Definition of response metrics for an ontology-based Automated Intrusion Response Systems

The main purpose of an AIRS (Automated Intrusion Response System) is to choose and execute the optimum response when the different security-event network detection sources detect security intrusions. The inference of the most suitable response should be made according to a set of response metrics that specify different rules for selecting a specific response according to some context and input parameters and the weight associated with each of them. Furthermore, the Semantic Web Rule Language (SWRL) can be used to specify these response metrics, providing an open and extensible framework for the behavior description of an AIRS, able to be integrated with the increasing number of Semantic Web tools. The aim of this paper is to study and characterize these metrics, as well as defining a set of response metrics for an AIRS, specifying these metrics with SWRL rules and testing their execution with Semantic Web current technologies. Finally, some results are shown concerning the inferred responses and performance of this SWRL-based reasoning.

[1]  Johnny S. Wong,et al.  A Framework for Cost Sensitive Assessment of Intrusion Response Selection , 2009, 2009 33rd Annual IEEE International Computer Software and Applications Conference.

[2]  Johnny S. Wong,et al.  A Cost-Sensitive Model for Preemptive Intrusion Response Systems , 2007, 21st International Conference on Advanced Information Networking and Applications (AINA '07).

[3]  Steffen Staab,et al.  International Handbooks on Information Systems , 2013 .

[4]  H. Lan,et al.  SWRL : A semantic Web rule language combining OWL and ruleML , 2004 .

[5]  Christopher Krügel,et al.  Evaluating the impact of automated intrusion response mechanisms , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[6]  Udo W. Pooch,et al.  Adaptive agent-based intrusion response , 2001 .

[7]  Jorge E. López de Vergara,et al.  Use of Ontologies for the Definition of Alerts and Policies in a Network Security Platform , 2009, J. Networks.

[8]  Michel Dagenais,et al.  Intrusion Response Systems: Survey and Taxonomy , 2012 .

[9]  Hervé Debar,et al.  The Intrusion Detection Message Exchange Format (IDMEF) , 2007, RFC.

[10]  Udo W. Pooch,et al.  Cooperating security managers: a peer-based intrusion detection system , 1996, IEEE Netw..

[11]  Steven Furnell,et al.  Achieving automated intrusion response: a prototype implementation , 2006, Inf. Manag. Comput. Secur..

[12]  Mariano Fernández-López,et al.  Ontological Engineering , 2003, Encyclopedia of Database Systems.

[13]  Eugene H. Spafford,et al.  Automated adaptive intrusion containment in systems of interacting services , 2007, Comput. Networks.

[14]  Pin-Han Ho,et al.  Measuring Intrusion Impacts for Rational Response: A State-based Approach , 2007, 2007 Second International Conference on Communications and Networking in China.

[15]  Yingjiu Li,et al.  An intrusion response decision-making model based on hierarchical task network planning , 2010, Expert Syst. Appl..

[16]  Julio Berrocal,et al.  Ontology-Based Network Management: Study Cases and Lessons Learned , 2009, Journal of Network and Systems Management.

[17]  A. Halim Zaim,et al.  A hybrid intrusion detection system design for computer network security , 2009, Comput. Electr. Eng..

[18]  Johnny S. Wong,et al.  A taxonomy of intrusion response systems , 2007, Int. J. Inf. Comput. Secur..

[19]  Víctor A. Villagrá,et al.  Ontologies-Based Automated Intrusion Response System , 2010, CISIS.

[20]  Eugene H. Spafford,et al.  ADEPTS: adaptive intrusion response using attack graphs in an e-commerce environment , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[21]  Peter G. Neumann,et al.  EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances , 1997, CCS 2002.