MISP
/
misp-training
mirror of https://github.com/MISP/misp-training
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [decaying] Improved slides

changes-actionable
mokaddem 2019-09-18 15:49:00 +02:00
parent 84117eade4
commit ee5b300ed0
1 changed files with 43 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
a.5-decaying-indicators/content.tex
View File

@ -106,7 +106,7 @@
\begin{frame}
\frametitle{Scoring Indicators: Our solution}
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model}) $$
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
Where,\vspace{0.5cm}
\begin{itemize}
\item \texttt{score} $ \in [0, +\infty $
@ -118,35 +118,45 @@
\begin{frame}
\frametitle{Scoring Indicators: \texttt{base\_score} (1)}
$$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; {\color{gray}\texttt{decay}(\texttt{\tiny Model, time})} $$
When scoring indicators\footnote{Paper available: \url{https://arxiv.org/pdf/1803.11052}}, multiple parameters\footnote{at a variable extent as required} can be taken into account. The {\bf base score} is calculated with the following in mind:
\begin{itemize}
\item {\color{purple}Data reliability, credibility, analyst skills, custom prioritisation tags (economical-impact), etc.}
\item {\color{orange}Trust in the source}
\end{itemize}
\vspace{0.5cm}
\vspace{0.3cm}
$$\texttt{base\_score} = \omega_{tg} \cdot {\color{purple}tags} + \omega_{sc} \cdot {\color{orange}source\_confidence}$$
Where,
\begin{itemize}
\item[] $\omega_{sc} + \omega_{tg} = 1$
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: \texttt{base\_score} (2)}
Current implentation ignore \texttt{source\_confidence}:
$$\rightarrow \texttt{base\_score} = tags$$
\includegraphics[width=1.0\linewidth]{pics/bs-computation-steps.png}
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: decay speed (1)}
The \texttt{score} is calculated using:
$$ \texttt{score}(\texttt{\tiny Attribute}) = {\color{gray}\texttt{base\_score}(\texttt{\tiny Attribute, Model})} \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$
The \texttt{decay} is calculated using:
\begin{itemize}
\item The \texttt{lifetime} of the indicator (e.g. IP address vs hash value of a file)
\item The \texttt{lifetime} of the indicator
\begin{itemize}
\item The lifespan of the indicator (short for an IP - long for an hash)
\item May vary depending on the indicator type
\item short for an IP, long for an hash
\end{itemize}
\item The \texttt{decay rate}, or speed at which an attribute loses value over time
\item The time elapsed since the latest update or sighting
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Scoring Indicators: putting it all toghether}
$\rightarrow$ \texttt{decayin rate} is re-initialized upon sighting addition, or said differently, the \texttt{score} is reset to its base score as new \texttt{sightings} are received.
$\rightarrow$ \texttt{decay rate} is \textbf{re-initialized upon sighting} addition, or said differently, the \texttt{score} is reset to its base score as new \texttt{sightings} are applied.
$$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$
\end{frame}
@ -154,7 +164,7 @@
\frametitle{Implementation in MISP: Playing with Models}
\begin{itemize}
\item \textbf{Automatic scoring} based on default values
\item \textbf{User-friendly UI} to manually set lifetime parameters
\item \textbf{User-friendly UI} to manually set lifetime and decay parameters
\item \textbf{Simulation} tool
\item Interaction through the \textbf{API}
\item Opportunity to create your \textbf{own} formula or algorythm
@ -162,7 +172,20 @@
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Model Types}
\frametitle{Implementation in MISP: Models definition}
Models are an instanciation of the formula where elements can be defined:
\begin{itemize}
\item Parameters: \texttt{lifetime, decay\_rate, threshold}
\item \texttt{base\_score}
\item \texttt{default base\_score}
\item formula
\item associate \textit{Attribute} types
\item creator organisation
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Implementation in MISP: Models Types}
Multiple model types are available
\begin{itemize}
\item Default models: Models created and shared by the community. Available from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}.
@ -203,7 +226,7 @@
\end{frame}
\begin{frame}[fragile]
\frametitle{Implementation in MISP: API (1)}
\frametitle{Implementation in MISP: API query body}
\texttt{/attributes/restSearch}
\begin{lstlisting}
{
@ -220,7 +243,7 @@
\end{frame}
\begin{frame}[fragile]
\frametitle{Implementation in MISP: API (2)}
\frametitle{Implementation in MISP: API result}
\texttt{/attributes/restSearch}
\begin{lstlisting}
"Attribute": [
@ -255,9 +278,18 @@
\item Implement the two mandatory functions \texttt{computeScore} and \texttt{isDecayed} using your own formula/algorithm
\item Create a Model and set the formula field to \texttt{{\$}filename}
\end{itemize}
Use cases:
\begin{itemize}
\item Add support for \textbf{more feature} (expiration taxonomy)
\item \textbf{Query external services} then influence the score
\item Completely \textbf{different approach} (i.e streaming algorithm)
\item ...
\end{itemize}
\end{frame}
\lstset{language=PHP}
\begin{frame}[fragile]
\frametitle{Creating a new decay algorithm (2)}
\lstset{basicstyle=\scriptsize}