A Service Dependency Modeling Framework for Policy-Based Response Enforcement

Authors:
Nizar Kheir;Hervé Debar;Frédéric Cuppens;Nora Cuppens-Boulahia;Jouni Viinikka
Affiliations:
France Télécom R&D Caen, CAEN, France 14066 and Tééélécom Bretagne, Cesson Sévigné Cedex, France 35512;France Télécom R&D Caen, CAEN, France 14066;Télécom Bretagne, Cesson Sévigné Cedex, France 35512;Télécom Bretagne, Cesson Sévigné Cedex, France 35512;France Télécom R&D Caen, CAEN, France 14066
Venue:
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Year:
2009

Citing 10
Cited 1

Role-Based Access Control Models

Computer
Evaluating the Impact of Automated Intrusion Response Mechanisms

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Organization based access control

POLICY '03 Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks
Modelling Contexts in the Or-BAC Model

ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Dependency Algebra: A Tool for Designing Robust Real-Time Systems

RTSS '05 Proceedings of the 26th IEEE International Real-Time Systems Symposium
Graph based Metrics for Intrusion Response Measures in Computer Networks

LCN '07 Proceedings of the 32nd IEEE Conference on Local Computer Networks
A taxonomy of intrusion response systems

International Journal of Information and Computer Security
Expression and Deployment of Reaction Policies

SITIS '08 Proceedings of the 2008 IEEE International Conference on Signal Image Technology and Internet Based Systems
Informing the decision process in an automated intrusion response system

Information Security Tech. Report
A system dependability modeling framework using AADL and GSPNs

Architecting dependable systems IV

A service dependency model for cost-sensitive intrusion response

ESORICS'10 Proceedings of the 15th European conference on Research in computer security

Quantified Score

Hi-index	0.00

Visualization

Abstract

The use of dynamic access control policies for threat response adapts local response decisions to high level system constraints. However, security policies are often carefully tightened during system design-time, and the large number of service dependencies in a system architecture makes their dynamic adaptation difficult. The enforcement of a single response rule requires performing multiple configuration changes on multiple services. This paper formally describes a Service Dependency Framework (SDF) in order to assist the response process in selecting the policy enforcement points (PEPs) capable of applying a dynamic response rule. It automatically derives elementary access rules from the generic access control, either allowed or denied by the dynamic response policy, so they can be locally managed by local PEPs. SDF introduces a requires /provides model of service dependencies. It models the service architecture in a modular way, and thus provides both extensibility and reusability of model components. SDF is defined using the Architecture Analysis and Design Language, which provides formal concepts for modeling system architectures. This paper presents a systematic treatment of the dependency model which aims to apply policy rules while minimizing configuration changes and reducing resource consumption.