Ontology-driven Knowledge Graph for Android Malware
Ryan Christian, Sharmishtha Dutta, Youngja Park, Nidhi Rastogi

TL;DR
This paper introduces MalONT2.0, an expanded ontology for Android malware threat intelligence, enabling detailed semantic capture and construction of a dynamic knowledge graph from unstructured threat reports.
Contribution
The paper presents MalONT2.0, a comprehensive ontology with new classes and relations, and demonstrates its application in building a dynamic malware knowledge graph from diverse threat reports.
Findings
MalONT2.0 captures extensive malware features and relations.
Constructed MalKG as a semantic knowledge graph for Android malware.
Demonstrated the dynamic growth of the TINKER knowledge graph.
Abstract
We present MalONT2.0, an ontology for malware threat intelligence (Rastogi et al., 2020). New classes (attack patterns, infrastructural resources used to enable attacks, and malware analysis covering both static analysis and dynamic analysis of binaries) and relations have been added following a broadened set of core competency questions. MalONT2.0 allows researchers to capture all requisite classes and relations that record the semantic and syntactic characteristics of an Android malware attack. This ontology forms the basis for the malware threat intelligence knowledge graph, MalKG, which we exemplify using three different, non-overlapping demonstrations. Malware features have been extracted from CTI reports on Android threat intelligence shared on the Internet and written as unstructured text. Some of these sources are blogs, threat intelligence reports, tweets,…
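To make the ontology-driven construction concrete, here is an added example (written for this page, not code from the paper or from MalONT2.0/MalKG) of how an ontology constrains a knowledge graph populated from unstructured text. The class names (Malware, AttackPattern, Infrastructure, MalwareAnalysis with StaticAnalysis/DynamicAnalysis subclasses, Indicator), the relation names and their domain/range pairs, the extraction patterns and the three report sentences are all assumptions chosen to mirror the scope the abstract describes; the paper's real ontology and extraction pipeline are not reproduced. The point it shows is that every triple is type-checked against the schema before it enters the graph, so a relation applied to the wrong kind of entity is rejected rather than silently stored.

```python
"""Minimal ontology-driven knowledge graph for Android malware CTI.

Added example for this page; class/relation names and the sample report
are assumptions, not the MalONT2.0 ontology or MalKG data.
"""
import re

# Assumed class hierarchy: class name -> parent class (None = top level).
CLASSES = {
    "Malware": None,
    "AttackPattern": None,
    "Infrastructure": None,
    "MalwareAnalysis": None,
    "StaticAnalysis": "MalwareAnalysis",
    "DynamicAnalysis": "MalwareAnalysis",
    "Indicator": None,
}

# Assumed relations: relation name -> (domain class, range class).
RELATIONS = {
    "usesAttackPattern": ("Malware", "AttackPattern"),
    "communicatesWith": ("Malware", "Infrastructure"),
    "analyzedBy": ("Malware", "MalwareAnalysis"),
    "hasIndicator": ("Malware", "Indicator"),
}


def is_subclass(cls, ancestor):
    """Walk the parent chain; a class is a subclass of itself."""
    while cls is not None:
        if cls == ancestor:
            return True
        cls = CLASSES[cls]
    return False


class KnowledgeGraph:
    """Typed entities plus (subject, relation, object) triples validated against the schema."""

    def __init__(self):
        self.types = {}        # entity name -> class
        self.triples = set()   # (subject, relation, object)

    def add_entity(self, name, cls):
        if cls not in CLASSES:
            raise ValueError(f"unknown class {cls!r}")
        existing = self.types.get(name)
        if existing is not None and existing != cls:
            raise ValueError(f"{name!r} already typed as {existing!r}")
        self.types[name] = cls

    def add_triple(self, subj, rel, obj):
        domain, rng = RELATIONS[rel]          # KeyError for an unknown relation
        if not is_subclass(self.types[subj], domain) or not is_subclass(self.types[obj], rng):
            raise ValueError(f"{subj} -{rel}-> {obj} violates domain/range ({domain}, {rng})")
        self.triples.add((subj, rel, obj))

    def objects(self, subj, rel):
        """Sorted objects reachable from subj via rel (a one-hop query)."""
        return sorted(o for (s, r, o) in self.triples if s == subj and r == rel)


def violates_schema(kg, subj, rel, obj):
    """True if the ontology rejects the triple (unknown entity/relation or domain/range mismatch)."""
    try:
        kg.add_triple(subj, rel, obj)
    except (KeyError, ValueError):
        return True
    return False


# Constructed report snippet (not from any real CTI source) in the style of the
# unstructured text the abstract describes.
SAMPLE_REPORT = """\
Malware Foo.Droid abuses the Accessibility Service to capture credentials.
Foo.Droid contacts 203.0.113.7 for command and control.
Foo.Droid was observed in static analysis requesting SYSTEM_ALERT_WINDOW.
"""


def _analysis_facts(m):
    # One sentence yields two facts: the analysis run itself (typed as the
    # StaticAnalysis subclass) and the permission it surfaced as an indicator.
    subj, perm = m.group(1), m.group(2)
    return [(subj, "analyzedBy", f"static-analysis:{subj}", "StaticAnalysis"),
            (subj, "hasIndicator", perm, "Indicator")]


# Rule-based extraction patterns standing in for an NER/relation model:
# each yields (subject, relation, object, object class); subjects are Malware.
PATTERNS = [
    (re.compile(r"Malware (\S+) abuses the (.+?) to"),
     lambda m: [(m.group(1), "usesAttackPattern", m.group(2), "AttackPattern")]),
    (re.compile(r"(\S+) contacts (\d{1,3}(?:\.\d{1,3}){3}) for"),
     lambda m: [(m.group(1), "communicatesWith", m.group(2), "Infrastructure")]),
    (re.compile(r"(\S+) was observed in static analysis requesting (\S+)\."),
     _analysis_facts),
]


def build_graph(text):
    """Lift each sentence into typed entities and schema-checked triples."""
    kg = KnowledgeGraph()
    for line in text.splitlines():
        for pattern, to_facts in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            for subj, rel, obj, obj_cls in to_facts(m):
                kg.add_entity(subj, "Malware")
                kg.add_entity(obj, obj_cls)
                kg.add_triple(subj, rel, obj)
    return kg


if __name__ == "__main__":
    graph = build_graph(SAMPLE_REPORT)
    for triple in sorted(graph.triples):
        print(triple)
```

The subclass walk in `is_subclass` is what lets `analyzedBy`, whose range is the general `MalwareAnalysis` class, accept an entity typed as `StaticAnalysis`; swapping the domain and range (for example, asserting that an IP address uses an attack pattern) is rejected by `add_triple`, which is the practical value of having the ontology in front of the graph rather than loading raw extractor output.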
