Risk balance defense approach against intrusions for network server

This paper presents a new defense approach based on risk balance to protect network servers from intrusion activities. We construct and implement a risk balance system consisting of three modules: a comprehensive alert processing module, an online risk assessment module, and a risk balance response decision-making module. The alert processing module improves the information quality of raw intrusion detection system (IDS) alerts by reducing the false alert rate, forming alert threads, and computing general parameters from those threads. The risk assessment module evaluates risk accurately according to the alert threads. Based on the risk assessment, the response decision-making module makes correct response decisions and performs very well in terms of noise immunity. With advantages over conventional intrusion response systems, the risk balancer protects network servers not by directly blocking intrusion activities but by redirecting the related network traffic and changing the service platform. In this way, the system configuration that favors the attacker is changed, and attacks are stopped with little impact on service to users. The proposed risk balance approach is therefore a good solution not only to the trade-off between the effectiveness and the negative effects of responses but also to the false-response problem caused by IDS false-positive alerts and duplicated alerts.
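The following is an added illustration of the three-module pipeline described above (alert processing into threads, risk assessment, and a redirect-rather-than-block response); it is not the paper's own code, and the sample alerts, the risk formula and the threshold are assumptions chosen for illustration.

```python
"""Illustrative three-stage risk balance pipeline: alert processing
(de-duplicate, form alert threads, derive parameters), risk assessment,
and a response decision that redirects rather than blocks.
Formulas and thresholds here are assumptions, not the paper's."""
from collections import defaultdict

# Constructed sample IDS alerts: (timestamp, src, dst, signature, verified)
RAW_ALERTS = [
    (100, "10.0.0.5", "web-01", "http-sqli", True),
    (100, "10.0.0.5", "web-01", "http-sqli", True),   # exact duplicate
    (130, "10.0.0.5", "web-01", "http-sqli", True),
    (160, "10.0.0.5", "web-01", "http-rce", True),
    (200, "10.0.0.9", "web-01", "port-scan", False),  # unverified: treated as false alert
]

def form_threads(alerts):
    """Drop duplicates and unverified alerts, then group by (source, target)."""
    seen, threads = set(), defaultdict(list)
    for a in alerts:
        if a in seen or not a[4]:
            continue
        seen.add(a)
        threads[(a[1], a[2])].append(a)
    return threads

def thread_params(thread):
    """General parameters of a thread: alert count, distinct signatures, duration."""
    ts = [a[0] for a in thread]
    return {"count": len(thread),
            "signatures": len({a[3] for a in thread}),
            "duration": max(ts) - min(ts)}

def assess_risk(params):
    """Assumed risk score in [0, 1]: more alerts and more distinct
    signatures (an escalating intrusion) raise the risk."""
    score = 0.2 * params["count"] + 0.3 * (params["signatures"] - 1)
    return min(1.0, score)

def decide_response(risk, threshold=0.5):
    """Risk balance response: above the threshold, redirect the related
    traffic and switch the service platform instead of blocking."""
    return "redirect_and_switch_platform" if risk >= threshold else "monitor"

def run_pipeline(alerts):
    """Run all three modules and return a decision per alert thread."""
    decisions = {}
    for key, thread in form_threads(alerts).items():
        risk = assess_risk(thread_params(thread))
        decisions[key] = (round(risk, 2), decide_response(risk))
    return decisions
```

The unverified scan alert never forms a thread, so it cannot trigger a false response, while the escalating thread from 10.0.0.5 is answered by redirection rather than a block.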
