Abstract
The advent of artificial intelligence (AI) models presents significant opportunities alongside inherent security risks, such as adversaries using these models to generate malicious data that compromises other AI-enabled systems. Despite the urgent need to address such threats, AI-based threat modelling remains largely underexplored in research, primarily constrained by three key challenges: (i) the lack of formal representation of security and AI-based data, (ii) the absence of inference rules for automated threat identification, and (iii) inconsistent risk and vulnerability assessment. These limitations, coupled with stakeholders’ insufficient security knowledge and AI expertise, lead to erroneous threat modelling of AI-enabled systems. This research aims to develop and implement OntoSecAI, an ontology-based approach to automate threat modelling and assessment for AI-enabled systems. In particular, we design three ontologies and 30 inference rules, followed by risk and CVSS-based vulnerability assessments, to perform automated threat modelling and assessment comprehensively. In addition, the approach is validated through 10 case studies and verified using mathematical theorems to confirm its correctness and completeness. The research findings demonstrate that the developed ontologies effectively facilitate unified representation and comprehensive coverage of security and AI systems’ data. Furthermore, the implemented inference rules effectively map system assets to potential security threats. Crucially, the utilization of ontologies provides consistent risk and vulnerability assessments across AI-enabled systems. Consequently, a comprehensive security knowledge base is offered to stakeholders, regardless of their varying security and AI expertise, ensuring uniform threat modelling across diverse AI systems and adaptability to emerging security threats.
Citation: Ullah U, Haleem M, Ullah A (2025) OntoSecAI: Ontology-driven security automation for AI-enabled systems. PLoS One 20(12): e0337806. https://doi.org/10.1371/journal.pone.0337806
Editor: Sohail Saif, Maulana Abul Kalam Azad University of Technology West Bengal, INDIA
Received: May 25, 2025; Accepted: November 13, 2025; Published: December 18, 2025
Copyright: © 2025 Ullah et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All data files are available in the GitHub repository: https://github.com/UbaidUllahResearch/OntologyDrivenAISecurity.
Funding: The author(s) received no specific funding for this work.
Competing interests: The authors have declared that no competing interests exist.
1 Introduction
In recent years, artificial intelligence (AI) has emerged as a transformative technology, with its applications extending across diverse fields such as healthcare, finance, and education [1]. It also plays a central role on social media platforms [2], where AI algorithms are used to recommend personalized content, target advertising, and detect malicious activities [3]. This adoption of AI technologies is clearly illustrated by the rapid rise of platforms such as ChatGPT [4], which accumulated 100 million active monthly users in a short period, underscoring its broad appeal and value [5]. However, this widespread use of AI systems also faces significant security challenges [6,3]. Studies, such as those examined under MITRE ATLAS [7], show that AI systems are largely vulnerable to security threats by adversaries. Specifically, these threats exhibit a range of characteristics, encompassing (1) diverse attack vectors such as evasion, poisoning, and model replication [8,9]; (2) susceptibility in various deployment environments, including cloud [10], and edge-hosted machine learning models [11]; and (3) applicability to a wide range of use cases, notably attacks targeting AI systems like chatbots [3]. This scenario arises from the proliferation of readily accessible AI technologies, notably large language models (LLMs), among individuals and corporations, which amplified the potential to target other AI-enabled systems [6,12]. Examining this amplified scenario, a study [5] investigated the consequences of LLMs within the Swiss cybersecurity context, identifying threats such as spear phishing, vulnerable code injections, and remote code execution. This accessibility-driven expansion of AI underscores the increasing challenges in securing interconnected AI ecosystems. Based on this understanding, further studies, including those examined by OWASP [13], reveal that AI-enabled systems and models are highly susceptible to numerous security vulnerabilities. 
This susceptibility is further underscored by the fact that additional research highlights similar vulnerabilities in other AI technologies, including machine learning [14], federated learning [15], and computer vision [16], which can be exploited by adversaries.
Given the widespread vulnerability of AI systems to various threats, there is a critical need for effective security measures specifically tailored to AI systems [12]. One such measure is threat modelling, a proven technique in computer security that offers a valuable method for addressing the security challenges faced by AI systems [17]. Although recent studies have explored how to apply threat modelling specifically to AI [18,19,20,21], these efforts lack a broad coverage of security and AI systems data, which reduces the effectiveness of threat modelling as a tool for a wider assessment of AI security.
Furthermore, the threat modelling solutions currently available present the following challenges. The primary challenge lies in the lack of formal data and conceptual models to support the fundamental representation of security aspects and AI systems; conceptual models serve as a structured foundation defining how system data should be represented. The absence of clearly defined inference rules hampers the reasoning process during threat identification; inference rules guide how conclusions are drawn from available information. There is a gap in the definition of security threats specific to AI-enabled systems, yet security threats need to be precisely described for effective threat modelling. The absence of consistent risk assessments for identified threats means that the severity and potential impact of each threat remain unclear. Moreover, without a clear understanding of the associated vulnerability assessment, prioritizing and addressing vulnerabilities becomes challenging. As a result of these limitations, different stakeholders may struggle to perform threat modelling and assessment effectively. This challenge is particularly pronounced for those with limited exposure to AI-related information, little cybersecurity expertise, or insufficient domain knowledge, ultimately reducing the overall security posture of AI systems. Hence, these gaps underscore the need for continued research on AI-specific security to keep pace with AI’s evolving threat landscape, as securing AI-enabled systems against emerging threats has become increasingly critical [6,22].
To fill these gaps, the main objective of this study is to design and implement OntoSecAI, an ontology-driven approach for the automated threat modelling and assessment of AI-enabled systems. To achieve the main objective, we pursue the following specific objectives: (1) to construct a holistic ontology that comprehensively models the lifecycle of the AI system and its unique security characteristics, thereby establishing a unified security knowledge base for AI-enabled systems; (2) to design and implement a set of robust inference rules that enable automated threat identification; (3) to conduct risk and vulnerability assessments aligned with threat modelling practices; and (4) to verify and validate the correctness and completeness of the proposed approach through formal mathematical proofs and across diverse case studies. These objectives collectively structure the research contributions as their outcomes.
In this context, the ontology provides a structured way to organize and represent the entities of the system and their relationships, allowing the knowledge base to be consistently interpreted and applied across different AI-enabled systems in the security domain [23,24,25].
In summary, our contribution is fivefold:
- We designed a domain ontology to comprehensively describe entire AI-enabled systems, overcoming domain-specific challenges through a formal and shared vocabulary for all stakeholders.
- We developed a unified knowledge base for general AI-enabled systems by including diverse assets, security threats, system vulnerabilities, adversarial tactics and techniques, AI system lifecycle, and mitigations from multiple data sources.
- We provided a well-defined rule set to characterize threat modelling logic and accurately map AI entities to potential security threats. This ensures accuracy in mapping the system to potential security threats.
- We performed a consistent risk assessment to understand the severity of defined threats. In addition, we performed a vulnerability assessment to help define the severity of the vulnerabilities.
- We validated our methodology using 10 case studies and verified its correctness and completeness using mathematical theorems. This rigorous validation and verification process provides strong evidence for the reliability and trustworthiness of our automated AI threat modelling methodology.
Beyond its contributions, our approach also faces two limitations that define its scope. Since the cybersecurity landscape continuously evolves with new threats and vulnerabilities, maintaining the ontology is a challenging and ongoing task. Furthermore, scalability must be considered; as the knowledge base expands, reasoning demands may increase significantly, potentially hindering real-time analysis in resource-constrained environments.
The organization of this paper is as follows: Sect 2 discusses related work, which encompasses a review of existing approaches covering AI-centric threat modelling, ontology-driven threat modelling, and risk and vulnerability assessments. Sect 3 presents the research design for automated threat modelling and assessment using ontologies. In Sect 4, the validation and verification of the approach are performed. In Sect 5, we identify potential threats to validity and how to deter these threats. Sect 6 presents the conclusion of our work and outlines future directions.
2 Related work
This study builds on existing work in three important areas: (i) AI-centric methodologies, focusing on AI-based threat modelling; (ii) ontology-centric methodologies, focusing on ontology-based threat modelling in various areas; and (iii) risk and vulnerability assessment. To provide a foundational basis for our study, we performed a literature review using Google Scholar and IEEE Xplore, widely recognized sources for academic research. We applied the search strings “ontology-driven threat modelling”, “AI-driven threat modelling”, and “risk and vulnerability assessment”. From the retrieved works, we applied a strict relevance criterion: only studies that directly addressed our research scope are included, while less relevant studies are excluded. This method ensured that only contributions closely aligned with our objectives were considered. The most relevant findings from previous studies are summarized in the following sections.
2.1 AI-centric threat modelling
Wang et al. [14] reviewed the security challenges and recent advances in AI research. They categorized security threats at each stage, including (1) sensor spoofing and scaling attacks during data preprocessing and (2) poisoning and adversarial attacks during training and inference. Their work provides a comprehensive overview of the AI security landscape. However, their study does not address the novel threats and mitigation strategies that have emerged with the advent of LLMs. Similarly, Hu et al. [26] examined recent advances throughout the AI lifecycle, from data collection to deployment, and provided an overview of the AI security landscape. The authors summarized relevant countermeasures and discussed challenges and opportunities in securing AI systems. Although the study provides a useful overview of AI security throughout the lifecycle, it relies on outdated threats and mitigations, overlooking risks from emerging technologies such as LLMs. It also omits system weaknesses, risk and vulnerability assessments, and evolving adversarial tactics.
Guembea et al. [27] investigated the emerging dangers of AI-powered cyberattacks. Their findings revealed that a significant portion of AI-driven attacks occur during the access and penetration phase of the cyber kill chain. Their investigations highlight the potential inadequacy of existing cyber defenses against the increasing complexity of these attacks, emphasizing the need to invest in AI cybersecurity infrastructures.
To evolve the AI threat landscape, Assen et al. [18] introduced ThreatFinderAI, an approach to model AI-related assets, threats, countermeasures, and residual risk quantification. To evaluate its practicality, the approach is validated through an AI-based healthcare platform. In addition, the tool was used to identify and discuss strategic risks in an LLM-based application through a case study. In parallel, Hoseini et al. [28] proposed a structured approach to threat modelling for AI and machine learning (ML) systems using attack trees and a risk analysis method. It outlines a multistep procedure for designing and evaluating threat models and classifying attacker goals and attack outcomes based on security violations. However, their attack tree model is a static representation of threats. Their work has a limited scope, as it excludes key attack details, assumes a centralized learning environment, and does not address the unique security challenges of non-centralized scenarios like federated learning. Our approach is designed with the flexibility to handle such complex systems.
To further extend the threat landscape of AI, Das et al. [29] provided a review of the security and privacy challenges associated with AI models. The authors examined vulnerabilities in both training data and user interactions, discussed application-based risks across various domains, and reviewed potential defense mechanisms against these emerging threats. However, its main limitations are the scope and the absence of a concrete framework. Although it offers a useful overview of LLM security, its survey-based nature lacks a specific and implementable solution. This contrasts with our work, which develops a novel ontology-driven solution. In a related effort to address the security concerns of AI, Mauri et al. [30] addressed the risks associated with AI’s increasing application in socio-technical infrastructures, particularly focusing on the unique vulnerabilities of machine learning (ML). The authors proposed STRIDE-AI, a methodology that aims to guide ML practitioners in selecting effective security controls, illustrated with a real-world use case. The primary limitations are its reliance on a manual process, a static and limited scope, and a lack of integrated assessment. Unlike STRIDE-AI, our ontology is automated, extensible, and capable of integrating risk analysis for a more comprehensive security view.
2.2 Ontology-centric threat modelling
Preuveneers et al. [21] proposed an ontology-based framework specifically designed for AI-enabled systems to model prevalent threats and countermeasures. However, its selective threat coverage and lack of explicit automation rules contrast with our research. We offer a more comprehensive representation of cybersecurity knowledge, including various threats, weaknesses, and mitigations, along with a formalized set of rules for automated threat identification targeting AI system assets, a feature absent from their approach.
Similarly, Kougioumtzidou et al. [31] presented an AI-assisted framework to build and update cybersecurity taxonomies and ontologies. For ontology construction, they propose a conceptual schema based on the STIX 2.1 standard and utilize the Owlready2 Python library. Their framework is limited by domain specificity, as the paper’s core technology is a language model fine-tuned for the cybersecurity domain and is limited to knowledge only encoded in text. In contrast, our approach enables broader formal reasoning, comprehensive threat modelling, and coverage of a wide range of cybersecurity knowledge and related assessments.
Manzoor et al. [32] addressed the challenges of complex cloud threat analysis through the development of a dedicated ontology. This ontology comprehensively models actors in the cloud, their requirements, interactions between cloud services, and potential vulnerabilities that could violate these requirements. By mapping this ontology to a design structure matrix, their approach facilitates security assessments from various actor viewpoints.
Another contribution comes from Kamongi et al. [33], who introduced Nemesis, an automated architecture for cloud threat modelling and risk assessment. They utilized ontologies as knowledge bases to model threats and assess risks in cloud systems. Their approach built ontologies for vulnerabilities, defenses, and attacks, automatically instantiating them into Ontology Knowledge Bases (OKBs) that capture relationships between these elements.
Salini et al. [34] proposed an ontology-based system to predict and classify web application attacks. Their system effectively stores information about threats, vulnerabilities, and attacks, enabling the prediction of attacks by analyzing the relationships between threats and vulnerabilities. Attacks are classified according to their severity regarding security goals. Furthermore, the system offers suggestions for prevention and countermeasures in order to assist developers in building more secure web applications. In contrast, Tok et al. [35] proposed SCOPE to address cybercrime and digital forensics in Smart City Infrastructures (SCI). Recognizing limitations in existing tools and ontologies regarding information sharing and interoperability, SCOPE integrates SCI threat models, digital forensic evidence, and MITRE attack information. They showcased SCOPE’s ability to represent complex SCI-specific threats and investigation workflows using real-world APT incident scenarios, making it available for community-based identification and sharing of cyber threats in emerging SCI trends.
Similarly, Välja et al. [36] addressed the complexity and resource demands of threat modelling by proposing an ontology framework to improve automation. They highlighted the issue of lacking context in automatically collected data and suggested using ontologies to inject domain knowledge. The framework aimed to simplify the creation of the model by standardizing the input sources, eliminating duplicates, and logically grouping software.
Luh et al. [37] presented TAON, an OWL-based ontology designed to mitigate advanced persistent threats (APTs). TAON provides a holistic view of actors, assets, and threat details, mapping them to detectable events and anomalies. The ontology aims to facilitate the development of behavior-based detection systems and offers a means for organizations to plan defenses against APTs by understanding the "how, why, and by whom" of targeted attacks. Populated with data, TAON becomes a smart correlation framework for semantic assessment. In contrast, Sabbagh et al. [38] proposed a socio-technical framework for the modelling of threats within the global software supply chain, with their approach validated through a case study of the Swedish Armed Forces. Their framework addresses modelling the target system, identifying threats within the complex socio-technical landscape of the supply chain, and analyzing potential countermeasures. Finally, Rosa et al. [24] presented ThreMA, an approach to automate threat modelling for ICT infrastructures using ontologies. They highlighted the challenges of manual threat modelling and the need for standardized representations and automated reasoning. ThreMA provides a formal vocabulary for modelling ICT infrastructure, a threat catalog, and inference rules for threat identification. The approach was validated through case studies from the Italian public sector.
2.3 Risk and vulnerability assessment
Maunero et al. [39] proposed an ontology-based approach to automate the risk assessment process for ICT infrastructures. Their work focuses on creating a structured and formal representation of the descriptions of the ICT infrastructure and related security information using a defined ontology. The ontology follows an asset-oriented approach, linking infrastructure components with security data to improve automation. In contrast, Phillips et al. [40] introduced a simulation-based method for the automated assessment of the risk of cyberphysical systems (ISO 27005). Modelling threat cause-and-effect and system interdependencies, it uses a knowledge base to simulate attacks and calculate risk based on controls. Implemented in Spyderisk, it was validated with a steel mill attack case study.
Furthermore, Arora et al. [41] examined risk and vulnerability assessment techniques for the automotive industry due to increased cybercrime threats with wireless car connections and advancements in autonomous driving. The study highlights the potential for significant damage from vehicle breaches and the importance of enhancing vehicle security.
2.4 Research summary
Table 1 presents a conceptual comparison of existing threat modelling studies, evaluated against 15 key coverage criteria. The AI-centric studies generally fail to address many of these criteria, while the remaining 12 non-AI-focused studies also exhibit significant gaps and limitations. In the table, a checkmark (✓) indicates that the criterion is addressed, whereas a dash (–) denotes a lack of coverage. However, it should be noted that a checkmark may represent only a partial fulfillment of the criterion, rather than a comprehensive one. Furthermore, analysis of existing studies, including those beyond the related work, reveals several other critical limitations. These studies present a constrained scope, as their coverage of threats, countermeasures, and weaknesses is outdated or highly limited, thereby failing to address the vulnerabilities of modern AI systems and technologies. A significant gap is the absence of standard vulnerability assessment, with the few studies that attempt it using outdated methodologies and failing to adopt standardized systems like CVSS. In addition, there is a notable lack of comprehensive inference rules and a complete absence of verification for the proposed approaches. Mitigation strategies are often absent throughout the AI lifecycle, and even in studies that address them, the coverage of the complete AI lifecycle phases is consistently incomplete. Key aspects of adversarial modelling, including adversaries, their activities, tactics, and techniques, have either been only partially addressed or completely overlooked. Hence, all observed deficiencies underscore the critical need for a robust approach to address these identified gaps.
To address these research gaps and limitations, this study introduces a formally verified, ontology-driven approach for the automated threat modelling and assessment of AI-enabled systems. The proposed approach designs a comprehensive domain ontology for AI systems and establishes precise rule-based threat mappings to support systematic analysis. The inference rules that map system assets to their potential security threats are formally defined using the Semantic Web Rule Language (SWRL). OntoUML is adopted as the conceptual modelling language due to its formal ontological foundation, which ensures semantic consistency across AI security concepts. The ontology is implemented in Protégé, serving as the primary development environment, and incorporates risk and vulnerability assessments directly within the threat modelling process to achieve an integrated and coherent representation of AI systems security. In contrast to prior studies, which exhibit limited coverage across multiple criteria, the proposed approach provides comprehensive coverage across the entire threat modelling spectrum. It explicitly integrates security threats, weaknesses, and mitigations coverage and enables adversaries and assets modelling. This approach effectively addresses the fragmented and narrowly scoped nature of existing studies, many of which lack adaptability to emerging AI threats or fail to incorporate formal validation mechanisms.
3 Research design
This study aims to automate threat modelling for AI-enabled systems using ontologies. To achieve this aim, we are required to (i) build a comprehensive ontology using formal data, (ii) generate inference rules to map security threats to the corresponding system assets correctly, and (iii) calculate risk and vulnerability to provide a consistent assessment across AI systems. Consequently, we formulate the following research questions (RQs) to guide our investigation:
- RQ1: How can a comprehensive ontology be constructed to represent AI-enabled systems and their security aspects to enable effective automated threat modelling?
The purpose of RQ1 is to construct a comprehensive domain ontology that captures AI-enabled systems and their security aspects, forming a unified knowledge base that serves as the foundation for effective automated threat modelling. The purpose frames the constructive task (how to build it), the domain scope (AI-enabled systems and their security aspects), and the intended outcome (effective automated threat modelling).
- RQ2: How effective are inference rules in accurately identifying potential threats to system assets in AI-enabled systems?
The purpose of RQ2 is to assess how well the inference rules can accurately detect potential threats to assets in AI systems.
- RQ3: How can a risk and vulnerability assessment be effectively conducted for AI-enabled systems in alignment with threat modelling practices?
The purpose of RQ3 is to perform risk assessments of identified threats and vulnerability assessments of system weaknesses in AI-enabled systems to support effective security modelling.
Collectively, these RQs establish an interconnected flow: we begin by constructing ontologies (RQ1), then define inference rules to automate threat identification (RQ2), and conclude by performing the risk and vulnerability assessment (RQ3).
3.1 Proposed approach
This section introduces the proposed approach, OntoSecAI, which provides a structured and automated process for AI security threat modelling and assessment. Automation in the approach encompasses three core capabilities: (i) automated identification of security threats through inference rules; (ii) automated risk and vulnerability assessment based on defined attributes; and (iii) automated generation of reports summarizing identified threats, vulnerabilities, and mitigations. The approach is supported by a formally defined ontology, OntoSecAI-DO (Domain Ontology), which encapsulates the conceptual knowledge essential for enabling the process. Fig 1 depicts the high-level conceptual workflow through which domain experts construct the domain ontology using predefined ontological elements.
OntoSecAI-DO consists of three sub-ontologies, i.e., an assets-driven sub-ontology, a weaknesses-driven sub-ontology, and a threats-driven sub-ontology, each representing a distinct yet interrelated dimension of AI-enabled system security. The assets-driven sub-ontology focuses on the system assets, their operational aspects, and structural dependencies. The weaknesses-driven sub-ontology specifically focuses on the known vulnerabilities within the AI system’s infrastructure, such as network insecurities or flawed data management practices. The threats-driven sub-ontology encompasses a wide range of tactics and techniques, security threats, and mitigation mechanisms. These sub-ontologies are discussed in Sect 3.3. These ontologies consist of classes interconnected by relationship properties. The data property is used to instantiate data instances, while the individual property is utilized to create object instances for the ontologies. Similarly, the annotation property describes the ontologies, providing essential context. In contrast, the usage property enables stakeholders to visualize how specific ontology elements, such as classes, properties, or individuals, are utilized, facilitating effective management and maintenance of the ontology. Furthermore, the approach incorporates risk and vulnerability assessments, which are calculated using the risk scoring model and the Common Vulnerability Scoring System (CVSS) v3.1 metrics [42], respectively. The Semantic Web Rule Language (SWRL) [43] specifies the inference rules that map system assets to the security threats they may encounter. The automated reasoner, configured with specific settings and types, validates these rules to generate a comprehensive security knowledge base for all AI-based systems. Each of these components plays a critical role in automating ontology-driven threat modelling.
Protégé [44] serves as the collaboration platform, facilitating the creation and maintenance of these ontologies and rules. This tool is also used in an ontology-driven approach to automate threat modelling for ICT infrastructure [24]. Furthermore, built-in features such as OWL provide the foundational language for constructing ontologies that capture intricate domain knowledge. The axioms within these ontologies define essential logical constraints, ensure data consistency, and accurately classify entities. Automated reasoners (e.g., Pellet, HermiT) process axioms and SWRL rules to generate a security knowledge base. To save the knowledge base, the tool offers several format choices, with RDF/XML being a widely used and well-supported standard. We can use the description logic (DL) feature to retrieve ontology knowledge using expressions based on defined relationships.
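The pipeline just described (instances spread over the three sub-ontologies, SWRL-style rules run to a fixpoint by a reasoner, and CVSS v3.1 base scores used to rank the weaknesses behind each inferred threat, as Sect 3.3.2 envisages) as a small runnable Python sketch. This is an added example for this page, not the authors' OntoSecAI artefact: the property names (hasWeakness, exploits, mitigatedBy, recommends, cvssVector), the two rules and every instance are constructed assumptions, and the paper's own risk scoring model is not reproduced; only the CVSS v3.1 base-score formula follows the published specification.

```python
"""Toy re-implementation of the Sect 3.1 pipeline: a small knowledge base split into
the three sub-ontologies, SWRL-style rules run to a fixpoint by a forward-chaining
reasoner, and CVSS v3.1 base scores ranking the weakness behind each inferred threat.
Added illustration for this page, not the paper's artefact."""
import math

# --- Minimal triple store standing in for the OWL knowledge base ----------------
class KnowledgeBase:
    def __init__(self):
        self.triples = set()                    # (subject, predicate, object) triples

    def add(self, s, p, o):
        self.triples.add((s, p, o))

    def objects(self, s, p):                    # all o with (s, p, o) in the KB
        return {o for (x, q, o) in self.triples if x == s and q == p}

    def subjects(self, p, o):                   # all s with (s, p, o) in the KB
        return {s for (s, q, x) in self.triples if q == p and x == o}

# --- SWRL-style inference rules (property names are assumed, not the paper's) ----
# Rule 1: Asset(?a) ^ hasWeakness(?a,?w) ^ exploits(?t,?w) -> threatenedBy(?a,?t)
def rule_threatened_by(kb):
    return {(a, "threatenedBy", t)
            for a in kb.subjects("rdf:type", "Asset")
            for w in kb.objects(a, "hasWeakness")
            for t in kb.subjects("exploits", w)}

# Rule 2: threatenedBy(?a,?t) ^ mitigatedBy(?t,?m) -> recommends(?a,?m)
def rule_recommends(kb):
    return {(a, "recommends", m)
            for (a, p, t) in kb.triples if p == "threatenedBy"
            for m in kb.objects(t, "mitigatedBy")}

def reason(kb, rules):
    """Forward-chain until no rule yields a new triple (the reasoner's fixpoint)."""
    while True:
        fresh = set().union(*(rule(kb) for rule in rules)) - kb.triples
        if not fresh:
            return kb
        kb.triples |= fresh

# --- CVSS v3.1 base score: metric weights and Roundup() as in the FIRST spec -----
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
       "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # scope changed
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def _roundup(x):
    """Smallest one-decimal value >= x, with the spec's guard against float noise."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector):
    m = dict(part.split(":") for part in vector.split("/")[1:])   # drop "CVSS:3.1"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    changed = m["S"] == "C"
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * _PR[m["S"]][m["PR"]] * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if changed else total, 10))

# --- Constructed sample instances (names and vectors invented for this demo) -----
def build_demo_kb():
    kb = KnowledgeBase()
    for asset, cls in [("ChatbotService", "Software"), ("TrainingCorpus", "Data")]:
        kb.add(asset, "rdf:type", "Asset")                  # assets-driven sub-ontology
        kb.add(asset, "rdf:type", cls)
    kb.add("ChatbotService", "hasWeakness", "UnfilteredPromptInput")
    kb.add("TrainingCorpus", "hasWeakness", "UnverifiedDataSource")
    # weaknesses-driven sub-ontology: each weakness carries its CVSS v3.1 vector
    kb.add("UnfilteredPromptInput", "cvssVector", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
    kb.add("UnverifiedDataSource", "cvssVector", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N")
    # threats-driven sub-ontology: threats, the weakness each exploits, mitigations
    kb.add("PromptInjection", "exploits", "UnfilteredPromptInput")
    kb.add("DataPoisoning", "exploits", "UnverifiedDataSource")
    kb.add("PromptInjection", "mitigatedBy", "InputSanitisation")
    kb.add("DataPoisoning", "mitigatedBy", "DataProvenanceChecks")
    return kb

def assess(kb):
    """Run the reasoner, then rank each asset's inferred threats by the CVSS score of
    the weakness they exploit and attach the mitigations inferred for that asset."""
    reason(kb, [rule_threatened_by, rule_recommends])
    report = {}
    for a in sorted(kb.subjects("rdf:type", "Asset")):
        rows = []
        for t in kb.objects(a, "threatenedBy"):
            for w in kb.objects(a, "hasWeakness") & kb.objects(t, "exploits"):
                score = max(cvss31_base_score(v) for v in kb.objects(w, "cvssVector"))
                rows.append({"threat": t, "weakness": w, "cvss": score})
        rows.sort(key=lambda r: -r["cvss"])
        report[a] = {"threats": rows, "mitigations": sorted(kb.objects(a, "recommends"))}
    return report
```

Calling `assess(build_demo_kb())` yields PromptInjection (CVSS 9.8) with InputSanitisation for ChatbotService and DataPoisoning (CVSS 5.4) with DataProvenanceChecks for TrainingCorpus; the report is the kind of summary the approach's automated reporting step produces, here without the paper's risk score.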
3.2 Data collection and validation
In this study, the data is collected from four widely recognized cybersecurity repositories: OWASP AI [13], CWE [45], MITRE ATLAS [7], and CAPEC [46], which provide highly comprehensive data that form the foundation of the ontological structure. These repositories are chosen because they provide community-validated data, which makes them highly relevant to AI threat modelling. Data are extracted from OWASP AI and MITRE ATLAS through a semi-automated process, since both repositories provide structured and downloadable formats. In contrast, data from CWE and CAPEC required manual curation to ensure contextual relevance and proper mapping to specific threats. This hybrid approach ensured that only AI-relevant data is included. Table 2 presents the complete statistics of the ontological data, including classes and their corresponding instances.
To ensure the data compliance with our approach, it is validated through a two-step process: (1) collected data are cross-checked against definitions provided in the repositories, ensuring consistency with community-accepted standards; (2) class definitions and their mappings are reviewed through an expert validation exercise involving two domain experts in cybersecurity and AI, who verified that the classes and relationships are relevant, correctly classified, and semantically consistent. This process ensured that the ontology not only reflected widely recognized terminologies but also maintained accuracy for AI threat modelling.
3.3 Ontology design
To design the domain ontology using a standard conceptual language, we adopted OntoUML [47], a modelling language that extends Unified Modelling Language (UML) with a formal ontological foundation to ensure semantic soundness. Unlike standard UML, OntoUML distinguishes classes through specific stereotypes (e.g., <<kind>>, <<quantity>>), providing ontological clarity beyond object-oriented abstractions. It also supports precise relationships, including part–whole associations (aggregation, composition) and generalizations, enabling precise representation of complex domains. Cardinality in diagrams specifies the number of instances allowed in a relationship, thereby ensuring a precise and unambiguous interpretation (for example, 1 denotes exactly one instance, while 1..* indicates one or more).
Table 3 defines 29 core ontology classes, which capture adversarial behavior (e.g., Tactics, Techniques, Adversary, Threats), system assets (e.g., Software, Data, Platform, etc.), system properties and vulnerabilities (e.g., CIA, Weaknesses, Risks), and defensive mechanisms (e.g., Mitigations, Security Mechanisms). Table 4 summarizes the 18 relationships connecting the ontology classes.
The main ontology consists of three sub-ontologies. The implementation of these ontologies involves the conversion of conceptual models into a functional ontology. This process, guided by our approach, ensures that all relationships and logical constraints are instantiated accurately, making the ontology ready for automated reasoning. The conceptual designs and compositions of the three proposed ontologies are presented as follows:
3.3.1 Assets-driven sub-ontology.
Fig 2 illustrates the conceptual model designed to create an assets-driven sub-ontology, representing AI systems and their associated assets. Due to the increasing vulnerability of these assets to various attacks [48], the ontology emphasizes effective asset management and threat identification. The development of this ontology underscores the need to consider a wide range of assets, encompassing software and hardware components, as well as network communications. Within the model, relationships are carefully defined to show how assets are related to other classes, such as security threats and inherent weaknesses.
3.3.2 Weaknesses-driven sub-ontology.
The weaknesses-driven sub-ontology forms a key component of the main ontology, designed to enhance the modelling of weaknesses in AI-enabled systems. As illustrated in Fig 3, its conceptual model specifically structures known weaknesses and vulnerabilities associated with AI systems. The vulnerabilities are derived from two primary sources: OWASP AI and CWE, which provide a comprehensive overview of potential security weaknesses. By systematically organizing these weaknesses, the sub-ontology enables security professionals to identify and prioritize the most critical weaknesses requiring attention.
3.3.3 Threats-driven sub-ontology.
The threats-driven conceptual model, as shown in Fig 4, is employed for threats-driven sub-ontology. We extract security threats from the MITRE ATLAS and CAPEC, which offer a comprehensive catalog of tactics, techniques, and mitigations. Additionally, we incorporate mitigation strategies from OWASP AI and MITRE ATLAS to ensure a robust foundation for addressing these threats. Furthermore, we integrate the AI lifecycle into this ontology, enabling the mapping of mitigation mechanisms to the corresponding phases of the lifecycle to effectively prevent potential threats.
3.4 Threat modelling rules
Threat modelling automation in AI systems uses inference rules specified through the SWRL. These rules, processed by an automated reasoner, facilitate the mapping of security threats to the corresponding components of the system. SWRL rules consist of two components: the antecedent and the consequent. The antecedent defines the conditions that must be satisfied for the rule to apply, while the consequent specifies the actions to be executed if the antecedent conditions are met. This can be mathematically expressed as: If P, Then Q
In the context of the rule , it asserts that if P is true, then Q must also be true. Consequently, the inference rules shown in Table 5 are derived to identify threats to assets. The specific relationships used in these rules are defined in Table 6. The first 19 relationships are used to express the antecedent, while the 20th relationship is used for the consequent, which is consistent with its definition in Table 4.
Mathematically, a general SWRL rule infers relationships based on classes and relationships within an ontology , where
,
, and
represent classes, relationships, and axioms within the ontology, respectively. The structure of the rule can be given as:
represent class from the set of classes
.
represent relationship from the set of relationships
.
are user-defined variables for classes.
This generalized form illustrates that SWRL rules are constructed over the ontology schema by specifying ontology classes and relationships. In total, 30 inference rules are designed and executed to capture adversarial attack scenarios. These rules are implemented in Protégé and processed using an automated reasoner, ensuring output that is both machine-readable and human-interpretable.
To evaluate the correctness and feasibility of these rules, we perform a quantitative assessment in terms of the coverage of the rules and logical consistency. Furthermore, computational performance is measured by recording the execution time required per rule. The evaluation focuses primarily on qualitative aspects, such as the accuracy and coverage of the rules.
3.5 Assessment
3.5.1 Risk assessment.
Risk assessment systematically identifies, analyzes, and manages risks associated with a system [49]. The core of this assessment involves calculating risk by evaluating two key factors: likelihood and impact, based on identified security threats [39]. The likelihood measures the probability that a threat will successfully exploit a vulnerability in the AI system. It can be assessed using threat scenarios, historical data, and expert judgment. Impact, on the other hand, refers to the potential consequences of successful threat exploitation, including financial loss, reputational damage, and operational disruption.
The risk assessment frequently employs a 3x3 risk matrix [50] and is classified into high, medium, and low categories, as shown in Table 7. These categories can also be represented by scores of 3, 2, and 1, respectively, which serve as a guide for the urgency of mitigation efforts [50]. To calculate risk, we used the classic formula [39]:(3)
Where Li denotes the likelihood value of the i-th threat, Ii indicates the impact value of the i-th threat, and R (Ti) represents the calculated risk value for the i-th threat.
3.5.2 Vulnerability assessment.
Vulnerability assessment is a crucial process that identifies and quantifies weaknesses within a system [49]. CVSS is a widely recognized tool for evaluating the severity of vulnerabilities. CVSS relies on mandatory base metrics that must be included in the evaluation, as shown in Table 8. Temporal and environmental metrics are optional and need not be considered in the evaluation [51]. The resulting score, which is based on the base metrics, can be translated into qualitative categories (none, low, medium, high, and critical), helping stakeholders prioritize their vulnerability management efforts effectively.
Using the Exploitability and Impact scores, we calculate the final base score. The Exploitability score reflects how easily a vulnerability can be exploited, while the Impact score measures the potential damage caused by a successful exploit. The score is calculated with the following formulas, which are based on the CVSS v3.1 metrics. The final rating scale is shown in Table 9.
- Exploitability Score: The Exploitability score is calculated using the formula:
(4)
- Impact Score: The Impact score depends on whether the Scope (S) is unchanged (U) or changed (C):
- Base Score: The final Score is calculated based on the condition of Unchanged and Changed Scope:
3.6 Automated reasoner
An automated reasoner operates on a knowledge base (built from an ontology) to perform key inference tasks. After the reasoner has run, the resulting knowledge base, enriched with inferred relationships, provides a comprehensive resource for assessing threats, vulnerabilities, mitigation strategies, and security posture within AI-enabled systems. It also serves as a basis for continuous monitoring and updating, adapting to the evolving threat landscape and emerging vulnerabilities.
3.7 Querying knowledge
Description logic (DL) can be used to retrieve knowledge using expressions based on the defined relationships [52]. Identifying which assets are threatened by a specific threat can be expressed as follows:
Let:
- A represents Threat (Individual).
- C0 represents a specific Asset (Class).
- R represents IsThreatenedBy (ObjectProperty).
The DL Query for individuals of the specific asset class that are threatened can be represented as:
represents the set of all individuals c such that the conditions following the "
" are true.
means that c is an individual belonging to the specific Asset Class C0.
means that the individual asset c is related to a specific threat individual a through the IsThreatenedBy property.
This query returns all individuals that are members of the specific Asset Class C0 and have an IsThreatenedBy relationship with the individual representing a threat.
4 Validation and verification
To validate the research questions, we leveraged 10 MITRE ATLAS case studies (CS) [7], as shown in Table 10, that reveal a diverse collection of attack vectors, including evasion, poisoning, and model replication. In particular, these threats are no longer limited to controlled environments but actively target production systems, underscoring the need for a comprehensive ontology that can evolve in response to emerging threat intelligence. Moreover, to mitigate potential selection bias in choosing these case studies, we ensured their relevance to AI-enabled systems and diversity in security contexts. The selection criteria included broad asset coverage, representation of diverse AI-specific attack vectors, inclusion of a wide range of known vulnerabilities, and coverage of distinct phases of the attacker tactics. This systematic approach ensured a thorough coverage of our ontology scope and effectively tested its ability to represent a variety of AI systems.
To answer RQ1, this study investigates the effectiveness of the designed ontology in addressing the challenges of inconsistent or insufficient representation of AI systems. By developing a formal data representation and automating the threat identification process, this RQ aims to enhance security analysis capabilities across the evolving AI threat landscape. For this evaluation, the case studies serve as a foundation for assessing how the ontology can encapsulate and integrate data within a unified knowledge base.
To begin with, the ontologies are crafted to provide a general representation of AI assets. These ontologies include classes and subclasses that standardize the description of various AI assets across systems, ensuring unified representation. Table 11 outlines how the assets identified across all cases are represented in the ontology. These classes are structured hierarchically to reflect their interrelationships within the system. For example, a Deep Learning Detector is modelled as a sub-asset of a Security Mechanism, which in turn is a sub-asset of an Asset. Consequently, the Deep Learning Detector is classified as a sub-sub-asset of an Asset. This organization facilitates a clear and consistent representation of the relationships among various AI system components, thereby enhancing the semantic clarity of the ontology.
Building upon the foundational representation, the ontology establishes relationships that describe interactions between entities, covering a broad spectrum of interactions. For example, in the case of "CS001", we discover a threat named "Detection Evasion", which provides broad information through various relationships, as follows:
- Name: Detection Evasion
- Type: Security Threat
- Has: High Risk
- Description: This type of threat involves techniques designed to evade detection from AI-powered security systems. Attackers may use methods that manipulate data inputs in a way that causes the AI model to misclassify or overlook malicious activities. This can include the use of adversarial examples that subtly alter data points so they appear benign to AI models but are malicious.
- IsMitigatedBy:
  - AML.M0003 (Model Hardening)
  - AML.M0015 (Adversarial Input Detection)
  - OWASP.M0019 (Input Validation)
- Exploits:
  - Training Data Poisoning
  - Improper Input Validation
  - Deserialization of Untrusted Data
- Violates: Integrity, Confidentiality
- IsInitiatedBy: Bots
- Individual: AML.A0001
- Techniques LeadsTo Threat:
  - AML.T0000 → AML.A0001
  - AML.T0006 → AML.A0001
  - AML.T0015 → AML.A0001
  - AML.T0043 → AML.A0001
The description of this threat highlights its capability to define risk and suggest mitigation measures. It also identifies which weaknesses are potentially exploited and which properties are violated by this threat. Additionally, it identifies the adversarial techniques that could contribute to this threat. Thus, ontology facilitates the description of entities and their relationships with other entities to provide complete information that guides the development of effective countermeasures, ensuring the security of AI systems.
Moreover, to enhance the inferential capabilities, the ontology incorporates inference rules to enforce logical consistency across AI systems. SWRL specifies logical rules using threat scenarios to identify potential threats to at-risk assets and facilitate mitigation strategies. For instance, in the case of CS002, we outline the scenario and apply the rule that identifies threats to a machine translation system's model, as detailed below:
Rule Scenario: If a model is replicated for an adversarial attack, then this model is threatened by a model replication attack.
SWRL Rule: Model(?M), IsReplicatedBy(?M, ?A), AMLA0004(?T), Adversary(?A) -> IsThreatenedBy(?M, ?T).
Rule Mapping: Replication Attack to Model
Furthermore, to ensure a holistic perspective, the ontology integrates the stages of the AI lifecycle, including data understanding, data preparation, model engineering, model evaluation, deployment, monitoring, and maintenance. This coverage ensures that the standardization process encompasses the entire AI lifecycle, facilitating the integration of a vast number of mitigation mechanisms and updates. For example, the following stages incorporate several mitigation strategies that can be applied in response to emerging threats and vulnerabilities.
- 06 Mitigations AreIncludedIn Business and Data Understanding
- 08 Mitigations AreIncludedIn Data Preparation
- 17 Mitigations AreIncludedIn Model Engineering
- 14 Mitigations AreIncludedIn Model Evaluation
- 15 Mitigations AreIncludedIn Deployment
- 14 Mitigations AreIncludedIn Monitoring and Maintenance
Complementarily, to provide a broader context, the ontology also integrates the tactics and techniques used by adversaries, providing a more general view of the security landscape; for example, in case studies, various tactics and techniques are used by the adversary, as shown in Table 12.
Ultimately, enabling practical application, the ontology can be queried to extract information. DL queries are a powerful way to retrieve specific knowledge that is explicitly stated or logically implied within the ontology. Hence, the ontology supports a wide range of such information retrieval requests, enabling users to explore and understand the relationships and characteristics of the concepts (like assets and threats) defined within it.
- Query: Assets and (IsThreatenedBy value AML.A0022)
- Query Results:
  - Training Data
  - Validation Data
  - Digital Data
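The following is an added example, not the authors' implementation, showing how the SWRL rule of Section 3.4 (the CS002 model-replication rule above) and the DL query of Section 3.7 (Assets and (IsThreatenedBy value AML.A0022)) can be evaluated by a small forward-chaining reasoner over a constructed knowledge base. The individuals, the subset of the class hierarchy, and the second rule with its IsManipulatedBy property are assumptions made for illustration; only the rule shape and the query are taken from the paper.

```python
# Added example (not the paper's code): a minimal forward-chaining reasoner for
# SWRL-style rules over a small OntoSecAI-like knowledge base, plus a DL-style
# query "Class and (property value individual)". Facts are constructed samples.
from collections import defaultdict


class KnowledgeBase:
    """Class assertions, subclass axioms and object-property assertions."""

    def __init__(self):
        self.members = defaultdict(set)   # class -> asserted individuals
        self.parents = defaultdict(set)   # class -> direct superclasses
        self.triples = defaultdict(set)   # property -> {(subject, object)}

    def add_subclass(self, child, parent):
        self.parents[child].add(parent)

    def assert_class(self, cls, individual):
        self.members[cls].add(individual)

    def assert_property(self, prop, subject, obj):
        """Return True if the triple was new (used to detect the fixpoint)."""
        if (subject, obj) in self.triples[prop]:
            return False
        self.triples[prop].add((subject, obj))
        return True

    def instances(self, cls):
        """Individuals of cls including those of all transitive subclasses."""
        result = set(self.members[cls])
        for child, parents in self.parents.items():
            if cls in parents:
                result |= self.instances(child)
        return result

    def dl_query(self, cls, prop, value):
        """DL query 'cls and (prop value v)': individuals c in cls with prop(c, v)."""
        return sorted(c for c in self.instances(cls) if (c, value) in self.triples[prop])


# A rule is (antecedent atoms, consequent atom). Atom = (name, args); a 1-ary atom is a
# class atom, a 2-ary atom a property atom; arguments starting with '?' are variables.
def _candidates(kb, atom):
    name, args = atom
    if len(args) == 1:
        return [(i,) for i in kb.instances(name)]
    return list(kb.triples[name])


def _unify(args, values, binding):
    """Extend binding so that args match values, or return None on conflict."""
    new = dict(binding)
    for term, val in zip(args, values):
        if term.startswith("?"):
            if new.get(term, val) != val:
                return None
            new[term] = val
        elif term != val:
            return None
    return new


def _match(kb, atoms, binding):
    """Yield every variable binding that satisfies all antecedent atoms."""
    if not atoms:
        yield binding
        return
    for values in _candidates(kb, atoms[0]):
        b = _unify(atoms[0][1], values, binding)
        if b is not None:
            yield from _match(kb, atoms[1:], b)


def apply_rules(kb, rules, max_rounds=50):
    """Forward-chain until no rule adds a fact; return the number of inferred triples."""
    inferred = 0
    for _ in range(max_rounds):
        added = 0
        for body, (prop, (s, o)) in rules:
            for b in list(_match(kb, body, {})):
                if kb.assert_property(prop, b.get(s, s), b.get(o, o)):
                    added += 1
        if added == 0:
            break
        inferred += added
    return inferred


# The CS002 rule as written in the paper:
# Model(?M), IsReplicatedBy(?M, ?A), AMLA0004(?T), Adversary(?A) -> IsThreatenedBy(?M, ?T)
RULE_MODEL_REPLICATION = (
    [("Model", ("?M",)), ("IsReplicatedBy", ("?M", "?A")),
     ("AMLA0004", ("?T",)), ("Adversary", ("?A",))],
    ("IsThreatenedBy", ("?M", "?T")),
)
# Constructed rule of the same shape for threat AML.A0022 (IsManipulatedBy is an assumption).
RULE_DATA_MANIPULATION = (
    [("Data", ("?D",)), ("IsManipulatedBy", ("?D", "?A")),
     ("AMLA0022", ("?T",)), ("Adversary", ("?A",))],
    ("IsThreatenedBy", ("?D", "?T")),
)


def build_kb():
    """Constructed knowledge base covering the CS002 scenario and the AML.A0022 query."""
    kb = KnowledgeBase()
    kb.add_subclass("Data", "Assets")      # constructed subset of the class hierarchy
    kb.add_subclass("Model", "Assets")
    kb.assert_class("Model", "Machine Translation Model")   # constructed individual
    kb.assert_class("Adversary", "Adversary_1")             # constructed individual
    kb.assert_class("AMLA0004", "AML.A0004")
    kb.assert_class("AMLA0022", "AML.A0022")
    kb.assert_property("IsReplicatedBy", "Machine Translation Model", "Adversary_1")
    for data in ("Training Data", "Validation Data", "Digital Data"):
        kb.assert_class("Data", data)
        kb.assert_property("IsManipulatedBy", data, "Adversary_1")
    kb.assert_class("Data", "Test Data")   # constructed: untouched, so must not be returned
    return kb


def run_example():
    kb = build_kb()
    n = apply_rules(kb, [RULE_MODEL_REPLICATION, RULE_DATA_MANIPULATION])
    return {
        "inferred": n,
        "model_threats": sorted(o for s, o in kb.triples["IsThreatenedBy"]
                                if s == "Machine Translation Model"),
        "assets_threatened_by_A0022": kb.dl_query("Assets", "IsThreatenedBy", "AML.A0022"),
    }
```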
To conclude, our ontology-driven approach may help address domain-specific challenges by establishing a formal vocabulary. Although not yet a widespread or standardized vocabulary, it offers a shared knowledge base that can support consistent understanding and implementation of AI security measures across different systems. This knowledge base also has the potential to facilitate collaboration among various stakeholders.
RQ1 Summary: Our findings indicate that the ontology supports a unified representation of knowledge and provides broader coverage of AI-specific threat modelling aspects compared to existing approaches. In particular, the ontology captures (1) AI-specific assets, (2) weaknesses, (3) security threats, and their (4) potential mitigations, (5) AI lifecycle stages, and (6) adversarial tactics and techniques in a single knowledge base, while also linking them to risk and vulnerability assessments. This integrated view enables reasoning across different dimensions of AI security that, to our knowledge, are not jointly addressed in prior research.
To answer RQ2, we evaluated the effectiveness of the inference rules in accurately identifying potential threats to system assets across various AI systems through the case studies. These rules are crafted to detect a wide array of security threats to AI systems by automating the threat identification process.
To begin with, by automating threat identification, these rules demonstrate the capability to uncover vulnerabilities that might otherwise remain undetected in complex AI environments. Table 13 summarizes the potential threats to AI systems together with the corresponding assets affected, the mitigations suggested, and the vulnerabilities that the threats can potentially exploit.
For instance, in the case of CS0001, the threat labeled Detection Evasion targets the Deep Learning Detector, a critical asset responsible for identifying malicious or adversarial behaviors. This threat involves attempts by adversaries to bypass detection mechanisms, often by exploiting weaknesses within AI models. To mitigate such risks, several measures are recommended: (1) Model Hardening, which involves strengthening the model against adversarial attacks through techniques such as adversarial training; (2) Adversarial Input Detection, to identify and filter potentially malicious inputs before they affect model performance; and (3) Validation of Machine Learning Models, ensuring regular evaluation to detect vulnerabilities. The identified vulnerabilities associated with this threat include CWE-20: Improper Input Validation, where unvalidated inputs allow system manipulation, and LLM03: Training Data Poisoning, where adversaries inject malicious samples into training datasets to corrupt the model’s behavior.
In addition, the rules are effective in maintaining a high level of accuracy. For example, rules targeting specific threats like detection evasion are not only accurate in their identification but also adaptable to various AI system components, such as chatbots, facial recognition systems, and authentication mechanisms.
Finally, the rules identify which mitigation measures for the respective threats can be incorporated at their respective lifecycle stages. This ensures that security is integrated throughout the AI system's development process. For example, during the Model Engineering phase, we can incorporate mitigation measures such as:
- Model Hardening
- Model Obfuscation
- Adversarial Input Detection
In general, inference rules effectively uncover threats and vulnerabilities with high accuracy. Their integration across lifecycle stages enhances proactive security, validating their role in strengthening AI threat modelling. The results demonstrated consistency and accuracy in mapping threats and vulnerabilities to their respective entities of the AI system. Importantly, the rules enabled proactive identification of risks before deployment, highlighting their usefulness in early-stage threat modelling. From a performance perspective, the reasoning achieved 100% logical consistency with no redundant or contradictory outputs, and each rule executed in less than two seconds, demonstrating computational feasibility. Hence, the current validation primarily across case studies emphasizes qualitative accuracy and coverage.
RQ2 Summary: Our findings demonstrate that the inference rules help to identify security threats to AI-enabled system assets, reveal their effectiveness in mapping out potential vulnerabilities, and corresponding mitigation strategies.
To answer RQ3, we examine how the ontology supports the assessment of AI-enabled systems in alignment with threat modelling: the ontology reduces the likelihood of inconsistencies in the evaluation of different AI systems. For example, when assessing the risks of identified threats, the ontology-based approach allows the calculation of the key risk factors, likelihood and impact, as illustrated in Table 14 for all cases. This ensures that the risk assessment process remains consistent, regardless of who assesses the AI system. The final risk score represents the severity of a threat: a score of 6 indicates high severity, whereas a score of 4 denotes medium severity. For example:
- CS0001 - Detection Evasion Has High Severity
- CS0008 - Prompt Injection Has Medium Severity
Similarly, the severity of each system weakness is assessed using the CVSS metrics, which assign a numerical score ranging from 0 to 10 to quantify the severity of each identified weakness. A higher score indicates greater severity and urgency, while a lower score reflects a less critical weakness. In the case studies, we identified the potential weaknesses along with their severity scores, as shown in Table 15. This scoring helps prioritize which vulnerabilities require immediate attention and remediation. For example, CWE-20 (Improper Input Validation) is rated with the highest severity (score 10) in 4 case studies, implying that it is a critical and common weakness that can lead to serious exploitation if not addressed. LLM03 (Training Data Poisoning), with a high score (7.4) in 3 case studies, shows that data integrity attacks on large language models are also a major concern, particularly for AI models relying heavily on external data.
In general, the findings underscore the need to implement targeted mitigation strategies for both high-risk threats and high-severity vulnerabilities. The findings also emphasize the effectiveness of using risk and severity-based scoring systems in systematically prioritizing security efforts.
RQ3 Summary: Our findings reveal that the ontology-driven method provides a structured and semantically consistent approach to risk and vulnerability assessment in AI-enabled systems. Unlike previous approaches, which often rely on manual evaluations or lack assessment mechanisms, our method enhances consistency among stakeholders and delivers assessment benefits aligned with established threat-modelling practices.
To verify the correctness and completeness of ontology-driven threat modelling, we adopt a theorem-based approach to formally validate the transformation process [53,54]. In this context, transformation refers to the formal mapping of ontological elements from their initial representation into their updated representation after the application of inference rules and reasoning mechanisms. This validation ensures that, before and after the automated reasoner’s execution, the transformation preserves the logical structure of the ontology. Specifically, it guarantees that the integrity of relationships, classes, and objects within the ontology, i.e., the logical connections among these elements, remains consistent and is not disrupted throughout the reasoning process. Here, correctness ensures that the inference rules and reasoning steps do not introduce contradictions or invalid relationships in the ontology. In contrast, completeness ensures that all classes, objects, and relationships derivable from the ontology are indeed captured and represented during the reasoning process.
Correctness of ontology-driven approach
Ensuring the correctness of an ontology-driven solution requires that the transformation preserve logical consistency and semantic soundness. As established in prior ontology engineering studies [55,56], correctness can be demonstrated through structural induction, where transformation maintains the validity of the ontology’s axioms and relationships.
To verify correctness, consider classes S, objects a, and relationships c. The correctness can be proved by demonstrating the truth of the following expression:
Here, O represents the ontology, which consists of classes, objects, and relationships; represents the ontology before transformation (T), and
represents the ontology after transformation (T).
Base case.
In the base case, we establish the conditions for the transformation process:
- S = S: The component S in its initial state remains unchanged before transformation.
- a = a: Similarly, the component a remains unchanged before the transformation.
- c = c: Likewise, the component c remains unchanged before the transformation.
These statements emphasize that no change has occurred yet; each component is in its original state. Using these conditions, the base case for performing the transformation is represented as:
The base case implies that the ontology (O) along with its components, S, a, and c undergoes a process that changes their state from "before" to "after," but these remain consistent and the same before and after the transformation.
Induction hypothesis.
To extend the proof, we use an induction hypothesis. Assume: . Substituting these into expression (10) gives us expression (12):
To further verify the correctness, we transform the ontologies along with their classes, objects, and relationships. After the transformation process, the ontology equation becomes:
By applying the induction hypothesis, the state of the ontology after the transformation process becomes:
By applying the transitivity relation between steps (13) and (14), the resulting transformation is:
Hence, the final equation (15) proves expression (10), confirming that the ontology-driven approach is correct. The equation demonstrates the accurate transformation process from to
.
Completeness of ontological-driven approach
In addition to correctness, completeness ensures that all relevant entities and relationships within the domain are representable and inferable through the ontology. Previous works [56,57] define completeness as the preservation of structural integrity and inferential coverage after transformation. Building on this, our verification process demonstrates that every defined entity, relationship, and rule within OntoSecAI-DO remains intact and inferable following reasoning.
To verify completeness, the proof should demonstrate the preservation of structural integrity within the scope of the defined ontology and its associated inference rules. In this context, equation (16) confirms that all entities and relationships specified in the ontology are preserved throughout the transformation process. This preservation is guaranteed under the assumption of correctness, as formally established in equation (15).
In this expression:
represents the state of the ontology before transformation.
represents the state of the ontology after transformation.
denotes the complete ontology or knowledge base.
Base case.
For the base case, we start by considering the basic transformation, which can be represented as follows:
Here, we know that the initial state is equivalent to the ontology O. Therefore, the expression simplifies to:
This base case shows that the transformation retains the integrity of the ontology’s basic structure.
Induction hypothesis.
To extend this proof through induction, we assume that the hypothesis holds for the transformation. Specifically, let and
. Under this assumption, expression (16) from the previous section becomes:
This expression represents the transformation process leading to the complete ontology. Within this ontology, the classes (S), objects (a), and relationships (c) constitute the core elements of the ontology (O), such that . The transformation process can be summarized by the following expression:
We know that when a transformation is applied, the resulting ontological state is equivalent to an ontological state represented as
:
Furthermore, based on the formal definition of completeness, we assert that:
Applying the transitivity relations of equations (21) and (22), we obtain:
The expression (23) shows that after transformation, the ontology consists of all classes, objects, and relationships. Further, given the expressions (20) and (23) and their transitive relations, we conclude that:
The final equation (24) confirms that the transformation of the ontology is complete, as it fully encompasses the structure and relationships initially present in the ontology O. The completeness of our framework is thus proven in terms of ensuring that all necessary components of the ontology are preserved and completely transformed through each stage of the process.
5 Threats to validity
This section recognizes and addresses potential threats to the robustness of the proposed approach. By recognizing and mitigating these threats, this study ensures the integrity of its methodology, from internal consistency to the generalizability and applicability of its findings.
Threats to Internal Validity include the influence of confounding factors on the methodology. These factors may include limitations of the tool used, ambiguities in the entities’ definition, and contextual differences among them, which could affect the accuracy of the approach. To mitigate such threats, this study used a formal vocabulary that ensures consistent and precise definitions of all relevant entities. In addition, a standard tool designed for automation is employed, which further minimizes the impact of the confounding factors. Hence, it ensures that any contextual differences do not adversely affect the accuracy of the overall approach.
Threats to External Validity stem from the domain-specific focus of this study. Since the research primarily targets AI-enabled systems, the generalizability of the proposed approach to other domains may be constrained. However, while the study remains AI-centric, it contributes as a foundational structure that could be adapted and extended to support security automation in other technological domains in the future.
Threats to Construct Validity may arise from inaccuracies in the definition and representation of ontologies, inference rules, and the assessment of risks and vulnerabilities. To mitigate this, the study populated the ontologies using a formal vocabulary carefully selected from four recognized repositories, which was then refined to support the consistent modelling of threats and vulnerabilities in AI-enabled systems. Inference rules are formally designed using SWRL, enabling a consistent and machine-interpretable representation of security logic across AI-enabled systems. Furthermore, risk and vulnerability assessments are conducted using established metrics, ensuring alignment between theoretical constructs and the study’s measures. Hence, these measures strengthen the validity of the evaluated constructs.
Threats to Conclusion Validity may arise if there are inaccuracies in the results obtained from case studies after validation. These inaccuracies can potentially undermine the credibility of the findings. In this study, a large number of case studies are used to demonstrate the effectiveness of the proposed approach. To further support the reliability of the conclusions drawn, the approach is also verified using mathematical theorems, ensuring both completeness and correctness. This dual validation strategy, i.e., demonstration through case studies and theoretical verification, helps in enhancing the overall reliability of the research results.
6 Conclusion
In this study, we presented an automated threat modelling approach that utilizes ontologies to improve AI security. This work is motivated by the fact that the widespread use of AI-enabled systems presents significant security challenges, with studies revealing their high vulnerability to various threats. Furthermore, the growing availability of AI technologies, particularly large language models like ChatGPT, Gemini, and Llama, has intensified these risks by introducing new avenues for potential threats. This presents a critical problem to existing threat modelling practices, as these new attack surfaces are often not well-documented or understood. To address these challenges, we proposed the OntoSecAI approach, in which ontologies are populated with data from well-established repositories. This practice ensures that the knowledge base provides a verifiable and accurate representation of adversarial behavior and the security posture of AI-enabled systems, a comprehensive and data-driven foundation that is essential for producing reliable threat modelling. Our findings reveal that domain ontology plays a crucial role in providing a comprehensive and consistent knowledge base for terminology and structural definitions across diverse AI systems, which in turn facilitates a shared understanding of security concepts among stakeholders and enables the implementation of more appropriate security controls. Additionally, the use of inference rules has proven highly effective in accurately identifying potential threats to system assets across various AI systems, significantly improving threat detection capabilities. By contributing to more accurate and consistent risk and vulnerability assessments, ontologies provide a well-defined approach to evaluating and managing risks and potential weaknesses in AI systems. 
In future work, we plan to enrich the ontology with additional data sources and to expand the set of inference rules so that emerging threats can be captured and their identification automated.
References
- 1. Vinothkumar J, Karunamurthy A. Recent advancements in artificial intelligence technology: Trends and implications. qijmsrd. 2023;2(1):1–11.
- 2. Sadiku MNO, Ashaolu TJ, Ajayi-Majebi A, Musa SM. Artificial intelligence in social media. Int J Sci Adv. 2021;2(1).
- 3.
Ullah U, Laudanna S, Vinod P, Di Sorbo A, Visaggio CA, Canfora G. Beyond words: Stylometric analysis for detecting AI manipulation on social media. In: European symposium on research in computer security; 2024. p. 208–28.
- 4.
OpenAI. ChatGPT. https://chat.openai.com/. Accessed 2024.
- 5. Hu K. ChatGPT sets record for fastest-growing user base-analyst note. Reuters. 2023;2023:12.
- 6. Yazmyradov S. A comprehensive review of AI security: Threats, challenges, and mitigation strategies. Int J Internet Broadcast Commun. 2024;16(4):375–84.
- 7.
ATLAS M. Adversarial threat landscape for artificial-intelligence systems; 2024. https://atlas.mitre.org.
- 8. Mintoo AA, Nabil AR, Alam MA, Ahmad I. Adversarial machine learning in network security: A systematic review of threat vectors and defense mechanisms. ITEJ. 2024;1(01):80–98.
- 9. Malik J, Muthalagu R, Pawar PM. A systematic review of adversarial machine learning attacks, defensive controls, and technologies. IEEE Access. 2024;12:99382–421.
- 10. Oduri S. AI-powered threat detection in cloud environments. IJRITCC. 2021;9(12):57–62.
- 11.
Roy I, Modak R, Ghosh E, Rahaman SN, Chatterjee S, Majumder K, Shaw RN, Ghosh A. A review on machine learning based security in edge computing environment. In International conference on advanced communication and intelligent systems. Cham: Springer Nature Switzerland; 2023 Jun 16. p. 120–37.
- 12. Jada I, Mayayise TO. The impact of artificial intelligence on organisational cyber security: An outcome of a systematic literature review. Data Inform Manag. 2024;8(2):100063.
- 13.
OWASP T. OWASP top 10 for large language model applications.
- 14. Wang X, Li J, Kuang X, Tan Y, Li J. The security of machine learning in an adversarial setting: A survey. J Parall Distrib Comput. 2019;130:12–23.
- 15.
Lyu L, Yu H, Zhao J, Yang Q. Threats to federated learning. Federated Learning: Privacy and Incentive. Cham: Springer International Publishing; 2020. p. 3–16.
- 16. Akhtar N, Mian A. Threat of adversarial attacks on deep learning in computer vision: A survey. IEEE Access. 2018;6:14410–30.
- 17. Omotunde H, Ibrahim R. A review of threat modelling and its hybrid approaches to software security testing. ARPN J Eng Appl Sci. 2015;10(23):17657–64.
- 18.
von der Assen J, Sharif J, Feng C, Killer C, Bovet G, Stiller B. Asset-centric threat modeling for AI-based systems. In: 2024 IEEE international conference on cyber security and resilience (CSR); 2024. p. 437–44. http://dx.doi.org/10.1109/csr61664.2024.10679445
- 19.
Mauri L, Damiani E. STRIDE-AI: An approach to identifying vulnerabilities of machine learning assets. In: 2021 IEEE international conference on cyber security and resilience (CSR); 2021. p. 147–54. http://dx.doi.org/10.1109/csr51186.2021.9527917
- 20.
Wilhjelm C, Younis AA. A threat analysis methodology for security requirements elicitation in machine learning based systems. In: 2020 IEEE 20th international conference on software quality, reliability and security companion (QRS-C); 2020. p. 426–33.
- 21. Preuveneers D, Joosen W. An ontology-based cybersecurity framework for AI-enabled systems and applications. Future Internet. 2024;16(3):69.
- 22. Sarker IH. Multi-aspects AI -based modeling and adversarial learning for cybersecurity intelligence and robustness: A comprehensive overview. Secur Privacy. 2023;6(5).
- 23.
Grimm S. Knowledge representation and ontologies. Scientific data mining and knowledge discovery. Springer Berlin Heidelberg; 2009. p. 111–37. https://doi.org/10.1007/978-3-642-02788-8_6
- 24. De Rosa F, Maunero N, Prinetto P, Talentino F, Trussoni M. Threma: Ontology-based automated threat modeling for ICT infrastructures. IEEE Access. 2022 Nov 3;10:116514–26.
- 25.
Mozzaquatro BA, Melo R, Agostinho C, Jardim-Goncalves R. An ontology-based security framework for decision-making in industrial systems. In: In 2016 4th international conference on model-driven engineering and software development (MODELSWARD); 2016. p. 779–88.
- 26. Hu Y, Kuang W, Qin Z, Li K, Zhang J, Gao Y, et al. Artificial intelligence security: Threats and countermeasures. ACM Comput Surv. 2021;55(1):1–36.
- 27. Guembe B, Azeta A, Misra S, Osamor VC, Fernandez-Sanz L, Pospelova V. The emerging threat of AI-driven cyber attacks: A review. Appl Artif Intell. 2022;36(1):2037254.
- 28. Hoseini SV, Suutala J, Partala J, Halunen K. IEEE Access. 2024;12:172610–37.
- 29. Das BC, Amini MH, Wu Y. Security and privacy challenges of large language models: A survey. ACM Comput Surv. 2025;57(6):1–39.
- 30. Mauri L, Damiani E. Modeling threats to AI-ML systems using STRIDE. Sensors (Basel). 2022;22(17):6662. pmid:36081121
- 31.
Kougioumtzidou A, Papoutsis A, Kavallieros D, Mavropoulos T, Tsikrika T, Vrochidis S, et al. An end-to-end framework for cybersecurity taxonomy and ontology generation and updating. In: 2024 IEEE international conference on cyber security and resilience (CSR); 2024. p. 247–54. http://dx.doi.org/10.1109/csr61664.2024.10679346
- 32.
Manzoor S, Vateva-Gurova T, Trapero R, Suri N. Threat modeling the cloud: An ontology based approach. In: International workshop on information and operational technology security systems. Cham: Springer International Publishing; 2018 Sep 13. p. 61–72.
- 33.
Kamongi P, Gomathisankaran M, Kavi K. Nemesis: Automated architecture for threat modeling and risk assessment for cloud computing. In: Proc. 6th ASE international conference on privacy, security, risk and trust (PASSAT); 2014 Dec 13.
- 34. Salini P, Shenbagam J. Prediction and classification of web application attacks using vulnerability ontology. IJCA. 2015;116(21):42–7.
- 35. Tok YC, Zheng DY, Chattopadhyay S. A smart city Infrastructure ontology for threats, cybercrime, and digital forensic investigation. For Sci Int: Digital Investig. 2025;52:301883.
- 36. Välja M, Heiding F, Franke U, Lagerström R. Automating threat modeling using an ontology framework. Cybersecurity. 2020;3(1).
- 37.
Luh R, Schrittwieser S, Marschalek S. TAON: An ontology-based approach to mitigating targeted attacks. In: Proceedings of the 18th international conference on information integration and web-based applications and services; 2016. p. 303–12.
- 38. Al Sabbagh B, Kowalski S. A socio-technical framework for threat modeling a software supply chain. IEEE Secur Privacy. 2015;13(4).
- 39.
Maunero N, De Rosa F, Prinetto P. Towards cybersecurity risk assessment automation: An ontological approach. In: 2023 IEEE international conference on dependable, autonomic and secure computing, International conference on pervasive intelligence and computing, International conference on cloud and big data computing, International conference on cyber science and technology congress (DASC/PiCom/CBDCom/CyberSciTech); 2023. p. 0628–35. http://dx.doi.org/10.1109/dasc/picom/cbdcom/cy59711.2023.10361456
- 40. Phillips SC, Taylor S, Boniface M, Modafferi S, Surridge M. Automated knowledge-based cybersecurity risk assessment of cyber-physical systems. IEEE Access. 2024 May 22;12:82482–505.
- 41. Arora P, Bhardwaj S. Methods for threat and risk assessment and mitigation to improve security in the automotive sector. Methods. 2021;8(2).
- 42.
Common Vulnerability Scoring System (CVSS). https://www.first.org/cvss/
- 43. Horrocks I, Patel-Schneider PF, Boley H, Tabet S, Grosof B, Dean M. SWRL: A semantic web rule language combining OWL and RuleML. W3C Member submission. 2004 May 21;21(79):1–31.
- 44.
Stanford University. Protégé Desktop and Web. https://protege.stanford.edu/
- 45.
MITRE. Common Weakness Enumeration (CWE). https://cwe.mitre.org/index.html
- 46.
MITRE. Common Attack Pattern Enumeration and Classification (CAPEC). https://capec.mitre.org/
- 47.
OntoUML Project. OntoUML – Documentation. https://ontouml.readthedocs.io/
- 48.
Deshpande A. Cybersecurity in financial services: Addressing AI-related threats and vulnerabilities. In: 2024 international conference on knowledge engineering and communication systems (ICKECS); 2024. p. 1–6. http://dx.doi.org/10.1109/ickecs61492.2024.10616498
- 49.
Dabit A, Al-Haija QA, Al-Fayoumi M. Identifying weaknesses: A guide to conducting an effective network vulnerability assessment. In: 2023 24th international Arab conference on information technology (ACIT); 2023. p. 1–6. http://dx.doi.org/10.1109/acit58888.2023.10453877
- 50. Kovačević N, Stojiljković A, Kovač M. Application of the matrix approach in risk assessment. Oper Res Eng Sci Theor Appl. 2019;2(3):55–64.
- 51.
Joh H, Malaiya YK. Defining, assessing quantitative security risk measures using vulnerability lifecycle and cvss metrics. In: The 2011 international conference on security and management (SAM); 2011. p. 10–6.
- 52. Calvanese D, Guarino N. Ontologies and description logics. Intelligenza artificiale. 2006;3(1–2):21–7.
- 53. Ullah U, Faiz RB, Haleem M. Modeling and verification of authentication threats mitigation in aspect-oriented mal sequence woven model. PLoS One. 2022;17(7):e0270702. pmid:35793370
- 54. Ullah U, Musharaf U, Haleem M. An authentication-oriented approach to model the crosscutting constraints in sequence diagram using aspect OCL. Secur Commun Netw. 2022;2022(1):3083909.
- 55.
Guarino N, Welty CA. An overview of OntoClean. Handbook on ontologies; 2009. p. 201–20.
- 56.
Gómez-Pérez A. Some ideas and examples to evaluate ontologies. In: Proceedings the 11th conference on artificial intelligence for applications. IEEE; 1995 Feb 20. p. 299–305.
- 57. Guizzardi G, Wagner G, Almeida JPA, Guizzardi RSS. Towards ontological foundations for conceptual modeling: The unified foundational ontology (UFO) story. AO. 2015;10(3–4):259–71.