Publication


Featured research papers published by Wael Kanoun.


Conference on Risks and Security of Internet and Systems | 2008

Automated reaction based on risk analysis and attackers skills in intrusion detection systems

Wael Kanoun; Nora Cuppens-Boulahia; Frédéric Cuppens; José Araujo

Nowadays, intrusion detection systems do not only aim to detect attacks; they go beyond this by providing reaction mechanisms to cope with detected attacks, or at least to reduce their effects. Previous research works have proposed several methods to automatically select possible countermeasures capable of ending the detected attack, but without taking their side effects into account. In fact, countermeasures can be as harmful as the detected attack. Moreover, the selected countermeasures are sometimes not adapted to the attacker's actions and/or knowledge. In this paper, we propose to make the reaction selection process intelligent by giving means to (i) quantify the effectiveness and select the countermeasure that has the minimum negative side effect on the information system by adopting a risk assessment and analysis approach, and (ii) assess the skill and knowledge level of the attacker from a defensive point of view.


Network and System Security | 2010

Risk-Aware Framework for Activating and Deactivating Policy-Based Response

Wael Kanoun; Nora Cuppens-Boulahia; Frédéric Cuppens; Samuel Dubus

With the growth of modern systems and infrastructures, automated and intelligent response systems have become the holy grail of the security community. An interesting approach proposes to use dynamic access control policies to specify response policies for such systems. These policies should be enforced when an ongoing attack that threatens the monitored system is detected. However, existing works do not present a clear methodology to specify the response policies. In particular, the deactivation issue has not yet been tackled. In this paper, we first present how to specify response policies. Second, a risk-aware framework is proposed to activate and deactivate response policies. Hence, the success likelihood of the threat and the cumulative impact of both the threat and the response are all considered.


Critical Information Infrastructures Security | 2007

Advanced reaction using risk assessment in intrusion detection systems

Wael Kanoun; Nora Cuppens-Boulahia; Frédéric Cuppens; Fabien Autrel

Current intrusion detection systems go beyond the detection of attacks and provide reaction mechanisms to cope with detected attacks or at least reduce their effect. Previous research works have proposed methods to automatically select possible countermeasures capable of ending the detected attack. However, countermeasures have side effects and can be as harmful as the detected attack. In this paper, we propose to improve the reaction selection process by giving means to quantify the effectiveness and select the countermeasure that has the minimum negative side effect on the information system. To achieve this goal, we adopt a risk assessment and analysis approach.


CSS | 2013

Situation Calculus and Graph Based Defensive Modeling of Simultaneous Attacks

Layal Samarji; Frédéric Cuppens; Nora Cuppens-Boulahia; Wael Kanoun; Samuel Dubus

Recent attacks are better coordinated, difficult to discover, and inflict severe damage on networks. However, existing response systems handle only the case of a single ongoing attack. This limitation is due to the lack of an appropriate model that describes coordinated attacks. In this paper, we address this limitation by presenting a new formal description of individual, coordinated, and concurrent attacks. Afterwards, we combine graph theory and our attack description in order to model attack graphs that cover the three attack types. Finally, we show how to automatically generate these attack graphs using a logical approach based on Situation Calculus.


Signal-Image Technology and Internet-Based Systems | 2008

Expression and Deployment of Reaction Policies

Frédéric Cuppens; Nora Cuppens-Boulahia; Yacine Bouzida; Wael Kanoun; Aurélien Croissant

Current prevention techniques provide restrictive responses that may take a local reaction in a limited information system infrastructure. In this paper, an in-depth and comprehensive approach is introduced for responding to intrusions in an efficient way. This approach considers not only the threat and the architecture of the monitored information system, but also the security policy. The proposed reaction workflow links the lowest level of the information system, corresponding to intrusion detection mechanisms (including misuse and anomaly techniques) and access control techniques, with the higher level of the security policy. This reaction workflow evaluates the intrusion alerts at three different levels; it then reacts against threats with appropriate countermeasures at each level accordingly.


Bell Labs Technical Journal | 2012

Towards dynamic risk management: Success likelihood of ongoing attacks

Wael Kanoun; Samuel Dubus; Serge Papillon; Nora Cuppens-Boulahia; Frédéric Cuppens

The proliferation of sophisticated cyberattacks, coupled with the steady growth of information and communication technology (ICT) systems in size and complexity, provides motivation for continuous improvements in security management. For day-to-day operation, security officers and administrators need an effective response (or decision aid) system to handle ongoing cyberattacks. Effective countermeasures must minimize the risks induced by these attacks, noting that the risk is evaluated as a function of the success likelihood and the impact of an attack. In this paper, we demonstrate how to dynamically calculate the success likelihood (SL) for an ongoing attack by considering the progress of an attacker towards his objective. Afterwards, we present a response/decision aid system based on the SL metric. Finally, we present the Success Likelihood Assessment Module (SLAM), which implements and highlights the relevance of our work for real time security management. This paper focuses on the operational aspects of a security by design approach.


Information Assurance and Security | 2010

Intelligent response system to mitigate the success likelihood of ongoing attacks

Wael Kanoun; Nora Cuppens-Boulahia; Frédéric Cuppens; Samuel Dubus; Antony Martin

Intrusion response models and systems have recently been an active field in security research. These systems rely on a fine diagnosis to perform and optimize their response. In particular, previous papers focus on balancing the cost of the response with the impact of the attack. In this paper, we present a novel attack response system based on the assessment of the likelihood of success of attack objectives. First, the ongoing potential attacks are identified, and their success likelihood is calculated dynamically. The success likelihood depends mainly on the progress of the attack and the state of the monitored system. Second, candidate countermeasures are identified, and their effectiveness in reducing the pre-calculated success likelihood is assessed. Finally, the candidate countermeasures are prioritized.


DPM/SETOP | 2012

Towards a Temporal Response Taxonomy

Wael Kanoun; Layal Samarji; Nora Cuppens-Boulahia; Samuel Dubus; Frédéric Cuppens

Response systems play a growing role in modern security architectures. In order to select the most effective countermeasure, they adopt a dynamic and situation-aware approach. However, today's response systems are limited to the selection procedure. In other words, the follow-up and deactivation phases are still performed manually. Consequently, existing response taxonomies fail to provide an appropriate set of requirements that covers the deactivation feature. In this paper, we tackle this issue by proposing a formal temporal taxonomy for response measures. Furthermore, we present an application of our work in the context of simultaneous attacks. This work provides a first step towards the deactivation and transactional management of response measures.


Archive | 2010

A Formal Framework to Specify and Deploy Reaction Policies

Frédéric Cuppens; Nora Cuppens-Boulahia; Wael Kanoun; Aurélien Croissant

Nowadays, intrusion detection systems are able to react to attacks rather than only raising alerts. Unfortunately, current prevention techniques provide restrictive responses that may take a local reaction in a limited information system infrastructure. In this chapter, we introduce a new comprehensive and efficient approach for responding to intrusions. This approach considers not only the threat and the architecture of the monitored information system, but also the security policy, which formally specifies security requirements that are activated when an intrusion is detected. In particular, some of the security policy rules are obligations that can be enforced as countermeasures. The proposed reaction workflow links the lowest level of the information system, corresponding to intrusion detection mechanisms (including misuse and anomaly techniques) and access control techniques, with the higher level of the security policy. This reaction workflow evaluates the intrusion alerts at three different levels; it then reacts against threats with appropriate countermeasures at each level accordingly.


Signal-Image Technology and Internet-Based Systems | 2015

Elementary Risks: Bridging Operational and Strategic Security Realms

Wael Kanoun; Serge Papillon; Samuel Dubus

Risk management is widely used in order to evaluate and treat prominent risks for organizations. Such models are organizational (business-aware) rather than technical, and enable security officers to manage risks in the long run. However, both ICT systems and the threat landscape do not cease to evolve, and dynamic cyber security management becomes paramount to address potential breaches. Operational security management is based on technical processes, executed by administrators who are not necessarily aware of the organization's business and strategic aspects. This gap between the technical and organizational levels renders traditional risk assessment methods cumbersome and obsolete. In this paper, we propose a novel concept of Elementary Risk (ER) that represents a quantum of risk for an organization. Composite Risks (CRs) are then calculated and presented to the security officer. CR enables dynamic calculation of the organizational risk posture while considering the system's state. Moreover, ER and CR enable capturing the contribution of technical elements (e.g. a vulnerability, a server) or security measures (e.g. a patch, a firewall rule) to the overall risk profile of the organization.

Collaboration

Top Co-Authors

Léa El Samarji, École nationale supérieure des télécommunications de Bretagne