Véronique Legrand
Institut national des sciences Appliquées de Lyon
Publication
Featured research published by Véronique Legrand.
international workshop on security | 2006
Samuel Galice; Véronique Legrand; Marine Minier; John Mullins; Stéphane Ubéda
In the context of ambient networks where each small device must trust its neighborhood rather than a fixed network, we propose in this paper a trust management framework based upon social patterns. As in the human interaction model, our proposal builds trust using history elements of past interactions with a local reputation model. The main features of our framework are the non-transitivity of the trust bond and the non-transferability of the history. The elements of history are also cryptographically proved as a criterion to enforce the trust notion. This gives a general framework that permits the implementation of various trust models.
international conference on emerging security information, systems and technologies | 2008
Fatiha Benali; Stéphane Ubéda; Véronique Legrand
The messages generated by the security devices represent the necessary data for the detection of malicious activities in an information system. The heterogeneity of the devices and the lack of a standard for the security messages make the automatic processing of the messages difficult. The messages are short, use a very wide vocabulary and have different formats. We propose in this article the collaboration between classifiers to increase the accuracy of the classification. We apply text categorization techniques for the automatic classification of security log file messages, in categories defined by an ontology. We develop an extraction module for the message attributes to reduce the vocabulary size. Then we apply two training algorithms, the k-nearest neighbour algorithm and naive Bayes, on two corpora of security log messages. Finally, we propose to have the classifiers collaborate to produce a single classifier with better accuracy.
Proceedings of the 8th international conference on New technologies in distributed systems | 2008
Jacques Saraydaryan; Véronique Legrand; Stéphane Ubéda
Many works have been carried out in event correlation and intrusion detection. Although they use different methods or correlation approaches, they all highlight the importance of time in their modeling process. In this paper, we suggest a new time consideration for our previous work on Bayesian behavior intrusion detection. Using a probabilistic approach, we introduce time consideration in the profile of user/system interactions. This enriched profile will integrate all time dependencies among correlated alerts. Some works provide attack graph scenarios where time dependencies are explicitly defined. In our case, they are learnt during a training period.
international conference on internet monitoring and protection | 2007
Véronique Legrand; Stéphane Ubéda
This paper describes a diagnosis model and architecture for enterprise-level security event correlation called DIM (Diagnostic and Investigation Models). Our work is motivated by the existing limits of holistic Information System security surveillance solutions suited to monitoring information systems. We address this issue in this paper and propose an architectural foundation. Our approach is based on an ontology-driven diagnosis process coupled with an enriched CIM (Common Information Model) derived information model and a policy model.
international conference on internet monitoring and protection | 2008
Véronique Legrand; Radu State; Luc Paffumi
The current landscape of security management solutions for large-scale networks is limited by the lack of supporting approaches capable of dealing with the huge number of alarms and events that are generated on current networks. In this paper we propose a security management architecture capable of reconstructing causal dependencies from captured network and service alarms. The key idea is based on mapping events in semantic spaces, where a novel algorithm can determine such dependencies. We have implemented a prototype and tested it on an operational network within an outsourced security management suite protecting multiple networks.
information security conference | 2008
Jacques Saraydaryan; Luc Paffumi; Véronique Legrand; Stéphane Ubéda
Monitoring and analysing Information System (IS) security events has become more and more difficult in the last few years. As IS complexity rises, the number of mandatory monitoring points has increased along with the number of deployed probes. Consequently, a huge amount of information is reported to the analyst, which subsequently floods him and implies the implementation of very complex event analysis engines. In the behaviour analysis context in which sequences of events are studied, this information quantity issue makes it difficult to build automatable, not too complex models. In order to cope with this increasing amount of information, we will describe a method to reduce the observation perimeter through the selection of the most relevant indicators. Such indicators, which are defined thanks to user and attacker behaviour analysis, represent different actions that users or attackers perform in the IS. This method implies neither information loss nor significant detection rate decline. We experimented with this indicator selection using a behaviour anomaly detection engine, injecting a few days of events. Results show that model complexity issues are significantly reduced while keeping the detection rate almost the same.
Proceedings of the 8th international conference on New technologies in distributed systems | 2008
Fatiha Benali; Stéphane Ubéda; Véronique Legrand
The messages generated by the security devices are the necessary data for the detection of malicious activities in an information system. The heterogeneity of the devices and the lack of a standard for the security messages make the automatic processing of the messages difficult. The messages are short, use a very wide vocabulary and have different formats. We propose in this article the application of text categorization techniques for the automatic classification of security log file messages, in categories defined by an ontology. We develop an extraction module for the message attributes to reduce the vocabulary size. Then we apply two training algorithms, the k-nearest neighbour algorithm and naive Bayes, on two corpora of security log messages.
international conference on emerging security information, systems and technologies | 2007
Jacques Saraydaryan; Véronique Legrand; Stéphane Ubéda
The growth of behavioral intrusion detection solutions raises a new issue. The update of normal references is necessary and determines the flexibility and accuracy of the detection. This paper describes a decision block function used to update a behavioral intrusion detection method. Based on a risk analysis and support vector machines, our approach completes the behavioral anomaly detection using Bayesian modeling based on a global vision of the system approach.
Archive | 2003
Véronique Legrand; D. Hooshmand; Stéphane Ubéda
7ème Conférence Internationale sur les NOuvelles TEchnologies de la REpartition | 2007
Jacques Saraydaryan; Véronique Legrand; Stéphane Ubéda