OntoSecU: An ontology‑based framework for proactive vulnerability management in Ecuadorian universities through semantic integration of Nmap, Nessus, and Shodan

Authors

DOI:

https://doi.org/10.64747/hcg93557

Keywords:

higher‑education cybersecurity, vulnerability management, semantic web, ontologies, risk prioritization

Abstract

The objective of the article is to present OntoSecU: An ontological framework that semantically integrates findings from Nmap, Nessus, and Shodan with standardized catalogs (CVE, CWE, CPE, NVD) and the CISA KEV list, to prioritize the remediation of vulnerabilities in an explainable manner within an Ecuadorian higher education institution. This article directly derives from the master's thesis of Eng. Bolívar Ramos and presents as novel contributions: (a) an updated synthesis of the state of the art on ontologies in cybersecurity; (b) clear formalization of prioritization rules with operational examples; (c) an expanded comparative discussion with recent literature; and (d) specific projections for the Ecuadorian university context. Methods: an applied design combined ontology engineering (OWL, SHACL, SPARQL), data-normalization pipelines, and rule-based prioritization. The empirical assessment corresponds exclusively to a validation of acceptability and explainability via a Likert-type questionnaire applied to an institutional expert panel (n=5), without operational impact metrics. Results: all ten items achieved specific acceptance percentages at the highest agreement level (Likert=5): Item 1 (80%), Item 2 (100%), Item 3 (80%), Item 4 (100%), Item 5 (80%), Item 6 (100%), Item 7 (80%), Item 8 (100%), Item 9 (80%), Item 10 (100%). The median was Me=5 for all items, indicating expert acceptance in constructs such as usefulness, explainability, centralized visibility, semantic integration, rule-engine suitability, and dashboard usability. This level of evidence corresponds to prototype acceptance/explainability validation, not to operational impact assessment. Conclusions: OntoSecU shows conceptual feasibility and perceived utility for the Ecuadorian university context, offering shared semantics, validations, and reproducible queries that enable traceability and auditability. A longitudinal phase with real telemetry is proposed to quantify operational impact and consolidate data-and-rules governance.

References

CISA (Cybersecurity and Infrastructure Security Agency). (2025). Known Exploited Vulnerabilities (KEV) Catalog. https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Fenza, G., Gallo, M., Loia, V., & Orciuoli, F. (2020). A knowledge-based framework for cybersecurity investment. Knowledge-Based Systems, 207, 106395. https://doi.org/10.1016/j.knosys.2020.106395

ISO (International Organization for Standardization). (2022). ISO/IEC 27001:2022 Information security management systems --- Requirements.

Lyon, G. (2009). Nmap Network Scanning. Insecure.Org.

Mell, P., Scarfone, K., & Romanosky, S. (2020). Common vulnerability scoring system (CVSS). NIST Interagency Report 7435.

MITRE. (2023). Common Vulnerabilities and Exposures (CVE). https://cve.mitre.org

Navarro, E., Alcaraz, C., & López, J. (2021). A comprehensive review of ontologies for the cybersecurity domain. Computer Standards & Interfaces, 77, 103521. https://doi.org/10.1016/j.csi.2021.103521

NIST (National Institute of Standards and Technology). (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). https://doi.org/10.6028/NIST.CSWP.29

Ramos Mosquera, B. (2025). OntoSecU: Marco ontológico para la gestión proactiva de vulnerabilidades en universidades ecuatorianas mediante integración semántica de Nmap, Nessus y Shodan (Tesis de maestría). Universidad Internacional de La Rioja, Ecuador.

Shodan. (2024). Shodan API Documentation. Shodan LLC.

Simões, P., Ferreira, J., & Bernardino, J. (2023). Cybersecurity ontologies: A survey and research directions. Future Internet, 15(7), 236. https://doi.org/10.3390/fi15070236

Tenable. (2024). Nessus Professional: User Guide. Tenable, Inc.

W3C. (2012). OWL 2 Web Ontology Language: Document Overview (W3C Recommendation). https://www.w3.org/TR/owl2-overview/

W3C. (2017). Shapes Constraint Language (SHACL) (W3C Recommendation). https://www.w3.org/TR/shacl/

Downloads

Published

2026-02-19

Issue

Vol. 4 No. 1 (2026): Periodical publication. Multidisciplinary research articles

Section

Article

License

Copyright (c) 2026 Myriam Cecilia García-Enríquez, Bolívar Ramos-Mosquera, Irwin Alfredo Fernández-Avilés (Autor/a)

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

How to Cite

García Enríquez, M. C., Ramos Mosquera, B., & Fernández Avilés, I. A. (2026). OntoSecU: An ontology‑based framework for proactive vulnerability management in Ecuadorian universities through semantic integration of Nmap, Nessus, and Shodan. Horizonte Cientifico International Journal, 4(1), 1-19. https://doi.org/10.64747/hcg93557