IODEF Design principles and IODEF Data Model Overview IODEF Data Model and XML DTD pre-draft Version 0.03 TERENA IODEF WG Yuri Demchenko.

Presentation transcript:


2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG

Outline
- Current IODEF documents
- IODEF Design Principles
- Relation between IDMEF and IODEF
- IODEF Data Model Overview

Current IODEF documents
- Incident Object Description and Exchange Format Requirements
  - Published as an RFC
- IODEF Data Model and XML DTD pre-draft Version 0.03
- Other documents
  - Taxonomy of the Computer Security Incident related terminology
  - Relations between the IODEF Incident handling systems and IDMEF developed by IETF IDWG: request for comments to IDWG and ITD/IODEF WG, IETF50, March

IODEF Design: Problems addressed
Problems addressed by IODEF:
- Incident data are inherently heterogeneous
  - May change during the lifetime of the incident/investigation
- Incident information can originate from different sources
  - An Incident Object may be created by a CSIRT, reported by the community, or initially based on an IDS Alert
- Incident descriptions may contain sensitive information
  - Sensitive information should be protected
  - Evidence integrity, and in some cases confidentiality, should be secured

IODEF Design Principles
- Content-driven
  - An object-oriented approach allows new objects to be introduced simply, to extend the content description
  - Different attributes can be applied to different elements
- Unambiguous representation
  - Descriptions of the same Incident created by different CSIRTs should be identified as one Incident
- Support correlation of related incidents
  - Provides the basis for the necessary cooperation between CSIRTs
  - Principle of Incident Object ownership: the key concept for incident correlation and unambiguous representation
- XML implementation
- Seamless IDMEF integration

XML Implementation
- Human readable, but machine parsable
  - XML DTD vs XML Schema
- Easily extensible
- Tools are widely (and freely) available
- Internationalisation
  - Support for CSIRTs' local languages
- Significant re-use of classes from IDMEF
  - Open source IDMEF idmeflibxml extension

Relation between IDMEF and IODEF
1. IODEF should be compatible with IDMEF and be capable of using/including an IDMEF message in an IO (Incident Object)
   - The current IODEF implementation provides two options:
     - Use the IncidentAlert class as a container to wrap the Alert/IDMEF message
     - Decompose the Alert/IDMEF message into Incident/IODEF classes
2. IODEF follows IDMEF development
   - The changes in the IDMEF last-call draft version 0.6 will be completely incorporated into IODEF pre-draft version 0.04
   - At the request of the IODEF WG, the IDWG made considerable changes to the IDMEF element definitions

Differences between IDMEF and IODEF
- The main IODEF actors are CSIRTs, not IDS
  - The CSIRT is the owner of the IO
- IODEF is human (interface/interaction) oriented
  - Human readable, but machine parsable
- An Incident Object has a longer lifetime compared to the one-time use of an IDMEF message
  - Incident handling (reporting, investigation, etc.)
  - Incident storage
  - Statistics and trend analysis

IODEF vs IDMEF: Top-level classes

IODEF top-level classes (<- marks the corresponding IDMEF class):
- Incident
  - Attack <- Target
  - Attacker <- Source
  - Victim <- Target
  - Method <- Classification
  - Evidence <- Analyzer
  - Assessment
  - Authority
  - CorrelationIncident
  - History
  - AdditionalData
- IncidentAlert
  - Alert

IDMEF top-level classes:
- Alert
  - Source
  - Target
  - Classification
  - CreateTime
  - DetectTime
  - AnalyzerTime
  - Analyzer
  - Assessment
  - CorrelationAlert
  - ToolAlert
  - OverflowAlert
  - AdditionalData
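As an added example (not code from the TERENA slides or from the IODEF/IDMEF drafts), the following shows the two IDMEF-integration options named on the "Relation between IDMEF and IODEF" slide, wrapping in IncidentAlert versus decomposing into Incident classes, using the class correspondence from the table above. The element structure and the sample Alert are hypothetical simplifications, since the actual DTD is not on the page.

```python
# Added example, not code from the TERENA slides or the IODEF/IDMEF drafts. The
# element structure is a hypothetical simplification; only slide class names are used.
import copy
import xml.etree.ElementTree as ET

# Constructed sample IDMEF Alert (real IDMEF carries more structure and a namespace).
IDMEF_ALERT = """<Alert>
  <Analyzer analyzerid="ids-constructed-01"/>
  <CreateTime>2002-01-01T00:00:00Z</CreateTime>
  <Source><Node><Address><address>192.0.2.10</address></Address></Node></Source>
  <Target><Node><Address><address>192.0.2.20</address></Address></Node></Target>
  <Classification><name>constructed-probe</name></Classification>
</Alert>"""

# Option 1: wrap the Alert unchanged in the IncidentAlert container class.
def wrap_alert(alert_xml: str) -> ET.Element:
    root = ET.Element("IODEF-Description")
    ET.SubElement(root, "IncidentAlert").append(ET.fromstring(alert_xml))
    return root

# IDMEF class -> IODEF classes, as listed on the top-level classes slide
# (Target feeds both Attack and Victim; Assessment and AdditionalData are shared).
DECOMPOSE_MAP = {
    "Source": ["Attacker"],
    "Target": ["Attack", "Victim"],
    "Classification": ["Method"],
    "Analyzer": ["Evidence"],
    "Assessment": ["Assessment"],
    "AdditionalData": ["AdditionalData"],
}

# Option 2: decompose the Alert into Incident classes. The CSIRT creating the
# Incident Object is recorded as its Authority (the ownership principle).
def decompose_alert(alert_xml: str, csirt: str) -> ET.Element:
    root = ET.Element("IODEF-Description")
    incident = ET.SubElement(root, "Incident")
    ET.SubElement(incident, "Authority").text = csirt
    for child in ET.fromstring(alert_xml):
        targets = DECOMPOSE_MAP.get(child.tag)
        if targets is None:
            # No IODEF counterpart on the slide (e.g. CreateTime): keep it through
            # the AdditionalData extension mechanism rather than dropping alert data.
            ET.SubElement(incident, "AdditionalData", type="idmef").append(copy.deepcopy(child))
            continue
        for tag in targets:  # attributes and children are copied, not shared
            new = ET.SubElement(incident, tag, dict(child.attrib))
            new.extend(copy.deepcopy(list(child)))
    return root

def class_names(root: ET.Element) -> list[str]:
    return [c.tag for c in root[0]]  # classes under the first report
```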

IODEF Top-Level Classes
- IODEF-Description is the root container class
- Different types of incident report derive a subclass
  - Incident: incident report
  - IncidentAlert: IDMEF Alert
  - Vulnerability: (proposed) vulnerability report

[Class diagram: IODEF-Description with the subclasses IncidentAlert, Incident and VulnerabilityReport]

The Incident Class
- WHAT/WHERE: Attack
- WHO: Attacker/Victim: information on the source and destination of the incident
- HOW: Method of attack, analysis of the incident, Assessment
- PROOF: Evidence: support for incident analysis
- OWNER: Authority: incident creator
- Log of events/actions: History
- Extension mechanism: AdditionalData

[Class diagram: Incident with the classes Attack, Attacker, Victim, Method, Assessment, Evidence, Authority, History and AdditionalData]

IODEF-003: Full Data Model
/iodef/docs/iodef-datamodel-draft-003.html

IODEF Data Model: remaining issues
To be solved in IODEF-004 or moved to the IETF INCH WG:
1. XML DTD yet to be updated with recent changes 15 and 16: modify the CorrelateIncident Class (Section )
2. Modify Section 7.2, Unrecognized XML Tags, to better target IDMEF and IODEF integration
3. How to provide for packet and flow representations in
4. Representing vulnerability data (vul-description)
5. Further discussion and presentation in the IODEF document of the issue of reusing IDMEF classes in IODEF documents, and in guidance for implementers
6. Granularity of setting restrictions on various elements?
7. Certain identifier attributes may not be necessary