3 research outputs found

    Expression and deployment of reaction policies

    No full text
    Current prevention techniques provide restrictive responses that may take a local reaction in a limited information system infrastructure. In this paper, an in-depth and comprehensive approach is introduced for responding to intrusions in an efficient way. This approach considers not only the threat and the architecture of the monitored information system, but also the security policy. The proposed reaction workflow links the lowest level of the information system corresponding to intrusion detection mechanisms, including misuse and anomaly techniques, and access control techniques with the higher level of the security policy. This reaction workflow evaluates the intrusion alerts at three different levels; it then reacts against threats with appropriate countermeasures in each level accordingly.

    Formal framework to specify and deploy reaction policies

    No full text
    Nowadays, intrusion detection systems are able to react to the attacks rather than only raising alerts. Unfortunately, current prevention techniques provide restrictive responses that may take a local reaction in a limited information system infrastructure. In this chapter, we introduce a new comprehensive and efficient approach for responding to intrusions. This approach considers not only the threat and the architecture of the monitored information system, but also the security policy which formally specifies security requirements that are activated when an intrusion is detected. In particular, some of the security policy rules are obligations that can be enforced as countermeasures. The proposed reaction workflow links the lowest level of the information system corresponding to intrusion detection mechanisms, including misuse and anomaly techniques, and access control techniques with the higher level of the security policy. This reaction workflow evaluates the intrusion alerts at three different levels; it then reacts against threats with appropriate countermeasures in each level accordingly.

    Formal framework to specify and deploy reaction policies

    No full text
    Nowadays, intrusion detection systems are able to react to the attacks rather than only raising alerts. Unfortunately, current prevention techniques provide restrictive responses that may take a local reaction in a limited information system infrastructure. In this chapter, we introduce a new comprehensive and efficient approach for responding to intrusions. This approach considers not only the threat and the architecture of the monitored information system, but also the security policy which formally specifies security requirements that are activated when an intrusion is detected. In particular, some of the security policy rules are obligations that can be enforced as countermeasures. The proposed reaction workflow links the lowest level of the information system corresponding to intrusion detection mechanisms, including misuse and anomaly techniques, and access control techniques with the higher level of the security policy. This reaction workflow evaluates the intrusion alerts at three different levels; it then reacts against threats with appropriate countermeasures in each level accordingly.