OASIS CTI Face-to-face May 16-17

Slides:



Advertisements
Similar presentations
Interest NACK Junxiao Shi, Introduction Interest NACK, aka "negative acknowledgement", is sent from upstream to downstream to inform that.
Advertisements

Cross-Jurisdictional Immunization Data Exchange Project Updated 4/29/14.
NETWORKING CONCEPTS. ERROR DETECTION Error occures when a bit is altered between transmission& reception ie. Binary 1 is transmitted but received is binary.
LEARNING OBJECTIVES Index files.
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
Delivery, Forwarding, and Routing
® IBM Software Group © 2009 IBM Corporation Rational Publishing Engine RQM Multi Level Report Tutorial David Rennie, IBM Rational Services A/NZ
© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.
March 7, Trade Software Developer Technical Seminar March 7, 2012 Cargo Release Scope and Functionality  Steven Lubel, CBP, ACE Program, Technical.
Interest NACK Junxiao Shi, Introduction Interest NACK, aka "negative acknowledgement", is sent from upstream to downstream to inform that.
(Business) Process Centric Exchanges
Interest NACK Junxiao Shi, Introduction Interest NACK, aka "negative acknowledgement", is sent from upstream to downstream to inform that.
Data Link Layer. Data Link Layer Topics to Cover Error Detection and Correction Data Link Control and Protocols Multiple Access Local Area Networks Wireless.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 PART III: DATA LINK LAYER ERROR DETECTION AND CORRECTION 7.1 Chapter 10.
SIP PUBLISH Method Jonathan Rosenberg dynamicsoft.
CTI STIX SC Monthly Meeting December 23, 2015.
ISA 95 Working Group (Business) Process Centric Exchanges Dennis Brandl A Modest Proposal July 22, 2015.
Part III: Data Link Layer Error Detection and Correction
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 8 TCP/IP Suite Error and Control Messages.
1 B300 B Fall Semester 2009 Chapter Seven & Chapter Eight.
Orders – Create Responses Boeing Supply Chain Platform (BSCP) Detailed Training July 2016.
Keys and adding, deleting and modifying records in an array ● Record Keys ● Reading and Adding Records ● Partition or Sentinels Marking Space in Use ●
1 CMPT 471 Networking II OSPF © Janice Regan,
DATA TYPES.
Behrouz A. Forouzan TCP/IP Protocol Suite, 3rd Ed.
Tick three features of wikis.
IP: Addressing, ARP, Routing
ID Tracker States: An Internet Draft’s Path Through the IESG
Resource subscription using DDS in oneM2M
Cryptography and Network Security
Creating Clinical Notes in ZIMS R2
e-Health Platform End 2 End encryption
Advanced Computer Networks
Time Features Date: Authors: May 2009 Month Year
Web Caching? Web Caching:.
Introduction to Networks
CIS 321 Data Communications & Networking
任課教授:陳朝鈞 教授 學生:王志嘉、馬敏修
Customization Guidelines for BMC Remedy IT Service Management 7.5
Chapter 10: Process Implementation with Executable Models
Recording and Using Samples in ZIMS
Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity and Identity Management – A Consolidated Proposal for Terminology Authors: Andreas.
BGP update profiles and the implications for secure BGP update validation processing Geoff Huston PAM April 2007.
Cyber Standards User Council CTI-TC STIX Subcommittee Update
Location Recommendation — for Out-of-Town Users in Location-Based Social Network Yina Meng.
Homework #5 Solutions Brian A. LaMacchia
Proposal for IEEE 802.1CQ-LAAP
Top Level Sighting Object
Relational Database Model
Software Engineering System Modeling Chapter 5 (Part 1) Dr.Doaa Sami
Digital Certificates and X.509
Proposal for IEEE 802.1CQ-LAAP
Witness-based Detection of Forwarding Misbehavior in Wireless Networks
Net 323 D: Networks Protocols
Customization Guidelines for BMC Remedy IT Service Management 7.5
Technical Writing Abstract Writing.
CTI STIX SC Monthly Meeting
Tips for Writing Resolutions
How to use hash tables to solve olympiad problems
Error Detection and Correction
Reliability and Channel Coding
Rational Publishing Engine RQM Multi Level Report Tutorial
CTI STIX SC Monthly Meeting
WebDAV Advanced Collection Requirements
Should WSRP Leverage WSN?
Resolutions SOS Geoffrey Dyer, Resolutions Committee Chair Eric Narveson, Evergreen Valley College.
Cryptography and Network Security
Purchase Document Management
Reducing Overhead in Active Scanning
Introduction to Network
Presentation transcript:

OASIS CTI Face-to-face May 16-17 Echo Detection OASIS CTI Face-to-face May 16-17

Background: Echo Detection CTI is generated and sent out to the “CTI community body” That CTI gets anonymized, augmented, and aggregated within this body How does the producer recognize their own content? How does a consumer recognize the same content via different paths? CTI A CTI C CTI Community Body A ≡ B? C ≡ D? CTI B CTI D

Four Outcomes of Content Comparison When comparing a new piece of CTI against the body of previously generated/received CTI, there are four possible determinations: Duplication The new CTI content is the same content seen before (possibly anonymized). Derivation The new CTI content is based on previously seen content, but the technical details have been modified in some way (e.g. through aggregation or augmentation). Independently Generated The new CTI content is about the same thing as previously seen content, but was created independently of that content. Novel Content The new CTI content is about a topic not previously seen.

Two Tests Needed to Determine Outcome Semantic Equivalence – Same thing? History Check – Historically related?   Semantic Equivalence Negative Neutral Positive History check In history 1 ??? Derivation 2 3 Duplication Not in history 4 Novel Content 5 ??? Independently Generated or Novel Content 6 Independently Generated

Semantic Equivalence Are two pieces of CTI are about the same “thing”? Values range from “Almost certainly about different things” to “Almost certainly about the same thing” (negative to positive match) Values on a spectrum rather than Boolean Need to standardize this comparison is questionable Internal consistency is important E.g., if organization publishes its judgements about equivalence Global consistency may not be as important Organizations might disagree about whether two pieces of CTI are about the same thing Do people feel there is a need for a standard semantic equivalence test?

History Check Is one piece of CTI derived from another? Nominally, derivation should imply strong semantic equivalence One exception: Correcting errors in previous CTI However, semantic equivalence does not imply historic relation Relies on globally adopted standard procedures

Two use cases: Which matches reality? Single Path Multi-Path Are all cases of interest, or can we focus on single path scenarios for now?

Single Path: Proposed Solution Derivation Receipt Any party that creates new content that is derived from prior content MUST send the source of that prior content a derivation receipt with the IDs of the original and derived content Any party that receives a derivation receipt MUST forward that receipt to the source from which it received the original content, if the party did not generate that content itself Parties send an explicit message down the source chain linking original and derived content.

Single Path: Proposed Solution (2) Advantages: No additional data in the CTI itself Already in STIX via Relationship object – just need to codify meaning of “derived from” Disadvantages: Extra network traffic (but not too much – receipts only go to sources and could be very small) All CTI distributors need to track CTI sources so receipts can be forwarded Does not help multi-path scenarios

B is “Derived” from A if and only if: B and A are both the same type of CTI (both Indicators, both Threat Actors, etc.) B is created after A The authors of B believe that B is about the same issue that is the topic of A One or more fields of A are “incorporated into” the corresponding field of B. (Direct copy, paraphrasing, subsumption, etc. all count)

Single Path: Proposed Solution (3) Full STIX CTI object (with its own unique ID, creation timestamp, etc.) or something simpler? If full CTI object, use a Relationship? Differs from most CTI in that it is only of interest to one party – original content creator If a simple message, do we need a new protocol? (TAXII assumes IDs in all content) { “type”: “relationship”, "id": "relationship--94726c99-fe19-49fe-91ff-467c183f1964", "created": "2017-05-18T11:16:08.989000Z", "modified": "2017-05-18T11:16:08.989000Z", "relationship_type": "derived-from", "source_ref": "indicator--3b5146e4-02e8-4317-8e00-962c230da925", "target_ref": "indicator--25983cf2-5b34-47f7-aada-b97609c4beff“ }

Multi-Path: Proposed Solution Include a history field for all derived CTI content Any party that creates new content that is derived from prior content MUST include the ID of the source content in the history of the new content. If the source content has a history, all entries from that history MUST also be added to the history of the new content (removing duplicates).

Multi-Path: Proposed Solution (2) Advantages All recipients (including via multi-path scenarios) can derive history Disadvantages Long derivation chains could lead to large history fields What is a reasonable derivation chain length? Order of derivation chain is obscured Is this something we care about? Question: would it be reasonable for history to be kept in a separate, referenced piece of content (i.e., external Relationship)

Multi-Path: Proposed Solution (3) Embed in CTI or record in external object (probably a modified Relationship)?

Multi-Path: Proposed Solution (Source 1) { “type”: “relationship”, "id": "relationship--fed7f04c-49e3-4c5c-a5ca-faa0fdd11509", "created": "2017-05-18T11:16:08.989000Z", "modified": "2017-05-18T11:16:08.989000Z", "relationship_type": "derived-from", "source_refs": [ "indicator--111546e4-02e8-4317-8e00-962c230da925", "indicator--222ffa65-ce77-4318-87fe-af6ebd328f59", "indicator--3338593e-3a47-4b91-8fd7-116c02c626f5" ], "target_ref": "indicator--555a2695-eef4-4968-854b-a6fe4762ae34" }

Multi-Path: Proposed Solution (Source 2) { “type”: “relationship”, "id": "relationship--8d258af0-1582-4fe1-b4db-16277332c06c", "created": "2017-05-18T11:16:08.989000Z", "modified": "2017-05-18T11:16:08.989000Z", "relationship_type": "derived-from", "source_refs": [ "indicator--444a2cc5-738d-4066-aab9-0e65de6fbbaa", "indicator--3338593e-3a47-4b91-8fd7-116c02c626f5" ], "target_ref": "indicator-- 666899dd-ed92-4bfb-a163-f700be7be063" }

Multi-Path: Proposed Solution (Target) { “type”: “relationship”, "id": "relationship--ad67d195-7539-498c-93b7-50e10ad1be71" "created": "2017-05-18T11:16:08.989000Z", "modified": "2017-05-18T11:16:08.989000Z", "relationship_type": "derived-from", "source_refs": [ "indicator--111546e4-02e8-4317-8e00-962c230da925", "indicator--222ffa65-ce77-4318-87fe-af6ebd328f59", "indicator--3338593e-3a47-4b91-8fd7-116c02c626f5", "indicator--444a2cc5-738d-4066-aab9-0e65de6fbbaa", "indicator--555a2695-eef4-4968-854b-a6fe4762ae34", "indicator-- 666899dd-ed92-4bfb-a163-f700be7be063" ], "target_ref": "indicator--777a2695-eef4-4968-854b-a6fe4762ae34" }