Abstract: Intrusion Response Systems (IRS) have been a significant research topic in the recent year. The main part of IRS is based on the algorithm, which helps to select the response action for identified network- based attacks. The amount of increasing network-based attacks motivates the concerns towards network structure and outage.[1] The paper propose various response selection models, but they are not widely implemented and their evidences are not often generated due to data testing. In this paper we found a new model, called REASSESS- Response Effectiveness Assessment which tends to mitigate network-based attacks by absorbing an response selection process that calculates negative and positive impacts of each countermeasures. We co-relate REASSES with various response models of IE-IRS, ADEPTS, CS-IRS & TVA and further this model able to select the exact response to an attack by means of positive and negative impacts.
Index Terms—Introduction, Framework of IRS, Requirements and Assumptions, Intrusion Response selection models, REASSESS – Conclusions, Future Research.
- INTRODUCTION
Recently, network security has been the focus of substantial research. Since all the major enterprise applications are moving to cloud, security is the major concern that most of them are concerned. In the last few decades, internet is playing a vital role in each individual (Technology Dependant) intends to increase in technology-dependent. The availability of internetworks and data integrity must be secure enough from intrusions, which include denial of service (DoS, DDOS) attacks, unauthorized access, DNS spoofing attacks, and application layer attacks
In statistics, the reported network-based attacks are more sophisticated (e.g.., Multi- Vector attacks). According to the data revealed in February 2014, 39% of German organisation are victims to cyber-attacks. The federal office for information security stated that only 25% of incidents are communicated to external resources in order to recover from the normal operation. [3][6]
Our approach is to generalize and automate process that initiates mitigation and response measures towards various network-based attacks. Each IRS uses different metrics for choosing appropriate response and few only applicable for specific environments. Further most of the previous system is not reproducible due to closed test data.
The reminder of this paper is arranged as follows: Context of the work is described in section II, Requirements is specified in section III, An overview of response selection model is derived in section IV. The concept of reaction strategy model and its implementation is classified in section V. Idea to
evaluate and analyse the reaction strategy models. Finally, we give an outlook and future work in section VII.
II. Outline
In this section, we relate the network in which REASSESS are going to take place. Second, we introduce how an alert take place and initiates mitigation, response procedure within the IRS.[8] The major focus of this work are networks which is consisting of individual end hosts. Intrusion Response System IRS are placed to protect the network against malicious traffic, therefore IDS sensor is placed in the inline mode or promiscuous mode.
Get Help With Your Essay
If you need assistance with writing your essay, our professional essay writing service is here to help!
Major advantages of IDS in promiscuous mode that prevents forwarding delays or impacts by sensor. On the below diagram, The traffic enters the network and passes to the DMZ zone, whereas it copies the packets and send to the IDS sensor, it analyse the packets with the original one and raise alerts if any malicious traffic is being detected. As a result the IDS is detecting the malicious attack but not preventing.
Fig: 1. Network topology of IDS in promiscuous mode.
On the other hand, inline IDS sensors placed in the network which is forced to go in one physical and logical port on the sensor, resulting delay before forwarding the packet. Automatic deployment of countermeasures take place in inline IDS where the sensor forwards the packet through one logical or physical interfaces.[4] For example: Deny packets from reaching towards its destination. Hence the inline IDS is known as IPS Intrusion prevention systems. Therefore the IPS not implement a distinct response selection process and mostly rely on simple mappings of attacks which is predefined responses.
Fig:2. Network topology of IDS in inline mode(IPS)
In order to overcome such shortcomings, IRSs must be capable of selecting appropriate response systems and make sure it performs both automatic mitigation and response, that helps to defend the network against malicious traffic. In the figure 1 & 2 the IRS is placed next to the IDS sensor, this paper focus on the reaction process which is deployed in the IRS.
- REQUIREMENTS OF IRS AND ASSUMPTIONS
In this section, we describe various requirements of the response selection model within the IRS, but our assumptions is to ensure that the task is not related to detection technologies.
- Automatic Deployment: The appropriate Selection of response should be deployed automatically to reduce delays and error caused by human interactions. Timelines of initial mitigation and response procedures which is highly implemented in the automatic deployment that reduces the expert knowledge in order to choose an response system appropriate.
- Scalability: The response selection model should be able to manage with different network topologies, example: Distributed or single networks, furthermore the response model should cope with different network sizes in order to identify different alerts. e.g.., Mid-size or backbone networks.
- Adaptability: The ever-changing nature of attacks appropriate response selection model should provide automatic learning capabilities. It should take an account of effectiveness and knowledge based on the previous response model.
- System Independency: Intrusion response system should ensure integrity with the security tools, which results it initiate response in order to interact with other security tools e.g.., router, firewall etc.
- Calculation Efficiency: A fast and efficient Calculation is essential to reduce the ongoing attacks and potential damages. Hence the identifying suitable response method to given alert should be calculated efficiently.
- Usability: The appropriate response model should provide input parameters in order to reduce configuration efforts.
- Security Mechanism: Response model selection to a given attack often includes sensitive data e g.., Raw data, information of various incident handling and its remediation. As a result, the calculation response selection model prevent unauthorised access to the response information that an attacker not initiate any malicious attack. Thus the response selection model should ensure integrity of an alert.
The main focus of this paper, is to select appropriate response selection model after malicious attack has been detected and thus the assumptions are as listed below:
Aggregation:Detection engine treats as one attack if each time the alert has been raised. Detection system implies aggregation and fusion of alarms which is based on the previous work.[7]
- RESPONSE SELECTION MODEL
This section, we focus on overview of existing response selection models and mandatory input parameters and requirements of each model. We identify the response models in terms of use-case context and how the response is selected based on the attack nature.
- Analysing the impact of automated response mechanisms:
IE- IRS is a response selection model which is used to select different firewall configuration as response to various attacks. Based on their effectiveness the firewall configuration is by Technical University Vienna[5]. As a result IE-IRS is used as a account dependencies between network services offered by hosts, system users, network topologies and firewall rules, thus the dependency tree is shown below:
Fig:3. Dependency Tree of IE-IRS
Fig. 4. Modelling Language of IE-IRS[1]
In the figure 4: Modelling language consists of input and output files, Bison1 grammar file and fast lexical analyzer generator (FLEX2) file, output file- C source code. It used to define the importance of network services.
Further selection of response model, degradation of work capability and penalty cost must be taken in account. For example: IE-IRS response model used to mitigate the denial of service DoS attack in the web servers. In order to select appropriate selection model, the capability is calculated using depth-first search without a cyclic behaviour, thus the capability value is c(e) [0..1] of an entity. P(e)- penalty cost of a network, further it is calculated using the following equation: p(e) = cr(e). If the response has low penalty cost, then it has least negative impact on the system.[2][1]
- Adaptive Intrusion Response using Attack Graph It mainly focus on host attacks (e.g.., buffer
overflows or privilege escalation), thus the attack graphs is used to identify the actions required in order to achieve different possible attack targets in a distributed system. The attack graph is based on Directed Acyclic Graph (DAG)[3] which used to show suitable responses.
Fig. 5. Attack Graph
In the intrusion graph the edges are categorized into three parts: OR, AND, and QUORU, this graph is active by means of any changes in system configuration or new known vulnerabilities which is related to system architecture. In order to update the graph a semi-automated method called PIG- Portable Intrusion Graph Generation which lists 2 inputs: vulnerability descriptions and system service descriptions.
Vulnerability Descriptions consists of querying common vulnerability databases such as NIS’s national vulnerability database (NVD), open source vulnerability database (OSVDB) and the common vulnerability exposure (CVE).
System Service descriptions is known as directed graph, in which each node represents a service and edges are intrusion channels. Further the response is deployed and the system checks if the response was successful and conclude no further alerts were observed.
- Cost Sensitive Assessment of Intrusion Response Selection:
A framework is designed based on the appropriate response selection in balance of the potential damage of an attack and mitigation cost.
CS-IRS is based on the response actions leads to positive and negative effects, To minimize the negative effect of the response a set of measurements were introduced as follows: Potential intrusion damage, response action effectiveness and response cost in a system. Both the response and intrusion cost is based on two factors: operational cost and system resources impact. Response effectiveness is calculated using response success rate against intrusion detection vector and response coverage value, thus estimated effectiveness range between [0,1]. CS-IRS is designed to provide host-based solutions which helps the response measures to reboot the system, block user accounts or restart the service.
- Topological Vulnerability Analysis:
This method was proposed by researchers of George Mason University in 2010. Topological Vulnerability Analysis is also known as preventive approach, it relies on previous security tools in order to gather the required information, includes vulnerability information and network configuration.
It combines both the internal and external vulnerability information e.g.., NIST NVD, CVE, rely [5]on the attacker perspective in order to discover the attack paths within the network. Internally the potential attacker might abuse network configuration that includes vulnerability sacn report and firewall rules. By taking this in account an attack graph is built by ADEPTS and TVA proposes the optimal
strategies in order to prevent the attack. For example: Graph must implies the context about dealing with intrusion attempts and generate recommendations for vulnerability mitigation and also provide computation of metrics in order to measure the overall network security.
- RESPONSE EFFECTIVENESS ASSESSMENT
We explain the concepts of response effectiveness and its components, methodology and lastly provide scenario’s as proof of concept.
- Reaction System Concept
Our response selection model is based on CS-IRS and IE- IRS, thus in CS-IRS the REASSESS estimates the degree of negativity based on the negative effects of a response and affected legitimate service request in terms of response deployment. In case with IE-IRS, penalty cost is related to the provided services as a service level agreement SLA.
It mainly consists of different stages: Input, alert processing, response selection and execution.
Fig. 6. Response selection Process
Fig.7. Reaction Strategy along with NIST incident response cycle.
- Calculation Methodology:
In most common cases, experts been informed about the nature of an alert and begin to extract those essential information, thus the information consists of data about the targeted system and source of the potential attack. Each response benefits and risks are compared with potential attack damage.
Response effectiveness is calculated with value E. R = r0, r1, .., rn response r is set for the system environment.
E(r) = Ap − An ∈ [−1..1]
The response model aim’s to select the highest effectiveness E and execution part is done along with the detected attacks. max(E) ⇔ max(Ap − An) ∈ [−1..1]
Negative impact An can be calculated as follow:
A = Fd(s)+S(s) [0..1]
2
The capability value F is determined based on the deployment of a response measure or attack event.
Fd(s) = 1 − F (s) ∈ [0..1].
As a result, a casual loop is identified between the incident and impacted services. Priority of alerts is classified by IDS.
Notation Table[1]
Sy mb ol |
Description |
Symbol |
Description |
s |
Entity (service) |
α |
Alert (Security event) |
E |
Effectiveness value |
r |
Response |
E( r) |
Effectiveness value for each response |
R = {r0,r1, ..,rn} |
Set of responses |
Ap |
Positives effects of a response |
An |
Negative effects of a response |
S( s) |
Importance of a service |
Fd(s) |
Capability reduction |
D |
Disruptive impact |
Aj |
Set of alerts |
dp sri (aj ) |
Responses that successfully mitigate the attack |
dptri (aj) |
Responses that do not successfully mitigate the attack |
Once the response is deployed, the positive impacts are calculated: Ap =rsr ∈ [0..1].
rsr(r,a ) = dpsri(aj) ∈ [0..1]
dptri(aj)
- Use case scenario
The concept of response selection model and calculation methodology is implemented in the experimental testbed setup as shown in the figure. 8, the virtual setup consists of two networks interconnected by the internet and intrusion response system IRS contains REASSESS is also located in the network A which is able to intercept ongoing data flow packets.
Malicious activity is originating from the attacker residing in network B, therefore the attacker targets the victim’s network
A. Resulting phase collects the relevant network interface packet which captures the attack files.
Three different scenarios are experienced in order to prove the performance, correctness and mitigation capabilities of REASSESS.
Performance Measurement: Performance is calculated using different amounts of alerts (e.g.., 125,500,2,000).
Correctness: IDS detects TCP SYN flooding attack, thus the response model calculates, identifies and deploys the suitable response. Finally we evaluate the calculation and identification in order to choose the appropriate response selection model is fast enough to counter the attack.
Mitigation Capabilities: Mitigation is calculated by testing the bandwidth of the attack. It consists of 200 000 network traffic packets and the attack duration of 13.41 seconds.
Fig. 8. Testbed Scenario
Fig, 9. Components of REASSESS application
- EVALUATION
In this section, 13 different response actions which includes various firewall rule changes, user accounts and process modification, using this the IE-IRS is evaluated. Highly optimized data structures plays vital role in evaluation process. In ADEPTS, real attack scenario is place for test purpose and the effectiveness of the system is not compared to response mechanism but static response is taken, but the static approach depends on mapping of attack patterns of pre-defined response. Whereas in CS-IRS evaluation is done using DARP offline data, with the outdated evaluation data and unidirectional traffic which is created to analyse and evaluate IDSs, but CS-
IRS results in poor methodology[1][8]. TVA only capable of providing the runtime graph but no further insights about the attack and its evaluation.
Evaluation Table of the Response Selection Model
Criterion |
IE-IRS |
ADEPTS |
CS-IRS |
TVA |
REASSESS |
Automatic deployment |
– |
+ |
+ |
– |
+ |
Scalability |
– |
– |
+ |
– |
+ |
Adaptability |
– |
0 |
+ |
0 |
+ |
System independency |
+ |
0 |
+ |
+ |
+ |
Calculation efficiency |
– |
+ |
+ |
0 |
0 |
Usability |
0 |
0 |
0 |
0 |
+ |
Security mechanisms |
– |
– |
– |
– |
– |
Evaluation |
– |
0 |
– |
– |
+ |
Sum |
-5 |
0 |
3 |
-3 |
5 |
Legend: high (+), medium (0) and low (−)
- CONCLUSIONS
The published response model have reasonable metrics in order to find the appropriate response selection model. To the best of knowledge, REASSESS response selection model is the first to consider the whole process of incident handling. A key question is how to identify the response models impact, IE-IRS is based on service dependency graph, but no practical findings. CS-IRS implies on historical data and expert judgement, whereas in REASSESS the impact of response as negative effects towards the legitimate requests to the service. Several challenges are worth for future research, In particular to make the selection model more realistic, a proposed standards should be placed for incident related information.
Developing secure communication channel between the IDS and response selection system will help to enable the usage of multiple IDS node
REFERENCES
[1] Sven Ossenbijl, Jessica Steinberger and Harald Baier, “Towards automated incident handling: Select an appropriate response against network-based attack”, Design and analysis of communication systems (DACS),university of Twente,
Enschede, Netherlands, Email: J [email protected]
[2] Natalia Stakhanova, Samik Basu, Johnny Wong, “A taxonomy of Intrusion response systems”, https://doi.org/10.1504/IJICS.2007.012248
[3] D.J Ragsdale, “Adaptation techniques for intrusion detection and response systems”, Inf. Technol. & Oper. Center, US Mil. Acad.., USA.
[4] Anish Desai, Yuvan Jiang, William Tarkington, Jeff Oliveto, “ Multi-level and multi-platform intrusion response system”, Netplexus corp US.
[5] Thomas Toth, Christopher Kruegel, “Evaluating the impact of automated intrusion response mechanisms”, Technical university Vienna, 2002.
[6] Bingrui Foo, Matthew W. Glause M. Howard, Yu-Sung Wu, Engene H, “Intrusion Response Systems: A Survey”, Center for education and research in information assurance and security (CERIAS), Email: [email protected]
[7] Nor Badrul Anuar, Maria Papadaki, Steven Furnell, Nathan Clarke, “A response selection model for intrusion response systems: response strategy model(RSM)”, Security and communication network Vol 7, issue 11 07 Nov 2013.
[8] Alieza Shameli-sendi, Habib Louafi, Wenbo He, “Dynamoc optimal countermeasure selection for intrusion response system”, journal of TDSC, 2016.
Cite This Work
To export a reference to this article please select a referencing style below: