Tuesday, October 19, 2004
Previous beads in this thread are about algorithm using Orbs
→ [63]
Algorithm development using Orbs
Peter (Stephenson)
You have communicated a number of messages to the BCNGroup during the past several days. The following is a constructed, edited review of what you have said to us.
I have been taking that approach for about 5 years through my PhD research. For me, it is obvious because creating levels of abstraction is the only way I know of to “predict” unknown attacks and vulnerabilities.
Using categoricalAbstractions (cA) one simply protects against the class (by knowing the eventChemistry (eC)), and then you don’t have to predict specifics, nor would it be particularly useful. However, to the lay person it looks as if that’s what you’re doing. The cA and the non-formal aspects of the eC become apparent to the human, IN A SPECIFIC SITUATION, and trigger the human’s tacit knowledge. An observer sees specific knowledge about a specific situation that matters to them, in that enterprise.
I have used the approach informally in some of my research and in actual investigations and it seems to hold up. What I started today was to explain it formally.
Attached… One column is the CVE entry (to translate go to http://cve.mitre.org) and the other is the destination port number that was attacked using an exploit against the vulnerability or exposure described in the CVE entry. It occurred to me that the relation was the port (which translates to one or more services). If you look at the graphs you find that there are definite relationships emerging and that some of them are quite interesting. For example, if you examine port 80 (web) you’ll find a relationship to port zero.
Port zero as a destination port indicates a port scan or other vulnerability sweep. The implication is that attackers sweep the ports and then settle on port 80 to attack. This shows up on other ports but not with the consistency of port 80. The implication is that if we harden port 80 so that it does not respond to a vulnerability scan, we stop a huge number of attack attempts, resulting in lower vulnerability.
That’s just one of the insights from this. Is this obvious? The dots are connected. Of course, but you address that in this message. And I would argue, if it’s so obvious, why is it rarely done?
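The two-column CVE-to-port table Peter describes, and the port-zero-to-port-80 relation he reads off the graphs, can be reproduced on a small constructed table. This is an added example, not Peter's code or the SLIP software; it assumes that two ports are "related" when the same CVE entry was exploited against both, and that port 0 marks a sweep. The CVE ids and the table rows are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample of the two-column table (CVE entry, destination port).
# The CVE ids are placeholders, not real entries. Port 0 stands for a
# port scan / vulnerability sweep, as in the text above.
EVENTS = [
    ("CVE-EXAMPLE-0001", 80), ("CVE-EXAMPLE-0001", 0),
    ("CVE-EXAMPLE-0002", 80), ("CVE-EXAMPLE-0002", 0),
    ("CVE-EXAMPLE-0003", 80), ("CVE-EXAMPLE-0003", 0),
    ("CVE-EXAMPLE-0004", 80),
    ("CVE-EXAMPLE-0005", 25), ("CVE-EXAMPLE-0005", 0),
    ("CVE-EXAMPLE-0006", 25),
    ("CVE-EXAMPLE-0007", 21),
    ("CVE-EXAMPLE-0008", 445), ("CVE-EXAMPLE-0008", 0),
]

def cves_by_port(events):
    """Invert the CVE -> port table into port -> set of CVE entries."""
    index = defaultdict(set)
    for cve, port in events:
        index[port].add(cve)
    return {port: frozenset(cves) for port, cves in index.items()}

def port_links(events):
    """Assumed relation: two ports are linked when at least one CVE was
    exploited against both. Returns {(a, b): shared CVE count}, a < b."""
    index = cves_by_port(events)
    ports = sorted(index)
    links = {}
    for i, a in enumerate(ports):
        for b in ports[i + 1:]:
            shared = index[a] & index[b]
            if shared:
                links[(a, b)] = len(shared)
    return links

def sweep_then_attack_ratio(events, port):
    """Fraction of the CVEs seen on `port` that also appeared with a port-0
    sweep: how consistently 'sweep, then settle on this port' shows up."""
    index = cves_by_port(events)
    targets = index.get(port, frozenset())
    if not targets:
        return 0.0
    return len(targets & index.get(0, frozenset())) / len(targets)

def hardening_priority(events):
    """Services ranked by how many swept-then-attacked CVEs they carry, then
    by consistency: where not answering a scan removes the most attempts."""
    index = cves_by_port(events)
    sweep = index.get(0, frozenset())
    ranked = [(p, len(index[p] & sweep), sweep_then_attack_ratio(events, p))
              for p in index if p != 0]
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))
```

On the constructed table `port_links` yields only links through port 0, and `hardening_priority` puts port 80 first because three of its four CVEs co-occur with a sweep.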
By looking at the SLIP structures you were able to see some information that you could act on as a means to help protect enterprises. Once the insight is expressed, there is an "of course" experience. This is the "connection of the dots" quite literally. The importance of HIP is that no algorithm would have "discovered" the specific insight that you are revealing, unless one already had insights into how to mine the data so as to produce this specific insight.
What we have here is a connection between vulnerable services and specific attacks.
I tested against specific attacks knowing that I could abstract up a layer for the general case (categoricalAbstraction). The insight is that it is the service that we must address, not the attack or the vulnerability/exposure. By hardening the service, we defeat multiple types of attacks. By understanding the nature of the specific attacks/vulnerabilities/exposures, we extrapolate to a higher level of abstraction and protect against the class rather than against the object. That remains to be proven, but it seems like a logical extension to me.
The insight is inducing an experience in what we call “mutual induction” between the human and the display of the Orb constructions. Knowledge is created and experienced. Moreover, this same knowledge can be easily communicated to someone who needs only to understand the relevant and function.
The graph constructions allow you to take the picture to someone and say, see here:
Peter,
Your thoughts are consistent with how Dean Rich, who knows IA and cyber security well also, and I thought about the event co-occurrences, as a higher level of abstraction, but no one really thought those words precisely. You are making a unique contribution to our thought about this.
I am hopeful that you are seeing a way to finally bring this technology to the market. The "entire" story of the development of SLIP is at:
http://www.ontologystream.com/aSLIP/index1.htm
with perhaps the best summary at:
http://www.ontologystream.com/aSLIP/files/OSISummary.htm
Perhaps we should develop a tutorial on what you have figured out.
see: Figure 22
http://www.ontologystream.com/cA/tutorials/pre-CDKB.htm