
CRIM: un module de corrélation d’alertes et de réaction aux attaques

CRIM: An alert correlation and reaction module

Published in: Annales des Télécommunications

Abstract (French résumé, translated)

With the growing need to protect information systems, intrusion detection is an interesting but still very imperfect approach. There are currently two main approaches to intrusion detection: the behaviour-based approach and the scenario-detection approach. Neither of these approaches is fully satisfactory. They often generate too many false positives, and the alerts are too elementary and insufficiently precise to be directly usable by a security administrator. An interesting approach is to develop a cooperation module that analyses and correlates alerts, produces a more global and synthetic diagnosis, and helps the security administrator choose a counter-measure suited to the detected attack. This article presents the work we have carried out in this context to design the CRIM module (Coopération de Reconnaissance d'Intentions Malveillantes).

Abstract

With the growing need for protection of information systems, the intrusion detection approach is interesting but still imperfect. At the moment two main approaches exist: the behaviour-based approach and the scenario detection approach. Neither of these two approaches is fully satisfactory. They often generate too many false positives, and the generated alerts are generally too elementary and imprecise to be efficiently processed by a system administrator. An interesting approach consists in developing a cooperation module to analyze and correlate alerts, to generate a more global and synthetic diagnosis, and to help the system administrator choose the best counter-measure given a detected attack. This article presents the work we have achieved in this context to create the CRIM module (Cooperation and Recognition of Malevolent Intentions).
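The abstract describes two things a cooperation module does with elementary IDS alerts: fuse the many near-duplicate alerts that several sensors raise for one event, and chain the fused alerts into a multi-step scenario so the administrator gets one synthetic diagnosis instead of a flood. The following is an added illustration of both steps, not the CRIM module's own code: the alert fields, the similarity criterion (same classification, source and target within a time window), the pre/post-condition step models in `STEP_MODELS` and the sample alerts are all constructed for this example.

```python
"""Toy alert fusion and scenario correlation (added illustration, not CRIM code)."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    """One elementary IDS alert (fields loosely modelled on IDMEF; constructed)."""
    ts: float            # seconds since an arbitrary epoch
    sensor: str
    classification: str
    source: str
    target: str


@dataclass
class FusedAlert:
    """Several similar alerts merged into one, keeping sensor provenance."""
    classification: str
    source: str
    target: str
    first_ts: float
    last_ts: float
    sensors: set = field(default_factory=set)
    count: int = 0


def fuse_alerts(alerts, window=5.0):
    """Merge alerts with the same classification/source/target that arrive
    within `window` seconds of the previous one (assumed similarity rule)."""
    fused = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for f in fused:
            if (f.classification, f.source, f.target) == (a.classification, a.source, a.target) \
                    and a.ts - f.last_ts <= window:
                f.last_ts = a.ts
                f.sensors.add(a.sensor)
                f.count += 1
                break
        else:
            fused.append(FusedAlert(a.classification, a.source, a.target,
                                    a.ts, a.ts, {a.sensor}, 1))
    return fused


# Hypothetical attack-step models: each step needs some facts (pre) and
# establishes others (post). Step names and facts are constructed.
STEP_MODELS = {
    "portscan":        {"pre": set(),              "post": {"knows_services"}},
    "exploit_ftp":     {"pre": {"knows_services"}, "post": {"shell_access"}},
    "rootkit_install": {"pre": {"shell_access"},   "post": {"persistence"}},
}


def correlate_scenarios(fused):
    """Chain fused alerts between the same source and target when the facts
    established so far cover the next step's pre-conditions."""
    scenarios = []
    for f in sorted(fused, key=lambda x: x.first_ts):
        model = STEP_MODELS.get(f.classification)
        if model is None:
            continue  # unknown step type: nothing to chain it with
        for s in scenarios:
            if (s["source"], s["target"]) == (f.source, f.target) \
                    and model["pre"] <= s["state"] and f.first_ts >= s["last_ts"]:
                s["steps"].append(f.classification)
                s["state"] |= model["post"]
                s["last_ts"] = f.last_ts
                break
        else:
            scenarios.append({"source": f.source, "target": f.target,
                              "steps": [f.classification],
                              "state": set(model["post"]),
                              "last_ts": f.last_ts})
    return scenarios


def diagnose(alerts):
    """Return one synthetic line per scenario, most advanced scenario first."""
    scenarios = correlate_scenarios(fuse_alerts(alerts))
    scenarios.sort(key=lambda s: len(s["steps"]), reverse=True)
    return [f"{s['source']} -> {s['target']}: " + " > ".join(s["steps"])
            + f" (reached: {', '.join(sorted(s['state']))})" for s in scenarios]


# Constructed sample: two sensors report the same scan, then a chain on one host,
# plus an unrelated scan elsewhere.
SAMPLE_ALERTS = [
    Alert(0.0,  "snort-dmz",  "portscan",        "10.0.0.5", "10.0.0.20"),
    Alert(1.0,  "snort-core", "portscan",        "10.0.0.5", "10.0.0.20"),
    Alert(2.0,  "snort-dmz",  "portscan",        "10.0.0.9", "10.0.0.21"),
    Alert(30.0, "snort-dmz",  "exploit_ftp",     "10.0.0.5", "10.0.0.20"),
    Alert(60.0, "hids-20",    "rootkit_install", "10.0.0.5", "10.0.0.20"),
]

if __name__ == "__main__":
    for line in diagnose(SAMPLE_ALERTS):
        print(line)
```

Five raw alerts collapse to four fused alerts and then to two scenarios; the one that has progressed furthest (scan, exploit, rootkit against 10.0.0.20) is reported first, which is the kind of prioritised, global view the abstract argues an administrator needs before choosing a counter-measure.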




Cite this article

Autrel, F., Cuppens, F. CRIM: un module de corrélation d’alertes et de réaction aux attaques. Ann. Télécommun. 61, 1172–1192 (2006). https://doi.org/10.1007/BF03219887
