
Utilisation de la corrélation pondérée dans un processus de détection d’intrusions

On the use of weighted correlation in intrusion detection process

Published in: Annales des Télécommunications

Résumé (translated from the French)

In general an attacker must carry out several actions, organized into an intrusion scenario, in order to reach his objectives. We represent these actions by their preconditions and postconditions, which correspond to a set of logical predicates or negations of predicates. The precondition of an action represents the state the system must be in for the action to be executable. The postcondition corresponds to the effects of executing the action on the state of the system.

When an attacker begins an intrusion, we can deduce, from the observation of the alerts generated by the IDSs (Intrusion Detection Systems), several possible intrusion scenarios by correlating the actions. However, we cannot determine which is the most plausible scenario within the set of generated scenarios without further analysis. In this article we propose to define an order relation over the set of generated scenarios by weighting the actions that make up an attack scenario.

Abstract

Generally, an intruder must perform several actions, organized in an intrusion scenario, to achieve his or her malicious objectives. Actions are modeled by their pre and post conditions, which are a set of logical predicates or negations of predicates. Pre conditions of an action correspond to conditions the system’s state must satisfy to perform the action. Post conditions correspond to the effects of executing the action on the system’s state.

When an intruder begins his intrusion, we can deduce, from the alerts generated by IDSs (Intrusion Detection Systems), several possible scenarios, by correlating attacks, that lead to multiple intrusion objectives. However, with no further analysis, we are not able to decide which are the most plausible ones among the possible scenarios. We propose in this paper to define an order over the possible scenarios by weighting the correlation relations between successive attacks composing the scenarios. These weights reflect to what level executing some action A is necessary to execute some action B. We will see that, to be satisfactory, the comparison operator between two scenarios must satisfy some properties.
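The following Python example illustrates the mechanism the abstract describes: attack steps modeled by precondition and postcondition predicate sets, candidate scenarios built from an alert stream by chaining a step's postconditions into the next step's preconditions, and the candidates ordered by weights placed on the correlation relations. It is an added example, not the paper's own code or model. The four-step action vocabulary, the weight values, and the leximin comparison used to order scenarios are assumptions made here for illustration; the paper's own comparison operator and its properties are not given in the abstract.

```python
"""Toy weighted alert correlation (added example, not the paper's code).
Action vocabulary, weights and the leximin ordering are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Action:
    """An attack step described, as in the abstract, by predicate sets.
    A negated predicate is written with a leading 'not ' (e.g. 'not stealthy')."""
    name: str
    pre: FrozenSet[str]   # state the system must be in to execute the step
    post: FrozenSet[str]  # effects of the step on the system state


# Constructed vocabulary of four hypothetical steps (not taken from the paper).
ACTIONS: Dict[str, Action] = {
    "scan": Action("scan",
                   frozenset({"reachable(host)"}),
                   frozenset({"knows_services(host)"})),
    "exploit_ftp": Action("exploit_ftp",
                          frozenset({"knows_services(host)", "vuln(host, ftp)"}),
                          frozenset({"shell(host)"})),
    "bruteforce_ssh": Action("bruteforce_ssh",
                             frozenset({"knows_services(host)"}),
                             frozenset({"shell(host)", "not stealthy"})),
    "exfil": Action("exfil",
                    frozenset({"shell(host)"}),
                    frozenset({"data_leaked(host)"})),
}

# Assumed weights on correlation relations (a, b): how necessary executing a is
# for executing b, on a 0..1 scale. The values are constructed for the example.
WEIGHTS: Dict[Tuple[str, str], float] = {
    ("scan", "exploit_ftp"): 0.9,
    ("scan", "bruteforce_ssh"): 0.6,
    ("exploit_ftp", "exfil"): 0.8,
    ("bruteforce_ssh", "exfil"): 0.8,
}


def correlated(a: Action, b: Action) -> bool:
    """a can precede b when some postcondition of a is a precondition of b."""
    return bool(a.post & b.pre)


def build_scenarios(alerts: List[str], objective: str) -> List[Tuple[str, ...]]:
    """Enumerate candidate scenarios from an ordered alert stream: every chain of
    alerts (in stream order, intermediate alerts may be skipped) whose consecutive
    steps are correlated and whose last step produces the objective predicate."""
    found: List[Tuple[str, ...]] = []

    def extend(chain: List[str], idx: int) -> None:
        last = ACTIONS[chain[-1]]
        if objective in last.post:
            found.append(tuple(chain))
        for j in range(idx + 1, len(alerts)):
            if correlated(last, ACTIONS[alerts[j]]):
                extend(chain + [alerts[j]], j)

    for i, name in enumerate(alerts):
        extend([name], i)
    return found


def rank_key(scenario: Tuple[str, ...]) -> Tuple[float, ...]:
    """Leximin key (an assumed order, not necessarily the paper's): the relation
    weights sorted ascending, so two scenarios are compared on their weakest link
    first; a key that is a proper prefix of another ranks below it."""
    pairs = zip(scenario, scenario[1:])
    return tuple(sorted(WEIGHTS.get(p, 0.0) for p in pairs))


def order_scenarios(alerts: List[str], objective: str) -> List[Tuple[str, ...]]:
    """Candidate scenarios, most plausible first under the leximin order."""
    return sorted(build_scenarios(alerts, objective), key=rank_key, reverse=True)


if __name__ == "__main__":
    # Constructed alert stream, in the order the IDS reported the alerts.
    stream = ["scan", "bruteforce_ssh", "exploit_ftp", "exfil"]
    for s in order_scenarios(stream, "data_leaked(host)"):
        print(rank_key(s), " -> ".join(s))
```

On the constructed stream the correlation step yields five candidate scenarios ending in data exfiltration; the leximin order places scan -> exploit_ftp -> exfil first because its weakest relation (0.8) is at least as strong as every competitor's and it explains more alerts than the two-step chains. A single-alert scenario has no relations and ranks last, which is the kind of behaviour one would check when choosing a comparison operator.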




Correspondence to Fabien Autrel.


Cite this article

Autrel, F., Benferhat, S. & Cuppens, F. Utilisation de la corrélation pondérée dans un processus de détection d’intrusions. Ann. Télécommun. 59, 1072–1091 (2004). https://doi.org/10.1007/BF03179711
