Publication Abstract

Model-based Response Planning Strategies for Autonomic Intrusion Protection

Iannucci, S., & Abdelwahed, S. (2018). Model-based Response Planning Strategies for Autonomic Intrusion Protection. Transactions on Autonomous and Adaptive Systems. ACM. 13(1).

The continuous increase in the quantity and sophistication of cyber attacks is making it more difficult and error-prone for the system administrators to handle the alerts generated by Intrusion Detection Systems (IDSs). To deal with this problem, several Intrusion Response Systems (IRSs) have been proposed lately. IRSs extend the IDSs by providing an automatic response to the detected attack. Such a response is usually selected either with a static attack-response mapping or by quantitatively evaluating all the available responses, given a set of pre-defined criteria. In this paper, we introduce a probabilistic model-based IRS built on the Markov Decision Process (MDP) framework. In contrast with most existing approaches to intrusion response, the proposed IRS effectively captures the dynamics of both the defended system and the attacker and is able to compose atomic response actions to plan optimal multi-objective long-term response policies to protect the system. We evaluate the effectiveness of the proposed IRS by showing that long-term response planning always outperforms short-term planning and we conduct a thorough performance assessment to show that the proposed IRS can be adopted to protect large distributed systems at run-time.