The University of Southampton
University of Southampton Institutional Repository

A novel ontology for cyber-attack attribution and investigation


Kaur Gill, Dilpreet and Karafili, Erisa (2026) A novel ontology for cyber-attack attribution and investigation. Forensic Science International: Digital Investigation. (In Press)

Record type: Article

Abstract

The rise in cyber-attacks has intensified the challenges faced by digital forensics and security analysts, who must investigate complex incidents quickly while handling large volumes of heterogeneous evidence. Current tools lack standardisation, resulting in incomplete representations and poor interoperability. Ontologies address this by providing structured vocabularies that ensure consistency, enable integration, and support structured and AI-assisted reasoning. In this paper, we introduce OCAI, a novel ontology for cyber-attack attribution and investigation. Built on the widely adopted STIX 2.1 standard, OCAI extends it with investigation- and attribution-specific knowledge. We add new objects, relationships, and axioms that deliver richer, more consistent, and extensible knowledge representation useful for the investigation and attribution process. Through empirical evaluation on real-world cyber-attacks, we refined OCAI to address critical gaps and ensure broader representational coverage. Comparative analysis shows that OCAI provides a broader and more comprehensive representation of cyber-attack investigation and attribution than existing ontologies. Moreover, its integration into a reasoning-based attribution tool demonstrates improvements in knowledge representation and reasoning capabilities. Our novel ontology establishes a robust foundation for advancing cyber-attack investigations and attribution.
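The abstract says OCAI builds on STIX 2.1 and adds objects, relationships and axioms for investigation and attribution, and that a reasoning-based tool consumes the result. The Python block below is an added example written for this page, not OCAI's schema or code: it shows the STIX 2.1 mechanism such an extension rests on (an extension-definition introducing a new object type), a checker for a handful of constructed axioms, and a traversal that links an indicator to candidate actors through the relationship graph. Every identifier, the "evidence" object type, the "supports" relationship type, the schema URL and the axiom set are assumptions made for illustration.

```python
"""Added example (not OCAI's schema or code): a STIX 2.1 bundle carrying a
hypothetical investigation object via an extension-definition, a minimal
axiom checker, and a traversal that surfaces candidate attribution chains.
Every identifier, the "evidence" type and the axiom set are constructed."""
import re
from collections import defaultdict, deque

# Object types defined by STIX 2.1 itself (enough for this check).
STIX_CORE_TYPES = {
    "attack-pattern", "campaign", "course-of-action", "grouping", "identity", "indicator",
    "infrastructure", "intrusion-set", "location", "malware", "malware-analysis", "note",
    "observed-data", "opinion", "report", "threat-actor", "tool", "vulnerability",
    "relationship", "sighting", "extension-definition", "marking-definition", "language-content",
}
ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
TS = "2026-03-19T00:00:00.000Z"  # constructed timestamp

# Constructed identifiers; none refers to a real intrusion set, actor or sample.
ORG = "identity--1f3c9b6e-4d5a-4e2b-9c8d-7a6b5c4d3e2f"
EVIDENCE_EXT = "extension-definition--9a8b7c6d-5e4f-4d3c-8b2a-1f0e9d8c7b6a"
IND = "indicator--0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"
MAL = "malware--11223344-5566-4777-8899-aabbccddeeff"
ACTOR = "threat-actor--a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d"
ISET = "intrusion-set--5d4c3b2a-1f0e-4d9c-8b7a-6f5e4d3c2b1a"
EVD = "evidence--d1e2f3a4-b5c6-4d7e-8f9a-0b1c2d3e4f5a"


def sdo(otype, oid, **props):
    return {"type": otype, "spec_version": "2.1", "id": oid, "created": TS, "modified": TS, **props}


def rel(n, rtype, src, tgt):
    return sdo("relationship", f"relationship--00000000-0000-4000-8000-{n:012d}",
               relationship_type=rtype, source_ref=src, target_ref=tgt)


BUNDLE = {"type": "bundle", "id": "bundle--6e5d4c3b-2a19-4f8e-9d7c-6b5a4f3e2d1c", "objects": [
    sdo("identity", ORG, name="Investigating team (constructed)", identity_class="organization"),
    # Registers the hypothetical new SDO type "evidence" through the STIX 2.1 extension mechanism.
    sdo("extension-definition", EVIDENCE_EXT, created_by_ref=ORG, name="evidence (hypothetical)",
        schema="https://example.invalid/evidence.json", version="1.0.0", extension_types=["new-sdo"]),
    sdo("indicator", IND, pattern_type="stix", valid_from=TS,
        pattern="[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
    sdo("malware", MAL, name="SampleLoader (constructed)", is_family=False),
    sdo("threat-actor", ACTOR, name="Actor Alpha (constructed)"),
    sdo("intrusion-set", ISET, name="Cluster One (constructed)"),
    sdo("evidence", EVD, description="Disk image of host-17 (constructed)", collected_by_ref=ORG,
        extensions={EVIDENCE_EXT: {"extension_type": "new-sdo"}}),
    rel(1, "indicates", IND, MAL),
    rel(2, "uses", ACTOR, MAL),
    rel(3, "attributed-to", ISET, ACTOR),
    rel(4, "supports", EVD, IND),  # hypothetical relationship type linking evidence to what it backs
]}


def check_bundle(bundle):
    """Illustrative axioms (a real ontology carries many more): well-formed ids, no dangling
    references, custom types declared by a new-sdo extension-definition in the same bundle,
    and attributed-to pointing at something that can actually be attributed."""
    objs = {o["id"]: o for o in bundle["objects"]}
    problems = []
    for oid, o in objs.items():
        if not ID_RE.match(oid) or not oid.startswith(o["type"] + "--"):
            problems.append(f"malformed id {oid}")
        for k, v in o.items():  # every *_ref / *_refs must resolve inside the bundle
            refs = v if k.endswith("_refs") else [v] if k.endswith("_ref") else []
            problems += [f"{oid}.{k} dangles: {r}" for r in refs if r not in objs]
        if o["type"] not in STIX_CORE_TYPES:
            declared = any(e in objs and objs[e]["type"] == "extension-definition"
                           and "new-sdo" in objs[e].get("extension_types", [])
                           and d.get("extension_type") == "new-sdo"
                           for e, d in o.get("extensions", {}).items())
            if not declared:
                problems.append(f"{oid}: type {o['type']!r} has no new-sdo extension-definition")
        if o["type"] == "relationship" and o["relationship_type"] == "attributed-to":
            tgt = objs.get(o["target_ref"], {}).get("type")
            if tgt not in {"threat-actor", "intrusion-set", "identity"}:
                problems.append(f"{oid}: attributed-to target {tgt!r} is not attributable")
    return problems


def attribute(bundle, start_id):
    """Breadth-first walk over relationship objects in both directions from start_id.
    Returns {id: path} for each threat-actor / intrusion-set reached; path lists the
    relationship types walked, with "^-1" marking an edge followed backwards.
    It exposes the chain an analyst must justify and assigns no confidence."""
    objs = {o["id"]: o for o in bundle["objects"]}
    adj = defaultdict(list)
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            adj[o["source_ref"]].append((o["target_ref"], o["relationship_type"]))
            adj[o["target_ref"]].append((o["source_ref"], o["relationship_type"] + "^-1"))
    seen, found, queue = {start_id}, {}, deque([(start_id, [])])
    while queue:
        node, path = queue.popleft()
        if objs.get(node, {}).get("type") in {"threat-actor", "intrusion-set"}:
            found[node] = path
        for nxt, label in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [label]))
    return found


if __name__ == "__main__":
    print("axiom violations:", check_bundle(BUNDLE))
    for target, chain in attribute(BUNDLE, IND).items():
        print(target, "via", " -> ".join(chain))
```

Run directly, the block reports no axiom violations and prints two chains from the indicator: to the threat actor over indicates and a reversed uses edge, and on to the intrusion set over a reversed attributed-to edge. Keeping the reasoning on an explicit graph of typed relationships, rather than in a tool's private state, is what makes an attribution claim checkable by a second analyst; the checker also shows why dangling references and undeclared custom types have to be rejected before any reasoning starts.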

Text: OCAI - Accepted Manuscript (restricted to Repository staff only until 19 March 2028)
Text: A novel ontology for cyber-attack attribution and investigation (restricted to Repository staff only)

More information

Accepted/In Press date: 19 March 2026
Keywords: Ontology, STIX, cyber-attack attribution, Cyber-Attack Investigation

Identifiers

Local EPrints ID: 510849
URI: http://eprints.soton.ac.uk/id/eprint/510849
ISSN: 2666-2817
PURE UUID: d60bd3ae-43d4-4e8c-a744-63761a5980b2
ORCID for Erisa Karafili: orcid.org/0000-0002-8250-4389

Catalogue record

Date deposited: 22 Apr 2026 16:59
Last modified: 23 Apr 2026 02:05


Contributors

Author: Dilpreet Kaur Gill
Author: Erisa Karafili
