Cybex Information Exchange Tool (cybiet) -- A Cybex Discovery
and Cybex BEEP profile implementation
October 2010
Background
The Cybersecurity Information Exchange Framework (CYBEX) is intended to
radically change the way cybersecurity entities interact with each
other. To work the framework out in more technical detail, its
designers and practitioners have to explore the design space
thoroughly, while at the same time benchmarking the usefulness of the
proposed framework in concrete scenarios.
Because of this, NICT implemented a cybersecurity information
exchange tool (tentatively named Cybiet) that provides discovery
and exchange functions, tracking the standards development of
Cybex Discovery and the Cybex BEEP profile. Please note that this
is an initial "proof of concept" implementation for exploring
both the ideas and the design space. As such, the breadth and depth of
the supported cybersecurity information elements are deliberately kept
minimal.
Usage scenarios of Cybex Discovery
Cybex Discovery enables discovery of cybersecurity entities, that
is, mapping a resource identifier to an endpoint and its capabilities.
We envision a better connected world in which cybersecurity
entities of various sizes and diverse capabilities are registered
in a registry, whether global, regional or private.
Cybersecurity entities are enumerated in RDF/OWL format, and
each cybersecurity organization aggregates such structured resource
descriptions from the registries accessible to it. The aggregated
descriptions are made discoverable through a Cybex Discovery server,
which answers discovery requests from clients by matching on name,
country and/or capability.
Consider a situation where you have an ICT asset from a distant
country whose vulnerability database is not widely known where you
are. With Cybex Discovery, you can discover that vulnerability
database and make sure your ICT asset receives appropriate
remediation.
Technical details of Cybex Discovery
This Cybex Discovery implementation focuses on the RDF/OWL-based,
decentralized mode of discovery; for this purpose, the Raptor RDF
syntax library and the Rasqal RDF query library are used. A
very simple registry-server implementation is provided for
demonstration purposes; it stores the RDF/OWL-based enumeration of
cybersecurity entities.
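As an added example (not Cybiet's code, which uses Raptor and Rasqal for this), the following C++ models the registry and discovery step described above: two constructed N-Triples dumps standing for a global and a private registry, a hypothetical urn:ex: vocabulary for name, country, capability and endpoint, aggregation of the dumps into one registry, and a discovery lookup that answers a request by name, country and/or capability with the matching endpoints. All entity names, identifiers and URLs are made up.

```cpp
// Added example, not Cybiet's own code: a minimal model of Cybex Discovery
// over RDF registry dumps. The urn:ex: vocabulary and the entities are
// hypothetical. Cybiet uses Raptor and Rasqal here; the tiny N-Triples
// reader below stands in for them so the example runs stand-alone.
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct Entity {
    std::string name;
    std::string country;
    std::string endpoint;
    std::set<std::string> capabilities;
};

// Aggregated registry keyed by each entity's resource identifier (RDF subject).
typedef std::map<std::string, Entity> Registry;

// Constructed dump of a "global" registry (hypothetical entities).
static const char* const kGlobalRegistry =
    "<urn:ex:entity:vdb-alpha> <urn:ex:name> \"Alpha Vulnerability DB\" .\n"
    "<urn:ex:entity:vdb-alpha> <urn:ex:country> \"JP\" .\n"
    "<urn:ex:entity:vdb-alpha> <urn:ex:capability> <urn:ex:cap:vulnerability-database> .\n"
    "<urn:ex:entity:vdb-alpha> <urn:ex:endpoint> <https://vdb-alpha.example/cybex> .\n"
    "<urn:ex:entity:csirt-beta> <urn:ex:name> \"Beta CSIRT\" .\n"
    "<urn:ex:entity:csirt-beta> <urn:ex:country> \"DE\" .\n"
    "<urn:ex:entity:csirt-beta> <urn:ex:capability> <urn:ex:cap:incident-handling> .\n"
    "<urn:ex:entity:csirt-beta> <urn:ex:endpoint> <https://csirt-beta.example/cybex> .\n";

// Constructed dump of a "private" registry: one entity with two capabilities.
static const char* const kPrivateRegistry =
    "<urn:ex:entity:soc-gamma> <urn:ex:name> \"Gamma SOC\" .\n"
    "<urn:ex:entity:soc-gamma> <urn:ex:country> \"JP\" .\n"
    "<urn:ex:entity:soc-gamma> <urn:ex:capability> <urn:ex:cap:incident-handling> .\n"
    "<urn:ex:entity:soc-gamma> <urn:ex:capability> <urn:ex:cap:vulnerability-database> .\n"
    "<urn:ex:entity:soc-gamma> <urn:ex:endpoint> <https://soc-gamma.example/cybex> .\n";

// Reads one N-Triples term at pos: <IRI> or "literal". The constructed dumps
// use no escapes, blank nodes or typed literals, so this can stay simple.
static std::string readTerm(const std::string& line, size_t& pos) {
    while (pos < line.size() && line[pos] == ' ') ++pos;
    if (pos >= line.size() || (line[pos] != '<' && line[pos] != '"')) return "";
    char close = (line[pos] == '<') ? '>' : '"';
    size_t end = line.find(close, pos + 1);
    if (end == std::string::npos) return "";
    std::string term = line.substr(pos + 1, end - pos - 1);
    pos = end + 1;
    return term;
}

// Merges one registry dump into the aggregated registry; calling it once per
// accessible registry (global, regional, private) is the aggregation step.
void loadRegistryInto(Registry& reg, const std::string& ntriples) {
    std::istringstream in(ntriples);
    std::string line;
    while (std::getline(in, line)) {
        size_t pos = 0;
        std::string s = readTerm(line, pos);
        std::string p = readTerm(line, pos);
        std::string o = readTerm(line, pos);
        if (s.empty() || p.empty() || o.empty()) continue;  // skip malformed lines
        Entity& e = reg[s];
        if (p == "urn:ex:name") e.name = o;
        else if (p == "urn:ex:country") e.country = o;
        else if (p == "urn:ex:endpoint") e.endpoint = o;
        else if (p == "urn:ex:capability") e.capabilities.insert(o);
        // Other predicates are ignored: a registry may describe more than we model.
    }
}

Registry buildAggregatedRegistry() {
    Registry reg;
    loadRegistryInto(reg, kGlobalRegistry);
    loadRegistryInto(reg, kPrivateRegistry);
    return reg;
}

// A discovery request. Empty fields are wildcards, so a client can ask for
// "any entity in JP with a vulnerability database" without knowing its name.
struct Query {
    std::string name;
    std::string country;
    std::string capability;
};

// The discovery server's answer: endpoints of every entity matching the request.
std::vector<std::string> discoverEndpoints(const Registry& reg, const Query& q) {
    std::vector<std::string> out;
    for (const auto& kv : reg) {
        const Entity& e = kv.second;
        if (!q.name.empty() && e.name != q.name) continue;
        if (!q.country.empty() && e.country != q.country) continue;
        if (!q.capability.empty() && !e.capabilities.count(q.capability)) continue;
        if (!e.endpoint.empty()) out.push_back(e.endpoint);
    }
    return out;
}
```

The request Query{"", "JP", "urn:ex:cap:vulnerability-database"} is the scenario from the previous section, a vulnerability database in an unfamiliar country found without knowing its name; against these dumps it returns two endpoints, one from each registry, which is what the aggregation step buys. Note that the endpoint a client will later contact comes straight out of registry data, so in anything beyond a demonstration, which registries a site aggregates from, and whether their dumps are authenticated, is a trust decision that has to be made before discovery results are acted on.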
Usage scenarios of Cybiet BEEP
Here we consider the scenario of an information feed from a security
information service provider to several customers. Each
customer, running the Cybex BEEP client, registers for an update
feed with the provider, which runs the Cybex BEEP server; the
server responds immediately with the current list of incident objects
represented in IODEF. The Cybex BEEP server can then periodically
send updates to the clients with the latest list of incident objects.
It can also send an urgent notification to a specific customer at any
time, should the need arise.
The Cybex BEEP client may request SPAM hosts, SPAM servers, Fast
Flux hosts or Phishing hosts by specifying the information type.
There are of course many other scenarios where this kind of
flexible information feed is useful; these four types of
information are predefined only to illustrate some usage
scenarios.
Technical detail of Cybiet BEEP
The Cybex BEEP profile enables bidirectional exchange of structured
cybersecurity information between a BEEP client and a BEEP server.
Two or more cybersecurity entities are assumed to be
connected through the Cybiet BEEP client and server. One of the
communicating peers may choose to act as the BEEP client (connection
initiator), and the other as the BEEP server (responder).
We assume that existing cybersecurity data sources act as
HTTP servers; asynchronous notifications, where the need arises, may be
sent directly to the BEEP server (and from there on to the BEEP client).
Cybiet BEEP is intended to be a "skinny, lightweight"
implementation; it consists of XML data binding, a prototypical BEEP
profile, and an interface to the HTTP server. Most of the XML
data-binding code is generated from the IODEF XML schema using
CodeSynthesis XSD. The basic BEEP protocol stack is provided by the
Vortex BEEP library from ASPL. The HTTP interface simply uses the
libcurl HTTP library.
Currently, only the IODEF XML schema (extended with the CAPEC attack
pattern ID) is supported in this implementation. XML namespaces make
it feasible to incorporate parts of XML-based enumeration
standards into application-oriented standards such as IODEF. In
this implementation, we were interested in the implementation-level
feasibility of exploiting this XML namespace capability.
The BEEP profile implementation is also minimal. Through the
implementation of the prototype BEEP profile, we were interested in the
implementation-level feasibility of the rich modes of interaction that
BEEP enables: push mode as well as pull mode.
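As an added example (not Cybiet's code), the following C++ models in one process the feed exchange from the usage scenario and the profile description above: a client registers for one of the four information types and is answered at once with the current list of IODEF incidents (pull), the server later pushes updated lists to every subscriber and an urgent notification to a single client (push), and the CAPEC attack pattern ID is carried in its own XML namespace inside IODEF's AdditionalData element. Vortex, BEEP framing and the HTTP data source are left out; the Frame struct stands for what the channel delivers, and the urn:example:capec namespace and every incident value are constructed for illustration.

```cpp
// Added example, not Cybiet's own code: an in-process model of the Cybex BEEP
// feed described above. BEEP framing and transport (Vortex) are replaced by a
// Frame struct and per-client queues. The IODEF-Document layout follows
// RFC 5070; the urn:example:capec namespace and all incident data are made up.
#include <map>
#include <set>
#include <string>
#include <vector>

// The four predefined information types a client can register for.
enum InfoType { SPAM_HOSTS, SPAM_SERVERS, FAST_FLUX_HOSTS, PHISHING_HOSTS };

struct Incident {
    InfoType type;
    std::string id;          // IncidentID
    std::string reportTime;  // xs:dateTime
    std::string address;     // host the feed entry is about
    std::string capecId;     // CAPEC attack pattern ID, carried in its own namespace
};

// "RPY" answers the client's registration MSG at once; later server-initiated
// updates arrive as "MSG" frames (either BEEP peer may send MSG on a channel).
struct Frame { std::string kind, body; };

// Feed content (addresses, identifiers) is attacker-influenced: escape it.
std::string xmlEscape(const std::string& s) {
    std::string out;
    for (char c : s) {
        if (c == '&') out += "&amp;";
        else if (c == '<') out += "&lt;";
        else if (c == '>') out += "&gt;";
        else if (c == '"') out += "&quot;";
        else out += c;
    }
    return out;
}

// One IODEF 1.0 document with the elements RFC 5070 requires per Incident
// (IncidentID, ReportTime, Assessment, Contact). The CAPEC ID rides inside
// AdditionalData dtype="xml", IODEF's hook for foreign-namespace content.
std::string toIodef(const std::vector<Incident>& incidents) {
    std::string xml = "<IODEF-Document version=\"1.00\" lang=\"en\" "
                      "xmlns=\"urn:ietf:params:xml:ns:iodef-1.0\" "
                      "xmlns:capec=\"urn:example:capec\">";
    for (const Incident& i : incidents) {
        xml += "<Incident purpose=\"reporting\">"
               "<IncidentID name=\"feed.example\">" + xmlEscape(i.id) + "</IncidentID>"
               "<ReportTime>" + xmlEscape(i.reportTime) + "</ReportTime>"
               "<Assessment><Impact type=\"policy\" severity=\"medium\"/></Assessment>"
               "<Contact role=\"creator\" type=\"organization\">"
               "<ContactName>Example Feed Provider</ContactName></Contact>"
               "<EventData><Flow><System category=\"source\"><Node>"
               "<Address category=\"ipv4-addr\">" + xmlEscape(i.address) + "</Address>"
               "</Node></System></Flow></EventData>"
               "<AdditionalData dtype=\"xml\"><capec:AttackPatternID>"
               + xmlEscape(i.capecId) + "</capec:AttackPatternID></AdditionalData>"
               "</Incident>";
    }
    return xml + "</IODEF-Document>";
}

// Provider side: subscriptions per client, so periodic updates reach every
// subscriber of a type while an urgent notification can target one client.
class FeedServer {
public:
    void addIncident(const Incident& i) { incidents_[i.type].push_back(i); }
    // Pull: the registration MSG is answered immediately with the current list.
    Frame subscribe(const std::string& client, InfoType type) {
        subscriptions_[client].insert(type);
        return Frame{"RPY", toIodef(incidents_[type])};
    }
    // Push: periodic update carrying the latest list to every subscriber.
    void pushUpdates() {
        for (const auto& sub : subscriptions_)
            for (InfoType t : sub.second)
                outbox_[sub.first].push_back(Frame{"MSG", toIodef(incidents_[t])});
    }
    // Push, targeted: urgent notification to a single client only.
    void notifyUrgent(const std::string& client, const Incident& i) {
        outbox_[client].push_back(Frame{"MSG", toIodef(std::vector<Incident>(1, i))});
    }
    // Frames the client's channel has received since the last call.
    std::vector<Frame> deliver(const std::string& client) {
        std::vector<Frame> out;
        out.swap(outbox_[client]);
        return out;
    }
private:
    std::map<InfoType, std::vector<Incident>> incidents_;
    std::map<std::string, std::set<InfoType>> subscriptions_;
    std::map<std::string, std::vector<Frame>> outbox_;
};

// Counts Incident elements in a feed document (used to check results).
int countIncidents(const std::string& iodef) {
    int n = 0;
    for (size_t p = iodef.find("<Incident "); p != std::string::npos;
         p = iodef.find("<Incident ", p + 1)) ++n;
    return n;
}
```

The IODEF layout (required IncidentID, ReportTime, Assessment and Contact per Incident; AdditionalData with dtype="xml" for content from another namespace) is the RFC 5070 structure that the CodeSynthesis-generated binding would expose as C++ types; in practice the CAPEC element would come from that enumeration's own schema rather than a placeholder namespace. On the wire, authenticating the provider to its customers before any feed is trusted is what BEEP's TLS tuning profile (RFC 3080) exists for; this model, like the transport, leaves that out.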
Source code
Cybiet is written in C++ and can be downloaded from SourceForge.
It should run on modern Linux distributions.