A Smart City Infrastructure Ontology for Threats, Cybercrime, and Digital Forensic Investigation

TL;DR

This paper introduces SCOPE, an expanded ontology integrating Smart City Infrastructure context into existing cyber threat and forensic models to improve information sharing and interoperability in cybercrime investigations.

Contribution

The paper presents SCOPE, a novel ontology that enhances existing models with Smart City Infrastructure data, addressing gaps in threat representation and tool interoperability.

Findings

SCOPE effectively models SCI-specific threats and evidence.

It demonstrates improved data sharing for cybercrime investigation.

The ontology is made publicly available for community use.

Abstract

Cybercrime and the market for cyber-related compromises are becoming attractive revenue sources for state-sponsored actors, cybercriminals and technical individuals affected by financial hardships. Due to burgeoning cybercrime on new technological frontiers, efforts have been made to assist digital forensic investigators (DFI) and law enforcement agencies (LEA) in their investigative efforts. Forensic tool innovations and ontology developments, such as the Unified Cyber Ontology (UCO) and Cyber-investigation Analysis Standard Expression (CASE), have been proposed to assist DFI and LEA. Although these tools and ontologies are useful, they lack extensive information sharing and tool interoperability features, and the ontologies lack the latest Smart City Infrastructure (SCI) context that was proposed. To mitigate the weaknesses in both solutions and to ensure a safer cyber-physical environment for all, we propose the Smart City Ontological Paradigm Expression (SCOPE), an expansion profile of the UCO and CASE ontology that implements SCI threat models, SCI digital forensic evidence, attack techniques, patterns and classifications from MITRE. We showcase how SCOPE could present complex data such as SCI-specific threats, cybercrime, investigation data and incident handling workflows via an incident scenario modelled after publicly reported real-world incidents attributed to Advanced Persistent Threat (APT) groups. We also make SCOPE available to the community so that threats, digital evidence and cybercrime in emerging trends such as SCI can be identified, represented, and shared collaboratively.