Placid
Non-permanent members of this project:
- Sourour Ammar, research engineer in LITIS lab, PhD student in LINA lab: Bayesian networks, ProBT development referee
- Tayeb Kenaza, PhD student in CRIL lab: Bayesian networks
- Karima Sedki, PhD student in CRIL lab: qualitative logic
- Karim Tabia, postdoc in LITIS & LINA labs: Bayesian network structure learning for alarm correlation
- Safa Yahi, PhD student in CRIL lab: qualitative logic
- Lydia Bouzar, research master student in CRIL lab
- Ghouali Abd El Badie, master student, training period in CRIL lab
- Ikram El-Hassani, master student, training period in CRIL lab

Past members of this project:
- Nicolas Chartier, former master student, training period in LINA lab: development of Bayesian network structure learning in the ProBT platform
- Ahmad Faour, former PhD student in LITIS lab: Bayesian networks for intrusion detection
- Stijn Meganck, former PhD student in co-supervision between LITIS lab and CoMo lab (VUB, Belgium): causal Bayesian network learning
- Benjamin Morin, former assistant professor at Supélec, project coordinator until August 2008: computer science and security, alarm correlation
- Quoc Dung Ngo, master student, training period in LINA lab: development of new Bayesian network structure learning in the ProBT platform
- Khadidiatou Sar, student, training period in LINA lab: anonymization and mining of an alarm database
- Amanullah Yasin, master student, training period in LINA lab: development of new Bayesian network structure learning in the ProBT platform
Context and motivation
People and organizations increasingly rely on networks and computer systems whose complexity is growing fast, which brings new social, economic and strategic threats that are actively exploited by individuals with various objectives.

Intrusion detection is a field of computer security whose goal is to monitor the activity of an information system for the occurrence of malicious activities, i.e. actions intended to violate the security policy governing the confidentiality, integrity and availability of services and data. Intrusion detection has been a very active research area for the past few years, and several complementary solutions have been proposed to protect networks against attacks of all forms and origins.

Despite these efforts, intrusion detection systems (IDS) still suffer from several drawbacks. Firstly, IDS trigger too many alerts, a large proportion of which turn out to be false positives. Security operators are consequently overwhelmed with alerts, whose analysis is time consuming and incompatible with the alert rate. Secondly, detection is still incomplete, that is to say some attacks are still missed by IDS (false negatives). Improving the detection rate requires deploying multiple heterogeneous sensors, so as to enhance the monitoring coverage and benefit from complementary detection techniques. However, multiplying sensors also multiplies the number of alerts received by security operators.

Alarm correlation is a subfield of intrusion detection whose goal is to make heterogeneous IDS sensors cooperate, in order to improve the attack detection rate, enrich the semantics of alerts and reduce the overall number of alerts. Several solutions have been proposed in the literature, all of which require knowledge about the attacks and the context in which they occur. At the same time, complementary tools have appeared to support alarm correlation by providing knowledge databases about attacks, as well as local and global contextual observations. However, none of these correlation solutions has received wide acceptance.

We believe that one of the reasons for this is that the intrusion detection domain lacks a common logic that would allow security systems to reason about complementary evidence and security operators to interact with these systems efficiently.
Objectives
As a summary, the objectives of the PLACID project include the realization of:
- A formal description logic for intrusion detection, called IDDL (Intrusion Detection Description Logic). IDDL will provide security components with a formal framework to characterize their observations, share their knowledge with third-party components and reason about complementary evidence.
- Bayesian-based approaches for alert correlation. Our aim is to model the uncertainty associated with alerts, to represent malicious actions, and to model correlation relations between alerts. The use of Bayesian networks has several advantages, such as evaluating the success of attacks, reducing the set of possible attack scenarios, learning correlation relations, or finding the root cause of alerts.
- A software component for alert correlation. The project includes the development of software implementing the Bayesian-based correlation approach and IDDL reasoning tools, integrated in a global solution for alert handling.
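As an added illustration of the Bayesian objective above, the following example (written for this page, not PLACID's own software and not ProBT code) correlates alerts from three heterogeneous sensors with a naive Bayes model: one hidden scenario variable, and each sensor's alert conditionally independent of the others given the scenario. The scenario set, the sensor names, the prior and every detection and false-positive rate are constructed values chosen for the example. It shows the two effects the objectives mention: a lone alert from a noisy sensor stays below the "no attack" hypothesis, while corroborating alerts from independent sensors push one scenario above the others and shrink the candidate set an operator has to review.

```python
"""Toy naive-Bayes alert correlation (constructed example, not PLACID/ProBT code).

Model: a hidden scenario variable S, with each sensor's alert conditionally
independent of the other alerts given S. P(alert | S = none) is the sensor's
false-positive rate; P(alert | S = some attack) is its detection rate.
"""

# Hypothetical scenario set and prior; "none" means no attack in the window.
SCENARIOS = ("none", "port_scan", "brute_force")
PRIOR = {"none": 0.97, "port_scan": 0.02, "brute_force": 0.01}

# Constructed P(alert raised | scenario) for each sensor. The "none" column is
# the sensor's false-positive rate; the other columns are its detection rates.
SENSORS = {
    "nids_scan":      {"none": 0.02, "port_scan": 0.90, "brute_force": 0.10},
    "host_auth_fail": {"none": 0.05, "port_scan": 0.05, "brute_force": 0.85},
    "fw_deny_burst":  {"none": 0.03, "port_scan": 0.70, "brute_force": 0.40},
}


def likelihood(scenario, observations):
    """P(observations | scenario).

    observations maps a sensor name to True (alert raised) or False (the
    sensor reported and stayed silent). Sensors absent from the dict are
    unobserved; they are marginalised out implicitly because the two values
    of an alert variable sum to 1 for every scenario.
    """
    p = 1.0
    for sensor, raised in observations.items():
        q = SENSORS[sensor][scenario]
        p *= q if raised else 1.0 - q
    return p


def posterior(observations):
    """P(scenario | observations), computed by enumeration over the scenarios."""
    joint = {s: PRIOR[s] * likelihood(s, observations) for s in SCENARIOS}
    z = sum(joint.values())
    return {s: joint[s] / z for s in SCENARIOS}


def plausible_scenarios(observations, threshold=0.05):
    """Reduce the candidate set to scenarios whose posterior reaches threshold,
    most probable first. An operator reviews this list instead of raw alerts."""
    post = posterior(observations)
    keep = [s for s in SCENARIOS if post[s] >= threshold]
    return sorted(keep, key=lambda s: post[s], reverse=True)


if __name__ == "__main__":
    cases = {
        "single NIDS alert, other sensors unobserved": {"nids_scan": True},
        "NIDS and firewall corroborate, host silent":
            {"nids_scan": True, "fw_deny_burst": True, "host_auth_fail": False},
        "host and firewall corroborate, NIDS silent":
            {"nids_scan": False, "host_auth_fail": True, "fw_deny_burst": True},
    }
    for label, obs in cases.items():
        post = posterior(obs)
        summary = ", ".join(f"{s}={post[s]:.3f}" for s in SCENARIOS)
        print(f"{label}: {summary} -> {plausible_scenarios(obs)}")
```

With these constructed rates, a single NIDS scan alert leaves "none" slightly more probable than "port_scan" (about 0.51 versus 0.47), so on its own it would not be escalated; adding a firewall deny burst while the host sensor stays silent raises "port_scan" above 0.95 and drops every other scenario below the 5% threshold. Sensor reliability enters only through the per-sensor rates, so a less trustworthy sensor is handled by widening its false-positive column rather than by changing the inference.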
Publications
- 2010
  - R. Ayachi, N. Ben Amor, S. Benferhat and R. Haenni. Compiling Possibilistic Networks: Alternative Approaches to Possibilistic Inference. 26th Conference on Uncertainty in Artificial Intelligence (UAI'10), July 2010.
  - S. Benferhat and K. Sedki. A preference logic-based approach for alert correlation. To appear in Logics in Security 2010, Copenhagen.
  - S. Benferhat and K. Tabia. Belief Revision of Product-Based Causal Possibilistic Networks. Canadian Conference on AI 2010, pages 244-255, Springer.
  - T. Kenaza, K. Tabia and S. Benferhat. On the use of Bayesian network-based classifiers for detecting elementary and coordinated attacks. To appear in the international journal Fundamenta Informaticae.
  - K. Tabia and P. Leray. Bayesian network-based approaches for severe attack prediction and handling IDSs' reliability. In Proceedings of the International Conference on Information Processing and Management of Uncertainty in Knowledge-Based Systems (IPMU 2010), pages 632-642, Dortmund, Germany.
  - K. Tabia and P. Leray. Handling IDSs' reliability in alert correlation: a Bayesian network-based model for handling IDSs' reliability and controlling prediction/false alarm rate tradeoffs. In Proceedings of the International Conference on Security and Cryptography (SECRYPT 2010), pages ??-??, Athens, Greece.
  - K. Tabia, P. Leray and L. Mé. From redundant/irrelevant alert elimination to handling IDSs' reliability and controlling severe attack prediction/false alarm rate tradeoffs. In Proceedings of the Fifth Conference on Network and Information Systems Security (SAR/SSI 2010), pages ??-??, Roquebrune-Cap-Martin, France.
  - S. Yahi, S. Benferhat and T. Kenaza. De l'utilisation des logiques de description à la gestion d'incohérences en détection d'intrusion coopérative. Workshop SEC-SY (Sécurité des Systèmes d'Information et les Environnements Collaboratifs), Marseille.
- 2009
  - S. Ammar, P. Leray, B. Defourny and L. Wehenkel. Perturbation et combinaison d'arbres de Markov pour l'estimation de densité. In Proceedings of the Conférence Francophone sur l'Apprentissage Automatique (CAp 2009), pages 65-79, Hammamet, Tunisia.
  - S. Ammar, P. Leray, B. Defourny and L. Wehenkel. Probability density estimation by perturbing and combining tree structured Markov networks. In Proceedings of the 10th European Conference on Symbolic and Quantitative Approaches to Reasoning with Uncertainty (ECSQARU 2009), pages 156-167, Verona, Italy.
  - S. Benferhat, D. Dubois and H. Prade. Interventions in Possibilistic Logic. SUM 2009, Washington, DC, Lecture Notes in Computer Science, Springer, pages 40-54, September 28-30, 2009.
  - S. Benferhat, T. Kenaza and P. Leray. Data Mining and Detecting Complex Attacks. In Salford Data Mining Conference, San Diego, August 2009.
  - S. Benferhat and K. Sedki. Corrélation d'alertes basée sur les connaissances et les préférences d'un opérateur de sécurité. 4ème conférence sur la Sécurité des Architectures Réseaux et des Systèmes d'Information (SARSSI 2009), Luchon, June 2009.
  - S. Benferhat and K. Tabia. An efficient algorithm for naive possibilistic classifiers with uncertain inputs. International Journal of Intelligent Systems (IJIS), vol. 24, no. 12, Wiley, pp. 1203-1229, December 2009.
  - S. Benferhat and K. Tabia. On the use of min-based revision under uncertain evidence for possibilistic classifiers. In International Fuzzy Systems Association World Congress (IFSA'09), Springer, Lisbon, July 2009.
  - S. Benferhat and K. Tabia. Classification with uncertain observations using possibilistic networks. In 21st International Conference on Tools with Artificial Intelligence (ICTAI'09), Newark, IEEE, November 2009.
  - S. Benferhat and S. Yahi. Complexity and Cautiousness Results for Reasoning from Partially Preordered Belief Bases. In Proceedings of the 10th European Conference on Symbolic and Quantitative Approaches to Reasoning with Uncertainty (ECSQARU 2009), pages 817-828, Verona, Italy.
  - T. Kenaza, K. Tabia and A. Mokhtari. Détection d'attaques élémentaires et coordonnées à base de réseaux Bayésiens naïfs. In the journal Information - Interaction - Intelligence, Cépaduès, 2009.
  - S. Yahi. Raisonnement en présence d'incohérence : de la compilation de bases de croyances stratifiées à l'inférence à partir de bases de croyances partiellement préordonnées. PhD thesis, Université d'Artois, December 2009.
- 2008
  - S. Ammar, P. Leray and L. Wehenkel. Estimation de densité par ensembles aléatoires de poly-arbres. In Proceedings of the 4èmes journées francophones de réseaux bayésiens (JFRB 2008), pages 69-79, Lyon, France.
  - S. Ammar, P. Leray, B. Defourny and L. Wehenkel. High-dimensional probability density estimation with randomized ensembles of tree structured Bayesian networks. In Proceedings of the Fourth European Workshop on Probabilistic Graphical Models (PGM'08), pages 9-16, Hirtshals, Denmark.
  - S. Benferhat, T. Kenaza and A. Mokhtari. Réseaux Bayésiens Naïfs pour la détection des attaques coordonnées. In Proceedings of the 4èmes journées francophones de réseaux bayésiens (JFRB 2008), pages 177-194, Lyon, France.
  - S. Benferhat and K. Sedki. Two alternatives for handling preferences in qualitative choice logic. Fuzzy Sets and Systems (FSS'08), vol. 159, no. 15, pp. 1889-1912, August 2008.
  - S. Benferhat and K. Sedki. Alert correlation based on a logical handling of administrator preferences and knowledge. In Proceedings of the International Conference on Security and Cryptography (SECRYPT 08), Porto, Portugal.
  - S. Benferhat, T. Kenaza and A. Mokhtari. A Naive Bayes approach for detecting coordinated attacks. 3rd IEEE International Workshop on Security, Trust, and Privacy for Software Applications (STPSA 2008), held with COMPSAC, July 2008.
  - S. Meganck, P. Leray and B. Manderick. UnCaDo: Unsure causal discovery. In Proceedings of the 4èmes journées francophones de réseaux bayésiens (JFRB 2008), pages 94-104, Lyon, France.
  - K. Sedki. Raisonnement sous incertitude et en présence des préférences : Application à la détection d'intrusions et à la corrélation d'alertes. PhD thesis, Université d'Artois, December 2008.
- 2007
  - S. Benferhat and K. Sedki. A Revised Qualitative Choice Logic for Handling Prioritized Preferences. In Ninth European Conference on Symbolic and Quantitative Approaches to Reasoning with Uncertainty (ECSQARU 2007), pages 635-647.
  - A. Faour. Une approche semi-supervisée et adaptative pour le filtrage des alarmes dans les systèmes de détection d'intrusions sur les réseaux. PhD thesis, Institut National des Sciences Appliquées de Rouen, July 2007.
  - S. Meganck, P. Leray and B. Manderick. Causal graphical models with latent variables: Learning and inference. In Ninth European Conference on Symbolic and Quantitative Approaches to Reasoning with Uncertainty (ECSQARU 2007), pages 5-16.