#
# 12/01/2024
# This directory contains the key code and data elements created and used in
#   the creation of the PhD thesis "MITRE Open CTI Contribution to Cyber Situational Awareness"
# For additional information you may contact Chris Maidens at c.j.maidens@soton.ac.uk or cmlg314@gmail.com
# 
# This file contains a brief summary of the key items
#

###########################################################
# Used in Preparation

# Code to download ATT&CK data (from MITRE TAXII service)
#     The data used for this work was downloaded on 29/05/22
#     The code converts the MITRE data into a relational database model 
#         implemented as .csv files and loaded into dataframes within the code.
#     These .csv files can be recreated by rerunning this code against the MITRE data (TAXII service)
#         as at above date
MAFpt_ATTACK_DB_v2.py

# A simple confidence test rig
MAFpt_ATTACK_DB_TEST.py

# Parameter reading code (yaml file)
MAFpt_r_params.py

# Parameter file
#   Key params
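#       RUN_DOWNLOAD_ATTACK: N   ---> Set both of these to N to use the .csv files
#       RUN_REINDEX_ATTACK: N    ---> Set both to Y to download from the TAXII service instead (see param below).
#                                     BEST NOT USED, AS THE ATT&CK VERSION HAS MOVED ON since the data was downloaded,
#                                     so a fresh download will not match the .csv files used in this work.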
#       RUN_ATTACK_TAXII_SERVER: "https://cti-taxii.mitre.org/taxii/"
#       RUN_ATTACK_LOCAL_FILE_ROOT: "C:/Users/...../ATTACK_DB_TEST/"  ---> Where to find/write .csv files
MAFpt_ATTACK_DB_TEST_Runparams.yaml


###########################################################
# Used in Chapter 5

AttackClusterReview_v2.R

# Create Basic Counts (Chapter 5)
MAFpt_ATTACK_DB_BASIC_COUNTS_v2.py

# Hopkins test analysis
MAFpt_TACTIC_CLUSTERS.py



###########################################################
# Used in Chapter 6


# Data for attack sequences
ATT&CKAttackFragments_1_0d_SHRINK.docx  # Analysis of reports used to define sequences
                                        # All source reports are publicly available and referenced
                                        # This report can be found in References.zip
										
AttackModels # Directory with reports converted into .csv files
             # The IDs of the attacks match those in the Attack Fragments document above

MAFpt_ATTACK_DB_ATTACK_GRAPH_BUILDER.py     # Convert .csv files to .py file (used to import as base data)

MAFpt_ATTACK_DB_ATTACK_GRAPHS_DATA_AUTO.py  # Built by above, this is then 'included' in python scripts 
                                            # wishing to process the attacks
MAFpt_ATTACK_DB_ATTACK_GRAPHS_DATA_AUTO  - Pre HMM.py  # Just used to checkpoint content prior 
                                                       #   to adding new attacks when exploring Markov Models in Ch 7.


MAFpt_ATTACK_DB_ATTACK_GRAPHS_v6.py  # Convert data into networkx graph form
MAFpt_ATTACKS_GRAPH_v5.gexf  # Networkx data (XML form) used in this work
MAFpt_ATTACKS_GRAPH_v5 - PreHMM.gexf  # Just used to checkpoint content prior 
                                      #   to adding new attacks when exploring Markov Models in Ch 7.


###########################################################
# Used in Chapter 7

# Using the Attack Model – LCSS Fragment Matching
MAFpt_ATTACK_DB_GRAPH_WALKER_v2_LCSS.py

# Using the Attack Model – Hidden Markov Model
# PREFER USE OF LATER DB_DICTS version
MAFpt_ATTACK_DB_GRAPH_WALKER_HMM_TEST.py
MAFpt_ATTACK_DB_Dicts_HMM.py

# Using the Attack Model – Markov Model
# PREFER USE OF LATER DB_DICTS version
MAFpt_ATTACK_DB_GRAPH_WALKER_v2_MC.py
MAFpt_ATTACK_DB_Dicts_MC_v2.py

# Using the Attack Model – Unified Kill Chain
MAFpt_ATTACK_DB_GRAPH_UKC.py


# Draft utilities, used to investigate internal consistency of data for Markov analysis
ThrowMeAway.py
ThrowMeAway_2.py







