Schema
Adhering to our aim for AVID resources to be expandable and adaptable to practitioner needs, we have adapted the MISP Taxonomy System to standardize and share the two views of our taxonomy. MISP taxonomies are used to tags cybersecurity events, indicators, and threats using three components:
namespace
is an unique identifier of the taxonomy being usedpredicate
is a high-level categoryvalue
is a low-level subcategory under a predicate.
Each MISP taxonomy is specified using a single JSON file that contains the namespace, a list of predicates, lists of values under each predicate, and auxiliary metadata. Below is a sample schema:
This specification can be used to tag any relevant threat information as namespace:predicate:value
. As long as a taxonomy is specified using the above structure, tags can be generated in the above structure, providing the user with the flexibility of using multiple taxonomies, some of which may be specific to their own application context.
Example
The MISP specifications of the AVID taxonomies are available for the Effect/SEP View and the Lifecycle View.
As an implementation example, consider the vulnerability AVID-2022-V013, which is about the Microsoft Tay Poisoning incident. We have assigned the following taxonomy categories to it:
The MISP tags for this vulnerability will be the following:
Custom Taxonomies
Using the MISP format allows us to seamlessly integrate arbitrary taxonomies into the AVID database and related workflows. This is crucial for driving practitioner adoption, since AI developers and vendors often work off of operational taxonomies specific to the context of their domain of application. Examples of such deep taxonomies/categorizations include MITRE ATLAS, taxonomies for and , and . As a specific example of a non-AVID taxonomy in the MISP format, see the specifications for the .
We welcome the AI community to contribute to our repository of taxonomies, which you can find here. Doing so is easy: just create a JSON file for your taxonomy in the above schema and submit a Pull Request!
Last updated