Decision-Making for Intrusion Response: Which, Where, in What Order, and How Long?

Generating fine-grained response policies is a fundamental problem for Intrusion Response Systems (IRSs). Although existing schemes determine countermeasures and defense points efficiently, they ignore the deployment orders and execution durations of the selected countermeasures, which may impact response performance. To address this problem, by considering four attributes (i.e., attack damage, deployment cost, negative impact on QoS, and security benefit), we propose a decision-making framework for IRSs to reach fine-grained decisions that balance attack damage and response cost. We formulate decision-making as a single-objective optimization problem. To efficiently solve this problem, a Genetic Algorithm with Three-dimensional Encoding (GATE) is proposed to not only select countermeasures and defense points, but also determine deployment orders and execution durations. Simulation results demonstrate the efficiency of our approach.
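As an added illustration (not the paper's own code or its GATE implementation), the following toy genetic algorithm in Python uses genes carrying the three dimensions the abstract names, countermeasure, defense point and execution duration, with deployment order given by a gene's position in the chromosome. The countermeasure table, the point-effectiveness weights, the cost model in `fitness` and all GA parameters are assumptions constructed for this example.

```python
"""Toy GA with a three-dimensional gene (countermeasure, defense point, duration);
deployment order is the gene's slot index. All numbers are constructed."""
import random

# Constructed catalogue: name -> (mitigation strength, deployment cost, QoS penalty per time unit)
COUNTERMEASURES = {"block_ip": (3.0, 1.0, 0.5), "rate_limit": (2.0, 0.5, 0.3),
                   "isolate_host": (5.0, 3.0, 2.0), "none": (0.0, 0.0, 0.0)}
POINT_EFFECT = {"edge_fw": 1.0, "core_switch": 0.8, "host_agent": 0.6}  # assumed effectiveness per point
ATTACK_DAMAGE = 10.0            # assumed damage if no countermeasure is deployed
MAX_DURATION, SLOTS = 4, 3      # time budget per countermeasure; number of deployment slots

def fitness(chrom):
    """Higher is better: negative of residual damage + deployment cost + QoS penalty."""
    residual, cost, qos = ATTACK_DAMAGE, 0.0, 0.0
    for order, (cm, point, dur) in enumerate(chrom):    # slot index == deployment order
        strength, dep_cost, qos_rate = COUNTERMEASURES[cm]
        if cm == "none":
            continue
        effect = min(1.0, strength * POINT_EFFECT[point] * dur / 10)  # fraction of damage stopped
        residual *= 1 - effect * (1 - 0.2 * order)     # later deployment stops less damage
        cost += dep_cost
        qos += qos_rate * dur                          # QoS impact grows with execution time
    return -(residual + cost + qos)

def random_gene():
    return (random.choice(list(COUNTERMEASURES)), random.choice(list(POINT_EFFECT)),
            random.randint(1, MAX_DURATION))

def mutate(chrom, rate=0.2):
    out = [g if random.random() > rate else random_gene() for g in chrom]
    if random.random() < rate:                         # swapping slots changes deployment order
        i, j = random.sample(range(SLOTS), 2)
        out[i], out[j] = out[j], out[i]
    return out

def crossover(a, b):
    cut = random.randint(1, SLOTS - 1)
    return a[:cut] + b[cut:]

def gate_search(pop_size=30, generations=60, seed=1):
    """Elitist GA over (countermeasure, point, duration, order); returns best chromosome and score."""
    random.seed(seed)
    pop = [[random_gene() for _ in range(SLOTS)] for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        elite = pop[:pop_size // 5]
        children = [mutate(crossover(*random.sample(elite, 2))) for _ in range(pop_size - len(elite))]
        pop = elite + children
    best = max(pop, key=fitness)
    return best, fitness(best)

if __name__ == "__main__":
    print(gate_search())
```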
