État académique
Thèse soutenue le 2015-04-30
Sujet: Application of visual analytics techniques for network traces analysis and alert correlation
Direction de thèse:
Ellipse bleue: doctorant, ellipse jaune: docteur, rectangle vert: permanent, rectangle jaune: HDR. Trait vert: encadrant de thèse, trait bleu: directeur de thèse, pointillé: jury d'évaluation à mi-parcours ou jury de thèse.
Productions scientifiques
Limitation of Honeypot/Honeynet Databases to Enhance Alert Correlation
In SIEM environments, security analysts process massive amount of alerts often imprecise. Alert correlation has been designed to efficiently analyze this large volume of alerts. However, a major limitation of existing correlation techniques is that they focus on the local knowledge of alerts and ignore the global view of the threat landscape. In this paper, we introduce an alert enrichment strategy that aims at improving the local domain knowledge about the event with relevant global information about the threat in order to enhance the security event correlation process. Today, the most prominent sources of information about the global threat landscape are the large honeypot/honeynet infrastructures which allow us to gather more in-depth insights on the modus operandi of attackers by looking at the threat dynamics. In this paper, we explore four honeypot databases that collect information about malware propagation and security information about web-based server profile. We evaluate the use of these databases to correlate local alerts with global knowledge. Our experiments show that the information stored in current honeypot databases suffers from several limitations related to: the interaction level of honeypots that influences their coverage and their analysis of the attacker's activities, collection of raw data which may include imprecise or voluminous information, the lack of standardization in the information representation which hinder cross-references between different databases, the lack of documentation describing the available information.
International Conference Mathematical Methods, Models and Architectures for Computer Network Securityarticle in peer-reviewed journal 2012-10
Service Dependencies-Aware Policy Enforcement Framework Based on Hierarchical Colored Petri Net
As computer and network security threats become more sophisticated and the number of service dependencies is increasing, optimal response decision is becoming a challenging task for security administrators. They should deploy and implement proper network security policy enforcement mechanisms in order to apply the appropriate countermeasures and defense strategy. In this paper, we propose a novel modeling framework which considers the service dependencies while identifying and selecting the appropriate Policy Enforcement Points during an intrusion response process. First, we present the security implications of the service dependencies that have been developed in the literature. Second, we give an overview of Colored Petri Nets (CPN) and Hierarchical CPN (HCPN) and its application on network security. Third, we specify our Service Dependencies-aware Policy Enforcement Framework which is based on the application of HCPN. Finally and to illustrate the advantage of our approach, we present a webmail application use case with the integration of different Policy Enforcement Points.
International Symposium on Security in Computing and Communications Security in Computing and Communicationsarticle in peer-reviewed journal 2013-08-24
Thèse: Correlation d'alertes un outil plus efficace d'aide a la decision pour repondre aux intrusions
Soutenance: 2015-04-30
Rapporteurs: Isabelle CHRISMENT    Eric TOTEL