
Publications 1990-1999

Publications from 1990 to 1999, written during my PhD thesis and my stay at the IBM Zurich Research Laboratory, in the Global Security Analysis lab.

N Asokan, Hervé Debar, Michael Steiner, and Michael Waidner. Authenticating public terminals. Computer Networks, 31(8):861-870, April 1999. [ bib | http ]

Automatic teller machines, Internet kiosks etc. are examples of public untrusted terminals which are used to access computer systems. One of the security concerns in such systems is the so-called fake terminal attack: the attacker sets up a fake terminal and fools unsuspecting users into revealing sensitive information, such as PINs or private e-mail, in their attempt to use these terminals. In this paper, we examine this problem in different scenarios and propose appropriate solutions. Our basic approach is to find ways for a user to authenticate a public terminal before using it to process sensitive information.

Keywords: Internet kiosks, authentication, fake terminal attack, mobility

Hervé Debar, Marc Dacier, and Andreas Wespi. Towards a taxonomy of intrusion-detection systems. Computer Networks, 31(8):805-822, April 1999. [ bib | DOI | http ]

Intrusion-detection systems aim at detecting attacks against computer systems and networks, or against information systems in general, as it is difficult to provide provably secure information systems and maintain them in such a secure state for their entire lifetime and for every utilization. Sometimes, legacy or operational constraints do not even allow a fully secure information system to be realized at all. Therefore, the task of intrusion-detection systems is to monitor the usage of such systems and to detect the appearance of insecure states. They detect attempts and active misuse by legitimate users of the information systems or external parties to abuse their privileges or exploit security vulnerabilities. In this paper, we introduce a taxonomy of intrusion-detection systems that highlights the various aspects of this area. This taxonomy defines families of intrusion-detection systems according to their properties. It is illustrated by numerous examples from past and current projects.

Keywords: intrusion-detection, security, taxonomy

José L Abad-Peiro, Hervé Debar, Thomas Schweinberger, and Peter Trommler. PLAS-Policy Language for Authorizations. IBM Technical Report RZ3126, March 1999. [ bib | .ps.gz ]

A key issue in authorization services and computer security in general is the definition of security policies [1]. To help define security policies we have developed a new policy language for authorization systems (PLAS), and a framework in which to apply it. This paper describes the PLAS framework and shows how it can be used within current fields of research in IT security such as protection against downloadable code and in intrusion-detection systems.

Keywords: policy language, intrusion detection

Andreas Wespi, Marc Dacier, and Hervé Debar. An intrusion-detection system based on the Teiresias pattern-discovery algorithm. In U.E. Gattiker, P. Pedersen, and K. Petersen, editors, Proceedings of EICAR 1999. European Institute for Computer Antivirus Research (EICAR), 1999. [ bib | DOI ]

This paper addresses the problem of creating a pattern table that can be used to model the normal behavior of a given process. The model can be used for intrusion-detection purposes. So far, most of the approaches proposed have been based on fixed-length patterns, although variable-length patterns seem to be more naturally suited to model the normal process behavior. We have developed a technique to build tables of variable-length patterns. This technique is based on Teiresias, an algorithm initially developed for the discovery of rigid patterns in unaligned biological sequences. We evaluate the quality of our technique in a testbed environment and compare it with techniques based on fixed-length patterns.

Hervé Debar, Marc Dacier, Mehdi Nassehi, and Andreas Wespi. Fixed vs. variable-length patterns for detecting suspicious process behavior. In Jean-Jacques Quisquater, Yves Deswarte, Catherine Meadows, and Dieter Gollmann, editors, Proceedings of the 5th European Symposium on Research in Computer Security (ESORICS 98), number 1485 in Lecture Notes in Computer Science, pages 1-15, Louvain-La-Neuve, Belgium, September 1998. Springer Verlag. [ bib | DOI | .pdf ]

This paper addresses the problem of creating patterns that can be used to model the normal behavior of a given process. These models can be used for intrusion detection purposes. In a previous work, we presented a novel method to generate input data sets that enable us to observe the normal behavior of a process in a secure environment. Using this method, we propose various techniques to generate either fixed-length or variable-length patterns. We show the advantages and drawbacks of each technique, based on results of the experiments we have run on our testbed.

Hervé Debar, Marc Dacier, and Andreas Wespi. Reference audit information generation for intrusion detection systems. In Proceedings of IFIP SEC'98, 14th IFIP TC11 international information security conference, Vienna, Austria and Budapest, Hungary, August 1998. [ bib | .pdf ]

This paper addresses the problem of generating reference audit information used in the intrusion-detection technique proposed by Forrest et al. (1996). This technique uses a model of normal behavior of the information system being monitored to detect attacks against it. We present a novel approach to collect the reference behavior information used by the intrusion-detection system to solve the problem identified by Forrest et al. (1997). The model of normal behavior is extracted from this reference information, and then tested against real user activity and attacks.

Hervé Debar, Marc Dacier, Andreas Wespi, and Stefan Lampart. An experimentation workbench for intrusion detection systems. Technical report, IBM Zurich Research Laboratory, 1998. [ bib | .ps ]

Hervé Debar. Application des reseaux de neurones a la detection d'intrusions sur les systemes informatiques. PhD thesis, Université Pierre et Marie Curie, Paris, France, June 1993. [ bib | http ]

Intrusion detection for information systems is an area of computer security that is growing significantly in France. It is a new line of research that began in the United States. A project to design an intrusion-detection system, carried out at CSEE, made it possible to build a prototype and to explore one line of research: the use of so-called neural network algorithms within such a system. We first present one possible use of neural networks to model the usual behavior of the users of a computer system. This model relies on a neural network architecture that has been relatively little studied but that allows prediction with high success rates. The model is then studied for the more specific application to intrusion detection. We look at the comparison of this model with very simple statistical techniques, and at the study of its stability and the improvement of its performance. Second, we look at its reaction in a simulated intrusion situation. The model reacts strongly when the user on whom it was trained is replaced by another user.

Keywords: intrusion detection, anomaly detection, intrusion detection systems, user models, neural networks

Hervé Debar and Bernadette Dorizzi. An application of a recurrent network to an intrusion detection system. In Proceedings of the International Joint Conference on Neural Networks (IJCNN 1992), volume 2, pages 478-483, Baltimore, MD, USA, June 1992. IEEE, IEEE Computer Society Press. [ bib | DOI | http ]

We present an application of recurrent neural networks for intrusion detection. Such algorithms have been widely studied for time series prediction. Due to the characteristics of the temporal series that we consider, we have chosen a partially recurrent network for our application. After a description of the reactions of the network on classical problems, we present a prototype that we use to demonstrate the capability of neural nets in the field of intrusion detection.

Keywords: access control, recurrent neural nets, safety systems, security of data, Access control, Application software, Computer hacking, Computer security, Cryptography, Intrusion detection, Neural networks, Operating systems, Prototypes, Recurrent neural networks, anomaly detection, user behavior model

Hervé Debar, Monique Becker, and Didier Siboni. A neural network component for an intrusion detection system. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pages 240-250, Oakland, CA, May 1992. IEEE, IEEE Computer Society Press. [ bib | DOI | http ]

In this paper, we present a possible application of neural networks as a component of an intrusion detection system. Neural network algorithms are emerging nowadays as a new artificial intelligence technique that can be applied to real-life problems. We present an approach of user behavior modeling that takes advantage of the properties of neural algorithms and display results obtained on preliminary testing of our approach.

Keywords: expert systems, neural nets, security of data, time series, user modelling, Adaptive systems, Artificial intelligence, Artificial neural networks, Computer displays, Computer hacking, Expert systems, Hardware, Intrusion detection, neural networks, System testing