chg: [decaying] Improved slides and changed slide order

changes-actionable
mokaddem 2019-09-24 08:32:32 +02:00
parent ee5b300ed0
commit 740e562506
1 changed file with 64 additions and 55 deletions


@ -8,29 +8,34 @@
\begin{frame} \begin{frame}
\frametitle{Indicators - Problem Statement} \frametitle{Indicators - Problem Statement}
\begin{itemize} \begin{itemize}
\item Various users and organisations can share data via MISP, multiple parties can be involved \item Various users and organisations can share data via MISP, multiple parties can be involved
\begin{itemize} \begin{itemize}
\item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues \item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues
\item Each user/organisation has \textbf{different use-cases} and interests \item Each user/organisation has \textbf{different use-cases} and interests
\end{itemize} \begin{itemize}
\item Conflicting interests such as operational security, attribution,... (depends on the user)
\end{itemize}
\end{itemize}
\item[] $\rightarrow$ Can be partially solved with \textit{Taxonomies}
\pause
\vspace{0.5cm} \vspace{0.5cm}
\item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV}) \item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV})
\begin{itemize} \begin{itemize}
\item Partial info about their validity (sightings) \item Partial info about their \textbf{freshness} (\textit{sightings})
\item Partial info about their freshness (last update) \item Partial info about their \textbf{validity} (last update)
\item Varius conflicting interests such as operational security, attribution, source reliability evaluation... (depends on the user)
\end{itemize} \end{itemize}
\item[] $\rightarrow$ Can be partially solved with our \textit{Decaying model}
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Sightings - Refresher} \frametitle{\textit{Sightings} - Refresher}
Sightings add temporal context to indicators. \textit{Sightings} add temporal context to indicators.
A user, script or an IDS can extend the information related to indicators by reporting back to MISP that A user, script or an IDS can extend the information related to indicators by reporting back to MISP that
an indicator has been \texttt{seen}, or that an indicator can be considered as a \texttt{false-positive} an indicator has been \texttt{seen}, or that an indicator can be considered as a \texttt{false-positive}
\vspace{0.5cm} \vspace{0.5cm}
\begin{itemize} \begin{itemize}
\item Sightings give more credibility/visibility to indicators \item \textit{Sightings} give more credibility/visibility to indicators
\item This information can be used to {\bf prioritise and decay indicators} \item This information can be used to {\bf prioritise and decay indicators}
\end{itemize} \end{itemize}
\begin{center} \begin{center}
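Review bot: the swap in the second bullet group now pairs `\textbf{freshness} (\textit{sightings})` with `\textbf{validity} (last update)`, but the Sightings refresher in this same hunk says a sighting reports that an indicator has been `seen` or is a `false-positive`, which is validity information, while an attribute's last-update timestamp only says how recently the record was touched, i.e. freshness. Either keep the original pairing (validity from sightings, freshness from last update) or state that sightings carry both signals; as written the problem-statement slide contradicts the slide that follows it.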
@ -42,7 +47,7 @@
\frametitle{Organisations opt-in - setting a level of confidence} \frametitle{Organisations opt-in - setting a level of confidence}
MISP is a peer-to-peer system, information passes through multiple instances. MISP is a peer-to-peer system, information passes through multiple instances.
\begin{itemize} \begin{itemize}
\item Producers can add context (such as tags from taxonomies, galaxies) about their asserted confidence or the reliability of the data \item Producers can add context (such as tags from \textit{taxonomies}, \textit{galaxies}) about their asserted confidence or the reliability of the data
\item Consumers can have different levels of trust in the producers and/or analysts themselves \item Consumers can have different levels of trust in the producers and/or analysts themselves
\item Users might have other contextual needs \item Users might have other contextual needs
\end{itemize} \end{itemize}
@ -80,7 +85,7 @@
Fairly reliable & 50\\ Fairly reliable & 50\\
Not usually reliable & 25\\ Not usually reliable & 25\\
Unreliable & 0\\ Unreliable & 0\\
Reliability cannot be judged & 50\\ Reliability cannot be judged & 50 \textbf{\color{red}?}\\
Deliberatly deceptive & 0 \textbf{\color{red}?}\\ Deliberatly deceptive & 0 \textbf{\color{red}?}\\
\hline \hline
\end{tabular} \end{tabular}
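Review bot: `Reliability cannot be judged & 50` now gives an unrated source exactly the same weight as `Fairly reliable & 50`, so a producer nobody has evaluated feeds the `base_score` as if it had been positively assessed; if the red `?` marks an open decision, say so on the slide, otherwise give the unrated level its own value (or state that it is treated as neutral and why, since `Fairly reliable` is then not neutral either). Also, `Deliberatly deceptive` in the unchanged context line should read `Deliberately deceptive`.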
@ -116,6 +121,48 @@
\end{frame} \end{frame}
\begin{frame}
\frametitle{Implementation in MISP: \texttt{Event/view}}
\includegraphics[width=1.00\linewidth]{pics/decaying-event.png}
\end{frame}
\begin{frame}[fragile]
\frametitle{Implementation in MISP: API result}
\texttt{/attributes/restSearch}
\begin{lstlisting}
"Attribute": [
{
"category": "Network activity",
"type": "ip-src",
"to_ids": true,
"timestamp": "1565703507",
[...]
"value": "8.8.8.8",
"decay_score": [
{
"score": 54.475223849544456,
"decayed": false,
"DecayingModel": {
"id": "85",
"name": "NIDS Simple Decaying Model"
}
}
],
[...]
\end{lstlisting}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Playing with Models}
\begin{itemize}
\item \textbf{Automatic scoring} based on default values
\item \textbf{User-friendly UI} to manually set lifetime and decay parameters
\item \textbf{Simulation} tool
\item Interaction through the \textbf{API}
\item Opportunity to create your \textbf{own} formula or algorythm
\end{itemize}
\end{frame}
\begin{frame} \begin{frame}
\frametitle{Scoring Indicators: \texttt{base\_score} (1)} \frametitle{Scoring Indicators: \texttt{base\_score} (1)}
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; {\color{gray}\texttt{decay}(\texttt{\tiny Model, time})} $$ $$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; {\color{gray}\texttt{decay}(\texttt{\tiny Model, time})} $$
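Review bot: the sample attribute in the new `API result` frame is `"type": "ip-src"`, `"to_ids": true`, `"value": "8.8.8.8"`, i.e. Google's public resolver marked as an IDS-exportable network indicator; on a slide about a `NIDS Simple Decaying Model` that invites the wrong reading, since pushing that value to a sensor would match a large share of legitimate DNS traffic. Use a documentation address from the RFC 5737 TEST-NET ranges (e.g. `192.0.2.1`) or a redacted value instead. Two smaller points in the same hunk: `algorythm` in the `Playing with Models` frame should be `algorithm`, and `"score": 54.475223849544456` could be rounded for the slide, as the precision carries no information here.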
@ -156,24 +203,17 @@
\begin{frame} \begin{frame}
\frametitle{Scoring Indicators: putting it all toghether} \frametitle{Scoring Indicators: putting it all toghether}
$\rightarrow$ \texttt{decay rate} is \textbf{re-initialized upon sighting} addition, or said differently, the \texttt{score} is reset to its base score as new \texttt{sightings} are applied. $\rightarrow$ \texttt{decay rate} is \textbf{re-initialized upon sighting} addition, or said differently, the \texttt{score} is reset to its base score as new \textit{sightings} are applied.
$$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$ $$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Playing with Models}
\begin{itemize} \begin{itemize}
\item \textbf{Automatic scoring} based on default values \item $\tau_a = $ \texttt{lifetime}
\item \textbf{User-friendly UI} to manually set lifetime and decay parameters \item $\delta_a = $ \texttt{decay speed}
\item \textbf{Simulation} tool
\item Interaction through the \textbf{API}
\item Opportunity to create your \textbf{own} formula or algorythm
\end{itemize} \end{itemize}
\end{frame} \end{frame}
\begin{frame} \begin{frame}
\frametitle{Implementation in MISP: Models definition} \frametitle{Implementation in MISP: Models definition}
Models are an instanciation of the formula where elements can be defined: \textit{Models} are an instanciation of the formula where elements can be defined:
\begin{itemize} \begin{itemize}
\item Parameters: \texttt{lifetime, decay\_rate, threshold} \item Parameters: \texttt{lifetime, decay\_rate, threshold}
\item \texttt{base\_score} \item \texttt{base\_score}
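Review bot: the new legend defines `$\delta_a = $ \texttt{decay speed}` while the `Models definition` frame a few lines below lists the parameter as `decay\_rate`; pick one name and use it in both places. In the same frame the text says the `decay rate` is `re-initialized upon sighting`, but in `score = base_score · (1 - (t/τ_a)^{1/δ_a})` `δ_a` is a fixed model parameter; what a sighting resets is `t`, the time elapsed since the last sighting, and the sentence should say that. The formula also goes negative once `t > τ_a`, so the slide should state that the score is floored at 0 and that the `threshold` parameter (presumably) decides when the attribute counts as decayed. Typos: `toghether` in the frametitle and `instanciation` should read `together` and `instantiation`.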
@ -220,11 +260,6 @@
\includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png} \includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png}
\end{frame} \end{frame}
\begin{frame}
\frametitle{Implementation in MISP: \texttt{Event/view}}
\includegraphics[width=1.00\linewidth]{pics/decaying-event.png}
\end{frame}
\begin{frame}[fragile] \begin{frame}[fragile]
\frametitle{Implementation in MISP: API query body} \frametitle{Implementation in MISP: API query body}
\texttt{/attributes/restSearch} \texttt{/attributes/restSearch}
@ -242,32 +277,6 @@
\end{lstlisting} \end{lstlisting}
\end{frame} \end{frame}
\begin{frame}[fragile]
\frametitle{Implementation in MISP: API result}
\texttt{/attributes/restSearch}
\begin{lstlisting}
"Attribute": [
{
"category": "Network activity",
"type": "ip-src",
"to_ids": true,
"timestamp": "1565703507",
[...]
"value": "8.8.8.8",
"decay_score": [
{
"score": 54.475223849544456,
"decayed": false,
"DecayingModel": {
"id": "85",
"name": "NIDS Simple Decaying Model"
}
}
],
[...]
\end{lstlisting}
\end{frame}
\begin{frame} \begin{frame}
\frametitle{Creating a new decay algorithm (1)} \frametitle{Creating a new decay algorithm (1)}
The current architecture allows users to create their \textbf{own} formulae. The current architecture allows users to create their \textbf{own} formulae.