research-article

Model-Based Response Planning Strategies for Autonomic Intrusion Protection

Published: 16 April 2018

Abstract

The continuous increase in the quantity and sophistication of cyberattacks is making it more difficult and error-prone for system administrators to handle the alerts generated by intrusion detection systems (IDSs). To deal with this problem, several intrusion response systems (IRSs) have recently been proposed. IRSs extend IDSs by providing an automatic response to the detected attack. Such a response is usually selected either through a static attack-response mapping or by quantitatively evaluating all available responses against a set of predefined criteria. In this article, we introduce a probabilistic model-based IRS built on the Markov decision process (MDP) framework. In contrast to most existing approaches to intrusion response, the proposed IRS captures the dynamics of both the defended system and the attacker, and it is able to compose atomic response actions into optimal multiobjective long-term response policies that protect the system. We evaluate the effectiveness of the proposed IRS by showing that long-term response planning always outperforms short-term planning, and we conduct a thorough performance assessment to show that the proposed IRS can be adopted to protect large distributed systems at runtime.


Published In

ACM Transactions on Autonomous and Adaptive Systems, Volume 13, Issue 1
March 2018
184 pages
ISSN: 1556-4665
EISSN: 1556-4703
DOI: 10.1145/3208359

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 16 April 2018
Accepted: 01 November 2017
Revised: 01 April 2017
Received: 01 September 2016
Published in TAAS Volume 13, Issue 1

Author Tags

1. Intrusion response system
2. Autonomic intrusion protection

Qualifiers

• Research-article
• Research
• Refereed

Funding Sources

• Pacific Northwest National Laboratory under U.S. Department of Energy
