Open djhaynes opened 8 years ago
Whether or not we even need to do this will depend on the outcome of the discussion on issue #68.
One possible approach to deal with the large number of IEs is to create generic IEs that can be extended on a platform-by-platform basis, leveraging the abstract "category" IE datatype, which represents a type-choice between a set of IEs. For example, we could create a generic "file" IE where the associated ownerId, creationTime, lastAccessedTime, lastModifiedTime, and filePermission IEs would allow for the selection of the appropriate IE based on the platform in use. For example, on a Windows system, the ownerId IE would be a windowsUserId and the filePermissions would be windowsFilePermissions, among other IEs. The attached files provide details on what this might look like for a few existing IEs. From there, the IM would only contain these generic IEs, and the platform-specific IEs would be contained in their corresponding platform submodules (i.e. all the Windows IEs would be in one document, the Linux IEs in another, etc.).

Attachments: file example.txt, file.xlsx, interface example.txt, interface.xlsx, process example.txt, process.xlsx, service.xlsx
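The "generic IE plus category type-choice" idea above can be sketched as a small type model. This is an added illustration, not code from the issue or from the SACM information model: `windowsUserId` and `windowsFilePermissions` are the names used in the comment, while `LinuxUserId`, `LinuxFilePermissions`, the `PLATFORM_OF` table and the sample files are assumed for illustration. The check it adds, beyond what the comment says, is that every category choice inside one generic `file` IE must come from the same platform submodule, so a mixed Windows/Linux file record is rejected at validation time rather than silently accepted.

```python
"""Toy model of a generic IE whose members are category type-choices (added example)."""
from dataclasses import dataclass
from typing import Union, get_args


# --- platform-specific IEs (the Windows names are from the issue; the Linux
# --- counterparts are assumed names chosen for this example)
@dataclass(frozen=True)
class WindowsUserId:
    sid: str                      # e.g. "S-1-5-32-544" (constructed sample below)


@dataclass(frozen=True)
class LinuxUserId:
    uid: int


@dataclass(frozen=True)
class WindowsFilePermissions:
    dacl: tuple                   # tuple of (trustee, rights) pairs


@dataclass(frozen=True)
class LinuxFilePermissions:
    mode: int                     # e.g. 0o640


# --- category IEs: each is a type-choice between the platform-specific IEs
OwnerId = Union[WindowsUserId, LinuxUserId]
FilePermissions = Union[WindowsFilePermissions, LinuxFilePermissions]

# which platform submodule each concrete IE belongs to (assumed mapping)
PLATFORM_OF = {
    WindowsUserId: "windows", WindowsFilePermissions: "windows",
    LinuxUserId: "linux", LinuxFilePermissions: "linux",
}


@dataclass(frozen=True)
class File:
    """Generic 'file' IE; its category-typed members are resolved per platform."""
    path: str
    owner_id: OwnerId
    file_permissions: FilePermissions


def _check_choice(value, category) -> None:
    """Reject a value that is not one of the category's allowed IE types."""
    if not isinstance(value, get_args(category)):
        raise TypeError(f"{type(value).__name__} is not a member of the category")


def validate_file(f: File) -> str:
    """Check each member is a legal choice for its category and that all
    choices come from the same platform submodule; return that platform."""
    _check_choice(f.owner_id, OwnerId)
    _check_choice(f.file_permissions, FilePermissions)
    platforms = {PLATFORM_OF[type(f.owner_id)], PLATFORM_OF[type(f.file_permissions)]}
    if len(platforms) != 1:
        raise ValueError(f"mixed-platform file IE: {sorted(platforms)}")
    return platforms.pop()


# --- constructed sample records
WIN_FILE = File(r"C:\Windows\System32\drivers\etc\hosts",
                WindowsUserId("S-1-5-32-544"),
                WindowsFilePermissions((("BUILTIN\\Administrators", "FullControl"),)))
LINUX_FILE = File("/etc/shadow", LinuxUserId(0), LinuxFilePermissions(0o640))
MIXED_FILE = File("/etc/shadow", LinuxUserId(0), WindowsFilePermissions(()))

if __name__ == "__main__":
    for f in (WIN_FILE, LINUX_FILE):
        print(f.path, "->", validate_file(f))
    try:
        validate_file(MIXED_FILE)
    except ValueError as e:
        print("rejected:", e)
```

Splitting the model this way keeps the generic IE definitions in the core IM and moves every concrete type (and the `PLATFORM_OF` membership table) into the per-platform submodules, which is where a validator would look them up in a real implementation.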
This is one possible approach (close to the one used in CybOX)
Another possible approach would be a 'layered', more metaphysical one, using abstraction and "zoom-in" into a 'hierarchy' (ideally an ontology). This would be similar to this type of approach http://dodcio.defense.gov/Library/DoD-Architecture-Framework/dodaf20_dm2/ applied to our domain.
The current draft contains a large number of IEs. We should develop a proposal that breaks the IEs into modules. One approach for doing this might be to break the IEs up by platform.
[1] https://www.ietf.org/proceedings/interim-2016-sacm-06/slides/slides-interim-2016-sacm-06-sessa-information-model-00.pdf
[2] https://www.ietf.org/proceedings/interim-2016-sacm-06/minutes/minutes-interim-2016-sacm-06-201610131400-00