Intrusion detection and security policy framework for distributed environments

This paper presents a novel intrusion detection approach and a new infrastructure to enforce the security policy within a distributed system. The solution guarantees the consistency of the security policy and prevents any accidental or malicious update of the local policies. The control is carried out locally (in each host) in accordance with a meta-policy that enables a distributed control to update a global security policy while satisfying global security properties. The solution is more robust in terms of fault tolerance and resists denial-of-service attacks, since all the control is carried out locally. Two levels of intrusion detection are proposed to guarantee the integrity and the consistency of the distributed policy. The first level (meta-level, or administration level) guarantees that each local policy evolves according to the global security properties; this level detects attacks that attempt inadequate alterations of the local security policies. The second level corresponds to a classical intrusion detection system, but it can take advantage of the local policy to detect attacks that violate the security objectives. That second level makes it possible to integrate and adjust various classical IDSs. Our approach enforces the security of large-scale systems.
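The two-level control described above, as an added illustration that is not the paper's own formalism: each host keeps a local policy as a set of permissions, a hypothetical meta-policy (an authorized-administrator set plus two global invariants, separation of duty and an integrity rule) validates every proposed update locally before it is applied, and a second-level monitor checks access events against the resulting local policy. The issuer names, property definitions and sample permissions are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed model: a permission is (subject, action, object); each host
# holds its own local policy and records the alerts its two detectors raise.
Perm = Tuple[str, str, str]

@dataclass
class Host:
    name: str
    policy: Set[Perm] = field(default_factory=set)
    alerts: List[str] = field(default_factory=list)

# Hypothetical meta-policy: who may change a local policy, and which global
# security properties every local policy must still satisfy after an update.
ADMINS = {"secadmin"}

def violates_global_properties(policy: Set[Perm]) -> Optional[str]:
    for s, a, o in policy:
        # Property 1 (separation of duty): nobody both submits and approves
        # the same object; checked from the "submit" side, so either order
        # of adding the two permissions is caught.
        if a == "submit" and (s, "approve", o) in policy:
            return f"SoD violated: {s} submits and approves {o}"
        # Property 2 (integrity): only trusted subjects write critical objects.
        if a == "write" and o.startswith("critical/") and not s.startswith("trusted_"):
            return f"integrity violated: {s} writes {o}"
    return None

def apply_update(host: Host, issuer: str, op: str, perm: Perm) -> bool:
    """Level 1 (meta-level) control, run locally on the host receiving the update."""
    if issuer not in ADMINS:
        host.alerts.append(f"L1 {host.name}: unauthorized policy update by {issuer}")
        return False
    candidate = set(host.policy)  # evaluate the update before committing it
    if op == "add":
        candidate.add(perm)
    else:
        candidate.discard(perm)
    reason = violates_global_properties(candidate)
    if reason:
        host.alerts.append(f"L1 {host.name}: rejected update ({reason})")
        return False
    host.policy = candidate
    return True

def check_access(host: Host, subject: str, action: str, obj: str) -> bool:
    """Level 2: policy-aware IDS check of an observed access against the local policy."""
    if (subject, action, obj) in host.policy:
        return True
    host.alerts.append(f"L2 {host.name}: {subject} attempted {action} on {obj}")
    return False
```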
