"Alert correlation: a more effective decision-support tool for responding to intrusions."

Thesis defense announcement, published 16 April 2015 on the SAMOVAR laboratory site:
https://samovar.telecom-sudparis.eu/index.php/2015/04/16/correlation-dalertes-un-outil-plus-efficace-daide-a-la-decision-pour-repondre-aux-intrusions/

Thursday 30 April 2015 at 10:00, Room A003

The jury will be composed of:

Mr. Eric TOTEL, Professor at Supélec, France – Reviewer (rapporteur)
Ms. Isabelle CHRISMENT, Professor at LORIA, France – Reviewer (rapporteur)
Mr. Olivier BETTAN, Director of the Cyber-Security laboratory, Thales Services – Examiner
Ms. Maryline LAURENT, Professor at Télécom SudParis, France – Examiner
Mr. Bruno DEFUDE, Professor at Télécom SudParis, France – Examiner
Mr. Grégoire JACOB, Research Engineer at Lastline, Inc., USA – Examiner
Mr. Gregory BLANC, Research Engineer at Télécom SudParis – Examiner
Mr. Hervé DEBAR, Professor at Télécom SudParis, France – Thesis advisor

The defense will be followed by a reception in room A009, to which you are warmly invited.

Summary (translated from the French):

SIEMs (Security Information and Event Management systems) are the core of security operations centers. They correlate a large number of events coming from different sensors (anti-virus, firewalls, intrusion detection systems, etc.) and offer synthetic views for threat management as well as security reports. Managing and analyzing this large number of alerts is a difficult task for the security administrator. Alert correlation was designed to remedy this problem.

Correlation solutions have been developed to obtain a more concise view of the generated alerts and a better description of the detected attack. They considerably reduce the volume of alerts raised, so as to support the administrator in handling this large number of alerts. Unfortunately, these techniques do not take into account knowledge about the attacker's behavior, the functionalities of the application, or the defense perimeter of the monitored network (firewalls, proxies, intrusion detection systems, etc.).

In this thesis, we propose two new alert correlation approaches. The first, which we call honeypot-based alert correlation, uses knowledge about attackers collected through honeypots. The second correlation approach is based on a model of the security policy enforcement points.

Abstract:

Security Information and Event Management (SIEM) systems provide security analysts with a huge number of alerts. Managing and analyzing such a tremendous number of alerts is a challenging task for the security administrator. Alert correlation has been designed to alleviate this problem. Current alert correlation techniques provide the security administrator with a better description of the detected attack and a more concise view of the generated alerts, and thereby usually reduce the volume of alerts the administrator has to handle. Unfortunately, none of these techniques takes into account either knowledge about the attacker's behavior or the enforcement functionalities and defense perimeter of the protected network (firewalls, proxies, intrusion detection systems, etc.). It remains challenging, first, to improve the knowledge about the attacker and, second, to identify the policy enforcement mechanisms that are capable of processing the generated alerts.

Several authors have proposed different alert correlation methods and techniques. Although these approaches support the administrator in processing the huge number of generated alerts, they remain limited, since they do not provide more information about the attackers' behavior or about the defender's capability to react to detected attacks.

In this dissertation, we propose two novel alert correlation approaches. The first, which we call honeypot-based alert correlation, is based on the use of knowledge about attackers collected through honeypots. The second, which we call enforcement-based alert correlation, is based on a model of policy enforcement and defender capabilities.
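The three ideas the abstract describes at a high level (reducing alert volume, enriching alerts with attacker knowledge gathered on honeypots, and identifying which enforcement points can act on a detected attack) can be seen on a small scale in the following added Python illustration. It is not the thesis's algorithm or code: the alert fields, the 192.0.2.0/24 monitored network, the honeypot profiles, the enforcement-point capability predicates and the ranking rule are all assumptions, and every input is constructed sample data.

```python
"""Toy SIEM alert correlator (illustrative; not the thesis's own method).

Step 1: fold raw sensor alerts into a smaller set of meta-alerts.
Step 2: attach what honeypots already know about the attacking source.
Step 3: map each meta-alert to the policy enforcement points able to act on it.
All data below is constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Alert:
    sensor: str     # "ids", "firewall", "av", ... (assumed sensor names)
    src: str        # source IP as reported by the sensor
    dst: str        # target IP
    dst_port: int   # 0 when not applicable (host sensors)
    signature: str  # sensor-specific detection name


@dataclass
class MetaAlert:
    src: str
    dst: str
    count: int = 0
    ports: set = field(default_factory=set)
    sensors: set = field(default_factory=set)
    signatures: set = field(default_factory=set)
    attacker: Optional[dict] = None            # honeypot knowledge, if any
    enforcement: list = field(default_factory=list)


# Assumed monitored network (TEST-NET-1, constructed for the example).
INTERNAL = ip_network("192.0.2.0/24")


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


# Constructed raw alerts: 7 events from three sensors.
RAW_ALERTS = [
    Alert("ids", "203.0.113.7", "192.0.2.10", 22, "SSH brute force"),
    Alert("ids", "203.0.113.7", "192.0.2.10", 22, "SSH brute force"),
    Alert("ids", "203.0.113.7", "192.0.2.10", 22, "SSH brute force"),
    Alert("firewall", "203.0.113.7", "192.0.2.10", 22, "denied connection"),
    Alert("ids", "198.51.100.23", "192.0.2.20", 80, "SQL injection attempt"),
    Alert("ids", "198.51.100.23", "192.0.2.20", 80, "SQL injection attempt"),
    Alert("av", "192.0.2.30", "192.0.2.30", 0, "trojan detected"),
]

# Constructed honeypot knowledge, keyed by attacker IP (assumed schema).
HONEYPOT_PROFILES = {
    "203.0.113.7": {
        "seen_on": "ssh-honeypot",
        "behaviour": ["password spraying", "drops cryptominer after login"],
        "confidence": "high",
    },
}

# Constructed enforcement-point model: (action it can take, predicate saying
# whether that capability covers a given meta-alert). Order = preference.
ENFORCEMENT_POINTS = {
    "edge-firewall": ("block source IP", lambda m: not is_internal(m.src)),
    "web-proxy": ("block request pattern", lambda m: bool(m.ports & {80, 443, 8080})),
    "inline-ips": ("drop matching signature", lambda m: "ids" in m.sensors),
    "host-av": ("quarantine host", lambda m: "av" in m.sensors),
}


def aggregate(alerts):
    """Step 1: one meta-alert per (src, dst) pair, keeping all evidence."""
    groups = {}
    for a in alerts:
        m = groups.setdefault((a.src, a.dst), MetaAlert(a.src, a.dst))
        m.count += 1
        if a.dst_port:
            m.ports.add(a.dst_port)
        m.sensors.add(a.sensor)
        m.signatures.add(a.signature)
    return list(groups.values())


def enrich(metas, profiles):
    """Step 2: attach honeypot-derived attacker knowledge when the source is known."""
    for m in metas:
        m.attacker = profiles.get(m.src)
    return metas


def map_enforcement(metas, points):
    """Step 3: list the enforcement points whose capability covers each meta-alert."""
    for m in metas:
        m.enforcement = [name for name, (_, applies) in points.items() if applies(m)]
    return metas


def correlate(alerts=RAW_ALERTS, profiles=HONEYPOT_PROFILES, points=ENFORCEMENT_POINTS):
    """Run the three steps; rank profiled attackers first, then by alert volume."""
    metas = map_enforcement(enrich(aggregate(alerts), profiles), points)
    metas.sort(key=lambda m: (m.attacker is None, -m.count))
    return metas


if __name__ == "__main__":
    result = correlate()
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(result)} meta-alerts")
    for m in result:
        who = m.attacker["seen_on"] if m.attacker else "unknown source"
        print(f"{m.src} -> {m.dst} x{m.count} [{who}] actionable at: {m.enforcement}")
```

The seven constructed alerts collapse to three meta-alerts. The SSH attacker is ranked first because a honeypot profile exists for it, and only the edge firewall and the inline IPS are listed as able to act on it; the internal host flagged by anti-virus is mapped to host quarantine alone, since neither the edge firewall nor the proxy covers internal-to-internal activity under the assumed capability model.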