Wednesday, July 13, 2011

Intrusion response and recovery

RRE: A Game Theoretic Intrusion Response and Recovery Engine (good paper)
--Saman Zonouz, Himanshu Khurana
This paper implements RRE on top of Snort, an open-source signature-based IDS. RRE employs a game-theoretic response strategy against adversaries modeled as opponents in a two-player Stackelberg stochastic game. An important term used here is Attack-Response Trees (ARTs), which are used to analyze undesired security events. By solving a partially observable competitive Markov decision process derived from the attack-response trees, RRE chooses optimal response actions. Basically, it depends on Snort's detection: it uses Snort's alerts to figure out the corresponding response.
RRE is based on an automated cost-sensitive model. What's great in this paper is that it models the security maintenance of computer networks as a two-player game in which the attacker and the response engine each try to maximize their own benefit by taking optimal adversary and response actions, respectively. Using ARTs, RRE explicitly takes inherent uncertainties into account along with the alerts from Snort.
It is a good method for a small-network (LAN) IDS.

Automated Response Using System-Call Delays
--Anil Somayaji
This paper developed a system called pH (for process homeostasis), which can detect and stop intrusions before the target system is compromised. It monitors every executing process on a computer at the system-call level, and responds to anomalies by either delaying (slowing down) or aborting system calls. Normal behavior is determined by the currently running binary program.
pH is implemented as a patch for the Linux 2.2 kernel. The authors modified the system call dispatcher so that it calls a pH function prior to dispatching each system call. Basically, the author inserts an independent process into Linux to monitor every running process and detect the abnormal ones.
It is good for a single-host IDS.
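As an added illustration of the pH idea (my own sketch, not code from Somayaji's kernel patch), the following Python builds a lookahead-pair profile from normal system-call traces of one program and then replays a new trace against it, delaying each call by a factor that doubles with every recent anomaly and flagging an abort once anomalies pile up. The window size, locality-frame size, base delay and abort threshold are assumed constants, and the traces are constructed samples.

```python
from collections import deque

# Simplified pH-style monitor (illustration only). Normal behaviour is the set
# of (distance, earlier-call, current-call) lookahead pairs seen in training
# traces; a call that forms an unseen pair is an anomaly, and the process is
# delayed by BASE_DELAY * 2**(anomalies in the last LOCALITY_FRAME calls).
WINDOW = 6            # lookahead window length (assumed)
LOCALITY_FRAME = 128  # recent calls over which anomalies are counted (assumed)
BASE_DELAY = 0.01     # seconds; assumed base delay factor
ABORT_THRESHOLD = 8   # abort the call once this many anomalies are in the frame

def train_profile(traces):
    """Build the set of lookahead pairs observed in normal traces."""
    profile = set()
    for trace in traces:
        for i, call in enumerate(trace):
            for d in range(1, WINDOW):
                if i - d >= 0:
                    profile.add((d, trace[i - d], call))
    return profile

def monitor(profile, trace):
    """Replay a trace; return (call, delay_seconds, abort) for each call."""
    decisions = []
    recent = deque(maxlen=LOCALITY_FRAME)   # 1 for an anomalous call, else 0
    for i, call in enumerate(trace):
        anomalous = any((d, trace[i - d], call) not in profile
                        for d in range(1, WINDOW) if i - d >= 0)
        recent.append(1 if anomalous else 0)
        lfc = sum(recent)                      # locality frame count
        delay = BASE_DELAY * (2 ** lfc) if lfc else 0.0
        decisions.append((call, delay, lfc >= ABORT_THRESHOLD))
    return decisions

# Constructed sample traces: two normal runs of a small file-serving program,
# and one run whose tail looks nothing like the learned behaviour.
NORMAL = [
    ["open", "read", "write", "close", "open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
]
SUSPECT = ["open", "read", "execve", "setuid", "execve"]

if __name__ == "__main__":
    prof = train_profile(NORMAL)
    for call, delay, abort in monitor(prof, SUSPECT):
        print(f"{call:8s} delay={delay:.3f}s abort={abort}")
```

Each anomalous call in the suspect trace doubles the imposed delay (0.02s, 0.04s, 0.08s), which is the exponential slowdown pH relies on to stall an attack before deciding to abort.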

Cooperating Security Managers: A Peer-Based Intrusion Detection System
--Maj. Gregory B. White, Eric A. Fisch
This paper designs and implements CSM, which can serve as an IDS for a larger network. An individual CSM runs on each host. A security manager cooperatively and autonomously communicates with them to determine the current state of the system.
The prototype of CSM was developed on a Sun SPARCstation LX running SunOS v5.3. Basically, CSM is a package patched into the OS to detect intrusive activities. Applied to a network, CSM is designed to perform intrusion detection and reporting in a distributed environment without requiring a designated central site or server to analyze the network audit data.

Toward Cost-Sensitive Modeling for Intrusion Detection and Response (good paper)
--Wenke Lee@gatech
This paper builds a cost-sensitive intrusion detection model that accounts for development cost, operational cost, damage cost, and the cost of manual and automated response to intrusions. This kind of cost-sensitive machine learning technique can produce detection models that are optimized for user-defined cost metrics.
The experiment uses the data from a military network with a wide variety of intrusions injected into the network over a period of 7 weeks. The data was divided into two parts: training set and test set.
The main objective in applying such a model is to compare intrusion damage and response cost to

Here is what I thought:
As we have seen above, almost all the previous work has developed a tool/package/system aimed at a specific environment, or they have a data set with intrusions already injected. Since we don't have such a data set/trace, we could try to take advantage of our unique environment --- our CPS simulation environment --- to develop a similar detection and response engine, as a goal. One problem is that this may not be easily ported to other internetworked environments. But one good thing is that it could be used to test different kinds of response strategies in order to pick out the best response against the adversaries.
1 comment:

  1. If it is too long, please just look at the "Here is what I thought" part and give me some comments. Thanks.
