdfs:subClassOf d3f:EventLog ; d3f:definition "A log of commands run in an operating system shell." ; rdfs:seeAlso d3f:CommandLineInterface, . d3f:CommandHistoryLogFile a owl:Class, owl:NamedIndividual ; rdfs:label "Command History Log File" ; rdfs:subClassOf d3f:LogFile, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:CommandHistoryLog ] ; d3f:contains d3f:CommandHistoryLog ; d3f:definition "A command history log file is a file containing a command history, which the history of commands run in an operating system shell." ; rdfs:seeAlso . d3f:CommandLineInterface a owl:Class ; rdfs:label "Command Line Interface" ; skos:altLabel "CLI", "Command-line Interface", "CUI" ; rdfs:subClassOf d3f:UserInterface ; rdfs:isDefinedBy ; d3f:definition "A command-line interface or command language interpreter (CLI), also known as command-line user interface, console user interface, and character user interface (CUI), is a means of interacting with a computer program where the user (or client) issues commands to the program in the form of successive lines of text (command lines). Command-line interfaces to computer operating systems are less widely used by casual computer users, who favor graphical user interfaces. Programs with command-line interfaces are generally easier to automate via scripting." . d3f:CommonAttackPattern a owl:Class ; rdfs:label "Common Attack Pattern" ; rdfs:subClassOf d3f:CAPECThing ; d3f:definition "A common attack pattern that is in the CAPEC knowledge base." . d3f:Compiler a owl:Class, owl:NamedIndividual ; rdfs:label "Compiler" ; rdfs:subClassOf d3f:BuildTool, [ a owl:Restriction ; owl:onProperty d3f:reads ; owl:someValuesFrom d3f:CompilerConfigurationFile ] ; rdfs:isDefinedBy ; d3f:definition "In computing, a compiler is a computer program that translates computer code written in one programming language (the source language) into another language (the target language). The name \"compiler\" is primarily used for programs that translate source code from a high-level programming language to a lower level language (e.g., assembly language, object code, or machine code) to create an executable program." ; d3f:reads d3f:CompilerConfigurationFile . d3f:CompilerConfigurationFile a owl:Class, owl:NamedIndividual ; rdfs:label "Compiler Configuration File" ; rdfs:subClassOf d3f:ApplicationConfigurationFile ; d3f:definition "A file containing Information used to configure the parameters and initial settings for a compiler." . d3f:ComputeDeviceEvent a owl:Class ; rdfs:label "Compute Device Event" ; rdfs:subClassOf d3f:HardwareDeviceEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Processor ] ; d3f:definition "An event capturing the operation, state, or performance of computational hardware, such as CPUs, GPUs, or accelerators. These events reflect processing capacity changes, utilization anomalies, or device health." . d3f:ComputerCabinet a owl:Class ; rdfs:label "Computer Cabinet" ; rdfs:subClassOf d3f:ComputerEnclosure ; d3f:definition "A computer cabinet houses one or more computers and can range in size and material." ; rdfs:seeAlso "https://dbpedia.org/page/Computer_cabinet", "IEEE C37.20.2" . d3f:ComputerCase a owl:Class ; rdfs:label "Computer Case" ; rdfs:subClassOf d3f:ComputerEnclosure ; d3f:definition "A computer case is a computer enclosure which encloses a single primary computer." ; rdfs:seeAlso "https://dbpedia.org/page/Computer_case" . d3f:ComputerEnclosure a owl:Class, owl:NamedIndividual ; rdfs:label "Computer Enclosure" ; rdfs:subClassOf d3f:PhysicalArtifact, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ComputerPlatform ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:PhysicalLock ] ; d3f:definition "A part providing protection of computer equipment against certain external influences and protects against direct contact." ; rdfs:seeAlso "[IEV 826-03-12]", . d3f:ComputerNetworkNode a owl:Class ; rdfs:label "Computer Network Node" ; rdfs:subClassOf d3f:ComputerPlatform, d3f:NetworkNode ; d3f:definition "A network node running on a computer platform." ; rdfs:seeAlso . d3f:ComputerPlatform a owl:Class, owl:NamedIndividual ; rdfs:label "Computer Platform" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Firmware ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:HardwareDevice ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:OperatingSystem ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:SystemPlatformVariable ] ; d3f:contains d3f:Firmware, d3f:HardwareDevice, d3f:OperatingSystem, d3f:SystemPlatformVariable ; d3f:definition "Platform includes the hardware and OS. The term computing platform can refer to different abstraction levels, including a certain hardware architecture, an operating system (OS), and runtime libraries. In total it can be said to be the stage on which computer programs can run." ; d3f:synonym "Computing Platform" ; rdfs:seeAlso . d3f:ComputingImage a owl:Class ; rdfs:label "Computing Image" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A computing image captures the full state or contents of a computing entity, such as a process or volume." . d3f:ComputingServer a owl:Class ; rdfs:label "Computing Server" ; rdfs:subClassOf d3f:Server ; rdfs:isDefinedBy ; d3f:definition "A compute server is a system specifically designed to undertake large amounts of computation, usually but not necessarily in a client/server environment." . d3f:ComputingSnapshot a owl:Class, owl:NamedIndividual ; rdfs:label "Computing Snapshot" ; skos:altLabel "Snapshot" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "In computer systems, a snapshot is the state of a system at a particular point in time." . d3f:Condition a owl:Class ; rdfs:label "Condition" ; rdfs:subClassOf d3f:D3FENDCore ; rdfs:comment "Less common usage versus state, meant to superclass precondition, postcondition, and effect." ; rdfs:isDefinedBy "n-06768279" ; d3f:definition "An assumption on which rests the validity or effect of something else." . d3f:ConfigurationDatabase a owl:Class, owl:NamedIndividual ; rdfs:label "Configuration Database" ; rdfs:subClassOf d3f:ConfigurationResource, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ConfigurationDatabaseRecord ] ; d3f:contains d3f:ConfigurationDatabaseRecord . d3f:ConfigurationDatabaseRecord a owl:Class, owl:NamedIndividual ; rdfs:label "Configuration Database Record" ; rdfs:subClassOf d3f:ConfigurationResource, d3f:DatabaseRecord ; d3f:definition "A Configuration Database Record defines settings, parameters, or preferences for applications, systems, or devices." ; d3f:synonym "Configuration Record" . d3f:ConfigurationEvent a owl:Class ; rdfs:label "Configuration Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:ConfigurationResource ] ; d3f:definition "A discrete event that creates, applies, modifies, or deletes configuration resources to determine or alter the function of a system, device, application, or service." . d3f:ConfigurationFile a owl:Class ; rdfs:label "Configuration File" ; skos:altLabel "Settings File" ; rdfs:subClassOf d3f:File ; rdfs:isDefinedBy ; d3f:definition "A file containing Information used to configure the parameters and initial settings for some computer programs. They are used for user applications, server processes and operating system settings." . d3f:ConfigurationInventory a d3f:ConfigurationInventory, owl:Class, owl:NamedIndividual ; rdfs:label "Configuration Inventory" ; rdfs:subClassOf d3f:AssetInventory, [ a owl:Restriction ; owl:onProperty d3f:inventories ; owl:someValuesFrom d3f:ConfigurationResource ] ; d3f:d3fend-id "D3-CI" ; d3f:definition "Configuration inventory identifies and records the configuration of software and hardware and their components throughout the organization." ; d3f:inventories d3f:ConfigurationResource ; d3f:kb-article """## How it works The organization retrieves configuration information through means of SNMP (MIB records), WBEM (CIM records), other protocols, or custom scripts and captures that information in a repository, typically known as a Configuration Management Database (CMDB).\"""" ; d3f:kb-reference d3f:Reference-Web-BasedEnterpriseManagement, d3f:Reference-Windows-Management-Infrastructure, d3f:Reference-Windows-Management-Instrumentation . d3f:ConfigurationManagementDatabase a owl:Class ; rdfs:label "Configuration Management Database" ; rdfs:subClassOf d3f:ConfigurationDatabase ; rdfs:isDefinedBy ; d3f:definition "A database used to store configuration records throughout their lifecycle. The Configuration Management System (CMS) maintains one or more CMDBs, and each CMDB stores attributes of configuration items (CIs), and relationships with other CIs." ; rdfs:seeAlso , , . d3f:ConfigurationModificationEvent a owl:Class ; rdfs:label "Configuration Modification Event" ; rdfs:subClassOf d3f:ConfigurationEvent ; d3f:definition "An event that changes the persisted state of configuration resources by adding, updating, or removing parameters, impacting the target component's behavior." . d3f:ConfigurationResource a owl:Class, owl:NamedIndividual ; rdfs:label "Configuration Resource" ; rdfs:subClassOf d3f:Resource ; d3f:definition "A resource used to configure a system including software and hardware." . d3f:ConnectedHoneynet a d3f:ConnectedHoneynet, owl:Class, owl:NamedIndividual ; rdfs:label "Connected Honeynet" ; rdfs:subClassOf d3f:DecoyEnvironment, [ a owl:Restriction ; owl:onProperty d3f:spoofs ; owl:someValuesFrom d3f:LocalAreaNetwork ] ; d3f:d3fend-id "D3-CHN" ; d3f:definition "A decoy service, system, or environment, that is connected to the enterprise network, and simulates or emulates certain functionality to the network, without exposing full access to a production system." ; d3f:kb-article """## How it works Decoy honeypots are deployed within the enterprise environment that emulate certain services or portions of an OS to attract attackers. ## Considerations A connected honeynet provides a tradeoff between emulating certain functionality but not being as sophisticated as an integrated honeynet. The connected honeynet may not provide enough functionality to detect new attack patterns or zero day exploits but could provide enough functionality for specific known vulnerabilities.""" ; d3f:kb-reference d3f:Reference-ModificationOfAServerToMimicADeceptionMechanism_AcalvioTechnologiesInc ; d3f:spoofs d3f:LocalAreaNetwork . d3f:ConnectionAttemptAnalysis a d3f:ConnectionAttemptAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Connection Attempt Analysis" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:IntranetNetworkTraffic ] ; d3f:analyzes d3f:IntranetNetworkTraffic ; d3f:d3fend-id "D3-CAA" ; d3f:definition "Analyzing failed connections in a network to detect unauthorized activity." ; d3f:kb-article """## How it works Connection Attempt Analysis in multiple ways. ### Monitoring traffic to unallocated IP space One approach looks for failed connection attempts against unallocated IP space. First, network traffic is captured to map out the network to identify network assets as well as unallocated IP space. The map is then used to determine if connection attempts are being made to the unallocated IP space. ### Monitoring for sequentially transmitted traffic Another approach passively inspects network traffic with application protocol analyzers observing network activity characteristics such as volume of packets sent/ received, TCP session attributes, and connection information between hosts (start time, source/destination host, services, etc.). Then using pattern matching to identify traffic which appears to be probing for network hosts. ## Considerations * Implementations that rely on analysis of unallocated IP address space increase in their complexity with network size and decentralized network infrastructure. * Inventory of unallocated IP space should should be continuously updated to mitigate the risk of false positives. * IPv6 also introduces challenges including IPv6 traffic bypassing IPv4 specific protection systems (ex. firewalls and IDS) and complexity in managing both IPv6 and IPv4 addresses.""" ; d3f:kb-reference d3f:Reference-DetectingNetworkReconnaissanceByTrackingIntranetDark-netCommunications_VECTRANETWORKSInc ; d3f:synonym "Network Scan Detection" . d3f:ConnectSocket a owl:Class, owl:NamedIndividual ; rdfs:label "Connect Socket" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:connects ; owl:someValuesFrom d3f:Pipe ] ; d3f:connects d3f:Pipe ; d3f:definition "The connect socket system call connects the socket to a target address." ; rdfs:seeAlso . d3f:ConsoleOutputFunction a owl:Class ; rdfs:label "Console Output Function" ; rdfs:subClassOf d3f:Subroutine ; d3f:definition "Outputs characters to a computer console." . d3f:ContainerBuildTool a owl:Class ; rdfs:label "Container Build Tool" ; rdfs:subClassOf d3f:SoftwarePackagingTool ; d3f:definition "A software build tool that creates a container (e.g., Docker container) for deployment." . d3f:ContainerImage a owl:Class, owl:NamedIndividual ; rdfs:label "Container Image" ; rdfs:subClassOf d3f:ComputingImage, d3f:SoftwarePackage ; rdfs:isDefinedBy ; d3f:definition """A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings. Container images become containers at runtime and in the case of Docker containers - images become containers when they run on Docker Engine. Available for both Linux and Windows-based applications, containerized software will always run the same, regardless of the infrastructure. Containers isolate software from its environment and ensure that it works uniformly despite differences for instance between development and staging.""" ; rdfs:seeAlso . d3f:ContainerImageAnalysis a d3f:ContainerImageAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Container Image Analysis" ; rdfs:subClassOf d3f:AssetVulnerabilityEnumeration, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:ContainerImage ] ; d3f:analyzes d3f:ContainerImage ; d3f:d3fend-id "D3-CIA" ; d3f:definition "Analyzing a Container Image with respect to a set of policies." ; d3f:kb-article """## How it works Container images are standalone collections of the executable code and content that are used to populate a container environment. They are usually created by either building a container from scratch or by building on top of an existing image pulled from a repository. Throughout the container build workflow, images should be scanned to identify: - outdated libraries, - known vulnerabilities, - or misconfigurations, such as insecure ports or permissions. Scanning should also provide the flexibility to disregard false positives for vulnerability detection where knowledgeable cybersecurity professionals have deemed alerts to be inaccurate. One approach to implementing image scanning is to use an admission controller to block deployments if the image does not comply with the organization's security policies. An admission controller is a Container Orchestration feature that can intercept and process requests to the Container Orchestration API prior to persistence of the object, but after the request is authenticated and authorized. A webhook can be implemented to scan any image before it is deployed in the orchestrator. This admission controller ## Considerations * Image scanning is key to ensuring deployed containers are secure. * Using trusted repositories to build containers is a critical part of the container build workflow. * This technique does not necessarly prevent the build process to add insecure or unsecured files to the Image. """ ; d3f:kb-reference d3f:Reference-ContainerImageAnalysis ; d3f:synonym "Container Image Scanning" . d3f:ContainerOrchestrationSoftware a owl:Class, owl:NamedIndividual ; rdfs:label "Container Orchestration Software" ; rdfs:subClassOf d3f:ServiceApplication, [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:ContainerProcess ] ; d3f:definition "A d3f:Software which manages and coordinates running one or more d3f:ContainerProcess." ; d3f:manages d3f:ContainerProcess . d3f:ContainerProcess a owl:Class, owl:NamedIndividual ; rdfs:label "Container Process" ; rdfs:subClassOf d3f:ApplicationProcess ; d3f:definition "A running instance of a container image." ; rdfs:seeAlso d3f:ContainerImage, . d3f:ContainerRuntime a owl:Class, owl:NamedIndividual ; rdfs:label "Container Runtime" ; rdfs:subClassOf d3f:ServiceApplication, [ a owl:Restriction ; owl:onProperty d3f:runs ; owl:someValuesFrom d3f:ContainerImage ] ; d3f:definition "A software layer between a container process and a kernel which often mediates the invocation of a system call." ; d3f:runs d3f:ContainerImage ; rdfs:seeAlso d3f:ContainerProcess, d3f:Kernel, d3f:SystemCall . d3f:ContentExcision a d3f:ContentExcision, owl:Class, owl:NamedIndividual ; rdfs:label "Content Excision" ; rdfs:subClassOf d3f:ContentModification ; d3f:d3fend-id "D3-CNE" ; d3f:definition "Removing specific, potentially malicious, parts of content" ; d3f:kb-article """## How it works If malicious or unecessary elements is discovered within the content, or if a specific embedded portion does not comply with policy, it may be removed to ensure safety.""" ; d3f:kb-reference d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc . d3f:ContentFiltering a d3f:ContentFiltering, owl:Class, owl:NamedIndividual ; rdfs:label "Content Filtering" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Isolate ], [ a owl:Restriction ; owl:onProperty d3f:enforces ; owl:someValuesFrom d3f:ContentPolicy ], [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:File ] ; d3f:d3fend-id "D3-CF" ; d3f:definition "Content Filtering techniques aid in the process of analyzing an input file for malicious or erroneous content and outputing a sanitized version." ; d3f:enables d3f:Isolate ; d3f:enforces d3f:ContentPolicy ; d3f:filters d3f:File ; d3f:kb-reference d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc . d3f:ContentFormatConversion a d3f:ContentFormatConversion, owl:Class, owl:NamedIndividual ; rdfs:label "Content Format Conversion" ; rdfs:subClassOf d3f:ContentModification ; d3f:d3fend-id "D3-CFC" ; d3f:definition "Content format conversion is mechanical transformation from one format to another which may be normalization or specifically flattening." ; d3f:kb-article """## How it works This technique may enhance security by transforming files into safer or normalized formats.""" ; d3f:kb-reference d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc . d3f:ContentModification a d3f:ContentModification, owl:Class, owl:NamedIndividual ; rdfs:label "Content Modification" ; rdfs:subClassOf d3f:ContentFiltering, [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:DigitalMedia ], [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:FileContentBlock ], [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:FileMetadata ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:File ] ; d3f:d3fend-id "D3-CM" ; d3f:definition "Modify content that does not comply with policy." ; d3f:filters d3f:DigitalMedia, d3f:FileContentBlock, d3f:FileMetadata ; d3f:kb-article """## How it works When content is found to not comply with it's content policy, it may be transformed to a safer state by modifying it.""" ; d3f:kb-reference d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc ; d3f:modifies d3f:File . d3f:ContentPolicy a owl:Class, owl:NamedIndividual ; rdfs:label "Content Policy" ; rdfs:subClassOf d3f:DigitalInformationBearer ; d3f:definition "A set of rules and guidelines that dictate the acceptable use, distribution, and management of digital content within a system or platform. It defines what content is allowed, restricted, or prohibited, ensuring compliance with legal, ethical, and organizational standards." . d3f:ContentQuarantine a d3f:ContentQuarantine, owl:Class, owl:NamedIndividual ; rdfs:label "Content Quarantine" ; rdfs:subClassOf d3f:ContentFiltering, [ a owl:Restriction ; owl:onProperty d3f:quarantines ; owl:someValuesFrom d3f:DatabaseRecord ], [ a owl:Restriction ; owl:onProperty d3f:quarantines ; owl:someValuesFrom d3f:File ] ; d3f:d3fend-id "D3-CQ" ; d3f:definition "Transfer content that does not comply with policy to a quarantine zone." ; d3f:kb-article """## How it works Quarantining serves as a protective measure to isolate potentially harmful files or elements until they can be safely analyzed or processed.""" ; d3f:kb-reference d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc ; d3f:quarantines d3f:DatabaseRecord, d3f:File . d3f:ContentRebuild a d3f:ContentRebuild, owl:Class, owl:NamedIndividual ; rdfs:label "Content Rebuild" ; rdfs:subClassOf d3f:ContentModification ; d3f:d3fend-id "D3-CNR" ; d3f:definition "Rebuild the file according to the spec so any unreferenced components or objects are removed." ; d3f:kb-article """## How it works If inputted content is divided up into components for further scrutiny, the components may be combined back afterwards in a safer state.""" ; d3f:kb-reference d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc ; d3f:synonym "Content Reconstruction" . d3f:ContentSubstitution a d3f:ContentSubstitution, owl:Class, owl:NamedIndividual ; rdfs:label "Content Substitution" ; rdfs:subClassOf d3f:ContentModification ; d3f:d3fend-id "D3-CNS" ; d3f:definition "Modifies specific digital content information by replacing it with something else." ; d3f:kb-article """## How it works If malicious or unecessary elements is discovered within the content, or if a specific embedded portion does not comply with policy, it may be replaced with alternatives to ensure safety.""" ; d3f:kb-reference d3f:Reference-MethodForContentDisarmandReconstruction_OPSWATInc . d3f:ContentValidation a d3f:ContentValidation, owl:Class, owl:NamedIndividual ; rdfs:label "Content Validation" ; rdfs:subClassOf d3f:ContentFiltering ; d3f:d3fend-id "D3-CV" ; d3f:definition "Verify and validate contents complies with policy" ; d3f:kb-article """## How it works To ensure that content is safe, it's composition must be validated according to its content policy.""" ; d3f:kb-reference d3f:Reference-FileSecurityUsingFileFormatValidation_OPSWATInc . d3f:ControlCatalog a owl:Class ; rdfs:label "Control Catalog" ; rdfs:subClassOf d3f:ExternalControlThing, [ a owl:Restriction ; owl:onProperty d3f:has-member ; owl:someValuesFrom d3f:ExternalControl ], [ a owl:Restriction ; owl:onProperty d3f:version ; owl:someValuesFrom [ a rdfs:Datatype ; owl:unionOf ( xsd:integer xsd:string ) ] ] ; d3f:definition "A control catalog is a complete list of protective measures for systems, organizations, or individuals for subject domains (e.g., security and privacy.)" ; rdfs:seeAlso . d3f:ControlCorrelationIdentifierCatalog a owl:Class ; rdfs:label "Control Correlation Identifier Catalog" ; rdfs:subClassOf d3f:ControlCatalog, [ a owl:Restriction ; owl:onProperty d3f:has-member ; owl:someValuesFrom d3f:CCIControl ] ; d3f:definition "A control correlation identifier (CCI) catalog provides a catalog of CCIs for a given release date." ; rdfs:seeAlso . d3f:ControlFlowGraph a owl:Class, owl:NamedIndividual ; rdfs:label "Control Flow Graph" ; rdfs:subClassOf d3f:DigitalInformation ; d3f:definition "A control flow graph is a representation of all possible control flow transfers within a program, typically computed at compile-time or link-time, including calls, jumps, and returns. The control flow graph can be used to compute a control flow policy that permits only the expected control flow transfers during process execution via control flow integrity mechanisms." . d3f:ControlFlowIntegrity a d3f:ControlFlowIntegrity, owl:Class, owl:NamedIndividual ; rdfs:label "Control Flow Integrity" ; rdfs:subClassOf d3f:ApplicationHardening, [ a owl:Restriction ; owl:onProperty d3f:enforces ; owl:someValuesFrom d3f:ControlFlowPolicy ], [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:CallStack ], [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:ShadowStack ], [ a owl:Restriction ; owl:onProperty d3f:validates ; owl:someValuesFrom d3f:ControlFlowGraph ], [ a owl:Restriction ; owl:onProperty d3f:validates ; owl:someValuesFrom d3f:MemoryAddress ] ; d3f:d3fend-id "D3-CFI" ; d3f:definition "Enforcing legal control flow transfers during application process execution." ; d3f:enforces d3f:ControlFlowPolicy ; d3f:kb-article """## How it works Control flow integrity (CFI) restricts the destinations of control flow transfer instructions---particularly indirect function branches such as indirect function calls, jumps, and returns---such that execution can only proceed along paths determined to be valid at compile-time or load-time. CFI is typically implemented by instrumenting a program during compilation or binary rewriting. A control flow graph is constructed that defines the legitimate targets for each indirect control flow transfer. At runtime, before an indirect branch is taken, a check is performed to ensure that the target address is a member of the allowed target set. If the check fails, a defensive response such as process termination or exception handling is triggered. Implementations vary in granularity and enforcement mechanism: - Compiler-based CFI inserts runtime checks that validate indirect call targets against type or signature-based constraints. - Operating system–assisted CFI maintains a bitmap or table of valid indirect call targets and verifies them at runtime before allowing execution to continue. - Hardware-assisted CFI enforces control flow integrity using architectural features such as shadow stacks and specific CPU instructions. By preventing execution from jumping to attacker-controlled or unintended code locations, CFI mitigates a wide range of exploitation techniques, including return-oriented programming (ROP), jump-oriented programming (JOP), and function pointer overwrite attacks. ## Considerations While control flow integrity significantly raises the bar for control flow hijacking attacks, several considerations affect its effectiveness: - Granularity trade-offs: coarse-grained CFI allows larger target sets and may permit some unintended control flow paths, while fine-grained CFI offers stronger guarantees at the cost of performance and complexity. - Performance overhead: runtime checks or hardware enforcement may introduce execution overhead, particularly in applications with frequent indirect branches. - Compatibility limitations: some legacy code patterns, dynamic code generation, or just-in-time (JIT) compilation workflows may require special handling or reduced CFI enforcement. - Data-only attacks: CFI does not prevent attacks that manipulate program behavior without altering control flow, such as logic corruption or data-oriented programming. - Bypass techniques: if an attacker can redirect execution to a valid but unintended target within the allowed control flow graph, exploitation may still be possible. CFI is most effective when combined with complementary defenses such as stack canaries, memory safety checks, address space layout randomization (ASLR), and hardware-backed memory protections.""" ; d3f:kb-reference d3f:Reference-IntelControlEnforcementTechnology, d3f:Reference-LLVMControlFlowIntegrity, d3f:Reference-MicrosoftControlFlowGuard ; d3f:monitors d3f:CallStack, d3f:ShadowStack ; d3f:validates d3f:ControlFlowGraph, d3f:MemoryAddress . d3f:ControlFlowPolicy a owl:Class, owl:NamedIndividual ; rdfs:label "Control Flow Policy" ; rdfs:subClassOf d3f:ControlFlowGraph ; d3f:definition "A control flow policy is a subset of the possible control flow transfers computed from a program's control flow graph. It defines only the expected and allowed control flow transfers and is enforced by control flow integrity." . d3f:ConvolutionalNeuralNetwork a owl:Class, owl:NamedIndividual ; rdfs:label "Convolutional Neural Network" ; rdfs:subClassOf d3f:DeepNeuralNetClassification ; d3f:d3fend-id "D3A-CNN" ; d3f:definition "A class of artificial neural network most commonly applied to analyze visual imagery.CNNs use a mathematical operation called convolution in place of general matrix multiplication in at least one of their layers." ; d3f:kb-article """## References Wikipedia. (n.d.). Convolutional neural network. [Link](https://en.wikipedia.org/wiki/Convolutional_neural_network)""" . d3f:CopyMemoryFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Copy Memory Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:copies ; owl:someValuesFrom d3f:MemoryBlock ] ; d3f:copies d3f:MemoryBlock ; d3f:definition "Copies a memory block from one location to another." . d3f:CopyToken a d3f:SystemCall, owl:Class, owl:NamedIndividual ; rdfs:label "Copy Token" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:copies ; owl:someValuesFrom d3f:AccessToken ] ; d3f:copies d3f:AccessToken . d3f:Correlation a owl:Class, owl:NamedIndividual ; rdfs:label "Correlation" ; rdfs:subClassOf d3f:DescriptiveStatistics ; d3f:d3fend-id "D3A-COR" ; d3f:definition "Correlation is the degree to which two or more quantities are linearly associated." ; d3f:kb-article "Wolfram MathWorld. (n.d.). Correlation. [Link](https://mathworld.wolfram.com/Correlation.html)" . d3f:CorrelationClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Correlation Clustering" ; rdfs:subClassOf d3f:High-dimensionClustering ; d3f:d3fend-id "D3A-CC" ; d3f:definition "Correlation clustering provides a method for clustering a set of objects into the optimum number of clusters without specifying that number in advance." ; d3f:kb-article """## References Wikipedia. (n.d.). Correlation clustering. [Link](https://en.wikipedia.org/wiki/Correlation_clustering)""" . d3f:CramersV a owl:Class, owl:NamedIndividual ; rdfs:label "Cramer's V" ; rdfs:subClassOf d3f:Correlation ; d3f:d3fend-id "D3A-CV" ; d3f:definition "Cramér's V (sometimes referred to as Cramér's phi and denoted as φc) is a measure of association between two nominal variables, giving a value between 0 and +1 (inclusive) and is based on Pearson's chi-squared statistic." ; d3f:kb-article """## References Wikipedia. (n.d.). Cramér's V. [Link](https://en.wikipedia.org/wiki/Cram%C3%A9r%27s_V)""" ; d3f:synonym "Cramer's Phi" . d3f:CreateFile a owl:Class, owl:NamedIndividual ; rdfs:label "Create File" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:File ] ; d3f:creates d3f:File ; d3f:definition "System call to create a new file on a file system. Some operating systems implement this functionality as part of their d3f:OpenFile system call." ; rdfs:seeAlso , , , . d3f:CreateProcess a owl:Class, owl:NamedIndividual ; rdfs:label "Create Process" ; skos:altLabel "Execute Process", "Process Spawn", "Spawn Process" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:executes ; owl:someValuesFrom d3f:Process ] ; d3f:definition "A process spawn refers to a function that loads and executes a new child process.The current process may wait for the child to terminate or may continue to execute asynchronously. Creating a new subprocess requires enough memory in which both the child process and the current program can execute. There is a family of spawn functions in DOS, inherited by Microsoft Windows. There is also a different family of spawn functions in an optional extension of the POSIX standards. Fork-exec is another technique combining two Unix system calls, which can effect a process spawn.", "Creates a process.", "Executes a process." ; d3f:executes d3f:Process ; rdfs:seeAlso , , , , , . d3f:CreateSocket a owl:Class, owl:NamedIndividual ; rdfs:label "Create Socket" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:Pipe ] ; d3f:creates d3f:Pipe ; d3f:definition "A create socket system call creates an endpoint for communication and returns a file descriptor that refers to that endpoint." ; rdfs:seeAlso . d3f:CreateThread a owl:Class, owl:NamedIndividual ; rdfs:label "Create Thread" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:Thread ] ; d3f:creates d3f:Thread ; d3f:definition "Threads are an execution model that exists independently from a language, as well as a parallel execution model. They enable a program to control multiple different flows of work that overlap in time." ; rdfs:seeAlso , . d3f:Credential a owl:Class, owl:NamedIndividual ; rdfs:label "Credential" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:UserAccount ] ; rdfs:isDefinedBy ; d3f:authenticates d3f:UserAccount ; d3f:definition "A credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being that enables an individual access to a given physical facility or computer-based information system. Typically, credentials can be something a person knows (such as a number or PIN), something they have (such as an access badge), something they are (such as a biometric feature), something they do (measurable behavioral patterns) or some combination of these items. This is known as multi-factor authentication. The typical credential is an access card or key-fob, and newer software can also turn users' smartphones into access devices." ; rdfs:seeAlso . d3f:CredentialAccessTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Credential Access Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:Credential ], [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0006 ], [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:PasswordFile ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:CreateProcess ] ; d3f:accesses d3f:Credential ; d3f:enables d3f:TA0006 ; d3f:may-access d3f:PasswordFile ; d3f:may-invoke d3f:CreateProcess . d3f:CredentialCompromiseScopeAnalysis a d3f:CredentialCompromiseScopeAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Credential Compromise Scope Analysis" ; rdfs:subClassOf d3f:UserBehaviorAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Credential ] ; d3f:analyzes d3f:Credential ; d3f:d3fend-id "D3-CCSA" ; d3f:definition "Determining which credentials may have been compromised by analyzing the user logon history of a particular system." ; d3f:kb-article """## How it works #### Memory Credentials may be stored in memory for a variety of reasons; on Windows, they may be stored in lsass.exe. Once a credential dumper like mimikatz runs and dumps the memory of lsass.exe, the credentials of every account logged on since boot are potentially compromised. When such an event occurs, this analytic will give the forensic context to identify compromised users. Those users could potentially be used in later events for additional logons. #### Hard disk Operating System may cache a certain number of credentials onto the hard disk to use as a source of truth if it cannot contact the credential server. In many versions of Microsoft Windows, the 10 most recent are cached by default; this setting can be changed in the Microsoft Management Console's Local Security Policy: ```Computer Configuration -> Windows Settings -> Local Policy -> Security Options -> Interactive Logon: Number of previous logons to cache -> 0``` Here we are not concerned with the alteration of the credentials but the fact that they might be read. If the attacker has physical access to the machine they are unlikely to be stopped from reading files on the filesystem. "In the event that the domain controller is unavailable Windows will check the last password hashes that has been cached in order to authenticate the user with the system. These password hashes are cached in the following registry setting: HKEY_LOCAL_MACHINE\\SECURITY\\Cache Mimikatz can retrieve these hashes if the following command is executed: lsadump::cache" [1] The Registry Hive, HKEY_LOCAL_MACHINE\\SAM, which is stored in the supporting files %systemroot%\\System32\\Config\\{Sam,sam.log,sam.sav}, contains the SAM file. DC: This is stored in %systemroot%\\ntds\\ntds.dit. (https://www.ultimatewindowssecurity.com/blog/default.aspx?d=10/2017) Sometimes memory, which contains credentials, could get on the hard disk. Like with hiberfil.sys in Windows. Equivalent on Linux In Linux, an attacker could read the /etc/shadow file. Reading from /proc directory: mimipenguin, many others. ## Considerations Effective implementation requires identifying any location that could end up containing credentials, and detecting an method of potential access to a source of credential data. 1. https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5""" ; d3f:kb-reference d3f:Reference-AllLoginsSinceLastBoot_MITRE, d3f:Reference-SystemsAndMethodsForDetectingCredentialTheft_SymantecCorp . d3f:CredentialEviction a d3f:CredentialEviction, owl:Class, owl:NamedIndividual ; rdfs:label "Credential Eviction" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Evict ] ; d3f:d3fend-id "D3-CE" ; d3f:definition "Credential Eviction techniques disable or remove compromised credentials from a computer network." ; d3f:enables d3f:Evict ; d3f:kb-reference d3f:Reference-AccountMonitoring_ForescoutTechnologies . d3f:CredentialHardening a d3f:CredentialHardening, owl:Class, owl:NamedIndividual ; rdfs:label "Credential Hardening" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Harden ], [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:Credential ] ; d3f:d3fend-id "D3-CH" ; d3f:definition "Credential Hardening techniques modify system or network properties in order to protect system or network/domain credentials." ; d3f:enables d3f:Harden ; d3f:hardens d3f:Credential . d3f:CredentialManagementSystem a owl:Class, owl:NamedIndividual ; rdfs:label "Credential Management System" ; rdfs:subClassOf d3f:ServiceApplication, [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:Credential ] ; rdfs:isDefinedBy ; d3f:definition "Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI)." ; d3f:manages d3f:Credential . d3f:CredentialRevocation a d3f:CredentialRevocation, owl:Class, owl:NamedIndividual ; rdfs:label "Credential Revocation" ; rdfs:subClassOf d3f:CredentialEviction, [ a owl:Restriction ; owl:onProperty d3f:deletes ; owl:someValuesFrom d3f:Credential ] ; d3f:d3fend-id "D3-CR" ; d3f:definition "Deleting a set of credentials permanently to prevent them from being used to authenticate." ; d3f:deletes d3f:Credential ; d3f:kb-article """## How it works Management servers with enterprise policies for account management provide the ability remove permissions, accounts, or credentials. Compromised credentials should be revoked to prevent further malicious activity.""" ; d3f:kb-reference d3f:Reference-RevokingaPreviouslyIssuedVerifiableCredential-Microsoft . d3f:CredentialRotation a d3f:CredentialRotation, owl:Class, owl:NamedIndividual ; rdfs:label "Credential Rotation" ; rdfs:subClassOf d3f:CredentialHardening, [ a owl:Restriction ; owl:onProperty d3f:regenerates ; owl:someValuesFrom d3f:Credential ] ; d3f:d3fend-id "D3-CRO" ; d3f:definition "Credential rotation is a security procedure in which authentication credentials, such as passwords, API keys, or certificates, are regularly changed or replaced to minimize the risk of unauthorized access." ; d3f:kb-article """## How it works Credentials can be systematically changed at predetermined intervals or based on specific events. Credentials such as user passwords may be rotated manually, but it is increasingly common to use an automated system to manage rotation of enterprise passwords, certificates and keys. ## Considerations - Rotation of credentials must be managed carefully to avoid inadvertent service interruption - Management servers with enterprise policies for account management provide the ability to change or reset passwords for accounts. Some organizations rotate credentials periodically to limit the risk of stolen credentials. - When responding to an incident, severity of compromise should be considered to determine what credentials to what accounts should be regenerated - If proactively rotating credentials periodically, several factors should be considered to determine the frequency. Also introduces some risk including promoting the creation of weak passwords and poor storage practices for employees and presents challenges in proper tracking.""" ; d3f:kb-reference d3f:Reference-PasswordandKeyRotation-SSH, ; d3f:regenerates d3f:Credential ; rdfs:seeAlso . d3f:CredentialScrubbing a d3f:CredentialScrubbing, owl:Class, owl:NamedIndividual ; rdfs:label "Credential Scrubbing" ; rdfs:subClassOf d3f:SourceCodeHardening, [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:Subroutine ] ; d3f:d3fend-id "D3-CS" ; d3f:definition "The systematic removal of hard-coded credentials from source code to prevent accidental exposure and unauthorized access." ; d3f:hardens d3f:Subroutine ; d3f:kb-article """## How it Works Credential Scrubbing involves identifying and eliminating hard-coded credentials such as usernames, passwords, API keys, and tokens from source code repositories. These credentials should be managed securely using environment variables, secret management tools, or secure vaults where they can be safely accessed when needed. ## Considerations * Developers should conduct regular audits of source code to ensure credentials are not hard-coded. * Exposed credentials found in version control history must be disabled and replaced promptly. * Adopt role-based access controls and credential rotation policies to minimize security risks.""" ; d3f:kb-reference d3f:Reference-SecretsManagementCheatSheet-OWASP ; rdfs:seeAlso d3f:CWE-798, . d3f:CredentialTransmissionScoping a d3f:CredentialTransmissionScoping, owl:Class, owl:NamedIndividual ; rdfs:label "Credential Transmission Scoping" ; rdfs:subClassOf d3f:AccessMediation, [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:Credential ] ; d3f:d3fend-id "D3-CTS" ; d3f:definition "Limiting the transmission of a credential to a scoped set of relying parties." ; d3f:isolates d3f:Credential ; d3f:kb-reference d3f:Reference-WebAuthentication_AnAPIForAccessingPublicKeyCredentialsLevel2 ; d3f:synonym "Phishing Resistant Authentication" ; rdfs:seeAlso , . d3f:CryptographicKey a owl:Class, owl:NamedIndividual ; rdfs:label "Cryptographic Key" ; rdfs:subClassOf d3f:DigitalInformation ; rdfs:isDefinedBy ; d3f:definition "In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm. For encryption algorithms, a key specifies the transformation of plaintext into ciphertext, and vice versa for decryption algorithms. Keys also specify transformations in other cryptographic algorithms, such as digital signature schemes and message authentication codes." . d3f:CustomArchiveFile a owl:Class, owl:NamedIndividual ; rdfs:label "Custom Archive File" ; rdfs:subClassOf d3f:ArchiveFile ; d3f:definition "A custom archive file is an archive file conforming to a custom format; that is, an archive file that does not conform to a common standard." . d3f:CWE-5 a owl:Class ; rdfs:label "J2EE Misconfiguration: Data Transmission Without Encryption" ; rdfs:subClassOf d3f:CWE-319 ; d3f:cwe-id "CWE-5" ; d3f:definition "Information sent over a network can be compromised while in transit. An attacker may be able to read or modify the contents if the data are sent in plaintext or are weakly encrypted." . d3f:CWE-6 a owl:Class ; rdfs:label "J2EE Misconfiguration: Insufficient Session-ID Length" ; rdfs:subClassOf d3f:CWE-334 ; d3f:cwe-id "CWE-6" ; d3f:definition "The J2EE application is configured to use an insufficient session ID length." . d3f:CWE-7 a owl:Class ; rdfs:label "J2EE Misconfiguration: Missing Custom Error Page" ; rdfs:subClassOf d3f:CWE-756 ; d3f:cwe-id "CWE-7" ; d3f:definition "The default error page of a web application should not display sensitive information about the product." . d3f:CWE-8 a owl:Class ; rdfs:label "J2EE Misconfiguration: Entity Bean Declared Remote" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-8" ; d3f:definition "When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data. These methods could be leveraged to read sensitive information, or to change data in ways that violate the application's expectations, potentially leading to other vulnerabilities." . d3f:CWE-9 a owl:Class ; rdfs:label "J2EE Misconfiguration: Weak Access Permissions for EJB Methods" ; rdfs:subClassOf d3f:CWE-266 ; d3f:cwe-id "CWE-9" ; d3f:definition "If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product." . d3f:CWE-11 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Creating Debug Binary" ; rdfs:subClassOf d3f:CWE-489 ; d3f:cwe-id "CWE-11" ; d3f:definition "Debugging messages help attackers learn about the system and plan a form of attack." . d3f:CWE-12 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Missing Custom Error Page" ; rdfs:subClassOf d3f:CWE-756 ; d3f:cwe-id "CWE-12" ; d3f:definition "An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses." . d3f:CWE-13 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Password in Configuration File" ; rdfs:subClassOf d3f:CWE-260 ; d3f:cwe-id "CWE-13" ; d3f:definition "Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers." . d3f:CWE-14 a owl:Class ; rdfs:label "Compiler Removal of Code to Clear Buffers" ; rdfs:subClassOf d3f:CWE-733 ; d3f:cwe-id "CWE-14" ; d3f:definition "Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka \"dead store removal.\"" . d3f:CWE-15 a owl:Class ; rdfs:label "External Control of System or Configuration Setting" ; rdfs:subClassOf d3f:CWE-610, d3f:CWE-642 ; d3f:cwe-id "CWE-15" ; d3f:definition "One or more system settings or configuration elements can be externally controlled by a user." . d3f:CWE-20 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Input Validation" ; rdfs:subClassOf d3f:CWE-707, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ] ; d3f:cwe-id "CWE-20" ; d3f:definition "The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly." ; d3f:weakness-of d3f:UserInputFunction . d3f:CWE-22 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" ; rdfs:subClassOf d3f:CWE-668, d3f:CWE-706, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ] ; d3f:cwe-id "CWE-22" ; d3f:definition "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory." ; d3f:synonym "Directory traversal", "Path traversal" ; d3f:weakness-of d3f:UserInputFunction . d3f:CWE-23 a owl:Class ; rdfs:label "Relative Path Traversal" ; rdfs:subClassOf d3f:CWE-22 ; d3f:cwe-id "CWE-23" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as \"..\" that can resolve to a location that is outside of that directory." ; d3f:synonym "Zip Slip" . d3f:CWE-24 a owl:Class ; rdfs:label "Path Traversal: '../filedir'" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-24" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"../\" sequences that can resolve to a location that is outside of that directory." . d3f:CWE-25 a owl:Class ; rdfs:label "Path Traversal: '/../filedir'" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-25" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"/../\" sequences that can resolve to a location that is outside of that directory." . d3f:CWE-26 a owl:Class ; rdfs:label "Path Traversal: '/dir/../filename'" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-26" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"/dir/../filename\" sequences that can resolve to a location that is outside of that directory." . d3f:CWE-27 a owl:Class ; rdfs:label "Path Traversal: 'dir/../../filename'" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-27" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal \"../\" sequences that can resolve to a location that is outside of that directory." . d3f:CWE-28 a owl:Class ; rdfs:label "Path Traversal: '..\\filedir'" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-28" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize \"..\\\" sequences that can resolve to a location that is outside of that directory." . d3f:CWE-29 a owl:Class ; rdfs:label "Path Traversal: '\\..\\filename'" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-29" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\\..\\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory." . d3f:CWE-30 a owl:Class ; rdfs:label "Path Traversal: '\\dir\\..\\filename'" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-30" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\\dir\\..\\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory." . d3f:CWE-31 a owl:Class ; rdfs:label "Path Traversal: 'dir\\..\\..\\filename'" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-31" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize 'dir\\..\\..\\filename' (multiple internal backslash dot dot) sequences that can resolve to a location that is outside of that directory." . d3f:CWE-32 a owl:Class ; rdfs:label "Path Traversal: '...' (Triple Dot)" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-32" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '...' (triple dot) sequences that can resolve to a location that is outside of that directory." . d3f:CWE-33 a owl:Class ; rdfs:label "Path Traversal: '....' (Multiple Dot)" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-33" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of that directory." . d3f:CWE-34 a owl:Class ; rdfs:label "Path Traversal: '....//'" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-34" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....//' (doubled dot dot slash) sequences that can resolve to a location that is outside of that directory." . d3f:CWE-35 a owl:Class ; rdfs:label "Path Traversal: '.../...//'" ; rdfs:subClassOf d3f:CWE-23 ; d3f:cwe-id "CWE-35" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory." . d3f:CWE-36 a owl:Class ; rdfs:label "Absolute Path Traversal" ; rdfs:subClassOf d3f:CWE-22 ; d3f:cwe-id "CWE-36" ; d3f:definition "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as \"/abs/path\" that can resolve to a location that is outside of that directory." . d3f:CWE-37 a owl:Class ; rdfs:label "Path Traversal: '/absolute/pathname/here'" ; rdfs:subClassOf d3f:CWE-36, d3f:CWE-160 ; d3f:cwe-id "CWE-37" ; d3f:definition "The product accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-38 a owl:Class ; rdfs:label "Path Traversal: '\\absolute\\pathname\\here'" ; rdfs:subClassOf d3f:CWE-36 ; d3f:cwe-id "CWE-38" ; d3f:definition "The product accepts input in the form of a backslash absolute path ('\\absolute\\pathname\\here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-39 a owl:Class ; rdfs:label "Path Traversal: 'C:dirname'" ; rdfs:subClassOf d3f:CWE-36 ; d3f:cwe-id "CWE-39" ; d3f:definition "The product accepts input that contains a drive letter or Windows volume letter ('C:dirname') that potentially redirects access to an unintended location or arbitrary file." . d3f:CWE-40 a owl:Class ; rdfs:label "Path Traversal: '\\\\UNC\\share\\name\\' (Windows UNC Share)" ; rdfs:subClassOf d3f:CWE-36 ; d3f:cwe-id "CWE-40" ; d3f:definition "The product accepts input that identifies a Windows UNC share ('\\\\UNC\\share\\name') that potentially redirects access to an unintended location or arbitrary file." . d3f:CWE-41 a owl:Class ; rdfs:label "Improper Resolution of Path Equivalence" ; rdfs:subClassOf d3f:CWE-706 ; d3f:cwe-id "CWE-41" ; d3f:definition "The product is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object." . d3f:CWE-42 a owl:Class ; rdfs:label "Path Equivalence: 'filename.' (Trailing Dot)" ; rdfs:subClassOf d3f:CWE-41, d3f:CWE-162 ; d3f:cwe-id "CWE-42" ; d3f:definition "The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-43 a owl:Class ; rdfs:label "Path Equivalence: 'filename....' (Multiple Trailing Dot)" ; rdfs:subClassOf d3f:CWE-42, d3f:CWE-163 ; d3f:cwe-id "CWE-43" ; d3f:definition "The product accepts path input in the form of multiple trailing dot ('filedir....') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-44 a owl:Class ; rdfs:label "Path Equivalence: 'file.name' (Internal Dot)" ; rdfs:subClassOf d3f:CWE-41 ; d3f:cwe-id "CWE-44" ; d3f:definition "The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-45 a owl:Class ; rdfs:label "Path Equivalence: 'file...name' (Multiple Internal Dot)" ; rdfs:subClassOf d3f:CWE-44, d3f:CWE-165 ; d3f:cwe-id "CWE-45" ; d3f:definition "The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-46 a owl:Class ; rdfs:label "Path Equivalence: 'filename ' (Trailing Space)" ; rdfs:subClassOf d3f:CWE-41, d3f:CWE-162 ; d3f:cwe-id "CWE-46" ; d3f:definition "The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-47 a owl:Class ; rdfs:label "Path Equivalence: ' filename' (Leading Space)" ; rdfs:subClassOf d3f:CWE-41 ; d3f:cwe-id "CWE-47" ; d3f:definition "The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-48 a owl:Class ; rdfs:label "Path Equivalence: 'file name' (Internal Whitespace)" ; rdfs:subClassOf d3f:CWE-41 ; d3f:cwe-id "CWE-48" ; d3f:definition "The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-49 a owl:Class ; rdfs:label "Path Equivalence: 'filename/' (Trailing Slash)" ; rdfs:subClassOf d3f:CWE-41, d3f:CWE-162 ; d3f:cwe-id "CWE-49" ; d3f:definition "The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-50 a owl:Class ; rdfs:label "Path Equivalence: '//multiple/leading/slash'" ; rdfs:subClassOf d3f:CWE-41, d3f:CWE-161 ; d3f:cwe-id "CWE-50" ; d3f:definition "The product accepts path input in the form of multiple leading slash ('//multiple/leading/slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-51 a owl:Class ; rdfs:label "Path Equivalence: '/multiple//internal/slash'" ; rdfs:subClassOf d3f:CWE-41 ; d3f:cwe-id "CWE-51" ; d3f:definition "The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-52 a owl:Class ; rdfs:label "Path Equivalence: '/multiple/trailing/slash//'" ; rdfs:subClassOf d3f:CWE-41, d3f:CWE-163 ; d3f:cwe-id "CWE-52" ; d3f:definition "The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-53 a owl:Class ; rdfs:label "Path Equivalence: '\\multiple\\\\internal\\backslash'" ; rdfs:subClassOf d3f:CWE-41, d3f:CWE-165 ; d3f:cwe-id "CWE-53" ; d3f:definition "The product accepts path input in the form of multiple internal backslash ('\\multiple\\trailing\\\\slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-54 a owl:Class ; rdfs:label "Path Equivalence: 'filedir\\' (Trailing Backslash)" ; rdfs:subClassOf d3f:CWE-41, d3f:CWE-162 ; d3f:cwe-id "CWE-54" ; d3f:definition "The product accepts path input in the form of trailing backslash ('filedir\\') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-55 a owl:Class ; rdfs:label "Path Equivalence: '/./' (Single Dot Directory)" ; rdfs:subClassOf d3f:CWE-41 ; d3f:cwe-id "CWE-55" ; d3f:definition "The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-56 a owl:Class ; rdfs:label "Path Equivalence: 'filedir*' (Wildcard)" ; rdfs:subClassOf d3f:CWE-41, d3f:CWE-155 ; d3f:cwe-id "CWE-56" ; d3f:definition "The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files." . d3f:CWE-57 a owl:Class ; rdfs:label "Path Equivalence: 'fakedir/../realdir/filename'" ; rdfs:subClassOf d3f:CWE-41 ; d3f:cwe-id "CWE-57" ; d3f:definition "The product contains protection mechanisms to restrict access to 'realdir/filename', but it constructs pathnames using external input in the form of 'fakedir/../realdir/filename' that are not handled by those mechanisms. This allows attackers to perform unauthorized actions against the targeted file." . d3f:CWE-58 a owl:Class ; rdfs:label "Path Equivalence: Windows 8.3 Filename" ; rdfs:subClassOf d3f:CWE-41 ; d3f:cwe-id "CWE-58" ; d3f:definition "The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short \"8.3\" filename." . d3f:CWE-59 a owl:Class ; rdfs:label "Improper Link Resolution Before File Access ('Link Following')" ; rdfs:subClassOf d3f:CWE-706 ; d3f:cwe-id "CWE-59" ; d3f:definition "The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource." ; d3f:synonym "insecure temporary file", "Zip Slip" . d3f:CWE-61 a owl:Class ; rdfs:label "UNIX Symbolic Link (Symlink) Following" ; rdfs:subClassOf d3f:CWE-59 ; d3f:cwe-id "CWE-61" ; d3f:definition "The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files." ; d3f:synonym "Symlink following", "symlink vulnerability" . d3f:CWE-62 a owl:Class ; rdfs:label "UNIX Hard Link" ; rdfs:subClassOf d3f:CWE-59 ; d3f:cwe-id "CWE-62" ; d3f:definition "The product, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files." . d3f:CWE-64 a owl:Class ; rdfs:label "Windows Shortcut Following (.LNK)" ; rdfs:subClassOf d3f:CWE-59 ; d3f:cwe-id "CWE-64" ; d3f:definition "The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files." ; d3f:synonym "symlink", "Windows symbolic link following" . d3f:CWE-65 a owl:Class ; rdfs:label "Windows Hard Link" ; rdfs:subClassOf d3f:CWE-59 ; d3f:cwe-id "CWE-65" ; d3f:definition "The product, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files." . d3f:CWE-66 a owl:Class ; rdfs:label "Improper Handling of File Names that Identify Virtual Resources" ; rdfs:subClassOf d3f:CWE-706 ; d3f:cwe-id "CWE-66" ; d3f:definition "The product does not handle or incorrectly handles a file name that identifies a \"virtual\" resource that is not directly specified within the directory that is associated with the file name, causing the product to perform file-based operations on a resource that is not a file." . d3f:CWE-67 a owl:Class ; rdfs:label "Improper Handling of Windows Device Names" ; rdfs:subClassOf d3f:CWE-66 ; d3f:cwe-id "CWE-67" ; d3f:definition "The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file." . d3f:CWE-69 a owl:Class ; rdfs:label "Improper Handling of Windows ::DATA Alternate Data Stream" ; rdfs:subClassOf d3f:CWE-66 ; d3f:cwe-id "CWE-69" ; d3f:definition "The product does not properly prevent access to, or detect usage of, alternate data streams (ADS)." . d3f:CWE-72 a owl:Class ; rdfs:label "Improper Handling of Apple HFS+ Alternate Data Stream Path" ; rdfs:subClassOf d3f:CWE-66 ; d3f:cwe-id "CWE-72" ; d3f:definition "The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system." . d3f:CWE-73 a owl:Class ; rdfs:label "External Control of File Name or Path" ; rdfs:subClassOf d3f:CWE-610, d3f:CWE-642 ; d3f:cwe-id "CWE-73" ; d3f:definition "The product allows user input to control or influence paths or file names that are used in filesystem operations." . d3f:CWE-74 a owl:Class ; rdfs:label "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" ; rdfs:subClassOf d3f:CWE-707 ; d3f:cwe-id "CWE-74" ; d3f:definition "The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component." . d3f:CWE-75 a owl:Class ; rdfs:label "Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)" ; rdfs:subClassOf d3f:CWE-74 ; d3f:cwe-id "CWE-75" ; d3f:definition "The product does not adequately filter user-controlled input for special elements with control implications." . d3f:CWE-76 a owl:Class ; rdfs:label "Improper Neutralization of Equivalent Special Elements" ; rdfs:subClassOf d3f:CWE-75 ; d3f:cwe-id "CWE-76" ; d3f:definition "The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements." . d3f:CWE-77 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Neutralization of Special Elements used in a Command ('Command Injection')" ; rdfs:subClassOf d3f:CWE-74, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ] ; d3f:cwe-id "CWE-77" ; d3f:definition "The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component." ; d3f:synonym "Command injection" ; d3f:weakness-of d3f:UserInputFunction . d3f:CWE-78 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" ; rdfs:subClassOf d3f:CWE-77, [ a owl:Restriction ; owl:onProperty d3f:may-be-weakness-of ; owl:someValuesFrom d3f:EvalFunction ], [ a owl:Restriction ; owl:onProperty d3f:may-be-weakness-of ; owl:someValuesFrom d3f:ProcessStartFunction ], [ a owl:Restriction ; owl:onProperty d3f:may-be-weakness-of ; owl:someValuesFrom d3f:UserInputFunction ] ; d3f:cwe-id "CWE-78" ; d3f:definition "The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component." ; d3f:may-be-weakness-of d3f:EvalFunction, d3f:ProcessStartFunction, d3f:UserInputFunction ; d3f:synonym "OS Command Injection", "Shell injection", "Shell metacharacters" . d3f:CWE-79 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" ; rdfs:subClassOf d3f:CWE-74, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ] ; d3f:cwe-id "CWE-79" ; d3f:definition "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users." ; d3f:synonym "CSS", "DOM-Based XSS / Type 0 XSS", "HTML Injection", "Reflected XSS / Non-Persistent XSS / Type 1 XSS", "Stored XSS / Persistent XSS / Type 2 XSS", "XSS" ; d3f:weakness-of d3f:UserInputFunction . d3f:CWE-80 a owl:Class ; rdfs:label "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" ; rdfs:subClassOf d3f:CWE-79 ; d3f:cwe-id "CWE-80" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as \"<\", \">\", and \"&\" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages." . d3f:CWE-81 a owl:Class ; rdfs:label "Improper Neutralization of Script in an Error Message Web Page" ; rdfs:subClassOf d3f:CWE-79 ; d3f:cwe-id "CWE-81" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters that could be interpreted as web-scripting elements when they are sent to an error page." . d3f:CWE-82 a owl:Class ; rdfs:label "Improper Neutralization of Script in Attributes of IMG Tags in a Web Page" ; rdfs:subClassOf d3f:CWE-83 ; d3f:cwe-id "CWE-82" ; d3f:definition "The web application does not neutralize or incorrectly neutralizes scripting elements within attributes of HTML IMG tags, such as the src attribute." . d3f:CWE-83 a owl:Class ; rdfs:label "Improper Neutralization of Script in Attributes in a Web Page" ; rdfs:subClassOf d3f:CWE-79 ; d3f:cwe-id "CWE-83" ; d3f:definition "The product does not neutralize or incorrectly neutralizes \"javascript:\" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style." . d3f:CWE-84 a owl:Class ; rdfs:label "Improper Neutralization of Encoded URI Schemes in a Web Page" ; rdfs:subClassOf d3f:CWE-79 ; d3f:cwe-id "CWE-84" ; d3f:definition "The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings." . d3f:CWE-85 a owl:Class ; rdfs:label "Doubled Character XSS Manipulations" ; rdfs:subClassOf d3f:CWE-79 ; d3f:cwe-id "CWE-85" ; d3f:definition "The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters." . d3f:CWE-86 a owl:Class ; rdfs:label "Improper Neutralization of Invalid Characters in Identifiers in Web Pages" ; rdfs:subClassOf d3f:CWE-79, d3f:CWE-436 ; d3f:cwe-id "CWE-86" ; d3f:definition "The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers." . d3f:CWE-87 a owl:Class ; rdfs:label "Improper Neutralization of Alternate XSS Syntax" ; rdfs:subClassOf d3f:CWE-79 ; d3f:cwe-id "CWE-87" ; d3f:definition "The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax." . d3f:CWE-88 a owl:Class ; rdfs:label "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')" ; rdfs:subClassOf d3f:CWE-77 ; d3f:cwe-id "CWE-88" ; d3f:definition "The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string." . d3f:CWE-89 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" ; rdfs:subClassOf d3f:CWE-943, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ] ; d3f:cwe-id "CWE-89" ; d3f:definition "The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data." ; d3f:synonym "SQL injection", "SQLi" ; d3f:weakness-of d3f:UserInputFunction . d3f:CWE-90 a owl:Class ; rdfs:label "Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')" ; rdfs:subClassOf d3f:CWE-943 ; d3f:cwe-id "CWE-90" ; d3f:definition "The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component." . d3f:CWE-91 a owl:Class ; rdfs:label "XML Injection (aka Blind XPath Injection)" ; rdfs:subClassOf d3f:CWE-74 ; d3f:cwe-id "CWE-91" ; d3f:definition "The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system." . d3f:CWE-93 a owl:Class ; rdfs:label "Improper Neutralization of CRLF Sequences ('CRLF Injection')" ; rdfs:subClassOf d3f:CWE-74 ; d3f:cwe-id "CWE-93" ; d3f:definition "The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs." . d3f:CWE-94 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Control of Generation of Code ('Code Injection')" ; rdfs:subClassOf d3f:CWE-74, d3f:CWE-913, [ a owl:Restriction ; owl:onProperty d3f:may-be-weakness-of ; owl:someValuesFrom d3f:EvalFunction ], [ a owl:Restriction ; owl:onProperty d3f:may-be-weakness-of ; owl:someValuesFrom d3f:UserInputFunction ] ; d3f:cwe-id "CWE-94" ; d3f:definition "The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment." ; d3f:may-be-weakness-of d3f:EvalFunction, d3f:UserInputFunction ; d3f:synonym "Code Injection" . d3f:CWE-95 a owl:Class ; rdfs:label "Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" ; rdfs:subClassOf d3f:CWE-94 ; d3f:cwe-id "CWE-95" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. \"eval\")." . d3f:CWE-96 a owl:Class ; rdfs:label "Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')" ; rdfs:subClassOf d3f:CWE-94 ; d3f:cwe-id "CWE-96" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template." . d3f:CWE-97 a owl:Class ; rdfs:label "Improper Neutralization of Server-Side Includes (SSI) Within a Web Page" ; rdfs:subClassOf d3f:CWE-96 ; d3f:cwe-id "CWE-97" ; d3f:definition "The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-side include (SSI) directive." . d3f:CWE-98 a owl:Class ; rdfs:label "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')" ; rdfs:subClassOf d3f:CWE-706, d3f:CWE-829 ; d3f:cwe-id "CWE-98" ; d3f:definition "The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in \"require,\" \"include,\" or similar functions." ; d3f:synonym "Local file inclusion", "Remote file include", "RFI" . d3f:CWE-99 a owl:Class ; rdfs:label "Improper Control of Resource Identifiers ('Resource Injection')" ; rdfs:subClassOf d3f:CWE-74 ; d3f:cwe-id "CWE-99" ; d3f:definition "The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control." ; d3f:synonym "Insecure Direct Object Reference" . d3f:CWE-102 a owl:Class ; rdfs:label "Struts: Duplicate Validation Forms" ; rdfs:subClassOf d3f:CWE-694, d3f:CWE-1173 ; d3f:cwe-id "CWE-102" ; d3f:definition "The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not expect." . d3f:CWE-103 a owl:Class ; rdfs:label "Struts: Incomplete validate() Method Definition" ; rdfs:subClassOf d3f:CWE-573 ; d3f:cwe-id "CWE-103" ; d3f:definition "The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate()." . d3f:CWE-104 a owl:Class ; rdfs:label "Struts: Form Bean Does Not Extend Validation Class" ; rdfs:subClassOf d3f:CWE-573 ; d3f:cwe-id "CWE-104" ; d3f:definition "If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation." . d3f:CWE-105 a owl:Class ; rdfs:label "Struts: Form Field Without Validator" ; rdfs:subClassOf d3f:CWE-1173 ; d3f:cwe-id "CWE-105" ; d3f:definition "The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation." . d3f:CWE-106 a owl:Class ; rdfs:label "Struts: Plug-in Framework not in Use" ; rdfs:subClassOf d3f:CWE-1173 ; d3f:cwe-id "CWE-106" ; d3f:definition "When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation." . d3f:CWE-107 a owl:Class ; rdfs:label "Struts: Unused Validation Form" ; rdfs:subClassOf d3f:CWE-1164 ; d3f:cwe-id "CWE-107" ; d3f:definition "An unused validation form indicates that validation logic is not up-to-date." . d3f:CWE-108 a owl:Class ; rdfs:label "Struts: Unvalidated Action Form" ; rdfs:subClassOf d3f:CWE-1173 ; d3f:cwe-id "CWE-108" ; d3f:definition "Every Action Form must have a corresponding validation form." . d3f:CWE-109 a owl:Class ; rdfs:label "Struts: Validator Turned Off" ; rdfs:subClassOf d3f:CWE-1173 ; d3f:cwe-id "CWE-109" ; d3f:definition "Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation." . d3f:CWE-110 a owl:Class ; rdfs:label "Struts: Validator Without Form Field" ; rdfs:subClassOf d3f:CWE-1164 ; d3f:cwe-id "CWE-110" ; d3f:definition "Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date." . d3f:CWE-111 a owl:Class ; rdfs:label "Direct Use of Unsafe JNI" ; rdfs:subClassOf d3f:CWE-695 ; d3f:cwe-id "CWE-111" ; d3f:definition "When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java." . d3f:CWE-112 a owl:Class ; rdfs:label "Missing XML Validation" ; rdfs:subClassOf d3f:CWE-1286 ; d3f:cwe-id "CWE-112" ; d3f:definition "The product accepts XML from an untrusted source but does not validate the XML against the proper schema." . d3f:CWE-113 a owl:Class ; rdfs:label "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')" ; rdfs:subClassOf d3f:CWE-93, d3f:CWE-436 ; d3f:cwe-id "CWE-113" ; d3f:definition "The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers." ; d3f:synonym "HTTP Request Splitting", "HTTP Response Splitting" . d3f:CWE-114 a owl:Class ; rdfs:label "Process Control" ; rdfs:subClassOf d3f:CWE-73 ; d3f:cwe-id "CWE-114" ; d3f:definition "Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker." . d3f:CWE-115 a owl:Class ; rdfs:label "Misinterpretation of Input" ; rdfs:subClassOf d3f:CWE-436 ; d3f:cwe-id "CWE-115" ; d3f:definition "The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion." . d3f:CWE-116 a owl:Class ; rdfs:label "Improper Encoding or Escaping of Output" ; rdfs:subClassOf d3f:CWE-707 ; d3f:cwe-id "CWE-116" ; d3f:definition "The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved." ; d3f:synonym "Output Encoding", "Output Sanitization", "Output Validation" . d3f:CWE-117 a owl:Class ; rdfs:label "Improper Output Neutralization for Logs" ; rdfs:subClassOf d3f:CWE-116 ; d3f:cwe-id "CWE-117" ; d3f:definition "The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file." ; d3f:synonym "Log forging" . d3f:CWE-118 a owl:Class ; rdfs:label "Incorrect Access of Indexable Resource ('Range Error')" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-118" ; d3f:definition "The product does not restrict or incorrectly restricts operations within the boundaries of a resource that is accessed using an index or pointer, such as memory or files." . d3f:CWE-119 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Restriction of Operations within the Bounds of a Memory Buffer" ; rdfs:subClassOf d3f:CWE-118, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:RawMemoryAccessFunction ] ; d3f:cwe-id "CWE-119" ; d3f:definition "The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data." ; d3f:synonym "Buffer Overflow", "buffer overrun", "memory safety" ; d3f:weakness-of d3f:RawMemoryAccessFunction . d3f:CWE-120 a owl:Class ; rdfs:label "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')" ; rdfs:subClassOf d3f:CWE-119, d3f:CWE-787 ; d3f:cwe-id "CWE-120" ; d3f:definition "The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow." ; d3f:synonym "Classic Buffer Overflow", "Unbounded Transfer" . d3f:CWE-121 a owl:Class ; rdfs:label "Stack-based Buffer Overflow" ; rdfs:subClassOf d3f:CWE-787, d3f:CWE-788 ; d3f:cwe-id "CWE-121" ; d3f:definition "A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function)." ; d3f:synonym "Stack Overflow" . d3f:CWE-122 a owl:Class ; rdfs:label "Heap-based Buffer Overflow" ; rdfs:subClassOf d3f:CWE-787, d3f:CWE-788 ; d3f:cwe-id "CWE-122" ; d3f:definition "A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc()." . d3f:CWE-123 a owl:Class ; rdfs:label "Write-what-where Condition" ; rdfs:subClassOf d3f:CWE-787 ; d3f:cwe-id "CWE-123" ; d3f:definition "Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow." . d3f:CWE-124 a owl:Class ; rdfs:label "Buffer Underwrite ('Buffer Underflow')" ; rdfs:subClassOf d3f:CWE-786, d3f:CWE-787 ; d3f:cwe-id "CWE-124" ; d3f:definition "The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer." ; d3f:synonym "buffer underrun" . d3f:CWE-125 a owl:Class, owl:NamedIndividual ; rdfs:label "Out-of-bounds Read" ; rdfs:subClassOf d3f:CWE-119, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:RawMemoryAccessFunction ] ; d3f:cwe-id "CWE-125" ; d3f:definition "The product reads data past the end, or before the beginning, of the intended buffer." ; d3f:synonym "OOB read" ; d3f:weakness-of d3f:RawMemoryAccessFunction . d3f:CWE-126 a owl:Class ; rdfs:label "Buffer Over-read" ; rdfs:subClassOf d3f:CWE-125, d3f:CWE-788 ; d3f:cwe-id "CWE-126" ; d3f:definition "The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer." . d3f:CWE-127 a owl:Class ; rdfs:label "Buffer Under-read" ; rdfs:subClassOf d3f:CWE-125, d3f:CWE-786 ; d3f:cwe-id "CWE-127" ; d3f:definition "The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer." . d3f:CWE-128 a owl:Class ; rdfs:label "Wrap-around Error" ; rdfs:subClassOf d3f:CWE-682 ; d3f:cwe-id "CWE-128" ; d3f:definition "Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore \"wraps around\" to a very small, negative, or undefined value." . d3f:CWE-129 a owl:Class ; rdfs:label "Improper Validation of Array Index" ; rdfs:subClassOf d3f:CWE-1285 ; d3f:cwe-id "CWE-129" ; d3f:definition "The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array." ; d3f:synonym "array index underflow", "index-out-of-range", "out-of-bounds array index" . d3f:CWE-130 a owl:Class ; rdfs:label "Improper Handling of Length Parameter Inconsistency" ; rdfs:subClassOf d3f:CWE-240 ; d3f:cwe-id "CWE-130" ; d3f:definition "The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data." ; d3f:synonym "length manipulation", "length tampering" . d3f:CWE-131 a owl:Class ; rdfs:label "Incorrect Calculation of Buffer Size" ; rdfs:subClassOf d3f:CWE-682 ; d3f:cwe-id "CWE-131" ; d3f:definition "The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow." . d3f:CWE-134 a owl:Class ; rdfs:label "Use of Externally-Controlled Format String" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-134" ; d3f:definition "The product uses a function that accepts a format string as an argument, but the format string originates from an external source." . d3f:CWE-135 a owl:Class ; rdfs:label "Incorrect Calculation of Multi-Byte String Length" ; rdfs:subClassOf d3f:CWE-682 ; d3f:cwe-id "CWE-135" ; d3f:definition "The product does not correctly calculate the length of strings that can contain wide or multi-byte characters." . d3f:CWE-138 a owl:Class ; rdfs:label "Improper Neutralization of Special Elements" ; rdfs:subClassOf d3f:CWE-707 ; d3f:cwe-id "CWE-138" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component." . d3f:CWE-140 a owl:Class ; rdfs:label "Improper Neutralization of Delimiters" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-140" ; d3f:definition "The product does not neutralize or incorrectly neutralizes delimiters." . d3f:CWE-141 a owl:Class ; rdfs:label "Improper Neutralization of Parameter/Argument Delimiters" ; rdfs:subClassOf d3f:CWE-140 ; d3f:cwe-id "CWE-141" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as parameter or argument delimiters when they are sent to a downstream component." . d3f:CWE-142 a owl:Class ; rdfs:label "Improper Neutralization of Value Delimiters" ; rdfs:subClassOf d3f:CWE-140 ; d3f:cwe-id "CWE-142" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as value delimiters when they are sent to a downstream component." . d3f:CWE-143 a owl:Class ; rdfs:label "Improper Neutralization of Record Delimiters" ; rdfs:subClassOf d3f:CWE-140 ; d3f:cwe-id "CWE-143" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as record delimiters when they are sent to a downstream component." . d3f:CWE-144 a owl:Class ; rdfs:label "Improper Neutralization of Line Delimiters" ; rdfs:subClassOf d3f:CWE-140 ; d3f:cwe-id "CWE-144" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as line delimiters when they are sent to a downstream component." . d3f:CWE-145 a owl:Class ; rdfs:label "Improper Neutralization of Section Delimiters" ; rdfs:subClassOf d3f:CWE-140 ; d3f:cwe-id "CWE-145" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component." . d3f:CWE-146 a owl:Class ; rdfs:label "Improper Neutralization of Expression/Command Delimiters" ; rdfs:subClassOf d3f:CWE-140 ; d3f:cwe-id "CWE-146" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component." . d3f:CWE-147 a owl:Class ; rdfs:label "Improper Neutralization of Input Terminators" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-147" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component." . d3f:CWE-148 a owl:Class ; rdfs:label "Improper Neutralization of Input Leaders" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-148" ; d3f:definition "The product does not properly handle when a leading character or sequence (\"leader\") is missing or malformed, or if multiple leaders are used when only one should be allowed." . d3f:CWE-149 a owl:Class ; rdfs:label "Improper Neutralization of Quoting Syntax" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-149" ; d3f:definition "Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions." . d3f:CWE-150 a owl:Class ; rdfs:label "Improper Neutralization of Escape, Meta, or Control Sequences" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-150" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component." . d3f:CWE-151 a owl:Class ; rdfs:label "Improper Neutralization of Comment Delimiters" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-151" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component." . d3f:CWE-152 a owl:Class ; rdfs:label "Improper Neutralization of Macro Symbols" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-152" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component." . d3f:CWE-153 a owl:Class ; rdfs:label "Improper Neutralization of Substitution Characters" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-153" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as substitution characters when they are sent to a downstream component." . d3f:CWE-154 a owl:Class ; rdfs:label "Improper Neutralization of Variable Name Delimiters" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-154" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as variable name delimiters when they are sent to a downstream component." . d3f:CWE-155 a owl:Class ; rdfs:label "Improper Neutralization of Wildcards or Matching Symbols" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-155" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as wildcards or matching symbols when they are sent to a downstream component." . d3f:CWE-156 a owl:Class ; rdfs:label "Improper Neutralization of Whitespace" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-156" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as whitespace when they are sent to a downstream component." ; d3f:synonym "White space" . d3f:CWE-157 a owl:Class ; rdfs:label "Failure to Sanitize Paired Delimiters" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-157" ; d3f:definition "The product does not properly handle the characters that are used to mark the beginning and ending of a group of entities, such as parentheses, brackets, and braces." . d3f:CWE-158 a owl:Class ; rdfs:label "Improper Neutralization of Null Byte or NUL Character" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-158" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component." . d3f:CWE-159 a owl:Class ; rdfs:label "Improper Handling of Invalid Use of Special Elements" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-159" ; d3f:definition "The product does not properly filter, remove, quote, or otherwise manage the invalid use of special elements in user-controlled input, which could cause adverse effect on its behavior and integrity." . d3f:CWE-160 a owl:Class ; rdfs:label "Improper Neutralization of Leading Special Elements" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-160" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component." . d3f:CWE-161 a owl:Class ; rdfs:label "Improper Neutralization of Multiple Leading Special Elements" ; rdfs:subClassOf d3f:CWE-160 ; d3f:cwe-id "CWE-161" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstream component." . d3f:CWE-162 a owl:Class ; rdfs:label "Improper Neutralization of Trailing Special Elements" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-162" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component." . d3f:CWE-163 a owl:Class ; rdfs:label "Improper Neutralization of Multiple Trailing Special Elements" ; rdfs:subClassOf d3f:CWE-162 ; d3f:cwe-id "CWE-163" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstream component." . d3f:CWE-164 a owl:Class ; rdfs:label "Improper Neutralization of Internal Special Elements" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-164" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component." . d3f:CWE-165 a owl:Class ; rdfs:label "Improper Neutralization of Multiple Internal Special Elements" ; rdfs:subClassOf d3f:CWE-164 ; d3f:cwe-id "CWE-165" ; d3f:definition "The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstream component." . d3f:CWE-166 a owl:Class ; rdfs:label "Improper Handling of Missing Special Element" ; rdfs:subClassOf d3f:CWE-159, d3f:CWE-228, d3f:CWE-703 ; d3f:cwe-id "CWE-166" ; d3f:definition "The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing." . d3f:CWE-167 a owl:Class ; rdfs:label "Improper Handling of Additional Special Element" ; rdfs:subClassOf d3f:CWE-159, d3f:CWE-228, d3f:CWE-703 ; d3f:cwe-id "CWE-167" ; d3f:definition "The product receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided." . d3f:CWE-168 a owl:Class ; rdfs:label "Improper Handling of Inconsistent Special Elements" ; rdfs:subClassOf d3f:CWE-159, d3f:CWE-228, d3f:CWE-703 ; d3f:cwe-id "CWE-168" ; d3f:definition "The product does not properly handle input in which an inconsistency exists between two or more special characters or reserved words." . d3f:CWE-170 a owl:Class ; rdfs:label "Improper Null Termination" ; rdfs:subClassOf d3f:CWE-707 ; d3f:cwe-id "CWE-170" ; d3f:definition "The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator." . d3f:CWE-172 a owl:Class ; rdfs:label "Encoding Error" ; rdfs:subClassOf d3f:CWE-707 ; d3f:cwe-id "CWE-172" ; d3f:definition "The product does not properly encode or decode the data, resulting in unexpected values." . d3f:CWE-173 a owl:Class ; rdfs:label "Improper Handling of Alternate Encoding" ; rdfs:subClassOf d3f:CWE-172 ; d3f:cwe-id "CWE-173" ; d3f:definition "The product does not properly handle when an input uses an alternate encoding that is valid for the control sphere to which the input is being sent." . d3f:CWE-174 a owl:Class ; rdfs:label "Double Decoding of the Same Data" ; rdfs:subClassOf d3f:CWE-172, d3f:CWE-675 ; d3f:cwe-id "CWE-174" ; d3f:definition "The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations." . d3f:CWE-175 a owl:Class ; rdfs:label "Improper Handling of Mixed Encoding" ; rdfs:subClassOf d3f:CWE-172 ; d3f:cwe-id "CWE-175" ; d3f:definition "The product does not properly handle when the same input uses several different (mixed) encodings." . d3f:CWE-176 a owl:Class ; rdfs:label "Improper Handling of Unicode Encoding" ; rdfs:subClassOf d3f:CWE-172 ; d3f:cwe-id "CWE-176" ; d3f:definition "The product does not properly handle when an input contains Unicode encoding." . d3f:CWE-177 a owl:Class ; rdfs:label "Improper Handling of URL Encoding (Hex Encoding)" ; rdfs:subClassOf d3f:CWE-172 ; d3f:cwe-id "CWE-177" ; d3f:definition "The product does not properly handle when all or part of an input has been URL encoded." . d3f:CWE-178 a owl:Class ; rdfs:label "Improper Handling of Case Sensitivity" ; rdfs:subClassOf d3f:CWE-706 ; d3f:cwe-id "CWE-178" ; d3f:definition "The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results." . d3f:CWE-179 a owl:Class ; rdfs:label "Incorrect Behavior Order: Early Validation" ; rdfs:subClassOf d3f:CWE-20, d3f:CWE-696 ; d3f:cwe-id "CWE-179" ; d3f:definition "The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification." . d3f:CWE-180 a owl:Class ; rdfs:label "Incorrect Behavior Order: Validate Before Canonicalize" ; rdfs:subClassOf d3f:CWE-179 ; d3f:cwe-id "CWE-180" ; d3f:definition "The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step." . d3f:CWE-181 a owl:Class ; rdfs:label "Incorrect Behavior Order: Validate Before Filter" ; rdfs:subClassOf d3f:CWE-179 ; d3f:cwe-id "CWE-181" ; d3f:definition "The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step." ; d3f:synonym "Validate-before-cleanse" . d3f:CWE-182 a owl:Class ; rdfs:label "Collapse of Data into Unsafe Value" ; rdfs:subClassOf d3f:CWE-693, d3f:CWE-707 ; d3f:cwe-id "CWE-182" ; d3f:definition "The product filters data in a way that causes it to be reduced or \"collapsed\" into an unsafe value that violates an expected security property." . d3f:CWE-183 a owl:Class ; rdfs:label "Permissive List of Allowed Inputs" ; rdfs:subClassOf d3f:CWE-697 ; d3f:cwe-id "CWE-183" ; d3f:definition "The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses." ; d3f:synonym "Allowlist / Allow List", "Safelist / Safe List", "Whitelist / White List" . d3f:CWE-184 a owl:Class ; rdfs:label "Incomplete List of Disallowed Inputs" ; rdfs:subClassOf d3f:CWE-693, d3f:CWE-1023 ; d3f:cwe-id "CWE-184" ; d3f:definition "The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete." ; d3f:synonym "Blacklist / Black List", "Blocklist / Block List", "Denylist / Deny List" . d3f:CWE-185 a owl:Class ; rdfs:label "Incorrect Regular Expression" ; rdfs:subClassOf d3f:CWE-697 ; d3f:cwe-id "CWE-185" ; d3f:definition "The product specifies a regular expression in a way that causes data to be improperly matched or compared." . d3f:CWE-186 a owl:Class ; rdfs:label "Overly Restrictive Regular Expression" ; rdfs:subClassOf d3f:CWE-185 ; d3f:cwe-id "CWE-186" ; d3f:definition "A regular expression is overly restrictive, which prevents dangerous values from being detected." . d3f:CWE-187 a owl:Class ; rdfs:label "Partial String Comparison" ; rdfs:subClassOf d3f:CWE-1023 ; d3f:cwe-id "CWE-187" ; d3f:definition "The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses." . d3f:CWE-188 a owl:Class ; rdfs:label "Reliance on Data/Memory Layout" ; rdfs:subClassOf d3f:CWE-435, d3f:CWE-1105 ; d3f:cwe-id "CWE-188" ; d3f:definition "The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior." . d3f:CWE-190 a owl:Class, owl:NamedIndividual ; rdfs:label "Integer Overflow or Wraparound" ; rdfs:subClassOf d3f:CWE-682, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:MathematicalFunction ] ; d3f:cwe-id "CWE-190" ; d3f:definition "The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number." ; d3f:synonym "Overflow", "wrap, wrap-around, wrap around", "Wraparound" ; d3f:weakness-of d3f:MathematicalFunction . d3f:CWE-191 a owl:Class ; rdfs:label "Integer Underflow (Wrap or Wraparound)" ; rdfs:subClassOf d3f:CWE-682 ; d3f:cwe-id "CWE-191" ; d3f:definition "The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result." ; d3f:synonym "Integer underflow" . d3f:CWE-192 a owl:Class ; rdfs:label "Integer Coercion Error" ; rdfs:subClassOf d3f:CWE-681 ; d3f:cwe-id "CWE-192" ; d3f:definition "Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types." . d3f:CWE-193 a owl:Class ; rdfs:label "Off-by-one Error" ; rdfs:subClassOf d3f:CWE-682 ; d3f:cwe-id "CWE-193" ; d3f:definition "A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value." ; d3f:synonym "off-by-five" . d3f:CWE-194 a owl:Class ; rdfs:label "Unexpected Sign Extension" ; rdfs:subClassOf d3f:CWE-681 ; d3f:cwe-id "CWE-194" ; d3f:definition "The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses." . d3f:CWE-195 a owl:Class ; rdfs:label "Signed to Unsigned Conversion Error" ; rdfs:subClassOf d3f:CWE-681 ; d3f:cwe-id "CWE-195" ; d3f:definition "The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be represented using an unsigned primitive." . d3f:CWE-196 a owl:Class ; rdfs:label "Unsigned to Signed Conversion Error" ; rdfs:subClassOf d3f:CWE-681 ; d3f:cwe-id "CWE-196" ; d3f:definition "The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive." . d3f:CWE-197 a owl:Class ; rdfs:label "Numeric Truncation Error" ; rdfs:subClassOf d3f:CWE-681 ; d3f:cwe-id "CWE-197" ; d3f:definition "Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion." . d3f:CWE-198 a owl:Class ; rdfs:label "Use of Incorrect Byte Ordering" ; rdfs:subClassOf d3f:CWE-188 ; d3f:cwe-id "CWE-198" ; d3f:definition "The product receives input from an upstream component, but it does not account for byte ordering (e.g. big-endian and little-endian) when processing the input, causing an incorrect number or value to be used." . d3f:CWE-200 a owl:Class ; rdfs:label "Exposure of Sensitive Information to an Unauthorized Actor" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-200" ; d3f:definition "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information." ; d3f:synonym "Information Disclosure", "Information Leak" . d3f:CWE-201 a owl:Class ; rdfs:label "Insertion of Sensitive Information Into Sent Data" ; rdfs:subClassOf d3f:CWE-200 ; d3f:cwe-id "CWE-201" ; d3f:definition "The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor." . d3f:CWE-202 a owl:Class ; rdfs:label "Exposure of Sensitive Information Through Data Queries" ; rdfs:subClassOf d3f:CWE-1230 ; d3f:cwe-id "CWE-202" ; d3f:definition "When trying to keep information confidential, an attacker can often infer some of the information by using statistics." . d3f:CWE-203 a owl:Class ; rdfs:label "Observable Discrepancy" ; rdfs:subClassOf d3f:CWE-200 ; d3f:cwe-id "CWE-203" ; d3f:definition "The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not." ; d3f:synonym "Side Channel Attack" . d3f:CWE-204 a owl:Class ; rdfs:label "Observable Response Discrepancy" ; rdfs:subClassOf d3f:CWE-203 ; d3f:cwe-id "CWE-204" ; d3f:definition "The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere." . d3f:CWE-205 a owl:Class ; rdfs:label "Observable Behavioral Discrepancy" ; rdfs:subClassOf d3f:CWE-203 ; d3f:cwe-id "CWE-205" ; d3f:definition "The product's behaviors indicate important differences that may be observed by unauthorized actors in a way that reveals (1) its internal state or decision process, or (2) differences from other products with equivalent functionality." . d3f:CWE-206 a owl:Class ; rdfs:label "Observable Internal Behavioral Discrepancy" ; rdfs:subClassOf d3f:CWE-205 ; d3f:cwe-id "CWE-206" ; d3f:definition "The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision points." . d3f:CWE-207 a owl:Class ; rdfs:label "Observable Behavioral Discrepancy With Equivalent Products" ; rdfs:subClassOf d3f:CWE-205 ; d3f:cwe-id "CWE-207" ; d3f:definition "The product operates in an environment in which its existence or specific identity should not be known, but it behaves differently than other products with equivalent functionality, in a way that is observable to an attacker." . d3f:CWE-208 a owl:Class ; rdfs:label "Observable Timing Discrepancy" ; rdfs:subClassOf d3f:CWE-203 ; d3f:cwe-id "CWE-208" ; d3f:definition "Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not." . d3f:CWE-209 a owl:Class ; rdfs:label "Generation of Error Message Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-200, d3f:CWE-755 ; d3f:cwe-id "CWE-209" ; d3f:definition "The product generates an error message that includes sensitive information about its environment, users, or associated data." . d3f:CWE-210 a owl:Class ; rdfs:label "Self-generated Error Message Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-209 ; d3f:cwe-id "CWE-210" ; d3f:definition "The product identifies an error condition and creates its own diagnostic or error messages that contain sensitive information." . d3f:CWE-211 a owl:Class ; rdfs:label "Externally-Generated Error Message Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-209 ; d3f:cwe-id "CWE-211" ; d3f:definition "The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that a software application uses. The error can contain sensitive system information." . d3f:CWE-212 a owl:Class ; rdfs:label "Improper Removal of Sensitive Information Before Storage or Transfer" ; rdfs:subClassOf d3f:CWE-669 ; d3f:cwe-id "CWE-212" ; d3f:definition "The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors." . d3f:CWE-213 a owl:Class ; rdfs:label "Exposure of Sensitive Information Due to Incompatible Policies" ; rdfs:subClassOf d3f:CWE-200 ; d3f:cwe-id "CWE-213" ; d3f:definition "The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed." . d3f:CWE-214 a owl:Class ; rdfs:label "Invocation of Process Using Visible Sensitive Information" ; rdfs:subClassOf d3f:CWE-497 ; d3f:cwe-id "CWE-214" ; d3f:definition "A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system." . d3f:CWE-215 a owl:Class ; rdfs:label "Insertion of Sensitive Information Into Debugging Code" ; rdfs:subClassOf d3f:CWE-200 ; d3f:cwe-id "CWE-215" ; d3f:definition "The product inserts sensitive information into debugging code, which could expose this information if the debugging code is not disabled in production." . d3f:CWE-219 a owl:Class ; rdfs:label "Storage of File with Sensitive Data Under Web Root" ; rdfs:subClassOf d3f:CWE-552 ; d3f:cwe-id "CWE-219" ; d3f:definition "The product stores sensitive data under the web document root with insufficient access control, which might make it accessible to untrusted parties." . d3f:CWE-220 a owl:Class ; rdfs:label "Storage of File With Sensitive Data Under FTP Root" ; rdfs:subClassOf d3f:CWE-552 ; d3f:cwe-id "CWE-220" ; d3f:definition "The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties." . d3f:CWE-221 a owl:Class ; rdfs:label "Information Loss or Omission" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-221" ; d3f:definition "The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis." . d3f:CWE-222 a owl:Class ; rdfs:label "Truncation of Security-relevant Information" ; rdfs:subClassOf d3f:CWE-221 ; d3f:cwe-id "CWE-222" ; d3f:definition "The product truncates the display, recording, or processing of security-relevant information in a way that can obscure the source or nature of an attack." . d3f:CWE-223 a owl:Class ; rdfs:label "Omission of Security-relevant Information" ; rdfs:subClassOf d3f:CWE-221 ; d3f:cwe-id "CWE-223" ; d3f:definition "The product does not record or display information that would be important for identifying the source or nature of an attack, or determining if an action is safe." . d3f:CWE-224 a owl:Class ; rdfs:label "Obscured Security-relevant Information by Alternate Name" ; rdfs:subClassOf d3f:CWE-221 ; d3f:cwe-id "CWE-224" ; d3f:definition "The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name." . d3f:CWE-226 a owl:Class ; rdfs:label "Sensitive Information in Resource Not Removed Before Reuse" ; rdfs:subClassOf d3f:CWE-212, d3f:CWE-459 ; d3f:cwe-id "CWE-226" ; d3f:definition "The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or \"zeroize\" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities." . d3f:CWE-228 a owl:Class ; rdfs:label "Improper Handling of Syntactically Invalid Structure" ; rdfs:subClassOf d3f:CWE-703, d3f:CWE-707 ; d3f:cwe-id "CWE-228" ; d3f:definition "The product does not handle or incorrectly handles input that is not syntactically well-formed with respect to the associated specification." . d3f:CWE-229 a owl:Class ; rdfs:label "Improper Handling of Values" ; rdfs:subClassOf d3f:CWE-228 ; d3f:cwe-id "CWE-229" ; d3f:definition "The product does not properly handle when the expected number of values for parameters, fields, or arguments is not provided in input, or if those values are undefined." . d3f:CWE-230 a owl:Class ; rdfs:label "Improper Handling of Missing Values" ; rdfs:subClassOf d3f:CWE-229 ; d3f:cwe-id "CWE-230" ; d3f:definition "The product does not handle or incorrectly handles when a parameter, field, or argument name is specified, but the associated value is missing, i.e. it is empty, blank, or null." . d3f:CWE-231 a owl:Class ; rdfs:label "Improper Handling of Extra Values" ; rdfs:subClassOf d3f:CWE-229 ; d3f:cwe-id "CWE-231" ; d3f:definition "The product does not handle or incorrectly handles when more values are provided than expected." . d3f:CWE-232 a owl:Class ; rdfs:label "Improper Handling of Undefined Values" ; rdfs:subClassOf d3f:CWE-229 ; d3f:cwe-id "CWE-232" ; d3f:definition "The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name." . d3f:CWE-233 a owl:Class ; rdfs:label "Improper Handling of Parameters" ; rdfs:subClassOf d3f:CWE-228 ; d3f:cwe-id "CWE-233" ; d3f:definition "The product does not properly handle when the expected number of parameters, fields, or arguments is not provided in input, or if those parameters are undefined." . d3f:CWE-234 a owl:Class ; rdfs:label "Failure to Handle Missing Parameter" ; rdfs:subClassOf d3f:CWE-233 ; d3f:cwe-id "CWE-234" ; d3f:definition "If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well." . d3f:CWE-235 a owl:Class ; rdfs:label "Improper Handling of Extra Parameters" ; rdfs:subClassOf d3f:CWE-233 ; d3f:cwe-id "CWE-235" ; d3f:definition "The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount." . d3f:CWE-236 a owl:Class ; rdfs:label "Improper Handling of Undefined Parameters" ; rdfs:subClassOf d3f:CWE-233 ; d3f:cwe-id "CWE-236" ; d3f:definition "The product does not handle or incorrectly handles when a particular parameter, field, or argument name is not defined or supported by the product." . d3f:CWE-237 a owl:Class ; rdfs:label "Improper Handling of Structural Elements" ; rdfs:subClassOf d3f:CWE-228 ; d3f:cwe-id "CWE-237" ; d3f:definition "The product does not handle or incorrectly handles inputs that are related to complex structures." . d3f:CWE-238 a owl:Class ; rdfs:label "Improper Handling of Incomplete Structural Elements" ; rdfs:subClassOf d3f:CWE-237 ; d3f:cwe-id "CWE-238" ; d3f:definition "The product does not handle or incorrectly handles when a particular structural element is not completely specified." . d3f:CWE-239 a owl:Class ; rdfs:label "Failure to Handle Incomplete Element" ; rdfs:subClassOf d3f:CWE-237 ; d3f:cwe-id "CWE-239" ; d3f:definition "The product does not properly handle when a particular element is not completely specified." . d3f:CWE-240 a owl:Class ; rdfs:label "Improper Handling of Inconsistent Structural Elements" ; rdfs:subClassOf d3f:CWE-237, d3f:CWE-707 ; d3f:cwe-id "CWE-240" ; d3f:definition "The product does not handle or incorrectly handles when two or more structural elements should be consistent, but are not." . d3f:CWE-241 a owl:Class ; rdfs:label "Improper Handling of Unexpected Data Type" ; rdfs:subClassOf d3f:CWE-228 ; d3f:cwe-id "CWE-241" ; d3f:definition "The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z)." . d3f:CWE-242 a owl:Class ; rdfs:label "Use of Inherently Dangerous Function" ; rdfs:subClassOf d3f:CWE-1177 ; d3f:cwe-id "CWE-242" ; d3f:definition "The product calls a function that can never be guaranteed to work safely." . d3f:CWE-243 a owl:Class ; rdfs:label "Creation of chroot Jail Without Changing Working Directory" ; rdfs:subClassOf d3f:CWE-573, d3f:CWE-669 ; d3f:cwe-id "CWE-243" ; d3f:definition "The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail." . d3f:CWE-244 a owl:Class ; rdfs:label "Improper Clearing of Heap Memory Before Release ('Heap Inspection')" ; rdfs:subClassOf d3f:CWE-226 ; d3f:cwe-id "CWE-244" ; d3f:definition "Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory." . d3f:CWE-245 a owl:Class ; rdfs:label "J2EE Bad Practices: Direct Management of Connections" ; rdfs:subClassOf d3f:CWE-695 ; d3f:cwe-id "CWE-245" ; d3f:definition "The J2EE application directly manages connections, instead of using the container's connection management facilities." . d3f:CWE-246 a owl:Class ; rdfs:label "J2EE Bad Practices: Direct Use of Sockets" ; rdfs:subClassOf d3f:CWE-695 ; d3f:cwe-id "CWE-246" ; d3f:definition "The J2EE application directly uses sockets instead of using framework method calls." . d3f:CWE-248 a owl:Class ; rdfs:label "Uncaught Exception" ; rdfs:subClassOf d3f:CWE-703, d3f:CWE-705, d3f:CWE-755 ; d3f:cwe-id "CWE-248" ; d3f:definition "An exception is thrown from a function, but it is not caught." . d3f:CWE-250 a owl:Class ; rdfs:label "Execution with Unnecessary Privileges" ; rdfs:subClassOf d3f:CWE-269, d3f:CWE-657 ; d3f:cwe-id "CWE-250" ; d3f:definition "The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses." . d3f:CWE-252 a owl:Class ; rdfs:label "Unchecked Return Value" ; rdfs:subClassOf d3f:CWE-754 ; d3f:cwe-id "CWE-252" ; d3f:definition "The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions." . d3f:CWE-253 a owl:Class ; rdfs:label "Incorrect Check of Function Return Value" ; rdfs:subClassOf d3f:CWE-573, d3f:CWE-754 ; d3f:cwe-id "CWE-253" ; d3f:definition "The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions." . d3f:CWE-256 a owl:Class ; rdfs:label "Plaintext Storage of a Password" ; rdfs:subClassOf d3f:CWE-522 ; d3f:cwe-id "CWE-256" ; d3f:definition "Storing a password in plaintext may result in a system compromise." . d3f:CWE-257 a owl:Class ; rdfs:label "Storing Passwords in a Recoverable Format" ; rdfs:subClassOf d3f:CWE-522 ; d3f:cwe-id "CWE-257" ; d3f:definition "The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts." . d3f:CWE-258 a owl:Class ; rdfs:label "Empty Password in Configuration File" ; rdfs:subClassOf d3f:CWE-260, d3f:CWE-521 ; d3f:cwe-id "CWE-258" ; d3f:definition "Using an empty string as a password is insecure." . d3f:CWE-259 a owl:Class ; rdfs:label "Use of Hard-coded Password" ; rdfs:subClassOf d3f:CWE-798 ; d3f:cwe-id "CWE-259" ; d3f:definition "The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components." . d3f:CWE-260 a owl:Class ; rdfs:label "Password in Configuration File" ; rdfs:subClassOf d3f:CWE-522 ; d3f:cwe-id "CWE-260" ; d3f:definition "The product stores a password in a configuration file that might be accessible to actors who do not know the password." . d3f:CWE-261 a owl:Class ; rdfs:label "Weak Encoding for Password" ; rdfs:subClassOf d3f:CWE-522 ; d3f:cwe-id "CWE-261" ; d3f:definition "Obscuring a password with a trivial encoding does not protect the password." . d3f:CWE-262 a owl:Class ; rdfs:label "Not Using Password Aging" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-262" ; d3f:definition "The product does not have a mechanism in place for managing password aging." . d3f:CWE-263 a owl:Class ; rdfs:label "Password Aging with Long Expiration" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-263" ; d3f:definition "The product supports password aging, but the expiration period is too long." . d3f:CWE-266 a owl:Class ; rdfs:label "Incorrect Privilege Assignment" ; rdfs:subClassOf d3f:CWE-269 ; d3f:cwe-id "CWE-266" ; d3f:definition "A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor." . d3f:CWE-267 a owl:Class ; rdfs:label "Privilege Defined With Unsafe Actions" ; rdfs:subClassOf d3f:CWE-269 ; d3f:cwe-id "CWE-267" ; d3f:definition "A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity." . d3f:CWE-268 a owl:Class ; rdfs:label "Privilege Chaining" ; rdfs:subClassOf d3f:CWE-269 ; d3f:cwe-id "CWE-268" ; d3f:definition "Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination." . d3f:CWE-269 a owl:Class ; rdfs:label "Improper Privilege Management" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-269" ; d3f:definition "The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor." . d3f:CWE-270 a owl:Class ; rdfs:label "Privilege Context Switching Error" ; rdfs:subClassOf d3f:CWE-269 ; d3f:cwe-id "CWE-270" ; d3f:definition "The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control." . d3f:CWE-271 a owl:Class ; rdfs:label "Privilege Dropping / Lowering Errors" ; rdfs:subClassOf d3f:CWE-269 ; d3f:cwe-id "CWE-271" ; d3f:definition "The product does not drop privileges before passing control of a resource to an actor that does not have those privileges." . d3f:CWE-272 a owl:Class ; rdfs:label "Least Privilege Violation" ; rdfs:subClassOf d3f:CWE-271 ; d3f:cwe-id "CWE-272" ; d3f:definition "The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed." . d3f:CWE-273 a owl:Class ; rdfs:label "Improper Check for Dropped Privileges" ; rdfs:subClassOf d3f:CWE-271, d3f:CWE-754 ; d3f:cwe-id "CWE-273" ; d3f:definition "The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded." . d3f:CWE-274 a owl:Class ; rdfs:label "Improper Handling of Insufficient Privileges" ; rdfs:subClassOf d3f:CWE-269, d3f:CWE-755 ; d3f:cwe-id "CWE-274" ; d3f:definition "The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses." . d3f:CWE-276 a owl:Class, owl:NamedIndividual ; rdfs:label "Incorrect Default Permissions" ; rdfs:subClassOf d3f:CWE-732, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:ApplicationInstaller ] ; d3f:cwe-id "CWE-276" ; d3f:definition "During installation, installed file permissions are set to allow anyone to modify those files." ; d3f:weakness-of d3f:ApplicationInstaller . d3f:CWE-277 a owl:Class ; rdfs:label "Insecure Inherited Permissions" ; rdfs:subClassOf d3f:CWE-732 ; d3f:cwe-id "CWE-277" ; d3f:definition "A product defines a set of insecure permissions that are inherited by objects that are created by the program." . d3f:CWE-278 a owl:Class ; rdfs:label "Insecure Preserved Inherited Permissions" ; rdfs:subClassOf d3f:CWE-732 ; d3f:cwe-id "CWE-278" ; d3f:definition "A product inherits a set of insecure permissions for an object, e.g. when copying from an archive file, without user awareness or involvement." . d3f:CWE-279 a owl:Class ; rdfs:label "Incorrect Execution-Assigned Permissions" ; rdfs:subClassOf d3f:CWE-732 ; d3f:cwe-id "CWE-279" ; d3f:definition "While it is executing, the product sets the permissions of an object in a way that violates the intended permissions that have been specified by the user." . d3f:CWE-280 a owl:Class ; rdfs:label "Improper Handling of Insufficient Permissions or Privileges" ; rdfs:subClassOf d3f:CWE-755 ; d3f:cwe-id "CWE-280" ; d3f:definition "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state." . d3f:CWE-281 a owl:Class ; rdfs:label "Improper Preservation of Permissions" ; rdfs:subClassOf d3f:CWE-732 ; d3f:cwe-id "CWE-281" ; d3f:definition "The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended." . d3f:CWE-282 a owl:Class ; rdfs:label "Improper Ownership Management" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-282" ; d3f:definition "The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource." . d3f:CWE-283 a owl:Class ; rdfs:label "Unverified Ownership" ; rdfs:subClassOf d3f:CWE-282 ; d3f:cwe-id "CWE-283" ; d3f:definition "The product does not properly verify that a critical resource is owned by the proper entity." . d3f:CWE-284 a owl:Class ; rdfs:label "Improper Access Control" ; rdfs:subClassOf d3f:Weakness ; d3f:cwe-id "CWE-284" ; d3f:definition "The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor." ; d3f:synonym "Authorization" . d3f:CWE-285 a owl:Class ; rdfs:label "Improper Authorization" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-285" ; d3f:definition "The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action." ; d3f:synonym "AuthZ" . d3f:CWE-286 a owl:Class ; rdfs:label "Incorrect User Management" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-286" ; d3f:definition "The product does not properly manage a user within its environment." . d3f:CWE-287 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Authentication" ; rdfs:subClassOf d3f:CWE-284, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:AuthenticationFunction ] ; d3f:cwe-id "CWE-287" ; d3f:definition "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct." ; d3f:synonym "AuthC", "authentification", "AuthN" ; d3f:weakness-of d3f:AuthenticationFunction . d3f:CWE-288 a owl:Class ; rdfs:label "Authentication Bypass Using an Alternate Path or Channel" ; rdfs:subClassOf d3f:CWE-306 ; d3f:cwe-id "CWE-288" ; d3f:definition "The product requires authentication, but the product has an alternate path or channel that does not require authentication." . d3f:CWE-289 a owl:Class ; rdfs:label "Authentication Bypass by Alternate Name" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-289" ; d3f:definition "The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor." . d3f:CWE-290 a owl:Class ; rdfs:label "Authentication Bypass by Spoofing" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-290" ; d3f:definition "This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks." . d3f:CWE-291 a owl:Class ; rdfs:label "Reliance on IP Address for Authentication" ; rdfs:subClassOf d3f:CWE-290, d3f:CWE-471, d3f:CWE-923 ; d3f:cwe-id "CWE-291" ; d3f:definition "The product uses an IP address for authentication." . d3f:CWE-293 a owl:Class ; rdfs:label "Using Referer Field for Authentication" ; rdfs:subClassOf d3f:CWE-290 ; d3f:cwe-id "CWE-293" ; d3f:definition "The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking." ; d3f:synonym "referrer" . d3f:CWE-294 a owl:Class ; rdfs:label "Authentication Bypass by Capture-replay" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-294" ; d3f:definition "A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes)." . d3f:CWE-295 a owl:Class ; rdfs:label "Improper Certificate Validation" ; rdfs:subClassOf d3f:CWE-287 ; d3f:cwe-id "CWE-295" ; d3f:definition "The product does not validate, or incorrectly validates, a certificate." . d3f:CWE-296 a owl:Class ; rdfs:label "Improper Following of a Certificate's Chain of Trust" ; rdfs:subClassOf d3f:CWE-295, d3f:CWE-573 ; d3f:cwe-id "CWE-296" ; d3f:definition "The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate." . d3f:CWE-297 a owl:Class ; rdfs:label "Improper Validation of Certificate with Host Mismatch" ; rdfs:subClassOf d3f:CWE-295, d3f:CWE-923 ; d3f:cwe-id "CWE-297" ; d3f:definition "The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host." . d3f:CWE-298 a owl:Class ; rdfs:label "Improper Validation of Certificate Expiration" ; rdfs:subClassOf d3f:CWE-295, d3f:CWE-672 ; d3f:cwe-id "CWE-298" ; d3f:definition "A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age." . d3f:CWE-299 a owl:Class ; rdfs:label "Improper Check for Certificate Revocation" ; rdfs:subClassOf d3f:CWE-295, d3f:CWE-404 ; d3f:cwe-id "CWE-299" ; d3f:definition "The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised." . d3f:CWE-300 a owl:Class ; rdfs:label "Channel Accessible by Non-Endpoint" ; rdfs:subClassOf d3f:CWE-923 ; d3f:cwe-id "CWE-300" ; d3f:definition "The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint." ; d3f:synonym "Adversary-in-the-Middle / AITM", "Interception attack", "Man-in-the-Middle / MITM", "Manipulator-in-the-Middle", "Monkey-in-the-Middle", "Monster-in-the-Middle", "On-path attack", "Person-in-the-Middle / PITM" . d3f:CWE-301 a owl:Class ; rdfs:label "Reflection Attack in an Authentication Protocol" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-301" ; d3f:definition "Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user." . d3f:CWE-302 a owl:Class ; rdfs:label "Authentication Bypass by Assumed-Immutable Data" ; rdfs:subClassOf d3f:CWE-807, d3f:CWE-1390 ; d3f:cwe-id "CWE-302" ; d3f:definition "The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker." . d3f:CWE-303 a owl:Class ; rdfs:label "Incorrect Implementation of Authentication Algorithm" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-303" ; d3f:definition "The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect." . d3f:CWE-304 a owl:Class ; rdfs:label "Missing Critical Step in Authentication" ; rdfs:subClassOf d3f:CWE-303, d3f:CWE-573 ; d3f:cwe-id "CWE-304" ; d3f:definition "The product implements an authentication technique, but it skips a step that weakens the technique." . d3f:CWE-305 a owl:Class ; rdfs:label "Authentication Bypass by Primary Weakness" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-305" ; d3f:definition "The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error." . d3f:CWE-306 a owl:Class ; rdfs:label "Missing Authentication for Critical Function" ; rdfs:subClassOf d3f:CWE-287 ; d3f:cwe-id "CWE-306" ; d3f:definition "The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources." . d3f:CWE-307 a owl:Class ; rdfs:label "Improper Restriction of Excessive Authentication Attempts" ; rdfs:subClassOf d3f:CWE-799, d3f:CWE-1390 ; d3f:cwe-id "CWE-307" ; d3f:definition "The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame." . d3f:CWE-308 a owl:Class ; rdfs:label "Use of Single-factor Authentication" ; rdfs:subClassOf d3f:CWE-654, d3f:CWE-1390 ; d3f:cwe-id "CWE-308" ; d3f:definition "The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme." . d3f:CWE-309 a owl:Class ; rdfs:label "Use of Password System for Primary Authentication" ; rdfs:subClassOf d3f:CWE-654, d3f:CWE-1390 ; d3f:cwe-id "CWE-309" ; d3f:definition "The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism." . d3f:CWE-311 a owl:Class ; rdfs:label "Missing Encryption of Sensitive Data" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-311" ; d3f:definition "The product does not encrypt sensitive or critical information before storage or transmission." . d3f:CWE-312 a owl:Class ; rdfs:label "Cleartext Storage of Sensitive Information" ; rdfs:subClassOf d3f:CWE-311, d3f:CWE-922 ; d3f:cwe-id "CWE-312" ; d3f:definition "The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere." . d3f:CWE-313 a owl:Class ; rdfs:label "Cleartext Storage in a File or on Disk" ; rdfs:subClassOf d3f:CWE-312 ; d3f:cwe-id "CWE-313" ; d3f:definition "The product stores sensitive information in cleartext in a file, or on disk." . d3f:CWE-314 a owl:Class ; rdfs:label "Cleartext Storage in the Registry" ; rdfs:subClassOf d3f:CWE-312 ; d3f:cwe-id "CWE-314" ; d3f:definition "The product stores sensitive information in cleartext in the registry." . d3f:CWE-315 a owl:Class ; rdfs:label "Cleartext Storage of Sensitive Information in a Cookie" ; rdfs:subClassOf d3f:CWE-312 ; d3f:cwe-id "CWE-315" ; d3f:definition "The product stores sensitive information in cleartext in a cookie." . d3f:CWE-316 a owl:Class ; rdfs:label "Cleartext Storage of Sensitive Information in Memory" ; rdfs:subClassOf d3f:CWE-312 ; d3f:cwe-id "CWE-316" ; d3f:definition "The product stores sensitive information in cleartext in memory." . d3f:CWE-317 a owl:Class ; rdfs:label "Cleartext Storage of Sensitive Information in GUI" ; rdfs:subClassOf d3f:CWE-312 ; d3f:cwe-id "CWE-317" ; d3f:definition "The product stores sensitive information in cleartext within the GUI." . d3f:CWE-318 a owl:Class ; rdfs:label "Cleartext Storage of Sensitive Information in Executable" ; rdfs:subClassOf d3f:CWE-312 ; d3f:cwe-id "CWE-318" ; d3f:definition "The product stores sensitive information in cleartext in an executable." . d3f:CWE-319 a owl:Class ; rdfs:label "Cleartext Transmission of Sensitive Information" ; rdfs:subClassOf d3f:CWE-311 ; d3f:cwe-id "CWE-319" ; d3f:definition "The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors." . d3f:CWE-321 a owl:Class ; rdfs:label "Use of Hard-coded Cryptographic Key" ; rdfs:subClassOf d3f:CWE-798 ; d3f:cwe-id "CWE-321" ; d3f:definition "The product uses a hard-coded, unchangeable cryptographic key." . d3f:CWE-322 a owl:Class ; rdfs:label "Key Exchange without Entity Authentication" ; rdfs:subClassOf d3f:CWE-306 ; d3f:cwe-id "CWE-322" ; d3f:definition "The product performs a key exchange with an actor without verifying the identity of that actor." . d3f:CWE-323 a owl:Class ; rdfs:label "Reusing a Nonce, Key Pair in Encryption" ; rdfs:subClassOf d3f:CWE-344 ; d3f:cwe-id "CWE-323" ; d3f:definition "Nonces should be used for the present occasion and only once." . d3f:CWE-324 a owl:Class ; rdfs:label "Use of a Key Past its Expiration Date" ; rdfs:subClassOf d3f:CWE-672 ; d3f:cwe-id "CWE-324" ; d3f:definition "The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key." . d3f:CWE-325 a owl:Class ; rdfs:label "Missing Cryptographic Step" ; rdfs:subClassOf d3f:CWE-573 ; d3f:cwe-id "CWE-325" ; d3f:definition "The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm." . d3f:CWE-326 a owl:Class ; rdfs:label "Inadequate Encryption Strength" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-326" ; d3f:definition "The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required." . d3f:CWE-327 a owl:Class ; rdfs:label "Use of a Broken or Risky Cryptographic Algorithm" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-327" ; d3f:definition "The product uses a broken or risky cryptographic algorithm or protocol." . d3f:CWE-328 a owl:Class ; rdfs:label "Use of Weak Hash" ; rdfs:subClassOf d3f:CWE-326, d3f:CWE-327 ; d3f:cwe-id "CWE-328" ; d3f:definition "The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack)." . d3f:CWE-329 a owl:Class ; rdfs:label "Generation of Predictable IV with CBC Mode" ; rdfs:subClassOf d3f:CWE-573, d3f:CWE-1204 ; d3f:cwe-id "CWE-329" ; d3f:definition "The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key." . d3f:CWE-330 a owl:Class ; rdfs:label "Use of Insufficiently Random Values" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-330" ; d3f:definition "The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers." . d3f:CWE-331 a owl:Class ; rdfs:label "Insufficient Entropy" ; rdfs:subClassOf d3f:CWE-330 ; d3f:cwe-id "CWE-331" ; d3f:definition "The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others." . d3f:CWE-332 a owl:Class ; rdfs:label "Insufficient Entropy in PRNG" ; rdfs:subClassOf d3f:CWE-331 ; d3f:cwe-id "CWE-332" ; d3f:definition "The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat." . d3f:CWE-333 a owl:Class ; rdfs:label "Improper Handling of Insufficient Entropy in TRNG" ; rdfs:subClassOf d3f:CWE-331, d3f:CWE-703, d3f:CWE-755 ; d3f:cwe-id "CWE-333" ; d3f:definition "True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block." . d3f:CWE-334 a owl:Class ; rdfs:label "Small Space of Random Values" ; rdfs:subClassOf d3f:CWE-330 ; d3f:cwe-id "CWE-334" ; d3f:definition "The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks." . d3f:CWE-335 a owl:Class ; rdfs:label "Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)" ; rdfs:subClassOf d3f:CWE-330 ; d3f:cwe-id "CWE-335" ; d3f:definition "The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds." . d3f:CWE-336 a owl:Class ; rdfs:label "Same Seed in Pseudo-Random Number Generator (PRNG)" ; rdfs:subClassOf d3f:CWE-335 ; d3f:cwe-id "CWE-336" ; d3f:definition "A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized." . d3f:CWE-337 a owl:Class ; rdfs:label "Predictable Seed in Pseudo-Random Number Generator (PRNG)" ; rdfs:subClassOf d3f:CWE-335 ; d3f:cwe-id "CWE-337" ; d3f:definition "A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time." . d3f:CWE-338 a owl:Class ; rdfs:label "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)" ; rdfs:subClassOf d3f:CWE-330 ; d3f:cwe-id "CWE-338" ; d3f:definition "The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong." . d3f:CWE-339 a owl:Class ; rdfs:label "Small Seed Space in PRNG" ; rdfs:subClassOf d3f:CWE-335 ; d3f:cwe-id "CWE-339" ; d3f:definition "A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks." . d3f:CWE-340 a owl:Class ; rdfs:label "Generation of Predictable Numbers or Identifiers" ; rdfs:subClassOf d3f:CWE-330 ; d3f:cwe-id "CWE-340" ; d3f:definition "The product uses a scheme that generates numbers or identifiers that are more predictable than required." . d3f:CWE-341 a owl:Class ; rdfs:label "Predictable from Observable State" ; rdfs:subClassOf d3f:CWE-340 ; d3f:cwe-id "CWE-341" ; d3f:definition "A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc." . d3f:CWE-342 a owl:Class ; rdfs:label "Predictable Exact Value from Previous Values" ; rdfs:subClassOf d3f:CWE-340 ; d3f:cwe-id "CWE-342" ; d3f:definition "An exact value or random number can be precisely predicted by observing previous values." . d3f:CWE-343 a owl:Class ; rdfs:label "Predictable Value Range from Previous Values" ; rdfs:subClassOf d3f:CWE-340 ; d3f:cwe-id "CWE-343" ; d3f:definition "The product's random number generator produces a series of values which, when observed, can be used to infer a relatively small range of possibilities for the next value that could be generated." . d3f:CWE-344 a owl:Class ; rdfs:label "Use of Invariant Value in Dynamically Changing Context" ; rdfs:subClassOf d3f:CWE-330 ; d3f:cwe-id "CWE-344" ; d3f:definition "The product uses a constant value, name, or reference, but this value can (or should) vary across different environments." . d3f:CWE-345 a owl:Class ; rdfs:label "Insufficient Verification of Data Authenticity" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-345" ; d3f:definition "The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data." . d3f:CWE-346 a owl:Class ; rdfs:label "Origin Validation Error" ; rdfs:subClassOf d3f:CWE-284, d3f:CWE-345 ; d3f:cwe-id "CWE-346" ; d3f:definition "The product does not properly verify that the source of data or communication is valid." . d3f:CWE-347 a owl:Class ; rdfs:label "Improper Verification of Cryptographic Signature" ; rdfs:subClassOf d3f:CWE-345 ; d3f:cwe-id "CWE-347" ; d3f:definition "The product does not verify, or incorrectly verifies, the cryptographic signature for data." . d3f:CWE-348 a owl:Class ; rdfs:label "Use of Less Trusted Source" ; rdfs:subClassOf d3f:CWE-345 ; d3f:cwe-id "CWE-348" ; d3f:definition "The product has two different sources of the same data or information, but it uses the source that has less support for verification, is less trusted, or is less resistant to attack." . d3f:CWE-349 a owl:Class ; rdfs:label "Acceptance of Extraneous Untrusted Data With Trusted Data" ; rdfs:subClassOf d3f:CWE-345 ; d3f:cwe-id "CWE-349" ; d3f:definition "The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted." . d3f:CWE-350 a owl:Class ; rdfs:label "Reliance on Reverse DNS Resolution for a Security-Critical Action" ; rdfs:subClassOf d3f:CWE-290, d3f:CWE-807 ; d3f:cwe-id "CWE-350" ; d3f:definition "The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname." . d3f:CWE-351 a owl:Class ; rdfs:label "Insufficient Type Distinction" ; rdfs:subClassOf d3f:CWE-345 ; d3f:cwe-id "CWE-351" ; d3f:definition "The product does not properly distinguish between different types of elements in a way that leads to insecure behavior." . d3f:CWE-352 a owl:Class, owl:NamedIndividual ; rdfs:label "Cross-Site Request Forgery (CSRF)" ; rdfs:subClassOf d3f:CWE-345, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ] ; d3f:cwe-id "CWE-352" ; d3f:definition "The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor." ; d3f:synonym "Cross Site Reference Forgery", "CSRF", "Session Riding", "XSRF" ; d3f:weakness-of d3f:UserInputFunction . d3f:CWE-353 a owl:Class ; rdfs:label "Missing Support for Integrity Check" ; rdfs:subClassOf d3f:CWE-345 ; d3f:cwe-id "CWE-353" ; d3f:definition "The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum." . d3f:CWE-354 a owl:Class ; rdfs:label "Improper Validation of Integrity Check Value" ; rdfs:subClassOf d3f:CWE-345, d3f:CWE-754 ; d3f:cwe-id "CWE-354" ; d3f:definition "The product does not validate or incorrectly validates the integrity check values or \"checksums\" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission." . d3f:CWE-356 a owl:Class ; rdfs:label "Product UI does not Warn User of Unsafe Actions" ; rdfs:subClassOf d3f:CWE-221 ; d3f:cwe-id "CWE-356" ; d3f:definition "The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system." . d3f:CWE-357 a owl:Class ; rdfs:label "Insufficient UI Warning of Dangerous Operations" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-357" ; d3f:definition "The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention." . d3f:CWE-358 a owl:Class ; rdfs:label "Improperly Implemented Security Check for Standard" ; rdfs:subClassOf d3f:CWE-573, d3f:CWE-693 ; d3f:cwe-id "CWE-358" ; d3f:definition "The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique." . d3f:CWE-359 a owl:Class ; rdfs:label "Exposure of Private Personal Information to an Unauthorized Actor" ; rdfs:subClassOf d3f:CWE-200 ; d3f:cwe-id "CWE-359" ; d3f:definition "The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected." ; d3f:synonym "Privacy leak", "Privacy leakage", "Privacy violation" . d3f:CWE-360 a owl:Class ; rdfs:label "Trust of System Event Data" ; rdfs:subClassOf d3f:CWE-345 ; d3f:cwe-id "CWE-360" ; d3f:definition "Security based on event locations are insecure and can be spoofed." . d3f:CWE-362 a owl:Class, owl:NamedIndividual ; rdfs:label "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')" ; rdfs:subClassOf d3f:CWE-691, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:SharedResourceAccessFunction ] ; d3f:cwe-id "CWE-362" ; d3f:definition "The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently." ; d3f:synonym "Race Condition" ; d3f:weakness-of d3f:SharedResourceAccessFunction . d3f:CWE-363 a owl:Class ; rdfs:label "Race Condition Enabling Link Following" ; rdfs:subClassOf d3f:CWE-367 ; d3f:cwe-id "CWE-363" ; d3f:definition "The product checks the status of a file or directory before accessing it, which produces a race condition in which the file can be replaced with a link before the access is performed, causing the product to access the wrong file." . d3f:CWE-364 a owl:Class ; rdfs:label "Signal Handler Race Condition" ; rdfs:subClassOf d3f:CWE-362 ; d3f:cwe-id "CWE-364" ; d3f:definition "The product uses a signal handler that introduces a race condition." . d3f:CWE-366 a owl:Class ; rdfs:label "Race Condition within a Thread" ; rdfs:subClassOf d3f:CWE-362 ; d3f:cwe-id "CWE-366" ; d3f:definition "If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined." . d3f:CWE-367 a owl:Class ; rdfs:label "Time-of-check Time-of-use (TOCTOU) Race Condition" ; rdfs:subClassOf d3f:CWE-362 ; d3f:cwe-id "CWE-367" ; d3f:definition "The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state." ; d3f:synonym "TOCCTOU", "TOCTTOU" . d3f:CWE-368 a owl:Class ; rdfs:label "Context Switching Race Condition" ; rdfs:subClassOf d3f:CWE-362 ; d3f:cwe-id "CWE-368" ; d3f:definition "A product performs a series of non-atomic actions to switch between contexts that cross privilege or other security boundaries, but a race condition allows an attacker to modify or misrepresent the product's behavior during the switch." . d3f:CWE-369 a owl:Class ; rdfs:label "Divide By Zero" ; rdfs:subClassOf d3f:CWE-682 ; d3f:cwe-id "CWE-369" ; d3f:definition "The product divides a value by zero." . d3f:CWE-370 a owl:Class ; rdfs:label "Missing Check for Certificate Revocation after Initial Check" ; rdfs:subClassOf d3f:CWE-299 ; d3f:cwe-id "CWE-370" ; d3f:definition "The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time." . d3f:CWE-372 a owl:Class ; rdfs:label "Incomplete Internal State Distinction" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-372" ; d3f:definition "The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner." . d3f:CWE-374 a owl:Class ; rdfs:label "Passing Mutable Objects to an Untrusted Method" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-374" ; d3f:definition "The product sends non-cloned mutable data as an argument to a method or function." . d3f:CWE-375 a owl:Class ; rdfs:label "Returning a Mutable Object to an Untrusted Caller" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-375" ; d3f:definition "Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function." . d3f:CWE-377 a owl:Class ; rdfs:label "Insecure Temporary File" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-377" ; d3f:definition "Creating and using insecure temporary files can leave application and system data vulnerable to attack." . d3f:CWE-378 a owl:Class ; rdfs:label "Creation of Temporary File With Insecure Permissions" ; rdfs:subClassOf d3f:CWE-377 ; d3f:cwe-id "CWE-378" ; d3f:definition "Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack." . d3f:CWE-379 a owl:Class ; rdfs:label "Creation of Temporary File in Directory with Insecure Permissions" ; rdfs:subClassOf d3f:CWE-377 ; d3f:cwe-id "CWE-379" ; d3f:definition "The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file." . d3f:CWE-382 a owl:Class ; rdfs:label "J2EE Bad Practices: Use of System.exit()" ; rdfs:subClassOf d3f:CWE-705 ; d3f:cwe-id "CWE-382" ; d3f:definition "A J2EE application uses System.exit(), which also shuts down its container." . d3f:CWE-383 a owl:Class ; rdfs:label "J2EE Bad Practices: Direct Use of Threads" ; rdfs:subClassOf d3f:CWE-695 ; d3f:cwe-id "CWE-383" ; d3f:definition "Thread management in a Web application is forbidden in some circumstances and is always highly error prone." . d3f:CWE-384 a owl:Class ; rdfs:label "Session Fixation" ; rdfs:subClassOf d3f:CWE-610 ; d3f:cwe-id "CWE-384" ; d3f:definition "Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions." . d3f:CWE-385 a owl:Class ; rdfs:label "Covert Timing Channel" ; rdfs:subClassOf d3f:CWE-514 ; d3f:cwe-id "CWE-385" ; d3f:definition "Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information." . d3f:CWE-386 a owl:Class ; rdfs:label "Symbolic Name not Mapping to Correct Object" ; rdfs:subClassOf d3f:CWE-706 ; d3f:cwe-id "CWE-386" ; d3f:definition "A constant symbolic reference to an object is used, even though the reference can resolve to a different object over time." . d3f:CWE-390 a owl:Class ; rdfs:label "Detection of Error Condition Without Action" ; rdfs:subClassOf d3f:CWE-755 ; d3f:cwe-id "CWE-390" ; d3f:definition "The product detects a specific error, but takes no actions to handle the error." . d3f:CWE-391 a owl:Class ; rdfs:label "Unchecked Error Condition" ; rdfs:subClassOf d3f:CWE-754 ; d3f:cwe-id "CWE-391" ; d3f:definition "[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed." . d3f:CWE-392 a owl:Class ; rdfs:label "Missing Report of Error Condition" ; rdfs:subClassOf d3f:CWE-684, d3f:CWE-703, d3f:CWE-755 ; d3f:cwe-id "CWE-392" ; d3f:definition "The product encounters an error but does not provide a status code or return value to indicate that an error has occurred." . d3f:CWE-393 a owl:Class ; rdfs:label "Return of Wrong Status Code" ; rdfs:subClassOf d3f:CWE-684, d3f:CWE-703 ; d3f:cwe-id "CWE-393" ; d3f:definition "A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result." . d3f:CWE-394 a owl:Class ; rdfs:label "Unexpected Status Code or Return Value" ; rdfs:subClassOf d3f:CWE-754 ; d3f:cwe-id "CWE-394" ; d3f:definition "The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product." . d3f:CWE-395 a owl:Class ; rdfs:label "Use of NullPointerException Catch to Detect NULL Pointer Dereference" ; rdfs:subClassOf d3f:CWE-705, d3f:CWE-755 ; d3f:cwe-id "CWE-395" ; d3f:definition "Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer." . d3f:CWE-396 a owl:Class ; rdfs:label "Declaration of Catch for Generic Exception" ; rdfs:subClassOf d3f:CWE-221, d3f:CWE-705, d3f:CWE-755 ; d3f:cwe-id "CWE-396" ; d3f:definition "Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities." . d3f:CWE-397 a owl:Class ; rdfs:label "Declaration of Throws for Generic Exception" ; rdfs:subClassOf d3f:CWE-221, d3f:CWE-703, d3f:CWE-705 ; d3f:cwe-id "CWE-397" ; d3f:definition "The product throws or raises an overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions." . d3f:CWE-400 a owl:Class ; rdfs:label "Uncontrolled Resource Consumption" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-400" ; d3f:definition "The product does not properly control the allocation and maintenance of a limited resource." ; d3f:synonym "Resource Exhaustion" . d3f:CWE-401 a owl:Class ; rdfs:label "Missing Release of Memory after Effective Lifetime" ; rdfs:subClassOf d3f:CWE-772 ; d3f:cwe-id "CWE-401" ; d3f:definition "The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse." ; d3f:synonym "Memory Leak" . d3f:CWE-402 a owl:Class ; rdfs:label "Transmission of Private Resources into a New Sphere ('Resource Leak')" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-402" ; d3f:definition "The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product." ; d3f:synonym "Resource Leak" . d3f:CWE-403 a owl:Class ; rdfs:label "Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')" ; rdfs:subClassOf d3f:CWE-402 ; d3f:cwe-id "CWE-403" ; d3f:definition "A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors." ; d3f:synonym "File descriptor leak" . d3f:CWE-404 a owl:Class ; rdfs:label "Improper Resource Shutdown or Release" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-404" ; d3f:definition "The product does not release or incorrectly releases a resource before it is made available for re-use." . d3f:CWE-405 a owl:Class ; rdfs:label "Asymmetric Resource Consumption (Amplification)" ; rdfs:subClassOf d3f:CWE-400, d3f:CWE-664 ; d3f:cwe-id "CWE-405" ; d3f:definition "The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is \"asymmetric.\"" . d3f:CWE-406 a owl:Class ; rdfs:label "Insufficient Control of Network Message Volume (Network Amplification)" ; rdfs:subClassOf d3f:CWE-405 ; d3f:cwe-id "CWE-406" ; d3f:definition "The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor." . d3f:CWE-407 a owl:Class ; rdfs:label "Inefficient Algorithmic Complexity" ; rdfs:subClassOf d3f:CWE-405 ; d3f:cwe-id "CWE-407" ; d3f:definition "An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached." ; d3f:synonym "Quadratic Complexity" . d3f:CWE-408 a owl:Class ; rdfs:label "Incorrect Behavior Order: Early Amplification" ; rdfs:subClassOf d3f:CWE-405, d3f:CWE-696 ; d3f:cwe-id "CWE-408" ; d3f:definition "The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place." . d3f:CWE-409 a owl:Class ; rdfs:label "Improper Handling of Highly Compressed Data (Data Amplification)" ; rdfs:subClassOf d3f:CWE-405 ; d3f:cwe-id "CWE-409" ; d3f:definition "The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output." . d3f:CWE-410 a owl:Class ; rdfs:label "Insufficient Resource Pool" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-410" ; d3f:definition "The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources." . d3f:CWE-412 a owl:Class ; rdfs:label "Unrestricted Externally Accessible Lock" ; rdfs:subClassOf d3f:CWE-667 ; d3f:cwe-id "CWE-412" ; d3f:definition "The product properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control." . d3f:CWE-413 a owl:Class ; rdfs:label "Improper Resource Locking" ; rdfs:subClassOf d3f:CWE-667 ; d3f:cwe-id "CWE-413" ; d3f:definition "The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource." . d3f:CWE-414 a owl:Class ; rdfs:label "Missing Lock Check" ; rdfs:subClassOf d3f:CWE-667 ; d3f:cwe-id "CWE-414" ; d3f:definition "A product does not check to see if a lock is present before performing sensitive operations on a resource." . d3f:CWE-415 a owl:Class, owl:NamedIndividual ; rdfs:label "Double Free" ; rdfs:subClassOf d3f:CWE-666, d3f:CWE-825, d3f:CWE-1341, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:MemoryFreeFunction ] ; d3f:cwe-id "CWE-415" ; d3f:definition "The product calls free() twice on the same memory address." ; d3f:synonym "Double-free" ; d3f:weakness-of d3f:MemoryFreeFunction . d3f:CWE-416 a owl:Class ; rdfs:label "Use After Free" ; rdfs:subClassOf d3f:CWE-825 ; d3f:cwe-id "CWE-416" ; d3f:definition "The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory \"belongs\" to the code that operates on the new pointer." ; d3f:synonym "Dangling pointer", "UAF", "Use-After-Free" . d3f:CWE-419 a owl:Class ; rdfs:label "Unprotected Primary Channel" ; rdfs:subClassOf d3f:CWE-923 ; d3f:cwe-id "CWE-419" ; d3f:definition "The product uses a primary channel for administration or restricted functionality, but it does not properly protect the channel." . d3f:CWE-420 a owl:Class ; rdfs:label "Unprotected Alternate Channel" ; rdfs:subClassOf d3f:CWE-923 ; d3f:cwe-id "CWE-420" ; d3f:definition "The product protects a primary channel, but it does not use the same level of protection for an alternate channel." . d3f:CWE-421 a owl:Class ; rdfs:label "Race Condition During Access to Alternate Channel" ; rdfs:subClassOf d3f:CWE-362, d3f:CWE-420 ; d3f:cwe-id "CWE-421" ; d3f:definition "The product opens an alternate channel to communicate with an authorized user, but the channel is accessible to other actors." . d3f:CWE-422 a owl:Class ; rdfs:label "Unprotected Windows Messaging Channel ('Shatter')" ; rdfs:subClassOf d3f:CWE-360, d3f:CWE-420 ; d3f:cwe-id "CWE-422" ; d3f:definition "The product does not properly verify the source of a message in the Windows Messaging System while running at elevated privileges, creating an alternate channel through which an attacker can directly send a message to the product." . d3f:CWE-424 a owl:Class ; rdfs:label "Improper Protection of Alternate Path" ; rdfs:subClassOf d3f:CWE-638, d3f:CWE-693 ; d3f:cwe-id "CWE-424" ; d3f:definition "The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources." . d3f:CWE-425 a owl:Class ; rdfs:label "Direct Request ('Forced Browsing')" ; rdfs:subClassOf d3f:CWE-288, d3f:CWE-424, d3f:CWE-862 ; d3f:cwe-id "CWE-425" ; d3f:definition "The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files." ; d3f:synonym "forced browsing" . d3f:CWE-426 a owl:Class ; rdfs:label "Untrusted Search Path" ; rdfs:subClassOf d3f:CWE-642, d3f:CWE-673 ; d3f:cwe-id "CWE-426" ; d3f:definition "The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control." ; d3f:synonym "Untrusted Path" . d3f:CWE-427 a owl:Class ; rdfs:label "Uncontrolled Search Path Element" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-427" ; d3f:definition "The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors." ; d3f:synonym "Binary planting", "Dependency confusion", "DLL preloading", "Insecure library loading" . d3f:CWE-428 a owl:Class ; rdfs:label "Unquoted Search Path or Element" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-428" ; d3f:definition "The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path." . d3f:CWE-430 a owl:Class ; rdfs:label "Deployment of Wrong Handler" ; rdfs:subClassOf d3f:CWE-691 ; d3f:cwe-id "CWE-430" ; d3f:definition "The wrong \"handler\" is assigned to process an object." . d3f:CWE-431 a owl:Class ; rdfs:label "Missing Handler" ; rdfs:subClassOf d3f:CWE-691 ; d3f:cwe-id "CWE-431" ; d3f:definition "A handler is not available or implemented." . d3f:CWE-432 a owl:Class ; rdfs:label "Dangerous Signal Handler not Disabled During Sensitive Operations" ; rdfs:subClassOf d3f:CWE-364 ; d3f:cwe-id "CWE-432" ; d3f:definition "The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running." . d3f:CWE-433 a owl:Class ; rdfs:label "Unparsed Raw Web Content Delivery" ; rdfs:subClassOf d3f:CWE-219 ; d3f:cwe-id "CWE-433" ; d3f:definition "The product stores raw content or supporting code under the web document root with an extension that is not specifically handled by the server." . d3f:CWE-434 a owl:Class, owl:NamedIndividual ; rdfs:label "Unrestricted Upload of File with Dangerous Type" ; rdfs:subClassOf d3f:CWE-669, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ] ; d3f:cwe-id "CWE-434" ; d3f:definition "The product allows the upload or transfer of dangerous file types that are automatically processed within its environment." ; d3f:synonym "Unrestricted File Upload" ; d3f:weakness-of d3f:UserInputFunction . d3f:CWE-435 a owl:Class ; rdfs:label "Improper Interaction Between Multiple Correctly-Behaving Entities" ; rdfs:subClassOf d3f:Weakness ; d3f:cwe-id "CWE-435" ; d3f:definition "An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses." ; d3f:synonym "Emergent Fault", "Interaction Error" . d3f:CWE-436 a owl:Class ; rdfs:label "Interpretation Conflict" ; rdfs:subClassOf d3f:CWE-435 ; d3f:cwe-id "CWE-436" ; d3f:definition "Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state." . d3f:CWE-437 a owl:Class ; rdfs:label "Incomplete Model of Endpoint Features" ; rdfs:subClassOf d3f:CWE-436 ; d3f:cwe-id "CWE-437" ; d3f:definition "A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, potentially causing the product to perform incorrect actions based on this incomplete model." . d3f:CWE-439 a owl:Class ; rdfs:label "Behavioral Change in New Version or Environment" ; rdfs:subClassOf d3f:CWE-435 ; d3f:cwe-id "CWE-439" ; d3f:definition "A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B." ; d3f:synonym "Functional change" . d3f:CWE-440 a owl:Class ; rdfs:label "Expected Behavior Violation" ; rdfs:subClassOf d3f:CWE-684 ; d3f:cwe-id "CWE-440" ; d3f:definition "A feature, API, or function does not perform according to its specification." . d3f:CWE-441 a owl:Class ; rdfs:label "Unintended Proxy or Intermediary ('Confused Deputy')" ; rdfs:subClassOf d3f:CWE-610 ; d3f:cwe-id "CWE-441" ; d3f:definition "The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor." ; d3f:synonym "Confused Deputy" . d3f:CWE-444 a owl:Class ; rdfs:label "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')" ; rdfs:subClassOf d3f:CWE-436 ; d3f:cwe-id "CWE-444" ; d3f:definition "The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination." ; d3f:synonym "HTTP Request Smuggling", "HTTP Response Smuggling", "HTTP Smuggling" . d3f:CWE-446 a owl:Class ; rdfs:label "UI Discrepancy for Security Feature" ; rdfs:subClassOf d3f:CWE-684 ; d3f:cwe-id "CWE-446" ; d3f:definition "The user interface does not correctly enable or configure a security feature, but the interface provides feedback that causes the user to believe that the feature is in a secure state." . d3f:CWE-447 a owl:Class ; rdfs:label "Unimplemented or Unsupported Feature in UI" ; rdfs:subClassOf d3f:CWE-446, d3f:CWE-671 ; d3f:cwe-id "CWE-447" ; d3f:definition "A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not implemented." . d3f:CWE-448 a owl:Class ; rdfs:label "Obsolete Feature in UI" ; rdfs:subClassOf d3f:CWE-446 ; d3f:cwe-id "CWE-448" ; d3f:definition "A UI function is obsolete and the product does not warn the user." . d3f:CWE-449 a owl:Class ; rdfs:label "The UI Performs the Wrong Action" ; rdfs:subClassOf d3f:CWE-446 ; d3f:cwe-id "CWE-449" ; d3f:definition "The UI performs the wrong action with respect to the user's request." . d3f:CWE-450 a owl:Class ; rdfs:label "Multiple Interpretations of UI Input" ; rdfs:subClassOf d3f:CWE-357 ; d3f:cwe-id "CWE-450" ; d3f:definition "The UI has multiple interpretations of user input but does not prompt the user when it selects the less secure interpretation." . d3f:CWE-451 a owl:Class ; rdfs:label "User Interface (UI) Misrepresentation of Critical Information" ; rdfs:subClassOf d3f:CWE-221, d3f:CWE-684 ; d3f:cwe-id "CWE-451" ; d3f:definition "The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks." . d3f:CWE-453 a owl:Class ; rdfs:label "Insecure Default Variable Initialization" ; rdfs:subClassOf d3f:CWE-1188 ; d3f:cwe-id "CWE-453" ; d3f:definition "The product, by default, initializes an internal variable with an insecure or less secure value than is possible." . d3f:CWE-454 a owl:Class ; rdfs:label "External Initialization of Trusted Variables or Data Stores" ; rdfs:subClassOf d3f:CWE-665, d3f:CWE-1419 ; d3f:cwe-id "CWE-454" ; d3f:definition "The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors." . d3f:CWE-455 a owl:Class ; rdfs:label "Non-exit on Failed Initialization" ; rdfs:subClassOf d3f:CWE-636, d3f:CWE-665, d3f:CWE-705 ; d3f:cwe-id "CWE-455" ; d3f:definition "The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format error or a hardware security module (HSM) cannot be activated, which can cause the product to execute in a less secure fashion than intended by the administrator." . d3f:CWE-456 a owl:Class ; rdfs:label "Missing Initialization of a Variable" ; rdfs:subClassOf d3f:CWE-909 ; d3f:cwe-id "CWE-456" ; d3f:definition "The product does not initialize critical variables, which causes the execution environment to use unexpected values." . d3f:CWE-457 a owl:Class ; rdfs:label "Use of Uninitialized Variable" ; rdfs:subClassOf d3f:CWE-908 ; d3f:cwe-id "CWE-457" ; d3f:definition "The code uses a variable that has not been initialized, leading to unpredictable or unintended results." . d3f:CWE-459 a owl:Class ; rdfs:label "Incomplete Cleanup" ; rdfs:subClassOf d3f:CWE-404 ; d3f:cwe-id "CWE-459" ; d3f:definition "The product does not properly \"clean up\" and remove temporary or supporting resources after they have been used." ; d3f:synonym "Insufficient Cleanup" . d3f:CWE-460 a owl:Class ; rdfs:label "Improper Cleanup on Thrown Exception" ; rdfs:subClassOf d3f:CWE-459, d3f:CWE-755 ; d3f:cwe-id "CWE-460" ; d3f:definition "The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow." . d3f:CWE-462 a owl:Class ; rdfs:label "Duplicate Key in Associative List (Alist)" ; rdfs:subClassOf d3f:CWE-694 ; d3f:cwe-id "CWE-462" ; d3f:definition "Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error." . d3f:CWE-463 a owl:Class ; rdfs:label "Deletion of Data Structure Sentinel" ; rdfs:subClassOf d3f:CWE-707 ; d3f:cwe-id "CWE-463" ; d3f:definition "The accidental deletion of a data-structure sentinel can cause serious programming logic problems." . d3f:CWE-464 a owl:Class ; rdfs:label "Addition of Data Structure Sentinel" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-464" ; d3f:definition "The accidental addition of a data-structure sentinel can cause serious programming logic problems." . d3f:CWE-466 a owl:Class ; rdfs:label "Return of Pointer Value Outside of Expected Range" ; rdfs:subClassOf d3f:CWE-119 ; d3f:cwe-id "CWE-466" ; d3f:definition "A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference." . d3f:CWE-467 a owl:Class ; rdfs:label "Use of sizeof() on a Pointer Type" ; rdfs:subClassOf d3f:CWE-131 ; d3f:cwe-id "CWE-467" ; d3f:definition "The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to." . d3f:CWE-468 a owl:Class ; rdfs:label "Incorrect Pointer Scaling" ; rdfs:subClassOf d3f:CWE-682 ; d3f:cwe-id "CWE-468" ; d3f:definition "In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled." . d3f:CWE-469 a owl:Class ; rdfs:label "Use of Pointer Subtraction to Determine Size" ; rdfs:subClassOf d3f:CWE-682 ; d3f:cwe-id "CWE-469" ; d3f:definition "The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk." . d3f:CWE-470 a owl:Class ; rdfs:label "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')" ; rdfs:subClassOf d3f:CWE-610, d3f:CWE-913 ; d3f:cwe-id "CWE-470" ; d3f:definition "The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code." ; d3f:synonym "Reflection Injection" . d3f:CWE-471 a owl:Class ; rdfs:label "Modification of Assumed-Immutable Data (MAID)" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-471" ; d3f:definition "The product does not properly protect an assumed-immutable element from being modified by an attacker." . d3f:CWE-472 a owl:Class ; rdfs:label "External Control of Assumed-Immutable Web Parameter" ; rdfs:subClassOf d3f:CWE-471, d3f:CWE-642 ; d3f:cwe-id "CWE-472" ; d3f:definition "The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields." ; d3f:synonym "Assumed-Immutable Parameter Tampering" . d3f:CWE-473 a owl:Class ; rdfs:label "PHP External Variable Modification" ; rdfs:subClassOf d3f:CWE-471 ; d3f:cwe-id "CWE-473" ; d3f:definition "A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies. This can expose the application to numerous weaknesses that would not exist otherwise." . d3f:CWE-474 a owl:Class ; rdfs:label "Use of Function with Inconsistent Implementations" ; rdfs:subClassOf d3f:CWE-758 ; d3f:cwe-id "CWE-474" ; d3f:definition "The code uses a function that has inconsistent implementations across operating systems and versions." . d3f:CWE-475 a owl:Class ; rdfs:label "Undefined Behavior for Input to API" ; rdfs:subClassOf d3f:CWE-573 ; d3f:cwe-id "CWE-475" ; d3f:definition "The behavior of this function is undefined unless its control parameter is set to a specific value." . d3f:CWE-476 a owl:Class, owl:NamedIndividual ; rdfs:label "NULL Pointer Dereference" ; rdfs:subClassOf d3f:CWE-710, d3f:CWE-754, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:PointerDereferencingFunction ] ; d3f:cwe-id "CWE-476" ; d3f:definition "The product dereferences a pointer that it expects to be valid but is NULL." ; d3f:synonym "nil pointer dereference", "NPD", "NPE", "null deref" ; d3f:weakness-of d3f:PointerDereferencingFunction . d3f:CWE-477 a owl:Class ; rdfs:label "Use of Obsolete Function" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-477" ; d3f:definition "The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained." . d3f:CWE-478 a owl:Class ; rdfs:label "Missing Default Case in Multiple Condition Expression" ; rdfs:subClassOf d3f:CWE-1023 ; d3f:cwe-id "CWE-478" ; d3f:definition "The code does not have a default case in an expression with multiple conditions, such as a switch statement." . d3f:CWE-479 a owl:Class ; rdfs:label "Signal Handler Use of a Non-reentrant Function" ; rdfs:subClassOf d3f:CWE-663, d3f:CWE-828 ; d3f:cwe-id "CWE-479" ; d3f:definition "The product defines a signal handler that calls a non-reentrant function." . d3f:CWE-480 a owl:Class ; rdfs:label "Use of Incorrect Operator" ; rdfs:subClassOf d3f:CWE-670 ; d3f:cwe-id "CWE-480" ; d3f:definition "The product accidentally uses the wrong operator, which changes the logic in security-relevant ways." . d3f:CWE-481 a owl:Class ; rdfs:label "Assigning instead of Comparing" ; rdfs:subClassOf d3f:CWE-480 ; d3f:cwe-id "CWE-481" ; d3f:definition "The code uses an operator for assignment when the intention was to perform a comparison." . d3f:CWE-482 a owl:Class ; rdfs:label "Comparing instead of Assigning" ; rdfs:subClassOf d3f:CWE-480 ; d3f:cwe-id "CWE-482" ; d3f:definition "The code uses an operator for comparison when the intention was to perform an assignment." . d3f:CWE-483 a owl:Class ; rdfs:label "Incorrect Block Delimitation" ; rdfs:subClassOf d3f:CWE-670 ; d3f:cwe-id "CWE-483" ; d3f:definition "The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error." . d3f:CWE-484 a owl:Class ; rdfs:label "Omitted Break Statement in Switch" ; rdfs:subClassOf d3f:CWE-670, d3f:CWE-710 ; d3f:cwe-id "CWE-484" ; d3f:definition "The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition." . d3f:CWE-486 a owl:Class ; rdfs:label "Comparison of Classes by Name" ; rdfs:subClassOf d3f:CWE-1025 ; d3f:cwe-id "CWE-486" ; d3f:definition "The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name." . d3f:CWE-487 a owl:Class ; rdfs:label "Reliance on Package-level Scope" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-487" ; d3f:definition "Java packages are not inherently closed; therefore, relying on them for code security is not a good practice." . d3f:CWE-488 a owl:Class ; rdfs:label "Exposure of Data Element to Wrong Session" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-488" ; d3f:definition "The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session." . d3f:CWE-489 a owl:Class ; rdfs:label "Active Debug Code" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-489" ; d3f:definition "The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information." ; d3f:synonym "Leftover debug code" . d3f:CWE-491 a owl:Class ; rdfs:label "Public cloneable() Method Without Final ('Object Hijack')" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-491" ; d3f:definition "A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state." . d3f:CWE-492 a owl:Class ; rdfs:label "Use of Inner Class Containing Sensitive Data" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-492" ; d3f:definition "Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers." . d3f:CWE-493 a owl:Class ; rdfs:label "Critical Public Variable Without Final Modifier" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-493" ; d3f:definition "The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values." . d3f:CWE-494 a owl:Class ; rdfs:label "Download of Code Without Integrity Check" ; rdfs:subClassOf d3f:CWE-345, d3f:CWE-669 ; d3f:cwe-id "CWE-494" ; d3f:definition "The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code." . d3f:CWE-495 a owl:Class ; rdfs:label "Private Data Structure Returned From A Public Method" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-495" ; d3f:definition "The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways." . d3f:CWE-496 a owl:Class ; rdfs:label "Public Data Assigned to Private Array-Typed Field" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-496" ; d3f:definition "Assigning public data to a private array is equivalent to giving public access to the array." . d3f:CWE-497 a owl:Class ; rdfs:label "Exposure of Sensitive System Information to an Unauthorized Control Sphere" ; rdfs:subClassOf d3f:CWE-200 ; d3f:cwe-id "CWE-497" ; d3f:definition "The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does." . d3f:CWE-498 a owl:Class ; rdfs:label "Cloneable Class Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-498" ; d3f:definition "The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class." . d3f:CWE-499 a owl:Class ; rdfs:label "Serializable Class Containing Sensitive Data" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-499" ; d3f:definition "The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class." . d3f:CWE-500 a owl:Class ; rdfs:label "Public Static Field Not Marked Final" ; rdfs:subClassOf d3f:CWE-493 ; d3f:cwe-id "CWE-500" ; d3f:definition "An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways." . d3f:CWE-501 a owl:Class ; rdfs:label "Trust Boundary Violation" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-501" ; d3f:definition "The product mixes trusted and untrusted data in the same data structure or structured message." . d3f:CWE-502 a owl:Class, owl:NamedIndividual ; rdfs:label "Deserialization of Untrusted Data" ; rdfs:subClassOf d3f:CWE-913, [ a owl:Restriction ; owl:onProperty d3f:may-be-weakness-of ; owl:someValuesFrom d3f:UserInputFunction ], [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:DeserializationFunction ] ; d3f:cwe-id "CWE-502" ; d3f:definition "The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid." ; d3f:may-be-weakness-of d3f:UserInputFunction ; d3f:synonym "Marshaling, Unmarshaling", "PHP Object Injection", "Pickling, Unpickling" ; d3f:weakness-of d3f:DeserializationFunction . d3f:CWE-506 a owl:Class ; rdfs:label "Embedded Malicious Code" ; rdfs:subClassOf d3f:CWE-912 ; d3f:cwe-id "CWE-506" ; d3f:definition "The product contains code that appears to be malicious in nature." . d3f:CWE-507 a owl:Class ; rdfs:label "Trojan Horse" ; rdfs:subClassOf d3f:CWE-506 ; d3f:cwe-id "CWE-507" ; d3f:definition "The product appears to contain benign or useful functionality, but it also contains code that is hidden from normal operation that violates the intended security policy of the user or the system administrator." . d3f:CWE-508 a owl:Class ; rdfs:label "Non-Replicating Malicious Code" ; rdfs:subClassOf d3f:CWE-507 ; d3f:cwe-id "CWE-508" ; d3f:definition "Non-replicating malicious code only resides on the target system or product that is attacked; it does not attempt to spread to other systems." . d3f:CWE-509 a owl:Class ; rdfs:label "Replicating Malicious Code (Virus or Worm)" ; rdfs:subClassOf d3f:CWE-507 ; d3f:cwe-id "CWE-509" ; d3f:definition "Replicating malicious code, including viruses and worms, will attempt to attack other systems once it has successfully compromised the target system or the product." . d3f:CWE-510 a owl:Class ; rdfs:label "Trapdoor" ; rdfs:subClassOf d3f:CWE-506 ; d3f:cwe-id "CWE-510" ; d3f:definition "A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism." . d3f:CWE-511 a owl:Class ; rdfs:label "Logic/Time Bomb" ; rdfs:subClassOf d3f:CWE-506 ; d3f:cwe-id "CWE-511" ; d3f:definition "The product contains code that is designed to disrupt the legitimate operation of the product (or its environment) when a certain time passes, or when a certain logical condition is met." . d3f:CWE-512 a owl:Class ; rdfs:label "Spyware" ; rdfs:subClassOf d3f:CWE-506 ; d3f:cwe-id "CWE-512" ; d3f:definition "The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's explicit approval or direct input into the product." . d3f:CWE-514 a owl:Class ; rdfs:label "Covert Channel" ; rdfs:subClassOf d3f:CWE-1229 ; d3f:cwe-id "CWE-514" ; d3f:definition "A covert channel is a path that can be used to transfer information in a way not intended by the system's designers." . d3f:CWE-515 a owl:Class ; rdfs:label "Covert Storage Channel" ; rdfs:subClassOf d3f:CWE-514 ; d3f:cwe-id "CWE-515" ; d3f:definition "A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information." . d3f:CWE-520 a owl:Class ; rdfs:label ".NET Misconfiguration: Use of Impersonation" ; rdfs:subClassOf d3f:CWE-266 ; d3f:cwe-id "CWE-520" ; d3f:definition "Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks." . d3f:CWE-521 a owl:Class ; rdfs:label "Weak Password Requirements" ; rdfs:subClassOf d3f:CWE-1391 ; d3f:cwe-id "CWE-521" ; d3f:definition "The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts." . d3f:CWE-522 a owl:Class ; rdfs:label "Insufficiently Protected Credentials" ; rdfs:subClassOf d3f:CWE-668, d3f:CWE-1390 ; d3f:cwe-id "CWE-522" ; d3f:definition "The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval." . d3f:CWE-523 a owl:Class ; rdfs:label "Unprotected Transport of Credentials" ; rdfs:subClassOf d3f:CWE-522 ; d3f:cwe-id "CWE-523" ; d3f:definition "Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server." . d3f:CWE-524 a owl:Class ; rdfs:label "Use of Cache Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-524" ; d3f:definition "The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere." . d3f:CWE-525 a owl:Class ; rdfs:label "Use of Web Browser Cache Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-524 ; d3f:cwe-id "CWE-525" ; d3f:definition "The web application does not use an appropriate caching policy that specifies the extent to which each web page and associated form fields should be cached." . d3f:CWE-526 a owl:Class ; rdfs:label "Cleartext Storage of Sensitive Information in an Environment Variable" ; rdfs:subClassOf d3f:CWE-312 ; d3f:cwe-id "CWE-526" ; d3f:definition "The product uses an environment variable to store unencrypted sensitive information." . d3f:CWE-527 a owl:Class ; rdfs:label "Exposure of Version-Control Repository to an Unauthorized Control Sphere" ; rdfs:subClassOf d3f:CWE-552 ; d3f:cwe-id "CWE-527" ; d3f:definition "The product stores a CVS, git, or other repository in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors." . d3f:CWE-528 a owl:Class ; rdfs:label "Exposure of Core Dump File to an Unauthorized Control Sphere" ; rdfs:subClassOf d3f:CWE-552 ; d3f:cwe-id "CWE-528" ; d3f:definition "The product generates a core dump file in a directory, archive, or other resource that is stored, transferred, or otherwise made accessible to unauthorized actors." . d3f:CWE-529 a owl:Class ; rdfs:label "Exposure of Access Control List Files to an Unauthorized Control Sphere" ; rdfs:subClassOf d3f:CWE-552 ; d3f:cwe-id "CWE-529" ; d3f:definition "The product stores access control list files in a directory or other container that is accessible to actors outside of the intended control sphere." . d3f:CWE-530 a owl:Class ; rdfs:label "Exposure of Backup File to an Unauthorized Control Sphere" ; rdfs:subClassOf d3f:CWE-552 ; d3f:cwe-id "CWE-530" ; d3f:definition "A backup file is stored in a directory or archive that is made accessible to unauthorized actors." . d3f:CWE-531 a owl:Class ; rdfs:label "Inclusion of Sensitive Information in Test Code" ; rdfs:subClassOf d3f:CWE-540 ; d3f:cwe-id "CWE-531" ; d3f:definition "Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions." . d3f:CWE-532 a owl:Class ; rdfs:label "Insertion of Sensitive Information into Log File" ; rdfs:subClassOf d3f:CWE-538 ; d3f:cwe-id "CWE-532" ; d3f:definition "The product writes sensitive information to a log file." . d3f:CWE-535 a owl:Class ; rdfs:label "Exposure of Information Through Shell Error Message" ; rdfs:subClassOf d3f:CWE-211 ; d3f:cwe-id "CWE-535" ; d3f:definition "A command shell error message indicates that there exists an unhandled exception in the web application code. In many cases, an attacker can leverage the conditions that cause these errors in order to gain unauthorized access to the system." . d3f:CWE-536 a owl:Class ; rdfs:label "Servlet Runtime Error Message Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-211 ; d3f:cwe-id "CWE-536" ; d3f:definition "A servlet error message indicates that there exists an unhandled exception in your web application code and may provide useful information to an attacker." . d3f:CWE-537 a owl:Class ; rdfs:label "Java Runtime Error Message Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-211 ; d3f:cwe-id "CWE-537" ; d3f:definition "In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system." . d3f:CWE-538 a owl:Class ; rdfs:label "Insertion of Sensitive Information into Externally-Accessible File or Directory" ; rdfs:subClassOf d3f:CWE-200 ; d3f:cwe-id "CWE-538" ; d3f:definition "The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information." . d3f:CWE-539 a owl:Class ; rdfs:label "Use of Persistent Cookies Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-552 ; d3f:cwe-id "CWE-539" ; d3f:definition "The web application uses persistent cookies, but the cookies contain sensitive information." . d3f:CWE-540 a owl:Class ; rdfs:label "Inclusion of Sensitive Information in Source Code" ; rdfs:subClassOf d3f:CWE-538 ; d3f:cwe-id "CWE-540" ; d3f:definition "Source code on a web server or repository often contains sensitive information and should generally not be accessible to users." . d3f:CWE-541 a owl:Class ; rdfs:label "Inclusion of Sensitive Information in an Include File" ; rdfs:subClassOf d3f:CWE-540 ; d3f:cwe-id "CWE-541" ; d3f:definition "If an include file source is accessible, the file can contain usernames and passwords, as well as sensitive information pertaining to the application and system." . d3f:CWE-543 a owl:Class ; rdfs:label "Use of Singleton Pattern Without Synchronization in a Multithreaded Context" ; rdfs:subClassOf d3f:CWE-820 ; d3f:cwe-id "CWE-543" ; d3f:definition "The product uses the singleton pattern when creating a resource within a multithreaded environment." . d3f:CWE-544 a owl:Class ; rdfs:label "Missing Standardized Error Handling Mechanism" ; rdfs:subClassOf d3f:CWE-755 ; d3f:cwe-id "CWE-544" ; d3f:definition "The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses." . d3f:CWE-546 a owl:Class ; rdfs:label "Suspicious Comment" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-546" ; d3f:definition "The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses." . d3f:CWE-547 a owl:Class ; rdfs:label "Use of Hard-coded, Security-relevant Constants" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-547" ; d3f:definition "The product uses hard-coded constants instead of symbolic names for security-critical values, which increases the likelihood of mistakes during code maintenance or security policy change." . d3f:CWE-548 a owl:Class ; rdfs:label "Exposure of Information Through Directory Listing" ; rdfs:subClassOf d3f:CWE-497 ; d3f:cwe-id "CWE-548" ; d3f:definition "The product inappropriately exposes a directory listing with an index of all the resources located inside of the directory." . d3f:CWE-549 a owl:Class ; rdfs:label "Missing Password Field Masking" ; rdfs:subClassOf d3f:CWE-522 ; d3f:cwe-id "CWE-549" ; d3f:definition "The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords." . d3f:CWE-550 a owl:Class ; rdfs:label "Server-generated Error Message Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-209 ; d3f:cwe-id "CWE-550" ; d3f:definition "Certain conditions, such as network failure, will cause a server error message to be displayed." . d3f:CWE-551 a owl:Class ; rdfs:label "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization" ; rdfs:subClassOf d3f:CWE-696, d3f:CWE-863 ; d3f:cwe-id "CWE-551" ; d3f:definition "If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection." . d3f:CWE-552 a owl:Class ; rdfs:label "Files or Directories Accessible to External Parties" ; rdfs:subClassOf d3f:CWE-285, d3f:CWE-668 ; d3f:cwe-id "CWE-552" ; d3f:definition "The product makes files or directories accessible to unauthorized actors, even though they should not be." . d3f:CWE-553 a owl:Class ; rdfs:label "Command Shell in Externally Accessible Directory" ; rdfs:subClassOf d3f:CWE-552 ; d3f:cwe-id "CWE-553" ; d3f:definition "A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web server." . d3f:CWE-554 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Not Using Input Validation Framework" ; rdfs:subClassOf d3f:CWE-1173 ; d3f:cwe-id "CWE-554" ; d3f:definition "The ASP.NET application does not use an input validation framework." . d3f:CWE-555 a owl:Class ; rdfs:label "J2EE Misconfiguration: Plaintext Password in Configuration File" ; rdfs:subClassOf d3f:CWE-260 ; d3f:cwe-id "CWE-555" ; d3f:definition "The J2EE application stores a plaintext password in a configuration file." . d3f:CWE-556 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Use of Identity Impersonation" ; rdfs:subClassOf d3f:CWE-266 ; d3f:cwe-id "CWE-556" ; d3f:definition "Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges." . d3f:CWE-558 a owl:Class ; rdfs:label "Use of getlogin() in Multithreaded Application" ; rdfs:subClassOf d3f:CWE-663 ; d3f:cwe-id "CWE-558" ; d3f:definition "The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values." . d3f:CWE-560 a owl:Class ; rdfs:label "Use of umask() with chmod-style Argument" ; rdfs:subClassOf d3f:CWE-687 ; d3f:cwe-id "CWE-560" ; d3f:definition "The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod()." . d3f:CWE-561 a owl:Class ; rdfs:label "Dead Code" ; rdfs:subClassOf d3f:CWE-1164 ; d3f:cwe-id "CWE-561" ; d3f:definition "The product contains dead code, which can never be executed." . d3f:CWE-562 a owl:Class ; rdfs:label "Return of Stack Variable Address" ; rdfs:subClassOf d3f:CWE-758 ; d3f:cwe-id "CWE-562" ; d3f:definition "A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash." . d3f:CWE-563 a owl:Class ; rdfs:label "Assignment to Variable without Use" ; rdfs:subClassOf d3f:CWE-1164 ; d3f:cwe-id "CWE-563" ; d3f:definition "The variable's value is assigned but never used, making it a dead store." ; d3f:synonym "Unused Variable" . d3f:CWE-564 a owl:Class ; rdfs:label "SQL Injection: Hibernate" ; rdfs:subClassOf d3f:CWE-89 ; d3f:cwe-id "CWE-564" ; d3f:definition "Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands." . d3f:CWE-565 a owl:Class ; rdfs:label "Reliance on Cookies without Validation and Integrity Checking" ; rdfs:subClassOf d3f:CWE-602, d3f:CWE-642 ; d3f:cwe-id "CWE-565" ; d3f:definition "The product relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user." . d3f:CWE-566 a owl:Class ; rdfs:label "Authorization Bypass Through User-Controlled SQL Primary Key" ; rdfs:subClassOf d3f:CWE-639 ; d3f:cwe-id "CWE-566" ; d3f:definition "The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor." . d3f:CWE-567 a owl:Class ; rdfs:label "Unsynchronized Access to Shared Data in a Multithreaded Context" ; rdfs:subClassOf d3f:CWE-820 ; d3f:cwe-id "CWE-567" ; d3f:definition "The product does not properly synchronize shared data, such as static variables across threads, which can lead to undefined behavior and unpredictable data changes." . d3f:CWE-568 a owl:Class ; rdfs:label "finalize() Method Without super.finalize()" ; rdfs:subClassOf d3f:CWE-459, d3f:CWE-573 ; d3f:cwe-id "CWE-568" ; d3f:definition "The product contains a finalize() method that does not call super.finalize()." . d3f:CWE-570 a owl:Class ; rdfs:label "Expression is Always False" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-570" ; d3f:definition "The product contains an expression that will always evaluate to false." . d3f:CWE-571 a owl:Class ; rdfs:label "Expression is Always True" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-571" ; d3f:definition "The product contains an expression that will always evaluate to true." . d3f:CWE-572 a owl:Class ; rdfs:label "Call to Thread run() instead of start()" ; rdfs:subClassOf d3f:CWE-821 ; d3f:cwe-id "CWE-572" ; d3f:definition "The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee." . d3f:CWE-573 a owl:Class ; rdfs:label "Improper Following of Specification by Caller" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-573" ; d3f:definition "The product does not follow or incorrectly follows the specifications as required by the implementation language, environment, framework, protocol, or platform." . d3f:CWE-574 a owl:Class ; rdfs:label "EJB Bad Practices: Use of Synchronization Primitives" ; rdfs:subClassOf d3f:CWE-695, d3f:CWE-821 ; d3f:cwe-id "CWE-574" ; d3f:definition "The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives." . d3f:CWE-575 a owl:Class ; rdfs:label "EJB Bad Practices: Use of AWT Swing" ; rdfs:subClassOf d3f:CWE-695 ; d3f:cwe-id "CWE-575" ; d3f:definition "The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing." . d3f:CWE-576 a owl:Class ; rdfs:label "EJB Bad Practices: Use of Java I/O" ; rdfs:subClassOf d3f:CWE-695 ; d3f:cwe-id "CWE-576" ; d3f:definition "The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package." . d3f:CWE-577 a owl:Class ; rdfs:label "EJB Bad Practices: Use of Sockets" ; rdfs:subClassOf d3f:CWE-573 ; d3f:cwe-id "CWE-577" ; d3f:definition "The product violates the Enterprise JavaBeans (EJB) specification by using sockets." . d3f:CWE-578 a owl:Class ; rdfs:label "EJB Bad Practices: Use of Class Loader" ; rdfs:subClassOf d3f:CWE-573 ; d3f:cwe-id "CWE-578" ; d3f:definition "The product violates the Enterprise JavaBeans (EJB) specification by using the class loader." . d3f:CWE-579 a owl:Class ; rdfs:label "J2EE Bad Practices: Non-serializable Object Stored in Session" ; rdfs:subClassOf d3f:CWE-573 ; d3f:cwe-id "CWE-579" ; d3f:definition "The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability." . d3f:CWE-580 a owl:Class ; rdfs:label "clone() Method Without super.clone()" ; rdfs:subClassOf d3f:CWE-573, d3f:CWE-664 ; d3f:cwe-id "CWE-580" ; d3f:definition "The product contains a clone() method that does not call super.clone() to obtain the new object." . d3f:CWE-581 a owl:Class ; rdfs:label "Object Model Violation: Just One of Equals and Hashcode Defined" ; rdfs:subClassOf d3f:CWE-573, d3f:CWE-697 ; d3f:cwe-id "CWE-581" ; d3f:definition "The product does not maintain equal hashcodes for equal objects." . d3f:CWE-582 a owl:Class ; rdfs:label "Array Declared Public, Final, and Static" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-582" ; d3f:definition "The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified." . d3f:CWE-583 a owl:Class ; rdfs:label "finalize() Method Declared Public" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-583" ; d3f:definition "The product violates secure coding principles for mobile code by declaring a finalize() method public." . d3f:CWE-584 a owl:Class ; rdfs:label "Return Inside Finally Block" ; rdfs:subClassOf d3f:CWE-705 ; d3f:cwe-id "CWE-584" ; d3f:definition "The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded." . d3f:CWE-585 a owl:Class ; rdfs:label "Empty Synchronized Block" ; rdfs:subClassOf d3f:CWE-1071 ; d3f:cwe-id "CWE-585" ; d3f:definition "The product contains an empty synchronized block." . d3f:CWE-586 a owl:Class ; rdfs:label "Explicit Call to Finalize()" ; rdfs:subClassOf d3f:CWE-1076 ; d3f:cwe-id "CWE-586" ; d3f:definition "The product makes an explicit call to the finalize() method from outside the finalizer." . d3f:CWE-587 a owl:Class ; rdfs:label "Assignment of a Fixed Address to a Pointer" ; rdfs:subClassOf d3f:CWE-344, d3f:CWE-758 ; d3f:cwe-id "CWE-587" ; d3f:definition "The product sets a pointer to a specific address other than NULL or 0." . d3f:CWE-588 a owl:Class ; rdfs:label "Attempt to Access Child of a Non-structure Pointer" ; rdfs:subClassOf d3f:CWE-704, d3f:CWE-758 ; d3f:cwe-id "CWE-588" ; d3f:definition "Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption." . d3f:CWE-589 a owl:Class ; rdfs:label "Call to Non-ubiquitous API" ; rdfs:subClassOf d3f:CWE-474 ; d3f:cwe-id "CWE-589" ; d3f:definition "The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences." . d3f:CWE-590 a owl:Class, owl:NamedIndividual ; rdfs:label "Free of Memory not on the Heap" ; rdfs:subClassOf d3f:CWE-762, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:MemoryFreeFunction ] ; d3f:cwe-id "CWE-590" ; d3f:definition "The product calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc()." ; d3f:weakness-of d3f:MemoryFreeFunction . d3f:CWE-591 a owl:Class ; rdfs:label "Sensitive Data Storage in Improperly Locked Memory" ; rdfs:subClassOf d3f:CWE-413 ; d3f:cwe-id "CWE-591" ; d3f:definition "The product stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors." . d3f:CWE-593 a owl:Class ; rdfs:label "Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created" ; rdfs:subClassOf d3f:CWE-666, d3f:CWE-1390 ; d3f:cwe-id "CWE-593" ; d3f:definition "The product modifies the SSL context after connection creation has begun." . d3f:CWE-594 a owl:Class ; rdfs:label "J2EE Framework: Saving Unserializable Objects to Disk" ; rdfs:subClassOf d3f:CWE-710, d3f:CWE-1076 ; d3f:cwe-id "CWE-594" ; d3f:definition "When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully." . d3f:CWE-595 a owl:Class ; rdfs:label "Comparison of Object References Instead of Object Contents" ; rdfs:subClassOf d3f:CWE-1025 ; d3f:cwe-id "CWE-595" ; d3f:definition "The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects." . d3f:CWE-597 a owl:Class ; rdfs:label "Use of Wrong Operator in String Comparison" ; rdfs:subClassOf d3f:CWE-480, d3f:CWE-595 ; d3f:cwe-id "CWE-597" ; d3f:definition "The product uses the wrong operator when comparing a string, such as using \"==\" when the .equals() method should be used instead." . d3f:CWE-598 a owl:Class ; rdfs:label "Use of GET Request Method With Sensitive Query Strings" ; rdfs:subClassOf d3f:CWE-201 ; d3f:cwe-id "CWE-598" ; d3f:definition "The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request." . d3f:CWE-599 a owl:Class ; rdfs:label "Missing Validation of OpenSSL Certificate" ; rdfs:subClassOf d3f:CWE-295 ; d3f:cwe-id "CWE-599" ; d3f:definition "The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements." . d3f:CWE-600 a owl:Class ; rdfs:label "Uncaught Exception in Servlet" ; rdfs:subClassOf d3f:CWE-248 ; d3f:cwe-id "CWE-600" ; d3f:definition "The Servlet does not catch all exceptions, which may reveal sensitive debugging information." ; d3f:synonym "Missing Catch Block" . d3f:CWE-601 a owl:Class ; rdfs:label "URL Redirection to Untrusted Site ('Open Redirect')" ; rdfs:subClassOf d3f:CWE-610 ; d3f:cwe-id "CWE-601" ; d3f:definition "The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect." ; d3f:synonym "Cross-domain Redirect", "Cross-site Redirect", "Open Redirect", "Unvalidated Redirect" . d3f:CWE-602 a owl:Class ; rdfs:label "Client-Side Enforcement of Server-Side Security" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-602" ; d3f:definition "The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server." . d3f:CWE-603 a owl:Class ; rdfs:label "Use of Client-Side Authentication" ; rdfs:subClassOf d3f:CWE-602, d3f:CWE-1390 ; d3f:cwe-id "CWE-603" ; d3f:definition "A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check." . d3f:CWE-605 a owl:Class ; rdfs:label "Multiple Binds to the Same Port" ; rdfs:subClassOf d3f:CWE-666, d3f:CWE-675 ; d3f:cwe-id "CWE-605" ; d3f:definition "When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed." . d3f:CWE-606 a owl:Class ; rdfs:label "Unchecked Input for Loop Condition" ; rdfs:subClassOf d3f:CWE-1284 ; d3f:cwe-id "CWE-606" ; d3f:definition "The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping." . d3f:CWE-607 a owl:Class ; rdfs:label "Public Static Final Field References Mutable Object" ; rdfs:subClassOf d3f:CWE-471 ; d3f:cwe-id "CWE-607" ; d3f:definition "A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package." . d3f:CWE-608 a owl:Class ; rdfs:label "Struts: Non-private Field in ActionForm Class" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-608" ; d3f:definition "An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter." . d3f:CWE-609 a owl:Class ; rdfs:label "Double-Checked Locking" ; rdfs:subClassOf d3f:CWE-667 ; d3f:cwe-id "CWE-609" ; d3f:definition "The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient." . d3f:CWE-610 a owl:Class ; rdfs:label "Externally Controlled Reference to a Resource in Another Sphere" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-610" ; d3f:definition "The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere." . d3f:CWE-611 a owl:Class, owl:NamedIndividual ; rdfs:label "Improper Restriction of XML External Entity Reference" ; rdfs:subClassOf d3f:CWE-610, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:ExternalContentInclusionFunction ] ; d3f:cwe-id "CWE-611" ; d3f:definition "The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output." ; d3f:synonym "XXE" ; d3f:weakness-of d3f:ExternalContentInclusionFunction . d3f:CWE-612 a owl:Class ; rdfs:label "Improper Authorization of Index Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-1230 ; d3f:cwe-id "CWE-612" ; d3f:definition "The product creates a search index of private or sensitive documents, but it does not properly limit index access to actors who are authorized to see the original information." . d3f:CWE-613 a owl:Class ; rdfs:label "Insufficient Session Expiration" ; rdfs:subClassOf d3f:CWE-672 ; d3f:cwe-id "CWE-613" ; d3f:definition "According to WASC, \"Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.\"" . d3f:CWE-614 a owl:Class ; rdfs:label "Sensitive Cookie in HTTPS Session Without 'Secure' Attribute" ; rdfs:subClassOf d3f:CWE-319 ; d3f:cwe-id "CWE-614" ; d3f:definition "The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session." . d3f:CWE-615 a owl:Class ; rdfs:label "Inclusion of Sensitive Information in Source Code Comments" ; rdfs:subClassOf d3f:CWE-540 ; d3f:cwe-id "CWE-615" ; d3f:definition "While adding general comments is very useful, some programmers tend to leave important data, such as: filenames related to the web application, old links or links which were not meant to be browsed by users, old code fragments, etc." . d3f:CWE-616 a owl:Class ; rdfs:label "Incomplete Identification of Uploaded File Variables (PHP)" ; rdfs:subClassOf d3f:CWE-345 ; d3f:cwe-id "CWE-616" ; d3f:definition "The PHP application uses an old method for processing uploaded files by referencing the four global variables that are set for each file (e.g. $varname, $varname_size, $varname_name, $varname_type). These variables could be overwritten by attackers, causing the application to process unauthorized files." . d3f:CWE-617 a owl:Class ; rdfs:label "Reachable Assertion" ; rdfs:subClassOf d3f:CWE-670 ; d3f:cwe-id "CWE-617" ; d3f:definition "The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary." ; d3f:synonym "assertion failure" . d3f:CWE-618 a owl:Class ; rdfs:label "Exposed Unsafe ActiveX Method" ; rdfs:subClassOf d3f:CWE-749 ; d3f:cwe-id "CWE-618" ; d3f:definition "An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain)." . d3f:CWE-619 a owl:Class ; rdfs:label "Dangling Database Cursor ('Cursor Injection')" ; rdfs:subClassOf d3f:CWE-402 ; d3f:cwe-id "CWE-619" ; d3f:definition "If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor \"dangling.\"" . d3f:CWE-620 a owl:Class ; rdfs:label "Unverified Password Change" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-620" ; d3f:definition "When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication." . d3f:CWE-621 a owl:Class ; rdfs:label "Variable Extraction Error" ; rdfs:subClassOf d3f:CWE-914 ; d3f:cwe-id "CWE-621" ; d3f:definition "The product uses external input to determine the names of variables into which information is extracted, without verifying that the names of the specified variables are valid. This could cause the program to overwrite unintended variables." ; d3f:synonym "Variable overwrite" . d3f:CWE-622 a owl:Class ; rdfs:label "Improper Validation of Function Hook Arguments" ; rdfs:subClassOf d3f:CWE-20 ; d3f:cwe-id "CWE-622" ; d3f:definition "The product adds hooks to user-accessible API functions, but it does not properly validate the arguments. This could lead to resultant vulnerabilities." . d3f:CWE-623 a owl:Class ; rdfs:label "Unsafe ActiveX Control Marked Safe For Scripting" ; rdfs:subClassOf d3f:CWE-267 ; d3f:cwe-id "CWE-623" ; d3f:definition "An ActiveX control is intended for restricted use, but it has been marked as safe-for-scripting." . d3f:CWE-624 a owl:Class ; rdfs:label "Executable Regular Expression Error" ; rdfs:subClassOf d3f:CWE-77 ; d3f:cwe-id "CWE-624" ; d3f:definition "The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers." . d3f:CWE-625 a owl:Class ; rdfs:label "Permissive Regular Expression" ; rdfs:subClassOf d3f:CWE-185 ; d3f:cwe-id "CWE-625" ; d3f:definition "The product uses a regular expression that does not sufficiently restrict the set of allowed values." . d3f:CWE-626 a owl:Class ; rdfs:label "Null Byte Interaction Error (Poison Null Byte)" ; rdfs:subClassOf d3f:CWE-147, d3f:CWE-436 ; d3f:cwe-id "CWE-626" ; d3f:definition "The product does not properly handle null bytes or NUL characters when passing data between different representations or components." . d3f:CWE-627 a owl:Class ; rdfs:label "Dynamic Variable Evaluation" ; rdfs:subClassOf d3f:CWE-914 ; d3f:cwe-id "CWE-627" ; d3f:definition "In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions." ; d3f:synonym "Dynamic evaluation" . d3f:CWE-628 a owl:Class ; rdfs:label "Function Call with Incorrectly Specified Arguments" ; rdfs:subClassOf d3f:CWE-573 ; d3f:cwe-id "CWE-628" ; d3f:definition "The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses." . d3f:CWE-636 a owl:Class ; rdfs:label "Not Failing Securely ('Failing Open')" ; rdfs:subClassOf d3f:CWE-657, d3f:CWE-755 ; d3f:cwe-id "CWE-636" ; d3f:definition "When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions." ; d3f:synonym "Failing Open" . d3f:CWE-637 a owl:Class ; rdfs:label "Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')" ; rdfs:subClassOf d3f:CWE-657 ; d3f:cwe-id "CWE-637" ; d3f:definition "The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used." ; d3f:synonym "Unnecessary Complexity" . d3f:CWE-638 a owl:Class ; rdfs:label "Not Using Complete Mediation" ; rdfs:subClassOf d3f:CWE-657, d3f:CWE-862 ; d3f:cwe-id "CWE-638" ; d3f:definition "The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's rights or privileges change over time." . d3f:CWE-639 a owl:Class ; rdfs:label "Authorization Bypass Through User-Controlled Key" ; rdfs:subClassOf d3f:CWE-863 ; d3f:cwe-id "CWE-639" ; d3f:definition "The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data." ; d3f:synonym "Broken Object Level Authorization / BOLA", "Horizontal Authorization", "Insecure Direct Object Reference / IDOR" . d3f:CWE-640 a owl:Class ; rdfs:label "Weak Password Recovery Mechanism for Forgotten Password" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-640" ; d3f:definition "The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak." . d3f:CWE-641 a owl:Class ; rdfs:label "Improper Restriction of Names for Files and Other Resources" ; rdfs:subClassOf d3f:CWE-99 ; d3f:cwe-id "CWE-641" ; d3f:definition "The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name." . d3f:CWE-642 a owl:Class ; rdfs:label "External Control of Critical State Data" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-642" ; d3f:definition "The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors." . d3f:CWE-643 a owl:Class ; rdfs:label "Improper Neutralization of Data within XPath Expressions ('XPath Injection')" ; rdfs:subClassOf d3f:CWE-91, d3f:CWE-943 ; d3f:cwe-id "CWE-643" ; d3f:definition "The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query." . d3f:CWE-644 a owl:Class ; rdfs:label "Improper Neutralization of HTTP Headers for Scripting Syntax" ; rdfs:subClassOf d3f:CWE-116 ; d3f:cwe-id "CWE-644" ; d3f:definition "The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash." . d3f:CWE-645 a owl:Class ; rdfs:label "Overly Restrictive Account Lockout Mechanism" ; rdfs:subClassOf d3f:CWE-287 ; d3f:cwe-id "CWE-645" ; d3f:definition "The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out." . d3f:CWE-646 a owl:Class ; rdfs:label "Reliance on File Name or Extension of Externally-Supplied File" ; rdfs:subClassOf d3f:CWE-345 ; d3f:cwe-id "CWE-646" ; d3f:definition "The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion." . d3f:CWE-647 a owl:Class ; rdfs:label "Use of Non-Canonical URL Paths for Authorization Decisions" ; rdfs:subClassOf d3f:CWE-863 ; d3f:cwe-id "CWE-647" ; d3f:definition "The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization." . d3f:CWE-648 a owl:Class ; rdfs:label "Incorrect Use of Privileged APIs" ; rdfs:subClassOf d3f:CWE-269 ; d3f:cwe-id "CWE-648" ; d3f:definition "The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly." . d3f:CWE-649 a owl:Class ; rdfs:label "Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking" ; rdfs:subClassOf d3f:CWE-345 ; d3f:cwe-id "CWE-649" ; d3f:definition "The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified." . d3f:CWE-650 a owl:Class ; rdfs:label "Trusting HTTP Permission Methods on the Server Side" ; rdfs:subClassOf d3f:CWE-436 ; d3f:cwe-id "CWE-650" ; d3f:definition "The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state." . d3f:CWE-651 a owl:Class ; rdfs:label "Exposure of WSDL File Containing Sensitive Information" ; rdfs:subClassOf d3f:CWE-538 ; d3f:cwe-id "CWE-651" ; d3f:definition "The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (e.g. what parameters they expect and what types they return)." . d3f:CWE-652 a owl:Class ; rdfs:label "Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')" ; rdfs:subClassOf d3f:CWE-91, d3f:CWE-943 ; d3f:cwe-id "CWE-652" ; d3f:definition "The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query." . d3f:CWE-653 a owl:Class ; rdfs:label "Improper Isolation or Compartmentalization" ; rdfs:subClassOf d3f:CWE-657, d3f:CWE-693 ; d3f:cwe-id "CWE-653" ; d3f:definition "The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions." ; d3f:synonym "Separation of Privilege" . d3f:CWE-654 a owl:Class ; rdfs:label "Reliance on a Single Factor in a Security Decision" ; rdfs:subClassOf d3f:CWE-657, d3f:CWE-693 ; d3f:cwe-id "CWE-654" ; d3f:definition "A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality." ; d3f:synonym "Separation of Privilege" . d3f:CWE-655 a owl:Class ; rdfs:label "Insufficient Psychological Acceptability" ; rdfs:subClassOf d3f:CWE-657, d3f:CWE-693 ; d3f:cwe-id "CWE-655" ; d3f:definition "The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose." . d3f:CWE-656 a owl:Class ; rdfs:label "Reliance on Security Through Obscurity" ; rdfs:subClassOf d3f:CWE-657, d3f:CWE-693 ; d3f:cwe-id "CWE-656" ; d3f:definition "The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism." ; d3f:synonym "Never Assuming your secrets are safe" . d3f:CWE-657 a owl:Class ; rdfs:label "Violation of Secure Design Principles" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-657" ; d3f:definition "The product violates well-established principles for secure design." . d3f:CWE-662 a owl:Class ; rdfs:label "Improper Synchronization" ; rdfs:subClassOf d3f:CWE-664, d3f:CWE-691 ; d3f:cwe-id "CWE-662" ; d3f:definition "The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes." . d3f:CWE-663 a owl:Class ; rdfs:label "Use of a Non-reentrant Function in a Concurrent Context" ; rdfs:subClassOf d3f:CWE-662 ; d3f:cwe-id "CWE-663" ; d3f:definition "The product calls a non-reentrant function in a concurrent context in which a competing code sequence (e.g. thread or signal handler) may have an opportunity to call the same function or otherwise influence its state." . d3f:CWE-664 a owl:Class ; rdfs:label "Improper Control of a Resource Through its Lifetime" ; rdfs:subClassOf d3f:Weakness ; d3f:cwe-id "CWE-664" ; d3f:definition "The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release." . d3f:CWE-665 a owl:Class ; rdfs:label "Improper Initialization" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-665" ; d3f:definition "The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used." . d3f:CWE-666 a owl:Class ; rdfs:label "Operation on Resource in Wrong Phase of Lifetime" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-666" ; d3f:definition "The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors." . d3f:CWE-667 a owl:Class ; rdfs:label "Improper Locking" ; rdfs:subClassOf d3f:CWE-662 ; d3f:cwe-id "CWE-667" ; d3f:definition "The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors." . d3f:CWE-668 a owl:Class ; rdfs:label "Exposure of Resource to Wrong Sphere" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-668" ; d3f:definition "The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource." . d3f:CWE-669 a owl:Class ; rdfs:label "Incorrect Resource Transfer Between Spheres" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-669" ; d3f:definition "The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource." . d3f:CWE-670 a owl:Class ; rdfs:label "Always-Incorrect Control Flow Implementation" ; rdfs:subClassOf d3f:CWE-691 ; d3f:cwe-id "CWE-670" ; d3f:definition "The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated." . d3f:CWE-671 a owl:Class ; rdfs:label "Lack of Administrator Control over Security" ; rdfs:subClassOf d3f:CWE-657 ; d3f:cwe-id "CWE-671" ; d3f:definition "The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator." . d3f:CWE-672 a owl:Class ; rdfs:label "Operation on a Resource after Expiration or Release" ; rdfs:subClassOf d3f:CWE-666 ; d3f:cwe-id "CWE-672" ; d3f:definition "The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked." . d3f:CWE-673 a owl:Class ; rdfs:label "External Influence of Sphere Definition" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-673" ; d3f:definition "The product does not prevent the definition of control spheres from external actors." . d3f:CWE-674 a owl:Class ; rdfs:label "Uncontrolled Recursion" ; rdfs:subClassOf d3f:CWE-834 ; d3f:cwe-id "CWE-674" ; d3f:definition "The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack." ; d3f:synonym "Stack Exhaustion" . d3f:CWE-675 a owl:Class ; rdfs:label "Multiple Operations on Resource in Single-Operation Context" ; rdfs:subClassOf d3f:CWE-573 ; d3f:cwe-id "CWE-675" ; d3f:definition "The product performs the same operation on a resource two or more times, when the operation should only be applied once." . d3f:CWE-676 a owl:Class ; rdfs:label "Use of Potentially Dangerous Function" ; rdfs:subClassOf d3f:CWE-1177 ; d3f:cwe-id "CWE-676" ; d3f:definition "The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely." . d3f:CWE-680 a owl:Class ; rdfs:label "Integer Overflow to Buffer Overflow" ; rdfs:subClassOf d3f:CWE-119, d3f:CWE-190 ; d3f:cwe-id "CWE-680" ; d3f:definition "The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow." . d3f:CWE-681 a owl:Class ; rdfs:label "Incorrect Conversion between Numeric Types" ; rdfs:subClassOf d3f:CWE-704 ; d3f:cwe-id "CWE-681" ; d3f:definition "When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur." . d3f:CWE-682 a owl:Class ; rdfs:label "Incorrect Calculation" ; rdfs:subClassOf d3f:Weakness ; d3f:cwe-id "CWE-682" ; d3f:definition "The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management." . d3f:CWE-683 a owl:Class ; rdfs:label "Function Call With Incorrect Order of Arguments" ; rdfs:subClassOf d3f:CWE-628 ; d3f:cwe-id "CWE-683" ; d3f:definition "The product calls a function, procedure, or routine, but the caller specifies the arguments in an incorrect order, leading to resultant weaknesses." . d3f:CWE-684 a owl:Class ; rdfs:label "Incorrect Provision of Specified Functionality" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-684" ; d3f:definition "The code does not function according to its published specifications, potentially leading to incorrect usage." . d3f:CWE-685 a owl:Class ; rdfs:label "Function Call With Incorrect Number of Arguments" ; rdfs:subClassOf d3f:CWE-628 ; d3f:cwe-id "CWE-685" ; d3f:definition "The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses." . d3f:CWE-686 a owl:Class ; rdfs:label "Function Call With Incorrect Argument Type" ; rdfs:subClassOf d3f:CWE-628 ; d3f:cwe-id "CWE-686" ; d3f:definition "The product calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses." . d3f:CWE-687 a owl:Class ; rdfs:label "Function Call With Incorrectly Specified Argument Value" ; rdfs:subClassOf d3f:CWE-628 ; d3f:cwe-id "CWE-687" ; d3f:definition "The product calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses." . d3f:CWE-688 a owl:Class ; rdfs:label "Function Call With Incorrect Variable or Reference as Argument" ; rdfs:subClassOf d3f:CWE-628 ; d3f:cwe-id "CWE-688" ; d3f:definition "The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined behavior and resultant weaknesses." . d3f:CWE-689 a owl:Class ; rdfs:label "Permission Race Condition During Resource Copy" ; rdfs:subClassOf d3f:CWE-362 ; d3f:cwe-id "CWE-689" ; d3f:definition "The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to other spheres while the copy is taking place." . d3f:CWE-690 a owl:Class ; rdfs:label "Unchecked Return Value to NULL Pointer Dereference" ; rdfs:subClassOf d3f:CWE-252, d3f:CWE-476 ; d3f:cwe-id "CWE-690" ; d3f:definition "The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference." . d3f:CWE-691 a owl:Class ; rdfs:label "Insufficient Control Flow Management" ; rdfs:subClassOf d3f:Weakness ; d3f:cwe-id "CWE-691" ; d3f:definition "The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways." . d3f:CWE-692 a owl:Class ; rdfs:label "Incomplete Denylist to Cross-Site Scripting" ; rdfs:subClassOf d3f:CWE-79, d3f:CWE-184 ; d3f:cwe-id "CWE-692" ; d3f:definition "The product uses a denylist-based protection mechanism to defend against XSS attacks, but the denylist is incomplete, allowing XSS variants to succeed." . d3f:CWE-693 a owl:Class ; rdfs:label "Protection Mechanism Failure" ; rdfs:subClassOf d3f:Weakness ; d3f:cwe-id "CWE-693" ; d3f:definition "The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product." . d3f:CWE-694 a owl:Class ; rdfs:label "Use of Multiple Resources with Duplicate Identifier" ; rdfs:subClassOf d3f:CWE-99, d3f:CWE-573 ; d3f:cwe-id "CWE-694" ; d3f:definition "The product uses multiple resources that can have the same identifier, in a context in which unique identifiers are required." . d3f:CWE-695 a owl:Class ; rdfs:label "Use of Low-Level Functionality" ; rdfs:subClassOf d3f:CWE-573 ; d3f:cwe-id "CWE-695" ; d3f:definition "The product uses low-level functionality that is explicitly prohibited by the framework or specification under which the product is supposed to operate." . d3f:CWE-696 a owl:Class ; rdfs:label "Incorrect Behavior Order" ; rdfs:subClassOf d3f:CWE-691 ; d3f:cwe-id "CWE-696" ; d3f:definition "The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses." . d3f:CWE-697 a owl:Class ; rdfs:label "Incorrect Comparison" ; rdfs:subClassOf d3f:Weakness ; d3f:cwe-id "CWE-697" ; d3f:definition "The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses." . d3f:CWE-698 a owl:Class ; rdfs:label "Execution After Redirect (EAR)" ; rdfs:subClassOf d3f:CWE-670, d3f:CWE-705 ; d3f:cwe-id "CWE-698" ; d3f:definition "The web application sends a redirect to another location, but instead of exiting, it executes additional code." ; d3f:synonym "Redirect Without Exit" . d3f:CWE-703 a owl:Class ; rdfs:label "Improper Check or Handling of Exceptional Conditions" ; rdfs:subClassOf d3f:Weakness ; d3f:cwe-id "CWE-703" ; d3f:definition "The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product." . d3f:CWE-704 a owl:Class ; rdfs:label "Incorrect Type Conversion or Cast" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-704" ; d3f:definition "The product does not correctly convert an object, resource, or structure from one type to a different type." . d3f:CWE-705 a owl:Class ; rdfs:label "Incorrect Control Flow Scoping" ; rdfs:subClassOf d3f:CWE-691 ; d3f:cwe-id "CWE-705" ; d3f:definition "The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition." . d3f:CWE-706 a owl:Class ; rdfs:label "Use of Incorrectly-Resolved Name or Reference" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-706" ; d3f:definition "The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere." . d3f:CWE-707 a owl:Class ; rdfs:label "Improper Neutralization" ; rdfs:subClassOf d3f:Weakness ; d3f:cwe-id "CWE-707" ; d3f:definition "The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component." . d3f:CWE-708 a owl:Class ; rdfs:label "Incorrect Ownership Assignment" ; rdfs:subClassOf d3f:CWE-282 ; d3f:cwe-id "CWE-708" ; d3f:definition "The product assigns an owner to a resource, but the owner is outside of the intended control sphere." . d3f:CWE-710 a owl:Class ; rdfs:label "Improper Adherence to Coding Standards" ; rdfs:subClassOf d3f:Weakness ; d3f:cwe-id "CWE-710" ; d3f:definition "The product does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities." . d3f:CWE-732 a owl:Class ; rdfs:label "Incorrect Permission Assignment for Critical Resource" ; rdfs:subClassOf d3f:CWE-285, d3f:CWE-668 ; d3f:cwe-id "CWE-732" ; d3f:definition "The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors." . d3f:CWE-733 a owl:Class ; rdfs:label "Compiler Optimization Removal or Modification of Security-critical Code" ; rdfs:subClassOf d3f:CWE-1038 ; d3f:cwe-id "CWE-733" ; d3f:definition "The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified." . d3f:CWE-749 a owl:Class ; rdfs:label "Exposed Dangerous Method or Function" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-749" ; d3f:definition "The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted." . d3f:CWE-754 a owl:Class ; rdfs:label "Improper Check for Unusual or Exceptional Conditions" ; rdfs:subClassOf d3f:CWE-703 ; d3f:cwe-id "CWE-754" ; d3f:definition "The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product." . d3f:CWE-755 a owl:Class ; rdfs:label "Improper Handling of Exceptional Conditions" ; rdfs:subClassOf d3f:CWE-703 ; d3f:cwe-id "CWE-755" ; d3f:definition "The product does not handle or incorrectly handles an exceptional condition." . d3f:CWE-756 a owl:Class ; rdfs:label "Missing Custom Error Page" ; rdfs:subClassOf d3f:CWE-755 ; d3f:cwe-id "CWE-756" ; d3f:definition "The product does not return custom error pages to the user, possibly exposing sensitive information." . d3f:CWE-757 a owl:Class ; rdfs:label "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-757" ; d3f:definition "A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties." . d3f:CWE-758 a owl:Class ; rdfs:label "Reliance on Undefined, Unspecified, or Implementation-Defined Behavior" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-758" ; d3f:definition "The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity." . d3f:CWE-759 a owl:Class ; rdfs:label "Use of a One-Way Hash without a Salt" ; rdfs:subClassOf d3f:CWE-916 ; d3f:cwe-id "CWE-759" ; d3f:definition "The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input." . d3f:CWE-760 a owl:Class ; rdfs:label "Use of a One-Way Hash with a Predictable Salt" ; rdfs:subClassOf d3f:CWE-916 ; d3f:cwe-id "CWE-760" ; d3f:definition "The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input." . d3f:CWE-761 a owl:Class, owl:NamedIndividual ; rdfs:label "Free of Pointer not at Start of Buffer" ; rdfs:subClassOf d3f:CWE-763, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:MemoryFreeFunction ] ; d3f:cwe-id "CWE-761" ; d3f:definition "The product calls free() on a pointer to a memory resource that was allocated on the heap, but the pointer is not at the start of the buffer." ; d3f:weakness-of d3f:MemoryFreeFunction . d3f:CWE-762 a owl:Class ; rdfs:label "Mismatched Memory Management Routines" ; rdfs:subClassOf d3f:CWE-763 ; d3f:cwe-id "CWE-762" ; d3f:definition "The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource." . d3f:CWE-763 a owl:Class ; rdfs:label "Release of Invalid Pointer or Reference" ; rdfs:subClassOf d3f:CWE-404 ; d3f:cwe-id "CWE-763" ; d3f:definition "The product attempts to return a memory resource to the system, but it calls the wrong release function or calls the appropriate release function incorrectly." . d3f:CWE-764 a owl:Class ; rdfs:label "Multiple Locks of a Critical Resource" ; rdfs:subClassOf d3f:CWE-667, d3f:CWE-675 ; d3f:cwe-id "CWE-764" ; d3f:definition "The product locks a critical resource more times than intended, leading to an unexpected state in the system." . d3f:CWE-765 a owl:Class ; rdfs:label "Multiple Unlocks of a Critical Resource" ; rdfs:subClassOf d3f:CWE-667, d3f:CWE-675 ; d3f:cwe-id "CWE-765" ; d3f:definition "The product unlocks a critical resource more times than intended, leading to an unexpected state in the system." . d3f:CWE-766 a owl:Class ; rdfs:label "Critical Data Element Declared Public" ; rdfs:subClassOf d3f:CWE-732, d3f:CWE-1061 ; d3f:cwe-id "CWE-766" ; d3f:definition "The product declares a critical variable, field, or member to be public when intended security policy requires it to be private." . d3f:CWE-767 a owl:Class ; rdfs:label "Access to Critical Private Variable via Public Method" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-767" ; d3f:definition "The product defines a public method that reads or modifies a private variable." . d3f:CWE-768 a owl:Class ; rdfs:label "Incorrect Short Circuit Evaluation" ; rdfs:subClassOf d3f:CWE-691 ; d3f:cwe-id "CWE-768" ; d3f:definition "The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring." . d3f:CWE-770 a owl:Class ; rdfs:label "Allocation of Resources Without Limits or Throttling" ; rdfs:subClassOf d3f:CWE-400, d3f:CWE-665 ; d3f:cwe-id "CWE-770" ; d3f:definition "The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor." . d3f:CWE-771 a owl:Class ; rdfs:label "Missing Reference to Active Allocated Resource" ; rdfs:subClassOf d3f:CWE-400 ; d3f:cwe-id "CWE-771" ; d3f:definition "The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed." . d3f:CWE-772 a owl:Class ; rdfs:label "Missing Release of Resource after Effective Lifetime" ; rdfs:subClassOf d3f:CWE-404 ; d3f:cwe-id "CWE-772" ; d3f:definition "The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed." . d3f:CWE-773 a owl:Class ; rdfs:label "Missing Reference to Active File Descriptor or Handle" ; rdfs:subClassOf d3f:CWE-771 ; d3f:cwe-id "CWE-773" ; d3f:definition "The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed." . d3f:CWE-774 a owl:Class ; rdfs:label "Allocation of File Descriptors or Handles Without Limits or Throttling" ; rdfs:subClassOf d3f:CWE-770 ; d3f:cwe-id "CWE-774" ; d3f:definition "The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor." ; d3f:synonym "File Descriptor Exhaustion" . d3f:CWE-775 a owl:Class ; rdfs:label "Missing Release of File Descriptor or Handle after Effective Lifetime" ; rdfs:subClassOf d3f:CWE-772 ; d3f:cwe-id "CWE-775" ; d3f:definition "The product does not release a file descriptor or handle after its effective lifetime has ended, i.e., after the file descriptor/handle is no longer needed." . d3f:CWE-776 a owl:Class ; rdfs:label "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')" ; rdfs:subClassOf d3f:CWE-405, d3f:CWE-674 ; d3f:cwe-id "CWE-776" ; d3f:definition "The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities." ; d3f:synonym "Billion Laughs Attack", "XEE", "XML Bomb" . d3f:CWE-777 a owl:Class ; rdfs:label "Regular Expression without Anchors" ; rdfs:subClassOf d3f:CWE-625 ; d3f:cwe-id "CWE-777" ; d3f:definition "The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through." . d3f:CWE-778 a owl:Class ; rdfs:label "Insufficient Logging" ; rdfs:subClassOf d3f:CWE-223, d3f:CWE-693 ; d3f:cwe-id "CWE-778" ; d3f:definition "When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it." . d3f:CWE-779 a owl:Class ; rdfs:label "Logging of Excessive Data" ; rdfs:subClassOf d3f:CWE-400 ; d3f:cwe-id "CWE-779" ; d3f:definition "The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack." . d3f:CWE-780 a owl:Class ; rdfs:label "Use of RSA Algorithm without OAEP" ; rdfs:subClassOf d3f:CWE-327 ; d3f:cwe-id "CWE-780" ; d3f:definition "The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption." . d3f:CWE-781 a owl:Class ; rdfs:label "Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code" ; rdfs:subClassOf d3f:CWE-1285 ; d3f:cwe-id "CWE-781" ; d3f:definition "The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided." . d3f:CWE-782 a owl:Class ; rdfs:label "Exposed IOCTL with Insufficient Access Control" ; rdfs:subClassOf d3f:CWE-749 ; d3f:cwe-id "CWE-782" ; d3f:definition "The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL." . d3f:CWE-783 a owl:Class ; rdfs:label "Operator Precedence Logic Error" ; rdfs:subClassOf d3f:CWE-670 ; d3f:cwe-id "CWE-783" ; d3f:definition "The product uses an expression in which operator precedence causes incorrect logic to be used." . d3f:CWE-784 a owl:Class ; rdfs:label "Reliance on Cookies without Validation and Integrity Checking in a Security Decision" ; rdfs:subClassOf d3f:CWE-565, d3f:CWE-807 ; d3f:cwe-id "CWE-784" ; d3f:definition "The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user." . d3f:CWE-785 a owl:Class ; rdfs:label "Use of Path Manipulation Function without Maximum-sized Buffer" ; rdfs:subClassOf d3f:CWE-120, d3f:CWE-676 ; d3f:cwe-id "CWE-785" ; d3f:definition "The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX." . d3f:CWE-786 a owl:Class ; rdfs:label "Access of Memory Location Before Start of Buffer" ; rdfs:subClassOf d3f:CWE-119 ; d3f:cwe-id "CWE-786" ; d3f:definition "The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer." . d3f:CWE-787 a owl:Class, owl:NamedIndividual ; rdfs:label "Out-of-bounds Write" ; rdfs:subClassOf d3f:CWE-119, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:RawMemoryAccessFunction ] ; d3f:cwe-id "CWE-787" ; d3f:definition "The product writes data past the end, or before the beginning, of the intended buffer." ; d3f:synonym "Memory Corruption" ; d3f:weakness-of d3f:RawMemoryAccessFunction . d3f:CWE-788 a owl:Class ; rdfs:label "Access of Memory Location After End of Buffer" ; rdfs:subClassOf d3f:CWE-119 ; d3f:cwe-id "CWE-788" ; d3f:definition "The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer." . d3f:CWE-789 a owl:Class ; rdfs:label "Memory Allocation with Excessive Size Value" ; rdfs:subClassOf d3f:CWE-770, d3f:CWE-1284 ; d3f:cwe-id "CWE-789" ; d3f:definition "The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated." ; d3f:synonym "Stack Exhaustion" . d3f:CWE-790 a owl:Class ; rdfs:label "Improper Filtering of Special Elements" ; rdfs:subClassOf d3f:CWE-138 ; d3f:cwe-id "CWE-790" ; d3f:definition "The product receives data from an upstream component, but does not filter or incorrectly filters special elements before sending it to a downstream component." . d3f:CWE-791 a owl:Class ; rdfs:label "Incomplete Filtering of Special Elements" ; rdfs:subClassOf d3f:CWE-790 ; d3f:cwe-id "CWE-791" ; d3f:definition "The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component." . d3f:CWE-792 a owl:Class ; rdfs:label "Incomplete Filtering of One or More Instances of Special Elements" ; rdfs:subClassOf d3f:CWE-791 ; d3f:cwe-id "CWE-792" ; d3f:definition "The product receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component." . d3f:CWE-793 a owl:Class ; rdfs:label "Only Filtering One Instance of a Special Element" ; rdfs:subClassOf d3f:CWE-792 ; d3f:cwe-id "CWE-793" ; d3f:definition "The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component." . d3f:CWE-794 a owl:Class ; rdfs:label "Incomplete Filtering of Multiple Instances of Special Elements" ; rdfs:subClassOf d3f:CWE-792 ; d3f:cwe-id "CWE-794" ; d3f:definition "The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component." . d3f:CWE-795 a owl:Class ; rdfs:label "Only Filtering Special Elements at a Specified Location" ; rdfs:subClassOf d3f:CWE-791 ; d3f:cwe-id "CWE-795" ; d3f:definition "The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component." . d3f:CWE-796 a owl:Class ; rdfs:label "Only Filtering Special Elements Relative to a Marker" ; rdfs:subClassOf d3f:CWE-795 ; d3f:cwe-id "CWE-796" ; d3f:definition "The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g. \"at the beginning/end of a string; the second argument\"), thereby missing remaining special elements that may exist before sending it to a downstream component." . d3f:CWE-797 a owl:Class ; rdfs:label "Only Filtering Special Elements at an Absolute Position" ; rdfs:subClassOf d3f:CWE-795 ; d3f:cwe-id "CWE-797" ; d3f:definition "The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g. \"byte number 10\"), thereby missing remaining special elements that may exist before sending it to a downstream component." . d3f:CWE-798 a owl:Class, owl:NamedIndividual ; rdfs:label "Use of Hard-coded Credentials" ; rdfs:subClassOf d3f:CWE-344, d3f:CWE-671, d3f:CWE-1391, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:AuthenticationFunction ] ; d3f:cwe-id "CWE-798" ; d3f:definition "The product contains hard-coded credentials, such as a password or cryptographic key." ; d3f:weakness-of d3f:AuthenticationFunction . d3f:CWE-799 a owl:Class ; rdfs:label "Improper Control of Interaction Frequency" ; rdfs:subClassOf d3f:CWE-691 ; d3f:cwe-id "CWE-799" ; d3f:definition "The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests." ; d3f:synonym "Brute force", "Insufficient anti-automation" . d3f:CWE-804 a owl:Class ; rdfs:label "Guessable CAPTCHA" ; rdfs:subClassOf d3f:CWE-863, d3f:CWE-1390 ; d3f:cwe-id "CWE-804" ; d3f:definition "The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor." . d3f:CWE-805 a owl:Class ; rdfs:label "Buffer Access with Incorrect Length Value" ; rdfs:subClassOf d3f:CWE-119 ; d3f:cwe-id "CWE-805" ; d3f:definition "The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer." . d3f:CWE-806 a owl:Class ; rdfs:label "Buffer Access Using Size of Source Buffer" ; rdfs:subClassOf d3f:CWE-805 ; d3f:cwe-id "CWE-806" ; d3f:definition "The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer." . d3f:CWE-807 a owl:Class ; rdfs:label "Reliance on Untrusted Inputs in a Security Decision" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-807" ; d3f:definition "The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism." . d3f:CWE-820 a owl:Class ; rdfs:label "Missing Synchronization" ; rdfs:subClassOf d3f:CWE-662 ; d3f:cwe-id "CWE-820" ; d3f:definition "The product utilizes a shared resource in a concurrent manner but does not attempt to synchronize access to the resource." . d3f:CWE-821 a owl:Class ; rdfs:label "Incorrect Synchronization" ; rdfs:subClassOf d3f:CWE-662 ; d3f:cwe-id "CWE-821" ; d3f:definition "The product utilizes a shared resource in a concurrent manner, but it does not correctly synchronize access to the resource." . d3f:CWE-822 a owl:Class, owl:NamedIndividual ; rdfs:label "Untrusted Pointer Dereference" ; rdfs:subClassOf d3f:CWE-119, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:PointerDereferencingFunction ] ; d3f:cwe-id "CWE-822" ; d3f:definition "The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer." ; d3f:weakness-of d3f:PointerDereferencingFunction . d3f:CWE-823 a owl:Class ; rdfs:label "Use of Out-of-range Pointer Offset" ; rdfs:subClassOf d3f:CWE-119 ; d3f:cwe-id "CWE-823" ; d3f:definition "The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer." ; d3f:synonym "Untrusted pointer offset" . d3f:CWE-824 a owl:Class, owl:NamedIndividual ; rdfs:label "Access of Uninitialized Pointer" ; rdfs:subClassOf d3f:CWE-119, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:PointerDereferencingFunction ] ; d3f:cwe-id "CWE-824" ; d3f:definition "The product accesses or uses a pointer that has not been initialized." ; d3f:weakness-of d3f:PointerDereferencingFunction . d3f:CWE-825 a owl:Class, owl:NamedIndividual ; rdfs:label "Expired Pointer Dereference" ; rdfs:subClassOf d3f:CWE-119, d3f:CWE-672, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ] ; d3f:cwe-id "CWE-825" ; d3f:definition "The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid." ; d3f:synonym "Dangling pointer" ; d3f:weakness-of d3f:UserInputFunction . d3f:CWE-826 a owl:Class ; rdfs:label "Premature Release of Resource During Expected Lifetime" ; rdfs:subClassOf d3f:CWE-666 ; d3f:cwe-id "CWE-826" ; d3f:definition "The product releases a resource that is still intended to be used by itself or another actor." . d3f:CWE-827 a owl:Class ; rdfs:label "Improper Control of Document Type Definition" ; rdfs:subClassOf d3f:CWE-706, d3f:CWE-829 ; d3f:cwe-id "CWE-827" ; d3f:definition "The product does not restrict a reference to a Document Type Definition (DTD) to the intended control sphere. This might allow attackers to reference arbitrary DTDs, possibly causing the product to expose files, consume excessive system resources, or execute arbitrary http requests on behalf of the attacker." . d3f:CWE-828 a owl:Class ; rdfs:label "Signal Handler with Functionality that is not Asynchronous-Safe" ; rdfs:subClassOf d3f:CWE-364 ; d3f:cwe-id "CWE-828" ; d3f:definition "The product defines a signal handler that contains code sequences that are not asynchronous-safe, i.e., the functionality is not reentrant, or it can be interrupted." . d3f:CWE-829 a owl:Class ; rdfs:label "Inclusion of Functionality from Untrusted Control Sphere" ; rdfs:subClassOf d3f:CWE-669 ; d3f:cwe-id "CWE-829" ; d3f:definition "The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere." . d3f:CWE-830 a owl:Class ; rdfs:label "Inclusion of Web Functionality from an Untrusted Source" ; rdfs:subClassOf d3f:CWE-829 ; d3f:cwe-id "CWE-830" ; d3f:definition "The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source." . d3f:CWE-831 a owl:Class ; rdfs:label "Signal Handler Function Associated with Multiple Signals" ; rdfs:subClassOf d3f:CWE-364 ; d3f:cwe-id "CWE-831" ; d3f:definition "The product defines a function that is used as a handler for more than one signal." . d3f:CWE-832 a owl:Class ; rdfs:label "Unlock of a Resource that is not Locked" ; rdfs:subClassOf d3f:CWE-667 ; d3f:cwe-id "CWE-832" ; d3f:definition "The product attempts to unlock a resource that is not locked." . d3f:CWE-833 a owl:Class ; rdfs:label "Deadlock" ; rdfs:subClassOf d3f:CWE-667 ; d3f:cwe-id "CWE-833" ; d3f:definition "The product contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock." . d3f:CWE-834 a owl:Class ; rdfs:label "Excessive Iteration" ; rdfs:subClassOf d3f:CWE-691 ; d3f:cwe-id "CWE-834" ; d3f:definition "The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed." . d3f:CWE-835 a owl:Class ; rdfs:label "Loop with Unreachable Exit Condition ('Infinite Loop')" ; rdfs:subClassOf d3f:CWE-834 ; d3f:cwe-id "CWE-835" ; d3f:definition "The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop." . d3f:CWE-836 a owl:Class ; rdfs:label "Use of Password Hash Instead of Password for Authentication" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-836" ; d3f:definition "The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store." . d3f:CWE-837 a owl:Class ; rdfs:label "Improper Enforcement of a Single, Unique Action" ; rdfs:subClassOf d3f:CWE-799 ; d3f:cwe-id "CWE-837" ; d3f:definition "The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction." . d3f:CWE-838 a owl:Class ; rdfs:label "Inappropriate Encoding for Output Context" ; rdfs:subClassOf d3f:CWE-116 ; d3f:cwe-id "CWE-838" ; d3f:definition "The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component." . d3f:CWE-839 a owl:Class ; rdfs:label "Numeric Range Comparison Without Minimum Check" ; rdfs:subClassOf d3f:CWE-1023 ; d3f:cwe-id "CWE-839" ; d3f:definition "The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum." ; d3f:synonym "Signed comparison" . d3f:CWE-841 a owl:Class ; rdfs:label "Improper Enforcement of Behavioral Workflow" ; rdfs:subClassOf d3f:CWE-691 ; d3f:cwe-id "CWE-841" ; d3f:definition "The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in the required sequence." . d3f:CWE-842 a owl:Class ; rdfs:label "Placement of User into Incorrect Group" ; rdfs:subClassOf d3f:CWE-286 ; d3f:cwe-id "CWE-842" ; d3f:definition "The product or the administrator places a user into an incorrect group." . d3f:CWE-843 a owl:Class ; rdfs:label "Access of Resource Using Incompatible Type ('Type Confusion')" ; rdfs:subClassOf d3f:CWE-704 ; d3f:cwe-id "CWE-843" ; d3f:definition "The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type." ; d3f:synonym "Object Type Confusion" . d3f:CWE-862 a owl:Class ; rdfs:label "Missing Authorization" ; rdfs:subClassOf d3f:CWE-285 ; rdfs:comment "Broad and could apply to all resource accesses." ; d3f:cwe-id "CWE-862" ; d3f:definition "The product does not perform an authorization check when an actor attempts to access a resource or perform an action." ; d3f:synonym "AuthZ" . d3f:CWE-863 a owl:Class ; rdfs:label "Incorrect Authorization" ; rdfs:subClassOf d3f:CWE-285 ; d3f:cwe-id "CWE-863" ; d3f:definition "The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check." ; d3f:synonym "AuthZ" . d3f:CWE-908 a owl:Class ; rdfs:label "Use of Uninitialized Resource" ; rdfs:subClassOf d3f:CWE-665 ; d3f:cwe-id "CWE-908" ; d3f:definition "The product uses or accesses a resource that has not been initialized." . d3f:CWE-909 a owl:Class ; rdfs:label "Missing Initialization of Resource" ; rdfs:subClassOf d3f:CWE-665 ; d3f:cwe-id "CWE-909" ; d3f:definition "The product does not initialize a critical resource." . d3f:CWE-910 a owl:Class ; rdfs:label "Use of Expired File Descriptor" ; rdfs:subClassOf d3f:CWE-672 ; d3f:cwe-id "CWE-910" ; d3f:definition "The product uses or accesses a file descriptor after it has been closed." ; d3f:synonym "Stale file descriptor" . d3f:CWE-911 a owl:Class ; rdfs:label "Improper Update of Reference Count" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-911" ; d3f:definition "The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count." . d3f:CWE-912 a owl:Class ; rdfs:label "Hidden Functionality" ; rdfs:subClassOf d3f:CWE-684 ; d3f:cwe-id "CWE-912" ; d3f:definition "The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators." . d3f:CWE-913 a owl:Class ; rdfs:label "Improper Control of Dynamically-Managed Code Resources" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-913" ; d3f:definition "The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements." . d3f:CWE-914 a owl:Class ; rdfs:label "Improper Control of Dynamically-Identified Variables" ; rdfs:subClassOf d3f:CWE-99, d3f:CWE-913 ; d3f:cwe-id "CWE-914" ; d3f:definition "The product does not properly restrict reading from or writing to dynamically-identified variables." . d3f:CWE-915 a owl:Class ; rdfs:label "Improperly Controlled Modification of Dynamically-Determined Object Attributes" ; rdfs:subClassOf d3f:CWE-913 ; d3f:cwe-id "CWE-915" ; d3f:definition "The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified." ; d3f:synonym "AutoBinding", "Mass Assignment", "PHP Object Injection" . d3f:CWE-916 a owl:Class ; rdfs:label "Use of Password Hash With Insufficient Computational Effort" ; rdfs:subClassOf d3f:CWE-327, d3f:CWE-328 ; d3f:cwe-id "CWE-916" ; d3f:definition "The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive." . d3f:CWE-917 a owl:Class ; rdfs:label "Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')" ; rdfs:subClassOf d3f:CWE-77 ; d3f:cwe-id "CWE-917" ; d3f:definition "The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed." ; d3f:synonym "EL Injection" . d3f:CWE-918 a owl:Class, owl:NamedIndividual ; rdfs:label "Server-Side Request Forgery (SSRF)" ; rdfs:subClassOf d3f:CWE-441, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserInputFunction ] ; d3f:cwe-id "CWE-918" ; d3f:definition "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination." ; d3f:synonym "SSRF", "XSPA" ; d3f:weakness-of d3f:UserInputFunction . d3f:CWE-920 a owl:Class ; rdfs:label "Improper Restriction of Power Consumption" ; rdfs:subClassOf d3f:CWE-400 ; d3f:cwe-id "CWE-920" ; d3f:definition "The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not properly restrict the amount of power that its operation consumes." . d3f:CWE-921 a owl:Class ; rdfs:label "Storage of Sensitive Data in a Mechanism without Access Control" ; rdfs:subClassOf d3f:CWE-922 ; d3f:cwe-id "CWE-921" ; d3f:definition "The product stores sensitive information in a file system or device that does not have built-in access control." . d3f:CWE-922 a owl:Class ; rdfs:label "Insecure Storage of Sensitive Information" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-922" ; d3f:definition "The product stores sensitive information without properly limiting read or write access by unauthorized actors." . d3f:CWE-923 a owl:Class ; rdfs:label "Improper Restriction of Communication Channel to Intended Endpoints" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-923" ; d3f:definition "The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint." . d3f:CWE-924 a owl:Class ; rdfs:label "Improper Enforcement of Message Integrity During Transmission in a Communication Channel" ; rdfs:subClassOf d3f:CWE-345 ; d3f:cwe-id "CWE-924" ; d3f:definition "The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission." . d3f:CWE-925 a owl:Class ; rdfs:label "Improper Verification of Intent by Broadcast Receiver" ; rdfs:subClassOf d3f:CWE-940 ; d3f:cwe-id "CWE-925" ; d3f:definition "The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source." ; d3f:synonym "Intent Spoofing" . d3f:CWE-926 a owl:Class ; rdfs:label "Improper Export of Android Application Components" ; rdfs:subClassOf d3f:CWE-285 ; d3f:cwe-id "CWE-926" ; d3f:definition "The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains." . d3f:CWE-927 a owl:Class ; rdfs:label "Use of Implicit Intent for Sensitive Communication" ; rdfs:subClassOf d3f:CWE-285, d3f:CWE-668 ; d3f:cwe-id "CWE-927" ; d3f:definition "The Android application uses an implicit intent for transmitting sensitive data to other applications." . d3f:CWE-939 a owl:Class ; rdfs:label "Improper Authorization in Handler for Custom URL Scheme" ; rdfs:subClassOf d3f:CWE-862 ; d3f:cwe-id "CWE-939" ; d3f:definition "The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme." . d3f:CWE-940 a owl:Class ; rdfs:label "Improper Verification of Source of a Communication Channel" ; rdfs:subClassOf d3f:CWE-346, d3f:CWE-923 ; d3f:cwe-id "CWE-940" ; d3f:definition "The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin." . d3f:CWE-941 a owl:Class ; rdfs:label "Incorrectly Specified Destination in a Communication Channel" ; rdfs:subClassOf d3f:CWE-923 ; d3f:cwe-id "CWE-941" ; d3f:definition "The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor." . d3f:CWE-942 a owl:Class ; rdfs:label "Permissive Cross-domain Policy with Untrusted Domains" ; rdfs:subClassOf d3f:CWE-183, d3f:CWE-863, d3f:CWE-923 ; d3f:cwe-id "CWE-942" ; d3f:definition "The product uses a cross-domain policy file that includes domains that should not be trusted." . d3f:CWE-943 a owl:Class ; rdfs:label "Improper Neutralization of Special Elements in Data Query Logic" ; rdfs:subClassOf d3f:CWE-74 ; d3f:cwe-id "CWE-943" ; d3f:definition "The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query." ; d3f:synonym "NoSQL Injection, NoSQLi" . d3f:CWE-1004 a owl:Class ; rdfs:label "Sensitive Cookie Without 'HttpOnly' Flag" ; rdfs:subClassOf d3f:CWE-732 ; d3f:cwe-id "CWE-1004" ; d3f:definition "The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag." . d3f:CWE-1007 a owl:Class ; rdfs:label "Insufficient Visual Distinction of Homoglyphs Presented to User" ; rdfs:subClassOf d3f:CWE-451 ; d3f:cwe-id "CWE-1007" ; d3f:definition "The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action." ; d3f:synonym "Homograph Attack" . d3f:CWE-1021 a owl:Class ; rdfs:label "Improper Restriction of Rendered UI Layers or Frames" ; rdfs:subClassOf d3f:CWE-441, d3f:CWE-451 ; d3f:cwe-id "CWE-1021" ; d3f:definition "The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with." ; d3f:synonym "Clickjacking", "Tapjacking", "UI Redress Attack" . d3f:CWE-1022 a owl:Class ; rdfs:label "Use of Web Link to Untrusted Target with window.opener Access" ; rdfs:subClassOf d3f:CWE-266 ; d3f:cwe-id "CWE-1022" ; d3f:definition "The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property." ; d3f:synonym "tabnabbing" . d3f:CWE-1023 a owl:Class ; rdfs:label "Incomplete Comparison with Missing Factors" ; rdfs:subClassOf d3f:CWE-697 ; d3f:cwe-id "CWE-1023" ; d3f:definition "The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors." . d3f:CWE-1024 a owl:Class ; rdfs:label "Comparison of Incompatible Types" ; rdfs:subClassOf d3f:CWE-697 ; d3f:cwe-id "CWE-1024" ; d3f:definition "The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide correct results when they are directly compared." . d3f:CWE-1025 a owl:Class ; rdfs:label "Comparison Using Wrong Factors" ; rdfs:subClassOf d3f:CWE-697 ; d3f:cwe-id "CWE-1025" ; d3f:definition "The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead to incorrect results and resultant weaknesses." . d3f:CWE-1037 a owl:Class ; rdfs:label "Processor Optimization Removal or Modification of Security-critical Code" ; rdfs:subClassOf d3f:CWE-1038 ; d3f:cwe-id "CWE-1037" ; d3f:definition "The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified." . d3f:CWE-1038 a owl:Class ; rdfs:label "Insecure Automated Optimizations" ; rdfs:subClassOf d3f:CWE-435, d3f:CWE-758 ; d3f:cwe-id "CWE-1038" ; d3f:definition "The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side effect that might violate an intended security assumption." . d3f:CWE-1039 a owl:Class ; rdfs:label "Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations", "Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism" ; rdfs:subClassOf d3f:CWE-693, d3f:CWE-697 ; d3f:cwe-id "CWE-1039" ; d3f:definition "The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept." . d3f:CWE-1041 a owl:Class ; rdfs:label "Use of Redundant Code" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1041" ; d3f:definition "The product has multiple functions, methods, procedures, macros, etc. that contain the same code." . d3f:CWE-1042 a owl:Class ; rdfs:label "Static Member Data Element outside of a Singleton Class Element" ; rdfs:subClassOf d3f:CWE-1176 ; d3f:cwe-id "CWE-1042" ; d3f:definition "The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' association of a Create action." . d3f:CWE-1043 a owl:Class ; rdfs:label "Data Element Aggregating an Excessively Large Number of Non-Primitive Elements" ; rdfs:subClassOf d3f:CWE-1093 ; d3f:cwe-id "CWE-1043" ; d3f:definition "The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects." . d3f:CWE-1044 a owl:Class ; rdfs:label "Architecture with Number of Horizontal Layers Outside of Expected Range" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1044" ; d3f:definition "The product's architecture contains too many - or too few - horizontal layers." . d3f:CWE-1045 a owl:Class ; rdfs:label "Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor" ; rdfs:subClassOf d3f:CWE-1076 ; d3f:cwe-id "CWE-1045" ; d3f:definition "A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor." . d3f:CWE-1046 a owl:Class ; rdfs:label "Creation of Immutable Text Using String Concatenation" ; rdfs:subClassOf d3f:CWE-1176 ; d3f:cwe-id "CWE-1046" ; d3f:definition "The product creates an immutable text string using string concatenation operations." . d3f:CWE-1047 a owl:Class ; rdfs:label "Modules with Circular Dependencies" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1047" ; d3f:definition "The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies." . d3f:CWE-1048 a owl:Class ; rdfs:label "Invokable Control Element with Large Number of Outward Calls" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1048" ; d3f:definition "The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e. a Fan-Out value that is excessively large." . d3f:CWE-1049 a owl:Class ; rdfs:label "Excessive Data Query Operations in a Large Data Table" ; rdfs:subClassOf d3f:CWE-1176 ; d3f:cwe-id "CWE-1049" ; d3f:definition "The product performs a data query with a large number of joins and sub-queries on a large data table." . d3f:CWE-1050 a owl:Class ; rdfs:label "Excessive Platform Resource Consumption within a Loop" ; rdfs:subClassOf d3f:CWE-405 ; d3f:cwe-id "CWE-1050" ; d3f:definition "The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. messaging, sessions, locks, or file descriptors." . d3f:CWE-1051 a owl:Class ; rdfs:label "Initialization with Hard-Coded Network Resource Configuration Data" ; rdfs:subClassOf d3f:CWE-665, d3f:CWE-1419 ; d3f:cwe-id "CWE-1051" ; d3f:definition "The product initializes data using hard-coded values that act as network resource identifiers." . d3f:CWE-1052 a owl:Class ; rdfs:label "Excessive Use of Hard-Coded Literals in Initialization" ; rdfs:subClassOf d3f:CWE-665, d3f:CWE-1419 ; d3f:cwe-id "CWE-1052" ; d3f:definition "The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element." . d3f:CWE-1053 a owl:Class ; rdfs:label "Missing Documentation for Design" ; rdfs:subClassOf d3f:CWE-1059 ; d3f:cwe-id "CWE-1053" ; d3f:definition "The product does not have documentation that represents how it is designed." . d3f:CWE-1054 a owl:Class ; rdfs:label "Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer" ; rdfs:subClassOf d3f:CWE-1061 ; d3f:cwe-id "CWE-1054" ; d3f:definition "The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer." . d3f:CWE-1055 a owl:Class ; rdfs:label "Multiple Inheritance from Concrete Classes" ; rdfs:subClassOf d3f:CWE-1093 ; d3f:cwe-id "CWE-1055" ; d3f:definition "The product contains a class with inheritance from more than one concrete class." . d3f:CWE-1056 a owl:Class ; rdfs:label "Invokable Control Element with Variadic Parameters" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1056" ; d3f:definition "A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments." . d3f:CWE-1057 a owl:Class ; rdfs:label "Data Access Operations Outside of Expected Data Manager Component" ; rdfs:subClassOf d3f:CWE-1061 ; d3f:cwe-id "CWE-1057" ; d3f:definition "The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do not use this data manager." . d3f:CWE-1058 a owl:Class ; rdfs:label "Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element" ; rdfs:subClassOf d3f:CWE-662 ; d3f:cwe-id "CWE-1058" ; d3f:definition "The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static storable or member data element." . d3f:CWE-1059 a owl:Class ; rdfs:label "Insufficient Technical Documentation" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1059" ; d3f:definition "The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contains descriptions of all the relevant software/hardware elements of the product, such as its usage, structure, architectural components, interfaces, design, implementation, configuration, operation, etc." . d3f:CWE-1060 a owl:Class ; rdfs:label "Excessive Number of Inefficient Server-Side Data Accesses" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1060" ; d3f:definition "The product performs too many data queries without using efficient data processing functionality such as stored procedures." . d3f:CWE-1061 a owl:Class ; rdfs:label "Insufficient Encapsulation" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1061" ; d3f:definition "The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functionality, or introduce dependencies that the programmer did not intend." . d3f:CWE-1062 a owl:Class ; rdfs:label "Parent Class with References to Child Class" ; rdfs:subClassOf d3f:CWE-1061 ; d3f:cwe-id "CWE-1062" ; d3f:definition "The code has a parent class that contains references to a child class, its methods, or its members." . d3f:CWE-1063 a owl:Class ; rdfs:label "Creation of Class Instance within a Static Code Block" ; rdfs:subClassOf d3f:CWE-1176 ; d3f:cwe-id "CWE-1063" ; d3f:definition "A static code block creates an instance of a class." . d3f:CWE-1064 a owl:Class ; rdfs:label "Invokable Control Element with Signature Containing an Excessive Number of Parameters" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1064" ; d3f:definition "The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments." . d3f:CWE-1065 a owl:Class ; rdfs:label "Runtime Resource Management Control Element in a Component Built to Run on Application Servers" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1065" ; d3f:definition "The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server." . d3f:CWE-1066 a owl:Class ; rdfs:label "Missing Serialization Control Element" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1066" ; d3f:definition "The product contains a serializable data element that does not have an associated serialization method." . d3f:CWE-1067 a owl:Class ; rdfs:label "Excessive Execution of Sequential Searches of Data Resource" ; rdfs:subClassOf d3f:CWE-1176 ; d3f:cwe-id "CWE-1067" ; d3f:definition "The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause sequential searches to be performed." . d3f:CWE-1068 a owl:Class ; rdfs:label "Inconsistency Between Implementation and Documented Design" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1068" ; d3f:definition "The implementation of the product is not consistent with the design as described within the relevant documentation." . d3f:CWE-1069 a owl:Class ; rdfs:label "Empty Exception Block" ; rdfs:subClassOf d3f:CWE-1071 ; d3f:cwe-id "CWE-1069" ; d3f:definition "An invokable code block contains an exception handling block that does not contain any code, i.e. is empty." . d3f:CWE-1070 a owl:Class ; rdfs:label "Serializable Data Element Containing non-Serializable Item Elements" ; rdfs:subClassOf d3f:CWE-710, d3f:CWE-1076 ; d3f:cwe-id "CWE-1070" ; d3f:definition "The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable." . d3f:CWE-1071 a owl:Class ; rdfs:label "Empty Code Block" ; rdfs:subClassOf d3f:CWE-1164 ; d3f:cwe-id "CWE-1071" ; d3f:definition "The source code contains a block that does not contain any code, i.e., the block is empty." . d3f:CWE-1072 a owl:Class ; rdfs:label "Data Resource Access without Use of Connection Pooling" ; rdfs:subClassOf d3f:CWE-405 ; d3f:cwe-id "CWE-1072" ; d3f:definition "The product accesses a data resource through a database without using a connection pooling capability." . d3f:CWE-1073 a owl:Class ; rdfs:label "Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses" ; rdfs:subClassOf d3f:CWE-405 ; d3f:cwe-id "CWE-1073" ; d3f:definition "The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities." . d3f:CWE-1074 a owl:Class ; rdfs:label "Class with Excessively Deep Inheritance" ; rdfs:subClassOf d3f:CWE-1093 ; d3f:cwe-id "CWE-1074" ; d3f:definition "A class has an inheritance level that is too high, i.e., it has a large number of parent classes." . d3f:CWE-1075 a owl:Class ; rdfs:label "Unconditional Control Flow Transfer outside of Switch Block" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1075" ; d3f:definition "The product performs unconditional control transfer (such as a \"goto\") in code outside of a branching structure such as a switch block." . d3f:CWE-1076 a owl:Class ; rdfs:label "Insufficient Adherence to Expected Conventions" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1076" ; d3f:definition "The product's architecture, source code, design, documentation, or other artifact does not follow required conventions." . d3f:CWE-1077 a owl:Class ; rdfs:label "Floating Point Comparison with Incorrect Operator" ; rdfs:subClassOf d3f:CWE-697 ; d3f:cwe-id "CWE-1077" ; d3f:definition "The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision." . d3f:CWE-1078 a owl:Class ; rdfs:label "Inappropriate Source Code Style or Formatting" ; rdfs:subClassOf d3f:CWE-1076 ; d3f:cwe-id "CWE-1078" ; d3f:definition "The source code does not follow desired style or formatting for indentation, white space, comments, etc." . d3f:CWE-1079 a owl:Class ; rdfs:label "Parent Class without Virtual Destructor Method" ; rdfs:subClassOf d3f:CWE-1076 ; d3f:cwe-id "CWE-1079" ; d3f:definition "A parent class contains one or more child classes, but the parent class does not have a virtual destructor method." . d3f:CWE-1080 a owl:Class ; rdfs:label "Source Code File with Excessive Number of Lines of Code" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1080" ; d3f:definition "A source code file has too many lines of code." . d3f:CWE-1082 a owl:Class ; rdfs:label "Class Instance Self Destruction Control Element" ; rdfs:subClassOf d3f:CWE-1076 ; d3f:cwe-id "CWE-1082" ; d3f:definition "The code contains a class instance that calls the method or function to delete or destroy itself." . d3f:CWE-1083 a owl:Class ; rdfs:label "Data Access from Outside Expected Data Manager Component" ; rdfs:subClassOf d3f:CWE-1061 ; d3f:cwe-id "CWE-1083" ; d3f:definition "The product is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component." . d3f:CWE-1084 a owl:Class ; rdfs:label "Invokable Control Element with Excessive File or Data Access Operations" ; rdfs:subClassOf d3f:CWE-405 ; d3f:cwe-id "CWE-1084" ; d3f:definition "A function or method contains too many operations that utilize a data manager or file resource." . d3f:CWE-1085 a owl:Class ; rdfs:label "Invokable Control Element with Excessive Volume of Commented-out Code" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-1085" ; d3f:definition "A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body." . d3f:CWE-1086 a owl:Class ; rdfs:label "Class with Excessive Number of Child Classes" ; rdfs:subClassOf d3f:CWE-1093 ; d3f:cwe-id "CWE-1086" ; d3f:definition "A class contains an unnecessarily large number of children." . d3f:CWE-1087 a owl:Class ; rdfs:label "Class with Virtual Method without a Virtual Destructor" ; rdfs:subClassOf d3f:CWE-1076 ; d3f:cwe-id "CWE-1087" ; d3f:definition "A class contains a virtual method, but the method does not have an associated virtual destructor." . d3f:CWE-1088 a owl:Class ; rdfs:label "Synchronous Access of Remote Resource without Timeout" ; rdfs:subClassOf d3f:CWE-821 ; d3f:cwe-id "CWE-1088" ; d3f:definition "The code has a synchronous call to a remote resource, but there is no timeout for the call, or the timeout is set to infinite." . d3f:CWE-1089 a owl:Class ; rdfs:label "Large Data Table with Excessive Number of Indices" ; rdfs:subClassOf d3f:CWE-405 ; d3f:cwe-id "CWE-1089" ; d3f:definition "The product uses a large data table that contains an excessively large number of indices." . d3f:CWE-1090 a owl:Class ; rdfs:label "Method Containing Access of a Member Element from Another Class" ; rdfs:subClassOf d3f:CWE-1061 ; d3f:cwe-id "CWE-1090" ; d3f:definition "A method for a class performs an operation that directly accesses a member element from another class." . d3f:CWE-1091 a owl:Class ; rdfs:label "Use of Object without Invoking Destructor Method" ; rdfs:subClassOf d3f:CWE-772, d3f:CWE-1076 ; d3f:cwe-id "CWE-1091" ; d3f:definition "The product contains a method that accesses an object but does not later invoke the element's associated finalize/destructor method." . d3f:CWE-1092 a owl:Class ; rdfs:label "Use of Same Invokable Control Element in Multiple Architectural Layers" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1092" ; d3f:definition "The product uses the same control element across multiple architectural layers." . d3f:CWE-1093 a owl:Class ; rdfs:label "Excessively Complex Data Representation" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1093" ; d3f:definition "The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures." . d3f:CWE-1094 a owl:Class ; rdfs:label "Excessive Index Range Scan for a Data Resource" ; rdfs:subClassOf d3f:CWE-405 ; d3f:cwe-id "CWE-1094" ; d3f:definition "The product contains an index range scan for a large data table, but the scan can cover a large number of rows." . d3f:CWE-1095 a owl:Class ; rdfs:label "Loop Condition Value Update within the Loop" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1095" ; d3f:definition "The product uses a loop with a control flow condition based on a value that is updated within the body of the loop." . d3f:CWE-1096 a owl:Class ; rdfs:label "Singleton Class Instance Creation without Proper Locking or Synchronization" ; rdfs:subClassOf d3f:CWE-820 ; d3f:cwe-id "CWE-1096" ; d3f:definition "The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once." . d3f:CWE-1097 a owl:Class ; rdfs:label "Persistent Storable Data Element without Associated Comparison Control Element" ; rdfs:subClassOf d3f:CWE-1076 ; d3f:cwe-id "CWE-1097" ; d3f:definition "The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison." . d3f:CWE-1098 a owl:Class ; rdfs:label "Data Element containing Pointer Item without Proper Copy Control Element" ; rdfs:subClassOf d3f:CWE-1076 ; d3f:cwe-id "CWE-1098" ; d3f:definition "The code contains a data element with a pointer that does not have an associated copy or constructor method." . d3f:CWE-1099 a owl:Class ; rdfs:label "Inconsistent Naming Conventions for Identifiers" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-1099" ; d3f:definition "The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or similar types of elements." . d3f:CWE-1100 a owl:Class ; rdfs:label "Insufficient Isolation of System-Dependent Functions" ; rdfs:subClassOf d3f:CWE-1061 ; d3f:cwe-id "CWE-1100" ; d3f:definition "The product or code does not isolate system-dependent functionality into separate standalone modules." . d3f:CWE-1101 a owl:Class ; rdfs:label "Reliance on Runtime Component in Generated Code" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1101" ; d3f:definition "The product uses automatically-generated code that cannot be executed without a specific runtime support component." . d3f:CWE-1102 a owl:Class ; rdfs:label "Reliance on Machine-Dependent Data Representation" ; rdfs:subClassOf d3f:CWE-758 ; d3f:cwe-id "CWE-1102" ; d3f:definition "The code uses a data representation that relies on low-level data representation or constructs that may vary across different processors, physical machines, OSes, or other physical components." . d3f:CWE-1103 a owl:Class ; rdfs:label "Use of Platform-Dependent Third Party Components" ; rdfs:subClassOf d3f:CWE-758 ; d3f:cwe-id "CWE-1103" ; d3f:definition "The product relies on third-party components that do not provide equivalent functionality across all desirable platforms." . d3f:CWE-1104 a owl:Class ; rdfs:label "Use of Unmaintained Third Party Components" ; rdfs:subClassOf d3f:CWE-1357 ; d3f:cwe-id "CWE-1104" ; d3f:definition "The product relies on third-party components that are not actively supported or maintained by the original developer or a trusted proxy for the original developer." . d3f:CWE-1105 a owl:Class ; rdfs:label "Insufficient Encapsulation of Machine-Dependent Functionality" ; rdfs:subClassOf d3f:CWE-758, d3f:CWE-1061 ; d3f:cwe-id "CWE-1105" ; d3f:definition "The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code." . d3f:CWE-1106 a owl:Class ; rdfs:label "Insufficient Use of Symbolic Constants" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-1106" ; d3f:definition "The source code uses literal constants that may need to change or evolve over time, instead of using symbolic constants." . d3f:CWE-1107 a owl:Class ; rdfs:label "Insufficient Isolation of Symbolic Constant Definitions" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-1107" ; d3f:definition "The source code uses symbolic constants, but it does not sufficiently place the definitions of these constants into a more centralized or isolated location." . d3f:CWE-1108 a owl:Class ; rdfs:label "Excessive Reliance on Global Variables" ; rdfs:subClassOf d3f:CWE-1076 ; d3f:cwe-id "CWE-1108" ; d3f:definition "The code is structured in a way that relies too much on using or setting global variables throughout various points in the code, instead of preserving the associated information in a narrower, more local context." . d3f:CWE-1109 a owl:Class ; rdfs:label "Use of Same Variable for Multiple Purposes" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-1109" ; d3f:definition "The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data." . d3f:CWE-1110 a owl:Class ; rdfs:label "Incomplete Design Documentation" ; rdfs:subClassOf d3f:CWE-1059 ; d3f:cwe-id "CWE-1110" ; d3f:definition "The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design." . d3f:CWE-1111 a owl:Class ; rdfs:label "Incomplete I/O Documentation" ; rdfs:subClassOf d3f:CWE-1059 ; d3f:cwe-id "CWE-1111" ; d3f:definition "The product's documentation does not adequately define inputs, outputs, or system/software interfaces." . d3f:CWE-1112 a owl:Class ; rdfs:label "Incomplete Documentation of Program Execution" ; rdfs:subClassOf d3f:CWE-1059 ; d3f:cwe-id "CWE-1112" ; d3f:definition "The document does not fully define all mechanisms that are used to control or influence how product-specific programs are executed." . d3f:CWE-1113 a owl:Class ; rdfs:label "Inappropriate Comment Style" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-1113" ; d3f:definition "The source code uses comment styles or formats that are inconsistent or do not follow expected standards for the product." . d3f:CWE-1114 a owl:Class ; rdfs:label "Inappropriate Whitespace Style" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-1114" ; d3f:definition "The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product." . d3f:CWE-1115 a owl:Class ; rdfs:label "Source Code Element without Standard Prologue" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-1115" ; d3f:definition "The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project." . d3f:CWE-1116 a owl:Class ; rdfs:label "Inaccurate Comments" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-1116" ; d3f:definition "The source code contains comments that do not accurately describe or explain aspects of the portion of the code with which the comment is associated." . d3f:CWE-1117 a owl:Class ; rdfs:label "Callable with Insufficient Behavioral Summary" ; rdfs:subClassOf d3f:CWE-1078 ; d3f:cwe-id "CWE-1117" ; d3f:definition "The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes." . d3f:CWE-1118 a owl:Class ; rdfs:label "Insufficient Documentation of Error Handling Techniques" ; rdfs:subClassOf d3f:CWE-1059 ; d3f:cwe-id "CWE-1118" ; d3f:definition "The documentation does not sufficiently describe the techniques that are used for error handling, exception processing, or similar mechanisms." . d3f:CWE-1119 a owl:Class ; rdfs:label "Excessive Use of Unconditional Branching" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1119" ; d3f:definition "The code uses too many unconditional branches (such as \"goto\")." . d3f:CWE-1120 a owl:Class ; rdfs:label "Excessive Code Complexity" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1120" ; d3f:definition "The code is too complex, as calculated using a well-defined, quantitative measure." . d3f:CWE-1121 a owl:Class ; rdfs:label "Excessive McCabe Cyclomatic Complexity" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1121" ; d3f:definition "The code contains McCabe cyclomatic complexity that exceeds a desirable maximum." . d3f:CWE-1122 a owl:Class ; rdfs:label "Excessive Halstead Complexity" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1122" ; d3f:definition "The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum." . d3f:CWE-1123 a owl:Class ; rdfs:label "Excessive Use of Self-Modifying Code" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1123" ; d3f:definition "The product uses too much self-modifying code." . d3f:CWE-1124 a owl:Class ; rdfs:label "Excessively Deep Nesting" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1124" ; d3f:definition "The code contains a callable or other code grouping in which the nesting / branching is too deep." . d3f:CWE-1125 a owl:Class ; rdfs:label "Excessive Attack Surface" ; rdfs:subClassOf d3f:CWE-1120 ; d3f:cwe-id "CWE-1125" ; d3f:definition "The product has an attack surface whose quantitative measurement exceeds a desirable maximum." . d3f:CWE-1126 a owl:Class ; rdfs:label "Declaration of Variable with Unnecessarily Wide Scope" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1126" ; d3f:definition "The source code declares a variable in one scope, but the variable is only used within a narrower scope." . d3f:CWE-1127 a owl:Class ; rdfs:label "Compilation with Insufficient Warnings or Errors" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1127" ; d3f:definition "The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues." . d3f:CWE-1164 a owl:Class ; rdfs:label "Irrelevant Code" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1164" ; d3f:definition "The product contains code that is not essential for execution, i.e. makes no state changes and has no side effects that alter data or control flow, such that removal of the code would have no impact to functionality or correctness." . d3f:CWE-1173 a owl:Class ; rdfs:label "Improper Use of Validation Framework" ; rdfs:subClassOf d3f:CWE-20 ; d3f:cwe-id "CWE-1173" ; d3f:definition "The product does not use, or incorrectly uses, an input validation framework that is provided by the source language or an independent library." . d3f:CWE-1174 a owl:Class ; rdfs:label "ASP.NET Misconfiguration: Improper Model Validation" ; rdfs:subClassOf d3f:CWE-1173 ; d3f:cwe-id "CWE-1174" ; d3f:definition "The ASP.NET application does not use, or incorrectly uses, the model validation framework." . d3f:CWE-1176 a owl:Class ; rdfs:label "Inefficient CPU Computation" ; rdfs:subClassOf d3f:CWE-405 ; d3f:cwe-id "CWE-1176" ; d3f:definition "The product performs CPU computations using algorithms that are not as efficient as they could be for the needs of the developer, i.e., the computations can be optimized further." . d3f:CWE-1177 a owl:Class ; rdfs:label "Use of Prohibited Code" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1177" ; d3f:definition "The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer." . d3f:CWE-1188 a owl:Class ; rdfs:label "Initialization of a Resource with an Insecure Default", "Insecure Default Initialization of Resource" ; rdfs:subClassOf d3f:CWE-665, d3f:CWE-1419 ; d3f:cwe-id "CWE-1188" ; d3f:definition "The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure." . d3f:CWE-1189 a owl:Class ; rdfs:label "Improper Isolation of Shared Resources on System-on-a-Chip (SoC)" ; rdfs:subClassOf d3f:CWE-653, d3f:CWE-668 ; d3f:cwe-id "CWE-1189" ; d3f:definition "The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents." . d3f:CWE-1190 a owl:Class ; rdfs:label "DMA Device Enabled Too Early in Boot Phase" ; rdfs:subClassOf d3f:CWE-696 ; d3f:cwe-id "CWE-1190" ; d3f:definition "The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data from or gain privileges on the product." . d3f:CWE-1191 a owl:Class ; rdfs:label "On-Chip Debug and Test Interface With Improper Access Control" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1191" ; d3f:definition "The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface." . d3f:CWE-1192 a owl:Class ; rdfs:label "Improper Identifier for IP Block used in System-On-Chip (SOC)", "System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers" ; rdfs:subClassOf d3f:CWE-657 ; d3f:cwe-id "CWE-1192" ; d3f:definition "The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components." . d3f:CWE-1193 a owl:Class ; rdfs:label "Power-On of Untrusted Execution Core Before Enabling Fabric Access Control" ; rdfs:subClassOf d3f:CWE-696 ; d3f:cwe-id "CWE-1193" ; d3f:definition "The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled." . d3f:CWE-1204 a owl:Class ; rdfs:label "Generation of Weak Initialization Vector (IV)" ; rdfs:subClassOf d3f:CWE-330 ; d3f:cwe-id "CWE-1204" ; d3f:definition "The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive." . d3f:CWE-1209 a owl:Class ; rdfs:label "Failure to Disable Reserved Bits" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1209" ; d3f:definition "The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design. However, designers might covertly use these bits to debug or further develop new capabilities in production hardware. Adversaries with access to these bits will write to them in hopes of compromising hardware state." . d3f:CWE-1220 a owl:Class ; rdfs:label "Insufficient Granularity of Access Control" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1220" ; d3f:definition "The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets." . d3f:CWE-1221 a owl:Class ; rdfs:label "Incorrect Register Defaults or Module Parameters" ; rdfs:subClassOf d3f:CWE-665, d3f:CWE-1419 ; d3f:cwe-id "CWE-1221" ; d3f:definition "Hardware description language code incorrectly defines register defaults or hardware Intellectual Property (IP) parameters to insecure values." . d3f:CWE-1222 a owl:Class ; rdfs:label "Insufficient Granularity of Address Regions Protected by Register Locks" ; rdfs:subClassOf d3f:CWE-1220 ; d3f:cwe-id "CWE-1222" ; d3f:definition "The product defines a large address region protected from modification by the same register lock control bit. This results in a conflict between the functional requirement that some addresses need to be writable by software during operation and the security requirement that the system configuration lock bit must be set during the boot process." . d3f:CWE-1223 a owl:Class ; rdfs:label "Race Condition for Write-Once Attributes" ; rdfs:subClassOf d3f:CWE-362 ; d3f:cwe-id "CWE-1223" ; d3f:definition "A write-once register in hardware design is programmable by an untrusted software component earlier than the trusted software component, resulting in a race condition issue." . d3f:CWE-1224 a owl:Class ; rdfs:label "Improper Restriction of Write-Once Bit Fields" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1224" ; d3f:definition "The hardware design control register \"sticky bits\" or write-once bit fields are improperly implemented, such that they can be reprogrammed by software." . d3f:CWE-1229 a owl:Class ; rdfs:label "Creation of Emergent Resource" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-1229" ; d3f:definition "The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy." . d3f:CWE-1230 a owl:Class ; rdfs:label "Exposure of Sensitive Information Through Metadata" ; rdfs:subClassOf d3f:CWE-285 ; d3f:cwe-id "CWE-1230" ; d3f:definition "The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information." . d3f:CWE-1231 a owl:Class ; rdfs:label "Improper Prevention of Lock Bit Modification" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1231" ; d3f:definition "The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set." . d3f:CWE-1232 a owl:Class ; rdfs:label "Improper Lock Behavior After Power State Transition" ; rdfs:subClassOf d3f:CWE-667 ; d3f:cwe-id "CWE-1232" ; d3f:definition "Register lock bit protection disables changes to system configuration once the bit is set. Some of the protected registers or lock bits become programmable after power state transitions (e.g., Entry and wake from low power sleep modes) causing the system configuration to be changeable." . d3f:CWE-1233 a owl:Class ; rdfs:label "Security-Sensitive Hardware Controls with Missing Lock Bit Protection" ; rdfs:subClassOf d3f:CWE-284, d3f:CWE-667 ; d3f:cwe-id "CWE-1233" ; d3f:definition "The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration." . d3f:CWE-1234 a owl:Class ; rdfs:label "Hardware Internal or Debug Modes Allow Override of Locks" ; rdfs:subClassOf d3f:CWE-667 ; d3f:cwe-id "CWE-1234" ; d3f:definition "System configuration protection may be bypassed during debug mode." . d3f:CWE-1235 a owl:Class ; rdfs:label "Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations" ; rdfs:subClassOf d3f:CWE-400 ; d3f:cwe-id "CWE-1235" ; d3f:definition "The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations." . d3f:CWE-1236 a owl:Class ; rdfs:label "Improper Neutralization of Formula Elements in a CSV File" ; rdfs:subClassOf d3f:CWE-74 ; d3f:cwe-id "CWE-1236" ; d3f:definition "The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product." ; d3f:synonym "CSV Injection", "Excel Macro Injection", "Formula Injection" . d3f:CWE-1239 a owl:Class ; rdfs:label "Improper Zeroization of Hardware Register" ; rdfs:subClassOf d3f:CWE-226 ; d3f:cwe-id "CWE-1239" ; d3f:definition "The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes." . d3f:CWE-1240 a owl:Class ; rdfs:label "Use of a Cryptographic Primitive with a Risky Implementation" ; rdfs:subClassOf d3f:CWE-327 ; d3f:cwe-id "CWE-1240" ; d3f:definition "To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation." . d3f:CWE-1241 a owl:Class ; rdfs:label "Use of Predictable Algorithm in Random Number Generator" ; rdfs:subClassOf d3f:CWE-330 ; d3f:cwe-id "CWE-1241" ; d3f:definition "The device uses an algorithm that is predictable and generates a pseudo-random number." . d3f:CWE-1242 a owl:Class ; rdfs:label "Inclusion of Undocumented Features or Chicken Bits" ; rdfs:subClassOf d3f:CWE-284, d3f:CWE-912 ; d3f:cwe-id "CWE-1242" ; d3f:definition "The device includes chicken bits or undocumented features that can create entry points for unauthorized actors." . d3f:CWE-1243 a owl:Class ; rdfs:label "Sensitive Non-Volatile Information Not Protected During Debug" ; rdfs:subClassOf d3f:CWE-1263 ; d3f:cwe-id "CWE-1243" ; d3f:definition "Access to security-sensitive information stored in fuses is not limited during debug." . d3f:CWE-1244 a owl:Class ; rdfs:label "Internal Asset Exposed to Unsafe Debug Access Level or State" ; rdfs:subClassOf d3f:CWE-863 ; d3f:cwe-id "CWE-1244" ; d3f:definition "The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents." . d3f:CWE-1245 a owl:Class ; rdfs:label "Improper Finite State Machines (FSMs) in Hardware Logic" ; rdfs:subClassOf d3f:CWE-684 ; d3f:cwe-id "CWE-1245" ; d3f:definition "Faulty finite state machines (FSMs) in the hardware logic allow an attacker to put the system in an undefined state, to cause a denial of service (DoS) or gain privileges on the victim's system." . d3f:CWE-1246 a owl:Class ; rdfs:label "Improper Write Handling in Limited-write Non-Volatile Memories" ; rdfs:subClassOf d3f:CWE-400 ; d3f:cwe-id "CWE-1246" ; d3f:definition "The product does not implement or incorrectly implements wear leveling operations in limited-write non-volatile memories." . d3f:CWE-1247 a owl:Class ; rdfs:label "Improper Protection Against Voltage and Clock Glitches" ; rdfs:subClassOf d3f:CWE-1384 ; d3f:cwe-id "CWE-1247" ; d3f:definition "The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device." . d3f:CWE-1248 a owl:Class ; rdfs:label "Semiconductor Defects in Hardware Logic with Security-Sensitive Implications" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-1248" ; d3f:definition "The security-sensitive hardware module contains semiconductor defects." . d3f:CWE-1249 a owl:Class ; rdfs:label "Application-Level Admin Tool with Inconsistent View of Underlying Operating System" ; rdfs:subClassOf d3f:CWE-1250 ; d3f:cwe-id "CWE-1249" ; d3f:definition "The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; that is, the application's model of the OS's state is inconsistent with the OS's actual state." ; d3f:synonym "Ghost in the Shell" . d3f:CWE-1250 a owl:Class ; rdfs:label "Improper Preservation of Consistency Between Independent Representations of Shared State" ; rdfs:subClassOf d3f:CWE-664 ; d3f:cwe-id "CWE-1250" ; d3f:definition "The product has or supports multiple distributed components or sub-systems that are each required to keep their own local copy of shared data - such as state or cache - but the product does not ensure that all local copies remain consistent with each other." . d3f:CWE-1251 a owl:Class ; rdfs:label "Mirrored Regions with Different Values" ; rdfs:subClassOf d3f:CWE-1250 ; d3f:cwe-id "CWE-1251" ; d3f:definition "The product's architecture mirrors regions without ensuring that their contents always stay in sync." . d3f:CWE-1252 a owl:Class ; rdfs:label "CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1252" ; d3f:definition "The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory." . d3f:CWE-1253 a owl:Class ; rdfs:label "Incorrect Selection of Fuse Values" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-1253" ; d3f:definition "The logic level used to set a system to a secure state relies on a fuse being unblown. An attacker can set the system to an insecure state merely by blowing the fuse." . d3f:CWE-1254 a owl:Class ; rdfs:label "Incorrect Comparison Logic Granularity" ; rdfs:subClassOf d3f:CWE-208, d3f:CWE-697 ; d3f:cwe-id "CWE-1254" ; d3f:definition "The product's comparison logic is performed over a series of steps rather than across the entire string in one operation. If there is a comparison logic failure on one of these steps, the operation may be vulnerable to a timing attack that can result in the interception of the process for nefarious purposes." . d3f:CWE-1255 a owl:Class ; rdfs:label "Comparison Logic is Vulnerable to Power Side-Channel Attacks" ; rdfs:subClassOf d3f:CWE-1300 ; d3f:cwe-id "CWE-1255" ; d3f:definition "A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token." . d3f:CWE-1256 a owl:Class ; rdfs:label "Improper Restriction of Software Interfaces to Hardware Features" ; rdfs:subClassOf d3f:CWE-285 ; d3f:cwe-id "CWE-1256" ; d3f:definition "The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels." . d3f:CWE-1257 a owl:Class ; rdfs:label "Improper Access Control Applied to Mirrored or Aliased Memory Regions" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1257" ; d3f:definition "Aliased or mirrored memory regions in hardware designs may have inconsistent read/write permissions enforced by the hardware. A possible result is that an untrusted agent is blocked from accessing a memory region but is not blocked from accessing the corresponding aliased memory region." . d3f:CWE-1258 a owl:Class ; rdfs:label "Exposure of Sensitive System Information Due to Uncleared Debug Information" ; rdfs:subClassOf d3f:CWE-200, d3f:CWE-212 ; d3f:cwe-id "CWE-1258" ; d3f:definition "The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered." . d3f:CWE-1259 a owl:Class ; rdfs:label "Improper Restriction of Security Token Assignment" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1259" ; d3f:definition "The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected." . d3f:CWE-1260 a owl:Class ; rdfs:label "Improper Handling of Overlap Between Protected Memory Ranges" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1260" ; d3f:definition "The product allows address regions to overlap, which can result in the bypassing of intended memory protection." . d3f:CWE-1261 a owl:Class ; rdfs:label "Improper Handling of Single Event Upsets" ; rdfs:subClassOf d3f:CWE-1384 ; d3f:cwe-id "CWE-1261" ; d3f:definition "The hardware logic does not effectively handle when single-event upsets (SEUs) occur." . d3f:CWE-1262 a owl:Class ; rdfs:label "Improper Access Control for Register Interface" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1262" ; d3f:definition "The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers." . d3f:CWE-1263 a owl:Class ; rdfs:label "Improper Physical Access Control" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1263" ; d3f:definition "The product is designed with access restricted to certain information, but it does not sufficiently protect against an unauthorized actor with physical access to these areas." . d3f:CWE-1264 a owl:Class ; rdfs:label "Hardware Logic with Insecure De-Synchronization between Control and Data Channels" ; rdfs:subClassOf d3f:CWE-821 ; d3f:cwe-id "CWE-1264" ; d3f:definition "The hardware logic for error handling and security checks can incorrectly forward data before the security check is complete." . d3f:CWE-1265 a owl:Class ; rdfs:label "Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls" ; rdfs:subClassOf d3f:CWE-691 ; d3f:cwe-id "CWE-1265" ; d3f:definition "During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code." . d3f:CWE-1266 a owl:Class ; rdfs:label "Improper Scrubbing of Sensitive Data from Decommissioned Device" ; rdfs:subClassOf d3f:CWE-404 ; d3f:cwe-id "CWE-1266" ; d3f:definition "The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect." . d3f:CWE-1267 a owl:Class ; rdfs:label "Policy Uses Obsolete Encoding" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1267" ; d3f:definition "The product uses an obsolete encoding mechanism to implement access controls." . d3f:CWE-1268 a owl:Class ; rdfs:label "Policy Privileges are not Assigned Consistently Between Control and Data Agents" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1268" ; d3f:definition "The product's hardware-enforced access control for a particular resource improperly accounts for privilege discrepancies between control and write policies." . d3f:CWE-1269 a owl:Class ; rdfs:label "Product Released in Non-Release Configuration" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-1269" ; d3f:definition "The product released to market is released in pre-production or manufacturing configuration." . d3f:CWE-1270 a owl:Class ; rdfs:label "Generation of Incorrect Security Tokens" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1270" ; d3f:definition "The product implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens generated in the system are incorrect." . d3f:CWE-1271 a owl:Class ; rdfs:label "Uninitialized Value on Reset for Registers Holding Security Settings" ; rdfs:subClassOf d3f:CWE-909 ; d3f:cwe-id "CWE-1271" ; d3f:definition "Security-critical logic is not set to a known value on reset." . d3f:CWE-1272 a owl:Class ; rdfs:label "Sensitive Information Uncleared Before Debug/Power State Transition" ; rdfs:subClassOf d3f:CWE-226 ; d3f:cwe-id "CWE-1272" ; d3f:definition "The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions." . d3f:CWE-1273 a owl:Class ; rdfs:label "Device Unlock Credential Sharing" ; rdfs:subClassOf d3f:CWE-200 ; d3f:cwe-id "CWE-1273" ; d3f:definition "The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information." . d3f:CWE-1274 a owl:Class ; rdfs:label "Improper Access Control for Volatile Memory Containing Boot Code" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1274" ; d3f:definition "The product conducts a secure-boot process that transfers bootloader code from Non-Volatile Memory (NVM) into Volatile Memory (VM), but it does not have sufficient access control or other protections for the Volatile Memory." . d3f:CWE-1275 a owl:Class ; rdfs:label "Sensitive Cookie with Improper SameSite Attribute" ; rdfs:subClassOf d3f:CWE-923 ; d3f:cwe-id "CWE-1275" ; d3f:definition "The SameSite attribute for sensitive cookies is not set, or an insecure value is used." . d3f:CWE-1276 a owl:Class ; rdfs:label "Hardware Child Block Incorrectly Connected to Parent System" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1276" ; d3f:definition "Signals between a hardware IP and the parent system design are incorrectly connected causing security risks." . d3f:CWE-1277 a owl:Class ; rdfs:label "Firmware Not Updateable" ; rdfs:subClassOf d3f:CWE-1329 ; d3f:cwe-id "CWE-1277" ; d3f:definition "The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present." . d3f:CWE-1278 a owl:Class ; rdfs:label "Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-1278" ; d3f:definition "Information stored in hardware may be recovered by an attacker with the capability to capture and analyze images of the integrated circuit using techniques such as scanning electron microscopy." . d3f:CWE-1279 a owl:Class ; rdfs:label "Cryptographic Operations are run Before Supporting Units are Ready" ; rdfs:subClassOf d3f:CWE-665, d3f:CWE-696 ; d3f:cwe-id "CWE-1279" ; d3f:definition "Performing cryptographic operations without ensuring that the supporting inputs are ready to supply valid data may compromise the cryptographic result." . d3f:CWE-1280 a owl:Class ; rdfs:label "Access Control Check Implemented After Asset is Accessed" ; rdfs:subClassOf d3f:CWE-284, d3f:CWE-696 ; d3f:cwe-id "CWE-1280" ; d3f:definition "A product's hardware-based access control check occurs after the asset has been accessed." . d3f:CWE-1281 a owl:Class ; rdfs:label "Sequence of Processor Instructions Leads to Unexpected Behavior" ; rdfs:subClassOf d3f:CWE-691 ; d3f:cwe-id "CWE-1281" ; d3f:definition "Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed." . d3f:CWE-1282 a owl:Class ; rdfs:label "Assumed-Immutable Data is Stored in Writable Memory" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-1282" ; d3f:definition "Immutable data, such as a first-stage bootloader, device identifiers, and \"write-once\" configuration settings are stored in writable memory that can be re-programmed or updated in the field." . d3f:CWE-1283 a owl:Class ; rdfs:label "Mutable Attestation or Measurement Reporting Data" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1283" ; d3f:definition "The register contents used for attestation or measurement reporting data to verify boot flow are modifiable by an adversary." . d3f:CWE-1284 a owl:Class ; rdfs:label "Improper Validation of Specified Quantity in Input" ; rdfs:subClassOf d3f:CWE-20 ; d3f:cwe-id "CWE-1284" ; d3f:definition "The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties." . d3f:CWE-1285 a owl:Class ; rdfs:label "Improper Validation of Specified Index, Position, or Offset in Input" ; rdfs:subClassOf d3f:CWE-20 ; d3f:cwe-id "CWE-1285" ; d3f:definition "The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties." . d3f:CWE-1286 a owl:Class ; rdfs:label "Improper Validation of Syntactic Correctness of Input" ; rdfs:subClassOf d3f:CWE-20 ; d3f:cwe-id "CWE-1286" ; d3f:definition "The product receives input that is expected to be well-formed - i.e., to comply with a certain syntax - but it does not validate or incorrectly validates that the input complies with the syntax." . d3f:CWE-1287 a owl:Class ; rdfs:label "Improper Validation of Specified Type of Input" ; rdfs:subClassOf d3f:CWE-20 ; d3f:cwe-id "CWE-1287" ; d3f:definition "The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type." . d3f:CWE-1288 a owl:Class ; rdfs:label "Improper Validation of Consistency within Input" ; rdfs:subClassOf d3f:CWE-20 ; d3f:cwe-id "CWE-1288" ; d3f:definition "The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent." . d3f:CWE-1289 a owl:Class ; rdfs:label "Improper Validation of Unsafe Equivalence in Input" ; rdfs:subClassOf d3f:CWE-20 ; d3f:cwe-id "CWE-1289" ; d3f:definition "The product receives an input value that is used as a resource identifier or other type of reference, but it does not validate or incorrectly validates that the input is equivalent to a potentially-unsafe value." . d3f:CWE-1290 a owl:Class ; rdfs:label "Incorrect Decoding of Security Identifiers" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1290" ; d3f:definition "The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers. If the decoding is implemented incorrectly, then untrusted agents can now gain unauthorized access to the asset." . d3f:CWE-1291 a owl:Class ; rdfs:label "Public Key Re-Use for Signing both Debug and Production Code" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-1291" ; d3f:definition "The same public key is used for signing both debug and production code." . d3f:CWE-1292 a owl:Class ; rdfs:label "Incorrect Conversion of Security Identifiers" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1292" ; d3f:definition "The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers. However, if the conversion is incorrectly implemented, untrusted agents can gain unauthorized access to the asset." . d3f:CWE-1293 a owl:Class ; rdfs:label "Missing Source Correlation of Multiple Independent Data" ; rdfs:subClassOf d3f:CWE-345 ; d3f:cwe-id "CWE-1293" ; d3f:definition "The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source." . d3f:CWE-1294 a owl:Class ; rdfs:label "Insecure Security Identifier Mechanism" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1294" ; d3f:definition "The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Identifiers are not correctly implemented." . d3f:CWE-1295 a owl:Class ; rdfs:label "Debug Messages Revealing Unnecessary Information" ; rdfs:subClassOf d3f:CWE-200 ; d3f:cwe-id "CWE-1295" ; d3f:definition "The product fails to adequately prevent the revealing of unnecessary and potentially sensitive system information within debugging messages." . d3f:CWE-1296 a owl:Class ; rdfs:label "Incorrect Chaining or Granularity of Debug Components" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1296" ; d3f:definition "The product's debug components contain incorrect chaining or granularity of debug components." . d3f:CWE-1297 a owl:Class ; rdfs:label "Unprotected Confidential Information on Device is Accessible by OSAT Vendors" ; rdfs:subClassOf d3f:CWE-285 ; d3f:cwe-id "CWE-1297" ; d3f:definition "The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors." . d3f:CWE-1298 a owl:Class ; rdfs:label "Hardware Logic Contains Race Conditions" ; rdfs:subClassOf d3f:CWE-362 ; d3f:cwe-id "CWE-1298" ; d3f:definition "A race condition in the hardware logic results in undermining security guarantees of the system." . d3f:CWE-1299 a owl:Class ; rdfs:label "Missing Protection Mechanism for Alternate Hardware Interface" ; rdfs:subClassOf d3f:CWE-288, d3f:CWE-420 ; d3f:cwe-id "CWE-1299" ; d3f:definition "The lack of protections on alternate paths to access control-protected assets (such as unprotected shadow registers and other external facing unguarded interfaces) allows an attacker to bypass existing protections to the asset that are only performed against the primary path." . d3f:CWE-1300 a owl:Class ; rdfs:label "Improper Protection of Physical Side Channels" ; rdfs:subClassOf d3f:CWE-203 ; d3f:cwe-id "CWE-1300" ; d3f:definition "The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions." . d3f:CWE-1301 a owl:Class ; rdfs:label "Insufficient or Incomplete Data Removal within Hardware Component" ; rdfs:subClassOf d3f:CWE-226 ; d3f:cwe-id "CWE-1301" ; d3f:definition "The product's data removal process does not completely delete all data and potentially sensitive information within hardware components." . d3f:CWE-1302 a owl:Class ; rdfs:label "Missing Security Identifier", "Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)" ; rdfs:subClassOf d3f:CWE-1294 ; d3f:cwe-id "CWE-1302" ; d3f:definition "The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier." . d3f:CWE-1303 a owl:Class ; rdfs:label "Non-Transparent Sharing of Microarchitectural Resources" ; rdfs:subClassOf d3f:CWE-203, d3f:CWE-1189 ; d3f:cwe-id "CWE-1303" ; d3f:definition "Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts." . d3f:CWE-1304 a owl:Class ; rdfs:label "Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1304" ; d3f:definition "The product performs a power save/restore operation, but it does not ensure that the integrity of the configuration state is maintained and/or verified between the beginning and ending of the operation." . d3f:CWE-1310 a owl:Class ; rdfs:label "Missing Ability to Patch ROM Code" ; rdfs:subClassOf d3f:CWE-1329 ; d3f:cwe-id "CWE-1310" ; d3f:definition "Missing an ability to patch ROM code may leave a System or System-on-Chip (SoC) in a vulnerable state." . d3f:CWE-1311 a owl:Class ; rdfs:label "Improper Translation of Security Attributes by Fabric Bridge" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1311" ; d3f:definition "The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another." . d3f:CWE-1312 a owl:Class ; rdfs:label "Missing Protection for Mirrored Regions in On-Chip Fabric Firewall" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1312" ; d3f:definition "The firewall in an on-chip fabric protects the main addressed region, but it does not protect any mirrored memory or memory-mapped-IO (MMIO) regions." . d3f:CWE-1313 a owl:Class ; rdfs:label "Hardware Allows Activation of Test or Debug Logic at Runtime" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1313" ; d3f:definition "During runtime, the hardware allows for test or debug logic (feature) to be activated, which allows for changing the state of the hardware. This feature can alter the intended behavior of the system and allow for alteration and leakage of sensitive data by an adversary." . d3f:CWE-1314 a owl:Class ; rdfs:label "Missing Write Protection for Parametric Data Values" ; rdfs:subClassOf d3f:CWE-862 ; d3f:cwe-id "CWE-1314" ; d3f:definition "The device does not write-protect the parametric data values for sensors that scale the sensor value, allowing untrusted software to manipulate the apparent result and potentially damage hardware or cause operational failure." . d3f:CWE-1315 a owl:Class ; rdfs:label "Improper Setting of Bus Controlling Capability in Fabric End-point" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1315" ; d3f:definition "The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric." . d3f:CWE-1316 a owl:Class ; rdfs:label "Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1316" ; d3f:definition "The address map of the on-chip fabric has protected and unprotected regions overlapping, allowing an attacker to bypass access control to the overlapping portion of the protected region." . d3f:CWE-1317 a owl:Class ; rdfs:label "Improper Access Control in Fabric Bridge" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1317" ; d3f:definition "The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP blocks." . d3f:CWE-1318 a owl:Class ; rdfs:label "Missing Support for Security Features in On-chip Fabrics or Buses" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-1318" ; d3f:definition "On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control." . d3f:CWE-1319 a owl:Class ; rdfs:label "Improper Protection against Electromagnetic Fault Injection (EM-FI)" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-1319" ; d3f:definition "The device is susceptible to electromagnetic fault injection attacks, causing device internal information to be compromised or security mechanisms to be bypassed." . d3f:CWE-1320 a owl:Class ; rdfs:label "Improper Protection for Outbound Error Messages and Alert Signals" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1320" ; d3f:definition "Untrusted agents can disable alerts about signal conditions exceeding limits or the response mechanism that handles such alerts." . d3f:CWE-1321 a owl:Class ; rdfs:label "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')" ; rdfs:subClassOf d3f:CWE-915 ; d3f:cwe-id "CWE-1321" ; d3f:definition "The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype." . d3f:CWE-1322 a owl:Class ; rdfs:label "Use of Blocking Code in Single-threaded, Non-blocking Context" ; rdfs:subClassOf d3f:CWE-834 ; d3f:cwe-id "CWE-1322" ; d3f:definition "The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invoked." . d3f:CWE-1323 a owl:Class ; rdfs:label "Improper Management of Sensitive Trace Data" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1323" ; d3f:definition "Trace data collected from several sources on the System-on-Chip (SoC) is stored in unprotected locations or transported to untrusted agents." . d3f:CWE-1325 a owl:Class ; rdfs:label "Improperly Controlled Sequential Memory Allocation" ; rdfs:subClassOf d3f:CWE-770 ; d3f:cwe-id "CWE-1325" ; d3f:definition "The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memory that is consumed by all of the combined objects." ; d3f:synonym "Stack Exhaustion" . d3f:CWE-1326 a owl:Class ; rdfs:label "Missing Immutable Root of Trust in Hardware" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-1326" ; d3f:definition "A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code." . d3f:CWE-1327 a owl:Class ; rdfs:label "Binding to an Unrestricted IP Address" ; rdfs:subClassOf d3f:CWE-668 ; d3f:cwe-id "CWE-1327" ; d3f:definition "The product assigns the address 0.0.0.0 for a database server, a cloud service/instance, or any computing resource that communicates remotely." . d3f:CWE-1328 a owl:Class ; rdfs:label "Security Version Number Mutable to Older Versions" ; rdfs:subClassOf d3f:CWE-285 ; d3f:cwe-id "CWE-1328" ; d3f:definition "Security-version number in hardware is mutable, resulting in the ability to downgrade (roll-back) the boot firmware to vulnerable code versions." . d3f:CWE-1329 a owl:Class ; rdfs:label "Reliance on Component That is Not Updateable" ; rdfs:subClassOf d3f:CWE-664, d3f:CWE-1357 ; d3f:cwe-id "CWE-1329" ; d3f:definition "The product contains a component that cannot be updated or patched in order to remove vulnerabilities or significant bugs." . d3f:CWE-1330 a owl:Class ; rdfs:label "Remanent Data Readable after Memory Erase" ; rdfs:subClassOf d3f:CWE-1301 ; d3f:cwe-id "CWE-1330" ; d3f:definition "Confidential information stored in memory circuits is readable or recoverable after being cleared or erased." . d3f:CWE-1331 a owl:Class ; rdfs:label "Improper Isolation of Shared Resources in Network On Chip (NoC)" ; rdfs:subClassOf d3f:CWE-653, d3f:CWE-668 ; d3f:cwe-id "CWE-1331" ; d3f:definition "The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels." . d3f:CWE-1332 a owl:Class ; rdfs:label "Improper Handling of Faults that Lead to Instruction Skips" ; rdfs:subClassOf d3f:CWE-1384 ; d3f:cwe-id "CWE-1332" ; d3f:definition "The device is missing or incorrectly implements circuitry or sensors that detect and mitigate the skipping of security-critical CPU instructions when they occur." . d3f:CWE-1333 a owl:Class ; rdfs:label "Inefficient Regular Expression Complexity" ; rdfs:subClassOf d3f:CWE-407 ; d3f:cwe-id "CWE-1333" ; d3f:definition "The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles." ; d3f:synonym "Catastrophic backtracking", "ReDoS", "Regular Expression Denial of Service" . d3f:CWE-1334 a owl:Class ; rdfs:label "Unauthorized Error Injection Can Degrade Hardware Redundancy" ; rdfs:subClassOf d3f:CWE-284 ; d3f:cwe-id "CWE-1334" ; d3f:definition "An unauthorized agent can inject errors into a redundant block to deprive the system of redundancy or put the system in a degraded operating mode." . d3f:CWE-1335 a owl:Class ; rdfs:label "Incorrect Bitwise Shift of Integer" ; rdfs:subClassOf d3f:CWE-682 ; d3f:cwe-id "CWE-1335" ; d3f:definition "An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result." . d3f:CWE-1336 a owl:Class ; rdfs:label "Improper Neutralization of Special Elements Used in a Template Engine" ; rdfs:subClassOf d3f:CWE-94 ; d3f:cwe-id "CWE-1336" ; d3f:definition "The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine." ; d3f:synonym "Client-Side Template Injection / CSTI", "Server-Side Template Injection / SSTI" . d3f:CWE-1338 a owl:Class ; rdfs:label "Improper Protections Against Hardware Overheating" ; rdfs:subClassOf d3f:CWE-693 ; d3f:cwe-id "CWE-1338" ; d3f:definition "A hardware device is missing or has inadequate protection features to prevent overheating." . d3f:CWE-1339 a owl:Class ; rdfs:label "Insufficient Precision or Accuracy of a Real Number" ; rdfs:subClassOf d3f:CWE-682 ; d3f:cwe-id "CWE-1339" ; d3f:definition "The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result." . d3f:CWE-1341 a owl:Class ; rdfs:label "Multiple Releases of Same Resource or Handle" ; rdfs:subClassOf d3f:CWE-675 ; d3f:cwe-id "CWE-1341" ; d3f:definition "The product attempts to close or release a resource or handle more than once, without any successful open between the close operations." . d3f:CWE-1342 a owl:Class ; rdfs:label "Information Exposure through Microarchitectural State after Transient Execution" ; rdfs:subClassOf d3f:CWE-226 ; d3f:cwe-id "CWE-1342" ; d3f:definition "The processor does not properly clear microarchitectural state after incorrect microcode assists or speculative execution, resulting in transient execution." . d3f:CWE-1351 a owl:Class ; rdfs:label "Improper Handling of Hardware Behavior in Exceptionally Cold Environments" ; rdfs:subClassOf d3f:CWE-1384 ; d3f:cwe-id "CWE-1351" ; d3f:definition "A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below standard operating temperatures." . d3f:CWE-1357 a owl:Class ; rdfs:label "Reliance on Insufficiently Trustworthy Component" ; rdfs:subClassOf d3f:CWE-710 ; d3f:cwe-id "CWE-1357" ; d3f:definition "The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability." . d3f:CWE-1384 a owl:Class ; rdfs:label "Improper Handling of Physical or Environmental Conditions" ; rdfs:subClassOf d3f:CWE-703 ; d3f:cwe-id "CWE-1384" ; d3f:definition "The product does not properly handle unexpected physical or environmental conditions that occur naturally or are artificially induced." . d3f:CWE-1385 a owl:Class ; rdfs:label "Missing Origin Validation in WebSockets" ; rdfs:subClassOf d3f:CWE-346 ; d3f:cwe-id "CWE-1385" ; d3f:definition "The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid." ; d3f:synonym "Cross-Site WebSocket hijacking (CSWSH)" . d3f:CWE-1386 a owl:Class ; rdfs:label "Insecure Operation on Windows Junction / Mount Point" ; rdfs:subClassOf d3f:CWE-59 ; d3f:cwe-id "CWE-1386" ; d3f:definition "The product opens a file or directory, but it does not properly prevent the name from being associated with a junction or mount point to a destination that is outside of the intended control sphere." . d3f:CWE-1389 a owl:Class ; rdfs:label "Incorrect Parsing of Numbers with Different Radices" ; rdfs:subClassOf d3f:CWE-704 ; d3f:cwe-id "CWE-1389" ; d3f:definition "The product parses numeric input assuming base 10 (decimal) values, but it does not account for inputs that use a different base number (radix)." . d3f:CWE-1390 a owl:Class ; rdfs:label "Weak Authentication" ; rdfs:subClassOf d3f:CWE-287 ; d3f:cwe-id "CWE-1390" ; d3f:definition "The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct." . d3f:CWE-1391 a owl:Class ; rdfs:label "Use of Weak Credentials" ; rdfs:subClassOf d3f:CWE-1390 ; d3f:cwe-id "CWE-1391" ; d3f:definition "The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker." . d3f:CWE-1392 a owl:Class ; rdfs:label "Use of Default Credentials" ; rdfs:subClassOf d3f:CWE-1391 ; d3f:cwe-id "CWE-1392" ; d3f:definition "The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality." . d3f:CWE-1393 a owl:Class, owl:NamedIndividual ; rdfs:label "Use of Default Password" ; rdfs:subClassOf d3f:CWE-1392, [ a owl:Restriction ; owl:onProperty d3f:weakness-of ; owl:someValuesFrom d3f:UserAccount ] ; d3f:cwe-id "CWE-1393" ; d3f:definition "The product uses default passwords for potentially critical functionality." ; d3f:weakness-of d3f:UserAccount . d3f:CWE-1394 a owl:Class ; rdfs:label "Use of Default Cryptographic Key" ; rdfs:subClassOf d3f:CWE-1392 ; d3f:cwe-id "CWE-1394" ; d3f:definition "The product uses a default cryptographic key for potentially critical functionality." . d3f:CWE-1395 a owl:Class ; rdfs:label "Dependency on Vulnerable Third-Party Component" ; rdfs:subClassOf d3f:CWE-657 ; d3f:cwe-id "CWE-1395" ; d3f:definition "The product has a dependency on a third-party component that contains one or more known vulnerabilities." . d3f:CWE-1419 a owl:Class ; rdfs:label "Incorrect Initialization of Resource" ; rdfs:subClassOf d3f:CWE-665 ; d3f:cwe-id "CWE-1419" ; d3f:definition "The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed." . d3f:CWE-1420 a owl:Class ; rdfs:label "Exposure of Sensitive Information during Transient Execution" ; rdfs:subClassOf d3f:CWE-669 ; d3f:cwe-id "CWE-1420" ; d3f:definition "A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel." . d3f:CWE-1421 a owl:Class ; rdfs:label "Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution" ; rdfs:subClassOf d3f:CWE-1420 ; d3f:cwe-id "CWE-1421" ; d3f:definition "A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel." . d3f:CWE-1422 a owl:Class ; rdfs:label "Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution" ; rdfs:subClassOf d3f:CWE-1420 ; d3f:cwe-id "CWE-1422" ; d3f:definition "A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel." . d3f:CWE-1423 a owl:Class ; rdfs:label "Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution" ; rdfs:subClassOf d3f:CWE-1420 ; d3f:cwe-id "CWE-1423" ; d3f:definition "Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert channel." . d3f:CWE-1426 a owl:Class ; rdfs:label "Improper Validation of Generative AI Output" ; rdfs:subClassOf d3f:CWE-707 ; d3f:cwe-id "CWE-1426" ; d3f:definition "The product invokes a generative AI/ML component whose behaviors and outputs cannot be directly controlled, but the product does not validate or insufficiently validates the outputs to ensure that they align with the intended security, content, or privacy policy." . d3f:CWE-1427 a owl:Class ; rdfs:label "Improper Neutralization of Input Used for LLM Prompting" ; rdfs:subClassOf d3f:CWE-77 ; d3f:cwe-id "CWE-1427" ; d3f:definition "The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives." ; d3f:synonym "prompt injection" . d3f:CWE-1428 a owl:Class ; rdfs:label "Reliance on HTTP instead of HTTPS" ; rdfs:subClassOf d3f:CWE-319 ; d3f:cwe-id "CWE-1428" ; d3f:definition "The product provides or relies on use of HTTP communications when HTTPS is available." . d3f:CWE-1429 a owl:Class ; rdfs:label "Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface" ; rdfs:subClassOf d3f:CWE-223 ; d3f:cwe-id "CWE-1429" ; d3f:definition "The product has a hardware interface that silently discards operations in situations for which feedback would be security-relevant, such as the timely detection of failures or attacks." . d3f:CWE-1431 a owl:Class ; rdfs:label "Driving Intermediate Cryptographic State/Results to Hardware Module Outputs" ; rdfs:subClassOf d3f:CWE-200 ; d3f:cwe-id "CWE-1431" ; d3f:definition "The product uses a hardware module implementing a cryptographic algorithm that writes sensitive information about the intermediate state or results of its cryptographic operations via one of its output wires (typically the output port containing the final result)." . d3f:CyberAction a owl:Class ; rdfs:label "Cyber Action" ; rdfs:subClassOf d3f:Action . d3f:CyberSensor a owl:Class ; rdfs:label "Cyber Sensor" ; rdfs:subClassOf d3f:Sensor ; d3f:definition "A cyber sensor collects and monitors data related to cyber activities, events, or environments." . d3f:CyberTechnique a owl:Class ; rdfs:label "Cyber Technique" ; rdfs:subClassOf d3f:Technique, [ a owl:Restriction ; owl:onProperty d3f:implemented-by ; owl:someValuesFrom d3f:Procedure ] . d3f:CycleGAN a owl:Class, owl:NamedIndividual ; rdfs:label "CycleGAN" ; rdfs:subClassOf d3f:Image-to-ImageTranslationGAN ; d3f:d3fend-id "D3A-CYC" ; d3f:definition "The Cycle Generative Adversarial Network (CycleGAN) is an approach to training a deep convolutional neural network for image-to-image translation tasks by mapping between input and output images using unpaired dataset." ; d3f:kb-article """## References Esri. (n.d.). How CycleGAN Works. [Link](https://developers.arcgis.com/python/guide/how-cyclegan-works/)""" . d3f:D3FENDCore a owl:Class, owl:NamedIndividual ; rdfs:label "D3FEND Core" . d3f:D3FENDKBThing a owl:Class ; rdfs:label "D3FEND KB Thing" . d3f:DataAcquisitionAgent a owl:Class, owl:NamedIndividual ; rdfs:label "Data Acquisition Agent" ; rdfs:subClassOf d3f:Application ; d3f:definition "A software component which connects to data sources to gather raw, time-stamped data. It often connects to databases or historian gateways for storage and analysis." ; d3f:synonym "Data Gateway; Historian Collector" ; rdfs:seeAlso . d3f:DataAcquisitionUnit a owl:Class, owl:NamedIndividual ; rdfs:label "Data Acquisition Unit" ; rdfs:subClassOf d3f:HardwareDevice, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:DataAcquisitionAgent ] ; d3f:definition "The hardware component which connects to data sources to gather raw, time-stamped data. It often connects to databases or historian gateways for storage and analysis." ; d3f:may-contain d3f:DataAcquisitionAgent ; rdfs:seeAlso . d3f:DataArtifactServer a owl:Class ; rdfs:label "Data Artifact Server" ; rdfs:subClassOf d3f:ArtifactServer ; d3f:definition "A data artifact server provides access services to content in a content repository. The content repository or content store is a database of digital content with an associated set of data management, search and access methods allowing application-independent access to the content, rather like a digital library, but with the ability to store and modify content in addition to searching and retrieving. The content repository acts as the storage engine for a larger application such as a content management system or a document management system, which adds a user interface on top of the repository's application programming interface." ; rdfs:seeAlso . d3f:Database a owl:Class, owl:NamedIndividual ; rdfs:label "Database" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:DatabaseRecord ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:StoredProcedure ] ; rdfs:isDefinedBy ; d3f:contains d3f:DatabaseRecord ; d3f:definition "A database is an organized collection of data, generally stored and accessed electronically from a computer system. Where databases are more complex they are often developed using formal design and modeling techniques." ; d3f:may-contain d3f:StoredProcedure ; rdfs:seeAlso . d3f:DatabaseApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Database Application" ; rdfs:subClassOf d3f:Application ; rdfs:isDefinedBy ; d3f:definition "A database application is a computer program whose primary purpose is retrieving information from a computerized database." ; d3f:synonym "Database Management System (DBMS)" . d3f:DatabaseFile a owl:Class, owl:NamedIndividual ; rdfs:label "Database File" ; rdfs:subClassOf d3f:File, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Database ] ; d3f:contains d3f:Database ; d3f:definition "A file that stores data and metadata in an organized format, managed by a database management system." . d3f:DatabaseQuery a owl:Class, owl:NamedIndividual ; rdfs:label "Database Query" ; rdfs:subClassOf d3f:Command, [ a owl:Restriction ; owl:onProperty d3f:queries ; owl:someValuesFrom d3f:Database ] ; d3f:definition "A specific query expressed in SQL, SPARQL, or similar language against a database." ; d3f:queries d3f:Database . d3f:DatabaseQueryStringAnalysis a d3f:DatabaseQueryStringAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Database Query String Analysis" ; rdfs:subClassOf d3f:ProcessAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:DatabaseQuery ] ; d3f:analyzes d3f:DatabaseQuery ; d3f:d3fend-id "D3-DQSA" ; d3f:definition "Analyzing database queries to detect [SQL Injection](https://capec.mitre.org/data/definitions/66.html)." ; d3f:kb-article """## How it works Some implementations use software hooks to intercept function calls related to database query operations. Other implementations might intercept or collect network traffic. The database query string is then extracted and analyzed with various methods, for example: * Detecting specific administrative SQL commands * Anomalous sequences of commands when compared to a statistical baseline. * Anomalous commands for a given user role. ## Considerations Some capabilities sanitize queries before permitting them to be transmitted to the database. This incurs risks such altering data in an undesired way or breaking application functionality.""" ; d3f:kb-reference d3f:Reference-SystemAndMethodForInternetSecurity_CylanceInc . d3f:DatabaseRecord a owl:Class, owl:NamedIndividual ; rdfs:label "Database Record" ; rdfs:subClassOf d3f:Record ; d3f:definition "A single, implicitly structured data item in a table in a database." ; rdfs:seeAlso "https://dbpedia.org/page/Row_(database)" . d3f:DatabaseServer a owl:Class, owl:NamedIndividual ; rdfs:label "Database Server" ; skos:altLabel "Network Database Resource" ; rdfs:subClassOf d3f:Server, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:DatabaseApplication ] ; rdfs:isDefinedBy ; d3f:contains d3f:DatabaseApplication ; d3f:definition "A database server is a server which uses a database application that provides database services to other computer programs or to computers, as defined by the client-server model. Database management systems (DBMSs) frequently provide database-server functionality, and some database management systems (such as MySQL) rely exclusively on the client-server model for database access (while others e.g. SQLite are meant for using as an embedded database). For clarification, a database server is simply a server that maintains services related to clients via database applications." . d3f:DatabaseService a owl:Class, owl:NamedIndividual ; rdfs:label "Database Service" ; rdfs:subClassOf d3f:ServiceApplicationProcess, [ a owl:Restriction ; owl:onProperty d3f:executes ; owl:someValuesFrom d3f:DatabaseQuery ], [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:Database ] ; d3f:definition "A database service interacts with a database, either retrieving data through queries or making modifications to its contents." ; d3f:executes d3f:DatabaseQuery ; d3f:manages d3f:Database . d3f:DatabaseServiceApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Database Service Application" ; rdfs:subClassOf d3f:DatabaseApplication, d3f:ServiceApplication, [ a owl:Restriction ; owl:onProperty d3f:instructs ; owl:someValuesFrom d3f:DatabaseService ] ; d3f:definition "A software application that interacts with a database management system (DBMS) hosted as a separate, standalone service or server." ; d3f:instructs d3f:DatabaseService . d3f:DataDependency a owl:Class, owl:NamedIndividual ; rdfs:label "Data Dependency" ; rdfs:subClassOf d3f:Dependency ; d3f:definition "A Data Dependency exists when a process, operation, or system requires specific data in order to execute correctly." ; d3f:synonym "Transactional Dependency" . d3f:DataExchangeMapping a d3f:DataExchangeMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Data Exchange Mapping" ; rdfs:subClassOf d3f:SystemMapping, [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:DataDependency ] ; d3f:d3fend-id "D3-DEM" ; d3f:definition "Data exchange mapping identifies and models the organization's intended design for the flows of the data types, formats, and volumes between systems at the application layer." ; d3f:kb-reference d3f:Reference-CatiaUAFPlugin, d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources, d3f:Reference-UnifiedArchitectureFrameworkUAF ; d3f:maps d3f:DataDependency ; d3f:synonym "Data Flow Mapping", "Information Exchange Mapping" . d3f:DataInventory a d3f:DataInventory, owl:Class, owl:NamedIndividual ; rdfs:label "Data Inventory" ; rdfs:subClassOf d3f:AssetInventory, [ a owl:Restriction ; owl:onProperty d3f:inventories ; owl:someValuesFrom d3f:Database ], [ a owl:Restriction ; owl:onProperty d3f:inventories ; owl:someValuesFrom d3f:DocumentFile ] ; d3f:d3fend-id "D3-DI" ; d3f:definition "Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture." ; d3f:inventories d3f:Database, d3f:DocumentFile ; d3f:kb-reference d3f:Reference-DataProcessingAndScanningSystemsForGeneratingAndPopulatingADataInventory ; d3f:synonym "Data Discovery", "Data Inventorying" . d3f:DataLinkLink a owl:Class ; rdfs:label "Data Link Link" ; rdfs:subClassOf d3f:LogicalLink ; d3f:definition "A communication link between two network devices connected directly at the physical layer and on the same network segment; i.e., an OSI Layer 2 link." ; d3f:synonym "Data Link Layer Link", "Layer-2 Link", "Link Layer Link" ; rdfs:seeAlso . d3f:Datalog a owl:Class, owl:NamedIndividual ; rdfs:label "Datalog" ; rdfs:subClassOf d3f:LogicProgramming ; d3f:d3fend-id "D3A-DAT" ; d3f:definition "Datalog is a declarative logic programming language that is a syntactically a subset of Prolog." ; d3f:kb-article """## How it works Datalog generally uses a bottom-up rather than top-down evaluation model. This difference yields significantly different behavior and properties from Prolog. It is often used as a query language for deductive databases. Datalog has been applied to problems in data integration, networking, program analysis, and more. ## References 1. Datalog. (2023, April 20). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Datalog)""" . d3f:DBSCAN a owl:Class, owl:NamedIndividual ; rdfs:label "DBSCAN" ; rdfs:subClassOf d3f:Density-basedClustering ; d3f:d3fend-id "D3A-DBS" ; d3f:definition "A density-based clustering algorithm that works on the assumption that clusters are dense regions in space separated by regions of lower density." ; d3f:kb-article """## References Analytics Vidhya. (2020, September 15). How DBSCAN Clustering Works: A Comprehensive Guide with Implementations in Python. [Link](https://www.analyticsvidhya.com/blog/2020/09/how-dbscan-clustering-works/#:~:text=DBSCAN%20is%20a%20density%2Dbased,points%20into%20a%20single%20cluster.)""" . d3f:DE-0001 a owl:Class ; rdfs:label "Disable Fault Management - SPARTA" ; skos:prefLabel "Disable Fault Management" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; d3f:attack-id "DE-0001" ; d3f:definition "The adversary suppresses or alters fault detection, isolation, and recovery (FDIR) so unauthorized actions proceed without triggering safing or alerts. Targets include watchdogs and heartbeat monitors; limit and sanity checks on sensor/command values; command interlocks and inhibit masks; voting and redundancy-management logic; and event/alert generation and routing. Techniques range from patching or bypassing checks in flight code, to rewriting parameter/limit tables, to muting publishers that report faults. More subtle variants desensitize thresholds, freeze counters, or delay responses just long enough for a malicious sequence to complete. With FDIR dulled or offline, anomalous states resemble nominal behavior and automated mitigations do not engage, masking the attack from ground oversight." ; rdfs:seeAlso . d3f:DE-0002 a owl:Class, owl:NamedIndividual ; rdfs:label "Disrupt or Deceive Downlink - SPARTA" ; skos:prefLabel "Disrupt or Deceive Downlink" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique, [ a owl:Restriction ; owl:onProperty d3f:impairs ; owl:someValuesFrom d3f:WirelessLink ] ; d3f:attack-id "DE-0002" ; d3f:definition "Threat actors may target ground-side telemetry reception, processing, or display to disrupt the operator’s visibility into spacecraft health and activity. This may involve denial-based attacks that prevent the spacecraft from transmitting telemetry to the ground (e.g., disabling telemetry links or crashing telemetry software), or more subtle deception-based attacks that manipulate telemetry content to conceal unauthorized actions. Since telemetry is the primary method ground controllers rely on to monitor spacecraft status, any disruption or manipulation can delay or prevent detection of malicious activity, suppress automated or manual mitigations, or degrade trust in telemetry-based decision support systems." ; d3f:impairs d3f:WirelessLink ; rdfs:seeAlso . d3f:DE-0002.01 a owl:Class ; rdfs:label "Inhibit Ground System Functionality - SPARTA" ; skos:prefLabel "Inhibit Ground System Functionality" ; rdfs:subClassOf d3f:DE-0002 ; d3f:attack-id "DE-0002.01" ; d3f:definition "Threat actors may utilize access to the ground system to inhibit its ability to accurately process, render, or interpret spacecraft telemetry, effectively leaving ground controllers unaware of the spacecraft’s true state or activity. This may involve traditional denial-based techniques, such as disabling telemetry software, corrupting processing pipelines, or crashing display interfaces. In addition, more subtle deception-based techniques may be used to falsify telemetry data within the ground system , such as modifying command counters, acknowledgments, housekeeping data, or sensor outputs , to provide the appearance of nominal operation. These actions can suppress alerts, mask unauthorized activity, or prevent both automated and manual mitigations from being initiated based on misleading ground-side information. Because telemetry is the primary method by which ground controllers monitor the health, behavior, and safety of the spacecraft, any disruption or falsification of this data directly undermines situational awareness and operational control." ; rdfs:seeAlso . d3f:DE-0002.02 a owl:Class ; rdfs:label "Jam Link Signal - SPARTA" ; skos:prefLabel "Jam Link Signal" ; rdfs:subClassOf d3f:DE-0002 ; d3f:attack-id "DE-0002.02" ; d3f:definition "Threat actors may overwhelm/jam the downlink signal to prevent transmitted telemetry signals from reaching their destination without severe modification/interference, effectively leaving ground controllers unaware of vehicle activity during this time. Telemetry is the only method in which ground controllers can monitor the health and stability of the spacecraft while in orbit. By disabling this downlink, threat actors may be able to stop mitigations from taking place." ; rdfs:seeAlso . d3f:DE-0002.03 a owl:Class ; rdfs:label "Inhibit Spacecraft Functionality - SPARTA" ; skos:prefLabel "Inhibit Spacecraft Functionality" ; rdfs:subClassOf d3f:DE-0002 ; d3f:attack-id "DE-0002.03" ; d3f:definition "In this variant, telemetry is suppressed at the source by manipulating on-board generation or transmission. Methods include disabling or pausing telemetry publishers, altering packet filters and rates, muting event/report channels, reconfiguring recorder playback, retuning/muting transmitters, or switching to modes that emit only minimal beacons. The spacecraft continues operating, but the downlink no longer reflects true activity or arrives too sparsely to support monitoring. By constraining what is produced or transmitted, the adversary reduces opportunities for detection while other actions proceed." ; rdfs:seeAlso . d3f:DE-0003 a owl:Class ; rdfs:label "On-Board Values Obfuscation - SPARTA" ; skos:prefLabel "On-Board Values Obfuscation" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; d3f:attack-id "DE-0003" ; d3f:definition "The adversary manipulates housekeeping and control values that operators and autonomy rely on to judge activity, health, and command hygiene. Targets include command/telemetry counters, event/severity flags, downlink/reporting modes, cryptographic-mode indicators, and the system clock. By rewriting, freezing, or biasing these fields, and by selecting reduced or summary telemetry modes, unauthorized actions can proceed while the downlinked picture appears routine or incomplete. The result is delayed recognition, misattribution to environmental effects, or logs that cannot be reconciled post-facto." ; rdfs:seeAlso . d3f:DE-0003.01 a owl:Class, owl:NamedIndividual ; rdfs:label "Vehicle Command Counter (VCC) - SPARTA" ; skos:prefLabel "Vehicle Command Counter (VCC)" ; rdfs:subClassOf d3f:DE-0003, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:SystemPlatformVariable ] ; d3f:attack-id "DE-0003.01" ; d3f:definition "The VCC tracks how many commands the spacecraft has accepted. An adversary masks activity by zeroing, freezing, or selectively decrementing the VCC, or by steering actions through paths that do not increment it (maintenance dictionaries, alternate receivers, hidden handlers). They may also overwrite the telemetry field that reports the VCC so ground displays show a lower or steady count while high volumes of commands are processed. This breaks simple “command volume” heuristics and makes bursty activity look normal." ; d3f:modifies d3f:SystemPlatformVariable ; rdfs:seeAlso . d3f:DE-0003.02 a owl:Class, owl:NamedIndividual ; rdfs:label "Rejected Command Counter - SPARTA" ; skos:prefLabel "Rejected Command Counter" ; rdfs:subClassOf d3f:DE-0003, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:SystemPlatformVariable ] ; d3f:attack-id "DE-0003.02" ; d3f:definition "This counter records commands that failed checks or were refused. To hide probing and trial-and-error, the adversary suppresses increments, periodically clears the value, or forges the downlinked field so rejection rates appear benign. Variants also tamper with associated reason codes or event entries, replacing them with innocuous outcomes. Analysts reviewing telemetry see no evidence of failed attempts even as the system is being exercised aggressively." ; d3f:modifies d3f:SystemPlatformVariable ; rdfs:seeAlso . d3f:DE-0003.03 a owl:Class, owl:NamedIndividual ; rdfs:label "Command Receiver On/Off Mode - SPARTA" ; skos:prefLabel "Command Receiver On/Off Mode" ; rdfs:subClassOf d3f:DE-0003, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OperatingMode ] ; d3f:attack-id "DE-0003.03" ; d3f:definition "By toggling receiver enable states (per-receiver, per-antenna, or per-band), the adversary creates deliberate “quiet windows” in which outside intervention cannot arrive. Turning a command receiver off, or shifting to a configuration that ignores the primary path, allows queued actions or onboard procedures to run without interruption, while operators perceive a transient loss of commandability consistent with geometry or environment. Brief, well-timed toggles can also desynchronize counters and handovers, complicating reconstruction of what occurred." ; d3f:modifies d3f:OperatingMode ; rdfs:seeAlso . d3f:DE-0003.04 a owl:Class, owl:NamedIndividual ; rdfs:label "Command Receivers Received Signal Strength - SPARTA" ; skos:prefLabel "Command Receivers Received Signal Strength" ; rdfs:subClassOf d3f:DE-0003, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:SystemPlatformVariable ] ; d3f:attack-id "DE-0003.04" ; d3f:definition "Threat actors may target the on-board command receivers received signal parameters (i.e., automatic gain control (AGC)) in order to stop specific commands or signals from being processed by the spacecraft. For ground controllers to communicate with spacecraft in orbit, the on-board receivers need to be configured to receive signals with a specific signal to noise ratio (ratio of signal power to the noise power). Targeting values related to the antenna signaling that are modifiable can prevent the spacecraft from receiving ground commands." ; d3f:modifies d3f:SystemPlatformVariable ; rdfs:seeAlso . d3f:DE-0003.05 a owl:Class, owl:NamedIndividual ; rdfs:label "Command Receiver Lock Modes - SPARTA" ; skos:prefLabel "Command Receiver Lock Modes" ; rdfs:subClassOf d3f:DE-0003, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OperatingMode ] ; d3f:attack-id "DE-0003.05" ; d3f:definition "Receivers advertise acquisition states, bit lock, frame lock, and command lock, that indicate readiness to accept telecommands. Adversaries leverage these indicators in two ways: (1) use command-lock tests to validate geometry, power, Doppler, and polarization without risking visible command execution; and (2) tamper with the values that report lock status so ground views never show that lock was achieved. Techniques include freezing or clearing lock flags and counters, raising/lowering internal thresholds so lock occurs without being reported (or vice versa), and timing brief lock intervals between telemetry samples. The result is a window where the spacecraft is receptive to commands while downlinked status suggests otherwise." ; d3f:modifies d3f:OperatingMode ; rdfs:seeAlso . d3f:DE-0003.06 a owl:Class, owl:NamedIndividual ; rdfs:label "Telemetry Downlink Modes - SPARTA" ; skos:prefLabel "Telemetry Downlink Modes" ; rdfs:subClassOf d3f:DE-0003, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OperatingMode ] ; d3f:attack-id "DE-0003.06" ; d3f:definition "Spacecraft expose modes that control what telemetry is sent and how, real-time channels, recorder playback, beacon/summary only, event-driven reporting, and per-virtual-channel/APID selections. By switching modes or editing the associated parameters (rates, filters, playback queues, index ranges), an adversary can thin, defer, or reroute observability. Typical effects include suppressing high-rate engineering streams in favor of minimal beacons, delaying playback of time periods of interest, replaying benign segments, or redirecting packets to alternate virtual channels that are not routinely monitored. Telemetry continues to flow, but it no longer reflects the activity the operators need to see." ; d3f:modifies d3f:OperatingMode ; rdfs:seeAlso . d3f:DE-0003.07 a owl:Class ; rdfs:label "Cryptographic Modes - SPARTA" ; skos:prefLabel "Cryptographic Modes" ; rdfs:subClassOf d3f:DE-0003 ; d3f:attack-id "DE-0003.07" ; d3f:definition "Many missions separate authentication from confidentiality and allow on-orbit selection of algorithms, keys, profiles, or “crypto off/clear” states. Adversaries manipulate these mode controls and selectors to desynchronize ground and space or to hide content: flipping to a profile that the ground is not using, requesting clear telemetry while maintaining authenticated uplink, or rotating key IDs so frames validate internally but appear undecodable to external tools. Mode indicators and status words can also be biased so ground displays show expected settings while the link actually operates under attacker-chosen parameters, masking command and data exchanges within normal-looking traffic." ; rdfs:seeAlso . d3f:DE-0003.08 a owl:Class, owl:NamedIndividual ; rdfs:label "Received Commands - SPARTA" ; skos:prefLabel "Received Commands" ; rdfs:subClassOf d3f:DE-0003, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:CommandHistoryLog ] ; d3f:attack-id "DE-0003.08" ; d3f:definition "Spacecraft typically maintain histories of accepted, rejected, and executed commands, buffers, logs, or file records that can be downlinked on demand or periodically. An adversary conceals activity by editing or pruning these artifacts: removing entries, altering opcodes or arguments, rewriting timestamps and source identifiers, rolling logs early, or repopulating with benign-looking commands to balance counters. Related acknowledgments and event records may be suppressed or reclassified so cross-checks appear consistent. After manipulation, the official command history shows a plausible narrative that omits or mischaracterizes the adversary’s actions." ; d3f:modifies d3f:CommandHistoryLog ; rdfs:seeAlso . d3f:DE-0003.09 a owl:Class, owl:NamedIndividual ; rdfs:label "System Clock for Evasion - SPARTA" ; skos:prefLabel "System Clock for Evasion" ; rdfs:subClassOf d3f:DE-0003, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:SystemTime ] ; d3f:attack-id "DE-0003.09" ; d3f:definition "The adversary biases the spacecraft’s authoritative time so that telemetry, event logs, and command histories appear shifted or inconsistent. By writing clock registers, altering disciplining sources (e.g., GNSS vs. free-running oscillator), or tweaking distribution services and offsets, they can make stored commands execute “earlier” or “later” on the timeline and misalign acknowledgments with actual actions. Downlinked frames still carry plausible timestamps near packet headers, but those stamps no longer reflect when data was produced, complicating reconstruction of sequences and masking causality during incident analysis." ; d3f:modifies d3f:SystemTime ; rdfs:seeAlso . d3f:DE-0003.10 a owl:Class ; rdfs:label "GPS Ephemeris - SPARTA" ; skos:prefLabel "GPS Ephemeris" ; rdfs:subClassOf d3f:DE-0003 ; d3f:attack-id "DE-0003.10" ; d3f:definition "A satellite with a GPS receiver can use ephemeris data from GPS satellites to estimate its own position in space. A hostile actor could spoof the GPS signals to cause erroneous calculations of the satellite’s position. The received ephemeris data is often telemetered and can be monitored for indications of GPS spoofing. Reception of ephemeris data that changes suddenly without a reasonable explanation (such as a known GPS satellite handoff), could provide an indication of GPS spoofing and warrant further analysis. Threat actors could also change the course of the vehicle and falsify the telemetered data to temporarily convince ground operators the vehicle is still on a proper course." ; rdfs:seeAlso . d3f:DE-0003.11 a owl:Class, owl:NamedIndividual ; rdfs:label "Watchdog Timer (WDT) for Evasion - SPARTA" ; skos:prefLabel "Watchdog Timer (WDT) for Evasion" ; rdfs:subClassOf d3f:DE-0003, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:WatchdogTimer ] ; d3f:attack-id "DE-0003.11" ; d3f:definition "By modifying watchdog parameters or who “pets” them, an adversary shapes what evidence survives. Extending or disabling timeouts allows long-running processes to operate without forced resets that would expose abnormal CPU or power usage; conversely, shortening windows or relocating the petting source to a low-level ISR can induce frequent resets that wipe volatile traces, break correlation in logs, and explain anomalies as “spurious reboots.” In both directions, the watchdog becomes a timing tool for hiding activity rather than a guardrail against it." ; d3f:modifies d3f:WatchdogTimer ; rdfs:seeAlso . d3f:DE-0003.12 a owl:Class ; rdfs:label "Poison AI/ML Training for Evasion - SPARTA" ; skos:prefLabel "Poison AI/ML Training for Evasion" ; rdfs:subClassOf d3f:DE-0003 ; d3f:attack-id "DE-0003.12" ; d3f:definition "When security monitoring relies on AI/ML (e.g., anomaly detection on telemetry, RF fingerprints, or command semantics), the training data itself is a target. Data-poisoning introduces crafted examples or labels so the learned model embeds false associations, treating attacker behaviors as normal, or flagging benign patterns instead. Variants include clean-label backdoors keyed to subtle triggers, label flipping that shifts decision boundaries, and biased sampling that suppresses rare-but-critical signatures. Models trained on tainted corpora are later deployed as routine updates; once in service, the adversary presents inputs containing the trigger or profile they primed, and the detector omits or downranks the very behaviors that would reveal the intrusion." ; rdfs:seeAlso . d3f:DE-0004 a owl:Class ; rdfs:label "Masquerading - SPARTA" ; skos:prefLabel "Masquerading" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; d3f:attack-id "DE-0004" ; d3f:definition "The adversary presents themselves as an authorized origin so activity appears legitimate across RF, protocol, and organizational boundaries. Techniques include crafting telecommand frames with correct headers, counters, and dictionaries; imitating station “fingerprints” such as Doppler, polarization, timing, and framing; replaying or emulating crosslink identities; and using insider-derived credentials or roles to operate mission tooling. Masquerading can also target metadata, virtual channel IDs, APIDs, source sequence counts, and facility identifiers, so logs and telemetry attribute actions to expected entities. The effect is that commands, file transfers, or configuration changes are processed as if they came from approved sources, reducing scrutiny and delaying detection." ; rdfs:seeAlso . d3f:DE-0005 a owl:Class, owl:NamedIndividual ; rdfs:label "Subvert Protections via Safe-Mode - SPARTA" ; skos:prefLabel "Subvert Protections via Safe-Mode" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:VehicleOperatingMode ] ; d3f:attack-id "DE-0005" ; d3f:definition "The adversary exploits the spacecraft’s recovery posture to bypass controls that are stricter in nominal operations. During safe-mode, vehicles often accept contingency dictionaries, relax rate/size and timetag checks, activate alternate receivers or antennas, and emit reduced or summary telemetry. By timing actions to this state, or deliberately inducing it, the attacker issues maintenance-looking edits, loads, or mode changes that proceed under broadened acceptance while downlink visibility is thinned. Unauthorized activity blends with anomaly response, evading both automated safeguards and operator suspicion." ; d3f:modifies d3f:VehicleOperatingMode ; rdfs:seeAlso . d3f:DE-0006 a owl:Class, owl:NamedIndividual ; rdfs:label "Modify Whitelist - SPARTA" ; skos:prefLabel "Modify Whitelist" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:AccessControlConfiguration ] ; d3f:attack-id "DE-0006" ; d3f:definition "Threat actors may target whitelists on the spacecrafts as a means to execute and/or hide malicious processes/programs. Whitelisting is a common technique used on traditional IT systems but has also been used on spacecrafts. Whitelisting is used to prevent execution of unknown or potentially malicious software. However, this technique can be bypassed if not implemented correctly but threat actors may also simply attempt to modify the whitelist outright to ensure their malicious software will operate on the spacecraft that utilizes whitelisting." ; d3f:modifies d3f:AccessControlConfiguration ; rdfs:seeAlso . d3f:DE-0007 a owl:Class, owl:NamedIndividual ; rdfs:label "Evasion via Rootkit - SPARTA" ; skos:prefLabel "Evasion via Rootkit" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:BootSector ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:Kernel ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:KernelModule ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:SystemFirmware ] ; d3f:attack-id "DE-0007" ; d3f:definition "A rootkit hides malicious activity by interposing on reporting paths after the system has booted. In flight contexts this includes patching flight software APIs, kernel syscalls, message queues, and telemetry publishers so task lists, counters, health channels, and event severities are falsified before downlink. Command handlers can be hooked to suppress evidence of certain opcodes or sources; recorder catalogs and file listings can be rewritten on the fly; and housekeeping can be biased to show nominal temperatures, currents, or voltages while actions proceed. The defining feature is runtime concealment: the observability surfaces operators rely on are altered to present a curated, benign narrative." ; d3f:modifies d3f:BootSector, d3f:Kernel, d3f:KernelModule, d3f:SystemFirmware ; rdfs:seeAlso . d3f:DE-0008 a owl:Class, owl:NamedIndividual ; rdfs:label "Evasion via Bootkit - SPARTA" ; skos:prefLabel "Evasion via Bootkit" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:BootLoader ] ; d3f:attack-id "DE-0008" ; d3f:definition "A bootkit hides activity by running first and shaping what higher layers will later observe. Positioned in boot ROM handoff or early loaders, it can select or patch images in memory, alter device trees and driver tables, seed forged counters and timestamps, and preconfigure telemetry/crypto modes so subsequent components launch into a reality curated by the attacker. Because integrity and logging mechanisms are initialized afterward, the resulting view of processes, files, and histories reflects the bootkit’s choices, allowing long-term evasion that persists across resets and mode transitions." ; d3f:modifies d3f:BootLoader ; rdfs:seeAlso . d3f:DE-0009 a owl:Class ; rdfs:label "Camouflage, Concealment, and Decoys (CCD) - SPARTA" ; skos:prefLabel "Camouflage, Concealment, and Decoys (CCD)" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; d3f:attack-id "DE-0009" ; d3f:definition "The adversary exploits the physical and operational environment to reduce detectability or to mislead observers. Tactics include signature management (minimizing RF/optical/thermal/RCS), controlled emissions timing, deliberate power-down/dormancy, geometry choices that hide within clutter or eclipse, and the deployment of decoys that generate convincing tracks. CCD can also leverage naturally noisy conditions, debris-rich regions, auroral radio noise, solar storms, to mask proximity operations or to provide plausible alternate explanations for anomalies. The unifying theme is environmental manipulation: shape what external sensors perceive so surveillance and attribution lag, misclassify, or look elsewhere." ; rdfs:seeAlso . d3f:DE-0009.01 a owl:Class ; rdfs:label "Debris Field - SPARTA" ; skos:prefLabel "Debris Field" ; rdfs:subClassOf d3f:DE-0009 ; d3f:attack-id "DE-0009.01" ; d3f:definition "The attacker co-orbits within or near clusters of small objects, matching apparent characteristics (brightness, RCS, tumbling, intermittent emissions) so the vehicle blends with background debris. Dormant periods with minimized attitude control and emissions further the illusion. This posture supports covert inspection, staging for a later intercept, or timing cyber-physical actions (e.g., propulsion or actuator manipulation) to coincide with passages through clutter, increasing the chance that damage or anomalies are attributed to debris strikes rather than deliberate activity. Maintenance of the disguise may involve small, infrequent maneuvers to keep relative motion consistent with “free” debris dynamics." ; rdfs:seeAlso . d3f:DE-0009.02 a owl:Class ; rdfs:label "Space Weather - SPARTA" ; skos:prefLabel "Space Weather" ; rdfs:subClassOf d3f:DE-0009 ; d3f:attack-id "DE-0009.02" ; d3f:definition "The adversary aligns operations with heightened solar/geomagnetic activity so effects resemble natural disturbances. During storms, receivers struggle with scintillation and increased noise; SEUs and resets rise; navigation and timing degrade; and operators expect anomalies. By conducting EMI, spoofing, or timing-sensitive sequences within these windows, the attacker benefits from ambient interference and plausible attribution to space weather. Telemetry gaps, link fades, or transient upsets appear consistent with the environment, delaying suspicion that a deliberate action occurred." ; rdfs:seeAlso . d3f:DE-0009.03 a owl:Class ; rdfs:label "Trigger Premature Intercept - SPARTA" ; skos:prefLabel "Trigger Premature Intercept" ; rdfs:subClassOf d3f:DE-0009 ; d3f:attack-id "DE-0009.03" ; d3f:definition "Decoys and deceptive signatures are used to provoke defenders into committing limited resources early, inspection vehicles, interceptors, laser dwell time, maneuver fuel, or analyst attention. The attacker deploys objects or emissions that mimic credible threats (trajectories, RCS/brightness, modulation) so tracking and discrimination systems prioritize the decoy. While defenses engage, the true operation proceeds with reduced scrutiny, or follows shortly after when defensive capacity and timelines are depleted. The effect is resource exhaustion and timeline compression on the defender’s side, increasing the success window for the actual action." ; rdfs:seeAlso . d3f:DE-0009.04 a owl:Class ; rdfs:label "Targeted Deception of Onboard SSA/SDA Sensors - SPARTA" ; skos:prefLabel "Targeted Deception of Onboard SSA/SDA Sensors" ; rdfs:subClassOf d3f:DE-0009 ; d3f:attack-id "DE-0009.04" ; d3f:definition "The attacker aims at the spacecraft’s own proximity-awareness stack, cameras, star-tracker side products, lidar/radar, RF transponders, and the onboard fusion that estimates nearby objects. Methods include optical dazzling or reflective camouflage that confuses centroiding and detection, RCS management to fall below radar gate thresholds, intermittent or misleading transponder replies, and presentation of spoofed fiducials or optical patterns tuned to the vehicle’s detection algorithms. By biasing these local sensors and their fusion logic, the adversary hides approach, distorts relative-state estimates, or induces the target to classify a nearby object as benign clutter, masking proximity operations without relying on external catalog errors." ; rdfs:seeAlso . d3f:DE-0009.05 a owl:Class ; rdfs:label "Corruption or Overload of Ground-Based SDA Systems - SPARTA" ; skos:prefLabel "Corruption or Overload of Ground-Based SDA Systems" ; rdfs:subClassOf d3f:DE-0009 ; d3f:attack-id "DE-0009.05" ; d3f:definition "The adversary targets terrestrial space-domain awareness pipelines, sensor networks, tracking centers, catalogs, and their data flows, to blind or confuse broad-area monitoring. Paths include compromising or spoofing observational feeds (radar/optical returns, TLE updates, ephemeris exchanges), injecting falsified or time-shifted tracks, tampering with fusion/association parameters, and saturating ingestion and alerting with noisy or adversarial inputs. Where SDA employs AI/ML for detection and correlation, the attacker can degrade models by flooding them with ambiguous scenes or crafted features that increase false positives/negatives and consume analyst cycles. Unlike onboard deception, this approach skews the external decision-support picture across many assets at once, delaying detection of real maneuvers and providing cover for concurrent operations." ; rdfs:seeAlso . d3f:DE-0010 a owl:Class, owl:NamedIndividual ; rdfs:label "Overflow Audit Log - SPARTA" ; skos:prefLabel "Overflow Audit Log" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique, [ a owl:Restriction ; owl:onProperty d3f:abuses ; owl:someValuesFrom d3f:EventLog ] ; d3f:abuses d3f:EventLog ; d3f:attack-id "DE-0010" ; d3f:definition "The adversary hides activity by exhausting finite on-board logging and telemetry buffers so incriminating events are overwritten before they can be downlinked. Spacecraft typically use ring buffers with severity filters, per-subsystem quotas, and scheduled dump windows; by generating bursts of benign but high-frequency events (file listings, status queries, low-severity housekeeping, repeated mode toggles) or by provoking chatter from chatty subsystems, the attacker accelerates rollover. Variants target recorder indexes and event catalogs so new entries displace older ones, or they align floods with known downlink gaps and pass handovers when retention is shortest. To analysts on the ground, logs appear present but incomplete, showing a plausible narrative that omits the very interval when unauthorized commands or updates occurred." ; rdfs:seeAlso . d3f:DE-0011 a owl:Class, owl:NamedIndividual ; rdfs:label "Credentialed Evasion - SPARTA" ; skos:prefLabel "Credentialed Evasion" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique, [ a owl:Restriction ; owl:onProperty d3f:uses ; owl:someValuesFrom d3f:Credential ] ; d3f:attack-id "DE-0011" ; d3f:definition "Threat actors may leverage valid credentials to conduct unauthorized actions against a spacecraft or related system in a way that conceals their presence and evades detection. By using trusted authentication mechanisms attackers can blend in with legitimate operations and avoid triggering access control alarms or anomaly detection systems. This technique enables evasion by appearing authorized, allowing adversaries to issue commands, access sensitive subsystems, or move laterally within spacecraft or constellation architectures without exploiting software vulnerabilities. When credential use is poorly segmented or monitored, this form of access can be used to maintain stealthy persistence or facilitate other tactics under the guise of legitimate activity." ; d3f:uses d3f:Credential ; rdfs:seeAlso . d3f:DE-0012 a owl:Class ; rdfs:label "Component Collusion - SPARTA" ; skos:prefLabel "Component Collusion" ; rdfs:subClassOf d3f:SPARTADefenseEvasionTechnique ; d3f:attack-id "DE-0012" ; d3f:definition """This technique involves two or more compromised components operating in coordination to conceal malicious activity. Threat actors compromise multiple software modules during the supply chain process and design them to behave cooperatively. Each component independently performs only a limited, seemingly benign function, such that when analyzed in isolation, no single module appears malicious. An example of implementation involves one component acting as a trigger agent, waiting for specific mission or system conditions (e.g., GPS fix, telemetry state) and writing a signal to a shared resource (e.g., file, bus). A separate action agent monitors this resource and only executes the malicious behavior (such as data exfiltration or command injection) upon receiving the trigger. This division of responsibilities significantly undermines traditional detection techniques, such as log analysis, static code review, or heuristic-based behavior monitoring.""" ; rdfs:seeAlso . d3f:DeadCodeElimination a d3f:DeadCodeElimination, owl:Class, owl:NamedIndividual ; rdfs:label "Dead Code Elimination" ; rdfs:subClassOf d3f:ApplicationHardening ; d3f:d3fend-id "D3-DCE" ; d3f:definition "Removing unreachable or \"dead code\" from compiled source code." ; d3f:kb-article """## How it works Dead code is code that is considered unreachable by normal program execution. Dead code can be created by adding code under a condition that never evaluates to true. Dead code should be removed since this type of code can produce unexpected results, if accidentally or maliciously forced to execute. Dead code identification is typically performed by algorithms that implement program flows analysis looking for unreachable code. The dead code is eliminated by instructing compilers to remove the code through compiler flags, i.e., '-fdce' is used for Dead Code Elimination. ## Considerations Code can also be deemed unreachable for certain run-time conditions. Different deployed systems and environments may contain some code that is unreachable for the given environment. This technique does not consider run-time conditions for unreachable code.""" ; d3f:kb-reference d3f:Reference-DeadCodeElimination . d3f:Deceive a d3f:DefensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Deceive" ; rdfs:subClassOf d3f:DefensiveTactic ; d3f:definition "The deceive tactic is used to advertise, entice, and allow potential attackers access to an observed or controlled environment." ; d3f:display-order 3 ; d3f:display-priority 0 . d3f:DecisionTree a owl:Class, owl:NamedIndividual ; rdfs:label "Decision Tree" ; rdfs:subClassOf d3f:Classification ; d3f:d3fend-id "D3A-DT" ; d3f:definition "Decision tree learning is a supervised learning approach used in statistics, data mining, and machine learning. In this formalism, a classification or regression decision tree is used as a predictive model to draw conclusions about a set of observations." ; d3f:kb-article """## How it works A decision tree starts with a root node, which does not have any incoming branches. The outgoing branches from the root node then feed into the internal nodes, also known as decision nodes. Based on the available features, both node types conduct evaluations to form homogenous subsets, which are denoted by leaf nodes, or terminal nodes. The leaf nodes represent all the possible outcomes within the dataset. ## Considerations While the basic underlying model is that of a decision tree, the decision tree node criteria, and the method for identifying splits varies significantly depending on the learning algorithm selected (e.g., CART, ID3, C4.5, C5.0, CHAID, MARS.) Extensions like linear and logistic trees can add additional expressiveness as well. ## Key Test Considerations - **Machine Learning**: - **Verify the dataset quality**: Check the data to make sure it is free of errors. Quantify the degree of missing values, outliers, and noise in the data collection. If the data quality is low, it may be difficult or impossible to create models and systems with the desired performance. - **Verify development datasets are representative**: of expected operational environment and data collection means. Compare distributions of dataset features and labels with exploratory data analysis and assess the difference in tests on training data and tests on evaluation data (where the evaluation data must be drawn from a representative dataset.) - **Use a variety of data sets**: where available and applicable, to reflect different operating and environment conditions that are likley to be be encountered. - **Use software libraries**: and tools built for ML where possible, so that the underlying code is verified by prior use.** - **Diagnose model errors with domain SMEs**: Have problem domain SMEs investigate model errors for conditions for which the model may underperform and suggest refinements. - **Classification**: - **Use Standard Classification Performance Measures**: Not all of the following may be necessary, but should be considered for both verification (developmental test) and operational test stages use: - **Accuracy**: The fraction of predictions that were corret. - **Precision**: The proportion of positive identifications that were correct. - **Recall**: The proportion of actual positive cases identified correctly. - **F-Measure**: Combines the preicion and recall into a single score. It is the harmonic mean of the precision and recall. - **Receiver Operating Characteristic (ROC) Curve**: A ROC curve shows the performance of a classification model at all classification thresholds. It graphs the True Positive Rate over the False Positive Rate. - **Area Under the ROC Curve (AUC)**: This measures the two-dimensional area under the ROC Curve. AUC is scale-invariant and classification-threshold invariant. - **ROC TP vs FP points**: In addition to a specific AUC score, the performance at points - **Confusion Matrix**: A confusion matrix is a table layout that allows the visualization of the performance of an algorithm. Each row of the matrix represents the instances in an actual class while each column represents the instances in a predicted class, or vice versa. It is a special kind of contingency table, with two dimensions ("actual" and "predicted"), and identical sets of "classes" in both dimensions (each combination of dimension and class is a variable in the contingency table.) - **Prediction Bias**: The difference between the average of the predicted labels and the average of the labels in the data set. One should check for prediction bias when evaluating the classifier's results. Causes of bias can include: - **Noisy data set**: Errors in original data can as the collection method may have an underlying bias. - **Processing bug**: Errors in the data pipeline can introduce bias. - **Biased training sample (unbalanced samples)**: Model parameters may be skewed towards majority classes. - **Overly strong regularization**: Model may be underfitting model and too simple. - **Proxy variables**: Model features may be highly correlated. - **Supervised Learning**: - **Overfitting and Underfitting**: Overfitting occurs when the the model built corresponds too closely or exactly to a particular set of data, and thus may fail to fit to predict additional data reliably. An overfitted model is a mathematical model that contains more parameters than can be justified by the data. Underfitting occurs when the model built does adequately capture the patterns in the data. As an example, a linear model will underfit a non-linear dataset. - **Sensitivity**: Perform N-fold Cross validation to indicate how much sensitivity the algorithm has to data variation and to avoid overfitting operational models. - **Decision Tree Learning**: - **Sensitive to unbalanced classes**: Examine and determine target class balance; decision tree learning algorithms are especially sensitive to unbalanced target classes. - **Consider decision boundaries**: Perform exploratory data analysis to determine if decision boundaries lie alongaxes of features. _Decision trees are ideal when decision boundaries can be found that lie along axes of features._ - **Decision tree overfitting** may require tuning algorithm hyperparameters such as tree depth, max features used, max leaf nodes, etc. - **Pruning** may result in a more robust model in real-word applications. - **Missing values**: Inspect the data set to determine if there are missing values and select a means to address them, either by choosing an algorithm that works well or a way to impute the value or eliminate the missing values in the data sensors or pipeline. ## Platforms, Tools, or Libraries - **scikit-learn**: includes tree algorithms for ID3, C4.5, C5.0, and CART. - **Weka**: includes J48 (C4.5), SimpleCart (CART), Logistic Model Trees, Naive Bayes Trees, and more. ### Validation Approach - Use operationally relevant data across the range of application's operating environment. - Incorporate some kind of continuous validation to address concept drift and the need to retrain the model and/or check data quality. ## References 1. Decision tree learning. (2023, May 30). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Decision_tree_learning). 2. Decision Trees. (n.d.). In _scikit-learn User Guide 1.2.2_. [Link](https://scikit-learn.org/stable/modules/tree.html). 3. Concept drift. (2023, April 17). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Concept_drift). 4. 8 Concept Drift Detection Methods. (n.d.). In _Aporia Learning Center_. [Link](https://www.aporia.com/learn/data-drift/concept-drift-detection-methods/).""" . d3f:DecisionTreeRegression a owl:Class, owl:NamedIndividual ; rdfs:label "Decision Tree Regression" ; rdfs:subClassOf d3f:RegressionAnalysisLearning ; d3f:d3fend-id "D3A-DTR" ; d3f:definition "Decision Trees Regression is asupervised learning method with the goal to create a model that predicts the value of a target variable by learning simple decision rules inferred from the data features" ; d3f:kb-article """## References scikit-learn. (n.d.). Decision Trees. [Link](https://scikit-learn.org/stable/modules/tree.html#tree)""" . d3f:DecoderApplication a owl:Class ; rdfs:label "Decoder Application" ; rdfs:subClassOf d3f:CodecApplication ; d3f:definition "An application that decodes digital data." . d3f:DecoyArtifact a owl:Class, owl:NamedIndividual ; rdfs:label "Decoy Artifact" ; skos:altLabel "Decoy", "Decoy Object", "Lure", "Trap" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:DigitalArtifact ] ; d3f:definition "A decoy is an imitation digital artifact in any sense of a digital artifact, object, or phenomenon that is intended to deceive a cyber attacker's surveillance devices or mislead their evaluation. Examples include fake files, accounts, hosts (honeypots), and network segments (honeynets)." ; d3f:may-contain d3f:DigitalArtifact ; rdfs:seeAlso , , . d3f:DecoyEnvironment a d3f:DecoyEnvironment, owl:Class, owl:NamedIndividual ; rdfs:label "Decoy Environment" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Deceive ], [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:DecoyArtifact ] ; d3f:d3fend-id "D3-DE" ; d3f:definition "A Decoy Environment comprises hosts and networks for the purposes of deceiving an attacker." ; d3f:enables d3f:Deceive ; d3f:kb-article """## Technique Overview Systems in a decoy environment are typically configured so that some detectable means of communication does not have any legitimate business purpose. Any communication via these means should be logged and analyzed to find potential indicators of compromise for a possible past or future attack against other systems.""" ; d3f:manages d3f:DecoyArtifact ; d3f:synonym "Honeypot" . d3f:DecoyFile a d3f:DecoyFile, owl:Class, owl:NamedIndividual ; rdfs:label "Decoy File" ; rdfs:subClassOf d3f:DecoyObject, [ a owl:Restriction ; owl:onProperty d3f:spoofs ; owl:someValuesFrom d3f:File ] ; d3f:d3fend-id "D3-DF" ; d3f:definition "A file created for the purposes of deceiving an adversary." ; d3f:kb-article """## How it works The decoy file is made available as a local or network resource. Accesses to the file may be monitored. The files may be configurations, documents, executables, or other file types. ## Considerations Properties of the file such as cryptographic checksums, file creation date, file modified date, file size, file owner etc may be modified to improve the credibility of the file. ## Example * A CSV file with decoy user credentials is placed on a system. The system or network is then monitored to detect any accesses to the decoy files.""" ; d3f:kb-reference d3f:Reference-OpenSourceIntelligenceDeceptions_IllusiveNetworksLtd, d3f:Reference-SystemAndAMethodForIdentifyingThePresenceOfMalwareAndRansomwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc, d3f:Reference-SystemAndMethodsThereofForPreventingRansomwareFromEncryptingDataElementsStoredInAMemoryOfAComputer-basedSystem_PaloAltoNetworksInc, ; d3f:spoofs d3f:File . d3f:DecoyNetworkResource a d3f:DecoyNetworkResource, owl:Class, owl:NamedIndividual ; rdfs:label "Decoy Network Resource" ; rdfs:subClassOf d3f:DecoyObject, [ a owl:Restriction ; owl:onProperty d3f:spoofs ; owl:someValuesFrom d3f:NetworkResource ] ; d3f:d3fend-id "D3-DNR" ; d3f:definition "Deploying a network resource for the purposes of deceiving an adversary." ; d3f:kb-article """## How it works Decoy network resources are deployed to web application servers, network file shares, or other network based sharing services. A "honeypot" may serve a variety of decoy network resources. ## Considerations * Developing a deployment and placement strategy for the decoy network resource. * Personnel responsible for creation of decoy networks should consider the potential for resource exhaustion through denial of service attacks. ## Examples * Honeypots are typically used to mimic a known system with fake vulnerabilities. This may attract attackers to the honeypot. * Decoy accounts are also used to scan for attempted logins. The decoy accounts can provide security analysts with the attacker's potential intents and strategies. * Tarpits are used to monitor unallocated IP space for unauthorized network activity.""" ; d3f:kb-reference d3f:Reference-AutomaticallyGeneratingNetworkResourceGroupsAndAssigningCustomizedDecoyPoliciesThereto_IllusiveNetworksLtd, d3f:Reference-Deception-BasedResponsesToSecurityAttacks_CrowdstrikeInc, d3f:Reference-DynamicSelectionAndGenerationOfAVirtualCloneForDetonationOfSuspiciousContentWithinAHoneyNetwork_PaloAltoNetworksInc, d3f:Reference-SystemAndMethodForIdentifyingThePresenceOfMalwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc ; d3f:spoofs d3f:NetworkResource . d3f:DecoyObject a d3f:DecoyObject, owl:Class, owl:NamedIndividual ; rdfs:label "Decoy Object" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Deceive ] ; d3f:d3fend-id "D3-DO" ; d3f:definition "A Decoy Object is created and deployed for the purposes of deceiving attackers." ; d3f:enables d3f:Deceive ; d3f:kb-article """## Technique Overview Decoy objects are typically configured with detectable means of communication but do not have any legitimate business purpose. Any communication via or to these objects should be logged and analyzed to find potential indicators of compromise for a possible past or future attack against other systems.""" ; d3f:synonym "Lure" . d3f:DecoyPersona a d3f:DecoyPersona, owl:Class, owl:NamedIndividual ; rdfs:label "Decoy Persona" ; rdfs:subClassOf d3f:DecoyObject, [ a owl:Restriction ; owl:onProperty d3f:spoofs ; owl:someValuesFrom d3f:User ] ; d3f:d3fend-id "D3-DP" ; d3f:definition "Establishing a fake online identity to misdirect, deceive, and or interact with adversaries." ; d3f:kb-article """## How it works A false online identity is created for the purposes of interacting with adversaries in a direct or indirect manner. This includes the associated email addresses, social media accounts, and other online communication profiles. ## Considerations * Include phone numbers and online social profiles as well as automatically or manually responding to contact made to the persona to improve realism. * Continuous updating and managing the decoy personas and online activity streams to ensure personas do not become stale and outdated.""" ; d3f:kb-reference d3f:Reference-DecoyPersonasForSafeguardingOnlineIdentityUsingDeception_, ; d3f:spoofs d3f:User . d3f:DecoyPublicRelease a d3f:DecoyPublicRelease, owl:Class, owl:NamedIndividual ; rdfs:label "Decoy Public Release" ; rdfs:subClassOf d3f:DecoyObject ; d3f:d3fend-id "D3-DPR" ; d3f:definition "Issuing publicly released media to deceive adversaries." ; d3f:kb-article """## How it works Publicly released media includes press release, videos, or other marketing collateral. The media may include URLs, points of contact, or other identifiers to entice interaction from adversaries. ## Considerations * Information used in decoy public released media must contain enough realism to deceive and provide interaction from adversaries. * Continuous development, creation, and distribution of media and identifiers are needed to ensure adversary interaction continues over time. * Decoy public releases could be placed on platforms with different degrees of ownership, including entirely enterprise-owned infrastructure, IaaS, and SaaS (including social applications). Platforms that are not entirely enterprise-owned may be more likely to gather information""" ; d3f:kb-reference d3f:Reference-MockAttackCybersecurityTrainingSystemAndMethods_WOMBATSECURITYTECHNOLOGIESInc . d3f:DecoySessionToken a d3f:DecoySessionToken, owl:Class, owl:NamedIndividual ; rdfs:label "Decoy Session Token" ; rdfs:subClassOf d3f:DecoyObject, [ a owl:Restriction ; owl:onProperty d3f:spoofs ; owl:someValuesFrom d3f:SessionToken ] ; d3f:d3fend-id "D3-DST" ; d3f:definition "An authentication token created for the purposes of deceiving an adversary." ; d3f:kb-article """## How it works Usage of decoy session tokens may be monitored to track attacker behavior or otherwise control the beliefs of the attacker. ## Considerations * Interaction and activity with the decoy session token must be constantly monitored and analyzed to detect unauthorized activity. * Session tokens are typically short-lived and therefore the decoy must be continuously updated to provide the appearance of it being used in the production environment. * Automated tools can assist with maintenance and updates by automatically adjusting the decoy session token and environment to mimic the production environment.""" ; d3f:kb-reference d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_CymmetriaInc ; d3f:spoofs d3f:SessionToken . d3f:DecoyUserCredential a d3f:DecoyUserCredential, owl:Class, owl:NamedIndividual ; rdfs:label "Decoy User Credential" ; rdfs:subClassOf d3f:DecoyObject, [ a owl:Restriction ; owl:onProperty d3f:spoofs ; owl:someValuesFrom d3f:Credential ] ; d3f:d3fend-id "D3-DUC" ; d3f:definition "A Credential created for the purpose of deceiving an adversary." ; d3f:kb-article """## How it works A detection analytic is developed to determine when a user uses decoy credentials. Subsequent actions by that user may be monitored or controlled by the defender. A credential may be: * Domain username and password * Local system username and password ## Considerations * Decoy credentials should be integrated with a larger decoy environment to ensure that when decoy credentials are compromised, the credentials are used to interact with a decoy asset that is being monitored. * Continuous maintenance and updates are needed to ensure the legitimacy of the larger decoy environment and specifically the assets that utilize the decoy credentials.""" ; d3f:kb-reference d3f:Reference-DecoyAndDeceptiveDataObjectTechnology_CymmetriaInc, d3f:Reference-DecoyNetwork-BasedServiceForDeceivingAttackers-AmazonTechnologies, d3f:Reference-SystemAndMethodForIdentifyingThePresenceOfMalwareUsingMini-trapsSetAtNetworkEndpoints_FidelisCybersecuritySolutionsInc ; d3f:spoofs d3f:Credential . d3f:DeepConvolutionalGAN a owl:Class, owl:NamedIndividual ; rdfs:label "Deep Convolutional GAN" ; rdfs:subClassOf d3f:ImageSynthesisGAN ; d3f:d3fend-id "D3A-DCG" ; d3f:definition "Deep Convolutional GAN (DCGAN) uses convolutional and convolutional-transpose layers in the generator and discriminator, respectively." ; d3f:kb-article """## References Analytics Vidhya. (2021). Deep Convolutional Generative Adversarial Network (DCGAN) for Beginners. [Link](https://www.analyticsvidhya.com/blog/2021/07/deep-convolutional-generative-adversarial-network-dcgan-for-beginners/)""" ; d3f:synonym "DCGAN" . d3f:DeepNeuralNetClassification a owl:Class, owl:NamedIndividual ; rdfs:label "Deep Neural Network Classification" ; rdfs:subClassOf d3f:ArtificialNeuralNetClassification ; d3f:d3fend-id "D3A-DNNC" ; d3f:definition "A deep neural network (DNN) is an artificial neural network (ANN) with multiple layers between the input and output layers. There are different types of neural networks but they always consist of the same components: neurons, synapses, weights, biases, and functions. These components as a whole function similarly to a human brain, and can be trained like any other ML algorithm" ; d3f:kb-article """## References Deep learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Deep_learning).""" . d3f:DeepQ-learning a owl:Class, owl:NamedIndividual ; rdfs:label "Deep Q-learning" ; rdfs:subClassOf d3f:Q-Learning ; d3f:d3fend-id "D3A-DQL" ; d3f:definition "Uses a deep convolutional neural network, with layers of tiled convolutional filters to mimic the effects of receptive fields." ; d3f:kb-article """## References Q-learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Q-learning#Deep_Q-learning).""" . d3f:DefaultUserAccount a owl:Class, owl:NamedIndividual ; rdfs:label "Default User Account" ; rdfs:subClassOf d3f:UserAccount ; d3f:definition "Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices." ; rdfs:seeAlso . d3f:DefenseEvasionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Defense Evasion Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0005 ] ; d3f:definition "The adversary is trying to avoid being detected." ; d3f:enables d3f:TA0005 . d3f:DefensiveAction a owl:Class ; rdfs:label "Defensive Action" ; rdfs:subClassOf d3f:CyberAction . d3f:DefensiveTactic a owl:Class ; rdfs:label "Defensive Tactic" ; rdfs:subClassOf d3f:Goal, [ a owl:Restriction ; owl:onProperty d3f:enabled-by ; owl:someValuesFrom d3f:DefensiveTechnique ] ; rdfs:isDefinedBy ; d3f:definition "A plan for attaining a particular goal." . d3f:DefensiveTechnique a d3f:DefensiveTechnique, owl:Class, owl:NamedIndividual ; rdfs:label "Defensive Technique" ; rdfs:subClassOf d3f:CyberTechnique, [ a owl:Restriction ; owl:onProperty d3f:d3fend-id ; owl:someValuesFrom xsd:string ], [ a owl:Restriction ; owl:onProperty d3f:date ; owl:someValuesFrom xsd:dateTime ], [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:DefensiveTactic ], [ a owl:Restriction ; owl:onProperty d3f:kb-reference ; owl:someValuesFrom d3f:TechniqueReference ] ; d3f:definition "A method which makes a computer system more difficult to attack." ; d3f:display-baseurl "/technique/" ; d3f:synonym "Countermeasure Technique", "Defensive Capability Feature", "Technical Security Control" ; rdfs:seeAlso . d3f:DeleteFile a owl:Class, owl:NamedIndividual ; rdfs:label "Delete File" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:deletes ; owl:someValuesFrom d3f:File ] ; d3f:definition "Remove a file from a machine." ; d3f:deletes d3f:File . d3f:Density-basedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Density-based Clustering" ; rdfs:subClassOf d3f:ClusterAnalysis ; d3f:d3fend-id "D3A-DBC" ; d3f:definition "Density-based clustering connects areas of high example density into clusters. This allows for arbitrary-shaped distributions as long as dense areas can be connected." ; d3f:kb-article """## References Google Developers. (n.d.). Clustering algorithms. [Link](https://developers.google.com/machine-learning/clustering/clustering-algorithms)""" . d3f:Density-weightedMethod a owl:Class, owl:NamedIndividual ; rdfs:label "Density-weighted Method" ; rdfs:subClassOf d3f:ActiveLearning ; d3f:d3fend-id "D3A-DWM" ; d3f:definition "An Actvie Learning technique that uses a density estimate meta-parameter to avoid sampling sparsely populated regions of the feature space and can be based parametrically or from a parameter free model." ; d3f:kb-article """## References Intro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).""" . d3f:DeonticLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Deontic Logic" ; rdfs:subClassOf d3f:ModalLogic ; d3f:d3fend-id "D3A-DL" ; d3f:definition "Deontic logic addresses the modality of obligations and norms; i.e., the modality of morality." ; d3f:kb-article """## References 1. Deontic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Deontic_logic)""" . d3f:Dependency a owl:Class, owl:NamedIndividual ; rdfs:label "Dependency" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:dependent ; owl:someValuesFrom d3f:D3FENDCore ], [ a owl:Restriction ; owl:onProperty d3f:provider ; owl:someValuesFrom d3f:D3FENDCore ] ; d3f:definition "A dependency is the relationship of relying on or being controlled by someone or something else. This class reifies dependencies that correspond to the object property depends-on." ; d3f:dependent d3f:D3FENDCore ; d3f:provider d3f:D3FENDCore ; rdfs:seeAlso , . d3f:DescriptionLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Description Logic" ; rdfs:subClassOf d3f:SymbolicAI ; d3f:d3fend-id "D3A-DL" ; d3f:definition "A description logic (DL) is a form of logic usually more expressive than propositional logic but less expressive than first-order logic." ; d3f:kb-article """## How it works The core reasoning problems for description logics (DLs) are (usually) decidable, and efficient decision procedures have been designed and implemented for these problems. There are general, spatial, temporal, spatiotemporal, and fuzzy description logics, and each description logic features a different balance between expressive power and reasoning complexity by supporting different sets of mathematical constructors. DLs are used in artificial intelligence to describe and reason about the relevant concepts of an application domain (known as terminological knowledge). It is of particular importance in providing a logical formalism for ontologies and the Semantic Web: the Web Ontology Language (OWL) and its profiles are based on DLs. ## References 1. Description logic. (2023, April 16). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Description_logic)""" . d3f:DescriptiveStatistics a owl:Class, owl:NamedIndividual ; rdfs:label "Descriptive Statistics" ; rdfs:subClassOf d3f:StatisticalMethod ; d3f:d3fend-id "D3A-DS" ; d3f:definition "Descriptive statistics provide simple summaries about the sample and about the observations that have been made." ; d3f:kb-article """## References Wikipedia. (n.d.). Descriptive statistics. [Link](https://en.wikipedia.org/wiki/Descriptive_statistics)""" . d3f:DeserializationFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Deserialization Function" ; rdfs:subClassOf d3f:Subroutine ; d3f:definition "Function with an input of serialized data which deserializes that data, usually with data parsing methods." . d3f:DesktopComputer a owl:Class ; rdfs:label "Desktop Computer" ; rdfs:subClassOf d3f:PersonalComputer ; rdfs:isDefinedBy ; d3f:definition "A desktop computer is a personal computer designed for regular use at a single location on or near a desk or table due to its size and power requirements. The most common configuration has a case that houses the power supply, motherboard (a printed circuit board with a microprocessor as the central processing unit (CPU), memory, bus, and other electronic components, disk storage (usually one or more hard disk drives, solid state drives, optical disc drives, and in early models a floppy disk drive); a keyboard and mouse for input; and a computer monitor, speakers, and, often, a printer for output. The case may be oriented horizontally or vertically and placed either underneath, beside, or on top of a desk." . d3f:Detect a d3f:DefensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Detect" ; rdfs:subClassOf d3f:DefensiveTactic ; d3f:definition "The detect tactic is used to identify adversary access to or unauthorized activity on computer networks." ; d3f:display-order 1 ; d3f:display-priority 0 . d3f:DetectionEvent a owl:Class, owl:NamedIndividual ; rdfs:label "Detection Event" ; rdfs:subClassOf d3f:SecurityEvent ; d3f:definition "An event capturing the identification of a potential security issue, such as unauthorized access attempts, policy violations, or anomalous activities. Detection events form the foundation of cybersecurity monitoring and response." ; d3f:related d3f:Detect ; rdfs:seeAlso . d3f:DeveloperApplication a owl:Class ; rdfs:label "Developer Application" ; rdfs:subClassOf d3f:UserApplication ; d3f:definition "An application used to develop computer software including applications used for software construction, analysis, testing, packaging, or management." ; rdfs:seeAlso , . d3f:DHCPAckEvent a owl:Class ; rdfs:label "DHCP Ack Event" ; skos:altLabel "DHCPACK" ; rdfs:subClassOf d3f:DHCPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DHCPRequestEvent ] ; d3f:definition "An event where a DHCP server sends an ACK message to acknowledge a client's REQUEST, confirming the allocation of an IP address and associated network settings." . d3f:DHCPDiscoverEvent a owl:Class ; rdfs:label "DHCP Discover Event" ; skos:altLabel "DHCPDISCOVER" ; rdfs:subClassOf d3f:DHCPEvent ; d3f:definition "An event where a DHCP client broadcasts a DISCOVER message to identify available DHCP servers capable of providing IP configuration." . d3f:DHCPEvent a owl:Class ; rdfs:label "DHCP Event" ; rdfs:subClassOf d3f:ApplicationLayerEvent, d3f:UDPEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:DHCPNetworkTraffic ] ; d3f:definition "An event involving the Dynamic Host Configuration Protocol (DHCP), a UDP-based protocol used to dynamically assign IP addresses and configure network parameters, enabling devices to communicate efficiently on a network." ; rdfs:seeAlso . d3f:DHCPInformEvent a owl:Class ; rdfs:label "DHCP Inform Event" ; skos:altLabel "DHCPINFORM" ; rdfs:subClassOf d3f:DHCPEvent ; d3f:definition "An event where a DHCP client sends an INFORM message to request configuration parameters, such as DNS or gateway information, without requiring IP address assignment." . d3f:DHCPLeaseExpireEvent a owl:Class ; rdfs:label "DHCP Lease Expire Event" ; skos:altLabel "DHCPLEASEEXPIRE" ; rdfs:subClassOf d3f:DHCPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DHCPAckEvent ] ; d3f:definition "An event indicating that a DHCP lease has expired, rendering the previously assigned IP address available for reassignment to other devices." . d3f:DHCPNakEvent a owl:Class ; rdfs:label "DHCP Nak Event" ; skos:altLabel "DHCPNAK" ; rdfs:subClassOf d3f:DHCPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DHCPRequestEvent ] ; d3f:definition "An event where a DHCP server sends a NAK message to reject a client's REQUEST, indicating that the requested configuration cannot be granted." . d3f:DHCPNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "DHCP Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic ; d3f:definition "DHCP Network Traffic is network traffic related to the DHCP protocol, used by network nodes to negotiate and configure either IPv4 or IPv6 addresses." . d3f:DHCPOfferEvent a owl:Class ; rdfs:label "DHCP Offer Event" ; skos:altLabel "DHCPOFFER" ; rdfs:subClassOf d3f:DHCPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DHCPDiscoverEvent ] ; d3f:definition "An event where a DHCP server sends an OFFER message to a client in response to a DISCOVER request, proposing an IP address and associated configuration parameters." . d3f:DHCPReleaseEvent a owl:Class ; rdfs:label "DHCP Release Event" ; skos:altLabel "DHCPRELEASE" ; rdfs:subClassOf d3f:DHCPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DHCPAckEvent ] ; d3f:definition "An event where a DHCP client sends a RELEASE message to relinquish its assigned IP address and cancel any remaining lease duration." . d3f:DHCPRequestEvent a owl:Class ; rdfs:label "DHCP Request Event" ; skos:altLabel "DHCPREQUEST" ; rdfs:subClassOf d3f:DHCPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DHCPOfferEvent ] ; d3f:definition "An event where a DHCP client sends a REQUEST message to confirm or renew its desired IP configuration with a specific DHCP server." . d3f:DHCPServer a owl:Class, owl:NamedIndividual ; rdfs:label "DHCP Server" ; rdfs:subClassOf d3f:Server, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:DHCPServiceApplication ], [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:DHCPService ] ; rdfs:isDefinedBy ; d3f:contains d3f:DHCPServiceApplication ; d3f:definition "A Dynamic Host Configuration Protocol (DHCP) server is a type of server that assigns IP addresses to computers. DHCP servers are used to assign IP addresses to computers and other devices automatically. The DHCP server is responsible for assigning the unique IP address to each device." ; d3f:manages d3f:DHCPService . d3f:DHCPService a owl:Class, owl:NamedIndividual ; rdfs:label "DHCP Service" ; rdfs:subClassOf d3f:NetworkService, [ a owl:Restriction ; owl:onProperty d3f:may-produce ; owl:someValuesFrom d3f:DHCPNetworkTraffic ] ; d3f:definition "A DHCP service assigns IP address and modifies network configurations." ; d3f:may-produce d3f:DHCPNetworkTraffic . d3f:DHCPServiceApplication a owl:Class, owl:NamedIndividual ; rdfs:label "DHCP Service Application" ; rdfs:subClassOf d3f:ServiceApplication, [ a owl:Restriction ; owl:onProperty d3f:instructs ; owl:someValuesFrom d3f:DHCPService ] ; d3f:definition "An application that automates the assignment of IP addresses and other network configuration parameters to devices on a network" ; d3f:instructs d3f:DHCPService . d3f:DialUpModem a owl:Class ; rdfs:label "Dial Up Modem" ; rdfs:subClassOf d3f:Modem ; rdfs:isDefinedBy ; d3f:definition "A dial-up modem transmits computer data over an ordinary switched telephone line that has not been designed for data use. This contrasts with leased line modems, which also operate over lines provided by a telephone company, but ones which are intended for data use and do not impose the same signaling constraints. The modulated data must fit the frequency constraints of a normal voice audio signal, and the modem must be able to perform the actions needed to connect a call through a telephone exchange, namely: picking up the line, dialing, understanding signals sent back by phone company equipment (dial tone, ringing, busy signal,) and on the far end of the call, the second modem in the connection must be able to recognize the incoming ring signal and answer the line." . d3f:DifferentialVolumeSnapshot a owl:Class ; rdfs:label "Differential Volume Snapshot" ; rdfs:subClassOf d3f:VolumeSnapshot ; d3f:definition "A differential volume snapshot is a point-in-time capture of the files and directories that were changed since the last full snapshot." ; rdfs:seeAlso . d3f:DigitalAccessBadge a owl:Class, owl:NamedIndividual ; rdfs:label "Digital Access Badge" ; rdfs:subClassOf d3f:Credential, [ a owl:Restriction ; owl:onProperty d3f:operates ; owl:someValuesFrom d3f:ElectronicCombinationLock ] ; d3f:definition "A credential used to gain entry to an area having automated access control entry points. Example media being magnetic stripe, proximity, barcode, or smart cards are examples." ; d3f:operates d3f:ElectronicCombinationLock ; d3f:synonym "CAC", "Common Access Card", "Personal Identity Verification", "PIV" ; rdfs:seeAlso , . d3f:DigitalArtifact a owl:Class, owl:NamedIndividual ; rdfs:label "Digital Artifact" ; rdfs:subClassOf d3f:Artifact ; d3f:definition "An information-bearing artifact (object) that is, or is encoded to be used with, a digital computer system. This concept is broad to include the literal instances of an artifact, or an implicit summarization of changes to or properties of other artifacts." ; d3f:display-baseurl "/dao/artifact/" ; d3f:synonym "Digital Asset" ; rdfs:seeAlso , , . d3f:DigitalAudio a owl:Class ; rdfs:label "Digital Audio" ; rdfs:subClassOf d3f:DigitalMedia ; rdfs:isDefinedBy "https://dbpedia.org/page/Digital_audio" ; d3f:definition "Digital audio is a representation of sound recorded in, or converted into, digital form." . d3f:DigitalAudioVisualMedia a owl:Class ; rdfs:label "Digital Audio Visual Media" ; rdfs:subClassOf d3f:DigitalMultimedia ; rdfs:isDefinedBy "https://dbpedia.org/page/Audiovisual" ; d3f:definition "Audiovisual (AV) is electronic media possessing both a sound and a visual component." . d3f:DigitalCamera a owl:Class, owl:NamedIndividual ; rdfs:label "Digital Camera" ; rdfs:subClassOf d3f:HardwareDevice ; rdfs:isDefinedBy ; d3f:definition "An optical instrument that can capture an image. A digital camera that captures photographs in digital memory." . d3f:DigitalDocument a owl:Class ; rdfs:label "Digital Document" ; rdfs:subClassOf d3f:DigitalMedia ; rdfs:isDefinedBy "https://dbpedia.org/page/Electronic_document" ; d3f:definition "An digital document is any electronic media content (other than computer programs or system files) that is intended to be used in either an electronic form or as printed output." . d3f:DigitalEvent a owl:Class, owl:NamedIndividual ; rdfs:label "Digital Event" ; rdfs:subClassOf d3f:Event ; d3f:definition "A digital event represents an observable occurrence, action, or state change within digital systems, networks, or their interactions. These events are characterized by their impact on the confidentiality, integrity, availability, or functionality of digital resources, processes, identities, or communications. Digital events are essential units of information in cybersecurity, serving as the basis for detecting threats, analyzing anomalies, and orchestrating responses in complex, interconnected environments." . d3f:DigitalEventRecord a owl:Class, owl:NamedIndividual ; rdfs:label "Digital Event Record" ; rdfs:subClassOf d3f:Record, [ a owl:Restriction ; owl:onProperty d3f:records ; owl:someValuesFrom d3f:DigitalEvent ] ; d3f:definition "A digital event record is a structured representation of a digital event, encapsulating all relevant details about the occurrence for storage, analysis, and response. These records serve as the primary artifacts for cybersecurity operations, enabling threat detection, forensic investigations, and compliance reporting. Digital event records include metadata such as timestamps, origin, context, and associated resources, ensuring traceability and actionable intelligence in digital ecosystems." ; d3f:records d3f:DigitalEvent . d3f:DigitalFingerprint a owl:Class ; rdfs:label "Digital Fingerprint" ; rdfs:subClassOf d3f:Identifier ; rdfs:isDefinedBy ; d3f:definition "A digital signature uniquely identifies data and has the property that changing a single bit in the data will cause a completely different message digest to be generated." ; rdfs:seeAlso . d3f:DigitalIdentity a owl:Class, owl:NamedIndividual ; rdfs:label "Digital Identity" ; rdfs:subClassOf d3f:DigitalInformation, [ a owl:Restriction ; owl:onProperty d3f:identified-by ; owl:someValuesFrom d3f:Identifier ] ; rdfs:comment "Variously describes or designates. Designation is not compete or definite without context. The representation generally can be identified by a unique identifier, though this may be private information." ; d3f:definition "The unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject in all contexts. In other words, accessing a digital service may not mean that the subject's real-life identity is known. Note: There is no single, widely accepted definition for this term and context is important. This definition is specific to online transactions." ; d3f:identified-by d3f:Identifier ; rdfs:seeAlso . d3f:DigitalImage a owl:Class ; rdfs:label "Digital Image" ; rdfs:subClassOf d3f:DigitalMedia ; rdfs:isDefinedBy "https://dbpedia.org/page/Digital_image" ; d3f:definition "A digital image is a pixel-based visual representation stored in formats like JPEG or PNG, used for various digital applications." . d3f:DigitalInformation a owl:Class ; rdfs:label "Digital Information" ; rdfs:subClassOf d3f:DigitalArtifact ; d3f:definition "Digital information is a broad category of encoded representations in digital form that convey meaning, instructions, or functionality." . d3f:DigitalInformationBearer a owl:Class ; rdfs:label "Digital Information Bearer" ; rdfs:subClassOf d3f:DigitalArtifact ; d3f:definition "A digital information bearer is a physical or virtual entity that stores, transmits, or processes digital information." . d3f:DigitalMedia a owl:Class, owl:NamedIndividual ; rdfs:label "Digital Media" ; rdfs:subClassOf d3f:DigitalInformation ; rdfs:isDefinedBy "https://dbpedia.org/page/Digital_media" ; d3f:definition "Digital media refers to any communication media that operate in conjunction with various encoded machine-readable data formats." . d3f:DigitalMessage a owl:Class, owl:NamedIndividual ; rdfs:label "Digital Message" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A discrete unit of digital communication created by a sender for one or more intended recipients. Encoded in an application-layer format, a digital message conveys semantics such as commands, data, or status and is transported inside lower-layer containers like network frames or packets." . d3f:DigitalMultimedia a owl:Class, owl:NamedIndividual ; rdfs:label "Digital Multimedia" ; rdfs:subClassOf d3f:DigitalMedia ; rdfs:isDefinedBy "https://dbpedia.org/page/Multimedia" ; d3f:definition "Digital Multimedia refers to content that combines text, audio, images, animations, and video in a digital format for interactive applications." . d3f:DigitalSignalProcessingApplication a owl:Class ; rdfs:label "Digital Signal Processing Application" ; rdfs:subClassOf d3f:Application ; d3f:definition "A Digital Signal Processing (DSP) application is a software system that ingests discrete-time or discrete-space signals (from sensors, ADCs, or files) and applies digital signal processing algorithms to analyze, transform, synthesize, or make decisions about those signals, often under real-time throughput and latency constraints. It encompasses capabilities such as filtering, spectral analysis, modulation/demodulation, channelization, synchronization, detection and estimation, compression, beamforming, and reconstruction, and spans domains including software-defined radio (e.g., waveform generation and physical-layer stacks), audio and speech, image and video, radar/sonar/LiDAR, biomedical signals, instrumentation, and control." ; d3f:synonym "DSP Application" ; rdfs:seeAlso . d3f:DigitalSystem a owl:Class, owl:NamedIndividual ; rdfs:label "Digital System" ; rdfs:subClassOf d3f:DigitalInformationBearer, d3f:System ; d3f:definition "A digital system is a group of interacting or interrelated digital artifacts that act according to a set of rules to form a unified whole. A digital system, surrounded and influenced by its environment, is described by its boundaries, structure and purpose and expressed in its functioning. Systems are the subjects of study of systems theory." ; rdfs:seeAlso . d3f:DigitalText a owl:Class ; rdfs:label "Digital Text" ; rdfs:subClassOf d3f:DigitalMedia ; d3f:definition "Digital text is written content encoded in a digital format, allowing for storage, retrieval, and manipulation by electronic devices." . d3f:DigitalVideo a owl:Class ; rdfs:label "Digital Video" ; rdfs:subClassOf d3f:DigitalMedia ; rdfs:isDefinedBy "https://dbpedia.org/page/Digital_video" ; d3f:definition "Digital video is an electronic representation of moving visual images (video) in the form of encoded digital data." . d3f:DimensionReduction a owl:Class, owl:NamedIndividual ; rdfs:label "Dimension Reduction" ; rdfs:subClassOf d3f:UnsupervisedLearning ; d3f:d3fend-id "D3A-DR" ; d3f:definition "Dimensionality reduction is a key technique within unsupervised learning. It compresses the data by finding a smaller, different set of variables that capture what matters most in the original features, while minimizing the loss of information." ; d3f:kb-article """## References O'Reilly Media. (n.d.). Chapter 7. Machine Learning and Security: Protecting Systems with Data and Algorithms. [Link](https://www.oreilly.com/library/view/machine-learning-and/9781492073048/ch07.html)""" . d3f:DirectionalNetworkLink a d3f:DirectionalNetworkLink, owl:Class, owl:NamedIndividual ; rdfs:label "Directional Network Link" ; rdfs:subClassOf d3f:NetworkIsolation, [ a owl:Restriction ; owl:onProperty d3f:restricts ; owl:someValuesFrom d3f:PhysicalLink ], [ a owl:Restriction ; owl:onProperty d3f:uses ; owl:someValuesFrom d3f:PhysicalDataDiode ] ; d3f:d3fend-id "D3-DNL" ; d3f:definition "Enforce one-way network communication by preventing two-way communication." ; d3f:kb-article """## How it works Using a device such as a data diode, or otherwise enforcing unidirectional (one-way) network communication / data transfer, to physically prevent signals from traveling in the reverse direction. Unidirectional network link enforcement is a security measure used to separate control and safety systems in operational technology (OT) environments. By employing physical data diodes, this approach ensures one-way communication, allowing information from safety systems to be viewed without permitting any modification or interference, thereby protecting the integrity of the safety system. """ ; d3f:kb-reference d3f:Reference-SecureOneWayDataTransferUsingCommunicationInterfaceCircuitry ; d3f:restricts d3f:PhysicalLink ; d3f:uses d3f:PhysicalDataDiode . d3f:Directory a owl:Class, owl:NamedIndividual ; rdfs:label "Directory" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:File ] ; rdfs:isDefinedBy ; d3f:definition "In computing, a directory is a file system cataloging structure which contains references to other computer files, and possibly other directories. On many computers, directories are known as folders, or drawers to provide some relevancy to a workbench or the traditional office file cabinet." ; d3f:may-contain d3f:File . d3f:DirectoryService a owl:Class, owl:NamedIndividual ; rdfs:label "Directory Service" ; rdfs:subClassOf d3f:NetworkService ; rdfs:isDefinedBy ; d3f:definition "In computing, directory service or name service maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is a critical component of a network operating system. A directory server or name server is a server which provides such a service. Each resource on the network is considered an object by the directory server. Information about a particular resource is stored as a collection of attributes associated with that resource or object." . d3f:DirectPhysicalLinkMapping a d3f:DirectPhysicalLinkMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Direct Physical Link Mapping" ; rdfs:subClassOf d3f:PhysicalLinkMapping ; d3f:d3fend-id "D3-DPLM" ; d3f:definition "Direct physical link mapping creates a physical link map by direct observation and recording of the physical network links." ; d3f:kb-article """## How it works Direct Physical Link Mapping involves a manual process where a network engineer or administrator physically observes and documents the physical connections within the network infrastructure. ## Considerations * Constructing and maintaining physical topologies for extensive networks can be challenging and time-consuming using manual methods. Therefore, where feasible, automated methods like active physical link mapping should be considered as a partial or complete solution for physical link mapping processes. * In scenarios where active physical link mapping is not an option, physical inspection of networks is necessary to accomplish physical link mapping. This is due to the lack of reliable techniques to accurately map physical links solely through passive network traffic monitoring.""" ; d3f:kb-reference d3f:Reference-NetworkMapping ; d3f:synonym "Manual Physical Link Mapping" ; rdfs:seeAlso . d3f:DisableRemoteAccess a d3f:DisableRemoteAccess, owl:Class, owl:NamedIndividual ; rdfs:label "Disable Remote Access" ; rdfs:subClassOf d3f:ApplicationConfigurationHardening, [ a owl:Restriction ; owl:onProperty d3f:configures ; owl:someValuesFrom d3f:ApplicationConfiguration ] ; d3f:configures d3f:ApplicationConfiguration ; d3f:d3fend-id "D3-DRA" ; d3f:definition "Limiting access to a computing device which is not required through or from a non-organization-controlled network." ; d3f:kb-article """## How It Works There are several different methods of achieving remote access restriction. This could include: time-based controls, just-in-time authorization, and deny-by-default controls. This can be done on a Windows machine by unchecking an "allow remote assistance" or checking the "don't allow remote connections" boxes; creating firewall rules to block remote access protocols; uninstalling remote access software; disabling Wi-Fi, Ethernet, Bluetooth, or other connection methods enabling remote access. One way to achieve remote access restrictions in OT is by programming logic in the OT Controller to give the Operator authorizing abilities which ensures local control is maintained. In this situation, a remote access modem would be powered on/off using a discrete output from an I/O module of the OT controller. """ ; rdfs:seeAlso "M0800 Authorization Enforcement", . d3f:DiscoveryTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Discovery Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0007 ] ; d3f:definition "The adversary is trying to figure out your environment." ; d3f:enables d3f:TA0007 . d3f:DiscriminantAnalysis a owl:Class, owl:NamedIndividual ; rdfs:label "Discriminant Analysis" ; rdfs:subClassOf d3f:MultivariateAnalysis ; d3f:d3fend-id "D3A-DA" ; d3f:definition "Discriminant analysis attempts to establish whether a set of variables can be used to distinguish between two or more groups of cases." ; d3f:kb-article """## References Wikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki/Multivariate_statistics)""" . d3f:DiskEncryption a d3f:DiskEncryption, owl:Class, owl:NamedIndividual ; rdfs:label "Disk Encryption" ; rdfs:subClassOf d3f:PlatformHardening, [ a owl:Restriction ; owl:onProperty d3f:encrypts ; owl:someValuesFrom d3f:Storage ] ; d3f:d3fend-id "D3-DENCR" ; d3f:definition "Encrypting a hard disk partition to prevent cleartext access to a file system." ; d3f:encrypts d3f:Storage ; d3f:kb-reference d3f:Reference-LUKS1On-DiskFormatSpecificationVersion1.2.3 . d3f:DiskErasure a d3f:DiskErasure, owl:Class, owl:NamedIndividual ; rdfs:label "Disk Erasure" ; rdfs:subClassOf d3f:DiskFormatting, [ a owl:Restriction ; owl:onProperty d3f:erases ; owl:someValuesFrom d3f:SecondaryStorage ] ; d3f:d3fend-id "D3-DKE" ; d3f:definition "Disk Erasure is the process of securely deleting all data on a disk to ensure that it cannot be recovered by any means." ; d3f:erases d3f:SecondaryStorage ; d3f:kb-article """### How it works Disk Erasure involves overwriting the existing data with random or specific patterns multiple times. Disk erasure is crucial for data sanitization, ensuring that sensitive information is completely removed from storage devices before they are repurposed, disposed of, or transferred to another party.""" ; d3f:kb-reference . d3f:DiskFormatting a d3f:DiskFormatting, owl:Class, owl:NamedIndividual ; rdfs:label "Disk Formatting" ; rdfs:subClassOf d3f:ObjectEviction, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:SecondaryStorage ] ; d3f:d3fend-id "D3-DKF" ; d3f:definition "Disk Formatting is the process of preparing a data storage device, such as a hard drive, solid-state drive, or USB flash drive, for initial use." ; d3f:kb-article """### How it works This process involves setting up an empty file system on the disk, which includes creating a directory structure and initializing metadata structures. In cybersecurity, disk formatting can be used to remove all existing data on a disk, making it a clean slate for new data storage or to prevent unauthorized access to previously stored data.""" ; d3f:kb-reference ; d3f:modifies d3f:SecondaryStorage . d3f:DiskImage a owl:Class ; rdfs:label "Disk Image" ; rdfs:subClassOf d3f:StorageImage ; rdfs:isDefinedBy ; d3f:definition "A disk image is a snapshot of a storage device's structure and data typically stored in one or more computer files on another storage device." ; rdfs:seeAlso . d3f:DiskPartitioning a d3f:DiskPartitioning, owl:Class, owl:NamedIndividual ; rdfs:label "Disk Partitioning" ; rdfs:subClassOf d3f:DiskFormatting, [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:PartitionTable ] ; d3f:creates d3f:PartitionTable ; d3f:d3fend-id "D3-DKP" ; d3f:definition "Disk Partitioning is the process of dividing a disk into multiple distinct sections, known as partitions." ; d3f:kb-article """### How it works Each partition can be managed separately and can have its own file system. Disk partitioning can be used to segregate sensitive data from less critical data, improve system performance, and enhance data management and recovery processes. It can also help in isolating different operating systems or environments on the same physical disk.""" ; d3f:kb-reference . d3f:DisplayAdapter a owl:Class, owl:NamedIndividual ; rdfs:label "Display Adapter" ; skos:altLabel "Display Card", "Graphics Adapter", "Video Card" ; rdfs:subClassOf d3f:OutputDevice ; rdfs:isDefinedBy ; d3f:definition "A graphics card (also called a display card, video card, display adapter, or graphics adapter) is an expansion card which generates a feed of output images to a display device (such as a computer monitor). Frequently, these are advertised as discrete or dedicated graphics cards, emphasizing the distinction between these and integrated graphics. At the core of both is the graphics processing unit (GPU), which is the main part that does the actual computations, but should not be confused with the video card as a whole, although \"GPU\" is often used to refer to video cards." . d3f:DisplayDeviceDriver a owl:Class, owl:NamedIndividual ; rdfs:label "Display Device Driver" ; rdfs:subClassOf d3f:HardwareDriver, [ a owl:Restriction ; owl:onProperty d3f:drives ; owl:someValuesFrom d3f:DisplayAdapter ] ; d3f:definition "A device driver for a display adapter." ; d3f:drives d3f:DisplayAdapter ; rdfs:seeAlso , . d3f:DisplayServer a owl:Class, owl:NamedIndividual ; rdfs:label "Display Server" ; skos:altLabel "Window Server" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A display server or window server is a program whose primary task is to coordinate the input and output of its clients to and from the rest of the operating system, the hardware, and each other. The display server communicates with its clients over the display server protocol, a communications protocol, which can be network-transparent or simply network-capable. The display server is a key component in any graphical user interface, specifically the windowing system." . d3f:Distribution-basedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Distribution-based Clustering" ; rdfs:subClassOf d3f:ClusterAnalysis ; d3f:d3fend-id "D3A-DBC" ; d3f:definition "Distribution-based clustering creates and groups data points based on their likely hood of belonging to the same probability distribution (Gaussian, Binomial, etc.) in the data." ; d3f:kb-article """## References AnalytixLabs. (n.d.). Types of Clustering Algorithms. [Link](https://www.analytixlabs.co.in/blog/types-of-clustering-algorithms/#:~:text=Distribution-Based)""" . d3f:DistributionProperties a owl:Class, owl:NamedIndividual ; rdfs:label "Distribution Properties" ; rdfs:subClassOf d3f:DescriptiveStatistics ; d3f:d3fend-id "D3A-DP" ; d3f:definition "The properties derived from a probability distribution." ; d3f:kb-article """## References Wikipedia. (n.d.). Probability distribution. [Link](https://en.wikipedia.org/wiki/Probability_distribution)""" . d3f:DivisiveClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Divisive Clustering" ; rdfs:subClassOf d3f:HierarchicalClustering ; d3f:d3fend-id "D3A-DC" ; d3f:definition "A divisive clustering approach is a hierarchical, top-down approach to clustering a dataset." . d3f:DNN-basedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "DNN-based Clustering" ; rdfs:subClassOf d3f:ANN-basedClustering ; d3f:d3fend-id "D3A-DBC" ; d3f:definition "DNNs serve for clustering as mappings to better representations. The features of these representations can be drawn from different layers of the network or even from several layers." ; d3f:kb-article """## References OpenReview. (n.d.). Unsupervised Clustering using Pseudo Ensemble Models. [Link](https://openreview.net/pdf?id=B1eT9VMgOX)""" . d3f:DNSAllowlisting a d3f:DNSAllowlisting, owl:Class, owl:NamedIndividual ; rdfs:label "DNS Allowlisting" ; rdfs:subClassOf d3f:NetworkIsolation, [ a owl:Restriction ; owl:onProperty d3f:blocks ; owl:someValuesFrom d3f:OutboundInternetDNSLookupTraffic ] ; d3f:blocks d3f:OutboundInternetDNSLookupTraffic ; d3f:d3fend-id "D3-DNSAL" ; d3f:definition "Permitting only approved domains and their subdomains to be resolved." ; d3f:kb-reference d3f:Reference-DNSWhitelist-DNSWL-EmailAuthenticationMethodExtension ; d3f:synonym "DNS Whitelisting" . d3f:DNSCacheEviction a d3f:DNSCacheEviction, owl:Class, owl:NamedIndividual ; rdfs:label "DNS Cache Eviction" ; rdfs:subClassOf d3f:ObjectEviction, [ a owl:Restriction ; owl:onProperty d3f:deletes ; owl:someValuesFrom d3f:DNSRecord ] ; d3f:d3fend-id "D3-DNSCE" ; d3f:definition "Flushing DNS to clear any IP addresses or other DNS records from the cache." ; d3f:deletes d3f:DNSRecord ; d3f:kb-article """# How it works Flushing the DNS Cache will clear the IP addresses of websites you have visited recently. This can help remediate DNS Cache Poisoning attacks, which is a type of cyber attack where corrupted DNS data is inserted into the cache, causing redirects to malicious websites. On windows, the DNS cache can be wiped by issuing the command `ipconfig /flushdns`.""" ; d3f:kb-reference ; d3f:synonym "Flush DNS Cache" . d3f:DNSDenylisting a d3f:DNSDenylisting, owl:Class, owl:NamedIndividual ; rdfs:label "DNS Denylisting" ; rdfs:subClassOf d3f:NetworkIsolation, [ a owl:Restriction ; owl:onProperty d3f:blocks ; owl:someValuesFrom d3f:DNSNetworkTraffic ] ; d3f:blocks d3f:DNSNetworkTraffic ; d3f:d3fend-id "D3-DNSDL" ; d3f:definition "Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type." ; d3f:kb-article """## How it works Rules are implemented that filter DNS queries using criteria such as: - Client subnet - Type of network protocol used in query - Fully qualified domain name (FQDN) of record in the query - DNS Server IP address that received the DNS request - Type of DNS record being queried - Time of day the query is received - Size of the response For example, a DNS policy can be created for blocking DNS queries for FQDNs that have been identified as unauthorized. ## Considerations - Implementation considerations for DNS filtering policies to avoid over-blocking or under-blocking domains. - Continuous maintenance of unauthorized domain lists is needed to keep up to date with possible site content changes. - File sharing or content delivery networks may require other filtering techniques that are more fine-grained (URL blocking). - Access to malicious websites or other network resources directly by IP instead of by DNS record, or after alteration of local DNS hosts file, may not result in DNS network traffic.""" ; d3f:kb-reference d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries ; d3f:synonym "DNS Blacklisting" . d3f:DNSEvent a owl:Class ; rdfs:label "DNS Event" ; rdfs:subClassOf d3f:ApplicationLayerEvent, [ a owl:Class ; owl:unionOf ( d3f:TCPEvent d3f:UDPEvent ) ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:DNSNetworkTraffic ] ; d3f:definition "An event involving the Domain Name System (DNS), which translates domain names to IP addresses and operates over UDP and TCP." ; rdfs:seeAlso . d3f:DNSLookup a owl:Class, owl:NamedIndividual ; rdfs:label "DNS Lookup" ; rdfs:subClassOf d3f:DigitalInformationBearer ; d3f:definition "A Domain Name System (DNS) lookup is a record returned from a DNS resolver after querying a DNS name server. Typically considered an A or AAAA record, where a domain name is resolved to an IPv4 or IPv6 address, respectively." ; rdfs:seeAlso , , . d3f:DNSNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "DNS Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic ; d3f:definition "DNS network traffic is network traffic related to queries and responses involving the Domain Name System. DNS traffic can involve clients, servers such as relays or resolvers. This includes only network traffic conforming to standard DNS protocol; not custom protocols." . d3f:DNSQueryEvent a owl:Class ; rdfs:label "DNS Query Event" ; rdfs:subClassOf d3f:DNSEvent ; d3f:definition "An event where a DNS query is made to resolve a domain name." . d3f:DNSRecord a owl:Class, owl:NamedIndividual ; rdfs:label "DNS Record" ; rdfs:subClassOf d3f:Record ; d3f:definition "A Domain Name System (DNS) record is a record of information returned to clients seeking to find computers, services, and other resources connected to the Internet or a private network. Record information is stored on a domain name server so it can respond to DNS queries from clients.There are a variety of record types, depending on the client's information needs. Common types include Start of Authority, IP addresses, SMTP mail exchangers, name servers, reverse DNS lookup pointers, etc." ; rdfs:seeAlso , . d3f:DNSResponseEvent a owl:Class ; rdfs:label "DNS Response Event" ; rdfs:subClassOf d3f:DNSEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DNSQueryEvent ] ; d3f:definition "An event where a DNS server responds to a query with resolution data." . d3f:DNSServer a owl:Class ; rdfs:label "DNS Server" ; rdfs:subClassOf d3f:Server ; rdfs:isDefinedBy ; d3f:definition """A Domain Name System (DNS) name server is a kind of name server. Domain names are one of the two principal namespaces of the Internet. The most important function of DNS servers is the translation (resolution) of human-memorable domain names and hostnames into the corresponding numeric Internet Protocol (IP) addresses, the second principal name space of the Internet which is used to identify and locate computer systems and resources on the Internet. (en). More generally, a name server is a computer application that implements a network service for providing responses to queries against a directory service. It translates an often humanly meaningful, text-based identifier to a system-internal, often numeric identification or addressing component. This service is performed by the server in response to a service protocol request.""" . d3f:DNSTrafficAnalysis a d3f:DNSTrafficAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "DNS Traffic Analysis" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:OutboundInternetDNSLookupTraffic ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:DNSLookup ] ; d3f:analyzes d3f:OutboundInternetDNSLookupTraffic ; d3f:d3fend-id "D3-DNSTA" ; d3f:definition "Analysis of domain name metadata, including name and DNS records, to determine whether the domain is likely to resolve to an undesirable host." ; d3f:kb-article """## How it works This technique can be accomplished in a number of ways. * One example analytic determines whether or not a domain name was generated with an algorithm. Domain generation algorithms (DGAs) are sometimes used to create a domain name automatically that will resolve to C2 infrastructure, without directly coding the domains in question into the malicious code. * Another method analyzes information about domains that have been visited, including whether a domain name is longer than a common length, if a dynamic DNS domain was visited, if a fast-flux domain was visited, and if a recently created domain was visited. These factors are used to develop a score and if that score is over a certain threshold, an alert is generated. * Collected malware samples can be executed in a virtual environment to identify network domains that are connected to during execution. The network domains are then generated into signatures to identity bad domains for other hosts. This technique does not check for content hosted at the domain. ## Considerations * DNS produces a large amount of traffic which can be resource-intensive to analyze in real time. * If a server is compromised, for example, as part of a watering hole attack, but the DNS information pointing to that server is not altered, this technique would not catch such an incident.""" ; d3f:kb-reference d3f:Reference-DomainAgeRegistrationAlert_IncRapid7IncRAPID7Inc, d3f:Reference-HeuristicBotnetDetection_PaloAltoNetworksInc, d3f:Reference-MethodAndSystemForDetectingAlgorithm-generatedDomains_VECTRANETWORKSInc, d3f:Reference-PredictingDomainGenerationAlgorithmsWithLongShort-TermMemoryNetworks_, d3f:Reference-SinkholingBadNetworkDomainsByRegisteringTheBadNetworkDomainsOnTheInternet_PaloAltoNetworksInc ; d3f:may-contain d3f:DNSLookup ; d3f:synonym "Domain Name Analysis" . d3f:DocumentFile a owl:Class, owl:NamedIndividual ; rdfs:label "Document File" ; rdfs:subClassOf d3f:File, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:ExecutableScript ] ; d3f:definition "A document is a written, drawn, presented or recorded representation of thoughts. An electronic document file is usually used to describe a primarily textual file, along with its structure and design, such as fonts, colors and additional images." ; d3f:may-contain d3f:ExecutableScript ; rdfs:seeAlso . d3f:DomainAccountMonitoring a d3f:DomainAccountMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Domain Account Monitoring" ; rdfs:subClassOf d3f:UserBehaviorAnalysis, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:DomainUserAccount ] ; d3f:d3fend-id "D3-DAM" ; d3f:definition "Monitoring the existence of or changes to Domain User Accounts." ; d3f:kb-reference d3f:Reference-AuditUserAccountManagement ; d3f:monitors d3f:DomainUserAccount . d3f:DomainLogicValidation a d3f:DomainLogicValidation, owl:Class, owl:NamedIndividual ; rdfs:label "Domain Logic Validation" ; rdfs:subClassOf d3f:SourceCodeHardening, [ a owl:Restriction ; owl:onProperty d3f:validates ; owl:someValuesFrom d3f:Subroutine ] ; d3f:d3fend-id "D3-DLV" ; d3f:definition "Validation of variable state in the context of the domain application." ; d3f:kb-article """## How it works Validates the type, value, and/or range of an variable taking into context the current application in the business domain.""" ; d3f:kb-reference d3f:Reference-SecurePLCCodingPracticesTop20List ; d3f:validates d3f:Subroutine . d3f:DomainName a owl:Class, owl:NamedIndividual ; rdfs:label "Domain Name" ; rdfs:subClassOf d3f:Identifier, [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:IPAddress ] ; d3f:definition "A domain name is an identification string that defines a realm of administrative autonomy, authority or control within the Internet. Domain names are formed by the rules and procedures of the Domain Name System (DNS). Any name registered in the DNS is a domain name.Domain names are used in various networking contexts and application-specific naming and addressing purposes. In general, a domain name represents an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, a server computer hosting a web site, or the web site itself or any other service communicated via the Internet. In 2015, 294 million domain names had been registered." ; d3f:identifies d3f:IPAddress . d3f:DomainNameReputationAnalysis a d3f:DomainNameReputationAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Domain Name Reputation Analysis" ; rdfs:subClassOf d3f:IdentifierReputationAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:DomainName ] ; d3f:analyzes d3f:DomainName ; d3f:d3fend-id "D3-DNRA" ; d3f:definition "Analyzing the reputation of a domain name." ; d3f:kb-reference d3f:Reference-Database_for_receiving_storing_and_compiling_information_about_email_messages, d3f:Reference-Finding_phishing_sites . d3f:DomainRegistration a owl:Class, owl:NamedIndividual ; rdfs:label "Domain Registration" ; skos:altLabel "Domain Name Registration Data" ; rdfs:subClassOf d3f:DigitalInformation, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:DomainName ] ; d3f:definition "A domain registration, or domain name registration data, is the relevant registration data from Internet resources such as domain names, IP addresses, and autonomous system numbers. Registration data is typically retrieved by means of either the Registration Data Access Protocol (RDAP) or its predecessor, the WHOIS protocol." ; d3f:may-contain d3f:DomainName ; rdfs:seeAlso , . d3f:DomainRegistrationTakedown a d3f:DomainRegistrationTakedown, owl:Class, owl:NamedIndividual ; rdfs:label "Domain Registration Takedown" ; rdfs:subClassOf d3f:ObjectEviction, [ a owl:Restriction ; owl:onProperty d3f:deletes ; owl:someValuesFrom d3f:DomainRegistration ] ; d3f:d3fend-id "D3-DRT" ; d3f:definition "The process of performing a takedown of the attacker's domain registration infrastructure." ; d3f:deletes d3f:DomainRegistration ; d3f:kb-article """## How it works Most nameserver hosts and domain name registrars comply with internationally recognised standards and supply their services based on terms and conditions that provide users and organisations protection from abuse and trademark infringement. Performing a WHOIS query on the attacker's domain will provide a contact that can be notified in the case of abuse. Formal takedown processes should be initiated to suspend or disable the normal function of the domain name. ## Considerations - Takedown notifications should clearly demonstrate (with evidence) that the nameserver or registrars Terms and Conditions have been breached. - Takedown processes are notoriously slow and sometimes unsuccessful. - Many government organisations will have takedown processes that should also be followed. They may use this for intelligence to assist other organisations suffering an attack. - Top level domain registrars will have takedown processes that can be followed, as an escalation path, when the nameserver host and/or registrar have not responded or complied timeously or inline with the TLD expectations. ## Examples of Domain Registration Abuse Attackers will create infrastructure from which to carry out their operations and this may include registering domain names to be used in the various attacks. Known misuse cases include: - Registering domain names that are similar to the victim's. This is known as typosquatting or URL hijacking. Legitimate looking mails or URLs could be sent using this domain in phishing campaigns. - Registring domain names that are used in C2 beacons.""" ; d3f:kb-reference d3f:Reference-UnderstandingtheDomainRegistrationBehaviorofSpammers . d3f:DomainTrustPolicy a d3f:DomainTrustPolicy, owl:Class, owl:NamedIndividual ; rdfs:label "Domain Trust Policy" ; rdfs:subClassOf d3f:AccessPolicyAdministration, [ a owl:Restriction ; owl:onProperty d3f:restricts ; owl:someValuesFrom d3f:DirectoryService ], [ a owl:Restriction ; owl:onProperty d3f:restricts ; owl:someValuesFrom d3f:T1087.002 ] ; d3f:d3fend-id "D3-DTP" ; d3f:definition "Restricting inter-domain trust by modifying domain configuration." ; d3f:kb-reference d3f:Reference-HowTrustRelationshipsWorkForResourceForestsInAzureActiveDirectoryDomainServices ; d3f:restricts d3f:DirectoryService, d3f:T1087.002 . d3f:DomainUserAccount a owl:Class, owl:NamedIndividual ; rdfs:label "Domain User Account" ; rdfs:subClassOf d3f:UserAccount ; d3f:definition "A domain user account in Microsoft Windows (2000) defines that user's access to a logical group of network objects (computers, users, devices) that share the same Active Directory databases; that is, a user's access to a domain." ; rdfs:seeAlso . d3f:DriverLoadIntegrityChecking a d3f:DriverLoadIntegrityChecking, owl:Class, owl:NamedIndividual ; rdfs:label "Driver Load Integrity Checking" ; rdfs:subClassOf d3f:PlatformHardening, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:HardwareDriver ] ; d3f:authenticates d3f:HardwareDriver ; d3f:d3fend-id "D3-DLIC" ; d3f:definition "Ensuring the integrity of drivers loaded during initialization of the operating system." ; d3f:kb-article """## How it works This technique can be accomplished in a number of ways: * A kernel level security agent installed on a host machine ensures that the driver associated with the agent is first in the initialization order. A dependent DLL associated with the driver is configured to be processed before other dependent DLLs and executes a number of operations to ensure the driver associated with the security agent is initialized first. * Kernel components can be signed by a certificate obtained by a third party to verify the source of the component and whether it has been modified. When signed, the component will include a signature block implemented as a hash value of the component header and can also include a certificate chain. The signature and certificate data are typically added before the kernel component is distributed to the public. ## Considerations * The private keys to sign certificates as reputable companies have been stolen in the past -- in cases such as where certificates from Adobe, Realtek, and JMicron have been used to sign malicious executables. (Source: https://resources.infosecinstitute.com/cybercrime-exploits-digital-certificates/#gref) * Trusted Root Certificate Authorities have been compromised, yielding the ability to use the compromised keys to generate certificates with an arbitrary company name. * It may not be difficult for an attacker to start an organization which can obtain a signed certificate. * A root certificate authority (CA) whose certificate is trusted in the verification logic could generate incorrect certificates, if they are lax or have ulterior motives.""" ; d3f:kb-reference d3f:Reference-IntegrityAssuranceThroughEarlyLoadingInTheBootPhase_CrowdstrikeInc, d3f:Reference-ProtectedComputingEnvironment_MicrosoftTechnologyLicensingLLC . d3f:Dyna-Q a owl:Class, owl:NamedIndividual ; rdfs:label "Dyna-Q" ; rdfs:subClassOf d3f:Model-basedReinforcementLearning ; d3f:d3fend-id "D3A-DQ" ; d3f:definition "A Dyna-Q agent combines acting, learning, and planning." ; d3f:kb-article """## References CompNeuro Neuromatch Academy Tutorials. [Link](https://compneuro.neuromatch.io/tutorials/W3D4_ReinforcementLearning/student/W3D4_Tutorial4.html)""" . d3f:DynamicAnalysis a d3f:DynamicAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Dynamic Analysis" ; rdfs:subClassOf d3f:FileAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:DocumentFile ], [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:ExecutableFile ] ; d3f:analyzes d3f:DocumentFile, d3f:ExecutableFile ; d3f:d3fend-id "D3-DA" ; d3f:definition "Executing or opening a file in a synthetic \"sandbox\" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader." ; d3f:kb-article """## How it works Analyzing the interaction of a piece of code with a system while the code is being executed in a controlled environment such as a sandbox, virtual machine, or simulator. This exposes the natural behavior of the piece of code without requiring the code to be disassembled. ## Considerations * Malware often detects a fake environment, then changes its behavior accordingly. For example, it could detect that the system clock is being sped up in an effort to get it to execute commands that it would normally only execute at a later time, or that the hardware manufacturer of the machine is a virtualization provider. * Malware can attempt to determine if it is being debugged, and change its behavior accordingly. * For maximum fidelity, the simulated and real environments should be as similar as possible because the malware could perform differently in different environments. * Sometimes the malware behavior is triggered only under certain conditions (on a specific system date, after a certain time, or after it is sent a specific command) and can't be detected through a short execution in a virtual environment. ## Implementations * Cuckoo Sandbox""" ; d3f:kb-reference d3f:Reference-MalwareAnalysisSystem_PaloAltoNetworksInc, d3f:Reference-UseOfAnApplicationControllerToMonitorAndControlSoftwareFileAndApplicationEnvironments_SophosLtd ; d3f:synonym "Malware Detonation", "Malware Sandbox" . d3f:DynamicAnalysisTool a owl:Class ; rdfs:label "Dynamic Analysis Tool" ; rdfs:subClassOf d3f:CodeAnalyzer ; rdfs:isDefinedBy ; d3f:definition "Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor." . d3f:ElectricalSignal a owl:Class ; rdfs:label "Electrical Signal" ; rdfs:subClassOf d3f:Signal ; rdfs:isDefinedBy ; d3f:definition "Time-varying voltage or current that carries information." . d3f:ElectromagneticRadiationHardening a d3f:ElectromagneticRadiationHardening, owl:Class, owl:NamedIndividual ; rdfs:label "Electromagnetic Radiation Hardening" ; skos:altLabel "Electromagnetic Hardening" ; rdfs:subClassOf d3f:RadiationHardening ; rdfs:isDefinedBy ; d3f:d3fend-id "D3-EMH" ; d3f:definition "The application of physical and material-level design measures to electronic systems, components, or facilities to reduce their susceptibility to damage or disruption from electromagnetic threats." ; d3f:kb-article """## How it works EM hardening operates on the principle of controlling the coupling path between an electromagnetic threat and the sensitive electronics it could affect. At the most fundamental level, this involves creating barriers that reflect, absorb, or redirect unwanted electromagnetic energy before it can induce damaging or disruptive currents in protected circuitry. The physical mechanisms exploited include the Faraday cage effect (conductive enclosures that attenuate external fields), skin-depth shielding (where conductive materials dissipate high-frequency fields before they penetrate), and transient suppression components (such as surge protectors and ferrite chokes) that clamp induced voltages at I/O interfaces. For threats at higher energy levels or involving ionizing radiation, such as nuclear EMP (NEMP) or space radiation, hardening extends beyond shielding to encompass radiation-tolerant component selection, redundant circuit architectures, and layout practices that minimize antenna-like structures susceptible to field coupling. The approach is inherently defense-in-depth: no single measure provides complete protection, so hardened systems typically layer multiple techniques across the facility, chassis, board, and component levels. ## Considerations * Threat scope must be defined early: design choices differ significantly between defending against ambient RFI, conducted EMI on power lines, intentional jamming, HEMP (High-Altitude EMP), or ionizing radiation in space or nuclear environments. * Hardening can conflict with thermal management: fully sealed enclosures that maximize shielding often restrict airflow, requiring careful thermal design trade-offs. * Testing and certification are mandatory for assurance: claimed shielding effectiveness must be validated through standardized testing (e.g., IEEE 299, MIL-STD-461) rather than inferred from design alone. * Maintenance can degrade hardening: field modifications, connector re-terminations, or enclosure repairs can inadvertently introduce shielding gaps, necessitating re-verification procedures. """ ; d3f:kb-reference d3f:Reference-SystemAndMethodForProvidingCertifiableElectromagneticPulseAndRFIProtection_InstantAccessNetworksLLC ; d3f:synonym "EM Hardening" . d3f:ElectromagneticSignal a owl:Class ; rdfs:label "Electromagnetic Signal" ; rdfs:subClassOf d3f:Signal ; rdfs:isDefinedBy ; d3f:definition "An electromagnetic wave that carries information." . d3f:ElectronicCombinationLock a owl:Class, owl:NamedIndividual ; rdfs:label "Electronic Combination Lock" ; rdfs:subClassOf d3f:CombinationLock, d3f:HardwareDevice, [ a owl:Restriction ; owl:onProperty d3f:uses ; owl:someValuesFrom d3f:Password ] ; rdfs:isDefinedBy "NRC Regulatory Guide 5.12 Rev1" ; d3f:definition "A system comprised of an automatic door closer on the door, an input device, a controlling device, and a lock, usually mechanical, which is released or activated when the correct combination is entered or correct token is presented." ; d3f:uses d3f:Password ; rdfs:seeAlso . d3f:ElectronicCombinationLockEvent a owl:Class ; rdfs:label "Electronic Combination Lock Event" ; rdfs:subClassOf d3f:PhysicalAccessAlarmEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:ElectronicCombinationLock ] ; rdfs:comment "An event occuring when combination lock's bolt changes position." ; rdfs:seeAlso "NRC Regulatory Guide 5.12 Rev1" . d3f:ElectronicLockMonitoring a d3f:ElectronicLockMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Electronic Lock Monitoring" ; rdfs:subClassOf d3f:PhysicalAccessMonitoring, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:ElectronicCombinationLock ] ; d3f:d3fend-id "D3-ELM" ; d3f:definition "Monitoring electronic lock and door hardware states and access events (e.g., locked/unlocked, access granted/denied, door forced/held, tamper) to detect and respond to unauthorized entry." ; d3f:kb-article """## How it works Electronic lock monitoring collects status and events from door controllers, readers (badge/PIV, keypad), and door hardware (door position switch, request-to-exit, bolt/latch, tamper). The physical access control system (PACS) logs access decisions, correlates door-held/forced conditions, and generates alarms for response. Secure, supervised reader links, such as Open Supervised Device Protocol (OSDP), help detect wiring faults and reduce credential interception. Integration with video systems can pop relevant camera views on lock-related alarms. ## Considerations * Use encrypted, supervised reader-to-controller protocols to protect credentials and detect wiring faults. * Harden door controllers and isolate the PACS network to limit the attack surface. * Configure fail-safe or fail-secure behavior and emergency release to meet life-safety requirements. * Tune alarms for door-held, door-forced, and invalid retries to reduce noise while catching misuse. * Supervise inputs, provide backup power, and regularly test door, bolt, and tamper sensors to ensure reliability.""" ; d3f:kb-reference d3f:Reference-FIPS-201-3, d3f:Reference-NIST-SP800-116r1, d3f:Reference-NIST-Special-Publication-800-53-Revision-5, d3f:Reference-SIA-OSDP-2-2 ; d3f:monitors d3f:ElectronicCombinationLock ; d3f:synonym "Door Lock Monitoring", "Lock State Monitoring" . d3f:Email a owl:Class, owl:NamedIndividual ; rdfs:label "Email" ; rdfs:subClassOf d3f:DocumentFile, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:File ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:URL ] ; d3f:definition "An email, or email message, is a document that is sent between computer users across computer networks." ; d3f:may-contain d3f:File, d3f:URL ; rdfs:seeAlso , . d3f:EmailAttachment a owl:Class, owl:NamedIndividual ; rdfs:label "Email Attachment" ; rdfs:subClassOf d3f:DocumentFile, [ a owl:Restriction ; owl:onProperty d3f:attached-to ; owl:someValuesFrom d3f:Email ] ; rdfs:isDefinedBy ; d3f:attached-to d3f:Email ; d3f:definition "An email attachment is a computer file sent along with an email message. One or more files can be attached to any email message, and be sent along with it to the recipient. This is typically used as a simple method to share documents and images." . d3f:EmailEvent a owl:Class ; rdfs:label "Email Event" ; rdfs:subClassOf d3f:ApplicationLayerEvent, d3f:TCPEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:MailNetworkTraffic ] ; d3f:definition "An event involving email communication, including sending, receiving, and processing emails. Email events encapsulate activities essential to the transmission and analysis of email messages in a networked environment." ; rdfs:seeAlso . d3f:EmailFiltering a d3f:EmailFiltering, owl:Class, owl:NamedIndividual ; rdfs:label "Email Filtering" ; rdfs:subClassOf d3f:InboundTrafficFiltering, [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:Email ] ; d3f:d3fend-id "D3-EF" ; d3f:definition "Filtering incoming email traffic based on specific criteria." ; d3f:filters d3f:Email ; d3f:kb-article """## How it works Mail filters can be implemented to scan inbound email messages at the initial SMTP connection stage to detect and reject email containing spam and malware. This technique is distinct from d3f:EmailDeletion because it prevents an email from reaching an user's inbox. This technique can also be used for outbound email traffic. ## Considerations * The effectiveness of mail filters depend on the completeness of the filter policies""" ; d3f:kb-reference d3f:Reference-SystemAndMethodForProvidingAnonymousRemailingAndFilteringOfElectronicMail_Nokia . d3f:EmailReceiveEvent a owl:Class ; rdfs:label "Email Receive Event" ; rdfs:subClassOf d3f:EmailEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:EmailSendEvent ] ; d3f:definition "An event where an email is delivered to a recipient's mail server or mailbox. This includes receiving messages from internal or external sources via protocols such as IMAP, POP3, or their secure variants." . d3f:EmailRemoval a d3f:EmailRemoval, owl:Class, owl:NamedIndividual ; rdfs:label "Email Removal" ; rdfs:subClassOf d3f:FileEviction, [ a owl:Restriction ; owl:onProperty d3f:deletes ; owl:someValuesFrom d3f:Email ], [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:MailServer ] ; d3f:d3fend-id "D3-ER" ; d3f:definition "The email removal technique deletes email files from system storage." ; d3f:deletes d3f:Email ; d3f:kb-article """## How it works Email removal is a technique that can be used to prevent a user from executing malware or responding to phishing attempts. Security software or users themselves may detect malicious or suspicious email in a local or remote mail folder email and then employ this technique. ## Considerations For email that needs to be removed, an infosec organization may choose to take additional follow-up actions (such as blocking the sources or notifying providers), rather than only relying on email deletion. For the case where users detect likely suspicious email files, the organization should consider implementing a means for reporting these emails to their infosec organization. Email files may propagate through many storage systems across the an organization's systems over time, so early detection and blocking helps avoid residual, latent stores of malicous email content in the enterprise.""" ; d3f:kb-reference d3f:Reference-SystemAndMethodForScanningRemoteServicesToLocateStoredObjectsWithMalware ; d3f:may-access d3f:MailServer ; d3f:synonym "Email Deletion" . d3f:EmailRule a owl:Class, owl:NamedIndividual ; rdfs:label "Email Rule" ; rdfs:subClassOf d3f:ApplicationRule ; d3f:definition "A configuration of an email application which is used to apply logical or data processing functions to data processed by the email application." . d3f:EmailScanEvent a owl:Class ; rdfs:label "Email Scan Event" ; rdfs:subClassOf d3f:EmailEvent ; d3f:definition "An event where an email is inspected or analyzed for content, security, or compliance purposes. Scanning often involves identifying spam, detecting malware, or ensuring policy adherence before delivery or after reception." . d3f:EmailSendEvent a owl:Class ; rdfs:label "Email Send Event" ; rdfs:subClassOf d3f:EmailEvent ; d3f:definition "An event where an email is transmitted from a client to a recipient via a mail server. This process often involves protocols such as SMTP or its secure variants, with potential authentication and encryption for secure delivery." . d3f:EmbeddedComputer a owl:Class ; rdfs:label "Embedded Computer" ; skos:altLabel "Embedded System" ; rdfs:subClassOf d3f:ClientComputer ; rdfs:isDefinedBy ; d3f:definition "An embedded computer is a computer system -- a combination of a computer processor, computer memory, and input/output peripheral devices-that has a dedicated function within a larger mechanical or electrical system. It is embedded as part of a complete device often including electrical or electronic hardware and mechanical parts. Because an embedded system typically controls physical operations of the machine that it is embedded within, it often has real-time computing constraints. Embedded systems control many devices in common use today. Ninety-eight percent of all microprocessors manufactured are used in embedded systems." . d3f:EmbeddedDatabaseApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Embedded Database Application" ; rdfs:subClassOf d3f:DatabaseApplication, [ a owl:Restriction ; owl:onProperty d3f:executes ; owl:someValuesFrom d3f:DatabaseQuery ], [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:Database ] ; d3f:definition "A software application that integrates a database management system (DBMS) directly within its own structure, rather than relying on a separate, standalone database server. Examples include SQLite and Berkeley DB." ; d3f:executes d3f:DatabaseQuery ; d3f:manages d3f:Database . d3f:EmulatedFileAnalysis a d3f:EmulatedFileAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Emulated File Analysis" ; rdfs:subClassOf d3f:FileAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:DocumentFile ], [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:ExecutableFile ] ; d3f:analyzes d3f:DocumentFile, d3f:ExecutableFile ; d3f:d3fend-id "D3-EFA" ; d3f:definition "Emulating instructions in a file looking for specific patterns." ; d3f:kb-reference d3f:Reference-Network-levelPolymorphicShellcodeDetectionUsingEmulation . d3f:Enclave a owl:Class, owl:NamedIndividual ; rdfs:label "Enclave" ; skos:altLabel "Network Enclave" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:LocalAreaNetwork ] ; rdfs:isDefinedBy ; d3f:definition "Network enclaves consist of standalone assets that do not interact with other information systems or networks. A major difference between a DMZ or demilitarized zone and a network enclave is a DMZ allows inbound and outbound traffic access, where firewall boundaries are traversed. In an enclave, firewall boundaries are not traversed. Enclave protection tools can be used to provide protection within specific security domains. These mechanisms are installed as part of an Intranet to connect networks that have similar security requirements." ; d3f:may-contain d3f:LocalAreaNetwork . d3f:EncoderApplication a owl:Class ; rdfs:label "Encoder Application" ; rdfs:subClassOf d3f:CodecApplication ; d3f:definition "An application that encodes digital data." . d3f:EncryptedCredential a owl:Class, owl:NamedIndividual ; rdfs:label "Encrypted Credential" ; rdfs:subClassOf d3f:Credential ; d3f:definition "A credential that is encrypted." . d3f:EncryptedPassword a owl:Class ; rdfs:label "Encrypted Password" ; rdfs:subClassOf d3f:EncryptedCredential, d3f:Password ; d3f:definition "A password that is encrypted." . d3f:EncryptedTunnels a d3f:EncryptedTunnels, owl:Class, owl:NamedIndividual ; rdfs:label "Encrypted Tunnels" ; rdfs:subClassOf d3f:NetworkIsolation, [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:IntranetNetwork ] ; d3f:d3fend-id "D3-ET" ; d3f:definition "Encrypted encapsulation of routable network traffic." ; d3f:isolates d3f:IntranetNetwork ; d3f:kb-reference d3f:Reference-SecurityArchitectureForTheInternetProtocol . d3f:Endpoint-basedWebServerAccessMediation a d3f:Endpoint-basedWebServerAccessMediation, owl:Class, owl:NamedIndividual ; rdfs:label "Endpoint-based Web Server Access Mediation" ; rdfs:subClassOf d3f:WebSessionAccessMediation ; d3f:d3fend-id "D3-EBWSAM" ; d3f:definition "Endpoint-based web server access mediation regulates web server access directly from user endpoints by implementing mechanisms such as client-side certificates and endpoint security software to authenticate devices and ensure compliant access." ; d3f:kb-article """## How it works Endpoint-based Web Server Access Mediation focuses on managing access to web servers directly from user devices. This involves implementing security measures like client certificates or endpoint security software to ensure that only authorized devices can initiate sessions with web servers. Examples include direct access to internal web applications from company laptops. """ ; d3f:kb-reference d3f:Reference-NIST-Special-Publication-800-41-Revision-1 . d3f:EndpointHealthBeacon a d3f:EndpointHealthBeacon, owl:Class, owl:NamedIndividual ; rdfs:label "Endpoint Health Beacon" ; rdfs:subClassOf d3f:OperatingSystemMonitoring, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:NetworkNode ] ; d3f:d3fend-id "D3-EHB" ; d3f:definition "Monitoring the security status of an endpoint by sending periodic messages with health status, where absence of a response may indicate that the endpoint has been compromised." ; d3f:kb-article """## How it works Endpoints are configured to periodically generate and transmit a secure heartbeat that is delivered on a configured schedule and provides endpoint status information. Status information can include software details (version, configuration, etc), endpoint identification (MAC, IP address, machine ID) or other hardware/software configuration information. Interruption of the heartbeat can signal that the endpoint has been compromised. ## Considerations * Security of heartbeat messages to ensure message integrity * Disappearance of the heartbeat could simply mean that the endpoint is powered off or intentionally disconnected from the network. Therefore other criteria may need to be used to accurately detect endpoint compromise. * Attacker presence on the machine may leave the heartbeat intact. * An attacker may determine the format of the heartbeat and continue to send it even after the machine is compromised.""" ; d3f:kb-reference d3f:Reference-IntrusionDetectionUsingAHeartbeat_SophosLtd ; d3f:monitors d3f:NetworkNode ; d3f:synonym "Endpoint Health Telemetry" . d3f:EndpointSensor a owl:Class, owl:NamedIndividual ; rdfs:label "Endpoint Sensor" ; rdfs:subClassOf d3f:CyberSensor ; d3f:definition "A sensor application installed on a endpoint (platform) to collect information on platform components." ; rdfs:seeAlso d3f:ComputerPlatform . d3f:EnsembleLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Ensemble Learning" ; rdfs:subClassOf d3f:MachineLearning ; d3f:d3fend-id "D3A-EL" ; d3f:definition "In statistics and machine learning, ensemble methods use multiple learning algorithms to obtain better predictive performance than could be obtained from any of the constituent learning algorithms alone" ; d3f:kb-article """## References Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning).""" . d3f:EpistemicLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Epistemic Logic" ; rdfs:subClassOf d3f:ModalLogic ; d3f:d3fend-id "D3A-EL" ; d3f:definition "Epistemic logic addresses modalities of knowledge; i.e., the certainty of sentences." ; d3f:kb-article """## References 1. Epistemic logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic#Epistemic_logic)""" ; d3f:synonym "Epistemic Modal Logic" . d3f:EquivalenceMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Equivalence Matching" ; rdfs:subClassOf d3f:LogicalRules ; d3f:d3fend-id "D3A-EM" ; d3f:definition "Equivalence matching is matching two values, which may be bound to variables, to see if they are equivalent." ; d3f:kb-article """## How it works Equality is a relationship between two quantities or, more generally two mathematical expressions, asserting that the quantities have the same value, or that the expressions represent the same mathematical object. Programming languages can have multiple senses of equality that may include, but are not limited to: - Identity: The objects are identical; often indicated by having values indicating the same logical address. - Equality: The values of the expessions and properties are equivalent when evaluated; they do not need to have the same logical address. ## References 1. Equality (mathematics). (2023, May 31). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Equality_(mathematics)] 2. Types of Equality. (2007, March 2). In _WikiWikiWeb_. [Link](https://wiki.c2.com/?TypesOfEquality)""" . d3f:Estimation a owl:Class, owl:NamedIndividual ; rdfs:label "Estimation" ; rdfs:subClassOf d3f:InferentialStatistics ; d3f:d3fend-id "D3A-EST" ; d3f:definition "Estimation represents ways or a process of learning and determining the population parameter based on the model fitted to the data." ; d3f:kb-article """## References Pennsylvania State University. (n.d.). Statistical Inference and Estimation. [Link](https://online.stat.psu.edu/stat504/lesson/statistical-inference-and-estimation)""" . d3f:EvalFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Eval Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:Subroutine ] ; d3f:definition "Takes inputs of strings and evaluations them as expressions." ; d3f:invokes d3f:Subroutine . d3f:Event a owl:Class ; rdfs:label "Event" ; rdfs:subClassOf d3f:D3FENDCore ; d3f:definition "An Event is an occurrence or action within a system, process, or environment within a finite span of time." . d3f:EventLog a owl:Class, owl:NamedIndividual ; rdfs:label "Event Log" ; rdfs:subClassOf d3f:Log, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:DigitalEventRecord ] ; rdfs:isDefinedBy ; d3f:contains d3f:DigitalEventRecord ; d3f:definition "Event logs record events taking place in the execution of a system in order to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. They are essential to understand the activities of complex systems, particularly in the case of applications with little user interaction (such as server applications)." ; d3f:synonym "Digital Event Log" . d3f:EventLogArchiveEvent a owl:Class ; rdfs:label "Event Log Archive Event" ; rdfs:subClassOf d3f:EventLogEvent ; d3f:definition "An event involving the archiving of event log data, typically to preserve historical records in a compressed or secure format." . d3f:EventLogClearEvent a owl:Class ; rdfs:label "Event Log Clear Event" ; rdfs:subClassOf d3f:EventLogEvent ; d3f:definition "An event where the event log data is cleared from the system, often as part of log maintenance or potentially to cover tracks." . d3f:EventLogDeleteEvent a owl:Class ; rdfs:label "Event Log Delete Event" ; rdfs:subClassOf d3f:EventLogEvent ; d3f:definition "An event where the event log database, file, or cache is deleted from the system, removing the log's historical records." . d3f:EventLogDisableEvent a owl:Class ; rdfs:label "Event Log Disable Event" ; rdfs:subClassOf d3f:EventLogEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:EventLogEnableEvent ] ; d3f:definition "An event indicating that the event logging service has been disabled, preventing it from collecting or recording logs." . d3f:EventLogEnableEvent a owl:Class ; rdfs:label "Event Log Enable Event" ; rdfs:subClassOf d3f:EventLogEvent ; d3f:definition "An event where the event logging service is enabled, allowing it to actively collect and record logs." . d3f:EventLogEvent a owl:Class ; rdfs:label "Event Log Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:EventLog ] ; d3f:definition "An event that captures actions or operations related to the management of system event logs, including modifications, access, and service state changes." ; rdfs:seeAlso . d3f:EventLogExportEvent a owl:Class ; rdfs:label "Event Log Export Event" ; rdfs:subClassOf d3f:EventLogEvent ; d3f:definition "An event representing the export of event log data to a file or external system for backup or analysis purposes." . d3f:EventLogRestartEvent a owl:Class ; rdfs:label "Event Log Restart Event" ; rdfs:subClassOf d3f:EventLogEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:EventLogStopEvent ], [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:EventLogStartEvent ] ; d3f:definition "An event representing the restarting of the event logging service, often performed during system maintenance or troubleshooting." . d3f:EventLogRotateEvent a owl:Class ; rdfs:label "Event Log Rotate Event" ; rdfs:subClassOf d3f:EventLogEvent ; d3f:definition "An event where the event log is rotated, often as part of log rotation policies to manage storage and ensure continuity." . d3f:EventLogStartEvent a owl:Class ; rdfs:label "Event Log Start Event" ; rdfs:subClassOf d3f:EventLogEvent ; d3f:definition "An event where the event logging service is started, enabling the collection and recording of system events." . d3f:EventLogStopEvent a owl:Class ; rdfs:label "Event Log Stop Event" ; rdfs:subClassOf d3f:EventLogEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:EventLogStartEvent ] ; d3f:definition "An event indicating that the event logging service has been stopped, halting the recording of system events." . d3f:Evict a d3f:DefensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Evict" ; rdfs:subClassOf d3f:DefensiveTactic ; d3f:definition "The eviction tactic is used to remove an adversary from a computer network." ; d3f:display-order 4 ; d3f:display-priority 0 . d3f:EvictionEvent a owl:Class, owl:NamedIndividual ; rdfs:label "Eviction Event" ; rdfs:subClassOf d3f:SecurityEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:DetectionEvent ] ; d3f:definition "An event describing actions to remove adversaries or malicious resources from a system, re-establishing security and operational integrity." ; d3f:related d3f:Evict . d3f:EX-0001 a owl:Class ; rdfs:label "Replay - SPARTA" ; skos:prefLabel "Replay" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0001" ; d3f:definition "Replay is the re-transmission of previously captured traffic, over RF links, crosslinks, or internal buses, to elicit the same processing and effects a second time. Adversaries first observe and record authentic exchanges (telecommands, ranging/acquisition frames, housekeeping telemetry acknowledgments, bus messages), then resend them within acceptance conditions that the system recognizes, matching link geometry, timetags, counters, or mode states. The aim can be functional (re-triggering an action such as a mode change), observational (fingerprinting how the vehicle reacts at different states), or disruptive (saturating queues and bandwidth to crowd out legitimate traffic). Because replays preserve valid syntax and often valid context, they can blend with normal operations, especially during periods with reduced monitoring or when counters and windows reset (e.g., handovers, safing entries). On encrypted links, metadata replays (acquisition beacons, schedule requests) may still yield informative responses." ; rdfs:seeAlso . d3f:EX-0001.01 a owl:Class, owl:NamedIndividual ; rdfs:label "Command Packets - SPARTA" ; skos:prefLabel "Command Packets" ; rdfs:subClassOf d3f:EX-0001, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:OTProtocolMessage ] ; d3f:attack-id "EX-0001.01" ; d3f:definition "Threat actors may resend authentic-looking telecommands that were previously accepted by the spacecraft. Captures may include whole command PDUs with framing, CRC/MAC, counters, and timetags intact, or they may be reconstructed from operator tooling and procedure logs. When timing, counters, and mode preconditions align, the replayed packet can cause the same effect: toggling relays, initiating safing or recovery scripts, adjusting tables, commanding momentum dumps, or scheduling delta-v events. Even when outright execution fails, repeated “near-miss” injections can map acceptance windows, rate/size limits, and interlocks by observing the spacecraft’s acknowledgments and state changes. At scale, streams of valid-but-stale commands can congest command queues, delay legitimate activity, or trigger nuisance FDIR responses." ; d3f:produces d3f:OTProtocolMessage ; rdfs:seeAlso . d3f:EX-0001.02 a owl:Class, owl:NamedIndividual ; rdfs:label "Bus Traffic Replay - SPARTA" ; skos:prefLabel "Bus Traffic Replay" ; rdfs:subClassOf d3f:EX-0001, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:BusNetworkTraffic ] ; d3f:attack-id "EX-0001.02" ; d3f:definition "Instead of the RF path, the attacker targets internal command/data handling by injecting or retransmitting messages on the spacecraft bus (e.g., 1553, SpaceWire, custom). Because many subsystems act on the latest message or on message rate rather than on uniqueness, a flood of historical yet well-formed frames can consume bandwidth, starve critical publishers, or cause subsystems to perform the same action repeatedly. Secondary effects include stale sensor values being re-consumed, watchdog timers being reset at incorrect intervals, and autonomy rules misclassifying the situation due to out-of-order but valid-looking events. On time-triggered or scheduled buses, replaying at precise offsets can collide with or supersede legitimate messages, steering system state without changing software. The goal is to harness the bus’s determinism, repeating prior internal stimuli to recreate prior effects or to induce resource exhaustion." ; d3f:produces d3f:BusNetworkTraffic ; rdfs:seeAlso . d3f:EX-0002 a owl:Class, owl:NamedIndividual ; rdfs:label "Position, Navigation, and Timing (PNT) Geofencing - SPARTA" ; skos:prefLabel "Position, Navigation, and Timing (PNT) Geofencing" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:RuntimeVariable ] ; d3f:accesses d3f:RuntimeVariable ; d3f:attack-id "EX-0002" ; d3f:definition "Malware or implanted procedures execute only when the spacecraft’s state meets geometric and temporal criteria. Triggers can be defined in orbital elements, inertial or Earth-fixed coordinates, relative geometry, lighting conditions, or time references. The code monitors on-board navigation solutions, ephemerides, or propagated TLEs and arms itself when thresholds are met (e.g., “only fire over region X,” “only activate during LEOP,” or “only run within N seconds of a scheduled downlink.”) Geofencing reduces exposure and aids deniability: triggers are rare, aligned with mission cadence, and hard to reproduce on the ground. More elaborate variants require conjunctions of conditions (position + attitude + clock epoch) or incorporate drift so the trigger slowly evolves with the orbit. The result is effect-on-demand: execution occurs precisely where and when the actor intends, while remaining dormant elsewhere." ; rdfs:seeAlso . d3f:EX-0003 a owl:Class ; rdfs:label "Modify Authentication Process - SPARTA" ; skos:prefLabel "Modify Authentication Process" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0003" ; d3f:definition "The adversary alters how the spacecraft validates authority so that future inputs are accepted on their terms. Modifications can target code (patching flight binaries, hot-patching functions in memory, hooking command handlers), data (changing key identifiers, policy tables, or counter initialization), or control flow (short-circuiting MAC checks, widening anti-replay windows, bypassing interlocks on specific opcodes). Common choke points include telecommand verification routines, bootloader or update verifiers, gateway processors that bridge payload and bus traffic, and maintenance dictionaries invoked in special modes. Subtle variants preserve outward behavior, producing normal-looking acknowledgments and counters, while internally accepting a broader set of origins, opcodes, or timetags. Others introduce conditional logic so the backdoor only activates under specific geometry or timing, masking during routine audit. Once resident, the modified process becomes the new trust oracle, enabling recurring execution for the attacker and, in some cases, denying legitimate control by causing authentic inputs to fail verification or to be deprioritized." ; rdfs:seeAlso . d3f:EX-0004 a owl:Class, owl:NamedIndividual ; rdfs:label "Compromise Boot Memory - SPARTA" ; skos:prefLabel "Compromise Boot Memory" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique, [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:BootLoader ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:BootROM ] ; d3f:attack-id "EX-0004" ; d3f:definition "The attacker manipulates memory and configuration used in the earliest stages of boot so that their code runs before normal protections and integrity checks take hold. Targets include boot ROM vectors, first-stage/second-stage bootloaders, boot configuration words and strap pins, one-time-programmable (OTP) fuses, non-volatile images in flash/EEPROM, and scratch regions copied into RAM during cold start. Techniques range from replacing or patching boot images to flipping configuration bits that alter trust decisions (e.g., image selection, fallback order, watchdog behavior). Faults can be induced deliberately (timed power/clock/EM glitches) or via crafted update/write sequences that leave a partially programmed but executable state. Once resident, the modification can insert early hooks, disable or short-circuit checks, or select downgraded images; destructive variants corrupt the boot path to induce a persistent reset loop or safeing entry (a denial of service). Because boot logic initializes buses, memory maps, and handler tables, even small changes at this stage cascade, shaping how command handlers load, how keys and counters are initialized, and which peripherals are trusted for subsequent execution." ; d3f:may-modify d3f:BootLoader, d3f:BootROM ; rdfs:seeAlso . d3f:EX-0005 a owl:Class ; rdfs:label "Exploit Hardware/Firmware Corruption - SPARTA" ; skos:prefLabel "Exploit Hardware/Firmware Corruption" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0005" ; d3f:definition "The adversary achieves execution or effect by corrupting or steering behavior beneath the software stack, in device firmware, programmable logic, or the hardware itself. Examples include tampering with firmware images or configuration blobs burned into non-volatile memory; targeting MCU/SoC boot ROM fallbacks; editing FPGA bitstreams or partial-reconfiguration frames; or leveraging physical phenomena and timing to flip bits or skip checks. Because these actions occur below or alongside the operating system and application FSW, traditional endpoint safeguards see normal interfaces while trust anchors are already altered." ; rdfs:seeAlso . d3f:EX-0005.01 a owl:Class ; rdfs:label "Design Flaws - SPARTA" ; skos:prefLabel "Design Flaws" ; rdfs:subClassOf d3f:EX-0005 ; d3f:attack-id "EX-0005.01" ; d3f:definition "Threat actors may exploit inherent properties or errata in the hardware/logic design rather than injecting new code. Levers include undocumented or weakly specified behaviors (scan chains, test modes, debug straps), counter/timer rollovers and wraparound, interrupt storms and priority inversions, MMU/TLB corner cases, DMA engines that can write outside intended buffers, and bus arbitration or clock-domain crossing issues that permit stale or reordered writes. RNGs and crypto accelerators with flawed seeding or side-channel leakage can expose secrets or enable predictable authentication values. In programmable logic, vulnerable state machines, insufficient reset paths, and hazardous partial-reconfiguration regions create opportunities to drive the design into privileged or undefined states. Even reliability features can be turned: hardware timers intended for liveness can be paced to starve control loops; ECC policies can be nudged so correction conceals attacker-induced drift. The common thread is using the platform’s own guarantees, timing, priority, persistence, or fault handling, to cause privileged behavior that the software stack accepts as “by design.”" ; rdfs:seeAlso . d3f:EX-0005.02 a owl:Class, owl:NamedIndividual ; rdfs:label "Malicious Use of Hardware Commands - SPARTA" ; skos:prefLabel "Malicious Use of Hardware Commands" ; rdfs:subClassOf d3f:EX-0005, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:OTModifyDeviceConfigurationCommand ] ; d3f:attack-id "EX-0005.02" ; d3f:definition "Threat actors may issue low-level device or maintenance commands that act directly on hardware, bypassing much of the high-level command mediation. These may be memory-mapped register writes forwarded over the bus, vendor-specific instrument/control opcodes, built-in-test and calibration modes, boot-mode or fuse-programming sequences, file/sector operations to on-board non-volatile stores, or actuator primitives for wheels, thrusters, motors, heaters, and RF chains. Because these interfaces exist to configure sensors, zero momentum, switch power domains, tune gains, or adjust clocks, they can also be sequenced to produce harmful effects: over-driving mechanisms, altering persistent calibration, disabling watchdogs, or switching timing sources. Some hardware command sets are only exposed in maintenance or contingency modes, while others are always reachable through gateway processors that translate high-level telecommands into device-level operations. By crafting orders that respect expected framing and rate/size limits, the adversary can induce mechanical, electrical, or logical state changes with immediate, high-privilege impact, all while appearing to exercise legitimate device capabilities." ; d3f:produces d3f:OTModifyDeviceConfigurationCommand ; rdfs:seeAlso . d3f:EX-0006 a owl:Class ; rdfs:label "Disable/Bypass Encryption - SPARTA" ; skos:prefLabel "Disable/Bypass Encryption" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0006" ; d3f:definition "The adversary alters how confidentiality or integrity is applied so traffic or data is processed in clear or with weakened protection. Paths include toggling configuration flags that place links or storage into maintenance/test modes; forcing algorithm “fallbacks” or null ciphers; downgrading negotiated suites or keys; manipulating anti-replay/counter state so checks are skipped; substituting crypto libraries or tables during boot/update; and selecting alternate routes that carry the same content without encryption. On some designs, distinct modes handle authentication and confidentiality separately, allowing an actor who obtains authentication material to request unencrypted service or to switch to legacy profiles. The end state is that command, telemetry, or data products traverse a path the spacecraft accepts while cryptographic protection is absent, weakened, or inconsistently applied, enabling subsequent tactics such as inspection, manipulation, or exfiltration." ; rdfs:seeAlso . d3f:EX-0007 a owl:Class, owl:NamedIndividual ; rdfs:label "Trigger Single Event Upset - SPARTA" ; skos:prefLabel "Trigger Single Event Upset" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique, [ a owl:Restriction ; owl:onProperty d3f:may-corrupt ; owl:someValuesFrom d3f:CacheMemory ], [ a owl:Restriction ; owl:onProperty d3f:may-corrupt ; owl:someValuesFrom d3f:FlashMemory ], [ a owl:Restriction ; owl:onProperty d3f:may-corrupt ; owl:someValuesFrom d3f:MemoryExtent ], [ a owl:Restriction ; owl:onProperty d3f:may-corrupt ; owl:someValuesFrom d3f:ProcessorRegister ] ; d3f:attack-id "EX-0007" ; d3f:definition "The attacker induces or opportunistically exploits a single-event upset (SEU), a transient bit flip or latch disturbance in logic or memory, so that software executes in a state advantageous to the attack. SEUs arise when charge is deposited at sensitive nodes by energetic particles or intense electromagnetic stimuli. An actor may time operations to coincide with natural radiation peaks or use artificial means from close range. Outcomes include corrupted stacks or tables, altered branch conditions, flipped configuration bits in FPGAs or controllers, and transient faults that push autonomy/FDIR into recovery modes with broader command acceptance. SEU exploitation is probabilistic; the technique couples repeated stimulation with careful observation of mode transitions, watchdogs, and error counters to land the system in a desired but nominal-looking state from which other actions can proceed." ; d3f:may-corrupt d3f:CacheMemory, d3f:FlashMemory, d3f:MemoryExtent, d3f:ProcessorRegister ; rdfs:seeAlso . d3f:EX-0008 a owl:Class ; rdfs:label "Time Synchronized Execution - SPARTA" ; skos:prefLabel "Time Synchronized Execution" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0008" ; d3f:definition "Malicious logic is arranged to run at precise times derived from onboard clocks or distributed time sources. The trigger may be absolute or relative. Spacecraft commonly maintain multiple clocks and counters and schedule autonomous sequences against them. An attacker leverages this machinery to ensure effects occur during tactically advantageous windows. Time-based execution reduces exposure, simplifies coordination across assets, and makes reproduction difficult in lab settings that lack the same temporal context." ; rdfs:seeAlso . d3f:EX-0008.01 a owl:Class ; rdfs:label "Absolute Time Sequences - SPARTA" ; skos:prefLabel "Absolute Time Sequences" ; rdfs:subClassOf d3f:EX-0008 ; d3f:attack-id "EX-0008.01" ; d3f:definition "Execution is keyed to a fixed wall-clock timestamp or epoch, independent of current vehicle state. The implant watches a trusted time source, GNSS-derived time, crosslink-distributed network time, oscillator-disciplined UTC/TAI, or mission elapsed time anchored at activation, and triggers exactly at a programmed date/time. Absolute triggering supports coordinated multi-asset actions and allows long dormancy with a precise activation moment. Variants incorporate calendar logic (e.g., “first visible pass after YYYY-MM-DD hh:mm:ss”) or guard bands to fire only if the clock is within certain tolerances, ensuring the event occurs even with minor drift yet remains rare enough to blend with scheduled operations." ; rdfs:seeAlso . d3f:EX-0008.02 a owl:Class ; rdfs:label "Relative Time Sequences - SPARTA" ; skos:prefLabel "Relative Time Sequences" ; rdfs:subClassOf d3f:EX-0008 ; d3f:attack-id "EX-0008.02" ; d3f:definition "Execution is keyed to elapsed time since a reference event. The implant latches a start point, boot, reset, safing entry/exit, receipt of a particular telemetry/command pattern, achievement of sun-pointing, and arms a countdown or set of offsets (“N seconds after event,” “repeat every M cycles”). Relative sequences are resilient to clock discontinuities and mirror how many spacecraft schedule internal activities (e.g., after boot, run calibrations; after acquisition, start downlink). An attacker exploits this to ensure the trigger fires only within specific operational phases and to survive resets that would thwart absolute timestamps: after every reboot, wait for housekeeping steady state, then act; or, after a wheel unload completes, inject an additional command while control laws are in a known configuration." ; rdfs:seeAlso . d3f:EX-0009 a owl:Class ; rdfs:label "Exploit Code Flaws - SPARTA" ; skos:prefLabel "Exploit Code Flaws" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0009" ; d3f:definition "The adversary executes actions on-board by abusing defects in software that runs on the vehicle, ranging from application logic in flight software to libraries, drivers, and supporting services. Outcomes range from arbitrary code execution and privilege escalation to silent logic manipulation (e.g., bypassing interlocks, suppressing alarms) that appears operationally plausible. The hallmark of this technique is that the attacker co-opts existing code paths, often rarely used ones, to run unintended behavior under nominal interfaces. These attacks may be extremely targeted and tailored to specific coding errors introduced as a result of poor coding practices or they may target known issues in the commercial software components." ; rdfs:seeAlso . d3f:EX-0009.01 a owl:Class, owl:NamedIndividual ; rdfs:label "Flight Software - SPARTA" ; skos:prefLabel "Flight Software" ; rdfs:subClassOf d3f:EX-0009, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:Application ] ; d3f:attack-id "EX-0009.01" ; d3f:definition "Flight software presents rich attack surface where mission-specific parsing and autonomy live. Vulnerable components include command and telemetry handlers, table loaders, file transfer services, mode management and safing logic, payload control applications, and gateway processes that bridge payload and bus protocols. Typical flaws are unchecked lengths and indices in command fields, arithmetic overflows in rate/size calculations, insufficient validation of table contents, format-string misuse in logging, incomplete state cleanup across rapid mode changes, and race conditions in concurrent message processing. Some FSW suites expose operator-facing APIs or scripting/procedure engines used for automation; malformed invocations can coerce unexpected behaviors or enable arbitrary expressions. Because many subsystems act on “last write wins,” logic errors can yield durable configuration changes without obvious anomalies in protocol syntax. Successful exploitation lets an adversary execute code, alter persistent parameters, or chain effects across partitions that would otherwise be segmented by design." ; d3f:modifies d3f:Application ; rdfs:seeAlso . d3f:EX-0009.02 a owl:Class, owl:NamedIndividual ; rdfs:label "Operating System - SPARTA" ; skos:prefLabel "Operating System" ; rdfs:subClassOf d3f:EX-0009, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OperatingSystem ] ; d3f:attack-id "EX-0009.02" ; d3f:definition "At the OS layer the attacker targets primitives that schedule work and mediate hardware. Maintenance builds may expose shells or management consoles; misconfigurations around these interfaces can provide paths to command interpreters or privileged syscalls. Exploitation yields kernel-mode execution, arbitrary memory read/write, or control of scheduling and address spaces, letting the actor tamper with FSW processes, intercept command paths, or manipulate storage and bus drivers beneath application checks. The technique leverages generic OS weaknesses adapted to the spacecraft’s particular build, turning low-level control into mission-facing effects that appear to originate from legitimate processes." ; d3f:modifies d3f:OperatingSystem ; rdfs:seeAlso . d3f:EX-0009.03 a owl:Class ; rdfs:label "Known Vulnerability (COTS/FOSS) - SPARTA" ; skos:prefLabel "Known Vulnerability (COTS/FOSS)" ; rdfs:subClassOf d3f:EX-0009 ; d3f:attack-id "EX-0009.03" ; d3f:definition "Using knowledge of the software composition on-board, the adversary maps components and versions to publicly or privately known defects and then crafts inputs to trigger them. Typical targets include standard libraries (libc, STL), cryptographic and compression libraries, protocol stacks (CCSDS implementations, IP over space links, SpaceWire bridges), filesystems and parsers (FITS/CCSDS packetization, custom table formats), and vendor SDKs for radios, sensors, or payloads. Triggers arrive as well-formed but malicious packets, frames, or files whose edge-case fields exercise version-specific bugs, overflowing a parser, bypassing an authentication check, or causing a kernel/driver fault that reboots into a more permissive mode. Because these flaws are documented somewhere, exploitation emphasizes matching the exact build and build-time options used on the mission." ; rdfs:seeAlso . d3f:EX-0010 a owl:Class ; rdfs:label "Malicious Code - SPARTA" ; skos:prefLabel "Malicious Code" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0010" ; d3f:definition "The adversary achieves on-board effects by introducing executable logic that runs on the vehicle, either native binaries and scripts, injected shellcode, or “data payloads” that an interpreter treats as code (e.g., procedure languages, table-driven automations). Delivery commonly piggybacks on legitimate pathways: software/firmware updates, file transfer services, table loaders, maintenance consoles, or command sequences that write to executable regions. Once staged, activation can be explicit (a specific command, mode change, or file open), environmental (time/geometry triggers), or accidental, where operator actions or routine autonomy invoke the implanted logic. Malicious code can target any layer it can reach: altering flight software behavior, manipulating payload controllers, patching boot or device firmware, or installing hooks in drivers and gateways that bridge bus and payload traffic. Effects range from subtle logic changes (quiet data tampering, command filtering) to overt actions (forced mode transitions, resource starvation), and may include secondary capabilities like covert communications, key material harvesting, or persistence across resets by rewriting images or configuration entries." ; rdfs:seeAlso . d3f:EX-0010.01 a owl:Class ; rdfs:label "Ransomware - SPARTA" ; skos:prefLabel "Ransomware" ; rdfs:subClassOf d3f:EX-0010 ; d3f:attack-id "EX-0010.01" ; d3f:definition "Ransomware on a spacecraft encrypts data or critical configuration so that nominal operations can no longer proceed without the attacker’s cooperation. Targets include mass-memory file stores (engineering telemetry, payload data), configuration and command tables, event logs, on-board ephemerides, and even intermediate buffers used by downlink pipelines. Some variants interfere with key services instead of bulk data, e.g., encrypting a command dictionary or table index so valid inputs are rejected, or wrapping the payload data path in an attacker-chosen cipher so downlinked products appear as noise. By denying access to on-board content or control artifacts at scale, attackers convert execution into bargaining power or irreversible mission degradation." ; rdfs:seeAlso . d3f:EX-0010.02 a owl:Class, owl:NamedIndividual ; rdfs:label "Wiper Malware - SPARTA" ; skos:prefLabel "Wiper Malware" ; rdfs:subClassOf d3f:EX-0010, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:File ] ; d3f:attack-id "EX-0010.02" ; d3f:definition "Wipers deliberately destroy or irreversibly corrupt data and, in some cases, executable images to impair or end mission operations. Destructive routines may overwrite with patterns or pseudorandom data, repeatedly reformat volumes, trigger wear mechanisms on non-volatile memory, or manipulate low-level translation layers so recovery tools see a blank or inconsistent device. Activation can be immediate or staged, sleeping until a specific time, pass, or maintenance action, and may be paired with anti-recovery steps such as erasing checksums, undo logs, or golden images. Because wipers operate at storage and image layers that underpin many subsystems, collateral effects can cascade: autonomy enters safing without viable recovery paths, downlinks carry only noise, and subsequent updates cannot be authenticated or applied. The defining feature is irreversible loss of data or executables as the primary objective, rather than concealment or monetization." ; d3f:modifies d3f:File ; rdfs:seeAlso . d3f:EX-0010.03 a owl:Class, owl:NamedIndividual ; rdfs:label "Rootkit - SPARTA" ; skos:prefLabel "Rootkit" ; rdfs:subClassOf d3f:EX-0010, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:BootSector ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:Kernel ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:KernelModule ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:SystemFirmware ] ; d3f:attack-id "EX-0010.03" ; d3f:definition "A rootkit hides the presence and activity of other malicious components by interposing on the mechanisms that report system state. On spacecraft this can occur within flight software processes, at OS kernel level, inside separation kernels/hypervisors, or down in system firmware where drivers and initialization routines run. Techniques include API and syscall hooking, patching message queues and inter-process communication paths, altering task lists and scheduler views, filtering telemetry packets and event logs, and rewriting sensor or health values before they are recorded or downlinked. Rootkits may also hook command handlers and gateways so certain opcodes, timetags, or sources are silently accepted or ignored while external observers see normal acknowledgments. Because many missions rely on deterministic procedures and limited observability, even small alterations to reporting can make malicious actions appear as plausible mode transitions or benign anomalies. Persistence often pairs with the concealment layer, with the rootkit reinjecting companions after resets or rebuilds by monitoring for specific files, tables, or image loads and modifying them on the fly." ; d3f:modifies d3f:BootSector, d3f:Kernel, d3f:KernelModule, d3f:SystemFirmware ; rdfs:seeAlso . d3f:EX-0010.04 a owl:Class, owl:NamedIndividual ; rdfs:label "Bootkit - SPARTA" ; skos:prefLabel "Bootkit" ; rdfs:subClassOf d3f:EX-0010, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:BootLoader ] ; d3f:attack-id "EX-0010.04" ; d3f:definition "A bootkit positions itself in the pre-OS boot chain so that it executes before normal integrity checks and can shape what the system subsequently trusts. After seizing early control, the bootkit can redirect image selection, patch kernels or flight binaries in memory, adjust device trees and driver tables, or install hooks that persist across warm resets. Some variants maintain shadow copies of legitimate images and present them to basic verification routines while steering actual execution to a modified payload; others manipulate fallback logic so recovery modes load attacker-controlled code. Because the boot path initializes memory maps, buses, and authentication material, a bootkit can also influence key/counter setup and gateway configurations, creating conditions favorable to later tactics. The central characteristic is precedence: by running first, the implant defines the reality higher layers observe, ensuring that every subsequent component launches under conditions curated by the attacker." ; d3f:modifies d3f:BootLoader ; rdfs:seeAlso . d3f:EX-0011 a owl:Class ; rdfs:label "Exploit Reduced Protections During Safe-Mode - SPARTA" ; skos:prefLabel "Exploit Reduced Protections During Safe-Mode" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0011" ; d3f:definition "The adversary times on-board actions to the period when the vehicle is in safe-mode and operating with altered guardrails. In many designs, safe-mode enables contingency command dictionaries, activates alternate receivers or antennas, reduces data rates, and prioritizes survival behaviors (sun-pointing, thermal/power conservation). Authentication checks, anti-replay windows, rate/size limits, and interlocks may differ from nominal; counters can be reset, timetag screening relaxed, or maintenance procedures made available for recovery. Ground cadence also changes, longer passes, emergency scheduling, atypical station selection, creating predictable windows for interaction. Using knowledge of these patterns, an attacker issues maintenance-looking loads, recovery scripts, parameter edits, or boot/patch sequences that the spacecraft is primed to accept while safed. Because responses (telemetry beacons, acknowledgments, mode bits) resemble normal anomaly recovery, the first execution event blends with expected behavior, allowing unauthorized reconfiguration, software modification, or state manipulation to occur under the cover of fault response." ; rdfs:seeAlso . d3f:EX-0012 a owl:Class, owl:NamedIndividual ; rdfs:label "Modify On-Board Values - SPARTA" ; skos:prefLabel "Modify On-Board Values" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:RuntimeVariable ] ; d3f:attack-id "EX-0012" ; d3f:definition "The attacker alters live or persistent data that the spacecraft uses to make decisions and route work. Targets include device and control registers, parameter and limit tables, internal routing/subscriber maps, schedules and timelines, priority/QoS settings, watchdog and timer values, autonomy/FDIR rule tables, ephemeris and attitude references, and power/thermal setpoints. Many missions expose legitimate mechanisms for updating these artifacts, direct memory read/write commands, table load services, file transfers, or maintenance procedures, which can be invoked to steer behavior without changing code. Edits may be transient (until reset) or latched/persistent across boots; they can be narrowly scoped (a single bit flip on an enable mask) or systemic (rewriting a routing table so commands are misdelivered). The effect space spans subtle biasing of control loops, selective blackholing of commands or telemetry, rescheduling of operations, and wholesale changes to mode logic, all accomplished by modifying the values the software already trusts and consumes." ; d3f:modifies d3f:RuntimeVariable ; rdfs:seeAlso . d3f:EX-0012.01 a owl:Class ; rdfs:label "Registers - SPARTA" ; skos:prefLabel "Registers" ; rdfs:subClassOf d3f:EX-0012 ; d3f:attack-id "EX-0012.01" ; d3f:definition "Threat actors may target the internal registers of the victim spacecraft in order to modify specific values as the FSW is functioning or prevent certain subsystems from working. Most aspects of the spacecraft rely on internal registers to store important data and temporary values. By modifying these registers at certain points in time, threat actors can disrupt the workflow of the subsystems or onboard payload, causing them to malfunction or behave in an undesired manner." ; rdfs:seeAlso . d3f:EX-0012.02 a owl:Class ; rdfs:label "Internal Routing Tables - SPARTA" ; skos:prefLabel "Internal Routing Tables" ; rdfs:subClassOf d3f:EX-0012 ; d3f:attack-id "EX-0012.02" ; d3f:definition "Threat actors may rewrite the maps that tell software where to send and receive things. In publish/subscribe or message-queued flight frameworks, tables map message IDs to subscribers, opcodes to handlers, and pipes to processes; at interfaces, address/port maps define how traffic traverses bridges and gateways (e.g., SpaceWire node/port routes, 1553 RT/subaddress mappings, CAN IDs). By altering these structures, commands can be misdelivered, dropped, duplicated, or routed through unintended paths; telemetry can be redirected or blackholed; and handler bindings can be swapped so an opcode triggers the wrong function. Schedule/routing hybrids, used to sequence activities and distribute results, can be edited to reorder execution or to create feedback loops that occupy bandwidth and processor time. The result is control over who hears what and when, achieved by changing the lookup tables that underpin command/telemetry distribution rather than the code that processes them." ; rdfs:seeAlso . d3f:EX-0012.03 a owl:Class ; rdfs:label "Memory Write/Loads - SPARTA" ; skos:prefLabel "Memory Write/Loads" ; rdfs:subClassOf d3f:EX-0012 ; d3f:attack-id "EX-0012.03" ; d3f:definition "The adversary uses legitimate direct-memory commands or load services to place chosen bytes at chosen addresses. Many spacecraft support raw read/write operations, block loads into RAM or non-volatile stores, and table/file loaders that copy content into working memory. With knowledge of address maps and data structures, an attacker can patch function pointers or vtables, alter limit and configuration records, seed scripts or procedures into interpreter buffers, adjust DMA descriptors, or overwrite portions of executable images resident in RAM. Loads may be sized and paced to fit link and queue constraints, then activated by a subsequent command, mode change, or natural reference by the software." ; rdfs:seeAlso . d3f:EX-0012.04 a owl:Class ; rdfs:label "App/Subscriber Tables - SPARTA" ; skos:prefLabel "App/Subscriber Tables" ; rdfs:subClassOf d3f:EX-0012 ; d3f:attack-id "EX-0012.04" ; d3f:definition "In publish/subscribe flight frameworks, applications and subsystems register interest in specific message classes via subscriber (or application) tables. These tables map message IDs/topics to subscribers, define delivery pipes/queues, and often include filters, priorities, and rate limits. By altering these mappings, an adversary can quietly reshape information flow: critical consumers stop receiving health or sensor messages; non-critical tasks get flooded; handlers are rebound so an opcode or message ID reaches the wrong task; or duplicates create feedback loops that consume bandwidth and CPU. Because subscription state is usually read at init or refreshed on command, subtle edits can persist across reboots or take effect at predictable times. Similar effects appear in legacy MIL-STD-1553 deployments by modifying Remote Terminal (RT), subaddress, or mode-code configurations so that messages are misaddressed or dropped at the bus interface. The net result is control-by-misdirection: the software still “works,” but the right data no longer reaches the right recipient at the right time." ; rdfs:seeAlso . d3f:EX-0012.05 a owl:Class ; rdfs:label "Scheduling Algorithm - SPARTA" ; skos:prefLabel "Scheduling Algorithm" ; rdfs:subClassOf d3f:EX-0012 ; d3f:attack-id "EX-0012.05" ; d3f:definition "Spacecraft typically rely on real-time scheduling, fixed-priority or deadline/periodic schemes, driven by timers, tick sources, and per-task parameters. Threat actors target these parameters and associated tables to skew execution order and timing. Edits may change priorities, periods, or deadlines; adjust CPU budgets and watchdog thresholds; alter ready-queue disciplines; or reconfigure timer tick rates and clock sources. They may also modify task affinities, message-queue depths, and interrupt masks so preemption and latency characteristics shift. Small changes can have large effects: high-rate control loops see added jitter, estimator updates miss deadlines, command/telemetry handling starves, or low-priority maintenance tasks monopolize cores due to mis-set periods. Manipulated schedules can create intermittent, state-dependent malfunctions that are hard to distinguish from environmental load. The essence of the technique is to weaponize time, reshaping when work happens so that otherwise correct code produces unsafe or exploitable behavior." ; rdfs:seeAlso . d3f:EX-0012.06 a owl:Class ; rdfs:label "Science/Payload Data - SPARTA" ; skos:prefLabel "Science/Payload Data" ; rdfs:subClassOf d3f:EX-0012 ; d3f:attack-id "EX-0012.06" ; d3f:definition "Payload data, and the metadata that gives it meaning, can be altered in place to steal value, mislead users, or degrade mission outputs. Targets include raw detector frames, packetized Level-0 streams, onboard preprocessed products, and file catalogs/directories on mass memory. Adjacent metadata such as timestamps, pointing/attitude tags, calibration coefficients, compression settings, and quality flags are equally potent; slight bias in a calibration table or time tag can skew entire downlink campaigns while appearing routine. An adversary may rewrite frame headers, reorder packets, substitute segments from prior passes, or flip quality bits so ground pipelines silently discard or misclassify products. Recorder index manipulation can orphan files or cause downlinks to serve stale or fabricated content. Because many missions perform some processing or filtering onboard, tampering upstream of downlink propagates forward as “authoritative” truth, jeopardizing mission objectives without obvious protocol anomalies." ; rdfs:seeAlso . d3f:EX-0012.07 a owl:Class ; rdfs:label "Propulsion Subsystem - SPARTA" ; skos:prefLabel "Propulsion Subsystem" ; rdfs:subClassOf d3f:EX-0012 ; d3f:attack-id "EX-0012.07" ; d3f:definition "Propulsion relies on parameters and sensed values that govern burns, pressure management, and safing. Editable items include thruster calibration and minimum impulse bit, valve timing and duty limits, inhibit masks, delta-V tables, plume keep-out constraints, tank pressure/temperature thresholds, leak-detection limits, and momentum-management coupling with attitude control. By modifying these, an adversary can provoke over-correction, waste propellant through repeated trims, bias orbit maintenance, or trigger protective sequences at inopportune times. False pressure or temperature readings can cause autonomous venting or lockouts; tweaked alignment matrices or misapplied gimbal limits can yield off-axis thrust and attitude excursions; altered desaturation rules can induce frequent wheel unloads that sap resources. Because consumables are finite and margins tight, even modest parameter drift can shorten mission life or violate keep-out and conjunction constraints while presenting as “normal” control activity." ; rdfs:seeAlso . d3f:EX-0012.08 a owl:Class ; rdfs:label "Attitude Determination & Control Subsystem - SPARTA" ; skos:prefLabel "Attitude Determination & Control Subsystem" ; rdfs:subClassOf d3f:EX-0012 ; d3f:attack-id "EX-0012.08" ; d3f:definition "ADCS depends on tightly coupled models and parameters: star-tracker catalogs and masks, sensor alignments and bias terms, gyro scale factors and drift rates, estimator covariances and process/measurement noise, controller gains and saturation limits, wheel/CMG torque constants, magnetic torquer maps, and sun sensor thresholds. Editing these values skews estimation or control, producing slow bias, limit cycles, loss of lock, or abrupt safing triggers. For example, a small change to a star-tracker mask can force frequent dropouts; an inflated gyro bias drives the filter away from truth; softened actuator limits or mis-set gains let disturbances accumulate; altered sun-point entry criteria cause unnecessary mode switches. Secondary impacts propagate to power, thermal, and communications because pointing and geometry underpin array generation, radiator view factors, and antenna gain. The technique turns the spacecraft against itself by nudging the parameters that close the loop between what the vehicle believes and how it responds." ; rdfs:seeAlso . d3f:EX-0012.09 a owl:Class ; rdfs:label "Electrical Power Subsystem - SPARTA" ; skos:prefLabel "Electrical Power Subsystem" ; rdfs:subClassOf d3f:EX-0012 ; d3f:attack-id "EX-0012.09" ; d3f:definition "Adversaries alter parameters and sensed values that govern power generation, storage, and distribution so the spacecraft draws or allocates energy in harmful ways. Editable items include bus voltage/current limits, MPPT setpoints and sweep behavior, array and SADA modes, battery charge/discharge thresholds and temperature derates, state-of-charge estimation constants, latching current limiter (LCL) trip/retry settings, load-shed priorities, heater duty limits, and survival/keep-alive rules. By changing these, a threat actor can drive excess consumption (e.g., disabling load shed, raising heater floors), misreport remaining energy (skewed SoC), or push batteries outside healthy ranges, producing brownouts, repeated safing, or premature capacity loss. Manipulating thresholds and hysteresis can also create oscillations where loads repeatedly drop and re-engage, wasting energy and stressing components. The effect is accelerated depletion or misallocation of finite power, degrading mission operations and potentially preventing recovery after eclipse or anomalies." ; rdfs:seeAlso . d3f:EX-0012.10 a owl:Class ; rdfs:label "Command & Data Handling Subsystem - SPARTA" ; skos:prefLabel "Command & Data Handling Subsystem" ; rdfs:subClassOf d3f:EX-0012 ; d3f:attack-id "EX-0012.10" ; d3f:definition "C&DH relies on tables and runtime values that define how commands are parsed, queued, and dispatched and how telemetry is collected, stored, and forwarded. Targets include opcode-to-handler maps, argument limits and schemas, queue depths and priorities, message ID routing, publish/subscribe bindings, timeline/schedule entries, file catalog indices, compression and packetization settings, and event/telemetry filters. Edits to these artifacts reshape control and visibility: commands are delayed, dropped, or misrouted; telemetry is suppressed or redirected; timelines slip; and housekeeping/data products are repackaged in ways that confuse ground processing. Because many frameworks treat these values as authoritative configuration, small changes can silently propagate across subsystems, degrading responsiveness, creating backlogs, or severing the logical pathways that keep the vehicle coordinated, without modifying the underlying code." ; rdfs:seeAlso . d3f:EX-0012.11 a owl:Class, owl:NamedIndividual ; rdfs:label "Watchdog Timer (WDT) - SPARTA" ; skos:prefLabel "Watchdog Timer (WDT)" ; rdfs:subClassOf d3f:EX-0012, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:WatchdogTimer ] ; d3f:attack-id "EX-0012.11" ; d3f:definition "Watchdogs supervise liveness by requiring software to “pet” within defined windows or the system resets. Threat actors manipulate WDT behavior by changing timeout durations, windowed-WDT bounds, reset actions, enable/mask bits, or the source that performs the petting (e.g., moving it into a low-level ISR so higher layers can be stalled indefinitely). Software WDTs can be disabled or starved; hardware WDTs are influenced via control registers, strap pins, or supervisor commands that alter prescalers and reset ladders. Outcomes include preventing intended resets so runaway tasks consume power and bandwidth, or forcing repeated resets at tactically chosen moments, e.g., during updates or handovers, to keep the system in a degraded or easily predictable state. The technique converts a safety mechanism into a tool for either unbounded execution or rhythmic disruption, depending on how the WDT parameters are rewritten." ; d3f:modifies d3f:WatchdogTimer ; rdfs:seeAlso . d3f:EX-0012.12 a owl:Class, owl:NamedIndividual ; rdfs:label "System Clock - SPARTA" ; skos:prefLabel "System Clock" ; rdfs:subClassOf d3f:EX-0012, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:SystemTime ] ; d3f:attack-id "EX-0012.12" ; d3f:definition "Spacecraft maintain multiple time bases and distribute time to schedule sequences, validate timetags, manage anti-replay counters, and align navigation/attitude processing. By writing to clock registers, altering time-distribution services, switching disciplining sources, or biasing oscillator parameters, an adversary can skew these references. Effects include reordering or prematurely firing stored command sequences, invalidating timetag checks, desynchronizing counters used by authentication or ranging, misaligning estimator windows, and corrupting timestamped payload data. Even small offsets can accumulate into observable misbehavior when autonomy and scheduling depend on tight temporal guarantees. The result is execution that happens at the wrong moment, or not at all, because the system’s notion of “now” has been shifted." ; d3f:modifies d3f:SystemTime ; rdfs:seeAlso . d3f:EX-0012.13 a owl:Class ; rdfs:label "Poison AI/ML Training Data - SPARTA" ; skos:prefLabel "Poison AI/ML Training Data" ; rdfs:subClassOf d3f:EX-0012 ; d3f:attack-id "EX-0012.13" ; d3f:definition "When missions employ AI/ML, for onboard detection/classification, compression, anomaly screening, guidance aids, or ground-side planning, training data becomes a control surface. Data poisoning inserts crafted examples or labels into the training corpus or fine-tuning set so the resulting model behaves incorrectly while appearing valid. Variants include clean-label backdoors (benign-looking samples with a hidden trigger that later induces a targeted response), label flipping and biased sampling (to skew decision boundaries), and corruption of calibration/ground-truth products that the pipeline trusts. For space systems, poisoning may occur in science archives, test vectors, simulated scenes, or housekeeping datasets used to train autonomy/anomaly models; models trained on poisoned corpora are then packaged and uplinked as routine updates. Once fielded, a simple trigger pattern in imagery, telemetry, or RF features can cause misclassification, suppression, or false positives at the time and place the adversary chooses, turning model behavior into an execution mechanism keyed by data rather than code." ; rdfs:seeAlso . d3f:EX-0013 a owl:Class ; rdfs:label "Flooding - SPARTA" ; skos:prefLabel "Flooding" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0013" ; d3f:definition "Flooding overwhelms a communication or processing path by injecting traffic at rates or patterns the system cannot comfortably absorb. In space contexts this can occur across layers: RF/optical links (continuous carriers, wideband noise, or protocol-shaped bursts); link/protocol layers (valid-looking frames at excessive cadence); application layers (command and telemetry messages that saturate parsers and queues); and internal vehicles buses where repeated messages starve critical publishers. Effects range from outright denial of service, dropped commands, lost telemetry, missed windows, to subtler corruption, such as out-of-order processing, watchdog trips, or autonomy entering protective modes due to backlogged health data. Secondary impacts include power and thermal strain as decoders, modems, or software loops spin at maximum duty, storage filling from retries, and control loops jittering when their messages are delayed. Timing matters: floods during handovers, maneuvers, or safing transitions can magnify consequences because margins are thinnest." ; rdfs:seeAlso . d3f:EX-0013.01 a owl:Class, owl:NamedIndividual ; rdfs:label "Valid Commands - SPARTA" ; skos:prefLabel "Valid Commands" ; rdfs:subClassOf d3f:EX-0013, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:OTProtocolMessage ] ; d3f:attack-id "EX-0013.01" ; d3f:definition "Here the adversary saturates paths with legitimate telecommands or bus messages so the spacecraft burns scarce resources honoring them. Inputs may be innocuous (no-ops, time queries, telemetry requests) or low-risk configuration edits, but at scale they consume command handler cycles, fill queues, generate events and logs, trigger acknowledgments, and provoke downstream work in subsystems (e.g., repeated state reports, mode toggles, or file listings). On internal buses, valid actuator or housekeeping messages replayed at high rate can starve higher-priority publishers or cause control laws to chase stale stimuli. Because the traffic is syntactically correct, and often contextually plausible, the system attempts to process it rather than discard it early, increasing CPU usage, memory pressure, and power draw. Consequences include delayed or preempted legitimate operations, transient loss of commandability, and knock-on FDIR activity as deadlines slip and telemetry appears inconsistent." ; d3f:produces d3f:OTProtocolMessage ; rdfs:seeAlso . d3f:EX-0013.02 a owl:Class ; rdfs:label "Erroneous Input - SPARTA" ; skos:prefLabel "Erroneous Input" ; rdfs:subClassOf d3f:EX-0013 ; d3f:attack-id "EX-0013.02" ; d3f:definition "In this variant, the attacker injects non-useful energy or data, noise, malformed frames, or near-valid messages, so receivers and parsers labor to acquire, decode, and reject it. At the RF layer, wideband or protocol-shaped interference drives AGC and clock recovery to hunt, elevates BER, and forces repeated acquisitions; at the link layer, frames with correct preambles but bad CRCs keep decoders busy while yielding no payload; at the application layer, malformed packets force parse/validate/deny cycles that still consume CPU and fill error logs. On internal buses, collisions or bursts of misaddressed traffic reduce effective bandwidth and reorder legitimate messages. Even though little of the injected content passes semantic checks, the effort of dealing with it crowds out real work and may trigger retransmission storms or fallback modes that further increase load. The hallmark is volumetric invalid activity, crafted to engage front ends and parsers just long enough, that degrades integrity and availability without relying on privileged or authenticated commands." ; rdfs:seeAlso . d3f:EX-0014 a owl:Class ; rdfs:label "Spoofing - SPARTA" ; skos:prefLabel "Spoofing" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0014" ; d3f:definition "The adversary forges inputs that subsystems treat as trustworthy truth, time tags, sensor measurements, bus messages, or navigation signals, so onboard logic acts on fabricated reality. Because many control loops and autonomy rules assume data authenticity once it passes basic sanity checks, carefully shaped spoofs can trigger mode transitions, safing, actuator commands, or payload behaviors without touching flight code. Spoofing may occur over RF (e.g., GNSS, crosslinks, TT&C beacons), over internal networks/buses (message injection with valid identifiers), or at sensor/actuator interfaces (electrical/optical stimulation that produces plausible readings). Effects range from subtle bias (drifting estimates, skewed calibrations) to acute events (unexpected slews, power reconfiguration, recorder re-indexing), and can also pollute downlinked telemetry or science products so ground controllers interpret a false narrative. The hallmark is that the spacecraft chooses the adversary’s action path because the forged data passes through normal processing chains." ; rdfs:seeAlso . d3f:EX-0014.01 a owl:Class ; rdfs:label "Time Spoof - SPARTA" ; skos:prefLabel "Time Spoof" ; rdfs:subClassOf d3f:EX-0014 ; d3f:attack-id "EX-0014.01" ; d3f:definition "Time underpins sequencing, anti-replay, navigation filtering, and data labeling. An attacker that forges or biases the time seen by onboard consumers can reorder stored command execution, break timetag validation, desynchronize counters, and misalign estimation windows. Spoofing vectors include manipulating the distributed time service, introducing a higher-priority/cleaner time source (e.g., GNSS-derived time), or crafting messages that cause clock discipline to slew toward attacker-chosen values. Once time shifts, autonomous routines keyed to epochs, wheel unloads, downlink starts, heater schedules, fire early/late or not at all, and telemetry appears inconsistent to ground analysis. The signature is correct-looking time metadata that steadily or abruptly departs from truth, driving downstream logic to act at the wrong moment." ; rdfs:seeAlso . d3f:EX-0014.02 a owl:Class, owl:NamedIndividual ; rdfs:label "Bus Traffic Spoofing - SPARTA" ; skos:prefLabel "Bus Traffic Spoofing" ; rdfs:subClassOf d3f:EX-0014, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:BusNetworkTraffic ], [ a owl:Restriction ; owl:onProperty d3f:spoofs ; owl:someValuesFrom d3f:BusMessage ], [ a owl:Restriction ; owl:onProperty d3f:uses ; owl:someValuesFrom d3f:BusNetworkNode ] ; d3f:attack-id "EX-0014.02" ; d3f:definition "Here the adversary forges messages on internal command/data paths (e.g., 1553, SpaceWire, CAN, custom). By emitting frames with valid identifiers, addresses, and timing, the attacker can make subscribers accept actuator setpoints, power switch toggles, mode changes, or housekeeping values that originated off-path. Because many consumers act on “latest value wins” or on message cadence, forged traffic can mask real publishers, starve critical topics, or force handlers to execute unintended branches. Gateways that translate between networks amplify impact: a spoofed message on one side can propagate to multiple domains as legitimate payload. Outcomes include misdelivered commands, silent configuration drift, and control loops chasing phantom stimuli, all while bus monitors show protocol-conformant traffic." ; d3f:produces d3f:BusNetworkTraffic ; d3f:spoofs d3f:BusMessage ; d3f:uses d3f:BusNetworkNode ; rdfs:seeAlso . d3f:EX-0014.03 a owl:Class ; rdfs:label "Sensor Data - SPARTA" ; skos:prefLabel "Sensor Data" ; rdfs:subClassOf d3f:EX-0014 ; d3f:attack-id "EX-0014.03" ; d3f:definition "The attacker presents fabricated or biased measurements that estimation and control treat as ground truth. Targets include attitude/position sensors (star trackers, gyros/IMUs, sun sensors, magnetometers, GNSS), environmental and health sensors (temperatures, currents, voltages, pressures), and payload measurements used in autonomy. Spoofs may be injected electrically at interfaces, optically (blinding/dazzling trackers or sun sensors), magnetically, or by crafting packets fed into sensor gateways. Even small, consistent biases can drive filters to incorrect states; stepwise changes can trigger fault responses or mode switches. Downstream, timestamps, quality flags, and derived products inherit the deception, creating uncertainty for operators and potentially inducing temporary loss of service as autonomy reacts to a world that never existed." ; rdfs:seeAlso . d3f:EX-0014.04 a owl:Class, owl:NamedIndividual ; rdfs:label "Position, Navigation, and Timing (PNT) Spoofing - SPARTA" ; skos:prefLabel "Position, Navigation, and Timing (PNT) Spoofing" ; rdfs:subClassOf d3f:EX-0014, [ a owl:Restriction ; owl:onProperty d3f:spoofs ; owl:someValuesFrom d3f:GNSSSignal ] ; d3f:attack-id "EX-0014.04" ; d3f:definition "The adversary transmits GNSS-like signals (or manipulates crosslink-distributed time/ephemeris) so the spacecraft’s navigation solution reflects attacker-chosen states. With believable code phases, Doppler, and navigation messages, the victim can be pulled to a false position/velocity/time, causing downstream functions, attitude pointing limits, station visibility prediction, eclipse timing, antenna pointing, and anti-replay windows, to misbehave. Even when GNSS is not the primary navigation source, spoofed PNT can bias timekeeping or seed filters that fuse multiple sensors, leading to mis-scheduling and errant control. The defining feature is externally provided navigation/time that passes validity checks yet encodes a crafted trajectory or epoch." ; d3f:spoofs d3f:GNSSSignal ; rdfs:seeAlso . d3f:EX-0014.05 a owl:Class ; rdfs:label "Ballistic Missile Spoof - SPARTA" ; skos:prefLabel "Ballistic Missile Spoof" ; rdfs:subClassOf d3f:EX-0014 ; d3f:attack-id "EX-0014.05" ; d3f:definition "In this variant, attackers deploy decoys or emitters designed to mimic ballistic-missile signatures so early-warning and missile-defense systems allocate interceptors and attention to false targets. Decoys can shape radar cross-section and thermal profiles, stage deployment to simulate staging events, or use cooling/heating to emulate plume and body signatures, while coordinated timing and trajectories reinforce plausibility. The objective is resource depletion and distraction: saturate tracking, cueing, and discrimination so defenses are preoccupied prior to an actual strike or are left with reduced capacity afterward. Although the immediate target is the defense architecture, space-based sensors and their ground processing are integral to the effect; spoofed scenes enter the normal detection and tracking pipelines and propagate as authoritative truth until later discrimination overturns them." ; rdfs:seeAlso . d3f:EX-0015 a owl:Class, owl:NamedIndividual ; rdfs:label "Side-Channel Attack - SPARTA" ; skos:prefLabel "Side-Channel Attack" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTEmbeddedComputer ] ; d3f:attack-id "EX-0015" ; d3f:definition "Adversaries extract secrets or steer execution by observing or perturbing physical byproducts of computation rather than the intended interfaces. Passive channels include timing, power draw, electromagnetic emissions, acoustic/optical leakage, and thermal patterns correlated with operations such as key use, counter updates, or parser activity. Active channels deliberately induce faults during runtime, e.g., voltage or clock glitches, electromagnetic/laser injection, or targeted radiation, to flip bits, skip checks, or bias intermediate values. On spacecraft, prime targets include crypto modules, SDR/FPGA pipelines, bootloaders, and bus controllers whose switching behavior or error handling reveals protocol state or key material. With sufficient samples, or with repeated fault attempts, statistical features emerge that reduce entropy of the sensitive variable under study; in effect, a successful fault campaign turns into information leakage comparable to a passive side channel. Collection vantage points range from on-orbit proximity (for EM/optical), to ATLO and ground test (for direct probing), to instrumented compromised hardware already in the signal path." ; d3f:modifies d3f:OTEmbeddedComputer ; rdfs:seeAlso . d3f:EX-0016 a owl:Class ; rdfs:label "Jamming - SPARTA" ; skos:prefLabel "Jamming" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0016" ; d3f:definition """Jamming is an electronic attack that uses radio frequency signals to interfere with communications. A jammer must operate in the same frequency band and within the field of view of the antenna it is targeting. Unlike physical attacks, jamming is completely reversible, once the jammer is disengaged, communications can be restored. Attribution of jamming can be tough because the source can be small and highly mobile, and users operating on the wrong frequency or pointed at the wrong satellite can jam friendly communications.* Similiar to intentional jamming, accidential jamming can cause temporary signal degradation. Accidental jamming refers to unintentional interference with communication signals, and it can potentially impact spacecraft in various ways, depending on the severity, frequency, and duration of the interference. *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso . d3f:EX-0016.01 a owl:Class, owl:NamedIndividual ; rdfs:label "Uplink Jamming - SPARTA" ; skos:prefLabel "Uplink Jamming" ; rdfs:subClassOf d3f:EX-0016, [ a owl:Restriction ; owl:onProperty d3f:impairs ; owl:someValuesFrom d3f:Receiver ], [ a owl:Restriction ; owl:onProperty d3f:jams ; owl:someValuesFrom d3f:WirelessLink ] ; d3f:attack-id "EX-0016.01" ; d3f:definition "The attacker transmits toward the spacecraft’s uplink receive antenna, within its main lobe or significant sidelobes, at the operating frequency and sufficient power spectral density to drive the uplink Eb/N₀ below the demodulator’s threshold. Uplink jamming prevents acceptance of telecommands and ranging/acquisition traffic, delaying or blocking scheduled operations. Because the receiver resides on the spacecraft, the jammer must be located within the spacecraft’s receive footprint and match its polarization and Doppler conditions well enough to couple energy into the front end." ; d3f:impairs d3f:Receiver ; d3f:jams d3f:WirelessLink ; rdfs:seeAlso . d3f:EX-0016.02 a owl:Class, owl:NamedIndividual ; rdfs:label "Downlink Jamming - SPARTA" ; skos:prefLabel "Downlink Jamming" ; rdfs:subClassOf d3f:EX-0016, [ a owl:Restriction ; owl:onProperty d3f:impairs ; owl:someValuesFrom d3f:Receiver ], [ a owl:Restriction ; owl:onProperty d3f:jams ; owl:someValuesFrom d3f:WirelessLink ] ; d3f:attack-id "EX-0016.02" ; d3f:definition """Downlink jammers target the users of a satellite by creating noise in the same frequency as the downlink signal from the satellite. A downlink jammer only needs to be as powerful as the signal being received on the ground and must be within the field of view of the receiving terminal’s antenna. This limits the number of users that can be affected by a single jammer. Since many ground terminals use directional antennas pointed at the sky, a downlink jammer typically needs to be located above the terminal it is attempting to jam. This limitation can be overcome by employing a downlink jammer on an air or space-based platform, which positions the jammer between the terminal and the satellite. This also allows the jammer to cover a wider area and potentially affect more users. Ground terminals with omnidirectional antennas, such as many GPS receivers, have a wider field of view and thus are more susceptible to downlink jamming from different angles on the ground.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; d3f:impairs d3f:Receiver ; d3f:jams d3f:WirelessLink ; rdfs:seeAlso . d3f:EX-0016.03 a owl:Class ; rdfs:label "Position, Navigation, and Timing (PNT) Jamming - SPARTA" ; skos:prefLabel "Position, Navigation, and Timing (PNT) Jamming" ; rdfs:subClassOf d3f:EX-0016 ; d3f:attack-id "EX-0016.03" ; d3f:definition "The attacker raises the noise floor in GNSS bands so satellite navigation signals are not acquired or tracked. Loss of PNT manifests as degraded or unavailable position/velocity/time solutions, which in turn disrupts functions that depend on them, time distribution, attitude aiding, scheduling, anti-replay windows, and visibility prediction. Because GNSS signals at the receiver are extremely weak, modest jammers within the antenna field of view can produce outsized effects; mobile emitters can create intermittent outages aligned with the attacker’s objectives." ; rdfs:seeAlso . d3f:EX-0017 a owl:Class ; rdfs:label "Kinetic Physical Attack - SPARTA" ; skos:prefLabel "Kinetic Physical Attack" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique ; d3f:attack-id "EX-0017" ; d3f:definition "The adversary inflicts damage by physically striking space assets or their supporting elements, producing irreversible effects that are generally visible to space situational awareness. Kinetic attacks in orbit are commonly grouped into direct-ascent engagements, launched from Earth to intercept a target on a specific pass, and co-orbital engagements, in which an on-orbit vehicle maneuvers to collide with or detonate near the target. Outcomes include structural breakup, loss of attitude control, sensor or antenna destruction, and wholesale mission termination; secondary effects include debris creation whose persistence depends on altitude and geometry. Because launches and on-orbit collisions are measurable, these actions tend to be more attributable and offer near–real-time confirmation of effect compared to non-kinetic methods." ; rdfs:seeAlso . d3f:EX-0017.01 a owl:Class ; rdfs:label "Direct Ascent ASAT - SPARTA" ; skos:prefLabel "Direct Ascent ASAT" ; rdfs:subClassOf d3f:EX-0017 ; d3f:attack-id "EX-0017.01" ; d3f:definition """A direct-ascent ASAT is often the most commonly thought of threat to space assets. It typically involves a medium- or long-range missile launching from the Earth to damage or destroy a satellite in orbit. This form of attack is often easily attributed due to the missile launch which can be easily detected. Due to the physical nature of the attacks, they are irreversible and provide the attacker with near real-time confirmation of success. Direct-ascent ASATs create orbital debris which can be harmful to other objects in orbit. Lower altitudes allow for more debris to burn up in the atmosphere, while attacks at higher altitudes result in more debris remaining in orbit, potentially damaging other spacecraft in orbit.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso . d3f:EX-0017.02 a owl:Class ; rdfs:label "Co-Orbital ASAT - SPARTA" ; skos:prefLabel "Co-Orbital ASAT" ; rdfs:subClassOf d3f:EX-0017 ; d3f:attack-id "EX-0017.02" ; d3f:definition "A co-orbital ASAT uses a spacecraft already in space to conduct a deliberate collision or near-field detonation. After insertion, often well before any hostile action, the vehicle performs rendezvous and proximity operations to achieve the desired relative geometry, then closes to impact or triggers a kinetic or explosive device. Guidance relies on relative navigation (optical, lidar, crosslink cues) and precise timing to manage closing speeds and contact angle. Compared with direct-ascent shots, co-orbital approaches can loiter, shadow, or “stalk” a target for extended periods, masking as inspection or servicing until the terminal maneuver. Effects include mechanical disruption, fragmentation, or mission-ending damage, with debris characteristics shaped by the chosen altitude, closing velocity, and collision geometry." ; rdfs:seeAlso . d3f:EX-0018 a owl:Class, owl:NamedIndividual ; rdfs:label "Non-Kinetic Physical Attack - SPARTA" ; skos:prefLabel "Non-Kinetic Physical Attack" ; rdfs:subClassOf d3f:SPARTAExecutionTechnique, [ a owl:Restriction ; owl:onProperty d3f:impairs ; owl:someValuesFrom d3f:OTEmbeddedComputer ] ; d3f:attack-id "EX-0018" ; d3f:definition "The adversary inflicts physical effects on a satellite without mechanical contact, using energy delivered through the environment. Principal modalities are electromagnetic pulse (EMP), high-power laser (optical/thermal effects), and high-power microwave (HPM). These methods can be tuned for reversible disruption (temporary sensor saturation, processor upsets) or irreversible damage (component burnout, optics degradation), and may be executed from ground, airborne, or space platforms given line-of-sight and power/aperture conditions. Forensics are often ambiguous: signatures may resemble environmental phenomena or normal degradations, and confirmation of effect is frequently limited to what the operator observes in telemetry or performance loss." ; d3f:impairs d3f:OTEmbeddedComputer ; rdfs:seeAlso . d3f:EX-0018.01 a owl:Class ; rdfs:label "Electromagnetic Pulse (EMP) - SPARTA" ; skos:prefLabel "Electromagnetic Pulse (EMP)" ; rdfs:subClassOf d3f:EX-0018 ; d3f:attack-id "EX-0018.01" ; d3f:definition "An EMP delivers a broadband, high-amplitude electromagnetic transient that couples into spacecraft electronics and harnesses, upsetting or damaging components over wide areas. In space, the archetype is a high-altitude nuclear event whose prompt fields induce immediate upsets and whose secondary radiation environment elevates dose and charging for an extended period along affected orbits. Consequences include widespread single-event effects, latch-ups, permanent degradation of sensitive devices, and accelerated aging of solar arrays and materials. The effect envelope is large and largely indiscriminate: multiple satellites within view can experience simultaneous anomalies consistent with intense electromagnetic stress and enhanced radiation." ; rdfs:seeAlso . d3f:EX-0018.02 a owl:Class ; rdfs:label "High-Powered Laser - SPARTA" ; skos:prefLabel "High-Powered Laser" ; rdfs:subClassOf d3f:EX-0018 ; d3f:attack-id "EX-0018.02" ; d3f:definition """A high-powered laser can be used to permanently or temporarily damage critical satellite components (i.e. solar arrays or optical centers). If directed toward a satellite’s optical center, the attack is known as blinding or dazzling. Blinding, as the name suggests, causes permanent damage to the optics of a satellite. Dazzling causes temporary loss of sight for the satellite. While there is clear attribution of the location of the laser at the time of the attack, the lasers used in these attacks may be mobile, which can make attribution to a specific actor more difficult because the attacker does not have to be in their own nation, or even continent, to conduct such an attack. Only the satellite operator will know if the attack is successful, meaning the attacker has limited confirmation of success, as an attacked nation may not choose to announce that their satellite has been attacked or left vulnerable for strategic reasons. A high-powered laser attack can also leave the targeted satellite disabled and uncontrollable, which could lead to collateral damage if the satellite begins to drift. A higher-powered laser may permanently damage a satellite by overheating its parts. The parts most susceptible to this are satellite structures, thermal control panels, and solar panels.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso . d3f:EX-0018.03 a owl:Class ; rdfs:label "High-Powered Microwave - SPARTA" ; skos:prefLabel "High-Powered Microwave" ; rdfs:subClassOf d3f:EX-0018 ; d3f:attack-id "EX-0018.03" ; d3f:definition """High-powered microwave (HPM) weapons can be used to disrupt or destroy a satellite’s electronics. A “front-door” HPM attack uses a satellite’s own antennas as an entry path, while a “back-door” attack attempts to enter through small seams or gaps around electrical connections and shielding. A front-door attack is more straightforward to carry out, provided the HPM is positioned within the field of view of the antenna that it is using as a pathway, but it can be thwarted if the satellite uses circuits designed to detect and block surges of energy entering through the antenna. In contrast, a back-door attack is more challenging, because it must exploit design or manufacturing flaws, but it can be conducted from many angles relative to the satellite. Both types of attacks can be either reversible or irreversible; however, the attacker may not be able to control the severity of the damage from the attack. Both front-door and back-door HPM attacks can be difficult to attribute to an attacker, and like a laser weapon, the attacker may not know if the attack has been successful. A HPM attack may leave the target satellite disabled and uncontrollable which can cause it to drift into other satellites, creating further collateral damage.* *https://aerospace.csis.org/aerospace101/counterspace-weapons-101""" ; rdfs:seeAlso . d3f:ExactMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Exact Matching" ; rdfs:subClassOf d3f:EquivalenceMatching, d3f:NumericPatternMatching ; d3f:d3fend-id "D3A-EM" ; d3f:definition "Exact matching for numeric types is just the simple test for mathematical equivalence of the values being matched." ; d3f:kb-article """## References 1. Equality (mathematics). (2023, May 31). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Equality_(mathematics)]""" ; d3f:synonym "Numeric Equivalence Matching" . d3f:ExceptionHandler a owl:Class ; rdfs:label "Exception Handler" ; rdfs:subClassOf d3f:Subroutine ; d3f:definition "An exception handler is a code segment that processes an exception." ; rdfs:seeAlso . d3f:ExceptionHandlerPointerValidation a d3f:ExceptionHandlerPointerValidation, owl:Class, owl:NamedIndividual ; rdfs:label "Exception Handler Pointer Validation" ; rdfs:subClassOf d3f:ApplicationHardening, [ a owl:Restriction ; owl:onProperty d3f:validates ; owl:someValuesFrom d3f:Pointer ] ; d3f:d3fend-id "D3-EHPV" ; d3f:definition "Validates that a referenced exception handler pointer is a valid exception handler." ; d3f:kb-article """## How It Works When a process encounters an exception, it calls an exception handler to deal with the exception. The method by which this exception handler is determined varies by the operating system. The exception handler is called, even if it is the default exception handler to terminate the program and display a message that the program stopped working. In the case that no valid exception handler is found, the program would fail to proceed as normal and could be programmed to terminate. In Windows, the address of the exception registration record is stored at the very start of the the Thread Information Block; the GS register points to this structure. The exception registration record contains two pointers: a pointer to the next exception registration record should this handler fail to handle the exception, and a pointer to the handler. A buffer overflow can overwrite the saved return pointer with an invalid location to execute memory; this often triggers the exception handler chain, which could also be corrupted by the buffer overflow. Although Process Exception Handler Validation does not make sure that the exception handler pointer or the code at the exception handler was unaltered, or that the exception handler code is secure, this technique does ensure that the pointer is at least an exception handler that could be called by the program. With Process Exception Handler Validation, before the handler is called, it checks the exception handler against a source of valid exception handlers. If the requested handler is not in this list, other techniques such as those in Process Eviction might be invoked, such as Process Termination to end the current process, or Executable Blacklisting to blacklist the potentially vulnerable or malfunctioning executable. ### Runtime valid exception handler source generation The source of valid exception handlers could be generated at runtime, with the risk of the information that is used to determine the validity of exception handlers being compromised. ### Compile-time The source of valid exception handlers could also be generated at compile time or as a binary patch. Given the source code, it would be rather straightforward to find the exceptions, as they are pointed in the catch statement of a try-catch clause and the compiler must already generate the code to call exceptions from this. ## Considerations If the program file can be altered by the attacker, then the security could be bypassed by replacing it with any desired program, without even bypassing SEH. If the attacker was already able to overwrite the code for a valid exception handler via other functionality in the program, this defense would not prevent arbitrary code execution. If an exception handler recognized as valid is vulnerable, it would be executed anyway. SafeSEH might be applied only to some executable files or modules, allowing an attacker to call any piece of code as an exception handler in the unprotected modules.""" ; d3f:kb-reference d3f:Reference-SAFESEH_ImageHasSafeExceptionHandlers_MicrosoftDocs ; d3f:synonym "Exception Handler Validation" ; d3f:validates d3f:Pointer . d3f:Exec a owl:Class, owl:NamedIndividual ; rdfs:label "Exec" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:executes ; owl:someValuesFrom d3f:ExecutableBinary ] ; d3f:executes d3f:ExecutableBinary ; rdfs:seeAlso . d3f:ExecutableAllowlisting a d3f:ExecutableAllowlisting, d3f:PlatformHardening, owl:Class, owl:NamedIndividual ; rdfs:label "Executable Allowlisting" ; rdfs:subClassOf d3f:ExecutionIsolation, [ a owl:Restriction ; owl:onProperty d3f:blocks ; owl:someValuesFrom d3f:ExecutableFile ], [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:CreateProcess ] ; d3f:blocks d3f:ExecutableFile ; d3f:d3fend-id "D3-EAL" ; d3f:definition "Using a digital signature to authenticate a file before opening." ; d3f:filters d3f:CreateProcess ; d3f:kb-article """## How it works This technique is generic and there are numerous ways to compute and authenticate digital signatures. A digital certificate is generated from a private/public key pair issued by a certificate authority (CA). A hash of the file is encrypted using the private key. When the file is downloaded by another user, the user's system uses the public key to decrypt the hash and a new hash is created of the downloaded file. The hash decrypted by the public key is compared to the new hash and if there is a mismatch, further techniques, such as file deletion, file quarantine, or **Executable Blacklisting** may be invoked. This technique may be invoked when deciding whether to load or execute a file. ## Considerations Organizations which download or create high volumes of software make management complex, in particular engineering or scientific organizations.""" ; d3f:kb-reference d3f:Reference-EnhancingNetworkSecurityByPreventingUser-InitiatedMalwareExecution_, ; d3f:synonym "File Signature Authentication" . d3f:ExecutableBinary a owl:Class, owl:NamedIndividual ; rdfs:label "Executable Binary" ; rdfs:subClassOf d3f:ExecutableFile, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ImageCodeSegment ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ImageDataSegment ], [ a owl:Restriction ; owl:onProperty d3f:may-interpret ; owl:someValuesFrom d3f:ExecutableScript ] ; d3f:contains d3f:ImageCodeSegment, d3f:ImageDataSegment ; d3f:definition "An executable binary contains machine code instructions for a physical CPU. D3FEND also considers byte code for a virtual machine to be binary code. This is in contrast to executable scripts written in a scripting language." ; d3f:may-interpret d3f:ExecutableScript ; rdfs:seeAlso . d3f:ExecutableDenylisting a d3f:ExecutableDenylisting, owl:Class, owl:NamedIndividual ; rdfs:label "Executable Denylisting" ; rdfs:subClassOf d3f:ExecutionIsolation, [ a owl:Restriction ; owl:onProperty d3f:blocks ; owl:someValuesFrom d3f:ExecutableFile ], [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:CreateProcess ] ; d3f:blocks d3f:ExecutableFile ; d3f:d3fend-id "D3-EDL" ; d3f:definition "Blocking the execution of files on a host in accordance with defined application policy rules." ; d3f:filters d3f:CreateProcess ; d3f:kb-article """## How it works #### Criteria A policy-enforcing application can register an application for denylisting based on conditions including the following: * File attributes * file name * file path * file hash * file publisher, as obtained from the digital signature * permissions of the file * File malware scan (eg. Windows SmartScreen) * User-File combination This may be done to prevent execution of applications which are: * an old version with known vulnerabilities * without a valid license, which could cause legal issues * in a directory that is accessible to low-privileged users, that could be accessed by a malware dropper * known trojan horse programs * too open in their permissions, possibly set to run as a user other than the originator or allowing execution when they should not be * a match to the hash of other known malware * are detected as undesirable based on a file scan runtime behavior System administrators will customize the rules for the given environment. #### Backend The policy-enforcing program may work by running in kernel mode, and [intercepting] [system calls which execute a process]. ## Considerations * If denylisting is done by filename, filepath, or hash, these mechanisms may be a worthy first line of defense and detection, but could still be evaded by an attacker. * Continuous management is needed to keep the denylist up to date, whether it is based on hash, publisher, behavior, or any other digital artifact. * Although denylists based on attributes such as file path and virus scan could defend against some threats which they have not been explicitly coded to block, denylists may not provide protection from new, unknown, or zero day attacks. ## Examples On a Windows machine the Windows Defender Application Control (WDAC) policy enforcement is run in the kernel and allows for restricting applications.""" ; d3f:kb-reference d3f:Reference-MethodAndApparatusForIncreasingTheSpeedAtWhichComputerVirusesAreDetected_McAfeeLLC, ; d3f:synonym "Executable Blacklisting" . d3f:ExecutableFile a owl:Class, owl:NamedIndividual ; rdfs:label "Executable File" ; skos:altLabel "Executable" ; rdfs:subClassOf d3f:File, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Subroutine ] ; rdfs:isDefinedBy ; d3f:contains d3f:Subroutine ; d3f:definition "In computing, executable code or an executable file or executable program, sometimes simply an executable, causes a computer \"to perform indicated tasks according to encoded instructions,\" as opposed to a data file that must be parsed by a program to be meaningful. These instructions are traditionally machine code instructions for a physical CPU. However, in a more general sense, a file containing instructions (such as bytecode) for a software interpreter may also be considered executable; even a scripting language source file may therefore be considered executable in this sense. The exact interpretation depends upon the use; while the term often refers only to machine code files, in the context of protection against computer viruses all files which cause potentially hazardous instruction" . d3f:ExecutableScript a owl:Class, owl:NamedIndividual ; rdfs:label "Executable Script" ; rdfs:subClassOf d3f:ExecutableFile ; d3f:definition "An executable script is written in a scripting language and interpreted at run time. This is in contrast with an executable binary, which contains machine code instructions for a physical CPU or byte code for a virtual machine." ; rdfs:seeAlso . d3f:ExecutionIsolation a d3f:ExecutionIsolation, owl:Class, owl:NamedIndividual ; rdfs:label "Execution Isolation" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Isolate ] ; d3f:d3fend-id "D3-EI" ; d3f:definition "Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files." ; d3f:enables d3f:Isolate . d3f:ExecutionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Execution Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0002 ] ; d3f:definition "The adversary is trying to run malicious code." ; d3f:enables d3f:TA0002 . d3f:EXF-0001 a owl:Class ; rdfs:label "Replay - SPARTA" ; skos:prefLabel "Replay" ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; d3f:attack-id "EXF-0001" ; d3f:definition "The adversary re-sends previously valid commands or procedures to cause the spacecraft to transmit data again, then captures the resulting downlink. Typical targets are recorder playbacks, payload product dumps, housekeeping snapshots, or file directory listings. By aligning replays with geometry (e.g., when the satellite is in view of actor-controlled apertures) and with acceptance conditions (counters, timetags, mode), the attacker induces legitimate transmissions that appear routine to operators. Variants include selectively replaying index ranges to fetch only high-value intervals, reissuing subscription/telemetry-rate changes to increase data volume, or queueing playbacks that fire during later passes when interception is feasible." ; rdfs:seeAlso . d3f:EXF-0002 a owl:Class ; rdfs:label "Side-Channel Exfiltration - SPARTA" ; skos:prefLabel "Side-Channel Exfiltration" ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; d3f:attack-id "EXF-0002" ; d3f:definition "Information is extracted not by reading files or decrypting frames but by observing physical or protocol byproducts of computation, power draw, electromagnetic emissions, timing, thermal signatures, or traffic patterns. Repeated measurements create distinctive fingerprints correlated with internal states (key use, table loads, parser branches, buffer occupancy). Matching those fingerprints to models or templates yields sensitive facts without direct access to the protected data. In space systems, vantage points span proximity assets (for EM/thermal), ground testing and ATLO (for direct probing), compromised on-board modules that can sample rails or sensors, and remote observation of link-layer timing behaviors." ; rdfs:seeAlso . d3f:EXF-0002.01 a owl:Class ; rdfs:label "Power Analysis Attacks - SPARTA" ; skos:prefLabel "Power Analysis Attacks" ; rdfs:subClassOf d3f:EXF-0002 ; d3f:attack-id "EXF-0002.01" ; d3f:definition "The attacker infers secrets by measuring instantaneous power consumption of target devices, often crypto engines or controllers, and correlating traces with hypothesized internal operations. Simple power analysis (SPA) extracts structure (operation sequences, key-dependent branches); differential/correlation power analysis (DPA/CPA) uses many traces and statistics to recover key bits from tiny data-dependent variations. Practically, measurements may come from instrumented rails during I&T, from a compromised payload monitoring local supplies, or from co-located hardware that senses current/voltage fluctuations. With sufficient traces and alignment (triggering on command/crypto invocation), internal values become observable through their power signatures." ; rdfs:seeAlso . d3f:EXF-0002.02 a owl:Class ; rdfs:label "Electromagnetic Leakage Attacks - SPARTA" ; skos:prefLabel "Electromagnetic Leakage Attacks" ; rdfs:subClassOf d3f:EXF-0002 ; d3f:attack-id "EXF-0002.02" ; d3f:definition "Switching activity in chips, buses, and clocks radiates EM energy that can be captured and analyzed to reveal internal computation. Near-field probes (in test) or proximity receivers (on-orbit assets) can observe harmonics and modulation tied to cipher rounds, key schedules, or protocol framing, sometimes with finer granularity than power analysis. Coupling paths include packages, harnesses, SDR front ends, and poorly shielded enclosures. By training on known operations and comparing spectra or time-domain signatures, an adversary can recover keys or reconstruct processed data without touching logical interfaces." ; rdfs:seeAlso . d3f:EXF-0002.03 a owl:Class ; rdfs:label "Traffic Analysis Attacks - SPARTA" ; skos:prefLabel "Traffic Analysis Attacks" ; rdfs:subClassOf d3f:EXF-0002 ; d3f:attack-id "EXF-0002.03" ; d3f:definition "In a terrestrial environment, threat actors use traffic analysis attacks to analyze traffic flow to gather topological information. This traffic flow can divulge information about critical nodes, such as the aggregator node in a sensor network. In the space environment, specifically with relays and constellations, traffic analysis can be used to understand the energy capacity of spacecraft node and the fact that the transceiver component of a spacecraft node consumes the most power. The spacecraft nodes in a constellation network limit the use of the transceiver to transmit or receive information either at a regulated time interval or only when an event has been detected. This generally results in an architecture comprising some aggregator spacecraft nodes within a constellation network. These spacecraft aggregator nodes are the sensor nodes whose primary purpose is to relay transmissions from nodes toward the ground station in an efficient manner, instead of monitoring events like a normal node. The added functionality of acting as a hub for information gathering and preprocessing before relaying makes aggregator nodes an attractive target to side channel attacks. A possible side channel attack could be as simple as monitoring the occurrences and duration of computing activities at an aggregator node. If a node is frequently in active states (instead of idle states), there is high probability that the node is an aggregator node and also there is a high probability that the communication with the node is valid. Such leakage of information is highly undesirable because the leaked information could be strategically used by threat actors in the accumulation phase of an attack." ; rdfs:seeAlso . d3f:EXF-0002.04 a owl:Class ; rdfs:label "Timing Attacks - SPARTA" ; skos:prefLabel "Timing Attacks" ; rdfs:subClassOf d3f:EXF-0002 ; d3f:attack-id "EXF-0002.04" ; d3f:definition "Execution time varies with inputs and branches; precise measurement turns that variance into information. The attacker times acknowledgments, response latencies, or framing gaps to learn which code paths ran (e.g., MAC verified vs. failed, table entry present vs. absent) and to infer bits of secrets in timing-sensitive routines such as cryptographic checks. On resource-constrained processors and deterministic RTOSes, small differences persist across runs, making remote timing feasible over RF if clocks and propagation are accounted for. Combined with chosen inputs and statistics, these measurements leak internal state faster than brute-force cryptanalysis." ; rdfs:seeAlso . d3f:EXF-0002.05 a owl:Class ; rdfs:label "Thermal Imaging attacks - SPARTA" ; skos:prefLabel "Thermal Imaging attacks" ; rdfs:subClassOf d3f:EXF-0002 ; d3f:attack-id "EXF-0002.05" ; d3f:definition "Threat actors can leverage thermal imaging attacks (e.g., infrared images) to measure heat that is emitted as a means to exfiltrate information from spacecraft processors. Thermal attacks rely on temperature profiling using sensors to extract critical information from the chip(s). The availability of highly sensitive thermal sensors, infrared cameras, and techniques to calculate power consumption from temperature distribution [7] has enhanced the effectiveness of these attacks. As a result, side-channel attacks can be performed by using temperature data without measuring power pins of the chip." ; rdfs:seeAlso . d3f:EXF-0003 a owl:Class ; rdfs:label "Signal Interception - SPARTA" ; skos:prefLabel "Signal Interception" ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; d3f:attack-id "EXF-0003" ; d3f:definition "The adversary captures mission traffic in transit, on ground networks or over the space link, so that payload products, housekeeping, and command/ack exchanges can be reconstructed offline. Vantage points include tapped ground LANs/WANs between MOC and stations, baseband interfaces (IF/IQ), RF/optical receptions within the antenna field of view, and crosslink monitors. Depending on protection, the haul ranges from plaintext frames to encrypted bitstreams whose headers, rates, and schedules still yield valuable context (APIDs, VCIDs, pass timing, file manifest cues). Intercepted sessions can guide later replay, cloning, or targeted downlink requests." ; rdfs:seeAlso . d3f:EXF-0003.01 a owl:Class ; rdfs:label "Uplink Exfiltration - SPARTA" ; skos:prefLabel "Uplink Exfiltration" ; rdfs:subClassOf d3f:EXF-0003 ; d3f:attack-id "EXF-0003.01" ; d3f:definition "Here the target is command traffic from ground to space. By receiving or tapping the uplink path, the adversary collects telecommand frames, ranging/acquisition exchanges, and any file or table uploads. If confidentiality is weak or absent, opcode/argument content, dictionaries, and procedures become directly readable; even when encrypted, session structure, counters, and acceptance timing inform future command-link intrusion or replay. Captured material can reveal maintenance windows, contingency dictionaries, and authentication schemes that enable subsequent exploitation." ; rdfs:seeAlso . d3f:EXF-0003.02 a owl:Class ; rdfs:label "Downlink Exfiltration - SPARTA" ; skos:prefLabel "Downlink Exfiltration" ; rdfs:subClassOf d3f:EXF-0003 ; d3f:attack-id "EXF-0003.02" ; d3f:definition "The attacker records spacecraft-to-ground traffic, real-time telemetry, recorder playbacks, payload products, and mirrored command sessions, to obtain mission data and health/state information. With sufficient signal quality and protocol knowledge, frames and packets are demodulated and extracted for offline use; where protection exists only on uplink or is inconsistently applied, downlink content may still be in clear. Downlinked command echoes, event logs, and file catalogs can expose internal activities and aid follow-on targeting while the primary objective remains data capture at scale." ; rdfs:seeAlso . d3f:EXF-0004 a owl:Class ; rdfs:label "Out-of-Band Communications Link - SPARTA" ; skos:prefLabel "Out-of-Band Communications Link" ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; d3f:attack-id "EXF-0004" ; d3f:definition "Some missions field secondary links, separate frequencies and hardware, for limited, purpose-built functions (e.g., rekeying, emergency commanding, beacons, custodial crosslinks). Adversaries co-opt these channels as covert data paths: embedding content in maintenance messages, beacon fields, or low-rate housekeeping; initiating vendor/service modes that carry file fragments; or switching to contingency profiles that bypass normal routing and monitoring. Because these paths are distinct from the main TT&C and may be sparsely supervised, they provide discreet avenues to move data off the spacecraft or to external relays without altering the primary link’s traffic patterns." ; rdfs:seeAlso . d3f:EXF-0005 a owl:Class ; rdfs:label "Proximity Operations - SPARTA" ; skos:prefLabel "Proximity Operations" ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; d3f:attack-id "EXF-0005" ; d3f:definition "A nearby vehicle serves as the collection platform for unintended emissions and other proximate signals, effectively a mobile TEMPEST/EMSEC sensor. From close range, the adversary measures near-field RF, conducted/structure-borne emissions, optical/IR signatures, or leaked crosslink traffic correlated with on-board activity, then decodes or models those signals to recover information (keys, tables, procedure execution, payload content). Proximity also enables directional gain and repeated sampling passes, turning weak side channels into usable exfiltration without engaging the victim’s logical interfaces." ; rdfs:seeAlso . d3f:EXF-0006 a owl:Class ; rdfs:label "Modify Communications Configuration - SPARTA" ; skos:prefLabel "Modify Communications Configuration" ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; d3f:attack-id "EXF-0006" ; d3f:definition "The adversary alters radio/optical link configuration so the spacecraft emits mission data over paths the program does not monitor or control. Levers include retuning carriers, adding sidebands or subcarriers, changing modulation/coding profiles, remapping virtual channels/APIDs, editing beacon content, or redirecting routing tables in regenerative payloads. Data can be embedded steganographically (idle fields, padding, frame counters, pilot tones) or carried on a covert auxiliary downlink/crosslink pointed at attacker-owned apertures. Because these emissions conform to plausible waveforms and scheduler behavior, they appear as ordinary link activity while quietly conveying payload products, housekeeping, or file fragments to non-mission receivers." ; rdfs:seeAlso . d3f:EXF-0006.01 a owl:Class, owl:NamedIndividual ; rdfs:label "Software Defined Radio - SPARTA" ; skos:prefLabel "Software Defined Radio" ; rdfs:subClassOf d3f:EXF-0006, [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:Software-definedRadioConfiguration ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:Software-definedRadioWaveformApplication ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:Software-definedRadio ] ; d3f:attack-id "EXF-0006.01" ; d3f:definition "Programmable SDRs let an attacker introduce new waveforms or piggyback payloads into existing ones. By modifying DSP chains (filters, mixers, FEC, framing), the actor can: add a low-rate subcarrier under the main modulation, alter preamble/pilot sequences to encode bits, vary puncturing/interleaver patterns as a covert channel, or schedule brief “maintenance” bursts that actually carry exfiltrated data. Changes may be packaged as legitimate updates or configuration profiles so the SDR transmits toward attacker-visible geometry using standard equipment, while mission tooling interprets the emission as routine." ; d3f:may-modify d3f:Software-definedRadioConfiguration, d3f:Software-definedRadioWaveformApplication ; d3f:modifies d3f:Software-definedRadio ; rdfs:seeAlso . d3f:EXF-0006.02 a owl:Class, owl:NamedIndividual ; rdfs:label "Transponder - SPARTA" ; skos:prefLabel "Transponder" ; rdfs:subClassOf d3f:EXF-0006, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:SatelliteTransponder ] ; d3f:attack-id "EXF-0006.02" ; d3f:definition "On bent-pipe or regenerative transponders, configuration controls what is translated, amplified, and routed. An adversary can remap input–output paths, shift translation frequencies, adjust polarization or gain to favor non-mission receivers, or enable auxiliary ports so selected virtual channels or recorder playbacks are forwarded outside the planned ground segment. In regenerative systems, edited routing tables or QoS rules can mirror traffic to an attacker-controlled endpoint. The result is a sanctioned-looking carrier that quietly delivers mission data to unauthorized listeners." ; d3f:modifies d3f:SatelliteTransponder ; rdfs:seeAlso . d3f:EXF-0007 a owl:Class ; rdfs:label "Compromised Ground System - SPARTA" ; skos:prefLabel "Compromised Ground System" ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; d3f:attack-id "EXF-0007" ; d3f:definition "The adversary resides in mission ground infrastructure and uses its trusted position to siphon data at scale. With access to operator workstations, mission control servers, baseband/modem chains, telemetry processing pipelines, or archive databases, the attacker can mirror real-time streams, scrape recorder playbacks, export payload products, and harvest procedure logs and command histories. Because exfiltration rides normal paths, file staging areas, data distribution services, cloud relays, or cross-site links, it blends with routine dissemination. Compromise of scheduling tools and pass plans also lets the actor time captures to high-value downlinks and automate bulk extraction without touching the spacecraft." ; rdfs:seeAlso . d3f:EXF-0008 a owl:Class ; rdfs:label "Compromised Developer Site - SPARTA" ; skos:prefLabel "Compromised Developer Site" ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; d3f:attack-id "EXF-0008" ; d3f:definition "By breaching development or integration environments (at the mission owner, contractor, or partner), the adversary gains access to source code, test vectors, telemetry captures, build artifacts, documentation, and configuration data, material that is often more complete than flight archives. Beyond theft of intellectual property, the attacker can embed telemetry taps, extended logging, or data “export” features into test harnesses, simulators, or flight builds so that, once fielded, the system produces extra observables or forwards content to non-mission endpoints. This activity typically occurs pre-launch during software production and ATLO, positioning exfiltration mechanisms to activate later in flight." ; rdfs:seeAlso . d3f:EXF-0009 a owl:Class ; rdfs:label "Compromised Partner Site - SPARTA" ; skos:prefLabel "Compromised Partner Site" ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; d3f:attack-id "EXF-0009" ; d3f:definition "The adversary leverages third-party infrastructure connected to the mission, commercial ground stations, relay networks, operations service providers, data processing partners, to capture or relay mission data outside official channels. From these footholds, the attacker can mirror TT&C and payload feeds, scrape shared repositories, and man-in-the-middle cross-organization links (e.g., between partner stations and the primary MOC). Because partner environments vary in segmentation and monitoring, exfiltration can affect multiple missions or operators simultaneously, with stolen data exiting through the partner’s routine distribution mechanisms." ; rdfs:seeAlso . d3f:EXF-0010 a owl:Class ; rdfs:label "Payload Communication Channel - SPARTA" ; skos:prefLabel "Payload Communication Channel" ; rdfs:subClassOf d3f:SPARTAExfiltrationTechnique ; d3f:attack-id "EXF-0010" ; d3f:definition "Many payloads maintain communications separate from the primary TT&C, direct downlinks to user terminals, customer networks, or experimenter VPNs. An adversary who implants code in the payload (or controls its gateway) can route host-bus data into these channels, embed content within payload products (e.g., steganographic fields in imagery/telemetry), or schedule covert file transfers alongside legitimate deliveries. Because these paths are expected to carry high-rate mission data and may bypass TT&C monitoring, they provide a discreet conduit to exfiltrate payload or broader spacecraft information without altering the primary command link’s profile." ; rdfs:seeAlso . d3f:ExfiltrationTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Exfiltration Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0010 ] ; d3f:definition "The adversary is trying to steal data." ; d3f:enables d3f:TA0010 . d3f:Expectation-maximizationClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Expectation-maximization Clustering" ; rdfs:subClassOf d3f:Distribution-basedClustering ; d3f:d3fend-id "D3A-EMC" ; d3f:definition "An unsupervised clustering algorithm and extends to NLP applications like Latent Dirichlet Allocation, the Baum-Welch algorithm for Hidden Markov Models, and medical imaging." ; d3f:kb-article """## References Towards Data Science. (n.d.). Expectation Maximization Explained. [Link](https://towardsdatascience.com/expectation-maximization-explained-c82f5ed438e5#:~:text=Expectation%20Maximization%20(EM)%20is%20a,Markov%20Models%2C%20and%20medical%20imaging.)""" . d3f:ExpectedErrorReduction a owl:Class, owl:NamedIndividual ; rdfs:label "Expected Error Reduction" ; rdfs:subClassOf d3f:ActiveLearning ; d3f:d3fend-id "D3A-EER" ; d3f:definition "Expected Error Reduction (EER) follows similar ideas as EMC, but again looks at the model output instead of the model itself and also takes the other data into account. In particular, a sample x is considered useful, if we can expect that knowing the label will reduce the future error on unseen samples" ; d3f:kb-article """## References Intro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).""" . d3f:ExpectedModelChange a owl:Class, owl:NamedIndividual ; rdfs:label "Expected Model Change" ; rdfs:subClassOf d3f:ActiveLearning ; d3f:d3fend-id "D3A-EMC" ; d3f:definition "Supervised learning establishes a relationship between the known input and output variables to conduct a predictive analysis." ; d3f:kb-article """nal Consiterations ## References Intro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).""" . d3f:ExternalContentInclusionFunction a owl:Class, owl:NamedIndividual ; rdfs:label "External Content Inclusion Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:File ] ; d3f:accesses d3f:File ; d3f:definition "A subroutine which handles a content inclusion directive from an original file. When invoked, the external content is included in the resulting open file." . d3f:ExternalControl a owl:Class ; rdfs:label "External Control" ; rdfs:subClassOf d3f:ExternalControlThing, [ a owl:Restriction ; owl:onProperty d3f:member-of ; owl:someValuesFrom d3f:ControlCatalog ], [ a owl:Restriction ; owl:onProperty d3f:semantic-relation ; owl:someValuesFrom d3f:DefensiveTechnique ] . d3f:ExternalControlThing a owl:Class ; rdfs:label "External Control Thing" ; rdfs:subClassOf d3f:ExternalThing . d3f:ExternalKnowledgeBase a owl:Class ; rdfs:label "External Knowledge Base" ; rdfs:subClassOf d3f:TechniqueReference ; d3f:pref-label "External Knowledge Base" . d3f:ExternalThing a owl:Class ; rdfs:label "External Thing" . d3f:ExternalThreatModelThing a owl:Class ; rdfs:label "External Threat Model Thing" ; rdfs:subClassOf d3f:ExternalThing . d3f:FastSymbolicLink a owl:Class ; rdfs:label "Fast Symbolic Link" ; skos:altLabel "Fast Symlink" ; rdfs:subClassOf d3f:SymbolicLink, d3f:UnixLink ; owl:disjointWith d3f:SlowSymbolicLink ; rdfs:isDefinedBy ; d3f:definition "Fast symbolic links, allow storage of the target path within the data structures used for storing file information on disk (e.g., within the inodes). This space normally stores a list of disk block addresses allocated to a file. Thus, symlinks with short target paths are accessed quickly. Systems with fast symlinks often fall back to using the original method if the target path exceeds the available inode space." ; rdfs:seeAlso . d3f:File a owl:Class, owl:NamedIndividual ; rdfs:label "File" ; rdfs:subClassOf d3f:Resource, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:FileSection ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:File ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:URL ] ; d3f:contains d3f:FileSection ; d3f:definition "A file maintained in computer-readable form." ; d3f:may-contain d3f:File, d3f:URL ; rdfs:seeAlso . d3f:FileAccessEvent a owl:Class ; rdfs:label "File Access Event" ; rdfs:subClassOf d3f:FileEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:FilePathOpenFunction ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ] ; d3f:definition "An event where a file is accessed for operations such as reading, opening, or inspecting its contents or metadata, without necessarily modifying its state." . d3f:FileAccessPatternAnalysis a d3f:FileAccessPatternAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "File Access Pattern Analysis" ; rdfs:subClassOf d3f:ProcessAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:LocalResourceAccess ] ; d3f:analyzes d3f:LocalResourceAccess ; d3f:d3fend-id "D3-FAPA" ; d3f:definition "Analyzing the files accessed by a process to identify unauthorized activity." ; d3f:kb-article """## How it works File modifying malware such as wipers and ransomware are detected by identifying file access patterns that are associated with a malicious process. Examples of file access patterns include accessing a large number of files, accessing multiple file types, files being accessed located in multiple locations in a directory, and copying a file and encrypting the contents of that file into a copy. ## Considerations Certain file access actions may not be statistically different from authorized activity.""" ; d3f:kb-reference d3f:Reference-File-modifyingMalwareDetection_CrowdstrikeInc . d3f:FileAnalysis a d3f:FileAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "File Analysis" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:File ], [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Detect ] ; d3f:analyzes d3f:File ; d3f:d3fend-id "D3-FA" ; d3f:definition "File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc." ; d3f:enables d3f:Detect ; d3f:kb-article """## Technique Overview Some techniques use file signatures or file metadata to compare against historical collections of malware. Files may also be compared against a source of ground truth such as cryptographic signatures. Examining files for potential malware using pattern matching against file contents/file behavior. Binary code may be dissembled and analyzed for predictive malware behavior, such as API call signatures. Analysis might occur within a protected environment such as a sandbox or live system.""" . d3f:FileCarving a d3f:FileCarving, owl:Class, owl:NamedIndividual ; rdfs:label "File Carving" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:FileTransferNetworkTraffic ] ; d3f:analyzes d3f:FileTransferNetworkTraffic ; d3f:d3fend-id "D3-FC" ; d3f:definition "Identifying and extracting files from network application protocols through the use of network stream reassembly software." ; d3f:kb-article """## How it works Protocol stream reassembly software recreates a directional byte stream by analyzing captured network packets. Once the stream is reassembled pattern matching is applied to determine if it contains a file of interest. Files of interest range from executable, archive, or document file formats. Once the file is captured, it is then processed with standard File Analysis Techniques. Example network protocols include HTTP, SMTP, FTP, HTTP/2, and TLS/HTTP/Dropbox. ## Considerations - This is an error prone process due to the intricacies of network protocols and network packet capture. For example reassembly may be done in real-time or streaming fashion, or packets may be written to disk, then bulk processed. The packets may arrive out of order, with fragmentation, duplicates, or re-transmissions. The reassembly software must compensate for the imperfect packet stream in order to recreate the well formed file which was transmitted. - File type identification can be a difficult process which can be exploited by adversaries.""" ; d3f:kb-reference d3f:Reference-ComputerWormDefenseSystemAndMethod_FireEyeInc . d3f:FileContentAnalysis a d3f:FileContentAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "File Content Analysis" ; rdfs:subClassOf d3f:FileAnalysis ; d3f:d3fend-id "D3-FCOA" ; d3f:definition "Employing a pattern matching algorithm to statically analyze the content of files." ; d3f:kb-article """## How it works Analyzing a piece of code without it being executed in a sandbox, virtual machine, or simulator. Patterns or signatures in the file can indicate whati kind of software it is, including whether it is malware.""" ; d3f:kb-reference d3f:Reference-CyberVaccineAndPredictiveMalwareDefensiveMethodsAndSystems . d3f:FileContentBlock a owl:Class, owl:NamedIndividual ; rdfs:label "File Content Block" ; rdfs:subClassOf d3f:FileSection ; d3f:definition "A section within a file that contains the main content or data payload." . d3f:FileContentBlockData a owl:Class, owl:NamedIndividual ; rdfs:label "File Content Block Data" ; rdfs:subClassOf d3f:DigitalInformation ; d3f:definition "The actual content or main data within a file or data block." . d3f:FileContentBlockMetadata a owl:Class ; rdfs:label "File Content Block Metadata" ; rdfs:subClassOf d3f:FileMetadata ; d3f:definition "Content Blocks may contain metadata specific to the block's content at the beginning." . d3f:FileContentDecompressionChecking a d3f:FileContentDecompressionChecking, owl:Class, owl:NamedIndividual ; rdfs:label "File Content Decompression Checking" ; rdfs:subClassOf d3f:FileFormatVerification, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:FileContentBlockData ] ; d3f:analyzes d3f:FileContentBlockData ; d3f:d3fend-id "D3-FCDC" ; d3f:definition "Checking if compressed or encoded data sections can be successfully decompressed or decoded. Can follow with further analysis with semantic knowledge" ; d3f:kb-article """## How it works Some file formats such as JPEGs include encoded or compressed sections. This technique verfies that those expected sections are present and can be properly decoded according to the spec.""" ; d3f:kb-reference d3f:Reference-CarvingContiguousandFragmentedFilesWithFastObjectValidation, d3f:Reference-GatheringEvidenceModel-DrivenSoftwareEngineeringinAutomatedDigitalForensics . d3f:FileContentRules a d3f:FileContentRules, owl:Class, owl:NamedIndividual ; rdfs:label "File Content Rules" ; rdfs:subClassOf d3f:FileContentAnalysis ; d3f:d3fend-id "D3-FCR" ; d3f:definition "Employing a pattern matching rule language to analyze the content of files." ; d3f:kb-article """## How it works Rules, often called signatures, are used for both generic and targeted malware detection. The rules are usually expressed in a domain specific language (DSL), then deployed to software that scans files for matches. The rules are developed and broadly distributed by commercial vendors, or they are developed and deployed by enterprise security teams to address highly targeted or custom malware. Conceptually, there are public and private rule sets. Both leverage the same technology, but they are intended to detect different types of cyber adversaries. ## Considerations * Patterns expressed in the DSLs range in their complexity. Some scanning engines support file parsing and normalization for high fidelity matching, others support only simple regular expression matching against raw file data. Engineers must make a trade-off in terms of: * The fidelity of the matching capabilities in order to balance high recall with avoiding false positives, * The computational load for scanning, and * The resilience of the engine to deal with adversarial content presented in different forms-- content which in some cases is designed to exploit or defeat the scanning engines. * Signature libraries can become large over time and impact scanning performance. * Some vendors who sell signatures have to delete old signatures over time. * Simple signatures against raw content cannot match against encoded, encrypted, or sufficiently obfuscated content. ## Implementations * YARA * ClamAV""" ; d3f:kb-reference d3f:Reference-ComputationalModelingAndClassificationOfDataStreams_CrowdstrikeInc, d3f:Reference-DetectingScript-basedMalware_CrowdstrikeInc, d3f:Reference-DistributedMeta-informationQueryInANetwork_Bit9Inc, d3f:Reference-SystemAndMethodsThereofForLogicalIdentificationOfMaliciousThreatsAcrossAPluralityOfEnd-pointDevicesCommunicativelyConnectedByANetwork_PaloAltoNetworksIncCyberSecdoLtd ; d3f:synonym "File Content Signatures", "File Signatures" . d3f:FileCopyEvent a owl:Class ; rdfs:label "File Copy Event" ; rdfs:subClassOf d3f:FileCreationEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileAccessEvent ] ; d3f:definition "An event where a file is duplicated, creating a new file in a different location or under a different name while preserving the original file's content and attributes." . d3f:FileCreationAnalysis a d3f:FileCreationAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "File Creation Analysis" ; rdfs:subClassOf d3f:SystemCallAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:CreateFile ] ; d3f:analyzes d3f:CreateFile ; d3f:d3fend-id "D3-FCA" ; d3f:definition "Analyzing the properties of file create system call invocations." ; d3f:kb-reference d3f:Reference-CAR-2020-09-001%3AScheduledTask-FileAccess_MITRE, d3f:Reference-LsassProcessDumpViaProcdump_MITRE . d3f:FileCreationEvent a owl:Class ; rdfs:label "File Creation Event" ; rdfs:subClassOf d3f:FileEvent ; d3f:definition "An event representing the creation of a new file within the system, establishing its existence and initial attributes in the file system or storage medium." . d3f:FileDecryptionEvent a owl:Class ; rdfs:label "File Decryption Event" ; rdfs:subClassOf d3f:FileEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileEncryptionEvent ] ; d3f:definition "An event where a previously encrypted file is decoded, rendering its content accessible to authorized users or processes." . d3f:FileDeletionEvent a owl:Class ; rdfs:label "File Deletion Event" ; rdfs:subClassOf d3f:FileEvent ; d3f:definition "An event where a file is permanently removed from the file system or storage medium, potentially triggering actions related to data retention or recovery." . d3f:FileEncryption a d3f:FileEncryption, owl:Class, owl:NamedIndividual ; rdfs:label "File Encryption" ; rdfs:subClassOf d3f:PlatformHardening, [ a owl:Restriction ; owl:onProperty d3f:encrypts ; owl:someValuesFrom d3f:File ] ; d3f:d3fend-id "D3-FE" ; d3f:definition "Encrypting a file using a cryptographic key." ; d3f:encrypts d3f:File ; d3f:kb-article """## How it Works Files are encrypted using either a single key for both encryption and decryption or separate keys. Single key encryption is symmetric encryption and using two key distinct keys is asymmetric encryption. ### Symmetric Cryptography Symmetric encryption uses the same cryptographic key for both the encryption and decryption a file. Managing keys at scale sometimes uses asymmetric key exchange. Protocols such as RSA or Diffie-Hellman can be used to share the symmetric cryptographic key with the others. ### Asymmetric Cryptography Asymmetric encryption is typically accomplished using public and private key certificates based on the X.509 standard. Files are encrypted using the public key and decrypted using their private key. Asymmetric encryption is typically slower than symmetric encryption and not widely used for large file encryption, but is popular for key wrapping, key exchanges, and digital signatures. ## Considerations - Continuous monitoring must be carried out to ensure private keys are not compromised and the certificate authority (CA) is trusted. - Transfer of private keys between multiple devices must be performed securely.""" ; d3f:kb-reference d3f:Reference-FileEncryption101SafeguardingYourSensitiveData, d3f:Reference-GuideToStorageEncryptionTechnologiesForEndUserDevices, d3f:Reference-SecurityConsiderationsForExchangingFilesOverTheInternet . d3f:FileEncryptionEvent a owl:Class ; rdfs:label "File Encryption Event" ; rdfs:subClassOf d3f:FileEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ] ; d3f:definition "An event involving the application of cryptographic techniques to a file, ensuring its content is securely encoded and inaccessible without proper decryption keys." . d3f:FileEvent a owl:Class ; rdfs:label "File Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:File ] ; d3f:definition "An event involving operations performed on digital files, encompassing actions such as creation, modification, deletion, access, and attribute or permission changes." ; rdfs:seeAlso . d3f:FileEviction a d3f:FileEviction, owl:Class, owl:NamedIndividual ; rdfs:label "File Eviction" ; rdfs:subClassOf d3f:ObjectEviction, [ a owl:Restriction ; owl:onProperty d3f:deletes ; owl:someValuesFrom d3f:File ] ; d3f:d3fend-id "D3-FEV" ; d3f:definition "File eviction techniques delete files from system storage." ; d3f:deletes d3f:File ; d3f:kb-article """## How it works Adversaries may place files or programs into a computer's file system to perform malicious actions. As part of the eviction process, these files and programs should be removed to prevent further compromise or reinfection. Examples of malicious types of files are malware which is directly harmful and content files with the intent to deceive users (e.g., phishing.) On Windows systems, antivirus (AV) software should be used to safely and permanently remove malicious files. AV software may first quarantine a suspected malicious file, which is the process of moving a file from its original location to a new location and makes changes so that it cannot be executed. Users can then verify that the file is not benign and then permanently delete it. ## Considerations When it is determined that a file should be removed for security purposes, the organization--or systems implementing an organization's policies--may determine that the file should not simply be deleted from the enterprise's mission systems, but be quarantined to a secure system by an approved mechanism, so as to allow follow-up investigation by security staff. On Windows systems, deleting a file in File Explorer does not permanently delete a file - it sends it to the Recycle Bin instead. The Recycle Bin must be emptied, or alternative steps must be performed to remove files completely. Even then, in some cases the data may persist in disk, so data shredder tools may be needed to completely wipe a file. Thus, AV tools are recommended.""" ; d3f:kb-reference d3f:Reference-HowDoesAntivirusQuarantineWork-SafetyDetectives . d3f:FileFooterBlock a owl:Class, owl:NamedIndividual ; rdfs:label "File Footer Block" ; rdfs:subClassOf d3f:FileSection ; d3f:definition "A section at the end of a file that contains metadata or control information." . d3f:FileFooterBlockContent a owl:Class ; rdfs:label "File Footer Block Content" ; rdfs:subClassOf d3f:FileMetadata ; d3f:definition "The content of a footer block not including the signature." . d3f:FileFooterBlockSignature a owl:Class ; rdfs:label "File Footer Block Signature" ; rdfs:subClassOf d3f:FileMetadata ; d3f:definition "A sequence of bytes used to identify and validate the footer section within a file." . d3f:FileFormatVerification a d3f:FileFormatVerification, owl:Class, owl:NamedIndividual ; rdfs:label "File Format Verification" ; rdfs:subClassOf d3f:ContentValidation, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:FileSection ] ; d3f:analyzes d3f:FileSection ; d3f:d3fend-id "D3-FFV" ; d3f:definition "Verifying that a file conforms to its expected format specifications" ; d3f:kb-reference d3f:Reference-FileSecurityUsingFileFormatValidation_OPSWATInc . d3f:FileGetAttributesEvent a owl:Class ; rdfs:label "File Get Attributes Event" ; rdfs:subClassOf d3f:FileEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileAccessEvent ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ] ; d3f:definition "An event where a file's metadata attributes, such as size, creation date, or type, are queried or retrieved without altering its content." . d3f:FileGetPermissionsEvent a owl:Class ; rdfs:label "File Get Permissions Event" ; rdfs:subClassOf d3f:FileEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ] ; d3f:definition "An event where a file's security settings or access control list (ACL) is retrieved, detailing permissions granted to users or processes." . d3f:FileHash a owl:Class, owl:NamedIndividual ; rdfs:label "File Hash" ; rdfs:subClassOf d3f:DigitalFingerprint, [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:File ] ; d3f:definition "A File Hash is a fixed-length, unique digital fingerprint generated by applying a cryptographic hash function to the contents of a file." ; d3f:identifies d3f:File . d3f:FileHashing a d3f:FileHashing, owl:Class, owl:NamedIndividual ; rdfs:label "File Hashing" ; rdfs:subClassOf d3f:FileAnalysis ; d3f:d3fend-id "D3-FH" ; d3f:definition "Employing file hash comparisons to detect known malware." ; d3f:kb-article """## How it works This technique requires a list of hashes to compare a file against. ## Considerations Performance on large files or very large numbers of files.""" ; d3f:kb-reference d3f:Reference-Munin . d3f:FileHashReputationAnalysis a d3f:FileHashReputationAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "File Hash Reputation Analysis" ; rdfs:subClassOf d3f:IdentifierReputationAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:FileHash ] ; d3f:analyzes d3f:FileHash ; d3f:d3fend-id "D3-FHRA" ; d3f:definition "Analyzing the reputation of a file hash." ; d3f:kb-reference d3f:Reference-Reputation_of_an_entity_associated_with_a_content_item . d3f:FileHeaderBlock a owl:Class, owl:NamedIndividual ; rdfs:label "File Header Block" ; rdfs:subClassOf d3f:FileSection ; d3f:definition "Headers are sections of a file that organize and provide information about specific sections or components of the file. Typically found at the beginning of a file, they often contain file type identification, version information, and metadata such as size, format, and encoding." . d3f:FileHeaderBlockContent a owl:Class ; rdfs:label "File Header Block Content" ; rdfs:subClassOf d3f:FileMetadata ; d3f:definition "The content of a header block not including the signature." . d3f:FileHeaderBlockSignature a owl:Class ; rdfs:label "File Header Block Signature" ; rdfs:subClassOf d3f:FileMetadata ; d3f:definition "A sequence of bytes used to identify and validate specific header sections within a file." . d3f:FileIntegrityMonitoring a d3f:FileIntegrityMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "File Integrity Monitoring" ; rdfs:subClassOf d3f:PlatformMonitoring, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:File ] ; d3f:analyzes d3f:File ; d3f:d3fend-id "D3-FIM" ; d3f:definition "Detecting any suspicious changes to files in a computer system." ; d3f:kb-article """## How it Works There are a number of tools in Windows and Unix that can monitor specific files in a system and generate alerts if any artifacts have been created, modified, or removed. They accomplish this by comparing the current artifacts to a previous snapshot. Unix - Unix systems have a file integrity checker tool called tripwire. Tripwire first initializes a database that serves as a basis for comparison and can then scan the system to compare the state of the current file system against the initial baseline database. Additionally, users can define policies that specify potential violations. Windows - In Microsoft Azure, file integrity monitoring can be enabled which can track file and registry key creation, removals, and modifications of specific files. ## Considerations Files can change constantly due to the non-static nature of a computer system. File Integrity Monitoring works best when pointed at a narrow scope of critical files to limit the number of unneccessary files that may be modified over the course of normal use. The accuracy and precision of defined policies also affect the efficacy of this technique.""" ; d3f:kb-reference d3f:Reference-FileIntegrityMonitoringinMicrosoftDefenderforCloud-Microsoft, d3f:Reference-Tripwire . d3f:FileInternalStructureVerification a d3f:FileInternalStructureVerification, owl:Class, owl:NamedIndividual ; rdfs:label "File Internal Structure Verification" ; rdfs:subClassOf d3f:FileFormatVerification, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:FileContentBlock ] ; d3f:analyzes d3f:FileContentBlock ; d3f:d3fend-id "D3-FISV" ; d3f:definition "The process of checking specific static values within a file, such as file signatures or magic numbers, to ensure they match the expected values defined by the file format specification." ; d3f:kb-article """## How it works File format specifications often define expected values for specific fields. A common example are file signatures, or magic numbers, which are used to quickly identify files. Another example is within the Compound Document Header of Microsoft Office files, the 29th and 30th byte identifies the byte order, specifically 0xFFFE for little-endian. This technique verifies that the file's static values match the values of the declared file format's specification.""" ; d3f:kb-reference d3f:Reference-CarvingContiguousandFragmentedFilesWithFastObjectValidation, d3f:Reference-GatheringEvidenceModel-DrivenSoftwareEngineeringinAutomatedDigitalForensics . d3f:FileMagicBytes a owl:Class, owl:NamedIndividual ; rdfs:label "File Magic Bytes" ; rdfs:subClassOf d3f:FileHeaderBlockSignature ; d3f:definition "A specific type of header signature located at the beginning of a file, used to identify the file format." . d3f:FileMagicByteVerification a d3f:FileMagicByteVerification, owl:Class, owl:NamedIndividual ; rdfs:label "File Magic Byte Verification" ; rdfs:subClassOf d3f:FileMetadataValueVerification, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:FileMagicBytes ] ; d3f:analyzes d3f:FileMagicBytes ; d3f:d3fend-id "D3-FMBV" ; d3f:definition "Utilizing the magic number to verify the file" ; d3f:kb-article """## How it works Many file formats use magic numbers to identify a file format or protocol. Verifying that the magic number matches the expected value of its declared format is a simple way of verifying the file format.""" ; d3f:kb-reference d3f:Reference-CarvingContiguousandFragmentedFilesWithFastObjectValidation, d3f:Reference-GatheringEvidenceModel-DrivenSoftwareEngineeringinAutomatedDigitalForensics . d3f:FileMetadata a owl:Class, owl:NamedIndividual ; rdfs:label "File Metadata" ; rdfs:subClassOf d3f:Metadata ; d3f:definition "Information that describes and provides context about a file's content, structure, and attributes." . d3f:FileMetadataConsistencyValidation a d3f:FileMetadataConsistencyValidation, owl:Class, owl:NamedIndividual ; rdfs:label "File Metadata Consistency Validation" ; rdfs:subClassOf d3f:FileFormatVerification, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:FileContentBlockData ], [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:FileMetadata ] ; d3f:analyzes d3f:FileContentBlockData, d3f:FileMetadata ; d3f:d3fend-id "D3-FMCV" ; d3f:definition "The process of validating the consistency between a file's metadata and its actual content, ensuring that elements like declared lengths, pointers, and checksums accurately describe the file's content." ; d3f:kb-article """## How it works This technique involves validating the consistency between a file's metadata and its actual content. It checks elements like declared lengths, pointers, and checksums to ensure they accurately describe the file's content. For instance, if a header specifies a content block of 50 bytes, this should be verified, and CRC values should be recalculated and compared.""" ; d3f:kb-reference d3f:Reference-GatheringEvidenceModel-DrivenSoftwareEngineeringinAutomatedDigitalForensics . d3f:FileMetadataValueVerification a d3f:FileMetadataValueVerification, owl:Class, owl:NamedIndividual ; rdfs:label "File Metadata Value Verification" ; rdfs:subClassOf d3f:FileFormatVerification, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:FileFooterBlock ], [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:FileHeaderBlock ] ; d3f:analyzes d3f:FileFooterBlock, d3f:FileHeaderBlock ; d3f:d3fend-id "D3-FMVV" ; d3f:definition "The process of checking specific static values within a file, such as file signatures or magic numbers, to ensure they match the expected values defined by the file format specification." ; d3f:description """## How it works File format specifications often define expected values for specific fields. A common example are file signatures, or magic numbers, which are used to quickly identify files. Another example is within the Compound Document Header of Microsoft Office files, the 29th and 30th byte identifies the byte order, specifically 0xFFFE for little-endian. This technique verifies that the file's static values match the values of the declared file format's specification.""" ; d3f:kb-reference d3f:Reference-CarvingContiguousandFragmentedFilesWithFastObjectValidation, d3f:Reference-IntroductoryComputerForensics . d3f:FileMountEvent a owl:Class ; rdfs:label "File Mount Event" ; rdfs:subClassOf d3f:FileEvent ; d3f:definition "An event where a file system or storage volume is mounted, making its files and directories accessible to the operating system or applications." . d3f:FilePathOpenFunction a owl:Class, owl:NamedIndividual ; rdfs:label "File Path Open Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:File ], [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:OpenFile ] ; d3f:accesses d3f:File ; d3f:definition "Has an input of a file path, and opens a file handle for reading or writing." ; d3f:invokes d3f:OpenFile . d3f:FileRenamingEvent a owl:Class ; rdfs:label "File Renaming Event" ; rdfs:subClassOf d3f:FileEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileAccessEvent ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ] ; d3f:definition "An event representing the renaming of a file, modifying its identifier within the file system while retaining its content and metadata." . d3f:FileSection a owl:Class, owl:NamedIndividual ; rdfs:label "File Section" ; skos:altLabel "File Part" ; rdfs:subClassOf d3f:DigitalInformationBearer ; d3f:definition "A file section is one of the portions of a file in which the file is regarded as divided and where together the file sections constitute the whole file." ; rdfs:seeAlso . d3f:FileServer a owl:Class ; rdfs:label "File Server" ; rdfs:subClassOf d3f:Server ; rdfs:isDefinedBy ; d3f:definition "The term server highlights the role of the machine in the traditional client-server scheme, where the clients are the workstations using the storage. A file server does not normally perform computational tasks or run programs on behalf of its client workstations. File servers are commonly found in schools and offices, where users use a local area network to connect their client computers." . d3f:FileSetAttributesEvent a owl:Class ; rdfs:label "File Set Attributes Event" ; rdfs:subClassOf d3f:FileEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileAccessEvent ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ] ; d3f:definition "An event where a file's metadata attributes are modified, such as changing its timestamps, labels, or categorization within the system." . d3f:FileSetPermissionsEvent a owl:Class ; rdfs:label "File Set Permissions Event" ; rdfs:subClassOf d3f:FileEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ] ; d3f:definition "An event involving the modification of a file's permissions or access control list (ACL), specifying which users or processes are granted or restricted access." . d3f:FileShareService a owl:Class ; rdfs:label "File Share Service" ; rdfs:subClassOf d3f:NetworkService ; d3f:definition "A file sharing service (or file share service) provides the ability to share data across a network." ; rdfs:seeAlso . d3f:FileSystem a owl:Class, owl:NamedIndividual ; rdfs:label "File System" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Directory ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:File ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:FileSystemLink ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:FileSystemMetadata ] ; rdfs:isDefinedBy ; d3f:contains d3f:Directory, d3f:File, d3f:FileSystemLink, d3f:FileSystemMetadata ; d3f:definition "In computing, a file system or filesystem is used to control how data is stored and retrieved. Without a file system, information placed in a storage medium would be one large body of data with no way to tell where one piece of information stops and the next begins. By separating the data into pieces and giving each piece a name, the information is easily isolated and identified. Taking its name from the way paper-based information systems are named, each group of data is called a \"file\". The structure and logic rules used to manage the groups of information and their names is called a \"file system\"." . d3f:FileSystemLink a owl:Class, owl:NamedIndividual ; rdfs:label "File System Link" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A file system link associates a name with a file on a file system. Most generally, this may be a direct reference (a hard link) or an indirect one (a soft link)." . d3f:FileSystemMetadata a owl:Class, owl:NamedIndividual ; rdfs:label "File System Metadata" ; rdfs:subClassOf d3f:Metadata ; d3f:definition "Metadata about the files and directories in a file system. For example file name, file length, time modified, group and user ids, and other file attributes." ; rdfs:seeAlso . d3f:FileSystemSensor a owl:Class, owl:NamedIndividual ; rdfs:label "File System Sensor" ; rdfs:subClassOf d3f:EndpointSensor, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:File ] ; d3f:definition "Collects files and file metadata on an endpoint." ; d3f:monitors d3f:File . d3f:FileTransferNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "File Transfer Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic ; d3f:definition "File transfer network traffic is network traffic related to file transfers between network nodes. This includes only network traffic conforming to standard file transfer protocols, not custom transfer protocols." . d3f:FileUnmountEvent a owl:Class ; rdfs:label "File Unmount Event" ; rdfs:subClassOf d3f:FileEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileMountEvent ] ; d3f:definition "An event where a file system or storage volume is unmounted, disconnecting its files and directories from the operating system or applications." . d3f:FileUpdateEvent a owl:Class ; rdfs:label "File Update Event" ; rdfs:subClassOf d3f:FileEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileAccessEvent ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FileCreationEvent ] ; d3f:definition "An event involving changes to the content or metadata of an existing file, reflecting updates that alter its state or properties." . d3f:FingerPrintScannerInputDevice a owl:Class ; rdfs:label "Finger Print Scanner Input Device" ; skos:altLabel "Fingerprint Sensor" ; rdfs:subClassOf d3f:ImageScannerInputDevice ; rdfs:isDefinedBy ; d3f:definition "A fingerprint sensor is an electronic device used to capture a digital image of the fingerprint pattern. The captured image is called a live scan. This live scan is digitally processed to create a biometric template (a collection of extracted features) which is stored and used for matching. Many technologies have been used including optical, capacitive, RF, thermal, piezoresistive, ultrasonic, piezoelectric, and MEMS." . d3f:Firewall a owl:Class, owl:NamedIndividual ; rdfs:label "Firewall" ; skos:altLabel "Network Firewall" ; rdfs:subClassOf d3f:ComputerNetworkNode, [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:definition "In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet. Firewalls are often categorized as either network firewalls or host-based firewalls. Network firewalls filter traffic between two or more networks and run on network hardware. Host-based firewalls run on host computers and control network traffic in and out of those machines. This definition refers to network firewalls." ; d3f:filters d3f:NetworkTraffic ; rdfs:seeAlso . d3f:Firmware a owl:Class, owl:NamedIndividual ; rdfs:label "Firmware" ; rdfs:subClassOf d3f:Software ; rdfs:isDefinedBy ; d3f:definition "In electronic systems and computing, firmware is a type of software that provides control, monitoring and data manipulation of engineered products and systems. Typical examples of devices containing firmware are embedded systems (such as traffic lights, consumer appliances, remote controls and digital watches), computers, computer peripherals, mobile phones, and digital cameras. The firmware contained in these devices provides the low-level control program for the device." . d3f:FirmwareBehaviorAnalysis a d3f:FirmwareBehaviorAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Firmware Behavior Analysis" ; rdfs:subClassOf d3f:PlatformMonitoring, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Firmware ] ; d3f:analyzes d3f:Firmware ; d3f:d3fend-id "D3-FBA" ; d3f:definition "Analyzing the behavior of embedded code in firmware and looking for anomalous behavior and suspicious activity." ; d3f:kb-article """## How it works Firmware behavior analysis provides protections by ensuring that installed firmware has not been tampered with or modified. Firmware analysis applies to mutable firmware and immutable read-only memory (ROMs). Firmware in deployed network devices is typically not analyzed and monitored for vulnerabilities and thus is subject to potential attacks. This technique makes use of known and measured behavioral attributes, including timing attributes, of analyzed firmware on deployed devices. A behavioral method that employs known timing measurements may use the timing results from a challenge and response protocol to detect the presence of malware in embedded firmware. Firmware device timing measurements are made, specific to the installed device, and are used in the verifying function. The original firmware image is modified by injecting a monitoring software component into the embedded firmware code. The injected software components will allow for a software root of trust, the challenge and response protocol, to be implement in the firmware. A challenge-response is issued and includes a nonce so that replays are not allowed. The firmware will calculate a checksum over all of memory, including the nonce, and return the result. The verification system will compare the computed checksum and the time it took for the computation of the checksum to determine if the firmware has been modified. ## Considerations * The firmware code will need to be modified to include the behavioral monitoring functionality. * This technique is sensitive to the device the embedded firmware is hosted on and it is expected that the devices and firmware will need to be profiled and analyzed to determine timing estimation. * This technique is not expected to be one hundred percent correct as you would expect in a hardware root of trust solution and may require some tuning.""" ; d3f:kb-reference d3f:Reference-FirmwareBehaviorAnalysisConFirm, d3f:Reference-FirmwareBehaviorAnalysisVIPER ; d3f:synonym "Firmware Timing Analysis" . d3f:FirmwareEmbeddedMonitoringCode a d3f:FirmwareEmbeddedMonitoringCode, owl:Class, owl:NamedIndividual ; rdfs:label "Firmware Embedded Monitoring Code" ; rdfs:subClassOf d3f:PlatformMonitoring, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Firmware ] ; d3f:analyzes d3f:Firmware ; d3f:d3fend-id "D3-FEMC" ; d3f:definition "Monitoring code is injected into firmware for integrity monitoring of firmware and firmware data." ; d3f:kb-article """## How it works Firmware in deployed network devices is typically not monitored for malicious changes. This technique provides a method to embed a software security component into the deployed firmware which provides a near real-time monitoring hook. The exception handling code, in the firmware, is typically used to expose any detected vulnerabilities. The injected software components provide a feature similar to intrusion detection systems for the firmware by detecting unauthorized modifications of the embedded firmware. The integrity of static code and firmware data are monitored continuously in the hosted devices. Comparisons are made to monitored elements like firmware memory addresses and data segments. Memory pages are scanned and if a modification is detected the software component may lock the page. This will protect subsequent attempted modifications to the firmware. The software component may utilize the exception handling code and thus be able to disclose the exact address of the modified memory. The injected software components are inserted during the firmware imaging process. The injected software is assumed to have knowledge of both the embedded code and the current execution state of the host program. The injected software will monitor and alert, in near real-time, on potential suspicious activity. The injected code is run alongside of the embedded code in the host. The injected software operates as an independent entity and is not dependent on the host software. Finally, this technique may implement other countermeasure techniques as part of their analytical processes. These should be identified by referencing other countermeasure techniques directly as necessary. ## Considerations * The firmware code will need to be modified and re-hosted on the device. * Exposing monitoring hooks to the injected code may introduce additional risk.""" ; d3f:kb-reference d3f:Reference-FirmwareEmbeddedMonitoringCodeRedBalloon, d3f:Reference-FirmwareEmbeddedMonitoringCodeSymbiotes . d3f:FirmwareSensor a owl:Class, owl:NamedIndividual ; rdfs:label "Firmware Sensor" ; rdfs:subClassOf d3f:EndpointSensor, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:Firmware ] ; d3f:definition "Collects information on firmware installed on an Endpoint." ; d3f:monitors d3f:Firmware . d3f:FirmwareVerification a d3f:FirmwareVerification, owl:Class, owl:NamedIndividual ; rdfs:label "Firmware Verification" ; rdfs:subClassOf d3f:PlatformMonitoring, [ a owl:Restriction ; owl:onProperty d3f:verifies ; owl:someValuesFrom d3f:Firmware ] ; d3f:d3fend-id "D3-FV" ; d3f:definition "Cryptographically verifying firmware integrity." ; d3f:kb-article """## How it works Cryptographic hash values are computed for system and peripheral firmware. The hash values are compared against precomputed hash values for the identified firmware. A hash value mismatch may indicate that the firmware may have been tampered with or updated with a non-current release indicating a misconfiguration for the system. ## Considerations * Requires cryptographically computed hash values of firmware * Requires storage of precomputed firmware hash values""" ; d3f:kb-reference d3f:Reference-FirmwareVerificationEclypsium, d3f:Reference-FirmwareVerificationTrapezoid, d3f:Reference-PlatformFirmwareResiliencyGuidelines_NIST ; d3f:verifies d3f:Firmware . d3f:First-orderLogic a owl:Class, owl:NamedIndividual ; rdfs:label "First-order Logic" ; rdfs:subClassOf d3f:PredicateLogic ; d3f:d3fend-id "D3A-FOL" ; d3f:definition "First-order logic is a collection of formal systems used in mathematics, philosophy, linguistics, and computer science. First-order logic uses quantified variables over non-logical objects, and allows the use of sentences that contain variables." ; d3f:kb-article """## How it works For propositions such as "Socrates is a man", one can have expressions in the form "there exists x such that x is Socrates and x is a man", where "there exists" is a quantifier, while x is a variable. This distinguishes it from propositional logic, which does not use quantifiers or relations. The term "first-order" distinguishes first-order logic from higher-order logic, in which there are predicates having predicates or functions as arguments, or in which quantification over predicates, functions, or both, are permitted. ## Considerations - Advantages: -- First-order logic is more expressive than propositional logic; one can talk about objects and their properties, relations between objects. -- First-order logic is able to make use of variables and quantifiers (e.g., "for all" and "exists".) -- First-order logic supports power forms of reasoning, such as inferring the properties of an unknown object from the properties of known objects. - Disadvantages: -- First-order logic is more difficult to learn and use than propositional logic, due to its greater complexity. -- First-order logic is also less tractable than propositional logic in many cases; reasoning about quantifiers and variables adds complexity. -- First-order logic can be difficult to apply in practice, due to the need to find appropriate axioms and rules for each application. ### Verification Approach - Automated theorem provers can assist in formal verification, performing automated reasoning over system modeled in first-order logic and explore a complete space of system behaviors - First-order logic may be more expressive than necessary for many types of problems and may be more difficult to verify by SMEs. - Theorem provers based in FOL are capable of use in software verification tasks, but an SMT solver such as Z3 might be more appropriate. - Defining a set of competency questions (i.e., query use cases for a first-order logic ontology) can help scope the logic required for a complete solution. ### Validation Approach - Domain SMEs should be identified to review the analytics results and compare them to expected results for a given input. - Where possible, an outside team of SMEs should inspect the formal logic specification of a system against its stated requirements and suitability to address its domain problem sets. - Defining a set of competency questions and the expected results provides one means of validation. ## References 1. First-order logic. (2023, May 26). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/First-order_logic) 2. Shapiro, S. and Kissel, T. Classical Logic. (2022). Stanford Encyclopedia of Philosophy. [Link](https://plato.stanford.edu/entries/logic-classical/) 3. A.I. For Anyone. First-order Logic (n.d.). [Link](https://www.aiforanyone.org/glossary/first-order-logic) 4. Smith, P. An Introduction to Formal Logic. (2020). [Link](https://doi.org/10.1017/9781108328999) 5. Gruninger, M. and Fox, M. (1995). Methodology for the Design and Evaluation of Ontologies. [Link](https://www.researchgate.net/publication/2288533_Methodology_for_the_Design_and_Evaluation_of_Ontologies) 6. Keet, C., Suarez-Figurosa, M., and Poveda-Villalon, M. (2014). Pitfalls in Ontologies and TIPS to Prevent Them. [Link](https://dl.acm.org/doi/10.4018/ijswis.2014040102) 7. Bjorner, N. et al. The inner magic behind the Z3 theorem prover. (2019) [Link](https://www.microsoft.com/en-us/research/blog/the-inner-magic-behind-the-z3-theorem-prover/)""" ; d3f:synonym "First-order Predicate Calculus", "FOL", "Quantificational Logic" . d3f:First-stageBootLoader a owl:Class, owl:NamedIndividual ; rdfs:label "First-stage Boot Loader" ; rdfs:subClassOf d3f:BootLoader ; d3f:definition "The very first routine run in order to load the operating system." . d3f:FlashMemory a owl:Class, owl:NamedIndividual ; rdfs:label "Flash Memory" ; rdfs:subClassOf d3f:SecondaryStorage ; rdfs:isDefinedBy ; d3f:definition "Flash memory is an electronic non-volatile computer memory storage medium that can be electrically erased and reprogrammed." . d3f:FlightSoftware a owl:Class, owl:NamedIndividual . d3f:Forecasting a owl:Class ; rdfs:label "Forecasting" ; rdfs:subClassOf d3f:AnalyticalPurpose . d3f:ForwardProxyServer a owl:Class ; rdfs:label "Forward Proxy Server" ; rdfs:subClassOf d3f:ProxyServer ; rdfs:isDefinedBy ; d3f:definition "An forward (or open) proxy is a proxy server that is accessible by any Internet user. Generally, a proxy server only allows users within a network group (i.e. a closed proxy) to store and forward Internet services such as DNS or web pages to reduce and control the bandwidth used by the group. With an open proxy, however, any user on the Internet is able to use this forwarding service." . d3f:ForwardResolutionDomainDenylisting a d3f:ForwardResolutionDomainDenylisting, owl:Class, owl:NamedIndividual ; rdfs:label "Forward Resolution Domain Denylisting" ; rdfs:subClassOf d3f:DNSDenylisting, [ a owl:Restriction ; owl:onProperty d3f:blocks ; owl:someValuesFrom d3f:OutboundInternetDNSLookupTraffic ] ; d3f:blocks d3f:OutboundInternetDNSLookupTraffic ; d3f:d3fend-id "D3-FRDDL" ; d3f:definition "Blocking a lookup based on the query's domain name value." ; d3f:kb-article """## How it works Policies are created that filter DNS queries using fully qualified domain name (FQDN) of record in the query. A DNS policy can be created for blocking DNS queries from FQDNs that have been identified as unauthorized. ## Considerations Continuous maintenance of unauthorized domain lists is needed to keep up to date as updates occur.""" ; d3f:kb-reference d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries ; d3f:synonym "Forward Resolution Domain Blacklisting" . d3f:ForwardResolutionIPDenylisting a d3f:ForwardResolutionIPDenylisting, owl:Class, owl:NamedIndividual ; rdfs:label "Forward Resolution IP Denylisting" ; rdfs:subClassOf d3f:DNSDenylisting, [ a owl:Restriction ; owl:onProperty d3f:blocks ; owl:someValuesFrom d3f:InboundInternetDNSResponseTraffic ] ; d3f:blocks d3f:InboundInternetDNSResponseTraffic ; d3f:d3fend-id "D3-FRIDL" ; d3f:definition "Blocking a DNS lookup's answer's IP address value." ; d3f:kb-article """## How it works This technique prevents a client from learning IP addresses deemed to be potentially malicious, which would have been delivered via forward resolution responses. Responses to forward resolution requests (that is, requests where a domain is sent and IP(s) are returned) are collected, and the IP address(es) included as a response are examined. If the IP address(es) are in a range included in the blacklist, then the response is dropped and not forwarded to the client. The DNS lookup can be blocked by either dropping the network traffic with an inline device, or modifying the value of the response sent by the DNS server. To transparently prevent client applications from hanging on a request, it is common practice to replace malicious values with addresses in the range 127.0.0.0/8 or the address of a honeypot maintained by the network administrators. ## Considerations * This technique does not prevent the client from contacting the blacklisted IP, only from learning about this IP address via a nameserver lookup request. * DNS Response traffic can be transmitted over many different protocols, which presents a challenge to implementing methods to extract all DNS answer IP address value(s). * DNS has historically used UDP port 53, with TCP port 53 instead used for responses over 512 bytes or after a lack of response over UDP. * Usage of new protocols to provide confidentiality for DNS traffic, such as DoH (DNS over HTTPS) and DoT (DNS over TLS), complicates collection of the IP address(es) in DNS responses. These protocols have often been enabled in browser settings transparently after a browser update, with DNS requests proxied over one of these cryptographic protocols through a specified host. * This technique must be implemented logically between the application that receives the response and the server which sent the response. * DNS responses sent in an encrypted manner, such as those using DoH or DoT, will require interception of the TLS connections in order to determine the IP address(es) in the response. * Replacing the response is not effective in the case that the nameserver uses a technique to provide integrity of its responses, such as DNSSEC for DNS responses.""" ; d3f:kb-reference d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries ; d3f:synonym "Forward Resolution IP Blacklisting" . d3f:FPGABitstream a owl:Class, owl:NamedIndividual ; rdfs:label "FPGA Bitstream" ; rdfs:subClassOf d3f:ApplicationConfigurationFile ; d3f:definition "A binary configuration file generated by synthesizing and placing-and-routing an HDL design, which is loaded into a Field-Programmable Gate Array (FPGA) to physically define its internal logic, interconnects, and I/O behavior. Rather than being executed by a processor, it programs the device itself." ; rdfs:seeAlso . d3f:FreeMemory a owl:Class, owl:NamedIndividual ; rdfs:label "Free Memory" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:deletes ; owl:someValuesFrom d3f:MemoryBlock ] ; d3f:deletes d3f:MemoryBlock . d3f:FTPDeleteEvent a owl:Class ; rdfs:label "FTP Delete Event" ; rdfs:subClassOf d3f:FTPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FTPPutEvent ] ; d3f:definition "An event where files or directories are removed from an FTP server, resulting in their permanent deletion from the remote system." . d3f:FTPEvent a owl:Class ; rdfs:label "FTP Event" ; rdfs:subClassOf d3f:ApplicationLayerEvent, d3f:TCPEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:FileTransferNetworkTraffic ] ; d3f:definition "An event involving the File Transfer Protocol (FTP), a standard network protocol used to transfer files between a client and server over a TCP/IP network. FTP facilitates operations such as file uploads, downloads, directory listing, and remote file management." ; rdfs:seeAlso . d3f:FTPGetEvent a owl:Class ; rdfs:label "FTP Get Event" ; rdfs:subClassOf d3f:FTPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FTPPutEvent ] ; d3f:definition "An event where a file is downloaded from an FTP server to a client, retrieving data from the remote system to the local destination." . d3f:FTPListEvent a owl:Class ; rdfs:label "FTP List Event" ; rdfs:subClassOf d3f:FTPEvent ; d3f:definition "An event where the contents of a directory on an FTP server are listed, providing metadata such as file names, sizes, and timestamps." . d3f:FTPPollEvent a owl:Class ; rdfs:label "FTP Poll Event" ; rdfs:subClassOf d3f:FTPEvent ; d3f:definition "An event where a client queries an FTP server to check for the presence of specific files or directories without initiating a transfer." . d3f:FTPPutEvent a owl:Class ; rdfs:label "FTP Put Event" ; rdfs:subClassOf d3f:FTPEvent ; d3f:definition "An event where a file is uploaded from a client to an FTP server, transferring data from the local system to the remote destination." . d3f:FTPRenameEvent a owl:Class ; rdfs:label "FTP Rename Event" ; rdfs:subClassOf d3f:FTPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:FTPPutEvent ] ; d3f:definition "An event where files or directories on an FTP server are renamed, modifying their identifiers without altering their content or location." . d3f:FullVolumeSnapshot a owl:Class ; rdfs:label "Full Volume Snapshot" ; rdfs:subClassOf d3f:VolumeSnapshot ; d3f:definition "A full volume snapshot is a point-in-time copy of the complete contents of a volume." ; rdfs:seeAlso . d3f:FuzzyLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Fuzzy Logic" ; rdfs:subClassOf d3f:SymbolicAI ; d3f:d3fend-id "D3A-FL" ; d3f:definition "Fuzzy logic is a form of many-valued logic in which the truth value of variables may be any real number between 0 and 1." ; d3f:kb-article """## How it works It is employed to handle the concept of partial truth, where the truth value may range between completely true and completely false.[1] By contrast, in Boolean logic, the truth values of variables may only be the integer values 0 or 1. ## References 1. Fuzzy logic. (2023, May 28). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Fuzzy_logic)""" . d3f:GatedRecurrentUnit a owl:Class, owl:NamedIndividual ; rdfs:label "Gated Recurrent Unit" ; rdfs:subClassOf d3f:RecurrentNeuralNetwork ; d3f:d3fend-id "D3A-GRU" ; d3f:definition "The GRU is like a long short-term memory (LSTM) with a forget gate, but has fewer parameters than LSTM, as it lacks an output gate. GRU's performance on certain tasks of polyphonic music modeling, speech signal modeling and natural language processing was found to be similar to that of LSTM" ; d3f:kb-article """## References Wikipedia. (2021, September 20). Gated Recurrent Unit. [Link](https://en.wikipedia.org/wiki/Gated_recurrent_unit)""" . d3f:Generation a owl:Class ; rdfs:label "Media Generation" ; rdfs:subClassOf d3f:AnalyticalPurpose . d3f:GenerativeAdversarialNetwork a owl:Class, owl:NamedIndividual ; rdfs:label "Generative Adversarial Network" ; rdfs:subClassOf d3f:UnsupervisedLearning ; d3f:d3fend-id "D3A-GAN" ; d3f:definition "Generative Adversarial Networks (GAN) are an approach to generative modeling using deep learning methods, such as convolutional neural networks." ; d3f:kb-article """## References Brownlee, J. (2019). What Are Generative Adversarial Networks (GANs)? Machine Learning Mastery. [Link](https://machinelearningmastery.com/what-are-generative-adversarial-networks-gans/)""" ; d3f:synonym "GAN" . d3f:GeometricMean a owl:Class, owl:NamedIndividual ; rdfs:label "Geometric Mean" ; rdfs:subClassOf d3f:CentralTendency ; d3f:d3fend-id "D3A-GM" ; d3f:definition "The nth root of the product of the data values, where there are n of these. This measure is valid only for data that are measured absolutely on a strictly positive scale." ; d3f:kb-article """## References Wikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)""" . d3f:GetOpenSockets a owl:Class, owl:NamedIndividual ; rdfs:label "Get Open Sockets" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:enumerates ; owl:someValuesFrom d3f:Pipe ] ; d3f:enumerates d3f:Pipe . d3f:GetOpenWindows a owl:Class, owl:NamedIndividual ; rdfs:label "Get Open Windows" ; rdfs:subClassOf d3f:SystemCall . d3f:GetRunningProcesses a owl:Class, owl:NamedIndividual ; rdfs:label "Get Running Processes" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:enumerates ; owl:someValuesFrom d3f:Process ] ; d3f:enumerates d3f:Process . d3f:GetScreenCapture a owl:Class, owl:NamedIndividual ; rdfs:label "Get Screen Capture" ; rdfs:subClassOf d3f:SystemCall . d3f:GetSystemConfigValue a owl:Class, owl:NamedIndividual ; rdfs:label "Get System Config Value" ; rdfs:subClassOf d3f:SystemConfigSystemCall, [ a owl:Restriction ; owl:onProperty d3f:reads ; owl:someValuesFrom d3f:SystemConfigurationDatabaseRecord ] ; d3f:reads d3f:SystemConfigurationDatabaseRecord ; rdfs:seeAlso . d3f:GetSystemNetworkConfigValue a owl:Class, owl:NamedIndividual ; rdfs:label "Get System Network Config Value" ; rdfs:subClassOf d3f:GetSystemConfigValue . d3f:GetSystemTime a owl:Class, owl:NamedIndividual ; rdfs:label "Get System Time" ; rdfs:subClassOf d3f:SystemCall ; d3f:definition "A system call that gets the system time. For POSIX.1 systems, time() invokes a call to get the system time." ; rdfs:seeAlso . d3f:GetThreadContext a owl:Class, owl:NamedIndividual ; rdfs:label "Get Thread Context" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:queries ; owl:someValuesFrom d3f:Thread ] ; d3f:queries d3f:Thread ; rdfs:seeAlso . d3f:GlobalUserAccount a owl:Class, owl:NamedIndividual ; rdfs:label "Global User Account" ; rdfs:subClassOf d3f:DomainUserAccount ; d3f:definition "A type of user account in Microsoft Windows (NT) that has a domain-wide scope.defines that user's access to a logical group of network objects (computers, users, devices) that share the same Active Directory databases; that is, a user's access to the domain." ; rdfs:seeAlso . d3f:GNSSReceiver a owl:Class ; rdfs:label "GNSS Receiver" ; rdfs:subClassOf d3f:Receiver ; d3f:definition "A GNSS (Global Navigation Satellite System) receiver is an electronic device that picks up signals from one or more satellite constellations (like GPS, GLONASS, Galileo, BeiDou) to calculate precise location, velocity, and time." ; rdfs:seeAlso . d3f:GNSSSatellite a owl:Class ; rdfs:label "GNSS Satellite" ; rdfs:subClassOf d3f:Satellite, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:AtomicClock ], [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:GNSSSignal ] ; d3f:definition "A GNSS satellite is part of a space-based constellation that transmits signals, allowing receivers on Earth to determine their position, navigation, and timing (PNT) through trilateration." ; rdfs:seeAlso . d3f:GNSSSignal a owl:Class, owl:NamedIndividual ; rdfs:label "GNSS Signal" ; rdfs:subClassOf d3f:ElectromagneticSignal, [ a owl:Restriction ; owl:onProperty d3f:carries ; owl:someValuesFrom d3f:GNSSTimeRecord ] ; d3f:definition "A GNSS (Global Navigation Satellite System) signal is a low-power radio signal broadcast from satellites that contains a carrier wave, a ranging code, and a navigation message. The receiver uses the carrier wave to precisely measure the time it takes for the signal to travel from the satellite, while the navigation message provides essential information like the satellite's position (ephemeris) and clock information." ; d3f:synonym "Global Navigation Satellite System Signal" ; rdfs:seeAlso , . d3f:GNSSTimeRecord a owl:Class ; rdfs:label "GNSS Time Record" ; rdfs:subClassOf d3f:TimeRecord ; d3f:definition "A GNSS Time Record is an information content entity encoded in a GNSS signal that represents the transmission time of that signal as determined by the transmitting satellite, expressed relative to a constellation-specific time standard and epoch." ; rdfs:seeAlso . d3f:Goal a owl:Class ; rdfs:label "Goal" ; rdfs:subClassOf d3f:D3FENDCore . d3f:GoodmanAndKruskalsGamma a owl:Class, owl:NamedIndividual ; rdfs:label "Goodman and Kruskal's Gamma" ; rdfs:subClassOf d3f:RankCorrelationCoefficient ; rdfs:isDefinedBy ; d3f:d3fend-id "D3A-GAKG" ; d3f:definition "Goodman-Kruskal $\\\\gamma$ is a measure of rank correlation between x and y and is given by $(n_c -n_d) / (n_c + n_d)$, where $n_c$ is the number of concordant pairs of the observations and $n_d$ is the number of discordant pairs." ; d3f:kb-article """## References 1. Wolfram Research. (2012). GoodmanKruskalGamma. Wolfram Language function. [Link](https://reference.wolfram.com/language/ref/GoodmanKruskalGamma.html) 1. Goodman and Kruskal's gamma. (2022, Nov 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Goodman_and_Kruskal%27s_gamma]""" . d3f:GPT a owl:Class, owl:NamedIndividual ; rdfs:label "GPT" ; rdfs:subClassOf d3f:Transformer-basedLearning ; d3f:d3fend-id "D3A-GPT" ; d3f:definition "Generative pre-trained transformers (GPT) are a type of large language model (LLM) and a prominent framework for generative artificial intelligence." ; d3f:kb-article """## References Generative pre-trained transformer. (n.d.). In Wikipedia. [Link](https://en.wikipedia.org/wiki/Generative_pre-trained_transformer)""" ; d3f:synonym "Generative Pre-trained Transformer" . d3f:GradientBoostedDecisionTree a owl:Class, owl:NamedIndividual ; rdfs:label "Gradient-Boosted Decision Tree" ; rdfs:subClassOf d3f:CART ; d3f:d3fend-id "D3A-GBDT" ; d3f:definition "A gradient-boosted decision tree is, as in other bagging and boosting methods, a method where the relatively 'weak' machine learning model (a decision tree) is used in an ensemble to form a 'strong' machine learning model." ; d3f:kb-article """## Reference 1. Google. (28 Sep 2023). Gradient Boosted Decision Trees. [Link](https://developers.google.com/machine-learning/decision-forests/intro-to-gbdt).""" . d3f:Graph-basedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Graph-based Clustering" ; rdfs:subClassOf d3f:ClusterAnalysis ; d3f:d3fend-id "D3A-GBC" ; d3f:definition "Graph-based Clustering is a form of clustering where data is represented with graphs to identify clusters. We include Connection-based Clustering in this class." ; d3f:kb-article """## References 1. Jagota, A. (13 Dec 2020). Density-based and Graph-based Clustering. towardsdatascience.com. [Link](https://towardsdatascience.com/density-based-and-graph-based-clustering-a1f0d45ff5fb) 1. Connectivity-Based Clustering. Sarang, P. (2023) in Thinking Data Science. The Springer Series in Applied Machine Learning. Springer, Cham. [Link](https://doi.org/10.1007/978-3-031-02363-7_10).""" ; d3f:synonym "Connection-based Clustering" . d3f:Graph-basedSemi-supervisedLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Graph-based Semi-supervised Learning" ; rdfs:subClassOf d3f:Semi-supervisedTransductiveLearning ; d3f:d3fend-id "D3A-GBSSL" ; d3f:definition "Graph-based Semi-Supervised Learning (GSSL) methods aim to classify unlabeled data by learning the graph structure and labeled data jointly." ; d3f:kb-article """## References Yang, S., Pan, L., & Cheng, J. (2021). Graph-based Semi-Supervised Learning Methods for Imbalanced Data Classification. [Link](https://www.sciencedirect.com/science/article/pii/S0031320321002132?viewFullText=true).""" . d3f:GraphicalUserInterface a owl:Class, owl:NamedIndividual ; rdfs:label "Graphical User Interface" ; skos:altLabel "GUI" ; rdfs:subClassOf d3f:UserInterface ; rdfs:isDefinedBy ; d3f:definition "A graphical user interface (GUI) is a type of user interface that allows users to interact with electronic devices through graphical icons and visual indicators such as secondary notation, instead of text-based user interfaces, typed command labels or text navigation. GUIs were introduced in reaction to the perceived steep learning curve of command-line interfaces (CLIs), which require commands to be typed on a computer keyboard." . d3f:GraphicsCardFirmware a owl:Class, owl:NamedIndividual ; rdfs:label "Graphics Card Firmware" ; skos:altLabel "Video Card Firmware" ; rdfs:subClassOf d3f:PeripheralFirmware ; d3f:definition "Firmware that is installed on computer graphics card." ; rdfs:seeAlso d3f:Firmware . d3f:GraphicsProcessingUnit a owl:Class, owl:NamedIndividual ; rdfs:label "Graphics Processing Unit" ; rdfs:subClassOf d3f:Processor, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:GraphicsCardFirmware ] ; d3f:contains d3f:GraphicsCardFirmware ; d3f:definition "A Graphics Processing Unit (GPU) is a specialized processor designed to efficiently perform parallel computations, primarily for rendering graphics and visual data." ; d3f:synonym "GPU" . d3f:Grid-basedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Grid-based Clustering" ; rdfs:subClassOf d3f:High-dimensionClustering ; d3f:d3fend-id "D3A-GBC" ; d3f:definition "Divides the entire data space into a finite number of cells reducing the complexity of the data and focuses on the cells rather than the data." ; d3f:kb-article """## References TechVidvan. (n.d.). Clustering in Machine Learning Tutorial. [Link](https://techvidvan.com/tutorials/clustering-in-machine-learning/)""" . d3f:Grid-CNN a owl:Class, owl:NamedIndividual ; rdfs:label "Grid-CNN" ; rdfs:subClassOf d3f:ConvolutionalNeuralNetwork ; d3f:d3fend-id "D3A-GC" ; d3f:definition "A class of neural networks that specializes in processing data that has a grid-like topology, such as an image." ; d3f:kb-article """## References Talukdar, P. (2020, June 10). Convolutional Neural Networks Explained. Towards Data Science. [Link](https://towardsdatascience.com/convolutional-neural-networks-explained-9cc5188c4939)""" . d3f:Group a owl:Class ; rdfs:label "Group" ; rdfs:subClassOf d3f:D3FENDCore . d3f:GroupCreationEvent a owl:Class ; rdfs:label "Group Creation Event" ; rdfs:subClassOf d3f:GroupManagementEvent ; d3f:definition "An event where a new group is established within the system, defining an entity to manage users and permissions collectively." . d3f:GroupDeletionEvent a owl:Class ; rdfs:label "Group Deletion Event" ; rdfs:subClassOf d3f:GroupManagementEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:GroupCreationEvent ] ; d3f:definition "An event where an existing group is permanently removed from the system, dissolving its associated memberships and privileges." . d3f:Grouping a owl:Class ; rdfs:label "Grouping" ; rdfs:subClassOf d3f:Summarizing . d3f:GroupManagementEvent a owl:Class ; rdfs:label "Group Management Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:AccessControlGroup ] ; d3f:definition "An event involving the creation, modification, or deletion of a group, or changes to its membership and privileges. Group management events facilitate the enforcement of role-based access control by organizing users and permissions into logical units for streamlined administration and policy enforcement." ; rdfs:seeAlso . d3f:GroupPolicy a owl:Class, owl:NamedIndividual ; rdfs:label "Group Policy" ; rdfs:subClassOf d3f:AccessControlConfiguration ; d3f:definition "Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A version of Group Policy called Local Group Policy (\"LGPO\" or \"LocalGPO\") also allows Group Policy Object management on standalone and non-domain computers." . d3f:GuidelineReference a owl:Class ; rdfs:label "Guideline Reference" ; rdfs:subClassOf d3f:PolicyReference ; d3f:pref-label "Guideline" . d3f:HardDiskFirmware a owl:Class ; rdfs:label "Hard Disk Firmware" ; skos:altLabel "Hard Drive Firmware" ; rdfs:subClassOf d3f:PeripheralFirmware ; d3f:definition "Firmware that is installed on a hard disk device." ; rdfs:seeAlso . d3f:Harden a d3f:DefensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Harden" ; rdfs:subClassOf d3f:DefensiveTactic ; d3f:definition "The harden tactic is used to increase the opportunity cost of computer network exploitation. Hardening differs from Detection in that it generally is conducted before a system is online and operational." ; d3f:display-order 0 ; d3f:display-priority 0 . d3f:HardeningEvent a owl:Class, owl:NamedIndividual ; rdfs:label "Hardening Event" ; rdfs:subClassOf d3f:SecurityEvent ; d3f:definition "An event involving actions to strengthen defenses, such as applying patches or implementing secure configurations, reducing attack surfaces, and increasing the difficulty of exploitation by adversaries." ; d3f:related d3f:Harden . d3f:HardLink a owl:Class ; rdfs:label "Hard Link" ; rdfs:subClassOf d3f:FileSystemLink ; rdfs:isDefinedBy ; d3f:definition "In computing, a hard link is a directory entry that associates a name with a file on a file system. All directory-based file systems must have at least one hard link giving the original name for each file. The term \"hard link\" is usually only used in file systems that allow more than one hard link for the same file. Multiple hard links -- that is, multiple directory entries to the same file -- are supported by POSIX-compliant and partially POSIX-compliant operating systems, such as Linux, Android, macOS, and also Windows NT4 and later Windows NT operating systems." . d3f:Hardware-basedProcessIsolation a d3f:Hardware-basedProcessIsolation, owl:Class, owl:NamedIndividual ; rdfs:label "Hardware-based Process Isolation" ; rdfs:subClassOf d3f:ExecutionIsolation, [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:Process ], [ a owl:Restriction ; owl:onProperty d3f:restricts ; owl:someValuesFrom d3f:CreateProcess ] ; d3f:d3fend-id "D3-HBPI" ; d3f:definition "Preventing one process from writing to the memory space of another process through hardware based address manager implementations." ; d3f:isolates d3f:Process ; d3f:kb-article """## How it works Process isolation, in this context, is address space separation controlled by a security function that limits the communication between processes so that one process cannot directly modify the executing code of another process. For example with virtual address space: * Process A address space is different from process B address space, which prevents process A from writing to process B Hardware process isolation is commonly implemented through Direct Memory Access (DMA) which collaborates with a Memory Management Unit (MMU), or Input-Output Memory Management Unit (IOMMU). These hardware controls are deployed directly on processors to aid hosts or enclaves in process isolation. * DMA - Direct memory access allows memory access to occur independently of the program currently run by the microprocessor. DMA allows for I/O devices to directly read from and write to memory, or it can be used to efficiently copy blocks of memory. During DMA transfers, the microprocessor can execute an unrelated program. * MMU - A memory management unit acts as an access control and is responsible for performing the translation of virtual memory addresses to physical memory addresses. The MMU allocates each process its own virtual memory space. * IOMMU - An input-output memory management unit is used to allocate each I/O device its own virtual address space to the underlying physical addresses. IOMMU allows devices that do not support long memory addresses to address the entire memory space. ## Considerations * Private hosts may be vulnerable to DMA attack if they have a PCI or PCI Express port that connects attached devices directly to physical address space. ## Implementations: * Intel Virtualization Technology for Directed I/O (Intel VT-d) * Firecracker""" ; d3f:kb-reference d3f:Reference-VirtualizedProcessIsolation_AdvancedMicroDevicesInc, , ; d3f:restricts d3f:CreateProcess ; d3f:synonym "Virtualization" . d3f:Hardware-basedWriteProtection a d3f:Hardware-basedWriteProtection, owl:Class, owl:NamedIndividual ; rdfs:label "Hardware-based Write Protection" ; rdfs:subClassOf d3f:PlatformHardening, [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:SecondaryStorage ] ; d3f:d3fend-id "D3-HBWP" ; d3f:definition "Physical methods of preventing data from being written to computer storage." ; d3f:hardens d3f:SecondaryStorage ; d3f:kb-reference d3f:Reference-WhatisHardwareWriteProtect . d3f:HardwareClock a owl:Class, owl:NamedIndividual ; rdfs:label "Hardware Clock" ; rdfs:subClassOf d3f:Clock, d3f:HardwareDevice ; d3f:definition "A clock implemented using physical electronic components, typically providing timekeeping independent of system power or software state." ; rdfs:seeAlso . d3f:HardwareClockDeviceDriver a owl:Class, owl:NamedIndividual ; rdfs:label "Hardware Clock Device Driver" ; rdfs:subClassOf d3f:HardwareDriver, [ a owl:Restriction ; owl:onProperty d3f:drives ; owl:someValuesFrom d3f:HardwareClock ] ; d3f:definition "A device driver for a hardware clock." ; d3f:drives d3f:HardwareClock ; rdfs:seeAlso . d3f:HardwareClockEvent a owl:Class ; rdfs:label "Hardware Clock Event" ; rdfs:subClassOf d3f:ClockEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:HardwareClock ] ; d3f:definition "A clock event involving a physical timekeeping mechanism implemented in hardware components." . d3f:HardwareComponentInventory a d3f:HardwareComponentInventory, owl:Class, owl:NamedIndividual ; rdfs:label "Hardware Component Inventory" ; rdfs:subClassOf d3f:AssetInventory, [ a owl:Restriction ; owl:onProperty d3f:inventories ; owl:someValuesFrom d3f:HardwareDevice ] ; d3f:d3fend-id "D3-HCI" ; d3f:definition "Hardware component inventorying identifies and records the hardware items in the organization's architecture." ; d3f:inventories d3f:HardwareDevice ; d3f:kb-article """## How it works Administrators collect information on hardware devices such as peripherals, NICs, processors, and memory devices that are components of the computers in their architecture using a variety of administrative and management tools that query for this information. In some cases, where such queries are not supported or provide specific information of interest, an administrator may also collect this information through remote adminstration tools and system commands, either manually or using scripts. ## Considerations * Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems. * An adversary conducting network enumeration may engage in activities that parallel normal hardware inventorying activities, but would require escalating to admin privileges for most of the operations requiting administrative tools ## Examples * Bus discovery * Admin-scripted PCI Bus inventory using ssh and pciutils * Application-layer discovery * Simple Network Management Protocol (SNMP) collects MIB information * Web-based Enterprise Management (WBEM) collects CIM information * Windows Management Instrumentation (WMI) * Windows Management Infrastructure (MI)""" ; d3f:kb-reference d3f:Reference-AdvancedDeviceMatchingSystem ; d3f:synonym "Hardware Component Discovery", "Hardware Component Inventorying" . d3f:HardwareCryptographicModule a owl:Class . d3f:HardwareDevice a owl:Class, owl:NamedIndividual ; rdfs:label "Hardware Device" ; rdfs:subClassOf d3f:DigitalInformationBearer, d3f:PhysicalArtifact ; rdfs:isDefinedBy ; d3f:definition "Hardware devices are the physical artifacts that constitute a network or computer system. Hardware devices are the physical parts or components of a computer, such as the monitor, keyboard, computer data storage, hard disk drive (HDD), graphic cards, sound cards, memory (RAM), motherboard, and so on, all of which are tangible physical objects. By contrast, software is instructions that can be stored and run by hardware. Hardware is directed by the software to execute any command or instruction. A combination of hardware and software forms a usable computing system." ; rdfs:seeAlso . d3f:HardwareDeviceBindEvent a owl:Class ; rdfs:label "Hardware Device Bind Event" ; rdfs:subClassOf d3f:HardwareDeviceStateEvent ; d3f:definition "An event where a device is logically bound to a system or process, typically for exclusive use or integration with specific software components." . d3f:HardwareDeviceConfiguration a owl:Class ; rdfs:label "Hardware Device Configuration" ; rdfs:subClassOf d3f:ConfigurationResource ; d3f:definition "Information used to configure the parameters and settings for hardware devices." . d3f:HardwareDeviceConnectionEvent a owl:Class ; rdfs:label "Hardware Device Connection Event" ; rdfs:subClassOf d3f:HardwareDeviceStateEvent ; d3f:definition "An event representing the physical or logical attachment of a device to a system, enabling its operational functionality." . d3f:HardwareDeviceDisabledEvent a owl:Class ; rdfs:label "Hardware Device Disabled Event" ; rdfs:subClassOf d3f:HardwareDeviceStateEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:HardwareDeviceEnabledEvent ] ; d3f:definition "An event where a device transitions to an inactive or unavailable state, often due to deactivation, failure, or maintenance." . d3f:HardwareDeviceDisconnectionEvent a owl:Class ; rdfs:label "Hardware Device Disconnection Event" ; rdfs:subClassOf d3f:HardwareDeviceStateEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:HardwareDeviceConnectionEvent ] ; d3f:definition "An event representing the removal of a device from a system, ceasing its operational functionality or availability." . d3f:HardwareDeviceEnabledEvent a owl:Class ; rdfs:label "Hardware Device Enabled Event" ; rdfs:subClassOf d3f:HardwareDeviceStateEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:HardwareDeviceConnectionEvent ] ; d3f:definition "An event where a device becomes operational and available for use, typically following initialization, activation, or repair." . d3f:HardwareDeviceEvent a owl:Class ; rdfs:label "Hardware Device Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:HardwareDevice ] ; d3f:definition "An event capturing the existence, state, or interaction of hardware or virtual devices within a system. Device events encompass activities such as discovery, connection, disconnection, operational state changes, or configuration modifications, providing visibility into device behavior and health." . d3f:HardwareDeviceMoveEvent a owl:Class ; rdfs:label "Hardware Device Move Event" ; rdfs:subClassOf d3f:HardwareDeviceStateEvent ; d3f:definition "An event where a device is relocated or reassigned within a system or network, potentially affecting its operational scope or connectivity." . d3f:HardwareDeviceStateEvent a owl:Class ; rdfs:label "Hardware Device State Event" ; rdfs:subClassOf d3f:HardwareDeviceEvent ; d3f:definition "An event involving a change to a device's state, such as connection, disconnection, modification, or operational state transitions (e.g., online or offline). Device state events provide visibility into device availability and operational conditions." . d3f:HardwareDeviceUnbindEvent a owl:Class ; rdfs:label "Hardware Device Unbind Event" ; rdfs:subClassOf d3f:HardwareDeviceStateEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:HardwareDeviceBindEvent ] ; d3f:definition "An event where a device is logically unbound from a system or process, releasing it from exclusive use or integration." . d3f:HardwareDeviceUpdateEvent a owl:Class ; rdfs:label "Hardware Device Update Event" ; rdfs:subClassOf d3f:HardwareDeviceStateEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:HardwareDeviceConnectionEvent ] ; d3f:definition "An event capturing updates or changes to a device's configuration, properties, or state, including firmware updates, reconfigurations, or optimizations." . d3f:HardwareDriver a owl:Class, owl:NamedIndividual ; rdfs:label "Hardware Driver" ; skos:altLabel "Device Driver" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:drives ; owl:someValuesFrom d3f:HardwareDevice ] ; rdfs:isDefinedBy ; d3f:definition "In computing, a device driver (commonly referred to simply as a driver) is a computer program that operates or controls a particular type of device that is attached to a computer. A driver provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details of the hardware being used. A driver communicates with the device through the computer bus or communications subsystem to which the hardware connects. When a calling program invokes a routine in the driver, the driver issues commands to the device. Once the device sends data back to the driver, the driver may invoke routines in the original calling program. Drivers are hardware dependent and operating-system-specific. They usually provide the interrupt handling required for any necessary asynchronous time-dependent hardware interface." ; d3f:drives d3f:HardwareDevice . d3f:HardwareTimer a owl:Class, owl:NamedIndividual ; rdfs:label "Hardware Timer" ; rdfs:subClassOf d3f:HardwareDevice, d3f:Timer ; rdfs:isDefinedBy ; d3f:definition "A hardware timer is defined as an electronic component that serves as an 8-bit or 16-bit counter, capable of measuring time intervals, generating timed outputs, and driving loads through mechanisms such as pulse width modulation (PWM)." . d3f:HardwareTimerConfigurationEvent a owl:Class ; rdfs:label "Hardware Timer Configuration Event" ; rdfs:subClassOf d3f:HardwareTimerEvent ; d3f:definition "An event in which a hardware timer's registers or operational parameters are programmed or modified." . d3f:HardwareTimerDeviceDriver a owl:Class, owl:NamedIndividual ; rdfs:label "Hardware Timer Device Driver" ; rdfs:subClassOf d3f:HardwareDriver, [ a owl:Restriction ; owl:onProperty d3f:drives ; owl:someValuesFrom d3f:HardwareTimer ] ; d3f:definition "A device driver for a hardware timer." ; d3f:drives d3f:HardwareTimer ; rdfs:seeAlso . d3f:HardwareTimerEvent a owl:Class ; rdfs:label "Hardware Timer Event" ; rdfs:subClassOf d3f:TimerEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:HardwareTimer ] ; d3f:definition "A timer event involving a physical timer mechanism implemented in hardware components." . d3f:HardwareTimerInterruptEvent a owl:Class ; rdfs:label "Hardware Timer Interrupt Event" ; rdfs:subClassOf d3f:HardwareTimerEvent ; d3f:definition "An event in which a hardware timer generates an interrupt signal upon expiration or interval completion." . d3f:HardwareWatchdogTimer a owl:Class, owl:NamedIndividual ; rdfs:label "Hardware Watchdog Timer" ; rdfs:subClassOf d3f:HardwareTimer, d3f:WatchdogTimer ; d3f:definition "A hardware watchdog timer is a watchdog timer implemented using electronic components." . d3f:HarmonicMean a owl:Class, owl:NamedIndividual ; rdfs:label "Harmonic Mean" ; rdfs:subClassOf d3f:CentralTendency ; d3f:d3fend-id "D3A-HM" ; d3f:definition "The reciprocal of the arithmetic mean of the reciprocals of the data values. This measure too is valid only for data that are measured absolutely on a strictly positive scale." ; d3f:kb-article """## References Wikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)""" . d3f:HeapSegment a owl:Class ; rdfs:label "Heap Segment" ; rdfs:subClassOf d3f:ProcessSegment ; d3f:definition "The heap segment (or free store) is a large pool of memory from which dynamic memory requests of a process are allocated and satisfied." ; rdfs:seeAlso . d3f:HeterogeneousAsymmetricFeature-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Heterogeneous Asymmetric Feature-based Transfer Learning" ; rdfs:subClassOf d3f:HeterogeneousTransferLearning ; d3f:d3fend-id "D3A-HAFBTL" ; d3f:definition "Asymmetric transformation mapping transforms the source feature space to align with that of the target or the target to that of the source. This, in effect, bridges the feature space gap and reduces the problem into a homogeneous transfer problem when further distribution differences need to be corrected." ; d3f:kb-article """## References Wang, Q., Mao, K. Z., Wang, B., & Guan, J. (2017). Big data clustering by hybrid optimization algorithm. Journal of Big Data, 4(1), 25. [Link](https://journalofbigdata.springeropen.com/articles/10.1186/s40537-017-0089-0).""" . d3f:HeterogeneousFeature-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Heterogeneous Feature-based Transfer Learning" ; rdfs:subClassOf d3f:HeterogeneousTransferLearning ; d3f:d3fend-id "D3A-HFBTL" ; d3f:definition "Symmetric transformation takes both the source feature space Xs and target feature space Xt and learns feature transformations as to project each onto a common subspace Xc for adaptation purposes. This derived subspace becomes a domain-invariant feature subspace to associate cross-domain data, and in effect, reduces marginal distribution differences." ; d3f:kb-article """## References Wang, Q., Mao, K. Z., Wang, B., & Guan, J. (2017). Big data clustering by hybrid optimization algorithm. Journal of Big Data, 4(1), 25. [Link](https://journalofbigdata.springeropen.com/articles/10.1186/s40537-017-0089-0).""" . d3f:HeterogeneousTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Heterogeneous Transfer Learning" ; rdfs:subClassOf d3f:TransferLearning ; d3f:d3fend-id "D3A-HTL" ; d3f:definition "Heterogeneous transfer learning is characterized by the source and target domains having differing feature spaces, but may also be combined with other issues such as differing data distributions and label spaces." ; d3f:kb-article """## References Wang, Q., Mao, K. Z., Wang, B., & Guan, J. (2017). Big data clustering by hybrid optimization algorithm. Journal of Big Data, 4(1), 25. [Link](https://journalofbigdata.springeropen.com/articles/10.1186/s40537-017-0089-0).""" . d3f:HierarchicalClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Hierarchical Clustering" ; rdfs:subClassOf d3f:ClusterAnalysis ; d3f:d3fend-id "D3A-HC" ; d3f:definition "Hierarchical clustering (also called hierarchical cluster analysis or HCA) is a method of cluster analysis that seeks to build a hierarchy of clusters." ; d3f:kb-article """## References Wikipedia. (2021, August 10). Hierarchical clustering. [Link](https://en.wikipedia.org/wiki/Hierarchical_clustering) html)""" . d3f:HierarchicalDomainDenylisting a d3f:HierarchicalDomainDenylisting, owl:Class, owl:NamedIndividual ; rdfs:label "Hierarchical Domain Denylisting" ; rdfs:subClassOf d3f:ForwardResolutionDomainDenylisting ; d3f:d3fend-id "D3-HDDL" ; d3f:definition "Blocking the resolution of any subdomain of a specified domain name." ; d3f:kb-article """## How it works This technique is used to block DNS queries from related domains and subdomains that are unauthorized. Hierarchical domain blacklisting considers the blacklisting of second level domains and additional sub-domains and specific hosts for a given query value. A denylist is maintained that contains DNS names and corresponding subdomains, including wildcards, that should be blocked for a given lookup. ## Considerations * The denylist of domain names will have to be maintained and will need to be kept up to date * Other domains that resolve to the domain of interest for blocking (CNAME, etc). * Denylists should have identified maintenance cycles to ensure lists are not stale.""" ; d3f:kb-reference d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries ; d3f:synonym "Hierarchical Domain Blacklisting" . d3f:High-dimensionClustering a owl:Class, owl:NamedIndividual ; rdfs:label "High-dimension Clustering" ; rdfs:subClassOf d3f:ClusterAnalysis ; d3f:d3fend-id "D3A-HDC" ; d3f:definition "The cluster analysis of data with anywhere from a few dozen to many thousands of dimensions." ; d3f:kb-article """## References Wikipedia. (n.d.). Clustering high-dimensional data. [Link](https://en.wikipedia.org/wiki/Clustering_high-dimensional_data)""" . d3f:Higher-orderLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Higher-order Logic" ; rdfs:subClassOf d3f:PredicateLogic ; d3f:d3fend-id "D3A-HOL" ; d3f:definition "Higher-order logic is a form of predicate logic that is distinguished from first-order logic by additional quantifiers and, sometimes, stronger semantics. Higher-order logics with their standard semantics are more expressive, but their model-theoretic properties are less well-behaved than those of first-order logic." ; d3f:kb-article """## References 1. Higher-order logic. (2023, May 13). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Higher-order_logic)""" ; d3f:synonym "HOL" . d3f:Histogramming a owl:Class ; rdfs:label "Histogramming" ; rdfs:subClassOf d3f:Summarizing . d3f:HMIApplication a owl:Class, owl:NamedIndividual ; rdfs:label "HMI Application" ; rdfs:subClassOf d3f:ServiceApplication, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:OTControlFunction ], [ a owl:Restriction ; owl:onProperty d3f:instructs ; owl:someValuesFrom d3f:HMIApplicationProcess ] ; d3f:contains d3f:OTControlFunction ; d3f:definition "Application software which runs the main program in an HMI." ; d3f:instructs d3f:HMIApplicationProcess . d3f:HMIApplicationProcess a owl:Class, owl:NamedIndividual ; rdfs:label "HMI Application Process" ; rdfs:subClassOf d3f:Process ; d3f:definition "The instructions within an HMI defined by user programming to interpret visual (and potentially audio) inputs and define visual (and potentially) audio outputs." . d3f:HomogenousTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Homogenous Transfer Learning" ; rdfs:subClassOf d3f:TransferLearning ; d3f:d3fend-id "D3A-HTL" ; d3f:definition "In homogeneous transfer learning, the feature spaces of the source and target domains is of the same dimension (Ds = Dt) while the data of both domains is represented by the same attributes (Xs = Xt) and labels (Ys = Yt). Thus, homogeneous transfer learning aims to bridge the gap in the data distributions experienced during cross-domain transfer." ; d3f:kb-article """## References Khalil, K., Asgher, U., & Ayaz, Y. (2022). Novel fNIRS study on homogeneous symmetric feature-based transfer learning for brain-computer interface. Scientific Reports, 12, 3198. [Link](https://www.nature.com/articles/s41598-022-06805-4).""" . d3f:HomoglyphDenylisting a d3f:HomoglyphDenylisting, owl:Class, owl:NamedIndividual ; rdfs:label "Homoglyph Denylisting" ; rdfs:subClassOf d3f:ForwardResolutionDomainDenylisting ; d3f:d3fend-id "D3-HDL" ; d3f:definition "Blocking DNS queries that are deceptively similar to legitimate domain names." ; d3f:kb-article """## How it works Homoglyph domain blacklisting considers the domain and subdomain structure of a lookup and compares the named components to blacklisted named components. The blacklisted named components are typically crafted modifications of known good domains, e.g., gooogle.com versus google.com. The blacklisted domains typically resemble trusted domains, but have been altered slightly to deceive users. The blacklisted named components also include consideration for fonts or Unicode characters that can make certain characters appear very similar (zero vs capital O and the letter l vs the number one). The blacklisted domains under certain fonts will appear to be a trusted domain. ## Considerations * Maintaining the currency of the list can be a challenge especially with newly registered domain entries. * Blacklists should have identified maintenance cycles to ensure lists are not stale.""" ; d3f:kb-reference d3f:Reference-DetectionOfMaliciousIDNHomoglyphDomains ; d3f:synonym "Homoglyph Blacklisting" . d3f:HomoglyphDetection a d3f:HomoglyphDetection, owl:Class, owl:NamedIndividual ; rdfs:label "Homoglyph Detection" ; rdfs:subClassOf d3f:IdentifierAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Email ], [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:URL ] ; d3f:analyzes d3f:Email, d3f:URL ; d3f:d3fend-id "D3-HD" ; d3f:definition "Comparing strings using a variety of techniques to determine if a deceptive or malicious string is being presented to a user." ; d3f:kb-article """## How it works A homoglyph, in this context, is a deceptive string or word which looks like a trusted word, but is composed of different characters, for example: goooogle.com versus google.com. This is commonly found in phishing and typo squatting attacks where a human exploiting through a social engineering campaign. ## Considerations * In very large environments processing DNS queries can be computationally expensive due to the amount of traffic that is generated * Legitimate companies and products use non-dictionary words in their names that could result in many false positives""" ; d3f:kb-reference d3f:Reference-Computer-implementedMethodsAndSystemsForIdentifyingVisuallySimilarTextCharacterStrings_GreathornInc, d3f:Reference-SystemAndMethodForDetectingHomoglyphAttacksWithASiameseConvolutionalNeuralNetwork_EndgameInc . d3f:Host a owl:Class, owl:NamedIndividual ; rdfs:label "Host" ; skos:altLabel "Network Host" ; rdfs:subClassOf d3f:ComputerNetworkNode, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Application ] ; rdfs:isDefinedBy ; d3f:contains d3f:Application ; d3f:definition "A host is a computer or other device, typically connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network. A network host is a network node that is assigned a network layer host address. Network hosts that participate in applications that use the client-server model of computing, are classified as server or client systems. Network hosts may also function as nodes in peer-to-peer applications, in which all nodes share and consume resources in an equipotent manner." ; rdfs:seeAlso , . d3f:Host-basedFirewall a owl:Class, owl:NamedIndividual ; rdfs:label "Host-based Firewall" ; rdfs:subClassOf d3f:SystemSoftware ; d3f:definition "A software firewall which controls network inbound and outbound network traffic to the host computer." . d3f:HostConfigurationSensor a owl:Class, owl:NamedIndividual ; rdfs:label "Host Configuration Sensor" ; rdfs:subClassOf d3f:EndpointSensor, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:ApplicationConfiguration ], [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:OperatingSystemConfiguration ] ; d3f:definition "Collects the configuration data on an endpoint." ; d3f:monitors d3f:ApplicationConfiguration, d3f:OperatingSystemConfiguration . d3f:HostGroup a owl:Class, owl:NamedIndividual ; rdfs:label "Host Group" ; rdfs:subClassOf d3f:AccessControlGroup, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Host ] ; d3f:contains d3f:Host ; d3f:definition "A collection of Hosts used to allow operations such as access control to be applied to the entire group." . d3f:Hostname a d3f:DomainName, owl:Class, owl:NamedIndividual ; rdfs:label "Hostname" ; skos:altLabel "Nodename" ; rdfs:subClassOf d3f:Identifier, [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:Host ] ; rdfs:isDefinedBy ; d3f:definition "In computer networking, a hostname (archaically nodename) is a label that is assigned to a device connected to a computer network and that is used to identify the device in various forms of electronic communication, such as the World Wide Web. Hostnames may be simple names consisting of a single word or phrase, or they may be structured." ; d3f:identifies d3f:Host . d3f:HostReboot a d3f:HostReboot, owl:Class, owl:NamedIndividual ; rdfs:label "Host Reboot" ; rdfs:subClassOf d3f:HostShutdown, [ a owl:Restriction ; owl:onProperty d3f:terminates ; owl:someValuesFrom d3f:Process ] ; d3f:d3fend-id "D3-HR" ; d3f:definition "Initiating a host's reboot sequence to terminate all running processes." ; d3f:kb-article """## How It Works Host reboot can either be initiated in the physical presence of the device using the power functions or remotely using the provided user interface or an installed EDR agent (with the available function). This process may allow for the removal of specific types of malware, such as fileless malware, and can also prevent further damage, for example, if the system is part of a botnet. ## Considerations - If the attacker has achieved persistence techniques, this technique may not be effective - Compromised systems may not respond to remote commands to shutdown or reboot, requiring physical intervention. - Shutting down a system will usually result in the memory losing its state which can be useful in forensic activities so this should be considered when deciding to shutdown. - Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.""" ; d3f:kb-reference d3f:Reference-NearMemoryInMemoryDetectionofFilelessMalware ; d3f:terminates d3f:Process . d3f:HostShutdown a d3f:HostShutdown, d3f:ProcessTermination, owl:Class, owl:NamedIndividual ; rdfs:label "Host Shutdown" ; rdfs:subClassOf d3f:ProcessEviction, [ a owl:Restriction ; owl:onProperty d3f:terminates ; owl:someValuesFrom d3f:Process ] ; d3f:d3fend-id "D3-HS" ; d3f:definition "Initiating a host's shutdown sequence to terminate all running processes." ; d3f:kb-article """## How It Works Host shutdown can either be initiated in the physical presence of the device using the power functions or remotely using the provided user interface or an installed EDR agent (with the available function). This process may allow for the removal of specific types of malware, such as fileless malware, and can also prevent further damage, for example, if the system is part of a botnet. ## Considerations - If the attacker has achieved persistence techniques, this technique may not be effective - Compromised systems may not respond to remote commands to shutdown or reboot, requiring physical intervention. - Shutting down a system will usually result in the memory losing its state which can be useful in forensic activities so this should be considered when deciding to shutdown. - Shutting down systems may disrupt access to computer resources for legitimate users.""" ; d3f:kb-reference d3f:Reference-NearMemoryInMemoryDetectionofFilelessMalware ; d3f:terminates d3f:Process . d3f:HTMLFile a owl:Class ; rdfs:label "HTML File" ; skos:altLabel "HTML File" ; rdfs:subClassOf d3f:DocumentFile ; d3f:definition "A document file encoded in HTML.The HyperText Markup Language, or HTML is the standard markup language for documents designed to be displayed in a web browser. It can be assisted by technologies such as Cascading Style Sheets (CSS) and scripting languages such as JavaScript. Web browsers receive HTML documents from a web server or from local storage and render the documents into multimedia web pages. HTML describes the structure of a web page semantically and originally included cues for the appearance of the document." ; rdfs:seeAlso . d3f:HTTPConnectEvent a owl:Class ; rdfs:label "HTTP CONNECT Event" ; rdfs:subClassOf d3f:HTTPRequestEvent ; d3f:definition "An event where the HTTP CONNECT method is used to establish a tunnel to the server identified by the target resource." . d3f:HTTPDeleteEvent a owl:Class ; rdfs:label "HTTP DELETE Event" ; rdfs:subClassOf d3f:HTTPRequestEvent ; d3f:definition "An event where the HTTP DELETE method is used to delete the specified resource." . d3f:HTTPEvent a owl:Class ; rdfs:label "HTTP Event" ; rdfs:subClassOf d3f:ApplicationLayerEvent, d3f:TCPEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:WebNetworkTraffic ] ; d3f:definition "An event involving the Hypertext Transfer Protocol (HTTP), which operates over TCP to transmit hypermedia documents." ; rdfs:seeAlso . d3f:HTTPGetEvent a owl:Class ; rdfs:label "HTTP GET Event" ; rdfs:subClassOf d3f:HTTPRequestEvent ; d3f:definition "An event where the HTTP GET method is used to request a representation of the specified resource." . d3f:HTTPHeadEvent a owl:Class ; rdfs:label "HTTP HEAD Event" ; rdfs:subClassOf d3f:HTTPRequestEvent ; d3f:definition "An event where the HTTP HEAD method is used to request metadata about the specified resource without the response body." . d3f:HTTPOptionsEvent a owl:Class ; rdfs:label "HTTP OPTIONS Event" ; rdfs:subClassOf d3f:HTTPRequestEvent ; d3f:definition "An event where the HTTP OPTIONS method is used to describe the communication options for the target resource." . d3f:HTTPPostEvent a owl:Class ; rdfs:label "HTTP POST Event" ; rdfs:subClassOf d3f:HTTPRequestEvent ; d3f:definition "An event where the HTTP POST method is used to submit data to the specified resource, often causing a change in state or side effects on the server." . d3f:HTTPPutEvent a owl:Class ; rdfs:label "HTTP PUT Event" ; rdfs:subClassOf d3f:HTTPRequestEvent ; d3f:definition "An event where the HTTP PUT method is used to replace all current representations of the target resource with the request payload." . d3f:HTTPRequestEvent a owl:Class ; rdfs:label "HTTP Request Event" ; rdfs:subClassOf d3f:HTTPEvent ; d3f:definition "An event where an HTTP request is sent from a client to a server over an established TCP connection." . d3f:HTTPResponseEvent a owl:Class ; rdfs:label "HTTP Response Event" ; rdfs:subClassOf d3f:HTTPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:HTTPRequestEvent ] ; d3f:definition "An event where an HTTP response is sent from a server to a client over an established TCP connection." . d3f:HTTPTraceEvent a owl:Class ; rdfs:label "HTTP TRACE Event" ; rdfs:subClassOf d3f:HTTPRequestEvent ; d3f:definition "An event where the HTTP TRACE method is used to perform a message loop-back test along the path to the target resource." . d3f:HumanInputDeviceFirmware a owl:Class ; rdfs:label "Human Input Device Firmware" ; rdfs:subClassOf d3f:PeripheralFirmware ; d3f:definition "Firmware that is installed on an HCI device such as a mouse or keyboard." ; rdfs:seeAlso d3f:Firmware, . d3f:Hybrid-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Hybrid-based Transfer Learning" ; rdfs:subClassOf d3f:HomogenousTransferLearning ; d3f:d3fend-id "D3A-HBTL" ; d3f:definition "This method creates an asymmetric mapping from the target to the source and takes into account bias issues of cross-domain correspondences." ; d3f:kb-article """## References Day, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. Journal of Big Data, 4(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).""" . d3f:HypothesisTesting a owl:Class, owl:NamedIndividual ; rdfs:label "Hypothesis Testing" ; rdfs:subClassOf d3f:InferentialStatistics ; d3f:d3fend-id "D3A-HT" ; d3f:definition "A statistical hypothesis test is a method of statistical inference used to decide whether the data at hand sufficiently support a particular hypothesis. Hypothesis testing allows us to make probabilistic statements about population parameters." ; d3f:kb-article """## References Wikipedia. (n.d.). Statistical hypothesis testing. [Link](https://en.wikipedia.org/wiki/Statistical_hypothesis_testing)""" . d3f:IA-0001 a owl:Class ; rdfs:label "Compromise Supply Chain - SPARTA" ; skos:prefLabel "Compromise Supply Chain" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0001" ; d3f:definition "Adversaries achieve first execution before the spacecraft ever flies by inserting malicious code, data, or configuration during manufacturing, integration, or delivery. Targets include software sources and dependencies, build systems and compilers, firmware/bitstreams for MCUs and FPGAs, configuration tables, test vectors, and off-the-shelf avionics. Inserted artifacts are designed to appear legitimate, propagate through normal processes, and activate under routine procedures or specific modes (e.g., safing, maintenance). Common insertion points align with where trust is assumed, vendor updates, mirrors and registries, CI/CD runners, programming stations, and “golden image” repositories. The result is pre-positioned access that blends with baseline behavior, often with delayed or conditional triggers and strong deniability." ; rdfs:seeAlso . d3f:IA-0001.01 a owl:Class ; rdfs:label "Software Dependencies & Development Tools - SPARTA" ; skos:prefLabel "Software Dependencies & Development Tools" ; rdfs:subClassOf d3f:IA-0001 ; d3f:attack-id "IA-0001.01" ; d3f:definition "This technique targets what developers import and the tools that transform source into flight binaries. Methods include dependency confusion and typosquatting, poisoned container/base images, malicious IDE plugins, and compromised compilers, linkers, or build runners that subtly alter output. Because flight and ground stacks frequently reuse open-source RTOS components, crypto libraries, protocol parsers, and build scripts, an upstream change can deterministically reproduce a backdoor downstream. Attackers also seed private mirrors or caches so “trust-on-first-use” locks in tainted packages, or abuse CI secrets and environment variables to pivot further. Effects range from inserting covert handlers into command parsers, to weakening integrity checks in update paths, to embedding telemetry beacons that exfiltrate build metadata helpful for later stages." ; rdfs:seeAlso . d3f:IA-0001.02 a owl:Class ; rdfs:label "Software Supply Chain - SPARTA" ; skos:prefLabel "Software Supply Chain" ; rdfs:subClassOf d3f:IA-0001 ; d3f:attack-id "IA-0001.02" ; d3f:definition "Here the manipulation targets software delivered to flight or ground systems: altering source before build, swapping signed binaries at distribution edges, subverting update metadata, or using stolen signing keys to issue malicious patches. Space-specific vectors include mission control applications, schedulers, gateway services, flight tables and configuration packages, and firmware loads during I&T or LEOP. Adversaries craft payloads that pass superficial validation, trigger under particular operating modes, or reintroduce known weaknesses through version rollback. “Data payloads” such as malformed tables, ephemerides, or calibration products can double as exploits when parsers are permissive. The objective is to ride the normal promotion pipeline so the implant arrives pre-trusted and executes as part of routine operations." ; rdfs:seeAlso . d3f:IA-0001.03 a owl:Class ; rdfs:label "Hardware Supply Chain - SPARTA" ; skos:prefLabel "Hardware Supply Chain" ; rdfs:subClassOf d3f:IA-0001 ; d3f:attack-id "IA-0001.03" ; d3f:definition "Adversaries alter boards, modules, or programmable logic prior to delivery to create latent access or reliability sabotage. Tactics include inserting hardware Trojans in ASIC/FPGA designs, modifying bitstreams or disabling security fuses, leaving debug interfaces (JTAG/SWD/UART) active, substituting near-spec counterfeits, or embedding parts that fail after specific environmental or temporal conditions (“time-bomb” components). Other avenues target programming stations and “golden” images so entire lots inherit the same weakness. Microcontroller boot configurations, peripheral EEPROMs, and supervisory controllers are common leverage points because small changes there can reshape trust boundaries across the bus. The effect is a platform that behaves nominally through acceptance test yet enables covert control, targeted degradation, or delayed failure once on orbit." ; rdfs:seeAlso . d3f:IA-0002 a owl:Class, owl:NamedIndividual ; rdfs:label "Compromise Software Defined Radio - SPARTA" ; skos:prefLabel "Compromise Software Defined Radio" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique, [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:Software-definedRadioConfiguration ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:Software-definedRadioWaveformApplication ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:Software-definedRadio ] ; d3f:attack-id "IA-0002" ; d3f:definition "Adversaries target SDR-based transceivers and payload radios because reconfigurable waveforms, FPGA bitstreams, and software flowgraphs create programmable footholds. Manipulation can occur in the radio’s development pipeline (toolchains, out-of-tree modules), at integration (loading of bitstreams, DSP coefficients, calibration tables), or in service via update channels that deliver new waveforms or patches. On-orbit SDRs often expose control planes (command sets for mode/load/select), data planes (baseband I/Q), and management/telemetry paths, any of which can embed covert behavior, alternate demod paths, or hidden subcarriers. A compromised SDR can establish clandestine command-and-control by activating non-public waveforms, piggybacking on idle fields, or toggling to time/ephemeris-triggered profiles that blend with nominal operations. On the ground, compromised SDR modems can be used to fabricate mission-compatible emissions or to decode protected downlinks for reconnaissance. Attackers leverage the SDR’s malleability so that malicious signaling, once seeded, presents as a legitimate but rarely exercised configuration." ; d3f:may-modify d3f:Software-definedRadioConfiguration, d3f:Software-definedRadioWaveformApplication ; d3f:modifies d3f:Software-definedRadio ; rdfs:seeAlso . d3f:IA-0003 a owl:Class ; rdfs:label "Crosslink via Compromised Neighbor - SPARTA" ; skos:prefLabel "Crosslink via Compromised Neighbor" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0003" ; d3f:definition "Where spacecraft exchange data over inter-satellite links (RF or optical), a compromise on one vehicle can become a bridgehead to others. Threat actors exploit crosslink trust: shared routing, time distribution, service discovery, or gateway functions that forward commands and data between vehicles and ground. With knowledge of crosslink framing, addressing, and authentication semantics, an adversary can craft traffic that appears to originate from a trusted neighbor, injecting control messages, malformed service advertisements, or payload tasking that propagates across the mesh. In tightly coupled constellations, crosslinks may terminate on gateways that also touch the C&DH or payload buses, providing additional pivot opportunities. Because crosslink traffic is expected and often high volume, attacker activity can be timed to blend with synchronization intervals, ranging exchanges, or scheduled data relays." ; rdfs:seeAlso . d3f:IA-0004 a owl:Class ; rdfs:label "Secondary/Backup Communication Channel - SPARTA" ; skos:prefLabel "Secondary/Backup Communication Channel" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0004" ; d3f:definition "Adversaries pursue alternative paths to the spacecraft that differ from the primary TT&C in configuration, monitoring, or authentication. Examples include backup MOC/ground networks, contingency TT&C chains, maintenance or recovery consoles, low-rate emergency beacons, and secondary receivers or antennas on the vehicle. These channels exist to preserve commandability during outages, safing, or maintenance; they may use different vendors, legacy settings, or simplified procedures. Initial access typically pairs reconnaissance of failover rules with actions that steer operations onto the backup path, natural events, induced denial on the primary, or simple patience until scheduled tests and handovers occur. Once traffic flows over the alternate path, the attacker leverages its distinct procedures, dictionaries, or rate/size limits to introduce commands or data that would be harder to inject on the primary." ; rdfs:seeAlso . d3f:IA-0004.01 a owl:Class ; rdfs:label "Ground Station - SPARTA" ; skos:prefLabel "Ground Station" ; rdfs:subClassOf d3f:IA-0004 ; d3f:attack-id "IA-0004.01" ; d3f:definition "Threat actors may target the backup ground segment, standby MOC sites, alternate commercial stations, or contingency chains held in reserve. Threat actors establish presence on the backup path (operator accounts, scheduler/orchestration, modem profiles, antenna control) and then exploit moments when operations shift: planned exercises, maintenance at the primary site, weather diversions, or failover during anomalies. They may also shape conditions so traffic is re-routed, e.g., by saturating the primary’s RF front end or consuming its schedules, without revealing their involvement. Once on the backup, prepositioned procedures, macros, or configuration sets allow command injection, manipulation of pass timelines, or quiet collection of downlink telemetry." ; rdfs:seeAlso . d3f:IA-0004.02 a owl:Class ; rdfs:label "Receiver - SPARTA" ; skos:prefLabel "Receiver" ; rdfs:subClassOf d3f:IA-0004 ; d3f:attack-id "IA-0004.02" ; d3f:definition "Threat actors may target the spacecraft’s secondary (backup) RF receive path, often a differently sourced radio, alternate antenna/feed, or cross-strapped front end that is powered or enabled under specific modes. Threat actors map when the backup comes into play (safing, antenna obscuration, maintenance, link degradation) and what command dictionaries, framing, or authentication it expects. If the backup receiver has distinct waveforms, counters, or vendor defaults, the attacker can inject traffic that is accepted only when that path is active, limiting exposure during nominal ops. Forcing conditions that enable the backup, jamming the primary, exploiting geometry, or waiting for routine tests, creates the window for first execution. The result is a foothold gained through a rarely used RF path, exploiting differences in implementation and operational cadence between primary and standby receive chains." ; rdfs:seeAlso . d3f:IA-0005 a owl:Class ; rdfs:label "Rendezvous & Proximity Operations - SPARTA" ; skos:prefLabel "Rendezvous & Proximity Operations" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0005" ; d3f:definition "Adversaries may execute a sequence of orbital maneuvers to co-orbit and approach a target closely enough for local sensing, signaling, or physical interaction. Proximity yields advantages that are difficult to achieve from Earth: high signal-to-noise for interception, narrowly targeted interference or spoofing, observation of attitude/thermal behavior, and, if interfaces exist, opportunities for mechanical mating. The approach typically unfolds through phasing, far-field rendezvous, relative navigation (e.g., vision, lidar, crosslink cues), and closed-loop final approach. At close distances, an attacker can monitor side channels, stimulate acquisition beacons, test crosslinks, or prepare for contact operations (capture or docking)." ; rdfs:seeAlso . d3f:IA-0005.01 a owl:Class ; rdfs:label "Compromise Emanations - SPARTA" ; skos:prefLabel "Compromise Emanations" ; rdfs:subClassOf d3f:IA-0005 ; d3f:attack-id "IA-0005.01" ; d3f:definition "With a local vantage point, an adversary analyzes unintentional emissions to infer sensitive information. Crypto modules, command decoders, and main bus controllers can emit patterns correlated with key use, counter updates, or command parsing. Close-range sampling enables coherent averaging, directional sensing, and correlation against known command/telemetry sequences to separate signal from noise. If the emanations are information-bearing (e.g., side-channel leakage of keys, counters, or protocol state), they can be used to reconstruct authentication material, predict anti-replay windows, or derive decoder settings, providing a basis for initial access via crafted traffic." ; rdfs:seeAlso . d3f:IA-0005.02 a owl:Class ; rdfs:label "Docked Vehicle / OSAM - SPARTA" ; skos:prefLabel "Docked Vehicle / OSAM" ; rdfs:subClassOf d3f:IA-0005 ; d3f:attack-id "IA-0005.02" ; d3f:definition "Docking, berthing, or service capture during on-orbit servicing, assembly, and manufacturing (OSAM) creates a high-trust bridge between vehicles. Threat actors exploit this moment, either by pre-positioning code on a servicing vehicle or by manipulating ground updates to it, so that, once docked, lateral movement occurs across the mechanical/electrical interface. Interfaces may expose power and data umbilicals, standardized payload ports, or gateways into the target’s C&DH or payload networks (e.g., SpaceWire, Ethernet, 1553). Service tools that push firmware, load tables, transfer files, or share time/ephemeris become conduits for staged procedures or implants that execute under maintenance authority. Malware can be timed to activation triggers such as “link up,” “maintenance mode entered,” or specific device enumerations that only appear when docked. Because OSAM operations are scheduled and well-documented, the adversary can align preparation with published timelines, ensuring that the first point of execution coincides with the brief window when cross-vehicle trust is intentionally elevated." ; rdfs:seeAlso . d3f:IA-0005.03 a owl:Class ; rdfs:label "Proximity Grappling - SPARTA" ; skos:prefLabel "Proximity Grappling" ; rdfs:subClassOf d3f:IA-0005 ; d3f:attack-id "IA-0005.03" ; d3f:definition "In this variant, the attacker employs a capture mechanism (robotic arm, grappling fixture, magnetic or mechanical coupler) to establish physical contact without full docking. Once grappled, covers can be manipulated, temporary umbilicals attached, or exposed test points engaged; if design provisions exist (service ports, checkout connectors, external debug pads), these become direct pathways to device programming interfaces (e.g., JTAG/SWD/UART), mass-storage access, or maintenance command sets. Grappling also enables precise attitude control relative to the target, allowing contact-based sensors to read buses inductively or capacitively, or to inject signals onto harness segments reachable from the exterior. Initial access arises when a maintenance or debug path, normally latent in flight, is electrically or logically completed by the grappled connection, allowing authentication-bypassing actions such as boot-mode strapping, image replacement, or scripted command ingress. The operation demands accurate geometry, approach constraints, and fixture knowledge, but yields a transient, high-privilege bridge tailored for short, decisive actions that leave minimal on-orbit RF signature." ; rdfs:seeAlso . d3f:IA-0006 a owl:Class ; rdfs:label "Compromise Hosted Payload - SPARTA" ; skos:prefLabel "Compromise Hosted Payload" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0006" ; d3f:definition "Adversaries target hosted payloads as an alternate doorway into the host spacecraft. Hosted payloads often expose their own command sets, file services, and telemetry paths, sometimes via the host’s TT&C chain, sometimes through a parallel ground infrastructure under different operational control. Initial access arises when an attacker obtains the ability to issue payload commands, upload files, or alter memory/register state on the hosted unit. Because data and control must traverse an interface to the host bus (power, time, housekeeping, data routing, gateway processors), the payload–host boundary can also carry management functions: mode transitions, table loads, firmware updates, and cross-strapped links that appear only in maintenance or contingency modes. With knowledge of the interface specification and command dictionaries, a threat actor can activate rarely used modes, inject crafted data products, or trigger gateway behaviors that extend influence beyond the payload itself. In multi-tenant or commercial hosting arrangements, differences in keying, procedures, or scheduling between the payload operator and the bus operator provide additional opportunity for a first foothold that looks like routine payload commanding." ; rdfs:seeAlso . d3f:IA-0007 a owl:Class ; rdfs:label "Compromise Ground System - SPARTA" ; skos:prefLabel "Compromise Ground System" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0007" ; d3f:definition "Compromising the ground segment gives an adversary the most direct path to first execution against a spacecraft. Ground systems encompass operator workstations and mission control mission control software, scheduling/orchestration services, front-end processors and modems, antenna control, key-loading tools and HSMs, data gateways (SLE/CSP), identity providers, and cloud-hosted mission services. Once inside, a threat actor can prepare on-orbit updates, craft and queue valid telecommands, replay captured traffic within acceptance windows, or manipulate authentication material and counters to pass checks. The same foothold enables deep reconnaissance: enumerating mission networks and enclaves, discovering which satellites are operated from a site, mapping logical topology between MOC and stations, identifying in-band “birds” reachable from a given aperture, and learning pass plans, dictionaries, and automation hooks. From there, initial access to the spacecraft is a matter of timing and presentation, injecting commands, procedures, or update packages that align with expected operations so the first execution event appears indistinguishable from normal activity." ; rdfs:seeAlso . d3f:IA-0007.01 a owl:Class ; rdfs:label "Compromise On-Orbit Update - SPARTA" ; skos:prefLabel "Compromise On-Orbit Update" ; rdfs:subClassOf d3f:IA-0007 ; d3f:attack-id "IA-0007.01" ; d3f:definition "Adversaries may target the pipeline that produces and transmits updates to an on-orbit vehicle. Manipulation points include source repositories and configuration tables, build and packaging steps that generate images or differential patches, staging areas on ground servers, update metadata (versions, counters, manifests), and the transmission process itself. Spacecraft updates span flight software patches, FPGA bitstreams, bootloader or device firmware loads, and operational data products such as command tables, ephemerides, and calibration files, each with distinct formats, framing, and acceptance rules. An attacker positioned in the ground system can substitute or modify an artifact, alter its timing and timetags to match pass windows, and queue it through the same procedures operators use for nominal maintenance. Activation can be immediate or deferred: implants may lie dormant until a specific mode, safing entry, or table index is referenced." ; rdfs:seeAlso . d3f:IA-0007.02 a owl:Class ; rdfs:label "Malicious Commanding via Valid GS - SPARTA" ; skos:prefLabel "Malicious Commanding via Valid GS" ; rdfs:subClassOf d3f:IA-0007 ; d3f:attack-id "IA-0007.02" ; d3f:definition "Adversaries may use a compromised, mission-owned ground system to transmit legitimate-looking commands to the target spacecraft. Because the ground equipment is already configured for the mission, correct waveforms, framing, dictionaries, and scheduling, the attacker’s traffic blends with routine operations. Initial access unfolds by inserting commands or procedures into existing timelines, modifying rate/size limits or command queues, or invoking maintenance dictionaries and rapid-response workflows that accept broader command sets. Pre-positioned scripts can chain actions across multiple passes and stations, while telemetry routing provides immediate feedback to refine follow-on steps. Exfiltration can be embedded in standard downlink channels or forwarded through gateways as ordinary mission data. The distinguishing feature is that command origin appears valid, transmitted from approved apertures using expected parameters, so the first execution event is not a protocol anomaly but a misuse of legitimate command authority obtained through the compromised ground system." ; rdfs:seeAlso . d3f:IA-0008 a owl:Class ; rdfs:label "Rogue External Entity - SPARTA" ; skos:prefLabel "Rogue External Entity" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0008" ; d3f:definition "Adversaries obtain a foothold by interacting with the spacecraft from platforms outside the authorized ground architecture. A “rogue external entity” is any actor-controlled transmitter or node, ground, maritime, airborne, or space-based, that can radiate or exchange traffic using mission-compatible waveforms, framing, or crosslink protocols. The technique exploits the fact that many vehicles must remain commandable and discoverable over wide areas and across multiple modalities. Using public ephemerides, pass predictions, and knowledge of acquisition procedures, the actor times transmissions to line-of-sight windows, handovers, or maintenance periods. Initial access stems from presenting traffic that the spacecraft will parse or prioritize: syntactically valid telecommands, crafted ranging/acquisition exchanges, crosslink service advertisements, or payload/user-channel messages that bridge into the command/data path." ; rdfs:seeAlso . d3f:IA-0008.01 a owl:Class ; rdfs:label "Rogue Ground Station - SPARTA" ; skos:prefLabel "Rogue Ground Station" ; rdfs:subClassOf d3f:IA-0008 ; d3f:attack-id "IA-0008.01" ; d3f:definition "Adversaries may field their own ground system, transportable or fixed, to transmit and receive mission-compatible signals. A typical setup couples steerable apertures and GPS-disciplined timing with SDR/modems configured for the target’s bands, modulation/coding, framing, and beacon structure. Using pass schedules and Doppler/polarization predictions, the actor crafts over-the-air traffic that appears valid at the RF and protocol layers." ; rdfs:seeAlso . d3f:IA-0008.02 a owl:Class ; rdfs:label "Rogue Spacecraft - SPARTA" ; skos:prefLabel "Rogue Spacecraft" ; rdfs:subClassOf d3f:IA-0008 ; d3f:attack-id "IA-0008.02" ; d3f:definition "Adversaries may employ their own satellite or hosted payload to achieve proximity and a privileged RF geometry. After phasing into the appropriate plane or drift orbit, the rogue vehicle operates as a local peer: emitting narrow-beam or crosslink-compatible signals, relaying user-channel traffic that the target will honor, or advertising services that appear to originate from a trusted neighbor. Close range reduces path loss and allows highly selective interactions, e.g., targeted spoofing of acquisition exchanges, presentation of crafted routing/time distribution messages, or injection of payload tasking that rides established inter-satellite protocols. The rogue platform can also perform spectrum and protocol reconnaissance in situ, refining message formats and timing before attempting first execution." ; rdfs:seeAlso . d3f:IA-0008.03 a owl:Class ; rdfs:label "ASAT/Counterspace Weapon - SPARTA" ; skos:prefLabel "ASAT/Counterspace Weapon" ; rdfs:subClassOf d3f:IA-0008 ; d3f:attack-id "IA-0008.03" ; d3f:definition "Adversaries leverage counterspace platforms to create conditions under which initial execution becomes possible or to impose effects directly. Electronic warfare systems can jam or spoof links so that the target shifts to contingency channels or accepts crafted navigation/control signals; directed-energy systems can dazzle sensors or upset electronics, shaping mode transitions and autonomy responses; kinetic or contact-capable systems can enable mechanical interaction that exposes maintenance or debug paths. In each case, the counterspace asset is an external actor-controlled node that interacts with the spacecraft outside authorized ground pathways. Initial access may be the immediate result of accepted spoofed traffic, or it may be secondary, arising when the target enters states with broader command acceptance, alternative receivers, or service interfaces that the adversary can then exploit." ; rdfs:seeAlso . d3f:IA-0009 a owl:Class ; rdfs:label "Trusted Relationship - SPARTA" ; skos:prefLabel "Trusted Relationship" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0009" ; d3f:definition "Adversaries obtain first execution by riding connections that the mission already trusts, formal interconnections with partners, vendors, and user communities. Once a third party is compromised, the actor inherits that entity’s approved routes into mission enclaves: VPNs and jump hosts into ground networks, API keys into cloud tenants, automated file drops that feed command or update pipelines, and collaboration spaces where procedures and dictionaries circulate. Because traffic, credentials, and artifacts originate from known counterparts, the initial execution event can appear as a routine payload task, scheduled procedure, or software update promoted through established processes." ; rdfs:seeAlso . d3f:IA-0009.01 a owl:Class ; rdfs:label "Mission Collaborator (academia, international, etc.) - SPARTA" ; skos:prefLabel "Mission Collaborator (academia, international, etc.)" ; rdfs:subClassOf d3f:IA-0009 ; d3f:attack-id "IA-0009.01" ; d3f:definition "Missions frequently depend on distributed teams, instrument builders at universities, science operations centers, and international partners, connected by data portals, shared repositories, and federated credentials. A compromise of a collaborator yields access to telescience networks, analysis pipelines, instrument commanding tools, and file exchanges that deliver ephemerides, calibration products, procedures, or configuration tables into mission workflows. Partners may operate their own ground elements or payload gateways under delegated authority, creating additional entry points whose authentication and logging differ from the prime’s. Initial access emerges when attacker-modified artifacts or commands traverse these sanctioned paths: a revised calibration script uploaded through a science portal, a configuration table promoted by a cross-org CI job, or a payload task submitted via a collaboration queue and forwarded by the prime as routine work. Variations in process rigor, identity proofing, and toolchains across institutions amplify the attacker’s options while preserving the appearance of legitimate partner activity." ; rdfs:seeAlso . d3f:IA-0009.02 a owl:Class ; rdfs:label "Vendor - SPARTA" ; skos:prefLabel "Vendor" ; rdfs:subClassOf d3f:IA-0009 ; d3f:attack-id "IA-0009.02" ; d3f:definition "Vendors that design, integrate, or support mission systems often hold elevated, persistent routes into operations: remote administration of ground software and modems, access to identity providers and license servers, control of cloud-hosted services, and authority to deliver firmware, bitstreams, or patches. Attackers who compromise a vendor’s enterprise or build environment can assume these roles, issuing commands through approved consoles, queuing updates in provider-operated portals, or invoking maintenance procedures that the mission expects the vendor to perform. Some vendor pathways terminate directly on RF equipment or key-management infrastructure; others ride cross-account cloud roles or managed SaaS backends that handle mission data and scheduling." ; rdfs:seeAlso . d3f:IA-0009.03 a owl:Class ; rdfs:label "User Segment - SPARTA" ; skos:prefLabel "User Segment" ; rdfs:subClassOf d3f:IA-0009 ; d3f:attack-id "IA-0009.03" ; d3f:definition "The “user segment” encompasses end users and their equipment that interact with mission services, SATCOM terminals, customer ground gateways, tasking portals, and downstream processing pipelines for delivered data. Where these environments interconnect with mission cores, a compromised user domain becomes a springboard. Attackers can inject malformed tasking requests that propagate into payload scheduling, craft user-plane messages that traverse gateways into control or management planes, or seed data products that flow back to mission processing systems and automation. In broadband constellations and hosted services, user terminals may share infrastructure with TT&C or provider management networks, creating opportunities to pivot from customer equipment into provider-run nodes that the spacecraft trusts." ; rdfs:seeAlso . d3f:IA-0010 a owl:Class ; rdfs:label "Unauthorized Access During Safe-Mode - SPARTA" ; skos:prefLabel "Unauthorized Access During Safe-Mode" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0010" ; d3f:definition "Adversaries time their first execution to coincide with safe-mode, when the vehicle prioritizes survival and recovery. In many designs, safe-mode reconfigures attitude, reduces payload activity, lowers data rates, and enables contingency dictionaries or maintenance procedures that are dormant in nominal operations. Authentication, rate/size limits, command interlocks, and anti-replay handling may differ; some implementations reset counters, relax timetag screening, accept broader command sets, or activate alternate receivers and beacons to improve commandability. Ground behavior also shifts: extended passes, emergency scheduling, and atypical station use create predictable windows. An attacker who understands these patterns can present syntactically valid traffic that aligns with safe-mode expectations, maintenance loads, recovery scripts, table edits, or reboot/patch sequences, so the first accepted action appears consistent with fault recovery rather than intrusion." ; rdfs:seeAlso . d3f:IA-0011 a owl:Class ; rdfs:label "Auxiliary Device Compromise - SPARTA" ; skos:prefLabel "Auxiliary Device Compromise" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0011" ; d3f:definition "Adversaries abuse peripherals and removable media that the spacecraft (or its support equipment) ingests during development, I&T, or on-orbit operations. Small satellites and hosted payloads frequently expose standard interfaces, USB, UART, Ethernet, SpaceWire, CAN, or mount removable storage for loading ephemerides, tables, configuration bundles, or firmware. A tainted device can masquerade as a trusted class (mass-storage, CDC/HID) or present crafted files that trigger auto-ingest workflows, file watchers, or maintenance utilities. Malware may be staged by modifying the peripheral’s firmware, seeding the images written by lab formatting tools, or swapping media during handling. Once connected, the device can deliver binaries, scripts, or malformed data products that execute under existing procedures. Because these interactions often occur during hurried timelines (checkouts, rehearsals, contingency maintenance), the initial execution blends with legitimate peripheral use while traversing a path already privileged to reach flight software or controllers." ; rdfs:seeAlso . d3f:IA-0012 a owl:Class ; rdfs:label "Assembly, Test, and Launch Operation Compromise - SPARTA" ; skos:prefLabel "Assembly, Test, and Launch Operation Compromise" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0012" ; d3f:definition "Assembly, Test, and Launch Operation (ATLO) concentrates people, tools, and authority while components first exchange real traffic across flight interfaces. Test controllers, EGSE, simulators, flatsats, loaders, and data recorders connect to the same buses and command paths that will exist on orbit. Threat actors exploit this density and dynamism: compromised laptops or transient cyber assets push images and tables; lab networks bridge otherwise separate enclaves; vendor support accounts move software between staging and flight hardware; and “golden” artifacts created or modified in ATLO propagate into the as-flown baseline. Malware can traverse shared storage and scripting environments, ride update/checklist execution, or piggyback on protocol translators and gateways used to stimulate subsystems. Because ATLO often introduces late firmware loads, key/counter initialization, configuration freezes, and full-system rehearsals, a single well-placed change can yield first execution on multiple devices and persist into LEOP." ; rdfs:seeAlso . d3f:IA-0013 a owl:Class ; rdfs:label "Compromise Host Spacecraft - SPARTA" ; skos:prefLabel "Compromise Host Spacecraft" ; rdfs:subClassOf d3f:SPARTAInitialAccessTechnique ; d3f:attack-id "IA-0013" ; d3f:definition "The inverse of \"IA-0006: Compromise Hosted Payload\", this technique describes adversaries that are targeting a hosted payload, the host space vehicle (SV) can serve as an initial access vector to compromise the payload through vulnerabilities in the SV's onboard systems, communication interfaces, or software. If the SV's command and control systems are exploited, an attacker could gain unauthorized access to the vehicle's internal network. Once inside, the attacker may laterally move to the hosted payload, particularly if it shares data buses, processors, or communication links with the vehicle." ; rdfs:seeAlso . d3f:ID3 a owl:Class, owl:NamedIndividual ; rdfs:label "ID3" ; rdfs:subClassOf d3f:DecisionTree ; d3f:d3fend-id "D3A-ID3" ; d3f:definition "ID3 stands for Iterative Dichotomiser 3 and is named such because the algorithm iteratively (repeatedly) dichotomizes(divides) features into two or more groups at each step." ; d3f:kb-article """## Addtional Consiterations ID3 is the basis of C4.5, and is best used in natural language processing. ## References Decision Trees for Classification: ID3 Algorithm Explained. Towards Data Science. [Link](https://towardsdatascience.com/decision-trees-for-classification-id3-algorithm-explained-89df76e72df1).""" . d3f:Identifier a owl:Class, owl:NamedIndividual ; rdfs:label "Identifier" ; skos:altLabel "ID" ; rdfs:subClassOf d3f:DigitalInformation, [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:Artifact ] ; rdfs:isDefinedBy ; d3f:definition "An identifier is a name that identifies (that is, labels the identity of) either a unique object or a unique class of objects, where the \"object\" or class may be an idea, physical [countable] object (or class thereof), or physical [noncountable] substance (or class thereof). The abbreviation ID often refers to identity, identification (the process of identifying), or an identifier (that is, an instance of identification). An identifier may be a word, number, letter, symbol, or any combination of those." ; d3f:identifies d3f:Artifact . d3f:IdentifierActivityAnalysis a d3f:IdentifierActivityAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Identifier Activity Analysis" ; rdfs:subClassOf d3f:IdentifierAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Identifier ] ; d3f:analyzes d3f:Identifier ; d3f:d3fend-id "D3-IAA" ; d3f:definition "Taking known malicious identifiers and determining if they are present in a system." ; d3f:kb-article """## How it works Identifier activity analysis is the process of taking identifiers--typically known malicious identifiers--and determining the artifacts that have interacted with those identifiers. There are many open and closed source repositories of identifiers that represent indicators of compromise. For example, VirusTotal contains hash signatures of malware and IP Addresses used by threat actors. Defenders can search for these indicators of compromise their own systems to gain context on activity around an identifier. ## Considerations Indicator activity analysis is a good way to gain high precision analysis, but adversaries can modify their own signatures such as hashes quickly to evade detection. This is related to David Bianco’s Pyramid of Pain - Indicators on the lower level (hash values, IP addresses domain names) are easy for adversaries to change. Identifier activity data of interest for analysis with the identifier might include, but is not limited to: * network traffic activity where the identifier was used to identify communicating entities or referred to in the communication * process activity referencing the identifier, especially for resource access * file activity referencing the identifier * registry settings referencing the identifier""" ; d3f:kb-reference d3f:Reference-ThePyramidOfPain-DavidBianco . d3f:IdentifierAnalysis a d3f:IdentifierAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Identifier Analysis" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Detect ] ; d3f:d3fend-id "D3-ID" ; d3f:definition "Analyzing identifier artifacts such as IP address, domain names, or URL(I)s." ; d3f:enables d3f:Detect . d3f:IdentifierReputationAnalysis a d3f:IdentifierReputationAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Identifier Reputation Analysis" ; rdfs:subClassOf d3f:IdentifierAnalysis ; d3f:d3fend-id "D3-IRA" ; d3f:definition "Analyzing the reputation of an identifier." ; d3f:kb-reference d3f:Reference-Finding_phishing_sites . d3f:Image-to-ImageTranslationGAN a owl:Class, owl:NamedIndividual ; rdfs:label "Image-to-Image Translation GAN" ; rdfs:subClassOf d3f:GenerativeAdversarialNetwork ; d3f:d3fend-id "D3A-ITITG" ; d3f:definition "Image-to-image translation is the task of transferring styles and characteristics from one image domain to another." ; d3f:kb-article """## References MathWorks. (n.d.). Get Started with GANs for Image-to-Image Translation. [Link](https://www.mathworks.com/help/images/get-started-with-gans-for-image-to-image-translation.html)""" . d3f:ImageCodeSegment a owl:Class, owl:NamedIndividual ; rdfs:label "Image Code Segment" ; rdfs:subClassOf d3f:ImageSegment, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Subroutine ] ; d3f:contains d3f:Subroutine ; d3f:definition "An image code segment, also known as a text segment or simply as text, is a portion of an object file that contains executable instructions. The term \"segment\" comes from the memory segment, which is a historical approach to memory management that has been succeeded by paging. When a program is stored in an object file, the code segment is a part of this file; when the loader places a program into memory so that it may be executed, various memory regions are allocated (in particular, as pages), corresponding to both the segments in the object files and to segments only needed at run time. For example, the code segment of an object file is loaded into a corresponding code segment in memory." ; rdfs:seeAlso d3f:ProcessCodeSegment, . d3f:ImageDataSegment a owl:Class, owl:NamedIndividual ; rdfs:label "Image Data Segment" ; rdfs:subClassOf d3f:ImageSegment ; d3f:definition "An image data segment (often denoted .data) is a portion of an object file that contains initialized static variables, that is, global variables and static local variables. The size of this segment is determined by the size of the values in the program's source code, and does not change at run time. This segmenting of the memory space into discrete blocks with specific tasks carried over into the programming languages of the day and the concept is still widely in use within modern programming languages." ; rdfs:seeAlso d3f:ProcessDataSegment, . d3f:ImageFile a owl:Class, owl:NamedIndividual ; rdfs:label "Image File" ; rdfs:subClassOf d3f:File ; d3f:definition "A file that contains graphics data." . d3f:ImageScannerInputDevice a owl:Class ; rdfs:label "Image Scanner Input Device" ; skos:altLabel "Scanner" ; rdfs:subClassOf d3f:VideoInputDevice ; rdfs:isDefinedBy ; d3f:definition "An image scanner -- often abbreviated to just scanner, is a device that optically scans images, printed text, handwriting or an object and converts it to a digital image. Commonly used in offices are variations of the desktop flatbed scanner where the document is placed on a glass window for scanning. Hand-held scanners, where the device is moved by hand, have evolved from text scanning \"wands\" to 3D scanners used for industrial design, reverse engineering, test and measurement, orthotics, gaming and other applications. Mechanically driven scanners that move the document are typically used for large-format documents, where a flatbed design would be impractical." . d3f:ImageSegment a owl:Class ; rdfs:label "Image Segment" ; rdfs:subClassOf d3f:BinarySegment, d3f:FileSection ; d3f:definition "Image segments are distinct partitions of an object file. Both data and code segments are examples of image segments." ; rdfs:seeAlso d3f:ObjectFile, . d3f:ImageSynthesisGAN a owl:Class, owl:NamedIndividual ; rdfs:label "Image Synthesis GAN" ; rdfs:subClassOf d3f:GenerativeAdversarialNetwork ; d3f:d3fend-id "D3A-ISG" ; d3f:definition "Image synthesis thorugh the application of Generative Adversarial Networks." ; d3f:kb-article """## References Zhang, Q., Wang, H., Lu, H., Won, D., & Yoon, S. W. (2018). Medical Image Synthesis with Generative Adversarial Networks for Tissue Recognition. 2018 IEEE International Conference on Healthcare Informatics (ICHI), 199-207. doi: 10.1109/ICHI.2018.00030. [Link](https://ieeexplore.ieee.org/document/8419363)""" . d3f:IMP-0001 a owl:Class ; rdfs:label "Deception (or Misdirection) - SPARTA" ; skos:prefLabel "Deception (or Misdirection)" ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; d3f:attack-id "IMP-0001" ; d3f:definition "Measures designed to mislead an adversary by manipulation, distortion, or falsification of evidence or information into a system to induce the adversary to react in a manner prejudicial to their interests. Threat actors may seek to deceive mission stakeholders (or even military decision makers) for a multitude of reasons. Telemetry values could be modified, attacks could be designed to intentionally mimic another threat actor's TTPs, and even allied ground infrastructure could be compromised and used as the source of communications to the spacecraft." ; rdfs:seeAlso . d3f:IMP-0002 a owl:Class ; rdfs:label "Disruption - SPARTA" ; skos:prefLabel "Disruption" ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; d3f:attack-id "IMP-0002" ; d3f:definition "Measures designed to temporarily impair the use or access to a system for a period of time. Threat actors may seek to disrupt communications from the victim spacecraft to the ground controllers or other interested parties. By disrupting communications during critical times, there is the potential impact of data being lost or critical actions not being performed. This could cause the spacecraft's purpose to be put into jeopardy depending on what communications were lost during the disruption. This behavior is different than Denial as this attack can also attempt to modify the data and messages as they are passed as a way to disrupt communications." ; rdfs:seeAlso . d3f:IMP-0003 a owl:Class ; rdfs:label "Denial - SPARTA" ; skos:prefLabel "Denial" ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; d3f:attack-id "IMP-0003" ; d3f:definition "Measures designed to temporarily eliminate the use, access, or operation of a system for a period of time, usually without physical damage to the affected system. Threat actors may seek to deny ground controllers and other interested parties access to the victim spacecraft. This would be done exhausting system resource, degrading subsystems, or blocking communications entirely. This behavior is different from Disruption as this seeks to deny communications entirely, rather than stop them for a length of time." ; rdfs:seeAlso . d3f:IMP-0004 a owl:Class ; rdfs:label "Degradation - SPARTA" ; skos:prefLabel "Degradation" ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; d3f:attack-id "IMP-0004" ; d3f:definition "Measures designed to permanently impair (either partially or totally) the use of a system. Threat actors may target various subsystems or the hosted payload in such a way to rapidly increase it's degradation. This could potentially shorten the lifespan of the victim spacecraft." ; rdfs:seeAlso . d3f:IMP-0005 a owl:Class ; rdfs:label "Destruction - SPARTA" ; skos:prefLabel "Destruction" ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; d3f:attack-id "IMP-0005" ; d3f:definition "Measures designed to permanently eliminate the use of a system, potentially through some physical damage to the system. Threat actors may destroy data, commands, subsystems, or attempt to destroy the victim spacecraft itself. This behavior is different from Degradation, as the individual parts are destroyed rather than put in a position in which they would slowly degrade over time." ; rdfs:seeAlso . d3f:IMP-0006 a owl:Class ; rdfs:label "Theft - SPARTA" ; skos:prefLabel "Theft" ; rdfs:subClassOf d3f:SPARTAImpactTechnique ; d3f:attack-id "IMP-0006" ; d3f:definition "Threat actors may attempt to steal the data that is being gathered, processed, and sent from the victim spacecraft. Many spacecraft have a particular purpose associated with them and the data they gather is deemed mission critical. By attempting to steal this data, the mission, or purpose, of the spacecraft could be lost entirely." ; rdfs:seeAlso . d3f:ImpactTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Impact Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0040 ] ; d3f:definition "The adversary is trying to manipulate, interrupt, or destroy your systems and data." ; d3f:enables d3f:TA0040 . d3f:ImpersonateUser a d3f:SystemCall, owl:Class, owl:NamedIndividual ; rdfs:label "Impersonate User" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:forges ; owl:someValuesFrom d3f:UserAccount ] ; d3f:forges d3f:UserAccount . d3f:ImportLibraryFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Import Library Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:loads ; owl:someValuesFrom d3f:SharedLibraryFile ] ; d3f:definition "Loads an external software library to enable the invocations of its methods." ; d3f:loads d3f:SharedLibraryFile . d3f:In-memoryPasswordStore a owl:Class, owl:NamedIndividual ; rdfs:label "In-memory Password Store" ; rdfs:subClassOf d3f:PasswordStore ; d3f:definition "A password store held in memory." . d3f:InboundInternetDNSResponseTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Inbound Internet DNS Response Traffic" ; rdfs:subClassOf d3f:InboundInternetNetworkTraffic ; d3f:definition "Inbound internet DNS response traffic is DNS response traffic from a host outside a given network initiated on an incoming connection to a host inside that network." ; rdfs:seeAlso . d3f:InboundInternetEncryptedTraffic a owl:Class ; rdfs:label "Inbound Internet Encrypted Traffic" ; rdfs:subClassOf d3f:InboundInternetNetworkTraffic ; d3f:definition "Inbound internet encrypted traffic is encrypted network traffic on an incoming connection initiated from a host outside the network to a host within a network ." . d3f:InboundInternetEncryptedWebTraffic a owl:Class ; rdfs:label "Inbound Internet Encrypted Web Traffic" ; rdfs:subClassOf d3f:InboundInternetEncryptedTraffic, d3f:InboundInternetWebTraffic ; d3f:definition "Inbound internet web traffic is network traffic that is: (a) on an incoming connection initiated from a host outside the network to a host within a network, and (b) using a standard web encryption protocol." ; rdfs:seeAlso . d3f:InboundInternetMailTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Inbound Internet Mail Traffic" ; rdfs:subClassOf d3f:InboundInternetNetworkTraffic, d3f:InboundNetworkTraffic, d3f:MailNetworkTraffic ; d3f:definition "Inbound internet mail traffic is network traffic that is: (a) coming from a host outside a given network via an incoming connection to a host inside that same network, and (b) using a standard protocol for email." ; rdfs:seeAlso . d3f:InboundInternetNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Inbound Internet Network Traffic" ; rdfs:subClassOf d3f:InboundNetworkTraffic, d3f:InternetNetworkTraffic, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:definition "Inbound internet traffic is network traffic from a host outside a given network initiated on an incoming connection to a host inside that network." ; d3f:produces d3f:NetworkTraffic ; rdfs:seeAlso . d3f:InboundInternetWebTraffic a owl:Class ; rdfs:label "Inbound Internet Web Traffic" ; rdfs:subClassOf d3f:InboundInternetNetworkTraffic ; d3f:definition "Inbound internet web traffic is network traffic that is: (a) on an incoming connection initiated from a host outside the network to a host within a network, and (b) using a standard web protocol." ; rdfs:seeAlso , . d3f:InboundNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Inbound Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic ; d3f:definition "Inbound traffic is network traffic originating from another host (client), to the host of interest (server)." . d3f:InboundSessionVolumeAnalysis a d3f:InboundSessionVolumeAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Inbound Session Volume Analysis" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:InboundInternetNetworkTraffic ] ; d3f:analyzes d3f:InboundInternetNetworkTraffic ; d3f:d3fend-id "D3-ISVA" ; d3f:definition "Analyzing inbound network session or connection attempt volume." ; d3f:kb-article """## How it works Network appliances are configured to alert on certain packets that typically are involved in DoS attacks. Typical packets include ICMP packets and SYN requests that are commonly used to flood networks. A sampling period is used to define a time window in which collected counts of the identified packets can be measured. If the collected number of packets exceeds a predefined limit then an alert is generated. ## Considerations Scalability as volume of attacks increase; single servers may not have the memory and storage resources to handle high volumes of network traffic.""" ; d3f:kb-reference d3f:Reference-DetectingDDoSAttackUsingSnort, , d3f:Reference-MethodAndSystemForUDPFloodAttackDetection-RioreyLLC, , . d3f:InboundTrafficFiltering a d3f:InboundTrafficFiltering, owl:Class, owl:NamedIndividual ; rdfs:label "Inbound Traffic Filtering" ; rdfs:subClassOf d3f:NetworkTrafficFiltering, [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:InboundNetworkTraffic ] ; d3f:d3fend-id "D3-ITF" ; d3f:definition "Restricting network traffic originating from untrusted networks destined towards a private host or enclave." ; d3f:filters d3f:InboundNetworkTraffic ; d3f:kb-article """## How it works Inbound Traffic, in this context, is network traffic originating from an untrusted network towards a private host or enclave. For example: * An untrusted network host connecting to a internal commercial portal, shopping.example.com * An external mail server connecting to an internal mail server, mail.example.com Filtering policies are developed by administrators to meet business requirements and limit connectivity. These policies are implemented on edge devices such as firewalls, routers, and intrusion prevention systems. Examples of filters: * Blocking incoming traffic from spoofed internally facing IP addresses * Blocking specific ports and services from establishing connections * Limiting specific IP ranges from connecting to the network * Dynamic inbound filtering (Hole punching, STUN, NAT-T) ## Considerations * Business requirements typically drive the development of filtering rulesets * Protocols using non-standard ports may circumvent filtering technology, which does not detect application protocol based on traffic content ## Implementations * OpenWRT (Embedded) * Netfilter (Linux) * Windows Firewall * pf(BSD)""" ; d3f:kb-reference d3f:Reference-ActiveFirewallSystemAndMethodology_McAfeeLLC, d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft, d3f:Reference-FirewallForInterentAccess_SecureComputingLLC, d3f:Reference-FirewallForProcessingAConnectionlessNetworkPacket_NationalSecurityAgency, d3f:Reference-FirewallForProcessingConnection-orientedAndConnectionlessDatagramsOverAConnection-orientedNetwork_NationalSecurityAgency, d3f:Reference-FirewallsThatFilterBasedUponProtocolCommands_IntelCorp, d3f:Reference-FWTK-FirewallToolkit_, d3f:Reference-MethodForControllingComputerNetworkSecurity_CheckpointSoftwareTechnologiesLtd, d3f:Reference-NetworkFirewallWithProxy_SecureComputingLLC . d3f:IndirectBranchCallAnalysis a d3f:IndirectBranchCallAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Indirect Branch Call Analysis" ; rdfs:subClassOf d3f:ProcessAnalysis ; d3f:d3fend-id "D3-IBCA" ; d3f:definition "Analyzing vendor specific branch call recording in order to detect ROP style attacks." ; d3f:kb-article """## How it works This technique is used to detect an attacker attempting to exploit and execute code on a target system's call stack using return-oriented programming (ROP). Modern processors that have the ability to maintain a list of the branching calls, e.g., Intel's Last Branch Recording (LBR), can be used to track and analyze indirect branching calls that are indicative of malicious activity. In order to reduce the number of indirect branch calls to analyze to a manageable set it is assumed that malicious ROP activity will involve the use of system calls. The technique observes indirect branch calls that are part of paths that lead to system calls, all others are ignored. Branching calls chained together is often referred to as gadgets and gadgets are often used in ROP attacks. Indirect branch calls that involve a transfer from user-space to kernel-space are of interest for this technique. Identification of potential ROP exploit execution includes: - Inspecting the LBR when a system function call is made - The LBR is configured to return only instruction of interest (ret, indirect jmp, indirect calls) - Behavior is analyzed for - Ret instructions that appear to target areas not preceded by the call sites - Sequences of small code fragments that appear to be chained through the indirect branching calls (gadgets) - Of interest are returns that appear to not render control back after calls - Typical ret-call are paired - gadgets will appear to have ret followed by instruction of next instruction of the following gadget ## Considerations * May be operating system dependent since specific system calls are used to scope branching behavoir * Processors need to support access to a Last Branch Recording list feature * The size of the LBR stack can limit the expected size of the analyzed execution stack * If processor does not support LBR then overhead costs for the analysis can be significant""" ; d3f:kb-reference d3f:Reference-IndirectBranchingCalls . d3f:InferentialStatistics a owl:Class, owl:NamedIndividual ; rdfs:label "Inferential Statistics" ; rdfs:subClassOf d3f:StatisticalMethod ; d3f:d3fend-id "D3A-IS" ; d3f:definition "Statistical inference is the process of using data analysis to infer properties of an underlying distribution of probability." ; d3f:kb-article """## References Wikipedia. (n.d.). Statistical inference. [Link](https://en.wikipedia.org/wiki/Statistical_inference)""" . d3f:InitialAccessTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Initial Access Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0001 ] ; d3f:definition "The adversary is trying to get into your network." ; d3f:enables d3f:TA0001 . d3f:InitScript a owl:Class ; rdfs:label "Init Script" ; skos:altLabel "Initialization Script" ; rdfs:subClassOf d3f:ExecutableScript ; d3f:definition "An init script (or initialization script) is an executable script that initializes the an application, a process, or a service's state. Examples include scripts run at boot by Unix or Windows, or those run to initialize a shell." ; rdfs:seeAlso , . d3f:InputDevice a owl:Class, owl:NamedIndividual ; rdfs:label "Input Device" ; rdfs:subClassOf d3f:HardwareDevice, d3f:LocalResource ; rdfs:isDefinedBy ; d3f:definition "In computing, an input device is a piece of equipment used to provide data and control signals to an information processing system such as a computer or information appliance. Examples of input devices include keyboards, mouse, scanners, digital cameras, joysticks, and microphones." . d3f:InputDeviceAnalysis a d3f:InputDeviceAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Input Device Analysis" ; rdfs:subClassOf d3f:OperatingSystemMonitoring, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:InputDevice ] ; d3f:analyzes d3f:InputDevice ; d3f:d3fend-id "D3-IDA" ; d3f:definition "Operating system level mechanisms to prevent abusive input device exploitation." ; d3f:kb-article """## How it works Input Device Hardening techniques filter certain commands, or disable related operating system functionality. ### Analytics All of these values can be analyzed and compared to a baseline: * Amount of input * Duration of a single input * Durations between inputs * Value of input Context can also include: * User which is logged in, to include attributes such as physical location of the user * Date and time * System which is processing the input * Source device of input, to include its properties (eg. manufacturer), configuration (eg. keyboard layout) and behavioral attributes of this device (eg. first use) * Source system of input (local or remote system) * Other hardware devices attached to the system ### Actions Actions can include: * Disabling the source device * Sending an alert * Locking the current session (eg. system screen lock, or returning to an authentication screen in a web app) and requiring one or more methods of authentication to continue * Administratively disabling credentials for the account or the entire account -- the technique *Account Locking* ### Examples A malicious input device sends many keystrokes with approximately the same delay between each. This does not match the normal cadence of input, and the device is disabled. Input to type the session user's name takes abnormally longer for each keystroke. The system is locked to the password prompt screen. A system receives key press events from two different devices -- one device sends keystrokes after the other has been idle for a long time. A system receives physical input in a user session, while that user has sent input from a device located out of the country in the past hour. Network traffic is suddenly routed through a new external device, and nearly the same volume of network traffic is subsequently sent out the previously existing interface. The new external device is disabled, and an alert is raised to investigate the network configuration for a potential compromise. ## Considerations Given some example of legitimate behavioral input patterns, attackers could mimic those input patterns, a technique which has been used in popular culture in the creation of Deepfake videos and [This Person Does Not Exist](https://thispersondoesnotexist.com).""" ; d3f:kb-reference d3f:Reference-www.biometric-solutions.com_keystroke-dynamics, . d3f:InputDeviceEvent a owl:Class ; rdfs:label "Input Device Event" ; rdfs:subClassOf d3f:HardwareDeviceEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:InputDevice ] ; d3f:definition "An event involving human-machine interface devices, such as keyboards, mice, or touchscreens." . d3f:InputFunction a owl:Class ; rdfs:label "Input Function" ; rdfs:subClassOf d3f:Subroutine ; d3f:definition "Generic function that receives input from an untrusted source." . d3f:Instance-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Instance-based Transfer Learning" ; rdfs:subClassOf d3f:HomogenousTransferLearning ; d3f:d3fend-id "D3A-IBTL" ; d3f:definition "Instance-based transfer learning methods try to reweight the samples in the source domain in an attempt to correct for marginal distribution differences. These reweighted instances are then directly used in the target domain for training." ; d3f:kb-article """## References Georgian Impact Blog. (n.d.). Transfer Learning Part 1. [Link](https://medium.com/georgian-impact-blog/transfer-learning-part-1-ed0c174ad6e7#:~:text=Homogeneous%20Transfer%20Learning-,1.,the%20target%20domain%20for%20training).""" . d3f:InstantMessagingClient a owl:Class ; rdfs:label "Instant Messaging Client" ; rdfs:subClassOf d3f:CollaborativeSoftware ; rdfs:isDefinedBy ; d3f:definition "Client software used to engage in Instant Messaging, a type of online chat that offers real-time text transmission over the Internet. A LAN messenger operates in a similar way over a local area network. Short messages are typically transmitted between two parties, when each user chooses to complete a thought and select \"send\". Some IM applications can use push technology to provide real-time text, which transmits messages character by character, as they are composed. More advanced instant messaging can add file transfer, clickable hyperlinks, Voice over IP, or video chat." . d3f:IntegerRangeValidation a owl:Class, owl:NamedIndividual ; rdfs:label "Integer Range Validation" ; rdfs:subClassOf d3f:SourceCodeHardening, [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:MathematicalFunction ] ; d3f:d3fend-id "D3-IRV" ; d3f:definition "Ensuring that an integer is within a valid range." ; d3f:hardens d3f:MathematicalFunction ; d3f:kb-article """## How it Works Integer Range Validation can be done by programmatically checking the value of an integer before or after an operation to determine if the resulting value will be valid. Checking the value of an integer to ensure it is in a valid range helps prevent integer overflow, wraparound, and logical errors. ## Considerations * A valid range can be defined by language, data-type, or logical constraints. * Take extra care when doing operations on integers that will result in a value close to the bounds of a valid range. * Note: This resource should not be considered a definitive or exhaustive coding guideline.""" ; d3f:kb-reference d3f:Reference-IntegerRangeValidation_SEI . d3f:IntegratedHoneynet a d3f:IntegratedHoneynet, owl:Class, owl:NamedIndividual ; rdfs:label "Integrated Honeynet" ; rdfs:subClassOf d3f:DecoyEnvironment, [ a owl:Restriction ; owl:onProperty d3f:spoofs ; owl:someValuesFrom d3f:IntranetNetwork ] ; d3f:d3fend-id "D3-IHN" ; d3f:definition "The practice of setting decoys in a production environment to entice interaction from attackers." ; d3f:kb-article """## How it works Integrated honeynets use full production environments connected to the enterprise network, that utilize computing resources or software that attract attackers, and allow full interaction and access that provides a complete view of an attack. ## Considerations An attacker with control of a system on an Integrated Honeynet could: * try to attack other connected hosts on the network, its IP range of internal hosts not properly configured to react to connections from machines on the integrated honeynet, or position behind the firewall. * exploit its position by eavesdropping on network traffic If an attacker manages to stop the processes used to log an attack without setting off any alarms. [1] 1. Honeypots for Windows, Roger Grimes, 2005""" ; d3f:kb-reference d3f:Reference-SynchronizingAHoneyNetworkConfigurationToReflectATargetNetworkEnvironment_PaloAltoNetworksInc ; d3f:spoofs d3f:IntranetNetwork . d3f:IntegrationTestExecutionTool a owl:Class ; rdfs:label "Integration Test Execution Tool" ; rdfs:subClassOf d3f:TestExecutionTool ; d3f:definition "An integration test execution tool automatically performs integration testing. Integration testing (sometimes called integration and testing, abbreviated I&T) is the phase in software testing in which individual software modules are combined and tested as a group." ; rdfs:seeAlso . d3f:InternetArticleReference a owl:Class ; rdfs:label "Internet Article Reference" ; skos:altLabel "Internet Blog Reference" ; rdfs:subClassOf d3f:TechniqueReference ; d3f:pref-label "Internet Article" . d3f:InternetBasedAttacker a owl:Class ; rdfs:label "Internet-based Attacker" ; rdfs:subClassOf d3f:RemoteAttacker, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:WideAreaNetwork ] ; d3f:definition "A remote attacker who leverages the internet to conduct attacks, such as through phishing, malware, or direct network attacks." . d3f:InternetDNSLookup a owl:Class ; rdfs:label "Internet DNS Lookup" ; rdfs:subClassOf d3f:DNSLookup ; d3f:definition "An internet Domain Name System (DNS) lookup is a DNS lookup made from a host on a network that is resolved after querying a DNS name server hosted on a different network." ; rdfs:seeAlso . d3f:InternetFileTransferTraffic a owl:Class ; rdfs:label "Internet File Transfer Traffic" ; rdfs:subClassOf d3f:FileTransferNetworkTraffic, d3f:InternetNetworkTraffic ; d3f:definition "Internet file transfer network traffic is network traffic related to file transfers between network nodes that crosses a boundary between networks. This includes only network traffic conforming to standard file transfer protocols, not custom transfer protocols." . d3f:InternetNetwork a owl:Class ; rdfs:label "Internet Network" ; skos:altLabel "Interconnected Network", "Internet", "Internetwork" ; rdfs:subClassOf d3f:Network ; rdfs:isDefinedBy ; d3f:definition "A network of multiple, connected networks. Internetworking is the practice of connecting a computer network with other networks through the use of gateways that provide a common method of routing information packets between the networks. The resulting system of interconnected networks are called an internetwork, or simply an internet. Internetworking is a combination of the words inter (\"between\") and networking; not internet-working or international-network." . d3f:InternetNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Internet Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic ; d3f:definition "Internet network traffic is network traffic that crosses a boundary between networks. [This is the general sense of inter-networking; It may or may not cross to or from the Internet]" ; rdfs:seeAlso . d3f:InternetPersona a owl:Class ; rdfs:label "Internet Persona" ; skos:altLabel "Online Identity", "Online Persona", "Online Personality" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A social identity that an Internet user establishes in online communities and websites. It may also be an actively constructed presentation of oneself." ; rdfs:seeAlso . d3f:InterprocessCommunication a owl:Class, owl:NamedIndividual ; rdfs:label "Interprocess Communication" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "In computer science, inter-process communication or inter-process communication (IPC) refers specifically to the mechanisms an operating system provides to allow processes it manages to share data. Typically, applications can use IPC categorized as clients and servers, where the client requests data and the server responds to client requests. Many applications are both clients and servers, as commonly seen in distributed computing. Methods for achieving IPC are divided into categories which vary based on software requirements, such as performance and modularity requirements, and system circumstances, such as network bandwidth and latency." . d3f:InterquartileRange a owl:Class, owl:NamedIndividual ; rdfs:label "Interquartile Range" ; rdfs:subClassOf d3f:Variability ; d3f:d3fend-id "D3A-IR" ; d3f:definition "The interquartile range (IQR) is a measure of statistical dispersion, which is the spread of the data and is defined as the difference between the 75th and 25th percentiles of the data." ; d3f:kb-article """## References Wikipedia. (n.d.). Interquartile range. [Link](https://en.wikipedia.org/wiki/Interquartile_range)""" ; d3f:synonym "IQR" . d3f:IntervalEstimation a owl:Class, owl:NamedIndividual ; rdfs:label "Interval Estimation" ; rdfs:subClassOf d3f:Estimation ; d3f:d3fend-id "D3A-IE" ; d3f:definition "Interval estimation is the use of sample data to estimate an interval of possible values of a parameter of interest." ; d3f:kb-article """## References Wikipedia. (n.d.). Interval estimation. [Link](https://en.wikipedia.org/wiki/Interval_estimation)""" . d3f:IntranetAdministrativeNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Intranet Administrative Network Traffic" ; rdfs:subClassOf d3f:AdministrativeNetworkTraffic, d3f:IntranetNetworkTraffic ; d3f:definition "Intranet administrative network traffic is administrative network traffic that does not cross a given network's boundaries and uses a standard administrative protocol." ; rdfs:seeAlso . d3f:IntranetDNSLookup a owl:Class ; rdfs:label "Intranet DNS Lookup" ; rdfs:subClassOf d3f:DNSLookup ; d3f:definition "An Intranet Domain Name System (DNS) lookup is a DNS lookup made from a host on a network that is resolved after querying a DNS name server hosted on a that same network." ; rdfs:seeAlso . d3f:IntranetFileTransferTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Intranet File Transfer Traffic" ; rdfs:subClassOf d3f:FileTransferNetworkTraffic, d3f:IntranetNetworkTraffic ; d3f:definition "Intranet file transfer traffic is file transfer traffic that does not cross a given network's boundaries and uses a standard file transfer protocol." ; rdfs:seeAlso , . d3f:IntranetIPCNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Intranet IPC Network Traffic" ; rdfs:subClassOf d3f:IntranetNetworkTraffic, d3f:IPCNetworkTraffic, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:File ] ; d3f:definition "Intranet IPC network traffic is network traffic that does not cross a given network's boundaries and uses a standard inter-process communication (IPC) networking protocol." ; d3f:may-contain d3f:File ; rdfs:seeAlso , . d3f:IntranetMulticastNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Intranet Multicast Network Traffic" ; rdfs:subClassOf d3f:IntranetNetworkTraffic ; d3f:definition "Intranet IPC network traffic is multicast network traffic that does not cross a given network's boundaries." ; rdfs:seeAlso . d3f:IntranetNetwork a owl:Class, owl:NamedIndividual ; rdfs:label "Intranet Network" ; rdfs:subClassOf d3f:Network ; rdfs:isDefinedBy ; d3f:definition "An intranet is a private network accessible only to an organization's staff or delegates. Generally a wide range of information and services from the organization's internal IT systems are available that would not be available to the public from the Internet. A company-wide intranet can constitute an important focal point of internal communication and collaboration, and provide a single starting point to access internal and external resources. In its simplest form an intranet is established with the technologies for local area networks (LANs) and wide area networks (WANs)." . d3f:IntranetNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Intranet Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic ; d3f:definition "Intranet network traffic is network traffic traversing that does not traverse a given network's boundaries." ; rdfs:seeAlso . d3f:IntranetRPCNetworkTraffic a owl:Class ; rdfs:label "Intranet RPC Network Traffic" ; rdfs:subClassOf d3f:IntranetNetworkTraffic, d3f:RPCNetworkTraffic ; d3f:definition "Intranet RPC network traffic is network traffic that does not cross a given network's boundaries and uses a standard remote procedure call (e.g., RFC 1050) protocol." ; rdfs:seeAlso , . d3f:IntranetWebNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Intranet Web Network Traffic" ; rdfs:subClassOf d3f:IntranetNetworkTraffic, d3f:WebNetworkTraffic, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:File ] ; d3f:definition "Intranet web network traffic is network traffic that does not cross a given network's boundaries and uses a standard web protocol." ; d3f:may-contain d3f:File ; rdfs:seeAlso . d3f:IntrinsicallySemi-supervisedLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Intrinsically Semi-supervised Learning" ; rdfs:subClassOf d3f:Semi-SupervisedLearning ; d3f:d3fend-id "D3A-ISSL" ; d3f:definition "These methods directly optimize an objective function with components for labeled and unlabeled samples and do not rely on any intermediate steps or supervised base learners. Basically, these methods are extension of existing supervised methods to include the effect of unlabeled data samples in the objective function." ; d3f:kb-article """## References Beginner's Guide to Semi-Supervised Learning. Jashish Blog. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/).""" . d3f:IntrusionDetectionSystem a owl:Class ; rdfs:label "Intrusion Detection System" ; skos:altLabel "IDS" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms." . d3f:IntrusionPreventionSystem a owl:Class ; rdfs:label "Intrusion Prevention System" ; skos:altLabel "IDPS", "Intrusion Detection and Prevention System", "IPS" ; rdfs:subClassOf d3f:IntrusionDetectionSystem ; rdfs:isDefinedBy ; d3f:definition """Intrusion prevention systems (IPS), also known as intrusion detection and prevention systems (IDPS), are network security appliances that monitor network or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, report it and attempt to block or stop it. Intrusion prevention systems are considered extensions of intrusion detection systems because they both monitor network traffic and/or system activities for malicious activity. The main differences are, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. IPS can take such actions as sending an alarm, dropping detected malicious packets, resetting a connection or blocking traffic from the offending IP address. An IPS also can correct cyclic redundancy check (CRC) errors, defragment packet streams, mitigate TCP sequencing issues, and clean up unwanted transport and network layer options.""" ; rdfs:seeAlso . d3f:IOModule a owl:Class, owl:NamedIndividual ; rdfs:label "I/O Module" ; rdfs:subClassOf d3f:HardwareDevice ; d3f:definition "An I/O Module is a hardware device that translates signals between external sensors or actuators and control systems. It typically handles analog-to-digital (and vice versa) conversion, serving as the data interface that allows physical processes to be monitored and controlled by digital controllers." . d3f:IOPortRestriction a d3f:IOPortRestriction, owl:Class, owl:NamedIndividual ; rdfs:label "IO Port Restriction" ; rdfs:subClassOf d3f:AccessMediation, [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:InputDevice ], [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:RemovableMediaDevice ], [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:IOModule ] ; d3f:d3fend-id "D3-IOPR" ; d3f:definition "Limiting access to computer input/output (IO) ports to restrict unauthorized devices." ; d3f:filters d3f:InputDevice, d3f:RemovableMediaDevice ; d3f:isolates d3f:IOModule ; d3f:kb-article """## How It works Software-based restriction uses agent software installed on a computer system. The agent software monitors all IO port system traffic. The agent software is configurable to limit the use of certain devices connected to IO ports. The restriction software can also be configured to limit the access to files and applications on external storage devices connected to IO ports. Hardware-based restriction can also be employed to limit access to IO ports. For example, a hardware USB filter device that is placed between the host system and the external devices can filter IO port connections based on configurable rules. When new devices are connected to the USB filter the type of device is determined. Using an allow list a connection determination is made for the device. Some implementations detect when a device is connected in order to authorize the connection against a list of approved devices, in some cases by device type. For example, if the device is determined to be a storage device, then the contained files and executables are examined to more accurately identify the device type. Types of restrictions that may be applied: - Device connection - Device command filtering - Device file system read or write restrictions ## Considerations * Agent software will need to be installed on host systems * Configurations for allow/deny for devices and files will need to be maintained""" ; d3f:kb-reference d3f:Reference-ComputerMotherboardHavingPeripheralSecurityFunctions, d3f:Reference-MethodAndSystemForControllingCommunicationPorts, d3f:Reference-USBFilterForHubMaliciousCodePreventionSystem . d3f:IPAddress a owl:Class, owl:NamedIndividual ; rdfs:label "IP Address" ; rdfs:subClassOf d3f:Identifier, [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:NetworkNode ] ; rdfs:isDefinedBy ; d3f:definition "An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.An IP address serves two main functions: host or network interface identification and location addressing. Internet Protocol version 4 (IPv4) defines an IP address as a 32-bit number. However, because of the growth of the Internet and the depletion of available IPv4 addresses, a new version of IP (IPv6), using 128 bits for the IP address, was standardized in 1998. IPv6 deployment has been ongoing since the mid-2000s." ; d3f:identifies d3f:NetworkNode . d3f:IPCNetworkTraffic a owl:Class ; rdfs:label "IPC Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic ; d3f:definition "IPC network traffic is network traffic related to inter-process communication (IPC) between network nodes..This includes only network traffic conforming to a standard IPC protocol; not custom protocols." . d3f:IPCTrafficAnalysis a d3f:IPCTrafficAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "IPC Traffic Analysis" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:IntranetIPCNetworkTraffic ] ; d3f:analyzes d3f:IntranetIPCNetworkTraffic ; d3f:d3fend-id "D3-IPCTA" ; d3f:definition "Analyzing standard inter process communication (IPC) protocols to detect deviations from normal protocol activity." ; d3f:kb-article """## How it works Inter process communication enables applications or threads to share data. This can involve one or more computers. Monitoring IPC in your environment can reveal abnormal or malicious activity. IPC can occur within a single computer or between multiple computers remotely through network protocols. Thus there are multiple ways to collect and monitor these exchanges between processes. A network protocol analyzer may monitor and parse SMB network traffic to record system activity. A host based monitoring agent may monitor IPC activity contained within a single host to look for deviations from standard usages. ### Examples * SMB * Zeromq * Java RMI API ## Considerations * IPC can generate substantial amounts of data, and it may not be feasible to collect all of it. * IPC may occur over loopback interfaces or direct memory access granted by the operating system.""" ; d3f:kb-reference d3f:Reference-CAR-2015-04-001%3ARemotelyScheduledTasksViaAT_MITRE, d3f:Reference-SecuritySystemWithMethodologyForInterprocessCommunicationControl_CheckPointSoftwareTechInc, d3f:Reference-SMBCopyAndExecution_MITRE, d3f:Reference-SMBEventsMonitoring_MITRE, d3f:Reference-SMBSessionSetups_MITRE, d3f:Reference-SMBWriteRequest-NamedPipes_MITRE, d3f:Reference-SMBWriteRequest_MITRE ; d3f:synonym "IPC Analysis" . d3f:IPPhone a owl:Class ; rdfs:label "IP Phone" ; skos:altLabel "VoIP Phone" ; rdfs:subClassOf d3f:PersonalComputer ; rdfs:isDefinedBy ; d3f:definition "A VoIP phone or IP phone uses voice over IP technologies for placing and transmitting telephone calls over an IP network, such as the Internet, instead of the traditional public switched telephone network (PSTN). Digital IP-based telephone service uses control protocols such as the Session Initiation Protocol (SIP), Skinny Client Control Protocol (SCCP) or various other proprietary protocols." . d3f:IPReputationAnalysis a d3f:IPReputationAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "IP Reputation Analysis" ; rdfs:subClassOf d3f:IdentifierReputationAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:IPAddress ] ; d3f:analyzes d3f:IPAddress ; d3f:d3fend-id "D3-IPRA" ; d3f:definition "Analyzing the reputation of an IP address." ; d3f:kb-reference d3f:Reference-Database_for_receiving_storing_and_compiling_information_about_email_messages, d3f:Reference-Finding_phishing_sites . d3f:Isolate a d3f:DefensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Isolate" ; rdfs:subClassOf d3f:DefensiveTactic ; d3f:definition "The isolate tactic creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses." ; d3f:display-order 2 ; d3f:display-priority 0 . d3f:IsolationEvent a owl:Class, owl:NamedIndividual ; rdfs:label "Isolation Event" ; rdfs:subClassOf d3f:SecurityEvent ; d3f:definition "An event involving actions to create logical or physical barriers that isolate compromised components, preventing adversary movement and reducing attack surfaces." ; d3f:related d3f:Isolate . d3f:JavaArchive a owl:Class ; rdfs:label "Java Archive" ; rdfs:subClassOf d3f:ArchiveFile, d3f:SoftwarePackage ; d3f:definition "A JAR (Java ARchive) is a package file format typically used to aggregate many Java class files and associated metadata and resources (text, images, etc.) into one file for distribution." ; rdfs:seeAlso . d3f:JavaScriptBlob a owl:Class, owl:NamedIndividual ; rdfs:label "JavaScript Blob" ; rdfs:subClassOf d3f:BinaryLargeObject ; d3f:definition "A JavaScript Blob is a Blob that was created by a JavaScript Blob() constructor call or equivalent function." . d3f:JobFunctionAccessPatternAnalysis a d3f:JobFunctionAccessPatternAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Job Function Access Pattern Analysis" ; rdfs:subClassOf d3f:UserBehaviorAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Authorization ] ; d3f:analyzes d3f:Authorization ; d3f:d3fend-id "D3-JFAPA" ; d3f:definition "Detecting anomalies in user access patterns by comparing user access activity to behavioral profiles that categorize users by role such as job title, function, department." ; d3f:kb-article """## How it works Peer group analysis identifies functionally similar groups of actors (users or resources) based on categorizations such as job title, organizational hierarchy, or other attribute that indicates similarity of job function. Current user access activity is then compared to the appropriate peer group behavior profile to identify anomalies. ## Considerations Potential for false positives from anomalies that are not associated with malicious activity.""" ; d3f:kb-reference d3f:Reference-AnomalyDetectionUsingAdaptiveBehavioralProfiles_SecuronixInc . d3f:JobSchedule a owl:Class, owl:NamedIndividual ; rdfs:label "Job Schedule" ; rdfs:subClassOf d3f:DigitalInformation, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ScheduledJob ], [ a owl:Restriction ; owl:onProperty d3f:modified-by ; owl:someValuesFrom d3f:JobSchedulerSoftware ] ; d3f:contains d3f:ScheduledJob ; d3f:definition "A job schedule contains specification of tasks to be executed at particular times or time intervals. The schedule is a plan that enacted by a task scheduling process. In Windows, the schedule can be accessed at 'C:\\Windows\\System32\\Tasks' or in the registry. In Linux, the schedule is located at '/etc/crontab'" ; d3f:modified-by d3f:JobSchedulerSoftware ; d3f:synonym "Task Schedule" ; rdfs:seeAlso , . d3f:JobSchedulerSoftware a owl:Class, owl:NamedIndividual ; rdfs:label "Job Scheduler Software" ; rdfs:subClassOf d3f:SystemServiceSoftware, [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:ScheduledJob ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:JobSchedule ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:ScheduledJob ] ; d3f:creates d3f:ScheduledJob ; d3f:definition "A job scheduler software is operating system software that when run executes scheduled tasks (time-scheduling in the sense of wall clock time; not operating system scheduling of processes for multitasking). Processes running such software are task scheduler processes. In Windows, Scheduled Tasks are created and managed by the Task Scheduler. In Unix-like OSes, the `cron` utitility serves a similar role." ; d3f:modifies d3f:JobSchedule, d3f:ScheduledJob ; d3f:synonym "Task Scheduler Software" ; rdfs:seeAlso d3f:ScheduledJob, , . d3f:K-CenterClustering a owl:Class, owl:NamedIndividual ; rdfs:label "K-Center Clustering" ; rdfs:subClassOf d3f:Graph-basedClustering ; d3f:d3fend-id "D3A-KCC" ; d3f:definition "K-center Clustering is a type of clustering based on an combinatorial optimization methods. It clusters a set of points so as to minimize the maximum intercluster distance." ; d3f:kb-article """## How it works An example K-center Clustering problem is to mimimize the number of points in a set that are necessary so that a every other point in the set is within some fixed distance of those points. For instance, given n cities with specified distances, one wants to build k warehouses in different cities and minimize the maximum distance of a city to a warehouse. ## Considerations - **Scalability**: Exact solutions are NP-hard. However, algorithms that have been proven effective and create no more than 2x the optimal set of clusters can run in O(kn) proportional to k*n where k is the minimum number of clusters and n is the number of data points being clustered. ## Key Test Considerations - **Unsupervised Learning**: - **Number of Clusters**: The Gonzalez (Gon) algorithm guarantees creating no more than twice the optimal number of clusters, where the optimal number is the minimum number of clusters to minimize total distance between representative points in the clusters [1]. - **Cluster Analysis**: - **Rand Index and Adjusted Rand Index**: Given ground truth set of class labels for the data, the Rand Index is a measure of the similarity between two data clusterings. The Rand Index is the accuracy of determining if a link belongs within a cluster or not. A form of the Rand Index may be defined that is adjusted for the chance grouping of elements, this is the Adjusted Rand Index [5]. - **Adjusted Mutual Information**: Given ground truth set of class labels for the data, Adjusted Mutual Information corrects the effect of agreement solely due to chance between clusterings, similar to the way the Adjusted Rand Index corrects the Rand Index [6]. - **Connection-based Clustering**: - **Choice of Distance Metric**: The outcome can vary significantly depending on the chosen distance metric (e.g., Euclidean, Manhattan). - **Sensitivity**: Connection-based method can be sensitive to outliers, which might affect the quality of the clusters formed. - **K-center Clustering**: - **Silhouette Score**: The silhouette score refers to a scoring method that helps validate the consistency between clusters of data. The evaluation technique also produces a concise graphical representation of how well each object appear to have been classified. It is suited to K-centric Clustering in that it also works for different metric spaces. - **Distance Metric**: The distance measure must be a true metric (see [2]). Differences in the metric chosen may (e.g., Euclidean,a Manhattan) affect results significantly. - **Sensitivity**: Greedy implementations may be sensitive to outliers. ## Platforms, Tools, or Libraries N/A. _Note that this algorithm is relatively simple and so it is usually implemented from scratch by those incorporating this algorithm into a system._ ## References 1. Gonzalez, T.F. (1985). Clustering to Minimize the Maximum Intercluster Distance. Theor. Comput. Sci., 38, 293-306. [Link](https://www.sciencedirect.com/science/article/pii/0304397585902245?via%3Dihub). 1. Weisstein, Eric W. (n.d.). "Metric." From MathWorld--A Wolfram Web Resource. [Link](https://mathworld.wolfram.com/Metric.html). 1. Wikipedia. (8 Aug 2023). Metric k-center [Link](https://en.wikipedia.org/wiki/Metric_k-center). 1. Wikipedia. (14 Aug 2023). Vertex k-center problem. [Link](https://en.wikipedia.org/wiki/Vertex_k-center_problem). 1. Wikipedia. (n.d.). Rand Index. [Link](https://en.wikipedia.org/wiki/Rand_index). 1. Wikipedia. (n.d.). Adjusted Mutual Information. [Link](https://en.wikipedia.org/wiki/Adjusted_mutual_information). 1. Wikipedia. (1 Aug 2023). Silhouette (clustering). [Link](https://en.wikipedia.org/wiki/Silhouette_(clustering)).""" . d3f:K-FoldCross-Validation a owl:Class, owl:NamedIndividual ; rdfs:label "K-Fold Cross-Validation" ; rdfs:subClassOf d3f:ResamplingEnsemble ; d3f:d3fend-id "D3A-KFCV" ; d3f:definition "Cross-validation is a resampling procedure used to evaluate machine learning models on a limited data sample. The procedure has a single parameter called k that refers to the number of groups that a given data sample is to be split into. As such, the procedure is often called k-fold cross-validation. When a specific value for k is chosen, it may be used in place of k in the reference to the model, such as k=10 becoming 10-fold cross-validation" ; d3f:kb-article """## References K-Fold Cross-Validation. Machine Learning Mastery. [Link](https://machinelearningmastery.com/k-fold-cross-validation/#:~:text=Cross%2Dvalidation%20is%20a%20resampling,k%2Dfold%20cross%2Dvalidation).""" . d3f:K-meansClustering a owl:Class, owl:NamedIndividual ; rdfs:label "K-means Clustering" ; rdfs:subClassOf d3f:Centroid-basedClustering ; d3f:d3fend-id "D3A-KMC" ; d3f:definition "K-means algorithm identifies k number of centroids, and then allocates every data point to the nearest cluster, while keeping the centroids as small as possible." ; d3f:kb-article """## References Towards Data Science. (n.d.). Understanding K-means Clustering in Machine Learning. [Link](https://towardsdatascience.com/understanding-k-means-clustering-in-machine-learning-6a6e67336aa1)""" . d3f:K-NearestNeighbors a owl:Class, owl:NamedIndividual ; rdfs:label "K-Nearest Neighbors" ; rdfs:subClassOf d3f:Classification ; d3f:d3fend-id "D3A-KNN" ; d3f:definition "The k-nearest neighbors algorithm, also known as KNN or k-NN, is a non-parametric, supervised learning classifier, which uses proximity to make classifications or predictions about the grouping of an individual data point." ; d3f:kb-article """## **How it works** The goal of the k-nearest neighbor algorithm is to identify the nearest neighbors of a given query point, so that we can assign a class label to that point. To determine which data points are closest to a given query point, the distance between the query point and the other data points will need to be calculated. The distance measures used can vary depending on the data set or implementation and help inform decision boundaries, which query points into different regions. Then, by defining the k-value (the number of neighbors to be checked to determine the classification of a specific query point), the data can be assigned its class label. For classification problems, a class label is assigned on the basis of a majority vote—i.e. the label that is most frequently represented around a given data point is used (the term “majority vote” is commonly used in literature, however, the technique is more technically considered “plurality voting”). Regression problems use a similar concept as classification problem, but in this case, the average the k nearest neighbors is taken to make a prediction about a classification. The main distinction here is that classification is used for discrete values, whereas regression is used with continuous ones. Unlike other algorithms that explicitly model the problem, such as linear regression, KNN is instance-based. It means that the algorithm doesn't explicitly learn a model. Instead, it memorizes the training instances and uses them as "knowledge" for the prediction phase. It's also worth noting that the KNN algorithm is also part of a family of “lazy learning” models, meaning that it only stores a training dataset versus undergoing a training stage. ## **Considerations** * **Scaling:** Scaling is a problem as KNN is a lazy algorithm and takes up more memory and storage compared to other classification methods. * **Implementation and Hyperparameters:** As KNN only requires a k-value and a distance metric, it is often an easy implementation and can adjust will to new training data. ## Key Test Considerations - **Supervised Learning:** - **Cross Validation:** As cross validation methods like k-fold, leave-one-out, and stratified cross validation can help validate model performance. However, nuances like pessimism bias in k-fold cross validation or high variability in leave-one-out cross validation may need consideration. - **Classification:** - **ROC Curve:** A standard technique used to summarize classifier performance over a range of tradeoffs between true and false positives is the Receiver Operating Characteristic (ROC) curve. - **Data Imbalance:** Imbalanced data sets where one class significantly outnumbers others, under sampling techniques like SMOTE may be beneficial in sampling minority classes. - **K-Nearest Neighbor** - **Choice of K:** The number of neighbors, K, affects the decision boundary. A smaller K can lead to a noisy decision boundary, while a large K can smooth it out, but may also blur class distinctions. - **K-d Tree:** Exact searching on large datasets can be computationally costly and inefficient. Implementing approximate nearest neighbor algorithms like the K-d tree algorithm. - **Dimensionality:** KNN does not perform well while using high-dimensional data and can be sensitive to irrelevant features which can lead to overfitting. - **Distance Metric:** Choosing the appropriate distance metric (Euclidean, Manhattan, MinKowski, Hamming etc.) is essential, based on the nature of the data. ## **References** 1. IBM. K-Nearest Neighbors Algorithm. [Link](https://www.ibm.com/topics/knn?mhsrc=ibmsearch_a&mhq=k-nearest%20neighbors%20). 2. Muja, M., & Lowe, D. G. (2014). Scalable nearest neighbor algorithms for high dimensional data. IEEE Transactions on Pattern Analysis and Machine Intelligence. [Link]( https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6809191). 3. Chawla, N. V., Bowyer, K. W., Hall, L. O., & Kegelmeyer, W. P. (2002). SMOTE: synthetic minority over-sampling technique. Journal of artificial intelligence research, 16, 321-357. [Link]( https://www.jair.org/index.php/jair/article/view/10302/24590). 4. Kohavi, R. (1995). A study of cross-validation and bootstrap for accuracy estimation and model selection. Proceedings of the 14th international joint conference on Artificial intelligence . [Link]( https://www.ijcai.org/Proceedings/95-2/Papers/016.pdf).""" . d3f:KendallsRankCorrelationCoefficient a owl:Class, owl:NamedIndividual ; rdfs:label "Kendall's Rank Correlation Coefficient" ; rdfs:subClassOf d3f:RankCorrelationCoefficient ; rdfs:isDefinedBy ; d3f:d3fend-id "D3A-KRCC" ; d3f:definition "Kendall's $\\\\tau$ between and is given by $(n_c - n_d) / \\\\sqrt((n_c+n_d+n_x)(n_c+n_d+n_y)$, where is the number of concordant pairs of observations, is the number of discordant pairs, is the number of ties involving only the variable, and is the number of ties involving only the variable.\" ;" ; d3f:kb-article """## References 1. Wolfram Research. (2012). KendallTau. Wolfram Language function. [Link](https://reference.wolfram.com/language/ref/KendallTau.html) 1. Kendall's Tau. (2023, May 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Kendall_rank_correlation_coefficient]\"\"\",""" ; d3f:synonym "Kendall's Tau Coefficient" . d3f:KerberosTicket a owl:Class, owl:NamedIndividual ; rdfs:label "Kerberos Ticket" ; rdfs:subClassOf d3f:AccessToken ; d3f:definition "An access ticket/token issued by a Kerberos system." . d3f:KerberosTicketGrantingServiceTicket a owl:Class ; rdfs:label "Kerberos Ticket Granting Service Ticket" ; skos:altLabel "TGS Ticket" ; rdfs:subClassOf d3f:KerberosTicket ; d3f:definition "A Kerberos ticket-granting service (TGS) ticket is given in response to requesting a Kerberos TGS request." . d3f:KerberosTicketGrantingTicket a owl:Class, owl:NamedIndividual ; rdfs:label "Kerberos Ticket Granting Ticket" ; rdfs:subClassOf d3f:KerberosTicket, d3f:TicketGrantingTicket ; d3f:definition "A ticket granting ticket issued by a Kerberos system; that is, a ticket that grants a user domain admin access." ; rdfs:seeAlso . d3f:KerberosTicketGrantingTicketAccount a owl:Class, owl:NamedIndividual ; rdfs:label "Kerberos Ticket Granting Ticket Account" ; rdfs:subClassOf d3f:ServiceAccount, [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:KerberosTicketGrantingTicket ] ; d3f:creates d3f:KerberosTicketGrantingTicket ; d3f:definition "KRBTGT is an account used by Key Distribution Center (KDC) service to issue Ticket Granting Tickets (TGTs) as part of the Kerberos authentication protocol." ; d3f:synonym "krbtgt" ; rdfs:seeAlso . d3f:Kernel a owl:Class, owl:NamedIndividual ; rdfs:label "Kernel" ; rdfs:subClassOf d3f:SystemSoftware, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:KernelProcessTable ], [ a owl:Restriction ; owl:onProperty d3f:loads ; owl:someValuesFrom d3f:Application ], [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:OperatingSystemProcess ], [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:UserProcess ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:HardwareDriver ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:KernelModule ] ; rdfs:isDefinedBy ; d3f:contains d3f:KernelProcessTable ; d3f:definition "The kernel is a computer program that constitutes the central core of a computer's operating system. It has complete control over everything that occurs in the system. As such, it is the first program loaded on startup, and then manages the remainder of the startup, as well as input/output requests from software, translating them into data processing instructions for the central processing unit. It is also responsible for managing memory, and for managing and communicating with computing peripherals, like printers, speakers, etc. The kernel is a fundamental part of a modern computer's operating system." ; d3f:loads d3f:Application ; d3f:manages d3f:OperatingSystemProcess, d3f:UserProcess ; d3f:may-contain d3f:HardwareDriver, d3f:KernelModule ; rdfs:seeAlso . d3f:Kernel-basedProcessIsolation a d3f:Kernel-basedProcessIsolation, owl:Class, owl:NamedIndividual ; rdfs:label "Kernel-based Process Isolation" ; rdfs:subClassOf d3f:ExecutionIsolation, [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:Process ] ; rdfs:comment "e.g. KVM" ; d3f:d3fend-id "D3-KBPI" ; d3f:definition "Using kernel-level capabilities to isolate processes." ; d3f:isolates d3f:Process ; d3f:kb-reference d3f:Reference-OverviewOfTheSeccompSandbox . d3f:KernelAPISensor a owl:Class, owl:NamedIndividual ; rdfs:label "Kernel API Sensor" ; rdfs:subClassOf d3f:EndpointSensor, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:SystemCall ] ; d3f:definition "Monitors system calls (operating system api functions)." ; d3f:monitors d3f:SystemCall . d3f:KernelEvent a owl:Class ; rdfs:label "Kernel Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Kernel ] ; d3f:definition "An event involving operations at the kernel level of an operating system, encompassing interactions with core system resources such as drivers, modules, system calls, and other privileged processes. Kernel events are critical for understanding low-level system behavior and ensuring the integrity of the operating environment." ; rdfs:seeAlso . d3f:KernelModule a owl:Class, owl:NamedIndividual ; rdfs:label "Kernel Module" ; skos:altLabel "LKM", "Loadable Kernel Module" ; rdfs:subClassOf d3f:ObjectFile ; rdfs:isDefinedBy ; d3f:definition """A loadable kernel module (LKM) is an object file that contains code to extend the running kernel, or so-called base kernel, of an operating system. LKMs are typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls. When the functionality provided by a LKM is no longer required, it can be unloaded in order to free memory and other resources. Most current Unix-like systems and Microsoft Windows support loadable kernel modules, although they might use a different name for them, such as kernel loadable module (kld) in FreeBSD, kernel extension (kext) in macOS,[1] kernel extension module in AIX, kernel-mode driver in Windows NT[2] and downloadable kernel module (DKM) in VxWorks. They are also known as kernel loadable modules (or KLM), and simply as kernel modules (KMOD).""" ; rdfs:seeAlso . d3f:KernelModuleEvent a owl:Class ; rdfs:label "Kernel Module Event" ; rdfs:subClassOf d3f:KernelEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:HardwareDriver ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:KernelModule ] ; d3f:definition "An event involving the management of kernel modules, such as the loading or unloading of device drivers, extensions, or other dynamically linked components essential for kernel functionality." ; rdfs:seeAlso . d3f:KernelModuleLoadEvent a owl:Class ; rdfs:label "Kernel Module Load Event" ; rdfs:subClassOf d3f:KernelModuleEvent, [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:MemoryAllocationEvent ] ; d3f:definition "An event representing the loading of a kernel module, such as a device driver or dynamically linked extension, into the operating system kernel to extend or modify its capabilities." . d3f:KernelModuleUnloadEvent a owl:Class ; rdfs:label "Kernel Module Unload Event" ; rdfs:subClassOf d3f:KernelModuleEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:KernelModuleLoadEvent ], [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:MemoryDeletionEvent ] ; d3f:definition "An event representing the removal of a kernel module from the operating system kernel, deallocating resources and potentially altering system functionality." . d3f:KernelProcessTable a owl:Class, owl:NamedIndividual ; rdfs:label "Kernel Process Table" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A data structure in the kernel which is a table containing all of the information that must be saved when the CPU switches from running one process to another in a multitasking system. It allows the operating system to track all the process's execution status, and contains the For every process managed by the kernel, there is a process control block (PCB) in the process table." ; rdfs:seeAlso , . d3f:KeyboardInputDevice a owl:Class, owl:NamedIndividual ; rdfs:label "Keyboard Input Device" ; skos:altLabel "Computer Keyboard", "Keyboard" ; rdfs:subClassOf d3f:InputDevice ; rdfs:isDefinedBy ; d3f:definition "A computer keyboard is a typewriter-style device which uses an arrangement of buttons or keys to act as mechanical levers or electronic switches. Following the decline of punch cards and paper tape, interaction via teleprinter-style keyboards became the main input method for computers. A keyboard is also used to give commands to the operating system of a computer, such as Windows' Control-Alt-Delete combination. Although on Pre-Windows 95 Microsoft operating systems this forced a re-boot, now it brings up a system security options screen." . d3f:KioskComputer a owl:Class ; rdfs:label "Kiosk Computer" ; skos:altLabel "Interactive Kiosk" ; rdfs:subClassOf d3f:SharedComputer ; rdfs:isDefinedBy ; d3f:definition "An interactive kiosk is a computer terminal featuring specialized hardware and software that provides access to information and applications for communication, commerce, entertainment, or education. Early interactive kiosks sometimes resembled telephone booths, but have been embraced by retail, food service and hospitality to improve customer service and streamline operations. Interactive kiosks are typically placed in high foot traffic settings such as shops, hotel lobbies or airports." . d3f:Kurtosis a owl:Class, owl:NamedIndividual ; rdfs:label "Kurtosis" ; rdfs:subClassOf d3f:DistributionProperties ; d3f:d3fend-id "D3A-KUR" ; d3f:definition "The measure of the \"fatness\" of the tails of a pmf or pdf. The fourth standardized moment of the distribution." ; d3f:kb-article """## References Wikipedia. (n.d.). Probability distribution. [Link](https://en.wikipedia.org/wiki/Probability_distribution)""" . d3f:LANAccessMediation a d3f:LANAccessMediation, owl:Class, owl:NamedIndividual ; rdfs:label "LAN Access Mediation" ; rdfs:subClassOf d3f:NetworkAccessMediation, [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:LocalAreaNetwork ] ; rdfs:comment "Layer 2 Enforcement" ; d3f:d3fend-id "D3-LAMED" ; d3f:definition "LAN access mediation encompasses the application of strict access control policies, systematic verification of devices, and authentication mechanisms to govern connectivity to a Local Area Network." ; d3f:isolates d3f:LocalAreaNetwork ; d3f:kb-article """## How it works LAN Access Mediation is a network security approach that manages and controls access to a Local Area Network by using key components such as Access Control Lists (ACLs) to specify which devices are allowed or denied access, Port Security to restrict device connections to specific switch ports, RADIUS for determining the level of access or specific resources available to users or devices, and 802.1X for enforcing device authentication before granting network access. This comprehensive strategy ensures that only authorized devices and users can connect to the network, enhancing overall security.""" ; d3f:kb-reference d3f:Reference-WhatIsNetworkAccessControl ; rdfs:seeAlso . d3f:LaptopComputer a owl:Class ; rdfs:label "Laptop Computer" ; skos:altLabel "Laptop", "Notebook" ; rdfs:subClassOf d3f:PersonalComputer ; rdfs:isDefinedBy ; d3f:definition "A laptop computer (also laptop), is a small, portable personal computer (PC) with a \"clamshell\" form factor, typically having a thin LCD or LED computer screen mounted on the inside of the upper lid of the clamshell and an alphanumeric keyboard on the inside of the lower lid. The clamshell is opened up to use the computer. Laptops are folded shut for transportation, and thus are suitable for mobile use. Its name comes from lap, as it was deemed to be placed on a person's lap when being used. Although originally there was a distinction between laptops and notebooks (the former being bigger and heavier than the latter), as of 2014, there is often no longer any difference. Today, laptops are commonly used in a variety of settings, such as at work, in education, for playing games, web browsing" . d3f:LateralMovementTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Lateral Movement Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0008 ] ; d3f:definition "The adversary is trying to move through your environment." ; d3f:enables d3f:TA0008 . d3f:LegacySystem a owl:Class, owl:NamedIndividual ; rdfs:label "Legacy System" ; rdfs:subClassOf d3f:DigitalSystem ; rdfs:isDefinedBy ; d3f:definition "In computing, a legacy system is an old method, technology, computer system, or application program, \"of, relating to, or being a previous or outdated computer system,\" yet still in use. Often referencing a system as \"legacy\" means that it paved the way for the standards that would follow it. This can also imply that the system is out of date or in need of replacement." ; d3f:synonym "Legacy Digital System" . d3f:LevenshteinMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Levenschtein Matching" ; rdfs:subClassOf d3f:ApproximateStringMatching ; d3f:d3fend-id "D3A-LM" ; d3f:definition "The Levenshtein distance (LD) is a metric for measuring the differences between two sequences - or strings. Informally, the LD is the number of individual edits one would have to make to turn one sequence into another." ; d3f:kb-article """## References 1. Navarro, G. (2001). A guided tour to approximate string matching. _ACM Computing Surveys_, 33(1), 31-88. [Link](https://doi.org/10.1145/375360.375365)""" ; d3f:synonym "Edit Distance" . d3f:LinearClassifier a owl:Class, owl:NamedIndividual ; rdfs:label "Linear Classifier" ; rdfs:subClassOf d3f:Classification ; d3f:d3fend-id "D3A-LC" ; d3f:definition "A linear classifier is a model that makes a decision to categories a set of data points to a discrete class based on a linear combination of its explanatory variables" ; d3f:kb-article """## References A Look at the Maths Behind Linear Classification. Towards Data Science. [Link](https://towardsdatascience.com/a-look-at-the-maths-behind-linear-classification-166e99a9e5fb).""" . d3f:LinearLogicProgramming a owl:Class, owl:NamedIndividual ; rdfs:label "Linear Logic Programming" ; rdfs:subClassOf d3f:LogicProgramming ; d3f:d3fend-id "D3A-LLP" ; d3f:definition "Linear logic programming is a form of logic programming that uses linear logic, that is, it emphasizes the use of formulas as resources." ; d3f:kb-article """## References 1. Cosmo, R. and Miller D. (2019, May 24). _Linear logic_. Stanford Encyclopedia of Philosophy. [Link](https://plato.stanford.edu/entries/logic-linear/#LinLogComSci) 2. Linear logic programming. (2023, May 16). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Logic_programming#Linear_logic_programming)""" . d3f:LinearRegression a owl:Class, owl:NamedIndividual ; rdfs:label "Linear Regression" ; rdfs:subClassOf d3f:RegressionAnalysis ; d3f:d3fend-id "D3A-LR" ; d3f:definition "Statistical regression method used for predictive analysis by modeling the linear relationship between independent and dependent variables." ; d3f:kb-article """## How it works Takes independent variables (i.e. covariate, features, predictors, input variables) and dependent variables (i.e. response, output, “thing to be estimated”) and produces the coefficient(s) and intercept for a linear equation (e.g. (β1, β0) for y = β1x + β0) which predicts the relationship between the independent and independent variables by minimizing a cost function, Mean Squared Error, either directly in the case of univariate linear regression or by gradient descent* in the case of multivariate linear regression. ## Considerations - There are four principal assumptions required for good results using linear regression (the first letters of the four principal assumptions form the "LINE" mnemonic): - Linearity and Additivity - Independent Residuals - Normal Residual Distributions - Equal Variances (i.e. homoscedasticity) - Linear regression is a low variance/high bias model. - Optimizers like Adam, Batch, and Mini-Batch and others are available for certain applications and data sets. - A large learning ratio or training coefficient may lead to divergent behavior of the model and too small of values may lead to long run times and inefficiency. ## Verification Approach - Models are often evaluated by examining one or more of the metrics of R2, Root Mean Squared Error (RMSE), Mean Absolute Error (MAE), and Mean Absolute Percentage Error (MAPE). - While there is no generally accepted single best performance metric as a criterion, users of linear regression should consider the suitability of one or more of these metrics for assessing the performance of their model. - Use well known data sets to verify model execution. ## Validation Approach - Violating the principal assumptions of linear regression results in poor or misleading results. - Ensure data is truly representative and if there are any known biases. ## References 1. Gawali, Suvarna. “Linear Regression Algorithm to Make Predictions Easily.” Analytics Vidhya, 22 July 2022, https://www.analyticsvidhya.com/blog/2021/06/linear-regression-in-machine-learning/. 1. Nau, Robert. “Statistical Forecasting: Notes On Regression and Time Series Analysis.” Introduction to Linear Regression Analysis, Duke University Fuqua School of Business, 18 Aug. 2020, https://people.duke.edu/~rnau/regintro.htm. 1. Ng, Ritchie. “Evaluating a Linear Regression Model.” Ritchieng.github.io, 8 Jan. 2023, https://www.ritchieng.com/machine-learning-evaluate-linear-regression-model/. 1. Bochkarev, Alexei. "A New Typology Design of Performance Metrics to Measure Errors in Machine Learning Regression Algorithms", 2019, https://www.researchgate.net/publication/330661543_A_New_Typology_Design_of_Performance_Metrics_to_Measure_Errors_in_Machine_Learning_Regression_Algorithms.""" . d3f:LinearRegressionLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Linear Regression Learning" ; rdfs:subClassOf d3f:RegressionAnalysisLearning ; d3f:d3fend-id "D3A-LRL" ; d3f:definition "A supervised learning method that builds a linear regression model using training data." ; d3f:kb-article """## References - Gawali, Suvarna. “Linear Regression Algorithm to Make Predictions Easily.” Analytics Vidhya, 22 July 2022, https://www.analyticsvidhya.com/blog/2021/06/linear-regression-in-machine-learning/. - Nau, Robert. “Statistical Forecasting: Notes On Regression and Time Series Analysis.” Introduction to Linear Regression Analysis, Duke University Fuqua School of Business, 18 Aug. 2020, https://people.duke.edu/~rnau/regintro.htm. - Ng, Ritchie. “Evaluating a Linear Regression Model.” Ritchieng.github.io, 8 Jan. 2023, https://www.ritchieng.com/machine-learning-evaluate-linear-regression-model/. - Bochkarev, Alexei. "A New Typology Design of Performance Metrics to Measure Errors in Machine Learning Regression Algorithms", 2019, https://www.researchgate.net/publication/330661543_A_New_Typology_Design_of_Performance_Metrics_to_Measure_Errors_in_Machine_Learning_Regression_Algorithms.""" ; rdfs:seeAlso d3f:LinearRegression . d3f:Link a owl:Class ; rdfs:label "Link" ; rdfs:subClassOf d3f:D3FENDCore, d3f:DigitalInformationBearer ; d3f:definition "A link is a connection or association between two entities that facilitates communication, interaction, or data transfer." ; rdfs:seeAlso . d3f:Linux_Exit a owl:Class ; rdfs:label "Linux _Exit" ; rdfs:subClassOf d3f:OSAPITerminateProcess ; rdfs:isDefinedBy ; d3f:definition "Terminate the calling process." . d3f:LinuxClone a owl:Class ; rdfs:label "Linux Clone" ; rdfs:subClassOf d3f:OSAPICreateProcess ; rdfs:isDefinedBy ; d3f:definition "Creates a child process and provides more precise control over the data shared between the parent and child processes." . d3f:LinuxClone3 a owl:Class ; rdfs:label "Linux Clone3" ; rdfs:subClassOf d3f:OSAPICreateProcess ; rdfs:isDefinedBy ; d3f:definition """Creates a child process and provides more precise control over the data shared between the parent and child processes. Newer system call.""" . d3f:LinuxClone3ArgumentCLONE_THREAD a owl:Class ; rdfs:label "Linux Clone3 Argument CLONE_THREAD" ; rdfs:subClassOf d3f:OSAPICreateThread ; rdfs:isDefinedBy ; d3f:definition "A flag parameter to the Clone3 syscall. If set, the child is placed in the same thread group as the calling process." . d3f:LinuxCloneArgumentCLONE_THREAD a owl:Class ; rdfs:label "Linux Clone Argument CLONE_THREAD" ; rdfs:subClassOf d3f:OSAPICreateThread ; rdfs:isDefinedBy ; d3f:definition "A flag parameter to the Clone syscall. If set, the child is placed in the same thread group as the calling process." . d3f:LinuxConnect a owl:Class ; rdfs:label "Linux Connect" ; rdfs:subClassOf d3f:OSAPIConnectSocket ; rdfs:isDefinedBy ; d3f:definition "Initiate a connection on a socket." . d3f:LinuxCreat a owl:Class ; rdfs:label "Linux Creat" ; rdfs:subClassOf d3f:OSAPICreateFile ; rdfs:isDefinedBy ; d3f:definition "Equivalent to calling Linux Open with flags equal to O_CREAT|O_WRONLY|O_TRUNC." . d3f:LinuxDeleteModule a owl:Class ; rdfs:label "Linux Delete Module" ; rdfs:subClassOf d3f:OSAPIUnloadModule ; rdfs:isDefinedBy ; d3f:definition "Attempts to remove the unused loadable module entry identified by name. If the module has an exit function, then that function is executed before unloading the module." . d3f:LinuxExecve a owl:Class ; rdfs:label "Linux Execve" ; rdfs:subClassOf d3f:OSAPIExec ; rdfs:isDefinedBy ; d3f:definition "Executes a program by replacing the calling process with a new program, with newly initialized stack, heap, and (initialized and uninitialized) data segments. The PID stays the same." . d3f:LinuxExecveat a owl:Class ; rdfs:label "Linux Execveat" ; rdfs:subClassOf d3f:OSAPIExec ; rdfs:isDefinedBy ; d3f:definition "Execute program relative to a directory file descriptor. Behavior is similar to Linux Execve." . d3f:LinuxFork a owl:Class ; rdfs:label "Linux Fork" ; rdfs:subClassOf d3f:OSAPICreateProcess ; rdfs:isDefinedBy ; d3f:definition "Creates a child process with unique PID but retains parent PID as Parent Process Identifier (PPID)." . d3f:LinuxInitModule a owl:Class ; rdfs:label "Linux Init_Module" ; rdfs:subClassOf d3f:OSAPILoadModule ; rdfs:isDefinedBy ; d3f:definition "Loads an ELF image into kernel space, performs any necessary symbol relocations, initializes module parameters to values provided by the caller, and then runs the module's init function." . d3f:LinuxKillArgumentSIGKILL a owl:Class ; rdfs:label "Linux Kill Argument SIGKILL" ; rdfs:subClassOf d3f:OSAPITerminateProcess ; rdfs:isDefinedBy ; d3f:definition "Send SIGKILL signal to a process." . d3f:LinuxMmap a owl:Class ; rdfs:label "Linux Mmap" ; rdfs:subClassOf d3f:OSAPIAllocateMemory ; rdfs:isDefinedBy ; d3f:definition "Map files or devices into memory." . d3f:LinuxMmap2 a owl:Class ; rdfs:label "Linux Mmap2" ; rdfs:subClassOf d3f:OSAPIAllocateMemory ; rdfs:isDefinedBy ; d3f:definition "Map files or devices into memory." . d3f:LinuxMunmap a owl:Class ; rdfs:label "Linux Munmap" ; rdfs:subClassOf d3f:OSAPIFreeMemory ; rdfs:isDefinedBy ; d3f:definition "Unmap files or devices from memory." . d3f:LinuxOpenArgumentO_CREAT a owl:Class ; rdfs:label "Linux Open Argument O_CREAT" ; rdfs:subClassOf d3f:OSAPICreateFile ; rdfs:isDefinedBy ; d3f:definition "Create a regular file." . d3f:LinuxOpenArgumentO_RDONLY-O_WRONLY-O_RDWR a owl:Class ; rdfs:label "Linux Open Argument O_RDONLY, O_WRONLY, O_RDWR" ; rdfs:subClassOf d3f:OSAPIOpenFile ; rdfs:isDefinedBy ; d3f:definition "Opens a file specified by pathname." . d3f:LinuxOpenAt2ArgumentO_CREAT a owl:Class ; rdfs:label "Linux OpenAt2 Argument O_CREAT" ; rdfs:subClassOf d3f:OSAPICreateFile ; rdfs:isDefinedBy ; d3f:definition "Create a regular file. Extension of Linux Openat." . d3f:LinuxOpenAt2ArgumentO_RDONLY-O_WRONLY-O_RDWR a owl:Class ; rdfs:label "Linux OpenAt2 Argument O_RDONLY, O_WRONLY, O_RDWR" ; rdfs:subClassOf d3f:OSAPIOpenFile ; rdfs:isDefinedBy ; d3f:definition "Extension of Linux Openat." . d3f:LinuxOpenAtArgumentO_CREAT a owl:Class ; rdfs:label "Linux OpenAt Argument O_CREAT" ; rdfs:subClassOf d3f:OSAPICreateFile ; rdfs:isDefinedBy ; d3f:definition "Create a regular file. Same functionality as Linux Open but slight differences in parameter." . d3f:LinuxOpenAtArgumentO_RDONLY-O_WRONLY-O_RDWR a owl:Class ; rdfs:label "Linux OpenAt Argument O_RDONLY, O_WRONLY, O_RDWR" ; rdfs:subClassOf d3f:OSAPIOpenFile ; rdfs:isDefinedBy ; d3f:definition "Same functionality as Linux Open but slight differences in parameter." . d3f:LinuxPauseProcess a owl:Class ; rdfs:label "Linux Pause Process" ; rdfs:subClassOf d3f:OSAPISuspendProcess ; rdfs:isDefinedBy ; d3f:definition "Causes the calling process to sleep until a signal is delivered that either terminates the process or causes the invocation of a signal-catching function." . d3f:LinuxPauseThread a owl:Class ; rdfs:label "Linux Pause Thread" ; rdfs:subClassOf d3f:OSAPISuspendThread ; rdfs:isDefinedBy ; d3f:definition "Causes the calling thread to sleep until a signal is delivered that either terminates the thread or causes the invocation of a signal-catching function." . d3f:LinuxPtraceArgumentPTRACE_DETACH a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_DETACH" ; rdfs:subClassOf d3f:OSAPIResumeProcess ; rdfs:isDefinedBy ; d3f:definition "Restart the stopped tracee as for PTRACE_CONT, but first detach from it." . d3f:LinuxPtraceArgumentPTRACE_TRACEME a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_TRACEME" ; rdfs:subClassOf d3f:OSAPITraceProcess ; rdfs:isDefinedBy ; d3f:definition "Indicates that the process is to be traced by its parent." . d3f:LinuxPtraceArgumentPTRACEATTACH a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_ATTACH" ; rdfs:subClassOf d3f:OSAPIAccessProcess ; rdfs:isDefinedBy ; d3f:definition "Attach to the process specified in pid, making it a tracee of the calling process." . d3f:LinuxPtraceArgumentPTRACECONT a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_CONT" ; rdfs:subClassOf d3f:OSAPIResumeProcess ; rdfs:isDefinedBy ; d3f:definition "Restart the stopped tracee process." . d3f:LinuxPtraceArgumentPTRACEGETREGS a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_GETREGS" ; rdfs:subClassOf d3f:OSAPISaveRegisters ; rdfs:isDefinedBy ; d3f:definition "Copy the tracee's general-purpose or floating-point registers, respectively, to the address data in the tracer." . d3f:LinuxPtraceArgumentPTRACEINTERRUPT a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_INTERRUPT" ; rdfs:subClassOf d3f:OSAPISuspendProcess ; rdfs:isDefinedBy ; d3f:definition "Stops a tracee." . d3f:LinuxPtraceArgumentPTRACEPEEKTEXT a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_PEEKTEXT" ; rdfs:subClassOf d3f:OSAPIReadMemory ; rdfs:isDefinedBy ; d3f:definition "Read a word at the address addr in the tracee's memory, returning the word as the result of the ptrace() call." . d3f:LinuxPtraceArgumentPTRACEPOKETEXT a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_POKETEXT" ; rdfs:subClassOf d3f:OSAPIWriteMemory ; rdfs:isDefinedBy ; d3f:definition "Copy the word data to the address addr in the tracee's memory." . d3f:LinuxPtraceArgumentPTRACESETREGS a owl:Class ; rdfs:label "Linux Ptrace Argument PTRACE_SETREGS" ; rdfs:subClassOf d3f:OSAPISetRegisters ; rdfs:isDefinedBy ; d3f:definition "Modify the tracee's general-purpose or floating-point registers, respectively, from the address data in the tracer." . d3f:LinuxRead a owl:Class ; rdfs:label "Linux Read" ; rdfs:subClassOf d3f:OSAPIReadFile ; rdfs:isDefinedBy ; d3f:definition "Read from a file descriptor." . d3f:LinuxReadv a owl:Class ; rdfs:label "Linux Readv" ; rdfs:subClassOf d3f:OSAPIReadFile ; rdfs:isDefinedBy ; d3f:definition "Read data into multiple buffers." . d3f:LinuxRename a owl:Class ; rdfs:label "Linux Rename" ; rdfs:subClassOf d3f:OSAPIMoveFile ; rdfs:isDefinedBy ; d3f:definition "Change the name or location of a file." . d3f:LinuxRenameat a owl:Class ; rdfs:label "Linux Renameat" ; rdfs:subClassOf d3f:OSAPIMoveFile ; rdfs:isDefinedBy ; d3f:definition "Change the name or location of a file. Different parameter handling than Linux Rename." . d3f:LinuxRenameat2 a owl:Class ; rdfs:label "Linux Renameat2" ; rdfs:subClassOf d3f:OSAPIMoveFile ; rdfs:isDefinedBy ; d3f:definition "Change the name or location of a file. Additional flags argument." . d3f:LinuxSocket a owl:Class ; rdfs:label "Linux Socket" ; rdfs:subClassOf d3f:OSAPICreateSocket ; rdfs:isDefinedBy ; d3f:definition "Create an endpoint for communication." . d3f:LinuxSocketcallArgumentSYS_CONNECT a owl:Class ; rdfs:label "Linux Socketcall Argument SYS_CONNECT" ; rdfs:subClassOf d3f:OSAPIConnectSocket ; rdfs:isDefinedBy . d3f:LinuxSocketcallArgumentSYS_SOCKET a owl:Class ; rdfs:label "Linux Socketcall Argument SYS_SOCKET" ; rdfs:subClassOf d3f:OSAPICreateSocket ; rdfs:isDefinedBy . d3f:LinuxTime a owl:Class ; rdfs:label "Linux Time" ; rdfs:subClassOf d3f:OSAPIGetSystemTime ; rdfs:isDefinedBy ; d3f:definition "Get time in seconds." . d3f:LinuxUnlink a owl:Class ; rdfs:label "Linux Unlink" ; rdfs:subClassOf d3f:OSAPIDeleteFile ; rdfs:isDefinedBy ; d3f:definition "Delete a name and possibly the file it refers to." . d3f:LinuxUnlinkat a owl:Class ; rdfs:label "Linux Unlinkat" ; rdfs:subClassOf d3f:OSAPIDeleteFile ; rdfs:isDefinedBy ; d3f:definition "Delete a name and possibly the file it refers to. Different parameter handling than Linux Unlink" . d3f:LinuxVfork a owl:Class ; rdfs:label "Linux Vfork" ; rdfs:subClassOf d3f:OSAPICreateProcess ; rdfs:isDefinedBy ; d3f:definition "Create child process that temp suspends parent process until it terminates." . d3f:LinuxWrite a owl:Class ; rdfs:label "Linux Write" ; rdfs:subClassOf d3f:OSAPIWriteFile ; rdfs:isDefinedBy ; d3f:definition "Write to a file descriptor." . d3f:LinuxWritev a owl:Class ; rdfs:label "Linux Writev" ; rdfs:subClassOf d3f:OSAPIWriteFile ; rdfs:isDefinedBy ; d3f:definition "Write data into multiple buffers." . d3f:LM-0001 a owl:Class ; rdfs:label "Hosted Payload - SPARTA" ; skos:prefLabel "Hosted Payload" ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; d3f:attack-id "LM-0001" ; d3f:definition "The adversary pivots through the host–payload boundary to reach additional subsystems. Hosted payloads exchange power, time, housekeeping, and data with the bus via defined gateways (e.g., SpaceWire, 1553, Ethernet) and often support file services, table loads, and command dictionaries distinct from the host’s. A foothold on the payload can be used to inject traffic through the gateway processor, request privileged services (time/ephemeris distribution, firmware loads), or ride shared backplanes where payload traffic is bridged into C&DH networks. In some designs, payload processes execute on host compute or expose maintenance modes that temporarily widen access, creating paths from the payload into attitude, power, storage, or recorder resources. The movement is transitive: compromise a co-resident unit, then traverse the trusted interface that already exists for mission operations." ; rdfs:seeAlso . d3f:LM-0002 a owl:Class ; rdfs:label "Exploit Lack of Bus Segregation - SPARTA" ; skos:prefLabel "Exploit Lack of Bus Segregation" ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; d3f:attack-id "LM-0002" ; d3f:definition "On flat architectures, where remote terminals, subsystems, and payloads share a common bus with minimal partitioning, any node that can transmit may influence many others. An attacker leverages this by forging message IDs or terminal addresses, replaying actuator/sensor frames, seizing or imitating bus-controller roles, or abusing gateway bridges that forward traffic between links (e.g., 1553↔SpaceWire/CAN). Because consumers often act on the latest valid-looking message, crafted traffic from one compromised device can reconfigure peers, toggle power domains, or write persistent parameters. Weak role enforcement and broadcast semantics allow privilege escalation from a peripheral to effective system-wide influence, turning the shared medium into a highway for further compromise." ; rdfs:seeAlso . d3f:LM-0003 a owl:Class ; rdfs:label "Constellation Hopping via Crosslink - SPARTA" ; skos:prefLabel "Constellation Hopping via Crosslink" ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; d3f:attack-id "LM-0003" ; d3f:definition "In networks where vehicles exchange data over inter-satellite links, a compromise on one spacecraft becomes a springboard to others. The attacker crafts crosslink traffic, routing updates, service advertisements, time/ephemeris distribution, file or tasking messages, that appears to originate from a trusted neighbor and targets gateway functions that bridge crosslink traffic into command/data paths. Once accepted, those messages can queue procedures, deliver configuration/table edits, or open file transfer sessions on adjacent vehicles. In mesh or hub-and-spoke constellations, this enables “hop-by-hop” spread: a single foothold uses shared trust and protocol uniformity to reach additional satellites without contacting the ground segment." ; rdfs:seeAlso . d3f:LM-0004 a owl:Class ; rdfs:label "Visiting Vehicle Interface(s) - SPARTA" ; skos:prefLabel "Visiting Vehicle Interface(s)" ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; d3f:attack-id "LM-0004" ; d3f:definition "Docking, berthing, or short-duration attach events create high-trust, high-bandwidth connections between vehicles. During these operations, automatic sequences verify latches, exchange status, synchronize time, and enable umbilicals that carry data and power; maintenance tools may also push firmware or tables across the interface. An attacker positioned on the visiting vehicle can exploit these handshakes and service channels to inject commands, transfer files, or access bus gateways on the host. Because many actions are expected “just after dock,” malicious traffic can ride the same procedures that commission the interface, allowing lateral movement from the visiting craft into the target spacecraft’s C&DH, payload, or support subsystems." ; rdfs:seeAlso . d3f:LM-0005 a owl:Class ; rdfs:label "Virtualization Escape - SPARTA" ; skos:prefLabel "Virtualization Escape" ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; d3f:attack-id "LM-0005" ; d3f:definition "The adversary pivots across partitions by abusing the mechanisms a separation kernel or hypervisor exposes for inter-partition communication and device sharing. Paths include message ports/queues, shared-memory windows, virtual NICs and bridges, hypercalls, and common driver backends (e.g., storage or DMA engines without strict IOMMU bounds). A foothold in a less-trusted partition, often a payload or guest OS, can be turned into access to a higher-privilege domain by crafting traffic that exploits parser flaws in port services, racing management channels, or coercing backend drivers to perform out-of-bounds operations. Once the boundary is crossed, the actor can reach bus gateways, file systems, or control applications hosted in adjacent partitions and continue movement under the guise of permitted inter-partition exchanges." ; rdfs:seeAlso . d3f:LM-0006 a owl:Class ; rdfs:label "Launch Vehicle Interface - SPARTA" ; skos:prefLabel "Launch Vehicle Interface" ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; d3f:attack-id "LM-0006" ; d3f:definition "During integration and ascent, payloads and the launch vehicle exchange power, discrete lines, and data via umbilicals, separation avionics, and shared EGSE networks. Protections can be reduced or heterogeneous because timelines are tight and responsibilities cross organizations. An attacker positioned on either side (vehicle or payload) can use these commissioning links, health/status queries, time distribution, inhibit lines, separation commands, or telemetry gateways, to inject messages, transfer files, or alter configuration that propagates across the interface. Before fairing close and prior to separation, this brief but high-trust coupling provides a route to move from one platform to the other and to seed artifacts that persist after deployment." ; rdfs:seeAlso . d3f:LM-0006.01 a owl:Class ; rdfs:label "Rideshare Payload - SPARTA" ; skos:prefLabel "Rideshare Payload" ; rdfs:subClassOf d3f:LM-0006 ; d3f:attack-id "LM-0006.01" ; d3f:definition "In shared launches, multiple independent payloads cohabit common infrastructure until separation. If isolation is incomplete (e.g., shared data buses, mispartitioned deployer controllers, common logging/telemetry collectors, or cross-connected laptops and recorders), a compromise in one payload’s domain can be leveraged to observe or influence another’s traffic before release. Threat actors exploit these transient but real connections to read configuration, pivot through deployer control paths, or stage data/commands that execute as neighboring payloads power and check out, enabling cross-payload access or tampering prior to independent flight." ; rdfs:seeAlso . d3f:LM-0007 a owl:Class ; rdfs:label "Credentialed Traversal - SPARTA" ; skos:prefLabel "Credentialed Traversal" ; rdfs:subClassOf d3f:SPARTALateralMovementTechnique ; d3f:attack-id "LM-0007" ; d3f:definition "Movement is achieved by reusing legitimate credentials and keys to cross boundaries that rely on trust rather than strict isolation. Using operator or service accounts, maintenance logins, station certificates, or spacecraft-recognized crypto, the adversary invokes gateways that bridge domains, C&DH to payload, crosslink routers to onboard networks, or constellation management planes to individual vehicles. Because the traversal occurs through approved interfaces (file services, table loaders, remote procedure calls, crosslink tasking), actions appear as routine operations while reaching progressively more privileged subsystems or neighboring spacecraft. Where roles and scopes are broad or reused, the same credential opens multiple enclaves, turning authorization itself into the lateral path." ; rdfs:seeAlso . d3f:LoadLibraryEvent a owl:Class ; rdfs:label "Load Library Event" ; rdfs:subClassOf d3f:ProcessEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:SharedLibraryFile ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ProcessCreationEvent ] ; d3f:definition "An event where a process dynamically loads a library or module into its memory space, extending its capabilities." ; rdfs:seeAlso . d3f:LoadModule a owl:Class, owl:NamedIndividual ; rdfs:label "Load Module" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:loads ; owl:someValuesFrom d3f:HardwareDriver ], [ a owl:Restriction ; owl:onProperty d3f:loads ; owl:someValuesFrom d3f:KernelModule ] ; d3f:definition "A system call that loads a driver or extension into the kernel." ; d3f:loads d3f:HardwareDriver, d3f:KernelModule . d3f:LocalAccountMonitoring a d3f:LocalAccountMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Local Account Monitoring" ; rdfs:subClassOf d3f:UserBehaviorAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:LocalUserAccount ] ; d3f:analyzes d3f:LocalUserAccount ; d3f:d3fend-id "D3-LAM" ; d3f:definition "Analyzing local user accounts to detect unauthorized activity." ; d3f:kb-reference d3f:Reference-AuditUserAccountManagement, d3f:Reference-CAR-2016-04-004_SuccessfulLocalAccountLogin, d3f:Reference-OSQueryWindowsUserCollectionCode . d3f:LocalAreaNetwork a owl:Class, owl:NamedIndividual ; rdfs:label "Local Area Network" ; skos:altLabel "LAN" ; rdfs:subClassOf d3f:Network, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:Host ] ; rdfs:isDefinedBy ; d3f:definition "A local area network (LAN) is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, university campus or office building and has its network equipment and interconnects locally managed. Ethernet and Wi-Fi are the two most common transmission technologies in use for local area networks. Historical technologies include ARCNET, Token ring, and AppleTalk." ; d3f:may-contain d3f:Host . d3f:LocalAreaNetworkAttacker a owl:Class ; rdfs:label "Local Area Network Attacker" ; rdfs:subClassOf d3f:LocalAttacker, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:LocalAreaNetwork ] ; d3f:definition "An attacker who exploits vulnerabilities within the same local area network." ; d3f:synonym "LAN Attacker" . d3f:LocalAreaNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Local Area Network Traffic" ; rdfs:subClassOf d3f:IntranetNetworkTraffic ; d3f:definition "Intranet local area network (LAN) traffic is network traffic that does not cross a given network's boundaries; where that network is defined as a LAN." ; rdfs:seeAlso . d3f:LocalAttacker a owl:Class ; rdfs:label "Local Attacker" ; rdfs:subClassOf d3f:Attacker ; d3f:definition "An attacker who is physically near or on the premises of the target network or systems." . d3f:LocalAuthenticationService a owl:Class, owl:NamedIndividual ; rdfs:label "Local Authentication Service" ; rdfs:subClassOf d3f:AuthenticationService, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:LocalUserAccount ] ; d3f:authenticates d3f:LocalUserAccount ; d3f:definition "A local authentication service running on a host can authenticate a user logged into just that local host computer." . d3f:LocalAuthorizationService a owl:Class, owl:NamedIndividual ; rdfs:label "Local Authorization Service" ; rdfs:subClassOf d3f:AuthorizationService, [ a owl:Restriction ; owl:onProperty d3f:authorizes ; owl:someValuesFrom d3f:LocalUserAccount ] ; d3f:authorizes d3f:LocalUserAccount ; d3f:definition "A local authorization service running on a host can authorize a user logged into just that local host computer." . d3f:LocalFileAccessMediation a d3f:LocalFileAccessMediation, owl:Class, owl:NamedIndividual ; rdfs:label "Local File Access Mediation" ; rdfs:subClassOf d3f:SystemCallFiltering, [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:OpenFile ] ; rdfs:comment "Replaces d3-LFP" ; d3f:d3fend-id "D3-LFAM" ; d3f:definition "Local file access mediation is the process of an operating system granting or denying a specific access request to a local file." ; d3f:filters d3f:OpenFile ; d3f:kb-reference d3f:Reference-FileAndFolderPermissions ; d3f:synonym "Local File Access Control" . d3f:LocalFilePermissions a d3f:LocalFilePermissions, owl:Class, owl:NamedIndividual ; rdfs:label "Local File Permissions" ; rdfs:subClassOf d3f:AccessPolicyAdministration, [ a owl:Restriction ; owl:onProperty d3f:restricts ; owl:someValuesFrom d3f:Directory ], [ a owl:Restriction ; owl:onProperty d3f:restricts ; owl:someValuesFrom d3f:File ] ; d3f:d3fend-id "D3-LFP" ; d3f:definition "Local file permissions is the systematic process of defining, implementing, and managing access control policies that dictate user permissions for accessing files on a local system through the configuration of operating system functionality." ; d3f:kb-reference d3f:Reference-FileAndFolderPermissions ; d3f:restricts d3f:Directory, d3f:File . d3f:LocalResource a owl:Class, owl:NamedIndividual ; rdfs:label "Local Resource" ; skos:altLabel "System Resource" ; rdfs:subClassOf d3f:Resource ; d3f:definition "In computing, a system resource, or simply resource, is any physical or virtual component of limited availability within a computer system. Every device connected to a computer system is a resource. Every internal system component is a resource. Virtual system resources include files (concretely file handles), network connections (concretely network sockets), and memory areas. Managing resources is referred to as resource management, and includes both preventing resource leaks (releasing a resource when a process has finished using it) and dealing with resource contention (when multiple processes wish to access a limited resource)." ; rdfs:seeAlso . d3f:LocalResourceAccess a owl:Class, owl:NamedIndividual ; rdfs:label "Local Resource Access" ; skos:altLabel "Endpoint Resource Access" ; rdfs:subClassOf d3f:ResourceAccess, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:LocalResource ] ; d3f:accesses d3f:LocalResource ; d3f:definition "Ephemeral digital artifact comprising a request of a local resource and any response from that resource." . d3f:LocalUserAccount a owl:Class, owl:NamedIndividual ; rdfs:label "Local User Account" ; rdfs:subClassOf d3f:UserAccount ; d3f:definition "A user account on a given host is a local user account for that specific host." . d3f:Log a owl:Class, owl:NamedIndividual ; rdfs:label "Log" ; skos:altLabel "Chronology" ; rdfs:subClassOf d3f:D3FENDCore, d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A record of events in the order of their occurrence." ; rdfs:seeAlso . d3f:LogFile a owl:Class, owl:NamedIndividual ; rdfs:label "Log File" ; rdfs:subClassOf d3f:File, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Log ] ; rdfs:isDefinedBy ; d3f:contains d3f:Log ; d3f:definition """A log file is a file that records either events that occur in an operating system or other software runs, or messages between different users of a communication software. Logging is the act of keeping a log. In the simplest case, messages are written to a single log file. A transaction log is a file (i.e., log) of the communications between a system and the users of that system, or a data collection method that automatically captures the type, content, or time of transactions made by a person from a terminal with that system. For Web searching, a transaction log is an electronic record of interactions that have occurred during a searching episode between a Web search engine and users searching for information on that Web search engine. Many operating systems, software frameworks and programs include a logging system. A widely used logging standard is syslog, defined in Internet Engineering Task Force (IETF) RFC 5424). The syslog standard enables a dedicated, standardized subsystem to generate, filter, record, and analyze log messages. This relieves software developers of having to design and code their own ad hoc logging systems.""" ; rdfs:seeAlso . d3f:LogicalLink a owl:Class, owl:NamedIndividual ; rdfs:label "Logical Link" ; rdfs:subClassOf d3f:Link ; d3f:definition "A Logical Link is an abstract or virtual connection between two entities that facilitates communication or data exchange without requiring a direct physical connection." . d3f:LogicalLinkMapping a d3f:LogicalLinkMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Logical Link Mapping" ; rdfs:subClassOf d3f:NetworkMapping, [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:LogicalLink ], [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:Network ], [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:NetworkNode ] ; d3f:d3fend-id "D3-LLM" ; d3f:definition "Logical link mapping creates a model of existing or previous node-to-node connections using network-layer data or metadata." ; d3f:kb-reference d3f:Reference-LibreNMSDocsNetworkMapExtension ; d3f:maps d3f:LogicalLink, d3f:Network, d3f:NetworkNode . d3f:LogicalRules a owl:Class, owl:NamedIndividual ; rdfs:label "Logical Rules" ; rdfs:subClassOf d3f:SymbolicLogic ; d3f:d3fend-id "D3A-LR" ; d3f:definition "A logical rule matches event data or set of values to a conditional expression and results in the determination of a truth value, which may be used to determine the next action or step to take." ; d3f:kb-article """## How it works Logic rules define a set of patterns that in some patterns must match input data. If the the conditions are met, then the rule will "fire" and some action will be taken, usually notifying a person or another system that the event being monitored needs further processing or attention. ## Key Test Considerations - **Performance (Accuracy)** Identify instances in data where rule is expected to be triggered. Implement traceability and metrics for individual rule performance. Traceability of cases could be implemented as unit tests or as part of a fine-grained classification performance platform. For simple rule-based matching systems with many rules, individual rules may be unused or may create unusually high false positives (or false negatives relative to expectation. - **Performance (Computational)** Generate model performance measures (see Classification Performance Measures), esp. a confusion matrix for each rule and identify outliers and relative contribution of rule to overall performance. ## References 1. Event condition action. (2019, Nov 21). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Event_condition_action). 2. Business rule. (2023, April 10). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Business_rule). 3. YARA. (2023, June 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/YARA).""" . d3f:LogicProgramming a owl:Class, owl:NamedIndividual ; rdfs:label "Logic Programming" ; rdfs:subClassOf d3f:SymbolicAI ; d3f:d3fend-id "D3A-LP" ; d3f:definition "Logic programming is a programming paradigm which is largely based on formal logic." ; d3f:kb-article """## How it works Any program written in a logic programming language is a set of sentences in logical form, expressing facts and rules about some problem domain. Major logic programming language families include Prolog, answer set programming (ASP) and Datalog. In all of these languages, rules are written in the form of clauses: H :- B_1, ..., B_n. ## References 1. Logic programming. (2023, May 29). In _Wikipedia_. [Link]( https://en.wikipedia.org/wiki/Logic_programming)""" . d3f:LoginSession a owl:Class, owl:NamedIndividual ; rdfs:label "Login Session" ; skos:altLabel "Logon Session" ; rdfs:subClassOf d3f:Session ; rdfs:isDefinedBy ; d3f:definition "In computing, a login session is the period of activity between a user logging in and logging out of a (multi-user) system. This includes local login sessions, where a user has direct physical access to a computer, as well as domain login sessions, where a user logs into a computer that is part of a network domain." ; rdfs:seeAlso . d3f:LogisticRegression a owl:Class, owl:NamedIndividual ; rdfs:label "Logistic Regression" ; rdfs:subClassOf d3f:RegressionAnalysis ; d3f:d3fend-id "D3A-LR" ; d3f:definition "Logistic regression is estimating the parameters of a logistic model." ; d3f:kb-article """## References Wikipedia. (n.d.). Logistic regression. [Link](https://en.wikipedia.org/wiki/Logistic_regression)""" . d3f:LogististicRegressionLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Logistic Regression Learning" ; rdfs:subClassOf d3f:RegressionAnalysisLearning ; d3f:d3fend-id "D3A-LRL" ; d3f:definition "A supervised learning method that builds a logistic regression model using training data." ; d3f:kb-article """## References Wikipedia. (n.d.). Logistic regression. [Link](https://en.wikipedia.org/wiki/Logistic_regression)""" ; rdfs:seeAlso d3f:LogisticRegression . d3f:LogMessageFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Log Message Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:DigitalEventRecord ] ; d3f:definition "Produces an entry in a log." ; d3f:produces d3f:DigitalEventRecord . d3f:LogoffEvent a owl:Class ; rdfs:label "Logoff Event" ; rdfs:subClassOf d3f:AuthenticationEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Session ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:LogonEvent ] ; d3f:definition "An authentication event where an active session is conclusively terminated, resulting in the cessation of access and deallocation of resources associated with the session, ensuring that the connection to the system, application, or resource no longer exists." . d3f:LogonEvent a owl:Class ; rdfs:label "Logon Event" ; rdfs:subClassOf d3f:AuthenticationEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Session ] ; d3f:definition "An authentication event where a new session is initiated, signifying the successful validation of credentials and establishment of an authorized connection to a system, application, or resource. This marks the beginning of the subject’s authenticated interaction with the system." . d3f:LogonUser a owl:Class, owl:NamedIndividual ; rdfs:label "Logon User" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:UserAccount ] ; d3f:authenticates d3f:UserAccount . d3f:LongShort-termMemory a owl:Class, owl:NamedIndividual ; rdfs:label "Long Short-term Memory" ; rdfs:subClassOf d3f:RecurrentNeuralNetwork ; d3f:d3fend-id "D3A-LSTM" ; d3f:definition "Unlike standard feedforward neural networks, LSTM has feedback connections. Such a recurrent neural network (RNN) can process not only single data points (such as images), but also entire sequences of data (such as speech or video). This characteristic makes LSTM networks ideal for processing and predicting data" ; d3f:kb-article """## References Wikipedia. (2021, September 29). Long short-term memory. [Link](https://en.wikipedia.org/wiki/Long_short-term_memory)""" . d3f:MACAddress a owl:Class, owl:NamedIndividual ; rdfs:label "MAC Address" ; rdfs:subClassOf d3f:Identifier, [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:NetworkInterfaceCard ] ; rdfs:isDefinedBy ; d3f:definition "A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment." ; d3f:identifies d3f:NetworkInterfaceCard . d3f:MachineLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Machine Learning" ; rdfs:subClassOf d3f:AnalyticTechnique ; d3f:d3fend-id "D3A-ML" ; d3f:definition "Machine learning techniques are computational methods that combine statistics, probability, and optimization to make accurate predictions and/or improve performance." ; d3f:kb-article """## References Machine learning." Wikipedia. [Link](https://en.wikipedia.org/wiki/Machine_learning).""" . d3f:MacOSKeychain a owl:Class, owl:NamedIndividual ; rdfs:label "MacOS Keychain" ; skos:altLabel "Keychain" ; rdfs:subClassOf d3f:PasswordStore ; rdfs:isDefinedBy ; d3f:definition "Keychain is the password management system in macOS, developed by Apple. It was introduced with Mac OS 8.6, and has been included in all subsequent versions of the operating system, now known as macOS. A Keychain can contain various types of data: passwords (for websites, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, encrypted disk images), private keys, certificates, and secure notes." . d3f:MailNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Mail Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Email ] ; d3f:contains d3f:Email ; d3f:definition "Mail traffic is network traffic that uses a standard mail transfer protocol." . d3f:MailServer a owl:Class, owl:NamedIndividual ; rdfs:label "Mail Server" ; skos:altLabel "Email Server Resource", "Mail Exchanger", "Mail transfer agent", "Message transfer agent", "MTA", "MX Host" ; rdfs:subClassOf d3f:Server, [ a owl:Restriction ; owl:onProperty d3f:runs ; owl:someValuesFrom d3f:MessageTransferAgent ] ; rdfs:isDefinedBy ; d3f:definition "Within the Internet email system, a message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using SMTP. The terms mail server, mail exchanger, and MX host are also used in some contexts. Messages exchanged across networks are passed between mail servers, including any attached data files (such as images, multimedia or documents). These servers also often keep mailboxes for email. Access to this email by end users is typically either via webmail or an email client." ; d3f:runs d3f:MessageTransferAgent . d3f:MailService a owl:Class ; rdfs:label "Mail Service" ; skos:altLabel "Email Service" ; rdfs:subClassOf d3f:NetworkService ; d3f:definition "A mail service provides the ability to send and receive mail across a computer network. The mail service runs on message transfer agents (i.e., mail servers) and is accessed by users through an email client." ; rdfs:seeAlso , . d3f:Matching a owl:Class ; rdfs:label "Matching" ; rdfs:subClassOf d3f:AnalyticalPurpose . d3f:MathematicalFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Mathematical Function" ; rdfs:subClassOf d3f:Subroutine ; d3f:definition "Computes mathematical expressions." . d3f:Maximum-marginLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Maximum-margin Learning" ; rdfs:subClassOf d3f:IntrinsicallySemi-supervisedLearning ; d3f:d3fend-id "D3A-MML" ; d3f:definition "Maximum-margin classifiers attempt to maximize the distance between the given data points and the decision boundary" ; d3f:kb-article """## References Engelen, S., & Hoos, H. (2020). A survey on semi-supervised learning. Machine Learning, 109(2), 299-337. [Link](https://link.springer.com/article/10.1007/s10994-019-05855-6). Support Vector Machines for Machine Learning. [Link](https://machinelearningmastery.com/support-vector-machines-for-machine-learning/#:~:text=The%20distance%20between%20the%20line,called%20the%20Maximal%2DMargin%20hyperplane.)""" . d3f:Mean a owl:Class, owl:NamedIndividual ; rdfs:label "Mean" ; rdfs:subClassOf d3f:CentralTendency ; d3f:d3fend-id "D3A-MEA" ; d3f:definition "The sum of all measurements divided by the number of observations in the data set." ; d3f:kb-article """## References Wikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)""" . d3f:MeanAbsoluteDeviation a owl:Class, owl:NamedIndividual ; rdfs:label "Mean Absolute Deviation" ; rdfs:subClassOf d3f:AverageAbsoluteDeviation ; d3f:d3fend-id "D3A-MAD" ; d3f:definition "The mean absolute deviation (MAD), also referred to as the \"mean deviation\" or sometimes \"average absolute deviation\", is the mean of the data's absolute deviations around the data's mean: the average (absolute) distance from the mean." ; d3f:kb-article """## References Wikipedia. (n.d.). Average absolute deviation. [Link](https://en.wikipedia.org/wiki/Average_absolute_deviation)""" ; d3f:synonym "MAD" . d3f:MediaGeneration a owl:Class ; rdfs:label "Media Generation" ; rdfs:subClassOf d3f:Generation ; owl:disjointWith d3f:Simulation . d3f:Median a owl:Class, owl:NamedIndividual ; rdfs:label "Median" ; rdfs:subClassOf d3f:CentralTendency ; d3f:d3fend-id "D3A-MED" ; d3f:definition "The middle value that separates the higher half from the lower half of the data set. The median and the mode are the only measures of central tendency that can be used for ordinal data, in which values are ranked relative to each other but are not measured absolutely." ; d3f:kb-article """## References Wikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)""" . d3f:MedianAbsoluteDeviation a owl:Class, owl:NamedIndividual ; rdfs:label "Median Absolute Deviation" ; rdfs:subClassOf d3f:AverageAbsoluteDeviation ; d3f:d3fend-id "D3A-MAD" ; d3f:definition "The median absolute deviation (also MAD) is the median of the absolute deviation from the median." ; d3f:kb-article """## References Wikipedia. (n.d.). Average absolute deviation. [Link](https://en.wikipedia.org/wiki/Average_absolute_deviation)""" . d3f:MediaServer a owl:Class ; rdfs:label "Media Server" ; rdfs:subClassOf d3f:Server ; rdfs:isDefinedBy ; d3f:definition "A media server is a computer appliance or an application software that stores digital media (video, audio or images) and makes it available over a network. Media servers range from servers that provide video on demand to smaller personal computers or NAS (Network Attached Storage) for the home." . d3f:MemoryAddress a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Address" ; rdfs:subClassOf d3f:DigitalInformation, [ a owl:Restriction ; owl:onProperty d3f:addresses ; owl:someValuesFrom d3f:MemoryWord ] ; rdfs:isDefinedBy ; d3f:addresses d3f:MemoryWord ; d3f:definition "In computing, a memory address is a reference to a specific memory location used at various levels by software and hardware." . d3f:MemoryAddressSpace a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Address Space" ; rdfs:subClassOf d3f:AddressSpace, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:MemoryAddress ] ; d3f:contains d3f:MemoryAddress ; d3f:definition "A memory address space is a space containing memory addresses." . d3f:MemoryAllocationEvent a owl:Class ; rdfs:label "Memory Allocation Event" ; rdfs:subClassOf d3f:MemoryEvent ; d3f:definition "An event representing the allocation of memory resources to a process, providing it with the capacity to store data or execute instructions." . d3f:MemoryAllocationFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Allocation Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:AllocateMemory ] ; d3f:definition "Reserves memory for a running process to use." ; d3f:invokes d3f:AllocateMemory . d3f:MemoryBlock a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Block" ; rdfs:subClassOf d3f:MemoryExtent, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:MemoryWord ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:Record ] ; rdfs:isDefinedBy ; d3f:contains d3f:MemoryWord ; d3f:definition "In computing (specifically data transmission and data storage), a block, sometimes called a physical record, is a sequence of bytes or bits, usually containing some whole number of records, having a maximum length; a block size. Data thus structured are said to be blocked. The process of putting data into blocks is called blocking, while deblocking is the process of extracting data from blocks. Blocked data is normally stored in a data buffer and read or written a whole block at a time." ; d3f:may-contain d3f:Record . d3f:MemoryBlockStartValidation a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Block Start Validation" ; rdfs:subClassOf d3f:PointerValidation, [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:MemoryFreeFunction ] ; d3f:d3fend-id "D3-MBSV" ; d3f:definition "Ensuring that a pointer accurately references the beginning of a designated memory block." ; d3f:hardens d3f:MemoryFreeFunction ; d3f:kb-article """## How it Works Ensure that a pointer is referencing the beginning of the intended block before using. ## Considerations Be careful with pointer arithmetic.""" ; d3f:kb-reference d3f:Reference-CManualPointerArithmetic_GNU . d3f:MemoryBoundaryTracking a d3f:MemoryBoundaryTracking, owl:Class, owl:NamedIndividual ; rdfs:label "Memory Boundary Tracking" ; rdfs:subClassOf d3f:OperatingSystemMonitoring, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:ProcessCodeSegment ] ; d3f:analyzes d3f:ProcessCodeSegment ; d3f:d3fend-id "D3-MBT" ; d3f:definition "Analyzing a call stack for return addresses which point to unexpected memory locations." ; d3f:kb-article """## How it works This technique monitors for indicators of whether a return address is outside memory previously allocated for an object (i.e. function, module, process, or thread). If so, code that the return address points to is treated as malicious code. ## Considerations Kernel malware can manipulate memory contents, for example modifying pointers to hide processes, and thereby impact the accuracy of memory allocation information used to perform the analysis.""" ; d3f:kb-reference d3f:Reference-InferentialExploitAttemptDetection_CrowdstrikeInc . d3f:MemoryDeletionEvent a owl:Class ; rdfs:label "Memory Deletion Event" ; rdfs:subClassOf d3f:MemoryEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:MemoryFreeFunction ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:MemoryAllocationEvent ] ; d3f:definition "An event marking the release or deallocation of memory resources, reclaiming them for reuse within the system." . d3f:MemoryDeviceEvent a owl:Class ; rdfs:label "Memory Device Event" ; rdfs:subClassOf d3f:HardwareDeviceEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:PrimaryStorage ] ; d3f:definition "An event describing activity in primary storage devices, such as DRAM or SRAM memory initialization, reconfiguration, or failures." . d3f:MemoryEvent a owl:Class ; rdfs:label "Memory Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:MemoryAddress ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:MemoryExtent ] ; d3f:definition "An event capturing operations on the memory resources of a system, encompassing allocation, modification, access, protection, or deallocation." ; rdfs:seeAlso . d3f:MemoryExtent a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Extent" ; rdfs:subClassOf d3f:DigitalInformation ; d3f:definition "A memory extent is a defined, contiguous region of memory within a computing system, characterized by its size, location, and purpose. It represents an abstraction of physical or virtual memory used for storing data, instructions, or other computational artifacts." . d3f:MemoryFreeFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Free Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:FreeMemory ] ; d3f:definition "Releases previously reserved memory associated with a process." ; d3f:invokes d3f:FreeMemory . d3f:MemoryManagementUnit a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Management Unit" ; rdfs:subClassOf d3f:ProcessorComponent, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:TranslationLookasideBuffer ], [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:VirtualAddress ], [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:PageTable ], [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:Storage ] ; rdfs:isDefinedBy ; d3f:contains d3f:TranslationLookasideBuffer ; d3f:creates d3f:VirtualAddress ; d3f:definition "A computer’s memory management unit (MMU) is the physical hardware that handles its virtual memory and caching operations. The MMU is usually located within the computer’s central processing unit (CPU), but sometimes operates in a separate integrated chip (IC)." ; d3f:manages d3f:PageTable, d3f:Storage ; rdfs:seeAlso . d3f:MemoryManagementUnitComponent a owl:Class ; rdfs:label "Memory Management Unit Component" ; rdfs:subClassOf d3f:HardwareDevice ; d3f:definition "A Memory Management Unit Component is a hardware or software element that contributes to the functionality of a Memory Management Unit, which is responsible for managing and translating memory addresses in a computing system." . d3f:MemoryMapEvent a owl:Class ; rdfs:label "Memory Map Event" ; rdfs:subClassOf d3f:MemoryEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:VirtualMemorySpace ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:MemoryAllocationEvent ] ; d3f:definition "An event representing the mapping of memory regions into a process's virtual address space, enabling efficient access to shared or reserved memory." . d3f:MemoryModificationEvent a owl:Class ; rdfs:label "Memory Modification Event" ; rdfs:subClassOf d3f:MemoryEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:MemoryAllocationEvent ] ; d3f:definition "An event where a process modifies allocated memory, potentially altering its content, behavior, or state." . d3f:MemoryPool a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Pool" ; rdfs:subClassOf d3f:MemoryExtent, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:MemoryBlock ] ; rdfs:isDefinedBy ; d3f:contains d3f:MemoryBlock ; d3f:definition "Memory pools, also called fixed-size blocks allocation, is the use of pools for memory management… preallocating a number of memory blocks with the same size called the memory pool. The application can allocate, access, and free blocks represented by handles at run time." . d3f:MemoryProtectionUnit a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Protection Unit" ; rdfs:subClassOf d3f:ProcessorComponent ; d3f:definition "A Memory Protection Unit (MPU) is a processor component that enforces access control policies on memory regions to ensure the integrity, security, and proper operation of a computing system." ; d3f:synonym "MPU" . d3f:MemoryReadEvent a owl:Class ; rdfs:label "Memory Read Event" ; rdfs:subClassOf d3f:MemoryEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:RawMemoryAccessFunction ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:MemoryAllocationEvent ] ; d3f:definition "An event where a process retrieves data from a specific memory address, either from its own allocated space or that of another process." . d3f:MemoryWord a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Word" ; rdfs:subClassOf d3f:MemoryExtent ; rdfs:isDefinedBy ; d3f:definition "A memory word is the natural unit of data used by a particular computer processor design; a fixed-size piece of data handled as a unit by the instruction set or the hardware of the processor." . d3f:MemoryWriteEvent a owl:Class ; rdfs:label "Memory Write Event" ; rdfs:subClassOf d3f:MemoryEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:MemoryAllocationEvent ] ; d3f:definition "An event where a process writes data to a memory address, storing new information or updating existing content." . d3f:MessageAnalysis a d3f:MessageAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Message Analysis" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Detect ] ; d3f:d3fend-id "D3-MA" ; d3f:definition "Analyzing email or instant message content to detect unauthorized activity." ; d3f:enables d3f:Detect ; d3f:kb-article """## Technique Overview Email and messaging are frequently used to deliver malicious content to targets. These enterprise capabilities are used to deliver software exploits or social engineering tricks. If the recipient of a message trusts the sender, attackers can avoid escalating suspicion. Emails and messages are also complex data structures. They contain files and links, and complex data encodings which vary region to region. Thus the defensive techniques used to analyze emails and messages are highly varied ranging from deep content analysis and execution to social network graph-style analytics to analyze trust or risk.""" ; d3f:synonym "Electronic Message Analysis", "Email Or Messaging Analysis" . d3f:MessageAuthentication a d3f:MessageAuthentication, owl:Class, owl:NamedIndividual ; rdfs:label "Message Authentication" ; rdfs:subClassOf d3f:MessageHardening, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:DigitalMessage ] ; d3f:authenticates d3f:DigitalMessage ; d3f:d3fend-id "D3-MAN" ; d3f:definition "Authenticating the sender of a message and ensuring message integrity." ; d3f:kb-article """## How it works ### Digital Signature Digital signatures are used to verifying a message is from the expected sender. In email, Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol is typically used to digitally sign messages. A hash value of the sender's message is created and encrypted with the sender's private key to create a digital signature. The message and the digital signature are sent to the recipient where the sender's public key is used to decrypt the digital signature and compute the hash of the message. The computed hash is compared with the hash from the received message, and any difference in the hash values signify the message did not originate from the sender and has been alerted in transit. ### Message Authentication Code (MAC) MAC is a fixed size string that is appended to a message to provide message authentication and integrity. The sender MAC signing algorithm takes as input a secret symmetric key shared between sender and recipient and the message to calculate a short tag that is appended to the message. The recipient receives the message with the appended tag, and a MAC verification algorithm is run using the symmetric key to verify the message came from the stated sender and ensure the message has not been tampered with. ## Considerations - Public keys associated with digital signatures should be verified by a Certification Authority (CA) to prevent impersonation. The CA verifies the owner of a public key and puts the sender's identity and public key into a certificate that is signed by the CA. - Digital signatures provide non-repudiation where a third party can verify the authenticity of the message using the sender's digital certificate signed by the CA. - Symmetric keys must be exchanged securely via a private channel and management of new symmetric keys are needed for each pair of participants wishing to exchange messages.""" ; d3f:kb-reference d3f:Reference-DomainKeysIdentifiedMail-Signatures-IETF, d3f:Reference-SecureMultipurposeInternetMailExtensionsMIME-Version3.1 . d3f:MessageEncryption a d3f:MessageEncryption, owl:Class, owl:NamedIndividual ; rdfs:label "Message Encryption" ; rdfs:subClassOf d3f:MessageHardening, [ a owl:Restriction ; owl:onProperty d3f:encrypts ; owl:someValuesFrom d3f:DigitalMessage ] ; d3f:d3fend-id "D3-MENCR" ; d3f:definition "Encrypting a message body using a cryptographic key." ; d3f:encrypts d3f:DigitalMessage ; d3f:kb-article """## How it works ### Asymmetric Cryptography Asymmetric encryption is typically accomplished using public and private key certificates based on the X.509 standard. The sender encrypts messages using the recipient's public key and the receipt decrypts the message using their private key. Standards that can be used to implement user message encryption include S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP. ### Symmetric Cryptography Symmetric encryption uses the same cryptographic key by both the sender and receiver to encrypt and decrypt a message. Asymmetric key exchange protocols such as Diffie-Hellman can be used to share the cryptographic key with the recipient. For synchronous or low-latency environments (like a message bus), a pre-shared or dynamically derived symmetric key is typically used to minimize computational overhead. ## Considerations - Separate configuration settings to enable message encryption are often needed for each messenger client (e.g. webmail, desktop client, mobile). - Continuous monitoring to ensure private keys are not compromised and the certificate authority (CA) is trusted. - Secure transfer of private keys between multiple devices. - Encryption adds latency and increases CPU utilization; while negligible for user-to-user messages, it can be a critical factor for real-time bus systems.""" ; d3f:kb-reference d3f:Reference-SecureMultipurposeInternetMailExtensionsMIME-Version3.1 . d3f:MessageHardening a d3f:MessageHardening, owl:Class, owl:NamedIndividual ; rdfs:label "Message Hardening" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Harden ] ; d3f:d3fend-id "D3-MH" ; d3f:definition "The application of security controls to user-to-user and system-to-system communications so messages remain confidential, unaltered, and verifiable while resisting injection, replay, and tampering." ; d3f:enables d3f:Harden . d3f:MessageTransferAgent a owl:Class, owl:NamedIndividual ; rdfs:label "Message Transfer Agent" ; skos:altLabel "Mail Transfer Agent", "MTA" ; rdfs:subClassOf d3f:MailService ; d3f:definition "A message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using a client-server application architecture. An MTA implements both the client (sending) and server (receiving) portions of the Simple Mail Transfer Protocol." ; rdfs:seeAlso . d3f:Metadata a owl:Class ; rdfs:label "Metadata" ; rdfs:subClassOf d3f:DigitalInformation ; rdfs:isDefinedBy ; d3f:definition "Metadata is information which describes aspects of other information." ; rdfs:seeAlso . d3f:Microcode a owl:Class ; rdfs:label "Microcode" ; rdfs:subClassOf d3f:Firmware ; rdfs:isDefinedBy ; d3f:definition "Microcode is a computer hardware technique that interposes a layer of organization between the CPU hardware and the programmer-visible instruction set architecture of the computer. As such, the microcode is a layer of hardware-level instructions that implement higher-level machine code instructions or internal state machine sequencing in many digital processing elements." . d3f:MicrosoftHTMLApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Microsoft HTML Application" ; rdfs:subClassOf d3f:HTMLFile, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:ExecutableScript ] ; rdfs:isDefinedBy ; d3f:definition "An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript." ; d3f:may-contain d3f:ExecutableScript ; d3f:synonym "HTA" . d3f:MobilePhone a owl:Class ; rdfs:label "Mobile Phone" ; skos:altLabel "Cellphone", "Cellular Phone" ; rdfs:subClassOf d3f:PersonalComputer ; rdfs:isDefinedBy ; d3f:definition "A mobile phone, cellular phone, cell phone, cellphone or hand phone, sometimes shortened to simply mobile, cell or just phone, is a portable telephone that can make and receive calls over a radio frequency link while the user is moving within a telephone service area. The radio frequency link establishes a connection to the switching systems of a mobile phone operator, which provides access to the public switched telephone network (PSTN). Modern mobile telephone services use a cellular network architecture and, therefore, mobile telephones are called cellular telephones or cell phones in North America. In addition to telephony, digital mobile phones (2G) support a variety of other services, such as text messaging, MMS, email, Internet access, short-range wireless communications (infrared," . d3f:ModalLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Modal Logic" ; rdfs:subClassOf d3f:SymbolicAI ; d3f:d3fend-id "D3A-ML" ; d3f:definition "Modal logic is a collection of formal systems developed to represent statements about necessity and possibility. It plays a major role in philosophy of language, epistemology, metaphysics, and natural language semantics." ; d3f:kb-article """## References 1. Modal logic. (2023, June 4). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Modal_logic)""" . d3f:Mode a owl:Class, owl:NamedIndividual ; rdfs:label "Mode" ; rdfs:subClassOf d3f:CentralTendency ; d3f:d3fend-id "D3A-MOD" ; d3f:definition "The most frequent value in the data set. This is the only central tendency measure that can be used with nominal data, which have purely qualitative category assignments." ; d3f:kb-article """## References Wikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Central_tendency)""" . d3f:Model a d3f:DefensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Model" ; rdfs:subClassOf d3f:DefensiveTactic ; d3f:definition "The model tactic is used to apply security engineering, vulnerability, threat, and risk analyses to digital systems. This is accomplished by creating and maintaining a common understanding of the systems being defended, the operations on those systems, actors using the systems, and the relationships and interactions between these elements." ; d3f:display-order -1 ; d3f:display-priority 1 . d3f:Model-basedPolicyOptimization a owl:Class, owl:NamedIndividual ; rdfs:label "Model-based Policy Optimization" ; rdfs:subClassOf d3f:Model-basedReinforcementLearning ; d3f:d3fend-id "D3A-MBPO" ; d3f:definition "Model-based policy optimization (MBPO) is a model-based, online, off-policy reinforcement learning algorithm. For more information on the different types of reinforcement learning agents" ; d3f:kb-article """## References MBPO Agents. MathWorks. [Link](https://www.mathworks.com/help/reinforcement-learning/ug/mbpo-agents.html).""" . d3f:Model-basedReinforcementLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Model-based Reinforcement Learning" ; rdfs:subClassOf d3f:ReinforcementLearning ; d3f:d3fend-id "D3A-MBRL" ; d3f:definition "Model-based Reinforcement Learning refers to learning optimal behavior indirectly by learning a model of the environment by taking actions and observing the outcomes that include the next state and the immediate reward. The models predict the outcomes of actions and are used in lieu of or in addition to interaction with the environment to learn optimal policies." ; d3f:kb-article """## References Model-Based Reinforcement Learning. In *Encyclopedia of Machine Learning*, pp. 642-644. Springer, 2010. [Link](https://link.springer.com/referenceworkentry/10.1007/978-0-387-30164-8_556#:~:text=Model%2Dbased%20Reinforcement%20Learning%20refers,state%20and%20the%20immediate%20reward).""" . d3f:Model-basedValueIteration a owl:Class, owl:NamedIndividual ; rdfs:label "Model-based Value Iteration" ; rdfs:subClassOf d3f:Model-basedReinforcementLearning ; d3f:d3fend-id "D3A-MBVI" ; d3f:definition "Value Iteration effectively reducesthe evaluation stage down to a single sweep of the states. Additionally, to improve things further, it combines the Policy Evaluation and Policy Improvement stages into a single update." ; d3f:kb-article """## References Policy and Value Iteration. Towards Data Science. [Link](https://towardsdatascience.com/policy-and-value-iteration-78501afb41d2).""" ; d3f:synonym "MBVI" . d3f:Model-freeReinforcementLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Model-free Reinforcement Learning" ; rdfs:subClassOf d3f:ReinforcementLearning ; d3f:d3fend-id "D3A-MFRL" ; d3f:definition "In reinforcement learning (RL), a model-free algorithm (as opposed to a model-based one) is an algorithm which does not use the transition probability distribution (and the reward function) associated with the Markov decision process (MDP),which, in RL, represents the problem to be solved. The transition probability distribution (or transition model) and the reward function are often collectively called the \"model\" of the environment (or MDP), hence the name \"model-free\". A model-free RL algorithm can be thought of as an \"explicit\" trial-and-error algorithm. An example of a model-free algorithm is Q-learning." ; d3f:kb-article """## References Model-free (reinforcement learning). Wikipedia. [Link](https://en.wikipedia.org/wiki/Model-free_(reinforcement_learning)).)""" . d3f:Modem a owl:Class ; rdfs:label "Modem" ; rdfs:subClassOf d3f:ComputerNetworkNode ; rdfs:isDefinedBy ; d3f:definition "A modem -- a portmanteau of \"modulator-demodulator\" -- is a hardware device that converts data into a format suitable for a transmission medium so that it can be transmitted from one computer to another (historically along telephone wires). A modem modulates one or more carrier wave signals to encode digital information for transmission and demodulates signals to decode the transmitted information. The goal is to produce a signal that can be transmitted easily and decoded reliably to reproduce the original digital data. Modems can be used with almost any means of transmitting analog signals from light-emitting diodes to radio. A common type of modem is one that turns the digital data of a computer into modulated electrical signal for transmission over telephone lines and demodulated by another modem at the receiver side to recover the digital data." . d3f:Moments a owl:Class, owl:NamedIndividual ; rdfs:label "Moments" ; rdfs:subClassOf d3f:DistributionProperties ; d3f:d3fend-id "D3A-MOM" ; d3f:definition "With a probability distribution function, the the first moment is the expected value, the second central moment is the variance, the third standardized moment is the skewness, and the fourth standardized moment is the kurtosis." ; d3f:kb-article """## References Wikipedia. (n.d.). Moment (mathematics). [Link](https://en.wikipedia.org/wiki/Moment_(mathematics))""" . d3f:MotionDetectedEvent a owl:Class ; rdfs:label "Motion Detected Event" ; rdfs:subClassOf d3f:PhysicalAccessAlarmEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:MotionDetector ] . d3f:MotionDetector a owl:Class, owl:NamedIndividual ; rdfs:label "Motion Detector" ; rdfs:subClassOf d3f:HardwareDevice, d3f:Sensor ; rdfs:isDefinedBy ; d3f:definition "An electrical device that utilizes a sensor to detect nearby motion." . d3f:MotionSensorMonitoring a d3f:MotionSensorMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Motion Sensor Monitoring" ; rdfs:subClassOf d3f:PhysicalAccessMonitoring, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:MotionDetector ] ; d3f:d3fend-id "D3-MSM" ; d3f:definition "Monitoring events from motion detectors (e.g., passive IR, microwave, dual-technology) to detect presence or movement within protected areas." ; d3f:kb-article """## How it works Motion sensors generate events when movement is detected within their coverage pattern. Alarm panels or PACS correlate motion with arming schedules, door openings, and other sensors; video systems can use motion to trigger recording or bookmarks. Cross-zoning and sensitivity/pulse-count settings are commonly adjusted to balance detection and false-alarm rates. ## Considerations * Place sensors at appropriate height and angle with clear line of sight, avoiding obstructions or reflective surfaces that can cause missed or false detections. * Reduce false alarms by tuning sensitivity and pulse-count, using cross-zoning when needed, and accounting for HVAC airflow or rapid thermal changes. * Monitor tamper and supervision signals; for wireless devices, verify periodic check-ins and battery levels; perform regular walk tests to validate coverage. * Integrate motion events with cameras and with door position switches and other sensors in the protected area to provide context and faster verification; use motion to trigger recording or bookmarks.""" ; d3f:kb-reference d3f:Reference-NIST-Special-Publication-800-53-Revision-5, d3f:Reference-Wikipedia-MotionDetector, d3f:Reference-Wikipedia-PIRSensor ; d3f:monitors d3f:MotionDetector ; d3f:synonym "Motion Alarm Monitoring", "Motion Detector Monitoring" . d3f:MouseInputDevice a owl:Class ; rdfs:label "Mouse Input Device" ; skos:altLabel "Computer Mouse" ; rdfs:subClassOf d3f:InputDevice ; rdfs:isDefinedBy ; d3f:definition "A computer mouse (plural mice or mouses) is a hand-held pointing device that detects two-dimensional motion relative to a surface. This motion is typically translated into the motion of a pointer on a display, which allows a smooth control of the graphical user interface of a computer. In addition to moving a cursor, computer mice have one or more buttons to allow operations such as selection of a menu item on a display. Mice often also feature other elements, such as touch surfaces and scroll wheels, which enable additional control and dimensional input." ; rdfs:seeAlso . d3f:MoveFile a owl:Class, owl:NamedIndividual ; rdfs:label "Move File" ; skos:altLabel "Rename File" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:FileSystemMetadata ] ; d3f:definition "A system call to rename or move a file. Linux's rename() is an example of this kind of system call. Another way of handling it is to call a copy file system call followed by a delete file system call." ; d3f:modifies d3f:FileSystemMetadata ; rdfs:seeAlso . d3f:MovingAverageModel a owl:Class, owl:NamedIndividual ; rdfs:label "Moving Average Model" ; rdfs:subClassOf d3f:TimeSeriesAnalysis ; d3f:d3fend-id "D3A-MAM" ; d3f:definition "the moving-average model (MA model) is an approach for modeling univariate time series and specifies that the output variable is cross-correlated with a non-identical to itself random-variable." ; d3f:kb-article """## Refrences Wikipedia. (n.d.). Moving average model. [Link](https://en.wikipedia.org/wiki/Moving_average_model)""" ; d3f:synonym "MA Model" . d3f:Multi-factorAuthentication a d3f:Multi-factorAuthentication, owl:Class, owl:NamedIndividual ; rdfs:label "Multi-factor Authentication" ; rdfs:subClassOf d3f:AgentAuthentication, [ a owl:Restriction ; owl:onProperty d3f:uses ; owl:someValuesFrom d3f:Credential ] ; d3f:d3fend-id "D3-MFA" ; d3f:definition "Requiring proof of two or more pieces of evidence in order to authenticate a user." ; d3f:kb-article """## How it works When logging into an account users present two or more credentials that fall into different categories: something you know (password or PIN), something you have (smart card or phone), or something you are (fingerprint). ## Considerations MFA configuration steps may vary across accounts and in some cases left up to users to activate and implement.""" ; d3f:kb-reference ; d3f:uses d3f:Credential . d3f:MulticlassClassification a owl:Class ; rdfs:label "Multiclass Classification" ; rdfs:subClassOf d3f:Classifying . d3f:MultilayerPerceptronClassification a owl:Class, owl:NamedIndividual ; rdfs:label "Multilayer Perceptron Classification" ; rdfs:subClassOf d3f:ArtificialNeuralNetClassification ; d3f:d3fend-id "D3A-MPC" ; d3f:definition "A multilayer perceptron (MLP) is a fully connected class of feedforward artificial neural network (ANN).An MLP consists of at least three layers of nodes: an input layer, a hidden layer and an output layer." ; d3f:kb-article """## References Multilayer perceptron. Wikipedia. [Link](https://en.wikipedia.org/wiki/Multilayer_perceptron).""" . d3f:MultimediaDocumentFile a owl:Class ; rdfs:label "Multimedia Document File" ; rdfs:subClassOf d3f:DocumentFile ; d3f:definition "Digital video files which often contain audio." ; rdfs:seeAlso . d3f:MultimediaFile a owl:Class, owl:NamedIndividual ; rdfs:label "Multimedia File" ; rdfs:subClassOf d3f:File, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:DigitalMultimedia ] ; d3f:contains d3f:DigitalMultimedia ; d3f:definition "A file that contains digital multimedia." . d3f:MultipleRegression a owl:Class, owl:NamedIndividual ; rdfs:label "Multiple Regression" ; rdfs:subClassOf d3f:RegressionAnalysis ; d3f:d3fend-id "D3A-MR" ; d3f:definition "Multiple (linear) regression attempts to model the relationship between two or more explanatory variables and a response variable by fitting a linear equation to observed data." ; d3f:kb-article """## References Yale University Department of Statistics. (1997-98). Linear regression and multivariate analysis. [Link](http://www.stat.yale.edu/Courses/1997-98/101/linmult.htm)""" ; d3f:synonym "Multiple Linear Regression" . d3f:MultipleRegressionLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Multiple Regression Learning" ; rdfs:subClassOf d3f:RegressionAnalysisLearning ; d3f:d3fend-id "D3A-MRL" ; d3f:definition "A supervised learning method that builds a multiple regression model using training data." ; d3f:kb-article """## References Yale University Department of Statistics. (1997-98). Linear regression and multivariate analysis. [Link](http://www.stat.yale.edu/Courses/1997-98/101/linmult.htm)""" ; rdfs:seeAlso d3f:MultipleRegression . d3f:MultivariateAnalysis a owl:Class, owl:NamedIndividual ; rdfs:label "Multivariate Analysis" ; rdfs:subClassOf d3f:StatisticalMethod ; d3f:d3fend-id "D3A-MA" ; d3f:definition "Multivariate statistics encompassed the simultaneous observation and analysis of more than one outcome variable, i.e., multivariate random variables." ; d3f:kb-article """## References Wikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki/Multivariate_statistics)""" . d3f:NaiveBayesClassifier a owl:Class, owl:NamedIndividual ; rdfs:label "Naive Bayes Classifier" ; rdfs:subClassOf d3f:Classification ; d3f:d3fend-id "D3A-NBC" ; d3f:definition "The Naïve Bayes classifier is a supervised machine learning algorithm, which is used for classification tasks, like text classification. It is also part of a family of generative learning algorithms, meaning that it seeks to model the distribution of inputs of a given class or category." ; d3f:kb-article """## References Naive Bayes. IBM. [Link](https://www.ibm.com/topics/naive-bayes?mhsrc=ibmsearch_a&mhq=naive%20bayes).""" . d3f:NamedPipe a owl:Class, owl:NamedIndividual ; rdfs:label "Named Pipe" ; rdfs:subClassOf d3f:Pipe ; rdfs:isDefinedBy ; d3f:definition "In computing, a named pipe (also known as a FIFO for its behavior) is an extension to the traditional pipe concept on Unix and Unix-like systems, and is one of the methods of inter-process communication (IPC). The concept is also found in OS/2 and Microsoft Windows, although the semantics differ substantially. A traditional pipe is 'unnamed' and lasts only as long as the process. A named pipe, however, can last as long as the system is up, beyond the life of the process. It can be deleted if no longer used. Usually a named pipe appears as a file, and generally processes attach to it for IPC." ; rdfs:seeAlso . d3f:Network a owl:Class, owl:NamedIndividual ; rdfs:label "Network" ; skos:altLabel "Computer Network" ; rdfs:subClassOf d3f:DigitalInformationBearer ; d3f:definition "A network is a group of computers that use a set of common communication protocols over digital interconnections for the purpose of sharing resources located on or provided by the network nodes. The interconnections between nodes are formed from a broad spectrum of telecommunication network technologies, based on physically wired, optical, and wireless radio-frequency methods that may be arranged in a variety of network topologies." ; rdfs:seeAlso . d3f:NetworkAccessMediation a d3f:NetworkAccessMediation, owl:Class, owl:NamedIndividual ; rdfs:label "Network Access Mediation" ; rdfs:subClassOf d3f:AccessMediation, [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:Network ] ; d3f:d3fend-id "D3-NAM" ; d3f:definition "Network access mediation is the control method for authorizing access to a system by a user (or a process acting on behalf of a user) communicating through a network, including a local area network, a wide area network, and the Internet." ; d3f:isolates d3f:Network ; d3f:kb-article """## How it works Network Access Mediation is a crucial process in telecommunications and IT networks that involves controlling access to network resources. It acts as an intermediary layer between network access requests and the actual network resources, ensuring that only authorized users and devices can access the network.""" ; d3f:kb-reference d3f:Reference-WhatIsNetworkAccessControl ; d3f:synonym "Network Access Control" ; rdfs:seeAlso . d3f:NetworkAgent a owl:Class, owl:NamedIndividual ; rdfs:label "Network Agent" ; rdfs:subClassOf d3f:Software ; d3f:definition "A network agent is software installed on a network node or device that transmits information back to a collector agent or management system. Kinds of network agents include SNMP Agent, IPMI agents, WBEM agents, and many proprietary agents capturing network monitoring and management information." ; d3f:synonym "Exporter" . d3f:NetworkAudioStreamingResource a owl:Class ; rdfs:label "Network Audio Streaming Resource" ; rdfs:subClassOf d3f:NetworkMediaStreamingResource ; d3f:definition "A server that provides digital audio media content to users." . d3f:NetworkAudioVisualStreamingResource a owl:Class ; rdfs:label "Network Audio Visual Streaming Resource" ; rdfs:subClassOf d3f:NetworkMultimediaStreamingResource ; d3f:definition "A server that provides digital audio-visual media content to users." . d3f:NetworkCardFirmware a owl:Class, owl:NamedIndividual ; rdfs:label "Network Card Firmware" ; skos:altLabel "Network Controller Firmware" ; rdfs:subClassOf d3f:PeripheralFirmware ; d3f:definition "Firmware that is installed on a network card (network interface controller)." ; rdfs:seeAlso . d3f:NetworkConnectionCloseEvent a owl:Class ; rdfs:label "Network Connection Close Event" ; rdfs:subClassOf d3f:NetworkConnectionEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:NetworkConnectionOpenEvent ] ; d3f:definition "An event where a network connection is closed." . d3f:NetworkConnectionEvent a owl:Class ; rdfs:label "Network Connection Event" ; rdfs:subClassOf d3f:NetworkEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:NetworkSession ] ; d3f:definition "An event related to the establishment, maintenance, or termination of a network connection." ; rdfs:seeAlso . d3f:NetworkConnectionFailEvent a owl:Class ; rdfs:label "Network Connection Fail Event" ; rdfs:subClassOf d3f:NetworkConnectionEvent ; d3f:definition "An event where a network connection attempt fails." . d3f:NetworkConnectionListenEvent a owl:Class ; rdfs:label "Network Connection Listen Event" ; rdfs:subClassOf d3f:NetworkConnectionEvent ; d3f:definition "An event where a network endpoint begins listening for new network connections." . d3f:NetworkConnectionOpenEvent a owl:Class ; rdfs:label "Network Connection Open Event" ; rdfs:subClassOf d3f:NetworkConnectionEvent ; d3f:definition "An event where a network connection is successfully opened." . d3f:NetworkConnectionRefuseEvent a owl:Class ; rdfs:label "Network Connection Refuse Event" ; rdfs:subClassOf d3f:NetworkConnectionEvent ; d3f:definition "An event where a network connection is refused." . d3f:NetworkConnectionResetEvent a owl:Class ; rdfs:label "Network Connection Reset Event" ; rdfs:subClassOf d3f:NetworkConnectionEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:NetworkConnectionOpenEvent ] ; d3f:definition "An event where an attempt is made to establish a network connection." . d3f:NetworkDeviceEvent a owl:Class ; rdfs:label "Network Device Event" ; rdfs:subClassOf d3f:HardwareDeviceEvent ; d3f:definition "An event capturing the activity or state of network devices, such as Ethernet adapters, Wi-Fi modules, or virtual interfaces. These events highlight connectivity, configuration, or performance changes." . d3f:NetworkDirectoryResource a owl:Class, owl:NamedIndividual ; rdfs:label "Network Directory Resource" ; rdfs:subClassOf d3f:NetworkFileShareResource, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Directory ] ; d3f:contains d3f:Directory ; d3f:definition "A directory resource made available from one host to other hosts on a computer network." . d3f:NetworkEvent a owl:Class ; rdfs:label "Network Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:definition "An event involving network communications within or between digital systems." ; rdfs:seeAlso . d3f:NetworkFileResource a owl:Class, owl:NamedIndividual ; rdfs:label "Network File Resource" ; rdfs:subClassOf d3f:NetworkFileShareResource, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:File ] ; d3f:contains d3f:File ; d3f:definition "A computer file resource made available from one host to other hosts on a computer network." . d3f:NetworkFileShareResource a owl:Class, owl:NamedIndividual ; rdfs:label "Network File Share Resource" ; rdfs:subClassOf d3f:NetworkResource ; d3f:definition "A shared file resource, or network file share, is a computer file made available from one host to other hosts on a computer network. Network sharing is made possible by inter-process communication over the network. It includes both files and directories." . d3f:NetworkFlow a owl:Class, owl:NamedIndividual ; rdfs:label "Network Flow" ; rdfs:subClassOf d3f:DigitalInformation, [ a owl:Restriction ; owl:onProperty d3f:summarizes ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:definition "A summarization of network transactions between a client and server. It often summarizes bytes sent, bytes received, and protocol flags." ; d3f:summarizes d3f:NetworkTraffic . d3f:NetworkFlowSensor a owl:Class, owl:NamedIndividual ; rdfs:label "Network Flow Sensor" ; rdfs:subClassOf d3f:NetworkSensor, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:NetworkFlow ] ; d3f:definition "Monitors network traffic and produces summaries of data flows traversing the network." ; d3f:monitors d3f:NetworkFlow . d3f:NetworkFrame a owl:Class ; rdfs:label "Network Frame" ; skos:altLabel "Frame" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A finite, self-delimited sequence of bits exchanged as one unit over a single data link. Formed by link-layer encapsulation, a frame typically begins with synchronization and control fields, carries a payload, ends with an integrity check, and is bounded from adjacent frames by explicit timing or delimiter symbols." . d3f:NetworkInitScriptFileResource a owl:Class, owl:NamedIndividual ; rdfs:label "Network Init Script File Resource" ; rdfs:subClassOf d3f:InitScript, d3f:NetworkFileResource ; d3f:definition "A computer file resource made available from one host to other hosts on a computer network that is also an initialization script." . d3f:NetworkInterfaceCard a owl:Class, owl:NamedIndividual ; rdfs:label "Network Interface Card" ; rdfs:subClassOf d3f:HardwareDevice, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:NetworkCardFirmware ] ; rdfs:isDefinedBy ; d3f:contains d3f:NetworkCardFirmware ; d3f:definition "A network interface card (NIC, also known as a network interface controller, network adapter, LAN adapter or physical network interface, and by similar terms) is a computer hardware component that connects a computer to a computer network." ; d3f:synonym "Network Interface Controller" ; rdfs:seeAlso . d3f:NetworkIsolation a d3f:NetworkIsolation, owl:Class, owl:NamedIndividual ; rdfs:label "Network Isolation" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Isolate ] ; d3f:d3fend-id "D3-NI" ; d3f:definition "Network Isolation techniques prevent network hosts from accessing non-essential system network resources." ; d3f:enables d3f:Isolate . d3f:NetworkLink a owl:Class ; rdfs:label "Network Link" ; rdfs:subClassOf d3f:LogicalLink ; d3f:definition "A network link is a link within the network layer, which is responsible for packet forwarding including routing through intermediate routers." ; d3f:synonym "Layer-3 Link", "Network Layer Link" ; rdfs:seeAlso , . d3f:NetworkMapping a d3f:NetworkMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Network Mapping" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Model ] ; d3f:d3fend-id "D3-NM" ; d3f:definition "Network mapping encompasses the techniques to identify and model the physical layer, network layer, and data exchange layers of the organization's network and their physical location, and determine allowed pathways through that network." ; d3f:display-order 3 ; d3f:enables d3f:Model ; rdfs:seeAlso . d3f:NetworkMediaStreamingResource a owl:Class ; rdfs:label "Network Media Streaming Resource" ; rdfs:subClassOf d3f:NetworkResource ; d3f:definition "A server that provides digital media content to users." . d3f:NetworkMultimediaStreamingResource a owl:Class ; rdfs:label "Network Multimedia Streaming Resource" ; rdfs:subClassOf d3f:NetworkMediaStreamingResource ; d3f:definition "A server that provides digital multimedia content to users." . d3f:NetworkNode a owl:Class, owl:NamedIndividual ; rdfs:label "Network Node" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "In telecommunications networks, a node (Latin nodus, 'knot') is either a redistribution point or a communication endpoint. The definition of a node depends on the network and protocol layer referred to. A physical network node is an electronic device that is attached to a network, and is capable of creating, receiving, or transmitting information over a communications channel. A passive distribution point such as a distribution frame or patch panel is consequently not a node." . d3f:NetworkNodeInventory a d3f:NetworkNodeInventory, owl:Class, owl:NamedIndividual ; rdfs:label "Network Node Inventory" ; rdfs:subClassOf d3f:AssetInventory, [ a owl:Restriction ; owl:onProperty d3f:inventories ; owl:someValuesFrom d3f:NetworkNode ] ; d3f:d3fend-id "D3-NNI" ; d3f:definition "Network node inventorying identifies and records all the network nodes (hosts, routers, switches, firewalls, etc.) in the organization's architecture." ; d3f:inventories d3f:NetworkNode ; d3f:kb-article """## How it works Administrators collect information on network nodes in their architecture using a variety of administrative and management tools that query network devices and nodes for information. In some cases, where such queries are not supported or provide specific information of interest, an administrator may also collect this information through network enumeration methods to include host discovery and scanning for active ports and services. ## Considerations * Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems. * An adversary conducting network enumeration may engage in activities that parallel normal network node inventorying activities, but would require escalating to admin privileges for most of the operations requiting administrative tools ## Examples * Link-layer discovery * Link-layer Discovery Protocol (LLDP) * Cisco Discovery Protocol (CDP) * Application-layer discovery * Simple Network Management Protocol (SNMP) collects MIB information * Web-based Enterprise Management (WBEM) collects CIM information * Windows Management Instrumentation (WMI) * Windows Management Infrastructure (MI)""" ; d3f:kb-reference d3f:Reference-IEEE-802_1AB-2016, d3f:Reference-QualysNetworkPassiveSensorGettingStartedGuide, d3f:Reference-RFC3411-AnArchitectureForDescribingSimpleNetworkManagementProtocolSNMPManagementFrameworks, d3f:Reference-Web-BasedEnterpriseManagement, d3f:Reference-Windows-Management-Infrastructure, d3f:Reference-Windows-Management-Instrumentation ; d3f:synonym "System Discovery", "System Inventorying" . d3f:NetworkPacket a owl:Class, owl:NamedIndividual ; rdfs:label "Network Packet" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A network packet is a formatted unit of data carried by a packet-switched network. Computer communications links that do not support packets, such as traditional point-to-point telecommunications links, simply transmit data as a bit stream. When data is formatted into packets, packet switching is possible and the bandwidth of the communication medium can be better shared among users than with circuit switching." . d3f:NetworkPrinter a owl:Class ; rdfs:label "Network Printer" ; rdfs:subClassOf d3f:SharedComputer ; rdfs:isDefinedBy ; d3f:definition "In computing, a network printer is a device that can be accessed over a network which makes a persistent representation of graphics or text, usually on paper. While most output is human-readable, bar code printers are an example of an expanded use for printers. The different types of printers include 3D printer, inkjet printer, laser printer, thermal printer, etc. Note that not all printers are networked and the digital information to be printed must be passed either by removable media or as directly connecting the printer to a computer (e.g., by USB.)" . d3f:NetworkProtocolAnalyzer a owl:Class, owl:NamedIndividual ; rdfs:label "Network Protocol Analyzer" ; rdfs:subClassOf d3f:NetworkSensor, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:definition "Monitors and parses network protocols to extract values from various network protocol layers." ; d3f:monitors d3f:NetworkTraffic . d3f:NetworkResource a owl:Class, owl:NamedIndividual ; rdfs:label "Network Resource" ; skos:altLabel "Shared Resource" ; rdfs:subClassOf d3f:RemoteResource ; d3f:definition "In computing, a shared resource, or network share, is a computer resource made available from one host to other hosts on a computer network. It is a device or piece of information on a computer that can be remotely accessed from another computer, typically via a local area network or an enterprise intranet, transparently as if it were a resource in the local machine.Network sharing is made possible by inter-process communication over the network." ; rdfs:seeAlso . d3f:NetworkResourceAccess a owl:Class, owl:NamedIndividual ; rdfs:label "Network Resource Access" ; rdfs:subClassOf d3f:ResourceAccess, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:NetworkResource ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:Resource ] ; d3f:accesses d3f:NetworkResource, d3f:Resource ; d3f:definition "Ephemeral digital artifact comprising a request of a network resource and any response from that network resource." . d3f:NetworkResourceAccessMediation a d3f:NetworkResourceAccessMediation, owl:Class, owl:NamedIndividual ; rdfs:label "Network Resource Access Mediation" ; rdfs:subClassOf d3f:AccessMediation, [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:NetworkResource ] ; d3f:d3fend-id "D3-NRAM" ; d3f:definition "Control of access to organizational systems and services by users or processes over a network." ; d3f:isolates d3f:NetworkResource ; d3f:kb-article """## How it works Network Resource Access Control involves managing and regulating access to resources within an organization's network. This includes ensuring that only authorized users or processes can access specific systems or data, often through authentication and authorization mechanisms. Examples include accessing internal databases, file servers, or application services.""" ; d3f:kb-reference d3f:Reference-NIST-Special-Publication-800-53-Revision-5 ; d3f:synonym "Remote Access Control" . d3f:NetworkScanner a owl:Class, owl:NamedIndividual ; rdfs:label "Network Scanner" ; skos:altLabel "Network Enumerator" ; rdfs:subClassOf d3f:CyberSensor, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:Network ] ; rdfs:isDefinedBy ; d3f:definition "A network scanner is a computer program used to retrieve usernames and info on groups, shares, and services of networked computers. This type of program scans networks for vulnerabilities in the security of that network. If there is a vulnerability with the security of the network, it will send a report back to a hacker who may use this info to exploit that network glitch to gain entry to the network or for other malicious activities. Ethical hackers often also use the information to remove the glitches and strengthen their network." ; d3f:monitors d3f:Network ; rdfs:seeAlso . d3f:NetworkSensor a owl:Class ; rdfs:label "Network Sensor" ; rdfs:subClassOf d3f:CyberSensor ; d3f:definition "A Network Sensor monitors network traffic and communication patterns." . d3f:NetworkService a owl:Class ; rdfs:label "Network Service" ; rdfs:subClassOf d3f:ServiceApplicationProcess ; rdfs:isDefinedBy ; d3f:definition "In computer networking, a network service is an application running at the network application layer and above, that provides data storage, manipulation, presentation, communication or other capability which is often implemented using a client-server or peer-to-peer architecture based on application layer network protocols. Clients and servers will often have a user interface, and sometimes other hardware associated with it." . d3f:NetworkSession a owl:Class, owl:NamedIndividual ; rdfs:label "Network Session" ; rdfs:subClassOf d3f:Session, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:definition "A network session is a temporary and interactive information interchange between two or more devices communicating over a network. A session is established at a certain point in time, and then 'torn down' - brought to an end - at some later point. An established communication session may involve more than one message in each direction. A session is typically stateful, meaning that at least one of the communicating parties needs to hold current state information and save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses. Network sessions may be established and implemented as part of protocols and services at the application, session, or transport layers of the OSI model." ; d3f:produces d3f:NetworkTraffic ; rdfs:seeAlso , , . d3f:NetworkTimeServer a owl:Class ; rdfs:label "Network Time Server" ; rdfs:subClassOf d3f:Server ; d3f:definition "A network time server is a server computer that reads the actual time from a reference clock and distributes this information to its clients using a computer network. The time server may be a local network time server or an internet time server. The time server may also be a stand-alone hardware device. It can use NTP (RFC5905) or other protocols." ; rdfs:seeAlso . d3f:NetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Network Traffic" ; skos:altLabel "Data Traffic" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:NetworkPacket ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:DomainName ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:RemoteCommand ], [ a owl:Restriction ; owl:onProperty d3f:originates-from ; owl:someValuesFrom d3f:PhysicalLocation ] ; d3f:contains d3f:NetworkPacket ; d3f:definition "Network traffic or data traffic is the data, or alternatively the amount of data, moving across a network at a given point of time. Network data in computer networks is mostly encapsulated in network packets, which provide the load in the network." ; d3f:may-contain d3f:DomainName, d3f:RemoteCommand ; d3f:originates-from d3f:PhysicalLocation ; rdfs:seeAlso , . d3f:NetworkTrafficAnalysis a d3f:NetworkTrafficAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Network Traffic Analysis" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Detect ] ; d3f:d3fend-id "D3-NTA" ; d3f:definition "Analyzing intercepted or summarized computer network traffic to detect unauthorized activity." ; d3f:enables d3f:Detect . d3f:NetworkTrafficAnalysisSoftware a owl:Class ; rdfs:label "Network Traffic Analysis Software" ; rdfs:subClassOf d3f:DeveloperApplication ; d3f:definition "A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or part of a network.\"" ; d3f:synonym "Network Sniffer" . d3f:NetworkTrafficCommunityDeviation a d3f:NetworkTrafficCommunityDeviation, owl:Class, owl:NamedIndividual ; rdfs:label "Network Traffic Community Deviation" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:analyzes d3f:NetworkTraffic ; d3f:d3fend-id "D3-NTCD" ; d3f:definition "Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication." ; d3f:kb-article """## How it works Hosts/users within a computer network are analyzed to identify communities of hosts which frequently communicate. Future communications between communities that don't usually communicate can then be detected. For example, if a community of hosts that communicate in support of a company's finance division suddenly starts to access the code server usually accessed only by engineers, this may indicate unauthorized activity. ## Considerations * Potential for false positives in very dynamic network environments. * Attackers that move low and slow may not differentiate their behavior enough to trigger an alert.""" ; d3f:kb-reference d3f:Reference-SystemForImplementingThreatDetectionUsingDailyNetworkTrafficCommunityOutliers_VECTRANETWORKSInc . d3f:NetworkTrafficFiltering a d3f:NetworkTrafficFiltering, owl:Class, owl:NamedIndividual ; rdfs:label "Network Traffic Filtering" ; rdfs:subClassOf d3f:NetworkIsolation, [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:NetworkTraffic ], [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:OTProtocolMessage ], [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:RemoteCommand ] ; d3f:d3fend-id "D3-NTF" ; d3f:definition "Restricting network traffic originating from any location." ; d3f:filters d3f:NetworkTraffic, d3f:OTProtocolMessage, d3f:RemoteCommand ; d3f:kb-reference d3f:Reference-ActiveFirewallSystemAndMethodology_McAfeeLLC, d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft, d3f:Reference-FirewallForInterentAccess_SecureComputingLLC, d3f:Reference-FirewallForProcessingAConnectionlessNetworkPacket_NationalSecurityAgency, d3f:Reference-FirewallForProcessingConnection-orientedAndConnectionlessDatagramsOverAConnection-orientedNetwork_NationalSecurityAgency, d3f:Reference-FirewallsThatFilterBasedUponProtocolCommands_IntelCorp, d3f:Reference-FWTK-FirewallToolkit_, d3f:Reference-MethodForControllingComputerNetworkSecurity_CheckpointSoftwareTechnologiesLtd, d3f:Reference-NetworkFirewallWithProxy_SecureComputingLLC . d3f:NetworkTrafficPolicyMapping a d3f:NetworkTrafficPolicyMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Network Traffic Policy Mapping" ; rdfs:subClassOf d3f:NetworkMapping, [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:AccessControlConfiguration ], [ a owl:Restriction ; owl:onProperty d3f:queries ; owl:someValuesFrom d3f:NetworkAgent ] ; d3f:d3fend-id "D3-NTPM" ; d3f:definition "Network traffic policy mapping identifies and models the allowed pathways of data at the network, transport, and/or application levels." ; d3f:kb-reference d3f:Reference-CiscoASR9000AccessListCommands ; d3f:maps d3f:AccessControlConfiguration ; d3f:queries d3f:NetworkAgent ; d3f:synonym "DLP Policy Mapping", "Firewall Mapping", "IPS Policy Mapping", "Web Security Gateway Policy Mapping" . d3f:NetworkTrafficSignatureAnalysis a d3f:NetworkTrafficSignatureAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Network Traffic Signature Analysis" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:analyzes d3f:NetworkTraffic ; d3f:d3fend-id "D3-NTSA" ; d3f:definition "Analyzing network traffic and compares it to known signatures" ; d3f:kb-article """## How it works Network signature analysis relies on predefined patterns, or signatures, to identify malicious network activity. These signatures typically match against specific byte sequences, packet header information, or protocol anomalies indicative of known threats. The process works as follows: * Packet Capture: Network traffic is captured on an interface or port, resulting in a stream of raw packets. * Preprocessing: The captured packets are preprocessed, cleaning and normalizing the data for efficient analysis. * Signature Matching: Each packet is compared against a database of signatures using dedicated engines. ## Considerations ### False Negatives Network signature analysis is susceptible to generating false negatives. These occur when malicious activity evades detection due to limitations in the signature-based approach. Here are some common causes: * Evolving threats: Attackers frequently modify their tactics, rendering existing signatures ineffective against new variants. * Obfuscation: Attackers may disguise malicious content using encryption, encoding, or other techniques to bypass signature detection. * Limited visibility: Signatures rely on specific patterns. If crucial information is encrypted or hidden, the signature might miss the threat. * Zero-day attacks: By definition, new and unknown attacks lack corresponding signatures, allowing them to pass undetected. ### False Positives Network signature analysis is susceptible to generating false positives. These occur when the signature analysis triggers an alert for benign traffic. Common causes include: * Overly broad signatures: Rules designed to be too general might match harmless activities, generating false alarms. * Network misconfigurations: Improperly configured devices or legitimate network activity can mimic malicious patterns, triggering false positives. * Data errors: Corrupted or incomplete network data can lead to misinterpretations and false alerts. """ ; d3f:kb-reference d3f:Reference-SystemAndMethodForStrategicAntiMalwareMonitoring . d3f:NetworkVideoStreamingResource a owl:Class ; rdfs:label "Network Video Streaming Resource" ; rdfs:subClassOf d3f:NetworkMediaStreamingResource ; d3f:definition "A server that provides digital video media content to users." . d3f:NetworkVulnerabilityAssessment a d3f:NetworkVulnerabilityAssessment, owl:Class, owl:NamedIndividual ; rdfs:label "Network Vulnerability Assessment" ; rdfs:subClassOf d3f:NetworkMapping, [ a owl:Restriction ; owl:onProperty d3f:evaluates ; owl:someValuesFrom d3f:Network ], [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:Vulnerability ] ; d3f:d3fend-id "D3-NVA" ; d3f:definition "Network vulnerability assessment relates all the vulnerabilities of a network's components in the context of their configuration and interdependencies and can also include assessing risk emerging from the network's design as a whole, not just the sum of individual network node or network segment vulnerabilities." ; d3f:evaluates d3f:Network ; d3f:identifies d3f:Vulnerability ; d3f:kb-reference d3f:Reference-ReachabilityGraphBasedSafeRemediationsforSecuirytofOnPremiseAndCloudComputingEnvironments . d3f:NISTControl a owl:Class ; rdfs:label "NIST Control" ; rdfs:subClassOf d3f:ExternalControl, [ a owl:Restriction ; owl:onProperty d3f:member-of ; owl:someValuesFrom d3f:NISTSP800-53ControlCatalog ] . d3f:NISTSP800-53ControlCatalog a owl:Class ; rdfs:label "NIST SP 800-53 Control Catalog" ; rdfs:subClassOf d3f:ControlCatalog, [ a owl:Restriction ; owl:onProperty d3f:has-member ; owl:someValuesFrom d3f:NISTControl ] ; d3f:definition "A NIST SP 800-53 control catalog provides the entire set of security and privacy controls for a version of NIST SP 800-53." ; rdfs:seeAlso . d3f:Non-monotonicLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Non-monotonic Logic" ; rdfs:subClassOf d3f:SymbolicAI ; d3f:d3fend-id "D3A-NML" ; d3f:definition "Non-monotonic logic is a formal logic whose conclusion relation is not monotonic. In other words, non-monotonic logics are devised to capture and represent defeasible inferences (cf. defeasible reasoning), i.e., a kind of inference in which reasoners draw tentative conclusions, enabling reasoners to retract their conclusion(s) based on further evidence." ; d3f:kb-article """## References 1. Non-monotonic logic. (2023, June 1). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Non-monotonic_logic)""" . d3f:Non-ParametricTests a owl:Class, owl:NamedIndividual ; rdfs:label "Non-Parametric Tests" ; rdfs:subClassOf d3f:HypothesisTesting ; d3f:d3fend-id "D3A-NPT" ; d3f:definition "A non-parametric test relies is used when the underlying distribution of data is non-symmetric (non-normal distribution)." ; d3f:kb-article """## References Newcastle University. (n.d.). Parametric Hypothesis Tests. [Link](https://www.ncl.ac.uk/webtemplate/ask-assets/external/maths-resources/psychology/non-parametric-hypothesis-tests.html)""" . d3f:Non-PersonEntity a owl:Class ; rdfs:label "Non-Person Entity" ; rdfs:subClassOf d3f:Agent ; d3f:definition "An entity related to information technology with a digital identity that acts in cyberspace, but is not a human actor. This can include organizations, hardware objects (physical entities/devices), software objects (virtual/logical entities), and information artifacts." ; d3f:synonym "NPE" ; rdfs:seeAlso d3f:NIST_SP_800-53_R5, d3f:Reference-CNNSI-4009, . d3f:NonlinearRegression a owl:Class, owl:NamedIndividual ; rdfs:label "Nonlinear Regression" ; rdfs:subClassOf d3f:RegressionAnalysis ; d3f:d3fend-id "D3A-NR" ; d3f:definition "Nonlinear regression is a form of regression analysis in which observational data are modeled by a function which is a nonlinear combination of the model parameters and depends on one or more independent variables." ; d3f:kb-article """## References Wikipedia. (n.d.). Nonlinear regression. [Link](https://en.wikipedia.org/wiki/Nonlinear_regression)""" . d3f:NonlinearRegressionLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Nonlinear Regression Learning" ; rdfs:subClassOf d3f:RegressionAnalysisLearning ; d3f:d3fend-id "D3A-NRL" ; d3f:definition "A supervised learning method that builds a non-linear regression model using training data." ; d3f:kb-article """## References Wikipedia. (n.d.). Nonlinear regression. [Link](https://en.wikipedia.org/wiki/Nonlinear_regression)""" ; rdfs:seeAlso d3f:NonlinearRegression . d3f:NTFSHardLink a owl:Class ; rdfs:label "NTFS Hard Link" ; rdfs:subClassOf d3f:HardLink, d3f:NTFSLink ; rdfs:isDefinedBy ; d3f:definition "An NTFS hard link points to another file, and files share the same MFT entry (inode), in the same filesystem." ; rdfs:seeAlso . d3f:NTFSJunctionPoint a owl:Class ; rdfs:label "NTFS Junction Point" ; skos:altLabel "Junction Point" ; rdfs:subClassOf d3f:NTFSLink, d3f:SymbolicLink ; rdfs:isDefinedBy ; d3f:definition "NTFS junction points are are similar to NTFS symlinks but are defined only for directories. Only accepts local absolute paths." . d3f:NTFSLink a owl:Class ; rdfs:label "NTFS Link" ; rdfs:subClassOf d3f:File, d3f:FileSystemLink ; d3f:definition "The NTFS filesystem defines various ways to link files, i.e. to make a file point to another file or its contents. The object being pointed to is called the target. There are three classes of NTFS links: (a) Hard links, which have files share the same MFT entry (inode), in the same filesystem; (b) Symbolic links, which record the path of another file that the links contents should show and can accept relative paths; and (c) Junction points, which are similar to symlinks but defined only for directories and only accepts local absolute paths" . d3f:NTFSSymbolicLink a owl:Class ; rdfs:label "NTFS Symbolic Link" ; skos:altLabel "NTFS Symlink" ; rdfs:subClassOf d3f:NTFSLink, d3f:SymbolicLink ; rdfs:isDefinedBy ; d3f:definition "An NTFS symbolic link records the path of another file that the links contents should show. Can accept relative paths. SMB networking (UNC path) and directory support added in NTFS 3.1." . d3f:NTPBroadcastEvent a owl:Class ; rdfs:label "NTP Broadcast Event" ; rdfs:subClassOf d3f:NTPEvent ; d3f:definition "An event where an NTP server broadcasts time synchronization messages to multiple clients simultaneously, enabling synchronization without individual request-response cycles." . d3f:NTPClientSyncEvent a owl:Class ; rdfs:label "NTP Client Synchronization Event" ; rdfs:subClassOf d3f:NTPEvent ; d3f:definition "An event where an NTP client requests and adjusts its clock based on time synchronization data provided by an NTP server, ensuring alignment with a standard time source." . d3f:NTPControlMessageEvent a owl:Class ; rdfs:label "NTP Control Message Event" ; rdfs:subClassOf d3f:NTPEvent ; d3f:definition "An event where an NTP client or server exchanges control messages used for diagnostic, monitoring, or administrative management of the NTP protocol, rather than time synchronization." . d3f:NTPEvent a owl:Class ; rdfs:label "NTP Event" ; rdfs:subClassOf d3f:ApplicationLayerEvent, d3f:UDPEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:NetworkTimeServer ] ; d3f:definition "An event involving the Network Time Protocol (NTP), a protocol designed to synchronize the clocks of computer systems over packet-switched, variable-latency data networks, UDP as its transport protocol." ; rdfs:seeAlso . d3f:NTPServerResponseEvent a owl:Class ; rdfs:label "NTP Server Response Event" ; rdfs:subClassOf d3f:NTPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:NTPClientSyncEvent ] ; d3f:definition "An event where an NTP server sends time synchronization data to a client, enabling the client to align its local clock with the server's reference time." . d3f:NTPSymmetricActiveExchangeEvent a owl:Class ; rdfs:label "NTP Symmetric Active Exchange Event" ; rdfs:subClassOf d3f:NTPEvent ; d3f:definition "An event where an NTP peer operating in symmetric active mode initiates clock synchronization messages to a peer in symmetric passive mode, enabling time synchronization between equal-status systems." . d3f:NTPSymmetricPassiveExchangeEvent a owl:Class ; rdfs:label "NTP Symmetric Passive Exchange Event" ; rdfs:subClassOf d3f:NTPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:NTPSymmetricActiveExchangeEvent ] ; d3f:definition "An event where an NTP peer operating in symmetric passive mode responds to clock synchronization messages initiated by a symmetric active peer, facilitating mutual timekeeping." . d3f:NullPointerChecking a owl:Class, owl:NamedIndividual ; rdfs:label "Null Pointer Checking" ; rdfs:subClassOf d3f:PointerValidation, [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:MemoryFreeFunction ], [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:PointerDereferencingFunction ] ; d3f:d3fend-id "D3-NPC" ; d3f:definition "Checking if a pointer is NULL." ; d3f:hardens d3f:MemoryFreeFunction, d3f:PointerDereferencingFunction ; d3f:kb-article """ ## How it Works Programmatically checking if a pointer is NULL before use. ## Considerations * Pointers should be checked prior to use after they have, or may have been modified. * Note that it may vary by circumstance whether the caller, or callee is responsible for checking if a pointer is NULL. * Note: This resource should not be considered a definitive or exhaustive coding guideline.""" ; d3f:kb-reference d3f:Reference-NullPointerChecking_SEI, d3f:Reference-NullPointerDereference_CWE, d3f:Reference-PointerValidationFunction_SEI ; d3f:synonym "Nil Pointer Checking" . d3f:NumericPatternMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Numeric Pattern Matching" ; rdfs:subClassOf d3f:PatternMatching ; d3f:d3fend-id "D3A-NPM" ; d3f:definition "Numeric pattern matching uses a pattern specification and sees if the numeric value matches that pattern--simple forms include exact matching and range matching." . d3f:ObjectEviction a d3f:ObjectEviction, owl:Class, owl:NamedIndividual ; rdfs:label "Object Eviction" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Evict ] ; d3f:d3fend-id "D3-OE" ; d3f:definition "Terminate or remove an object from a host machine. This is the broadest class for object eviction." ; d3f:enables d3f:Evict . d3f:ObjectFile a owl:Class, owl:NamedIndividual ; rdfs:label "Object File" ; rdfs:subClassOf d3f:File ; d3f:definition "An object file is a file that contains relocatable machine code." ; rdfs:seeAlso . d3f:OffensiveAction a owl:Class ; rdfs:label "Offensive Action" ; rdfs:subClassOf d3f:CyberAction . d3f:OffensiveTactic a owl:Class ; rdfs:label "Offensive Tactic" ; rdfs:subClassOf d3f:Goal, [ a owl:Restriction ; owl:onProperty d3f:enabled-by ; owl:someValuesFrom d3f:OffensiveTechnique ] ; rdfs:isDefinedBy ; d3f:definition "Per ATT&CK, these are defined as Tactical Goals, not Tactics per se. Many children also fit definition of tactics. Some are neither tactics or tactical goals really (e.g., Execution, which is a useful grouping, but an action, not really a tactic or technique." ; d3f:synonym "Tactical Objective" . d3f:OffensiveTechnique a owl:Class ; rdfs:label "Offensive Technique" ; rdfs:subClassOf d3f:CyberTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:OffensiveTactic ], [ a owl:Restriction ; owl:onProperty d3f:initiates ; owl:someValuesFrom d3f:Access ] ; rdfs:isDefinedBy ; d3f:display-baseurl "/offensive-technique/attack/" . d3f:OfficeApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Office Application" ; rdfs:subClassOf d3f:UserApplication ; d3f:definition "An office application is one that is part of an application suite (e.g., Microsoft Office, Open Office)." . d3f:OfficeApplicationFile a owl:Class, owl:NamedIndividual ; rdfs:label "Office Application File" ; rdfs:subClassOf d3f:DocumentFile, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:ImageFile ] ; d3f:definition "A document file in a format associated with an d3f:OfficeApplication." ; d3f:may-contain d3f:ImageFile ; rdfs:seeAlso d3f:OfficeApplication . d3f:OnboardComputer a owl:Class, owl:NamedIndividual ; rdfs:label "Onboard Computer" ; rdfs:subClassOf d3f:OTEmbeddedComputer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:HardwareClock ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:FlashMemory ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:HardwareWatchdogTimer ], [ a owl:Restriction ; owl:onProperty d3f:runs ; owl:someValuesFrom d3f:BootLoader ], [ a owl:Restriction ; owl:onProperty d3f:runs ; owl:someValuesFrom d3f:FlightSoftware ], [ a owl:Restriction ; owl:onProperty d3f:runs ; owl:someValuesFrom d3f:RealTimeOperatingSystem ] ; rdfs:isDefinedBy ; d3f:contains d3f:HardwareClock ; d3f:definition "A self-contained, embedded computing unit installed within a vehicle or other autonomous platform that executes real-time control, data-handling, and mission-management software. It interfaces directly with the platform's sensors, actuators, and communication links, processes and stores operational data, and issues commands to subsystems, enabling the system to function independently of external computing resources." ; d3f:may-contain d3f:FlashMemory, d3f:HardwareWatchdogTimer ; d3f:runs d3f:BootLoader, d3f:FlightSoftware, d3f:RealTimeOperatingSystem ; d3f:synonym "OBC" ; rdfs:seeAlso . d3f:One-timePassword a d3f:One-timePassword, owl:Class, owl:NamedIndividual ; rdfs:label "One-time Password" ; rdfs:subClassOf d3f:PasswordRotation, [ a owl:Restriction ; owl:onProperty d3f:use-limits ; owl:someValuesFrom d3f:Password ] ; d3f:d3fend-id "D3-OTP" ; d3f:definition "A one-time password is valid for only one user authentication." ; d3f:kb-article """## How it works When a user initiates authentication, they are asked for a one-time password, often in addition to other credentials such as a traditional password or smart card. The one-time password may be from a list provided in advance, sent via a channel such as SMS or HTTPS to an app, or a generated token. In the case of a physical token which generates one-time passwords incrementally based on time elapsed, that token device need not be connected to the internet. In different implementations, an administrator of the system, or a user with additional verification, can adjust for clock skew between the token and the verification system as needed. ## Considerations ### Compromise of delivery channel - SIM Swapping - Secure token visual compromise - Insecure delivery channel ### Compromise of delivery device Physical loss of One-time Password device. ### Compromise of long-term backup codes These are often provided in the form of a downloadable document with a regular name, which can be searched for in the case that the user forgets where they put them. This digital file or printed document could be stolen. Additionally, after the code file is printed, it could be recovered from the system printer spool unless the spooler cache is cleared.""" ; d3f:kb-reference d3f:Reference-DigitalIdentityGuidelines800-63-3, d3f:Reference-RFC2289-AOne-TimePasswordSystem ; d3f:synonym "OTP" ; d3f:use-limits d3f:Password ; rdfs:seeAlso . d3f:Open-sourceDeveloper a owl:Class ; rdfs:label "Open-source Developer" ; rdfs:subClassOf d3f:ProductDeveloper ; d3f:definition "An open-source developer contributes to the development, maintenance, or improvement of open-source projects." . d3f:OpenFile a owl:Class, owl:NamedIndividual ; rdfs:label "Open File" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:File ] ; rdfs:isDefinedBy ; d3f:accesses d3f:File ; d3f:definition "For most file systems, a program initializes access to a file in a file system using the open system call. This allocates resources associated to the file (the file descriptor), and returns a handle that the process will use to refer to that file. In some cases the open is performed by the first access. During the open, the filesystem may allocate memory for buffers, or it may wait until the first operation. Various other errors which may occur during the open include directory update failures, un-permitted multiple connections, media failures, communication link failures and device failures." . d3f:OperatingMode a owl:Class, owl:NamedIndividual ; rdfs:label "Operating Mode" ; rdfs:subClassOf d3f:SystemPlatformVariable ; d3f:definition "An operating mode designates the specific way a system, product, or service functions for a particular task, configuration, or phase of operation" ; rdfs:seeAlso . d3f:OperatingModeMonitoring a d3f:OperatingModeMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Operating Mode Monitoring" ; rdfs:subClassOf d3f:PlatformMonitoring, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; d3f:d3fend-id "D3-OMM" ; d3f:definition "Detects operating modes such as Program, Run, Remote, or Stop." ; d3f:kb-article """## How it works Many OT Controllers have key switches to change the controller into various modes of operation. These modes of operation can include Program, Run, Remote, or Stop. The key switch position is often available as a system diagnostic function block of the programming logic. ## Considerations * It is advised to configure a key switch alarm such that an operator is alerted when the controller is put into a programming mode, as this could indicate unintentional or malicious changes to operational code.""" ; d3f:kb-reference d3f:Reference-PLCKeySwitchMonitoring, d3f:Reference-TRITONMalwareRemainsThreattoGlobalCriticalInfrastructureICS ; d3f:monitors d3f:OTControllerOperatingMode . d3f:OperatingModeRestriction a d3f:OperatingModeRestriction, owl:Class, owl:NamedIndividual ; rdfs:label "Operating Mode Restriction" ; rdfs:subClassOf d3f:AccessMediation, [ a owl:Restriction ; owl:onProperty d3f:restricts ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; d3f:d3fend-id "D3-OPR" ; d3f:definition "Restricting unauthorized changes to the operating mode prevents devices from switching into inappropriate or vulnerable states during normal use." ; d3f:kb-article """## How it works Many OT Controllers use key switches to change the controller into different modes of operation. These modes of operation can include Program, Run, Remote, or Stop. The key switch should be left in the appropriate key switch position, e.g., run or remote during normal operations. Implement a key management procedure to include removing the physical key from the key switch when not in use.""" ; d3f:kb-reference d3f:Reference-MITREATTACKAuthorizationEnforcement, d3f:Reference-TRITONMalwareRemainsThreattoGlobalCriticalInfrastructureICS ; d3f:restricts d3f:OTControllerOperatingMode . d3f:OperatingSystem a owl:Class, owl:NamedIndividual ; rdfs:label "Operating System" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Kernel ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:LocalUserAccount ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:OperatingSystemClock ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:SystemServiceSoftware ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:OperatingSystemConfigurationComponent ] ; d3f:contains d3f:Kernel, d3f:LocalUserAccount, d3f:OperatingSystemClock, d3f:SystemServiceSoftware ; d3f:definition "An operating system (OS) is system software that manages computer hardware and software resources and provides common services for computer programs. All computer programs, excluding firmware, require an operating system to function. Time-sharing operating systems schedule tasks for efficient use of the system and may also include accounting software for cost allocation of processor time, mass storage, printing, and other resources." ; d3f:may-contain d3f:OperatingSystemConfigurationComponent ; rdfs:seeAlso , . d3f:OperatingSystemClock a owl:Class, owl:NamedIndividual ; rdfs:label "Operating System Clock" ; rdfs:subClassOf d3f:SoftwareClock, [ a owl:Restriction ; owl:onProperty d3f:implemented-by ; owl:someValuesFrom d3f:Kernel ] ; d3f:definition "An operating system clock is the primary software clock maintained by the operating system, representing the system's current time. It is used for timestamping files, scheduling tasks, and synchronizing processes." ; d3f:implemented-by d3f:Kernel ; rdfs:seeAlso . d3f:OperatingSystemConfiguration a owl:Class, owl:NamedIndividual ; rdfs:label "Operating System Configuration" ; rdfs:subClassOf d3f:ConfigurationResource ; d3f:definition "Information used to configure the services, parameters, and initial settings for an operating system." . d3f:OperatingSystemConfigurationComponent a owl:Class, owl:NamedIndividual ; rdfs:label "Operating System Configuration Component" ; skos:altLabel "Operating System Configuration Information", "System Configuration" ; rdfs:subClassOf d3f:OperatingSystemConfiguration ; d3f:definition "An component of the overall information necessary for the configuration of an operating system." ; rdfs:seeAlso . d3f:OperatingSystemConfigurationFile a owl:Class, owl:NamedIndividual ; rdfs:label "Operating System Configuration File" ; skos:altLabel "System Configuration File" ; rdfs:subClassOf d3f:ConfigurationFile, d3f:OperatingSystemFile ; d3f:definition "An operating system configuration file is a file used to configure the operating system." ; rdfs:seeAlso d3f:ConfigurationFile, d3f:OperatingSystem, . d3f:OperatingSystemConfigurationModificationEvent a owl:Class ; rdfs:label "Operating System Configuration Modification Event" ; rdfs:subClassOf d3f:ConfigurationModificationEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OperatingSystemConfiguration ] ; d3f:definition "An event that alters persistent operating-system configuration resources such as kernel options, registry keys, service definitions, or security policies; affecting system startup, hardware interfaces, or global security enforcement." . d3f:OperatingSystemExecutableFile a owl:Class, owl:NamedIndividual ; rdfs:label "Operating System Executable File" ; rdfs:subClassOf d3f:OperatingSystemFile ; d3f:definition "An operating system executable is a critical executable that is part of the operating system, and without which, the operating system may not operate correctly." . d3f:OperatingSystemFile a owl:Class, owl:NamedIndividual ; rdfs:label "Operating System File" ; rdfs:subClassOf d3f:File ; d3f:definition "An operating system file is a file that is part of, or used to store information about, the operating system itself." ; rdfs:seeAlso , . d3f:OperatingSystemLogFile a owl:Class, owl:NamedIndividual ; rdfs:label "Operating System Log File" ; rdfs:subClassOf d3f:LogFile, d3f:OperatingSystemFile ; rdfs:isDefinedBy ; d3f:definition "An operating system log file records events that occur in an operating system." . d3f:OperatingSystemMonitoring a d3f:OperatingSystemMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Operating System Monitoring" ; rdfs:subClassOf d3f:PlatformMonitoring ; d3f:d3fend-id "D3-OSM" ; d3f:definition "The operating system software, for D3FEND's purposes, includes the kernel and its process management functions, hardware drivers, initialization or boot logic. It also includes and other key system daemons and their configuration. The monitoring or analysis of these components for unauthorized activity constitute **Operating System Monitoring**." ; d3f:enables d3f:Detect ; d3f:kb-article """## Technique Overview "An operating system (OS) is system software that manages computer hardware and software resources and provides common services for computer programs." [1] Operating System Monitoring Techniques have varied implementations including built-in kernel modules, third-party privileged system daemons, or even standard systems administration tools included with an operating system. 1. http://dbpedia.org/resource/Operating_system""" ; d3f:kb-reference d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd, d3f:Reference-UserActivityFromClearingEventLogs_MITRE . d3f:OperatingSystemPackagingTool a owl:Class ; rdfs:label "Operating System Packaging Tool" ; rdfs:subClassOf d3f:SoftwarePackagingTool ; d3f:definition "A software packaging tool oriented on building a software package for a particular operating system (e.g. rpmbuild.)" . d3f:OperatingSystemProcess a owl:Class, owl:NamedIndividual ; rdfs:label "Operating System Process" ; skos:altLabel "System Process" ; rdfs:subClassOf d3f:Process ; d3f:definition "An operating system process, or system process, is a process running to perform operating system functions." ; rdfs:seeAlso . d3f:OperatingSystemSharedLibraryFile a owl:Class, owl:NamedIndividual ; rdfs:label "Operating System Shared Library File" ; rdfs:subClassOf d3f:OperatingSystemFile, d3f:SharedLibraryFile ; d3f:definition "An operating system shared library file is a shared library file that is part of the operating system and that incorporates common operating system code for use by any application or to provide operating system services." ; rdfs:seeAlso . d3f:OperationalActivityMapping a d3f:OperationalActivityMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Operational Activity Mapping" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Model ] ; d3f:d3fend-id "D3-OAM" ; d3f:definition "Operational activity mapping identifies activities of the organization and the organization's suborganizations, groups, roles, and individuals that carry out the activities and then establishes the dependencies of the activities on the systems and people that perform those activities." ; d3f:enables d3f:Model ; d3f:kb-reference d3f:Reference-CatiaUAFPlugin ; d3f:synonym "Mission Mapping" . d3f:OperationalActivityPlan a owl:Class, owl:NamedIndividual ; rdfs:label "Operational Activity Plan" ; rdfs:subClassOf d3f:Plan ; d3f:definition "An activity is a specific behavior representing a set of actions that may be accomplished by an agent." ; d3f:synonym "Business Process", "Mission Critical Function", "Mission Function", "Organizational Activity Plan" ; rdfs:seeAlso , , , . d3f:OperationalDependencyMapping a d3f:OperationalDependencyMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Operational Dependency Mapping" ; rdfs:subClassOf d3f:OperationalActivityMapping, [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:Dependency ], [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:OperationalActivityPlan ] ; d3f:d3fend-id "D3-ODM" ; d3f:definition "Operational dependency mapping identifies and models the dependencies of the organization's activities on each other and on the organization's performers (people, systems, and services.) This may include modeling the higher- and lower-level activities of an organization forming a hierarchy, or layering, of the dependencies in an organization's activities." ; d3f:kb-reference d3f:Reference-CatiaUAFPlugin, d3f:Reference-CyberCommandSystemCYCS, d3f:Reference-DaggerFactSheet, d3f:Reference-DaggerModelingAndVisualizationForMissionImpactSituationalAwareness, d3f:Reference-MissionDependencyModelingForCyberSituationalAwareness, d3f:Reference-UnifiedArchitectureFrameworkUAF ; d3f:maps d3f:Dependency, d3f:OperationalActivityPlan . d3f:OperationalEvent a owl:Class ; rdfs:label "Operational Event" ; rdfs:subClassOf d3f:Action ; d3f:definition "An Operational Event is an action or occurrence within an organization's mission or business operations that happens over a period of time." ; d3f:synonym "Business Event", "Business Process", "Mission Event", "Operational Activity Event", "Operational Occurrence" ; rdfs:seeAlso , , . d3f:OperationalLogicValidation a d3f:OperationalLogicValidation, owl:Class, owl:NamedIndividual ; rdfs:label "Operational Logic Validation" ; rdfs:subClassOf d3f:DomainLogicValidation, [ a owl:Restriction ; owl:onProperty d3f:validates ; owl:someValuesFrom d3f:OTControlFunction ] ; d3f:d3fend-id "D3-OLV" ; d3f:definition "Validation of variable state in the context of the control logic of the operational application." ; d3f:kb-article """## How it works Validates the type, value, and/or range of a variable taking into account the local operational logic and operational state. For example, if a controller has a restricted range when in a specified state, this may crosscheck the value against the state in addition to a more general range validation. """ ; d3f:kb-reference d3f:Reference-SecurePLCCodingPracticesTop20List ; d3f:validates d3f:OTControlFunction . d3f:OperationalProcessMonitoring a d3f:OperationalProcessMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Operational Process Monitoring" ; rdfs:subClassOf d3f:PlatformMonitoring, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:EventLog ], [ a owl:Restriction ; owl:onProperty d3f:uses ; owl:someValuesFrom d3f:OTProcessDataHistorian ] ; d3f:d3fend-id "D3-OPM" ; d3f:definition "Monitoring physical parameters and operator actions related to an operational environment." ; d3f:kb-article """## How it works While some Operational Technology systems are designed to operate without human intervention, most systems are designed with the ability to monitor and modify the physical process with user input. This technique detects adversarial risks to operational processes by observing physical events and operator actions and analyzing event logs. Key steps in operational process security monitoring are: 1. Read logs generated by controllers, and HMIs, through DAU's and DA agents; 2. Produce digital event records; 3. Display the aggregated data to a device such as an HMI or process historian, and write those records to event logs and/or to the OT process data historian for traceability and incident reconstruction. 4. Monitor the procees and detect incidents or indicators of tampering such as: - malfunctions - unauthorized commands, - unsafe setpoint changes, - alarm suppression, and - anomalous mode transitions; """ ; d3f:kb-reference d3f:Reference-GuideToOTSecurity ; d3f:monitors d3f:EventLog ; d3f:synonym "Supervisory Control Monitoring" ; d3f:uses d3f:OTProcessDataHistorian . d3f:OperationalRiskAssessment a d3f:OperationalRiskAssessment, owl:Class, owl:NamedIndividual ; rdfs:label "Operational Risk Assessment" ; rdfs:subClassOf d3f:OperationalActivityMapping, [ a owl:Restriction ; owl:onProperty d3f:evaluates ; owl:someValuesFrom d3f:Organization ], [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:Vulnerability ] ; d3f:d3fend-id "D3-ORA" ; d3f:definition "Operational risk assessment identifies and models the vulnerabilities of, and risks to, an organization's activities individually and as a whole." ; d3f:evaluates d3f:Organization ; d3f:identifies d3f:Vulnerability ; d3f:kb-reference d3f:Reference-MGT516ManagingSecurityVulnerabilitiesEnterpriseAndCloud, d3f:Reference-NIST-RMF-Quick-Start-Guide-Assess-Step-FAQ, d3f:Reference-NIST-Special-Publication-800-37-Revision-2, d3f:Reference-NIST-Special-Publication-800-53A-Revision-5, d3f:Reference-NIST-Special-Publication-800-160-Volume-1, d3f:Reference-NISTIR-8011-Volume-1 ; d3f:synonym "Mission Risk Assessment" . d3f:OperationsCenterComputer a owl:Class ; rdfs:label "Operations Center Computer" ; skos:altLabel "Mainframe" ; rdfs:subClassOf d3f:SharedComputer ; rdfs:isDefinedBy ; d3f:definition "Mainframe computers or mainframes (colloquially referred to as \"big iron\") are computers used primarily by large organizations for critical applications; bulk data processing, such as census, industry and consumer statistics, and enterprise resource planning; and transaction processing. They are larger and have more processing power than some other classes of computers: minicomputers, servers, workstations, and personal computers." ; rdfs:seeAlso . d3f:OpticalDiscImage a owl:Class ; rdfs:label "Optical Disc Image" ; rdfs:subClassOf d3f:DiskImage ; rdfs:isDefinedBy ; d3f:definition "An optical disc image (or ISO image, from the ISO 9660 file system used with CD-ROM media) is a disk image that contains everything that would be written to an optical disc, disk sector by disc sector, including the optical disc file system." ; rdfs:seeAlso . d3f:OpticalModem a owl:Class ; rdfs:label "Optical Modem" ; rdfs:subClassOf d3f:Modem ; rdfs:isDefinedBy ; d3f:definition "A modem that connects to a fiber optic network is known as an optical network terminal (ONT) or optical network unit (ONU). These are commonly used in fiber to the home installations, installed inside or outside a house to convert the optical medium to a copper Ethernet interface, after which a router or gateway is often installed to perform authentication, routing, NAT, and other typical consumer internet functions, in addition to \"triple play\" features such as telephony and television service." . d3f:OrchestrationController a owl:Class, owl:NamedIndividual ; rdfs:label "Orchestration Controller" ; rdfs:subClassOf d3f:OrchestrationServer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ContainerOrchestrationSoftware ] ; d3f:contains d3f:ContainerOrchestrationSoftware ; d3f:definition "An orchestration server provides orchestration services that automate the configuration, coordination, and management of computer systems and software." . d3f:OrchestrationServer a owl:Class ; rdfs:label "Orchestration Server" ; rdfs:subClassOf d3f:Server ; d3f:definition "A d3f:Server which is involved with the orchestration of workloads or the execution of orchestrated workloads." ; rdfs:seeAlso . d3f:OrchestrationWorker a owl:Class ; rdfs:label "Orchestration Worker" ; rdfs:subClassOf d3f:OrchestrationServer ; d3f:definition "A d3f:Server which receives commands from a d3f:OrchestrationController to execute workloads." ; rdfs:seeAlso d3f:OrchestrationController . d3f:Organization a owl:Class, owl:NamedIndividual ; rdfs:label "Organization" ; rdfs:subClassOf d3f:AgentGroup, d3f:Non-PersonEntity, [ a owl:Restriction ; owl:onProperty d3f:has-member ; owl:someValuesFrom d3f:Person ] ; d3f:definition "An organization with a defined mission/goal and a defined boundary, using systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, human resources, financial management, security, and systems, information and mission management" ; rdfs:seeAlso d3f:NIST_SP_800-53_R5 . d3f:OrganizationMapping a d3f:OrganizationMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Organization Mapping" ; rdfs:subClassOf d3f:OperationalActivityMapping, [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:Dependency ], [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:Organization ], [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:Person ], [ a owl:Restriction ; owl:onProperty d3f:may-map ; owl:someValuesFrom d3f:OperationalActivityPlan ] ; d3f:d3fend-id "D3-OM" ; d3f:definition "Organization mapping identifies and models the people, roles, and groups with an organization and the relations between them." ; d3f:display-order 4 ; d3f:kb-reference d3f:Reference-CatiaUAFPlugin, d3f:Reference-OrganizationalManagementInSAPERPHCM, d3f:Reference-UnifiedArchitectureFrameworkUAF ; d3f:maps d3f:Dependency, d3f:Organization, d3f:Person ; d3f:may-map d3f:OperationalActivityPlan . d3f:OSAPIAccessProcess a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Access Process" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:AccessProcess ] ; d3f:definition "An OS API function for interacting with processes." ; d3f:invokes d3f:AccessProcess . d3f:OSAPIAllocateMemory a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Allocate Memory" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:AllocateMemory ] ; d3f:definition "An OS API function that requests and allocates a region of memory for use by a process or application." ; d3f:invokes d3f:AllocateMemory . d3f:OSAPIConnectSocket a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Connect Socket" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:ConnectSocket ] ; d3f:definition "An OS API function that establishes a connection between a socket and a endpooint." ; d3f:invokes d3f:ConnectSocket . d3f:OSAPICopyToken a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Copy Token" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:CopyToken ] ; d3f:definition "An OS API function that creates a duplicate or copy of an existing security token." ; d3f:invokes d3f:CopyToken . d3f:OSAPICreateFile a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Create File" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:CreateFile ] ; d3f:definition "An OS API function that creates a file." ; d3f:invokes d3f:CreateFile . d3f:OSAPICreateProcess a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Create Process" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:CreateProcess ] ; d3f:definition "An OS API function that creates a new process within the system." ; d3f:invokes d3f:CreateProcess . d3f:OSAPICreateSocket a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Create Socket" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:CreateSocket ] ; d3f:definition "An OS API function that creates a socket." ; d3f:invokes d3f:CreateSocket . d3f:OSAPICreateThread a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Create Thread" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:CreateThread ] ; d3f:definition "An OS API function that creates a new thread of execution within a process." ; d3f:invokes d3f:CreateThread . d3f:OSAPIDeleteFile a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Delete File" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:DeleteFile ] ; d3f:definition "An OS API function that removes a file from the file system." ; d3f:invokes d3f:DeleteFile . d3f:OSAPIExec a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Exec" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:Exec ] ; d3f:definition "An OS API function that replaces the current process image with a new processs image, executing a specified program." ; d3f:invokes d3f:Exec . d3f:OSAPIFreeMemory a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Free Memory" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:FreeMemory ] ; d3f:definition "An OS API function that releases or deallocates memory that was previously allocated by the program." ; d3f:invokes d3f:FreeMemory . d3f:OSAPIFunction a owl:Class ; rdfs:label "OS API Function" ; rdfs:subClassOf d3f:Software ; d3f:definition "A callable interface provided by an operating system that allows applications or other software components to interact with and utilize the underlying system resources, services, or functionalities." ; rdfs:seeAlso , . d3f:OSAPIGetSystemTime a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Get System Time" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:GetSystemTime ] ; d3f:definition "An OS API function that retrieves the current system time or timestamp." ; d3f:invokes d3f:GetSystemTime . d3f:OSAPIGetThreadContext a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Get Thread Context" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:GetThreadContext ] ; d3f:definition "An OS API function that retrieves the execution context or state of a specific thread in a process." ; d3f:invokes d3f:GetThreadContext . d3f:OSAPILoadModule a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Load Module" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:LoadModule ] ; d3f:definition "An OS API function that loads a module into memory and makes it available for execution." ; d3f:invokes d3f:LoadModule . d3f:OSAPIMoveFile a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Move File" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:MoveFile ] ; d3f:definition "An OS API function that moves or renames a file or directory from one location to another within the file system." ; d3f:invokes d3f:MoveFile . d3f:OSAPIOpenFile a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Open File" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:OpenFile ] ; d3f:definition "An OS API function that opens a file for reading, writing, or both, and return a handle or descriptor that can be used to interact with the file." ; d3f:invokes d3f:OpenFile . d3f:OSAPIReadFile a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Read File" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:ReadFile ] ; d3f:definition "An OS API function that reads data from a file or input stream into memory." ; d3f:invokes d3f:ReadFile . d3f:OSAPIReadMemory a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Read Memory" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:ReadMemory ] ; d3f:definition "An OS API function that reads the contents of memory from a specific address or region." ; d3f:invokes d3f:ReadMemory . d3f:OSAPIResumeProcess a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Resume Process" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:ResumeProcess ] ; d3f:definition "An OS API function that resumes the execution of a paused, stopped, or suspended process." ; d3f:invokes d3f:ResumeProcess . d3f:OSAPIResumeThread a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Resume Thread" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:ResumeThread ] ; d3f:definition "An OS API function that resumes the execution of a paused, stopped, or suspended thread." ; d3f:invokes d3f:ResumeThread . d3f:OSAPISaveRegisters a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Save Registers" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:SaveRegister ] ; d3f:definition "An OS API function that retrieves and saves the values of CPU registers for a specific process or thread." ; d3f:invokes d3f:SaveRegister . d3f:OSAPISetRegisters a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Set Registers" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:SetRegisters ] ; d3f:definition "An OS API function that modifies the values of CPU registers." ; d3f:invokes d3f:SetRegisters . d3f:OSAPISetThreadContext a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Set Thread Context" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:SetThreadContext ] ; d3f:definition "An OS API function that modifies the execution context of a thread." ; d3f:invokes d3f:SetThreadContext . d3f:OSAPISuspendProcess a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Suspend Process" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:SuspendProcess ] ; d3f:definition "An OS API function that pauses the execution of a process." ; d3f:invokes d3f:SuspendProcess . d3f:OSAPISuspendThread a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Suspend Thread" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:SuspendThread ] ; d3f:definition "An OS API function that pauses the execution of a thread." ; d3f:invokes d3f:SuspendThread . d3f:OSAPISystemFunction a owl:Class ; rdfs:label "OS API System Function" ; rdfs:subClassOf d3f:OSAPIFunction ; d3f:definition "Indirect System calls are made through an OS-specific library (like glibc in Linux) that provides a higher-level API for the system calls." ; d3f:synonym "Indirect System Call" . d3f:OSAPITerminateProcess a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Terminate Process" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:TerminateProcess ] ; d3f:invokes d3f:TerminateProcess ; rdfs:seeAlso "An OS API function taht stops the execution of a process." . d3f:OSAPITraceProcess a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Trace Process" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:TraceProcess ] ; d3f:definition "An OS API function that enables a program to monitor, control, or interact with the execution of a process." ; d3f:invokes d3f:TraceProcess . d3f:OSAPITraceThread a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Trace Thread" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:TraceThread ] ; d3f:definition "An OS API function that enables a program to monitor, control, or interact with the execution of a thread." ; d3f:invokes d3f:TraceThread . d3f:OSAPIUnloadModule a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Unload Module" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:UnloadModule ] ; d3f:definition "An OS API function that removes a previously loaded module from memory." ; d3f:invokes d3f:UnloadModule . d3f:OSAPIWriteFile a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Write File" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:WriteFile ] ; d3f:definition "An OS API function that writes data from a buffer in memory to a file or output stream." ; d3f:invokes d3f:WriteFile . d3f:OSAPIWriteMemory a owl:Class, owl:NamedIndividual ; rdfs:label "OS API Write Memory" ; rdfs:subClassOf d3f:OSAPISystemFunction, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:WriteMemory ] ; d3f:definition "An OS API function that writes data into the memory space of another process or into specific regions of memory." ; d3f:invokes d3f:WriteMemory . d3f:OTAbortCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Abort Command" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; rdfs:comment """BACnet: deviceCommunicationControl BACnet: reinitializeDevice """, "GE-SRTP: SET PLC (RUN VS STOP)" ; d3f:definition "Commands a device to abort a service/program." ; d3f:modifies d3f:OTControllerOperatingMode ; rdfs:seeAlso , , . d3f:OTAbortCommandEvent a owl:Class ; rdfs:label "OT Abort Command Event" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTAbortCommand ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:OTRunCommandEvent ] . d3f:OTActuator a owl:Class, owl:NamedIndividual ; rdfs:label "OT Actuator" ; rdfs:subClassOf d3f:Actuator ; rdfs:isDefinedBy ; d3f:definition "An OT actuator is an industrial-grade actuator optimized for operational technology (OT) environments, such as SCADA or process-control systems. It tolerates harsher conditions, meets stricter safety and reliability standards, and integrates seamlessly with ICS protocols to enable real-time mechanical motion or adjustments in production lines and critical infrastructure." . d3f:OTAlarmMessage a owl:Class ; rdfs:label "OT Alarm Message" ; rdfs:subClassOf d3f:OTDiagnosticsMessage ; rdfs:comment """BACnet: acknowledgeAlarm BACnet: confirmedEventNotification BACnet: getAlarmSummary BACnet: unconfirmedEventNotification BACnet: lifeSafetyOperation BACnet: Abort: 1 BACnet: Abort: 2 BACnet: Abort: 3 BACnet: Abort: 4 BACnet: Abort: 5 BACnet: Abort: 6 BACnet: Abort: 7 BACnet: Abort: 8 BACnet: Abort: 9 BACnet: Abort: 10 BACnet: Abort: 11 BACnet: Abort: 12 """, """GE-SRTP: RETURN FAULT TABLE GE-SRTP: CLEAR FAULT TABLE""" ; d3f:definition "Report danger, hazards, or serious errors." ; rdfs:seeAlso , , . d3f:OTAlarmMessageEvent a owl:Class ; rdfs:label "OT Alarm Message Event" ; rdfs:subClassOf d3f:OTDiagnosticsMessageEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTAlarmMessage ] ; d3f:definition "Report danger, hazards, or serious errors." . d3f:OTChangeControlProgramCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Change Control Program Command" ; rdfs:subClassOf d3f:OTModifyControlProgramCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControlProgram ] ; rdfs:comment """GE-SRTP: WRITE PROGRAM BLOCK MEMORY GE-SRTP: CHANGE PLC CPU PRIVILEGE LEVEL GE-SRTP: SET CONTROL ID(CPU ID) GE-SRTP: PROGRAM STORE (UPLOAD FROM PLC) GE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC) GE-SRTP: TOGGLE FORCE SYSTEM MEMORY""" ; d3f:definition "Commands a remote device to modify an existing control program." ; d3f:modifies d3f:OTControlProgram ; rdfs:seeAlso , , . d3f:OTChangeControlProgramCommandEvent a owl:Class ; rdfs:label "OT Change Control Program Command Event" ; rdfs:subClassOf d3f:OTModifyControlProgramCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTChangeControlProgramCommand ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlProgram ] ; d3f:definition "Commands a remote device to modify an existing control program." . d3f:OTChangeDataCommand a owl:Class ; rdfs:label "OT Change Data Command" ; rdfs:subClassOf d3f:OTWriteCommand ; rdfs:comment """BACnet: atomicWriteFile BACnet: writeProperty BACnet: writePropertyMultiple BACnet: write-group """, """CIP: Set Attributes All CIP: Set Attribute List CIP: Set Attribute Single CIP: Set Member""", """GE-SRTP: WRITE SYSTEM MEMORY GE-SRTP: WRITE TASK MEMORY """, """Modbus: Write Single Coil Modbus: Write Single Register Modbus: Write Multiple Coils Modbus: Write Multiple Registers Modbus: Write File Record Modbus: Mask Write Register Modbus: Read Write Register""" ; d3f:definition "OT command that modifies existing data on a remote device." ; rdfs:seeAlso , , . d3f:OTChangeDataCommandEvent a owl:Class ; rdfs:label "OT Change Data Command Event" ; rdfs:subClassOf d3f:OTWriteCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTChangeDataCommand ] ; d3f:definition "OT command that modifies existing data on a remote device." . d3f:OTConnectionCommand a owl:Class ; rdfs:label "OT Connection Command" ; rdfs:subClassOf d3f:OTNetworkManagementCommand ; rdfs:comment """BACnet: vtOpen BACnet: vtClose """, """ENIP: Register Session ENIP: Unregister Session""" ; d3f:definition "Establish a network connection with a device." ; rdfs:seeAlso , , . d3f:OTConnectionCommandEvent a owl:Class ; rdfs:label "OT Connection Command Event" ; rdfs:subClassOf d3f:OTNetworkManagementCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:NetworkTraffic ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTConnectionCommand ] ; d3f:definition "Establish a network connection with a device." . d3f:OTControlCommand a owl:Class ; rdfs:label "OT Control Command" ; rdfs:subClassOf d3f:OTProcessDataCommand ; rdfs:comment """CIP: Reset CIP: Start CIP: Stop CIP: Create CIP: Delete CIP: Apply Attributes CIP: Restore CIP: Save """, "GE-SRTP: PLC SHORT STATUS REQUEST" ; d3f:definition "Command and control the managed process." ; rdfs:seeAlso , , . d3f:OTControlCommandEvent a owl:Class ; rdfs:label "OT Control Command Event" ; rdfs:subClassOf d3f:OTProcessDataCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlCommand ] ; d3f:definition "Command and control the managed process." . d3f:OTControlFunction a owl:Class, owl:NamedIndividual ; rdfs:label "OT Control Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:OTLogicVariable ] ; d3f:accesses d3f:OTLogicVariable ; d3f:definition "A function which accesses OT Control Variables" . d3f:OTController a owl:Class, owl:NamedIndividual ; rdfs:label "OT Controller" ; rdfs:subClassOf d3f:OTEmbeddedComputer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:OTControlProgram ], [ a owl:Restriction ; owl:onProperty d3f:has-operating-mode ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:OTControlLogicProcess ], [ a owl:Restriction ; owl:onProperty d3f:powered-by ; owl:someValuesFrom d3f:OTPowerSupply ] ; rdfs:isDefinedBy ; d3f:contains d3f:OTControlProgram ; d3f:definition "An OT Controller is an industrial control device that automatically regulates one or more controlled variables in response to command inputs and real-time feedback signals." ; d3f:has-operating-mode d3f:OTControllerOperatingMode ; d3f:manages d3f:OTControlLogicProcess ; d3f:powered-by d3f:OTPowerSupply . d3f:OTControllerOperatingMode a owl:Class, owl:NamedIndividual ; rdfs:label "OT Controller Operating Mode" ; rdfs:subClassOf d3f:OperatingMode ; d3f:definition "The OT controller operating mode designates the specific, selectable state of an OT controller that delineates its operational behavior and governs access to engineering functions, commonly including Program, Run, Remote, Test, or Stop." ; d3f:synonym "Keyswitch Position" . d3f:OTControlLogicProcess a owl:Class, owl:NamedIndividual ; rdfs:label "OT Control Logic Process" ; rdfs:subClassOf d3f:ServiceApplicationProcess, [ a owl:Restriction ; owl:onProperty d3f:communicates-with ; owl:someValuesFrom d3f:OTIOModule ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:OTLogicVariable ], [ a owl:Restriction ; owl:onProperty d3f:controls ; owl:someValuesFrom d3f:OTActuator ], [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:OTSensor ] ; d3f:communicates-with d3f:OTIOModule ; d3f:contains d3f:OTLogicVariable ; d3f:controls d3f:OTActuator ; d3f:definition "The instructions and algorithms within an OT Controller defined by user programming to interpret inputs, process information, and determine outputs." ; d3f:monitors d3f:OTSensor . d3f:OTControlProgram a owl:Class, owl:NamedIndividual ; rdfs:label "OT Control Program" ; rdfs:subClassOf d3f:ServiceApplication, [ a owl:Restriction ; owl:onProperty d3f:instructs ; owl:someValuesFrom d3f:OTControlLogicProcess ] ; d3f:definition "The file stored in controller memory that is used to operate the controller." ; d3f:instructs d3f:OTControlLogicProcess ; d3f:synonym "OT Project File" . d3f:OTControlVariable a owl:Class ; rdfs:label "OT Control Variable" ; rdfs:subClassOf d3f:OTLogicVariable ; rdfs:isDefinedBy "https://isagca.org/hubfs/2023%20ISA%20Website%20Redesigns/ISAGCA/PDFs/Industrial%20Cybersecurity%20Knowledge%20FINAL.pdf?hsLang=en" ; d3f:definition "A control variable is the measurement of the physical condition of the device that influences the Process Variables." ; skos:example "If the Set Point of a temperature control system for a residential dwelling is 72 degrees, and the Process Variable is 82 degrees, the Control Variable for the air conditioner should be 'on.'" . d3f:OTCreateDataCommand a owl:Class ; rdfs:label "OT Create Data Command" ; rdfs:subClassOf d3f:OTWriteCommand ; rdfs:comment """BACnet: addListElement BACnet: createObject""", "CIP: Insert Member" ; d3f:definition "OT command that creates data on a remote device." ; rdfs:seeAlso , , . d3f:OTCreateDataCommandEvent a owl:Class ; rdfs:label "OT Create Data Command Event" ; rdfs:subClassOf d3f:OTWriteCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTCreateDataCommand ] ; d3f:definition "OT command that creates data on a remote device." . d3f:OTCreateNewControlProgramCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Create New Control Program Command" ; rdfs:subClassOf d3f:OTModifyControlProgramCommand, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlProgram ] ; rdfs:comment """GE-SRTP: WRITE PROGRAM BLOCK MEMORY GE-SRTP: SET CONTROL ID(CPU ID) GE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC) GE-SRTP: TOGGLE FORCE SYSTEM MEMORY""" ; d3f:definition "Commands a remote device to create an control program." ; d3f:has-participant d3f:OTControlProgram ; rdfs:seeAlso , , . d3f:OTCreateNewControlProgramCommandEvent a owl:Class ; rdfs:label "OT Create New Control Program Command Event" ; rdfs:subClassOf d3f:OTModifyControlProgramCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlProgram ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTCreateNewControlProgramCommand ] ; d3f:definition "Commands a remote device to create an control program." . d3f:OTDebugCommand a owl:Class ; rdfs:label "OT Debug Command" ; rdfs:subClassOf d3f:OTDiagnosticsMessage ; rdfs:comment """BACnet: getEnrollmentSummary BACnet: confirmed-audit-notification BACnet: audit-log-query BACnet: unconfirmed-audit-notification """, """Modbus: Get Comm. Event Log Modbus: Return Query Data Modbus: Clear Counters Modbus: Get Comm. Event Counters""" ; d3f:definition "Investigate or analyze the current state of the system." ; rdfs:seeAlso , , . d3f:OTDebugCommandEvent a owl:Class ; rdfs:label "OT Debug Command Event" ; rdfs:subClassOf d3f:OTDiagnosticsMessageEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDebugCommand ] ; d3f:definition "Investigate or analyze the current state of the system." . d3f:OTDeleteControlProgramCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Delete Control Program Command" ; rdfs:subClassOf d3f:OTModifyControlProgramCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControlProgram ] ; d3f:definition "Commands a remote device to remove an existing control program." ; d3f:modifies d3f:OTControlProgram ; rdfs:seeAlso , , . d3f:OTDeleteControlProgramCommandEvent a owl:Class ; rdfs:label "OT Delete Control Program Command Event" ; rdfs:subClassOf d3f:OTModifyControlProgramCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlProgram ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeleteControlProgramCommand ] ; d3f:definition "Commands a remote device to remove an existing control program." . d3f:OTDeleteDataCommand a owl:Class ; rdfs:label "OT Delete Data Command" ; rdfs:subClassOf d3f:OTWriteCommand ; rdfs:comment """BACnet: removeListElement BACnet: deleteObject""" ; d3f:definition "OT command that removes data on a remote device." ; rdfs:seeAlso , , . d3f:OTDeleteDataCommandEvent a owl:Class ; rdfs:label "OT Delete Data Command Event" ; rdfs:subClassOf d3f:OTWriteCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeleteDataCommand ] ; d3f:definition "OT command that removes data on a remote device." . d3f:OTDeviceConfigurationCommand a owl:Class ; rdfs:label "OT Device Configuration Command" ; rdfs:subClassOf d3f:OTDeviceManagementMessage ; rdfs:comment """BACnet: deviceCommunicationControl BACnet: reinitializeDevice """, """GE-SRTP: READ PROGRAM MEMORY GE-SRTP: WRITE PROGRAM BLOCK MEMORY GE-SRTP: CHANGE PLC CPU PRIVILEGE LEVEL GE-SRTP: SET CONTROL ID(CPU ID) GE-SRTP: SET PLC (RUN VS STOP) GE-SRTP: PROGRAM STORE (UPLOAD FROM PLC) GE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC) GE-SRTP: TOGGLE FORCE SYSTEM MEMORY""" ; d3f:definition "Configure or administer managed devices." ; rdfs:seeAlso , , . d3f:OTDeviceConfigurationCommandEvent a owl:Class ; rdfs:label "OT Device Configuration Command Event" ; rdfs:subClassOf d3f:OTDeviceManagementMessageEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeviceConfigurationCommand ] ; d3f:definition "Configure or administer managed devices." . d3f:OTDeviceDescriptionMessage a owl:Class ; rdfs:label "OT Device Description Message" ; rdfs:subClassOf d3f:OTDeviceManagementMessage ; rdfs:comment """ENIP: List Services ENIP: List Interfaces """, """GE-SRTP: RETURN CONTROL PROGRAM NAMES GE-SRTP: RETURN CONTROLLER TYPE AND ID INFORMATION""" ; d3f:definition "Describe features, abilities, or performance of system components." ; rdfs:seeAlso , , . d3f:OTDeviceDescriptionMessageEvent a owl:Class ; rdfs:label "OT Device Description Message Event" ; rdfs:subClassOf d3f:OTDeviceManagementMessageEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeviceDescriptionMessage ] ; d3f:definition "Describe features, abilities, or performance of system components." . d3f:OTDeviceFirmwareCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Device Firmware Command" ; rdfs:subClassOf d3f:OTDeviceManagementMessage ; d3f:definition "Interact with the software responsible for low-level control of the system." ; rdfs:seeAlso , , . d3f:OTDeviceFirmwareCommandEvent a owl:Class ; rdfs:label "OT Device Firmware Command Event" ; rdfs:subClassOf d3f:OTDeviceManagementMessageEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeviceFirmwareCommand ] ; d3f:definition "Interact with the software responsible for low-level control of the system." . d3f:OTDeviceIdentificationMessage a owl:Class ; rdfs:label "OT Device Identification Message" ; rdfs:subClassOf d3f:OTDeviceManagementMessage ; rdfs:comment """BACnet: i-Am BACnet: i-Have BACnet: who-Has BACnet: who-Is """, "ENIP: List Identity", """Modbus: Read Device Identification Modbus: Report Slave ID""" ; d3f:definition "Identify devices on the network." ; rdfs:seeAlso , , . d3f:OTDeviceIdentificationMessageEvent a owl:Class ; rdfs:label "OT Device Identification Message Event" ; rdfs:subClassOf d3f:OTDeviceManagementMessageEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeviceIdentificationMessage ] ; d3f:definition "Identify devices on the network." . d3f:OTDeviceManagementMessage a owl:Class ; rdfs:label "OT Device Management Message" ; rdfs:subClassOf d3f:OTProtocolMessage ; d3f:definition "Manage devices and their configurations." ; rdfs:seeAlso , , . d3f:OTDeviceManagementMessageEvent a owl:Class ; rdfs:label "OT Device Management Message Event" ; rdfs:subClassOf d3f:OTEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDeviceManagementMessage ] ; d3f:definition "Manage devices and their configurations." . d3f:OTDiagnosticsMessage a owl:Class ; rdfs:label "OT Diagnostics Message" ; rdfs:subClassOf d3f:OTProtocolMessage ; d3f:definition "Relay error, exception, alarm, or log information." ; rdfs:seeAlso , , . d3f:OTDiagnosticsMessageEvent a owl:Class ; rdfs:label "OT Diagnostics Message Event" ; rdfs:subClassOf d3f:OTEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDiagnosticsMessage ] ; d3f:definition "Relay error, exception, alarm, or log information." . d3f:OTDisconnectRemoteConnectionCommand a owl:Class ; rdfs:label "OT Disconnect Remote Connection Command" ; rdfs:subClassOf d3f:OTConnectionCommand ; d3f:definition "The Disconnect Request message is sent to the message receiver to indicate that the transmitter is terminating its TCP socket." ; rdfs:seeAlso , , . d3f:OTDisconnectRemoteConnectionCommandEvent a owl:Class ; rdfs:label "OT Disconnect Remote Connection Command Event" ; rdfs:subClassOf d3f:OTConnectionCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDisconnectRemoteConnectionCommand ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:OTEstablishRemoteConnectionCommandEvent ] ; d3f:definition "The Disconnect Request message is sent to the message receiver to indicate that the transmitter is terminating its TCP socket." . d3f:OTDownloadControlProgramCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Download Control Program Command" ; rdfs:subClassOf d3f:OTModifyControlProgramCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControlProgram ] ; rdfs:comment """GE-SRTP: PROGRAM STORE (UPLOAD FROM PLC) GE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC)""" ; d3f:definition "Commands a remote device to download a control program." ; d3f:modifies d3f:OTControlProgram ; d3f:synonym "OT Program Download" ; rdfs:seeAlso , , , . d3f:OTDownloadControlProgramCommandEvent a owl:Class ; rdfs:label "OT Download Control Program Command Event" ; rdfs:subClassOf d3f:OTModifyControlProgramCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlProgram ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTDownloadControlProgramCommand ] ; d3f:definition "Commands a remote device to download a control program." . d3f:OTEmbeddedComputer a owl:Class, owl:NamedIndividual ; rdfs:label "OT Embedded Computer" ; rdfs:subClassOf d3f:EmbeddedComputer ; d3f:definition "A ruggedized computational device, embedded in industrial control systems, designed to handle real-time tasks and environmental stressors common in OT." . d3f:OTEngineeringSoftware a owl:Class, owl:NamedIndividual ; rdfs:label "OT Engineering Software" ; rdfs:subClassOf d3f:DeveloperApplication, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:OTControlProgram ] ; d3f:definition "Software used in an industrial process to help engineers design, test, and maintain OT. This software enables the programming of OT controllers." ; d3f:produces d3f:OTControlProgram . d3f:OTEngineeringWorkstation a owl:Class, owl:NamedIndividual ; rdfs:label "OT Engineering Workstation" ; rdfs:subClassOf d3f:ClientComputer, [ a owl:Restriction ; owl:onProperty d3f:communicates-with ; owl:someValuesFrom d3f:OTController ], [ a owl:Restriction ; owl:onProperty d3f:runs ; owl:someValuesFrom d3f:OTEngineeringSoftware ] ; rdfs:isDefinedBy ; d3f:communicates-with d3f:OTController ; d3f:definition "An Engineering Workstation (EWS) is used to perform various maintenance, configuration, or diagnostics functions for a control system. The EWS will likely require dedicated application software to interface with various devices (e.g., RTUs, PLCs), and may be used to transfer data or files between the control system devices and other networks." ; d3f:runs d3f:OTEngineeringSoftware ; d3f:synonym "EWS" . d3f:OTErrorMessage a owl:Class ; rdfs:label "OT Error Message" ; rdfs:subClassOf d3f:OTDiagnosticsMessage ; rdfs:comment """BACnet: Error: 1 BACnet: Error: 2 BACnet: Error: 3 BACnet: Error: 4 BACnet: Error: 5 BACnet: Error: 6 BACnet: Error: 7 BACnet: Error: 8""" ; d3f:definition "An anticipated, reproducible defect occurred within the system." ; rdfs:seeAlso , , . d3f:OTErrorMessageEvent a owl:Class ; rdfs:label "OT Error Message Event" ; rdfs:subClassOf d3f:OTDiagnosticsMessageEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTErrorMessage ] ; d3f:definition "An anticipated, reproducible defect occurred within the system." . d3f:OTEstablishRemoteConnectionCommand a owl:Class ; rdfs:label "OT Establish Remote Connection Command" ; rdfs:subClassOf d3f:OTConnectionCommand ; d3f:definition "Used to establish an TCP/IP Connection to the target device." ; rdfs:seeAlso , , . d3f:OTEstablishRemoteConnectionCommandEvent a owl:Class ; rdfs:label "OT Establish Remote Connection Command Event" ; rdfs:subClassOf d3f:OTConnectionCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTEstablishRemoteConnectionCommand ] ; d3f:definition "Used to establish an TCP/IP Connection to the target device." . d3f:OTEvent a owl:Class ; rdfs:label "OT Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTProtocolMessage ] ; d3f:definition "A discrete occurrence within an operational technology environment that denotes a significant change in state, execution of a command, or transmission of information." . d3f:OTExceptionMessage a owl:Class ; rdfs:label "OT Exception Message" ; rdfs:subClassOf d3f:OTDiagnosticsMessage ; rdfs:comment """BACnet: Reject: 1 BACnet: Reject: 2 BACnet: Reject: 3 BACnet: Reject: 4 BACnet: Reject: 5 BACnet: Reject: 6 BACnet: Reject: 7 BACnet: Reject: 8 BACnet: Reject: 9 BACnet: Reject: 10 """, """Modbus: Read Exception Status Modbus: Exception: Illegal Function Modbus: Exception: Illegal Data Address Modbus: Exception: Illegal Data Value Modbus: Exception: Slave Device Failure Modbus: Exception: Acknowledge Modbus: Exception: Slave Device Busy Modbus: Exception: Memory Parity Error Modbus: Exception: Gateway Path Unavailable Modbus: Exception: Gateway Target Device Failed to Respond""" ; d3f:definition "An unknown or anomalous condition occurred in the system." ; rdfs:seeAlso , , . d3f:OTExceptionMessageEvent a owl:Class ; rdfs:label "OT Exception Message Event" ; rdfs:subClassOf d3f:OTDiagnosticsMessageEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTExceptionMessage ] ; d3f:definition "An unknown or anomalous condition occurred in the system." . d3f:OTHumanMachineInterface a owl:Class, owl:NamedIndividual ; rdfs:label "OT Human Machine Interface" ; rdfs:subClassOf d3f:OTEmbeddedComputer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:HMIApplication ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:InputDevice ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:OutputDevice ], [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTLogicVariable ], [ a owl:Restriction ; owl:onProperty d3f:reads ; owl:someValuesFrom d3f:OTProcessDataHistorian ] ; d3f:contains d3f:HMIApplication, d3f:InputDevice, d3f:OutputDevice ; d3f:definition "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters." ; d3f:modifies d3f:OTLogicVariable ; d3f:reads d3f:OTProcessDataHistorian ; d3f:synonym "HMI" ; rdfs:seeAlso . d3f:OTIOModule a owl:Class, owl:NamedIndividual ; rdfs:label "OT I/O Module" ; rdfs:subClassOf d3f:IOModule, [ a owl:Restriction ; owl:onProperty d3f:communicates-with ; owl:someValuesFrom d3f:OTActuator ], [ a owl:Restriction ; owl:onProperty d3f:communicates-with ; owl:someValuesFrom d3f:OTSensor ] ; rdfs:comment "There are many types of I/O modules, including: analog input, analog output, HART input, HART output, digital input, digital output, mV input, pulse input, universal I/O, vibration input, and many other types of input or output modules. The functionality of the I/O Module can be embedded in the controller or as a separate module connected via chassis or I/O link." ; rdfs:isDefinedBy ; d3f:communicates-with d3f:OTActuator, d3f:OTSensor ; d3f:definition "An OT I/O Module is an industrial-grade interface designed for harsh Operational Technology (OT) environments. It reliably connects sensors and actuators to industrial control systems, ensuring precise, real-time data exchange in applications such as SCADA or ICS. Engineered for ruggedness and consistent performance, it can manage analog, digital, or other specialized signal types while enduring demanding conditions." ; rdfs:seeAlso ; skos:example "Rockwell Compact 5000 IO Module" . d3f:OTLogicVariable a owl:Class, owl:NamedIndividual ; rdfs:label "OT Logic Variable" ; rdfs:subClassOf d3f:RuntimeVariable ; d3f:definition "A variable which directly affects a program running on an OT controller, involving an OT Process." . d3f:OTModeSwitch a owl:Class, owl:NamedIndividual ; rdfs:label "OT Mode Switch" ; rdfs:subClassOf d3f:ApplicationConfiguration, [ a owl:Restriction ; owl:onProperty d3f:controls ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; rdfs:comment "An OT Mode Switch is a dedicated mechanism, implemented as either a physical keyswitch or a software control, that permits authorized users to transition an OT controller between its operating modes." ; d3f:controls d3f:OTControllerOperatingMode ; d3f:definition "Keyswitch or mode switch is the mechanism for changing the operating mode of an OT controller or device." ; d3f:synonym "Mode Switch", "Programming Key Switch" ; rdfs:seeAlso , . d3f:OTModifyControlProgramCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Modify Control Program Command" ; rdfs:subClassOf d3f:OTModifyDeviceConfigurationCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControlProgram ] ; rdfs:comment """GE-SRTP: WRITE PROGRAM BLOCK MEMORY GE-SRTP: CHANGE PLC CPU PRIVILEGE LEVEL GE-SRTP: SET CONTROL ID(CPU ID) GE-SRTP: PROGRAM STORE (UPLOAD FROM PLC) GE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC) GE-SRTP: TOGGLE FORCE SYSTEM MEMORY""" ; d3f:definition "OT command that adds, removes, or changes, process data on a remote device." ; d3f:modifies d3f:OTControlProgram ; rdfs:seeAlso , , . d3f:OTModifyControlProgramCommandEvent a owl:Class ; rdfs:label "OT Modify Control Program Command Event" ; rdfs:subClassOf d3f:OTModifyDeviceConfigurationCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControlProgram ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTModifyControlProgramCommand ] ; d3f:definition "OT command that adds, removes, or changes, process data on a remote device." . d3f:OTModifyDeviceConfigurationCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Modify Device Configuration Command" ; rdfs:subClassOf d3f:OTDeviceConfigurationCommand ; rdfs:comment """BACnet: deviceCommunicationControl BACnet: reinitializeDevice """, """GE-SRTP: WRITE PROGRAM BLOCK MEMORY GE-SRTP: CHANGE PLC CPU PRIVILEGE LEVEL GE-SRTP: SET CONTROL ID(CPU ID) GE-SRTP: SET PLC (RUN VS STOP) GE-SRTP: PROGRAM STORE (UPLOAD FROM PLC) GE-SRTP: PROGRAM LOAD (DOWNLOAD TO PLC) GE-SRTP: TOGGLE FORCE SYSTEM MEMORY""" ; d3f:definition "Modify device configuration." ; rdfs:seeAlso , , . d3f:OTModifyDeviceConfigurationCommandEvent a owl:Class ; rdfs:label "OT Modify Device Configuration Command Event" ; rdfs:subClassOf d3f:OTDeviceConfigurationCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTModifyDeviceConfigurationCommand ] ; d3f:definition "Modify device configuration." . d3f:OTModifyDeviceOperatingModeCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Modify Device Operating Mode Command" ; rdfs:subClassOf d3f:OTModifyDeviceConfigurationCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; rdfs:comment """BACnet: deviceCommunicationControl BACnet: reinitializeDevice """, "GE-SRTP: SET PLC (RUN VS STOP)" ; d3f:definition "Modifies the running state of an application or program on a device." ; d3f:modifies d3f:OTControllerOperatingMode ; rdfs:seeAlso , , . d3f:OTModifyDeviceOperatingModeCommandEvent a owl:Class ; rdfs:label "OT Modify Device Operating Mode Command Event" ; rdfs:subClassOf d3f:OTModifyDeviceConfigurationCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTModifyDeviceOperatingModeCommand ] ; d3f:definition "Modifies the running state of an application or program on a device." . d3f:OTNetwork a owl:Class, owl:NamedIndividual ; rdfs:label "OT Network" ; rdfs:subClassOf d3f:IntranetNetwork, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:OTEmbeddedComputer ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:OTEngineeringWorkstation ] ; d3f:contains d3f:OTEmbeddedComputer ; d3f:definition "A computer network which connects OT devices." ; d3f:may-contain d3f:OTEngineeringWorkstation . d3f:OTNetworkManagementCommand a owl:Class ; rdfs:label "OT Network Management Command" ; rdfs:subClassOf d3f:OTProtocolMessage ; d3f:definition "Manage message routing or network connection mechanisms." ; rdfs:seeAlso , , . d3f:OTNetworkManagementCommandEvent a owl:Class ; rdfs:label "OT Network Management Command Event" ; rdfs:subClassOf d3f:OTEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTNetworkManagementCommand ] ; d3f:definition "Manage message routing or network connection mechanisms." . d3f:OTNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "OT Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:OTProtocolMessage ] ; d3f:definition "Network traffic generated by operational technology devices, e.g., programmable logic controllers." ; d3f:may-contain d3f:OTProtocolMessage . d3f:OTPauseCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Pause Command" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; rdfs:comment """BACnet: deviceCommunicationControl BACnet: reinitializeDevice """, "GE-SRTP: SET PLC (RUN VS STOP)" ; d3f:definition "Commands a device to pause a service/program." ; d3f:modifies d3f:OTControllerOperatingMode ; rdfs:seeAlso , , . d3f:OTPauseCommandEvent a owl:Class ; rdfs:label "OT Pause Command Event" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTPauseCommand ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:OTRunCommandEvent ] ; d3f:definition "Commands a device to pause a service/program." . d3f:OTPowerSupply a owl:Class, owl:NamedIndividual ; rdfs:label "OT Power Supply" ; rdfs:subClassOf d3f:PowerSupply ; d3f:definition "An OT power supply is a power supply whose control amplifier is optimized for signal-processing tasks rather than supplying mere steady-state power to a load. It is a self-contained combination of operational amplifiers, power amplifiers, and integral power circuits designed for higher-level operations in industrial or OT contexts." ; rdfs:seeAlso ; skos:example "Phoenix Contact QUINT, Eaton PSG, and many controller-branded power supplies." . d3f:OTProcessDataCommand a owl:Class ; rdfs:label "OT Process Data Command" ; rdfs:subClassOf d3f:OTProtocolMessage ; d3f:definition "Manage data associated with a controlled process." ; rdfs:seeAlso , , . d3f:OTProcessDataCommandEvent a owl:Class ; rdfs:label "OT Process Data Command Event" ; rdfs:subClassOf d3f:OTEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTProcessDataCommand ] ; d3f:definition "Manage data associated with a controlled process." . d3f:OTProcessDataHistorian a owl:Class, owl:NamedIndividual ; rdfs:label "OT Process Data Historian" ; rdfs:subClassOf d3f:Application, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:TimeSeriesDatabase ] ; rdfs:isDefinedBy ; d3f:contains d3f:TimeSeriesDatabase ; d3f:definition "A system used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices." . d3f:OTProcessVariable a owl:Class, owl:NamedIndividual ; rdfs:label "OT Process Variable" ; rdfs:subClassOf d3f:OTLogicVariable ; d3f:definition "Process variables are the current actual measurement of the physical characteristics of a system. Common process variables include but are not limited to Temperature, Pressure, Level, and Flow." ; rdfs:seeAlso ; skos:example "If the current temperature in a home is 82 degrees Fahrenheit, the process variable is 82 degrees." . d3f:OTProgramModeCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Program Mode Command" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; rdfs:comment """BACnet: deviceCommunicationControl BACnet: reinitializeDevice """, "GE-SRTP: SET PLC (RUN VS STOP)" ; d3f:definition "Command that places the controller in a mode capable of reprogramming logic. This may or may not stop the program." ; d3f:modifies d3f:OTControllerOperatingMode ; rdfs:seeAlso , , . d3f:OTProgramModeCommandEvent a owl:Class ; rdfs:label "OT Program Mode Command Event" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTProgramModeCommand ] ; d3f:definition "Command that places the controller in a mode capable of reprogramming logic. This may or may not stop the program." . d3f:OTProprietaryMessage a owl:Class ; rdfs:label "OT Proprietary Message" ; rdfs:subClassOf d3f:OTProtocolMessage ; d3f:definition "Vendor specific and may not be publicly documented, or values left for device specific configuration." ; rdfs:seeAlso , , . d3f:OTProprietaryMessageEvent a owl:Class ; rdfs:label "OT Proprietary Message Event" ; rdfs:subClassOf d3f:OTEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTProprietaryMessage ] ; d3f:definition "Vendor specific and may not be publicly documented, or values left for device specific configuration." . d3f:OTProtocolMessage a owl:Class, owl:NamedIndividual ; rdfs:label "OT Protocol Message" ; rdfs:subClassOf d3f:DigitalMessage ; d3f:definition "Packets generated by an operational technology protocol contain an OT protocol message." . d3f:OTReadCommand a owl:Class ; rdfs:label "OT Read Command" ; rdfs:subClassOf d3f:OTProcessDataCommand ; rdfs:comment """BACnet: confirmedCOVNotification BACnet: subscribeCOV BACnet: atomicReadFile BACnet: readProperty BACnet: readPropertyConditional BACnet: readPropertyMultiple BACnet: unconfirmedCOVNotification BACnet: readRange BACnet: subscribeCOVProperty BACnet: getEventInformation BACnet: subscribe-cov-property-multiple BACnet: confirmed-cov-notification-multiple BACnet: unconfirmed-cov-notification-multiple """, """CIP: Get Attributes All CIP: Get Attribute List CIP: Get Attribute Single CIP: Find Next Object Instance CIP: Get Member """, """GE-SRTP: READ SYSTEM MEMORY GE-SRTP: READ TASK MEMORY """, """Modbus: Read Coils Modbus: Read Discrete Inputs Modbus: Read Holding Registers Modbus: Read Input Registers Modbus: Read File Record Modbus: Read FIFO Queue""" ; d3f:definition "Read or retrieve data." ; rdfs:seeAlso , , . d3f:OTReadCommandEvent a owl:Class ; rdfs:label "OT Read Command Event" ; rdfs:subClassOf d3f:OTProcessDataCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTReadCommand ] ; d3f:definition "Read or retrieve data." . d3f:OTReadDeviceConfigurationCommand a owl:Class ; rdfs:label "OT Read Device Configuration Command" ; rdfs:subClassOf d3f:OTDeviceConfigurationCommand ; rdfs:comment "BACnet: deviceCommunicationControl", "GE-SRTP: READ PROGRAM MEMORY" ; d3f:definition "Read device configuration." ; rdfs:seeAlso , , . d3f:OTReadDeviceConfigurationCommandEvent a owl:Class ; rdfs:label "OT Read Device Configuration Command Event" ; rdfs:subClassOf d3f:OTDeviceConfigurationCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTReadDeviceConfigurationCommand ] ; d3f:definition "Read device configuration." . d3f:OTReadFileCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Read File Command" ; rdfs:subClassOf d3f:OTReadCommand, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:File ] ; rdfs:comment "BACnet: atomicReadFile", "Modbus: Read File Record" ; d3f:definition "Reads data in specified chuncks or the contents of a specified file stored in the file device connected to the PC." ; d3f:has-participant d3f:File ; rdfs:seeAlso , , . d3f:OTReadFileCommandEvent a owl:Class ; rdfs:label "OT Read File Command Event" ; rdfs:subClassOf d3f:OTReadCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:File ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTReadFileCommand ] ; d3f:definition "Reads data in specified chuncks or the contents of a specified file stored in the file device connected to the PC." . d3f:OTReadTimeCommand a owl:Class ; rdfs:label "OT Read Time Command" ; rdfs:subClassOf d3f:OTTimeCommand ; rdfs:comment "example" ; d3f:definition "Read timing mechanisms." ; rdfs:seeAlso , , . d3f:OTReadTimeCommandEvent a owl:Class ; rdfs:label "OT Read Time Command Event" ; rdfs:subClassOf d3f:OTTimeCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTReadTimeCommand ] ; d3f:definition "Read timing mechanisms." . d3f:OTReadValueCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Read Value Command" ; rdfs:subClassOf d3f:OTReadCommand, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTLogicVariable ] ; rdfs:comment """BACnet: confirmedCOVNotification BACnet: subscribeCOV BACnet: readProperty BACnet: readPropertyConditional BACnet: readPropertyMultiple BACnet: unconfirmedCOVNotification BACnet: readRange BACnet: subscribeCOVProperty BACnet: getEventInformation BACnet: subscribe-cov-property-multiple BACnet: confirmed-cov-notification-multiple BACnet: unconfirmed-cov-notification-multiple """, """CIP: Get Attributes All CIP: Get Attribute List CIP: Get Attribute Single CIP: Find Next Object Instance CIP: Get Member """, """GE-SRTP: READ SYSTEM MEMORY GE-SRTP: READ TASK MEMORY """, """Modbus: Read Coils Modbus: Read Discrete Inputs Modbus: Read Holding Registers Modbus: Read Input Registers Modbus: Read FIFO Queue""" ; d3f:definition "Reads the contents of the specified number of consecutive parameter areawords starting from the specified word." ; d3f:has-participant d3f:OTLogicVariable ; rdfs:seeAlso , , . d3f:OTReadValueCommandEvent a owl:Class ; rdfs:label "OT Read Value Command Event" ; rdfs:subClassOf d3f:OTReadCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTLogicVariable ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTReadValueCommand ] ; d3f:definition "Reads the contents of the specified number of consecutive parameter areawords starting from the specified word." . d3f:OTRemoteModeCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Remote Mode Command" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; rdfs:comment """BACnet: deviceCommunicationControl BACnet: reinitializeDevice """, "GE-SRTP: SET PLC (RUN VS STOP)" ; d3f:definition "Command that places the controller in a mode capable of receiving read/write communication from a networked entity." ; d3f:modifies d3f:OTControllerOperatingMode ; rdfs:seeAlso , , . d3f:OTRemoteModeCommandEvent a owl:Class ; rdfs:label "OT Remote Mode Command Event" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:NetworkTraffic ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTRemoteModeCommand ] ; d3f:definition "Command that places the controller in a mode capable of receiving read/write communication from a networked entity." . d3f:OTRunCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Run Command" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; rdfs:comment """BACnet: deviceCommunicationControl BACnet: reinitializeDevice """, "GE-SRTP: SET PLC (RUN VS STOP)" ; d3f:definition "Commands a device to start or resume a service/program." ; d3f:modifies d3f:OTControllerOperatingMode ; rdfs:seeAlso , , . d3f:OTRunCommandEvent a owl:Class ; rdfs:label "OT Run Command Event" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTRunCommand ] ; d3f:definition "Commands a device to start or resume a service/program." . d3f:OTScanTime a owl:Class ; rdfs:label "OT Scan Time" ; rdfs:subClassOf d3f:ApplicationScanTime ; d3f:definition "An OT controller system variable that tracks the measured time it takes to read input status, apply logic, and write output values." . d3f:OTSecurityCommand a owl:Class ; rdfs:label "OT Security Command" ; rdfs:subClassOf d3f:OTNetworkManagementCommand ; rdfs:comment """BACnet: authenticate BACnet: requestKey """, "GE-SRTP: PROGRAMMER LOGON" ; d3f:definition "Ensure confidentiality, integrity, or availability of system information." ; rdfs:seeAlso , , . d3f:OTSecurityCommandEvent a owl:Class ; rdfs:label "OT Security Command Event" ; rdfs:subClassOf d3f:OTNetworkManagementCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTSecurityCommand ] ; d3f:definition "Ensure confidentiality, integrity, or availability of system information." . d3f:OTSensor a owl:Class, owl:NamedIndividual ; rdfs:label "OT Sensor" ; rdfs:subClassOf d3f:HardwareDevice, d3f:Sensor, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:ClientComputer ], [ a owl:Restriction ; owl:onProperty d3f:writes ; owl:someValuesFrom d3f:OTProcessVariable ] ; rdfs:comment "Components of the sensor include a sensing element and may include a power source, display, housing, communication interface or signal processor." ; rdfs:isDefinedBy ; d3f:definition "An OT Sensor is an industrial-grade sensing device engineered for operational technology (OT) environments (e.g. SCADA, ICS). It measures physical variables—such as pressure, temperature, or flow—under demanding conditions, converting them into reliable signals for real-time monitoring and process control loops." ; d3f:may-contain d3f:ClientComputer ; d3f:writes d3f:OTProcessVariable ; rdfs:seeAlso , , , . d3f:OTSetTimeCommand a owl:Class ; rdfs:label "OT Set Time Command" ; rdfs:subClassOf d3f:OTTimeCommand ; d3f:definition "Set timing mechanisms." ; rdfs:seeAlso , , . d3f:OTSetTimeCommandEvent a owl:Class ; rdfs:label "OT Set Time Command Event" ; rdfs:subClassOf d3f:OTTimeCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTSetTimeCommand ] ; d3f:definition "Set timing mechanisms." . d3f:OTStopCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Stop Command" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; rdfs:comment """BACnet: deviceCommunicationControl BACnet: reinitializeDevice """, "GE-SRTP: SET PLC (RUN VS STOP)" ; d3f:definition "Commands a device to stop a service/program." ; d3f:modifies d3f:OTControllerOperatingMode ; rdfs:seeAlso , , . d3f:OTStopCommandEvent a owl:Class ; rdfs:label "OT Stop Command Event" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTStopCommand ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:OTRunCommandEvent ] ; d3f:definition "Commands a device to stop a service/program." . d3f:OTSynchronizeTimeCommand a owl:Class ; rdfs:label "OT Synchronize Time Command" ; rdfs:subClassOf d3f:OTTimeCommand ; rdfs:comment "example" ; d3f:definition "Used to align timing mechanisms." ; rdfs:seeAlso , , . d3f:OTSynchronizeTimeCommandEvent a owl:Class ; rdfs:label "OT Synchronize Time Command Event" ; rdfs:subClassOf d3f:OTTimeCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTSynchronizeTimeCommand ] ; d3f:definition "Used to align timing mechanisms." . d3f:OTTestCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Test Command" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommand, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; rdfs:comment """BACnet: deviceCommunicationControl BACnet: reinitializeDevice """, "GE-SRTP: SET PLC (RUN VS STOP)" ; d3f:definition "Commands a device to run a program in Test mode." ; d3f:modifies d3f:OTControllerOperatingMode ; rdfs:seeAlso , , . d3f:OTTestCommandEvent a owl:Class ; rdfs:label "OT Test Command Event" ; rdfs:subClassOf d3f:OTModifyDeviceOperatingModeCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTControllerOperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTTestCommand ] ; d3f:definition "Commands a device to run a program in Test mode." . d3f:OTTimeCommand a owl:Class ; rdfs:label "OT Time Command" ; rdfs:subClassOf d3f:OTDeviceManagementMessage ; rdfs:comment """BACnet: timeSynchronization BACnet: utcTimeSynchronization """, """GE-SRTP: SET PLC TIME/DATE GE-SRTP: RETURN PLC TIME/DATE""" ; d3f:definition "Read, set, or calculate timing mechanisms." ; rdfs:seeAlso , , . d3f:OTTimeCommandEvent a owl:Class ; rdfs:label "OT Time Command Event" ; rdfs:subClassOf d3f:OTDeviceManagementMessageEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTTimeCommand ] ; d3f:definition "Read, set, or calculate timing mechanisms." . d3f:OTTransportConfigurationCommand a owl:Class ; rdfs:label "OT Transport Configuration Command" ; rdfs:subClassOf d3f:OTNetworkManagementCommand ; rdfs:comment "Modbus: Encapsulated Interface Transport" ; d3f:definition "Configure transport settings for a communication channel." ; rdfs:seeAlso , , . d3f:OTTransportConfigurationCommandEvent a owl:Class ; rdfs:label "OT Transport Configuration Command Event" ; rdfs:subClassOf d3f:OTNetworkManagementCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTTransportConfigurationCommand ] ; d3f:definition "Configure transport settings for a communication channel." . d3f:OTVariableAccessRestriction a owl:Class, owl:NamedIndividual ; rdfs:label "OT Variable Access Restriction" ; rdfs:subClassOf d3f:AccessMediation, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Isolate ], [ a owl:Restriction ; owl:onProperty d3f:limits ; owl:someValuesFrom d3f:OTLogicVariable ], [ a owl:Restriction ; owl:onProperty d3f:restricts ; owl:someValuesFrom d3f:OTWriteCommand ] ; rdfs:isDefinedBy "Top 20 Secure Coding Practices, #10" ; d3f:d3fend-id "D3-OVAR" ; d3f:definition "Assign read/write access controls on designated registers or data tags to prevent unauthorized writes." ; d3f:enables d3f:Isolate ; d3f:kb-article """ ## How it works Many OT Controllers and OT Communication Modules enable Read-Only or Read/Write access on a per-tag basis. As an example, when configuring OT process tags which can be accessed using the Modbus protocol, configure the tag to a Modbus Input Register to leverage the protocol's registry ranges, restricting the ability of external sources to modify data. In Siemens, each data block (DB) tag can be configured as "data block write-protected in the device." """ ; d3f:kb-reference d3f:Reference-PLX3x-Series-Multi-Protocol-Gateways, d3f:Reference-S7-1200-Programmable-controller, d3f:Reference-SecurePLCCodingPracticesTop20List ; d3f:limits d3f:OTLogicVariable ; d3f:restricts d3f:OTWriteCommand ; d3f:synonym "OT Variable Access Policy" . d3f:OTWatchdogTimer a owl:Class ; rdfs:label "OT Watchdog Timer" ; rdfs:subClassOf d3f:OTProcessVariable, d3f:SoftwareWatchdogTimer ; d3f:definition "An OT Watchdog Timer is a software-based monitoring mechanism used in operational technology (OT) environments to continuously supervise the execution and responsiveness of critical control applications, devices, or communication links. It operates by requiring periodic “heartbeat” signals or status updates from monitored processes within a defined time window; if these signals are not received on time (indicating a hang, fault, or abnormal delay) the OT Watchdog Timer automatically triggers predefined safety or recovery actions, such as placing equipment in a fail-safe state, restarting services, generating alarms, or initiating controlled shutdowns." ; rdfs:seeAlso . d3f:OTWriteCommand a owl:Class, owl:NamedIndividual ; rdfs:label "OT Write Command" ; rdfs:subClassOf d3f:OTProcessDataCommand ; rdfs:comment """BACnet: atomicWriteFile BACnet: addListElement BACnet: removeListElement BACnet: createObject BACnet: deleteObject BACnet: writeProperty BACnet: writePropertyMultiple BACnet: write-group """, """CIP: Set Attributes All CIP: Set Attribute List CIP: Set Attribute Single CIP: Set Member CIP: Insert Member CIP: Remove Member """, """GE-SRTP: WRITE SYSTEM MEMORY GE-SRTP: WRITE TASK MEMORY """, """Modbus: Write Single Coil Modbus: Write Single Register Modbus: Write Multiple Coils Modbus: Write Multiple Registers Modbus: Write File Record Modbus: Mask Write Register Modbus: Read Write Register""" ; d3f:definition "Write or store data." ; rdfs:seeAlso , , . d3f:OTWriteCommandEvent a owl:Class ; rdfs:label "OT Write Command Event" ; rdfs:subClassOf d3f:OTProcessDataCommandEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OTWriteCommand ] ; d3f:definition "Write or store data." . d3f:OutboundInternetDNSLookupTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Outbound Internet DNS Lookup Traffic" ; rdfs:subClassOf d3f:DNSNetworkTraffic, d3f:OutboundInternetNetworkTraffic, d3f:OutboundNetworkTraffic, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:DNSLookup ] ; d3f:definition "Outbound internet DNS lookup traffic is network traffic using the DNS protocol on an outgoing connection initiated from a host within a network to a host outside the network." ; d3f:may-contain d3f:DNSLookup ; rdfs:seeAlso . d3f:OutboundInternetEncryptedRemoteTerminalTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Outbound Internet Encrypted Remote Terminal Traffic" ; skos:altLabel "Outbound Internet Encrypted RDP Traffic", "Outbound Internet Encrypted SSH Traffic" ; rdfs:subClassOf d3f:OutboundInternetEncryptedTraffic ; d3f:definition "Outbound internet encrypted remote terminal traffic is encrypted network traffic for a standard remote terminal protocol on an outgoing connection initiated from a host within a network to a host outside the network." . d3f:OutboundInternetEncryptedTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Outbound Internet Encrypted Traffic" ; rdfs:subClassOf d3f:OutboundInternetNetworkTraffic ; d3f:definition "Outbound internet encrypted traffic is encrypted network traffic on an outgoing connection initiated from a host within a network to a host outside the network." ; rdfs:seeAlso . d3f:OutboundInternetEncryptedWebTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Outbound Internet Encrypted Web Traffic" ; rdfs:subClassOf d3f:OutboundInternetEncryptedTraffic, d3f:OutboundInternetWebTraffic ; d3f:definition "Outbound internet encrypted web traffic is network traffic using a standard web protocol on an outgoing connection initiated from a host within a network to a host outside the network." ; rdfs:seeAlso . d3f:OutboundInternetFileTransferTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Outbound Internet File Transfer Traffic" ; rdfs:subClassOf d3f:FileTransferNetworkTraffic, d3f:OutboundInternetNetworkTraffic, d3f:OutboundNetworkTraffic, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:File ] ; d3f:contains d3f:File ; d3f:definition "Outbound internet file transfer traffic is file transfer traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard file transfer protocol." ; rdfs:seeAlso , . d3f:OutboundInternetMailTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Outbound Internet Mail Traffic" ; skos:altLabel "Outbound Internet Email Traffic" ; rdfs:subClassOf d3f:OutboundInternetNetworkTraffic ; d3f:definition "Outbound internet DNS lookup traffic is network traffic using a standard email protocol on an outgoing connection initiated from a host within a network to a host outside the network." ; rdfs:seeAlso . d3f:OutboundInternetNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Outbound Internet Network Traffic" ; rdfs:subClassOf d3f:InternetNetworkTraffic, d3f:OutboundNetworkTraffic ; d3f:definition "Outbound internet network traffic is network traffic on an outgoing connection initiated from a host within a network to a host outside the network." ; rdfs:seeAlso . d3f:OutboundInternetRPCTraffic a owl:Class ; rdfs:label "Outbound Internet RPC Traffic" ; rdfs:subClassOf d3f:OutboundInternetNetworkTraffic, d3f:OutboundNetworkTraffic, d3f:RPCNetworkTraffic ; d3f:definition "Outbound internet RPC traffic is RPC traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard RPC protocol." ; rdfs:seeAlso , . d3f:OutboundInternetWebTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Outbound Internet Web Traffic" ; rdfs:subClassOf d3f:OutboundInternetNetworkTraffic, d3f:WebNetworkTraffic, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:URL ] ; d3f:definition "Outbound internet web traffic is network traffic that is: (a) on an outgoing connection initiated from a host within a network to a host outside the network, and (b) using a standard web protocol." ; d3f:may-contain d3f:URL ; rdfs:seeAlso , . d3f:OutboundNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "Outbound Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic ; d3f:definition "Outbound traffic is network traffic originating from a host of interest (client), to another host (server)." . d3f:OutboundTrafficFiltering a d3f:OutboundTrafficFiltering, owl:Class, owl:NamedIndividual ; rdfs:label "Outbound Traffic Filtering" ; rdfs:subClassOf d3f:NetworkTrafficFiltering, [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:OutboundNetworkTraffic ] ; d3f:d3fend-id "D3-OTF" ; d3f:definition "Restricting network traffic originating from a private host or enclave destined towards untrusted networks." ; d3f:filters d3f:OutboundNetworkTraffic ; d3f:kb-article """## How it works Outbound traffic, in this context, is network traffic originating from a private host or enclave destined towards untrusted networks. For example: * An enterprise desktop intranet user connecting to www.example.com * An internal mail server connecting to an external mail server, mail.example.com Filtering is commonly implemented as firewall rulesets to limit outbound traffic permitted to egress a host or network. Firewalls are deployed either directly on hosts through kernel level software implementations or installed in-line directly on network links. There are benefits and disadvantages to each approach. There are various strategies for developing filtering rulesets: * Block everything by default * Limit destination hosts * Limit destination transport or application protocols * Restrict content outbound (Ex. strings formatted as social security numbers, or proprietary data) ## Considerations * Dynamic IP assignment creates challenges for Outbound Traffic Filtering because users are not necessarily associated with the same IP address. This can be addressed by linking IP address management information with the filtering logic. * Connections using non-standard transport layer ports may circumvent outbound traffic filtering technology which does not detect application protocol based on traffic content. * Business requirements typically drive the development of filtering rule sets. ## Implementations - iptables (Linux) - Windows Firewall - pf (BSD)""" ; d3f:kb-reference d3f:Reference-AutomaticallyGeneratingRulesForConnectionSecurity_Microsoft . d3f:OutputDevice a owl:Class, owl:NamedIndividual ; rdfs:label "Output Device" ; rdfs:subClassOf d3f:HardwareDevice ; rdfs:isDefinedBy ; d3f:definition "An output device is any piece of computer hardware equipment which converts information into human-readable form. It can be text, graphics, tactile, audio, and video. Some of the output devices are Visual Display Units (VDU) i.e. a Monitor, Printer, Graphic Output devices, Plotters, Speakers etc. A new type of Output device is been developed these days, known as Speech synthesizer, a mechanism attached to the computer which produces verbal output sounding almost like human speeches." . d3f:OutputDeviceEvent a owl:Class ; rdfs:label "Output Device Event" ; rdfs:subClassOf d3f:HardwareDeviceEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OutputDevice ] ; d3f:definition "An event describing the activity or state of output devices, including sound cards, display adapters, or media controllers. These events relate to audio, video, or graphics functionality." . d3f:OWL a owl:Class, owl:NamedIndividual ; rdfs:label "OWL" ; rdfs:subClassOf d3f:DescriptionLogic ; d3f:d3fend-id "D3A-OWL" ; d3f:definition "The Web Ontology Language (OWL) is a family of knowledge representation languages for authoring ontologies." ; d3f:kb-article """## How it works Ontologies are a formal way to describe taxonomies and classification networks, essentially defining the structure of knowledge for various domains: the nouns representing classes of objects and the verbs representing relations between the objects. The OWL languages are characterized by formal semantics. They are built upon the World Wide Web Consortium's (W3C) standard for objects called the Resource Description Framework (RDF). OWL classes correspond to description logic (DL) _concepts_. OWL properties to DL _roles_, and individuals are named the same way in OWL and other DLs. ## References 1. Web Ontology Language. (2023, April 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Web_Ontology_Language)""" ; d3f:synonym "Web Ontology Language" . d3f:PackageURL a owl:Class, owl:NamedIndividual ; rdfs:label "Package URL" ; skos:altLabel "purl" ; rdfs:subClassOf d3f:URL, [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:SoftwarePackage ] ; rdfs:isDefinedBy ; d3f:definition "A package URL, or purl, is a URL used to identify a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases." ; d3f:identifies d3f:SoftwarePackage ; rdfs:seeAlso . d3f:PacketCaptureFile a owl:Class, owl:NamedIndividual ; rdfs:label "Packet Capture File" ; rdfs:subClassOf d3f:File, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:NetworkPacket ] ; d3f:contains d3f:NetworkPacket ; d3f:definition "A file which contains raw representations of collected packets." . d3f:PacketLog a owl:Class, owl:NamedIndividual ; rdfs:label "Packet Log" ; rdfs:subClassOf d3f:Log, [ a owl:Restriction ; owl:onProperty d3f:records ; owl:someValuesFrom d3f:NetworkSession ], [ a owl:Restriction ; owl:onProperty d3f:summarizes ; owl:someValuesFrom d3f:PacketCaptureFile ] ; d3f:definition "A log of all the network packet data captured from a network by a network sensor (i.e., packet analyzer)," ; d3f:records d3f:NetworkSession ; d3f:summarizes d3f:PacketCaptureFile ; rdfs:seeAlso . d3f:Page a owl:Class ; rdfs:label "Page" ; rdfs:subClassOf d3f:MemoryBlock ; rdfs:isDefinedBy ; d3f:definition "A page, memory page, logical page, or virtual page is a fixed-length contiguous block of virtual memory, described by a single entry in the page table. It is the smallest unit of data for memory management in a virtual memory operating system." . d3f:PageFrame a owl:Class, owl:NamedIndividual ; rdfs:label "Page Frame" ; rdfs:subClassOf d3f:MemoryBlock, [ a owl:Restriction ; owl:onProperty d3f:contained-by ; owl:someValuesFrom d3f:PrimaryStorage ] ; rdfs:isDefinedBy ; d3f:contained-by d3f:PrimaryStorage ; d3f:definition "A page frame is the smallest fixed-length contiguous block of physical memory into which memory pages are mapped by the operating system." . d3f:PageTable a owl:Class, owl:NamedIndividual ; rdfs:label "Page Table" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:PhysicalAddress ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:VirtualAddress ] ; rdfs:isDefinedBy ; d3f:contains d3f:PhysicalAddress, d3f:VirtualAddress ; d3f:definition "A page table is the data structure used by the MMU in a virtual memory computer system to store the mapping between virtual addresses (virtual pages) and physical addresses (page frames)." . d3f:Parameter-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Parameter-based Transfer Learning" ; rdfs:subClassOf d3f:HomogenousTransferLearning ; d3f:d3fend-id "D3A-PBTL" ; d3f:definition "The idea behind parameter-based methods is that a well-trained model on the source domain has learned a well-defined structure, and if two tasks are related, this structure can be transferred to the target model." ; d3f:kb-article """## References Georgian Impact Blog. (n.d.). Transfer Learning Part 1. [Link](https://medium.com/georgian-impact-blog/transfer-learning-part-1-ed0c174ad6e7#:~:text=Homogeneous%20Transfer%20Learning-,1.,the%20target%20domain%20for%20training).""" . d3f:ParametricTests a owl:Class, owl:NamedIndividual ; rdfs:label "Parametric Tests" ; rdfs:subClassOf d3f:HypothesisTesting ; d3f:d3fend-id "D3A-PT" ; d3f:definition "A parametric test relies upon the assumption that the data you want to test is (or approximately is) normally distributed." ; d3f:kb-article """## References Newcastle University. (n.d.). Parametric Hypothesis Tests. [Link](https://www.ncl.ac.uk/webtemplate/ask-assets/external/maths-resources/psychology/parametric-hypothesis-tests.html)""" . d3f:ParentProcess a owl:Class ; rdfs:label "Parent Process" ; rdfs:subClassOf d3f:Process ; rdfs:isDefinedBy ; d3f:definition "In computing, a parent process is a process that has created one or more child processes." ; rdfs:seeAlso . d3f:PartialMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Partial Matching" ; rdfs:subClassOf d3f:StringPatternMatching ; d3f:d3fend-id "D3A-PM" ; d3f:definition "Partial string pattern matching is a special case of string pattern matching where one seeks to find a pattern within a larger string (text). It allows for the detection of patterns that occur as substrings or partial segments within the full string, rather than requiring an exact match across the entire string." ; d3f:kb-article """## References 1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)""", "Numeric pattern matching is a method of matching some defined pattern specification against a numeric value." . d3f:ParticleRadiationHardening a d3f:ParticleRadiationHardening, owl:Class, owl:NamedIndividual ; rdfs:label "Particle Radiation Hardening" ; rdfs:subClassOf d3f:RadiationHardening ; rdfs:isDefinedBy ; d3f:definition "The application of material, process, layout, or circuit-level design measures to electronic systems and components to reduce susceptibility to total ionizing dose degradation and single-event effects caused by ionizing particles such as protons, heavy ions, neutrons, or electrons." ; d3f:synonym "Ionizing Particle Hardening" . d3f:Partition a owl:Class, owl:NamedIndividual ; rdfs:label "Partition" ; skos:altLabel "Disk Partition", "Disk Slice" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A partition is a region on secondary storage device created so that the region can be managed by itself; separate from any other regions (partitions) on that secondary storage device. Creating partitions is typically the first step of preparing a newly installed storage device, before any file system is created. The device stores the information about the partitions' locations and sizes in an area known as the partition table that the operating system reads before any other part of the disk. Each partition then appears to the operating system as a distinct \"logical\" storage device that uses part of the actual device. System administrators use a program called a partition editor to create, resize, delete, and manipulate the partitions. Partitioning allows the use of different filesystems to be installed for different kinds of files. Separating user data from system data can prevent the system partition from becoming full and rendering the system unusable. Partitioning can also make backing up easier. [Definition adapted as generalization from definition of disk partitioning and distinct from in-memory partitions.]" ; rdfs:seeAlso , . d3f:PartitionTable a owl:Class, owl:NamedIndividual ; rdfs:label "Partition Table" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:addresses ; owl:someValuesFrom d3f:Partition ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:BootRecord ] ; rdfs:isDefinedBy ; d3f:addresses d3f:Partition ; d3f:definition "A partition is a fixed-size subset of a storage device which is treated as a unit by the operating system. A partition table is a table maintained on the storage device by the operating system describing the partitions on that device. The terms partition table and partition map are most commonly associated with the MBR partition table of a Master Boot Record (MBR) in IBM PC compatibles, but it may be used generically to refer to other \"formats\" that divide a disk drive into partitions, such as: GUID Partition Table (GPT), Apple partition map (APM), or BSD disklabel." ; d3f:may-contain d3f:BootRecord . d3f:PassiveCertificateAnalysis a d3f:PassiveCertificateAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Passive Certificate Analysis" ; rdfs:subClassOf d3f:CertificateAnalysis ; d3f:d3fend-id "D3-PCA" ; d3f:definition "Collecting host certificates from network traffic or other passive sources like a certificate transparency log and analyzing them for unauthorized activity." ; d3f:kb-article """## How it works Certificates are analyzed outside of a TLS server connection using third-party secure update logs, domain name analysis and analytics. ### Secure update certificate logs * Certificate Logs The key enabling feature is a secure service that maintains record logs of certificate activities. The logs allow users to only append certificates and never to delete or modify the log entries. The logs use Merkle Tree Hashes to ensure they have not been tampered with. The logging service also allows for public auditing by any user. The logging service, upon receipt of a certificate to log, will respond with a signed certificate timestamp (SCT). The SCT guarantees the certificate will be added to the log within the time specified. The SCT must be present with the certificate during a TLS handshake. * Certificate Monitoring Certificate monitoring, of the logs, is typically done by the CA and they watch for suspicious certificate logging and unusual certificates or extensions or permissions. Monitors are also responsible for verifying the logs are accurate and public. * Certificate Auditors Log integrity is verified by log auditors. Auditors make use of log proofs are used to validate the cryptographic hashes (Merkle Trees) that the log employs are consistent. In order to ensure consistency throughout multiple monitors and auditors, sharing a common logging service, gossip protocol is employed. ### Phishing domain name analysis * A curated corpus of known benign domains and phishing domain names is used as training text for machine learning. Through the use of feature set extraction, vectors labels are created with scoring to indicated if they are considered benign or phishing domains. * A stream of new or updated SSL certificates with fully qualified domain names (FQDN) is analyzed against the feature vectors and a predictive model determines a score for the domains. The scoring considers distance measures such as Levenshtein distance to help in determining the final label score. Supervised learning is also employed using the curated domains of benign and phishing domains. * Subdomain phishing analysis, prepending a trusted domain to a phishing domain, and regular expression comparisons are also used in the label scoring model. A tunable measure is used to determine the threshold for alerting. This measure helps to balance between precision and recall measures. ## Considerations * Some entity will need to run the logging service and a trusted entity is preferred. * Certificate Authorities will likely need to monitor the logging service for consistency. * Certificate revocation is unchanged and remains outside of Certificate Transparency, but certificates needing to be revoked are visible. * Technique dependent of reliable feed of new and updated certificates * Some certificate authorities allow for certificates to be registered with wildcards in the FQDN and thus will fail some of the subdomain scoring * Phishing HTTP domains will not be discovered""" ; d3f:kb-reference d3f:Reference-CertificateTransparency, d3f:Reference-StreamingPhish . d3f:PassiveLogicalLinkMapping a d3f:PassiveLogicalLinkMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Passive Logical Link Mapping" ; rdfs:subClassOf d3f:LogicalLinkMapping ; d3f:d3fend-id "D3-PLLM" ; d3f:definition "Passive logical link mapping only listens to network traffic as a means to map the the whole data link layer, where the links represent logical data flows rather than physical connections." ; d3f:kb-reference d3f:Reference-TenablePassiveNetworkMonitoring ; d3f:synonym "Passive Logical Layer Mapping" . d3f:Password a owl:Class, owl:NamedIndividual ; rdfs:label "Password" ; skos:altLabel "Passcode" ; rdfs:subClassOf d3f:Credential ; rdfs:isDefinedBy ; d3f:definition "A password, sometimes called a passcode, is a memorized secret, typically a string of characters, usually used to confirm the identity of a user. Using the terminology of the NIST Digital Identity Guidelines, the secret is memorized by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity." . d3f:PasswordAuthentication a d3f:PasswordAuthentication, owl:Class, owl:NamedIndividual ; rdfs:label "Password Authentication" ; rdfs:subClassOf d3f:AgentAuthentication, [ a owl:Restriction ; owl:onProperty d3f:uses ; owl:someValuesFrom d3f:Password ] ; d3f:d3fend-id "D3-PWA" ; d3f:definition "Password authentication is a security mechanism used to verify the identity of a user or entity attempting to access a system or resource by requiring the input of a secret string of characters, known as a password, that is associated with the user or entity." ; d3f:kb-reference d3f:Reference-NIST-Special-Publication-800-53-Revision-5 ; d3f:uses d3f:Password . d3f:PasswordDatabase a owl:Class ; rdfs:label "Password Database" ; rdfs:subClassOf d3f:Database ; d3f:definition "A password database is a database that holds passwords for user accounts and is usually encrypted (i.e.., the passwords are hashed). Password databases are found supporting system services (such as SAM) or part of user applications such as password managers." . d3f:PasswordFile a owl:Class, owl:NamedIndividual ; rdfs:label "Password File" ; rdfs:subClassOf d3f:File, d3f:PasswordDatabase ; d3f:definition "Simple form of password database held in a single file (e.g., /etc/password)" . d3f:PasswordManager a owl:Class, owl:NamedIndividual ; rdfs:label "Password Manager" ; rdfs:subClassOf d3f:Application, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Credential ] ; rdfs:isDefinedBy ; d3f:contains d3f:Credential ; d3f:definition "A password manager is a software application or hardware that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password: a single, ideally very strong password which grants the user access to their entire password database. Some password managers store passwords on the user's computer (called offline password managers), whereas others store data in the provider's cloud (often called online password managers). However offline password managers also offer data storage in the user's own cloud accounts rather than the provider's cloud. While the core functionality of a password manager is to securely store large collections of passwords, many provide additional features such as form filling and password generation." . d3f:PasswordRotation a d3f:PasswordRotation, owl:Class, owl:NamedIndividual ; rdfs:label "Password Rotation" ; rdfs:subClassOf d3f:CredentialRotation, [ a owl:Restriction ; owl:onProperty d3f:regenerates ; owl:someValuesFrom d3f:Password ] ; d3f:d3fend-id "D3-PR" ; d3f:definition "Password rotation is a security policy that mandates the periodic change of user account passwords to mitigate the risk of unauthorized access due to compromised credentials." ; d3f:kb-article """## How it works Users may be requested to change their passwords on a regular schedule. Management servers with enterprise policies for account management provide the ability to change or reset passwords for accounts. ## Considerations Requiring users to change their passwords frequently can result in insecure password practices by the user. The latest update of NIST SP 800-63B, Digital Identity Guidelines, recommends requiring password reset only when a known compromise has occurred, or every 365 days, rather than every 60 or 90 days.""" ; d3f:kb-reference d3f:Reference-PasswordandKeyRotation-SSH ; d3f:regenerates d3f:Password ; rdfs:seeAlso , . d3f:PasswordStore a owl:Class, owl:NamedIndividual ; rdfs:label "Password Store" ; rdfs:subClassOf d3f:PasswordDatabase ; d3f:definition "A user repository of account passwords, often accessed via a password manager." ; rdfs:seeAlso . d3f:PatentReference a owl:Class ; rdfs:label "Patent Reference" ; rdfs:subClassOf d3f:TechniqueReference ; d3f:pref-label "Patent" . d3f:PatternMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Pattern Matching" ; rdfs:subClassOf d3f:LogicalRules ; d3f:d3fend-id "D3A-PM" ; d3f:definition "Pattern matching is the act of checking a given sequence of tokens for the presence of the constituents of some pattern." ; d3f:kb-article """## References 1. Pattern matching. (2023, May 20). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Pattern_matching)""" . d3f:PearsonsCorrelationCoefficient a owl:Class, owl:NamedIndividual ; rdfs:label "Pearson's Correlation Coefficient" ; rdfs:subClassOf d3f:Correlation ; d3f:d3fend-id "D3A-PCC" ; d3f:kb-article """## References Wolfram MathWorld. (n.d.). Correlation Coefficient. [Link](https://mathworld.wolfram.com/CorrelationCoefficient.html)""" . d3f:PER-0001 a owl:Class, owl:NamedIndividual ; rdfs:label "Memory Compromise - SPARTA" ; skos:prefLabel "Memory Compromise" ; rdfs:subClassOf d3f:SPARTAPersistenceTechnique, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:PrimaryStorage ] ; d3f:attack-id "PER-0001" ; d3f:definition "The adversary arranges for malicious content to survive resets and mode changes by targeting memories and execution paths that initialize the system. Candidates include boot ROM handoff vectors, first/second-stage loaders, non-volatile images (flash/EEPROM), “golden” fallback partitions, configuration words/fuses, and RAM regions reconstructed at start-up from stored files or tables. Persistence may also ride auto-run mechanisms, init scripts, procedure engines, stored command sequences, or event hooks that execute on boot, safe-mode entry/exit, time triggers, or receipt of specific telemetry/commands. Variants keep the core payload only in RAM but ensure it is reloaded after every restart by patching copy-on-boot routines, altering file catalogs, or modifying table loaders so the same bytes are restored. The common thread is control of where the spacecraft looks for what to run next, so unauthorized logic is reinstated whenever the system resets or transitions modes." ; d3f:modifies d3f:PrimaryStorage ; rdfs:seeAlso . d3f:PER-0002 a owl:Class ; rdfs:label "Backdoor - SPARTA" ; skos:prefLabel "Backdoor" ; rdfs:subClassOf d3f:SPARTAPersistenceTechnique ; d3f:attack-id "PER-0002" ; d3f:definition "A backdoor is a covert access path that bypasses normal authentication, authorization, or operational checks so the attacker can reenter the system on demand. Backdoors may be preexisting (undocumented service modes, maintenance accounts, debug features) or introduced by the adversary during development, integration, or on-orbit updates. Triggers range from “magic” opcodes and timetags to specific geometry/time conditions, counters, or data patterns embedded in routine traffic. The access they provide varies from expanded command sets and relaxed rate/size limits to alternate communications profiles and hidden file/parameter interfaces. Well-crafted backdoors blend with nominal behavior, appearing as ordinary operations while quietly accepting instructions that other paths would reject, thereby sustaining the attacker’s foothold across passes, resets, and operator handovers." ; rdfs:seeAlso . d3f:PER-0002.01 a owl:Class ; rdfs:label "Hardware Backdoor - SPARTA" ; skos:prefLabel "Hardware Backdoor" ; rdfs:subClassOf d3f:PER-0002 ; d3f:attack-id "PER-0002.01" ; d3f:definition "Hardware backdoors leverage properties of the physical design to provide durable, low-visibility reentry. Examples include enabled test/scan chains, manufacturing or boot-strap modes invoked by pins or registers, persistent debug interfaces (JTAG/SWD/UART), undocumented device commands, and logic inserted in FPGA/ASIC designs that activates under specific stimuli. Because these mechanisms sit below or beside flight software, they can grant direct access to buses, memories, or peripheral control even when higher layers appear healthy. Triggers may be electrical (pin states, voltage/clock sequences), protocol-level (special patterns on an instrument link), or environmental/temporal (particular temperature ranges, timing offsets). Once on orbit, such pathways are difficult to remove or reconfigure, allowing the attacker to persist by reusing the same physical entry points whenever conditions are met." ; rdfs:seeAlso . d3f:PER-0002.02 a owl:Class ; rdfs:label "Software Backdoor - SPARTA" ; skos:prefLabel "Software Backdoor" ; rdfs:subClassOf d3f:PER-0002 ; d3f:attack-id "PER-0002.02" ; d3f:definition "Software backdoors are code paths intentionally crafted or later inserted to provide privileged functionality on cue. In flight contexts, they appear as hidden command handlers, alternate authentication checks, special user/role constructs, or procedure/script hooks that accept nonpublic inputs. They can be embedded in flight applications, separation kernels or drivers, gateway processors that translate bus/payload traffic, or update/loader utilities that handle tables and images. SDR configurations offer another avenue: non-public waveforms, subcarriers, or framing profiles that, when selected, expose a private command channel. Activation is often conditional, specific timetags, geometry, message sequences, or file names, to keep the feature dormant during routine testing and operations. Once present, the backdoor provides a repeatable way to execute commands or modify state without traversing the standard control surfaces, sustaining the adversary’s access over time." ; rdfs:seeAlso . d3f:PER-0003 a owl:Class ; rdfs:label "Ground System Presence - SPARTA" ; skos:prefLabel "Ground System Presence" ; rdfs:subClassOf d3f:SPARTAPersistenceTechnique ; d3f:attack-id "PER-0003" ; d3f:definition "The adversary maintains long-lived access by residing within mission ground infrastructure that already has end-to-end reach to the spacecraft. Persistence can exist in operator workstations and mission control software, schedulers/orchestrators, station control (antenna/mount, modem/baseband), automation scripts and procedure libraries, identity and ticketing systems, and cloud-hosted mission services. With this foothold, the actor can repeatedly queue commands, updates, or file transfers during routine passes; mirror legitimate operator behavior to blend in; and refresh their tooling as software is upgraded. Presence on the ground also supports durable reconnaissance (pass plans, dictionaries, key/counter states) and continuous staging so each window to the vehicle can be exploited without re-establishing access." ; rdfs:seeAlso . d3f:PER-0004 a owl:Class, owl:NamedIndividual ; rdfs:label "Replace Cryptographic Keys - SPARTA" ; skos:prefLabel "Replace Cryptographic Keys" ; rdfs:subClassOf d3f:SPARTAPersistenceTechnique, [ a owl:Restriction ; owl:onProperty d3f:adds ; owl:someValuesFrom d3f:CryptographicKey ] ; d3f:adds d3f:CryptographicKey ; d3f:attack-id "PER-0004" ; d3f:definition "The adversary cements control by changing the cryptographic material the spacecraft uses to authenticate or protect links and updates. Targets include uplink authentication keys and counters, link-encryption/session keys and key-encryption keys (KEKs), key identifiers/selectors, and algorithm profiles. Using authorized rekey commands or key-loading procedures, often designed for over-the-air use, the attacker installs new values in non-volatile storage and updates selectors so subsequent traffic must use the attacker’s keys to be accepted. Variants desynchronize anti-replay by advancing counters or switching epochs, or strand operators by flipping profiles to a mode for which only the adversary holds parameters. Once replaced, the new material persists across resets and mode changes, turning the spacecraft into a node that recognizes the adversary’s channel while rejecting former controllers." ; rdfs:seeAlso . d3f:PER-0005 a owl:Class, owl:NamedIndividual ; rdfs:label "Credentialed Persistence - SPARTA" ; skos:prefLabel "Credentialed Persistence" ; rdfs:subClassOf d3f:SPARTAPersistenceTechnique, [ a owl:Restriction ; owl:onProperty d3f:uses ; owl:someValuesFrom d3f:Credential ] ; d3f:attack-id "PER-0005" ; d3f:definition "Threat actors may acquire or leverage valid credentials to maintain persistent access to a spacecraft or its supporting command and control (C2) systems. These credentials may include system service accounts, user accounts, maintenance access credentials, cryptographic keys, or other authentication mechanisms that enable continued entry without triggering access alarms. By operating with legitimate credentials, adversaries can sustain access over extended periods, evade detection, and facilitate follow-on tactics such as command execution, data exfiltration, or lateral movement. Credentialed persistence is particularly effective in environments lacking strong credential lifecycle management, segmentation, or monitoring allowing threat actors to exploit trusted pathways while remaining embedded in mission operations." ; d3f:uses d3f:Credential ; rdfs:seeAlso . d3f:PerHostDownload-UploadRatioAnalysis a d3f:PerHostDownload-UploadRatioAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Per Host Download-Upload Ratio Analysis" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:analyzes d3f:NetworkTraffic ; d3f:d3fend-id "D3-PHDURA" ; d3f:definition "Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host." ; d3f:kb-article """## How it works Aggregate pull vs. push ratios from metadata are used to develop a baseline for a given host over a specific time period, e.g., over a three-hour period, one day, one week, etc. Anomalies identified over a threshold produce an alert. ## Considerations Collection and analysis of large network packet captures requires large storage and intensive computing power. The time windows used to calculate the ratio may vary in implementations, this consideration should take into account a threat model and likely effects (impacts) delivered by an adversary.""" ; d3f:kb-reference d3f:Reference-SystemForDetectingThreatsUsingScenario-basedTrackingOfInternalAndExternalNetworkTraffic_VECTRANETWORKSInc . d3f:PeripheralDeviceEvent a owl:Class ; rdfs:label "Peripheral Device Event" ; rdfs:subClassOf d3f:HardwareDeviceEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:RemovableMediaDevice ] ; d3f:definition "An event involving external or auxiliary devices, such as USB drives, Thunderbolt peripherals, or Bluetooth devices. Peripheral events provide visibility into resource availability and potential unauthorized access." . d3f:PeripheralFirmware a owl:Class, owl:NamedIndividual ; rdfs:label "Peripheral Firmware" ; rdfs:subClassOf d3f:Firmware ; d3f:definition "Firmware that is installed on computer peripheral devices." ; rdfs:seeAlso d3f:Firmware, . d3f:PeripheralFirmwareVerification a d3f:PeripheralFirmwareVerification, owl:Class, owl:NamedIndividual ; rdfs:label "Peripheral Firmware Verification" ; rdfs:subClassOf d3f:FirmwareVerification, [ a owl:Restriction ; owl:onProperty d3f:verifies ; owl:someValuesFrom d3f:PeripheralFirmware ] ; d3f:d3fend-id "D3-PFV" ; d3f:definition "Cryptographically verifying peripheral firmware integrity." ; d3f:kb-article """# How it works Peripherial firmware is collected and analyzed on a host either periodically or on demand. This information may be collected for future comparisons. Changes in firmware hash values may indicate that the firmware has been tampered with or that firmware images are not maintained to current baselined versions, or even known vulnerable versions are deployed. ## Considerations * Trust baselines will need to be generated for specific devices * Changes to trusted configurations will need to be managed across the enterprise""" ; d3f:kb-reference d3f:Reference-FirmwareVerificationEclypsium, d3f:Reference-FirmwareVerificationTrapezoid ; d3f:verifies d3f:PeripheralFirmware . d3f:PeripheralHubFirmware a owl:Class ; rdfs:label "Peripheral Hub Firmware" ; skos:altLabel "USB Hub Firmware" ; rdfs:subClassOf d3f:PeripheralFirmware ; d3f:definition "Firmware that is installed on peripheral hub device such as a USB or Firewire hub." ; rdfs:seeAlso . d3f:PermissionGrantingEvent a owl:Class ; rdfs:label "Permission Granting Event" ; rdfs:subClassOf d3f:AccessControlAdministrationEvent ; d3f:definition "An administrative event where authorization is given, allowing a subject to perform specific operations on a protected resource, effectuating a policy decision to allow access rights." ; rdfs:seeAlso . d3f:PermissionRevokingEvent a owl:Class ; rdfs:label "Permission Revoking Event" ; rdfs:subClassOf d3f:AccessControlAdministrationEvent ; d3f:definition "An administrative event entailing the withdrawal of previously granted access rights, reconfiguring permissions to prevent a subject from performing specific actions on a resource, in accordance with updated access policies." . d3f:PersistenceTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Persistence Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0003 ] ; d3f:definition "The adversary is trying to maintain their foothold." ; d3f:enables d3f:TA0003 . d3f:Person a owl:Class, owl:NamedIndividual ; rdfs:label "Person" ; rdfs:subClassOf d3f:Agent, [ a owl:Restriction ; owl:onProperty d3f:name ; owl:someValuesFrom xsd:string ] ; d3f:definition "A person is a human being." . d3f:PersonalComputer a owl:Class ; rdfs:label "Personal Computer" ; rdfs:subClassOf d3f:ClientComputer ; rdfs:isDefinedBy ; d3f:definition "A personal computer (PC) is a multi-purpose computer whose size, capabilities, and price make it feasible for individual use. Personal computers are intended to be operated directly by an end user, rather than by a computer expert or technician. Unlike large, costly minicomputers and mainframes, time-sharing by many people at the same time is not used with personal computers. PCs have in practice become powerful enough that they may be shared by multiple users at any given time, though this is not common practice nor the primary purpose of a PC." . d3f:Perturbation-basedLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Perturbation-based Learning" ; rdfs:subClassOf d3f:IntrinsicallySemi-supervisedLearning ; d3f:d3fend-id "D3A-PBL" ; d3f:definition "Perturbation based methods are proposed under the smoothness assumption, which indicates that two data points close to each other in feature space are likely to have the same label." ; d3f:kb-article """## References Zheng, Y., & Song, Y. (2021). An Effective Perturbation-Based Semi-Supervised Learning Method for Acoustic Event Classification. IEEE/ACM Transactions on Audio, Speech, and Language Processing, 29, 3580-3591. [Link](https://www.semanticscholar.org/paper/An-Effective-Perturbation-Based-Semi-Supervised-for-Zheng-Song/b75ae37d137ac354eb2ed42917e461b4dccdc977). Engelen, S., & Hoos, H. (2020). A survey on semi-supervised learning. Machine Learning, 109(2), 299-337. [Link](https://link.springer.com/article/10.1007/s10994-019-05855-6).""" . d3f:PhiCoefficient a owl:Class, owl:NamedIndividual ; rdfs:label "Phi Coefficient" ; rdfs:subClassOf d3f:Correlation ; d3f:d3fend-id "D3A-PC" ; d3f:definition "The phi coefficient (or mean square contingency coefficient is a measure of association for two binary variables." ; d3f:kb-article """## References \\Wikipedia. (n.d.). Phi coefficient. [Link](https://en.wikipedia.org/wiki/Phi_coefficient)""" ; d3f:synonym "Matthews Correlation Coefficient (in machine learning)", "MCC" . d3f:PhysicalAccessAlarmEvent a owl:Class ; rdfs:label "Physical Access Alarm Event" ; rdfs:subClassOf d3f:DigitalEvent ; rdfs:comment "An event occuring when a physical threshold is crossed." . d3f:PhysicalAccessMediation a d3f:PhysicalAccessMediation, owl:Class, owl:NamedIndividual ; rdfs:label "Physical Access Mediation" ; rdfs:subClassOf d3f:AccessMediation, [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:PhysicalArtifact ], [ a owl:Restriction ; owl:onProperty d3f:mediates-access-to ; owl:someValuesFrom d3f:PhysicalArtifact ] ; d3f:d3fend-id "D3-PAM" ; d3f:definition "Physical access mediation is the process of granting or denying specific requests to enter specific physical facilities (e.g., Federal buildings, military establishments, border crossing entrances.)" ; d3f:isolates d3f:PhysicalArtifact ; d3f:kb-reference d3f:Reference-CNNSI-4009 ; d3f:mediates-access-to d3f:PhysicalArtifact ; d3f:synonym "Physical Access Control" . d3f:PhysicalAccessMonitoring a d3f:PhysicalAccessMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Physical Access Monitoring" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Detect ] ; d3f:d3fend-id "D3-PHAM" ; d3f:definition "Monitoring the physical access of a specified environment through detection, recording, reviewing, and logging of who/what enters and exists areas." ; d3f:enables d3f:Detect ; d3f:kb-reference d3f:Reference-NIST-SP-800-53-R5 . d3f:PhysicalAddress a owl:Class, owl:NamedIndividual ; rdfs:label "Physical Address" ; rdfs:subClassOf d3f:MemoryAddress ; rdfs:isDefinedBy ; d3f:definition "In a computer supporting virtual memory, the term physical address is used mostly to differentiate from a virtual address. In particular, in computers utilizing a memory management unit(MMU) to translate memory addresses, the virtual and physical addresses refer to an address before and after translation performed by the MMU, respectively." . d3f:PhysicalArtifact a owl:Class, owl:NamedIndividual ; rdfs:label "Physical Artifact" ; skos:altLabel "Physical Object" ; rdfs:subClassOf d3f:Artifact, [ a owl:Restriction ; owl:onProperty d3f:has-location ; owl:someValuesFrom d3f:PhysicalLocation ] . d3f:PhysicalAttacker a owl:Class ; rdfs:label "Physical Attacker" ; rdfs:subClassOf d3f:LocalAttacker, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:ComputerPlatform ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:HardwareDevice ] ; d3f:definition "An attacker who is physically close enough to interact with the system directly, such as through physical access to devices." . d3f:PhysicalDataDiode a owl:Class, owl:NamedIndividual ; rdfs:label "Physical Data Diode" ; rdfs:subClassOf d3f:HardwareDevice ; rdfs:isDefinedBy ; d3f:definition "A device that physically enforces one-way (unidirectional) network communication." ; skos:example . d3f:PhysicalEnclosureHardening a d3f:PhysicalEnclosureHardening, owl:Class, owl:NamedIndividual ; rdfs:label "Physical Enclosure Hardening" ; rdfs:subClassOf d3f:PlatformHardening, [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:ComputerEnclosure ] ; d3f:d3fend-id "D3-PEH" ; d3f:definition "Physical changes to a computer enclosure which reduce the ability for agents or the environment to affect the contained computer system." ; d3f:hardens d3f:ComputerEnclosure ; d3f:kb-article """## How it works System designers or operators make physical changes to a computer enclosure which reduce the ability for agents or the environment to affect the contained computer system. These additions to the enclosure may be of various materials to reduce the effects of heat, gases, vibration, or agent access. ## Considerations * Use asset inventory tools to track physical equipment and monitor both people and devices for access control. * Consider relevant regulations to ensure enclosures are in compliance. * Properly hardened enclosures should be installed and maintained to ensure they are operable and free of tampering. Access to these enclosures is controlled through physical barriers, such as locks and bolts, and may include tamper-evident hardware. * Records should be maintained concerning maintenance performed, access, and any possible tampering marks or associated incidents.""" ; d3f:kb-reference d3f:Reference-GeneralUseOfLocksInTheProtectionAndControlOfFacilitiesRadioActiveMaterialsClassifiedInformationClassifiedMatterAndSafeguardsInformation, d3f:Reference-GuideToOTSecurity . d3f:PhysicalKey a owl:Class ; rdfs:label "Physical Key" ; rdfs:subClassOf d3f:PhysicalArtifact, [ a owl:Restriction ; owl:onProperty d3f:operates ; owl:someValuesFrom d3f:PhysicalKeyLock ] ; d3f:definition "A physical key is used to operate a lock, typically metal, designed with specific markers that match the internal mechanism of a lock, allowing it to rotate the lock when inserted." . d3f:PhysicalKeyLock a owl:Class ; rdfs:label "Physical Key Lock" ; rdfs:subClassOf d3f:PhysicalLock, [ a owl:Restriction ; owl:onProperty d3f:uses ; owl:someValuesFrom d3f:PhysicalKey ] ; rdfs:isDefinedBy "NRC Regulatory Guide 5.12 Rev1" ; d3f:definition "A mechanical locking device for securing moveable portions of physical barriers (e.g., doors, gates, drawers) in a secured position." ; d3f:synonym "keyed lock" . d3f:PhysicalLink a owl:Class, owl:NamedIndividual ; rdfs:label "Physical Link" ; rdfs:subClassOf d3f:Link, [ a owl:Restriction ; owl:onProperty d3f:carries ; owl:someValuesFrom d3f:Signal ] ; d3f:carries d3f:Signal ; d3f:definition """A physical link is a dedicated connection for communication that uses some physical media (electrical, electromagnetic, optical, to include clear spaces or vacuums.) A physical link represents only a single hop (link) in any larger communcations path, circuit, or network. NOTE: not synonymous with data link as a data link can be over a telecommunications circuit, which may be a virtual circuit composed of multiple phyical links.""" ; d3f:synonym "Layer-1 Link" ; rdfs:seeAlso . d3f:PhysicalLinkConnectEvent a owl:Class ; rdfs:label "Physical Link Connect Event" ; rdfs:subClassOf d3f:PhysicalLinkEvent, [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:PhysicalLinkUpEvent ] ; d3f:definition "The medium is attached or the port is enabled, establishing electrical or optical continuity so that link negotiation can begin." . d3f:PhysicalLinkDisableEvent a owl:Class ; rdfs:label "Physical Link Disable Event" ; rdfs:subClassOf d3f:PhysicalLinkEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:PhysicalLinkUpEvent ] ; d3f:definition "An administrator issues a shutdown or disable command, forcing the link out of service regardless of signal status." . d3f:PhysicalLinkDisconnectEvent a owl:Class ; rdfs:label "Physical Link Disconnect Event" ; rdfs:subClassOf d3f:PhysicalLinkEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:PhysicalLinkDownEvent ] ; d3f:definition "The transmission medium is removed or power is cut, physically breaking the path between the two interfaces." . d3f:PhysicalLinkDownEvent a owl:Class ; rdfs:label "Physical Link Down Event" ; rdfs:subClassOf d3f:PhysicalLinkEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:PhysicalLinkUpEvent ], [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:PhysicalLinkDisconnectEvent ] ; d3f:definition "Carrier or negotiation is lost, or the port is shut, rendering the link non-operational while the medium remains connected." . d3f:PhysicalLinkErrorDisableEvent a owl:Class ; rdfs:label "Physical Link Error Disable Event" ; rdfs:subClassOf d3f:PhysicalLinkEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:PhysicalLinkDownEvent ] ; d3f:definition "The device automatically disables the link in response to fault conditions such as excessive faults or signal degradation." . d3f:PhysicalLinkEvent a owl:Class ; rdfs:label "Physical Link Event" ; rdfs:subClassOf d3f:NetworkDeviceEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:PhysicalLink ] ; d3f:definition "A discrete event that changes either the presence of the transmission medium or the operational state of a single-hop layer-1 link between two network nodes." . d3f:PhysicalLinkMapping a d3f:PhysicalLinkMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Physical Link Mapping" ; rdfs:subClassOf d3f:NetworkMapping, [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:NetworkNode ], [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:PhysicalLink ] ; d3f:d3fend-id "D3-PLM" ; d3f:definition "Physical link mapping identifies and models the link connectivity of the network devices within a physical network." ; d3f:kb-reference d3f:Reference-LibreNMSDocsNetworkMapExtension ; d3f:maps d3f:NetworkNode, d3f:PhysicalLink ; d3f:synonym "Layer 1 Mapping" ; rdfs:seeAlso . d3f:PhysicalLinkUpEvent a owl:Class ; rdfs:label "Physical Link Up Event" ; rdfs:subClassOf d3f:PhysicalLinkEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:PhysicalLinkConnectEvent ], [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:PhysicalLinkDownEvent ] ; d3f:definition "Auto-negotiation and signal detection complete; carrier is present and the link can forward frames." . d3f:PhysicalLocation a owl:Class, owl:NamedIndividual ; rdfs:label "Physical Location" ; rdfs:subClassOf d3f:D3FENDCore ; rdfs:isDefinedBy ; d3f:definition "The terms location [here, a physical location] and place in geography are used to identify a point or an area on the Earth's surface or elsewhere. The term location generally implies a higher degree of certainty than place, which often indicates an entity with an ambiguous boundary, relying more on human or social attributes of place identity and sense of place than on geometry. The distinction between space and place is considered a central concern of geography, and has been addressed by scholars such as Yi-Fu Tuan and John Agnew." ; rdfs:seeAlso . d3f:PhysicalLock a owl:Class ; rdfs:label "Physical Lock" ; rdfs:subClassOf d3f:PhysicalArtifact ; d3f:definition "A lock is a mechanical latching device for securing moveable portions of physical barriers in a secured position." ; rdfs:seeAlso . d3f:PhysicalLocking a d3f:PhysicalLocking, owl:Class, owl:NamedIndividual ; rdfs:label "Physical Locking" ; rdfs:subClassOf d3f:PhysicalAccessMediation, [ a owl:Restriction ; owl:onProperty d3f:mediates-access-to ; owl:someValuesFrom d3f:ComputerEnclosure ] ; d3f:d3fend-id "D3-EPL" ; d3f:definition "Employ a mechanical locking device for securing moveable portions of physical barriers (e.g., doors, gates, drawers) in a secured position." ; d3f:kb-article """## How it works A physical mechanism which has a associated credential which when entered enables the lock bolt to operate, i.e. open or close. ## Considerations * Consider that locks for specified materials should adhere to relevant regulations. * Lock equipment cabinets when not needed for operation or safety; set OT asset keys of devices (e.g., PLCs and safety systems) to the “RUN” position unless otherwise specified. * Locks and all associated hardware should be properly installed, operable, and free of substantive indications of tampering. * Records should be maintained concerning maintenance performed, access, and any possible tampering marks or associated incidents. * For locks operated by a physical key, a key management system should be implemented to manage and secure physical keys. * Key locks should provide a high degree of resistance to opening by force and tampering techniques.""" ; d3f:kb-reference d3f:Reference-GeneralUseOfLocksInTheProtectionAndControlOfFacilitiesRadioActiveMaterialsClassifiedInformationClassifiedMatterAndSafeguardsInformation, d3f:Reference-GuideToOTSecurity ; d3f:mediates-access-to d3f:ComputerEnclosure . d3f:Pipe a owl:Class, owl:NamedIndividual ; rdfs:label "Pipe" ; skos:altLabel "Pipeline" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "In Unix-like computer operating systems, a pipeline is a mechanism for inter-process communication using message passing. In the strictest sense, a pipe is a single segment of a pipeline, allowing one process to pass information forward to another. Network pipes allow processes on different hosts to interact." ; rdfs:seeAlso . d3f:Pix2Pix a owl:Class, owl:NamedIndividual ; rdfs:label "Pix2Pix" ; rdfs:subClassOf d3f:Image-to-ImageTranslationGAN ; d3f:d3fend-id "D3A-PIX" ; d3f:definition "Pix2Pix is based on condtional GAN architecture and are trained on paired set of images or scenes from two domains to be used for translation." ; d3f:kb-article """## References Esri. (n.d.). How Pix2Pix Works. [Link](https://developers.arcgis.com/python/guide/how-pix2pix-works/)""" . d3f:Plan a owl:Class ; rdfs:label "Plan" ; rdfs:subClassOf d3f:D3FENDCore . d3f:Planning a owl:Class ; rdfs:label "Planning" ; rdfs:subClassOf d3f:AnalyticalPurpose . d3f:PlatformHardening a d3f:PlatformHardening, owl:Class, owl:NamedIndividual ; rdfs:label "Platform Hardening" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Harden ] ; d3f:d3fend-id "D3-PH" ; d3f:definition """Hardening components of a Platform with the intention of making them more difficult to exploit. Platforms includes components such as: * BIOS UEFI Subsystems * Hardware security devices such as Trusted Platform Modules * Boot process logic or code * Kernel software components""" ; d3f:enables d3f:Harden ; d3f:synonym "Endpoint Hardening", "System Hardening" . d3f:PlatformMonitoring a d3f:PlatformMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Platform Monitoring" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Detect ] ; d3f:d3fend-id "D3-PM" ; d3f:definition "Monitoring platform components such as operating systems software, hardware devices, or firmware." ; d3f:enables d3f:Detect ; d3f:kb-article """Platform monitoring consists of the analysis and monitoring of system level devices and low-level components, including hardware devices, to detect unauthorized modifications or suspicious activity. Monitored platform components includes system files and embedded devices such as: * Kernel software modules * Boot process code and load logic * Operating system components and device files * System libraries and dynamically loaded files * Hardware device drivers * Embedded firmware devices""" . d3f:PlatformUptime a owl:Class, owl:NamedIndividual ; rdfs:label "Platform Uptime" ; rdfs:subClassOf d3f:SystemPlatformVariable ; rdfs:comment "In OT controllers this may not be a default tag rather something that should be defined using other system tags." ; d3f:definition "A variable that notes the amount of time a platform has been running since its last power cycle or reset." . d3f:PlatformUptimeMonitoring a d3f:PlatformUptimeMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Platform Uptime Monitoring" ; rdfs:subClassOf d3f:PlatformMonitoring, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:PlatformUptime ] ; d3f:d3fend-id "D3-PUM" ; d3f:definition "Monitor the amount of time since the last power cycle or restart." ; d3f:kb-article """## How it works Monitoring the time since the last power cycle or restart alerts operators to unexpected restarts and their frequency. This can indicate potential issues or malicious activity, and provides valuable information for forensic investigations. ## Considerations The source of the variable may be mutable depending on the platform, and the provenance of the value.""" ; d3f:kb-reference d3f:Reference-SecurePLCCodingPracticesTop20List ; d3f:monitors d3f:PlatformUptime . d3f:Point-biserialCorrelationCoefficient a owl:Class, owl:NamedIndividual ; rdfs:label "Point-biserial Correlation Coefficient" ; rdfs:subClassOf d3f:Correlation ; d3f:d3fend-id "D3A-PBCC" ; d3f:definition "The point biserial correlation coefficient (rpb) is a correlation coefficient used when one variable (e.g. Y) is dichotomous; Y can either be \"naturally\" dichotomous, like whether a coin lands heads or tails, or an artificially dichotomized variable." ; d3f:kb-article """## References Wikipedia. (n.d.). Point-biserial correlation coefficient. [Link](https://en.wikipedia.org/wiki/Point-biserial_correlation_coefficient)""" . d3f:Pointer a owl:Class, owl:NamedIndividual ; rdfs:label "Pointer" ; rdfs:subClassOf d3f:DigitalInformation ; rdfs:isDefinedBy ; d3f:definition "In computer science, a pointer is a programming language object, whose value refers to (or \"points to\") another value stored elsewhere in the computer memory using its memory address. A pointer references a location in memory, and obtaining the value stored at that location is known as dereferencing the pointer. As an analogy, a page number in a book's index could be considered a pointer to the corresponding page; dereferencing such a pointer would be done by flipping to the page with the given page number." . d3f:PointerAuthentication a d3f:PointerAuthentication, owl:Class, owl:NamedIndividual ; rdfs:label "Pointer Authentication" ; rdfs:subClassOf d3f:ApplicationHardening, [ a owl:Restriction ; owl:onProperty d3f:authenticates ; owl:someValuesFrom d3f:Pointer ] ; d3f:authenticates d3f:Pointer ; d3f:d3fend-id "D3-PAN" ; d3f:definition "Comparing the cryptographic hash or derivative of a pointer's value to an expected value." ; d3f:kb-article """## How It Works Pointer Authentication (frequently referred to as PAC, although the technique is properly Pointer Authentication) is a security feature to provide protection against attackers with memory read/write access. A Pointer Authentication Code (PAC) is a cryptographic hash or derivative computed on the value of a pointer and some additional context information which can then provide a cryptographically strong guarantee about the likelihood that a pointer has been tampered with by an attacker. Although pointers are 64 bits, most systems have a substantially smaller virtual address space, leaving unused bits in pointers that can store the value of the PAC, this can be done to reduce memory space requirements. One implementation is in ARMv8.3-A. A PAC is computed over the 64-bit pointer value and a 64-bit context value. Instructions are introduced to deal with pointers: one category to compute and insert the PAC into a pointer, another category to verify the pointer and invalidate the pointer if the PAC does not check, and a third category to remove the pointer and restore the original value without verifying. The ARM standard specifies a cryptographic algorithm called QARMA-64 (designed by Qualcomm) to compute the signature, although this algorithm is not required. The architecture provides for five secret 128-bit Pointer Authentication keys: two for instruction pointers, two for data pointers, and a general key for signing larger blocks of data. ## Considerations In the ARM implementation, the mechanisms above for manipulating PACS are provided, but it is up to the code developer to manage the keys for the cryptographic algorithm. A known potential limitation of PACs concerns signing gadgets. Under certain circumstances PACs can be bypassed by forcing the system to run a signing gadget which will allow the signing of arbitrary pointers to occur.""" ; d3f:kb-reference d3f:Reference-PointerAuthenticationOnARMv8.3, d3f:Reference-PointerAuthenticationProjectZero . d3f:PointerDereferencingFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Pointer Dereferencing Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:addresses ; owl:someValuesFrom d3f:MemoryBlock ], [ a owl:Restriction ; owl:onProperty d3f:addresses ; owl:someValuesFrom d3f:Pointer ] ; rdfs:comment "Note, this is not the actual code which performs the dereferencing operation internal to an application runtime." ; d3f:addresses d3f:MemoryBlock, d3f:Pointer ; d3f:definition "A function which has an operation which dereferences a pointer." . d3f:PointerValidation a owl:Class, owl:NamedIndividual ; rdfs:label "Pointer Validation" ; rdfs:subClassOf d3f:SourceCodeHardening ; d3f:d3fend-id "D3-PV" ; d3f:definition "Ensuring that a pointer variable has the required properties for use." ; d3f:kb-reference d3f:Reference-PointerValidationFunction_SEI . d3f:PointEstimation a owl:Class, owl:NamedIndividual ; rdfs:label "Point Estimation" ; rdfs:subClassOf d3f:Estimation ; d3f:d3fend-id "D3A-PE" ; d3f:definition "A point estimation is a single value that estimates the parameter. Point estimates are single values calculated from the sample" ; d3f:kb-article """## References Pennsylvania State University. (n.d.). Statistical Inference and Estimation. [Link](https://online.stat.psu.edu/stat504/lesson/statistical-inference-and-estimation)""" . d3f:PolicyGradient a owl:Class, owl:NamedIndividual ; rdfs:label "Policy Gradient" ; rdfs:subClassOf d3f:Model-freeReinforcementLearning ; d3f:d3fend-id "D3A-PG" ; d3f:definition "The objective of a Reinforcement Learning Policy Gradient agent is to maximize the “expected” reward when following a policy" ; d3f:kb-article """## References Policy Gradients in a Nutshell. Towards Data Science. [Link](https://towardsdatascience.com/policy-gradients-in-a-nutshell-8b72f9743c5d).""" . d3f:PolicyReference a owl:Class ; rdfs:label "Policy Reference" ; rdfs:subClassOf d3f:TechniqueReference ; d3f:pref-label "Policy" . d3f:POSIXSymbolicLink a owl:Class ; rdfs:label "POSIX Symbolic Link" ; rdfs:subClassOf d3f:SymbolicLink, d3f:UnixLink ; rdfs:isDefinedBy ; d3f:definition "A POSIX-compliant symbolic link. These are often fast symbolic links, but need not be." . d3f:PowerAndThermalDeviceEvent a owl:Class ; rdfs:label "Power and Thermal Device Event" ; rdfs:subClassOf d3f:HardwareDeviceEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Sensor ] ; d3f:definition "An event involving power supplies, batteries, or thermal management devices. These events represent changes in power states, temperature thresholds, or cooling system activity." . d3f:PowerShellProfileScript a owl:Class, owl:NamedIndividual ; rdfs:label "PowerShell Profile Script" ; rdfs:subClassOf d3f:UserInitScript ; d3f:definition "A PowerShell profile script is a script that runs when PowerShell starts and can be used as a logon script to customize user environments." ; rdfs:seeAlso . d3f:PowerSupply a owl:Class ; rdfs:label "Power Supply" ; rdfs:subClassOf d3f:HardwareDevice ; d3f:definition "A power supply is an electrical device or module that converts and regulates energy from a source (e.g., the power grid or batteries) to an appropriate voltage, current, and frequency for one or more loads. It may stand alone or be integrated into its host appliance, often providing overcurrent protection, voltage regulation, or power conditioning for safe, stable operation." ; rdfs:seeAlso . d3f:PreAuthenticationEvent a owl:Class ; rdfs:label "Pre-Authentication Event" ; rdfs:subClassOf d3f:AuthenticationEvent, [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:Authentication ] ; d3f:definition "An event representing preparatory steps or processes conducted prior to the primary authentication operation. Pre-authentication often involves initial protocol exchanges, cryptographic challenges, or the validation of supplemental factors (e.g., pre-shared keys) to ensure the readiness and security of the authentication workflow." . d3f:PredicateLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Predicate Logic" ; rdfs:subClassOf d3f:SymbolicAI ; d3f:d3fend-id "D3A-PL" ; d3f:definition "Predicate logic is is collection of formal systems used in mathematics, philosophy, linguistics, and computer science. First-order logic and Higher-order logic both incorporate predicate logic." ; d3f:kb-article """## References 1. First-order logic. (2023, May 26). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/First-order_logic) 2. Higher-order logic. (2023, May 13) [Link](https://en.wikipedia.org/wiki/Higher-order_logic)""" . d3f:PrimaryStorage a owl:Class, owl:NamedIndividual ; rdfs:label "Primary Storage" ; rdfs:subClassOf d3f:HardwareDevice, d3f:Storage, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:PageFrame ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ProcessSegment ] ; rdfs:isDefinedBy ; d3f:contains d3f:PageFrame, d3f:ProcessSegment ; d3f:definition "Primary memory of a computer is memory that is wired directly to the processor, consisting of RAM and possibly ROM. These terms are used in contrast to mass storage devices and cache memory (although we may note that when a program accesses main memory, it is often actually interacting with a cache)." ; rdfs:seeAlso . d3f:PrincipalComponentAnalysis a owl:Class, owl:NamedIndividual ; rdfs:label "Principal Component Analysis" ; rdfs:subClassOf d3f:MultivariateAnalysis ; d3f:d3fend-id "D3A-PCA" ; d3f:definition "Principal components analysis (PCA) creates a new set of orthogonal variables that contain the same information as the original set. It rotates the axes of variation to give a new set of orthogonal axes, ordered so that they summarize decreasing proportions of the variation." ; d3f:kb-article """## References Wikipedia. (n.d.). Multivariate statistics. [Link](https://en.wikipedia.org/wiki/Multivariate_statistics)""" ; d3f:synonym "PCA" . d3f:PrincipalComponentsAnalysis a owl:Class, owl:NamedIndividual ; rdfs:label "Principal Components Analysis" ; rdfs:subClassOf d3f:DimensionReduction ; d3f:d3fend-id "D3A-PCA" ; d3f:definition "Principal Component Analysis (PCA) is a statistic-based method of identifying patterns in a large dataset while increasing interpretability and preserving information." ; d3f:kb-article """## References Wikipedia. (n.d.). Principal component analysis. [Link](https://en.wikipedia.org/wiki/Principal_component_analysis)""" . d3f:PrintServer a owl:Class ; rdfs:label "Print Server" ; rdfs:subClassOf d3f:Server ; rdfs:isDefinedBy ; d3f:definition "A print server, or printer server, is a device that connects printers to client computers over a network. It accepts print jobs from the computers and sends the jobs to the appropriate printers, queuing the jobs locally to accommodate the fact that work may arrive more quickly than the printer can actually handle." . d3f:PrivateKey a owl:Class, owl:NamedIndividual ; rdfs:label "Private Key" ; rdfs:subClassOf d3f:AsymmetricKey, [ a owl:Restriction ; owl:onProperty d3f:has-dependent ; owl:someValuesFrom d3f:PublicKey ] ; d3f:definition "A private key can be used to decrypt messages encrypted using the corresponding public key, or used to sign a message that can be authenticated with the corresponding public key." ; d3f:has-dependent d3f:PublicKey ; rdfs:seeAlso . d3f:PrivilegedUserAccount a owl:Class ; rdfs:label "Privileged User Account" ; rdfs:subClassOf d3f:UserAccount ; rdfs:isDefinedBy ; d3f:definition "A privileged account is a user account that has more privileges than ordinary users. Privileged accounts might, for example, be able to install or remove software, upgrade the operating system, or modify system or application configurations. They might also have access to files that are not normally accessible to standard users. Typical examples are root and administrator accounts. But there also service accounts, system accounts, etc. Privileged accounts are especially powerful, and should be monitored especially closely." ; rdfs:seeAlso . d3f:PrivilegeEscalationTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Privilege Escalation Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0004 ] ; d3f:definition "The adversary is trying to gain higher-level permissions." ; d3f:enables d3f:TA0004 . d3f:ProbabilisticLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Probabilistic Logic" ; rdfs:subClassOf d3f:SymbolicAI ; d3f:d3fend-id "D3A-PL" ; d3f:definition "Probabilistic logic extends traditional logic truth tables with probabilistic expressions." ; d3f:kb-article """## References 1. Probabilistic logic. (2023, June 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Probabilistic_logic)""" . d3f:Procedure a owl:Class ; rdfs:label "Procedure" ; rdfs:subClassOf d3f:Plan, [ a owl:Restriction ; owl:onProperty d3f:implements ; owl:someValuesFrom d3f:Technique ], [ a owl:Restriction ; owl:onProperty d3f:start ; owl:allValuesFrom d3f:Step ] . d3f:Process a owl:Class, owl:NamedIndividual ; rdfs:label "Process" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ProcessImage ], [ a owl:Restriction ; owl:onProperty d3f:instructed-by ; owl:someValuesFrom d3f:Software ], [ a owl:Restriction ; owl:onProperty d3f:may-execute ; owl:someValuesFrom d3f:Thread ], [ a owl:Restriction ; owl:onProperty d3f:process-command-line-arguments ; owl:someValuesFrom xsd:string ], [ a owl:Restriction ; owl:onProperty d3f:process-environmental-variables ; owl:someValuesFrom xsd:string ], [ a owl:Restriction ; owl:onProperty d3f:process-identifier ; owl:someValuesFrom xsd:integer ], [ a owl:Restriction ; owl:onProperty d3f:process-image-path ; owl:someValuesFrom d3f:ExecutableBinary ], [ a owl:Restriction ; owl:onProperty d3f:process-security-context ; owl:someValuesFrom xsd:string ], [ a owl:Restriction ; owl:onProperty d3f:process-user ; owl:someValuesFrom d3f:UserAccount ], [ a owl:Restriction ; owl:onProperty d3f:uses ; owl:someValuesFrom d3f:Resource ] ; rdfs:isDefinedBy ; d3f:contains d3f:ProcessImage ; d3f:definition "A process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system (OS), a process may be made up of multiple threads of execution that execute instructions concurrently. A computer program is a passive collection of instructions, while a process is the actual execution of those instructions. Several processes may be associated with the same program; for example, opening up several instances of the same program often means more than one process is being executed." ; d3f:instructed-by d3f:Software ; d3f:may-execute d3f:Thread ; d3f:process-image-path d3f:ExecutableBinary ; d3f:process-user d3f:UserAccount ; d3f:uses d3f:Resource ; rdfs:seeAlso . d3f:ProcessAccessEvent a owl:Class ; rdfs:label "Process Access Event" ; rdfs:subClassOf d3f:ProcessEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ProcessCreationEvent ] ; d3f:definition "An event where one process interacts with another, such as reading memory, inspecting state, or altering behavior." . d3f:ProcessAnalysis a d3f:ProcessAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Process Analysis" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Detect ] ; d3f:d3fend-id "D3-PA" ; d3f:definition "Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations." ; d3f:enables d3f:Detect . d3f:ProcessCodeSegment a owl:Class, owl:NamedIndividual ; rdfs:label "Process Code Segment" ; skos:altLabel "Process Text Segment" ; rdfs:subClassOf d3f:ProcessSegment, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Subroutine ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:ProcessSegment ] ; d3f:contains d3f:Subroutine ; d3f:definition "A process code segment, also known as a text segment or simply as text, is a portion of the program's virtual address space that contains executable instructions and corresponds to the loaded image code segment. Includes additional sections such as an import table." ; d3f:may-contain d3f:ProcessSegment ; rdfs:seeAlso d3f:ImageCodeSegment, . d3f:ProcessCodeSegmentVerification a d3f:ProcessCodeSegmentVerification, owl:Class, owl:NamedIndividual ; rdfs:label "Process Code Segment Verification" ; rdfs:subClassOf d3f:ProcessAnalysis, [ a owl:Restriction ; owl:onProperty d3f:verifies ; owl:someValuesFrom d3f:ProcessCodeSegment ] ; d3f:d3fend-id "D3-PCSV" ; d3f:definition "Comparing the \"text\" or \"code\" memory segments to a source of truth." ; d3f:kb-article """## How it works A process code segment is an executable portion of computer memory allocated to a particular process. Process Code Segment Verification implements verification to compare a process code segment to some expected value. ### Verification logic Verification can occur during application startup, or continuously during execution. The logic which verifies the process code may be separate in a third-party process, embedded in the application itself at compile time, or dynamically linked at runtime. ### System of record Examples of systems of record: * On-disk application binary files or checksums * Remotely stored binary data or checksums * Embedded binary data or checksums ### Post Verification Actions If the verification function determines a process code segment may have been altered, a capability may invoke Eviction techniques as **Process Termination** to end the current process, or **Executable Blacklisting** to prevent the executable from launching in the future. ## Considerations ### False positives False positives commonly occur in the case that the layout of code in the process segment is legitimately modified: * Operating system features or third-party security software may modify the layout of process code, for example in the defensive technique **Segment Address Offset Randomization**, or in the case that a module is rebased. In both of these cases, the alteration occurs before the code is fully loaded into memory, and it would be possible to avoid the false positive by securely feeding this constant offset and any relocation data into the verification logic. * Process code segments may be written to modify themselves or other process code segments; however, this goes against widely-accepted current practices in software development. ### False negatives False negatives can occur via alteration of the verification logic or source of truth, or insufficient verification logic. * Verification techniques which are executed only locally may be defeated by altering the local verification logic. * Verification that is run only on a recurring basis could be evaded if the malicious alteration is completed before verification is run. * Verification that requests an operation to be performed on a subset of the code segment could be evaded by performing that operation on a copy of the relevant bytes of the code segment. * Verification based on a system of record that can be altered may fail if that system of record is modifiable by a malicious user.""" ; d3f:kb-reference d3f:Reference-Anti-tamperSystemWithSelf-adjustingGuards_ARXANTECHNOLOGIESInc, d3f:Reference-GuardsForApplicationInSoftwareTamperproofing_PurdueResearchFoundation, d3f:Reference-SystemAndMethodForDetectingMalwareInjectedIntoMemoryOfAComputingDevice_EndgameInc, d3f:Reference-SystemAndMethodForValidatingIn-memoryIntegrityOfExecutableFilesToIdentifyMaliciousActivity_EndgameInc, d3f:Reference-TamperProofMutatingSoftware_ARXANTECHNOLOGIESInc, d3f:Reference-ThreatDetectionThroughTheAccumulatedDetectionOfThreatCharacteristics_SophosLtd ; d3f:verifies d3f:ProcessCodeSegment . d3f:ProcessCreationEvent a owl:Class ; rdfs:label "Process Creation Event" ; rdfs:subClassOf d3f:ProcessEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:ProcessStartFunction ] ; d3f:definition "An event where a new process is spawned, initializing its execution context and resource allocation." . d3f:ProcessDataSegment a owl:Class ; rdfs:label "Process Data Segment" ; rdfs:subClassOf d3f:ProcessSegment ; d3f:definition "A process data segment, is a portion of the program's virtual address space that contains executable instructions and corresponds to the loaded image data segment." ; rdfs:seeAlso d3f:ImageDataSegment, . d3f:ProcessEnvironmentVariable a owl:Class, owl:NamedIndividual ; rdfs:label "Process Environment Variable" ; skos:altLabel "Environment Variable" ; rdfs:subClassOf d3f:ApplicationConfiguration ; rdfs:isDefinedBy ; d3f:definition "An environment variable is a dynamic-named value that can affect the way running processes will behave on a computer. They are part of the environment in which a process runs." . d3f:ProcessEvent a owl:Class ; rdfs:label "Process Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Process ] ; d3f:definition "An event capturing lifecycle transitions, interactions, or activities of computer processes, including their creation, termination, and inter-process communication." ; rdfs:seeAlso . d3f:ProcessEviction a d3f:ProcessEviction, owl:Class, owl:NamedIndividual ; rdfs:label "Process Eviction" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Evict ] ; d3f:d3fend-id "D3-PE" ; d3f:definition "Process eviction techniques terminate or remove running process." ; d3f:enables d3f:Evict ; d3f:kb-reference d3f:Reference-MalwareDetectionUsingLocalComputationalModels_CrowdstrikeInc . d3f:ProcessImage a owl:Class, owl:NamedIndividual ; rdfs:label "Process Image" ; rdfs:subClassOf d3f:ComputingImage, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ProcessSegment ] ; rdfs:isDefinedBy ; d3f:contains d3f:ProcessSegment ; d3f:definition "A process image is a copy of a given process's state at a given point in time. It is often used to create persistence within an otherwise volatile system." . d3f:ProcessLineageAnalysis a d3f:ProcessLineageAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Process Lineage Analysis" ; rdfs:subClassOf d3f:ProcessSpawnAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Process ], [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:ProcessTree ] ; d3f:analyzes d3f:Process, d3f:ProcessTree ; d3f:d3fend-id "D3-PLA" ; d3f:definition "Identification of suspicious processes executing on an end-point device by examining the ancestry and siblings of a process, and the associated metadata of each node on the tree, such as process execution, duration, and order relative to siblings and ancestors." ; d3f:kb-article """## How it works Process tree analysis techniques gather information on how a process was initiated to determine if a process is malicious. For example, if a process was not initiated from boot or not initiated by another process, that process is identified as suspicious. Also, if a new process was started before a process initiated by the device (ex. during boot) and that new process was not initiated by a user (which can be determined by examining process parameters such as type of process, its creator, source, etc.) the process is identified as suspicious. For example, Microsoft Word may block execution of any subprocess that is not in an approved path. ## Considerations * Attackers may spoof the parent PID (https://attack.mitre.org/techniques/T1502/), rendering such after-the-fact analysis on process lineage ineffective. * Processes may hide from various means of detection; an example on Linux is where a rootkit might remove key files for the process from its directory in /proc. * Zombie processes.""" ; d3f:kb-reference d3f:Reference-CAR-2020-11-002%3ALocalNetworkSniffing_MITRE, d3f:Reference-CAR-2020-11-004%3AProcessesStartedFromIrregularParent_MITRE, d3f:Reference-CAR-2021-02-002%3AGetSystemElevation_MITRE, d3f:Reference-CAR-2021-05-003%3ABCDEditFailureRecoveryModification_MITRE, d3f:Reference-CommandLaunchedFromWinLogon_MITRE, d3f:Reference-DebuggersForAccessibilityApplications_MITRE, d3f:Reference-GenericRegsvr32_MITRE, d3f:Reference-OutlierParentsOfCmd_MITRE, d3f:Reference-ProcessesSpawningCmd.exe_MITRE, d3f:Reference-QuickExecutionOfASeriesOfSuspiciousCommands_MITRE, d3f:Reference-Reg.exeCalledFromCommandShell_MITRE, d3f:Reference-RemotelyLaunchedExecutablesViaWMI_MITRE, d3f:Reference-ServiceOutlierExecutables_MITRE, d3f:Reference-ServiceSearchPathInterception_MITRE, d3f:Reference-ServicesLaunchingCmd_MITRE, d3f:Reference-SystemAndMethodsThereofForCausalityIdentificationAndAttributionsDeterminationOfProcessesInANetwork_PaloAltoNetworksIncCyberSecdoLtd, d3f:Reference-SystemAndMethodsThereofForIdentificationOfSuspiciousSystemProcesses_PaloAltoNetworksInc, d3f:Reference-UACBypass_MITRE ; d3f:synonym "Process Tree Analysis" . d3f:Processor a owl:Class ; rdfs:label "Processor" ; rdfs:subClassOf d3f:HardwareDevice ; d3f:definition "A processor is a hardware component or integrated circuit that performs computations, executes instructions, and processes data to carry out tasks within a computing system." ; d3f:synonym "Computer Processor" . d3f:ProcessorComponent a owl:Class ; rdfs:label "Processor Component" ; rdfs:subClassOf d3f:HardwareDevice ; d3f:definition "A Processor Component is a functional subunit or module within a processor that performs specific tasks to support the processor's overall operation." ; rdfs:seeAlso d3f:Processor . d3f:ProcessorRegister a owl:Class, owl:NamedIndividual ; rdfs:label "Processor Register" ; rdfs:subClassOf d3f:PrimaryStorage, [ a owl:Restriction ; owl:onProperty d3f:contained-by ; owl:someValuesFrom d3f:CentralProcessingUnit ] ; rdfs:isDefinedBy ; d3f:contained-by d3f:CentralProcessingUnit ; d3f:definition "A processor register is a quickly accessible location available to a computer's processor. Registers usually consist of a small amount of fast storage, although some registers have specific hardware functions, and may be read-only or write-only." ; rdfs:seeAlso . d3f:ProcessSegment a owl:Class, owl:NamedIndividual ; rdfs:label "Process Segment" ; rdfs:subClassOf d3f:BinarySegment ; d3f:definition "Process segments are distinct partitions of the memory space of a running process. Heap, data, code, and stack segments are examples of process segments." ; d3f:synonym "Process Memory" . d3f:ProcessSegmentExecutionPrevention a d3f:ProcessSegmentExecutionPrevention, owl:Class, owl:NamedIndividual ; rdfs:label "Process Segment Execution Prevention" ; rdfs:subClassOf d3f:ApplicationHardening, [ a owl:Restriction ; owl:onProperty d3f:neutralizes ; owl:someValuesFrom d3f:ProcessSegment ] ; d3f:d3fend-id "D3-PSEP" ; d3f:definition "Preventing execution of any address in a memory region other than the code segment." ; d3f:kb-article """## How it works During execution of a process, the instruction pointer register should only point to addresses in a code segment (also called the .text segment), as this is the sole segment which should contain program code. When this technique detects an attempt to execute something that has been designated as non-executable, other techniques such as those in **Process Eviction** might be invoked, such as **Process Termination** to end the current process, or **Executable Blacklisting** to blacklist the potentially vulnerable or malfunctioning executable. ### Software-based implementations The software-based implementation in Windows XP SP2 might not check that every time the instruction pointer is changed, and does not check on each jump or return. Before calling an exception handler, Windows XP SP2 software-enforced DEP checks whether the exception handler is located in a memory region marked as executable. If the program was also built with SafeSEH, this implementation also checks before changing control to the exception handler whether it is a registered exception handler in the program's file on disk. ### Hardware-based implementations The NX (No Execute) or XD (Execute Disable) bit on the processor specifies whether a certain part of memory is executable. Early implementations set this bit by the memory segment, while modern implementations which are built on the flat memory model often store this bit in each entry of the page table, to control execution by the page. ## Considerations Non-hardware process data segment execution prevention is more susceptible to being able to be turned off for a page of memory. Different implementations of this defense have been in place since the 1980s, but implementation stalled when larger 16-bit programs began stuffing code in the segments usually reserved for data. Many modern programs follow the best practice of separation of code and data, are able to run under this defense. ROP or ret2libc/return-to-function attacks could bypass this defense, as although they may pass attacker-controlled data or stack frames to a function, they abuse functions that are legitimately located in the .text segment (code segment) of the program. For those, more advanced defenses such as a table of valid jump addresses, function call analysis, or return depth analysis could be used.""" ; d3f:kb-reference d3f:Reference-DataExecutionPrevention_Microsoft, d3f:Reference-WhatIsNX_XDFeature_RedHat ; d3f:neutralizes d3f:ProcessSegment ; d3f:synonym "Execute Disable", "No Execute" . d3f:ProcessSelf-ModificationDetection a d3f:ProcessSelf-ModificationDetection, owl:Class, owl:NamedIndividual ; rdfs:label "Process Self-Modification Detection" ; rdfs:subClassOf d3f:ProcessAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Process ] ; d3f:analyzes d3f:Process ; d3f:d3fend-id "D3-PSMD" ; d3f:definition "Detects processes that modify, change, or replace their own code at runtime." ; d3f:kb-article """## How it Works A security agent installed on the host machine intercepts API calls between a process and operating system. Intercepted API calls are then compared against attack signatures/patterns to identify API calls that modify executable memory or modify the entry point address of a suspended child process. Attack patterns include: * Executable code of a suspended child process removed from memory by one or more API calls. * New executable code injected and / or loaded into memory of a suspended child process by one or more API calls. * Executable code modified by one or more API calls. * Next instruction pointer value in memory modified by one or more API calls. ## Considerations Comparing loaded code segments of processes with what is expected to have been loaded from a file can result in false positives, due to legitimate uses of self-modification for decrypting or uncompressing code segments.""" ; d3f:kb-reference d3f:Reference-SystemAndMethodForProcessHollowingDetection_CarbonBlackInc . d3f:ProcessSetUserIDEvent a owl:Class ; rdfs:label "Process Set User ID Event" ; rdfs:subClassOf d3f:ProcessEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ProcessCreationEvent ] ; d3f:definition "An event where a process changes or adopts a specific user identity, modifying its access privileges or operational context." . d3f:ProcessSpawnAnalysis a d3f:ProcessSpawnAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Process Spawn Analysis" ; rdfs:subClassOf d3f:ProcessAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:CreateProcess ], [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Process ] ; d3f:analyzes d3f:CreateProcess, d3f:Process ; d3f:d3fend-id "D3-PSA" ; d3f:definition "Analyzing spawn arguments or attributes of a process to detect processes that are unauthorized." ; d3f:kb-article """## How it works Process attributes are established when an operating system spawns a new process. These attributes are analyzed to look for the presence or absence of specific values or patterns. Some attributes of interest are: - user - process name - image path - security content ## Considerations - Attackers can spoof the parent process identifier (PPID), which could bypass this defense to allow execution of a malicious process from an arbitrary parent process. - Attackers could have legitimately compromised any of the process properties, such as the user, to make the execution appear legitimate. - Location: If the full image path is not checked, there could be a conflict with an executable that appears earlier due to resolution involving the system environment path/classpath variable. - Parsing issues: If the raw command from a shell is analyzed, rather than the actual function call, it is important to identify the actual command being run from its arguments. In Windows, services with unquoted file paths containing spaces will try to use the first token as the executable and the rest as arguments -- and shift tokens to the executable until a valid one is found. - Some [operating systems](/dao/artifact/d3f:OperatingSystem) can spawn processes without forking.""" ; d3f:kb-reference d3f:Reference-ActiveDirectoryDumpingViaNTDSUtil_MITRE, d3f:Reference-CAR-2020-04-001%3AShadowCopyDeletion_MITRE, d3f:Reference-CAR-2020-05-003%3ARareLolBASCommandLines_MITRE, d3f:Reference-CAR-2020-08-001%3ANTFSAlternateDataStreamExecution-SystemUtilities_MITRE, d3f:Reference-CAR-2020-09-003%3AIndicatorBlocking-DriverUnloaded_MITRE, d3f:Reference-CAR-2020-09-004%3ACredentialsInFiles%26Registry_MITRE, d3f:Reference-CAR-2020-11-001%3ABootOrLogonInitializationScripts_MITRE, d3f:Reference-CAR-2020-11-003%3ADLLInjectionWithMavinject_MITRE, d3f:Reference-CAR-2020-11-005%3AClearPowershellConsoleCommandHistory_MITRE, d3f:Reference-CAR-2020-11-006%3ALocalPermissionGroupDiscovery_MITRE, d3f:Reference-CAR-2020-11-007%3ANetworkShareConnectionRemoval_MITRE, d3f:Reference-CAR-2020-11-008%3AMSBuildAndMsxsl_MITRE, d3f:Reference-CAR-2020-11-009%3ACompiledHTMLAccess_MITRE, d3f:Reference-CAR-2021-01-002%3AUnusuallyLongCommandLineStrings_MITRE, d3f:Reference-CAR-2021-01-003%3AClearingWindowsLogsWithWevtutil_MITRE, d3f:Reference-CAR-2021-01-004%3AUnusualChildProcessForSpoolsv.ExeOrConnhost.Exe_MITRE, d3f:Reference-CAR-2021-01-006%3AUnusualChildProcessSpawnedUsingDDEExploit_MITRE, d3f:Reference-CAR-2021-01-007%3ADetectingTamperingOfWindowsDefenderCommandPrompt_MITRE, d3f:Reference-CAR-2021-01-008%3ADisableUAC_MITRE, d3f:Reference-CAR-2021-01-009%3ADetectingShadowCopyDeletionViaVssadmin.exe_MITRE, d3f:Reference-CAR-2021-02-001%3AWebshell-IndicativeProcessTree_MITRE, d3f:Reference-CAR-2021-04-001%3ACommonWindowsProcessMasquerading_MITRE, d3f:Reference-CAR-2021-05-001%3AAttemptToAddCertificateToUntrustedStore_MITRE, d3f:Reference-CAR-2021-05-002%3ABatchFileWriteToSystem32_MITRE, d3f:Reference-CAR-2021-05-003%3ABCDEditFailureRecoveryModification_MITRE, d3f:Reference-CAR-2021-05-004%3ABITSJobPersistence_MITRE, d3f:Reference-CAR-2021-05-005%3ABITSAdminDownloadFile_MITRE, d3f:Reference-CAR-2021-05-006%3ACertUtilDownloadWithURLCacheAndSplitArguments_MITRE, d3f:Reference-CAR-2021-05-007%3ACertUtilDownloadWithVerifyCtlAndSplitArguments_MITRE, d3f:Reference-CAR-2021-05-008%3ACertutilExeCertificateExtraction_MITRE, d3f:Reference-CAR-2021-05-009%3ACertUtilWithDecodeArgument_MITRE, d3f:Reference-CAR-2021-05-010%3ACreateLocalAdminAccountsUsingNetExe_MITRE, d3f:Reference-CommandLineUsageOfArchivingSoftware_MITRE, d3f:Reference-CreateRemoteProcessViaWMIC_MITRE_Other, d3f:Reference-CredentialDumpingViaMimikatz_MITRE, d3f:Reference-HostDiscoveryCommands_MITRE, d3f:Reference-LsassProcessDumpViaProcdump_MITRE, d3f:Reference-PowershellExecution_MITRE, d3f:Reference-RunDLL32.exeMonitoring_MITRE, d3f:Reference-Squiblydoo_MITRE, d3f:Reference-SuspiciousArguments_MITRE, d3f:Reference-SuspiciousRunLocations_MITRE . d3f:ProcessStartFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Process Start Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:invokes ; owl:someValuesFrom d3f:CreateProcess ] ; d3f:definition "A function creates a new computer process, usually by invoking a create process system call." ; d3f:invokes d3f:CreateProcess . d3f:ProcessSuspension a d3f:ProcessSuspension, owl:Class, owl:NamedIndividual ; rdfs:label "Process Suspension" ; rdfs:subClassOf d3f:ProcessEviction, [ a owl:Restriction ; owl:onProperty d3f:suspends ; owl:someValuesFrom d3f:Process ] ; d3f:d3fend-id "D3-PS" ; d3f:definition "Suspending a running process on a computer system." ; d3f:kb-article """## How it works A running process might be suspended to mitigate its immediate effects if it is exhibiting anomalous, unauthorized, or malicious behavior. Defenders may choose to suspend rather than terminate to analyze the process first and resume the process if deemed benign. ### System-provided functions #### Windows tools In Windows, the `PsSuspend` command line utility from the SysInternals Suite provides functionality to suspend processes on a local or remote system.""" ; d3f:kb-reference d3f:Reference-PsSuspend ; d3f:suspends d3f:Process . d3f:ProcessTermination a d3f:ProcessTermination, owl:Class, owl:NamedIndividual ; rdfs:label "Process Termination" ; rdfs:subClassOf d3f:ProcessEviction, [ a owl:Restriction ; owl:onProperty d3f:terminates ; owl:someValuesFrom d3f:Process ] ; d3f:d3fend-id "D3-PT" ; d3f:definition "Terminating a running application process on a computer system." ; d3f:kb-article """## How it works Processes are managed by the operating system kernel. Different operating system kernels manage the creation and termination of processes in a different manner, and expose this functionality via the kernel API. A running process might be terminated to mitigate its immediate effects if it is exhibiting anomalous, unauthorized, or malicious behavior; such as after detecting anomalous behavior via Administrative Network Activity Analysis, after a failed check from Stack Frame Canary Validation, or after System Call Analysis finds an attempt to execute an unauthorized system call. ### Proprietary technology Security software might use proprietary technology to terminate processes, instead of the system-provided functions. Further research may provide specific detail on such methods used. ### System-provided functions #### Windows tools In Windows, `ExitProcess()` is used to send a signal to a process to request it to exit, and `TerminateProcess()` is used to force a process to exit. The `taskkill` executable available in the cmd shell is used to kill a process, with the `/F` switch forcing termination as with `TerminateProcess()`. In PowerShell, `Stop-Process` is used, which is aliased by default to `spps` and `kill`. Processes started in the Windows Subsystem for Linux (WSL) environment may be terminated there with the `kill` command. In some cases, existing drivers can also be leveraged to kill processes. #### Unix/Linux tools In Unix-like systems, all process termination requests are handled using signals. The `kill` function takes the Process ID and signal to send, and is accessible with the `kill` command. Some shells have a `kill` builtin function which is separate than the `kill` binary, which can also kill background jobs in the shell and additionally perform the function faster, and can run from an existing instance of the shell if the process table is full. The signal SIGTERM specifies that the process to terminate may invoke a handler that it has defined instead of terminating, and the signal SIGKILL forces immediate termination. The related command `xkill` terminates the connection of a program to the X window server, after which the user process may decide to terminate itself; however, termination is not guaranteed as the process, which could be on the same or different host, could then run in a terminal or reconnect to a different X server on any host. Emacs is such a program that would not terminate itself after its connection to the X server is terminated. ## Considerations ### Persistence Mechanisms Terminating a malicious process is not enough to stop an adversary that has already gained persistence in the host via any initial access mechanism, including through that process or another access mechanism. ### Terminating Multiple Processes On most operating systems, process termination operations typically occur independently of each other, without functionality provided to atomically terminate multiple processes. If there are multiple malicious processes which can make system calls to spawn other processes once one of them is closed, user session termination or system restart might be required. ### Process Access Permissions Users must have permissions to kill the process. On Unix-like systems, either root or the process user can kill the process. On Windows systems, process permissions are managed separately via process security tokens. ### Process Resource Handles #### Terminating Processes with Open Resource Handles Processes may have open resource handles, which could leave those resources in an undesired state if the process is forced to terminate. As such, most operating systems provide a means to send a signal to a process to inform it to gracefully terminate, and on most of these operating systems, it is the typical first step used to terminate a process. #### Signal Traps As the process may have open resource handles, commonly-used methods of process termination involve sending a signal to the process to terminate. On Windows, the `ExitProcess()` function is used for this purpose. Process instructions, as well as a third-party DLL can also cause the process to exit. On Linux, the process is sent a signal on the occurrence of various events: when it loses the console, `SIGHUP`; when termination is requested, `SIGTERM`. The processor then redirects execution to the function registered to handle the signal. Therefore, sending a signal to the process to ask it to terminate may not always work. ##### Avoiding Signal Traps On Unix-like systems, sending the `SIGKILL` signal for a process does not send a message to the process or invoke an implementation-defined handler; instead, it immediately does not allow the process to execute any further processor instructions. On Windows `TerminateProcess()` instead of `ExitProcess()` performs the equivalent. #### Hang on System Call Execution Even still, as the operating system kernel manages the processes, kernel code may block process signals, including those which cannot be trapped, and does in certain circumstances. Signals are blocked and queued for the duration of the system call when interrupting the system call would result in a kernel invariant being violated, such as when an action results in a malformed data structure; this blocking is common for filesystem requests. Such system calls can hang when a filesystem has gone offline, leading to a long-term uninterruptible sleep, represented in POSIX command `ps` output as D state. Any malicious system calls or system call handlers are issues of a much larger problem (a kernel-level rootkit) and the system should be redeployed entirely or restored from a backup known to be prior to compromise, and other systems accessible directly and indirectly from that one should also be examined. A process that is truly hung in a system call may prevent the system from shutting down and leave it in an unresponsive state; a hard power off is required. To speed up the action of terminating a process in uninterruptible sleep, the process resource accesses (handles) could be analyzed. On Linux, [`sync` followed by `echo 3 > /proc/sys/vm/drop_caches`](https://www.kernel.org/doc/Documentation/sysctl/vm.txt) is a safe way to free up some inactive resource handles. #### Kernel Processes and Threads The kernel may not allow kernel processes, which are created via methods other than user-space processes, to be terminated. #### Other Code using the Process Terminating a shared library can lead to unexpected errors; such shared libraries have their own mechanisms for termination. On Windows, a DLL is unloaded when the reference count of the library reaches 0. #### Zombie process After a process has been terminated, it may still take up an entry in the operating system process table until another event occurs. ##### Windows In Windows, a process object is deleted when the last handle to the process is closed. ##### Linux In Linux, a process is removed from the process table when it is reaped by its parent process. If the parent terminates, historically the parent has been changed to pid 1; however, in the Linux kernel 3.4 and above, processes can set a different process as the subreaper using the `prctl()` system call. Zombie processes and hung processes could be resolved with a restart of the system. #### System restart Finally a system restart might be required to kill a process. Systems which are only accessible via a remote in-band connection may become inaccessible if a process termination operation that is necessary for reboot does not complete. ### Subsystems Processes that are started in a subsystem might not be fully terminated if they are terminated using the command for that subsystem. For example, in the Windows Subsystem for Linux (WSL), processes started and terminated via WSL calls such as with the `kill` command in Bash may still have an entry in the Windows process table.""" ; d3f:kb-reference d3f:Reference-InstantProcessTerminationToolToRecoverControlOfAnInformationHandlingSystem_DellProductsLP, d3f:Reference-MalwareDetectionUsingLocalComputationalModels_CrowdstrikeInc ; d3f:terminates d3f:Process . d3f:ProcessTerminationEvent a owl:Class ; rdfs:label "Process Termination Event" ; rdfs:subClassOf d3f:ProcessEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ProcessCreationEvent ] ; d3f:definition "An event marking the cessation of a process, including resource deallocation and cleanup, either due to normal completion or abnormal termination." . d3f:ProcessTree a owl:Class, owl:NamedIndividual ; rdfs:label "Process Tree" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Process ] ; d3f:contains d3f:Process ; d3f:definition "A process tree is a tree structure representation of parent-child relationships established via process spawn operations." ; rdfs:seeAlso d3f:ProcessSpawnAnalysis, , . d3f:ProductDeveloper a owl:Class ; rdfs:label "Product Developer" ; rdfs:subClassOf d3f:Provider ; d3f:definition "A product developer intentionally designs, creates, or improves products, which may include physical goods, software, or other outputs." . d3f:ProgressivelyGrowingGAN a owl:Class, owl:NamedIndividual ; rdfs:label "Progressively Growing GAN" ; rdfs:subClassOf d3f:ImageSynthesisGAN ; d3f:d3fend-id "D3A-PGG" ; d3f:definition "Progressive Growing GAN (ProGAN) is an extension to the GAN training process that allows for the stable training of generator models that can output large high-quality images." ; d3f:kb-article """## References Machine Learning Mastery. (n.d.). Introduction to Progressive Growing Generative Adversarial Networks. [Link](https://machinelearningmastery.com/introduction-to-progressive-growing-generative-adversarial-networks/)""" ; d3f:synonym "ProGAN" . d3f:ProjectedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Projected Clustering" ; rdfs:subClassOf d3f:High-dimensionClustering ; d3f:d3fend-id "D3A-PC" ; d3f:definition "Projected clustering is a dimension reduction subspace clustering method." ; d3f:kb-article """## References GeeksforGeeks. (n.d.). Projected Clustering in Data Analytics. [Link](https://www.geeksforgeeks.org/projected-clustering-in-data-analytics/)""" . d3f:Projection-basedClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Projection-based Clustering" ; rdfs:subClassOf d3f:High-dimensionClustering ; d3f:d3fend-id "D3A-PBC" ; d3f:definition "Projection Based Clustering is a clustering framework based on a chosen projection method and projection method a parameter-free high-dimensional data visualization technique." ; d3f:kb-article """## References R Core Team. (2021). ProjectionBasedClustering: Projection Based Clustering. [Link](https://cran.r-project.org/web/packages/ProjectionBasedClustering/ProjectionBasedClustering.pdf) Lai, J. H., Liu, Y., & Wu, W. (2017). Projection Based Clustering. [Link](https://www.researchgate.net/publication/319006501_Projection_Based_Clustering)""" . d3f:Prolog a owl:Class, owl:NamedIndividual ; rdfs:label "Prolog" ; rdfs:subClassOf d3f:LogicProgramming ; d3f:d3fend-id "D3A-PRO" ; d3f:definition "Prolog has its roots in first-order logic, a formal logic, and unlike many other programming languages." ; d3f:kb-article """## How it works Prolog is intended primarily as a declarative programming language: the program logic is expressed in terms of relations, represented as facts and rules. A computation is initiated by running a query over these relations. ## References 1. Prolog. (2023, April 5). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Prolog)""" . d3f:PropertyListFile a owl:Class, owl:NamedIndividual ; rdfs:label "Property List File" ; skos:altLabel "Plist File" ; rdfs:subClassOf d3f:ConfigurationFile ; rdfs:isDefinedBy ; d3f:definition "In the OS X, iOS, NeXTSTEP, and GNUstep programming frameworks, property list files are files that store serialized objects. Property list files use the filename extension .plist, and thus are often referred to as p-list files. Property list files are often used to store a user's settings. They are also used to store information about bundles and applications, a task served by the resource fork in the old Mac OS." . d3f:PropositionalLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Propositional Logic" ; rdfs:subClassOf d3f:SymbolicAI ; d3f:d3fend-id "D3A-PL" ; d3f:definition "Propositional logic deals with statements (i.e., propositions, which can be true or false) and relations between propositions, including the construction of arguments based on them." ; d3f:kb-article """## How it works Compound propositions are formed by connecting propositions by logical connectives. Propositions that contain no logical connectives are called atomic propositions. ## References 1. Propositional Calculus. (2022, May 31). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Propositional_calculus)""" ; d3f:synonym "Propositional Calculus" . d3f:ProtocolMetadataAnomalyDetection a d3f:ProtocolMetadataAnomalyDetection, owl:Class, owl:NamedIndividual ; rdfs:label "Protocol Metadata Anomaly Detection" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:analyzes d3f:NetworkTraffic ; d3f:d3fend-id "D3-PMAD" ; d3f:definition "Collecting network communication protocol metadata and identifying statistical outliers." ; d3f:kb-article """## How it works Network protocol metadata is first collected and processed in real-time or post-facto. Metadata may include packet header information or information about a session (ex. time between requests/responses). Metadata is then grouped based on shared characteristics and those groups are compared to each other. If particular metadata differs significantly from other data, an alert is generated, identifying the network event as anomalous. Anomalous activity may indicate unauthorized activity. ## Considerations Metadata collection on enterprises can yield large data sets. Storage, indexing, querying, and aging should be considered prior to implementation.""" ; d3f:kb-reference d3f:Reference-MethodAndSystemForDetectingThreatsUsingMetadataVectors_VECTRANETWORKSInc, d3f:Reference-MethodAndSystemForDetectingThreatsUsingPassiveClusterMapping_VectraNetworksInc, d3f:Reference-SystemForImplementingThreatDetectionUsingDailyNetworkTrafficCommunityOutliers_VECTRANETWORKSInc . d3f:Provider a owl:Class ; rdfs:label "Provider" ; rdfs:subClassOf d3f:Organization ; d3f:definition "Providers are entities that intentionally offer, supply, or facilitate goods, services, or resources through actions of their agents." . d3f:ProximitySensor a owl:Class, owl:NamedIndividual ; rdfs:label "Proximity Sensor" ; rdfs:subClassOf d3f:HardwareDevice, d3f:Sensor ; rdfs:isDefinedBy ; d3f:definition "A sensor able to detect the presence of nearby objects without any physical contact." . d3f:ProximitySensorEvent a owl:Class ; rdfs:label "Proximity Sensor Event" ; rdfs:subClassOf d3f:PhysicalAccessAlarmEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:ProximitySensor ] . d3f:ProximitySensorMonitoring a d3f:ProximitySensorMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Proximity Sensor Monitoring" ; rdfs:subClassOf d3f:PhysicalAccessMonitoring, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:ProximitySensor ] ; d3f:d3fend-id "D3-PSM" ; d3f:definition "Monitoring events from proximity sensors that indicate a credential or tagged asset is within the sensor’s read range or a defined zone. Common enabling technologies include RFID, Bluetooth Low Energy (BLE), and Ultra-Wideband (UWB)." ; d3f:kb-article """## How it works Proximity readers and sensors detect credentials or tagged assets within their read field, then report presence and, when applicable, authenticate to a controller for access decisions. Systems may use RSSI, dwell time, or time-of-flight to enforce zones and policies such as anti-passback. Secure, authenticated communication between readers and controllers helps prevent cloning and replay attacks. ## Considerations * Place readers and align antennas to achieve consistent read ranges; account for materials like metal and liquids that can detune signals. * Use cryptographic credentials with mutual authentication and encrypted, supervised reader links to mitigate cloning and relay attacks. * Protect privacy by minimizing collected data, limiting retention, and restricting access to proximity logs. * Calibrate detection thresholds and zone boundaries; re-test after layout changes or equipment moves. * Monitor reader and tag health, including battery status for BLE and UWB tags and supervision signals for wired and wireless devices.""" ; d3f:kb-reference d3f:Reference-FIPS-201-3, d3f:Reference-NIST-SP800-116r1, d3f:Reference-Wikipedia-ProximityCard, d3f:Reference-Wikipedia-RFID ; d3f:monitors d3f:ProximitySensor ; d3f:synonym "Proximity Reader Monitoring", "RFID Reader Monitoring" . d3f:Proxy-basedWebServerAccessMediation a d3f:Proxy-basedWebServerAccessMediation, owl:Class, owl:NamedIndividual ; rdfs:label "Proxy-based Web Server Access Mediation" ; rdfs:subClassOf d3f:WebSessionAccessMediation ; d3f:d3fend-id "D3-PBWSAM" ; d3f:definition "Proxy-based web server access mediation focuses on the regulation of web server access through intermediary proxy servers." ; d3f:kb-article """## How it works Proxy-based Web Server Access Mediation involves controlling access to web servers via proxy servers, which act as intermediaries between users and web resources. This approach can enhance security by anonymizing user requests, filtering content, and enforcing access policies. Examples include using corporate proxies to access external websites or services.""" ; d3f:kb-reference d3f:Reference-NIST-Special-Publication-800-41-Revision-1 . d3f:ProxyServer a owl:Class ; rdfs:label "Proxy Server" ; rdfs:subClassOf d3f:ComputerNetworkNode, d3f:Server ; rdfs:isDefinedBy ; d3f:definition "In computer networking, a proxy server is a server application or appliance that acts as an intermediary for requests from clients seeking resources from servers that provide those resources. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server." ; rdfs:seeAlso . d3f:PublicKey a owl:Class, owl:NamedIndividual ; rdfs:label "Public Key" ; rdfs:subClassOf d3f:AsymmetricKey, [ a owl:Restriction ; owl:onProperty d3f:depends-on ; owl:someValuesFrom d3f:PrivateKey ] ; d3f:definition "A public key can be disseminated widely as part of an asymmetric cryptography framework and be used to encrypt messages to send to the public key's owner or to authenticate signed messages from that sender." ; d3f:depends-on d3f:PrivateKey ; rdfs:seeAlso . d3f:PythonPackage a owl:Class ; rdfs:label "Python Package" ; rdfs:subClassOf d3f:SoftwarePackage ; d3f:definition "A Python package is an aggregation of many Python files - either in source code or in bytecode - and associated metadata and resources (text, images, etc.). Python packages can be distributed in different file formats." ; rdfs:seeAlso . d3f:PythonScriptFile a owl:Class ; rdfs:label "Python Script File" ; rdfs:subClassOf d3f:ExecutableScript ; d3f:synonym "A script file written in the Python programming language." . d3f:Q-Learning a owl:Class, owl:NamedIndividual ; rdfs:label "Q-Learning" ; rdfs:subClassOf d3f:Model-freeReinforcementLearning ; d3f:d3fend-id "D3A-QL" ; d3f:definition "Q-learning is a model-free reinforcement learning algorithm to learn the value of an action in a particular state. It does not require a model of the environment (hence \"model-free\"), and it can handle problems with stochastic transitions and rewards without requiring adaptations." ; d3f:kb-article """## References Q-learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Q-learning).""" . d3f:QueryByCommittee a owl:Class, owl:NamedIndividual ; rdfs:label "Query By Committee" ; rdfs:subClassOf d3f:ActiveLearning ; d3f:d3fend-id "D3A-QBC" ; d3f:definition "Query by Committee (QBC) takes inspiration from ensemble methods. Instead of just one classifier, it takes into account the decision of a committee C=ℎ1,…,ℎc of classifiers ℎi. Each classifier has the same target classes, but a different underlying model or a different view on the data." ; d3f:kb-article """## References Intro to Active Learning. inovex Blog. [Link](https://www.inovex.de/de/blog/intro-to-active-learning/).""" . d3f:RadiationHardening a d3f:RadiationHardening, owl:Class, owl:NamedIndividual ; rdfs:label "Radiation Hardening" ; rdfs:subClassOf d3f:PlatformHardening, [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:HardwareDevice ] ; d3f:d3fend-id "D3-RH" ; d3f:definition "Radiation hardening is the process of making electronic components and circuits resistant to damage or malfunction caused by high levels of ionizing radiation." ; d3f:hardens d3f:HardwareDevice ; d3f:kb-article """## How it works There are three core radiation hardening methodologies: 1. Radiation Hardening by Process (RHBP): modifying the physical fabrication of a semiconductor (e.g., using SOI - Silicon on Insulator), offering the highest intrinsic protection. Usually the most expensive option as it requires a specialized semiconducter fabrication plant. 2. Radiation Hardening by Design (RHBD): modifying circuit topology and physical layout using techniques such as Triple Modular Redundancy (TMM). A more cost-effective option, with the constraint of potentially increasing chip area and power. 3. Radiation Hardening by Shielding (RHBS): using physical materials (e.g., aluminum or tantalum) to block ionizing particles. Simple to implement, with the constraint of increasing size and weight.""" ; d3f:kb-reference d3f:Reference-ARadiationHardenedSARADCWithDelayBasedDualFeedbackFlipFlopsForSensorReadoutSystems, d3f:Reference-DiagnosisOfFaultsInducedByRadiationAndCircuitLevelDesignMitigationTechniques, d3f:Reference-MethodOfMakingThinAtomicZGradeShields . d3f:RadioModem a owl:Class ; rdfs:label "Radio Modem" ; rdfs:subClassOf d3f:Modem ; rdfs:isDefinedBy ; d3f:definition "A radio modem provides the means to send digital data wirelessly. Radio modems are used to communicate by direct broadcast satellite, WiFi, WiMax, mobile phones, GPS, Bluetooth and NFC. Modern telecommunications and data networks also make extensive use of radio modems where long distance data links are required. Such systems are an important part of the PSTN, and are also in common use for high-speed computer network links to outlying areas where fiber optic is not economical." . d3f:RAM a owl:Class, owl:NamedIndividual ; rdfs:label "RAM" ; rdfs:subClassOf d3f:PrimaryStorage, [ a owl:Restriction ; owl:onProperty d3f:carries ; owl:someValuesFrom d3f:MemoryExtent ] ; rdfs:isDefinedBy ; d3f:carries d3f:MemoryExtent ; d3f:definition "Random-access memory (RAM) is a form of computer memory that can be read and changed in any order, typically used to store working data and machine code." ; d3f:synonym "Random-access Memory" . d3f:RandomForest a owl:Class, owl:NamedIndividual ; rdfs:label "Random Forest" ; rdfs:subClassOf d3f:BootstrapAggregating ; d3f:d3fend-id "D3A-RF" ; d3f:definition "Random Forest is a ML method that combines several other ML methods. At its core, Random Forest is an ensemble method of multiple bootstrapped decision trees filled with training data and random feature selection." ; d3f:kb-article """## References Random forest. Wikipedia. [Link](https://en.wikipedia.org/wiki/Random_forest).""" . d3f:RandomSplits a owl:Class, owl:NamedIndividual ; rdfs:label "Random Splits" ; rdfs:subClassOf d3f:ResamplingEnsemble ; d3f:d3fend-id "D3A-RS" ; d3f:definition "The dataset is repeatedly sampled with a random split of the data into train and test sets." ; d3f:kb-article """## References How to Create a Random Split Cross-Validation and Bagging Ensemble for Deep Learning in Keras."*Machine Learning Mastery*. [Link](https://machinelearningmastery.com/how-to-create-a-random-split-cross-validation-and-bagging-ensemble-for-deep-learning-in-keras/).""" . d3f:Range a owl:Class, owl:NamedIndividual ; rdfs:label "Range" ; rdfs:subClassOf d3f:Variability ; d3f:d3fend-id "D3A-RAN" ; d3f:definition "The range of a set of data is the difference between the largest and smallest value." ; d3f:kb-article """## References Wikipedia. (n.d.). Range (statistics). [Link](https://en.wikipedia.org/wiki/Range_(statistics))""" . d3f:RangeMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Range Matching" ; rdfs:subClassOf d3f:NumericPatternMatching ; d3f:d3fend-id "D3A-RM" ; d3f:definition "Numeric Range Matching determines if a value lies with an interval of values (i.e., within the range of values.)" . d3f:RankCorrelationCoefficient a owl:Class, owl:NamedIndividual ; rdfs:label "Rank Correlation" ; rdfs:subClassOf d3f:Correlation ; d3f:d3fend-id "D3A-RC" ; d3f:definition "A rank correlation is any of several statistics that measure an ordinal association-the relationship between rankings of different ordinal variables or different rankings of the same variable, where a \"ranking\" is the assignment of the ordering labels \"first\", \"second\", \"third\", etc. to different observations of a particular variable." ; d3f:kb-article "Wikipedia. (n.d.). Rank correlation. [Link](https://en.wikipedia.org/wiki/Rank_correlation)" . d3f:RawMemoryAccessFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Raw Memory Access Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:MemoryBlock ] ; d3f:accesses d3f:MemoryBlock ; d3f:definition "A function which accesses raw memory, usually using memory addresses." . d3f:RD-0001 a owl:Class ; rdfs:label "Acquire Infrastructure - SPARTA" ; skos:prefLabel "Acquire Infrastructure" ; rdfs:subClassOf d3f:SPARTAResourceDevelopmentTechnique ; d3f:attack-id "RD-0001" ; d3f:definition "Adversaries assemble the people, platforms, and plumbing they will later use to observe, reach, or impersonate mission components. Infrastructure spans RF and optical ground assets (antennas, modems, timing sources, front-ends), compute and storage (on-prem and cloud), network presence (leased ASNs/IP space, VPS fleets, CDN relays), identity fabric (burner accounts, domains, certificates), and fabrication/test environments for hardware and software. They favor assets that are inexpensive, deniable, and geographically diverse, mixing self-hosted gear with commercial services and compromised third-party systems. To support spacecraft operations, they may build SDR-based labs that replicate waveforms and framing, stage command/telemetry tooling behind traffic mixers, and pre-position data pipelines for collection and analysis. The objective is persistence and flexibility: the ability to pivot between reconnaissance, delivery, and command with minimal attribution risk." ; rdfs:seeAlso . d3f:RD-0001.01 a owl:Class ; rdfs:label "Ground Station Equipment - SPARTA" ; skos:prefLabel "Ground Station Equipment" ; rdfs:subClassOf d3f:RD-0001 ; d3f:attack-id "RD-0001.01" ; d3f:definition "Rather than compromising existing stations, adversaries may acquire or assemble their own RF ground stack. Typical building blocks include: steerable mounts with auto-track, time/frequency standards, band-appropriate antennas and feeds, LNAs and filters at the feed, low-loss IF chains, T/R switching, medium/high-power amplifiers with protection and telemetry, and weather protection. Baseband equipment often mixes SDRs with commercial modems to generate/capture mission waveforms and framing; signal generators and spectrum analyzers support calibration and banner-grabbing. On the digital side, ground data processors translate captured frames to packetized formats for analysis and rehearsal. With this kit, an actor can passively collect, actively probe, or attempt spoofing if link-layer authentication is weak." ; rdfs:seeAlso . d3f:RD-0001.02 a owl:Class ; rdfs:label "Commercial Ground Station Services - SPARTA" ; skos:prefLabel "Commercial Ground Station Services" ; rdfs:subClassOf d3f:RD-0001 ; d3f:attack-id "RD-0001.02" ; d3f:definition "Instead of building dishes, adversaries may rent time on commercial ground networks or cloud-integrated “ground-station-as-a-service.” Access can be obtained legitimately (front companies, weak vetting) or via compromised customer accounts, allowing schedule requests, RF front-end configuration, and data egress through reputable providers. The appeal is speed, global reach, and plausible deniability; the risk to defenders is that traffic originates from expected stations and IP ranges. Misuse may include reconnaissance (passive capture), selective denial (misconfiguration or saturation attempts), or, where authentication is weak, unauthorized commanding." ; rdfs:seeAlso . d3f:RD-0001.03 a owl:Class ; rdfs:label "Spacecraft - SPARTA" ; skos:prefLabel "Spacecraft" ; rdfs:subClassOf d3f:RD-0001 ; d3f:attack-id "RD-0001.03" ; d3f:definition "A well-resourced actor may field their own spacecraft or hosted payload to gain proximity, visibility, or RF leverage. Small satellites can be launched into nearby planes or phasing orbits to observe emissions, perform spectrum measurements, or test spoofing and denial techniques at short range. Hosted payloads on commercial buses provide co-location without full spacecraft development. Proximity also enables on-orbit relay, crosslink probing, or attempts to exploit weak segmentation between payload and bus on rideshares. Regulatory and tracking regimes complicate overt misuse, but shell companies, benign-seeming mission declarations, or flags of convenience can mask intent." ; rdfs:seeAlso . d3f:RD-0001.04 a owl:Class ; rdfs:label "Launch Facility - SPARTA" ; skos:prefLabel "Launch Facility" ; rdfs:subClassOf d3f:RD-0001 ; d3f:attack-id "RD-0001.04" ; d3f:definition "In practice, adversaries are far more likely to purchase launch services (rideshare slots, hosted-payload opportunities) than to “acquire a launch facility.” Nevertheless, understanding and exploiting launch infrastructure, pads, integration cells, range networks, and control centers, could support resource development (e.g., positioning an asset, staging equipment near range telemetry). The realistic objective is influence over access to orbit, schedule, or integration touchpoints rather than ownership of a pad. Shell entities might book benign-sounding rides, insert dual-use payloads, or seek special handling that relaxes controls." ; rdfs:seeAlso . d3f:RD-0002 a owl:Class ; rdfs:label "Compromise Infrastructure - SPARTA" ; skos:prefLabel "Compromise Infrastructure" ; rdfs:subClassOf d3f:SPARTAResourceDevelopmentTechnique ; d3f:attack-id "RD-0002" ; d3f:definition "Rather than purchasing or renting assets, adversaries compromise existing infrastructure, mission-owned, third-party, or shared, to obtain ready-made reach into space, ground, or cloud environments with the benefit of plausible attribution. Targets range from physical RF chains and timing sources to mission control servers, automation/scheduling systems, SLE/CSP gateways, identity providers, and cloud data paths. Initial access often comes via stolen credentials, spear-phishing of operators and vendors, exposed remote-support paths, misconfigured multi-tenant platforms, or lateral movement from enterprise IT into operations enclaves. Once resident, actors can pre-position tools, modify configurations, suppress logging, and impersonate legitimate stations or operators to support later Execution, Exfiltration, or Denial." ; rdfs:seeAlso . d3f:RD-0002.01 a owl:Class ; rdfs:label "Mission-Operated Ground System - SPARTA" ; skos:prefLabel "Mission-Operated Ground System" ; rdfs:subClassOf d3f:RD-0002 ; d3f:attack-id "RD-0002.01" ; d3f:definition "Compromising a mission’s own ground system grants the adversary preconfigured access to TT&C and automation. High-value targets include operator workstations, mission control servers, procedure libraries, scheduler/orchestration services, key-loading tools and HSMs, antenna control systems, timing/distribution, and RF modems/baseband units. Typical paths: phishing an operator or contractor, abusing remote-support channels, pivoting from enterprise IT to ops, exploiting unpatched services on enclave gateways, or harvesting credentials from poorly segmented test environments. Once inside, an actor can stage malicious procedures, alter rate/size limits, manipulate pass schedules, downgrade authentication in maintenance modes, or quietly siphon telemetry and ephemerides to refine later attacks." ; rdfs:seeAlso . d3f:RD-0002.02 a owl:Class ; rdfs:label "3rd Party Ground System - SPARTA" ; skos:prefLabel "3rd Party Ground System" ; rdfs:subClassOf d3f:RD-0002 ; d3f:attack-id "RD-0002.02" ; d3f:definition "Third-party networks (commercial ground stations, hosted modems, cloud-integrated ground-station services) present attractive stepping-stones: they already have vetted RF chains, globally distributed apertures, and trusted IP space. Adversaries may acquire customer credentials via phishing or purchase, exploit weak vetting to create front-company accounts, or compromise provider portals/APIs to submit schedules, alter front-end settings, or exfiltrate collected data. Because traffic originates from “expected” stations and ASN ranges, misuse blends into normal operations. Multi-tenant risks include configuration bleed-over and shared management planes." ; rdfs:seeAlso . d3f:RD-0002.03 a owl:Class ; rdfs:label "3rd-Party Spacecraft - SPARTA" ; skos:prefLabel "3rd-Party Spacecraft" ; rdfs:subClassOf d3f:RD-0002 ; d3f:attack-id "RD-0002.03" ; d3f:definition "By compromising another operator’s spacecraft, or a hosted payload, an adversary can gain proximity, sensing, and relay capabilities that are costly to build from scratch and difficult to attribute. With control of an on-orbit asset, the actor may conduct local spectrum measurement and traffic analysis, attempt selective interference or spoofing at short range, or probe crosslinks and gateways where payload networks bridge to buses. In rideshare or hosted-payload contexts, weak segmentation and shared ground paths can provide insight into neighboring missions. More aggressive scenarios include remote proximity operations (RPO) to achieve advantageous geometry; however, physical grappling, docking, or exposure of debug/test interfaces is highly specialized and rare, with significant safety, legal, and tracking implications. Realistic attacker goals emphasize adjacency for RF leverage, covert relay, or data theft rather than mechanical capture." ; rdfs:seeAlso . d3f:RD-0003 a owl:Class ; rdfs:label "Obtain Cyber Capabilities - SPARTA" ; skos:prefLabel "Obtain Cyber Capabilities" ; rdfs:subClassOf d3f:SPARTAResourceDevelopmentTechnique ; d3f:attack-id "RD-0003" ; d3f:definition "Adversaries acquire ready-made tools, code, and knowledge so they can move faster and with lower attribution when operations begin. Capabilities span commodity malware and loaders, bespoke implants for mission control mission control and ground enclaves, privilege-escalation and lateral-movement kits, SDR/codec stacks for TT&C and payload links, fuzzers and protocol harnesses, exploit chains for RTOS/middleware and ground services, and databases of configuration playbooks from prior intrusions. Actors prefer modular kits that can be re-skinned (new C2, new certs) and exercised in flatsat or SIL/HIL labs before use. They also collect operational “how-tos”, procedures, scripts, and operator macros, that convert technical access into mission effects." ; rdfs:seeAlso . d3f:RD-0003.01 a owl:Class ; rdfs:label "Exploit/Payload - SPARTA" ; skos:prefLabel "Exploit/Payload" ; rdfs:subClassOf d3f:RD-0003 ; d3f:attack-id "RD-0003.01" ; d3f:definition "Threat actors obtain or adapt exploits (the trigger) and payloads (the action after exploitation) for space, ground, and cloud components. Targets include flight software parsers and table loaders, bootloaders and patch/update handlers, bus gateways, payload controllers, and ground services. Payloads may be binaries, scripts, or command/procedure sequences that alter modes, bypass FDIR, or stage follow-on access; they can also be “data payloads” that exploit weak validation (malformed tables, ephemeris, or calibration products). Acquisition paths mirror the broader market, brokered N-day/0-day packages, open-source exploits re-tooled for mission stacks, and theft from vendors or researchers. Actors tune timing, size/rate limits, and anti-replay nuances so delivery fits pass windows and link budgets, and they rehearse on flatsats to achieve deterministic outcomes." ; rdfs:seeAlso . d3f:RD-0003.02 a owl:Class ; rdfs:label "Cryptographic Keys - SPARTA" ; skos:prefLabel "Cryptographic Keys" ; rdfs:subClassOf d3f:RD-0003 ; d3f:attack-id "RD-0003.02" ; d3f:definition "Adversaries seek any cryptographic material that confers command or decryption authority: uplink authentication/MAC keys and counters, link-encryption/session keys and KEKs, loading/transfer keys for HSMs, PN/spreading codes, modem credentials, and station or crosslink keys. Acquisition routes include compromised ground systems and laptops, misconfigured repositories and ticket systems, memory/core dumps, training datasets and screenshots, contractor support channels, and poorly controlled key-loading or recovery procedures. Because some missions authenticate uplink without encrypting it, possession of the right keys/counters may be sufficient to inject accepted commands outside official channels or to desynchronize anti-replay." ; rdfs:seeAlso . d3f:RD-0004 a owl:Class ; rdfs:label "Stage Capabilities - SPARTA" ; skos:prefLabel "Stage Capabilities" ; rdfs:subClassOf d3f:SPARTAResourceDevelopmentTechnique ; d3f:attack-id "RD-0004" ; d3f:definition "Before execution, adversaries prepare the ground, literally and figuratively. They upload tooling, exploits, procedures, and datasets to infrastructure they own or have compromised, wire up C2 and telemetry pipelines, and pre-configure RF/baseband chains and protocol stacks to match mission parameters. Staging often uses cloud object stores, VPS fleets, or CI/CD runners masquerading as benign automation; artifacts are containerized or signed with hijacked material to blend in. For RF operations, actors assemble demod/encode flowgraphs, precompute CRC/MAC fields and timetags, and script rate/size pacing to fit pass windows. For ground/cloud, they stage credentials, macros, and schedule templates that can push changes or exfiltrate data quickly during handovers or safing. Dry-runs on flatsats/HIL rigs validate timing and error paths; OPSEC measures (rotating domains, domain fronting, traffic mixers) reduce attribution." ; rdfs:seeAlso . d3f:RD-0004.01 a owl:Class ; rdfs:label "Identify/Select Delivery Mechanism - SPARTA" ; skos:prefLabel "Identify/Select Delivery Mechanism" ; rdfs:subClassOf d3f:RD-0004 ; d3f:attack-id "RD-0004.01" ; d3f:definition "Adversaries select the pathway that best balances effect, risk, bandwidth, and attribution. Options include over-the-air telecommand injection on TT&C links, manipulation of payload downlinks or user terminals, abuse of crosslinks or gateways, pivoting through commercial ground networks, or pushing malicious updates via supply-chain paths (software, firmware, bitstreams). Selection considers modulation/coding, Doppler and polarization, anti-replay windows, pass geometry, rate/size limits, and expected operator workload (handover, LEOP, safing exits). For ground/cloud paths, actors account for identity boundaries, automation hooks, and change-control cadence. The “delivery mechanism” is end-to-end: RF front-end (antenna, converters, HPAs), baseband/SDR chain, protocol/framing, authentication/counter handling, scheduling, and fallbacks if detection occurs. Rehearsal artifacts, test vectors, mock dictionaries, ephemerides, are built alongside." ; rdfs:seeAlso . d3f:RD-0004.02 a owl:Class ; rdfs:label "Upload Exploit/Payload - SPARTA" ; skos:prefLabel "Upload Exploit/Payload" ; rdfs:subClassOf d3f:RD-0004 ; d3f:attack-id "RD-0004.02" ; d3f:definition "Having chosen a path, adversaries pre-position the specific packages and procedures they intend to use: binary exploits, malicious tables and ephemerides, patch images, modem profiles, and operator macros that chain actions. On compromised or leased infrastructure, they stage these items where execution will be fastest, provider portals, scheduler queues, ground station file drops, or automation repos, with triggers tied to pass start, beacon acquisition, or operator shift changes. Artifacts are formatted to mission protocols (framing, CRC/MAC, timetags), chunked to meet rate/size constraints, and signed or wrapped to evade superficial checks. Anti-forensics (timestamp tampering, log suppression, ephemeral storage) reduce audit visibility, while fallback payloads are kept for alternate modes (safe-mode dictionaries, recovery consoles)." ; rdfs:seeAlso . d3f:RD-0005 a owl:Class ; rdfs:label "Obtain Non-Cyber Capabilities - SPARTA" ; skos:prefLabel "Obtain Non-Cyber Capabilities" ; rdfs:subClassOf d3f:SPARTAResourceDevelopmentTechnique ; d3f:attack-id "RD-0005" ; d3f:definition "Adversaries may pursue non-cyber counterspace means to create access, leverage, or effects that complement cyber operations. These capabilities span kinetic physical (e.g., direct-ascent or co-orbital interceptors and attacks on ground segments), non-kinetic physical (e.g., lasers, high-power microwave/EMP), and electronic warfare (jamming and spoofing). Each class differs in required resources, detectability, attribution, and the permanence of effects, from reversible interference to irreversible destruction. A pragmatic actor mixes methods: electronic attack to mask or distract, directed energy to blind sensors or upset electronics, and, at the top end, kinetic capabilities to hold assets at risk. Resource development may involve acquisition, partnering, or covert access to such systems; rehearsals are often framed as testing or calibration." ; rdfs:seeAlso . d3f:RD-0005.01 a owl:Class ; rdfs:label "Launch Services - SPARTA" ; skos:prefLabel "Launch Services" ; rdfs:subClassOf d3f:RD-0005 ; d3f:attack-id "RD-0005.01" ; d3f:definition "Rather than “owning a pad,” a realistic path is purchasing launch services (rideshare, hosted payload) to place inspection or relay assets where they confer RF, optical, or proximity advantage. Launch providers deliver integration, testing, and scheduling; an actor can use benign mission covers to field small satellites that measure local spectrum, perform on-orbit characterization of target emissions, or support later rendezvous and proximity operations. The resource being developed is access to vantage points, not just spaceflight hardware." ; rdfs:seeAlso . d3f:RD-0005.02 a owl:Class ; rdfs:label "Non-Kinetic Physical ASAT - SPARTA" ; skos:prefLabel "Non-Kinetic Physical ASAT" ; rdfs:subClassOf d3f:RD-0005 ; d3f:attack-id "RD-0005.02" ; d3f:definition "Non-kinetic physical ASATs damage or degrade without contact, typically via directed energy or intense electromagnetic effects. Ground- or space-based lasers can dazzle or blind optical sensors; high-power microwave or related electromagnetic systems can disrupt or permanently damage susceptible electronics; some concepts aim to generate broader electromagnetic effects. These attacks propagate at light speed, can be tuned for reversible or lasting impact, and may leave limited forensic residue, complicating verification and attribution. Actors who obtain or partner for such systems can pair them with cyber operations (e.g., blind a star tracker while injecting misleading commands) to amplify effect." ; rdfs:seeAlso . d3f:RD-0005.03 a owl:Class ; rdfs:label "Kinetic Physical ASAT - SPARTA" ; skos:prefLabel "Kinetic Physical ASAT" ; rdfs:subClassOf d3f:RD-0005 ; d3f:attack-id "RD-0005.03" ; d3f:definition "Kinetic capabilities physically strike space or ground elements. In space, direct-ascent systems launch from Earth to intercept a satellite on orbit; co-orbital systems maneuver in space to approach and impact a target. On the ground, kinetic attacks can target stations or support infrastructure. These actions are generally easier to detect and attribute and often produce persistent, hazardous debris in orbit, especially at higher altitudes, making them strategically escalatory. Actors developing or accessing such capabilities gain credible coercive power but at significant political and operational cost." ; rdfs:seeAlso . d3f:RD-0005.04 a owl:Class ; rdfs:label "Electronic ASAT - SPARTA" ; skos:prefLabel "Electronic ASAT" ; rdfs:subClassOf d3f:RD-0005 ; d3f:attack-id "RD-0005.04" ; d3f:definition "Electronic ASAT attacks target the communications lifelines of space systems rather than their structures: jamming raises the noise floor to deny service; spoofing crafts believable but false signals (navigation, timing, or control). These effects are usually transient and can be difficult to attribute quickly, yet they are operationally useful and comparatively inexpensive. Actors may obtain portable or fixed jammers, high-gain antennas with agile waveforms, and specialized signal-processing toolchains; from orbit, a nearby asset can deliver highly selective interference." ; rdfs:seeAlso . d3f:RDPConnectRequestEvent a owl:Class ; rdfs:label "RDP Connect Request Event" ; rdfs:subClassOf d3f:RDPEvent ; d3f:definition "An event where an RDP client sends a connection request specifying session parameters, such as display settings, compression preferences, and security requirements, to prepare for an interactive session." . d3f:RDPConnectResponseEvent a owl:Class ; rdfs:label "RDP Connect Response Event" ; rdfs:subClassOf d3f:RDPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:RDPConnectRequestEvent ] ; d3f:definition "An event where an RDP server acknowledges a connection request, finalizing session parameters and confirming the transition to an interactive remote session." . d3f:RDPEvent a owl:Class ; rdfs:label "RDP Event" ; rdfs:subClassOf d3f:ApplicationLayerEvent, [ a owl:Class ; owl:unionOf ( d3f:TCPEvent d3f:UDPEvent ) ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:RDPSession ] ; d3f:definition "An event involving the Remote Desktop Protocol (RDP), a communication protocol developed by Microsoft that facilitates secure remote access to graphical interfaces on desktops or applications hosted on remote servers. RDP supports multi-channel communication for transferring input, output, and management commands." ; rdfs:seeAlso . d3f:RDPInitialRequestEvent a owl:Class ; rdfs:label "RDP Initial Request Event" ; rdfs:subClassOf d3f:RDPEvent ; d3f:definition "An event where an RDP client initiates communication with a server by sending a request to establish a session and negotiate protocol capabilities for remote interaction." . d3f:RDPInitialResponseEvent a owl:Class ; rdfs:label "RDP Initial Response Event" ; rdfs:subClassOf d3f:RDPEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:RDPInitialRequestEvent ] ; d3f:definition "An event where an RDP server responds to an initial request from a client, presenting its supported capabilities and agreeing to proceed with session negotiation." . d3f:RDPSession a owl:Class, owl:NamedIndividual ; rdfs:label "RDP Session" ; skos:altLabel "Remote Desktop Session", "Terminal Services" ; rdfs:subClassOf d3f:RemoteSession ; d3f:definition "A Remote Desktop Protocol (RDP) session is a session established using the RDP protocol to access Remove Desktop Services (RDS)." ; rdfs:seeAlso , . d3f:RDPTLSHandshakeEvent a owl:Class ; rdfs:label "RDP TLS Handshake Event" ; rdfs:subClassOf d3f:RDPEvent ; d3f:definition "An event representing the cryptographic exchange of keys and certificates between an RDP client and server to establish a secure communication channel. The handshake ensures encryption, integrity, and authentication for the session." . d3f:ReadFile a owl:Class, owl:NamedIndividual ; rdfs:label "Read File" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:reads ; owl:someValuesFrom d3f:File ] ; d3f:definition "A program that needs to access data from a file stored in a file system uses the read system call. The file is identified by a file descriptor that is normally obtained from a previous call to open. This system call reads in data in bytes, the number of which is specified by the caller, from the file and stores then into a buffer supplied by the calling process." ; d3f:reads d3f:File ; rdfs:seeAlso . d3f:ReadMemory a owl:Class, owl:NamedIndividual ; rdfs:label "Read Memory" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:reads ; owl:someValuesFrom d3f:MemoryBlock ] ; d3f:reads d3f:MemoryBlock . d3f:Real-timeOperatingSystem a owl:Class, owl:NamedIndividual ; rdfs:label "Real-time operating system" ; rdfs:subClassOf d3f:OperatingSystem ; rdfs:isDefinedBy ; d3f:definition "A real-time operating system (RTOS) is an operating system (OS) for real-time computing applications that processes data and events that have critically defined time constraints." ; d3f:synonym "RTOS" . d3f:RealtimeClock a owl:Class ; rdfs:label "Real-time Clock" ; rdfs:subClassOf d3f:HardwareClock ; rdfs:isDefinedBy ; d3f:definition "A real-time clock (RTC) is an electronic device (most often in the form of an integrated circuit) that measures the passage of time." ; d3f:synonym "RTC" . d3f:RealTimeOperatingSystem a owl:Class, owl:NamedIndividual . d3f:REC-0001 a owl:Class ; rdfs:label "Gather Spacecraft Design Information - SPARTA" ; skos:prefLabel "Gather Spacecraft Design Information" ; rdfs:subClassOf d3f:SPARTAReconnaissanceTechnique ; d3f:attack-id "REC-0001" ; d3f:definition "Threat actors seek a coherent picture of the spacecraft and its supporting ecosystem to reduce uncertainty and plan follow-on actions. Useful design information spans avionics architecture, command and data handling, comms and RF chains, power and thermal control, flight dynamics constraints, payload-to-bus interfaces, redundancy schemes, and ground segment dependencies. Artifacts often include ICDs, block diagrams, SBOMs and toolchains, test procedures, AIT travelers, change logs, and “as-built” versus “as-flown” deltas. Adversaries combine open sources (papers, patents, theses, conference slides, procurement documents, FCC/ITU filings, marketing sheets) with gray sources (leaked RFP appendices, vendor manuals, employee resumes, social posts) to infer single points of failure, unsafe modes, or poorly defended pathways between space, ground, and supply chain. The output of this activity is not merely a document set but a working mental model and, often, a lab replica that enables rehearsal, timing studies, and failure-mode exploration." ; rdfs:seeAlso . d3f:REC-0001.01 a owl:Class ; rdfs:label "Software Design - SPARTA" ; skos:prefLabel "Software Design" ; rdfs:subClassOf d3f:REC-0001 ; d3f:attack-id "REC-0001.01" ; d3f:definition "Adversaries target knowledge of flight and ground software to identify exploitable seams and to build high-fidelity emulators for rehearsal. Valuable details include RTOS selection and version, process layout, inter-process messaging patterns, memory maps and linker scripts, fault-detection/isolation/recovery logic, mode management and safing behavior, command handlers and table services, bootloaders, patch/update mechanisms, crypto libraries, device drivers, and test harnesses. Artifacts may be source code, binaries with symbols, stripped images with recognizable patterns, configuration tables, and SBOMs that reveal vulnerable dependencies. With these, a threat actor can reverse engineer command parsing, locate debug hooks, craft inputs that bypass FDIR, or time payload and bus interactions to produce cascading effects. Supply-chain access to vendors of COTS components, open-source communities, or integrators can be used to insert weaknesses or to harvest build metadata. Even partial disclosures, such as a unit test name, an assert message, or a legacy API, shrink the search space for exploitation." ; rdfs:seeAlso . d3f:REC-0001.02 a owl:Class ; rdfs:label "Firmware - SPARTA" ; skos:prefLabel "Firmware" ; rdfs:subClassOf d3f:REC-0001 ; d3f:attack-id "REC-0001.02" ; d3f:definition "Firmware intelligence covers microcontroller images, programmable logic bitstreams, boot ROM behavior, peripheral configuration blobs, and anti-rollback or secure-boot settings for devices on the bus. Knowing device types, versions, and footprints enables inference of default passwords, debug interfaces (JTAG, SWD, UART), timing tolerances, and error handling under brownout or thermal stress. A threat actor may obtain firmware from vendor reference packages, public evaluation boards, leaked manufacturing files, over-the-air update images, or crash dumps. Correlating that with board layouts, harness drawings, or part markings helps map trust boundaries and locate choke points like power controllers, bus bridges, and watchdog supervisors. Attack goals include: preparing malicious but apparently valid updates, exploiting unsigned or weakly verified images, forcing downgrades, or manipulating configuration fuses to weaken later defenses. Even when cryptographic verification is present, knowledge of recovery modes, boot-pin strapping, or maintenance commands can offer alternate paths." ; rdfs:seeAlso . d3f:REC-0001.03 a owl:Class ; rdfs:label "Cryptographic Algorithms - SPARTA" ; skos:prefLabel "Cryptographic Algorithms" ; rdfs:subClassOf d3f:REC-0001 ; d3f:attack-id "REC-0001.03" ; d3f:definition "Adversaries look for the complete crypto picture: algorithms and modes, key types and lifecycles, authentication schemes, counter or time-tag handling, anti-replay windows, link-layer protections, and any differences between uplink and downlink policy. With algorithm and key details, a threat actor can craft valid telecommands, masquerade as a trusted endpoint, or degrade availability through replay and desynchronization. Sources include interface specifications, ground software logs, test vectors, configuration files, contractor laptops, and payload-specific ICDs that reuse bus-level credentials. Particular risk arises when command links rely on authentication without confidentiality; once an adversary acquires the necessary keys or counters, they can issue legitimate-looking commands outside official channels. Programs should assume that partial disclosures, MAC length, counter reset rules, or key rotation cadence, aid exploitation." ; rdfs:seeAlso . d3f:REC-0001.04 a owl:Class ; rdfs:label "Data Bus - SPARTA" ; skos:prefLabel "Data Bus" ; rdfs:subClassOf d3f:REC-0001 ; d3f:attack-id "REC-0001.04" ; d3f:definition "Bus intelligence focuses on which protocols are used (e.g., MIL-STD-1553, SpaceWire, etc.), controller roles, addressing, timings, arbitration, redundancy management, and the location of critical endpoints on each segment. Knowing the bus controller, remote terminal addresses, message identifiers, and schedule tables allows an adversary to craft frames that collide with or supersede legitimate traffic, to starve health monitoring, or to trigger latent behaviors in payload or power systems. Additional details such as line voltages, termination, connector types, harness pinouts, and EMC constraints inform feasibility of injection and disruption techniques. Attackers assemble this picture from ICDs, vendor datasheets, AIT procedures, harness drawings, lab photos, and academic or trade publications that reveal typical configurations. Enumeration of bridges and gateways is especially valuable because they concentrate trust across fault-containment regions and between payload and bus." ; rdfs:seeAlso . d3f:REC-0001.05 a owl:Class ; rdfs:label "Thermal Control System - SPARTA" ; skos:prefLabel "Thermal Control System" ; rdfs:subClassOf d3f:REC-0001 ; d3f:attack-id "REC-0001.05" ; d3f:definition "Adversaries seek a working map of the thermal architecture and its operating envelopes to anticipate stress points and plan timing for other techniques. Valuable details include passive elements (MLI, coatings, radiators, heat pipes/straps, louvers) and active control (survival and control heaters, thermostats, pumped loops), plus sensor placement, setpoints, deadbands, heater priority tables, and autonomy rules that protect critical hardware during eclipses and anomalies. Artifacts often come from thermal math models (TMMs), TVAC test reports, heater maps and harness drawings, command mnemonics, and on-orbit thermal balance procedures. When correlated with attitude constraints, payload duty cycles, and power budgets, this information lets a threat actor infer when components run close to limits, how safing responds to off-nominal gradients, and where power-thermal couplings can be exploited. Even small fragments, such as louver hysteresis or a heater override used for decontamination, can reveal opportunities to mask heating signatures or provoke nuisance safing." ; rdfs:seeAlso . d3f:REC-0001.06 a owl:Class ; rdfs:label "Maneuver & Control - SPARTA" ; skos:prefLabel "Maneuver & Control" ; rdfs:subClassOf d3f:REC-0001 ; d3f:attack-id "REC-0001.06" ; d3f:definition "Threat actors collect details of the guidance, navigation, and control (GNC) stack to predict vehicle response and identify leverage points during station-keeping, momentum management, and anomaly recovery. Useful specifics include propulsion type and layout (monoprop/biprop/electric; thruster locations, minimum impulse bit, plume keep-out zones), reaction wheels/CMGs and desaturation logic, control laws and gains, estimator design (e.g., EKF), timing and synchronization, detumble/safe-mode behaviors, and the full sensor suite (star trackers, sun sensors, gyros/IMUs, GNSS). Artifacts include AOCS/AOCS ICDs, maneuver procedures, delta-v budgets, ephemeris products, scheduler tables, and wheel management timelines. Knowing when and how attitude holds, acquisition sequences, or wheel unloads occur helps an adversary choose windows where injected commands or bus perturbations have outsized effect, or where sensor blinding and spoofing are most disruptive." ; rdfs:seeAlso . d3f:REC-0001.07 a owl:Class ; rdfs:label "Payload - SPARTA" ; skos:prefLabel "Payload" ; rdfs:subClassOf d3f:REC-0001 ; d3f:attack-id "REC-0001.07" ; d3f:definition "Adversaries pursue a clear picture of payload type, operating modes, command set, and data paths to and from the bus and ground. High-value details include vendor and model, operating constraints (thermal, pointing, contamination), mode transition logic, timing of calibrations, safety inhibits and interlocks, firmware/software update paths, data formatting and compression, and any crypto posture differences between payload links and the main command link. Payload ICDs often reveal addresses, message identifiers, and gateway locations where payload traffic bridges to the C&DH or data-handling networks, creating potential pivot points. Knowledge of duty cycles and scheduler entries enables timing attacks that coincide with high-power or high-rate operations to stress power/thermal margins or saturate storage and downlink. Even partial information, calibration script names, test vectors, or engineering telemetry mnemonics, can shrink the search space for reverse engineering." ; rdfs:seeAlso . d3f:REC-0001.08 a owl:Class ; rdfs:label "Power - SPARTA" ; skos:prefLabel "Power" ; rdfs:subClassOf d3f:REC-0001 ; d3f:attack-id "REC-0001.08" ; d3f:definition "Reconnaissance of the electrical power system (EPS) focuses on generation, storage, distribution, and autonomy. Useful details include solar array topology and SADA behavior, MPPT algorithms, array string voltages, eclipse depth assumptions, battery chemistry and configuration, BMS charge/discharge limits and thermal dependencies, PCDU architecture, load-shed priorities, latching current limiters, and survival power rules. Artifacts surface in EPS ICDs, acceptance test data, TVAC power margin reports, anomaly response procedures, and vendor manuals. Correlating these with attitude plans and payload schedules lets a threat actor infer when state-of-charge runs tight, which loads are shed first, and how fast recovery proceeds after a brownout or safing entry. Knowledge of housekeeping telemetry formats and rate caps helps identify blind spots where abusive load patterns or command sequences may evade detection." ; rdfs:seeAlso . d3f:REC-0001.09 a owl:Class ; rdfs:label "Fault Management - SPARTA" ; skos:prefLabel "Fault Management" ; rdfs:subClassOf d3f:REC-0001 ; d3f:attack-id "REC-0001.09" ; d3f:definition "Fault management (FDIR/autonomy/safing) materials are a prime reconnaissance target because they encode how the spacecraft detects, classifies, and responds to off-nominal states. Adversaries seek trigger thresholds and persistence timers, voting logic, inhibit and recovery ladders, safe-mode entry/exit criteria, command authority in safed states, watchdog/reset behavior, and any differences between flight and maintenance builds. Artifacts include fault trees, FMEAs, autonomy rule tables, safing flowcharts, and anomaly response playbooks. With these, a threat actor can craft inputs that remain just below detection thresholds, stack benign-looking events to cross safing boundaries at tactically chosen times, or exploit recovery windows when authentication, visibility, or redundancy is reduced. Knowledge of what telemetry is suppressed or rate-limited during safing further aids concealment." ; rdfs:seeAlso . d3f:REC-0002 a owl:Class ; rdfs:label "Gather Spacecraft Descriptors - SPARTA" ; skos:prefLabel "Gather Spacecraft Descriptors" ; rdfs:subClassOf d3f:SPARTAReconnaissanceTechnique ; d3f:attack-id "REC-0002" ; d3f:definition "Threat actors compile a concise but highly actionable dossier of “who/what/where/when” attributes about the spacecraft and mission. Descriptors include identity elements (mission name, NORAD catalog number, COSPAR international designator, call signs), mission class and operator, country of registry, launch vehicle and date, orbit regime and typical ephemerides, and any publicly filed regulatory artifacts (e.g., ITU/FCC filings). They also harvest operational descriptors such as ground network affiliations, common pass windows by latitude band, and staffing patterns implied by press, social media, and schedules. Even when each item is benign, the aggregate picture enables precise timing (e.g., during beta-angle peaks, eclipse seasons, or planned maintenance), realistic social-engineering pretexts, and better targeting of ground or cloud resources that support the mission." ; rdfs:seeAlso . d3f:REC-0002.01 a owl:Class ; rdfs:label "Identifiers - SPARTA" ; skos:prefLabel "Identifiers" ; rdfs:subClassOf d3f:REC-0002 ; d3f:attack-id "REC-0002.01" ; d3f:definition "Adversaries enumerate and correlate all identifiers that uniquely tag the vehicle throughout its lifecycle and across systems. Examples include NORAD/Satellite Catalog numbers, COSPAR designators, mission acronyms, spacecraft serials and bus IDs, regulatory call signs, network addresses used by mission services, and any constellation slot or plane tags. These identifiers allow cross-reference across public catalogs, tracking services, regulatory filings, and operator materials, shrinking search spaces for pass prediction, link acquisition, and vendor ecosystem discovery. Seemingly minor clues, like a configuration filename embedding a serial number or an operator using the same short name across environments, can expose test assets or internal tools. Rideshare and hosted-payload contexts introduce additional ambiguity that an attacker can exploit to mask activity or misattribute traffic." ; rdfs:seeAlso . d3f:REC-0002.02 a owl:Class ; rdfs:label "Organization - SPARTA" ; skos:prefLabel "Organization" ; rdfs:subClassOf d3f:REC-0002 ; d3f:attack-id "REC-0002.02" ; d3f:definition "Threat actors map the human and institutional terrain surrounding the mission to find leverage for phishing, credential theft, invoice fraud, or supply-chain compromise. Targeted details include the owner/operator, prime and subcontractors (bus, payload, ground, launch), key facilities and labs, cloud/SaaS providers, organizational charts, distribution lists, and role/responsibility boundaries for operations, security, and engineering. The objective is to identify who can approve access, who can move money, who holds admin roles on ground and cloud systems, and which vendors maintain remote access for support. Understanding decision chains also reveals when changes control boards meet, when ops handovers occur, and where a single compromised account could bridge enclaves." ; rdfs:seeAlso . d3f:REC-0002.03 a owl:Class ; rdfs:label "Operations - SPARTA" ; skos:prefLabel "Operations" ; rdfs:subClassOf d3f:REC-0002 ; d3f:attack-id "REC-0002.03" ; d3f:definition "Adversaries collect high-level operational descriptors to predict when the mission will be busy, distracted, or temporarily less instrumented. Useful items include CONOPS overviews, daily/weekly activity rhythms, ground pass schedules, DSN or commercial network windows, calibration and maintenance timelines, planned wheel unloads or thruster burns, conjunction-assessment cycles, and anomaly response playbooks at the level of “who acts when.” For constellations, they seek plane/slot assignments, phasing and drift strategies, crosslink usage, and failover rules between vehicles. These descriptors enable time-targeted campaigns, e.g., sending malicious but syntactically valid commands near handovers, exploiting reduced telemetry during safing, or saturating links during high-rate downlinks." ; rdfs:seeAlso . d3f:REC-0003 a owl:Class ; rdfs:label "Gather Spacecraft Communications Information - SPARTA" ; skos:prefLabel "Gather Spacecraft Communications Information" ; rdfs:subClassOf d3f:SPARTAReconnaissanceTechnique ; d3f:attack-id "REC-0003" ; d3f:definition "Threat actors assemble a detailed picture of the mission’s RF and networking posture across TT&C and payload links. Useful elements include frequency bands and allocations, emission designators, modulation/coding, data rates, polarization sense, Doppler profiles, timing and ranging schemes, link budgets, and expected Eb/N0 margins. They also seek antenna characteristics, beacon structures, and whether transponders are bent-pipe or regenerative. On the ground, they track station locations, apertures, auto-track behavior, front-end filters/LNAs, and handover rules, plus whether services traverse SLE, SDN, or commercial cloud backbones. Even small details, polarization sense, roll-off factors, or beacon cadence, shrink the search space for interception, spoofing, or denial. The outcome is a lab-replicable demod/decode chain and a calendar of advantageous windows." ; rdfs:seeAlso . d3f:REC-0003.01 a owl:Class ; rdfs:label "Communications Equipment - SPARTA" ; skos:prefLabel "Communications Equipment" ; rdfs:subClassOf d3f:REC-0003 ; d3f:attack-id "REC-0003.01" ; d3f:definition "Adversaries inventory space and ground RF equipment to infer capabilities, limits, and attack surfaces. On the spacecraft, they seek antenna type and geometry, placement and boresight constraints, polarization, RF front-end chains, transponder type, translation factors, gain control, saturation points, and protective features. On the ground, they collect dish size/aperture efficiency, feed/polarizer configuration, tracking modes, diversity sites, and backend modem settings. Beacon frequency/structure, telemetry signal type, symbol rates, and framing reveal demodulator parameters and help an actor build compatible SDR pipelines. Knowledge of power budgets and AGC behavior enables strategies to push hardware into non-linear regimes, causing self-inflicted denial or intermodulation. Equipment location and mounting inform visibility and interference opportunities." ; rdfs:seeAlso . d3f:REC-0003.02 a owl:Class ; rdfs:label "Commanding Details - SPARTA" ; skos:prefLabel "Commanding Details" ; rdfs:subClassOf d3f:REC-0003 ; d3f:attack-id "REC-0003.02" ; d3f:definition "Threat actors study how commands are formed, authorized, scheduled, and delivered. High-value details include the telecommand protocol (e.g., CCSDS TC), framing and CRC/MAC fields, authentication scheme (keys, counters, anti-replay windows), command dictionary/database formats, critical-command interlocks and enable codes, rate and size limits, timetag handling, command queue semantics, and the roles of scripts or procedures that batch actions. They also collect rules governing “valid commanding periods”: line-of-sight windows, station handovers, maintenance modes, safing states, timeouts, and when rapid-response commanding is permitted. With this, an adversary can craft syntactically valid traffic, time injections to coincide with reduced monitoring, or induce desynchronization (e.g., counter resets, stale timetags)." ; rdfs:seeAlso . d3f:REC-0003.03 a owl:Class ; rdfs:label "Mission-Specific Channel Scanning - SPARTA" ; skos:prefLabel "Mission-Specific Channel Scanning" ; rdfs:subClassOf d3f:REC-0003 ; d3f:attack-id "REC-0003.03" ; d3f:definition "Beyond TT&C, many missions expose additional RF or network surfaces: high-rate payload downlinks (e.g., X/Ka-band), user terminals, inter-satellite crosslinks, and hosted-payload channels that may be operated by different organizations. Adversaries scan spectrum and public telemetry repositories for these mission-specific channels, characterizing carrier plans, burst structures, access schemes (TDMA/FDMA/CDMA), addressing, and gateway locations. For commercial services, they enumerate forward/return links, user terminal waveforms, and provisioning backends that could be impersonated or jammed selectively. In hosted-payload or rideshare contexts, differences in configuration control and key management present opportunities for pivoting between enclaves." ; rdfs:seeAlso . d3f:REC-0003.04 a owl:Class ; rdfs:label "Valid Credentials - SPARTA" ; skos:prefLabel "Valid Credentials" ; rdfs:subClassOf d3f:REC-0003 ; d3f:attack-id "REC-0003.04" ; d3f:definition "Adversaries seek any credential that would let them authenticate as a legitimate actor in space, ground, or supporting cloud networks. Targets include TT&C authentication keys and counters, link-encryption keys, PN codes or spreading sequences, modem and gateway accounts, mission control mission control user and service accounts, station control credentials, VPN and identity-provider tokens, SLE/CSP service credentials, maintenance backdoor accounts, and automation secrets embedded in scripts or CI/CD pipelines. Acquisition paths include spear-phishing, supply-chain compromise, credential reuse across dev/test/ops, logs and core dumps, misconfigured repositories, contractor laptops, and improperly sanitized training data. Because some missions authenticate uplink without encrypting it, possession of valid keys or counters may be sufficient to issue accepted commands from outside official channels." ; rdfs:seeAlso . d3f:REC-0004 a owl:Class ; rdfs:label "Gather Launch Information - SPARTA" ; skos:prefLabel "Gather Launch Information" ; rdfs:subClassOf d3f:SPARTAReconnaissanceTechnique ; d3f:attack-id "REC-0004" ; d3f:definition "Adversaries collect structured launch intelligence to forecast when and how mission assets will transition through their most time-compressed, change-prone phase. Useful elements include the launch date/time windows, launch site and range operator, participating organizations (launch provider, integrator, range safety, telemetry networks), vehicle family and configuration, fairing type, and upper-stage restart profiles. This picture enables realistic social-engineering pretexts, supply-chain targeting of contractors, and identification of auxiliary systems (range instrumentation, TLM/FTS links) that may be less hardened than the spacecraft itself. Knowledge of ascent comms (bands, beacons, ground stations), early-orbit operations (LEOP) procedures, and handovers to mission control further informs when authentication, staffing, or telemetry margins may be tight." ; rdfs:seeAlso . d3f:REC-0004.01 a owl:Class ; rdfs:label "Flight Termination - SPARTA" ; skos:prefLabel "Flight Termination" ; rdfs:subClassOf d3f:REC-0004 ; d3f:attack-id "REC-0004.01" ; d3f:definition "Threat actors may attempt to learn how the launch vehicle’s flight termination capability is architected and governed, command-destruct versus autonomous flight termination (AFTS), authority chains, cryptographic protections, arming interlocks, inhibit ladders, telemetry indicators, and range rules for safe-flight criteria. While FTS is a range safety function, its interfaces (command links, keys, timing sources, decision logic) can reveal design patterns, dependencies, and potential misconfigurations across the broader launch ecosystem. Knowledge of test modes, simulation harnesses, and pre-launch checks could inform social-engineering or availability-degrading actions against range or contractor systems during critical windows." ; rdfs:seeAlso . d3f:REC-0005 a owl:Class ; rdfs:label "Eavesdropping - SPARTA" ; skos:prefLabel "Eavesdropping" ; rdfs:subClassOf d3f:SPARTAReconnaissanceTechnique ; d3f:attack-id "REC-0005" ; d3f:definition "Adversaries seek to passively (and sometimes semi-passively) capture mission communications across terrestrial networks and RF/optical links to reconstruct protocols, extract telemetry, and derive operational rhythms. On networks, packet captures, logs, and flow data from ground stations, mission control, and cloud backends can expose service boundaries, authentication patterns, and automation. In the RF domain, wideband recordings, spectrograms, and demodulation of TT&C and payload links, spanning VHF/UHF through S/L/X/Ka and, increasingly, optical, enable identification of modulation/coding, framing, and beacon structures. Even when links are encrypted, metadata such as carrier plans, symbol rates, polarization, and cadence can support traffic analysis, timing attacks, or selective interference. Community capture networks and open repositories amplify the reach of a modest adversary." ; rdfs:seeAlso . d3f:REC-0005.01 a owl:Class ; rdfs:label "Uplink Intercept Eavesdropping - SPARTA" ; skos:prefLabel "Uplink Intercept Eavesdropping" ; rdfs:subClassOf d3f:REC-0005 ; d3f:attack-id "REC-0005.01" ; d3f:definition "Uplink reconnaissance focuses on capturing the command path from ground to spacecraft to learn telecommand framing, authentication fields, timing, and anti-replay behavior. Valuable artifacts include emission designators, symbol rates, polarization sense, Doppler profiles, and any preambles or ranging tones that gate command acceptance. Even if payload and TT&C share spectrum, their authentication postures often differ, knowledge an adversary can exploit. Partial captures, console screenshots, or training recordings reduce the effort needed to build an SDR pipeline that “looks right” on the air. Where missions authenticate without encrypting the uplink, traffic analysis can reveal command cadence and maintenance windows." ; rdfs:seeAlso . d3f:REC-0005.02 a owl:Class ; rdfs:label "Downlink Intercept - SPARTA" ; skos:prefLabel "Downlink Intercept" ; rdfs:subClassOf d3f:REC-0005 ; d3f:attack-id "REC-0005.02" ; d3f:definition "Downlink collection aims to harvest housekeeping telemetry, event logs, ephemerides, payload data, and operator annotations that reveal system state and procedures. Even when payload content is encrypted, ancillary channels (beacons, health/status, low-rate engineering downlink) can disclose mode transitions, battery and thermal margins, safing events, and next-pass predictions. Community ground networks and public dashboards may inadvertently provide stitched datasets that make trend analysis trivial. Captured framing and coding parameters also help an adversary build testbeds and refine timing for later actions." ; rdfs:seeAlso . d3f:REC-0005.03 a owl:Class ; rdfs:label "Proximity Operations - SPARTA" ; skos:prefLabel "Proximity Operations" ; rdfs:subClassOf d3f:REC-0005 ; d3f:attack-id "REC-0005.03" ; d3f:definition "In proximity scenarios, an adversary platform (or co-located payload) attempts to observe emissions and intra-vehicle traffic at close range, RF side-channels, optical/lasercom leakage, and, in extreme cases, electromagnetic emanations consistent with TEMPEST/EMSEC concerns. Physical proximity can expose harmonics, intermodulation products, local oscillators, and bus activity that are undetectable from the ground, enabling reconstruction of timing, command acceptance windows, or even limited protocol content. In hosted-payload or rideshare contexts, a poorly segregated data path may permit passive observation of TT&C gateways, crosslinks, or payload buses." ; rdfs:seeAlso . d3f:REC-0005.04 a owl:Class ; rdfs:label "Active Scanning (RF/Optical) - SPARTA" ; skos:prefLabel "Active Scanning (RF/Optical)" ; rdfs:subClassOf d3f:REC-0005 ; d3f:attack-id "REC-0005.04" ; d3f:definition "Active scanning moves beyond passive collection: an adversary transmits or injects probes intended to elicit identifiable responses that reveal frequencies, protocols, or device behavior. Examples include stimulating auto-track or auto-reply beacons, provoking ranging responses, tickling access schemes (TDMA/FDMA bursts), or sending benign-looking frames to observe AGC, saturation, or error counters. Optical/lasercom analogs include alignment pings or modulation patterns that solicit acquisition messages. The objective is RF “banner grabbing”, learning enough to build compatible demod/decoder chains or to map control surfaces, without necessarily breaching authentication. Because scans can resemble normal acquisition attempts, they may blend into the noise floor of operations." ; rdfs:seeAlso . d3f:REC-0006 a owl:Class ; rdfs:label "Gather FSW Development Information - SPARTA" ; skos:prefLabel "Gather FSW Development Information" ; rdfs:subClassOf d3f:SPARTAReconnaissanceTechnique ; d3f:attack-id "REC-0006" ; d3f:definition "Adversaries collect a cradle-to-operations view of how flight software is built, tested, signed, and released. Useful artifacts include architecture docs, source trees and SBOMs, compiler/linker toolchains and flags, RTOS and middleware versions, build scripts, CI/CD pipelines, code-signing workflows, defect trackers, and release notes that describe “as-built” vs. “as-flown” deltas. They also seek integration environments, emulators/SIL, flatsats/iron birds, hardware-in-the-loop rigs, and the autonomy/FDIR logic that governs mode transitions and patch acceptance. With this knowledge, a threat actor can identify weak crypto or provenance controls on update paths, predict error-handling behavior, and craft inputs that slip past unit/integration tests. Even small disclosures (e.g., a linker script, an assert string, or a sanitized crash dump) shrink the search space for exploitation." ; rdfs:seeAlso . d3f:REC-0006.01 a owl:Class ; rdfs:label "Development Environment - SPARTA" ; skos:prefLabel "Development Environment" ; rdfs:subClassOf d3f:REC-0006 ; d3f:attack-id "REC-0006.01" ; d3f:definition "Threat actors enumerate the exact environment used to produce flight builds: IDEs and plugins, cross-compilers and SDKs, container images/VMs, environment variables, path conventions, build systems, static libraries, and private package registries. They correlate repository layouts (mono- vs multi-repo), branch and review policies, protected branches/tags, and CI orchestrators to find where policy gaps allow unreviewed code or tool updates. Secrets embedded in configs (tokens, service accounts), permissive compiler/linker flags, or disabled hardening options are especially valuable. Knowledge of debug/diagnostic builds, symbol servers, and crash-dump handling lets an adversary reconstruct higher-fidelity testbeds or derive function boundaries in stripped images." ; rdfs:seeAlso . d3f:REC-0006.02 a owl:Class ; rdfs:label "Security Testing Tools - SPARTA" ; skos:prefLabel "Security Testing Tools" ; rdfs:subClassOf d3f:REC-0006 ; d3f:attack-id "REC-0006.02" ; d3f:definition "Adversaries study how you test to learn what you don’t test. They inventory static analyzers and coding standards (MISRA/C, CERT, CWE rulesets), dynamic tools (address/UB sanitizers, valgrind-class tools), fuzzers targeted at command parsers and protocols (e.g., CCSDS TC/TM, payload formats), property-based tests, mutation testing, coverage thresholds, and formal methods applied to mode logic or crypto. They also examine HIL setups, fault-injection frameworks, timing/jitter tests, and regression suites that gate release. Gaps, such as minimal negative testing on rare modes, weak corpus diversity, or untested rate/size limits, inform exploit design and the timing of inputs to evade FDIR or saturate queues." ; rdfs:seeAlso . d3f:REC-0007 a owl:Class ; rdfs:label "Monitor for Safe-Mode Indicators - SPARTA" ; skos:prefLabel "Monitor for Safe-Mode Indicators" ; rdfs:subClassOf d3f:SPARTAReconnaissanceTechnique ; d3f:attack-id "REC-0007" ; d3f:definition "Adversaries watch for telltale signs that the spacecraft has entered a safed or survival configuration, typically sun-pointing or torque-limited attitude, reduced payload activity, conservative power/thermal setpoints, and low-rate engineering downlink. Indicators include specific mode bits or beacon fields, changes in modulation/coding and cadence, distinctive event packets (e.g., wheel unload aborts, brownout recovery), elevated heater duty, altered load-shed states, and operator behaviors such as emergency DSN requests, longer ground passes, or public anomaly notices. This reconnaissance helps time later actions to coincide with periods of reduced bandwidth, altered monitoring, or maintenance command availability. It may also reveal how safing affects authentication (e.g., whether rapid-response paths or recovery consoles differ from nominal)." ; rdfs:seeAlso . d3f:REC-0008 a owl:Class ; rdfs:label "Gather Supply Chain Information - SPARTA" ; skos:prefLabel "Gather Supply Chain Information" ; rdfs:subClassOf d3f:SPARTAReconnaissanceTechnique ; d3f:attack-id "REC-0008" ; d3f:definition "Threat actors map the end-to-end pathway by which hardware, software, data, and people move from design through AIT, launch, and on-orbit sustainment. They catalog manufacturers and lots, test and calibration houses, logistics routes and waypoints, integrator touchpoints, key certificates and tooling, update and key-loading procedures, and who holds custody at each handoff. They correlate this with procurement artifacts, SBOMs, BOMs, and service contracts to locate where trust is assumed rather than verified. Particular attention falls on exceptions, engineering builds, rework tickets, advance replacements, depot repairs, and urgent field updates, because controls are frequently relaxed there. The result is a prioritized list of choke points (board fabrication, FPGA bitstream signing, image repositories, CI/CD runners, cloud artifact stores, freight forwarders) where compromise yields outsized effect." ; rdfs:seeAlso . d3f:REC-0008.01 a owl:Class ; rdfs:label "Hardware Recon - SPARTA" ; skos:prefLabel "Hardware Recon" ; rdfs:subClassOf d3f:REC-0008 ; d3f:attack-id "REC-0008.01" ; d3f:definition "Adversaries seek insight into component sources, screening levels, test histories, and configuration states to prepare pre-delivery manipulation of boards and modules. High-value details include ASIC/FPGA part numbers and stepping, security fuses and life-cycle states, JTAG/SWD access policies, secure-boot and anti-rollback configuration, golden bitstream handling, board layouts and test points, conformal coat practices, and acceptance test procedures with allowable tolerances. Knowledge of substitute/alternate parts, counterfeit screening thresholds, and waiver histories reveals where counterfeit insertion or parametric “near-miss” parts might evade detection. For programmable logic, attackers target synthesis/place-and-route toolchains, IP core versions, and bitstream encryption keys to enable hardware Trojans or debug backdoors that survive functional test. Logistics artifacts (packing lists, RMA workflows, depot addresses) expose moments when custody is thin and tamper opportunities expand." ; rdfs:seeAlso . d3f:REC-0008.02 a owl:Class ; rdfs:label "Software Recon - SPARTA" ; skos:prefLabel "Software Recon" ; rdfs:subClassOf d3f:REC-0008 ; d3f:attack-id "REC-0008.02" ; d3f:definition "Threat actors enumerate the software factory: where source lives, how dependencies are pulled, how artifacts are built, signed, stored, and promoted to flight. They inventory repos and access models, CI/CD orchestrators, build containers and base images, package registries, signing services/HSMs, update channels, and the policies that gate promotion (tests, reviews, attestations). With this, an adversary can plan dependency confusion or typosquatting attacks, modify build scripts, poison cached artifacts, or swap binaries at distribution edges (mirrors, CDN, ground station staging)." ; rdfs:seeAlso . d3f:REC-0008.03 a owl:Class ; rdfs:label "Known Vulnerabilities - SPARTA" ; skos:prefLabel "Known Vulnerabilities" ; rdfs:subClassOf d3f:REC-0008 ; d3f:attack-id "REC-0008.03" ; d3f:definition "Adversaries correlate discovered component and software versions with public and private vulnerability sources to assemble a ready exploit catalog. Inputs include CPE/CVE mappings, vendor advisories, CWE-class weaknesses common to selected RTOS/middleware, FPGA IP core errata, cryptographic library issues, and hardware stepping errata that interact with thermal/power regimes. They mine leaked documents, demo code, bug trackers, and community forums; pivot from ground assets to flight by following shared libraries and tooling; and watch for lag between disclosure and patch deployment. Even when a vulnerability seems “ground-only,” it may expose build systems or update paths that ultimately control flight artifacts." ; rdfs:seeAlso . d3f:REC-0008.04 a owl:Class ; rdfs:label "Business Relationships - SPARTA" ; skos:prefLabel "Business Relationships" ; rdfs:subClassOf d3f:REC-0008 ; d3f:attack-id "REC-0008.04" ; d3f:definition "Threat actors map contractual and operational relationships to identify the weakest well-connected node. They enumerate primes and subs (bus, payload, ground, launch), managed service providers, ground-network operators, cloud/SaaS tenants, testing and calibration labs, logistics and customs brokers, and warranty/repair depots, plus who holds remote access, who moves money, and who approves changes. Public artifacts (press releases, procurement records, org charts, job postings, conference bios) and technical traces (email MX/DMARC, shared SSO/IdP providers, cross-domain service accounts) reveal trust bridges between enclaves. Shipment paths and integration schedules expose when and where hardware and sensitive data concentrate. Understanding these ties enables tailored phishing, invoice fraud, credential reuse, and supply-chain insertion timed to integration milestones." ; rdfs:seeAlso . d3f:REC-0009 a owl:Class ; rdfs:label "Gather Mission Information - SPARTA" ; skos:prefLabel "Gather Mission Information" ; rdfs:subClassOf d3f:SPARTAReconnaissanceTechnique ; d3f:attack-id "REC-0009" ; d3f:definition "Adversaries compile a CONOPS-level portrait of the mission to predict priorities, constraints, and operational rhythms. They harvest stated needs, goals, and performance measures; enumerate key elements/instruments and their duty cycles; and extract mode logic, operational constraints (pointing, keep-outs, contamination, thermal/power margins), and contingency concepts. They mine the scientific and engineering basis, papers, algorithms, calibration methods, to anticipate data value, processing chains, and where integrity or availability attacks would have maximal effect. They correlate physical and support environments (ground networks, cloud pipelines, data distribution partners, user communities) and public schedules (campaigns, calibrations, maneuvers) to identify periods of elevated workload or reduced margin. The aim is not merely understanding but timing: choosing moments when authentication might be relaxed, monitoring is saturated, or rapid-response authority is invoked." ; rdfs:seeAlso . d3f:Receiver a owl:Class, owl:NamedIndividual ; rdfs:label "Receiver" ; rdfs:subClassOf d3f:HardwareDevice, [ a owl:Restriction ; owl:onProperty d3f:receives ; owl:someValuesFrom d3f:Signal ] ; d3f:definition "A receiver is a device or system that acquires signals and converts them into usable information. It senses a physical carrier (such as electromagnetic fields, light, electrical currents, or acoustic waves), conditions the input, and extracts the intended content through operations like filtering, amplification, detection, synchronization, demodulation, decoding, and error correction. A receiver may be analog or digital, implemented in hardware, software, or both, and is designed to mitigate impairments such as noise, interference, and distortion while delivering recovered data or media to downstream processes." ; d3f:receives d3f:Signal ; rdfs:seeAlso . d3f:ReconnaissanceTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Reconnaissance Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0043 ] ; d3f:definition "The adversary is trying to gather information they can use to plan future operations." ; d3f:enables d3f:TA0043 . d3f:Record a owl:Class, owl:NamedIndividual ; rdfs:label "Record" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "In computer science, a record (also called struct or compound data) is a basic data structure. A record is a collection of fields, possibly of different data types, typically in fixed number and sequence . The fields of a record may also be called members, particularly in object-oriented programming. Fields may also be called elements, though these risk confusion with the elements of a collection. A tuple may or may not be considered a record, and vice versa, depending on conventions and the specific programming language." . d3f:RecurrentNeuralNetwork a owl:Class, owl:NamedIndividual ; rdfs:label "Recurrent Neural Network" ; rdfs:subClassOf d3f:DeepNeuralNetClassification ; d3f:d3fend-id "D3A-RNN" ; d3f:definition "Recurrent Nerual Networks (RNN) are a class of artificial neural networks where connections between nodes can create a cycle, allowing output from some nodes to affect subsequent input to the same nodes. This allows it to exhibit temporal dynamic behavior." ; d3f:kb-article """## References Wikipedia. (2021, September 7). Recurrent Neural Network. [Link](https://en.wikipedia.org/wiki/Recurrent_neural_network)""" . d3f:ReferenceNullification a owl:Class, owl:NamedIndividual ; rdfs:label "Reference Nullification" ; rdfs:subClassOf d3f:SourceCodeHardening, [ a owl:Restriction ; owl:onProperty d3f:hardens ; owl:someValuesFrom d3f:MemoryFreeFunction ] ; d3f:d3fend-id "D3-RN" ; d3f:definition "Invalidating all pointers that reference a specific memory block, ensuring that the block cannot be accessed or modified after deallocation." ; d3f:hardens d3f:MemoryFreeFunction ; d3f:kb-article """## How it Works Nullifying references to memory blocks makes those blocks no longer accessible. This is critical to prevent use-after-free errors. ## Considerations * If a memory block is freed, all other references to that block should be nullified. * This is particularly relevant when manually managing memory. * Note: This resource should not be considered a definitive or exhaustive coding guideline.""" ; d3f:kb-reference d3f:Reference-ReferenceNullification_SecureSoftwareInc . d3f:RegexMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Regex Matching" ; rdfs:subClassOf d3f:PartialMatching ; d3f:d3fend-id "D3A-RM" ; d3f:definition "Regular expression matching is type of partial string matching using a regular expression, which is a sequence of characters that specifies a match pattern in text." ; d3f:kb-article """## How it works A regular expression (shortened as regex or regexp) is a sequence of characters that specifies a match pattern in text. Usually such patterns are used by string-searching algorithms for "find" or "find and replace" operations on strings, or for input validation. ## Key Test Considerations - **External review of regular expressions**: Regular expressions used in rules should be reviewed by a independent developer SME. Regex testing and visualization tools may be used to aid this review. Back-tests for failure modes identified during the review shoud be developed. Regular expressions are easy to get wrong and may appear to work on limited tests; small mistakes can lead to unintended misses and matches.] - **Processing Performance Review**: Review of resource-intensive rules may be necessary if system performance degraded. Look for cases of “exponential backtracking” Some regexes are computationally expensive. ## References 1. Regular expression. (2023, June 1). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Regular_expression). 2. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm).""" ; d3f:synonym "Regex", "Regexp" . d3f:RegistryKeyDeletion a d3f:RegistryKeyDeletion, owl:Class, owl:NamedIndividual ; rdfs:label "Registry Key Deletion" ; rdfs:subClassOf d3f:ObjectEviction, [ a owl:Restriction ; owl:onProperty d3f:deletes ; owl:someValuesFrom d3f:WindowsRegistryKey ] ; d3f:d3fend-id "D3-RKD" ; d3f:definition "Delete a registry key." ; d3f:deletes d3f:WindowsRegistryKey ; d3f:kb-reference d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks . d3f:RegressionAnalysis a owl:Class, owl:NamedIndividual ; rdfs:label "Regression Analysis" ; rdfs:subClassOf d3f:StatisticalMethod ; d3f:d3fend-id "D3A-RA" ; d3f:definition "Regression analysis is a set of statistical processes for estimating the relationships between a dependent variable (often called the 'outcome' or 'response' variable, or a 'label' in machine learning parlance) and one or more independent variables (often called 'predictors', 'covariates', 'explanatory variables' or 'features')." ; d3f:kb-article """## References Wikipedia. (n.d.). Regression analysis. [Link](https://en.wikipedia.org/wiki/Regression_analysis)""" . d3f:RegressionAnalysisLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Regression Analysis Learning" ; rdfs:subClassOf d3f:SupervisedLearning ; d3f:d3fend-id "D3A-RAL" ; d3f:definition "Regression is used to understand the relationship between dependent and independent variables which is then used to make projections, such as for sales revenue for a given business." ; d3f:kb-article """## References Supervised Learning. IBM. [Link](https://www.ibm.com/topics/supervised-learning).""" . d3f:ReinforcementLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Reinforcement Learning" ; rdfs:subClassOf d3f:MachineLearning ; d3f:d3fend-id "D3A-RL" ; d3f:definition "Reinforcement Learning is a subjugate technique of machine learning that uses feedback to reinforce good or valid rules and lessen the reliance of bad or ineffective rules" ; d3f:kb-article """## References Reinforcement learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Reinforcement_learning).""" . d3f:ReissueCredential a d3f:ReissueCredential, owl:Class, owl:NamedIndividual ; rdfs:label "Reissue Credential" ; rdfs:subClassOf d3f:RestoreAccess, [ a owl:Restriction ; owl:onProperty d3f:restores ; owl:someValuesFrom d3f:Credential ] ; d3f:d3fend-id "D3-RIC" ; d3f:definition "Issue a new credential to a user which supercedes their old credential." ; d3f:kb-reference d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks ; d3f:restores d3f:Credential . d3f:Relational-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Relational-based Transfer Learning" ; rdfs:subClassOf d3f:HomogenousTransferLearning ; d3f:d3fend-id "D3A-RBTL" ; d3f:definition "Relational-based Transfer Learning is a subfield of machine learning where knowledge and patterns learned from one domain, characterized by relational and structured data, are transferred to enhance the learning of another related domain. This approach leverages shared concepts, relations, and structures across domains, taking advantage of the rich semantic knowledge within relational data to improve learning performance in the target task." ; d3f:kb-article """## References V7 Labs. (n.d.). Transfer Learning Guide. [Link](https://www.v7labs.com/blog/transfer-learning-guide#:~:text=Relational%2Dbased%20transfer%20learning%20approaches,domain%20to%20the%20target%20domain).""" . d3f:RelayPatternAnalysis a d3f:RelayPatternAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Relay Pattern Analysis" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:OutboundInternetNetworkTraffic ] ; d3f:analyzes d3f:OutboundInternetNetworkTraffic ; d3f:d3fend-id "D3-RPA" ; d3f:definition "The detection of an internal host relaying traffic between the internal network and the external network." ; d3f:kb-article """## How it works A relay may use a variety of proxying, forwarding, or routing technologies to bridge a protected network with an external network. A defensive analytic to detect a relay network may compare the network sessions among multiple hosts. Hosts which have nearly similar network statistics may be part of a relay network. The statistics may include number of bytes sent to and from, time of session initiation, packet size, or packet arrival time data. ## Considerations Complex intranet VPNs or routing encapsulation may affect the detection analytics. In addition, unwanted packets might not be forwarded, and additional packets may be added at the relay, further complicating detection.""" ; d3f:kb-reference d3f:Reference-MaliciousRelayDetectionOnNetworks_VECTRANETWORKSInc ; d3f:synonym "Relay Network Detection" . d3f:RemoteAttacker a owl:Class ; rdfs:label "Remote Attacker" ; rdfs:subClassOf d3f:Attacker ; d3f:definition "An attacker who exploits systems without being physically present near the target, often over the internet." . d3f:RemoteAuthenticationService a owl:Class, owl:NamedIndividual ; rdfs:label "Remote Authentication Service" ; rdfs:subClassOf d3f:AuthenticationService, d3f:NetworkService ; d3f:definition "A remote authentication service provides for the authentication of a user across a network (i.e., remotely)." . d3f:RemoteAuthorizationService a owl:Class ; rdfs:label "Remote Authorization Service" ; rdfs:subClassOf d3f:AuthorizationService ; d3f:definition "A remote authorization service provides for the authorization of a user across a network (i.e., remotely)." . d3f:RemoteCommand a owl:Class, owl:NamedIndividual ; rdfs:label "Remote Command" ; rdfs:subClassOf d3f:Command ; d3f:definition "A remote command is an instruction or set of instructions issued from a geographically or logically distant location to control, configure, or elicit a response from a target system, device, or entity. The execution of a remote command does not require direct physical interaction with the target; instead, it relies on a communication link to transmit the instruction and receive any resulting feedback or data." . d3f:RemoteDatabaseQuery a owl:Class ; rdfs:label "Remote Database Query" ; rdfs:subClassOf d3f:DatabaseQuery, d3f:RemoteCommand ; d3f:definition "A remote query session enabling a user to make an SQL, SPARQL, or similar query over the network from one host to another." ; rdfs:seeAlso . d3f:RemoteFileAccessMediation a d3f:RemoteFileAccessMediation, owl:Class, owl:NamedIndividual ; rdfs:label "Remote File Access Mediation" ; rdfs:subClassOf d3f:NetworkResourceAccessMediation, [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:File ] ; d3f:d3fend-id "D3-RFAM" ; d3f:definition "Remote file access mediation is the process of managing and securing access to file systems over a network to ensure that only authorized users or processes can interact with remote files." ; d3f:isolates d3f:File ; d3f:kb-article """## How it works Remote File Access Mediation focuses on controlling how users or processes access file systems from remote locations. This involves ensuring secure connections, often through protocols like SFTP or SMB, and enforcing permissions to prevent unauthorized access or data breaches. Examples of enforcement areas include accessing shared drives or cloud storage from remote offices or home networks.""" ; d3f:kb-reference d3f:Reference-NIST-Special-Publication-800-53-Revision-5 ; d3f:synonym "File Share Access Mediation" . d3f:RemoteFirmwareUpdateMonitoring a d3f:RemoteFirmwareUpdateMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "Remote Firmware Update Monitoring" ; rdfs:subClassOf d3f:ApplicationProtocolCommandAnalysis, [ a owl:Restriction ; owl:onProperty d3f:detects ; owl:someValuesFrom d3f:OTDeviceFirmwareCommand ], [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:OTNetworkTraffic ] ; d3f:d3fend-id "D3-RFUM" ; d3f:definition "Monitoring of remote firmware update commands to identify unauthorized software installations." ; d3f:detects d3f:OTDeviceFirmwareCommand ; d3f:kb-article """## How it works By deploying sensors within the OT environment to passively monitor network traffic, tools can leverage deep packet inspection to identify protocol-specific commands and generate logs of relevant firmware activity. Additionally, these tools may incorporate behavioral and signature-based analysis to enhance detection and alerting capabilities.""" ; d3f:kb-reference d3f:Reference-MethodForDetectingAnomaliesInTimeSeriesDataProducedByDevicesOfAnInfrastructureInANetwork ; d3f:monitors d3f:OTNetworkTraffic ; rdfs:seeAlso . d3f:RemoteLoginSession a owl:Class ; rdfs:label "Remote Login Session" ; rdfs:subClassOf d3f:NetworkSession ; d3f:definition "A remote login session is a login session where a client has logged in from their local host machine to a server via a network." . d3f:RemoteProcedureCall a owl:Class ; rdfs:label "Remote Procedure Call" ; rdfs:subClassOf d3f:RemoteCommand ; rdfs:isDefinedBy ; d3f:definition "In distributed computing a remote procedure call (RPC) is when a computer program causes a procedure (subroutine) to execute in another address space (commonly on another computer on a shared network), which is coded as if it were a normal (local) procedure call, without the programmer explicitly coding the details for the remote interaction. That is, the programmer writes essentially the same code whether the subroutine is local to the executing program, or remote. This is a form of client-server interaction (caller is client, executor is server), typically implemented via a request-response message-passing system. The object-oriented programming analog is remote method invocation (RMI). The RPC model implies a level of location transparency." ; rdfs:seeAlso . d3f:RemoteResource a owl:Class ; rdfs:label "Remote Resource" ; rdfs:subClassOf d3f:Resource ; d3f:definition "In computing, a remote resource is a computer resource made available from one host to other hosts on a computer network. It is a device or piece of information on a computer that can be remotely accessed from another computer, typically via a local area network or an enterprise intranet." ; rdfs:seeAlso d3f:NetworkResource . d3f:RemoteSession a owl:Class, owl:NamedIndividual ; rdfs:label "Remote Session" ; rdfs:subClassOf d3f:NetworkSession ; d3f:definition "A remote login session is a login session where a client has logged in from their local host machine to a server via a network." . d3f:RemoteShellCommand a owl:Class ; rdfs:label "Remote Shell Command" ; rdfs:subClassOf d3f:RemoteCommand ; d3f:definition "A remote shell command is a command sent from one computer to another to be executed on the remote computer. One example of this, is through a command-line interface (CLI) like using Invoke-Command from PowerShell or a command sent through an ssh session. This class generalizes to all means of sending a command through an established protocol to control capabilities on a remote computer." ; rdfs:seeAlso . d3f:RemoteTerminalSession a owl:Class ; rdfs:label "Remote Terminal Session" ; rdfs:subClassOf d3f:NetworkSession ; d3f:definition "A remote terminal session is a session that provides a user access from one host to another host via a terminal." . d3f:RemoteTerminalSessionDetection a d3f:RemoteTerminalSessionDetection, owl:Class, owl:NamedIndividual ; rdfs:label "Remote Terminal Session Detection" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:analyzes d3f:NetworkTraffic ; d3f:d3fend-id "D3-RTSD" ; d3f:definition "Detection of an unauthorized remote live terminal console session by examining network traffic to a network host." ; d3f:kb-article """## How it works An external attacker takes remote control of a host inside a company or organization's network and manually directs offensive techniques. Nonstandard terminal sessions and abnormal behaviors are analyzed in this technique. Abnormal behavior detection includes analysis of user input patterns in the real-time session, keyboard output and packet inspection. ### Network Traffic Inspection Network traffic from internal hosts is the main concern and focus for the traffic inspection. The network traffic is collected into inspection groups. The groups of traffic are assembled into distinct pair flows (outbound/inbound) and the pair flows are further divided into sessions. Only sessions originated inside of the network are considered for the inspection. Traffic inspection includes analysis to determine if a human is involved in the session exchanges. Time-based statistics are captured for each session being analyzed by the detection engine. ### Algorithm Analysis Description Analysis algorithms look for patterns in the network traffic captured from the session data. A detection engine groups the session traffic data, between the hosts, into rapid exchange instances. Analysis of rapid exchange traffic patterns can lead to the discovery of abnormal behavior which is indicative of a compromised internal host. The analysis algorithms look for patterns in the traffic which correlate to known activity (e.g., relay attacks, bot activity, bitcoin mining). Some metrics used during inspection include the following. * Number of rapid-exchange instances * Time interval between packets * Fixed cadence of traffic * Rhythm and direction of the initiation of instances * Volume of data flowing from internal to external controlling host * Data transfer characteristics * Variability in length of silent periods ## Considerations * Full packet capture is required which can be process intensive to analyze * Attackers that move low and slow may blend in with existing traffic resulting in false negatives""" ; d3f:kb-reference d3f:Reference-MethodAndSystemForDetectingExternalControlOfCompromisedHosts_VECTRANETWORKSInc, d3f:Reference-RDPConnectionDetection_MITRE, d3f:Reference-RemoteDesktopLogon_MITRE . d3f:RemovableMediaDevice a owl:Class, owl:NamedIndividual ; rdfs:label "Removable Media Device" ; rdfs:subClassOf d3f:HardwareDevice ; d3f:definition "A removable media device is a hardware device used for computer storage and that is designed to be inserted and removed from the system. It is distinct from other removable media in that all the hardware required to read the data are built into the device. So USB flash drives and external hard drives are removable media devices, whereas tapes and disks are not, as they require additional hardware to perform read/write operations." ; rdfs:seeAlso . d3f:RemoveUserFromGroupEvent a owl:Class ; rdfs:label "Remove User from Group Event" ; rdfs:subClassOf d3f:GroupManagementEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:UserAccount ], [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:AddUserToGroupEvent ] ; d3f:definition "An event where a user is removed from a group, revoking the permissions and privileges associated with the group from the user." . d3f:Repository a owl:Class ; rdfs:label "Repository" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "A centralized digital storage location where code, files, and related resources are systematically organized, managed, and maintained." . d3f:ResamplingEnsemble a owl:Class, owl:NamedIndividual ; rdfs:label "Resampling Ensemble" ; rdfs:subClassOf d3f:EnsembleLearning ; d3f:d3fend-id "D3A-RE" ; d3f:definition "In the method, the small classes are oversampled and large classes are undersampled. The resampling scale is determined by the ratio of the min class number and max class number. And multiple machine learning methods are selected to construct the ensemble" ; d3f:kb-article """## References Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning). Torgo, L. (2014). A resampling ensemble algorithm for improved accuracy. *Neurocomputing*, 134, 55-66. [Link](https://www.sciencedirect.com/science/article/pii/S0925231214007644#:~:text=A%20resampling%20ensemble%20algorithm%20is,and%20undersampling%20are%20empirically%20analyzed).""" . d3f:ResidualNeuralNetwork a owl:Class, owl:NamedIndividual ; rdfs:label "Residual Neural Network" ; rdfs:subClassOf d3f:ConvolutionalNeuralNetwork ; d3f:d3fend-id "D3A-RNN" ; d3f:definition "A residual neural network (ResNet) is an artificial neural network (ANN). It is a gateless or open-gated variant of the HighwayNet, the first working very deep feedforward neural network with hundreds of layers, much deeper than previous neural networks." ; d3f:kb-article """## References Wikipedia contributors. (2021, August 23). Residual neural network. In Wikipedia, The Free Encyclopedia. [Link](https://en.wikipedia.org/wiki/Residual_neural_network)""" . d3f:Resource a owl:Class, owl:NamedIndividual ; rdfs:label "Resource" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "In computing, a system resource, or simply resource, is any physical or virtual component of limited availability within a computer system. Every device connected to a computer system is a resource. Every internal system component is a resource. Virtual system resources include files (concretely file handles), network connections (concretely network sockets), and memory areas. Managing resources is referred to as resource management, and includes both preventing resource leaks (releasing a resource when a process has finished using it) and dealing with resource contention (when multiple processes wish to access a limited resource)." . d3f:ResourceAccess a owl:Class, owl:NamedIndividual ; rdfs:label "Resource Access" ; rdfs:subClassOf d3f:UserAction ; d3f:definition "Ephemeral digital artifact comprising a request of a resource and any response from that resource." ; rdfs:seeAlso . d3f:ResourceAccessPatternAnalysis a d3f:ResourceAccessPatternAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Resource Access Pattern Analysis" ; rdfs:subClassOf d3f:UserBehaviorAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Authentication ], [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Authorization ] ; d3f:analyzes d3f:Authentication, d3f:Authorization ; d3f:d3fend-id "D3-RAPA" ; d3f:definition "Analyzing the resources accessed by a user to identify unauthorized activity." ; d3f:kb-article """## How it works This technique analyzes a user's resource accesses by comparing the user's recent activity against a baseline activity model. Major differences between the current activity and the baseline model might indicate unauthorized activity if they are severe enough. ## Considerations * Potential for false positives from anomalies that are not associated with malicious activity. * Attackers that move low and slow may not differentiate their resource access activity behavior enough to trigger an alert.""" ; d3f:kb-reference d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd, d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC, d3f:Reference-ModelingUserAccessToComputerResources_DaedalusGroupLLC, d3f:Reference-SystemAndMethodThereofForIdentifyingAndRespondingToSecurityIncidentsBasedOnPreemptiveForensics_PaloAltoNetworksInc, . d3f:ResourceDevelopmentTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Resource Development Technique" ; rdfs:subClassOf d3f:ATTACKEnterpriseTechnique, d3f:OffensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:TA0042 ] ; d3f:definition "The adversary is trying to establish resources they can use to support operations." ; d3f:enables d3f:TA0042 . d3f:ResourceFork a owl:Class, owl:NamedIndividual ; rdfs:label "Resource Fork" ; rdfs:subClassOf d3f:FileSection ; rdfs:isDefinedBy ; d3f:definition "The resource fork is a fork or section of a file on Apple's classic Mac OS operating system, which was also carried over to the modern macOS for compatibility, used to store structured data along with the unstructured data stored within the data fork." . d3f:RestorationEvent a owl:Class, owl:NamedIndividual ; rdfs:label "Restoration Event" ; rdfs:subClassOf d3f:SecurityEvent ; d3f:definition "An event representing actions to return a compromised system or resource to a trusted operational state, such as through backup restoration, system reinstallation, or repair." ; d3f:related d3f:Restore . d3f:Restore a d3f:DefensiveTactic, owl:Class, owl:NamedIndividual ; rdfs:label "Restore" ; rdfs:subClassOf d3f:DefensiveTactic ; d3f:definition "The restore tactic is used to return the system to a better state." ; d3f:display-order 5 ; d3f:display-priority 0 . d3f:RestoreAccess a d3f:RestoreAccess, owl:Class, owl:NamedIndividual ; rdfs:label "Restore Access" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Restore ] ; d3f:d3fend-id "D3-RA" ; d3f:definition "Restoring an entity's access to resources." ; d3f:enables d3f:Restore ; d3f:kb-reference d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks . d3f:RestoreConfiguration a d3f:RestoreConfiguration, owl:Class, owl:NamedIndividual ; rdfs:label "Restore Configuration" ; rdfs:subClassOf d3f:RestoreObject, [ a owl:Restriction ; owl:onProperty d3f:restores ; owl:someValuesFrom d3f:ConfigurationResource ] ; d3f:d3fend-id "D3-RC" ; d3f:definition "Restoring an software configuration." ; d3f:kb-reference d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks ; d3f:restores d3f:ConfigurationResource . d3f:RestoreDatabase a d3f:RestoreDatabase, owl:Class, owl:NamedIndividual ; rdfs:label "Restore Database" ; rdfs:subClassOf d3f:RestoreObject, [ a owl:Restriction ; owl:onProperty d3f:restores ; owl:someValuesFrom d3f:Database ] ; d3f:d3fend-id "D3-RD" ; d3f:definition "Restoring the data in a database." ; d3f:kb-reference d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks ; d3f:restores d3f:Database . d3f:RestoreDiskImage a d3f:RestoreDiskImage, owl:Class, owl:NamedIndividual ; rdfs:label "Restore Disk Image" ; rdfs:subClassOf d3f:RestoreObject ; d3f:d3fend-id "D3-RDI" ; d3f:definition "Restoring a previously captured disk image a hard drive." ; d3f:kb-reference d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks . d3f:RestoreEmail a d3f:RestoreEmail, owl:Class, owl:NamedIndividual ; rdfs:label "Restore Email" ; rdfs:subClassOf d3f:RestoreFile, [ a owl:Restriction ; owl:onProperty d3f:restores ; owl:someValuesFrom d3f:Email ] ; d3f:d3fend-id "D3-RE" ; d3f:definition "Restoring an email for an entity to access." ; d3f:kb-reference d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks ; d3f:restores d3f:Email . d3f:RestoreFile a d3f:RestoreFile, owl:Class, owl:NamedIndividual ; rdfs:label "Restore File" ; rdfs:subClassOf d3f:RestoreObject, [ a owl:Restriction ; owl:onProperty d3f:restores ; owl:someValuesFrom d3f:File ] ; d3f:d3fend-id "D3-RF" ; d3f:definition "Restoring a file for an entity to access." ; d3f:kb-reference d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks ; d3f:restores d3f:File . d3f:RestoreNetworkAccess a d3f:RestoreNetworkAccess, owl:Class, owl:NamedIndividual ; rdfs:label "Restore Network Access" ; rdfs:subClassOf d3f:RestoreAccess, [ a owl:Restriction ; owl:onProperty d3f:restores ; owl:someValuesFrom d3f:Host ] ; d3f:d3fend-id "D3-RNA" ; d3f:definition "Restoring a entity's access to a computer network." ; d3f:kb-reference d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks ; d3f:restores d3f:Host . d3f:RestoreObject a d3f:RestoreObject, owl:Class, owl:NamedIndividual ; rdfs:label "Restore Object" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Restore ] ; d3f:d3fend-id "D3-RO" ; d3f:definition "Restoring an object for an entity to access. This is the broadest class for object restoral." ; d3f:enables d3f:Restore . d3f:RestoreSoftware a d3f:RestoreSoftware, owl:Class, owl:NamedIndividual ; rdfs:label "Restore Software" ; rdfs:subClassOf d3f:RestoreObject, [ a owl:Restriction ; owl:onProperty d3f:restores ; owl:someValuesFrom d3f:Software ] ; d3f:d3fend-id "D3-RS" ; d3f:definition "Restoring software to a host." ; d3f:kb-reference d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks ; d3f:restores d3f:Software . d3f:RestoreUserAccountAccess a d3f:RestoreUserAccountAccess, owl:Class, owl:NamedIndividual ; rdfs:label "Restore User Account Access" ; rdfs:subClassOf d3f:RestoreAccess, [ a owl:Restriction ; owl:onProperty d3f:restores ; owl:someValuesFrom d3f:UserAccount ] ; d3f:d3fend-id "D3-RUAA" ; d3f:definition "Restoring a user account's access to resources." ; d3f:kb-reference d3f:Reference-CybersecurityIncidentandVulnerabilityResponsePlaybooks ; d3f:restores d3f:UserAccount . d3f:ResumeProcess a owl:Class, owl:NamedIndividual ; rdfs:label "Resume Process" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:resumes ; owl:someValuesFrom d3f:Process ] ; d3f:resumes d3f:Process . d3f:ResumeThread a owl:Class, owl:NamedIndividual ; rdfs:label "Resume Thread" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:resumes ; owl:someValuesFrom d3f:Thread ] ; d3f:resumes d3f:Thread ; rdfs:seeAlso . d3f:ReverseProxyServer a owl:Class ; rdfs:label "Reverse Proxy Server" ; rdfs:subClassOf d3f:ProxyServer ; rdfs:isDefinedBy ; d3f:definition "In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself. Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client. In other words, a proxy acts on behalf of the client(s), while a reverse proxy acts on behalf of the server(s); a reverse proxy is usually an internal-facing proxy used as a 'front-end' to control and protect access to a server on a private network." . d3f:ReverseResolutionIPDenylisting a d3f:ReverseResolutionIPDenylisting, owl:Class, owl:NamedIndividual ; rdfs:label "Reverse Resolution IP Denylisting" ; rdfs:subClassOf d3f:DNSDenylisting, [ a owl:Restriction ; owl:onProperty d3f:blocks ; owl:someValuesFrom d3f:OutboundInternetDNSLookupTraffic ] ; d3f:blocks d3f:OutboundInternetDNSLookupTraffic ; d3f:d3fend-id "D3-RRID" ; d3f:definition "Blocking a reverse lookup based on the query's IP address value." ; d3f:kb-article """## How it works This technique prevents a client from learning domains deemed to be potentially malicious, which would have been delivered via reverse resolution responses over the DNS protocol. Queries for reverse resolution requests (that is, requests where IP(s) are sent and a domain is returned) are collected, and the IP address(es) included in the query are examined. If the IP address(es) are in a range included in the blacklist, then the query is dropped. ## Considerations - The blacklist will have to be maintained and will need to be kept up to date with identified maintenance cycles to ensure lists are not stale. - DNS query traffic can be transmitted over many different protocols, which presents a challenge to implementing methods to extract all DNS query IP address value(s). - DNS has historically used UDP port 53, with TCP port 53 instead used for responses over 512 bytes or after a lack of response over UDP. - Usage of new protocols to provide confidentiality for DNS traffic, such as DoH (DNS over HTTPS) and DoT (DNS over TLS), complicates collection of the IP address(es) in DNS queries. These protocols have often been enabled in browser settings transparently after a browser update, with DNS queries proxied over one of these cryptographic protocols through a specified host.""" ; d3f:kb-reference d3f:Reference-UseDNSPolicyForApplyingFiltersOnDNSQueries ; d3f:synonym "Reverse Resolution IP Blacklisting" . d3f:RevokePrivilegesFromGroupEvent a owl:Class ; rdfs:label "Revoke Privileges from Group Event" ; rdfs:subClassOf d3f:GroupManagementEvent, d3f:PermissionRevokingEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:AssignPrivilegesToGroupEvent ] ; d3f:definition "An event where specific privileges or rights are removed from a group, restricting its members from performing actions or accessing resources previously allowed by those privileges." . d3f:RFShielding a d3f:RFShielding, owl:Class, owl:NamedIndividual ; rdfs:label "RF Shielding" ; rdfs:subClassOf d3f:ElectromagneticRadiationHardening ; d3f:d3fend-id "D3-RFS" ; d3f:definition "Adding physical barriers to a platform to prevent undesired radio interference." ; d3f:kb-reference d3f:Reference-PrivacyAndSecuritySystemsAndMethodsOfUse, d3f:Reference-Technical_Specifications_for_Construction_and_Management_of_Sensitive_Compartmented_Information_Facilities . d3f:ROM a owl:Class ; rdfs:label "ROM" ; rdfs:subClassOf d3f:PrimaryStorage ; rdfs:isDefinedBy ; d3f:definition "Read-only memory (ROM) is a type of non-volatile memory used in computers and other electronic devices. Data stored in ROM cannot be electronically modified after the manufacture of the memory device. Read-only memory is useful for storing software that is rarely changed during the life of the system, also known as firmware." ; d3f:synonym "Read-only Memory" . d3f:Router a owl:Class ; rdfs:label "Router" ; rdfs:subClassOf d3f:ComputerNetworkNode ; rdfs:isDefinedBy ; d3f:definition "A router is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions on the Internet. Data sent through the internet, such as a web page or email, is in the form of data packets. A packet is typically forwarded from one router to another router through the networks that constitute an internetwork (e.g. the Internet) until it reaches its destination node." . d3f:RoutingAccessMediation a d3f:RoutingAccessMediation, owl:Class, owl:NamedIndividual ; rdfs:label "Routing Access Mediation" ; rdfs:subClassOf d3f:NetworkAccessMediation, [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:Network ] ; d3f:d3fend-id "D3-RAM" ; d3f:definition "Routing access mediation is a network security approach that manages and controls access at the network layer using VPNs, tunneling protocols, firewall rules, and traffic inspection to ensure secure and efficient data routing." ; d3f:isolates d3f:Network ; d3f:kb-article """## How it works Routing Access Mediation is a network security strategy focused on managing and controlling access at the network layer. It includes the use of VPNs for secure remote access, tunneling protocols for encapsulating data, firewall rules for filtering traffic, and advanced inspection techniques like Cisco's Context-Based Access Control (CBAC) to monitor and regulate data flow. This approach ensures secure and efficient routing of data across networks, protecting against unauthorized access and enhancing overall network security.""" ; d3f:kb-reference d3f:Reference-WhatIsNetworkAccessControl ; rdfs:seeAlso . d3f:RPCNetworkTraffic a owl:Class, owl:NamedIndividual ; rdfs:label "RPC Network Traffic" ; rdfs:subClassOf d3f:NetworkTraffic ; d3f:definition "RPC network traffic is network traffic related to remote procedure calls between network nodes..This includes only network traffic conforming to a standard RPC protocol; not custom protocols." . d3f:RPCTrafficAnalysis a d3f:RPCTrafficAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "RPC Traffic Analysis" ; rdfs:subClassOf d3f:NetworkTrafficAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:RPCNetworkTraffic ] ; d3f:analyzes d3f:RPCNetworkTraffic ; d3f:d3fend-id "D3-RTA" ; d3f:definition "Monitoring the activity of remote procedure calls in communication traffic to establish standard protocol operations and potential attacker activities." ; d3f:kb-article """## How it works A remote procedure call (RPC) enables one computer to execute a specific function on another computer, as if it were a local application process. There are numerous RPC specifications and implementations. RPC capabilities can be abused by attackers in order to achieve a variety of tactical objectives including execution, persistence, initial access, and more. RPC proxies may be used to collect and store RPC traffic. RPCs can occur over network sockets or named pipes. Analytics look for unauthorized behavior such as: * Processes being launched or scheduled remotely * System configurations being changed remotely * Unauthorized file read activity Example RPC Protocols: * DCE/RPC * CORBA * Open Network Computing Remote Procedure Call * D-Bus * XML-RPC * JSON-RPC * SOAP * Apache Thrift ## Considerations * RPC is widely used in enterprise environments, and significant data filtering may be required in large environments to enable analytic processing. * RPC traffic may occur over a pipe, or within a host over loopback interface, thus making network collection difficult.""" ; d3f:kb-reference d3f:Reference-CAR-2014-05-001%3ARPCActivity_MITRE, d3f:Reference-CAR-2014-11-007-RemoteWindowsManagementInstrumentation_WMI_OverRPC_MITRE, d3f:Reference-CreateRemoteProcessViaWMIC_MITRE_Other, d3f:Reference-RemotelyLaunchedExecutablesViaServices_MITRE, d3f:Reference-RemotelyLaunchedExecutablesViaWMI_MITRE, d3f:Reference-RemotelyScheduledTasksViaSchtasks_MITRE, d3f:Reference-RPCCallInterception_CrowdstrikeInc, d3f:Reference-SMBWriteRequest-NamedPipes_MITRE ; d3f:synonym "RPC Protocol Analysis" . d3f:RTCUpdateEvent a owl:Class ; rdfs:label "RTC Update Event" ; rdfs:subClassOf d3f:HardwareClockEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:RealtimeClock ] ; d3f:definition "An event in which a Real-Time Clock's stored time value is read from or written to its battery-backed storage." . d3f:RTSPServer a owl:Class ; rdfs:label "RTSP Server" ; rdfs:subClassOf d3f:NetworkAudioVisualStreamingResource ; d3f:definition "A streaming server that utilizes the real-time streaming protocol." . d3f:RuntimeVariable a owl:Class, owl:NamedIndividual ; rdfs:label "Runtime Variable" ; rdfs:subClassOf d3f:DigitalInformationBearer ; d3f:definition "A runtime variable is an abstract storage location paired with an associated symbolic name, which contains some known or unknown quantity of data or object referred to as a value, which can change during the execution of a computer program." ; rdfs:seeAlso . d3f:SafeMode a owl:Class ; rdfs:label "Safe Mode" ; rdfs:subClassOf d3f:OperatingMode ; d3f:definition "An intentionally constrained operating mode of a system in which nonessential functions are disabled or limited and control is shifted to a minimal, well-tested configuration that prioritizes preventing harm (to the system, its environment, or data), maintaining basic stability and monitoring, and enabling diagnosis and recovery back to normal operation." ; rdfs:seeAlso . d3f:SARSA a owl:Class, owl:NamedIndividual ; rdfs:label "SARSA" ; rdfs:subClassOf d3f:Model-freeReinforcementLearning ; rdfs:isDefinedBy ; d3f:d3fend-id "D3A-SAR" ; d3f:definition "State-action-reward-state-action (SARSA) is an algorithm for learning a Markov decision process policy, used in the reinforcement learning area of machine learning." ; d3f:kb-article """## References State-action-reward-state-action. Wikipedia. [Link](https://en.wikipedia.org/wiki/State%E2%80%93action%E2%80%93reward%E2%80%93state%E2%80%93action).""" . d3f:Satellite a owl:Class ; rdfs:label "Satellite" ; rdfs:subClassOf d3f:Spacecraft, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:SatelliteTransponder ] ; rdfs:isDefinedBy ; d3f:definition "A satellite or an artificial satellite is an object, typically a spacecraft, placed into orbit around a celestial body. They have a variety of uses, including communication relay, weather forecasting, navigation (GPS), broadcasting, scientific research, and Earth observation." . d3f:SatelliteTransponder a owl:Class, owl:NamedIndividual ; rdfs:label "Satellite Transponder" ; rdfs:subClassOf d3f:Transponder ; rdfs:isDefinedBy ; d3f:definition "A communications satellite's transponder is the series of interconnected units that form a communications channel between the receiving and the transmitting antennas." . d3f:SavedInstructionPointer a owl:Class ; rdfs:label "Saved Instruction Pointer" ; rdfs:subClassOf d3f:Pointer, d3f:StackComponent ; d3f:definition "A saved instruction pointer points to the instruction that generated an exception (trap or fault)." ; rdfs:seeAlso . d3f:SaveRegister a owl:Class, owl:NamedIndividual ; rdfs:label "Save Registers" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:copies ; owl:someValuesFrom d3f:ProcessorRegister ] ; d3f:copies d3f:ProcessorRegister . d3f:ScheduledJob a owl:Class, owl:NamedIndividual ; rdfs:label "Scheduled Job" ; rdfs:subClassOf d3f:OperatingSystemProcess, [ a owl:Restriction ; owl:onProperty d3f:contained-by ; owl:someValuesFrom d3f:JobSchedule ], [ a owl:Restriction ; owl:onProperty d3f:created-by ; owl:someValuesFrom d3f:JobSchedulerSoftware ], [ a owl:Restriction ; owl:onProperty d3f:modified-by ; owl:someValuesFrom d3f:JobSchedulerSoftware ] ; d3f:contained-by d3f:JobSchedule ; d3f:created-by d3f:JobSchedulerSoftware ; d3f:definition "A task scheduler process is an operating system process that executes scheduled tasks (time-scheduling in the sense of wall clock time; not operating system scheduling of processes for multitasking)." ; d3f:modified-by d3f:JobSchedulerSoftware ; d3f:synonym "Scheduled Task", "Task Scheduler Process" ; rdfs:seeAlso , , , . d3f:ScheduledJobAnalysis a d3f:ScheduledJobAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Scheduled Job Analysis" ; rdfs:subClassOf d3f:OperatingSystemMonitoring, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:JobSchedule ] ; d3f:analyzes d3f:JobSchedule ; d3f:d3fend-id "D3-SJA" ; d3f:definition "Analysis of source files, processes, destination files, or destination servers associated with a scheduled job to detect unauthorized use of job scheduling." ; d3f:kb-article """## How it works Scheduled job execution can be utilized by adversaries for the purpose of persistence, conducting remote execution, or gaining privileges. Details of a scheduled job such as associated source files, processes, destination files, or destination servers are first identified and analyzed and then compared against an anti-malware signature database, whitelist, or reputation server. For example, a file associated with a scheduled job to be executed at a specified time or a remote server that is accessed as part of a scheduled task is compared against an anti-malware signature database, whitelist, or reputation server, and if a match is found, execution is denied and an alert is generated. In addition to traditional scheduled jobs, triggers can be set to execute a specific command after detecting a specific event in the system, such as with WMI Event Subscriptions in Windows. ## Considerations Jobs can be scheduled in many different and sometimes creative ways through operating system capabilities.""" ; d3f:kb-reference d3f:Reference-ExecutionWithAT_MITRE, d3f:Reference-ExecutionWithSchtasks_MITRE, d3f:Reference-PreventingExecutionOfTaskScheduledMalware_McAfeeLLC ; d3f:synonym "Scheduled Job Execution" . d3f:ScheduledJobCreationEvent a owl:Class ; rdfs:label "Scheduled Job Creation Event" ; rdfs:subClassOf d3f:ScheduledJobEvent ; d3f:definition "An event representing the addition of a new task to the system's scheduler, defining its execution criteria and associated actions." . d3f:ScheduledJobDeletionEvent a owl:Class ; rdfs:label "Scheduled Job Deletion Event" ; rdfs:subClassOf d3f:ScheduledJobEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ScheduledJobCreationEvent ] ; d3f:definition "An event marking the removal of a scheduled task from the system, terminating its execution schedule." . d3f:ScheduledJobDisableEvent a owl:Class ; rdfs:label "Scheduled Job Disable Event" ; rdfs:subClassOf d3f:ScheduledJobEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ScheduledJobEnableEvent ] ; d3f:definition "An event where a scheduled task is deactivated, preventing further execution until re-enabled." . d3f:ScheduledJobEnableEvent a owl:Class ; rdfs:label "Scheduled Job Enable Event" ; rdfs:subClassOf d3f:ScheduledJobEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ScheduledJobCreationEvent ] ; d3f:definition "An event where a scheduled task is activated, allowing it to execute according to its defined parameters." . d3f:ScheduledJobEvent a owl:Class ; rdfs:label "Scheduled Job Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:ScheduledJob ] ; d3f:definition "An event capturing the lifecycle or management of scheduled tasks within a system, including creation, modification, execution, or removal." ; rdfs:seeAlso . d3f:ScheduledJobStartEvent a owl:Class ; rdfs:label "Scheduled Job Start Event" ; rdfs:subClassOf d3f:ScheduledJobEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ScheduledJobCreationEvent ] ; d3f:definition "An event indicating the execution of a scheduled task, triggered either automatically by the scheduler or manually by a user." . d3f:ScheduledJobUpdateEvent a owl:Class ; rdfs:label "Scheduled Job Update Event" ; rdfs:subClassOf d3f:ScheduledJobEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ScheduledJobCreationEvent ] ; d3f:definition "An event where an existing scheduled task is updated, altering parameters such as timing, conditions, or actions." . d3f:Scheduling a owl:Class ; rdfs:label "Scheduling" ; rdfs:subClassOf d3f:Planning . d3f:ScriptApplicationProcess a owl:Class, owl:NamedIndividual ; rdfs:label "Script Application Process" ; skos:altLabel "Script Process" ; rdfs:subClassOf d3f:ApplicationProcess, [ a owl:Restriction ; owl:onProperty d3f:interprets ; owl:someValuesFrom d3f:ExecutableScript ] ; d3f:definition "A script application process is an application process interpreting an executable script." ; d3f:interprets d3f:ExecutableScript . d3f:ScriptExecutionAnalysis a d3f:ScriptExecutionAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Script Execution Analysis" ; rdfs:subClassOf d3f:ProcessAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:ScriptApplicationProcess ] ; d3f:analyzes d3f:ScriptApplicationProcess ; d3f:d3fend-id "D3-SEA" ; d3f:definition "Analyzing the execution of a script to detect unauthorized user activity." ; d3f:kb-article """## How it works Software installed on the host system hooks into a scripting engine to intercept commands before they are executed and block commands if they are determined to be harmful. Pattern matching is used to identify unauthorized commands or in the case of script files, a hash of the file is compared against hashes of known unauthorized script files. ## Considerations List of known unauthorized script files or regular expression patterns must be kept up to date to ensure detection of new threats.""" ; d3f:kb-reference d3f:Reference-DetectingScript-basedMalware_CrowdstrikeInc . d3f:Second-stageBootLoader a owl:Class ; rdfs:label "Second-stage Boot Loader" ; rdfs:subClassOf d3f:BootLoader ; d3f:definition "An optional, often feature rich, second stage set of routines run in order to load the operating system." . d3f:SecondaryStorage a owl:Class, owl:NamedIndividual ; rdfs:label "Secondary Storage" ; rdfs:subClassOf d3f:HardwareDevice, d3f:Storage ; rdfs:isDefinedBy ; d3f:definition "Secondary memory (storage, hard disk) is the computer component holding information that does not need to be accessed quickly and that needs to be retained long-term." ; rdfs:seeAlso . d3f:SecurityEvent a owl:Class ; rdfs:label "Security Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:caused-by ; owl:someValuesFrom d3f:DefensiveAction ] ; d3f:definition "An event describing occurrences related to cybersecurity, including detection, remediation, or enforcement actions. Security events provide critical insights into the state, behavior, and resilience of digital systems." . d3f:SecurityToken a owl:Class, owl:NamedIndividual ; rdfs:label "Security Token" ; rdfs:subClassOf d3f:HardwareDevice, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:AccessToken ] ; rdfs:isDefinedBy ; d3f:contains d3f:AccessToken ; d3f:definition "Security tokens are peripheral devices used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something." . d3f:SegmentAddressOffsetRandomization a d3f:SegmentAddressOffsetRandomization, owl:Class, owl:NamedIndividual ; rdfs:label "Segment Address Offset Randomization" ; rdfs:subClassOf d3f:ApplicationHardening, [ a owl:Restriction ; owl:onProperty d3f:obfuscates ; owl:someValuesFrom d3f:ProcessSegment ] ; d3f:d3fend-id "D3-SAOR" ; d3f:definition "Randomizing the base (start) address of one or more segments of memory during the initialization of a process." ; d3f:kb-article """## How it works Many application exploits rely on an attacker specifying a location in memory, which points to data or code used by the attacker. If the addresses are changed each time the program is run, then it becomes more difficult for the attacker to determine the location that will contain the code they wish to run. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing." Just as not all code is built for participation in ASLR, not all modules can be rebased; instead, modules must indicate whether they implement support for rebasing. Such information to relocate the executable is typically stored in the ".reloc" segment -- each of the addresses pointed to in this segment has its address increased by the amount of the offset. (An alternative method for relocation would be to add an amount to a global variable each time -- leading to less overhead in the module load, but more for each access. Still another implementation could instead contain code to deference each changeable memory location on the fly, so that each of the references do not need to be updated. ## Considerations As the offset for each segment is constant, it is possible to guess at the value of the address given the address of another variable. Alternatively, memory pointers may be kept around, which contain the address of another variable. Another bypass technique is known as an "egg hunt," whereby the attacker searches for a rather unique piece of the data or code in memory to determine its likely address. The program needs to store these addresses for the functions somewhere. In Linux, the PLT contains a "trampoline" to these addresses. If an attacker desires to jump to the start of an existing function, they can jump directly to the trampoline anyway, and may have the opportunity to provide their own stack frame to the function with a write to the stack. If they overwrite a saved stack pointer which is loaded back into memory, or execute a function, that changes the address of a stack pointer. If an attacker wants to inject some data into the program, for example as a parameter to a known function that is not under ASLR or a pointer to a trampoline function in the PLT, then they can repeat the data until they exceed the range of ASLR coverage, which on 32-bit systems is accomplishable in a few seconds with a heap spray. Microsoft's EMET and Windows 10 Exploit Guard can pre-allocate particular addresses that are commonly used in heap sprays. However, in many products, there does not seem to be nearly a complete coverage of such addresses, which only need to be executable and in the range of the heap; 0x0c0c0c0c is such an address that is commonly used for the x86 processor architecture, as when executed it only performs a numeric operation to a register four times.""" ; d3f:kb-reference d3f:Reference-DYNAMICBASE_UseAddressSpaceLayoutRandomization_MicrosoftDocs, d3f:Reference-HowASLRProtectsLinuxSystemsFromBufferOverflowAttacks_NetworkWorld ; d3f:obfuscates d3f:ProcessSegment ; d3f:synonym "Address Space Layout Randomization", "ASLR" . d3f:Self-organizingMap a owl:Class, owl:NamedIndividual ; rdfs:label "Self-organizing Map" ; rdfs:subClassOf d3f:ANN-basedClustering ; d3f:d3fend-id "D3A-SOM" ; d3f:definition "A Self-Organizing Map (SOM) is a unsupervised learning model in Artificial Neural Network where the feature maps are the generated two-dimensional discretized form of an input space during the model training (based on competitive learning)" ; d3f:kb-article """## References GeeksforGeeks. (n.d.). ANN - Self Organizing Neural Network (SONN). [Link](https://www.geeksforgeeks.org/ann-self-organizing-neural-network-sonn/)""" . d3f:Semi-supervisedBoosting a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Boosting" ; rdfs:subClassOf d3f:Semi-supervisedWrapperMethod ; d3f:d3fend-id "D3A-SSB" ; d3f:definition "Boosting methods can be readily extended to the semi-supervised setting, by introducing pseudo-labeled data after each learning step; which gives rise to the idea of semi-supervised boosting methods. The pseudo-labeling approach of self- training and co-training can be easily extended to boosting methods. Several boosting methods such as SSMBoost, ASSEMBLE, SemiBoost, RegBoost, etc can be found which can be applied for utilizing unlabeled datasets for supervised classifiers." ; d3f:kb-article """## References Jashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)""" . d3f:Semi-supervisedCluster-then-label a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Cluster-then-label" ; rdfs:subClassOf d3f:UnsupervisedPreprocessing ; d3f:d3fend-id "D3A-SSCTL" ; d3f:definition "Pre-training methods are aimed to guide the parameters of a network towards interesting regions in model space using unlabeled data, before fine-tuning the parameters with the labeled data." ; d3f:kb-article """## References Jashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)""" . d3f:Semi-supervisedCo-training a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Co-training" ; rdfs:subClassOf d3f:Semi-supervisedWrapperMethod ; d3f:d3fend-id "D3A-SSCT" ; d3f:definition "Multi-view co-training involves training the classifiers in completely different views of training data. On the other hand, single-view co-training methods are generally applied as ensemble methods." ; d3f:kb-article """## References Jashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)""" . d3f:Semi-supervisedFeatureExtraction a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Feature Extraction" ; rdfs:subClassOf d3f:UnsupervisedPreprocessing ; d3f:d3fend-id "D3A-SSFE" ; d3f:definition "Feature extraction refers to reducing the number of dimensions in a data point so that it is computationally feasible and effective to learn a model." ; d3f:kb-article """## References Jashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)""" . d3f:Semi-supervisedGenerativeModelLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Generative Model Learning" ; rdfs:subClassOf d3f:IntrinsicallySemi-supervisedLearning ; d3f:d3fend-id "D3A-SSGML" ; d3f:definition "A Semi Supervised Machine Learning model which assume that the distributions take some particular form p(x|y,theta) parameterized by the vector. If these assumptions are incorrect, the unlabeled data may actually decrease the accuracy of the solution relative to what would have been obtained from labeled data alone. However, if the assumptions are correct, then the unlabeled data necessarily improves performance." ; d3f:kb-article """## References Weak supervision. Wikipedia. [Link](https://en.wikipedia.org/wiki/Weak_supervision#Generative_models).""" . d3f:Semi-supervisedInductiveLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Inductive Learning" ; rdfs:subClassOf d3f:Semi-SupervisedLearning ; d3f:d3fend-id "D3A-SSIL" ; d3f:definition "The goal of inductive learning is to infer the correct mapping from X to Y." ; d3f:kb-article """## References Semi-Supervised Learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Semi-Supervised_Learning#Semi-supervised_learning). Zhou, D., & Li, M. (2005). Semi-supervised learning by higher order regularization. In Proceedings of the 43rd Annual Meeting of the Association for Computational Linguistics (ACL) (pp. 1-9). [Link](https://www.cs.sfu.ca/~anoop/papers/pdf/semisup_naacl.pdf).""" . d3f:Semi-SupervisedLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-Supervised Learning" ; rdfs:subClassOf d3f:MachineLearning ; d3f:d3fend-id "D3A-SSL" ; d3f:definition "Semi-supervised learning is a branch of machine learning that combines a small amount of labeled data with a large amount of unlabeled data during training." ; d3f:kb-article """## References Semi-Supervised Learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Semi-Supervised_Learning).""" ; rdfs:seeAlso . d3f:Semi-supervisedManifoldLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Manifold Learning" ; rdfs:subClassOf d3f:IntrinsicallySemi-supervisedLearning ; d3f:d3fend-id "D3A-SSML" ; d3f:definition "A version of Semi-Supervised Learning that applies the Manifold assumption that the data like approximately on a manifold of much lower dimension than the input space." ; d3f:kb-article """## References Weak supervision. Wikipedia. [Link](https://en.wikipedia.org/wiki/Weak_supervision#Generative_models).""" . d3f:Semi-supervisedPre-training a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Pre-training" ; rdfs:subClassOf d3f:UnsupervisedPreprocessing ; d3f:d3fend-id "D3A-SSPT" ; d3f:definition "Pre-training methods are aimed to guide the parameters of a network towards interesting regions in model space using unlabeled data, before fine-tuning the parameters with the labeled data" ; d3f:kb-article """## References Jashish Shrestha. (n.d.). Beginner's Guide to Semi-Supervised Learning. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/)""" . d3f:Semi-supervisedSelf-training a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Self-training" ; rdfs:subClassOf d3f:Semi-supervisedWrapperMethod ; d3f:d3fend-id "D3A-SSST" ; d3f:definition "Self-training is the procedure in which a supervised method for classification or regression is modified it to work in a semi-supervised manner, taking advantage of labeled and unlabeled data" ; d3f:kb-article """## References AltexSoft. (n.d.). Semi-Supervised Learning: A Technical Guide with Python Examples. [Link](https://www.altexsoft.com/blog/semi-supervised-learning/#:~:text=One%20of%20the%20simplest%20examples,of%20labeled%20and%20unlabeled%20data.)""" . d3f:Semi-supervisedTransductiveLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Transductive Learning" ; rdfs:subClassOf d3f:Semi-SupervisedLearning ; d3f:d3fend-id "D3A-SSTL" ; d3f:definition """The goal of transductive learning is to infer the correct labels for the given unlabeled data x_{l+1},... ,x_{l+u} only""" ; d3f:kb-article """## References Semi-Supervised Learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Semi-Supervised_Learning#Semi-supervised_learning). Zhou, D., & Li, M. (2005). Semi-supervised learning by higher order regularization. In Proceedings of the 43rd Annual Meeting of the Association for Computational Linguistics (ACL) (pp. 1-9). [Link](https://www.cs.sfu.ca/~anoop/papers/pdf/semisup_naacl.pdf).""" . d3f:Semi-supervisedWrapperMethod a owl:Class, owl:NamedIndividual ; rdfs:label "Semi-supervised Wrapper Method" ; rdfs:subClassOf d3f:Semi-SupervisedLearning ; d3f:d3fend-id "D3A-SSWM" ; d3f:definition "The principle behind wrapper methods is that we train a model with labeled data and then generate pseudo-labels for the unlabeled data using the trained model iteratively." ; d3f:kb-article """## References Jashish, M. (n.d.). Beginner's Guide to Semi-Supervised Learning. Jashish Blog. [Link](http://jashish.com.np/blog/posts/beginners-guide-to-semi-supervised-learning/).""" . d3f:SenderMTAReputationAnalysis a d3f:SenderMTAReputationAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Sender MTA Reputation Analysis" ; rdfs:subClassOf d3f:MessageAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Email ] ; d3f:analyzes d3f:Email ; d3f:d3fend-id "D3-SMRA" ; d3f:definition "Characterizing the reputation of mail transfer agents (MTA) to determine the security risk in emails." ; d3f:kb-article """## How it works The sender message transfer agent (MTA) trust rating can be considered an indicator of the level of security risk and/or a trust level associated with sender MTAs in an email header. The features considered in determining the trust rating may include: * Length of time MTA has interacted with the enterprise * Number of sender domains sending emails from the MTA * Number of recipients in the enterprise the MTA sends emails to * Number of emails received from this MTA * Number of email replies received from this MTA For example, higher values for the length of time an MTA has interacted with the enterprise, or number of emails received from an MTA can result in a higher trust rating. The trust rating categorizes the sender MTA as unrated, neutral, trusted, suspicious, or malicious. ## Considerations Legitimate emails from a sender MTA may receive a lower trust rating over time if the sender's domain gets spoofed and is used to send unauthorized emails.""" ; d3f:kb-reference d3f:Reference-SystemsAndMethodsForDetectingAnd_orHandlingTargetedAttacksInTheEmailChannel_GraphusInc . d3f:SenderReputationAnalysis a d3f:SenderReputationAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Sender Reputation Analysis" ; rdfs:subClassOf d3f:MessageAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Email ] ; d3f:analyzes d3f:Email ; d3f:d3fend-id "D3-SRA" ; d3f:definition "Ascertaining sender reputation based on information associated with a message (e.g. email/instant messaging)." ; d3f:kb-article """## How it works Sender trust rating can be considered an indicator of the level of security risk and/or a trust level associated with a sender. The features considered in determining the trust rating include: * Length of time sender has sent emails to the enterprise * Number of recipients in the enterprise the sender interacts with * Sender vs. enterprise originated message ratio * Sender messages opened vs. not-opened ratio * Number of emails received from this sender * Number of emails replied to this sender * Number of emails from this sender not opened * Number of emails from this sender not opened that contain an attachment * Number of emails from this sender not opened that contain a URL * Number of emails sent to this sender * Number of email replies received from this sender. Higher values for the number of recipients the sender has interacted with or the number of emails received from the sender, for example, results in a higher trust rating. The trust rating can categorize the sender as unrated, neutral, trusted, suspicious, or malicious. ## Considerations Legitimate emails from a sender may receive a lower trust rating over time if the sender's domain gets spoofed and is used to send unauthorized emails.""" ; d3f:kb-reference d3f:Reference-SystemsAndMethodsForDetectingAnd_orHandlingTargetedAttacksInTheEmailChannel_GraphusInc . d3f:Sensor a owl:Class ; rdfs:label "Sensor" ; rdfs:subClassOf d3f:D3FENDCore, d3f:DigitalInformationBearer ; d3f:definition "In the broadest definition, a sensor is a device, module, machine, or subsystem that detects events or changes in its environment and sends the information to other electronics, frequently a computer." ; rdfs:seeAlso , . d3f:SeqGAN a owl:Class, owl:NamedIndividual ; rdfs:label "SeqGAN" ; rdfs:subClassOf d3f:GenerativeAdversarialNetwork ; d3f:d3fend-id "D3A-SEQ" ; d3f:definition "Sequence Generation Framework (SeqGAN) models the data generator as a stochastic policy in reinforcement learning (RL), SeqGAN bypasses the generator differentiation problem by directly performing gradient policy update." ; d3f:kb-article """## References Yu, L., Zhang, W., Wang, J., & Yu, Y. (2017). SeqGAN: Sequence Generative Adversarial Nets with Policy Gradient. ArXiv preprint ArXiv:1609.05473. [Link](https://arxiv.org/abs/1609.05473)""" ; d3f:synonym "Sequence GAN" . d3f:SerializationFunction a owl:Class ; rdfs:label "Serialization Function" ; rdfs:subClassOf d3f:Subroutine ; d3f:definition "A function which has an operation that serializes data." . d3f:Server a owl:Class, owl:NamedIndividual ; rdfs:label "Server" ; rdfs:subClassOf d3f:Host, [ a owl:Restriction ; owl:onProperty d3f:manages ; owl:someValuesFrom d3f:ServiceApplicationProcess ], [ a owl:Restriction ; owl:onProperty d3f:runs ; owl:someValuesFrom d3f:ServiceApplication ] ; rdfs:isDefinedBy ; d3f:definition "In computing, a server is a piece of computer hardware or software (computer program) that provides functionality for other programs or devices, called \"clients\". This architecture is called the client-server model. Servers can provide various functionalities, often called \"services\", such as sharing data or resources among multiple clients, or performing computation for a client. A single server can serve multiple clients, and a single client can use multiple servers. A client process may run on the same device or may connect over a network to a server on a different device. Typical servers are database servers, file servers, mail servers, print servers, web servers, game servers, and application servers." ; d3f:manages d3f:ServiceApplicationProcess ; d3f:runs d3f:ServiceApplication . d3f:ServiceAccount a owl:Class ; rdfs:label "Service Account" ; rdfs:subClassOf d3f:UserAccount ; d3f:definition "A service account is a type of account used by an application or service to interact with the operating system." ; d3f:synonym "System Account" . d3f:ServiceApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Service Application" ; rdfs:subClassOf d3f:Application ; d3f:definition "An application that provides a set of software functionalities so that multiple clients who can reuse the functionality, provided they are authorized for use of the service." ; rdfs:seeAlso , , . d3f:ServiceApplicationProcess a owl:Class, owl:NamedIndividual ; rdfs:label "Service Application Process" ; rdfs:subClassOf d3f:ApplicationProcess ; d3f:definition "A Service Application Process performs specific tasks or provides functionality to support other processes, applications, or users." . d3f:ServiceBinaryVerification a d3f:ServiceBinaryVerification, owl:Class, owl:NamedIndividual ; rdfs:label "Service Binary Verification" ; rdfs:subClassOf d3f:SystemFileAnalysis, [ a owl:Restriction ; owl:onProperty d3f:verifies ; owl:someValuesFrom d3f:ServiceApplication ] ; d3f:d3fend-id "D3-SBV" ; d3f:definition "Analyzing changes in service binary files by comparing to a source of truth." ; d3f:kb-article """## How it works System service applications may originate from the operating system installation or third-party applications installed with administrative privileges. These services have an entry point of some executable file-- a binary or a script. Attackers sometimes modify these executables to launch their own code. Analyzing changes in these files may uncover unauthorized activity. ## Considerations * These files change for legitimate reasons when the system or software updates. * The source of truth must not be corrupted in order for this method to work.""" ; d3f:kb-reference d3f:Reference-ServiceBinaryModifications_MITRE ; d3f:verifies d3f:ServiceApplication . d3f:ServiceDeletionEvent a owl:Class ; rdfs:label "Service Deletion Event" ; rdfs:subClassOf d3f:ApplicationDeletionEvent, d3f:ServiceEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ServiceInstallationEvent ] ; d3f:definition "An event capturing the uninstallation or deregistration of a service application, ensuring it is no longer operational or available to clients." . d3f:ServiceDependency a owl:Class, owl:NamedIndividual ; rdfs:label "Service Dependency" ; rdfs:subClassOf d3f:Dependency ; d3f:definition "A service dependency indicates a service has an activity, agent, or another service which relies on it in order to be functional." . d3f:ServiceDependencyMapping a d3f:ServiceDependencyMapping, owl:Class, owl:NamedIndividual ; rdfs:label "Service Dependency Mapping" ; rdfs:subClassOf d3f:SystemMapping, [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:ServiceDependency ] ; d3f:d3fend-id "D3-SVCDM" ; d3f:definition "Service dependency mapping determines the services on which each given service relies." ; d3f:kb-article """## How it works The organization collects and models architectural information about the services and consumers of services and maps the dependencies between the services. ## Considerations * Architectural design artifacts and SMEs may need to be consulted to determine if dependencies are intended or otherwise essential. * Service dependencies for critical systems--those supporting critical organizational activities--should be prioritized for supply chain risk analysis. * Service dependencies in cloud or microservice architectures may be discovered using distributed tracing capabilities""" ; d3f:kb-reference d3f:Reference-CatiaUAFPlugin, d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources, d3f:Reference-UnifiedArchitectureFrameworkUAF ; d3f:maps d3f:ServiceDependency ; d3f:synonym "Distributed Tracing" . d3f:ServiceDisableEvent a owl:Class ; rdfs:label "Service Disable Event" ; rdfs:subClassOf d3f:ApplicationDisableEvent, d3f:ServiceEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ServiceEnableEvent ] ; d3f:definition "An event capturing the deactivation of a service application, preventing it from being started or accessed until re-enabled." . d3f:ServiceEnableEvent a owl:Class ; rdfs:label "Service Enable Event" ; rdfs:subClassOf d3f:ApplicationEnableEvent, d3f:ServiceEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ServiceInstallationEvent ] ; d3f:definition "An event representing the activation of a service application, allowing it to start and provide its background or networked functionality." . d3f:ServiceEvent a owl:Class ; rdfs:label "Service Event" ; rdfs:subClassOf d3f:ApplicationEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:ServiceApplication ] ; d3f:definition "An event capturing the operation, configuration, or lifecycle of a service application. Services are specialized applications designed to provide reusable functionality to clients, systems, or other applications, often operating in the background or across networks." . d3f:ServiceInstallationEvent a owl:Class ; rdfs:label "Service Installation Event" ; rdfs:subClassOf d3f:ApplicationInstallationEvent, d3f:ServiceEvent ; d3f:definition "An event representing the installation or registration of a service application within the system, enabling it to provide background or reusable functionality." . d3f:ServiceProvider a owl:Class ; rdfs:label "Service Provider" ; rdfs:subClassOf d3f:Provider ; d3f:definition "A service provider offers delivery of intangible outputs such as expertise, support, or access to resources to individuals, organizations, or other entities." . d3f:ServiceRestartEvent a owl:Class ; rdfs:label "Service Restart Event" ; rdfs:subClassOf d3f:ApplicationRestartEvent, d3f:ServiceEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ServiceStopEvent ], [ a owl:Restriction ; owl:onProperty d3f:precedes ; owl:someValuesFrom d3f:ServiceStartEvent ] ; d3f:definition "An event describing the sequential stopping and starting of a service application to refresh its state, apply updates, or resolve operational issues." . d3f:ServiceStartEvent a owl:Class ; rdfs:label "Service Start Event" ; rdfs:subClassOf d3f:ApplicationStartEvent, d3f:ServiceEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ServiceInstallationEvent ] ; d3f:definition "An event representing the initiation of a service application, transitioning it from an inactive state to an active state, enabling its background or networked operations." . d3f:ServiceStopEvent a owl:Class ; rdfs:label "Service Stop Event" ; rdfs:subClassOf d3f:ApplicationStopEvent, d3f:ServiceEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ServiceStartEvent ] ; d3f:definition "An event capturing the cessation of a service application’s operations, transitioning it to an inactive state while ceasing its functionality to clients or dependent systems." . d3f:ServiceUpdateEvent a owl:Class ; rdfs:label "Service Update Event" ; rdfs:subClassOf d3f:ApplicationUpdateEvent, d3f:ServiceEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:ServiceInstallationEvent ] ; d3f:definition "An event describing changes made to a service application, such as updates, reconfigurations, or patch installations, ensuring its continued availability and functionality." . d3f:Session a owl:Class, owl:NamedIndividual ; rdfs:label "Session" ; rdfs:subClassOf d3f:DigitalInformationBearer ; rdfs:isDefinedBy ; d3f:definition "In computer science, in particular networking, a session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (see Login session). A session is set up or established at a certain point in time, and then torn down at some later point. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses." ; rdfs:seeAlso . d3f:SessionCookie a owl:Class, owl:NamedIndividual ; rdfs:label "Session Cookie" ; skos:altLabel "In-memory Cookie", "Non-persistent Cookie", "Transient Cookie", "Web Session Cookie" ; rdfs:subClassOf d3f:Credential ; rdfs:isDefinedBy ; d3f:definition "A session cookie, also known as an in-memory cookie, transient cookie or non-persistent cookie, exists only in temporary memory while the user navigates the website. Web browsers normally delete session cookies when the user closes the browser. Unlike other cookies, session cookies do not have an expiration date assigned to them, which is how the browser knows to treat them as session cookies." ; rdfs:seeAlso , . d3f:SessionDurationAnalysis a d3f:SessionDurationAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "Session Duration Analysis" ; rdfs:subClassOf d3f:UserBehaviorAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Authentication ], [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:Authorization ] ; d3f:analyzes d3f:Authentication, d3f:Authorization ; d3f:d3fend-id "D3-SDA" ; d3f:definition "Analyzing the duration of user sessions in order to detect unauthorized activity." ; d3f:kb-article """## How it works Detecting unauthorized user sessions by comparing the duration of a user logon session with a baseline behavior model. The behavior model comprises historical user session duration times. Abnormalities between session duration and the behavior model may indicate suspicious activity. ## Considerations * Potential for false positives from anomalies that are not associated with malicious activity. * Attackers may not differentiate their session duration enough to trigger an alert.""" ; d3f:kb-reference d3f:Reference-MethodAndApparatusForNetworkFraudDetectionAndRemediationThroughAnalytics_IdaptiveLLC, . d3f:SessionTermination a d3f:SessionTermination, owl:Class, owl:NamedIndividual ; rdfs:label "Session Termination" ; rdfs:subClassOf d3f:ProcessEviction, [ a owl:Restriction ; owl:onProperty d3f:deletes ; owl:someValuesFrom d3f:Session ] ; d3f:d3fend-id "D3-ST" ; d3f:definition "Forcefully end all active sessions associated with compromised accounts or devices." ; d3f:deletes d3f:Session ; d3f:kb-article "Defined in NIST 800-53 as AC-12." ; d3f:kb-reference d3f:Reference-NIST-Special-Publication-800-53A-Revision-5 . d3f:SessionToken a owl:Class, owl:NamedIndividual ; rdfs:label "Session Token" ; rdfs:subClassOf d3f:AccessToken ; rdfs:isDefinedBy ; d3f:definition "In computer science, a session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTPS) to identify a session, a series of related message exchanges." ; d3f:kb-article """## How it works Session identifiers become necessary in cases where the communications infrastructure uses a stateless protocol such as HTTP. For example, a buyer who visits a seller's website wants to collect a number of articles in a virtual shopping cart and then finalize the shopping by going to the site's checkout page. This typically involves an ongoing communication where several webpages are requested by the client and sent back to them by the server. In such a situation, it is vital to keep track of the current state of the shopper's cart, and a session ID is one way to achieve that goal.""" ; d3f:synonym "Session ID", "Session Identifier", "Session Token" . d3f:SetRegisters a owl:Class, owl:NamedIndividual ; rdfs:label "Set Registers" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:ProcessorRegister ] ; d3f:modifies d3f:ProcessorRegister . d3f:SetSystemConfigValue a owl:Class, owl:NamedIndividual ; rdfs:label "Set System Config Value" ; rdfs:subClassOf d3f:SystemConfigSystemCall, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:SystemConfigurationDatabaseRecord ] ; d3f:modifies d3f:SystemConfigurationDatabaseRecord ; rdfs:seeAlso . d3f:SetThreadContext a owl:Class, owl:NamedIndividual ; rdfs:label "Set Thread Context" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:Thread ] ; d3f:modifies d3f:Thread ; rdfs:seeAlso . d3f:ShadowStack a owl:Class, owl:NamedIndividual ; rdfs:label "Shadow Stack" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:copy-of ; owl:someValuesFrom d3f:CallStack ] ; rdfs:isDefinedBy ; d3f:copy-of d3f:CallStack ; d3f:definition "A shadow stack is a mechanism for protecting a procedure's stored return address, such as from a stack buffer overflow. The shadow stack itself is a second, separate stack that \"shadows\" the program call stack. In the function prologue, a function stores its return address to both the call stack and the shadow stack. In the function epilogue, a function loads the return address from both the call stack and the shadow stack, and then compares them. If the two records of the return address differ, then an attack is detected." . d3f:ShadowStackComparisons a d3f:ShadowStackComparisons, owl:Class, owl:NamedIndividual ; rdfs:label "Shadow Stack Comparisons" ; rdfs:subClassOf d3f:ProcessAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:StackFrame ] ; d3f:analyzes d3f:StackFrame ; d3f:d3fend-id "D3-SSC" ; d3f:definition "Comparing a call stack in system memory with a shadow call stack maintained by the processor to determine unauthorized shellcode activity." ; d3f:kb-article """## How it works This technique compares the call stack stored in system memory with the shadow call stack maintained in the cache memory of the processor. Mismatches between the two are compared since a return oriented programming attack may only be able to control or spoof the call stack and not the shadow call stack. Mismatches are counted and if the number of mismatches exceeds a certain threshold it is an indication of unauthorized activity and a security response action is performed. ## Considerations If the threshold for detecting a stack anomaly is low, it may not detect a return-oriented attack with just one gadget, such as a return-to-libc or return-to-plt attack. Additionally, this technique may not detect JOP (Jump-oriented programming), as the return instruction is not executed.""" ; d3f:kb-reference d3f:Reference-ThreatDetectionForReturnOrientedProgramming_CrowdstrikeInc . d3f:SharedComputer a owl:Class ; rdfs:label "Shared Computer" ; rdfs:subClassOf d3f:ClientComputer ; d3f:definition "A computer whose resources are intended to be shared widely." ; rdfs:seeAlso . d3f:SharedLibraryFile a owl:Class, owl:NamedIndividual ; rdfs:label "Shared Library File" ; skos:altLabel "Shared Library", "Shared Object" ; rdfs:subClassOf d3f:ObjectFile ; rdfs:isDefinedBy ; d3f:definition "A shared library file is a file that is intended to be shared by executable files and further shared library (object) files. Modules used by a program are loaded from individual shared objects into memory at load time or runtime, rather than being copied by a linker when it creates a single monolithic executable file for the program" . d3f:SharedResourceAccessFunction a owl:Class, owl:NamedIndividual ; rdfs:label "Shared Resource Access Function" ; rdfs:subClassOf d3f:Subroutine, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:Resource ] ; d3f:accesses d3f:Resource ; d3f:definition "A function which access a shared resource." . d3f:ShellCommand a owl:Class, owl:NamedIndividual ; rdfs:label "Shell Command" ; rdfs:subClassOf d3f:Command, [ a owl:Restriction ; owl:onProperty d3f:may-create ; owl:someValuesFrom d3f:Process ], [ a owl:Restriction ; owl:onProperty d3f:may-execute ; owl:someValuesFrom d3f:ExecutableFile ], [ a owl:Restriction ; owl:onProperty d3f:recorded-in ; owl:someValuesFrom d3f:CommandHistoryLog ] ; rdfs:isDefinedBy ; d3f:definition "A shell command is a directive to some kind of command-line interface, such as a shell." ; d3f:may-create d3f:Process ; d3f:may-execute d3f:ExecutableFile ; d3f:recorded-in d3f:CommandHistoryLog . d3f:Shim a owl:Class, owl:NamedIndividual ; rdfs:label "Shim" ; rdfs:subClassOf d3f:Software ; rdfs:isDefinedBy ; d3f:definition "In computer programming, a shim is a small library that transparently intercepts API calls and changes the arguments passed, handles the operation itself, or redirects the operation elsewhere. Shims can be used to support an old API in a newer environment, or a new API in an older environment. Shims can also be used for running programs on different software platforms than those for which they were developed." . d3f:ShimDatabase a owl:Class, owl:NamedIndividual ; rdfs:label "Shim Database" ; rdfs:subClassOf d3f:ApplicationConfigurationDatabase ; d3f:definition "A application configuration database that contains or points to software shims (e.g., for backward compatibility, patches, etc.)" ; d3f:synonym "Microsoft Shim Database File" . d3f:ShortcutFile a owl:Class ; rdfs:label "Shortcut File" ; rdfs:subClassOf d3f:File ; d3f:definition """A shortcut file, or shortcut, is a handle that allows the user to find a file or resource located in a different directory or folder from the place where the shortcut is located. Shortcuts, which are supported by the graphical file browsers of some operating systems, may resemble symbolic links but differ in a number of important ways. One difference is what type of software is able to follow them: - Symbolic links are automatically resolved by the file system. Any software program, upon accessing a symbolic link, will see the target instead, whether the program is aware of symbolic links or not. - Shortcuts are treated like ordinary files by the file system and by software programs that are not aware of them. Only software programs that understand shortcuts (such as the Windows shell and file browsers) treat them as references to other files. Another difference are the capabilities of the mechanism: - Microsoft Windows shortcuts normally refer to a destination by an absolute path (starting from the root directory), whereas POSIX symbolic links can refer to destinations via either an absolute or a relative path. The latter is useful if both the location and destination of the symbolic link share a common path prefix[clarification needed], but that prefix is not yet known when the symbolic link is created (e.g., in an archive file that can be unpacked anywhere). - Microsoft Windows application shortcuts contain additional metadata that can be associated with the destination, whereas POSIX symbolic links are just strings that will be interpreted as absolute or relative pathnames. - Unlike symbolic links, Windows shortcuts maintain their references to their targets even when the target is moved or renamed. Windows domain clients may subscribe to a Windows service called Distributed Link Tracking to track the changes in files and folders to which they are interested. The service maintains the integrity of shortcuts, even when files and folders are moved across the network.[14] Additionally, in Windows 9x and later, Windows shell tries to find the target of a broken shortcut before proposing to delete it.""" ; rdfs:seeAlso , . d3f:Signal a owl:Class, owl:NamedIndividual ; rdfs:label "Signal" ; rdfs:subClassOf d3f:PhysicalArtifact, [ a owl:Restriction ; owl:onProperty d3f:carries ; owl:someValuesFrom d3f:DigitalInformation ] ; rdfs:isDefinedBy ; d3f:definition "In electronics and telecommunications, signal refers to any time-varying voltage, current, or electromagnetic wave that carries information." . d3f:Simulation a owl:Class ; rdfs:label "Simulation" ; rdfs:subClassOf d3f:Generation . d3f:SingularValueDecomposition a owl:Class, owl:NamedIndividual ; rdfs:label "Singular Value Decomposition" ; rdfs:subClassOf d3f:DimensionReduction ; d3f:d3fend-id "D3A-SVD" ; d3f:definition "Singular Value Decomposition (SVD) is an algorithm that represents a matrix as a linear series of data and to find the set of factors that will best predict an outcome" ; d3f:kb-article """## References Wikipedia. (n.d.). Singular value decomposition. [Link](https://en.wikipedia.org/wiki/Singular_value_decomposition)""" . d3f:Skewness a owl:Class, owl:NamedIndividual ; rdfs:label "Skewness" ; rdfs:subClassOf d3f:DistributionProperties ; d3f:d3fend-id "D3A-SKE" ; d3f:definition "Skewness is a measure of the asymmetry of the probability distribution of a real-valued random variable about its mean. The standardized moment of a probability distribution function." ; d3f:kb-article """## References Wikipedia. (n.d.). Skewness. [Link](https://en.wikipedia.org/wiki/Skewness)""" . d3f:SlowSymbolicLink a owl:Class ; rdfs:label "Slow Symbolic Link" ; skos:altLabel "Slow Symlink" ; rdfs:subClassOf d3f:SymbolicLink, d3f:UnixLink ; d3f:definition "A slow symbolic link is any symbolic link on a Unix filesystem that is not a fast symbolic link; slow symlink is thus retroactively termed from fast symlink. Slow symbolic links stored the symbolic link information as data in regular files." ; rdfs:seeAlso . d3f:SMBEvent a owl:Class ; rdfs:label "SMB Event" ; rdfs:subClassOf d3f:ApplicationLayerEvent, d3f:TCPEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:FileTransferNetworkTraffic ] ; d3f:definition "An event involving the Server Message Block (SMB) protocol, a network file sharing protocol that allows client-server communication for accessing files, printers, and other shared network resources. SMB supports both transactional file operations and communication over reliable transport layers." ; rdfs:seeAlso . d3f:SMBFileCreateEvent a owl:Class ; rdfs:label "SMB File Create Event" ; rdfs:subClassOf d3f:SMBEvent ; d3f:definition "An event where a file is created if it does not already exist, failing if the file is already present. This operation strictly enforces new file creation." . d3f:SMBFileOpenEvent a owl:Class ; rdfs:label "SMB File Open Event" ; rdfs:subClassOf d3f:SMBEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:SMBFileCreateEvent ] ; d3f:definition "An event where a file is opened if it exists, failing otherwise. This operation is used to access or query the existing file." . d3f:SMBFileOpenIfEvent a owl:Class ; rdfs:label "SMB File Open If Event" ; rdfs:subClassOf d3f:SMBEvent ; d3f:definition "An event where a file is opened if it exists, or created if it does not. This operation merges file creation and access behavior." . d3f:SMBFileOverwriteEvent a owl:Class ; rdfs:label "SMB File Overwrite Event" ; rdfs:subClassOf d3f:SMBEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:SMBFileCreateEvent ] ; d3f:definition "An event where a file is opened and truncated if it exists, failing if the file does not already exist. This operation is destructive and focuses on replacing the file's contents." . d3f:SMBFileOverwriteIfEvent a owl:Class ; rdfs:label "SMB File Overwrite If Event" ; rdfs:subClassOf d3f:SMBEvent ; d3f:definition "An event where a file is opened and truncated if it exists, or created otherwise. This operation combines destructive overwrite and creation behaviors." . d3f:SMBFileSupersedeEvent a owl:Class ; rdfs:label "SMB File Supersede Event" ; rdfs:subClassOf d3f:SMBEvent ; d3f:definition "An event where a file is overwritten if it exists or created if it does not. This operation combines file creation and modification semantics." . d3f:Software a owl:Class, owl:NamedIndividual ; rdfs:label "Software" ; rdfs:subClassOf d3f:DigitalInformation, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:ExecutableFile ], [ a owl:Restriction ; owl:onProperty d3f:implements ; owl:someValuesFrom d3f:Subroutine ], [ a owl:Restriction ; owl:onProperty d3f:instructs ; owl:someValuesFrom d3f:Process ] ; rdfs:isDefinedBy ; d3f:contains d3f:ExecutableFile ; d3f:definition "Computer software, or simply software, is that part of a computer system that consists of encoded information or computer instructions, in contrast to the physical hardware from which the system is built." ; d3f:implements d3f:Subroutine ; d3f:instructs d3f:Process . d3f:Software-definedRadio a owl:Class, owl:NamedIndividual ; rdfs:label "Software-defined Radio" ; rdfs:subClassOf d3f:HardwareDevice, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Receiver ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Software-definedRadioConfiguration ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:Transmitter ] ; rdfs:isDefinedBy ; d3f:contains d3f:Receiver, d3f:Software-definedRadioConfiguration ; d3f:definition "Software-defined radio (SDR) is a radio communication system where components that conventionally have been implemented in analog hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a computer or embedded system." ; d3f:may-contain d3f:Transmitter ; d3f:synonym "SDR" . d3f:Software-definedRadioComputer a owl:Class, owl:NamedIndividual ; rdfs:label "Software-Defined Radio Computer" ; rdfs:subClassOf d3f:OTEmbeddedComputer, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Software-definedRadio ], [ a owl:Restriction ; owl:onProperty d3f:may-run ; owl:someValuesFrom d3f:Real-timeOperatingSystem ], [ a owl:Restriction ; owl:onProperty d3f:runs ; owl:someValuesFrom d3f:Software-definedRadioWaveformApplication ] ; d3f:contains d3f:Software-definedRadio ; d3f:definition "An embedded computer that includes a self-contained radio system, onboard compute (e.g., SoC/CPU/DSP/FPGA), and software/firmware sufficient to run waveforms and manage RF functions without requiring a continuously attached host PC. It typically exposes control and data via network or other external interfaces and may run an embedded OS." ; d3f:may-run d3f:Real-timeOperatingSystem ; d3f:runs d3f:Software-definedRadioWaveformApplication ; d3f:synonym "Standalone SDR" ; rdfs:seeAlso . d3f:Software-definedRadioConfiguration a owl:Class, owl:NamedIndividual ; rdfs:label "Software-defined Radio Configuration" ; rdfs:subClassOf d3f:HardwareDeviceConfiguration ; d3f:definition "The physical radio hardware parameters used by a software-defined radio (SDR), including center frequency, bandwidth, gain settings, antenna selection, ADC/DAC sample rates, filter characteristics, power output, and others." ; rdfs:seeAlso . d3f:Software-definedRadioDevice a owl:Class ; rdfs:label "Software-Defined Radio Device" ; rdfs:subClassOf d3f:Software-definedRadio ; d3f:definition "A hardware device that functions primarily as an RF front end plus data conversion and transport, relying on an external host computer to run most waveform/DSP processing and to control operation. It is commonly connected via USB, PCIe, or similar links and behaves like a high-speed radio peripheral." ; d3f:synonym "Peripheral SDR" ; rdfs:seeAlso . d3f:Software-definedRadioEvent a owl:Class ; rdfs:label "Software-defined Radio Event" ; rdfs:subClassOf d3f:DigitalEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Software-definedRadio ] ; d3f:definition "An event involving a software-defined radio (SDR) device indicating that the SDR's lifecycle state, operational state, configuration, data-streaming status, timing/reference status, or fault condition has changed." ; d3f:synonym "SDR Event" . d3f:Software-definedRadioRFStateChangeEvent a owl:Class ; rdfs:label "Software-defined Radio RF State Change Event" ; rdfs:subClassOf d3f:Software-definedRadioEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Software-definedRadioConfiguration ] ; d3f:definition "A software-defined radio (SDR) event where one or more radio-frequency (RF) parameters have been changed in a way that affects reception or emission (e.g., center frequency retune, gain/attenuation update, bandwidth/filter selection, antenna/port switch, TX enable/disable, etc)." . d3f:Software-definedRadioWaveformApplication a owl:Class, owl:NamedIndividual ; rdfs:label "Software-defined Radio Waveform Application" ; rdfs:subClassOf d3f:DigitalSignalProcessingApplication, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:FPGABitstream ] ; rdfs:isDefinedBy ; d3f:definition "A software implementation of a radio waveform that executes on the programmable processing elements of a software-defined radio and realizes the signal processing functions necessary to transmit and receive a specific radio signal. On peripheral SDRs, this can take the form of a compiled flowgraph that runs on the host PC, whereas in stand-alone SDRs it may be an FPGA bitstream or waveform package that executes on the SDR's processing elements." ; d3f:may-contain d3f:FPGABitstream ; d3f:synonym "SDR waveform", "Waveform Software" ; rdfs:seeAlso . d3f:Software-definedRadioWaveformConfigurationEvent a owl:Class ; rdfs:label "Software-defined Radio Waveform Application Configuration Event" ; rdfs:subClassOf d3f:Software-definedRadioEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Software-definedRadioComputer ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Software-definedRadioWaveformApplication ] ; d3f:definition "An SDR event where the waveform application's operational parameters have been applied and validated (e.g., sample rate, bandwidth, channel selection, framing/modulation options), placing the waveform in a state ready to run." . d3f:Software-definedRadioWaveformLoadEvent a owl:Class ; rdfs:label "Software-defined Radio Waveform Application Load Event" ; rdfs:subClassOf d3f:Software-definedRadioEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Software-definedRadioComputer ], [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:Software-definedRadioWaveformApplication ] ; d3f:definition "An SDR event where a waveform application (software/firmware/FPGA image and associated descriptors) has been installed or selected on the SDR and is available to be configured." . d3f:SoftwareArtifactServer a owl:Class ; rdfs:label "Software Artifact Server" ; rdfs:subClassOf d3f:ArtifactServer ; d3f:definition "A software artifact server provides access to the software artifacts in a software repository. A software repository, or \"repo\" for short, is a storage location for software packages. Often a table of contents is stored, as well as metadata. Repositories group packages. Sometimes the grouping is for a programming language, such as CPAN for the Perl programming language, sometimes for an entire operating system, sometimes the license of the contents is the criteria. At client side, a package manager helps installing from and updating the repositories." ; rdfs:seeAlso , . d3f:SoftwareClock a owl:Class, owl:NamedIndividual ; rdfs:label "Software Clock" ; rdfs:subClassOf d3f:Clock, [ a owl:Restriction ; owl:onProperty d3f:implemented-by ; owl:someValuesFrom d3f:Software ] ; d3f:definition "A clock implemented in software which may synchronize with hardware clocks or external time sources." ; d3f:implemented-by d3f:Software ; rdfs:seeAlso . d3f:SoftwareClockEvent a owl:Class ; rdfs:label "Software Clock Event" ; rdfs:subClassOf d3f:ClockEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:SoftwareClock ] ; d3f:definition "A clock event involving a software-based timekeeping mechanism maintained by an operating system or application." . d3f:SoftwareDeploymentTool a owl:Class, owl:NamedIndividual ; rdfs:label "Software Deployment Tool" ; rdfs:subClassOf d3f:ServiceApplication ; d3f:definition "Software that coordinates the deployment process of software to systems, typically remotely." . d3f:SoftwareInventory a d3f:SoftwareInventory, owl:Class, owl:NamedIndividual ; rdfs:label "Software Inventory" ; rdfs:subClassOf d3f:AssetInventory, [ a owl:Restriction ; owl:onProperty d3f:inventories ; owl:someValuesFrom d3f:Software ] ; d3f:d3fend-id "D3-SWI" ; d3f:definition "Software inventorying identifies and records the software items in the organization's architecture." ; d3f:inventories d3f:Software ; d3f:kb-article """## How it works Administrators collect information on software items in their architecture using a variety of administrative and management tools that query network nodes for information. In limited cases, where such queries are not supported or provide specific information of interest, an administrator may also collect this information through network enumeration methods to determine services responding on network nodes. ## Considerations * Scanning and probing techniques using mapping tools can result in side effects to information technology (IT) and operational technology (OT) systems. * An adversary conducting network enumeration may engage in activities that parallel normal software inventorying activities, but would require escalating to admin privileges for most of the operations requiting administrative tools. ## Examples Application-layer discovery: * Simple Network Management Protocol (SNMP) collects MIB information * Web-based Enterprise Management (WBEM) collects CIM information * Windows Management Instrumentation (WMI) * Windows Management Infrastructure (MI)""" ; d3f:kb-reference d3f:Reference-Web-BasedEnterpriseManagement, d3f:Reference-Windows-Management-Infrastructure, d3f:Reference-Windows-Management-Instrumentation ; d3f:synonym "Software Discovery", "Software Inventorying" . d3f:SoftwareLibrary a owl:Class, owl:NamedIndividual ; rdfs:label "Software Library" ; rdfs:subClassOf d3f:Software, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:SoftwareLibraryFile ] ; d3f:contains d3f:SoftwareLibraryFile ; d3f:definition "A software library is a collection of software components that are used to build a software product." ; rdfs:seeAlso . d3f:SoftwareLibraryFile a owl:Class, owl:NamedIndividual ; rdfs:label "Software Library File" ; rdfs:subClassOf d3f:File, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Subroutine ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:ExecutableBinary ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:ExecutableScript ] ; d3f:contains d3f:Subroutine ; d3f:definition "A software library is a collection of software components that are used to build a software product." ; d3f:may-contain d3f:ExecutableBinary, d3f:ExecutableScript ; rdfs:seeAlso . d3f:SoftwarePackage a owl:Class, owl:NamedIndividual ; rdfs:label "Software Package" ; rdfs:subClassOf d3f:DigitalInformationBearer ; d3f:definition "A Software Package is a bundled collection of files, code, and metadata that provides functionality, libraries, or applications." ; rdfs:seeAlso . d3f:SoftwarePackagingTool a owl:Class ; rdfs:label "Software Packaging Tool" ; rdfs:subClassOf d3f:BuildTool ; d3f:definition "A tool that automates the process of packaging either or both binary code and source code for use on one or more target platforms." ; rdfs:seeAlso , . d3f:SoftwarePatch a owl:Class ; rdfs:label "Software Patch" ; skos:altLabel "Patch" ; rdfs:subClassOf d3f:Software ; rdfs:isDefinedBy ; d3f:definition "A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes, and improving the usability or performance. Although meant to fix problems, poorly designed patches can sometimes introduce new problems (see software regressions). In some special cases updates may knowingly break the functionality, for instance, by removing components for which the update provider is no longer licensed or disabling a device." . d3f:SoftwareRepository a owl:Class, owl:NamedIndividual ; rdfs:label "Software Repository" ; skos:altLabel "Package Repository" ; rdfs:subClassOf d3f:Repository, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:SoftwarePackage ] ; rdfs:isDefinedBy ; d3f:contains d3f:SoftwarePackage ; d3f:definition "A software repository, or repo for short, is a storage location for software packages. Often a table of contents is also stored, along with metadata. A software repository is typically managed by source or version control, or repository managers. Package managers allow automatically installing and updating repositories, sometimes called 'packages'." . d3f:SoftwareTimer a owl:Class, owl:NamedIndividual ; rdfs:label "Software Timer" ; rdfs:subClassOf d3f:Timer, [ a owl:Restriction ; owl:onProperty d3f:implemented-by ; owl:someValuesFrom d3f:Software ] ; d3f:definition "A timer implemented in software, typically managed by the operating system or application code. Software timers rely on underlying hardware timers or clocks to measure intervals and trigger actions. They are used for scheduling tasks, implementing timeouts, and managing periodic operations within software environments." ; d3f:implemented-by d3f:Software ; rdfs:seeAlso . d3f:SoftwareTimerEvent a owl:Class ; rdfs:label "Software Timer Event" ; rdfs:subClassOf d3f:TimerEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:SoftwareTimer ] ; d3f:definition "A clock event involving a software-based timekeeping mechanism maintained by an operating system or application." . d3f:SoftwareUpdate a d3f:SoftwareUpdate, owl:Class, owl:NamedIndividual ; rdfs:label "Software Update" ; rdfs:subClassOf d3f:PlatformHardening, [ a owl:Restriction ; owl:onProperty d3f:updates ; owl:someValuesFrom d3f:Software ] ; d3f:d3fend-id "D3-SU" ; d3f:definition "Replacing old software on a computer system component." ; d3f:kb-reference d3f:Reference-MethodAndSystemForProvidingSoftwareUpdatesToLocalMachines ; d3f:updates d3f:Software . d3f:SoftwareWatchdogTimer a owl:Class ; rdfs:label "Software Watchdog Timer" ; rdfs:subClassOf d3f:RuntimeVariable, d3f:SoftwareTimer, d3f:WatchdogTimer ; d3f:definition "A software watchdog timer is a watchdog timer implemented in software." . d3f:SomersD a owl:Class, owl:NamedIndividual ; rdfs:label "Somers' D" ; rdfs:subClassOf d3f:RankCorrelationCoefficient ; d3f:d3fend-id "D3A-SD" . d3f:SoundexMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Soundex Matching" ; rdfs:subClassOf d3f:PartialMatching ; d3f:d3fend-id "D3A-SM" ; d3f:definition "Soundex is a phonetic algorithm for indexing names by sound, as pronounced in English." ; d3f:kb-article """## How it works The goal is for homophones to be encoded to the same representation so that they can be matched despite minor differences in spelling. The algorithm mainly encodes consonants; a vowel will not be encoded unless it is the first letter. Soundex is the most widely known of all phonetic algorithms (in part because it is a standard feature of popular database software. Improvements to Soundex are the basis for many modern phonetic algorithms. ## References 1. Soundex. (2023, April 19). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Soundex)""" . d3f:SourceCodeAnalyzerTool a owl:Class ; rdfs:label "Source Code Analyzer Tool" ; rdfs:subClassOf d3f:StaticAnalysisTool ; d3f:definition "A source code analyzer tool is a static analysis tool that operates specifically on source code, but not object code." ; rdfs:seeAlso . d3f:SourceCodeHardening a owl:Class, owl:NamedIndividual ; rdfs:label "Source Code Hardening" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Harden ] ; d3f:d3fend-id "D3-SCH" ; d3f:definition "Hardening source code with the intention of making it more difficult to exploit and less error prone." ; d3f:enables d3f:Harden . d3f:SourceCodeReference a owl:Class ; rdfs:label "Source Code Reference" ; rdfs:subClassOf d3f:TechniqueReference ; d3f:pref-label "Source Code" . d3f:Spacecraft a owl:Class ; rdfs:label "Spacecraft" ; rdfs:subClassOf d3f:Vehicle, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:OnboardComputer ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Receiver ], [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:Transmitter ], [ a owl:Restriction ; owl:onProperty d3f:has-operating-mode ; owl:someValuesFrom d3f:OperatingMode ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:BusNetwork ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:GNSSReceiver ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:HardwareCryptographicModule ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:Software-definedRadioComputer ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:TransducerSensor ] ; rdfs:isDefinedBy ; d3f:definition "A spacecraft is a vehicle that is designed to fly and operate in outer space. Spacecraft are used for a variety of purposes, including communications, Earth observation, meteorology, navigation, space colonization, planetary exploration, and transportation of humans and cargo." . d3f:SpacecraftSafeMode a owl:Class ; rdfs:label "Spacecraft Safe Mode" ; rdfs:subClassOf d3f:SafeMode ; rdfs:isDefinedBy ; d3f:definition "Safe mode is an operating mode of a modern uncrewed spacecraft during which all non-essential systems are shut down and only essential functions such as thermal management, radio reception and attitude control are active." . d3f:SPARTADefenseEvasionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Defense Evasion Technique - SPARTA" ; skos:prefLabel "Defense Evasion Technique" ; rdfs:subClassOf d3f:SPARTATechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:ST0006 ] ; d3f:enables d3f:ST0006 . d3f:SPARTAExecutionTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Execution Technique - SPARTA" ; skos:prefLabel "Execution Technique" ; rdfs:subClassOf d3f:SPARTATechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:ST0004 ] ; d3f:enables d3f:ST0004 . d3f:SPARTAExfiltrationTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Exfiltration Technique - SPARTA" ; skos:prefLabel "Exfiltration Technique" ; rdfs:subClassOf d3f:SPARTATechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:ST0008 ] ; d3f:enables d3f:ST0008 . d3f:SPARTAImpactTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Impact Technique - SPARTA" ; skos:prefLabel "Impact Technique" ; rdfs:subClassOf d3f:SPARTATechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:ST0009 ] ; d3f:enables d3f:ST0009 . d3f:SPARTAInitialAccessTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Initial Access Technique - SPARTA" ; skos:prefLabel "Initial Access Technique" ; rdfs:subClassOf d3f:SPARTATechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:ST0003 ] ; d3f:enables d3f:ST0003 . d3f:SPARTALateralMovementTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Lateral Movement Technique - SPARTA" ; skos:prefLabel "Lateral Movement Technique" ; rdfs:subClassOf d3f:SPARTATechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:ST0007 ] ; d3f:enables d3f:ST0007 . d3f:SPARTAPersistenceTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Persistence Technique - SPARTA" ; skos:prefLabel "Persistence Technique" ; rdfs:subClassOf d3f:SPARTATechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:ST0005 ] ; d3f:enables d3f:ST0005 . d3f:SPARTAReconnaissanceTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Reconnaissance Technique - SPARTA" ; skos:prefLabel "Reconnaissance Technique" ; rdfs:subClassOf d3f:SPARTATechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:ST0001 ] ; d3f:enables d3f:ST0001 . d3f:SPARTAResourceDevelopmentTechnique a owl:Class, owl:NamedIndividual ; rdfs:label "Resource Development Technique - SPARTA" ; skos:prefLabel "Resource Development Technique" ; rdfs:subClassOf d3f:SPARTATechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:ST0002 ] ; d3f:enables d3f:ST0002 . d3f:SPARTATactic a owl:Class ; rdfs:label "SPARTA Tactic" ; rdfs:subClassOf d3f:SPARTAThing ; d3f:definition "SPARTA Tactics represent the 'why' of a SPARTA technique. They denote the tactical goal of a threat actor and the reason for performing a technique." ; rdfs:seeAlso . d3f:SPARTATechnique a owl:Class ; rdfs:label "SPARTA Technique" ; rdfs:subClassOf d3f:SPARTAThing ; d3f:definition "SPARTA Techniques represent 'how' a threat actor achieves a tactical goal by performing a threat action." ; rdfs:seeAlso . d3f:SPARTAThing a owl:Class ; rdfs:label "SPARTA Thing" ; rdfs:subClassOf d3f:ExternalThreatModelThing . d3f:SpearmansRankCorrelationCoefficient a owl:Class, owl:NamedIndividual ; rdfs:label "Spearman's Rank Correlation Coefficient" ; rdfs:subClassOf d3f:RankCorrelationCoefficient ; d3f:d3fend-id "D3A-SRCC" ; d3f:synonym "Spearman's Rho" . d3f:SpecificationReference a owl:Class ; rdfs:label "Specification Reference" ; rdfs:subClassOf d3f:TechniqueReference ; d3f:pref-label "Specification" . d3f:SpectralClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Spectral Clustering" ; rdfs:subClassOf d3f:Graph-basedClustering ; d3f:d3fend-id "D3A-SC" ; d3f:definition "Spectral clustering is a technique that identifies communities of nodes in a graph based on the edges connecting them." ; d3f:kb-article """## References Towards Data Science. (n.d.). Spectral Clustering. [Link](https://towardsdatascience.com/spectral-clustering-aba2640c0d5b)""" . d3f:SSHConnectionCloseEvent a owl:Class ; rdfs:label "SSH Connection Close Event" ; rdfs:subClassOf d3f:NetworkConnectionCloseEvent, d3f:SSHEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:SSHConnectionOpenEvent ] ; d3f:definition "An event indicating the termination of an SSH connection, signaling the end of a secure session." . d3f:SSHConnectionFailEvent a owl:Class ; rdfs:label "SSH Connection Fail Event" ; rdfs:subClassOf d3f:NetworkConnectionFailEvent, d3f:SSHEvent ; d3f:definition "An event indicating a failure to establish an SSH connection, often due to issues such as authentication errors, network timeouts, or server unavailability." . d3f:SSHConnectionOpenEvent a owl:Class ; rdfs:label "SSH Connection Open Event" ; rdfs:subClassOf d3f:NetworkConnectionOpenEvent, d3f:SSHEvent ; d3f:definition "An event indicating the successful establishment of an SSH connection between a client and a server, marking the initiation of a secure session." . d3f:SSHConnectionRefuseEvent a owl:Class ; rdfs:label "SSH Connection Refuse Event" ; rdfs:subClassOf d3f:NetworkConnectionRefuseEvent, d3f:SSHEvent ; d3f:definition "An event indicating that an SSH connection attempt was refused, typically due to server-side restrictions or closed ports." . d3f:SSHConnectionResetEvent a owl:Class ; rdfs:label "SSH Connection Reset Event" ; rdfs:subClassOf d3f:NetworkConnectionResetEvent, d3f:SSHEvent, [ a owl:Restriction ; owl:onProperty d3f:preceded-by ; owl:someValuesFrom d3f:SSHConnectionOpenEvent ] ; d3f:definition "An event indicating the abrupt termination of an SSH connection due to protocol errors, network disruptions, or administrative actions." . d3f:SSHEvent a owl:Class ; rdfs:label "SSH Event" ; rdfs:subClassOf d3f:ApplicationLayerEvent, d3f:TCPEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:SSHSession ] ; d3f:definition "An event involving the Secure Shell (SSH) protocol, a cryptographic network protocol designed to provide secure remote login, command execution, and data transfer. SSH facilitates encrypted communication between clients and servers, ensuring confidentiality, integrity, and authenticity." ; rdfs:seeAlso . d3f:SSHListenEvent a owl:Class ; rdfs:label "SSH Listen Event" ; rdfs:subClassOf d3f:NetworkConnectionListenEvent, d3f:SSHEvent ; d3f:definition "An event indicating that an SSH server has started listening for incoming connection requests, enabling potential clients to initiate secure sessions." . d3f:SSHSession a owl:Class, owl:NamedIndividual ; rdfs:label "SSH Session" ; rdfs:subClassOf d3f:RemoteSession ; d3f:definition "A Secure Shell Protocol (SSH) session is a session over a secure channel established using SSH to connect a client to a server and establish the remote session." ; rdfs:seeAlso . d3f:ST0001 a d3f:SPARTATactic, owl:Class, owl:NamedIndividual ; rdfs:label "Reconnaissance - SPARTA" ; skos:prefLabel "Reconnaissance" ; rdfs:subClassOf d3f:OffensiveTactic, d3f:SPARTATactic ; d3f:definition "Threat actor is trying to gather information they can use to plan future operations." ; d3f:display-order 1 ; rdfs:seeAlso . d3f:ST0002 a d3f:SPARTATactic, owl:Class, owl:NamedIndividual ; rdfs:label "Resource Development - SPARTA" ; skos:prefLabel "Resource Development" ; rdfs:subClassOf d3f:OffensiveTactic, d3f:SPARTATactic ; d3f:definition "Threat actor is trying to establish resources they can use to support operations." ; d3f:display-order 2 ; rdfs:seeAlso . d3f:ST0003 a d3f:SPARTATactic, owl:Class, owl:NamedIndividual ; rdfs:label "Initial Access - SPARTA" ; skos:prefLabel "Initial Access" ; rdfs:subClassOf d3f:OffensiveTactic, d3f:SPARTATactic ; d3f:definition "Threat actor is trying to get point of presence/command execution on the spacecraft." ; d3f:display-order 3 ; rdfs:seeAlso . d3f:ST0004 a d3f:SPARTATactic, owl:Class, owl:NamedIndividual ; rdfs:label "Execution - SPARTA" ; skos:prefLabel "Execution" ; rdfs:subClassOf d3f:OffensiveTactic, d3f:SPARTATactic ; d3f:definition "Threat actor is trying to execute malicious code on the spacecraft." ; d3f:display-order 4 ; rdfs:seeAlso . d3f:ST0005 a d3f:SPARTATactic, owl:Class, owl:NamedIndividual ; rdfs:label "Persistence - SPARTA" ; skos:prefLabel "Persistence" ; rdfs:subClassOf d3f:OffensiveTactic, d3f:SPARTATactic ; d3f:definition "Threat actor is trying to maintain their foothold/access to command/execute code on the spacecraft." ; d3f:display-order 5 ; rdfs:seeAlso . d3f:ST0006 a d3f:SPARTATactic, owl:Class, owl:NamedIndividual ; rdfs:label "Defense Evasion - SPARTA" ; skos:prefLabel "Defense Evasion" ; rdfs:subClassOf d3f:OffensiveTactic, d3f:SPARTATactic ; d3f:definition "Threat actor is trying to avoid being detected." ; d3f:display-order 6 ; rdfs:seeAlso . d3f:ST0007 a d3f:SPARTATactic, owl:Class, owl:NamedIndividual ; rdfs:label "Lateral Movement - SPARTA" ; skos:prefLabel "Lateral Movement" ; rdfs:subClassOf d3f:OffensiveTactic, d3f:SPARTATactic ; d3f:definition "Threat actor is trying to move through across sub-systems of the spacecraft." ; d3f:display-order 7 ; rdfs:seeAlso . d3f:ST0008 a d3f:SPARTATactic, owl:Class, owl:NamedIndividual ; rdfs:label "Exfiltration - SPARTA" ; skos:prefLabel "Exfiltration" ; rdfs:subClassOf d3f:OffensiveTactic, d3f:SPARTATactic ; d3f:definition "Threat actor is trying to steal information." ; d3f:display-order 8 ; rdfs:seeAlso . d3f:ST0009 a d3f:SPARTATactic, owl:Class, owl:NamedIndividual ; rdfs:label "Impact - SPARTA" ; skos:prefLabel "Impact" ; rdfs:subClassOf d3f:OffensiveTactic, d3f:SPARTATactic ; d3f:definition "Threat actor is trying to manipulate, interrupt, or destroy the space system(s) and/or data." ; d3f:display-order 9 ; rdfs:seeAlso . d3f:StackComponent a owl:Class ; rdfs:label "Stack Component" ; rdfs:subClassOf d3f:DigitalInformationBearer ; d3f:definition "A stack component is any component of a call stack used for stack-based memory allocation in a running process. Examples include saved instruction pointers, stack frames, and stack frame canaries." ; rdfs:seeAlso . d3f:StackFrame a owl:Class, owl:NamedIndividual ; rdfs:label "Stack Frame" ; skos:altLabel "Activation Frame", "Activation Record" ; rdfs:subClassOf d3f:StackComponent, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:Pointer ], [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:StackFrameCanary ] ; rdfs:isDefinedBy ; d3f:definition "A machine-dependent and application-binary-dependent (ABI-dependent) data structure containing subroutine state information including the arguments passed into the routine, the return address back to the routine's caller, and space for local variables of the routine." ; d3f:may-contain d3f:Pointer, d3f:StackFrameCanary ; rdfs:seeAlso . d3f:StackFrameCanary a owl:Class, owl:NamedIndividual ; rdfs:label "Stack Frame Canary" ; skos:altLabel "Stack Canary" ; rdfs:subClassOf d3f:StackComponent ; rdfs:isDefinedBy ; d3f:definition "Stack canaries, named for their analogy to a canary in a coal mine, are used to detect a stack buffer overflow before execution of malicious code can occur. This method works by placing a small integer, the value of which is randomly chosen at program start, in memory just before the stack return pointer. Most buffer overflows overwrite memory from lower to higher memory addresses, so in order to overwrite the return pointer (and thus take control of the process) the canary value must also be overwritten. This value is checked to make sure it has not changed before a routine uses the return pointer on the stack. This technique can greatly increase the difficulty of exploiting a stack buffer overflow because it forces the attacker to gain control of the instruction pointer by some non-traditional means such as corrupting other important variables on the stack." . d3f:StackFrameCanaryValidation a d3f:StackFrameCanaryValidation, owl:Class, owl:NamedIndividual ; rdfs:label "Stack Frame Canary Validation" ; rdfs:subClassOf d3f:ApplicationHardening, [ a owl:Restriction ; owl:onProperty d3f:validates ; owl:someValuesFrom d3f:StackFrame ] ; d3f:d3fend-id "D3-SFCV" ; d3f:definition "Comparing a value stored in a stack frame with a known good value in order to prevent or detect a memory segment overwrite." ; d3f:kb-article """## How it works This defense must be applied at compile-time, or via a patch to the program binary. Stack Frame Canary Verification inserts instructions at the prologue and epilogue of desired functions. In the prologue, a canary value, typically with the same size as the register size, is stored in the system of record and on the stack. Typically, the canary is loaded to where it has a memory address just below that of the saved instruction pointer and base pointer. In the epilogue, the canary value stored on the stack and, is compared to the canary value in the system of record. If the values are different, other techniques such as those in Process Eviction might be invoked, such as Process Termination to end the current process, or Executable Blacklisting to blacklist the potentially vulnerable or malfunctioning executable. Stack Frame Canary Verification is commonly used to detect potential tampering of a saved register value on the stack before it has been restored. Examples of registers with values commonly saved to the stack include the instruction pointer and the base pointer. The canary should be stored between where the start of a buffer overrun is likely, and the data to protect, in cases where the buffer size increases it will overwrite the data to be protected. On most processor architectures, including x86, x64, and ARM, a "push" operation to store data to the stack grows the stack towards a lower memory address. As in these architectures, saved register values are stored to the stack at a point in time just before space is made for the local function variables, the saved register values have a higher address than that of the local function variables. Values at increasing indexes of a buffer are written to increasing memory addresses; therefore, an overwrite in the local variable buffer could overwrite saved register values, and a stack canary between these two would be useful in detecting an overwrite. On some other processor architectures such as the B5000, the stack grows towards increasing memory addresses, and some architectures, such as System Z and RCA1802A, stack direction can be chosen. If the stack grows towards increasing memory addresses, while this architecture inherently provides more protection against a saved register being overwritten, other data including local function variables might be overwritten. ## Considerations There are several ways that the protection provided by a canary could be rendered ineffective. ### Performing a malicious action before the canary is checked If the attacker alters the memory in such a way that it performs a malicious action before the epilogue is called, then this protection will not be effective. This includes altering the logic of the program by altering the values of local variables stored on the function stack, or by causing an exception and exploiting the exception mechanism such as the SEH (Structured Exception Handling) mechanism on Windows. ### Determining the canary value Determining the canary value is possible through reading memory either for the code used to check the canary, or from the stored canary value itself in a stack frame. ### Changing the canary value A vulnerability such as a write-what-where condition that allows one to write data after the canary in the stack, would allow control of the value of the saved instruction pointer without needing to know the canary value.""" ; d3f:kb-reference d3f:Reference-GS_BufferSecurityCheck_MicrosoftDocs, d3f:Reference-StackSmashingProtection_StackGuard_RedHat ; d3f:validates d3f:StackFrame . d3f:Stacking a owl:Class, owl:NamedIndividual ; rdfs:label "Stacking" ; rdfs:subClassOf d3f:EnsembleLearning ; d3f:d3fend-id "D3A-STA" ; d3f:definition "Stacking is a method of using the results and predictions from one layer of ML models as inputs to another layer of ML models. Stacking (sometimes called stacked generalization) involves training a model to combine the predictions of several other learning algorithms." ; d3f:kb-article """## References Ensemble learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Ensemble_learning).""" . d3f:StackSegment a owl:Class, owl:NamedIndividual ; rdfs:label "Stack Segment" ; rdfs:subClassOf d3f:ProcessSegment, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:StackFrame ] ; d3f:contains d3f:StackFrame ; d3f:definition "The stack segment contains the program stack, a last-in-first-out structure, typically allocated in the higher parts of memory for the process." ; rdfs:seeAlso , . d3f:StandaloneHoneynet a d3f:StandaloneHoneynet, owl:Class, owl:NamedIndividual ; rdfs:label "Standalone Honeynet" ; rdfs:subClassOf d3f:DecoyEnvironment, [ a owl:Restriction ; owl:onProperty d3f:spoofs ; owl:someValuesFrom d3f:IntranetNetwork ] ; d3f:d3fend-id "D3-SHN" ; d3f:definition "An environment created for the purpose of attracting attackers and eliciting their behaviors that is not connected to any production enterprise systems." ; d3f:kb-article """## How it works A standalone honeynet does not directly interact with the real enterprise environment. It may be located near or in some portion of the enterprise address space, but it does not interact with enterprise resources. ## Considerations A standalone honeynet is a lower risk to deploy compared to connected or integrated honeynets due to its isolation from the enterprise network. However, this comes at cost in loss of fidelity and realism. Significant extra effort must be made in order to make the environment look realistic.""" ; d3f:kb-reference d3f:Reference-DynamicSelectionAndGenerationOfAVirtualCloneForDetonationOfSuspiciousContentWithinAHoneyNetwork_PaloAltoNetworksInc ; d3f:spoofs d3f:IntranetNetwork . d3f:StandardDeviation a owl:Class, owl:NamedIndividual ; rdfs:label "Standard Deviation" ; rdfs:subClassOf d3f:Variability ; d3f:d3fend-id "D3A-SD" ; d3f:definition "The standard deviation is a measure of the amount of variation or dispersion of a set of values." ; d3f:kb-article """## References Wikipedia. (n.d.). Standard deviation. [Link](https://en.wikipedia.org/wiki/Standard_deviation)""" ; d3f:synonym "SD" . d3f:StartupDirectory a owl:Class ; rdfs:label "Startup Directory" ; rdfs:subClassOf d3f:Directory, d3f:LocalResource ; d3f:definition "A startup directory is a directory containing executable files or links to executable files which are run when a user logs in or when a system component or service is started." . d3f:StaticAnalysisTool a owl:Class ; rdfs:label "Static Analysis Tool" ; skos:altLabel "Static Program Analysis Tool" ; rdfs:subClassOf d3f:CodeAnalyzer ; rdfs:isDefinedBy ; d3f:definition "A static [program] analysis tool performs an automated analysis of computer software without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing. In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code." ; rdfs:seeAlso , . d3f:StatisticalMethod a owl:Class, owl:NamedIndividual ; rdfs:label "Statistical Method" ; rdfs:subClassOf d3f:AnalyticTechnique ; d3f:d3fend-id "D3A-SM" ; d3f:definition "Building methods using the mathematical study of the likelihood and probability of events occurring based on known information and inferred by taking a limited number of samples." ; d3f:kb-article """## References Wolfram MathWorld. (n.d.). Statistics. [Link](https://mathworld.wolfram.com/Statistics.html)""" . d3f:Step a owl:Class ; rdfs:label "Step" ; rdfs:subClassOf d3f:Plan, [ a owl:Restriction ; owl:onProperty d3f:end ; owl:someValuesFrom d3f:Step ], [ a owl:Restriction ; owl:onProperty d3f:fork ; owl:someValuesFrom d3f:Step ], [ a owl:Restriction ; owl:onProperty d3f:may-be-associated-with ; owl:someValuesFrom d3f:Artifact ], [ a owl:Restriction ; owl:onProperty d3f:next ; owl:someValuesFrom d3f:Step ] . d3f:Storage a owl:Class, owl:NamedIndividual ; rdfs:label "Storage" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:may-contain ; owl:someValuesFrom d3f:FileSystem ] ; rdfs:isDefinedBy ; d3f:definition "Computer data storage, often called storage or memory, is a technology consisting of computer components and recording media used to retain digital data. It is a core function and fundamental component of computers. In the Von Neumann architecture, the CPU consists of two main parts: The control unit and the arithmetic / logic unit (ALU). The former controls the flow of data between the CPU and memory, while the latter performs arithmetic and logical operations on data." ; d3f:may-contain d3f:FileSystem ; d3f:synonym "Computer data storage", "Memory" . d3f:StorageDeviceEvent a owl:Class ; rdfs:label "Storage Device Event" ; rdfs:subClassOf d3f:HardwareDeviceEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:SecondaryStorage ] ; d3f:definition "An event describing the activity, configuration, or errors of storage devices, including physical disks, SSDs, or logical partitions. These events often pertain to data availability, integrity, and storage health." . d3f:StorageImage a owl:Class ; rdfs:label "Storage Image" ; rdfs:subClassOf d3f:ComputingImage, d3f:File ; d3f:definition "A storage image is a complete, encapsulated representation of a storage medium or system environment. It contains all the data, files, and configurations necessary to replicate or deploy a specific system state or software setup." . d3f:StorageSnapshot a owl:Class ; rdfs:label "Storage Snapshot" ; rdfs:subClassOf d3f:ComputingSnapshot ; d3f:definition "A storage snapshot is a copy of a storage medium or system environment at a point in time." . d3f:StoredProcedure a owl:Class, owl:NamedIndividual ; rdfs:label "Stored Procedure" ; rdfs:subClassOf d3f:Subroutine ; rdfs:isDefinedBy ; d3f:definition "A stored procedure (also termed proc, storp, sproc, StoPro, StoredProc, StoreProc, sp, or SP) is a subroutine available to applications that access a relational database management system (RDBMS). Such procedures are stored in the database data dictionary." . d3f:StringEquivalenceMatching a owl:Class, owl:NamedIndividual ; rdfs:label "String Equivalence Matching" ; rdfs:subClassOf d3f:EquivalenceMatching, d3f:StringPatternMatching ; d3f:d3fend-id "D3A-SEM" ; d3f:definition "String equivalence matching is a type of string pattern matching which is exact; that is, the strings being compared must have the same value for each character in their sequence and be of the same length." ; d3f:kb-article """## References 1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm) 2. Types of Equality. (2007, March 2). In _WikiWikiWeb_. [Link](https://wiki.c2.com/?TypesOfEquality)""" . d3f:StringFormatFunction a owl:Class ; rdfs:label "String Format Function" ; rdfs:subClassOf d3f:Subroutine ; d3f:definition "A function which creates a new string based on a format specification and correspondingi specified values." . d3f:StringPatternMatching a owl:Class, owl:NamedIndividual ; rdfs:label "String Pattern Matching" ; rdfs:subClassOf d3f:PatternMatching ; d3f:d3fend-id "D3A-SPM" ; d3f:definition "String pattern-matching algorithms, also known as string-matching algorithms, are an important class of string algorithms that try to find a place where one or several strings (also called patterns) are found within a larger string or text" ; d3f:kb-article """## How it works A basic example of string searching is when the pattern and the searched text are arrays of elements of an alphabet (finite set) Σ. Σ may be a human language alphabet, for example, the letters A through Z and other applications may use a binary alphabet (Σ = {0,1}) or a DNA alphabet (Σ = {A,C,G,T}) in bioinformatics. In practice, the method of feasible string-search algorithm may be affected by the string encoding. In particular, if a variable-width encoding is in use, then it may be slower to find the Nth character, perhaps requiring time proportional to N. This may significantly slow some search algorithms. One of many possible solutions is to search for the sequence of code units instead, but doing so may produce false matches unless the encoding is specifically designed to avoid it. ## References 1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)""" . d3f:StrongPasswordPolicy a d3f:StrongPasswordPolicy, owl:Class, owl:NamedIndividual ; rdfs:label "Strong Password Policy" ; rdfs:subClassOf d3f:CredentialHardening, [ a owl:Restriction ; owl:onProperty d3f:strengthens ; owl:someValuesFrom d3f:Password ] ; d3f:d3fend-id "D3-SPP" ; d3f:definition "Modifying system configuration to increase password strength." ; d3f:kb-article """## How it works Password strength guidelines include increasing password length, permitting passwords that contain ASCII or Unicode characters, and requiring systems to screen new passwords against lists of commonly used or compromised passwords. ## Considerations Extremely complex password requirements may lead users to saving passwords in text files or picking obvious passwords that meet the policy.""" ; d3f:kb-reference d3f:Reference-DigitalIdentityGuidelines800-63-3, d3f:Reference-Testing_Metrics_for_Password_Creation_Policies_by_Attacking_Large_Sets_of_Revealed_Passwords ; d3f:strengthens d3f:Password . d3f:StyleGAN a owl:Class, owl:NamedIndividual ; rdfs:label "StyleGAN" ; rdfs:subClassOf d3f:ImageSynthesisGAN ; d3f:d3fend-id "D3A-STY" ; d3f:definition "Successor to the ProGAN." ; d3f:kb-article """## References Wikipedia. (n.d.). StyleGAN. [Link](https://en.wikipedia.org/wiki/StyleGAN)""" ; d3f:synonym "Style GAN" . d3f:Subroutine a owl:Class, owl:NamedIndividual ; rdfs:label "Subroutine" ; rdfs:subClassOf d3f:Software ; d3f:definition "In different programming languages, a subroutine may be called a procedure, a function, a routine, a method, or a subprogram. The generic term callable unit is sometimes used." ; d3f:synonym "Method", "Semantic Subroutine", "Software Function" ; rdfs:seeAlso . d3f:SubspaceClustering a owl:Class, owl:NamedIndividual ; rdfs:label "Subspace Clustering" ; rdfs:subClassOf d3f:CorrelationClustering ; d3f:d3fend-id "D3A-SC" ; d3f:definition "Subspace clustering is an extension of traditional clustering that seeks to find clusters in different subspaces within a dataset." ; d3f:kb-article """## References Parsons, L., Haque, E., & Liu, H. (2004). Subspace Clustering for High Dimensional Data: A Review. [Link](https://www.kdd.org/exploration_files/parsons.pdf)""" . d3f:SubstringMatching a owl:Class, owl:NamedIndividual ; rdfs:label "Substring Matching" ; rdfs:subClassOf d3f:PartialMatching ; d3f:d3fend-id "D3A-SM" ; d3f:definition "String-searching algorithms, sometimes called string-matching algorithms, are an important class of string algorithms that try to find a place where one or several strings (also called patterns) are found within a larger string or text." ; d3f:kb-article """## References 1. String-searching algorithm. (2023, April 8). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/String-searching_algorithm)""" . d3f:Summarizing a owl:Class ; rdfs:label "Summarizing" ; rdfs:subClassOf d3f:AnalyticalPurpose . d3f:SupervisedLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Supervised Learning" ; rdfs:subClassOf d3f:MachineLearning ; d3f:d3fend-id "D3A-SL" ; d3f:definition "Supervised learning establishes a relationship between the known input and output variables to conduct a predictive analysis." ; d3f:kb-article """## References Supervised learning. Wikipedia. [Link](https://en.wikipedia.org/wiki/Supervised_learning).""" . d3f:SupplyChainAttacker a owl:Class ; rdfs:label "Supply Chain Attacker" ; rdfs:subClassOf d3f:Attacker, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:Software ] ; d3f:definition "An attacker who exploits vulnerabilities in the supply chain to compromise systems or data." . d3f:SupportVectorMachineClassification a owl:Class, owl:NamedIndividual ; rdfs:label "Support Vector Machine Classification" ; rdfs:subClassOf d3f:Classification ; d3f:d3fend-id "D3A-SVMC" ; d3f:definition "Support Vector Machine (SVM) is a robust classification and regression technique that maximizes the predictive accuracy of a model without overfitting the training data. SVM is particularly suited to analyzing data with very large numbers (for example, thousands) of predictor fields." ; d3f:kb-article """## References About Support Vector Machine (SVM). IBM SPSS Modeler SaaS Documentation. [Link](https://www.ibm.com/docs/en/spss-modeler/saas?topic=models-about-svm&mhsrc=ibmsearch_a&mhq=support%20vector%20machine).""" . d3f:SuspendProcess a owl:Class, owl:NamedIndividual ; rdfs:label "Suspend Process" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:suspends ; owl:someValuesFrom d3f:Process ] ; d3f:suspends d3f:Process . d3f:SuspendThread a owl:Class, owl:NamedIndividual ; rdfs:label "Suspend Thread" ; rdfs:subClassOf d3f:SystemCall, [ a owl:Restriction ; owl:onProperty d3f:suspends ; owl:someValuesFrom d3f:Thread ] ; d3f:definition "Suspending a thread causes the thread to stop executing user-mode code." ; d3f:suspends d3f:Thread ; rdfs:seeAlso . d3f:Switch a owl:Class ; rdfs:label "Switch" ; skos:altLabel "Bridging Hub", "MAC Bridge", "Network Switch", "Switching Hub" ; rdfs:subClassOf d3f:ComputerNetworkNode ; rdfs:isDefinedBy ; d3f:definition "A network switch (also called switching hub, bridging hub, and by the IEEE MAC bridge) is networking hardware that connects devices on a computer network by using packet switching to receive and forward data to the destination device. A network switch is a multiport network bridge that uses MAC addresses to forward data at the data link layer (layer 2) of the OSI model. Some switches can also forward data at the network layer (layer 3) by additionally incorporating routing functionality. Such switches are commonly known as layer-3 switches or multilayer switches." . d3f:SymbolicAI a owl:Class, owl:NamedIndividual ; rdfs:label "Symbolic AI" ; rdfs:subClassOf d3f:SymbolicLogic ; d3f:d3fend-id "D3A-SR" ; d3f:definition "Symbolic artificial intelligence is the term for the collection of all methods in artificial intelligence that are based on high-level symbolic (human-readable) representations of problems, logic, and search." ; d3f:kb-article """## How it works Symbolic artificial intelligence is used in tools such as logic programming, production rules, semantic nets and frames, and it developed applications such as knowledge-based systems (in particular, expert systems), symbolic mathematics, automated theorem provers, ontologies, the semantic web, and automated planning and scheduling systems. The Symbolic AI paradigm led to seminal ideas in search, symbolic programming languages, agents, multi-agent systems, the semantic web, and the strengths and limitations of formal knowledge and reasoning systems. ## References 1. Symbolic artifical intelligence. (2023, May 23). In _Wikipedia_. [Link](https://en.wikipedia.org/wiki/Symbolic_artificial_intelligence)""" ; d3f:synonym "Symbolic Artificial Intelligence" . d3f:SymbolicLink a owl:Class, owl:NamedIndividual ; rdfs:label "Symbolic Link" ; skos:altLabel "Soft Link", "Softlink", "Symlink" ; rdfs:subClassOf d3f:File, d3f:FileSystemLink, [ a owl:Restriction ; owl:onProperty d3f:addresses ; owl:someValuesFrom d3f:File ] ; rdfs:isDefinedBy ; d3f:addresses d3f:File ; d3f:definition "A symbolic link (also symlink or soft link) is a term for any file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution." . d3f:SymbolicLogic a owl:Class, owl:NamedIndividual ; rdfs:label "Symbolic Logic" ; rdfs:subClassOf d3f:AnalyticTechnique ; d3f:d3fend-id "D3A-SL" ; d3f:definition "Symbolic Logic, also known as formal logic, is a branch of mathematics that uses symbolic representations for logical expressions and relationships. It provides a systematic method for examining the structure of arguments and reasoning, focusing on the relationships between propositions rather than the content of those propositions." ; d3f:kb-article """## How it Works ## References 1. Symbolic Logic. (2023, June 6). In _Wolfram Mathworld_. [Link](https://mathworld.wolfram.com/SymbolicLogic.html) 2. Hughes, G. and Schagrin, M. (2023, Apr 19). Formal Logic. _Encyclopedia Brittanica_. [Link](https://www.britannica.com/topic/formal-logic) 3. Carnap, R. (1953). Introduction to Symbolic Logic and Its Applications. Dover Publications. [Link](https://archive.org/details/rudolf-carnap-introduction-to-symbolic-logic-and-its-applications/page/3/mode/2up)""" . d3f:SymmetricFeature-basedTransferLearning a owl:Class, owl:NamedIndividual ; rdfs:label "Symmetric Feature-based Transfer Learning" ; rdfs:subClassOf d3f:HomogenousTransferLearning ; d3f:d3fend-id "D3A-SFTL" ; d3f:definition "Homogeneous symmetric transformation takes both the source feature space Xs and target feature space Xt and learns feature transformations as to project each onto a common subspace Xc for adaptation purposes. This derived subspace becomes a domain-invariant feature subspace to associate cross-domain data, and in effect, reduces marginal distribution differences." ; d3f:kb-article """## References Day, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learning. *Journal of Big Data, 4*(1), 29. [Link](https://doi.org/10.1186/s40537-017-0089-0).""" . d3f:SymmetricKey a owl:Class ; rdfs:label "Symmetric Key" ; rdfs:subClassOf d3f:CryptographicKey ; d3f:definition "A symmetric key is a single key used for both encryption and decryption and used with a symmetric-key algorithm. Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption, in comparison to public-key encrytption (also known as asymmetric key encryption)." ; rdfs:seeAlso . d3f:System a owl:Class ; rdfs:label "System" ; rdfs:subClassOf d3f:Artifact ; rdfs:isDefinedBy ; d3f:definition "An artifact (instrumentality) that combines interrelated interacting artifacts designed to work as a coherent entity. [Note that not all digital artifacts are systems nor are all systems digital artifacts.]" . d3f:SystemApplicationCycleCount a owl:Class, owl:NamedIndividual ; rdfs:label "System Application Cycle Count" ; rdfs:subClassOf d3f:SystemPlatformVariable ; rdfs:comment "In most controllers this is not a default tag rather something that should be programmed." ; d3f:definition "A system variable that tracks the number of times the controller has completed its main program loop (scan cycle) since startup or last reset." ; d3f:synonym "Controller Cycle Count" . d3f:SystemCall a owl:Class, owl:NamedIndividual ; rdfs:label "System Call" ; rdfs:subClassOf d3f:DigitalInformationBearer, [ a owl:Restriction ; owl:onProperty d3f:executes ; owl:someValuesFrom d3f:Subroutine ] ; rdfs:isDefinedBy ; d3f:definition "A system call is the programmatic way in which a computer program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system." ; d3f:executes d3f:Subroutine ; d3f:synonym "syscall" . d3f:SystemCallAnalysis a d3f:SystemCallAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "System Call Analysis" ; rdfs:subClassOf d3f:ProcessAnalysis, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:SystemCall ] ; d3f:analyzes d3f:SystemCall ; d3f:d3fend-id "D3-SCA" ; d3f:definition "Analyzing system calls to determine whether a process is exhibiting unauthorized behavior." ; d3f:kb-article """## How it works System calls are APIs between a user application and the operating system [1]. By analyzing a process's use of these APIs, it is, in some cases, possible to ascertain whether a program is exhibiting unauthorized behavior, including trying to escalate its privileges. ### Gathering System Calls A common method to capture system calls is to use kernel APIs to hook [2] a process's system call invocations. The Linux system call `ptrace` tracks other system calls in a process and allows their alteration; this is made use of by GDB. `strace` utilizes `ptrace` and will print to stdout each system call invoked. Other applications record this data in local or remote databases. The log entry for each system call, which may reference additional information such as the date and time, and the process tree for the process which made the system call, is relayed, in real time or post-facto, to an analysis module which consults a catalog or model to determine whether the distribution matches a known-good or known-bad pattern. ### Analysis System calls are analyzed with a variety of methods. Some analytics look for specific sequences of instructions, others may apply statistical methods to identify abnormal behavior. Sequences of instructions can be abstracted into conceptually higher order user activities, for example: * An attacker executes many system calls in a short period of time, with several sequences which could be used to escalate privileges. * Getting the contents from a URL, writing to a new file, and then executing the same file. * A ransomware program which either uses a loop or creates many threads to: read a specified file, encrypt its contents, create an output file with a similar name to the original file, and delete the unencrypted original. ## Considerations * Duplicative or extraneous system calls may be added to malware to defeat analytics. * Malware could replace API hooking instructions to allow system calls to be made without being monitored. * A model built from a training set of system calls and related data may not be updated fast enough to detect new threats. [1] [Syscalls](http://man7.org/linux/man-pages/man2/syscalls.2.html) [2] [Hooking](http://dbpedia.org/resource/Hooking)""" ; d3f:kb-reference d3f:Reference-CAR-2020-05-001%3AMiniDumpOfLSASS_MITRE, d3f:Reference-CAR-2021-05-011%3ACreateRemoteThreadIntoLSASS_MITRE, d3f:Reference-CredentialDumpingViaWindowsTaskManager_MITRE, d3f:Reference-DeterministicMethodForDetectingAndBlockingOfExploitsOnInterpretedCode_K2CyberSecurityInc, d3f:Reference-DLLInjectionViaLoadLibrary_MITRE, d3f:Reference-Hardware-assistedSystemAndMethodForDetectingAndAnalyzingSystemCallsMadeToAnOpertingSystemKernel_EndgameInc, d3f:Reference-MalwareDetectionInEventLoops_CrowdstrikeInc, d3f:Reference-PostSandboxMethodsAndSystemsForDetectingAndBlockingZero-dayExploitsViaApiCallValidation_K2CyberSecurityInc . d3f:SystemCallEvent a owl:Class ; rdfs:label "System Call Event" ; rdfs:subClassOf d3f:KernelEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:SystemCall ] ; d3f:definition "An event where a user-space process requests a service or resource from the operating system kernel through a system call interface, enabling controlled interactions with hardware or kernel-level operations." . d3f:SystemCallFiltering a d3f:SystemCallFiltering, owl:Class, owl:NamedIndividual ; rdfs:label "System Call Filtering" ; skos:altLabel "Mandatory Access Control", "System Call Mediation" ; rdfs:subClassOf d3f:AccessMediation, [ a owl:Restriction ; owl:onProperty d3f:filters ; owl:someValuesFrom d3f:SystemCall ], [ a owl:Restriction ; owl:onProperty d3f:isolates ; owl:someValuesFrom d3f:Process ] ; d3f:d3fend-id "D3-SCF" ; d3f:definition "Controlling access to local computer system resources with kernel-level capabilities." ; d3f:filters d3f:SystemCall ; d3f:isolates d3f:Process ; d3f:kb-article """## How it works System call filtering uses a mandatory access control paradigm (that is, a non-discretionary access control) system because the rules and polices that determine access is determined by a security control authority and not distributed to local users. Access determinations are based on designed access control polices and are not based on local resource owner determinations. Access is typically granted by defining sets of subjects and sets of objects. Subjects are the entities requesting access and objects are the resources that subjects are trying to access. Rules and policies are defined that associate subjects and object permissions and access controls. ### Common implementations #### Security label access control A fine-grained form control is to apply security labels to individual resources, including processes, and the access control decisions are against a particular resource and a given user attempting to gain access. This type of control requires that the file system has built-in support for security labels. Access controls are typically implemented through the use of label identifiers for every file system object. Identifier labels are applied to resources and users are assigned a similar access identifier. Users attempting to access a resource will result in the operating system performing an access control check. The access control check will compare the assigned user's credentials to that of the resource or object they are attempting to access. A security context is associated with resources and is used to determine assess. Typical basic access control elements include users, roles and types and together they form a security context which is the basis for the security labels. This type of access control is what is employed in SELinux [2]. This form of security kernel access control is considered the most flexible implementation, but it also is the most complex to deploy across the enterprise. Where multiple virtual machines (VM) are run together this type of access control is typically employed to ensure true isolation of processes and VMs. #### File path level controls A less fine-grained form of mandatory access control is to apply security labels that allow for access control at the file path level. Access control is filesystem agnostic and no relabeling of resources is required. Pathname access control usually seems more natural for implementation and corresponding access audits. This type of system call filtering is what is employed in AppArmor [3]. AppArmor was developed to provide a simpler alternative method with much less management overhead. A simple access policy is maintained that defines path resource access rules. Access control attributes are typically associated with programs instead of users. ## Considerations Some implementations of security label-based control contain complex rules set that are hard to verify and complex to maintain over time. Initial planning of access model and continuous monitoring of the available users, resources and object is necessary. ## Implementations * Linux C-Groups, and policy engines like SELinux and AppArmor * Windows Mandatory Integrity Control introduced in Windows Vista ### Citations 1. [SELinux](https://selinuxproject.org/) 2. [AppArmor](https://www.apparmor.net/)""" ; d3f:kb-reference d3f:Reference-AnalysisOfTheWindowsVistaSecurityModel_SymantecCorporation, d3f:Reference-ArchitectureOfTransparentNetworkSecurityForApplicationContainers_NeuvectorInc, d3f:Reference-OverviewOfTheSeccompSandbox ; d3f:synonym "System Call Control" . d3f:SystemClockUpdateEvent a owl:Class ; rdfs:label "System Clock Update Event" ; rdfs:subClassOf d3f:SoftwareClockEvent, [ a owl:Restriction ; owl:onProperty d3f:has-participant ; owl:someValuesFrom d3f:OperatingSystemClock ] ; d3f:definition "An event in which the operating system's primary timekeeping value is modified or synchronized." . d3f:SystemConfigSystemCall a owl:Class ; rdfs:label "System Config System Call" ; rdfs:subClassOf d3f:SystemCall . d3f:SystemConfigurationDatabase a owl:Class, owl:NamedIndividual ; rdfs:label "System Configuration Database" ; rdfs:subClassOf d3f:Database ; d3f:definition "A database used to hold system configuration data." . d3f:SystemConfigurationDatabaseRecord a owl:Class, owl:NamedIndividual ; rdfs:label "System Configuration Database Record" ; rdfs:subClassOf d3f:ConfigurationDatabaseRecord, d3f:OperatingSystemConfigurationComponent ; d3f:definition "A database record holding information used to configure the services, parameters, and initial settings for an operating system." . d3f:SystemConfigurationInitDatabaseRecord a owl:Class, owl:NamedIndividual ; rdfs:label "System Configuration Init Database Record" ; skos:altLabel "System Configuration Startup Database Record" ; rdfs:subClassOf d3f:SystemConfigurationDatabaseRecord, d3f:SystemConfigurationInitResource, d3f:SystemInitConfiguration ; d3f:definition "A database record holding information used to configure the services, parameters, and initial settings for an operating system at startup." . d3f:SystemConfigurationInitResource a owl:Class ; rdfs:label "System Configuration Init Resource" ; skos:altLabel "System Init Resource" ; rdfs:subClassOf d3f:LocalResource ; d3f:definition "A system configuration initialization resource has information for initializing (booting) a system." . d3f:SystemConfigurationPermissions a d3f:SystemConfigurationPermissions, owl:Class, owl:NamedIndividual ; rdfs:label "System Configuration Permissions" ; rdfs:subClassOf d3f:PlatformHardening, [ a owl:Restriction ; owl:onProperty d3f:restricts ; owl:someValuesFrom d3f:SystemConfigurationDatabase ] ; d3f:d3fend-id "D3-SCP" ; d3f:definition "Restricting system configuration modifications to a specific user or group of users." ; d3f:kb-reference d3f:Reference-HowToChangeRegistryValuesOrPermissionsFromACommandLineOrAScript ; d3f:restricts d3f:SystemConfigurationDatabase . d3f:SystemDaemonMonitoring a d3f:SystemDaemonMonitoring, owl:Class, owl:NamedIndividual ; rdfs:label "System Daemon Monitoring" ; rdfs:subClassOf d3f:OperatingSystemMonitoring, [ a owl:Restriction ; owl:onProperty d3f:monitors ; owl:someValuesFrom d3f:OperatingSystemProcess ] ; d3f:d3fend-id "D3-SDM" ; d3f:definition "Tracking changes to the state or configuration of critical system level processes." ; d3f:kb-article """## How it works Attackers may manipulate system settings or services to disable system logging or monitoring of security tools and events. Firewall and antivirus services are popular targets for attackers. Disabling system logs will also allow an attacker's actions to go unnoticed. Analysis of logs, registries, and process monitoring help defenders locate signs of tampering. Two possible approaches are to monitor hardened system services or to monitor registry updates for modifications to security settings.""" ; d3f:kb-reference d3f:Reference-HostIntrusionPreventionSystemUsingSoftwareAndUserBehaviorAnalysis_SophosLtd, d3f:Reference-MethodUsingKernelModeAssistanceForTheDetectionAndRemovalOfThreatsWhichAreActivelyPreventingDetectionAndRemovalFromARunningSystem_SymantecCorporation, d3f:Reference-UserActivityFromStoppingWindowsDefensiveServices_MITRE ; d3f:monitors d3f:OperatingSystemProcess . d3f:SystemDependency a owl:Class, owl:NamedIndividual ; rdfs:label "System Dependency" ; rdfs:subClassOf d3f:Dependency ; d3f:definition "A system dependency indicates a system has an activity, agent, or another system which relies on it in order to be functional." ; rdfs:seeAlso , , . d3f:SystemDependencyMapping a d3f:SystemDependencyMapping, owl:Class, owl:NamedIndividual ; rdfs:label "System Dependency Mapping" ; rdfs:subClassOf d3f:SystemMapping, [ a owl:Restriction ; owl:onProperty d3f:maps ; owl:someValuesFrom d3f:SystemDependency ] ; d3f:d3fend-id "D3-SYSDM" ; d3f:definition "System dependency mapping identifies and models the dependencies of system components on each other to carry out their function." ; d3f:kb-article """## How it works The organization collects and models architectural information about the software, hardware, and products and maps the dependencies between systems, including each system's internal components and dependencies. ## Considerations * Data exchanges identified in the network mapping efforts usually indicate such dependencies, but may not be part of the intended design. * Architectural design artifacts and SMEs may need to be consulted to determine if dependencies are intended or otherwise essential. * System depedency mapping can identify internal dependencies of standard and pre-built systems that should be incorporated into a complete system dependency model. * System dependencies for critical systems--those supporting critical organizational activities--should be prioritized for supply chain risk analysis. * System dependencies should identify the integral components of a given named system and their structure to form a system. * System dependencies with a given system may be fixed by a particular product's configuration, and leveraging external knowledge bases about dependencies available (e.g., from package managers) is essential.""" ; d3f:kb-reference d3f:Reference-CatiaUAFPlugin, d3f:Reference-SoftwareVulnerabilityGraphDatabase, d3f:Reference-TivoliApplicationDependencyDiscoverManager7_3_0DependenciesBetweenResources, d3f:Reference-UnifiedArchitectureFrameworkUAF ; d3f:maps d3f:SystemDependency . d3f:SystemFileAnalysis a d3f:SystemFileAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "System File Analysis" ; rdfs:subClassOf d3f:OperatingSystemMonitoring, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:OperatingSystemFile ] ; d3f:analyzes d3f:OperatingSystemFile ; d3f:d3fend-id "D3-SFA" ; d3f:definition "Monitoring system files such as authentication databases, configuration files, system logs, and system executables for modification or tampering." ; d3f:kb-article """## How it works This technique ensures the integrity of system owned file resources. System files can impact the behavior below the user level. ## Considerations * Need to manage the size of log file analysis. * False positives are a concern with this technique and filtering will need to be given additional thought. * A baseline or snapshot of file checksums should be established for future comparison.""" ; d3f:kb-reference d3f:Reference-AccessPermissionModification_MITRE, d3f:Reference-AutorunDifferences_MITRE, d3f:Reference-UserActivityFromClearingEventLogs_MITRE . d3f:SystemFirewallConfiguration a owl:Class, owl:NamedIndividual ; rdfs:label "System Firewall Configuration" ; rdfs:subClassOf d3f:OperatingSystemConfigurationComponent, [ a owl:Restriction ; owl:onProperty d3f:configures ; owl:someValuesFrom d3f:Host-basedFirewall ] ; d3f:configures d3f:Host-basedFirewall ; d3f:definition "The configuration for a individual host operating system's firewall." ; rdfs:seeAlso . d3f:SystemFirmware a owl:Class, owl:NamedIndividual ; rdfs:label "System Firmware" ; skos:altLabel "BIOS Firmware", "UEFI Firmware" ; rdfs:subClassOf d3f:Firmware ; d3f:definition "Firmware that is installed on a computer's main board which manages the initial boot process. It can also continue to run or function after the operating system boots." . d3f:SystemFirmwareVerification a d3f:SystemFirmwareVerification, owl:Class, owl:NamedIndividual ; rdfs:label "System Firmware Verification" ; rdfs:subClassOf d3f:FirmwareVerification, [ a owl:Restriction ; owl:onProperty d3f:verifies ; owl:someValuesFrom d3f:SystemFirmware ] ; d3f:d3fend-id "D3-SFV" ; d3f:definition "Cryptographically verifying installed system firmware integrity." ; d3f:kb-article """## How it works Cryptographic hash values are computed for system firmware. The hash values are compared against precomputed firmware hash values to determine if the firmware has been tampered with. When system firmware verification fails a set of predefined responses is typically invoked. The responses may direct the system to disable some devices or operations. ## Considerations * Requires the use of system provided security modules * Secure hash values will need to be computed for firmware""" ; d3f:kb-reference d3f:Reference-FirmwareVerificationEclypsium, d3f:Reference-PlatformFirmwareResiliencyGuidelines_NIST ; d3f:verifies d3f:SystemFirmware . d3f:SystemInitConfigAnalysis a d3f:SystemInitConfigAnalysis, owl:Class, owl:NamedIndividual ; rdfs:label "System Init Config Analysis" ; skos:altLabel "System Initialization Configuration Analysis" ; rdfs:subClassOf d3f:OperatingSystemMonitoring, [ a owl:Restriction ; owl:onProperty d3f:analyzes ; owl:someValuesFrom d3f:SystemInitConfiguration ] ; d3f:analyzes d3f:SystemInitConfiguration ; d3f:d3fend-id "D3-SICA" ; d3f:definition "Analysis of any system process startup configuration." ; d3f:kb-reference d3f:Reference-AutorunDifferences_MITRE, d3f:Reference-CAR-2020-09-005%3AAppInitDLLs_MITRE, d3f:Reference-CAR-2020-11-001%3ABootOrLogonInitializationScripts_MITRE ; d3f:synonym "Autorun Analysis", "Startup Analysis" . d3f:SystemInitConfiguration a owl:Class, owl:NamedIndividual ; rdfs:label "System Init Configuration" ; skos:altLabel "Autoruns" ; rdfs:subClassOf d3f:OperatingSystemConfigurationComponent ; d3f:definition "System initialization configuration information is configuration information used to configure the services, parameters, and initial settings for an operating system at startup." . d3f:SystemInitProcess a owl:Class ; rdfs:label "System Init Process" ; skos:altLabel "System Initialization Process", "System Startup Process" ; rdfs:subClassOf d3f:OperatingSystemProcess ; d3f:definition "A system initialization process is a process that executes to initialize (boot) an operating system." ; rdfs:seeAlso , , . d3f:SystemInitScript a owl:Class, owl:NamedIndividual ; rdfs:label "System Init Script" ; rdfs:subClassOf d3f:ExecutableScript, d3f:SystemConfigurationInitResource, d3f:SystemInitConfiguration ; d3f:definition "A script used to initialize and configure elements of the system's environment, applications, services, or its operating system." . d3f:SystemMapping a d3f:SystemMapping, owl:Class, owl:NamedIndividual ; rdfs:label "System Mapping" ; rdfs:subClassOf d3f:DefensiveTechnique, [ a owl:Restriction ; owl:onProperty d3f:enables ; owl:someValuesFrom d3f:Model ] ; d3f:d3fend-id "D3-SYSM" ; d3f:definition "System mapping encompasses the techniques to identify the organization's systems, how they are configured and decomposed into subsystems and components, how they are dependent on one another, and where they are physically located." ; d3f:display-order 2 ; d3f:enables d3f:Model . d3f:SystemPasswordDatabase a owl:Class, owl:NamedIndividual ; rdfs:label "System Password Database" ; rdfs:subClassOf d3f:PasswordDatabase ; d3f:definition "A password database used by a system service or process to authenticate users (e.g., Security Account Manager)" . d3f:SystemPlatformVariable a owl:Class, owl:NamedIndividual ; rdfs:label "System Platform Variable" ; rdfs:subClassOf d3f:RuntimeVariable ; d3f:definition "Runtime variables which may consist of memory usage, internal temperature, operating mode, clock time, scan time, hardware status, etc." ; d3f:synonym "Configuration Resource", "System Data", "System Properties", "System Variable" ; rdfs:seeAlso , . d3f:SystemServiceSoftware a owl:Class, owl:NamedIndividual ; rdfs:label "System Service Software" ; rdfs:subClassOf d3f:Software, [ a owl:Restriction ; owl:onProperty d3f:contains ; owl:someValuesFrom d3f:OperatingSystemFile ] ; d3f:contains d3f:OperatingSystemFile ; d3f:definition "Software services provided as part of the operating system, typically accessed through system calls." ; rdfs:seeAlso . d3f:SystemSoftware a owl:Class ; rdfs:label "System Software" ; rdfs:subClassOf d3f:Software ; d3f:definition "Computer software which enables operating system or platform functionality." . d3f:SystemStartupDirectory a owl:Class, owl:NamedIndividual ; rdfs:label "System Startup Directory" ; rdfs:subClassOf d3f:Directory, d3f:SystemConfigurationInitResource, d3f:SystemInitConfiguration ; d3f:definition "A system startup directory is a directory containing executable files or links to executable files which are run when the system starts." . d3f:SystemStateImage a owl:Class, owl:NamedIndividual ; rdfs:label "System State Image" ; skos:altLabel "System Image" ; rdfs:subClassOf d3f:StorageImage ; rdfs:isDefinedBy ; d3f:definition "In computing, a system image is a serialized copy of the entire state of a computer system stored in some non-volatile form, such as a binary executable file." ; rdfs:seeAlso . d3f:SystemTime a owl:Class, owl:NamedIndividual ; rdfs:label "System Time" ; rdfs:subClassOf d3f:SystemPlatformVariable, [ a owl:Restriction ; owl:onProperty d3f:carries ; owl:someValuesFrom d3f:TimeInstant ], [ a owl:Restriction ; owl:onProperty d3f:derived-from ; owl:someValuesFrom d3f:OperatingSystemClock ] ; rdfs:isDefinedBy ; d3f:carries d3f:TimeInstant ; d3f:definition "In computing, system time represents a computer system's notion of a point in time." ; d3f:derived-from d3f:OperatingSystemClock . d3f:SystemTimeApplication a owl:Class, owl:NamedIndividual ; rdfs:label "System Time Application" ; rdfs:subClassOf d3f:UtilitySoftware, [ a owl:Restriction ; owl:onProperty d3f:reads ; owl:someValuesFrom d3f:SystemTime ] ; d3f:definition "A system time utility is utility software that can get the system time, such as the Unix date command or Windows' Net utility." ; d3f:reads d3f:SystemTime . d3f:SystemUtilizationRecord a owl:Class ; rdfs:label "System Utilization Record" ; rdfs:subClassOf d3f:Record ; d3f:definition "A system utilization record is a record for the tracking of resource utilization e.g. CPU, Disk, Network, Memory Bandwidth, GPU, or other resources for a given time period." . d3f:SystemVulnerabilityAssessment a d3f:SystemVulnerabilityAssessment, owl:Class, owl:NamedIndividual ; rdfs:label "System Vulnerability Assessment" ; rdfs:subClassOf d3f:SystemMapping, [ a owl:Restriction ; owl:onProperty d3f:evaluates ; owl:someValuesFrom d3f:DigitalSystem ], [ a owl:Restriction ; owl:onProperty d3f:identifies ; owl:someValuesFrom d3f:Vulnerability ] ; d3f:d3fend-id "D3-SYSVA" ; d3f:definition "System vulnerability assessment relates all the vulnerabilities of a system's components in the context of their configuration and internal dependencies and can also include assessing risk emerging from the system's design as a whole, not just the sum of individual component vulnerabilities." ; d3f:evaluates d3f:DigitalSystem ; d3f:identifies d3f:Vulnerability ; d3f:kb-reference d3f:Reference-SoftwareVulnerabilityGraphDatabase . d3f:T0800 a owl:Class ; rdfs:label "Activate Firmware Update Mode - ATTACK ICS" ; skos:prefLabel "Activate Firmware Update Mode" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0800" ; d3f:definition "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities." . d3f:T0801 a owl:Class ; rdfs:label "Monitor Process State - ATTACK ICS" ; skos:prefLabel "Monitor Process State" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; d3f:attack-id "T0801" ; d3f:definition "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic." . d3f:T0802 a owl:Class ; rdfs:label "Automated Collection - ATTACK ICS" ; skos:prefLabel "Automated Collection" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; d3f:attack-id "T0802" ; d3f:definition "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices." . d3f:T0803 a owl:Class ; rdfs:label "Block Command Message - ATTACK ICS" ; skos:prefLabel "Block Command Message" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0803" ; d3f:definition "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)" . d3f:T0804 a owl:Class ; rdfs:label "Block Reporting Message - ATTACK ICS" ; skos:prefLabel "Block Reporting Message" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0804" ; d3f:definition "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator." . d3f:T0805 a owl:Class ; rdfs:label "Block Serial COM - ATTACK ICS" ; skos:prefLabel "Block Serial COM" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0805" ; d3f:definition "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages." . d3f:T0806 a owl:Class ; rdfs:label "Brute Force I/O - ATTACK ICS" ; skos:prefLabel "Brute Force I/O" ; rdfs:subClassOf d3f:ATTACKICSImpairProcessControlTechnique ; d3f:attack-id "T0806" ; d3f:definition "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point." . d3f:T0807 a owl:Class ; rdfs:label "Command-Line Interface - ATTACK ICS" ; skos:prefLabel "Command-Line Interface" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; d3f:attack-id "T0807" ; d3f:definition "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation." . d3f:T0808 a owl:Class ; owl:deprecated true ; rdfs:label "Control Device Identification - ATTACK ICS" ; skos:prefLabel "Control Device Identification" ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0808" ; d3f:definition "Adversaries may perform control device identification to determine the make and model of a target device. Management software and device APIs may be utilized by the adversary to gain this information. By identifying and obtaining device specifics, the adversary may be able to determine device vulnerabilities. This device information can also be used to understand device functionality and inform the decision to target the environment." . d3f:T0809 a owl:Class ; rdfs:label "Data Destruction - ATTACK ICS" ; skos:prefLabel "Data Destruction" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0809" ; d3f:definition "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)" . d3f:T0810 a owl:Class ; owl:deprecated true ; rdfs:label "Data Historian Compromise - ATTACK ICS" ; skos:prefLabel "Data Historian Compromise" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0810" ; d3f:definition "Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment." . d3f:T0811 a owl:Class ; rdfs:label "Data from Information Repositories - ATTACK ICS" ; skos:prefLabel "Data from Information Repositories" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; d3f:attack-id "T0811" ; d3f:definition "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)" . d3f:T0812 a owl:Class ; rdfs:label "Default Credentials - ATTACK ICS" ; skos:prefLabel "Default Credentials" ; rdfs:subClassOf d3f:ATTACKICSLateralMovementTechnique ; d3f:attack-id "T0812" ; d3f:definition "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)" . d3f:T0813 a owl:Class ; rdfs:label "Denial of Control - ATTACK ICS" ; skos:prefLabel "Denial of Control" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0813" ; d3f:definition "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" . d3f:T0814 a owl:Class ; rdfs:label "Denial of Service - ATTACK ICS" ; skos:prefLabel "Denial of Service" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0814" ; d3f:definition "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment." . d3f:T0815 a owl:Class ; rdfs:label "Denial of View - ATTACK ICS" ; skos:prefLabel "Denial of View" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0815" ; d3f:definition "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" . d3f:T0816 a owl:Class ; rdfs:label "Device Restart/Shutdown - ATTACK ICS" ; skos:prefLabel "Device Restart/Shutdown" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0816" ; d3f:definition "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands." . d3f:T0817 a owl:Class ; rdfs:label "Drive-by Compromise - ATTACK ICS" ; skos:prefLabel "Drive-by Compromise" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; d3f:attack-id "T0817" ; d3f:definition "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website." . d3f:T0818 a owl:Class ; owl:deprecated true ; rdfs:label "Engineering Workstation Compromise - ATTACK ICS" ; skos:prefLabel "Engineering Workstation Compromise" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0818" ; d3f:definition "Adversaries will compromise and gain control of an engineering workstation for Initial Access into the control system environment. Access to an engineering workstation may occur through or physical means, such as a Valid Accounts with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to, and control of, other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system." . d3f:T0819 a owl:Class ; rdfs:label "Exploit Public-Facing Application - ATTACK ICS" ; skos:prefLabel "Exploit Public-Facing Application" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; d3f:attack-id "T0819" ; d3f:definition "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility." . d3f:T0820 a owl:Class ; rdfs:label "Exploitation for Evasion - ATTACK ICS" ; skos:prefLabel "Exploitation for Evasion" ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique ; d3f:attack-id "T0820" ; d3f:definition "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features." . d3f:T0821 a owl:Class ; rdfs:label "Modify Controller Tasking - ATTACK ICS" ; skos:prefLabel "Modify Controller Tasking" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; d3f:attack-id "T0821" ; d3f:definition "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller." . d3f:T0822 a owl:Class ; rdfs:label "External Remote Services - ATTACK ICS" ; skos:prefLabel "External Remote Services" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; d3f:attack-id "T0822" ; d3f:definition "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)" . d3f:T0823 a owl:Class ; rdfs:label "Graphical User Interface - ATTACK ICS" ; skos:prefLabel "Graphical User Interface" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; d3f:attack-id "T0823" ; d3f:definition "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard." . d3f:T0824 a owl:Class ; owl:deprecated true ; rdfs:label "I/O Module Discovery - ATTACK ICS" ; skos:prefLabel "I/O Module Discovery" ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0824" ; d3f:definition "Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes." . d3f:T0825 a owl:Class ; owl:deprecated true ; rdfs:label "Location Identification - ATTACK ICS" ; skos:prefLabel "Location Identification" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0825" ; d3f:definition "Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries (Citation: Guidance - NIST SP800-82). While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration." . d3f:T0826 a owl:Class ; rdfs:label "Loss of Availability - ATTACK ICS" ; skos:prefLabel "Loss of Availability" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0826" ; d3f:definition "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" . d3f:T0827 a owl:Class ; rdfs:label "Loss of Control - ATTACK ICS" ; skos:prefLabel "Loss of Control" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0827" ; d3f:definition "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" . d3f:T0828 a owl:Class ; rdfs:label "Loss of Productivity and Revenue - ATTACK ICS" ; skos:prefLabel "Loss of Productivity and Revenue" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0828" ; d3f:definition "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments." . d3f:T0829 a owl:Class ; rdfs:label "Loss of View - ATTACK ICS" ; skos:prefLabel "Loss of View" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0829" ; d3f:definition "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" . d3f:T0830 a owl:Class ; rdfs:label "Adversary-in-the-Middle - ATTACK ICS" ; skos:prefLabel "Adversary-in-the-Middle" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; d3f:attack-id "T0830" ; d3f:definition "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)" . d3f:T0831 a owl:Class ; rdfs:label "Manipulation of Control - ATTACK ICS" ; skos:prefLabel "Manipulation of Control" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0831" ; d3f:definition "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection." . d3f:T0832 a owl:Class ; rdfs:label "Manipulation of View - ATTACK ICS" ; skos:prefLabel "Manipulation of View" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0832" ; d3f:definition "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)" . d3f:T0833 a owl:Class ; owl:deprecated true ; rdfs:label "Modify Control Logic - ATTACK ICS" ; skos:prefLabel "Modify Control Logic" ; rdfs:subClassOf d3f:ATTACKICSImpairProcessControlTechnique, d3f:ATTACKICSInhibitResponseFunctionTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0833" ; d3f:definition "Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates." . d3f:T0834 a owl:Class ; rdfs:label "Native API - ATTACK ICS" ; skos:prefLabel "Native API" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; d3f:attack-id "T0834" ; d3f:definition "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations." . d3f:T0835 a owl:Class ; rdfs:label "Manipulate I/O Image - ATTACK ICS" ; skos:prefLabel "Manipulate I/O Image" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0835" ; d3f:definition "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules." . d3f:T0836 a owl:Class ; rdfs:label "Modify Parameter - ATTACK ICS" ; skos:prefLabel "Modify Parameter" ; rdfs:subClassOf d3f:ATTACKICSImpairProcessControlTechnique ; d3f:attack-id "T0836" ; d3f:definition "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor." . d3f:T0837 a owl:Class ; rdfs:label "Loss of Protection - ATTACK ICS" ; skos:prefLabel "Loss of Protection" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0837" ; d3f:definition "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel." . d3f:T0838 a owl:Class ; rdfs:label "Modify Alarm Settings - ATTACK ICS" ; skos:prefLabel "Modify Alarm Settings" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0838" ; d3f:definition "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes." . d3f:T0839 a owl:Class ; rdfs:label "Module Firmware - ATTACK ICS" ; skos:prefLabel "Module Firmware" ; rdfs:subClassOf d3f:ATTACKICSImpairProcessControlTechnique, d3f:ATTACKICSPersistenceTechnique ; d3f:attack-id "T0839" ; d3f:definition "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment." . d3f:T0840 a owl:Class ; rdfs:label "Network Connection Enumeration - ATTACK ICS" ; skos:prefLabel "Network Connection Enumeration" ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; d3f:attack-id "T0840" ; d3f:definition "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content." . d3f:T0841 a owl:Class ; owl:deprecated true ; rdfs:label "Network Service Scanning - ATTACK ICS" ; skos:prefLabel "Network Service Scanning" ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0841" ; d3f:definition "Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on [https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml specific port numbers], the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is [https://nmap.org/ Nmap]." . d3f:T0842 a owl:Class ; rdfs:label "Network Sniffing - ATTACK ICS" ; skos:prefLabel "Network Sniffing" ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; d3f:attack-id "T0842" ; d3f:definition "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information." . d3f:T0843 a owl:Class ; rdfs:label "Program Download - ATTACK ICS" ; skos:prefLabel "Program Download" ; rdfs:subClassOf d3f:ATTACKICSLateralMovementTechnique ; d3f:attack-id "T0843" ; d3f:definition "Adversaries may perform a program download to transfer a user program to a controller." . d3f:T0844 a owl:Class ; owl:deprecated true ; rdfs:label "Program Organization Units - ATTACK ICS" ; skos:prefLabel "Program Organization Units" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique, d3f:ATTACKICSLateralMovementTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0844" ; d3f:definition "Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. (Citation: Guidance - IEC61131) POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. (Citation: Guidance - IEC61131) Application - 201203 They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. (Citation: PLCBlaster - Spenneberg)" . d3f:T0845 a owl:Class ; rdfs:label "Program Upload - ATTACK ICS" ; skos:prefLabel "Program Upload" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; d3f:attack-id "T0845" ; d3f:definition "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device." . d3f:T0846 a owl:Class ; rdfs:label "Remote System Discovery - ATTACK ICS" ; skos:prefLabel "Remote System Discovery" ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; d3f:attack-id "T0846" ; d3f:definition "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)" . d3f:T0847 a owl:Class ; rdfs:label "Replication Through Removable Media - ATTACK ICS" ; skos:prefLabel "Replication Through Removable Media" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; d3f:attack-id "T0847" ; d3f:definition "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible." . d3f:T0848 a owl:Class ; rdfs:label "Rogue Master - ATTACK ICS" ; skos:prefLabel "Rogue Master" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; d3f:attack-id "T0848" ; d3f:definition "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection." . d3f:T0849 a owl:Class ; rdfs:label "Masquerading - ATTACK ICS" ; skos:prefLabel "Masquerading" ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique ; d3f:attack-id "T0849" ; d3f:definition "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions." . d3f:T0850 a owl:Class ; owl:deprecated true ; rdfs:label "Role Identification - ATTACK ICS" ; skos:prefLabel "Role Identification" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0850" ; d3f:definition "Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack." . d3f:T0851 a owl:Class ; rdfs:label "Rootkit - ATTACK ICS" ; skos:prefLabel "Rootkit" ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique, d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0851" ; d3f:definition "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018)" . d3f:T0852 a owl:Class ; rdfs:label "Screen Capture - ATTACK ICS" ; skos:prefLabel "Screen Capture" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; d3f:attack-id "T0852" ; d3f:definition "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices." . d3f:T0853 a owl:Class ; rdfs:label "Scripting - ATTACK ICS" ; skos:prefLabel "Scripting" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; d3f:attack-id "T0853" ; d3f:definition "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions." . d3f:T0854 a owl:Class ; owl:deprecated true ; rdfs:label "Serial Connection Enumeration - ATTACK ICS" ; skos:prefLabel "Serial Connection Enumeration" ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0854" ; d3f:definition "Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems." . d3f:T0855 a owl:Class ; rdfs:label "Unauthorized Command Message - ATTACK ICS" ; skos:prefLabel "Unauthorized Command Message" ; rdfs:subClassOf d3f:ATTACKICSImpairProcessControlTechnique ; d3f:attack-id "T0855" ; d3f:definition "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)" . d3f:T0856 a owl:Class ; rdfs:label "Spoof Reporting Message - ATTACK ICS" ; skos:prefLabel "Spoof Reporting Message" ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique, d3f:ATTACKICSImpairProcessControlTechnique ; d3f:attack-id "T0856" ; d3f:definition "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values." . d3f:T0857 a owl:Class ; rdfs:label "System Firmware - ATTACK ICS" ; skos:prefLabel "System Firmware" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique, d3f:ATTACKICSPersistenceTechnique ; d3f:attack-id "T0857" ; d3f:definition "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network." . d3f:T0858 a owl:Class, owl:NamedIndividual ; rdfs:label "Change Operating Mode - ATTACK ICS" ; skos:prefLabel "Change Operating Mode" ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique, d3f:ATTACKICSExecutionTechnique, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:OTControllerOperatingMode ] ; d3f:attack-id "T0858" ; d3f:definition "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:" ; d3f:modifies d3f:OTControllerOperatingMode . d3f:T0859 a owl:Class ; rdfs:label "Valid Accounts - ATTACK ICS" ; skos:prefLabel "Valid Accounts" ; rdfs:subClassOf d3f:ATTACKICSLateralMovementTechnique, d3f:ATTACKICSPersistenceTechnique ; d3f:attack-id "T0859" ; d3f:definition "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way." . d3f:T0860 a owl:Class ; rdfs:label "Wireless Compromise - ATTACK ICS" ; skos:prefLabel "Wireless Compromise" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; d3f:attack-id "T0860" ; d3f:definition "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance." . d3f:T0861 a owl:Class ; rdfs:label "Point & Tag Identification - ATTACK ICS" ; skos:prefLabel "Point & Tag Identification" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; d3f:attack-id "T0861" ; d3f:definition "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience." . d3f:T0862 a owl:Class ; rdfs:label "Supply Chain Compromise - ATTACK ICS" ; skos:prefLabel "Supply Chain Compromise" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; d3f:attack-id "T0862" ; d3f:definition "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment." . d3f:T0863 a owl:Class ; rdfs:label "User Execution - ATTACK ICS" ; skos:prefLabel "User Execution" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; d3f:attack-id "T0863" ; d3f:definition "Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents." . d3f:T0864 a owl:Class ; rdfs:label "Transient Cyber Asset - ATTACK ICS" ; skos:prefLabel "Transient Cyber Asset" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; d3f:attack-id "T0864" ; d3f:definition "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required." . d3f:T0865 a owl:Class ; rdfs:label "Spearphishing Attachment - ATTACK ICS" ; skos:prefLabel "Spearphishing Attachment" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; d3f:attack-id "T0865" ; d3f:definition "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019)" . d3f:T0866 a owl:Class ; rdfs:label "Exploitation of Remote Services - ATTACK ICS" ; skos:prefLabel "Exploitation of Remote Services" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique, d3f:ATTACKICSLateralMovementTechnique ; d3f:attack-id "T0866" ; d3f:definition "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)" . d3f:T0867 a owl:Class ; rdfs:label "Lateral Tool Transfer - ATTACK ICS" ; skos:prefLabel "Lateral Tool Transfer" ; rdfs:subClassOf d3f:ATTACKICSLateralMovementTechnique ; d3f:attack-id "T0867" ; d3f:definition "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)" . d3f:T0868 a owl:Class ; rdfs:label "Detect Operating Mode - ATTACK ICS" ; skos:prefLabel "Detect Operating Mode" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; d3f:attack-id "T0868" ; d3f:definition "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:" . d3f:T0869 a owl:Class ; rdfs:label "Standard Application Layer Protocol - ATTACK ICS" ; skos:prefLabel "Standard Application Layer Protocol" ; rdfs:subClassOf d3f:ATTACKICSCommandAndControlTechnique ; d3f:attack-id "T0869" ; d3f:definition "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network." . d3f:T0870 a owl:Class ; owl:deprecated true ; rdfs:label "Detect Program State - ATTACK ICS" ; skos:prefLabel "Detect Program State" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0870" ; d3f:definition "Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it's running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program." . d3f:T0871 a owl:Class ; rdfs:label "Execution through API - ATTACK ICS" ; skos:prefLabel "Execution through API" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; d3f:attack-id "T0871" ; d3f:definition "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software." . d3f:T0872 a owl:Class ; rdfs:label "Indicator Removal on Host - ATTACK ICS" ; skos:prefLabel "Indicator Removal on Host" ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique ; d3f:attack-id "T0872" ; d3f:definition "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device." . d3f:T0873 a owl:Class ; rdfs:label "Project File Infection - ATTACK ICS" ; skos:prefLabel "Project File Infection" ; rdfs:subClassOf d3f:ATTACKICSPersistenceTechnique ; d3f:attack-id "T0873" ; d3f:definition "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev)" . d3f:T0874 a owl:Class ; rdfs:label "Hooking - ATTACK ICS" ; skos:prefLabel "Hooking" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique, d3f:ATTACKICSPrivilegeEscalationTechnique ; d3f:attack-id "T0874" ; d3f:definition "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)" . d3f:T0875 a owl:Class ; owl:deprecated true ; rdfs:label "Change Program State - ATTACK ICS" ; skos:prefLabel "Change Program State" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique, d3f:ATTACKICSImpairProcessControlTechnique ; rdfs:comment "This technique has been deprecated." ; d3f:attack-id "T0875" ; d3f:definition "Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device." . d3f:T0877 a owl:Class ; rdfs:label "I/O Image - ATTACK ICS" ; skos:prefLabel "I/O Image" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; d3f:attack-id "T0877" ; d3f:definition "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules." . d3f:T0878 a owl:Class ; rdfs:label "Alarm Suppression - ATTACK ICS" ; skos:prefLabel "Alarm Suppression" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0878" ; d3f:definition "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole." . d3f:T0879 a owl:Class ; rdfs:label "Damage to Property - ATTACK ICS" ; skos:prefLabel "Damage to Property" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0879" ; d3f:definition "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828)." . d3f:T0880 a owl:Class ; rdfs:label "Loss of Safety - ATTACK ICS" ; skos:prefLabel "Loss of Safety" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0880" ; d3f:definition "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner." . d3f:T0881 a owl:Class ; rdfs:label "Service Stop - ATTACK ICS" ; skos:prefLabel "Service Stop" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0881" ; d3f:definition "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)" . d3f:T0882 a owl:Class ; rdfs:label "Theft of Operational Information - ATTACK ICS" ; skos:prefLabel "Theft of Operational Information" ; rdfs:subClassOf d3f:ATTACKICSImpactTechnique ; d3f:attack-id "T0882" ; d3f:definition "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)" . d3f:T0883 a owl:Class ; rdfs:label "Internet Accessible Device - ATTACK ICS" ; skos:prefLabel "Internet Accessible Device" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique ; d3f:attack-id "T0883" ; d3f:definition "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique." . d3f:T0884 a owl:Class ; rdfs:label "Connection Proxy - ATTACK ICS" ; skos:prefLabel "Connection Proxy" ; rdfs:subClassOf d3f:ATTACKICSCommandAndControlTechnique ; d3f:attack-id "T0884" ; d3f:definition "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications." . d3f:T0885 a owl:Class ; rdfs:label "Commonly Used Port - ATTACK ICS" ; skos:prefLabel "Commonly Used Port" ; rdfs:subClassOf d3f:ATTACKICSCommandAndControlTechnique ; d3f:attack-id "T0885" ; d3f:definition "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below." . d3f:T0886 a owl:Class ; rdfs:label "Remote Services - ATTACK ICS" ; skos:prefLabel "Remote Services" ; rdfs:subClassOf d3f:ATTACKICSInitialAccessTechnique, d3f:ATTACKICSLateralMovementTechnique ; d3f:attack-id "T0886" ; d3f:definition "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019)" . d3f:T0887 a owl:Class ; rdfs:label "Wireless Sniffing - ATTACK ICS" ; skos:prefLabel "Wireless Sniffing" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique, d3f:ATTACKICSDiscoveryTechnique ; d3f:attack-id "T0887" ; d3f:definition "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum." . d3f:T0888 a owl:Class ; rdfs:label "Remote System Information Discovery - ATTACK ICS" ; skos:prefLabel "Remote System Information Discovery" ; rdfs:subClassOf d3f:ATTACKICSDiscoveryTechnique ; d3f:attack-id "T0888" ; d3f:definition "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage." . d3f:T0889 a owl:Class ; rdfs:label "Modify Program - ATTACK ICS" ; skos:prefLabel "Modify Program" ; rdfs:subClassOf d3f:ATTACKICSPersistenceTechnique ; d3f:attack-id "T0889" ; d3f:definition "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append." . d3f:T0890 a owl:Class ; rdfs:label "Exploitation for Privilege Escalation - ATTACK ICS" ; skos:prefLabel "Exploitation for Privilege Escalation" ; rdfs:subClassOf d3f:ATTACKICSPrivilegeEscalationTechnique ; d3f:attack-id "T0890" ; d3f:definition "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation)" . d3f:T0891 a owl:Class ; rdfs:label "Hardcoded Credentials - ATTACK ICS" ; skos:prefLabel "Hardcoded Credentials" ; rdfs:subClassOf d3f:ATTACKICSLateralMovementTechnique, d3f:ATTACKICSPersistenceTechnique ; d3f:attack-id "T0891" ; d3f:definition "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:" . d3f:T0892 a owl:Class ; rdfs:label "Change Credential - ATTACK ICS" ; skos:prefLabel "Change Credential" ; rdfs:subClassOf d3f:ATTACKICSInhibitResponseFunctionTechnique ; d3f:attack-id "T0892" ; d3f:definition "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces." . d3f:T0893 a owl:Class ; rdfs:label "Data from Local System - ATTACK ICS" ; skos:prefLabel "Data from Local System" ; rdfs:subClassOf d3f:ATTACKICSCollectionTechnique ; d3f:attack-id "T0893" ; d3f:definition "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes." . d3f:T0894 a owl:Class ; rdfs:label "System Binary Proxy Execution - ATTACK ICS" ; skos:prefLabel "System Binary Proxy Execution" ; rdfs:subClassOf d3f:ATTACKICSEvasionTechnique ; d3f:attack-id "T0894" ; d3f:definition "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. (Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands. Similarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands. (Citation: split man page)(Citation: GTFO split)" . d3f:T0895 a owl:Class ; rdfs:label "Autorun Image - ATTACK ICS" ; skos:prefLabel "Autorun Image" ; rdfs:subClassOf d3f:ATTACKICSExecutionTechnique ; d3f:attack-id "T0895" ; d3f:definition "Adversaries may leverage AutoRun functionality or scripts to execute malicious code. Devices configured to enable AutoRun functionality or legacy operating systems may be susceptible to abuse of these features to run malicious code stored on various forms of removeable media (i.e., USB, Disk Images [.ISO]). Commonly, AutoRun or AutoPlay are disabled in many operating systems configurations to mitigate against this technique. If a device is configured to enable AutoRun or AutoPlay, adversaries may execute code on the device by mounting the removable media to the device, either through physical or virtual means. This may be especially relevant for virtual machine environments where disk images may be dynamically mapped to a guest system on a hypervisor." . d3f:T1001 a owl:Class, owl:NamedIndividual ; rdfs:label "Data Obfuscation" ; rdfs:subClassOf d3f:CommandAndControlTechnique, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:OutboundInternetNetworkTraffic ] ; d3f:attack-id "T1001" ; d3f:definition "Adversaries may obfuscate command and control traffic to make it more difficult to detect.(Citation: Bitdefender FunnyDream Campaign November 2020) Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols." ; d3f:produces d3f:OutboundInternetNetworkTraffic . d3f:T1001.001 a owl:Class ; rdfs:label "Junk Data" ; rdfs:subClassOf d3f:T1001 ; d3f:attack-id "T1001.001" ; d3f:definition "Adversaries may add junk data to protocols used for command and control to make detection more difficult.(Citation: FireEye SUNBURST Backdoor December 2020) By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters." . d3f:T1001.002 a owl:Class ; rdfs:label "Steganography" ; rdfs:subClassOf d3f:T1001 ; d3f:attack-id "T1001.002" ; d3f:definition "Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control." . d3f:T1001.003 a owl:Class ; rdfs:label "Protocol or Service Impersonation" ; rdfs:subClassOf d3f:T1001 ; d3f:attack-id "T1001.003" ; d3f:definition "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic." . d3f:T1002 a owl:Class ; owl:deprecated true ; rdfs:label "Data Compressed" ; rdfs:subClassOf d3f:ExfiltrationTechnique ; rdfs:comment "This technique has been revoked by T1560" ; d3f:attack-id "T1002" ; d3f:definition "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib." ; rdfs:seeAlso d3f:T1560 . d3f:T1003 a owl:Class ; rdfs:label "OS Credential Dumping" ; rdfs:subClassOf d3f:CredentialAccessTechnique ; d3f:attack-id "T1003" ; d3f:definition "Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information." . d3f:T1003.001 a owl:Class, owl:NamedIndividual ; rdfs:label "LSASS Memory" ; rdfs:subClassOf d3f:T1003, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:AuthenticationService ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:Process ] ; d3f:accesses d3f:AuthenticationService, d3f:Process ; d3f:attack-id "T1003.001" ; d3f:definition "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)." . d3f:T1003.002 a owl:Class, owl:NamedIndividual ; rdfs:label "Security Account Manager" ; rdfs:subClassOf d3f:T1003, [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:AuthenticationService ], [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:Process ], [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:SystemPasswordDatabase ] ; d3f:attack-id "T1003.002" ; d3f:definition "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access." ; d3f:may-access d3f:AuthenticationService, d3f:Process, d3f:SystemPasswordDatabase . d3f:T1003.003 a owl:Class, owl:NamedIndividual ; rdfs:label "NTDS" ; rdfs:subClassOf d3f:T1003, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:EncryptedCredential ] ; d3f:accesses d3f:EncryptedCredential ; d3f:attack-id "T1003.003" ; d3f:definition "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller.(Citation: Wikipedia Active Directory)" . d3f:T1003.004 a owl:Class, owl:NamedIndividual ; rdfs:label "LSA Secrets" ; rdfs:subClassOf d3f:T1003, [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:Process ], [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:SystemPasswordDatabase ] ; d3f:attack-id "T1003.004" ; d3f:definition "Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)" ; d3f:may-access d3f:Process, d3f:SystemPasswordDatabase . d3f:T1003.005 a owl:Class, owl:NamedIndividual ; rdfs:label "Cached Domain Credentials" ; rdfs:subClassOf d3f:T1003, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:EncryptedCredential ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:Log ] ; d3f:accesses d3f:EncryptedCredential ; d3f:attack-id "T1003.005" ; d3f:definition "Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)" ; d3f:may-modify d3f:Log . d3f:T1003.006 a owl:Class, owl:NamedIndividual ; rdfs:label "DCSync" ; rdfs:subClassOf d3f:T1003, [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:EventLog ], [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:IntranetAdministrativeNetworkTraffic ] ; d3f:attack-id "T1003.006" ; d3f:definition "Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync." ; d3f:may-modify d3f:EventLog ; d3f:produces d3f:IntranetAdministrativeNetworkTraffic . d3f:T1003.007 a owl:Class, owl:NamedIndividual ; rdfs:label "Proc Filesystem" ; rdfs:subClassOf d3f:T1003, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:OperatingSystemFile ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:ProcessImage ] ; d3f:accesses d3f:OperatingSystemFile, d3f:ProcessImage ; d3f:attack-id "T1003.007" ; d3f:definition "Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc//maps` file shows how memory is mapped within the process’s virtual address space. And `/proc//mem`, exposed for debugging purposes, provides access to the process’s virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)" . d3f:T1003.008 a owl:Class, owl:NamedIndividual ; rdfs:label "/etc/passwd and /etc/shadow" ; rdfs:subClassOf d3f:T1003, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:EncryptedCredential ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:PasswordFile ] ; d3f:accesses d3f:EncryptedCredential, d3f:PasswordFile ; d3f:attack-id "T1003.008" ; d3f:definition "Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats)" . d3f:T1004 a owl:Class ; owl:deprecated true ; rdfs:label "Winlogon Helper DLL" ; rdfs:subClassOf d3f:PersistenceTechnique ; rdfs:comment "This technique has been revoked by T1547.004" ; d3f:attack-id "T1004" ; d3f:definition "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software\\[Wow6432Node\\]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)" ; rdfs:seeAlso d3f:T1547.004 . d3f:T1005 a owl:Class, owl:NamedIndividual ; rdfs:label "Data from Local System" ; rdfs:subClassOf d3f:CollectionTechnique, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:File ], [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:LocalResource ] ; d3f:accesses d3f:File, d3f:LocalResource ; d3f:attack-id "T1005" ; d3f:definition "Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration." . d3f:T1006 a owl:Class, owl:NamedIndividual ; rdfs:label "Direct Volume Access" ; rdfs:subClassOf d3f:DefenseEvasionTechnique, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:Volume ] ; d3f:accesses d3f:Volume ; d3f:attack-id "T1006" ; d3f:definition "Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)" . d3f:T1007 a owl:Class, owl:NamedIndividual ; rdfs:label "System Service Discovery" ; rdfs:subClassOf d3f:DiscoveryTechnique, [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:CreateProcess ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:GetRunningProcesses ] ; d3f:attack-id "T1007" ; d3f:definition "Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start." ; d3f:may-invoke d3f:CreateProcess, d3f:GetRunningProcesses . d3f:T1008 a owl:Class, owl:NamedIndividual ; rdfs:label "Fallback Channels" ; rdfs:subClassOf d3f:CommandAndControlTechnique, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:OutboundInternetNetworkTraffic ] ; d3f:attack-id "T1008" ; d3f:definition "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds." ; d3f:produces d3f:OutboundInternetNetworkTraffic . d3f:T1009 a owl:Class ; owl:deprecated true ; rdfs:label "Binary Padding" ; rdfs:subClassOf d3f:DefenseEvasionTechnique ; rdfs:comment "This technique has been revoked by T1027.001" ; d3f:attack-id "T1009" ; d3f:definition "Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations." ; rdfs:seeAlso d3f:T1027.001 . d3f:T1010 a owl:Class, owl:NamedIndividual ; rdfs:label "Application Window Discovery" ; rdfs:subClassOf d3f:DiscoveryTechnique, [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:CreateProcess ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:GetOpenWindows ] ; d3f:attack-id "T1010" ; d3f:definition "Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)" ; d3f:may-invoke d3f:CreateProcess, d3f:GetOpenWindows . d3f:T1011 a owl:Class, owl:NamedIndividual ; rdfs:label "Exfiltration Over Other Network Medium" ; rdfs:subClassOf d3f:ExfiltrationTechnique, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:InternetNetworkTraffic ] ; d3f:attack-id "T1011" ; d3f:definition "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel." ; d3f:produces d3f:InternetNetworkTraffic . d3f:T1011.001 a owl:Class ; rdfs:label "Exfiltration Over Bluetooth" ; rdfs:subClassOf d3f:T1011 ; d3f:attack-id "T1011.001" ; d3f:definition "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an adversary may opt to exfiltrate data using a Bluetooth communication channel." . d3f:T1012 a owl:Class, owl:NamedIndividual ; rdfs:label "Query Registry" ; rdfs:subClassOf d3f:DiscoveryTechnique, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:SystemConfigurationDatabase ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:GetSystemConfigValue ] ; d3f:accesses d3f:SystemConfigurationDatabase ; d3f:attack-id "T1012" ; d3f:definition "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software." ; d3f:may-invoke d3f:GetSystemConfigValue . d3f:T1013 a owl:Class ; owl:deprecated true ; rdfs:label "Port Monitors" ; rdfs:subClassOf d3f:PersistenceTechnique, d3f:PrivilegeEscalationTechnique ; rdfs:comment "This technique has been revoked by T1547.010" ; d3f:attack-id "T1013" ; d3f:definition "A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors." ; rdfs:seeAlso d3f:T1547.010 . d3f:T1014 a owl:Class, owl:NamedIndividual ; rdfs:label "Rootkit" ; rdfs:subClassOf d3f:DefenseEvasionTechnique, [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:BootSector ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:Firmware ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:Kernel ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:KernelModule ], [ a owl:Restriction ; owl:onProperty d3f:may-modify ; owl:someValuesFrom d3f:SharedLibraryFile ] ; d3f:attack-id "T1014" ; d3f:definition "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)" ; d3f:may-modify d3f:BootSector, d3f:Firmware, d3f:Kernel, d3f:KernelModule, d3f:SharedLibraryFile . d3f:T1015 a owl:Class ; owl:deprecated true ; rdfs:label "Accessibility Features" ; rdfs:subClassOf d3f:PersistenceTechnique, d3f:PrivilegeEscalationTechnique ; rdfs:comment "This technique has been revoked by T1546.008" ; d3f:attack-id "T1015" ; d3f:definition "Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system." ; rdfs:seeAlso d3f:T1546.008 . d3f:T1016 a owl:Class, owl:NamedIndividual ; rdfs:label "System Network Configuration Discovery" ; rdfs:subClassOf d3f:DiscoveryTechnique, [ a owl:Restriction ; owl:onProperty d3f:may-execute ; owl:someValuesFrom d3f:ExecutableScript ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:CreateProcess ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:GetSystemNetworkConfigValue ] ; d3f:attack-id "T1016" ; d3f:definition "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103)." ; d3f:may-execute d3f:ExecutableScript ; d3f:may-invoke d3f:CreateProcess, d3f:GetSystemNetworkConfigValue . d3f:T1016.001 a owl:Class ; rdfs:label "Internet Connection Discovery" ; rdfs:subClassOf d3f:T1016 ; d3f:attack-id "T1016.001" ; d3f:definition "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), tracert, and GET requests to websites." . d3f:T1016.002 a owl:Class ; rdfs:label "Wi-Fi Discovery" ; rdfs:subClassOf d3f:T1016 ; d3f:attack-id "T1016.002" ; d3f:definition "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns." . d3f:T1017 a owl:Class ; owl:deprecated true ; rdfs:label "Application Deployment Software" ; rdfs:subClassOf d3f:LateralMovementTechnique ; rdfs:comment "This technique has been revoked by T1072" ; d3f:attack-id "T1017" ; d3f:definition "Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment." ; rdfs:seeAlso d3f:T1072 . d3f:T1018 a owl:Class, owl:NamedIndividual ; rdfs:label "Remote System Discovery" ; rdfs:subClassOf d3f:DiscoveryTechnique, [ a owl:Restriction ; owl:onProperty d3f:may-access ; owl:someValuesFrom d3f:OperatingSystemConfigurationFile ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:CreateProcess ], [ a owl:Restriction ; owl:onProperty d3f:may-invoke ; owl:someValuesFrom d3f:CreateSocket ], [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:NetworkTraffic ] ; d3f:attack-id "T1018" ; d3f:definition "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039)." ; d3f:may-access d3f:OperatingSystemConfigurationFile ; d3f:may-invoke d3f:CreateProcess, d3f:CreateSocket ; d3f:produces d3f:NetworkTraffic . d3f:T1019 a owl:Class ; owl:deprecated true ; rdfs:label "System Firmware" ; rdfs:subClassOf d3f:PersistenceTechnique ; rdfs:comment "This technique has been revoked by T1542.001" ; d3f:attack-id "T1019" ; d3f:definition "The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)" ; rdfs:seeAlso d3f:T1542.001 . d3f:T1020 a owl:Class, owl:NamedIndividual ; rdfs:label "Automated Exfiltration" ; rdfs:subClassOf d3f:ExfiltrationTechnique, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:InternetNetworkTraffic ] ; d3f:attack-id "T1020" ; d3f:definition "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)" ; d3f:produces d3f:InternetNetworkTraffic . d3f:T1020.001 a owl:Class ; rdfs:label "Traffic Duplication" ; rdfs:subClassOf d3f:T1020 ; d3f:attack-id "T1020.001" ; d3f:definition "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring)(Citation: Juniper Traffic Mirroring)" . d3f:T1021 a owl:Class, owl:NamedIndividual ; rdfs:label "Remote Services" ; rdfs:subClassOf d3f:LateralMovementTechnique, [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:IntranetNetworkTraffic ] ; d3f:attack-id "T1021" ; d3f:definition "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user." ; d3f:produces d3f:IntranetNetworkTraffic . d3f:T1021.001 a owl:Class, owl:NamedIndividual ; rdfs:label "Remote Desktop Protocol" ; rdfs:subClassOf d3f:T1021, [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:RDPSession ], [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:AdministrativeNetworkTraffic ] ; d3f:attack-id "T1021.001" ; d3f:creates d3f:RDPSession ; d3f:definition "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user." ; d3f:produces d3f:AdministrativeNetworkTraffic . d3f:T1021.002 a owl:Class ; rdfs:label "SMB/Windows Admin Shares" ; rdfs:subClassOf d3f:T1021 ; d3f:attack-id "T1021.002" ; d3f:definition "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user." . d3f:T1021.003 a owl:Class ; rdfs:label "Distributed Component Object Model" ; rdfs:subClassOf d3f:T1021 ; d3f:attack-id "T1021.003" ; d3f:definition "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user." . d3f:T1021.004 a owl:Class, owl:NamedIndividual ; rdfs:label "SSH" ; rdfs:subClassOf d3f:T1021, [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:SSHSession ], [ a owl:Restriction ; owl:onProperty d3f:produces ; owl:someValuesFrom d3f:AdministrativeNetworkTraffic ] ; d3f:attack-id "T1021.004" ; d3f:creates d3f:SSHSession ; d3f:definition "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user." ; d3f:produces d3f:AdministrativeNetworkTraffic . d3f:T1021.005 a owl:Class ; rdfs:label "VNC" ; rdfs:subClassOf d3f:T1021 ; d3f:attack-id "T1021.005" ; d3f:definition "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)" . d3f:T1021.006 a owl:Class ; rdfs:label "Windows Remote Management" ; rdfs:subClassOf d3f:T1021 ; d3f:attack-id "T1021.006" ; d3f:definition "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user." . d3f:T1021.007 a owl:Class ; rdfs:label "Cloud Services" ; rdfs:subClassOf d3f:T1021 ; d3f:attack-id "T1021.007" ; d3f:definition "Adversaries may log into accessible cloud services within a compromised environment using [Valid Accounts](https://attack.mitre.org/techniques/T1078) that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user." . d3f:T1021.008 a owl:Class ; rdfs:label "Direct Cloud VM Connections" ; rdfs:subClassOf d3f:T1021 ; d3f:attack-id "T1021.008" ; d3f:definition "Adversaries may leverage [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log directly into accessible cloud hosted compute infrastructure through cloud native methods. Many cloud providers offer interactive connections to virtual infrastructure that can be accessed through the [Cloud API](https://attack.mitre.org/techniques/T1059/009), such as Azure Serial Console(Citation: Azure Serial Console), AWS EC2 Instance Connect(Citation: EC2 Instance Connect)(Citation: lucr-3: Getting SaaS-y in the cloud), and AWS System Manager.(Citation: AWS System Manager)." . d3f:T1022 a owl:Class ; owl:deprecated true ; rdfs:label "Data Encrypted" ; rdfs:subClassOf d3f:ExfiltrationTechnique ; rdfs:comment "This technique has been revoked by T1560" ; d3f:attack-id "T1022" ; d3f:definition "Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip." ; rdfs:seeAlso d3f:T1560 . d3f:T1023 a owl:Class ; owl:deprecated true ; rdfs:label "Shortcut Modification" ; rdfs:subClassOf d3f:PersistenceTechnique ; rdfs:comment "This technique has been revoked by T1547.009" ; d3f:attack-id "T1023" ; d3f:definition "Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program." ; rdfs:seeAlso d3f:T1547.009 . d3f:T1024 a owl:Class ; owl:deprecated true ; rdfs:label "Custom Cryptographic Protocol" ; rdfs:subClassOf d3f:CommandAndControlTechnique ; rdfs:comment "This technique has been revoked by T1573" ; d3f:attack-id "T1024" ; d3f:definition "Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext." ; rdfs:seeAlso d3f:T1573 . d3f:T1025 a owl:Class, owl:NamedIndividual ; rdfs:label "Data from Removable Media" ; rdfs:subClassOf d3f:CollectionTechnique, [ a owl:Restriction ; owl:onProperty d3f:accesses ; owl:someValuesFrom d3f:RemovableMediaDevice ] ; d3f:accesses d3f:RemovableMediaDevice ; d3f:attack-id "T1025" ; d3f:definition "Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information." . d3f:T1026 a owl:Class ; owl:deprecated true ; rdfs:label "Multiband Communication" ; rdfs:subClassOf d3f:CommandAndControlTechnique ; rdfs:comment "**This technique has been deprecated and should no longer be used.**" ; d3f:attack-id "T1026" ; d3f:definition "**This technique has been deprecated and should no longer be used.**" . d3f:T1027 a owl:Class ; rdfs:label "Obfuscated Files or Information" ; rdfs:subClassOf d3f:DefenseEvasionTechnique ; d3f:attack-id "T1027" ; d3f:definition "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses." . d3f:T1027.001 a owl:Class, owl:NamedIndividual ; rdfs:label "Binary Padding" ; rdfs:subClassOf d3f:T1027, [ a owl:Restriction ; owl:onProperty d3f:modifies ; owl:someValuesFrom d3f:ExecutableBinary ] ; d3f:attack-id "T1027.001" ; d3f:definition "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations." ; d3f:modifies d3f:ExecutableBinary . d3f:T1027.002 a owl:Class, owl:NamedIndividual ; rdfs:label "Software Packing" ; rdfs:subClassOf d3f:T1027, [ a owl:Restriction ; owl:onProperty d3f:obfuscates ; owl:someValuesFrom d3f:ExecutableFile ] ; d3f:attack-id "T1027.002" ; d3f:definition "Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)" ; d3f:obfuscates d3f:ExecutableFile . d3f:T1027.003 a owl:Class ; rdfs:label "Steganography" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.003" ; d3f:definition "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files." . d3f:T1027.004 a owl:Class, owl:NamedIndividual ; rdfs:label "Compile After Delivery" ; rdfs:subClassOf d3f:T1027, [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:ExecutableFile ] ; d3f:attack-id "T1027.004" ; d3f:creates d3f:ExecutableFile ; d3f:definition "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)" . d3f:T1027.005 a owl:Class ; rdfs:label "Indicator Removal from Tools" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.005" ; d3f:definition "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems." . d3f:T1027.006 a owl:Class, owl:NamedIndividual ; rdfs:label "HTML Smuggling" ; rdfs:subClassOf d3f:T1027, [ a owl:Restriction ; owl:onProperty d3f:creates ; owl:someValuesFrom d3f:JavaScriptBlob ], [ a owl:Restriction ; owl:onProperty d3f:hides ; owl:someValuesFrom d3f:DigitalArtifact ] ; d3f:attack-id "T1027.006" ; d3f:creates d3f:JavaScriptBlob ; d3f:definition "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)" ; d3f:hides d3f:DigitalArtifact . d3f:T1027.007 a owl:Class ; rdfs:label "Dynamic API Resolution" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.007" ; d3f:definition "Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various [Native API](https://attack.mitre.org/techniques/T1106) functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts." . d3f:T1027.008 a owl:Class ; rdfs:label "Stripped Payloads" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.008" ; d3f:definition "Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and other human readable information. Scripts and executables may contain variables names and other strings that help developers document code functionality. Symbols are often created by an operating system’s `linker` when executable payloads are compiled. Reverse engineers use these symbols and strings to analyze code and to identify functionality in payloads.(Citation: Mandiant golang stripped binaries explanation)(Citation: intezer stripped binaries elf files 2018)" . d3f:T1027.009 a owl:Class ; rdfs:label "Embedded Payloads" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.009" ; d3f:definition "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to [Subvert Trust Controls](https://attack.mitre.org/techniques/T1553) by not impacting execution controls such as digital signatures and notarization tickets.(Citation: Sentinel Labs)" . d3f:T1027.010 a owl:Class ; rdfs:label "Command Obfuscation" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.010" ; d3f:definition "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., [Phishing](https://attack.mitre.org/techniques/T1566) and [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)) or interactively via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059).(Citation: Akamai JS)(Citation: Malware Monday VBE)" . d3f:T1027.011 a owl:Class ; rdfs:label "Fileless Storage" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.011" ; d3f:definition "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Fileless storage can be broadly defined as any format other than a file. Common examples of non-volatile fileless storage include the Windows Registry, event logs, or WMI repository.(Citation: Microsoft Fileless)(Citation: SecureList Fileless)" . d3f:T1027.012 a owl:Class ; rdfs:label "LNK Icon Smuggling" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.012" ; d3f:definition "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory." . d3f:T1027.013 a owl:Class ; rdfs:label "Encrypted/Encoded File" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.013" ; d3f:definition "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as [Software Packing](https://attack.mitre.org/techniques/T1027/002), [Steganography](https://attack.mitre.org/techniques/T1027/003), and [Embedded Payloads](https://attack.mitre.org/techniques/T1027/009), share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)) at the time of execution/use." . d3f:T1027.014 a owl:Class ; rdfs:label "Polymorphic Code" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.014" ; d3f:definition "Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detection. Polymorphic code is a type of software capable of changing its runtime footprint during code execution.(Citation: polymorphic-blackberry) With each execution of the software, the code is mutated into a different version of itself that achieves the same purpose or objective as the original. This functionality enables the malware to evade traditional signature-based defenses, such as antivirus and antimalware tools.(Citation: polymorphic-sentinelone)" . d3f:T1027.015 a owl:Class ; rdfs:label "Compression" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.015" ; d3f:definition "Adversaries may use compression to obfuscate their payloads or files. Compressed file formats such as ZIP, gzip, 7z, and RAR can compress and archive multiple files together to make it easier and faster to transfer files. In addition to compressing files, adversaries may also compress shellcode directly - for example, in order to store it in a Windows Registry key (i.e., [Fileless Storage](https://attack.mitre.org/techniques/T1027/011)).(Citation: Trustwave Pillowmint June 2020)" . d3f:T1027.016 a owl:Class ; rdfs:label "Junk Code Insertion" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.016" ; d3f:definition "Adversaries may use junk code / dead code to obfuscate a malware’s functionality. Junk code is code that either does not execute, or if it does execute, does not change the functionality of the code. Junk code makes analysis more difficult and time-consuming, as the analyst steps through non-functional code instead of analyzing the main code. It also may hinder detections that rely on static code analysis due to the use of benign functionality, especially when combined with [Compression](https://attack.mitre.org/techniques/T1027/015) or [Software Packing](https://attack.mitre.org/techniques/T1027/002).(Citation: ReasonLabs)(Citation: ReasonLabs Cyberpedia Junk Code)" . d3f:T1027.017 a owl:Class ; rdfs:label "SVG Smuggling" ; rdfs:subClassOf d3f:T1027 ; d3f:attack-id "T1027.017" ; d3f:definition "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.(Citation: Trustwave SVG Smuggling 2025) SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include `