publications-hd-2000-2009.bib
@inproceedings{abi2006extended,
title = {An extended RBAC profile of XACML},
author = {{Abi Haidar}, Diala and Cuppens-Boulahia, Nora and
Cuppens, Fr{\'e}d{\'e}ric and Debar, Herv{\'e}},
booktitle = {Proceedings of the 3rd ACM workshop on Secure Web
Services},
pages = {13--22},
year = 2006,
organization = {ACM},
series = {SWS '06},
isbn = {1-59593-546-0},
location = {Alexandria, Virginia, USA},
numpages = 10,
url = {http://doi.acm.org/10.1145/1180367.1180372},
doi = {10.1145/1180367.1180372},
acmid = 1180372,
publisher = {ACM},
address = {New York, NY, USA},
keywords = {OrBAC, RBAC, XACML, access control},
abstract = {Nowadays many organizations use security policies to
control access to sensitive resources. Moreover,
exchanging or sharing services and resources is
essential for these organizations to achieve their
business objectives. Since the eXtensible Access
Control Markup Language (XACML) was standardized by
the OASIS community, it has been widely deployed,
making it easier to interoperate with other
applications using the same standard language. The
OASIS has defined an RBAC profile of XACML that
illustrates how organizations that would like to use
the RBAC model can express their access control
policy within this standard language. This work
analyzes the RBAC profile of XACML, showing its
limitations to respond to all the requirements for
access control. We then suggest adding some
functionalities within an extended RBAC profile of
XACML. This new profile is expected to respond to
more advanced access control requirements such as
user-user delegation, access elements abstractions
and contextual applicability of the policies.}
}
@inproceedings{almgren2000lightweight,
title = {A Lightweight Tool for Detecting Web Server Attacks},
author = {Almgren, Magnus and Debar, Herv{\'e} and Dacier,
Marc},
booktitle = {Proceedings of the ISOC Symposium on Network and
Distributed Systems Security},
year = 2000,
pages = {157--170},
month = jan,
address = {San Diego, CA},
organization = {The Internet Society},
publisher = {ISOC},
isbn = {1-891562-07-X, 1-891562-08-8},
doi = {10.1.1.105.5960},
url = {http://www.isoc.org/isoc/conferences/ndss/2000/proceedings/007.pdf},
keywords = {intrusion detection, misuse detection, anomaly
detection, resolver, false alarms reduction,
signatures},
abstract = {We present an intrusion-detection tool focused on
web server attacks, and describe why such a tool is
needed. Several interesting features will be
presented, such as the ability to run in real time
and to keep track of suspicious hosts, which
simplifies the learning of new attacks. The design
is flexible and the signatures used to detect
malicious behavior are not limited to simple pattern
matching of dangerous cgi scripts, but also
considers a history of different types of attacks on
a host basis to allow detection of a wide variety of
malicious behavior. The tool includes mechanisms for
reducing the rate of false alarms. We conclude with
a discussion of the information gained from
deploying the tool at various sites.}
}
@inproceedings{carlinet2008analysis,
title = {Analysis of computer infection risk factors based on
customer network usage},
author = {Carlinet, Yannick and M{\'e}, Ludovic and Debar,
Herv{\'e} and Gourhant, Yvon},
booktitle = {Proceedings of the Second International Conference
on Emerging Security Information, Systems and
Technologies (SECURWARE'08)},
pages = {317--325},
year = 2008,
month = aug,
url = {http://www.computer.org/csdl/proceedings/securware/2008/3329/00/3329a317.pdf},
doi = {10.1109/SECURWARE.2008.30},
organization = {IEEE},
keywords = {digital subscriber lines, operating systems
(computers), security of data, ADSL customer PC,
computer infection risk factors, corenet work,
customer network usage, disease propagation,
epidemiology, malicious traffic, operating system,
Computer networks, Computer security, Computer
worms, Customer profiles, Diseases, Information
analysis, Information security, Personal
communication networks, Risk analysis,
Telecommunication traffic, epidemiology, malware,
risk profile, traffic analysis, user profiling},
abstract = {Epidemiology, the science that studies the cause and
propagation of diseases, provides us with the
concepts and methods to analyze the potential risk
factors to which ADSL customers' PCs are exposed,
with respect to their usage of network
applications. This paper details the analysis of the
traffic of a large set of real ADSL customers in the
corenet work. We build a profile of network usage
for each customer and we detect malicious
ones. Based on these data we study the impact of
some characteristics in ADSL customer profiles on
their likeliness to generate malicious traffic. We
find two application types that are risk factors and
we also bring evidence that the type of operating
system impacts greatly the odds of being
infected. Based on these results we build a profile
of customers more likely to be infected.}
}
@inproceedings{cuppens2008negotiation,
title = {Negotiation of prohibition: An approach based on
policy rewriting},
author = {Cuppens-Boulahia, Nora and Cuppens, Fr{\'e}d{\'e}ric
and {Abi Haidar}, Diala and Debar, Herv{\'e}},
booktitle = {Proceedings of the {IFIP} {TC11} 23rd International
Information Security Conference (IFIPSEC 2008)},
pages = {173--187},
year = 2008,
publisher = {Springer},
volume = 278,
series = {IFIP -- The International Federation for Information
Processing},
editor = {Jajodia, Sushil and Samarati, Pierangela and Cimato,
Stelvio},
doi = {10.1007/978-0-387-09699-5_12},
url = {http://www.rennes.enst-bretagne.fr/~fcuppens/articles/sec08.pdf},
keywords = {security policies, OrBAC, negotiation},
abstract = { In recent security architectures, it is possible
that the security policy is not evaluated in a
centralized way but requires negotiation between the
subject who is requesting the access and the access
controller. This negotiation is generally based on
exchanging credentials between the parties so that
the access controller can decide to accept or deny
the requesting access. Previous proposals in this
field generally implicitly or explicitly assume that
the access control policy only contains
permissions. In this paper, we present a new
approach of negotiation when the security policy
contains both permissions and prohibitions. In this
case, we claim that it would not be fair to ask for
credentials to directly activate prohibitions. Thus,
our approach consists in rewriting the policy into
an equivalent one that only contains
permissions. Since the rewritten policy specifies
negative conditions, we then show how to define
strategies to negotiate these negative conditions.}
}
@inproceedings{cuppens2009ontologyCrisis,
author = {Nora Cuppens-Boulahia and Fr{\'e}d{\'e}ric Cuppens
and Jorge E. L{\'o}pez de Vergara and Enrique
V{\'a}zquez and Javier Guerra and Herv{\'e} Debar},
booktitle = {Proceedings of the Third International Conference on
Risks and Security of Internet and Systems (CRiSIS
'08)},
title = {An ontology-based approach to react to network
attacks},
year = 2008,
month = oct,
pages = {27--35},
keywords = {ontologies (artificial intelligence), quality of
service, telecommunication computing,
telecommunication network management,
telecommunication security, IP networks, Reaction
after Detection project, inference rules, network
attacks, ontology-based approach, quality of
service, Communication networks, Communication
system security, IP networks, OWL, Ontologies,
Quality of service, Resilience, TV,
Telecommunications, Web and internet services,
Attack reaction, IDMEF, OWL, OrBAC, SWRL, ontology,
policy instantiation},
url = {http://www.researchgate.net/publication/221351551_An_ontology-based_approach_to_react_to_network_attacks/file/9fcfd5087b157cf61c.pdf},
doi = {10.1109/CRISIS.2008.4757461},
abstract = {To address the evolution of security incidents in
current communication networks it is important to
react quickly and efficiently to an attack. The RED
(Reaction after Detection) project is defining and
designing solutions to enhance the
detection/reaction process, improving the overall
resilience of IP networks to attacks and help
telecommunication and service providers to maintain
sufficient quality of service and respect service
level agreements. Within this project, a main
component is in charge of instantiating new security
policies that counteract the network attacks. This
paper proposes an ontology-based approach to
instantiate these security policies. This technology
provides a way to map alerts into attack contexts,
which are used to identify the policies to be
applied in the network to solve the threat. For
this, ontologies to describe alerts and policies are
defined, using inference rules to perform such
mappings.}
}
@article{cuppens2009ontologyIJICS,
title = {An ontology-based approach to react to network
attacks},
author = {Nora Cuppens-Boulahia and Fr{\'e}d{\'e}ric Cuppens
and Fabien Autrel and Herv{\'e} Debar},
journal = {International Journal of Information and Computer
Security},
volume = 3,
number = {3/4},
pages = {280--305},
year = 2009,
issue_date = {January 2009},
month = jan,
issn = {1744-1765},
numpages = 26,
url = {http://dx.doi.org/10.1504/IJICS.2009.031041},
doi = {10.1504/IJICS.2009.031041},
acmid = 1708035,
publisher = {Inderscience Publishers},
address = {Geneva, SWITZERLAND},
keywords = {IDS, OrBAC, access control policy, attack reaction,
intrusion detection systems, network attacks,
ontology, organisation based access control, policy
instantiation, threat context, threat organisation},
abstract = { Intrusion detection requirements enforced by
Intrusions Detection Systems (IDSs) are generally
considered independently from the remainder of the
security policy. Our approach is to consider that
intrusion detection requirements are actually a part
of the access control policy. This provides means to
formally specify in a reaction policy what should
happen in case of intrusion. It is then possible to
integrate these requirements into a deploying
process in order to automatically configure security
components. In this paper, we propose a contextual
and ontology-based approach to express and
instantiate this reaction policy. We then define a
reaction process based on the concepts of dynamic
threat organisation and threat contexts and a set of
rules used to map alerts onto threat contexts to
perform the instantiation of the policy-based
reaction in response to the detected intrusion.}
}
@inproceedings{dacier2004attack,
title = {Attack processes found on the {Internet}},
author = {Dacier, Marc and Pouget, Fabien and Debar,
Herv{\'e}},
year = 2004,
institution = {DTIC Document},
url = {https://www.eurecom.fr/publication/1415},
booktitle = {NATO Research and technology symposium IST-041
``Adaptive Defence in Unclassified Networks'',
19 April 2004, Toulouse, France},
address = {Toulouse, France},
month = apr,
keywords = {honeypots, low interaction honeypots, attack
processes},
abstract = {In this paper, we show that simple, cheap and easily
deployable honeypots can help to get a better
understanding of the attack processes that machines
in unclassified networks are facing. Acquiring this
knowledge is a prerequisite for the sound design and
implementation of efficient intrusion tolerant
systems. We propose some in depth analyses carried
out on data gathered during a 10 months period by
several honeypots. We highlight the need for a well
defined set up of honeypots, replicated in many
diverse locations. Such an environment would enable
the scientific community to answer the remaining
open issues described here after.}
}
@inproceedings{dacier2004honeypots,
title = {Honeypots: Practical means to validate malicious
fault assumptions},
author = {Dacier, Marc and Pouget, Fabien and Debar,
Herv{\'e}},
booktitle = {Proceedings of the 10th IEEE Pacific Rim
International Symposium on Dependable Computing},
pages = {383--388},
year = 2004,
organization = {IEEE},
address = {Tahiti, French Polynesia},
month = mar,
url = {http://www.eurecom.fr/publication/1416},
doi = {10.1109/PRDC.2004.1276594},
keywords = {fault diagnosis, fault tolerant computing, formal
verification, security of data, fault assumption
validation, honeypots, intrusion-tolerant systems,
malicious fault assumptions, Books, Computer
hacking, Fault tolerant systems, Information
systems, Research and development, Software tools,
Terminology, Testing},
abstract = {We report on an experiment run with several
honeypots for 4 months. The motivation of this work
resides in our wish to use data collected by
honeypots to validate fault assumptions required
when designing intrusion-tolerant systems. This work
in progress establishes the foundations for a
feasibility study into that direction. After a
review of the state of the art with respect to
honeypots, we present our test bed, discuss results
obtained and lessons learned. Avenues for future
work are also proposed.}
}
@misc{debar2000introduction,
title = {An introduction to intrusion-detection systems},
author = {Debar, Herv{\'e}},
booktitle = {Proceedings of Connect 2000},
year = 2000,
address = {Doha, Qatar},
abstract = {Intrusion-detection systems aim at detecting attacks
against computer systems and networks or, in
general, against information systems. Indeed, it is
difficult to provide provably secure information
systems and to maintain them in such a secure state
during their lifetime and utilization. Sometimes,
legacy or operational constraints do not even allow
the definition of a fully secure information system.
Therefore, intrusion-detection systems have the task
of monitoring the usage of such systems to detect
any apparition of insecure states. They detect
attempts and active misuse either by legitimate
users of the information systems or by external
parties to abuse their privileges or exploit
security vulnerabilities. This paper is the first in
a two-part series; it introduces the concepts used
in intrusion-detection systems around a taxonomy.},
howpublished = {http://www.pcporoje.com/filedata/947354.pdf}
}
@misc{debar2000intrusion,
title = {Intrusion-Detection Products and Trends},
author = {Debar, Herv{\'e}},
booktitle = {Proceedings of Connect 2000},
year = 2000,
address = {Doha, Qatar},
abstract = {Intrusion-detection systems aim at detecting attacks
against computer systems and networks or, in
general, against information systems. Indeed, it is
difficult to provide provably secure information
systems and to maintain them in such a secure state
during their lifetime and utilization. Sometimes
legacy or operational constraints do not even allow
the definition of a fully secure information
system. Therefore, intrusion-detection systems have
the task of monitoring the usage of such systems to
detect any apparition of insecure states. They
detect attempts and active misuse either by
legitimate users of the information systems or by
external parties to abuse their privileges or
exploit security vulnerabilities. This paper is the
second in a two-part series; it presents the current
state of intrusion-detection products, and the
trends we are observing.}
}
@article{debar2000revised,
title = {A revised taxonomy for intrusion-detection systems},
author = {Debar, Herv{\'e} and Dacier, Marc and Wespi,
Andreas},
journal = {Annales des T{\'e}l{\'e}communications},
volume = 55,
number = {7-8},
pages = {361--378},
year = 2000,
publisher = {Springer-Verlag},
issn = {0003-4347},
doi = {10.1007/BF02994844},
url = {http://wenke.gtisc.gatech.edu/ids-readings/IDS_taxonomy.ps},
keywords = {Intruder detector, Taxonomy, System evaluation,
Knowledge base, System behavior, Computer system,
Telecommunication network, intrusion detection,
anomaly detection, misuse detection},
abstract = {Intrusion-detection systems aim at detecting attacks
against computer systems and networks, or in general
against information systems. Indeed, it is difficult
to provide provably secure information systems and
to maintain them in such a secure state during their
lifetime and utilization. Sometimes, legacy or
operational constraints do not even allow the
definition of a fully secure information
system. Therefore, intrusion-detection systems have
the task of monitoring the usage of such systems to
detect apparition of insecure states. They detect
attempts and active misuse, either by legitimate
users of the information systems or by external
parties, to abuse their privileges or exploit
security vulnerabilities. In a previous paper
[Computer networks 31, 805--822 (1999)], we
introduced a taxonomy of intrusion-detection
systems that highlights the various aspects of this
area. This paper extends the taxonomy beyond
real-time intrusion detection to include additional
aspects of security monitoring, such as
vulnerability assessment.}
}
@inproceedings{debar2001aggregation,
title = {Aggregation and correlation of intrusion-detection
alerts},
author = {Debar, Herv{\'e} and Wespi, Andreas},
pages = {85--103},
year = 2001,
month = oct,
booktitle = {Proceedings of the 4th International Symposium on
Recent Advances in Intrusion Detection (RAID 2001)},
isbn = {978-3-540-42702-5},
volume = 2212,
series = {Lecture Notes in Computer Science},
editor = {Lee, Wenke and M{\'e}, Ludovic and Wespi, Andreas},
doi = {10.1007/3-540-45474-8_6},
numpages = 19,
url = {http://link.springer.com/chapter/10.1007%2F3-540-45474-8_6},
acmid = 670735,
publisher = {Springer-Verlag},
address = {Davis, CA},
keywords = {alert aggregation, alert correlation, alert data
model, intrusion detection},
abstract = {This paper describes an aggregation and correlation
algorithm used in the design and implementation of
an intrusion-detection console built on top of the
Tivoli Enterprise Console (TEC). The aggregation and
correlation algorithm aims at acquiring
intrusion-detection alerts and relating them
together to expose a more condensed view of the
security issues raised by intrusion-detection
systems.}
}
@inproceedings{debar2002evaluation,
title = {Evaluation of the diagnostic capabilities of
commercial intrusion detection systems},
author = {Debar, Herv{\'e} and Morin, Benjamin},
booktitle = {Proceedings of the 5th International Conference on
Recent Advances in Intrusion Detection (RAID'02)},
series = {Lecture Notes in Computer Science},
pages = {177--198},
year = 2002,
isbn = {3-540-00020-8},
location = {Zurich, Switzerland},
numpages = 22,
doi = {10.1007/3-540-36084-0_10},
url = {http://link.springer.com/chapter/10.1007%2F3-540-36084-0_10},
acmid = 1754716,
publisher = {Springer-Verlag},
address = {Berlin, Heidelberg},
abstract = {This paper describes a testing environment for
commercial intrusion-detection systems, shows
results of an actual test run and presents a number
of conclusions drawn from the tests. Our test
environment currently focuses on IP
denial-of-service attacks, Trojan horse traffic and
HTTP traffic. The paper focuses on the point of view
of an analyst receiving alerts sent by
intrusion-detection systems and the quality of the
diagnostic provided. While the analysis of test
results does not solely target this point of view,
we feel that the diagnostic accuracy issue is
extremely relevant for the actual success and
usability of intrusion-detection technology. The
tests show that the diagnostic proposed by
commercial intrusion-detection systems sorely lack
in precision and accuracy, lacking the capability to
diagnose the multiple facets of the security issues
occurring on the test network. In particular, while
they are sometimes able to extract multiple pieces
of information from a single malicious event, the
alerts reported are not related to one another in
any way, thus losing significant background
information for an analyst. The paper therefore
proposes a solution for improving current
intrusion-detection probes to enhance the diagnostic
provided in the case of an alert, and qualifying
alerts in relation to the intent of the attacker as
perceived from the information acquired during
analysis.},
editor = {Andreas Wespi and Giovanni Vigna and Luca Deri},
volume = 2516,
month = oct,
keywords = {intrusion detection, misuse detection, network
intrusion detection, background information,
evasion, testing, diagnosis}
}
@book{debar2004analyse,
title = {Analyse et d{\'e}tection d'intrusions},
author = {Debar, Herv{\'e}},
year = 2004,
publisher = {Ed. Techniques Ing{\'e}nieur},
volume = {H5840},
month = oct,
url = {http://www.techniques-ingenieur.fr/base-documentaire/technologies-de-l-information-th9/attaques-et-mesures-de-protection-des-si-42313210/analyse-et-detection-d-intrusions-h5840/}
}
@article{debar2004detection,
title = {D{\'e}tection d'intrusions: corr{\'e}lation
d'alertes},
author = {Debar, Herv{\'e} and Morin, Benjamin and Cuppens,
Fr{\'e}d{\'e}ric and Autrel, Fabien and M{\'e},
Ludovic and Vivinis, Bernard and Benferhat, Salem
and Ducass{\'e}, Mireille and Ortalo, Rodolphe},
journal = {TSI. Technique et science informatiques},
volume = 23,
number = 3,
pages = {359--390},
year = 2003,
publisher = {Lavoisier},
month = nov,
url = {http://tsi.revuesonline.com/article.jsp?articleId=3242},
doi = {10.3166/tsi.23.359-390},
keywords = {security, intrusion detection, correlation},
abstract = {Current intrusion detection systems generate too
many alerts. These alerts are imprecise and
partial. Furthermore, they contain low level
information. These alerts are therefore of limited
interest for a human operator. Alert correlation is
a promising technology to reduce the number of
alerts, improve the diagnostic and provide a better
vision of the security of the system in the case of
an intrusion. This paper presents an overview of
different alert correlation technologies and shows
how these technologies can be applied to intrusion
detection. }
}
@phdthesis{debar2004hdr,
title = {D{\'e}tection d'intrusions: vers un usage r{\'e}el
des alertes},
author = {Debar, Herv{\'e}},
year = 2004,
school = {Universit{\'e} de Caen},
month = jun,
note = {{H}abilitation {\`a} {D}iriger des {R}echerches
{(HDR)}}
}
@inbook{debar2004intrusion,
title = {Security and Privacy in Advanced Networking
Technologies},
chapter = {Intrusion Detection Systems -- Introduction to
intrusion detection and analysis},
author = {Herv{\'e} Debar},
series = {NATO Science Series Sub Series III Computer and
Systems Sciences},
volume = 193,
pages = {161--177},
year = 2004,
publisher = {IOS Press}
}
@incollection{debar2005infrastructure,
title = {An infrastructure for distributed event acquisition},
author = {Debar, Herv{\'e} and Morin, Benjamin and
Boiss{\'e}e, Vincent and Gu{\'e}rin, Didier},
booktitle = {Cyberspace Security and Defense: Research Issues},
pages = {349--365},
year = 2005,
isbn = {978-1-4020-3379-7},
volume = 196,
series = {NATO Science Series II: Mathematics, Physics and
Chemistry},
editor = {Kowalik, Janusz S. and Gorski, Janusz and Sachenko,
Anatoly},
doi = {10.1007/1-4020-3381-8_20},
url = {http://link.springer.com/chapter/10.1007%2F1-4020-3381-8_20},
publisher = {Springer Netherlands},
keywords = {intrusion detection, alert management, operational
security, security information management, alert
correlation, security information and event
management, SIEM},
abstract = {This paper describes a distributed application for
acquiring events from different equipment in a
lightweight fashion. The architecture of the
application is fully distributed, and takes
advantage of standard tools such as web servers and
relational databases. Several prototypes of the
application have been deployed in our corporate
network to monitor multiple environments. This paper
defines the architecture of the distributed
application around four axes, according to the
interaction they have with the data repository and
the outside world. It also defines the kind of
information that is stored in the database according
to three categories.}
}
@article{debar2005intrusion,
title = {Intrusion detection: Introduction to intrusion
detection and security information management},
author = {Debar, Herv{\'e} and Viinikka, Jouni},
journal = {Foundations of security analysis and design III},
pages = {207--236},
year = 2005,
isbn = {978-3-540-28955-5},
volume = 3655,
series = {Lecture Notes in Computer Science},
editor = {Aldini, Alessandro and Gorrieri, Roberto and
Martinelli, Fabio},
doi = {10.1007/11554578_7},
url = {http://link.springer.com/chapter/10.1007%2F11554578_7},
publisher = {Springer Berlin Heidelberg},
keywords = {intrusion detection, security information
management, alert correlation, information security
and event management, SIEM},
abstract = {This paper covers intrusion detection and security
information management technologies. It presents a
primer on intrusion detection, focusing on data
sources and analysis techniques. Data sources
presented therein are classified according to the
capture mechanism and we include an evaluation of
the accuracy of these data sources. Analysis
techniques are classified into misuse detection,
using the explicit body of knowledge about security
attacks to generate alerts, and anomaly detection,
where the safe or normal operation of the monitored
information system is described and alerts generated
for anything that does not belong to that model. It
then describes security information management and
alert correlation technologies that are in use
today. We particularly describe statistical modeling
of alert flows and explicit correlation between
alert information and vulnerability assessment
information.}
}
@inproceedings{debar2005webanalyzer,
title = {WebAnalyzer: D{\'e}tection pr{\'e}cise d'attaques
contre les serveurs {HTTP}},
author = {Debar, Herv{\'e} and Tombini, Elvis},
booktitle = {Proceedings of the 4th Conference on Security and
Network Architectures (SAR'05)},
year = 2005,
month = jun,
address = {Batz sur Mer, France}
}
@article{debar2006security,
title = {Security information management as an outsourced
service},
author = {Debar, Herv{\'e} and Viinikka, Jouni},
journal = {Information management \& computer security},
volume = 14,
number = 5,
pages = {417--435},
year = 2006,
publisher = {Emerald Group Publishing Limited},
issn = {0968-5227},
doi = {10.1108/09685220610707430},
url = {http://www.emeraldinsight.com/journals.htm?articleid=1575972},
keywords = {Communication technologies, Data security,
Information systems, intrusion detection, security
information and event management, SIEM, managed
security services, managed security services
providers, MSSP},
abstract = {Security information management (SIM) has emerged
recently as a strong need to ensure the ongoing
security of information systems. However, deploying
a SIM and the associated sensors is a challenge in
any organization, as the complexity and cost of such
a project are difficult to bear. This paper aims to
present an architecture for outsourcing a SIM
platform, and discuss the issues associated with the
deployment of such an environment. The paper
explains that the day-to-day operation of a SIM is
beyond the financial capabilities of all but the
largest organizations, as the SIM must be monitored
constantly to ensure timely reaction to alerts. Many
managed security services providers (MSSP),
therefore, propose outsourcing the alert management
activities. Sensors are deployed within the
customer's infrastructure, and the alerts are sent
to the outsourced SIM along with additional log
information.}
}
@inproceedings{debar2006using,
title = {Using contextual security policies for threat
response},
author = {Debar, Herv{\'e} and Thomas, Yohann and
Boulahia-Cuppens, Nora and Cuppens,
Fr{\'e}d{\'e}ric},
booktitle = {Detection of Intrusions and Malware \& Vulnerability
Assessment},
pages = {109--128},
year = 2006,
isbn = {978-3-540-36014-8},
volume = 4064,
series = {Lecture Notes in Computer Science},
editor = {B{\"u}schkes, Roland and Laskov, Pavel},
doi = {10.1007/11790754_7},
url = {http://link.springer.com/chapter/10.1007%2F11790754_7},
publisher = {Springer Berlin Heidelberg},
keywords = {intrusion detection, intrusion response, threat
response, dynamic response, security information and
event management, counter-measures, security
policies, OrBAC},
abstract = {With the apparition of accurate security monitoring
tools, the gathered alerts are requiring operators
to take action to prevent damage from
attackers. Intrusion prevention currently provides
isolated response mechanisms that may take a local
action upon an attack. While this approach has been
taken to enhance the security of particular network
access control points, it does not constitute a
comprehensive approach to threat response. In this
paper, we will examine a new mechanism for adapting
the security policy of an information system
according to the threat it receives, and hence its
behaviour and the services it offers. This mechanism
takes into account not only threats, but also legal
constraints and other objectives of the organization
operating this information system, taking into
account multiple security objectives and providing
several trade-off options between security
objectives, performance objectives, and other
operational constraints. The proposed mechanism
bridges the gap between preventive security
technologies and intrusion detection, and builds
upon existing technologies to facilitate
formalization on one hand, and deployment on the
other hand.}
}
@article{debar2006webanalyzer,
title = {WebAnalyzer: accurate detection of HTTP attack
traces in web server logs},
author = {Debar, Herv{\'e} and Tombini, Elvis},
journal = {Annales des T{\'e}l{\'e}communications},
volume = 61,
number = {5-6},
pages = {682--704},
year = 2006,
publisher = {Springer-Verlag},
doi = {10.1007/BF03219929},
url = {http://link.springer.com/article/10.1007%2FBF03219929},
issn = {0003-4347},
keywords = {Internet security, Web server, Intrusion detection,
Data analysis, S{\'e}curit{\'e} Internet, Serveur web,
D{\'e}tection intrusion, Analyse de donn{\'e}es},
abstract = {This paper presents a tool for detecting attacks
against web server, using the analysis of web server
log files. The main characteristic of this tool is
its accuracy, being able to carefully graduate its
analysis according to the actual success of the
attacker. This capability is based on the design of
a simple yet powerful signature definition
language. We demonstrate the accuracy of the tool
using a set of log lines representing several attack
conditions and attack results.},
month = jun
}
@article{debar2007enabling,
title = {Enabling automated threat response through the use
of a dynamic security policy},
author = {Debar, Herv{\'e} and Thomas, Yohann and Cuppens,
Fr{\'e}d{\'e}ric and Cuppens-Boulahia, Nora},
journal = {Journal in Computer Virology},
volume = 3,
number = 3,
pages = {195--210},
year = 2007,
url = {http://link.springer.com/article/10.1007%2Fs11416-007-0039-z},
issn = {1772-9890},
doi = {10.1007/s11416-007-0039-z},
publisher = {Springer-Verlag},
keywords = {intrusion detection, intrusion response, threat
response, dynamic response, security information and
event management, counter-measures, security
policies, OrBAC},
abstract = {Information systems security issues are currently
being addressed using different techniques, such as
authentication, encryption and access control,
through the definition of security policies, but
also using monitoring techniques, in particular
intrusion detection systems. We can observe that
security monitoring is currently totally
decorrelated from security policies, that is
security requirements are not linked with the means
used to control their fulfillment. Most of the time,
security operators have to analyze monitoring
results and manually react to provide
countermeasures to threats compromising the security
policy. The response process is far from trivial,
since it both relies on the relevance of the threat
analysis and on the adequacy of the selected
countermeasures. In this paper, we present an
approach aiming at connecting monitoring techniques
with security policy management in order to provide
response to threat. We propose an architecture
allowing to dynamically and automatically deploy a
generic security policy into concrete policy
instances taking into account the threat level
characterized thanks to intrusion detection
systems. Such an approach provides means to bridge
the gap between existing detection approaches and
new requirements, which clearly deal with the
development of intrusion prevention systems,
enabling a better protection of the resources and
services.}
}
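@incollection{debar2007intrusion,
title = {Intrusion Detection in Cognitive Networks},
author = {Debar, Herv{\'e}},
booktitle = {Cognitive Networks: Towards Self-Aware Networks},
pages = {293--313},
year = 2007,
month = aug,
publisher = {John Wiley \& Sons, Ltd}
}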
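@incollection{debar2008response,
title = {Response: bridging the link between intrusion
detection alerts and security policies},
author = {Debar, Herv{\'e} and Thomas, Yohann and Cuppens,
Fr{\'e}d{\'e}ric and Cuppens-Boulahia, Nora},
booktitle = {Intrusion Detection Systems},
pages = {129--170},
year = 2008,
publisher = {Springer},
volume = 38,
series = {Advances in Information Security},
doi = {10.1007/978-0-387-77265-3_6},
isbn = {978-0-387-77265-3},
keywords = {intrusion detection, intrusion response, threat
response, dynamic response, security information and
event management, counter-measures, security
policies, OrBAC},
abstract = {With the deployment of intrusion detection systems
has come the question of alert usage. The current
trend of intrusion prevention systems provides
mechanisms for isolated response, suffering from two
important drawbacks. First, the response is applied
on a single point of the information system. Second,
its application is repeated every time an alert
condition is raised. Both drawbacks result in a
suboptimal response system, where security is
improved at these particular network or host access
control points, but where service dependancies are
not taken into account. In this paper, we examine a
new mechanism for adapting the security policy of an
information system according to the threat it
receives, and hence its behaviour and the services
it offers. This mechanism takes into account not
only threats, but also legal constraints and other
objectives of the organization operating this
information system, taking into account multiple
security objectives and providing several trade-off
options between security objectives, performance
objectives, and other operational constraints. The
proposed mechanism bridges the gap between
preventive security technologies and intrusion
detection, and builds upon existing technologies to
facilitate formalization on one hand, and deployment
on the other hand.}
}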
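@inproceedings{haidar2007access,
title = {Access negotiation within {XACML} architecture},
author = {{Abi Haidar}, Diala and Cuppens-Boulahia, Nora and
Cuppens, Fr{\'e}d{\'e}ric and Debar, Herv{\'e}},
booktitle = {Proceedings of the Second Joint Conference on
Security in Networks Architectures and Security of
Information Systems (SARSSI 2007)},
year = 2007
}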
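@inproceedings{haidar2007resource,
title = {Resource Classification Based Negotiation in {Web
Services}},
author = {{Abi Haidar}, Diala and Cuppens-Boulahia, Nora and
Cuppens, Fr{\'e}d{\'e}ric and Debar, Herv{\'e}},
booktitle = {IAS},
pages = {313--318},
year = 2007
}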
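@article{haidar2009xena,
title = {{XeNA}: an access negotiation framework using
{XACML}},
author = {{Abi Haidar}, Diala and Cuppens-Boulahia, Nora and
Cuppens, Fr{\'e}d{\'e}ric and Debar, Herv{\'e}},
journal = {Annals of Telecommunications -- Annales des
T{\'e}l{\'e}communications},
volume = 64,
number = {1--2},
pages = {155--169},
year = 2009,
publisher = {Springer-Verlag}
}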
@article{jacob2008behavioral,
  author    = {Jacob, Gr{\'e}goire and Debar, Herv{\'e} and Filiol, Eric},
  title     = {Behavioral detection of malware: from a survey towards an established taxonomy},
  journal   = {Journal in Computer Virology},
  year      = 2008,
  volume    = 4,
  number    = 3,
  pages     = {251--266},
  publisher = {Springer},
}
@article{jacob2008malware,
  author    = {Jacob, Gr{\'e}goire and Filiol, Eric and Debar, Herv{\'e}},
  title     = {Malware as interaction machines: a new framework for behavior modelling},
  journal   = {Journal in Computer Virology},
  year      = 2008,
  volume    = 4,
  number    = 3,
  pages     = {235--250},
  publisher = {Springer},
}
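@misc{jacob2009formalization,
title = {Formalization of malware through process calculi},
author = {Jacob, Gr{\'e}goire and Filiol, Eric and Debar, Herv{\'e}},
howpublished = {arXiv preprint arXiv:0902.0469},
eprint = {0902.0469},
archiveprefix = {arXiv},
year = 2009
}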
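@article{jacob2009functional,
title = {Functional polymorphic engines: formalisation,
implementation and use cases},
author = {Jacob, Gr{\'e}goire and Filiol, Eric and Debar,
Herv{\'e}},
journal = {Journal in Computer Virology},
volume = 5,
number = 3,
pages = {247--261},
year = 2009,
publisher = {Springer}
}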
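@inproceedings{jacob2009malware,
title = {Malware behavioral detection by attribute-automata
using abstraction from platform and language},
author = {Jacob, Gr{\'e}goire and Debar, Herv{\'e} and Filiol,
Eric},
booktitle = {Recent Advances in Intrusion Detection (RAID 2009)},
pages = {81--100},
year = 2009,
publisher = {Springer}
}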
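@inproceedings{kheir2009cost,
title = {Cost evaluation for intrusion response using
dependency graphs},
author = {Kheir, Nizar and Debar, Herv{\'e} and
Cuppens-Boulahia, Nora and Cuppens, Fr{\'e}d{\'e}ric
and Viinikka, Jouni},
booktitle = {Proceedings of the International Conference on
Network and Service Security (N2S'09)},
pages = {1--6},
year = 2009,
organization = {IEEE}
}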
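@inproceedings{kheir2009service,
title = {A Service Dependency Modeling Framework for
Policy-based Response Enforcement},
author = {Kheir, Nizar and Debar, Herv{\'e} and Cuppens,
Fr{\'e}d{\'e}ric and Cuppens-Boulahia, Nora and
Viinikka, Jouni},
year = 2009,
isbn = {978-3-642-02917-2},
booktitle = {Proceedings of DIMVA 2009, Detection of Intrusions
and Malware, and Vulnerability Assessment},
volume = 5587,
series = {Lecture Notes in Computer Science},
editor = {Flegel, Ulrich and Bruschi, Danilo},
doi = {10.1007/978-3-642-02918-9_11},
url = {http://dx.doi.org/10.1007/978-3-642-02918-9_11},
publisher = {Springer Berlin Heidelberg},
pages = {176--195},
keywords = {intrusion detection, intrusion response,
counter-measures, service dependencies, OrBAC,
security policies, response architecture,
counter-measures architecture},
abstract = {The use of dynamic access control policies for
threat response adapts local response decisions to
high level system constraints. However, security
policies are often carefully tightened during system
design-time, and the large number of service
dependencies in a system architecture makes their
dynamic adaptation difficult. The enforcement of a
single response rule requires performing multiple
configuration changes on multiple services. This
paper formally describes a Service Dependency
Framework (SDF) in order to assist the response
process in selecting the policy enforcement points
(PEPs) capable of applying a dynamic response
rule. It automatically derives elementary access
rules from the generic access control, either
allowed or denied by the dynamic response policy, so
they can be locally managed by local PEPs. SDF
introduces a requires/provides model of service
dependencies. It models the service architecture in
a modular way, and thus provides both extensibility
and reusability of model components. SDF is defined
using the Architecture Analysis and Design Language,
which provides formal concepts for modeling system
architectures. This paper presents a systematic
treatment of the dependency model which aims to
apply policy rules while minimizing configuration
changes and reducing resource consumption.}
}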
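@article{me2001detection,
title = {La d{\'e}tection d'intrusions: les outils doivent
coop{\'e}rer},
author = {M{\'e}, Ludovic and Marrakchi, Zakia and Michel,
C{\'e}dric and Debar, Herv{\'e} and Cuppens,
Fr{\'e}d{\'e}ric},
journal = {REE. Revue de l'{\'e}lectricit{\'e} et de
l'{\'e}lectronique},
pages = {56--59},
year = 2001,
publisher = {Soci{\'e}t{\'e} de l'Electricit{\'e}, de
l'Electronique et des Technologies de l'Information
et de la Communication (SEE)},
abstract = {La d{\'e}tection d'intrusions a pour objectif de
d{\'e}tecter toute violation de la politique de
s{\'e}curit{\'e} en vigueur sur un syst{\`e}me
informatique. Elle est bas{\'e}e sur l'analyse {\`a} la
vol{\'e}e ou en temps diff{\'e}r{\'e} de ce qui se
passe sur le syst{\`e}me. Deux approches sont
utilis{\'e}es {\`a} cette fin: l'approche par
sc{\'e}nario (misuse detection) et l'approche
comportementale (anomaly detection). Chacune des
deux pr{\'e}sente des points forts, mais aussi des
faiblesses. Les outils qui impl{\'e}mentent ces
approches pr{\'e}sentent {\'e}galement des forces et
des faiblesses. L'objectif est de montrer la
n{\'e}cessit{\'e} de faire coop{\'e}rer les outils
de d{\'e}tection d'intrusions, afin de cumuler les
forces et d'{\'e}liminer les faiblesses.}
}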
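@inproceedings{morin2002m2d2,
title = {{M2D2}: A formal data model for {IDS} alert correlation},
author = {Morin, Benjamin and M{\'e}, Ludovic and Debar,
Herv{\'e} and Ducass{\'e}, Mireille},
pages = {115--137},
year = 2002,
booktitle = {Proceedings of the 5th International Conference on
Recent Advances in Intrusion Detection (RAID'02)},
isbn = {3-540-00020-8},
location = {Zurich, Switzerland},
numpages = 23,
url = {http://link.springer.com/chapter/10.1007%2F3-540-36084-0_7},
acmid = 1754711,
publisher = {Springer-Verlag},
volume = 2516,
series = {Lecture Notes in Computer Science},
editor = {Wespi, Andreas and Vigna, Giovanni and Deri, Luca},
doi = {10.1007/3-540-36084-0_7},
keywords = {intrusion detection, alert correlation},
abstract = {At present, alert correlation techniques do not make
full use of the information that is available. We
propose a data model for IDS alert correlation
called M2D2. It supplies four information types:
information related to the characteristics of the
monitored information system, information about the
vulnerabilities, information about the security
tools used for the monitoring, and information about
the events observed. M2D2 is formally defined. As
far as we know, no other formal model includes the
vulnerability and alert parts of M2D2. Three
examples of correlations are given. They are
rigorously specified using the formal definition of
M2D2. As opposed to already published correlation
methods, these examples use more than the events
generated by security tools; they make use of many
concepts formalized in M2D2.}
}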
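@inproceedings{morin2003correlation,
title = {Correlation of intrusion symptoms: an application of
chronicles},
author = {Morin, Benjamin and Debar, Herv{\'e}},
pages = {94--112},
year = 2003,
isbn = {978-3-540-40878-9},
booktitle = {Proceedings of the 6th International Conference on
Recent Advances in Intrusion Detection (RAID'03)},
volume = 2820,
series = {Lecture Notes in Computer Science},
editor = {Vigna, Giovanni and Kruegel, Christopher and
Jonsson, Erland},
doi = {10.1007/978-3-540-45248-5_6},
url = {http://link.springer.com/chapter/10.1007%2F978-3-540-45248-5_6},
publisher = {Springer Berlin Heidelberg},
location = {Pittsburgh, PA, USA},
keywords = {misuse detection, alert correlation, chronicles,
worm detection},
abstract = {In this paper, we propose a multi-alarm misuse
correlation component based on the chronicles
formalism. Chronicles provide a high level
declarative language and a recognition system that
is used in other areas where dynamic systems are
monitored. This formalism allows us to reduce the
number of alarms shipped to the operator and
enhances the quality of the diagnosis provided.}
}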
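@inproceedings{morin2005conceptual,
title = {Conceptual analysis of intrusion alarms},
author = {Morin, Benjamin and Debar, Herv{\'e}},
pages = {91--98},
year = 2005,
location = {Cagliari, Italy},
month = sep,
isbn = {978-3-540-28869-5},
booktitle = {Proceedings of the 13th International Conference on
Image Analysis and Processing (ICIAP 2005)},
volume = 3617,
series = {Lecture Notes in Computer Science},
editor = {Roli, Fabio and Vitulano, Sergio},
doi = {10.1007/11553595_11},
publisher = {Springer Berlin Heidelberg},
url = {http://link.springer.com/chapter/10.1007%2F11553595_11},
keywords = {intrusion detection, alert correlation},
abstract = {Security information about information systems
provided by current intrusion detection systems
(IDS) is spread over numerous similar and
fine-grained alerts. Security operators are
consequently overwhelmed by alerts whose content is
too poor. Alarm correlation techniques are used to
reduce the number of alerts and enhance their
content. In this paper, we tackle the alert
correlation problem as an information retrieval
problem in order to make the handling of alert
groups easier.}
}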
@article{morin2009logic,
  author    = {Morin, Benjamin and M{\'e}, Ludovic and Debar, Herv{\'e} and Ducass{\'e}, Mireille},
  title     = {A logic-based model to support alert correlation in intrusion detection},
  journal   = {Information Fusion},
  year      = 2009,
  volume    = 10,
  number    = 4,
  pages     = {285--299},
  publisher = {Elsevier},
  doi       = {10.1016/j.inffus.2009.01.005},
  url       = {http://www.sciencedirect.com/science/article/pii/S1566253509000177},
  keywords  = {intrusion detection, alert correlation, data model},
  abstract  = {Managing and supervising security in large networks
    has become a challenging task, as new threats and flaws are being
    discovered on a daily basis. This requires an in depth and
    up-to-date knowledge of the context in which security-related
    events occur. Several tools have been proposed to support security
    operators in this task, each of which focuses on some specific
    aspects of the monitoring. Many alarm fusion and correlation
    approaches have also been investigated. However, most of these
    approaches suffer from two major drawbacks. First, they only take
    advantage of the information found in alerts, which is not
    sufficient to achieve the goals of alert correlation, that is to
    say to reduce the overall amount of alerts, while enhancing their
    semantics. Second, these techniques have been designed on an ad hoc
    basis and lack a shared data model that would allow them to reason
    about events in a cooperative way. In this paper, we propose a
    federative data model for security systems to query and assert
    knowledge about security incidents and the context in which they
    occur. This model constitutes a consistent and formal ground to
    represent information that is required to reason about
    complementary evidences, in order to confirm or invalidate alerts
    raised by intrusion detection systems.},
}
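@techreport{pouget2003white,
title = {White paper: honeypot, honeynet, honeytoken:
terminological issues},
author = {Pouget, Fabien and Dacier, Marc and Debar,
Herv{\'e}},
institution = {EURECOM},
number = 1275,
year = 2003,
month = sep,
url = {http://www.eurecom.fr/publication/1275},
keywords = {honeypots, honeypots classification, honeynets,
honeytokens},
abstract = {Many different terms, definitions and
classifications for honeypots, honeynets and other
honeytokens have been proposed by several authors
during the last 3 years. In this document, we offer
a summary of the various proposals and we discuss
their advantages and drawbacks. We also offer our
own definition at the end of the paper.}
}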
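@incollection{pouget2005honeynets,
title = {Honeynets: foundations for the development of early
warning information systems},
author = {Pouget, Fabien and Dacier, Marc and Pham, V. H. and
Debar, Herv{\'e}},
booktitle = {Cyberspace Security and Defense: Research Issues},
pages = {231--257},
year = 2005,
publisher = {Springer Netherlands},
isbn = {978-1-4020-3379-7},
volume = 196,
series = {NATO Science Series II: Mathematics, Physics and
Chemistry},
editor = {Kowalik, Janusz and Gorski, Janusz and Sachenko,
Anatoly},
doi = {10.1007/1-4020-3381-8_13},
url = {http://link.springer.com/chapter/10.1007%2F1-4020-3381-8_13},
keywords = {Honeynet, Internet Attacks, Database, Malware,
Cybercrime},
abstract = {This paper aims at presenting in some depth the
``Leurr{\'e}.com'' project and its first results. The
project aims at deploying so-called low level
interaction honeypot platforms all over the world to
collect in a centralized database a set of
information amenable to the analysis of today's
Internet threats. At the time of this writing,
around two dozens platforms have been deployed in
the five continents. The paper offers some insight
into the findings that can be derived from such data
set. More importantly, the design and the structure
of the repository are presented and justified by
means of several examples that highlight the
simplicity and efficiency of extracting useful
information out of it. We explain why such low cost,
largely distributed system represents an important,
foundational element, towards the building of early
warning information systems.}
}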
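@techreport{rfc4765,
title = {The Intrusion Detection Message Exchange Format
({IDMEF})},
author = {Debar, Herv{\'e} and Curry, David A. and Feinstein,
Benjamin S.},
institution = {RFC Editor},
type = {RFC},
number = 4765,
year = 2007,
month = mar,
pages = {1--157},
issn = {2070-1721},
url = {https://www.rfc-editor.org/rfc/rfc4765.txt},
publisher = {RFC Editor},
note = {Internet Requests for Comments},
abstract = {The purpose of the Intrusion Detection Message
Exchange Format (IDMEF) is to define data formats
and exchange procedures for sharing information of
interest to intrusion detection and response systems
and to the management systems that may need to
interact with them. This document describes a data
model to represent information exported by intrusion
detection systems and explains the rationale for
using this model. An implementation of the data
model in the Extensible Markup Language (XML) is
presented, an XML Document Type Definition is
developed, and examples are provided.}
}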
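@inproceedings{thomas2006improving,
title = {Improving security management through passive
network observation},
author = {Thomas, Yohann and Debar, Herv{\'e} and Morin,
Benjamin},
booktitle = {Proceedings of the First International Conference on
Availability, Reliability and Security (ARES'06)},
numpages = 8,
internal-note = {page range not recorded; the earlier value "8--pp"
was a Scholar export of "8 pp." (page count), not a range},
year = 2006,
location = {Vienna, Austria},
organization = {IEEE},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
isbn = {0-7695-2567-9},
month = apr,
keywords = {client-server systems, computer network management,
security of data, compliance verification, desktop
clients, information system, passive network
observation, security management, server
vulnerability assessment reports, databases,
information security, information systems,
management information systems, monitoring, passive
networks, research and development, software agents,
system testing},
doi = {10.1109/ARES.2006.74},
url = {http://www.computer.org/csdl/proceedings/ares/2006/2567/00/25670382-abs.html},
abstract = {Detailed and reliable knowledge of the
characteristics of an information system is becoming
a very important feature for operational
security. Unfortunately, vulnerability assessment
tools have important side effects on the monitored
information systems. In this paper, we propose an
approach to gather or deduce information similar to
vulnerability assessment reports, based on passive
network observation. Information collected goes
beyond classic server vulnerability assessment,
enabling compliance verification of desktop
clients.}
}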
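@inproceedings{tombini2004serial,
title = {A serial combination of anomaly and misuse {IDSes}
applied to {HTTP} traffic},
author = {Tombini, Elvis and Debar, Herv{\'e} and M{\'e},
Ludovic and Ducass{\'e}, Mireille},
pages = {428--437},
year = 2004,
month = dec,
organization = {IEEE},
booktitle = {Proceedings of the 20th Annual Computer Security
Applications Conference (ACSAC '04)},
isbn = {0-7695-2252-1},
numpages = 10,
url = {http://dx.doi.org/10.1109/CSAC.2004.4},
doi = {10.1109/CSAC.2004.4},
acmid = 1038335,
publisher = {IEEE Computer Society},
address = {Washington, DC, USA},
keywords = {intrusion detection, misuse detection, anomaly
detection, combination, resolver, web server},
abstract = {Combining an "anomaly" and a "misuse" IDSes offers
the advantage of separting the monitored events
between normal, intrusive or unqualified classes (ie
not known as an attack, but not recognize as safe
either). In this article, we provide a framework to
systematically reason about the combination of
anomaly and misuse components.This framework applied
to web servers lead us to propose a serial
architecture, using a drastic anomaly component with
a sensitive misuse component. This architecture
provides the operator with better qualification of
the detection results, raises lower amount of false
alarms and unqualified events.}
}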
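@inproceedings{viinikka2004monitoring,
title = {Monitoring {IDS} background noise using {EWMA} control
charts and alert information},
author = {Viinikka, Jouni and Debar, Herv{\'e}},
pages = {166--187},
year = 2004,
isbn = {978-3-540-23123-3},
booktitle = {Proceedings of the 7th International Symposium on
Recent Advances in Intrusion Detection (RAID 2004)},
location = {Sophia Antipolis, France},
month = sep,
volume = 3224,
series = {Lecture Notes in Computer Science},
editor = {Jonsson, Erland and Valdes, Alfonso and Almgren,
Magnus},
doi = {10.1007/978-3-540-30143-1_9},
url = {http://dx.doi.org/10.1007/978-3-540-30143-1_9},
publisher = {Springer Berlin Heidelberg},
keywords = {intrusion detection, intrusion detection systems,
background noise, alert volume reduction, EWMA},
abstract = {Intrusion detection systems typically create large
amounts of alerts, processing of which is a time
consuming task for the user. This paper describes an
application of exponentially weighted moving average
(EWMA) control charts used to help the operator in
alert processing. Depending on his objectives, some
alerts are individually insignificant, but when
aggregated they can provide important information on
the monitored system's state. Thus it is not always
the best solution to discard those alerts, for
instance, by means of filtering, correlation, or by
simply removing the signature. We deploy a widely
used EWMA control chart for extracting trends and
highlighting anomalies from alert information
provided by sensors performing pattern matching. The
aim is to make output of verbose signatures more
tolerable for the operator and yet allow him to
obtain the useful information available. The applied
method is described and experimentation along its
results with real world data are presented. A test
metric is proposed to evaluate the results.}
}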
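@inproceedings{viinikka2006time,
title = {Time series modeling for {IDS} alert management},
author = {Viinikka, Jouni and Debar, Herv{\'e} and M{\'e},
Ludovic and S{\'e}guier, Renaud},
booktitle = {Proceedings of the 2006 ACM Symposium on
Information, computer and communications security
(ASIACCS'06)},
pages = {102--113},
year = 2006,
organization = {ACM},
isbn = {1-59593-272-0},
location = {Taipei, Taiwan},
numpages = 12,
url = {http://doi.acm.org/10.1145/1128817.1128835},
doi = {10.1145/1128817.1128835},
acmid = 1128835,
publisher = {ACM},
address = {New York, NY, USA},
keywords = {intrusion detection, alerts, background noise, time
series},
abstract = {Intrusion detection systems create large amounts of
alerts. Significant part of these alerts can be seen
as background noise of an operational information
system, and its quantity typically overwhelms the
user. In this paper we have three points to
make. First, we present our findings regarding the
causes of this noise. Second, we provide some
reasoning why one would like to keep an eye on the
noise despite the large number of alerts. Finally,
one approach for monitoring the noise with
reasonable user load is proposed. The approach is
based on modeling regularities in alert flows with
classical time series methods. We present
experimentations and results obtained using real
world data.}
}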
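@article{viinikka2009processing,
title = {Processing intrusion detection alert aggregates with
time series modeling},
author = {Viinikka, Jouni and Debar, Herv{\'e} and M{\'e},
Ludovic and Lehikoinen, Anssi and Tarvainen, Mika},
journal = {Information Fusion},
volume = 10,
number = 4,
pages = {312--324},
year = 2009,
publisher = {Elsevier},
doi = {10.1016/j.inffus.2009.01.003},
url = {http://www.sciencedirect.com/science/article/pii/S1566253509000189},
keywords = {network security, intrusion detection, alert
correlation, time series modeling, Kalman filtering},
abstract = {The main use of intrusion detection systems (IDS) is
to detect attacks against information systems and
networks. Normal use of the network and its
functioning can also be monitored with an IDS. It
can be used to control, for example, the use of
management and signaling protocols, or the network
traffic related to some less critical aspects of
system policies. These complementary usages can
generate large numbers of alerts, but still, in
operational environment, the collection of such data
may be mandated by the security policy. Processing
this type of alerts presents a different problem
than correlating alerts directly related to attacks
or filtering incorrectly issued alerts. We
aggregate individual alerts to alert flows, and then
process the flows instead of individual alerts for
two reasons. First, this is necessary to cope with
the large quantity of alerts -- a common problem
among all alert correlation approaches. Second,
individual alert's relevancy is often
indeterminable, but irrelevant alerts and
interesting phenomena can be identified at the flow
level. This is the particularity of the alerts
created by the complementary uses of IDSes. Flows
consisting of alerts related to normal system
behavior can contain strong regularities. We propose
to model these regularities using non-stationary
autoregressive models. Once modeled, the
regularities can be filtered out to relieve the
security operator from manual analysis of true, but
low impact alerts. We present experimental results
using these models to process voluminous alert flows
from an operational network.}
}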
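@article{wespi2000fixed,
title = {Fixed- vs. variable-length patterns for detecting
suspicious process behavior},
author = {Wespi, Andreas and Debar, Herv{\'e} and Dacier, Marc
and Nassehi, Mehdi},
journal = {Journal of Computer Security},
volume = 8,
number = {2--3},
pages = {159--181},
year = 2000,
issue_date = {August 2000},
month = aug,
issn = {0926-227X},
numpages = 23,
url = {http://dl.acm.org/citation.cfm?id=1297828.1297830},
acmid = 1297830,
publisher = {IOS Press},
address = {Amsterdam, The Netherlands},
keywords = {intrusion detection, anomaly detection},
abstract = {This paper addresses the problem of creating
patterns that can be used to model the normal
behavior of a given process. The models can be used
for intrusion-detection purposes. First, we present
a novel method to generate input data sets that
enable us to observe the normal behavior of a
process in a secure environment. Second, we propose
various techniques to derive either fixed-length or
variable-length patterns from the input data
sets. We show the advantages and drawbacks of each
technique, based on the results of the experiments
we have run on our testbed.}
}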
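@inproceedings{wespi2000intrusion,
title = {Intrusion detection using variable-length audit
trail patterns},
author = {Wespi, Andreas and Dacier, Marc and Debar,
Herv{\'e}},
pages = {110--129},
year = 2000,
location = {Toulouse, France},
month = oct,
isbn = {978-3-540-41085-0},
booktitle = {Proceedings of the Third International Workshop on
Recent Advances in Intrusion Detection (RAID 2000)},
volume = 1907,
series = {Lecture Notes in Computer Science},
editor = {Debar, Herv{\'e} and M{\'e}, Ludovic and Wu,
S. Felix},
doi = {10.1007/3-540-39945-3_8},
url = {http://dx.doi.org/10.1007/3-540-39945-3_8},
publisher = {Springer Berlin Heidelberg},
keywords = {intrusion detection, Teiresias, pattern discovery,
pattern matching, variable-length patterns, C2 audit
trail, functionality verification tests},
abstract = {Audit trail patterns generated on behalf of a Unix
process can be used to model the process
behavior. Most of the approaches proposed so far use
a table of fixed-length patterns to represent the
process model. However, variable-length patterns
seem to be more naturally suited to model the
process behavior, but they are also more difficult
to construct. In this paper, we present a novel
technique to build a table of variable-length
patterns. This technique is based on Teiresias, an
algorithm initially developed for discovering rigid
patterns in unaligned biological sequences. We
evaluate the quality of our technique in a testbed
environment, and compare it with the
intrusion-detection system proposed by Forrest et
al. [8], which is based on fixed-length
patterns. The results achieved with our novel method
are significantly better than those obtained with
the original method based on fixed-length patterns.}
}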