DOI: 10.1007/11790754_7
Article

Using contextual security policies for threat response

Published: 13 July 2006

Abstract

With the advent of accurate security monitoring tools, the alerts they gather require operators to take action to prevent damage from attackers. Intrusion prevention currently provides isolated response mechanisms that may take a local action upon an attack. While this approach has been taken to enhance the security of particular network access control points, it does not constitute a comprehensive approach to threat response. In this paper, we examine a new mechanism for adapting the security policy of an information system to the threat it faces, and hence its behaviour and the services it offers. This mechanism takes into account not only threats but also legal constraints and other objectives of the organization operating the information system; it handles multiple security objectives and offers several trade-off options between security objectives, performance objectives, and other operational constraints. The proposed mechanism bridges the gap between preventive security technologies and intrusion detection, and builds upon existing technologies to facilitate formalization on the one hand and deployment on the other.




Published In

DIMVA'06: Proceedings of the Third International Conference on Detection of Intrusions and Malware & Vulnerability Assessment
July 2006, 194 pages
ISBN: 354036014X
Editors: Roland Büschkes, Pavel Laskov

Sponsors

  • Runs
  • McAfee
  • Symantec
  • Technologiestiftung Berlin

Publisher

Springer-Verlag, Berlin, Heidelberg



Cited By

  • (2013) An Adaptive Mitigation Framework for Handling Suspicious Network Flows via MPLS Policies. Proceedings of the 18th Nordic Conference on Secure IT Systems, Volume 8208, pp. 297-312. DOI: 10.1007/978-3-642-41488-6_20. Online publication date: 18-Oct-2013
  • (2010) A DSL for specifying autonomic security management strategies. Proceedings of the 5th International Workshop on Data Privacy Management and 3rd International Conference on Autonomous Spontaneous Security, pp. 216-230. DOI: 10.5555/1964419.1964438. Online publication date: 23-Sep-2010
  • (2009) Multi-agents system service based platform in telecommunication security incident reaction. Proceedings of the Second International Conference on Global Information Infrastructure Symposium, pp. 63-68. DOI: 10.5555/1719570.1719580. Online publication date: 22-Jun-2009
  • (2009) An ontology-based approach to react to network attacks. International Journal of Information and Computer Security 3(3/4), pp. 280-305. DOI: 10.1504/IJICS.2009.031041. Online publication date: 1-Jan-2009
  • (2009) Semantic context aware security policy deployment. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pp. 251-261. DOI: 10.1145/1533057.1533092. Online publication date: 10-Mar-2009
