Building an Ontology for Planning Attacks That Minimize Collateral Damage: Literature Survey.

Authors :
Grant, Tim
Source :
Proceedings of the International Conference on Cyber Warfare & Security; 2019, p78-86, 9p
Publication Year :
2019

Abstract

A hot topic in cyber warfare research is automating cyber operations for speed and agility, typically using Artificial Intelligence (AI) techniques. AI has been used to generate cyber attack plans since 2005, albeit for defensive purposes. This paper reports on work in progress aimed at developing a set of AI planning operators for generating attack plans for offensive cyber operations (OCO). The ultimate research goal is to develop an operator-set for the complete attack process, including foot-printing, reconnaissance, planning, target access, penetration, payload delivery, and after action review, that complies with the legal requirement to minimize collateral damage. The development of planning operators is greatly aided by first creating a formal ontology of the objects and relationships in the planning domain. There is a substantial literature on cyber attack ontologies. This literature was surveyed, showing that most ontologies are intended to help defenders classify incoming attacks. Consequently, they cover only the penetration and payload delivery phases of an attack, with the vulnerabilities exploited, attack goals, and effects being only represented in abstract terms. Only one ontology was found which modelled an attacker planning an attack. While classes representing ethical, legal, military, and physical constraints were included in the ontology, collateral effects were not represented. Accordingly, two supplementary literature surveys were done, one on ontologies for intelligence, surveillance, target acquisition, and reconnaissance (ISTAR), and the other on means for controlling collateral damage in OCO. The purpose of this paper is to summarize the results of surveying the literature on cyber attack ontologies, on ontologies for ISTAR, and on means for controlling collateral damage in OCO. The three literature surveys are described. 
The results show that there is a need to construct an ontology for cyber ISTAR and to detail payload delivery and execution in existing cyber attack ontologies. The requirements for such an ontology are outlined. [ABSTRACT FROM AUTHOR]

Details

Language :
English
ISSN :
20489870
Database :
Complementary Index
Journal :
Proceedings of the International Conference on Cyber Warfare & Security
Publication Type :
Conference
Accession number :
135497793