A Cost-Sensitive Model for Preemptive Intrusion Response Systems. The IEEE 21st International Conference on Advanced Information Networking and Applications (AINA-07). Natalia Stakhanova, Samik Basu, Johnny Wong, Department of Computer Science, Iowa State University.
Intrusion incident handling
• intrusion prevention: actions to prevent the occurrence of an attack
• intrusion detection: detecting inappropriate, incorrect, or anomalous activity (under active research in the 1990s)
• intrusion response: actions to stop attacks and ensure the safety of the computing environment (the focus of current research)
Intrusion response systems
• By response selection mechanism
• static selection: mapping of an alert to a predefined response, e.g. pH (Somayaji’00), CITRA (Schnackenberg’01), BSML-based (Uppuluri’00), FLIPS (Locasto’05); self-healing systems (Grizzard’04, Sidiroglou’05, Qin’05)
• dynamic selection: the response is selected based on certain attack metrics (confidence, severity of the attack), e.g. EMERALD (Porras’97)
• cost-based selection: based on a cost-sensitive model that incorporates intrusion damage and response cost factors, e.g. ADEPTS (Foo’05), Balepin’03, Lee’00
Desired characteristics of an intrusion response system
• automatic selection & deployment of responses
• preemptive invocation of responses, before the attack completes
• adaptiveness of the response mechanism: run-time adjustment of response selection according to the system state
• cost-sensitive selection of the response action: balancing intrusion damage & response cost
Proposed approach
• Real-time Automatic, Preemptive & Adaptable intrusion response based on Probabilistic cost-benefit analysis
• Integrated with the pattern-based intrusion detection system from our earlier work
Intrusion response selection
• Automatic response
• anomalous patterns are associated with response actions
• when the monitored behavior matches a prefix of an anomalous pattern, the deployment of the response is determined through a 3-step process:
1: determine when to start response selection: the confidence that an attack is occurring exceeds probabilityThreshold
2: determine whether a response action should be taken at this point: a candidate response, if deployed now, should cause less harm than the damage the possible intrusion would cause
3: select the optimal response
Intrusion response selection
• Cost-sensitive selection of the response
• Success Factor (SF): the percentage of times the response under consideration has succeeded in the past
• Risk Factor (RF): the severity of the response, i.e. its disruptive effect on the system
• The optimal response should provide the maximum benefit at the lowest risk
• Selection is based on a utility function, the expected value (EV) of response r_S of sequence S:
EV(r_S) = Pr_succ(S) · SF + Pr_risk(S) · (−RF)
where Pr_succ(S) is the probability that sequence S will occur and Pr_risk(S) = 1 − Pr_succ(S)
• A higher EV indicates the "better" response
Intrusion response selection
• Adaptable response
• adaptability is based on the success or failure of previously triggered responses
• if the selected response fails, its success factor is updated to reflect this result
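The three-step selection above, together with the EV utility function and the success-factor update, carried through on a small pattern database. This is an added worked example, not the authors' implementation: the pattern database, the response table, and the way attack confidence and expected intrusion damage are estimated from historical occurrence counts of sequences sharing the observed prefix are assumptions made here to make the steps concrete. The data is constructed so that the monitored pattern <2, 3, 4, 8> from the slides crosses the 0.5 threshold only once <2, 3, 4> has been seen.

```python
"""Three-step, cost-sensitive response selection (added example, not the
authors' code).  Pattern database, response table, and the count-based
estimators for confidence and expected damage are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Seq = Tuple[int, ...]


@dataclass
class Pattern:
    sequence: Seq                    # monitored events, e.g. system-call ids
    count: int                       # historical occurrences of the full sequence
    anomalous: bool                  # True for attack patterns, False for benign
    damage: float                    # damage cost of the completed attack (0 if benign)
    responses: Tuple[str, ...] = ()  # responses associated with the pattern


@dataclass
class Response:
    name: str
    successes: int      # past deployments that succeeded
    attempts: int       # past deployments in total
    risk_factor: float  # RF: disruptive effect on the system, in [0, 1]
    cost: float         # harm of deploying it, same units as damage

    @property
    def success_factor(self) -> float:
        """SF: fraction of past deployments of this response that succeeded."""
        return self.successes / self.attempts if self.attempts else 0.0


# Constructed sample data (assumption).
PATTERNS: List[Pattern] = [
    Pattern((2, 3, 4, 8), 3, True, 100.0, ("kill_process", "drop_connection", "reboot")),
    Pattern((2, 3, 4, 1), 1, True, 20.0, ("drop_connection",)),
    Pattern((2, 3, 5), 2, True, 40.0, ("drop_connection",)),
    Pattern((2, 3, 6), 6, False, 0.0),
    Pattern((2, 7), 6, False, 0.0),
]
RESPONSES: Dict[str, Response] = {
    "kill_process": Response("kill_process", 8, 10, risk_factor=0.6, cost=30.0),
    "drop_connection": Response("drop_connection", 5, 10, risk_factor=0.2, cost=10.0),
    "reboot": Response("reboot", 10, 10, risk_factor=0.9, cost=200.0),
}


def matching(patterns: List[Pattern], prefix: Seq) -> List[Pattern]:
    """Patterns whose sequence starts with the observed prefix."""
    return [p for p in patterns if p.sequence[: len(prefix)] == prefix]


def attack_confidence(patterns: List[Pattern], prefix: Seq) -> float:
    """Step 1 input: share of the prefix's historical occurrences that belonged
    to an anomalous sequence (assumed estimator of 'an attack is occurring')."""
    cands = matching(patterns, prefix)
    total = sum(p.count for p in cands)
    return sum(p.count for p in cands if p.anomalous) / total if total else 0.0


def sequence_probabilities(patterns: List[Pattern], prefix: Seq) -> Dict[Seq, float]:
    """Pr_succ(S): probability that S is the sequence unfolding, given the prefix,
    estimated from the counts of all sequences sharing that prefix."""
    cands = matching(patterns, prefix)
    total = sum(p.count for p in cands)
    return {p.sequence: p.count / total for p in cands} if total else {}


def expected_value(pr_succ: float, r: Response) -> float:
    """EV(r_S) = Pr_succ(S) * SF + Pr_risk(S) * (-RF), with Pr_risk = 1 - Pr_succ."""
    return pr_succ * r.success_factor + (1.0 - pr_succ) * (-r.risk_factor)


def select_response(patterns, responses, prefix, threshold) -> Optional[Tuple[str, float]]:
    """Return (response name, EV) of the best deployable response, or None."""
    if attack_confidence(patterns, prefix) <= threshold:   # Step 1: not yet
        return None
    probs = sequence_probabilities(patterns, prefix)
    anomalous = [p for p in matching(patterns, prefix) if p.anomalous]
    # Step 2: expected damage of the possible intrusion given what was seen so far.
    expected_damage = sum(probs[p.sequence] * p.damage for p in anomalous)
    best: Optional[Tuple[str, float]] = None
    for p in anomalous:
        for name in p.responses:
            r = responses[name]
            if r.cost >= expected_damage:   # would harm more than the intrusion
                continue
            ev = expected_value(probs[p.sequence], r)   # Step 3: maximise EV
            if best is None or ev > best[1]:
                best = (name, ev)
    return best


def record_outcome(responses: Dict[str, Response], name: str, succeeded: bool) -> float:
    """Adaptation: fold a deployment's outcome back into the response's SF."""
    r = responses[name]
    r.attempts += 1
    if succeeded:
        r.successes += 1
    return r.success_factor


if __name__ == "__main__":
    for seen in [(2,), (2, 3), (2, 3, 4)]:
        print(seen, round(attack_confidence(PATTERNS, seen), 3),
              select_response(PATTERNS, RESPONSES, seen, threshold=0.5))
    print("SF after a failed kill_process:", record_outcome(RESPONSES, "kill_process", False))
```

With this data the prefix <2> gives a confidence of 1/3 and <2, 3> exactly 0.5, so neither starts selection; at <2, 3, 4> the confidence is 1.0, the expected damage is 80, `reboot` is dropped in step 2 because its cost (200) exceeds that damage, and `kill_process` wins step 3 with EV 0.45 over `drop_connection` (0.325). Note that the same response can appear under several sequences with different EVs, because EV is defined per sequence-response pair r_S.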
Intrusion response selection: example
Example setting: simplified view of the anomalous-patterns database (figure not reproduced).
Probability threshold = 0.5; the monitored pattern is <2, 3, 4, 8>.
Pattern seen: <2>, then <2, 3> (figure not reproduced).
Pattern seen: <2, 3, 4>: select the response and deploy the best response (figure not reproduced).
Results
Metrics:
• Damage reduction = damage cost incurred by the full attack − damage cost caused by the prefix of the attack sequence observed at the time of the response
• Variability = (1/N) · Σ(prefixLength · numOfSeq), i.e. the frequency (number) of attack patterns sharing the same prefix of a specific prefixLength
Average damage reduction vs. error (plots for the fdformat, ftp-write and eject attacks; figure not reproduced)