Intrusion detection and response for system and network attacks

dc.contributor.advisor Johnny S. Wong
dc.contributor.author Stanley, Fred
dc.contributor.department Department of Computer Science
dc.date 2018-08-11T08:01:03.000
dc.date.accessioned 2020-06-30T02:30:14Z
dc.date.available 2020-06-30T02:30:14Z
dc.date.copyright Thu Jan 01 00:00:00 UTC 2009
dc.date.embargo 2013-06-05
dc.date.issued 2009-01-01
dc.description.abstract This work focuses on an Intrusion Detection System (IDS) and Intrusion Response System (IRS) model for system and network attacks. For decades, IDS has evolved tremendously and has become highly sophisticated. However, the response to an attack is still manually triggered by an administrator who relies on static mapping to counteract the intrusion. The speed of attack-spread and its increased complexities in recent years have shown that it is highly critical to develop an automatic IRS. Moreover, manual responses are not flexible and effective in a distributed environment without infrastructure. This work presents a cost-based response model that is tightly coupled with a multi-source IDS. It is a known fact that any system can be broken down into smaller granules of services and resources. A dependency graph is employed to describe the relations between services and resources in a system. This dependency graph is also used to propagate the total value of the system down to the service and resource levels. The damage cost of the intrusion and the response cost of the responses are evaluated using the dependency graph. Using several performance metrics, a response which brings the most benefit to the system is deployed. We demonstrate the abilities of our model by using a buffer overflow attack caused by a computer worm on the Optimized Link State Routing (OLSR) protocol in a wireless ad-hoc network environment. Experimental results show that our model is effective and is highly practical.
dc.format.mimetype application/pdf
dc.identifier archive/lib.dr.iastate.edu/etd/10684/
dc.identifier.articleid 1730
dc.identifier.contextkey 2806928
dc.identifier.doi https://doi.org/10.31274/etd-180810-284
dc.identifier.s3bucket isulib-bepress-aws-west
dc.identifier.submissionpath etd/10684
dc.identifier.uri https://dr.lib.iastate.edu/handle/20.500.12876/24890
dc.language.iso en
dc.source.bitstream archive/lib.dr.iastate.edu/etd/10684/Stanley_iastate_0097M_10522.pdf|||Fri Jan 14 18:25:53 UTC 2022
dc.subject.disciplines Computer Sciences
dc.subject.keywords Automated response model
dc.subject.keywords Dependency graph
dc.subject.keywords Generic response model
dc.subject.keywords Intrusion detection and response
dc.subject.keywords OLSR worm
dc.subject.keywords snort
dc.title Intrusion detection and response for system and network attacks
dc.type thesis en_US
dc.type.genre thesis en_US
dspace.entity.type Publication
relation.isOrgUnitOfPublication f7be4eb9-d1d0-4081-859b-b15cee251456
thesis.degree.level thesis
thesis.degree.name Master of Science
File
Name: Stanley_iastate_0097M_10522.pdf
Size: 733.14 KB
Format: Adobe Portable Document Format