scoring model for iocs by combining open intelligence
play

Scoring model for IoCs by combining open intelligence feeds to - PowerPoint PPT Presentation

Dec 27, 2023 •49 likes •349 views

Scoring model for IoCs by combining open intelligence feeds to reduce false positives Authors: Supervisors: Joao de Novais Marques Jelle Ermerins Leandro Velasco Niek van Noort 1 Introduction Indicators of Compromise (IoCs) identify

  1. Scoring model for IoCs by combining open intelligence feeds to reduce false positives Authors: Supervisors: Joao de Novais Marques Jelle Ermerins Leandro Velasco Niek van Noort 1

  2. Introduction Indicators of Compromise (IoCs) identify possible threats The problem is false positives Several intelligence feeds available online Design a scoring model to reduce false positives Example of an indicator of compromise (source: AbuseIPDB) 2

  3. Example of an intelligence feed 3

  4. 4

  5. Related work A scoring model was designed by researchers from CIRCL (Luxembourg) ● Using a decay rate ● The score of an IoC decays over time T. Schaberreiter et al. designed another scoring model ● Comparing different sources ● Using features like extensiveness, timeliness, completeness No research on dependency between intelligence feeds No practical research 5

  6. Research questions (Challenges of designing the scoring model) How can we use multiple open intelligence feeds in a scoring model to determine the quality of IoCs? How independent are different intelligence feeds from each other? How do we make the model time dependent? How do we decide if we can trust an intelligence feed? How do we calculate one score from multiple feeds with different levels of trust? 6

  7. How independent are different intelligence feeds from each other? 7

  8. Independence and overlap of feeds Overlap is important But intelligence feeds need to be independent Used intelligence feeds: ● AbuseIPDB ● Binary Defense Banlist ● C&C Tracker ● Cyber Cure 8

  9. Overlap matrix of the intelligence feeds 9

  10. Overlap matrix, where difference in first sighting is smaller than a day 10

  11. How do we make the model time dependent? 11

  12. Decay time IoC will lose value over time when it hasn’t been seen Decay function with different 𝛆 parameter values and a fixed 𝛖 value of 100 12

  13. How do we decide if we can trust an intelligence feed? 13

  14. Source confidence Quality of the source based on some features Extensiveness Timeliness Completeness Whitelist Overlap Score 14

  15. Extensiveness How many properties does the intelligence feed provide? Feed A: - IP: 5.79.79.212 High Extensiveness - Last seen: 2020-02-01 11:03 - Extra info: IP used by banjori C&C Feed B: - IP: 1.1.209.45 Low Extensiveness 15

  16. Timeliness How fast is the intelligence feed? IoC in fastest feed IoC in feed S 16

  17. Completeness How many IoCs does the feed provide? Trustworthy small scale feeds could be disadvantaged! 17

  18. Whitelist Overlap Score Does the feed have overlap with a whitelist? 18

  19. Whitelist Overlap Score Whitelist overlap score of our feeds. ( ⍴ = 0.1) Whitelist overlap percentage 19

  20. The Source Confidence Weighted mean of: Weight: - Extensiveness 0.8 - Timeliness 0.6 - Completeness 0.0 - Whitelist Overlap Score 1.0 20

  21. How do we calculate one score from multiple feeds with different levels of trust? 21

  22. Final Score Calculation Advantage: The source confidence is still useful when an IoC is found in one feed only. Disadvantage: Each intelligence feed has the same amount of influence on the final score. 22

  23. Final Score Calculation Advantage: The source confidence works as a weight on the final score per feed. Disadvantage: The source confidence is useless when an IoC is found in one feed only: 23

  24. Final Score Calculation A square has been added Solution: Combine the two previous functions: We have both advantages: 24

  25. The scoring model 25

  26. The scoring model 26

  27. How can we use intelligence feeds in a scoring model to determine the quality of IoCs? 27

  28. Conclusion How independent are different intelligence feeds from each other? The feeds are independent We want more independent feeds with overlap How do we make the model time dependent? Decay rate How do we decide if we can trust an intelligence feed? Trust based on extensiveness, timeliness, completeness and whitelist correlation How do we calculate one score from multiple feeds with different levels of trust? Source confidence as weight for the feed And also as part of the IoC score itself 28

  29. Future work Parameter optimization Other characteristics for the source confidence Other intelligence feeds Scoring whitelists 29

  30. Thank you! And special thanks to: Joao de Novais Marques Leandro Velasco 30

Recommend

Advances in Credit Scoring: combining performance and interpretation in Kernel Discriminant

Advances in Credit Scoring: combining performance and interpretation in Kernel Discriminant

Advances in Credit Scoring: combining performance and interpretation in Kernel Discriminant Analysis. Caterina Liberati DEMS Universit degli Studi di Milano-Bicocca, Milan, Italy caterina.liberati@unimib.it November 10 th 2017 Liberati 1 /

564 views • 38 slides
Welcome to Scoring the ACIRI a Job Aid. 1 This job aid provides a brief review of the scoring

Welcome to Scoring the ACIRI a Job Aid. 1 This job aid provides a brief review of the scoring

Welcome to Scoring the ACIRI a Job Aid. 1 This job aid provides a brief review of the scoring procedure for the Adult-Child Interactive Reading Inventory. For detailed training on administering and scoring the assessment, please speak with

758 views • 40 slides
Exercise 8: Scoring Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the

Exercise 8: Scoring Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the

Exercise 8: Scoring Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add scoring cards 2- Practice with AUXSCORE card 3- Plot simulation results 4- Convert results to ASCII 2 Exercise 8: Scoring

501 views • 4 slides
Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source Software Leon Anavi Konsulko Group leon.anavi@konsulko.com leon@anavi.org FOSDEM 2018 Agenda Home automation and smart lightning Open

422 views • 30 slides
Automated Scoring of Written Open Responses John H.A.L. de Jong Language Testing Peter W.

Automated Scoring of Written Open Responses John H.A.L. de Jong Language Testing Peter W.

Automated Scoring of Written Open Responses John H.A.L. de Jong Language Testing Peter W. Foltz Knowledge Technologies Ying Zheng Language Testing Click here Talk Overview How written item scoring works How well it works Some existing

540 views • 28 slides
Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add

Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add

Exercise 8: Scoring FLUKA Beginners Course Exercise 8: Scoring Aim of the exercise: 1- Add scoring cards 2- Practice with AUXSCORE card 3- Plot simulation results 4- Convert results to ASCII 2 Exercise 8: Scoring Start from the

724 views • 4 slides
Open Source Business Intelligence Open Source Business Intelligence Produkte, Anbieter,

Open Source Business Intelligence Open Source Business Intelligence Produkte, Anbieter,

Open Source Business Intelligence Open Source Business Intelligence Produkte, Anbieter, Geschftsmodelle Produkte, Anbieter, Geschftsmodelle Workshop Open Source Business Intelligence Prof. Dr. Peter Gluchowski 24. September 2009 -

581 views • 41 slides
Collective Intelligence-Based Quality Assurance: Combining Inspection and Risk Assessment to

Collective Intelligence-Based Quality Assurance: Combining Inspection and Risk Assessment to

Collective Intelligence-Based Quality Assurance: Combining Inspection and Risk Assessment to Support Process Improvement in Multi-Disciplinary Engineering Dietmar Winkler 1,2 , Jrgen Musil 2 , Angelika Musil 2 , Stefan Biffl 2 1 SBA Research

336 views • 11 slides
Mountain High Swim League Scoring Presentation 2018 Scoring Committee 1 MHSL Scoring Training

Mountain High Swim League Scoring Presentation 2018 Scoring Committee 1 MHSL Scoring Training

Mountain High Swim League Scoring Presentation 2018 Scoring Committee 1 MHSL Scoring Training 2018 Contact Info Strong Recommendation: use permanent e-mail addresses Meet your Division's Scoring Committee Representative

366 views • 22 slides
Combining judgments with messy data to build Bayesian Network models for improved intelligence

Combining judgments with messy data to build Bayesian Network models for improved intelligence

Combining judgments with messy data to build Bayesian Network models for improved intelligence analysis and decision support SPUDM 2017, Haifa, Israel 22 August 2017 Norman Fenton Queen Mary University of London and Agena Ltd

628 views • 14 slides
Combining Qualitative and Quantitative Analyses to Generate Robust Workforce Intelligence Erin P.

Combining Qualitative and Quantitative Analyses to Generate Robust Workforce Intelligence Erin P.

Combining Qualitative and Quantitative Analyses to Generate Robust Workforce Intelligence Erin P. Fraher, PhD, MPP and Emmanuel Jo with Andy Knapton, MSc and Mark Holmes, PhD Health Workforce New Zealand Workshop Wellington, New Zealand 1 May

731 views • 28 slides
Foresight & Open Innovation at Volkswagen An approach: Combining the Scenario &

Foresight & Open Innovation at Volkswagen An approach: Combining the Scenario &

Foresight & Open Innovation at Volkswagen An approach: Combining the Scenario & Information Market Methods Caroline V. Rudzinski, AutoUni Volkswagen AG FRAMING Theoretical approach and understanding INSIGHTS Volkswagen project 2

414 views • 37 slides
Data Dependence in Data Dependence in Combining Classifiers Combining Classifiers Mohamed

Data Dependence in Data Dependence in Combining Classifiers Combining Classifiers Mohamed

Data Dependence in Data Dependence in Combining Classifiers Combining Classifiers Mohamed Kamel, Nayer Wanas Mohamed Kamel, Nayer Wanas Pattern Analysis and Machine Intelligence Lab Pattern Analysis and Machine Intelligence Lab University of

690 views • 38 slides
Combining Data Assimilation and Machine Learning to emulate a numerical model Julien Brajard,

Combining Data Assimilation and Machine Learning to emulate a numerical model Julien Brajard,

Combining Data Assimilation and Machine Learning to emulate a numerical model Julien Brajard, Alberto Carrassi, Marc Bocquet, Laurent Bertino 05 June 2019 NERSC, LOCEAN-IPSL-Sorbonne Universit, CEREA 1 Motivation Chloropyhll-a (Model) July

937 views • 75 slides
Joint Application of NMR and Scattering Haydyn Mertens PhD Methods combining SAXS with NMR

Joint Application of NMR and Scattering Haydyn Mertens PhD Methods combining SAXS with NMR

Joint Application of NMR and Scattering Haydyn Mertens PhD Methods combining SAXS with NMR Filtering/scoring NMR conformers Direct refinement of structure Refinement of domain/subunit positions Restraints: SAXS & NMR Orientation

658 views • 44 slides
Combining multiresolution and anisotropy Theory, algorithms and open problems Albert Cohen

Combining multiresolution and anisotropy Theory, algorithms and open problems Albert Cohen

Combining multiresolution and anisotropy Theory, algorithms and open problems Albert Cohen Laboratoire Jacques-Louis Lions Universit e Pierre et Marie Curie Paris Joint work with Nira Dyn, Fr ed eric Hecht and Jean-Marie Mirebeau

979 views • 81 slides
Jasper Bongertz, Airbus CyberSecurity @packetjay Scanning for network IoCs is relatively easy:

Jasper Bongertz, Airbus CyberSecurity @packetjay Scanning for network IoCs is relatively easy:

Jasper Bongertz, Airbus CyberSecurity @packetjay Scanning for network IoCs is relatively easy: use an IDS/IPS snort, suricata, commercial appliances Perform live traffic analysis, or from PCAPs @packetjay IDS scan can easily result

380 views • 7 slides
Using Python and SeaDAS for Data Processing, Visualization and Analysis Breakout Workshop on Open

Using Python and SeaDAS for Data Processing, Visualization and Analysis Breakout Workshop on Open

Using Python and SeaDAS for Data Processing, Visualization and Analysis Breakout Workshop on Open Source Computing Tools IOCS Meeting, Busan South Korea, 9 April 2019 Bruce Monger, bcm3@cornell.edu Department of Earth and Atmospheric Sciences

330 views • 18 slides
Open-ended Intelligence Viktoras Veitas The Individuation of Intelligent Agents What is

Open-ended Intelligence Viktoras Veitas The Individuation of Intelligent Agents What is

Open-ended intelligence David Weinbaum (Weaver) & Open-ended Intelligence Viktoras Veitas The Individuation of Intelligent Agents What is Intelligence? Theory of Individuation David Weinbaum (Weaver) Intelligence, Cognition,

384 views • 37 slides
Scoring (Vector Space Model) CE-324: Modern Information Retrieval Sharif University of Technology

Scoring (Vector Space Model) CE-324: Modern Information Retrieval Sharif University of Technology

Scoring (Vector Space Model) CE-324: Modern Information Retrieval Sharif University of Technology M. Soleymani Spring 2020 Most slides have been adapted from: Profs. Manning, Nayak & Raghavan (CS-276, Stanford) Outline } Ranked retrieval

497 views • 49 slides
Scoring (Vector Space Model) CE-324: Modern Information Retrieval Sharif University of Technology

Scoring (Vector Space Model) CE-324: Modern Information Retrieval Sharif University of Technology

Scoring (Vector Space Model) CE-324: Modern Information Retrieval Sharif University of Technology M. Soleymani Fall 2017 Most slides have been adapted from: Profs. Manning, Nayak & Raghavan (CS-276, Stanford) Outline Ranked retrieval

1.49k views • 50 slides
Emotional Awareness: Computer and Hand Scoring of an Open-Ended Test Kimberly A. Barchard a ,

Emotional Awareness: Computer and Hand Scoring of an Open-Ended Test Kimberly A. Barchard a ,

1 Emotional Awareness: Computer and Hand Scoring of an Open-Ended Test Kimberly A. Barchard a , Richard D. Lane b , and Bryan D. Watson a a University of Nevada, Las Vegas b University of Arizona Reference: Barchard, K.A., Lane, R.D. &

59 views • 4 slides
Scoring, term weighting, the vector space model Giorgio Gambosi Course of Information Retrieval

Scoring, term weighting, the vector space model Giorgio Gambosi Course of Information Retrieval

Why ranked retrieval? Term frequency tf-idf weighting The vector space model Scoring, term weighting, the vector space model Giorgio Gambosi Course of Information Retrieval CdLM in Computer Science University of Rome Tor Vergata Derived

769 views • 51 slides
CSE 7/5337: Information Retrieval and Web Search Scoring, term weighting, the vector space model

CSE 7/5337: Information Retrieval and Web Search Scoring, term weighting, the vector space model

CSE 7/5337: Information Retrieval and Web Search Scoring, term weighting, the vector space model (IIR 6) Michael Hahsler Southern Methodist University These slides are largely based on the slides by Hinrich Sch utze Institute for Natural

715 views • 67 slides

More recommend