Ever heard someone use phrases like “I put two and two together,” or “I started to connect the dots?” What is usually meant is that in the examination of the facts at hand an understanding of a feasible explanation is forming. By considering details, a bigger picture can be formed.
Belief Propagation Network
A belief propagation network (BPN) is a network in which messages are passed through a series of nodes in a graph. The nodes are arranged in a directed acyclic graph, where information passes from one node to another and the nodes never form a cycle. Usually there is a hierarchy of nodes, with many base nodes passing messages up to fewer upper-level nodes.
Messages store information and typically have a purpose. For example, I may wish to send a congratulatory message, or an itinerary message, or a warning message. So, we can see there are different types of messages. Considering these different types of messages we can create an encompassing set of all messages called the Message class.
Additionally, we can create subsets called CongratsMessage, ItineraryMessage, and WarningMessage. By structuring these sets in this way we have created a conceptual model of messages (also known as object modeling). There is a base class, Message, and the three subclasses. These class definitions are our object model of messages.
Classifiers in Automated Security
The nodes in DarkLight’s belief propagation network can be considered classifiers. By classifier, I mean a software module that receives a message, analyzes the message, and based on the analysis, potentially alters the message.
As the name implies, a classifier’s analysis is done to properly sort the message into the appropriate class. This is called classification or typing, meaning to tag the message with the name of the class to which it belongs. The instance of a class is called an object. The classifier tags the object with the name of the class to which it has classified it.
All individual messages belong to the Message class. We can pass a Message object on to a higher-level classifier for classification. If we want to know whether the message object is a WarningMessage, the classifier will need to examine the state of the Message object to see if it fits the criteria. The examination of the state of the message may be as simple as checking the contents of the message object for cautionary words such as warning, caution, attention, etc.
Once the classifier has verified that the criteria for being a WarningMessage are met, it can add that information to the object by tagging the object with the class name (type) WarningMessage. This is the essence of a BPN, as we can now say “this message is not just a Message, we believe it is a WarningMessage as well.”
In automated security, there are many “messages” being passed around. We have a myriad of names for them: Indicator of Compromise (IoC), events, alerts, flags, concerns, etc.
Some well-known and respected groups have provided us with conceptual models (ontologies) used in almost every domain you can imagine.
For example, in the cybersecurity domain the STIX, CybOX, and TAXII models have been created to give us a common model about cybersecurity observables.
Another example is the Insider Threat Indicators (ITI) ontology created by CMU/SEI/CERT. These are models that we can use instead of creating them from scratch. This is very valuable in multiple ways:
- We can focus on creating classifiers that classify our messages into STIX or ITI and not focus on creating the conceptual models from scratch.
- We can share our messages with others once they have been classified into the common language of the ontologies created by the experts.
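The two ideas above, a hierarchy of classifiers that tag Message objects (the BPN described earlier) and classifying into an existing ontology rather than inventing one, can be put together in a few dozen lines. The following is an added example written for this page, not DarkLight's code: the Message object model with the three subclasses, keyword-based base classifiers, one hypothetical upper-level node (UrgentTravelMessage) that only fires once the base nodes have tagged the message, and a mapping of a tagged WarningMessage onto a STIX 2.1 Indicator object. The STIX property names are the real ones from the 2.1 specification; the indicator name, the pattern and the sample message texts are constructed for the example.

```python
"""Added example: a tiny belief propagation network (BPN) of classifiers that
tag Message objects, then map a tagged message onto a STIX 2.1 Indicator."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional
import re
import uuid


# --- Object model: the base class and the three subclasses from the text ---
@dataclass
class Message:
    body: str
    tags: set = field(default_factory=set)  # class names we believe apply

    def tag(self, cls) -> None:
        """A classifier records its belief by tagging the object with a class name."""
        self.tags.add(cls.__name__)


class CongratsMessage(Message): ...
class ItineraryMessage(Message): ...
class WarningMessage(Message): ...


# --- Base-level nodes: examine the object's state, tag it if the criteria fit ---
# Keyword lists are constructed for the example, not a real detection rule set.
CAUTIONARY = re.compile(r"\b(warning|caution|attention)\b", re.IGNORECASE)
CONGRATS = re.compile(r"\b(congratulations|well done)\b", re.IGNORECASE)
ITINERARY = re.compile(r"\b(flight|depart\w*|arriv\w*|itinerary)\b", re.IGNORECASE)


def classify_warning(msg: Message) -> Message:
    if CAUTIONARY.search(msg.body):
        msg.tag(WarningMessage)
    return msg


def classify_congrats(msg: Message) -> Message:
    if CONGRATS.search(msg.body):
        msg.tag(CongratsMessage)
    return msg


def classify_itinerary(msg: Message) -> Message:
    if ITINERARY.search(msg.body):
        msg.tag(ItineraryMessage)
    return msg


# --- Upper-level node (hypothetical class): relies on beliefs from the base nodes ---
class UrgentTravelMessage(Message):
    """A warning that concerns an itinerary; exists only for this example."""


def classify_urgent_travel(msg: Message) -> Message:
    if {"WarningMessage", "ItineraryMessage"} <= msg.tags:
        msg.tag(UrgentTravelMessage)
    return msg


Classifier = Callable[[Message], Message]

# Layers of the DAG: messages flow from the base layer up, never back down.
BPN: List[List[Classifier]] = [
    [classify_warning, classify_congrats, classify_itinerary],  # base nodes
    [classify_urgent_travel],                                   # upper node
]


def propagate(msg: Message, layers: List[List[Classifier]]) -> Message:
    """Pass the message through each layer; tags added by one layer are
    visible to the next, which is how beliefs propagate upward."""
    for layer in layers:
        for classifier in layer:
            msg = classifier(msg)
    return msg


def to_stix_indicator(msg: Message) -> Optional[dict]:
    """Map a message tagged WarningMessage onto a STIX 2.1 Indicator dict.
    Returns None when the BPN did not classify the message as a warning."""
    if "WarningMessage" not in msg.tags:
        return None
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": "Cautionary wording observed in message body",  # constructed
        "indicator_types": ["anomalous-activity"],
        # Constructed STIX pattern mirroring the CAUTIONARY keyword check above.
        "pattern": "[email-message:body MATCHES '(?i)\\b(warning|caution|attention)\\b']",
        "pattern_type": "stix",
        "valid_from": now,
        "labels": sorted(msg.tags),  # carry the BPN's beliefs along as labels
    }


if __name__ == "__main__":
    sample = propagate(Message("WARNING: your flight departs at 06:00"), BPN)
    print(sorted(sample.tags))
    print(to_stix_indicator(sample))
```

Each classifier is deliberately a plain function that returns the message it received, so a node can be added to a layer without touching the others; the upper node only looks at tags, never at the raw body, which is what makes it an upper-level belief rather than another keyword check.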
The cybersecurity sector is moving away from data modeling techniques and toward object modeling techniques. If the cybersecurity sector adopts a common object model the communication between entities (enterprises and devices) is greatly enhanced. The sharing of information is possible because there is a common model to use as a language.
If your Security Operations Center (SOC) is not adopting software that uses commonly shared object models such as STIX, your enterprise is going to be falling behind and it will be at higher risk.
Does YOUR SOC use conceptual models?
Deviation from Normal Does Not Always Mean Malicious Intent
An approach to solving cybersecurity problems is to use machine learning to baseline normal behaviors so that deviations from normal can be identified. This, at first glance makes perfect sense. However...