Abstract
The continuous increase in the quantity and sophistication of cyberattacks is making it more difficult and error-prone for system administrators to handle the alerts generated by intrusion detection systems (IDSs). To deal with this problem, several intrusion response systems (IRSs) have been proposed recently. IRSs extend IDSs by providing an automatic response to the detected attack. Such a response is usually selected either with a static attack-response mapping or by quantitatively evaluating all available responses against a set of predefined criteria. In this article, we introduce a probabilistic model-based IRS built on the Markov decision process (MDP) framework. In contrast to most existing approaches to intrusion response, the proposed IRS effectively captures the dynamics of both the defended system and the attacker and is able to compose atomic response actions to plan optimal multiobjective long-term response policies to protect the system. We evaluate the effectiveness of the proposed IRS by showing that long-term response planning always outperforms short-term planning, and we conduct a thorough performance assessment to show that the proposed IRS can be adopted to protect large distributed systems at runtime.
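To illustrate the abstract's central claim that long-term planning over an MDP composes atomic responses better than short-term response selection, here is a constructed toy intrusion-response MDP solved by finite-horizon value iteration (added example code, not the paper's model or implementation). The four attack stages, the three responses and all damage, availability-cost and transition values are assumptions chosen for the illustration; a one-step lookahead tolerates an attacker foothold because isolating costs availability now, while the long-horizon policy pays that cost early to avoid expected lateral movement and exfiltration.

```python
# Constructed toy intrusion-response MDP (not the paper's model): four attack
# stages, three atomic responses, per-step security damage and availability cost.
STATES = ["clean", "foothold", "lateral", "exfil"]
ACTIONS = ["observe", "block", "isolate"]
DAMAGE = [0.0, 1.0, 4.0, 20.0]                     # security cost paid each step in a stage
AVAIL_COST = {"observe": 0.0, "block": 2.0, "isolate": 6.0}  # availability cost of a response
GAMMA = 0.9                                        # discount factor for future cost
N = len(STATES)

def transition(s, a):
    """Return {next_stage: probability} after response a is applied in stage s."""
    if a == "isolate":                              # evicts the attacker with prob. 0.9
        return {0: 1.0} if s == 0 else {0: 0.9, s: 0.1}
    if s == 3:                                      # exfiltration is absorbing unless isolated
        return {3: 1.0}
    # chance the attacker advances one stage: new intrusions arrive at 0.1/step,
    # an established attacker advances at 0.6/step unless blocked (0.1/step)
    adv = 0.1 if (s == 0 or a == "block") else 0.6
    return {s: 1.0 - adv, s + 1: adv}

def q_value(s, a, v):
    """Immediate cost of (s, a) plus discounted expected cost of the successor stage."""
    nxt = sum(p * v[t] for t, p in transition(s, a).items())
    return DAMAGE[s] + AVAIL_COST[a] + GAMMA * nxt

def plan(horizon):
    """Finite-horizon value iteration (terminal value 0); returns the first-step policy."""
    v, policy = [0.0] * N, None
    for _ in range(horizon):
        qs = [[q_value(s, a, v) for a in ACTIONS] for s in range(N)]
        policy = [ACTIONS[q.index(min(q))] for q in qs]
        v = [min(q) for q in qs]
    return policy

def evaluate(policy, iters=500):
    """Expected discounted long-run cost of following a fixed policy from each stage."""
    v = [0.0] * N
    for _ in range(iters):
        v = [q_value(s, policy[s], v) for s in range(N)]
    return v

if __name__ == "__main__":
    for h in (1, 2, 200):   # greedy, one-step lookahead, effectively infinite horizon
        pol = plan(h)
        print(f"horizon={h:3d} policy={pol} long-run cost={[round(x, 1) for x in evaluate(pol)]}")
```

With these values the horizon-2 planner observes at the foothold stage while the converged planner isolates there, and the converged policy has lower expected long-run cost in every stage.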
Model-Based Response Planning Strategies for Autonomic Intrusion Protection