Tuesday, 6th July 2010 Eighth International Network Conference (INC2010) 1 Conceptual Trusted Incident-Reaction Architecture Christophe Feltus TITAN project financed by the FNR

Page 1: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture


Conceptual Trusted Incident-Reaction

Architecture

Christophe Feltus

TITAN project financed by the FNR

Page 2: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture


Motivations

Corporate networks : open, mobile and flexible

more facilities

more risks

Solution is the IDS

Research in that field concerns:

Detection of attacks

Automated solutions

Performance

What about the global reaction and the deployment of the appropriate solution?

Importance to include business constraints…

… and utility value

Page 3: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture


Motivations

The approach that we target:

Is adapted to react quickly to simple and complex attacks

Ensures homogeneous communication between the composing nodes

Open to a wide range of technology

+ makes decisions on a business-based approach

+ includes the concept of trust

3-phase approach:

MAS architecture

Decision mechanism

Consideration of the mutual trust

Page 4: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

Outline of the presentation

Presentation of the MAS architecture

Presentation of the decision support system

Presentation of the approach to consider the trust

Conclusions and future works


Page 5: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

Based on the requirements:

selected approach …

MAS

Advantages :

- reactivity and pro-activity

- cooperation

- autonomous

XACML architecture:

A policy language implemented in XML

A processing model, describing how to interpret the policies

Page 6: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

About the architecture

The architecture is strongly influenced by XACML.

Similarity:

XACML: access request, which policy applies?, deployment

MAS: incident detection, which reaction applies?, deployment

Difference:

XACML: the PEP receives the request and provides the response

MAS: the IDS and the ACE receive and analyse the request; the PEP provides the response

Page 7: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

Concepts of the MAS architecture


Page 8: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

Concepts of the MAS architecture


Page 9: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

Concepts of the MAS architecture


Page 10: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

JADE

Java Agent DEvelopment framework

Software framework fully implemented in Java

Simplifies the implementation of multi-agent systems through a middleware

The agent platform can be distributed across machines

Configuration can be controlled via a remote GUI

Set of system services: naming service, yellow pages service, message transport and parsing services

Page 11: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

Detailed data flow


Page 12: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

Decision support system

Agents make decisions at different levels: when there is a contradiction between information…

When they decide whether or not to escalate an information...

Different types of information: severity, duration and frequency of the alert

Contribution of the system to the medical rescue

Criticality of the rescue operation

One challenge is to manage the uncertainty of the information received by the agent

Ontology, Bayesian network and Influence diagrams

Page 13: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

Ontology

Permits formalizing the conceptual architecture

Permits supporting the reasoning at the BN and ID pillars

Ovals = OWL class

Solid arrows = RDF predicate

+ Dashed arrows = influence relation

+ Rounded rectangles = domain value

Page 14: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

BN extension

Permits calculating conditional probabilities

Based on uncertain prior knowledge

Parameters of the probability: qualitative and quantitative

OWL:ObjectProperty “dependsOn”

Ovals = Bayesian variables

Dashed arrows = relation between Bayesian variables.

E.g. 1: The alert that is forwarded from the BuildingB_ACE to the upper network ACE has an influence on the confirmation of the alert that is sent from the Campus-Area_ACE to the Campus-Area_PIE.

E.g. 2: The severity of the alert has an influence on the action to send an alert to the BuildingA_ACE.

Page 15: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

ID extension

3 types of relations: isKnownBy, influenceOn, attributeOf

Utility node associated with a utility table

A sequential path between decisions exists

Ovals = Chance nodes

Rectangles = Decision nodes

Diamonds = Utility nodes.

This figure illustrates that send (alert.BuildingA_ACE) is at the same time a decision node and a chance node that is known by the decision node alertForward2 (BuildingA_ACE, Campus-AreaACE).

Page 16: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

Trust extension: FUTURE WORKS

Input of the decision process: chance nodes and data values

Trust in chance nodes

Decision made based on the function(utility, trust)

Architecture agents

Dashed and solid arrows = trust value

E.g.: - A sends « message 1 » to B if C is high: high utility, but A has a low level of trust in C

- A sends « message 2 » to B if D is high: low utility, but A has a high level of trust in D

Does A send « message 1 » or « message 2 »?
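As an added illustration of the influence-diagram decision of page 15 and the utility/trust question of page 16 (not code from the slides or the TITAN project): a single chance node per candidate message, an assumed utility table, and an assumed combining rule that discounts the expected utility by the agent's trust in the chance node. Probabilities, utilities and trust levels are constructed values.

```python
"""Constructed example: trust-weighted expected utility for agent A's
choice between « message 1 » and « message 2 ». Every number and the
combining rule are assumptions; the slides leave function(utility, trust) open."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChanceNode:
    name: str       # chance node of the influence diagram ("C" or "D")
    p_high: float   # BN belief that the node is "high", 0..1 (assumed)
    trust: float    # A's trust in the source reporting this node, 0..1 (assumed)


# Utility table of the utility node: (decision, state of its chance node) -> utility.
# Message 1 pays well when C really is high but costs when it is not;
# message 2 is safe but low-value either way. Constructed values.
UTILITY = {
    ("message 1", "high"): 10.0, ("message 1", "low"): -4.0,
    ("message 2", "high"): 3.0,  ("message 2", "low"): 1.0,
}

# Page 16 scenario: C likely high but poorly trusted, D likely high and well trusted.
C = ChanceNode("C", p_high=0.9, trust=0.2)
D = ChanceNode("D", p_high=0.9, trust=0.9)


def expected_utility(decision: str, node: ChanceNode) -> float:
    """Classic influence-diagram step: average the utility table over the
    chance node's states using the BN belief."""
    return (node.p_high * UTILITY[(decision, "high")]
            + (1.0 - node.p_high) * UTILITY[(decision, "low")])


def trusted_utility(decision: str, node: ChanceNode, neutral: float = 0.0) -> float:
    """Assumed function(utility, trust): shrink the expected utility toward a
    neutral value in proportion to A's distrust in the chance node."""
    return node.trust * expected_utility(decision, node) + (1.0 - node.trust) * neutral


def choose(candidates, use_trust: bool = True):
    """Pick the decision with the highest (trusted) expected utility.
    candidates: list of (decision, chance node it depends on)."""
    score = trusted_utility if use_trust else expected_utility
    scored = {d: score(d, n) for d, n in candidates}
    return max(scored, key=scored.get), scored


if __name__ == "__main__":
    options = [("message 1", C), ("message 2", D)]
    print("utility only:", choose(options, use_trust=False))
    print("utility and trust:", choose(options))
```

Pure expected utility favours message 1; once the low trust in C is applied the same agent prefers message 2, which is the trade-off the slide asks about.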

Page 17: INC 2010 _ Conceptual Trusted Incident-Reaction Architecture

Conclusions

Corporate networks: open, mobile and flexible

Solution based on:

MAS architecture, based on a policy regulation approach, aligned with the XACML architecture

Decision Support System: Ontology, BN, ID

Utility and trust value inputs at the decision-making level (PhD subject)

Prototype under construction (Master thesis)