Presentation is loading. Please wait.

Presentation is loading. Please wait.

IODEF Design principles and IODEF Data Model Overview IODEF Data Model and XML DTD pre-draft Version 0.03 TERENA IODEF WG Yuri Demchenko.

Published byJocelyn Fox Modified over 9 years ago

Similar presentations

Presentation on theme: "IODEF Design principles and IODEF Data Model Overview IODEF Data Model and XML DTD pre-draft Version 0.03 TERENA IODEF WG Yuri Demchenko."— Presentation transcript:

1 IODEF Design principles and IODEF Data Model Overview IODEF Data Model and XML DTD pre-draft Version 0.03 TERENA IODEF WG Yuri Demchenko

2 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _2 Outlines  Current IODEF documents  IODEF Design Principles  Relation between IDMEF and IODEF  IODEF Data Model Overview

3 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _3 Current IODEF documents  Incident Object Description and Exchange Format Requirements u Published as RFC 3067 http://www.ietf.org/rfc/rfc3067.txthttp://www.ietf.org/rfc/rfc3067.txt  IODEF Data Model and XML DTD pre-draft Version 0.03 u http://www.terena.nl/tech/task-forces/tf-csirt/iodef/docs/iodef-datamodel-draft-003.html http://www.terena.nl/tech/task-forces/tf-csirt/iodef/docs/iodef-datamodel-draft-003.html Other documents http://www.terena.nl/tech/task-forces/tf-csirt/iodef/  Taxonomy of the Computer Security Incident related terminology http://www.terena.nl/tech/task-forces/tf-csirt/iodef/docs/i-taxonomy_terms.html http://www.terena.nl/tech/task-forces/tf-csirt/iodef/docs/i-taxonomy_terms.html  Relations between the IODEF Incident handling systems and IDMEF developed by IETF IDWG - Request for comments to IDWG and ITD/IODEF WG – IETF50, March 2001 http://www.terena.nl/tech/task-forces/tf-csirt/iodef/docs/iodef-idmef-xmldtd-00- rfc.html http://www.terena.nl/tech/task-forces/tf-csirt/iodef/docs/iodef-idmef-xmldtd-00- rfc.html

4 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _4 IODEF Design: Problems addressed Problems addressed by IODEF:  Incident data are inherently heterogeneous u May change during lifetime/investigation  Incident information can originate from different sources u Incident Object may be created by CSIRT, reported by community or initially based on IDS Alert  Incident description may contain sensitive information u Sensitive information should be protected u Evidence integrity and in some cases confidentiality should be secured

5 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _5 IODEF Design Principles  Content-driven u Object oriented approach allows simple introduction of new objects to extend new content description u Possibility to apply different attributes to different elements  Unambiguous representation u The same Incident descriptions created by different CSIRTs should be identified as one Incident  Support correlation of related incidents u Provide basis for necessary cooperation between CSIRTs u Principle of Incident Object ownership – key concept for Incidents correlation and unambiguous presentation  XML implementation  Seamless IDMEF integration

6 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _6 XML Implementation  Human readable, but machine parsable u XML DT vs XML Schema  Easily extensible  Tools are widely (and free) available  Internationalisation u Support of CSIRT’s local languages  Significant classes re-use from IDMEF u Open source IDMEF idmeflibxml extension

7 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _7 Relation between IDMEF and IODEF 1. IODEF should be compatible with IDMEF and be capable to use/include IDMEF message into IO  Current IODEF implementation provides two options: u Use IncidentAlert class container to wrap up Alert/IDMEF u Decompose Alert/IDMEF message into Incident/IODEF classes 2. IODEF follows IDMEF development  IDMEF last call draft version 0.6 will be completely incorporated changes into IODEF pre-draft version 0.04 u On request by IODEF WG IDWG made considerable changes to IDMEF elements definition

8 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _8 Differences between IDMEF and IODEF  Main IODEF actors are CSIRTs – not IDS u CSIRT as owner of the IO  IODEF is human (interface/interaction) oriented u Human readable, but machine parsable  Incident Object has longer lifetime compare to one time use of IDMEF message u Incident handling (reporting, investigation, etc.) u Incident storage u Statistics and trend analysis

9 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _9 IODEF vs IDMEF: Top level classes IODEF top level classes: Incident  Attack <- Target  Attacker <- Source  Victim <- Target  Method <- Classification  Evidence <- Analyzer  Assessment  Authority  CorrelationIncident  History  AdditionalData IncidentAlert  Alert IDMEF top level classes: Alert  Source  Target  Classification  CreatTime  DetectTime  AnalyzerTime  Analyzer  Assessment  CorrelationAlert  ToolALert  OverflowAlert  AdditionalData

10 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _10 IODEF Top-Level Classes  IODEF-Description is the root container class  Different types of incident reports derive subclass u Incident: incident report u IncidentAlert: IDMEF Alert u Vulnerability: (proposed) vulnerability report IODEF-Description IncidentAlert IncidentVulnerabilityReport

11 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _11 The Incident Class WHAT/WHERE: Attack WHO: Attacker/Victim: information on source and destination of the incident HOW: Method of attack, analysis of incident, Assessment PROOF: Evidence: support for incident analysis OWNER: Authority: incident creator Log of events/actions: History Extension mechanism: Additional Data Incident AdditionalData Attack Attacker Victim Method Assessment Evidence Authority History

12 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _12 IODEF-003: Full Data Model http://www.terena.nl/tech/task-forces/tf-csirt /iodef/docs/iodef-datamodel-draft-003.html

13 2002. Yu.Demchenko. TERENA 5th TF-CSIRT: IODEF WG Slide2 _13 IODEF Data Model – remaining issues To be solved in IODEF-004 or moved to IETF INCH WG 1. XML DTD YET to BE UPDATED with recent changes 15 and 16 Modify the CorrelateIncident Class (Section 5.2.2.2) 2. Modify Section 7.2 Unrecognized XML Tags to target better IDMEF and IODEF integration 3. How to provide for packet and flow representations in 4. Representing vulnerability data (vul-description) 5. Further discussion and presentation in the IODEF document the issue about reusing IDMEF Classes in the IODEF documents and in guidance for implementers. 6. Granularity of setting restrictions on various elements? 7. Certain identifier attributes may not be necessary

Download ppt "IODEF Design principles and IODEF Data Model Overview IODEF Data Model and XML DTD pre-draft Version 0.03 TERENA IODEF WG Yuri Demchenko."

Similar presentations

Dynamic Symmetric Key Provisioning Protocol (DSKPP)

Dynamic Symmetric Key Provisioning Protocol (DSKPP)
XML/EDI Overview West Chester Electronic Commerce Resource Center (ECRC) 888-745-3748.

XML/EDI Overview West Chester Electronic Commerce Resource Center (ECRC)
<<Date>><<SDLC Phase>>

<<Date>><<SDLC Phase>>
Managed Incident Lightweight Exchange (MILE) Overview and Participation Kathleen Moriarty Global Lead Security Architect EMC Corporate CTO Office.

Managed Incident Lightweight Exchange (MILE) Overview and Participation Kathleen Moriarty Global Lead Security Architect EMC Corporate CTO Office.
IODEF datamodel update. Stability of the datamodel Datamodel stable since Feb 2003 interim meeting Draft stable since publication March 31st.

IODEF datamodel update. Stability of the datamodel Datamodel stable since Feb 2003 interim meeting Draft stable since publication March 31st.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
Campinas October 2002 CODATA / TDWG / BioCASE Unit Profile Introduction to The XML Schema Version 1.37 Neil Thomson, The Natural History Museum, London.

Campinas October 2002 CODATA / TDWG / BioCASE Unit Profile Introduction to The XML Schema Version 1.37 Neil Thomson, The Natural History Museum, London.
Requirements for Format for INcident data Exchange (FINE) draft-ietf-inch-requirements-00.txt INCH WG, IETF56 March 19, 2003 Yuri Demchenko Glenn Mansfield.

Requirements for Format for INcident data Exchange (FINE) draft-ietf-inch-requirements-00.txt INCH WG, IETF56 March 19, 2003 Yuri Demchenko Glenn Mansfield.
Grid Computing, B. Wilkinson, 20043a.1 WEB SERVICES Introduction.

Grid Computing, B. Wilkinson, 20043a.1 WEB SERVICES Introduction.
INCH Requirements IETF Interim meeting, Uppsala, Feb.2003.

INCH Requirements IETF Interim meeting, Uppsala, Feb.2003.
Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.

Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.
1 SIPREC Recording Metadata format (draft-ram-siprec-metadata-format- 01) IETF-80 SIPREC MEETING R Parthasarathi On behalf of the team Team: Paul Kyzivat,

1 SIPREC Recording Metadata format (draft-ram-siprec-metadata-format- 01) IETF-80 SIPREC MEETING R Parthasarathi On behalf of the team Team: Paul Kyzivat,
TERENA News Update TERENA User Services related Activity IETF50, Minneapolis IETF User Services WG Yuri Demchenko, TERENA

TERENA News Update TERENA User Services related Activity IETF50, Minneapolis IETF User Services WG Yuri Demchenko, TERENA
EGEE is a project funded by the European Union under contract IST-2003-508833 JRA3 - Incident Response General Issues Yuri Demchenko MWSG2 June 16, 2004.

EGEE is a project funded by the European Union under contract IST JRA3 - Incident Response General Issues Yuri Demchenko MWSG2 June 16, 2004.
Chapter 9 Web Services Architecture and XML. Objectives By study in the chapter, you will be able to: Describe what is the goal of the Web services architecture.

Chapter 9 Web Services Architecture and XML. Objectives By study in the chapter, you will be able to: Describe what is the goal of the Web services architecture.
S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.
Selective and Authentic Third-Party distribution of XML Documents - Yashaswini Harsha Kumar - Netaji Mandava (Oct 16 th 2006)

Selective and Authentic Third-Party distribution of XML Documents - Yashaswini Harsha Kumar - Netaji Mandava (Oct 16 th 2006)
Incident Object Description and Exchange Format TF-CSIRT at TERENA IODEF Editorial Group Jimmy Arvidsson Andrew Cormack Yuri Demchenko Jan Meijer.

Incident Object Description and Exchange Format TF-CSIRT at TERENA IODEF Editorial Group Jimmy Arvidsson Andrew Cormack Yuri Demchenko Jan Meijer.
Standards Analysis Summary vMR – Pros Designed for computability Compact Wire Format Aligned with HeD Efforts – Cons Limited Vendor Adoption thus far Represents.

Standards Analysis Summary vMR – Pros Designed for computability Compact Wire Format Aligned with HeD Efforts – Cons Limited Vendor Adoption thus far Represents.
SIPREC Conference Recording (draft-kyzivat-siprec-conference-use-cases-01) IETF 89, March 7, 2014 Authors: Michael Yan, Paul Kyzivat, Simon Romano.

SIPREC Conference Recording (draft-kyzivat-siprec-conference-use-cases-01) IETF 89, March 7, 2014 Authors: Michael Yan, Paul Kyzivat, Simon Romano.

Similar presentations

Ads by Google