Network, Security and Multimedia Department, Activity Report 2008
Reported alerts have to be managed by the security administrator, who has to manually launch countermeasures ensuring that the security policy is no longer violated. However, triggering the most adequate countermeasure is far from trivial, for at least two reasons: (1) the security administrator needs strong expertise in the information system configuration, and (2) he has to analyze a huge number of alerts in order to select a countermeasure. This opens a time window of opportunity for an attacker to successfully exploit its advantage. Consequently, we argue that one should focus on automated reaction to threats. Our work builds on the large body of work done both in intrusion detection and in the formalization of security policies. We assume that intrusion detection diagnosis is reliable enough to drive a dynamic reconfiguration of the security policy in response to a threat.

This work is carried out between Institut TELECOM/TELECOM Bretagne and France Telecom R&D, through the PhD thesis of Yohann Thomas. It is also supported by ANRT (CIFRE convention).

Realization

We propose to use OrBAC (Organization-based Access Control) to define a security policy that dynamically adapts to current threats. A threat is characterized by intrusion detection diagnoses. Our system triggers threat contexts which dynamically activate the security policy rules ensuring the response [2]. In addition, OrBAC provides means to define a generic policy at the abstract level (organizations, roles, activities, views and contexts), which is locally enforced at the concrete level (subjects, actions and objects). This methodology facilitates the deployment of the policy at large scale, and ensures that local countermeasures well suited to the detected threat are taken.

Figure 1. Threat response system architecture

Figure 1 shows the proposed architecture for a threat response system. An Alert Correlation Engine (ACE) collects events from the various sensors on the network and provides relevant alerts as input to the system. A Policy Instantiation Engine (PIE) is in charge of triggering threat contexts from these alerts and activating new policy rules ensuring the response to the threat. Policy rules instantiated at the PIE level are then processed by a Policy Decision Point (PDP), which decides how to manage enforcement. Thus, as opposed to the PIE, the PDP is a local decision entity, aware of the capabilities of the Policy Enforcement Points (PEPs). The PDP decides which configurations are actually pushed to the PEPs to effectively apply the new policy rules. Note that PEPs may be of various kinds: a firewall, an authentication server, a mail server, a router, a quarantine system, etc.

Conclusion

In this work, we aim at connecting monitoring systems (intrusion detection) with security policies in order to provide a response to threats. We show that the OrBAC formalism makes this possible. A prototype of the threat response system has been developed [3] to dynamically activate security rules in response to alerts, thanks to a mapping strategy which makes it possible not only to react specifically to a given intrusion, but also to protect the other threatened entities of the information system.

References

[1] H. Debar, B. Morin, F. Cuppens, F. Autrel, L. Mé, B. Vivinis, S. Benferhat, M. Ducassé and R. Ortalo. Corrélation d'alertes en détection d'intrusions. TSI, éditions Hermes, June 2004.
[2] H. Debar, Y. Thomas, N. Boulahia-Cuppens, F. Cuppens. Using contextual security policies for threat response. Third International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA), Berlin, Germany, July 2006.
[3] H. Debar, Y. Thomas, N. Boulahia-Cuppens, F. Cuppens. Threat response through the use of a dynamic security policy. Journal of Computer Virology, Springer, 2007.

Extract of Pracom's Annual Report 2008, page 42
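The ACE to PIE to PDP to PEP loop described above, reduced to a toy Python model. This is an added example written for this page; it is not the prototype of [3] nor any code from TELECOM Bretagne or France Telecom R&D. The organization name, hosts, roles, activities, views, threat-context names, alert fields and the firewall/mail-server configuration strings are all assumptions, as is the choice to make a threat context hold for every object of the targeted view (one way to realize the "protect other threatened entities" behaviour mentioned in the conclusion). Derivation of concrete prohibitions follows the usual OrBAC scheme (Empower, Consider, Use and Hold facts joined with an abstract Prohibition).

```python
"""Toy OrBAC-style threat response loop: ACE alert -> PIE threat context ->
abstract rule -> concrete prohibition -> PDP -> PEP configuration.
Added illustration only; not the prototype of [3]. Every policy entity, alert
field, context name and PEP command format below is an assumption."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:             # correlated alert as the ACE would deliver it (constructed)
    classification: str  # attack class, e.g. "ssh-bruteforce"
    source: str          # attacking host
    target: str          # attacked host
    action: str          # attacked concrete action, e.g. "ssh_login"


@dataclass(frozen=True)
class Prohibition:       # abstract OrBAC rule: Prohibition(org, role, activity, view, context)
    org: str
    role: str
    activity: str
    view: str
    context: str


@dataclass
class Policy:
    prohibitions: list
    empower: dict   # (org, subject) -> role      (OrBAC Empower)
    consider: dict  # (org, action)  -> activity  (OrBAC Consider)
    use: dict       # (org, object)  -> view      (OrBAC Use)
    hold: set = field(default_factory=set)  # Hold(org, subject, action, object, context)

    def role_of(self, org, subject):
        # Assumption: subjects absent from the inventory are external hosts.
        return self.empower.get((org, subject), "external_host")

    def concrete_prohibitions(self):
        """Is_prohibited(s, a, o) holds when an abstract prohibition matches the
        role/activity/view of (s, a, o) and its context currently holds for them."""
        out = set()
        for (org, s, a, o, ctx) in self.hold:
            for p in self.prohibitions:
                if (p.org == org and p.context == ctx
                        and self.role_of(org, s) == p.role
                        and self.consider.get((org, a)) == p.activity
                        and self.use.get((org, o)) == p.view):
                    out.add((s, a, o))
        return out


# PIE: which threat context an alert classification triggers (assumed mapping).
THREAT_CONTEXTS = {"ssh-bruteforce": "ssh_bruteforce", "smtp-relay-abuse": "smtp_abuse"}


def pie(policy, org, alert):
    """Policy Instantiation Engine: make the threat context hold for the attacker.
    The context is instantiated for every object sharing the target's view, so the
    derived prohibitions also cover the other hosts the attacker could move to."""
    ctx = THREAT_CONTEXTS.get(alert.classification)
    if ctx is None:
        return set()   # unknown classification: nothing is instantiated
    view = policy.use.get((org, alert.target))
    new = {(org, alert.source, alert.action, obj, ctx)
           for (o_org, obj), v in policy.use.items()
           if o_org == org and v == view}
    policy.hold |= new
    return new


# PDP: which PEP can enforce a prohibition on a given action, and on which port (assumed).
PEP_FOR_ACTION = {"ssh_login": ("firewall", 22), "smtp_relay": ("mailserver", 25)}


def pdp(concrete):
    """Policy Decision Point: turn concrete prohibitions into per-PEP configurations."""
    configs = []
    for (s, a, o) in sorted(concrete):
        pep, port = PEP_FOR_ACTION[a]
        if pep == "firewall":
            configs.append(f"firewall: iptables -A FORWARD -s {s} -d {o} -p tcp --dport {port} -j DROP")
        else:
            configs.append(f"{pep}: deny relay from {s} via {o} on port {port}")
    return configs


def respond(policy, org, alerts):
    """Whole loop: alerts -> threat contexts -> concrete prohibitions -> PEP configs."""
    for alert in alerts:
        pie(policy, org, alert)
    return pdp(policy.concrete_prohibitions())


def demo_policy():
    """Constructed inventory and abstract policy for a fictitious organization 'acme'."""
    return Policy(
        prohibitions=[
            Prohibition("acme", "external_host", "remote_login", "ssh_servers", "ssh_bruteforce"),
            Prohibition("acme", "external_host", "relaying", "mail_servers", "smtp_abuse"),
        ],
        empower={("acme", "10.0.0.5"): "admin_host"},
        consider={("acme", "ssh_login"): "remote_login", ("acme", "smtp_relay"): "relaying"},
        use={("acme", "srv-a"): "ssh_servers", ("acme", "srv-b"): "ssh_servers",
             ("acme", "mx-1"): "mail_servers"},
    )


if __name__ == "__main__":
    alerts = [Alert("ssh-bruteforce", "203.0.113.7", "srv-a", "ssh_login"),
              Alert("portscan", "203.0.113.9", "srv-b", "ssh_login"),     # no context mapped
              Alert("ssh-bruteforce", "10.0.0.5", "srv-b", "ssh_login")]  # admin host, not external
    for line in respond(demo_policy(), "acme", alerts):
        print(line)
```

Running the script yields two firewall rules for the first alert only: the brute-force context is held for the attacker against both hosts of the `ssh_servers` view, so `srv-b` is shielded before it is touched; the unmapped classification instantiates nothing, and the alert whose source is an inventoried admin host matches no abstract prohibition because its role is not `external_host`. Note the trust placed in the ACE: whatever it reports as `source` is what gets blocked, which is why the text above insists that the diagnosis be reliable before the loop is closed automatically.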
Reaction after detection

Research Staff: Frédéric Cuppens, Nora Cuppens-Boulahia, Yacine Bouzida, Aurélien Croissant
Keywords: Alert management, attack response, security policy, OrBAC
Applications: Security Information Management (SIM), Intrusion Detection System (IDS)
Partners & Funding: funded by the European RED (Reaction After Detection) Celtic project.

Introduction

Recent advances in intrusion detection have made it possible to assess the different alerts generated by heterogeneous IDSs and to react efficiently against some a priori known threats. However, current prevention techniques provide restrictive responses that apply a local action within a limited part of the information system infrastructure.

RED (Reaction After Detection) is a CELTIC project that aims to define an in-depth and comprehensive approach for responding to intrusions in a precise and efficient way. This new direction considers not only the threat and the architecture of the monitored information system, but also the security policy: the corresponding security objectives, the contextual data and the different operational constraints. The proposed reaction workflow links the lowest level of the information system, corresponding to intrusion detection mechanisms (including misuse and anomaly techniques) and access control mechanisms, with the higher level of the security policy. It evaluates the intrusion alerts at three different levels: the local, intermediate and global levels. It then reacts against threats with appropriate countermeasures at each level accordingly.

This research work is funded by the European CELTIC project RED (Reaction After Detection).

Realization

Reaction mechanisms may be seen in different ways. One may react directly and locally, but the threat may still propagate because of the malicious strategy followed by the intruder. The second idea consists in considering the security policy of the monitored information system and reacting against threats by taking advantage of the security policy and its flexibility to adapt the current specification to the detected threat.

In RED, we suggest a mechanism that may be seen as a self-adaptive model starting from the security policy management of the monitored information system. The different specifications of this information system are expressed using the different security objectives and requirements, in addition to the different security rules, which are expressed as permissions, prohibitions and obligations.

We suggest using the OrBAC (Organization-based Access Control) model to define a security policy that dynamically adapts to current threats. A threat is characterized by intrusion detection diagnoses. Our system triggers threat contexts which dynamically activate the security policy rules ensuring the response [1]. In addition, OrBAC provides means to define a generic policy at the abstract level, which is locally enforced at the concrete level. This methodology facilitates the deployment of the policy at large scale and ensures that different levels of reaction, well suited to the detected threat, are triggered.

The low-level tools, which include the intrusion detection and access control mechanisms implemented locally to monitor the information system, are configured according to the high-level security specifications. Then, the alerts generated are forwarded to the upper level whenever necessary, after traversing the different reaction levels, in order to evaluate the current system state, where either direct responses are launched or the whole security policy is changed according to the detected threat.

We define three levels of reaction: (1) low-level reaction, (2) intermediate-level reaction, and (3) high-level reaction. Each level considers particular security requirements and deploys appropriate security components and mechanisms to react against the detected threats.

The low-level reaction corresponds to actions that are executed automatically just after an intrusion is detected. It is therefore possible to respond immediately to an attack. This may be done, for example, by adding a reaction tag