Abstract. As the number of network-based attacks increases and system administrators become overwhelmed with Intrusion Detection System (IDS) alerts, systems that respond to these attacks are rapidly becoming a key area of research. Current response solutions are either localized to individual hosts or focus on a limited set of possible attacks or resources, and they emulate many features of low-level IDS sensors. In this paper, we describe a modular network-based response framework that can incorporate existing response solutions and IDS sensors. This framework combines these components by uniting models that represent: events that affect the state of the system, the detection capabilities of sensors, the response capabilities of response agents, and the conditions that represent system policy. Linking these models provides a foundation for generating responses that best satisfy policy, given the perceived system state and the capabilities of sensors and response agents.
Abstract: The goal of any intrusion detection, anti-virus, firewall or other security mechanism is not simply to stop attacks, but to protect a computing resource so that the resource can continue to perform its function. A computing resource, however, is only a component of a larger system and mission. Sometimes the effort made to stop an attack on a resource may be as damaging as the attack itself in terms of the overall ability of the system to complete its mission. What is needed is a method of choosing responses to attacks on components that still allows the system to achieve its goals. We present a model of computing resources and of how the loss or degradation of resources affects the ability of a system to complete its mission. A human or robot analyst can use the model to assess the security status of a monitored system and to allocate resources in an optimal way.
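The two abstracts above describe, in prose, the same decision problem from two angles: the first selects a response that best satisfies policy given the perceived system state and the capabilities of response agents; the second scores responses by how much mission capability survives the loss or degradation of resources. The following Python sketch is an added illustration of that decision and is not code from either paper. The resource weights, the dependency-propagation rule (a resource is only as available as the least available resource it depends on), the candidate responses and the policy conditions (a minimum-capability floor plus mandatory containment on named resources) are all constructed assumptions chosen to make the trade-off visible.

```python
"""Toy mission-impact response selector (added illustration, not from either paper).

Models: resources with a mission weight and dependencies, an attack on one
resource, candidate responses that each contain the attack on some resources
while degrading others, and a policy (capability floor + mandatory containment).
All weights, responses and rules below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    mission_weight: float   # assumed share of the mission this resource carries
    depends_on: tuple = ()  # names of resources this one cannot work without


@dataclass(frozen=True)
class Response:
    name: str
    contains: frozenset     # resources on which the attack is stopped
    degrades: dict          # resource name -> fraction of capability lost as a side effect


def effective_availability(resources, base):
    """Propagate degradation through dependencies (assumed rule):
    availability(r) = own availability * min availability of its dependencies."""
    memo = {}

    def avail(name):
        if name not in memo:
            own = base.get(name, 1.0)
            dep = min((avail(d) for d in resources[name].depends_on), default=1.0)
            memo[name] = own * dep
        return memo[name]

    return {n: avail(n) for n in resources}


def mission_capability(resources, availability):
    """Weighted fraction of the mission still deliverable, in [0, 1]."""
    total = sum(r.mission_weight for r in resources.values())
    return sum(r.mission_weight * availability[n] for n, r in resources.items()) / total


def evaluate(resources, attacked, attack_impact, response):
    """Capability left after `response` is applied to an attack on `attacked`.
    An uncontained attack keeps costing `attack_impact` on the attacked resource;
    the response's own side effects apply either way."""
    base = {}
    if attacked not in response.contains:
        base[attacked] = 1.0 - attack_impact
    for name, loss in response.degrades.items():
        base[name] = base.get(name, 1.0) * (1.0 - loss)
    return mission_capability(resources, effective_availability(resources, base))


def select_response(resources, attacked, attack_impact, candidates,
                    min_capability=0.0, must_contain=frozenset()):
    """Rank candidates by remaining capability and return the best one that
    satisfies policy, or None if no candidate does. Also returns the ranking."""
    ranking = sorted(((evaluate(resources, attacked, attack_impact, r), r) for r in candidates),
                     key=lambda t: t[0], reverse=True)
    for cap, r in ranking:
        if cap >= min_capability and (attacked not in must_contain or attacked in r.contains):
            return r, ranking
    return None, ranking


# Constructed sample system: the web tier is useless without the database.
RESOURCES = {
    "db":   Resource("db", 0.5),
    "web":  Resource("web", 0.3, depends_on=("db",)),
    "mail": Resource("mail", 0.2),
}
CANDIDATES = [
    Response("shutdown_db", frozenset({"db"}), {"db": 1.0}),
    Response("block_db_external", frozenset({"db"}), {"db": 0.1}),
    Response("block_all_inbound", frozenset({"db", "web", "mail"}), {"web": 1.0, "mail": 1.0}),
    Response("alert_only", frozenset(), {}),
]


def demo(min_capability=0.5):
    """Attack on db; uncontained it is assumed to cost 80% of db's capability."""
    chosen, ranking = select_response(RESOURCES, "db", 0.8, CANDIDATES,
                                      min_capability=min_capability, must_contain={"db"})
    return chosen.name if chosen else None, [(r.name, round(cap, 4)) for cap, r in ranking]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` ranks block_db_external first (0.92 of the mission kept), then block_all_inbound (0.5), alert_only (0.36) and shutdown_db (0.2). The shutdown response, which does stop the attack, lands below doing nothing because the dependent web tier goes down with the database; that is the point the second abstract makes. Raising the policy floor above 0.92 makes `select_response` return None, signalling that no available response agent can satisfy policy and the decision needs escalation rather than a silently degraded pick.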