Closed hexing2333 closed 11 months ago
Hello, I used this data set (suricata_alert.json) to run your code, and the S-PDFA graph generated is as follows. I would like to know: in the graph generated in Fig. 6 of your paper, all circles are IP addresses, but what I generated is similar to "70#1". I would like to know whether there is a problem in some step of my experiment?
Hello, the CPTC-2018 dataset in the link is correct, however this is only for team 5. In the experiments, we use all teams (which you can find in the parent directory) and we only use suricata alerts (suricata_alert.json). So, essentially, you will get six files: suricata_alert_t1.json, suricata_alert_t2.json, suricata_alert_t5.json, suricata_alert_t7.json, suricata_alert_t8.json, suricata_alert_t9.json.
Regarding your second question, which paper do you mean exactly? If you refer to the main paper "Alert-Driven Attack Graph Generation Using S-PDFA", then Figure 6 also has the 70#1 format (see below, showing only a fragment, so that the state names and transitions are also visible):

Note that the figure above shows the entire S-PDFA (i.e. red + blue + white states), while the image that you get does not include white sinks (since they are printed in a separate file, i.e. you have the files expName.txt.ff.final.json and expName.txt.ff.finalsinks.json).

The reason that the states have the 70#1 format is that this is the format used by FlexFringe.

So, I don't see any problem with your experiments. Does that answer your question? If not, feel free to send another comment.
Thank you very much for your answer. I have no further questions currently. Thank you very much. It has been very useful to me.
Hi @hexing2333, I will just add that the reason your model looks different is because FlexFringe is constantly getting updated, e.g., when we developed SAGE in 2021, the S-PDFA model never had any colored states (we add colors in SAGE to denote severity). Since the FlexFringe tool uses the red-blue state merging (you can read more about it in the flexfringe paper), now the core states in the model are colored red. I understand it makes it difficult to reproduce the paper's results. If that is indeed what you are after, I can share an older .exe file for FlexFringe that you can use to get the same model, though there are no guarantees that it would still work.
I see. Thank you very much for your reply. I will carefully read the relevant libraries and papers of FlexFringe again. And if it is convenient, I hope to get an old version .exe of FlexFringe. Here is my email address: @.*** Thank you very much for your reply!
---Original--- From: Azqa; Date: Fri, Sep 15, 2023 21:54; Subject: Re: [tudelft-cda-lab/SAGE] A problem about the dataset (Issue #45)
Hello, is the CPTC data set in this experiment under this link? I wonder which of these files I should download? Just like the sample-input.json you gave. Thanks very much!
http://mirror.rit.edu/cptc/2018/t5/