diff --git a/a.5-bis-decaying-indicators-light-version/content.tex b/a.5-bis-decaying-indicators-light-version/content.tex
new file mode 100644
index 0000000..5841f34
--- /dev/null
+++ b/a.5-bis-decaying-indicators-light-version/content.tex
@@ -0,0 +1,325 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\section{Expiring IOCs: Why and How?}
+\begin{frame}[fragile]
+\frametitle{Indicators - Problem Statement}
+ \begin{itemize}
+ \item {\bf Sharing information} about threats {\bf is crucial}
+ \item Organisations are sharing more and more
+ \end{itemize}
+ \vspace{1em}
+
+ Contribution by {\bf unique organisation} (\texttt{Orgc.name}) on MISPPriv:\\
+ \vspace{1em}
+ \begin{minipage}{0.45\textwidth}
+ \begin{tabular}{ll}
+ \hline
+ Date & Unique Org \\
+ \hline
+ 2013 & 17 \\
+ 2014 & 43 \\
+ 2015 & 82 \\
+ 2016 & 105 \\
+ 2017 & 118 \\
+ 2018 & 125 \\
+ 2019-10 & 135 \\
+ \hline
+ \end{tabular}
+ \vspace{0.5em}
+ \end{minipage}
+ \begin{minipage}{0.5\textwidth}
+ \begin{lstlisting}
+{
+ "distribution": [1, 2, 3]
+}\end{lstlisting}
+ \end{minipage}
+
+\end{frame}
+
+\begin{frame}
+\frametitle{Indicators - Problem Statement}
+ \begin{itemize}
+ \item Various users and organisations can share data via MISP, multiple parties can be involved
+ \begin{itemize}
+ \item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues
+ \item Each user/organisation has \textbf{different use-cases} and interests
+ \begin{itemize}
+ \item Conflicting interests such as operational security, attribution,... 
(depends on the user)
+ \end{itemize}
+ \end{itemize}
+ \item[] $\rightarrow$ Can be partially solved with \textit{Taxonomies}
+ \pause
+ \vspace{0.5cm}
+ \item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV})
+ \begin{itemize}
+ \item Partial info about their \textbf{freshness} (\textit{Sightings})
+ \item Partial info about their \textbf{validity} (last update)
+ \end{itemize}
+ \item[] $\rightarrow$ Can be partially solved with our \textit{Decaying model}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Requirements to enjoy the decaying feature in MISP}
+ \begin{itemize}
+ \item Starting from \textbf{MISP 2.4.116}, the decaying feature is available
+ \item Don't forget to update the decay models and enable the ones you want
+ \item The decaying feature has no impact on the information in MISP, it's just an overlay to be used in the user-interface and API
+ \item Decay strongly relies on \textit{Taxonomies} and \textit{Sightings}, don't forget to review their configuration
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{\textit{Sightings} - Refresher}
+ \textit{Sightings} add temporal context to indicators.
+ A user, script or an IDS can extend the information related to indicators by reporting back to MISP that
+ an indicator has been \texttt{seen}, or that an indicator can be considered as a \texttt{false-positive}
+ \vspace{0.5cm}
+ \begin{itemize}
+ \item \textit{Sightings} give more credibility/visibility to indicators
+ \item This information can be used to {\bf prioritise and decay indicators}
+ \end{itemize}
+ \begin{center}
+ \includegraphics[scale=1.00]{pics/sightings.png}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+\frametitle{Organisations opt-in - setting a level of confidence}
+ MISP is a peer-to-peer system, information passes through multiple instances.
+ \begin{itemize}
+ \item \textbf{Producers can add context} (such as tags from \textit{Taxonomies}, \textit{Galaxies}) about their asserted confidence or the reliability of the data
+ \item Consumers can have \textbf{different levels of trust} in the producers and/or analysts themselves
+ \item Users might have other contextual needs
+ \end{itemize}
+ \begin{center}
+ $\rightarrow$ Achieved thanks to \textit{Taxonomies}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Taxonomies - Refresher (1)}
+ \includegraphics[width=1.00\linewidth]{pics/taxonomies.png}
+ \begin{itemize}
+ \item Tagging is a simple way to attach a classification to an \textit{Event} or an \textit{Attribute}
+ \item Classification must be globally used to be efficient
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Taxonomies - Refresher (2)}
+ \includegraphics[width=1.00\linewidth]{pics/taxonomy-admiralty-scale.png}
+ \begin{center}
+ $\rightarrow$ Cherry-pick allowed \textit{Tags}
+ \end{center}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Taxonomies - Refresher (3)}
+ \begin{itemize}
+ \item Some taxonomies have \texttt{numerical\_value}
+ \begin{itemize}
+ \item[$\rightarrow$] Can be used to prioritise \textit{Attributes}
+ \end{itemize}
+ \end{itemize}
+ \vspace{1cm}
+
+ \begin{footnotesize}
+ \begin{columns}[T] % align columns
+ \begin{column}{.40\textwidth}
+ \begin{tabular}{|ll|}
+ \hline
+ \textbf{Description} & \textbf{Value}\\
+ \hline
+ Completely reliable & 100\\
+ Usually reliable & 75\\
+ Fairly reliable & 50\\
+ Not usually reliable & 25\\
+ Unreliable & 0\\
+ Reliability cannot be judged & 50 \textbf{\color{red}?}\\
+ Deliberatly deceptive & 0 \textbf{\color{red}?}\\
+ \hline
+ \end{tabular}
+ \end{column}%
+ \hfill%
+ \begin{column}{.48\textwidth}
+ \begin{tabular}{|ll|}
+ \hline
+ \textbf{Description} & \textbf{Value}\\
+ \hline
+ Confirmed by other sources & 100\\
+ Probably true & 75\\
+ Possibly true & 50\\
+ Doubtful & 25\\
+ Improbable & 0\\
+ Truth 
cannot be judged & 50 \textbf{\color{red}?}\\
+ \hline
+ \end{tabular}
+ \end{column}%
+ \end{columns}
+ \end{footnotesize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Scoring Indicators: Our solution}
+ $$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
+ Where,\vspace{0.5cm}
+ \begin{itemize}
+ \item \texttt{score} $ \in [0, +\infty $
+ \item \texttt{base\_score} $ \in [0, 100] $
+ \item \texttt{decay} is a function defined by model's parameters controlling decay speed
+ \item \texttt{Attribute} Contains \textit{Attribute}'s values and metadata {\scriptsize (\textit{Taxonomies}, \textit{Galaxies}, ...)}
+ \item \texttt{Model} Contains the \textit{Model}'s configuration
+ \end{itemize}
+
+\end{frame}
+
+\section{Current implementation in MISP}
+\begin{frame}
+ \frametitle{Implementation in MISP: \texttt{Event/view}}
+ \includegraphics[width=1.00\linewidth]{pics/decaying-event.png}
+ \begin{itemize}
+ \item \texttt{Decay score} toggle button
+ \begin{itemize}
+ \item Shows Score for each \textit{Models} associated to the \textit{Attribute} type
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Implementation in MISP: API result}
+ \texttt{/attributes/restSearch}
+ \begin{lstlisting}
+"Attribute": [
+ {
+ "category": "Network activity",
+ "type": "ip-src",
+ "to_ids": true,
+ "timestamp": "1565703507",
+ [...]
+ "value": "8.8.8.8",
+ "decay_score": [
+ {
+ "score": 54.475223849544456,
+ "decayed": false,
+ "DecayingModel": {
+ "id": "85",
+ "name": "NIDS Simple Decaying Model"
+ }
+ }
+ ],
+[...]
+ \end{lstlisting}
+\end{frame}
+
+\begin{frame}
+\frametitle{Implementation in MISP: Objectives}
+ \begin{itemize}
+ \item \textbf{Automatic scoring} based on default values
+ \item \textbf{User-friendly UI} to manually set \textit{Model} configuration (lifetime, decay, etc.) 
+ \item \textbf{Simulation} tool
+ \item Interaction through the \textbf{API}
+ \item Opportunity to create your \textbf{own} formula or algorythm
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Implementation in MISP: Models definition}
+ \hspace{190pt}
+ \raisebox{-1.0ex}{\Large $\Rsh$} {\tiny $score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau} \right)^{\frac{1}{\delta}} \right) $}
+ \textit{Models} are an instanciation of the formula where elements can be defined:
+ \begin{itemize}
+ \item Parameters: \texttt{lifetime, decay\_rate, threshold}
+ \item \texttt{base\_score}
+ \item \texttt{default base\_score}
+ \item formula
+ \item associate \textit{Attribute} types
+ \item creator organisation
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Implementation in MISP: Models Types}
+ Multiple model types are available
+ \begin{itemize}
+ \item \textbf{Default Models}: Models created and shared by the community. Available from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}. 
+ \begin{itemize}
+ \item $\rightarrow$ Not editable
+ \end{itemize}
+ \item \textbf{Organisation Models}: Models created by a user belonging to an organisation
+ \begin{itemize}
+ \item These models can be hidden or shared to other organisation
+ \item $\rightarrow$ Editable
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Implementation in MISP: Index}
+ \includegraphics[width=1.00\linewidth]{pics/decaying-index.png}
+ View, update, add, create, delete, enable, export, import
+\end{frame}
+
+\begin{frame}
+ \frametitle{Implementation in MISP: Fine tuning tool}
+ \includegraphics[width=1.00\linewidth]{pics/decaying-tool.png}
+ Create, modify, visualise, perform mapping
+\end{frame}
+
+\begin{frame}
+ \frametitle{Implementation in MISP: \texttt{base\_score} tool}
+ \includegraphics[width=1.00\linewidth]{pics/decaying-basescore.png}
+ Adjust Taxonomies relative weights
+\end{frame}
+
+\begin{frame}
+ \frametitle{Implementation in MISP: simulation tool}
+ \includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png}
+ Simulate \textit{Attributes} with different \textit{Models}
+\end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Implementation in MISP: API query body}
+ \texttt{/attributes/restSearch}
+ \begin{lstlisting}
+{
+ "includeDecayScore": 1,
+ "includeFullModel": 0,
+ "excludeDecayed": 0,
+ "decayingModel": [85],
+ "modelOverrides": {
+ "threshold": 30
+ }
+ "score": 30,
+}
+ \end{lstlisting}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Decaying Models 2.0}
+ \begin{itemize}
+ \item Improved support of \textit{Sightings}
+ \begin{itemize}
+ \item \texttt{False positive} \textit{Sightings} should somehow reduce the score
+ \item \texttt{Expiration} \textit{Sightings} should mark the attribute as decayed
+ \end{itemize}
+ \item Potential \textit{Model} improvements
+ \begin{itemize}
+ \item Instead of resetting the score to \texttt{base\_score} once a \textit{Sighting} is set, the score should be increased additively (based on 
a defined coefficient); thus \textbf{prioritizing surges} rather than infrequent \textit{Sightings}
+ \item Take into account related \textit{Tags} or \textit{Correlations} when computing score
+ \end{itemize}
+ \item Increase \textit{Taxonomy} coverage
+ \begin{itemize}
+ \item Users should be able to manually override the \texttt{numerical\_value} of \textit{Tags}
+ \end{itemize}
+ \item For specific type, take into account data from other services
+ \begin{itemize}
+ \item Could fetch data from \textit{BGP ranking}, \textit{Virus Total}, \textit{Passive X} for IP/domain/... and adapt the score
+ \end{itemize}
+ \end{itemize}
+\end{frame}
diff --git a/a.5-bis-decaying-indicators-light-version/makefile b/a.5-bis-decaying-indicators-light-version/makefile
new file mode 100644
index 0000000..7d859a1
--- /dev/null
+++ b/a.5-bis-decaying-indicators-light-version/makefile
@@ -0,0 +1,2 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error circl-introduction.tex
diff --git a/a.5-bis-decaying-indicators-light-version/misp.pdf b/a.5-bis-decaying-indicators-light-version/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/a.5-bis-decaying-indicators-light-version/misp.pdf differ
diff --git a/a.5-bis-decaying-indicators-light-version/pics/bs-computation-steps.png b/a.5-bis-decaying-indicators-light-version/pics/bs-computation-steps.png
new file mode 100644
index 0000000..1348f49
Binary files /dev/null and b/a.5-bis-decaying-indicators-light-version/pics/bs-computation-steps.png differ
diff --git a/a.5-bis-decaying-indicators-light-version/pics/decaying-basescore.png b/a.5-bis-decaying-indicators-light-version/pics/decaying-basescore.png
new file mode 100644
index 0000000..d21e261
Binary files /dev/null and b/a.5-bis-decaying-indicators-light-version/pics/decaying-basescore.png differ
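Review bot: The request body in the "API query body" frame is not valid JSON: the closing `}` of `modelOverrides` has no comma before `"score"`, and `"score": 30,` leaves a trailing comma before the final brace, so anyone pasting it into a `/attributes/restSearch` call gets a parse error instead of decay scores. I would write those two lines as `},` and `"score": 30`. In the "Scoring Indicators" frame the interval `$ \in [0, +\infty $` is never closed; `$ \in [0, +\infty) $` reads as intended. The requirements frame says decay is only an overlay, so it is worth adding an item that says so in operational terms: as far as these slides show, a decayed attribute stays in MISP unchanged and is only left out when the query asks for it (the body here sends `"excludeDecayed": 0`), otherwise readers may assume expired indicators stop reaching their detection tooling on their own.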
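Review bot: The `all` recipe compiles `circl-introduction.tex`, but the only main file this commit adds to the directory is `slide.tex`, so `make` run here would stop on a missing input unless that file exists outside what the diff shows. The recipe line should name the deck that is actually present: `pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex`.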
diff --git a/a.5-bis-decaying-indicators-light-version/pics/decaying-event.png b/a.5-bis-decaying-indicators-light-version/pics/decaying-event.png
new file mode 100644
index 0000000..553b9e7
Binary files /dev/null and b/a.5-bis-decaying-indicators-light-version/pics/decaying-event.png differ
diff --git a/a.5-bis-decaying-indicators-light-version/pics/decaying-index.png b/a.5-bis-decaying-indicators-light-version/pics/decaying-index.png
new file mode 100644
index 0000000..c8c9754
Binary files /dev/null and b/a.5-bis-decaying-indicators-light-version/pics/decaying-index.png differ
diff --git a/a.5-bis-decaying-indicators-light-version/pics/decaying-simulation.png b/a.5-bis-decaying-indicators-light-version/pics/decaying-simulation.png
new file mode 100644
index 0000000..8252a09
Binary files /dev/null and b/a.5-bis-decaying-indicators-light-version/pics/decaying-simulation.png differ
diff --git a/a.5-bis-decaying-indicators-light-version/pics/decaying-tool.png b/a.5-bis-decaying-indicators-light-version/pics/decaying-tool.png
new file mode 100644
index 0000000..ff8c298
Binary files /dev/null and b/a.5-bis-decaying-indicators-light-version/pics/decaying-tool.png differ
diff --git a/a.5-bis-decaying-indicators-light-version/pics/param-ui.png b/a.5-bis-decaying-indicators-light-version/pics/param-ui.png
new file mode 100644
index 0000000..7c5ff8a
Binary files /dev/null and b/a.5-bis-decaying-indicators-light-version/pics/param-ui.png differ
diff --git a/a.5-bis-decaying-indicators-light-version/pics/sightings.png b/a.5-bis-decaying-indicators-light-version/pics/sightings.png
new file mode 100644
index 0000000..6755a72
Binary files /dev/null and b/a.5-bis-decaying-indicators-light-version/pics/sightings.png differ
diff --git a/a.5-bis-decaying-indicators-light-version/pics/taxonomies.png b/a.5-bis-decaying-indicators-light-version/pics/taxonomies.png
new file mode 100644
index 0000000..e4ae126
Binary files /dev/null and b/a.5-bis-decaying-indicators-light-version/pics/taxonomies.png differ
diff --git a/a.5-bis-decaying-indicators-light-version/pics/taxonomy-admiralty-scale.png b/a.5-bis-decaying-indicators-light-version/pics/taxonomy-admiralty-scale.png
new file mode 100644
index 0000000..f243528
Binary files /dev/null and b/a.5-bis-decaying-indicators-light-version/pics/taxonomy-admiralty-scale.png differ
diff --git a/a.5-bis-decaying-indicators-light-version/slide.tex b/a.5-bis-decaying-indicators-light-version/slide.tex
new file mode 100644
index 0000000..dda0832
--- /dev/null
+++ b/a.5-bis-decaying-indicators-light-version/slide.tex
@@ -0,0 +1,143 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8x]{inputenc}
+\usepackage{listings}
+\usepackage{soul}
+\usepackage{siunitx}
+\usepackage{booktabs}
+%\lstset{
+% backgroundcolor=\color{white}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}
+% basicstyle=\footnotesize, % the size of the fonts that are used for the code
+% breakatwhitespace=false
+%}
+
+\usepackage{tikz}
+\usetikzlibrary{shapes,snakes,automata,positioning}
+
+\usepackage{xcolor}
+\usepackage{colortbl}
+\definecolor{mygreen}{rgb}{0,0.6,0}
+\definecolor{mygreen2}{rgb}{0,0.56,0.16}
+\definecolor{myred}{rgb}{0.6,0.066,0.066}
+\definecolor{redCIRCL}{RGB}{213,43,30}
+\definecolor{mygray}{rgb}{0.5,0.5,0.5}
+\definecolor{mymauve}{rgb}{0.58,0,0.82}
+\definecolor{mygray}{gray}{0.9}
+\definecolor{mywhite}{rgb}{1,1,1}
+\definecolor{myblack}{rgb}{0,0,0}
+\definecolor{mybeige}{HTML}{eeeeee}
+%\usepackage{tcolorbox}
+\usepackage[listings]{tcolorbox}
+\tcbuselibrary{listings}
+
+\lstdefinestyle{code}{ %
+ backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+ basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
+ breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+ breaklines=true, % sets automatic line breaking
+ captionpos=b, % sets the caption-position to bottom
+ commentstyle=\color{mygreen}, % comment style
+ deletekeywords={...}, % if you want to delete keywords from the given language
+ escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+ extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+ frame=single, % adds a frame around the code
+ keepspaces=true, % 
keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+ keywordstyle=\color{blue}, % keyword style
+ language=Python, % the language of the code
+ morekeywords={*,...}, % if you want to add more keywords to the set
+ numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+ numbersep=5pt, % how far the line-numbers are from the code
+ numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
+ rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+ showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+ showstringspaces=false, % underline spaces within strings only
+ showtabs=false, % show tabs within strings adding particular underscores
+ stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+ stringstyle=\color{mymauve}, % string literal style
+ tabsize=2, % sets default tabsize to 2 spaces
+ title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstdefinestyle{bash}{ %
+ backgroundcolor=\color{black!85}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+ basicstyle=\footnotesize\color{mywhite}, % the size of the fonts that are used for the code
+ breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+ breaklines=true, % sets automatic line breaking
+ captionpos=b, % sets the caption-position to bottom
+ commentstyle=\color{mygreen}, % comment style
+ deletekeywords={...}, % if you want to delete keywords from the given language
+ escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+ extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+ frame=single % adds a frame around the 
code
+ keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+ keywordstyle=\color{white}\bfseries, % keyword style
+ language=bash, % the language of the code
+ morekeywords={*,$,git, clone,... }, % if you want to add more keywords to the set
+ numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+ numbersep=5pt, % how far the line-numbers are from the code
+ numberstyle=\tiny\color{mywhite}, % the style that is used for the line-numbers
+ rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+ showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+ showstringspaces=false, % underline spaces within strings only
+ showtabs=false, % show tabs within strings adding particular underscores
+ stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+ stringstyle=\color{mymauve}, % string literal style
+ tabsize=2, % sets default tabsize to 2 spaces
+ title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstdefinestyle{default}{ %
+ backgroundcolor=\color{white}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+ basicstyle=\footnotesize\color{black}, % the size of the fonts that are used for the code
+ breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+ breaklines=true, % sets automatic line breaking
+ captionpos=b, % sets the caption-position to bottom
+ commentstyle=\color{mygreen}, % comment style
+ deletekeywords={...}, % if you want to delete keywords from the given language
+ escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+ extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with 
UTF-8
+ frame=single % adds a frame around the code
+ keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+ keywordstyle=\color{white}\bfseries, % keyword style
+ language=bash, % the language of the code
+ morekeywords={*,$,git, clone,... }, % if you want to add more keywords to the set
+ numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+ numbersep=5pt, % how far the line-numbers are from the code
+ numberstyle=\tiny\color{black}, % the style that is used for the line-numbers
+ rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+ showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+ showstringspaces=false, % underline spaces within strings only
+ showtabs=false, % show tabs within strings adding particular underscores
+ stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+ stringstyle=\color{mymauve}, % string literal style
+ tabsize=2, % sets default tabsize to 2 spaces
+ title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstset{style=code}
+
+
+\AtBeginSection[]{
+ \begin{frame}
+ \vfill
+ \centering
+ \begin{beamercolorbox}[sep=8pt,center,shadow=true,rounded=true]{title}
+ {\color{white} \usebeamerfont{title}\insertsectionhead}\par%
+ \end{beamercolorbox}
+ \vfill
+ \end{frame}
+}
+
+\author{\small{Team CIRCL}}
+
+\title{MISP and Decaying of Indicators}
+\subtitle{Primer for indicator scoring in MISP}
+\institute{info@circl.lu}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+\date{\today}
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/a.5-decaying-indicators/content.tex b/a.5-decaying-indicators/content.tex
index 0293fa7..815d0b0 100644
--- a/a.5-decaying-indicators/content.tex
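Review bot: In the `bash` and `default` listing styles, `frame=single` has lost its trailing comma, so the `keepspaces=true` on the next line is read as part of the frame value; it goes unnoticed only because `\lstset{style=code}` is the one style applied. Change both lines to `frame=single,`, as the `code` style already has it. Two smaller preamble points: `mygray` is defined twice and the later `\definecolor{mygray}{gray}{0.9}` silently wins, and `\usepackage[utf8x]{inputenc}` depends on the unmaintained `ucs` package where `\usepackage[utf8]{inputenc}` would do.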
+++ b/a.5-decaying-indicators/content.tex @@ -6,6 +6,41 @@ \end{frame} \section{Expiring IOCs: Why and How?} +\begin{frame}[fragile] +\frametitle{Indicators - Problem Statement} + \begin{itemize} + \item {\bf Sharing information} about threats {\bf is crucial} + \item Organisations are sharing more and more + \end{itemize} + \vspace{1em} + + Contribution by {\bf unique organisation} (\texttt{Orgc.name}) on MISPPriv:\\ + \vspace{1em} + \begin{minipage}{0.45\textwidth} + \begin{tabular}{ll} + \hline + Date & Unique Org \\ + \hline + 2013 & 17 \\ + 2014 & 43 \\ + 2015 & 82 \\ + 2016 & 105 \\ + 2017 & 118 \\ + 2018 & 125 \\ + 2019-10 & 135 \\ + \hline + \end{tabular} + \vspace{0.5em} + \end{minipage} + \begin{minipage}{0.5\textwidth} + \begin{lstlisting} +{ + "distribution": [1, 2, 3] +}\end{lstlisting} + \end{minipage} + +\end{frame} + \begin{frame} \frametitle{Indicators - Problem Statement} \begin{itemize} @@ -215,6 +250,7 @@ Current implentation ignores \texttt{source\_confidence}: $$\rightarrow \texttt{base\_score} = tags$$ \includegraphics[width=1.0\linewidth]{pics/bs-computation-steps.png} + $\rightarrow$ The \texttt{base\_score} can be use to prioritize attribute based on their attached context and source \end{frame} \begin{frame} diff --git a/build.sh b/build.sh index 9169e57..bd8d32a 100755 --- a/build.sh +++ b/build.sh 
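Review bot: The sentence added under the `bs-computation-steps.png` figure says `base_score` prioritises by "context and source", yet the lines just above it in the same frame state that the current implementation ignores `source_confidence` and that `base_score` comes from tags alone. Unless "source" is meant as the source-reliability tags, readers will overestimate what the score reflects when they use it to rank indicators. I would word it `$\rightarrow$ The \texttt{base\_score} can be used to prioritise \textit{Attributes} based on the tags attached to them`, which also fixes "can be use". The frame begins outside the hunk.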
@@ -1,7 +1,7 @@ #!/bin/bash # -slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed" "a.4-best-practices" "a.5-decaying-indicators" "a.6-forensic" "a.7-rest-API" "b.1-best-practices-in-threat-intelligence" "a.8-dev-hands-on") +slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed" "a.4-best-practices" "a.5-decaying-indicators" "a.5-bis-decaying-indicators-light-version" "a.6-forensic" "a.7-rest-API" "b.1-best-practices-in-threat-intelligence" "a.8-dev-hands-on") mkdir output export TEXINPUTS=::`pwd`/themes/ echo ${TEXINPUTS}