
Standardization of IDS reporting protocols will benefit everyone

posted on June 29, 2001
by hitbsecnews

There's a problem hampering the effectiveness of IDSes. Simply put, there are as many different IDS applications as there are attack vectors (figuratively speaking, of course). As many organizations have discovered, multiple IDS solutions are needed to monitor different platforms and networks. This diversity inhibits enterprise-wide pooling and correlation of attack data.

Although its work is far from complete, the Intrusion Detection Exchange Format working group (IDWG) in April released a revised draft of its Intrusion Alert Protocol (IAP). The group eventually hopes to create a protocol that will enable the easy exchange and analysis of attack data from multiple IDSes....

ELIMINATING IDS BABBLE

BY PETE LOSHIN

The Intrusion Detection Exchange Format working group is developing a lingua franca protocol for all IDSes.

A recent International Data Corp. (IDC) survey predicts spending on intrusion detection systems will jump nearly 40 percent over the next two years.

The specification authors write that IAP will support "the transmission of alert data from an intrusion detection sensor/analyzer, which detects a potential intrusion, to a manager, that displays the alert to a human, logs it to a database or takes appropriate action."

Together with two other IDWG works in progress, the Intrusion Detection Exchange Protocol (IDXP) and the Intrusion Detection Message Exchange Format (IDMEF), IAP is meant to give every kind of IDS a common alert format and a common way to transmit it, which should improve the effectiveness of all of them.


Why?

Because both IDSes and attacks come in many varieties, organizations can't afford to rely on a single IDS. Some IDSes sniff network traffic, looking for suspicious packets. Others track suspicious activity on individual hosts. Yet others observe interactions at the application level. Some IDSes are better at detecting certain kinds of attacks than others, and some detect the same kinds of attacks using different mechanisms.

Having a management system--a meta-IDS--capable of collecting alerts across an entire organization is clearly superior to attempting to collect and analyze intrusion data one system or network at a time.

IDMEF provides a universal language for describing an alert: a common data model (XML-based in the working group's drafts) that can carry information about any kind of attack, including ones that have yet to be imagined, regardless of which sensor produced it. That gives security managers a powerful new tool in the fight against intruders. IDXP provides the universal protocol for exchanging those alerts, making it much simpler for IDSes to communicate with meta-IDSes.

Individual vendors may use proprietary formats for IDS information. Until a standard is set, a meta-IDS must specifically support the alert format of every vendor it collects from, and whenever a new format is introduced, the meta-IDS must be upgraded. With a standard format (à la IDMEF) and a standard mechanism for transmitting IDS data (à la IDXP), any product can use intrusion information from any other product, and all IDS/meta-IDS systems can communicate with each other seamlessly.

For all these reasons, standards for inter-IDS communications will prove invaluable for more than simplifying the network manager's task. These protocols will enable IDSes to exchange alerts with each other and with meta-IDSes, which will be capable of analyzing results from individual and network IDSes. The result will be a network management system capable of differentiating an isolated and harmless incident from a systematic attack against the organization.
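The normalization and correlation described in the two preceding paragraphs, as an added example that is not part of the original article or of the IDWG specifications: two constructed, hypothetical vendor alert formats are translated into IDMEF-style XML messages, then parsed back into one common structure at the meta-IDS, which decides per source address whether it is seeing an isolated incident or a systematic attack. The XML element names follow the IDMEF data model as later published in RFC 4765, but the document produced here is an illustration only, not a conforming IDMEF message; the log lines, sensor names, addresses, and the correlation thresholds are all assumptions.

```python
"""Added illustration: normalize two constructed vendor formats into
IDMEF-style messages, then correlate them at a meta-IDS."""
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data. Vendor A: a hypothetical network sensor that
# writes pipe-delimited lines (time|sensor|src|dst|signature).
VENDOR_A_LOG = """\
2001-06-29T10:01:02Z|nids-dmz|10.0.0.5|192.168.1.10|PORTSCAN
2001-06-29T10:01:05Z|nids-dmz|10.0.0.5|192.168.1.11|PORTSCAN
2001-06-29T10:03:00Z|nids-dmz|10.0.0.9|192.168.1.10|ICMP_ECHO
"""

# Vendor B: a hypothetical host sensor that writes key=value records.
VENDOR_B_LOG = """\
ts=2001-06-29T10:02:10Z sensor=hids-web01 src=10.0.0.5 dst=192.168.1.10 sig=FAILED_LOGIN
ts=2001-06-29T10:02:11Z sensor=hids-web01 src=10.0.0.5 dst=192.168.1.10 sig=FAILED_LOGIN
ts=2001-06-29T10:04:40Z sensor=hids-db01 src=10.0.0.5 dst=192.168.1.20 sig=SUID_EXEC
"""


@dataclass(frozen=True)
class Alert:
    """The common structure every vendor format is normalized into."""
    analyzer: str
    time: str
    src: str
    dst: str
    classification: str


def parse_vendor_a(text):
    alerts = []
    for line in text.splitlines():
        if line.strip():
            ts, sensor, src, dst, sig = line.split("|")
            alerts.append(Alert(sensor, ts, src, dst, sig))
    return alerts


def parse_vendor_b(text):
    alerts = []
    for line in text.splitlines():
        if line.strip():
            kv = dict(tok.split("=", 1) for tok in line.split())
            alerts.append(Alert(kv["sensor"], kv["ts"], kv["src"], kv["dst"], kv["sig"]))
    return alerts


def to_idmef(alert, msgid):
    """Serialize one Alert as an IDMEF-style XML document (illustrative, not conforming)."""
    root = ET.Element("IDMEF-Message", version="1.0")
    a = ET.SubElement(root, "Alert", messageid=str(msgid))
    ET.SubElement(a, "Analyzer", analyzerid=alert.analyzer)
    ET.SubElement(a, "CreateTime").text = alert.time
    for tag, ip in (("Source", alert.src), ("Target", alert.dst)):
        node = ET.SubElement(ET.SubElement(a, tag), "Node")
        addr = ET.SubElement(node, "Address", category="ipv4-addr")
        ET.SubElement(addr, "address").text = ip
    ET.SubElement(a, "Classification", text=alert.classification)
    return ET.tostring(root, encoding="unicode")


def from_idmef(xml_text):
    """Parse an IDMEF-style document back into the common Alert structure."""
    a = ET.fromstring(xml_text).find("Alert")
    return Alert(
        a.find("Analyzer").get("analyzerid"),
        a.findtext("CreateTime"),
        a.find("Source/Node/Address/address").text,
        a.find("Target/Node/Address/address").text,
        a.find("Classification").get("text"),
    )


def correlate(alerts, min_analyzers=2, min_targets=2):
    """Group alerts by source address. A source reported by several independent
    analyzers against several targets is 'systematic'; anything else is 'isolated'.
    The thresholds are assumed values for the illustration."""
    by_src = defaultdict(list)
    for al in alerts:
        by_src[al.src].append(al)
    verdicts = {}
    for src, group in by_src.items():
        analyzers = {al.analyzer for al in group}
        targets = {al.dst for al in group}
        systematic = len(analyzers) >= min_analyzers and len(targets) >= min_targets
        verdicts[src] = {
            "analyzers": sorted(analyzers),
            "targets": sorted(targets),
            "count": len(group),
            "verdict": "systematic" if systematic else "isolated",
        }
    return verdicts


def run_meta_ids():
    """Meta-IDS pipeline: vendor parsers -> IDMEF messages -> common Alerts -> verdicts.
    The round trip through XML means the correlator never sees a vendor format."""
    raw = parse_vendor_a(VENDOR_A_LOG) + parse_vendor_b(VENDOR_B_LOG)
    messages = [to_idmef(al, i) for i, al in enumerate(raw, 1)]
    return correlate([from_idmef(m) for m in messages])


if __name__ == "__main__":
    for src, info in run_meta_ids().items():
        print(src, info["verdict"], info)
```

Adding a third vendor only requires a third parser that emits Alert objects; the correlator and the IDMEF serialization are untouched, which is the point the article makes about not upgrading the meta-IDS for every new format. Note that a common message format says nothing about who sent the message: the correlator above trusts the analyzerid in the XML, so in a real deployment the transport carrying the alerts (the job IDXP is meant to do) must authenticate the sensor, or an attacker who can inject alerts can manufacture or suppress a "systematic" verdict.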


Tags: Networking
