diff --git a/Makefile b/Makefile index 8de42185..b32bcc45 100644 --- a/Makefile +++ b/Makefile @@ -7,6 +7,8 @@ D3FEND_RELEASE_DATE :="2024-04-26T00:00:00.000Z" ATTACK_VERSION := 15.0 +ATLAS_VERSION := 4.5.2 + JENA_VERSION := 4.5.0 JENA_PATH := "bin/jena/apache-jena-${JENA_VERSION}/bin" @@ -134,6 +136,16 @@ update-attack: bash src/util/update_attack.sh $(ATTACK_VERSION) $(END) +download-atlas: + mkdir -p data + echo "Version: $(ATLAS_VERSION)" + cd data; wget https://github.com/mitre-atlas/atlas-navigator-data/raw/3323ec5e88f4838d7c3e787dae8e1cbc5ffcbb0b/dist/stix-atlas.json + $(END) + +update-atlas: + bash src/util/update_atlas.sh $(ATLAS_VERSION) + $(END) + update-puns: bash src/util/update_puns.sh $(END) diff --git a/src/ontology/d3fend-protege.ttl b/src/ontology/d3fend-protege.ttl index c6b5999f..79949651 100644 --- a/src/ontology/d3fend-protege.ttl +++ b/src/ontology/d3fend-protege.ttl @@ -1391,6 +1391,14 @@ skos:altLabel a owl:AnnotationProperty . rdfs:range xsd:anyURI ; :comment "schema.org's archivedAt vice schema.org notion of url, previously has-link" . +:atlas-id a owl:DatatypeProperty, + owl:FunctionalProperty ; + rdfs:label "atlas-id" ; + rdfs:subPropertyOf :d3fend-kb-data-property ; + rdfs:domain :ATLASThing ; + rdfs:range xsd:string ; + :definition "x atlas-id y: The ATLAS thing x is identified by string y." . + :attack-kb-data-property a owl:DatatypeProperty ; rdfs:label "attack-kb-data-property" ; skos:altLabel "attack-kb-property" ; @@ -2030,6 +2038,1038 @@ Agglomerative clustering starts with each data point as its own cluster. The alg owl:onProperty :creates ; owl:someValuesFrom :MemoryBlock ] . +:AML.T0000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Search for Victim's Publicly Available Research Materials" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0002 ] ; + :atlas-id "AML.T0000" ; + :definition "Adversaries may search publicly available research to learn how and where machine learning is used within a victim organization." ; + rdfs:seeAlso . + +:AML.T0000.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Journals and Conference Proceedings" ; + rdfs:subClassOf :AML.T0000 ; + :atlas-id "AML.T0000.000" ; + :definition "Many of the publications accepted at premier machine learning conferences and journals come from commercial labs." ; + rdfs:seeAlso . + +:AML.T0000.001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Pre-Print Repositories" ; + rdfs:subClassOf :AML.T0000 ; + :atlas-id "AML.T0000.001" ; + :definition "Pre-Print repositories, such as arXiv, contain the latest academic research papers that haven't been peer reviewed." ; + rdfs:seeAlso . + +:AML.T0000.002 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Technical Blogs" ; + rdfs:subClassOf :AML.T0000 ; + :atlas-id "AML.T0000.002" ; + :definition "Research labs at academic institutions and Company R&D divisions often have blogs that highlight their use of machine learning and its application to the organizations unique problems." ; + rdfs:seeAlso . + +:AML.T0001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Search for Publicly Available Adversarial Vulnerability Analysis" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0002 ] ; + :atlas-id "AML.T0001" ; + :definition "Much like the [Search for Victim's Publicly Available Research Materials](/techniques/AML.T0000), there is often ample research available on the vulnerabilities of common models. Once a target has been identified, an adversary will likely try to identify any pre-existing work that has been done for this class of models." ; + rdfs:seeAlso . + +:AML.T0002 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Acquire Public ML Artifacts" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0003 ] ; + :atlas-id "AML.T0002" ; + :definition "Adversaries may search public sources, including cloud storage, public-facing services, and software or data repositories, to identify machine learning artifacts." ; + rdfs:seeAlso . + +:AML.T0002.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Datasets" ; + rdfs:subClassOf :AML.T0002 ; + :atlas-id "AML.T0002.000" ; + :definition "Adversaries may collect public datasets to use in their operations." ; + rdfs:seeAlso . + +:AML.T0002.001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Models" ; + rdfs:subClassOf :AML.T0002 ; + :atlas-id "AML.T0002.001" ; + :definition "Adversaries may acquire public models to use in their operations." ; + rdfs:seeAlso . + +:AML.T0003 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Search Victim-Owned Websites" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0002 ] ; + :atlas-id "AML.T0003" ; + :definition "Adversaries may search websites owned by the victim for information that can be used during targeting." ; + rdfs:seeAlso . + +:AML.T0004 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Search Application Repositories" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0002 ] ; + :atlas-id "AML.T0004" ; + :definition "Adversaries may search open application repositories during targeting." ; + rdfs:seeAlso . + +:AML.T0005 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Create Proxy ML Model" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0001 ] ; + :atlas-id "AML.T0005" ; + :definition "Adversaries may obtain models to serve as proxies for the target model in use at the victim organization." ; + rdfs:seeAlso . + +:AML.T0005.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Train Proxy via Gathered ML Artifacts" ; + rdfs:subClassOf :AML.T0005 ; + :atlas-id "AML.T0005.000" ; + :definition "Proxy models may be trained from ML artifacts (such as data, model architectures, and pre-trained models) that are representative of the target model gathered by the adversary." ; + rdfs:seeAlso . + +:AML.T0005.001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Train Proxy via Replication" ; + rdfs:subClassOf :AML.T0005 ; + :atlas-id "AML.T0005.001" ; + :definition "Adversaries may replicate a private model." ; + rdfs:seeAlso . + +:AML.T0005.002 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Use Pre-Trained Model" ; + rdfs:subClassOf :AML.T0005 ; + :atlas-id "AML.T0005.002" ; + :definition "Adversaries may use an off-the-shelf pre-trained model as a proxy for the victim model to aid in staging the attack." ; + rdfs:seeAlso . + +:AML.T0006 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Active Scanning (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0002 ] ; + :atlas-id "AML.T0006" ; + :definition "An adversary may probe or scan the victim system to gather information for targeting." ; + rdfs:seeAlso . + +:AML.T0007 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Discover ML Artifacts" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0008 ] ; + :atlas-id "AML.T0007" ; + :definition "Adversaries may search private sources to identify machine learning artifacts that exist on the system and gather information about them." ; + rdfs:seeAlso . + +:AML.T0008 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Acquire Infrastructure" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0003 ] ; + :atlas-id "AML.T0008" ; + :definition "Adversaries may buy, lease, or rent infrastructure for use throughout their operation." ; + rdfs:seeAlso . + +:AML.T0008.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "ML Development Workspaces" ; + rdfs:subClassOf :AML.T0008 ; + :atlas-id "AML.T0008.000" ; + :definition "Developing and staging machine learning attacks often requires expensive compute resources." ; + rdfs:seeAlso . + +:AML.T0008.001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Consumer Hardware" ; + rdfs:subClassOf :AML.T0008 ; + :atlas-id "AML.T0008.001" ; + :definition "Adversaries may acquire consumer hardware to conduct their attacks." ; + rdfs:seeAlso . + +:AML.T0010 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "ML Supply Chain Compromise" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0004 ] ; + :atlas-id "AML.T0010" ; + :definition "Adversaries may gain initial access to a system by compromising the unique portions of the ML supply chain." ; + rdfs:seeAlso . + +:AML.T0010.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "GPU Hardware" ; + rdfs:subClassOf :AML.T0010 ; + :atlas-id "AML.T0010.000" ; + :definition "Most machine learning systems require access to certain specialized hardware, typically GPUs." ; + rdfs:seeAlso . + +:AML.T0010.001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "ML Software" ; + rdfs:subClassOf :AML.T0010 ; + :atlas-id "AML.T0010.001" ; + :definition "Most machine learning systems rely on a limited set of machine learning frameworks." ; + rdfs:seeAlso . + +:AML.T0010.002 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Data" ; + rdfs:subClassOf :AML.T0010 ; + :atlas-id "AML.T0010.002" ; + :definition "Data is a key vector of supply chain compromise for adversaries." ; + rdfs:seeAlso . + +:AML.T0010.003 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Model" ; + rdfs:subClassOf :AML.T0010 ; + :atlas-id "AML.T0010.003" ; + :definition "Machine learning systems often rely on open sourced models in various ways." ; + rdfs:seeAlso . + +:AML.T0011 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "User Execution (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0005 ] ; + :atlas-id "AML.T0011" ; + :definition "An adversary may rely upon specific actions by a user in order to gain execution." ; + rdfs:seeAlso . + +:AML.T0011.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Unsafe ML Artifacts" ; + rdfs:subClassOf :AML.T0011 ; + :atlas-id "AML.T0011.000" ; + :definition "Adversaries may develop unsafe ML artifacts that when executed have a deleterious effect." ; + rdfs:seeAlso . + +:AML.T0012 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Valid Accounts (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0004 ] ; + :atlas-id "AML.T0012" ; + :definition "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access." ; + rdfs:seeAlso . + +:AML.T0013 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Discover ML Model Ontology" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0008 ] ; + :atlas-id "AML.T0013" ; + :definition "Adversaries may discover the ontology of a machine learning model's output space, for example, the types of objects a model can detect." ; + rdfs:seeAlso . + +:AML.T0014 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Discover ML Model Family" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0008 ] ; + :atlas-id "AML.T0014" ; + :definition "Adversaries may discover the general family of model." ; + rdfs:seeAlso . + +:AML.T0015 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Evade ML Model" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0004 ], + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0007 ], + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0011 ] ; + :atlas-id "AML.T0015" ; + :definition "Adversaries can [Craft Adversarial Data](/techniques/AML.T0043) that prevent a machine learning model from correctly identifying the contents of the data." ; + rdfs:seeAlso . + +:AML.T0016 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Obtain Capabilities (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0003 ] ; + :atlas-id "AML.T0016" ; + :definition "Adversaries may search for and obtain software capabilities for use in their operations." ; + rdfs:seeAlso . + +:AML.T0016.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Adversarial ML Attack Implementations" ; + rdfs:subClassOf :AML.T0016 ; + :atlas-id "AML.T0016.000" ; + :definition "Adversaries may search for existing open source implementations of machine learning attacks. The research community often publishes their code for reproducibility and to further future research. Libraries intended for research purposes, such as CleverHans, the Adversarial Robustness Toolbox, and FoolBox, can be weaponized by an adversary. Adversaries may also obtain and use tools that were not originally designed for adversarial ML attacks as part of their attack." ; + rdfs:seeAlso . + +:AML.T0016.001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Software Tools (ATLAS)" ; + rdfs:subClassOf :AML.T0016 ; + :atlas-id "AML.T0016.001" ; + :definition "Adversaries may search for and obtain software tools to support their operations." ; + rdfs:seeAlso . + +:AML.T0017 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Develop Capabilities (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0003 ] ; + :atlas-id "AML.T0017" ; + :definition "Adversaries may develop their own capabilities to support operations. This process encompasses identifying requirements, building solutions, and deploying capabilities. Capabilities used to support attacks on ML systems are not necessarily ML-based themselves. Examples include setting up websites with adversarial information or creating Jupyter notebooks with obfuscated exfiltration code." ; + rdfs:seeAlso . + +:AML.T0017.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Adversarial ML Attacks" ; + rdfs:subClassOf :AML.T0017 ; + :atlas-id "AML.T0017.000" ; + :definition "Adversaries may develop their own adversarial attacks." ; + rdfs:seeAlso . + +:AML.T0018 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Backdoor ML Model" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0001 ], + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0006 ] ; + :atlas-id "AML.T0018" ; + :definition "Adversaries may introduce a backdoor into a ML model." ; + rdfs:seeAlso . + +:AML.T0018.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Poison ML Model" ; + rdfs:subClassOf :AML.T0018 ; + :atlas-id "AML.T0018.000" ; + :definition "Adversaries may introduce a backdoor by training the model poisoned data, or by interfering with its training process." ; + rdfs:seeAlso . + +:AML.T0018.001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Inject Payload" ; + rdfs:subClassOf :AML.T0018 ; + :atlas-id "AML.T0018.001" ; + :definition "Adversaries may introduce a backdoor into a model by injecting a payload into the model file." ; + rdfs:seeAlso . + +:AML.T0019 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Publish Poisoned Datasets" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0003 ] ; + :atlas-id "AML.T0019" ; + :definition "Adversaries may [Poison Training Data](/techniques/AML.T0020) and publish it to a public location." ; + rdfs:seeAlso . + +:AML.T0020 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Poison Training Data" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0003 ], + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0006 ] ; + :atlas-id "AML.T0020" ; + :definition "Adversaries may attempt to poison datasets used by a ML model by modifying the underlying data or its labels." ; + rdfs:seeAlso . + +:AML.T0021 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Establish Accounts (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0003 ] ; + :atlas-id "AML.T0021" ; + :definition "Adversaries may create accounts with various services for use in targeting, to gain access to resources needed in [ML Attack Staging](/tactics/AML.TA0001), or for victim impersonation." ; + rdfs:seeAlso . + +:AML.T0024 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Exfiltration via ML Inference API" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0010 ] ; + :atlas-id "AML.T0024" ; + :definition "Adversaries may exfiltrate private information via [ML Model Inference API Access](/techniques/AML.T0040)." ; + rdfs:seeAlso . + +:AML.T0024.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Infer Training Data Membership" ; + rdfs:subClassOf :AML.T0024 ; + :atlas-id "AML.T0024.000" ; + :definition "Adversaries may infer the membership of a data sample in its training set, which raises privacy concerns." ; + rdfs:seeAlso . + +:AML.T0024.001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Invert ML Model" ; + rdfs:subClassOf :AML.T0024 ; + :atlas-id "AML.T0024.001" ; + :definition "Machine learning models' training data could be reconstructed by exploiting the confidence scores that are available via an inference API." ; + rdfs:seeAlso . + +:AML.T0024.002 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Extract ML Model" ; + rdfs:subClassOf :AML.T0024 ; + :atlas-id "AML.T0024.002" ; + :definition "Adversaries may extract a functional copy of a private model." ; + rdfs:seeAlso . + +:AML.T0025 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Exfiltration via Cyber Means" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0010 ] ; + :atlas-id "AML.T0025" ; + :definition "Adversaries may exfiltrate ML artifacts or other information relevant to their goals via traditional cyber means." ; + rdfs:seeAlso . + +:AML.T0029 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Denial of ML Service" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0011 ] ; + :atlas-id "AML.T0029" ; + :definition "Adversaries may target machine learning systems with a flood of requests for the purpose of degrading or shutting down the service." ; + rdfs:seeAlso . + +:AML.T0031 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Erode ML Model Integrity" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0011 ] ; + :atlas-id "AML.T0031" ; + :definition "Adversaries may degrade the target model's performance with adversarial data inputs to erode confidence in the system over time." ; + rdfs:seeAlso . + +:AML.T0034 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Cost Harvesting" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0011 ] ; + :atlas-id "AML.T0034" ; + :definition "Adversaries may target different machine learning services to send useless queries or computationally expensive inputs to increase the cost of running services at the victim organization." ; + rdfs:seeAlso . + +:AML.T0035 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "ML Artifact Collection" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0009 ] ; + :atlas-id "AML.T0035" ; + :definition "Adversaries may collect ML artifacts for [Exfiltration](/tactics/AML.TA0010) or for use in [ML Attack Staging](/tactics/AML.TA0001)." ; + rdfs:seeAlso . + +:AML.T0036 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Data from Information Repositories (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0009 ] ; + :atlas-id "AML.T0036" ; + :definition "Adversaries may leverage information repositories to mine valuable information." ; + rdfs:seeAlso . + +:AML.T0037 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Data from Local System (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0009 ] ; + :atlas-id "AML.T0037" ; + :definition "Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration." ; + rdfs:seeAlso . + +:AML.T0040 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "ML Model Inference API Access" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0000 ] ; + :atlas-id "AML.T0040" ; + :definition "Adversaries may gain access to a model via legitimate access to the inference API." ; + rdfs:seeAlso . + +:AML.T0041 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Physical Environment Access" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0000 ] ; + :atlas-id "AML.T0041" ; + :definition "In addition to the attacks that take place purely in the digital domain, adversaries may also exploit the physical environment for their attacks." ; + rdfs:seeAlso . + +:AML.T0042 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Verify Attack" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0001 ] ; + :atlas-id "AML.T0042" ; + :definition "Adversaries can verify the efficacy of their attack via an inference API or access to an offline copy of the target model." ; + rdfs:seeAlso . + +:AML.T0043 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Craft Adversarial Data" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0001 ] ; + :atlas-id "AML.T0043" ; + :definition "Adversarial data are inputs to a machine learning model that have been modified such that they cause the adversary's desired effect in the target model." ; + rdfs:seeAlso . + +:AML.T0043.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "White-Box Optimization" ; + rdfs:subClassOf :AML.T0043 ; + :atlas-id "AML.T0043.000" ; + :definition "In White-Box Optimization, the adversary has full access to the target model and optimizes the adversarial example directly." ; + rdfs:seeAlso . + +:AML.T0043.001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Black-Box Optimization" ; + rdfs:subClassOf :AML.T0043 ; + :atlas-id "AML.T0043.001" ; + :definition "In Black-Box attacks, the adversary has black-box (i.e. [ML Model Inference API Access](/techniques/AML.T0040) via API access) access to the target model." ; + rdfs:seeAlso . + +:AML.T0043.002 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Black-Box Transfer" ; + rdfs:subClassOf :AML.T0043 ; + :atlas-id "AML.T0043.002" ; + :definition "In Black-Box Transfer attacks, the adversary uses one or more proxy models (trained via [Create Proxy ML Model](/techniques/AML.T0005) or [Train Proxy via Replication](/techniques/AML.T0005.001)) they have full access to and are representative of the target model." ; + rdfs:seeAlso . + +:AML.T0043.003 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Manual Modification" ; + rdfs:subClassOf :AML.T0043 ; + :atlas-id "AML.T0043.003" ; + :definition "Adversaries may manually modify the input data to craft adversarial data." ; + rdfs:seeAlso . + +:AML.T0043.004 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Insert Backdoor Trigger" ; + rdfs:subClassOf :AML.T0043 ; + :atlas-id "AML.T0043.004" ; + :definition "The adversary may add a perceptual trigger into inference data." ; + rdfs:seeAlso . + +:AML.T0044 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Full ML Model Access" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0000 ] ; + :atlas-id "AML.T0044" ; + :definition "Adversaries may gain full \"white-box\" access to a machine learning model." ; + rdfs:seeAlso . + +:AML.T0046 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Spamming ML System with Chaff Data" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0011 ] ; + :atlas-id "AML.T0046" ; + :definition "Adversaries may spam the machine learning system with chaff data that causes increase in the number of detections." ; + rdfs:seeAlso . + +:AML.T0047 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "ML-Enabled Product or Service" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0000 ] ; + :atlas-id "AML.T0047" ; + :definition "Adversaries may use a product or service that uses machine learning under the hood to gain access to the underlying machine learning model." ; + rdfs:seeAlso . + +:AML.T0048 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "External Harms" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0011 ] ; + :atlas-id "AML.T0048" ; + :definition "Adversaries may abuse their access to a victim system and use its resources or capabilities to further their goals by causing harms external to that system." ; + rdfs:seeAlso . + +:AML.T0048.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Financial Harm" ; + rdfs:subClassOf :AML.T0048 ; + :atlas-id "AML.T0048.000" ; + :definition "Financial harm involves the loss of wealth, property, or other monetary assets due to theft, fraud or forgery, or pressure to provide financial resources to the adversary." ; + rdfs:seeAlso . + +:AML.T0048.001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Reputational Harm" ; + rdfs:subClassOf :AML.T0048 ; + :atlas-id "AML.T0048.001" ; + :definition "Reputational harm involves a degradation of public perception and trust in organizations. Examples of reputation-harming incidents include scandals or false impersonations." ; + rdfs:seeAlso . + +:AML.T0048.002 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Societal Harm" ; + rdfs:subClassOf :AML.T0048 ; + :atlas-id "AML.T0048.002" ; + :definition "Societal harms might generate harmful outcomes that reach either the general public or specific vulnerable groups such as the exposure of children to vulgar content." ; + rdfs:seeAlso . + +:AML.T0048.003 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "User Harm" ; + rdfs:subClassOf :AML.T0048 ; + :atlas-id "AML.T0048.003" ; + :definition "User harms may encompass a variety of harm types including financial and reputational that are directed at or felt by individual victims of the attack rather than at the organization level." ; + rdfs:seeAlso . + +:AML.T0048.004 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "ML Intellectual Property Theft" ; + rdfs:subClassOf :AML.T0048 ; + :atlas-id "AML.T0048.004" ; + :definition "Adversaries may exfiltrate ML artifacts to steal intellectual property and cause economic harm to the victim organization." ; + rdfs:seeAlso . + +:AML.T0049 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Exploit Public-Facing Application (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0004 ] ; + :atlas-id "AML.T0049" ; + :definition "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services." ; + rdfs:seeAlso . + +:AML.T0050 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Command and Scripting Interpreter (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0005 ] ; + :atlas-id "AML.T0050" ; + :definition "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell." ; + rdfs:seeAlso . + +:AML.T0051 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "LLM Prompt Injection" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0004 ], + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0006 ], + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0007 ], + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0012 ] ; + :atlas-id "AML.T0051" ; + :definition "An adversary may craft malicious prompts as inputs to an LLM that cause the LLM to act in unintended ways." ; + rdfs:seeAlso . + +:AML.T0051.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Direct" ; + rdfs:subClassOf :AML.T0051 ; + :atlas-id "AML.T0051.000" ; + :definition "An adversary may inject prompts directly as a user of the LLM. This type of injection may be used by the adversary to gain a foothold in the system or to misuse the LLM itself, as for example to generate harmful content." ; + rdfs:seeAlso . + +:AML.T0051.001 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Indirect" ; + rdfs:subClassOf :AML.T0051 ; + :atlas-id "AML.T0051.001" ; + :definition "An adversary may inject prompts indirectly via separate data channel ingested by the LLM such as include text or multimedia pulled from databases or websites." ; + rdfs:seeAlso . + +:AML.T0052 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Phishing (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0004 ] ; + :atlas-id "AML.T0052" ; + :definition "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns." ; + rdfs:seeAlso . + +:AML.T0052.000 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Spearphishing via Social Engineering LLM" ; + rdfs:subClassOf :AML.T0052 ; + :atlas-id "AML.T0052.000" ; + :definition "Adversaries may turn LLMs into targeted social engineers." ; + rdfs:seeAlso . + +:AML.T0053 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "LLM Plugin Compromise" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0005 ], + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0012 ] ; + :atlas-id "AML.T0053" ; + :definition "Adversaries may use their access to an LLM that is part of a larger system to compromise connected plugins." ; + rdfs:seeAlso . + +:AML.T0054 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "LLM Jailbreak" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0007 ], + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0012 ] ; + :atlas-id "AML.T0054" ; + :definition "An adversary may use a carefully crafted [LLM Prompt Injection](/techniques/AML.T0051) designed to place LLM in a state in which it will freely respond to any user input, bypassing any controls, restrictions, or guardrails placed on the LLM." ; + rdfs:seeAlso . + +:AML.T0055 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Unsecured Credentials (ATLAS)" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0013 ] ; + :atlas-id "AML.T0055" ; + :definition "Adversaries may search compromised systems to find and obtain insecurely stored credentials." ; + rdfs:seeAlso . + +:AML.T0056 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "LLM Meta Prompt Extraction" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0008 ], + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0010 ] ; + :atlas-id "AML.T0056" ; + :definition "An adversary may induce an LLM to reveal its initial instructions, or \"meta prompt.\"" ; + rdfs:seeAlso . + +:AML.T0057 a :ATLASTechnique, + owl:Class, + owl:NamedIndividual ; + rdfs:label "LLM Data Leakage" ; + rdfs:subClassOf :ATLASTechnique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :AML.TA0010 ] ; + :atlas-id "AML.T0057" ; + :definition "Adversaries may craft prompts that induce the LLM to leak sensitive information." ; + rdfs:seeAlso . + +:AML.TA0000 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "ML Model Access (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0000" ; + :definition "The adversary is attempting to gain some level of access to a machine learning model." ; + rdfs:seeAlso . + +:AML.TA0001 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "ML Attack Staging (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0001" ; + :definition "The adversary is leveraging their knowledge of and access to the target system to tailor the attack." ; + rdfs:seeAlso . + +:AML.TA0002 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Reconnaissance (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0002" ; + :definition "The adversary is trying to gather information about the machine learning system they can use to plan future operations." ; + rdfs:seeAlso . + +:AML.TA0003 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Resource Development (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0003" ; + :definition "The adversary is trying to establish resources they can use to support operations." ; + rdfs:seeAlso . + +:AML.TA0004 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Initial Access (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0004" ; + :definition "The adversary is trying to gain access to the machine learning system." ; + rdfs:seeAlso . + +:AML.TA0005 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Execution (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0005" ; + :definition "The adversary is trying to run malicious code embedded in machine learning artifacts or software." ; + rdfs:seeAlso . + +:AML.TA0006 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Persistence (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0006" ; + :definition "The adversary is trying to maintain their foothold via machine learning artifacts or software." ; + rdfs:seeAlso . + +:AML.TA0007 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Defense Evasion (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0007" ; + :definition "The adversary is trying to avoid being detected by machine learning-enabled security software." ; + rdfs:seeAlso . + +:AML.TA0008 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Discovery (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0008" ; + :definition "The adversary is trying to figure out your machine learning environment." ; + rdfs:seeAlso . + +:AML.TA0009 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Collection (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0009" ; + :definition "The adversary is trying to gather machine learning artifacts and other related information relevant to their goal." ; + rdfs:seeAlso . + +:AML.TA0010 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Exfiltration (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0010" ; + :definition "The adversary is trying to steal machine learning artifacts or other information about the machine learning system." ; + rdfs:seeAlso . + +:AML.TA0011 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Impact (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0011" ; + :definition "The adversary is trying to manipulate, interrupt, erode confidence in, or destroy your machine learning systems and data." ; + rdfs:seeAlso . + +:AML.TA0012 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Privilege Escalation (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0012" ; + :definition "The adversary is trying to gain higher-level permissions." ; + rdfs:seeAlso . + +:AML.TA0013 a :ATLASTactic, + owl:Class, + owl:NamedIndividual ; + rdfs:label "Credential Access (ATLAS Tactic)" ; + rdfs:subClassOf :ATLASTactic ; + :atlas-id "AML.TA0013" ; + :definition "The adversary is trying to steal account names and passwords." ; + rdfs:seeAlso . + :AnalysisOfAlternatives a owl:Class ; rdfs:label "Analysis of Alternatives" ; rdfs:subClassOf :D3FENDCatalogThing, @@ -2345,6 +3385,40 @@ Day, O., & Khoshgoftaar, T.M. (2017). A survey on heterogeneous transfer learnin :definition "Asymmetric keys are public and private keys, paired such that asymmetric (public-key) cryptography algorithms can be implemented using them. Public-key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys that may be disseminated widely paired with private keys which are known only to the owner. There are two functions that can be achieved: using a public key to authenticate that a message originated with a holder of the paired private key; or encrypting a message with a public key to ensure that only the holder of the paired private key can decrypt it." ; rdfs:seeAlso . +:ATLASMitigation a owl:Class ; + rdfs:label "ATLAS Mitigation" ; + rdfs:subClassOf :ATLASThing, + [ a owl:Restriction ; + owl:onProperty :semantic-relation ; + owl:someValuesFrom :DefensiveTechnique ] ; + :definition "ATLAS mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed." ; + rdfs:seeAlso . + +:ATLASTactic a owl:Class ; + rdfs:label "ATLAS Tactic" ; + rdfs:subClassOf :ATLASThing, + :Goal, + [ a owl:Restriction ; + owl:onProperty :enabled-by ; + owl:someValuesFrom :ATLASTechnique ] ; + :definition "An ATLAS Tactic is a categorical classification of techniques within the MITRE ATLAS™ framework, representing adversarial goals particular to artificial intelligence systems. It also adapts MITRE ATT&CK® Enterprise Matrix tactics by integrating machine learning concepts, thus capturing the unique motives behind actions in AI-specific operations." ; + rdfs:seeAlso . + +:ATLASTechnique a owl:Class ; + rdfs:label "ATLAS Technique" ; + rdfs:subClassOf :Action, + :ATLASThing, + :Technique, + [ a owl:Restriction ; + owl:onProperty :enables ; + owl:someValuesFrom :ATLASTactic ] ; + :definition "An ATLAS Technique is an action conducted by adversaries to accomplish tactical goals within the context of artificial intelligence systems. These techniques articulate both 'how' adversaries execute these actions to reach their objectives and 'what' outcomes are achieved from these maneuvers." ; + rdfs:seeAlso . + +:ATLASThing a owl:Class ; + rdfs:label "ATLAS Thing" ; + rdfs:subClassOf :ExternalThreatModelThing . + :ATTACKEnterpriseMitigation a owl:Class ; rdfs:label "ATTACK Enterprise Mitigation" ; rdfs:subClassOf :ATTACKEnterpriseThing, @@ -26793,6 +27867,217 @@ Wikipedia. (n.d.). Central tendency. [Link](https://en.wikipedia.org/wiki/Centra :ProcessCodeSegment ; rdfs:label "AMD64 Code Segment" . +:AML.M0000 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Limit Release of Public Information" ; + :atlas-id "AML.M0000" ; + :definition "Limit the public release of technical information about the machine learning stack used in an organization's products or services. Technical knowledge of how machine learning is used can be leveraged by adversaries to perform targeting and tailor attacks to the target system. Additionally, consider limiting the release of organizational information - including physical locations, researcher names, and department structures - from which technical details such as machine learning techniques, model architectures, or datasets may be inferred." ; + rdfs:seeAlso ; + :related :AML.T0000, + :AML.T0002, + :AML.T0003, + :AML.T0004 . + +:AML.M0001 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Limit Model Artifact Release" ; + :atlas-id "AML.M0001" ; + :definition "Limit public release of technical project details including data, algorithms, model architectures, and model checkpoints that are used in production, or that are representative of those used in production." ; + rdfs:seeAlso ; + :related :AML.T0002.000, + :AML.T0002.001, + :AML.T0020 . + +:AML.M0002 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Passive ML Output Obfuscation" ; + :atlas-id "AML.M0002" ; + :definition "Decreasing the fidelity of model outputs provided to the end user can reduce an adversaries ability to extract information about the model and optimize attacks for the model." ; + rdfs:seeAlso ; + :related :AML.T0013, + :AML.T0014, + :AML.T0024.000, + :AML.T0024.001, + :AML.T0024.002, + :AML.T0043.001 . + +:AML.M0003 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Model Hardening" ; + :atlas-id "AML.M0003" ; + :definition "Use techniques to make machine learning models robust to adversarial inputs such as adversarial training or network distillation." ; + rdfs:seeAlso ; + :related :AML.T0015, + :AML.T0031 . + +:AML.M0004 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Restrict Number of ML Model Queries" ; + :atlas-id "AML.M0004" ; + :definition "Limit the total number and rate of queries a user can perform." ; + rdfs:seeAlso ; + :related :AML.T0013, + :AML.T0014, + :AML.T0024, + :AML.T0024.000, + :AML.T0024.001, + :AML.T0024.002, + :AML.T0029, + :AML.T0034, + :AML.T0043.001, + :AML.T0046 . + +:AML.M0005 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Control Access to ML Models and Data at Rest" ; + :atlas-id "AML.M0005" ; + :definition "Establish access controls on internal model registries and limit internal access to production models. Limit access to training data only to approved users." ; + rdfs:seeAlso ; + :related :AML.T0010.002, + :AML.T0010.003, + :AML.T0018.000, + :AML.T0018.001, + :AML.T0020, + :AML.T0025, + :AML.T0048.004 . + +:AML.M0006 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Use Ensemble Methods" ; + :atlas-id "AML.M0006" ; + :definition "Use an ensemble of models for inference to increase robustness to adversarial inputs. Some attacks may effectively evade one model or model family but be ineffective against others." ; + rdfs:seeAlso ; + :related :AML.T0010.001, + :AML.T0010.003, + :AML.T0014, + :AML.T0015, + :AML.T0031 . + +:AML.M0007 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Sanitize Training Data" ; + :atlas-id "AML.M0007" ; + :definition "Detect and remove or remediate poisoned training data. Training data should be sanitized prior to model training and recurrently for an active learning model." ; + rdfs:seeAlso ; + :related :AML.T0010.002, + :AML.T0018.000, + :AML.T0020 . + +:AML.M0008 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Validate ML Model" ; + :atlas-id "AML.M0008" ; + :definition "Validate that machine learning models perform as intended by testing for backdoor triggers or adversarial bias." ; + rdfs:seeAlso ; + :related :AML.T0010.003, + :AML.T0018.000, + :AML.T0018.001 . + +:AML.M0009 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Use Multi-Modal Sensors" ; + :atlas-id "AML.M0009" ; + :definition "Incorporate multiple sensors to integrate varying perspectives and modalities to avoid a single point of failure susceptible to physical attacks." ; + rdfs:seeAlso ; + :related :AML.T0015, + :AML.T0041 . + +:AML.M0010 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Input Restoration" ; + :atlas-id "AML.M0010" ; + :definition "Preprocess all inference data to nullify or reverse potential adversarial perturbations." ; + rdfs:seeAlso ; + :related :AML.T0015, + :AML.T0031, + :AML.T0043.001 . + +:AML.M0011 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Restrict Library Loading" ; + :atlas-id "AML.M0011" ; + :definition "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software." ; + rdfs:seeAlso ; + :related :AML.T0011.000 . + +:AML.M0012 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Encrypt Sensitive Information" ; + :atlas-id "AML.M0012" ; + :definition "Encrypt sensitive data such as ML models to protect against adversaries attempting to access sensitive data." ; + rdfs:seeAlso ; + :related :AML.T0007, + :AML.T0035, + :AML.T0048.004 . + +:AML.M0013 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Code Signing" ; + :atlas-id "AML.M0013" ; + :definition "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing. Adversaries can embed malicious code in ML software or models. Enforcement of code signing can prevent the compromise of the machine learning supply chain and prevent execution of malicious code." ; + rdfs:seeAlso ; + :related :AML.T0010.001, + :AML.T0010.003, + :AML.T0011.000 . + +:AML.M0014 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Verify ML Artifacts" ; + :atlas-id "AML.M0014" ; + :definition "Verify the cryptographic checksum of all machine learning artifacts to verify that the file was not modified by an attacker." ; + rdfs:seeAlso ; + :related :AML.T0010, + :AML.T0011.000, + :AML.T0019 . + +:AML.M0015 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Adversarial Input Detection" ; + :atlas-id "AML.M0015" ; + :definition "Detect and block adversarial inputs or atypical queries that deviate from known benign behavior, exhibit behavior patterns observed in previous attacks or that come from potentially malicious IPs." ; + rdfs:seeAlso ; + :related :AML.T0015, + :AML.T0029, + :AML.T0031, + :AML.T0043.001 . + +:AML.M0016 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Vulnerability Scanning" ; + :atlas-id "AML.M0016" ; + :definition "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them." ; + rdfs:seeAlso ; + :related :AML.T0011.000, + :AML.T0018 . + +:AML.M0017 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Model Distribution Methods" ; + :atlas-id "AML.M0017" ; + :definition "Deploying ML models to edge devices can increase the attack surface of the system." ; + rdfs:seeAlso ; + :related :AML.T0010.003, + :AML.T0043.000, + :AML.T0044 . + +:AML.M0018 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "User Training" ; + :atlas-id "AML.M0018" ; + :definition "Educate ML model developers on secure coding practices and ML vulnerabilities." ; + rdfs:seeAlso ; + :related :AML.T0011, + :AML.T0011.000 . + +:AML.M0019 a :ATLASMitigation, + owl:NamedIndividual ; + rdfs:label "Control Access to ML Models and Data in Production" ; + :atlas-id "AML.M0019" ; + :definition "Require users to verify their identities before accessing a production model." ; + rdfs:seeAlso ; + :related :AML.T0024, + :AML.T0040 . + :ARM32CodeSegment a :ImageCodeSegment, owl:NamedIndividual, :ProcessCodeSegment ; diff --git a/src/util/update_atlas.py b/src/util/update_atlas.py new file mode 100644 index 00000000..88cbffa9 --- /dev/null +++ b/src/util/update_atlas.py @@ -0,0 +1,506 @@ +from stix2 import MemoryStore, Filter +from rdflib import URIRef, Literal, RDF, RDFS, Namespace, BNode +from build import get_graph, _xmlns as _XMLNS +import sys + +owl = Namespace("http://www.w3.org/2002/07/owl#") +rdfs = Namespace("http://www.w3.org/2000/01/rdf-schema#") +d3fend = Namespace("http://d3fend.mitre.org/ontologies/d3fend.owl#") + + +def _print(*args): + print(" ".join([str(a) for a in args]).rjust(80, " ")) + print() + + +# Parses data in stix-atlas.json and returns list of techniques with following annotations: +# id: atlas id +# superclasses: superclass, list of superclasses if not subtechnique +# label: technique name +# missing: is tech missing from d3fend graph +# label_change: does tech's label need updating +# deprecated: if tech is deprecated +# revoked: if tech is revoked +# revoked_by: tech revoked technique is revoked by +def get_stix_data(thesrc, graph): + data = [] + query_results = thesrc.query( + [ + Filter("external_references.source_name", "=", "mitre-atlas"), + Filter("type", "=", "attack-pattern"), + ] + ) + superclasses_dict = generate_superclass(query_results, thesrc) + for tech in query_results: + deprecated = tech.get("x_mitre_deprecated", False) + revoked = tech.get("revoked", False) + atlas_id = next( + ( + ref.get("external_id") + for ref in tech["external_references"] + if ref.get("source_name") == "mitre-atlas" + ), + None, + ) + superclasses = superclasses_dict[atlas_id] + atlas_uri = URIRef(_XMLNS + atlas_id) + current_label = graph.value(atlas_uri, RDFS.label) + label_change = False + + if current_label is not None: + label_change = current_label.strip() != tech["name"] + + revoked_by_id = "" + if revoked: + revoked_by_dict = get_revoked_by(thesrc) + revoked_by = revoked_by_dict[tech["id"]] + revoked_by_tech = [ + obj for obj in query_results if obj.get("id") == revoked_by + ][0] + revoked_by_id = next( + ( + ref.get("external_id") + for ref in revoked_by_tech["external_references"] + if ref.get("source_name") == "mitre-atlas" + ), + None, + ) + + entry = { + "data": tech, + "id": atlas_id, + "superclasses": superclasses, + "label": tech["name"], + "missing": current_label is None, + "label_change": label_change, + "deprecated": deprecated, + "revoked": revoked, + "revoked_by": revoked_by_id, + } + data.append(entry) + + return data + + +# Adds deprecated annotations to techniques in d3fend graph +def add_deprecated(graph, tech): + tech = tech["data"] + atlas_id = next( + ( + ref.get("external_id") + for ref in tech["external_references"] + if ref.get("source_name") == "mitre-atlas" + ), + None, + ) + atlas_uri = URIRef(_XMLNS + atlas_id) + new = 0 + + if (None, None, Literal(atlas_id)) in graph: + deprecated_property = graph.value(atlas_uri, owl.deprecated) + # Check if tech already has deprecated annotations + if deprecated_property is None: + new = 1 + # Add a triple indicating deprecation + graph.add((atlas_uri, owl.deprecated, Literal(True))) + graph.add( + (atlas_uri, rdfs.comment, Literal(tech["description"].split("\n")[0])) + ) + return new + + +# Adds revoked annotations to techniques in d3fend graph +def add_revoked(graph, tech): + revoked_by = tech["revoked_by"] + tech = tech["data"] + atlas_id = next( + ( + ref.get("external_id") + for ref in tech["external_references"] + if ref.get("source_name") == "mitre-atlas" + ), + None, + ) + atlas_uri = URIRef(_XMLNS + atlas_id) + new = 0 + + if (None, None, Literal(atlas_id)) in graph: + revoked_property = graph.value(atlas_uri, owl.deprecated) + # Check if tech already has revoked annotations + if revoked_property is None: + new = 1 + # Add a triple indicating deprecation + graph.add((atlas_uri, rdfs.seeAlso, Literal(revoked_by))) + graph.add((atlas_uri, owl.deprecated, Literal(True))) + graph.add( + ( + atlas_uri, + rdfs.comment, + Literal(f"This technique has been revoked by {revoked_by}"), + ) + ) + return new + + +# Returns a dictionary of which technique was revoked by another technique +# Parses relationship objects in stix-atlas.json +def get_revoked_by(thesrc): + revoked_by = {} + relationships = thesrc.query( + [ + Filter("type", "=", "relationship"), + Filter("relationship_type", "=", "revoked-by"), + ] + ) + for relationship in relationships: + revoked_by[relationship.source_ref] = relationship.target_ref + + return revoked_by + + +# Returns a dictionary of superclasses for each technique +# If subtechnique, superclass is just parent technique +# If technique, superclass is tactic or list of tactics +def generate_superclass(all_techniques, thesrc): + superclass = {} + + # Query to retrieve all tactics from the source + tactics = thesrc.query( + [ + Filter("external_references.source_name", "=", "mitre-atlas"), + Filter("type", "=", "x-mitre-tactic"), + ] + ) + + # Create a dictionary to map tactic short names to their IDs + tactic_dict = {} + for tactic in tactics: + # Assume each tactic has one or more external_references and has a property x_mitre_shortname + shortname = tactic["x_mitre_shortname"] + for ref in tactic["external_references"]: + if ref.get("source_name") == "mitre-atlas": + tactic_dict[shortname] = ref.get("external_id") + + for tech in all_techniques: + atlas_id = next( + ( + ref.get("external_id") + for ref in tech["external_references"] + if ref.get("source_name") == "mitre-atlas" + ), + None, + ) + if atlas_id: + # Check if it is a subtechnique + if tech.get("x_mitre_is_subtechnique", False): + # Parent technique's ID is part of the atlas_id for subtechniques + superclass[atlas_id] = ( + atlas_id.split(".")[0] + "." + atlas_id.split(".")[1] + ) + else: + # List to hold all superclasses for this technique + classes = [] + # Iterate over kill chain phases + for obj in tech["kill_chain_phases"]: + # Retrieve the tactic ID using the short name + tactic_id = tactic_dict[obj["phase_name"]] + classes.append(tactic_id) + superclass[atlas_id] = classes + + return superclass + + +# Adds missing techniques to ttl file +def add_to_ttl(tech, graph): + # 3 cases: + # Not deprecated or revoked: add class, label, atlas-id, subClassOf + # Deprecated: add class, label, atlas-id, subclassOf, owl:deprecated true + # Revoked: add class, label, atlas-id, subClassOf, owl:deprecated true, rdfs:seeAlso revoked_by_technique + # Have not seen any cases of deprecated & revoked + + name = tech["label"] + atlas_id = tech["id"] + subclass = tech["superclasses"] + revoked_by = tech["revoked_by"] + subtechnique = tech["data"].get("x_mitre_is_subtechnique", False) + atlas_uri = URIRef(_XMLNS + atlas_id) + key = "" + + if tech["deprecated"]: + graph.add((atlas_uri, RDF.type, owl.Class)) + graph.add((atlas_uri, RDFS.label, Literal(name))) + if subtechnique: + graph.add((atlas_uri, RDFS.subClassOf, d3fend[subclass])) + else: + # Handle multiple superclasses + for subclass_of in subclass: + graph.add((atlas_uri, RDFS.subClassOf, d3fend[subclass_of])) + graph.add((atlas_uri, d3fend["atlas-id"], Literal(atlas_id))) + graph.add((atlas_uri, owl.deprecated, Literal(True))) + graph.add( + ( + atlas_uri, + rdfs.comment, + Literal(tech["data"]["description"].split("\n")[0]), + ) + ) + key = "missing_deprecated" + + elif tech["revoked"]: + graph.add((atlas_uri, RDF.type, owl.Class)) + graph.add((atlas_uri, RDFS.label, Literal(name))) + if subtechnique: + graph.add((atlas_uri, RDFS.subClassOf, d3fend[subclass])) + else: + for subclass_of in subclass: + graph.add((atlas_uri, RDFS.subClassOf, d3fend[subclass_of])) + graph.add((atlas_uri, d3fend["atlas-id"], Literal(atlas_id))) + graph.add((atlas_uri, owl.deprecated, Literal(True))) + graph.add((atlas_uri, rdfs.seeAlso, Literal(revoked_by))) + graph.add( + ( + atlas_uri, + rdfs.comment, + Literal(f"This technique has been revoked by {revoked_by}"), + ) + ) + key = "missing_revoked" + + else: + graph.add((atlas_uri, RDF.type, owl.Class)) + graph.add((atlas_uri, RDF.type, owl.NamedIndividual)) + graph.add((atlas_uri, RDF.type, d3fend["ATLASTechnique"])) + graph.add((atlas_uri, RDFS.label, Literal(name))) + graph.add( + ( + atlas_uri, + RDFS.seeAlso, + URIRef("https://atlas.mitre.org/techniques/" + atlas_id), + ) + ) + if subtechnique: + graph.add((atlas_uri, RDFS.subClassOf, d3fend[subclass])) + else: + graph.add((atlas_uri, RDFS.subClassOf, d3fend["ATLASTechnique"])) + for subclass_of in subclass: + enables = BNode() + graph.add((enables, RDF.type, owl.Restriction)) + graph.add((enables, owl.onProperty, d3fend["enables"])) + graph.add((enables, owl.someValuesFrom, d3fend[subclass_of])) + graph.add((atlas_uri, RDFS.subClassOf, enables)) + graph.add((atlas_uri, d3fend["atlas-id"], Literal(atlas_id))) + key = "missing_neither" + return key + + +def update_definition(graph, tech): + tech = tech["data"] + atlas_id = next( + ( + ref.get("external_id") + for ref in tech["external_references"] + if ref.get("source_name") == "mitre-atlas" + ), + None, + ) + atlas_uri = URIRef(_XMLNS + atlas_id) + new = 0 + + if (None, None, Literal(atlas_id)) in graph: + + def_property = graph.value(atlas_uri, d3fend["definition"]) + # Check if tech already has definition + if def_property is None: + new = 1 + # Add definition + graph.add( + ( + atlas_uri, + d3fend["definition"], + Literal(tech["description"].split("\n")[0]), + ) + ) + return new + + +def update_and_add(graph, data, thesrc): + # If tech is missing, add it to d3fend-protege.atlas.ttl + # Else, handle if technique has recently become deprecated, revoked, or has an updated label + + counters = { + "missing": 0, + "missing_deprecated": 0, + "missing_revoked": 0, + "missing_neither": 0, + "recently_deprecated": 0, + "recently_revoked": 0, + "label_change": 0, + } + + for tech in data: + if tech["missing"]: + key = add_to_ttl(tech, graph) + counters["missing"] += 1 + counters[key] += 1 + else: + if tech["deprecated"]: + new = add_deprecated(graph, tech) + counters["recently_deprecated"] += new + elif tech["revoked"]: + new = add_revoked(graph, tech) + counters["recently_revoked"] += new + elif tech["label_change"]: + atlas_uri = URIRef(_XMLNS + tech["id"]) + current_label = graph.value(atlas_uri, RDFS.label) + graph.remove((atlas_uri, RDFS.label, current_label)) + graph.add((atlas_uri, RDFS.label, Literal(tech["label"]))) + counters["label_change"] += 1 + update_definition(graph, tech) + + # Add tactics to graph + for tactic in thesrc.query( + [ + Filter("external_references.source_name", "=", "mitre-atlas"), + Filter("type", "=", "x-mitre-tactic"), + ] + ): + atlas_id = next( + ( + ref.get("external_id") + for ref in tactic["external_references"] + if ref.get("source_name") == "mitre-atlas" + ), + None, + ) + tactic_uri = URIRef(_XMLNS + atlas_id) + if (tactic_uri, None, None) not in graph: + graph.add((tactic_uri, RDF.type, owl.Class)) + graph.add((tactic_uri, RDF.type, owl.NamedIndividual)) + graph.add((tactic_uri, RDF.type, d3fend["ATLASTactic"])) + graph.add( + (tactic_uri, RDFS.label, Literal(tactic["name"] + " (ATLAS Tactic)")) + ) + graph.add((tactic_uri, RDFS.subClassOf, d3fend["ATLASTactic"])) + graph.add( + ( + tactic_uri, + d3fend["definition"], + Literal(tactic["description"].split("\n")[0]), + ) + ) + graph.add((tactic_uri, d3fend["atlas-id"], Literal(atlas_id))) + graph.add( + ( + tactic_uri, + RDFS.seeAlso, + URIRef("https://atlas.mitre.org/tactics/" + atlas_id), + ) + ) + + # Add mitigations to graph + for mitigation in thesrc.query( + [ + Filter("external_references.source_name", "=", "mitre-atlas"), + Filter("type", "=", "course-of-action"), + ] + ): + atlas_id = next( + ( + ref.get("external_id") + for ref in mitigation["external_references"] + if ref.get("source_name") == "mitre-atlas" + ), + None, + ) + mitigation_uri = URIRef(_XMLNS + atlas_id) + + relations = thesrc.relationships( + mitigation["id"], "mitigates", source_only=True + ) + mitigates_techs = [ + tech + for tech in thesrc.query( + [Filter("id", "in", [rel.target_ref for rel in relations])] + ) + ] + mitigates = [ + next( + ( + ref.get("external_id") + for ref in tech["external_references"] + if ref.get("source_name") == "mitre-atlas" + ), + None, + ) + for tech in mitigates_techs + ] + + if (mitigation_uri, None, None) not in graph: + graph.add((mitigation_uri, RDF.type, owl.NamedIndividual)) + graph.add((mitigation_uri, RDF.type, d3fend["ATLASMitigation"])) + graph.add((mitigation_uri, RDFS.label, Literal(mitigation["name"]))) + graph.add( + ( + mitigation_uri, + d3fend["definition"], + Literal(mitigation["description"].split("\n")[0]), + ) + ) + graph.add((mitigation_uri, d3fend["atlas-id"], Literal(atlas_id))) + graph.add( + ( + mitigation_uri, + RDFS.seeAlso, + URIRef("https://atlas.mitre.org/mitigations/" + atlas_id), + ) + ) + + for tech_atlas_id in mitigates: + graph.add((mitigation_uri, d3fend["related"], d3fend[tech_atlas_id])) + + return counters + + +def main(do_counters=True, ATLAS_VERSION="4.5.2"): + + src = MemoryStore() + src.load_from_file("data/stix-atlas.json") + d3fend_graph = get_graph(filename="src/ontology/d3fend-protege.atlas.ttl") + + data = get_stix_data(src, d3fend_graph) # parse stix data + counters = update_and_add( + d3fend_graph, data, src + ) # add new techniques and modify current ones + + d3fend_graph.serialize( + destination="src/ontology/d3fend-protege.atlas.ttl", format="turtle" + ) + + if do_counters: + # Print some stats + _print("Valid ATLAS ids found in stix document:", len(data)) + _print("Valid ATLAS ids missing from D3FEND graph:", counters["missing"]) + _print( + "Valid Deprecated ATLAS ids missing from D3FEND graph:", + counters["missing_deprecated"], + ) + _print( + "Valid Revoked ATLAS ids missing from D3FEND graph:", + counters["missing_revoked"], + ) + _print( + "Recently Deprecated ATLAS ids in D3FEND graph:", + counters["recently_deprecated"], + ) + _print( + "Recently Revoked ATLAS ids in D3FEND graph:", counters["recently_revoked"] + ) + _print( + "Valid ATLAS ids in graph that needed label change in graph:", + counters["label_change"], + ) + + +if __name__ == "__main__": + version = sys.argv[1] + main(do_counters=True, ATLAS_VERSION=version) diff --git a/src/util/update_atlas.sh b/src/util/update_atlas.sh new file mode 100644 index 00000000..5274fd16 --- /dev/null +++ b/src/util/update_atlas.sh @@ -0,0 +1,32 @@ +## +## This script creates a D3FEND ontology update from the ATLAS STIX JSON document +## After running the user must manually compare & replace d3fend-protege.atlas.ttl +## + +GREEN='\033[0;32m' +YELLOW='\033[0;33m' + +ATLAS_VERSION=$1 + +atlas="data/stix-atlas.json" +if [ ! -f "$atlas" ]; then + echo -e "${GREEN}No ATLAS file found \n" + echo -e "${GREEN}Running make download-atlas ATLAS_VERSION=${ATLAS_VERSION} \n" + make download-atlas ATLAS_VERSION="${ATLAS_VERSION}" +else + echo -e "${GREEN}Using ${atlas} for atlas data \n" +fi + +cp src/ontology/d3fend-protege.ttl src/ontology/d3fend-protege.atlas.ttl + +pipenv run python src/util/test_cases.py || exit 1 + +echo -e "${GREEN}All test cases passed \n" + +pipenv run python src/util/update_atlas.py "$ATLAS_VERSION" || exit 1 + +pipenv run ttlfmt src/ontology/d3fend-protege.atlas.ttl + +echo -e "${YELLOW}Created new ontology file with updates here: src/ontology/d3fend-protege.atlas.ttl \n" +echo -e "Please manually review and compare to: src/ontology/d3fend-protege.ttl \n" +echo -e "If changes acceptable, replace files \n"