Thursday, July 28, 2011

Summary: Case study (experiments) related to intrusion response and security analysis

Here is my problem with doing this kind of research:
As most existing work has done before, authors either develop a tool/package/system aimed at a specific environment, or they work from a data set that already has intrusions injected into it. At the very least, they perform security measurement, analysis or security modeling on some specific physical system or research object. If they study how to respond, they take intrusion alerts from some intrusion detection system (e.g. Bro, Snort) as their input, or simply use a trace. It cannot come from nowhere; it has to be based on some actual real system or on results from other tools. Maybe I am still stuck in an engineering mindset rather than an academic one. Correct me here, please. Thanks.

Below is a list of the most representative examples:
RRE: A Game Theoretic Intrusion Response and Recovery Engine
cited by 12, Dependable Systems and Networks (DSN 2009)
This paper develops a Response and Recovery Engine (RRE) that uses alert notifications from Snort and then chooses an optimal response action by solving a partially observable competitive Markov decision process. They used a process control network for a power grid and SCADA as their case study. To investigate how RRE works in practice, they implemented it on top of Snort, running on an Ubuntu system.

ADEPTS: adaptive intrusion response using attack graphs in an e-commerce environment
Saurabh Bagchi from Purdue
cited by 29, DSN 2005
This paper develops ADEPTS to monitor and track intrusions in real time and to deploy responses that contain and restrict the spread of attacks in the system. It also has a testbed for experiments on ADEPTS. The authors set up a payload system to mimic an e-commerce web store, with web servers running applications. Unlike RRE, it uses multiple detectors that communicate with ADEPTS, such as Snort and Libsafe. Three experiments were set up to demonstrate ADEPTS: 1) survivability, 2) the ability to deploy responses as the speed of the attack varies, and 3) adaptation in ADEPTS when choosing responses. An attack graph is used in this paper to represent attack goals, since it provides the possible paths along which an intrusion can spread.

Intrusion Response as a resource allocation problem
Michael Bloem, Tansu Alpcan, Tamer Basar from UIUC, Information Trust Institute
This paper develops an algorithm for optimally allocating the system administrator's time available for responding to attacks, by modeling the interaction between malicious attackers and the intrusion detection system as a noncooperative non-zero-sum game. For the experimental part, the paper implements an IDS prototype in MATLAB and demonstrates its operation under various scenarios with and without the algorithm. In common with the others, it studies intrusion response in a specific access control system (PR-BAC), developed by the Boeing company.

Other works include Feedback control applied to survivability: A host-based autonomic defense system, which describes the design of a prototype host-based ADS intended to protect a Linux-based web server from automated Internet worm attacks; and Using alert verification to identify successful intrusion attempts, which presents a tool that performs real-time verification of attacks detected by an intrusion detection system. The latter is not a response system; it verifies the alerts produced by the IDS.
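The common thread above is that a response engine needs real alerts as input. As an added illustration (not code from RRE, ADEPTS or any of the papers), the snippet below parses constructed Snort "fast"-format alert lines and picks a response by minimising expected loss, a toy stand-in for the belief-state decision that a POMDP-based engine such as RRE makes; the response catalogue, the priority-to-belief mapping and the damage value are all assumed.

```python
import re

# Constructed Snort "fast" alert lines (local-rule SIDs, made-up messages); not from any real sensor.
SAMPLE_ALERTS = """\
07/28-10:01:02.000000  [**] [1:1000001:1] LOCAL SCAN ssh probe [**] [Priority: 3] {TCP} 10.0.0.5:41022 -> 10.0.0.10:22
07/28-10:01:09.000000  [**] [1:1000002:1] LOCAL EXPLOIT web app attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:41100 -> 10.0.0.10:80
07/28-10:02:30.000000  [**] [1:1000003:1] LOCAL POLICY outbound shell [**] [Priority: 1] {TCP} 10.0.0.10:51000 -> 10.0.0.5:4444
"""

# Snort fast format: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_fast_alerts(text):
    """Parse fast-format lines into dicts; lines that do not match are skipped, never guessed at."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts

# Hypothetical response catalogue: (deployment cost, probability the response stops the attack).
RESPONSES = {
    "log_only":       (0.0, 0.00),
    "rate_limit_src": (1.0, 0.40),
    "block_src":      (5.0, 0.90),
    "isolate_host":   (8.0, 0.99),
}
# Assumed P(real intrusion | Snort priority); Snort priority 1 is the most severe.
PRIO_BELIEF = {1: 0.9, 2: 0.6, 3: 0.3, 4: 0.1}

def choose_response(alerts, damage=20.0):
    """Return the response minimising expected loss = cost + (1 - stop_prob) * belief * damage.
    The belief that the host is compromised is the maximum over its alerts (pessimistic)."""
    if not alerts:
        return "log_only"
    belief = max(PRIO_BELIEF.get(a["prio"], 0.1) for a in alerts)
    return min(RESPONSES, key=lambda r: RESPONSES[r][0] + (1 - RESPONSES[r][1]) * belief * damage)

if __name__ == "__main__":
    parsed = parse_fast_alerts(SAMPLE_ALERTS)
    print(len(parsed), "alerts parsed; chosen response:", choose_response(parsed))
```

Raising the assumed damage value shifts the choice towards the costlier but more effective responses, which is the trade-off the experiments in these papers measure.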