
Automated Intrusion Response System Research And Implementation

Posted on: 2009-06-04
Degree: Master
Type: Thesis
Country: China
Candidate: H S Zhang
Full Text: PDF
GTID: 2208360272456213
Subject: Computer application technology

Abstract/Summary:
With the development of networks and information systems, security problems have become more serious than ever. As attack tools become more complex and automated, traditional static response strategies can no longer satisfy the requirements of intrusion response, and automatic response techniques have become a focus of recent research. However, the Automated Intrusion Response System (AIRS) is still at a primitive stage. Many technical problems, such as how to enhance the efficiency of the response, reduce the damage to the system, and achieve speed, rationality and intelligence, have not been solved completely. This paper takes the existing intrusion detection system as its application background and studies intrusion response technology.

Firstly, this paper introduces the basic knowledge of IRS, including the state of research abroad and at home, the main system models and the key response technologies, and then analyzes the main related problems of IRS.

Secondly, aiming at the current problem that the number of raw alerts is too large and their quality too low, a model that deeply processes the raw alerts is presented, in which filter-fusion and correlation technologies are introduced. In order to find the real purpose of an attack, a Plan Recognition algorithm is presented after an introduction to other correlation approaches. Experiments are then carried out using the DARPA IDS evaluation dataset developed by the MIT Lincoln Laboratory in 2000, which show that this model can reduce the number of alerts, reconstruct the attack process and improve the quality of alerts. The performance of this model lays the groundwork for correct response decision-making later.

Finally, based on the summary of IRS studies, an automatic model of an intrusion response system is presented. The model first introduces a diffluence agent in order to reduce response time and improve response efficiency according to the result of the response. This paper then puts forward the Cost based Optimal Response Decision model (CORD), inspired by Wenke Lee's cost-sensitive model. This model takes into account the threat of the attack, the negative response cost and the cost of the response, and achieves an optimal response choice, which is validated by related experiments.
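A worked illustration of the cost-based response decision described above, added here and not taken from the thesis: the cost formula, the response catalogue and the alert values are all assumptions constructed for this example, in the spirit of the CORD idea and Wenke Lee's cost-sensitive framework (respond only when the expected damage outweighs the response and negative costs).

```python
from dataclasses import dataclass

# Assumed cost model (not the thesis's own): each candidate response carries an
# operational cost, a negative cost (collateral harm to legitimate service) and
# an assumed effectiveness, i.e. the fraction of attack damage it prevents.
@dataclass(frozen=True)
class Response:
    name: str
    rcost: float          # cost of carrying out the response
    ncost: float          # negative response cost (collateral damage)
    effectiveness: float  # fraction of damage prevented, 0.0 .. 1.0

# Doing nothing is always a candidate; its only cost is the damage it allows.
NO_RESPONSE = Response("no response", 0.0, 0.0, 0.0)

# Constructed sample catalogue, ordered from mild to drastic.
CANDIDATES = [
    Response("rate-limit source", rcost=2.0, ncost=1.0, effectiveness=0.50),
    Response("block source IP", rcost=5.0, ncost=10.0, effectiveness=0.95),
    Response("isolate host", rcost=20.0, ncost=50.0, effectiveness=1.00),
]

def expected_total_cost(dcost: float, confidence: float, r: Response) -> float:
    """Expected cost of choosing r against an alert whose attack would cause
    damage dcost, where confidence is the detector's estimated probability
    that the alert is a true positive (so damage only accrues with that
    probability), while rcost and ncost are paid in full whenever we act."""
    residual_damage = confidence * dcost * (1.0 - r.effectiveness)
    return residual_damage + r.rcost + r.ncost

def choose_response(dcost: float, confidence: float, candidates) -> Response:
    """Pick the option (including doing nothing) with the lowest expected cost."""
    options = [NO_RESPONSE, *candidates]
    return min(options, key=lambda r: expected_total_cost(dcost, confidence, r))

def decide_for_alerts(alerts, candidates=CANDIDATES) -> dict:
    """Map each constructed alert (name -> (dcost, confidence)) to a decision."""
    return {name: choose_response(d, c, candidates).name
            for name, (d, c) in alerts.items()}

if __name__ == "__main__":
    # Constructed alerts: (damage cost if the attack succeeds, detector confidence)
    sample_alerts = {
        "port scan": (5.0, 0.9),          # cheap to ignore: response costs more
        "brute-force login": (200.0, 0.9),  # blocking the source pays off
        "worm propagation": (2000.0, 0.9),  # only full isolation is cheap enough
    }
    for alert, decision in decide_for_alerts(sample_alerts).items():
        print(f"{alert:20s} -> {decision}")
```

The low-value alert is deliberately left unanswered, since every active response would cost more than the damage it prevents, which is the core of the cost-sensitive argument.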
Keywords/Search Tags: Automated Intrusion Response, plan recognition, the best choice of the cost