Relations between IODEF and IDMEF Based on IDMEF XML DTD and Data Model Analysis TERENA ITDWG IODEF Editorial Group Yuri Demchenko.

Slides:



Advertisements
Similar presentations
The International Security Standard
Advertisements

1 CIS224 Software Projects: Software Engineering and Research Methods Lecture 11 Brief introduction to the UML Specification (Based on UML Superstructure.
Clearinghouse for Incident Handling Tools TF-CSIRT Seminar January 18, 2001 Barcelona Yuri Demchenko.
Managed Incident Lightweight Exchange (MILE) Overview and Participation Kathleen Moriarty Global Lead Security Architect EMC Corporate CTO Office.
© 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Requirements for Format for INcident data Exchange (FINE) draft-ietf-inch-requirements-00.txt INCH WG, IETF56 March 19, 2003 Yuri Demchenko Glenn Mansfield.
INCH Requirements IETF Interim meeting, Uppsala, Feb.2003.
Collaborative Intrusion Detection and Response. Limitations of Monolithic ID Single point of failure Limited access to data sources Only one perspective.
Maintaining and Updating Windows Server 2008
Long-term Archive Service Requirements draft-ietf-ltans-reqs-00.txt.
What is so good about Archie and RevMan 5
TERENA News Update TERENA User Services related Activity IETF50, Minneapolis IETF User Services WG Yuri Demchenko, TERENA
EGEE is a project funded by the European Union under contract IST JRA3 - Incident Response General Issues Yuri Demchenko MWSG2 June 16, 2004.
MWSG3 August 25, 2004 JRA3 - Incident Response Issues to decide on and next steps Yuri Demchenko EGEE is a project.
CCIRN meeting, Cairns, 3 July 2004 Computer security co-operation in Europe Karel Vietsch Based on materials provided by TERENA TF-CSIRT.
S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.
A Taxonomy of Network and Computer Attacks Simon Hansman & Ray Hunt Computers & Security (2005) Present by Mike Hsiao, S. Hansman and R. Hunt,
Systems Analysis – Analyzing Requirements.  Analyzing requirement stage identifies user information needs and new systems requirements  IS dev team.
A Framework for Automated Web Application Security Evaluation
Setting up a Grid-CERT Experiences of an academic CSIRT TERENA Networking Conference May, Lyngby, Denmark Klaus Möller DFN-CERT Services GmbH.
State of Kansas INF50 Excel Voucher Upload Statewide Management, Accounting and Reporting Tool The following Desk Aid instructs users on overall functionality.
IODEF Design principles and IODEF Data Model Overview IODEF Data Model and XML DTD pre-draft Version 0.03 TERENA IODEF WG Yuri Demchenko.
Incident Object Description and Exchange Format TF-CSIRT at TERENA IODEF Editorial Group Jimmy Arvidsson Andrew Cormack Yuri Demchenko Jan Meijer.
State of Kansas INF50 Excel Voucher Upload Statewide Management, Accounting and Reporting Tool The following Desk Aid instructs users on overall functionality.
1 WS-Privacy Paul Bui Ryan Dickey. 2 Agenda  WS-Privacy  Introduction to P3P  How P3P Works  P3P Details  A P3P Scenario  Conclusion  References.
TCP/IP fundamentals Unit objectives Discuss the evolution of TCP/IP Discuss TCP/IP fundamentals.
Copyrighted material John Tullis 10/17/2015 page 1 04/15/00 XML Part 3 John Tullis DePaul Instructor
Computer Emergency Notification System (CENS)
IODEF and Extended Incident Handling Framework TF-CSIRT Seminar May 31, 2001 Ljubljana.
1 Schema Registries Steven Hughes, Lou Reich, Dan Crichton NASA 21 October 2015.
Incident Object Description and Exchange Format
Microsoft Office Outlook 2013 Microsoft Office Outlook 2013 Courseware # 3252 Lesson 6: Organizing Information.
Chapter 5: Implementing Intrusion Prevention
A Brief Overview of draft-ietf-sidr-cp-01.txt draft-ietf-sidr-cps-rirs-01.txt draft-ietf-sidr-cps-isp-00.txt Steve Kent BBN Technologies.
Relations between IODEF and IDMEF Based on IDMEF XML DTD and Data Model Analysis TERENA ITDWG IODEF Editorial Group Yuri Demchenko.
EGEE is a project funded by the European Union under contract IST Grid Security Incident definition and format Yuri Demchenko, AIRG UvA JSG.
NON-COMPULSORY BRIEFING SESSION REQUEST FOR INFORMATION: ICT SECURITY SOLUTIONS RAF /2015/00019 Date: 29 September 2015 Time: 10:00.
Alternative Architecture for Information in Digital Libraries Onno W. Purbo
ITEM #1 reference to retrieval and archiving is removed.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.
Analyzing Systems Using Data Dictionaries Systems Analysis and Design, 8e Kendall & Kendall 8.
Enterprise Service Desk (ESD) Enterprise Service Desk for Notification / Knowledge Article Authors.
10/1/20071 Automatic Evaluation of Intrusion Detection Systems F. Massicotte, F. Gagnon, Y. Labich, L. Briand, Computer Security Applications Conference,
SIP PUBLISH draft-ietf-simple-publish-01 Aki Niemi
Christian Groves Describing Captures in CLUE and relation to multipoint conferencing draft-groves-clue-multi-content-00 CLUE Interim meeting (09/13)
Fonkey Project Update: Target Applications TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
SonOf3039 Status Russ Housley Security Area Director.
Optimising XML Schema for IODEF Data model INCH WG, IETF57 July 16, 2003 Yuri Demchenko.
Slide #1 Nov 6 – 11, 2005XCON WG IETF54 Conference Package Extensions draft-levin-xcon-conference-package-ext-00 by Orit Levin The Discussion Starter.
CDB Chris Bonatti (IECA, Inc.) Tel: (+1) Proposed PKI4IPSEC Certificate Management Requirements Document IETF #60 – PKI4IPSEC Working.
INCident Handling BOF (INCH) Thursday, March IETF 53.
Gasunie is one of the biggest gas infrastructure companies in Europe. Within the company, we give safety the highest priority; it forms the basis of our.
Maintaining and Updating Windows Server 2008 Lesson 8.
Stephen Banghart Dave Waltermire
Building Global CSIRT Capabilities Barbara Laswell, Ph. D
Incident Object Description and Exchange Format
WEB SERVICES From Chapter 19 of Distributed Systems Concepts and Design,4th Edition, By G. Coulouris, J. Dollimore and T. Kindberg Published by Addison.
INCH Requirements Glenn Mansfield Keeni Cyber Solutions Inc
draft-ipdvb-sec-01.txt ULE Security Requirements
CVE.
Metadata The metadata contains
Proposed Alert Table Extension For Multi-Function Printers
WEB SERVICES From Chapter 19, Distributed Systems
Optimising XML Schema for IODEF Data model
Computer Security Cooperation in Europe
Web-based Imaging Management System Working Group - WIMS
Incident Object Description and Exchange Format
Presentation transcript:

Relations between IODEF and IDMEF Based on IDMEF XML DTD and Data Model Analysis TERENA ITDWG IODEF Editorial Group Yuri Demchenko

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _2 Outline  TERENA Incident Taxonomy and Description WG u History and next steps  IODEF Documents  Relation between IDMEF and IODEF

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _3 Incident Taxonomy and Description WG at TERENA TF-CSIRT - History  Incident Taxonomy and Description WG u Webpage and charter - u mailing list and archive - u Mailing list and archive - list/mail-archive/ u Next meeting – May 31-June 1, 2001, Ljubljana, Slovenia  Next steps u Pilot implementation among few CSIRTs in Europe –TERENA funded Pilot Project –IHS Platforms: Remedy ARS, Magic TSD, Nortel Clarify u Next BoF – at 13 th FIRST Conference in Toulouse, France u BoF at IETF51??

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _4 IODEF Documents Incident Object Description and Exchange Format Requirements  Published as RFC Incident Object Elements Description and XML Data Type Description (XML DTD)  Pre-project draft is available  Document (I-draft) to be drafted before May 31, 2001  Problem with name space sharing with IDMEF Incident Object Data Model  To be drafted before May 31, 2001

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _5 Other and external IODEF Documents Best Current Practice on Incident classification and reporting schemes.  Version Taxonomy of the Computer Security Incident related terminology Other documents/areas of interest  Evidence Collection and Archiving (current i-d raft expired)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _6 IODEF purposes A uniform incident classification enables applications such as:  uniform internal incident storage  incident handling between teams made easier (only one team needs to classify and analyze the complete incident, the other team can re-use this data)  uniform incident reporting by victims to CSIRTs  uniform statistic generation and exchange, for both domestic use and exchange of data between teams. Over time a distributed incident statistics infrastructure can evolve  trend-analyses for reoccurrence of incidents, victims, attackers, etc.  trend-analyses for relations between scans and attacks and thus begin working on pro-active incident response Main IODEF actors are CSIRTs – not IDS

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _7 Extended Incident Handling – Information flow Courtesy of William Rice (former Litton-TASC)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _8 Interaction between IDS, IHS and Vulnerability Reports (Security Alerts) Yet To Be Described (including Attack/Incident History)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _9 Relation between IDMEF and IODEF Initial requirements/suggestions: 1. IODEF should be compatible with IDMEF and be capable to use/include IDMEF message into IO, e.g. as or inside of IncidentAlert IO class. However, backward compatibility is not required, i.e. it’s not necessary that IODEF message is understood by IDS (or other automatic system?) 2. If some elements or attributes intersect, options should be considered:  change name in IODEF or  ask IDWG to consider changing name in IDMEF Request for comments to ITDWG and IODEF

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _10 1. Reuse (confirmed) IDMEF to generate in a simplest way IncidentAlert (message)? Possible format for IODEF IncidentAlert: Some Data Authority created IO AdditionalData containing IDMEF To Be Considered. Ask IDWG about lifetime of IDMEF: What happen with confirmed Intrusion? IDMEF vs IODEF: (1)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _11 IDMEF vs IODEF: (2) 4. Compare (target, source)/IDMEF and (target, source)/IODEF. Does source/IDMEF cover/equal to Attacker/IODEF? The Target class contains information about the possible target(s) of the event(s) that generated an alert. An event may have more than one target (e.g., in the case of a port sweep). The Target class is composed of four aggregate classes: Node, User, Process, Service The Source class contains information about the possible source(s) of the event(s) that generated an alert. An event may have more than one source (e.g., in a distributed denial of service attack). The Source class is composed of four aggregate classes: Node, User, Process, Service O.K. to reuse

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _12 IDMEF vs IODEF: (3) 5. Definition of impact/IDMEF Impact (Optional). The evaluated impact of the event(s) leading up to the alert on the target. The permitted values for this attribute are shown below. The default value is "unknown". O.K. to reuse.

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _13 IDMEF vs IODEF: (4) 6. IDMEF uses detectTime/IDMEF. The DetectTime class is used to indicate the date and time the event(s) producing an alert was detected by the analyzer. In the case of more than one event, the time the first event was detected. (This may or may not be the same time as CreateTime; analyzers are not required to send alerts immediately upon detection). The DetectTime class has one attribute: ntpstamp representing the same date and time as the element content. Can be adopted. TBC. Consider including element registrationTime/IODEF

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _14 IDMEF vs IODEF: (5) 7. It seems that name “datetime” is commonly used in XML world but IDMEF use “date-time” with dash. Date-time strings are represented by the DATETIME data type. Each date- time string identifies a particular instant in time; ranges are not supported. Date-time strings are formatted according to a subset of ISO 8601:2000, as show below. Section references in parentheses refer to sections of the ISO 8601:2000 standard. O.K. to adopt. Comment to IDWG to change to datetime.

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _15 IDMEF vs IODEF: (6) 8. IDMEF intends to define tool of the attack by element ToolAlert ToolAlert is subclass of Alert. The ToolAlert class carries additional information related to the use of attack tools or malevolent programs such as Trojan horses, and can be used by the analyzer when it is able to identify these tools. It is intended to group one or more previously-sent alerts together, to say "these alerts were all the result of someone using this tool." The ToolAlert class is composed of three aggregate classes: name, command, alertident. No suggestions (Not applicable for IODEF?)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _16 IDMEF vs IODEF: (7) 9. Reuse definition of “Alertident” for extended identification of Incidents. AlertIdent - the list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the ToolAlert. Not applicable for IODEF?

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _17 IDMEF vs IODEF: (8) 10. Check definition of “user” and “userId” in IDMEF. The User class is used to describe user that is receiving the event(s). It is primarily used as a "container" class for the UserId aggregate class. The UserId class provides specific information about a user. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges. The UserId class is composed of two aggregate classes: name, number. User class in IDMEF is not clearly defined. Comment to IDWG. Do we have/need “user*” element in IODEF?

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _18 IDMEF vs IODEF: (9) 11. IDMEF doesn’t contain elements Attack and Vulnerability because Attack is a confirmed Intrusion that is being handled by CSIRT/humans Vulnerability is covered by Classification element. However, it looks a bit indefinite as sub-element of <!ELEMENT Alert ( Analyzer, CreateTime, DetectTime?, AnalyzerTime?, Source*, Target*, Classification+, ToolAlert?, OverflowAlert?, CorrelationAlert?, AdditionalData*)> The Classification class provides the "name" of an alert, or other information allowing the manager to determine what it is (for example, to decide whether or not to display the alert on-screen, what color to display it in, etc.). The Classification class is composed of two aggregate classes: name (of vulnerability), url. TBC: What’s the relation between Alert and Attack?

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _19 IDMEF vs IODEF: (10) 13. Check definition of “classification” in IDMEF. Does it mean known/registered vulnerability? Classification class is not clearly defined. Is it related to Vulnerabilities, Exposure or Attacks? If latter, what’s the definition of attack?

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _20 IDMEF vs IODEF: (11) 14. Check definition of method/IDMEF IDMEF: Service>webservice>method The HTTP method (PUT, GET) used in the request Contact IDWG to change method to httpmethod. Using generic term method is not good in general. Otherwise: Consider changing/redefining Method/IODEF and/or moving:  Vulnerability to Attack and  Evidence to Top level elements/classes or to AdditionalData

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _21 IDMEF vs IODEF: (12) 15. Consider reusing the following terms from IDMEF: size - sub-element of OverflowAlert - N/A number - sub-element of userId - url - (exactly one string)– used in classification, WebService - O.K. location – sub-element of node (location, name address) - Not clearly defined. name – has diverse number of definitions:  name of a particular tool in ToolAlert, name of equipment in node, name of the alert in Classification from one of the known origins, etc. Meaning depends on place in IDMEF hierarchy. - Not clearly defined.

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _22 Extended Incident Handling  Previous Projects and Activities  IODEF and Extended Incident Handling issues in TERENA TF- CSIRT activity  Interaction between IDS, IHS and Vulnerability Reports (Security Alerts)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _23 Extended Incident Handling – Previous Project, Activities and liaisons Litton-TASC (William Rice and Katarina Auer) CERT/CC (Jed Pickel) IETF GRIP WG  I-draft on Evidence Collection Guidance – expired Local copy – evidence-01.txt evidence-01.txt IODEF and eXtended Incident Handling at TERENA TF-CSIRT  Current activity -

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _24 Extended Incident Handling – Information flow Courtesy of William Rice (former Litton-TASC)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _25 Interaction between IDS, IHS and Vulnerability Reports (Security Alerts) Yet To Be Described (including Attack/Incident History)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _26 IODEF and Extended Incident Handling at TERENA TF-CSIRT Incident Taxonomy and Description WG –  IODEF development  Pilot implementation between few European CSIRTs (e.g., CERT-NL, CERT- UK, Telia CERT, BT-CERT) – late 2001 TF-CSIRT ( deliverables:  D. Security Contact entry in the RIPE database u New RIPE Database Object profile  E. Clearing House for Incident Handling Tools u Taxonomy of Incident Handling tools and pro-active tools used by CSIRTs  F. Training of new (staff of) CSIRTs u Extended Training Programme and Basic modules

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _27 Litton-TASC: Incident Response Use Case Courtesy of William Rice (former Litton-TASC)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _28 Litton-TASC: Incident Reporting Use Case Courtesy of William Rice (former Litton-TASC)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _29 Litton-TASC: Analyze Incidents Use Case Courtesy of William Rice (former Litton-TASC)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _30 Litton-TASC: Detect Events Use Case Courtesy of William Rice (former Litton-TASC)

©2001. Yu.Demchenko. TERENA IETF50: IODEF and IDMEF Slide2 _31 Incident Object Data Model csirt/i-taxonomy/docs/iodef- datamodelv01.html

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.