DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

More documents

Recommendations

Info

Intrusion DetectionDetection and correlation of intrusionsResearch Staff : Frédéric Cuppens, Nora Cuppens-Boulahia, Fabien Autrel, Yacine Bouzida, AurélienCroissantPh.D. Students: Wael KanounKeywords : Intrusion detection, alert correlation, attack response and correlation, CRIMApplications : Security Information Management (SIM)Partners & Funding : partially funded by the European programme CELTIC in the RED project(Reaction after Detection). partially funded by Alcatel-Lucent, ANRT through a CIFRE grant.IntroductionIntrusion detection is achieved through the useof network probes and host-based probeswhich detect suspicious or malicious actions.Those probes generate messages upon thedetection of such actions. Such messages arecalled intrusion detection alerts and must beprocessed by the system administrator tomonitor attempts to violate the security policy.However, this task becomes almost impossibledue to the high number of alerts generated perday (up to several thousands), most of thembeing false positives, i.e alerts not related toreal attacks. Intrusions can be very complexand detecting them involves the correlation ofseveral alerts.• alert correlation: alerts related to the sameintrusion are linked and ponderated topresent a comprehensible scenario to thesystem administrator• attack anticipation: this module generatesvirtual alerts to anticipate the evolution ofincomplete scenarios of attacks• response to scenarios: this module findsthe most effective responses to block ascenario or cancel the effects of an attackscenarioIn this context we have designed the CRIMmodule (Correlation and Reaction to MaliciousIntrusion) to help the system administratormanage the intrusion detection alerts.This research work is partially funded by theEuropean CELTIC project RED (Reaction AfterDetection). It is also part of a thesis supportedby ANRT through a CIFRE grant andundertaken within a collaboration betweenTELECOM Bretagne and ALCATEL-LUCENT.RealizationThe CRIM module [1] is composed of severalmodules which accomplish the following tasks(see figure 1):• alert management: alerts generated byseveral probes are centralized in adatabase for further processing• alert aggregation and fusion: similar alertsare grouped and then merged to lower thenumber of alerts to processFigure 1: The CRIM architectureThe aggregation/fusion module uses similarityfunctions between alert attributes and asimilarity threshold to aggregate similar alerts.Weights are defined over alert attributes tocomply with the fact that some attributes havedifferent meanings. Compared to other rulebasedaggregation systems, this module canprocess previously unseen alerts.The correlation and response modules rely ona semi-explicit approach based on thedescription of elementary attacks instead ofcomplete scenarios of attacks [2]. Elementaryattacks are described through the expressionof their pre-condition and post-condition. Firstorder logic is used to describe those conditionsand we have already identified a set ofpredicates allowing us to describe several40 Extract of Pracom’s Annual Report 2008
attacks. This approach automatically discoversbased on the description of elementaryattacks. In order to describe the attacks andthe counter-measures available to theresponse module, we have designed theLAMBDA language.We have defined a set of predicates to specifyboth network and system attacks in LAMBDAand developed a CRIM module that provides afriendly interface to specify attacks in LAMBDA.This module is currently being tested in thecontext of ad-networks and VOIP (Voice OverIP) intrusions.The response functionality implemented inCRIM is based on the anti-correlation principlewhich provides means to automatically selectpossible counter-measures capable of endingthe detected intrusion [3]. This approach usesa library of counter-measures also specified inthe LAMBDA language. However, countermeasuresmay actually have side effects andcan be as harmful as the detected attack. Todeal with this issue, we improve the reactionselection process by giving means to quantifythe effectiveness and select the countermeasurethat has the minimum negative sideeffect on the information system. To achievethis goal, we adopt a risk assessment andanalysis approach [4].The various CRIM modules presented abovehave been implemented in C++ and tested onseveral realistic scenarios. The software isregistered at the APP (Agence pour laProtection des Programmes) with referenceIDDN.FR.001.250007.000.R.P.2005.000.10000.ConclusionThe CRIM modules have all been implementedand tested on alerts generated by open sourceprobe, especially Snort and Bro. Researchesare still ongoing in the RED project to testCRIM and enhance the response function.References[1] F. Autrel, F. Cuppens. CRIM: un module decorrélation d'alertes et de réaction auxattaques. Annals of Telecommunications. Vol.61, no. 9-10. September-October 2006.[2] F. Cuppens et A. Miège. Alert correlation ina cooperative intrusion detection framework.IEEE Symposium on Research in Security andPrivacy, Oakland, May 2002.[3] F. Cuppens, F. Autrel, Y. Bouzida, J. García,S. Gombault, and T. Sans. Anti-correlation as acriterion to select appropriate countermeasuresin an intrusion detection framework.Annals of Telecommunications. Vol. 61, no. 1-2. January-February 2006.[4] W. Kanoun, N. Cuppens-Boulahia, F.Cuppens, F. Autrel. Advanced Reaction usingRisk Assessment in Intrusion DetectionSystems. 2nd International Workshop onCritical Information Infrastructures Security(CRITIS), Malaga, Spain, October, 2007.Threat response by policy revisionResearch Staff : Frédéric Cuppens, Nora Cuppens-Boulahia – Ph.D. Students: Yohann ThomasKeywords : Alert management, attack response, security policy, OrBACApplications : Security Information Management (SIM), Intrusion Detection System (IDS)Partners & Funding : partially funded by France Telecom R&D and ANRT through CIFRE conventionIntroductionInformation systems security is realizedthrough the use of different technologies,some of them being preventive, such asauthentication, encryption and access control,and others being corrective, such as antivirusesand intrusion detection systems. Thesedifferent tools are deployed with respect to apredefined security policy, which aims atdescribing what should be done to preserveconfidentiality, integrity and availability of theresources and services.Intrusion detection aims at reporting alertscharacterizing violations of the security policy,in particular linked with malicious activity(attacks) [1]. However, most of the time,Pracom’s report 2008 41
Page 2 and 3:
Présentation générale...........
Page 4 and 5:
Activités d’enseignementLe dépa
Page 6 and 7:
Activités de rechercheLe départem
Page 8 and 9:
Notre implication dans les organism
Page 10 and 11:
le cadre du projet NextTV4all où l
Page 12 and 13:
cloisonnement par domaine tels qu
Page 14 and 15:
- le GIS ITS (Intelligent Transport
Page 16 and 17: Twente aux Pays Bas, Université de
Page 18 and 19: Liste des doctorants présents en 2
Page 20 and 21: Annexe 2 : liste des publicationsAr
Page 22 and 23: COMA-BREBEL Céline, CUPPENS Nora,
Page 24 and 25: PHAN LE Cam Tu, CUPPENS Frédéric,
Page 26 and 27: Annexe 3 : description détaillée
Page 28 and 29: Access Control ....................
Page 30 and 31: schemes specifically suitable for l
Page 32 and 33: An easy-to-use solution for IPv6 co
Page 34 and 35: Loss Synchronization and Router Buf
Page 36 and 37: Sensor NetworksRandom Walk Techniqu
Page 38 and 39: Suppressing Neighbor Discovery in W
Page 40 and 41: Media and NetworksIP-based transmis
Page 42 and 43: One of the most difficult aspects o
Page 44 and 45: Another direction is the associatio
Page 46 and 47: classes. In our simple study case,
Page 48 and 49: Management of Multiple Access Netwo
Page 50 and 51: Adaptation of Multimedia Flows in a
Page 52 and 53: Optimized mobility management in he
Page 54 and 55: ecause it offers a generic framewor
Page 56 and 57: Future workOur next step is to fina
Page 58 and 59: Security Analysis and ValidationAna
Page 60 and 61: RealizationFigure 1 shows a classif
Page 62 and 63: Policy AdministrationResearch Staff
Page 64 and 65: execution in a distributed manner.
Page 68 and 69: eported alerts have to be managed b
Page 70 and 71: inside the corresponding detection
Page 72 and 73: function has a limitation that it d
Page 74 and 75: 1) Normal Node behavior simulation:
Page 76 and 77: negotiation. These strategies speci
Page 78 and 79: A Fast Adaptative Secure Technology
Page 80 and 81: estricted to the organization to wh
Page 82 and 83: ights and external identities, and
Page 84 and 85: Peer 2 peerP2PIm@gesResearch Staff
Page 86 and 87: Managing a Peer-to-Peer Storage Sys
Page 88 and 89: Applications of networks to transpo
Page 90 and 91: Adaptive Application Support in Mob
Page 92 and 93: Wireless Mesh NetworksResearch Staf
Page 94 and 95: TestbedsA showroom for practical IP
Page 96 and 97: egistrar and proxies, video streami
show all

DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

Create successful ePaper yourself

Delete template?

Save as template?