Re: [cti-stix] Supporting translations in STIX

[Allan Thomson <athomson@lookingglasscyber.com>]

Sighting -> Indicator/Observation.

I define a pattern in an indicator that is looking for specific network aspects (say protocol) and the observation includes the protocol but also other context that includes the payload of the application that may be in a specific language.

The sighting points to an indicator that identifies the pattern, which may be in english. But the sighting also points to the observation of the captured information which is in non-english.

Another example might be a report object where the report title and description are in English but the referenced objects for the content are in non-english.

Allan

On 6/24/16, 8:53 AM, "Back, Greg" <gback@mitre.org> wrote:

Are there specific sub-components where we would potentially want to support a different language from the parent TLO (for now, given that we can always add it later)?

> -----Original Message-----
> From: Allan Thomson [mailto:athomson@lookingglasscyber.com]
> Sent: Friday, June 24, 2016 10:39 AM
> To: Back, Greg <gback@mitre.org>; Wunder, John A. <jwunder@mitre.org>;
> cti-stix@lists.oasis-open.org
> Subject: Re: [cti-stix] Supporting translations in STIX
> 
> Sub-components that are part of a TLO could identify the language if they are
> in a different language from the container object.
> 
> There are multiple cases where there’s an named attribute defined at a
> container level that then is defined for child objects or referenced objects
> from the container.
> 
> All base TLO attributes have this same artifact.
> 
> allan
> 
> On 6/24/16, 8:35 AM, "Back, Greg" <gback@mitre.org> wrote:
> 
> By adding "lang" at the base TLO level, we are essentially saying that we can't
> mix languages in a single TLO (at this point).
> 
> I think I'm OK with that, but just wanted to raise the point.
> 
> > -----Original Message-----
> > From: cti-stix@lists.oasis-open.org
> > [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Allan Thomson
> > Sent: Friday, June 24, 2016 10:33 AM
> > To: Wunder, John A. <jwunder@mitre.org>; cti-stix@lists.oasis-open.org
> > Subject: Re: [cti-stix] Supporting translations in STIX
> >
> > Regardless of the decision on translation objects, I think a lang base
> > TLO attribute to define what language the content is defined in is a good
> idea.
> >
> >
> >
> > Allan
> >
> >
> >
> > From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
> > on behalf of "Wunder, John" <jwunder@mitre.org>
> > Date: Friday, June 24, 2016 at 8:27 AM
> > To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
> > Subject: [cti-stix] Supporting translations in STIX
> >
> >
> >
> > All,
> >
> >
> >
> > You’re probably aware that we’ve had a bit of work over the past
> > couple months on the best approach to support translations in STIX. As
> > I alluded to in the prioritization e-mail, it’s getting to the point
> > where we need to decide on an approach or we’re at risk of not making
> > the July release date and having to postpone until Winter. As I see it, we
> have a couple options.
> >
> >
> >
> > 1.      We can decide on a general approach and try to prove that it will work
> > for MVP. Ideally, it would be a fairly minimalist approach so that we
> > can be confident in the flows.
> >
> > a.      Along those lines, I wrote up some normative text on an approach we
> > discussed on Slack. Translations are very minimal objects (not
> > standard TLOs) and refer to other TLOs to translate their titles and
> descriptions. It’s here:
> >
> https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q
> > 0b5OxXCaCV14/edit#heading=h.aq3spklsm9m6
> >
> <https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2
> > q0b5OxXCaCV14/edit#heading=h.aq3spklsm9m6>
> >
> > b.      If we think that approach is close enough to agree on by MVP we can
> > continue to evolve that.
> >
> > c.       If you have a different approach that you think we can agree on,
> please
> > write up some normative text and submit it to the full list.
> >
> > 2.      Alternatively, we can implement something super minimalist now and
> > delay until winter (6 months) to make sure we get this right
> >
> > a.      IMO if we add a “lang” property to all TLOs we can provide some
> > immediate capability and build on it in the winter.
> >
> >
> >
> > My preference at this point is #2a. Let’s just add a “lang” tag to TLO
> > common properties, put the discussion on hold while we finish MVP, and
> > then resume in August. Then we can spend the fall making sure we get
> > it right. At the same time, we enable an ecosystem where TLOs are in
> > specific languages and so people can innovate and try out different
> > approaches. That said, if people think #1 is close, I’m happy to continue
> trying to push that forward.
> >
> >
> >
> > What do you think?
> >
> >
> >
> > John
> 
>

<<attachment: winmail.dat>>