Thomas Toth and Christopher Kruegel
Technical University Vienna
AUSTRIA
Intrusion detection systems (IDSs) have reached a high level of sophistication and are able to detect intrusions with a variety of methods. Unfortunately, system administrators can neither keep up with the pace at which an IDS delivers alerts, nor react to them within adequate time limits. Automatic response systems have to take over that task. In case of an identified intrusion, such components have to initiate appropriate actions to counter emerging threats. Most current intrusion response systems (IRSs) utilize static mappings to determine adequate response actions in reaction to a detected intrusion. The problem with this approach is its inherent inflexibility. Countermeasures (such as changes of firewall rules) often do not only defend against the detected attack but may also have negative effects on legitimate users of the network and its services. To prevent the situation that a response action causes more damage than the actual attack, a mechanism that compares the severity of an attack to the effects of a response action is needed. In this paper, we present a network model and an algorithm to evaluate the impact of response actions on the entities of a network. This allows the IRS to select, among several alternatives, the response which fulfills the security requirements and has a minimal negative effect on legitimate users.
Keywords: Intrusion Response, Intrusion Detection, Network Security
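As an added illustration of the selection problem described in the abstract (this is not the authors' model or code), the following toy evaluator assumes a constructed network of hosts, services, service dependencies and user groups, scores each candidate response by the number of legitimate (user group, service) needs it breaks, and picks the least damaging response that still stops the attack. All names and the rule for "stops the attack" are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed sample network (all names hypothetical): the host each service
# runs on, the services each user group needs, and service-to-service
# dependencies (a service is unusable when one it depends on is down).
HOSTS = {"web": "host-a", "mail": "host-a", "db": "host-b"}
USER_NEEDS = {"customers": {"web"}, "staff": {"web", "mail", "db"},
              "partners": {"mail"}}
SERVICE_DEPS = {"web": {"db"}}

@dataclass(frozen=True)
class Attack:
    target: str         # service under attack
    source_known: bool  # False for spoofed or widely distributed sources

@dataclass(frozen=True)
class Response:
    name: str
    disabled_hosts: frozenset     # hosts taken offline by the action
    disabled_services: frozenset  # services stopped by the action
    blocks_source: bool           # firewall rule against the attack source

def unavailable_services(response):
    """Propagate the action's direct effects through host and service dependencies."""
    down = set(response.disabled_services)
    down |= {s for s, h in HOSTS.items() if h in response.disabled_hosts}
    while True:  # transitive closure over SERVICE_DEPS
        more = {s for s, deps in SERVICE_DEPS.items() if s not in down and deps & down}
        if not more:
            return down
        down |= more

def damage(response):
    """Negative effect: number of (user group, service) needs the action breaks."""
    down = unavailable_services(response)
    return sum(len(needs & down) for needs in USER_NEEDS.values())

def stops_attack(response, attack):
    """Security requirement (assumed): attacked service removed or its source blocked."""
    return (response.blocks_source and attack.source_known) or \
        attack.target in unavailable_services(response)

def select_response(candidates, attack):
    """Least damaging response that still meets the security requirement, or None."""
    viable = [r for r in candidates if stops_attack(r, attack)]
    return min(viable, key=damage) if viable else None

CANDIDATES = [  # constructed alternatives the IRS could choose between
    Response("block source at firewall", frozenset(), frozenset(), True),
    Response("shut down host-a", frozenset({"host-a"}), frozenset(), False),
    Response("stop db service", frozenset(), frozenset({"db"}), False),
    Response("stop mail service", frozenset(), frozenset({"mail"}), False),
]
```

Note that stopping `db` looks like the smallest action but, through the `web` dependency, breaks three needs, while stopping `mail` breaks only two; a static mapping would not see that difference.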