Cybex Information Exchange Tool (cybiet) -- A Cybex Discovery and Cybex BEEP profile implementation

October 2010

Background

The Cybersecurity Information Exchange Framework (CYBEX) will radically change the way cybersecurity entities interact with each other.  To elaborate it in more technical detail, designers and practitioners of CYBEX will have to explore the design space in sufficient depth, while at the same time benchmarking the usefulness of the proposed framework in particular scenarios.  For this reason, NICT implemented a cybersecurity information exchange tool (tentatively named Cybiet) that provides discovery and exchange functions corresponding to the standards under development for Cybex Discovery and the Cybex BEEP profile.  Please note that this is an initial "proof of concept" implementation for exploring both the ideas and the design space.  As such, the breadth and depth of supported cybersecurity information elements are deliberately kept minimal.

Usage scenarios of Cybex Discovery

Cybex Discovery enables discovery of cybersecurity entities -- that is, mapping a resource identifier to an endpoint and its capabilities.  We envision a better connected world where cybersecurity entities of various scales and diverse capabilities are registered with one of several registries, whether global, regional or private.  Cybersecurity entities are enumerated in RDF/OWL format, and each cybersecurity organization aggregates such structured resource descriptions from the registries accessible to it.  The aggregated cybersecurity information is made discoverable through a Cybex Discovery server, which responds to discovery requests from clients by matching on name, country and/or capability.

Consider a situation where you have an ICT asset from a distant country whose vulnerability database is not widely known around you.  With Cybex Discovery, you can discover that vulnerability database and make sure your ICT asset receives appropriate remediation.

Technical details of Cybex Discovery

This Cybex Discovery implementation focuses on the RDF/OWL decentralized mode of discovery; for this purpose, the Raptor RDF syntax library and the Rasqal RDF query library are used.  A very simple registry-server implementation is provided for demonstration purposes; it stores an RDF/OWL-based enumeration of cybersecurity entities.
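The following Python script is an added example, not Cybiet code: it shows the discovery flow described above in miniature, without Raptor or Rasqal.  Two constructed registries (one "global", one "private") are written in N-Triples, the simplest RDF serialization; a client-side aggregator merges them into one graph, and a discovery function answers requests by name, country and/or capability.  The property IRIs under http://example.org/cybex# and the entity names are assumptions for the demo; the real Cybex Discovery ontology is not shown on this page.  The example also covers one failure mode worth handling in a real server: a registry entry that matches but publishes no endpoint is never returned, and a malformed registry line aborts the load rather than silently dropping entities.

```python
import re
from collections import defaultdict

# Hypothetical vocabulary for this demo; the page does not show the real
# Cybex Discovery ontology, so these property IRIs are assumptions.
CYBEX = "http://example.org/cybex#"
NAME, COUNTRY = CYBEX + "name", CYBEX + "country"
CAPABILITY, ENDPOINT = CYBEX + "capability", CYBEX + "endpoint"

# Constructed registry contents in N-Triples (subject predicate object .).
REGISTRY_A = """\
<urn:example:vdb-jp> <http://example.org/cybex#name> "JP Vulnerability Database" .
<urn:example:vdb-jp> <http://example.org/cybex#country> "JP" .
<urn:example:vdb-jp> <http://example.org/cybex#capability> "vulnerability-database" .
<urn:example:vdb-jp> <http://example.org/cybex#endpoint> <https://vdb.example.jp/cybex> .
# an entry with no endpoint: it can match a request but is never returned
<urn:example:stub> <http://example.org/cybex#name> "Stub entry without endpoint" .
"""
REGISTRY_B = """\
<urn:example:csirt-de> <http://example.org/cybex#name> "DE National CSIRT" .
<urn:example:csirt-de> <http://example.org/cybex#country> "DE" .
<urn:example:csirt-de> <http://example.org/cybex#capability> "incident-handling" .
<urn:example:csirt-de> <http://example.org/cybex#capability> "vulnerability-database" .
<urn:example:csirt-de> <http://example.org/cybex#endpoint> <https://csirt.example.de/beep> .
"""

# subject, predicate, then either an IRI object or a quoted literal, then " ."
TRIPLE_RE = re.compile(
    r'^<([^>]*)>\s+<([^>]*)>\s+(?:<([^>]*)>|"((?:[^"\\]|\\.)*)")\s*\.$')


def parse_ntriples(text, graph=None):
    """Add the triples in `text` to graph {subject: {predicate: [objects]}}.

    Malformed lines raise instead of being skipped: a registry that cannot be
    parsed should fail loudly rather than silently hide entities.
    """
    graph = graph if graph is not None else defaultdict(lambda: defaultdict(list))
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TRIPLE_RE.match(line)
        if m is None:
            raise ValueError(f"malformed N-Triples line {lineno}: {line!r}")
        subj, pred, iri_obj, lit_obj = m.groups()
        obj = iri_obj if iri_obj is not None else lit_obj.replace('\\"', '"')
        graph[subj][pred].append(obj)
    return graph


def aggregate(*registry_texts):
    """Merge several registries (global, regional, private) into one graph."""
    graph = None
    for text in registry_texts:
        graph = parse_ntriples(text, graph)
    return graph if graph is not None else {}


def discover(graph, name=None, country=None, capability=None):
    """Answer a discovery request: every criterion given must match.

    Returns sorted (subject, endpoint) pairs.  Entities that match but publish
    no endpoint are dropped, since the client could not contact them anyway.
    """
    hits = []
    for subj, props in graph.items():
        names = " ".join(props.get(NAME, [])).lower()
        if name is not None and name.lower() not in names:
            continue
        if country is not None and country not in props.get(COUNTRY, []):
            continue
        if capability is not None and capability not in props.get(CAPABILITY, []):
            continue
        hits.extend((subj, ep) for ep in props.get(ENDPOINT, []))
    return sorted(hits)


if __name__ == "__main__":
    g = aggregate(REGISTRY_A, REGISTRY_B)
    print(discover(g, capability="vulnerability-database"))
    print(discover(g, country="JP", capability="incident-handling"))  # no such entity
```

In Cybiet the same query would be expressed in SPARQL and evaluated by Rasqal over the graph Raptor parsed; the hand-written matcher above stands in for that so the example runs without either library.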

Usage scenarios of Cybiet BEEP

Here we consider the scenario of an information feed from a security information service provider to several customers.  Each customer, running the Cybex BEEP client, registers for an update feed from the security information service provider running the Cybex BEEP server; the Cybex BEEP server responds immediately with the current list of incident objects represented in IODEF.  The Cybex BEEP server can periodically send updates to clients with the latest list of incident objects.  It can also send an urgent notification to a specific customer at any point, if such a need arises.

The Cybex BEEP client may request SPAM hosts, SPAM servers, Fast Flux hosts or Phishing hosts by specifying the information type.  There are of course many other scenarios where this kind of flexible information feed is useful; these four types of information are defined in advance just to show some usage scenarios.

Technical detail of Cybiet BEEP

The Cybex BEEP profile enables bidirectional exchange of structured cybersecurity information between a BEEP client and a BEEP server.  Two or more cybersecurity entities are assumed to be connected by the Cybiet BEEP client/server.  One end of the communicating peers may choose to become the BEEP client (connection initiator), and the other end the BEEP server (responder).  We assume that existing cybersecurity data sources act as HTTP servers; asynchronous notifications, if the need arises, may be sent to the BEEP server (and then on to the BEEP client) directly.

Cybiet BEEP is intended to be a "skinny, lightweight" implementation; it consists of an XML data binding, a prototypical BEEP profile, and an interface to the HTTP server.  Most of the XML data-binding code is generated from the IODEF XML schema using CodeSynthesis XSD.  The basic BEEP protocol stack is provided by the Vortex BEEP library from ASPL.  The HTTP interface simply uses the libcurl HTTP library.

Currently, only the IODEF XML schema (with CAPEC attack pattern IDs) is supported in this implementation.  With XML namespaces, it becomes feasible to incorporate parts of XML-based enumeration standards into application-oriented standards like IODEF.  In this implementation, we were interested in the implementation-level feasibility of exploiting this XML namespace capability.

The BEEP profile implementation is also minimal.  Through the implementation of a prototype BEEP profile, we were interested in the implementation-level feasibility of the rich modes of interaction that BEEP enables -- push mode as well as pull mode.
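The following Python script is an added example, not Cybiet code, and it serves both the feed scenario in "Usage scenarios of Cybiet BEEP" and the push/pull and XML-namespace points above.  It simulates the exchange in memory: a client registers for one of the four information types and gets the current IODEF incident list back at once (pull), the server later pushes a periodic update to every subscriber of that type and an urgent notification to one named customer (push), and an unknown information type is refused.  The IODEF namespace is the real one from RFC 5070, but the documents are a reduced subset (no Assessment or Contact, so not schema-valid); the CAPEC extension namespace http://example.org/capec-ext#, the feed-type strings, the message kinds and every incident record are constructed for the demo, and there is no actual BEEP framing or Vortex involved.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"    # IODEF 1.0 namespace (RFC 5070)
CAPEC_NS = "http://example.org/capec-ext#"        # hypothetical extension namespace
ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("capec", CAPEC_NS)

# The four information types the page names; anything else is refused.
FEED_TYPES = {"spam-hosts", "spam-servers", "fast-flux-hosts", "phishing-hosts"}


def build_iodef(incidents):
    """Serialize incident dicts as a reduced IODEF-Document.  The CAPEC id rides
    in AdditionalData under its own namespace: that is the namespace mechanism
    by which a foreign enumeration is carried inside an IODEF document."""
    doc = ET.Element(f"{{{IODEF_NS}}}IODEF-Document", version="1.00")
    for inc in incidents:
        el = ET.SubElement(doc, f"{{{IODEF_NS}}}Incident", purpose="reporting")
        ET.SubElement(el, f"{{{IODEF_NS}}}IncidentID", name=inc["authority"]).text = inc["id"]
        ET.SubElement(el, f"{{{IODEF_NS}}}ReportTime").text = inc["time"]
        ET.SubElement(el, f"{{{IODEF_NS}}}Description").text = inc["description"]
        extra = ET.SubElement(el, f"{{{IODEF_NS}}}AdditionalData", dtype="xml")
        ET.SubElement(extra, f"{{{CAPEC_NS}}}AttackPatternID").text = str(inc["capec"])
    return ET.tostring(doc, encoding="unicode")


def parse_iodef(xml_text):
    """Return [(incident id, CAPEC id or None)] from an IODEF document."""
    root = ET.fromstring(xml_text)
    out = []
    for inc in root.findall(f"{{{IODEF_NS}}}Incident"):
        capec = inc.find(f".//{{{CAPEC_NS}}}AttackPatternID")
        out.append((inc.findtext(f"{{{IODEF_NS}}}IncidentID"),
                    int(capec.text) if capec is not None else None))
    return out


class CybexBeepClient:
    """Connection initiator: registers for feeds and records what it receives."""
    def __init__(self, name):
        self.name = name
        self.received = []      # (kind, feed_type, [(incident id, capec id)])

    def register(self, server, feed_type):
        kind, payload = server.handle_register(self, feed_type)
        if kind == "ERR":
            raise ValueError(payload)
        self.received.append(("RPY", feed_type, parse_iodef(payload)))
        return self.received[-1][2]

    def deliver(self, kind, feed_type, payload):
        """Entry point for server-initiated (push) messages."""
        self.received.append((kind, feed_type, parse_iodef(payload)))


class CybexBeepServer:
    """Responder: current incidents per feed type plus subscriber lists."""
    def __init__(self, feeds):
        self.feeds = {t: list(v) for t, v in feeds.items()}
        self.subscribers = {}   # feed_type -> {client name: client}

    def handle_register(self, client, feed_type):
        """Pull side: immediate reply with the current list, or ERR for a bad type."""
        if feed_type not in FEED_TYPES:
            return "ERR", f"unknown information type: {feed_type}"
        self.subscribers.setdefault(feed_type, {})[client.name] = client
        return "RPY", build_iodef(self.feeds.get(feed_type, []))

    def publish(self, feed_type, new_incidents):
        """Periodic push: extend the feed and send the full list to subscribers."""
        self.feeds.setdefault(feed_type, []).extend(new_incidents)
        payload = build_iodef(self.feeds[feed_type])
        targets = self.subscribers.get(feed_type, {})
        for client in targets.values():
            client.deliver("UPDATE", feed_type, payload)
        return len(targets)

    def notify(self, client_name, feed_type, incident):
        """Urgent push to one named customer; False if it is not connected."""
        for clients in self.subscribers.values():
            if client_name in clients:
                clients[client_name].deliver("URGENT", feed_type, build_iodef([incident]))
                return True
        return False


def incident(num, capec, description):
    """Constructed sample incident record (ids and CAPEC numbers are placeholders)."""
    return {"id": f"INC-2010-{num:04d}", "authority": "sisp.example", "capec": capec,
            "time": "2010-10-01T00:00:00Z", "description": description}


def demo():
    """The page's scenario: two customers, one periodic update, one urgent notice."""
    server = CybexBeepServer({"spam-hosts": [incident(1, 100, "spam-emitting host")]})
    a, b = CybexBeepClient("customer-a"), CybexBeepClient("customer-b")
    a.register(server, "spam-hosts")
    b.register(server, "phishing-hosts")          # feed exists but is empty so far
    server.publish("spam-hosts", [incident(2, 100, "second spam host")])
    server.notify("customer-b", "phishing-hosts", incident(3, 200, "phishing site"))
    return a, b, server
```

In Cybiet the `build_iodef`/`parse_iodef` pair is replaced by the C++ classes CodeSynthesis XSD generates from the IODEF schema, and the `deliver` calls become Vortex frames on an open BEEP channel; the in-memory version keeps the same division of pull (register and reply) versus push (update and urgent notification).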

Source code

Cybiet is written in C++ and can be downloaded from SourceForge.  It should run on modern Linux distributions.
