Skip to content
Home ยป IDMEFv2 in a nutshell

IDMEFv2 in a nutshell

Introduction

IDMEFv2 stands for Incident Detection Message Exchange Format.

IDMEFv2 defines a format to describe cyber and/or physical incidents or events suspected to participate to an incident (events of interest).

Here are few examples of IDMEFv2 use case:

  • a virus has been detected in a mail,
  • an intruder is trying to enter a building,
  • a server is not responding probably down,
  • a recon scan has been detected on the web server,
  • an abnormal temperature has been detected in the datacenter and server might have stopped,
  • multiple failed authentication on the financial server in the middle of the night,
  • a drone has been detected flying around the building,
  • a high temperature wave is predicted next week which might cause power outage,
  • etc.

An IDMEFv2 message is composed of classes (Alert, Analyzer, Sensor, Source, Target, โ€ฆ) and attributes ( CreateTime, StartTime, ID, IP, user, protocol, Location, GeoLocation, โ€ฆ)

IDMEFv2 can be used in cyber detection management system (Anti-virus, Firewall, SIEM (Security Information & Event Management), ..) and in physical detection management system (CCTV, Badger, movement sensor, PSIM (Physical Security Information Management), โ€ฆ). It can also be used in combined environment with cyber and physical detection.

This universal and unique format allows to analyse and correlate multiple types of incidents together and detect complex and/or combined incidents and/or attacks. IDMEFv2 is a response to the security of IoT(Internet of Things) and IIoT (Industrial IoT) and all type of โ€œSmartโ€ Architectures.

IDMEFv2 can be describe in JSON and transported over HTTPs

Examples

Cyber Incident

A brute force attack has been detected by the SIEM server (siem.acme.com) on root account of www.acme.com server located rack 10 in Server Room A106 starting at 16h55 the 10th of May 2021.

{
     "Version": "2.D.V01",
     "ID": "819df7bc-35ef-40d8-bbee-1901117370b2",
     "Description": "Potential bruteforce attack on root user account",
     "Priority": "Medium",
     "CreateTime": "2021-05-10T16:55:29.196408+00:00",
     "StartTime": "2021-05-10T16:55:29+00:00",
     "Category": [
       "Attempt.Login"
     ],
     "Analyzer": {
       "Name": "SIEM",
       "Hostname": "siem.acme.com",
       "Type": "Cyber",
       "Model": "K Radar 5.2",
       "Category": [
         "SIEM",
       ],
       "IP": "192.0.2.1"
     },
     "Sensor": [
       {
         "IP": "192.0.2.5",
         "Name": "syslog",
         "Hostname": "www.acme.com",
         "Model": "rsyslog 8.2110",
       }
     ],
     "Target": [
       {
         "IP": "192.0.2.2",
         "Hostname": "www.acme.com",
         "GeoLocation": "+48.75726,+2.299528,+65.1",
         "Location": "Server room A106, rack 10",
         "User": "root"
       },
     ]
   }

Physical incident

An intruder, looking like John Doe, has been detected and recognized (through biometric and AI method) by the camera placed in the hallway to server room B24 at 16h52 the 10th of May 2021. A picture captured by the camera is joint to the message.

{
     "Version": "2.D.V01",
     "ID": "819df7bc-35ef-40d8-bbee-1901117370b1",
     "Description": "Potential intruder detected",
     "Priority": "Low",
     "Status": "Incident",
     "Cause": "Malicious",
     "CreateTime": "2021-05-10T16:52:13.075994+00:00",
     "StartTime": "2021-05-10T16:52:13+00:00",
     "Category": [
       "Intrusion.Burglary"
     ],
     "Analyzer": {
       "Name": "CCTV Console",
       "Hostname": "cctv.acme.com",
       "Type": "Physical",
       "Model": "Gemetec Security Center 5.1",
       "Category": [
         "HAR",
         "FRC"
       ],
       "Data": [
         "Images"
       ],
       "Method": [
         "Movement",
         "Biometric",
         "AI"
       ],
       "IP": "192.0.2.1"
     },
     "Sensor": [
       {
         "IP": "192.0.2.2",
         "Name": "Camera #23",
         "Model": "Somy SNC-P5",
         "Location": "Hallway to server room B24"
       }
     ],
     "Vector": [
       {
         "Category": ["Man"],
         "Name": "John Doe",
         "Location": "Hallway to server room B24",
         "GeoLocation": "+48.75726,+2.299528,+65.1",
         "Attachment": ["pic01"]
       }
     ],
     "Attachment": [
       {
         "Name": "pic01",
         "Note": "Hi-res picture showing intruder near server room B24",
         "ExternalURI": ["ftps://192.0.2.1/cam23/20210510165211.jpg"],
         "ContentType": "image/jpg"
       }
     ]
   }

IDMEFv2 Use case

IDMEFv2 is a universal format for cyber and physical systems.

It has been defined in a consortium composed of academic and industrial incident detection experts. The first draft has been deployed and tested in real scale on ground segment infrastructure on a large international research project during two years, the 7Shield project. IDMEFv2 is well fitted for critical infrastructure and sensitive site.

By combining cyber and physical incidents as well as natural hazards, IDMEFv2 shoud also be a good choice for smart systems and particularly for autonomous vehicles.

IDMEFv2 evolution

The first IDMEFv2 Draft V01 has been submitted to the IETF the 16th of april 2023 with the aim to start a standardization process. The consortium is now opened to external contribution and comments. Please see how to join the project :