Creating Proprietary Terms Using Lightweight Ontology: A Case Study - - PowerPoint PPT Presentation
Creating Proprietary Terms Using Lightweight Ontology: A Case Study on Acquisition Phase in a Cyber Forensic Process Tamer Gayed Hakim Lounis Moncef Bari July 2014 1 Agenda Introduction & Definitions Research Motivations
Tamer Gayed Hakim Lounis Moncef Bari
1 July 2014
2
2
3
CF Definitions 4
CF Definitions 5
B C
HTML HTML HTML Web Browsers Search Engines hyper- links
A
SW Definitions
hyper- links
6
SW Definitions
7
B C
RDF RDF link
A D E
RDF links RDF links RDF links RDF RDF RDF RDF RDF RDF RDF RDF RDF
SW Definitions 8
SW Definitions
9
SW Definitions 10
Forensic Process
Role players
Jury
CF-CoC
e-CoC
11
12
12
13
14
15
16
about forensic process
ambiguity
17
18
19
20
20
21
22
23
23
24
25
25
– Why ?
certain data set or a new domain context.
– Lightweight ontology of LD (Linked Data) is the RDFS++. – RDFS++ combines the RDFS constructors and some primitives constructors from OWL. – The primitives constructors imported from OWL are those which are used to equivalent and map between different class and property terms
26
– Don’t create a term if an existing one will suffice. – When you define a new term, you need to have a namespace that you own and control. – When you create new terms, it is recommended to map these terms to those in existing vocabularies. – Apply all the LDP (HTTP, URL, and RDF) to the term. – If your term is a property (predicate), you have to define its domain and range using the constructors of RDFS++ (RDFS, OWL Primitives) and do not overload your new term with
– If at later time, you discover that another term was enough, an RDF link should be set between the new created term and the existing one. – Label and comment each term you create
26
– Don’t create a term if an existing one will suffice. – When you define a new term, you need to have a namespace that you own and control. – When you create new terms, it is recommended to map these terms to those in existing vocabularies. – Apply all the LDP (HTTP, URL, and RDF) to the term. – If your term is a property (predicate), you have to define its domain and range using the constructors of RDFS++ (RDFS, OWL Primitives) and do not overload your new term with
– If at later time, you discover that another term was enough, an RDF link should be set between the new created term and the existing one. – Label and comment each term you create
26
Any term should have a label. A label is used to provide a human- readable name for a resource. Label is an instance of rdf : Property rdfs : label Any term should have a comment. A comment is used to provide a human-readable description of a resource. Comment is an instance of rdf : Property rdfs : comment Common Constructors between Property and Class terms When the term X is of type Class, it can bee also a sub class of another Class term. The subClassOf of a property term is a term of type Class rdfs : subClassOf If X is a term of type ( rdf : type ) Class ( rdfs : Class ) The domain of a property term is always a Class. A domain of a property term X states that the subject slot of the X (i.e., where X is a predicate, because X is a property), interpreted by a reasoners as an instance of said domain of X rdfs : domain The range of a property term is always a Class. A range of a property term X states that the object slot of the X (i.e., where X is a predicate, because X is a property), interpreted by a reasoners as an instance of said range of X rdfs : range When the term X is of type property it can be also a sub property of another property term. The subPropertyOf of a property term is a term
rdfs : subPropertyOf If X is a term of type ( rdf : type ) Property ( rdfs : Property / owl : ObjectProperty )
27
When the type ( rdf:type ) of a property term X is defined to be of InverseFuntionalProperty, Whenever X property is used as a predicate in a triple, its object will have one and only one subject. Thus, each object should be able to uniquely identify a subject. This constructor is a sub class of owl : objectProperty
InverseFunctionalProperty This constructor is used to state that one property is the inverse of
(i.e., exactly like the passive voice in the grammar)
This constructor is used to map between two terms of type Property
Same idea as the last constructor, but here, when X is defined to be
can have at most one object. This constructor is a subclass of rdf : property
Two URI terms can be mapped together using the sameas
refer to the same thing. It can be used as well to map between two
Common Constructors between Property and Class terms This constructor is used to map between two terms of type Class
If X is a term of type ( rdf : type ) Class ( rdfs : Class ) If X is a term of type ( rdf : type ) Property ( rdfs : Property / owl : ObjectProperty )
28
Lightweight Ontology (Vocabulary) Forensic Phase
Forensic Task 1 Forensic Task 2 Forensic Task 3 Category 1 Category 2 Category 3 Category n Forensic Task n Term 2-1 Term 2-2 Term 2-m Forensic Term 2-1 Forensic Term 2-2 Forensic Term 2-m
29
Analysis : examining the data in order to identify pieces of evidence and determine their significance Authentication : ensuring that the acquired evidence has not been altered and kept its integrity Acquisition : acquiring evidence from suspect storage devices
Example : Kruse Model
Acquisition Phase containing 3 forensics tasks :
30
31
Property preserve Object 0G-4023-32-362 Subject/Object PDA-device Subject/Object Jean-Pierre A- Box (publication) Property SN Property preservedby Class Digital_media Ontology Acquisition Class Role_player Class First_responder T- Box (design) Type Term name
32
Definition of Acquisition Ontology
33
Lightweight ontology of Forensic Preservation task
34
Lightweight ontology of Forensic Preservation task (Cont)
34
Lightweight ontology of Forensic Preservation task (Cont)
34
https://127.0.0.1/roleplayer/Acquisition#Jean-Pierre cf-coc-Acq:preserve PDA device cf-coc-Acq:preservedby 0G-4023-32-362 cf-coc-Acq:SN
e-CoC of Forensic Preservation State
35
36
36
37