PLACID - Projet ANR SETIN 2006

People and organizations increasingly rely on networks and computer systems, whose complexity is growing fast, thus bringing new social, economic, strategic threats which are actively exploited by individuals with various objectives.

Intrusion detection is a field of computer security whose goal is to monitor the activity of an information system for the occurrence of malicious activities, i.e. actions intended to violate the security policy governing confidentiality, integrity and availability of services and data. Intrusion detection has been a very active research area for the past few years, and several complementary solutions have been proposed to protect networks against attacks of all forms and origins.

Despite these efforts, intrusion detection systems (IDS) still suffer from several drawbacks. Firstly, IDS trigger too many alerts, a large proportion of which turn out to be false positives. Security operators are consequently overwhelmed with alerts, the analysis of which is time consuming and incompatible with the alert rate. Secondly, the detection is still incomplete, that is to say attacks are still missed by IDS (also known as false negatives). Improving the detection rate requires the multiplication of heterogeneous sensors, so as to enhance the monitoring coverage and benefit from complementary detection techniques. However, multiplying sensors also multiplies the number of alerts received by security operators.

Alarm correlation is a subfield of intrusion detection, whose goal is to make heterogeneous IDS sensors cooperate, in order to improve the attack detection rate, enrich the semantics of alerts and reduce the overall number of alerts. Several solutions have been proposed in the literature, all of which require knowledge about the attacks and the context in which they occur. At the same time, complementary tools have appeared to support alarm correlation by providing knowledge databases about attacks, as well as local and global contextual observations. However, none of these correlation solutions received a wide acceptance.

We believe that one of the reason for this is that the intrusion detection domain lacks a common logic that would allow security systems to reason about complementary evidences and security operators to interact with these systems efficiently.

5-7 janvier 2010 - Colloque STIC organisé par l'ANR Poster PLACID	PLACID is a scientific project funded by the ANR, within SETIN 2006 computer science and security call for project and closed in december 2010. This project is an interdisciplinary project that combines expertise in artificial intelligence and computer security from three academic institutions : Supélec Rennes, SSIR team (Sécurité des Réseaux et des Systèmes d’Information) CRIL (Centre de Recherche en Informatique de Lens) lab, Université d'Artois / CNRS (FRE 2499), LITIS (Laboratoire d’Informatique, Traitement de l’Information et des Systèmes) lab, Institut National des Sciences Appliquées (INSA) de Rouen / Universités de Rouen et du Havre. The scientific coordinators are : Philippe Leray, Professeur des Universités, LINA, Université de Nantes (previously member of LITIS lab), coordinator of the project since Sept. 2008 Ludovic Mé, Enseignant-chercheur, Supélec Rennes, Salem Benferhat, Professeur des Universités, CRIL, Université d'Artois-CNRS,
13-14 décembre 2010 - Colloque "Systèmes embarqués, sécurité et sûreté de fonctionnement" organisé par l'ANR Présentation PLACID Placid tools Research propotype, not directly operational. Available on demand (Philippe Leray) Alert correlation tool based on QCL IDMEF to DL translation and reasoning from alerts Bayesian networks for detecting complex attacks Bayesian network structure learning tools for ProBT C++ library PLACID benchmark	Non-permanent members of this project : Sourour Ammar, research engineer in LITIS lab, PhD student in LINA lab bayesian networks, ProBT development referee Tayeb Kenaza, PhD student in CRIL lab bayesian networks Karima Sedki, PhD student in CRIL lab qualitative logic Karim Tabia, Associate professor in CRIL lab, previously postdoc LITIS & LINA lab bayesian networks structure learning for alarm correlation Safa Yahi, PhD student in CRIL lab qualitative logic Lydia Bouzar, Research master in CRIL lab Ghouali Abd El Badie, master student, training period in CRIL lab Ikram El-Hassani, master student, training period in CRIL lab Adel Bouridah, training period in CRIL lab Past members of this project : Nicolas Chartier, former master student, training period in LINA lab development of bayesian network structure learning into ProBT platform Ahmad Faour, former PhD student in LITIS lab bayesian networks for intrusion detection Stijn Meganck, former PhD student in co-supervision LITIS lab - CoMo lab (VUB, Belgium) causal bayesian network learning Benjamin Morin, former assistant professor in Supélec, project coordinator until august 2008 computer science and security, alarm correlation Quoc Dung Ngo, master student, training period in LINA lab development of new bayesian network structure learning into ProBT platform Khadidiatou Sar, student, training period in LINA lab anonymization and mining of an alarm database Amanullah Yasin, master student, training period in LINA lab development of new bayesian network structure learning into ProBT platform
	Context and motivation People and organizations increasingly rely on networks and computer systems, whose complexity is growing fast, thus bringing new social, economic, strategic threats which are actively exploited by individuals with various objectives. Intrusion detection is a field of computer security whose goal is to monitor the activity of an information system for the occurrence of malicious activities, i.e. actions intended to violate the security policy governing confidentiality, integrity and availability of services and data. Intrusion detection has been a very active research area for the past few years, and several complementary solutions have been proposed to protect networks against attacks of all forms and origins. Despite these efforts, intrusion detection systems (IDS) still suffer from several drawbacks. Firstly, IDS trigger too many alerts, a large proportion of which turn out to be false positives. Security operators are consequently overwhelmed with alerts, the analysis of which is time consuming and incompatible with the alert rate. Secondly, the detection is still incomplete, that is to say attacks are still missed by IDS (also known as false negatives). Improving the detection rate requires the multiplication of heterogeneous sensors, so as to enhance the monitoring coverage and benefit from complementary detection techniques. However, multiplying sensors also multiplies the number of alerts received by security operators. Alarm correlation is a subfield of intrusion detection, whose goal is to make heterogeneous IDS sensors cooperate, in order to improve the attack detection rate, enrich the semantics of alerts and reduce the overall number of alerts. Several solutions have been proposed in the literature, all of which require knowledge about the attacks and the context in which they occur. At the same time, complementary tools have appeared to support alarm correlation by providing knowledge databases about attacks, as well as local and global contextual observations. However, none of these correlation solutions received a wide acceptance. We believe that one of the reason for this is that the intrusion detection domain lacks a common logic that would allow security systems to reason about complementary evidences and security operators to interact with these systems efficiently. Objectives As a summary, the objectives of the PLACID project include the realization of : A formal description logic for intrusion detection, called IDDL, which stands for Intrusion Detection Description Logic. IDDL will provide security components with a formal framework to characterize their observation, share their knowledge with third-party components and reason about complementary evidence information. Bayesian-based approaches for alert correlation. Our aim is to model uncertainty associated with alerts, to represent malicious actions, and to model correlation relations between alerts. The use of bayesian networks has several advantages such that evaluating the success of attacks, reducing the set of possible attacks scenarios, learning correlation relations, or finding the root cause of alerts. Software component for alerts correlation. This project will include the development of software implementing bayesian-based correlation approach and IDDL reasoning tools, integrated in a global solution for alert handling.
	Délivrables Description Logic for Intrusion Detection 01 - Représentation en logiques de description des alertes et des informations contextuelles 02 - IDDL Formal Specifications Un état de l’art sur les logiques de description 03 - Gestion de l’incohérence en détection d’intrusions 04 - Towards a new correlation approach in cooperative intrusion detection 05 - QCL-CA : Outil de corrélation d’alertes basé sur les logiques QCL -- Manuel d'utilisation 06 - Outil de traduction et de raisonnement avec des alertes IDMEF -- Manuel d'utilisation Probabilistic Graphical and logical Models for Alarm Correlation 07 - Étude Comparative des outils manipulant les Réseaux Bayésiens 08 - Causality and intervention for alarm correlation : A Naive Bayes approach for detecting coordinated attacks 09 - Causal Graphical Models with Latent Variables: Learning and Inference 10 - From representing contextual intrusion detection information in description logics to monitoring target events 11 - Implémentation d'algorithmes d'apprentissage de structure dans ProBT 12 - Réseaux Bayésiens naïfs augmentés pour la détection des attaques coordonnées 13 - A Revised Qualitative Choice Logic for Handling Prioritized Preferences 14 - Implémentation de nouveaux algorithmes d'apprentissage de structure sur la plateforme ProBT 15 - Data Mining and Detecting Complex Attacks 16 - Corrélation d’alertes basée sur les connaissances et les préférences d’un opérateur de sécurité 17 - Données PLACID
	Publications International Journals K. Tabia and P. Leray, Alert correlation: Severe attack prediction and controlling false alarm rate tradeoffs. Intelligent Data Analysis Journal (à paraitre), 15(6). 2011 T. Kenaza, K. Tabia et S. Benferhat On the use of Bayesian network-based classifiers for detecting elementary and coordinated attacks. A paraître dans la revue internationale Fundamentae Informatica.2010 S. Benferhat and K. Sedki. An alert correlation approach based on knowledge and preferences of security operator,dans Journal of Applied Non-Classical Logics (JANCL), 2010, pp. pp.7-37. S. Benferhat and K. Tabia, An efficient algorithm for naive possibilistic classifiers with uncertain inputs, dans International Journal of Intelligent systems (IJIS), vol. 24, n° 12, Wiley, pp. 1203 - 1229, décembre 2009. International Conferences S. Benferhat and K. Sedki A preference logic-based approach for alert correlation. dans Logics in Security 2010, Copenhague. L. Bouzar-Benlabiod, S. Benferhat and T. Boubana-Tebibel, Integrating security operator knowledge and preferences to the alert correlation process. In International IEEE Conference on Machine and Web Intelligence – ICMW2010- Algiers, 2010, pp. 416 – 420. S. Benferhat and K. Tabia: Belief Revision of Product-Based Causal Possibilistic Networks. Canadian Conference on AI 2010: 244-255, Springer. K. Tabia. and P. Leray. Bayesian network-based approaches for severe attack prediction and handling idss' reliability. In Proceedings of the International Conference on Information Processing and Management of Uncertainty in Knowledge-Based Systems (IPMU 2010), pages 632-642, Dortmund, Germany. K. Tabia. and P. Leray. Handling idss' reliability in alert correlation: A bayesian network-based model for handling ids's reliability and controlling prediction/false alarm rate tradeoffs. In Proceedings of the International Conference on Security and Cryptography (SECRYPT'2010), pages ??-??, Athens, Greece. S. Benferhat, T. Kenaza and P. Leray, Data Mining and Detecting Complex Attacks. Dans Salford Data Mining Conference, San Diego, Août 2009 S. Benferhat and S. Yahi. Complexity and Cautiousness Results for Reasoning from Partially Preordered Belief Bases.In Proceedings of the 10th European Conference on Symbolic and Quantitative Approaches to Reasoning with Uncertainty (ECSQARU 2009), pages 817-828, Verona, Italy. S. Benferhat and K. Sedki. Two alternatives for handling preferences in qualitative choice logic. Fuzzy Sets and Systems (FSS’08), vol. 159, no 15, pp. 1889-1912, août 2008. S. Benferhat and K. Sedki. Alert correlation based on a logical handling of administrator preferences and knowledge. In Proceedings of International Conference on Security and Cryptography SECRYPT 08, Porto, Portugal. S. Benferhat, T. Kenaza and A. Mokhtari. A Naive Bayes approach for detecting coordinated attacks. 3rd IEEE International Workshop COMPSAC on Security, Trust, and Privacy for Software Applications (STPSA 2008), Juillet 2008. S. Benferhat and K. Sedki: A Revised Qualitative Choice Logic for Handling Prioritized Preferences. In Ninth European Conference on Symbolic and Quantitative Approaches to Reasoning with Uncertainty ECSQARU 2007, pages 635-647. S. Yahi, S. Benferhat and T. Kenaza: Conflicts Handling in Cooperative Intrusion Detection: A Description Logic Approach. 22nd IEEE International Conference on Tools with Artificial Intelligence, ICTAI 2010, Arras, pp 360-362, 2010. National Journals T. Kenaza, K. Tabia and A. Mokhtari. Détection d'attaques élémentaires et coordonnées à base de réseaux Bayésiens naïfs. Dans la revue Information - Interaction – Intelligence, Cépadues, 2009 S. Yahi, T. Kenaza and S. Benferhat, De l’utilisation des logiques de description à la gestion des incohérences en détection d’intrusion coopérative. Dans la revue de Génie Logiciel, Volume 94, pp. (sélection de INFORSID'10), 2010. National Conferences K. Tabia, P. Leray and L. Mé. From redundant/irrelevant alert elimination to handling idss' reliability and controlling severe attack prediction/false alarm rate tradeoffs. In Proceedings of the Fifth Conference on Network and Information Systems Security (SAR/SSI 2010), pages ??-??, Rocquebrune Cap-Martin, France. S. Yahi, S. Benferhat and T. Kenaza De l’utilisation des logiques de description à la gestion d’incohérences en détection d’intrusion coopérative. workshop SEC-SY (Sécurité des Systèmes d’Information et les Environnements Collaboratifs), Marseille, 2009. S. Benferhat and K. Sedki. Corrélation d’alertes basée sur les connaissances et les préférences d’un opérateur de sécurité. 4ème conférence sur la Sécurité des Architecture Réseaux et des Systèmes d’Information (SARSSI’2009), Luchon, Juin 2009 S. Benferhat and T. Kenaza, Vers une évaluation globale des classifieurs Bayésiens pour la détection d'intrusions, in 4èmes Journées Francophones sur les Réseaux Bayésiens (JFRB10), mai 2010, Nantes. Misc. Colloque Quelle Recherche pour les STIC de demain ? 5-7 janvier 2010, Paris. Colloque "Systèmes embarqués, sécurité et sûreté de fonctionnement", 13-14 décembre 2010, Toulouse T. Kenaza, modèles graphiques probabilistes pour la corrélation d’alertes en détection d'intrusions. Thèse de l'Université d'Artois et de l'Université des Sciences et de la Technologie Houari Boumediene (Algérie), soutenance prévue début 2011. S. Yahi, Raisonnement en présence d'incohérence : de la compilation de bases de croyances stratifiées à l'inférence à partir de bases de croyances partiellement préordonnées. Thèse de l'Université d'Artois, décembre 2009 K. Sedki Raisonnement sous incertitude et en présence des préférences : Application à la détection d’intrusions et à la corrélation d’alerte. Thèse de l’Université d’Artois, décembre 2008.

Probabilistic graphical models and Logics for Alarm Correlation in Intrusion Detection