Intelligent response system to mitigate the success likelihood of ongoing attacks

Intrusion response models and systems have recently been an active field in security research. These systems rely on a fine diagnosis to perform and optimize their response. In particular, previous papers focus on balancing the cost of the response against the impact of the attack. In this paper, we present a novel attack response system based on assessing the likelihood that attack objectives will succeed. First, the ongoing potential attacks are identified and their success likelihood is calculated dynamically. The success likelihood depends mainly on the progress of the attack and the state of the monitored system. Second, candidate countermeasures are identified, and their effectiveness in reducing the pre-calculated success likelihood is assessed. Finally, the candidate countermeasures are prioritized.
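As an added illustration of the pipeline the abstract describes (not the paper's own model or code), the following Python sketch assumes a simplified model: an attack objective is a sequence of steps, each needing a system-state condition and carrying an assumed per-step feasibility; progress is the number of steps already observed; a countermeasure is scored by how much it lowers the remaining success likelihood. All step, condition and countermeasure names are hypothetical.

```python
from dataclasses import dataclass

# Assumed, simplified model (not the paper's): an attack objective is a step sequence.
# Each remaining step needs a system-state condition to hold and has an assumed feasibility.

@dataclass
class Step:
    name: str
    requires: str        # system-state condition the step depends on
    feasibility: float   # assumed probability the attacker completes it if the condition holds

@dataclass
class Attack:
    objective: str
    steps: list
    observed: int = 0    # steps already seen via correlated alerts (attack progress)

def success_likelihood(attack, state):
    """Likelihood the objective is reached, given progress and the current system state."""
    p = 1.0
    for step in attack.steps[attack.observed:]:   # only steps not yet taken matter
        if not state.get(step.requires, False):
            return 0.0                            # a required condition is gone: path cut
        p *= step.feasibility
    return p

def rank_countermeasures(attack, state, countermeasures):
    """Score each candidate by the reduction in success likelihood it yields; best first."""
    baseline = success_likelihood(attack, state)
    ranked = []
    for name, effect in countermeasures.items():
        new_state = {**state, **effect}           # the countermeasure alters system conditions
        ranked.append((name, round(baseline - success_likelihood(attack, new_state), 4)))
    return sorted(ranked, key=lambda t: t[1], reverse=True)

# Constructed sample scenario with hypothetical names; the scan step has already been observed.
STATE = {"ssh_reachable": True, "weak_creds": True, "db_reachable": True}
ATTACK = Attack("exfiltrate_db", [
    Step("scan", "ssh_reachable", 0.9),
    Step("bruteforce", "weak_creds", 0.5),
    Step("dump_db", "db_reachable", 0.8),
], observed=1)
COUNTERMEASURES = {
    "block_source_ip": {"ssh_reachable": False},  # only affects the step already taken
    "lock_account": {"weak_creds": False},
    "isolate_db": {"db_reachable": False},
    "raise_log_level": {},                        # changes no condition on this path
}

if __name__ == "__main__":
    print(success_likelihood(ATTACK, STATE))
    print(rank_countermeasures(ATTACK, STATE, COUNTERMEASURES))
```

Because the scan step has already happened, blocking the source address no longer reduces the likelihood, which is why progress must enter the assessment.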
