misp-training/a.5-decaying-indicators/content.tex

424 lines
16 KiB
TeX
Raw Normal View History

2018-12-29 23:18:21 +01:00
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}[t,plain]
\titlepage
\end{frame}
2019-09-25 12:17:58 +02:00
\section{Expiring IOCs: Why and How?}
\begin{frame}[fragile]
\frametitle{Indicators - Problem Statement}
\begin{itemize}
\item {\bf Sharing information} about threats {\bf is crucial}
\item Organisations are sharing more and more
\end{itemize}
\vspace{1em}
Contribution by {\bf unique organisation} (\texttt{Orgc.name}) on MISPPriv:\\
\vspace{1em}
\begin{minipage}{0.45\textwidth}
\begin{tabular}{ll}
\hline
Date & Unique Org \\
\hline
2013 & 17 \\
2014 & 43 \\
2015 & 82 \\
2016 & 105 \\
2017 & 118 \\
2018 & 125 \\
2019-10 & 135 \\
\hline
\end{tabular}
\vspace{0.5em}
\end{minipage}
\begin{minipage}{0.5\textwidth}
\begin{lstlisting}
{
"distribution": [1, 2, 3]
}\end{lstlisting}
\end{minipage}
\end{frame}
2018-12-29 23:18:21 +01:00
\begin{frame}
\frametitle{Indicators - Problem Statement}
\begin{itemize}
\item Various users and organisations can share data via MISP, multiple parties can be involved
\begin{itemize}
\item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues
\item Each user/organisation has \textbf{different use-cases} and interests
\begin{itemize}
\item Conflicting interests such as operational security, attribution,... (depends on the user)
\end{itemize}
\end{itemize}
\item[] $\rightarrow$ Can be partially solved with \textit{Taxonomies}
\pause
2018-12-29 23:18:21 +01:00
\vspace{0.5cm}
\item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV})
2018-12-29 23:18:21 +01:00
\begin{itemize}
2019-09-25 12:17:58 +02:00
\item Partial info about their \textbf{freshness} (\textit{Sightings})
\item Partial info about their \textbf{validity} (last update)
2018-12-29 23:18:21 +01:00
\end{itemize}
\item[] $\rightarrow$ Can be partially solved with our \textit{Decaying model}
2018-12-29 23:18:21 +01:00
\end{itemize}
\end{frame}
\begin{frame}
2019-09-25 17:24:02 +02:00
\frametitle{Requirements to enjoy the decaying feature in MISP}
\begin{itemize}
2019-09-25 17:24:02 +02:00
\item Starting from \textbf{MISP 2.4.116}, the decaying feature is available
\item Don't forget to update the decay models and enable the ones you want
\item The decaying feature has no impact on the information in MISP, it's just an overlay to be used in the user-interface and API
\item Decay strongly relies on \textit{Taxonomies} and \textit{Sightings}, don't forget to review their configuration
\end{itemize}
\end{frame}
2018-12-29 23:18:21 +01:00
\begin{frame}
\frametitle{\textit{Sightings} - Refresher}
\textit{Sightings} add temporal context to indicators.
2018-12-29 23:18:21 +01:00
A user, script or an IDS can extend the information related to indicators by reporting back to MISP that
an indicator has been \texttt{seen}, or that an indicator can be considered as a \texttt{false-positive}
\vspace{0.5cm}
\begin{itemize}
\item \textit{Sightings} give more credibility/visibility to indicators
2018-12-29 23:18:21 +01:00
\item This information can be used to {\bf prioritise and decay indicators}
\end{itemize}
\begin{center}
\includegraphics[scale=1.00]{pics/sightings.png}
\end{center}
2018-12-29 23:18:21 +01:00
\end{frame}
\begin{frame}
\frametitle{Organisations opt-in - setting a level of confidence}
MISP is a peer-to-peer system, information passes through multiple instances.
\begin{itemize}
2019-09-25 12:17:58 +02:00
\item \textbf{Producers can add context} (such as tags from \textit{Taxonomies}, \textit{Galaxies}) about their asserted confidence or the reliability of the data
\item Consumers can have \textbf{different levels of trust} in the producers and/or analysts themselves
\item Users might have other contextual needs
\end{itemize}
2019-09-25 12:17:58 +02:00
\begin{center}
$\rightarrow$ Achieved thanks to \textit{Taxonomies}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Taxonomies - Refresher (1)}
\includegraphics[width=1.00\linewidth]{pics/taxonomies.png}
2019-09-25 12:17:58 +02:00
\begin{itemize}
\item Tagging is a simple way to attach a classification to an \textit{Event} or an \textit{Attribute}
\item Classification must be globally used to be efficient
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Taxonomies - Refresher (2)}
\includegraphics[width=1.00\linewidth]{pics/taxonomy-admiralty-scale.png}
2019-09-25 12:17:58 +02:00
\begin{center}
$\rightarrow$ Cherry-pick allowed \textit{Tags}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Taxonomies - Refresher (3)}
\begin{itemize}
\item Some taxonomies have \texttt{numerical\_value}
\begin{itemize}
\item[$\rightarrow$] Can be used to prioritise \textit{Attributes}
\end{itemize}
2018-12-29 23:18:21 +01:00
\end{itemize}
\vspace{1cm}
2018-12-29 23:18:21 +01:00
\begin{footnotesize}
2018-12-29 23:18:21 +01:00
\begin{columns}[T] % align columns
\begin{column}{.40\textwidth}
\begin{tabular}{|ll|}
\hline
\textbf{Description} & \textbf{Value}\\
\hline
Completely reliable & 100\\
Usually reliable & 75\\
Fairly reliable & 50\\
Not usually reliable & 25\\
Unreliable & 0\\
Reliability cannot be judged & 50 \textbf{\color{red}?}\\
Deliberatly deceptive & 0 \textbf{\color{red}?}\\
2018-12-29 23:18:21 +01:00
\hline
\end{tabular}
\end{column}%
\hfill%
\begin{column}{.48\textwidth}
\begin{tabular}{|ll|}
\hline
\textbf{Description} & \textbf{Value}\\
\hline
Confirmed by other sources & 100\\
Probably true & 75\\
Possibly true & 50\\
Doubtful & 25\\
Improbable & 0\\
Truth cannot be judged & 50 \textbf{\color{red}?}\\
2018-12-29 23:18:21 +01:00
\hline
\end{tabular}
\end{column}%
\end{columns}
\end{footnotesize}
2018-12-29 23:18:21 +01:00
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: Our solution}
2019-09-18 15:49:00 +02:00
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
Where,\vspace{0.5cm}
\begin{itemize}
\item \texttt{score} $ \in [0, +\infty $
\item \texttt{base\_score} $ \in [0, 100] $
\item \texttt{decay} is a function defined by model's parameters controlling decay speed
2019-09-25 12:17:58 +02:00
\item \texttt{Attribute} Contains \textit{Attribute}'s values and metadata {\scriptsize (\textit{Taxonomies}, \textit{Galaxies}, ...)}
\item \texttt{Model} Contains the \textit{Model}'s configuration
\end{itemize}
\end{frame}
2019-09-25 12:17:58 +02:00
\section{Current implementation in MISP}
\begin{frame}
\frametitle{Implementation in MISP: \texttt{Event/view}}
\includegraphics[width=1.00\linewidth]{pics/decaying-event.png}
2019-09-25 12:17:58 +02:00
\begin{itemize}
\item \texttt{Decay score} toggle button
\begin{itemize}
\item Shows Score for each \textit{Models} associated to the \textit{Attribute} type
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Implementation in MISP: API result}
\texttt{/attributes/restSearch}
\begin{lstlisting}
"Attribute": [
{
"category": "Network activity",
"type": "ip-src",
"to_ids": true,
"timestamp": "1565703507",
[...]
"value": "8.8.8.8",
"decay_score": [
{
"score": 54.475223849544456,
"decayed": false,
"DecayingModel": {
"id": "85",
"name": "NIDS Simple Decaying Model"
}
}
],
[...]
\end{lstlisting}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Playing with Models}
\begin{itemize}
\item \textbf{Automatic scoring} based on default values
2019-09-25 12:17:58 +02:00
\item \textbf{User-friendly UI} to manually set \textit{Model} configuration (lifetime, decay, etc.)
\item \textbf{Simulation} tool
\item Interaction through the \textbf{API}
\item Opportunity to create your \textbf{own} formula or algorythm
\end{itemize}
\end{frame}
2019-09-25 12:17:58 +02:00
\section{Decaying Models in Depth}
\begin{frame}
\frametitle{Scoring Indicators: \texttt{base\_score} (1)}
2019-09-18 15:49:00 +02:00
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; {\color{gray}\texttt{decay}(\texttt{\tiny Model, time})} $$
2018-12-29 23:18:21 +01:00
When scoring indicators\footnote{Paper available: \url{https://arxiv.org/pdf/1803.11052}}, multiple parameters\footnote{at a variable extent as required} can be taken into account. The {\bf base score} is calculated with the following in mind:
\begin{itemize}
\item {\color{purple}Data reliability, credibility, analyst skills, custom prioritisation tags (economical-impact), etc.}
\item {\color{orange}Trust in the source}
2018-12-29 23:18:21 +01:00
\end{itemize}
2019-09-18 15:49:00 +02:00
\vspace{0.3cm}
$$\texttt{base\_score} = \omega_{tg} \cdot {\color{purple}tags} + \omega_{sc} \cdot {\color{orange}source\_confidence}$$
2019-09-18 15:49:00 +02:00
Where,
\begin{itemize}
\item[] $\omega_{sc} + \omega_{tg} = 1$
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: \texttt{base\_score} (2)}
2019-09-25 12:17:58 +02:00
Current implentation ignores \texttt{source\_confidence}:
2019-09-18 15:49:00 +02:00
$$\rightarrow \texttt{base\_score} = tags$$
\includegraphics[width=1.0\linewidth]{pics/bs-computation-steps.png}
$\rightarrow$ The \texttt{base\_score} can be use to prioritize attribute based on their attached context and source
2018-12-29 23:18:21 +01:00
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: decay speed (1)}
2019-09-18 15:49:00 +02:00
$$ \texttt{score}(\texttt{\tiny Attribute}) = {\color{gray}\texttt{base\_score}(\texttt{\tiny Attribute, Model})} \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
The \texttt{decay} is calculated using:
\begin{itemize}
2019-09-18 15:49:00 +02:00
\item The \texttt{lifetime} of the indicator
\begin{itemize}
2019-09-18 15:49:00 +02:00
\item May vary depending on the indicator type
\item short for an IP, long for an hash
\end{itemize}
2019-09-25 12:17:58 +02:00
\item The \texttt{decay rate}, or speed at which an attribute loses score over time
\item The \texttt{time} elapsed since the latest update or sighting
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: putting it all toghether}
$\rightarrow$ \texttt{decay rate} is \textbf{re-initialized upon sighting} addition, or said differently, the \texttt{score} is reset to its base score as new \textit{sightings} are applied.
2019-09-25 12:17:58 +02:00
$$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau} \right)^{\frac{1}{\delta}} \right) $$
\begin{itemize}
2019-09-25 12:17:58 +02:00
\item $\tau = $ \texttt{lifetime}
\item $\delta = $ \texttt{decay speed}
\end{itemize}
\end{frame}
\begin{frame}
2019-09-18 15:49:00 +02:00
\frametitle{Implementation in MISP: Models definition}
2019-09-25 12:17:58 +02:00
\hspace{190pt}
\raisebox{-1.0ex}{\Large $\Rsh$} {\tiny $score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau} \right)^{\frac{1}{\delta}} \right) $}
\textit{Models} are an instanciation of the formula where elements can be defined:
2019-09-18 15:49:00 +02:00
\begin{itemize}
\item Parameters: \texttt{lifetime, decay\_rate, threshold}
\item \texttt{base\_score}
\item \texttt{default base\_score}
\item formula
\item associate \textit{Attribute} types
\item creator organisation
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Models Types}
Multiple model types are available
\begin{itemize}
2019-09-25 12:17:58 +02:00
\item \textbf{Default Models}: Models created and shared by the community. Available from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}.
2018-12-29 23:18:21 +01:00
\begin{itemize}
\item $\rightarrow$ Not editable
2018-12-29 23:18:21 +01:00
\end{itemize}
2019-09-25 12:17:58 +02:00
\item \textbf{Organisation Models}: Models created by a user belonging to an organisation
\begin{itemize}
\item These models can be hidden or shared to other organisation
\item $\rightarrow$ Editable
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Index}
\includegraphics[width=1.00\linewidth]{pics/decaying-index.png}
2019-09-25 12:17:58 +02:00
View, update, add, create, delete, enable, export, import
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Fine tuning tool}
\includegraphics[width=1.00\linewidth]{pics/decaying-tool.png}
2019-09-25 12:17:58 +02:00
Create, modify, visualise, perform mapping
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: \texttt{base\_score} tool}
\includegraphics[width=1.00\linewidth]{pics/decaying-basescore.png}
2019-09-25 12:17:58 +02:00
Adjust Taxonomies relative weights
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: simulation tool}
\includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png}
2019-09-25 12:17:58 +02:00
Simulate \textit{Attributes} with different \textit{Models}
\end{frame}
\begin{frame}[fragile]
2019-09-18 15:49:00 +02:00
\frametitle{Implementation in MISP: API query body}
\texttt{/attributes/restSearch}
\begin{lstlisting}
{
"includeDecayScore": 1,
"includeFullModel": 0,
"excludeDecayed": 0,
"decayingModel": [85],
"modelOverrides": {
"threshold": 30
}
"score": 30,
}
\end{lstlisting}
\end{frame}
2018-12-29 23:18:21 +01:00
\begin{frame}
\frametitle{Creating a new decay algorithm (1)}
The current architecture allows users to create their \textbf{own} formulae.
\begin{enumerate}
\item Create a new file \texttt{{\$}filename} in \texttt{app/Model/DecayingModelsFormulas/}
\item Extend the Base class as defined in \texttt{DecayingModelBase}
\item Implement the two mandatory functions \texttt{computeScore} and \texttt{isDecayed} using your own formula/algorithm
\item Create a Model and set the formula field to \texttt{{\$}filename}
\end{enumerate}
2019-09-18 15:49:00 +02:00
Use cases:
\begin{itemize}
\item Add support for \textbf{more feature} (expiration taxonomy)
\item \textbf{Query external services} then influence the score
\item Completely \textbf{different approach} (i.e streaming algorithm)
\item ...
\end{itemize}
\end{frame}
2019-09-18 15:49:00 +02:00
\lstset{language=PHP}
\begin{frame}[fragile]
\frametitle{Creating a new decay algorithm (2)}
\lstset{basicstyle=\scriptsize}
\begin{lstlisting}
<?php
include_once 'Base.php';
class Polynomial extends DecayingModelBase
{
public const DESCRIPTION = 'The description of your new decaying algorithm';
public function computeScore($model, $attribute, $base_score, $elapsed_time)
{
// algorithm returning a numerical score
}
public function isDecayed($model, $attribute, $score)
{
// algorithm returning a boolean stating
// if the attribute is expired or not
}
}
?>
\end{lstlisting}
2018-12-29 23:18:21 +01:00
\end{frame}
\begin{frame}
\frametitle{Decaying Models 2.0}
\begin{itemize}
\item Improved support of \textit{Sightings}
\begin{itemize}
\item \texttt{False positive} \textit{Sightings} should somehow reduce the score
\item \texttt{Expiration} \textit{Sightings} should mark the attribute as decayed
\end{itemize}
\item Potential \textit{Model} improvements
\begin{itemize}
\item Instead of resetting the score to \texttt{base\_score} once a \textit{Sighting} is set, the score should be increased additively (based on a defined coefficient); thus \textbf{prioritizing surges} rather than infrequent \textit{Sightings}
\item Take into account related \textit{Tags} or \textit{Correlations} when computing score
\end{itemize}
\item Increase \textit{Taxonomy} coverage
\begin{itemize}
\item Users should be able to manually override the \texttt{numerical\_value} of \textit{Tags}
\end{itemize}
\item For specific type, take into account data from other services
\begin{itemize}
\item Could fetch data from \textit{BGP ranking}, \textit{Virus Total}, \textit{Passive X} for IP/domain/... and adapt the score
\end{itemize}
\end{itemize}
\end{frame}