Information Flow Control for Intrusion Detection derived from MAC Policy

Stéphane Geller 1, 2 Christophe Hauser 1, 2 Frédéric Tronel 1, 3 Valérie Viet Triem Tong 1, 3
1 CIDRE - Confidentialité, Intégrité, Disponibilité et Répartition
CentraleSupélec, Inria Rennes – Bretagne Atlantique , IRISA-D1 - SYSTÈMES LARGE ÉCHELLE
2 SSIR - Equipe Sécurité des Systèmes dÍnformation et Réseaux - EA 4039
SUPELEC-Campus Rennes
3 SSIR - Equipe Sécurité des Systèmes d'Information et Réseaux - EA 4039
SUPELEC-Campus Rennes
Abstract : Most of today's MAC implementations can be turned into permissive mode, where no enforcement is performed but alerts are raised instead. This behavior is very close to an anomaly IDS except that the system is configured through a MAC policy. MAC implementations such as SELinux and AppArmor come with a default policy including real life and practical rules ready to be used as is or as a basis for a custom policy. In this paper, we first propose an extension of an IDS based on information flow control. We address issues concerning programs execution and improve its expressiveness in terms of security policy. This extended model can be configured to reach a wide variety of different security goals. Particularly, it allows for information flow checking based on users and/or programs dependent policy rules. Furthermore, suspicious modification of binary programs can be detected to avoid malware execution. We also propose an algorithm for deriving an AppArmor MAC policy into an information flow policy, and thus get the advantage of having a ready to use policy offering good security. We finally show a practical example of deriving such a policy in order to configure our IDS.
Keywords : Intrusion detection Information flow control Mandatory Access Control
Document type :
Conference papers
Complete list of metadatas

Cited literature [16 references]  Display  Hide  Download
https://hal-supelec.archives-ouvertes.fr/hal-00647116
Contributor : Anne Cloirec <>
Submitted on : Thursday, December 1, 2011 - 3:04:36 PM
Last modification on : Thursday, December 13, 2018 - 8:06:02 PM
Long-term archiving on : Friday, November 16, 2012 - 12:40:15 PM

File

icc-2.pdf
Files produced by the author(s)

Identifiers

Collections

SUP_SSIR | SUP_CIDRE | SUPELEC | INRIA | INSTITUT-TELECOM | UNIV-RENNES1 | IRISA-D1 | IRISA | UR1-UFR-ISTIC | UNIV-RENNES

Citation

Stéphane Geller, Christophe Hauser, Frédéric Tronel, Valérie Viet Triem Tong. Information Flow Control for Intrusion Detection derived from MAC Policy. 2011 IEEE International Conference on Communications (ICC), Jun 2011, Kyoto, Japan. 6 p., ⟨10.1109/icc.2011.5962660⟩. ⟨hal-00647116⟩

Export

BibTeX TEI DC DCterms EndNote

Share

Metrics

Record views

792

Files downloads

471

Contact

CCSD