new: [decaying] Improved full deck and added a lightweigth slide deck
|
@ -0,0 +1,325 @@
|
||||||
|
% DO NOT COMPILE THIS FILE DIRECTLY!
|
||||||
|
% This is included by the other .tex files.
|
||||||
|
|
||||||
|
\begin{frame}[t,plain]
|
||||||
|
\titlepage
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\section{Expiring IOCs: Why and How?}
|
||||||
|
\begin{frame}[fragile]
|
||||||
|
\frametitle{Indicators - Problem Statement}
|
||||||
|
\begin{itemize}
|
||||||
|
\item {\bf Sharing information} about threats {\bf is crucial}
|
||||||
|
\item Organisations are sharing more and more
|
||||||
|
\end{itemize}
|
||||||
|
\vspace{1em}
|
||||||
|
|
||||||
|
Contribution by {\bf unique organisation} (\texttt{Orgc.name}) on MISPPriv:\\
|
||||||
|
\vspace{1em}
|
||||||
|
\begin{minipage}{0.45\textwidth}
|
||||||
|
\begin{tabular}{ll}
|
||||||
|
\hline
|
||||||
|
Date & Unique Org \\
|
||||||
|
\hline
|
||||||
|
2013 & 17 \\
|
||||||
|
2014 & 43 \\
|
||||||
|
2015 & 82 \\
|
||||||
|
2016 & 105 \\
|
||||||
|
2017 & 118 \\
|
||||||
|
2018 & 125 \\
|
||||||
|
2019-10 & 135 \\
|
||||||
|
\hline
|
||||||
|
\end{tabular}
|
||||||
|
\vspace{0.5em}
|
||||||
|
\end{minipage}
|
||||||
|
\begin{minipage}{0.5\textwidth}
|
||||||
|
\begin{lstlisting}
|
||||||
|
{
|
||||||
|
"distribution": [1, 2, 3]
|
||||||
|
}\end{lstlisting}
|
||||||
|
\end{minipage}
|
||||||
|
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Indicators - Problem Statement}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Various users and organisations can share data via MISP, multiple parties can be involved
|
||||||
|
\begin{itemize}
|
||||||
|
\item \textbf{Trust}, \textbf{data quality} and \textbf{time-to-live} issues
|
||||||
|
\item Each user/organisation has \textbf{different use-cases} and interests
|
||||||
|
\begin{itemize}
|
||||||
|
\item Conflicting interests such as operational security, attribution,... (depends on the user)
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\item[] $\rightarrow$ Can be partially solved with \textit{Taxonomies}
|
||||||
|
\pause
|
||||||
|
\vspace{0.5cm}
|
||||||
|
\item Attributes can be shared in large quantities (more than 7.3 million on \texttt{MISPPRIV})
|
||||||
|
\begin{itemize}
|
||||||
|
\item Partial info about their \textbf{freshness} (\textit{Sightings})
|
||||||
|
\item Partial info about their \textbf{validity} (last update)
|
||||||
|
\end{itemize}
|
||||||
|
\item[] $\rightarrow$ Can be partially solved with our \textit{Decaying model}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Requirements to enjoy the decaying feature in MISP}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Starting from \textbf{MISP 2.4.116}, the decaying feature is available
|
||||||
|
\item Don't forget to update the decay models and enable the ones you want
|
||||||
|
\item The decaying feature has no impact on the information in MISP, it's just an overlay to be used in the user-interface and API
|
||||||
|
\item Decay strongly relies on \textit{Taxonomies} and \textit{Sightings}, don't forget to review their configuration
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{\textit{Sightings} - Refresher}
|
||||||
|
\textit{Sightings} add temporal context to indicators.
|
||||||
|
A user, script or an IDS can extend the information related to indicators by reporting back to MISP that
|
||||||
|
an indicator has been \texttt{seen}, or that an indicator can be considered as a \texttt{false-positive}
|
||||||
|
\vspace{0.5cm}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \textit{Sightings} give more credibility/visibility to indicators
|
||||||
|
\item This information can be used to {\bf prioritise and decay indicators}
|
||||||
|
\end{itemize}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[scale=1.00]{pics/sightings.png}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Organisations opt-in - setting a level of confidence}
|
||||||
|
MISP is a peer-to-peer system, information passes through multiple instances.
|
||||||
|
\begin{itemize}
|
||||||
|
\item \textbf{Producers can add context} (such as tags from \textit{Taxonomies}, \textit{Galaxies}) about their asserted confidence or the reliability of the data
|
||||||
|
\item Consumers can have \textbf{different levels of trust} in the producers and/or analysts themselves
|
||||||
|
\item Users might have other contextual needs
|
||||||
|
\end{itemize}
|
||||||
|
\begin{center}
|
||||||
|
$\rightarrow$ Achieved thanks to \textit{Taxonomies}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Taxonomies - Refresher (1)}
|
||||||
|
\includegraphics[width=1.00\linewidth]{pics/taxonomies.png}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Tagging is a simple way to attach a classification to an \textit{Event} or an \textit{Attribute}
|
||||||
|
\item Classification must be globally used to be efficient
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Taxonomies - Refresher (2)}
|
||||||
|
\includegraphics[width=1.00\linewidth]{pics/taxonomy-admiralty-scale.png}
|
||||||
|
\begin{center}
|
||||||
|
$\rightarrow$ Cherry-pick allowed \textit{Tags}
|
||||||
|
\end{center}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Taxonomies - Refresher (3)}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Some taxonomies have \texttt{numerical\_value}
|
||||||
|
\begin{itemize}
|
||||||
|
\item[$\rightarrow$] Can be used to prioritise \textit{Attributes}
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\vspace{1cm}
|
||||||
|
|
||||||
|
\begin{footnotesize}
|
||||||
|
\begin{columns}[T] % align columns
|
||||||
|
\begin{column}{.40\textwidth}
|
||||||
|
\begin{tabular}{|ll|}
|
||||||
|
\hline
|
||||||
|
\textbf{Description} & \textbf{Value}\\
|
||||||
|
\hline
|
||||||
|
Completely reliable & 100\\
|
||||||
|
Usually reliable & 75\\
|
||||||
|
Fairly reliable & 50\\
|
||||||
|
Not usually reliable & 25\\
|
||||||
|
Unreliable & 0\\
|
||||||
|
Reliability cannot be judged & 50 \textbf{\color{red}?}\\
|
||||||
|
Deliberatly deceptive & 0 \textbf{\color{red}?}\\
|
||||||
|
\hline
|
||||||
|
\end{tabular}
|
||||||
|
\end{column}%
|
||||||
|
\hfill%
|
||||||
|
\begin{column}{.48\textwidth}
|
||||||
|
\begin{tabular}{|ll|}
|
||||||
|
\hline
|
||||||
|
\textbf{Description} & \textbf{Value}\\
|
||||||
|
\hline
|
||||||
|
Confirmed by other sources & 100\\
|
||||||
|
Probably true & 75\\
|
||||||
|
Possibly true & 50\\
|
||||||
|
Doubtful & 25\\
|
||||||
|
Improbable & 0\\
|
||||||
|
Truth cannot be judged & 50 \textbf{\color{red}?}\\
|
||||||
|
\hline
|
||||||
|
\end{tabular}
|
||||||
|
\end{column}%
|
||||||
|
\end{columns}
|
||||||
|
\end{footnotesize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Scoring Indicators: Our solution}
|
||||||
|
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
|
||||||
|
Where,\vspace{0.5cm}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \texttt{score} $ \in [0, +\infty $
|
||||||
|
\item \texttt{base\_score} $ \in [0, 100] $
|
||||||
|
\item \texttt{decay} is a function defined by model's parameters controlling decay speed
|
||||||
|
\item \texttt{Attribute} Contains \textit{Attribute}'s values and metadata {\scriptsize (\textit{Taxonomies}, \textit{Galaxies}, ...)}
|
||||||
|
\item \texttt{Model} Contains the \textit{Model}'s configuration
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\section{Current implementation in MISP}
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Implementation in MISP: \texttt{Event/view}}
|
||||||
|
\includegraphics[width=1.00\linewidth]{pics/decaying-event.png}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \texttt{Decay score} toggle button
|
||||||
|
\begin{itemize}
|
||||||
|
\item Shows Score for each \textit{Models} associated to the \textit{Attribute} type
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}[fragile]
|
||||||
|
\frametitle{Implementation in MISP: API result}
|
||||||
|
\texttt{/attributes/restSearch}
|
||||||
|
\begin{lstlisting}
|
||||||
|
"Attribute": [
|
||||||
|
{
|
||||||
|
"category": "Network activity",
|
||||||
|
"type": "ip-src",
|
||||||
|
"to_ids": true,
|
||||||
|
"timestamp": "1565703507",
|
||||||
|
[...]
|
||||||
|
"value": "8.8.8.8",
|
||||||
|
"decay_score": [
|
||||||
|
{
|
||||||
|
"score": 54.475223849544456,
|
||||||
|
"decayed": false,
|
||||||
|
"DecayingModel": {
|
||||||
|
"id": "85",
|
||||||
|
"name": "NIDS Simple Decaying Model"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[...]
|
||||||
|
\end{lstlisting}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Implementation in MISP: Objectives}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \textbf{Automatic scoring} based on default values
|
||||||
|
\item \textbf{User-friendly UI} to manually set \textit{Model} configuration (lifetime, decay, etc.)
|
||||||
|
\item \textbf{Simulation} tool
|
||||||
|
\item Interaction through the \textbf{API}
|
||||||
|
\item Opportunity to create your \textbf{own} formula or algorythm
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Implementation in MISP: Models definition}
|
||||||
|
\hspace{190pt}
|
||||||
|
\raisebox{-1.0ex}{\Large $\Rsh$} {\tiny $score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau} \right)^{\frac{1}{\delta}} \right) $}
|
||||||
|
\textit{Models} are an instanciation of the formula where elements can be defined:
|
||||||
|
\begin{itemize}
|
||||||
|
\item Parameters: \texttt{lifetime, decay\_rate, threshold}
|
||||||
|
\item \texttt{base\_score}
|
||||||
|
\item \texttt{default base\_score}
|
||||||
|
\item formula
|
||||||
|
\item associate \textit{Attribute} types
|
||||||
|
\item creator organisation
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Implementation in MISP: Models Types}
|
||||||
|
Multiple model types are available
|
||||||
|
\begin{itemize}
|
||||||
|
\item \textbf{Default Models}: Models created and shared by the community. Available from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}.
|
||||||
|
\begin{itemize}
|
||||||
|
\item $\rightarrow$ Not editable
|
||||||
|
\end{itemize}
|
||||||
|
\item \textbf{Organisation Models}: Models created by a user belonging to an organisation
|
||||||
|
\begin{itemize}
|
||||||
|
\item These models can be hidden or shared to other organisation
|
||||||
|
\item $\rightarrow$ Editable
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Implementation in MISP: Index}
|
||||||
|
\includegraphics[width=1.00\linewidth]{pics/decaying-index.png}
|
||||||
|
View, update, add, create, delete, enable, export, import
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Implementation in MISP: Fine tuning tool}
|
||||||
|
\includegraphics[width=1.00\linewidth]{pics/decaying-tool.png}
|
||||||
|
Create, modify, visualise, perform mapping
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Implementation in MISP: \texttt{base\_score} tool}
|
||||||
|
\includegraphics[width=1.00\linewidth]{pics/decaying-basescore.png}
|
||||||
|
Adjust Taxonomies relative weights
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Implementation in MISP: simulation tool}
|
||||||
|
\includegraphics[width=1.00\linewidth]{pics/decaying-simulation.png}
|
||||||
|
Simulate \textit{Attributes} with different \textit{Models}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}[fragile]
|
||||||
|
\frametitle{Implementation in MISP: API query body}
|
||||||
|
\texttt{/attributes/restSearch}
|
||||||
|
\begin{lstlisting}
|
||||||
|
{
|
||||||
|
"includeDecayScore": 1,
|
||||||
|
"includeFullModel": 0,
|
||||||
|
"excludeDecayed": 0,
|
||||||
|
"decayingModel": [85],
|
||||||
|
"modelOverrides": {
|
||||||
|
"threshold": 30
|
||||||
|
}
|
||||||
|
"score": 30,
|
||||||
|
}
|
||||||
|
\end{lstlisting}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Decaying Models 2.0}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Improved support of \textit{Sightings}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \texttt{False positive} \textit{Sightings} should somehow reduce the score
|
||||||
|
\item \texttt{Expiration} \textit{Sightings} should mark the attribute as decayed
|
||||||
|
\end{itemize}
|
||||||
|
\item Potential \textit{Model} improvements
|
||||||
|
\begin{itemize}
|
||||||
|
\item Instead of resetting the score to \texttt{base\_score} once a \textit{Sighting} is set, the score should be increased additively (based on a defined coefficient); thus \textbf{prioritizing surges} rather than infrequent \textit{Sightings}
|
||||||
|
\item Take into account related \textit{Tags} or \textit{Correlations} when computing score
|
||||||
|
\end{itemize}
|
||||||
|
\item Increase \textit{Taxonomy} coverage
|
||||||
|
\begin{itemize}
|
||||||
|
\item Users should be able to manually override the \texttt{numerical\_value} of \textit{Tags}
|
||||||
|
\end{itemize}
|
||||||
|
\item For specific type, take into account data from other services
|
||||||
|
\begin{itemize}
|
||||||
|
\item Could fetch data from \textit{BGP ranking}, \textit{Virus Total}, \textit{Passive X} for IP/domain/... and adapt the score
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
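Review bot: The `/attributes/restSearch` request body on the "API query body" frame is not valid JSON — there is no comma after the closing brace of `modelOverrides`, and `"score": 30,` leaves a trailing comma before the final brace — so a reader who pastes it into a request gets a parse error; the two lines should read `},` and `"score": 30`. On the same frame it is worth one line saying that `modelOverrides` and the `score` cut-off only shape that query's result, since the earlier "Requirements" frame states that decay is an overlay in the UI and API and never alters the stored attributes. The interval on the "Scoring Indicators" frame is missing its closing delimiter and should read `\texttt{score} $\in [0, +\infty)$`. Spelling in the new text: "Deliberatly" → "Deliberately", "instanciation" → "instantiation", "algorythm" → "algorithm".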
|
|
@ -0,0 +1,2 @@
|
||||||
|
all:
|
||||||
|
pdflatex -interaction nonstopmode -halt-on-error -file-line-error circl-introduction.tex
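Review bot: The `all` recipe compiles `circl-introduction.tex`, which is not a file this commit adds and does not match the deck whose main file does `\include{content}`; this looks copied from another deck's Makefile, and if `build.sh` invokes `make` inside `a.5-bis-decaying-indicators-light-version` it will fail or build the wrong slides, so the recipe should name this deck's main `.tex`. I cannot tell from the rendering whether the recipe line starts with a tab, which `make` requires. Consider also declaring `.PHONY: all` so a stray file named `all` cannot mask the target.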
|
|
@ -0,0 +1,143 @@
|
||||||
|
\documentclass{beamer}
|
||||||
|
\usetheme[numbering=progressbar]{focus}
|
||||||
|
\definecolor{main}{RGB}{47, 161, 219}
|
||||||
|
\definecolor{textcolor}{RGB}{128, 128, 128}
|
||||||
|
\definecolor{background}{RGB}{240, 247, 255}
|
||||||
|
|
||||||
|
\usepackage[utf8x]{inputenc}
|
||||||
|
\usepackage{listings}
|
||||||
|
\usepackage{soul}
|
||||||
|
\usepackage{siunitx}
|
||||||
|
\usepackage{booktabs}
|
||||||
|
%\lstset{
|
||||||
|
% backgroundcolor=\color{white}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}
|
||||||
|
% basicstyle=\footnotesize, % the size of the fonts that are used for the code
|
||||||
|
% breakatwhitespace=false
|
||||||
|
%}
|
||||||
|
|
||||||
|
\usepackage{tikz}
|
||||||
|
\usetikzlibrary{shapes,snakes,automata,positioning}
|
||||||
|
|
||||||
|
\usepackage{xcolor}
|
||||||
|
\usepackage{colortbl}
|
||||||
|
\definecolor{mygreen}{rgb}{0,0.6,0}
|
||||||
|
\definecolor{mygreen2}{rgb}{0,0.56,0.16}
|
||||||
|
\definecolor{myred}{rgb}{0.6,0.066,0.066}
|
||||||
|
\definecolor{redCIRCL}{RGB}{213,43,30}
|
||||||
|
\definecolor{mygray}{rgb}{0.5,0.5,0.5}
|
||||||
|
\definecolor{mymauve}{rgb}{0.58,0,0.82}
|
||||||
|
\definecolor{mygray}{gray}{0.9}
|
||||||
|
\definecolor{mywhite}{rgb}{1,1,1}
|
||||||
|
\definecolor{myblack}{rgb}{0,0,0}
|
||||||
|
\definecolor{mybeige}{HTML}{eeeeee}
|
||||||
|
%\usepackage{tcolorbox}
|
||||||
|
\usepackage[listings]{tcolorbox}
|
||||||
|
\tcbuselibrary{listings}
|
||||||
|
|
||||||
|
\lstdefinestyle{code}{ %
|
||||||
|
backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
|
||||||
|
basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
|
||||||
|
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
|
||||||
|
breaklines=true, % sets automatic line breaking
|
||||||
|
captionpos=b, % sets the caption-position to bottom
|
||||||
|
commentstyle=\color{mygreen}, % comment style
|
||||||
|
deletekeywords={...}, % if you want to delete keywords from the given language
|
||||||
|
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
|
||||||
|
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
|
||||||
|
frame=single, % adds a frame around the code
|
||||||
|
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
|
||||||
|
keywordstyle=\color{blue}, % keyword style
|
||||||
|
language=Python, % the language of the code
|
||||||
|
morekeywords={*,...}, % if you want to add more keywords to the set
|
||||||
|
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
|
||||||
|
numbersep=5pt, % how far the line-numbers are from the code
|
||||||
|
numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
|
||||||
|
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
|
||||||
|
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
|
||||||
|
showstringspaces=false, % underline spaces within strings only
|
||||||
|
showtabs=false, % show tabs within strings adding particular underscores
|
||||||
|
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
|
||||||
|
stringstyle=\color{mymauve}, % string literal style
|
||||||
|
tabsize=2, % sets default tabsize to 2 spaces
|
||||||
|
title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
|
||||||
|
}
|
||||||
|
\lstdefinestyle{bash}{ %
|
||||||
|
backgroundcolor=\color{black!85}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
|
||||||
|
basicstyle=\footnotesize\color{mywhite}, % the size of the fonts that are used for the code
|
||||||
|
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
|
||||||
|
breaklines=true, % sets automatic line breaking
|
||||||
|
captionpos=b, % sets the caption-position to bottom
|
||||||
|
commentstyle=\color{mygreen}, % comment style
|
||||||
|
deletekeywords={...}, % if you want to delete keywords from the given language
|
||||||
|
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
|
||||||
|
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
|
||||||
|
frame=single % adds a frame around the code
|
||||||
|
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
|
||||||
|
keywordstyle=\color{white}\bfseries, % keyword style
|
||||||
|
language=bash, % the language of the code
|
||||||
|
morekeywords={*,$,git, clone,... }, % if you want to add more keywords to the set
|
||||||
|
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
|
||||||
|
numbersep=5pt, % how far the line-numbers are from the code
|
||||||
|
numberstyle=\tiny\color{mywhite}, % the style that is used for the line-numbers
|
||||||
|
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
|
||||||
|
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
|
||||||
|
showstringspaces=false, % underline spaces within strings only
|
||||||
|
showtabs=false, % show tabs within strings adding particular underscores
|
||||||
|
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
|
||||||
|
stringstyle=\color{mymauve}, % string literal style
|
||||||
|
tabsize=2, % sets default tabsize to 2 spaces
|
||||||
|
title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
|
||||||
|
}
|
||||||
|
\lstdefinestyle{default}{ %
|
||||||
|
backgroundcolor=\color{white}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
|
||||||
|
basicstyle=\footnotesize\color{black}, % the size of the fonts that are used for the code
|
||||||
|
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
|
||||||
|
breaklines=true, % sets automatic line breaking
|
||||||
|
captionpos=b, % sets the caption-position to bottom
|
||||||
|
commentstyle=\color{mygreen}, % comment style
|
||||||
|
deletekeywords={...}, % if you want to delete keywords from the given language
|
||||||
|
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
|
||||||
|
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
|
||||||
|
frame=single % adds a frame around the code
|
||||||
|
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
|
||||||
|
keywordstyle=\color{white}\bfseries, % keyword style
|
||||||
|
language=bash, % the language of the code
|
||||||
|
morekeywords={*,$,git, clone,... }, % if you want to add more keywords to the set
|
||||||
|
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
|
||||||
|
numbersep=5pt, % how far the line-numbers are from the code
|
||||||
|
numberstyle=\tiny\color{black}, % the style that is used for the line-numbers
|
||||||
|
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
|
||||||
|
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
|
||||||
|
showstringspaces=false, % underline spaces within strings only
|
||||||
|
showtabs=false, % show tabs within strings adding particular underscores
|
||||||
|
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
|
||||||
|
stringstyle=\color{mymauve}, % string literal style
|
||||||
|
tabsize=2, % sets default tabsize to 2 spaces
|
||||||
|
title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
|
||||||
|
}
|
||||||
|
\lstset{style=code}
|
||||||
|
|
||||||
|
|
||||||
|
\AtBeginSection[]{
|
||||||
|
\begin{frame}
|
||||||
|
\vfill
|
||||||
|
\centering
|
||||||
|
\begin{beamercolorbox}[sep=8pt,center,shadow=true,rounded=true]{title}
|
||||||
|
{\color{white} \usebeamerfont{title}\insertsectionhead}\par%
|
||||||
|
\end{beamercolorbox}
|
||||||
|
\vfill
|
||||||
|
\end{frame}
|
||||||
|
}
|
||||||
|
|
||||||
|
\author{\small{Team CIRCL}}
|
||||||
|
|
||||||
|
\title{MISP and Decaying of Indicators}
|
||||||
|
\subtitle{Primer for indicator scoring in MISP}
|
||||||
|
\institute{info@circl.lu}
|
||||||
|
\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
|
||||||
|
\date{\today}
|
||||||
|
|
||||||
|
\begin{document}
|
||||||
|
\include{content}
|
||||||
|
\end{document}
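Review bot: In `\lstdefinestyle{bash}` and `\lstdefinestyle{default}` the `frame=single` entry has no trailing comma, so the `%` comment swallows the line break and `keepspaces=true` is folded into the value of `frame`; this goes unnoticed only because `\lstset{style=code}` selects the one style that is written correctly, and both should read `frame=single, % adds a frame around the code`. `mygray` is defined twice (`{rgb}{0.5,0.5,0.5}` and then `{gray}{0.9}`) and the second definition silently wins; drop one. `\usepackage[utf8x]{inputenc}` pulls in the unmaintained `ucs` package where plain `[utf8]` is what current LaTeX expects, and `\include{content}` would more conventionally be `\input{content}` since nothing here needs a separate `.aux` file.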
|
||||||
|
|
|
@ -6,6 +6,41 @@
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\section{Expiring IOCs: Why and How?}
|
\section{Expiring IOCs: Why and How?}
|
||||||
|
\begin{frame}[fragile]
|
||||||
|
\frametitle{Indicators - Problem Statement}
|
||||||
|
\begin{itemize}
|
||||||
|
\item {\bf Sharing information} about threats {\bf is crucial}
|
||||||
|
\item Organisations are sharing more and more
|
||||||
|
\end{itemize}
|
||||||
|
\vspace{1em}
|
||||||
|
|
||||||
|
Contribution by {\bf unique organisation} (\texttt{Orgc.name}) on MISPPriv:\\
|
||||||
|
\vspace{1em}
|
||||||
|
\begin{minipage}{0.45\textwidth}
|
||||||
|
\begin{tabular}{ll}
|
||||||
|
\hline
|
||||||
|
Date & Unique Org \\
|
||||||
|
\hline
|
||||||
|
2013 & 17 \\
|
||||||
|
2014 & 43 \\
|
||||||
|
2015 & 82 \\
|
||||||
|
2016 & 105 \\
|
||||||
|
2017 & 118 \\
|
||||||
|
2018 & 125 \\
|
||||||
|
2019-10 & 135 \\
|
||||||
|
\hline
|
||||||
|
\end{tabular}
|
||||||
|
\vspace{0.5em}
|
||||||
|
\end{minipage}
|
||||||
|
\begin{minipage}{0.5\textwidth}
|
||||||
|
\begin{lstlisting}
|
||||||
|
{
|
||||||
|
"distribution": [1, 2, 3]
|
||||||
|
}\end{lstlisting}
|
||||||
|
\end{minipage}
|
||||||
|
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
|
||||||
\frametitle{Indicators - Problem Statement}
|
\frametitle{Indicators - Problem Statement}
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
|
@ -215,6 +250,7 @@
|
||||||
Current implentation ignores \texttt{source\_confidence}:
|
Current implentation ignores \texttt{source\_confidence}:
|
||||||
$$\rightarrow \texttt{base\_score} = tags$$
|
$$\rightarrow \texttt{base\_score} = tags$$
|
||||||
\includegraphics[width=1.0\linewidth]{pics/bs-computation-steps.png}
|
\includegraphics[width=1.0\linewidth]{pics/bs-computation-steps.png}
|
||||||
|
$\rightarrow$ The \texttt{base\_score} can be use to prioritize attribute based on their attached context and source
|
||||||
\end{frame}
|
\end{frame}
|
||||||
|
|
||||||
\begin{frame}
|
\begin{frame}
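Review bot: The added line contradicts the two context lines directly above it: the frame states that the current implementation ignores `source_confidence` and that `base_score = tags`, yet the new sentence claims attributes are prioritised "based on their attached context and source". It also has grammar slips ("can be use", "attribute"). Suggested: `$\rightarrow$ The \texttt{base\_score} can be used to prioritise attributes based on their attached context (tags); source confidence is not taken into account yet`. The enclosing frame begins before this hunk.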
|
||||||
|
|
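--- a/build.sh
+++ b/build.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 #
 
-slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed" "a.4-best-practices" "a.5-decaying-indicators" "a.6-forensic" "a.7-rest-API" "b.1-best-practices-in-threat-intelligence" "a.8-dev-hands-on")
+slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.2-misp-integration" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template" "6.0-misp-dashboard" "a.0-contributing" "a.1-devintro" "a.2-pymisp" "a.3-misp-feed" "a.4-best-practices" "a.5-decaying-indicators" "a.5-bis-decaying-indicators-light-version" "a.6-forensic" "a.7-rest-API" "b.1-best-practices-in-threat-intelligence" "a.8-dev-hands-on")
 mkdir output
 export TEXINPUTS=::`pwd`/themes/
 echo ${TEXINPUTS}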