4 research outputs found

    Intrusion Detection and Prevention: Overview and Limitations

    This research report aims to provide (i) a general presentation of the techniques and families of intrusion detection and prevention, and (ii) a relevant description of the technological limitations of each of the solutions presented. The results of this research (limitations and features of the tools discussed) are drawn both from a scrupulous analysis of the recent specialized literature and from feedback from system administrators.

    An approach towards anomaly based detection and profiling covert TCP/IP channels

    Firewalls and detection systems have been used for preventing and detecting attacks by a wide variety of mechanisms. A problem has arisen where users and applications can circumvent security policies because of the particularities in the TCP/IP protocol, the ability to obfuscate the data payload, tunnel protocols, and covertly simulate a permitted communication. It has been shown that unusual traffic patterns may lead to discovery of covert channels that employ packet headers. In addition, covert channels can be detected by observing an anomaly in unused packet header fields. Presently, we are not aware of any schemes that address detecting anomalous traffic patterns that can potentially be created by a covert channel. In this work, we will explore the approach of combining anomaly-based detection and covert channel profiling to be used for detecting a very precise subset of covert storage channels in network protocols. We shall also discuss why this method is more practical and industry-ready compared to the present research on how to profile and mitigate these types of attacks. Finally, we shall describe a specialized tool to passively monitor networks for these types of attacks and show how it can be used to build an efficient hybrid covert channel and anomaly-based detection system.

    An Improved Reference Flow Control Model for Policy-Based Intrusion Detection

    In this paper, we describe a novel approach to policy-based intrusion detection. The model we propose checks the legality of information flows between objects in the system, according to an existing security policy specification. These flows are generated by executed system operations. Illegal flows, i.e., flows not authorized by the security policy, are signaled and considered as intrusion symptoms. This model is able to detect a large class of attacks, referred to as "attacks by delegation" in this paper. Since the approach focuses on attack effects instead of attack scenarios, unknown attacks by delegation can be detected. Keywords: policy-based intrusion detection, information flow control, access control.