There are various algorithms in Machine learning. Pruning - is nothing but cutting down some nodes to stop overfitting. Leaf Nodes - the nodes where further splitting is not possible are called leaf nodes or terminal nodesīranch /Sub-tree - just like a small portion of a graph is called sub-graph similarly a sub-section of this decision tree is called sub-tree. Root Nodes - It is the node present at the beginning of a decision tree from this node the population starts dividing according to various features.ĭecision Nodes - the nodes we get after splitting the root nodes are called Decision Node ID3 (Iterative Dichotomiser 3) → uses Entropy function and Information gain as metrics.īefore learning more about decision trees let’s get familiar with some of the terminologies.CART (Classification and Regression Trees) → uses Gini Index(Classification) as metric.His idea was to represent data as a tree where each internal node denotes a test on an attribute (basically a condition), each branch represents an outcome of the test, and each leaf node (terminal node) holds a class label. It has a hierarchical, tree structure, which consists of a root node, branches, internal nodes and leaf nodes.ĭecision Trees are the foundation for many classical machine learning algorithms like Random Forests, Bagging, and Boosted Decision Trees. We’re going to be using a digraph, which is short for “directed graph.” Directed graphs show one-way relationships, whereas undirected graphs show symmetrical relationships.A decision tree is a non-parametric supervised learning algorithm. 5Īll the branches on the tree – reflecting different cost paths – will end up connecting the Reality and Attackers Win nodes in some fashion. The most basic security decision tree will have two common states: Reality (the starting node from which all others descend) 4 and Attackers Win (the ending node reflecting attackers accomplishing their goal). If you want to understand more about the decision tree architecture, I entreat you yet again to download the Security Chaos Engineering report. The lowest cost path for attackers is generally the one with zero defensive mitigations in place, what I affectionately call “yolosec.” The highest cost path for attackers usually involves finding and exploiting zero day vulnerabilities or performing upstream supply chain attacks 3. The branches of the tree are oriented from the lowest cost paths to attackers (on the left) to the most expensive attacker paths (on the right). Thus, the decision tree shows the potential paths attackers can take, including attacker actions performed in response to defensive actions or mitigations, to reach the goal of accessing that S3 bucket. The (rather obvious) way attackers win is by successfully accessing the video recordings in the S3 bucket. As the product and engineering teams think through the design of this project, they want to avoid bad things happening to the project that could cost money (whether via downtime or compliance fines) or time (which is also money) 2. In this example, our imaginary organization wants to store customer video recordings in an S3 bucket. Organizations often store important content in cloud storage buckets. Building the decision treeįor those of you who haven’t read the report yet (reminder: it’s free), let’s set some background context on this example. I personally found it quite intuitive, though, as always, your mileage may vary. The textual descriptions of the graph are written using the DOT language (and thereby saved as a. However, these style deficiencies are balanced by the ease of editing the relationships represented in the graph – an issue I previously found tedious when using GUI-based tools. I found that the default styling options for Graphviz can quickly look like a hybrid of the infamous defense charts or the “graphic design is my passion” meme. Graphviz takes descriptions of graphs in text form and converts them into a visual (like an image or PDF). It is open source, which was especially compelling as I tried out various graphing tools for the decision tree use case because I am a ho for not spending money. I won’t cover how to populate your own decision tree in this post since that is already covered in the e-book, which is immediately available at your fingertips for the delectable price of free.Īs an apéritif, here’s the end result towards which we’ll be building:Īs the name suggests, Graphviz is a graph visualization tool. Using this as a reference, you can extrapolate this process into a pattern to inform saner security prioritization during the design phase of the product lifecycle. This post will walk through creating the example decision tree from the e-book using Graphviz and a. In the recently published “Security Chaos Engineering” e-book, one of the chapters I wrote covers attacker math and the power of decision trees to guide more pragmatic threat modelling.
0 Comments
Leave a Reply. |