Since current computer infrastructures are increasingly vulnerable to malicious activities, intrusion detection is necessary but unfortunately not sufficient. We need to design effective response techniques to circumvent intrusions when they are detected. Our approach is based on a library that implements different types of counter-measures. The idea is to design a decision support tool that helps the administrator choose, from this library, the appropriate counter-measure when a given intrusion occurs. For this purpose, we formally define the notion of anti-correlation, which is used to determine the counter-measures that are effective in stopping the intrusion. Finally, we present a platform of intrusion detection that implements the response mechanisms presented in this paper.
Abstract (French version, translated): Given that computer systems are increasingly vulnerable to malicious activities, the use of intrusion detection is necessary but not sufficient. We must develop effective methods of reacting to intrusions in order to stop the intrusions that are detected. Our approach is based on a library of different types of counter-measures. The objective is to help the administrator choose, from this library, the counter-measure best suited to the intrusion that has been detected. To do this, we formally define the notion of anti-correlation, which is used to select the counter-measures that make it possible to stop the intrusion. We conclude with the presentation of an intrusion detection platform that implements the mechanisms presented in this article. Keywords: Computer security, Intrusion detector, Information protection, Correlation, Modelling, Logical model.
We present in this paper a decentralized architecture to correlate alerts between cooperative nodes in a secure multicast infrastructure. The purpose of this architecture is to detect and prevent the use of network resources to perform coordinated attacks against third-party networks. By means of a cooperative scheme based on message passing, the different nodes of this system collaborate to detect their participation in a coordinated attack and react to avoid it. An overview of the implementation of this architecture for GNU/Linux systems demonstrates the practicability of the system.
Current intrusion detection systems go beyond the detection of attacks and provide reaction mechanisms to cope with detected attacks, or at least to reduce their effect. Previous research has proposed methods to automatically select possible countermeasures capable of ending the detected attack. In practice, however, countermeasures have side effects and can be as harmful as the detected attack. In this paper, we propose to improve the reaction selection process by providing means to quantify effectiveness and to select the countermeasure that has the minimum negative side effect on the information system. To achieve this goal, we adopt a risk assessment and analysis approach.
Abstract. Recent security concerns related to future embedded systems make enforcement of security requirements one of the most critical phases when designing such systems. This paper introduces an approach for efficient enforcement of security requirements based on argumentative logic, especially reasoning about activation or deactivation of different security mechanisms under certain functional and non-functional requirements. In this paper, the argumentative logic is used to reason about the rationale behind dynamic enforcement of security policies.
In 2016, Google introduced the concept of Federated Learning (FL), enabling collaborative Machine Learning (ML). FL does not share local data but ML models, offering applications in diverse domains. This paper focuses on the application of FL to Intrusion Detection Systems (IDSs). There, common criteria to compare existing solutions are missing. In particular, this survey shows: (i) how FL-based IDSs are used in different domains; (ii) what differences exist between architectures; (iii) the state of the art of FL-based IDSs. With a structured literature survey, this work identifies the relevant state of the art in FL-based intrusion detection from its creation in 2016 until 2021. It provides a reference architecture and a taxonomy to serve as guidelines to compare and design FL-based IDSs. Both are validated against the existing works. Finally, it identifies research directions for the application of FL to intrusion detection systems.