Get a MacBook Air with Online Courses Now

Intrusion Detection FAQ: What open standards exist for Intrusion Detection?

< Previous Question | Back to Intrusion Detection FAQ Home | Next Question >
Last updated 2/18/2008

There are no fully mature open standards for ID at present. However, we are getting close.

The Internet Engineering Task Force (IETF) is the body which develops new Internet standards. They have a working group to develop a common format for IDS alerts. The group has worked through the requirements phase, and the design is substantially fleshed out, though details continue to change. Preliminary implementation work is probably possible, though implementations would have to change as the standard is finalized. The design involves sending XML based alerts over an HTTP like communications format. A lot of attention has been paid to the needs of IDS analysis, and to making the protocol work through firewalls in a straightforward way.

More contributors are always welcome. IETF working groups are open to any technically competent individual who wishes to contribute. Individuals represent their own views on the best way to solve the problem, rather than the agenda of their employer.

The overview of the working group is at http://www.ietf.org/overview.html and the mailing list archive is at http://www.ietf.org/maillist.html.

All the working group's documents can be reached via http://www.ietf.org/html.charters/wg-dir.html.

There is also an effort by the ISO's T4 committee to develop an Intrusion Detection Framework. The status of that effort is presently unknown, and attempts by the FAQ item author to reach prominent figures in that effort were unsuccessful.

The Common Intrusion Detection Framework (CIDF) was an attempt by the US govt's Defense Advanced Research Projects Agency (DARPA) to develop an IDS interchange format for use by DARPA researchers. CIDF was not intended as a standard that would influence the commercial marketplace; it was a research project. CIDF development is presently dormant. CIDF used a Lisp like format to exchange information about intrusion related events, and defined a large set of primitives for use in those messages. More information can be found at the CIDF web site at http://gost.isi.edu/cidf/.

Stuart Staniford-Chen
President, Silicon Defense
stuart@silicondefense.com
(707) 822-4588, fax(707) 826-7571

< Previous Question | Back to Intrusion Detection FAQ Home | Next Question >