chg: [release] add the NIDS decaying model, clarify license and add some documentation.
parent
3dc7aa9efa
commit
f38d1604f1
|
@ -0,0 +1,32 @@
|
|||
The MISP decaying models (JSON files) are dual-licensed under:
|
||||
|
||||
- [CC0 1.0 Universal](https://creativecommons.org/publicdomain/zero/1.0/legalcode) (CC0 1.0) - Public Domain Dedication.
|
||||
|
||||
or
|
||||
|
||||
~~~~
|
||||
Copyright (c) 2019 CIRCL - Computer Incident Response Center Luxembourg
|
||||
Copyright (c) 2019 Sami Mokaddem
|
||||
Copyright (c) 2019 Alexandre Dulaunoy - a@foo.be
|
||||
Copyright (c) 2019 Various contributors to MISP Project
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification,
|
||||
are permitted provided that the following conditions are met:
|
||||
|
||||
1. Redistributions of source code must retain the above copyright notice,
|
||||
this list of conditions and the following disclaimer.
|
||||
2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
this list of conditions and the following disclaimer in the documentation
|
||||
and/or other materials provided with the distribution.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
|
||||
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
||||
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
|
||||
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
~~~~~
|
18
README.md
18
README.md
|
@ -1,3 +1,17 @@
|
|||
# misp-decaying-models
|
||||
# MISP Decaying Models
|
||||
|
||||
Test model for DEV and experimentation.
|
||||
Starting from MISP 2.4.114, a decaying feature is available to apply decaying on attributes in your MISP instance. MISP comes with a set of default decaying models which
|
||||
can be customised by the users. This repository contains all the default models.
|
||||
|
||||
## Models
|
||||
|
||||
- [nids-simple-model](./models/nids-simple-model.json) - Simple decaying model for Network Intrusion Detection System (NIDS).
|
||||
- [phishing-model](./models/phishing-model.json) - Simple model to rapidly decay phishing website.
|
||||
|
||||
## How to contribute your decaying model?
|
||||
|
||||
It's very easy. Fork the repository, create a new JSON file with your model and make a pull-request.
|
||||
|
||||
## License
|
||||
|
||||
The MISP decaying models are [dual-licensed](./LICENSE.md) under CC-0 and a simple 2-clause BSD license.
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
#!/bin/bash
|
||||
|
||||
#Validate all Jsons first
|
||||
for dir in `find . -name "*.json"`
|
||||
do
|
||||
echo validating ${dir}
|
||||
# python3 -c "import json; f_in = open('${dir}'); data = json.load(f_in); f_in.close(); f_out = open('${dir}', 'w'); json.dump(data, f_out, indent=2, sort_keys=True, ensure_ascii=False); f_out.close();"
|
||||
cat ${dir} | jq . >/dev/null
|
||||
rc=$?
|
||||
if [[ $rc != 0 ]]; then exit $rc; fi
|
||||
done
|
||||
|
||||
set -e
|
||||
set -x
|
||||
|
||||
# Seeds sponge, from moreutils
|
||||
|
||||
for dir in ./models/*.json
|
||||
do
|
||||
cat ${dir} | jq . | sponge ${dir}
|
||||
done
|
||||
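Review bot: Both loops expand `${dir}` unquoted, and the validation loop iterates over the word-split output of `find . -name "*.json"`, so a file whose name contains whitespace or glob characters is not checked (or rewritten) under its real path. For a gate on contributed models, that case should fail closed rather than pass unnoticed. `set -e` is only enabled after the validation loop and there is no `pipefail`, so in `cat ${dir} | jq . | sponge ${dir}` a `jq` failure is hidden behind the exit status of `sponge`. I would move strict mode to the top, read NUL-delimited paths from `find -print0`, quote every expansion and drop the `cat`, as below; the comment "Seeds sponge" presumably means "Needs sponge".

```shell
#!/bin/bash
set -euo pipefail

# Validate every JSON file first; NUL-delimited so unusual file names stay intact
while IFS= read -r -d '' model; do
  echo "validating ${model}"
  jq . "${model}" >/dev/null
done < <(find . -name '*.json' -print0)

set -x

# Needs sponge, from moreutils
for model in ./models/*.json; do
  jq . "${model}" | sponge "${model}"
done
```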
|
|
@ -0,0 +1,42 @@
|
|||
{
|
||||
"uuid": "073fae4a-2377-4cfa-bd34-2516830d33c3",
|
||||
"name": "NIDS Simple Decaying Model",
|
||||
"formula": "Polynomial",
|
||||
"ref": [
|
||||
"https://arxiv.org/abs/1902.03914",
|
||||
"https://arxiv.org/abs/1803.11052"
|
||||
],
|
||||
"authors": [
|
||||
"MISP Project"
|
||||
],
|
||||
"parameters": {
|
||||
"lifetime": 120,
|
||||
"decay_speed": 2,
|
||||
"threshold": 30,
|
||||
"default_base_score": 80,
|
||||
"base_score_config": {
|
||||
"estimative-language": 0.25,
|
||||
"priority-level": 0.25,
|
||||
"retention": 0.25,
|
||||
"targeted-threat-index": 0.125,
|
||||
"false-positive": 0.125
|
||||
}
|
||||
},
|
||||
"description": "Simple decaying model for Network Intrusion Detection System (NIDS). ",
|
||||
"attribute_types": [
|
||||
"domain",
|
||||
"domain|ip",
|
||||
"hostname",
|
||||
"hostname|port",
|
||||
"ip-dst",
|
||||
"ip-dst|port",
|
||||
"ip-src",
|
||||
"ip-src|port",
|
||||
"url",
|
||||
"snort",
|
||||
"suricata",
|
||||
"zeek",
|
||||
"bro"
|
||||
],
|
||||
"version": 1
|
||||
}
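Review bot: Nothing visible in this commit checks this model beyond JSON syntax, since the accompanying script only pipes each file through `jq .`; the entries under `attribute_types` and the weights in `base_score_config` are therefore accepted unverified. A type name that the MISP instance does not define would presumably never match, leaving those indicators without decay and with no error to show for it, so each listed type (for example `suricata`) is worth confirming against the instance's attribute type list. The `description` value also ends in a stray space and should read `"Simple decaying model for Network Intrusion Detection System (NIDS)."`.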
|
|
@ -1,32 +1,35 @@
|
|||
{
|
||||
"uuid":"dbbd7ba7-6559-48fc-ab58-cc499d1b1143",
|
||||
"name":"Phishing model",
|
||||
"formula": "Polynomial",
|
||||
"ref":[
|
||||
"https://arxiv.org/abs/1902.03914",
|
||||
"https://arxiv.org/abs/1803.11052"
|
||||
],
|
||||
"parameters": {
|
||||
"lifetime": 3,
|
||||
"decay_speed": 2.3,
|
||||
"threshold":30,
|
||||
"default_base_score": 80,
|
||||
"base_score_config":{
|
||||
"estimative-language": 0.5,
|
||||
"phishing": 0.5
|
||||
}
|
||||
},
|
||||
"description":"Simple model to rapidly decay phishing website.",
|
||||
"attribute_types": [
|
||||
"domain",
|
||||
"domain|ip",
|
||||
"hostname",
|
||||
"hostname|port",
|
||||
"ip-dst",
|
||||
"ip-dst|port",
|
||||
"ip-src",
|
||||
"ip-src|port",
|
||||
"url"
|
||||
],
|
||||
"version":1
|
||||
}
|
||||
"uuid": "dbbd7ba7-6559-48fc-ab58-cc499d1b1143",
|
||||
"name": "Phishing model",
|
||||
"formula": "Polynomial",
|
||||
"authors": [
|
||||
"MISP Project"
|
||||
],
|
||||
"ref": [
|
||||
"https://arxiv.org/abs/1902.03914",
|
||||
"https://arxiv.org/abs/1803.11052"
|
||||
],
|
||||
"parameters": {
|
||||
"lifetime": 3,
|
||||
"decay_speed": 2.3,
|
||||
"threshold": 30,
|
||||
"default_base_score": 80,
|
||||
"base_score_config": {
|
||||
"estimative-language": 0.5,
|
||||
"phishing": 0.5
|
||||
}
|
||||
},
|
||||
"description": "Simple model to rapidly decay phishing website.",
|
||||
"attribute_types": [
|
||||
"domain",
|
||||
"domain|ip",
|
||||
"hostname",
|
||||
"hostname|port",
|
||||
"ip-dst",
|
||||
"ip-dst|port",
|
||||
"ip-src",
|
||||
"ip-src|port",
|
||||
"url"
|
||||
],
|
||||
"version": 1
|
||||
}
|
||||
|
|