Project

General

Profile

IDMEF Assessment Zoom

Whole Diagram

Alert


The Assessment Class

The Assessment class is used to provide the analyzer's assessment of an event -- its impact, actions taken in response, and confidence.

The Assessment class is composed of three aggregate classes:

  • Impact

Zero or one. The analyzer's assessment of the impact of the event on the target(s).

  • Action

Zero or more. The action(s) taken by the analyzer in response to the event.

  • Confidence

Zero or one. A measurement of the confidence the analyzer has in its evaluation of the event.

The Impact Class

The Impact class is used to provide the analyzer's assessment of the impact of the event on the target(s).

The Impact class has three attributes:

  • severity

An estimate of the relative severity of the event. The permitted values are shown below. There is no default value.

Rank Keyword Description
0 info Alert represents informational activity
1 low Low severity
2 medium Medium severity
3 high High severity
  • completion

An indication of whether the analyzer believes the attempt that the event describes was successful or not. The permitted values are shown below. There is no default value.

Rank Keyword Description
0 failed The attempt was not successful
1 succeeded The attempt succeeded
  • type

The type of attempt represented by this event, in relatively broad categories. The permitted values are shown below. The default value is "other".

Rank Keyword Description
0 admin Administrative privileges were attempted or obtained
1 dos A denial of service was attempted or completed
2 file An action on a file was attempted or completed
3 recon A reconnaissance probe was attempted or completed
4 user User privileges were attempted or obtained
5 other Anything not in one of the above categories

All three attributes are optional. The element itself may be empty, or may contain a textual description of the impact, if the analyzer is able to provide additional details.

The Action Class

The Action class is used to describe any actions taken by the analyzer in response to the event.

Action has one attribute:

  • category

The type of action taken. The permitted values are shown below. The default value is "other".

Rank Keyword Description
0 block-installed A block of some sort was installed to prevent an attack from reaching its destination. The block could be a port block, address block, etc., or disabling a user account.
1 notification-sent A notification message of some sort was sent out-of-band (via pager, e-mail, etc.). Does not include the transmission of this alert.
2 taken-offline A system, computer, or user was taken offline, as when the computer is shut down or a user is logged off.
3 other Anything not in one of the above categories.

The element itself may be empty, or may contain a textual description of the action, if the analyzer is able to provide additional details.

The Confidence Class

The Confidence class is used to represent the analyzer's best estimate of the validity of its analysis.

The Confidence class has one attribute:

  • rating

The analyzer's rating of its analytical validity. The permitted values are shown below. The default value is "numeric".

Rank Keyword Description
0 low The analyzer has little confidence in its validity
1 medium The analyzer has average confidence in its validity
2 high The analyzer has high confidence in its validity
3 numeric The analyzer has provided a posterior
probability value indicating its confidence in its validity

This element should be used only when the analyzer can produce meaningful information. Systems that can output only a rough heuristic should use "low", "medium", or "high" as the rating value. In this case, the element content should be omitted.

Systems capable of producing reasonable probability estimates should use "numeric" as the rating value and include a numeric confidence value in the element content. This numeric value should reflect a posterior probability (the probability that an attack has occurred given the data seen by the detection system and the model used by the system). It is a floating point number between 0.0 and 1.0, inclusive. The number of digits should be limited to those representable by a single precision floating point value.

NOTE: It should be noted that different types of analyzers may compute confidence values in different ways and that in many cases, confidence values from different analyzers should not be compared (for example, if the analyzers use different methods of computing or representing confidence, or are of different types or configurations). Care should be taken when implementing systems that process confidence values (such as event correlators) not to make comparisons or assumptions that cannot be supported by the system's knowledge of the environment in which it is working.

Assessment Zoom.svg View - IDMEF UML Diagram Assessment Zoom (40 KB) Vérène Houdebine, 05/07/2015 11:20 AM

Assessment Zoom.svg View - IDMEF UML Diagram Assessment Zoom (43.9 KB) Sélim Menouar, 06/04/2015 12:04 PM