
Using Specification-Based Intrusion Detection for Automated Response

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2820))

Abstract

One of the most controversial issues in intrusion detection is automating responses to intrusions, which can provide a more efficient, quicker, and more precise way to react to an attack in progress than a human can. However, it comes with several disadvantages that can lead to a waste of resources, which has so far prevented wide acceptance of automated response-enabled systems. We feel that a structured approach to the problem is needed that will account for the above-mentioned disadvantages. In this work, we briefly describe what has been done in the area before. Then we start addressing the problem by coupling automated response with specification-based, host-based intrusion detection. We describe the system map and the map-based action cost model that give us the basis for deciding on a response strategy. We also show the process of suspending the attack and designing the optimal response strategy, even in the presence of uncertainty. Finally, we discuss the implementation issues and our experience with the early automated response agent prototype, the Automated Response Broker (ARB), and suggest topics for further research.




Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Balepin, I., Maltsev, S., Rowe, J., Levitt, K. (2003). Using Specification-Based Intrusion Detection for Automated Response. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_8


  • DOI: https://doi.org/10.1007/978-3-540-45248-5_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40878-9

  • Online ISBN: 978-3-540-45248-5

  • eBook Packages: Springer Book Archive
