TY - CHAP
T1 - Response
T2 - Bridging the link between intrusion detection alerts and security policies
AU - Debar, Hervé
AU - Thomas, Yohann
AU - Cuppens, Frédéric
AU - Cuppens-Boulahia, Nora
PY - 2008/12/1
Y1 - 2008/12/1
N2 - With the deployment of intrusion detection systems has come the question of alert usage. The current trend of intrusion prevention systems provides mechanisms for isolated response, suffering from two important drawbacks. First, the response is applied on a single point of the information system. Second, its application is repeated every time an alert condition is raised. Both drawbacks result in a suboptimal response system, where security is improved at these particular network or host access control points, but where service dependencies are not taken into account. In this paper, we examine a new mechanism for adapting the security policy of an information system according to the threat it receives, and hence its behaviour and the services it offers. This mechanism takes into account not only threats, but also legal constraints and other objectives of the organization operating this information system, taking into account multiple security objectives and providing several trade-off options between security objectives, performance objectives, and other operational constraints. The proposed mechanism bridges the gap between preventive security technologies and intrusion detection, and builds upon existing technologies to facilitate formalization on one hand, and deployment on the other hand.
UR - https://www.scopus.com/pages/publications/84882786692
U2 - 10.1007/978-0-387-77265-3_6
DO - 10.1007/978-0-387-77265-3_6
M3 - Chapter
AN - SCOPUS:84882786692
SN - 9780387772653
T3 - Advances in Information Security
SP - 129
EP - 170
BT - Intrusion Detection Systems
A2 - Di Pietro, Roberto
A2 - Mancini, Luigi
ER -