Limiting Uncertainty in Intrusion Response - PowerPoint PPT Presentation

Slides: 12
Provided by: west199
Transcript and Presenter's Notes

1
Limiting Uncertainty in Intrusion Response
  • Curtis A. Carver Jr.
  • John M.D. Hill
  • Udo W. Pooch

2
Agenda
  • Motivation
  • Adaptive, Agent-based Intrusion Response System
    (AAIRS)
  • Uncertainty in Detection
  • Uncertainty in Classifying Attacks
  • Uncertainty in Response
  • Conclusions

3
Motivation (CERT Incidents)
  • The number of computer attacks is increasing and
    the attacks are becoming increasingly complex.

4
Motivation (Intrusion Response Systems)
  • Intrusion response systems must address
    uncertainty.
  • Response systems should provide automated
    mechanisms for adapting to uncertainty in
    intrusion response.
  • Of the systems surveyed, none provided mechanisms
    for answering the following questions:

    IR Classification      Count
    Notification              31
    Manual Response            8
    Automatic Response        17
    Total                     56
5
Uncertainty in Intrusion Response
  • Is the system really under attack?
  • If the system is under attack, is this a new
    attack or part of an ongoing attack?
  • Did my response plan work and if it did not, how
    can I adapt it?

6
AAIRS Methodology
7
Uncertainty (Detection)
  • Intrusion detection is imperfect.
  • AAIRS addresses uncertainty in detection by
    maintaining a false alarm rate on each supported
    intrusion detection system.
  • The false alarm rate is maintained manually by the
    system administrator, but it could be updated
    automatically through calibration.

8
Uncertainty (Classifying Attacks)
  • A detected attack can be a new attack or part of
    an ongoing attack.
  • Event List History
  • Time Metric
  • Session Identifier
  • Attack Type Metric

9
Uncertainty in Response
  • A response plan consists of a response goal, two
    or more plan steps, and associated tactics and
    implementations.
  • Each plan step, tactic, and implementation has an
    associated success factor. The success factor is
    the ratio of the number of times it has been
    successfully deployed to the total number of
    times it has been deployed.

10
Uncertainty in Response
  • Plan Generation
      – Apply Policy Constraints
      – Set Response Taxonomy Weights
      – Determine System Response Goal Weights
      – Build Tentative Plan
      – Build Final Plan
  • Implementation Success or Failure
  • Plan Adaptation
      – Failed Implementation Substitution
      – Tactic Substitution
      – Significant Change Adaptation
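As an added illustration of slides 9 and 10 (not code from the AAIRS paper or its authors), the Python below keeps a success factor per implementation and performs failed-implementation substitution by falling back to the next-best implementation of the same tactic. The tactic and implementation names, the deployment counts and the "highest success factor first" ordering rule are constructed assumptions, not details given on the slides.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Implementation:
    """One concrete way of carrying out a tactic, with its deployment history."""
    name: str
    deployed: int = 0
    succeeded: int = 0

    def success_factor(self) -> float:
        # Slide 9: successes / total deployments. An implementation that has
        # never been deployed gets 0.0 (assumption; the slides do not say).
        return self.succeeded / self.deployed if self.deployed else 0.0

    def record(self, success: bool) -> None:
        self.deployed += 1
        self.succeeded += int(success)


@dataclass
class Tactic:
    name: str
    implementations: List[Implementation]


def best_implementation(tactic: Tactic, exclude=()) -> Optional[Implementation]:
    """Pick the not-yet-tried implementation with the highest success factor (assumed rule)."""
    candidates = [i for i in tactic.implementations if i.name not in exclude]
    return max(candidates, key=lambda i: i.success_factor()) if candidates else None


def execute_step(tactic: Tactic, run: Callable[[str], bool]) -> Tuple[Optional[str], List[str]]:
    """Deploy implementations in success-factor order until one succeeds.

    A failed implementation is recorded and substituted by the next-best one
    (failed implementation substitution, slide 10). Returns the name of the
    implementation that succeeded (or None) and the list of names tried."""
    tried: List[str] = []
    while (impl := best_implementation(tactic, exclude=tried)) is not None:
        ok = run(impl.name)          # `run` stands in for the actual deployment
        impl.record(ok)              # success factor updated either way
        tried.append(impl.name)
        if ok:
            return impl.name, tried
    return None, tried


def sample_tactic() -> Tactic:
    # Constructed sample history for a hypothetical "block attacker" tactic.
    return Tactic("block attacker", [Implementation("firewall-rule", 10, 9),
                                     Implementation("router-acl", 5, 5),
                                     Implementation("kill-session", 4, 1)])
```

With the sample history, `router-acl` (factor 1.0) is tried first; if it fails, its factor drops to 5/6 and `firewall-rule` is substituted, so the next plan for the same tactic would start with `firewall-rule`.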

11
Conclusions
  • Uncertainty must be managed in intrusion response
    systems.
  • The techniques presented in this paper provide a
    starting point for addressing this uncertainty.