Tuesday, October 19, 2004
Previous beads in this thread are about algorithm using Orbs à 
Algorithm development using Orbs
Your have communicated a number of message to the BCNGroup during the past several days. The following is a constructed, edited, review of what you have said to us.
I have been taking that approach for about 5 years through my PhD research. For me, it is obvious because creates levels of abstraction is the only way I know of to “predict” unknown attacks and vulnerabilities
Using categoricalAbstractions (cA) one simply protects against the class (by knowing the eventChemistry (eC) and then you don’t have to predict specifics, nor would it be particularly useful. However, to the lay person it looks as if that’s what you’re doing. The cA and the non-formal aspects of the eC become apparent to the human, IN A SPECIFIC SITUATION, and triggers the human’s tacit knowledge. An observe sees specific knowledge about a specific situation that matters to them, in that enterprise.
I have used the approach informally in some of my research and in actual investigations and it seems to hold up. What I started today was to explain it formally.
Attached… One column is the CVE entry (to translate go to http://cve.mitre.org) and the other is the destination port number that was attacked using an exploit against the vulnerability or exposure described in the CVE entry. It occurred to me that the relation was the port (which translates to one or more services). If you look at the graphs you find that there are definite relationships emerging and that some of them are quite interesting. For example, if you examine port 80 (web) you’ll find a relationship to port zero.
Port zero as a destination port indicates a port scan or other vulnerability sweep. The implication is that attackers sweep the ports and then settle on port 80 to attack. This shows up on other ports but not with the consistency of port 80. The implication is that if we harden port 80 so that it does not respond to a vulnerability scan, we stop a huge number of attack attempts resulting in lower vulnerability.
That’s just one of the insights from this. Is this obvious? The dots are connected. Of course, but you address that in this message. And I would argue, if it’s so obvious, why is it rarely done?
By looking at the SLIP structures you were able to see some information that you could act on as a means to help protect enterprises. Once the insight is expressed, there is a "of course" experience. This is the "connection of the dots" quite literally. The important of HIP is that no algorithm would have "discovered" the specific insight that you are revealing, unless one already had insights into how to mine the data so as to produce this specific insight.
What we have here is a connection between vulnerable services and specific attacks.
I tested against specific attacks knowing that I could abstract up a layer for the general case (categoricalAbstraction). The insight is that it is the service that we must address, not the attack or the vulnerability/exposure. But hardening the service, we defeat multiple types of attacks. By understanding the nature of the specific attacks/vulnerabilities/exposures, we extrapolate to a higher level of abstraction and protect against the class rather than against the object. That remains to be proven, but it seems like a logical extension to me.
The insight is inducing and experience in what we call “mutual induction” between the human and the display of the Orb constructions. Knowledge is created and experienced. Moreover this same knowledge can be easily communicated to someone who needs only to understand the relevant and function.
The graph constructions allows you to take the picture to someone and say, see here:
Your thoughts are consistent with how Dean Rich, who knows IA and cyber security well also, and I thought about the event co-occurrences, as a higher level of abstraction, but no one really thought those words precisely. You are making a unique contribution to our thought about this.
I am hopeful that you are seeing a way to finally bring this technology to the market. The "entire" story of the development of SLIP is at:
with perhaps to best summary at:
Perhaps we should develop a tutorial on what you have figured out.
see: Figure 22