
9 Sept 1998






Presentation Transcript


Discovery Coordinator External Interface “Language”

The Discovery Coordinator External Interface requires a Language that will support this level of richness:

Notation used below:
  A | B means one instance of A OR one instance of B
  A&B means one instance of A AND one instance of B
  {A, B} can be one instance of: A, B, or A&B
  A || B over C || D (where || = Are_Ganged) means {A&C | B&D}
  A braced group followed by * may be repeated

The DC External Interface Protocol includes the notions of Load, Display, Enable and Delete for most commands.

(1) HeartBeat Command:
  Command: HeartBeat                                     Response: I’m OK
  Command: Set InfoCon = <i>, i ∈ [1..5]                  Response: InfoCon = <i>
  Command: Set DetectionSensitivity = <j>, j ∈ [1..9]     Response: DetectionSensitivity = <j>

(2) Identify Capabilities Command:
  Response: My_Capabilities_Are {Detect || Respond} For {{<Intrusion_Intent_Class> || <Intrusion_Response_Action_Class>}}*, where || = Are_Ganged (Detect pairs with <Intrusion_Intent_Class>, Respond with <Intrusion_Response_Action_Class>)

(3) Set Relationships Command:
  DC_Reports_To <Asset>
  DC_Backup_Reports_To <Asset>
  DC_DownLoads_Policy_To {Detection_Engine, Response_Engine}*
  DC_Has_Peer_DC {<Asset>}*
  Summarize_Info_For <Asset>

(4) Identify Information Resources Command:
  <Mission_Name> Supports <Operation_Name> and {{Critically_Requires | Requires | Uses} <Asset> {(from <Source_List> to <Destination_List>) | (on <Host_List>)}}*

(3) and (4) together are known as “Configuration Commands”.

(5) Policy Command:
  <Policy_Id>: For_InfoCon = <i> And {Target = <Asset>, Source = <Asset>}, upon_detection_of <Intrusion_Intent_Class> with Certainty >= Y% And Severity >= Z, Perform <Intrusion_Response_Action_Class>; where Z ∈ [1..5]

(6) Policy Constraints:
  <Constraint_Id>: For InfoCon = <i> And {Target = Destination_List | Host_List, Source = Source_List | Host_List}*, And <Period> {Maintain_Use_Of | Preclude_Use_Of} Host_ID | IP_Addr | Service | Comm_Channel

(7) Event Trigger Commands:
  <Trigger_Id>: For InfoCon = <i>, upon detection of: {<Intrusion_Intent_Class>, <Intrusion_Response_Action_Class>} Send_Notification_To <Device>.

(8), (10) Intrusion Response Analysis and Report Commands:
  <Intrusion_Id>: At_InfoCon = <i> For {Target = <Asset>, Source = <Asset>}, Detected <Intrusion_Intent_Class> with Certainty = Y% And Severity = Z, {Responded With, Request_Authorization_to_Respond_With} <Intrusion_Response_Action_Class>
  With <Frequency>, Report_On {<Intrusion_Intent_Class>, <Intrusion_Response_Action_Class>} To <Asset>.

(9) Examine Log Commands:
  Examine_Log_For <Period> Where Criteria = {<Asset>, <Intrusion_Intent_Class>, <Intrusion_Response_Action_Class>} And Detail = {Verbose | Summary}

(11) Response Authorization:
  Recommended Response For <Intrusion_Id> is {Authorized, Not_Authorized}

Notes:
  <Asset> = GUI, Host_ID, IP_Addr, Service, Comm_Channel, Client, Source_List, Destination_List, Host_List, UserFile, ...
  <Frequency> = Time Interval, Units in Seconds
  <Period> = From <Start Time> Through <End Time>; * can be substituted for <Start Time> and/or <End Time>
  <Source_List> := a set of IP Addresses, a subnet, ...
  <Destination_List> := a set of IP Addresses, a subnet, ...
  <Host_List> := a set of IP Addresses, a subnet, ...
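As an added illustration, not part of the 1998 slide and not code from any Discovery Coordinator implementation, the following Python parses the (1), (5) and (8) line forms above and evaluates which Policy Commands fire for an intrusion report. The slide gives only the shape of each line, so the concrete token syntax (the regular expressions), the names Clause, DCSyntaxError, handle_command, parse, asset_matches and matching_policies, the use of "*" as a wildcard, CIDR matching for a subnet in <Source_List>/<Destination_List>, the 0..100 range for Certainty, and the sample policies P1..P3 and report I42 are all assumptions or constructed input. The ranges [1..5] and [1..9] are the slide's own, and the point of the example is that they are enforced when a line is parsed, so a bad Set InfoCon is refused rather than echoed back, and that an unnamed Target or Source in a policy scope is read as "any", following the {A, B} notation.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

INFOCON = range(1, 6)        # i in [1..5], from the slide
SENSITIVITY = range(1, 10)   # j in [1..9], from the slide
SEVERITY = range(1, 6)       # Z in [1..5], from the slide
CERTAINTY = range(0, 101)    # Y%: 0..100 is an assumption, the slide gives no range

class DCSyntaxError(ValueError):
    """Line does not fit the assumed concrete syntax, or a value is out of range."""

def _in_range(name, value, allowed):
    if value not in allowed:
        raise DCSyntaxError(f"{name} = {value} outside [{allowed.start}..{allowed.stop - 1}]")
    return value

@dataclass(frozen=True)
class Clause:
    """One (5) Policy Command (thresholds plus Perform action) or one (8) report (observed values, action None)."""
    ident: str
    infocon: int
    target: Optional[str]    # None: not named; {Target, Source} allows either or both
    source: Optional[str]
    intent_class: str
    certainty: int
    severity: int
    action: Optional[str] = None

# Concrete token syntax is an assumption: the slide gives the shape, not a lexer.
_SCOPE_RE = re.compile(r"(Target|Source)\s*=\s*([\w.:/*-]+)")
_POLICY_RE = re.compile(
    r"^(?P<id>\w+):\s*For_InfoCon\s*=\s*(?P<infocon>\d+)\s+And\s+(?P<scope>.*?),\s*"
    r"upon_detection_of\s+(?P<intent>\w+)\s+with\s+Certainty\s*>=\s*(?P<cert>\d+)%\s+"
    r"And\s+Severity\s*>=\s*(?P<sev>\d+)\s*,\s*Perform\s+(?P<action>\w+)\s*;?$")
_REPORT_RE = re.compile(
    r"^(?P<id>\w+):\s*At_InfoCon\s*=\s*(?P<infocon>\d+)\s+For\s+(?P<scope>.*?),\s*"
    r"Detected\s+(?P<intent>\w+)\s+with\s+Certainty\s*=\s*(?P<cert>\d+)%\s+"
    r"And\s+Severity\s*=\s*(?P<sev>\d+)$")

def handle_command(line: str) -> str:
    """(1): HeartBeat -> I'm OK; Set X = n -> X = n, but only after the range check, so an out-of-range value is refused, not echoed."""
    line = line.strip()
    if line == "HeartBeat":
        return "I'm OK"
    m = re.match(r"^Set\s+(InfoCon|DetectionSensitivity)\s*=\s*(\d+)$", line)
    if not m:
        raise DCSyntaxError(f"unknown command: {line!r}")
    name, value = m[1], int(m[2])
    _in_range(name, value, INFOCON if name == "InfoCon" else SENSITIVITY)
    return f"{name} = {value}"

def parse(line: str) -> Clause:
    """Parse one (5) Policy Command or one (8) intrusion report line into a Clause."""
    m = _POLICY_RE.match(line.strip()) or _REPORT_RE.match(line.strip())
    if not m:
        raise DCSyntaxError(f"not a Policy Command or intrusion report: {line!r}")
    scope = dict(_SCOPE_RE.findall(m["scope"]))   # {Target = .., Source = ..}: either or both
    if not scope:
        raise DCSyntaxError(f"Target and/or Source required: {m['scope']!r}")
    action = m.groupdict().get("action")          # only a policy carries Perform <action>
    if action is None and len(scope) != 2:
        raise DCSyntaxError("a report must name both Target and Source")
    return Clause(m["id"], _in_range("InfoCon", int(m["infocon"]), INFOCON),
                  scope.get("Target"), scope.get("Source"), m["intent"],
                  _in_range("Certainty", int(m["cert"]), CERTAINTY),
                  _in_range("Severity", int(m["sev"]), SEVERITY), action)

def asset_matches(pattern: Optional[str], asset: str) -> bool:
    """Unnamed or '*' matches anything; a subnet (as <Source_List>/<Destination_List> allow) matches an address inside it; else exact."""
    if pattern is None or pattern == "*":
        return True
    if "/" in pattern:
        try:
            return ipaddress.ip_address(asset) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:   # asset is not an address (e.g. "GUI"): a subnet cannot match it
            return False
    return pattern == asset

def matching_policies(policies: List[Clause], report: Clause) -> List[Clause]:
    """Policies that fire for a report: same InfoCon, scope matches, same intent
    class, and the observed certainty and severity reach the policy thresholds."""
    return [p for p in policies
            if p.infocon == report.infocon
            and asset_matches(p.target, report.target)
            and asset_matches(p.source, report.source)
            and p.intent_class == report.intent_class
            and report.certainty >= p.certainty
            and report.severity >= p.severity]

# Constructed sample input, not taken from the slide.
POLICIES = [parse(ln) for ln in """\
P1: For_InfoCon = 3 And {Target = 10.1.2.0/24, Source = *}, upon_detection_of Probe with Certainty >= 60% And Severity >= 2, Perform Block_Source;
P2: For_InfoCon = 3 And {Target = 10.1.2.7}, upon_detection_of Root_Compromise with Certainty >= 80% And Severity >= 4, Perform Isolate_Host;
P3: For_InfoCon = 5 And {Source = 192.0.2.0/24}, upon_detection_of Probe with Certainty >= 10% And Severity >= 1, Perform Block_Source;
""".splitlines()]
REPORT = parse("I42: At_InfoCon = 3 For {Target = 10.1.2.7, Source = 192.0.2.9}, Detected Probe with Certainty = 75% And Severity = 2")
```

For the constructed report I42, matching_policies(POLICIES, REPORT) returns only P1: P2 names a different <Intrusion_Intent_Class>, and P3 is bound to InfoCon 5. Rendering the (8) line as "I42: ... Responded With Block_Source" is then a one-line format over that result; whether the DC instead emits Request_Authorization_to_Respond_With is governed by (11), which the slide leaves to the authorising <Asset>.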
