93 research outputs found

    Defining categories to select representative attack test-cases

    7 pages. Rapport LAAS-CNRS. To ameliorate the quality of protection provided by intrusion detection systems (IDS) we strongly need more effective evaluation and testing procedures. Evaluating an IDS against all known and unknown attacks is probably impossible. Nevertheless, a sensible selection of representative attacks is necessary to obtain an unbiased evaluation of such systems. To help in this selection, this paper suggests applying the same approach as in software testing: to overcome the problem of an unmanageably large set of possible inputs, software testers usually divide the data input domain into categories (or equivalence classes), and select representative instances from each category as test cases. We believe that the same principle could be applied to IDS testing if we have a reasonable classification. In this paper we make a thorough analysis of existing attack classifications in order to determine whether they could be helpful in selecting attack test cases. Based on our analysis, we construct a new scheme to classify attacks relying on those attributes that appear to be the best classification criteria. The proposed classification is mainly intended to be used for testing and evaluating IDS although it can be used for other purposes such as incident handling and intrusion reporting. We also apply the Classification Tree Method (CTM) to select attack test cases. As far as we know, this is the first time that this method is applied for this purpose.

    PolyOrBAC: a security framework for critical infrastructures

    International audience. Due to physical and logical vulnerabilities, a critical infrastructure (CI) can encounter failures of various degrees of severity, and since there are many interdependencies between CIs, simple failures can have dramatic consequences on the users. In this paper, we mainly focus on malicious threats that might affect the information and communication system that controls the Critical Infrastructure, i.e., the Critical Information Infrastructure (CII). To address the security challenges that are specific of CIIs, we propose a collaborative access control framework called PolyOrBAC. This approach offers each organization taking part in the CII the capacity of collaborating with the other ones, while maintaining a control on its resources and on its internal security policy. The interactions between organizations participating in the CII are implemented through web services (WS), and for each WS a contract is signed between the service-provider organization and the service-user organization. The contract describes the WS functions and parameters, the liability of each party and the security rules controlling the interactions. At runtime, the compliance of all interactions with these security rules is checked. Every deviation from the signed contracts triggers an alarm, the concerned parties are notified and audits can be used as evidence for sanctioning the party responsible for the deviation. Our approach is illustrated by a practical scenario, based on real emergency actions in an electric power grid infrastructure, and a simulation test bed has been implemented to animate this scenario and experiment with its security issues.

    Architecture, Services and Protocols for CRUTIAL

    This document describes the complete specification of the architecture, services and protocols of the project CRUTIAL. The CRUTIAL Architecture intends to reply to a grand challenge of computer science and control engineering: how to achieve resilience of critical information infrastructures (CII), in particular in the electrical sector. In general lines, the document starts by presenting the main architectural options and components of the architecture, with a special emphasis on a protection device called the CRUTIAL Information Switch (CIS). Given the various criticality levels of the equipments that have to be protected, and the cost of using a replicated device, we define a hierarchy of CIS designs incrementally more resilient. The different CIS designs offer various trade offs in terms of capabilities to prevent and tolerate intrusions, both in the device itself and in the information infrastructure. The Middleware Services, APIs and Protocols chapter describes our approach to intrusion tolerant middleware. The CRUTIAL middleware comprises several building blocks that are organized on a set of layers. The Multipoint Network layer is the lowest layer of the middleware, and features an abstraction of basic communication services, such as provided by standard protocols, like IP, IPsec, UDP, TCP and SSL/TLS. The Communication Support layer features three important building blocks: the Randomized Intrusion-Tolerant Services (RITAS), the CIS Communication service and the Fosel service for mitigating DoS attacks. The Activity Support layer comprises the CIS Protection service, and the Access Control and Authorization service. The Access Control and Authorization service is implemented through PolyOrBAC, which defines the rules for information exchange and collaboration between sub-modules of the architecture, corresponding in fact to different facilities of the CII’s organizations. 
The Monitoring and Failure Detection layer contains a definition of the services devoted to monitoring and failure detection activities. The Runtime Support Services, APIs, and Protocols chapter features as a main component the Proactive-Reactive Recovery service, whose aim is to guarantee perpetual correct execution of any components it protects. Project co-funded by the European Commission within the Sixth Framework Programme (2002-2006

    Sécurité, protection de la vie privée et disponibilité (Security, privacy protection and availability)


    Internet security: an intrusion-tolerance approach

    The Internet has become essential to most enterprises and many private individuals. However, both the network and computer systems connected to it are still too vulnerable and attacks are becoming evermore frequent. To face this situation, traditional security techniques are insufficient and fault-tolerance techniques are becoming increasingly cost-effective. Nevertheless, intrusions are very special faults, and this has to be taken into account when selecting the fault-tolerance techniques. Keywords—Computer security, dependability, fault tolerance, Internet, intrusion tolerance.

    Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security

    This paper presents the results of an experiment of security evaluation. The evaluation method used is based on previous work involving modeling the system as a privilege graph exhibiting the security vulnerabilities and on the computation of measures representing the difficulty for a possible attacker to exploit these vulnerabilities and defeat the security objectives of the system. A set of tools has been developed to compute such measures and has been experimented to monitor a large real system during more than a year. The experiment results are presented and the validity of the measures is discussed. Finally, the practical usefulness of such tools for operational security monitoring is shown and a comparison with other existing approaches is given. 1 Introduction Security is an increasing worry for most computing system administrators: computing systems are more and more vital for most companies and organizations, while these systems are made more and more vulnerable by new user..

    The challenges raised by the privacy-preserving identity card

    International audience. A privacy-preserving identity card is a personal device that allows its owner to prove some binary statements about himself (such as his right of access to some resources or a property linked to his identity) while minimizing personal information leakage. After introducing the desirable properties that a privacy-preserving identity card should fulfill and describing two proposals of implementations, we discuss a taxonomy of threats against the card. Finally, we also propose for security and cryptography experts some novel challenges and research directions raised by the privacy-preserving identity card.

    Towards a Privacy-preserving National Identity Card

    20 pages. Extended version of an article by the same authors with the same title, presented at the 4th International Workshop on Data Privacy Management (DPM'09), Saint Malo (France), 24 September 2009, proceedings to be published by Springer in LNCS Series. International audience. In this paper, we propose to replace the national identity card, currently used in many countries, by a personal device that allows its user to prove some binary statements about himself while minimizing personal information leakage. The privacy of the user is protected through the use of anonymous credentials which allows him to prove binary statements about himself to another entity without having to disclose his identity or any unnecessary information. The proposed scheme also prevents the possibility of tracing the user, even if he proves several times the same statement (unlinkability property). A tamper-proof smartcard is used to store the personal information of the user thus protecting his privacy and preventing the risks of forgery at the same time. The user identifies himself to the card via biometrics thus forbidding an unauthorized use in the situation where the card is stolen or lost. Two practical implementations of the privacy-preserving identity card are described and discussed.