Internet Engineering Task Force (IETF)                          C. Inacio
Request for Comments: 8134                                            CMU
Category: Informational                                       D. Miyamoto
ISSN: 2070-1721                                                    UTokyo
                                                                 May 2017
Management Incident Lightweight Exchange (MILE) Implementation Report

Abstract

This document is a collection of implementation reports from vendors, consortiums, and researchers who have implemented one or more of the standards published from the IETF INCident Handling (INCH) and Management Incident Lightweight Exchange (MILE) working groups.
Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8134.
Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

   1. Introduction
   2. Consortiums and Information Sharing and Analysis Centers (ISACs)
      2.1. Anti-Phishing Working Group
      2.2. Advanced Cyber Defence Centre
      2.3. Research and Education Networking Information Sharing and Analysis Center
   3. Open Source Implementations
      3.1. EMC/RSA RID Agent
      3.2. NICT IODEF-SCI implementation
      3.3. n6
   4. Vendor Implementations
      4.1. Deep Secure
      4.2. IncMan Suite, DFLabs
      4.3. Surevine Proof of Concept
      4.4. MANTIS Cyber-Intelligence Management Framework
   5. Vendors with Planned Support
      5.1. Threat Central, HP
      5.2. DAEDALUS, NICT
   6. Other Implementations
      6.1. Collaborative Incident Management System
      6.2. Automated Incident Reporting - AirCERT
      6.3. US Department of Energy CyberFed
   7. Implementation Guide
      7.1. Code Generators
      7.2. iodeflib
      7.3. iodefpm
      7.4. Usability
   8. IANA Considerations
   9. Security Considerations
   10. Informative References
   Acknowledgements
   Authors' Addresses
1. Introduction

This document is a collection of information about security incident reporting protocols and the implementation of systems that use them to share such information. It is simply a collection of information, and it makes no attempt to compare the various standards or implementations. As such, it will be of interest to network operators who wish to collect and share such data.

Operationally, operators would need to decide which incident data collection group they want to be part of, and that choice will strongly influence their choice of reporting protocol and applications used to gather and distribute the data.

This document is a collection of implementation reports from vendors and researchers who have implemented one or more of the standards published from the INCH and MILE working groups. The standards include:

o Incident Object Description Exchange Format (IODEF) v1 [RFC5070]

o Incident Object Description Exchange Format (IODEF) v2 [RFC7970]

o Extensions to the IODEF-Document Class for Reporting Phishing [RFC5901]

o Sharing Transaction Fraud Data [RFC5941]

o Real-time Inter-network Defense (RID) [RFC6545]

o Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS [RFC6546]

o Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information (SCI) [RFC7203]

The implementation reports included in this document have been provided by the team or product responsible for the implementations of the mentioned RFCs. A more complete list of implementations, including open source efforts and vendor products, can also be found at the following location:

<http://siis.realmv6.org/implementations/>
2. Consortiums and Information Sharing and Analysis Centers (ISACs)

2.1. Anti-Phishing Working Group

The Anti-Phishing Working Group (APWG) is one of the biggest coalitions against cybercrime, especially phishing. In order to collect threat information in a structured format, APWG provides a phishing and cybercrime reporting tool that sends threat information to APWG by tailoring information with the IODEF format, based on RFC 5070 [RFC5070] and RFC 5901 [RFC5901].
2.2. Advanced Cyber Defence Centre

The Advanced Cyber Defence Centre (ACDC) is a Europe-wide activity to fight against botnets. ACDC provides solutions to mitigate on-going attacks and consolidates information provided by various stakeholders into a pool of knowledge. Within ACDC, IODEF is one of the supported schemas for exchanging the information.
2.3. Research and Education Networking Information Sharing and Analysis Center

The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) is a private community of researchers and higher-education members that share threat information and employs IODEF-formatted messages to exchange information.

REN-ISAC also recommends using an IODEF attachment provided with a notification email for processing rather than relying on parsing of the body text of the email. The tools provided by REN-ISAC are designed to handle such email.

<http://www.ren-isac.net/notifications/using_iodef.html>
3. Open Source Implementations

3.1. EMC/RSA RID Agent

The EMC/RSA RID agent is an open source implementation of the IETF standards for the exchange of incident and indicator data. The code has been released under an MIT license, and development will continue with the open source community at the GitHub site for RSA Intelligence Sharing:

<https://github.com/RSAIntelShare/RID-Server.git>

The code implements the Real-time Inter-network Defense (RID) described in RFC 6545 [RFC6545] and the Transport of RID over HTTP/TLS protocol described in [RFC6546]. The code supports the evolving Incident Object Description Exchange Format (IODEF) data model [RFC7970] from the work in the IETF Managed Incident Lightweight Exchange (MILE) working group.
3.2. NICT IODEF-SCI implementation

Japan's National Institute of Information and Communications Technology (NICT) Network Security Research Institute implemented open source tools for exchanging, accumulating, and locating IODEF-SCI [RFC7203] documents.

Three tools are available from GitHub. These tools assist the exchange of IODEF-SCI documents between parties. IODEF-SCI [RFC7203] extends IODEF so that an IODEF document can embed Structured Cybersecurity Information (SCI). For instance, it can embed Malware Metadata Exchange Format (MMDEF), Common Event Expression (CEE), Malware Attribute Enumeration and Characterization (MAEC) in XML, and Common Vulnerabilities and Exposures (CVE) identifiers.

The three tools are generator, exchanger, and parser. The generator generates IODEF-SCI documents or appends XML to an existing IODEF document. The exchanger sends the IODEF document to a specified correspondent node. The parser receives, parses, and stores the IODEF-SCI document. The parser also creates an interface that enables users to locate IODEF-SCI documents that have previously been received. The code has been released under an MIT license and development will continue on GitHub.

Note that users can enjoy using this software at their own risk.

Available Online:

<https://github.com/TakeshiTakahashi/IODEF-SCI>
3.3. n6

n6 is a platform for processing security-related information; it was developed by the Poland Research and Academic Computer Network (NASK) Computer Emergency Response Team (CERT) Polska. The n6 API provides a common and unified way of representing data across the different sources that participate in knowledge management.

n6 exposes a REST-ful (Representational State Transfer) API over HTTPS with mandatory authentication via Transport Layer Security (TLS) client certificates to ensure confidential and trustworthy communications. Moreover, it uses an event-based data model for representation of all types of security information.

Each event is represented as a JSON object with a set of mandatory and optional attributes. n6 also supports alternative output data formats for keeping compatibility with existing systems - IODEF and CSV - although these formats lack some of the attributes that may be present in the native JSON format.

Available Online:

<https://github.com/CERT-Polska/n6sdk>
4. Vendor Implementations

4.1. Deep Secure

Deep-Secure Guards are built to protect a trusted domain from:

o releasing sensitive data that does not meet the organizational security policy, and

o applications receiving badly constructed or malicious data that could exploit a vulnerability (known or unknown).

Deep-Secure Guards support HTTPS and the Extensible Messaging and Presence Protocol (XMPP -- optimized server-to-server protocol) transports. The Deep-Secure Guards support transfer of XML-based business content by creating a schema to translate the known good content to and from the intermediate format. This means that the Deep-Secure Guards can be used to protect:

o IODEF/RID using the HTTPS transport binding [RFC6546]

o IODEF/RID using an XMPP binding

o Resource-Oriented Lightweight Indicator Exchange (ROLIE) using HTTPS transport binding [XEP-0268]

o Structured Threat Information Expression (STIX) / Trusted Automated Exchange of Indicator Information (TAXII) using the HTTPS transport binding

Deep-Secure Guards also support the SMTP transport and perform deep content inspection of content including XML attachments. The Mail Guard supports S/MIME, and Deep Secure is working on support for the upcoming PLASMA standard, which enables an information-centric policy enforcement of data use.
4.2. IncMan Suite, DFLabs

The Incident Object Description Exchange Format, documented in RFC 5070 [RFC5070], defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. IncMan Suite implements the IODEF standard for exchanging details about incidents, either for exporting or importing activities. This has been introduced to enhance the capabilities of the various CSIRTs to facilitate collaboration and sharing of useful experiences (sharing awareness on specific cases).

The IODEF implementation is specified as an XML schema; therefore all data are stored in an XML file. In this file, all the data of an incident are organized in a hierarchical structure to describe the various objects and their relationships.

The IncMan Suite relies on IODEF as a transport format, which is composed of various classes for describing the entities that are part of the incident description. For instance, the various relevant timestamps (detection time, start time, end time, and report time), the techniques used by the intruders to perpetrate the incident, the impact of the incident, technical and non-technical (time and monetary), and obviously all systems involved in the incident.

Each incident defined in the IncMan Suite can be exported via a user interface feature, and it will create an XML document. Due to the nature of the data processed, the IODEF extraction might be considered privacy sensitive by the parties exchanging the information or by those described by it. For this reason, specific care needs to be taken in ensuring the distribution to an appropriate audience or third party, either during the document exchange or the subsequent processing.

The XML document generated will include a description and details of the incident along with all the systems involved and the related information. At this stage, it can be distributed for import into a remote system.

The IncMan Suite provides the functionality to import incidents stored in files and transported via IODEF-compliant XML documents. The importing process is comprised of two steps: first, the file is inspected to validate that it is well formed; second, all data are uploaded into the system.

If an incident with the same incident ID already exists in the system, the new one being imported will be created under a new ID. This approach prevents accidentally overwriting existing information or merging inconsistent data.

The IncMan Suite also includes a feature to upload incidents from emails.

The incident, described in XML format, can be stored directly in the body of the email message or transported as an attachment of the email. At regular intervals that are customizable by the user, the IncMan Suite monitors for incoming emails, which are filtered by a configurable white-list and black-list mechanism on the sender's email account. Then, a parser processes the received email, and a new incident is created automatically after the email body or the attachment has been validated to ensure the format is well formed.
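The import procedure described in this section (sender white-list/black-list, XML taken from the body or an attachment, a well-formedness check before anything is stored, and a fresh ID when an incident ID already exists) is small enough to show end to end. The following is an added example written for this report, not IncMan code; the IncidentStore class, the sample e-mail and the sample IODEF document are all constructed here, and the IODEF v1 namespace and the IncidentID/name structure follow RFC 5070.

```python
"""Added example: e-mail ingest of IODEF incident reports along the lines of
the import process described above (sender allow/deny list, XML in the body
or as an attachment, well-formedness check, fresh ID on collision).
Illustrative code, not IncMan's; message and document are constructed."""
import email
import itertools
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # IODEF v1 namespace, RFC 5070


class IncidentStore:
    """Minimal incident database keyed by (IncidentID@name, IncidentID text)."""

    def __init__(self, allow=(), deny=()):
        self.allow = set(allow)          # empty allow list: everyone not denied
        self.deny = set(deny)
        self.incidents = {}              # key -> serialized <Incident>
        self._seq = itertools.count(1)   # for locally assigned IDs

    def sender_permitted(self, sender):
        if sender in self.deny:          # deny list always wins
            return False
        return not self.allow or sender in self.allow

    @staticmethod
    def extract_xml(msg):
        """Prefer an XML attachment; fall back to a body that looks like XML."""
        for part in msg.iter_attachments():
            if part.get_content_type() in ("application/xml", "text/xml"):
                data = part.get_content()
                return data.decode("utf-8") if isinstance(data, bytes) else data
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            text = body.get_content().strip()
            if text.startswith("<"):
                return text
        return None

    def import_document(self, root):
        """Step two of the import: store each Incident, renaming on ID collision."""
        created = []
        for inc in root.findall(f"{{{IODEF_NS}}}Incident"):
            id_el = inc.find(f"{{{IODEF_NS}}}IncidentID")
            key = None
            if id_el is not None:
                key = (id_el.get("name", ""), (id_el.text or "").strip())
            if key is None or key in self.incidents:
                # never overwrite or merge: the imported copy gets a new local ID
                key = ("local", f"imported-{next(self._seq)}")
            self.incidents[key] = ET.tostring(inc, encoding="unicode")
            created.append(key)
        return created

    def ingest(self, raw_message):
        """Returns (status, list of incident keys created)."""
        msg = email.message_from_bytes(raw_message, policy=policy.default)
        sender = parseaddr(msg.get("From", ""))[1]
        if not self.sender_permitted(sender):
            return "sender-rejected", []
        xml_text = self.extract_xml(msg)
        if xml_text is None:
            return "no-iodef-content", []
        try:                              # step one: well-formedness check
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return "malformed", []
        if root.tag != f"{{{IODEF_NS}}}IODEF-Document":
            return "not-iodef", []
        return "imported", self.import_document(root)


# Constructed sample IODEF v1 document (structure per RFC 5070, values invented).
SAMPLE_IODEF = f"""<IODEF-Document version="1.00" lang="en" xmlns="{IODEF_NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2017-05-01T12:00:00+00:00</ReportTime>
    <Assessment><Impact severity="medium" completion="failed" type="admin"/></Assessment>
    <Contact role="creator" type="organization"><ContactName>Example CSIRT</ContactName></Contact>
  </Incident>
</IODEF-Document>"""


def build_message(sender, xml_text, as_attachment=True):
    """Constructed e-mail carrying the report in the body or as an attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "soc@example.net"
    msg["Subject"] = "IODEF incident report"
    if as_attachment:
        msg.set_content("IODEF report attached.")
        msg.add_attachment(xml_text.encode("utf-8"), maintype="application",
                           subtype="xml", filename="incident.xml")
    else:
        msg.set_content(xml_text)
    return msg.as_bytes()


if __name__ == "__main__":
    store = IncidentStore(allow=["reporter@example.org"], deny=["spam@example.com"])
    print(store.ingest(build_message("reporter@example.org", SAMPLE_IODEF)))
    print(store.ingest(build_message("reporter@example.org", SAMPLE_IODEF, False)))
    print(store.ingest(build_message("spam@example.com", SAMPLE_IODEF)))
    print(store.ingest(build_message("reporter@example.org", SAMPLE_IODEF[:60], False)))
```

The order of the checks is the point: the sender filter runs before any XML is touched, the parse happens before anything reaches the store, and a repeated IncidentID never replaces the copy already held. The attachment is preferred over the body for the same reason REN-ISAC gives in Section 2.3: body text is easily mangled by mail clients, an attachment is not.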
4.3. Surevine Proof of Concept

XMPP is enhanced and extended through the XMPP Extension Protocols (XEPs). XEP-0268 [XEP-0268] describes incident management (using IODEF) of the XMPP network itself, effectively supporting self-healing the XMPP network. In order to more generically cover the incident management of a network over the same network, XEP-0268 requires some updates. We are working on these changes together with a new XEP that supports "social networking" over XMPP, which enhances the publish-and-subscribe XEP [XEP-0060]. This now allows nodes to publish and subscribe to any type of content and therefore receive the content. XEP-0060 will be used to describe IODEF content. We now have an alpha version of the server-side software and client-side software required to demonstrate the "social networking" capability and are currently enhancing this to support cyber incident management in real time.
4.4. MANTIS Cyber-Intelligence Management Framework

Model-based Analysis of Threat Intelligence Sources (MANTIS) provides an example implementation of a framework for managing cyber threat intelligence expressed in standards such as STIX, Cyber Observable Expression (CybOX), IODEF, etc. The aims of providing such an example implementation are as follows:

o To facilitate discussions about emerging standards such as STIX, CybOX, et al., with respect to questions regarding tooling: how would a certain aspect be implemented, and how do changes affect an implementation? Such discussions become much easier and have a better basis if they can be led in the context of example tooling that is known to the community.

o To lower the barrier of entry for organizations and teams (especially CSIRT/CERT teams) in using emerging standards for cyber-threat-intelligence management and exchange.

o To provide a platform on the basis of which research and community-driven development in the area of cyber-threat-intelligence management can occur.
5. Vendors with Planned Support

5.1. Threat Central, HP

HP has developed HP Threat Central, a security intelligence platform that enables automated, real-time collaboration between organizations to combat today's increasingly sophisticated cyber attacks. One way automated sharing of threat indicators is achieved is through close integration with the HP ArcSight Security Information and Event Management (SIEM) for automated upload and consumption of information from the Threat Central Server. In addition, HP Threat Central supports open standards for sharing threat information so that participants who do not use HP Security Products can participate in the sharing ecosystem. It is planned that future versions will also support IODEF for the automated upload and download of threat information.
5.2. DAEDALUS, NICT

DAEDALUS is a real-time alert system based on a large-scale darknet monitoring facility that has been deployed as a part of the Network Incident analysis Center for Tactical Emergency Response (nicter) system of NICT, which is based in Japan. DAEDALUS consists of an analysis center (i.e., nicter) and several cooperative organizations. Each organization installs a darknet sensor and establishes a secure channel between it and the analysis center, and it continuously forwards darknet traffic toward the center. In addition, each organization registers the IP address range of its livenet at the center in advance. When these distributed darknet sensors observe malware activities from the IP address of a cooperating organization, then the analysis center sends an alert to the organization. The future version of DAEDALUS will support IODEF for sending alert messages to the users.
6. Other Implementations

6.1. Collaborative Incident Management System

A Collaborative Incident Management System (CIMS) is a proof-of-concept system for collaborative incident handling and for the sharing of information about cyber defense situational awareness between the participants; it was developed for the Cyber Coalition 2013 (CC13) exercise organized by the North Atlantic Treaty Organization (NATO). CIMS was implemented based on Request Tracker (RT), an open source software widely used for handling incident responses by many CERTs and CSIRTs.

One of the functionalities implemented in CIMS was the ability to import and export IODEF messages in the body of emails. The intent was to verify the suitability of IODEF to achieve the objective of collaborative incident handling. The customized version of RT could be configured to send an email message containing an IODEF message whenever an incident ticket was created, modified, or deleted. These IODEF messages would then be imported into other incident handling systems in order to allow participating CSIRTs to use their usual means for incident handling while still interacting with those using the proof-of-concept CIMS. Having an IODEF message generated for every change made to the incident information in RT (and for the system to allow incoming IODEF email messages to be associated to an existing incident) would in some way allow all participating CSIRTs to actually work on a "common incident ticket", at least at the conceptual level. Of particular importance was the ability for users to exchange information between each other concerning actions taken in the handling of a particular incident, thus creating a sort of common action log as well as requesting/tasking others to provide information or perform a specified action and correlating received responses to the original request or task. As well, a specific "profile" was developed to identify a subset of the IODEF classes that would be used during the exercise in an attempt to channel all users into a common usage pattern of the otherwise flexible IODEF standard.
6.2. Automated Incident Reporting - AirCERT

AirCERT was implemented by the CERT / Coordination Center (CC) of Carnegie Mellon's Software Engineering Institute CERT division. AirCERT was designed to be an Internet-scalable distributed system for sharing security event data. The AirCERT system was designed to be an automated collector of flow and Intrusion Detection System (IDS) alerts. AirCERT would collect that information into a relational database and be able to share reporting using IODEF and the Intrusion Detection Message Exchange Format [RFC4765]. AirCERT additionally used SNML [SNML] to exchange information about the network. AirCERT was implemented in a combination of C and Perl modules and included periodic graphing capabilities leveraging the Round-Robin Database Tool (RRDTool).

AirCERT was intended for large-scale distributed deployment and, eventually, the ability to sanitize data to be shared across administrative domains. The architecture was designed to allow collection of data on a per-site basis and to allow each site to create data sharing based on its own particular trust relationships.
6.3. US Department of Energy CyberFed

The CyberFed system was implemented and deployed by Argonne National Laboratory to automate the detection and response of attack activity against Department of Energy (DoE) computer networks. CyberFed automates the collection of network alerting activity from various perimeter network defenses and logs those events into its database. CyberFed then automatically converts that information into blocking information transmitted to all participants. The original implementation used IODEF messages wrapped in an XML extension to manage a large array of indicators. The CyberFed system was not designed to describe a particular incident as much as to describe a set of current network-blocking indicators that can be generated and deployed machine to machine.

CyberFed is primarily implemented in Perl. Included as part of the CyberFed system are scripts that interact with a large number of firewalls, IDS / Intrusion Prevention System (IPS) devices, DNS systems, and proxies that operate to implement both the automated collection of events as well as the automated deployment of black listing.

Currently, CyberFed supports multiple exchange formats including IODEF and STIX. Open Indicators of Compromise (OpenIOC) is also a potential exchange format that the US DoE is considering.
7. Implementation Guide

This section shares tips for the development of IODEF-capable systems.
For implementing IODEF-capable systems, it is feasible to employ code generators for the XML Schema Definition (XSD). The generators are used to save development costs since they automatically create useful libraries for accessing XML attributes, composing messages, and/or
为了实现支持IODEF的系统,可以为XML模式定义(XSD)使用代码生成器。生成器用于节省开发成本,因为它们自动创建有用的库,用于访问XML属性、编写消息和/或
validating XML objects. The IODEF XSD was defined in Section 8 of RFC 5070 [RFC5070] and is available from the "ns" registry <https://www.iana.org/assignments/xml-registry>.
验证XML对象。IODEF XSD在RFC 5070[RFC5070]的第8节中定义,可从“ns”注册表获得<https://www.iana.org/assignments/xml-registry>.
However, some issues remain. Due to the complexity of the IODEF XSD, some code generators could not generate code from the XSD file. The tested code generators are as follows.
然而,仍然存在一些问题。由于IODEF XSD的复杂性,一些代码生成器无法从XSD文件生成代码。测试的代码生成器如下所示。
o XML::Pastor [XSD:Perl] (Perl)
o Pastor[XSD:Perl](Perl)
o RXSD [XSD:Ruby] (Ruby)
o RXSD[XSD:Ruby](Ruby)
o PyXB [XSD:Python] (Python)
o JAXB [XSD:Java] (Java)
o CodeSynthesis XSD [XSD:Cxx] (C++)
o Xsd.exe [XSD:CS] (C#)
For instance, we have tried to use XML::Pastor, but it could not properly understand its schema due to the complexity of IODEF XSD. The same applies to Ruby XSD (RXSD) and Java Architecture for XML Binding (JAXB). Only Python XML Schema Bindings (PyXB), CodeSynthesis XSD, and Xsd.exe were able to understand the complex schema.
Unfortunately, there is no recommended workaround. A possible workaround is a double conversion of the XSD file. This entails the XSD being serialized into XML; afterwards, the resulting XML is converted back into an XSD. The resultant XSD was successfully processed by all the tools listed above.
It should be noted that IODEF uses '-' (hyphen) symbols in its classes or attributes, which are listed as follows:
o IODEF-Document Class: It is the top-level class in the IODEF data model described in Section 3.1 of RFC 5070 [RFC5070].
o The vlan-name and vlan-num Attributes: According to Section 3.16.2 of RFC 5070 [RFC5070], they are the name and number of the Virtual LAN and are attributes of the Address class.
o Extending the Enumerated Values of Attribute: According to Section 5.1 of RFC 5070 [RFC5070], this is an extension technique to add new enumerated values to an attribute, and it has a prefix of "ext-", e.g., ext-value, ext-category, ext-type, and so on.
By their language specifications, many programming languages prohibit '-' symbols in class names. Code generators must therefore replace or remove the '-' when building the libraries, and they should restore the '-' in the element and attribute names when outputting XML so that the output still conforms to the IODEF XSD.
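As an added illustration (not code from RFC 8134, iodeflib, or any of the generators listed above), the following Python sketch shows one way a generated binding can map the hyphenated RFC 5070 names to legal identifiers and restore the schema spelling when it emits XML; the hyphen-to-underscore scheme, the restore table, and the function names are assumptions of this example, while the names and the namespace URN come from RFC 5070.

```python
"""Map IODEF names containing '-' to legal Python identifiers and back."""
import keyword
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # IODEF v1 namespace (RFC 5070)

# Names from RFC 5070 that no code generator can use verbatim as identifiers.
HYPHENATED_NAMES = ("IODEF-Document", "vlan-name", "vlan-num",
                    "ext-value", "ext-category", "ext-type")


def to_identifier(name):
    """Turn a schema name into a legal Python identifier (hypothetical scheme).

    '-' becomes '_'; a leading digit or a keyword collision gets a prefix.
    """
    ident = name.replace("-", "_")
    if not ident.isidentifier() or keyword.iskeyword(ident):
        ident = "iodef_" + ident
    return ident


# identifier -> schema spelling, so the '-' can be restored on output
RESTORE = {to_identifier(n): n for n in HYPHENATED_NAMES}


def to_iodef_name(ident):
    """Restore the schema spelling; names without '-' pass through unchanged."""
    return RESTORE.get(ident, ident)


def build_address_xml(ident_attrs):
    """Serialise an IODEF-Document holding one Address element.

    ident_attrs is keyed by generator-style identifiers (vlan_name, ...);
    the emitted XML carries the schema names (vlan-name, ...) instead.
    """
    root = ET.Element("{%s}%s" % (IODEF_NS, to_iodef_name("IODEF_Document")))
    addr = ET.SubElement(root, "{%s}Address" % IODEF_NS)
    for ident, value in ident_attrs.items():
        addr.set(to_iodef_name(ident), value)
    return ET.tostring(root, encoding="unicode")


def hyphenated_attrs(xml_text):
    """Parse the document back and list Address attributes that contain '-'."""
    root = ET.fromstring(xml_text)
    addr = root.find("{%s}Address" % IODEF_NS)
    return sorted(a for a in addr.attrib if "-" in a)
```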
iodeflib is an open source implementation written in Python. This provides simple but powerful APIs to create, parse, and edit IODEF documents. It was designed in order to keep its interface as simple as possible, whereas generated libraries tend to inherit the complexity of IODEF XSD. In addition, the iodeflib interface includes functions to hide some unnecessarily nested structures of the IODEF schema and add more convenient shortcuts.
This tool is available through the following link:
<http://www.decalage.info/python/iodeflib>
IODEF.pm is an open source implementation written in Perl. This also provides a simple interface for creating and parsing IODEF documents in order to facilitate the translation of the key-value-based format to the IODEF representation. The module contains a generic XML DTD parser and includes a simplified node-based representation of the IODEF DTD. Hence, it can easily be upgraded or extended to support new XML nodes or other DTDs.
This tool is available through the following link:
<http://search.cpan.org/~saxjazman/>
Some tips to avoid problems are noted here:
o IODEF has a category attribute for the NodeRole class. Though various categories are described, they are not sufficient. For example, in the case of webmail servers, should the user choose "www" or "mail"? One suggestion is to select "mail" as the category attribute and add "www" for another attribute.
o The numbering of incident IDs needs to be considered. Otherwise, information, such as the number of incidents within a certain period, could be observed by document receivers. This is easily mitigated by randomizing the assignment of incident IDs.
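The incident-ID point above, as an added example that is not part of the RFC or of either library: a sender that numbers its IncidentIDs sequentially lets a receiver compute how many incidents it opened between two reports, whereas an allocator that hands out random external IDs and keeps the sequential record number private closes that channel. The allocator class, the 64-bit ID length, and the CSIRT name are assumptions of this example; the IncidentID element and its name attribute are from RFC 5070.

```python
import secrets
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # IODEF v1 namespace (RFC 5070)


def inferred_incident_volume(first_id, second_id):
    """What a receiver learns from two sequential IncidentIDs: the number of
    incidents the sender opened between them.  Returns None when the IDs
    are not plain integers and therefore carry no such information."""
    try:
        return int(second_id) - int(first_id)
    except ValueError:
        return None


class IncidentIdAllocator:
    """Hands out unpredictable external IncidentIDs while keeping the
    CSIRT's own sequential record number private (hypothetical design)."""

    def __init__(self, csirt_name):
        self.csirt_name = csirt_name           # goes into IncidentID@name
        self._next_record = 1                  # internal counter, never sent
        self._records = {}                     # external id -> record number

    def allocate(self):
        """Return a fresh 64-bit random hex ID mapped to the next record."""
        while True:
            external = secrets.token_hex(8)
            if external not in self._records:   # collision guard
                break
        self._records[external] = self._next_record
        self._next_record += 1
        return external

    def lookup(self, external_id):
        """Resolve an external ID seen in a reply back to the local record."""
        return self._records.get(external_id)

    def incident_id_xml(self, external_id):
        """Serialise the IncidentID element as it would appear in a document."""
        el = ET.Element("{%s}IncidentID" % IODEF_NS)
        el.set("name", self.csirt_name)
        el.text = external_id
        return ET.tostring(el, encoding="unicode")
```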
IANA Considerations

This memo does not require any IANA actions.
Security Considerations

This document provides a summary of implementation reports from researchers and vendors who have implemented RFCs and drafts from the MILE and INCH working groups. No security considerations are added because of the nature of the document.
Informative References

[RFC4765] Debar, H., Curry, D., and B. Feinstein, "The Intrusion Detection Message Exchange Format (IDMEF)", RFC 4765, DOI 10.17487/RFC4765, March 2007, <http://www.rfc-editor.org/info/rfc4765>.
[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident Object Description Exchange Format", RFC 5070, DOI 10.17487/RFC5070, December 2007, <http://www.rfc-editor.org/info/rfc5070>.
[RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document Class for Reporting Phishing", RFC 5901, DOI 10.17487/RFC5901, July 2010, <http://www.rfc-editor.org/info/rfc5901>.
[RFC5941] M'Raihi, D., Boeyen, S., Grandcolas, M., and S. Bajaj, "Sharing Transaction Fraud Data", RFC 5941, DOI 10.17487/RFC5941, August 2010, <http://www.rfc-editor.org/info/rfc5941>.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC 6545, DOI 10.17487/RFC6545, April 2012, <http://www.rfc-editor.org/info/rfc6545>.
[RFC6546] Trammell, B., "Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS", RFC 6546, DOI 10.17487/RFC6546, April 2012, <http://www.rfc-editor.org/info/rfc6546>.
[RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information", RFC 7203, DOI 10.17487/RFC7203, April 2014, <http://www.rfc-editor.org/info/rfc7203>.
[RFC7970] Danyliw, R., "The Incident Object Description Exchange Format Version 2", RFC 7970, DOI 10.17487/RFC7970, November 2016, <http://www.rfc-editor.org/info/rfc7970>.
[SNML] Trammell, B., Danyliw, R., Levy, S., and A. Kompanek, "AirCERT: The Definitive Guide", 2005, <http://aircert.sourceforge.net/docs/aircert_manual-06_2005.pdf>.
[XEP-0060] Millard, P., Saint-Andre, P., and R. Meijer, "XEP-0060: Publish-Subscribe", December 2016, <http://www.xmpp.org/extensions/xep-0060.html>.
[XEP-0268] Hefczy, A., Jensen, F., Remond, M., Saint-Andre, P., and M. Wild, "XEP-0268: Incident Handling", May 2012, <http://xmpp.org/extensions/xep-0268.html>.
[XSD:CS] Microsoft, "XML Schema Definition Tool (Xsd.exe)", <http://www.microsoft.com/>.
[XSD:Cxx] CodeSynthesis, "XSD: XML Data Binding for C++", <http://www.codesynthesis.com/>.
[XSD:Java] Project Kenai, "Project JAXB", <https://jaxb.java.net/>.
[XSD:Perl] Ulsoy, A., "XML-Pastor-1.0.4", <http://search.cpan.org/~aulusoy/XML-Pastor-1.0.4/>.
[XSD:Python] Bigot, P., "PyXB 1.2.5: Python XML Schema Bindings", <https://pypi.python.org/pypi/PyXB>.
[XSD:Ruby] Morsi, M., "XSD / Ruby Translator", <https://github.com/movitto/RXSD>.
Acknowledgements
The MILE implementation report has been compiled through the submissions of implementers of INCH and MILE working group standards. A special note of thanks to the following contributors:
John Atherton, Surevine
Humphrey Browning, Deep-Secure
Dario Forte, DFLabs
Tomas Sander, HP
Ulrich Seldeslachts, ACDC
Takeshi Takahashi, National Institute of Information and Communications Technology Network Security Research Institute
Kathleen Moriarty, EMC
Bernd Grobauer, Siemens
Dandurand Luc, NATO
Pawel Pawlinski, NASK
Authors' Addresses
Chris Inacio Carnegie Mellon University 4500 5th Ave., SEI 4108 Pittsburgh, PA 15213 United States of America
Email: inacio@andrew.cmu.edu
Daisuke Miyamoto The University of Tokyo 2-11-16 Yayoi, Bunkyo Tokyo 113-8658 Japan
Email: daisu-mi@nc.u-tokyo.ac.jp