DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

More documents

Recommendations

Info

inside the corresponding detection rulesignature managed by some IntrusionDetection System. We should note here thatthe reaction must be consistent with theminimal security policy. As a matter of fact, if aservice should be active for any circumstancethen a reaction, which consists in stopping thisservice, should not be launched.The intermediate level of reaction is based ona diagnosis of the intrusion process (forinstance provided by CRIM) and used toimprove the reaction process. Activating anautomatic or a manual response depends onthe confidence level of the diagnosis and theautomatic choice may be performed bymeasuring the impact of the correspondingreaction. At the intermediate level, anticorrelation[10] may be used as a way to findautomatically a set of reactions in order to stopa global attack scenario. Some correlation andfusion tools, implemented during the lastdecade, provide a set of counter measures thatmay be either activated automatically or let theadministrator choose the appropriate ones forsecurity agility considerations.Finally, the global level reaction aims todynamivally trigger new rules of the securitypolicy according to the current threat. For thisgoal, contexts are used for renewing thesecurity policy according to the detectedthreat. Three steps are performed at this level;activating contexts, triggering generic policyrules accordingly and producing a coherent setof rules to deploy while ensuring conflictresolution with the minimal securityrequirements. As a result of this level, a newpolicy security is redeployed as long as thethreat or its consequences remain present. Areturn to a non threat situation is thenperformed by the threat context deactivationoperation.ConclusionIn this work, we aim at connecting monitoringsystems (intrusion detection) with securitypolicies in order to provide response to threat.The OrBAC formalism is used to accomplishthis task. A prototype of the threat responsesystem is developed [2] to dynamicallyactivate security rules in response to alertsthanks to a mapping strategy which providesmeans not only to react specifically to aconsidered intrusion, but also to goballyprotect other threatened entities of theinformation system.References[1] H. Debar, Y. Thomas, N. Boulahia-Cuppens, F. Cuppens. Using contextualsecurity policies for threat response . ThirdInternational Conference on Detection ofIntrusions & Malware, and VulnerabilityAssessment (DIMVA). Berlin, Germany. Juillet2006.[2] H. Debar, Y. Thomas, N. Boulahia-Cuppens, F. Cuppens. Threat response throughthe use of a dynamic security policy. Journal ofComputer Virology, Springer, 2007.44 Extract of Pracom’s Annual Report 2008
Dependable Anomaly Detection with DiagnosisResearch Staff : Frédéric Cuppens, Sylvain Gombault, Jean-Pierre Le Narzul –Post. Doc.: Wei WangKeywords : Dependability, Agreement Services, Intrusion detection, Anomaly detectionApplications : Dependable Web Servers, Anomaly Detection SystemPartners & Funding : partially funded by ANR in the framework of the ACI DADDi (Action ConcertéeIncitative)IntroductionMost current intrusion detection systems aresignature-based. The major limitation of thistechnique is its incapacity to detect newattacks, which by definition cannot be in thedatabase of signatures. Facing this problem,anomaly detection is particularly interesting.The main principle of anomaly detection is tobuild a reference model of a given entitybehavior (user, machine, service, orapplication). A deviation from this model isconsidered as an attack attempt.DADDi (Dependable Anomaly Detection withDiagnosis) is an ACI project funded by theANR (2004-2007) that deals with intrusiondetection techniques. The project consortiumincludes 4 academic institutes (Supélec, CRIL,TELECOM Bretagne, IRISA) and one industrialpartner (Orange Labs).The first objective of this ACI is to proposenew anomaly detection explicit approaches.Such approach exhibits several problems. First,it is difficult to define what is explicitlysignificant in the modeled behavior. Then, it isnecessary to take into account the normalevolutions of the observed behavior.Enhancing the explicit approach is thus a firstobjective of this project.As a second objective, DADDi suggests tointroduce an implicit approach based on aclassical approach of the dependabilitydomain: the design diversity. The goal is toforward any request to several modulesimplementing the same functionality, butthrough diverse designs (diversified COTSservers). Any difference between the resultsobtained can be interpreted as a possiblecorruption of one or several modules. In bothcases (explicit and implicit), the dependabilityproperties of the Intrusion Detection System(IDS) are also a main concern. Studying theseproperties is the third objective of this project,in order to bring intrusion tolerance propertiesto the anomaly detector.RealizationFig 1: New attack detection with explicit approachA first part of our work focused on anomalydetection with explicit reference model. Wehave investigated new methods and testedthem over the DARPA 98 traffic database. Wehave proven their efficiency and theirapplication have exceeded the wining entry ofthe KDD 99 data intrusion detection contest.Our contribution in this project is threefold.The first is the necessity to improve machinelearningmethods by adding a new class. Newinstances should be classified since theyshould not be classified as any of the knownclasses present in the learning data set [2].The second contribution consists in introducingsome necessary conditions that should beverified by a rich transformation function. Thislast point was not taken into account duringthe transformation of the DARPA98 into KDD99data sets. As a result, many attacks trafficbecame identical to normal traffic aftertransformation. We have shown that SNMPattacks were classified as normal traffic for thisreason [2]. We have then modified thetransformation function to detect attacks onSNMP traffic, to match the necessaryconditions for this service. By modifying onlythe method of calculation of two attributes, weimproved in a considerable way the rate ofdetection of the attacks on this service. But inspite of these good results the transformationPracom’s Annual Report 2008 45
Page 2 and 3:
Présentation générale...........
Page 4 and 5:
Activités d’enseignementLe dépa
Page 6 and 7:
Activités de rechercheLe départem
Page 8 and 9:
Notre implication dans les organism
Page 10 and 11:
le cadre du projet NextTV4all où l
Page 12 and 13:
cloisonnement par domaine tels qu
Page 14 and 15:
- le GIS ITS (Intelligent Transport
Page 16 and 17:
Twente aux Pays Bas, Université de
Page 18 and 19:
Liste des doctorants présents en 2
Page 20 and 21: Annexe 2 : liste des publicationsAr
Page 22 and 23: COMA-BREBEL Céline, CUPPENS Nora,
Page 24 and 25: PHAN LE Cam Tu, CUPPENS Frédéric,
Page 26 and 27: Annexe 3 : description détaillée
Page 28 and 29: Access Control ....................
Page 30 and 31: schemes specifically suitable for l
Page 32 and 33: An easy-to-use solution for IPv6 co
Page 34 and 35: Loss Synchronization and Router Buf
Page 36 and 37: Sensor NetworksRandom Walk Techniqu
Page 38 and 39: Suppressing Neighbor Discovery in W
Page 40 and 41: Media and NetworksIP-based transmis
Page 42 and 43: One of the most difficult aspects o
Page 44 and 45: Another direction is the associatio
Page 46 and 47: classes. In our simple study case,
Page 48 and 49: Management of Multiple Access Netwo
Page 50 and 51: Adaptation of Multimedia Flows in a
Page 52 and 53: Optimized mobility management in he
Page 54 and 55: ecause it offers a generic framewor
Page 56 and 57: Future workOur next step is to fina
Page 58 and 59: Security Analysis and ValidationAna
Page 60 and 61: RealizationFigure 1 shows a classif
Page 62 and 63: Policy AdministrationResearch Staff
Page 64 and 65: execution in a distributed manner.
Page 66 and 67: Intrusion DetectionDetection and co
Page 68 and 69: eported alerts have to be managed b
Page 72 and 73: function has a limitation that it d
Page 74 and 75: 1) Normal Node behavior simulation:
Page 76 and 77: negotiation. These strategies speci
Page 78 and 79: A Fast Adaptative Secure Technology
Page 80 and 81: estricted to the organization to wh
Page 82 and 83: ights and external identities, and
Page 84 and 85: Peer 2 peerP2PIm@gesResearch Staff
Page 86 and 87: Managing a Peer-to-Peer Storage Sys
Page 88 and 89: Applications of networks to transpo
Page 90 and 91: Adaptive Application Support in Mob
Page 92 and 93: Wireless Mesh NetworksResearch Staf
Page 94 and 95: TestbedsA showroom for practical IP
Page 96 and 97: egistrar and proxies, video streami
show all

DÃ©partement RÃ©seau, SÃ©curitÃ© et MultimÃ©dia Rapport d'ActivitÃ©s 2008

Create successful ePaper yourself

Delete template?

Save as template?