I agree with Jason’s arguments. Both on mapping and how the numbers will be assigned by machines & humans.
STIX should focus on exchanging a ‘value’ for machine-to-machine. It’s a data exchange format not a UI exchange. How this information is relayed to a human or entered by a human can and
may be different.
If a number of 0-100 is chosen then that can be mapped by products to something a human may more easily assign such as admiralty.
allan
From:
"cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Tuesday, September 13, 2016 at 7:58 AM
To: "Wunder, John" <jwunder@mitre.org>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
There is another reason that a numerical scale should be used, that I haven't yet mentioned as I didn't want to conflate the whole "confidence" problem - but I also didn't expect it to be so controversial, so here we go...
The problem with the admiralty scale is it is very human-focused, but in the current world of CTI you can't make the assumption that the confidence value is being assigned by humans. It will also be assigned by machines as a result of algorithmic and analytical
processes on the underlying data. When a product produces an intelligent feed of data based on analytics, it will be able to figure out and assign its own confidence metric, that will be calculated based on the confidence levels it has on all of the other
pieces of data that were factors in the decision. IE, when I am taking 100 pieces of data - each of which has its own confidence value - and producing this other derived piece of data, it's confidence is derived based on all of the other confidence (in the
simplest scenario, it might be thought of as the simple weighted average of all of the other confidences). You can't do this type of thing with something as simple as the admiralty scale.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
"Wunder, John A." ---09/13/2016 09:34:38 AM---The wider scale
certainly seems like the path of least resistance. Tools get to do what they want an
From: "Wunder, John A." <jwunder@mitre.org>
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 09/13/2016 09:34 AM
Subject: Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
Sent by: <cti-stix@lists.oasis-open.org>
The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple worries (perhaps edge cases?) I would have:
1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed
by ToolB. But was it actually confirmed by other sources?
2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then
you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”
I’m not totally opposed btw, just wanted to point out some of these issues.
John
On 9/13/16, 7:42 AM, "cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" <cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu> wrote:
On 13/09/16 12:31, Jason Keirstead wrote:
> Yes, exactly.
>
> The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.
Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly
for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.
Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale
and a clear description for analysts.
[1]
http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/
[2]
https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31
--
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php