Abstract
Ontologies are a field within semantic technologies concerned with modeling the knowledge of a domain through well-defined concepts and relationships. Cyber threat intelligence (CTI) is a field within cyber security that consists of collecting, exchanging, and analyzing threat intelligence in order to detect, prevent, and attribute cyber attacks. The field of CTI is relatively new, and recent years have seen a growth in the development of taxonomies and enumerations for describing vulnerabilities, malware, tools, attack patterns, and other categories of CTI. The CTI sharing standard STIX 2 provides a basis for integrating such frameworks. An ontology based on the concepts found in STIX 2 can aid in gathering data in formats that comply with the standards defined by these frameworks, define a shared language for describing CTI, and provide the ability to reason about the data in order to infer new knowledge. To investigate whether CTI ontologies can aid in analyzing data through reasoning, an ontology for modeling threat actors and attack behaviour was developed. The basis for the ontology was identified from existing research evaluating CTI frameworks; from these frameworks, the concepts and relationships relevant to the domain were identified and modeled. To test the ontology's reasoning abilities, it was queried with the aim of inferring knowledge that was not explicitly stated in the ontology. The results showed that it was possible to infer such knowledge.
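The following is an added, self-contained illustration of the kind of inference the abstract describes; it is not the thesis's ontology or tooling. It keeps a small set of STIX 2-style relationship triples (source_ref, relationship_type, target_ref) in plain Python and forward-chains a few rules to a fixpoint, so that a query returns facts that were never stated explicitly. The facts and identifiers are constructed for the example, and the three rules (treating `uses` as a chain and propagating an intrusion set's `uses`/`targets` to the actor it is `attributed-to`) are assumed for illustration, modelled on OWL property chains rather than taken from any real ontology.

```python
"""Minimal forward-chaining reasoner over STIX 2-style relationship triples.

Added example, dependency-free; not code from the thesis or from any STIX
library. The rules below are assumptions chosen to illustrate inference.
"""
from typing import Dict, List, Optional, Set, Tuple

Triple = Tuple[str, str, str]
Bindings = Dict[str, str]

# Constructed sample facts in the spirit of STIX 2 relationship objects.
# The identifiers are made up for this example, not from a real bundle.
EXPLICIT_FACTS: Set[Triple] = {
    ("intrusion-set--alpha", "attributed-to", "threat-actor--acme"),
    ("intrusion-set--alpha", "uses", "malware--dropper"),
    ("intrusion-set--alpha", "targets", "identity--energy-sector"),
    ("malware--dropper", "uses", "attack-pattern--spearphishing"),
    ("malware--dropper", "uses", "tool--credential-dumper"),
    ("tool--credential-dumper", "uses", "attack-pattern--os-credential-dumping"),
}

# Each rule is (premises, conclusion); tokens starting with '?' are variables.
# Assumed rules, modelled on OWL property chains, chosen for this example.
RULES: List[Tuple[List[Triple], Triple]] = [
    # 'uses' as a chain: if A uses B and B uses C, then A uses C
    ([("?a", "uses", "?b"), ("?b", "uses", "?c")], ("?a", "uses", "?c")),
    # what an intrusion set uses or targets is attributed to the actor behind it
    ([("?s", "attributed-to", "?actor"), ("?s", "uses", "?x")],
     ("?actor", "uses", "?x")),
    ([("?s", "attributed-to", "?actor"), ("?s", "targets", "?x")],
     ("?actor", "targets", "?x")),
]


def is_var(term: str) -> bool:
    return term.startswith("?")


def unify(pattern: Triple, fact: Triple, bindings: Bindings) -> Optional[Bindings]:
    """Extend bindings so that pattern matches fact, or return None on conflict."""
    new = dict(bindings)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if new.get(p, f) != f:
                return None
            new[p] = f
        elif p != f:
            return None
    return new


def match_all(premises: List[Triple], facts: Set[Triple], bindings: Bindings) -> List[Bindings]:
    """Return every binding set under which all premises hold in facts."""
    if not premises:
        return [bindings]
    head, rest = premises[0], premises[1:]
    results: List[Bindings] = []
    for fact in facts:
        b = unify(head, fact, bindings)
        if b is not None:
            results.extend(match_all(rest, facts, b))
    return results


def substitute(pattern: Triple, bindings: Bindings) -> Triple:
    """Instantiate a conclusion pattern with the bindings found for its premises."""
    s, p, o = pattern
    return (bindings.get(s, s), bindings.get(p, p), bindings.get(o, o))


def infer(facts: Set[Triple], rules: List[Tuple[List[Triple], Triple]] = RULES) -> Set[Triple]:
    """Forward-chain the rules to a fixpoint; returns explicit plus inferred facts."""
    closure = set(facts)
    changed = True
    while changed:
        changed = False
        for premises, conclusion in rules:
            # match_all returns a finished list, so adding to closure below is safe
            for b in match_all(premises, closure, {}):
                derived = substitute(conclusion, b)
                if derived not in closure:
                    closure.add(derived)
                    changed = True
    return closure


def query(facts: Set[Triple], s: Optional[str] = None, p: Optional[str] = None,
          o: Optional[str] = None) -> Set[Triple]:
    """Pattern query; None is a wildcard, like an unbound SPARQL variable."""
    return {t for t in facts if (s is None or t[0] == s)
            and (p is None or t[1] == p) and (o is None or t[2] == o)}


def stix_type(ref: str) -> str:
    """STIX 2 identifiers are '<type>--<uuid>', so the object type is recoverable."""
    return ref.split("--", 1)[0]


def inferred_only(facts: Set[Triple] = EXPLICIT_FACTS) -> Set[Triple]:
    """The knowledge reasoning adds beyond what was explicitly stated."""
    return infer(facts) - facts


if __name__ == "__main__":
    for s, p, o in sorted(inferred_only()):
        print(f"inferred: {s} {p} {o}")
    techniques = {o for _, _, o in query(infer(EXPLICIT_FACTS), s="threat-actor--acme", p="uses")
                  if stix_type(o) == "attack-pattern"}
    print("attack patterns attributable to threat-actor--acme:", sorted(techniques))
```

Querying the explicit facts for `threat-actor--acme uses ?x` returns nothing; after closure, the same query yields the malware, the tool and both attack patterns, and `threat-actor--acme targets identity--energy-sector` appears as well. A real OWL reasoner does the same work over property-chain axioms declared in the ontology; the point of the toy is only to make visible which facts are derived rather than recorded.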