Active Network-based Adaptive Intrusion Response System

Posted on: 2004-10-30
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Gan
GTID: 2208360095960151
Subject: Computer application technology

Abstract/Summary:
For users, the detector and the responder are equally important in counteracting network-based intrusion. For a long time, however, the two have not received the same research attention, and research on response techniques has been neglected. The majority of current network security systems react to attacks by generating reports or alarms. The system administrator then initiates a manual response action. This introduces a window of vulnerability between when an intrusion is detected and when action is taken to defend against the attack. Manual responses do not counter automated and sophisticated attacks in a desirable manner. Furthermore, current network security technology lacks cooperation and correlation between individual security systems. Current security systems detect intrusions locally and respond locally. Such technology cannot identify the true source of an attack or respond to the attacker effectively at the level of the entire network. Existing approaches to defending against DDoS intrusions simply shut down the service or even the whole system. This is not feasible for some crucial services, and even where the application can tolerate it, it is obviously not a superior strategy.

This paper sets up a security system that correlates routers, switches, firewalls, and hosts. The system uses active network concepts and technology to respond automatically to DDoS attacks at the level of the entire network. Through intrusion tracing, it can block, contain and isolate an intrusion close to its source.

The Adaptive Intrusion Response System (AIRS) responds to intrusions automatically and supports multiple IDSs, which monitor the network and generate intrusion alarms. AIRS classifies whether an incident is a continuation of an existing incident or a new attack, analyzes the incident dynamically, catalogs the attack, and limits the response based on legal, ethical, institutional or resource constraints. Adaptive intrusion response strategies are suggested based on the alarm confidence, attack frequency, assessed risk, and estimated response costs.

In addition, this paper describes the function and the technical details of a few response modules, which include Intrusion Blocking and Containing, Intrusion Traceback, Honeypots and Dual-Computer System. Finally, it describes the test results of this project.
Keywords/Search Tags: Intrusion Response, Active Network, alarm confidence, risk assessment