wikipunk/d3fend

--- language: - en license: mit tags: - knowledge-graph - rdf - owl - ontology - cybersecurity annotations_creators: - expert-generated pretty_name: D3FEND size_categories: - 100K<n<1M task_categories: - graph-ml dataset_info: features: - name: subject dtype: string - name: predicate dtype: string - name: object dtype: string config_name: default splits: - name: train num_bytes: 46899451 num_examples: 231842 dataset_size: 46899451 viewer: false --- # D3FEND: A knowledge graph of cybersecurity countermeasures ### Overview D3FEND encodes a countermeasure knowledge base in the form of a knowledge graph. It meticulously organizes key concepts and relations in the cybersecurity countermeasure domain, linking each to pertinent references in the cybersecurity literature. ### Use-cases Researchers and cybersecurity enthusiasts can leverage D3FEND to: - Develop sophisticated graph-based models. - Fine-tune large language models, focusing on cybersecurity knowledge graph completion. - Explore the complexities and nuances of defensive techniques, mappings to MITRE ATT&CK, weaknesses (CWEs), and cybersecurity taxonomies. - Gain insight into ontology development and modeling in the cybersecurity domain. ### Dataset construction and pre-processing ### Source: - [Dataset Repository - 0.13.0-BETA-1](https://github.com/d3fend/d3fend-ontology/tree/release/0.13.0-BETA-1) - [Commit Details](https://github.com/d3fend/d3fend-ontology/commit/3dcc495879bb62cee5c4109e9b784dd4a2de3c9d) - [CWE Extension](https://github.com/d3fend/d3fend-ontology/tree/release/0.13.0-BETA-1/extensions/cwe) #### Building and Verification: 1. **Construction**: The ontology, denoted as `d3fend-full.owl`, was built from the beta version of the D3FEND ontology referenced above using documented README in d3fend-ontology. This includes the CWE extensions. 2. **Import and Reasoning**: Imported into Protege version 5.6.1, utilizing the Pellet reasoner plugin for logical reasoning and verification. 3. **Coherence Check**: Utilized the Debug Ontology plugin in Protege to ensure the ontology's coherence and consistency. #### Exporting, Transformation, and Compression: Note: The following steps were performed using Apache Jena's command line tools. (https://jena.apache.org/documentation/tools/) 1. **Exporting Inferred Axioms**: Post-verification, I exported inferred axioms along with asserted axioms and annotations. [Detailed Process](https://www.michaeldebellis.com/post/export-inferred-axioms) 2. **Filtering**: The materialized ontology was filtered using `d3fend.rq` to retain relevant triples. 3. **Format Transformation**: Subsequently transformed to Turtle and N-Triples formats for diverse usability. Note: I export in Turtle first because it is easier to read and verify. Then I convert to N-Triples. ```shell arq --query=d3fend.rq --data=d3fend.owl --results=turtle > d3fend.ttl riot --output=nt d3fend.ttl > d3fend.nt ``` 4. **Compression**: Compressed the resulting ontology files using gzip. ## Features The D3FEND dataset is composed of triples representing the relationships between different cybersecurity countermeasures. Each triple is a representation of a statement about a cybersecurity concept or a relationship between concepts. The dataset includes the following features: ### 1. **Subject** (`string`) The subject of a triple is the entity that the statement is about. In this dataset, the subject represents a cybersecurity concept or entity, such as a specific countermeasure or ATT&CK technique. ### 2. **Predicate** (`string`) The predicate of a triple represents the property or characteristic of the subject, or the nature of the relationship between the subject and the object. For instance, it might represent a specific type of relationship like "may-be-associated-with" or "has a reference." ### 3. **Object** (`string`) The object of a triple is the entity that is related to the subject by the predicate. It can be another cybersecurity concept, such as an ATT&CK technique, or a literal value representing a property of the subject, such as a name or a description. ### Usage First make sure you have the requirements installed: ```python pip install datasets pip install rdflib ``` You can load the dataset using the Hugging Face Datasets library with the following Python code: ```python from datasets import load_dataset dataset = load_dataset('wikipunk/d3fend', split='train') ``` #### Note on Format: The subject, predicate, and object are stored in N3 notation, a verbose serialization for RDF. This allows users to unambiguously parse each component using `rdflib.util.from_n3` from the RDFLib Python library. For example: ```python from rdflib.util import from_n3 subject_node = from_n3(dataset[0]['subject']) predicate_node = from_n3(dataset[0]['predicate']) object_node = from_n3(dataset[0]['object']) ``` Once loaded, each example in the dataset will be a dictionary with `subject`, `predicate`, and `object` keys corresponding to the features described above. ### Example Here is an example of a triple in the dataset: - Subject: `"<http://d3fend.mitre.org/ontologies/d3fend.owl#T1550.002>"` - Predicate: `"<http://d3fend.mitre.org/ontologies/d3fend.owl#may-be-associated-with>"` - Object: `"<http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.014>"` This triple represents the statement that the ATT&CK technique identified by `T1550.002` may be associated with the ATT&CK technique identified by `T1218.014`. ### Acknowledgements This ontology is developed by MITRE Corporation and is licensed under the MIT license. I would like to thank the authors for their work which has opened my eyes to a new world of cybersecurity modeling. If you are a cybersecurity expert please consider [contributing to D3FEND](https://d3fend.mitre.org/contribute/). [D3FEND Resources](https://d3fend.mitre.org/resources/) ### Citation ```bibtex @techreport{kaloroumakis2021d3fend, title={Toward a Knowledge Graph of Cybersecurity Countermeasures}, author={Kaloroumakis, Peter E. and Smith, Michael J.}, institution={The MITRE Corporation}, year={2021}, url={https://d3fend.mitre.org/resources/D3FEND.pdf} } ```

语言： - 英语 许可证：MIT许可证 标签： - 知识图谱（knowledge graph） - 资源描述框架（RDF） - Web本体语言（OWL） - 本体（ontology） - 网络安全 标注生成者： - 专家生成 友好名称：D3FEND 样本规模分类： - 10万<样本数<100万 任务类别： - 图机器学习（graph-ml） 数据集信息： 特征： - 名称：subject（主题），数据类型：字符串 - 名称：predicate（谓词），数据类型：字符串 - 名称：object（客体），数据类型：字符串 配置名称：default（默认配置） 划分： - 名称：train（训练集），数据字节数：46899451，样本数：231842 数据集总大小：46899451 数据查看器：未启用 # D3FEND：网络安全防御措施知识图谱 ## 概述 D3FEND以知识图谱的形式编码了防御措施知识库，其精心梳理了网络安全防御领域的核心概念与关联关系，并将每个条目与网络安全领域文献中的相关参考文献进行关联。 ## 应用场景 研究人员与网络安全爱好者可借助D3FEND完成以下工作： - 构建复杂的基于图的模型 - 针对网络安全知识图谱补全任务，对大语言模型（LLM）进行微调 - 探究防御技术的复杂内涵与细微差异，以及其与MITRE攻击战术技术和通用知识库（MITRE ATT&CK）、通用弱点枚举（CWE）以及网络安全分类体系的映射关系 - 深入了解网络安全领域的本体开发与建模方法 ## 数据集构建与预处理 ### 数据源 - [数据集仓库 - 0.13.0-BETA-1版本](https://github.com/d3fend/d3fend-ontology/tree/release/0.13.0-BETA-1) - [提交详情](https://github.com/d3fend/d3fend-ontology/commit/3dcc495879bb62cee5c4109e9b784dd4a2de3c9d) - [CWE扩展模块](https://github.com/d3fend/d3fend-ontology/tree/release/0.13.0-BETA-1/extensions/cwe) #### 构建与验证 1. **构建**：本数据集基于上述引用的D3FEND本体测试版，结合d3fend-ontology仓库中的官方README文档完成构建，生成的本体文件名为`d3fend-full.owl`，其中包含CWE扩展模块。 2. **导入与推理**：将构建完成的本体导入至Protege 5.6.1版本本体开发工具中，并使用Pellet推理机插件进行逻辑推理与一致性验证。 3. **一致性检查**：通过Protege内置的Debug Ontology插件，对本体的连贯性与一致性进行校验。 #### 导出、格式转换与压缩 注：以下步骤均通过Apache Jena命令行工具完成（https://jena.apache.org/documentation/tools/） 1. **导出推理公理**：验证完成后，导出推理得到的公理与显式声明的公理及标注信息。[详细流程](https://www.michaeldebellis.com/post/export-inferred-axioms) 2. **过滤处理**：使用`d3fend.rq`查询文件对实例化后的本体进行过滤，仅保留符合要求的三元组。 3. **格式转换**：将过滤后的本体转换为Turtle与N-三元组（N-Triples）格式以适配不同使用场景。注：优先导出为Turtle格式是因其更便于阅读与校验，随后再将其转换为N-三元组格式。 shell arq --query=d3fend.rq --data=d3fend.owl --results=turtle > d3fend.ttl riot --output=nt d3fend.ttl > d3fend.nt 4. **压缩归档**：使用gzip工具对生成的本体文件进行压缩。 ## 数据集特征 D3FEND数据集由代表不同网络安全防御措施间关联关系的三元组构成，每个三元组均为一条关于网络安全概念或概念间关系的陈述。本数据集包含以下特征： ### 1. **主题（Subject）**（字符串类型） 三元组的主题是陈述所指向的实体。在本数据集中，主题代表一个网络安全概念或实体，例如特定的防御措施或MITRE ATT&CK技术。 ### 2. **谓词（Predicate）**（字符串类型） 三元组的谓词用于描述主题的属性或特征，或是主题与客体之间的关系类型。例如，它可以表示诸如“可关联至”或“包含参考文献”等特定关系。 ### 3. **客体（Object）**（字符串类型） 三元组的客体是通过谓词与主题产生关联的实体。它可以是另一个网络安全概念（如MITRE ATT&CK技术），或是代表主题属性的字面量值，例如名称或描述信息。 ## 使用方法 首先请确保已安装所需依赖： python pip install datasets pip install rdflib 你可以通过Hugging Face Datasets库加载本数据集，示例Python代码如下： python from datasets import load_dataset dataset = load_dataset('wikipunk/d3fend', split='train') #### 格式说明 主题、谓词与客体均以N3序列化格式存储，这是一种面向资源描述框架（RDF）的显式序列化方式。用户可通过Python库RDFLib中的`rdflib.util.from_n3`方法，对每个字段进行无歧义解析，示例如下： python from rdflib.util import from_n3 subject_node = from_n3(dataset[0]['subject']) predicate_node = from_n3(dataset[0]['predicate']) object_node = from_n3(dataset[0]['object']) 加载完成后，数据集中的每条样本均为一个字典，包含`subject`、`predicate`与`object`三个键，分别对应前文描述的特征。 ### 示例 以下为本数据集中的一条三元组示例： - 主题：`"<http://d3fend.mitre.org/ontologies/d3fend.owl#T1550.002>"` - 谓词：`"<http://d3fend.mitre.org/ontologies/d3fend.owl#may-be-associated-with>"` - 客体：`"<http://d3fend.mitre.org/ontologies/d3fend.owl#T1218.014>"` 该三元组表示：标识为`T1550.002`的MITRE ATT&CK技术可与标识为`T1218.014`的MITRE ATT&CK技术相关联。 ### 致谢 本本体由MITRE公司开发，并采用MIT许可证进行授权。在此感谢原作者的工作，其成果为网络安全建模领域开辟了全新的视角。 若您是网络安全领域专家，欢迎参与[D3FEND项目贡献](https://d3fend.mitre.org/contribute/)。 [D3FEND官方资源](https://d3fend.mitre.org/resources/) ### 引用 bibtex @techreport{kaloroumakis2021d3fend, title={Toward a Knowledge Graph of Cybersecurity Countermeasures}, author={Kaloroumakis, Peter E. and Smith, Michael J.}, institution={The MITRE Corporation}, year={2021}, url={https://d3fend.mitre.org/resources/D3FEND.pdf} }