diff --git a/a.5-decaying-indicators/content.tex b/a.5-decaying-indicators/content.tex
new file mode 100644
index 0000000..75d9952
--- /dev/null
+++ b/a.5-decaying-indicators/content.tex
@@ -0,0 +1,117 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\begin{frame}
+\frametitle{Indicators - Problem Statement}
+ \begin{itemize}
+ \item Various users and organisations can share data via MISP, multiple parties can be involved
+ \begin{itemize}
+ \item Trust, data quality and time-to-live issues
+ \item Each user/organisation has different use-cases and interests
+ \end{itemize}
+ \vspace{0.5cm}
+ \item Attributes can be shared in large quantities (more than 1.3 million on \texttt{MISPPRIV})
+ \begin{itemize}
+ \item Partial info about their validity (sightings)
+ \item Partial info about their freshness (last update)
+ \item Varius conflicting interests such as operational security, attribution, source reliability evaluation...
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Sightings - Refresher}
+ Sightings add temporal context to indicators.
+ A user, script or an IDS can extend the information related to indicators by reporting back to MISP that
+ an indicator has been \texttt{seen}, or that an indicator can be considered as a \texttt{false-positive}
+ \vspace{0.5cm}
+ \begin{itemize}
+ \item Sightings give more credibility/visibility to indicators
+ \item This information can be used to {\bf prioritise and decay indicators}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Organisations opt-in - setting a level of confidence}
+ MISP is a peer-to-peer system, information passes through multiple instances.
+ \begin{itemize}
+ \item Producers can add context (such as tags from taxonomies, galaxies) about their asserted confidence or the reliability of the data
+ \item Consumers can have different levels of trust in the producers and/or analysts themselves
+ \end{itemize}
+
+ \begin{small}
+ \begin{columns}[T] % align columns
+ \begin{column}{.40\textwidth}
+ \begin{tabular}{|ll|}
+ \hline
+ \textbf{Description} & \textbf{Value}\\
+ \hline
+ Completely reliable & 100\\
+ Usually reliable & 75\\
+ Fairly reliable & 50\\
+ Not usually reliable & 25\\
+ Unreliable & 0\\
+ Reliability cannot be judged & 50\\
+ Deliberatly deceptive & 0\\
+ \hline
+ \end{tabular}
+ \end{column}%
+ \hfill%
+ \begin{column}{.48\textwidth}
+ \begin{tabular}{|ll|}
+ \hline
+ \textbf{Description} & \textbf{Value}\\
+ \hline
+ Confirmed by other sources & 100\\
+ Probably true & 75\\
+ Possibly true & 50\\
+ Doubtful & 25\\
+ Improbable & 0\\
+ Truth cannot be judged & 50\\
+ \hline
+ \end{tabular}
+ \end{column}%
+ \end{columns}
+ \end{small}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Scoring Indicators 1/2}
+ When scoring indicators\footnote{Paper available: \url{https://arxiv.org/pdf/1803.11052}}, multiple parameters\footnote{at a variable extent as required} can be taken into account. The {\bf base score} is calculated with the following in mind:
+ \begin{itemize}
+ \item The reliability in the producer
+ \item The trust in the data as signaled by the producer
+ $$base\_score = weigth_{tg} \cdot tags + \omega_{sc} \cdot source\_confidence$$
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Scoring Indicators 2/2}
+ The weighted score is calculated using:
+ \begin{itemize}
+ \item The lifetime of the indicator (e.g.
IP address vs hash value of a file)
+ \begin{itemize}
+ \item The lifespan of the indicator (short for an IP - long for an hash): $\tau$
+ \item The decay rate $\rightarrow$ Speed at which an attribute loses value: $\delta$
+ \item Weigthed score is reset to its base score as new \texttt{sightings} are received
+ \end{itemize}
+ $$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Ongoing Implementation in MISP}
+ Setting thresholds and retrieving the information should be simple and straightforward for the user:
+ \begin{itemize}
+ \item Automatic scoring based on default values
+ \item User-friendly UI to manually set lifetime parameters
+ \item Interaction through the API
+ \end{itemize}
+ \begin{center}
+ \includegraphics[scale=0.15]{pics/param-ui.png}
+ \end{center}
+\end{frame}
diff --git a/a.5-decaying-indicators/logo-circl.pdf b/a.5-decaying-indicators/logo-circl.pdf
new file mode 100644
index 0000000..62c9239
Binary files /dev/null and b/a.5-decaying-indicators/logo-circl.pdf differ
diff --git a/a.5-decaying-indicators/makefile b/a.5-decaying-indicators/makefile
new file mode 100644
index 0000000..7d859a1
--- /dev/null
+++ b/a.5-decaying-indicators/makefile
@@ -0,0 +1,2 @@
+all:
+ pdflatex -interaction nonstopmode -halt-on-error -file-line-error circl-introduction.tex
diff --git a/a.5-decaying-indicators/misp.pdf b/a.5-decaying-indicators/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/a.5-decaying-indicators/misp.pdf differ
diff --git a/a.5-decaying-indicators/pics/param-ui.png b/a.5-decaying-indicators/pics/param-ui.png
new file mode 100644
index 0000000..7c5ff8a
Binary files /dev/null and b/a.5-decaying-indicators/pics/param-ui.png differ
diff --git a/a.5-decaying-indicators/slide.tex b/a.5-decaying-indicators/slide.tex
new file mode 100644
index 0000000..c951310
--- /dev/null
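Review bot: On the "Scoring Indicators 2/2" frame of content.tex the decay formula is given without its domain: for `t > \tau_a` the bracket turns negative, so the slide should state that the score is floored at 0 once the lifetime is exceeded, and say what `t` is measured from (presumably the last sighting, since the bullet above says the score is reset on new sightings). The bullets introduce `\tau` and `\delta` while the formula uses `\tau_a` and `\delta_a`, and the 1/2 frame mixes `weigth_{tg}` with `\omega_{sc}`; one notation, e.g. `\omega_{tg} \cdot tags + \omega_{sc} \cdot source\_confidence`, keeps readers from treating them as different quantities. Both displays use `$$ … $$`, which `\[ … \]` replaces in LaTeX.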
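Review bot: The `all` target in the new makefile compiles `circl-introduction.tex`, but the only main document this commit adds to `a.5-decaying-indicators/` is `slide.tex`, so with `-halt-on-error` the build would stop on a missing file unless that name exists outside this diff. The recipe line should probably read `pdflatex -interaction nonstopmode -halt-on-error -file-line-error slide.tex`. Since the target produces no file called `all`, a `.PHONY: all` line would also be appropriate.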
+++ b/a.5-decaying-indicators/slide.tex 
@@ -0,0 +1,143 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8x]{inputenc}
+\usepackage{listings}
+\usepackage{soul}
+\usepackage{siunitx}
+\usepackage{booktabs}
+%\lstset{
+% backgroundcolor=\color{white}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}
+% basicstyle=\footnotesize, % the size of the fonts that are used for the code
+% breakatwhitespace=false
+%}
+
+\usepackage{tikz}
+\usetikzlibrary{shapes,snakes,automata,positioning}
+
+\usepackage{xcolor}
+\usepackage{colortbl}
+\definecolor{mygreen}{rgb}{0,0.6,0}
+\definecolor{mygreen2}{rgb}{0,0.56,0.16}
+\definecolor{myred}{rgb}{0.6,0.066,0.066}
+\definecolor{redCIRCL}{RGB}{213,43,30}
+\definecolor{mygray}{rgb}{0.5,0.5,0.5}
+\definecolor{mymauve}{rgb}{0.58,0,0.82}
+\definecolor{mygray}{gray}{0.9}
+\definecolor{mywhite}{rgb}{1,1,1}
+\definecolor{myblack}{rgb}{0,0,0}
+\definecolor{mybeige}{HTML}{eeeeee}
+%\usepackage{tcolorbox}
+\usepackage[listings]{tcolorbox}
+\tcbuselibrary{listings}
+
+\lstdefinestyle{code}{ %
+ backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+ basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
+ breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+ breaklines=true, % sets automatic line breaking
+ captionpos=b, % sets the caption-position to bottom
+ commentstyle=\color{mygreen}, % comment style
+ deletekeywords={...}, % if you want to delete keywords from the given language
+ escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+ extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+ frame=single, % adds a frame around the code
+ keepspaces=true, %
keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+ keywordstyle=\color{blue}, % keyword style
+ language=Python, % the language of the code
+ morekeywords={*,...}, % if you want to add more keywords to the set
+ numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+ numbersep=5pt, % how far the line-numbers are from the code
+ numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
+ rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+ showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+ showstringspaces=false, % underline spaces within strings only
+ showtabs=false, % show tabs within strings adding particular underscores
+ stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+ stringstyle=\color{mymauve}, % string literal style
+ tabsize=2, % sets default tabsize to 2 spaces
+ title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstdefinestyle{bash}{ %
+ backgroundcolor=\color{black!85}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+ basicstyle=\footnotesize\color{mywhite}, % the size of the fonts that are used for the code
+ breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+ breaklines=true, % sets automatic line breaking
+ captionpos=b, % sets the caption-position to bottom
+ commentstyle=\color{mygreen}, % comment style
+ deletekeywords={...}, % if you want to delete keywords from the given language
+ escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+ extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
+ frame=single % adds a frame around the
code
+ keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+ keywordstyle=\color{white}\bfseries, % keyword style
+ language=bash, % the language of the code
+ morekeywords={*,$,git, clone,... }, % if you want to add more keywords to the set
+ numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+ numbersep=5pt, % how far the line-numbers are from the code
+ numberstyle=\tiny\color{mywhite}, % the style that is used for the line-numbers
+ rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+ showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+ showstringspaces=false, % underline spaces within strings only
+ showtabs=false, % show tabs within strings adding particular underscores
+ stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+ stringstyle=\color{mymauve}, % string literal style
+ tabsize=2, % sets default tabsize to 2 spaces
+ title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstdefinestyle{default}{ %
+ backgroundcolor=\color{white}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
+ basicstyle=\footnotesize\color{black}, % the size of the fonts that are used for the code
+ breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
+ breaklines=true, % sets automatic line breaking
+ captionpos=b, % sets the caption-position to bottom
+ commentstyle=\color{mygreen}, % comment style
+ deletekeywords={...}, % if you want to delete keywords from the given language
+ escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
+ extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with
UTF-8
+ frame=single % adds a frame around the code
+ keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
+ keywordstyle=\color{white}\bfseries, % keyword style
+ language=bash, % the language of the code
+ morekeywords={*,$,git, clone,... }, % if you want to add more keywords to the set
+ numbers=left, % where to put the line-numbers; possible values are (none, left, right)
+ numbersep=5pt, % how far the line-numbers are from the code
+ numberstyle=\tiny\color{black}, % the style that is used for the line-numbers
+ rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
+ showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
+ showstringspaces=false, % underline spaces within strings only
+ showtabs=false, % show tabs within strings adding particular underscores
+ stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
+ stringstyle=\color{mymauve}, % string literal style
+ tabsize=2, % sets default tabsize to 2 spaces
+ title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
+}
+\lstset{style=code}
+
+
+\AtBeginSection[]{
+ \begin{frame}
+ \vfill
+ \centering
+ \begin{beamercolorbox}[sep=8pt,center,shadow=true,rounded=true]{title}
+ {\color{white} \usebeamerfont{title}\insertsectionhead}\par%
+ \end{beamercolorbox}
+ \vfill
+ \end{frame}
+}
+
+\author{\small{Team CIRCL}}
+
+\title{MISP and Decaying of Indicators}
+\subtitle{An indicator scoring method and ongoing implementation in MISP}
+\institute{info@circl.lu}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+\date{\today}
+
+\begin{document}
+\include{content}
+\end{document}
+
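Review bot: In slide.tex the `bash` and `default` listing styles are missing the comma after `frame=single`, so the following `keepspaces=true` is read as part of the `frame` value instead of as its own key; the `code` style has it right, and both lines should read `frame=single, % adds a frame around the code`. This likely only surfaces once one of those two styles is selected, since the preamble activates `style=code`. The `default` style also sets `keywordstyle=\color{white}\bfseries` on a white background, which would hide keywords, and `mygray` is defined twice, so the later `{gray}{0.9}` definition silently replaces the first.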