RRE: A Game-Theoretic Intrusion Response and Recovery Engine (IEEE Transactions on Parallel and Distributed Systems)

Preserving the availability and integrity of networked computing systems in the face of fast-spreading intrusions requires advances not only in detection algorithms, but also in automated response techniques. In this paper, we propose a new approach to automated response called the response and recovery engine (RRE). Our engine employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. The RRE applies attack-response trees (ARTs) to analyze undesired system-level security events within host computers and their countermeasures, using Boolean logic to combine lower-level attack consequences. In addition, the RRE accounts for uncertainties in intrusion detection alert notifications. The RRE then chooses optimal response actions by solving a partially observable competitive Markov decision process that is automatically derived from the attack-response trees. To support network-level multiobjective response selection and to account for possibly conflicting network security properties, we employ fuzzy logic theory to calculate the network-level security metric values, i.e., the security levels of the system's current and potential future states in each stage of the game. In particular, inputs to the network-level game-theoretic response selection engine are first fed into a fuzzy system that performs nonlinear inference and quantitative ranking of the possible actions using its previously defined fuzzy rule set. The optimal network-level response actions are then chosen through a game-theoretic optimization process. Experimental results show that the RRE, using Snort's alerts, can protect large networks whose attack-response trees have more than 500 nodes.
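To make the attack-response-tree idea concrete, the following is an added toy example (not the authors' RRE code): uncertain IDS alerts give each leaf consequence a belief, AND/OR gates combine leaves into the root consequence, and a one-stage selection picks the response that minimises residual expected loss plus response cost. The node names, beliefs, costs and impact value are all constructed.

```python
# Toy attack-response tree (ART) evaluator, added as an illustration of the
# abstract's idea; it is not the RRE implementation. Leaves are attack
# consequences whose belief comes from uncertain IDS alerts, AND/OR gates
# combine them into the root consequence, and each response action neutralises
# some leaves at a cost. All names, beliefs, costs and the impact are constructed.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

@dataclass
class Gate:
    op: str                 # "AND" or "OR"
    children: List["Node"]

Node = Union[str, Gate]     # a str is a leaf consequence name

def prob(node: Node, belief: Dict[str, float]) -> float:
    """P(consequence holds), treating leaf beliefs as independent."""
    if isinstance(node, str):
        return belief.get(node, 0.0)
    ps = [prob(c, belief) for c in node.children]
    if node.op == "AND":            # every child consequence must hold
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.op == "OR":             # at least one child consequence holds
        none_hold = 1.0
        for p in ps:
            none_hold *= 1.0 - p
        return 1.0 - none_hold
    raise ValueError(f"unknown gate {node.op}")

def expected_cost(root: Node, belief: Dict[str, float], neutralised: Set[str],
                  cost: float, impact: float) -> float:
    """Residual expected loss after the response, plus the response's own cost."""
    after = {k: (0.0 if k in neutralised else v) for k, v in belief.items()}
    return prob(root, after) * impact + cost

def choose_response(root: Node, belief: Dict[str, float],
                    responses: Dict[str, Tuple[float, Set[str]]],
                    impact: float) -> Tuple[str, Dict[str, float]]:
    """One-stage greedy choice: the cheapest response by expected total cost."""
    scores = {name: expected_cost(root, belief, leaves, c, impact)
              for name, (c, leaves) in responses.items()}
    return min(scores, key=scores.get), scores

# Constructed example: attacker needs (SQLi OR weak password) AND DB reachability.
ART = Gate("AND", [Gate("OR", ["sql_injection", "weak_password"]), "db_reachable"])
BELIEF = {"sql_injection": 0.8, "weak_password": 0.3, "db_reachable": 0.9}
RESPONSES = {                       # name: (cost, leaves the action neutralises)
    "no_action": (0.0, set()),
    "block_source_ip": (2.0, {"sql_injection"}),
    "disable_account": (3.0, {"weak_password"}),
    "isolate_db": (10.0, {"db_reachable"}),
}

if __name__ == "__main__":
    best, scores = choose_response(ART, BELIEF, RESPONSES, impact=20.0)
    print(best, scores)
```

With these constructed numbers the root consequence has probability 0.774 before any response, and blocking the source IP (expected total 7.4) beats isolating the database (10.0) because it removes the most likely path at far lower cost.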
