Skip to content

Relationships: Consensus & Open Questions

Jump to bottom Edit New page
Ivan Kirillov edited this page Jan 15, 2016 · 9 revisions

Allow generic

We should allow generic types of relationships, i.e., those that are not constrained by the particular source/target of the relationship, and also relationship type. This would allow users to create any type of arbitrary relationship, and accordingly shoot themselves in the foot if they want to.

{
  "type":"relationship",
  "source_ref":"coa-1",
  "target_ref":"ttp-1",
  "kind":"detected by"
}
Open Questions
  1. Should this generic relationship exist by itself, or be defined in conjunction with other sub-classed relationships?

Help users NOT shoot themselves in the foot

We should help users NOT shoot themselves in the foot with the generic relationship, by defining a set of established relationship types along with their semantics. Both STIX and CybOX already do this to an extent with their various controlled vocabularies.

Open Questions
  1. Where should this set of established relationships be defined?
    • (A) At the data model level?
    • (B) At the specification level?
    • (C) Both?
  2. Should these relationships be validated at the serialization level?
    • If so, which particular mechanism should be used to capture these "default" relationships?
      • (A) A controlled vocabulary?
      • (B) An enumeration?
  3. What language should we use to describe relationships?
    • (A) "Uni-directional" / "Bi-directional"?
    • (B) "Directed" / "Undirected"?

Allow user-defined relationship types

We should allow users to define and use their own custom types of relationships. For instance, a new type of relationship may be discovered between STIX TTPs and Indicators that is not included in the default set of relationships.

Open Questions
  1. Is there an expectation or need for validation based on these custom relationship types?
  2. How should these custom relationships be defined?
    • (A) A free-form string?
    • (B) A value from a custom controlled vocabulary?

Allow bi-directional relationships

We should allow for bi-directional relationships to be expressed and used in STIX. This does not necessarily mean that we define a method for expressing them explicitly, but rather that STIX does not enforce unidirectionality when used to build graph edges.

Open Questions
  1. Do we require the ability to explicitly specify whether a relationship is bidirectional?
    1. If so, how should this be done?
      • (A) Should this be done in a single relationship structure (e.g., is_bidirectional = true)?
      • (B) Should this be done with a separate BidirectionalRelationship structure?
      • (C) Or, should this be done by defining the explicit semantics of each relationship type (e.g., "Contains") and accordingly whether it is bidirectional or unidirectional?
    2. If so, is this something that MUST be defined in STIX 2.0, or can it be added in a point release?
Add a custom footer
Add a custom sidebar
Clone this wiki locally