Presentation is loading. Please wait.

Presentation is loading. Please wait.

OASIS CTI Face-to-face May 16-17

Published byEdward Morgan Modified over 5 years ago

Similar presentations

Presentation on theme: "OASIS CTI Face-to-face May 16-17"— Presentation transcript:

1 OASIS CTI Face-to-face May 16-17
Echo Detection OASIS CTI Face-to-face May 16-17

2 Background: Echo Detection
CTI is generated and sent out to the “CTI community body” That CTI gets anonymized, augmented, and aggregated within this body How does the producer recognize their own content? How does a consumer recognize the same content via different paths? CTI A CTI C CTI Community Body A ≡ B? C ≡ D? CTI B CTI D

3 Four Outcomes of Content Comparison
When comparing a new piece of CTI against the body of previously generated/received CTI, there are four possible determinations: Duplication The new CTI content is the same content seen before (possibly anonymized). Derivation The new CTI content is based on previously seen content, but the technical details have been modified in some way (e.g. through aggregation or augmentation). Independently Generated The new CTI content is about the same thing as previously seen content, but was created independently of that content. Novel Content The new CTI content is about a topic not previously seen.

4 Two Tests Needed to Determine Outcome
Semantic Equivalence – Same thing? History Check – Historically related? Semantic Equivalence Negative Neutral Positive History check In history 1 ??? Derivation 2 3 Duplication Not in history 4 Novel Content 5 ??? Independently Generated or Novel Content 6 Independently Generated

5 Semantic Equivalence Are two pieces of CTI are about the same “thing”?
Values range from “Almost certainly about different things” to “Almost certainly about the same thing” (negative to positive match) Values on a spectrum rather than Boolean Need to standardize this comparison is questionable Internal consistency is important E.g., if organization publishes its judgements about equivalence Global consistency may not be as important Organizations might disagree about whether two pieces of CTI are about the same thing Do people feel there is a need for a standard semantic equivalence test?

6 History Check Is one piece of CTI derived from another?
Nominally, derivation should imply strong semantic equivalence One exception: Correcting errors in previous CTI However, semantic equivalence does not imply historic relation Relies on globally adopted standard procedures

7 Two use cases: Which matches reality?
Single Path Multi-Path Are all cases of interest, or can we focus on single path scenarios for now?

8 Single Path: Proposed Solution
Derivation Receipt Any party that creates new content that is derived from prior content MUST send the source of that prior content a derivation receipt with the IDs of the original and derived content Any party that receives a derivation receipt MUST forward that receipt to the source from which it received the original content, if the party did not generate that content itself Parties send an explicit message down the source chain linking original and derived content.

9 Single Path: Proposed Solution (2)
Advantages: No additional data in the CTI itself Already in STIX via Relationship object – just need to codify meaning of “derived from” Disadvantages: Extra network traffic (but not too much – receipts only go to sources and could be very small) All CTI distributors need to track CTI sources so receipts can be forwarded Does not help multi-path scenarios

10 B is “Derived” from A if and only if:
B and A are both the same type of CTI (both Indicators, both Threat Actors, etc.) B is created after A The authors of B believe that B is about the same issue that is the topic of A One or more fields of A are “incorporated into” the corresponding field of B. (Direct copy, paraphrasing, subsumption, etc. all count)

11 Single Path: Proposed Solution (3)
Full STIX CTI object (with its own unique ID, creation timestamp, etc.) or something simpler? If full CTI object, use a Relationship? Differs from most CTI in that it is only of interest to one party – original content creator If a simple message, do we need a new protocol? (TAXII assumes IDs in all content) { “type”: “relationship”, "id": "relationship c99-fe19-49fe-91ff-467c183f1964", "created": " T11:16: Z", "modified": " T11:16: Z", "relationship_type": "derived-from", "source_ref": "indicator--3b5146e4-02e e00-962c230da925", "target_ref": "indicator cf2-5b34-47f7-aada-b97609c4beff“ }

12 Multi-Path: Proposed Solution
Include a history field for all derived CTI content Any party that creates new content that is derived from prior content MUST include the ID of the source content in the history of the new content. If the source content has a history, all entries from that history MUST also be added to the history of the new content (removing duplicates).

13 Multi-Path: Proposed Solution (2)
Advantages All recipients (including via multi-path scenarios) can derive history Disadvantages Long derivation chains could lead to large history fields What is a reasonable derivation chain length? Order of derivation chain is obscured Is this something we care about? Question: would it be reasonable for history to be kept in a separate, referenced piece of content (i.e., external Relationship)

14 Multi-Path: Proposed Solution (3)
Embed in CTI or record in external object (probably a modified Relationship)?

15 Multi-Path: Proposed Solution (Source 1)
{ “type”: “relationship”, "id": "relationship--fed7f04c-49e3-4c5c-a5ca-faa0fdd11509", "created": " T11:16: Z", "modified": " T11:16: Z", "relationship_type": "derived-from", "source_refs": [ "indicator e4-02e e00-962c230da925", "indicator--222ffa65-ce fe-af6ebd328f59", "indicator e-3a47-4b91-8fd7-116c02c626f5" ], "target_ref": "indicator--555a2695-eef b-a6fe4762ae34" }

16 Multi-Path: Proposed Solution (Source 2)
{ “type”: “relationship”, "id": "relationship--8d258af fe1-b4db c06c", "created": " T11:16: Z", "modified": " T11:16: Z", "relationship_type": "derived-from", "source_refs": [ "indicator--444a2cc5-738d-4066-aab9-0e65de6fbbaa", "indicator e-3a47-4b91-8fd7-116c02c626f5" ], "target_ref": "indicator dd-ed92-4bfb-a163-f700be7be063" }

17 Multi-Path: Proposed Solution (Target)
{ “type”: “relationship”, "id": "relationship--ad67d c-93b7-50e10ad1be71" "created": " T11:16: Z", "modified": " T11:16: Z", "relationship_type": "derived-from", "source_refs": [ "indicator e4-02e e00-962c230da925", "indicator--222ffa65-ce fe-af6ebd328f59", "indicator e-3a47-4b91-8fd7-116c02c626f5", "indicator--444a2cc5-738d-4066-aab9-0e65de6fbbaa", "indicator--555a2695-eef b-a6fe4762ae34", "indicator dd-ed92-4bfb-a163-f700be7be063" ], "target_ref": "indicator--777a2695-eef b-a6fe4762ae34" }

Download ppt "OASIS CTI Face-to-face May 16-17"

Similar presentations

Interest NACK Junxiao Shi, 2014-07-18. Introduction Interest NACK, aka negative acknowledgement, is sent from upstream to downstream to inform that.

Interest NACK Junxiao Shi, Introduction Interest NACK, aka "negative acknowledgement", is sent from upstream to downstream to inform that.
Cross-Jurisdictional Immunization Data Exchange Project Updated 4/29/14.

Cross-Jurisdictional Immunization Data Exchange Project Updated 4/29/14.
NETWORKING CONCEPTS. ERROR DETECTION Error occures when a bit is altered between transmission& reception ie. Binary 1 is transmitted but received is binary.

NETWORKING CONCEPTS. ERROR DETECTION Error occures when a bit is altered between transmission& reception ie. Binary 1 is transmitted but received is binary.
LEARNING OBJECTIVES Index files.

LEARNING OBJECTIVES Index files.
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn 2004-2005.

Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
Delivery, Forwarding, and Routing

Delivery, Forwarding, and Routing
® IBM Software Group © 2009 IBM Corporation Rational Publishing Engine RQM Multi Level Report Tutorial David Rennie, IBM Rational Services A/NZ

® IBM Software Group © 2009 IBM Corporation Rational Publishing Engine RQM Multi Level Report Tutorial David Rennie, IBM Rational Services A/NZ
© Janice Regan, CMPT 128, 2007-2012 0 CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.
March 7, 2012 1 Trade Software Developer Technical Seminar March 7, 2012 Cargo Release Scope and Functionality  Steven Lubel, CBP, ACE Program, Technical.

March 7, Trade Software Developer Technical Seminar March 7, 2012 Cargo Release Scope and Functionality  Steven Lubel, CBP, ACE Program, Technical.
Interest NACK Junxiao Shi, 2014-07-27. Introduction Interest NACK, aka negative acknowledgement, is sent from upstream to downstream to inform that.

Interest NACK Junxiao Shi, Introduction Interest NACK, aka "negative acknowledgement", is sent from upstream to downstream to inform that.
(Business) Process Centric Exchanges

(Business) Process Centric Exchanges
Interest NACK Junxiao Shi, 2014-07-31 1. Introduction Interest NACK, aka negative acknowledgement, is sent from upstream to downstream to inform that.

Interest NACK Junxiao Shi, Introduction Interest NACK, aka "negative acknowledgement", is sent from upstream to downstream to inform that.
Data Link Layer. Data Link Layer Topics to Cover Error Detection and Correction Data Link Control and Protocols Multiple Access Local Area Networks Wireless.

Data Link Layer. Data Link Layer Topics to Cover Error Detection and Correction Data Link Control and Protocols Multiple Access Local Area Networks Wireless.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 PART III: DATA LINK LAYER ERROR DETECTION AND CORRECTION 7.1 Chapter 10.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 PART III: DATA LINK LAYER ERROR DETECTION AND CORRECTION 7.1 Chapter 10.
SIP PUBLISH Method Jonathan Rosenberg dynamicsoft.

SIP PUBLISH Method Jonathan Rosenberg dynamicsoft.
CTI STIX SC Monthly Meeting www.oasis-open.org December 23, 2015.

CTI STIX SC Monthly Meeting December 23, 2015.
ISA 95 Working Group (Business) Process Centric Exchanges Dennis Brandl A Modest Proposal July 22, 2015.

ISA 95 Working Group (Business) Process Centric Exchanges Dennis Brandl A Modest Proposal July 22, 2015.
Part III: Data Link Layer Error Detection and Correction

Part III: Data Link Layer Error Detection and Correction
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 8 TCP/IP Suite Error and Control Messages.

1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 8 TCP/IP Suite Error and Control Messages.
1 B300 B Fall Semester 2009 Chapter Seven & Chapter Eight.

1 B300 B Fall Semester 2009 Chapter Seven & Chapter Eight.

Similar presentations

Ads by Google