mirror of https://github.com/MISP/misp-training
add: [a.5] decaying indicators added
parent
3099cdbd33
commit
e17e107293
@ -0,0 +1,117 @@
% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.

\begin{frame}[t,plain]
\titlepage
\end{frame}

\begin{frame}
\frametitle{Indicators - Problem Statement}
\begin{itemize}
\item Various users and organisations can share data via MISP, multiple parties can be involved
\begin{itemize}
\item Trust, data quality and time-to-live issues
\item Each user/organisation has different use-cases and interests
\end{itemize}
\vspace{0.5cm}
\item Attributes can be shared in large quantities (more than 1.3 million on \texttt{MISPPRIV})
\begin{itemize}
\item Partial info about their validity (sightings)
\item Partial info about their freshness (last update)
\item Varius conflicting interests such as operational security, attribution, source reliability evaluation...
\end{itemize}
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Sightings - Refresher}
Sightings add temporal context to indicators.
A user, script or an IDS can extend the information related to indicators by reporting back to MISP that
an indicator has been \texttt{seen}, or that an indicator can be considered as a \texttt{false-positive}
\vspace{0.5cm}
\begin{itemize}
\item Sightings give more credibility/visibility to indicators
\item This information can be used to {\bf prioritise and decay indicators}
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Organisations opt-in - setting a level of confidence}
MISP is a peer-to-peer system, information passes through multiple instances.
\begin{itemize}
\item Producers can add context (such as tags from taxonomies, galaxies) about their asserted confidence or the reliability of the data
\item Consumers can have different levels of trust in the producers and/or analysts themselves
\end{itemize}

\begin{small}
\begin{columns}[T] % align columns
\begin{column}{.40\textwidth}
\begin{tabular}{|ll|}
\hline
\textbf{Description} & \textbf{Value}\\
\hline
Completely reliable & 100\\
Usually reliable & 75\\
Fairly reliable & 50\\
Not usually reliable & 25\\
Unreliable & 0\\
Reliability cannot be judged & 50\\
Deliberatly deceptive & 0\\
\hline
\end{tabular}
\end{column}%
\hfill%
\begin{column}{.48\textwidth}
\begin{tabular}{|ll|}
\hline
\textbf{Description} & \textbf{Value}\\
\hline
Confirmed by other sources & 100\\
Probably true & 75\\
Possibly true & 50\\
Doubtful & 25\\
Improbable & 0\\
Truth cannot be judged & 50\\
\hline
\end{tabular}
\end{column}%
\end{columns}
\end{small}
\end{frame}

\begin{frame}
\frametitle{Scoring Indicators 1/2}
When scoring indicators\footnote{Paper available: \url{https://arxiv.org/pdf/1803.11052}}, multiple parameters\footnote{at a variable extent as required} can be taken into account. The {\bf base score} is calculated with the following in mind:
\begin{itemize}
\item The reliability in the producer
\item The trust in the data as signaled by the producer
$$base\_score = weigth_{tg} \cdot tags + \omega_{sc} \cdot source\_confidence$$
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Scoring Indicators 2/2}
The weighted score is calculated using:
\begin{itemize}
\item The lifetime of the indicator (e.g. IP address vs hash value of a file)
\begin{itemize}
\item The lifespan of the indicator (short for an IP - long for an hash): $\tau$
\item The decay rate $\rightarrow$ Speed at which an attribute loses value: $\delta$
\item Weigthed score is reset to its base score as new \texttt{sightings} are received
\end{itemize}
$$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$
\end{itemize}
\end{frame}

\begin{frame}
\frametitle{Ongoing Implementation in MISP}
Setting thresholds and retrieving the information should be simple and straightforward for the user:
\begin{itemize}
\item Automatic scoring based on default values
\item User-friendly UI to manually set lifetime parameters
\item Interaction through the API
\end{itemize}
\begin{center}
\includegraphics[scale=0.15]{pics/param-ui.png}
\end{center}
\end{frame}
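Review bot: the two scoring formulas in this file use inconsistent notation and leave a symbol undefined. On the `Scoring Indicators 1/2` frame the tag weight is typeset as `weigth_{tg}` (a misspelled word where the source-confidence term uses `\omega_{sc}`); write `\omega_{tg}` so the two weights read as a pair. On the `2/2` frame the bullets introduce $\tau$ and $\delta$ without subscripts, but the formula uses $\tau_a$ and $\delta_a$ and never says what $a$ indexes (the attribute, presumably), and $t$ is not defined at all; given the bullet that the weighted score is reset to the base score when a new sighting arrives, $t$ should be stated as the time elapsed since the last sighting. Also, as written the score turns negative as soon as $t > \tau_a$, because $(t/\tau_a)^{1/\delta_a}$ then exceeds 1; say whether the score is clamped at 0 and the indicator treated as expired. Spelling in the slide text: `Varius` should be `Various`, `Deliberatly` should be `Deliberately`, `Weigthed` should be `Weighted`, and `an hash` should be `a hash`.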
Binary file not shown.
@ -0,0 +1,2 @@
all:
pdflatex -interaction nonstopmode -halt-on-error -file-line-error circl-introduction.tex
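Review bot: the `all` target runs pdflatex only once, but `circl-introduction.tex` selects `\usetheme[numbering=progressbar]{focus}`, whose progress bar needs the total frame count that pdflatex writes to the `.aux` file on a previous run, so a fresh build ships with a wrong progress bar until someone runs it a second time; run pdflatex twice in the recipe or switch to `latexmk -pdf`, which repeats until the `.aux` is stable. Two smaller points: add `.PHONY: all` (and a `clean` target for the `.aux`/`.log`/`.nav`/`.snm`/`.toc` files beamer leaves behind) so a file named `all` cannot mask the rule, and double-check that the recipe line is indented with a tab, which this rendering cannot show.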
Binary file not shown.
Binary file not shown.
After Width: | Height: | Size: 49 KiB |
@ -0,0 +1,143 @@
\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\definecolor{main}{RGB}{47, 161, 219}
\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}

\usepackage[utf8x]{inputenc}
\usepackage{listings}
\usepackage{soul}
\usepackage{siunitx}
\usepackage{booktabs}
%\lstset{
% backgroundcolor=\color{white}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}
% basicstyle=\footnotesize, % the size of the fonts that are used for the code
% breakatwhitespace=false
%}

\usepackage{tikz}
\usetikzlibrary{shapes,snakes,automata,positioning}

\usepackage{xcolor}
\usepackage{colortbl}
\definecolor{mygreen}{rgb}{0,0.6,0}
\definecolor{mygreen2}{rgb}{0,0.56,0.16}
\definecolor{myred}{rgb}{0.6,0.066,0.066}
\definecolor{redCIRCL}{RGB}{213,43,30}
\definecolor{mygray}{rgb}{0.5,0.5,0.5}
\definecolor{mymauve}{rgb}{0.58,0,0.82}
\definecolor{mygray}{gray}{0.9}
\definecolor{mywhite}{rgb}{1,1,1}
\definecolor{myblack}{rgb}{0,0,0}
\definecolor{mybeige}{HTML}{eeeeee}
%\usepackage{tcolorbox}
\usepackage[listings]{tcolorbox}
\tcbuselibrary{listings}

\lstdefinestyle{code}{ %
backgroundcolor=\color{mybeige}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
basicstyle=\footnotesize\ttfamily, % the size of the fonts that are used for the code
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
breaklines=true, % sets automatic line breaking
captionpos=b, % sets the caption-position to bottom
commentstyle=\color{mygreen}, % comment style
deletekeywords={...}, % if you want to delete keywords from the given language
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
frame=single, % adds a frame around the code
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
keywordstyle=\color{blue}, % keyword style
language=Python, % the language of the code
morekeywords={*,...}, % if you want to add more keywords to the set
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
numbersep=5pt, % how far the line-numbers are from the code
numberstyle=\tiny\color{myblack}, % the style that is used for the line-numbers
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
showstringspaces=false, % underline spaces within strings only
showtabs=false, % show tabs within strings adding particular underscores
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
stringstyle=\color{mymauve}, % string literal style
tabsize=2, % sets default tabsize to 2 spaces
title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
}
\lstdefinestyle{bash}{ %
backgroundcolor=\color{black!85}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
basicstyle=\footnotesize\color{mywhite}, % the size of the fonts that are used for the code
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
breaklines=true, % sets automatic line breaking
captionpos=b, % sets the caption-position to bottom
commentstyle=\color{mygreen}, % comment style
deletekeywords={...}, % if you want to delete keywords from the given language
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
frame=single % adds a frame around the code
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
keywordstyle=\color{white}\bfseries, % keyword style
language=bash, % the language of the code
morekeywords={*,$,git, clone,... }, % if you want to add more keywords to the set
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
numbersep=5pt, % how far the line-numbers are from the code
numberstyle=\tiny\color{mywhite}, % the style that is used for the line-numbers
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
showstringspaces=false, % underline spaces within strings only
showtabs=false, % show tabs within strings adding particular underscores
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
stringstyle=\color{mymauve}, % string literal style
tabsize=2, % sets default tabsize to 2 spaces
title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
}
\lstdefinestyle{default}{ %
backgroundcolor=\color{white}, % choose the background color; you must add \usepackage{color} or \usepackage{xcolor}; should come as last argument
basicstyle=\footnotesize\color{black}, % the size of the fonts that are used for the code
breakatwhitespace=false, % sets if automatic breaks should only happen at whitespace
breaklines=true, % sets automatic line breaking
captionpos=b, % sets the caption-position to bottom
commentstyle=\color{mygreen}, % comment style
deletekeywords={...}, % if you want to delete keywords from the given language
escapeinside={\%*}{*)}, % if you want to add LaTeX within your code
extendedchars=true, % lets you use non-ASCII characters; for 8-bits encodings only, does not work with UTF-8
frame=single % adds a frame around the code
keepspaces=true, % keeps spaces in text, useful for keeping indentation of code (possibly needs columns=flexible)
keywordstyle=\color{white}\bfseries, % keyword style
language=bash, % the language of the code
morekeywords={*,$,git, clone,... }, % if you want to add more keywords to the set
numbers=left, % where to put the line-numbers; possible values are (none, left, right)
numbersep=5pt, % how far the line-numbers are from the code
numberstyle=\tiny\color{black}, % the style that is used for the line-numbers
rulecolor=\color{black}, % if not set, the frame-color may be changed on line-breaks within not-black text (e.g. comments (green here))
showspaces=false, % show spaces everywhere adding particular underscores; it overrides 'showstringspaces'
showstringspaces=false, % underline spaces within strings only
showtabs=false, % show tabs within strings adding particular underscores
stepnumber=1, % the step between two line-numbers. If it's 1, each line will be numbered
stringstyle=\color{mymauve}, % string literal style
tabsize=2, % sets default tabsize to 2 spaces
title=\lstname % show the filename of files included with \lstinputlisting; also try caption instead of title
}
\lstset{style=code}


\AtBeginSection[]{
\begin{frame}
\vfill
\centering
\begin{beamercolorbox}[sep=8pt,center,shadow=true,rounded=true]{title}
{\color{white} \usebeamerfont{title}\insertsectionhead}\par%
\end{beamercolorbox}
\vfill
\end{frame}
}

\author{\small{Team CIRCL}}

\title{MISP and Decaying of Indicators}
\subtitle{An indicator scoring method and ongoing implementation in MISP}
\institute{info@circl.lu}
\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
\date{\today}

\begin{document}
\include{content}
\end{document}
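Review bot: in the `bash` and `default` listing styles the line `frame=single % adds a frame around the code` is missing the comma that the `code` style has, so the `%` comment swallows the line end and the following `keepspaces=true` is read as part of the `frame` value; at best `keepspaces` is silently never set, at worst listings rejects the frame value. Write `frame=single, % adds a frame around the code` in both styles. Further: `mygray` is defined twice (`{rgb}{0.5,0.5,0.5}` and then `{gray}{0.9}`), the second definition silently wins, so drop one; the `default` style sets `backgroundcolor=\color{white}` together with `keywordstyle=\color{white}\bfseries`, which renders keywords invisible and looks copied from the `bash` style where the background is `black!85`; and `\usepackage[utf8x]{inputenc}` pulls in the unmaintained ucs package, plain `[utf8]` is the supported option. Minor: the first `\definecolor` calls appear before `\usepackage{xcolor}` (this only works because beamer loads xcolor itself), and `\include{content}` forces a page break and a separate `.aux`; `\input{content}` is the usual way to pull a slide file into a beamer document.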