An intrusion response decision-making model based on hierarchical task network planning


An intrusion response decision-making model based on hierarchical task network planning

Chengpo Mu a,*, Yingjiu Li b
a The Key Laboratory for Mechatronic Engineering and Control, Beijing Institute of Technology, 100081 Beijing, PR China
b School of Information Systems, Singapore Management University, 178902 Singapore, Singapore
* Corresponding author. E-mail addresses: muchengpo@bit.edu.cn (C. Mu), yjli@smu.edu.sg (Y. Li).

Expert Systems with Applications 37 (2010) 2465–2472. doi:10.1016/j.eswa.2009.07.079. © 2009 Elsevier Ltd. All rights reserved.

Keywords: Automated intrusion response system; Hierarchical task network planning; Intrusion response decision-making; Intrusion detection

Abstract

An intrusion response decision-making model based on hierarchical task network (HTN) planning is presented in this paper. Unlike other response decision-making models, it consists not only of a response measure decision-making process but also of a response time decision-making process, which is first proposed here. The response time decision-making model determines the response time of each response HTN subtask. Because response time is decided explicitly, the intrusion response system can apply different response strategies to achieve the different response goals set by administrators. The proposed response measure decision-making model optimizes a response plan by balancing response effectiveness against the negative impact of the response, both for a single response measure and for a set of response measures. The response decision-making model is self-adaptive and tolerates false positive IDS alerts. The model has been used in the intrusion detection alert management and intrusion response system (IDAM&IRS) developed by us; the functions and architecture of IDAM&IRS are introduced, its intrusion response experiments are presented, and the features of the response decision-making model are summarized.

1. Introduction

Intrusion responses are the actions and countermeasures taken when an intrusion is detected. To keep a computer network secure, these actions prevent further attacks or restore the system to a normal state. They may be carried out by humans or by computers. By level of automation, current intrusion response systems fall into three categories: notification systems, manual response systems, and automatic response systems. Notification systems mainly generate alerts about an intrusion, which a system administrator then uses to select a response. Manual response systems let the administrator launch countermeasures against a detected intrusion by choosing from a predetermined set of response programs. In contrast, automated intrusion response systems (AIRSs) choose countermeasures themselves and respond to an attack immediately, without human intervention.

With notification and manual response systems there is always a delay between the detection of a possible intrusion and the response to it. This delay, or time window, can range from seconds to hours or even days (e.g., during weekends or holidays). The longer the time window, the higher the success rate of an intrusion and the greater the damage caused to the attacked system (Fred, 1999). The time window therefore matters to both intruders and defenders, and of the three types of response it is shortest in automated response systems. Although AIRSs have the shortest time window, building them is the most complicated and difficult job. The major challenge is the development of decision-making mechanisms that, according to the state of the intrusion and of the attacked system, determine both the response times and the response measures.

2. Related work

As the critical technique of AIRSs, intrusion response decision-making has attracted special attention in the network security research field since the beginning of the 21st century. Most current intrusion response decision-making models are used to choose response measures in AIRSs. They can be divided into the following types.

Static mapping models, which map an alert to a predefined response, make up the majority of existing approaches. They use simple decision tables to determine how to react to identified attacks. Although a static mapping model is easy to build, the response measures it decides on are predictable and therefore exploitable by intruders. Another weakness of static mapping models is their inability to take other response decision factors into account, such as the possible negative side effects of countermeasures and the current state of the attacked system. In addition, the approach appears infeasible for large scale systems, as noted by Toth et al. (2002).

Dynamic response mapping models are more advanced than static mapping models because response selection is based on multiple response decision factors, including attack metrics (e.g., confidence and severity of the attack), system state (e.g., existing vulnerabilities, service implications) and the administrator's security will (response goals and security policy constraints). A typical dynamic response mapping model, used in the adaptive, agent-based intrusion response system (AAIRS), is proposed by Carver (2001): when an intrusion alert is generated, AAIRS decides its response plan according to a set of factors, including degree of suspicion, attack time, attack type, attacker type, attack implication, response goal and policy constraint. The model is shown in Fig. 1. Other automated response systems or mechanisms that employ dynamic response mapping are CSM (White, Fisch, & Pooch, 1996), EMERALD (Porras et al., 1997) and CITRA (Schnackenberg, Holliday, & Smith, 2001). Although this approach provides much finer-grained and more flexible control in responding to an attack, it can still potentially be exploited by an adversary (Stakhanova, Basu, & Wong, 2006). In addition, the approach seldom considers the negative impact of response measures.

The cost sensitive response decision model proposed early on by Lee attempts to balance intrusion damage and response cost (Lee, 2002). The optimal response is determined by a cost sensitive model that incorporates several cost and risk factors. These factors are usually divided into factors related to the intrusion, such as damage cost, and factors characterizing the response, such as response action cost. Similarly, the response decision model proposed by Toth selects response measures according to the principle of minimal negative effect on legitimate users (Toth & Kruegel, 2002). Accurate measurement of cost and negative effect is one of the challenges in using these models.

In general, the response decision-making models above consider only the response measure and not the response time in the decision-making process. As a result, these models cannot apply a response strategy to achieve multiple response goals.
Most proposed response measure decision-making models focus either on stopping intrusions effectively or on decreasing the negative impact of the response; only a few can balance response effectiveness and response impact at the same time. Most models are easily affected by false positive alerts, which lead them to make false response decisions. In addition, none of them can decide to release response measures that have already been executed.

3. The architecture of IDAM&IRS and component functions

We present a response decision-making model in the intrusion detection alert management and intrusion response system (IDAM&IRS) developed by our lab. Automated intrusion response is the major function of the system. Here we briefly introduce the architecture and the component functions related to the proposed approach.

The architecture of IDAM&IRS, shown in Fig. 2, is distributed. The communication module is responsible for receiving alerts from multiple IDSs and sending response instructions to protected targets. In the alert filter, alerts are filtered according to their confidences: only alerts with a confidence value higher than the confidence threshold pass through the module. We have proposed a supervised confidence learning approach, described in (Mu, Huang, & Tian, 2005), which is effective in filtering out regular and relevant false alerts (for the false alert types see (Mu, Huang, & Tian, 2006)). The alert verification module compares the information referred to by an alert with the information held about its target host. It is used to reduce false and irrelevant alerts and to provide alert relevance scores that represent the likelihood of a successful attack (Mu, Huang, & Tian, 2005). The alert correlation module aggregates related alerts into alert threads that represent the corresponding intrusion scenarios, while providing risk assessment factors, including the number of alerts and the number of alert types in each thread. It reduces random, uncorrelated false positive alerts and duplicate alerts (Mu et al., 2006). The online risk assessment module evaluates the real-time risk caused by each intrusion scenario (Mu, Huang, & Tian, 2008). According to the result of online risk assessment and other factors, the intrusion response decision-making module determines response times and response measures and writes response instructions into the response measure queue. Through the console, an administrator can browse and manage alerts, maintain IDAM&IRS, and configure its parameters.

Fig. 1. The response decision-making model of AAIRS.
Fig. 2. The architecture of IDAM&IRS.

4. Intrusion response decision-making based on hierarchical task network planning

The logical structure of the IDAM&IRS response decision-making model is shown in Fig. 3. To achieve a response goal set by administrators, the response decision-making mechanism in Fig. 3 chooses the response time and the response measures that form a response plan, according to the response factors and under the guidance of the corresponding response strategy.

4.1. Hierarchical task network planning

Planning systems search for a sequence of actions that will achieve desired goals; a goal may be achieved through the effect of an action (Callan, 2003). As a very active and growing area of research, planning has been applied in many fields, including robot navigation, autonomous space vehicle control and maintenance planning. NASA, for instance, is one of the most active organizations in the area and has constructed a number of planners for space missions. At present, GraphPlan and hierarchical task network (HTN) planners are commonly used, and HTN is the most widely studied knowledge-based approach.
In many respects HTN is better suited to real-world planning problems than minimal methods such as GraphPlan, because the representational formalism of knowledge-based planners fits the knowledge-rich domains of real-world applications. The HTN search for a plan is constrained by this knowledge, so the size of the search space is considerably reduced. In an HTN planner, plans are represented by networks. An HTN is constructed from three types of component:
1. A goal task describes properties that we wish to make true.
2. A compound task is a task that relies on a collection of other tasks.
3. A primitive task is a task that can be executed directly.
In an HTN, nodes represent tasks and edges convey the ordering of tasks. The plan starts with a high level task, which is then expanded in terms of its subtasks. The expansion decomposes a goal task into lower level tasks (compound tasks and primitive tasks), and the decomposition continues until only primitive tasks remain. Interested readers are referred to (Callan, 2003) for more details about HTN.

4.2. Intrusion response planning

The job of an intrusion response planner is to find a sequence of actions that will achieve a response goal. The sequence of actions is called an intrusion response plan. The hierarchical structure of IDAM&IRS response planning is shown in Fig. 4. The goal task is written as $N = \{k, W, f, KP\}$, where $k$ represents the intrusion scenario being detected and responded to, $W$ is the response goal set by an administrator, $f$ is the response strategy corresponding to the response goal, and $KP = \{P_i, P_j, \ldots, P_n\}$ represents the response key points. The response goals an administrator can set in the system are: analyze the attack, catch the attack, mask the attack, maximize confidentiality, maximize data integrity, minimize cost, recover gracefully, and sustain service. These response goals are proposed by Carver (2001).
Response strategies serve to achieve response goals; each response goal has its own response strategy, and different subtasks, in different orders, in $KP$ carry different strategies in the response process. The response key points, also called subtasks, are:
– general alarm subtask $P_1$, which performs a single or general alarm response measure to notify administrators;
– reinforced alarm subtask $P_2$, which takes all possible ways to notify administrators;
– general evidence record subtask $P_3$, which records intrusion related data in general and fewer ways (e.g., logging to hard disk);
– reinforced evidence record subtask $P_4$, which records intrusion related data in specific and more ways (e.g., logging to CD or printer);
– general backup subtask $P_5$, which backs up the parts of the data needed to recover the target system;
– reinforced backup subtask $P_6$, which backs up all data in a target system;
– weak attack block subtask $P_7$, which takes weak response measures to stop an intrusion (e.g., blocking an IP address from accessing the attacked ports on the target host);
– general attack block subtask $P_8$, which takes general response measures to stop an intrusion (e.g., blocking an IP address from accessing the target host);
– strong attack block subtask $P_9$, which takes strong response measures to stop an intrusion (e.g., blocking an IP address from accessing the target network, or shutting down attacked hosts);
– general counterattack subtask $P_{10}$, which warns or attacks an intruder's computer in general attack manners;
– strong counterattack subtask $P_{11}$, which attacks an intruder's computer or network in strong attack manners;
– response effect check subtask $P_{12}$, which checks the effect of the blocking response measures that have been taken;
– response measure release subtask $P_{13}$, which releases or removes the response measures that have been taken.

Fig. 3. The logical structure of the IDAM&IRS response decision-making model.

For instance, if the response goal is to analyze an attack, the response strategy is that the response strength should be weak at the start and strong later; we therefore set $KP = \{P_2, P_4, P_8, P_{12}, P_{13}\}$. In this case the system first executes the alarm and record actions, which are weak and passive response measures, and executes the block task only when the risk of the intrusion exceeds the range set by the administrator. To analyze the attack, the response system should collect as much intrusion data as possible; had the block actions been taken first, it could not have recorded enough intrusion data for analysis.

A response key point is denoted $P_i = \{W_{P_i}, T_{P_i}, M_{P_i}, W'_{P_i}\}$, where $W_{P_i}$ is the subtask response goal, $T_{P_i}$ is the response time decision-making subtask, $M_{P_i}$ is the response measure decision-making subtask, and $W'_{P_i}$ is the response decision writing subtask, which writes response instructions into the response queue. In the response time decision-making subtask $T_{P_i} = \{W_{P_i}, RI_{P_i}, E_k, C_{P_i}\}$, $W_{P_i}$ is the response goal, the same as that of its parent subtask, $RI_{P_i}$ is the risk threshold for deciding the response time, $E_k$ is the risk assessment subtask that evaluates the risk caused by the intrusion scenario $k$, and $C_{P_i}$ is the subtask that decides whether or not the system begins to respond. In the response measure decision-making subtask $M_{P_i} = \{W_{P_i}, D_{P_i}, C'_{P_i}\}$, $W_{P_i}$ is again the response goal of the parent subtask, $D_{P_i} = [P_i\_EI_{min}, P_i\_EI_{max}]$ is the range of the response effective index (response measures within the range can effectively fulfil task $P_i$), and $C'_{P_i}$ is the subtask that chooses the response measures. Each response key point thus contains four primitive tasks ($E_k$, $C_{P_i}$, $C'_{P_i}$ and $W'_{P_i}$), represented by rectangles in Fig. 4; when its four primitive tasks are completed, the key point subtask is completed.
As tasks are completed from the low level to the high level, the response system finishes the goal task according to the response strategy and thereby achieves the response goal. Of the four primitive tasks, $C_{P_i}$ and $C'_{P_i}$ are the core of response decision-making and are discussed in detail below; the primitive task $E_k$ is detailed in (Mu et al., 2008).

4.3. Response time decision-making

Definition 1. Response time decision-making determines the execution time of each subtask $P_i$ in $KP$. In other words, it decides when a response system takes the different kinds of response tasks (or response measures) during an intrusion response process.

In a response time decision-making subtask $T_{P_i}$, $RI_{P_i} = \{RIH_{P_i}, RIN_{P_i}\}$, where $RIH_{P_i}$ is the risk threshold at the host level and $RIN_{P_i}$ is the risk threshold at the network level. The risk thresholds of the different tasks are set according to the response strategy and the risk distribution of the attacked target (Mu et al., 2008). Below we enumerate the response time decision-making approaches for the different subtasks.

(1) Alarm, evidence record and backup subtasks. The measures of these subtasks are always executed at the host level, so their response time decision-making is carried out only at the host level. The time decision-making model is

IF $RI^k_H \ge RIH_{P_i}$ THEN $P_i$ BEGIN AND $T_{P_i} = t$, $i \in \{1, 2, 3, 4, 5, 6\}$ (1)

That is, when the risk $RI^k_H$ caused by an intrusion scenario $k$ on a host is greater than or equal to the threshold $RIH_{P_i}$, subtask $P_i$ begins and the current time $t$ is taken as its beginning time.

Fig. 4. Intrusion response planning based on HTN.

(2) Block and counterattack subtasks. The measures of these subtasks are executed at both the host level and the network level, so their response time decision-making is carried out at both levels:

IF $RI^k_H \ge RIH_{P_i}$ OR $RI^k_{LAN} \ge RIN_{P_i}$ THEN $P_i$ BEGIN AND $T_{P_i} = t$, $i \in \{7, 8, 9, 10, 11\}$ (2)

where $RI^k_{LAN}$ is the risk caused by the intrusion scenario $k$ in the whole network.

(3) Response effect check subtask. This subtask checks whether an executed block measure has had an effect and adjusts the plan according to the result. Its time decision-making model is

IF $t \ge T_{P_i} + T_{eff}$ THEN $P_j$ BEGIN, $i \in \{7, 8, 9\}$, $j \in \{12\}$ (3)

After a block measure is executed, it usually takes a period of time $T_{eff}$ to have the effect of stopping the intrusion. The formula means that once a block subtask has been running for $T_{eff}$, the check subtask $P_{12}$ begins.

(4) Response measure release subtask. There are two cases for this subtask, which is used to remove executed response measures. The response measures of certain subtasks do not need to act continually and release themselves automatically after execution; for example, once the measure "send mobile message" has sent an alarm message to an administrator, it stops. In this case no time decision is needed for subtask $P_{13}$. When response measures (e.g., block measures) must act continually, the executed measures should be removed once the risk caused by the intrusion falls below a threshold set by the administrator:

IF $RI^k_H < RIH_{P_i}$ AND $RI^k_{LAN} < RIN_{P_i}$ THEN RELEASE THE RESPONSE, $i \in \{13\}$ (4)

4.4. Response measure decision-making

Definition 2. Response measure decision-making determines each response measure $rm_i$ and its order in the response measure set $RM = \{rm_1, rm_2, \ldots, rm_n\}$ that can accomplish subtask $P_j$.

Definition 3. The positive and negative ratio of a response measure is the ratio of the effective index of the response measure to its negative impact index.
That is,

$R = EI / DI$ (5)

$R$ combines the positive effect and the negative impact of a response measure; obviously, the higher $R$, the better the response measure.

To guarantee the response effect it usually takes not a single response measure but a set of them: the measures complement each other and achieve a better result than any single measure. For instance, to perform an alarm subtask, three response measures, "alarm on screen", "send email" and "send mobile message", can be executed at the same time. They notify administrators over multiple channels, so administrators learn of an intrusion in time. On the other hand, more response measures put more load on protected hosts and slow network performance, so the size of the response measure set should be limited in order to contain the impact of these measures. To address the problem of the number of response measures in $\{rm_1, rm_2, \ldots, rm_n\}$, selection windows are used to balance response effectiveness against response negative impact.

Definition 4. A response measure selection window is a selection range $[EI_{min}, EI_{max}]$, where $EI_{min}$ and $EI_{max}$ are the minimum and maximum effective index, respectively. Only response measures within the range are eligible for selection.

Based on the above definitions, the guidelines for response measure decision-making are:
– each response measure within the selection window must be able to achieve the response goal;
– the position and size of the selection window should balance response effectiveness and response negative impact;
– within the selection window, only the response measures with the highest positive and negative ratio are selected.

(1) According to these guidelines, the response measure decision-making process for alarm, evidence record, backup, block and counterattack subtasks is as follows.

A. Determine the response measure selection window. To finish each subtask we require

$Task_j\_EI_{max} \ge rm_i\_Task_j\_EI \ge Task_j\_EI_{min}$, $i = 1, 2, \ldots, n$ (6)

i.e.

$EI_{min} = Task_j\_EI_{min}$, $EI_{max} = Task_j\_EI_{max}$ (7)

where $rm_i\_Task_j\_EI$ is the effective index of the response measure $rm_i$ for finishing the subtask $Task_j$. Its value is determined by the type of subtask $Task_j$ and by the attack type reflected by the latest alert in the intrusion scenario $k$. $Task_j\_EI_{min}$ is the minimum effective index that response measures need in order to complete $Task_j$, and $Task_j\_EI_{max}$ is the upper limit on the effective index of response measures used to finish $Task_j$. Basically, the higher the effective index of a response measure, the higher its negative impact. The window therefore not only filters out response measures that cannot finish the subtask but also keeps unnecessary response measures with high negative impact from entering the window. $Task_j\_EI_{min}$ and $Task_j\_EI_{max}$ are determined by the features of the subtasks.

B. Choose response measures in the selection window. First calculate $R$ for each response measure in the window, then choose the response measures with the highest $R$. Usually there is more than one response measure with the highest $R$.

(2) The response measure decision-making for a response effect check subtask can be expressed as

IF $RI^k_H > RI'^k_H$ OR $RI^k_{LAN} > RI'^k_{LAN}$ THEN
    release the responses of the former block task $P_i$;
    write the responses of the former block task $P_i$ into the Failed Response Table;
    choose new responses for the former block task $P_i$ according to the new risk
ELSE
    no need to adjust the response plan
ENDIF

where $RI^k_H$ and $RI^k_{LAN}$ are the risk indexes caused by the intrusion scenario $k$ at the host level and the network level, respectively, at the time the check subtask begins, and $RI'^k_H$ and $RI'^k_{LAN}$ are the corresponding risk indexes at the time the former block subtask began. The expression therefore means that if the risk caused by an intrusion scenario has not decreased after the block subtask is executed, the response plan is adjusted according to the updated risk (e.g., the former response measures are released and new response measures are chosen for the block subtask).

A response measure release subtask is used to remove the executed response measures; it involves no response measure selection process.

5. Experiments and analysis

In our experiments, Snort 2.0 IDS and IDAM&IRS were deployed on a subnet (xxx.71.75.130–xxx.71.75.180) in our laboratory that has a connection to the Internet. BlackICE PC Protection and Norton Internet Security 7.0 IDSs were also installed on some hosts in the subnet. The subnet has four types of network server, i.e. HTTP proxy, FTP, web and database, and its operating systems include Windows XP, Windows 2000, Windows 2003 Server and Linux. The experiment subnet is shown in Fig. 5. Since it is impossible to test all attacks, we consider a few typical attacks to evaluate our approach.

(1) The vertical scan (Staniford, Hoagland, & McAlerney, 2002) is an essential step in most intrusion scenarios. Attackers usually use it to collect information about targets in order to find a way to compromise them. Here we employed a scan tool to probe the database server, on which a MS SQL Server database was running. Set the response goal $W$ = catch the attack.
According to its cor- responding response strategy, let KP ¼fP2; P4; P8; P12; P13g. In order to gather intrusion data as much as possible, set the risk threshold RIHP2 ¼ RIHP4 ¼ 0:2 at the low values, RIHP8 ¼ 0:85 and RINP8 ¼ 0:25 at the higher value (the risk index in the network le- vel represents the scope affected by an intrusion in a protected net- work; the number range and meaning of the risk index in the network level are different from in the host level). In the experi- ment, the vertical scan triggered three kinds of alarm measures (i.e. sending alarm in the console, sending email, and sending mo- bile message), two kinds of record measures (i.e. writing the intru- der address into the black list, and logging to writable CD). The highest risk index caused by the scan in the host level and the net- work level are 0.7191 and 0.1439, respectively. Therefore, the ver- tical scan did not trigger any block response measures. The risk curve caused by the vertical scan is shown in Fig. 6. It shows that the system recorded the all scan activities and alarmed the admin- istrator in time. The execution of these response measures pro- vides a strong support for analyzing the attack and tracing the intruder. Set the response goal W ¼ recover gracefully, and take KP ¼fP1; P4; P6; P8; P12; P13g based on its response strategy. Differ- ent from the case of W ¼ catch the attack, we increase the risk thresholds RIHP1, RIHP4 and RIHP6 to 0.3, but decrease the risk thresholds RIHP8 to 0.6 and keep RINP8 ¼ 0:25. 
Increasing the risk thresholds of subtasks P1, P4 and P6 improves the ability to tolerate abnormal network activities, reduces the risk of false responses caused by false positive alerts and prevents unnecessarily frequent data backups; conversely, decreasing the risk threshold of the block subtask P8 triggers the block subtask earlier, which protects the target from damage in time and improves the block reliability of the response system. Besides the alarm and recording measures, the system backup measure was carried out, which provides a data source for the later recovery. In the experiment, the block subtask was triggered. The response measure is to block the IP packets from the intruder for 1 h on the firewall of the protected host. Fig. 7 shows that the risk index decreases rapidly after the block response measure is executed.

To verify the adaptability of the model, we replace the strong block subtask P8 in KP by the weak block subtask P7, that is KP = {P1, P4, P6, P7, P12, P13}. When the subtask P7 was triggered in the experiment, the response measure determined by the model was to block the intruder IP from accessing the specific port of the protected host for 1 h. However, the response check subtask P12 found that the risk did not decrease after the block action. Therefore it automatically chose a new response measure, which was to block the intruder IP from accessing the target host (all ports of the host) for 1 day. The risk decreased rapidly after the measure was executed. The first block measure was unable to stop the attack because the vertical scan accessed all target ports (not a specific port).

Fig. 5. Experiment subnet.

2470 C. Mu, Y. Li / Expert Systems with Applications 37 (2010) 2465–2472

(2) Most dangerous intrusions consist not of a single attack step but of multiple attack steps. In the scenario of the Ftp MDTM vulnerability intrusion, an attacker can compromise an Ftp server in the following steps:
– probe port 21 of the target in order to decide whether the target provides Ftp service and obtain the messages about the name and version of the Ftp application software. One can make use of these messages to find out whether there is an MDTM vulnerability on the Ftp server.
– try to learn a user name and its password for the Ftp application service in order to exploit its MDTM vulnerability. This step probes a user name and its password through a dictionary attack method. The step can be skipped if the Ftp service allows anonymous login.
– use an MDTM attack tool (such as Swan) to overflow the Ftp service. If this attack step succeeds, a specific port will be opened. Finally the attacker obtains the system operation privilege on the target by telnetting to the opened port.
Set the response goal W = maximize confidentiality. To reach the goal, the response strategy is that the response system should do its best to prevent any information about the protected targets from being probed by intruders. Here we take KP = {P9, P1, P3, P12, P13}, and use low risk thresholds (about 0.2) for all subtasks in KP. In the experiment, subtasks P9, P1 and P3 were triggered as soon as the probing activity started. The block measure determined by the model is to block all IP packets from the intruder to all hosts in the protected network. The block rule was set on the gate firewall of the network, which covers the whole network; thus, it can prevent information about hosts in the network from being detected by the outside intruder. The risk variation is shown in Fig. 8.

When we set the response goal W = analyze the attack, the response system should try its best to collect intrusion information in order to analyze the attacks. Here we take KP = {P2, P4, P8, P12, P13}, set low risk thresholds for the reinforced alarm subtask P2 and the reinforced evidence record P4, but a high risk threshold for the general attack block P8. No sooner had the probe begun than the subtasks P2 and P4 were triggered. On the contrary, the block subtask P8 was not triggered until the overflow attack ended. The block response measure is to block the intruder IP packets from accessing the attacked host for 1 h. The block rule is set on the gate firewall. The risk variation is shown in Fig. 9. Basically the response system recorded the data of all three attack steps, including the port probe data, the user account and password probe data, and the overflow attack data. These data are important evidence for analyzing the intrusion.

Usually the risk caused by false positive alerts is not high (Mu et al., 2008). Fig. 10 shows the risk caused by an intrusion scenario that consists of 20 raw false positive alerts. In the experiment, as long as we kept the risk threshold below 0.3, the response system would not take any response actions regardless of what response goals we set. Notice that in the past, many response decision-making models chose response measures according to raw IDS alerts; this may lead to false positive responses because of the high IDS false positive alert rate (Chengpo, Houkuan, & Shengfeng, 2006). In comparison, our response decision-making model determines response times according to the risk caused by an intrusion scenario. This is why our model can tolerate false positive alerts to a certain extent. In the above case of W = maximize confidentiality, setting very low risk thresholds may cause false positive responses. However, it is the cost that must be paid for maximizing the confidentiality of the protected targets.

Fig. 6. The online risk assessment result for vertical scan when W = catch the attack. [Plot: Risk Index vs. Attack step.]
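As an added illustration (not the authors' IDAM&IRS code), the following Python sketch simulates the response time decision used in the scenarios above: subtasks in KP fire when the online risk index reaches their thresholds, the response check subtask (P12) swaps in a stronger measure when the risk does not fall after a block, and a false positive scenario whose risk stays under the thresholds triggers nothing. The risk traces, thresholds, measure names and the drop/rise effect of a measure are constructed assumptions, not values from the paper.

```python
"""Added example (not the authors' IDAM&IRS code): a toy simulation of the
risk-threshold response-time decision and the response check subtask P12.
Traces, thresholds and measure names are constructed for illustration."""
from dataclasses import dataclass

@dataclass
class Subtask:
    name: str                 # HTN subtask, e.g. "P8" (general attack block)
    threshold: float          # risk threshold set by the administrator
    measures: tuple = ()      # candidate measures, weakest first
    measure_idx: int = -1     # index of the measure currently in force
    fired_step: int = -1      # attack step at which the subtask fired

# Constructed online risk index per attack step for the vertical scan.
VSCAN_TRACE = (0.2, 0.25, 0.3, 0.35, 0.4, 0.45, 0.5, 0.55, 0.6, 0.65)
# Constructed trace for a scenario made only of false positive alerts.
FALSE_POSITIVE_TRACE = (0.1, 0.15, 0.2, 0.25, 0.2, 0.15)

def fire_subtasks(risk_trace, kp):
    """Response time decision: each subtask in KP fires at the first attack
    step whose risk index reaches its threshold. Returns {name: step}."""
    fired = {}
    for step, risk in enumerate(risk_trace, 1):
        for st in kp:
            if st.name not in fired and risk >= st.threshold:
                fired[st.name] = st.fired_step = step
    return fired

def block_with_check(risk_trace, block, effective, rise=0.05, drop=0.15):
    """Block subtask plus response check. Risk follows the trace until the
    block fires; afterwards it drops if the active measure stops the attack,
    otherwise it keeps rising and the check swaps in the next stronger measure.
    `effective` maps measure name -> bool (constructed model of the attack).
    Returns (risk per step, [(step, measure executed), ...])."""
    risks, history, risk = [], [], 0.0
    for step, observed in enumerate(risk_trace, 1):
        if block.measure_idx < 0:
            risk = observed
            if risk >= block.threshold:            # response time reached
                block.measure_idx, block.fired_step = 0, step
                history.append((step, block.measures[0]))
        elif effective[block.measures[block.measure_idx]]:
            risk = round(max(0.0, risk - drop), 2)
        else:
            risk = round(min(1.0, risk + rise), 2)
            if block.measure_idx + 1 < len(block.measures):   # P12: escalate
                block.measure_idx += 1
                history.append((step, block.measures[block.measure_idx]))
        risks.append(risk)
    return risks, history
```

Running `block_with_check(VSCAN_TRACE, Subtask("P7", 0.45, ("port", "host")), {"port": False, "host": True})` reproduces the adaptability experiment in miniature: the port block fires at step 6, the check escalates to the host block at step 7, and the risk then falls.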
Fig. 7. The online risk assessment result for vertical scan when W = recover gracefully.

Fig. 8. The online risk assessment result for Ftp MDTM vulnerability intrusion when W = maximize confidentiality.

Fig. 9. The online risk assessment result for Ftp MDTM vulnerability intrusion when W = analyze the attack.

Fig. 10. The online risk assessment result for a false positive scenario. [Plot: Index vs. Attack step.]

Besides the above attacks, we also consider other attacks, such as DoS attacks. These experiments prove that the response system with the HTN-based response decision-making model can apply different response strategies to achieve different response goals set by administrators.

6. Conclusions

Making full use of response expertise, the intrusion response decision-making model based on HTN combines the response time decision-making process and the response measure decision-making process to achieve multiple response goals. In our approach, a response strategy can be incorporated into a response plan with a specific response goal because response times can enforce temporal constraints. The proposed response time decision-making approach based on online risk assessment changes response decision-making from an isolated action into a process, which serves as the foundation for applying a response strategy. The response system is able to avoid unnecessary responses and reduce the risk of false positive responses by adjusting the risk thresholds of subtasks. The response measure decision-making model balances the response effect and response impact both in a single response measure and in a set of response measures. In addition, it can coordinate response measures at the host level and at the network level to get a more desirable response effect than at a single level. The model is self-adaptive because it can adjust response measures or remove executed response measures according to the online risk condition.

References

Callan, R. (2003). Artificial intelligence. Palgrave Macmillan, pp. 142–183.
Carver, C. A. (2001). Adaptive-based intrusion response. PhD dissertation, College Station: Texas A&M University.
Chengpo, M., Houkuan, H., & Shengfeng, T. (2006). A survey of intrusion-detection alert aggregation and correlation techniques. Journal of Computer Research and Development, 43(1), 1–8.
Fred, C. (1999). Simulating cyber attacks, defenses, and consequences.
Lee, W. (2002). Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security, 10(2), 5–22.
Mu, C. P., Huang, H. K., & Tian, S. F. (2005). Intrusion detection alert verification based on multi-level fuzzy comprehensive evaluation. In 2005 International conference on computational intelligence and security, LNAI 3801. Springer-Verlag, Berlin, Germany.
Mu, C. P., Huang, H. K., & Tian, S. F. (2005). Managing intrusion-detection alerts based on fuzzy comprehensive evaluation. In 10th International conference on fuzzy theory and technology (FTT2005), Salt Lake City, UT, USA.
Mu, C. P., Huang, H. K., & Tian, S. F. (2006). False positive alert, irrelevant alert and duplicate alert reduction based on a comprehensive approach. Journal of Dynamics of Continuous, Discrete and Impulsive Systems, Series B, Supplementary Issue.
Mu, C. P., Huang, H. K., & Tian, S. F. (2008). Online risk assessment of intrusion scenarios using D–S evidence theory. In Proceedings of 13th European symposium on research in computer security, LNCS. Springer-Verlag, Berlin, Germany.
Porras, P. A., & Neumann, P. G. (1997). EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of 20th national information systems security conference (pp. 353–365), Baltimore, MD, October 7–10 [Information Technology Lab, Gaithersburg USA 7].
Schnackenberg, D., Holliday, H., Smith, R., et al. (2001). Cooperative intrusion traceback and response architecture. In Proceedings of DARPA information survivability conference and exposition, Anaheim, CA.
Stakhanova, N., Basu, S., & Wong, J. (2006). A taxonomy of intrusion response systems. Technical Report 06-05, Department of Computer Science, Iowa State University, Ames, IA, USA.
Staniford, S., Hoagland, J. A., & McAlerney, J. M. (2002). Practical automated detection of stealthy portscans. Journal of Computer Security, 10(1–2), 105–136.
Toth, T., & Kruegel, C. (2002). Evaluating the impact of automated intrusion response mechanisms. In Proceedings of 18th annual computer security applications conference, Las Vegas, NV, USA.
White, G. B., Fisch, E. A., & Pooch, U. W. (1996). Cooperating security managers: A peer-based intrusion detection system. IEEE Network, 10(1), 20–23.