An ontology-based approach to react to network attacks

Nora Cuppens-Boulahia; Frédéric Cuppens; Fabien Autrel; Hervé Debar

doi:10.1504/IJICS.2009.031041

An ontology-based approach to react to network attacks

Nora Cuppens-Boulahia
, Frédéric Cuppens
, Fabien Autrel
, Hervé Debar

Research output: Contribution to journal › Article › peer-review

Abstract

Intrusion detection requirements enforced by Intrusions Detection Systems (IDSs) are generally considered independently from the remainder of the security policy. Our approach is to consider that intrusion detection requirements are actually a part of the access control policy. This provides means to formally specify in a reaction policy what should happen in case of intrusion. It is then possible to integrate these requirements into a deploying process in order to automatically configure security components. In this paper, we propose a contextual and ontology-based approach to express and instantiate this reaction policy. We then define a reaction process based on the concepts of dynamic threat organisation and threat contexts and a set of rules used to map alerts onto threat contexts to perform the instantiation of the policy-based reaction in response to the detected intrusion.

Original language	English
Pages (from-to)	280-305
Number of pages	26
Journal	International Journal of Information and Computer Security
Volume	3
Issue number	3-4
DOIs	https://doi.org/10.1504/IJICS.2009.031041
Publication status	Published - 1 Jan 2009

Keywords

Attack reaction
IDS
Intrusions detection systems
Ontology
OrBAC
Organisation based access controlled
Policy instantiation

Access to Document

10.1504/IJICS.2009.031041

Cite this

@article{f5c04f16b8a84855a4bf7d0f4a39f864,

title = "An ontology-based approach to react to network attacks",

abstract = "Intrusion detection requirements enforced by Intrusions Detection Systems (IDSs) are generally considered independently from the remainder of the security policy. Our approach is to consider that intrusion detection requirements are actually a part of the access control policy. This provides means to formally specify in a reaction policy what should happen in case of intrusion. It is then possible to integrate these requirements into a deploying process in order to automatically configure security components. In this paper, we propose a contextual and ontology-based approach to express and instantiate this reaction policy. We then define a reaction process based on the concepts of dynamic threat organisation and threat contexts and a set of rules used to map alerts onto threat contexts to perform the instantiation of the policy-based reaction in response to the detected intrusion.",

keywords = "Attack reaction, IDS, Intrusions detection systems, Ontology, OrBAC, Organisation based access controlled, Policy instantiation",

author = "Nora Cuppens-Boulahia and Fr{\'e}d{\'e}ric Cuppens and Fabien Autrel and Herv{\'e} Debar",

year = "2009",

month = jan,

day = "1",

doi = "10.1504/IJICS.2009.031041",

language = "English",

volume = "3",

pages = "280--305",

journal = "International Journal of Information and Computer Security",

issn = "1744-1765",

number = "3-4",

}

TY - JOUR

T1 - An ontology-based approach to react to network attacks

AU - Cuppens-Boulahia, Nora

AU - Cuppens, Frédéric

AU - Autrel, Fabien

AU - Debar, Hervé

PY - 2009/1/1

Y1 - 2009/1/1

N2 - Intrusion detection requirements enforced by Intrusions Detection Systems (IDSs) are generally considered independently from the remainder of the security policy. Our approach is to consider that intrusion detection requirements are actually a part of the access control policy. This provides means to formally specify in a reaction policy what should happen in case of intrusion. It is then possible to integrate these requirements into a deploying process in order to automatically configure security components. In this paper, we propose a contextual and ontology-based approach to express and instantiate this reaction policy. We then define a reaction process based on the concepts of dynamic threat organisation and threat contexts and a set of rules used to map alerts onto threat contexts to perform the instantiation of the policy-based reaction in response to the detected intrusion.

AB - Intrusion detection requirements enforced by Intrusions Detection Systems (IDSs) are generally considered independently from the remainder of the security policy. Our approach is to consider that intrusion detection requirements are actually a part of the access control policy. This provides means to formally specify in a reaction policy what should happen in case of intrusion. It is then possible to integrate these requirements into a deploying process in order to automatically configure security components. In this paper, we propose a contextual and ontology-based approach to express and instantiate this reaction policy. We then define a reaction process based on the concepts of dynamic threat organisation and threat contexts and a set of rules used to map alerts onto threat contexts to perform the instantiation of the policy-based reaction in response to the detected intrusion.

KW - Attack reaction

KW - IDS

KW - Intrusions detection systems

KW - Ontology

KW - OrBAC

KW - Organisation based access controlled

KW - Policy instantiation

U2 - 10.1504/IJICS.2009.031041

DO - 10.1504/IJICS.2009.031041

M3 - Article

AN - SCOPUS:77149168757

SN - 1744-1765

VL - 3

SP - 280

EP - 305

JO - International Journal of Information and Computer Security

JF - International Journal of Information and Computer Security

IS - 3-4

ER -

An ontology-based approach to react to network attacks

Abstract

Keywords

Access to Document

Fingerprint

Cite this