Network Connection Object Enhancement #402

Open
ikiril01 opened this issue Jan 4, 2016 · 0 comments
ikiril01 commented Jan 4, 2016

As suggested by a community member, we should consider updating the existing Network Connection Object so that it is able to characterize properties common to all network connections, including the following:

  • Start time
  • End time
  • Duration = 13.293994
  • Protocol/Service = teredo
  • Src Hostname
  • Dst Hostname
  • Src IP address
  • Src port
  • Dst IP address
  • Dst port
  • Tx_bytes = 2359
  • Rx_bytes = 11243
  • Connection State = SF
  • Overall state
  • History = Dd
  • Tx_pkts = 12
  • Rx_pkts = 13
  • Tx_ip_bytes = 2695
  • Rx_ip_bytes = 11607
  • Source_ASN
  • Destination ASN
  • Source Country Code
  • Destination Country Code

Note: Do not specify Layer7_Connections within the Network_Connection object. Instead, use a "Contains" relationship (or extension) to represent encapsulated protocols such as HTTP. With this approach, any network protocol can be added to CybOX without having to update the Network_Connection object to specifically reference each new protocol.

In addition, it would be possible to represent SSL/TLS independently, without being concerned with the duality of its operation at both layer 5 (session) and layer 6 (presentation). An added advantage of this approach is that application protocols defined in CybOX such as HTTP can inherit general network connection properties (IP address and port, etc.). In addition, this Network_Connection object can represent both bi-directional and uni-directional connections.

Also, to avoid inconsistency and confusion, the application layer should be represented in one location, preferably as a field in the Network_Connection object (Layer7_Protocol) rather than in the Network_Flow object (SiLKRecordType:Flow_Application).
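The shape proposed above, as an added illustration that is not part of the issue or of the CybOX project's code: a generic connection object carrying only the common properties, with application-layer objects attached through a "Contains" relationship rather than a protocol-specific field. The `HTTPRequest` class, the field names and the sample values beyond the counters quoted in the issue are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class NetworkConnection:
    """Generic connection: only properties common to every network connection."""
    src_ip: str
    dst_ip: str
    protocol: str                          # transport/service name, e.g. "tcp", "teredo"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    start_time: Optional[float] = None     # epoch seconds
    duration: Optional[float] = None       # seconds
    tx_bytes: int = 0
    rx_bytes: int = 0
    tx_pkts: int = 0
    rx_pkts: int = 0
    tx_ip_bytes: int = 0
    rx_ip_bytes: int = 0
    connection_state: Optional[str] = None # e.g. "SF"
    history: Optional[str] = None          # e.g. "Dd"
    # Layer-7 objects hang off a "Contains" relationship; new protocols never touch this class.
    contains: List[object] = field(default_factory=list)

    @property
    def end_time(self) -> Optional[float]:
        if self.start_time is None or self.duration is None:
            return None
        return self.start_time + self.duration

    @property
    def bidirectional(self) -> bool:
        return self.tx_pkts > 0 and self.rx_pkts > 0   # uni-directional if one side is silent

    def layer7_protocols(self) -> List[str]:
        return [type(o).__name__ for o in self.contains]

@dataclass
class HTTPRequest:
    """Hypothetical application-layer object; address/port context comes from its container."""
    method: str
    host: str
    uri: str

def build_sample() -> NetworkConnection:
    """Constructed sample using the counters quoted in the issue (documentation IP ranges)."""
    conn = NetworkConnection("192.0.2.10", "198.51.100.7", "teredo", 54321, 3544,
                             start_time=1451865600.0, duration=13.293994, tx_bytes=2359,
                             rx_bytes=11243, tx_pkts=12, rx_pkts=13, tx_ip_bytes=2695,
                             rx_ip_bytes=11607, connection_state="SF", history="Dd")
    conn.contains.append(HTTPRequest("GET", "example.com", "/"))   # "Contains" relationship
    return conn
```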
