Abstract
Intrusion detection systems are now able to react to attacks rather than only raise alerts. Unfortunately, current prevention techniques provide only restrictive responses, typically a local reaction confined to a limited part of the information system infrastructure. In this chapter, we introduce a new comprehensive and efficient approach for responding to intrusions. This approach considers not only the threat and the architecture of the monitored information system, but also the security policy, which formally specifies security requirements that are activated when an intrusion is detected. In particular, some of the security policy rules are obligations that can be enforced as countermeasures. The proposed reaction workflow links the lowest level of the information system, corresponding to the intrusion detection mechanisms (both misuse and anomaly techniques) and the access control mechanisms, with the higher level of the security policy. The workflow evaluates intrusion alerts at three different levels and then reacts against threats with appropriate countermeasures at each level.
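The abstract describes a policy-driven reaction loop: an alert is evaluated, it activates a threat-related part of the security policy, and the obligation rules that become active are enforced as countermeasures. The following Python sketch is an added illustration of that loop and is not code from the chapter or its authors. Everything in it is an assumption made for the example: the rule shape (modality, role, action, view, context), the three evaluation levels (alert credibility, context activation, countermeasure selection), the threat-context mapping, the confidence thresholds, the "prohibition wins" conflict handling, and the sample alerts and policy.

```python
"""Added example (not from the chapter): a minimal policy-driven reaction engine.

Assumptions (not stated in the abstract): a security policy is a set of rules
(modality, role, action, view, context); 'obligation' rules become
countermeasures while their context is active; an alert activates a threat
context when its classification is known and its confidence passes a threshold.
All names, thresholds and sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    """An IDS alert with IDMEF-like fields (constructed for the example)."""
    classification: str   # attack class reported by the detector
    source: str           # attacker address
    target: str           # monitored host or service
    confidence: float     # detector's confidence, 0.0 .. 1.0
    detector: str         # "misuse" (signature-based) or "anomaly"


@dataclass(frozen=True)
class Rule:
    """Policy rule: modality applies to (role, action, view) while context holds."""
    modality: str   # "permission", "prohibition" or "obligation"
    role: str
    action: str
    view: str
    context: str


@dataclass
class Policy:
    rules: list
    active_contexts: set = field(default_factory=lambda: {"nominal"})


# Level 1 - alert evaluation: which threat context may this alert activate,
# and is the alert credible enough? (mapping and thresholds are assumptions)
THREAT_CONTEXTS = {
    "brute_force_login": ("bruteforce_ctx", 0.6),
    "port_scan": ("recon_ctx", 0.5),
}


def evaluate_alert(alert):
    """Return the threat context the alert activates, or None if it is discarded."""
    entry = THREAT_CONTEXTS.get(alert.classification)
    if entry is None:
        return None
    ctx, threshold = entry
    # Anomaly detectors raise more false positives than signatures, so
    # demand a higher confidence before an anomaly alert drives a reaction.
    if alert.detector == "anomaly":
        threshold += 0.2
    return ctx if alert.confidence >= threshold else None


# Level 2 - threat-context activation and deactivation in the policy
def activate_context(policy, ctx):
    policy.active_contexts.add(ctx)


def deactivate_context(policy, ctx):
    policy.active_contexts.discard(ctx)


# Level 3 - countermeasure selection: obligations whose context is active,
# minus those that collide with an active prohibition (prohibition wins here;
# this is an assumed conflict strategy, not necessarily the chapter's).
def countermeasures(policy):
    prohibited = {
        (r.role, r.action, r.view)
        for r in policy.rules
        if r.modality == "prohibition" and r.context in policy.active_contexts
    }
    return [
        (r.role, r.action, r.view)
        for r in policy.rules
        if r.modality == "obligation"
        and r.context in policy.active_contexts
        and (r.role, r.action, r.view) not in prohibited
    ]


def react(policy, alert):
    """Run the three levels for one alert; return the countermeasures to deploy."""
    ctx = evaluate_alert(alert)
    if ctx is None:
        return []
    activate_context(policy, ctx)
    return countermeasures(policy)


def example_policy():
    """Constructed sample policy: one nominal permission, threat-context obligations."""
    return Policy(rules=[
        Rule("permission", "employee", "login", "ssh_gateway", "nominal"),
        Rule("obligation", "firewall", "block_source", "ssh_gateway", "bruteforce_ctx"),
        Rule("obligation", "auth_server", "lock_account", "ssh_gateway", "bruteforce_ctx"),
        Rule("prohibition", "auth_server", "lock_account", "ssh_gateway", "admin_oncall_ctx"),
        Rule("obligation", "ids", "raise_sensitivity", "dmz", "recon_ctx"),
    ])


if __name__ == "__main__":
    policy = example_policy()
    alert = Alert("brute_force_login", "203.0.113.7", "ssh_gateway", 0.9, "misuse")
    print(react(policy, alert))
```

The point of the sketch is the separation the abstract draws: detectors decide only whether a context holds, while the policy decides what to do about it, so a countermeasure can be added, removed or overridden (the on-call prohibition above) without touching the detection layer.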
© 2010 Atlantis Press/World Scientific
Cuppens, F., Cuppens-Boulahia, N., Kanoun, W., Croissant, A. (2010). A Formal Framework to Specify and Deploy Reaction Policies. In: Web-Based Information Technologies and Distributed Systems. Atlantis Ambient and Pervasive Intelligence, vol 2. Atlantis Press. https://doi.org/10.2991/978-94-91216-32-9_8
DOI: https://doi.org/10.2991/978-94-91216-32-9_8
Publisher Name: Atlantis Press
Online ISBN: 978-94-91216-32-9