A Pragmatic Approach to Intrusion Response Metrics

Chris Strasburg (The Ames Laboratory, US Department of Energy, USA) and Johnny Wong (Iowa State University, USA)
DOI: 10.4018/978-1-4666-0978-5.ch001

The arms race between cyber attackers and defenders has evolved to the point where an effective counter-measure strategy requires the use of an automated, distributed, and coordinated response. A key difficulty in achieving this goal lies in providing reliable measures by which to select appropriate responses to a wide variety of potential intrusions in a diverse population of network environments. In this chapter, the authors provide an analysis of the current state of automated intrusion response metrics from a pragmatic perspective. This analysis includes a review of the current state of the art as well as descriptions of the steps required to implement current work in production environments. The authors also discuss the research gaps that must be filled to improve security professionals’ ability to implement an automated intrusion response capability.
Chapter Preview


With the increased use of automation by attackers, the number of attacks and degree of damage which can be caused in a short amount of time have also increased. Small increments of time on a system can mean significant additional damage done by the attacker. In 2002, the Computer Emergency Response Team (CERT) noted:

Attack tool developers are using more advanced techniques. Attack tool signatures are more difficult to discover through analysis and more difficult to detect through signature-based systems such as antivirus software and intrusion detection systems. Three important characteristics are the anti-forensic nature, dynamic behavior, and modularity of the tools. (Householder, 2002, p. 1)

For instance, the CodeRed worm was known for its rapid rate of infection, infecting nearly 400,000 hosts in less than 24 hours (Zou, 2002). One researcher, presenting a biological model for Internet worm propagation, concluded: “Because high-speed worms are no longer a theoretical threat, we need to automate worm defenses; there is no conceivable way for system administrators to respond to threats of this speed.” (Misslinger, 2005, p. 8)

To address this shortcoming, the DARPA/ISO Autonomic Information Assurance program studied high-speed and broad-scale attacks, and suggested that effective response must also be fast (e.g. automated), and strategically coordinated rather than local and reactive (Lewandowski, 2002). This need has prompted the security research community to explore a variety of approaches to automated intrusion response systems (IRS). Currently few of these approaches have been applied in practice, and in fact there is still no agreement on an effective assessment framework, much less a recognition of the most promising research directions. We will discuss the challenges to assessing and utilizing intrusion response approaches, and suggest directions of research and development which may alleviate these issues.


Intrusion response systems can be categorized along several dimensions, including degree of automation, ability to adjust, time of response, cooperation, and selection mechanism (See Figure 1) (Stakhanova, 2007).

Figure 1. Intrusion response taxonomy (Stakhanova, 2007)

The class of dynamic and cost-sensitive response selection approaches also encompasses a range of complexity from heuristic response selection to attacker goal prediction. Heuristic selection identifies a guiding formula by which the optimal response can be estimated. A recent example is cost-sensitive response selection, wherein an on-the-fly assessment of the potential impact of both the intrusion and each possible response is made, and the response with the best cost-benefit trade-off is chosen. These approaches usually center around an intuitive evaluation of system resources and the effect of intrusions and responses on them. In general, they sacrifice the predictive power of more complex approaches in favor of broader applicability and lower information-gathering overhead.
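The cost-sensitive selection just described, as an added illustration that is not taken from the chapter or from any system it cites: each candidate response is scored by the intrusion damage it fails to prevent (weighted by how confident the detector is that the alert is real) plus the damage the response itself inflicts on legitimate use, and the cheapest option wins. The response list and every number in it are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """A candidate response with an assumed estimate of how much of the
    intrusion's damage it prevents and of the damage it causes itself."""
    name: str
    effectiveness: float  # fraction of the intrusion's damage it prevents, 0..1
    cost: float           # damage the response inflicts (lost service, cleanup)


# Constructed sample responses; the figures are illustrative, not from the chapter.
SAMPLE_RESPONSES = (
    Response("block source IP", effectiveness=0.80, cost=5.0),
    Response("terminate process", effectiveness=0.60, cost=10.0),
    Response("isolate host", effectiveness=0.95, cost=40.0),
)


def expected_cost(intrusion_damage: float, confidence: float, r: Response) -> float:
    """Expected total cost of applying r: the intrusion damage that still gets
    through, weighted by detector confidence, plus the response's own cost."""
    residual = confidence * intrusion_damage * (1.0 - r.effectiveness)
    return residual + r.cost


def rank_responses(intrusion_damage, confidence, responses=SAMPLE_RESPONSES):
    """Return (cost, name) pairs, cheapest first. A 'no response' option is
    always included so that a low-confidence alert can correctly select inaction
    instead of a response that hurts more than the suspected intrusion."""
    candidates = (Response("no response", 0.0, 0.0), *responses)
    ranked = [(expected_cost(intrusion_damage, confidence, r), r.name)
              for r in candidates]
    return sorted(ranked)


def select_response(intrusion_damage, confidence, responses=SAMPLE_RESPONSES):
    """Pick the response with the best cost-benefit trade-off."""
    return rank_responses(intrusion_damage, confidence, responses)[0][1]


if __name__ == "__main__":
    # Same intrusion, two detector confidence levels: the choice flips to inaction
    # when the alert is unlikely enough that any response costs more than it saves.
    for conf in (0.9, 0.05):
        print(f"confidence={conf}: {rank_responses(100.0, conf)}")
```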

At the other complexity extreme, goal prediction is based on a model of the attacker’s behavior. By observing a set of alerts, a determination is made that an attacker is targeting a certain resource and has achieved some degree of progress toward that goal. In general, these approaches require detailed resource interaction maps as well as representations of attacks in terms of fundamental attack steps (Yu, 2007). Goal prediction places heavy emphasis on refining the ability to determine and anticipate attacker actions, responding to the higher-level activities which are occurring rather than individual events.

In this chapter we will focus on automated, adaptive, and dynamic intrusion response systems, including works of varying complexity, noting response time and alert correlation supported by each approach.
