IDMEF General requirements
Define data formats and exchange procedures for sharing information between intrusion detection and response systems.
The main objective of this project is to define the requirements for the Intrusion Detection Message Exchange Format (IDMEF). IDMEF was chosen as the standard format for automated intrusion detection systems. The project also defines and specifies the requirements for a communication protocol for conveying IDMEF messages; these requirements are used to evaluate existing communication protocols. IDMEF is a product of the IDMEF working group. It is also used to determine a new communication protocol. The project analyzes the general requirements, message format requirements, communication protocol requirements and message content requirements for IDMEF. IDMEF messages are conveyed using the IDMEF communication protocol (Wood and Erlinger, 2018). The IDWG therefore decided to define the requirements for the IDMEF communication protocol and the message content requirements used to analyze IDMEF. It also analyzes and describes the security considerations for IDMEF. IDMEF is useful for the following reasons:
- It is useful for both commercial and free IDSs, which detect intrusions on the network and have very different strengths and weaknesses. It greatly simplifies this task on the network.
- Intrusions frequently involve multiple organizations as victims, or multiple sites within the same organization, and these sites use different IDSs.
- It is very useful for correlating distributed intrusions across multiple sites and administrative domains.
- It enables communication from an ID analyzer to an ID manager.
- It has an IDMEF notification system to enable communication between a variety of IDS components.
To make the rest of the intrusion detection system requirements clearer, we first define some terms for a typical IDS. The diagram below shows the intrusion detection terms (Feinstein and Matthews, 2018).
The above diagram illustrates the intrusion detection system terms and their relationships.
The general requirements for IDMEF are listed below.
- IPv4
- IPv6
These two Internet protocols are used to operate intrusion detection systems in network environments. An IDS that contains IPv4 and IPv6 implementations should be able to operate in these environments. Pure IPv4, pure IPv6 and hybrid IPv4/IPv6 environments are all expected to exist within the time frame of IDMEF implementations. The IDMEF specification should therefore support both IPv6 and IPv4 environments.
The message format requirements involve the IDMEF communication protocol, which is intended to be independent of the Intrusion Detection Message Exchange Format. Completely different transport mechanisms can be used, which ensures a clean separation between communication mechanisms and semantics. The IDMEF communication protocol is recommended for intrusion detection systems. The message format must support internationalization and localization, and message filtering and aggregation (Debar, Curry and Feinstein, 2018).
Network security and intrusion detection cross cultural boundaries and political and geographical areas, so IDMEF messages should be formatted in the local language and according to local presentation customs. Because the IDMEF specification includes numeric event identifiers, an IDMEF implementation can translate the numeric event identifiers into local-language descriptions. Where messages contain strings, IDMEF uses the ISO/IEC IS 10646-1 character set to facilitate internationalization.
IDMEF communication protocols requirement
The IDMEF message format should support data filtering and aggregation by the manager, so IDMEF messages must be structured to facilitate these operations. Fixed-format messages with strong numerical semantics are used to achieve high-performance data aggregation and filtering.
The requirements for IDMEF communication protocols are listed below.
Reliable Message Transmission
The intrusion detection system must support reliable message transmission. IDS managers depend on receiving data from the IDS analyzers to do their job effectively, so IDMEF messages must be delivered reliably (heise online, 2018).
Interaction with firewall
The intrusion detection system should support reliable message transmission between ID components across a firewall without compromising security. Firewalls may be deployed between IDMEF-capable analyzers and their respective managers. This requires the ability to relay messages through a proxy using the required mechanisms. The design uses TCP to convey IDMEF messages because this avoids dangerous inbound holes in the firewall. It provides monitoring services to users and maximum flexibility in analyzer and manager deployment.
Message Confidentiality
During message exchange, the IDP must support confidentiality of the message content. The confidentiality mechanism must be capable of supporting a variety of encryption algorithms and environments. IDMEF messages generally contain extremely sensitive information and are transmitted across uncontrolled network segments, so important content should be shielded using the various encryption options (Stallings, 2017).
Mutual Authentication
The intrusion detection protocol supports mutual authentication of the analyzer and the manager. The IDP requires application-layer authentication, since the messages are used to investigate the security of an enterprise network. This authentication is separate from the mechanisms of the underlying communication protocols.
Message Integrity
The intrusion detection protocol ensures the integrity of the message content and supports a variety of integrity mechanisms, which are adaptable to a variety of environments. Message integrity also helps to protect the enterprise network (Lin, Tsudik and Wang, 2011).
Denial of Service
The intrusion detection protocol resists denial-of-service attacks. Denial of service is a common way to defeat secure communication systems. A denial-of-service attack does not corrupt valid messages, but it can prevent any communication (Huang, 2014).
IDMEF message content requirement
Per-source Authentication
The intrusion detection protocol also supports a separate authentication key for each sender when a symmetric algorithm is used. These keys need to be known to the manager. Sensitive security information is exchanged through IDMEF.
The message duplication requirement is that the protocol resist malicious duplication of IDMEF messages. A common way to impair the performance of a secure communication mechanism is for an attacker to send duplicate messages.
The message content requirements are listed below.
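The per-source authentication and message duplication requirements above, sketched as an added Python example that is not part of the original article or of any IDMEF specification. The sender names, keys, message IDs and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed per-sender keys; each analyzer has its own, all known to the manager.
SENDER_KEYS = {
    "analyzer-01": b"constructed-demo-key-01",
    "analyzer-02": b"constructed-demo-key-02",
}


def make_tag(key: bytes, sender_id: str, message_id: str, payload: bytes) -> str:
    """Analyzer side: HMAC-SHA256 over length-prefixed sender, message ID and payload."""
    parts = [sender_id.encode(), message_id.encode(), payload]
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Manager:
    """Manager side: authenticate each sender with its own key, drop duplicates."""

    def __init__(self, keys: dict):
        self._keys = keys
        # Accepted (sender, message ID) pairs. A deployed manager would bound
        # this with a time window or per-sender sequence numbers.
        self._seen = set()

    def receive(self, sender_id: str, message_id: str, payload: bytes, tag: str) -> str:
        key = self._keys.get(sender_id)
        if key is None:
            return "reject: unknown sender"
        expected = make_tag(key, sender_id, message_id, payload)
        if not hmac.compare_digest(expected, tag):
            return "reject: authentication failed"
        # Only authenticated messages reach the duplicate check, so an
        # unauthenticated party cannot fill the table with forged IDs.
        if (sender_id, message_id) in self._seen:
            return "reject: duplicate"
        self._seen.add((sender_id, message_id))
        return "accept"
```

Because every sender has its own key, a message authenticated with one analyzer's key cannot pass as coming from another analyzer, and a replayed copy of a valid message is rejected on its second arrival.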
Data Detection
Intrusion detection systems use many types of detection, based on network monitoring, application monitoring, correlation, signatures, anomalies and host monitoring. An IDS analyzes a variety of data sources to define normal behavior and detect deviations from it. These are used to establish the baseline of the network (Peterson and Davie, 2012).
Identity of Event
IDMEF messages contain the name of the identified event. The event identity makes it possible to receive alerts for the event from analyzers of multiple implementations.
Background information of Event
The message content provides background information about the event, so that the sender and receiver can locate background information on that kind of event. This information is accessed only by administrators.
Target Identity and Event Source
IDMEF messages also contain the identified event source and the target component ID. This is used to identify and address the source and target of the event.
Types of Device Address
IDMEF messages should support the representation of different types of device names and addresses. This is used to recognize intrusions on devices, and the messages include the device MAC and IP addresses.
Analyzer Location
The analyzer location requirement provides information about where the intrusion detection analyzer that identified the event is located. This can prove to be valuable data in assessing a particular event.
Automatic Response
The automatic response requirement provides information about analyzer activity, that is, the automatic actions taken by the analyzer in response to the event.
Identity of Analyzer
The analyzer identity requirement means that the message contains the identity of the analyzer and of its implementer. This helps the system administrator to determine the implementer and the analyzer involved in the event.
Alert Identification
Alert identification is used to distinguish each IDMEF message uniquely from other IDMEF messages. It is used in data correlation and reduction processes.
Message Extensions
IDMEF messages use an extension mechanism that allows implementation-specific data to be defined.
Message Semantics
IDMEF itself should be extensible, in line with the message extensibility requirements. This allows messages to be extended for new ID technologies and information.
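The message content requirements above can be checked mechanically against an alert. The following added Python example is not from the original article: it uses element and attribute names from the IDMEF XML representation in RFC 4765 (cited in the references), the mapping from each requirement to a path is an assumption made here, and the sample alert is constructed and omits elements the page does not discuss.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser

NS = {"i": "http://iana.org/idmef"}  # IDMEF namespace from RFC 4765

# Constructed sample alert; all identifiers and addresses are made up.
SAMPLE = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
 <idmef:Alert messageid="constructed-0001">
  <idmef:Analyzer analyzerid="constructed-analyzer-01" manufacturer="ExampleVendor">
   <idmef:Node><idmef:location>Constructed site A</idmef:location></idmef:Node>
  </idmef:Analyzer>
  <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
   <idmef:address>192.0.2.200</idmef:address></idmef:Address></idmef:Node></idmef:Source>
  <idmef:Target><idmef:Node><idmef:Address category="ipv6-addr">
   <idmef:address>2001:db8::50</idmef:address></idmef:Address></idmef:Node></idmef:Target>
  <idmef:Classification text="Constructed example event"/>
  <idmef:Assessment><idmef:Action category="notification-sent"/></idmef:Assessment>
 </idmef:Alert>
</idmef:IDMEF-Message>"""

# (requirement from the page, path below Alert, attribute or None for element text)
CHECKS = [
    ("alert identification", ".", "messageid"),
    ("identity of analyzer", "i:Analyzer", "analyzerid"),
    ("analyzer location", "i:Analyzer/i:Node/i:location", None),
    ("identity of event", "i:Classification", "text"),
    ("event source", "i:Source/i:Node/i:Address/i:address", None),
    ("target identity", "i:Target/i:Node/i:Address/i:address", None),
    ("source address type", "i:Source/i:Node/i:Address", "category"),
    ("target address type", "i:Target/i:Node/i:Address", "category"),
    ("automatic response", "i:Assessment/i:Action", "category"),
]


def missing_requirements(xml_text: str) -> list:
    """Return the page's content requirements that the alert does not satisfy."""
    alert = ET.fromstring(xml_text).find("i:Alert", NS)
    if alert is None:
        return ["alert"]
    missing = []
    for name, path, attr in CHECKS:
        node = alert.find(path, NS)
        value = None if node is None else (node.get(attr) if attr else node.text)
        if not (value or "").strip():
            missing.append(name)
    return missing
```

An alert for which the analyzer took no automatic action will legitimately be reported as lacking "automatic response"; a manager would treat that entry as informational rather than as a malformed message.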
Current security practice uses a holistic approach to securing a network. This is the beginning of a larger process to secure an enterprise network. It creates the best plan to identify and evaluate vulnerabilities through a vulnerability assessment. It takes account of the existing countermeasures when analyzing the threats to the network. The current security best-practice guidelines for business are:
- Data encryption
- Implement auditing and DLP
- Use digital certificates
- Use a spam filter on the email server
- Secure websites against malware infections and MITM
- Implement a removable media policy
- Maintain security patches
- Use network-based security software and hardware
- Use a comprehensive endpoint security solution
- Use the lowest-privileged user
- Disconnect the mapped devices
- Disable auto run functionality
- Educate users about network security
- Use vulnerability management tools
Conclusion
This project defines the requirements for IDMEF, which is a product of the intrusion detection working group. It also specifies and defines the requirements for an intrusion detection communication protocol for conveying IDMEF messages, which are used to evaluate existing communication protocols. The IDWG therefore decided to define the requirements for the IDMEF communication protocol in order to analyze IDMEF. The project also analyzes and describes the security considerations for IDMEF. It has analyzed the general requirements, message format requirements, communication protocol requirements and message content requirements in detail.
References
Debar, H., Curry, D. and Feinstein, B. (2018). The Intrusion Detection Message Exchange Format (IDMEF). [online] Ietf.org. Available at: https://www.ietf.org/rfc/rfc4765.txt [Accessed 19 Mar. 2007].
Feinstein, B. and Matthews, G. (2018). The Intrusion Detection Exchange Protocol (IDXP). [online] Ietf.org. Available at: https://www.ietf.org/rfc/rfc4767.txt [Accessed 9 Mar. 2007].
heise online. (2018). heise online. [online] Available at: https://www.heise.de/netze/rfc/rfcs/rfc4766.shtml [Accessed 13 Apr. 2018].
Huang, S. (2014). Network security. [Place of publication not identified]: Springer.
Lin, D., Tsudik, G. and Wang, X. (2011). Cryptology and network security. Berlin: Springer.
Peterson, L. and Davie, B. (2012). Computer networks. Amsterdam: Elsevier/Morgan Kaufmann.
Stallings, W. (2017). Cryptography and network security. Boston: Pearson.
Wood, M. and Erlinger, M. (2018). Intrusion Detection Message Exchange Requirements. [online] Ietf.org. Available at: https://www.ietf.org/rfc/rfc4766.txt [Accessed 13 Mar. 2007].