Go to content Go to navigation

Threat Ontologies for Cybersecurity Analytics (TOCSA)

In the overwhelming majority of identified security incidents, there is no understanding of who the threat actor is, why they attack or how they operate. Most threat actors are never identified or held responsible for their actions, and promotes criminal behaviour that continues with little or no consequence. To help break this cycle and get ahead of our adversaries, we need digital threat intelligence that is structured, leverages automated analysis and is shared. This observation provides the motivation for sponsoring a Ph.D. candidate and their research on Threat Ontologies for Cybersecurity Analytics (TOCSA).


Too often security professionals are only observing the evidence of cyberattacks – trails of information that are the long left-behind remnants from an attacker’s past actions. When defending against these attacks, priority is understandably placed on recovering from the current attack, with identifying the attackers as an afterthought. The repercussion is that attackers are rarely identified, seldom prosecuted, and able to operate with an almost free-reign.

This observation provides the motivation for the research project that will develop models and tools based on ontologies for fully and semi-automated classification and discovery of cyberthreats. The research will be conducted through sponsoring a Ph.D. candidate.


Identify state of the art in ontology development in the Security area and how they are currently being applied to Threat analysis and identification.

Extend and develop ontologies appropriate for automated threat analysis.

Utilise and extend reasoner tools to perform automatic and smart analysis of threat relevant data streams (e.g. network traffic).

Perform case studies to test and validate the developed methods and tools on realistic data, as provided by the industry partner mnemonic.

TOCSA Contributers


Contact me for more information

PhD Student

Siri Bromander - PhD Student