Wednesday, July 09, 2008

Multisensor Message Exchange Mechanism

Recent advances in data fusion are a step in the right direction for combining, correlating and fusing security evidence from myriad heterogeneous sources (such as firewalls, IDSes, anti-virus and other sensors) to create situational awareness. I thought it was about time to discuss the need for a secure message exchange mechanism that assists the various “sources”, such as sensors, firewalls and intrusion detection systems (IDSes), to connect, contribute and communicate their observations securely. At the International Conference on Global e-Security held in London, UK, on 23-25 June 2008, I presented a paper on the "Multisensor Message Exchange Mechanism" (MEM).

MEM is a mechanism that allows the various sources on a network to securely send their observations of the network to a centralised analysis module, where these pieces of evidence are collated, correlated and combined to reach decisions about the situational awareness of the network that no single source could support on its own.

Recall that the intrusion detection community proposed IDMEF, the "Intrusion Detection Message Exchange Format" (RFC 4765), which specifies a message format for IDSes to use in an exchange. MEM, however, is not another “standard” for how IDSes should format their messages; rather, it outlines a high-level process by which “sources” in general communicate and exchange their intelligence. Hence MEM can be seen as complementary to the IDMEF framework, but it is not solely for intrusion detection systems.
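To make the idea of a secure source-to-collector exchange concrete, here is a small added illustration (my own example, not code from the paper and not the scheme MEM actually specifies). It assumes a hypothetical JSON envelope, a per-source shared secret provisioned out of band, an HMAC-SHA256 tag for message authentication, a per-source sequence number for replay rejection, and a trivial correlation rule at the central analysis module: a target is flagged only when at least two distinct sources have reported it. The source names, keys and observations are all constructed sample data.

```python
import copy
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed demo keys. Assumption: each source holds its own secret that
# the central analysis module also knows; how keys are provisioned is out of
# scope here and is not taken from the paper.
SOURCE_KEYS = {
    "fw-01": b"fw-01-shared-secret",
    "ids-01": b"ids-01-shared-secret",
}


def _canonical(body: dict) -> bytes:
    # Canonical JSON so sender and receiver compute the MAC over identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_observation(source_id: str, seq: int, observation: dict, key: bytes) -> dict:
    """Wrap an observation in an authenticated envelope (hypothetical format)."""
    body = {"source": source_id, "seq": seq, "observation": observation}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


class AnalysisModule:
    """Central collector: authenticates envelopes, rejects replays, correlates."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = defaultdict(lambda: -1)  # highest seq accepted per source
        self.accepted = []
        self.rejected = []  # (reason, envelope) pairs, useful for detection logging

    def receive(self, envelope: dict) -> bool:
        body = envelope.get("body", {})
        source = body.get("source")
        key = self.keys.get(source)
        if key is None:
            self.rejected.append(("unknown-source", envelope))
            return False
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking the tag through timing.
        if not hmac.compare_digest(expected, envelope.get("mac", "")):
            self.rejected.append(("bad-mac", envelope))
            return False
        if body["seq"] <= self.last_seq[source]:
            self.rejected.append(("replay", envelope))
            return False
        self.last_seq[source] = body["seq"]
        self.accepted.append(body)
        return True

    def correlate(self, min_sources: int = 2) -> dict:
        """Return targets reported by at least `min_sources` distinct sources."""
        by_target = defaultdict(set)
        for body in self.accepted:
            by_target[body["observation"]["target"]].add(body["source"])
        return {t: sorted(s) for t, s in by_target.items() if len(s) >= min_sources}


def run_demo() -> AnalysisModule:
    """Feed constructed observations, a replay and a tampered message to the module."""
    module = AnalysisModule(SOURCE_KEYS)
    fw_msg = sign_observation("fw-01", 1, {"target": "10.0.0.5", "event": "port-scan"}, SOURCE_KEYS["fw-01"])
    ids_msg = sign_observation("ids-01", 1, {"target": "10.0.0.5", "event": "signature-match"}, SOURCE_KEYS["ids-01"])
    fw_msg2 = sign_observation("fw-01", 2, {"target": "10.0.0.9", "event": "deny"}, SOURCE_KEYS["fw-01"])
    module.receive(fw_msg)
    module.receive(ids_msg)
    module.receive(fw_msg2)
    module.receive(fw_msg)  # replayed: same seq as an already accepted message
    tampered = copy.deepcopy(ids_msg)  # body altered after signing, MAC no longer matches
    tampered["body"]["observation"]["target"] = "10.0.0.77"
    module.receive(tampered)
    # Source the module has no key for (constructed name).
    module.receive(sign_observation("av-01", 1, {"target": "10.0.0.5", "event": "malware"}, b"unknown"))
    return module


if __name__ == "__main__":
    m = run_demo()
    print("accepted:", len(m.accepted), "rejected:", [r for r, _ in m.rejected])
    print("correlated targets:", m.correlate())
```

The point of the example is the separation of concerns: authenticity and freshness are checked at the collector before any evidence is admitted, and only admitted evidence feeds the correlation step, so a forged or replayed report from one source cannot manufacture a multi-source finding.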

Details of the mechanism can be found at Springer-Verlag; an early version of the paper can be downloaded from my site: www.research-series.com/cyril

Your comments will be highly appreciated.
