Using Contextual Security Policies for Threat Response

  • Hervé Debar
  • Yohann Thomas
  • Nora Boulahia-Cuppens
  • Frédéric Cuppens
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4064)


With the advent of accurate security monitoring tools, the alerts they gather require operators to take action to prevent damage from attackers. Intrusion prevention currently provides isolated response mechanisms that take a local action upon an attack. While this approach has been taken to enhance the security of particular network access control points, it does not constitute a comprehensive approach to threat response. In this paper, we examine a new mechanism for adapting the security policy of an information system according to the threat it faces, and hence its behaviour and the services it offers. This mechanism takes into account not only threats, but also legal constraints and other objectives of the organization operating the information system; it handles multiple security objectives and provides several trade-off options between security objectives, performance objectives, and other operational constraints. The proposed mechanism bridges the gap between preventive security technologies and intrusion detection, and builds upon existing technologies to facilitate formalization on one hand and deployment on the other.







Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Hervé Debar (1)
  • Yohann Thomas (1)
  • Nora Boulahia-Cuppens (2)
  • Frédéric Cuppens (2)

  1. France Télécom R&D, Caen
  2. GET/ENST Bretagne, Cesson Sévigné
