Hi Tony,
thanks for your question. You are not the first one who asks in the
context of STIX or CybOX. So this seems to be an important point which
I have to take care of.
The STIX project is very interesting and covers a wide field of cyber
security. Currently I am still familiarising myself with STIX and CybOX,
with special focus on interoperability with and provisions by IDPEF. My
work is close to the IDMEF and IDXP of the IETF and is focused on IDS
federation and interoperability only. So I decided at the start of IDPEF
to be close to IDMEF and IDXP.
From my point of view the STIX project is more focused on the
communication of standardized cyber threat information (reporting). The
focus of IDPEF is to improve the management of IDS under one independent
central management system for all operated IDS Analyzers. So IDPEF
customizes the Analyzer to the individual environment and implementation
of the IDS entity.
So STIX is more the output of an IDS and IDPEF more the interoperability
and combination between IDS Analyzers under one independent central
Manager. For me these are two separate working foci. I am open to
aligning IDPEF closer to other frameworks like STIX, CybOX, etc., but by
now the structure and notation of IDPEF is close to IODEF and IDMEF.
Currently all standardization is focused on reporting and alerting to
exchange threat and incident information in a structured and secure
manner (STIX, IODEF, IDMEF, etc.). The intended usage of IDPEF is to
operate all IDS Analyzers under an independent management system. So the
IDPEF focus is more the interoperability and combination between IDS
Analyzers under one independent central Manager. For me these are two
separate working foci.
If you have another point of view, please let us discuss it so that I
have the chance to adjust IDPEF closer to STIX. A small STIX notation
based on an example of Appendix A would be great and very helpful for me.
Thanks.
Kind regards
Bjoern-C.
On 30.04.2015 at 22:57, Tony Rutkowski wrote:
How is this not like STIX?
-t
On 2015-04-29 10:41 AM, B.-C. Boesch wrote:
Abstract
The Intrusion Detection Parametrization Exchange Format (IDPEF)
defines data formats and exchange procedures to standardize
parametrization information exchange into intrusion detection and
response systems from an independent central Manager to any Analyzer.
The IDPEF enables a combination of different (vendor and analyzing
technique) IDS Analyzers under one independent central Manager. A
separate operation of IDS is no longer needed. The basis is a new
parametrization methodology where IDS operating parameters
(configurations) are separated into an environmental parametrization
part and a vendor-specific analyzing part.
This Internet-Draft describes a data model to represent
parametrization information of intrusion detection system entities,
and explains the rationale for using this model. An implementation of
the data model in the Extensible Markup Language (XML) is presented,
an XML Document Type Definition is developed, and parametrization
examples are provided.