Part of the book series: Atlantis Ambient and Pervasive Intelligence ((ATLANTISAPI,volume 2))

Abstract

Intrusion detection systems are now able to react to attacks rather than only raise alerts. Unfortunately, current prevention techniques provide restrictive responses: typically a local reaction confined to a limited part of the information system infrastructure. In this chapter, we introduce a new comprehensive and efficient approach to responding to intrusions. This approach considers not only the threat and the architecture of the monitored information system, but also the security policy, which formally specifies the security requirements that are activated when an intrusion is detected. In particular, some of the security policy rules are obligations that can be enforced as countermeasures. The proposed reaction workflow links the lowest level of the information system, corresponding to intrusion detection mechanisms (including misuse and anomaly techniques) and access control mechanisms, with the higher level of the security policy. The workflow evaluates intrusion alerts at three different levels and reacts to threats with appropriate countermeasures at each level.
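The three-level reaction workflow sketched in the abstract, as an added Python example that is not code from the chapter: alerts from misuse and anomaly detectors are evaluated per source, each evaluation level may activate a named threat context, and the obligations in the security policy bound to an active context become the countermeasures to enforce. The context names, the levels they are mapped to, the corroboration rule (both detection techniques plus one alert at or above confidence 0.8 before the access-control level reacts), the critical-asset list and the alert sequence are all assumptions constructed for this example, not the chapter's formalism.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """A normalised intrusion alert (constructed for this example)."""
    detector: str        # "misuse" (signature-based) or "anomaly" (statistical)
    classification: str  # e.g. "portscan", "sip-invite-flood"
    source: str          # attacker address
    target: str          # attacked service
    confidence: float    # 0.0 .. 1.0 as reported by the detector


@dataclass(frozen=True)
class Obligation:
    """A policy rule: while `context` is active, `action` must be enforced at `level`."""
    context: str
    level: int
    action: str


# Hypothetical security policy: one obligation per reaction level.
POLICY = (
    Obligation("scan_in_progress", 1, "raise anomaly-detector sensitivity for the target"),
    Obligation("confirmed_intrusion", 2, "deny the source at the target's access control point"),
    Obligation("critical_service_under_attack", 3, "switch the organisation to its degraded-mode policy"),
)


class ReactionEngine:
    """Evaluates alerts per source at three levels and returns the countermeasures to enforce."""

    def __init__(self, policy=POLICY, critical_targets=(), confirm_threshold=0.8):
        self.policy = policy
        self.critical_targets = set(critical_targets)
        self.confirm_threshold = confirm_threshold  # assumed corroboration threshold
        self.history = defaultdict(list)            # source -> alerts seen so far

    def active_contexts(self, alert):
        history = self.history[alert.source]
        contexts = set()
        # Level 1 (detector level): a single anomaly alert justifies a local, low-cost reaction.
        if alert.detector == "anomaly" and alert.classification == "portscan":
            contexts.add("scan_in_progress")
        # Level 2 (access-control level): require corroboration by both detection techniques
        # and at least one high-confidence alert before denying the source.
        detectors = {a.detector for a in history}
        if {"misuse", "anomaly"} <= detectors and any(
            a.confidence >= self.confirm_threshold for a in history
        ):
            contexts.add("confirmed_intrusion")
        # Level 3 (policy level): a confirmed intrusion on a critical asset activates
        # an organisation-wide obligation.
        if "confirmed_intrusion" in contexts and alert.target in self.critical_targets:
            contexts.add("critical_service_under_attack")
        return contexts

    def react(self, alert):
        """Record the alert, evaluate the contexts it activates, return sorted (level, action) pairs."""
        self.history[alert.source].append(alert)
        contexts = self.active_contexts(alert)
        return sorted((o.level, o.action) for o in self.policy if o.context in contexts)


def demo():
    """Runs a constructed alert sequence and returns the countermeasures decided for each alert."""
    engine = ReactionEngine(critical_targets={"sip-proxy"})
    alerts = [  # constructed sample input
        Alert("anomaly", "portscan", "10.0.0.5", "sip-proxy", 0.6),
        Alert("misuse", "sip-invite-flood", "10.0.0.5", "sip-proxy", 0.9),
        Alert("misuse", "sip-invite-flood", "10.0.0.7", "intranet-web", 0.9),
    ]
    return [engine.react(a) for a in alerts]


if __name__ == "__main__":
    for step, measures in enumerate(demo(), 1):
        print(step, measures or "no reaction")
```

The first alert only triggers the level-1 local reaction; the second, corroborated by the other detection technique at high confidence against a critical service, triggers the access-control and policy-level obligations together; the third, a single uncorroborated signature hit from another source, triggers nothing, which is the point of gating the more expensive countermeasures behind the higher evaluation levels.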


Author information

Corresponding author: Frédéric Cuppens.

Copyright information

© 2010 Atlantis Press/World Scientific

About this chapter

Cite this chapter

Cuppens, F., Cuppens-Boulahia, N., Kanoun, W., Croissant, A. (2010). A Formal Framework to Specify and Deploy Reaction Policies. In: Web-Based Information Technologies and Distributed Systems. Atlantis Ambient and Pervasive Intelligence, vol 2. Atlantis Press. https://doi.org/10.2991/978-94-91216-32-9_8
