mirror of https://github.com/MISP/misp-training
chg: [decaying] Updated slides to match the current MISP implementation
mokaddem
parent
9a2bc6c763
commit
84117eade4
|
|
@ -9,16 +9,16 @@
|
|||
\frametitle{Indicators - Problem Statement}
|
||||
\begin{itemize}
|
||||
\item Various users and organisations can share data via MISP, multiple parties can be involved
|
||||
\begin{itemize}
|
||||
\item Trust, data quality and time-to-live issues
|
||||
\item Each user/organisation has different use-cases and interests
|
||||
\end{itemize}
|
||||
\begin{itemize}
|
||||
\item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues
|
||||
\item Each user/organisation has \textbf{different use-cases} and interests
|
||||
\end{itemize}
|
||||
\vspace{0.5cm}
|
||||
\item Attributes can be shared in large quantities (more than 1.3 million on \texttt{MISPPRIV})
|
||||
\item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV})
|
||||
\begin{itemize}
|
||||
\item Partial info about their validity (sightings)
|
||||
\item Partial info about their freshness (last update)
|
||||
\item Varius conflicting interests such as operational security, attribution, source reliability evaluation...
|
||||
\item Varius conflicting interests such as operational security, attribution, source reliability evaluation... (depends on the user)
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
|
@ -33,17 +33,42 @@
|
|||
\item Sightings give more credibility/visibility to indicators
|
||||
\item This information can be used to {\bf prioritise and decay indicators}
|
||||
\end{itemize}
|
||||
\begin{center}
|
||||
\includegraphics[scale=1.00]{pics/sightings.png}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Organisations opt-in - setting a level of confidence}
|
||||
MISP is a peer-to-peer system, information passes through multiple instances.
|
||||
\begin{itemize}
|
||||
\item Producers can add context (such as tags from taxonomies, galaxies) about their asserted confidence or the reliability of the data
|
||||
\item Producers can add context (such as tags from taxonomies, galaxies) about their asserted confidence or the reliability of the data
|
||||
\item Consumers can have different levels of trust in the producers and/or analysts themselves
|
||||
\item Users might have other contextual needs
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{small}
|
||||
\begin{frame}
|
||||
\frametitle{Taxonomies - Refresher (1)}
|
||||
\includegraphics[width=1.00\linewidth]{pics/taxonomies.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Taxonomies - Refresher (2)}
|
||||
\includegraphics[width=1.00\linewidth]{pics/taxonomy-admiralty-scale.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Taxonomies - Refresher (3)}
|
||||
\begin{itemize}
|
||||
\item Some taxonomies have \texttt{numerical\_value}
|
||||
\begin{itemize}
|
||||
\item[$\rightarrow$] Can be used to prioritise \textit{Attributes}
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\vspace{1cm}
|
||||
|
||||
\begin{footnotesize}
|
||||
\begin{columns}[T] % align columns
|
||||
\begin{column}{.40\textwidth}
|
||||
\begin{tabular}{|ll|}
|
||||
|
|
@ -56,7 +81,7 @@
|
|||
Not usually reliable & 25\\
|
||||
Unreliable & 0\\
|
||||
Reliability cannot be judged & 50\\
|
||||
Deliberatly deceptive & 0\\
|
||||
Deliberatly deceptive & 0 \textbf{\color{red}?}\\
|
||||
\hline
|
||||
\end{tabular}
|
||||
\end{column}%
|
||||
|
|
@ -71,47 +96,190 @@
|
|||
Possibly true & 50\\
|
||||
Doubtful & 25\\
|
||||
Improbable & 0\\
|
||||
Truth cannot be judged & 50\\
|
||||
Truth cannot be judged & 50 \textbf{\color{red}?}\\
|
||||
\hline
|
||||
\end{tabular}
|
||||
\end{column}%
|
||||
\end{columns}
|
||||
\end{small}
|
||||
\end{footnotesize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Scoring Indicators 1/2}
|
||||
\frametitle{Scoring Indicators: Our solution}
|
||||
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model}) $$
|
||||
Where,\vspace{0.5cm}
|
||||
\begin{itemize}
|
||||
\item \texttt{score} $ \in [0, +\infty $
|
||||
\item \texttt{base\_score} $ \in [0, 100] $
|
||||
\item \texttt{decay} is a function defined by model's parameters controlling decay speed
|
||||
\end{itemize}
|
||||
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Scoring Indicators: \texttt{base\_score} (1)}
|
||||
When scoring indicators\footnote{Paper available: \url{https://arxiv.org/pdf/1803.11052}}, multiple parameters\footnote{at a variable extent as required} can be taken into account. The {\bf base score} is calculated with the following in mind:
|
||||
\begin{itemize}
|
||||
\item The reliability in the producer
|
||||
\item The trust in the data as signaled by the producer
|
||||
$$base\_score = weigth_{tg} \cdot tags + \omega_{sc} \cdot source\_confidence$$
|
||||
\item {\color{purple}Data reliability, credibility, analyst skills, custom prioritisation tags (economical-impact), etc.}
|
||||
\item {\color{orange}Trust in the source}
|
||||
\end{itemize}
|
||||
\vspace{0.5cm}
|
||||
$$\texttt{base\_score} = \omega_{tg} \cdot {\color{purple}tags} + \omega_{sc} \cdot {\color{orange}source\_confidence}$$
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Scoring Indicators 2/2}
|
||||
The weighted score is calculated using:
|
||||
\begin{itemize}
|
||||
\item The lifetime of the indicator (e.g. IP address vs hash value of a file)
|
||||
\begin{itemize}
|
||||
\item The lifespan of the indicator (short for an IP - long for an hash): $\tau$
|
||||
\item The decay rate $\rightarrow$ Speed at which an attribute loses value: $\delta$
|
||||
\item Weigthed score is reset to its base score as new \texttt{sightings} are received
|
||||
\end{itemize}
|
||||
$$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$
|
||||
\end{itemize}
|
||||
\frametitle{Scoring Indicators: \texttt{base\_score} (2)}
|
||||
\includegraphics[width=1.0\linewidth]{pics/bs-computation-steps.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Ongoing Implementation in MISP}
|
||||
Setting thresholds and retrieving the information should be simple and straightforward for the user:
|
||||
\frametitle{Scoring Indicators: decay speed (1)}
|
||||
The \texttt{score} is calculated using:
|
||||
\begin{itemize}
|
||||
\item The \texttt{lifetime} of the indicator (e.g. IP address vs hash value of a file)
|
||||
\begin{itemize}
|
||||
\item The lifespan of the indicator (short for an IP - long for an hash)
|
||||
\end{itemize}
|
||||
\item The \texttt{decay rate}, or speed at which an attribute loses value over time
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Scoring Indicators: putting it all toghether}
|
||||
$\rightarrow$ \texttt{decayin rate} is re-initialized upon sighting addition, or said differently, the \texttt{score} is reset to its base score as new \texttt{sightings} are received.
|
||||
$$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: Playing with Models}
|
||||
\begin{itemize}
|
||||
\item Automatic scoring based on default values
|
||||
\item User-friendly UI to manually set lifetime parameters
|
||||
\item Interaction through the API
|
||||
\item \textbf{Automatic scoring} based on default values
|
||||
\item \textbf{User-friendly UI} to manually set lifetime parameters
|
||||
\item \textbf{Simulation} tool
|
||||
\item Interaction through the \textbf{API}
|
||||
\item Opportunity to create your \textbf{own} formula or algorythm
|
||||
\end{itemize}
|
||||
\begin{center}
|
||||
\includegraphics[scale=0.15]{pics/param-ui.png}
|
||||
\end{center}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: Model Types}
|
||||
Multiple model types are available
|
||||
\begin{itemize}
|
||||
\item Default models: Models created and shared by the community. Available from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}.
|
||||
\begin{itemize}
|
||||
\item $\rightarrow$ Not editable
|
||||
\end{itemize}
|
||||
\item Organisation models: Models created by a user belonging to an organisation
|
||||
\begin{itemize}
|
||||
\item These models can be hidden or shared to other organisation
|
||||
\item $\rightarrow$ Editable
|
||||
\end{itemize}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: Index}
|
||||
\includegraphics[width=1.00\linewidth]{pics/decaying-index.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: Fine tuning tool}
|
||||
\includegraphics[width=1.00\linewidth]{pics/decaying-tool.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: \texttt{base\_score} tool}
|
||||
\includegraphics[width=1.00\linewidth]{pics/decaying-basescore.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: simulation tool}
|
||||
\includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Implementation in MISP: \texttt{Event/view}}
|
||||
\includegraphics[width=1.00\linewidth]{pics/decaying-event.png}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}[fragile]
|
||||
\frametitle{Implementation in MISP: API (1)}
|
||||
\texttt{/attributes/restSearch}
|
||||
\begin{lstlisting}
|
||||
{
|
||||
"includeDecayScore": 1,
|
||||
"includeFullModel": 0,
|
||||
"excludeDecayed": 0,
|
||||
"decayingModel": [85],
|
||||
"modelOverrides": {
|
||||
"threshold": 30
|
||||
}
|
||||
"score": 30,
|
||||
}
|
||||
\end{lstlisting}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}[fragile]
|
||||
\frametitle{Implementation in MISP: API (2)}
|
||||
\texttt{/attributes/restSearch}
|
||||
\begin{lstlisting}
|
||||
"Attribute": [
|
||||
{
|
||||
"category": "Network activity",
|
||||
"type": "ip-src",
|
||||
"to_ids": true,
|
||||
"timestamp": "1565703507",
|
||||
[...]
|
||||
"value": "8.8.8.8",
|
||||
"decay_score": [
|
||||
{
|
||||
"score": 54.475223849544456,
|
||||
"decayed": false,
|
||||
"DecayingModel": {
|
||||
"id": "85",
|
||||
"name": "NIDS Simple Decaying Model"
|
||||
}
|
||||
}
|
||||
],
|
||||
[...]
|
||||
\end{lstlisting}
|
||||
\end{frame}
|
||||
|
||||
\begin{frame}
|
||||
\frametitle{Creating a new decay algorithm (1)}
|
||||
The current architecture allows users to create their \textbf{own} formulae.
|
||||
|
||||
\begin{itemize}
|
||||
\item Create a new file \texttt{{\$}filename} in \texttt{app/Model/DecayingModelsFormulas/}
|
||||
\item Extend the Base class as defined in \texttt{DecayingModelBase}
|
||||
\item Implement the two mandatory functions \texttt{computeScore} and \texttt{isDecayed} using your own formula/algorithm
|
||||
\item Create a Model and set the formula field to \texttt{{\$}filename}
|
||||
\end{itemize}
|
||||
\end{frame}
|
||||
|
||||
|
||||
\begin{frame}[fragile]
|
||||
\frametitle{Creating a new decay algorithm (2)}
|
||||
\lstset{basicstyle=\scriptsize}
|
||||
\begin{lstlisting}
|
||||
<?php
|
||||
include_once 'Base.php';
|
||||
|
||||
class Polynomial extends DecayingModelBase
|
||||
{
|
||||
public const DESCRIPTION = 'The description of your new decaying algorithm';
|
||||
|
||||
public function computeScore($model, $attribute, $base_score, $elapsed_time)
|
||||
{
|
||||
// algorithm returning a numerical score
|
||||
}
|
||||
|
||||
public function isDecayed($model, $attribute, $score)
|
||||
{
|
||||
// algorithm returning a boolean stating
|
||||
// if the attribute is expired or not
|
||||
}
|
||||
}
|
||||
?>
|
||||
\end{lstlisting}
|
||||
\end{frame}
|
||||
|
|
|
|||
Binary file not shown.
|
After Width: | Height: | Size: 24 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 119 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 155 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 98 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 148 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 166 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 2.2 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 58 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 128 KiB |
|
|
@ -1,8 +1,6 @@
|
|||
\begin{itemize}
|
||||
\item (11:45 - 12:45) Introduction to Information Sharing with MISP
|
||||
\item (12:45 - 13:15) User perspective - diving into MISP functionalities and integration
|
||||
\item (13:15 - 14:30) Lunch Break
|
||||
\item (14:30 - 16:00) Admin perspective - Figuring out the health of your MISP instance.
|
||||
\item (16:45 - 17:45) Building your information sharing communities
|
||||
\item (17:45 - 18:15) Future - Sharing Ideas
|
||||
\item (10:00 - 12:30) Introduction to Information Sharing with MISP
|
||||
\item (12:30 - 13:30) Lunch Break
|
||||
\item (13:30 - 15:30) User perspective - diving into MISP functionalities and integration
|
||||
\item (15:45 - 17:00) Admin perspective - Figuring out the health of your MISP instance.
|
||||
\end{itemize}
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
MISP Training @ FIRST.org 2019 \\ \small{20190617}
|
||||
MISP Training @ SPCSS - Prague 2019 \\ \small{20190917}
|
||||
|
|
|
|||
Loading…
Reference in New Issue