[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-users] Proposal: Re-occuring values within patterns
Hi everyone, I would like to point to the issue below, since we did not receive any feedback on the proposal, yet. Maybe posting to this list is the wrong approach for a discussion like this? Thank you all for your valuable time. Best regards, Arnold On 27.06.19 09:54, Christian Doll wrote: > Hi everyone, > > While working with STIX patterns, we thought about the possibility to > model randomized values which re-appear across multiple Observable > objects. We would like to present our approach here and propose a small > change for future specifications of STIX. > > Our approach is also currently open for discussion at the > cti-pattern-matcher repository [1], where we also prepared the necessary > code changes for the approach [2]. > > > OVERVIEW > ======== > > We want to model a pattern that describes the behaviour of a malware > sample. The sample is executed multiple times and we get the following > Observables from each execution (for simplicity we only consider the > 'name'-property in the example for each Observable): > > +-----------------+ +-----------------+ +-----------------+ > | RUNTIME 1 | | RUNTIME 2 | | RUNTIME 3 | > |File: foo | |File: bar | |File: baz | > |Mutex: Global\foo| |Mutex: Global\bar| |Mutex: Global\baz| > +-----------------+ +-----------------+ +-----------------+ > > Simplified STIX observed-data notation: > Execution 1: file:name = 'foo', mutex:name = 'Global\foo' > Execution 2: file:name = 'bar', mutex:name = 'Global\bar > Execution 3: file:name = 'baz', mutex:name = 'Global\baz' > > The first step in creating a good pattern is to generelize properties > which change between executions. We chose regular expressions, so the > pattern for our example lools like this: > > +-----------------------+ > | Pattern | > |File: [a-z]{3} | > |Mutex: Global\\[a-z]{3}| > +-----------------------+ > > STIX Pattern notation: > [file:name MATCHES '[a-z]{3}'] AND [mutex:name MATCHES 'Global\\[a-z]{3}'] > > In the next step, we want to express that the value within the file-name > property re-appears within the mutex-name property. The obvious solution > to our problem is the use of variables, which have to be usable at the > property-describtion level of a pattern. Luckily we can do this with > named capture groups from within regular expressions (which are within > the capabilities of PCRE, anyway). For our example, we would wrap each > character class inside a named capture group, acting as a variable: > [file:name MATCHES '(?P<var>[a-z]{3})'] AND [mutex:name MATCHES > 'Global\\(?P<var>[a-z]{3})'] > > During evaluation of the pattern, we test whether each named capture > group with the same name within one pattern (i.e. each variable) matched > on the same strings. We call a pattern with this additional constraint > Inter-Observable Pattern, since we express an additional property which > spans across multiple Observables: > > +--------------------------------+ > | Inter-Observable Pattern | > |File: (?P<var>[a-z]{3}) | > |Mutex: Global\\(?P<var>[a-z]{3})| > +--------------------------------+ > > > Our approach should be fully backwards compatible, as it does not > violate STIX 2.0 specifications, but extends it. Since named matching > groups are a PCRE required capability, any parser should be able to > consume a pattern like that. > However, a matcher capable to evaluate the matching group's names is > able to reduce false positives. Therefore, we propose to include our > approach for the handling of named capture groups within the > MATCHES-operator of patterns. > We are aware of the working concepts and plans for variables and > backreferencing for STIX [3], but believe our approach to be more > elegant for the use case detailed above and use cases that rely on > equality of substrings in general (e.g. multiple login attempts with the > same user name). > > We appreciate your consideration of our proposal. > Please do not hesitate to contact us if any questions come up. > > Best regards, > Christian Doll & Arnold Sykosch > > > [1]: https://github.com/oasis-open/cti-pattern-matcher/issues/57 > [2]: https://github.com/oasis-open/cti-pattern-matcher/pull/58 > [3]: > https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.vw8nwfvm4pvm > > This publicly archived list provides a forum for asking questions, > offering answers, and discussing topics of interest on STIX, > TAXII, and CybOX. Users and developers of solutions that leverage > STIX, TAXII and CybOX are invited to participate. > > In order to verify user consent to OASIS mailing list guidelines > and to minimize spam in the list archive, subscription is required > before posting. > > Subscribe: cti-users-subscribe@lists.oasis-open.org > Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org > Post: cti-users@lists.oasis-open.org > List help: cti-users-help@lists.oasis-open.org > List archive: http://lists.oasis-open.org/archives/cti-users/ > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php > CTI Technical Committee: https://www.oasis-open.org/committees/cti/ > Join OASIS: http://www.oasis-open.org/join/ >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]