A Query Facility for Common Intrusion Detection Framework

It is essential for intrusion detection systems to share information in order to discover attacks involving multiple sites. The Common Intrusion Detection Framework (CIDF) is an important step towards enabling different intrusion detection and response (IDR) components to interoperate with each other. Although CIDF provides an infrastructure and language support that allows an IDR component to understand the information sent by another component, it does not contain a facility for a component to request specific information from other components. The lack of such a facility may result in a waste of processing time, storage capacity, and network bandwidth. This paper proposes an extension to the Common Intrusion Specification Language (CISL), the language adopted by CIDF, to model requests among CIDF components. The extension is simple and consistent with the original CISL. Each request for information is described as a pattern for the relevant information and an optional format specification for the responding message. The use of patterns in modeling requests not only provides a way to represent queries but also leads to a potential reuse of signature-based intrusion detection software.