The Influence Operation Ontology (IOO)
Alejandro David Cayuela Tudela, Javier Pastor-Galindo, Pantaleone Nespoli, José A. Ruipérez-Valiente
TL;DR
The paper addresses the challenge of characterizing influence operations (IOs) in the information environment by proposing the Influence Operation Ontology (IOO), a CTI-aligned framework that unifies threat, channel, and social dimensions. Grounded in STIX v2.1, the DISARM framework, ABCDE, and Filigran extensions, IOO defines concrete classes for Threat Actors, Incidents, Attack Patterns, and Campaigns, as well as Channel and Social-domain constructs such as User Accounts, Messages, Cyber Personas, Narratives, and Locations. It emphasizes interoperability for CTI sharing and supports knowledge-graph workflows by enabling standardized representation across domains, with an explicit attribute set for each class. The work is iterative: the authors plan to formalize the ontology in RDF, validate it via OOPS!, and develop automated knowledge extraction to build a knowledge graph, with the aim of enhancing analysis, sharing, and defense against IOs.
Abstract
Ontologies provide a systematic framework for organizing and leveraging knowledge, enabling smarter and more effective decision-making. To advance the capitalization and augmentation of intelligence related to today's cyberoperations, the proposed Influence Operation Ontology (IOO) establishes the main entities and relationships to model the offensive tactics and techniques used by threat actors against the public audience through the information environment. It aims to stimulate research and development in the field, leading to innovative applications against influence operations, particularly in the fields of intelligence, security, and defense.
