Automated reaction based on risk analysis and attackers skills in intrusion detection systems

Kanoun, Waël; Cuppens-Boulahia, Nora; Cuppens, Frédéric; Araújo, Jean

doi:10.1109/crisis.2008.4757471

Cited by 31 publications

(17 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The attack graph serves as a correlation mechanism to determine the false negative and positive alarms. It not only correlates the intrusion detection system outputs [30], [31], but also helps the intrusion response system to apply responses in a timely fashion, at the right place, and with the appropriate intensity [32], [33]. Note that our dynamic attack graph is based on service vulnerabilities.…”

Section: E False Alarmsmentioning

confidence: 99%

Realtime intrusion risk assessment model based on attack and service dependency graphs

Shameli‐Sendi

Dagenais

Wang

2018

Computer Communications

View full text Add to dashboard Cite

Network services are becoming larger and increasingly complex to manage. It is extremely critical to maintain the users QoS, the response time of applications, and critical services in high demand. On the other hand, we see impressive changes in the ways in which attackers gain access to systems and infect services. When an attack is detected, an Intrusion Response System (IRS) is responsible to accurately assess the value of the loss incurred by a compromised resource and apply the proper responses to mitigate attack. Without having a proper risk assessment, our automated IRS will reduce network performance, wrongly disconnect users from the network, or result in high costs for administrators reestablishing services, and become a DoS attack for our network, which will eventually have to be disabled. In this paper, we address these challenges and we propose a new model to combine the Attack Graph and Service Dependency Graph approaches to calculate the impact of an attack more accurately compared to other existing solutions. To show the effectiveness of our model, a sophisticated multi-step attack was designed to compromise a web server, as well as to acquire root privilege. Our results illustrate the efficiency of the proposed model and confirm the feasibility of the approach in real-time.

show abstract

Section: E False Alarmsmentioning

confidence: 99%

Realtime intrusion risk assessment model based on attack and service dependency graphs

Shameli‐Sendi

Dagenais

Wang

2018

Computer Communications

View full text Add to dashboard Cite

show abstract

“…The proposed approach systematically integrates attack graphs and Hidden Markov Models together for exploring the probabilistic relation between system observations and state. Kanoun et al [10] presented a risk assessment model based on attack graphs to evaluate the severity of the total risk of the monitored system. The LAMBDA [11] language is used to model attack graphs when an attack is detected.…”

Section: Related Workmentioning

confidence: 99%

A Defense-Centric Model for Multi-step Attack Damage Cost Evaluation

Shameli‐Sendi

Louafi

et al. 2015

2015 3rd International Conference on Future Internet of Things and Cloud

View full text Add to dashboard Cite

Abstract-Measuring the attack damage cost and monitoring the sequence of privilege escalations play a critical role in choosing the right countermeasure by Intrusion Response System (IRS). The existing attack damage cost evaluation approaches inherit some limitations, such as neglecting the dependencies between system assets, ignoring the backward damage of exploited non-goal services, or omitting the potential damage toward the goal service. In this paper, we propose a defense-centric model to calculate the damage cost of a multistep attack. The main advantage of this model is providing an accurate damage cost by considering not only the damaged services (non-goal services) but also the potential damage toward the attacker target (goal service). To track the attacker's progress and find the attack path, an Attack-Defense Tree (ADT) is used. The model has been implemented in, but is not limited to, the cloud environment and tested with a multistep attack scenario.

show abstract

“…This type of evaluation is very limited and is not sufficient. It is used also by Kanoun et al [4], however, the authors are preparing for a more extensive evaluation in a live deployment.…”

Section: Related Workmentioning

confidence: 99%

Network defence strategy evaluation: Simulation vs. live network

Medková

Husák

Drašar

2017

2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)

View full text Add to dashboard Cite

Abstract-A lot of research has been dedicated to finding an optimal strategy to defend network infrastructure. The proposed methods are usually evaluated using simulations, replayed attacks or testbed environments. However, these evaluation methods may give biased results, because in real life, attackers can follow a suboptimal strategy or react to a defence in an unexpected way. In this paper, we use a network of honeypots as a testing environment for evaluating network defence strategies. The honeypot network provides the opportunity to test a defence strategy against real attackers and is not as time and resource consuming as using white hat hackers. In our experiment, we use two different strategies to defend a group of honeypots in a live network and we compare these results to the results of a simulation with replayed attacks. We show that the results of the strategies in the simulation significantly differ from the results on the honeypot network which implies simulations are not sufficient for strategy evaluation. We also investigate how the attacker adapts to the responses taken by a defence strategy and how this change in behaviour affects the evaluation results.

show abstract

Automated reaction based on risk analysis and attackers skills in intrusion detection systems

Cited by 31 publications

References 13 publications

Realtime intrusion risk assessment model based on attack and service dependency graphs

Realtime intrusion risk assessment model based on attack and service dependency graphs

A Defense-Centric Model for Multi-step Attack Damage Cost Evaluation

Network defence strategy evaluation: Simulation vs. live network

Contact Info

Product

Resources

About