% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin { frame} [t,plain]
\titlepage
\end { frame}
\begin { frame}
\frametitle { Outline of the presentation}
\begin { itemize}
\item Present the components used in MISP to expire IOCs
\item Present the current state of Indicators life-cycle management in MISP
\item Present the planned improvements (\textit{Decaying Models 2.0})
\end { itemize}
\end { frame}
\section { Expiring IOCs: Why and How?}
\begin { frame} [fragile]
\frametitle { Indicators - Problem Statement}
\begin { itemize}
\item { \bf Sharing information} about threats { \bf is crucial}
\item Organisations are sharing more and more
\end { itemize}
\vspace { 1em}
Contribution by { \bf unique organisation} (\texttt { Orgc.name} ) on MISPPriv:\\
\vspace { 1em}
\begin { minipage} { 0.45\textwidth }
\begin { tabular} { ll}
\hline
Date & Unique Org \\
\hline
2013 & 17 \\
2014 & 43 \\
2015 & 82 \\
2016 & 105 \\
2017 & 118 \\
2018 & 125 \\
2019-10 & 135 \\
\hline
\end { tabular}
\vspace { 0.5em}
\end { minipage}
\begin { minipage} { 0.5\textwidth }
\begin { lstlisting}
{
"distribution": [1, 2, 3]
} \end { lstlisting}
\end { minipage}
\end { frame}
\begin { frame}
\frametitle { Indicators - Problem Statement}
\begin { itemize}
\item Various users and organisations can share data via MISP, multiple parties can be involved
\begin { itemize}
\item \textbf { Trust} , \textbf { data quality} and \textbf { time-to-live} issues
\item Each user/organisation has \textbf { different use-cases} and interests
\begin { itemize}
\item Conflicting interests such as operational security, attribution,... (depends on the user)
\end { itemize}
\end { itemize}
\item [] $ \rightarrow $ Can be partially solved with \textit { Taxonomies}
\pause
\vspace { 0.5cm}
\item Attributes can be shared in large quantities (more than 7.3 million on \texttt { MISPPRIV} )
\begin { itemize}
\item Partial info about their \textbf { freshness} (\textit { Sightings} )
\item Partial info about their \textbf { validity} (last update)
\end { itemize}
\item [] $ \rightarrow $ Can be partially solved with our \textit { Decaying model}
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Requirements to enjoy the decaying feature in MISP}
\begin { itemize}
\item Starting from \textbf { MISP 2.4.116} , the decaying feature is available
\item Don't forget to \textbf { update the decay models} and \textbf { enable} the ones you want
\item The decaying feature has no impact on the information stored in MISP: it is only an \textbf{overlay} computed for the user interface and the API. Decayed \textit{Attributes} are therefore still present in any export that does not filter on the score (e.g.\ with \texttt{excludeDecayed} or \texttt{score} in a \texttt{restSearch} query)
\item Decay strongly relies on \textit{Taxonomies} and \textit{Sightings}, so review their configuration: a score is only as trustworthy as the \textit{Tags} and \textit{Sightings} it is derived from, and a \textit{Sighting} reported by any user, script or IDS (possibly from another organisation) refreshes the score of the indicator
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { \textit { Sightings} - Refresher}
\textit { Sightings} add \textbf { temporal context} to indicators.
A user, a script or an IDS can extend the information related to an indicator by reporting back to MISP that
the indicator has been \texttt{seen}, or that it can be considered a \texttt{false-positive}
\vspace { 0.5cm}
\begin { itemize}
\item \textit { Sightings} give more credibility/visibility to indicators
\item This information can be used to { \bf prioritise and decay indicators}
\end { itemize}
\begin { center}
\includegraphics [scale=1.00] { pics/sightings.png}
\end { center}
\end { frame}
\begin { frame}
\frametitle { Taxonomies - Refresher (1)}
\includegraphics [width=1.00\linewidth] { pics/taxonomies.png}
\begin { itemize}
\item \textit { Taxonomies} are a simple way to attach a classification to an \textit { Event} or an \textit { Attribute}
\item A classification is only effective if it is used globally (or agreed on beforehand between the sharing parties)
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Taxonomies - Refresher (2)}
\includegraphics [width=1.00\linewidth] { pics/taxonomy-admiralty-scale.png}
\begin { center}
$ \rightarrow $ Cherry-pick allowed \textit { Tags}
\end { center}
\end { frame}
\begin { frame}
\frametitle { Taxonomies - Refresher (3)}
\begin { itemize}
\item Some taxonomies have a \texttt{numerical\_value} per entry
\begin { itemize}
\item [$\rightarrow$] Can be used to prioritise \textit { Attributes}
\end { itemize}
\end { itemize}
\vspace { 0.5cm}
\begin { footnotesize}
\begin { columns} [T] % align columns
\begin { column} { .40\textwidth }
\begin { tabular} { |ll|}
\hline
\textbf { Description} & \textbf { Value} \\
\hline
Completely reliable & 100\\
Usually reliable & 75\\
Fairly reliable & 50\\
Not usually reliable & 25\\
Unreliable & 0\\
Reliability cannot be judged & 50 \textbf { \color { red} ?} \\
Deliberately deceptive & 0 \textbf { \color { red} ?} \\
\hline
\end { tabular}
\end { column} %
\hfill %
\begin { column} { .48\textwidth }
\begin { tabular} { |ll|}
\hline
\textbf { Description} & \textbf { Value} \\
\hline
Confirmed by other sources & 100\\
Probably true & 75\\
Possibly true & 50\\
Doubtful & 25\\
Improbable & 0\\
Truth cannot be judged & 50 \textbf { \color { red} ?} \\
\hline
\end { tabular}
\end { column} %
\end { columns}
\end { footnotesize}
\vspace { 0.5cm}
$ \rightarrow $ In the next version, users will be able to override these \texttt{numerical\_value} settings
\end { frame}
\begin { frame}
\frametitle { Scoring Indicators: Our solution}
\[ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\; \bullet \;\; \texttt{decay}(\texttt{\tiny Model, time}) \]
Where,\vspace { 0.5cm}
\begin { itemize}
\item \texttt{score} $ \in [0, +\infty) $
\item \texttt { base\_ score} $ \in [ 0 , 100 ] $
\item \texttt { decay} is a function defined by model's parameters controlling decay speed
\item \texttt { Attribute} Contains \textit { Attribute} 's values and metadata { \scriptsize (\textit { Taxonomies} , \textit { Galaxies} , ...)}
\item \texttt { Model} Contains the \textit { Model} 's configuration
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Scoring Indicators: Our solution}
\[ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\; \bullet \;\; \texttt{decay}(\texttt{\tiny Model, time}) \]
\begin { itemize}
\item \texttt { base\_ score} (\texttt { \tiny Attribute, Model} )
\begin { itemize}
\item Initial score of the \textit { Attribute} only considering the context (i.e. \textit { Tags} )
\end { itemize}
\vspace { 1cm}
\item \texttt { decay} (\texttt { \tiny Model, time} )
\begin { itemize}
\item Function composed of the \textbf { lifetime} and \textbf { Decay speed} decreasing the \texttt { base\_ score} over time
\end { itemize}
\end { itemize}
\end { frame}
\section { Current implementation in MISP}
\begin { frame}
\frametitle { Implementation in MISP: \texttt { Event/view} }
\includegraphics [width=1.00\linewidth] { pics/decaying-event.png}
\begin { itemize}
\item \texttt { Decay score} toggle button
\begin { itemize}
\item Shows Score for each \textit { Models} associated to the \textit { Attribute} type
\end { itemize}
\end { itemize}
\end { frame}
\begin { frame} [fragile]
\frametitle { Implementation in MISP: API result}
\texttt { /attributes/restSearch}
\begin { lstlisting}
"Attribute": [
{
"category": "Network activity",
"type": "ip-src",
"to_ids": true,
"timestamp": "1565703507",
[...]
"value": "8.8.8.8",
"decay_score": [
{
"score": 54.475223849544456,
"decayed": false,
"DecayingModel": {
"id": "85",
"name": "NIDS Simple Decaying Model"
}
}
],
[...]
\end { lstlisting}
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: Objectives}
\begin { itemize}
\item \textbf { Automatic scoring} based on default values
\item \textbf { User-friendly UI} to manually set \textit { Model} configuration (lifetime, decay, etc.)
\item \textbf { Simulation} tool
\item Interaction through the \textbf { API}
\item Opportunity to create your \textbf { own} formula or algorithm
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: Models definition}
\hspace { 190pt}
\raisebox { -1.0ex} { \Large $ \Rsh $ } { \tiny $ score = base \_ score \cdot \left ( 1 - \left ( \frac { t } { \tau } \right ) ^ { \frac { 1 } { \delta } } \right ) $ }
\textit{Models} are an instantiation of the formula in which the following elements can be defined:
\begin { itemize}
\item Parameters: \texttt{lifetime, decay\_rate, threshold}
\item \texttt { base\_ score}
\item \texttt { default base\_ score}
\item formula
\item associate \textit { Attribute} types
\item creator organisation
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: Models Types}
Multiple model types are available
\begin { itemize}
\item \textbf { Default Models} : Models created and shared by the community. Available from \texttt { misp-decaying-models} repository\footnote { \url { https://github.com/MISP/misp-decaying-models.git} } .
\begin { itemize}
\item $ \rightarrow $ Not editable
\end { itemize}
\item \textbf { Organisation Models} : Models created by a user belonging to an organisation
\begin { itemize}
\item These models can be kept private or shared with other organisations
\item $ \rightarrow $ Editable
\end { itemize}
\end { itemize}
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: Index}
\includegraphics [width=1.00\linewidth] { pics/decaying-index.png}
View, update, add, create, delete, enable, export, import
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: Fine tuning tool}
\includegraphics [width=1.00\linewidth] { pics/decaying-tool.png}
Create, modify, visualise, perform mapping
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: \texttt { base\_ score} tool}
\includegraphics [width=1.00\linewidth] { pics/decaying-basescore.png}
Adjust Taxonomies relative weights
\end { frame}
\begin { frame}
\frametitle { Implementation in MISP: simulation tool}
\includegraphics [width=1.00\linewidth] { pics/decaying-simulation.png}
Simulate \textit { Attributes} with different \textit { Models}
\end { frame}
\begin { frame} [fragile]
\frametitle { Implementation in MISP: API query body}
\texttt { /attributes/restSearch}
\begin { lstlisting}
{
"includeDecayScore": 1,
"includeFullModel": 0,
"excludeDecayed": 0,
"decayingModel": [85],
"modelOverrides": {
"threshold": 30
},
"score": 30
}
\end { lstlisting}
\end { frame}
\lstset { language=PHP}
\begin { frame} [fragile]
\frametitle { Creating a new decay algorithm}
\lstset { basicstyle=\scriptsize }
\begin { lstlisting}
<?php
include_ once 'Base.php';
/**
 * Skeleton for a custom decaying algorithm.
 *
 * The algorithm is a subclass of DecayingModelBase (defined in Base.php,
 * included above) and exposes the two hooks below, which MISP calls for
 * every Attribute that a Model using this algorithm is applied to.
 */
class Polynomial extends DecayingModelBase
{
    // Human-readable description of the algorithm.
    public const DESCRIPTION = 'The description of your new decaying algorithm';

    /**
     * Return the current numerical score of $attribute under $model.
     *
     * @param mixed $model        the Model configuration (lifetime, decay rate, threshold, ...)
     * @param mixed $attribute    the Attribute being scored, with its values and metadata
     * @param mixed $base_score   the initial score derived from the Attribute's context (Tags)
     * @param mixed $elapsed_time elapsed time fed to the decay function; its origin and unit
     *                            are not shown here -- confirm against Base.php
     * @return float|int          the decayed score
     *
     * NOTE(review): Model parameters can be overridden per request through the
     * restSearch `modelOverrides` body, so guard against degenerate values
     * (e.g. a zero lifetime in a t/tau term) rather than trusting them blindly.
     */
    public function computeScore($ model, $ attribute, $ base _ score, $ elapsed_ time)
    {
        // algorithm returning a numerical score
    }

    /**
     * Decide whether $attribute is considered expired for $model.
     *
     * @param mixed $model     the Model configuration
     * @param mixed $attribute the Attribute being evaluated
     * @param mixed $score     presumably the value returned by computeScore() -- confirm against Base.php
     * @return bool            true if the Attribute is expired (decayed), false otherwise
     */
    public function isDecayed($ model, $ attribute, $ score )
    {
        // algorithm returning a boolean stating
        // if the attribute is expired or not
    }
}
?>
\end { lstlisting}
\end { frame}
\begin { frame}
\frametitle { Decaying Models 2.0}
\begin { itemize}
\item Improved support of \textit { Sightings}
\begin { itemize}
\item \texttt { False positive} \textit { Sightings} should somehow reduce the score
\item \texttt { Expiration} \textit { Sightings} should mark the attribute as decayed
\end { itemize}
\item Potential \textit { Model} improvements
\begin { itemize}
\item Instead of resetting the score to \texttt { base\_ score} once a \textit { Sighting} is set, the score should be increased additively (based on a defined coefficient); thus \textbf { prioritizing surges} rather than infrequent \textit { Sightings}
\item Take into account related \textit { Tags} or \textit { Correlations} when computing score
\end { itemize}
\item Increase \textit { Taxonomy} coverage
\begin { itemize}
\item Users should be able to manually override the \texttt { numerical\_ value} of \textit { Tags}
\end { itemize}
\end { itemize}
\end { frame}