Since current computer infrastructures are increasingly vulnerable to malicious activities, intrusion detection is necessary but unfortunately not sufficient. We need to design effective response techniques to circumvent intrusions when they are detected. Our approach is based on a library that implements different types of counter-measures. The idea is to design a decision support tool that helps the administrator choose, from this library, the appropriate counter-measure when a given intrusion occurs. For this purpose, we formally define the notion of anti-correlation, which is used to determine the counter-measures that are effective in stopping the intrusion. Finally, we present an intrusion detection platform that implements the response mechanisms presented in this paper.
Abstract (French version): Since computer systems are increasingly vulnerable to malicious activities, the use of intrusion detection is necessary but not sufficient. We must develop effective methods of reacting to intrusions in order to stop the intrusions that are detected. Our approach is based on a library of different types of counter-measures. The objective is to help the administrator choose, from this library, the counter-measure best suited to an intrusion when it is detected. To do this, we formally define the notion of anti-correlation, which is used to select the counter-measures that make it possible to stop the intrusion. We conclude with the presentation of an intrusion detection platform implementing the mechanisms presented in this article. Keywords: computer security, intrusion detector, information protection, correlation, modelling, logical model.
We present in this paper a decentralized architecture to correlate alerts between cooperative nodes in a secure multicast infrastructure. The purpose of this architecture is to detect and prevent the use of network resources to perform coordinated attacks against third-party networks. By means of a cooperative scheme based on message passing, the different nodes of this system collaborate to detect their own participation in a coordinated attack and react to avoid it. An overview of the implementation of this architecture for GNU/Linux systems demonstrates the practicability of the system.
Current intrusion detection systems go beyond the detection of attacks and provide reaction mechanisms to cope with detected attacks, or at least to reduce their effect. Previous research has proposed methods to automatically select possible countermeasures capable of ending the detected attack. In practice, however, countermeasures have side effects and can be as harmful as the detected attack. In this paper, we propose to improve the reaction selection process by providing means to quantify the effectiveness of each countermeasure and to select the one with the minimum negative side effect on the information system. To achieve this goal, we adopt a risk assessment and analysis approach.