chg: [decaying] Updated slides to match the current MISP implementation

a.5-decaying-indicators/content.tex

@@ -9,16 +9,16 @@
 \frametitle{Indicators - Problem Statement}
     \begin{itemize}
             \item Various users and organisations can share data via MISP, multiple parties can be involved
-        \begin{itemize}
+            \begin{itemize}
-            \item Trust, data quality and time-to-live issues
+                \item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues
-            \item Each user/organisation has different use-cases and interests
+                \item Each user/organisation has \textbf{different use-cases} and interests
-        \end{itemize}
+            \end{itemize}
         \vspace{0.5cm}
-        \item Attributes can be shared in large quantities (more than 1.3 million on \texttt{MISPPRIV})
+        \item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV})
         \begin{itemize}
             \item Partial info about their validity (sightings)
             \item Partial info about their freshness (last update)
-            \item Varius conflicting interests such as operational security, attribution, source reliability evaluation...
+            \item Varius conflicting interests such as operational security, attribution, source reliability evaluation... (depends on the user)
         \end{itemize}
     \end{itemize}
 \end{frame}
@@ -33,17 +33,42 @@
         \item Sightings give more credibility/visibility to indicators
         \item This information can be used to {\bf prioritise and decay indicators}
     \end{itemize}
+    \begin{center}
+        \includegraphics[scale=1.00]{pics/sightings.png}
+    \end{center}
 \end{frame}
 
 \begin{frame}
 \frametitle{Organisations opt-in - setting a level of confidence}
     MISP is a peer-to-peer system, information passes through multiple instances.
     \begin{itemize}
-            \item Producers can add context (such as tags from taxonomies, galaxies) about their asserted confidence or the reliability of the data
+        \item Producers can add context (such as tags from taxonomies, galaxies) about their asserted confidence or the reliability of the data
         \item Consumers can have different levels of trust in the producers and/or analysts themselves
+        \item Users might have other contextual needs
     \end{itemize}
+\end{frame}
 
-    \begin{small}
+\begin{frame}
+    \frametitle{Taxonomies - Refresher (1)}
+    \includegraphics[width=1.00\linewidth]{pics/taxonomies.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Taxonomies - Refresher (2)}
+    \includegraphics[width=1.00\linewidth]{pics/taxonomy-admiralty-scale.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Taxonomies - Refresher (3)}
+    \begin{itemize}
+        \item Some taxonomies have \texttt{numerical\_value}
+        \begin{itemize}
+            \item[$\rightarrow$] Can be used to prioritise \textit{Attributes}
+        \end{itemize}
+    \end{itemize}
+    \vspace{1cm}
+
+    \begin{footnotesize}
     \begin{columns}[T] % align columns
     \begin{column}{.40\textwidth}
         \begin{tabular}{|ll|}
@@ -56,7 +81,7 @@
             Not usually reliable & 25\\
             Unreliable & 0\\
             Reliability cannot be judged & 50\\
-            Deliberatly deceptive & 0\\
+            Deliberatly deceptive & 0 \textbf{\color{red}?}\\
             \hline
         \end{tabular}
     \end{column}%
@@ -71,47 +96,190 @@
             Possibly true & 50\\
             Doubtful & 25\\
             Improbable & 0\\
-            Truth cannot be judged & 50\\
+            Truth cannot be judged & 50 \textbf{\color{red}?}\\
             \hline
         \end{tabular}
     \end{column}%
     \end{columns}
-    \end{small}
+    \end{footnotesize}
 \end{frame}
 
 \begin{frame}
-        \frametitle{Scoring Indicators 1/2}
+    \frametitle{Scoring Indicators: Our solution}
+    $$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model}) $$
+    Where,\vspace{0.5cm}
+    \begin{itemize}
+        \item \texttt{score} $ \in [0, +\infty $
+        \item \texttt{base\_score} $ \in [0, 100] $
+        \item \texttt{decay} is a function defined by model's parameters controlling decay speed
+    \end{itemize}
+    
+\end{frame}
+
+\begin{frame}
+    \frametitle{Scoring Indicators: \texttt{base\_score} (1)}
         When scoring indicators\footnote{Paper available: \url{https://arxiv.org/pdf/1803.11052}}, multiple parameters\footnote{at a variable extent as required} can be taken into account. The {\bf base score} is calculated with the following in mind:
     \begin{itemize}
-        \item The reliability in the producer
+        \item {\color{purple}Data reliability, credibility, analyst skills, custom prioritisation tags (economical-impact), etc.}
-        \item The trust in the data as signaled by the producer
+        \item {\color{orange}Trust in the source}
-        $$base\_score = weigth_{tg} \cdot tags + \omega_{sc} \cdot source\_confidence$$
     \end{itemize}
+    \vspace{0.5cm}
+    $$\texttt{base\_score} = \omega_{tg} \cdot {\color{purple}tags} + \omega_{sc} \cdot {\color{orange}source\_confidence}$$
 \end{frame}
 
 \begin{frame}
-        \frametitle{Scoring Indicators 2/2}
+    \frametitle{Scoring Indicators: \texttt{base\_score} (2)}
-        The weighted score is calculated using:
+    \includegraphics[width=1.0\linewidth]{pics/bs-computation-steps.png}
-        \begin{itemize}
-        \item The lifetime of the indicator (e.g. IP address vs hash value of a file)
-            \begin{itemize}
-                \item The lifespan of the indicator (short for an IP - long for an hash): $\tau$
-                \item The decay rate $\rightarrow$ Speed at which an attribute loses value: $\delta$
-                \item Weigthed score is reset to its base score as new \texttt{sightings} are received
-            \end{itemize}
-            $$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$
-        \end{itemize}
 \end{frame}
 
 \begin{frame}
-\frametitle{Ongoing Implementation in MISP}
+    \frametitle{Scoring Indicators: decay speed (1)}
-    Setting thresholds and retrieving the information should be simple and straightforward for the user:
+    The \texttt{score} is calculated using:
+   \begin{itemize}
+       \item The \texttt{lifetime} of the indicator (e.g. IP address vs hash value of a file)
+       \begin{itemize}
+           \item The lifespan of the indicator (short for an IP - long for an hash)
+       \end{itemize}
+       \item The \texttt{decay rate}, or speed at which an attribute loses value over time
+   \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Scoring Indicators: putting it all toghether}
+    $\rightarrow$ \texttt{decayin rate} is re-initialized upon sighting addition, or said differently, the \texttt{score} is reset to its base score as new \texttt{sightings} are received.
+    $$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$
+\end{frame}
+
+\begin{frame}
+\frametitle{Implementation in MISP: Playing with Models}
     \begin{itemize}
-        \item Automatic scoring based on default values
+        \item \textbf{Automatic scoring} based on default values
-        \item User-friendly UI to manually set lifetime parameters
+        \item \textbf{User-friendly UI} to manually set lifetime parameters
-        \item Interaction through the API
+        \item \textbf{Simulation} tool
+        \item Interaction through the \textbf{API}
+        \item Opportunity to create your \textbf{own} formula or algorythm
     \end{itemize}
-    \begin{center}
+\end{frame}
-        \includegraphics[scale=0.15]{pics/param-ui.png}
+
-    \end{center}
+\begin{frame}
+    \frametitle{Implementation in MISP: Model Types}
+    Multiple model types are available
+    \begin{itemize}
+        \item Default models: Models created and shared by the community. Available from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}.
+        \begin{itemize}
+            \item $\rightarrow$ Not editable
+        \end{itemize}
+        \item Organisation models: Models created by a user belonging to an organisation
+        \begin{itemize}
+            \item These models can be hidden or shared to other organisation 
+            \item $\rightarrow$ Editable
+        \end{itemize}
+    \end{itemize}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Implementation in MISP: Index}
+    \includegraphics[width=1.00\linewidth]{pics/decaying-index.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Implementation in MISP: Fine tuning tool}
+    \includegraphics[width=1.00\linewidth]{pics/decaying-tool.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Implementation in MISP: \texttt{base\_score} tool}
+    \includegraphics[width=1.00\linewidth]{pics/decaying-basescore.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Implementation in MISP: simulation tool}
+    \includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Implementation in MISP: \texttt{Event/view}}
+    \includegraphics[width=1.00\linewidth]{pics/decaying-event.png}
+\end{frame}
+
+\begin{frame}[fragile]
+    \frametitle{Implementation in MISP: API (1)}
+    \texttt{/attributes/restSearch}
+    \begin{lstlisting}
+{
+    "includeDecayScore": 1,
+    "includeFullModel": 0,
+    "excludeDecayed": 0,
+    "decayingModel": [85],
+    "modelOverrides": {
+        "threshold": 30
+    }
+    "score": 30,
+}
+    \end{lstlisting}
+\end{frame}
+
+\begin{frame}[fragile]
+    \frametitle{Implementation in MISP: API (2)}
+    \texttt{/attributes/restSearch}
+    \begin{lstlisting}
+"Attribute": [
+  {
+    "category": "Network activity",
+    "type": "ip-src",
+    "to_ids": true,
+    "timestamp": "1565703507",
+    [...]
+    "value": "8.8.8.8",
+    "decay_score": [
+      {
+        "score": 54.475223849544456,
+        "decayed": false,
+        "DecayingModel": {
+          "id": "85",
+          "name": "NIDS Simple Decaying Model"
+        }
+      }
+    ],
+[...]
+    \end{lstlisting}
+\end{frame}
+
+\begin{frame}
+    \frametitle{Creating a new decay algorithm (1)}
+    The current architecture allows users to create their \textbf{own} formulae.
+
+    \begin{itemize}
+        \item Create a new file \texttt{{\$}filename} in \texttt{app/Model/DecayingModelsFormulas/}
+        \item Extend the Base class as defined in \texttt{DecayingModelBase}
+        \item Implement the two mandatory functions \texttt{computeScore} and \texttt{isDecayed} using your own formula/algorithm
+        \item Create a Model and set the formula field to \texttt{{\$}filename}
+    \end{itemize}
+\end{frame}
+
+
+\begin{frame}[fragile]
+    \frametitle{Creating a new decay algorithm (2)}
+    \lstset{basicstyle=\scriptsize}
+    \begin{lstlisting}
+<?php
+include_once 'Base.php';
+
+class Polynomial extends DecayingModelBase
+{
+    public const DESCRIPTION = 'The description of your new decaying algorithm';
+
+    public function computeScore($model, $attribute, $base_score, $elapsed_time)
+    {
+       // algorithm returning a numerical score
+    }
+
+    public function isDecayed($model, $attribute, $score)
+    {
+        // algorithm returning a boolean stating
+        // if the attribute is expired or not
+    }
+}
+?>
+    \end{lstlisting}
 \end{frame}

includes/agenda.txt

@@ -1,8 +1,6 @@
 \begin{itemize}
-    \item (11:45 - 12:45) Introduction to Information Sharing with MISP
+    \item (10:00 - 12:30) Introduction to Information Sharing with MISP
-    \item (12:45 - 13:15) User perspective - diving into MISP functionalities and integration
+    \item (12:30 - 13:30) Lunch Break
-    \item (13:15 - 14:30) Lunch Break
+    \item (13:30 - 15:30) User perspective - diving into MISP functionalities and integration
-    \item (14:30 - 16:00) Admin perspective - Figuring out the health of your MISP instance.
+    \item (15:45 - 17:00) Admin perspective - Figuring out the health of your MISP instance.
-    \item (16:45 - 17:45) Building your information sharing communities
-    \item (17:45 - 18:15) Future - Sharing Ideas
 \end{itemize}

includes/location.txt

@@ -1 +1 @@
-MISP Training @ FIRST.org 2019 \\ \small{20190617}
+MISP Training @ SPCSS - Prague 2019 \\ \small{20190917}