ADEPTS : Adaptive Intrusion Containment and Response using Attack Graphs in an E-Commerce Environment

Distributed e-commerce systems are attractive targets for malicious attacks because of the potential financial impact. Intrusion detection in such systems has been an active area of research. Once an intrusion is detected, it is important to contain its effect to some parts of the system while allowing the other parts to continue providing service. It is also important to take preventive or reactive responses that reduce the likelihood of the system being compromised by a future attack. In this paper, we present the design and implementation of an Adaptive Intrusion Tolerant System, ADEPTS, for automatically containing and responding to intrusions in a distributed e-commerce system. The underlying representation is a directed acyclic graph (DAG) of intrusion goals, the I-DAG, in which each node is a sub-goal of an attack and a node can be reached only after the goals of its child nodes have been achieved. We assume an intrusion detection framework that provides alerts to ADEPTS. In response, a parallel algorithm computes the likelihood that one or more goals in the DAG have been achieved. Next, a response measure computation algorithm determines the appropriate response action. A feedback mechanism estimates the success or failure of a deployed response and uses that estimate to adjust the system weights that guide future choices. ADEPTS is implemented on a distributed e-commerce system comprising a web server, an application server, a database server and a directory server. Alerts corresponding to different attack types are simulated, the algorithms are executed and response actions are deployed. The experiments bring out the latency of the infrastructure and the effectiveness of escalation in dealing with failed responses, compared to statically mapped Intrusion Response Systems (IRS).
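The abstract describes three pieces that fit together: an I-DAG in which a goal is reachable only once its child sub-goals are achieved, a likelihood computation driven by detector alerts, and a response selection step whose weights are adjusted by feedback so that a failed response is escalated next time. The following is an added toy model of that loop written for this page; it is not the ADEPTS implementation and the paper's actual formulas are not given here. Everything specific is an assumption: the three-service I-DAG, the alert confidences, the AND (minimum) rule for combining child likelihoods, the score `weight * likelihood - disruption` used to rank responses, and the halving of a response's weight on failure.

```python
"""Toy I-DAG containment/response loop (constructed example, not ADEPTS code).

Assumed semantics:
  * likelihood(goal) = min(alert confidence for goal, likelihood of each child);
    a goal cannot be achieved before all of its sub-goals are achieved.
  * a response is deployed for every goal whose likelihood reaches THRESHOLD;
    the candidate with the highest  weight * likelihood - disruption  wins.
  * feedback: a failed response has its weight halved, so a more disruptive
    but more effective alternative wins on the next round (escalation).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

THRESHOLD = 0.5  # assumed deployment threshold on goal likelihood


@dataclass
class Response:
    name: str
    weight: float       # learned effectiveness estimate, tuned by feedback
    disruption: float   # service impact of deploying it, in [0, 1]


@dataclass
class Goal:
    name: str
    children: List[str] = field(default_factory=list)        # sub-goals
    responses: List[Response] = field(default_factory=list)  # candidates


class IDag:
    def __init__(self, goals: List[Goal]):
        self.goals: Dict[str, Goal] = {g.name: g for g in goals}

    def likelihood(self, name: str, alerts: Dict[str, float],
                   memo: Optional[Dict[str, float]] = None) -> float:
        """Likelihood that `name` has been achieved, memoised over the DAG."""
        memo = {} if memo is None else memo
        if name in memo:
            return memo[name]
        goal = self.goals[name]
        value = alerts.get(name, 0.0)  # direct detector evidence for this node
        if goal.children:
            # AND semantics: capped by the weakest prerequisite sub-goal.
            value = min([value] + [self.likelihood(c, alerts, memo)
                                   for c in goal.children])
        memo[name] = value
        return value

    def all_likelihoods(self, alerts: Dict[str, float]) -> Dict[str, float]:
        memo: Dict[str, float] = {}
        for name in self.goals:
            self.likelihood(name, alerts, memo)
        return memo

    def choose_response(self, name: str, likelihood: float) -> Optional[str]:
        goal = self.goals[name]
        if likelihood < THRESHOLD or not goal.responses:
            return None
        best = max(goal.responses,
                   key=lambda r: r.weight * likelihood - r.disruption)
        return best.name

    def feedback(self, name: str, response_name: str, succeeded: bool) -> None:
        """Adjust the weight of a deployed response from its observed outcome."""
        for r in self.goals[name].responses:
            if r.name == response_name:
                r.weight = min(1.0, r.weight * 1.1) if succeeded else r.weight * 0.5


def plan_responses(dag: IDag, alerts: Dict[str, float]) -> Dict[str, str]:
    """Map each sufficiently likely goal to the response chosen for it."""
    plan = {}
    for name, lik in dag.all_likelihoods(alerts).items():
        chosen = dag.choose_response(name, lik)
        if chosen is not None:
            plan[name] = chosen
    return plan


def build_example_dag() -> IDag:
    # Constructed three-service I-DAG; goal and response names are hypothetical.
    return IDag([
        Goal("web_server_compromised", [],
             [Response("block_source_ip", 0.8, 0.1),
              Response("restart_web_server", 0.9, 0.4)]),
        Goal("app_server_compromised", ["web_server_compromised"],
             [Response("revoke_session_tokens", 0.8, 0.3),
              Response("isolate_app_server", 0.9, 0.6)]),
        Goal("customer_db_exfiltrated", ["app_server_compromised"],
             [Response("block_db_port_from_app", 0.9, 0.5)]),
    ])


# Constructed alert confidences for one detection round.
EXAMPLE_ALERTS = {"web_server_compromised": 0.9, "app_server_compromised": 0.7}


if __name__ == "__main__":
    dag = build_example_dag()
    print(dag.all_likelihoods(EXAMPLE_ALERTS))
    first = plan_responses(dag, EXAMPLE_ALERTS)
    print("round 1:", first)
    # Operator/monitor reports the app-server response did not take effect.
    dag.feedback("app_server_compromised", first["app_server_compromised"], False)
    print("round 2:", plan_responses(dag, EXAMPLE_ALERTS))
```

With these numbers the database-exfiltration goal stays at likelihood 0 because no alert supports it directly, even though its prerequisite is likely, so no response is wasted there. The cheap session-token revocation wins first for the application server; after one failure report its weight halves and the more disruptive isolation is selected instead, which is the escalation behaviour the abstract contrasts with a static alert-to-response mapping.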
