
Research On Automated Intrusion Response System

Posted on: 2005-11-20  Degree: Master  Type: Thesis
Country: China  Candidate: Y Ding  Full Text: PDF
GTID: 2168360152967256  Subject: Computer Science and Technology
Abstract/Summary:
With the continuous development of the Internet, network intrusion techniques keep evolving and pose an ever greater threat. Current research on preventing intrusions focuses on the Intrusion Detection System (IDS), while many Intrusion Response Systems (IRS) are still limited to manual response. Because it responds slowly and cannot keep up with the large number of events in a high-speed, large-scale network, a manual IRS no longer satisfies the requirements of intrusion response. On the other hand, research on the Automated Intrusion Response System (AIRS) is still in its early stage. The classification-based decision model is widely used, but many AIRSs take only a few factors into consideration, so they cannot always make reasonable decisions.

This thesis studies an AIRS aimed at protecting a local area network, taking the intrusion prevention system MONSTER as its application background. The AIRS studied here takes the events generated by a misuse IDS as its input. Owing to its inherent limitations, a misuse IDS may generate multiple events for a single attack, so the first problem studied is redundancy elimination: preprocessing the input by merging redundant events so that the AIRS does not take unnecessary responses. The thesis first makes a systematic analysis of the correlation features between redundant events, namely the attack-class constraint, the spatial constraint and the timing constraint. For the spatial constraint, all spatial possibilities of an attack are enumerated; for the timing constraint, a relative mean square error model is used to describe the feature. Each redundancy instance is described by a rule, and the Real-time Aggregation based Redundancy Elimination algorithm (RARE) is put forward to eliminate redundant events in real time according to the rule set.

Response decision is a key problem in the study of AIRS.
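Before turning to response decision, the following is an added illustration (not code from the thesis or from MONSTER) of the RARE-style aggregation step described above: events from a misuse IDS are matched against rules that carry an attack-class constraint, one of a small enumerated set of spatial patterns, and a timing bound. The timing model is an assumption made here for illustration: an event joins an open aggregate only if the relative root-mean-square error of the inter-arrival gaps stays below a per-rule bound, so a burst that stops being periodic is closed and a new one started. Rule names, the sample event stream and the three spatial patterns are all constructed for this example.

```python
"""RARE-style real-time aggregation of redundant misuse-IDS events (illustrative)."""
from dataclasses import dataclass
from statistics import mean
import math


@dataclass(frozen=True)
class Event:
    ts: float           # seconds
    attack_class: str   # class label assigned by the misuse IDS
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    """One redundancy instance: class constraint + spatial pattern + timing bound."""
    name: str
    attack_class: str    # attack-class constraint
    spatial: str         # spatial constraint: "same_pair", "same_src" or "same_dst"
    window: float        # max gap (s) between consecutive events of one aggregate
    max_rel_rmse: float  # timing constraint: bound on relative RMSE of the gaps (assumed model)


@dataclass
class Aggregate:
    rule: Rule
    events: list

    def rel_rmse_with(self, ts: float) -> float:
        """Relative RMSE of inter-arrival gaps if an event at `ts` were appended."""
        stamps = [e.ts for e in self.events] + [ts]
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            return 0.0  # too few gaps to judge periodicity
        m = mean(gaps)
        if m <= 0:
            return 0.0
        return math.sqrt(mean((g - m) ** 2 for g in gaps)) / m


def spatial_key(rule: Rule, e: Event) -> tuple:
    """Enumerated spatial patterns: repeated pair, one source fanning out, many sources on one target."""
    if rule.spatial == "same_pair":
        return (e.src, e.dst)
    if rule.spatial == "same_src":
        return (e.src,)
    if rule.spatial == "same_dst":
        return (e.dst,)
    raise ValueError(f"unknown spatial pattern {rule.spatial!r}")


def rare(events, rules):
    """Merge redundant events in arrival order; return [(representative_event, merged_count), ...]."""
    open_aggs: dict = {}
    out = []

    def flush(key):
        agg = open_aggs.pop(key)
        out.append((agg.events[0], len(agg.events)))

    for e in sorted(events, key=lambda x: x.ts):
        # real-time expiry: close every aggregate whose window has elapsed
        for key, agg in list(open_aggs.items()):
            if e.ts - agg.events[-1].ts > agg.rule.window:
                flush(key)
        matched = False
        for rule in rules:
            if rule.attack_class != e.attack_class:
                continue  # attack-class constraint not met
            key = (rule.name, spatial_key(rule, e))
            agg = open_aggs.get(key)
            if agg is not None and agg.rel_rmse_with(e.ts) > rule.max_rel_rmse:
                flush(key)  # timing constraint violated: the earlier burst is over
                agg = None
            if agg is None:
                open_aggs[key] = Aggregate(rule, [e])
            else:
                agg.events.append(e)
            matched = True
            break
        if not matched:
            out.append((e, 1))  # no rule covers this event: pass it through untouched
    for key in list(open_aggs):
        flush(key)
    return out


def elimination_ratio(raw, merged) -> float:
    return len(raw) / len(merged)


RULES = [
    Rule("scan-burst", "port_scan", "same_src", window=5.0, max_rel_rmse=0.5),
    Rule("sqli-repeat", "sql_injection", "same_pair", window=5.0, max_rel_rmse=0.5),
]

# constructed sample stream (not real IDS output)
SAMPLE = [
    *[Event(0.5 * i, "port_scan", "10.0.0.5", f"10.0.1.{i}") for i in range(5)],
    Event(100.0, "sql_injection", "198.51.100.7", "10.0.2.10"),
    Event(100.2, "sql_injection", "198.51.100.7", "10.0.2.10"),
    Event(100.3, "sql_injection", "203.0.113.9", "10.0.2.10"),
    Event(100.4, "sql_injection", "198.51.100.7", "10.0.2.10"),
    Event(103.0, "sql_injection", "198.51.100.7", "10.0.2.10"),  # breaks the periodic pattern
    Event(200.0, "dns_amplification", "192.0.2.1", "10.0.3.3"),  # no rule: passed through
]

if __name__ == "__main__":
    merged = rare(SAMPLE, RULES)
    for rep, n in merged:
        print(f"{rep.attack_class:18} {rep.src:>14} -> {rep.dst:<10} x{n}")
    print("elimination ratio:", elimination_ratio(SAMPLE, merged))
```

On the constructed stream the five scan events collapse into one, the three periodic SQL-injection events from one source collapse into one, and the late event at 103 s is kept apart because it breaks the timing pattern; eleven raw events become five aggregated ones. The elimination ratio reported for the thesis's own test data (above 10) depends on how bursty its IDS output was, so the number here is only the arithmetic of this sample.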
Current AIRSs adopt the traditional classification-based response decision model. Its deficiency is that it lacks a unified response goal, and its response policy does not adapt well to changes in the environment. This thesis puts forward the Cost-based Optimal Response Decision model (CORD), inspired by Wenke Lee's cost-sensitive model. CORD takes into account both the threat of the attack and the cost of the response, and chooses the optimal response from the overall perspective. The model involves three classes of cost: Residual Damage Cost (RDC), Response Operation Cost (ROC) and Negative Response Cost (NRC). The thesis gives a quantification method for RDC and converts the quantification of the other two costs into damage cost, thereby unifying the quantification of all three classes.

RARE and CORD are applied in MONSTER and assessed there. In the experiment, RARE effectively eliminates redundant events from the stream of primitive events, and the elimination ratio on the test data set is above 10. In addition, the completeness of the algorithm can be guaranteed by borrowing the functionality of the Macroscopic Attack Behavior Analysis Module to help extract rules. CORD takes many factors into account and makes reasonable decisions by ranking the possible responses for a specific attack and choosing the best one. Moreover, its response policy can be adjusted easily as the environment changes, and it extends readily to new response methods. Finally, the thesis looks ahead to future research on AIRS by discussing the prospect of using composite attack detection and attack prediction techniques in response decision.
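The following is an added illustration, not the thesis's own quantification, of what a CORD-style decision looks like once all three costs are expressed in damage-cost units. The formulas are assumptions made for this example: RDC is the attack's expected damage discounted by the alert's true-positive confidence and by the fraction of damage the response prevents; ROC is the response's own operating cost; NRC is the harm the response does to legitimate activity, scaled by an environment weight that an operator can raise when availability matters more. The attack, response catalogue and environment values are constructed.

```python
"""CORD-style cost-based response ranking (illustrative; cost formulas are assumptions)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attack:
    name: str
    damage: float      # expected damage cost if the attack runs unhindered
    confidence: float  # probability the alert is a true positive (0..1)


@dataclass(frozen=True)
class Response:
    name: str
    effectiveness: float  # fraction of the damage this response prevents
    op_cost: float        # ROC: operating cost, already in damage-cost units
    collateral: float     # harm to legitimate activity, in damage-cost units


@dataclass(frozen=True)
class Environment:
    asset_value: float = 1.0          # scales damage (criticality of the protected segment)
    availability_weight: float = 1.0  # scales collateral (how much legitimate service matters now)


def residual_damage_cost(a: Attack, r: Response, env: Environment) -> float:
    """RDC: damage that still gets through after the response (assumed formula)."""
    return a.confidence * a.damage * env.asset_value * (1.0 - r.effectiveness)


def response_operation_cost(r: Response) -> float:
    """ROC: what executing the response itself costs."""
    return r.op_cost


def negative_response_cost(r: Response, env: Environment) -> float:
    """NRC: damage the response inflicts on legitimate use, weighted by current availability needs."""
    return r.collateral * env.availability_weight


def rank_responses(a: Attack, responses, env: Environment):
    """Order every candidate response for this attack by total cost, lowest first."""
    table = []
    for r in responses:
        rdc = residual_damage_cost(a, r, env)
        roc = response_operation_cost(r)
        nrc = negative_response_cost(r, env)
        table.append((r.name, rdc, roc, nrc, rdc + roc + nrc))
    return sorted(table, key=lambda row: row[4])


def decide(a: Attack, responses, env: Environment) -> str:
    """The optimal response is simply the head of the ranking."""
    return rank_responses(a, responses, env)[0][0]


# constructed catalogue; supporting a new response method is just another entry
RESPONSES = [
    Response("no_op", 0.0, 0.0, 0.0),
    Response("rate_limit_src", 0.5, 5.0, 10.0),
    Response("block_src", 0.9, 10.0, 50.0),
    Response("isolate_host", 1.0, 200.0, 400.0),
]

if __name__ == "__main__":
    env = Environment()
    for conf in (0.9, 0.1):
        attack = Attack("sql_injection", damage=1000.0, confidence=conf)
        print(f"confidence={conf}")
        for name, rdc, roc, nrc, total in rank_responses(attack, RESPONSES, env):
            print(f"  {name:15} RDC={rdc:7.1f} ROC={roc:6.1f} NRC={nrc:7.1f} total={total:7.1f}")
    busy = Environment(availability_weight=20.0)
    print("peak hours:", decide(Attack("sql_injection", 1000.0, 0.9), RESPONSES, busy))
```

With a confident alert the ranking picks block_src; with a low-confidence alert the residual damage term shrinks and the cheaper, less disruptive rate limit wins; raising the availability weight (peak business hours) makes the collateral of blocking outweigh its benefit, again shifting the decision to rate limiting. That is the adaptivity the abstract claims for CORD: the policy changes through the environment parameters, not through rewriting per-class rules.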
Keywords/Search Tags: Network Intrusion, Automated Intrusion Response System, Real-Time Aggregation, Redundancy Elimination, Response Decision, Cost