Success Likelihood of Ongoing Attacks for Intrusion Detection and Response Systems

Intrusion Detection and Response Systems have become a core component of modern security architectures. Current research combines intrusion detection and response systems with risk analysis or cost-sensitive approaches to improve both detection and the response procedure, by assessing the risk of detected attacks and of candidate countermeasures. Risk has two primary dimensions: (i) the likelihood of success of the attack(s), and (ii) the impact of the attack(s) and of the countermeasure(s). In this paper, we present a model to assess the success likelihood of attack objectives. This model can be used by intrusion detection and response systems to identify candidate ongoing scenarios, dynamically calculate the likelihood of success for each of them taking into account the progress of the attack and the state of the target system, and finally prioritize candidate intrusion objectives and their associated countermeasures.
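The following is an added illustration, not the paper's model and not code from its authors: a toy ranker that shows the mechanics the abstract describes. Each candidate scenario is an ordered list of steps with an assumed base success probability; correlated alerts mark which steps have already happened (progress), and facts about the target (service up, vulnerability unpatched, password authentication enabled) condition the remaining steps. The objective's success likelihood is the product of the remaining steps' conditional probabilities, and candidates are ranked by likelihood times an assumed impact. All scenario names, step names, probabilities, state facts and alerts are constructed for the example.

```python
"""Toy dynamic success-likelihood ranking for candidate attack scenarios.

Hypothetical illustration (not the paper's model): a scenario is an ordered
list of steps; each step has an assumed base success probability that is
conditioned on the state of the target. Steps already evidenced by correlated
alerts count as done; the objective's likelihood is the product of the
remaining steps' conditional probabilities; risk = likelihood * impact.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    name: str             # alert signature / action that evidences this step
    base_p: float         # assumed success probability when preconditions hold
    requires: tuple = ()  # target-state facts the step depends on (assumed)


@dataclass
class Scenario:
    objective: str
    steps: list
    impact: float         # assumed impact of reaching the objective (0..1)


def step_likelihood(step, state):
    """Conditional success probability of one step given the target state.
    Assumed rule: a missing precondition (service down, vulnerability patched,
    password auth disabled) drives the step's likelihood to zero."""
    for fact in step.requires:
        if not state.get(fact, False):
            return 0.0
    return step.base_p


def scenario_likelihood(scenario, observed, state):
    """Return (likelihood, steps_done) for the objective.

    `observed` is the set of step names already evidenced by correlated alerts.
    Progress is the longest prefix of the scenario whose steps were all
    observed; those steps are treated as certain (they already happened, even
    if the target was fixed afterwards), and the remaining steps multiply in
    their conditional probabilities under the current target state.
    """
    done = 0
    for s in scenario.steps:
        if s.name in observed:
            done += 1
        else:
            break
    p = 1.0
    for s in scenario.steps[done:]:
        p *= step_likelihood(s, state)
        if p == 0.0:
            break
    return p, done


def prioritize(scenarios, observed, state):
    """Rank candidate objectives by risk = likelihood * impact, descending."""
    ranked = []
    for sc in scenarios:
        p, done = scenario_likelihood(sc, observed, state)
        ranked.append({"objective": sc.objective,
                       "progress": f"{done}/{len(sc.steps)}",
                       "likelihood": round(p, 4),
                       "risk": round(p * sc.impact, 4)})
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked


# Constructed sample scenarios with assumed probabilities and impacts.
SCENARIOS = [
    Scenario("voip_toll_fraud", [
        Step("sip_scan", 0.9),
        Step("sip_register_bruteforce", 0.4, ("sip_weak_auth",)),
        Step("rogue_call_setup", 0.8, ("sip_proxy_up",)),
    ], impact=0.7),
    Scenario("db_exfiltration", [
        Step("port_scan", 0.9),
        Step("web_sqli", 0.5, ("web_app_unpatched",)),
        Step("dump_customer_table", 0.9),
    ], impact=0.9),
    Scenario("host_takeover", [
        Step("port_scan", 0.9),
        Step("ssh_bruteforce", 0.1, ("ssh_password_auth",)),
        Step("root_escalation", 0.3),
    ], impact=1.0),
]

# Constructed target state and correlated alerts observed so far.
STATE_T0 = {"sip_weak_auth": True, "sip_proxy_up": True,
            "web_app_unpatched": True, "ssh_password_auth": False}
OBSERVED_T0 = {"port_scan", "sip_scan"}

if __name__ == "__main__":
    for r in prioritize(SCENARIOS, OBSERVED_T0, STATE_T0):
        print(r)
    # Patching the web app before the SQLi step is seen removes that
    # candidate from the top of the list; seeing the SQLi first does not.
    patched = dict(STATE_T0, web_app_unpatched=False)
    for r in prioritize(SCENARIOS, OBSERVED_T0, patched):
        print(r)
```

Two points the toy makes concrete: the ranking moves as alerts arrive (each confirmed step removes a factor below 1 from the product, so an objective becomes more likely the further its scenario has progressed), and a countermeasure that falsifies a precondition of a step not yet taken zeroes the remaining path, whereas the same fix applied after the step was observed changes nothing about that scenario's likelihood. A real system would replace the hand-picked step probabilities with something grounded (attacker skill, exploit availability, exposure), which is exactly the modelling question the paper addresses.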
