INTERNET-DRAFT                                              Yixian Yang
Expires: April 2006                                             Jian Li
                                                            Xinliu Wang
                               Beijing University of Posts and Telecom.
                                                           October 2005

      A Framework for Large-scale Distributed Intrusion Management
                             System (LDIMS)
                     draft-yang-ldims-framework-00.txt

Intellectual Property Rights (IPR) statement:

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

Status of this Memo

   By submitting this Internet-Draft, I certify that any applicable
   patent or other IPR claims of which I am aware have been disclosed,
   and any of which I become aware will be disclosed, in accordance
   with RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright

   Copyright (C) The Internet Society (2005). All Rights Reserved.

Abstract

   Networks are becoming larger and faster, and meanwhile intrusion
   methods are becoming more and more complicated. In this environment,
   traditional IDSs cannot ensure the security of the protected systems.
   The Intrusion Management System (IMS) is the trend of IDS evolution:
   an IMS combines intrusion detection with urgent response.
   In an IMS, IDSs cooperate with other security components such as
   firewalls, vulnerability scanning systems, virus prevention systems
   and network management systems. This document describes a
   hierarchical framework for a Large-scale Distributed Intrusion
   Management System (LDIMS), with which a large-scale distributed IMS
   can be flexibly deployed. Layered nodes constitute this framework,
   and each node is a simple IMS. This document gives a four-layer
   structure for the simple IMS; the four-layer structure can also be
   the structure of an independent IMS.

Yixian Yang, et al.        Expires April, 2006                 [Page 1]

INTERNET-DRAFT            framework for LDIMS              October 2005

Table of Contents

   Status of This Memo ............................................1
   Abstract .......................................................1
   1. Introduction .................................................3
   2. Glossary .....................................................4
   3. Architecture .................................................5
   3.1 Entire Design .............................................5
   3.2 Features ..................................................6
   4. Four-layer Structure Model ...................................7
   4.1 Functional Modules ........................................7
   4.2 Four-layer Structure ......................................9
   5. Critical Technologies ........................................9
   5.1 Agent and Mobile Agent Technology .........................9
   5.2 Information Description Mechanism ........................10
   5.2.1 Information Description Standard .....................11
   5.2.2 Secure Communication Mechanism .......................13
   5.3 Communication Mechanism among Agents .....................14
   5.4 Interaction among Security Components ....................18
   6. Acknowledgements ...........................................18
   7. Informative References .....................................18
   8. Authors' Addresses .........................................19
1. Introduction

   With the progress of network technologies, networks are becoming
   larger and faster. Meanwhile, network intrusions (for example, DDoS)
   are becoming integrated, automated and fast. Traditional IDSs are
   incapable of handling such intrusions; as a result, the trend for
   future IDSs is the IMS, a system in which the IDS cooperates with
   other security components such as firewalls and network management
   systems.

   Based on this network environment, this document addresses a
   hierarchical framework for Large-scale Distributed Intrusion
   Management Systems. The framework provides a mechanism through which
   distributed IDSs and other security components can cooperate
   harmoniously. A new four-layer structure for an IMS is presented at
   the same time. IMSs that follow this structure can be large-scale
   distributed intrusion management systems (LDIMS) as well as
   independent IMSs. An IMS contains different functional modules, and
   the layered structure shows how these modules cooperate to detect
   intrusions and make responses. Although the forms of IMSs are not
   always uniform, their operation mechanisms accord with the
   four-layer structure, and according to it the functional modules
   harmonize to complete specific tasks.

2. Glossary

   This document uses terminology defined in [DSARCH]. Some of the
   definitions provided here are taken from other references in order
   to provide additional detail, along with some new terms specific to
   this document.

   IMS
      Intrusion Management System: an integrated security system in
      which IDSs cooperate with other security components such as
      firewalls, vulnerability scanning systems and network management
      systems.

   LDIMS
      Large-scale Distributed Intrusion Management System.
   Distributed Intrusion
      An intrusion that takes several steps and involves a large number
      of hosts.

   Functional Module
      A basic building block of the conceptual IMS.

   Layer
      A functional combination that comprises one or more functional
      modules. The layers are data collection, agent, analysis and
      management.

   OWL
      Web Ontology Language. A knowledge description language with
      strong semantic expressiveness.

   KQML
      Knowledge Query and Manipulation Language. A communication
      language developed by the ARPA Knowledge Sharing Effort. KQML
      provides a grammar for agent communication as well as
      performatives (execution commands) for agents, such as "tell",
      "perform" and "reply".

3. Architecture

   Based on the network environment, this document addresses a
   hierarchical framework for Large-scale Distributed Intrusion
   Management Systems. The features of this framework are "distributed
   collection, distributed analysis, dynamic harmonization, intelligent
   management".

3.1 Entire Design

   The framework is a hierarchy set up according to the network
   topology. The hierarchy consists of leaf nodes, branch nodes and
   root nodes. Leaf nodes collect network datagrams, system logs and
   alerts from other security components, then analyze these data.
   Branch nodes monitor and manage the networks of their child nodes,
   including detecting distributed intrusions and accomplishing the
   interaction among the security components in the system. Root nodes
   manage and monitor the activities of the whole network.

   A large-scale network often covers several provinces or cities. In
   this case the architecture proposed in this document has four
   levels, including two levels of branch nodes.

   +---------------+     +-------------+
   |root(emergency)| --- |    root     |                state-level
   +---------------+     +-------------+                nodes
   - - - - - - - - - - - - - - | - - - - - - - - - - - - - - - - - -
                |                               |
           +--------+                      +--------+
           | branch |         ...          | branch |   provincial-level
           +--------+                      +--------+   nodes
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
         |          |                   |          |
     +------+   +------+            +------+   +------+
     |branch|...|branch|            |branch|...|branch|  city-level
     +------+   +------+            +------+   +------+  nodes
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
       |     |        |               |          |     |
    +----+ +----+   +----+         +----+     +----+ +----+
    |leaf|.|leaf|   |leaf|  ...    |leaf|     |leaf|.|leaf|  county-level
    +----+ +----+   +----+         +----+     +----+ +----+  nodes

                 Figure 1: A Sketch Map of the Hierarchy

   In this tree-like architecture a network is decomposed into several
   departments. Each department is a security organization together
   with its network. In each department there is an IMS in charge of
   the security issues of the local network. The combination of a
   department and its local IMS is defined as a leaf node of the
   hierarchy.

   Leaf nodes first collect data such as system logs, network datagrams
   and alerts sent by other security components in the local network,
   then generate junior alerts by analyzing the collected data. Finally
   they make the relevant responses, including transferring the data or
   alerts that they cannot process to their father node for further
   processing.

   Branch nodes may have one or more child nodes, which can be branch
   nodes or leaf nodes. Branch nodes receive data and alerts from their
   child nodes and, by analyzing them, make higher-level judgments and
   detect whether a distributed intrusion is under way. Meanwhile,
   branch nodes are in charge of all their child departments, and in
   particular manage the interaction among the security equipment in
   the local department.

   The root node is the control center of the whole system. To avoid a
   single point of failure there are two root nodes: a primary and a
   standby for emergencies. If the primary fails, the standby takes
   its place.
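   The leaf and branch behaviour just described, together with the
   analysis, correlation/merging and security response modules of
   section 4.1, as an added example in Python. This is not code from
   the draft: a leaf node keeps certain intrusions, drops noise and
   escalates suspicious events it cannot decide to its father node; the
   branch node correlates everything its children send and raises a
   senior alert when one source reaches several distinct child
   departments inside a time window; the response module turns that into
   a timed firewall block. The thresholds, the suspicion scale, the rule
   used to define "distributed intrusion", the response policy and the
   sample events are all assumptions made for this example.

```python
"""Leaf-node analysis, branch-node correlation and timed response.

Added example; not code from the draft.  Thresholds, the suspicion scale,
the "distributed intrusion" rule, the response policy and the sample events
are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

INTRUSION = 0.8       # analysis module: at/above this the leaf is certain
NOISE = 0.2           # below this the leaf drops the event
WINDOW = 60           # correlation module: seconds
MIN_DEPARTMENTS = 3   # distinct child departments one source must reach


@dataclass(frozen=True)
class Event:
    """A primary alert produced by an OS, network or protocol agent."""
    time: int          # seconds (assumed epoch-style counter)
    department: str    # leaf node that observed it
    source: str
    target: str
    signature: str
    suspicion: float   # 0.0 .. 1.0, assigned by the agent


@dataclass
class Decision:
    alerts: list = field(default_factory=list)     # certain intrusions
    escalated: list = field(default_factory=list)  # forwarded to the father node
    dropped: int = 0


def leaf_analyse(events):
    """Analysis module of a leaf node: alert, drop, or escalate as suspicious.
    Certain intrusions are escalated as well, so the branch can correlate them."""
    d = Decision()
    for e in events:
        if e.suspicion >= INTRUSION:
            d.alerts.append(e)
            d.escalated.append(e)
        elif e.suspicion < NOISE:
            d.dropped += 1
        else:
            d.escalated.append(e)
    return d


def branch_correlate(received, window=WINDOW, min_departments=MIN_DEPARTMENTS):
    """Correlation and merging module of a branch node.

    Events are grouped by source address and a time window slides over each
    group; one source touching at least `min_departments` distinct child
    departments within `window` seconds becomes a senior alert.
    Returns {source: sorted departments hit}.
    """
    by_source = defaultdict(list)
    for e in received:
        by_source[e.source].append(e)
    senior = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e.time)
        lo = 0
        for hi, e in enumerate(evs):
            while e.time - evs[lo].time > window:   # drop events outside the window
                lo += 1
            depts = {x.department for x in evs[lo:hi + 1]}
            if len(depts) >= min_departments:
                senior[src] = sorted(depts)
                break
    return senior


def response_rules(senior, now, ttl=600):
    """Security response module: one firewall block per attacking source, with
    an expiry, to be pushed through the firewall agents of the affected
    departments.  Blocks expire so a spoofed source is not locked out forever."""
    return [{"action": "block", "source": src, "expires": now + ttl,
             "departments": depts} for src, depts in sorted(senior.items())]


# Constructed sample: 203.0.113.9 probes three county-level departments; each
# event alone is only suspicious, so no leaf can decide.  Also local noise and
# one certain intrusion.
SAMPLE = [
    Event(1000, "county-a", "203.0.113.9", "192.0.2.10", "PROTO udp-frag", 0.4),
    Event(1010, "county-b", "203.0.113.9", "192.0.2.20", "PROTO udp-frag", 0.5),
    Event(1015, "county-a", "198.51.100.7", "192.0.2.10", "NET icmp-echo", 0.1),
    Event(1030, "county-c", "203.0.113.9", "192.0.2.30", "PROTO udp-frag", 0.4),
    Event(1040, "county-b", "198.51.100.5", "192.0.2.20", "OS root-login", 0.9),
    Event(1500, "county-d", "203.0.113.9", "192.0.2.40", "PROTO udp-frag", 0.4),
]


def run(sample=SAMPLE):
    """Each leaf analyses its own department; the branch correlates the union."""
    per_leaf = defaultdict(list)
    for e in sample:
        per_leaf[e.department].append(e)
    forwarded = []
    for evs in per_leaf.values():
        forwarded.extend(leaf_analyse(evs).escalated)
    senior = branch_correlate(forwarded)
    return senior, response_rules(senior, now=max(e.time for e in sample))


if __name__ == "__main__":
    senior, rules = run()
    print("senior alerts:", senior)
    print("firewall rules:", rules)
```

   With the sample above no single leaf can call the udp-frag events an
   intrusion, but the branch sees 203.0.113.9 hit county-a, county-b and
   county-c within 30 seconds and reports it; the fourth probe at t=1500
   falls outside the window and is not needed. Tightening the window to a
   few seconds, or requiring four departments, makes the same events
   pass unnoticed, which is the trade-off the branch operator tunes.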
   The root node controls the whole system through its connections to
   the lower nodes. Its functions include collecting information from
   the lower nodes, displaying the security situation of the whole
   system and issuing overall early warnings. For example, when one
   child node suffers a serious attack, the root node immediately sends
   an alarm to the lower nodes it expects to be attacked next, so that
   these nodes can take preventive measures.

3.2 Features

   This architecture attaches great importance to the suitable
   organization, the harmonization of its components, and the
   automation and intelligence of the whole system. Its features are
   listed below:

   o Distributed Allocation

     To find intrusions across the whole network, for example
     large-scale distributed intrusions, IDSs must be placed on critical
     network segments and critical servers, such as routers, Web servers
     and DNS servers. IDSs can be allocated across the whole network by
     city, by region, or even by province.

   o Distributed Analysis

     Analyzing and processing the collected data where it is collected
     reduces the data volume and the network traffic, so the system
     avoids a central analysis node becoming a bottleneck or a single
     point of failure.

   o Interaction among Security Components

     Intrusion management technology emphasizes an integrated security
     system with the IDS at its center. In the system, IDSs communicate
     with firewalls, vulnerability scanning systems, virus prevention
     systems and network management systems, so intrusion detection is
     organically combined with urgent response.

   o System Management Platform

     The platform interconnects the security equipment and realizes
     feedback control by analyzing the information the equipment sends.
     It supports distributed allocation and hierarchical management, and
     it not only manages the IDSs but also supervises the other kinds of
     security equipment.

   o Scalability and Extensibility

     The system can be deployed flexibly in different network
     environments, and it can detect new kinds of intrusions by
     extending its detection methods.

4. Four-layer Structure Model

   In the tree-like architecture designed above, each node is an
   independent IMS. Because of their different levels, their specific
   functions differ. The main function of leaf nodes is the collection,
   pre-processing and analysis of the collected data. Branch nodes
   concentrate on further analysis of the data, alert correlation and
   interaction with the local security components. Root nodes emphasize
   the deployment and management of the whole system and, furthermore,
   provide overall early warning. As a whole, each node matches a
   four-layer model.

4.1 Functional Modules

   A complete IMS should contain the functional modules below:

   o Data Collection Module

     This module collects data for the whole system using various
     sensors. The sensors capture datagrams flowing across the network,
     collect logs from critical hosts, and receive alerts sent by
     security equipment.

   o Agent Module

     This module contains many static agents and mobile agents. OS
     agents, network agents and protocol agents analyze the data sent by
     the sensors and generate primary alerts, which are sent to the
     upper layer for further processing. Controlled by the harmonization
     and interaction module, other agents, such as firewall agents and
     vulnerability scanning agents, realize the interaction among the
     security components of the whole system.

   o Analysis Module

     This module makes further analysis of the primary alerts.
     If they are not intrusions, it drops them; if they are intrusions,
     it creates alerts and transfers them to the decision-making module;
     if they are suspicious but it cannot decide, it submits the alerts
     together with their suspicion value to the correlation and merging
     module.

   o Correlation and Merging Module

     The main function of this module is detecting distributed
     intrusions. It correlates and merges the alerts sent by the
     analysis module and detects whether a distributed intrusion is
     under way. If so, it generates senior alerts and reports them to
     the decision-making module.

   o Control Module

     This module carries out the decisions made by the harmonization
     and interaction module. Cooperating with that module, it
     accomplishes the harmonization and management of all static and
     mobile agents.

   o Decision-making Module

     This module makes decisions based on the alerts from the analysis
     module and the correlation and merging module. It also selects
     different response strategies for different intrusion situations.

   o Harmonization and Interaction Module

     The system designed in this document uses static agents and mobile
     agents to realize the primary analysis of events and the
     interaction of IDSs with other security equipment. This module is
     responsible for managing and distributing the agents and for
     allocating tasks sensibly.

   o Security Response Module

     Based on the response strategy chosen by the decision-making
     module, this module takes the relevant security measures, including
     ignoring the event, warning the administrator or stopping the
     current connection.

   o Database Module

     This module stores data such as intrusion signatures and intrusion
     events for further analysis or evidence collection.

   o Human-computer Interface

     It is the management interface for administrators.
     Through this interface administrators deploy and authorize the
     system and maintain the intrusion signature library.

   +----------------+----------------+----------------+
   | Human-computer |                |    Security    |  Management
   |   Interface  <-->  Decision-  <-->   Response    |  Layer
   +----------------+    Making      +----------------+
   |    Database  <-->             <--> Harmonization,|
   |                |                |   Interaction  |
   +----------------+----------------+----------------+
                    ^                         |
                    |                         v
   +----------------+----------------+----------------+
   |    Analysis  --> Alerts Correla-|    Control     |  Analysis
   |                |tion and Merging|                |  Layer
   +----------------+----------------+----------------+
          ^                                   |
          |          +------------+-----------+----------+
          |          |            |           |          |
   +------------+------------+------------+------------+
   | OS Agents  |  Network   |  Protocol  |   Mobile   |  Agents
   |            |   Agents   |   Agents   |   Agents   |  Layer
   +------------+------------+------------+------------+
         ^           ^            ^            ^
         |           |            |            |
   +------------+-----------------------+--------------+  Data
   |Log Sensors |   Datagram Sensors    |Other Sensors |  Collection
   +------------+-----------------------+--------------+  Layer
         ^                  ^                  ^
         |                  |                  |
    Critical Host     Critical Network      Firewalls       Data
      Computers           Segments                          Source

                 Figure 2: four-layer structure model

4.2 Four-layer Structure

   A complete IMS should be an organic whole comprising the modules
   listed above. This section presents a four-layer IMS structure model
   based on intelligent agents, shown in figure 2. A layer in this
   structure is a functional combination composed of one or more
   functional modules; the modules in a layer cooperate with each other
   to accomplish specific tasks.

   Data Collection Layer: this layer collects data for analysis,
   receives alerts from the security components, and then filters the
   raw data. It consists of different kinds of sensors, such as log
   sensors, datagram sensors, firewall sensors, etc.
   Agent Layer: this layer has many kinds of agents, including OS
   agents, network agents, protocol agents, firewall agents, etc. The
   OS, network and protocol agents make a primary analysis of the data
   from the lower layer and produce alerts, which are sent to the
   analysis module for further analysis. The main function of the other
   agents is the interaction between the IDSs and the other security
   equipment. For example, when the IDSs have detected an intrusion,
   they cooperate with the firewalls through the firewall agents, so the
   firewalls can update their blocking rules dynamically. Based on the
   IP addresses and ports carried by the firewall agents, the firewalls
   cut off the subsequent intrusion traffic for a configured period of
   time. Because these rules are derived automatically from observed
   source addresses, each rule should carry that expiry time, and rules
   triggered by events whose source address can be forged (single UDP or
   ICMP packets, for instance) should be treated with caution, otherwise
   an attacker can cause legitimate addresses to be blocked.

   Analysis Layer: the analysis module analyzes the reported alerts. If
   they are not intrusions, it drops them; if they are intrusions, it
   creates alerts and transfers them to the decision-making module; if
   they are suspicious but it cannot decide, it submits the alerts and
   their suspicion value to the correlation and merging module. The
   correlation and merging module correlates and merges the alerts in
   order to detect distributed intrusions. Under the control of the
   management layer, the control module manages and arranges all the
   agents to perform specific tasks.

   Management Layer: besides providing the human-computer interface,
   this layer makes decisions and responds to intrusions, and it manages
   and harmonizes all the modules of the structure.

5. Critical Technologies

   The critical technologies used in the LDIMS designed in this
   document are discussed in the following sections.

5.1 Agent and Mobile Agent Technology

   Agent and mobile agent technology is brought into the system; the
   design rests on the principle "rely mainly on static agents, with
   mobile agents as a supplement". The main function of the OS, network
   and protocol agents is to make a primary analysis of the data and
   produce alerts.
   These are therefore static agents, with mobile agents as the
   necessary supplement: mobile agents not only balance the load of the
   system but also handle special data in the system. The main function
   of the other agents is the interaction among the security equipment,
   so they are realized mainly as mobile agents.

   After the introduction of agent and mobile agent technology, the
   next question is how to dispatch and allocate the agents so that the
   system makes good use of them. In the LDIMS the harmonization and
   interaction module manages and uses the agents through the control
   module. The administrator is in charge of the harmonization and
   interaction module and updates the agent library. A model of the
   task allocation mechanism for agents is shown in figure 3. With this
   mechanism, static agents cooperate with mobile agents to balance the
   load of the system and to handle special data. (This model uses
   Aglet as the MA; Aglet is introduced in detail in section 5.4.)

                    +----------------------+
                    |    Human-computer    |
                    |      Interface       |
                    +----------------------+
                       ^              ^  compile and
                       |              |  update MAs
              +--------+              +--------+
              |                                |
              v                                v
   +------------------------+  2: find the   +------------+
   |     Harmonization,     | - - - - - - -> | MA Library |
   |      Interaction       |  suitable MA   +------------+
   +------------------------+                      |
    1: request ^   ^ 6: request                    | 3: copy and
       for help|   |    for removal   7: remove    |    initialize
               |   |                    the MA     v    the MA
   +-----------|---|--------------------------+   +----------+
   |   +-------+   +-------+   +------------+ |   |    MA    |
   |   |  Static Agent     |<->|Mobile Agent|<- - - - - - - -+
   |   +-------------------+   +------------+ |   4: move the MA
   |     5: receive the MA and finish the task|
   +------------------------------------------+
                   (MA: Mobile Agent)

          Figure 3: assignments allocation mechanism model

5.2 Information Description Mechanism

   The system uses different kinds of IDSs, and the IDSs cooperate with
   many other kinds of security equipment such as firewalls,
   vulnerability scanning systems and virus prevention systems.
   Different equipment (IDSs, firewalls) and equipment of the same kind
   from different vendors (Snort and RealSecure) use their own
   description languages for network security information. As a result,
   communication and harmonization among them is difficult. For the
   designed system this document proposes using OWL as the description
   language for network security information.

5.2.1 Information Description Standard

   Because of the differences among information description languages,
   centralized management, centralized monitoring and dynamic
   interaction among different kinds of security equipment cannot be
   achieved. To solve this problem, the system uses the OWL language for
   communication among security components. The well-known information
   description standard is IDMEF, put forward by the IDWG.
   IDMEF uses XML as its description language, but XML is weak in
   semantic expression, so this document improves on IDMEF by using OWL
   as the description language. In the distributed network environment,
   the uniform expression of network alarm information based on OWL
   provides a semantic bridge for the interaction among security
   components. When the system detects an intrusion, the alert is
   expressed in OWL. An example of an OWL-based IDMEF description for
   the DoS intrusion "Teardrop" is listed below:

   $Id: v 1.0 2004/03/08 14:00:00 $
   <owl:Class rdf:ID="Alert">
   <owl:ObjectProperty rdf:ID="name">
   analyzer01.bigcompany.com
   <owl:ObjectProperty rdf:ID="time">
   <owl:ObjectProperty rdf:ID="name">
   <owl:ObjectProperty rdf:ID="address">
   <owl:ObjectProperty rdf:ID="netmask">
   badguy.hacker.net
   202.214.231.121
   255.255.254.0
   <owl:ObjectProperty rdf:ID="Address">
   0xde796f70
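   The uniform description the section argues for, as an added example
   in Python that is not code from the draft: two constructed sensor
   records in different native formats (a Snort "fast" alert line and a
   firewall deny line) are normalized into one IDMEF-style Alert record
   and serialized as an OWL/RDF-XML individual, and the same document
   is parsed back. The ontology namespace, the element names, the log
   line formats and the host names are assumptions made for this
   example; the draft's own listing above is only fragmentary, so this
   block does not reproduce it.

```python
"""Uniform alert description for heterogeneous sensors.

Added example (not code from the draft): constructed Snort and firewall
records are normalised into a single IDMEF-style Alert and serialised as an
OWL/RDF-XML individual, then parsed back.  The ontology namespace, element
names, log line formats and host names are assumptions for this example.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
OWL = "http://www.w3.org/2002/07/owl#"
LD = "http://example.org/ldims/alert#"        # assumed LDIMS alert ontology
for prefix, uri in (("rdf", RDF), ("owl", OWL), ("ldims", LD)):
    ET.register_namespace(prefix, uri)


@dataclass
class Alert:
    """The fields every sensor must supply, named after the IDMEF elements."""
    analyzer: str          # Analyzer/name
    create_time: str       # CreateTime
    classification: str    # Classification/name
    source: str            # Source/Node/Address
    source_port: int
    target: str            # Target/Node/Address
    target_port: int


# Constructed sample records (not real captures).
SNORT_LINE = ("03/08-14:00:00.000000  [**] [1:270:1] DOS Teardrop attack [**] "
              "{UDP} 202.214.231.121:53 -> 192.0.2.10:53")
FW_LINE = "2004-03-08T14:00:05 fw01 DENY tcp 203.0.113.9:4444 -> 192.0.2.10:22"

_ADDR = r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
SNORT_RE = re.compile(r"(?P<time>\S+)\s+\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\] "
                      r"\{(?P<proto>\w+)\} " + _ADDR + r"$")
FW_RE = re.compile(r"(?P<time>\S+) (?P<host>\S+) (?P<action>\w+) (?P<proto>\w+) "
                   + _ADDR + r"$")


def _alert(m, analyzer, classification):
    return Alert(analyzer, m["time"], classification,
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def parse_snort(line, analyzer="analyzer01.bigcompany.com"):
    """Snort fast-alert line -> Alert.  The analyzer name is configured, not in the line."""
    m = SNORT_RE.match(line)
    if m is None:
        raise ValueError("not a Snort fast-alert line")
    return _alert(m, analyzer, m["msg"])


def parse_firewall(line):
    """Firewall deny line -> Alert.  The firewall's host name is its analyzer."""
    m = FW_RE.match(line)
    if m is None:
        raise ValueError("not a firewall log line")
    return _alert(m, m["host"], f"firewall {m['action'].lower()} {m['proto']}")


def _leaf(parent, tag, text):
    e = ET.SubElement(parent, f"{{{LD}}}{tag}")
    e.text = text
    return e


def _endpoint(alert_el, role, address, port):
    node = ET.SubElement(ET.SubElement(alert_el, f"{{{LD}}}{role}"), f"{{{LD}}}Node")
    _leaf(node, "address", address)
    _leaf(node, "port", str(port))


def to_owl(alert, alert_id="alert-1"):
    """Serialise one Alert as RDF/XML: a declaration of the class ldims:Alert
    plus one individual of that class carrying the IDMEF fields."""
    root = ET.Element(f"{{{RDF}}}RDF")
    ET.SubElement(root, f"{{{OWL}}}Class", {f"{{{RDF}}}about": LD + "Alert"})
    a = ET.SubElement(root, f"{{{LD}}}Alert", {f"{{{RDF}}}ID": alert_id})
    _leaf(a, "analyzer", alert.analyzer)
    _leaf(a, "createTime", alert.create_time)
    _leaf(a, "classification", alert.classification)
    _endpoint(a, "source", alert.source, alert.source_port)
    _endpoint(a, "target", alert.target, alert.target_port)
    return ET.tostring(root, encoding="unicode")


def from_owl(document):
    """Parse the RDF/XML produced by to_owl back into an Alert."""
    a = ET.fromstring(document).find(f"{{{LD}}}Alert")
    if a is None:
        raise ValueError("no ldims:Alert individual in document")

    def txt(path):
        return a.find("/".join(f"{{{LD}}}{p}" for p in path.split("/"))).text

    return Alert(txt("analyzer"), txt("createTime"), txt("classification"),
                 txt("source/Node/address"), int(txt("source/Node/port")),
                 txt("target/Node/address"), int(txt("target/Node/port")))


if __name__ == "__main__":
    for line, parse in ((SNORT_LINE, parse_snort), (FW_LINE, parse_firewall)):
        print(to_owl(parse(line)))
```

   Both sensors end up as the same `ldims:Alert` shape, which is what
   lets a branch node correlate a Snort alert with a firewall deny
   without knowing either native format; the parsers are the only
   per-vendor code, and each one rejects input it does not recognize
   instead of guessing.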
5.2.2 Secure Communication Mechanism

   Considering the heterogeneity of the components, communication
   security and the efficiency of the system, a good communication
   mechanism should meet two requirements:

   1. A uniform data format for information description. (The LDIMS
      designed in this document uses OWL as its language.)

   2. Secure communication.

   An example of secure communication is shown below:

         +-------------------+
         |  Events Analyzer  |
         +-------------------+
             ^           ^
             |           |
      +--------------+  +--------------+
      |   Sensor A   |  |   Sensor B   |
      | +----------+ |  | +----------+ |
      | |   SSL    | |  | |   SSL    | |
      | | +------+ | |  | | +------+ | |
      | | | OWL  | | |  | | | OWL  | | |
      | | +------+ | |  | | +------+ | |
      | +----------+ |  | +----------+ |
      +--------------+  +--------------+

      Figure 4: secure communication principle based on OWL

   Communication between the sensors and the event analyzer is divided
   into two layers: the OWL layer and the SSL layer. The OWL layer is
   responsible for converting the data collected by the sensors into a
   uniform OWL character string. The SSL layer brings the SSL protocol
   into the communication. In the course of communication, the sensor
   first establishes an SSL session with the analyzer after the two
   sides have authenticated each other (both sides must present a
   certificate; with server-only authentication any host could pose as
   a sensor and inject alerts). Second, the OWL-layer message is
   encrypted with RSA and the sensor transfers it to the event analyzer
   through the SSL layer. After receiving the encrypted message, the
   event analyzer decrypts and analyzes it to recover the raw
   information. Note that the SSL session already gives the hop between
   sensor and analyzer confidentiality and integrity; the additional
   OWL-layer encryption only adds protection where the message must
   remain confidential beyond the SSL endpoint. Through the adoption of
   OWL, the system achieves semantic communication among its security
   components, and as a result the whole system becomes an integrated
   security system.

5.3 Communication Mechanism among Agents

   Semantic communication among agents is a critical problem for the
   realization of the LDIMS.
   By using the KQML standard with OWL as the language of its content
   layer, the system realizes semantic communication among intelligent
   agents. The bottom-layer communication among the agents in the
   system is realized with TCP and UDP sockets, which use network
   unicast, multicast and broadcast to achieve the physical
   communication among agents. The agent name service isolates an
   agent's name from its physical address, so locating and managing
   agents becomes simple and reliable. The three-layer structure of
   KQML is shown below:

   +--------------------------+      +-----------------------+
   |   Communication Layer    |<-----|Communication Mechanism|
   |  +--------------------+  |      +-----------------------+
   |  |   Message Layer    |<--------|  Communication Logic  |
   |  |  +--------------+  |  |      +-----------------------+
   |  |  |Content Layer |<-----------| Communication Content |
   |  |  +--------------+  |  |      +-----------------------+
   |  +--------------------+  |
   +--------------------------+

            Figure 5: three-layer structure of KQML

   KQML is divided into three layers: the communication layer, the
   message layer and the content layer. The communication layer is
   responsible for encoding the lower-level communication properties;
   in this layer the message sender and receiver assign the labels of
   the communication process. The message layer is the core of KQML: so
   that agents can respond to a message, it defines the protocols for
   message transmission as well as the performative applied to the
   content-layer message. The content layer uses OWL as its language.
   Its KQML activity is listed below:
   (performative
      :sender       // message sender
      :receiver     // message receiver
      :from         // the original sender recorded in content when a
                    // forward request is used
      :to           // the original receiver recorded in content when a
                    // forward request is used
      :language     // language used in content
      :reply-with   // the label of this message
      :in-reply-to  // the label of the original message that triggered
                    // this message
      :ontology     // entities used in this message
      :content      // message content
   )

   An alert message for the DoS intrusion "Teardrop" sent from agent1 to
   agent2 is listed below; the message is based on KQML/OWL.

   ( Alert:
      :sender Agent1
      :receiver Agent2
      :language OWL
      :ontology local host
      :content (
         $Id: v 1.0 2004/03/08 14:00:00 $
         <owl:Class rdf:ID="Alert">
         <owl:ObjectProperty rdf:ID="name">
         analyzer01.bigcompany.com
         <owl:ObjectProperty rdf:ID="time">
         <owl:ObjectProperty rdf:ID="name">
         <owl:ObjectProperty rdf:ID="address">
         <owl:ObjectProperty rdf:ID="netmask">
         badguy.hacker.net
         202.214.231.121
         255.255.254.0
         <owl:ObjectProperty rdf:ID="Address">
         0xde796f70
      )
   )

   It is easy to see from this message that the sender is agent1, the
   receiver is agent2, and the content description language is OWL.
   KQML based on OWL can clearly express the properties of things and
   the relationships among those properties, which greatly facilitates
   semantic communication among agents.

5.4 Interaction among Security Components

   To realize the interaction among IDSs and other security components,
   Aglet is brought into the system. Aglet is a mobile agent platform
   designed by IBM and developed in Java. An aglet comprises a core, a
   proxy, an itinerary and an identifier. The core holds all the
   internal variables and methods of the agent and provides a uniform
   interface. The proxy encapsulates the core and prevents access to
   the aglet's private methods. The identifier is the aglet's unique
   label.

   +-------------------------------------------------------------+
   |  +------------------+   Dispatch   +----------------------+ |
   |  |IDS   +--------+  | -----------> |  +---------+ Dispose | |
   |  |      |   MA   |  |              |  |   MA    | ------> | |
   |  |      |(clone) |  | <----------- |  |         |         | |
   |  |      +--------+  |   Retract    |  +---------+         | |
   |  |          ^       |              |     ^   |            | |
   |  |   Create |       |              |     |   v            | |
   |  |      +--------+  |              |  +---------+  Other  | |
   |  |      | class  |  |              |  |Secondary|Security | |
   |  |      +--------+  |              |  | Storage |Components| |
   |  |                  |              |  +---------+(Firewalls| |
   |  +------------------+              |              etc.)   | |
   |                        IMS         +----------------------+ |
   +-------------------------------------------------------------+
                        (MA: Mobile Agent)

              Figure 6: state transition diagram of MAs

   Aglet activities include Create, Clone, Dispatch, Retract,
   Deactivate, Activate, Dispose and Messaging. Clone produces an agent
   identical to the original one except for its identifier. The Aglet
   model is event-driven: when an agent wants to move, it calls the
   Dispatch method, and the agent is sent to its target through ATP
   (Agent Transfer Protocol). Each agent has a unique name.
   In short, Aglet provides a way to realize MAs with Java technology
   and offers an API. With the introduction of Aglet the system
   realizes the interaction among IDSs and other security components
   effectively.

6. Acknowledgements

   The authors wish to thank Xu Zhu, Huayi Rao, Xiuling Zhu, Shuai Zeng
   and Ming Cao for their detailed input.

7. Informative References

   [1] RFC-Draft-IDMEF-XML-10. http://www.ietf.org.

   [2] H. Debar, D. Curry, B. Feinstein, "The Intrusion Detection
       Message Exchange Format", draft-ietf-idwg-idmef-xml-14.txt,
       January 2005 (expires July 31, 2005).

   [3] M. Roesch, "Snort - Lightweight Intrusion Detection for
       Networks", Proceedings of the USENIX LISA '99 Conference, 1999.

   [4] S. R. Snapp, J. Brentano, G. V. Dias et al., "DIDS - Motivation,
       Architecture, and an Early Prototype", Proceedings of the 14th
       National Computer Security Conference, Washington D.C.,
       pages 167-176, October 1991.

   [5] D. Curry, H. Debar, "Intrusion Detection Message Exchange Format
       Data Model and Extensible Markup Language (XML) Document Type
       Definition".

   [6] K. Das, "Protocol Anomaly Detection for Network-based Intrusion
       Detection", GSEC Practical Assignment Version 1.2f, August 13,
       2001.

8. Authors' Addresses

   Yixian Yang
   Information Security Center,
   Beijing University of Posts and Telecom. (BUPT),
   Beijing, China, 100876
   Phone: 8610-62283366
   Email: yxyang@bupt.edu.cn

Full Copyright Statement

   Copyright (C) The Internet Society (2005). This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.
   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; nor does it represent that
   it has made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC
   documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard. Please address the information to the IETF at
   ietf-ipr@ietf.org.