Model-Based Response Planning Strategies for Autonomic Intrusion Protection

Published: 16 April 2018

Abstract

The continuous increase in the quantity and sophistication of cyberattacks is making it more difficult and error-prone for system administrators to handle the alerts generated by intrusion detection systems (IDSs). To deal with this problem, several intrusion response systems (IRSs) have been proposed lately. IRSs extend IDSs by providing an automatic response to a detected attack. Such a response is usually selected either through a static attack-response mapping or by quantitatively evaluating all available responses against a set of predefined criteria. In this article, we introduce a probabilistic model-based IRS built on the Markov decision process (MDP) framework. In contrast to most existing approaches to intrusion response, the proposed IRS effectively captures the dynamics of both the defended system and the attacker, and it is able to compose atomic response actions to plan optimal multiobjective long-term response policies that protect the system. We evaluate the effectiveness of the proposed IRS by showing that long-term response planning always outperforms short-term planning, and we conduct a thorough performance assessment to show that the proposed IRS can be adopted to protect large distributed systems at runtime.
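The abstract's central claim, that composing atomic responses into a long-horizon MDP policy beats picking the response with the best immediate payoff, can be seen on a toy model. The following is an added illustration, not code from the paper: a constructed three-state intrusion-response MDP (healthy / foothold / breached) with three atomic responses, in which a one-step planner prefers the cheap block_ip response from the foothold state while discounted value iteration, weighing security damage against availability cost over the long run, prefers isolate_host. All states, actions, transition probabilities and costs are assumed illustration values.

```python
GAMMA = 0.9  # discount factor used by the long-term planner
STATES = ["healthy", "foothold", "breached"]
ACTIONS = ["monitor", "block_ip", "isolate_host"]
# Constructed illustration values (not from the paper): per-step damage in
# each state (security objective) and availability cost of each response.
DAMAGE = {"healthy": 0.0, "foothold": 2.0, "breached": 20.0}
ACTION_COST = {"monitor": 0.0, "block_ip": 1.0, "isolate_host": 10.0}

# P[s][a] = {next_state: prob} (constructed attacker dynamics): from a foothold
# the attacker escalates to a breach unless isolated; blocking an IP only slows it.
P = {
    "healthy": {"monitor": {"healthy": 0.9, "foothold": 0.1},
                "block_ip": {"healthy": 0.95, "foothold": 0.05},
                "isolate_host": {"healthy": 1.0}},
    "foothold": {"monitor": {"breached": 0.6, "foothold": 0.4},
                 "block_ip": {"foothold": 0.7, "breached": 0.3},
                 "isolate_host": {"healthy": 1.0}},
    "breached": {"monitor": {"breached": 1.0}, "block_ip": {"breached": 1.0},
                 "isolate_host": {"healthy": 1.0}},
}

def q_value(s, a, v):
    """Expected cost of taking action a in state s, given continuation values v."""
    return ACTION_COST[a] + sum(p * (DAMAGE[s2] + GAMMA * v[s2])
                                for s2, p in P[s][a].items())

def _fixed_point(update, tol=1e-8):
    """Iterate update(v) from v = 0 until the values stop changing."""
    v = {s: 0.0 for s in STATES}
    while True:
        new_v = update(v)
        if max(abs(new_v[s] - v[s]) for s in STATES) < tol:
            return new_v
        v = new_v

def myopic_policy():
    """Short-term planning: choose the action with the lowest next-step cost."""
    zero = {s: 0.0 for s in STATES}
    return {s: min(ACTIONS, key=lambda a: q_value(s, a, zero)) for s in STATES}

def plan_long_term():
    """Value iteration: long-term policy minimising discounted cumulative cost."""
    v = _fixed_point(lambda v: {s: min(q_value(s, a, v) for a in ACTIONS)
                                for s in STATES})
    return {s: min(ACTIONS, key=lambda a: q_value(s, a, v)) for s in STATES}, v

def evaluate(policy):
    """Discounted long-run cost of always following a fixed policy."""
    return _fixed_point(lambda v: {s: q_value(s, policy[s], v) for s in STATES})
```

With these numbers, evaluate(myopic_policy()) gives a long-run cost from the foothold state of roughly 44.6, against roughly 19.1 for the long-term policy.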


Published in

ACM Transactions on Autonomous and Adaptive Systems, Volume 13, Issue 1, March 2018, 184 pages
ISSN: 1556-4665
EISSN: 1556-4703
DOI: 10.1145/3208359

Copyright © 2018 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

  • Published: 16 April 2018
  • Accepted: 1 November 2017
  • Revised: 1 April 2017
  • Received: 1 September 2016

Qualifiers

  • research-article
  • Research
  • Refereed