
Publications 2000-2009

Publications from 2000 to 2009; the work was performed at Orange Labs.

Nora Cuppens-Boulahia, Frédéric Cuppens, Fabien Autrel, and Hervé Debar. An ontology-based approach to react to network attacks. International Journal of Information and Computer Security, 3(3/4):280-305, January 2009. [ bib | DOI | http ]

Intrusion detection requirements enforced by Intrusions Detection Systems (IDSs) are generally considered independently from the remainder of the security policy. Our approach is to consider that intrusion detection requirements are actually a part of the access control policy. This provides means to formally specify in a reaction policy what should happen in case of intrusion. It is then possible to integrate these requirements into a deploying process in order to automatically configure security components. In this paper, we propose a contextual and ontology-based approach to express and instantiate this reaction policy. We then define a reaction process based on the concepts of dynamic threat organisation and threat contexts and a set of rules used to map alerts onto threat contexts to perform the instantiation of the policy-based reaction in response to the detected intrusion.

Keywords: IDS, OrBAC, access control policy, attack reaction, intrusion detection systems, network attacks, ontology, organisation based access control, policy instantiation, threat context, threat organisation

Diala Abi Haidar, Nora Cuppens-Boulahia, Frédéric Cuppens, and Hervé Debar. XeNA: an access negotiation framework using XACML. Annals of Telecommunications - Annales des Télécommunications, 64(1-2):155-169, 2009. [ bib ]

Grégoire Jacob, Eric Filiol, and Hervé Debar. Formalization of malware through process calculi. arXiv preprint arXiv:0902.0469, 2009. [ bib ]

Grégoire Jacob, Eric Filiol, and Hervé Debar. Functional polymorphic engines: formalisation, implementation and use cases. Journal in Computer Virology, 5(3):247-261, 2009. [ bib ]

Grégoire Jacob, Hervé Debar, and Eric Filiol. Malware behavioral detection by attribute-automata using abstraction from platform and language. Recent Advances in Intrusion Detection, pages 81-100, 2009. [ bib ]

Nizar Kheir, Hervé Debar, Nora Cuppens-Boulahia, Frédéric Cuppens, and Jouni Viinikka. Cost evaluation for intrusion response using dependency graphs. In Proceedings of the International Conference on Network and Service Security (N2S'09), pages 1-6. IEEE, 2009. [ bib ]

Nizar Kheir, Hervé Debar, Frédéric Cuppens, Nora Cuppens-Boulahia, and Jouni Viinikka. A service dependency modeling framework for policy-based response enforcement. In Ulrich Flegel and Danilo Bruschi, editors, Proceedings of DIMVA 2009, Detection of Intrusions and Malware, and Vulnerability Assessment, volume 5587 of Lecture Notes in Computer Science, pages 176-195. Springer Berlin Heidelberg, 2009. [ bib | DOI | http ]

The use of dynamic access control policies for threat response adapts local response decisions to high level system constraints. However, security policies are often carefully tightened during system design-time, and the large number of service dependencies in a system architecture makes their dynamic adaptation difficult. The enforcement of a single response rule requires performing multiple configuration changes on multiple services. This paper formally describes a Service Dependency Framework (SDF) in order to assist the response process in selecting the policy enforcement points (PEPs) capable of applying a dynamic response rule. It automatically derives elementary access rules from the generic access control, either allowed or denied by the dynamic response policy, so they can be locally managed by local PEPs. SDF introduces a requires/provides model of service dependencies. It models the service architecture in a modular way, and thus provides both extensibility and reusability of model components. SDF is defined using the Architecture Analysis and Design Language, which provides formal concepts for modeling system architectures. This paper presents a systematic treatment of the dependency model which aims to apply policy rules while minimizing configuration changes and reducing resource consumption.

Keywords: intrusion detection, intrusion response, counter-measures, service dependencies, OrBAC, security policies, response architecture, counter-measures architecture

Benjamin Morin, Ludovic Mé, Hervé Debar, and Mireille Ducassé. A logic-based model to support alert correlation in intrusion detection. Information Fusion, 10(4):285-299, 2009. [ bib | DOI | http ]

Managing and supervising security in large networks has become a challenging task, as new threats and flaws are being discovered on a daily basis. This requires an in-depth and up-to-date knowledge of the context in which security-related events occur. Several tools have been proposed to support security operators in this task, each of which focuses on some specific aspects of the monitoring. Many alarm fusion and correlation approaches have also been investigated. However, most of these approaches suffer from two major drawbacks. First, they only take advantage of the information found in alerts, which is not sufficient to achieve the goals of alert correlation, that is to say to reduce the overall amount of alerts while enhancing their semantics. Second, these techniques have been designed on an ad hoc basis and lack a shared data model that would allow them to reason about events in a cooperative way. In this paper, we propose a federative data model for security systems to query and assert knowledge about security incidents and the context in which they occur. This model constitutes a consistent and formal ground to represent the information that is required to reason about complementary evidence, in order to confirm or invalidate alerts raised by intrusion detection systems.

Keywords: intrusion detection, alert correlation, data model

Jouni Viinikka, Hervé Debar, Ludovic Mé, Anssi Lehikoinen, and Mika Tarvainen. Processing intrusion detection alert aggregates with time series modeling. Information Fusion, 10(4):312-324, 2009. [ bib | DOI | http ]

The main use of intrusion detection systems (IDS) is to detect attacks against information systems and networks. Normal use of the network and its functioning can also be monitored with an IDS. It can be used to control, for example, the use of management and signaling protocols, or the network traffic related to some less critical aspects of system policies. These complementary usages can generate large numbers of alerts, but still, in an operational environment, the collection of such data may be mandated by the security policy. Processing this type of alert presents a different problem than correlating alerts directly related to attacks or filtering incorrectly issued alerts. We aggregate individual alerts into alert flows, and then process the flows instead of individual alerts for two reasons. First, this is necessary to cope with the large quantity of alerts, a common problem among all alert correlation approaches. Second, an individual alert's relevancy is often indeterminable, but irrelevant alerts and interesting phenomena can be identified at the flow level. This is the particularity of the alerts created by the complementary uses of IDSes. Flows consisting of alerts related to normal system behavior can contain strong regularities. We propose to model these regularities using non-stationary autoregressive models. Once modeled, the regularities can be filtered out to relieve the security operator from manual analysis of true, but low-impact, alerts. We present experimental results using these models to process voluminous alert flows from an operational network.

Keywords: network security, intrusion detection, alert correlation, time series modeling, Kalman filtering

Nora Cuppens-Boulahia, Frédéric Cuppens, Jorge E. López de Vergara, Enrique Vázquez, Javier Guerra, and Hervé Debar. An ontology-based approach to react to network attacks. In Proceedings of the Third International Conference on Risks and Security of Internet and Systems (CRiSIS '08.), pages 27-35, October 2008. [ bib | DOI | .pdf ]

To address the evolution of security incidents in current communication networks, it is important to react quickly and efficiently to an attack. The RED (Reaction after Detection) project is defining and designing solutions to enhance the detection/reaction process, improving the overall resilience of IP networks to attacks and helping telecommunication and service providers to maintain sufficient quality of service and respect service level agreements. Within this project, a main component is in charge of instantiating new security policies that counteract the network attacks. This paper proposes an ontology-based approach to instantiate these security policies. This technology provides a way to map alerts into attack contexts, which are used to identify the policies to be applied in the network to solve the threat. For this, ontologies to describe alerts and policies are defined, using inference rules to perform such mappings.

Keywords: ontologies (artificial intelligence), quality of service, telecommunication computing, telecommunication network management, telecommunication security, IP networks, Reaction after Detection project, inference rules, network attacks, ontology-based approach, communication networks, communication system security, OWL, resilience, TV, telecommunications, web and internet services, attack reaction, IDMEF, OrBAC, SWRL, ontology, policy instantiation

Yannick Carlinet, Ludovic Mé, Hervé Debar, and Yvon Gourhant. Analysis of computer infection risk factors based on customer network usage. In Proceedings of the Second International Conference on Emerging Security Information, Systems and Technologies (SECURWARE'08), pages 317-325. IEEE, August 2008. [ bib | DOI | .pdf ]

Epidemiology, the science that studies the cause and propagation of diseases, provides us with the concepts and methods to analyze the potential risk factors to which ADSL customers' PCs are exposed, with respect to their usage of network applications. This paper details the analysis of the traffic of a large set of real ADSL customers in the core network. We build a profile of network usage for each customer and we detect malicious ones. Based on these data, we study the impact of some characteristics in ADSL customer profiles on their likelihood of generating malicious traffic. We find two application types that are risk factors, and we also bring evidence that the type of operating system greatly impacts the odds of being infected. Based on these results, we build a profile of customers more likely to be infected.

Keywords: digital subscriber lines, operating systems (computers), security of data, ADSL customer PC, computer infection risk factors, core network, customer network usage, disease propagation, epidemiology, malicious traffic, operating system, computer networks, computer security, computer worms, customer profiles, diseases, information analysis, information security, personal communication networks, risk analysis, telecommunication traffic, malware, risk profile, traffic analysis, user profiling

Nora Cuppens-Boulahia, Frédéric Cuppens, Diala Abi Haidar, and Hervé Debar. Negotiation of prohibition: An approach based on policy rewriting. In Sushil Jajodia, Pierangela Samarati, and Stelvio Cimato, editors, Proceedings of the IFIP TC11 23rd International Information Security Conference (IFIPSEC 2008), volume 278 of IFIP – The International Federation for Information Processing, pages 173-187. Springer, 2008. [ bib | DOI | .pdf ]

In recent security architectures, it is possible that the security policy is not evaluated in a centralized way but requires negotiation between the subject who is requesting the access and the access controller. This negotiation is generally based on exchanging credentials between the parties so that the access controller can decide to accept or deny the requested access. Previous proposals in this field generally assume, implicitly or explicitly, that the access control policy only contains permissions. In this paper, we present a new approach to negotiation when the security policy contains both permissions and prohibitions. In this case, we claim that it would not be fair to ask for credentials to directly activate prohibitions. Thus, our approach consists in rewriting the policy into an equivalent one that only contains permissions. Since the rewritten policy specifies negative conditions, we then show how to define strategies to negotiate these negative conditions.

Keywords: security policies, OrBAC, negotiation

Hervé Debar, Yohann Thomas, Frédéric Cuppens, and Nora Cuppens-Boulahia. Response: bridging the link between intrusion detection alerts and security policies. Intrusion Detection Systems, 38:129-170, 2008. [ bib | DOI ]

With the deployment of intrusion detection systems has come the question of alert usage. The current trend of intrusion prevention systems provides mechanisms for isolated response, suffering from two important drawbacks. First, the response is applied at a single point of the information system. Second, its application is repeated every time an alert condition is raised. Both drawbacks result in a suboptimal response system, where security is improved at these particular network or host access control points, but where service dependencies are not taken into account. In this paper, we examine a new mechanism for adapting the security policy of an information system according to the threat it receives, and hence its behaviour and the services it offers. This mechanism takes into account not only threats, but also legal constraints and other objectives of the organization operating this information system, taking into account multiple security objectives and providing several trade-off options between security objectives, performance objectives, and other operational constraints. The proposed mechanism bridges the gap between preventive security technologies and intrusion detection, and builds upon existing technologies to facilitate formalization on one hand, and deployment on the other hand.

Keywords: intrusion detection, intrusion response, threat response, dynamic response, security information and event management, counter-measures, security policies, OrBAC

Grégoire Jacob, Hervé Debar, and Eric Filiol. Behavioral detection of malware: from a survey towards an established taxonomy. Journal in Computer Virology, 4(3):251-266, 2008. [ bib ]

Grégoire Jacob, Eric Filiol, and Hervé Debar. Malware as interaction machines: a new framework for behavior modelling. Journal in Computer Virology, 4(3):235-250, 2008. [ bib ]

Hervé Debar. Cognitive Networks: Towards Self-Aware Networks, chapter Intrusion Detection in Cognitive Networks, pages 293-313. John Wiley & Sons, Ltd, August 2007. [ bib ]

Hervé Debar, David A. Curry, and Benjamin S. Feinstein. RFC 4765: The Intrusion Detection Message Exchange Format (IDMEF). RFC 4765, RFC Editor, March 2007. [ bib | .txt ]

The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them. This document describes a data model to represent information exported by intrusion detection systems and explains the rationale for using this model. An implementation of the data model in the Extensible Markup Language (XML) is presented, an XML Document Type Definition is developed, and examples are provided.

Hervé Debar, Yohann Thomas, Frédéric Cuppens, and Nora Cuppens-Boulahia. Enabling automated threat response through the use of a dynamic security policy. Journal in Computer Virology, 3(3):195-210, 2007. [ bib | DOI | http ]

Information systems security issues are currently being addressed using different techniques, such as authentication, encryption and access control, through the definition of security policies, but also using monitoring techniques, in particular intrusion detection systems. We can observe that security monitoring is currently totally decorrelated from security policies, that is, security requirements are not linked with the means used to control their fulfillment. Most of the time, security operators have to analyze monitoring results and manually react to provide countermeasures to threats compromising the security policy. The response process is far from trivial, since it relies both on the relevance of the threat analysis and on the adequacy of the selected countermeasures. In this paper, we present an approach aiming at connecting monitoring techniques with security policy management in order to provide a response to threats. We propose an architecture that dynamically and automatically deploys a generic security policy into concrete policy instances, taking into account the threat level characterized thanks to intrusion detection systems. Such an approach provides means to bridge the gap between existing detection approaches and new requirements, which clearly deal with the development of intrusion prevention systems, enabling a better protection of the resources and services.

Keywords: intrusion detection, intrusion response, threat response, dynamic response, security information and event management, counter-measures, security policies, OrBAC

Diala Abi Haidar, Nora Cuppens-Boulahia, Frédéric Cuppens, and Hervé Debar. Access negotiation within XACML architecture. In Second Joint Conference on Security in Network Architectures and Security of Information Systems (SARSSI 2007), 2007. [ bib ]

Diala Abi Haidar, Nora Cuppens-Boulahia, Frédéric Cuppens, and Hervé Debar. Resource classification based negotiation in web services. In IAS, pages 313-318, 2007. [ bib ]

Hervé Debar and Elvis Tombini. WebAnalyzer: accurate detection of HTTP attack traces in web server logs. Annales des Télécommunications, 61(5-6):682-704, June 2006. [ bib | DOI | http ]

Keywords: Internet security, web server, intrusion detection, data analysis

Yohann Thomas, Hervé Debar, and Benjamin Morin. Improving security management through passive network observation. In Proceedings of the First International Conference on Availability, Reliability and Security (ARES'06), 8 pp., Los Alamitos, CA, USA, April 2006. IEEE Computer Society. [ bib | DOI | .html ]

Detailed and reliable knowledge of the characteristics of an information system is becoming a very important feature for operational security. Unfortunately, vulnerability assessment tools have important side effects on the monitored information systems. In this paper, we propose an approach to gather or deduce information similar to vulnerability assessment reports, based on passive network observation. Information collected goes beyond classic server vulnerability assessment, enabling compliance verification of desktop clients.

Keywords: client-server systems, computer network management, security of data, compliance verification, desktop clients, information system, passive network observation, security management, server vulnerability assessment reports, databases, information security, information systems, management information systems, monitoring, passive networks, research and development, software agents, system testing

Diala Abi Haidar, Nora Cuppens-Boulahia, Frédéric Cuppens, and Hervé Debar. An extended RBAC profile of XACML. In Proceedings of the 3rd ACM Workshop on Secure Web Services (SWS '06), pages 13-22, New York, NY, USA, 2006. ACM. [ bib | DOI | http ]

Nowadays many organizations use security policies to control access to sensitive resources. Moreover, exchanging or sharing services and resources is essential for these organizations to achieve their business objectives. Since the eXtensible Access Control Markup Language (XACML) was standardized by the OASIS community, it has been widely deployed, making it easier to interoperate with other applications using the same standard language. OASIS has defined an RBAC profile of XACML that illustrates how organizations that would like to use the RBAC model can express their access control policy within this standard language. This work analyzes the RBAC profile of XACML, showing its limitations in responding to all the requirements for access control. We then suggest adding some functionalities within an extended RBAC profile of XACML. This new profile is expected to respond to more advanced access control requirements such as user-user delegation, access element abstractions and contextual applicability of the policies.

Keywords: OrBAC, RBAC, XACML, access control

Hervé Debar and Jouni Viinikka. Security information management as an outsourced service. Information Management & Computer Security, 14(5):417-435, 2006. [ bib | DOI | http ]

Security information management (SIM) has emerged recently as a strong need to ensure the ongoing security of information systems. However, deploying a SIM and the associated sensors is a challenge in any organization, as the complexity and cost of such a project are difficult to bear. This paper aims to present an architecture for outsourcing a SIM platform, and discuss the issues associated with the deployment of such an environment. The paper explains that the day-to-day operation of a SIM is beyond the financial capabilities of all but the largest organizations, as the SIM must be monitored constantly to ensure timely reaction to alerts. Many managed security services providers (MSSP), therefore, propose outsourcing the alert management activities. Sensors are deployed within the customer's infrastructure, and the alerts are sent to the outsourced SIM along with additional log information.

Keywords: communication technologies, data security, information systems, intrusion detection, security information and event management, SIEM, managed security services, managed security services providers, MSSP

Hervé Debar, Yohann Thomas, Nora Boulahia-Cuppens, and Frédéric Cuppens. Using contextual security policies for threat response. In Roland Büschkes and Pavel Laskov, editors, Detection of Intrusions and Malware & Vulnerability Assessment, volume 4064 of Lecture Notes in Computer Science, pages 109-128. Springer Berlin Heidelberg, 2006. [ bib | DOI | http ]

With the appearance of accurate security monitoring tools, the gathered alerts require operators to take action to prevent damage from attackers. Intrusion prevention currently provides isolated response mechanisms that may take a local action upon an attack. While this approach has been taken to enhance the security of particular network access control points, it does not constitute a comprehensive approach to threat response. In this paper, we examine a new mechanism for adapting the security policy of an information system according to the threat it receives, and hence its behaviour and the services it offers. This mechanism takes into account not only threats, but also legal constraints and other objectives of the organization operating this information system, taking into account multiple security objectives and providing several trade-off options between security objectives, performance objectives, and other operational constraints. The proposed mechanism bridges the gap between preventive security technologies and intrusion detection, and builds upon existing technologies to facilitate formalization on one hand, and deployment on the other hand.

Keywords: intrusion detection, intrusion response, threat response, dynamic response, security information and event management, counter-measures, security policies, OrBAC

Jouni Viinikka, Hervé Debar, Ludovic Mé, and Renaud Séguier. Time series modeling for IDS alert management. In Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security (ASIACCS'06), pages 102-113, New York, NY, USA, 2006. ACM. [ bib | DOI | http ]

Intrusion detection systems create large amounts of alerts. A significant part of these alerts can be seen as the background noise of an operational information system, and its quantity typically overwhelms the user. In this paper we have three points to make. First, we present our findings regarding the causes of this noise. Second, we provide some reasoning why one would like to keep an eye on the noise despite the large number of alerts. Finally, one approach for monitoring the noise with reasonable user load is proposed. The approach is based on modeling regularities in alert flows with classical time series methods. We present experiments and results obtained using real-world data.

Keywords: intrusion detection, alerts, background noise, time series

Benjamin Morin and Hervé Debar. Conceptual analysis of intrusion alarms. In Fabio Roli and Sergio Vitulano, editors, Proceedings of the 13th International Conference on Image Analysis and Processing (ICIAP 2005), volume 3617 of Lecture Notes in Computer Science, pages 91-98, Cagliari, Italy, September 2005. Springer Berlin Heidelberg. [ bib | DOI | http ]

Security information about information systems provided by current intrusion detection systems (IDS) is spread over numerous similar and fine-grained alerts. Security operators are consequently overwhelmed by alerts whose content is too poor. Alarm correlation techniques are used to reduce the number of alerts and enhance their content. In this paper, we tackle the alert correlation problem as an information retrieval problem in order to make the handling of alert groups easier.

Keywords: intrusion detection, alert correlation

Hervé Debar and Elvis Tombini. Webanalyzer: Détection précise d’attaques contre les serveurs HTTP. In Proceedings of the 4th Conference on Security and Network Architectures (SAR’05), Batz sur Mer, France, June 2005. [ bib ]

Hervé Debar, Benjamin Morin, Vincent Boissée, and Didier Guérin. An infrastructure for distributed event acquisition. In Janusz S. Kowalik, Janusz Gorski, and Anatoly Sachenko, editors, Cyberspace Security and Defense: Research Issues, volume 196 of NATO Science Series II: Mathematics, Physics and Chemistry, pages 349-365. Springer Netherlands, 2005. [ bib | DOI | http ]

This paper describes a distributed application for acquiring events from different equipment in a lightweight fashion. The architecture of the application is fully distributed, and takes advantage of standard tools such as web servers and relational databases. Several prototypes of the application have been deployed in our corporate network to monitor multiple environments. This paper defines the architecture of the distributed application around four axes, according to the interaction they have with the data repository and the outside world. It also defines the kind of information that is stored in the database according to three categories.

Keywords: intrusion detection, alert management, operational security, security information management, alert correlation, security information and event management, SIEM

Hervé Debar and Jouni Viinikka. Intrusion detection: Introduction to intrusion detection and security information management. Foundations of Security Analysis and Design III, 3655:207-236, 2005. [ bib | DOI | http ]

This paper covers intrusion detection and security information management technologies. It presents a primer on intrusion detection, focusing on data sources and analysis techniques. Data sources presented therein are classified according to the capture mechanism and we include an evaluation of the accuracy of these data sources. Analysis techniques are classified into misuse detection, using the explicit body of knowledge about security attacks to generate alerts, and anomaly detection, where the safe or normal operation of the monitored information system is described and alerts generated for anything that does not belong to that model. It then describes security information management and alert correlation technologies that are in use today. We particularly describe statistical modeling of alert flows and explicit correlation between alert information and vulnerability assessment information.

Keywords: intrusion detection, security information management, alert correlation, security information and event management, SIEM

Fabien Pouget, Marc Dacier, V. H. Pham, and Hervé Debar. Honeynets: foundations for the development of early warning information systems. In Janusz Kowalik, Janusz Gorski, and Anatoly Sachenko, editors, Cyberspace Security and Defense: Research Issues, volume 196 of NATO Science Series II: Mathematics, Physics and Chemistry, pages 231-257. Springer Netherlands, 2005. [ bib | DOI | http ]

This paper aims at presenting in some depth the "Leurré.com" project and its first results. The project aims at deploying so-called low-level interaction honeypot platforms all over the world to collect in a centralized database a set of information amenable to the analysis of today's Internet threats. At the time of this writing, around two dozen platforms have been deployed on five continents. The paper offers some insight into the findings that can be derived from such a data set. More importantly, the design and the structure of the repository are presented and justified by means of several examples that highlight the simplicity and efficiency of extracting useful information out of it. We explain why such a low-cost, largely distributed system represents an important, foundational element toward the building of early warning information systems.

Keywords: honeynet, Internet attacks, database, malware, cybercrime

Elvis Tombini, Hervé Debar, Ludovic Mé, and Mireille Ducassé. A serial combination of anomaly and misuse IDSes applied to HTTP traffic. In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC '04), pages 428-437, Washington, DC, USA, December 2004. IEEE Computer Society. [ bib | DOI | http ]

Combining an "anomaly" and a "misuse" IDS offers the advantage of separating the monitored events into normal, intrusive or unqualified classes (i.e. not known as an attack, but not recognized as safe either). In this article, we provide a framework to systematically reason about the combination of anomaly and misuse components. This framework, applied to web servers, led us to propose a serial architecture, using a drastic anomaly component with a sensitive misuse component. This architecture provides the operator with a better qualification of the detection results, and raises a lower amount of false alarms and unqualified events.

Keywords: intrusion detection, misuse detection, anomaly detection, combination, resolver, web server

Hervé Debar. Analyse et détection d'intrusions, volume H5840. Ed. Techniques de l'Ingénieur, October 2004. [ bib | http ]

Jouni Viinikka and Hervé Debar. Monitoring IDS background noise using EWMA control charts and alert information. In Erland Jonsson, Alfonso Valdes, and Magnus Almgren, editors, Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID 2004), volume 3224 of Lecture Notes in Computer Science, pages 166-187. Springer Berlin Heidelberg, September 2004. [ bib | DOI | http ]

Intrusion detection systems typically create large amounts of alerts, the processing of which is a time-consuming task for the user. This paper describes an application of exponentially weighted moving average (EWMA) control charts used to help the operator in alert processing. Depending on his objectives, some alerts are individually insignificant, but when aggregated they can provide important information on the monitored system's state. Thus it is not always the best solution to discard those alerts, for instance by means of filtering, correlation, or by simply removing the signature. We deploy a widely used EWMA control chart for extracting trends and highlighting anomalies from alert information provided by sensors performing pattern matching. The aim is to make the output of verbose signatures more tolerable for the operator and yet allow him to obtain the useful information available. The applied method is described, and experimentation along with its results on real-world data is presented. A test metric is proposed to evaluate the results.

Keywords: intrusion detection, intrusion detection systems, background noise, alert volume reduction, EWMA
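The EWMA control chart the abstract applies to alert counts, as an added example (not the authors' code): per-interval counts of one verbose signature are smoothed with z_t = lambda*x_t + (1-lambda)*z_{t-1} and compared against the standard time-varying EWMA limits around a mean and standard deviation estimated from an initial baseline window. The count series is constructed (steady background noise, then a slow ramp); the smoothing weight, limit width and baseline length are assumptions chosen for the illustration.

```python
"""EWMA control chart over per-interval alert counts of one IDS signature.
Added example illustrating the method in the abstract above; it is not the
authors' code and the series below is constructed, not measured."""
import math
from statistics import mean, pstdev


def ewma_chart(counts, lam=0.3, L=3.0, baseline=20):
    """Run an EWMA control chart over a series of alert counts.

    The first `baseline` intervals estimate the in-control mean mu and standard
    deviation sigma. Each interval is then smoothed as
        z_t = lam*x_t + (1-lam)*z_{t-1}            (z_0 = mu)
    and compared with the time-varying control limits
        mu +/- L*sigma*sqrt(lam/(2-lam) * (1-(1-lam)^(2t))).
    Returns a list of (t, x_t, z_t, lower, upper, out_of_control).
    """
    mu = mean(counts[:baseline])
    sigma = pstdev(counts[:baseline]) or 1.0   # guard against a constant baseline
    z = mu
    rows = []
    for t, x in enumerate(counts, start=1):
        z = lam * x + (1 - lam) * z
        spread = L * sigma * math.sqrt(lam / (2 - lam) * (1 - (1 - lam) ** (2 * t)))
        lo, hi = mu - spread, mu + spread
        rows.append((t, x, z, lo, hi, z < lo or z > hi))
    return rows


def alarms(rows):
    """Intervals at which the smoothed count left the control limits."""
    return [t for (t, _x, _z, _lo, _hi, ooc) in rows if ooc]


# Constructed series: 40 one-minute intervals. Background noise sits around
# 10 alerts/min (with single spikes of 12-13); a slow ramp starts at t=31.
BACKGROUND = [10, 12, 9, 11, 10, 13, 8, 10, 11, 9, 12, 10, 9, 11, 10, 12, 11, 9, 10, 10,
              11, 9, 12, 10, 10, 11, 9, 10, 12, 10]
RAMP = [14, 16, 18, 21, 24, 27, 30, 33, 36, 40]
SAMPLE = BACKGROUND + RAMP

if __name__ == "__main__":
    rows = ewma_chart(SAMPLE)
    for t, x, z, lo, hi, ooc in rows:
        flag = "ALARM" if ooc else ""
        print(f"t={t:2d} x={x:3d} z={z:6.2f} limits=[{lo:5.2f}, {hi:5.2f}] {flag}")
    print("alarm intervals:", alarms(rows))
```

The point of the chart is visible in the output: the isolated spike of 13 alerts at t=6 would exceed a naive mean-plus-two-sigma threshold on raw counts, but the smoothed value stays inside the limits, whereas the ramp is flagged from t=32 on, well before any single interval looks dramatic.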

Hervé Debar. Détection d'intrusions: vers un usage réel des alertes. PhD thesis, Université de Caen, June 2004. Habilitation à Diriger des Recherches (HDR). [ bib ]

Marc Dacier, Fabien Pouget, and Hervé Debar. Attack processes found on the Internet. In NATO Research and Technology Symposium IST-041 "Adaptive Defence in Unclassified Networks", Toulouse, France, 19 April 2004. [ bib | http ]

In this paper, we show that simple, cheap and easily deployable honeypots can help to get a better understanding of the attack processes that machines in unclassified networks are facing. Acquiring this knowledge is a prerequisite for the sound design and implementation of efficient intrusion-tolerant systems. We propose some in-depth analyses carried out on data gathered over a 10-month period by several honeypots. We highlight the need for a well-defined setup of honeypots, replicated in many diverse locations. Such an environment would enable the scientific community to answer the remaining open issues described hereafter.

Keywords: honeypots, low interaction honeypots, attack processes

Marc Dacier, Fabien Pouget, and Hervé Debar. Honeypots: Practical means to validate malicious fault assumptions. In Proceedings of the 10th IEEE Pacific Rim International Symposium on Dependable Computing, pages 383-388, Tahiti, French Polynesia, March 2004. IEEE. [ bib | DOI | http ]

We report on an experiment run with several honeypots for 4 months. The motivation of this work resides in our wish to use data collected by honeypots to validate the fault assumptions required when designing intrusion-tolerant systems. This work in progress establishes the foundations for a feasibility study in that direction. After a review of the state of the art with respect to honeypots, we present our test bed, discuss the results obtained and the lessons learned. Avenues for future work are also proposed.

Keywords: fault diagnosis, fault tolerant computing, formal verification, security of data, fault assumption validation, honeypots, intrusion-tolerant systems, malicious fault assumptions, Books, Computer hacking, Fault tolerant systems, Information systems, Research and development, Software tools, Terminology, Testing

Hervé Debar. Security and Privacy in Advanced Networking Technologies, volume 193, chapter Intrusion Detection Systems - Introduction to intrusion detection and analysis, pages 161-177. IOS Press, 2004. [ bib ]

Hervé Debar, Benjamin Morin, Frédéric Cuppens, Fabien Autrel, Ludovic Mé, Bernard Vivinis, Salem Benferhat, Mireille Ducassé, and Rodolphe Ortalo. Détection d'intrusions: corrélation d'alertes. TSI. Technique et science informatiques, 23(3):359-390, November 2003. [ bib | DOI | http ]

Current intrusion detection systems generate too many alerts. These alerts are imprecise and partial, and they carry only low-level information. They are therefore of limited interest to a human operator. Alert correlation is a promising technology to reduce the number of alerts, improve the diagnosis and provide a better view of the security of the system in the case of an intrusion. This paper presents an overview of different alert correlation technologies and shows how they can be applied to intrusion detection.

Keywords: security, intrusion detection, correlation

Fabien Pouget, Marc Dacier, and Hervé Debar. White paper: honeypot, honeynet, honeytoken: terminological issues. Rapport technique EURECOM, 1275, September 2003. [ bib | http ]

Many different terms, definitions and classifications for honeypots, honeynets and other honeytokens have been proposed by several authors during the last 3 years. In this document, we offer a summary of the various proposals and we discuss their advantages and drawbacks. We also offer our own definition at the end of the paper.

Keywords: honeypots, honeypots classification, honeynets, honeytokens

Benjamin Morin and Hervé Debar. Correlation of intrusion symptoms: an application of chronicles. In Giovanni Vigna, Christopher Kruegel, and Erland Jonsson, editors, Proceedings of the 6th International Conference on Recent Advances in Intrusion Detection (RAID'03), volume 2820 of Lecture Notes in Computer Science, pages 94-112, Pittsburgh, PA, 2003. Springer Berlin Heidelberg. [ bib | DOI | http ]

In this paper, we propose a multi-alarm misuse correlation component based on the chronicles formalism. Chronicles provide a high level declarative language and a recognition system that is used in other areas where dynamic systems are monitored. This formalism allows us to reduce the number of alarms shipped to the operator and enhances the quality of the diagnosis provided.

Keywords: misuse detection, alert correlation, chronicles, worm detection

Hervé Debar and Benjamin Morin. Evaluation of the diagnostic capabilities of commercial intrusion detection systems. In Andreas Wespi, Giovanni Vigna, and Luca Deri, editors, Proceedings of the 5th International Conference on Recent Advances in Intrusion Detection (RAID'02), volume 2516 of Lecture Notes in Computer Science, pages 177-198, Berlin, Heidelberg, October 2002. Springer-Verlag. [ bib | DOI | http ]

This paper describes a testing environment for commercial intrusion-detection systems, shows the results of an actual test run and presents a number of conclusions drawn from the tests. Our test environment currently focuses on IP denial-of-service attacks, Trojan horse traffic and HTTP traffic. The paper focuses on the point of view of an analyst receiving alerts sent by intrusion-detection systems and on the quality of the diagnosis provided. While the analysis of the test results does not solely target this point of view, we feel that the diagnostic accuracy issue is extremely relevant for the actual success and usability of intrusion-detection technology. The tests show that the diagnosis proposed by commercial intrusion-detection systems sorely lacks precision and accuracy: the systems lack the capability to diagnose the multiple facets of the security issues occurring on the test network. In particular, while they are sometimes able to extract multiple pieces of information from a single malicious event, the alerts reported are not related to one another in any way, thus losing significant background information for an analyst. The paper therefore proposes a solution for improving current intrusion-detection probes to enhance the diagnosis provided in the case of an alert, and to qualify alerts in relation to the intent of the attacker as perceived from the information acquired during analysis.

Keywords: intrusion detection, misuse detection, network intrusion detection, background information, evasion, testing, diagnosis

Benjamin Morin, Ludovic Mé, Hervé Debar, and Mireille Ducassé. M2D2: A formal data model for IDS alert correlation. In Andreas Wespi, Giovanni Vigna, and Luca Deri, editors, Proceedings of the 5th International Conference on Recent Advances in Intrusion Detection (RAID'02), volume 2516 of Lecture Notes in Computer Science, pages 115-137, Zurich, Switzerland, 2002. Springer-Verlag. [ bib | DOI | http ]

At present, alert correlation techniques do not make full use of the information that is available. We propose a data model for IDS alert correlation called M2D2. It supplies four information types: information related to the characteristics of the monitored information system, information about the vulnerabilities, information about the security tools used for the monitoring, and information about the events observed. M2D2 is formally defined. As far as we know, no other formal model includes the vulnerability and alert parts of M2D2. Three examples of correlations are given. They are rigorously specified using the formal definition of M2D2. As opposed to already published correlation methods, these examples use more than the events generated by security tools; they make use of many concepts formalized in M2D2.

Keywords: intrusion detection, alert correlation

Hervé Debar and Andreas Wespi. Aggregation and correlation of intrusion-detection alerts. In Wenke Lee, Ludovic Mé, and Andreas Wespi, editors, Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection (RAID 2001), volume 2212 of Lecture Notes in Computer Science, pages 85-103, Davis, CA, October 2001. Springer-Verlag. [ bib | DOI | http ]

This paper describes an aggregation and correlation algorithm used in the design and implementation of an intrusion-detection console built on top of the Tivoli Enterprise Console (TEC). The aggregation and correlation algorithm aims at acquiring intrusion-detection alerts and relating them together to expose a more condensed view of the security issues raised by intrusion-detection systems.

Keywords: alert aggregation, alert correlation, alert data model, intrusion detection

Ludovic Mé, Zakia Marrakchi, Cédric Michel, Hervé Debar, and Frédéric Cuppens. La détection d'intrusions: les outils doivent coopérer. REE. Revue de l'électricité et de l'électronique, pages 56-59, 2001. [ bib ]

Intrusion detection aims at detecting any violation of the security policy in force on a computer system. It is based on the analysis, on the fly or after the fact, of what happens on the system. Two approaches are used to this end: the scenario-based approach (misuse detection) and the behavioral approach (anomaly detection). Each has strengths, but also weaknesses. The tools that implement these approaches likewise have strengths and weaknesses. The objective is to show the need to make intrusion detection tools cooperate, in order to combine their strengths and eliminate their weaknesses.

Andreas Wespi, Marc Dacier, and Hervé Debar. Intrusion detection using variable-length audit trail patterns. In Hervé Debar, Ludovic Mé, and S. Felix Wu, editors, Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection (RAID 2000), volume 1907 of Lecture Notes in Computer Science, pages 110-129. Springer Berlin Heidelberg, October 2000. [ bib | DOI | http ]

Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel technique to build a table of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for discovering rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment, and compare it with the intrusion-detection system proposed by Forrest et al. [8], which is based on fixed-length patterns. The results achieved with our novel method are significantly better than those obtained with the original method based on fixed-length patterns.

Keywords: intrusion detection, Teiresias, pattern discovery, pattern matching, variable-length patterns, C2 audit trail, functionality verification tests

Andreas Wespi, Hervé Debar, Marc Dacier, and Mehdi Nassehi. Fixed- vs. variable-length patterns for detecting suspicious process behavior. Journal of Computer Security, 8(2-3):159-181, August 2000. [ bib | http ]

This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. The models can be used for intrusion-detection purposes. First, we present a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Second, we propose various techniques to derive either fixed-length or variable-length patterns from the input data sets. We show the advantages and drawbacks of each technique, based on the results of the experiments we have run on our testbed.

Keywords: intrusion detection, anomaly detection
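The two process-modelling approaches compared in the RAID 2000 paper and the Journal of Computer Security paper above, as one added example (not the authors' code): a fixed-length model in the style of Forrest et al. stores every length-k window of audit events seen in normal runs and counts windows of a new trace that never occurred, while a variable-length model covers the trace greedily with a table of patterns and counts the events no pattern explains. The event names, the normal traces and the test traces are constructed for the illustration, and the variable-length table is written by hand as an assumption rather than discovered with Teiresias.

```python
"""Fixed-length windows versus variable-length pattern covering for modelling
a process's audit-event sequence. Added example for the two entries above;
not the authors' code. All traces are constructed and the variable-length
table is hand-picked (a discovery algorithm such as Teiresias would derive it)."""

# Constructed normal training traces for one hypothetical daemon.
NORMAL_TRACES = [
    "open read read close fork exec wait close",
    "open read close fork exec wait close",
    "open read read read close fork exec wait close",
]


def build_fixed_table(traces, k=3):
    """Fixed-length model: the set of every length-k window seen in normal runs."""
    table = set()
    for trace in traces:
        ev = trace.split()
        for i in range(len(ev) - k + 1):
            table.add(tuple(ev[i:i + k]))
    return table


def fixed_mismatches(table, trace, k=3):
    """Count length-k windows of `trace` that never occurred in training."""
    ev = trace.split()
    return sum(1 for i in range(len(ev) - k + 1) if tuple(ev[i:i + k]) not in table)


# Assumed variable-length table: a read loop is one repeatable "read" pattern,
# and the spawn sequence is one long pattern, so the table stays small.
VARIABLE_TABLE = [
    ("fork", "exec", "wait", "close"),
    ("open", "read"),
    ("read",),
    ("close",),
]


def uncovered_events(table, trace):
    """Greedily cover `trace` with table patterns (longest first) and return
    the number of events that no pattern could cover."""
    ev = trace.split()
    patterns = sorted(table, key=len, reverse=True)
    i, uncovered = 0, 0
    while i < len(ev):
        for p in patterns:
            if tuple(ev[i:i + len(p)]) == p:
                i += len(p)
                break
        else:                       # no pattern starts here: anomalous event
            uncovered += 1
            i += 1
    return uncovered


# Constructed test traces: a benign run with a longer read loop than any
# training run, and a run where the child keeps exec'ing instead of waiting.
LONG_LOOP = "open read read read read close fork exec wait close"
ATTACK = "open read close fork exec exec exec exec"

if __name__ == "__main__":
    t3, t5 = build_fixed_table(NORMAL_TRACES, 3), build_fixed_table(NORMAL_TRACES, 5)
    for name, trace in (("long loop", LONG_LOOP), ("attack", ATTACK)):
        print(f"{name:10s} fixed k=3: {fixed_mismatches(t3, trace, 3)}  "
              f"fixed k=5: {fixed_mismatches(t5, trace, 5)}  "
              f"variable: {uncovered_events(VARIABLE_TABLE, trace)}")
```

The benign trace with four reads shows the trade-off the papers discuss: the variable-length table (four patterns) covers it completely, the fixed model with k=3 also accepts it, but raising k to 5 makes the fixed model flag two windows of an ordinary loop, while all three models flag the repeated exec.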

Magnus Almgren, Hervé Debar, and Marc Dacier. A lightweight tool for detecting web server attacks. In Proceedings of the ISOC Symposium on Network and Distributed Systems Security, pages 157-170, San Diego, CA, January 2000. The Internet Society, ISOC. [ bib | DOI | .pdf ]

We present an intrusion-detection tool focused on web server attacks, and describe why such a tool is needed. Several interesting features are presented, such as the ability to run in real time and to keep track of suspicious hosts, which simplifies the learning of new attacks. The design is flexible, and the signatures used to detect malicious behavior are not limited to simple pattern matching of dangerous CGI scripts: the tool also considers a history of different types of attacks on a per-host basis, to allow detection of a wide variety of malicious behavior. The tool includes mechanisms for reducing the rate of false alarms. We conclude with a discussion of the information gained from deploying the tool at various sites.

Keywords: intrusion detection, misuse detection, anomaly detection, resolver, false alarms reduction, signatures

Hervé Debar. An introduction to intrusion-detection systems. http://www.pcporoje.com/filedata/947354.pdf, 2000. [ bib ]

Intrusion-detection systems aim at detecting attacks against computer systems and networks or, in general, against information systems. Indeed, it is difficult to provide provably secure information systems and to maintain them in such a secure state during their lifetime and utilization. Sometimes, legacy or operational constraints do not even allow the definition of a fully secure information system. Therefore, intrusion-detection systems have the task of monitoring the usage of such systems to detect any appearance of insecure states. They detect attempts and active misuse, either by legitimate users of the information systems or by external parties, to abuse their privileges or exploit security vulnerabilities. This paper is the first in a two-part series; it introduces the concepts used in intrusion-detection systems around a taxonomy.

Hervé Debar. Intrusion-detection products and trends, 2000. [ bib ]

Intrusion-detection systems aim at detecting attacks against computer systems and networks or, in general, against information systems. Indeed, it is difficult to provide provably secure information systems and to maintain them in such a secure state during their lifetime and utilization. Sometimes legacy or operational constraints do not even allow the definition of a fully secure information system. Therefore, intrusion-detection systems have the task of monitoring the usage of such systems to detect any appearance of insecure states. They detect attempts and active misuse, either by legitimate users of the information systems or by external parties, to abuse their privileges or exploit security vulnerabilities. This paper is the second in a two-part series; it presents the current state of intrusion-detection products, and the trends we are observing.

Hervé Debar, Marc Dacier, and Andreas Wespi. A revised taxonomy for intrusion-detection systems. Annales des télécommunications, 55(7-8):361-378, 2000. [ bib | DOI | .ps ]

Intrusion-detection systems aim at detecting attacks against computer systems and networks, or in general against information systems. Indeed, it is difficult to provide provably secure information systems and to maintain them in such a secure state during their lifetime and utilization. Sometimes, legacy or operational constraints do not even allow the definition of a fully secure information system. Therefore, intrusion-detection systems have the task of monitoring the usage of such systems to detect the appearance of insecure states. They detect attempts and active misuse, either by legitimate users of the information systems or by external parties, to abuse their privileges or exploit security vulnerabilities. In a previous paper [Computer networks 31, 805-822 (1999)], we introduced a taxonomy of intrusion-detection systems that highlights the various aspects of this area. This paper extends the taxonomy beyond real-time intrusion detection to include additional aspects of security monitoring, such as vulnerability assessment.

Keywords: intruder detector, taxonomy, system evaluation, knowledge base, system behavior, computer system, telecommunication network, intrusion detection, anomaly detection, misuse detection