hvnbnd

New Members
  • Posts

    1
DICTIONARY Feature Request

Two examples of dictionary capabilities are associated with Proofpoint Regulatory Compliance and Forcepoint Data Loss Prevention. The primary difference between the "Keyword List" functionality and a dictionary is "match unique" or "single instance".

If you define a keyword list of:

A B C D E F G

Example: a true positive requires a score of 5. Any combination of "unique" matches would generate a match:

ABDEG
ADEFG

but the following would not generate a match:

AAAAG or CCDDG

The key is that the dictionary is defined by the relationship of one feature with other features and not the mere existence of a single feature multiple times. This is the key difference between a keyword list and a dictionary.

The better model used by Proofpoint and Forcepoint is not only the above but the ability to configure a more robust weighted dictionary. Proofpoint also allows regex to be included as a feature within a dictionary. Forcepoint uses regex similarly to Intella. The following is an example of a weighted dictionary:

A 10/1
B 1/10
C ~1/10
D -10/1
E 10/1
F 1/1
G 1/10

A scores 10 but only count a single match.
B scores 1 but only count a single match.
C is a regular expression, scores 1, count up to 10 matches.
D scores negative 10, only count 1 match.
E scores 10 but only count a single match.
F scores 1, only count one match.
G scores 1, count up to 10 matches.

In the above example a score of 23 might be the perfect score to identify a true positive.

We use negative weighting in dictionaries and that way we do not have to use a Boolean NOT or exclusions. A specific example is to ignore all invoices or purchase orders, so in the above example I might do a negative -100. That way it is never possible to trigger the dictionary.

My experience in the use of Intella is that I have to convert my Proofpoint or Forcepoint to Intella keyword lists. Since it is not one for one there is a lot of subjective work still needed.

It would be nice to determine if keyword lists or content analysis (regex) could be used in all cases. Perhaps Global Keyword Lists. Global keyword lists (dictionaries preferred of course). It is frustrating to always have to load these items into every case.

Last but not least is to use standard TF/IDF and when necessary stopwords to create the TagCloud, and then select items to go into the dictionaries.

Hopefully this describes in some detail what sort of features would be useful, useful at least to someone who has been doing information security a long time. We are using Intella both before and after we define policies/rules in our other environments. It is difficult sometimes to convert search criteria or detection methods because certain regexes can't be used in one platform that is used in another, or case sensitivity is not supported which is a major issue for us (confidential vs CONFIDENTIAL).

Intella is a great solution that can be made better, and all of the recommendations above I think will make for a Killer App. I'd sell it to Symantec or Forcepoint as the tool to build rules and policies. Comments desired.
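The weighted-dictionary model described in the post above (per-feature weight, per-feature match cap, regex features, negative weights, case sensitivity) is small enough to implement directly. The following is an added example written for this page; it is not code from the poster, Intella, Proofpoint or Forcepoint, and the feature terms, thresholds and the sample memo are constructed for illustration. A plain keyword list falls out as the special case where every feature is weight 1 / count 1.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Feature:
    """One dictionary entry: 'weight/max_count' in the post's notation."""
    name: str
    pattern: str            # literal keyword, or a regex when is_regex=True
    weight: int             # score per counted match; negative suppresses a match
    max_count: int          # only this many occurrences are counted ("match unique")
    is_regex: bool = False
    case_sensitive: bool = True


def _compile(f: Feature) -> re.Pattern:
    flags = 0 if f.case_sensitive else re.IGNORECASE
    # Literal keywords are matched as whole words so "draft" does not hit "drafted".
    pat = f.pattern if f.is_regex else r"\b" + re.escape(f.pattern) + r"\b"
    return re.compile(pat, flags)


def score_text(text: str, features: list) -> tuple:
    """Return (total_score, {feature_name: contribution}) for one document."""
    breakdown = {}
    for f in features:
        hits = sum(1 for _ in _compile(f).finditer(text))
        counted = min(hits, f.max_count)          # cap repeats of the same feature
        breakdown[f.name] = counted * f.weight
    return sum(breakdown.values()), breakdown


def is_true_positive(text: str, features: list, threshold: int) -> bool:
    return score_text(text, features)[0] >= threshold


def keyword_list(words: list) -> list:
    """The post's plain keyword list: each word scores 1 and is counted once."""
    return [Feature(w, w, weight=1, max_count=1) for w in words]


# Constructed weighted dictionary mirroring the post's A..G layout (hypothetical terms).
WEIGHTED = [
    Feature("A", "CONFIDENTIAL", 10, 1),                       # 10/1, case-sensitive
    Feature("B", "internal use only", 1, 10, case_sensitive=False),
    Feature("C", r"\b\d{3}-\d{2}-\d{4}\b", 1, 10, is_regex=True),  # ~1/10 regex
    Feature("D", "invoice", -10, 1, case_sensitive=False),      # negative weight
    Feature("E", "do not distribute", 10, 1, case_sensitive=False),
    Feature("F", "restricted", 1, 1, case_sensitive=False),
    Feature("G", "draft", 1, 10, case_sensitive=False),
]
THRESHOLD = 23

# Constructed sample documents.
MEMO = ("CONFIDENTIAL - do not distribute. Restricted draft, draft, draft. "
        "Internal use only. Applicant SSN 123-45-6789, spouse 987-65-4321.")
MEMO_WITH_INVOICE = MEMO + " Invoice 4471 attached."
MEMO_LOWERCASE = MEMO.replace("CONFIDENTIAL", "confidential")


if __name__ == "__main__":
    for label, doc in [("memo", MEMO), ("with invoice", MEMO_WITH_INVOICE),
                       ("lowercase", MEMO_LOWERCASE)]:
        total, parts = score_text(doc, WEIGHTED)
        print(f"{label:13s} score={total:3d} match={total >= THRESHOLD} {parts}")
```

In the constructed memo, A, E, F and B each count once, the SSN regex counts twice and "draft" three times, so the document scores above the threshold; appending an invoice reference pulls it back under through the negative weight with no separate exclusion rule, and lowercasing the header drops the case-sensitive A term exactly as the post's confidential/CONFIDENTIAL complaint describes.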