ARITO: Cyber-attack response system using accurate risk impact tolerance

Regular Contribution, International Journal of Information Security

Abstract

We propose a novel approach for automated intrusion response systems that assesses the value of the loss a compromised resource could suffer. A risk assessment component measures the risk impact and is tightly integrated with the response system component. When the total risk impact exceeds a threshold, the response selection mechanism applies one or more responses. A multi-level response selection mechanism gauges the intrusion damage (attack progress) relative to the response impact. The model includes a feedback mechanism that measures the goodness of each response and indicates the new risk level after the response(s) have been applied. Not only does the proposed model constitute a novel online mechanism for activating and deactivating responses based on the online risk impact, it also addresses, at a finer level of detail, the factors inherent in assessing risk and calculating response effectiveness. We have designed a sophisticated multi-step attack that penetrates Web servers and acquires root privilege. Our simulation results illustrate the efficiency of the proposed model and confirm the feasibility of the approach in real time. At the end of the paper, we discuss the various ways in which an attacker might succeed in completely bypassing our response system.

Acknowledgments

The support of the Natural Sciences and Engineering Research Council of Canada (NSERC), Ericsson Software Research, and Defence Research and Development Canada (DRDC) is gratefully acknowledged.

Corresponding author

Correspondence to Alireza Shameli-Sendi.

Cite this article

Shameli-Sendi, A., Dagenais, M. ARITO: Cyber-attack response system using accurate risk impact tolerance. Int. J. Inf. Secur. 13, 367–390 (2014). https://doi.org/10.1007/s10207-013-0222-9
