Using Contextual Security Policies for Threat Response

With the advent of accurate security monitoring tools, the alerts they gather require operators to take action to prevent damage from attackers. Intrusion prevention currently provides isolated response mechanisms that take a local action upon an attack. While this approach enhances the security of particular network access control points, it does not constitute a comprehensive approach to threat response. In this paper, we examine a new mechanism for adapting the security policy of an information system according to the threat it receives, and hence its behaviour and the services it offers. This mechanism takes into account not only threats but also legal constraints and the other objectives of the organization operating the information system: it addresses multiple security objectives and provides several trade-off options between security objectives, performance objectives, and other operational constraints. The proposed mechanism bridges the gap between preventive security technologies and intrusion detection, and builds upon existing technologies to facilitate formalization on one hand and deployment on the other.
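The abstract describes a policy whose effective rules depend on the threat the system is currently under, with the response chosen among several trade-off options subject to legal and operational constraints. The following is an added illustration of that idea, not the paper's own mechanism or code: a toy contextual policy engine in which alerts drive a threat context, the same access request gets a different decision in each context, and the response selected is the most protective one whose availability cost fits the context's budget while preserving a constraint that never relaxes (here, auditor access to logs). All contexts, rules, thresholds, response options and sample alerts are constructed assumptions.

```python
"""Illustrative contextual policy engine (added example, not the paper's code).

Rules are conditioned on a threat context derived from alerts; when the
context changes, the effective permissions and the chosen response change
with it. Every name, threshold and sample value here is a constructed
assumption chosen to make the mechanism visible, not a real deployment.
"""
from dataclasses import dataclass

# Ordered threat contexts; a higher index selects a more restrictive policy.
CONTEXTS = ["nominal", "suspected_attack", "confirmed_attack"]


@dataclass(frozen=True)
class Alert:
    severity: int      # constructed 1..10 scale
    confidence: float  # constructed 0..1 scale


@dataclass(frozen=True)
class Rule:
    context: str
    role: str
    action: str
    service: str
    permit: bool


# Constructed policy: the same (role, action, service) triple receives a
# different decision depending on which context is active.
POLICY = [
    Rule("nominal",          "guest",    "read",  "web",  True),
    Rule("nominal",          "employee", "write", "web",  True),
    Rule("suspected_attack", "guest",    "read",  "web",  True),
    Rule("suspected_attack", "employee", "write", "web",  False),
    Rule("confirmed_attack", "guest",    "read",  "web",  False),
    Rule("confirmed_attack", "employee", "write", "web",  False),
    # Constraint kept in every context: auditors can always read the logs.
    Rule("nominal",          "auditor",  "read",  "logs", True),
    Rule("suspected_attack", "auditor",  "read",  "logs", True),
    Rule("confirmed_attack", "auditor",  "read",  "logs", True),
]


@dataclass(frozen=True)
class Response:
    name: str
    security_gain: int      # constructed ordinal: higher protects more
    availability_cost: int  # constructed ordinal: higher disrupts more
    keeps_logging: bool     # stands in for a legal/operational constraint


# Constructed response options, from least to most disruptive.
RESPONSES = [
    Response("log_only",         1, 0, True),
    Response("rate_limit_web",   3, 2, True),
    Response("block_web_writes", 5, 4, True),
    Response("isolate_segment",  8, 9, False),  # would cut the log pipeline
]

# Constructed availability budget an operator accepts in each context.
BUDGET = {"nominal": 0, "suspected_attack": 3, "confirmed_attack": 9}


def derive_context(alerts, current="nominal"):
    """Escalate the threat context from a batch of alerts.

    Escalation is monotone within a batch; de-escalation is deliberately
    left to an operator rather than to a single quiet interval.
    """
    level = CONTEXTS.index(current)
    for a in alerts:
        if a.severity >= 8 and a.confidence >= 0.9:
            level = max(level, 2)
        elif a.severity >= 5:
            level = max(level, 1)
    return CONTEXTS[level]


def decide(context, role, action, service):
    """Closed policy: permit only if a rule for the active context says so."""
    for r in POLICY:
        if (r.context, r.role, r.action, r.service) == (context, role, action, service):
            return r.permit
    return False


def choose_response(context, responses=RESPONSES, budget=BUDGET):
    """Pick the most protective option that respects the hard constraint
    and stays within the availability budget of the active context."""
    candidates = [r for r in responses
                  if r.keeps_logging and r.availability_cost <= budget[context]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.security_gain).name


if __name__ == "__main__":
    batch = [Alert(severity=6, confidence=0.5)]  # constructed sample alerts
    ctx = derive_context(batch)
    print(ctx, decide(ctx, "employee", "write", "web"), choose_response(ctx))
```

The point the example makes is that escalation does not simply maximise security: under `confirmed_attack` the option with the highest security gain is rejected because it violates the constraint that must hold in every context, and the engine falls back to the next most protective option inside the budget.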
