diff --git a/a.5-decaying-indicators/content.tex b/a.5-decaying-indicators/content.tex index dbb1967..6506d2e 100644 --- a/a.5-decaying-indicators/content.tex +++ b/a.5-decaying-indicators/content.tex @@ -106,7 +106,7 @@ \begin{frame} \frametitle{Scoring Indicators: Our solution} - $$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model}) $$ + $$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$ Where,\vspace{0.5cm} \begin{itemize} \item \texttt{score} $ \in [0, +\infty $ 
@@ -118,35 +118,45 @@ \begin{frame} \frametitle{Scoring Indicators: \texttt{base\_score} (1)} + $$ \texttt{score}(\texttt{\tiny Attribute}) = \texttt{base\_score}(\texttt{\tiny Attribute, Model}) \;\;\bullet\;\; {\color{gray}\texttt{decay}(\texttt{\tiny Model, time})} $$ When scoring indicators\footnote{Paper available: \url{https://arxiv.org/pdf/1803.11052}}, multiple parameters\footnote{at a variable extent as required} can be taken into account. The {\bf base score} is calculated with the following in mind: \begin{itemize} \item {\color{purple}Data reliability, credibility, analyst skills, custom prioritisation tags (economical-impact), etc.} \item {\color{orange}Trust in the source} \end{itemize} - \vspace{0.5cm} + \vspace{0.3cm} $$\texttt{base\_score} = \omega_{tg} \cdot {\color{purple}tags} + \omega_{sc} \cdot {\color{orange}source\_confidence}$$ + Where, + \begin{itemize} + \item[] $\omega_{sc} + \omega_{tg} = 1$ + \end{itemize} \end{frame} \begin{frame} \frametitle{Scoring Indicators: \texttt{base\_score} (2)} + Current implentation ignore \texttt{source\_confidence}: + $$\rightarrow \texttt{base\_score} = tags$$ \includegraphics[width=1.0\linewidth]{pics/bs-computation-steps.png} \end{frame} \begin{frame} \frametitle{Scoring Indicators: decay speed (1)} - The \texttt{score} is calculated using: + $$ \texttt{score}(\texttt{\tiny Attribute}) = {\color{gray}\texttt{base\_score}(\texttt{\tiny Attribute, Model})} \;\;\bullet\;\; \texttt{decay}(\texttt{\tiny Model, time}) $$ + The \texttt{decay} is calculated using: \begin{itemize} - \item The \texttt{lifetime} of the indicator (e.g. 
IP address vs hash value of a file) + \item The \texttt{lifetime} of the indicator \begin{itemize} - \item The lifespan of the indicator (short for an IP - long for an hash) + \item May vary depending on the indicator type + \item short for an IP, long for an hash \end{itemize} \item The \texttt{decay rate}, or speed at which an attribute loses value over time + \item The time elapsed since the latest update or sighting \end{itemize} \end{frame} \begin{frame} \frametitle{Scoring Indicators: putting it all toghether} - $\rightarrow$ \texttt{decayin rate} is re-initialized upon sighting addition, or said differently, the \texttt{score} is reset to its base score as new \texttt{sightings} are received. + $\rightarrow$ \texttt{decay rate} is \textbf{re-initialized upon sighting} addition, or said differently, the \texttt{score} is reset to its base score as new \texttt{sightings} are applied. $$score = base\_score \cdot \left( 1 - \left( \frac{t}{\tau_a} \right)^{\frac{1}{\delta_a}} \right) $$ \end{frame} @@ -154,7 +164,7 @@ \frametitle{Implementation in MISP: Playing with Models} \begin{itemize} \item \textbf{Automatic scoring} based on default values - \item \textbf{User-friendly UI} to manually set lifetime parameters + \item \textbf{User-friendly UI} to manually set lifetime and decay parameters \item \textbf{Simulation} tool \item Interaction through the \textbf{API} \item Opportunity to create your \textbf{own} formula or algorythm 
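Review bot: The rewritten "putting it all together" line makes any added sighting reset the score to its full base score, and the new base_score (2) text states the current implementation ignores source_confidence, so a sighting from a low-trust feed or a noisy sensor (for example a hit on an already sinkholed IP) restores a stale indicator to full value with nothing on these slides gating it. A caveat bullet beside that line would help practitioners, e.g. `\item Sightings from any source reset the score -- filter or weight sightings by source trust until \texttt{source\_confidence} is honoured`. The same slide's formula `1 - (t/\tau_a)^{1/\delta_a}` drops below zero once $t > \tau_a$, while the first slide states $\texttt{score} \in [0, +\infty$, so the deck presumably relies on clamping or on the model's \texttt{threshold}; it should say which. Wording: `Current implentation ignore` should read `Current implementation ignores`, and the frametitle `toghether` should be `together`.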
@@ -162,7 +172,20 @@ \end{frame} \begin{frame} - \frametitle{Implementation in MISP: Model Types} + \frametitle{Implementation in MISP: Models definition} + Models are an instanciation of the formula where elements can be defined: + \begin{itemize} + \item Parameters: \texttt{lifetime, decay\_rate, threshold} + \item \texttt{base\_score} + \item \texttt{default base\_score} + \item formula + \item associate \textit{Attribute} types + \item creator organisation + \end{itemize} +\end{frame} + +\begin{frame} + \frametitle{Implementation in MISP: Models Types} Multiple model types are available \begin{itemize} \item Default models: Models created and shared by the community. Available from \texttt{misp-decaying-models} repository\footnote{\url{https://github.com/MISP/misp-decaying-models.git}}. @@ -203,7 +226,7 @@ \end{frame} \begin{frame}[fragile] - \frametitle{Implementation in MISP: API (1)} + \frametitle{Implementation in MISP: API query body} \texttt{/attributes/restSearch} \begin{lstlisting} { @@ -220,7 +243,7 @@ \end{frame} \begin{frame}[fragile] - \frametitle{Implementation in MISP: API (2)} + \frametitle{Implementation in MISP: API result} \texttt{/attributes/restSearch} \begin{lstlisting} "Attribute": [ @@ -255,9 +278,18 @@ \item Implement the two mandatory functions \texttt{computeScore} and \texttt{isDecayed} using your own formula/algorithm \item Create a Model and set the formula field to \texttt{{\$}filename} \end{itemize} + + Use cases: + \begin{itemize} + \item Add support for \textbf{more feature} (expiration taxonomy) + \item \textbf{Query external services} then influence the score + \item Completely \textbf{different approach} (i.e streaming algorithm) + \item ... + \end{itemize} + \end{frame} - +\lstset{language=PHP} \begin{frame}[fragile] \frametitle{Creating a new decay algorithm (2)} \lstset{basicstyle=\scriptsize}
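Review bot: The new Models definition slide lists `formula` as a plain field, but the later "Creating a new decay algorithm" slides set this field to `$filename` and describe it as selecting the PHP file whose `computeScore`/`isDecayed` implement the scoring, so whoever may create or edit a model effectively chooses what code runs when scores are computed. That constraint belongs next to the `creator organisation` bullet, e.g. `\item creator organisation (model creation/edit is privileged: the \texttt{formula} field selects server-side code)` -- presumably only files already present in the models directory are selectable; confirm against the implementation before stating it. Wording: `instanciation` should be `instantiation` and `associate \textit{Attribute} types` should be `associated \textit{Attribute} types`.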
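Review bot: The added use case `Query external services then influence the score` carries no caveat, yet the API slides show scores being returned from `/attributes/restSearch`, so a custom algorithm that calls out at scoring time appears to put an external dependency on the search path: an unreachable or slow service stalls the query, and whatever the service answers feeds straight into the score. A short qualifier on that bullet would help, e.g. `\item \textbf{Query external services} then influence the score (cache, time out, and treat the response as untrusted input)`. Also `(i.e streaming algorithm)` should be `(e.g.\ streaming algorithm)` since it is an example, and `more feature` should be `more features`.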