Measuring Intrusion Impacts for Rational Response: A State-based Approach

Although intrusion detection systems (IDSs) play a significant role in defending information systems against attacks, they can only partially reflect the true system state because of false alarms, low detection rates, inaccurate reports, and inappropriate responses. An automated response component built upon such systems must therefore account for the imperfect picture inferred from them and act accordingly. This paper presents a state-based approach to measuring intrusion impacts on the basis of IDS reports and to analyzing the costs and benefits of candidate response policies. Specifically, assuming the system evolves as a Markov process conditioned on the current system state, imperfect observations, and actions, we use a partially observable Markov decision process to model the efficacy of IDSs (as well as alert correlation technology) as providing a probabilistic assessment of the state of system assets, and to maximize rewards (cost and benefit) by taking appropriate actions in response to the estimated states. The objective is to move the system towards more secure states with respect to particular security metrics. We use real trace benchmark data to evaluate our approach and demonstrate its promising performance.
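As an added illustration, not code from the paper, the following Python models the mechanism the abstract describes: an asset with two states, three response actions, an IDS whose reports are an imperfect observation of the state, a Bayes filter that turns those reports into a belief over the state, and a myopic rule that picks the action maximizing one-step expected reward (response cost plus expected compromise cost). All transition probabilities, detection and false-alarm rates, and costs are constructed assumptions, not figures from the paper.

```python
"""POMDP-style belief tracking over imperfect IDS reports with myopic response
selection. All probabilities and costs are constructed illustrative values."""
STATES = ("secure", "compromised")
ACTIONS = ("monitor", "block", "restore")
# T[a][s][s2]: constructed transition model; "monitor" does nothing, "block"
# slows an attacker, "restore" re-images the asset.
T = {
    "monitor": {"secure": {"secure": 0.95, "compromised": 0.05},
                "compromised": {"secure": 0.00, "compromised": 1.00}},
    "block":   {"secure": {"secure": 0.99, "compromised": 0.01},
                "compromised": {"secure": 0.10, "compromised": 0.90}},
    "restore": {"secure": {"secure": 0.99, "compromised": 0.01},
                "compromised": {"secure": 0.95, "compromised": 0.05}},
}
# O[s2][o]: constructed IDS model, 80% detection rate, 20% false alarm rate.
O = {"secure": {"no_alert": 0.8, "alert": 0.2},
     "compromised": {"no_alert": 0.2, "alert": 0.8}}
ACTION_COST = {"monitor": 0.0, "block": 5.0, "restore": 30.0}  # response cost
COMPROMISE_COST = 100.0  # cost of ending a step in the compromised state

def predict(belief, action):
    """Push the belief through the transition model for the chosen action."""
    return {s2: sum(belief[s] * T[action][s][s2] for s in STATES) for s2 in STATES}

def update(belief, action, obs):
    """Bayes filter: condition the predicted belief on the IDS observation."""
    pred = predict(belief, action)
    unnorm = {s2: O[s2][obs] * pred[s2] for s2 in STATES}
    z = sum(unnorm.values())
    return {s2: v / z for s2, v in unnorm.items()}

def expected_reward(belief, action):
    """One-step expected reward: response cost plus expected compromise cost."""
    return -ACTION_COST[action] - COMPROMISE_COST * predict(belief, action)["compromised"]

def choose_action(belief):
    """Pick the response with the highest one-step expected reward."""
    return max(ACTIONS, key=lambda a: expected_reward(belief, a))

def run(observations):
    """Feed a constructed alert stream; return (obs, P(compromised), action) per step."""
    belief, action, trace = {"secure": 1.0, "compromised": 0.0}, "monitor", []
    for obs in observations:
        belief = update(belief, action, obs)      # estimate state from the report
        action = choose_action(belief)            # respond to the estimated state
        trace.append((obs, round(belief["compromised"], 3), action))
    return trace

if __name__ == "__main__":
    for step in run(["no_alert", "alert", "alert", "no_alert"]):
        print(step)
```

With these constructed parameters the myopic rule monitors below roughly 17% belief in compromise, blocks between 17% and 29%, and restores above that, so a single alert escalates to blocking and a second consecutive alert to restoring.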
