Presentation by Nizar Kheir (TSP RST): Response policies and counter-measures: Management of service dependencies and intrusion and reaction impacts
Nowadays, intrusion response is challenged by both attack sophistication and the complexity of target systems. The Internet now makes it exceptionally easy for novice and skilled attackers alike to share resources and exploits. Simply detecting attacks, or responding to them locally, has therefore proven insufficient.
On the other hand, in order to keep pace with the growing demand for more interactive and dynamic services, information systems are becoming increasingly dependent on modular and interdependent service architectures.
As a consequence, intrusions and responses often have drastic effects, as their impacts spread through service dependencies. We argue in this thesis that service dependencies have multiple security implications.
In the context of intrusion response, service dependencies can be used to find the enforcement points capable of supporting a given response strategy. They can also be used to compute the impact of each candidate response, so that the least costly one is selected.
In a first attempt to realize the thesis objectives, we explore graph-based service dependency models. We represent intrusion and response impacts as security flows that propagate within a directed graph, and we introduce countermeasures as transformations of the dependency graph, which directly alter the impact flows triggered by an intrusion.
In a second step, we replace the analytic graph-based approach with a simulation-based approach using colored Petri nets. For this purpose we develop a new service dependency model that outperforms the initial graph-based models: it represents the access permissions that apply to service dependencies, and attacker permissions are also captured by interfacing the model with attack graphs.
We develop a simulation platform that tracks the propagation of intrusion impacts, response impacts, and the combined impacts of intrusion and response. We define a new response index, the return on response investment (RORI), which we evaluate for each response candidate in order to select the one with the maximal positive RORI.
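As an added example (not the thesis's own code or model), the following Python sketch illustrates the graph-based formulation of the first step together with the response-selection step: dependency edges carry a degree, an intrusion impact propagates as a flow to the services that depend on the compromised one, a countermeasure transforms the graph by cutting edges (which triggers its own availability flow against the dependents), and every candidate is scored on the combined impact. The service names, degrees, costs and candidate responses are all constructed, and the selection index is a simplified net return (impact avoided minus the response's own impact and operational cost), a stand-in for the RORI formula, which the abstract does not give.

```python
"""Service-dependency graph with impact flows and response selection.

Added illustration, not the thesis's code. Assumptions not taken from the
abstract: dependency edges carry a degree in [0, 1]; a loss at a service
flows to each dependent scaled by the degree; a response is a graph
transformation (cutting edges) plus any downtime it causes; the selection
index is a simplified net return standing in for the thesis's RORI.
"""
from collections import defaultdict

# Constructed sample graph: (dependent, antecedent) -> dependency degree.
EDGES = {
    ("web", "app"): 0.9,
    ("web", "dns"): 0.3,
    ("app", "db"): 1.0,
    ("reports", "db"): 0.5,
}

# Constructed cost of a full loss, per service and impact type.
COST = {
    "web": {"availability": 100, "integrity": 300},
    "app": {"availability": 40, "integrity": 80},
    "db": {"availability": 30, "integrity": 60},
    "dns": {"availability": 10, "integrity": 20},
    "reports": {"availability": 20, "integrity": 40},
}


def propagate(edges, origins):
    """Push a loss flow from its origins to dependents along the graph.

    origins: {service: loss in [0, 1]}. A dependent's loss is the largest
    (antecedent loss * degree) reaching it; cycles terminate because a
    degree never exceeds 1, so a loss can only shrink around a loop.
    """
    dependents = defaultdict(list)
    for (dep, ant), degree in edges.items():
        dependents[ant].append((dep, degree))
    loss = dict(origins)
    stack = list(origins)
    while stack:
        svc = stack.pop()
        for dep, degree in dependents[svc]:
            reached = loss[svc] * degree
            if reached > loss.get(dep, 0.0):
                loss[dep] = reached
                stack.append(dep)
    return loss


def impact(edges, flows):
    """Weighted business impact of typed flows, e.g.
    {"integrity": {"db": 1.0}, "availability": {"app": 1.0}}."""
    return sum(COST[svc][kind] * loss
               for kind, origins in flows.items()
               for svc, loss in propagate(edges, origins).items())


def apply_response(edges, response):
    """Transform the graph for a response and derive the flow it triggers.

    Cutting edge (dependent, antecedent) makes the antecedent unavailable
    to that dependent, i.e. an availability loss equal to the degree.
    """
    new_edges = dict(edges)
    downtime = dict(response.get("downtime", {}))
    for edge in response.get("cut", []):
        degree = new_edges.pop(edge)
        dep = edge[0]
        downtime[dep] = max(downtime.get(dep, 0.0), degree)
    return new_edges, ({"availability": downtime} if downtime else {})


def combined_impact(edges, intrusion, response):
    """Intrusion impact on the transformed graph plus the response's own impact."""
    new_edges, response_flows = apply_response(edges, response)
    remaining = {} if response.get("eradicates") else intrusion
    return impact(new_edges, remaining) + impact(new_edges, response_flows)


def net_return(edges, intrusion, response):
    """Simplified index: impact avoided minus response impact and cost."""
    baseline = impact(edges, intrusion)
    return baseline - combined_impact(edges, intrusion, response) - response["cost"]


def select_response(edges, intrusion, candidates):
    """Return the candidate with the largest positive index (None if none helps)."""
    scored = {name: net_return(edges, intrusion, r) for name, r in candidates.items()}
    best = max(scored, key=scored.get)
    return (best if scored[best] > 0 else None), scored


# Constructed scenario: the database's integrity is fully compromised.
INTRUSION = {"integrity": {"db": 1.0}}
CANDIDATES = {
    "no response": {"cost": 0},
    "isolate db": {"cost": 5, "cut": [("app", "db"), ("reports", "db")]},
    "cut app->db": {"cost": 5, "cut": [("app", "db")]},
    "restore db": {"cost": 50, "downtime": {"db": 1.0}, "eradicates": True},
}

if __name__ == "__main__":
    best, scores = select_response(EDGES, INTRUSION, CANDIDATES)
    for name, score in scores.items():
        print(f"{name:12s} net return = {score:6.1f}")
    print("selected:", best)
```

In this constructed scenario the unchecked intrusion costs 430 units: integrity loss at the database flows to the application and on to the web front end, where poisoned data is the most expensive. Isolating the database converts that integrity flow into a cheaper availability flow and scores best (225); cutting only the application's edge leaves the reporting service exposed (215); restoring the database eradicates the intrusion but its downtime and higher operational cost pull it down (210). The point the model makes is the one in the abstract: the same dependency graph that spreads the intrusion's impact also determines the impact of each candidate response, so both must be computed before a response is chosen.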