Project

General

Profile

Actions

Feature #7577

closed

Implement the notion of detector credibility and use it for reporting

Added by Pavel Kácha over 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Category:
Development - Core
Target version:
Start date:
03/23/2022
Due date:
% Done:

90%

Estimated time:
To be discussed:

Description

Some detectors are a bit unreliable and sometimes report false positives. We might consider reporting events from them only if more reliable detector hits, or more of less reliable detectors hit the same IP.
Note that detectors, which produce more types of events, might exhibit different levels of reliability for different types.

Possible solutions:

  • mark the reliability in the inspector
    • pro: allows for high granularity (not only detector)
    • con: not in line with Warden notion of detectors
  • implement db of detectors within Mentat
    • con: needs some (semi)manual means of keeping in line with Warden
  • implement full Warden client management
    • pro: one source of truth
    • con: needs to implement the API on the Warden side
Questions:
  • where and how to store the credibility information (or rules) - Warden or Mentat side? One value or more granular rules?
  • how to combine the values for reporting - two level, linear/nonlinear combination..?
Actions

Also available in: Atom PDF