Re: [cti] Timestamps and Temporal Intervals

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

There were a couple of proposals presented at the F2F regarding composition / sequencing and temporal intervals.

This was my proposal, something like this below. The proposal was a "sequence" pattern composition could consist either of a duration in milliseconds, or an absolute start_time and stop_time, which would be whatever our datetime type is.


{
"type": "indicator",
"id": "example.com:628a75ab-7b63-4e88-9175-2c190e38233c",
"created_at": "2016-01-06T19:13:17.778545-05:00",
"producer_ref": "example.com:example",
"pattern": {
"type": "sequence",
"duration": 60000,
"expressions: [
{
"type":”or-composition",
"expressions":[
{
"type":"cybox",
"key": "File_Hash:SHA256",
"condition": "equals",
"value": "730f75dafd73e047b86acb2dbd74e75dcb93272fa084a9082848f2341aa1abb60"
},
{
"type":"yara",
"value":{ ... yara stuffs... }
}
]
},
{
"type":"cybox"
"key":"Windows_Registry",
"condition":"equals",
"value":"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
]
}
}


-
Jason Keirstead
IBM STSM - Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Patrick Maroney ---01/18/2016 01:04:42 PM---I want to help drive closure on Timestamps and breach the topic of Temporal Intervals* for the next

From: Patrick Maroney <Pmaroney@Specere.org>
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 01/18/2016 01:04 PM
Subject: [cti] Timestamps and Temporal Intervals
Sent by: <cti@lists.oasis-open.org>

---

I want to help drive closure on Timestamps and breach the topic of Temporal Intervals* for the next major version.

I posit there are two distinct temporal aspects to the _expression_ of "things" and their relationships to other "things" in the CTI Domain.

(1) Absolute: "Event x" happened at absolute Time "T1".

(2) Relative Intervals: "Event x" happened "Relative To(Rn**)" "Event y" [at relative interval "Interval In"]
**Where Rn = [Before, During, After, At_Start_Of, At_End_Of, ...]
Therefore, we need to represent these temporal concepts in different forms (breaking the "One way to do Things" rule on the basis that these are two different "Things").

I believe we are very close to reaching consensus on Absolute Timestamps.  I propose that we should specifically identify and treat Temporal Intervals as a separate requirement and topic for discussion somewhere in the Road Map.  (IF there is consensus:  perhaps as part of Relationships and/or Patterning???)

* To set the framework for what is meant by "Temporal Intervals", and some approaches one can consider in their representation, I refer everyone to James Allen's seminal paper from 1983:

http://cse.unl.edu/~choueiry/Documents/Allen-CACM1983.pdf

Patrick Maroney
Office:  (856)983-0001
Cell:      (609)841-5104

President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053