Patents by Inventor Herve Debar
Herve Debar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 10419474
Abstract: A method of selecting, for at least one service of an information system and depending service(s), at least one countermeasure to be implemented against at least one cyber attack, the method includes: identifying elements of the service exposed to the cyber attack(s), calculating a risk mitigation level of each countermeasure with respect to the cyber attack(s), ranking the countermeasure(s) on the basis of a parameter which is at least a function of the risk mitigation level, simulating the impact of the countermeasure(s) on the service and the depending service(s), the countermeasure to be implemented being selected at least as a function of result of the simulation.
Type: Grant
Filed: November 10, 2015
Date of Patent: September 17, 2019
Assignee: INSTITUT MINES-TELECOM/TELECOM SUDPARIS
Inventors: Gustavo Gonzalez Granadillo, Hervé Debar
-
Publication number: 20170324766
Abstract: A method of selecting, for at least one service of an information system and depending service(s), at least one countermeasure to be implemented against at least one cyber attack, the method includes: identifying elements of the service exposed to the cyber attack(s), calculating a risk mitigation level of each countermeasure with respect to the cyber attack(s), ranking the countermeasure(s) on the basis of a parameter which is at least a function of the risk mitigation level, simulating the impact of the countermeasure(s) on the service and the depending service(s), the countermeasure to be implemented being selected at least as a function of result of the simulation.
Type: Application
Filed: November 10, 2015
Publication date: November 9, 2017
Applicant: INSTITUT MINES-TELECOM/TELECOM SUDPARIS
Inventors: Gustavo GONZALEZ GRANADILLO, Hervé DEBAR
-
Patent number: 7891002
Abstract: This invention concerns a method for processing computer system input data including at least one detection step for a specific word INSTR present among said data. In the method according to the invention, the specific word to be detected represents an instruction necessary for the execution of a program present among said data. Because it focuses detection on the means necessary for the execution of an attack program that thus reveal the presence of said program, the invention can be used to simply and effectively detect different types of attacks.
Type: Grant
Filed: September 20, 2002
Date of Patent: February 15, 2011
Assignee: France Telecom SA
Inventors: Herve Debar, Dominique Assing, Benjamin Morin
-
Patent number: 7810157
Abstract: A method of managing alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) including an alert management system (13), each alert being defined by an alert identifier and an alert content. Each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) is associated with a description including a conjunction of valued attributes belonging to attribute domains. The valued attributes belonging to each attribute domain are organized into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures. The description of each of said alerts is completed with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts. The complete alerts are stored in a logic file system (21) to enable them to be consulted.
Type: Grant
Filed: December 16, 2004
Date of Patent: October 5, 2010
Assignee: France Telecom
Inventors: Benjamin Morin, Hervé Debar
-
Patent number: 7571480
Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
Type: Grant
Filed: May 3, 2007
Date of Patent: August 4, 2009
Assignee: International Business Machines Corporation
Inventors: Steven Black, Herve Debar, John Michael Garrison
-
Publication number: 20090138970
Abstract: A method of automatically detecting intrusions among events under surveillance. The method comprises comparing an event under surveillance to a set of patterns, each pattern being associated with a predetermined intrusion signature from a set of intrusion signatures, determining among said set of intrusion signatures a subset of intrusion signatures revealing a particular intrusion in said event under surveillance, and dynamically generating a new signature corresponding to said subset of intrusion signatures, said new signature being dedicated to recognizing said particular intrusion.
Type: Application
Filed: July 6, 2006
Publication date: May 28, 2009
Applicant: FRANCE TELECOM
Inventors: Elvis Tombini, Herve Debar
-
Patent number: 7506373
Abstract: A method of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a1, . . . , an) belonging to a plurality of attribute domains (A1, . . . , An). Attributes belonging to each attribute domain are organized into a hierarchical structure. For each alert issued by the intrusion detection sensors (11a, 11b, 11c), a trellis specific to that alert is constructed by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure. Each specific trellis is iteratively merged into a general trellis. Collated alerts in the general trellis are identified by selecting the alerts that are simultaneously the most pertinent and the most general. The collated alerts are supplied to an output unit (23) of an alert management system (13).
Type: Grant
Filed: December 16, 2004
Date of Patent: March 17, 2009
Assignee: France Telecom
Inventors: Benjamin Morin, Hervé Debar, Elvis Tombini
-
Publication number: 20080165000
Abstract: The invention relates to a system and a method of suppressing false alarms among alarms issued by intrusion detection sensors (13a, 13b, 13c) of a protected information system (1) including entities (9, 11a, 11b) generating attacks associated with the alarms and an alarm management system (15), the method comprising the following steps: using a false alarm suppression module (23) to define qualitative relationships between the entities (9, 11a, 11b) and a set of profiles; using the false alarm suppression module (23) to define nominative relationships between the set of profiles and a set of names of attacks which that set of profiles is recognized as generating; and using the false alarm suppression module (23) to qualify a given alarm as a false alarm if the entity (9, 11a, 11b) implicated in the given alarm has a profile recognized as generating the attack associated with that given alarm.
Type: Application
Filed: May 9, 2005
Publication date: July 10, 2008
Applicant: FRANCE TELECOM
Inventors: Benjamin Morin, Herve Debar
-
Patent number: 7308689
Abstract: An event handler is provided that associates events from heterogeneous data sources. In a first phase, incoming events are translated to vectors of event attributes. Based on the data source, implicit information about the event and its attributes may be available. This information is used to normalize the information provided by the event. Normalization actions may include renaming the attributes, deriving new attributes from given attributes, and transforming attribute value ranges. In a second phase, a determination is made as to whether two or more events are considered to be associated based on the vectors. Different vectors of core attributes may be created in order to create associations with different semantics.
Type: Grant
Filed: December 18, 2002
Date of Patent: December 11, 2007
Assignee: International Business Machines Corporation
Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
-
Patent number: 7278160
Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
Type: Grant
Filed: August 16, 2001
Date of Patent: October 2, 2007
Assignee: International Business Machines Corporation
Inventors: Steven Black, Herve Debar, John Michael Garrison
-
Publication number: 20070204343
Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
Type: Application
Filed: May 3, 2007
Publication date: August 30, 2007
Inventors: Steven Black, Herve Debar, John Garrison
-
Publication number: 20070150579
Abstract: A method of managing alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) including an alert management system (13), each alert being defined by an alert identifier and an alert content. Each of the alerts issued by the intrusion detection sensors (11a, 11b, 11c) is associated with a description including a conjunction of valued attributes belonging to attribute domains. The valued attributes belonging to each attribute domain are organized into a taxonomic structure defining generalization relationships between said valued attributes, the plurality of attribute domains thus forming a plurality of taxonomic structures. The description of each of said alerts is completed with sets of values induced by the taxonomic structures on the basis of the valued attributes of said alerts to form complete alerts. The complete alerts are stored in a logic file system (21) to enable them to be consulted.
Type: Application
Filed: December 16, 2004
Publication date: June 28, 2007
Inventors: Benjamin Morin, Herve Debar
-
Publication number: 20070118905
Abstract: A method of automatically classifying alerts issued by intrusion detection sensors (11a, 11b, 11c) of an information security system (1) for producing collated alerts, each alert being defined by a plurality of qualitative attributes (a1, . . . , an) belonging to a plurality of attribute domains (A1, . . . , An). Attributes belonging to each attribute domain are organized into a hierarchical structure. For each alert issued by the intrusion detection sensors (11a, 11b, 11c), a trellis specific to that alert is constructed by generalizing each alert in accordance with each of its attributes and at all the levels of the hierarchical structure. Each specific trellis is iteratively merged into a general trellis. Collated alerts in the general trellis are identified by selecting the alerts that are simultaneously the most pertinent and the most general. The collated alerts are supplied to an output unit (23) of an alert management system (13).
Type: Application
Filed: December 16, 2004
Publication date: May 24, 2007
Applicant: France Telecom
Inventors: Benjamin Morin, Herve Debar, Elvis Tombini
-
Patent number: 7039953
Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations” are established from groups whose severity exceeds a threshold value. These groups and situations are then propagated up a hierarchical arrangement of systems and further aggregated so as to provide summary information over a larger group of systems. This hierarchical scheme allows for scalability of the event correlation process across larger networks of systems.
Type: Grant
Filed: August 30, 2001
Date of Patent: May 2, 2006
Assignee: International Business Machines Corporation
Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
-
Patent number: 6928556
Abstract: A method, apparatus, and computer implemented instructions for handling a situation in a data processing system. In response to detecting a situation, an aging function is applied to the situation. Alerts regarding the situation based on the aging function are presented.
Type: Grant
Filed: August 30, 2001
Date of Patent: August 9, 2005
Assignee: International Business Machines Corporation
Inventors: Steven C. Black, Herve Debar, John Michael Garrison, RoseAnne Swart
-
Publication number: 20050091528
Abstract: This invention concerns a method for processing computer system input data including at least one detection step for a specific word INSTR present among said data. In the method according to the invention, the specific word to be detected represents an instruction necessary for the execution of a program present among said data. Because it focuses detection on the means necessary for the execution of an attack program that thus reveal the presence of said program, the invention can be used to simply and effectively detect different types of attacks.
Type: Application
Filed: September 20, 2002
Publication date: April 28, 2005
Inventors: Herve Debar, Dominique Assing, Benjamin Morin
-
Publication number: 20040123304
Abstract: An event handler is provided that associates events from heterogeneous data sources. In a first phase, incoming events are translated to vectors of event attributes. Based on the data source, implicit information about the event and its attributes may be available. This information is used to normalize the information provided by the event. Normalization actions may include renaming the attributes, deriving new attributes from given attributes, and transforming attribute value ranges. In a second phase, a determination is made as to whether two or more events are considered to be associated based on the vectors. Different vectors of core attributes may be created in order to create associations with different semantics.
Type: Application
Filed: December 18, 2002
Publication date: June 24, 2004
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
-
Publication number: 20030051184
Abstract: A method, apparatus, and computer implemented instructions for handling a situation in a data processing system. In response to detecting a situation, an aging function is applied to the situation. Alerts regarding the situation based on the aging function are presented.
Type: Application
Filed: August 30, 2001
Publication date: March 13, 2003
Applicant: International Business Machines Corporation
Inventors: Steven C. Black, Herve Debar, John Michael Garrison, RoseAnne Swart
-
Publication number: 20030046582
Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations” are established from groups whose severity exceeds a threshold value. These groups and situations are then propagated up a hierarchical arrangement of systems and further aggregated so as to provide summary information over a larger group of systems. This hierarchical scheme allows for scalability of the event correlation process across larger networks of systems.
Type: Application
Filed: August 30, 2001
Publication date: March 6, 2003
Applicant: International Business Machines Corporation
Inventors: Steven Black, Herve Debar, John Michael Garrison, Andreas Wespi
-
Publication number: 20030041264
Abstract: A method, computer program product, and apparatus for presenting data about security-related events that puts the data into a concise form is disclosed. Events are abstracted into a set data-type. Sets with common elements are grouped together, and summaries of the groups—“situations”—are presented to a user or administrator.
Type: Application
Filed: August 16, 2001
Publication date: February 27, 2003
Applicant: International Business Machines Corporation
Inventors: Steven Black, Herve Debar, John Michael Garrison