Official IDMEFv2 website: https://www.idmefv2.org
IDMEFv2 stands for Incident Detection Message Exchange Format.
IDMEFv2 defines a format to describe cyber and/or physical incidents, or events suspected of being part of an incident (events of interest).
Here are a few examples of IDMEFv2 use cases:
An IDMEFv2 message is composed of classes (Alert, Analyzer, Sensor, Source, Target, …) and attributes (CreateTime, StartTime, ID, IP, User, Protocol, Location, GeoLocation, …).
IDMEFv2 can be used in cyber detection management systems (anti-virus, firewall, SIEM (Security Information & Event Management), …) and in physical detection management systems (CCTV, badge readers, movement sensors, PSIM (Physical Security Information Management), …). It can also be used in combined environments with both cyber and physical detection.
This universal, unique format makes it possible to analyse and correlate multiple types of incidents together and to detect complex and/or combined incidents and attacks. IDMEFv2 is a response to the security needs of IoT (Internet of Things), IIoT (Industrial IoT) and all types of “Smart” architectures.
IDMEFv2 messages are described in JSON and transported over HTTPS.
Cyber Incident
A brute force attack has been detected by the SIEM server (siem.acme.com) on the root account of the www.acme.com server, located in rack 10 of Server Room A106, starting at 16:55 on the 10th of May 2021.
{
  "Version": "2.D.V01",
  "ID": "819df7bc-35ef-40d8-bbee-1901117370b2",
  "Description": "Potential bruteforce attack on root user account",
  "Priority": "Medium",
  "CreateTime": "2021-05-10T16:55:29.196408+00:00",
  "StartTime": "2021-05-10T16:55:29+00:00",
  "Category": [
    "Attempt.Login"
  ],
  "Analyzer": {
    "Name": "SIEM",
    "Hostname": "siem.acme.com",
    "Type": "Cyber",
    "Model": "K Radar 5.2",
    "Category": [
      "SIEM"
    ],
    "IP": "192.0.2.1"
  },
  "Sensor": [
    {
      "IP": "192.0.2.5",
      "Name": "syslog",
      "Hostname": "www.acme.com",
      "Model": "rsyslog 8.2110"
    }
  ],
  "Target": [
    {
      "IP": "192.0.2.2",
      "Hostname": "www.acme.com",
      "GeoLocation": "+48.75726,+2.299528,+65.1",
      "Location": "Server room A106, rack 10",
      "User": "root"
    }
  ]
}
Physical Incident
An intruder resembling John Doe has been detected and recognized (through biometric and AI methods) by the camera placed in the hallway to server room B24 at 16:52 on the 10th of May 2021. A picture captured by the camera is attached to the message.
{
  "Version": "2.D.V01",
  "ID": "819df7bc-35ef-40d8-bbee-1901117370b1",
  "Description": "Potential intruder detected",
  "Priority": "Low",
  "Status": "Incident",
  "Cause": "Malicious",
  "CreateTime": "2021-05-10T16:52:13.075994+00:00",
  "StartTime": "2021-05-10T16:52:13+00:00",
  "Category": [
    "Intrusion.Burglary"
  ],
  "Analyzer": {
    "Name": "CCTV Console",
    "Hostname": "cctv.acme.com",
    "Type": "Physical",
    "Model": "Gemetec Security Center 5.1",
    "Category": [
      "HAR",
      "FRC"
    ],
    "Data": [
      "Images"
    ],
    "Method": [
      "Movement",
      "Biometric",
      "AI"
    ],
    "IP": "192.0.2.1"
  },
  "Sensor": [
    {
      "IP": "192.0.2.2",
      "Name": "Camera #23",
      "Model": "Somy SNC-P5",
      "Location": "Hallway to server room B24"
    }
  ],
  "Vector": [
    {
      "Category": ["Man"],
      "Name": "John Doe",
      "Location": "Hallway to server room B24",
      "GeoLocation": "+48.75726,+2.299528,+65.1",
      "Attachment": ["pic01"]
    }
  ],
  "Attachment": [
    {
      "Name": "pic01",
      "Note": "Hi-res picture showing intruder near server room B24",
      "ExternalURI": ["ftps://192.0.2.1/cam23/20210510165211.jpg"],
      "ContentType": "image/jpeg"
    }
  ]
}
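The two messages above share a GeoLocation and start three minutes apart, which is exactly the kind of cyber/physical correlation the format is meant to enable. The following is an added example, not code from the IDMEFv2 project: it embeds abbreviated, constructed copies of the two sample messages and pairs Physical-analyzer messages with Cyber-analyzer messages that fall within a time window and a distance threshold (the 600 s window and 0.1 km radius are assumptions chosen for the demonstration).

```python
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed, abbreviated copies of the two sample messages above (only the fields used here).
CYBER = json.loads("""{"Version": "2.D.V01", "ID": "819df7bc-35ef-40d8-bbee-1901117370b2",
 "Category": ["Attempt.Login"], "StartTime": "2021-05-10T16:55:29+00:00",
 "Analyzer": {"Type": "Cyber"},
 "Target": [{"Hostname": "www.acme.com", "GeoLocation": "+48.75726,+2.299528,+65.1"}]}""")
PHYSICAL = json.loads("""{"Version": "2.D.V01", "ID": "819df7bc-35ef-40d8-bbee-1901117370b1",
 "Category": ["Intrusion.Burglary"], "StartTime": "2021-05-10T16:52:13+00:00",
 "Analyzer": {"Type": "Physical"},
 "Vector": [{"Name": "John Doe", "GeoLocation": "+48.75726,+2.299528,+65.1"}]}""")

def parse_geolocation(value):
    """Parse the IDMEFv2 GeoLocation string '+lat,+lon,+alt' into (lat, lon) floats."""
    lat, lon = value.split(",")[:2]
    return float(lat), float(lon)

def distance_km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def geolocations(msg):
    """Collect every GeoLocation carried by the Source, Target and Vector classes."""
    return [parse_geolocation(obj["GeoLocation"])
            for cls in ("Source", "Target", "Vector")
            for obj in msg.get(cls, []) if "GeoLocation" in obj]

def correlate(messages, window_s=600, max_km=0.1):
    """Pair each Physical-analyzer message with every Cyber-analyzer message that starts
    within window_s seconds of it and carries a GeoLocation within max_km of one of its own."""
    physical = [m for m in messages if m["Analyzer"]["Type"] == "Physical"]
    cyber = [m for m in messages if m["Analyzer"]["Type"] == "Cyber"]
    pairs = []
    for p in physical:
        t_p = datetime.fromisoformat(p["StartTime"])
        for c in cyber:
            dt = abs((datetime.fromisoformat(c["StartTime"]) - t_p).total_seconds())
            close = any(distance_km(gp, gc) <= max_km
                        for gp in geolocations(p) for gc in geolocations(c))
            if dt <= window_s and close:
                pairs.append({"Physical": p["ID"], "Cyber": c["ID"], "DeltaSeconds": dt})
    return pairs

if __name__ == "__main__":
    print(json.dumps(correlate([CYBER, PHYSICAL]), indent=1))
```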
The first version of IDMEFv2 is the result of a long process:
The SECEF2 team was working at the same time on the H2020 7Shield project (Cyber and Physical Threat Detection), so the very first version of IDMEFv2 (known in 7Shield as UAF, Universal Alert Format) was created during the 7Shield H2020 project and tested at full scale in 5 different pilots in Europe. About thirty technical modules (detection, correlation, display, etc.) of the 7Shield system architecture were able to communicate with each other through this format in a very effective and seamless way. This experimentation has proven the maturity of the format.
First drafts of IDMEFv2 have since been submitted to the IETF. IDMEFv2 is based on mature concepts: IDMEFv1, the ENISA threat classification, the IDEA format, etc. IDMEFv2 needs more experimentation and tuning, but it is ready for real-life implementation. To achieve an official RFC (Request For Comments), the IDMEFv2 draft now has to enter an official standardization process through the creation of a dedicated Working Group. To obtain that, the Safe4Soc consortium must prove that the format is running in at least two implementations and that there is a sufficient team and resources to go all the way to standardization.