Expression and Deployment of Reaction Policies

Current prevention techniques provide restrictive responses that may take a local reaction in a limited information system infrastructure. In this paper, an in depth and comprehensive approach is introduced for responding to intrusions in an efficient way. This approach considers not only the threat and the architecture of the monitored information system, but also the security policy. The proposed reaction workflow links the lowest level of the information system corresponding to intrusion detection mechanisms,including misuse and anomaly techniques, and access control techniques with the higher level of the security policy. This reaction workflow evaluates the intrusion alerts at three different levels, it then reacts against threats with appropriate counter measures in each level accordingly.

[1]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[2]  Giovanni Vigna,et al.  NetSTAT: A Network-based Intrusion Detection System , 1999, J. Comput. Secur..

[3]  Lee Badger,et al.  Security agility in response to intrusion detection , 2000, Proceedings 16th Annual Computer Security Applications Conference (ACSAC'00).

[4]  Frédéric Cuppens,et al.  LAMBDA: A Language to Model a Database for Detection of Attacks , 2000, Recent Advances in Intrusion Detection.

[5]  Frédéric Cuppens,et al.  Alert correlation in a cooperative intrusion detection framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[6]  Peng Ning,et al.  Constructing attack scenarios through correlation of intrusion alerts , 2002, CCS '02.

[7]  Salvatore J. Stolfo,et al.  Toward Cost-Sensitive Modeling for Intrusion Detection and Response , 2002, J. Comput. Secur..

[8]  Christopher Krügel,et al.  Evaluating the impact of automated intrusion response mechanisms , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[9]  Frédéric Cuppens,et al.  Modelling contexts in the Or-BAC model , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[10]  Nora Cuppens-Boulahia,et al.  A Formal Approach to Specify and Deploy a Network Security Policy , 2004, Formal Aspects in Security and Trust.

[11]  Nora Cuppens-Boulahia,et al.  Nomad: a security model with non atomic actions and deadlines , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[12]  Paulo Ferreira,et al.  Obligation policies: an enforcement platform , 2005, Sixth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'05).

[13]  Sushil Jajodia,et al.  VoIP Intrusion Detection Through Interacting Protocol State Machines , 2006, International Conference on Dependable Systems and Networks (DSN'06).

[14]  Frédéric Cuppens,et al.  Anti-correlation as a criterion to select appropriate counter-measures in an intrusion detection framework , 2006, Ann. des Télécommunications.

[15]  Frédéric Cuppens,et al.  Detecting and Reacting against Distributed Denial of Service Attacks , 2006, 2006 IEEE International Conference on Communications.

[16]  Nora Cuppens-Boulahia,et al.  High Level Conflict Management Strategies in Advanced Access Control Models , 2007, ICS@SYNASC.

[17]  Johnny S. Wong,et al.  A taxonomy of intrusion response systems , 2007, Int. J. Inf. Comput. Secur..

[18]  Nora Cuppens-Boulahia,et al.  Enabling automated threat response through the use of a dynamic security policy , 2007, Journal in Computer Virology.

[19]  Nora Cuppens-Boulahia,et al.  Advanced Reaction Using Risk Assessment in Intrusion Detection Systems , 2007, CRITIS.

[20]  Yacine Bouzida,et al.  A Framework for Detecting Anomalies in VoIP Networks , 2008, 2008 Third International Conference on Availability, Reliability and Security.