Taxonomy of Intrusion Risk Assessment and Response System

JOURNAL OF LATEX CLASS FILES, VOL. 11, NO. 4, DECEMBER 2012

Taxonomy of Intrusion Risk Assessment and Response System

Alireza Shameli-Sendi, Mohamed Cheriet, Senior Member, IEEE, and Abdelwahab Hamou-Lhadj, Member, IEEE

A. Shameli-Sendi and M. Cheriet are with the Department of Electrical and Computer Engineering, Ecole de Technologie Superieure (ETS), Montreal, Canada. E-mail: alireza.shameli@synchromedia.ca, mohamed.cheriet@etsmtl.ca. A. Hamou-Lhadj is with the Department of Electrical and Computer Engineering, Concordia University. E-mail: wahab.hamoulhadj@concordia.ca. Manuscript received .; revised .

Abstract—In recent years, we have seen notable changes in the way attackers infiltrate computer systems and compromise their functionality. Research in intrusion detection systems aims to reduce the impact of these attacks. In this paper, we present a taxonomy of intrusion response systems (IRS) and intrusion risk assessment (IRA), two important components of an intrusion detection solution. We achieve this by classifying a number of studies published during the last two decades. We discuss the key features of existing IRS and IRA. We show how characterizing security risks and choosing the right countermeasures are an important and challenging part of designing an IRS and an IRA. A poorly designed IRS or IRA may reduce network performance and wrongly disconnect users from a network. We propose techniques to address these challenges and highlight the need for a comprehensive defense mechanism approach. We believe that this taxonomy will open up interesting areas for future research in the growing field of intrusion risk assessment and response systems.

Index Terms—Intrusion detection system, Intrusion response system, Intrusion risk assessment, Response time, Prediction, Response cost, Attack graph, Service dependency graph.

1 INTRODUCTION

Today's society relies increasingly on network services to manage its critical operations in a variety of domains including health, finance, public safety, telecommunication, and so on. It is therefore important to maintain high availability and adequate response time of these services at all times. This is threatened by the presence of hostile attackers that look for ways to gain access to systems and infect computers. To mitigate these threats, the deployment of an appropriate defense mechanism is needed.

As Figure 1 illustrates, the defense life-cycle includes four phases: Prevention, Monitoring, Detection, and Mitigation. The prevention phase ensures that appropriate safeguards are placed in different locations to secure services and data. In the monitoring phase, monitoring tools are deployed to gather useful host or network information to follow the execution of the system. The detection phase is where an Intrusion Detection System (IDS) analyzes the running systems, looking for deviations from a pre-established normal behaviour.

IDSs vary depending on whether they monitor network traffic (Network-based IDS) or local hosts (Host-based IDS) [16]–[20]. IDSs are divided into two categories: anomaly-based and signature-based. Anomaly-based techniques rely on a two-step process. In the first step, the training phase, a classifier is built using a machine learning algorithm, such as a decision tree, a Bayesian network, or a neural network [21]–[23]. The second step, the testing phase, tests the detection accuracy (by measuring true positive and false positive rates). The anomaly-based detection approach is able to detect unknown attack patterns and does not need predefined signatures. However, it suffers from the problem of characterizing the normal behavior. Signature-based techniques (also known as misuse detection) [24], on the other hand, rely on known patterns (signatures) of attacks. Pattern matching makes this technique deterministic, which means that it can be customized for various systems, although it is difficult to find the right balance between accuracy and generality, which may lead to false negatives and false positives [25], [26].

Fig. 1: Defense Life-cycle.

The last phase, mitigation, complements the defense life-cycle by evaluating the severity of attacks and selecting a correct response at the right time. In the mitigation phase, an Intrusion Response System (IRS) is responsible for selecting appropriate countermeasures to effectively handle malicious or unauthorized activities.

An IRS has to assess the value of the loss incurred by a compromised resource [1]. It also has to have an accurate evaluation of the cost of the response [2], [3]. Otherwise, an automated IRS may reduce network performance, or wrongly disconnect valid users from the network. Moreover, a badly designed IRS may result in high costs associated with re-establishing the services. This incurred overhead often pushes administrators to simply disable the IRS.

Designing an IRS poses several challenges. First, the chain of vulnerabilities exploited by an attacker can link services on either a single machine or those on different machines [4], [5]. The complexity of the attack makes it a challenge to accurately calculate the risk impact. Then, there are the many decisions that an IRS needs to make, which can be summarized in the following questions:
• Is the attack harmful enough to warrant repelling?
• What is the value (importance) of the compromised target?
• Which set of responses is appropriate for repelling the attack?

Intrusion Risk Assessment (IRA) is the process of identifying and characterizing risks. The result of risk assessment helps minimize the cost of applying all available sets of responses. It may be enough in some situations to only apply a subset of the available responses [6], [7]. That said, risk assessment helps an IRS determine the probability that a detected anomaly is a valid attack that requires attention (in the form of a response) [9].

In this paper, we classify existing IRS and IRA design approaches. The goal is to identify the strengths and weaknesses of existing approaches. We also propose guidelines for improving IRS and IRA.

The rest of this paper is organized as follows: in Section 2, we propose our taxonomy of intrusion response and risk assessment and describe their main elements. A review of recent IRS and IRA is also presented in that section. In Section 3, we discuss the current state of intrusion response and risk assessment, and suggest future research that can address the current weaknesses of IRS. Finally, in Section 4, we present our conclusions.

2 A TAXONOMY OF INTRUSION RESPONSE SYSTEMS AND RISK ASSESSMENT

The criteria we propose for classifying IRS and IRA techniques are discussed in this section. The characteristics of the proposed taxonomy are depicted in Figure 2. These criteria are based on an extensive review of the literature.

• Level of Automation: An important feature of an IRS is whether it can be fully automated or requires administrator intervention after each incident.
• Response Cost: Knowing the power of responses, so as to attune the response cost to the attack cost, plays a critical role in an IRS. The evaluation of the positive effects and negative impacts of responses is very important to identify the response cost.
• Response Time: This criterion refers to whether the response can be applied with some delay or before the attack affects the target.
• Adjustment Ability: Usually, an IRS framework is run with a number of pre-estimated responses. It is very important to readjust the strength of the responses depending on the attacks.
• Response Selection: The task of an IRS is to choose the best possible response. Existing techniques vary in the way response selection is achieved.
• Applying Location: There are different locations in the network at which to mitigate attacks. Each location has a different value in terms of online users and service dependencies.
• Deactivation Ability: Another distinguishing feature that separates IRSs is response deactivation (response life-time), which can take into account users' needs in terms of quality of service. Most countermeasures are temporary actions which have an intrinsic cost or induce side effects on the monitored system, or both [10].

Fig. 2: Taxonomy of Intrusion Response Systems.

2.1 Level of Automation

Depending on their level of automation, IRSs can be categorized as notification systems, manual response systems, and automated response systems.

2.1.1 Notification systems

Notification systems mainly generate alerts when an attack is detected. An alert contains information about the attack including the attack description, time of attack, source IP, destination IP, and user account [13], [61]. The alerts are then used by the administrator to select the applicable reactive measures, if any. This approach is not designed to prevent attacks or to bring the systems back to a safe mode. Its aim is to notify the system administrator so that an appropriate response can be selected.

2.1.2 Manual response systems

In these systems, there are some preconfigured sets of responses based on the type of attack. A preconfigured set of actions is applied by the administrator when a problem arises. This approach is more highly automated than the notification system approach [34], [65]. The challenge of this approach is the delay between the intrusion and the human response [13], [28].

2.1.3 Automated response systems

Unlike the two previous methods, which suffer from the delay between intrusion detection and response, automated response systems are designed to be fully automated, and no human intervention is required [31], [32]. One of the problems with this approach is the possibility that an inappropriate response will be executed when a problem arises [11]. Another challenge with executing an automated response is to ensure that the response is adequate to neutralize the attack.

2.2 Response cost

First, we define the term response cost as follows:

Definition 1 (Response Cost). Response cost is the impact of applying a response in our network in terms of the continuity of network services and users' needs. A strong response such as disabling a daemon has a strong ability to mitigate the attack and protect our network, but it has a very high impact on the continuity of network services and on online users.

Response cost evaluation is an important part of an IRS. Although many automated IRS have been proposed, most of them use statically evaluated responses, avoiding the need for dynamic evaluation [14]. However, the static model has its own drawbacks, which can be overcome using dynamic evaluation models for the responses. Dynamic evaluation will also more effectively protect a system from attack, as threats will be more predictable. Verifying the effect of a response in both dynamic mode and static mode is a challenge. There is a need to specify accurate parameters to evaluate the quality of the response. For example, if we have an Apache process under the control of an attacker, this process is now a gateway for the attacker to access the network. The accepted countermeasure would be to kill this potentially dangerous process. When we apply this response, we will increase our data confidentiality and integrity (C and I of CIA) if the process was doing some damage to our system. The negative impact is that we lose the Apache availability (A of CIA), since the Web server is now dead, which causes the user websites to be down. Let us imagine another scenario, where we have a process on a server consuming a considerable amount of CPU resources that is doing nothing but slowing down a machine (a kind of CPU DoS). This time, killing the process will improve service availability (system performance), but will not change anything in terms of data confidentiality and integrity. We now have two very different results for the same response. Also, the effects of some responses may depend on the network infrastructure. For example, applying a response inside the external DMZ is probably very different from doing so inside the LAN or "secure zone" in terms of CIA. Responses cannot be evaluated without considering the attacks themselves, which are generally divided into the following four categories [28], [29]:

1) Denial of service (DoS): The attacker tries to make resources unavailable to their intended users, or consumes resources such as bandwidth, disk space, or processor time. The attacker is not looking to obtain root access, and so there is not much permanent damage.
2) User to root (U2R): An individual user tries to obtain root privileges illegally by exploiting system vulnerabilities. The attacker first gains local access on the target machine, and then exploits system vulnerabilities to perform the transition from user to root level. After acquiring root privileges, the attacker can install backdoor entries for future exploitation and change system files to collect information [30].
3) Remote to local (R2L): The attacker tries to gain unauthorized access to a computer from a remote machine by exploiting system vulnerabilities.
4) Probe: The attacker scans a network to gather information and detect possible vulnerabilities. This type of attack is very useful to the attacker, in that it can provide information for the first step of a multi-step attack. Examples are the use of automated tools such as ipsweep, nmap, portsweep, etc.

In the first category, where the attacker attempts to slow down the system, we are looking for a response that can increase service availability (or performance). In the second and third categories, because the system is under the control of an attacker, we are looking for a response that can increase data confidentiality and integrity. In the fourth category, attackers attempt to gather information about possible vulnerabilities from the network. Thus, responses that improve data confidentiality and service availability are called for. A dynamic response model offers the best response based on the current situation of the network, and so the positive effects and negative impacts of the responses must be evaluated online at the time of the attack. Evaluating the cost of the response in online mode can be based on resource interdependencies, the number of online users, the users' privilege levels, etc. There are three types of response cost model:

2.2.1 Static cost model

The static response cost is obtained by assigning a static value based on an expert's opinion. So, in this approach, a static value is considered for each response ($RC_s = CONSTANT$). Lee et al. [28] proposed an intrusion response system based on cost factors. Attack damage and response costs have been statically defined based on four categories (ROOT, R2L, DoS, and PROBE). The maximum damage cost, 100, is assigned to the ROOT category, while the minimum damage cost, 2, is allocated to the PROBE category. The maximum response cost, 60, is assigned to the ROOT category when the attack is attempted from a remote host. In contrast, the minimum response cost, 5, is assigned to the PROBE category when the probing is done over a short period of time. In this work there is no list or evaluation of responses. The important feature of this work from the response cost point of view is that the response cost has a tight relationship with the attack category.

2.2.2 Static evaluated cost model

In this approach, a statically evaluated cost, obtained by an evaluation mechanism, is associated with each response ($RC_{se} = f(x)$). The response cost in the majority of existing models is statically evaluated. A common solution is to evaluate the positive effects of the responses based on their consequences on confidentiality, integrity, availability, and performance. To evaluate the negative impacts, we can consider the consequences for the other resources in terms of availability and performance [2], [40]. For example, after running a response that blocks a specific subnet, a Web server under attack is no longer at risk, but the availability of the service has decreased. After evaluating the positive effect and negative impact of each response, we then calculate the response cost. One solution is as Eq. 1 illustrates [11]; obviously, the higher RC, the better the response's position in the ordered list:

$$RC_{se} = \text{Positive effect} - \text{Negative impact} \qquad (1)$$

Papadaki and Furnell [67] proposed a static evaluated cost response system. To evaluate the characteristics of each response action, they have proposed the following parameters: counter-effects, stopping power, transparency, efficiency, and confidence level. Also, the proposed model assesses the static and dynamic contexts of the attack. A database for analyzing the static context is needed to manage important characteristics of an attack, such as targets, applications, vulnerabilities, and so on. In terms of evaluating the dynamic context of an attack, there are some interesting ideas embodied in the proposed model. The two main features of this model are: 1) the ability to easily propose different orders of responses for different attack scenarios; and 2) the ability to adapt decisions in response to changes in the environment.

Strasburg et al. [2] proposed a structured methodology for evaluating the cost of a response based on three parameters: operational cost (OC), impact of the response on the system (RSI), and response goodness (RG). The response cost model is $RC = OC + RSI - RG$. OC refers to the cost of setting up and developing responses. The RSI quantifies the negative effect of the response on the system resources. RG is defined based on two concepts: 1) the number of possible intrusions that the response can potentially address; 2) the amount of resources that can be protected by applying the response.

2.2.3 Dynamic evaluated cost model

The dynamic evaluated cost is based on the network situation ($RC_{de}$). We can evaluate the response cost online based on the dependencies between resources [6], [48] and online users. For example, the effect of terminating a dangerous process depends on the number of other entities (other processes, online users, etc.) that use this process. If the cost of terminating the process is high, then perhaps another response should be selected. Evaluating the response cost should take into account the resource dependencies, the number of online users, and the user privilege levels. In other words, we need an accurate cost-sensitive response system.
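As an added example (not code from the paper or from any of the surveyed systems), the following Python ranks candidate responses with the static evaluated cost of Eq. (1) and then refines it with the dependency-based dynamic impact of Section 2.2.3, so that the same "kill the process" response scores differently under U2R and DoS and the static and dynamic orderings can disagree. The network, resource values, online sessions, candidate responses and the per-category goal weights are constructed sample data and an assumed encoding of the CIA discussion above.

```python
"""Added example: ranking candidate responses with the static evaluated cost of
Eq. (1) and the dynamic, dependency-aware refinement of Section 2.2.3.
Resources, values, sessions and responses below are constructed sample data."""
from dataclasses import dataclass, field

# Dimensions a response should improve for each attack category (Section 2.2:
# DoS -> A and P, U2R/R2L -> C and I, Probe -> C and A); an assumed encoding.
GOAL_WEIGHTS = {
    "DoS":   {"C": 0.0, "I": 0.0, "A": 1.0, "P": 1.0},
    "U2R":   {"C": 1.0, "I": 1.0, "A": 0.0, "P": 0.0},
    "R2L":   {"C": 1.0, "I": 1.0, "A": 0.0, "P": 0.0},
    "Probe": {"C": 1.0, "I": 0.0, "A": 1.0, "P": 0.0},
}
# Weight of an online session the response would cut off, by privilege (assumed).
PRIV_WEIGHT = {"user": 0.1, "admin": 0.3}

@dataclass
class Resource:
    name: str
    value: float                     # importance in [0, 1], set by the operator
    depends_on: set = field(default_factory=set)

@dataclass
class Response:
    name: str
    effect: dict                     # gain per dimension in [0, 1] if it works
    disables: set                    # resources it takes down directly

def positive_effect(resp, category):
    """Positive-effect term of Eq. (1): only dimensions the category calls for count."""
    return sum(GOAL_WEIGHTS[category][dim] * gain for dim, gain in resp.effect.items())

def unavailable_closure(disabled, resources):
    """Resources that go down transitively when `disabled` go down."""
    lost = set(disabled)
    changed = True
    while changed:
        changed = False
        for res in resources.values():
            if res.name not in lost and res.depends_on & lost:
                lost.add(res.name)
                changed = True
    return lost

def negative_impact(resp, resources, sessions):
    """Returns (static, dynamic).  Static: value of resources disabled directly,
    which is all a static evaluated model sees.  Dynamic: value of dependents that
    also go down plus the online sessions that are cut off."""
    lost = unavailable_closure(resp.disables, resources)
    static = sum(resources[n].value for n in resp.disables)
    dependents = sum(resources[n].value for n in lost - resp.disables)
    users = sum(PRIV_WEIGHT[priv] for res, priv in sessions if res in lost)
    return static, dependents + users

def rank_responses(candidates, category, resources, sessions):
    """Ranks by RC_de (Eq. (1) minus the dynamic impact); RC_se is reported too."""
    scored = []
    for resp in candidates:
        pos = positive_effect(resp, category)
        static_neg, dyn_neg = negative_impact(resp, resources, sessions)
        rc_se = pos - static_neg          # Eq. (1): static evaluated cost
        rc_de = rc_se - dyn_neg           # dynamic evaluated cost
        scored.append((resp.name, round(rc_se, 3), round(rc_de, 3)))
    return sorted(scored, key=lambda t: t[2], reverse=True)

# Constructed network: a web shop served by httpd, which needs mysql; sshd for admins.
RESOURCES = {r.name: r for r in [
    Resource("mysql", 0.7),
    Resource("httpd", 0.5, {"mysql"}),
    Resource("webshop", 0.9, {"httpd"}),
    Resource("sshd", 0.3),
]}
# Constructed online sessions: (resource in use, privilege level).
SESSIONS = [("webshop", "user"), ("webshop", "user"), ("sshd", "admin")]
# Constructed candidates for an httpd process under the attacker's control.
CANDIDATES = [
    Response("kill_httpd", {"C": 0.8, "I": 0.8, "A": 0.6, "P": 0.7}, {"httpd"}),
    Response("block_attacker_ip", {"C": 0.5, "I": 0.5, "A": 0.2}, set()),
    Response("restart_host", {"C": 0.9, "I": 0.9, "A": 0.4}, {"httpd", "mysql", "sshd"}),
]

if __name__ == "__main__":
    for cat in ("U2R", "DoS"):
        print(cat, rank_responses(CANDIDATES, cat, RESOURCES, SESSIONS))
```

Under U2R, kill_httpd has the best static score (RC_se) but drops below block_attacker_ip once the web shop that depends on httpd and its online users are counted (RC_de).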

The dynamic evaluated response cost approach was first proposed in [34]. Toth and Kruegel [34] presented a network model that takes into account the relationships between users and resources, since users perform their activities by utilizing the available resources. The goal of a response model is to keep the system in as high a state of usability as possible. Each response alternative (which node to isolate) is inserted temporarily into the network model and a calculation is performed to determine which response has the lowest negative impact on services. In this model, every service has a static cost, and there is only the "block IP" response to evaluate as a way to repel an attack. When the IDS detects an incoming attack, an algorithm attempts to find the firewall/gateway that can effectively minimize the penalty cost of the response action.

2.3 Response time

In terms of response time, IRSs can be classified into two categories: Delayed and Proactive [13], [41]. In the delayed mode, the responses are formulated only after an intrusion is detected. Most existing IRS use this approach (e.g., [2], [67]), although it is known to be ineffective for maximum security. This is because an attack can cause serious harm (such as stealing confidential information) before an IDS can detect it. Take, for example, the case where an attacker gains access to an unauthorized database. An IDS may detect this intrusion only after the attacker has illegally gained possession of critical information. In such a case, a delayed response would not be useful. Another important limitation of the delayed approach is that it is often difficult (if not impossible) to return the system to a healthy state because of the damage that an attack may cause before it is detected [18]. In contrast, the proactive approach aims to control and prevent a malicious activity before it happens. This approach is considered critical for defending hosts and networks against attacks. A proactive IRS needs an intrusion prediction mechanism that usually relies on probability measures [42], and it is often hard to guarantee that the prediction result is 100% accurate [13].

In [3], Stakhanova et al. proposed a proactive IRS. This model focuses on detecting anomalous behavior in software systems. It monitors system behavior in terms of system calls, and has a two-level classification mechanism to detect intrusions. In the first detection step, when both normal and abnormal patterns are available, the model attempts to determine what kind of pattern is triggered when sequences of system calls are monitored. If the sequences do not match the normal or abnormal patterns, the system relies on machine learning techniques to establish whether the system is normal or anomalous. These authors have presented a response system that is automated, cost-sensitive, preemptive, and adaptive. The response is triggered before the attack completes.

Haslum et al. [29] proposed a real-time intrusion prevention model. They designed a prediction model based on the hidden Markov model (HMM) to model the interaction between the intruder and the network [68]. The proposed HMM is based on four states: Normal, Intrusion Attempt, Intrusion in Progress, and Successful Attack. When the attacker obtains the results sought by an attack step, the system moves from the Normal state to the Intrusion Attempt state, and so on. When the probability of the Normal state goes down, the probabilities of the other states go up. That model can detect the U2R, R2L, and PROBE categories of attacks, but not the DoS category.

2.4 Adjustment ability

There are two types of adjustment models: Non-adaptive and Adaptive [13], [66]. In the non-adaptive model, the order of the responses remains the same during the life of the IRS software. In fact, there is no mechanism for tracing the behavior of the deployed responses. Tanachaiwiwat et al. [65] proposed a non-adaptive response system. Although they claim that their method is adaptive, they have, in fact, implemented a non-adaptive mechanism. They point out that verifying the effectiveness of a response is quite expensive. They check IDS efficiency, alarm frequency (per week), and damage cost in order to select the best strategy. The alarm frequency reveals the number of alarms triggered per attack, and the damage cost assesses the amount of damage that could be caused by the attacker. An appropriate list of responses is available in the proposed model.

In the adaptive model, the system has the ability to automatically and appropriately adjust the order of the responses based on response history [13].
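The adaptive adjustment just described, implemented with the success/failure response goodness measure of Definition 2 and Eq. (2) below and the plus-or-minus-one success factor of Stakhanova et al. [3], as an added example that is not the paper's or any surveyed system's code. The response names, their static costs, the outcome sequence, and the choice of a neutral goodness of 0 for a response with no history are constructed assumptions.

```python
"""Added example: adaptive response ordering with the response goodness measure
(Definition 2 and Eq. (2)).  Each response keeps a history of successes (S) and
failures (F); its effectiveness is its cost-based score RC times G(t), and the
response list is re-ordered from that after every applied response."""
from dataclasses import dataclass


@dataclass
class ResponseRecord:
    name: str
    rc: float                   # RC_s, RC_se or RC_de from Section 2.2 (constructed)
    successes: int = 0          # running sum of S_i
    failures: int = 0           # running sum of F_j

    def goodness(self):
        """G(t) = (sum S - sum F) / (sum S + sum F); assumed 0 (neutral) with no history."""
        total = self.successes + self.failures
        if total == 0:
            return 0.0
        return (self.successes - self.failures) / total

    def effectiveness(self):
        """R_effectiveness(t) = RC x G(t), recomputed from the full history."""
        return self.rc * self.goodness()

    def record(self, succeeded):
        """Stakhanova et al. [3]: success factor +1 on success, -1 otherwise."""
        if succeeded:
            self.successes += 1
        else:
            self.failures += 1


class AdaptiveResponseList:
    def __init__(self, responses):
        self.responses = {r.name: r for r in responses}

    def order(self):
        """Highest effectiveness first; ties broken by RC so that untried
        responses (G = 0) keep the static ordering among themselves."""
        ranked = sorted(self.responses.values(),
                        key=lambda r: (r.effectiveness(), r.rc), reverse=True)
        return [r.name for r in ranked]

    def select(self):
        """The response an IRS would apply next."""
        return self.order()[0]

    def feedback(self, name, succeeded):
        """Feeds the observed outcome back and returns the re-ordered list."""
        self.responses[name].record(succeeded)
        return self.order()


def replay(response_list, outcomes):
    """Applies a sequence of (response, succeeded) observations; returns the final order."""
    order = response_list.order()
    for name, ok in outcomes:
        order = response_list.feedback(name, ok)
    return order


# Constructed history: blocking the source address keeps failing (the attacker
# changes address), while killing the compromised process works.
OUTCOMES = [("block_attacker_ip", True), ("block_attacker_ip", False),
            ("block_attacker_ip", False), ("kill_httpd", True),
            ("kill_httpd", True), ("block_attacker_ip", False)]

if __name__ == "__main__":
    lst = AdaptiveResponseList([ResponseRecord("block_attacker_ip", 1.0),
                                ResponseRecord("kill_httpd", 0.9),
                                ResponseRecord("restart_host", 0.3)])
    print("static order:  ", lst.order())
    print("adaptive order:", replay(lst, OUTCOMES))
```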

Definition 2 (Response Goodness (G)). Response goodness represents the history of success (S) and failure (F) of each response in mitigating attacks over time.

The response goodness concept was introduced by [3], [66]. This parameter guarantees that our model will be adaptive and helps the IRS to prepare the best set of responses over time. The following procedure can be used to convert a non-adaptive model to an adaptive one [3]:

$$Goodness(t) = \frac{\sum_{i=1}^{n} S_i - \sum_{j=1}^{m} F_j}{\sum_{i=1}^{n} S_i + \sum_{j=1}^{m} F_j}$$
$$R_{effectiveness}(t) = (RC_s \mid RC_{se} \mid RC_{de}) \times G(t)$$
$$R_{effectiveness}(t+1) = R_{effectiveness}(t) \times G(t+1) \qquad (2)$$

Foo et al. [66] presented a graph-based approach, called ADEPTS. The responses for the affected nodes are based on parameters such as the confidence level of the attack, previous measurements of responses in similar cases, etc. The model is adaptive, and ADEPTS uses a feedback mechanism to estimate the success or failure of an applied response.

Stakhanova et al. [3] proposed an adaptive IRS. There is a mapping between system resources, response actions, and intrusion patterns which has to be defined in advance. Whenever a sequence of system calls matches a prefix in an abnormal graph, the response algorithm decides whether to repel the attack or not, based on a confidence level threshold. Multiple candidate responses may be available, and the one with the least negative effect is selected based on utility theory. The effectiveness of each applied response is measured for future response selection. If the selected response succeeds in neutralizing the attack, its success factor is increased by one; otherwise it is decreased by one.

Chen et al. [58] proposed an intrusion detection and prevention system based on firewalls. The idea is an attack response matrix which maps attack types to some responses. They do not consider trading off security enforcement levels against system performance.

2.5 Response selection

There are three response selection models: static mapping, dynamic mapping, and cost-sensitive mapping.

2.5.1 Static mapping

An alert is mapped to a predefined response. This model is easy to build, but its weakness is that the response measures are predictable by attackers [34].

2.5.2 Dynamic mapping

The responses of this model are based on multiple factors, such as the system state, attack metrics (frequency, severity, confidence, etc.), and the network policy [31]. In other words, responses to an attack may differ, depending on the targeted host, for instance. One drawback of this model is that it does not learn anything from attack to attack, so the intelligence level remains the same until the next upgrade [32], [33]. Curtis et al. [31], [59], [60] propose a complex dynamic mapping based on an agent architecture (AAIRS). In AAIRS, multiple IDS monitor a host and generate alarms. The alarms are first processed by the Master Analysis agent. This agent indicates the confidence level of the attack and passes it on to an Analysis agent, which then generates a response plan based on the degree of suspicion, attack time, attacker type, attack type, attack implications, response goal, and policy constraints.

2.5.3 Cost-sensitive mapping

This is an interesting technique that attempts to attune intrusion damage and response cost [11], [34].

Definition 3 (Intrusion Damage Cost). Intrusion damage cost represents the "amount of damage to an attack target when the IDS and other protective measures are either unavailable or ineffective" [8].

The results of a risk assessment are very important in terms of minimizing the performance cost of applying strong responses, as a weak response is enough to mitigate a weak attack. Some cost-sensitive approaches have been proposed (e.g., [3], [66], [67]) that use an offline risk assessment component, which is calculated by evaluating all the resources in advance. The value of each resource is static. In contrast, online risk assessment components can help accurately measure intrusion damage. The challenge with online risk assessment is the accuracy of calculating intrusion damage. In case of inaccurate calculation, the IRS may select an unduly high-impact response for the network or apply a response that is too weak.

Lee et al. [28] proposed a cost-sensitive model based on three factors: 1) operational cost, which refers to the cost of processing the stream of events by an IDS; 2) damage cost, the amount of damage to a resource caused by an attacker when the IDS is ineffective; and 3) response cost, which is the cost of applying a response when an attack is detected.

Balepin et al. [50] presented a dynamic cost-sensitive model and a response cost model. They proposed a local resource dependency model to evaluate responses. Their approach considers the current state of the system so as to calculate the response cost. Each resource has common response measures associated with the current state. The authors argue that designing a model to assess the value of each resource is a difficult task, so they rank the resources by their importance to produce a cost configuration. Then, static costs are assigned to high-priority resources. Costs are injected into the resource dependency model when associated resources are involved in an incident. A particular response for a node is selected based on three criteria: 1) response benefit: the sum of the costs of the resources that the response action restores to a working state; 2) response cost: the sum of the costs of the resources that are negatively affected by the response action; and 3) attack cost: the sum of the costs of the resources that are negatively affected by the intruder. This approach suffers from multiple limitations. First, it is not clear how the response benefit is calculated in terms of confidentiality and integrity. Secondly, restoring the state of resources alone cannot be used to evaluate the positive effect of a response [48]. Finally, the proposed model is applicable to host-based intrusion response systems. Its application to network-based intrusion response requires significant modifications to the cost model [48].

Mu and Li [11] presented a hierarchical task network planning model to repel intrusions. In their approach, every response has an associated static risk threshold that can be calculated as its ratio of positive to negative effects. The permission to run each response is based on the current risk index of the network. When the risk index is greater than the response's static threshold, the next response is allowed to run. The authors proposed a response selection window, where the most effective responses are selected to repel intrusions. There is no evaluation of responses in this work. Also, it is unclear how the positive and negative effects of responses have been calculated. In that framework, the communication component is responsible for receiving alerts from multiple IDSs. The authors proposed to use intrusion response planning to find a sequence of actions that achieve a response goal. These goals are the same as those in [31]: analyze the attack, capture the attack, mask the attack, maximize confidentiality, maximize integrity, recover gracefully, a
