diff --git a/20230930-cakefest/attack-screenshot.png b/20230930-cakefest/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/20230930-cakefest/attack-screenshot.png differ
diff --git a/20230930-cakefest/bankaccount.png b/20230930-cakefest/bankaccount.png
new file mode 100644
index 0000000..94eb5cc
Binary files /dev/null and b/20230930-cakefest/bankaccount.png differ
diff --git a/20230930-cakefest/bankview.png b/20230930-cakefest/bankview.png
new file mode 100644
index 0000000..ce629c1
Binary files /dev/null and b/20230930-cakefest/bankview.png differ
diff --git a/20230930-cakefest/blueprint.png b/20230930-cakefest/blueprint.png
new file mode 100644
index 0000000..ac96976
Binary files /dev/null and b/20230930-cakefest/blueprint.png differ
diff --git a/20230930-cakefest/circl.png b/20230930-cakefest/circl.png
new file mode 100644
index 0000000..c570ff2
Binary files /dev/null and b/20230930-cakefest/circl.png differ
diff --git a/20230930-cakefest/content.tex b/20230930-cakefest/content.tex
new file mode 100755
index 0000000..fa084e6
--- /dev/null
+++ b/20230930-cakefest/content.tex
@@ -0,0 +1,245 @@
+% DO NOT COMPILE THIS FILE DIRECTLY!
+% This is included by the other .tex files.
+
+\begin{frame}[t,plain]
+\titlepage
+\end{frame}
+
+\section{MISP}
+
+\begin{frame}
+ \frametitle{about CIRCL and MISP}
+ \begin{itemize}
+ \item CIRCL
+ \begin{itemize}
+ \item National CERT for the private sector, communes, non-govermental entities in Luxembourg
+ \item Government-driven initiative, funded by the Ministry of Economy
+ \item Mission is to provide a systematic response to computer security threats and incidents
+ \item Open Source toolsmiths
+ \end{itemize}
+ \item Our relationship with MISP has two sides
+ \begin{itemize}
+ \item We {\bf lead the development} of the MISP platform
+ \item We are also involved with and {\bf run several communities}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What is MISP?}
+\begin{itemize}
+ \item MISP is a {\bf threat information sharing} platform (TISP) built using CakePHP
+ \item A tool used and deployed by CSIRTs, SOCs, Cyber threat researchers around the world
+ \item Users can either deploy their own MISPs or can become users of an existing MISP instance hosted by someone else
+ \item MISP instances can be interconnected, creating large exchange networks with different topologies (mesh, hub/spoke, hybrid)
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What is the MISP-project?}
+\begin{itemize}
+ \item Besides being a a web application, the MISP-project also contains the following:
+ \begin{itemize}
+ \item A set of {\bf open standards} (implemented by MISP and other tools)
+ \item An {\bf ecosystem} of libraries, supporting tools
+ \item A collection of guidance and best practice documentation by practitioners
+ \end{itemize}
+ \item All of these are free \& open source
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{What are the objectives of a modern TISP?}
+\begin{itemize}
+ \item A tool that {\bf collects threat information} from partners, your analysts, your tools, sensors, feeds
+ \item Normalises, {\bf correlates}, {\bf enriches} the data
+ \item Manages your processes and automates tasks such as {\bf notifications}, {\bf data flow management}, {\bf triaging} and so on
+ \item Allows teams and communities to {\bf collaborate} and rapidly {\bf exchange knowledge}
+ \item {\bf Feeds} automated protective tools and analyst tools with the output
+ \item {\bf Presents} both individualised and community centric facts, trends, reports of the intelligence
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{MISP: Started from a practical use-case}
+ \begin{itemize}
+ \item During a malware analysis workgroup in 2012, we discovered that we worked on the analysis of the same malware.
+ \item We wanted to share information in an easy and automated way {\bf to avoid duplication of work}.
+ \item Christophe Vandeplas (then working at the CERT for the Belgian MoD) showed us his work on a platform that later became MISP.
+ \item A first version of the MISP Platform was used by the MALWG and {\bf the increasing feedback of users} helped us to build an improved platform.
+ \item MISP is now {\bf a community-driven development} supporting different intelligence communities.
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Development based on practical user feedback}
+\begin{itemize}
+ \item Organic growth over time within security teams:
+ \begin{itemize}
+ \item {\bf Malware reversers}: share indicators of analysis with colleagues.
+ \item {\bf Security analysts} searching, validating and using indicators in ops.
+ \item {\bf Intelligence analysts} researching adversary groups.
+ \item {\bf Risk analysis teams} monitoring trends, threats, remediations.
+ \end{itemize}
+ \item Some examples of other communities picking up MISP:
+ \begin{itemize}
+ \item {\bf Financial sector}: sharing financial indicators, fraud information.
+ \item {\bf Law-enforcement}: bootstrapping DFIR cases, non-cyber-threats, border control, etc
+ \item {\bf Military} sharing highly specialised information.
+ \item {\bf Disinformation research}: Election interference, disinfo campaigns, etc.
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Why do we develop all of this?}
+\begin{itemize}
+ \item {\bf Main goal}: Make our own lives and the lives of our constituency easier
+ \begin{itemize}
+ \item Our central tool for ingesting, storing and disseminating information...
+ \item ...as well as to interact with organisations
+ \item By solving issues of other communities, we already have them prepared for information sharing with us when needed
+ \end{itemize}
+ \item {\bf Secondary}: Democratise threat intelligence for all
+ \item {\bf Stretch goal}: Build a full open-source tool-chain for CSIRTs / SoCs / etc
+\end{itemize}
+\end{frame}
+
+\begin{frame}
+ \frametitle{Communities using MISP}
+ \begin{itemize}
+ \item Communities are groups of users sharing within a set of common objectives/values.
+ \item CIRCL operates multiple MISP instances with a significant user base (more than 2k organizations with close to 5k users).
+ \item {\bf Trust groups} running MISP communities in island mode (air gapped system) or partially connected mode.
+ \item {\bf Financial sector} (banks, ISACs, payment processing organizations) use MISP as a sharing mechanism.
+ \item {\bf Military and international organizations} (NATO, military CSIRTs, n/g CERTs,...).
+ \item {\bf Security vendors} running their own communities.
+ \item {\bf Sectorial communities} Telcoes, ISPs, Medical, ATF, ...
+ \item {\bf Topical communities} set up to tackle individual specific issues (disinformation, SIGINT, COVID-19, ...)
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Information pipeline}
+ \includegraphics[width=0.75\linewidth]{misp_data_flow.png}
+\end{frame}
+
+
+\section{How can this be relevant to you?}
+
+\begin{frame}
+\frametitle{Why should you care?}
+ \begin{itemize}
+ \item Due to Security
+ \begin{itemize}
+ \item If you have a security team / operations team looking for threat intel
+ \item If you would like to automate your security processes
+ \item If you are dealing with security incidents and would like to collaborate
+ \end{itemize}
+ \item If you're looking for ways to overcome development challenges
+ \begin{itemize}
+ \item We've been building this by now rather complex application since 2012
+ \item Long list of libraries, techniques, ideas that can be reused
+ \end{itemize}
+ \item Let's dive a bit into the second option and what you'd find in the codebase
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Our tech stack}
+ \begin{itemize}
+ \item Based on CakePHP 2.x, currently being ported to 4.x (5.x once it's out)
+ \begin{itemize}
+ \item We have a sister project called Cerebrate, which prepared the grounds
+ \item CakePHP 4.x based contact management and orchestration platform
+ \end{itemize}
+ \item MySQL + Redis back-end
+ \item Custom front-end using a variety of JS libraries
+ \item Different interconnection libraries (Custom, ZMQ, Kafka)
+ \item Python module micro-service system built on tornado
+ \item Background processing based on Supervisord (previously CakeResque)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}
+\frametitle{Looking for solutions? Some of the issues tackled by MISP:}
+ \begin{itemize}
+ \item Reusable {\bf libraries} to ease the development (ACL, CRUD, Correlation, etc)
+ \item Extensible / customisable data model
+ \item Visualisation solutions and dashboarding
+ \end{itemize}
+ \includegraphics[width=1.00\linewidth]{dashboard.png}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Looking for solutions? Some of the issues tackled by MISP:}
+ \begin{itemize}
+ \item {\bf UI/API parity} across the entire application
+ \item Tight {\bf access control over both data and functionalities}
+ \item {\bf Secure information exchange} in adversial conditions
+ \begin{itemize}
+ \item Cross instance {\bf distribution model}
+ \item {\bf Trust group management}
+ \item Optional {\bf cryptographic tamper proofing} of data in large mesh networks
+ \end{itemize}
+ \end{itemize}
+ \includegraphics[width=1.00\linewidth]{signed-sync.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Looking for solutions? Some of the issues tackled by MISP:}
+ \begin{itemize}
+ \item Heavy {\bf background processing} and its management
+ \item {\bf Communication} via different channels (mailing, different MQs, APIs)
+ \item Interactive workflow management
+ \end{itemize}
+ \includegraphics[width=1.00\linewidth]{workflow.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Looking for solutions? Some of the issues tackled by MISP:}
+ \begin{itemize}
+ \item Modular design
+ \item Data quality management
+ \begin{itemize}
+ \item User defined decaying model
+ \item False positive management
+ \end{itemize}
+ \end{itemize}
+ \includegraphics[width=1.00\linewidth]{decaying.png}
+\end{frame}
+
+\begin{frame}
+\frametitle{Quick note about Cerebrate}
+ \begin{itemize}
+ \item Our CakePHP 4.x based Contact management and Orchestration tool
+ \item Large code overlap with MISP (same modular libraries)
+ \item Similar design principles
+ \item Currently in use at the European CSIRT-Network
+ \item Similarly to MISP, OSS
+ \end{itemize}
+ \includegraphics[width=1.00\linewidth]{cerebrate.png}
+\end{frame}
+
+
+\begin{frame}
+ \frametitle{Get in touch if you have any questions}
+ \begin{itemize}
+ \item Contact me:
+ \begin{itemize}
+ \item andras.iklody@circl.lu \url{https://twitter.com/iglocska} \url{https://infosec.exchange/@iglocska}
+ \end{itemize}
+ \item Contact us:
+ \begin{itemize}
+ \item info@circl.lu \url{https://twitter.com/circl_lu} \url{https://www.circl.lu/}
+ \item \url{https://github.com/MISP} \url{https://www.misp-project.org/}
+ \item \url{https://twitter.com/MISPProject} \url{https://misp-community.org/@misp}
+ \item \url{https://github.com/cerebrate-project} \url{https://www.cerebrate-project.org/}
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
diff --git a/20230930-cakefest/creativity.png b/20230930-cakefest/creativity.png
new file mode 100644
index 0000000..d9878e2
Binary files /dev/null and b/20230930-cakefest/creativity.png differ
diff --git a/20230930-cakefest/dashboard-new.png b/20230930-cakefest/dashboard-new.png
new file mode 100644
index 0000000..24cb024
Binary files /dev/null and b/20230930-cakefest/dashboard-new.png differ
diff --git a/20230930-cakefest/dashboard-trendings.png b/20230930-cakefest/dashboard-trendings.png
new file mode 100644
index 0000000..e8937e4
Binary files /dev/null and b/20230930-cakefest/dashboard-trendings.png differ
diff --git a/20230930-cakefest/decaying-basescore.png b/20230930-cakefest/decaying-basescore.png
new file mode 100644
index 0000000..d21e261
Binary files /dev/null and b/20230930-cakefest/decaying-basescore.png differ
diff --git a/20230930-cakefest/decaying-event.png b/20230930-cakefest/decaying-event.png
new file mode 100644
index 0000000..553b9e7
Binary files /dev/null and b/20230930-cakefest/decaying-event.png differ
diff --git a/20230930-cakefest/decaying-index.png b/20230930-cakefest/decaying-index.png
new file mode 100644
index 0000000..c8c9754
Binary files /dev/null and b/20230930-cakefest/decaying-index.png differ
diff --git a/20230930-cakefest/decaying-simulation.png b/20230930-cakefest/decaying-simulation.png
new file mode 100644
index 0000000..8252a09
Binary files /dev/null and b/20230930-cakefest/decaying-simulation.png differ
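Review bot: In content.tex, five `\includegraphics` targets (`dashboard.png`, `signed-sync.png`, `workflow.png`, `decaying.png` and `cerebrate.png`) are not among the files this commit adds under `20230930-cakefest/`, and slide.tex sets no `\graphicspath`, so unless they already exist in the tree the deck will stop with a missing-file error. Either add those five images or point the frames at assets that are added, e.g. `\includegraphics[width=1.00\linewidth]{dashboard-new.png}` if that is the intended picture. Separately, the frames use the obsolete `{\bf ...}` switch where `\textbf{...}` is the supported form, and three typos are worth fixing before the talk: `non-govermental`, `a a web application` and `adversial`.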
diff --git a/20230930-cakefest/decaying-tool.png b/20230930-cakefest/decaying-tool.png
new file mode 100644
index 0000000..ff8c298
Binary files /dev/null and b/20230930-cakefest/decaying-tool.png differ
diff --git a/20230930-cakefest/en_cef.png b/20230930-cakefest/en_cef.png
new file mode 100644
index 0000000..5fed070
Binary files /dev/null and b/20230930-cakefest/en_cef.png differ
diff --git a/20230930-cakefest/galaxy-ransomware.png b/20230930-cakefest/galaxy-ransomware.png
new file mode 100644
index 0000000..5cf42cc
Binary files /dev/null and b/20230930-cakefest/galaxy-ransomware.png differ
diff --git a/20230930-cakefest/governance.png b/20230930-cakefest/governance.png
new file mode 100644
index 0000000..389d250
Binary files /dev/null and b/20230930-cakefest/governance.png differ
diff --git a/20230930-cakefest/misp-distributed.pdf b/20230930-cakefest/misp-distributed.pdf
new file mode 100644
index 0000000..9bacba7
Binary files /dev/null and b/20230930-cakefest/misp-distributed.pdf differ
diff --git a/20230930-cakefest/misp-overview-simplified.pdf b/20230930-cakefest/misp-overview-simplified.pdf
new file mode 100644
index 0000000..021b252
Binary files /dev/null and b/20230930-cakefest/misp-overview-simplified.pdf differ
diff --git a/20230930-cakefest/misp-overview.pdf b/20230930-cakefest/misp-overview.pdf
new file mode 100644
index 0000000..b1d92c8
Binary files /dev/null and b/20230930-cakefest/misp-overview.pdf differ
diff --git a/20230930-cakefest/misp.pdf b/20230930-cakefest/misp.pdf
new file mode 100644
index 0000000..f7a3f9d
Binary files /dev/null and b/20230930-cakefest/misp.pdf differ
diff --git a/20230930-cakefest/misp_data_flow.png b/20230930-cakefest/misp_data_flow.png
new file mode 100644
index 0000000..88a3ff0
Binary files /dev/null and b/20230930-cakefest/misp_data_flow.png differ
diff --git a/20230930-cakefest/misplogo.pdf b/20230930-cakefest/misplogo.pdf
new file mode 100644
index 0000000..60da568
Binary files /dev/null and b/20230930-cakefest/misplogo.pdf differ
diff --git a/20230930-cakefest/notes.txt b/20230930-cakefest/notes.txt
new file mode 100644
index 0000000..6dad91d
--- /dev/null
+++ b/20230930-cakefest/notes.txt
@@ -0,0 +1,50 @@
+What is MISP?
+
+# SUBSECTION 1: intro
+
+## what is MISP?
+- tisp
+- oss
+- ecosystem of tools and libraries
+- a set of formats
+
+## Who are we and why does CIRCL develop it?
+- national CSIRT
+- central tool for our activities
+ - information dissemination
+ - incident handling
+ - collaboration
+ - data fusion
+
+## How does a TISP such as MISP do?
+- graph showing the main functionalities
+
+
+# SUBSECTION 2: ingestion
+
+## Manual data creation
+
+## Synchronisation from other communities
+
+## Feed ingestion
+
+## Ingestion from tools / sensors
+
+
+# SUBSECTION 3: managing data and collaboration
+
+##
+
+
+# SUBSECTION 4: Dissemination
+
+## Synchronisation
+## Feed generation
+## Automation
+## dashboarding
+## Reporting
+
+
+
+
+#
diff --git a/20230930-cakefest/object.png b/20230930-cakefest/object.png
new file mode 100644
index 0000000..acebf04
Binary files /dev/null and b/20230930-cakefest/object.png differ
diff --git a/20230930-cakefest/pipeline_chart.md b/20230930-cakefest/pipeline_chart.md
new file mode 100644
index 0000000..bacb0f5
--- /dev/null
+++ b/20230930-cakefest/pipeline_chart.md
@@ -0,0 +1,31 @@
+```mermaid
+flowchart
+ A[Analysts] --> MI[(MISP ingestion)]
+ S[Sensors] --> MI
+ OM[Other Communities] --> MI
+ F[Feeds] --> MI
+ IT[Internal tools] --> MI
+ MI --> IF[Input filters]
+ IF --> MP[(MISP processing)]
+ MP <--> E[Enrichment]
+ MP <--> Col[Collaboration]
+ MP --> MD[(MISP dissemination)]
+ MP <--> C[Correlation]
+ MP <--> Wo[Workflows]
+ MD --> W[Warninglists]
+ W --> APIs
+ W --> Ex[Export tools]
+ MD --> SF[Sync filtering]
+ SF --> MG[MISP Guard]
+ MG --> OM2[Other Communities]
+ MD ---> Analyst[Analyst tools]
+ MD --> UF[User filters]
+ UF --> Dashboard
+ UF --> Reporting
+
+
+
+ style MI fill:#00a1e0,stroke:#333,stroke-width:1px,color:#fff
+ style MP fill:#00a1e0,stroke:#333,stroke-width:1px,color:#fff
+ style MD fill:#00a1e0,stroke:#333,stroke-width:1px,color:#fff
+```
diff --git a/20230930-cakefest/screenshots/Sightings1.PNG b/20230930-cakefest/screenshots/Sightings1.PNG
new file mode 100644
index 0000000..5546cf3
Binary files /dev/null and b/20230930-cakefest/screenshots/Sightings1.PNG differ
diff --git a/20230930-cakefest/screenshots/Sightings2.PNG b/20230930-cakefest/screenshots/Sightings2.PNG
new file mode 100644
index 0000000..cd35990
Binary files /dev/null and b/20230930-cakefest/screenshots/Sightings2.PNG differ
diff --git a/20230930-cakefest/screenshots/attack-screenshot.png b/20230930-cakefest/screenshots/attack-screenshot.png
new file mode 100644
index 0000000..44cf2ff
Binary files /dev/null and b/20230930-cakefest/screenshots/attack-screenshot.png differ
diff --git a/20230930-cakefest/screenshots/bankaccount.png b/20230930-cakefest/screenshots/bankaccount.png
new file mode 100644
index 0000000..94eb5cc
Binary files /dev/null and b/20230930-cakefest/screenshots/bankaccount.png differ
diff --git a/20230930-cakefest/screenshots/bankview.png b/20230930-cakefest/screenshots/bankview.png
new file mode 100644
index 0000000..ce629c1
Binary files /dev/null and b/20230930-cakefest/screenshots/bankview.png differ
diff --git a/20230930-cakefest/screenshots/bhadra-matrix.png b/20230930-cakefest/screenshots/bhadra-matrix.png
new file mode 100644
index 0000000..74cfc4e
Binary files /dev/null and b/20230930-cakefest/screenshots/bhadra-matrix.png differ
diff --git a/20230930-cakefest/screenshots/campaign.png b/20230930-cakefest/screenshots/campaign.png
new file mode 100644
index 0000000..df5b653
Binary files /dev/null and b/20230930-cakefest/screenshots/campaign.png differ
diff --git a/20230930-cakefest/screenshots/enrichment1.PNG b/20230930-cakefest/screenshots/enrichment1.PNG
new file mode 100644
index 0000000..4e7df5d
Binary files /dev/null and b/20230930-cakefest/screenshots/enrichment1.PNG differ
diff --git a/20230930-cakefest/screenshots/enrichment2.PNG b/20230930-cakefest/screenshots/enrichment2.PNG
new file mode 100644
index 0000000..5d1c4c4
Binary files /dev/null and b/20230930-cakefest/screenshots/enrichment2.PNG differ
diff --git a/20230930-cakefest/screenshots/enrichment3.PNG b/20230930-cakefest/screenshots/enrichment3.PNG
new file mode 100644
index 0000000..e785f2c
Binary files /dev/null and b/20230930-cakefest/screenshots/enrichment3.PNG differ
diff --git a/20230930-cakefest/screenshots/enrichment4.PNG b/20230930-cakefest/screenshots/enrichment4.PNG
new file mode 100644
index 0000000..5f01cd9
Binary files /dev/null and b/20230930-cakefest/screenshots/enrichment4.PNG differ
diff --git a/20230930-cakefest/screenshots/false-positive.png b/20230930-cakefest/screenshots/false-positive.png
new file mode 100644
index 0000000..7dd3dea
Binary files /dev/null and b/20230930-cakefest/screenshots/false-positive.png differ
diff --git a/20230930-cakefest/screenshots/freetext1.PNG b/20230930-cakefest/screenshots/freetext1.PNG
new file mode 100644
index 0000000..cb17c4c
Binary files /dev/null and b/20230930-cakefest/screenshots/freetext1.PNG differ
diff --git a/20230930-cakefest/screenshots/freetxt2.PNG b/20230930-cakefest/screenshots/freetxt2.PNG
new file mode 100644
index 0000000..4bfb092
Binary files /dev/null and b/20230930-cakefest/screenshots/freetxt2.PNG differ
diff --git a/20230930-cakefest/screenshots/freetxt3.PNG b/20230930-cakefest/screenshots/freetxt3.PNG
new file mode 100644
index 0000000..6d348ee
Binary files /dev/null and b/20230930-cakefest/screenshots/freetxt3.PNG differ
diff --git a/20230930-cakefest/screenshots/normaltag.png b/20230930-cakefest/screenshots/normaltag.png
new file mode 100644
index 0000000..781182c
Binary files /dev/null and b/20230930-cakefest/screenshots/normaltag.png differ
diff --git a/20230930-cakefest/screenshots/sg-example.png b/20230930-cakefest/screenshots/sg-example.png
new file mode 100644
index 0000000..ade1252
Binary files /dev/null and b/20230930-cakefest/screenshots/sg-example.png differ
diff --git a/20230930-cakefest/screenshots/sighting-n.png b/20230930-cakefest/screenshots/sighting-n.png
new file mode 100644
index 0000000..f9ec127
Binary files /dev/null and b/20230930-cakefest/screenshots/sighting-n.png differ
diff --git a/20230930-cakefest/sighting-n.png b/20230930-cakefest/sighting-n.png
new file mode 100644
index 0000000..f9ec127
Binary files /dev/null and b/20230930-cakefest/sighting-n.png differ
diff --git a/20230930-cakefest/sigint.png b/20230930-cakefest/sigint.png
new file mode 100644
index 0000000..560f5ed
Binary files /dev/null and b/20230930-cakefest/sigint.png differ
diff --git a/20230930-cakefest/slide.tex b/20230930-cakefest/slide.tex
new file mode 100644
index 0000000..9686845
--- /dev/null
+++ b/20230930-cakefest/slide.tex
@@ -0,0 +1,23 @@
+\documentclass{beamer}
+\usetheme[numbering=progressbar]{focus}
+\definecolor{main}{RGB}{47, 161, 219}
+\definecolor{textcolor}{RGB}{128, 128, 128}
+\definecolor{background}{RGB}{240, 247, 255}
+
+\usepackage[utf8]{inputenc}
+\usepackage{tikz}
+\usepackage{listings}
+\usetikzlibrary{positioning}
+\usetikzlibrary{shapes,arrows}
+
+
+\title{Open Source Threat Intelligence @ MISP using CakePHP}
+\author{\small{\input{../includes/authors.txt}}}
+\date{\input{../includes/location.txt}}
+\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
+\institute{MISP Project \\ \url{https://www.misp-project.org/}}
+
+\begin{document}
+\include{content}
+\end{document}
+
diff --git a/20230930-cakefest/tags-2-4-70.png b/20230930-cakefest/tags-2-4-70.png
new file mode 100644
index 0000000..e1c6fbd
Binary files /dev/null and b/20230930-cakefest/tags-2-4-70.png differ
diff --git a/20230930-cakefest/taxonomy-workflow.png b/20230930-cakefest/taxonomy-workflow.png
new file mode 100644
index 0000000..f4789ad
Binary files /dev/null and b/20230930-cakefest/taxonomy-workflow.png differ
diff --git a/20230930-cakefest/timeline-misp-overview.png b/20230930-cakefest/timeline-misp-overview.png
new file mode 100644
index 0000000..23ff19b
Binary files /dev/null and b/20230930-cakefest/timeline-misp-overview.png differ
diff --git a/20230930-cakefest/warning-list-event.png b/20230930-cakefest/warning-list-event.png
new file mode 100644
index 0000000..22c6423
Binary files /dev/null and b/20230930-cakefest/warning-list-event.png differ
diff --git a/20230930-cakefest/warning-list.png b/20230930-cakefest/warning-list.png
new file mode 100644
index 0000000..f151ded
Binary files /dev/null and b/20230930-cakefest/warning-list.png differ
diff --git a/20230930-cakefest/workflow_initial.png b/20230930-cakefest/workflow_initial.png
new file mode 100644
index 0000000..7c6b54c
Binary files /dev/null and b/20230930-cakefest/workflow_initial.png differ
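Review bot: `\include{content}` on the line before `\end{document}` in slide.tex is the chapter-level mechanism: it forces a `\clearpage` around the file and writes a separate `content.aux`, neither of which a slide body needs. `\input{content}` is the plain textual inclusion that the header comment in content.tex describes. `tikz`, `listings` and the two `\usetikzlibrary` lines are loaded, but nothing in content.tex as added here uses them, so they can be dropped unless another file of the deck depends on them.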
diff --git a/20230930-cakefest/workflow_initial2.png b/20230930-cakefest/workflow_initial2.png
new file mode 100644
index 0000000..d384c34
Binary files /dev/null and b/20230930-cakefest/workflow_initial2.png differ
diff --git a/20230930-cakefest/x-isac-logo.png b/20230930-cakefest/x-isac-logo.png
new file mode 100755
index 0000000..21c68bc
Binary files /dev/null and b/20230930-cakefest/x-isac-logo.png differ