Andrew Buttner

One of the biggest issues currently in CPE focuses around matching. The current URI naming format implies a hierarchy, and this hierarchy is what matching is based off of. This has led us to problems when vendors change names, or products are combined with other products, or versions don't follow the norm.

The idea of an ontology has been suggested before, and I have finally had some time to research what is meant by "ontology" and how CPE may be able to leverage it. I still have a long way to go.

This is what I think I have figured out so far ...

- Each CPE Name could be a class in an ontology about platform types.
- Relationships can be defined like:
  - hasEdition
  - hasVersion
  - isSuccessorOf
  - isSameAs
- We could construct a directed acyclic graph using the CPE Names and the relationships (an ontology)
- Consumers could use this ontology to perform matching, as opposed to using the URI.

Granted this approach would necessitate the reliance on another file that represented the ontology. No longer could a tool perform matching based solely on two different CPE Names. Of course this approach would enable matching to be more powerful and more complete.

I know there are individuals in our community with experience / knowledge regarding ontologies? Am I on the right track? Is this how we might structure a CPE ontology? Could we use an ontology in this way? Is there a better way to utilize an ontology?

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Tim Keanini

I can't believe this topic has finally made it to the list. I'm too excited to respond so give me a few hours to calm down and I'll say something useful. The right or wrong has everything to do with what is useful to infer. Let me see if I can explain it in simple terms later today.

--tk

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 12:52 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Ontology

Mark Seward

The problem that we see is that the same product is represented by two (or more) different names. One case in point is IIS which matches 4 CVE records and internet_information_server which matches 134 CVEs. We want customers to adopt CPE as part of our product but without the data normalization these searches are all suspect.

Mark Seward
Qualys

Sent from my iPhone

On Feb 18, 2009, at 1:01 PM, Tim Keanini <[hidden email]> wrote:

> I can't believe this topic has finally made it to the list.
> I'm too excited to respond so give me a few hours to calm down and I'll
> say something useful.
> The right or wrong has everything to do with what is useful to infer.
> Let me see if I can explain it in simple terms later today.
> --tk

Andrew Buttner

I agree that this is a MAJOR problem. Looking at the dictionary we see names:

    cpe:/a:microsoft:iis:4.0
    cpe:/a:microsoft:internet_information_server:4.0

This is unfortunate and something we hope to fix going forward. This is a problem that we are starting to address and I hope that we can show some progress soon. I wish I had more to say on this topic right now, but all I can say is that we will keep everyone informed as progress is made.

Thanks
Drew

>-----Original Message-----
>From: Mark Seward [mailto:[hidden email]]
>Sent: Wednesday, February 18, 2009 2:50 PM
>To: cpe-discussion-list CPE Community Forum
>Subject: Re: [CPE-DISCUSSION-LIST] Ontology
>
>The problem that we see is that the same product is represented by two
>(or more) different names. One case in point is IIS which matches 4
>CVE records and internet_information_server which matches 134 CVEs. We
>want customers to adopt CPE as part of our product but without the
>data normalization these searches are all suspect.
>
>Mark Seward
>Qualys

Ernest Park-2

In reply to this post by Mark Seward

While clearly an older example, CVE has an older and active implementation of CPE 1.

Take a look at Oracle. I found over 20 distinct vendor:product names to identify the same thing. CPE needs to avoid string as the data resolution medium and move to hierarchical format. We can add vendor tables for specific value-add attributes, and build the basic naming table for those must have and nice to have values.

A "URI string" result is just the product of a good query, but still allows the use and consideration of a lot of complex data. A DB structure for the data would allow the integration of vendor specific information only requiring appropriate joins. The extended data can be hosted by each vendor, further extending the usefulness of the data. My concern is reinforced by the very high level of unintentional duplication within the CVE implementation for simple information. Trying to make data strings into a database is a flawed concept.

The other half of CPE is a constrained data entry system.

We are trying to represent complex 3 dimensional data in 1 dimension as the sole data repository. I currently store almost a million release records for FOSS, and I can extract CPE content as a query while still maintaining a high level of complex extended metadata that cannot be represented in a human readable GUID.

Therefore - Creating names needs to be constrained so that a pending name cannot be created "free form". A series of validation and queries against existing vendors and then products, and an objective comparison for the file/product in question against known aliases for that product will arrive at a likely common name.

The data needs to be stored in a multi-dimensional format. The URI type string can be an approved result set that can be validated against a service, or using a query against the dataset.

On Wed, Feb 18, 2009 at 2:50 PM, Mark Seward <[hidden email]> wrote:

> The problem that we see is that the same product is represented by two (or more) different names. One case in point is IIS which matches 4 CVE records and internet_information_server which matches 134 CVEs. We want customers to adopt CPE as part of our product but without the data normalization these searches are all suspect.

Ernest Park-2

In reply to this post by Andrew Buttner

In the example above, they are both alias names, and I was going to use the Google API to classify which is the most common, so that I could display the most common name.

On Wed, Feb 18, 2009 at 3:03 PM, Buttner, Drew <[hidden email]> wrote:

> I agree that this is a MAJOR problem. Looking at the dictionary we see names:

unifiedcompliance

The UCF team have been working with taxonomic ontologies for a number of years now.

The problems we see are twofold.

1) taxonomic ontologies that are based on name spaces, other than those strictly controlled by such groups as the Oxford English Dictionary team, never work as the names are too in flux. The answer is to create a persistent and unique ID system to assign to each name so that each name's ID, once assigned, is never changed nor deleted (only deprecated if no longer in use). By doing that, you can edit the names and provide an audit log (which becomes a roll back log if necessary) for any naming edits the ID might encounter.

2) Once a unique and persistent ID system is in place, that ID system can be used to track taxonomic genealogy as you've been discussing.

3) The UCF team, gratis, can set this up and create a methodology that the group can have. We have the technology, and methodology, down pat.

Let me know if you want me to elucidate or provide samples...

Dorian J. Cougias
Remember this: The Main Thing is to keep The Main Thing the Main Thing

From: Ernest Park [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 12:09 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

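
Added example, not part of any message in the thread and not UCF's implementation: a sketch of the persistent-ID scheme described in the post above, with IDs that are never changed or deleted, editable names, and an append-only audit log that doubles as a rollback log. The class and method names, and the rule that a name may only ever belong to one ID, are assumptions made for illustration.

```python
import itertools

IIS = "cpe:/a:microsoft:iis:4.0"
IIS_LONG = "cpe:/a:microsoft:internet_information_server:4.0"


class NameRegistry:
    """IDs are assigned once and never reused or deleted; only names change."""

    def __init__(self):
        self._names = {}          # id -> current name
        self._deprecated = set()  # ids no longer in use (kept, never removed)
        self._ids = itertools.count(1)
        self.audit_log = []       # append-only records: (id, action, old, new)

    def resolve(self, name):
        """Return the ID that owns a name, current or historical, else None."""
        for entry_id, current in self._names.items():
            if current == name:
                return entry_id
        for entry_id, _action, old, new in self.audit_log:
            if name in (old, new):
                return entry_id
        return None

    def assign(self, name):
        owner = self.resolve(name)
        if owner is not None:  # assumption: one name, one ID, forever
            raise ValueError(f"{name!r} already belongs to ID {owner}")
        entry_id = next(self._ids)
        self._names[entry_id] = name
        self.audit_log.append((entry_id, "assign", None, name))
        return entry_id

    def rename(self, entry_id, new_name):
        owner = self.resolve(new_name)
        if owner not in (None, entry_id):
            raise ValueError(f"{new_name!r} already belongs to ID {owner}")
        old = self._names[entry_id]
        self._names[entry_id] = new_name
        self.audit_log.append((entry_id, "rename", old, new_name))

    def rollback(self, entry_id):
        """Undo the latest name edit for an ID by reading the log backwards."""
        current = self._names[entry_id]
        for eid, action, old, new in reversed(self.audit_log):
            if eid == entry_id and action == "rename" and new == current:
                self._names[entry_id] = old
                self.audit_log.append((entry_id, "rollback", current, old))
                return old
        raise LookupError(f"no name edit to roll back for ID {entry_id}")

    def deprecate(self, entry_id):
        self._names[entry_id]  # raises KeyError for an unknown ID
        self._deprecated.add(entry_id)
        self.audit_log.append((entry_id, "deprecate", None, None))

    def current_name(self, entry_id):
        return self._names[entry_id]

    def is_deprecated(self, entry_id):
        return entry_id in self._deprecated


def demo():
    """Data keyed by ID survives a rename; returns (id, lookups, log actions)."""
    reg = NameRegistry()
    pid = reg.assign(IIS)
    cves_by_id = {pid: {"cve:2002-0079"}}  # CVE id taken from the thread
    reg.rename(pid, IIS_LONG)
    lookups = [cves_by_id[reg.resolve(n)] for n in (IIS, IIS_LONG)]
    reg.rollback(pid)
    reg.deprecate(pid)
    return pid, lookups, [record[1] for record in reg.audit_log]


if __name__ == "__main__":
    print(demo())
```
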
Waltermire, David

Dorian,

Could you please provide examples?

Dave

From: Dorian Cougias [mailto:[hidden email]]

unifiedcompliance

Included is a quick spreadsheet showing the basics

Dorian J. Cougias
Remember this: The Main Thing is to keep The Main Thing the Main Thing

From: David Waltermire [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 1:28 PM
To: [hidden email]
Cc: [hidden email]
Subject: RE: [CPE-DISCUSSION-LIST] Ontology

unifiedcompliance

BTW, all of the XML for this is posted at the URL below.

If you would like us to turn this over to you to manage (the language for describing ontologies that is), we're more than happy to do so.

Or, we can maintain it for you gratis.

Dorian J. Cougias
Remember this: The Main Thing is to keep The Main Thing the Main Thing

From: Dorian Cougias [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 2:21 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

Tim Keanini

In reply to this post by Andrew Buttner

Hello Drew,

Your original post, if I understand it correctly, explores the theory that a matching strategy that is based on a more graph oriented model might help overcome some of the problems CPE is experiencing with its hierarchical form. Whether this holds or not, I would like to begin with a clear definition of an ontological knowledge representation because there seems to be some confusion between taxonomy and ontology as the terms are used in a knowledge representational context.

Some of you are tired of hearing me say this but the world we are trying to model is NOT a simple (or stable) hierarchy but a graph whereby an open-world assumption must be made. (http://en.wikipedia.org/wiki/Open_World_Assumption) We can either choose to fight it or embrace it. First a quick definition of what is meant by taxonomic formalisms versus ontological formalism again as it applies to the domain of knowledge representation.

If we were to take a triple in the form of "Subject Predicate Object", a taxonomical formalism would not offer the facility to specify a variety of predicates other than a subordinate therefore the inferences one can draw are limited to one element orienting itself as a super/sub relationship with another. An ontological formalism like RDFS or OWL allows the modeler to create relationships (predicates) that adequately represent what is being modeled - especially when one requires more than a super/sub relationship.

I personally don't believe that anything needs to be invented here because the W3C standards, namely RDF/RDFS/OWL provide more than enough of a facility to tackle this modeling problem as well as delivering the promise of interoperability.

For example, one problem being stated on this discussion thread can be described as a "syntactical difference with semantic equivalence". Using OWL as the ontological form, we can state in the model that:

    cpe:/a:microsoft:iis:4.0 owl:SameAs cpe:/a:microsoft:internet_information_server:4.0

such that all statements about one instance hold for the other.

Given then the triple of:

    cpe:/a:microsoft:iis:4.0 hasCVE: cve:2002-0079:

we can then infer that

    cpe:/a:microsoft:internet_information_server:4.0 hasCVE: cve:2002-0079:

without it being asserted. (note that owl:SameAs is symmetrical so that A owl:SameAs B can infer B owl:SameAs A)

Drew asks: Am I on the right track?
IMHO: if you are looking to solve the matching problems, there might be many other appropriate strategies. If you are looking to solve the matching problem for CPE and even a federated matching problem across all of SCAP, I can point you to these ontological standards that will do the trick.

Drew asks: Is this how we might structure a CPE ontology?
The answer here lies in the questions that will be asked of the model and the inferences that are most useful to the community. Already we can see that the community is looking for a way to state semantic equivalence and I've shown an example of that. This is fun stuff and if you want to put in the time, let's do it.

Drew asks: Could we use an ontology in this way?
In short, just modeling CPE in OWL is necessary but not sufficient to meet your goals. The power of an ontological model is the ability for you to infer triples (subject predicate objects) as opposed to having to assert them all. This is the force multiplier. To do so, one needs to use an RDF-store, Inference Engine, and the SPARQL query language. It sounds complicated but it is surprisingly simple.

Drew asks: Is there a better way to utilize an ontology?
If this group has a bias toward open standards and interoperability, I see no better way to faithfully model a complex graph with anything other than RDF/RDFS/OWL.

--tk

Timothy D. Keanini Sr., CTO nCircle Network Security
Office: +1 (415) 625-5939
www.ncircle.com
blog.ncircle.com

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 12:52 PM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Ontology

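
Added example, not part of any message in the thread: a small pure-Python version of the inference described in the post above, where names joined by owl:SameAs share their hasCVE statements, compared with exact-string lookup. The `cve:EXAMPLE-*` identifiers, the widget name and all function names are constructed for illustration; the post itself calls for an RDF store, an inference engine and SPARQL rather than hand-written code.

```python
from collections import defaultdict

SAME_AS = "owl:SameAs"  # predicate spelled as in the post above
HAS_CVE = "hasCVE"

IIS = "cpe:/a:microsoft:iis:4.0"
IIS_LONG = "cpe:/a:microsoft:internet_information_server:4.0"
WIDGET = "cpe:/a:example_vendor:widget:1.0"  # constructed name

# Constructed triples. The two IIS names and cve:2002-0079 come from the
# thread; the cve:EXAMPLE-* identifiers are placeholders, not real CVEs.
ASSERTED = [
    (IIS, SAME_AS, IIS_LONG),
    (IIS, HAS_CVE, "cve:2002-0079"),
    (IIS_LONG, HAS_CVE, "cve:EXAMPLE-0001"),
    (WIDGET, HAS_CVE, "cve:EXAMPLE-0002"),
]


class SameAsIndex:
    """Union-find over names: sameAs is reflexive, symmetric and transitive."""

    def __init__(self):
        self._parent = {}

    def find(self, name):
        self._parent.setdefault(name, name)
        root = name
        while self._parent[root] != root:
            root = self._parent[root]
        while self._parent[name] != root:  # path compression
            self._parent[name], name = root, self._parent[name]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            # Smaller string becomes the representative, so results are stable.
            self._parent[max(ra, rb)] = min(ra, rb)


def infer(asserted):
    """Return the asserted triples plus those entailed by sameAs.

    Substitution is done in the subject position only, which is all the
    CPE-to-CVE lookup needs.
    """
    index = SameAsIndex()
    for s, p, o in asserted:
        if p == SAME_AS:
            index.union(s, o)

    # Group every known subject name by its equivalence class.
    members = defaultdict(set)
    for s, p, o in asserted:
        for name in ((s, o) if p == SAME_AS else (s,)):
            members[index.find(name)].add(name)

    inferred = set(asserted)
    for s, p, o in asserted:
        if p != SAME_AS:
            for alias in members[index.find(s)]:
                inferred.add((alias, p, o))
    for group in members.values():  # make symmetry and transitivity explicit
        for a in group:
            for b in group:
                if a != b:
                    inferred.add((a, SAME_AS, b))
    return inferred


def cves_for(triples, name):
    """Exact-name lookup: what a tool sees when it has only the name string."""
    return {o for s, p, o in triples if s == name and p == HAS_CVE}


if __name__ == "__main__":
    closed = infer(ASSERTED)
    for name in (IIS, IIS_LONG, WIDGET):
        print(name)
        print("  asserted only: ", sorted(cves_for(ASSERTED, name)))
        print("  with inference:", sorted(cves_for(closed, name)))
```
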
unifiedcompliance

Funny enough, we at the UCF use both an Open World Assumption methodology when deciding the hierarchical structure of placement for new controls into our database *and* we would definitely back the use of RDF/OWL for coding this into the database schema.

OWL would absolutely answer one of the basic questions we've had when mapping CCEs to CPEs -- namely, the use of predicates for inferring relationships between sameas elements.

Well stated Timothy.

Dorian J. Cougias
Founder and Lead Analyst
Unified Compliance Framework
Remember this: The Main Thing is to keep The Main Thing the Main Thing

-----Original Message-----
From: Tim Keanini [mailto:[hidden email]]
Sent: Wednesday, February 18, 2009 11:26 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

Raffael Marty-3
|
In reply to this post
by Tim Keanini
Good morning

I apologize for jumping in here after not paying much attention to the progress of CPE lately.

Let me ask you this: Why do we need any ontologies and mappings? I thought the reason for CPE was to come up with standard names exactly to counter the problem of naming confusions. What has happened? It seems to me that we are back at square one.

Cheers

Raffael

--
Raffael Marty @zrlram
Chief Security Strategist @ Splunk>
Security Visualization: http://secviz.org raffy.ch/blog

On Feb 18, 2009, at 11:26 PM, Tim Keanini wrote:

> Hello Drew,
> Your original post, if I understand it correctly, explores the theory that a matching strategy that is based on a more graph oriented model might help overcome some of the problems CPE is experiencing with its hierarchical form. Whether this holds or not, I would like to begin with a clear definition of an ontological knowledge representation because there seems to be some confusion between taxonomy and ontology as the terms are used in a knowledge representational context.
>
> Some of you are tired of hearing me say this but the world we are trying to model is NOT a simple (or stable) hierarchy but a graph whereby an openworld assumption must be made. (http://en.wikipedia.org/wiki/Open_World_Assumption ) We can either choose to fight it or embrace it. First a quick definition of what is meant by taxonomic formalisms versus ontological formalism again as it applies to the domain of knowledge representation.
>
> If we were to take a triple in the form of "Subject Predicate Object", a taxonomical formalism would not offer the facility to specify a variety of predicates other than a subordinate therefore the inferences one can draw are limited to one element orienting itself as a super/sub relationship with another. An ontological formalism like RDFS or OWL allows the modeler to create relationships (predicates) that adequately represent what is being modeled - especially when one requires more than a super/sub relationship.
>
> I personally don't believe that anything needs to be invented here because the W3C standards, namely RDF/RDFS/OWL provide more than enough of a facility to tackle this modeling problem as well as delivering the promise of interoperability.
>
> For example, one problem being stated on this discussion thread can be described as a "syntactical difference with semantic equivalence". Using OWL as the ontological form, we can state in the model that:
> cpe:/a:microsoft:iis:4.0 owl:SameAs cpe:/a:microsoft:internet_information_server:4.0
> such that all statements about one instance hold for the other.
>
> Given then the triple of:
> cpe:/a:microsoft:iis:4.0 hasCVE: cve:2002-0079:
> we can then infer that
> cpe:/a:microsoft:internet_information_server:4.0 hasCVE: cve: 2002-0079:
> without it being asserted. (note that owl:SameAs is symmetrical so that A owl:SameAs B can infer B owl:SameAs A)
>
> Drew asks: Am I on the right track?
> IMHO: if you are looking to solve the matching problems, there might be many other appropriate strategies. If you are looking to solve the matching problem for CPE and even a federated matching problem across all of SCAP, I can point you to these ontological standards that will do the trick.
>
> Drew asks: Is this how we might structure a CPE ontology?
> The answer here lies in the questions that will be asked of the model and the inferences that are most useful to the community. Already we can see that the community is looking for a way to state semantic equivalence and I've shown an example of that. This is fun stuff and if you want to put in the time, let's do it.
>
> Drew asks: Could we use an ontology in this way?
> In short, just modeling CPE in OWL is necessary but not sufficient to meet your goals. The power of an ontological model is the ability for you to infer triples (subject predicate objects) as opposed to having to assert them all. This is the force multiplier. To do so, one needs to use a RDF-store, Inference Engine, and the SPARQL query language. It sounds complicated but it is surprisingly simple.
>
> Drew asks: Is there a better way to utilize and ontology?
> If this group has a bias toward open standards and interoperability, I see no better way to faithfully model a complex graph with anything other than RDF/RDFS/OWL.
>
> --tk
>
> Timothy D. Keanini Sr., CTO nCircle Network Security
> Office: +1 (415) 625-5939
> www.ncircle.com
> blog.ncircle.com
||||||||||||||||
|
Andrew Buttner
|
The question I am looking to explore is if an ontology based around CPE Names could be used to solve many of the problems we currently face with matching. I have not been thinking that this is something that would replace CPE as it currently stands, etc. Would an ontology be a good complement to today's CPE? Not a replacement.

Thanks
Drew
||||||||||||||||
|
Wolfkiel, Joseph
|
I share some of Marty's concerns. I'm worried that solving CPE's current shortcomings by making all vendors use RDF/OWL is like driving a nail with a shotgun. I think documenting the relationships in CPE using some sort of ontological notation would be a useful exercise, but I would think a simple E-R diagram would probably solve the majority of the problems and not require everyone to spend time and effort transitioning to an emerging technology like RDF. We've had pretty good success modeling CPE relationships with UML 2.0 class diagrams and implementing in standard XML using tags.

I also want to discourage the use of "sameAs". I think it's highly desirable that CPEs be unique, so I would encourage "deprecatedBy" as the default behavior for CPEs that are considered synonyms, with only a single CPE identifier existing for any given product in an undeprecated state. (There can be only one!)

As an initial point of contention for any Ontology, I would submit that using Vendor as the base element for CPE is not a good option. My personal belief is that product is the appropriate base for a CPE with vendor being a "distributedBy" relationship. I think this is a fundamental problem that makes dealing with open source products and products that are "discovered" versus distributed really difficult in the current URI structure.

Lt Col Joseph L. Wolfkiel
Director, Computer Network Defense Research & Technology (CND R&T) Program Management Office
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401
DSN 244-5401
Fax 410-854-6700
||||||||||||||||
|
Smith, Robert J Mr NII/DoD-CIO
|
UNCLASSIFIED

This is a very interesting and excellent discussion thread and the question at hand about duplicate names for the same product is a serious one for the DoD asset management team.

The DoD IT Asset Management (ITAM) Integrated Product Team (IPT), which is made up of members from Army, Air Force, Department of Navy, DISA, DLA and OSD, has decided to use the CPE data dictionary as a primary software library source for commercial software naming conventions. This will provide the DoD team some standardization for commercial software product titles. The plan is for the Components to use the CPE data dictionary in conjunction with their asset management and auto discovery tools. We are currently setting up a DoD data work group to review and finalize the attributes and standardization of our asset data elements and to agree upon a Net Centric process using DISA's Net Centric Enterprise Services for reporting asset data using an XML schema and web services.

The DoD ITAM is a major part of the DoD Enterprise Software Initiative (ESI). The ESI work group with support from the Component Software Product Managers (SPM) and contracting officers put Enterprise Software Agreements (ESA) in place that can be used by all Department of Defense (DoD) Components. The ITAM data will provide the ESI Team with strategic sourcing opportunities, better information for SPM business cases, and up to date information for contract negotiations.

The ESI Enterprise Software Agreements define DoD Component as: the Office of the Secretary of Defense (OSD), the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Inspector General of the Department of Defense (DoD IG), the Defense Agencies, the DoD Field Activities, the U. S. Coast Guard, NATO, the Intelligence Community (IC) and Foreign Military Sales (FMS) with a Letter of Authorization. The ESI agreements can also be used by contractors supporting government contracts.

The CPE team has done an outstanding job and we hope to learn and benefit a lot more from what you have already done. Does the CPE team envision setting up a web service as part of the CPE solution that could be used by end users to pull in or get updates on commercial software product titles? Has the CPE team considered looking at open source software as part of the CPE Data Dictionary?

R/ Bob

Robert J. Smith
PM - DoD IT Asset Management
DoD CIO / IT Investments & Commercial Policy
201 12th Street South
Crystal Gateway North, Suite 501
Arlington, VA 22202-4301
COM: (703) 601-4729 ext 124
BB: (571) 309-4941
FAX: (703) 601-4738
Email: [hidden email]
||||||||||||||||
|
Andrew Buttner
|
>Does the CPE team envision setting up a web service as part of the CPE
>solution that could be used by end users to pull in or get updates on
>commercial software product titles?

We do envision this at some point, but I don't think there is any timeline on this. Our focus today is on cleaning up the existing dictionary and on clarifying issues in the current spec. Having said that, knowing that members of the community are waiting on web services helps us better prioritize things.

>Has the CPE team considered looking at
>open source software as part of the CPE Data Dictionary?

Yes, and I know others in the community are interested in OSS as well. This is an area we are actively working in, specifically how to leverage existing OSS information so that we can import it into the Official CPE Dictionary.

Thanks
Drew |
||||||||||||||||
|
Andrew Buttner
|
In reply to this post
by Wolfkiel, Joseph
>I also want to discourage the use of "sameAs". I think it's highly
>desirable that CPEs be unique, so I would encourage "deprecatedBy" as the
>default behavior for CPEs that are considered synonyms, with only a single
>CPE identifier existing for any given product in an undeprecated state.
>(There can be only one!)

Agree, agree, agree. |
||||||||||||||||
|
Tim Keanini
|
First things first, I have no agenda to change CPE so for the most part this discussion thread is over. However, I would like to clarify my previous OWL statements (using owl:sameAs) at the design principle level.

The principles of the W3C's RDF/RDFS/OWL standards and the principles of this community are at opposite ends of the spectrum. The CPE community is making the case below that "there can only be one" both syntactically and semantically; the semantic stack the W3C presents assumes that anyone, anywhere, can say anything. The latter demanded that RDF/RDFS/OWL be added to the stack to take them beyond the capabilities of XML-Schema. While this has not seen massive success on the Internet, it sure has helped address designs whereby federated systems under different administrative controls need to play nicely together.

I'm making this point because I don't think this group has run into a problem or business case yet that requires it to leverage the semantic stack - nothing higher than XML-Schema is required.

Back to the fundamental question Drew was trying to address: He asserted that there was a problem today with matching. Is there a problem with matching or not? Because if there is, and it is not being addressed in the design today, maybe we need a clearer definition of the problem.

--tk

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Friday, February 20, 2009 9:12 AM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] Ontology

>I also want to discourage the use of "sameAs". I think it's highly
>desirable that CPEs be unique, so I would encourage "deprecatedBy" as the
>default behavior for CPEs that are considered synonyms, with only a single
>CPE identifier existing for any given product in an undeprecated state.
>(There can be only one!)

Agree, agree, agree. |
||||||||||||||||
|
Andrew Buttner
|
>Back to the fundamental question Drew was trying to address: He
>asserted that there was a problem today with matching.
>Is there a problem with matching or not? Because if there is, and
>it is not being addressed in the design today, maybe we need a
>clearer definition of the problem.

There are three problems that I am aware of with our current matching algorithm:

1) the hierarchy of version numbers can't be matched
2) updates and editions can often be rolled up multiple ways - e.g. win xp sp1 pro should match win xp sp1 and win xp pro
3) vendors / products changing names

My question is if an ontology (I'm still confused about what exactly an ontology is) can be leveraged to solve these problems?

I tried to come up with an example of what I am thinking. Please cut me some slack as you look over this as I know I have a lot to learn here!

The idea is:

CPE naming format (URI) - used to create unique ids
CPE ontology (??OWL XML doc??) - used for matching

Thanks
Drew |
||||||||||||||||
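The thread weighs two ways of handling a renamed product: symmetric sameAs inference, and one-way deprecatedBy with a single undeprecated name. The Python sketch below is an added example, not part of any poster's message or of the CPE project; it runs both over the IIS names and CVE id quoted in the thread. The predicate spellings, the direction of the deprecation and all function names are assumptions.

```python
# Added illustration; not code from the thread or from the CPE project.
# The two IIS names and the CVE id are quoted from the thread. The predicate
# spellings and the direction of the deprecation are assumptions.
IIS = "cpe:/a:microsoft:iis:4.0"
IIS_LONG = "cpe:/a:microsoft:internet_information_server:4.0"

SAME_AS_GRAPH = [
    (IIS, "sameAs", IIS_LONG),
    (IIS, "hasCVE", "cve:2002-0079"),
]
DEPRECATION_GRAPH = [
    (IIS, "deprecatedBy", IIS_LONG),          # assumed direction
    (IIS_LONG, "hasCVE", "cve:2002-0079"),    # asserted once, on the live name
]

def same_as_root(triples):
    """Return find(): names joined by sameAs (either direction) share a root."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for s, p, o in triples:
        if p == "sameAs":
            parent[find(s)] = find(o)
    return find

def inferred_cves(triples, name):
    """CVEs asserted on any name in the same sameAs class as `name`."""
    find = same_as_root(triples)
    return {o for s, p, o in triples if p == "hasCVE" and find(s) == find(name)}

def canonical(triples, name):
    """Follow deprecatedBy links to the single undeprecated name."""
    successor = {s: o for s, p, o in triples if p == "deprecatedBy"}
    seen = {name}
    while name in successor:
        name = successor[name]
        if name in seen:
            raise ValueError("deprecatedBy cycle through " + name)
        seen.add(name)
    return name

def cves_for(triples, name):
    """Look up CVEs on the canonical name only; nothing is inferred."""
    live = canonical(triples, name)
    return {o for s, p, o in triples if p == "hasCVE" and s == live}
```

With sameAs, a consumer must compute the equivalence class before any lookup. With deprecatedBy, it only rewrites the name it was given, which is why a cycle in the deprecation chain has to be rejected.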