Inference rules.

The advent of artificial intelligence (AI) models presents significant opportunities alongside inherent security risks, such as the exploitation by adversaries generating malicious data to compromise other AI-enabled systems. Despite the urgent need to address such threats, AI-based threat modelling remains largely underexplored in research, primarily constrained by three key challenges: (i) the lack of formal representation of security and AI-based data, (ii) the absence of inference rules for automated threat identification, and (iii) inconsistent risk and vulnerability assessment. As a result, these limitations, coupled with stakeholders’ insufficient security knowledge and AI expertise, lead to erroneous threat modelling of AI-enabled systems. This research aims to develop and implement OntoSecAI, an ontology-based approach to automate threat modelling and assessment for AI-enabled systems. In particular, we design 03 ontologies and 30 inference rules, followed by risk and CVSS-based vulnerability assessments to perform automated threat modelling and assessment comprehensively. In addition, the approach is validated through 10 case studies and verified using mathematical theorems to confirm its correctness and completeness. The research findings demonstrate that the developed ontologies effectively facilitate unified representation and comprehensive coverage of security and AI systems’ data. Furthermore, the inference rules implemented effectively map system assets to potential security threats. Crucially, the utilization of ontologies provides consistent risk and vulnerability assessments across AI-enabled systems. Consequently, a comprehensive security knowledge base is offered to stakeholders, regardless of their varying security and AI expertise, ensuring uniform threat modelling across diverse AI systems and adaptability to emerging security threats.