Authors: Nora Cuppens-Boulahia, Frederic Cuppens, Fabien Autrel, Herve Debar
Addresses: Institut TELECOM/TELECOM Bretagne, 2 rue de la chataigneraie, F-35576 Cesson Sevigne, France. ' Institut TELECOM/TELECOM Bretagne, 2 rue de la chataigneraie, F-35576 Cesson Sevigne, France. ' Institut TELECOM/TELECOM Bretagne, 2 rue de la chataigneraie, F-35576 Cesson Sevigne, France. ' Institut TELECOM/Telecom SudParis, 9 rue Charles Fourier, F-91011 Evry Cedex, France
Abstract: Intrusion detection requirements enforced by Intrusions Detection Systems (IDSs) are generally considered independently from the remainder of the security policy. Our approach is to consider that intrusion detection requirements are actually a part of the access control policy. This provides means to formally specify in a reaction policy what should happen in case of intrusion. It is then possible to integrate these requirements into a deploying process in order to automatically configure security components. In this paper, we propose a contextual and ontology-based approach to express and instantiate this reaction policy. We then define a reaction process based on the concepts of dynamic threat organisation and threat contexts and a set of rules used to map alerts onto threat contexts to perform the instantiation of the policy-based reaction in response to the detected intrusion.
Keywords: IDS; intrusions detection systems; attack reaction; policy instantiation; ontology; OrBAC; organisation based access control; network attacks; access control policy; threat organisation; threat context.
International Journal of Information and Computer Security, 2009 Vol.3 No.3/4, pp.280 - 305
Published online: 18 Jan 2010 *Full-text access for editors Access for subscribers Purchase this article Comment on this article