Enabling automated threat response through the use of a dynamic security policy

Information systems security is currently addressed with two largely separate sets of techniques: on one side, authentication, encryption and access control, governed by the definition of security policies; on the other, monitoring techniques, in particular intrusion detection systems. Security monitoring is today completely decoupled from security policy: the security requirements are not linked to the means used to verify that they are met. Most of the time, security operators must analyze monitoring results and react manually, selecting countermeasures against threats that compromise the security policy. This response process is far from trivial, since it depends both on the relevance of the threat analysis and on the adequacy of the chosen countermeasures. In this paper, we present an approach that connects monitoring techniques with security policy management in order to provide threat response. We propose an architecture that dynamically and automatically deploys a generic security policy into concrete policy instances, taking into account the threat level characterized by intrusion detection systems. Such an approach helps bridge the gap between existing detection approaches and the newer requirements of intrusion prevention systems, enabling better protection of resources and services.
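To make the deployment step concrete, the following is an added toy model (not the paper's code, and not an implementation of any particular policy language): a generic policy of abstract rules on (role, activity, view) triples, each valid in a named context; IDS alerts are aggregated into a per-view threat level; contexts activate as the level rises; the surviving rules are expanded through assignment relations into concrete (subject, action, object) rules for an enforcement point. The rule set, the role/activity/view assignments, the alert shape, the thresholds and the "prohibition wins" conflict rule are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Set


class ThreatLevel(IntEnum):
    """Threat level for one protected view, derived from IDS alerts."""
    NOMINAL = 0
    SUSPICIOUS = 1
    ATTACK = 2


@dataclass(frozen=True)
class Alert:
    """Minimal IDS alert (constructed shape for this example, not IDMEF)."""
    source: str
    target_view: str        # which protected view the alert concerns
    severity: str           # "low" | "medium" | "high"
    corroborated: bool      # True if alert correlation linked it to others


@dataclass(frozen=True)
class GenericRule:
    """Abstract rule: effect on (role, activity, view), valid in a context."""
    effect: str             # "permit" | "prohibit"
    role: str
    activity: str
    view: str
    context: str            # "nominal" | "suspicious" | "attack"


@dataclass(frozen=True, order=True)
class ConcreteRule:
    """Rule on concrete entities, ready for an enforcement point."""
    effect: str
    subject: str
    action: str
    obj: str


# A context is active once the view's threat level reaches its threshold (assumption).
CONTEXT_THRESHOLDS: Dict[str, ThreatLevel] = {
    "nominal": ThreatLevel.NOMINAL,
    "suspicious": ThreatLevel.SUSPICIOUS,
    "attack": ThreatLevel.ATTACK,
}

# Constructed generic policy and assignment relations (all assumptions).
GENERIC_POLICY: List[GenericRule] = [
    GenericRule("permit", "employee", "consult", "web_portal", "nominal"),
    GenericRule("permit", "external", "consult", "web_portal", "nominal"),
    GenericRule("prohibit", "external", "consult", "web_portal", "suspicious"),
    GenericRule("prohibit", "employee", "consult", "web_portal", "attack"),
    GenericRule("permit", "admin", "manage", "admin_console", "nominal"),
]
ROLE_MEMBERS = {"employee": ["alice", "bob"], "external": ["partner_net"], "admin": ["ops"]}
ACTIVITY_ACTIONS = {"consult": ["http_get"], "manage": ["ssh"]}
VIEW_OBJECTS = {"web_portal": ["10.0.0.10:80"], "admin_console": ["10.0.0.10:22"]}


def assess_threat(alerts: Iterable[Alert], view: str) -> ThreatLevel:
    """Aggregate the alerts targeting one view into a threat level."""
    relevant = [a for a in alerts if a.target_view == view]
    if not relevant:
        return ThreatLevel.NOMINAL
    if any(a.severity == "high" and a.corroborated for a in relevant):
        return ThreatLevel.ATTACK
    return ThreatLevel.SUSPICIOUS


def active_contexts(level: ThreatLevel) -> Set[str]:
    """Every context whose threshold the current level reaches is active."""
    return {name for name, threshold in CONTEXT_THRESHOLDS.items() if level >= threshold}


def instantiate_policy(generic: List[GenericRule], alerts: List[Alert]) -> List[ConcreteRule]:
    """Deploy the generic policy as concrete rules for the current threat state."""
    # 1. keep rules whose context is active for the view they protect
    applicable = [r for r in generic
                  if r.context in active_contexts(assess_threat(alerts, r.view))]
    # 2. conflict resolution (assumption): a prohibition on an abstract triple
    #    overrides any permission on the same triple
    prohibited = {(r.role, r.activity, r.view) for r in applicable if r.effect == "prohibit"}
    resolved = [r for r in applicable
                if r.effect == "prohibit" or (r.role, r.activity, r.view) not in prohibited]
    # 3. expand roles/activities/views into subjects/actions/objects
    concrete = set()
    for r in resolved:
        for s in ROLE_MEMBERS[r.role]:
            for a in ACTIVITY_ACTIONS[r.activity]:
                for o in VIEW_OBJECTS[r.view]:
                    concrete.add(ConcreteRule(r.effect, s, a, o))
    return sorted(concrete)


def is_allowed(rules: List[ConcreteRule], subject: str, action: str, obj: str) -> bool:
    """Decision at the enforcement point: default deny, prohibition wins."""
    matching = [r for r in rules if (r.subject, r.action, r.obj) == (subject, action, obj)]
    if any(r.effect == "prohibit" for r in matching):
        return False
    return any(r.effect == "permit" for r in matching)


if __name__ == "__main__":
    # Constructed alert stream: one corroborated high-severity alert on the portal.
    sample_alerts = [Alert("203.0.113.5", "web_portal", "high", True)]
    for rule in instantiate_policy(GENERIC_POLICY, sample_alerts):
        print(rule)
```

Re-running `instantiate_policy` on every change of the alert stream is what makes the response automatic: the generic policy never changes, only which of its contexts hold, so the operator reviews the policy once and the deployed instance follows the threat level. The per-view assessment matters for the failure mode the paper cares about (over-reaction): a corroborated attack on the portal tightens the portal rules without touching the admin console, which stays in its nominal context.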
