% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}[t,plain]
\titlepage
\end{frame}
\section{Expiring IOCs: Why and How?}
\begin{frame}
\frametitle{Indicators - Problem Statement}
\begin{itemize}
\item Various users and organisations share data via MISP; multiple parties can be involved
\begin{itemize}
\item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues
\item Each user/organisation has \textbf{different use-cases} and interests
\begin{itemize}
\item Conflicting interests such as operational security, attribution, ... (depends on the user)
\end{itemize}
\end{itemize}
\item[] $\rightarrow$ Can be partially solved with \textit{Taxonomies}
\pause
\vspace{0.5cm}
\item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV})
\begin{itemize}
\item Partial info about their \textbf{freshness} (\textit{Sightings})
\item Partial info about their \textbf{validity} (last update)
\end{itemize}
\item[] $\rightarrow$ Can be partially solved with our \textit{Decaying model}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Decaying Features in MISP}
\begin{itemize}
\item Starting from MISP 2.4.116, the decaying feature is available
\item Don't forget to update the decaying models and enable the ones you want
\item The decaying feature has no impact on the information stored in MISP: it is only an overlay used in the user interface and the API
\item Decay strongly relies on \textit{Taxonomies} and \textit{Sightings}; don't forget to review their configuration
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{\textit{Sightings} - Refresher}
\textit{Sightings} add temporal context to indicators.
A user, a script or an IDS can extend the information related to an indicator by reporting back to MISP that
the indicator has been \texttt{seen}, or that it can be considered a \texttt{false-positive}.
\vspace{0.5cm}
\begin{itemize}
\item \textit{Sightings} give more credibility/visibility to indicators
\item This information can be used to {\bf prioritise and decay indicators}
\end{itemize}
\begin{center}
\includegraphics[scale=1.00]{pics/sightings.png}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Organisations opt-in - setting a level of confidence}
MISP is a peer-to-peer system: information passes through multiple instances.
\begin{itemize}
\item \textbf{Producers can add context} (such as tags from \textit{Taxonomies} or \textit{Galaxies}) about their asserted confidence or the reliability of the data
\item Consumers can have \textbf{different levels of trust} in the producers and/or the analysts themselves
\item Users might have other contextual needs
\end{itemize}
\begin{center}
$\rightarrow$ Achieved thanks to \textit{Taxonomies}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Taxonomies - Refresher (1)}
\includegraphics[width=1.00\linewidth]{pics/taxonomies.png}
\begin{itemize}
\item Tagging is a simple way to attach a classification to an \textit{Event} or an \textit{Attribute}
\item A classification is only effective if it is used consistently by everyone
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Taxonomies - Refresher (2)}
\includegraphics[width=1.00\linewidth]{pics/taxonomy-admiralty-scale.png}
\begin{center}
$\rightarrow$ Cherry-pick allowed \textit{Tags}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Taxonomies - Refresher (3)}
\begin{itemize}
\item Some taxonomies have a \texttt{numerical\_value}
\begin{itemize}
\item[$\rightarrow$] Can be used to prioritise \textit{Attributes}
\end{itemize}
\end{itemize}
\vspace{1cm}
\begin{footnotesize}
\begin{columns}[T] % align columns
\begin{column}{.40\textwidth}
\textbf{Source reliability}\\
\begin{tabular}{|ll|}
\hline
\textbf{Description} & \textbf{Value} \\
\hline
Completely reliable & 100\\
Usually reliable & 75\\
Fairly reliable & 50\\
Not usually reliable & 25\\
Unreliable & 0\\
Reliability cannot be judged & 50 \textbf{\color{red}?} \\
Deliberately deceptive & 0 \textbf{\color{red}?} \\
\hline
\end{tabular}
\end{column}%
\hfill%
\begin{column}{.48\textwidth}
\textbf{Information credibility}\\
\begin{tabular}{|ll|}
\hline
\textbf{Description} & \textbf{Value} \\
\hline
Confirmed by other sources & 100\\
Probably true & 75\\
Possibly true & 50\\
Doubtful & 25\\
Improbable & 0\\
Truth cannot be judged & 50 \textbf{\color{red}?} \\
\hline
\end{tabular}
\end{column}%
\end{columns}
\end{footnotesize}
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: Our solution}
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\; \bullet \;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
Where,\vspace{0.5cm}
\begin{itemize}
\item \texttt{score} $\in [0, +\infty)$
\item \texttt{base\_score} $\in [0, 100]$
\item \texttt{decay} is a function defined by the model's parameters, controlling the decay speed
\item \texttt{Attribute} contains the \textit{Attribute}'s values and metadata {\scriptsize (\textit{Taxonomies}, \textit{Galaxies}, ...)}
\item \texttt{Model} contains the \textit{Model}'s configuration
\end{itemize}
\end{frame}
\section{Current implementation in MISP}
\begin{frame}
\frametitle{Implementation in MISP: \texttt{Event/view}}
\includegraphics[width=1.00\linewidth]{pics/decaying-event.png}
\begin{itemize}
\item \texttt{Decay score} toggle button
\begin{itemize}
\item Shows the score for each \textit{Model} associated with the \textit{Attribute} type
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Implementation in MISP: API result}
\texttt{/attributes/restSearch}
\begin{lstlisting}
"Attribute": [
  {
    "category": "Network activity",
    "type": "ip-src",
    "to_ids": true,
    "timestamp": "1565703507",
    [...]
    "value": "8.8.8.8",
    "decay_score": [
      {
        "score": 54.475223849544456,
        "decayed": false,
        "DecayingModel": {
          "id": "85",
          "name": "NIDS Simple Decaying Model"
        }
      }
    ],
    [...]
\end{lstlisting}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Playing with Models}
\begin{itemize}
\item \textbf{Automatic scoring} based on default values
\item \textbf{User-friendly UI} to manually set the \textit{Model} configuration (lifetime, decay, etc.)
\item \textbf{Simulation} tool
\item Interaction through the \textbf{API}
\item Opportunity to create your \textbf{own} formula or algorithm
\end{itemize}
\end{frame}
\section{Decaying Models in Depth}
\begin{frame}
\frametitle{Scoring Indicators: \texttt{base\_score} (1)}
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\; \bullet \;\; {\color{gray}\texttt{decay}(\texttt{\tiny Model, time})} $$
When scoring indicators\footnote{Paper available: \url{https://arxiv.org/pdf/1803.11052}}, multiple parameters\footnote{to a variable extent, as required} can be taken into account. The {\bf base score} is calculated with the following in mind:
\begin{itemize}
\item {\color{purple}Data reliability, credibility, analyst skills, custom prioritisation tags (economical-impact), etc.}
\item {\color{orange}Trust in the source}
\end{itemize}
\vspace{0.3cm}
$$ \texttt{base\_score} = \omega_{tg} \cdot {\color{purple}tags} + \omega_{sc} \cdot {\color{orange}source\_confidence} $$
Where,
\begin{itemize}
\item[] $\omega_{sc} + \omega_{tg} = 1$
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: \texttt{base\_score} (2)}
The current implementation ignores \texttt{source\_confidence}:
$$ \rightarrow \texttt{base\_score} = tags $$
\includegraphics[width=1.0\linewidth]{pics/bs-computation-steps.png}
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: decay speed (1)}
$$ \texttt{score}(\texttt{\tiny Attribute}) = {\color{gray}\texttt{base\_score}(\texttt{\tiny Attribute, Model})} \;\; \bullet \;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
The \texttt{decay} is calculated using:
\begin{itemize}
\item The \texttt{lifetime} of the indicator
\begin{itemize}
\item May vary depending on the indicator type
\item Short for an IP, long for a hash
\end{itemize}
\item The \texttt{decay rate}, i.e. the speed at which an attribute loses score over time
\item The \texttt{time} elapsed since the latest update or sighting
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: putting it all together}
$\rightarrow$ The \texttt{decay} is \textbf{re-initialised upon Sighting addition} (the elapsed time $t$ restarts from zero), or said differently, the \texttt{score} is reset to its \texttt{base\_score} as new \textit{Sightings} are applied.
$$ score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau} \right)^{\frac{1}{\delta}} \right) $$
\begin{itemize}
\item $t = $ time elapsed since the latest update or \textit{Sighting}
\item $\tau = $ \texttt{lifetime}
\item $\delta = $ \texttt{decay speed}
\end{itemize}
\end{frame}
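The two halves of the formula on the preceding slides (\texttt{base\_score} built from the \texttt{numerical\_value} of taxonomy tags, then multiplied by the polynomial decay $1 - (t/\tau)^{1/\delta}$, with the clock reset by a \textit{Sighting}) carried through in Python as an added example. This is illustrative code, not MISP's implementation: the way taxonomy weights are stored on the model, the renormalisation of weights over the taxonomies actually present, the \texttt{misp:confidence-level} values and the sample attribute and dates are all constructed assumptions; only the admiralty-scale values come from the table on this page.

```python
"""Added example of the decaying-model scoring described on this page:

    score = base_score * (1 - (t / tau) ** (1 / delta))

Not MISP's code. Tag values other than the admiralty scale, the taxonomy-weight
layout on the model and the sample attribute are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

SECONDS_PER_DAY = 24 * 60 * 60

# Constructed excerpt of numerical_value mappings. The admiralty-scale values
# match the table on this page; the misp:confidence-level ones are assumed.
NUMERICAL_VALUES: Dict[str, float] = {
    'admiralty-scale:source-reliability="a"': 100,
    'admiralty-scale:source-reliability="b"': 75,
    'admiralty-scale:source-reliability="c"': 50,
    'admiralty-scale:source-reliability="d"': 25,
    'admiralty-scale:source-reliability="e"': 0,
    'misp:confidence-level="completely-confident"': 100,
    'misp:confidence-level="usually-confident"': 75,
    'misp:confidence-level="fairly-confident"': 50,
}


@dataclass
class Model:
    name: str
    lifetime_days: float            # tau, in days as in the MISP UI
    decay_speed: float              # delta; a larger value loses score faster early on
    threshold: float                # below this score the attribute counts as decayed
    default_base_score: float = 50.0
    # Relative weight of each taxonomy namespace in base_score (assumed layout).
    taxonomy_weights: Dict[str, float] = field(default_factory=dict)


@dataclass
class Attribute:
    value: str
    tags: List[str]
    timestamp: datetime                       # last update of the attribute
    sightings: List[datetime] = field(default_factory=list)

    def last_seen(self) -> datetime:
        """A Sighting restarts the decay clock: t counts from the latest event."""
        return max([self.timestamp, *self.sightings])


def base_score(tags: List[str], model: Model) -> float:
    """Weighted numerical_value of the attribute's tags (base_score = tags).

    Only taxonomies with a configured weight contribute; if several tags of one
    taxonomy are present the highest value wins; weights are renormalised over
    the taxonomies actually found so a single tag still yields its full value.
    """
    found: Dict[str, float] = {}
    for tag in tags:
        namespace = tag.split(":", 1)[0]
        if namespace in model.taxonomy_weights and tag in NUMERICAL_VALUES:
            found[namespace] = max(found.get(namespace, 0.0), NUMERICAL_VALUES[tag])
    if not found:
        return model.default_base_score
    total = sum(model.taxonomy_weights[ns] for ns in found)
    return sum(model.taxonomy_weights[ns] * v for ns, v in found.items()) / total


def decay(model: Model, elapsed_seconds: float) -> float:
    """Multiplicative factor 1 - (t/tau)^(1/delta), clamped to [0, 1]."""
    if elapsed_seconds <= 0:
        return 1.0
    lifetime = model.lifetime_days * SECONDS_PER_DAY
    return max(0.0, 1.0 - (elapsed_seconds / lifetime) ** (1.0 / model.decay_speed))


def score(attribute: Attribute, model: Model, now: datetime) -> float:
    elapsed = (now - attribute.last_seen()).total_seconds()
    return base_score(attribute.tags, model) * decay(model, elapsed)


def is_decayed(attribute: Attribute, model: Model, now: datetime) -> bool:
    return score(attribute, model, now) < model.threshold


def timeline(attribute: Attribute, model: Model, days: List[float]) -> List[Tuple[float, float, bool]]:
    """(days, score, decayed) after each number of days since the last update/sighting."""
    start = attribute.last_seen()
    return [(d, round(score(attribute, model, start + timedelta(days=d)), 3),
             is_decayed(attribute, model, start + timedelta(days=d))) for d in days]


# Constructed sample: a 30-day model and an ip-src last updated on 2019-08-13.
NIDS_MODEL = Model("NIDS Simple Decaying Model", lifetime_days=30, decay_speed=2,
                   threshold=30, taxonomy_weights={"admiralty-scale": 0.75, "misp": 0.25})
T0 = datetime(2019, 8, 13, 14, 18, 27, tzinfo=timezone.utc)
SAMPLE = Attribute("8.8.8.8",
                   ['admiralty-scale:source-reliability="a"',
                    'misp:confidence-level="usually-confident"'],
                   timestamp=T0)

if __name__ == "__main__":
    for day, s, dead in timeline(SAMPLE, NIDS_MODEL, [0, 7.5, 20, 31]):
        print(f"day {day:>5}: score={s:7.3f} decayed={dead}")
    # A Sighting on day 19 resets the clock: on day 20 the score is high again.
    SAMPLE.sightings.append(T0 + timedelta(days=19))
    print("day 20 after sighting:", round(score(SAMPLE, NIDS_MODEL, T0 + timedelta(days=20)), 3))
```

With $\tau = 30$ days and $\delta = 2$ the sample scores $93.75$ at $t=0$, $46.875$ after $7.5$ days ($t/\tau = 0.25$, square root $0.5$), drops under the threshold of 30 around day 20 and is clamped to 0 once $t > \tau$; a sighting on day 19 brings the day-20 score back to about $76.6$. Note the clamp: the raw formula goes negative past the lifetime, which is why both this example and any custom formula should floor the result at 0.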
\begin{frame}
\frametitle{Implementation in MISP: Models definition}
\hspace{190pt}
\raisebox{-1.0ex}{\Large $\Rsh$}{\tiny $score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau} \right)^{\frac{1}{\delta}} \right)$}
\textit{Models} are an instantiation of the formula where the following elements can be defined:
\begin{itemize}
\item Parameters: \texttt{lifetime, decay\_rate, threshold}
\item \texttt{base\_score} (taxonomy weights)
\item default \texttt{base\_score}
\item formula
\item associated \textit{Attribute} types
\item creator organisation
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Model Types}
Multiple model types are available:
\begin{itemize}
\item \textbf{Default Models}: Models created and shared by the community. Available from the \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}.
\begin{itemize}
\item $\rightarrow$ Not editable
\end{itemize}
\item \textbf{Organisation Models}: Models created by a user belonging to an organisation
\begin{itemize}
\item These models can be kept hidden or shared with other organisations
\item $\rightarrow$ Editable
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Index}
\includegraphics[width=1.00\linewidth]{pics/decaying-index.png}
View, update, add, create, delete, enable, export, import
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Fine tuning tool}
\includegraphics[width=1.00\linewidth]{pics/decaying-tool.png}
Create, modify, visualise, perform mapping
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: \texttt{base\_score} tool}
\includegraphics[width=1.00\linewidth]{pics/decaying-basescore.png}
Adjust the relative weights of \textit{Taxonomies}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: simulation tool}
\includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png}
Simulate \textit{Attributes} with different \textit{Models}
\end{frame}
\begin{frame}[fragile]
\frametitle{Implementation in MISP: API query body}
\texttt{/attributes/restSearch}
\begin{lstlisting}
{
  "includeDecayScore": 1,
  "includeFullModel": 0,
  "excludeDecayed": 0,
  "decayingModel": [85],
  "modelOverrides": {
    "threshold": 30
  },
  "score": 30
}
\end{lstlisting}
\end{frame}
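An added client-side example (not MISP's or PyMISP's code) that builds the \texttt{restSearch} body shown above, posts it with the standard MISP \texttt{Authorization} header, and turns the \texttt{decay\_score} annotations of the reply (shape of the API result slide) into the set of live indicators a NIDS export would keep. Assumptions: the \texttt{response}/\texttt{Attribute} JSON envelope, that \texttt{score} in the body is a minimum-score filter, and the constructed sample reply (\texttt{SAMPLE\_RESPONSE}), whose first entry mirrors the slide and whose other two entries are made up.

```python
"""Added example: query /attributes/restSearch with decay scoring enabled and
keep only indicators that are still alive. Not MISP/PyMISP code; the sample
reply is constructed in the shape of the 'API result' slide."""
import json
import urllib.request
from typing import Any, Dict, Iterable, Optional, Tuple


def build_restsearch_body(model_ids: Iterable[int], threshold: Optional[float] = None,
                          min_score: Optional[float] = None, exclude_decayed: bool = False,
                          **filters: Any) -> Dict[str, Any]:
    """Query body as on the slide; extra restSearch filters (type, tags, ...) pass through."""
    body: Dict[str, Any] = {
        "includeDecayScore": 1,
        "includeFullModel": 0,
        "excludeDecayed": 1 if exclude_decayed else 0,
        "decayingModel": list(model_ids),
    }
    if threshold is not None:
        body["modelOverrides"] = {"threshold": threshold}   # override the model's threshold
    if min_score is not None:
        body["score"] = min_score                           # assumed: minimum score filter
    body.update(filters)
    return body


def post_restsearch(base_url: str, api_key: str, body: Dict[str, Any],
                    timeout: int = 30) -> Dict[str, Any]:
    """POST to /attributes/restSearch with the MISP auth header (TLS verification stays on)."""
    request = urllib.request.Request(
        base_url.rstrip("/") + "/attributes/restSearch",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": api_key,
                 "Accept": "application/json",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(request, timeout=timeout) as reply:
        return json.load(reply)


def live_indicators(response: Dict[str, Any], model_id: Optional[int] = None,
                    min_score: float = 0.0) -> Dict[Tuple[str, str], float]:
    """Map (type, value) -> score for to_ids attributes that are not decayed.

    An attribute carries one decay_score entry per model associated with its
    type; unless model_id is given, the best non-decayed score is kept. This
    mirrors excludeDecayed/score server-side but also works on cached replies.
    """
    live: Dict[Tuple[str, str], float] = {}
    for attribute in response.get("response", {}).get("Attribute", []):
        if not attribute.get("to_ids"):
            continue  # only IDS-flagged indicators reach the sensor
        for entry in attribute.get("decay_score", []):
            if model_id is not None and int(entry["DecayingModel"]["id"]) != model_id:
                continue
            if entry["decayed"] or entry["score"] < min_score:
                continue
            key = (attribute["type"], attribute["value"])
            live[key] = max(live.get(key, 0.0), float(entry["score"]))
    return live


# Constructed reply: the first entry mirrors the slide, the other two are made up.
SAMPLE_RESPONSE = {"response": {"Attribute": [
    {"category": "Network activity", "type": "ip-src", "to_ids": True,
     "timestamp": "1565703507", "value": "8.8.8.8",
     "decay_score": [{"score": 54.475223849544456, "decayed": False,
                      "DecayingModel": {"id": "85", "name": "NIDS Simple Decaying Model"}}]},
    {"category": "Network activity", "type": "ip-dst", "to_ids": True,
     "timestamp": "1560000000", "value": "203.0.113.7",
     "decay_score": [{"score": 12.0, "decayed": True,
                      "DecayingModel": {"id": "85", "name": "NIDS Simple Decaying Model"}}]},
    {"category": "Network activity", "type": "domain", "to_ids": False,
     "timestamp": "1565700000", "value": "example.net",
     "decay_score": [{"score": 80.0, "decayed": False,
                      "DecayingModel": {"id": "86", "name": "Domain model (constructed)"}}]},
]}}

if __name__ == "__main__":
    body = build_restsearch_body([85], threshold=30, min_score=30, type="ip-src")
    print(json.dumps(body, indent=2))
    for (kind, value), s in sorted(live_indicators(SAMPLE_RESPONSE, model_id=85).items()):
        print(f"{kind:8} {value:16} score={s:.2f}")
    # Against a real instance (network access, hypothetical URL and key):
    # reply = post_restsearch("https://misp.example.org", "YOUR_API_KEY", body)
```

Filtering client-side on \texttt{decayed} and \texttt{score} is deliberately redundant with \texttt{excludeDecayed} and \texttt{score} in the request: the reply can be cached and re-evaluated later with a different threshold, and a sensor export should never trust a single flag from a peer instance without checking the \texttt{to\_ids} bit as well.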
\begin{frame}
\frametitle{Creating a new decay algorithm (1)}
The current architecture allows users to create their \textbf{own} formulae.
\begin{enumerate}
\item Create a new file \texttt{\$filename} in \texttt{app/Model/DecayingModelsFormulas/}
\item Extend the base class defined in \texttt{DecayingModelBase}
\item Implement the two mandatory functions \texttt{computeScore} and \texttt{isDecayed} using your own formula/algorithm
\item Create a Model and set its formula field to \texttt{\$filename}
\end{enumerate}
Use cases:
\begin{itemize}
\item Add support for \textbf{more features} (e.g. an expiration taxonomy)
\item \textbf{Query external services} and let the result influence the score
\item A completely \textbf{different approach} (e.g. a streaming algorithm)
\item ...
\end{itemize}
\end{frame}
\lstset{language=PHP}
\begin{frame}[fragile]
\frametitle{Creating a new decay algorithm (2)}
\lstset{basicstyle=\scriptsize}
\begin{lstlisting}
<?php
include_once 'Base.php';

class Polynomial extends DecayingModelBase
{
    public const DESCRIPTION = 'The description of your new decaying algorithm';

    // Must return a numerical score. Filled in here with the formula of the
    // previous slides; it assumes the Model parameters are reachable under
    // $model['DecayingModel']['parameters'] and that lifetime is in days.
    public function computeScore($model, $attribute, $base_score, $elapsed_time)
    {
        if ($elapsed_time < 0) {
            return 0;
        }
        $parameters = $model['DecayingModel']['parameters'];
        $lifetime = $parameters['lifetime'] * 24 * 60 * 60;
        $score = $base_score * (1 - pow($elapsed_time / $lifetime, 1 / $parameters['decay_speed']));
        return $score < 0 ? 0 : $score; // never below zero once the lifetime is exceeded
    }

    // Must return a boolean stating whether the attribute is expired or not.
    public function isDecayed($model, $attribute, $score)
    {
        return $score < $model['DecayingModel']['parameters']['threshold'];
    }
}
?>
\end{lstlisting}
\end{frame}
\begin{frame}
\frametitle{Decaying Models 2.0}
\begin{itemize}
\item Improved support of \textit{Sightings}
\begin{itemize}
\item \texttt{False positive} \textit{Sightings} should somehow reduce the score
\item \texttt{Expiration} \textit{Sightings} should mark the attribute as decayed
\end{itemize}
\item Potential \textit{Model} improvements
\begin{itemize}
\item Instead of resetting the score to \texttt{base\_score} once a \textit{Sighting} is set, the score should be increased additively (based on a defined coefficient), thus \textbf{prioritising surges} rather than infrequent \textit{Sightings}
\item Take into account related \textit{Tags} or \textit{Correlations} when computing the score
\end{itemize}
\item Increase \textit{Taxonomy} coverage
\begin{itemize}
\item Users should be able to manually override the \texttt{numerical\_value} of \textit{Tags}
\end{itemize}
\item For specific types, take into account data from other services
\begin{itemize}
\item Could fetch data from \textit{BGP Ranking}, \textit{VirusTotal}, \textit{Passive X} for IPs/domains/... and adapt the score
\end{itemize}
\end{itemize}
\end{frame}