DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

More documents

Recommendations

Info

eported alerts have to be managed by thesecurity administrator, which has to manuallylaunch countermeasures ensuring that thesecurity policy is no longer violated. However,triggering the most adequate countermeasureis far from being trivial, for at least tworeasons: (1) the security administrator requiresa strong expertise of the information systemconfiguration, and (2) he has to analyze ahuge number of alerts to select acountermeasure. This opens a time window ofopportunity for an attacker to successfullyexploit its advantage. Consequently, we arguethat one should focus on automated reactiontowards threat. Our work is based on the factthat a lot of work has been done both in thefields of intrusion detection and securitypolicies formalization. We assume thatintrusion detection diagnosis is reliable enoughto provide dynamic reconfiguration of thesecurity policy in order to respond to threat.This work is realized between InstitutTELECOM/TELECOM Bretagne and FranceTelecom R&D, through the PhD thesis ofYohann Thomas. It is also supported by ANRT(CIFRE convention).RealizationWe propose to make use of OrBAC(Organization-based Access Control) to definea security policy that dynamically adapts tocurrent threats. Threat is characterizedthrough intrusion detection diagnoses. Oursystem triggers threat contexts whichdynamically activate security policy rulesensuring response [2]. In addition, OrBACprovides means to define a generic policy atthe abstract level, which is locally enforced atthe concrete level. This methodology facilitatesthe deployment of the policy at a large scale,and ensures to take local countermeasures,which are well-suited to face the detectedthreat.Figure 1. Threat response system architectureFigure 1 shows the proposed architecture for athreat response system. An Alert CorrelationEngine (ACE) is due to collect events fromvarious sensors on the network and to providerelevant alerts as an input for the system. APolicy Instantiation Engine (PIE) is in charge oftriggering threat contexts considering alertsand activating new policy rules ensuringresponse to threat. Policy rules instantiated atthe PIE level are then processed by a PolicyDecision Point (PDP), which is able to decidehow to manage enforcement. Thus, asopposed to the PIE, the PDP is a localdecisional entity, aware of the PolicyEnforcement Points (PEPs) capabilities. ThePDP decides what configurations are to beactually pushed to the PEPs to effectively applythe new policy rules. Note that PEPs may be ofvarious kinds: a firewall, an authenticationserver, a mailserver, a router, a quarantinesystem, etc.ConclusionIn this work, we aim at connecting monitoringsystems (intrusion detection) with securitypolicies in order to provide response to threat.We show that the OrBAC formalism allows toaccomplish this task. A prototype of the threatresponse system is developed [3] todynamically activate security rules in responseto alerts thanks to a mapping strategy whichprovides means not only to react specifically toa considered intrusion, but also to protectother threatened entities of the informationsystem.References[1] H. Debar, B. Morin, F. Cuppens, F. Autrel,L. Mé, B. Vivinis, S. Benferhat, M. Ducassé etR. Ortalo. Corrélation d'alertes en détectiond'intrusions . TSI, éditions Hermes. June 2004.[2] H. Debar, Y. Thomas, N. Boulahia-Cuppens, F. Cuppens. Using contextualsecurity policies for threat response . ThirdInternational Conference on Detection ofIntrusions & Malware, and VulnerabilityAssessment (DIMVA). Berlin, Germany. Juillet2006.[3] H. Debar, Y. Thomas, N. Boulahia-Cuppens, F. Cuppens. Threat response throughthe use of a dynamic security policy. Journal ofComputer Virology, Srpinger, 2007.42 Extract of Pracom’s Annual Report 2008
Reaction after detectionResearch Staff : Frédéric Cuppens, Nora Cuppens-Boulahia, Yacine Bouzida, Aurélien CroissantKeywords : Alert management, attack response, security policy, OrBACApplications : Security Information Management (SIM), Intrusion Detection System (IDS)Partners & Funding : funded by European RED (Reaction After Detection) Celtic project.IntroductionRecent advances in intrusion detection havemade it possible to assess the different alertsgenerated from heterogeneous IDSs and reactefficiently against some a priori known threats.However, current prevention techniquesprovide restrictive responses that apply a localaction in a limited information systeminfrastructure.RED (Reaction After Detection) is a CELTICproject that aims to define an in depth andcomprehensive approach for responding tointrusions in a precise and efficient way. Thisnew direction considers not only the threat andthe architecture of the monitored informationsystem, but also the security policy; thecorresponding security objectives, thecontextal data and the different operationalconstraints. The proposed reaction workflowlinks the lowest level of the information systemcorresponding to intrusion detectionmechanisms, including misuse and anomalytechniques, and access control machanismswith the higher level of the security policy. Theproposed reaction workflow evaluates theintrusion alerts in three different levels: thelocal, intermediate and global levels. It thenreacts against threats with appropriate countermeasures in each level accordingly.This research work is funded by the EuropeanCELTIC project RED (Reaction After Detection).RealizationThe reaction mechanisms may be seen indifferent ways. One may react directly andlocally but the threat may propagate due tothe malicious strategy followed by the intruder.The second idea consists in considering thesecurity policy of the monitored informationsystem and reacting against the threats bytaking advantage of the security policy and itsflexibility to adapt the current specificationwith the detected threat.In RED, we suggest a mechanism that may beseen as an auto adaptive model that startsfrom the security policy management of themonitored information system. The differentspecifications of this information system areexpressed using the different securityobjectives and requirements in addition to thedifferent security rules that are expressed aspermissions, prohibitions and obligations.We suggest using the OrBAC (OrganizationbasedAccess Control) model to define asecurity policy that dynamically adapts tocurrent threats. Threat is characterizedthrough intrusion detection diagnoses. Oursystem triggers threat contexts whichdynamically activate security policy rulesensuring response [1]. In addition, OrBACprovides means to define a generic policy atthe abstract level, which is locally enforced atthe concrete level. This methodology facilitatesthe deployment of the policy at a large scale,and ensures to trigger different levels ofreactions, which are well-suited to face thedetected threat.The low level tools include intrusion detectionand access control mechanisms that areimplemented locally to monitor the informationsystem are configured according to the highlevel security specifications. Then, according tothe different alerts generated, the alerts areforwarded to the upper level whenever it isnecessary, after traversing the differentreaction levels, to evaluate the current systemstate where either direct responses arelaunched or the whole security policy ischanged according to the detected threat.We define three levels of reaction; (1) lowlevel reaction, (2) intermediate level reaction,and (3) high level reaction. Each levelconsiders particular security requirements anddeploys appropriate security components andmechanisms to react against the detectedthreats.The low level reaction corresponds to actionsthat are executed automatically just after anintrusion is detected. Therefore, it is possibleto immediately respond to an attack. This maybe done, for example, by adding a reaction tagPracom’s Annual Report 2008 43
Page 2 and 3:
Présentation générale...........
Page 4 and 5:
Activités d’enseignementLe dépa
Page 6 and 7:
Activités de rechercheLe départem
Page 8 and 9:
Notre implication dans les organism
Page 10 and 11:
le cadre du projet NextTV4all où l
Page 12 and 13:
cloisonnement par domaine tels qu
Page 14 and 15:
- le GIS ITS (Intelligent Transport
Page 16 and 17:
Twente aux Pays Bas, Université de
Page 18 and 19: Liste des doctorants présents en 2
Page 20 and 21: Annexe 2 : liste des publicationsAr
Page 22 and 23: COMA-BREBEL Céline, CUPPENS Nora,
Page 24 and 25: PHAN LE Cam Tu, CUPPENS Frédéric,
Page 26 and 27: Annexe 3 : description détaillée
Page 28 and 29: Access Control ....................
Page 30 and 31: schemes specifically suitable for l
Page 32 and 33: An easy-to-use solution for IPv6 co
Page 34 and 35: Loss Synchronization and Router Buf
Page 36 and 37: Sensor NetworksRandom Walk Techniqu
Page 38 and 39: Suppressing Neighbor Discovery in W
Page 40 and 41: Media and NetworksIP-based transmis
Page 42 and 43: One of the most difficult aspects o
Page 44 and 45: Another direction is the associatio
Page 46 and 47: classes. In our simple study case,
Page 48 and 49: Management of Multiple Access Netwo
Page 50 and 51: Adaptation of Multimedia Flows in a
Page 52 and 53: Optimized mobility management in he
Page 54 and 55: ecause it offers a generic framewor
Page 56 and 57: Future workOur next step is to fina
Page 58 and 59: Security Analysis and ValidationAna
Page 60 and 61: RealizationFigure 1 shows a classif
Page 62 and 63: Policy AdministrationResearch Staff
Page 64 and 65: execution in a distributed manner.
Page 66 and 67: Intrusion DetectionDetection and co
Page 70 and 71: inside the corresponding detection
Page 72 and 73: function has a limitation that it d
Page 74 and 75: 1) Normal Node behavior simulation:
Page 76 and 77: negotiation. These strategies speci
Page 78 and 79: A Fast Adaptative Secure Technology
Page 80 and 81: estricted to the organization to wh
Page 82 and 83: ights and external identities, and
Page 84 and 85: Peer 2 peerP2PIm@gesResearch Staff
Page 86 and 87: Managing a Peer-to-Peer Storage Sys
Page 88 and 89: Applications of networks to transpo
Page 90 and 91: Adaptive Application Support in Mob
Page 92 and 93: Wireless Mesh NetworksResearch Staf
Page 94 and 95: TestbedsA showroom for practical IP
Page 96 and 97: egistrar and proxies, video streami
show all

DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?