Advanced Reaction Using Risk Assessment in Intrusion Detection Systems

Kanoun, Waël; Cuppens-Boulahia, Nora; Cuppens, Frédéric; Autrel, Fabien

doi:10.1007/978-3-540-89173-4_6

Cited by 14 publications

(6 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, this reaction approach can be refined by combining it with the risk analysis model proposed in [19]. This model is used to evaluate the total risk gravity of the IS once an attack is detected and after simulating the execution of the candidate countermeasure.…”

Section: Risk Assessment Modelmentioning

confidence: 99%

See 1 more Smart Citation

Automated reaction based on risk analysis and attackers skills in intrusion detection systems

Kanoun¹,

Cuppens-Boulahia²,

Cuppens³

et al. 2008

2008 Third International Conference on Risks and Security of Internet and Systems

Self Cite

View full text Add to dashboard Cite

International audienceNowadays, intrusion detection systems do not only aim to detect attacks; but they go beyond by providing reaction mechanisms to cope with detected attacks, or at least reduce their effects. Previous research works have proposed several methods to automatically select possible countermeasures capable of ending the detected attack, but without taking into account their side effects. In fact, countermeasures can be as harmful as the detected attack. Moreover, sometimes selected countermeasures are not adapted to the attackers actions and/or knowledge. In this paper, we propose to turn the reaction selection process intelligent by giving means to (i) quantify the effectiveness and select the countermeasure that has the minimum negative side effect on the information system by adopting a risk assessment and analysis approach, and (ii) assess the skill and knowledge level of the attacker from a defensive point of view

show abstract

Section: Risk Assessment Modelmentioning

confidence: 99%

“…Each scenario risk gravity depends on its potentiality and impact factors. Interested readers can refer to [19] for more details.…”

Section: Risk Assessment Modelmentioning

confidence: 99%

Automated reaction based on risk analysis and attackers skills in intrusion detection systems

Kanoun¹,

Cuppens-Boulahia²,

Cuppens³

et al. 2008

2008 Third International Conference on Risks and Security of Internet and Systems

Self Cite

View full text Add to dashboard Cite

show abstract

“…Many attack graph based alert correlation techniques have been proposed recently. The correlation methods proposed in the last decade can be classified into three categories [43], [45]: implicit, semiexplicit, and explicit correlations.…”

Section: A Attack Modelingmentioning

confidence: 99%

Realtime intrusion risk assessment model based on attack and service dependency graphs

Shameli‐Sendi

Dagenais

Wang

2018

Computer Communications

View full text Add to dashboard Cite

Network services are becoming larger and increasingly complex to manage. It is extremely critical to maintain the users QoS, the response time of applications, and critical services in high demand. On the other hand, we see impressive changes in the ways in which attackers gain access to systems and infect services. When an attack is detected, an Intrusion Response System (IRS) is responsible to accurately assess the value of the loss incurred by a compromised resource and apply the proper responses to mitigate attack. Without having a proper risk assessment, our automated IRS will reduce network performance, wrongly disconnect users from the network, or result in high costs for administrators reestablishing services, and become a DoS attack for our network, which will eventually have to be disabled. In this paper, we address these challenges and we propose a new model to combine the Attack Graph and Service Dependency Graph approaches to calculate the impact of an attack more accurately compared to other existing solutions. To show the effectiveness of our model, a sophisticated multi-step attack was designed to compromise a web server, as well as to acquire root privilege. Our results illustrate the efficiency of the proposed model and confirm the feasibility of the approach in real-time.

show abstract

“…The obligations are expressed as OrBAC concrete rules. The reaction decision is taken by considering the topology information of the monitored system, the reaction obligations and the impact of the elected reactions [13]. A diagnosis is also sent by the RDP to the PIE and handled at the high reaction level.…”

Section: Reaction Decision Point (Rdp)mentioning

confidence: 99%

“…Notice that a diagnosis is derived within this step for improving the reaction process. Activating an automatic or a manual response depends on the confidence level of the diagnosis and the automatic choice may be performed by measuring the impact of the corresponding reaction [13].…”

Section: Mid Level Reactionmentioning

confidence: 99%

Expression and Deployment of Reaction Policies

Cuppens¹,

Cuppens-Boulahia²,

Bouzida³

et al. 2008

2008 IEEE International Conference on Signal Image Technology and Internet Based Systems

Self Cite

View full text Add to dashboard Cite

Current prevention techniques provide restrictive responses that may take a local reaction in a limited information system infrastructure. In this paper, an in depth and comprehensive approach is introduced for responding to intrusions in an efficient way. This approach considers not only the threat and the architecture of the monitored information system, but also the security policy. The proposed reaction workflow links the lowest level of the information system corresponding to intrusion detection mechanisms, including misuse and anomaly techniques, and access control techniques with the higher level of the security policy. This reaction workflow evaluates the intrusion alerts at three different levels, it then reacts against threats with appropriate counter measures in each level accordingly.

show abstract

Advanced Reaction Using Risk Assessment in Intrusion Detection Systems

Cited by 14 publications

References 10 publications

Automated reaction based on risk analysis and attackers skills in intrusion detection systems

Automated reaction based on risk analysis and attackers skills in intrusion detection systems

Realtime intrusion risk assessment model based on attack and service dependency graphs

Expression and Deployment of Reaction Policies

Contact Info

Product

Resources

About