publications-hd-1990-1999.bib
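% IBM Zurich technical report RZ3126 describing PLAS, a policy language for
% authorization systems. The report series and number are carried in
% type/number so that report styles print them; howpublished is retained for
% tools that read it.
@techreport{abad1999plas,
  author       = {Abad-Peiro, Jos{\'e} L. and Debar, Herv{\'e} and
                  Schweinberger, Thomas and Trommler, Peter},
  title        = {{PLAS}-{Policy} {Language} for {Authorizations}},
  institution  = {IBM Zurich Research Laboratory},
  type         = {IBM Technical Report},
  number       = {RZ3126},
  howpublished = {IBM Technical Report RZ3126},
  publisher    = {IBM TJ Watson Research Center},
  year         = 1999,
  month        = mar,
  url          = {http://www.zurich.ibm.com/security/publications/1999/ADST99-rz3126.ps.gz},
  keywords     = {policy language, intrusion detection},
  abstract     = {A key issue in authorization services and computer
                  security in general is the definition of security
                  policies [1]. To help define security policies we
                  have developed a new policy language for
                  authorization systems (PLAS), and a framework in
                  which to apply it. This paper describes the PLAS
                  framework and shows how it can be used within
                  current fields of research in IT security such as
                  protection against downloadable code and in
                  intrusion-detection systems.},
}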
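% Journal article on the fake-terminal attack against public untrusted
% terminals (ATMs, Internet kiosks) and on ways for a user to authenticate
% the terminal. issue_date, numpages and acmid are ACM Digital Library export
% fields that standard styles ignore.
@article{asokan1999authenticating,
  author     = {Asokan, N. and Debar, Herv{\'e} and Steiner, Michael
                and Waidner, Michael},
  title      = {Authenticating public terminals},
  journal    = {Computer Networks},
  volume     = 31,
  number     = 8,
  pages      = {861--870},
  year       = 1999,
  month      = apr,
  issue_date = {April 23, 1999},
  publisher  = {Elsevier North-Holland, Inc.},
  address    = {New York, NY, USA},
  issn       = {1389-1286},
  numpages   = 10,
  acmid      = 324129,
  url        = {http://dl.acm.org/citation.cfm?id=324119.324129},
  keywords   = {Internet kiosks, authentication, fake terminal
                attack, mobility},
  abstract   = {Automatic teller machines, Internet kiosks etc. are
                examples of public untrusted terminals which are
                used to access computer systems. One of the security
                concerns in such systems is the so called fake
                terminal attack: the attacker sets up a fake
                terminal and fools unsuspecting users into revealing
                sensitive information, such as PINs or private
                e-mail, in their attempt to use these terminals. In
                this paper, we examine this problem in different
                scenarios and propose appropriate solutions. Our
                basic approach is to find ways for a user to
                authenticate a public terminal before using it to
                process sensitive information.},
}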
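% IJCNN 1992 paper applying a partially recurrent neural network to
% intrusion detection. The address field holds the location given for the
% conference, not a publisher city.
@inproceedings{debar1992application,
  author       = {Debar, Herv{\'e} and Dorizzi, Bernadette},
  title        = {An application of a recurrent network to an
                  intrusion detection system},
  booktitle    = {Proceedings of the International Joint Conference on
                  Neural Networks (IJCNN 1992)},
  volume       = 2,
  pages        = {478--483},
  year         = 1992,
  month        = jun,
  address      = {Baltimore, MD, USA},
  publisher    = {IEEE Computer Society Press},
  organization = {IEEE},
  isbn         = {0-7803-0559-0},
  doi          = {10.1109/IJCNN.1992.226942},
  url          = {http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=226942},
  keywords     = {access control, recurrent neural nets, safety
                  systems, security of data, Access control,
                  Application software, Computer hacking, Computer
                  security, Cryptography, Intrusion detection, Neural
                  networks, Operating systems, Prototypes, Recurrent
                  neural networks, anomaly detection, user behavior
                  model},
  abstract     = {We present an application of recurrent neural
                  networks for intrusion detection. Such algorithms
                  have been widely studied for time series prediction.
                  Due to the characteristics of the temporal series
                  that we consider, we have chosen a partially
                  recurrent network for our application. After a
                  description of the reactions of the network on
                  classical problems, we present a prototype that we
                  use to demonstrate the capability of neural nets in
                  the field of intrusion detection.},
}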
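% Paper at the 1992 IEEE Computer Society Symposium on Research in Security
% and Privacy: user-behaviour modelling with neural networks as a component
% of an intrusion detection system. The first author's name is spelled with
% the same accent escape as in the other entries of this file so that both
% forms sort and group as one person.
@inproceedings{debar1992neural,
  author       = {Debar, Herv{\'e} and Becker, Monique and Siboni, Didier},
  title        = {A neural network component for an intrusion
                  detection system},
  booktitle    = {Proceedings of the 1992 {IEEE} Computer Society
                  Symposium on Research in Security and Privacy},
  pages        = {240--250},
  year         = 1992,
  month        = may,
  address      = {Oakland, CA},
  publisher    = {IEEE Computer Society Press},
  organization = {IEEE},
  isbn         = {0-8186-2825-1},
  doi          = {10.1109/RISP.1992.213257},
  url          = {http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=213257},
  keywords     = {expert systems, neural nets, security of data, time
                  series, user modelling, Adaptive systems, Artificial
                  intelligence, Artificial neural networks, Computer
                  displays, Computer hacking, Expert systems,
                  Hardware, Intrusion detection, neural networks,
                  System testing},
  abstract     = {In this paper, we present a possible application of
                  neural networks as a component of an intrusion
                  detection system. Neural network algorithms are
                  emerging nowadays as a new artificial intelligence
                  technique that can be applied to real-life
                  problems. We present an approach of user behavior
                  modeling that takes advantage of the properties of
                  neural algorithms and display results obtained on
                  preliminary testing of our approach.},
}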
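% PhD thesis, written in French, on neural networks for intrusion detection
% through user-behaviour modelling. French diacritics in the title and
% abstract are written as LaTeX accent escapes, as in the school field.
@phdthesis{debar1993application,
  author   = {Debar, Herv{\'e}},
  title    = {Application des r{\'e}seaux de neurones {\`a} la
              d{\'e}tection d'intrusions sur les syst{\`e}mes
              informatiques},
  school   = {Universit{\'e} Pierre et Marie Curie},
  address  = {Paris, France},
  year     = 1993,
  month    = jun,
  url      = {http://www.theses.fr/1993PA066064},
  keywords = {intrusion detection, anomaly detection, intrusion
              detection systems, user models, neural networks},
  abstract = {La d{\'e}tection d'intrusions sur les syst{\`e}mes
              d'information est une partie de la s{\'e}curit{\'e}
              informatique qui se d{\'e}veloppe de mani{\`e}re
              importante en France. C'est une voie nouvelle de
              recherche qui a commenc{\'e} aux {\'E}tats-Unis. Un
              projet de conception d'un syst{\`e}me de d{\'e}tection
              d'intrusions men{\'e} {\`a} la CSEE a permis de
              construire un prototype et d'explorer une voie de
              recherche qui est l'utilisation des algorithmes dits
              r{\'e}seaux de neurones {\`a} l'int{\'e}rieur d'un tel
              syst{\`e}me. Nous pr{\'e}sentons d'abord une
              possibilit{\'e} d'utilisation des r{\'e}seaux de
              neurones pour mod{\'e}liser le comportement habituel
              des utilisateurs d'un syst{\`e}me informatique. Ce
              mod{\`e}le s'appuie sur une architecture de
              r{\'e}seaux de neurones relativement peu
              {\'e}tudi{\'e}e mais qui permet de faire de la
              pr{\'e}diction avec des taux de succ{\`e}s
              importants. Ce mod{\`e}le est ensuite {\'e}tudi{\'e}
              pour l'application plus particuli{\`e}re {\`a} la
              d{\'e}tection d'intrusion. Nous nous
              int{\'e}resserons {\`a} la comparaison de ce
              mod{\`e}le avec des techniques statistiques tr{\`e}s
              simples et {\`a} l'{\'e}tude de sa stabilit{\'e} et
              de l'am{\'e}lioration de ces performances. Dans un
              deuxi{\`e}me temps, nous nous int{\'e}resserons {\`a}
              sa r{\'e}action lors d'une situation d'intrusion
              simul{\'e}e. Ce mod{\`e}le r{\'e}agit de mani{\`e}re
              forte lorsque l'utilisateur sur lequel il a
              {\'e}t{\'e} entra{\^\i}n{\'e} est remplac{\'e} par un
              autre utilisateur.},
}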
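% IBM Zurich technical report RZ2998 on a workbench for experimenting with
% intrusion detection systems. Report styles print type/number rather than
% howpublished, so the report series and number are given there as well;
% howpublished is retained for tools that read it.
@techreport{debar1998experimentation,
  author       = {Debar, Herv{\'e} and Dacier, Marc and Wespi, Andreas
                  and Lampart, Stefan},
  title        = {An experimentation workbench for intrusion detection
                  systems},
  institution  = {IBM Zurich Research Laboratory},
  type         = {IBM Technical Report},
  number       = {RZ2998},
  howpublished = {IBM Technical Report RZ2998},
  publisher    = {IBM TJ Watson Research Center},
  year         = 1998,
  url          = {http://domino.watson.ibm.com/library/cyberdig.nsf/papers/647AA2A69BCC8FF2852565E6004D3897/\$File/rz2998.ps},
}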
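% ESORICS 98 paper comparing fixed-length and variable-length patterns for
% modelling normal process behaviour in intrusion detection. The Lecture
% Notes in Computer Science number is stored in volume, alongside series.
% The address field holds the location given for the conference.
@inproceedings{debar1998fixed,
  author    = {Debar, Herv{\'e} and Dacier, Marc and Nassehi, Mehdi
               and Wespi, Andreas},
  title     = {Fixed vs. variable-length patterns for detecting
               suspicious process behavior},
  booktitle = {Proceedings of the 5th European Symposium on
               Research in Computer Security (ESORICS 98)},
  editor    = {Quisquater, Jean-Jacques and Deswarte, Yves and
               Meadows, Catherine and Gollmann, Dieter},
  series    = {Lecture Notes in Computer Science},
  volume    = 1485,
  pages     = {1--15},
  year      = 1998,
  month     = sep,
  address   = {Louvain-La-Neuve, Belgium},
  publisher = {Springer Verlag},
  isbn      = {978-3-540-65004-1},
  doi       = {10.1007/BFb0055852},
  url       = {http://link.springer.com/content/pdf/10.1007\%2FBFb0055852.pdf},
  abstract  = {This paper addresses the problem of creating
               patterns that can be used to model the normal
               behavior of a given process. These models can be
               used for intrusion detection purposes. In a previous
               work, we presented a novel method to generate input
               data sets that enable us to observe the normal
               behavior of a process in a secure environment. Using
               this method, we propose various techniques to
               generate either fixed-length or variable-length
               patterns. We show the advantages and drawbacks of
               each technique, based on results of the experiments
               we have run on our testbed.},
}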
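% IFIP SEC'98 paper on collecting reference audit information for the
% normal-behaviour intrusion-detection technique of Forrest et al.
% No pages or publisher are recorded for this entry.
@inproceedings{debar1998reference,
  author    = {Debar, Herv{\'e} and Dacier, Marc and Wespi,
               Andreas},
  title     = {Reference audit information generation for intrusion
               detection systems},
  booktitle = {Proceedings of IFIP SEC'98, 14th IFIP TC11
               international information security conference},
  year      = 1998,
  month     = aug,
  address   = {Vienna, Austria and Budapest, Hungary},
  isbn      = {3-85403-116-5},
  url       = {http://www.syros.aegean.gr/users/tsp/citations_dnl/DebDacWes98a.pdf},
  abstract  = {This paper addresses the problem of generating
               reference audit information used in the
               intrusion-detection technique proposed by Forrest et
               al. (1996). This technique uses a model of normal
               behavior of the information system being monitored
               to detect attacks against it. We present a novel
               approach to collect the reference behavior
               information used by the intrusion-detection system
               to solve the problem identified by Forrest et
               al. (1997). The model of normal behavior is
               extracted from this reference information, and then
               tested against real user activity and attacks.},
}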
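% Journal article introducing a taxonomy of intrusion-detection systems;
% it shares volume 31, number 8 of Computer Networks with
% asokan1999authenticating. numpages and acmid are ACM Digital Library
% export fields that standard styles ignore.
@article{debar1999towards,
  author    = {Debar, Herv{\'e} and Dacier, Marc and Wespi,
               Andreas},
  title     = {Towards a taxonomy of intrusion-detection systems},
  journal   = {Computer Networks},
  volume    = 31,
  number    = 8,
  pages     = {805--822},
  year      = 1999,
  month     = apr,
  publisher = {Elsevier North-Holland, Inc.},
  address   = {New York, NY, USA},
  issn      = {1389-1286},
  doi       = {10.1016/S1389-1286(98)00017-6},
  numpages  = 18,
  acmid     = 324126,
  url       = {http://dl.acm.org/citation.cfm?id=324119.324126},
  keywords  = {intrusion-detection, security, taxonomy},
  abstract  = {Intrusion-detection systems aim at detecting attacks
               against computer systems and networks, or against
               information systems in general, as it is difficult
               to provide provably secure information systems and
               maintain them in such a secure state for their
               entire lifetime and for every
               utilization. Sometimes, legacy or operational
               constraints do not even allow a fully secure
               information system to be realized at all. Therefore,
               the task of intrusion-detection systems is to
               monitor the usage of such systems and to detect the
               apparition of insecure states. They detect attempts
               and active misuse by legitimate users of the
               information systems or external parties to abuse
               their privileges or exploit security
               vulnerabilities. In this paper, we introduce a
               taxonomy of intrusion-detection systems that
               highlights the various aspects of this area. This
               taxonomy defines families of intrusion-detection
               systems according to their properties. It is
               illustrated by numerous examples from past and
               current projects.},
}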
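% EICAR 1999 paper on building variable-length pattern tables with the
% Teiresias pattern-discovery algorithm for intrusion detection.
% The identifier 10.1.1.23.6768 has no prefix/suffix slash, so it is not a
% DOI and would give a dead doi.org link if stored in the doi field. Its
% shape matches a CiteSeerX document identifier (presumably; verify), so it
% is kept under a field name that styles do not render.
@inproceedings{wespi1999intrusion,
  author       = {Wespi, Andreas and Dacier, Marc and Debar,
                  Herv{\'e}},
  title        = {An intrusion-detection system based on the {Teiresias}
                  pattern-discovery algorithm},
  booktitle    = {Proceedings of {EICAR} 1999},
  editor       = {Gattiker, U. E. and Pedersen, P. and Petersen, K.},
  organization = {European Institute for Computer Antivirus Research
                  (EICAR)},
  year         = 1999,
  citeseerx    = {10.1.1.23.6768},
  abstract     = {This paper addresses the problem of creating a
                  pattern table that can be used to model the normal
                  behavior of a given process. The model can be used
                  for intrusion-detection purposes. So far, most of
                  the approaches proposed have been based on
                  fixed-length patterns, although variable-length
                  patterns seem to be more naturally suited to model
                  the normal process behavior. We have developed a
                  technique to build tables of variable-length
                  patterns. This technique is based on Teiresias, an
                  algorithm initially developed for the discovery of
                  rigid patterns in unaligned biological sequences. We
                  evaluate the quality of our technique in a testbed
                  environment and compare it with techniques based on
                  fixed-length patterns.},
}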