OASIS Mailing List Archives

cti-users message



Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions


1) We should establish a review/enhancement/update process for the
default controlled vocabularies.
(reuse was good but needs to evolve)

2) Tools should not cry, but 'Other' in general will lead to bad
scenarios (bad statistics/metrics and automation...)

Note that use of an Ontology (where 'synonyms' are defined) would help
solve this issue.







2015-10-22 18:18 GMT+03:00 Jason Keirstead <Jason.Keirstead@ca.ibm.com>:
> Hi all, I am producing some new STIX content in an automated fashion, and am
> looking for feedback on my planned usage of indicator types:
>
> As with many things STIX, the way you do this is so wide open, it makes
> implementation decisions difficult.
>
>
> "The default vocabulary type is IndicatorTypeVocab-1.1 in the
> http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined
> in the stix_default_vocabularies.xsd file or at the URL
> http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
> Users may also define their own vocabulary using the type extension
> mechanism, specify a vocabulary name and reference using the attributes, or
> simply use this as a string field."
>
>
> @see
> http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/
>
> So essentially, I can stick to the default vocabulary, *OR* I can define my
> own vocabulary, *OR* I can use it as a free-form string.
>
> The problem I have with the default vocabulary is that this list is very
> restrictive, and there is no "Other" type.
>
> First question - Has there ever been thought to extending this vocabulary,
> or adding an "Other" type that one could then annotate in some way? I
> haven't seen this question come up on the STIX list.
>
> Second question - My other problem is, I can't define a new fixed vocabulary
> because this is user-generated stuff. I pretty much am stuck with either
> using the fixed vocabulary, or letting the user type in whatever they want.
> How many people are sticking to the controlled vocabulary here? If I use
> this as a free-form string, will it cause some tools to blow up? Anyone have
> experience here?
>
>
>
> -
> Jason Keirstead
> Product Architect, Security Intelligence, IBM Security Systems
> www.ibm.com/security | www.securityintelligence.com
>
> Without data, all you are is just another person with an opinion - Unknown
>
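
Added example, not part of the original thread or of any STIX tooling: a consumer-side sketch that sorts each `indicator:Type` element into the three cases the quoted documentation allows (default vocabulary, user-defined vocabulary via `vocab_name`/`vocab_reference`, or free-form string) and counts them instead of failing on unexpected values. The sample XML is a constructed fragment, not a schema-valid STIX package, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import Counter

IND_NS = "http://stix.mitre.org/Indicator-2"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Values of IndicatorTypeVocab-1.1; verify against the schema URL quoted above.
DEFAULT_VOCAB = {
    "Malicious E-mail", "IP Watchlist", "File Hash Watchlist",
    "Domain Watchlist", "URL Watchlist", "Malware Artifacts", "C2",
    "Anonymization", "Exfiltration", "Host Characteristics",
    "Compromised PKI Certificate", "Login Name", "IMEI Watchlist",
    "IMSI Watchlist",
}

# Constructed sample input covering all four outcomes.
SAMPLE = """<root xmlns:indicator="http://stix.mitre.org/Indicator-2"
      xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
  <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Other</indicator:Type>
  <indicator:Type vocab_name="Example Vocab"
                  vocab_reference="http://example.org/vocab">Phishing Kit</indicator:Type>
  <indicator:Type>something a user typed</indicator:Type>
</root>"""

def classify(elem):
    """Return (category, value) for one indicator:Type element."""
    value = (elem.text or "").strip()
    # Simplification: only the local part of the xsi:type QName is compared;
    # the prefix is not resolved back to its namespace URI.
    if elem.get(XSI_TYPE, "").rpartition(":")[2] == "IndicatorTypeVocab-1.1":
        return ("default" if value in DEFAULT_VOCAB else "invalid-default", value)
    if elem.get("vocab_name") or elem.get("vocab_reference"):
        return ("custom-vocab", value)
    return ("free-form", value)

def summarize(xml_text):
    """Count Type elements per category without raising on unknown values."""
    # For feeds from untrusted sources, parse with a hardened XML parser.
    root = ET.fromstring(xml_text)
    return Counter(classify(e)[0] for e in root.iter("{%s}Type" % IND_NS))

if __name__ == "__main__":
    for category, count in sorted(summarize(SAMPLE).items()):
        print(category, count)
```

Tracking the `invalid-default` and `free-form` counts separately shows how much incoming content falls outside the controlled vocabulary before it skews statistics or automation.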

