jupyter-naas
diff --git a/‎src/marketplace/domains/cyber-security-analyst/samples/attack_simulation_analysis.md‎
Lines changed: 220 additions & 0 deletions b/‎src/marketplace/domains/cyber-security-analyst/samples/attack_simulation_analysis.md‎
Lines changed: 220 additions & 0 deletions
@@ -0,0 +1,220 @@
+# Attack Simulation Data Analysis
+
+## Overview
+
+This document analyzes the generated attack simulation data (`attack_simulation_data.ttl`) and demonstrates how it enables answering all competency questions defined in `CyberSecurityQueries.ttl`.
+
+## Attack Scenarios Covered
+
+### 1. Stuxnet (Industrial Control System Attack)
+- **Timeline**: June 2010
+- **Attack Vector**: Supply chain compromise via USB drives
+- **Key Artifacts**: Stuxnet payload, rootkit driver, configuration files, activity logs
+- **Attack Chain**: Initial infection → Persistence → ICS attack
+- **Techniques**: Supply chain compromise, privilege escalation, data exfiltration
+
+### 2. SolarStorm (Supply Chain Attack)
+- **Timeline**: March 2020
+- **Attack Vector**: Compromised SolarWinds Orion software
+- **Key Artifacts**: SolarStorm backdoor, configuration files, stolen credentials
+- **Attack Chain**: Initial compromise → Credential theft
+- **Techniques**: Supply chain compromise, credential access
+
+### 3. HeartBleed (OpenSSL Vulnerability)
+- **Timeline**: April 2014
+- **Attack Vector**: Buffer overflow in OpenSSL heartbeat extension
+- **Key Artifacts**: Exploit code, stolen private keys, certificates
+- **Attack Chain**: Exploitation → Certificate theft
+- **Techniques**: Buffer overflow, data exfiltration
+
+### 4. APT29 (Russian State-Sponsored)
+- **Timeline**: January 2021
+- **Attack Vector**: Spear phishing with macro documents
+- **Key Artifacts**: Phishing emails, macro documents, PowerShell scripts
+- **Attack Chain**: Phishing campaign → Lateral movement
+- **Techniques**: Spear phishing, lateral movement
+
+### 5. Lazarus Group (North Korean State-Sponsored)
+- **Timeline**: March 2022
+- **Attack Vector**: Ransomware deployment
+- **Key Artifacts**: Ransomware binary, encrypted files, ransom notes
+- **Attack Chain**: Ransomware deployment → Ransom demand
+- **Techniques**: Ransomware deployment, impact
+
+## Competency Question Coverage
+
+### CQ1: Digital Events - What digital artifacts participated in a given cyber event?
+
+**Example Results:**
+- `stuxnet_file_creation_event` → `stuxnet_payload`, `stuxnet_driver`
+- `solarstorm_network_communication_event` → `solarstorm_backdoor`, `solarstorm_credentials`
+- `heartbleed_network_communication_event` → `heartbleed_exploit_code`, `stolen_private_key`
+
+**Data Pattern:**
+```sparql
+?event :hasParticipant ?artifact
+```
+
+### CQ2: Which processes resulted in creation of files/payloads?
+
+**Example Results:**
+- `stuxnet_initial_infection` → `stuxnet_driver`
+- `solarstorm_initial_compromise` → `solarstorm_config`
+- `heartbleed_exploitation` → `stolen_private_key`
+
+**Data Pattern:**
+```sparql
+?process :produces ?artifact
+```
+
+### CQ3: Which artifacts or processes generated other artifacts?
+
+**Example Results:**
+- `stuxnet_worm` (agent) → `stuxnet_initial_infection` (process) → `stuxnet_driver` (artifact)
+- `solarstorm_malware` (agent) → `solarstorm_initial_compromise` (process) → `solarstorm_config` (artifact)
+
+**Data Pattern:**
+```sparql
+?producer :agent_in ?process
+?process :produces ?producedArtifact
+```
+
+### CQ4: What is the temporal sequence of events in an attack chain?
+
+**Example Results:**
+- Stuxnet: `stuxnet_initial_infection` → `stuxnet_persistence` → `stuxnet_ics_attack`
+- SolarStorm: `solarstorm_initial_compromise` → `solarstorm_credential_theft`
+- HeartBleed: `heartbleed_exploitation` → `heartbleed_certificate_theft`
+
+**Data Pattern:**
+```sparql
+?event bfo:precedes ?nextEvent
+```
+
+### CQ5: Which processes or events are temporally simultaneous with others?
+
+**Example Results:**
+- `stuxnet_campaign` contains `stuxnet_initial_infection`, `stuxnet_persistence`, `stuxnet_ics_attack`
+- `solarstorm_campaign` contains `solarstorm_initial_compromise`, `solarstorm_credential_theft`
+
+**Data Pattern:**
+```sparql
+?superProcess :contains ?subProcess
+```
+
+### CQ6: Which agents executed or triggered a digital event?
+
+**Example Results:**
+- `stuxnet_operator` → `stuxnet_file_creation_event`
+- `solarstorm_operator` → `solarstorm_file_creation_event`
+- `apt29_operator` → `apt29_email_send_event`
+
+**Data Pattern:**
+```sparql
+?agent bfo:participatesIn ?event
+```
+
+### CQ7: Which artifacts were the targets or outputs of specific attack stages?
+
+**Example Results:**
+- **Outputs**: `stuxnet_driver` (from `stuxnet_initial_infection`), `solarstorm_config` (from `solarstorm_initial_compromise`)
+- **Targets**: `stuxnet_payload` (participates in `stuxnet_initial_infection`), `solarstorm_backdoor` (participates in `solarstorm_initial_compromise`)
+
+**Data Pattern:**
+```sparql
+?artifact :produced-by ?attackStage  # output
+?attackStage :hasParticipant ?artifact  # target
+```
+
+### CQ9: What are the high-level goals that an attacker is trying to achieve?
+
+**Example Results:**
+- `stuxnet_operator` → `stuxnet_ics_attack` → `supply_chain_compromise` → `initial_access`
+- `lazarus_operator` → `lazarus_ransomware_deployment` → `ransomware_deployment` → `impact`
+
+**Data Pattern:**
+```sparql
+?agent :participatesIn ?action
+?action :implements ?technique
+?technique :enables ?tactic
+```
+
+### CQ10: Which network events were correlated with malicious artifacts?
+
+**Example Results:**
+- `stuxnet_network_communication_event` → `stuxnet_payload` (participant)
+- `solarstorm_network_communication_event` → `solarstorm_backdoor` (participant)
+- `heartbleed_network_communication_event` → `heartbleed_exploit_code` (participant)
+
+**Data Pattern:**
+```sparql
+?networkEvent :hasParticipant ?artifact
+?networkEvent :produces ?artifact
+```
+
+### CQ21: Can we correlate digital events with physical-world entities?
+
+**Example Results:**
+- `stuxnet_operator` (physical entity) → `stuxnet_file_creation_event` (digital event)
+- `system_admin` (physical entity) → `stuxnet_network_communication_event` (digital event)
+- `regular_user` (physical entity) → `apt29_email_send_event` (digital event)
+
+**Data Pattern:**
+```sparql
+?entity bfo:participatesIn ?digitalEvent
+```
+
+## Key Data Relationships
+
+### 1. Agent Participation
+- Human operators participate in attack actions
+- Malicious software agents participate in automated processes
+- System administrators participate in defensive events
+
+### 2. Artifact Generation
+- Attack actions produce malicious artifacts
+- Processes generate configuration files, logs, and data
+- Network events produce packet captures
+
+### 3. Temporal Sequences
+- Attack chains follow logical progression
+- Events are temporally ordered with timestamps
+- Processes contain sub-processes
+
+### 4. Network Correlations
+- Network events correlate with malicious artifacts
+- Packet captures document network activities
+- Communication events involve specific payloads
+
+### 5. Physical-Digital Correlations
+- Human operators correlate with digital events
+- System administrators participate in defensive activities
+- Regular users are targets of attacks
+
+## Validation Results
+
+The generated data successfully enables answering all competency questions by providing:
+
+1. **Comprehensive Agent Coverage**: Human operators, malicious software, system administrators, and regular users
+2. **Rich Artifact Ecosystem**: Payloads, configurations, logs, memory dumps, network captures
+3. **Realistic Attack Chains**: Multi-stage attacks with temporal progression
+4. **Network Event Correlations**: Network activities linked to malicious artifacts
+5. **Physical-Digital Mappings**: Human operators and system entities participating in digital events
+
+## Usage Instructions
+
+1. Load the TTL file into a SPARQL endpoint (e.g., Apache Jena Fuseki, GraphDB)
+2. Execute the competency queries from `CyberSecurityQueries.ttl`
+3. Analyze results to understand attack patterns and relationships
+4. Use for training, testing, and validation of cybersecurity analysis tools
+
+## Extensibility
+
+The data model supports adding:
+- Additional attack scenarios
+- More detailed artifact relationships
+- Extended temporal sequences
+- Cross-domain correlations
+- Defensive countermeasures
+
+This simulation data provides a comprehensive foundation for cybersecurity analysis, training, and research.