MILE T. Takahashi Internet-Draft NICT Intended status: Standards Track R. Danyliw Expires:July 15,September 19, 2018 CERT M. Suzuki NICTJanuary 11,March 18, 2018 JSON binding of IODEFdraft-ietf-mile-jsoniodef-02draft-ietf-mile-jsoniodef-03 AbstractRFC 7970 [RFC7970] provides XML-based data representation on incident information, but the use of the IODEFRFC7970 specified an information model and a corresponding XML data modelis not limited to XML. JSON representation is sometimes preferred since it is easy to handle from certain programming environments.for exchanging incident and indicator information. This draftrepresents the IODEFprovides an alternative data model implementation in JSON. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire onJuly 15,September 19, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . .42 1.1. Requirements Language . . . . . . . . . . . . . . . . . .43 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . .43 2.1.Integers . . . . . . . . . . . . . . . . . .Abstract Data Type to JSON Data Type Mapping . . . . . .43 2.2.Real Numbers . . . . . . . . . . . . . . . . . . . .Complex JSON Types . .4 2.3. Characters and Strings. . . . . . . . . . . . . . . . . 42.4.2.2.1. Multilingual Strings . . . . . . . . . . . . . . . . 4 2.2.2. Software . .5 2.5. Binary Strings .. . . . . . . . . . . . . . . . . . . . 52.5.1. Base64 Bytes .2.2.3. StructuredInfo . . . . . . . . . . . . . . . . . . . 52.5.2. Hexadecimal Bytes3. IODEF JSON Data Model . . . . . . . . . . . . . . . . . .5 2.6. Enumerated Types. . 5 3.1. Classes and Elements . . . . . . . . . . . . . . . . . . 52.7. Date-Time String . . .3.2. Mapping between JSON and XML IODEF . . . . . . . . . . . 16 4. Examples . . . . . .5 2.8. Timezone String. . . . . . . . . . . . . . . . . . . . 16 4.1. Minimal Example .6 2.9. Port Lists. . . . . . . . . . . . . . . . . . . . 17 4.2. Indicators from a Campaign . . .6 2.10. Postal Address. . . . . . . . . . . . 17 5. The IODEF Data Model (JSON Schema) . . . . . . . . .6 2.11. Telephone Number. . . . 19 6. Acknowledgements . . . . . . . . . . . . . . . .6 2.12. Email String. . . . . . 38 7. IANA Considerations . . . . . . . . . . . . . . . .6 2.13. Uniform Resource Locator Strings. . . . . 38 8. Security Considerations . . . . . . .6 2.14. Identifiers and Identifier References. . . . . . . . . .7 2.15. Software. . 38 9. Normative References . . . . . . . . . . . . . . . . . . . . 38 Authors' Addresses . .7 2.16. StructuredInfo. . . . . . . . . . . . . . . . . . . . .7 3. The38 1. Introduction [RFC7970] defines a data representation for security incident reports and indicators commonly exchanged by operational security teams. It facilitates the automated exchange of this information to enable mitigation and watch-and-warning. Section 3 of [RFC7970] defined an information model using Unified Modeling Language (UML) and a corresponding Extensible Markup Language (XML) schema data model in Section 8. This UML-based information model and XML-based data model are referred to as IODEFInformation ModelUML and IODEF XML, respectively in this document. This document defines an alternate implementation of the IODEF UML information model by specifying a JavaScript Object Notation (JSON) data model using JSON. . . . . . . . . . . . . 8 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 8 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 8 3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 9 3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 9 3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 9 3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 9 3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 10 3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 10 3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 11 3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 11 3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 11 3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 12 3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 12 3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 12 3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 13 3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 13 3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 14 3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 14 3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 15 3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 15 3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 15 3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 16 3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 16 3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 17 3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 17 3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 17 3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 18 3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 18 3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 19 3.16. System Class . . . . . . . . . . . . . . . . . . . . . . 19 3.17. Node Class . . . . . . . . . . . . . . . . . . . . . . . 20 3.17.1. Address Class . . . . . . . . . . . . . . . . . . . 20 3.17.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 20 3.17.3. Counter Class . . . . . . . . . . . . . . . . . . . 21 3.18. DomainData Class . . . . . . . . . . . . . . . . . . . . 21 3.18.1. Nameserver Class . . . . . . . . . . . . . . . . . . 22 3.18.2. DomainContacts Class . . . . . . . . . . . . . . . . 22 3.19. Service Class . . . . . . . . . . . . . . . . . . . . . . 22 3.19.1. ServiceName Class . . . . . . . . . . . . . . . . . 23 3.19.2. EmailData Class . . . . . . . . . . . . . . . . . . 23 3.19.3. RecordData Class . . . . . . . . . . . . . . . . . . 24 3.19.4. RecordPattern Class . . . . . . . . . . . . . . . . 24 3.20. WindowsRegistryKeysModified Class . . . . . . . . . . . . 24 3.20.1. Key Class . . . . . . . . . . . . . . . . . . . . . 25 3.21. CertificateData Class . . . . . . . . . . . . . . . . . . 25 3.21.1. Certificate Class . . . . . . . . . . . . . . . . . 26 3.22. FileData Class . . . . . . . . . . . . . . . . . . . . . 26 3.22.1. File Class . . . . . . . . . . . . . . . . . . . . . 26 3.23. HashData Class . . . . . . . . . . . . . . . . . . . . . 27 3.23.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 27 3.23.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 27 3.24. Indicator Class . . . . . . . . . . . . . . . . . . . . . 28 3.24.1. IndicatorID Class . . . . . . . . . . . . . . . . . 29 3.24.2. AlternativeIndicatorID Class . . . . . . . . . . . . 29 3.24.3. Observable Class . . . . . . . . . . . . . . . . . . 29 3.24.4. BulkObservable Class . . . . . . . . . . . . . . . . 30 3.24.5. BulkObservableFormat Class . . . . . . . . . . . . . 30 3.24.6. IndicatorExpression Class . . . . . . . . . . . . . 31 3.24.7. IndicatorReference Class . . . . . . . . . . . . . . 31 3.24.8. AttackPhase Class . . . . . . . . . . . . . . . . . 31 4. Notable differences from RFC 7970 . . . . . . . . . . . . . . 32 5. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 32 5.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 33 5.2. Indicators from a Campaign . . . . . . . . . . . . . . . 33 6. The IODEF Data Model (JSON Schema) . . . . . . . . . . . . . 35 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 54 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 54 9. Security Considerations . . . . . . . . . . . . . . . . . . . 54 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 54 10.1. Normative References . . . . . . . . . . . . . . . . . . 54 10.2. Informative References . . . . . . . . . . . . . . . . . 54 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 55 1. Introduction RFC 7970 [RFC7970] defines an data model for sharing incident information. It facilitates automated exchange of information among parties over networks. The data model can be implemented in a form of XML, but it is not always suitable for implementation. JSON-based representation is often useful. Therefore, in this document, we provide a means to represent IODEF data model in JSON. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. IODEF Data Types The IODEF Data Types, defined in RFC 7970 [RFC7970]are used for the JSON IODEF, with some syntax changes for some of the types. 2.1. Integers An integer is represented in the information model by the INTEGER data type. Integer data MUST be encoded in Base 10, and is implemented as an "integer" type per JSON schema [jsonschema]. 2.2. Real Numbers A real (floating-point) number is represented in the information model by the REAL data type. Real data MUST be encoded in Base 10, and is implemented in the data model as an "number" type per JSON schema [jsonschema]. 2.3. Characters and Strings A single character is represented in the information model by the CHARACTER data type. A string is represented by the STRING data type. Special characters MUST be encoded using entity references.The CHARACTER and STRING data types are implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.4. Multilingual Strings A string that needs to be represented in a human-readable language different than the default encoding of the document is represented in the information model by the ML_STRING data type. This data type is implemented as an object with "value", "lang", and "translation-id" elements as defined in Section 6. Examples are shown below. "MLStringType": { "value": "free-form text", //STRING "lang": "en", //ENUM "translation-id": "jp2en0023" //STRING } 2.5. Binary Strings 2.5.1. Base64 Bytes A binary octet encoded with base64 is represented in the information model by the BYTE data type. A sequence of these octets is of the BYTE[] data type. The BYTE and BYTE[] data types are implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.5.2. Hexadecimal Bytes A binary octet encoded as a character tuple consistent of two hexadecimal digits is represented in the information model by the HEXBIN data type. A sequence of these octets is of the HEXBIN[] data type. The HEXBIN and HEXBIN[] data types are implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.6. Enumerated Types An enumerated type is represented in the information model by the ENUM data type. It is an ordered list of acceptable string values. Each value has a representative keyword. The ENUM data type is implemented in the data model as values of an enum array per JSON schema [jsonschema]. 2.7. Date-Time String A date-time string that describes a particular instant in time is represented in the information model by the DATETIME data type. Ranges are not supported. The DATETIME data type is implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.8. Timezone String A timezone offset from UTC is represented in the information model by the TIMEZONE data type. It is formatted according to the following regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]". The TIMEZONE data type is implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.9. Port Lists A list of network ports is represented in the information model by the PORTLIST data type. A PORTLIST consists of a comma-separated list of numbers and ranges (N-M means ports N through M, inclusive). It is formatted according to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example, "2,5-15,30,32,40-50,55-60". The PORTLIST data type is implemented in the data model as an "string" type per JSON schema [jsonschema] 2.10. Postal Address A postal address is represented in the information model by the POSTAL data type. The format of the POSTAL data type is documented in Section 2.23 of [RFC4519] as a free-form multi-line string separated by the "$" character. The POSTAL data type is implemented in the data model as the aforementioned ML_STRING type. 2.11. Telephone Number A telephone number is represented in the information model by the PHONE data type. The format of the PHONE data type is documented in [E.164]. The PHONE data type is implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.12. Email String An email address is represented in the information model by the EMAIL data type. The format of the EMAIL data type is documented in Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531]. The EMAIL data type is implemented in the data model as an "string" type per JSON schema [jsonschema]. 2.13. Uniform Resource Locator Strings A uniform resource locator (URL) is represented in the information model by the URL data type. The format of the URL data type is documented in [RFC3986]. The URL data type is implemented as an "string" type per JSON schema [jsonschema]. 2.14. Identifiers and Identifier References An identifier unique to the IODEF document is represented in the information model by the ID data type. A reference to this identifier is represented by the IDREF data type. These data types are implemented in the model as an "string" type per JSON schema [jsonschema]. 2.15. Software A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, a URL, or with free-form text. The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", "Description", and "Description_ML" elements as defined in Section 6. Examples are shown below. "SoftwareType": { "SoftwareReference": {...}, //SoftwareReference "Description": ["MS Windows"], //STRING } 2.16. StructuredInfo Information provided in a form of structured string, such as ID, or structured information, such as XML documents, is represented in the information model by the StructuredInfo data type. Note that this type was originally specified in RFC7203. The StructuredInfo data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", "RawData", "Reference" elements. An example for embedding a structured ID is shown below. "StructuredInformation": { "SpecID": "cve", //ENUM "ContentID": "CVE-2007-5000", //STRING } When embedding the raw data, base64 conversion should be used for encoding the data, as shown below. "StructuredInformation": { "SpecID": "oval", //ENUM "RawData": "<<<strings encoded with base64>>>", //BYTE } 3. The IODEF Information Model in JSON The data model of IODEF is defined in RFC 7970 [RFC7970], and this section illustrates their representations in JSON. Note that the complete JSON schema is defined in Section 6. 3.1. IODEF-Document Class This class is the top level class in the IODEF data model. Its class elements and an example are shown below. See Section 3.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: version, lang?, format-id?, private-enum-name?, private-enum-id?, Incident+, AdditionalData* Example: "IODEF-Document": { "version": "2.1", //STRING "lang": "en", //ENUM "format-id": "RFC7970-json", //STRING "Incident": [ ... ] //Incident } 3.2. Incident Class The Incident class describes commonly exchanged information when reporting or sharing derived analysis from security incidents. Its class elements and an example are shown below. See Section 3.2 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: purpose, ext-purpose?, status?, ext-status?, lang?, restriction?, ext-restriction?, observable-id?, IncidentID, AlternativeID?, RelatedActivity*, DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?, GenrationTime?, Description*, Description_ML*, Discovery*, Assessment*, Method*, Contact+, EventData*, Indicator*, History?, AdditionalData* Example: "Incident": { "purpose": "reporting", //ENUM "lang": "en", //STRING "restriction": "green", //ENUM "IncidentID": { ... }, //IncidentID Class "RelatedActivity": [ ... ], //RelatedActivity Class "GenerationTime": "2015-10-02T11:18:00-05:00", //DateTime "Description": ["Incident in the HQ"], //STRING "Assessment": [ ... ], //Assessment "Method": [ ... ], //Method "Contact": [ ... ] //Contact "EventData": [ ... ], //EventData "Indicator": { ... } //Indicator "History": { ... }, //History "AdditionalData": [ ... ], //AdditionalData } 3.3. Common Attributes There are a number of recurring attributes used in the information model. They are documented in this section. 3.3.1. restriction Attribute RFC 7970 [RFC7970] defines the restriction Attribute as one of common attributes. It is defined as below: "restriction":{"enum": ["public", "partner", "need-to-know", "private", "default", "white", "green", "amber", "red", "ext-value"]} Note that you must use "ext-restriction" field (STRING type) when the value of "restriction" field is set to "ext-value". 3.3.2. observable-id Attribute RFC 7970 [RFC7970] defines the observable-id attribute as one of common attributes. The value of this attribute is a unique identifier, in string type, in the scope of the document.It is defined as below: 3.4. IncidentID Class The class elements and an example are shown below. See Section 3.4 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: id, name, instance?, restriction?, ext-restriction? Example: "IncidentID": { "id": "nict20150518-0001", // STRING "name": "NICT_cert", // STRING "instance": "cyberlab" // STRING "restriction": "ext-value" // ENUM "ext-restriction": "registration required" // STRING } 3.5. AlternativeID Class The class elements and an example are shown below. See Section 3.5 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, IncidentID+ Example: "AltervativeID": { "restriction": "private", //ENUM "IncidentID": [<<<omitted>>>] //IncidentID } 3.6. RelatedActivity Class The class elements and an example are shown below. See Section 3.6 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, IncidentID*, URL*, ThreatActor*, Campaign*, IndicatorID*, Confidence?, Description*, AdditionalData* Example: "RelatedActivity": { "restriction": "private", //ENUM "ThreatActor": [{...}], //ThreatActor class "Campaign": [{...}] //Campaign class } 3.7. ThreatActor Class The class elements and an example are shown below. See Section 3.7 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, ThreatActorID*, URL*, Description*, Description_ML*, AdditionalData* Example: "ThreatActor": { "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", //STRING "Description": ["Aggressive Butterfly"] //STRING } 3.8. Campaign Class The class elements and an example are shown below. See Section 3.8 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, CampaignID*, URL*, Description*, Description_ML*, AdditionalData* Example: "Campaign": { "CampaignID": "C-2015-59405", //STRING "Description": ["Orange Giraffe"] //STRING } 3.9. Contact Class The class elements and an example are shown below. See Section 3.9 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: role, ext-role?, type, ext-type?, restriction?, ext-restriction?, ContactName*,ContactName_ML*, ContactTitle*, ContactTitle_ML*, Description*, Description_ML*, RegistryHandle*, PostalAddress*, Email*, Telephone*, Timezone?, Contact*, AdditionalData* Example: "Contact": { "role": "creator", //ENUM "type": "organization", //ENUM "ContactName": {"value":"CSIRT for example.com"}, //STRING "ContactTitle": {"value":"Senior Research Engineer"} //STRING "email": {...}, //Email Class "Telephone": {...}, //Telephone Class "Timezone": "+09:00" //TIMEZONE } 3.9.1. RegistryHandle Class The class elements and an example are shown below. See Section 3.9.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: handle, registry, ext-registry? Example: "RegistryHandle": { "handle": "MyAPNIC", //STRING "registry": "apnic", //ENUM } 3.9.2. PostalAddress Class The class elements and an example are shown below. See Section 3.9.2 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: type?, ext-type?, PAddress, Description*, Description_ML* Example: "PostalAddress": { "type": "mailing", //ENUM "PAddress": "1-2-3 Kitamachi Koganei Tokyo, Japan", //POSTAL "Description": ["Office address"] //STRING }, 3.9.3. Email Class The class elements and an example are shown below. See Section 3.9.3 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: type?, ext-type?, EmailTo, Description*, Description_ML* Example: "Email": { "type": "direct", //ENUM "emailTo": "contact@csirt.example.com", //EMAIL "Description": ["Administrator's address"] //STRING }, 3.9.4. Telephone Class The class elements and an example are shown below. See Section 3.9.4 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: type?, ext-type?, TelephoneNumber, Description*, Description_ML* Example: "Telephone": { "type": "wired", //ENUM "TelephoneNumber": "+818012345678", //PHONE "Description": ["Admin's moble"] //STRING }, 3.10. Discovery Class The class elements and an example are shown below. See Section 3.10 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: source?, ext-source?, restriction?, ext-restriction?, Description*, Description_ML*, Contact*, DetectionPattern* Example: "Discovery": { "source": "nidps", //ENUM "restriction": "need-to-know" //ENUM "Contact": {...}, //Contact class "DetectionPattern": {...}, //DetectionPattern class "Description":["IDS provided an alert"] //STRING } } 3.10.1. DetectionPattern Class The class elements and an example are shown below. See Section 3.10.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, observable-id?, Application, Description*, Description_ML*, DetectionConfiguration* Example: "DetectionPattern": { "Application": {...}, //SOFTWARE "Description": ["The specified application needs to be reviewed"], //STRING } } 3.11. Method Class The class elements and an example are shown below. See Section 3.11 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, Reference*, Description*, Description_ML*, AttackPattern*, Vulnerability*, Weakness* Example: "Method": { "AttackPattern": {...} //StructuredInfo "Vulnerability": {...} //StructuredInfo } 3.11.1. Reference Class The class elements and an example are shown below. See Section 3.11.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: observable-id?, ReferenceName?, URL*, Description*, Description_ML* Example: "Reference":{ "URL":"http://www.nict.go.jp" //URL } 3.12. Assessment Class The class elements and an example are shown below. See Section 3.12 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: occurence?, restriction?, ext-restriction?, observable-id?, IncidentCategory*, SystemImpact*, BusinessImpact*, TimeImpact*, MonetaryImpact*, IntendedImpact*, Counter*, MitigationFactor*, MitigationFactor_ML*, Cause*, Cause_ML*, Confidence?, AdditionalData* Example: "Assessment": { "SystemImpact": {...}, //SystemImpact class "BusinessImpact": {...}, //BusinessImpact class "TimeImpact": {...}, //TimeImpact class "MonetaryImpact": {...}, //MonetaryImpact class "IntendedImpact": {...}, //IntendedImpact class "Counter": "5", //Counter class "MitigationFactor": ["Rebooting is required"] //STRING "Cause": ["Malware Infection"] //STRING } } 3.12.1. SystemImpact Class The class elements and an example are shown below. See Section 3.12.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: severity?, completion?, type, ext-type?, Description*, Description_ML* Example: "SystemImpact":{ "severity":"high", //ENUM "completion": "successful" //ENUM "type":"integrity-data" //ENUM "Description": ["The web page was falsified"] //STRING }, 3.12.2. BusinessImpact Class The class elements and an example are shown below. See Section 3.12.2 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: severity?, ext-severity?, type, ext-type?, Description*, Description_ML* Example: "BusinessImpact": { "severity":"medium", //ENUM "completion": "successful" //ENUM "type": "degraded-reputation" //ENUM "Description": ["The web page was falsified"] //STRING } 3.12.3. TimeImpact Class The class elements and an example are shown below. See Section 3.12.3 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: value, severity?, metric, ext-metric?, duration?, ext-duration? Example: "TimeImpact":{ "time": "240" //REAL "metric": "elapsed" //ENUM "duration": "minutes" //ENUM } 3.12.4. MonetaryImpact Class The class elements and an example are shown below. See Section 3.12.4 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: value, severity?, currency? Example: "MonetaryImpact":{ "money": "10000", //REAL "severity": "medium", //ENUM "currency": "USD", //STRING } 3.12.5. Confidence Class The class elements and an example are shown below. See Section 3.12.5 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: value, rating, ext-rating? Example: "Confidence": { "value": "5" //REAL "rating": "medium" //ENUM } 3.13. History Class The class elements and an example are shown below. See Section 3.13 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, HistoryItem+ Example: "History": { "restriction": "need-to-know" //ENUM "HistoryItem": { ... } //HistoryItem class }, 3.13.1. HistoryItem Class The class elements and an example are shown below. See Section 3.13.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: action, ext-action?, restriction?, ext-restriction?, observable-id?, DateTime, IncidentID?, Contact?, Description*, Description_ML*, DefinedCOA*, AdditionalData* Example: "HistoryItem": { "action": "investigate" //ENUM "restriction": "need-to-know" //ENUM "DateTime": "2015-10-15T11:18:00-05:00", //DateTime "IncidentID" { ...}, //IncidentID class } 3.14. EventData Class The class elements and an example are shown below. See Section 3.14 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: restriction?, ext-restriction?, observable-id?, Description*, Description_ML*, DetectTime?, StartTime?, EndTime?, RecoveryTime?, ReportTime?, Contact*, Discovery*, Assessment?, Method*, Expectation*, RecordData*, EventData*, AdditionalData* Example: "EventData": { "ReportTime": "2016-06-01 18:05:33", "Contact": { ...}, //Contact class "Assessment": { ...}, //Assessment class "Method": { ...}, //Method class "System": { ... }, //System class "Expectation": { ...}, //Expectation class 3.15. Expectation Class The class elements and an example are shown below. See Section 3.15 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: action?, ext-action?, severity?, restriction?, ext-restriction?, Description*, Description_ML*, DefinedCOA*, StartTime?, EndTime?, Contact? Example: "Expectation": { "action": "investigate" //ENUM "severity": "medium" //ENUM "restriction": "need-to-know" //ENUM }, 3.16. System Class The class elements and an example are shown below. See Section 3.17 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: category?, ext-category?, interface?, spoofed?, virtual?, ownership?, ext-ownership?, restriction?, ext-restriction?, Node, NodeRole*, Service*, OperatingSystem*, Counter*, AssetID*, Description*, Description_ML*, AdditionalData* Example: "System": { "category": "source", //ENUM "Node": { ... }, //Node class "Service": { ... }, //Service class }, 3.17. Node Class The class elements and an example are shown below. See Section 3.18 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: DomainData*, Address*, PostalAddress?, Location*, Location_ML*, Counter* Example: "Node": { "Address": { ... }, //Address class "Location": ["OrgID=7"] //STRING } 3.17.1. Address Class The class elements and an example are shown below. See Section 3.18.1 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: value, category, ext-category?, vlan-name?, vlan-num?, observable-id? Example: "Address": { "value": """192.228.139.118", //STRING "category": "ipv4-addr", //ENUM }, 3.17.2. NodeRole Class The class elements and an example are shown below. See Section 3.18.2 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: category, ext-category?, Description*, Description_ML* Example: "NodeRole": { "category": "client" //ENUM "Description": ["The computer at room A"] //STRING }, 3.17.3. Counter Class The class elements and an example are shown below. See Section 3.18.3 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: value, type, ext-type?, unit, ext-unit?, meaning?, meaning_ML?, duration?, ext-duration? Example: "Counter": { "value": "3", //REAL "type": "count", //ENUM "unit": "packet", //ENUM "meaning": "The number of scan packets are counted" //STRING } 3.18. DomainData Class The class elements and an example are shown below. See Section 3.19 of RFC 7970 [RFC7970] for the intended meanings of these elements. Class elements: system-status, ext-system-status?, domain-status, ext-domain-status?, observable-id?, Name, DateDomainWasChecked?, RegistrationDate?, ExpirationDate?, RelatedDNS*, Nameservers*, DomainContacts? Example: "DomainData": { "system-status": "innocent-hacked", //ENUM "domain-status": "assignedAndInactive", //STRING "Name": "temp1.nict.go.jp" //STRING }, 3.18.1. Nameserver Class This class is defined in Section 3.19.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: Server, Address* Example: "NameServers": { "Server": "vgw.nict.go.jp", //STRING "Address": { "AddressValue": "133.243.18.5", //STRING "category": "ipv4-addr" //ENUM } } 3.18.2. DomainContacts Class This class is defined in Section 3.19.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: SameDomainContact?, Contact+ Example: "DomainContacts": { "Contact": { "role": "user", //ENUM "type": "organization" //ENUM } } 3.19. Service Class This class is defined in Section 3.20 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: ip-protocol?, observable-id?, ServiceName?, Port?, Portlist?, ProtoCode?, ProtoType?, ProtoField?, ApplicationHeaderField+, EmailData?, Application? Example: "Service": { "ServiceName": { "Description": ["It seems to be a scan from an infected machine."] }, "ip-protocol": 6, //INTEGER "Port": 49183 //INTEGER } 3.19.1. ServiceName Class This class is defined in Section 3.20.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: IANAService?, URL*, Description*, Description_ML* Example: "ServiceName": { "IANAService": "telnet" //STRING "URL": "https://en.wikipedia.org/wiki/Telnet" //STRING "Description":["It is a scan from an infected machine."]//STRING }, 3.19.2. EmailData Class This class is defined in Section 3.21 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: observable-id?, EmailTo*, EmailFrom?, EmailSubject?, EmailX-Mailer?, EmailHeaderField*, EmailHeaders?, EmailBody?, EmailMessage?, HashData*, Signature* Example: "EmailData":{ "EmailTo": "user1@example.org" //EMAIL "EmailFrom": "user2@example.com" //EMAIL "EmailSubject": "example email" //STRING "EmailX-Mailer": "example mailer v1.1.0" //STRING "EmailBody": "example email" //STRING } Note that Signature element in this class contains base64 encoded form of signature as described in Section 4.2 of [W3C.XMLSIG]. 3.19.3. RecordData Class This class is defined in Section 3.22.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, observable-id?, DateTime?, Description*, Description_ML*, Application?, RecordPattern*, RecordItem*, URL*, FileData*, WindowsRegistryKeysModified*, CertificateData*, AdditionalData* Example: "RecordData": { "RecordPattern": { "type": "regex", "value": "[0-9][A-Z]" } }, 3.19.4. RecordPattern ClassSchema [jsonschema]. ThisclassJSON data model isdefined in Section 3.22.2 of RFC 7970 [RFC7970]. The example below represents howreferred todescribe this class in JSON. Class elements: type, ext-type?, offset?, offsetunit?, ext-offsetunit?, instance?, value Example: "RecordPattern": { "type": "regex", "value": "[0-9][A-Z]" }, 3.20. WindowsRegistryKeysModified Class This class is definedas IODEF JSON inSection 3.23 of RFC 7970 [RFC7970]. The example below represents how to describethisclass in JSON. Class elements: observable-id?, Key+ Example: "WindowsRegistryKeysModified": { "Key": { "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING "KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING } } 3.20.1. Key Class This class is defined in Section 3.23.1document. IODEF JSON provides all ofRFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: registryaction?, ext-registryaction?, observable-id?, KeyName, KeyValue? Example: "Key": { "KeyValue": "xxxxxxxxxxxxxxxxxxxxxxx", //STRING "KeyName":"HKEY_LOCAL_MACHINExxxxxxx", //STRING } 3.21. CertificateData Class This class is defined in Section 3.24the expressivity ofRFC 7970 [RFC7970]. The example below represents howIODEF XML. It gives implementers and operators an alternative format todescribe this class in JSON. Class elements: restriction?, ext-restriction?, observable-id?, Certificate+ Example: "CertificateData": { "Certificate": { "X509Data": "xxxxxxxx" //STRING } } 3.21.1. Certificate Class This classexchange the same information. The normative IODEF JSON data model isdefinedfound in Section3.24.1 of RFC 7970 [RFC7970]. The X509Data class contains base64 encoded form of X.509 certificate or chain as described in5. Section4.4.4 of [W3C.XMLSIG]. The example below represents how to describe this class in JSON. Class elements: observable-id?, X509Data, Description*, Description_ML* Example: "Certificate": { "X509Data": "xxxxxxxx" //STRING } 3.22. FileData Class This class is defined in2 and Section3.25 of RFC 7970 [RFC7970]. The example below represents how to3 describethis class in JSON. Class elements: restriction?, ext-restriction?, observable-id?, File+ Example: "FileData": { "File": { "FileName": "dummy.exe" //STRING } }, 3.22.1. File Class This class is defined in Section 3.25.1the data types and elements ofRFC 7970 [RFC7970]. The example below represents how to describethisclass in JSON. Class elements: observable-id?, FileName?, FileSize?, FileType?, URL*, HashData?, Signature*, AssociatedSoftware?, FileProperties* Example: "File": { "FileName": "dummy.exe" //STRING } Note that Signature elementdata model. Section 4 provides examples. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in thisclass contains base64 encoded form of signaturedocument are to be interpreted as described inSection 4.2 of [W3C.XMLSIG]. 3.23. HashData Class This class is definedRFC 2119 [RFC2119]. 2. IODEF Data Types The abstract IODEF JSON implements the abstract data types specified in Section3.262 ofRFC 7970[RFC7970].The example below represents how2.1. Abstract Data Type todescribe this classJSON Data Type Mapping IODEF JSON uses native and derived JSON data types. Figure 1 describes the mapping between the abstract data types in Section 2 of [RFC7970] and their corresponding implementations in IODEF JSON.Class elements: scope, HashTargetID?, Hash*, FuzzyHash* Example: "HashData": { "scope": "file-contents", //ENUM "Hash": { "DigestMethod":"http://www.w3.org/2000/09/xmldsig#sha1", //STRING "DigestValue": "xxxxxxxxxxx" //STRING } } 3.23.1. Hash Class+-----------------+-------------------+-------------------------------+ | IODEF Data Type | [RFC7970] | JSON Data Type | | | Reference | | +-----------------+-------------------+-------------------------------+ | INTEGER | Section 2.1 | "integer" per [jsonschema] | | REAL | Section 2.2 | "number" per [jsonschema] | | CHARACTER | Section 2.3 | "string" per [jsonschema] | | STRING | Section 2.3 | "string" per [jsonschema] | | ML_STRING | Section 2.4 | see Section 2.2.1 | | BYTE | Section 2.5.1 | "string" per [jsonschema] | | BYTE[] | Section 2.5.1 | "string" per [jsonschema] | | HEXBIN | Section 2.5.2 | "string" per [jsonschema] | | HEXBIN[] | Section 2.5.2 | "string" per [jsonschema] | | ENUM | Section 2.6 | "enum" array per [jsonschema] | | DATETIME | Section 2.7 | "string" per [jsonschema] | | TIMEZONE | Section 2.8 | "string" per [jsonschema] | | PORTLIST | Section 2.9 | "string" per [jsonschema] | | POSTAL | Section 2.10 | "string" per [jsonschema] | | POSTAL_ML | Section 2.10 | see ML_STRING, Section 2.2.1 | | PHONE | Section 2.11 | "string" per [jsonschema] | | EMAIL | Section 2.12 | "string" per [jsonschema] | | URL | Section 2.13 | "string" per [jsonschema] | | IDREF | Section 2.14 | "string" per [jsonschema] | | SOFTWARE | Section 2.15 | see Section 2.2.2 | | STRUCTURED | N/A | see Section 2.2.3 | +-----------------+-------------------+-------------------------------+ Figure 1 2.2. Complex JSON Types 2.2.1. Multilingual Strings A string that needs to be represented in a human-readable language different than the default encoding of the document is represented in the information model by the ML_STRING data type. Thisclassdata type is implemented as an object with "value", "lang", and "translation-id" elements as defined in Section3.26.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: DigestMethod, DigestValue, CanonicalizationMethod?, Application? Example: "Hash":5. Examples are shown below. "MLStringType": {"DigestMethod": "http://www.w3.org/2000/09/xmldsig#sha1","value": "free-form text", //STRING"DigestValue": "xxxxxxxxxxx""lang": "en", //ENUM "translation-id": "jp2en0023" //STRING }3.23.2. FuzzyHash Class2.2.2. Software A particular version of software is represented in the information model by the SOFTWARE data type. Thisclasssoftware can be described by using a reference, a URL, or with free-form text. The SOFTWARE data type is implemented as an object with "SoftwareReference", "URL", "Description", and "Description_ML" elements as defined in Section3.26.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: FuzzyHashValue+, Application?, AdditionalData? Example: "FuzzyHash":5. Examples are shown below. "SoftwareType": {"FuzzyHashValue": {}"SoftwareReference": {...}, //SoftwareReference "Description": ["MS Windows"] //STRING }3.24. Indicator Class This class is defined2.2.3. StructuredInfo Information provided inSection 3.29a form ofRFC 7970 [RFC7970]. The example below represents how to describestructured string, such as ID, or structured information, such as XML documents, is represented in the information model by the StructuredInfo data type. Note that thisclasstype was originally specified inJSON. Class elements: restriction?, ext-restriction?, IndicatorID, AlternativeIndicatorID*, Description*, Description_ML*, StartTime?, EndTime?, Confidence?, Contact*, Observable?, uid-ref?, IndicatorExpression?, IndicatorReference?, NodeRole*, AttackPhase*, Reference*, AdditionalData* Example: "Indicator": { "IndicatorID": { "id": "G90823490", //STRING "name": "csirt.example.com", //STRING "version": "1" //STRING }, "Description": ["C2 domains"], //STRING "StartTime": "2014-12-02T11:18:00-05:00", //Datetime "Observable": { "BulkObservable":RFC7203. The StructuredInfo data type is implemented as an object with "SpecID", "ext-SpecID", "ContentID", "RawData", "Reference" elements. An example for embedding a structured ID is shown below. "StructuredInformation": {"type": "fqdn""SpecID": "cve", //ENUM}, "BulkObservableList": [ "kj290023j09r34.example.com", //STRING "09ijk23jfj0k8.example.net", //STRING "klknjwfjiowjefr923.example.org", //STRING "oimireik79msd.example.org""ContentID": "CVE-2007-5000" //STRING]} When embedding the raw data, base64 conversion should be used for encoding the data, as shown below. "StructuredInformation": { "SpecID": "oval", //ENUM "RawData": "<<<strings encoded with base64>>>" //BYTE }3.24.1. IndicatorID Class This class is defined in Section 3.29.1 of RFC 7970 [RFC7970].3. IODEF JSON Data Model 3.1. Classes and Elements Theexample below represents how to describe this classfollowing table shows the list of IODEF Classes, their elements, and the corresponding section inJSON. Class elements: id, name, version Example: "IndicatorID": { "id": "G90823490", //STRING "name": "csirt.example.com", //STRING "version": "1" //STRING } 3.24.2. AlternativeIndicatorID Class This class[RFC7970]. Note that the complete JSON schema is defined in Section3.29.2 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON.5. +-----------------------------+--------------------+---------------+ | IODEF Classelements: restriction?, ext-restriction?, IndicatorReference+ Example: "AlternativeIndicatorID": { "IndicatorReference": { "uid-ref": "xxxxx" } }, 3.24.3.| Class | Corresponding | | | Elements and | Section | | | Attribute | in [RFC7970] | +-----------------------------+--------------------+---------------+ | IODEF-Document | version | 3.1 | | | lang? | | | | format-id? | | | | private-enum-name? | | | | private-enum-id? | | | | Incident+ | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Incident | purpose | 3.2 | | | ext-purpose? | | | | status? | | | | ext-status? | | | | lang? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentID | | | | AlternativeID? | | | | RelatedActivity* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | GenrationTime? | | | | Description* | | | | Description_ML* | | | | Discovery* | | | | Assessment* | | | | Method* | | | | Contact+ | | | | EventData* | | | | Indicator* | | | | History? | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | IncidentID | id | 3.4 | | | name | | | | instance? | | | | restriction? | | | | ext-restriction? | | +-----------------------------+--------------------+---------------+ | AlternativeID | restriction? | 3.5 | | | ext-restriction? | | | | IncidentID+ | | +-----------------------------+--------------------+---------------+ | RelatedActivity | restriction? | 3.6 | | | ext-restriction? | | | | IncidentID* | | | | URL* | | | | ThreatActor* | | | | Campaign* | | | | IndicatorID* | | | | Confidence? | | | | Description* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | ThreatActor | restriction? | 3.7 | | | ext-restriction? | | | | ThreatActorID* | | | | URL* | | | | Description* | | | | Description_ML* | | | | AdditionalData* | | +-----------------------------+--------------------+---------------+ | Campaign | restriction? | | | | ext-restriction? | | | | CampaignID* | | | | URL* | | | | Description* | | | | Description_ML* | | | | AdditionalData* | 3.8 | +-----------------------------+--------------------+---------------+ | Contact | role | | | | ext-role? | | | | type | | | | ext-type? | | | | restriction? | | | | ext-restriction? | | | | ContactName*,ContactName_ML* | | | | ContactTitle* | | | | ContactTitle_ML* | | | | Description* | | | | Description_ML* | | | | RegistryHandle* | | | | PostalAddress* | | | | Email* | | | | Telephone* | | | | Timezone? | | | | Contact* | | | | AdditionalData* | 3.9 | +-----------------------------+--------------------+---------------+ | RegistryHandle | handle| | | | | registry| | | | | ext-registry? | 3.9.1 | +-----------------------------+--------------------+---------------+ | PostalAddress | type?| | | | | ext-type?| | | | | PAddress| | | | | Description*| | | | | Description_ML* | 3.9.2 | +-----------------------------+--------------------+---------------+ | Email | type? | | | | ext-type? | | | | EmailTo | | | | Description* | | | | Description_ML* | 3.9.3 | +-----------------------------+--------------------+---------------+ | Telephone | type? | | | | ext-type? | | | | TelephoneNumber | | | | Description* | | | | Description_ML* | 3.9.4 | +-----------------------------+--------------------+---------------+ | Discovery | source? | | | | ext-source? | | | | restriction? | | | | ext-restriction? | | | | Description* | | | | Description_ML* | | | | Contact* | | | | DetectionPattern* | 3.10 | +-----------------------------+--------------------+---------------+ | DetectionPattern | restriction? | 3.10.1 | | | ext-restriction? | | | | observable-id? | | | | Application | | | | Description* | | | | Description_ML* | | | | DetectionConfiguration* | | +-----------------------------+--------------------+---------------+ | Method | restriction? | | | | ext-restriction? | | | | Reference* | | | | Description* | | | | Description_ML* | | | | AttackPattern* | | | | Vulnerability* | | | | Weakness* | 3.11 | +-----------------------------+--------------------+---------------+ | Reference | observable-id? | | | | ReferenceName? | | | | URL* | | | | Description* | | | | Description_ML* | 3.11.1 | +-----------------------------+--------------------+---------------+ | Assessment | occurence? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | IncidentCategory* | | | | SystemImpact* | | | | BusinessImpact* | | | | TimeImpact* | | | | MonetaryImpact* | | | | IntendedImpact* | | | | Counter* | | | | MitigationFactor* | | | | MitigationFactor_ML*| | | | Cause* | | | | Cause_ML* | | | | Confidence? | | | | AdditionalData* | 3.12 | +-----------------------------+--------------------+---------------+ | SystemImpact | severity? | | | | completion? | | | | type | | | | ext-type? | | | | Description* | | | | Description_ML* | 3.12.1 | +-----------------------------+--------------------+---------------+ | BusinessImpact | severity? | | | | ext-severity? | | | | type | | | | ext-type? | | | | Description* | | | | Description_ML* | 3.12.2 | +-----------------------------+--------------------+---------------+ | TimeImpact | value | | | | severity? | | | | metric | | | | ext-metric? | | | | duration? | | | | ext-duration? | 3.12.3 | +-----------------------------+--------------------+---------------+ | MonetaryImpact | value | | | | severity? | | | | currency? | 3.12.4 | +-----------------------------+--------------------+---------------+ | Confidence | value | | | | rating | | | | ext-rating? | 3.12.5 | +-----------------------------+--------------------+---------------+ | History | restriction? | | | | ext-restriction? | | | | HistoryItem+ | 3.13 | +-----------------------------+--------------------+---------------+ | HistoryItem | action | | | | ext-action? | | | | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime | | | | IncidentID? | | | | Contact? | | | | Description* | | | | Description_ML* | | | | DefinedCOA* | | | | AdditionalData* | 3.13.1 | +-----------------------------+--------------------+---------------+ | EventData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Description* | | | | Description_ML* | | | | DetectTime? | | | | StartTime? | | | | EndTime? | | | | RecoveryTime? | | | | ReportTime? | | | | Contact* | | | | Discovery* | | | | Assessment? | | | | Method* | | | | Expectation* | | | | RecordData* | | | | EventData* | | | | AdditionalData* | 3.14 | +-----------------------------+--------------------+---------------+ | Expectation | action? | | | | ext-action? | | | | severity? | | | | restriction? | | | | ext-restriction? | | | | Description* | | | | Description_ML* | | | | DefinedCOA* | | | | StartTime? | | | | EndTime? | | | | Contact? | 3.15 | +-----------------------------+--------------------+---------------+ | System | category? | | | | ext-category? | | | | interface? | | | | spoofed? | | | | virtual? | | | | ownership? | | | | ext-ownership? | | | | restriction? | | | | ext-restriction? | | | | Node | | | | NodeRole* | | | | Service* | | | | OperatingSystem* | | | | Counter* | | | | AssetID* | | | | Description* | | | | Description_ML* | | | | AdditionalData* | 3.16 | +-----------------------------+--------------------+---------------+ | Node | DomainData* | | | | Address* | | | | PostalAddress? | | | | Location* | | | | Location_ML* | | | | Counter* | 3.17 | +-----------------------------+--------------------+---------------+ | Address | value | | | | category | | | | ext-category? | | | | vlan-name? | | | | vlan-num? | | | | observable-id? | 3.17.1 | +-----------------------------+--------------------+---------------+ | NodeRole | category | | | | ext-category? | | | | Description* | | | | Description_ML* | 3.17.2 | +-----------------------------+--------------------+---------------+ | Counter | value | | | | type | | | | ext-type? | | | | unit | | | | ext-unit? | | | | meaning? | | | | meaning_ML? | | | | duration? | | | | ext-duration? | 3.17.3 | +-----------------------------+--------------------+---------------+ | DomainData | system-status | | | | ext-system-status? | | | | domain-status | | | | ext-domain-status? | | | | observable-id? | | | | Name | | | | DateDomainWasChecked?| | | | RegistrationDate? | | | | ExpirationDate ?| | | | RelatedDNS* | | | | Nameservers* | | | | DomainContacts? | 3.18 | +-----------------------------+--------------------+---------------+ | Nameserver | Server | | | | Address* | 3.18.1 | +-----------------------------+--------------------+---------------+ | DomainContacts | SameDomainContact? | | | | Contact+ | 3.18.2 | +-----------------------------+--------------------+---------------+ | Service | ip-protocol? | | | | observable-id? | | | | ServiceName? | | | | Port? | | | | Portlist? | | | | ProtoCode? | | | | ProtoType? | | | | ProtoField? | | | | ApplicationHeaderField+| | | | EmailData? | | | | Application? | 3.19 | +-----------------------------+--------------------+---------------+ | ServiceName | IANAService? | | | | URL* | | | | Description* | | | | Description_ML* | 3.19.1 | +-----------------------------+--------------------+---------------+ | EmailData | observable-id? | | | | EmailTo* | | | | EmailFrom? | | | | EmailSubject? | | | | EmailX-Mailer? | | | | EmailHeaderField* | | | | EmailHeaders? | | | | EmailBody? | | | | EmailMessage? | | | | HashData* | | | | Signature* | 3.19.2 | +-----------------------------+--------------------+---------------+ | RecordData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | DateTime? | | | | Description* | | | | Description_ML* | | | | Application? | | | | RecordPattern* | | | | RecordItem* | | | | URL* | | | | FileData* | | | | WindowsRegistryKeysModified*| | | | CertificateData* | | | | AdditionalData* | 3.19.3 | +-----------------------------+--------------------+---------------+ | RecordPattern | type | | | | ext-type? | | | | offset? | | | | offsetunit? | | | | ext-offsetunit? | | | | instance? | | | | value | 3.19.4 | +-----------------------------+--------------------+---------------+ | WindowsRegistryKeysModified | observable-id? | 3.20 | | | Key+ | | +-----------------------------+--------------------+---------------+ | Key | registryaction? | | | | ext-registryaction?| | | | observable-id? | | | | KeyName | | | | KeyValue? | 3.20.1 | +-----------------------------+--------------------+---------------+ | CertificateData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | Certificate+ | 3.21 | +-----------------------------+--------------------+---------------+ | Certificate | observable-id? | | | | X509Data | | | | Description* | | | | Description_ML* | 3.21.1 | +-----------------------------+--------------------+---------------+ | FileData | restriction? | | | | ext-restriction? | | | | observable-id? | | | | File+ | 3.22 | +-----------------------------+--------------------+---------------+ | File | observable-id? | | | | FileName? | | | | FileSize? | | | | FileType? | | | | URL* | | | | HashData? | | | | Signature* | | | | AssociatedSoftware?| | | | FileProperties* | 3.22.1 | +-----------------------------+--------------------+---------------+ | HashData | scope | | | | HashTargetID? | | | | Hash* | | | | FuzzyHash* | 3.23 | +-----------------------------+--------------------+---------------+ | Hash | DigestMethod | | | | DigestValue | | | | CanonicalizationMethod?| | | | Application? | 3.23.1 | +-----------------------------+--------------------+---------------+ | FuzzyHash | FuzzyHashValue+ | | | | Application? | | | | AdditionalData? | 3.23.2 | +-----------------------------+--------------------+---------------+ | Indicator | restriction? | | | | ext-restriction? | | | | IndicatorID | | | | AlternativeIndicatorID*| | | | Description* | | | | Description_ML* | | | | StartTime? | | | | EndTime? | | | | Confidence? | | | | Contact* | | | | Observable? | | | | uid-ref? | | | | IndicatorExpression?| | | | IndicatorReference?| | | | NodeRole* | | | | AttackPhase* | | | | Reference* | | | | AdditionalData* | 3.24 | +-----------------------------+--------------------+---------------+ | IndicatorID | id | | | | name | | | | version | 3.24.1 | +-----------------------------+--------------------+---------------+ | AlternativeIndicatorID | restriction? | | | | ext-restriction? | | | | IndicatorReference+| 3.24.2 | +-----------------------------+--------------------+---------------+ | ObservableClass This class is defined in Section 3.29.3 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: restriction?, ext-restriction?, System?, Address?, DomainData?, Service?, EmailData?, WindowsRegistryKeysModified?, FileData?, CertificateData?, RegistryHandle?, RecordData?, EventData?, Incident?, Expectation?, Reference?, Assessment?, DetectionPattern?, HistoryItem?, BulkObservable?,| restriction? | | | | ext-restriction? | | | | System? | | | | Address? | | | | DomainData? | | | | Service? | | | | EmailData? | | | | WindowsRegistryKeysModified?| | | | FileData? | | | | CertificateData? | | | | RegistryHandle? | | | | RecordData? | | | | EventData? | | | | Incident? | | | | Expectation? | | | | Reference? | | | | Assessment? | | | | DetectionPattern? | | | | HistoryItem? | | | | BulkObservable? | | | | AdditionalData*Example: "Observable": { "BulkObservable": { "type": "fqdn" //ENUM }, "BulkObservableList": [ "kj290023j09r34.example.com", //STRING "09ijk23jfj0k8.example.net", //STRING "klknjwfjiowjefr923.example.org", //STRING "oimireik79msd.example.org" //STRING ] } 3.24.4.| 3.24.3 | +-----------------------------+--------------------+---------------+ | BulkObservableClass This class is defined in Section 3.29.3.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: type?, ext-type?, BulkObservableFormat?, BulkObservableList,| type? | | | | ext-type? | | | | BulkObservableFormat?| | | | BulkObservableList | | | | AdditionalData*Example: "BulkObservable": { "type": "fqdn" //ENUM }, "BulkObservableList": [ "kj290023j09r34.example.com", //STRING "09ijk23jfj0k8.example.net", //STRING "klknjwfjiowjefr923.example.org", //STRING "oimireik79msd.example.org" //STRING ] 3.24.5.| 3.24.4 | +-----------------------------+--------------------+---------------+ | BulkObservableFormatClass This class is defined in Section 3.29.3.1.1 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: Hash?,| Hash? | | | | AdditionalData*Example: "BulkObservableFormat": { "Hash": { "DigestMethod":"http://www.w3.org/2000/09/xmldsig#sha1",//STRING "DigestValue": "xxxxxxxxxxx" //STRING } } 3.24.6.| 3.24.5 | +-----------------------------+--------------------+---------------+ | IndicatorExpressionClass This class is defined in Section 3.29.4 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: operator?, ext-operator?, IndicatorExpression*, Observable*, uid- ref*, IndicatorReference*, Confidence?,| operator? | | | | ext-operator? | | | | IndicatorExpression*| | | | Observable* | | | | uid-ref* | | | | IndicatorReference*| | | | Confidence? | | | | AdditionalData*Example: "IndicatorExpression": { "uid-ref": "xxxxx" } 3.24.7.| 3.24.6 | +-----------------------------+--------------------+---------------+ | IndicatorReferenceClass This class is defined in Section 3.29.7 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: uid-ref?, euid-ref?,| uid-ref? | | | | euid-ref? | | | | version?Example: "IndicatorReference": { "uid-ref": "xxxxx" } 3.24.8.| 3.24.7 | +-----------------------------+--------------------+---------------+ | AttackPhaseClass This class is defined in Section 3.29.8 of RFC 7970 [RFC7970]. The example below represents how to describe this class in JSON. Class elements: AttackPhaseID*, URL*, Description*, Description_ML*,| AttackPhaseID* | | | | URL* | | | | Description* | | | | Description_ML* | | | | AdditionalData*Example: "AttackPhase": { "Description": ["Currently, the infected host is scanning arbitrary hosts to find next targets."] //STRING } 4. Notable differences from RFC 7970| 3.24.8 | +-----------------------------+--------------------+---------------+ 3.2. Mapping between JSON and XML IODEF o This document treats attributes and elements of each class defined inRFC 7970[RFC7970] equally and is agnostic on the order of their appearances. o Flow class is deleted, and classes with its instances now directly have instances of EventData class that used to belong to the Flow classs. o ApplicationHeader class is deleted, and classes with its instances now directly have instances of ApplicationHeaderField class that used to belong to the ApplicationHeader class. o SignatureData class is deleted, and classes with its instances now directly have instance of Signature class that used to belong to the SignatureData class. o IndicatorData class is deleted, and classes with its instances now directly have the instances of Indicator class that used to belong to the IndicatorData class. o ObservableReference class is deleted, and classes with its instances now directly have uid-ref as an element. o Record class is deleted, and classes with its instances now directly have the instances of RecordData class that used to belong to the Record class. o The elements of ML_STRING type are prepared as twoseparatemseparate elements: one of STRING type and another of ML_STRING type, in order to maintain the simplicity of IODEFdocuemntsdocuments when writing with only STRING type characters.5.4. Examples This section provides example of IODEF documents. These examples do not represent the full capabilities of the data model or the the only way to encode particular information.5.1.4.1. Minimal Example A document containing only the mandatory elements and attributes. { "version": "2.0", "lang": "en", "Incident": [ { "purpose": "reporting", "restriction": "private", "IncidentID": { "id": 492382, "name": "csirt.example.com" }, "GenerationTime": "2015-07-18T09:00:00-05:00", "Contact": [ { "type": "organization", "role": "creator", "email": { "emailTo": "contact@csirt.example.com" } } ] } ] }5.2.4.2. Indicators from a Campaign An example of C2 domains from a given campaign. { "version": "2.0", "lang": "en", "Incidents": [ { "purpose": "watch", "restriction": "green", "IncidentID": { "id": "897923", "name": "csirt.example.com" }, "RelatedActivity": [ { "ThreatActor": [ { "ThreatActorID": "TA-12-AGGRESSIVE-BUTTERFLY", "Description": "Aggressive Butterfly" } ], "Campaign": [ { "CampaignID": "C-2015-59405", "Description": "Orange Giraffe" } ] } ], "GenerationTime": "2015-10-02T11:18:00-05:00", "Description": [ "Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang." ], "Assessment": [ { "BusinessImpact": { "type": "breach-proprietary" } } ], "Contacts": [ { "type": "organization", "role": "creator", "ContactName": "CSIRT for example.com", "Email": { "emailTo": "contact@csirt.example.com" } } ], "IndicatorList": [ { "IndicatorID": { "id": "G90823490", "name": "csirt.example.com", "version": "1" }, "Description": "C2 domains", "StartTime": "2014-12-02T11:18:00-05:00", "Observable": { "BulkObservable": { "type": "fqdn" }, "BulkObservableList": [ "kj290023j09r34.example.com", "09ijk23jfj0k8.example.net", "klknjwfjiowjefr923.example.org", "oimireik79msd.example.org" ] } } ] } ] }6.5. The IODEF Data Model (JSON Schema) { "$schema": "http://json-schema.org/draft-04/schema#", "definitions": { "action": {"enum": ["nothing","contact-source-site","contact-target-site", "contact-sender", "investigate","block-host","block-network", "block-port","rate-limit-host","rate-limit-network", "rate-limit-port","redirect-traffic","honeypot", "upgrade-software","rebuild-asset","harden-asset", "remediate-other","status-triage","status-new-info", "watch-and-report","training","defined-coa","ext-value"]}, "duration": {"enum": ["second","minute","hour","day","month","quarter", "year","ext-value"]}, "lang": {"enum": ["en","jp"]}, "purpose": {"enum": ["traceback","mitigation","reporting","watch","other", "ext-value"]}, "restriction": {"enum": ["public","partner","need-to-know","private", "default","white","green","amber","red","ext-value"]}, "status": {"enum": ["new","in-progress","forwarded","resolved","future", "ext-value"]}, "DATETIME": {"type": "string"}, "PORTLIST": {"type": "string"}, "URLtype": {"type": "string"}, "IDtype": {"type": "string"}, "ExtensionType": { "type": "object", "properties": { "name": {"type": "string"}, "dtype": {"enum": ["boolean","byte","bytes","character","date-time", "ntpstamp","integer","portlist","real","string","file", "path","frame","packet","ipv4-packet","ipv6-packet","url", "csv","winreg","xml","ext-value"]}, "ext-dtype": {"type": "string"}, "meaning": {"type": "string"}, "formatid": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}}}, "ExtensionTypeList": { "type": "array", "items": {"$ref": "#/definitions/ExtensionType"}}, "SoftwareType": { "type": "object", "properties": { "SoftwareReference": {"$ref": "#/definitions/SoftwareReference"}, "URL": {"$ref": "#/definitions/URLtype"}, "Description": {"type": "array", "items": {"type":"string"}}}, "required": [], "additionalProperties": false}, "SoftwareReference": { "type": "object", "properties": { "value": {"type": "string"}, "spec-name": {"type": "string"}, "ext-spec-name": {"type": "string"}, "dtype": {"type": "string"}, "ext-dtype": {"type": "string"}}, "required": ["spec-name"], "additionalProperties": false}, "StructuredInfo": { "type": "object", "properties": { "specID": {"type": "string"}, "ext-specID": {"type": "string"}, "contentID": {"type": "string"}, "RawData": {"type": "string"}, "URL": {"$ref": "#/definitions/URLtype"}}, "required": ["specID"], "additionalProperties": false}, "Incident": { "title": "Incident", "description": "JSON schema for Incident class", "type": "object", "properties": { "purpose": {"$ref": "#/definitions/purpose"}, "ext-purpose": {"type": "string"}, "status": {"$ref": "#/definitions/status"}, "ext-status": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "AlternativeID": {"$ref": "#/definitions/AlternativeID"}, "RelatedActivity": { "type": "array","items": {"$ref": "#/definitions/RelatedActivity"}}, "DetectTime": {"type": "string"}, "StartTime": {"type": "string"}, "EndTime": {"type": "string"}, "RecoveryTime": {"type": "string"}, "ReportTime": {"type": "string"}, "GenerationTime": {"type": "string"}, "Description": {"type": "array","items": {"type": "string"}}, "Discovery": { "type": "array","items": {"$ref": "#/definitions/Discovery"}}, "Assessment": { "type": "array","items": {"$ref": "#/definitions/Assessment"}}, "Methods": { "type": "array","items": {"$ref": "#/definitions/Method"}}, "Contacts": { "type": "array","items": {"$ref": "#/definitions/Contact"}}, "EventData": { "type": "array","items": {"$ref": "#/definitions/EventData"}}, "IndicatorList": { "type": "array","items": {"$ref": "#/definitions/Indicator"}}, "History": {"$ref": "#/definitions/History"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["IncidentID","GenerationTime","Contacts","purpose"], "additionalProperties": false}, "IncidentID": { "title": "IncidentID", "description": "JSON schema for IncidentID class", "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "instance": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}}, "required": ["name"], "additionalProperties": false}, "AlternativeID": { "title": "AlternativeID", "description": "JSON schema for AlternativeID class", "type": "object", "properties": { "IncidentID": { "type": "array","items":{"$ref": "#/definitions/IncidentID"}}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}}, "required": ["IncidentID"], "additionalProperties": false}, "RelatedActivity": { "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "IncidentID": { "type": "array","items": {"$ref": "#/definitions/IncidentID"}}, "URL": { "type": "array","items": {"$ref": "#/definitions/URLtype"}}, "ThreatActor": { "type": "array","items": {"$ref": "#/definitions/ThreatActor"}}, "Campaign": { "type": "array","items": {"$ref": "#/definitions/Campaign"}}, "IndicatorID": { "type": "array","items": {"$ref": "#/definitions/IndicatorID"}}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Description": { "type": "array","items": {"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "ThreatActor": { "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "ThreatActorID": {"type": "array", "items": {"type": "string"}}, "Description": {"type": "array", "items": {"type": "string"}}, "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "additionalProperties": false}, "Campaign": { "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "CampaignID": {"type": "array", "items": {"type": "string"}}, "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "Description": {"type": "array", "items": {"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}}, "Contact": { "type": "object", "properties": { "role": { "enum": ["creator","reporter","admin","tech","provider","user", "billing","legal","irt","abuse","cc","cc-irt","leo", "vendor","vendor-support","victim","victim-notified", "ext-value"]}, "ext-role": {"type": "string"}, "type": {"enum": ["person","organization","ext-value"]}, "ext-type": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "ContactName": {"type": "array", "items": {"type": "string"}}, "ContactTitle": {"type": "array", "items": {"type": "string"}}, "Description": {"type": "array", "items": {"type": "string"}}, "RegistryHandle": { "type": "array", "items": {"$ref": "#/definitions/RegistryHandle"}}, "PostalAddress": { "type": "array", "items": {"$ref": "#/definitions/PostalAddress"}}, "Email": {"type": "array", "items": {"$ref": "#/definitions/Email"}}, "Telephone": { "type": "array", "items": {"$ref": "#/definitions/Telephone"}}, "Timezone": {"type": "string"}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["role","type"], "additionalProperties": false}, "RegistryHandle": { "type": "object", "properties": { "handle": {"type": "string"}, "registry": { "enum": ["internic","apnic","arin","lacnic","ripe","afrinic","local", "ext-value"]}, "ext-registry": {"type": "string"}}, "required": ["registry"], "additionalProperties": false}, "PostalAddress": { "type": "object", "properties": { "type": {"type": "string"}, "ext-type": {"type": "string"}, "PAddress": {"type": "string"}, "Description": {"type": "array", "items": {"type": "string"}}}, "required": ["PAddress"], "additionalProperties": false}, "Email": { "type": "object", "properties": { "type": { "enum":["direct","hotline","ext-value"]}, "ext-type": {"type": "string"}, "EmailTo": {"type": "string"}, "Description": {"type": "array", "items": {"type": "string"}}}, "required": ["EmailTo"], "additionalProperties": false}, "Telephone": { "type": "object", "properties": { "type": { "enum":["wired","mobile","fax","hotline","ext-value"]}, "ext-type": {"type": "string"}, "TelephoneNumber": {"type": "string"}, "Description": {"type": "array", "items": {"type": "string"}}}, "required": ["TelephoneNumber"], "additionalProperties": false}, "Discovery": { "type": "object", "properties": { "source": { "enum":["nidps","hips","siem","av","third-party-monitoring", "incident","os-log","application-log","device-log", "network-flow","passive-dns","investigation","audit", "internal-notification","external-notification","leo", "partner","actor","unknown","ext-value"]}, "ext-source": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "Description": {"type": "array", "items": {"type": "string"}}, "Contact": { "type": "array", "items": {"$ref": "#/definitions/Contact"}}, "DetectionPattern": { "type": "array", "items":{"$ref":"#/definitions/DetectionPattern"}}}, "required": [], "additionalProperties": false}, "DetectionPattern": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Application": {"$ref": "#/definitions/SoftwareType"}, "Description": {"type": "array", "items": {"type": "string"}}, "DetectionConfiguration": { "type": "array", "items": {"type": "string"}}}, "required": ["Application"], "additionalProperties": false}, "Method": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "References": { "type": "array","items": {"$ref": "#/definitions/Reference"}}, "Description": {"type": "array", "items": {"type": "string"}}, "AttackPattern": { "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "Vulnerability": { "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "Weakness": { "type": "array", "items": {"$ref": "#/definitions/StructuredInfo"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "Reference": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "ReferenceName": {"type": "string"}, "URL": {"type": "array", "items": {"$ref": "#/definitions/URLtype"}}, "Description": {"type": "array", "items": {"type": "string"}}}, "required": [], "additionalProperties": false}, "Assessment": { "type": "object", "properties": { "occurrence": {"enum":["actual","potential"]}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "IncidentCategory": {"type": "array", "items": {"type": "string"}}, "SystemImpact": { "type": "array", "items": {"$ref": "#/definitions/SystemImpact"}}, "BusinessImpact": { "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}}, "TimeImpact": { "type": "array", "items": {"$ref": "#/definitions/TimeImpact"}}, "MonetaryImpact": { "type": "array", "items": {"$ref": "#/definitions/MonetaryImpact"}}, "IntendedImpact": { "type": "array", "items": {"$ref": "#/definitions/BusinessImpact"}}, "Counter": { "type": "array", "items": {"$ref": "#/definitions/Counter"}}, "MitigatingFactor": { "type": "array", "items": {"$type": "string"}}, "Cause": {"type": "array", "items": {"$type": "string"}}, "Confidence": {"$ref": "#/definitions/Confidence"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "SystemImpact": { "type": "object", "properties": { "severity": { "enum":["low","medium","high"]}, "completion": {"enum":["failed","succeeded"]}, "type": { "enum":["takeover-account","takeover-service","takeover-system", "cps-manipulation","cps-damage","availability-data", "availability-account","availability-service", "availability-system","damaged-system","damaged-data", "breach-proprietary","breach-privacy","breach-credential", "breach-configuration","integrity-data", "integrity-configuration","integrity-hardware", "traffic-redirection","monitoring-traffic","monitoring-host", "policy","unknown","ext-value"]}, "ext-type": {"type": "string"}, "Description": {"type": "array","items": {"type": "string"}}}, "required": ["type"], "additionalProperties": false}, "BusinessImpact": { "type": "object", "properties": { "severity": { "enum":["none","low","medium","high","unknown","ext-value"]}, "ext-severity": {"type":"string"}, "type": { "enum":["breach-proprietary","breach-privacy","breach-credential", "loss-of-integrity","loss-of-service","theft-financial", "theft-service","degraded-reputation","asset-damage", "asset-manipulation","legal","extortion","unknown", "ext-value"]}, "ext-type": {"type": "string"}, "Description": {"type": "array","items": {"type": "string"}}}, "required": ["type"], "additionalProperties": false}, "TimeImpact": { "type": "object", "properties": { "value": {"type": "number"}, "severity": {"enum": ["low","medium","high"]}, "metric": {"enum": ["labor","elapsed","downtime","ext-value"]}, "ext-metric": {"type": "string"}, "duration": {"$ref":"#/definitions/duration"}, "ext-duration": {"type": "string"}}, "required": ["metric"], "additionalProperties": false}, "MonetaryImpact": { "type": "object", "properties": { "value": {"type": "number"}, "severity": {"enum":["low","medium","high"]}, "currency": {"type": "string"}}, "required": [], "additionalProperties": false}, "Confidence": { "type": "object", "properties": { "value": {"type": "number"}, "rating": { "enum": ["low","medium","high","numeric","unknown","ext-value"]}, "ext-rating": {"type":"string"}}, "required": ["rating"], "additionalProperties": false}, "History": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "HistoryItem": { "type": "array","items": {"$ref": "#/definitions/HistoryItem"}}}, "required": ["HistoryItem"], "additionalProperties": false}, "HistoryItem": { "type": "object", "properties": { "action": {"$ref": "#/definitions/action"}, "ext-action": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "IncidentID": {"$ref": "#/definitions/IncidentID"}, "Contact": {"$ref": "#/definitions/Contact"}, "Description": {"type": "array","items": {"type": "string"}}, "DefinedCOA": {"type": "array","items": {"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["DateTime","action"], "additionalProperties": false}, "EventData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": {"type": "array","items": {"type": "string"}}, "DetectTime": {"type": "string"}, "StartTime": {"type": "string"}, "EndTime": {"type": "string"}, "RecoveryTime": {"type": "string"}, "ReportTime": {"type": "string"}, "Contact": { "type": "array","items": {"$ref": "#/definitions/Contact"}}, "Discovery": { "type": "array","items": {"$ref": "#/definitions/Discovery"}}, "Assessment": {"$ref": "#/definitions/Assessment"}, "Method": { "type": "array","items": {"$ref": "#/definitions/Method"}}, "System": { "type": "array","items": {"$ref": "#/definitions/System"}}, "Expectation": { "type": "array","items": {"$ref": "#/definitions/Expectation"}}, "RecordData": {"type": "array", "items": {"$ref": "#/definitions/RecordData"}}, "EventData": { "type": "array","items": {"$ref": "#/definitions/EventData"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["ReportTime"], "additionalProperties": false}, "Expectation": { "type": "object", "properties": { "action": {"$ref":"#/definitions/action"}, "ext-action": {"type": "string"}, "severity": {"enum": ["low","medium","high"]}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Description": {"type": "array","items": {"type": "string"}}, "DefinedCOA": {"type": "array","items": {"type": "string"}}, "StartTime": {"type": "string"}, "EndTime": {"type": "string"}, "Contact": {"$ref": "#/definitions/Contact"}}, "required": [], "additionalProperties": false}, "System": { "type": "object", "properties": { "category": { "enum": ["source","target","intermediate","sensor","infrastructure", "ext-value"]}, "ext-category": {"type": "string"}, "interface": {"type": "string"}, "spoofed": {"enum": ["unknown","yes","no"]}, "virtual": {"enum": ["yes","no","unknown"]}, "ownership": { "enum":["organization","personal","partner","customer", "no-relationship","unknown","ext-value"]}, "ext-ownership": {"type": "string"}, "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Node": {"$ref": "#/definitions/Node"}, "NodeRole": { "type": "array","items": {"$ref": "#/definitions/NodeRole"}}, "Service": { "type": "array","items": {"$ref": "#/definitions/Service"}}, "OperatingSystem": { "type": "array","items": {"$ref": "#/definitions/SoftwareType"}}, "Counter": { "type": "array","items": {"$ref": "#/definitions/Counter"}}, "AssetID": {"type": "array","items": {"type": "string"}}, "Description": {"type": "array","items": {"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["Node"], "additionalProperties": false}, "Node": { "type": "object", "properties": { "DomainData": { "type": "array","items": {"$ref": "#/definitions/DomainData"}}, "Address": { "type": "array","items": {"$ref": "#/definitions/Address"}}, "PostalAddress": {"type": "string"}, "Location": {"type": "array","items": {"type": "string"}}, "Counter": {"type": "array","items":{"$ref":"#/definitions/Counter"}}}, "required": [], "additionalProperties": false}, "Address": { "type": "object", "properties": { "value": {"type": "string"}, "category": { "enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-masked","ipv4-net-mask","ipv6-addr","ipv6-net", "ipv6-net-masked","mac","site-url","ext-value"]}, "ext-category": {"type": "string"}, "vlan-name": {"type": "string"}, "vlan-num": {"type": "integer"}, "observable-id": {"$ref": "#/definitions/IDtype"}}, "required": ["category"], "additionalProperties": false}, "NodeRole": { "type": "object", "properties": { "category": { "enum":["client","client-enterprise","clent-partner","client-remote", "client-kiosk","client-mobile","server-internal", "server-public","www","mail","webmail","messaging", "streaming","voice","file","ftp","p2p","name","directory", "credential","print","application","database","backup", "dhcp","assessment","source-control","config-management", "monitoring","infra","infra-firewall","infra-router", "infra-switch","camera","proxy","remote-access","log", "virtualization","pos", "scada", "scada-supervisory", "sinkhole","honeypot","anomyzation","c2-server", "malware-distribution","drop-server","hot-point","reflector", "phishing-site","spear-phishing-site","recruiting-site", "fraudulent-site","ext-value"]}, "ext-category": {"type": "string"}, "Description": {"type": "array","items": {"type": "string"}}}, "required": ["category"], "additionalProperties": false}, "Counter": { "type": "object", "properties": { "value": {"type": "string"}, "type": {"enum": ["count","peak","average","ext-value"]}, "ext-type": {"type": "string"}, "unit": {"enum": ["byte","mbit","packet","flow","session","alert", "message","event","host","site","organization","ext-value"]}, "ext-unit": {"type": "string"}, "meaning": {"type": "string"}, "duration": {"$ref":"#/definitions/duration"}, "ext-duration": {"type": "string"}}, "required": ["type","unit"], "additionalProperties": false}, "DomainData": { "type": "object", "properties": { "system-status": { "enum": ["spoofed","fraudulent","innocent-hacked", "innocent-hijacked","unknown","ext-value"]}, "ext-system-status": {"type": "string"}, "domain-status": { "enum": [ "reservedDelegation","assignedAndActive","assignedAndInactive", "assignedAndOnHold","revoked","transferPending","registryLock", "registrarLock","other","unknown","ext-value"]}, "ext-domain-status": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Name": {"type": "string"}, "DateDomainWasChecked": {"$ref": "#/definitions/DATETIME"}, "RegistrationDate": {"$ref": "#/definitions/DATETIME"}, "ExpirationDate": {"$ref": "#/definitions/DATETIME"}, "RelatedDNS": { "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "NameServers": { "type": "array","items": {"$ref": "#/definitions/NameServers"}}, "DomainContacts": { "$ref": "#/definitions/DomainContacts"}}, "required": ["Name","system-status","domain-status"], "additionalProperties": false}, "NameServers": { "type": "object", "properties": { "Server": {"type": "string"}, "Address": {"type": "array","items":{"$ref":"#/definitions/Address"}}}, "required": ["Server","Address"], "additionalProperties": false}, "DomainContacts": { "type": "object", "properties": { "SameDomainContact": {"type": "string"}, "Contact": {"type": "array","items":{"$ref":"#/definitions/Contact"}}}, "required": ["Contact"], "additionalProperties": false}, "Service": { "type": "object", "properties": { "ip-protocol": {"type": "integer"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "ServiceName": {"$ref": "#/definitions/ServiceName"}, "Port": {"type": "integer"}, "Portlist": {"$ref": "#/definitions/PORTLIST"}, "ProtoCode": {"type": "integer"}, "ProtoType": {"type": "integer"}, "ProtoField": {"type": "integer"}, "ApplicationHeaderField": {"$ref":"#/definitions/ExtensionTypeList"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Application": {"$ref": "#/definitions/SoftwareType"}}, "required": [], "additionalProperties": false}, "ServiceName": { "type": "object", "properties": { "IANAService": {"type": "string"}, "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "Description": {"type": "array","items": {"type": "string"}}}, "required": [], "additionalProperties": false}, "EmailData": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "EmailTo": {"type": "array","items": {"type": "string"}}, "EmailFrom": {"type": "string"}, "EmailSubject": {"type": "string"}, "EmailX-Mailer": {"type": "string"}, "EmailHeaderField": { "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "EmailHeaders": {"type": "string"}, "EmailBody": {"type": "string"}, "EmailMessage": {"type": "string"}, "HashData": { "type": "array","items": {"$ref": "#/definitions/HashData"}}, "Signature": {"type": "array","items": {"type": "string"}}}, "required": [], "additionalProperties": false}, "RecordData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "DateTime": {"$ref": "#/definitions/DATETIME"}, "Description": {"type": "array","items": {"type": "string"}}, "Applicadtion": {"$ref": "#/definitions/SoftwareType"}, "RecordPattern": { "type": "array","items": {"$ref": "#/definitions/RecordPattern"}}, "RecordItem": { "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "URL": { "type": "array","items": {"$ref": "#/definitions/URLtype"}}, "FileData": { "type": "array","items": {"$ref": "#/definitions/FileData"}}, "WindowsRegistryKeysModified": { "type": "array", "items": {"$ref": "#/definitions/WindowsRegistryKeysModified"}}, "CertificateData": { "type": "array","items": {"$ref": "#/definitions/CertificateData"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false }, "RecordPattern": { "type": "object", "properties": { "value": {"type": "string"}, "type": {"enum": ["regex","binary","xpath","ext-value"]}, "ext-type": {"type": "string"}, "offset": {"type": "integer"}, "offsetunit": {"enum":["line","byte","ext-value"]}, "ext-offsetunit": {"type": "string"}, "instance": {"type": "integer"}}, "required": ["type"], "additionalProperties": false}, "WindowsRegistryKeysModified": { "type": "object", "properties": { "observabile-id": {"$ref": "#/definitions/IDtype"}, "Key": {"type": "array","items": {"$ref": "#/definitions/Key"}}}, "required": ["Key"], "additionalProperties": false}, "Key": { "type": "object", "properties": { "registryaction": {"enum": ["add-key","add-value","delete-key", "delete-value","modify-key","modify-value", "ext-value"]}, "ext-registryaction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "KeyName": {"type":"string"}, "KeyValue": {"type": "string"}}, "required": ["KeyName"], "additionalProperties": false}, "CertificateData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "Certificate": { "type": "array","items": {"$ref": "#/definitions/Certificate"}}}, "required": ["Certificate"], "additionalProperties": false}, "Certificate": { "type": "object", "properties": { "observable-id": {"$ref": "#/definitions/IDtype"}, "X509Data": {type: "string"}, "Description": {"type": "array","items": {"type": "string"}}}, "required": ["X509Data"], "additionalProperties": false}, "FileData": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "observable-id": {"$ref": "#/definitions/IDtype"}, "File": {"type": "array","items": {"$ref": "#/definitions/File"}}}, "required": ["File"], "additionalProperties": false}, "File": { "type": "object", "properties": { "FileName": {"type": "string"}, "FileSize": {"type": "integer"}, "FileType": {"type": "string"}, "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "HashData": {"$ref": "#/definitions/HashData"}, "Signature": {"type": "array","items": {"type": "string"}}, "AssociatedSoftware": {"$ref": "#/definitions/SoftwareType"}, "FileProperties": { "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}}, "required": [], "additionalProperties": false}, "HashData": { "type": "object", "properties": { "scope": {"enum": ["file-contents","file-pe-section","file-pe-iat", "file-pe-resource","file-pdf-object","email-hash", "email-hash-header","email-hash-body"]}, "HashTargetID": {"type": "string"}, "Hash": {"type": "array","items": {"$ref": "#/definitions/Hash"}}, "FuzzyHash": { "type": "array","items": {"$ref": "#/definitions/FuzzyHash"}}}, "required": ["scope"], "additionalProperties": false}, "Hash": { "type": "object", "properties": { "DigestMethod": {"type": "string"}, "DigestValue": {"type": "string"}, "CanonicalizationMethod": {}, "Application": {"$ref": "#/definitions/SoftwareType"}}, "required": ["DigestMethod","DigestValue"], "additionalProperties": false}, "FuzzyHash": { "type": "object", "properties": { "FuzzyHashValue": { "type": "array","items": {"$ref": "#/definitions/ExtensionType"}}, "Application": {"$ref": "#/definitions/SoftwareType"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["FuzzyHashValue"], "additionalProperties": false}, "Indicator": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "IndicatorID": {"$ref": "#/definitions/IndicatorID"}, "AlternativeIndicatorID": { "type": "array", "items": {"$ref": "#/definitions/AlternativeIndicatorID"}}, "Description": {"type": "array","items": {"type": "string"}}, "StartTime": {"$ref": "#/definitions/DATETIME"}, "EndTime": {"$ref": "#/definitions/DATETIME"}, "Confidence": {"$ref": "#/definitions/Confidence"}, "Contact": { "type": "array","items": {"$ref": "#/definitions/Contact"}}, "Observable": {"$ref": "#/definitions/Observable"}, "uid-ref": {"type": "string"}, "IndicatorExpression": {"$ref": "#/definitions/IndicatorExpression"}, "IndicatorReference": {"$ref": "#/definitions/IndicatorReference"}, "NodeRole": { "type": "array","items": {"$ref": "#/definitions/NodeRole"}}, "AttackPhase": { "type": "array","items": {"$ref": "#/definitions/AttackPhase"}}, "Reference": { "type": "array","items": {"$ref": "#/definitions/Reference"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["IndicatorID"], "additionalProperties": false}, "IndicatorID": { "type": "object", "properties": { "id": {"type": "string"}, "name": {"type": "string"}, "version": {"type": "string"}}, "required": ["name","version"], "additionalProperties": false}, "AlternativeIndicatorID": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "IndicatorReference": { "type": "array", "items": {"$ref": "#/definitions/IndicatorReference"}}}, "required": ["IndicatorReference"], "additionalProperties": false}, "Observable": { "type": "object", "properties": { "restriction": {"$ref": "#/definitions/restriction"}, "ext-restriction": {"type": "string"}, "System": {"$ref": "#/definitions/System"}, "Address": {"$ref": "#/definitions/Address"}, "DomainData": {"$ref": "#/definitions/DomainData"}, "EmailData": {"$ref": "#/definitions/EmailData"}, "Service": {"$ref": "#/definitions/Service"}, "WindowsRegistryKeysModified": { "$ref": "#/definitions/WindowsRegistryKeysModified"}, "FileData": {"$ref": "#/definitions/FileData"}, "CertificateData": {"$ref": "#/definitions/CertificateData"}, "RegistryHandle": {"$ref": "#/definitions/RegistryHandle"}, "RecordData": {"type": "array", "item": {"$ref": "#/definitions/Record"}}, "EventData": {"$ref": "#/definitions/EventData"}, "Incident": {"$ref": "#/definitions/Incident"}, "Expectation": {"$ref": "#/definitions/Expectation"}, "Reference": {"$ref": "#/definitions/Reference"}, "Assessment": {"$ref": "#/definitions/Assessment"}, "DetectionPattern": {"$ref": "#/definitions/DetectionPattern"}, "HistoryItem": {"$ref": "#/definitions/HistoryItem"}, "BulkObservable": {"$ref": "#/definitions/BulkObservable"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "BulkObservable": { "type": "object", "properties": { "type": {"enum": ["asn","atm","e-mail","ipv4-addr","ipv4-net", "ipv4-net-mask","ipv6-addr","ipv6-net","ipv6-net-mask","mac", "site-url","domain-name","domain-to-ipv4","domain-to-ipv6", "domain-to-ipv4-timestamp","domain-to-ipv6-timestamp", "ipv4-port","ipv6-port","windows-reg-key","file-hash", "email-x-mailer","email-subject","http-user-agent", "http-request-url","mutex","file-path","user-name", "ext-value"]}, "ext-type": {"type": "string"}, "BulkObservableFormant":{"$ref": "#/definitions/BulkObservableFormat"}, "BulkObservableList": {"type": "array", "item":{"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "BulkObservableFormat": { "type": "object", "properties": { "Hash": {"$ref": "#/definitions/Hash"}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "IndicatorExpression": { "type": "object", "properties": { "operator": {"enum": ["not","and","or","xor"]}, "ext-operator": {"type": "string"}, "IndicatorExpression": { "type": "array", "items": {"$ref": "#/definitions/IndicatorExpression"}}, "Observable": { "type": "array","items": {"$ref": "#/definitions/Observable"}}, "uid-ref": {"type": "string"}, "IndicatorReference": { "type": "array", "items": {"$ref": "#/definitions/IndicatorReference"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}, "IndicatorReference": { "type": "object", "properties": { "uid-ref": {"type": "string"}, "euid-ref": {"type": "string"}, "version": {"type": "string"}}, "required": [], "additionalProperties": false}, "AttackPhase": { "type": "object", "properties": { "AttackPhaseID": {"type": "array","items": {"type": "string"}}, "URL": {"type": "array","items": {"$ref": "#/definitions/URLtype"}}, "Description": {"type": "array","items": {"type": "string"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": [], "additionalProperties": false}}, "title": "IODEF-Document", "description": "JSON schema for IODEF-Document class", "type": "object", "properties": { "version": {"type": "string"}, "lang": {"$ref": "#/definitions/lang"}, "format-id": {"type": "string"}, "private-enum-name": {"type": "string"}, "private-enum-id": {"type": "string"}, "Incident": { "type": "array","items": {"$ref": "#/definitions/Incident"}}, "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}}, "required": ["version","Incident"], "additionalProperties": false} Figure1:2: JSON schema7.6. Acknowledgements TBD.8.7. IANA Considerations This memo includes no request to IANA.9.8. Security Considerations This memo does not provide any further security considerations than the one described inRFC 7970[RFC7970].10. References 10.1.9. Normative References [jsonschema] "JSON Schema", 2006. http://json-schema.org/ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>. [RFC7970] Danyliw, R., "The Incident Object Description Exchange Format Version 2", RFC 7970, DOI 10.17487/RFC7970, November 2016, <https://www.rfc-editor.org/info/rfc7970>.10.2. Informative References [DOMINATION] Mad Dominators, Inc., "Ultimate Plan for Taking Over the World", 1984, <http://www.example.com/dominator.html>. [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, DOI 10.17487/RFC2629, June 1999, <https://www.rfc-editor.org/info/rfc2629>. [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, DOI 10.17487/RFC3552, July 2003, <https://www.rfc-editor.org/info/rfc3552>. [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", RFC 5226, DOI 10.17487/RFC5226, May 2008, <https://www.rfc-editor.org/info/rfc5226>.Authors' Addresses Takeshi Takahashi National Institute of Information and Communications Technology 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Phone: +81 42 327 5862 Email: takeshi_takahashi@nict.go.jp Roman Danyliw CERT, Software Engineering Institute, Carnegie Mellon University 4500 Fifth Avenue Pittsburgh, PA USA Email: rdd@cert.org Mio Suzuki National Institute of Information and Communications Technology 4-2-1 Nukui-Kitamachi Koganei, Tokyo 184-8795 Japan Email: mio@nict.go.jp