Behavioral Intrusion Detection Indicators

Monitoring and analysing Information system(IS)’s security events has become more and more difficult in the last few years. As IS complexity rises, the number of mandatory monitoring points has increased along with the number of deployed probes. Consequently, a huge amount of information is reported to the analyst which subsequently floods him and implies the implementation of very complex event analysis engines. In the behaviour analysis context in which sequences of events are studied, this information quantity issue makes it difficult to build automatable not too complex models. In order to cope with this increasing amount of information, we will describe a method to reduce the observation perimeter through the selection of most relevant indicators. Such indicators, which are defined thanks to users and attackers behaviour analysis, represent different actions that users or attackers perform in the IS. This method implies neither information loss nor significant detection rate decline. We experienced this indicators selection with a behaviour anomaly detection engines injecting few days of events. Results show that model complexity issues are significantly reduced while keeping detection rate almost the same. Jacques Saraydaryan ARES INRIA / CITI, INSA Lyon, F69621, France, Exaprotect, 149 bd Stalingrad 69100 Villeurbanne France e-mail: [email protected] Luc Paffumi Exaprotect, 149 bd Stalingrad 69100 Villeurbanne France e-mail: [email protected] Veronique Legrand ARES INRIA / CITI, INSA Lyon, F69621, France, Exaprotect, 149 bd Stalingrad 69100 Villeurbanne France e-mail: [email protected] Stephane Ubeda ARES INRIA / CITI, INSA Lyon, F69621, France e-mail: [email protected]