• DocumentCode
    2409012
  • Title
    Information Flow Control for Intrusion Detection Derived from MAC Policy
  • Author
    Geller, Stéphane ; Hauser, Christophe ; Tronel, Frédéric ; Tong, Valérie Viet Triem
  • Author_Institution
    SSIR Group (EA 4039), SUPELEC, Rennes, France
  • fYear
    2011
  • fDate
    5-9 June 2011
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    Most of today's MAC implementations can be switched into a permissive mode, where no enforcement is performed but alerts are raised instead. This behavior is very close to that of an anomaly IDS, except that the system is configured through a MAC policy. MAC implementations such as SELinux and AppArmor come with a default policy including real-life, practical rules ready to be used as is or as a basis for a custom policy. In this paper, we first propose an extension of an IDS based on information flow control. We address issues concerning program execution and improve its expressiveness in terms of security policy. This extended model can be configured to reach a wide variety of different security goals. In particular, it allows information flow checking based on user- and/or program-dependent policy rules. Furthermore, suspicious modification of binary programs can be detected to prevent malware execution. We also propose an algorithm for deriving an information flow policy from an AppArmor MAC policy, and thus gain the advantage of a ready-to-use policy offering good security. We finally show a practical example of deriving such a policy in order to configure our IDS.
  • Keywords
    access protocols; invasive software; security of data; telecommunication congestion control; IDS; MAC implementation; MAC policy; binary program; custom policy; information flow checking; information flow control; information flow policy; intrusion detection; malware execution; program dependent policy rule; security goal; security policy; Access control; Containers; Law; Linux; Operating systems
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications (ICC), 2011 IEEE International Conference on
  • Conference_Location
    Kyoto
  • ISSN
    1550-3607
  • Print_ISBN
    978-1-61284-232-5
  • Electronic_ISBN
    1550-3607
  • Type
    conf
  • DOI
    10.1109/icc.2011.5962660
  • Filename
    5962660