An ontology for Security Operations Center people, process, and technologies knowledge.
The Ontology for SOC Creation Assistance and Replication (OSCAR) is a knowledge base designed by cybersecurity operations researchers within the CERT directory of the Software Engineering Institute of Carnegie Mellon University to assist organizations in the creation and development of Security Operations Centers (SOC) within the overarching cybersecurity domain. This knowledge base project was founded based on the fundamental idea that no two SOCs are one hundred percent identical in practice. While there exist exceptional bodies of work that place frameworks around security operations itself, these works are primarily based on other bodies of literary and academic study. OSCAR on the other hand was born out of the concepts within people, process and technology as described through interview study by well established cybersecurity experts. A comprehensive publication that describes the development of the interview, description of data collection methodologies, analysis of results and development of the ontological objects and relationships can be found within [HyperLinks](insert DTRAP journal link).
Version 1.0 of the OSCAR knowledge base was completed in October 2024. Development of the ontology relied on the Protege ontology creation and editing tool. The output of using this platform is an Resource Description Framework (RDF) filetype, chosen for its compatibility between Protege and other ontological querying and curation tools. The axioms within OSCAR have also been developed in the Manchester OWL syntax due to its cross compatibility with a number of tools and its user-friendly querying and editing syntax.
The OSCAR ontology explicitly relates to the subdomain of cybersecurity for security operations. The scope of data within OSCAR is categorized into two root functions. These functions are SOC Development Tasks and Levels. SOC Developments contain the core knowledge base that are consistent of elements of people, processes and technologies needed to build a SOC. Levels on the other hand are best described as maturity levels of the SOC, specifically mapped to various functions or classifications of tasks that the SOC can perform. Within Levels, the development team relied on the CSIRT Services Framework to determine security team functional areas of operation, from which were derived levels of capability. At the other root level of the ontology exists the SOC Development Tasks. This root object consists of sub classes that consists of assessment factors, planning considerations, requirements gathered and the SOC function properties. Within each of these classes exist further subclasses that have been derived from the research interviews with SOC curation experts.
Copyright 2024 Carnegie Mellon University.
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. Requests for permission for non-licensed uses should be directed to the Software Engineering Institute at permission@sei.cmu.edu.
DM24-1418
The latest version of OSCAR can be accessed on the Master Branch.
All released versions can be downloaded directly from the GitGub Releases.
The currently developed version is available on the default dev Branch.
The source code of the ontology is found in the folder /ontology/
The main file is /ontology/oscar.rdf
The following diagram illustrates an example of the class structure of the OSCAR. It depicts the types of tools used in a SOC for threat detection. These aggregated data points orgininated from expert interviews that were used to construct the objects and relationships.
We recommend to use the desktop version of Protégé to open and edit the ontology.
- Software Engineering Institute Contact Information
- Contact Us
- Software Engineering Institute Digital Library
- SEI Digital Library containing publications, presentations, webcasts and podcasts.
- SEI Digital Library containing publications, presentations, webcasts and podcasts.