39 research outputs found

    Science Hackathons for Cyberphysical System Security Research: Putting CPS testbed platforms to good use

    A challenge is to develop cyber-physical system scenarios that reflect the diversity and complexity of real-life cyber-physical systems in the research questions they address. Time-bounded collaborative events, such as hackathons, jams and sprints, are increasingly used as a means of bringing groups of individuals together to explore challenges and develop solutions. This paper describes our experience of using a science hackathon to bring individual researchers together to develop a common use case, implemented on a shared CPS testbed platform, that embodies the diversity of their own security research questions. A qualitative study of the event was conducted to evaluate the success of the process, with a view to improving similar future events.

    Using an Intrusion Detection Alert Similarity Operator to Aggregate and Fuse Alerts

    An important problem in the field of intrusion detection is the management of alerts. Intrusion Detection Systems tend to produce a high number of alerts, most of them false positives. But producing a high number of alerts does not mean that the attack detection rate is high. To increase the detection rate, using multiple IDSs based on heterogeneous detection techniques is a solution, but in return it increases the number of alerts to process. Aggregating the alerts coming from multiple heterogeneous IDSs and fusing them is a necessary step before processing the content and meaning of the alerts. In this paper we propose to define a similarity operator that takes two IDMEF alerts and outputs a similarity value between 0 and 1. We then propose some algorithms to process the alerts in an on-line or off-line approach using this operator. The article ends with experiments made with the Nmap tool and th

    Fusion, weighted correlation and reaction in a cooperative intrusion detection environment

    Computer systems must satisfy certain properties such as confidentiality, integrity and availability. However, vulnerabilities exist that allow the security policy to be violated. The purpose of intrusion detection is to detect the exploitation of these vulnerabilities. The approach of making several intrusion detection probes cooperate improves the diagnosis provided. This thesis develops the notions of fusion, weighted correlation and reaction. Alert fusion groups redundant alerts in order to merge them. Weighted correlation identifies intrusion scenarios and selects the most plausible one. Reaction blocks an intrusion scenario that is in progress, or modifies the system state to eliminate a vulnerability or to compensate for the effects of an attack. Experimental results obtained on several intrusion scenarios, using a prototype implementing the notions developed, are presented.

    Reaction Policy Model Based on Dynamic Organizations and Threat Context

    The tasks a system administrator must fulfill become more and more complex as information systems increase in complexity and connectivity. More specifically, the problem of expressing and updating security requirements is central. Formal models designed to express security policies have proved necessary, since they provide non-ambiguous semantics with which to analyze them. However, models such as RBAC or OrBAC are not used to express reaction requirements, which specify the reaction policy to enforce when intrusions are detected. In this article we present an extension of the OrBAC model that defines dynamic organizations and threat contexts to enable the expression and enforcement of reaction requirements.
