Deliverable D2.10
Certification Graph – 1
Editor(s): Verena Geist, Stefan Schöberl
Responsible Partner: Software Competence Center Hagenberg GmbH
Status-Version: Final
Date: 31.01.2025
Type: OTHER
Distribution level (SEN, PU): PU
D2.10 – Certification Graph – 1 Version 1.0 – Final. Date: 31.01.2025
© EMERALD Consortium Contract No. GA 101120688 Page 2 of 28
www.emerald-he.eu
Project Number: 101120688
Project Title: EMERALD
Title of Deliverable: Certification Graph – 1
Due Date of Delivery to the EC: 31.01.2025
Workpackage responsible for the Deliverable: WP2 – Methodology for Knowledge Extraction
Editor(s): Verena Geist, Stefan Schöberl (SCCH)
Contributor(s): Angelika Schneider, Florian Wendland, Christian Banse (FHG)
Reviewer(s): Angela Fessl (KNOW); Cristina Martínez, Juncal Alonso (TECNALIA)
Approved by: All Partners
Recommended/mandatory readers: WP2, WP3
Abstract: EMERALD aims to integrate evidence collected at different levels of the cloud service into a single graph-based structure, the Certification Graph. This document describes the interim version of the graph, i.e. its schema (or ontology), with semantically linked and combined evidence. The development mainly involves work of T2.1 and T2.6, but also inputs of T2.2, T2.3, T2.4, T2.5, and T3.1 are considered.
Keyword List: Knowledge graph schema, ontology extensions, security features, knowledge integration, combined evidence analysis.
Licensing information: This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0 DEED https://creativecommons.org/licenses/by-sa/4.0/)
Disclaimer: Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. The European Union cannot be held responsible for them.
Document Description
Version | Date | Modifications Introduced | Modification Reason | Modified by
0.1 | 03.12.2024 | First draft version, key information, and TOC. | | Verena Geist (SCCH)
0.2 | 05.12.2024 | Executive summary, introduction, functional description, requirements fulfilment, technical specifications, licensing information, and download. | | Verena Geist (SCCH)
0.3 | 09.12.2024 | Recap and changes, architecture, and references. | | Verena Geist (SCCH)
0.4 | 08.01.2025 | Details on ontology extensions, delivery, and usage. | | Stefan Schöberl (SCCH)
0.5 | 10.01.2025 | Review of content. | | Angelika Schneider (FHG)
0.6 | 13.01.2025 | Finalization before internal review. | | Verena Geist (SCCH), Stefan Schöberl (SCCH)
0.7 | 15.01.2025 | Internal Review. | | Angela Fessl (KNOW)
0.8 | 23.01.2025 | Addressing internal review and improving subcomponents description and illustrative example. | | Verena Geist (SCCH), Stefan Schöberl (SCCH)
0.9 | 27.01.2025 | Final reviewed version. | | Cristina Martínez, Juncal Alonso (TECNALIA)
1.0 | 31.01.2025 | Submitted to the European Commission. | | Cristina Martínez, Juncal Alonso (TECNALIA)
Table of contents
Terms and abbreviations ...... 6
Executive Summary ...... 7
1 Introduction ...... 8
1.1 About this deliverable ...... 8
1.2 Document structure ...... 9
2 Recap of the initial draft of the CertGraph ontology and changes ...... 10
3 The CertGraph ontology (interim version) ...... 11
3.1 Functional description ...... 11
3.2 Technical description ...... 14
3.2.1 Architecture ...... 14
3.2.2 Subcomponents description ...... 15
3.2.3 Technical specifications ...... 21
3.3 Delivery and usage ...... 21
3.3.1 Download ...... 21
3.3.2 Package information ...... 22
3.3.3 Instructions to use ...... 22
3.3.4 Licensing information ...... 22
3.4 Limitations and future work ...... 23
4 Refined illustrative example of modelling and combining evidence information of the used TLS Version ...... 24
5 Conclusions ...... 26
6 References ...... 27
List of tables
Table 1. REQ.01 - Formal language ...... 11
Table 2. REQ.02 - Clear conceptualization ...... 11
Table 3. REQ.03 - Hierarchical structure of concepts ...... 11
Table 4. REQ.04 - Reasoning and consistency checking ...... 12
Table 5. REQ.05 - Interoperability and extensibility ...... 12
Table 6. REQ.06 - Documentation and annotation ...... 12
Table 7. REQ.07 - Versioning ...... 12
Table 8. Overview and description of package structure for the CertGraph ontology ...... 22
List of figures
Figure 1. Initial design of the CertGraph ontology with sub-ontologies and extensions from D2.1 [1] ...... 10
Figure 2. EMERALD component overview diagram [12] ...... 14
Figure 3. Updated design of the CertGraph ontology ...... 15
Figure 4. Excerpt of the Evidence sub-ontology ...... 16
Figure 5. Excerpt of the Framework sub-ontology ...... 16
Figure 6. Excerpt of the Functionality sub-ontology ...... 17
Figure 7. Excerpt of the Properties sub-ontology ...... 17
Figure 8. Excerpt of the Security sub-ontology ...... 18
Figure 9. Excerpt of the Cloud ontology extension ...... 19
Figure 10. Excerpt of the Application ontology extension ...... 19
Figure 11. Excerpt of the ML ontology extension ...... 20
Figure 12. Excerpt of the Document ontology extension ...... 21
Figure 13. Classes (rectangles) and instances (hexagons) for the TLS example, showing evidence found in source code (implemented) and corresponding evidence in a document (specified) regarding transport encryption, which can be used to verify CRY-02 from BSI C5:2020 (adapted from [9]) ...... 24
Terms and abbreviations
AI – Artificial Intelligence
AI-SEC – AI Security Evidence Collector
AMOE – Assessment and Management of Organizational Evidence
BSI – Bundesamt für Sicherheit in der Informationstechnik
BSI C5 – BSI Cloud Computing Compliance Criteria Catalogue
CertGraph – Certification Graph
Codyze – Static Code Analyzer
EC – European Commission
eknows – Platform for software analysis
eknows-e3 – Extractor component developed in the context of EMERALD
GA – Grant Agreement of the project
HTTP – Hypertext Transfer Protocol
ID – Identity
KR – Key Result
MEDINA – Predecessor project of EMERALD
ML – Machine Learning
NLP – Natural Language Processing
OTP – One-time password
OWL – Web Ontology Language
PDF – Portable Document Format
Protobuf – Protocol Buffers
RDF – Resource Description Framework
RCM – Repository of Controls and Metrics
SSO – Single Sign-On
SPARQL – SPARQL Protocol And RDF Query Language
SWRL – Semantic Web Rule Language
TLS – Transport Layer Security
UI – User Interface
URI – Uniform Resource Identifier
WP – Work Package
XML – Extensible Markup Language
Executive Summary
This deliverable describes the interim version of the central Certification Graph schema (i.e., the CertGraph ontology) for storing evidence in a graph-based format and is the refinement of the initial work on designing the CertGraph ontology in D2.1 [1]. This ontology serves as a common structure for semantically linked and combined evidence that is filled by all evidence extraction components of WP2.
By developing the CertGraph ontology, this deliverable contributes to the key result CERTGRAPH (KR2) of the EMERALD project to provide a unified graph-based model of the cloud service under certification at different layers of the service. Following a knowledge graph-based approach in EMERALD, the ontology for storing and linking heterogeneous evidence information is developed in WP2, and the model is then implemented as a knowledge graph in WP3.
First, this document starts with a recap of the CertGraph ontology from D2.1 [1] and indicates current changes. Second, the main part provides the functional and technical descriptions of the ontology, including its sub-ontologies and extensions to support the holistic approach of evidence collection. Some instructions for delivery and usage as well as current limitations are also presented. Third, a refined example of modelling and combining evidence information of TLS encryption from different sources illustrates the purpose and innovation of the ontology. Finally, the document concludes with a short summary and discussion of future work.
The main result of this deliverable is a uniform graph-based model to
(i) consolidate all extracted evidence information,
(ii) enable the retrieval of combined evidence by aggregating individual pieces of information to a higher-level viewpoint,
(iii) maintain traceability back to different information sources and extraction tools, and
(iv) provide all required concepts of resource types and security features to assess certification-relevant security metrics.
Based on this model, the uniform schema for evidence information will be further refined and analysed. The final version of the CertGraph ontology will then be reported in D2.11 [2], due in month 27.
1 Introduction
The CertGraph ontology, previously drafted in D2.1 [1], is a central graph-based model to support certification by bridging different layers and sources of extracted information, called evidence, from a cloud service. For this purpose, the ontology provides a highly structured, formal representation of a set of concepts (or classes) and their relationships and properties within the cloud service certification domain. It is created using a formal language, i.e. the Web Ontology Language (OWL), which supports complex expressions and logical inferences, including constraints, class hierarchies, and more. The main purpose of an ontology is to support knowledge sharing and reuse through structured domain knowledge as well as reasoning about the entities within the domain. In EMERALD, the CertGraph ontology enables harmonization of evidence gathering and assessment. Security controls defined in different schemas or catalogues are assigned to ontological concepts, and those ontological types will be further used in metric definitions.
For automated compliance tools to work, suitable evidence needs to be extracted and linked. The evidence extractors developed in the EMERALD project and described in D2.2 [3], D2.4 [4], D2.6 [5], and D2.8 [6] extract and provide suitable evidence from
(i) the source code of services, often written in different programming languages, such as Java, Go, or Python (Codyze and eknows-e3¹),
(ii) relevant parts of legal and policy documents, such as requirement or architecture documents (AMOE),
(iii) applied machine learning (ML) models with respect to various criteria, such as robustness, fairness, and explainability (AI-SEC), and
(iv) the virtual infrastructure, such as virtual machines, containers, or storage as well as runtime information, such as configuration or log files (Clouditor-Discovery).
The CertGraph Ontology with its respective extensions described in this document is a central tool to bridge those different layers and sources of evidence. Therefore, the ontology defines a vocabulary for mapping between the properties that shall be measured and the respective gathering of adequate evidence. It allows aggregating individual aspects and fragments of information to a higher-level viewpoint of combined evidence, not previously detectable by a single tool.
1.1 About this deliverable
This document aims to describe the CertGraph ontology for modelling evidence information in the cloud service certification domain as a common structure for semantically linked and combined evidence. It consists of a core ontology and several sub-ontologies for capturing security features as well as domain concepts and relationships for different extensions. In this deliverable, the structure and the main concepts of the extensions to consolidate all extracted evidence information in terms of taxonomies are presented. In addition, properties are discussed which maintain traceability back to different information sources and extraction tools. For better illustration, we base the explanations on an example which uses one selected security criterion, "encryption of data for transmission", which is specified in the BSI C5:2020² (CRY-02).
¹ Note that the component was renamed from eknows to eknows evidence extractor (eknows-e3)
² https://www.bsi.bund.de/dok/13368652
The CertGraph ontology represents the basis for integrating and instantiating the knowledge graph in the Evidence Store component in Task 3.1. It is also the foundation for analysing the semantic information and context of the heterogeneous evidence information in Task 2.6 to enable the retrieval of combined evidence. Another important aspect is to semantically describe
how specific Resource Types are related to Security Features, which are essential concepts to assess certification-relevant security metrics in Task 3.4.
1.2 Document structure
The document is structured as follows.
In Section 2, we give a short recap of the CertGraph ontology as introduced in D2.1 [1]. We also indicate any changes from the initial draft and discuss current refinements.
Section 3 provides functional and technical descriptions of the CertGraph ontology at the current development stage, as well as information on delivery and usage. Details on the sub-ontologies and extensions for the different cloud service layers are presented, i.e., for evidence extracted from source code, from policy documents, from ML models, and from cloud runtime environments. We further discuss refinements and limitations of concepts for combining evidence and supporting traceability, as well as of security features to assess new security metrics.
In Section 4, the illustrative example originally outlined in D2.1 [1] of modelling and combining extracted evidence information from different sources is refined.
Section 5 ends with the conclusions, including a short summary of the content presented, open challenges, and future work.
Figure 4. Excerpt of the Evidence sub-ontology
3.2.2.1.2 Framework – containing common types of software components
Common (high-level) types of software components are modelled in the Framework ontology (see Figure 5), which can be reused across different resources. This includes, for example, an HttpServer or a Logging component. This ontology is based on the taxonomy with the same name from the Cloud Property Graph [7].
Figure 5. Excerpt of the Framework sub-ontology
3.2.2.1.3 Functionality – containing common data types
In addition to the high-level types (defined in Framework), smaller parts of software must be modelled. Also, in many parts of the CertGraph ontology, simple record types are needed. The Functionality ontology (see Figure 6) models all needed types, without restriction to a specific domain. For example, HttpEndpoint and HttpRequest are two classes in this ontology, which model smaller parts of software. In contrast, CipherSuite, for example, is used as a record type and wraps the respective properties. This ontology is based on the taxonomy with the same name from the Cloud Property Graph [7].
Figure 6. Excerpt of the Functionality sub-ontology
3.2.2.1.4 Properties – containing common object and data properties
Within the whole CertGraph ontology, classes are connected by object and data properties. Often, these connections are quite similar or have similar semantics. The Properties ontology (see excerpt in Figure 7) defines a common set of object and data properties, which can be reused across the whole ontology. This includes generic properties to model *-to-one and *-to-many relationships like has and hasMultiple, and specific ones like filename or filetype to connect the respective properties to file-like classes and instances. Properties contained in this ontology are based on the ones from the Cloud Property Graph [7].
Figure 7. Excerpt of the Properties sub-ontology
3.2.2.1.5 Security – containing Security Feature
Security models security properties for all kinds of domains (see Figure 8) and is based on the taxonomy with the same name from the Cloud Property Graph [7].
Concepts in this ontology include:
• Auditing – including anomaly detection or logging, for example.
• Authenticity – including different types of authentications like passwords, OTP or SSO, for example.
• Authorization – including firewalls or access control, for example.
• Availability – including backups or redundancy, for example.
• Confidentiality – including transport encryption or encryption at rest, for example.
• Integrity – including signatures or hashes, for example.
• Reliability – including ML-related scores for robustness or explainability, for example.
Figure 8. Excerpt of the Security sub-ontology
3.2.2.2 Cloud – an ontology extension for cloud resources
Cloud models cloud resources (see Figure 9), and this extension is based on the CloudResource taxonomy from the Cloud Property Graph [7].
Currently, this ontology extension is already the most developed one. High-level concepts in this ontology include, among others:
• CICDService – including jobs and workflows.
• Compute – including different types of compute resources like containers, functions, and virtual machines.
• Credential – including certificates, keys, and secrets.
• Networking – including virtual networks and load balancers.
• Storage – including file and database storage.
Figure 9. Excerpt of the Cloud ontology extension
3.2.2.3 Application – an ontology extension for source code
Application models source code and code-like artifacts (see Figure 10). A first draft of this extension, based on the general idea of [11], is included in the current version. Still, further refinement of this extension is needed. This includes extending links to other classes and refining the abstraction level, as just storing the syntax tree would be far too detailed.
High-level concepts in this ontology include:
• Component – models large software components and forms the base class of Application and Library.
• Module – models small software components like source code files.
• Application – models source software applications and stores properties like the programming language.
• Library – describes dependencies of components.
Figure 10. Excerpt of the Application ontology extension
3.2.2.4 ML – an ontology extension for AI/ML models
A taxonomy for assessing security-related criteria of ML models deployed in the cloud serves as a structured framework to evaluate, categorize, and mitigate potential threats and security vulnerabilities (see Figure 11). Whereas scientific work (e.g. [14]) provides a comprehensive taxonomy on deep learning techniques, in EMERALD we focus on the data required to assess key criteria such as robustness against adversarial attacks and explainability (transparency and interpretability of decisions). We base our work on existing research [15] to be able to provide a generic approach that can be applied to various types of ML models.
To assess the robustness and explainability scores of an ML model, the following information is typically required in the taxonomy on a high conceptual level:
• MLModel – representing the model information, that is the model architecture (including model parameters, hyperparameters, loss function, etc.), the respective task (image recognition, NLP, etc.), the required input and output data types and formats, and evaluation metrics (such as accuracy, response time, confidence, etc.)
• Dataset – specifying the data actually used by the model, or its subset.
Figure 11. Excerpt of the ML ontology extension
Currently, classes contained in this ontology extension can be used to represent ML models and their context in a very high-level and abstract way. More details (e.g., properties) need to be elaborated and included into the taxonomy according to the needs and scope in EMERALD and will be documented in the final deliverable D2.11 [2] due in month 27. Also, frameworks for Machine Learning need to be modelled. Here it still must be decided whether they are parts of the ML extension or fit better in the Framework sub-ontology of Core.
3.2.2.5 Document – an ontology extension for security-related documents
Creating a taxonomy for documents, which primarily contain human-readable text (see Figure 12), for automatically assessing security policies and standards involves organizing content into hierarchical or categorized groups that reflect the nature, purpose, and context of the documents [16] [17] [18] [19].
High-level concepts in this taxonomy include:
• PolicyDocument – documenting policies regarding information security, acceptable use, data protection, password, encryption, authentication, etc.
• SecurityAdvisoryDocument – documenting regulators' requirements, internal guidelines, etc.
• ServiceMetadataDocument – documenting information on network security, application security, secure software development lifecycle, etc.
• GenericDocument – representing a placeholder for additional documents that are not yet modelled separately.
Figure 12. Excerpt of the Document ontology extension
At the time of writing, the taxonomy for security-related documents is only designed at a high level of abstraction, which will be adjusted in the final deliverable D2.11 [2] due in month 27 depending on specific needs and scope in EMERALD.
3.2.3 Technical specifications
The Protégé⁶ and Git⁷ tools are used to develop the CertGraph ontology in EMERALD. Protégé is a desktop application developed by Stanford University that enables the modelling of ontologies using OWL concepts. It supports the splitting of the ontology into multiple files for better structuring and linking of concepts using different namespaces, i.e., through different sub-ontologies and extensions. A reasoning component can derive new information based on rules, which is very useful for the fusion of multiple evidence parts and can detect inconsistencies in ontologies.
All sub-ontologies and extensions are saved as OWL/XML⁸. Changes are checked into the Git repository. The discussion and review of these changes occur via pull requests on GitLab, before the changes are merged into the main branch. This process ensures that the created ontologies are secured in the sense of allowing for version control, to make sure that the newly developed ontologies are discussed, and only corrected and accepted versions are merged into the main branch.
3.3 Delivery and usage
The following sub-sections detail the delivery and usage of the CertGraph ontology. The provided information is currently work in progress and may change.
3.3.1 Download
The CertGraph ontology is available from the public EMERALD GitLab repository⁹ hosted by TECNALIA. The repository will host all sub-ontologies and extensions in the OWL/XML ontology format (*.owx).
⁷ https://www.git-scm.com/
⁸ https://www.w3.org/TR/owl-xmlsyntax/
⁹ https://git.code.tecnalia.dev/emerald/public/certgraph
3.3.2 Package information
Table 8 shows the structure of the GitLab repository⁹ and its contents.
Table 8. Overview and description of package structure for the CertGraph ontology
Folder / File | Description
emerald.owx | Entry point of the whole ontology, which can be used to open it in Protégé, for example (used for convenient development within the EMERALD project)
core.owx | Core ontology. In addition, it imports the five core ontologies below
core/evidence.owx | Evidence Ontology
core/framework.owx | Framework Ontology
core/functionality.owx | Functionality Ontology
core/properties.owx | Properties Ontology
core/security.owx | Security Feature Ontology
resource.owx | Wrapper ontology, which imports the four extension ontologies below (used for convenient development within the EMERALD project)
resource/infrastructure.owx | Ontology extension for cloud resources
resource/application.owx | Ontology extension for source code
resource/ml.owx | Ontology extension for machine learning models
resource/document.owx | Ontology extension for documents
3.3.3 Instructions to use
Instructions to use are provided as part of the README in the public GitLab repository⁹.
In summary, the following requirements must be met before using the CertGraph ontology:
• To explore the ontology, an ontology modelling tool that supports the OWL ontology format, such as Protégé, must be installed.
• If the ontology should be extended or changed, a version control tool, such as Git, is recommended.
The whole ontology can be viewed in Protégé by opening emerald.owx. In addition, if only parts of the ontology are to be viewed, the respective owx file can also be opened on its own.
To instantiate the ontology, the following workflow is recommended:
1. Create a new ontology file.
2. Import core.owx using the Imported Ontologies view.
3. Import relevant extensions from the resource folder, or all of them by importing resource.owx.
4. Created instances will be stored in the newly created ontology file.
Note that the CertGraph ontology will not be visualized in the EMERALD UI.
3.3.4 Licensing information
The CertGraph ontology and its sub-ontologies and extensions are licensed as open source under Apache License, Version 2.0.
3.4 Limitations and future work
The CertGraph ontology with its sub-ontologies and extensions will continuously be extended in the course of the project. Furthermore, some design decisions are not final and are still under discussion. This includes, but is not limited to, connections between classes in general or new classes required for describing the extension domains. The ontology is constantly being further developed; in particular, the Application and ML extensions require more extensive refinement.
To meaningfully use the knowledge provided by the evidence extraction tools, we have discussed several ideas on how to accomplish this. One idea is to use SWRL¹⁰ or similar languages to describe rules, which are used to derive new knowledge from gathered evidence; thus new edges are added to the graph, which in turn leads to dense interlinking of data. In this context, it has already become apparent that a unique ID is necessary to identify service instances (i.e., each service can be referenced by a unique URI across extractors). Another idea is to use SPARQL¹¹ to query the graph and in this way to link the information in the graph and receive it as a query result. Currently, we are evaluating what can be implemented, which libraries are available, and what is supported by the used graph database.
At the time of writing, the implications of each decision cannot yet be entirely estimated, and the structure of the CertGraph ontology will continue to evolve. The results will be reported in the upcoming deliverable D2.11 [2].
¹⁰ https://www.w3.org/submissions/SWRL/
¹¹ https://www.w3.org/TR/sparql11-query/
4 Refined illustrative example of modelling and combining evidence information of the used TLS Version
For better illustration, we base the idea of modelling and combining evidence information from different sources on an example (see Figure 13), which uses a selected security criterion: "Encryption of data for transmission", which is specified in the BSI C5:2020 (CRY-02). In this example we model the used TLS (Transport Layer Security) version from different views.
This is a refinement of the first idea drafted in D2.1 [1]. The focus is on illustrating interconnectivity between selected sub-ontologies and extensions, and not on contained details. The restructuring and extension of the CertGraph ontology is reflected in Figure 13. In the diagram, classes are visualized as rectangles and instances as hexagons. Open-headed arrows with a filled line (⇾) represent "subclass of" relations, which connect subclasses to their parent class, and open-headed arrows with a dashed line (┉▹) represent "instance of" relations, which connect instances to their class. Simple arrows (→) represent data and object properties. These arrows are used between classes to define the schema, as well as between instances in their materialized form.
Figure 13. Classes (rectangles) and instances (hexagons) for the TLS example, showing evidence found in source code (implemented) and corresponding evidence in a document (specified) regarding transport encryption, which can be used to verify CRY-02 from BSI C5:2020 (adapted from [9])
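The combination of specified and implemented TLS evidence sketched above, as an added example that is not part of this deliverable or of the EMERALD code base: a small in-memory triple graph in the shape of the Core ontology (Evidence linked to a TransportEncryption SecurityFeature, a CertificationTarget, a Resource with its ResourceType variant, and a Tool) is joined per certification target, which mirrors what the SPARQL query or the SWRL-style rule discussed in Section 3.4 would do. The `emerald:` prefix, the property names (certificationTarget, securityFeature, resource, resourceType, tool, tlsVersion, tlsEvidenceConsistent) and all instance values are assumptions constructed for this example.

```python
"""Combining specified and implemented TLS evidence on a tiny triple graph."""
Triple = tuple[str, str, str]
# Assumed namespace prefix for this illustration; the project's real IRIs are
# not stated in the deliverable and are not reproduced here.
EX = "emerald:"


def evidence(ev: str, target: str, feat: str, version: str, res: str,
             variant: str, tool: str) -> list[Triple]:
    """Triples for one Evidence shaped like the Core ontology: links to its
    TransportEncryption SecurityFeature (with tlsVersion), CertificationTarget,
    Resource (with ResourceType variant) and Tool. Property names are assumed."""
    return [
        (ev, "rdf:type", EX + "Evidence"),
        (ev, EX + "certificationTarget", target),
        (ev, EX + "securityFeature", feat),
        (feat, "rdf:type", EX + "TransportEncryption"),
        (feat, EX + "tlsVersion", version),
        (ev, EX + "resource", res),
        (res, EX + "resourceType", EX + variant),
        (ev, EX + "tool", tool),
    ]


# Constructed sample graph (invented values): svc-42 agrees on TLS 1.3 in
# document and code; svc-7 specifies 1.2 but implements 1.0; svc-9 has
# runtime evidence only and nothing specified yet.
SAMPLE_GRAPH: list[Triple] = [
    *evidence(EX + "ev-1", EX + "svc-42", EX + "te-1", "1.3",
              EX + "res-policy-pdf", "Specification", EX + "AMOE"),
    *evidence(EX + "ev-2", EX + "svc-42", EX + "te-2", "1.3",
              EX + "res-tls-config-go", "Implementation", EX + "Codyze"),
    *evidence(EX + "ev-3", EX + "svc-7", EX + "te-3", "1.2",
              EX + "res-arch-doc", "Specification", EX + "AMOE"),
    *evidence(EX + "ev-4", EX + "svc-7", EX + "te-4", "1.0",
              EX + "res-server-java", "Implementation", EX + "eknows-e3"),
    *evidence(EX + "ev-5", EX + "svc-9", EX + "te-5", "1.2",
              EX + "res-lb-runtime", "Implementation", EX + "Clouditor-Discovery"),
]


def _bind(pattern: Triple, triple: Triple, b: dict):
    """Return b extended by the match of triple against pattern, or None."""
    new = dict(b)
    for p, t in zip(pattern, triple):
        if p.startswith("?"):
            if new.get(p, t) != t:
                return None
            new[p] = t
        elif p != t:
            return None
    return new


def query(graph: list[Triple], patterns: list[Triple]) -> list[dict]:
    """Evaluate a basic graph pattern (triple patterns with ?variables), i.e.
    the join at the heart of a SPARQL SELECT query."""
    solutions: list[dict] = [{}]
    for pattern in patterns:
        solutions = [nb for b in solutions for t in graph
                     if (nb := _bind(pattern, t, b)) is not None]
    return solutions


def transport_encryption_evidence(graph: list[Triple], variant: str) -> list[dict]:
    """TransportEncryption evidence whose Resource has the given ResourceType."""
    return query(graph, [
        ("?ev", "rdf:type", EX + "Evidence"),
        ("?ev", EX + "certificationTarget", "?target"),
        ("?ev", EX + "securityFeature", "?feat"),
        ("?feat", "rdf:type", EX + "TransportEncryption"),
        ("?feat", EX + "tlsVersion", "?version"),
        ("?ev", EX + "resource", "?res"),
        ("?res", EX + "resourceType", EX + variant),
        ("?ev", EX + "tool", "?tool"),
    ])


def combine_evidence(graph: list[Triple]) -> dict[str, dict]:
    """Join specified and implemented TLS version per certification target (the
    unique service URI); a one-sided target keeps consistent=None, so the gap
    stays visible instead of being silently dropped."""
    by_target: dict[str, dict] = {}
    for variant, key in (("Specification", "specified"),
                         ("Implementation", "implemented")):
        for sol in transport_encryption_evidence(graph, variant):
            entry = by_target.setdefault(sol["?target"], {
                "specified": None, "implemented": None,
                "consistent": None, "sources": {}})
            entry[key] = sol["?version"]
            entry["sources"][sol["?tool"]] = sol["?res"]  # traceability
    for entry in by_target.values():
        if entry["specified"] is not None and entry["implemented"] is not None:
            entry["consistent"] = entry["specified"] == entry["implemented"]
    return by_target


def apply_consistency_rule(graph: list[Triple]) -> list[Triple]:
    """Materialise the combined result as new edges on the target, the way a
    SWRL-style rule adds derived knowledge; the property name is assumed."""
    added = [(t, EX + "tlsEvidenceConsistent", str(r["consistent"]).lower())
             for t, r in combine_evidence(graph).items()
             if r["consistent"] is not None]
    graph.extend(added)
    return added
```

Calling `combine_evidence(SAMPLE_GRAPH)` reports svc-42 as consistent, svc-7 as inconsistent (1.2 specified, 1.0 implemented) and svc-9 as unresolved, each with the extractor and resource it was traced from.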
As described in Section 3.2.2, the ontology Core forms the basis of the CertGraph ontology. It
defines the metamodel for EMERALD evidence and uses the concepts defined in the Security
Feature sub-ontology, which contains a variety of security features and data properties:
• Evidence is the central class and instances of it represent detected security evidence.
Each evidence has connections to SecurityFeature, CertificationTarget, Resource, and
Tool.
• Resource represents the source of a piece of evidence and stores relevant metadata of
the location. Each Resource has a connection to a ResourceType.
• ResourceType classifies the role of a resource within the system. ResourceType is
modelled as an enumeration type in ontology terms. For this, a class is needed, and an
instance is created for each possible variant. Currently, we distinguish between these
two possible variants:
o The first variant, Specification, is used for evidence found in resources which
describe how the system should behave. The main application of this variant is
in human-readable documents which are not automatically processed for
compilation, e.g. policy documents.
o The second variant, Implementation, is used for evidence found in resources
which describe how the system actually behaves. This variant is mainly used for
evidence found in machine-processed assets, e.g. source code, configuration
files, or runtime information.
• CertificationTarget ties the evidence to a certain service. This connection enables the
fusion of evidence from multiple sources using a unique identifier for each service,
which will be used as the URI of the service instance.
• Tool represents the extractor component that has collected the evidence.
• To keep things simple, only a single feature (TransportEncryption class) is showcased in
this example and the hierarchy has also been simplified to two levels. The base class of
this hierarchy is SecurityFeature. Also, for simplicity reasons, just one data property
version is shown to store the TLS version.
Resource (defined in Core) is the starting point for ontology extensions. In this example, we used
the Document and Application extensions, which are built on top of the Core ontology, and limit
the scope to just one class per extension. As previously described, the classes in the extensions
should model their respective domains. The following two classes are used in the example:
• PolicyDocument represents a human-readable textual document of policies. It is
modelled as a sub-class of Document and includes (has) the two shown data properties type
and path.
• SourceCodeFile represents a source code file which is compiled for a given service and
is stored in a repository. It is modelled as an (indirect) sub-class of SoftwareResource and
includes (has) a data property language.
Gathered evidence provided by tools is modelled by instantiating classes defined in Core and in
extensions. In the example in Figure 13, evidence for the certification target ProductService is
provided by two extraction components:
• AMOE scanned the DevGuide (a PDF document stored at docs/guide.pdf) and found that
TLS version 1.2 is required to be used in development.
• eknows-e3 scanned the ProductServer (written in Java) and found that TLS version 1.2
is used in the implementation.
Found evidence is represented as the instances TEFoundInDoc and TEFoundInCode,
which have respective connections to the other instances. Please note that
“TransportEncryption” is abbreviated as “TE” in the diagram.
To sum up, the example illustrates the key idea of the Certification Graph: to represent security-
related parts of a cloud service, e.g. of the source code, in a graph structure and provide
additional context through the discovery of other related cloud resources, e.g. policy
documents. Bridging different domains allows combining evidence at a higher level of
knowledge and enables a comparison, for example, of what is described in policy documents
and what is actually implemented in software. An important point for maximising the potential
of the Certification Graph is that evidence from other extraction components must link to the
same service instance. In OWL, two instances are considered the same if they are identified
by the same URI. This enables knowledge fusion later on for the assessment in WP3.
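The following is an added example, not code from the deliverable or the EMERALD project, that materializes the Figure 13 schema and instances in a small in-memory triple store and then joins the Specification and Implementation evidence on the shared ProductService URI to compare the specified with the implemented TLS version. It also shows the failure mode described above: if the second extractor uses a different URI for the same service, no fusion takes place and the comparison has nothing to join. The namespaces, the property names (hasCertificationTarget, hasResource, hasResourceType, hasSecurityFeature, hasTool) and the evidence node names EvidenceDoc and EvidenceCode are assumptions; only the class and instance names from the page are taken from the text.

```python
"""Toy triple-graph rendering of the Figure 13 TLS example (added example).

Assumptions (not from the deliverable): the IRIs below, the property names
hasCertificationTarget/hasResource/hasResourceType/hasSecurityFeature/hasTool,
and the evidence node names EvidenceDoc/EvidenceCode.
"""
from collections import defaultdict

CORE = "https://example.org/emerald/core#"        # assumed namespace
SF = "https://example.org/emerald/secfeature#"    # assumed namespace
DOC = "https://example.org/emerald/document#"     # assumed namespace
APP = "https://example.org/emerald/application#"  # assumed namespace
RDF_TYPE, SUBCLASS = "rdf:type", "rdfs:subClassOf"


class Graph:
    """Minimal in-memory triple store: a set of (subject, predicate, object)."""

    def __init__(self):
        self.triples = set()

    def add(self, s, p, o):
        self.triples.add((s, p, o))

    def objects(self, s, p):
        return {o for s2, p2, o in self.triples if s2 == s and p2 == p}

    def subjects(self, p, o):
        return {s for s, p2, o2 in self.triples if p2 == p and o2 == o}

    def is_a(self, inst, cls):
        """'instance of' closed over 'subclass of' (dashed arrow, then solid arrows)."""
        todo, seen = list(self.objects(inst, RDF_TYPE)), set()
        while todo:
            c = todo.pop()
            if c == cls:
                return True
            if c not in seen:
                seen.add(c)
                todo.extend(self.objects(c, SUBCLASS))
        return False


def build_schema(g):
    """Classes (rectangles in Figure 13) and their 'subclass of' arrows."""
    for cls in ("Evidence", "Resource", "ResourceType", "CertificationTarget", "Tool"):
        g.add(CORE + cls, RDF_TYPE, "owl:Class")
    # ResourceType is an enumeration: one instance per variant
    g.add(CORE + "Specification", RDF_TYPE, CORE + "ResourceType")
    g.add(CORE + "Implementation", RDF_TYPE, CORE + "ResourceType")
    g.add(SF + "SecurityFeature", RDF_TYPE, "owl:Class")
    g.add(SF + "TransportEncryption", SUBCLASS, SF + "SecurityFeature")
    g.add(DOC + "Document", SUBCLASS, CORE + "Resource")
    g.add(DOC + "PolicyDocument", SUBCLASS, DOC + "Document")
    g.add(APP + "SoftwareResource", SUBCLASS, CORE + "Resource")
    # the page calls SourceCodeFile an indirect subclass; the intermediate class is omitted here
    g.add(APP + "SourceCodeFile", SUBCLASS, APP + "SoftwareResource")


def add_evidence(g, ev, service, tool, resource, rtype, feature, version):
    """One Evidence hexagon with its links to feature, target, resource and tool."""
    g.add(ev, RDF_TYPE, CORE + "Evidence")
    g.add(ev, CORE + "hasCertificationTarget", service)
    g.add(ev, CORE + "hasTool", tool)
    g.add(ev, CORE + "hasResource", resource)
    g.add(resource, CORE + "hasResourceType", rtype)
    g.add(feature, RDF_TYPE, SF + "TransportEncryption")
    g.add(feature, SF + "version", version)  # the single data property shown
    g.add(ev, CORE + "hasSecurityFeature", feature)


def build_example(impl_version="1.2", code_service=None):
    """Materialize Figure 13; code_service lets a caller break the shared-URI rule."""
    g = Graph()
    build_schema(g)
    service = CORE + "ProductService"
    code_service = code_service or service  # both tools must reuse this exact URI
    for s in {service, code_service}:
        g.add(s, RDF_TYPE, CORE + "CertificationTarget")
    guide, server = DOC + "DevGuide", APP + "ProductServer"
    g.add(guide, RDF_TYPE, DOC + "PolicyDocument")
    g.add(guide, DOC + "type", "PDF")
    g.add(guide, DOC + "path", "docs/guide.pdf")
    g.add(server, RDF_TYPE, APP + "SourceCodeFile")
    g.add(server, APP + "language", "Java")
    add_evidence(g, CORE + "EvidenceDoc", service, CORE + "AMOE",
                 guide, CORE + "Specification", SF + "TEFoundInDoc", "1.2")
    add_evidence(g, CORE + "EvidenceCode", code_service, CORE + "eknows-e3",
                 server, CORE + "Implementation", SF + "TEFoundInCode", impl_version)
    return g, service


def compare_tls_versions(g, service):
    """Join Specification and Implementation evidence on the shared service URI.

    Roughly the SPARQL (with the assumed property names):
      SELECT ?spec ?impl WHERE {
        ?e1 core:hasCertificationTarget ?s ; core:hasResource ?r1 ; core:hasSecurityFeature ?f1 .
        ?r1 core:hasResourceType core:Specification . ?f1 sf:version ?spec .
        ?e2 core:hasCertificationTarget ?s ; core:hasResource ?r2 ; core:hasSecurityFeature ?f2 .
        ?r2 core:hasResourceType core:Implementation . ?f2 sf:version ?impl . }
    """
    found = defaultdict(set)  # resource type -> TLS versions found for this service
    for ev in g.subjects(CORE + "hasCertificationTarget", service):
        for res in g.objects(ev, CORE + "hasResource"):
            for rtype in g.objects(res, CORE + "hasResourceType"):
                for feat in g.objects(ev, CORE + "hasSecurityFeature"):
                    if g.is_a(feat, SF + "SecurityFeature"):
                        found[rtype] |= g.objects(feat, SF + "version")
    spec, impl = found[CORE + "Specification"], found[CORE + "Implementation"]
    return {"specified": spec, "implemented": impl,
            "consistent": bool(spec) and bool(impl) and spec == impl}
```

Running `compare_tls_versions(*build_example())` yields specified and implemented versions of {"1.2"} and a consistent result; passing `impl_version="1.0"` yields a mismatch between policy and code, and passing a `code_service` URI that differs from the ProductService URI (even by a trailing slash) leaves the implemented set empty, because the two evidence instances no longer share a subject and OWL treats them as two different services.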