
Enabling automated threat response through the use of a dynamic security policy

  • Invited Paper
  • Journal in Computer Virology

Abstract

Information systems security issues are currently addressed using different techniques, such as authentication, encryption and access control, through the definition of security policies, but also using monitoring techniques, in particular intrusion detection systems. We observe that security monitoring is currently completely decoupled from security policies: security requirements are not linked with the means used to control their fulfillment. Most of the time, security operators have to analyze monitoring results and react manually to provide countermeasures to threats compromising the security policy. The response process is far from trivial, since it relies both on the relevance of the threat analysis and on the adequacy of the selected countermeasures. In this paper, we present an approach that connects monitoring techniques with security policy management in order to provide a response to threats. We propose an architecture that dynamically and automatically deploys a generic security policy into concrete policy instances, taking into account the threat level characterized by intrusion detection systems. Such an approach provides a means to bridge the gap between existing detection approaches and new requirements, which clearly concern the development of intrusion prevention systems, enabling better protection of resources and services.
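The abstract describes a generic security policy being instantiated into concrete policy instances according to the threat level reported by intrusion detection. The following is an added illustration of that idea, not the paper's architecture or the authors' code: the policy rules, the view-to-host mapping, the severity scale and the alert records are all assumed and constructed here.

```python
from collections import namedtuple
from dataclasses import dataclass
from enum import IntEnum

class Threat(IntEnum):  # threat level derived from IDS alerts; higher is worse
    NONE = 0
    LOW = 1
    HIGH = 2

@dataclass(frozen=True)
class GenericRule:
    # Abstract permission: role may do activity on a view only while the observed
    # threat on the view's hosts stays at or below max_threat.
    role: str
    activity: str
    view: str
    max_threat: Threat

# Per-host decision an enforcement point can consume ("permit" or "deny").
ConcreteRule = namedtuple("ConcreteRule", "subject action target decision")

# Hypothetical generic policy and abstract-to-concrete mapping (assumed, not the paper's).
GENERIC_POLICY = [
    GenericRule("external_user", "browse", "public_web", Threat.LOW),
    GenericRule("admin", "manage", "public_web", Threat.HIGH),
    GenericRule("external_user", "send_mail", "mail_relay", Threat.NONE),
]
VIEW_TO_HOSTS = {"public_web": ["webserver"], "mail_relay": ["mailserver"]}

# Constructed sample of a reduced IDS alert stream (target host plus severity).
CONSTRUCTED_ALERTS = [
    {"target": "webserver", "severity": "low"},
    {"target": "webserver", "severity": "high"},
    {"target": "mailserver", "severity": "low"},
]

def threat_level(alerts, target):
    """Highest alert severity reported for a host; no alerts means Threat.NONE."""
    sev = {"low": Threat.LOW, "high": Threat.HIGH}
    return max((sev.get(a["severity"], Threat.NONE) for a in alerts
                if a["target"] == target), default=Threat.NONE)

def deploy(policy, view_to_hosts, alerts):
    """Instantiate the generic policy into per-host decisions for the current threat
    level; rerun whenever the alert stream changes to redeploy the policy."""
    concrete = []
    for rule in policy:
        for host in view_to_hosts.get(rule.view, []):
            level = threat_level(alerts, host)
            decision = "permit" if level <= rule.max_threat else "deny"
            concrete.append(ConcreteRule(rule.role, rule.activity, host, decision))
    return concrete
```

With the constructed alerts, the high-severity alert on webserver revokes external browsing while admin management stays permitted; with an empty alert stream every rule is permitted again.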



Corresponding author
Correspondence to Yohann Thomas.


Cite this article

Debar, H., Thomas, Y., Cuppens, F. et al. Enabling automated threat response through the use of a dynamic security policy. J Comput Virol 3, 195–210 (2007). https://doi.org/10.1007/s11416-007-0039-z
