Ontology


Ontology

Andrew Buttner
Administrator
One of the biggest issues currently in CPE focuses around matching.  The current URI naming format implies a hierarchy, and this hierarchy is what matching is based off of.  This has led us to problems when vendors change names, or products are combined with other products, or versions don't follow the norm.

The idea of an ontology has been suggested before, and I have finally had some time to research what is meant by "ontology" and how CPE may be able to leverage it.  I still have a long way to go.

This is what I think I have figured out so far ...

- Each CPE Name could be a class in an ontology about platform types.
- Relationships can be defined like:
        - hasEdition
        - hasVersion
        - isSuccessorOf
        - isSameAs
- We could construct a directed acyclic graph using the CPE Names and the relationships (an ontology)
- Consumers could use this ontology to perform matching, as opposed to using the URI.

Granted this approach would necessitate the reliance on another file that represented the ontology.  No longer could a tool perform matching based solely on two different CPE Names.  Of course this approach would enable matching to be more powerful and more complete.

I know there are individuals in our community with experience / knowledge regarding ontologies.  Am I on the right track?  Is this how we might structure a CPE ontology?  Could we use an ontology in this way?  Is there a better way to utilize an ontology?

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Re: Ontology

Tim Keanini
I can't believe this topic has finally made it to the list.
I'm too excited to respond so give me a few hours to calm down and I'll
say something useful.
The right or wrong has everything to do with what is useful to infer.
Let me see if I can explain it in simple terms later today.
--tk

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 12:52 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Ontology

One of the biggest issues currently in CPE focuses around matching.  The
current uri naming format implies a hierarchy, and this hierarchy is
what matching is based off of.  This has led us to problems when vendors
change names, or products are combined with other products, or versions
don't follow the norm.

The idea of an ontology has been suggested before, and I have finally
had some time to research what is meant by "ontology" and how CPE may be
able to leverage it.  I still have a long way to go.

This is what I think I have figured out so far ...

- Each CPE Name could be a class in an ontology about platform types.
- Relationships can be defined like:
        - hasEdition
        - hasVersion
        - isSuccessorOf
        - isSameAs
- We could construct a directed acyclic graph using the CPE Names and
the relationships (an ontology)
- Consumers could use this ontology to perform matching, as opposed to
using the URI.

Granted this approach would necessitate the reliance on another file
that represented the ontology.  No longer could a tool perform matching
based solely on two different CPE Names.  Of course this approach would
enable matching to be more powerful and more complete.

I know there are individuals in our community with experience /
knowledge regarding ontologies.  Am I on the right track?  Is this how
we might structure a CPE ontology?  Could we use an ontology in this
way?  Is there a better way to utilize an ontology?

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Re: Ontology

Mark Seward
The problem that we see is that the same product is represented by two  
(or more) different names. One case in point is IIS which matches 4  
CVE records and internet_information_server which matches 134 CVEs. We  
want customers to adopt CPE as part of our product but without the  
data normalization these searches are all suspect.

Mark Seward
Qualys

Sent from my iPhone

On Feb 18, 2009, at 1:01 PM, Tim Keanini <[hidden email]> wrote:

> I can't believe this topic has finally made it to the list.
> I'm too excited to respond so give me a few hours to calm down and  
> I'll
> say something useful.
> The right or wrong has everything to do with what is useful to infer.
> Let me see if I can explain it in simple terms later today.
> --tk

Re: Ontology

Andrew Buttner
Administrator
I agree that this is a MAJOR problem.  Looking at the dictionary we see names:

cpe:/a:microsoft:iis:4.0
cpe:/a:microsoft:internet_information_server:4.0

This is unfortunate and something we hope to fix going forward.  This is a problem that we are starting to address and I hope that we can show some progress soon.  I wish I had more to say on this topic right now, but all I can say is that we will keep everyone informed as progress is made.

Thanks
Drew

>-----Original Message-----
>From: Mark Seward [mailto:[hidden email]]
>Sent: Wednesday, February 18, 2009 2:50 PM
>To: cpe-discussion-list CPE Community Forum
>Subject: Re: [CPE-DISCUSSION-LIST] Ontology
>
>The problem that we see is that the same product is represented by two
>(or more) different names. One case in point is IIS which matches 4
>CVE records and internet_information_server which matches 134 CVEs. We
>want customers to adopt CPE as part of our product but without the
>data normalization these searches are all suspect.
>
>Mark Seward
>Qualys
>
>Sent from my iPhone
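Added example, not part of the original thread or of any CPE specification: a minimal Python sketch of the matching idea discussed above, comparing URI-only prefix matching with matching that consults a separate relationship graph (isSameAs, isSuccessorOf). The `Ontology` class, the simplified prefix rule, the `oldvendor`/`newvendor` names and the 5.0 dictionary entry are assumptions constructed for illustration; only the two 4.0 names come from the thread.

```python
from collections import defaultdict

def parse(uri):
    """Split a CPE 2.2 URI into lowercase components: ('a', 'microsoft', 'iis', '4.0')."""
    if not uri.lower().startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    return tuple(uri[5:].lower().rstrip(":").split(":"))

def prefix_match(query, candidate):
    """URI-only matching (simplified): each query component is empty or equal."""
    q, c = parse(query), parse(candidate)
    return len(q) <= len(c) and all(a in ("", b) for a, b in zip(q, c))

def uri_only(query, dictionary):
    return sorted(c for c in dictionary if prefix_match(query, c))

class Ontology:
    """Hypothetical relationship file: isSameAs classes plus an isSuccessorOf DAG."""

    def __init__(self):
        self.parent = {}                # union-find forest for isSameAs
        self.preds = defaultdict(set)   # newer name -> names it directly succeeds

    def find(self, parts):
        self.parent.setdefault(parts, parts)
        while self.parent[parts] != parts:
            self.parent[parts] = self.parent[self.parent[parts]]  # path halving
            parts = self.parent[parts]
        return parts

    def is_same_as(self, a, b):
        self.parent[self.find(parse(a))] = self.find(parse(b))

    def aliases(self, parts):
        if parts not in self.parent:
            return {parts}
        root = self.find(parts)
        return {p for p in list(self.parent) if self.find(p) == root}

    def predecessors(self, parts):
        seen, stack = set(), [parts]
        while stack:
            for p in self.preds.get(stack.pop(), ()):
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        return seen

    def is_successor_of(self, newer, older):
        n, o = parse(newer), parse(older)
        # Keep the graph acyclic: refuse an edge whose target already descends from n.
        if n == o or n in self.predecessors(o):
            raise ValueError("isSuccessorOf edge would create a cycle")
        self.preds[n].add(o)

    def expand(self, query, include_predecessors=False):
        """Rewrite every prefix of the query through its aliases (and, optionally,
        predecessors), so a product-level alias also covers versioned names."""
        parts, out = parse(query), set()
        for k in range(1, len(parts) + 1):
            heads = set(self.aliases(parts[:k]))
            if include_predecessors:
                for h in list(heads):
                    heads |= self.predecessors(h)
            out |= {h + parts[k:] for h in heads}
        return {"cpe:/" + ":".join(p) for p in out}

    def match(self, query, dictionary, include_predecessors=False):
        names = self.expand(query, include_predecessors)
        return sorted(c for c in dictionary if any(prefix_match(n, c) for n in names))

# Constructed dictionary: the two 4.0 names are quoted in the thread, the rest are made up.
DICTIONARY = [
    "cpe:/a:microsoft:iis:4.0",
    "cpe:/a:microsoft:internet_information_server:4.0",
    "cpe:/a:microsoft:internet_information_server:5.0",
    "cpe:/a:oldvendor:widget:1.0",
    "cpe:/a:newvendor:widget:2.0",
]

ONTO = Ontology()
ONTO.is_same_as("cpe:/a:microsoft:iis", "cpe:/a:microsoft:internet_information_server")
ONTO.is_successor_of("cpe:/a:newvendor:widget", "cpe:/a:oldvendor:widget")

if __name__ == "__main__":
    print(uri_only("cpe:/a:microsoft:iis", DICTIONARY))
    print(ONTO.match("cpe:/a:microsoft:iis", DICTIONARY))
    print(ONTO.match("cpe:/a:newvendor:widget", DICTIONARY, include_predecessors=True))
```

Following isSuccessorOf is left as an opt-in flag because a record written against a predecessor does not necessarily apply to its successor; isSameAs is always followed.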

Re: Ontology

Ernest Park-2
In reply to this post by Mark Seward
While clearly an older example, CVE has an older and active implementation of CPE 1. 

Take a look at Oracle. I found over 20 distinct vendor:product names to identify the same thing. 

CPE needs to avoid string as the data resolution medium and move to hierarchical format. 

We can add vendor tables for specific value-add attributes, and build the basic naming table for those must have and nice to have values. 

A "URI string" result is just the product of a good query, but still allows the use and consideration of a lot of complex data. A DB structure for the data would allow the integration of vendor specific information only requiring appropriate joins. The extended data can be hosted by each vendor, further extending the usefulness of the data. My concern is reinforced by the very high level of unintentional duplication within the CVE implementation for simple information. Trying to make data strings into a database is a flawed concept.

The other half of CPE is a constrained data entry system. 
  • Vendors need to be selected from preexisting vendors. If they do not exist, the vendor is submitted separately. 
  • Product names are selected from those available for the vendor. If a new name is to be used, perhaps we can use Google API to normalize the most prevalent string reference for that product.

We are trying to represent complex 3 dimensional data in 1 dimension as the sole data repository. I currently store almost a million release records for FOSS, and I can extract CPE content as a query while still maintaining a high level of complex extended metadata that cannot be represented in a human readable GUID.



Therefore - 

Creating names needs to be constrained so that a pending name cannot be created "free form". A series of validation and queries against existing vendors and then products, and an objective comparison for the file/product in question against known aliases for that product will arrive at a likely common name.

The data needs to be stored in a multi-dimensional format.

The URI type string can be an approved result set that can be validated against a service, or using a query against the dataset.




Re: Ontology

Ernest Park-2
In reply to this post by Andrew Buttner
In the example above, they are both alias names, and I was going to use the Google API to classify which is the most common, so that I could display the most common name.


On Wed, Feb 18, 2009 at 3:03 PM, Buttner, Drew <[hidden email]> wrote:
I agree that this is a MAJOR problem.  Looking at the dictionary we see names:

cpe:/a:microsoft:iis:4.0
cpe:/a:microsoft:internet_information_server:4.0

This is unfortunate and something we hope to fix going forward.  This is a problem that we are starting to address and I hope that we can show some progress soon.  I wish I had more to say on this topic right now, but all I can say is that we will keep everyone informed as progress is made.

Thanks
Drew


Re: Ontology

unifiedcompliance
The UCF team have been working with taxonomic ontologies for a number of years now.
 
The problems we see are twofold.
 
1) taxonomic ontologies that are based on name spaces, other than those strictly controlled by such groups as the Oxford English Dictionary team, never work as the names are too in flux. The answer is to create a persistent and unique ID system to assign to each name so that each name's ID, once assigned, is never changed nor deleted (only deprecated if no longer in use). By doing that, you can edit the names and provide an audit log (which becomes a roll back log if necessary) for any naming edits the ID might encounter.
 
2) Once a unique and persistent ID system is in place, that ID system can be used to track taxonomic genealogy as you've been discussing.
 
3) The UCF team, gratis, can set this up and create a methodology that the group can have. We have the technology, and methodology, down pat.
 
Let me know if you want me to elucidate or provide samples...
 

Dorian J. Cougias 
Founder and Lead Analyst
Unified Compliance Framework

Remember this: The Main Thing is to keep The Main Thing the Main Thing

 


From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 12:09 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

In the example above, they are both alias names, and I was going to use the Google API to classify which is the most common, so that I could display the most common name.


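Added example, not part of the original thread and not UCF's implementation: a small Python sketch of the persistent-ID scheme described in the message above, where an ID is never changed or deleted (only deprecated), names can be edited, and every edit lands in an append-only audit log that also drives rollback. The `NameRegistry` class, the integer ID format, the rule that a name ever used by one ID cannot be claimed by another, and the `record-1`/`record-2` labels are assumptions made for illustration.

```python
class NameRegistry:
    """Hypothetical registry: stable IDs, editable names, append-only audit log."""

    def __init__(self):
        self.current = {}        # persistent ID -> current name
        self.deprecated = set()  # IDs no longer in use (kept, never removed)
        self.owner = {}          # every name ever used -> the ID that owns it
        self.audit = []          # append-only tuples: (id, action, old, new)

    def claim(self, name, ident):
        # Assumption: a name that was ever attached to one ID cannot move to another,
        # so old names keep resolving unambiguously.
        if self.owner.get(name, ident) != ident:
            raise ValueError(f"{name!r} already belongs to ID {self.owner[name]}")
        self.owner[name] = ident

    def assign(self, name):
        ident = len(self.current) + 1   # nothing is ever deleted, so no ID is reused
        self.claim(name, ident)
        self.current[ident] = name
        self.audit.append((ident, "assign", None, name))
        return ident

    def rename(self, ident, new_name):
        old = self.current[ident]
        self.claim(new_name, ident)
        self.current[ident] = new_name
        self.audit.append((ident, "rename", old, new_name))

    def rollback(self, ident):
        """Undo the most recent rename that produced the current name."""
        now = self.current[ident]
        for i, action, old, new in reversed(self.audit):
            if i == ident and action == "rename" and new == now:
                self.current[ident] = old
                self.audit.append((ident, "rollback", now, old))  # rollbacks are logged too
                return old
        raise LookupError(f"ID {ident} has no rename to roll back")

    def deprecate(self, ident):
        if ident not in self.current:
            raise KeyError(ident)
        self.deprecated.add(ident)
        self.audit.append((ident, "deprecate", self.current[ident], None))

    def resolve(self, name):
        """Current or historical name -> persistent ID (None if never registered)."""
        return self.owner.get(name)


def group_by_id(registry, records):
    """Group (label, name) records under the persistent ID their name resolves to."""
    grouped = {}
    for label, name in records:
        grouped.setdefault(registry.resolve(name), []).append(label)
    return grouped


def build_demo():
    reg = NameRegistry()
    iis = reg.assign("cpe:/a:microsoft:iis")
    reg.rename(iis, "cpe:/a:microsoft:internet_information_server")
    return reg, iis


# Constructed records: labels are placeholders, names are the two spellings from the thread.
RECORDS = [
    ("record-1", "cpe:/a:microsoft:iis"),
    ("record-2", "cpe:/a:microsoft:internet_information_server"),
]

if __name__ == "__main__":
    reg, iis = build_demo()
    print(group_by_id(reg, RECORDS))   # both spellings land under one ID
    print(reg.audit)
```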


Re: Ontology

Waltermire, David A.

Dorian,

 

Could you please provide examples?

 

Dave

 


From: Dorian Cougias [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 3:26 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

 

The UCF team have been working with taxonomic ontologies for a number of years now.

 

The problems we see are twofold.

 

1) taxonomic ontologies that are based on name spaces, other than those strictly controlled by such groups as the Oxford English Dictionary team, never work as the names are too in flux. The answer is to create a persistent and unique ID system to assign to each name so that each name's ID, once assigned, is never changed nor deleted (only deprecated if no longer in use). By doing that, you can edit the names and provide an audit log (which becomes a roll back log if necessary) for any naming edits the ID might encounter.

 

2) Once a unique and persistent ID system is in place, that ID system can be used to track taxonomic genealogy as you've been discussing.

 

3) The UCF team, gratis, can set this up and create a methodology that the group can have. We have the technology, and methodology, down pat.

 

Let me know if you want me to elucidate or provide samples...

 

Dorian J. Cougias 
Founder and Lead Analyst
Unified Compliance Framework

Remember this: The Main Thing is to keep The Main Thing the Main Thing

 

 



Re: Ontology

unifiedcompliance
Included is a quick spreadsheet showing the basics
 

Dorian J. Cougias 
Founder and Lead Analyst
Unified Compliance Framework

Remember this: The Main Thing is to keep The Main Thing the Main Thing

 


From: David Waltermire [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 1:28 PM
To: [hidden email]
Cc: [hidden email]
Subject: RE: [CPE-DISCUSSION-LIST] Ontology

Dorian,

 

Could you please provide examples?

 

Dave

 


From: Dorian Cougias [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 3:26 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

 

The UCF team have been working with taxonomic ontologies for a number of years now.

 

The problems we see are twofold.

 

1) taxonomic ontologies that are based on name spaces, other than those strictly controlled by such groups as the Oxford English Dictionary team, never work as the names are too in flux. The answer is to create a persistent and unique ID system to assign to each name so that each name's ID, once assigned, is never changed nor deleted (only deprecated if no longer in use). By doing that, you can edit the names and provide an audit log (which becomes a roll back log if necessary) for any naming edits the ID might encounter.

 

2) Once a unique and persistent ID system is in place, that ID system can be used to track taxonomic genealogy as you've been discussing.

 

3) The UCF team, gratis, can set this up and create a methodology that the group can have. We have the technology, and methodology, down pat.

 

Let me know if you want me to elucidate or provide samples...

 

Dorian J. Cougias 
Founder and Lead Analyst
Unified Compliance Framework

Remember this: The Main Thing is to keep The Main Thing the Main Thing

 

 


From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 12:09 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

In th example above, they are both alias names, and I was going to use the google API to classify which is the most common, so that I could display the most common name.

 

On Wed, Feb 18, 2009 at 3:03 PM, Buttner, Drew <[hidden email]> wrote:

I agree that this is a MAJOR problem.  Looking at the dictionary we see names:

cpe:/a:microsoft:iis:4.0
cpe:/a:microsoft:internet_information_server:4.0

This is unfortunate and something we hope to fix going forward.  This is a problem that we are starting to address and I hope that we can show some progress soon.  I wish I had more to say on this topic right now, but all I can say is that we will keep everyone informed as progress is made.

Thanks
Drew


>-----Original Message-----
>From: Mark Seward [mailto:[hidden email]]
>Sent: Wednesday, February 18, 2009 2:50 PM
>To: cpe-discussion-list CPE Community Forum
>Subject: Re: [CPE-DISCUSSION-LIST] Ontology
>
>The problem that we see is that the same product is represented by two
>(or more) different names. One case in point is IIS which matches 4
>CVE records and internet_information_server which matches 134 CVEs. We
>want customers to adopt CPE as part of our product but without the
>data normalization these searches are all suspect.
>
>Mark Seward
>Qualys
>
>Sent from my iPhone
>
>On Feb 18, 2009, at 1:01 PM, Tim Keanini <[hidden email]> wrote:
>
>> I can't believe this topic has finally made it to the list.
>> I'm too excited to respond so give me a few hours to calm down and
>> I'll
>> say something useful.
>> The right or wrong has everything to do with what is useful to infer.
>> Let me see if I can explain it in simple terms later today.
>> --tk
>>
>> -----Original Message-----
>> From: Buttner, Drew [mailto:[hidden email]]
>> Sent: Wednesday, February 18, 2009 12:52 PM
>> To: [hidden email]
>> Subject: [CPE-DISCUSSION-LIST] Ontology
>>
>> One of the biggest issues currently in CPE focuses around matching.
>> The
>> current uri naming format implies a hierarchy, and this hierarchy is
>> what matching is based off of.  This had led us to problems when
>> vendors
>> change names, or products are combined with other products, or
>> versions
>> don't follow the norm.
>>
>> The idea of an ontology has been suggested before, and I have finally
>> had some time to research what is meant by "ontology" and how CPE
>> may be
>> able to leverage it.  I still have a long way to go.
>>
>> This is what I think I have figured out so far ...
>>
>> - Each CPE Name could be a class in an ontology about platform types.
>> - Relationships can be defined like:
>>    - hasEdition
>>    - hasVersion
>>    - isSuccessorOf
>>    - isSameAs
>> - We could construct a directed acyclic graph using the CPE Names and
>> the relationships (an ontology)
>> - Consumers could use this ontology to perform matching, as opposed to
>> using the URI.
>>
>> Granted this approach would necessitate the reliance on another file
>> that represented the ontology.  No longer could a tool perform
>> matching
>> based solely on two different CPE Names.  Of course this approach
>> would
>> enable matching to be more powerful and more complete.
>>
>> I know there are individuals in our community with experience /
>> knowledge regarding ontologies?  Am I on the right track?  Is this how
>> we might structure a CPE ontology?  Could we use an ontology in this
>> way?  Is there a better way to utilize an ontology?
>>
>> Thanks
>> Drew
>>
>>
>> ---------
>>
>> Andrew Buttner
>> The MITRE Corporation
>> [hidden email]
>> 781-271-3515

 


simple taxonomy.xls (21K) Download Attachment

Re: Ontology

unifiedcompliance
BTW, all of the XML for this is posted at the URL below.
 
If you would like us to turn this over to you to manage (the language for describing ontologies that is), we're more than happy to do so.
 
Or, we can maintain it for you gratis.
 

Dorian J. Cougias 
Founder and Lead Analyst
Unified Compliance Framework

Remember this: The Main Thing is to keep The Main Thing the Main Thing

 


From: Dorian Cougias [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 2:21 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

Included is a quick spreadsheet showing the basics
 

Dorian J. Cougias 
Founder and Lead Analyst
Unified Compliance Framework

Remember this: The Main Thing is to keep The Main Thing the Main Thing

 


From: David Waltermire [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 1:28 PM
To: [hidden email]
Cc: [hidden email]
Subject: RE: [CPE-DISCUSSION-LIST] Ontology

Dorian,

 

Could you please provide examples?

 

Dave

 


From: Dorian Cougias [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 3:26 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

 

The UCF team have been working with taxonomic ontologies for a number of years now.

 

The problems we see are twofold.

 

1) taxonomic ontologies that are based on name spaces, other than those strictly controlled by such groups as the Oxford English Dictionary team, never work as the names are too in flux. The answer is to create a persistent and unique ID system to assign to each name so that each name's ID, once assigned, is never changed nor deleted (only deprecated if no longer in use). By doing that, you can edit the names and provide an audit log (which becomes a roll back log if necessary) for any naming edits the ID might encounter.

 

2) Once a unique and persistent ID system is in place, that ID system can be used to track taxonomic genealogy as you've been discussing.

 

3) The UCF team, gratis, can set this up and create a methodology that the group can have. We have the technology, and methodology, down pat.

 

Let me know if you want me to elucidate or provide samples...

 

Dorian J. Cougias 
Founder and Lead Analyst
Unified Compliance Framework

Remember this: The Main Thing is to keep The Main Thing the Main Thing

 

 


From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 12:09 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

In the example above, they are both alias names, and I was going to use the Google API to classify which is the most common, so that I could display the most common name.

 

On Wed, Feb 18, 2009 at 3:03 PM, Buttner, Drew <[hidden email]> wrote:

I agree that this is a MAJOR problem.  Looking at the dictionary we see names:

cpe:/a:microsoft:iis:4.0
cpe:/a:microsoft:internet_information_server:4.0

This is unfortunate and something we hope to fix going forward.  This is a problem that we are starting to address and I hope that we can show some progress soon.  I wish I had more to say on this topic right now, but all I can say is that we will keep everyone informed as progress is made.

Thanks
Drew


>-----Original Message-----
>From: Mark Seward [mailto:[hidden email]]
>Sent: Wednesday, February 18, 2009 2:50 PM
>To: cpe-discussion-list CPE Community Forum
>Subject: Re: [CPE-DISCUSSION-LIST] Ontology
>
>The problem that we see is that the same product is represented by two
>(or more) different names. One case in point is IIS which matches 4
>CVE records and internet_information_server which matches 134 CVEs. We
>want customers to adopt CPE as part of our product but without the
>data normalization these searches are all suspect.
>
>Mark Seward
>Qualys
>
>Sent from my iPhone
>
>On Feb 18, 2009, at 1:01 PM, Tim Keanini <[hidden email]> wrote:
>
>> I can't believe this topic has finally made it to the list.
>> I'm too excited to respond so give me a few hours to calm down and
>> I'll
>> say something useful.
>> The right or wrong has everything to do with what is useful to infer.
>> Let me see if I can explain it in simple terms later today.
>> --tk
>>
>> -----Original Message-----
>> From: Buttner, Drew [mailto:[hidden email]]
>> Sent: Wednesday, February 18, 2009 12:52 PM
>> To: [hidden email]
>> Subject: [CPE-DISCUSSION-LIST] Ontology
>>
>> One of the biggest issues currently in CPE focuses around matching.
>> The
>> current uri naming format implies a hierarchy, and this hierarchy is
>> what matching is based off of.  This had led us to problems when
>> vendors
>> change names, or products are combined with other products, or
>> versions
>> don't follow the norm.
>>
>> The idea of an ontology has been suggested before, and I have finally
>> had some time to research what is meant by "ontology" and how CPE
>> may be
>> able to leverage it.  I still have a long way to go.
>>
>> This is what I think I have figured out so far ...
>>
>> - Each CPE Name could be a class in an ontology about platform types.
>> - Relationships can be defined like:
>>    - hasEdition
>>    - hasVersion
>>    - isSuccessorOf
>>    - isSameAs
>> - We could construct a directed acyclic graph using the CPE Names and
>> the relationships (an ontology)
>> - Consumers could use this ontology to perform matching, as opposed to
>> using the URI.
>>
>> Granted this approach would necessitate the reliance on another file
>> that represented the ontology.  No longer could a tool perform
>> matching
>> based solely on two different CPE Names.  Of course this approach
>> would
>> enable matching to be more powerful and more complete.
>>
>> I know there are individuals in our community with experience /
>> knowledge regarding ontologies?  Am I on the right track?  Is this how
>> we might structure a CPE ontology?  Could we use an ontology in this
>> way?  Is there a better way to utilize an ontology?
>>
>> Thanks
>> Drew
>>
>>
>> ---------
>>
>> Andrew Buttner
>> The MITRE Corporation
>> [hidden email]
>> 781-271-3515

 


Re: Ontology

Tim Keanini
In reply to this post by Andrew Buttner
Hello Drew,
Your original post, if I understand it correctly, explores the theory
that a matching strategy that is based on a more graph oriented model
might help overcome some of the problems CPE is experiencing with its
hierarchical form.   Whether this holds or not, I would like to begin
with a clear definition of an ontological knowledge representation
because there seems to be some confusion between taxonomy and ontology
as the terms are used in a knowledge representational context.

Some of you are tired of hearing me say this but the world we are trying
to model is NOT a simple (or stable) hierarchy but a graph whereby an
openworld assumption must be made.
(http://en.wikipedia.org/wiki/Open_World_Assumption )
We can either choose to fight it or embrace it.  First a quick
definition of what is meant by taxonomic formalisms versus ontological
formalism again as it applies to the domain of knowledge representation.

If we were to take a triple in the form of "Subject Predicate Object" ,
a taxonomical formalism would not offer the facility to specify a
variety of predicates other than a subordinate therefore the inferences
one can draw are limited to one element orienting itself as a super/sub
relationship with another.  An ontological formalism like RDFS or OWL
allows the modeler to create relationships (predicates) that adequately
represent what is being modeled - especially when one requires more than
a super/sub relationship.  

I personally don't believe that anything needs to be invented here
because the W3C standards, namely RDF/RDFS/OWL provide more than enough
of a facility to tackle this modeling problem as well as delivering the
promise of interoperability.  

For example, one problem being stated on this discussion thread can be
described as a "syntactical difference with semantic equivalence".  
Using OWL as the ontological form, we can state in the model that:
cpe:/a:microsoft:iis:4.0   owl:SameAs
cpe:/a:microsoft:internet_information_server:4.0
such that all statements about one instance hold for the other.
 
Given then the triple of:
cpe:/a:microsoft:iis:4.0   hasCVE:  cve:2002-0079:
we can then infer that
cpe:/a:microsoft:internet_information_server:4.0 hasCVE: cve:2002-0079:
without it being asserted.  (note that owl:SameAs is symmetrical so that
A owl:SameAs B can infer B owl:SameAs A)

Drew asks: Am I on the right track?  
IMHO: if you are looking to solve the matching problems, there might be
many other appropriate strategies.  If you are looking to solve the
matching problem for CPE and even a federated matching problem across
all of SCAP, I can point you to these ontological standards that will do
the trick.

Drew asks: Is this how we might structure a CPE ontology?  
The answer here lies in the questions that will be asked of the model
and the inferences that are most useful to the community.  
Already we can see that the community is looking for a way to state
semantic equivalence and I've shown an example of that.
This is fun stuff and if you want to put in the time, let's do it.

Drew asks: Could we use an ontology in this way?  
In short, just modeling CPE in OWL is necessary but not sufficient to
meet your goals. The power of an ontological model is the ability for
you to infer triples (subject predicate objects) as opposed to having to
assert them all. This is the force multiplier.  To do so, one needs to
use a RDF-store, Inference Engine, and the SPARQL query language.  It
sounds complicated but it is surprisingly simple.

Drew asks: Is there a better way to utilize an ontology?
If this group has a bias toward open standards and interoperability, I
see no better way to faithfully model a complex graph with anything
other than RDF/RDFS/OWL.

--tk

Timothy D. Keanini Sr., CTO    nCircle Network Security
Office: +1 (415) 625-5939
www.ncircle.com
blog.ncircle.com

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 12:52 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Ontology

One of the biggest issues currently in CPE focuses around matching.  The
current uri naming format implies a hierarchy, and this hierarchy is
what matching is based off of.  This had led us to problems when vendors
change names, or products are combined with other products, or versions
don't follow the norm.

The idea of an ontology has been suggested before, and I have finally
had some time to research what is meant by "ontology" and how CPE may be
able to leverage it.  I still have a long way to go.

This is what I think I have figured out so far ...

- Each CPE Name could be a class in an ontology about platform types.
- Relationships can be defined like:
        - hasEdition
        - hasVersion
        - isSuccessorOf
        - isSameAs
- We could construct a directed acyclic graph using the CPE Names and
the relationships (an ontology)
- Consumers could use this ontology to perform matching, as opposed to
using the URI.

Granted this approach would necessitate the reliance on another file
that represented the ontology.  No longer could a tool perform matching
based solely on two different CPE Names.  Of course this approach would
enable matching to be more powerful and more complete.

I know there are individuals in our community with experience /
knowledge regarding ontologies?  Am I on the right track?  Is this how
we might structure a CPE ontology?  Could we use an ontology in this
way?  Is there a better way to utilize an ontology?

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515
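
The sameAs inference described in the post above, worked through as an added example (not code from the thread or from the CPE project). It is a plain-Python stand-in for the RDF store and inference engine the post mentions; the `hasCVE` predicate spelling, the constructed alias name and the constructed CVE identifier are assumptions, and the OWL property is written `owl:sameAs` as in the W3C vocabulary.

```python
"""Added example: owl:sameAs inference over CPE names in a small in-memory triple set."""
from itertools import product

SAME_AS = "owl:sameAs"   # W3C spelling; the post writes it as owl:SameAs
HAS_CVE = "hasCVE"       # predicate name taken from the post, not a published vocabulary

IIS = "cpe:/a:microsoft:iis:4.0"
IIS_LONG = "cpe:/a:microsoft:internet_information_server:4.0"
ALIAS = "cpe:/a:example:constructed_alias:4.0"   # constructed, to show transitivity

# Asserted triples (subject, predicate, object). Only cve:2002-0079 comes from
# the thread; the CONSTRUCTED identifier is a placeholder.
ASSERTED = {
    (IIS, SAME_AS, IIS_LONG),
    (ALIAS, SAME_AS, IIS_LONG),
    (IIS, HAS_CVE, "cve:2002-0079"),
    (IIS_LONG, HAS_CVE, "cve:CONSTRUCTED-0001"),
}


class Aliases:
    """Union-find over names: sameAs is reflexive, symmetric and transitive."""

    def __init__(self, triples):
        self.parent = {}
        for s, p, o in triples:
            if p == SAME_AS:
                self.union(s, o)

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[max(ra, rb)] = min(ra, rb)  # deterministic representative

    def members(self, x):
        root = self.find(x)
        return {n for n in list(self.parent) if self.find(n) == root}


def infer(triples):
    """Return {inferred_triple: asserted_source_triple} for triples not asserted.

    Keeping the source triple lets an analyst audit why a CVE matched a name:
    a wrong sameAs assertion propagates every statement to the wrong product.
    """
    aliases = Aliases(triples)
    inferred = {}
    for s, p, o in sorted(triples):
        if p == SAME_AS:
            continue
        subjects = sorted(aliases.members(s))
        objects = sorted(aliases.members(o))
        for s2, o2 in product(subjects, objects):
            candidate = (s2, p, o2)
            if candidate not in triples:
                inferred.setdefault(candidate, (s, p, o))
    return inferred


def cves_for(name, triples, use_inference=True):
    """CVE identifiers attached to a CPE name, with or without sameAs inference."""
    facts = set(triples)
    if use_inference:
        facts |= set(infer(triples))
    return sorted(o for s, p, o in facts if s == name and p == HAS_CVE)


def same_as(a, b, triples):
    """True when a and b fall in the same sameAs equivalence class."""
    aliases = Aliases(triples)
    return aliases.find(a) == aliases.find(b)


if __name__ == "__main__":
    for name in (IIS, IIS_LONG, ALIAS):
        print(name)
        print("  asserted only :", cves_for(name, ASSERTED, use_inference=False))
        print("  with inference:", cves_for(name, ASSERTED))
    for triple, source in sorted(infer(ASSERTED).items()):
        print("inferred", triple, "from", source)
```
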

Re: Ontology

unifiedcompliance
Funny enough, we at the UCF use both an Open World Assumption methodology
when deciding the hierarchical structure of placement for new controls into
our database *and* we would definitely back the use of RDF/OWL for coding
this into the database schema.

OWL would absolutely answer one of the basic questions we've had when
mapping CCEs to CPEs -- namely, the use of predicates for inferring
relationships between sameas elements.

Well stated Timothy.


Dorian J. Cougias
Founder and Lead Analyst
Unified Compliance Framework

Remember this: The Main Thing is to keep The Main Thing the Main Thing


-----Original Message-----
From: Tim Keanini [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 11:26 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

Hello Drew,
Your original post, if I understand it correctly, explores the theory that a
matching strategy that is based on a more graph oriented model might help
overcome some of the problems CPE is experiencing with its
hierarchical form.   Whether this holds or not, I would like to begin
with a clear definition of an ontological knowledge representation because
there seems to be some confusion between taxonomy and ontology as the terms
are used in a knowledge representational context.

Some of you are tired of hearing me say this but the world we are trying to
model is NOT a simple (or stable) hierarchy but a graph whereby an openworld
assumption must be made.
(http://en.wikipedia.org/wiki/Open_World_Assumption ) We can either choose
to fight it or embrace it.  First a quick definition of what is meant by
taxonomic formalisms versus ontological formalism again as it applies to the
domain of knowledge representation.

If we were to take a triple in the form of "Subject Predicate Object" , a
taxonomical formalism would not offer the facility to specify a variety of
predicates other than a subordinate therefore the inferences one can draw
are limited to one element orienting itself as a super/sub relationship with
another.  An ontological formalism like RDFS or OWL allows the modeler to
create relationships (predicates) that adequately represent what is being
modeled - especially when one requires more than a super/sub relationship.  

I personally don't believe that anything needs to be invented here because
the W3C standards, namely RDF/RDFS/OWL provide more than enough of a
facility to tackle this modeling problem as well as delivering the promise
of interoperability.  

For example, one problem being stated on this discussion thread can be
described as a "syntactical difference with semantic equivalence".  
Using OWL as the ontological form, we can state in the model that:
cpe:/a:microsoft:iis:4.0   owl:SameAs
cpe:/a:microsoft:internet_information_server:4.0
such that all statements about one instance hold for the other.
 
Given then the triple of:
cpe:/a:microsoft:iis:4.0   hasCVE:  cve:2002-0079:
we can then infer that
cpe:/a:microsoft:internet_information_server:4.0 hasCVE: cve:2002-0079:
without it being asserted.  (note that owl:SameAs is symmetrical so that A
owl:SameAs B can infer B owl:SameAs A)

Drew asks: Am I on the right track?  
IMHO: if you are looking to solve the matching problems, there might be many
other appropriate strategies.  If you are looking to solve the matching
problem for CPE and even a federated matching problem across all of SCAP, I
can point you to these ontological standards that will do the trick.

Drew asks: Is this how we might structure a CPE ontology?  
The answer here lies in the questions that will be asked of the model and
the inferences that are most useful to the community.  
Already we can see that the community is looking for a way to state semantic
equivalence and I've shown an example of that.
This is fun stuff and if you want to put in the time, let's do it.

Drew asks: Could we use an ontology in this way?  
In short, just modeling CPE in OWL is necessary but not sufficient to meet
your goals. The power of an ontological model is the ability for you to
infer triples (subject predicate objects) as opposed to having to assert
them all. This is the force multiplier.  To do so, one needs to use a
RDF-store, Inference Engine, and the SPARQL query language.  It sounds
complicated but it is surprisingly simple.

Drew asks: Is there a better way to utilize an ontology?
If this group has a bias toward open standards and interoperability, I see
no better way to faithfully model a complex graph with anything other than
RDF/RDFS/OWL.

--tk

Timothy D. Keanini Sr., CTO    nCircle Network Security
Office: +1 (415) 625-5939
www.ncircle.com
blog.ncircle.com

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 12:52 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Ontology

One of the biggest issues currently in CPE focuses around matching.  The
current uri naming format implies a hierarchy, and this hierarchy is what
matching is based off of.  This had led us to problems when vendors change
names, or products are combined with other products, or versions don't
follow the norm.

The idea of an ontology has been suggested before, and I have finally had
some time to research what is meant by "ontology" and how CPE may be able to
leverage it.  I still have a long way to go.

This is what I think I have figured out so far ...

- Each CPE Name could be a class in an ontology about platform types.
- Relationships can be defined like:
        - hasEdition
        - hasVersion
        - isSuccessorOf
        - isSameAs
- We could construct a directed acyclic graph using the CPE Names and the
relationships (an ontology)
- Consumers could use this ontology to perform matching, as opposed to using
the URI.

Granted this approach would necessitate the reliance on another file that
represented the ontology.  No longer could a tool perform matching based
solely on two different CPE Names.  Of course this approach would enable
matching to be more powerful and more complete.

I know there are individuals in our community with experience / knowledge
regarding ontologies?  Am I on the right track?  Is this how we might
structure a CPE ontology?  Could we use an ontology in this way?  Is there a
better way to utilize an ontology?

Thanks
Drew


---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Re: Ontology

Raffael Marty-3
In reply to this post by Tim Keanini
Good morning

I apologize for jumping in here after not paying much attention to the  
progress of CPE lately.

Let me ask you this: Why do we need any ontologies and mappings? I  
thought the reason for CPE was to come up with standard names exactly  
to counter the problem of naming confusions. What has happened? It  
seems to me that we are back at square one.

Cheers

   Raffael

--
Raffael Marty                                               @zrlram
Chief Security Strategist                                 @ Splunk>
Security Visualization: http://secviz.org             raffy.ch/blog

On Feb 18, 2009, at 11:26 PM, Tim Keanini wrote:

> Hello Drew,
> Your original post, if I understand it correctly, explores the theory
> that a matching strategy that is based on a more graph oriented model
> might help overcome some of the problems CPE is experiencing with its
> hierarchical form.   Whether this holds or not, I would like to begin
> with a clear definition of an ontological knowledge representation
> because there seems to be some confusion between taxonomy and ontology
> as the terms are used in a knowledge representational context.
>
> Some of you are tired of hearing me say this but the world we are  
> trying
> to model is NOT a simple (or stable) hierarchy but a graph whereby an
> openworld assumption must be made.
> (http://en.wikipedia.org/wiki/Open_World_Assumption )
> We can either choose to fight it or embrace it.  First a quick
> definition of what is meant by taxonomic formalisms versus ontological
> formalism again as it applies to the domain of knowledge  
> representation.
>
> If we were to take a triple in the form of "Subject Predicate  
> Object" ,
> a taxonomical formalism would not offer the facility to specify a
> variety of predicates other than a subordinate therefore the  
> inferences
> one can draw are limited to one element orienting itself as a super/
> sub
> relationship with another.  An ontological formalism like RDFS or OWL
> allows the modeler to create relationships (predicates) that  
> adequately
> represent what is being modeled - especially when one requires more  
> than
> a super/sub relationship.
>
> I personally don't believe that anything needs to be invented here
> because the W3C standards, namely RDF/RDFS/OWL provide more than  
> enough
> of a facility to tackle this modeling problem as well as delivering  
> the
> promise of interoperability.
>
> For example, one problem being stated on this discussion thread can be
> described as a "syntactical difference with semantic equivalence".
> Using OWL as the ontological form, we can state in the model that:
> cpe:/a:microsoft:iis:4.0   owl:SameAs
> cpe:/a:microsoft:internet_information_server:4.0
> such that all statements about one instance hold for the other.
>
> Given then the triple of:
> cpe:/a:microsoft:iis:4.0   hasCVE:  cve:2002-0079:
> we can then infer that
> cpe:/a:microsoft:internet_information_server:4.0 hasCVE: cve:
> 2002-0079:
> without it being asserted.  (note that owl:SameAs is symmetrical so  
> that
> A owl:SameAs B can infer B owl:SameAs A)
>
> Drew asks: Am I on the right track?
> IMHO: if you are looking to solve the matching problems, there might  
> be
> many other appropriate strategies.  If you are looking to solve the
> matching problem for CPE and even a federated matching problem across
> all of SCAP, I can point you to these ontological standards that  
> will do
> the trick.
>
> Drew asks: Is this how we might structure a CPE ontology?
> The answer here lies in the questions that will be asked of the model
> and the inferences that are most useful to the community.
> Already we can see that the community is looking for a way to state
> semantic equivalence and I've shown an example of that.
> This is fun stuff and if you want to put in the time, let's do it.
>
> Drew asks: Could we use an ontology in this way?
> In short, just modeling CPE in OWL is necessary but not sufficient to
> meet your goals. The power of an ontological model is the ability for
> you to infer triples (subject predicate objects) as opposed to  
> having to
> assert them all. This is the force multiplier.  To do so, one needs to
> use a RDF-store, Inference Engine, and the SPARQL query language.  It
> sounds complicated but it is surprisingly simple.
>
> Drew asks: Is there a better way to utilize an ontology?
> If this group has a bias toward open standards and interoperability, I
> see no better way to faithfully model a complex graph with anything
> other than RDF/RDFS/OWL.
>
> --tk
>
> Timothy D. Keanini Sr., CTO    nCircle Network Security
> Office: +1 (415) 625-5939
> www.ncircle.com
> blog.ncircle.com
>
> -----Original Message-----
> From: Buttner, Drew [mailto:[hidden email]]
> Sent: Wednesday, February 18, 2009 12:52 PM
> To: [hidden email]
> Subject: [CPE-DISCUSSION-LIST] Ontology
>
> One of the biggest issues currently in CPE focuses around matching.  
> The
> current uri naming format implies a hierarchy, and this hierarchy is
> what matching is based off of.  This had led us to problems when  
> vendors
> change names, or products are combined with other products, or  
> versions
> don't follow the norm.
>
> The idea of an ontology has been suggested before, and I have finally
> had some time to research what is meant by "ontology" and how CPE  
> may be
> able to leverage it.  I still have a long way to go.
>
> This is what I think I have figured out so far ...
>
> - Each CPE Name could be a class in an ontology about platform types.
> - Relationships can be defined like:
> - hasEdition
> - hasVersion
> - isSuccessorOf
> - isSameAs
> - We could construct a directed acyclic graph using the CPE Names and
> the relationships (an ontology)
> - Consumers could use this ontology to perform matching, as opposed to
> using the URI.
>
> Granted this approach would necessitate the reliance on another file
> that represented the ontology.  No longer could a tool perform  
> matching
> based solely on two different CPE Names.  Of course this approach  
> would
> enable matching to be more powerful and more complete.
>
> I know there are individuals in our community with experience /
> knowledge regarding ontologies?  Am I on the right track?  Is this how
> we might structure a CPE ontology?  Could we use an ontology in this
> way?  Is there a better way to utilize an ontology?
>
> Thanks
> Drew
>
>
> ---------
>
> Andrew Buttner
> The MITRE Corporation
> [hidden email]
> 781-271-3515

Re: Ontology

Andrew Buttner
Administrator
The question I am looking to explore is if an ontology based around CPE Names could be used to solve many of the problems we currently face with matching. I have not been thinking that this is something that would replace CPE as it currently stands, etc.  Would an ontology be a good complement to today's CPE?  Not a replacement.

Thanks
Drew


>-----Original Message-----
>From: Raffael Marty [mailto:[hidden email]]
>Sent: Thursday, February 19, 2009 11:55 AM
>To: cpe-discussion-list CPE Community Forum
>Subject: Re: [CPE-DISCUSSION-LIST] Ontology
>
>Good morning
>
>I apologize for jumping in here after not paying much attention to the
>progress of CPE lately.
>
>Let me ask you this: Why do we need any ontologies and mappings? I
>thought the reason for CPE was to come up with standard names exactly
>to counter the problem of naming confusions. What has happened? It
>seems to me that we are back at square one.
>
>Cheers
>
>   Raffael
>
>--
>Raffael Marty                                               @zrlram
>Chief Security Strategist                                 @ Splunk>
>Security Visualization: http://secviz.org             raffy.ch/blog
>
>On Feb 18, 2009, at 11:26 PM, Tim Keanini wrote:
>
>> Hello Drew,
>> Your original post, if I understand it correctly, explores the theory
>> that a matching strategy that is based on a more graph oriented model
>> might help overcome some of the problems CPE is experiencing with its
>> hierarchical form.   Whether this holds or not, I would like to begin
>> with a clear definition of an ontological knowledge representation
>> because there seems to be some confusion between taxonomy and ontology
>> as the terms are used in a knowledge representational context.
>>
>> Some of you are tired of hearing me say this but the world we are
>> trying
>> to model is NOT a simple (or stable) hierarchy but a graph whereby an
>> openworld assumption must be made.
>> (http://en.wikipedia.org/wiki/Open_World_Assumption )
>> We can either choose to fight it or embrace it.  First a quick
>> definition of what is meant by taxonomic formalisms versus ontological
>> formalism again as it applies to the domain of knowledge
>> representation.
>>
>> If we were to take a triple in the form of "Subject Predicate
>> Object" ,
>> a taxonomical formalism would not offer the facility to specify a
>> variety of predicates other than a subordinate therefore the
>> inferences
>> one can draw are limited to one element orienting itself as a super/
>> sub
>> relationship with another.  An ontological formalism like RDFS or OWL
>> allows the modeler to create relationships (predicates) that
>> adequately
>> represent what is being modeled - especially when one requires more
>> than
>> a super/sub relationship.
>>
>> I personally don't believe that anything needs to be invented here
>> because the W3C standards, namely RDF/RDFS/OWL provide more than
>> enough
>> of a facility to tackle this modeling problem as well as delivering
>> the
>> promise of interoperability.
>>
>> For example, one problem being stated on this discussion thread can be
>> described as a "syntactical difference with semantic equivalence".
>> Using OWL as the ontological form, we can state in the model that:
>> cpe:/a:microsoft:iis:4.0   owl:SameAs
>> cpe:/a:microsoft:internet_information_server:4.0
>> such that all statements about one instance hold for the other.
>>
>> Given then the triple of:
>> cpe:/a:microsoft:iis:4.0   hasCVE:  cve:2002-0079:
>> we can then infer that
>> cpe:/a:microsoft:internet_information_server:4.0 hasCVE: cve:
>> 2002-0079:
>> without it being asserted.  (note that owl:SameAs is symmetrical so
>> that
>> A owl:SameAs B can infer B owl:SameAs A)
>>
>> Drew asks: Am I on the right track?
>> IMHO: if you are looking to solve the matching problems, there might
>> be
>> many other appropriate strategies.  If you are looking to solve the
>> matching problem for CPE and even a federated matching problem across
>> all of SCAP, I can point you to these ontological standards that
>> will do
>> the trick.
>>
>> Drew asks: Is this how we might structure a CPE ontology?
>> The answer here lies in the questions that will be asked of the model
>> and the inferences that are most useful to the community.
>> Already we can see that the community is looking for a way to state
>> semantic equivalence and I've shown an example of that.
>> This is fun stuff and if you want to put in the time, let's do it.
>>
>> Drew asks: Could we use an ontology in this way?
>> In short, just modeling CPE in OWL is necessary but not sufficient to
>> meet your goals. The power of an ontological model is the ability for
>> you to infer triples (subject predicate objects) as opposed to
>> having to
>> assert them all. This is the force multiplier.  To do so, one needs to
>> use a RDF-store, Inference Engine, and the SPARQL query language.  It
>> sounds complicated but it is surprisingly simple.
>>
>> Drew asks: Is there a better way to utilize an ontology?
>> If this group has a bias toward open standards and interoperability, I
>> see no better way to faithfully model a complex graph with anything
>> other than RDF/RDFS/OWL.
>>
>> --tk
>>
>> Timothy D. Keanini Sr., CTO    nCircle Network Security
>> Office: +1 (415) 625-5939
>> www.ncircle.com
>> blog.ncircle.com
>>
>> -----Original Message-----
>> From: Buttner, Drew [mailto:[hidden email]]
>> Sent: Wednesday, February 18, 2009 12:52 PM
>> To: [hidden email]
>> Subject: [CPE-DISCUSSION-LIST] Ontology
>>
>> One of the biggest issues currently in CPE focuses around matching.  The
>> current uri naming format implies a hierarchy, and this hierarchy is
>> what matching is based off of.  This has led us to problems when vendors
>> change names, or products are combined with other products, or versions
>> don't follow the norm.
>>
>> The idea of an ontology has been suggested before, and I have finally
>> had some time to research what is meant by "ontology" and how CPE
>> may be
>> able to leverage it.  I still have a long way to go.
>>
>> This is what I think I have figured out so far ...
>>
>> - Each CPE Name could be a class in an ontology about platform types.
>> - Relationships can be defined like:
>> - hasEdition
>> - hasVersion
>> - isSuccessorOf
>> - isSameAs
>> - We could construct a directed acyclic graph using the CPE Names and
>> the relationships (an ontology)
>> - Consumers could use this ontology to perform matching, as opposed to
>> using the URI.
>>
>> Granted this approach would necessitate the reliance on another file
>> that represented the ontology.  No longer could a tool perform
>> matching
>> based solely on two different CPE Names.  Of course this approach
>> would
>> enable matching to be more powerful and more complete.
>>
>> I know there are individuals in our community with experience /
>> knowledge regarding ontologies?  Am I on the right track?  Is this how
>> we might structure a CPE ontology?  Could we use an ontology in this
>> way?  Is there a better way to utilize an ontology?
>>
>> Thanks
>> Drew
>>
>>
>> ---------
>>
>> Andrew Buttner
>> The MITRE Corporation
>> [hidden email]
>> 781-271-3515

Re: Ontology

Wolfkiel, Joseph
I share some of Marty's concerns.  I'm worried that solving CPE's current
shortcomings by making all vendors use RDF/OWL is like driving a nail with a
shotgun.

I think documenting the relationships in CPE using some sort of ontological
notation would be a useful exercise, but I would think a simple E-R diagram
would probably solve the majority of the problems and not require everyone
to spend time and effort transitioning to an emerging technology like RDF.

We've had pretty good success modeling CPE relationships with UML 2.0 class
diagrams and implementing in standard XML using tags.

I also want to discourage the use of "sameAs".  I think it's highly
desirable that CPEs be unique, so I would encourage "deprecatedBy" as the
default behavior for CPEs that are considered synonyms, with only a single
CPE identifier existing for any given product in an undeprecated state.
(There can be only one!)

As an initial point of contention for any Ontology, I would submit that
using Vendor as the base element for CPE is not a good option.  My personal
belief is that product is the appropriate base for a CPE with vendor being a
"distributedBy" relationship.  I think this is a fundamental problem that
makes dealing with open source products and products that are "discovered"
versus distributed really difficult in the current URI structure.


Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Thursday, February 19, 2009 12:15 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

The question I am looking to explore is if an ontology based around CPE
Names could be used to solve many of the problems we currently face with
matching. I have not been thinking that this is something that would replace
CPE as it currently stands, etc.  Would an ontology be a good complement to
today's CPE?  Not a replacement.

Thanks
Drew



Re: Ontology (U)

Smith, Robert J Mr NII/DoD-CIO
UNCLASSIFIED

This is a very interesting and excellent discussion thread and the question
at hand about duplicate names for the same product is a serious one for the
DoD asset management team.  The DoD IT Asset Management (ITAM) Integrated
Product Team (IPT), which is made up of members from Army, Air Force,
Department of Navy, DISA, DLA and OSD, has decided to use the CPE data
dictionary as a primary software library source for commercial software
naming conventions.  This will provide the DoD team some standardization for
commercial software product titles.  The plan is for the Components to use
the CPE data dictionary in conjunction with their asset management and auto
discovery tools.  We are currently setting up a DoD data work group to
review and finalize the attributes and standardization of our asset data
elements and to agree upon a Net Centric process using DISA's Net Centric
Enterprise Services for reporting asset data using an XML schema and web
services.

The DoD ITAM is a major part of the DoD Enterprise Software Initiative
(ESI).  The ESI work group with support from the Component Software Product
Managers (SPM) and contracting officers put Enterprise Software Agreements
(ESA) in place that can be used by all Department of Defense (DoD)
Components.  The ITAM data will provide the ESI Team with strategic sourcing
opportunities, better information for SPM business cases, and up to date
information for contract negotiations.

The ESI Enterprise Software Agreements define DoD Component as:  the Office
of the Secretary of Defense (OSD), the Military Departments, the Chairman of
the Joint Chiefs of Staff, the Combatant Commands, the Inspector General of
the Department of Defense (DoD IG), the Defense Agencies, the DoD Field
Activities, the U. S. Coast Guard, NATO, the Intelligence Community (IC) and
Foreign Military Sales (FMS) with a Letter of Authorization.  The ESI
agreements can also be used by contractors supporting government contracts.


The CPE team has done an outstanding job and we hope to learn and benefit a
lot more from what you have already done.
Does the CPE team envision setting up a web service as part of the CPE
solution that could be used by end users to pull in or get updates on
commercial software product titles?  Has the CPE team considered looking at
open source software as part of the CPE Data Dictionary?


R/
Bob

Robert J. Smith
PM - DoD IT Asset Management
DoD CIO / IT Investments & Commercial Policy
201 12th Street South
Crystal Gateway North, Suite 501
Arlington, VA 22202-4301
COM: (703) 601-4729 ext 124
BB: (571) 309-4941
FAX: (703) 601-4738
Email: [hidden email]




-----Original Message-----
From: Wolfkiel, Joseph [mailto:[hidden email]]
Sent: Thursday, February 19, 2009 5:22 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

I share some of Marty's concerns.  I'm worried that solving CPE's current
shortcomings by making all vendors use RDF/OWL is like driving a nail with a
shotgun.

I think documenting the relationships in CPE using some sort of ontological
notation would be a useful exercise, but I would think a simple E-R diagram
would probably solve the majority of the problems and not require everyone
to spend time and effort transitioning to an emerging technology like RDF.

We've had pretty good success modeling CPE relationships with UML 2.0 class
diagrams and implementing in standard XML using tags.

I also want to discourage the use of "sameAs".  I think it's highly
desirable that CPEs be unique, so I would encourage "deprecatedBy" as the
default behavior for CPEs that are considered synonyms, with only a single
CPE identifier existing for any given product in an undeprecated state.
(There can be only one!)

As an initial point of contention for any Ontology, I would submit that
using Vendor as the base element for CPE is not a good option.  My personal
belief is that product is the appropriate base for a CPE with vendor being a
"distributedBy" relationship.  I think this is a fundamental problem that
makes dealing with open source products and products that are "discovered"
versus distributed really difficult in the current URI structure.


Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office 9800 Savage Rd Ste 6767 Ft Meade, MD 20755-6767 Commercial
410-854-5401 DSN 244-5401 Fax 410-854-6700


Re: Ontology

Andrew Buttner
Administrator
>Does the CPE team envision setting up a web service as part of the CPE
>solution that could be used by end users to pull in or get updates on
>commercial software product titles?

We do envision this at some point, but I don't think there is any timeline
on this.  Our focus today is on cleaning up the existing dictionary and on
clarifying issues in the current spec.  Having said that, knowing that members
of the community are waiting on web services helps us better prioritize
things.


>Has the CPE team considered looking at
>open source software as part of the CPE Data Dictionary?

Yes, and I know others in the community are interested in OSS as well.  This
is an area we are actively working in, specifically how to leverage existing
OSS information so that we can import it into the Official CPE Dictionary.


Thanks
Drew


Re: Ontology

Andrew Buttner
Administrator
In reply to this post by Wolfkiel, Joseph
>I also want to discourage the use of "sameAs".  I think it's highly
>desirable that CPEs be unique, so I would encourage "deprecatedBy" as the
>default behavior for CPEs that are considered synonyms, with only a single
>CPE identifier existing for any given product in an undeprecated state.
>(There can be only one!)

Agree, agree, agree.


Re: Ontology

Tim Keanini
First things first, I have no agenda to change CPE so for the most part this
discussion thread is over.
However, I would like to clarify my previous OWL statements (using
owl:sameAs) at the design principle level.  

The principles of the W3C's RDF/RDFS/OWL standards and the principles of
this community are at opposite ends of the spectrum.
The CPE community is making the case below that "there can only be one" both
syntactically and semantically; the semantic stack the W3C presents assumes
that anyone, anywhere, can say anything.  The latter demanded that
RDF/RDFS/OWL be added to the stack to take them beyond the capabilities of
XML-Schema.  While this has not seen massive success on the Internet, it
sure has helped address designs whereby federated systems under different
administrative controls need to play nicely together.  

I'm making this point because I don't think this group has run into a
problem or business case yet that requires it to leverage the semantic stack
- nothing higher than XML-Schema is required.  

Back to the fundamental question Drew was trying to address:  He asserted
that there was a problem today with matching.
Is there a problem with matching or not?  Because if there is, and it is not
being addressed in the design today, maybe we need a clearer definition of
the problem.
 
--tk


-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Friday, February 20, 2009 9:12 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

>I also want to discourage the use of "sameAs".  I think it's highly
>desirable that CPEs be unique, so I would encourage "deprecatedBy" as the
>default behavior for CPEs that are considered synonyms, with only a single
>CPE identifier existing for any given product in an undeprecated state.
>(There can be only one!)

Agree, agree, agree.


Re: Ontology

Andrew Buttner
Administrator
>Back to the fundamental question Drew was trying to address:  He
>asserted that there was a problem today with matching.
>Is there a problem with matching or not?  Because if there is, and
>it is not being addressed in the design today, maybe we need a
>clearer definition of the problem.

There are three problems that I am aware of with our current matching
algorithm:

1) the hierarchy of version numbers can't be matched
2) updates and editions can often be rolled up multiple ways
        - e.g. win xp sp1 pro should match win xp sp1 and win xp pro
3) vendors / products changing names

My question is if an ontology (I'm still confused about what exactly an
ontology is) can be leveraged to solve these problems?  I tried to come up
with an example of what I am thinking.  Please cut me some slack as you look
over this as I know I have a lot to learn here!

The idea is:

CPE naming format (URI) - used to create unique ids
CPE ontology (??OWL XML doc??) - used for matching

Thanks
Drew

cpe_ontology.pdf (41K) Download Attachment
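
The split described in this message (URI for unique ids, a separate relationship file for matching), as an added example that is not from any post and is not CPE project code. It resolves renamed products through a "deprecatedBy" table, as proposed earlier in the thread, then compares component by component with dotted-prefix version matching, which is one reading of the three problems listed above; the table contents, the windows_xp names and all function names are constructed for illustration.

```python
"""Added example: matching CPE names through a side table of relationships.
Not CPE project code; relationship data and windows_xp names are constructed."""

FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

# Constructed relationship "file": a deprecated (vendor, product) pair points to
# its single undeprecated replacement (the "deprecatedBy" idea from the thread).
# Which of the two IIS names is the deprecated one is an assumption made here.
DEPRECATED_BY = {
    ("microsoft", "iis"): ("microsoft", "internet_information_server"),
}


def parse_cpe(name):
    """Split a cpe:/ URI into seven components; empty or missing -> None."""
    if not name.startswith("cpe:/"):
        raise ValueError("not a cpe:/ URI: %r" % name)
    parts = name[len("cpe:/"):].split(":")
    if len(parts) > len(FIELDS):
        raise ValueError("too many components: %r" % name)
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, (p.lower() or None for p in parts)))


def canonicalize(cpe, deprecated_by=DEPRECATED_BY):
    """Follow deprecatedBy edges to the one undeprecated (vendor, product)."""
    key, seen = (cpe["vendor"], cpe["product"]), set()
    while key in deprecated_by:
        if key in seen:  # the relationship graph has to stay acyclic
            raise ValueError("deprecatedBy cycle at %r" % (key,))
        seen.add(key)
        key = deprecated_by[key]
    return dict(cpe, vendor=key[0], product=key[1])


def version_covers(pattern, target):
    """'4' covers '4.0' and '4.0.1' (dotted prefix); None covers anything."""
    if pattern is None:
        return True
    if target is None:
        return False
    p, t = pattern.split("."), target.split(".")
    return t[:len(p)] == p


def prefix_match(pattern_name, target_name):
    """Baseline: purely hierarchical match on the URI. The pattern must be a
    leading run of the target's components (simplified stand-in, not the spec)."""
    p, t = parse_cpe(pattern_name), parse_cpe(target_name)
    pv = [p[f] for f in FIELDS]
    tv = [t[f] for f in FIELDS]
    while pv and pv[-1] is None:
        pv.pop()
    return tv[:len(pv)] == pv


def relationship_match(pattern_name, target_name, deprecated_by=DEPRECATED_BY):
    """Match after resolving renames; unspecified pattern components match any
    value, and versions match by dotted prefix."""
    p = canonicalize(parse_cpe(pattern_name), deprecated_by)
    t = canonicalize(parse_cpe(target_name), deprecated_by)
    for field in FIELDS:
        if field == "version":
            if not version_covers(p[field], t[field]):
                return False
        elif p[field] is not None and p[field] != t[field]:
            return False
    return True


if __name__ == "__main__":
    xp = "cpe:/o:microsoft:windows_xp::sp1:pro"  # constructed name
    for pattern in ("cpe:/o:microsoft:windows_xp::sp1",
                    "cpe:/o:microsoft:windows_xp:::pro"):
        print(pattern, prefix_match(pattern, xp), relationship_match(pattern, xp))
    print(relationship_match("cpe:/a:microsoft:iis:4",
                             "cpe:/a:microsoft:internet_information_server:4.0"))
```

The hierarchical baseline accepts the "sp1" roll-up but rejects the "pro" one, because the edition sits behind the update in the URI; the component-wise comparison accepts both.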