Taxonomy driven indicator scoring in MISP threat intelligence platforms

IT security community is recently facing a change of trend from closed to open working groups and from restrictive information to full information disclosure and sharing. One major feature for this trend change is the number of incidents and various Indicators of compromise (IoC) that appear on a daily base, which can only be faced and solved in a collaborative way. Sharing information is key to stay on top of the threats. To cover the needs of having a medium for information sharing, different initiatives were taken such as the Open Source Threat Intelligence and Sharing Platform called MISP. At current state, this sharing and collection platform has become far more than a malware information sharing platform. It includes all kind of IoCs, malware and vulnerabilities, but also financial threat or fraud information. Hence, the volume of information is increasing and evolving. In this paper we present implemented distributed data interaction methods for MISP followed by a generic scoring model for decaying information that is shared within MISP communities. As the MISP community members do not have the same objectives, use cases and implementations of the scoring model are discussed. A commonly encountered use case in practice is the detection of indicators of compromise in operational networks.

[1]  Nicole Beebe,et al.  Exploring a Systematic Approach to Malware Threat Assessment , 2016, 2016 49th Hawaii International Conference on System Sciences (HICSS).

[2]  Xiaojun Nie,et al.  IP address lookup using a dynamic hash function , 2005, Canadian Conference on Electrical and Computer Engineering, 2005..

[3]  Vladimir Nikulin,et al.  Threshold-based clustering for intrusion detection systems , 2006, SPIE Defense + Commercial Sensing.

[4]  Veeramreddy Jyothsna,et al.  Anomaly-Based Intrusion Detection System , 2019, Computer and Network Security.

[5]  Anja Feldmann,et al.  NetFlow: information loss or win? , 2002, IMW '02.

[6]  Cynthia Wagner,et al.  MISP: The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform , 2016, WISCS@CCS.

[7]  Gail-Joon Ahn,et al.  ACTRA: A Case Study for Threat Information Sharing , 2015, WISCS@CCS.

[8]  Paul Barford,et al.  A signal analysis of network traffic anomalies , 2002, IMW '02.

[9]  L. Dandurand,et al.  Towards improved cyber security information sharing , 2013, 2013 5th International Conference on Cyber Conflict (CYCON 2013).

[10]  Yevgeniy Vorobeychik,et al.  Optimal Thresholds for Anomaly-Based Intrusion Detection in Dynamical Environments , 2016, GameSec.

[11]  Michalis Faloutsos,et al.  BLINC: multilevel traffic classification in the dark , 2005, SIGCOMM '05.

[12]  Bernhard Plattner,et al.  Scalable high speed IP routing lookups , 1997, SIGCOMM '97.

[13]  Sartaj Sahni,et al.  Efficient construction of multibit tries for IP lookup , 2003, TNET.

[14]  Svetha Venkatesh,et al.  Eventscapes: visualizing events over time with emotive facets , 2011, ACM Multimedia.

[15]  Stuart Murdoch,et al.  Anonymity vs. Trust in Cyber-Security Collaboration , 2015, WISCS@CCS.

[16]  Oscar Serrano Serrano,et al.  From Cyber Security Information Sharing to Threat Management , 2015, WISCS@CCS.

[17]  Ing-Ray Chen,et al.  A survey of intrusion detection techniques for cyber-physical systems , 2014, ACM Comput. Surv..

[18]  Alexandre Dulaunoy,et al.  MISP taxonomy format , 2019 .

[19]  Hyesook Lim,et al.  New Approach for Efficient IP Address Lookup Using a Bloom Filter in Trie-Based Algorithms , 2016, IEEE Transactions on Computers.

[20]  D. Morato,et al.  IP addresses distribution in Internet and its application on reduction methods for IP alias resolution , 2009, 2009 IEEE 34th Conference on Local Computer Networks.

[21]  Bronwyn Woods,et al.  Data Mining for Efficient Collaborative Information Discovery , 2015, WISCS@CCS.