UCO transitions to the Linux Foundation

Posted by CDO Technical Steering Committee on December 07, 2021 · 11 mins read

The Unified Cyber Ontology Transitions to Linux Foundation

The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced that Unified Cyber Ontology (UCO) is becoming a community project as part of the ​​Cyber Domain Ontology (CDO) project under the Linux Foundation. UCO serves as a foundation for modeling cyber domain concepts and elements using a standardized representation that is both human-understandable and machine-interpretable. The primary motivation for UCO is to establish a middle domain ontology that supports information representations and interoperability across related application domain ontology communities.

“Elevating UCO as a Linux Foundation project is an important accomplishment for the community after many years of hard work,” said Sean Barnum, co-founder of UCO. “Increasing momentum and participation will enable UCO to mature and add application domain ontologies, realizing the benefits of broad interoperability across cyber domains. Our objective is to create a culture of common comprehension and collaborative problem solving across cyber-domains.”

UCO saves developers time and effort as they respond to the growing demand to interoperate with disparate and diverse systems across cyber domains. Developers can build on UCO to enrich their representations of information and enable interoperability across a broad range of domains, including cyber-investigation, digital forensics, incident response, cyber risk management, supply chain security, threat intelligence, and computer/network protection.

Through this approach not only are domain-focused representations defined consistently but they also can take advantage of shared APIs and tooling and information can flow in an automated fashion across subdomain boundaries.

Organizations involved in cyber domain activities can efficiently and consistently exchange and integrate information in standard format with UCO and it’s subdomain ontologies, breaking down data silos and increasing visibility across all information sources. Tools that support UCO facilitate the exchange of a diverse set of cyber information, ensure semantic interoperability and correlation of differing data sources and exploration of analytic questions, giving analysts a more comprehensive and cohesive view of available information, opening new opportunities for searching, pivoting, contextual analysis, pattern recognition, machine learning and visualization. UCO supports cyber domain tool testing and validation of results, it provides adopters the ability to import standard data marking standards for controlling access to privileged, proprietary, and personal information, and it supports custom or non-standardized structures by enabling tools containing these to still use and share information.

Development of UCO began in 2014 as a collaboration between the DoD Cyber Crime Center (DC3) and MITRE, led by Sean Barnum and Dr. Eoghan Casey, involving the National Institute of Standards and Technology (NIST). In response to international interest, this initiative became an open source evolving standard, with hundreds of participants in industry, government and academia around the globe.

The Cyber-investigation Analysis Standard Expression (CASE) was the first application domain ontology using UCO. Early contributors include the Netherlands Forensic Institute (NFI), the Italian Institute of Legal Informatics and Judicial Systems (IGSG-CNR), FireEye, and University of Lausanne. UCO community coordination was formalized with support of Dr. Harm van Beek, Rich Brown, Ryan Griffith, Cory Hall, Dr. Christopher Hargreaves, Jessica Hyde, Deborah Nichols, and Martin Westman.

The Ontology Committee is led by Dr. Alex Nelson. The Adoption Committee brings together developers from diverse backgrounds to share experiences and battle test ontologies. The success of these efforts depends on members of the community actively contributing to UCO and its domain-specific application ontologies’ development and implementation. The project welcomes anyone interested in elevating cyber-domain capabilities in the areas of semantic interoperability and analysis, graph-based analysis, and developing new subdomain ontology efforts.

Recent UCO developments include the release of v0.7.0 that supports the conversion of UCO ontologies to leverage the Shapes Constraint Language (SHACL) for instance-data validation, and adds a Continuous Integration (CI) method for testing and verifying the ontology. The UCO community is adding support for automated documentation generation and is currently developing domain-specific application ontologies for cyber risk management and cyber deception application domains.

The UCO community has multiple collaborative repositories and activities for developing and supporting shared tooling for adopters in each application domain. UCO uses the Apache-2.0 license. Organizations and individuals interested in contributing to UCO can go to https://unifiedcyberontology.org.

Supporting Comments


“The news that UCO will be transitioning to The Linux Foundation is an exciting move for the Digital Forensics, Incident Response, and Cyber Security communities,” said Jessica Hyde, founder of Hexordia. “One of the special things about UCO is that it has been developed to support multiple use cases in the cyber domain including Digital Investigations, Cyber Risk Management, Cyber Threat Intelligence, and Supply Chain Security. UCO is developed by specialists who understand the domains from a variety of sectors including academia, law enforcement, government, non-profits, and commercial entities. This uniquely positions UCO to describe a variety of data including intelligence information, provenance, metadata, and data recovered in a multitude of environments and allow different organizations and a variety of tools to look at cyber related data with the same definitions of what the data is describing. What an exciting day for uncovering truth in data and ensuring common definitions of data as it moves through the nexus of tools, organizations, and jurisdictions that need to work together in today’s cyber security environment.”


“The CASE transition to the Linux Foundation is remarkable news and encourages widespread use of this standard in a broad range of cyber-investigation domains to foster interoperability, establish authenticity, and advance analysis,” said Fabrizio Turchi, senior technologist at the IGSG-CNR, Italian National Research Council. “The European EXEC-II project includes a bespoke application for packaging evidence with metadata in CASE format for automated exchange, while maintaining provenance information to streamline cross-border cooperation among judicial authorities in the EU member states. In addition to searching for specific keywords or characteristics within a single case or across multiple cases, having a structured representation of cyber-investigation information allows more sophisticated processing such as data mining, machine learning and natural language processing techniques as in the European INSPECTr project and a shared intelligent platform for gathering, analysing and presenting key data to help predict, detect and manage crime in support of multiple law enforcement agencies. The announcement of the UCO transition to the Linux Foundation is outstanding news for the whole of the digital forensic community. In a broader sense it is incredibly satisfying for everyone, like me, who has worked with great commitment over the past few years to have the UCO adopted as standard in many European projects dealing with cross-border cooperation between judicial authorities in Europe and beyond. The UCO ontology has been the standard for the representation of the evidence metadata in the European INSPECTr project, a shared intelligent platform for gathering, analysing and presenting key data to help predict, detect and manage crime in support of multiple law enforcement agencies. Moreover, at the moment another relevant proposal for an European project is in development with the aim of developing a Judicial Cases Cross-Check system for case searching and correlation using the UCO ontology for Evidence representation.”


“The MITRE Corporation is proud to see the continued growth and acceptance of the Unified Cyber Ontology open source project. MITRE is one of several organizations that helped create UCO and convene the initial community of contributors,” said Cory Hall, principal cybersecurity engineer at MITRE. “With the transition of UCO to the Linux Foundation we see a bright future for the effort as the community advances our collective ability to improve semantic interoperability and analysis across several cyber subdomains.”


“As a long-term member of the UCO open source project, MSAB looks forward to the new possibilities that Linux Foundation will provide for UCO as the de facto standard for adoption by digital forensic tools. With the common data exchange ontology that UCO provides, our industry can process greater volumes of data faster, more accurately and with greater interoperability than ever before. We are committed to continuing to support the development of UCO under the Linux Foundation and are excited for the future of the project,” said Martin Westman, exploit research manager, MSAB.

Netherlands Forensic Institute

“UCO is an important foundation for capturing and sharing observable objects in the cyber-domain. Together with its extension CASE, this effort makes it possible to interconnect investigative tools and to gain new insights into their results. This is paramount not only for the NFI, but for the entire community to quickly apply science to day-to-day operations to fight crime,” said Harm van Beek, senior digital-forensic scientist at the Netherlands Forensic Institute. “By adding CASE/UCO functions to Hansken, our open digital-forensic platform, we support the UCO effort as well as the digital-forensic community.”


“Cellebrite is pleased to see wider involvement in the Unified Cyber Ontology open source project. As a key contributor to CASE, we are proud to be a driving force behind the initiative to address gaps in UCO and support shared use cases. We look forward to seeing greater synergies between UCO and CASE under the Linux Foundation, which we believe will help to achieve data interoperability across cyber domains and jurisdictions in support of Cellebrite’s mission to help protect and save lives, accelerate justice, and preserve privacy.”

← Previous Post