diff --git a/a.5-decaying-indicators/content.tex b/a.5-decaying-indicators/content.tex
index 75d9952..dbb1967 100644
--- a/a.5-decaying-indicators/content.tex
+++ b/a.5-decaying-indicators/content.tex
@@ -9,16 +9,16 @@
 \frametitle{Indicators - Problem Statement}
 \begin{itemize}
 \item Various users and organisations can share data via MISP, multiple parties can be involved
- \begin{itemize}
- \item Trust, data quality and time-to-live issues
- \item Each user/organisation has different use-cases and interests
- \end{itemize}
+ \begin{itemize}
+ \item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues
+ \item Each user/organisation has \textbf{different use-cases} and interests
+ \end{itemize}
 \vspace{0.5cm}
- \item Attributes can be shared in large quantities (more than 1.3 million on \texttt{MISPPRIV})
+ \item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV})
 \begin{itemize}
 \item Partial info about their validity (sightings)
 \item Partial info about their freshness (last update)
- \item Varius conflicting interests such as operational security, attribution, source reliability evaluation...
+ \item Varius conflicting interests such as operational security, attribution, source reliability evaluation... (depends on the user)
 \end{itemize}
 \end{itemize}
 \end{frame}
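Review bot: The last bullet of the hunk is rewritten but still carries the misspelling `Varius`; since the line changes anyway it should read `\item Various conflicting interests such as operational security, attribution, source reliability evaluation\dots{} (depends on the user)`. The literal `...` on that line is plain-text ellipsis and is better typeset as `\dots`. The enclosing `frame` environment opens before the first line of the hunk.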
@@ -33,17 +33,42 @@
 \item Sightings give more credibility/visibility to indicators
 \item This information can be used to {\bf prioritise and decay indicators}
 \end{itemize}
+ \begin{center}
+ \includegraphics[scale=1.00]{pics/sightings.png}
+ \end{center}
 \end{frame}
 
 \begin{frame}
 \frametitle{Organisations opt-in - setting a level of confidence}
 MISP is a peer-to-peer system, information passes through multiple instances.
 \begin{itemize}
- \item Producers can add context (such as tags from taxonomies, galaxies) about their asserted confidence or the reliability of the data
+ \item Producers can add context (such as tags from taxonomies, galaxies) about their asserted confidence or the reliability of the data
 \item Consumers can have different levels of trust in the producers and/or analysts themselves
+ \item Users might have other contextual needs
 \end{itemize}
+\end{frame}
 
- \begin{small}
+\begin{frame}
+ \frametitle{Taxonomies - Refresher (1)}
+ \includegraphics[width=1.00\linewidth]{pics/taxonomies.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Taxonomies - Refresher (2)}
+ \includegraphics[width=1.00\linewidth]{pics/taxonomy-admiralty-scale.png}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Taxonomies - Refresher (3)}
+ \begin{itemize}
+ \item Some taxonomies have \texttt{numerical\_value}
+ \begin{itemize}
+ \item[$\rightarrow$] Can be used to prioritise \textit{Attributes}
+ \end{itemize}
+ \end{itemize}
+ \vspace{1cm}
+
+ \begin{footnotesize}
 \begin{columns}[T] % align columns
 \begin{column}{.40\textwidth}
 \begin{tabular}{|ll|}
@@ -56,7 +81,7 @@
 Not usually reliable & 25\\
 Unreliable & 0\\
 Reliability cannot be judged & 50\\
- Deliberatly deceptive & 0\\
+ Deliberatly deceptive & 0 \textbf{\color{red}?}\\
 \hline
 \end{tabular}
 \end{column}%
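Review bot: The new sightings figure is sized with `scale=1.00` while every other figure this commit adds uses `width=1.00\linewidth`; an absolute scale depends on the PNG's pixel dimensions and can run off the slide, so `\includegraphics[width=\linewidth]{pics/sightings.png}` keeps the frames consistent. Wrapping it in `\begin{center}` also adds vertical space inside the frame that a plain `\centering` would not. In the "Refresher (3)" frame `\textit{Attributes}` is used for emphasis and reads better as `\emph{Attributes}`. The `columns` environment opened at the end of this hunk is closed outside it.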
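Review bot: The red `?` appended to `Deliberatly deceptive & 0` here, and to `Truth cannot be judged & 50` in the following hunk, is an unexplained marker on a slide that is shown to trainees, so they cannot tell whether the numerical value is wrong or merely open for discussion; either add a short footnote saying what is being questioned or drop the marker before the deck is presented. The touched row also keeps the misspelling `Deliberatly`; `Deliberately deceptive & 0\\` fixes it. The table's header rows lie outside the hunk.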
@@ -71,47 +96,190 @@ Possibly true & 50\\ Doubtful & 25\\ Improbable & 0\\ - Truth cannot be judged & 50\\ + Truth cannot be judged & 50 \textbf{\color{red}?}\\ \hline \end{tabular} \end{column}% \end{columns} - \end{small} + \end{footnotesize} \end{frame} \begin{frame} - \frametitle{Scoring Indicators 1/2} + \frametitle{Scoring Indicators: Our solution} + $$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model}) $$ + Where,\vspace{0.5cm} + \begin{itemize} + \item \texttt{score} $ \in [0, +\infty $ + \item \texttt{base\_score} $ \in [0, 100] $ + \item \texttt{decay} is a function defined by model's parameters controlling decay speed + \end{itemize} + +\end{frame} + +\begin{frame} + \frametitle{Scoring Indicators: \texttt{base\_score} (1)} When scoring indicators\footnote{Paper available: \url{https://arxiv.org/pdf/1803.11052}}, multiple parameters\footnote{at a variable extent as required} can be taken into account. The {\bf base score} is calculated with the following in mind: \begin{itemize} - \item The reliability in the producer - \item The trust in the data as signaled by the producer - $$base\_score = weigth_{tg} \cdot tags + \omega_{sc} \cdot source\_confidence$$ + \item {\color{purple}Data reliability, credibility, analyst skills, custom prioritisation tags (economical-impact), etc.} + \item {\color{orange}Trust in the source} \end{itemize} + \vspace{0.5cm} + $$\texttt{base\_score} = \omega_{tg} \cdot {\color{purple}tags} + \omega_{sc} \cdot {\color{orange}source\_confidence}$$ \end{frame} \begin{frame} - \frametitle{Scoring Indicators 2/2} - The weighted score is calculated using: - \begin{itemize} - \item The lifetime of the indicator (e.g. 
IP address vs hash value of a file) - \begin{itemize} - \item The lifespan of the indicator (short for an IP - long for an hash): $\tau$ - \item The decay rate $\rightarrow$ Speed at which an attribute loses value: $\delta$ - \item Weigthed score is reset to its base score as new \texttt{sightings} are received - \end{itemize} - $$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$ - \end{itemize} + \frametitle{Scoring Indicators: \texttt{base\_score} (2)} + \includegraphics[width=1.0\linewidth]{pics/bs-computation-steps.png} \end{frame} \begin{frame} -\frametitle{Ongoing Implementation in MISP} - Setting thresholds and retrieving the information should be simple and straightforward for the user: + \frametitle{Scoring Indicators: decay speed (1)} + The \texttt{score} is calculated using: + \begin{itemize} + \item The \texttt{lifetime} of the indicator (e.g. IP address vs hash value of a file) + \begin{itemize} + \item The lifespan of the indicator (short for an IP - long for an hash) + \end{itemize} + \item The \texttt{decay rate}, or speed at which an attribute loses value over time + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Scoring Indicators: putting it all toghether} + $\rightarrow$ \texttt{decayin rate} is re-initialized upon sighting addition, or said differently, the \texttt{score} is reset to its base score as new \texttt{sightings} are received. 
+ $$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$ +\end{frame} + +\begin{frame} +\frametitle{Implementation in MISP: Playing with Models} \begin{itemize} - \item Automatic scoring based on default values - \item User-friendly UI to manually set lifetime parameters - \item Interaction through the API + \item \textbf{Automatic scoring} based on default values + \item \textbf{User-friendly UI} to manually set lifetime parameters + \item \textbf{Simulation} tool + \item Interaction through the \textbf{API} + \item Opportunity to create your \textbf{own} formula or algorythm \end{itemize} - \begin{center} - \includegraphics[scale=0.15]{pics/param-ui.png} - \end{center} +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: Model Types} + Multiple model types are available + \begin{itemize} + \item Default models: Models created and shared by the community. Available from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}. 
+ \begin{itemize} + \item $\rightarrow$ Not editable + \end{itemize} + \item Organisation models: Models created by a user belonging to an organisation + \begin{itemize} + \item These models can be hidden or shared to other organisation + \item $\rightarrow$ Editable + \end{itemize} + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: Index} + \includegraphics[width=1.00\linewidth]{pics/decaying-index.png} +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: Fine tuning tool} + \includegraphics[width=1.00\linewidth]{pics/decaying-tool.png} +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: \texttt{base\_score} tool} + \includegraphics[width=1.00\linewidth]{pics/decaying-basescore.png} +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: simulation tool} + \includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png} +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: \texttt{Event/view}} + \includegraphics[width=1.00\linewidth]{pics/decaying-event.png} +\end{frame} + +\begin{frame}[fragile] + \frametitle{Implementation in MISP: API (1)} + \texttt{/attributes/restSearch} + \begin{lstlisting} +{ + "includeDecayScore": 1, + "includeFullModel": 0, + "excludeDecayed": 0, + "decayingModel": [85], + "modelOverrides": { + "threshold": 30 + } + "score": 30, +} + \end{lstlisting} +\end{frame} + +\begin{frame}[fragile] + \frametitle{Implementation in MISP: API (2)} + \texttt{/attributes/restSearch} + \begin{lstlisting} +"Attribute": [ + { + "category": "Network activity", + "type": "ip-src", + "to_ids": true, + "timestamp": "1565703507", + [...] + "value": "8.8.8.8", + "decay_score": [ + { + "score": 54.475223849544456, + "decayed": false, + "DecayingModel": { + "id": "85", + "name": "NIDS Simple Decaying Model" + } + } + ], +[...] 
+ \end{lstlisting} +\end{frame} + +\begin{frame} + \frametitle{Creating a new decay algorithm (1)} + The current architecture allows users to create their \textbf{own} formulae. + + \begin{itemize} + \item Create a new file \texttt{{\$}filename} in \texttt{app/Model/DecayingModelsFormulas/} + \item Extend the Base class as defined in \texttt{DecayingModelBase} + \item Implement the two mandatory functions \texttt{computeScore} and \texttt{isDecayed} using your own formula/algorithm + \item Create a Model and set the formula field to \texttt{{\$}filename} + \end{itemize} +\end{frame} + + +\begin{frame}[fragile] + \frametitle{Creating a new decay algorithm (2)} + \lstset{basicstyle=\scriptsize} + \begin{lstlisting} + + \end{lstlisting} \end{frame} diff --git a/a.5-decaying-indicators/pics/bs-computation-steps.png b/a.5-decaying-indicators/pics/bs-computation-steps.png new file mode 100644 index 0000000..1348f49 Binary files /dev/null and b/a.5-decaying-indicators/pics/bs-computation-steps.png differ diff --git a/a.5-decaying-indicators/pics/decaying-basescore.png b/a.5-decaying-indicators/pics/decaying-basescore.png new file mode 100644 index 0000000..d21e261 Binary files /dev/null and b/a.5-decaying-indicators/pics/decaying-basescore.png differ diff --git a/a.5-decaying-indicators/pics/decaying-event.png b/a.5-decaying-indicators/pics/decaying-event.png new file mode 100644 index 0000000..553b9e7 Binary files /dev/null and b/a.5-decaying-indicators/pics/decaying-event.png differ diff --git a/a.5-decaying-indicators/pics/decaying-index.png b/a.5-decaying-indicators/pics/decaying-index.png new file mode 100644 index 0000000..c8c9754 Binary files /dev/null and b/a.5-decaying-indicators/pics/decaying-index.png differ diff --git a/a.5-decaying-indicators/pics/decaying-simulation.png b/a.5-decaying-indicators/pics/decaying-simulation.png new file mode 100644 index 0000000..8252a09 Binary files /dev/null and b/a.5-decaying-indicators/pics/decaying-simulation.png differ 
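Review bot: The `restSearch` request body in the "API (1)" listing is not valid JSON: the `}` closing `"modelOverrides"` is not followed by a comma and `"score": 30,` leaves a trailing comma before the final `}`, so anyone pasting the example into a client gets a parse error; `},` and `"score": 30` fix it. In the "Our solution" frame the interval `$ \in [0, +\infty $` is missing its closing `)`, and several new titles and bullets carry typos (`toghether`, `decayin rate`, `algorythm`). The reused formula makes `score` negative once `t` exceeds `\tau_a`, which contradicts the stated range `[0, +\infty)`; the "putting it all together" frame should say what happens in that case (for instance whether the score is clamped to 0 or the attribute is simply reported as decayed), since the slides as written do not. The new display formulas use plain-TeX `$$ ... $$`; `\[ ... \]` gives correct spacing, and writing `base\_score` as `\texttt{base\_score}` in the last formula would match the notation introduced two frames earlier instead of typesetting it as a product of italic letters. The `lstlisting` in "Creating a new decay algorithm (2)" appears empty in this view; if that is how it was committed, the slide promises an example it does not show.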
diff --git a/a.5-decaying-indicators/pics/decaying-tool.png b/a.5-decaying-indicators/pics/decaying-tool.png
new file mode 100644
index 0000000..ff8c298
Binary files /dev/null and b/a.5-decaying-indicators/pics/decaying-tool.png differ
diff --git a/a.5-decaying-indicators/pics/sightings.png b/a.5-decaying-indicators/pics/sightings.png
new file mode 100644
index 0000000..6755a72
Binary files /dev/null and b/a.5-decaying-indicators/pics/sightings.png differ
diff --git a/a.5-decaying-indicators/pics/taxonomies.png b/a.5-decaying-indicators/pics/taxonomies.png
new file mode 100644
index 0000000..e4ae126
Binary files /dev/null and b/a.5-decaying-indicators/pics/taxonomies.png differ
diff --git a/a.5-decaying-indicators/pics/taxonomy-admiralty-scale.png b/a.5-decaying-indicators/pics/taxonomy-admiralty-scale.png
new file mode 100644
index 0000000..f243528
Binary files /dev/null and b/a.5-decaying-indicators/pics/taxonomy-admiralty-scale.png differ
diff --git a/includes/agenda.txt b/includes/agenda.txt
index 9192c0e..0cd55e0 100644
--- a/includes/agenda.txt
+++ b/includes/agenda.txt
@@ -1,8 +1,6 @@
 \begin{itemize}
- \item (11:45 - 12:45) Introduction to Information Sharing with MISP
- \item (12:45 - 13:15) User perspective - diving into MISP functionalities and integration
- \item (13:15 - 14:30) Lunch Break
- \item (14:30 - 16:00) Admin perspective - Figuring out the health of your MISP instance.
- \item (16:45 - 17:45) Building your information sharing communities
- \item (17:45 - 18:15) Future - Sharing Ideas
+ \item (10:00 - 12:30) Introduction to Information Sharing with MISP
+ \item (12:30 - 13:30) Lunch Break
+ \item (13:30 - 15:30) User perspective - diving into MISP functionalities and integration
+ \item (15:45 - 17:00) Admin perspective - Figuring out the health of your MISP instance.
 \end{itemize}
diff --git a/includes/location.txt b/includes/location.txt
index f2e9398..15c94fa 100644
--- a/includes/location.txt
+++ b/includes/location.txt
@@ -1 +1 @@
-MISP Training @ FIRST.org 2019 \\ \small{20190617}
+MISP Training @ SPCSS - Prague 2019 \\ \small{20190917}