A Formal Framework to Specify and Deploy Reaction Policies

01 January 2010

Intrusion Detection Systems (IDSs) are widely used to secure information systems and have become a primary component of modern security architecture solutions. Different intrusion detection techniques have been introduced and implemented in governmental, academic and commercial information systems. Moreover, Intrusion Prevention Systems (IPSs) are widely used along with IDSs to counter detected threats. However, current intrusion prevention devices act only as conventional firewalls with the ability to block, terminate or redirect traffic when the corresponding intrusion event is triggered. In other words, the intrusion response is statically associated with one (or several) intrusion event(s). Nevertheless, in [1] a policy reaction formalism was defined as part of a contextual security policy. This reaction is performed globally, allowing a global access control modification in an organization. However, scalability remains an open issue that was not addressed in [1]. The threat context mechanism was implemented as a set of contextual rules that are triggered when the corresponding threat contexts become active. Only access