Advanced Reaction Using Risk Assessment in Intrusion Detection Systems

  • Wael Kanoun
  • Nora Cuppens-Boulahia
  • Frédéric Cuppens
  • Fabien Autrel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5141)


Current intrusion detection systems go beyond the detection of attacks and provide reaction mechanisms to cope with detected attacks or at least reduce their effect. Previous research works have proposed methods to automatically select possible countermeasures capable of ending the detected attack. But actually, countermeasures have side effects and can be as harmful as the detected attack. In this paper, we propose to improve the reaction selection process by giving means to quantify the effectiveness and select the countermeasure that has the minimum negative side effect on the information system. To achieve this goal, we adopt a risk assessment and analysis approach.


Intrusion detection system attack scenario countermeasure risk analysis potentiality impact 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bace, R.: Intrusion Detection. McMillan Technical Publishing (2000)Google Scholar
  2. 2.
    Cuppens, F.: Managing Alerts in a Multi-Intrusion Detection Environment. In: 17th Annual Computer Security Applications Conference New-Orleans (December 2001)Google Scholar
  3. 3.
    Cuppens, F., Autrel, F., Miege, A., Benferhat, S., et al.: Correlation in an intrusion detection process. In: Internet Security Communication Workshop (SECI 2002), Tunis, Septembre (2002)Google Scholar
  4. 4.
    Lippmann, R.: Using Key String and Neural Networks to Reduce False Alarms and Detect New Attacks with Sniffer-Based Intrusion Detection Systems. In: Proceedings of the Second International Workshop on the Recent Advances in Intrusion Detection (RAID 1999), Purdue, USA (October 1999)Google Scholar
  5. 5.
    Huang, M.: A Large-scale Distributed Intrusion Detection Framework Based on Attack Strategy Analysis. Louvain-La-Neuve, Belgium (1998)Google Scholar
  6. 6.
    Morin, B., Debar, H.: Correlation of Intrusion Symptoms: an Application of Chronicles. In: Proceedings of the Sixth International Symposium on the Recent Advances in Intrusion Detection (RAID 2002), Pittsburg, USA (September 2003)Google Scholar
  7. 7.
    Cuppens, F., Autrel, F., Miege, A., Benferhat, S., et al.: Recognizing Malicious Intention in an Intrusion Detection Process. In: Second International Conference on Hybrid Intelligent Systems, Santiago, Chili (December 2002)Google Scholar
  8. 8.
    Ning, P., Cui, Y., Reeves, D.S.: Constructing attack scenarios through correlation of intrusion alerts. In: ACM Conference on Computer and Communications Security (2002)Google Scholar
  9. 9.
    Cuppens, F., Autrel, F., Bouzida, Y., Garcia, J., Gombault, S., Sans, T.: Anti-correlation as a criterion to select appropriate counter-measures in an intrusion detection framework. Annals of Telecommunications 61(1-2) (January-February 2006)Google Scholar
  10. 10.
    Debar, H., Thomas, Y., Boulahia-Cuppens, N., Cuppens, F.: Using contextual security policies for threat response. In: Third, G.I. (ed.) International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment (DIMVA), Germany (July 2006)Google Scholar
  11. 11.
  12. 12.
  13. 13.
  14. 14.
  15. 15.
    Cuppens, F., Ortalo, R.: LAMBDA: A Language to Model a Database for Detection of Attacks. In: Third International Workshop on Recent Advances in Intrusion Detection (RAID 2000), Toulouse (October 2000)Google Scholar
  16. 16.
    Kendall, K.: A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems. Massachusetts Institute of Technology (June 1999)Google Scholar
  17. 17.
    Mirkivich, J., Martin, J., Reiher, P.: Towards a Taxonomy of Intrusion Detection Systems and Attacks. Project IST-1999-11583, MAFTIA deliverable D3 (September 2001)Google Scholar
  18. 18.
    Autrel, F., Cuppens, F.: CRIM: un module de corrélation d’alertes et de réaction aux attaques. Annals of Telecommunications 61(9-10) (September-October 2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Wael Kanoun
    • 1
  • Nora Cuppens-Boulahia
    • 1
  • Frédéric Cuppens
    • 1
  • Fabien Autrel
    • 2
  1. 1.ENST-Bretagne, Cesson SévignéFrance
  2. 2.SWID, Cesson SévignéFrance

Personalised recommendations