Author

Hervé Debar

Other affiliations: Université Paris-Saclay, IBM, Institut Mines-Télécom
Bio: Hervé Debar is an academic researcher from Telecom SudParis. The author has contributed to research in topics: Intrusion detection system & Security policy. The author has an h-index of 36, co-authored 148 publications receiving 6717 citations. Previous affiliations of Hervé Debar include Université Paris-Saclay & IBM.


Papers
Journal ArticleDOI
Hervé Debar, Marc Dacier, Andreas Wespi
TL;DR: A taxonomy of intrusion-detection systems is introduced that highlights the various aspects of this area and is illustrated by numerous examples from past and current projects.

882 citations

Book ChapterDOI
Hervé Debar, Andreas Wespi
10 Oct 2001
TL;DR: An aggregation and correlation algorithm used in the design and implementation of an intrusion-detection console built on top of the Tivoli Enterprise Console (TEC) to expose a more condensed view of the security issues raised by intrusion-detection systems.
Abstract: This paper describes an aggregation and correlation algorithm used in the design and implementation of an intrusion-detection console built on top of the Tivoli Enterprise Console (TEC). The aggregation and correlation algorithm aims at acquiring intrusion-detection alerts and relating them together to expose a more condensed view of the security issues raised by intrusion-detection systems.

680 citations

Proceedings ArticleDOI
04 May 1992
TL;DR: The authors feel the need for alternative techniques and introduce the use of a neural network component for modeling the user's behavior as a component of the intrusion detection system, and suggest the time series approach to add broader scope to the model.
Abstract: An approach toward user behavior modeling that takes advantage of the properties of neural algorithms is described, and results obtained on preliminary testing of the approach are presented. The basis of the approach is the IDES (Intruder Detection Expert System), which has two components: an expert system looking for evidence of attacks on known vulnerabilities of the system, and a statistical model of the behavior of a user on the computer system under surveillance. This model learns the habits a user has when he works with the computer, and raises warnings when the current behavior is not consistent with the previously learned patterns. The authors suggest the time series approach to add broader scope to the model. They therefore feel the need for alternative techniques and introduce the use of a neural network component for modeling the user's behavior as a component of the intrusion detection system.

547 citations

01 Mar 2007
TL;DR: A data model to represent information exported by intrusion detection systems and the rationale for using this model is explained and an implementation of the data model in the Extensible Markup Language (XML) is presented.
Abstract: The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them. This document describes a data model to represent information exported by intrusion detection systems and explains the rationale for using this model. An implementation of the data model in the Extensible Markup Language (XML) is presented, an XML Document Type Definition is developed, and examples are provided. This memo defines an Experimental Protocol for the Internet community.

378 citations
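The two abstracts above describe the pieces of an alert pipeline: IDMEF fixes the wire format in which sensors export alerts, and an aggregation and correlation layer relates those alerts to each other to present a condensed view. The following Python is an added example, not code from the IDMEF RFC or from the Tivoli Enterprise Console work described in the 2001 paper. The element names and the http://iana.org/idmef namespace follow RFC 4765; the aggregation rule (group alerts sharing classification, source and target that arrive within a five-minute window) is this example's own simplification, and the five sample messages are constructed with documentation-range addresses.

```python
"""Parse IDMEF alert messages and condense them with a simple aggregation rule.

Added example (not code from the IDMEF RFC or from Debar and Wespi's TEC console).
Element names and the namespace follow RFC 4765; the aggregation key and the
time window below are this example's own assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
# Stdlib ElementTree is acceptable for a trusted feed; parse untrusted XML with defusedxml.
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"
NS = {"idmef": IDMEF_NS}


def _message(messageid: str, created: str, src: str, dst: str, classification: str) -> str:
    """Constructed IDMEF 1.0 message; only the fields parse_idmef() reads are populated."""
    return f"""<IDMEF-Message xmlns="{IDMEF_NS}" version="1.0">
  <Alert messageid="{messageid}">
    <Analyzer analyzerid="dmz-nids-01"/>
    <CreateTime>{created}</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>{src}</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>{dst}</address></Address></Node></Target>
    <Classification text="{classification}"/>
  </Alert>
</IDMEF-Message>"""


# Constructed sample feed: five raw alerts from one sensor (RFC 5737 documentation addresses).
SAMPLE_MESSAGES = [
    _message("m1", "2024-05-01T10:00:00+00:00", "192.0.2.50", "198.51.100.10", "Port scan"),
    _message("m2", "2024-05-01T10:00:40+00:00", "192.0.2.50", "198.51.100.10", "Port scan"),
    _message("m3", "2024-05-01T10:03:10+00:00", "192.0.2.50", "198.51.100.10", "Port scan"),
    _message("m4", "2024-05-01T10:01:05+00:00", "203.0.113.7", "198.51.100.10", "SQL injection"),
    _message("m5", "2024-05-01T11:30:00+00:00", "192.0.2.50", "198.51.100.10", "Port scan"),
]


@dataclass(frozen=True)
class Alert:
    messageid: str
    analyzer: str
    created: datetime
    source: str
    target: str
    classification: str


def _first_address(alert_el: ET.Element, container: str) -> str:
    """First Node/Address/address text under Source or Target, or 'unknown' if absent."""
    el = alert_el.find(f"idmef:{container}/idmef:Node/idmef:Address/idmef:address", NS)
    return el.text.strip() if el is not None and el.text else "unknown"


def parse_idmef(xml_text: str) -> list[Alert]:
    """Extract the fields an aggregator needs from every Alert in one IDMEF-Message."""
    root = ET.fromstring(xml_text)
    alerts = []
    for alert_el in root.findall("idmef:Alert", NS):
        analyzer = alert_el.find("idmef:Analyzer", NS)
        created = alert_el.find("idmef:CreateTime", NS)
        classification = alert_el.find("idmef:Classification", NS)
        if created is None or not created.text:
            continue  # CreateTime is mandatory in IDMEF; drop malformed alerts rather than guess
        alerts.append(Alert(
            messageid=alert_el.get("messageid", ""),
            analyzer=analyzer.get("analyzerid", "") if analyzer is not None else "",
            created=datetime.fromisoformat(created.text.strip()),
            source=_first_address(alert_el, "Source"),
            target=_first_address(alert_el, "Target"),
            classification=classification.get("text", "") if classification is not None else "",
        ))
    return alerts


def parse_all(messages: list[str]) -> list[Alert]:
    return [a for m in messages for a in parse_idmef(m)]


def aggregate(alerts: list[Alert], window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Collapse alerts with the same (classification, source, target) created within
    `window` of the group's first alert into one row; a later alert with the same key
    outside the window starts a new row instead of stretching the old one."""
    open_groups: dict[tuple, list[Alert]] = {}
    closed: list[list[Alert]] = []
    for a in sorted(alerts, key=lambda x: x.created):
        key = (a.classification, a.source, a.target)
        group = open_groups.get(key)
        if group is not None and a.created - group[0].created > window:
            closed.append(open_groups.pop(key))  # window expired: freeze the old group
            group = None
        if group is None:
            open_groups[key] = [a]
        else:
            group.append(a)
    closed.extend(open_groups.values())
    return [{
        "classification": g[0].classification, "source": g[0].source, "target": g[0].target,
        "count": len(g), "first_seen": g[0].created, "last_seen": g[-1].created,
        "messageids": [a.messageid for a in g],
    } for g in sorted(closed, key=lambda g: g[0].created)]


if __name__ == "__main__":
    raw = parse_all(SAMPLE_MESSAGES)
    for row in aggregate(raw):
        print(f"{row['count']:>3} x {row['classification']:<14} {row['source']} -> {row['target']}")
    print(f"{len(raw)} raw alerts condensed to {len(aggregate(raw))} rows")
```

With the sample feed, five raw alerts collapse to three rows: one row of three port-scan alerts, the single SQL injection alert, and a second port-scan row for the alert that arrives outside the window. The window boundary is the point to get right in practice; extending a group every time a new alert arrives (rather than measuring from the first alert) lets a slow, steady attacker keep one row open indefinitely and hide in it.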

Journal ArticleDOI
Hervé Debar, Marc Dacier, Andreas Wespi
TL;DR: This paper extends the taxonomy beyond real-time intrusion detection to include additional aspects of security monitoring, such as vulnerability assessment, and introduces a taxonomy of intrusion-detection systems that highlights the various aspects of this area.
Abstract: Intrusion-detection systems aim at detecting attacks against computer systems and networks, or in general against information systems. Indeed, it is difficult to provide provably secure information systems and to maintain them in such a secure state during their lifetime and utilization. Sometimes, legacy or operational constraints do not even allow the definition of a fully secure information system. Therefore, intrusion-detection systems have the task of monitoring the usage of such systems to detect the appearance of insecure states. They detect attempts and active misuse, either by legitimate users of the information systems or by external parties, to abuse their privileges or exploit security vulnerabilities. In a previous paper [Computer Networks 31, 805–822 (1999)], we introduced a taxonomy of intrusion-detection systems that highlights the various aspects of this area. This paper extends the taxonomy beyond real-time intrusion detection to include additional aspects of security monitoring, such as vulnerability assessment.

371 citations


Cited by
Journal ArticleDOI
TL;DR: This survey tries to provide a structured and comprehensive overview of the research on anomaly detection by grouping existing techniques into different categories based on the underlying approach adopted by each technique.
Abstract: Anomaly detection is an important problem that has been researched within diverse research areas and application domains. Many anomaly detection techniques have been specifically developed for certain application domains, while others are more generic. This survey tries to provide a structured and comprehensive overview of the research on anomaly detection. We have grouped existing techniques into different categories based on the underlying approach adopted by each technique. For each category we have identified key assumptions, which are used by the techniques to differentiate between normal and anomalous behavior. When applying a given technique to a particular domain, these assumptions can be used as guidelines to assess the effectiveness of the technique in that domain. For each category, we provide a basic anomaly detection technique, and then show how the different existing techniques in that category are variants of the basic technique. This template provides an easier and more succinct understanding of the techniques belonging to each category. Further, for each category, we identify the advantages and disadvantages of the techniques in that category. We also provide a discussion on the computational complexity of the techniques since it is an important issue in real application domains. We hope that this survey will provide a better understanding of the different directions in which research has been done on this topic, and how techniques developed in one area can be applied in domains for which they were not intended to begin with.

9,627 citations

Journal ArticleDOI
TL;DR: The aim is to explicate a set of general concepts, of relevance across a wide range of situations and, therefore, helping communication and cooperation among a number of scientific and technical communities, including ones that are concentrating on particular types of system, of system failures, or of causes of systems failures.
Abstract: This paper gives the main definitions relating to dependability, a generic concept including a special case of such attributes as reliability, availability, safety, integrity, maintainability, etc. Security brings in concerns for confidentiality, in addition to availability and integrity. Basic definitions are given first. They are then commented upon, and supplemented by additional definitions, which address the threats to dependability and security (faults, errors, failures), their attributes, and the means for their achievement (fault prevention, fault tolerance, fault removal, fault forecasting). The aim is to explicate a set of general concepts, of relevance across a wide range of situations and, therefore, helping communication and cooperation among a number of scientific and technical communities, including ones that are concentrating on particular types of system, of system failures, or of causes of system failures.

4,695 citations

01 Jan 2007
TL;DR: This paper gives the main definitions relating to dependability, a generic concept including as special cases such attributes as reliability, availability, safety, integrity and maintainability, and relates them to the security concerns of confidentiality, integrity and availability.
Abstract: This paper gives the main definitions relating to dependability, a generic concept including a special case of such attributes as reliability, availability, safety, integrity, maintainability, etc. Security brings in concerns for confidentiality, in addition to availability and integrity. Basic definitions are given first. They are then commented upon, and supplemented by additional definitions, which address the threats to dependability and security (faults, errors, failures), their attributes, and the means for their achievement (fault prevention, fault tolerance, fault removal, fault forecasting). The aim is to explicate a set of general concepts, of relevance across a wide range of situations and, therefore, helping communication and cooperation among a number of scientific and technical communities, including ones that are concentrating on particular types of system, of system failures, or of causes of system failures.

4,335 citations

Journal ArticleDOI
01 Apr 2004
TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.
Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.

1,866 citations

Journal ArticleDOI
TL;DR: The main challenges to be dealt with for the wide-scale deployment of anomaly-based intrusion detectors are outlined, with special emphasis on assessment issues.

1,712 citations