Abstract
One of the most controversial issues in intrusion detection is automating responses to intrusions. An automated response can react to an attack in progress more efficiently, more quickly, and more precisely than a human can. However, it also brings several disadvantages, including a potential waste of resources, which have so far prevented wide acceptance of systems with automated response enabled. We feel that a structured approach to the problem is needed, one that accounts for the above-mentioned disadvantages. In this work, we first briefly describe what has been done in the area before. Then we begin addressing the problem by coupling automated response with specification-based, host-based intrusion detection. We describe the system map and the map-based action cost model, which together give us the basis for deciding on a response strategy. We also show the process of suspending the attack and designing the optimal response strategy, even in the presence of uncertainty. Finally, we discuss implementation issues and our experience with the early automated response agent prototype, the Automated Response Broker (ARB), and suggest topics for further research.
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
Cite this paper
Balepin, I., Maltsev, S., Rowe, J., Levitt, K. (2003). Using Specification-Based Intrusion Detection for Automated Response. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_8
DOI: https://doi.org/10.1007/978-3-540-45248-5_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40878-9
Online ISBN: 978-3-540-45248-5