
Yohann THOMAS


About me

I hold a PhD in Computer Science from the French Ecole Nationale Supérieure des Télécommunications de Bretagne (ENSTB), the result of three years spent at Orange Labs (Caen, France). My research work has dealt with intrusion detection, response, security policies and context awareness. You can find more information about me below, in particular about my research topic, publications and contact information.
Resume: [en][fr]


PhD title: Policy-Based Response to Intrusions Through Context Activation. [ .pdf | slides ]

Supervisor: Frédéric Cuppens
Co-advisor: Hervé Debar
Keywords: Intrusion detection, security policies, threat response, context awareness, Or-BAC


Abstract
We present in this thesis a new approach to responding to malicious events that threaten information systems. This approach integrates the notion of response at the security policy level. We build upon the Organization-Based Access Control model (Or-BAC), which distinguishes the generic policy definition from its actual instantiation according to the current context. The notion of context makes it possible to assess the current state of the system and to express the policy accordingly at the level of the policy enforcement points.

Context includes spatial and temporal parameters, as well as parameters specifically dealing with operational security, such as alerts reported by intrusion detection systems (IDS). Alerts characterize the current threat to the information system. Threat contexts are instantiated by our system, triggering updates of the policy instantiation. The system is thus able to adapt dynamically to the threat by adjusting its configuration.

We propose a novel approach to bridge the gap between the security policy and one of the tools that monitors its fulfillment, namely intrusion detection systems. This link had not previously been established: violations of the security policy detected by an IDS did not produce any change in the actual implementation of the security policy at the policy enforcement points. In particular, we show that it is possible to manage dynamic paths to services and resources according to the threat.
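The mechanism described in the three paragraphs above (abstract rules over roles, activities, views and contexts; threat contexts activated by IDS alerts; a concrete policy re-derived for the enforcement point, including a dynamic path to a service) can be sketched in code. The following is an added example written for this page, not code from the thesis, from Or-BAC tooling or from Orange Labs. Everything in it is an assumption made for illustration: the conflict-resolution rule (a derived prohibition wins over any permission), the mapping of an alert's classification name to a threat context that holds organization-wide plus an "attacker" context for the alert source, the time-to-live used to deactivate contexts, and the IP addresses, service names and alert fields, which are constructed.

```python
"""Toy Or-BAC style threat-response engine (constructed example, not the thesis code).

Abstract rules are written over roles, activities, views and contexts. IDS alerts
activate threat contexts; the concrete policy handed to a policy enforcement
point (PEP) is re-derived from the abstract rules whenever the active contexts
change, so the PEP configuration follows the threat and returns to nominal when
the threat context expires.
"""
from dataclasses import dataclass
from typing import Optional, Set

NOMINAL = "nominal"   # context that always holds


@dataclass(frozen=True)
class Rule:
    kind: str       # "permission" | "prohibition"
    role: str       # "*" matches any role
    activity: str   # "*" matches any activity
    view: str       # "*" matches any view
    context: str


@dataclass
class ThreatContext:
    name: str
    subjects: Optional[Set[str]] = None   # None: holds for every subject
    expires_at: float = 0.0               # deactivation time (fail-safe return to nominal)


def _match(pattern, value):
    return pattern == "*" or pattern == value


class PolicyEngine:
    def __init__(self, rules, empower, consider, use):
        self.rules = list(rules)
        self.empower = empower    # Empower: subject -> set of roles
        self.consider = consider  # Consider: action -> activity
        self.use = use            # Use: object -> set of views
        self.contexts = {}        # active threat contexts by name

    def ingest_alert(self, alert, now, ttl=600.0):
        """Assumed mapping: the classification names an organization-wide threat
        context; the alert source is also placed in the 'attacker' context."""
        cls = alert["classification"]
        threat = self.contexts.setdefault(cls, ThreatContext(cls))
        threat.expires_at = max(threat.expires_at, now + ttl)
        attacker = self.contexts.setdefault("attacker", ThreatContext("attacker", set()))
        attacker.subjects.add(alert["source"])
        attacker.expires_at = max(attacker.expires_at, now + ttl)

    def expire(self, now):
        """Deactivate contexts whose ttl elapsed; the policy falls back to nominal."""
        for name in [n for n, c in self.contexts.items() if c.expires_at <= now]:
            del self.contexts[name]

    def hold(self, subject, context):
        if context == NOMINAL:
            return True
        ctx = self.contexts.get(context)
        return ctx is not None and (ctx.subjects is None or subject in ctx.subjects)

    def decide(self, subject, action, obj):
        """Derive Is_permitted(subject, action, obj): deny unless a permission is
        derived, and any derived prohibition wins (assumed conflict resolution)."""
        activity = self.consider.get(action)
        decision = "deny"
        for r in self.rules:
            if (any(_match(r.role, role) for role in self.empower.get(subject, ()))
                    and _match(r.activity, activity)
                    and any(_match(r.view, v) for v in self.use.get(obj, ()))
                    and self.hold(subject, r.context)):
                if r.kind == "prohibition":
                    return "deny"
                decision = "allow"
        return decision

    def instantiate(self, subjects, action, objects):
        """Concrete ruleset for a PEP: (subject, object, decision) triples."""
        return [(s, o, self.decide(s, action, o)) for s in subjects for o in objects]


# Constructed policy: direct ssh is the nominal path; while ssh is brute-forced,
# the direct path is closed and a gateway path is opened instead (dynamic path),
# and the alert source is denied everything.
RULES = [
    Rule("permission", "admin", "remote_shell", "ssh_direct", NOMINAL),
    Rule("prohibition", "admin", "remote_shell", "ssh_direct", "ssh_bruteforce"),
    Rule("permission", "admin", "remote_shell", "ssh_gateway", "ssh_bruteforce"),
    Rule("prohibition", "*", "*", "*", "attacker"),
]
EMPOWER = {"10.0.0.5": {"admin"}, "10.0.0.7": {"admin"}}   # constructed hosts
CONSIDER = {"tcp/22": "remote_shell"}
USE = {"ssh_direct": {"ssh_direct"}, "ssh_gateway": {"ssh_gateway"}}
ALERT = {"classification": "ssh_bruteforce", "source": "10.0.0.7",
         "target": "ssh_direct"}   # constructed, IDMEF-like alert


def demo():
    engine = PolicyEngine(RULES, EMPOWER, CONSIDER, USE)
    subjects, objects = ["10.0.0.5", "10.0.0.7"], ["ssh_direct", "ssh_gateway"]
    before = engine.instantiate(subjects, "tcp/22", objects)
    engine.ingest_alert(ALERT, now=1000.0)
    during = engine.instantiate(subjects, "tcp/22", objects)
    engine.expire(now=2000.0)   # ttl elapsed: threat contexts deactivated
    after = engine.instantiate(subjects, "tcp/22", objects)
    return before, during, after


if __name__ == "__main__":
    for label, ruleset in zip(("before", "during", "after"), demo()):
        print(label, ruleset)
```

Running `demo()` shows the three successive PEP rulesets: before the alert only the direct path is allowed, during the threat context the direct path is denied for everyone, the gateway path is allowed for the admin host that is not the alert source, and the source host is denied both, and after expiry the nominal ruleset is back.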

In addition, this work provides a preliminary answer to the problem of the reactivity and relevance of the response to a threat. Security operators in charge of responding to attacks suffer from a lack of reactivity: they are overwhelmed by the flow of alerts, and the analysis process is particularly tedious given the number of parameters to consider. Moreover, attacks are increasingly frequent, and the time required to compromise services or resources has greatly decreased, which may lead to disastrous effects, in particular financial losses for corporations that may quickly amount to millions of euros. Automating the response is therefore a necessity.

The proposed system supports fail-safe dynamic security policies, making the best use of both monitoring and enforcement security components.


Publications
[4] Response: bridging the link between intrusion detection alerts and security policies
Hervé Debar, Yohann Thomas, Frédéric Cuppens, and Nora Cuppens-Boulahia
Book chapter, 2008.
[ bib | .pdf ]
[3] Enabling automated threat response through the use of a dynamic security policy
Hervé Debar, Yohann Thomas, Frédéric Cuppens, and Nora Cuppens-Boulahia
Journal in Computer Virology, 2007.
[ bib | .pdf ]
[2] Using Contextual Security Policies for Threat Response
Hervé Debar, Yohann Thomas, Nora Cuppens-Boulahia, and Frédéric Cuppens
In Roland Bueschkes and Pavel Laskov, editors, Proceedings of the 3rd Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 06), Berlin, Germany, July 2006. Springer.
[ bib | .pdf | slides ]
[1] Improving Security Management through Passive Network Observation
Yohann Thomas, Hervé Debar, and Benjamin Morin
In ARES '06: Proceedings of the First International Conference on Availability, Reliability and Security (ARES'06), pages 382-389. IEEE Computer Society, 2006.
[ bib | .pdf | slides ]



Contact
Links

http://perso.orange.fr/yohann.thomas
http://pagesperso-orange.fr/yohann.thomas